authorLennart Poettering <lennart@poettering.net>2018-05-03 16:10:35 +0200
committerSven Eden <yamakuzure@gmx.net>2018-08-24 16:47:08 +0200
commit1791a21ab8c2809115c095f96b300195262f7a9e (patch)
treee4c8c469a3d0a5133a66f20d5b33e2525229b8a9 /src/basic/mount-util.c
parentbe6bb0f678b2ecca0481951a803545243469cc97 (diff)
mount-setup: add a comment that the character/block device nodes are "optional" (#8893)
if we lack privs to create device nodes that's fine, and creating /run/systemd/inaccessible/chr or /run/systemd/inaccessible/blk won't work then. Document this in longer comments. Fixes: #4484
Diffstat (limited to 'src/basic/mount-util.c')
-rw-r--r--src/basic/mount-util.c15
1 files changed, 12 insertions, 3 deletions
diff --git a/src/basic/mount-util.c b/src/basic/mount-util.c
index 1736cf19b..9d1f34e08 100644
--- a/src/basic/mount-util.c
+++ b/src/basic/mount-util.c
@@ -702,24 +702,33 @@ int repeat_unmount(const char *path, int flags) {
#endif // 0
const char* mode_to_inaccessible_node(mode_t mode) {
- /* This function maps a node type to the correspondent inaccessible node type.
- * Character and block inaccessible devices may not be created (because major=0 and minor=0),
- * in such case we map character and block devices to the inaccessible node type socket. */
+ /* This function maps a node type to a corresponding inaccessible file node. These nodes are created during
+ * early boot by PID 1. In some cases we lacked the privs to create the character and block devices (maybe
+ * because we run in an userns environment, or miss CAP_SYS_MKNOD, or run with a devices policy that excludes
+ * device nodes with major and minor of 0), but that's fine, in that case we use an AF_UNIX file node instead,
+ * which is not the same, but close enough for most uses. And most importantly, the kernel allows bind mounts
+ * from socket nodes to any non-directory file nodes, and that's the most important thing that matters. */
+
switch(mode & S_IFMT) {
case S_IFREG:
return "/run/systemd/inaccessible/reg";
+
case S_IFDIR:
return "/run/systemd/inaccessible/dir";
+
case S_IFCHR:
if (access("/run/systemd/inaccessible/chr", F_OK) == 0)
return "/run/systemd/inaccessible/chr";
return "/run/systemd/inaccessible/sock";
+
case S_IFBLK:
if (access("/run/systemd/inaccessible/blk", F_OK) == 0)
return "/run/systemd/inaccessible/blk";
return "/run/systemd/inaccessible/sock";
+
case S_IFIFO:
return "/run/systemd/inaccessible/fifo";
+
case S_IFSOCK:
return "/run/systemd/inaccessible/sock";
}
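Review bot: The rewritten comment in mode_to_inaccessible_node() calls the socket fallback "close enough for most uses" but never says what differs, which is what a caller needs to know. When `/run/systemd/inaccessible/chr` or `/run/systemd/inaccessible/blk` is absent, a path masked with the returned node will show up as S_IFSOCK in stat() rather than as a device type. I would add a line such as `* Callers must not rely on the masked path keeping its original file type: with the fallback, stat() reports S_IFSOCK.` The comment could also state that the `access(..., F_OK)` checks test existence only, so the function relies on the contents of /run/systemd/inaccessible being exactly what PID 1 created there. The visible switch has no `default:` and the function's tail lies outside the hunk, so the return value for other types (for example S_IFLNK) cannot be confirmed from here.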