user_namespaces.7: Describe how kernel treats UIDs/GIDs when a process access to...

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
index 8492f9f2c969bb7a0b502915b9c621f4045d4413..f8dbc8217e0c0fd09afba8d740347fdc207455cc 100644 (file)
--- a/man7/user_namespaces.7
+++ b/man7/user_namespaces.7
@@ -867,6 +867,17 @@ that field is displayed as 4294967295 (\-1 as an unsigned integer).
 .\"
 .\" ============================================================
 .\"
+.SS Accessing files
+.PP
+In order to determine permissions when an unprivileged process accesses a file
+(or other resource such as a System V IPC object),
+the process credentials (UID, GID) and the file credentials
+are in effect mapped back to what they would be in
+the initial user namespace and then compared to determine
+the permissions that the process has on the file.
+.\"
+.\" ============================================================
+.\"
 .SS Set-user-ID and set-group-ID programs
 .PP
 When a process inside a user namespace executes