nspawn: disable propagation for selected host API bind mounts

We bind mount two selected inodes from the host into our container. Let's turn off propagation for that, since we just want those inodes, nothing else. With this change "grep master: /proc/self/mountinfo" should list only the mount propagation "tunnel" dir, and nothing else anymore.
author: Lennart Poettering <lennart@poettering.net> 2023-03-02 19:01:39 +0100
committer: Lennart Poettering <lennart@poettering.net> 2023-03-03 12:17:49 +0100
commit: 56339a10db0c701a298f51e0d6cb02901b366ffa (patch)
tree: 31a5ae9b60eec31d055666e0d94f928a115a2914 /src/nspawn
parent: 75f8173247e7e5c50e1121c5330acf6f165a910d (diff)
download: systemd-56339a10db0c701a298f51e0d6cb02901b366ffa.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
index ee00362b54..ea54b23e08 100644
--- a/src/nspawn/nspawn-mount.c
+++ b/src/nspawn/nspawn-mount.c
@@ -598,6 +598,8 @@ int mount_all(const char *dest,
                   MOUNT_FATAL }, /* If /etc/os-release doesn't exist use the version in /usr/lib as fallback */
                 { NULL,                     "/run/host/os-release",         NULL,    NULL,                             MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,
                   MOUNT_FATAL },
+                { NULL,                     "/run/host/os-release",         NULL,    NULL,                             MS_PRIVATE,
+                  MOUNT_FATAL },  /* Turn off propagation (we only want that for the mount propagation tunnel dir) */
                 { NULL,                     "/run/host",                    NULL,    NULL,                             MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,
                   MOUNT_FATAL|MOUNT_IN_USERNS },
 #if HAVE_SELINUX
@@ -605,6 +607,8 @@ int mount_all(const char *dest,
                   MOUNT_MKDIR },  /* Bind mount first (mkdir/chown the mount point in case /sys/ is mounted as minimal skeleton tmpfs) */
                 { NULL,                     "/sys/fs/selinux",              NULL,    NULL,                             MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,
                   0 },            /* Then, make it r/o (don't mkdir/chown the mount point here, the previous entry already did that) */
+                { NULL,                     "/sys/fs/selinux",              NULL,    NULL,                             MS_PRIVATE,
+                  0 },            /* Turn off propagation (we only want that for the mount propagation tunnel dir) */
 #endif
         };
author	Lennart Poettering <lennart@poettering.net>	2023-03-02 19:01:39 +0100
committer	Lennart Poettering <lennart@poettering.net>	2023-03-03 12:17:49 +0100
commit	56339a10db0c701a298f51e0d6cb02901b366ffa (patch)
tree	31a5ae9b60eec31d055666e0d94f928a115a2914 /src/nspawn
parent	75f8173247e7e5c50e1121c5330acf6f165a910d (diff)
download	systemd-56339a10db0c701a298f51e0d6cb02901b366ffa.tar.gz