authorLennart Poettering <lennart@poettering.net>2023-05-04 12:06:10 +0200
committerLennart Poettering <lennart@poettering.net>2023-05-04 12:10:06 +0200
commit3aaa376342eafa5f5ab4d289a657d22be562d33f (patch)
treefead53bc18d38286b5729aaf884d8dbdb5fdeb1a /src/core
parent21dd1de659935c829a3776b6772f803c2eb4eae3 (diff)
execute: remove credentials dir again when empty
This is closely related to the previous commit: if the credentials dir is empty and nothing is mounted on it, let's remove it again. This will in particular happen if we decided not to actually install the mount we prepared for the credentials because it is empty. In that case the mount point inode is already there, and with this we'll remove it. Primary effect: users will see ENOENT rather than EACCES when trying to access it, which should be preferable, given we already handle that nicely in our credential consumption code. This should also be useful on systems where we lack any privs to create mounts, and thus operate on a regular dir anyway.
Diffstat (limited to 'src/core')
-rw-r--r--src/core/execute.c5
-rw-r--r--src/core/namespace.c1
2 files changed, 6 insertions, 0 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index b803edb145..04dcf4b427 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3423,6 +3423,11 @@ static int setup_credentials(
_exit(EXIT_FAILURE);
}
+ /* If the credentials dir is empty and not a mount point, then there's no point in having it. Let's
+ * try to remove it. This matters in particular if we created the dir as mount point but then didn't
+ * actually end up mounting anything on it. In that case we'd rather have ENOENT than EACCESS being
+ * seen by users when trying access this inode. */
+ (void) rmdir(p);
return 0;
}
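Review bot: The `(void) rmdir(p);` discards every error, so the "empty and not a mount point" condition stated in the comment is enforced only by rmdir's own ENOTEMPTY/EBUSY failures, and any other failure (e.g. a permission problem on the parent directory) leaves a stale, possibly world-inaccessible directory behind without a trace in the logs. Consider keeping the best-effort semantics but surfacing the unexpected cases at debug level, `if (rmdir(p) < 0 && !IN_SET(errno, ENOTEMPTY, EBUSY, ENOENT)) log_debug_errno(errno, "Failed to remove credentials directory '%s', ignoring: %m", p);`, and extending the comment with `/* rmdir() fails with ENOTEMPTY or EBUSY if the dir is non-empty or a mount point, which is exactly the "keep it" case. */`. The comment also spells the errno as `EACCESS`; the value is `EACCES`. setup_credentials() begins outside the hunk, so whether `p` is already the final credentials path at this point is inferred from the commit message rather than visible here.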
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 1d19685d2e..2fcc096217 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -2385,6 +2385,7 @@ int setup_namespace(
.mode = BIND_MOUNT,
.read_only = true,
.source_const = creds_path,
+ .ignore = true,
};
} else {
/* If our service has no credentials store configured, then make the whole
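Review bot: The added `.ignore = true,` turns a missing credentials source from a fatal namespace-setup error into a silently skipped bind mount, and the read-only protection of that mount goes with it, but nothing at the site says this is intentional or what the service then observes. A one-line comment next to the field would prevent a future reader from "fixing" it back: `/* Not fatal if the source is absent: an empty credentials store means no mount at all, and setup_credentials() removes the empty dir so the service sees ENOENT. */`. That the skipped mount is paired with the rmdir in execute.c is taken from the commit description rather than from the hunk, so verify the wording against setup_credentials() before committing it. setup_namespace() starts before and continues after this hunk.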