# shellcheck source=test/units/util.sh
. "$(dirname "$0")"/util.sh
+# IMPORTANT: For /proc/ to be remounted in pid namespace within an unprivileged user namespace, there needs to
+# be at least 1 unmasked procfs mount in ANY directory. Otherwise, if /proc/ is masked (e.g. /proc/scsi is
+# over-mounted with tmpfs), then mounting a new /proc/ will fail.
+#
+# Thus, to guarantee PrivatePIDs=yes tests for unprivileged users pass, we mount a new procfs on a temporary
+# directory with no masking. This will guarantee an unprivileged user can mount a new /proc/ successfully.
+mkdir -p /tmp/TEST-07-PID1-delegate-namespaces-proc
+mount -t proc proc /tmp/TEST-07-PID1-delegate-namespaces-proc
+
+at_exit() {
+ umount /tmp/TEST-07-PID1-delegate-namespaces-proc
+ rm -rf /tmp/TEST-07-PID1-delegate-namespaces-proc
+}
+
+trap at_exit EXIT
+
testcase_mount() {
(! systemd-run -p PrivateUsersEx=self -p PrivateMounts=yes --wait --pipe -- mount --bind /usr /home)
systemd-run -p PrivateUsersEx=self -p PrivateMounts=yes -p DelegateNamespaces=mnt --wait --pipe -- mount --bind /usr /home
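Review bot: The unmasked procfs is mounted on a fixed, predictable name under /tmp. `mkdir -p` succeeds silently if that path already exists (including as a symlink to a directory), so the mount could land on something this script did not create; creating the directory with `mktemp -d` avoids that. In `at_exit`, `rm -rf` still runs when `umount` fails and would then recurse into a live procfs; chaining `umount` with `rmdir` removes only an empty, unmounted directory. The trap is registered after the mount, so if the mount fails and the script aborts (assuming errexit is set outside this hunk) the directory is left behind. `testcase_mount` continues outside the hunk and is not covered here.

```shell
# … unchanged: comment explaining why an unmasked procfs mount is needed …
PROC_TMP="$(mktemp -d /tmp/TEST-07-PID1-delegate-namespaces-proc.XXXXXX)"
mount -t proc proc "$PROC_TMP"

at_exit() {
    # rmdir, not rm -rf: if umount fails, never recurse into a mounted procfs
    umount "$PROC_TMP" && rmdir "$PROC_TMP"
}
# … unchanged: trap at_exit EXIT …
```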