1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 #include <sys/mount.h>
32 #include "mount-setup.h"
33 #include "dev-setup.h"
46 typedef struct MountPoint {
55 /* The first three entries we might need before SELinux is up. The
56 * fourth (securityfs) is needed by IMA to load a custom policy. The
57 * other ones we can delay until SELinux and IMA are loaded. */
58 #define N_EARLY_MOUNT 4
60 static const MountPoint mount_table[] = {
61 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
62 { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
63 { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true },
64 { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, false },
65 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
66 { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, false },
67 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
68 { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, false },
69 { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV, false },
72 /* These are API file systems that might be mounted by other software,
73 * we just list them here so that we know that we should ignore them */
75 static const char * const ignore_paths[] = {
81 bool mount_point_is_api(const char *path) {
84 /* Checks if this mount point is considered "API", and hence
85 * should be ignored */
87 for (i = 0; i < ELEMENTSOF(mount_table); i ++)
88 if (path_equal(path, mount_table[i].where))
91 return path_startswith(path, "/sys/fs/cgroup/");
94 bool mount_point_ignore(const char *path) {
97 for (i = 0; i < ELEMENTSOF(ignore_paths); i++)
98 if (path_equal(path, ignore_paths[i]))
104 static int mount_one(const MountPoint *p, bool relabel) {
109 /* Relabel first, just in case */
111 label_fix(p->where, true);
113 if ((r = path_is_mount_point(p->where, true)) < 0)
119 /* The access mode here doesn't really matter too much, since
120 * the mounted file system will take precedence anyway. */
121 mkdir_p(p->where, 0755);
123 log_debug("Mounting %s to %s of type %s with options %s.",
134 log_full(p->fatal ? LOG_ERR : LOG_DEBUG, "Failed to mount %s: %s", p->where, strerror(errno));
135 return p->fatal ? -errno : 0;
138 /* Relabel again, since we now mounted something fresh here */
140 label_fix(p->where, false);
145 int mount_setup_early(void) {
149 assert_cc(N_EARLY_MOUNT <= ELEMENTSOF(mount_table));
151 /* Do a minimal mount of /proc and friends to enable the most
152 * basic stuff, such as SELinux */
153 for (i = 0; i < N_EARLY_MOUNT; i ++) {
156 j = mount_one(mount_table + i, false);
164 int mount_cgroup_controllers(char ***join_controllers) {
170 /* Mount all available cgroup controllers that are built into the kernel. */
172 f = fopen("/proc/cgroups", "re");
174 log_error("Failed to enumerate cgroup controllers: %m");
178 controllers = set_new(string_hash_func, string_compare_func);
181 log_error("Failed to allocate controller set.");
185 /* Ignore the header line */
186 (void) fgets(buf, sizeof(buf), f);
192 if (fscanf(f, "%ms %*i %*i %i", &controller, &enabled) != 2) {
197 log_error("Failed to parse /proc/cgroups.");
207 r = set_put(controllers, controller);
209 log_error("Failed to add controller to set.");
217 char *controller, *where, *options;
220 controller = set_steal_first(controllers);
224 if (join_controllers)
225 for (k = join_controllers; *k; k++)
226 if (strv_find(*k, controller))
232 for (i = *k, j = *k; *i; i++) {
234 if (!streq(*i, controller)) {
237 t = set_remove(controllers, *i);
250 options = strv_join(*k, ",");
252 log_error("Failed to join options");
259 options = controller;
263 where = strappend("/sys/fs/cgroup/", options);
265 log_error("Failed to build path");
276 p.flags = MS_NOSUID|MS_NOEXEC|MS_NODEV;
279 r = mount_one(&p, true);
288 if (r > 0 && k && *k) {
291 for (i = *k; *i; i++) {
294 t = strappend("/sys/fs/cgroup/", *i);
296 log_error("Failed to build path");
302 r = symlink(options, t);
305 if (r < 0 && errno != EEXIST) {
306 log_error("Failed to create symlink: %m");
320 set_free_free(controllers);
329 const struct stat *sb,
331 struct FTW *ftwbuf) {
333 /* No need to label /dev twice in a row... */
334 if (_unlikely_(ftwbuf->level == 0))
337 label_fix(fpath, true);
339 /* /run/initramfs is static data and big, no need to
340 * dynamically relabel its contents at boot... */
341 if (_unlikely_(ftwbuf->level == 1 &&
343 streq(fpath, "/run/initramfs")))
344 return FTW_SKIP_SUBTREE;
349 int mount_setup(bool loaded_policy) {
351 static const char relabel[] =
352 "/run/initramfs/root-fsck\0"
353 "/run/initramfs/shutdown\0";
359 for (i = 0; i < ELEMENTSOF(mount_table); i ++) {
360 r = mount_one(mount_table + i, true);
366 /* Nodes in devtmpfs and /run need to be manually updated for
367 * the appropriate labels, after mounting. The other virtual
368 * API file systems like /sys and /proc do not need that, they
369 * use the same label for all their files. */
371 usec_t before_relabel, after_relabel;
372 char timespan[FORMAT_TIMESPAN_MAX];
374 before_relabel = now(CLOCK_MONOTONIC);
376 nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
377 nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
379 /* Explicitly relabel these */
380 NULSTR_FOREACH(j, relabel)
383 after_relabel = now(CLOCK_MONOTONIC);
385 log_info("Relabelled /dev and /run in %s.",
386 format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel));
389 /* Create a few default symlinks, which are normally created
390 * by udevd, but some scripts might need them before we start
394 /* Create a few directories we always want around */
395 label_mkdir("/run/systemd", 0755);
396 label_mkdir("/run/systemd/system", 0755);
~ianmdlvl / elogind.git / blob