From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Michael Kerrisk (man-pages)"
Subject: Re: [PATCH 1/2] proc.5: Document /proc/[pid]/setgroups
Date: Thu, 12 Feb 2015 14:53:29 +0100
Message-ID: <54DCB059.2020305@gmail.com>
In-Reply-To: <8761b8lfoz.fsf@x220.int.ebiederm.org>
To: "Eric W. Biederman"
Cc: mtk.manpages@gmail.com, Linux Containers, Josh Triplett, Andrew Morton, Kees Cook, Linux API, linux-man, linux-kernel@vger.kernel.org, LSM, Casey Schaufler, "Serge E. Hallyn", Richard Weinberger, Kenton Varda, stable, Andy Lutomirski
List-Id: containers.vger.kernel.org
Content-Type: text/plain; charset=utf-8

Hello Eric,

On 02/11/2015 02:51 PM, Eric W. Biederman wrote:
> "Michael Kerrisk (man-pages)" writes:
>
>> Hi Eric,
>>
>> Ping!
>>
>> Cheers,
>>
>> Michael
>
> My apologies. Your description wasn't wrong but it may be a bit
> misleading, explanation below. You will have to figure out how to work
> that into your proposed text.
>
>> On 2 February 2015 at 16:36, Michael Kerrisk (man-pages)
>> wrote:
>>> [Adding Josh to CC in case he has anything to add.]
>>>
>>> On 12/12/2014 10:54 PM, Eric W. Biederman wrote:
>>>>
>>>> Signed-off-by: Eric W. Biederman
>>>> ---
>>>>  man5/proc.5 | 15 +++++++++++++++
>>>>  1 file changed, 15 insertions(+)
>>>>
>>>> diff --git a/man5/proc.5 b/man5/proc.5
>>>> index 96077d0dd195..d661e8cfeac9 100644
>>>> --- a/man5/proc.5
>>>> +++ b/man5/proc.5
>>>> @@ -1097,6 +1097,21 @@ are not available if the main thread has already terminated
>>>> .\" Added in 2.6.9
>>>> .\" CONFIG_SCHEDSTATS
>>>> .TP
>>>> +.IR /proc/[pid]/setgroups " (since Linux 3.19-rc1)"
>>>> +This file reports
>>>> +.BR allow
>>>> +if the setgroups system call is allowed in the current user namespace.
>>>> +This file reports
>>>> +.BR deny
>>>> +if the setgroups system call is not allowed in the current user namespace.
>>>> +This file may be written to with values of
>>>> +.BR allow
>>>> +and
>>>> +.BR deny
>>>> +before
>>>> +.IR /proc/[pid]/gid_map
>>>> +is written to (enabling setgroups) in a user namespace.
>>>> +.TP
>>>> .IR /proc/[pid]/smaps " (since Linux 2.6.14)"
>>>> This file shows memory consumption for each of the process's mappings.
>>>> (The
>>>
>>> Hi Eric,
>>>
>>> Thanks for this patch. I applied it, and then tried to work in
>>> quite a few other details gleaned from the source code and commit
>>> message, and Jon Corbet's article at http://lwn.net/Articles/626665/.
>>> Could you please let me know if the following is correct:
>
> It is close but it may be misleading.
>
>>>     /proc/[pid]/setgroups (since Linux 3.19)
>>>            This file displays the string "allow" if processes in
>>>            the user namespace that contains the process pid are
>>>            permitted to employ the setgroups(2) system call, and
>>>            "deny" if setgroups(2) is not permitted in that user
>>>            namespace.
>
> With the caveat that when gid_map is not set that setgroups is also not
> allowed.

Okay -- I added that point.

>>>            A privileged process (one with the CAP_SYS_ADMIN
>>>            capability in the namespace) may write either of the
>>>            strings "allow" or "deny" to this file before writing a
>>>            group ID mapping for this user namespace to the file
>>>            /proc/[pid]/gid_map. Writing the string "deny" prevents
>>>            any process in the user namespace from employing
>>>            setgroups(2).
>
> Or more succinctly.
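Review bot: in the added .TP entry, `.BR allow` and `.BR deny` each carry a single argument, so the alternating bold/roman macro does no work there; `.B allow` / `.B deny` is the idiomatic form. The entry also says the file "may be written to" without saying who may write it (the thread text below states it takes CAP_SYS_ADMIN in the namespace) or that a written "deny" cannot later be undone, which is the property the whole file exists for; and the version should follow man-pages convention as "since Linux 3.19", as the reworked text later in this mail already does, rather than "3.19-rc1".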
> You are allowed to write to /proc/[pid]/setgroups
> when calling setgroups is not allowed because gid_map is unset. This
> ensures we do not have any transitions from a state where setgroups
> is allowed to a state where setgroups is denied. There are only
> transitions from setgroups not-allowed to setgroups allowed.

And I've worked in the above point, rewording a bit along the way.
So, how does the following look (only the first two paragraphs have
changed)?

       /proc/[pid]/setgroups (since Linux 3.19)
              This file displays the string "allow" if processes in
              the user namespace that contains the process pid are
              permitted to employ the setgroups(2) system call, and
              "deny" if setgroups(2) is not permitted in that user
              namespace. (Note, however, that calls to setgroups(2)
              are also not permitted if /proc/[pid]/gid_map has not
              yet been set.)

              A privileged process (one with the CAP_SYS_ADMIN
              capability in the namespace) may write either of the
              strings "allow" or "deny" to this file before writing a
              group ID mapping for this user namespace to the file
              /proc/[pid]/gid_map. Writing the string "deny" prevents
              any process in the user namespace from employing
              setgroups(2). In other words, it is permitted to write
              to /proc/[pid]/setgroups so long as calling setgroups(2)
              is not allowed because /proc/[pid]/gid_map has not been
              set. This ensures that a process cannot transition from
              a state where setgroups(2) is allowed to a state where
              setgroups(2) is denied; a process can only transition
              from setgroups(2) being disallowed to setgroups(2) being
              allowed.

              The default value of this file in the initial user
              namespace is "allow".

              Once /proc/[pid]/gid_map has been written to (which has
              the effect of enabling setgroups(2) in the user
              namespace), it is no longer possible to deny
              setgroups(2) by writing to /proc/[pid]/setgroups.

              A child user namespace inherits the /proc/[pid]/gid_map
              setting from its parent.

              If the setgroups file has the value "deny", then the
              setgroups(2) system call can't subsequently be reenabled
              (by writing "allow" to the file) in this user namespace.
              This restriction also propagates down to all child user
              namespaces of this user namespace.

Cheers,

Michael

-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
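The one-way transition the thread settles on can be checked from user space. The following C program is an added example, not part of the thread or of man-pages; it creates a new user namespace with unshare(2), writes "deny" to /proc/self/setgroups, writes a single-line gid_map for the creator's own gid, and then confirms that setgroups(2) is refused and that "allow" can no longer be written. The function name `demo_setgroups_lock` and the return-code convention are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Write text to a /proc file; returns 0 or -errno from open(2)/write(2). */
static int write_proc(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    int err = (write(fd, text, strlen(text)) < 0) ? errno : 0;
    close(fd);
    return -err;
}

/* Walk the one-way state machine from the thread in a fresh user namespace:
 * "deny" while gid_map is unset, set gid_map, then show that setgroups(2) is
 * refused and that "allow" can no longer be written. Returns 0 if every step
 * matches the documented behaviour, 1 if this environment cannot create a
 * user namespace (or predates the setgroups file), -1 on any mismatch. */
int demo_setgroups_lock(void)
{
    char map[64];
    gid_t parent_gid = getegid();     /* our gid as seen in the parent namespace */
    if (unshare(CLONE_NEWUSER) < 0)
        return 1;                     /* EPERM/EINVAL: user namespaces unavailable */
    /* 1. "deny" is accepted only while gid_map is still empty. */
    int rc = write_proc("/proc/self/setgroups", "deny\n");
    if (rc == -ENOENT)
        return 1;                     /* kernel older than 3.19: no such file */
    if (rc != 0)
        return -1;
    /* 2. With setgroups denied, the creator may map its own gid unprivileged. */
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)parent_gid);
    if (write_proc("/proc/self/gid_map", map) != 0)
        return -1;
    /* 3. gid_map is set, yet the namespace stays denied: setgroups(2) -> EPERM. */
    if (setgroups(0, NULL) == 0 || errno != EPERM)
        return -1;
    /* 4. Denied -> allowed is the transition the kernel forbids: EPERM. */
    if (write_proc("/proc/self/setgroups", "allow\n") != -EPERM)
        return -1;
    return 0;
}
```

Call `demo_setgroups_lock()` once per process, since unshare(2) moves the calling process into the new namespace for good; a return of 1 means the sandbox or kernel does not let this user create user namespaces, not that the documented rule failed.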