From be39f6ee315e8935fc4999ffd3b072e358043714 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 29 Dec 2017 18:52:20 +0100
Subject: [PATCH] process-util: add new FORK_NEW_MOUNTNS flag to safe_fork()

That way we can move one more code location to use safe_fork()
---
 src/basic/process-util.c   |  5 ++++-
 src/basic/process-util.h   |  1 +
 src/shared/dissect-image.c | 14 +++-----------
 3 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/src/basic/process-util.c b/src/basic/process-util.c
index 69f1d1e7b4..d74813dada 100644
--- a/src/basic/process-util.c
+++ b/src/basic/process-util.c
@@ -1199,7 +1199,10 @@ int safe_fork_full(
                 if (sigprocmask(SIG_SETMASK, &ss, &saved_ss) < 0)
                         return log_full_errno(prio, errno, "Failed to set signal mask: %m");
 
-        pid = fork();
+        if (flags & FORK_NEW_MOUNTNS)
+                pid = raw_clone(SIGCHLD|CLONE_NEWNS);
+        else
+                pid = fork();
         if (pid < 0) {
                 r = -errno;
 
diff --git a/src/basic/process-util.h b/src/basic/process-util.h
index ba247a089d..fdb1790b2e 100644
--- a/src/basic/process-util.h
+++ b/src/basic/process-util.h
@@ -168,6 +168,7 @@ typedef enum ForkFlags {
         FORK_REOPEN_LOG    = 1U << 4,
         FORK_LOG           = 1U << 5,
         FORK_WAIT          = 1U << 6,
+        FORK_NEW_MOUNTNS   = 1U << 7,
 } ForkFlags;
 
 int safe_fork_full(const char *name, const int except_fds[], size_t n_except_fds, ForkFlags flags, pid_t *ret_pid);
diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index 05a9f37da3..35b2c56555 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -1259,18 +1259,10 @@ int dissected_image_acquire_metadata(DissectedImage *m) {
         if (r < 0)
                 goto finish;
 
-        child = raw_clone(SIGCHLD|CLONE_NEWNS);
-        if (child < 0) {
-                r = -errno;
+        r = safe_fork("(sd-dissect)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_NEW_MOUNTNS, &child);
+        if (r < 0)
                 goto finish;
-        }
-
-        if (child == 0) {
-
-                (void) reset_all_signal_handlers();
-                (void) reset_signal_mask();
-                assert_se(prctl(PR_SET_PDEATHSIG, SIGTERM) == 0);
-
+        if (r == 0) {
                 /* Make sure we never propagate to the host */
                 if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0)
                         _exit(EXIT_FAILURE);