From 56339a10db0c701a298f51e0d6cb02901b366ffa Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 2 Mar 2023 19:01:39 +0100
Subject: [PATCH] nspawn: disable propagation for selected host API bind mounts

We bind mount two selected inodes from the host into our container. Let's turn off propagation for that, since we just want those inodes, nothing else.

With this change "grep master: /proc/self/mountinfo" should list only the mount propagation "tunnel" dir, and nothing else anymore.
---
 src/nspawn/nspawn-mount.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
index ee00362b546..ea54b23e083 100644
--- a/src/nspawn/nspawn-mount.c
+++ b/src/nspawn/nspawn-mount.c
@@ -598,6 +598,8 @@ int mount_all(const char *dest, MOUNT_FATAL }, /* If /etc/os-release doesn't exist use the version in /usr/lib as fallback */ { NULL, "/run/host/os-release", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, MOUNT_FATAL }, + { NULL, "/run/host/os-release", NULL, NULL, MS_PRIVATE, MOUNT_FATAL }, /* Turn off propagation (we only want that for the mount propagation tunnel dir) */ { NULL, "/run/host", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, MOUNT_FATAL|MOUNT_IN_USERNS }, #if HAVE_SELINUX
@@ -605,6 +607,8 @@ int mount_all(const char *dest, MOUNT_MKDIR }, /* Bind mount first (mkdir/chown the mount point in case /sys/ is mounted as minimal skeleton tmpfs) */ { NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, 0 }, /* Then, make it r/o (don't mkdir/chown the mount point here, the previous entry already did that) */ + { NULL, "/sys/fs/selinux", NULL, NULL, MS_PRIVATE, 0 }, /* Turn off propagation (we only want that for the mount propagation tunnel dir) */ #endif };
-- 
2.47.3
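Review bot: The new `/run/host/os-release` MS_PRIVATE entry is only explained as "Turn off propagation", which does not say what the flag defends against; the comment should state that the bind mount otherwise inherits the host mount's propagation group and shows up as `master:` in the container's mountinfo (which is what the commit message's grep observed), so a later host-side mount placed over the source inode would presumably propagate into the container. Suggested comment: `/* Make this bind mount private: it inherits the host's propagation group otherwise, so a host-side mount over the source inode would appear here. No MS_REC needed, it's a single file. */`. The entry sits after the read-only remount and carries the same MOUNT_FATAL setting as that remount, which looks right, since a propagation type can only be set on a mount that already exists. The commit message verifies the effect with a manual `grep master: /proc/self/mountinfo`; that check would be worth turning into an assertion in the nspawn integration tests so a future host API mount does not silently reintroduce a slave mount. `mount_all` and its mount table start before this hunk.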
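Review bot: The `/sys/fs/selinux` MS_PRIVATE entry is marked non-fatal (`0`) like the two entries before it, so if the preceding bind mount fails or is skipped (no selinuxfs on the host) and mount_all continues past non-fatal failures, the propagation call is still issued against the bare directory left behind by MOUNT_MKDIR, and the only thing preventing a surprising result is the kernel rejecting a propagation change on a non-mountpoint with EINVAL; that reliance deserves a comment. Suggested: `/* Non-fatal like the bind mount above: if that one did not happen, this is an EINVAL on a plain directory and is ignored */`. The comment text is copied verbatim from the os-release entry; saying instead why selinuxfs matters here (a host-side remount or umount of selinuxfs would otherwise propagate in, while the container relies on its read-only copy) would make the intent checkable by a later reader. The table ends at `};`, but mount_all continues past this hunk.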