start: add crucial details about lxc_spawn()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: add crucial details about lxc_spawn()
e6bbc40b · Christian Brauner · Stéphane Graber · 9a135d2c · e6bbc40b
Unverified Commit e6bbc40b authored May 11, 2017 by Christian Brauner Committed by Stéphane Graber May 11, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

start.c src/lxc/start.c +7 -0

No files found.
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1046,6 +1046,13 @@ void resolve_clone_flags(struct lxc_handler *handler)
 		INFO("Inheriting a UTS namespace.");
 }
+/* lxc_spawn() performs crucial setup tasks and clone()s the new process which
+ * exec()s the requested container binary.
+ * Note that lxc_spawn() runs in the parent namespaces. Any operations performed
+ * right here should be double checked if they'd pose a security risk. (For
+ * example, any {u}mount() operations performed here will be reflected on the
+ * host!)
+ */
 static int lxc_spawn(struct lxc_handler *handler)
 {
 	int failed_before_rename = 0;