From 49a72e53b8da3d11ada2b5738651b23538cc15bc Mon Sep 17 00:00:00 2001 From: Sargun Dhillon Date: Mon, 30 Apr 2018 09:52:40 -0700 Subject: [PATCH] Add tini unshare --- src/tini.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/tini.c b/src/tini.c index 1908870..1434fb9 100644 --- a/src/tini.c +++ b/src/tini.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include @@ -32,6 +33,7 @@ #define TITUS_CB_PATH "TITUS_UNIX_CB_PATH" #define TITUS_CONFIRM "TITUS_CONFIRM" #define TINI_HANDOFF "TINI_HANDOFF" +#define TINI_UNSHARE "TINI_UNSHARE" const char stdioattr[] = "user.stdio"; @@ -169,6 +171,7 @@ int do_execvp(char* const argv[], int new_stdout_fd, int new_stderr_fd, const si unsetenv(TITUS_CB_PATH); unsetenv(TITUS_CONFIRM); unsetenv(TINI_HANDOFF); + unsetenv(TINI_UNSHARE); execvp(argv[0], argv); @@ -219,6 +222,16 @@ int spawn(const signal_configuration_t* const sigconf_ptr, char* const argv[], i return 1; } } + + // Should unshare happen here, or in do_execvp / the child? + if (getenv(TINI_UNSHARE)) { + if (unshare(CLONE_NEWCGROUP)) { + PRINT_FATAL("Unable to unshare new cgroup namespace: %s", strerror(errno)); + return 1; + } + } + + if (getenv(TINI_HANDOFF)) return do_execvp(argv, new_stdout_fd, new_stderr_fd, sigconf_ptr);
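Review bot: The `unshare(CLONE_NEWCGROUP)` call added to `spawn` runs in tini's own process before the `TINI_HANDOFF` check, and the comment above it leaves that placement as an open question rather than a recorded decision. A cgroup namespace is rooted at whatever cgroup the caller is in at the moment of the call, so this hides the host cgroup path only if the runtime has already moved tini into its final cgroup, and a cgroup filesystem mounted earlier keeps showing the old hierarchy until it is remounted. I would replace the question with the decision and its precondition, e.g. `// Unshare before fork/handoff so the workload never sees the host cgroup path; tini must already be in its final cgroup.` The gate `getenv(TINI_UNSHARE)` is a presence test, so `TINI_UNSHARE=0` or an empty value still enables the unshare; this matches the `TINI_HANDOFF` check but should be documented where the variable is defined. `spawn` starts and ends outside this hunk, so the fork path and tini's remaining work in the new namespace are not visible here.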