1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 #include <sys/mount.h>
32 #include "mount-setup.h"
33 #include "dev-setup.h"
41 #include "path-util.h"
49 typedef struct MountPoint {
59 /* The first three entries we might need before SELinux is up. The
60 * fourth (securityfs) is needed by IMA to load a custom policy. The
61 * other ones we can delay until SELinux and IMA are loaded. */
62 #define N_EARLY_MOUNT 4
64 static const MountPoint mount_table[] = {
65 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true, true },
66 { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true, true },
67 { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true, true },
68 { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false },
69 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true, true },
70 { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, false, true },
71 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true, true },
72 { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, false, true },
73 { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, true },
76 /* These are API file systems that might be mounted by other software,
77 * we just list them here so that we know that we should ignore them */
79 static const char ignore_paths[] =
80 /* SELinux file systems */
83 /* Legacy cgroup mount points */
86 /* Legacy kernel file system */
88 /* Container bind mounts */
93 bool mount_point_is_api(const char *path) {
96 /* Checks if this mount point is considered "API", and hence
97 * should be ignored */
99 for (i = 0; i < ELEMENTSOF(mount_table); i ++)
100 if (path_equal(path, mount_table[i].where))
103 return path_startswith(path, "/sys/fs/cgroup/");
106 bool mount_point_ignore(const char *path) {
109 NULSTR_FOREACH(i, ignore_paths)
110 if (path_equal(path, i))
116 static int mount_one(const MountPoint *p, bool relabel) {
121 /* Relabel first, just in case */
123 label_fix(p->where, true, true);
125 r = path_is_mount_point(p->where, true);
132 /* Skip securityfs in a container */
133 if (!p->in_container && detect_container(NULL) > 0)
136 /* The access mode here doesn't really matter too much, since
137 * the mounted file system will take precedence anyway. */
138 mkdir_p_label(p->where, 0755);
140 log_debug("Mounting %s to %s of type %s with options %s.",
151 log_full(p->fatal ? LOG_ERR : LOG_DEBUG, "Failed to mount %s: %s", p->where, strerror(errno));
152 return p->fatal ? -errno : 0;
155 /* Relabel again, since we now mounted something fresh here */
157 label_fix(p->where, false, false);
162 int mount_setup_early(void) {
166 assert_cc(N_EARLY_MOUNT <= ELEMENTSOF(mount_table));
168 /* Do a minimal mount of /proc and friends to enable the most
169 * basic stuff, such as SELinux */
170 for (i = 0; i < N_EARLY_MOUNT; i ++) {
173 j = mount_one(mount_table + i, false);
181 int mount_cgroup_controllers(char ***join_controllers) {
187 /* Mount all available cgroup controllers that are built into the kernel. */
189 f = fopen("/proc/cgroups", "re");
191 log_error("Failed to enumerate cgroup controllers: %m");
195 controllers = set_new(string_hash_func, string_compare_func);
201 /* Ignore the header line */
202 (void) fgets(buf, sizeof(buf), f);
208 if (fscanf(f, "%ms %*i %*i %i", &controller, &enabled) != 2) {
213 log_error("Failed to parse /proc/cgroups.");
223 r = set_put(controllers, controller);
225 log_error("Failed to add controller to set.");
233 char *controller, *where, *options;
236 controller = set_steal_first(controllers);
240 if (join_controllers)
241 for (k = join_controllers; *k; k++)
242 if (strv_find(*k, controller))
248 for (i = *k, j = *k; *i; i++) {
250 if (!streq(*i, controller)) {
253 t = set_remove(controllers, *i);
266 options = strv_join(*k, ",");
274 options = controller;
278 where = strappend("/sys/fs/cgroup/", options);
290 p.flags = MS_NOSUID|MS_NOEXEC|MS_NODEV;
293 r = mount_one(&p, true);
302 if (r > 0 && k && *k) {
305 for (i = *k; *i; i++) {
308 t = strappend("/sys/fs/cgroup/", *i);
315 r = symlink(options, t);
318 if (r < 0 && errno != EEXIST) {
319 log_error("Failed to create symlink: %m");
333 set_free_free(controllers);
342 const struct stat *sb,
344 struct FTW *ftwbuf) {
346 /* No need to label /dev twice in a row... */
347 if (_unlikely_(ftwbuf->level == 0))
350 label_fix(fpath, false, false);
352 /* /run/initramfs is static data and big, no need to
353 * dynamically relabel its contents at boot... */
354 if (_unlikely_(ftwbuf->level == 1 &&
356 streq(fpath, "/run/initramfs")))
357 return FTW_SKIP_SUBTREE;
362 int mount_setup(bool loaded_policy) {
364 static const char relabel[] =
365 "/run/initramfs/root-fsck\0"
366 "/run/initramfs/shutdown\0";
372 for (i = 0; i < ELEMENTSOF(mount_table); i ++) {
373 r = mount_one(mount_table + i, true);
379 /* Nodes in devtmpfs and /run need to be manually updated for
380 * the appropriate labels, after mounting. The other virtual
381 * API file systems like /sys and /proc do not need that, they
382 * use the same label for all their files. */
384 usec_t before_relabel, after_relabel;
385 char timespan[FORMAT_TIMESPAN_MAX];
387 before_relabel = now(CLOCK_MONOTONIC);
389 nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
390 nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
392 /* Explicitly relabel these */
393 NULSTR_FOREACH(j, relabel)
394 label_fix(j, true, false);
396 after_relabel = now(CLOCK_MONOTONIC);
398 log_info("Relabelled /dev and /run in %s.",
399 format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel));
402 /* Create a few default symlinks, which are normally created
403 * by udevd, but some scripts might need them before we start
407 /* Mark the root directory as shared in regards to mount
408 * propagation. The kernel defaults to "private", but we think
409 * it makes more sense to have a default of "shared" so that
410 * nspawn and the container tools work out of the box. If
411 * specific setups need other settings they can reset the
412 * propagation mode to private if needed. */
413 if (detect_container(NULL) <= 0)
414 if (mount(NULL, "/", NULL, MS_REC|MS_SHARED, NULL) < 0)
415 log_warning("Failed to set up the root directory for shared mount propagation: %m");
417 /* Create a few directories we always want around */
418 mkdir_label("/run/systemd", 0755);
419 mkdir_label("/run/systemd/system", 0755);
~ianmdlvl / elogind.git / blob