doc: add a little note about shared ns + LSMs

We should add a little not about the race in the previous patch. Signed-off-by: Tycho Andersen <tycho@tycho.ws>

doc: add a little note about shared ns + LSMs
8de90384 · Tycho Andersen · c74e9217 · 8de90384
Commit 8de90384 authored May 09, 2019 by Tycho Andersen
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

lxc.container.conf.sgml.in doc/lxc.container.conf.sgml.in +6 -0

No files found.
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1722,6 +1722,12 @@ dev/null proc/kcore none bind,relative 0 0
            process wants to inherit the other's network namespace it usually
            needs to inherit the user namespace as well.
            </para>
+            <para>
+            Note that without careful additional configuration of an LSM,
+            sharing user+pid namespaces with a task may allow that task to
+            escalate privileges to that of the task calling liblxc.
+            </para>
          </listitem>
        </varlistentry>
      </variablelist>