-rw-r--r--  man7/namespaces.7  15
1 files changed, 14 insertions, 1 deletions
diff --git a/man7/namespaces.7 b/man7/namespaces.7
index 196972e9ca..bb37fedb6f 100644
--- a/man7/namespaces.7
+++ b/man7/namespaces.7
@@ -267,9 +267,22 @@ $ \fBcat /proc/20124/cgroup | grep freezer\fP
.in
.fi
-The virtualization provided by cgroup namespaces can be used to prevent
+The virtualization provided by cgroup namespaces serves at least two purposes.
+First, it can be used to prevent
information leaks whereby cgroup directory paths outside of
a container would otherwise be visible to processes in the container.
+More importantly, this allows easier and more flexible
+confinement of container root tasks, because they can mount
+their own cgroup filesystems without needing to gain access to ancestor
+cgroup directories.
+So, for example, even if
+.I /cg/1
+is owned by uid 100000, a task namespaced under
+.I /cg/1/2
+owned by UID 100000 can mount that cgroup but not change settings in
+.IR /cg/1 .
+Combined with correct enforcement of hierarchical limits,
+this prevents that task from escaping its limits.
Use of cgroup namespaces requires a kernel that is configured with the
.B CONFIG_CGROUPS
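Review bot: the worked example in this hunk is ambiguous about what "owned by UID 100000" attaches to, and it spells the term two ways ("uid 100000" for /cg/1, "UID 100000" two lines later); the rest of the page uses UID, so use that in both places and reorder the second sentence so the owner is clearly the task, e.g. "a task owned by UID 100000 and namespaced under .I /cg/1/2 can mount that cgroup but not change settings in .IR /cg/1 ." It would also help to state the reason the ancestor is out of reach, which the preceding sentence already implies: /cg/1/2 is the root of the task's cgroup namespace, so /cg/1 does not appear in the cgroup filesystem the task mounts, regardless of who owns the directory.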