From 4de2791fa7dcc6d4cd445f3c6678623a998b18e2 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn@ubuntu.com>
Date: Fri, 1 Nov 2013 12:17:52 -0500
Subject: [PATCH] always remount / rslave before running creation template (if
 root)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

If we're not root, our mounts in private userns won't get pushed
back anyway.  If we are root, we need to make sure that anything
the template does gets cleaned up.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
---
 src/lxc/lxccontainer.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 8b81a6346..946133d87 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -24,6 +24,7 @@
 #include <unistd.h>
 #include <sys/types.h>
 #include <sys/wait.h>
+#include <sys/mount.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <sched.h>
@@ -833,11 +834,23 @@ static bool create_run_template(struct lxc_container *c, char *tpath, bool quiet
 			exit(1);
 		}
 
-		if (strcmp(bdev->type, "dir") != 0) {
+		if (geteuid() == 0) {
 			if (unshare(CLONE_NEWNS) < 0) {
 				ERROR("error unsharing mounts");
 				exit(1);
 			}
+			if (detect_shared_rootfs()) {
+				if (mount("", "", NULL, MS_SLAVE|MS_REC, 0)) {
+					SYSERROR("Failed to make / rslave to run template");
+					ERROR("Continuing...");
+				}
+			}
+		}
+		if (strcmp(bdev->type, "dir") != 0) {
+			if (geteuid() != 0) {
+				ERROR("non-root users can only create directory-backed containers");
+				exit(1);
+			}
 			if (bdev->ops->mount(bdev) < 0) {
 				ERROR("Error mounting rootfs");
 				exit(1);
-- 
2.47.2