[PATCH 4/4] setns.2: Document the pid, user, and mount namespace support.

Eric W. Biederman ebiederm at xmission.com
Mon Jan 7 23:58:46 UTC 2013


"Michael Kerrisk (man-pages)" <mtk.manpages at gmail.com> writes:

> Okay. See below.
>
> So, let's take one more pass. How does the following look:
>
>        A multi-threaded process may not  change  user  namespace  with
>        setns().   It  is  not  permitted to use setns() to reenter the
>        caller's current user namespace.  This prevents a  caller  that
>        has  dropped capabilities from regaining those capabilities via
>        a call to setns().  A process reassociating itself with  a  user
>        namespace must have CAP_SYS_ADMIN privileges in the target user
>        namespace.
>
>        A process may not be reassociated with a new mount namespace if
>        it  is  multi-threaded.   Changing the mount namespace requires
>        that the caller possess both CAP_SYS_CHROOT  and  CAP_SYS_ADMIN
>        capabilities in its own user namespace and CAP_SYS_ADMIN in the
>        target mount namespace.

That wording looks correct.

Eric
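
The re-entry rule in the wording above can be observed from an unprivileged process. The following is an added example, not code from this thread or from the man-pages project: it asks the kernel to rejoin the caller's own user namespace and compares the effective capability mask before and after. It assumes Linux with /proc mounted; `try_setns` and `cap_eff` are names made up for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000 /* value from <linux/sched.h> */
#endif

/* Effective capability mask (CapEff) from /proc/self/status; 0 if unreadable. */
unsigned long long cap_eff(void)
{
    unsigned long long caps = 0;
    char line[256];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "CapEff: %llx", &caps) == 1)
            break;
    fclose(f);
    return caps;
}

/* Ask the kernel to move the caller into the namespace at ns_path.
 * Uses the raw syscall behind setns(2). Returns 0 on success, else errno. */
int try_setns(const char *ns_path, int nstype)
{
    int fd = open(ns_path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return errno;
    int err = syscall(SYS_setns, fd, nstype) == 0 ? 0 : errno;
    close(fd);
    return err;
}

int main(void)
{
    unsigned long long before = cap_eff();
    int err = try_setns("/proc/self/ns/user", CLONE_NEWUSER);
    printf("setns(own user ns): %s\n", err ? strerror(err) : "succeeded");
    printf("CapEff before=%016llx after=%016llx\n", before, cap_eff());
    return err ? 0 : 1; /* success here would contradict the documented rule */
}
```

The kernel reports this refusal as EINVAL, and the capability mask printed after the call matches the one printed before it.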

