| field | value | date |
|---|---|---|
| author | Michael Kerrisk <mtk.manpages@gmail.com> | 2013-01-16 01:25:16 +0100 |
| committer | Michael Kerrisk <mtk.manpages@gmail.com> | 2014-09-13 20:15:58 -0700 |
| commit | e17d07c17b3bf4797c5749796938706287dca850 (patch) | |
| tree | 4466c9dca0013c797f9386ab374ff6547035ab50 | |
| parent | 33a3c1b8ec6af5eb2a49120f80dd20535018f8cd (diff) | |
| download | man-pages-e17d07c17b3bf4797c5749796938706287dca850.tar.gz | |
namespaces.7: Note treatment of PID namespace "init" process with respect to signals
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
| -rw-r--r-- | man7/namespaces.7 | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/man7/namespaces.7 b/man7/namespaces.7 index 5ca20a7e33..2224c96af1 100644 --- a/man7/namespaces.7 +++ b/man7/namespaces.7 @@ -345,6 +345,18 @@ the kernel terminates all of the processes in the namespace. This behavior reflects the fact that the "init" process is essential for the correct operation of a PID namespace. +Only signals for which the "init" process has established a signal handler +can be sent to the "init" process by other members of the PID namespace. +This restriction applies even to privileged processes, +and prevents other members of the PID namespace from +accidentally killing the "init" process. +However, within ancestor namespaces +the "init" process is treated as a normal user process: +any process can\(emsubject to the usual permission checks described in +.BR kill (2)\(emsend +any signal to the "init" process, +including signals that may result in its termination. + PID namespaces can be nested. When a new PID namespace is created, the processes in that namespace are visible |
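Review bot: the ancestor-namespace sentence at the end of the hunk ("any process can ... send any signal to the "init" process, including signals that may result in its termination") is broader than what the first part of the hunk establishes and should be verified before it lands. The new paragraph opens by saying that even privileged senders inside the namespace can deliver only signals for which "init" has a handler; my reading of the kernel's sig_ignored() handling of SIGNAL_UNKILLABLE tasks is that a sender in an ancestor namespace is also limited to handled signals, and that only SIGKILL and SIGSTOP are forced through regardless of disposition, so "any signal" overstates the exception. Suggest rewording along the lines of "a process in an ancestor namespace can send signals to the "init" process only if "init" has established a handler for them; SIGKILL and SIGSTOP are the exception and are forcibly delivered", and keeping the existing cross-reference to .BR kill (2) for the permission checks. The rest of the hunk follows the page's one-sentence-per-line groff convention and the \(em escapes render correctly, so no style changes are needed there.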
