container: make setup more similar to OCI runtime

- Make whole tree MS_PRIVATE
- Create extra mount namespace after creating container mounts

1 files changed, 10 insertions, 1 deletions

diff --git a/src/runner/container/task.rs b/src/runner/container/task.rs
index 09b5f94..2e3f86f 100644
--- a/src/runner/container/task.rs
+++ b/src/runner/container/task.rs
@@ -251,13 +251,22 @@ fn run_task(input_hash: &InputHash, task: &runner::Task) -> Result<()> {
 		.expect("Failed to bind mount build directory");
 
 		ns::pivot_root(&rootfs);
+		mount::mount::<str, _, str, str>(
+			None,
+			"/",
+			None,
+			MsFlags::MS_PRIVATE | MsFlags::MS_REC,
+			None,
+		)
+		.context("Failed to set MS_PRIVATE for container root")?;
 		ns::container_mounts().context("Failed to set up container mounts")?;
 
 		unistd::sethostname("rebel-builder").context("Failed to set hostname")?;
 
 		prctl::set_no_new_privs().context("set_no_new_privs()")?;
 
-		unshare(CloneFlags::CLONE_NEWUSER).context("Failed to create user namespace")?;
+		unshare(CloneFlags::CLONE_NEWUSER | CloneFlags::CLONE_NEWNS)
+			.context("Failed to create user namespace")?;
 		ns::setup_userns(BUILD_UID, BUILD_GID, Uid::from_raw(0), Gid::from_raw(0));
 
 		let err = Command::new("sh")