Re: [PATCH 4/4] setns.2: Document the pid, user, and mount namespace support.

"Michael Kerrisk (man-pages)" <mtk.manpages@xxxxxxxxx> writes:

> Okay. See below.
>
> So, let's take one more pass. How does the following look:
>
>        A multi-threaded process may not  change  user  namespace  with
>        setns().   It  is  not  permitted to use setns() to reenter the
>        caller's current user namespace.  This prevents a  caller  that
>        has  dropped capabilities from regaining those capabilities via
>        a call to setns().  A process reassociating itself with  a  user
>        namespace must have CAP_SYS_ADMIN privileges in the target user
>        namespace.
>
>        A process may not be reassociated with a new mount namespace if
>        it  is  multi-threaded.   Changing the mount namespace requires
>        that the caller possess both CAP_SYS_CHROOT  and  CAP_SYS_ADMIN
>        capabilities in its own user namespace and CAP_SYS_ADMIN in the
>        target mount namespace.

That wording looks correct.

Eric
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
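The paragraphs quoted above describe two refusals a caller can observe directly: setns() on the caller's own user namespace is always rejected (so a process that dropped capabilities cannot get them back that way), and joining a mount namespace needs CAP_SYS_CHROOT and CAP_SYS_ADMIN. The program below is an added illustration, not code from this thread or from the man-pages project; it assumes a Linux 3.8 or later kernel with /proc mounted, and the helper names (try_setns, explain_setns_errno, reenter_own_userns) are my own. It opens /proc/self/ns/user and /proc/self/ns/mnt, attempts setns() on each, and maps the resulting errno back onto the rules in the proposed text.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Fallbacks so the file still builds if the feature macro above was
 * pre-empted by an earlier include; values are those of <linux/sched.h>. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS   0x00020000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
int setns(int fd, int nstype);

/* Open a namespace file and try to join it with setns(2).
 * Returns 0 on success; otherwise -1 and the failing errno in *err. */
int try_setns(const char *nspath, int nstype, int *err)
{
    int fd = open(nspath, O_RDONLY | O_CLOEXEC);
    if (fd < 0) {
        *err = errno;           /* e.g. ENOENT when /proc is not mounted */
        return -1;
    }
    int rc = setns(fd, nstype);
    *err = (rc < 0) ? errno : 0; /* save errno before close() can clobber it */
    close(fd);                   /* the fd is not needed once the call was made */
    return (rc < 0) ? -1 : 0;
}

/* Translate the errno into the rule from the proposed man-page text.
 * The kernel reports both "re-entering the current user namespace" and
 * "caller is multi-threaded" as EINVAL; a missing capability is EPERM. */
const char *explain_setns_errno(int err)
{
    switch (err) {
    case 0:      return "joined the namespace";
    case EINVAL: return "refused: re-entering the current user namespace, "
                        "or the caller is multi-threaded";
    case EPERM:  return "refused: caller lacks CAP_SYS_ADMIN in the target "
                        "namespace (and CAP_SYS_CHROOT for a mount namespace)";
    default:     return strerror(err);
    }
}

/* The user-namespace rule: a process may not use setns() to re-enter the
 * user namespace it is already in. This fails for every caller, privileged
 * or not, which is what stops dropped capabilities from being regained. */
int reenter_own_userns(int *err)
{
    return try_setns("/proc/self/ns/user", CLONE_NEWUSER, err);
}

int main(void)
{
    int err = 0;
    int rc = reenter_own_userns(&err);
    printf("setns(/proc/self/ns/user, CLONE_NEWUSER) -> %d: %s\n",
           rc, explain_setns_errno(err));

    /* The mount-namespace rule: even for our own /proc/self/ns/mnt the
     * caller must hold CAP_SYS_CHROOT and CAP_SYS_ADMIN, so an unprivileged
     * run reports EPERM; a privileged single-threaded run may succeed. */
    rc = try_setns("/proc/self/ns/mnt", CLONE_NEWNS, &err);
    printf("setns(/proc/self/ns/mnt, CLONE_NEWNS)   -> %d: %s\n",
           rc, explain_setns_errno(err));
    return 0;
}
```

Run it once as an ordinary user and once as root: the user-namespace line reads EINVAL in both runs, while the mount-namespace line changes from EPERM to success, which is exactly the distinction the two quoted paragraphs draw.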

