executor/linux: change mount propagation type to private

unshare(CLONE_NEWNS) might not be sufficient for making all test processes run in
separate mount namespace, for "mount --make-rshared /" request issued by systemd
causes mount operations issued by test processes visible from outside of test
processes. Issue "mount --make-rprivate /" request after unshare(CLONE_NEWNS).

2 files changed, 6 insertions, 0 deletions

diff --git a/executor/common_linux.h b/executor/common_linux.h
index deb0487f0..43da7be11 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -3318,6 +3318,9 @@ static void sandbox_common()
 	if (unshare(CLONE_NEWNS)) {
 		debug("unshare(CLONE_NEWNS): %d\n", errno);
 	}
+	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
+		debug("mount(\"/\", MS_REC | MS_PRIVATE): %d\n", errno);
+	}
 	if (unshare(CLONE_NEWIPC)) {
 		debug("unshare(CLONE_NEWIPC): %d\n", errno);
 	}
diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go
index b5dc79b54..077355add 100644
--- a/pkg/csource/generated.go
+++ b/pkg/csource/generated.go
@@ -7576,6 +7576,9 @@ static void sandbox_common()
 	if (unshare(CLONE_NEWNS)) {
 		debug("unshare(CLONE_NEWNS): %d\n", errno);
 	}
+	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
+		debug("mount(\"/\", MS_REC | MS_PRIVATE): %d\n", errno);
+	}
 	if (unshare(CLONE_NEWIPC)) {
 		debug("unshare(CLONE_NEWIPC): %d\n", errno);
 	}