Make our mounts private to our namespace

That way they don't end up in the host namespace in any case. Only the loop device we're allocating remains visible as there is currently no real separation between containers on loop device usage.

Make our mounts private to our namespace
That way they don't end up in the host namespace in any case. Only the loop device we're allocating remains visible as there is currently no real separation between containers on loop device usage.
fc49cc38 · Simon Fels · 5520dfac · fc49cc38
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

src/anbox/cmds/container_manager.cpp src/anbox/cmds/container_manager.cpp +2 -2

未找到文件。
--- a/src/anbox/cmds/container_manager.cpp
+++ b/src/anbox/cmds/container_manager.cpp
@@ -109,7 +109,7 @@ bool anbox::cmds::ContainerManager::setup_mounts() {
    return false;
  }

-  auto m = common::MountEntry::create(loop_device, android_rootfs_dir, "squashfs", MS_MGC_VAL | MS_RDONLY);
+  auto m = common::MountEntry::create(loop_device, android_rootfs_dir, "squashfs", MS_MGC_VAL | MS_RDONLY | MS_PRIVATE);
  if (!m) {
    ERROR("Failed to mount Android rootfs");
    return false;
@@ -133,7 +133,7 @@ bool anbox::cmds::ContainerManager::setup_mounts() {
      }
    }

-    auto m = common::MountEntry::create(src_dir_path, target_dir_path, "", MS_MGC_VAL | MS_BIND);
+    auto m = common::MountEntry::create(src_dir_path, target_dir_path, "", MS_MGC_VAL | MS_BIND | MS_PRIVATE);
    if (!m) {
      ERROR("Failed to mount Android %s directory", dir_name);
      mounts_.clear();