From 6bb65864589fbd720622cbd795763d108999a366 Mon Sep 17 00:00:00 2001
From: Vincent Batts
Date: Tue, 20 Jan 2015 15:17:41 -0500
Subject: [PATCH] contrib/sysvinit-redhat: unshare mount namespace

unshare the mount namespace of the docker daemon to avoid other pids outside the daemon holding mount references of docker containers.

Signed-off-by: Vincent Batts
---
 contrib/init/sysvinit-redhat/docker | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/contrib/init/sysvinit-redhat/docker b/contrib/init/sysvinit-redhat/docker
index eadf02c75c..1994d6b31e 100755
--- a/contrib/init/sysvinit-redhat/docker
+++ b/contrib/init/sysvinit-redhat/docker
@@ -23,6 +23,7 @@
 . /etc/rc.d/init.d/functions

 prog="docker"
+unshare=/usr/bin/unshare
 exec="/usr/bin/$prog"
 pidfile="/var/run/$prog.pid"
 lockfile="/var/lock/subsys/$prog"
@@ -46,7 +47,7 @@ start() {
 prestart
 printf "Starting $prog:\t"
 echo "\n$(date)\n" >> $logfile
-$exec -d $other_args &>> $logfile &
+"$unshare" -m -- $exec -d $other_args &>> $logfile &
 pid=$!
 touch $lockfile
 # wait up to 10 seconds for the pidfile to exist. see
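Review bot: The new `unshare=/usr/bin/unshare` assignment has no comment, so the reason the daemon is wrapped lives only in the commit message. A line above it such as `# run the daemon in its own mount namespace so other processes cannot pin container mounts` would keep that intent in the script. The same comment could note that container mounts will no longer appear in the host's mount table, so operators and monitoring have to read the daemon's own `/proc/<pid>/mountinfo` instead.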
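Review bot: Nothing visible in this hunk verifies that `$unshare` is executable before the daemon is launched through it. If the binary is missing, the backgrounded command fails with its error going only to `$logfile`, while the script still runs `touch $lockfile` and waits for a pidfile that never appears. A guard such as `[ -x "$unshare" ] || exit 5` before the launch line would fail fast. `start()` begins above the hunk and continues below it, so any existing check on `$exec` is not visible here. Separately, whether `-m` alone achieves the isolation depends on mount propagation: if the relevant mounts are shared and the installed `unshare` does not reset propagation, container mounts may still propagate back to the parent namespace, so confirm this on the target release.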