From fc49cc3895614c1dfcaf930b8ff4fa16a5dfd75b Mon Sep 17 00:00:00 2001
From: Simon Fels <morphis@gravedo.de>
Date: Mon, 20 Feb 2017 08:18:02 +0100
Subject: [PATCH] Make our mounts private to our namespace

That way they don't end up in the host namespace in any case. Only the
loop device we're allocating remains visible as there is currently no
real separation between containers on loop device usage.
---
 src/anbox/cmds/container_manager.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/anbox/cmds/container_manager.cpp b/src/anbox/cmds/container_manager.cpp
index f2d5fb0..b4d7a19 100644
--- a/src/anbox/cmds/container_manager.cpp
+++ b/src/anbox/cmds/container_manager.cpp
@@ -109,7 +109,7 @@ bool anbox::cmds::ContainerManager::setup_mounts() {
     return false;
   }
 
-  auto m = common::MountEntry::create(loop_device, android_rootfs_dir, "squashfs", MS_MGC_VAL | MS_RDONLY);
+  auto m = common::MountEntry::create(loop_device, android_rootfs_dir, "squashfs", MS_MGC_VAL | MS_RDONLY | MS_PRIVATE);
   if (!m) {
     ERROR("Failed to mount Android rootfs");
     return false;
@@ -133,7 +133,7 @@ bool anbox::cmds::ContainerManager::setup_mounts() {
       }
     }
 
-    auto m = common::MountEntry::create(src_dir_path, target_dir_path, "", MS_MGC_VAL | MS_BIND);
+    auto m = common::MountEntry::create(src_dir_path, target_dir_path, "", MS_MGC_VAL | MS_BIND | MS_PRIVATE);
     if (!m) {
       ERROR("Failed to mount Android %s directory", dir_name);
       mounts_.clear();