1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 #include <sys/mount.h>
32 #include "mount-setup.h"
33 #include "dev-setup.h"
41 #include "path-util.h"
50 typedef enum MountMode {
53 MNT_IN_CONTAINER = 1 << 1,
56 typedef struct MountPoint {
62 bool (*condition_fn)(void);
66 /* The first three entries we might need before SELinux is up. The
67 * fourth (securityfs) is needed by IMA to load a custom policy. The
68 * other ones we can delay until SELinux and IMA are loaded. */
69 #define N_EARLY_MOUNT 4
71 static const MountPoint mount_table[] = {
72 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
73 NULL, MNT_FATAL|MNT_IN_CONTAINER },
74 { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
75 NULL, MNT_FATAL|MNT_IN_CONTAINER },
76 { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME,
77 NULL, MNT_FATAL|MNT_IN_CONTAINER },
78 { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
80 { "efivarfs", "/sys/firmware/efi/efivars", "efivarfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
81 is_efiboot, MNT_NONE },
82 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
83 NULL, MNT_FATAL|MNT_IN_CONTAINER },
84 { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
85 NULL, MNT_IN_CONTAINER },
86 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
87 NULL, MNT_FATAL|MNT_IN_CONTAINER },
88 { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
89 NULL, MNT_IN_CONTAINER },
90 { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV,
91 NULL, MNT_IN_CONTAINER },
94 /* These are API file systems that might be mounted by other software,
95 * we just list them here so that we know that we should ignore them */
97 static const char ignore_paths[] =
98 /* SELinux file systems */
101 /* Legacy cgroup mount points */
104 /* Legacy kernel file system */
106 /* Container bind mounts */
111 bool mount_point_is_api(const char *path) {
114 /* Checks if this mount point is considered "API", and hence
115 * should be ignored */
117 for (i = 0; i < ELEMENTSOF(mount_table); i ++)
118 if (path_equal(path, mount_table[i].where))
121 return path_startswith(path, "/sys/fs/cgroup/");
124 bool mount_point_ignore(const char *path) {
127 NULSTR_FOREACH(i, ignore_paths)
128 if (path_equal(path, i))
134 static int mount_one(const MountPoint *p, bool relabel) {
139 if (p->condition_fn && !p->condition_fn())
142 /* Relabel first, just in case */
144 label_fix(p->where, true, true);
146 r = path_is_mount_point(p->where, true);
153 /* Skip securityfs in a container */
154 if (!(p->mode & MNT_IN_CONTAINER) && detect_container(NULL) > 0)
157 /* The access mode here doesn't really matter too much, since
158 * the mounted file system will take precedence anyway. */
159 mkdir_p_label(p->where, 0755);
161 log_debug("Mounting %s to %s of type %s with options %s.",
172 log_full((p->mode & MNT_FATAL) ? LOG_ERR : LOG_DEBUG, "Failed to mount %s: %s", p->where, strerror(errno));
173 return (p->mode & MNT_FATAL) ? -errno : 0;
176 /* Relabel again, since we now mounted something fresh here */
178 label_fix(p->where, false, false);
183 int mount_setup_early(void) {
187 assert_cc(N_EARLY_MOUNT <= ELEMENTSOF(mount_table));
189 /* Do a minimal mount of /proc and friends to enable the most
190 * basic stuff, such as SELinux */
191 for (i = 0; i < N_EARLY_MOUNT; i ++) {
194 j = mount_one(mount_table + i, false);
202 int mount_cgroup_controllers(char ***join_controllers) {
208 /* Mount all available cgroup controllers that are built into the kernel. */
210 f = fopen("/proc/cgroups", "re");
212 log_error("Failed to enumerate cgroup controllers: %m");
216 controllers = set_new(string_hash_func, string_compare_func);
222 /* Ignore the header line */
223 (void) fgets(buf, sizeof(buf), f);
229 if (fscanf(f, "%ms %*i %*i %i", &controller, &enabled) != 2) {
234 log_error("Failed to parse /proc/cgroups.");
244 r = set_put(controllers, controller);
246 log_error("Failed to add controller to set.");
254 char *controller, *where, *options;
257 controller = set_steal_first(controllers);
261 if (join_controllers)
262 for (k = join_controllers; *k; k++)
263 if (strv_find(*k, controller))
269 for (i = *k, j = *k; *i; i++) {
271 if (!streq(*i, controller)) {
274 t = set_remove(controllers, *i);
287 options = strv_join(*k, ",");
295 options = controller;
299 where = strappend("/sys/fs/cgroup/", options);
311 p.flags = MS_NOSUID|MS_NOEXEC|MS_NODEV;
313 r = mount_one(&p, true);
322 if (r > 0 && k && *k) {
325 for (i = *k; *i; i++) {
328 t = strappend("/sys/fs/cgroup/", *i);
335 r = symlink(options, t);
338 if (r < 0 && errno != EEXIST) {
339 log_error("Failed to create symlink: %m");
353 set_free_free(controllers);
362 const struct stat *sb,
364 struct FTW *ftwbuf) {
366 /* No need to label /dev twice in a row... */
367 if (_unlikely_(ftwbuf->level == 0))
370 label_fix(fpath, false, false);
372 /* /run/initramfs is static data and big, no need to
373 * dynamically relabel its contents at boot... */
374 if (_unlikely_(ftwbuf->level == 1 &&
376 streq(fpath, "/run/initramfs")))
377 return FTW_SKIP_SUBTREE;
382 int mount_setup(bool loaded_policy) {
384 static const char relabel[] =
385 "/run/initramfs/root-fsck\0"
386 "/run/initramfs/shutdown\0";
392 for (i = 0; i < ELEMENTSOF(mount_table); i ++) {
393 r = mount_one(mount_table + i, true);
399 /* Nodes in devtmpfs and /run need to be manually updated for
400 * the appropriate labels, after mounting. The other virtual
401 * API file systems like /sys and /proc do not need that, they
402 * use the same label for all their files. */
404 usec_t before_relabel, after_relabel;
405 char timespan[FORMAT_TIMESPAN_MAX];
407 before_relabel = now(CLOCK_MONOTONIC);
409 nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
410 nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
412 /* Explicitly relabel these */
413 NULSTR_FOREACH(j, relabel)
414 label_fix(j, true, false);
416 after_relabel = now(CLOCK_MONOTONIC);
418 log_info("Relabelled /dev and /run in %s.",
419 format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel));
422 /* Create a few default symlinks, which are normally created
423 * by udevd, but some scripts might need them before we start
427 /* Mark the root directory as shared in regards to mount
428 * propagation. The kernel defaults to "private", but we think
429 * it makes more sense to have a default of "shared" so that
430 * nspawn and the container tools work out of the box. If
431 * specific setups need other settings they can reset the
432 * propagation mode to private if needed. */
433 if (detect_container(NULL) <= 0)
434 if (mount(NULL, "/", NULL, MS_REC|MS_SHARED, NULL) < 0)
435 log_warning("Failed to set up the root directory for shared mount propagation: %m");
437 /* Create a few directories we always want around */
438 mkdir_label("/run/systemd", 0755);
439 mkdir_label("/run/systemd/system", 0755);
~ianmdlvl / elogind.git / blob