1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 #include <sys/mount.h>
32 #include "mount-setup.h"
33 #include "dev-setup.h"
41 #include "path-util.h"
50 typedef enum MountMode {
53 MNT_IN_CONTAINER = 1 << 1,
56 typedef struct MountPoint {
62 bool (*condition_fn)(void);
66 /* The first three entries we might need before SELinux is up. The
67 * fourth (securityfs) is needed by IMA to load a custom policy. The
68 * other ones we can delay until SELinux and IMA are loaded. */
69 #define N_EARLY_MOUNT 5
71 static const MountPoint mount_table[] = {
72 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
73 NULL, MNT_FATAL|MNT_IN_CONTAINER },
74 { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
75 NULL, MNT_FATAL|MNT_IN_CONTAINER },
76 { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME,
77 NULL, MNT_FATAL|MNT_IN_CONTAINER },
78 { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
80 { "smackfs", "/sys/fs/smackfs", "smackfs", "smackfsdef=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
83 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
84 NULL, MNT_IN_CONTAINER },
86 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
87 NULL, MNT_FATAL|MNT_IN_CONTAINER },
88 { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
89 NULL, MNT_IN_CONTAINER },
91 { "tmpfs", "/run", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
92 NULL, MNT_IN_CONTAINER },
94 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
95 NULL, MNT_FATAL|MNT_IN_CONTAINER },
96 { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
97 NULL, MNT_IN_CONTAINER },
99 { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd,xattr", MS_NOSUID|MS_NOEXEC|MS_NODEV,
100 NULL, MNT_IN_CONTAINER },
102 { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV,
103 NULL, MNT_IN_CONTAINER },
104 { "pstore", "/sys/fs/pstore", "pstore", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
107 { "efivarfs", "/sys/firmware/efi/efivars", "efivarfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
108 is_efi_boot, MNT_NONE },
112 /* These are API file systems that might be mounted by other software,
113 * we just list them here so that we know that we should ignore them */
115 static const char ignore_paths[] =
116 /* SELinux file systems */
119 /* Legacy cgroup mount points */
122 /* Legacy kernel file system */
124 /* Container bind mounts */
129 bool mount_point_is_api(const char *path) {
132 /* Checks if this mount point is considered "API", and hence
133 * should be ignored */
135 for (i = 0; i < ELEMENTSOF(mount_table); i ++)
136 if (path_equal(path, mount_table[i].where))
139 return path_startswith(path, "/sys/fs/cgroup/");
142 bool mount_point_ignore(const char *path) {
145 NULSTR_FOREACH(i, ignore_paths)
146 if (path_equal(path, i))
152 static int mount_one(const MountPoint *p, bool relabel) {
157 if (p->condition_fn && !p->condition_fn())
160 /* Relabel first, just in case */
162 label_fix(p->where, true, true);
164 r = path_is_mount_point(p->where, true);
171 /* Skip securityfs in a container */
172 if (!(p->mode & MNT_IN_CONTAINER) && detect_container(NULL) > 0)
175 /* The access mode here doesn't really matter too much, since
176 * the mounted file system will take precedence anyway. */
177 mkdir_p_label(p->where, 0755);
179 log_debug("Mounting %s to %s of type %s with options %s.",
190 log_full((p->mode & MNT_FATAL) ? LOG_ERR : LOG_DEBUG, "Failed to mount %s: %s", p->where, strerror(errno));
191 return (p->mode & MNT_FATAL) ? -errno : 0;
194 /* Relabel again, since we now mounted something fresh here */
196 label_fix(p->where, false, false);
201 int mount_setup_early(void) {
205 assert_cc(N_EARLY_MOUNT <= ELEMENTSOF(mount_table));
207 /* Do a minimal mount of /proc and friends to enable the most
208 * basic stuff, such as SELinux */
209 for (i = 0; i < N_EARLY_MOUNT; i ++) {
212 j = mount_one(mount_table + i, false);
220 int mount_cgroup_controllers(char ***join_controllers) {
223 _cleanup_set_free_free_ Set *controllers = NULL;
224 _cleanup_fclose_ FILE *f;
226 /* Mount all available cgroup controllers that are built into the kernel. */
228 f = fopen("/proc/cgroups", "re");
230 log_error("Failed to enumerate cgroup controllers: %m");
234 controllers = set_new(string_hash_func, string_compare_func);
238 /* Ignore the header line */
239 (void) fgets(buf, sizeof(buf), f);
245 if (fscanf(f, "%ms %*i %*i %i", &controller, &enabled) != 2) {
250 log_error("Failed to parse /proc/cgroups.");
259 r = set_consume(controllers, controller);
261 log_error("Failed to add controller to set.");
270 .flags = MS_NOSUID|MS_NOEXEC|MS_NODEV,
271 .mode = MNT_IN_CONTAINER,
274 _cleanup_free_ char *options = NULL, *controller;
276 controller = set_steal_first(controllers);
280 if (join_controllers)
281 for (k = join_controllers; *k; k++)
282 if (strv_find(*k, controller))
288 for (i = *k, j = *k; *i; i++) {
290 if (!streq(*i, controller)) {
291 char _cleanup_free_ *t;
293 t = set_remove(controllers, *i);
305 options = strv_join(*k, ",");
309 options = controller;
313 p.where = strappenda("/sys/fs/cgroup/", options);
316 r = mount_one(&p, true);
320 if (r > 0 && k && *k) {
323 for (i = *k; *i; i++) {
324 char *t = strappenda("/sys/fs/cgroup/", *i);
326 r = symlink(options, t);
327 if (r < 0 && errno != EEXIST) {
328 log_error("Failed to create symlink %s: %m", t);
340 const struct stat *sb,
342 struct FTW *ftwbuf) {
344 /* No need to label /dev twice in a row... */
345 if (_unlikely_(ftwbuf->level == 0))
348 label_fix(fpath, false, false);
350 /* /run/initramfs is static data and big, no need to
351 * dynamically relabel its contents at boot... */
352 if (_unlikely_(ftwbuf->level == 1 &&
354 streq(fpath, "/run/initramfs")))
355 return FTW_SKIP_SUBTREE;
360 int mount_setup(bool loaded_policy) {
364 for (i = 0; i < ELEMENTSOF(mount_table); i ++) {
365 r = mount_one(mount_table + i, true);
371 /* Nodes in devtmpfs and /run need to be manually updated for
372 * the appropriate labels, after mounting. The other virtual
373 * API file systems like /sys and /proc do not need that, they
374 * use the same label for all their files. */
376 usec_t before_relabel, after_relabel;
377 char timespan[FORMAT_TIMESPAN_MAX];
379 before_relabel = now(CLOCK_MONOTONIC);
381 nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
382 nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
384 after_relabel = now(CLOCK_MONOTONIC);
386 log_info("Relabelled /dev and /run in %s.",
387 format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel, 0));
390 /* Create a few default symlinks, which are normally created
391 * by udevd, but some scripts might need them before we start
395 /* Mark the root directory as shared in regards to mount
396 * propagation. The kernel defaults to "private", but we think
397 * it makes more sense to have a default of "shared" so that
398 * nspawn and the container tools work out of the box. If
399 * specific setups need other settings they can reset the
400 * propagation mode to private if needed. */
401 if (detect_container(NULL) <= 0)
402 if (mount(NULL, "/", NULL, MS_REC|MS_SHARED, NULL) < 0)
403 log_warning("Failed to set up the root directory for shared mount propagation: %m");
405 /* Create a few directories we always want around, Note that
406 * sd_booted() checks for /run/systemd/system, so this mkdir
407 * really needs to stay for good, otherwise software that
408 * copied sd-daemon.c into their sources will misdetect
410 mkdir_label("/run/systemd", 0755);
411 mkdir_label("/run/systemd/system", 0755);
412 mkdir_label("/run/systemd/inaccessible", 0000);