Explain why a substring match is sufficient when reading uid_map

per containers#1312 (comment) . Signed-off-by: Miloslav Trmač <[email protected]>
mtrmac · Sep 9, 2022 · 0138440 · 0138440
1 parent b321881
commit 0138440
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/pkg/unshare/unshare_linux.go b/pkg/unshare/unshare_linux.go
@@ -394,7 +394,9 @@ func hasFullUsersMappings() (bool, error) {
 	if err != nil {
 		return false, err
 	}
-	// if the uid_map contains 4294967295, the entire IDs space is available in the
+	// The kernel rejects attempts to create mappings where either starting
+	// point is (u32)-1: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/user_namespace.c?id=af3e9579ecfb#n1006 .
+	// So, if the uid_map contains 4294967295, the entire IDs space is available in the
 	// user namespace, so it is likely the initial user namespace.
 	return bytes.Contains(content, []byte("4294967295")), nil
 }