Michael Kerrisk
734882f4c4
_exit.2, alarm.2, chmod.2, clone.2, epoll_ctl.2, fcntl.2, fork.2, fsync.2, getdents.2, getpid.2, ioctl.2, ioctl_console.2, ioctl_list.2, ioctl_ns.2, ioctl_tty.2, ioctl_userfaultfd.2, kexec_load.2, lseek.2, mincore.2, mkdir.2, mknod.2, mmap.2, open.2, poll.2, posix_fadvise.2, prctl.2, rename.2, sched_setaffinity.2, select.2, select_tut.2, sigaction.2, signalfd.2, sigprocmask.2, sigwaitinfo.2, socketcall.2, stat.2, statx.2, syscalls.2, truncate.2, umask.2, unshare.2, userfaultfd.2, utime.2, utimensat.2, wait.2, bzero.3, cfree.3, exit.3, getentropy.3, grantpt.3, insque.3, shm_open.3, syslog.3, termios.3, ttyname.3, wcsdup.3, console_codes.4, tty.4, vcs.4, elf.5, nsswitch.conf.5, proc.5, slabinfo.5, tmpfs.5, bootparam.7, environ.7, hostname.7, inotify.7, mailaddr.7, man-pages.7, namespaces.7, pid_namespaces.7, pthreads.7, pty.7, sem_overview.7, signal.7, socket.7, tcp.7, termio.7, user_namespaces.7, xattr.7, ld.so.8, zdump.8: tstamp
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2017-05-03 19:27:48 +02:00
Stephan Bergmann
a2b1485b5f
user_namespaces.7: Fixes to example
...
While toying around with the userns_child_exec example program on the
user_namespaces(7) man page, I noticed two things:
* In the EXAMPLE section, we need to mount the new /proc before
looking at /proc/$$/status, otherwise the latter will print
information about the outer namespace's PID 1 (i.e., the real
init). So the two paragraphs need to be swapped.
* In the program source, make sure to close pipe_fd[0] in the
child before exec'ing.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2017-05-03 19:20:50 +02:00
Michael Kerrisk
09860f3162
pid_namespaces.7, user_namespaces.7: Adjust references to namespaces(7) to ioctl_ns(2)
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2017-01-09 15:48:57 +13:00
Michael Kerrisk
9d85c78908
user_namespaces.7: Change page cross reference: keyctl(2) ==> keyrings(7)
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-27 09:36:21 +01:00
Michael Kerrisk
35deeb8703
bind.2, chmod.2, chown.2, chroot.2, clock_getres.2, clone.2, connect.2, dup.2, fallocate.2, get_mempolicy.2, getpeername.2, getpriority.2, getsockname.2, getsockopt.2, gettimeofday.2, ioctl_ficlonerange.2, ioctl_fideduperange.2, kill.2, mbind.2, mmap.2, mount.2, mprotect.2, nfsservctl.2, nice.2, open.2, perf_event_open.2, pipe.2, pkey_alloc.2, prctl.2, ptrace.2, quotactl.2, remap_file_pages.2, sched_setscheduler.2, set_mempolicy.2, signal.2, signalfd.2, swapon.2, sync_file_range.2, syscalls.2, timer_create.2, timerfd_create.2, utime.2, utimensat.2, wait.2, atof.3, ctime.3, errno.3, fclose.3, fflush.3, insque.3, malloc_get_state.3, mallopt.3, mbsnrtowcs.3, mq_close.3, mq_open.3, mq_receive.3, mq_send.3, printf.3, pthread_attr_init.3, pthread_create.3, pthread_setaffinity_np.3, ptsname.3, remainder.3, strtod.3, tgamma.3, timegm.3, tmpnam.3, ttyname.3, console_ioctl.4, elf.5, filesystems.5, proc.5, utmp.5, capabilities.7, cgroups.7, credentials.7, ddp.7, feature_test_macros.7, fifo.7, inotify.7, libc.7, mount_namespaces.7, namespaces.7, netlink.7, pid_namespaces.7, pkeys.7, shm_overview.7, standards.7, uri.7, user_namespaces.7: tstamp
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-12 10:45:24 +01:00
Michael Kerrisk
4bfc202622
mount_namespaces.7, user_namespaces.7: Migrate subsection on mount restrictions to mount_namespaces(7)
...
This section material in the user_namespaces(7) page was written
before the creation of the mount_namespaces(7) manual page.
Nowadays, this material properly belongs in the newer page.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-12 07:28:52 +01:00
Michael Kerrisk
414908519d
user_namespaces.7: Add reference to namespaces(7) for NS_GET_USERNS operation
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-12 07:27:23 +01:00
Michael Kerrisk
7af6863be7
user_namespaces.7: Add reference to namespaces(7) for NS_GET_PARENT operation
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-12 07:27:23 +01:00
Michael Kerrisk
791ea4b39c
user_namespaces.7: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-12-11 11:07:19 +01:00
Michael Kerrisk
b64fbdca61
user_namespaces.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-11-11 09:38:06 +01:00
Michael Kerrisk
4e07c70f90
fallocate.2, fcntl.2, lseek.2, madvise.2, memfd_create.2, mmap.2, remap_file_pages.2, swapon.2, proc.5, cgroups.7, shm_overview.7, user_namespaces.7: Fix cross references to new tmpfs(5) page
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-11-07 16:21:41 +01:00
Michael Kerrisk
c63b745431
user_namespaces.7: srcfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-10-31 16:44:08 +01:00
Michael Kerrisk
750653a812
getrusage.2, madvise.2, memfd_create.2, mlock.2, mount.2, getauxval.3, core.5, capabilities.7, pid_namespaces.7, symlink.7, user_namespaces.7: Consistently use /proc/[pid] (not /proc/PID)
...
Reported-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-10-07 22:47:23 +02:00
Michael Kerrisk
a4680ab51d
user_namespaces.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-08-08 05:54:16 +10:00
Michael Kerrisk
3525268cbd
user_namespaces.7: Fix order of SEE ALSO entries
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-08-08 05:54:14 +10:00
Michael Kerrisk
3df541c0e6
ldd.1, localedef.1, add_key.2, chroot.2, clone.2, fork.2, futex.2, get_mempolicy.2, get_robust_list.2, getitimer.2, getpriority.2, ioctl.2, ioctl_ficlonerange.2, ioctl_fideduperange.2, kcmp.2, kill.2, lookup_dcookie.2, mmap.2, mount.2, open.2, pciconfig_read.2, perf_event_open.2, prctl.2, process_vm_readv.2, ptrace.2, quotactl.2, recv.2, setfsgid.2, setfsuid.2, sysinfo.2, umask.2, umount.2, unshare.2, utimensat.2, wait.2, assert.3, fmax.3, fmin.3, getauxval.3, inet_pton.3, malloc_hook.3, memmem.3, mkdtemp.3, mktemp.3, printf.3, strcasecmp.3, strcat.3, strtoul.3, strxfrm.3, console_codes.4, console_ioctl.4, lirc.4, tty.4, vcs.4, charmap.5, elf.5, locale.5, proc.5, repertoiremap.5, utmp.5, capabilities.7, cgroup_namespaces.7, cgroups.7, charsets.7, cp1251.7, cp1252.7, credentials.7, feature_test_macros.7, iso_8859-1.7, iso_8859-15.7, iso_8859-5.7, koi8-r.7, koi8-u.7, man-pages.7, mount_namespaces.7, namespaces.7, netlink.7, pid_namespaces.7, unix.7, user_namespaces.7, utf-8.7: tstamp
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-07-17 18:10:19 +02:00
Michael Kerrisk
8c74a1cea4
user_namespaces.7: Clarify details of CAP_SYS_ADMIN and cgroup v1 mounts
...
With respect to cgroups version 1, CAP_SYS_ADMIN in the user
namespace allows only *named* hierarchies to be mounted (and
not hierarchies that have a controller).
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-07-07 14:30:01 +02:00
Michael Kerrisk
c7e077eaa4
user_namespaces.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-07-07 13:59:24 +02:00
Michael Kerrisk
fa7ae0ea13
user_namespaces.7: Correct kernel version where XFS added support for user namespaces
...
Linux 3.12, not 3.11.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-06-30 06:08:18 +02:00
Michael Kerrisk
801245a110
user_namespaces.7: SEE ALSO: add ptrace(2)
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-06-29 07:06:30 +02:00
Michael Kerrisk
687d3f4aef
user_namespaces.7: Correct user namespace rules for mounting /proc
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-06-26 16:31:44 +02:00
Michael Kerrisk
7e52299f66
user_namespaces.7: CAP_SYS_ADMIN allows mounting cgroup filesystems
...
See https://bugzilla.kernel.org/show_bug.cgi?id=120671
Reported-by: Michał Zegan <webczat_200@poczta.onet.pl>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-06-26 16:11:30 +02:00
Michael Kerrisk
8a9fb19dbd
user_namespaces.7: Clarify CAP_SYS_ADMIN details for mounting FS_USERNS_MOUNT filesystems
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-06-26 16:09:06 +02:00
Michael Kerrisk
32efecaab8
user_namespaces.7: List the mount operations permitted by CAP_SYS_ADMIN
...
List the mount operations permitted by CAP_SYS_ADMIN in a
noninitial userns.
See https://bugzilla.kernel.org/show_bug.cgi?id=120671
Reported-by: Michał Zegan <webczat_200@poczta.onet.pl>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-06-21 13:55:07 +02:00
Michael Kerrisk
2304b0d740
user_namespaces.7: Add a subsection heading for effects of capabilities in user NS
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-06-21 13:55:07 +02:00
Michael Kerrisk
89070c1a7c
user_namespaces.7: Clarify meaning of privilege in a user namespace
...
Having privilege in a user NS only allows privileged
operations on resources governed by that user NS. Many
privileged operations relate to resources that have no
association with any namespace type, and only processes
with privilege in the initial user NS can perform those
operations.
See https://bugzilla.kernel.org/show_bug.cgi?id=120671
Reported-by: Michał Zegan <webczat_200@poczta.onet.pl>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-06-21 10:48:43 +02:00
Michael Kerrisk
3afb0c6a8e
user_namespaces.7: SEE ALSO: add cgroup_namespaces(7)
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-06-21 10:25:14 +02:00
Michael Kerrisk
7ea1c45ebd
user_namespaces.7: Describe a concrete example of capability checking
...
Add a concrete example of how the kernel checks capabilities in
an associated user namespace when a process attempts a privileged
operation.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-06-21 10:25:14 +02:00
Michael Kerrisk
06999763ba
user_namespaces.7: Minor wording fix
...
Avoid listing all namespace types in a couple of places,
since such a list is subject to bit rot as the number
of namespace types grows.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-06-21 10:25:14 +02:00
Michael Kerrisk
a3969b76b9
user_namespaces.7: wfix: reword a long, difficult to understand sentence
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-06-21 10:25:14 +02:00
Mike Frysinger
bb6adc5828
user_namespaces.7: tfix
...
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-09-13 09:52:05 +02:00
Michael Kerrisk
458abbe629
Removed trailing white space at end of lines
2015-03-29 22:31:35 +02:00
Michael Kerrisk
1e64c86bbf
intro.1, ldd.1, clone.2, getgroups.2, getpid.2, getsockopt.2, ioctl_list.2, msgop.2, open.2, seccomp.2, setgid.2, setresuid.2, setreuid.2, setuid.2, sigaction.2, sigpending.2, sigprocmask.2, sigreturn.2, sigsuspend.2, sigwaitinfo.2, socket.2, syscall.2, syscalls.2, umount.2, clock.3, dlopen.3, fmemopen.3, fpathconf.3, fputwc.3, fputws.3, fseek.3, fseeko.3, gcvt.3, getline.3, getwchar.3, hypot.3, if_nameindex.3, initgroups.3, popen.3, resolver.3, strcoll.3, strdup.3, tzset.3, ulimit.3, wcstombs.3, wctob.3, xdr.3, console_codes.4, random.4, filesystems.5, host.conf.5, hosts.5, proc.5, resolv.conf.5, securetty.5, credentials.7, feature_test_macros.7, hier.7, ipv6.7, packet.7, pthreads.7, raw.7, signal.7, tcp.7, user_namespaces.7, ld.so.8, ldconfig.8: tstamp
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-29 22:30:09 +02:00
Michael Kerrisk
e2b6e58cd8
user_namespaces.7: Minor tweak to order of "setgroups" text
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-09 14:33:20 +01:00
Michael Kerrisk
fe3e2b4e4a
user_namespaces.7: Tweaks to /proc/PID/setgroups text
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-07 08:31:39 +01:00
Michael Kerrisk
34bcced069
user_namespaces.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-06 22:53:43 +01:00
Michael Kerrisk
690c890a75
user_namespaces.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-06 22:44:41 +01:00
Michael Kerrisk
50b49f0b54
user_namespaces.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-06 22:43:45 +01:00
Michael Kerrisk
1fc04edfbb
user_namespaces.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-06 22:42:17 +01:00
Michael Kerrisk
31a7d5060a
user_namespaces.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-06 22:40:32 +01:00
Michael Kerrisk
6c8571e079
user_namespaces.7: ffix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-06 20:13:57 +01:00
Michael Kerrisk
4990f759aa
user_namespaces.7: wspfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-04 15:11:02 +01:00
Michael Kerrisk
c38a2a0473
user_namespaces.7: Handle /proc/PID/setgroups in the example program
...
Reported-by: Alban Crequy <alban.crequy@gmail.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-04 15:11:02 +01:00
Michael Kerrisk
ecb0ff30e8
user_namespaces.7: Explain why the /proc/PID/setgroups file was added
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-04 15:11:02 +01:00
Michael Kerrisk
d6add5efa2
user_namespaces.7: Rework test describing restrictions on updating /proc/PID/setgroups
...
No (intentional) changes to factual description, but the
restructured text is hopefully easier to grasp.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-04 15:11:02 +01:00
Michael Kerrisk
30b33164cb
user_namespaces.7: Rework some text describing permission rules for updating map files
...
No (intentional) change to the facts, but this restructuring
should make the meaning easier to grasp.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-04 15:11:02 +01:00
Michael Kerrisk
ab28dba9a0
proc.5, user_namespaces.7: Migrate description of /proc/PID/setgroups to user_namespaces(7)
...
It makes sense to have the description of this file
in the general discussion of user namespaces.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-04 15:11:02 +01:00
Michael Kerrisk
f72de267d9
user_namespaces.7: srcfix: FIXME
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-04 15:11:02 +01:00
Michael Kerrisk
364ce93556
user_namespaces.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-04 15:11:02 +01:00
Michael Kerrisk
f2d61dbbaa
user_namespaces.7: Some tweaks to Eric Biederman's patch
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2015-03-04 15:11:02 +01:00