buildFhsUserenv: don't leak mounts to other processes

If run as root we were leaking mounts to the parent namespace,
which lead to an error when removing the temporary mountroot.
To fix this we remount the whole tree as private as soon as we created
the new mountenamespace.

pkgs/build-support/build-fhs-userenv/chrootenv/chrootenv.c

@@ -43,7 +43,6 @@ const gchar *create_tmpdir() {
 void pivot_host(const gchar *guest) {
   g_autofree gchar *point = g_build_filename(guest, "host", NULL);
   fail_if(g_mkdir(point, 0755));
-  fail_if(mount(0, "/", 0, MS_PRIVATE | MS_REC, 0));
   fail_if(pivot_root(guest, point));
 }
 
@@ -122,6 +121,9 @@ int main(gint argc, gchar **argv) {
       fail("unshare", unshare_errno);
     }
 
+    // hide all mounts we do from the parent
+    fail_if(mount(0, "/", 0, MS_PRIVATE | MS_REC, 0));
+
     if (uid != 0) {
       spit("/proc/self/setgroups", "deny");
       spit("/proc/self/uid_map", "%d %d 1", uid, uid);