mnexec: properly set up the mount namespace

Systemd's default is to mark the root mount as shared and it is
inherited as such by the new mount namespace. This means that any
mounts performed in the new namespace will be visible by the rest of
the system, breaking privateDirs.

To restore a more sane behaviour, we explicitly mark all mounts
recursively as private, meaning that we will no longer see new mounts
from the root namespace, and our mounts will also not propagate to the
rest of the system.

Fixes #565
1 parent 7c6d645 commit 96ea5367dbea7b77e6b7454c1de85b30b7ba7035 @thinred thinred committed with lantz Nov 6, 2015
Showing with 10 additions and 0 deletions.
  1. +10 −0 mnexec.c
@@ -130,6 +130,16 @@ int main(int argc, char *argv[])
perror("unshare");
return 1;
}
+
+ /* Mark our whole hierarchy recursively as private, so that our
+ * mounts do not propagate to other processes.
+ */
+
+ if (mount("none", "/", NULL, MS_REC|MS_PRIVATE, NULL) == -1) {
+ perror("remount");
+ return 1;
+ }
+
/* mount sysfs to pick up the new network namespace */
if (mount("sysfs", "/sys", "sysfs", MS_MGC_VAL, NULL) == -1) {
perror("mount");
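Review bot: the error label in `perror("remount")` is misleading for the new `mount("none", "/", NULL, MS_REC|MS_PRIVATE, NULL)` call, which changes mount propagation rather than remounting anything; `perror("mount MS_PRIVATE")` (or similar) would make a failure report point at the right operation. The placement is correct in that it runs after the `unshare` check and before the sysfs mount at `/sys`, so the later mount stays inside the private hierarchy. One caveat worth a comment: `MS_PRIVATE` also stops mounts made later in the root namespace from appearing here, as the commit message notes; if that visibility is wanted, `MS_REC|MS_SLAVE` would still keep our own mounts from propagating out.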
