X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fcore%2Fmount-setup.c;h=e45a6bc1c889821547d3c324ea1f395dc8651423;hb=0a20e3c10761378869af7bbef2733e3ae879d0f1;hp=e7e27366154b6f1a0d93ad114c48cac878285c48;hpb=b872e9a05939bc3e0ac95a042592506a7488dd6f;p=elogind.git

diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
index e7e273661..e45a6bc1c 100644
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@@ -66,7 +66,7 @@ typedef struct MountPoint {
 /* The first three entries we might need before SELinux is up. The
  * fourth (securityfs) is needed by IMA to load a custom policy. The
  * other ones we can delay until SELinux and IMA are loaded. */
-#define N_EARLY_MOUNT 4
+#define N_EARLY_MOUNT 5
 
 static const MountPoint mount_table[] = {
         { "proc",       "/proc",                     "proc",       NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
@@ -77,10 +77,8 @@ static const MountPoint mount_table[] = {
           NULL,       MNT_FATAL|MNT_IN_CONTAINER },
         { "securityfs", "/sys/kernel/security",      "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
           NULL,       MNT_NONE },
-#ifdef ENABLE_EFI
-        { "efivarfs",   "/sys/firmware/efi/efivars", "efivarfs",   NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
-          is_efi_boot, MNT_NONE },
-#endif
+        { "smackfs",    "/sys/fs/smackfs",           "smackfs",    "smackfsdef=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
+          NULL,       MNT_NONE },
         { "tmpfs",      "/dev/shm",                  "tmpfs",      "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
           NULL,       MNT_FATAL|MNT_IN_CONTAINER },
         { "devpts",     "/dev/pts",                  "devpts",     "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
@@ -91,6 +89,12 @@ static const MountPoint mount_table[] = {
           NULL,       MNT_IN_CONTAINER },
         { "cgroup",     "/sys/fs/cgroup/systemd",    "cgroup",     "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV,
           NULL,       MNT_IN_CONTAINER },
+        { "pstore",     "/sys/fs/pstore",            "pstore",     NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
+          NULL,       MNT_NONE },
+#ifdef ENABLE_EFI
+        { "efivarfs",   "/sys/firmware/efi/efivars", "efivarfs",   NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
+          is_efi_boot, MNT_NONE },
+#endif
 };
 
 /* These are API file systems that might be mounted by other software,
@@ -311,6 +315,7 @@ int mount_cgroup_controllers(char ***join_controllers) {
                 p.type = "cgroup";
                 p.options = options;
                 p.flags = MS_NOSUID|MS_NOEXEC|MS_NODEV;
+                p.mode = MNT_IN_CONTAINER;
 
                 r = mount_one(&p, true);
                 free(controller);
@@ -418,7 +423,7 @@ int mount_setup(bool loaded_policy) {
                 after_relabel = now(CLOCK_MONOTONIC);
 
                 log_info("Relabelled /dev and /run in %s.",
-                         format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel));
+                         format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel, 0));
         }
 
         /* Create a few default symlinks, which are normally created
@@ -436,9 +441,14 @@ int mount_setup(bool loaded_policy) {
                 if (mount(NULL, "/", NULL, MS_REC|MS_SHARED, NULL) < 0)
                         log_warning("Failed to set up the root directory for shared mount propagation: %m");
 
-        /* Create a few directories we always want around */
+        /* Create a few directories we always want around, Note that
+         * sd_booted() checks for /run/systemd/system, so this mkdir
+         * really needs to stay for good, otherwise software that
+         * copied sd-daemon.c into their sources will misdetect
+         * systemd. */
         mkdir_label("/run/systemd", 0755);
         mkdir_label("/run/systemd/system", 0755);
+        mkdir_label("/run/systemd/inaccessible", 0000);
 
         return 0;
 }