Michael Kerrisk
d916d9d073
user_namespaces.7: Rewrote and reorganized various pieces
...
Mainly the pieces on capabilities, nested namespaces
and namespace membership.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk
c9195dede4
user_namespaces.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk
3a9ff754df
user_namespaces.7: SEE ALSO: remove unshare(1) (which is mentioned in namespaces(7))
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk
96ec9d12e6
user_namespaces.7: Clarify that the child of clone() gets all privileges in new userns
...
Nothing special happens for the children of unshare(2).
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk
c94eb4a68d
user_namespaces.7: Add reference to Documentation/namespaces/resource-control.txt
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk
cf7d22a535
user_namespaces.7: Further reworking of text on nested namespaces and capabilities
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk
c0098e767d
user_namespaces.7: Relocate text on capabilities of initial process in userns
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk
20e4a14719
user_namespaces.7: Explain uid_map and gid_map in the initial user namespace
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk
3e2a37ec85
user_namespaces.7: Add more detail on unmapped UIDs and GIDs exposed to user space
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk
6eda94413b
user_namespaces.7: Reorganize various pieces of DESCRIPTION
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk
30f3ddd6dd
user_namespaces.7: Remove duplicated text on EPERM + mapping required in parent userns
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk
1863e45128
user_namespaces.7: Move a misplaced rule re writing to map files
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk
8d36d80cc3
user_namespaces.7: Add an example program
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
df23ae04d6
user_namespaces.7: Linux 3.9 provides a better implementation of nonoverlapping map checks
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
e4f4f2e125
user_namespaces.7: Clarify discussion on privileges of child after clone() by UID 0
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
1b3d5347f5
user_namespaces.7: Clarify that rules for writing to map files also apply to gid_map
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
0f069d0c69
user_namespaces.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
d45d012859
user_namespaces.7: srcfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
54ead6d395
user_namespaces.7: Describe effect of mappings in the context of file-system operations
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
4332e54d27
user_namespaces.7: wfix + ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
674c23884e
user_namespaces.7: Note some interfaces that return overflowuid and overflowgid
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
0df0f26dcc
user_namespaces.7: srcfix: remove obsolete FIXME
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
27a6ff6ee6
user_namespaces.7: Describe handling of UIDs+GIDs when passed across a UNIX domain socket
...
UIDs and GIDs are mapped to receiver's userns when passed across
a UNIX domain socket
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
5ba153e7ac
user_namespaces.7: The initial process in a userns has no capabilities outside the userns
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
d6842bf18d
user_namespaces.7: srcfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
627e4074b4
user_namespaces.7: Fix description of inheritance of capabilities across nested namespaces
...
Based on input from Eric Biederman
Calling cap_capable asks: Does the current process have
capability X in userns U.
I see three ways you can have that capability.
1) The current process can be in user namespace U and directly
have capability X.
2) The current process can be in the parent of namespace U and
its euid can be the euid that created user namespace U.
3) You can have be have the capability X in a user namespace
that is an ancestor of U.
Coming from the direction of your manpage text.
With respect to capabilities, the following rules apply to
nested user namespaces.
1. If a process has a capability in a user namespace has that
capability in all descendant user namespaces as well.
2. The user that creates a user namespace while in the parent
namespace has all capabilities in the created namespace
and in all descendent user namespaces.
So having said that part of my problem with your original
text is that it actually switches directions. One one rule
it is looking into the descendent user namespaces, and in the
other rule it is looking at ancestor user namespaces.
So perhaps the text should read:
With respect to capabilities, the following rules are used to
answer the question does a process P have a capability C in a
user namespace U.
1. P has the capability C if P is in user namespace U and
capability C is in process P's capability set.
2. P has the capability C if P is in the parent of user
namespace U and the euid of P is the euid that created user
namespace U.
3. P has the capability C if P has the capability C in some
user namespace V that is an ancestor of U.
Which probably gets a little extra mathematical, but it is
precise.
Reported-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
7ae693d017
user_namespaces.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
03611be8d7
user_namespaces.7: Add some references to other pages
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk
62a5214c57
user_namespaces.7: Reorganize and add some subheadings
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00
Michael Kerrisk
046de6a7d7
user_namespaces.7: New page splitting user namespace material out of namespaces(7)
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:59 -07:00