namespace: create /dev, /proc, /sys when needed

We already create /dev implicitly if PrivateTmp=yes is on, if it is
missing. Do so too for the other two API VFS, as well as for /dev if
PrivateTmp=yes is off but MountAPIVFS=yes is on (i.e. when /dev is bind
mounted from the host).

diff --git a/src/core/namespace.c b/src/core/namespace.c
index 09eac6b..8511131 100644 (file)
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -618,6 +618,8 @@ static int mount_bind_dev(MountEntry *m) {
         /* Implements the little brother of mount_private_dev(): simply bind mounts the host's /dev into the service's
          * /dev. This is only used when RootDirectory= is set. */
 
+        (void) mkdir_p_label(mount_entry_path(m), 0755);
+
         r = path_is_mount_point(mount_entry_path(m), NULL, 0);
         if (r < 0)
                 return log_debug_errno(r, "Unable to determine whether /dev is already mounted: %m");
@@ -635,6 +637,8 @@ static int mount_sysfs(MountEntry *m) {
 
         assert(m);
 
+        (void) mkdir_p_label(mount_entry_path(m), 0755);
+
         r = path_is_mount_point(mount_entry_path(m), NULL, 0);
         if (r < 0)
                 return log_debug_errno(r, "Unable to determine whether /sys is already mounted: %m");
@@ -653,6 +657,8 @@ static int mount_procfs(MountEntry *m) {
 
         assert(m);
 
+        (void) mkdir_p_label(mount_entry_path(m), 0755);
+
         r = path_is_mount_point(mount_entry_path(m), NULL, 0);
         if (r < 0)
                 return log_debug_errno(r, "Unable to determine whether /proc is already mounted: %m");