Make / mount as rslave instead of bind mounting polydirs.

* modules/pam_namespace/pam_namespace.c (protect_dir): Drop the always argument.
(check_inst_parent): Drop the always argument from protect_dir().
(create_polydir): Likewise.
(ns_setup): Likewise and do not mark the polydir with MS_PRIVATE.
(setup_namespace): Mark the / with MS_SLAVE|MS_REC.
* modules/pam_namespace/pam_namespace.8.xml: Reflect the change in docs.

1 files changed, 8 insertions, 2 deletions

diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml
index 48021c80..6ec3ad23 100644
--- a/modules/pam_namespace/pam_namespace.8.xml
+++ b/modules/pam_namespace/pam_namespace.8.xml
@@ -246,12 +246,18 @@
 	    This option can be used on systems where the / mount point or
 	    its submounts are made shared (for example with a
 	    <command>mount --make-rshared /</command> command).
-	    The module will make the polyinstantiated directory mount points
-	    private. Normally the pam_namespace will try to detect the
+	    The module will mark the whole directory tree so any mount and
+	    unmount operations in the polyinstantiation namespace are private.
+	    Normally the pam_namespace will try to detect the
 	    shared / mount point and make the polyinstantiated directories
 	    private automatically. This option has to be used just when
 	    only a subtree is shared and / is not.
           </para>
+          <para>
+	    Note that mounts and unmounts done in the private namespace will not
+	    affect the parent namespace if this option is used or when the
+	    shared / mount point is autodetected.
+          </para>
         </listitem>
       </varlistentry>