From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: "Michael Kerrisk (man-pages)"
	<mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	"Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>,
	Linux Containers
	<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>
Subject: [PATCH 4/4] setns.2: Document the pid, user, and mount namespace support.
Date: Mon, 26 Nov 2012 18:48:45 -0600	[thread overview]
Message-ID: <87k3t7q39u.fsf@xmission.com> (raw)
In-Reply-To: <87a9u4rmz0.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org> (Eric W. Biederman's message of "Mon, 26 Nov 2012 16:57:55 -0600")


Signed-off-by: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
---
 man2/setns.2 |   41 +++++++++++++++++++++++++++++++++--------
 1 files changed, 33 insertions(+), 8 deletions(-)

diff --git a/man2/setns.2 b/man2/setns.2
index 6aa01e1..63b04dc 100644
--- a/man2/setns.2
+++ b/man2/setns.2
@@ -48,6 +48,18 @@ must refer to a network namespace.
 .BR CLONE_NEWUTS
 .I fd
 must refer to a UTS namespace.
+.TP
+.BR CLONE_NEWPID
+.I fd
+must refer to a PID namespace.
+.TP
+.BR CLONE_NEWUSER
+.I fd
+must refer to a user namespace.
+.TP
+.BR CLONE_NEWNS
+.I fd
+must refer to a mount namespace.
 .PP
 Specifying
 .I nstype
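Review bot: the three new nstype entries (CLONE_NEWPID, CLONE_NEWUSER, CLONE_NEWNS) give no hint that they need a newer kernel than the existing entries, while the VERSIONS hunk later in this patch states that support for them first appeared in Linux 3.8; consider adding "(since Linux 3.8)" to each of the three descriptions, e.g. "must refer to a PID namespace (since Linux 3.8).", so a reader scanning the nstype list sees the restriction without jumping to VERSIONS.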
@@ -63,6 +75,25 @@ and wants to ensure that the namespace is of a particular type.
 .IR fd
 if the file descriptor was opened by another process and, for example,
 passed to the caller via a UNIX domain socket.)
+
+The pid namespace is a little different.  Reassociating the calling
+thread with a pid namespace only changes the pid namespace that the
+child processes will be created in.
+
+Changing the pid namespace for child processes is only allowed if the
+pid namespace specified by
+.IR fd
+is a child pid namespace of the pid namespace of the current thread.
+
+A multi-threaded process may not change user namespace with setns.  A
+process may not reassociate the thread with the current user
+namespace.  The process reassociating itself with a user namespace
+must have CAP_SYS_ADMIN privileges in the target user namespace.
+
+A process may not be reassociated with a new mount namespace if it is
+multi-threaded or it does not possess both CAP_SYS_CHROOT privileges
+and CAP_SYS_ADMIN rights over the target mount namespace.
+
 .SH RETURN VALUE
 On success,
 .IR setns ()
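Review bot: the mount-namespace paragraph ("does not possess both CAP_SYS_CHROOT privileges and CAP_SYS_ADMIN rights over the target mount namespace") should say which user namespace the capability checks are made in, as the user-namespace paragraph just above it does ("CAP_SYS_ADMIN privileges in the target user namespace"); capabilities are held relative to a user namespace, not to a mount namespace, so "rights over the target mount namespace" is ambiguous. Two style points in the same hunk: "pid namespace" in the new paragraphs is inconsistent with "PID namespace" used in the nstype entry added earlier in this patch, and the bare word "setns" in "may not change user namespace with setns" should be marked up as the rest of the page does, i.e. ".BR setns ()", with the capability names set in bold (".B CAP_SYS_ADMIN").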
@@ -94,7 +125,8 @@ for this operation.
 The
 .BR setns ()
 system call first appeared in Linux in kernel 3.0;
-library support was added to glibc in version 2.14.
+library support was added to glibc in version 2.14;
+Support for PID, user and mount namespaces first appeard in Linux in kernel 3.8.
 .SH CONFORMING TO
 The
 .BR setns ()
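Review bot: "appeard" on the added VERSIONS line is a typo for "appeared". The preceding line was also changed to end with a semicolon, but the new sentence that follows it starts with a capital "Support", so either end the glibc line with a period and keep the capital, or keep the semicolon and lower-case "support". The new sentence should also use the same "PID, user, and mount" punctuation as the rest of the page.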
@@ -106,13 +138,6 @@ a new thread is created using
 can be changed using
 .BR setns ().
 .SH BUGS
-The PID namespace and the mount namespace are not currently supported.
-(See the descriptions of
-.BR CLONE_NEWPID
-and
-.BR CLONE_NEWNS
-in
-.BR clone (2).)
 .SH SEE ALSO
 .BR clone (2),
 .BR fork (2),
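Review bot: this hunk removes the entire body of the BUGS section but leaves the ".SH BUGS" heading in place, so the rendered page now has an empty BUGS section directly above SEE ALSO; the ".SH BUGS" line should be deleted along with the text it introduced.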
-- 
1.7.5.4
