start: documented idmapped mounts

src/lxc/start.c

@@ -2042,7 +2042,21 @@ int __lxc_start(struct lxc_handler *handler, struct lxc_operations *ops,
 	}
 
 	if (geteuid() == 0 && !lxc_list_empty(&conf->id_map)) {
-		/* If the backing store is a device, mount it here and now. */
+		/*
+		 * This handles two cases: mounting real block devices and
+		 * creating idmapped mounts. The block device case should be
+		 * obivous, i.e. no real filesystem can currently be mounted
+		 * from inside a user namespace.
+		 *
+		 * Idmapped mounts can currently only be created if the caller
+		 * is privileged wrt to the user namespace in which the
+		 * underlying block device has been mounted in. This basically
+		 * (with few exceptions) means we need to be CAP_SYS_ADMIN in
+		 * the initial user namespace since almost no interesting
+		 * filesystems can be mounted inside of user namespaces. This
+		 * is way we need to do the rootfs setup here. In the future
+		 * this may change.
+		 */
 		if (idmapped_rootfs_mnt(&conf->rootfs) || rootfs_is_blockdev(conf)) {
 			ret = unshare(CLONE_NEWNS);
 			if (ret < 0) {