cmd/snap-confine: fix exploding homedirs bug

The combination of snap set system homedirs=/var/lib/ and a snap that causes a mimic to be created over /var/lib is sufficient to leak over to the initial mount namespace. Fixes: https://warthogs.atlassian.net/browse/SNAPDENG-17066 Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
snapcore · Mar 1, 2024 · 1aaf325 · 1aaf325
1 parent a910533
commit 1aaf325
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/cmd/snap-confine/mount-support.c b/cmd/snap-confine/mount-support.c
@@ -927,7 +927,8 @@ static struct sc_mount *sc_homedir_mounts(const struct sc_invocation *inv)
 	for (int i = 0; i < inv->num_homedirs; i++) {
 		debug("Adding homedir: %s", inv->homedirs[i]);
 		mounts[i].path = sc_strdup(inv->homedirs[i]);
-		mounts[i].is_bidirectional = true;
+		// Note that we are not setting bidirectional flag, so anything mounted
+		// here will not propagate to the host.
 	}
 	return mounts;
 }