From 6f997852c8830ca073c55241b0068ebbf1f94a72 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 15 Oct 2020 15:25:56 +0200 Subject: [PATCH] pid1: ignore whole /run/host hierarchy Let's mark the whole /run/host hierarchy as something to ignore by PID 1 for generation of .mount units, i.e. consider it as "extrinsic". By unifying container mgr supplied resources in one dir it's also easy to exclude the whole lot from PID1's management inside the container. This is the right thing to do, since from the payload's PoV these mounts are just API and not manipulatable as they are established, managed and owned by the container manager, not the payload. (While we are it, also add the boot ID mount to the existing list, as nspawn and other container managers overmount that too, typically, and it is thus owned by the container manager and not the payload typically.) --- src/core/mount-setup.c | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c index e1ecb448ea2..f745df7c95d 100644 --- a/src/core/mount-setup.c +++ b/src/core/mount-setup.c @@ -112,17 +112,6 @@ static const MountPoint mount_table[] = { NULL, MNT_NONE, }, }; -/* These are API file systems that might be mounted by other software, - * we just list them here so that we know that we should ignore them */ - -static const char ignore_paths[] = - /* SELinux file systems */ - "/sys/fs/selinux\0" - /* Container bind mounts */ - "/proc/sys\0" - "/dev/console\0" - "/proc/kmsg\0"; - bool mount_point_is_api(const char *path) { unsigned i; 
@@ -137,12 +126,26 @@ bool mount_point_is_api(const char *path) { } bool mount_point_ignore(const char *path) { + const char *i; - NULSTR_FOREACH(i, ignore_paths) + /* These are API file systems that might be mounted by other software, we just list them here so that + * we know that we should ignore them. */ + FOREACH_STRING(i, + /* SELinux file systems */ + "/sys/fs/selinux", + /* Container bind mounts */ + "/dev/console", + "/proc/kmsg", + "/proc/sys", + "/proc/sys/kernel/random/boot_id") if (path_equal(path, i)) return true; + if (path_startswith(path, "/run/host")) /* All mounts passed in from the container manager are + * something we better ignore. */ + return true; + return false; } -- 2.47.3
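Review bot: The new `/run/host` check at the end of the hunk relies on `path_startswith()` matching whole path components, so that e.g. a mount on `/run/hostname` is not swallowed together with the container manager's directory, but neither the code nor the trailing two-line comment says so, and the comment also omits the consequence that every mount anywhere below that prefix — including ones the payload itself might later create there — is hidden from PID 1's .mount unit generation. I would move the comment above the `if` and make both points explicit: `/* Everything below /run/host is established by the container manager and is API from the payload's PoV; ignore the whole subtree (component-wise prefix match, so /run/hostname is not affected). */`. If `path_startswith()` in this tree is a plain string prefix rather than component-aware (the hunk does not show it), the check should be tightened before merging. Note the opening `}` of the hunk closes mount_point_is_api(), whose body starts outside the hunk; mount_point_ignore() itself is fully visible.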