1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 #include <sys/mount.h>
32 #include "mount-setup.h"
45 typedef struct MountPoint {
54 /* The first three entries we might need before SELinux is up. The
55 * fourth (securityfs) is needed by IMA to load a custom policy. The
56 * other ones we can delay until SELinux and IMA are loaded. */
57 #define N_EARLY_MOUNT 4
59 static const MountPoint mount_table[] = {
60 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
61 { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
62 { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true },
63 { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, false },
64 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
65 { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, false },
66 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
67 { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, false },
68 { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV, false },
71 /* These are API file systems that might be mounted by other software,
72 * we just list them here so that we know that we should ignore them */
74 static const char * const ignore_paths[] = {
80 bool mount_point_is_api(const char *path) {
83 /* Checks if this mount point is considered "API", and hence
84 * should be ignored */
86 for (i = 0; i < ELEMENTSOF(mount_table); i ++)
87 if (path_equal(path, mount_table[i].where))
90 return path_startswith(path, "/sys/fs/cgroup/");
93 bool mount_point_ignore(const char *path) {
96 for (i = 0; i < ELEMENTSOF(ignore_paths); i++)
97 if (path_equal(path, ignore_paths[i]))
103 static int mount_one(const MountPoint *p, bool relabel) {
108 /* Relabel first, just in case */
110 label_fix(p->where, true);
112 if ((r = path_is_mount_point(p->where, true)) < 0)
118 /* The access mode here doesn't really matter too much, since
119 * the mounted file system will take precedence anyway. */
120 mkdir_p(p->where, 0755);
122 log_debug("Mounting %s to %s of type %s with options %s.",
133 log_error("Failed to mount %s: %s", p->where, strerror(errno));
134 return p->fatal ? -errno : 0;
137 /* Relabel again, since we now mounted something fresh here */
139 label_fix(p->where, false);
144 int mount_setup_early(void) {
148 assert_cc(N_EARLY_MOUNT <= ELEMENTSOF(mount_table));
150 /* Do a minimal mount of /proc and friends to enable the most
151 * basic stuff, such as SELinux */
152 for (i = 0; i < N_EARLY_MOUNT; i ++) {
155 j = mount_one(mount_table + i, false);
163 int mount_cgroup_controllers(char ***join_controllers) {
169 /* Mount all available cgroup controllers that are built into the kernel. */
171 f = fopen("/proc/cgroups", "re");
173 log_error("Failed to enumerate cgroup controllers: %m");
177 controllers = set_new(string_hash_func, string_compare_func);
180 log_error("Failed to allocate controller set.");
184 /* Ignore the header line */
185 (void) fgets(buf, sizeof(buf), f);
191 if (fscanf(f, "%ms %*i %*i %i", &controller, &enabled) != 2) {
196 log_error("Failed to parse /proc/cgroups.");
206 r = set_put(controllers, controller);
208 log_error("Failed to add controller to set.");
216 char *controller, *where, *options;
219 controller = set_steal_first(controllers);
223 if (join_controllers)
224 for (k = join_controllers; *k; k++)
225 if (strv_find(*k, controller))
231 for (i = *k, j = *k; *i; i++) {
233 if (!streq(*i, controller)) {
236 t = set_remove(controllers, *i);
249 options = strv_join(*k, ",");
251 log_error("Failed to join options");
258 options = controller;
262 where = strappend("/sys/fs/cgroup/", options);
264 log_error("Failed to build path");
275 p.flags = MS_NOSUID|MS_NOEXEC|MS_NODEV;
278 r = mount_one(&p, true);
287 if (r > 0 && k && *k) {
290 for (i = *k; *i; i++) {
293 t = strappend("/sys/fs/cgroup/", *i);
295 log_error("Failed to build path");
301 r = symlink(options, t);
304 if (r < 0 && errno != EEXIST) {
305 log_error("Failed to create symlink: %m");
319 set_free_free(controllers);
326 static int symlink_and_label(const char *old_path, const char *new_path) {
332 r = label_context_set(new_path, S_IFLNK);
336 if (symlink(old_path, new_path) < 0)
339 label_context_clear();
346 const struct stat *sb,
348 struct FTW *ftwbuf) {
350 /* No need to label /dev twice in a row... */
351 if (_unlikely_(ftwbuf->level == 0))
354 label_fix(fpath, true);
356 /* /run/initramfs is static data and big, no need to
357 * dynamically relabel its contents at boot... */
358 if (_unlikely_(ftwbuf->level == 1 &&
360 streq(fpath, "/run/initramfs")))
361 return FTW_SKIP_SUBTREE;
366 int mount_setup(bool loaded_policy) {
368 static const char symlinks[] =
369 "/proc/kcore\0" "/dev/core\0"
370 "/proc/self/fd\0" "/dev/fd\0"
371 "/proc/self/fd/0\0" "/dev/stdin\0"
372 "/proc/self/fd/1\0" "/dev/stdout\0"
373 "/proc/self/fd/2\0" "/dev/stderr\0";
375 static const char relabel[] =
376 "/run/initramfs/root-fsck\0"
377 "/run/initramfs/shutdown\0";
383 for (i = 0; i < ELEMENTSOF(mount_table); i ++) {
384 r = mount_one(mount_table + i, true);
390 /* Nodes in devtmpfs and /run need to be manually updated for
391 * the appropriate labels, after mounting. The other virtual
392 * API file systems like /sys and /proc do not need that, they
393 * use the same label for all their files. */
395 usec_t before_relabel, after_relabel;
396 char timespan[FORMAT_TIMESPAN_MAX];
398 before_relabel = now(CLOCK_MONOTONIC);
400 nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
401 nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
403 /* Explicitly relabel these */
404 NULSTR_FOREACH(j, relabel)
407 after_relabel = now(CLOCK_MONOTONIC);
409 log_info("Relabelled /dev and /run in %s.",
410 format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel));
413 /* Create a few default symlinks, which are normally created
414 * by udevd, but some scripts might need them before we start
416 NULSTR_FOREACH_PAIR(j, k, symlinks)
417 symlink_and_label(j, k);
419 /* Create a few directories we always want around */
420 label_mkdir("/run/systemd", 0755);
421 label_mkdir("/run/systemd/system", 0755);
~ianmdlvl / elogind.git / blob