nspawn,namespaces: make sure we recursively bind mount things in
authorLennart Poettering <lennart@poettering.net>
Mon, 13 Aug 2012 14:25:03 +0000 (16:25 +0200)
committerLennart Poettering <lennart@poettering.net>
Mon, 13 Aug 2012 14:25:03 +0000 (16:25 +0200)
We want to make sure that everything from the host is also visible in
the sandbox.

src/core/namespace.c
src/nspawn/nspawn.c

index 5c2a246..ba18ddc 100644 (file)
@@ -156,7 +156,7 @@ static int apply_mount(
 
         assert(what);
 
-        r = mount(what, p->path, NULL, MS_BIND, NULL);
+        r = mount(what, p->path, NULL, MS_BIND|MS_REC, NULL);
         if (r >= 0)
                 log_debug("Successfully mounted %s to %s", what, p->path);
 
@@ -171,7 +171,7 @@ static int make_read_only(Path *p) {
         if (p->mode != INACCESSIBLE && p->mode != READONLY)
                 return 0;
 
-        r = mount(NULL, p->path, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL);
+        r = mount(NULL, p->path, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL);
         if (r < 0)
                 return -errno;
 
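Review bot: Adding MS_REC to the MS_REMOUNT call on the `+` line does not make the read-only flag recursive: the kernel honours MS_REC only together with MS_BIND and the propagation-type flags, and a bind remount changes the per-mount-point flags of the mount at p->path alone. Since apply_mount in this same commit now binds recursively, every mount below p->path becomes visible in the sandbox but stays writable, so a READONLY path whose subtree contains other mounts (a tmpfs, a removable device, a FUSE mount) is only partly protected; whether INACCESSIBLE relies on this remount too is not visible from the hunk. I would drop MS_REC here and instead walk /proc/self/mountinfo, remounting every mount point under p->path individually and failing the sandbox setup if any of them cannot be remounted, along the lines of the sketch below. The remainder of make_read_only lies outside the hunk.
```c
/* Remount `prefix` and every mount below it read-only.  MS_REC has no
 * effect together with MS_REMOUNT, so the submounts must be visited one
 * by one; /proc/self/mountinfo lists them (5th field, with spaces
 * octal-escaped as \040, which a real implementation must unescape). */
static int bind_remount_recursive(const char *prefix) {
        FILE *f;
        char *line = NULL;
        size_t n = 0, l = strlen(prefix);
        int r = 0;

        if (mount(NULL, prefix, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0)
                return -errno;

        f = fopen("/proc/self/mountinfo", "re");
        if (!f)
                return -errno;

        while (getline(&line, &n, f) >= 0) {
                char *mp = NULL;

                if (sscanf(line, "%*s %*s %*s %*s %ms", &mp) != 1)
                        continue;

                /* strictly below prefix: prefix itself was handled above */
                if (strncmp(mp, prefix, l) == 0 && mp[l] == '/' &&
                    mount(NULL, mp, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0 && r == 0)
                        r = -errno;

                free(mp);
        }

        free(line);
        fclose(f);
        return r;
}

static int make_read_only(Path *p) {
        int r;

        /* … unchanged: mode check … */

        r = bind_remount_recursive(p->path);
        if (r < 0)
                return r;

        /* … unchanged: rest of make_read_only, outside the hunk … */
```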
index 78b5602..7d188f0 100644 (file)
@@ -1187,13 +1187,13 @@ int main(int argc, char *argv[]) {
                 }
 
                 /* Turn directory into bind mount */
-                if (mount(arg_directory, arg_directory, "bind", MS_BIND, NULL) < 0) {
+                if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REC, NULL) < 0) {
                         log_error("Failed to make bind mount.");
                         goto child_fail;
                 }
 
                 if (arg_read_only)
-                        if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
+                        if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0) {
                                 log_error("Failed to make read-only.");
                                 goto child_fail;
                         }
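Review bot: The `--read-only` remount on the second `+` line still only affects the top-level mount at arg_directory: the kernel ignores MS_REC on an MS_REMOUNT call, so the read-only flag is not applied below it. Because the bind mount two lines earlier is now recursive, any mount that sits below arg_directory on the host is carried into the container and remains writable there, which silently weakens `--read-only` for exactly the layouts the commit sets out to support (a separate filesystem mounted somewhere inside the container tree). Rather than MS_REC on the remount, the mount points listed under arg_directory in /proc/self/mountinfo need to be remounted read-only one by one, ideally through a helper shared with src/core/namespace.c, which has the same limitation in make_read_only. A comment such as `/* MS_REC is ignored for remounts; submounts must be remounted separately */` next to the call would keep this from regressing. main() continues outside the hunk.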