user_namespaces.7: Clarify the meaning of "Mounts that come as a single unit"

Quoting Eric Biederman:

The importance of [mounts coming across as a dingle unit] is [to]
allow the global root to mount over things and not have to worry
that someone from a user namespace root can peek underneath.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
index 2939db1b827c3dcc4f20c51828cfd4420ceb07df..52ddc74775670080726b8269e5bf533fd353ee39 100644 (file)
--- a/man7/user_namespaces.7
+++ b/man7/user_namespaces.7
@@ -273,6 +273,13 @@ mount namespaces.
 Mounts that come as a single unit from more privileged mount are
 locked together and may not be separated in a less privileged mount
 namespace.
+(The
+.BR unshare (2)
+.B CLONE_NEWNS
+operation brings across all of the mounts from the original
+mount namespace as a single unit,
+and recursive mounts that propogate between
+mount namespaces propogate as a single unit.)
 .IP *
 The
 .BR mount (2)