From adeff822348e7b3dbdcc3dbdf274609fd1209091 Mon Sep 17 00:00:00 2001
From: Haochen Tong <i@hexchain.org>
Date: Wed, 14 Jun 2023 23:55:56 +0800
Subject: [PATCH] execute: fix the condition of private mounts for user
 namespacing

Follow-up for: 6ef721cbc7dadee4ae878ecf0076d87e57233908
---
 src/core/execute.c      |  2 +-
 src/test/test-execute.c | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/core/execute.c b/src/core/execute.c
index f9a8ae9f154..e46875f5b0f 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -4584,7 +4584,7 @@ static bool exec_context_need_unprivileged_private_users(const ExecContext *cont
                context->network_namespace_path ||
                context->private_ipc ||
                context->ipc_namespace_path ||
-               context->private_mounts ||
+               context->private_mounts > 0 ||
                context->mount_apivfs ||
                context->n_bind_mounts > 0 ||
                context->n_temporary_filesystems > 0 ||
diff --git a/src/test/test-execute.c b/src/test/test-execute.c
index a63afa873b9..b2721a0c7b8 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -448,9 +448,9 @@ static void test_exec_privatedevices(Manager *m) {
         }
 
         test(m, "exec-privatedevices-yes-capability-mknod.service", can_unshare || MANAGER_IS_SYSTEM(m) ? 0 : EXIT_NAMESPACE, CLD_EXITED);
-        test(m, "exec-privatedevices-no-capability-mknod.service", 0, CLD_EXITED);
+        test(m, "exec-privatedevices-no-capability-mknod.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_FAILURE, CLD_EXITED);
         test(m, "exec-privatedevices-yes-capability-sys-rawio.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_NAMESPACE, CLD_EXITED);
-        test(m, "exec-privatedevices-no-capability-sys-rawio.service", 0, CLD_EXITED);
+        test(m, "exec-privatedevices-no-capability-sys-rawio.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_FAILURE, CLD_EXITED);
 }
 
 static void test_exec_protecthome(Manager *m) {
@@ -480,7 +480,7 @@ static void test_exec_protectkernelmodules(Manager *m) {
                 return;
         }
 
-        test(m, "exec-protectkernelmodules-no-capabilities.service", 0, CLD_EXITED);
+        test(m, "exec-protectkernelmodules-no-capabilities.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_FAILURE, CLD_EXITED);
         test(m, "exec-protectkernelmodules-yes-capabilities.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_NAMESPACE, CLD_EXITED);
         test(m, "exec-protectkernelmodules-yes-mount-propagation.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED);
 }
@@ -1118,12 +1118,12 @@ static void test_exec_unsetenvironment(Manager *m) {
 }
 
 static void test_exec_specifier(Manager *m) {
-        test(m, "exec-specifier.service", can_unshare || MANAGER_IS_SYSTEM(m) ? 0 : EXIT_FAILURE, CLD_EXITED);
+        test(m, "exec-specifier.service", 0, CLD_EXITED);
         if (MANAGER_IS_SYSTEM(m))
                 test(m, "exec-specifier-system.service", 0, CLD_EXITED);
         else
                 test(m, "exec-specifier-user.service", 0, CLD_EXITED);
-        test(m, "exec-specifier@foo-bar.service", can_unshare || MANAGER_IS_SYSTEM(m) ? 0 : EXIT_FAILURE, CLD_EXITED);
+        test(m, "exec-specifier@foo-bar.service", 0, CLD_EXITED);
         test(m, "exec-specifier-interpolation.service", 0, CLD_EXITED);
 }