From 4b6414079b074ec2a914f2e6a0fdb47916453f78 Mon Sep 17 00:00:00 2001
From: Helmut Grohne
Date: Thu, 4 Apr 2024 10:57:47 +0200
Subject: document security implications of populate_* functions

---
 linuxnamespaces/__init__.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/linuxnamespaces/__init__.py b/linuxnamespaces/__init__.py
index c12a13c..2b92462 100644
--- a/linuxnamespaces/__init__.py
+++ b/linuxnamespaces/__init__.py
@@ -359,6 +359,10 @@ def populate_dev(
     """Mount a tmpfs to the dev directory beneath newroot and populate it with
     basic devices by bind mounting them from the dev directory beneath origroot.
     Also mount a new pts instance.
+
+    Even though a CAP_SYS_ADMIN-enabled process can umount components of the
+    /dev hierarchy, they they cannot gain privileges in doing so as no
+    hierarchies are restricted via tmpfs mounts or read-only bind mounts.
     """
     origdev = AtLocation(origroot) / "dev"
     newdev = AtLocation(newroot) / "dev"
@@ -430,6 +434,9 @@ def populate_sys(
 ) -> None:
     """Create a /sys hierarchy below newroot. Bind the cgroup hierarchy. The
     cgroup hierarchy will be mounted read-only if mounting the root group.
+
+    A process with CAP_SYS_ADMIN can remount the created bind mounts read-write
+    or umount hiding mounts and thus elevate their privileges.
     """
     newsys = AtLocation(newroot) / "sys"
     mflags = MountFlags.NOSUID | MountFlags.NOEXEC | MountFlags.NODEV
--
cgit v1.2.3
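Review bot: The sentence added to the populate_dev docstring contains a duplicated word ("they they") and its justification clause is hard to parse; since the point is that unmounting pieces of the tmpfs-backed /dev exposes nothing that was being hidden, I would write it as `Even though a CAP_SYS_ADMIN-enabled process can unmount components of the /dev hierarchy, it cannot gain privileges by doing so, because none of these tmpfs mounts or read-only bind mounts restricts anything underneath.` Whether that claim holds depends on the mounts populate_dev actually creates, and that body lies outside the hunk, so I could not check it here. populate_dev's body continues past the end of the hunk.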
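Review bot: The sentence added to the populate_sys docstring names the hazard but not the condition under which it applies or what a caller should conclude from it, and "umount hiding mounts ... their privileges" reads awkwardly. I would phrase it `A process holding CAP_SYS_ADMIN in the user namespace that owns this mount namespace can remount the created bind mounts read-write or unmount the mounts that hide parts of the hierarchy, and thereby elevate its privileges.` and follow it with one sentence stating that the read-only guarantee in the preceding sentence therefore only holds for processes that cannot obtain that capability. Without that qualification the two sentences of the docstring read as contradicting each other. populate_sys's signature begins in the hunk header and its body continues past the end of the hunk.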