From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 13 Mar 2023 14:16:55 +0000 (+0100)
Subject: namespace-util: set mounts back to MS_SHARED in detach_mount_namespace()
X-Git-Tag: v254-rc1~1039
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b6904196a6506cf3dcbe4c90f56b7e77434e7db4;p=thirdparty%2Fsystemd.git

namespace-util: set mounts back to MS_SHARED in detach_mount_namespace()

For nspawn and services we first turn off two-way propagation of mounts
from host to sandbox via MS_SLAVE, and then set MS_SHARED again, so that
we create a new mount prop peer group again, and that we provide
behaviour similar to what we provide on the host further down the tree.

Let's do the same in detach_mount_namespace(), which we use for the
temporary mounts in the implementation of --image= in various tools.

This doesn't fix any immediate issue, but ensures we expose somewhat
systematic behaviour: whenever we detach mount namespaces we always set
things back to MS_SLAVE in the child.
---

diff --git a/src/basic/namespace-util.c b/src/basic/namespace-util.c
index f5c0e04cecb..f511a91720a 100644
--- a/src/basic/namespace-util.c
+++ b/src/basic/namespace-util.c
@@ -190,13 +190,20 @@ int fd_is_ns(int fd, unsigned long nsflag) {
 }
 
 int detach_mount_namespace(void) {
-
-        /* Detaches the mount namespace, disabling propagation from our namespace to the host */
+        /* Detaches the mount namespace, disabling propagation from our namespace to the host. Sets
+         * propagation first to MS_SLAVE for all mounts (disabling propagation), and then back to MS_SHARED
+         * (so that we create a new peer group).  */
 
         if (unshare(CLONE_NEWNS) < 0)
-                return -errno;
+                return log_debug_errno(errno, "Failed to acquire mount namespace: %m");
+
+        if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0)
+                return log_debug_errno(errno, "Failed to set mount propagation to MS_SLAVE for all mounts: %m");
 
-        return RET_NERRNO(mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL));
+        if (mount(NULL, "/", NULL, MS_SHARED | MS_REC, NULL) < 0)
+                return log_debug_errno(errno, "Failed to set mount propagation back to MS_SHARED for all mounts: %m");
+
+        return 0;
 }
 
 int userns_acquire(const char *uid_map, const char *gid_map) {