[PATCH 4/4] setns.2: Document the pid, user, and mount namespace support.
Eric W. Biederman
ebiederm at xmission.com
Mon Jan 7 23:58:46 UTC 2013
"Michael Kerrisk (man-pages)" <mtk.manpages at gmail.com> writes:
> Okay. See below.
>
> So, let's take one more pass. How does the following look:
>
> A multi-threaded process may not change user namespace with
> setns(). It is not permitted to use setns() to reenter the
> caller's current user namespace. This prevents a caller that
> has dropped capabilities from regaining those capabilities via
> a call to setns() A process reassociating itself with a user
> namespace must have CAP_SYS_ADMIN privileges in the target user
> namespace.
>
> A process may not be reassociated with a new mount namespace if
> it is multi-threaded. Changing the mount namespace requires
> that the caller possess both CAP_SYS_CHROOT and CAP_SYS_ADMIN
> capabilities in its own user namespace and CAP_SYS_ADMIN in the
> target mount namespace.
That wording looks correct.
Eric
More information about the Containers
mailing list