Commit Graph

11710 Commits

Author SHA1 Message Date
Michael Kerrisk 3b44624fa4 user_namespaces.7: Minor fixes in various places
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk 8a87c8b32f user_namespaces.7: srcfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk 589e43bb00 user_namespaces.7: tfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk d68c5f1184 user_namespaces.7: Clarify some capabilities details
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk 0666f549da user_namespaces.7: Note treatment of "securebits" flags
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk 37909beed2 user_namespaces.7: wfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk d916d9d073 user_namespaces.7: Rewrote and reorganized various pieces
Mainly the pieces on capabilities, nested namespaces
and namespace membership.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk c9195dede4 user_namespaces.7: wfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk 3a9ff754df user_namespaces.7: SEE ALSO: remove unshare(1) (which is mentioned in namespaces(7))
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk 96ec9d12e6 user_namespaces.7: Clarify that the child of clone() gets all privileges in new userns
Nothing special happens for the children of unshare(2).

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk c94eb4a68d user_namespaces.7: Add reference to Documentation/namespaces/resource-control.txt
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk cf7d22a535 user_namespaces.7: Further reworking of text on nested namespaces and capabilities
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk c0098e767d user_namespaces.7: Relocate text on capabilities of initial process in userns
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk 20e4a14719 user_namespaces.7: Explain uid_map and gid_map in the initial user namespace
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk 3e2a37ec85 user_namespaces.7: Add more detail on unmapped UIDs and GIDs exposed to user space
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk 6eda94413b user_namespaces.7: Reorganize various pieces of DESCRIPTION
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk 30f3ddd6dd user_namespaces.7: Remove duplicated text on EPERM + mapping required in parent userns
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk 1863e45128 user_namespaces.7: Move a misplaced rule re writing to map files
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk f00071920e clone.2: EINVAL if (CLONE_NEWUSER|CLONE_NEWPID) && (CLONE_THREAD|CLONE_PARENT)
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk 4dd85833c1 unshare.2: Document use of CLONE_THREAD, CLONE_SIGHAND, and CLONE_VM
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Eric W. Biederman 98029e6531 pid_namespaces.7: Add much more detail on CLONE_NEWPID + multithreaded processes
CLONE_NEWPID doesn't mix with CLONE_THREAD, CLONE_VM,
and CLONE_SIGHAND.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk bd23efc759 pid_namespaces.7: Further reworking of text on CLONE_NEWPID and threads
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk e0fd534919 pid_namespaces.7: Rework text on threads and CLONE_NEWPID
Adapted text from Eric Biederman.

Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk 7cd5151990 pid_namespaces.7: SEE ALSO: remove unshare(1) (which is mentioned in namespaces(7))
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk 81ccc85366 pid_namespaces.7: Mention unshare()+fork() failure case if "init" terminates
Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk 5597d425e9 pid_namespaces.7: Explain use for readlink() from /proc/self
Reported-by: Rob Landley <rob@landley.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:01 -07:00
Michael Kerrisk 47832b6dfc pid_namespaces.7: Clarify text on failure cases with CLONE_VM + multithreaded
Reported-by: Rob Landley <rob@landley.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk 837ddeb969 pid_namespaces.7: wfix
Reported-by: Rob Landley <rob@landley.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk 36b04745db pid_namespaces.7: Mention suspend/resume of containers in intro text
Reported-by: Rob Landley <rob@landley.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk cbf542aa98 pid_namespaces.7: tfix
Reported-by: Rob Landley <rob@landley.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk bac6162841 pid_namespaces.7: /proc shows mounts according to PID namespace of mounting process
Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk 805685dc1b pid_namespaces.7: Note the shell command used for mount procfs
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk ec411de6d5 pid_namespaces.7: Other call sequences fail with multiple threads and CLONE_NEWPID
Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk 2a4b78e7e2 pid_namespaces.7: Mention PR_SET_CHILD_SUBREAPER in discussion of reparenting to init
Reported-by: Vasily Kulikov <segoon@openwall.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk fa88d1a483 namespaces.7, pid_namespaces.7: Add pointer to example program in user_namespaces(7)
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk 8d36d80cc3 user_namespaces.7: Add an example program
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk df23ae04d6 user_namespaces.7: Linux 3.9 provides a better implementation of nonoverlapping map checks
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk e4f4f2e125 user_namespaces.7: Clarify discussion on privileges of child after clone() by UID 0
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk 1b3d5347f5 user_namespaces.7: Clarify that rules for writing to map files also apply to gid_map
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk 0f069d0c69 user_namespaces.7: wfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk d45d012859 user_namespaces.7: srcfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk 54ead6d395 user_namespaces.7: Describe effect of mappings in the context of file-system operations
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk 4332e54d27 user_namespaces.7: wfix + ffix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk 674c23884e user_namespaces.7: Note some interfaces that return overflowuid and overflowgid
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk 0df0f26dcc user_namespaces.7: srcfix: remove obsolete FIXME
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk 27a6ff6ee6 user_namespaces.7: Describe handling of UIDs+GIDs when passed across a UNIX domain socket
UIDs and GIDs are mapped to receiver's userns when passed across
a UNIX domain socket

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk 01ce1ceaa1 pid_namespaces.7: srcfix: Removed FIXME
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk 5ba153e7ac user_namespaces.7: The initial process in a userns has no capabilities outside the userns
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk d6842bf18d user_namespaces.7: srcfix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00
Michael Kerrisk 627e4074b4 user_namespaces.7: Fix description of inheritance of capabilities across nested namespaces
Based on input from Eric Biederman

    Calling cap_capable asks: Does the current process have
    capability X in userns U.

    I see three ways you can have that capability.

    1) The current process can be in user namespace U and directly
       have capability X.

    2) The current process can be in the parent of namespace U and
       its euid can be the euid that created user namespace U.

    3) You can have the capability X in a user namespace
       that is an ancestor of U.

    Coming from the direction of your manpage text.

    With respect to capabilities, the following rules apply to
    nested user namespaces.

    1.  If a process has a capability in a user namespace, it has that
        capability in all descendant user namespaces as well.

    2.  The user that creates a user namespace while in the parent
        namespace has all capabilities in the created namespace
        and in all descendant user namespaces.

    So having said that, part of my problem with your original
    text is that it actually switches directions.  In one rule
    it is looking into the descendant user namespaces, and in the
    other rule it is looking at ancestor user namespaces.

    So perhaps the text should read:

    With respect to capabilities, the following rules are used to
    answer the question: does a process P have a capability C in a
    user namespace U?

    1. P has the capability C if P is in user namespace U and
       capability C is in process P's capability set.

    2. P has the capability C if P is in the parent of user
       namespace U and the euid of P is the euid that created user
       namespace U.

    3. P has the capability C if P has the capability C in some
       user namespace V that is an ancestor of U.

    Which probably gets a little extra mathematical, but it is
    precise.

Reported-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2014-09-13 20:16:00 -07:00