author    Rodrigo Campos <rodrigo@sdfg.com.ar>    2023-04-01 14:59:26 +0200
committer Alejandro Colomar <alx@kernel.org>    2023-04-01 16:23:25 +0200
commit    6aba08c6d65d92aa539633724ca8b3b9a43914e0 (patch)
tree      0479ed0595cdf2a701f4b5a41d3c8fbc305d31dc
parent    5b116edbe587e749cfb5bd9c34ed2d8d635f77a8 (diff)
user_namespaces.7: Add note about PR_SET_DUMPABLE on nested userns
In order to create a nested user namespace, we need to re-set the PR_SET_DUMPABLE attribute after switching the effective UID/GID. Clarify this in the section about nested user namespaces.

Having this note would have saved me some time debugging.

Signed-off-by: Rodrigo Campos <rodrigo@sdfg.com.ar>
Cc: Christian Brauner <brauner@kernel.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>

-rw-r--r-- man7/user_namespaces.7 | 17
1 files changed, 17 insertions, 0 deletions
diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
index 3c376a9f0..3db79d9a2 100644
--- a/man7/user_namespaces.7
+++ b/man7/user_namespaces.7
@@ -91,6 +91,23 @@ The
operation can be used to discover the parental relationship
between user namespaces; see
.BR ioctl_ns (2).
+.PP
+A task that changes one of its effective IDs
+will have its dumpability reset to the value in
+.IR /proc/sys/fs/suid_dumpable .
+This may affect the ownership of proc files of child processes
+and may thus cause the parent to lack the permissions
+to write to mapping files of child processes running in a new user namespace.
+In such cases making the parent process dumpable, using
+.B PR_SET_DUMPABLE
+in a call to
+.BR prctl (2),
+before creating a child process in a new user namespace may rectify this problem.
+See
+.BR prctl (2)
+and
+.BR proc (5)
+for details on how ownership is affected.
.\"
.\" ============================================================
.\"
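Review bot: the opening sentence of the new paragraph ("A task that changes one of its effective IDs will have its dumpability reset ...") understates when the reset happens; prctl(2) documents that the dumpable flag is also reset when the filesystem UID/GID changes and when a set-user-ID or set-group-ID program is executed, so consider "effective or filesystem IDs" or "see prctl(2) for the full list of triggers" so readers do not rule out the other causes while debugging. The recommendation to call PR_SET_DUMPABLE before creating the child would also benefit from one sentence on the trade-off: a dumpable process can be ptrace-attached by unprivileged processes with the same UID and can produce core dumps, so the caller may wish to set the flag only around the clone(2)/mapping-file writes and clear it again afterwards.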