From 4740367330b1e0c0f7bcd65a8c00d67582ddda5d Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Thu, 21 Mar 2024 11:31:37 +0100
Subject: [PATCH] util: use private propagation with bind when the "bind" option is used, do not use the "rprivate" propagation as it would inhibit the effect of "bind", instead default to "private".
Closes: https://github.com/containers/podman/issues/22107
Signed-off-by: Giuseppe Scrivano
---
 pkg/util/mount_opts.go | 13 +++++++++++--
 pkg/util/utils_test.go | 6 ++++++
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/pkg/util/mount_opts.go b/pkg/util/mount_opts.go
index ab6dbf9551..c9a773093e 100644
--- a/pkg/util/mount_opts.go
+++ b/pkg/util/mount_opts.go
@@ -37,6 +37,8 @@ func processOptionsInternal(options []string, isTmpfs bool, sourcePath string, g
 foundWrite, foundSize, foundProp, foundMode, foundExec, foundSuid, foundDev, foundCopyUp, foundBind, foundZ, foundU, foundOverlay, foundIdmap, foundCopy, foundNoSwap, foundNoDereference bool
 )
 
+ recursiveBind := true
+
 newOptions := make([]string, 0, len(options))
 for _, opt := range options {
 // Some options have parameters - size, mode
@@ -159,7 +161,10 @@ func processOptionsInternal(options []string, isTmpfs bool, sourcePath string, g
 return nil, fmt.Errorf("the 'no-dereference' option can only be set once: %w", ErrDupeMntOption)
 }
 foundNoDereference = true
- case define.TypeBind, "rbind":
+ case define.TypeBind:
+ recursiveBind = false
+ fallthrough
+ case "rbind":
 if isTmpfs {
 return nil, fmt.Errorf("the 'bind' and 'rbind' options are not allowed with tmpfs mounts: %w", ErrBadMntOption)
 }
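Review bot: The reason `bind` clears `recursiveBind` is not stated where it happens in the `case define.TypeBind:` arm, and the `fallthrough` makes the arm easy to misread as a plain alias of `rbind`. A comment above `recursiveBind = false`, such as `// "bind" is non-recursive, so the default propagation must be "private" rather than "rprivate"`, would keep the intent next to the code. The declaration `recursiveBind := true` in the first hunk would benefit from a one-line comment saying that it only selects the default propagation and stays true when neither option is given. The body of the `rbind` case continues past the end of the hunk.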
@@ -190,7 +195,11 @@ func processOptionsInternal(options []string, isTmpfs bool, sourcePath string, g
 newOptions = append(newOptions, "rw")
 }
 if !foundProp {
- newOptions = append(newOptions, "rprivate")
+ if recursiveBind {
+ newOptions = append(newOptions, "rprivate")
+ } else {
+ newOptions = append(newOptions, "private")
+ }
 }
 defaults, err := getDefaultMountOptions(sourcePath)
 if err != nil {
diff --git a/pkg/util/utils_test.go b/pkg/util/utils_test.go
index dbe7822d38..efc256e484 100644
--- a/pkg/util/utils_test.go
+++ b/pkg/util/utils_test.go
@@ -742,6 +742,12 @@ func TestProcessOptions(t *testing.T) {
 sourcePath: "/path/to/source",
 expected: []string{"nodev", "nosuid", "rbind", "rprivate", "rw"},
 },
+ {
+ name: "default bind mount with bind",
+ sourcePath: "/path/to/source",
+ options: []string{"bind"},
+ expected: []string{"nodev", "nosuid", "bind", "private", "rw"},
+ },
 }
 
 for _, tt := range tests {
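Review bot: The new `private` default only takes effect inside `if !foundProp`, so `bind` combined with an explicit recursive propagation option (for example `rprivate` or `rslave`) still passes that option through unchanged. If, as the commit message says, recursive propagation inhibits the effect of `bind`, that combination presumably still produces a recursive mount; the propagation-option handling is outside this hunk, so this is inferred rather than seen. Either reject the combination with `ErrBadMntOption`, or state the rule at this branch with a comment such as `// an explicit propagation option is honoured as given; only the default depends on bind vs rbind`. Operators who rely on `bind` to keep host submounts out of a container should be able to tell which behaviour they get.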
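Review bot: The added table entry pins only `bind` with no other option. Neither an explicit `rbind` (which should keep `rprivate`) nor `bind` together with an explicit propagation option is covered, so a regression in the `fallthrough` arm or in the `foundProp` branch would go unnoticed. An entry with `options: []string{"rbind"}`, expecting the same list as the case just above (`"nodev", "nosuid", "rbind", "rprivate", "rw"`), would close the first gap. The test table and the loop that runs it continue outside the hunk.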