+int setup_namespace(char** read_write_dirs,
+ char** read_only_dirs,
+ char** inaccessible_dirs,
+ char* tmp_dir,
+ char* var_tmp_dir,
+ bool private_tmp,
+ unsigned mount_flags) {
+
+ unsigned n = strv_length(read_write_dirs) +
+ strv_length(read_only_dirs) +
+ strv_length(inaccessible_dirs) +
+ (private_tmp ? 2 : 0);
+ BindMount *m, *mounts = NULL;
+ int r = 0;
+
+ if (!mount_flags)
+ mount_flags = MS_SHARED;
+
+ if (unshare(CLONE_NEWNS) < 0)
+ return -errno;
+
+ if (n) {
+ m = mounts = (BindMount *) alloca(n * sizeof(BindMount));
+ if ((r = append_mounts(&m, read_write_dirs, READWRITE)) < 0 ||
+ (r = append_mounts(&m, read_only_dirs, READONLY)) < 0 ||
+ (r = append_mounts(&m, inaccessible_dirs, INACCESSIBLE)) < 0)
+ return r;
+
+ if (private_tmp) {
+ m->path = "/tmp";
+ m->mode = PRIVATE_TMP;
+ m++;
+
+ m->path = "/var/tmp";
+ m->mode = PRIVATE_VAR_TMP;
+ m++;