From e2047ba9ed68aa223715f25e156aeb0665c884ce Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 23 Mar 2018 20:52:46 +0100
Subject: [PATCH] process-util: add a new FORK_MOUNTNS_SLAVE flag for
 safe_fork()

We already have a flag for creating a new mount namespace for the child.
Let's add an extension to that: a new FORK_MOUNTNFS_SLAVE flag. When
used in combination will mark all mounts in the child namespace as
MS_SLAVE so that the child can freely mount or unmount stuff but it
won't leak into the parent.
---
 src/basic/process-util.c   | 11 +++++++++++
 src/basic/process-util.h   |  1 +
 src/shared/dissect-image.c |  6 +-----
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/basic/process-util.c b/src/basic/process-util.c
index ce56ce0735..65abaaf888 100644
--- a/src/basic/process-util.c
+++ b/src/basic/process-util.c
@@ -17,6 +17,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <sys/mman.h>
+#include <sys/mount.h>
 #include <sys/personality.h>
 #include <sys/prctl.h>
 #include <sys/types.h>
@@ -1344,6 +1345,16 @@ int safe_fork_full(
                 }
         }
 
+        if ((flags & (FORK_NEW_MOUNTNS|FORK_MOUNTNS_SLAVE)) == (FORK_NEW_MOUNTNS|FORK_MOUNTNS_SLAVE)) {
+
+                /* Optionally, make sure we never propagate mounts to the host. */
+
+                if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0) {
+                        log_full_errno(prio, errno, "Failed to remount root directory as MS_SLAVE: %m");
+                        _exit(EXIT_FAILURE);
+                }
+        }
+
         if (flags & FORK_CLOSE_ALL_FDS) {
                 /* Close the logs here in case it got reopened above, as close_all_fds() would close them for us */
                 log_close();
diff --git a/src/basic/process-util.h b/src/basic/process-util.h
index 0cec7c4c5c..ba6fea6891 100644
--- a/src/basic/process-util.h
+++ b/src/basic/process-util.h
@@ -163,6 +163,7 @@ typedef enum ForkFlags {
         FORK_LOG           = 1U << 5,
         FORK_WAIT          = 1U << 6,
         FORK_NEW_MOUNTNS   = 1U << 7,
+        FORK_MOUNTNS_SLAVE = 1U << 8,
 } ForkFlags;
 
 int safe_fork_full(const char *name, const int except_fds[], size_t n_except_fds, ForkFlags flags, pid_t *ret_pid);
diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index f63c2a0c63..608e4b51ac 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -1278,14 +1278,10 @@ int dissected_image_acquire_metadata(DissectedImage *m) {
         if (r < 0)
                 goto finish;
 
-        r = safe_fork("(sd-dissect)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_NEW_MOUNTNS, &child);
+        r = safe_fork("(sd-dissect)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_NEW_MOUNTNS|FORK_MOUNTNS_SLAVE, &child);
         if (r < 0)
                 goto finish;
         if (r == 0) {
-                /* Make sure we never propagate to the host */
-                if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0)
-                        _exit(EXIT_FAILURE);
-
                 r = dissected_image_mount(m, t, UID_INVALID, DISSECT_IMAGE_READ_ONLY|DISSECT_IMAGE_MOUNT_ROOT_ONLY|DISSECT_IMAGE_VALIDATE_OS);
                 if (r < 0) {
                         log_debug_errno(r, "Failed to mount dissected image: %m");
-- 
2.25.1