Signed-off-by: Alexey Gladkov <gladkov.alexey@xxxxxxxxx> --- Documentation/filesystems/proc.rst | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/Documentation/filesystems/proc.rst b/Documentation/filesystems/proc.rst index 2fa69f710e2a..3daf0e7d1071 100644 --- a/Documentation/filesystems/proc.rst +++ b/Documentation/filesystems/proc.rst @@ -50,6 +50,7 @@ fixes/update part 1.1 Stefani Seibold <stefani@xxxxxxxxxxx> June 9 2009 4 Configuring procfs 4.1 Mount options + 4.2 Mount restrictions 5 Filesystem behavior @@ -2175,6 +2176,21 @@ information about processes information, just add identd to this group. subset=pid hides all top level files and directories in the procfs that are not related to tasks. +4.2 Mount restrictions +-------------------------- + +The procfs can be mounted without any special restrictions if user namespace is +not used. You only need to have permission to mount (CAP_SYS_ADMIN). + +If you are inside the user namespace, the kernel checks the instances of procfs +available to you and will not allow procfs to be mounted if: + + 1. There is a bind mount of part of procfs visible. Whoever mounts should be + able to see the entire filesystem. + 2. Mount is prohibited if a new mount overrides the readonly option or family + of atime options. + 3. If any file or non-empty procfs directory is hidden by another filesystem. + Chapter 5: Filesystem behavior ============================== -- 2.29.2
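Review bot: in the new "4.2 Mount restrictions" section, the three numbered items do not follow from the lead-in "will not allow procfs to be mounted if:". Item 1 is a condition followed by a rationale sentence, item 2 restarts with "Mount is prohibited if", and item 3 opens with a second "If". Writing each item as a bare condition would make the list read as one sentence, for example "a bind mount of only part of procfs is visible", "the new mount would override the readonly option or one of the atime options", "any file or non-empty procfs directory is hidden by another filesystem". Item 2 also does not say whose options are being overridden; if it means the options of the procfs instance already visible in the mount namespace, say so explicitly, since that is the detail a container runtime author needs when a nested procfs mount is refused. In the first paragraph, "permission to mount (CAP_SYS_ADMIN)" should state in which user namespace the capability is required, because the following paragraph is entirely about the user-namespace case. Minor wording: "if user namespace is not used" and "inside the user namespace" would be clearer as "if no user namespace is in use" and "inside a user namespace".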