core/namespace: ensure private tmpfs is mounted earlier

And drop spurious assertion.

Fortunately, the previous logic worked, as /run/systemd/unit-private-tmp
is ordered earlier than /tmp or /var/tmp. But, let's ensure the tmpfs
mounted earlier to make the logic clearer.

Follow-up for 0e551b04efb911d38b586cca1a6a462c87a2cb1b.

diff --git a/src/core/namespace.c b/src/core/namespace.c
index 615eb9860e8f1385a8db685363cc3c106b156f03..0a1d20b5bb17c37b245df03b4eb002e80cc43b81 100644 (file)
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -752,6 +752,11 @@ static int mount_path_compare(const MountEntry *a, const MountEntry *b) {
         if (d != 0)
                 return d;
 
+        /* MOUNT_PRIVATE_TMPFS needs to be set up earlier, especially than MOUNT_BIND. */
+        d = -CMP(a->mode == MOUNT_PRIVATE_TMPFS, b->mode == MOUNT_PRIVATE_TMPFS);
+        if (d != 0)
+                return d;
+
         /* If the paths are not equal, then order prefixes first */
         d = path_compare(mount_entry_path(a), mount_entry_path(b));
         if (d != 0)
@@ -2309,9 +2314,6 @@ int setup_namespace(const NamespaceParameters *p, char **error_path) {
                         .source_dir_mode = 01777,
                         .create_source_dir = true,
                 };
-
-                /* Ensure that the tmpfs is mounted first, and bind mounts are added later. */
-                assert_cc(MOUNT_BIND < MOUNT_PRIVATE_TMPFS);
         } else {
                 if (p->tmp_dir) {
                         bool ro = streq(p->tmp_dir, RUN_SYSTEMD_EMPTY);