namespace: unify limit behavior on non-directory paths

Despite the name, `Read{Write,Only}Directories=` already allows for
regular file paths to be masked. This commit adds the same behavior
to `InaccessibleDirectories=` and makes it explicit in the doc.
This patch introduces `/run/elogind/inaccessible/{reg,dir,chr,blk,fifo,sock}`
{dile,device}nodes and mounts on the appropriate one the paths specified
in `InacessibleDirectories=`.

Based on Luca's patch from https://github.com/elogind/elogind/pull/3327

diff --git a/src/basic/mount-util.h b/src/basic/mount-util.h
index 237bd4711204a2f0ca02f28800c08de063ed7663..9ed5b284ceab5e275c02a1ac30b9c49b8accd02e 100644 (file)
--- a/src/basic/mount-util.h
+++ b/src/basic/mount-util.h
@@ -53,4 +53,6 @@ union file_handle_union {
         char padding[sizeof(struct file_handle) + MAX_HANDLE_SZ];
 };
 
+const char* mode_to_inaccessible_node(mode_t mode);
+
 #define FILE_HANDLE_INIT { .handle.handle_bytes = MAX_HANDLE_SZ }