namespace: introduce a common dir in /run/ that we can use to see new root fs up on

This creates a new dir /run/systemd/mount-rootfs/ early in PID 1 that
thus always exists. It's supposed to be used by any code that creates
its own mount namespace and then sets up a new root dir to switch into.
So far in many cases we used a temporary dir (which needed explicit
clean-up) or a purpose-specific fixed dir.

Let's create a common dir instead, that always exists (as it is created
in PID 1 early on, always).

Besides making things more robust, as manual clean-up of the inode is
not necessary anymore this also opens the door for unprivileged programs
to use the same dir, since it now always exists.

Set the access mode to 555 (instead of the otherwise previously used
0755, 0700 or similar), so that unprivileged programs can access it, but
we make clear it's not supposed to be written directly to, by anyone,
not even root.

1 files changed, 5 insertions, 0 deletions

diff --git a/src/shared/mount-setup.c b/src/shared/mount-setup.c
index a920e8a92a..901c3cd777 100644
--- a/src/shared/mount-setup.c
+++ b/src/shared/mount-setup.c
@@ -554,6 +554,11 @@ int mount_setup(bool loaded_policy, bool leave_propagation) {
         (void) mkdir_label("/run/systemd", 0755);
         (void) mkdir_label("/run/systemd/system", 0755);
 
+        /* Make sure there's always a place where sandboxed environments can mount root file systems they are
+         * about to move into, even when unprivileged, without having to create a temporary one in /tmp/
+         * (which they then have to keep track of and clean) */
+        (void) mkdir_label("/run/systemd/mount-rootfs", 0555);
+
         /* Make sure we have a mount point to hide in sandboxes */
         (void) mkdir_label("/run/credentials", 0755);