From 7c0beea7575200a924188ee670c460feb1ccefea Mon Sep 17 00:00:00 2001
From: Evan Phoenix
Date: Thu, 27 Feb 2025 15:35:28 -0800
Subject: [PATCH] Allow shared mounts by default

The current behavior disallows any mount have (r)shared on it because by default, the root is set with MS_SLAVE, which disallows sub-dirs from having a different propagation. Projects have been working around this by setting the RootfsPropogation to "shared", to override the default (https://github.com/containerd/nerdctl/blob/main/pkg/mountutil/mountutil_linux.go#L185-L193). This patch makes a reasonable attempt to make the functionality work without touching RootfsPropogation.

Signed-off-by: Evan Phoenix
---
 libcontainer/rootfs_linux.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 68e16b7920b..8cf51a398c0 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -1016,7 +1016,18 @@ func prepareRoot(config *configs.Config) error {
 	flag := unix.MS_SLAVE | unix.MS_REC
 	if config.RootPropagation != 0 {
 		flag = config.RootPropagation
+	} else {
+		for _, m := range config.Mounts {
+			if m.Flags&unix.MS_SHARED != 0 {
+				// if a mount is using shared, then we don't lock down access with
+				// slave, instead we just use private so that the submounts can be
+				// configured shared correctly.
+				flag = unix.MS_PRIVATE
+				break
+			}
+		}
 	}
+
 	if err := mount("", "/", "", uintptr(flag), ""); err != nil {
 		return err
 	}
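Review bot: `flag = unix.MS_PRIVATE` drops the `MS_REC` that the default `unix.MS_SLAVE | unix.MS_REC` carries, so only `/` itself changes propagation and every mount already inherited into the new mount namespace keeps its host propagation (typically shared), leaving a window where mount events under those paths propagate back to the host. The recursive form `flag = unix.MS_PRIVATE | unix.MS_REC` keeps that containment property while still letting submounts created afterwards be marked shared. The trigger `m.Flags&unix.MS_SHARED != 0` also looks fragile: if the spec's propagation options are parsed into a separate field rather than `Flags` (runc appears to keep them in `PropagationFlags`, if I recall correctly), this branch never fires, so it is worth confirming against the spec conversion code. The comment should also record the observable change for users, e.g. `// Note: unlike the slave default, private also stops host mount events from propagating into the container.`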