From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <54E83A55.9080408@gmail.com>
Date: Sat, 21 Feb 2015 08:57:09 +0100
From: "Michael Kerrisk (man-pages)"
To: "Eric W. Biederman"
CC: mtk.manpages@gmail.com, Linux Containers, Josh Triplett, Andrew Morton, Kees Cook, Linux API, linux-man, "linux-kernel@vger.kernel.org", LSM, Casey Schaufler, "Serge E. Hallyn", Richard Weinberger, Kenton Varda, stable, Andy Lutomirski
Subject: Re: [PATCH 1/2] proc.5: Document /proc/[pid]/setgroups
In-Reply-To: <54DCB059.2020305@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Eric,

Ping!

Cheers,

Michael

On 02/12/2015 02:53 PM, Michael Kerrisk (man-pages) wrote:
> Hello Eric,
>
> On 02/11/2015 02:51 PM, Eric W. Biederman wrote:
>> "Michael Kerrisk (man-pages)" writes:
>>
>>> Hi Eric,
>>>
>>> Ping!
>>>
>>> Cheers,
>>>
>>> Michael
>>
>> My apologies. Your description wasn't wrong but it may be a bit
>> misleading, explanation below. You will have to figure out how to work
>> that into your proposed text.
>>
>>> On 2 February 2015 at 16:36, Michael Kerrisk (man-pages)
>>> wrote:
>>>> [Adding Josh to CC in case he has anything to add.]
>>>>
>>>> On 12/12/2014 10:54 PM, Eric W. Biederman wrote:
>>>>>
>>>>> Signed-off-by: Eric W. Biederman
>>>>> ---
>>>>>  man5/proc.5 | 15 +++++++++++++++
>>>>>  1 file changed, 15 insertions(+)
>>>>>
>>>>> diff --git a/man5/proc.5 b/man5/proc.5
>>>>> index 96077d0dd195..d661e8cfeac9 100644
>>>>> --- a/man5/proc.5
>>>>> +++ b/man5/proc.5
>>>>> @@ -1097,6 +1097,21 @@ are not available if the main thread has already terminated
>>>>>  .\"       Added in 2.6.9
>>>>>  .\"       CONFIG_SCHEDSTATS
>>>>>  .TP
>>>>> +.IR /proc/[pid]/setgroups " (since Linux 3.19-rc1)"
>>>>> +This file reports
>>>>> +.BR allow
>>>>> +if the setgroups system call is allowed in the current user namespace.
>>>>> +This file reports
>>>>> +.BR deny
>>>>> +if the setgroups system call is not allowed in the current user namespace.
>>>>> +This file may be written to with values of
>>>>> +.BR allow
>>>>> +and
>>>>> +.BR deny
>>>>> +before
>>>>> +.IR /proc/[pid]/gid_map
>>>>> +is written to (enabling setgroups) in a user namespace.
>>>>> +.TP
>>>>>  .IR /proc/[pid]/smaps " (since Linux 2.6.14)"
>>>>>  This file shows memory consumption for each of the process's mappings.
>>>>>  (The
>>>>
>>>> Hi Eric,
>>>>
>>>> Thanks for this patch. I applied it, and then tried to work in
>>>> quite a few other details gleaned from the source code and commit
>>>> message, and Jon Corbet's article at http://lwn.net/Articles/626665/.
>>>> Could you please let me know if the following is correct:
>>
>> It is close but it may be misleading.
>>
>>>>     /proc/[pid]/setgroups (since Linux 3.19)
>>>>            This file displays the string "allow" if processes in
>>>>            the user namespace that contains the process pid are
>>>>            permitted to employ the setgroups(2) system call, and
>>>>            "deny" if setgroups(2) is not permitted in that user
>>>>            namespace.
>>
>> With the caveat that when gid_map is not set that setgroups is also not
>> allowed.
>
> Okay -- I added that point.
>
>>>>            A privileged process (one with the CAP_SYS_ADMIN capability
>>>>            in the namespace) may write either of the strings
>>>>            "allow" or "deny" to this file before writing a group ID
>>>>            mapping for this user namespace to the file
>>>>            /proc/[pid]/gid_map. Writing the string "deny" prevents
>>>>            any process in the user namespace from employing
>>>>            setgroups(2).
>>
>> Or more succinctly.
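Review bot: The write-side sentence in this hunk ("This file may be written to with values of allow and deny before /proc/[pid]/gid_map is written to") leaves out three rules that the rest of this thread spells out and that a reader of proc.5 needs: which processes may write (Michael's draft: one with CAP_SYS_ADMIN in the namespace), that "deny" once written cannot be reverted to "allow" and is inherited by child user namespaces, and that a file reading "allow" does not by itself mean setgroups(2) will succeed, since Eric notes the call is also refused until gid_map has been written. Two smaller points: "(since Linux 3.19-rc1)" should read "(since Linux 3.19)" to match how the neighbouring entries cite released versions ("since Linux 2.6.14"), and `.BR allow` / `.BR deny` with a single argument are just `.B allow` / `.B deny`, which is the usual form in this page.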
>> You are allowed to write to /proc/[pid]/setgroups
>> when calling setgroups is not allowed because gid_map is unset. This
>> ensures we do not have any transitions from a state where setgroups
>> is allowed to a state where setgroups is denied. There are only
>> transitions from setgroups not-allowed to setgroups allowed.
>
> And I've worked in the above point, rewording a bit along the way.
> So, how does the following look (only the first two paragraphs have
> changed)?
>
>        /proc/[pid]/setgroups (since Linux 3.19)
>               This file displays the string "allow" if processes in
>               the user namespace that contains the process pid are
>               permitted to employ the setgroups(2) system call, and
>               "deny" if setgroups(2) is not permitted in that user
>               namespace. (Note, however, that calls to setgroups(2)
>               are also not permitted if /proc/[pid]/gid_map has not
>               yet been set.)
>
>               A privileged process (one with the CAP_SYS_ADMIN capability
>               in the namespace) may write either of the strings
>               "allow" or "deny" to this file before writing a group ID
>               mapping for this user namespace to the file
>               /proc/[pid]/gid_map. Writing the string "deny" prevents
>               any process in the user namespace from employing
>               setgroups(2). In other words, it is permitted to write to
>               /proc/[pid]/setgroups so long as calling setgroups(2) is
>               not allowed because /proc/[pid]/gid_map has not been set.
>               This ensures that a process cannot transition from a
>               state where setgroups(2) is allowed to a state where
>               setgroups(2) is denied; a process can only transition
>               from setgroups(2) being disallowed to setgroups(2) being
>               allowed.
>
>               The default value of this file in the initial user
>               namespace is "allow".
>
>               Once /proc/[pid]/gid_map has been written to (which has
>               the effect of enabling setgroups(2) in the user
>               namespace), it is no longer possible to deny setgroups(2)
>               by writing to /proc/[pid]/setgroups.
>
>               A child user namespace inherits the /proc/[pid]/gid_map
>               setting from its parent.
>
>               If the setgroups file has the value "deny", then the
>               setgroups(2) system call can't subsequently be reenabled
>               (by writing "allow" to the file) in this user namespace.
>               This restriction also propagates down to all child user
>               namespaces of this user namespace.
>
> Cheers,
>
> Michael
>
>
>

-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
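The rules Eric and Michael converge on above (a write to /proc/[pid]/setgroups is accepted only while gid_map is unset, "deny" can never be flipped back to "allow", and a child user namespace inherits it), exercised step by step against a live kernel in a fresh user namespace. This is an added example, not code from the thread or from the man-pages project; it assumes Linux 3.19 or later and a kernel that lets this process call unshare(CLONE_NEWUSER) without privilege, and the helper names are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

static int proc_write(const char *path, const char *text) /* 0 or -errno */
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int rc = write(fd, text, strlen(text)) < 0 ? -errno : 0;
    close(fd);
    return rc;
}

static int proc_reads(const char *path, const char *word) /* first line == word? */
{
    char buf[16] = {0};
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n > 0) buf[strcspn(buf, "\n")] = '\0';
    return n > 0 && strcmp(buf, word) == 0;
}

/* Walks the documented rules in a fresh user namespace. Returns 0 if every step
 * behaved as described, 1 if this process may not create a user namespace
 * (nothing checked), otherwise the number of the first step that did not match. */
int demo_setgroups_lockdown(void)
{
    char map[64];
    uid_t outer_uid = geteuid();          /* capture before the ids change */
    gid_t outer_gid = getegid(), g = 0;

    if (unshare(CLONE_NEWUSER) < 0) return 1;
    /* New namespace shows "allow", yet setgroups(2) fails: gid_map is unset. */
    if (!proc_reads("/proc/self/setgroups", "allow")) return 10;
    if (setgroups(1, &g) == 0 || errno != EPERM) return 11;
    /* "deny" is accepted only while gid_map is still unset. */
    if (proc_write("/proc/self/setgroups", "deny")) return 12;
    snprintf(map, sizeof map, "0 %u 1", (unsigned) outer_uid);
    if (proc_write("/proc/self/uid_map", map)) return 13;
    snprintf(map, sizeof map, "0 %u 1", (unsigned) outer_gid);
    if (proc_write("/proc/self/gid_map", map)) return 14;
    /* gid_map is set, but "deny" still blocks setgroups(2), and the lock
     * cannot be lifted: writing "allow" now fails with EPERM. */
    if (setgroups(1, &g) == 0 || errno != EPERM) return 15;
    if (proc_write("/proc/self/setgroups", "allow") != -EPERM) return 16;
    /* A child user namespace inherits the "deny" setting from its parent. */
    if (unshare(CLONE_NEWUSER) < 0 || !proc_reads("/proc/self/setgroups", "deny")) return 17;
    return 0;
}

int main(void) { return demo_setgroups_lockdown(); } /* exit status = result code */
```

Run it as an ordinary user; an exit status of 0 means every transition matched the man-page text, 1 means the kernel refused to create a user namespace, and anything else is the step that diverged.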