LDP
/
man-pages
mirror of https://github.com/mkerrisk/man-pages
0
1
Fork 0
Code Releases Activity
22,547 Commits 1 Branch 197 Tags 93 MiB
Commit Graph

167 Commits

Author SHA1 Message Date
Michael Kerrisk d510e7de7e namespaces.7: EXAMPLE: rename the example program 
Use a more generic name, since this program may be expanded
in various ways in the future.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-12-23 09:28:54 +01:00
Michael Kerrisk e79c9e5825 namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-12-23 09:26:09 +01:00
Michael Kerrisk 0fbabfc2d5 namespaces.7: Minor clarification in EXAMPLE 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-12-23 09:22:27 +01:00
Michael Kerrisk c6ff0d07a0 namespaces.7: EXAMPLE: fix an error in shell session 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-12-23 09:18:46 +01:00
Michael Kerrisk 794652c5f0 namespaces.7: Minor wording fix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-12-23 09:18:34 +01:00
Michael Kerrisk d3fca275d2 namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-12-23 09:05:41 +01:00
Michael Kerrisk fa72c2244f namespaces.7: tfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-12-14 11:52:55 +01:00
Michael Kerrisk 35deeb8703 bind.2, chmod.2, chown.2, chroot.2, clock_getres.2, clone.2, connect.2, dup.2, fallocate.2, get_mempolicy.2, getpeername.2, getpriority.2, getsockname.2, getsockopt.2, gettimeofday.2, ioctl_ficlonerange.2, ioctl_fideduperange.2, kill.2, mbind.2, mmap.2, mount.2, mprotect.2, nfsservctl.2, nice.2, open.2, perf_event_open.2, pipe.2, pkey_alloc.2, prctl.2, ptrace.2, quotactl.2, remap_file_pages.2, sched_setscheduler.2, set_mempolicy.2, signal.2, signalfd.2, swapon.2, sync_file_range.2, syscalls.2, timer_create.2, timerfd_create.2, utime.2, utimensat.2, wait.2, atof.3, ctime.3, errno.3, fclose.3, fflush.3, insque.3, malloc_get_state.3, mallopt.3, mbsnrtowcs.3, mq_close.3, mq_open.3, mq_receive.3, mq_send.3, printf.3, pthread_attr_init.3, pthread_create.3, pthread_setaffinity_np.3, ptsname.3, remainder.3, strtod.3, tgamma.3, timegm.3, tmpnam.3, ttyname.3, console_ioctl.4, elf.5, filesystems.5, proc.5, utmp.5, capabilities.7, cgroups.7, credentials.7, ddp.7, feature_test_macros.7, fifo.7, inotify.7, libc.7, mount_namespaces.7, namespaces.7, netlink.7, pid_namespaces.7, pkeys.7, shm_overview.7, standards.7, uri.7, user_namespaces.7: tstamp 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-12-12 10:45:24 +01:00
Michael Kerrisk e6f1b08f55 namespaces.7: Adjust example program to show device major and minor numbers 
Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-12-12 07:30:16 +01:00
Michael Kerrisk e0ff749f64 namespaces.7: Comparisons between fstat()ed files should be on st_dev+st_ino 
The FDs returned by NS_GET_USERNS and NS_GET_PAREENT must be
tested by comparing to both the 'st_dev' and 'st_ino' fields
returned by fstat(2).

Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-12-12 07:30:16 +01:00
Michael Kerrisk 58615b43fb namespaces.7: Add ENOTTY error() for ioctl namespace operations 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-12-12 07:30:16 +01:00
Michael Kerrisk 519949ecad namespaces.7: ffix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-12-12 07:30:16 +01:00
Michael Kerrisk 57422589cf namespaces.7: Tweaks to text on ioctl() operations 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-12-12 07:30:16 +01:00
Michael Kerrisk 6143dbbffd namespaces.7: Document the NS_GET_USERNS and NS_GET_PARENT ioctl() operations 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-12-12 07:27:23 +01:00
Michael Kerrisk ced6277a7b namespaces.7: ffix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-12-11 11:06:24 +01:00
Michael Kerrisk 1dc3d91d7b namespaces.7: srcfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-11-29 17:55:08 +01:00
Michael Kerrisk b237b37c70 namespaces.7: srcfix: FIXME tidy-up 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-10-29 13:43:30 +02:00
Michael Kerrisk 8512495a12 namespaces.7: tfix 
Reported-by: Nikola Forró <nforro@redhat.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-09-23 13:56:31 +02:00
Michael Kerrisk 3df541c0e6 ldd.1, localedef.1, add_key.2, chroot.2, clone.2, fork.2, futex.2, get_mempolicy.2, get_robust_list.2, getitimer.2, getpriority.2, ioctl.2, ioctl_ficlonerange.2, ioctl_fideduperange.2, kcmp.2, kill.2, lookup_dcookie.2, mmap.2, mount.2, open.2, pciconfig_read.2, perf_event_open.2, prctl.2, process_vm_readv.2, ptrace.2, quotactl.2, recv.2, setfsgid.2, setfsuid.2, sysinfo.2, umask.2, umount.2, unshare.2, utimensat.2, wait.2, assert.3, fmax.3, fmin.3, getauxval.3, inet_pton.3, malloc_hook.3, memmem.3, mkdtemp.3, mktemp.3, printf.3, strcasecmp.3, strcat.3, strtoul.3, strxfrm.3, console_codes.4, console_ioctl.4, lirc.4, tty.4, vcs.4, charmap.5, elf.5, locale.5, proc.5, repertoiremap.5, utmp.5, capabilities.7, cgroup_namespaces.7, cgroups.7, charsets.7, cp1251.7, cp1252.7, credentials.7, feature_test_macros.7, iso_8859-1.7, iso_8859-15.7, iso_8859-5.7, koi8-r.7, koi8-u.7, man-pages.7, mount_namespaces.7, namespaces.7, netlink.7, pid_namespaces.7, unix.7, user_namespaces.7, utf-8.7: tstamp 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-07-17 18:10:19 +02:00
Michael Kerrisk da031af127 namespaces.7: Refer to new mount_namespaces(7) for information on mount namespaces 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-06-30 06:08:31 +02:00
Michael Kerrisk 33a1ab5da1 namespaces.7: /proc/PID/ns/* are governed by PTRACE_MODE_READ_FSCREDS 
Permission to dereference/readlink /proc/PID/ns/* symlinks is
governed by a PTRACE_MODE_READ_FSCREDS ptrace access mode check.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-06-29 07:06:29 +02:00
Michael Kerrisk 7575dbc507 namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-06-11 11:32:47 +02:00
Michael Kerrisk 7eb8372d87 namespaces.7: srcfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-06-01 11:21:29 -05:00
Michael Kerrisk 226cb3a87a proc.5, namespaces.7: Move /proc/PID/mounts information to proc(5) 
There was partial duplication, and some extra information
in namespaces(7). Move everything to proc(5).

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-05-18 22:08:44 +02:00
Michael Kerrisk ad5fa2c3a8 namespaces.7: Remove /proc/PID/mountstats description 
This is a duplicate of information in proc(5).

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-05-18 22:03:31 +02:00
Michael Kerrisk 68886a1c7e namespaces.7: Nowadays, file changes in /proc/PID/mounts are notified differently 
Exceptional condition for select(), (E)POLLPRI for (e)poll

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-05-18 22:02:04 +02:00
Michael Kerrisk a2ee61a38a namespaces.7: Remove cgroup namespaces content to a separate page 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-05-09 23:08:54 +02:00
Michael Kerrisk 434aadd5d3 namespaces.7: Add /proc/PID/mountinfo discussion under cgroup namespaces 
The discussion here is contingent on the acceptance of
Serge Hallyn's patch, "mountinfo: implement show_path
for kernfs and cgroup".

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-05-09 23:08:54 +02:00
Michael Kerrisk 8079aefa6f namespaces.7: Rework discussion of cgroup namespaces 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-05-09 23:08:54 +02:00
Serge E. Hallyn 99ef85aba8 namespaces.7: Explain the more important benefit for cgroup namespaces 
mtk: edited text supplied by Serge.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-05-09 23:08:54 +02:00
Michael Kerrisk fc5a79d886 namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-05-09 23:08:54 +02:00
Michael Kerrisk d4d37f0a53 namespaces.7: Document cgroup namespaces (CLONE_NEWCGROUP) 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-05-09 23:08:54 +02:00
Michael Kerrisk 35fae0aaa0 namespaces.7: SEE ALSO: add cgroups(7) 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-05-09 23:08:52 +02:00
Michael Kerrisk 10f8f8cb75 namespaces.7: tfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-05-09 23:08:52 +02:00
Michael Kerrisk 979867082b locale.1, localedef.1, _exit.2, accept.2, access.2, acct.2, adjtimex.2, bdflush.2, bind.2, bpf.2, brk.2, chdir.2, chmod.2, chown.2, chroot.2, clock_nanosleep.2, clone.2, close.2, connect.2, copy_file_range.2, create_module.2, delete_module.2, dup.2, epoll_ctl.2, eventfd.2, execve.2, fallocate.2, fanotify_init.2, fcntl.2, flock.2, fork.2, fsync.2, futex.2, get_kernel_syms.2, getdomainname.2, getgroups.2, gethostname.2, getpagesize.2, getpeername.2, getsid.2, getsockname.2, getsockopt.2, gettimeofday.2, init_module.2, ioctl.2, ioctl_list.2, ioperm.2, iopl.2, kexec_load.2, kill.2, killpg.2, link.2, listen.2, llseek.2, lseek.2, madvise.2, memfd_create.2, mincore.2, mkdir.2, mknod.2, mmap.2, mount.2, nanosleep.2, nice.2, open.2, personality.2, pipe.2, poll.2, posix_fadvise.2, read.2, readahead.2, readlink.2, readv.2, recv.2, recvmmsg.2, rename.2, request_key.2, sched_setaffinity.2, sched_setattr.2, select.2, select_tut.2, semctl.2, semop.2, send.2, sendfile.2, sendmmsg.2, seteuid.2, setns.2, setpgid.2, setreuid.2, shutdown.2, sigaction.2, sigaltstack.2, signal.2, signalfd.2, sigpending.2, sigprocmask.2, sigsuspend.2, socketpair.2, splice.2, stat.2, statfs.2, stime.2, symlink.2, sync.2, syscall.2, syscalls.2, times.2, truncate.2, unlink.2, unshare.2, uselib.2, utimensat.2, vfork.2, vhangup.2, wait.2, wait4.2, write.2, a64l.3, abs.3, acos.3, acosh.3, addseverity.3, adjtime.3, aio_read.3, aio_write.3, asin.3, asinh.3, atan.3, atan2.3, atanh.3, atoi.3, backtrace.3, cbrt.3, ceil.3, cfree.3, clearenv.3, clock_getcpuclockid.3, clog10.3, cmsg.3, copysign.3, cos.3, cosh.3, ctermid.3, ctime.3, daemon.3, dirfd.3, div.3, dl_iterate_phdr.3, drand48.3, drand48_r.3, dysize.3, ecvt.3, ecvt_r.3, endian.3, erf.3, erfc.3, errno.3, exec.3, exp.3, exp2.3, expm1.3, fabs.3, fdim.3, ferror.3, fexecve.3, ffs.3, fgetgrent.3, fgetpwent.3, finite.3, flockfile.3, floor.3, fma.3, fmax.3, fmin.3, fmod.3, fopen.3, fpclassify.3, frexp.3, fseeko.3, fts.3, futimes.3, fwide.3, gamma.3, gcvt.3, getaddrinfo.3, getcwd.3, getdate.3, getdirentries.3, getdtablesize.3, getgrent.3, getgrent_r.3, getgrnam.3, getgrouplist.3, gethostbyname.3, gethostid.3, getline.3, getloadavg.3, getmntent.3, getnameinfo.3, getnetent_r.3, getpass.3, getprotoent_r.3, getpwent.3, getpwent_r.3, getpwnam.3, getrpcent_r.3, getservent_r.3, getspnam.3, getsubopt.3, getusershell.3, getutent.3, getw.3, gsignal.3, hypot.3, ilogb.3, inet.3, initgroups.3, insque.3, isalpha.3, isgreater.3, iswblank.3, j0.3, ldexp.3, lgamma.3, lio_listio.3, lockf.3, log.3, log10.3, log1p.3, log2.3, logb.3, lrint.3, lround.3, makedev.3, matherr.3, mbsnrtowcs.3, mkdtemp.3, mkfifo.3, mkstemp.3, mktemp.3, modf.3, mq_close.3, mq_getattr.3, mq_notify.3, mq_receive.3, mq_send.3, nan.3, nextafter.3, on_exit.3, open_memstream.3, opendir.3, perror.3, popen.3, posix_fallocate.3, posix_madvise.3, posix_memalign.3, posix_openpt.3, posix_spawn.3, pow.3, printf.3, profil.3, psignal.3, pthread_attr_setstack.3, pthread_setaffinity_np.3, putenv.3, putpwent.3, qecvt.3, rand.3, random.3, random_r.3, rcmd.3, readdir.3, realpath.3, remainder.3, remquo.3, rexec.3, rint.3, round.3, rpc.3, rpmatch.3, scalb.3, scalbln.3, scandir.3, scanf.3, seekdir.3, sem_wait.3, setbuf.3, setenv.3, setjmp.3, setnetgrent.3, siginterrupt.3, signbit.3, significand.3, sigset.3, sigsetops.3, sigvec.3, sigwait.3, sin.3, sinh.3, sleep.3, sockatmark.3, sqrt.3, statvfs.3, stpcpy.3, stpncpy.3, strdup.3, strerror.3, strftime.3, strlen.3, strnlen.3, strsep.3, strsignal.3, strtod.3, strtok.3, strtol.3, strtoul.3, syslog.3, system.3, tan.3, tanh.3, telldir.3, tempnam.3, termios.3, tgamma.3, timegm.3, timeradd.3, tmpfile.3, tmpnam.3, toascii.3, trunc.3, ttyslot.3, tzset.3, ualarm.3, unlocked_stdio.3, usleep.3, wcpcpy.3, wcpncpy.3, wcscasecmp.3, wcsdup.3, wcsncasecmp.3, wcsnlen.3, wcsnrtombs.3, wprintf.3, y0.3, pts.4, st.4, tty_ioctl.4, elf.5, gai.conf.5, group.5, locale.5, nsswitch.conf.5, proc.5, utmp.5, aio.7, capabilities.7, credentials.7, environ.7, epoll.7, fanotify.7, feature_test_macros.7, inotify.7, ip.7, mq_overview.7, namespaces.7, pipe.7, signal.7, socket.7, standards.7, svipc.7, symlink.7, time.7, unicode.7, unix.7: tstamp 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-03-15 17:30:43 +13:00
Michael Kerrisk 63f775e8f5 namespaces.7: SEE ALSO: add lsns(1) 
lsns(1) was recently added in util-linux, probably to appear
in next release (2.28?).

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2016-02-15 15:31:59 +01:00
Michael Kerrisk aea4d7b4f5 namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2015-01-28 10:39:58 +01:00
Mike Frysinger f7611a00f6 namespaces(7): minor tweaks 
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-11-08 14:27:47 +01:00
Wieland Hoffmann b23c9a79d9 namespaces.7: tfix: CLONE_IPC -> CLONE_NEWIPC 
CLONE_NEWIPC is the correct constant, as can be seen in the detailed
list of namespaces & their corresponding constants, as well as the
clone(2) man page and include/uapi/linux/sched.h in the Linux source tree.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-23 04:23:11 +02:00
Michael Kerrisk f5d401ddda Removed trailing white space at end of lines 2014-09-21 11:24:24 +02:00
Michael Kerrisk daf084cc33 clone.2, flock.2, getpid.2, getunwind.2, mount.2, reboot.2, semop.2, seteuid.2, setgid.2, setns.2, setresuid.2, setreuid.2, setuid.2, uname.2, unshare.2, clock.3, drand48.3, proc.5, capabilities.7, credentials.7, mq_overview.7, namespaces.7, pid_namespaces.7, svipc.7, user_namespaces.7: tstamp 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-21 11:23:07 +02:00
Michael Kerrisk c228b4b4d1 namespaces.7, pid_namespaces.7, user_namespaces.7: srcfix: Add LICENSE_START tag 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-16 09:05:40 +02:00
Michael Kerrisk fd0a5c693d namespaces.7: tfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-15 10:39:50 +02:00
Michael Kerrisk 258e6b6c7a namespaces.7: wfix 
Reported-by: Vitaly Rybnikov <frodox@zoho.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk 0b497138b9 namespaces.7: Add table of namespaces to top of page 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk 309abda4a0 namespaces.7: tfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk c6d54e1fd6 namespaces.7: tfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk beb9df9ed3 namespaces.7: tfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:03 -07:00
Michael Kerrisk ab3311aa06 clone.2, namespaces.7, pid_namespaces.7, user_namespaces.7: wfix "file system" ==> "filesystem" 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:02 -07:00
Michael Kerrisk f344e055a6 namespaces.7: Document /proc interfaces that are distinct in each IPC namespace 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:02 -07:00
Michael Kerrisk 7d8d64eb14 namespaces.7: Remove repetitious text under network namespaces 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:02 -07:00
Michael Kerrisk fa88d1a483 namespaces.7, pid_namespaces.7: Add pointer to example program in user_namespaces(7) 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 024d6a8449 namespaces.7: Remove PID namespaces material shifted to pid_namespaces(7) 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk 67d1131fd9 namespaces.7: Remove userns material shifted to user_namespaces(7) 
The user namespaces section was getting long and unwieldy.
Split it into its own page, so that it can be better
structured with subtitles, etc.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk 9552196ecb namespaces.7: ffix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk e67b117c39 namespaces.7: Document association between userns and other namespace types 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk 365d292a3c clone.2, unshare.2, namespaces.7: clone() and unshare() fail (EPERM) if caller's UID/GID are not mapped 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk 1d5adb6f9e namespaces.7: Userns creation associates eff. GID of creator with the userns 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk 5eb7f09d7c namespaces.7: Move text on capabilities in user namespaces 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk 7f76dc3079 namespaces.7: tfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk cda377d2bc namespaces.7: Clarify use of 'single line' case when writing userns map files 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk e2eb61370e namespaces.7: Note rules regarding capabilities and nested namespaces 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk 9a80f81d04 namespaces.7: Clarify explanation of nested user namespaces 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk 6be09bd882 namespaces.7: srcfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk fd4eb520d6 namespaces.7: srcfix: Added FIXME 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk aa49742066 namespaces.7: Mapping files are empty when a user namespace is first created 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk b87dd2afb0 namespaces.7: User namespace ID mappings can be defined via any member process's map 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk b2e73e0ce8 namespaces.7: Clarify max # of bytes that can be written to a user namespace map 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk 3fe8d14797 namespaces.7: Describe semantics of set-user/group-ID programs in a user namespace 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk e420879421 namespaces.7: Rewrite EPERM rules for writing to user namespace map file 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk 1879c18c63 namespaces.7: spfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk d70ee6ff45 namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk 6155c4554f namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk 4d2d9a106f namespaces.7: Add further EINVAL cases for writes to userspace map files 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk 8e5924c0a9 namespaces.7: Clarify a detail in permissions for writing to user namespace map files 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk cfc50babe7 namespaces.7: Violating rules for writing to user namespace map file yields EPERM 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk ed0ce71a31 namespaces.7: ffix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk 76f89cbea4 namespaces.7: ffix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk d3c16a98d1 namespaces.7: tfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk 147a0c9098 namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk b680649a5c namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk 291e9237d7 namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk 029ae9e3f5 namespaces.7: SEE ALSO: add switch_root(8) 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk c0004fb480 namespaces.7: Clarify details of sending signals to init from ancestor PID namespaces 
After email from Eric Biederman

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk b16d757dfd namespaces.7: When a PID namespace terminates, the other processes get SIGKILL 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk fc49d2ac6b namespaces.7: Repair discussion of signals that can be sent to pidns init process 
From outside a PID namespace, only the SIGKILL and SIGSTOP
signals can be sent to the init process.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk 3c96796395 namespaces.7: Fixes to text on forking a process into a PID namespace with no "init" 
Based on comments from Eric Biederman

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk bcf8010e24 namespaces.7: Trying to add a new process to a PID namespace with no "init" fails 
If the PID namespace init process has terminated, then
setns() on a previously opened /proc/PID/ns/pid file
will succeed, but the subsequent fork() will fail with
ENOMEM.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk ed94b9b881 namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk 53d63b8925 namespaces.7: Document effect of PID namespaces when passing credentials over a socket 
PIDs passed via UNIX domain sockets are translated according to
the receiving process's namespace.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk 86499a6b26 namespaces.7: SEE ALSO: Add nsenter(1), unshare(1) 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk 3c7103af43 namespaces.7: Remove text on "equivalence" between clone() and fork()+unshare() 
The text probably doesn't help the readers understanding much,
and it's not quite accurate in the case of PID namespaces.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk 84c35715ba namespaces.7: tfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk ca29156707 namespaces.7: Explain why unshare() and setns() do not change caller's PID namespace 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk e13b53a611 namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk e17d07c17b namespaces.7: Note treatment of PID namespace "init" process with respect to signals 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk 33a3c1b8ec namespaces.7: Repair discussion of termination of "init" in PID namespace 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk 110026abe4 namespaces.7: Document PID namespace case where getppid() can return 0 
getppid() can return 0 if parent is in a different namespace.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk 7091f8f392 namespaces.7: spfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:58 -07:00
Michael Kerrisk 37d12157fd namespaces.7: Note exception to permissions needed when writing to uid_map/gid_lmap 
Quoting mail with Eric Biederman:

>>> So, by the way, I added this sentence to the page:
>>>
>>>         In   order   to   write   to   the   /proc/[pid]/uid_map
>>>         (/proc/[pid]/gid_map) file,  a  process  must  have  the
>>>         CAP_SETUID (CAP_SETGID) capability in the user namespace
>>>         of the process pid.
>>>
>>> Is that correct?
>>
>> Yes.
>>
>>> But, there appear to be more rules than this governing whether a
>>> process can write to the file (i.e., various other -EPERM cases). What
>>> are the rules?
>>
>> In general you must also have CAP_SETUID (CAP_SETGID) in the parent user
>> namespace as well.  The one exception to that is if you are mapping
>> your current uid and gid.
>
> Can you clarify what you mean by "mapping your own UID and GID" please
> (i.e., who is "you" in that sentence).

At the time of clone() or unshare() that creates a new user namespace,
the kuid and the kgid of the process does not change.

setuid and setgid fail before any mappings are set up.

Therefore the caller is allowed to map any single uid to the uid of the
caller in the parent user namespace.  Likewise the caller is allowed to
map any single gid to the gid of the caller in the parent user

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:57 -07:00