diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go
index 3d20ccb689..ab97f80aea 100644
--- a/internal/volumes/volumes.go
+++ b/internal/volumes/volumes.go
@@ -104,6 +104,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
 if !hasArgValue {
 return newMount, "", fmt.Errorf("%v: %w", argName, errBadOptionArg)
 }
+ switch argValue {
+ default:
+ return newMount, "", fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
+ case "shared", "rshared", "private", "rprivate", "slave", "rslave":
+ // this should be the relevant parts of the same list of options we accepted above
+ }
 newMount.Options = append(newMount.Options, argValue)
 case "src", "source":
 if !hasArgValue {
@@ -276,6 +282,12 @@ func GetCacheMount(args []string, _ storage.Store, _ string, additionalMountPoin
 if !hasArgValue {
 return newMount, nil, fmt.Errorf("%v: %w", argName, errBadOptionArg)
 }
+ switch argValue {
+ default:
+ return newMount, nil, fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
+ case "shared", "rshared", "private", "rprivate", "slave", "rslave":
+ // this should be the relevant parts of the same list of options we accepted above
+ }
 newMount.Options = append(newMount.Options, argValue)
 case "id":
 if !hasArgValue {
diff --git a/tests/bud.bats b/tests/bud.bats
index 0a5c66ba34..76f7005a61 100644
--- a/tests/bud.bats
+++ b/tests/bud.bats
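Review bot: The six-value propagation allow-list is written out twice, once in the GetBindMount hunk and again in the GetCacheMount hunk, and each copy carries a comment pointing at a list "accepted above" that is not visible in either hunk. Because argValue is appended to newMount.Options immediately after the check, this list is what keeps an unrelated mount flag (the new tests use `suid`) from riding in through the bind-propagation key, so the two copies should not be able to drift apart. I would move the check into one helper that both call sites use, with the accepted values first and the rejection as the fall-through, as sketched below; if the option parser earlier in these functions holds the same list, it could presumably share the helper. Both functions begin and end outside the hunks shown.

```go
// validatePropagation rejects any bind-propagation value outside the accepted set.
func validatePropagation(argName, argValue string) error {
	switch argValue {
	case "shared", "rshared", "private", "rprivate", "slave", "rslave":
		return nil
	}
	return fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
}

// … unchanged: hasArgValue check …
// GetBindMount call site; GetCacheMount returns nil in place of "".
if err := validatePropagation(argName, argValue); err != nil {
	return newMount, "", err
}
newMount.Options = append(newMount.Options, argValue)
```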
@@ -6946,3 +6946,28 @@ _EOF
 run_buildah run testctr -- sh -c 'cd podman-tag && git ls-remote --tags origin v5.0.0^{} | cut -f1'
 assert "$output" = "$local_head_hash"
 }
+
+@test "build-validates-bind-bind-propagation" {
+ _prefetch alpine
+
+ cat > ${TEST_SCRATCH_DIR}/Containerfile << _EOF
+FROM alpine as base
+FROM alpine
+RUN --mount=type=bind,from=base,source=/,destination=/var/empty,rw,bind-propagation=suid pwd
+_EOF
+
+ run_buildah 125 build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR}
+ expect_output --substring "invalid mount option"
+}
+
+@test "build-validates-cache-bind-propagation" {
+ _prefetch alpine
+
+ cat > ${TEST_SCRATCH_DIR}/Containerfile << _EOF
+FROM alpine
+RUN --mount=type=cache,destination=/var/empty,rw,bind-propagation=suid pwd
+_EOF
+
+ run_buildah 125 build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR}
+ expect_output --substring "invalid mount option"
+}
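Review bot: Both new tests exercise only the rejection path (`bind-propagation=suid` exiting 125), so nothing in this hunk would catch a regression that rejects the accepted values as well. Unless that is already covered elsewhere in bud.bats, I would add a companion case per mount type that passes one allowed value and expects the build to succeed, for example `RUN --mount=type=bind,from=base,source=/,destination=/var/empty,rw,bind-propagation=rprivate pwd` followed by `run_buildah build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR}`. Whether the test environment permits that propagation mode is not visible from here and should be confirmed before choosing the value.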