| field | value | date |
|---|---|---|
| author | Michael Kerrisk <mtk.manpages@gmail.com> | 2013-02-26 15:27:49 +0100 |
| committer | Michael Kerrisk <mtk.manpages@gmail.com> | 2014-09-13 20:15:59 -0700 |
| commit | e67b117c39c1b2b48fa0ef401e6493b3d0a6e2f0 | |
| tree | 09b0eae28114451918155573019f8b36e942cd84 (man7/namespaces.7) | |
| parent | 16fe718f999e9c75a45d7582f6bc287f11d6d065 | |
| download | man-pages-e67b117c39c1b2b48fa0ef401e6493b3d0a6e2f0.tar.gz | |
namespaces.7: Document association between userns and other namespace types
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Diffstat (limited to 'man7/namespaces.7')
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | man7/namespaces.7 | 13 |

1 files changed, 13 insertions, 0 deletions
diff --git a/man7/namespaces.7 b/man7/namespaces.7 index f134ff3795..e4516d7d2f 100644 --- a/man7/namespaces.7 +++ b/man7/namespaces.7 @@ -555,6 +555,19 @@ namespaces created by the call. Thus, it is possible for an unprivileged caller to specify this combination of flags. +When a new IPC, mount, network, PID, or UTS namespace is created via +.BR clone (2) +or +.BR unshare (2), +the kernel records the user namespace of the creating process against +the new namespace. +When a process in the new namespace subsequently performs +privileged operations that operate on global +resources isolated by the namespace, +the permission checks are performed according to the process's capabilities +in the user namespace that the kernel associated with the new namespace. + + The following rules apply with respect to the capabilities granted to a process: .\" In the 3.8 sources, see security/commoncap.c::cap_capable(): |
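Review bot: the wording "the user namespace of the creating process" in the new paragraph is ambiguous for exactly the case the preceding context lines describe (CLONE_NEWUSER combined with other CLONE_NEW* flags in a single clone(2) or unshare(2) call, "giving ... privileges over the remaining namespaces created by the call"): in that case the owner recorded against the new IPC, mount, network, PID, or UTS namespace is the user namespace created by that same call, not the one the caller was a member of beforehand, and that is what makes the unprivileged combination useful. Suggest stating this explicitly, e.g. "the kernel records the user namespace in which the creating process resides (or, if CLONE_NEWUSER was specified in the same call, the newly created user namespace) against the new namespace." Also, the two trailing added lines (the final "+" "+" before "The following rules apply") add two blank source lines, which troff renders as extra vertical space; a single paragraph separator is enough.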
