test: add a testcase for ProtectHome=tmpfs vs ProtectSystem=strict

src/test/test-execute.c

@@ -269,6 +269,10 @@ static void test_exec_privatedevices(Manager *m) {
         test(m, "exec-privatedevices-no-capability-sys-rawio.service", 0, CLD_EXITED);
 }
 
+static void test_exec_protecthome(Manager *m) {
+        test(m, "exec-protecthome-tmpfs-vs-protectsystem-strict.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
+}
+
 static void test_exec_protectkernelmodules(Manager *m) {
         int r;
 
@@ -732,6 +736,7 @@ int main(int argc, char *argv[]) {
                 test_exec_privatedevices,
                 test_exec_privatenetwork,
                 test_exec_privatetmp,
+                test_exec_protecthome,
                 test_exec_protectkernelmodules,
                 test_exec_readonlypaths,
                 test_exec_readwritepaths,

test/meson.build

@@ -94,6 +94,7 @@ test_data_files = '''
         test-execute/exec-privatenetwork-yes.service
         test-execute/exec-privatetmp-no.service
         test-execute/exec-privatetmp-yes.service
+        test-execute/exec-protecthome-tmpfs-vs-protectsystem-strict.service
         test-execute/exec-protectkernelmodules-no-capabilities.service
         test-execute/exec-protectkernelmodules-yes-capabilities.service
         test-execute/exec-protectkernelmodules-yes-mount-propagation.service

test/test-execute/exec-protecthome-tmpfs-vs-protectsystem-strict.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Test ProtectHome=tmpfs vs ProtectSystem=strict
+# Test for #11276
+
+[Service]
+ProtectHome=tmpfs
+ProtectSystem=strict
+Type=oneshot
+ExecStart=/bin/sh -x -c 'test "$$(stat -fc %%T /home)" = "tmpfs"'