| author | Eric W. Biederman <ebiederm@xmission.com> | 2014-09-08 06:01:40 -0700 |
|---|---|---|
| committer | Michael Kerrisk <mtk.manpages@gmail.com> | 2014-09-13 20:16:03 -0700 |
| commit | b10c74ff2596222e8b353904ae680171282963ac (patch) | |
| tree | a3d0e1e4ac185bfb7baccb93b847ea5e7adac1ee /man7/user_namespaces.7 | |
| parent | 7aba437aa18c163262e48a004c3db1faddbb29c5 (diff) | |
| download | man-pages-b10c74ff2596222e8b353904ae680171282963ac.tar.gz | |
user_namespaces.7: Add "Restrictions on mount namespaces" section
Light edits by mtk
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Diffstat (limited to 'man7/user_namespaces.7')
| -rw-r--r-- | man7/user_namespaces.7 | 63 |
1 files changed, 61 insertions, 2 deletions
diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index fc328ae688..2d6530d601 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 @@ -1,5 +1,5 @@ -.\" Copyright (c) 2013 by Michael Kerrisk <mtk.manpages@gmail.com> -.\" and Copyright (c) 2012 by Eric W. Biederman <ebiederm@xmission.com> +.\" Copyright (c) 2013, 2014 by Michael Kerrisk <mtk.manpages@gmail.com> +.\" and Copyright (c) 2012, 2014 by Eric W. Biederman <ebiederm@xmission.com> .\" .\" Permission is granted to make and distribute verbatim copies of this .\" manual provided the copyright notice and this permission notice are 
@@ -245,6 +245,65 @@ in the user namespace that the kernel associated with the new namespace. .\" .\" ============================================================ .\" +.SS Restrictions on mount namespaces + +Note the following points with respect to mount namespaces: +.IP * 3 +A mount namespace has an owner user namespace. +A mount namespace whose owner user namespace is different from +the owner user namespace of its parent mount namespace is +considered a less privileged mount namespace. +.IP * +When creating a less privileged mount namespace, +shared mounts are reduced to slave mounts. +This ensures that mappings performed in less +privileged mount namespaces will not propagate to more privileged +mount namespaces. +.IP * +.\" FIXME . +.\" What does "come as a single unit from more privileged mount" mean? +Mounts that come as a single unit from more privileged mount are +locked together and may not be separated in a less privileged mount +namespace. +.IP * +The +.BR mount (2) +flags +.BR MS_RDONLY , +.BR MS_NOSUID , +.BR MS_NOEXEC , +and the "atime" flags +.RB ( MS_NOATIME , +.BR MS_NODIRATIME , +.BR MS_RELATIME) +settings become locked +.\" commit 9566d6742852c527bf5af38af5cbb878dad75705 +.\" Author: Eric W. Biederman <ebiederm@xmission.com> +.\" Date: Mon Jul 28 17:26:07 2014 -0700 +.\" +.\" mnt: Correct permission checks in do_remount +.\" +when propagated from a more privileged to +a less privileged mount namespace, +and may not be changed in the less privileged mount namespace. +.IP * +.\" (As of 3.18-rc1 (in Al Viro's 2014-08-30 vfs.git#for-next tree)) +A file or directory that is a mount point in one namespace that is not +a mount point in another namespace, may be renamed, unlinked, or removed +.RB ( rmdir (2)) +in the mount namespace in which it is not a mount point +(subject to the usual permission checks). 
+.IP +Previously, attempting to unlink, rename, or remove a file or directory +that was a mount point in another mount namespace would result in the error +.BR EBUSY . +That behavior had technical problems of enforcement (e.g., for NFS) +and permitted denial-of-service attacks against more privileged users. +(i.e., preventing individual files from being updated +by bind mounting on top of them). +.\" +.\" ============================================================ +.\" .SS User and group ID mappings: uid_map and gid_map When a user namespace is created, it starts out without a mapping of user IDs (group IDs) |
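Review bot: the third bullet of the new section ("Mounts that come as a single unit from more privileged mount are locked together") ships with its own FIXME unresolved and is missing a word after "more privileged mount" (presumably "mount namespace"); the sentence should be completed before the page goes out, since a reader cannot tell what "a single unit" refers to. Two smaller points in the same hunk: in the flags bullet, `.BR MS_RELATIME)` passes the closing parenthesis as part of the bold argument, so it renders in bold; the page's own convention two lines earlier (`.RB ( MS_NOATIME ,`) suggests `.BR MS_RELATIME )`. And in the final paragraph, "against more privileged users. (i.e., preventing individual files ..." leaves the "i.e." clause as a stand-alone parenthetical after a full stop; either drop the period before it or turn the parenthetical into its own sentence. The second bullet's "mappings performed in less privileged mount namespaces will not propagate" also reads oddly in a bullet about shared-to-slave reduction, where the thing that propagates is mount events rather than ID mappings; worth a word choice check.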
