X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fmount-setup.c;h=7d6cdf6cb4a820b39985a4b5128649cc09a3c466;hb=6996295f85a0402b8a72d76c1eab02fb8152f81d;hp=7c14ea8e556a2c563d99a2c28f86120c90ac9410;hpb=af65c248040108830a02860a395f44a186f08495;p=elogind.git
diff --git a/src/mount-setup.c b/src/mount-setup.c
index 7c14ea8e5..7d6cdf6cb 100644
--- a/src/mount-setup.c
+++ b/src/mount-setup.c
@@ -36,6 +36,7 @@
 #include "label.h"
 #include "set.h"
 #include "strv.h"
+#include "mkdir.h"
 
 #ifndef TTY_GID
 #define TTY_GID 5
@@ -51,13 +52,15 @@ typedef struct MountPoint {
 } MountPoint;
 
 /* The first three entries we might need before SELinux is up. The
- * other ones we can delay until SELinux is loaded. */
-#define N_EARLY_MOUNT 3
+ * fourth (securityfs) is needed by IMA to load a custom policy. The
+ * other ones we can delay until SELinux and IMA are loaded. */
+#define N_EARLY_MOUNT 4
 
 static const MountPoint mount_table[] = {
 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
 { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
 { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID, true },
+ { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, false },
 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV, true },
 { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, false },
 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV, true },
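Review bot: N_EARLY_MOUNT is still a bare count tied to row order in mount_table, so the early set now depends on the securityfs row staying exactly fourth. A row inserted above it later would silently push securityfs out of the early mounts, and the IMA policy load would then presumably run before /sys/kernel/security is available. I would mark the boundary in the table itself, right after the securityfs row: `/* rows above are the N_EARLY_MOUNT early mounts; update N_EARLY_MOUNT when inserting here */`. The securityfs row also ends in `false` where proc, sysfs and devtmpfs use `true`; the struct definition is outside the hunk, so if that field is the fatal flag, a short comment that the mount is best-effort and that IMA setup must cope with it being absent would help. The mount_table initializer continues past the end of the hunk.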