Unverified Commit 4f7e281f by Tycho Andersen Committed by Christian Brauner

doc: add a little note about shared ns + LSMs

We should add a little note about the race in the previous patch.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>
parent 68a1966d
...@@ -1630,6 +1630,12 @@ dev/null proc/kcore none bind,relative 0 0 ...@@ -1630,6 +1630,12 @@ dev/null proc/kcore none bind,relative 0 0
process wants to inherit the other's network namespace it usually process wants to inherit the other's network namespace it usually
needs to inherit the user namespace as well. needs to inherit the user namespace as well.
</para> </para>
<para>
Note that without careful additional configuration of an LSM,
sharing user+pid namespaces with a task may allow that task to
escalate privileges to that of the task calling liblxc.
</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
......
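Review bot: the added <para> warns that an LSM needs "careful additional configuration" but never says what that configuration has to prevent, and the commit message attributes the risk to a race that the documentation text does not mention. As written, a reader cannot act on the warning; consider adding one sentence that states what a task sharing the namespaces can do to the task calling liblxc, or when the window is open, so that an LSM policy can be written against it. Two wording points in the same paragraph: "user+pid namespaces" would read better as "user and PID namespaces", and "escalate privileges to that of the task" should be "to those of the task".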