path: root/man7/user_namespaces.7
Diffstat (limited to 'man7/user_namespaces.7')
-rw-r--r--  man7/user_namespaces.7  13
1 files changed, 9 insertions, 4 deletions
diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
index d0414c0dda..2dee47ee24 100644
--- a/man7/user_namespaces.7
+++ b/man7/user_namespaces.7
@@ -108,7 +108,13 @@ or joins an existing user namespace using
gains a full set of capabilities in that namespace,
and its securebits flags are cleared.
On the other hand,
-that process has no capabilities outside that user namespace,
+that process has no capabilities in the parent (in the case of
+.BR clone (2))
+or previous (in the case of
+.BR unshare (2)
+and
+.BR setns (2))
+user namespace,
even if the new namespace is created or joined by the root user
(i.e., a process with user ID 0 in the root namespace).
(Nevertheless, a process owned by the root user
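Review bot: the rewritten sentence at the top of this hunk ("that process has no capabilities in the parent (in the case of clone(2)) or previous (in the case of unshare(2) and setns(2)) user namespace") nests two parentheticals between the adjective and the noun they modify, so the reader reaches "user namespace" only after four lines of qualification. Name the namespace once and list the cases after it, for example "that process has no capabilities in the user namespace it came from (its parent namespace for clone(2), its previous namespace for unshare(2) and setns(2)),". That keeps the distinction the change is making, that clone(2) creates a child of the caller's namespace while setns(2) may move the caller into a namespace that is not its child, without the nested parentheses.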
@@ -133,9 +139,8 @@ or caller (for
.BR unshare (2),
or
.BR setns (2)).
-Note that
-because the caller no longer has capabilities in its original user namespace
-after a call to
+Note that because the caller no longer has capabilities
+in its original user namespace after a call to
.BR setns (2),
it is not possible for a process to reset its "securebits" flags while
retaining its user namespace membership by using a pair of
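Review bot: this hunk only reflows a line break, but the wording "its original user namespace" is left in place while the first hunk of this same patch introduces "previous ... user namespace" for exactly this situation (a caller that has moved via setns(2)). Since the lines are being touched anyway, change "original" to "previous" here so the two passages use one term for the same namespace. The reflow itself is fine: no words change and ".BR setns (2)" stays on its own line, as the man macros require.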