network: simplify lxc_network_move_created_netdev_priv()

[mirror_lxc.git] / doc / lxc.container.conf.sgml.in

diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 0af0456a5addc8510d77acf3c3fa1726b0bea315..782dede78776552b9925af4506ea3988615b04bc 100644 (file)
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1722,6 +1722,12 @@ dev/null proc/kcore none bind,relative 0 0
             process wants to inherit the other's network namespace it usually
             needs to inherit the user namespace as well.
             </para>
+
+            <para>
+            Note that without careful additional configuration of an LSM,
+            sharing user+pid namespaces with a task may allow that task to
+            escalate privileges to that of the task calling liblxc.
+            </para>
           </listitem>
         </varlistentry>
       </variablelist>
@@ -1943,7 +1949,7 @@ dev/null proc/kcore none bind,relative 0 0
 
       <para>
       Specifying "errno" as action will cause LXC to register a seccomp filter
-      that will cause a specific errno to be returned ot the caller. The errno
+      that will cause a specific errno to be returned to the caller. The errno
       value can be specified after the "errno" action word.
       </para>