jail: only mess with rootfs if CLONE_NEWNS was set

Avoid messing up rootfs of the parent/only mount namespace for the
unusual case of a jailed process which does use namespaces, but
doesn't make use of mount namespaces.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

diff --git a/jail/jail.c b/jail/jail.c
index ec106d27147161f70d9ab6b098fe1fcebcf1837a..fa8da01435419aac2397b7d8dd19c0a3b41d2dee 100644 (file)
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -502,7 +502,7 @@ static int exec_jail(void *pipes_ptr)
                exit(EXIT_FAILURE);
        }
 
                exit(EXIT_FAILURE);
        }
 

-       if (opts.namespace && build_jail_fs()) {
+       if ((opts.namespace & CLONE_NEWNS) && build_jail_fs()) {

                ERROR("failed to build jail fs\n");
                exit(EXIT_FAILURE);
        }
                ERROR("failed to build jail fs\n");
                exit(EXIT_FAILURE);
        }