doc: add a little note about shared ns + LSMs

author Tycho Andersen <tycho@tycho.ws>

Thu, 9 May 2019 18:13:40 +0000 (14:13 -0400)

committer Tycho Andersen <tycho@tycho.ws>

Wed, 15 May 2019 13:56:01 +0000 (07:56 -0600)
author Tycho Andersen <tycho@tycho.ws>
Thu, 9 May 2019 18:13:40 +0000 (14:13 -0400)
committer Tycho Andersen <tycho@tycho.ws>
Wed, 15 May 2019 13:56:01 +0000 (07:56 -0600)
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in

index b03cf851f26b3deb4b83fc06ff66f0fb3e4a03fe..782dede78776552b9925af4506ea3988615b04bc 100644 (file)
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1722,6 +1722,12 @@ dev/null proc/kcore none bind,relative 0 0
              process wants to inherit the other's network namespace it usually
              needs to inherit the user namespace as well.
              </para>
+
+            <para>
+            Note that without careful additional configuration of an LSM,
+            sharing user+pid namespaces with a task may allow that task to
+            escalate privileges to that of the task calling liblxc.
+            </para>
            </listitem>
          </varlistentry>
        </variablelist>
author	Tycho Andersen <tycho@tycho.ws>
	Thu, 9 May 2019 18:13:40 +0000 (14:13 -0400)
committer	Tycho Andersen <tycho@tycho.ws>
	Wed, 15 May 2019 13:56:01 +0000 (07:56 -0600)