myitcv / x

Mono-repo for all myitcv.io/... Go code
MIT License

cmd/(unsharemounts|mountwrap): fix usage of unshare #185

Closed myitcv closed 1 year ago

myitcv commented 1 year ago

With the move to Debian, we now mount /home onto a separate device. This means that the old approach of calling --make-private on / no longer works, because /home is still shared.

It's also unclear how calling mount --make-private / worked, because this happened in a child process of the shell in which we had previously called unshare.

Looking at the example in unshare(1), it seems to suggest that the call to unshare and the call to mount --make-private should happen in the parent/current process, mainly because repeatedly making that call will have no effect: calling it once should suffice.

The docs in unshare(1) are also somewhat unclear on the order in which the calls should be made:

    $ mount --bind /root/namespaces /root/namespaces
    $ mount --make-private /root/namespaces
    $ touch /root/namespaces/mnt
    $ unshare --mount=/root/namespaces/mnt

For now it seems like the most sensible thing to do is to call unshare first (to create a separate mount namespace), then make the mount private to the new namespace.

Also fix up newshell. There is lots of bad code in this repo, much hard coding of values... but for now it works again.
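The sequence the PR settles on (unshare first, then make the mounts private, both in the same process) written out as an added Go example. This is not code from myitcv/x; sharedMounts, unescape, enterPrivateMountNS and the mountinfo sample are my own names and constructed input, not anything taken from the repo. The check it adds is the one that matters for the /home-on-a-separate-device case: after entering the namespace it parses /proc/self/mountinfo and refuses to continue if any mount is still shared.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"runtime"
	"strings"
	"syscall"
)

// sampleMountinfo is a constructed /proc/self/mountinfo excerpt (not captured
// from a real host) mirroring the PR: / and a /home on its own device are both
// shared, /tmp is private, and a fourth mount is a slave (master:N).
const sampleMountinfo = `22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 8:2 / /home rw,relatime shared:25 - ext4 /dev/sda2 rw
50 22 0:5 / /tmp rw,nosuid - tmpfs tmpfs rw
60 22 8:3 / /mnt/with\040space rw master:1 - ext4 /dev/sdb1 rw
`

// unescape decodes the \ooo octal escapes mountinfo uses for space, tab,
// newline and backslash inside mount points.
func unescape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] == '\\' && i+3 < len(s) {
			v, ok := 0, true
			for _, d := range s[i+1 : i+4] {
				if d < '0' || d > '7' {
					ok = false
					break
				}
				v = v*8 + int(d-'0')
			}
			if ok {
				b.WriteByte(byte(v))
				i += 3
				continue
			}
		}
		b.WriteByte(s[i])
	}
	return b.String()
}

// sharedMounts returns the mount points in mountinfo-formatted text whose
// propagation type is still shared. Optional fields start at index 6 and run
// up to the "-" separator; "shared:N" is the one that matters here.
func sharedMounts(mountinfo string) []string {
	var shared []string
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 7 {
			continue
		}
		for _, opt := range f[6:] {
			if opt == "-" {
				break
			}
			if strings.HasPrefix(opt, "shared:") {
				shared = append(shared, unescape(f[4]))
				break
			}
		}
	}
	return shared
}

// enterPrivateMountNS does, in this process and in this order, what the PR
// concludes: unshare the mount namespace first, then make the mounts private.
// MS_REC is what covers a /home on its own device; a non-recursive MS_PRIVATE
// on / would leave it shared. Needs CAP_SYS_ADMIN. The OS thread is locked
// because namespaces are per thread and the scheduler may move the goroutine.
func enterPrivateMountNS() error {
	runtime.LockOSThread()
	if err := syscall.Unshare(syscall.CLONE_NEWNS); err != nil {
		return fmt.Errorf("unshare(CLONE_NEWNS): %w", err)
	}
	if err := syscall.Mount("none", "/", "", syscall.MS_REC|syscall.MS_PRIVATE, ""); err != nil {
		return fmt.Errorf("mount --make-rprivate /: %w", err)
	}
	return nil
}

func main() {
	if err := enterPrivateMountNS(); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Verify against the live mount table: nothing may still be shared.
	mi, err := os.ReadFile("/proc/self/mountinfo")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if left := sharedMounts(string(mi)); len(left) > 0 {
		fmt.Fprintln(os.Stderr, "still shared:", left)
		os.Exit(1)
	}
	// Hand the private namespace to an interactive shell.
	shell := os.Getenv("SHELL")
	if shell == "" {
		shell = "/bin/sh"
	}
	if err := syscall.Exec(shell, []string{shell}, os.Environ()); err != nil {
		fmt.Fprintln(os.Stderr, "exec:", err)
		os.Exit(1)
	}
}
```

Run it as root and, in the shell it drops you into, `findmnt -o TARGET,PROPAGATION` should list every entry as private; mounts made there no longer propagate back to the parent namespace. Note that util-linux's own `unshare --mount` applies the equivalent of `mount --make-rprivate /` by default (its `--propagation` option controls this), so the two-step sequence the PR describes is what `unshare -m` already does for you when the shell is started through it.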