X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fmount-setup.c;h=7d6cdf6cb4a820b39985a4b5128649cc09a3c466;hb=7e59bfcb18bcfdb82fa1f197c935bb15a22aa582;hp=abb0c19d2543e110478831b5ee9a5e944497b87f;hpb=0c85a4f3efa2883c414ed8ff59aea263b85b7687;p=elogind.git
diff --git a/src/mount-setup.c b/src/mount-setup.c
index abb0c19d2..7d6cdf6cb 100644
--- a/src/mount-setup.c
+++ b/src/mount-setup.c
@@ -36,6 +36,7 @@
 #include "label.h"
 #include "set.h"
 #include "strv.h"
+#include "mkdir.h"
 
 #ifndef TTY_GID
 #define TTY_GID 5
@@ -51,13 +52,15 @@ typedef struct MountPoint {
 } MountPoint;
 
 /* The first three entries we might need before SELinux is up. The
- * other ones we can delay until SELinux is loaded. */
-#define N_EARLY_MOUNT 3
+ * fourth (securityfs) is needed by IMA to load a custom policy. The
+ * other ones we can delay until SELinux and IMA are loaded. */
+#define N_EARLY_MOUNT 4
 
 static const MountPoint mount_table[] = {
 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
 { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
 { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID, true },
+ { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, false },
 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV, true },
 { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, false },
 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV, true },
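Review bot: The new securityfs entry and the bumped N_EARLY_MOUNT are tied together only by table position: securityfs has to sit at index 3, after the sysfs entry it mounts beneath (/sys/kernel/security), or the early-mount count silently stops covering it, and nothing in the table says so. A comment on the entry would pin that down, e.g. `/* index 3: must follow sysfs and stay within N_EARLY_MOUNT so IMA can load its policy early */`. The entry is marked non-fatal, so on a kernel without securityfs the mount presumably just fails and boot continues; whoever later loads an IMA policy then has to cope with the missing mount, which this hunk cannot show.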
@@ -344,22 +347,34 @@ static int nftw_cb(
 struct FTW *ftwbuf) {
 
 /* No need to label /dev twice in a row... */
- if (ftwbuf->level == 0)
- return 0;
+ if (_unlikely_(ftwbuf->level == 0))
+ return FTW_CONTINUE;
 
 label_fix(fpath, true);
- return 0;
+
+ /* /run/initramfs is static data and big, no need to
+ * dynamically relabel its contents at boot... */
+ if (_unlikely_(ftwbuf->level == 1 &&
+ tflag == FTW_D &&
+ streq(fpath, "/run/initramfs")))
+ return FTW_SKIP_SUBTREE;
+
+ return FTW_CONTINUE;
 };
 
 int mount_setup(bool loaded_policy) {
- const char symlinks[] =
+ static const char symlinks[] =
 "/proc/kcore\0" "/dev/core\0"
 "/proc/self/fd\0" "/dev/fd\0"
 "/proc/self/fd/0\0" "/dev/stdin\0"
 "/proc/self/fd/1\0" "/dev/stdout\0"
 "/proc/self/fd/2\0" "/dev/stderr\0";
+ static const char relabel[] =
+ "/run/initramfs/root-fsck\0"
+ "/run/initramfs/shutdown\0";
+
 int r;
 unsigned i;
 const char *j, *k;
@@ -381,14 +396,17 @@ int mount_setup(bool loaded_policy) {
 
 before_relabel = now(CLOCK_MONOTONIC);
 
- nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS);
- nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS);
+ nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
+ nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
+
+ /* Explicitly relabel these */
+ NULSTR_FOREACH(j, relabel)
+ label_fix(j, true);
 
 after_relabel = now(CLOCK_MONOTONIC);
 
 log_info("Relabelled /dev and /run in %s.",
 format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel));
-
 }
 
 /* Create a few default symlinks, which are normally created
@@ -398,8 +416,8 @@ int mount_setup(bool loaded_policy) {
 symlink_and_label(j, k);
 
 /* Create a few directories we always want around */
- mkdir("/run/systemd", 0755);
- mkdir("/run/systemd/system", 0755);
+ label_mkdir("/run/systemd", 0755);
+ label_mkdir("/run/systemd/system", 0755);
 
 return 0;
 }
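Review bot: nftw_cb now returns FTW_CONTINUE and FTW_SKIP_SUBTREE, which nftw() only interprets as traversal directives when the caller passes FTW_ACTIONRETVAL (done in the following hunk), and nothing at the callback documents that coupling; a header comment such as `/* nftw() callback; requires FTW_ACTIONRETVAL, so the return value is a traversal directive rather than an error code. */` would stop a future caller from reusing it with plain nftw() flags. The /run/initramfs test is evaluated after `label_fix(fpath, true)`, so the directory entry itself is still relabelled and only its contents are skipped, which is worth stating in the existing comment, e.g. `/* the directory itself was fixed above; its contents are skipped */`. FTW_ACTIONRETVAL and FTW_SKIP_SUBTREE are a glibc extension exposed under _GNU_SOURCE, which this hunk does not show being defined. nftw_cb's parameter list begins outside the hunk.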
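Review bot: Both nftw() calls still discard their return value, so a walk that fails or is cut short is followed by a log line stating that /dev and /run were relabelled. Checking the result keeps the log honest, e.g. `if (nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL) < 0) log_warning("Failed to relabel /run: %m");`, with the same treatment for the /dev call. The `label_fix(j, true)` results in the NULSTR_FOREACH loop and the `label_mkdir()` results in the last hunk are ignored the same way; if label_mkdir() follows mkdir()'s return convention, an error other than EEXIST on /run/systemd deserves at least a warning since later code presumably relies on that directory. The `if (loaded_policy)` block enclosing the relabel code starts outside the hunk.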