namespace: create base-filesystem directories if RootImage= or RootDirectory= are set

When a service is started with its own file system image, always try to
create the base-filesystem directories that are needed. This implicitly
covers the directories handled by MountAPIVFS= {/proc|/sys|/dev}.

Mount protections or MountAPIVFS= mounts were never applied if we
changed the root directory and the related paths were not present under
the new root. The mounts were silently. Fix this by creating those
directories if they are missing.

Closes https://github.com/systemd/systemd/issues/5488

src/core/namespace.c

@@ -27,6 +27,7 @@
 #include <linux/fs.h>
 
 #include "alloc-util.h"
+#include "base-filesystem.h"
 #include "dev-setup.h"
 #include "fd-util.h"
 #include "fs-util.h"
@@ -1044,6 +1045,10 @@ int setup_namespace(
                 }
         }
 
+        /* Try to set up the new root directory before mounting anything there */
+        if (root_directory)
+                (void) base_filesystem_create(root_directory, UID_INVALID, GID_INVALID);
+
         if (root_image) {
                 r = dissected_image_mount(dissected_image, root_directory, dissect_image_flags);
                 if (r < 0)

src/shared/base-filesystem.c

@@ -51,6 +51,9 @@ static const BaseFilesystem table[] = {
         { "usr",   0755, NULL,                         NULL },
         { "var",   0755, NULL,                         NULL },
         { "etc",   0755, NULL,                         NULL },
+        { "proc",  0755, NULL,                         NULL, true },
+        { "sys",   0755, NULL,                         NULL, true },
+        { "dev",   0755, NULL,                         NULL, true },
 #if defined(__i386__) || defined(__x86_64__)
         { "lib64",    0, "usr/lib/x86_64-linux-gnu\0"
                          "usr/lib64\0",                "ld-linux-x86-64.so.2" },