From: Luke T. Shumaker
Date: Thu, 22 Aug 2024 04:50:16 +0000 (-0600)
Subject: nspawn: fix the comment about which namespaces outer_child is in
X-Git-Tag: v257-rc1~515^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cde9210efd26854c849dfb60a784d9c1aa098b7c;p=thirdparty%2Fsystemd.git

nspawn: fix the comment about which namespaces outer_child is in

The comment says that it is still in the host's CLONE_NEWUSER namespace, which is not true if !arg_privileged. Also, it says that the CLONE_NEWNS namespace was created by clone(), but if !arg_privileged then it was actually created by nsresource_allocate_userns() and switched into by setns(). Fix those inaccuracies.

When trying to word it clearly, there are enough commas and nested clauses that I think it's clearer to break it into a list/table.
---
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 0653196e1a7..8fd307b1d89 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -3811,11 +3811,19 @@ static int outer_child( ssize_t l; int r; - /* This is the "outer" child process, i.e the one forked off by the container manager itself. It - * already has its own CLONE_NEWNS namespace (which was created by the clone()). It still lives in - * the host's CLONE_NEWPID, CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWUSER and CLONE_NEWNET - * namespaces. After it completed a number of initializations a second child (the "inner" one) is - * forked off it, and it exits. */ + /* This is the "outer" child process, i.e the one forked off by the container manager itself. Its + * namespace situation is: + * + * - CLONE_NEWNS : already has its own (created by clone() if arg_privileged, or unshare() if !arg_unprivileged) + * - CLONE_NEWUSER : if arg_privileged: still in the host's + * if !arg_privileged: already has its own (created by nsresource_allocate_userns()->setns(userns_fd)) + * - CLONE_NEWPID : still in the host's + * - CLONE_NEWUTS : still in the host's + * - CLONE_NEWIPC : still in the host's + * - CLONE_NEWNET : still in the host's + * + * After it completed a number of initializations a second child (the "inner" one) is forked off it, + * and it exits. */ assert(barrier); assert(directory);
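Review bot: the CLONE_NEWNS line of the new comment reads `created by clone() if arg_privileged, or unshare() if !arg_unprivileged`; `!arg_unprivileged` looks like a typo for `!arg_privileged`, since every other line in the list keys off `arg_privileged`, and as written the two conditions do not cover the unprivileged case at all. The same line also disagrees with the commit message: the message says the unprivileged CLONE_NEWNS namespace comes from nsresource_allocate_userns() and setns(), while the comment attributes it to unshare() and reserves nsresource_allocate_userns()->setns(userns_fd) for CLONE_NEWUSER. Suggest correcting the condition to `!arg_privileged` and reconciling which call is responsible for the mount namespace so the comment and the message tell the same story, since a comment that misstates namespace membership is exactly the inaccuracy this change sets out to fix. Minor: the first line still carries `i.e` from the old comment; `i.e.` would be the usual spelling.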