cmd/snap-update-ns: detach all bind-mounted files

When a mount namespace update, coupled with the robust mount namespace
update option, occurs, a mount namespace is torn down and re-constructed,
at least to the extent possible with snap-update-ns and the mount
profiles.

During the tear-down operation, snap-update-ns computes a set of mount
changes to perform, based on the currently applied mount profile. Those
actions are, in general, the "undo" of the profile, so when something is
mounted, it gets unmounted during the undo process.

Some things are handled specially, as we've learned over time that the
extreme popularity of layouts and content has allowed for interesting
interactions that were not originally envisioned when designing the
mount/layout system. One such realization was that we can and should
detach bind-mounted directories as they can internally hold other mount
points due to how mount events propagate.

Today we realized that we need to detach bind-mounted files as well, as
a file that is open via file descriptor _or_ mapped as a section into a
process by the dynamic linker, can keep a file busy. In effect a file
that is busy this way cannot be unmounted.

There's an interesting interaction between layouts and content
connections. When a snap application, for example a service, is running
while a content snap connection is established, the mount namespace may
not tear down correctly when such a service (or any application really)
keeps a file open either via linker mapping or via an open file
descriptor.

Fixes: https://bugs.launchpad.net/snapd/+bug/1891371
Signed-off-by: Zygmunt Krynicki <email address hidden>