Container managers may want to bind mount the root filesystem
somewhere within the container. Security-wise, this is very much not
recommended, but it may be something application containers may want
to do nonetheless.
Ref: https://github.com/flatpak/flatpak/pull/6125#issuecomment-2759378603
may be used in combination with `/run/host/userdb/` above: one defines the
user record, the other contains the user's home directory.
+12. The `/run/host/root/` directory may be used to bind mount the host root
+ filesystem. Binding the host's root filesystem into the container is a
+ major security hole: any container manager that maintains a security
+ boundary should not use this; however, if having the root filesystem in
+ the container is desired, this is a good place to mount it to.
+
## What You Shouldn't Do
1. Do not drop `CAP_MKNOD` from the container. `PrivateDevices=` is a commonly
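Review bot: the new item 12 warns that binding the host root is "a major security hole" but does not say how the mount is expected to look, so neither container managers nor payloads know what to rely on under `/run/host/root/`. Consider stating whether the mount should be read-only where the use case allows, whether submounts of the host root are included, and that payloads must not assume the directory exists or is writable. The clause "any container manager that maintains a security boundary should not use this" is also ambiguous about whether "this" means the directory or the practice of binding the host root; naming the practice explicitly would remove the doubt. A short cross-reference from the "What You Shouldn't Do" section would keep the warning visible to readers who skip the numbered list.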