namespace: unify limit behavior on non-directory paths

Despite the name, `Read{Write,Only}Directories=` already allows for
regular file paths to be masked. This commit adds the same behavior
to `InaccessibleDirectories=` and makes it explicit in the doc.
This patch introduces `/run/systemd/inaccessible/{reg,dir,chr,blk,fifo,sock}`
{dile,device}nodes and mounts on the appropriate one the paths specified
in `InacessibleDirectories=`.

Based on Luca's patch from https://github.com/systemd/systemd/pull/3327

2 files changed, 20 insertions, 0 deletions

diff --git a/src/basic/mount-util.c b/src/basic/mount-util.c
index 90b7a885a8..63dff3dd5c 100644
--- a/src/basic/mount-util.c
+++ b/src/basic/mount-util.c
@@ -532,3 +532,21 @@ int repeat_unmount(const char *path, int flags) {
                 done = true;
         }
 }
+
+const char* mode_to_inaccessible_node(mode_t mode) {
+        switch(mode & S_IFMT) {
+                case S_IFREG:
+                        return "/run/systemd/inaccessible/reg";
+                case S_IFDIR:
+                        return "/run/systemd/inaccessible/dir";
+                case S_IFCHR:
+                        return "/run/systemd/inaccessible/chr";
+                case S_IFBLK:
+                        return "/run/systemd/inaccessible/blk";
+                case S_IFIFO:
+                        return "/run/systemd/inaccessible/fifo";
+                case S_IFSOCK:
+                        return "/run/systemd/inaccessible/sock";
+        }
+        return NULL;
+}
diff --git a/src/basic/mount-util.h b/src/basic/mount-util.h
index bdb525d6b0..f46989ebb3 100644
--- a/src/basic/mount-util.h
+++ b/src/basic/mount-util.h
@@ -49,4 +49,6 @@ union file_handle_union {
         char padding[sizeof(struct file_handle) + MAX_HANDLE_SZ];
 };
 
+const char* mode_to_inaccessible_node(mode_t mode);
+
 #define FILE_HANDLE_INIT { .handle.handle_bytes = MAX_HANDLE_SZ }