libnetwork/rootlessnetns: set mount propagation to slave

We don't want to leak our mounts to the host but we still like to to
update mounts/umount events from the host. This is so when a fs is
unmounted on the host we don't happen to keep it open in aardvark-dns.

Fixes: containers/podman#25994
Fixes: 4225302 ("libnetwork/rootlessnetns: make mountns tree private")

Signed-off-by: Paul Holzinger <[email protected]>

Author: Luap99

libnetwork/internal/rootlessnetns/netns_linux.go

@@ -369,9 +369,14 @@ func (n *Netns) setupMounts() error {
 
 	// Ensure we mount private in our mountns to prevent accidentally
 	// overwriting the host mounts in case the default propagation is shared.
-	err = unix.Mount("", "/", "", unix.MS_PRIVATE|unix.MS_REC, "")
+	// However using private propagation is not what we want as new mounts/umounts
+	// are not propagted into our namespace thus we use salve.
+	// This is a problem because we now may hold mount points open that were unmounted
+	// on the host confusing users why the underlying device is still busy as they no
+	// longer see the mount: https://github.com/containers/podman/issues/25994
+	err = unix.Mount("", "/", "", unix.MS_SLAVE|unix.MS_REC, "")
 	if err != nil {
-		return wrapError("make tree private in new mount namespace", err)
+		return wrapError("set mount propagation to slave in new mount namespace", err)
 	}
 
 	xdgRuntimeDir, err := homedir.GetRuntimeDir()