job: fix loss of ordering with restart jobs

[elogind.git] / src / mount-setup.c

diff --git a/src/mount-setup.c b/src/mount-setup.c
index f70c4d46f3b9a78f977e6086917eed63a9a20c0d..aaffb655eea77408ada01b04e81830934db95b44 100644 (file)
--- a/src/mount-setup.c
+++ b/src/mount-setup.c
@@ -51,13 +51,15 @@ typedef struct MountPoint {
 } MountPoint;
 
 /* The first three entries we might need before SELinux is up. The
- * other ones we can delay until SELinux is loaded. */
-#define N_EARLY_MOUNT 3
+ * fourth (securityfs) is needed by IMA to load a custom policy. The
+ * other ones we can delay until SELinux and IMA are loaded. */
+#define N_EARLY_MOUNT 4
 
 static const MountPoint mount_table[] = {
         { "proc",     "/proc",                  "proc",     NULL,                MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
         { "sysfs",    "/sys",                   "sysfs",    NULL,                MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
         { "devtmpfs", "/dev",                   "devtmpfs", "mode=755",          MS_NOSUID,                    true },
+        { "securityfs", "/sys/kernel/security", "securityfs", NULL,              MS_NOSUID|MS_NOEXEC|MS_NODEV, false },
         { "tmpfs",    "/dev/shm",               "tmpfs",    "mode=1777",         MS_NOSUID|MS_NODEV,           true },
         { "devpts",   "/dev/pts",               "devpts",   "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, false },
         { "tmpfs",    "/run",                   "tmpfs",    "mode=755",          MS_NOSUID|MS_NODEV, true },
@@ -347,26 +349,31 @@ static int nftw_cb(
         if (_unlikely_(ftwbuf->level == 0))
                 return FTW_CONTINUE;
 
+        label_fix(fpath, true);
+
         /* /run/initramfs is static data and big, no need to
-         * dynamically relabel it at boot... */
+         * dynamically relabel its contents at boot... */
         if (_unlikely_(ftwbuf->level == 1 &&
                       tflag == FTW_D &&
                       streq(fpath, "/run/initramfs")))
                 return FTW_SKIP_SUBTREE;
 
-        label_fix(fpath, true);
         return FTW_CONTINUE;
 };
 
 int mount_setup(bool loaded_policy) {
 
-        const char symlinks[] =
+        static const char symlinks[] =
                 "/proc/kcore\0"      "/dev/core\0"
                 "/proc/self/fd\0"    "/dev/fd\0"
                 "/proc/self/fd/0\0"  "/dev/stdin\0"
                 "/proc/self/fd/1\0"  "/dev/stdout\0"
                 "/proc/self/fd/2\0"  "/dev/stderr\0";
 
+        static const char relabel[] =
+                "/run/initramfs/root-fsck\0"
+                "/run/initramfs/shutdown\0";
+
         int r;
         unsigned i;
         const char *j, *k;
@@ -391,11 +398,14 @@ int mount_setup(bool loaded_policy) {
                 nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
                 nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
 
+                /* Explicitly relabel these */
+                NULSTR_FOREACH(j, relabel)
+                        label_fix(j, true);
+
                 after_relabel = now(CLOCK_MONOTONIC);
 
                 log_info("Relabelled /dev and /run in %s.",
                          format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel));
-
         }
 
         /* Create a few default symlinks, which are normally created
@@ -405,8 +415,8 @@ int mount_setup(bool loaded_policy) {
                 symlink_and_label(j, k);
 
         /* Create a few directories we always want around */
-        mkdir("/run/systemd", 0755);
-        mkdir("/run/systemd/system", 0755);
+        label_mkdir("/run/systemd", 0755);
+        label_mkdir("/run/systemd/system", 0755);
 
         return 0;
 }