job: fix loss of ordering with restart jobs

[elogind.git] / src / mount-setup.c
diff --git a/src/mount-setup.c b/src/mount-setup.c

index abb0c19d2543e110478831b5ee9a5e944497b87f..aaffb655eea77408ada01b04e81830934db95b44 100644 (file)
--- a/src/mount-setup.c
+++ b/src/mount-setup.c
@@ -51,13 +51,15 @@ typedef struct MountPoint {
  } MountPoint;
  
  /* The first three entries we might need before SELinux is up. The
- * other ones we can delay until SELinux is loaded. */
-#define N_EARLY_MOUNT 3
+ * fourth (securityfs) is needed by IMA to load a custom policy. The
+ * other ones we can delay until SELinux and IMA are loaded. */
+#define N_EARLY_MOUNT 4
  
  static const MountPoint mount_table[] = {
          { "proc",     "/proc",                  "proc",     NULL,                MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
          { "sysfs",    "/sys",                   "sysfs",    NULL,                MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
          { "devtmpfs", "/dev",                   "devtmpfs", "mode=755",          MS_NOSUID,                    true },
+        { "securityfs", "/sys/kernel/security", "securityfs", NULL,              MS_NOSUID|MS_NOEXEC|MS_NODEV, false },
          { "tmpfs",    "/dev/shm",               "tmpfs",    "mode=1777",         MS_NOSUID|MS_NODEV,           true },
          { "devpts",   "/dev/pts",               "devpts",   "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, false },
          { "tmpfs",    "/run",                   "tmpfs",    "mode=755",          MS_NOSUID|MS_NODEV, true },
@@ -344,22 +346,34 @@ static int nftw_cb(
                  struct FTW *ftwbuf) {
  
          /* No need to label /dev twice in a row... */
-        if (ftwbuf->level == 0)
-                return 0;
+        if (_unlikely_(ftwbuf->level == 0))
+                return FTW_CONTINUE;
  
          label_fix(fpath, true);
-        return 0;
+
+        /* /run/initramfs is static data and big, no need to
+         * dynamically relabel its contents at boot... */
+        if (_unlikely_(ftwbuf->level == 1 &&
+                      tflag == FTW_D &&
+                      streq(fpath, "/run/initramfs")))
+                return FTW_SKIP_SUBTREE;
+
+        return FTW_CONTINUE;
  };
  
  int mount_setup(bool loaded_policy) {
  
-        const char symlinks[] =
+        static const char symlinks[] =
                  "/proc/kcore\0"      "/dev/core\0"
                  "/proc/self/fd\0"    "/dev/fd\0"
                  "/proc/self/fd/0\0"  "/dev/stdin\0"
                  "/proc/self/fd/1\0"  "/dev/stdout\0"
                  "/proc/self/fd/2\0"  "/dev/stderr\0";
  
+        static const char relabel[] =
+                "/run/initramfs/root-fsck\0"
+                "/run/initramfs/shutdown\0";
+
          int r;
          unsigned i;
          const char *j, *k;
@@ -381,14 +395,17 @@ int mount_setup(bool loaded_policy) {
  
                  before_relabel = now(CLOCK_MONOTONIC);
  
-                nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS);
-                nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS);
+                nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
+                nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
+
+                /* Explicitly relabel these */
+                NULSTR_FOREACH(j, relabel)
+                        label_fix(j, true);
  
                  after_relabel = now(CLOCK_MONOTONIC);
  
                  log_info("Relabelled /dev and /run in %s.",
                           format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel));
-
          }
  
          /* Create a few default symlinks, which are normally created
@@ -398,8 +415,8 @@ int mount_setup(bool loaded_policy) {
                  symlink_and_label(j, k);
  
          /* Create a few directories we always want around */
-        mkdir("/run/systemd", 0755);
-        mkdir("/run/systemd/system", 0755);
+        label_mkdir("/run/systemd", 0755);
+        label_mkdir("/run/systemd/system", 0755);
  
          return 0;
  }