1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 #include <sys/mount.h>
32 #include "mount-setup.h"
33 #include "dev-setup.h"
41 #include "path-util.h"
50 typedef enum MountMode {
53 MNT_IN_CONTAINER = 1 << 1,
56 typedef struct MountPoint {
62 bool (*condition_fn)(void);
66 /* The first three entries we might need before SELinux is up. The
67 * fourth (securityfs) is needed by IMA to load a custom policy. The
68 * other ones we can delay until SELinux and IMA are loaded. */
69 #define N_EARLY_MOUNT 4
71 static const MountPoint mount_table[] = {
72 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
73 NULL, MNT_FATAL|MNT_IN_CONTAINER },
74 { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
75 NULL, MNT_FATAL|MNT_IN_CONTAINER },
76 { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME,
77 NULL, MNT_FATAL|MNT_IN_CONTAINER },
78 { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
80 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
81 NULL, MNT_FATAL|MNT_IN_CONTAINER },
82 { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
83 NULL, MNT_IN_CONTAINER },
84 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
85 NULL, MNT_FATAL|MNT_IN_CONTAINER },
86 { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
87 NULL, MNT_IN_CONTAINER },
88 { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV,
89 NULL, MNT_IN_CONTAINER },
90 { "pstore", "/sys/fs/pstore", "pstore", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
93 { "efivarfs", "/sys/firmware/efi/efivars", "efivarfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
94 is_efi_boot, MNT_NONE },
98 /* These are API file systems that might be mounted by other software,
99 * we just list them here so that we know that we should ignore them */
101 static const char ignore_paths[] =
102 /* SELinux file systems */
105 /* Legacy cgroup mount points */
108 /* Legacy kernel file system */
110 /* Container bind mounts */
115 bool mount_point_is_api(const char *path) {
118 /* Checks if this mount point is considered "API", and hence
119 * should be ignored */
121 for (i = 0; i < ELEMENTSOF(mount_table); i ++)
122 if (path_equal(path, mount_table[i].where))
125 return path_startswith(path, "/sys/fs/cgroup/");
128 bool mount_point_ignore(const char *path) {
131 NULSTR_FOREACH(i, ignore_paths)
132 if (path_equal(path, i))
138 static int mount_one(const MountPoint *p, bool relabel) {
143 if (p->condition_fn && !p->condition_fn())
146 /* Relabel first, just in case */
148 label_fix(p->where, true, true);
150 r = path_is_mount_point(p->where, true);
157 /* Skip securityfs in a container */
158 if (!(p->mode & MNT_IN_CONTAINER) && detect_container(NULL) > 0)
161 /* The access mode here doesn't really matter too much, since
162 * the mounted file system will take precedence anyway. */
163 mkdir_p_label(p->where, 0755);
165 log_debug("Mounting %s to %s of type %s with options %s.",
176 log_full((p->mode & MNT_FATAL) ? LOG_ERR : LOG_DEBUG, "Failed to mount %s: %s", p->where, strerror(errno));
177 return (p->mode & MNT_FATAL) ? -errno : 0;
180 /* Relabel again, since we now mounted something fresh here */
182 label_fix(p->where, false, false);
187 int mount_setup_early(void) {
191 assert_cc(N_EARLY_MOUNT <= ELEMENTSOF(mount_table));
193 /* Do a minimal mount of /proc and friends to enable the most
194 * basic stuff, such as SELinux */
195 for (i = 0; i < N_EARLY_MOUNT; i ++) {
198 j = mount_one(mount_table + i, false);
206 int mount_cgroup_controllers(char ***join_controllers) {
212 /* Mount all available cgroup controllers that are built into the kernel. */
214 f = fopen("/proc/cgroups", "re");
216 log_error("Failed to enumerate cgroup controllers: %m");
220 controllers = set_new(string_hash_func, string_compare_func);
226 /* Ignore the header line */
227 (void) fgets(buf, sizeof(buf), f);
233 if (fscanf(f, "%ms %*i %*i %i", &controller, &enabled) != 2) {
238 log_error("Failed to parse /proc/cgroups.");
248 r = set_put(controllers, controller);
250 log_error("Failed to add controller to set.");
258 char *controller, *where, *options;
261 controller = set_steal_first(controllers);
265 if (join_controllers)
266 for (k = join_controllers; *k; k++)
267 if (strv_find(*k, controller))
273 for (i = *k, j = *k; *i; i++) {
275 if (!streq(*i, controller)) {
278 t = set_remove(controllers, *i);
291 options = strv_join(*k, ",");
299 options = controller;
303 where = strappend("/sys/fs/cgroup/", options);
315 p.flags = MS_NOSUID|MS_NOEXEC|MS_NODEV;
317 r = mount_one(&p, true);
326 if (r > 0 && k && *k) {
329 for (i = *k; *i; i++) {
332 t = strappend("/sys/fs/cgroup/", *i);
339 r = symlink(options, t);
342 if (r < 0 && errno != EEXIST) {
343 log_error("Failed to create symlink: %m");
357 set_free_free(controllers);
366 const struct stat *sb,
368 struct FTW *ftwbuf) {
370 /* No need to label /dev twice in a row... */
371 if (_unlikely_(ftwbuf->level == 0))
374 label_fix(fpath, false, false);
376 /* /run/initramfs is static data and big, no need to
377 * dynamically relabel its contents at boot... */
378 if (_unlikely_(ftwbuf->level == 1 &&
380 streq(fpath, "/run/initramfs")))
381 return FTW_SKIP_SUBTREE;
386 int mount_setup(bool loaded_policy) {
388 static const char relabel[] =
389 "/run/initramfs/root-fsck\0"
390 "/run/initramfs/shutdown\0";
396 for (i = 0; i < ELEMENTSOF(mount_table); i ++) {
397 r = mount_one(mount_table + i, true);
403 /* Nodes in devtmpfs and /run need to be manually updated for
404 * the appropriate labels, after mounting. The other virtual
405 * API file systems like /sys and /proc do not need that, they
406 * use the same label for all their files. */
408 usec_t before_relabel, after_relabel;
409 char timespan[FORMAT_TIMESPAN_MAX];
411 before_relabel = now(CLOCK_MONOTONIC);
413 nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
414 nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
416 /* Explicitly relabel these */
417 NULSTR_FOREACH(j, relabel)
418 label_fix(j, true, false);
420 after_relabel = now(CLOCK_MONOTONIC);
422 log_info("Relabelled /dev and /run in %s.",
423 format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel));
426 /* Create a few default symlinks, which are normally created
427 * by udevd, but some scripts might need them before we start
431 /* Mark the root directory as shared in regards to mount
432 * propagation. The kernel defaults to "private", but we think
433 * it makes more sense to have a default of "shared" so that
434 * nspawn and the container tools work out of the box. If
435 * specific setups need other settings they can reset the
436 * propagation mode to private if needed. */
437 if (detect_container(NULL) <= 0)
438 if (mount(NULL, "/", NULL, MS_REC|MS_SHARED, NULL) < 0)
439 log_warning("Failed to set up the root directory for shared mount propagation: %m");
441 /* Create a few directories we always want around */
442 mkdir_label("/run/systemd", 0755);
443 mkdir_label("/run/systemd/system", 0755);
~ianmdlvl / elogind.git / blob