Diffstat (limited to 'man7/namespaces.7')
-rw-r--r-- man7/namespaces.7 40
1 files changed, 20 insertions, 20 deletions
diff --git a/man7/namespaces.7 b/man7/namespaces.7
index c79d3de08d..9873cc7627 100644
--- a/man7/namespaces.7
+++ b/man7/namespaces.7
@@ -555,6 +555,26 @@ namespaces created by the call.
Thus, it is possible for an unprivileged caller to specify this combination
of flags.
+The following rules apply with respect to the capabilities granted
+to a process:
+.\" In the 3.8 sources, see security/commoncap.c::cap_capable():
+.IP 1. 3
+If a process has a capability in a parent user namespace,
+then it has that capability in all child (and further removed descendant)
+namespaces as well.
+.IP 2.
+.\" * The owner of the user namespace in the parent of the
+.\" * user namespace has all caps.
+When a user namespace is created, the kernel records the effective
+user ID of the creating process as being the "owner" of the namespace.
+A process whose effective user ID matches that of the
+owner of a user namespace and which is a member of the parent namespace
+(or a further removed namespace that is a direct ancestor)
+has all capabilities in the user namespace.
+.\" As a rough approximation, this means that
+.\" the user who creates a user namespace
+.\" has all capabilities inside that namespace and its descendants.
+.PP
Use of user namespaces requires a kernel that is configured with the
.B CONFIG_USER_NS
option.
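Review bot: the inserted text starts with "The following rules apply with respect to the capabilities granted" directly after the context line "of flags." with no `.PP` between them, so in the rendered page the new paragraph will be joined onto the end of the preceding sentence about the flag combination an unprivileged caller may specify. Add a `.PP` before "The following rules apply" (the block already ends with its own `.PP` before "Use of user namespaces requires a kernel ..."). Otherwise the moved block is intact: the `.IP 1. 3` / `.IP 2.` list and the `.\"` source-reference comments are carried over unchanged, so the two rules render exactly as before.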
@@ -737,26 +757,6 @@ in the parent user namespace.
.PP
Writes that violate the above rules fail with the error
.BR EPERM .
-
-The following rules apply with respect to the capabilities granted
-to a process:
-.\" In the 3.8 sources, see security/commoncap.c::cap_capable():
-.IP 1. 3
-If a process has a capability in a parent user namespace,
-then it has that capability in all child (and further removed descendant)
-namespaces as well.
-.IP 2.
-.\" * The owner of the user namespace in the parent of the
-.\" * user namespace has all caps.
-When a user namespace is created, the kernel records the effective
-user ID of the creating process as being the "owner" of the namespace.
-A process whose effective user ID matches that of the
-owner of a user namespace and which is a member of the parent namespace
-(or a further removed namespace that is a direct ancestor)
-has all capabilities in the user namespace.
-.\" As a rough approximation, this means that
-.\" the user who creates a user namespace
-.\" has all capabilities inside that namespace and its descendants.
.PP
When a process inside a user namespace executes
a set-user-ID (set-group-ID) program,
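Review bot: the removal is clean and leaves no orphaned macro: the bare blank line (the lone `-` line) that preceded the old block goes with it, and the retained `.PP` after `.BR EPERM .` keeps the paragraph break before "When a process inside a user namespace executes". Removing the block from here also stops the capability rules from sitting between "Writes that violate the above rules fail with the error EPERM" and the set-user-ID paragraph, where "the above rules" could be read as referring to them rather than to the uid_map/gid_map write rules.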