LDP
/
man-pages
mirror of https://github.com/mkerrisk/man-pages
0
1
Fork 0
Code Releases Activity
11,741 Commits 1 Branch 197 Tags 93 MiB
Commit Graph

11741 Commits

Author SHA1 Message Date
Michael Kerrisk 4dd85833c1 unshare.2: Document use of CLONE_THREAD, CLONE_SIGHAND, and CLONE_VM 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Eric W. Biederman 98029e6531 pid_namespaces.7: Add much more detail on CLONE_NEWPID + multhreaded processes 
CLONE_NEWPID doesn't mix with CLONE_THREAD, CLONE_VM,
and CLONE_SIGHAND.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk bd23efc759 pid_namespaces.7: Further reworking of text on CLONE_NEWPID and threads 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk e0fd534919 pid_namespaces.7: Rework text on threads and CLONE_NEWPID 
Adapted text from Eric Biederman.

Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 7cd5151990 pid_namespaces.7: SEE ALSO: remove unshare(1) (which is mentioned in namespaces(7)) 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 81ccc85366 pid_namespaces.7: Mention unshare()+fork() failure case if "init" terminates 
Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 5597d425e9 pid_namespaces.7: Explain use for readlink() from /proc/self 
Reported-by: Rob Landley <rob@landley.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:01 -07:00
Michael Kerrisk 47832b6dfc pid_namespaces.7: Clarify text on failure cases with CLONE_VM + multithreaded 
Reported-by: Rob Landley <rob@landley.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 837ddeb969 pid_namespaces.7: wfix 
Reported-by: Rob Landley <rob@landley.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 36b04745db pid_namespaces.7: Mention suspend/resume of containers in intro text 
Reported-by: Rob Landley <rob@landley.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk cbf542aa98 pid_namespaces.7: tfix 
Reported-by: Rob Landley <rob@landley.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk bac6162841 pid_namespaces.7: /proc shows mounts according to PID namespace of mounting process 
Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 805685dc1b pid_namespaces.7: Note the shell command used for mount procfs 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk ec411de6d5 pid_namespaces.7: Other call sequences fail with multiple threads and CLONE_NEWPID 
Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 2a4b78e7e2 pid_namespaces.7: Mention PR_SET_CHILD_SUBREAPER in discussion of reparenting to init 
Reported-by: Vasily Kulikov <segoon@openwall.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk fa88d1a483 namespaces.7, pid_namespaces.7: Add pointer to example program in user_namespaces(7) 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 8d36d80cc3 user_namespaces.7: Add an example program 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk df23ae04d6 user_namespaces.7: Linux 3.9 provides a better implementation of nonoverlapping map checks 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk e4f4f2e125 user_namespaces.7: Clarify discussion on privileges of child after clone() by UID 0 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 1b3d5347f5 user_namespaces.7: Clarify that rules for writing to map files also apply to gid_map 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 0f069d0c69 user_namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk d45d012859 user_namespaces.7: srcfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 54ead6d395 user_namespaces.7: Describe effect of mappings in the context of file-system operations 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 4332e54d27 user_namespaces.7: wfix + ffix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 674c23884e user_namespaces.7: Note some interfaces that return overflowuid and overflowgid 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 0df0f26dcc user_namespaces.7: srcfix: remove obsolete FIXME 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 27a6ff6ee6 user_namespaces.7: Describe handling of UIDs+GIDs when passed across a UNIX domain socket 
UIDs and GIDs are mapped to receiver's userns when passed across
a UNIX domain socket

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 01ce1ceaa1 pid_namespaces.7: srcfix: Removed FIXME 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 5ba153e7ac user_namespaces.7: The initial process in a userns has no capabilities outside the userns 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk d6842bf18d user_namespaces.7: srcfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 627e4074b4 user_namespaces.7: Fix description of inheritance of capabilities across nested namespaces 
Based on input from Eric Biederman

    Calling cap_capable asks: Does the current process have
    capability X in userns U.

    I see three ways you can have that capability.

    1) The current process can be in user namespace U and directly
       have capability X.

    2) The current process can be in the parent of namespace U and
       its euid can be the euid that created user namespace U.

    3) You can have be have the capability X in a user namespace
       that is an ancestor of U.

    Coming from the direction of your manpage text.

    With respect to capabilities, the following rules apply to
    nested user namespaces.

    1.  If a process has a capability in a user namespace has that
        capability in all descendant user namespaces as well.

    2.  The user that creates a user namespace while in the parent
        namespace has all capabilities in the created namespace
        and in all descendent user namespaces.

    So having said that part of my problem with your original
    text is that it actually switches directions.  One one rule
    it is looking into the descendent user namespaces, and in the
    other rule it is looking at ancestor user namespaces.

    So perhaps the text should read:

    With respect to capabilities, the following rules are used to
    answer the question does a process P have a capability C in a
    user namespace U.

    1. P has the capability C if P is in user namespace U and
       capability C is in process P's capability set.

    2. P has the capability C if P is in the parent of user
       namespace U and the euid of P is the euid that created user
       namespace U.

    3. P has the capability C if P has the capability C in some
       user namespace V that is an ancestor of U.

    Which probably gets a little extra mathematical, but it is
    precise.

Reported-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 7ae693d017 user_namespaces.7: wfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 03611be8d7 user_namespaces.7: Add some references to other pages 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 6c3db75479 pid_namespaces.7: readlink(2) on /proc/self gives the caller's PID in the pidns of /proc 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 6e377abf9c pid_namespaces.7: Parent process relationships mirror parent PID namespace relationships 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 7a9ab60197 pid_namespaces.7: srcfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 546fb4eefe pid_namespaces.7: Rewrite discussion of nested PID namespaces 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 4085d4cde3 pid_namespaces.7: srcfix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:16:00 -07:00
Michael Kerrisk 963e117faf pid_namespaces.7: Minor wording fix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk 84030779d2 pid_namespaces.7: Reorganize and add some subheadings 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk 7e0e902b55 clone.2, getpid.2, credentials.7: Replace reference to namespaces(7) with pid_namespaces(7) 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk 024d6a8449 namespaces.7: Remove PID namespaces material shifted to pid_namespaces(7) 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk a79bacf5f1 pid_namespaces.7: New page splitting PID namespace material out of namespaces(7) 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk f58fb24f16 clone.2, seteuid.2, setgid.2, setresuid.2, setreuid.2, setuid.2, unshare.2, capabilities.7, credentials.7: Change reference to namespaces(7) to user_namespaces(7) 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk 62a5214c57 user_namespaces.7: Reorganize and add some subheadings 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk 67d1131fd9 namespaces.7: Remove userns material shifted to user_namespaces(7) 
The user namespaces section was getting long and unwieldy.
Split it into its own page, so that it can be better
structured with subtitles, etc.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk 046de6a7d7 user_namespaces.7: New page splitting user namespace material out of namespaces(7) 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk 9552196ecb namespaces.7: ffix 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk e67b117c39 namespaces.7: Document association between userns and other namespace types 
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
 2014-09-13 20:15:59 -07:00
Michael Kerrisk 16fe718f99 setns.2: wfix 2014-09-13 20:15:59 -07:00