Michael Kerrisk
|
b6462f7519
|
user_namespaces.7: SEE ALSO: add newgidmap(1), newuidmap(1), subgid(5), subuid(5)
Pages in the "shadow" package
Reported-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
77f9548830
|
user_namespaces.7: execve(2) will drop capabilities unless the caller's UID maps to 0
Reported-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
550d1c537c
|
user_namespaces.7: wfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
0ac408439b
|
user_namespaces.7: Some subsystems don't support user namespaces in some kernel versions
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
6b92803065
|
user_namespaces.7: srcfix: Add FIXME
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
3b44624fa4
|
user_namespaces.7: Minor fixes in various places
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
8a87c8b32f
|
user_namespaces.7: srcfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
589e43bb00
|
user_namespaces.7: tfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
d68c5f1184
|
user_namespaces.7: Clarify some capabilities details
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
0666f549da
|
user_namespaces.7: Note treatment of "securebits" flags
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
37909beed2
|
user_namespaces.7: wfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
d916d9d073
|
user_namespaces.7: Rewrote and reorganized various pieces
Mainly the pieces on capabilities, nested namespaces
and namespace membership.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
c9195dede4
|
user_namespaces.7: wfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
3a9ff754df
|
user_namespaces.7: SEE ALSO: remove unshare(1) (which is mentioned in namespaces(7))
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
96ec9d12e6
|
user_namespaces.7: Clarify that the child of clone() gets all privileges in new userns
Nothing special happens for the children of unshare(2).
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
c94eb4a68d
|
user_namespaces.7: Add reference to Documentation/namespaces/resource-control.txt
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
cf7d22a535
|
user_namespaces.7: Further reworking of text on nested namespaces and capabilities
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
c0098e767d
|
user_namespaces.7: Relocate text on capabilities of initial process in userns
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
20e4a14719
|
user_namespaces.7: Explain uid_map and gid_map in the initial user namespace
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
3e2a37ec85
|
user_namespaces.7: Add more detail on unmapped UIDs and GIDs exposed to user space
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
6eda94413b
|
user_namespaces.7: Reorganize various pieces of DESCRIPTION
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
30f3ddd6dd
|
user_namespaces.7: Remove duplicated text on EPERM + mapping required in parent userns
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
1863e45128
|
user_namespaces.7: Move a misplaced rule re writing to map files
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
f00071920e
|
clone.2: EINVAL if (CLONE_NEWUSER|CLONE_NEWPID) && (CLONE_THREAD|CLONE_PARENT)
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
4dd85833c1
|
unshare.2: Document use of CLONE_THREAD, CLONE_SIGHAND, and CLONE_VM
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Eric W. Biederman
|
98029e6531
|
pid_namespaces.7: Add much more detail on CLONE_NEWPID + multhreaded processes
CLONE_NEWPID doesn't mix with CLONE_THREAD, CLONE_VM,
and CLONE_SIGHAND.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
bd23efc759
|
pid_namespaces.7: Further reworking of text on CLONE_NEWPID and threads
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
e0fd534919
|
pid_namespaces.7: Rework text on threads and CLONE_NEWPID
Adapted text from Eric Biederman.
Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
7cd5151990
|
pid_namespaces.7: SEE ALSO: remove unshare(1) (which is mentioned in namespaces(7))
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
81ccc85366
|
pid_namespaces.7: Mention unshare()+fork() failure case if "init" terminates
Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
5597d425e9
|
pid_namespaces.7: Explain use for readlink() from /proc/self
Reported-by: Rob Landley <rob@landley.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:01 -07:00 |
|
Michael Kerrisk
|
47832b6dfc
|
pid_namespaces.7: Clarify text on failure cases with CLONE_VM + multithreaded
Reported-by: Rob Landley <rob@landley.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:00 -07:00 |
|
Michael Kerrisk
|
837ddeb969
|
pid_namespaces.7: wfix
Reported-by: Rob Landley <rob@landley.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:00 -07:00 |
|
Michael Kerrisk
|
36b04745db
|
pid_namespaces.7: Mention suspend/resume of containers in intro text
Reported-by: Rob Landley <rob@landley.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:00 -07:00 |
|
Michael Kerrisk
|
cbf542aa98
|
pid_namespaces.7: tfix
Reported-by: Rob Landley <rob@landley.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:00 -07:00 |
|
Michael Kerrisk
|
bac6162841
|
pid_namespaces.7: /proc shows mounts according to PID namespace of mounting process
Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:00 -07:00 |
|
Michael Kerrisk
|
805685dc1b
|
pid_namespaces.7: Note the shell command used for mount procfs
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:00 -07:00 |
|
Michael Kerrisk
|
ec411de6d5
|
pid_namespaces.7: Other call sequences fail with multiple threads and CLONE_NEWPID
Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:00 -07:00 |
|
Michael Kerrisk
|
2a4b78e7e2
|
pid_namespaces.7: Mention PR_SET_CHILD_SUBREAPER in discussion of reparenting to init
Reported-by: Vasily Kulikov <segoon@openwall.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:00 -07:00 |
|
Michael Kerrisk
|
fa88d1a483
|
namespaces.7, pid_namespaces.7: Add pointer to example program in user_namespaces(7)
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:00 -07:00 |
|
Michael Kerrisk
|
8d36d80cc3
|
user_namespaces.7: Add an example program
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:00 -07:00 |
|
Michael Kerrisk
|
df23ae04d6
|
user_namespaces.7: Linux 3.9 provides a better implementation of nonoverlapping map checks
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:00 -07:00 |
|
Michael Kerrisk
|
e4f4f2e125
|
user_namespaces.7: Clarify discussion on privileges of child after clone() by UID 0
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:00 -07:00 |
|
Michael Kerrisk
|
1b3d5347f5
|
user_namespaces.7: Clarify that rules for writing to map files also apply to gid_map
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:00 -07:00 |
|
Michael Kerrisk
|
0f069d0c69
|
user_namespaces.7: wfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:00 -07:00 |
|
Michael Kerrisk
|
d45d012859
|
user_namespaces.7: srcfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:00 -07:00 |
|
Michael Kerrisk
|
54ead6d395
|
user_namespaces.7: Describe effect of mappings in the context of file-system operations
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:00 -07:00 |
|
Michael Kerrisk
|
4332e54d27
|
user_namespaces.7: wfix + ffix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:00 -07:00 |
|
Michael Kerrisk
|
674c23884e
|
user_namespaces.7: Note some interfaces that return overflowuid and overflowgid
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:00 -07:00 |
|
Michael Kerrisk
|
0df0f26dcc
|
user_namespaces.7: srcfix: remove obsolete FIXME
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
|
2014-09-13 20:16:00 -07:00 |