[lxc-devel] [lxc/master] start: add crucial details about lxc_spawn()

brauner on Github lxc-bot at linuxcontainers.org
Thu May 11 12:45:22 UTC 2017


From 480588e6adcc4a02e54544844b7f7f1808776b48 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 11 May 2017 14:41:47 +0200
Subject: [PATCH] start: add crucial details about lxc_spawn()

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/start.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/lxc/start.c b/src/lxc/start.c
index db2a56e..4f54012 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1071,6 +1071,13 @@ void resolve_clone_flags(struct lxc_handler *handler)
 		INFO("Inheriting a UTS namespace.");
 }
 
+/* lxc_spawn() performs crucial setup tasks and clone()s the new process which
+ * exec()s the requested container binary.
+ * Note that lxc_spawn() runs in the parent namespaces. Any operations performed
+ * right here should be double checked if they'd pose a security risk. (For
+ * example, any {u}mount() operations performed here will be reflected on the
+ * host!)
+ */
 static int lxc_spawn(struct lxc_handler *handler)
 {
 	int failed_before_rename = 0;
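Review bot: the new comment says lxc_spawn() "performs crucial setup tasks" but does not say which ones, so a reader still has to read the whole function to learn what is executed in the host's namespaces; since the point of the comment is that anything here runs outside the container, consider listing the host-side operations the function performs (or pointing at where the namespaced setup happens in the child after clone()) so the security boundary is explicit. The last sentence also reads awkwardly ("should be double checked if they'd pose a security risk"); something like "Any operation performed here must be checked for its effect on the host, e.g. any {u}mount() call made here is visible on the host." keeps the warning while making it unambiguous.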

