exec-invoke: extend comment on placement of apply_working_directory() call

Inspired by CVE-2024-21626, let's add a longer comment explaining why
the code really shouldn#t be moved any earlier.

Just in the hope that anyone who feels tempted to move this around maybe
actually reads the comment and reconsiders.

diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index 1a6f606448f0fb429672fd4a23cfcb6c74444a50..81d243c5b204548bbb21530ce30f61308b16aa5e 100644 (file)
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -5040,8 +5040,10 @@ int exec_invoke(
                 }
         }
 
-        /* Apply working directory here, because the working directory might be on NFS and only the user running
-         * this service might have the correct privilege to change to the working directory */
+        /* Apply working directory here, because the working directory might be on NFS and only the user
+         * running this service might have the correct privilege to change to the working directory. Also, it
+         * is absolutely 💣 crucial 💣 we applied all mount namespacing rearrangements before this, so that
+         * the cwd cannot be used to pin directories outside of the sandbox. */
         r = apply_working_directory(context, params, runtime, home, exit_status);
         if (r < 0)
                 return log_exec_error_errno(context, params, r, "Changing to the requested working directory failed: %m");