/* Wait until the parent wrote the UID map */
if (!barrier_place_and_sync(barrier)) /* #2 */
- return log_error_errno(SYNTHETIC_ERRNO(ESRCH),
- "Parent died too early");
- }
+ return log_error_errno(SYNTHETIC_ERRNO(ESRCH), "Parent died too early");
- r = reset_uid_gid();
- if (r < 0)
- return log_error_errno(r, "Couldn't become new root: %m");
+ /* Become the new root user inside our namespace */
+ r = reset_uid_gid();
+ if (r < 0)
+ return log_error_errno(r, "Couldn't become new root: %m");
+
+ /* Creating a new user namespace means all MS_SHARED mounts become MS_SLAVE. Let's put them
+ * back to MS_SHARED here, since that's what we want as defaults. (This will not reconnect
+ * propagation, but simply create new peer groups for all our mounts). */
+ r = mount_verbose(LOG_ERR, NULL, "/", NULL, MS_SHARED|MS_REC, NULL);
+ if (r < 0)
+ return r;
+ }
r = mount_all(NULL,
arg_mount_settings | MOUNT_IN_USERNS,
if (r < 0)
return r;
- /* Mark everything as slave, so that we still
- * receive mounts from the real root, but don't
- * propagate mounts to the real root. */
+ /* Mark everything as slave, so that we still receive mounts from the real root, but don't propagate
+ * mounts to the real root. */
r = mount_verbose(LOG_ERR, NULL, "/", NULL, MS_SLAVE|MS_REC, NULL);
if (r < 0)
return r;
notify_socket = safe_close(notify_socket);
uid_shift_socket = safe_close(uid_shift_socket);
- /* The inner child has all namespaces that are
- * requested, so that we all are owned by the user if
- * user namespaces are turned on. */
+ /* The inner child has all namespaces that are requested, so that we all are owned by the
+ * user if user namespaces are turned on. */
if (arg_network_namespace_path) {
r = namespace_enter(-1, -1, netns_fd, -1, -1);