[iproute2-3.8,1/6] iproute2: Don't propogate mounts out of ip

Submitted by Eric W. Biederman on Jan. 18, 2013, 12:45 a.m.


Message ID 87y5fr48uq.fsf_-_@xmission.com
State Accepted
Delegated to: stephen hemminger
Headers show

Commit Message

Eric W. Biederman Jan. 18, 2013, 12:45 a.m.
Some systems are now following the advice in
linux/Documentation/sharedsubtrees.txt and running with all mount
points shared between all mount namespaces by default.

After creating the mount namespace call mount on / with
MS_SLAVE|MS_REC to modify all mounts in the new mount namespace to
slave mounts if they are shared or private mounts otherwise.
Guarnateeing that changes to the mount namespace created with
"ip netns exec" don't propgate to other namespaces.

Reported-by: Petr Šabata <contyk@redhat.com>
Tested-by: Petr Šabata <contyk@redhat.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
 ip/ipnetns.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

Patch hide | download patch | download mbox

diff --git a/ip/ipnetns.c b/ip/ipnetns.c
index e41a598..f2c42ba 100644
--- a/ip/ipnetns.c
+++ b/ip/ipnetns.c
@@ -152,6 +152,12 @@  static int netns_exec(int argc, char **argv)
 		fprintf(stderr, "unshare failed: %s\n", strerror(errno));
 		return -1;
+	/* Don't let any mounts propogate back to the parent */
+	if (mount("", "/", "none", MS_SLAVE | MS_REC, NULL)) {
+		fprintf(stderr, "mount --make-rslave / failed: %s\n",
+			strerror(errno));
+		return -1;
+	}
 	/* Mount a version of /sys that describes the network namespace */
 	if (umount2("/sys", MNT_DETACH) < 0) {
 		fprintf(stderr, "umount of /sys failed: %s\n", strerror(errno));