From: Yu Watanabe
Date: Wed, 19 Jun 2024 16:33:51 +0000 (+0900)
Subject: core/namespace: ensure private tmpfs is mounted earlier
X-Git-Tag: v257-rc1~1094
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7fef19963d40425666bdf1a7ef6120e7d35073ac;p=thirdparty%2Fsystemd.git
core/namespace: ensure private tmpfs is mounted earlier
And drop spurious assertion. Fortunately, the previous logic worked, as /run/systemd/unit-private-tmp is ordered earlier than /tmp or /var/tmp. But, let's ensure the tmpfs mounted earlier to make the logic clearer. Follow-up for 0e551b04efb911d38b586cca1a6a462c87a2cb1b.
---
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 615eb9860e8..0a1d20b5bb1 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -752,6 +752,11 @@ static int mount_path_compare(const MountEntry *a, const MountEntry *b) {
 if (d != 0)
 return d;
 
+ /* MOUNT_PRIVATE_TMPFS needs to be set up earlier, especially than MOUNT_BIND. */
+ d = -CMP(a->mode == MOUNT_PRIVATE_TMPFS, b->mode == MOUNT_PRIVATE_TMPFS);
+ if (d != 0)
+ return d;
+
 /* If the paths are not equal, then order prefixes first */
 d = path_compare(mount_entry_path(a), mount_entry_path(b));
 if (d != 0)
@@ -2309,9 +2314,6 @@ int setup_namespace(const NamespaceParameters *p, char **error_path) {
 .source_dir_mode = 01777,
 .create_source_dir = true,
 };
-
- /* Ensure that the tmpfs is mounted first, and bind mounts are added later. */
- assert_cc(MOUNT_BIND < MOUNT_PRIVATE_TMPFS);
 } else {
 if (p->tmp_dir) {
 bool ro = streq(p->tmp_dir, RUN_SYSTEMD_EMPTY);
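Review bot: The new `MOUNT_PRIVATE_TMPFS` comparison in `mount_path_compare()` runs before `path_compare()`, so a private tmpfs entry now sorts ahead of every entry compared after this point, including one whose path is a prefix of the tmpfs mount point. If such a parent entry can occur, it would presumably be set up after the tmpfs and could cover the directory the later bind mounts rely on; that is not visible in this hunk, so the assumption is worth writing down. The added comment could read `/* MOUNT_PRIVATE_TMPFS must be set up before the MOUNT_BIND entries that depend on it, hence before the prefix ordering below; this assumes no other entry covers its mount point. */`. The comparator starts and ends outside the hunk, and with the `assert_cc()` removed in the `setup_namespace()` hunk this comparison appears to be the only place the ordering is expressed.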