From b6904196a6506cf3dcbe4c90f56b7e77434e7db4 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 13 Mar 2023 15:16:55 +0100 Subject: [PATCH] namespace-util: set mounts back to MS_SHARED in detach_mount_namespace() For nspawn and services we first turn off two-way propagation of mounts from host to sandbox via MS_SLAVE, and then set MS_SHARED again, so that we create a new mount prop peer group again, and that we provide behaviour similar to what we provide on the host further down the tree. Let's do the same in detach_mount_namespace(), which we use for the temporary mounts in the implementation of --image= in various tools. This doesn't fix any immediate issue, but ensures we expose somewhat systematic behaviour: whenever we detach mount namespaces we always set things back to MS_SLAVE in the child. --- src/basic/namespace-util.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/src/basic/namespace-util.c b/src/basic/namespace-util.c index f5c0e04cecb..f511a91720a 100644 --- a/src/basic/namespace-util.c +++ b/src/basic/namespace-util.c @@ -190,13 +190,20 @@ int fd_is_ns(int fd, unsigned long nsflag) { } int detach_mount_namespace(void) { - - /* Detaches the mount namespace, disabling propagation from our namespace to the host */ + /* Detaches the mount namespace, disabling propagation from our namespace to the host. Sets + * propagation first to MS_SLAVE for all mounts (disabling propagation), and then back to MS_SHARED + * (so that we create a new peer group). */ if (unshare(CLONE_NEWNS) < 0) - return -errno; + return log_debug_errno(errno, "Failed to acquire mount namespace: %m"); + + if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0) + return log_debug_errno(errno, "Failed to set mount propagation to MS_SLAVE for all mounts: %m"); - return RET_NERRNO(mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL)); + if (mount(NULL, "/", NULL, MS_SHARED | MS_REC, NULL) < 0) + return log_debug_errno(errno, "Failed to set mount propagation back to MS_SHARED for all mounts: %m"); + + return 0; } int userns_acquire(const char *uid_map, const char *gid_map) { -- 2.47.3