From: Christian Brauner Date: Wed, 17 Mar 2021 15:22:46 +0000 (+0100) Subject: start: documented idmapped mounts X-Git-Tag: lxc-5.0.0~197^2~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=26ad2c6f3aaf2e2c2f0b243342ff9bb5075672e7;p=thirdparty%2Flxc.git start: documented idmapped mounts Signed-off-by: Christian Brauner --- diff --git a/src/lxc/start.c b/src/lxc/start.c index e4e7e365a..c83c0f72e 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c @@ -2042,7 +2042,21 @@ int __lxc_start(struct lxc_handler *handler, struct lxc_operations *ops, } if (geteuid() == 0 && !lxc_list_empty(&conf->id_map)) { - /* If the backing store is a device, mount it here and now. */ + /* + * This handles two cases: mounting real block devices and + * creating idmapped mounts. The block device case should be + * obivous, i.e. no real filesystem can currently be mounted + * from inside a user namespace. + * + * Idmapped mounts can currently only be created if the caller + * is privileged wrt to the user namespace in which the + * underlying block device has been mounted in. This basically + * (with few exceptions) means we need to be CAP_SYS_ADMIN in + * the initial user namespace since almost no interesting + * filesystems can be mounted inside of user namespaces. This + * is way we need to do the rootfs setup here. In the future + * this may change. + */ if (idmapped_rootfs_mnt(&conf->rootfs) || rootfs_is_blockdev(conf)) { ret = unshare(CLONE_NEWNS); if (ret < 0) {
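Review bot: the new comment block in the `geteuid() == 0 && !lxc_list_empty(&conf->id_map)` branch carries several wording slips that should be fixed before this lands, since comments like this get read for years: `obivous` should be `obvious`; `privileged wrt to the user namespace` should drop the redundant `to` (wrt already expands to "with respect to"); `in which the underlying block device has been mounted in` doubles the preposition, so drop the trailing `in`; and `This is way we need to do the rootfs setup here` should read `This is why we need to do the rootfs setup here`. The substance is right and worth keeping: it records that `idmapped_rootfs_mnt()` is handled alongside `rootfs_is_blockdev()` on this path precisely because creating the idmapped mount requires privilege over the user namespace the underlying filesystem was mounted in, which in practice means CAP_SYS_ADMIN in the initial user namespace, hence the `unshare(CLONE_NEWNS)` happening here rather than inside the container's own namespaces.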