Diffstat (limited to 'man7/namespaces.7')
| -rw-r--r-- | man7/namespaces.7 | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/man7/namespaces.7 b/man7/namespaces.7 index f134ff3795..e4516d7d2f 100644 --- a/man7/namespaces.7 +++ b/man7/namespaces.7 @@ -555,6 +555,19 @@ namespaces created by the call. Thus, it is possible for an unprivileged caller to specify this combination of flags. +When a new IPC, mount, network, PID, or UTS namespace is created via +.BR clone (2) +or +.BR unshare (2), +the kernel records the user namespace of the creating process against +the new namespace. +When a process in the new namespace subsequently performs +privileged operations that operate on global +resources isolated by the namespace, +the permission checks are performed according to the process's capabilities +in the user namespace that the kernel associated with the new namespace. + + The following rules apply with respect to the capabilities granted to a process: .\" In the 3.8 sources, see security/commoncap.c::cap_capable(): |
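Review bot: the new paragraph says the kernel records "the user namespace of the creating process", but it does not say which user namespace that is when CLONE_NEWUSER is given in the same clone(2) or unshare(2) call as the other CLONE_NEW* flags, which is exactly the case the preceding context lines are discussing ("namespaces created by the call. Thus, it is possible for an unprivileged caller to specify this combination of flags."). Since the user namespace is created before the other namespaces in that call, the recorded owner is the new user namespace; suggest stating this explicitly, for example "the user namespace of which the new process (clone(2)) or the caller (unshare(2)) is a member after any CLONE_NEWUSER in the same call has taken effect", so that a reader does not conclude the namespaces are owned by the parent's (original) user namespace. Separately, the hunk ends with two added blank lines ("+", "+") before " The following rules apply ...": man-pages(7) asks that paragraphs be separated by .PP rather than blank lines, and two consecutive blank lines would render as extra vertical space, so replace them with a single .PP (and check that the same separator is present between "combination of flags." and the new "When a new IPC, ..." paragraph).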
