From: Tycho Andersen <tycho@tycho.ws>
Date: Thu, 9 May 2019 18:13:40 +0000 (-0400)
Subject: doc: add a little note about shared ns + LSMs
X-Git-Tag: lxc-3.2.0~44^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8de90384363fe01f5258d36724dd3eae55918b5b;p=thirdparty%2Flxc.git

doc: add a little note about shared ns + LSMs

We should add a little not about the race in the previous patch.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>
---

diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index b03cf851f..782dede78 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1722,6 +1722,12 @@ dev/null proc/kcore none bind,relative 0 0
             process wants to inherit the other's network namespace it usually
             needs to inherit the user namespace as well.
             </para>
+
+            <para>
+            Note that without careful additional configuration of an LSM,
+            sharing user+pid namespaces with a task may allow that task to
+            escalate privileges to that of the task calling liblxc.
+            </para>
           </listitem>
         </varlistentry>
       </variablelist>