Re: [PATCH 4/4] setns.2: Document the pid, user, and mount namespace support.

"Michael Kerrisk (man-pages)" <mtk.manpages@xxxxxxxxx> writes:

> Okay. See below.
>
> So, let's take one more pass. How does the following look:
>
>        A multi-threaded process may not  change  user  namespace  with
>        setns().   It  is  not  permitted to use setns() to reenter the
>        caller's current user namespace.  This prevents a  caller  that
>        has  dropped capabilities from regaining those capabilities via
>        a call to setns().  A process reassociating itself  with  a  user
>        namespace must have CAP_SYS_ADMIN privileges in the target user
>        namespace.
>
>        A process may not be reassociated with a new mount namespace if
>        it  is  multi-threaded.   Changing the mount namespace requires
>        that the caller possess both CAP_SYS_CHROOT  and  CAP_SYS_ADMIN
>        capabilities in its own user namespace and CAP_SYS_ADMIN in the
>        target mount namespace.

That wording looks correct.

Eric