fix rootfs propagation mode

Signed-off-by: Yusuke Sakurai <yusuke.sakurai@3-shake.com>

libcontainer/rootfs_linux.go

@@ -215,6 +215,18 @@ func prepareRootfs(pipe *syncSocket, iConfig *initConfig) (err error) {
 		return fmt.Errorf("error jailing process inside rootfs: %w", err)
 	}
 
+	// Apply root mount propagation flags.
+	// This must be done after pivot_root/chroot because the mount propagation flag is applied
+	// to the current root ("/"), and not to the old rootfs before it becomes "/". Applying the
+	// flag in prepareRoot would affect the host mount namespace if the container's
+	// root mount is shared.
+	// MS_PRIVATE is skipped as rootfsParentMountPrivate() is already called.
+	if config.RootPropagation != 0 && config.RootPropagation&unix.MS_PRIVATE == 0 {
+		if err := mount("", "/", "", uintptr(config.RootPropagation), ""); err != nil {
+			return fmt.Errorf("unable to apply root propagation flags: %w", err)
+		}
+	}
+
 	if setupDev {
 		if err := reOpenDevNull(); err != nil {
 			return fmt.Errorf("error reopening /dev/null inside container: %w", err)

tests/integration/mounts_propagation.bats

@@ -0,0 +1,22 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function setup() {
+	requires root
+	setup_debian
+}
+
+function teardown() {
+	teardown_bundle
+}
+
+@test "runc run [rootfsPropagation shared]" {
+	update_config ' .linux.rootfsPropagation = "shared" '
+
+	update_config ' .process.args = ["findmnt", "--noheadings", "-o", "PROPAGATION", "/"] '
+
+	runc run test_shared_rootfs
+	[ "$status" -eq 0 ]
+	[ "$output" = "shared" ]
+}