namespace-util: set mounts back to MS_SHARED in detach_mount_namespace()

For nspawn and services we first turn off two-way propagation of mounts
from host to sandbox via MS_SLAVE, and then set MS_SHARED again, so that
we create a new mount prop peer group again, and that we provide
behaviour similar to what we provide on the host further down the tree.

Let's do the same in detach_mount_namespace(), which we use for the
temporary mounts in the implementation of --image= in various tools.

This doesn't fix any immediate issue, but ensures we expose somewhat
systematic behaviour: whenever we detach mount namespaces we always set
things back to MS_SLAVE in the child.

src/basic/namespace-util.c

@@ -190,13 +190,20 @@ int fd_is_ns(int fd, unsigned long nsflag) {
 }
 
 int detach_mount_namespace(void) {
-
-        /* Detaches the mount namespace, disabling propagation from our namespace to the host */
+        /* Detaches the mount namespace, disabling propagation from our namespace to the host. Sets
+         * propagation first to MS_SLAVE for all mounts (disabling propagation), and then back to MS_SHARED
+         * (so that we create a new peer group).  */
 
         if (unshare(CLONE_NEWNS) < 0)
-                return -errno;
+                return log_debug_errno(errno, "Failed to acquire mount namespace: %m");
 
-        return RET_NERRNO(mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL));
+        if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0)
+                return log_debug_errno(errno, "Failed to set mount propagation to MS_SLAVE for all mounts: %m");
+
+        if (mount(NULL, "/", NULL, MS_SHARED | MS_REC, NULL) < 0)
+                return log_debug_errno(errno, "Failed to set mount propagation back to MS_SHARED for all mounts: %m");
+
+        return 0;
 }
 
 int userns_acquire(const char *uid_map, const char *gid_map) {