[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-api
Subject:    Re: [PATCH 4/4] setns.2: Document the pid, user, and mount namespace support.
From:       ebiederm () xmission ! com (Eric W !  Biederman)
Date:       2013-01-07 23:58:46
Message-ID: 8738yc5yvd.fsf () xmission ! com
[Download RAW message or body]

"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:

> Okay. See below.
>
> So, let's take one more pass. How does the following look:
>
>        A multi-threaded process may not  change  user  namespace  with
>        setns().   It  is  not  permitted to use setns() to reenter the
>        caller's current user namespace.  This prevents a  caller  that
>        has  dropped capabilities from regaining those capabilities via
>        a call to setns() A process reassociating itself  with  a  user
>        namespace must have CAP_SYS_ADMIN privileges in the target user
>        namespace.
>
>        A process may not be reassociated with a new mount namespace if
>        it  is  multi-threaded.   Changing the mount namespace requires
>        that the caller possess both CAP_SYS_CHROOT  and  CAP_SYS_ADMIN
>        capabilities in its own user namespace and CAP_SYS_ADMIN in the
>        target mount namespace.

That wording looks correct.

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-api" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[prev in list] [next in list] [prev in thread] [next in thread]