1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 #include <sys/mount.h>
32 #include "mount-setup.h"
33 #include "dev-setup.h"
41 #include "path-util.h"
49 typedef enum MountMode {
52 MNT_IN_CONTAINER = 1 << 1,
55 typedef struct MountPoint {
61 bool (*condition_fn)(void);
65 /* The first three entries we might need before SELinux is up. The
66 * fourth (securityfs) is needed by IMA to load a custom policy. The
67 * other ones we can delay until SELinux and IMA are loaded. */
68 #define N_EARLY_MOUNT 4
70 static const MountPoint mount_table[] = {
71 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
72 NULL, MNT_FATAL|MNT_IN_CONTAINER },
73 { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
74 NULL, MNT_FATAL|MNT_IN_CONTAINER },
75 { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME,
76 NULL, MNT_FATAL|MNT_IN_CONTAINER },
77 { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
79 { "efivarfs", "/sys/firmware/efi/efivars", "efivarfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
80 is_efiboot, MNT_NONE },
81 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
82 NULL, MNT_FATAL|MNT_IN_CONTAINER },
83 { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
84 NULL, MNT_IN_CONTAINER },
85 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
86 NULL, MNT_FATAL|MNT_IN_CONTAINER },
87 { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
88 NULL, MNT_IN_CONTAINER },
89 { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV,
90 NULL, MNT_IN_CONTAINER },
93 /* These are API file systems that might be mounted by other software,
94 * we just list them here so that we know that we should ignore them */
96 static const char ignore_paths[] =
97 /* SELinux file systems */
100 /* Legacy cgroup mount points */
103 /* Legacy kernel file system */
105 /* Container bind mounts */
110 bool mount_point_is_api(const char *path) {
113 /* Checks if this mount point is considered "API", and hence
114 * should be ignored */
116 for (i = 0; i < ELEMENTSOF(mount_table); i ++)
117 if (path_equal(path, mount_table[i].where))
120 return path_startswith(path, "/sys/fs/cgroup/");
123 bool mount_point_ignore(const char *path) {
126 NULSTR_FOREACH(i, ignore_paths)
127 if (path_equal(path, i))
133 static int mount_one(const MountPoint *p, bool relabel) {
138 if (p->condition_fn && !p->condition_fn())
141 /* Relabel first, just in case */
143 label_fix(p->where, true, true);
145 r = path_is_mount_point(p->where, true);
152 /* Skip securityfs in a container */
153 if (!(p->mode & MNT_IN_CONTAINER) && detect_container(NULL) > 0)
156 /* The access mode here doesn't really matter too much, since
157 * the mounted file system will take precedence anyway. */
158 mkdir_p_label(p->where, 0755);
160 log_debug("Mounting %s to %s of type %s with options %s.",
171 log_full((p->mode & MNT_FATAL) ? LOG_ERR : LOG_DEBUG, "Failed to mount %s: %s", p->where, strerror(errno));
172 return (p->mode & MNT_FATAL) ? -errno : 0;
175 /* Relabel again, since we now mounted something fresh here */
177 label_fix(p->where, false, false);
182 int mount_setup_early(void) {
186 assert_cc(N_EARLY_MOUNT <= ELEMENTSOF(mount_table));
188 /* Do a minimal mount of /proc and friends to enable the most
189 * basic stuff, such as SELinux */
190 for (i = 0; i < N_EARLY_MOUNT; i ++) {
193 j = mount_one(mount_table + i, false);
201 int mount_cgroup_controllers(char ***join_controllers) {
207 /* Mount all available cgroup controllers that are built into the kernel. */
209 f = fopen("/proc/cgroups", "re");
211 log_error("Failed to enumerate cgroup controllers: %m");
215 controllers = set_new(string_hash_func, string_compare_func);
221 /* Ignore the header line */
222 (void) fgets(buf, sizeof(buf), f);
228 if (fscanf(f, "%ms %*i %*i %i", &controller, &enabled) != 2) {
233 log_error("Failed to parse /proc/cgroups.");
243 r = set_put(controllers, controller);
245 log_error("Failed to add controller to set.");
253 char *controller, *where, *options;
256 controller = set_steal_first(controllers);
260 if (join_controllers)
261 for (k = join_controllers; *k; k++)
262 if (strv_find(*k, controller))
268 for (i = *k, j = *k; *i; i++) {
270 if (!streq(*i, controller)) {
273 t = set_remove(controllers, *i);
286 options = strv_join(*k, ",");
294 options = controller;
298 where = strappend("/sys/fs/cgroup/", options);
310 p.flags = MS_NOSUID|MS_NOEXEC|MS_NODEV;
312 r = mount_one(&p, true);
321 if (r > 0 && k && *k) {
324 for (i = *k; *i; i++) {
327 t = strappend("/sys/fs/cgroup/", *i);
334 r = symlink(options, t);
337 if (r < 0 && errno != EEXIST) {
338 log_error("Failed to create symlink: %m");
352 set_free_free(controllers);
361 const struct stat *sb,
363 struct FTW *ftwbuf) {
365 /* No need to label /dev twice in a row... */
366 if (_unlikely_(ftwbuf->level == 0))
369 label_fix(fpath, false, false);
371 /* /run/initramfs is static data and big, no need to
372 * dynamically relabel its contents at boot... */
373 if (_unlikely_(ftwbuf->level == 1 &&
375 streq(fpath, "/run/initramfs")))
376 return FTW_SKIP_SUBTREE;
381 int mount_setup(bool loaded_policy) {
383 static const char relabel[] =
384 "/run/initramfs/root-fsck\0"
385 "/run/initramfs/shutdown\0";
391 for (i = 0; i < ELEMENTSOF(mount_table); i ++) {
392 r = mount_one(mount_table + i, true);
398 /* Nodes in devtmpfs and /run need to be manually updated for
399 * the appropriate labels, after mounting. The other virtual
400 * API file systems like /sys and /proc do not need that, they
401 * use the same label for all their files. */
403 usec_t before_relabel, after_relabel;
404 char timespan[FORMAT_TIMESPAN_MAX];
406 before_relabel = now(CLOCK_MONOTONIC);
408 nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
409 nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
411 /* Explicitly relabel these */
412 NULSTR_FOREACH(j, relabel)
413 label_fix(j, true, false);
415 after_relabel = now(CLOCK_MONOTONIC);
417 log_info("Relabelled /dev and /run in %s.",
418 format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel));
421 /* Create a few default symlinks, which are normally created
422 * by udevd, but some scripts might need them before we start
426 /* Mark the root directory as shared in regards to mount
427 * propagation. The kernel defaults to "private", but we think
428 * it makes more sense to have a default of "shared" so that
429 * nspawn and the container tools work out of the box. If
430 * specific setups need other settings they can reset the
431 * propagation mode to private if needed. */
432 if (detect_container(NULL) <= 0)
433 if (mount(NULL, "/", NULL, MS_REC|MS_SHARED, NULL) < 0)
434 log_warning("Failed to set up the root directory for shared mount propagation: %m");
436 /* Create a few directories we always want around */
437 mkdir_label("/run/systemd", 0755);
438 mkdir_label("/run/systemd/system", 0755);
~ianmdlvl / elogind.git / blob