| Field | Value | Date |
|---|---|---|
| author | Michael Kerrisk <mtk.manpages@gmail.com> | 2016-06-21 13:51:24 +0200 |
| committer | Michael Kerrisk <mtk.manpages@gmail.com> | 2016-06-21 13:55:07 +0200 |
| commit | 32efecaab86db8fd18ba8cc730833ab5514d143e (patch) | |
| tree | 616976e39bde98be7cc4ca436d5970218663424a /man7/user_namespaces.7 | |
| parent | 2304b0d740d7d7cdf8a9bc98549d0ac66b9394b8 (diff) | |
| download | man-pages-32efecaab86db8fd18ba8cc730833ab5514d143e.tar.gz | |
user_namespaces.7: List the mount operations permitted by CAP_SYS_ADMIN
List the mount operations permitted by CAP_SYS_ADMIN in a
noninitial userns.
See https://bugzilla.kernel.org/show_bug.cgi?id=120671
Reported-by: Michał Zegan <webczat_200@poczta.onet.pl>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Diffstat (limited to 'man7/user_namespaces.7')
| -rw-r--r-- | man7/user_namespaces.7 | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index e223bf300e..5c792985eb 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 @@ -227,6 +227,44 @@ and creating a device (governed by Only a process with privileges in the .I initial user namespace can perform such operations. + +Holding +.B CAP_SYS_ADMIN +within a (noninitial) user namespace allows the creation of bind mounts, +and mounting of the following types of filesystems: +.\" fs_flags = FS_USERNS_MOUNT in kernel sources + +.RS 4 +.PD 0 +.IP * 2 +.IR /proc +(since Linux 3.8) +.IP * +.IR /sys +(since Linux 3.8) +.IP * +.IR devpts +(since Linux 3.9) +.IP * +.IR tmpfs +(since Linux 3.9) +.IP * +.IR ramfs +(since Linux 3.9) +.IP * +.IR mqueue +(since Linux 3.9) +.IP * +.IR bpf +.\" commit b2197755b2633e164a439682fb05a9b5ea48f706 +(since Linux 4.4) +.PD +.RE +.PP +Note however, that mounting block-based filesystems can be done +only by a process that holds +.BR CAP_SYS_ADMIN +in the initial user namespace. .\" .\" ============================================================ .\" |
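Review bot: the list is introduced as "the following types of filesystems", but its first two entries are written as mount-point paths (`.IR /proc` and `.IR /sys`) while the remaining entries (`devpts`, `tmpfs`, `ramfs`, `mqueue`, `bpf`) are filesystem type names as passed to mount(2); for consistency with the rest of the list and with the `FS_USERNS_MOUNT` comment that refers to kernel filesystem types, these should be the type names `proc` and `sysfs` rather than the conventional paths they are usually mounted on. The same entries use `.IR` with a single argument, where the page otherwise uses `.I` for a single italic word, so `.I proc` / `.I sysfs` would match the surrounding style. Finally, the closing sentence "Note however, that mounting block-based filesystems can be done" reads better as "Note, however, that mounting block-based filesystems can be done", and it would help readers to state explicitly that the list is of filesystem types marked mountable from a noninitial user namespace, since the "(since Linux x.y)" annotations record when each type gained that flag, not when the filesystem itself appeared.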
