Skip new mount namespace on -k.

When using -k and entering an existing namespace (-V), we don't want to
create yet another namespace. This is implicit behaviour that can be
confusing.

Bug: chromium:1038925
Test: tast run <IP> security.Minijail* passes on eve.
Change-Id: I27a4d0c1b83645295c8d36473fcb860da041c8bf
diff --git a/libminijail.c b/libminijail.c
index 8531c76..d9e8e3c 100644
--- a/libminijail.c
+++ b/libminijail.c
@@ -832,10 +832,14 @@
m->flags = flags;
/*
- * Force vfs namespacing so the mounts don't leak out into the
- * containing vfs namespace.
+ * Unless asked to enter an existing namespace, force vfs namespacing
+ * so the mounts don't leak out into the containing vfs namespace.
+ * If Minijail is being asked to enter the root vfs namespace this will
+ * leak mounts, but it's unlikely that the user would ask to do that by
+ * mistake.
*/
- minijail_namespace_vfs(j);
+ if (!j->flags.enter_vfs)
+ minijail_namespace_vfs(j);
if (j->mounts_tail)
j->mounts_tail->next = m;
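
Review bot: The `if (!j->flags.enter_vfs)` check is evaluated at the moment the mount is added, so the outcome depends on call order. A caller that adds a mount first and only afterwards asks to enter an existing namespace has already gone through `minijail_namespace_vfs(j)` and still gets a new mount namespace, which is the implicit behaviour the commit message wants to remove. Consider making this decision at the point where the jail is actually entered, or at least stating the ordering requirement in the comment and in the public API documentation. The new comment also accepts that mounts leak when the entered namespace is the root vfs namespace; because that happens silently, a warning logged when a mount is added with `enter_vfs` set would make the leak visible to the caller. A unit test covering a mount added with and without `enter_vfs` set would pin the new behaviour down alongside the tast run.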