Diffstat (limited to 'bwrap.xml')
-rw-r--r-- bwrap.xml | 15
1 files changed, 15 insertions, 0 deletions
diff --git a/bwrap.xml b/bwrap.xml
index 73ca161..7c53207 100644
--- a/bwrap.xml
+++ b/bwrap.xml
@@ -131,6 +131,21 @@
<listitem><para>Unshare all possible namespaces. Currently equivalent with: <option>--unshare-user-try</option> <option>--unshare-ipc</option> <option>--unshare-pid</option> <option>--unshare-net</option> <option>--unshare-uts</option> <option>--unshare-cgroup-try</option></para></listitem>
</varlistentry>
<varlistentry>
+ <term><option>--userns <arg choice="plain">FD</arg></option></term>
+ <listitem><para>Use an existing user namespace instead of creating a new one. The namespace must fulfil the permission requirements for setns(), which generally means that it must be a decendant of the currently active user namespace, owned by the same user. </para>
+ <para>This is incompatible with --unshare-user, and doesn't work in the setuid version of bubblewrap.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--userns2 <arg choice="plain">FD</arg></option></term>
+ <listitem><para>After setting up the new namespace, switch into the specified namespace. For this to work the specified namespace must be a decendant of the user namespace used for the setup, so this is only useful in combination with --userns.</para>
+ <para>This is useful because sometimes bubblewrap itself creates nested user namespaces (to work around some kernel issues) and --userns2 can be used to enter these.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--pidns <arg choice="plain">FD</arg></option></term>
+ <listitem><para>Use an existing pid namespace instead of creating one. This is often used with --userns, because the pid namespace must be owned by the same user namespace that bwrap uses. </para>
+ <para>Note that this can be combined with --unshare-pid, and in that case it means that the sandbox will be in its own pid namespace, which is a child of the passed in one.</para></listitem>
+ </varlistentry>
+ <varlistentry>
<term><option>--uid <arg choice="plain">UID</arg></option></term>
<listitem><para>Use a custom user id in the sandbox (requires <option>--unshare-user</option>)</para></listitem>
</varlistentry>
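Review bot: "decendant" is misspelled twice in this hunk, in the --userns description ("it must be a decendant of the currently active user namespace") and again in the --userns2 description; both should read "descendant". The option cross-references in the new paragraphs (--unshare-user, --userns, --userns2, --unshare-pid) are written as plain text, whereas the surrounding entries in context (--unshare-all and --uid) wrap every option name in <option>…</option>, so the rendered manpage will style these inconsistently; e.g. `<para>This is incompatible with <option>--unshare-user</option>, and doesn't work in the setuid version of bubblewrap.</para>`. Minor: the first <para> of the --userns and --pidns entries has a trailing space before </para>.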