Michael Kerrisk
84c35715ba
namespaces.7: tfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:58 -07:00
Michael Kerrisk
ca29156707
namespaces.7: Explain why unshare() and setns() do not change caller's PID namespace
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:58 -07:00
Michael Kerrisk
e13b53a611
namespaces.7: wfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:58 -07:00
Michael Kerrisk
e17d07c17b
namespaces.7: Note treatment of PID namespace "init" process with respect to signals
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:58 -07:00
Michael Kerrisk
33a3c1b8ec
namespaces.7: Repair discussion of termination of "init" in PID namespace
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:58 -07:00
Michael Kerrisk
110026abe4
namespaces.7: Document PID namespace case where getppid() can return 0
getppid() can return 0 if parent is in a different namespace.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:58 -07:00
Michael Kerrisk
7091f8f392
namespaces.7: spfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:58 -07:00
Michael Kerrisk
37d12157fd
namespaces.7: Note exception to permissions needed when writing to uid_map/gid_map
Quoting mail with Eric Biederman:
>>> So, by the way, I added this sentence to the page:
>>>
>>> In order to write to the /proc/[pid]/uid_map
>>> (/proc/[pid]/gid_map) file, a process must have the
>>> CAP_SETUID (CAP_SETGID) capability in the user namespace
>>> of the process pid.
>>>
>>> Is that correct?
>>
>> Yes.
>>
>>> But, there appear to be more rules than this governing whether a
>>> process can write to the file (i.e., various other -EPERM cases). What
>>> are the rules?
>>
>> In general you must also have CAP_SETUID (CAP_SETGID) in the parent user
>> namespace as well. The one exception to that is if you are mapping
>> your current uid and gid.
>
> Can you clarify what you mean by "mapping your own UID and GID" please
> (i.e., who is "you" in that sentence).
At the time of clone() or unshare() that creates a new user namespace,
the kuid and the kgid of the process do not change.
setuid and setgid fail before any mappings are set up.
Therefore the caller is allowed to map any single uid to the uid of the
caller in the parent user namespace. Likewise the caller is allowed to
map any single gid to the gid of the caller in the parent user
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:57 -07:00
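The two rules discussed in the commits above, that a process may map its own UID/GID into a new user namespace without holding CAP_SETUID/CAP_SETGID in the parent namespace, and that getppid() returns 0 when the parent lives in a different PID namespace, can be exercised in a few dozen lines of C. The program below is an added example, not part of the man-pages sources or the quoted mail. It assumes a kernel that permits unprivileged user namespaces and that provides /proc/[pid]/setgroups (Linux 3.19 and later), which must be set to "deny" before an unprivileged process may write gid_map; the helper names (map_line, translate_outside_to_inside, write_file, enter_own_userns, child_ppid_in_new_pidns) are this example's own.

```c
/* Added example (not from man-pages): map our own UID/GID into a fresh user
 * namespace, then create a PID namespace whose first process observes
 * getppid() == 0 because its parent is in the outer PID namespace.
 * Build: cc -Wall -o nsdemo nsdemo.c   Run unprivileged. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Format one uid_map/gid_map line: "<inside> <outside> <count>\n".
 * Returns the number of characters written (snprintf semantics). */
static int map_line(char *buf, size_t len, unsigned inside,
                    unsigned outside, unsigned count)
{
    return snprintf(buf, len, "%u %u %u\n", inside, outside, count);
}

/* Apply a single map line the way the kernel translates an ID owned by
 * <id> in the parent namespace into the child namespace's view.
 * Returns -1 when the ID is outside the mapped range (shown as "nobody"). */
static long translate_outside_to_inside(unsigned inside, unsigned outside,
                                        unsigned count, unsigned id)
{
    if (id < outside || id - outside >= count)
        return -1;
    return (long)(inside + (id - outside));
}

/* Write a string to a /proc file with a single write(2); the map files
 * reject partial or repeated writes. Returns 0 or -errno. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    ssize_t n = write(fd, text, strlen(text));
    int saved = n < 0 ? errno : 0;
    close(fd);
    return n < 0 ? -saved : 0;
}

/* Create a user namespace and map only our own UID and GID to 0 inside it.
 * This is the one case that needs no CAP_SETUID/CAP_SETGID in the parent
 * user namespace; the creator already holds all capabilities in the new one. */
static int enter_own_userns(void)
{
    unsigned uid = getuid(), gid = getgid();
    char line[64];
    int rc;

    if (unshare(CLONE_NEWUSER) < 0)
        return -errno;
    map_line(line, sizeof line, 0, uid, 1);
    if ((rc = write_file("/proc/self/uid_map", line)) != 0)
        return rc;
    if ((rc = write_file("/proc/self/setgroups", "deny")) != 0)  /* assumed: Linux >= 3.19 */
        return rc;
    map_line(line, sizeof line, 0, gid, 1);
    return write_file("/proc/self/gid_map", line);
}

/* Returns the getppid() value seen by the first process (PID 1) of a new
 * PID namespace, or -errno. The expected value is 0: its parent (us) is
 * not visible from inside the new namespace. */
static long child_ppid_in_new_pidns(void)
{
    int status;
    pid_t pid;

    if (unshare(CLONE_NEWPID) < 0)   /* needs CAP_SYS_ADMIN in our user namespace */
        return -errno;
    pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0)
        _exit((int)getppid() & 0xff);  /* child is "init" of the new PID namespace */
    if (waitpid(pid, &status, 0) < 0)
        return -errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -ECHILD;
}

int main(void)
{
    int rc = enter_own_userns();
    if (rc) {
        fprintf(stderr, "user namespace setup failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("inside user namespace: uid=%u gid=%u\n", getuid(), getgid());
    long ppid = child_ppid_in_new_pidns();
    if (ppid < 0) {
        fprintf(stderr, "PID namespace setup failed: %s\n", strerror((int)-ppid));
        return 1;
    }
    printf("getppid() in the new PID namespace's init: %ld\n", ppid);
    return 0;
}
```

If unshare(CLONE_NEWUSER) fails with EPERM the kernel or a sysctl (for example kernel.unprivileged_userns_clone on some distributions) disallows unprivileged user namespaces; EINVAL typically means the process is multithreaded. Trying to map any UID other than your own in uid_map, with no CAP_SETUID in the parent namespace, makes the write fail with EPERM, which is exactly the rule the commit message records.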
Michael Kerrisk
2a4cbd77a1
namespaces.7: spfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:57 -07:00
Michael Kerrisk
857c57e70d
namespaces.7: Document some disallowed cases for CLONE_NEWPID + CLONE_VM
Based on text from Eric Biederman
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:57 -07:00
Michael Kerrisk
e7d2eab5d3
namespaces.7: Minor wording fix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:57 -07:00
Michael Kerrisk
027a0716d7
namespaces.7: Note that creation of most namespaces requires CAP_SYS_ADMIN
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:57 -07:00
Michael Kerrisk
a122e26793
namespaces.7: spfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:57 -07:00
Michael Kerrisk
7a30282c0d
namespaces.7: srcfix: Add Eric Biederman to copyright holders
The pieces on uid_map, gid_map and CLONE_NEWUSER were
originally drafted (in other pages) by Eric Biederman.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:57 -07:00
Michael Kerrisk
9387987bbb
namespaces.7: wfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:57 -07:00
Michael Kerrisk
f2752f9088
namespaces.7: Add 'ls -l' example of /proc/PID/ns
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:57 -07:00
Michael Kerrisk
83d9e9b2bc
clone.2, namespaces.7: Move some CLONE_NEWUTS text from clone.2 to namespaces.7
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:57 -07:00
Michael Kerrisk
9d005472a8
clone.2, namespaces.7: Move some CLONE_NEWUSER text from clone.2 to namespaces.7
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:57 -07:00
Michael Kerrisk
73680728d1
clone.2, namespaces.7: Move some CLONE_NEWNET text from clone.2 to namespaces.7
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:57 -07:00
Michael Kerrisk
9343f8e7c3
clone.2, namespaces.7: Move some CLONE_NEWIPC text from clone.2 to namespaces.7
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:57 -07:00
Michael Kerrisk
b81acb1504
proc.5, namespaces.7: Move /proc/[pid]/{gid_map,uid_map} text from proc.5 to namespaces.7
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:57 -07:00
Michael Kerrisk
cf8bfe6d2a
proc.5, namespaces.7: Move /proc/[pid]/mountstat text from proc.5 to namespaces.7
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:57 -07:00
Michael Kerrisk
4716a1dd65
proc.5, namespaces.7: Move /proc/[pid]/mountstats from proc.5 to namespaces.7
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:57 -07:00
Michael Kerrisk
357002ecdf
proc.5, namespaces.7: Move /proc/[pid]/mounts from proc.5 to namespaces.7
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:57 -07:00
Michael Kerrisk
020357e8e4
namespaces.7: New page providing overview of Linux namespaces
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:15:57 -07:00