From bc5b38218a73c12b04045cbcb9b2e713b90bfc33 Mon Sep 17 00:00:00 2001
From: Duncaen <mail@duncano.de>
Date: Tue, 20 Sep 2016 01:26:33 +0200
Subject: [PATCH 1/2] bin/xbps-uchroot: call clone only once if its successful

---
 bin/xbps-uchroot/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/xbps-uchroot/main.c b/bin/xbps-uchroot/main.c
index d2008ba4..dd64333e 100644
--- a/bin/xbps-uchroot/main.c
+++ b/bin/xbps-uchroot/main.c
@@ -349,7 +349,7 @@ main(int argc, char **argv)
 	container_flags = clone_flags & ~(CLONE_NEWNS|CLONE_NEWIPC|CLONE_NEWUTS|CLONE_NEWPID);
 
 	/* Issue the clone(2) syscall with our settings */
-	if ((child = syscall(__NR_clone, clone_flags, NULL)) == -1 ||
+	if ((child = syscall(__NR_clone, clone_flags, NULL)) == -1 &&
 			(child = syscall(__NR_clone, container_flags, NULL)) == -1)
 		die("clone");
 

From 414256292a691f147c39087574b5eb09d598136c Mon Sep 17 00:00:00 2001
From: Duncaen <mail@duncano.de>
Date: Tue, 20 Sep 2016 17:45:56 +0200
Subject: [PATCH 2/2] bin/xbps-uchroot: mount / as private

---
 bin/xbps-uchroot/main.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/bin/xbps-uchroot/main.c b/bin/xbps-uchroot/main.c
index dd64333e..412bb72b 100644
--- a/bin/xbps-uchroot/main.c
+++ b/bin/xbps-uchroot/main.c
@@ -364,6 +364,13 @@ main(int argc, char **argv)
 			SECBIT_NOROOT|SECBIT_NOROOT_LOCKED) == -1) {
 			die("prctl SECBIT_NOROOT");
 		}
+
+		/* mount as private, systemd mounts it as shared by default */
+		if (mount(NULL, "/", "none", MS_PRIVATE|MS_REC, NULL) == -1)
+			die("Failed to mount / private");
+		if (mount(NULL, "/", "none", MS_PRIVATE|MS_REMOUNT|MS_NOSUID, NULL) == -1)
+			die("Failed to remount /");
+
 		/* setup our overlayfs if set */
 		if (overlayfs)
 			chrootdir = setup_overlayfs(chrootdir, ruid, rgid,