From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Thu, 11 May 2017 12:41:47 +0000 (+0200)
Subject: start: add crucial details about lxc_spawn()
X-Git-Tag: lxc-2.1.0~135^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1550%2Fhead;p=thirdparty%2Flxc.git

start: add crucial details about lxc_spawn()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---

diff --git a/src/lxc/start.c b/src/lxc/start.c
index db2a56e71..4f54012ec 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1071,6 +1071,13 @@ void resolve_clone_flags(struct lxc_handler *handler)
 		INFO("Inheriting a UTS namespace.");
 }
 
+/* lxc_spawn() performs crucial setup tasks and clone()s the new process which
+ * exec()s the requested container binary.
+ * Note that lxc_spawn() runs in the parent namespaces. Any operations performed
+ * right here should be double checked if they'd pose a security risk. (For
+ * example, any {u}mount() operations performed here will be reflected on the
+ * host!)
+ */
 static int lxc_spawn(struct lxc_handler *handler)
 {
 	int failed_before_rename = 0;