summaryrefslogtreecommitdiffstats
path: root/src/nspawn/nspawn.c
diff options
context:
space:
mode:
authorLuke T. Shumaker <lukeshu@parabola.nu>2024-08-22 06:50:16 +0200
committerLuke T. Shumaker <lukeshu@parabola.nu>2024-09-07 02:33:50 +0200
commitcde9210efd26854c849dfb60a784d9c1aa098b7c (patch)
tree5586f597eb759b1dd1192867b3eb6720909b4270 /src/nspawn/nspawn.c
parentMerge pull request #34295 from poettering/uki-with-many-ukify (diff)
downloadsystemd-cde9210efd26854c849dfb60a784d9c1aa098b7c.tar.xz
systemd-cde9210efd26854c849dfb60a784d9c1aa098b7c.zip
nspawn: fix the comment about which namespaces outer_child is in
The comment says that it is still in the host's CLONE_NEWUSER namespace, which is not true if !arg_privileged. Also, it says that the CLONE_NEWNS namespace was created by clone(), but if !arg_privileged then it was actually created by nsresource_allocate_userns() and switched into by setns(). Fix those inaccuracies. When trying to word it clearly, there are enough commas and nested clauses that I think it's clearer to break it into a list/table.
Diffstat (limited to 'src/nspawn/nspawn.c')
-rw-r--r--src/nspawn/nspawn.c18
1 files changed, 13 insertions, 5 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 0653196e1a..8fd307b1d8 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -3811,11 +3811,19 @@ static int outer_child(
ssize_t l;
int r;
- /* This is the "outer" child process, i.e the one forked off by the container manager itself. It
- * already has its own CLONE_NEWNS namespace (which was created by the clone()). It still lives in
- * the host's CLONE_NEWPID, CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWUSER and CLONE_NEWNET
- * namespaces. After it completed a number of initializations a second child (the "inner" one) is
- * forked off it, and it exits. */
+ /* This is the "outer" child process, i.e the one forked off by the container manager itself. Its
+ * namespace situation is:
+ *
+ * - CLONE_NEWNS : already has its own (created by clone() if arg_privileged, or unshare() if !arg_unprivileged)
+ * - CLONE_NEWUSER : if arg_privileged: still in the host's
+ * if !arg_privileged: already has its own (created by nsresource_allocate_userns()->setns(userns_fd))
+ * - CLONE_NEWPID : still in the host's
+ * - CLONE_NEWUTS : still in the host's
+ * - CLONE_NEWIPC : still in the host's
+ * - CLONE_NEWNET : still in the host's
+ *
+ * After it completed a number of initializations a second child (the "inner" one) is forked off it,
+ * and it exits. */
assert(barrier);
assert(directory);