unshare: add note about sysfs and procfs

Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1390057 Signed-off-by: Karel Zak <kzak@redhat.com>
author: Karel Zak 2017-02-27 12:09:35 +0100
committer: Karel Zak 2017-02-27 12:09:35 +0100
commit: 86b6d7f4346c6b85c60aaae993ce5b27dfff6bea (patch)
tree: 178e47dace3896caa9ff850d20d3bae36ab2271e /sys-utils
parent: docs: add note about branches to README (diff)
download: kernel-qcow2-util-linux-86b6d7f4346c6b85c60aaae993ce5b27dfff6bea.tar.gz
kernel-qcow2-util-linux-86b6d7f4346c6b85c60aaae993ce5b27dfff6bea.tar.xz
kernel-qcow2-util-linux-86b6d7f4346c6b85c60aaae993ce5b27dfff6bea.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/sys-utils/unshare.1 b/sys-utils/unshare.1
index 7c7d144d1..dd12c7446 100644
--- a/sys-utils/unshare.1
+++ b/sys-utils/unshare.1
@@ -183,6 +183,11 @@ Display version information and exit.
 .TP
 .BR \-h , " \-\-help"
 Display help text and exit.
+.SH NOTES
+The proc and sysfs filesystems mounting as root in a user namespace have to be
+restricted so that a less privileged user can not get more access to sensitive
+files that a more privileged user made unavailable. In short the rule for proc
+and sysfs is as close to a bind mount as possible.
 .SH EXAMPLES
 .TP
 .B # unshare --fork --pid --mount-proc readlink /proc/self
author	Karel Zak	2017-02-27 12:09:35 +0100
committer	Karel Zak	2017-02-27 12:09:35 +0100
commit	86b6d7f4346c6b85c60aaae993ce5b27dfff6bea (patch)
tree	178e47dace3896caa9ff850d20d3bae36ab2271e /sys-utils
parent	docs: add note about branches to README (diff)
download	kernel-qcow2-util-linux-86b6d7f4346c6b85c60aaae993ce5b27dfff6bea.tar.gz kernel-qcow2-util-linux-86b6d7f4346c6b85c60aaae993ce5b27dfff6bea.tar.xz kernel-qcow2-util-linux-86b6d7f4346c6b85c60aaae993ce5b27dfff6bea.zip