+ if (!strv_isempty(context->read_write_dirs) ||
+ !strv_isempty(context->read_only_dirs) ||
+ !strv_isempty(context->inaccessible_dirs) ||
+ context->mount_flags != 0 ||
+ (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
+ params->bus_endpoint_path ||
+ context->private_devices ||
+ context->protect_system != PROTECT_SYSTEM_NO ||
+ context->protect_home != PROTECT_HOME_NO) {
+
+ char *tmp = NULL, *var = NULL;
+
+ /* The runtime struct only contains the parent
+ * of the private /tmp, which is
+ * non-accessible to world users. Inside of it
+ * there's a /tmp that is sticky, and that's
+ * the one we want to use here. */
+
+ if (context->private_tmp && runtime) {
+ if (runtime->tmp_dir)
+ tmp = strappenda(runtime->tmp_dir, "/tmp");
+ if (runtime->var_tmp_dir)
+ var = strappenda(runtime->var_tmp_dir, "/tmp");
+ }
+
+ err = setup_namespace(
+ context->read_write_dirs,
+ context->read_only_dirs,
+ context->inaccessible_dirs,
+ tmp,
+ var,
+ params->bus_endpoint_path,
+ context->private_devices,
+ context->protect_home,
+ context->protect_system,
+ context->mount_flags);
+
+ if (err == -EPERM)
+ log_unit_warning_errno(params->unit_id, err, "Failed to set up file system namespace due to lack of privileges. Execution sandbox will not be in effect: %m");
+ else if (err < 0) {
+ *error = EXIT_NAMESPACE;
+ return err;
+ }
+ }
+
+ if (params->apply_chroot) {
+ if (context->root_directory)
+ if (chroot(context->root_directory) < 0) {
+ *error = EXIT_CHROOT;
+ return -errno;