| -rw-r--r-- | man7/user_namespaces.7 | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index e223bf300e..5c792985eb 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 @@ -227,6 +227,44 @@ and creating a device (governed by Only a process with privileges in the .I initial user namespace can perform such operations. + +Holding +.B CAP_SYS_ADMIN +within a (noninitial) user namespace allows the creation of bind mounts, +and mounting of the following types of filesystems: +.\" fs_flags = FS_USERNS_MOUNT in kernel sources + +.RS 4 +.PD 0 +.IP * 2 +.IR /proc +(since Linux 3.8) +.IP * +.IR /sys +(since Linux 3.8) +.IP * +.IR devpts +(since Linux 3.9) +.IP * +.IR tmpfs +(since Linux 3.9) +.IP * +.IR ramfs +(since Linux 3.9) +.IP * +.IR mqueue +(since Linux 3.9) +.IP * +.IR bpf +.\" commit b2197755b2633e164a439682fb05a9b5ea48f706 +(since Linux 4.4) +.PD +.RE +.PP +Note however, that mounting block-based filesystems can be done +only by a process that holds +.BR CAP_SYS_ADMIN +in the initial user namespace. .\" .\" ============================================================ .\" |
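Review bot: the bulleted list mixes mount-point paths with filesystem type names; the first two entries, ".IR /proc" and ".IR /sys", name the directories these are usually mounted on, while the remaining entries (devpts, tmpfs, ramfs, mqueue, bpf) are filesystem types as passed in the type argument of mount(2), and the comment ".\" fs_flags = FS_USERNS_MOUNT in kernel sources" makes clear the list is meant to be of filesystem types. Suggest "proc" and "sysfs" for the first two so all items are type names. Two smaller points in the same hunk: the sentence "Holding CAP_SYS_ADMIN within a (noninitial) user namespace allows the creation of bind mounts" would be more precise if it said that the capability must be held in the user namespace that owns the caller's mount namespace, since that is the namespace mount(2) checks rather than any user namespace the process happens to be in; and the closing sentence reads better as "Note, however, that mounting block-based filesystems ..." with the comma after "Note" rather than after "however".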
