1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 #include <sys/mount.h>
32 #include "mount-setup.h"
33 #include "dev-setup.h"
41 #include "path-util.h"
45 #include "smack-util.h"
48 typedef enum MountMode {
51 MNT_IN_CONTAINER = 1 << 1,
54 typedef struct MountPoint {
60 bool (*condition_fn)(void);
64 /* The first three entries we might need before SELinux is up. The
65 * fourth (securityfs) is needed by IMA to load a custom policy. The
66 * other ones we can delay until SELinux and IMA are loaded. When
67 * SMACK is enabled we need smackfs, too, so it's a fifth one. */
69 #define N_EARLY_MOUNT 5
71 #define N_EARLY_MOUNT 4
74 static const MountPoint mount_table[] = {
75 { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
76 NULL, MNT_FATAL|MNT_IN_CONTAINER },
77 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
78 NULL, MNT_FATAL|MNT_IN_CONTAINER },
79 { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME,
80 NULL, MNT_FATAL|MNT_IN_CONTAINER },
81 { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
84 { "smackfs", "/sys/fs/smackfs", "smackfs", "smackfsdef=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
85 mac_smack_use, MNT_FATAL },
86 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
87 mac_smack_use, MNT_FATAL },
89 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
90 NULL, MNT_FATAL|MNT_IN_CONTAINER },
91 { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
92 NULL, MNT_IN_CONTAINER },
94 { "tmpfs", "/run", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
95 mac_smack_use, MNT_FATAL },
97 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
98 NULL, MNT_FATAL|MNT_IN_CONTAINER },
99 { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
100 NULL, MNT_FATAL|MNT_IN_CONTAINER },
101 { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd,xattr", MS_NOSUID|MS_NOEXEC|MS_NODEV,
102 NULL, MNT_IN_CONTAINER },
103 { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV,
104 NULL, MNT_FATAL|MNT_IN_CONTAINER },
105 { "pstore", "/sys/fs/pstore", "pstore", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
108 { "efivarfs", "/sys/firmware/efi/efivars", "efivarfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
109 is_efi_boot, MNT_NONE },
113 static const MountPoint mount_table_late[] = {
115 { "kdbusfs", "/sys/fs/kdbus", "kdbusfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
116 NULL, MNT_IN_CONTAINER },
120 /* These are API file systems that might be mounted by other software,
121 * we just list them here so that we know that we should ignore them */
123 static const char ignore_paths[] =
124 /* SELinux file systems */
127 /* Legacy cgroup mount points */
130 /* Legacy kernel file system */
132 /* Container bind mounts */
137 bool mount_point_is_api(const char *path) {
140 /* Checks if this mount point is considered "API", and hence
141 * should be ignored */
143 for (i = 0; i < ELEMENTSOF(mount_table); i ++)
144 if (path_equal(path, mount_table[i].where))
147 return path_startswith(path, "/sys/fs/cgroup/");
150 bool mount_point_ignore(const char *path) {
153 NULSTR_FOREACH(i, ignore_paths)
154 if (path_equal(path, i))
160 static int mount_one(const MountPoint *p, bool relabel) {
165 if (p->condition_fn && !p->condition_fn())
168 /* Relabel first, just in case */
170 label_fix(p->where, true, true);
172 r = path_is_mount_point(p->where, true);
179 /* Skip securityfs in a container */
180 if (!(p->mode & MNT_IN_CONTAINER) && detect_container(NULL) > 0)
183 /* The access mode here doesn't really matter too much, since
184 * the mounted file system will take precedence anyway. */
186 mkdir_p_label(p->where, 0755);
188 mkdir_p(p->where, 0755);
190 log_debug("Mounting %s to %s of type %s with options %s.",
201 log_full((p->mode & MNT_FATAL) ? LOG_ERR : LOG_DEBUG, "Failed to mount %s at %s: %m", p->type, p->where);
202 return (p->mode & MNT_FATAL) ? -errno : 0;
205 /* Relabel again, since we now mounted something fresh here */
207 label_fix(p->where, false, false);
212 int mount_setup_early(void) {
216 assert_cc(N_EARLY_MOUNT <= ELEMENTSOF(mount_table));
218 /* Do a minimal mount of /proc and friends to enable the most
219 * basic stuff, such as SELinux */
220 for (i = 0; i < N_EARLY_MOUNT; i ++) {
223 j = mount_one(mount_table + i, false);
231 int mount_setup_late(void) {
235 for (i = 0; i < ELEMENTSOF(mount_table_late); i ++) {
238 j = mount_one(mount_table_late + i, false);
246 int mount_cgroup_controllers(char ***join_controllers) {
247 _cleanup_set_free_free_ Set *controllers = NULL;
248 _cleanup_fclose_ FILE *f;
252 /* Mount all available cgroup controllers that are built into the kernel. */
254 f = fopen("/proc/cgroups", "re");
256 log_error("Failed to enumerate cgroup controllers: %m");
260 controllers = set_new(&string_hash_ops);
264 /* Ignore the header line */
265 (void) fgets(buf, sizeof(buf), f);
271 if (fscanf(f, "%ms %*i %*i %i", &controller, &enabled) != 2) {
276 log_error("Failed to parse /proc/cgroups.");
285 r = set_consume(controllers, controller);
287 log_error("Failed to add controller to set.");
293 _cleanup_free_ char *options = NULL, *controller = NULL, *where = NULL;
297 .flags = MS_NOSUID|MS_NOEXEC|MS_NODEV,
298 .mode = MNT_IN_CONTAINER,
302 controller = set_steal_first(controllers);
306 if (join_controllers)
307 for (k = join_controllers; *k; k++)
308 if (strv_find(*k, controller))
314 for (i = *k, j = *k; *i; i++) {
316 if (!streq(*i, controller)) {
317 _cleanup_free_ char *t;
319 t = set_remove(controllers, *i);
331 options = strv_join(*k, ",");
335 options = controller;
339 where = strappend("/sys/fs/cgroup/", options);
346 r = mount_one(&p, true);
350 if (r > 0 && k && *k) {
353 for (i = *k; *i; i++) {
354 _cleanup_free_ char *t = NULL;
356 t = strappend("/sys/fs/cgroup/", *i);
360 r = symlink(options, t);
361 if (r < 0 && errno != EEXIST) {
362 log_error("Failed to create symlink %s: %m", t);
369 /* Now that we mounted everything, let's make the tmpfs the
370 * cgroup file systems are mounted into read-only. */
371 mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY, "mode=755");
376 #if defined(HAVE_SELINUX) || defined(HAVE_SMACK)
379 const struct stat *sb,
381 struct FTW *ftwbuf) {
383 /* No need to label /dev twice in a row... */
384 if (_unlikely_(ftwbuf->level == 0))
387 label_fix(fpath, false, false);
389 /* /run/initramfs is static data and big, no need to
390 * dynamically relabel its contents at boot... */
391 if (_unlikely_(ftwbuf->level == 1 &&
393 streq(fpath, "/run/initramfs")))
394 return FTW_SKIP_SUBTREE;
400 int mount_setup(bool loaded_policy) {
404 for (i = 0; i < ELEMENTSOF(mount_table); i ++) {
405 r = mount_one(mount_table + i, true);
411 #if defined(HAVE_SELINUX) || defined(HAVE_SMACK)
412 /* Nodes in devtmpfs and /run need to be manually updated for
413 * the appropriate labels, after mounting. The other virtual
414 * API file systems like /sys and /proc do not need that, they
415 * use the same label for all their files. */
417 usec_t before_relabel, after_relabel;
418 char timespan[FORMAT_TIMESPAN_MAX];
420 before_relabel = now(CLOCK_MONOTONIC);
422 nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
423 nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
425 after_relabel = now(CLOCK_MONOTONIC);
427 log_info("Relabelled /dev and /run in %s.",
428 format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel, 0));
432 /* Create a few default symlinks, which are normally created
433 * by udevd, but some scripts might need them before we start
437 /* Mark the root directory as shared in regards to mount
438 * propagation. The kernel defaults to "private", but we think
439 * it makes more sense to have a default of "shared" so that
440 * nspawn and the container tools work out of the box. If
441 * specific setups need other settings they can reset the
442 * propagation mode to private if needed. */
443 if (detect_container(NULL) <= 0)
444 if (mount(NULL, "/", NULL, MS_REC|MS_SHARED, NULL) < 0)
445 log_warning("Failed to set up the root directory for shared mount propagation: %m");
447 /* Create a few directories we always want around, Note that
448 * sd_booted() checks for /run/systemd/system, so this mkdir
449 * really needs to stay for good, otherwise software that
450 * copied sd-daemon.c into their sources will misdetect
452 mkdir_label("/run/systemd", 0755);
453 mkdir_label("/run/systemd/system", 0755);
454 mkdir_label("/run/systemd/inaccessible", 0000);
~ianmdlvl / elogind.git / blob