namespace: create base-filesystem directories if RootImage= or RootDirectory= are set

When a service is started with its own file system image, always try to
create the base-filesystem directories that are needed. This implicitly
covers the directories handled by MountAPIVFS= {/proc|/sys|/dev}.

Mount protections or MountAPIVFS= mounts were never applied if we
changed the root directory and the related paths were not present under
the new root. The mounts were silently. Fix this by creating those
directories if they are missing.

Closes https://github.com/systemd/systemd/issues/5488

diff --git a/src/core/namespace.c b/src/core/namespace.c
index 4f29217bc4a342e8cf56b4e6dd7f478078b6f681..673b8364895a15ad38ddce7d4325e9ef213237f4 100644 (file)
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -27,6 +27,7 @@
 #include <linux/fs.h>
 
 #include "alloc-util.h"
+#include "base-filesystem.h"
 #include "dev-setup.h"
 #include "fd-util.h"
 #include "fs-util.h"
@@ -1044,6 +1045,10 @@ int setup_namespace(
                 }
         }
 
+        /* Try to set up the new root directory before mounting anything there */
+        if (root_directory)
+                (void) base_filesystem_create(root_directory, UID_INVALID, GID_INVALID);
+
         if (root_image) {
                 r = dissected_image_mount(dissected_image, root_directory, dissect_image_flags);
                 if (r < 0)

diff --git a/src/shared/base-filesystem.c b/src/shared/base-filesystem.c
index 127cbe44e38744bfd85e9f648724a9bb3de7d3de..5cbb2ec3dd1f806f19aac35981d8da9af91ba065 100644 (file)
--- a/src/shared/base-filesystem.c
+++ b/src/shared/base-filesystem.c
@@ -51,6 +51,9 @@ static const BaseFilesystem table[] = {
         { "usr",   0755, NULL,                         NULL },
         { "var",   0755, NULL,                         NULL },
         { "etc",   0755, NULL,                         NULL },
+        { "proc",  0755, NULL,                         NULL, true },
+        { "sys",   0755, NULL,                         NULL, true },
+        { "dev",   0755, NULL,                         NULL, true },
 #if defined(__i386__) || defined(__x86_64__)
         { "lib64",    0, "usr/lib/x86_64-linux-gnu\0"
                          "usr/lib64\0",                "ld-linux-x86-64.so.2" },