
Add an option to use private (instead of slave) propagation for bind mounts.

Open ChrysoliteAzalea opened this issue 3 years ago • 3 comments

Hello everyone! I propose using private propagation instead of slave propagation for bind mounts (this is optional and enabled by the --private option). It can theoretically enhance sandbox security, as bind-mounting protected paths inside accessible paths won't expose anything to the sandbox.

ChrysoliteAzalea avatar Jul 24 '22 18:07 ChrysoliteAzalea

Manpage and shell completion missing.

The manpage should also explain consequences like busy removable media.

Done.

ChrysoliteAzalea avatar Jul 25 '22 08:07 ChrysoliteAzalea

It can theoretically enhance sandbox security as bind-mounting protected paths inside accessible paths won't expose anything to the sandbox

It can also make sandbox security worse, by having files that you thought you had unmounted (outside the sandbox) remain accessible inside the sandbox, or by having files that you thought you had hidden (by mounting something else over them) remain visible inside the sandbox.

smcv avatar Jul 25 '22 13:07 smcv

I don't think we can allow this in situations where bwrap is privileged (setuid root), because it would give users the ability to do something that the sysadmin thought they had prevented:

  • sysadmin or OS mounts a device, let's say /run/media/usb_backup_drive
  • unprivileged user uses the setuid bwrap to create a mount namespace with private propagation
  • sysadmin unmounts /run/media/usb_backup_drive
  • unprivileged user can still access /run/media/usb_backup_drive/... using programs running in their private mount namespace

smcv avatar Jul 25 '22 13:07 smcv
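A way to check which behaviour a sandbox actually got is to read the propagation flags from /proc/self/mountinfo: a slave mount carries a "master:N" optional field (host unmounts propagate in, which is bwrap's default), while a private one carries no propagation field at all. The helper below is an added example, not bubblewrap's own code; the mountinfo lines it parses are constructed to mirror smcv's scenario above.

```shell
#!/bin/sh
# Classify the propagation type of one mount point from a mountinfo listing.
# Usage: propagation_of <mountpoint> [mountinfo-file]  (default: /proc/self/mountinfo)
# Prints one of: shared, slave, shared-slave, private, unbindable.
# Exits 1 if the mount point is not present in the listing.
propagation_of() {
    awk -v mp="$1" '
        # mountinfo fields: id parent maj:min root mountpoint opts [optional...] - fstype src superopts
        $5 == mp {
            shared = 0; slave = 0; unbind = 0
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/)      shared = 1
                else if ($i ~ /^master:/) slave = 1
                else if ($i == "unbindable") unbind = 1
            }
            if (unbind)                type = "unbindable"
            else if (shared && slave)  type = "shared-slave"
            else if (shared)           type = "shared"
            else if (slave)            type = "slave"
            else                       type = "private"
            print type
            found = 1
            exit
        }
        END { if (!found) exit 1 }
    ' "${2:-/proc/self/mountinfo}"
}

# Constructed sample: what a sandbox with bwrap's default (slave) propagation
# might see. The USB drive is a slave of host peer group 1, so a host unmount
# still propagates in; /tmp/sandbox has no propagation field, i.e. private.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 8:17 / /run/media/usb_backup_drive rw,nosuid master:1 - vfat /dev/sdb1 rw
55 22 0:36 / /tmp/sandbox rw,relatime - tmpfs tmpfs rw
EOF

# Demo against the constructed listing.
for mp in / /run/media/usb_backup_drive /tmp/sandbox; do
    printf '%-32s %s\n' "$mp" "$(propagation_of "$mp" "$SAMPLE_FILE")"
done
```

Run `propagation_of /run/media/usb_backup_drive` with no second argument from inside a running sandbox to inspect the live namespace; "slave" means host unmounts will still take effect there, "private" means they will not.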