1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 #include <sys/mount.h>
28 #include "mount-setup.h"
29 #include "dev-setup.h"
37 #include "path-util.h"
41 #include "smack-util.h"
42 #include "cgroup-util.h"
44 typedef enum MountMode
{
47 MNT_IN_CONTAINER
= 1 << 1,
50 typedef struct MountPoint
{
56 bool (*condition_fn
)(void);
60 /* The first three entries we might need before SELinux is up. The
61 * fourth (securityfs) is needed by IMA to load a custom policy. The
62 * other ones we can delay until SELinux and IMA are loaded. When
63 * SMACK is enabled we need smackfs, too, so it's a fifth one. */
65 #define N_EARLY_MOUNT 5
67 #define N_EARLY_MOUNT 4
70 static const MountPoint mount_table
[] = {
71 { "sysfs", "/sys", "sysfs", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
72 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
73 { "proc", "/proc", "proc", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
74 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
75 { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID
|MS_STRICTATIME
,
76 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
77 { "securityfs", "/sys/kernel/security", "securityfs", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
80 { "smackfs", "/sys/fs/smackfs", "smackfs", "smackfsdef=*", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
81 mac_smack_use
, MNT_FATAL
},
82 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777,smackfsroot=*", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
,
83 mac_smack_use
, MNT_FATAL
},
85 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
,
86 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
87 { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID
), MS_NOSUID
|MS_NOEXEC
,
88 NULL
, MNT_IN_CONTAINER
},
90 { "tmpfs", "/run", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
,
91 mac_smack_use
, MNT_FATAL
},
93 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
,
94 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
95 { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_STRICTATIME
,
96 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
97 { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd,xattr", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
98 NULL
, MNT_IN_CONTAINER
},
99 { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
100 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
101 { "pstore", "/sys/fs/pstore", "pstore", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
104 { "efivarfs", "/sys/firmware/efi/efivars", "efivarfs", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
105 is_efi_boot
, MNT_NONE
},
108 { "kdbusfs", "/sys/fs/kdbus", "kdbusfs", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
109 NULL
, MNT_IN_CONTAINER
},
113 /* These are API file systems that might be mounted by other software,
114 * we just list them here so that we know that we should ignore them */
116 static const char ignore_paths
[] =
117 /* SELinux file systems */
119 /* Container bind mounts */
124 bool mount_point_is_api(const char *path
) {
127 /* Checks if this mount point is considered "API", and hence
128 * should be ignored */
130 for (i
= 0; i
< ELEMENTSOF(mount_table
); i
++)
131 if (path_equal(path
, mount_table
[i
].where
))
134 return path_startswith(path
, "/sys/fs/cgroup/");
137 bool mount_point_ignore(const char *path
) {
140 NULSTR_FOREACH(i
, ignore_paths
)
141 if (path_equal(path
, i
))
147 static int mount_one(const MountPoint
*p
, bool relabel
) {
152 if (p
->condition_fn
&& !p
->condition_fn())
155 /* Relabel first, just in case */
157 label_fix(p
->where
, true, true);
159 r
= path_is_mount_point(p
->where
, true);
160 if (r
< 0 && r
!= -ENOENT
)
165 /* Skip securityfs in a container */
166 if (!(p
->mode
& MNT_IN_CONTAINER
) && detect_container(NULL
) > 0)
169 /* The access mode here doesn't really matter too much, since
170 * the mounted file system will take precedence anyway. */
172 mkdir_p_label(p
->where
, 0755);
174 mkdir_p(p
->where
, 0755);
176 log_debug("Mounting %s to %s of type %s with options %s.",
187 log_full((p
->mode
& MNT_FATAL
) ? LOG_ERR
: LOG_DEBUG
, "Failed to mount %s at %s: %m", p
->type
, p
->where
);
188 return (p
->mode
& MNT_FATAL
) ? -errno
: 0;
191 /* Relabel again, since we now mounted something fresh here */
193 label_fix(p
->where
, false, false);
198 int mount_setup_early(void) {
202 assert_cc(N_EARLY_MOUNT
<= ELEMENTSOF(mount_table
));
204 /* Do a minimal mount of /proc and friends to enable the most
205 * basic stuff, such as SELinux */
206 for (i
= 0; i
< N_EARLY_MOUNT
; i
++) {
209 j
= mount_one(mount_table
+ i
, false);
217 int mount_cgroup_controllers(char ***join_controllers
) {
218 _cleanup_set_free_free_ Set
*controllers
= NULL
;
221 /* Mount all available cgroup controllers that are built into the kernel. */
223 controllers
= set_new(&string_hash_ops
);
227 r
= cg_kernel_controllers(controllers
);
229 return log_error_errno(r
, "Failed to enumerate cgroup controllers: %m");
232 _cleanup_free_
char *options
= NULL
, *controller
= NULL
, *where
= NULL
;
236 .flags
= MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
237 .mode
= MNT_IN_CONTAINER
,
241 controller
= set_steal_first(controllers
);
245 if (join_controllers
)
246 for (k
= join_controllers
; *k
; k
++)
247 if (strv_find(*k
, controller
))
253 for (i
= *k
, j
= *k
; *i
; i
++) {
255 if (!streq(*i
, controller
)) {
256 _cleanup_free_
char *t
;
258 t
= set_remove(controllers
, *i
);
270 options
= strv_join(*k
, ",");
274 options
= controller
;
278 where
= strappend("/sys/fs/cgroup/", options
);
285 r
= mount_one(&p
, true);
289 if (r
> 0 && k
&& *k
) {
292 for (i
= *k
; *i
; i
++) {
293 _cleanup_free_
char *t
= NULL
;
295 t
= strappend("/sys/fs/cgroup/", *i
);
299 r
= symlink(options
, t
);
300 if (r
< 0 && errno
!= EEXIST
)
301 return log_error_errno(errno
, "Failed to create symlink %s: %m", t
);
306 /* Now that we mounted everything, let's make the tmpfs the
307 * cgroup file systems are mounted into read-only. */
308 (void) mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_STRICTATIME
|MS_RDONLY
, "mode=755");
313 #if defined(HAVE_SELINUX) || defined(HAVE_SMACK)
316 const struct stat
*sb
,
318 struct FTW
*ftwbuf
) {
320 /* No need to label /dev twice in a row... */
321 if (_unlikely_(ftwbuf
->level
== 0))
324 label_fix(fpath
, false, false);
326 /* /run/initramfs is static data and big, no need to
327 * dynamically relabel its contents at boot... */
328 if (_unlikely_(ftwbuf
->level
== 1 &&
330 streq(fpath
, "/run/initramfs")))
331 return FTW_SKIP_SUBTREE
;
337 int mount_setup(bool loaded_policy
) {
341 for (i
= 0; i
< ELEMENTSOF(mount_table
); i
++) {
344 j
= mount_one(mount_table
+ i
, loaded_policy
);
352 #if defined(HAVE_SELINUX) || defined(HAVE_SMACK)
353 /* Nodes in devtmpfs and /run need to be manually updated for
354 * the appropriate labels, after mounting. The other virtual
355 * API file systems like /sys and /proc do not need that, they
356 * use the same label for all their files. */
358 usec_t before_relabel
, after_relabel
;
359 char timespan
[FORMAT_TIMESPAN_MAX
];
361 before_relabel
= now(CLOCK_MONOTONIC
);
363 nftw("/dev", nftw_cb
, 64, FTW_MOUNT
|FTW_PHYS
|FTW_ACTIONRETVAL
);
364 nftw("/run", nftw_cb
, 64, FTW_MOUNT
|FTW_PHYS
|FTW_ACTIONRETVAL
);
366 after_relabel
= now(CLOCK_MONOTONIC
);
368 log_info("Relabelled /dev and /run in %s.",
369 format_timespan(timespan
, sizeof(timespan
), after_relabel
- before_relabel
, 0));
373 /* Create a few default symlinks, which are normally created
374 * by udevd, but some scripts might need them before we start
376 dev_setup(NULL
, UID_INVALID
, GID_INVALID
);
378 /* Mark the root directory as shared in regards to mount
379 * propagation. The kernel defaults to "private", but we think
380 * it makes more sense to have a default of "shared" so that
381 * nspawn and the container tools work out of the box. If
382 * specific setups need other settings they can reset the
383 * propagation mode to private if needed. */
384 if (detect_container(NULL
) <= 0)
385 if (mount(NULL
, "/", NULL
, MS_REC
|MS_SHARED
, NULL
) < 0)
386 log_warning_errno(errno
, "Failed to set up the root directory for shared mount propagation: %m");
388 /* Create a few directories we always want around, Note that
389 * sd_booted() checks for /run/systemd/system, so this mkdir
390 * really needs to stay for good, otherwise software that
391 * copied sd-daemon.c into their sources will misdetect
393 mkdir_label("/run/systemd", 0755);
394 mkdir_label("/run/systemd/system", 0755);
395 mkdir_label("/run/systemd/inaccessible", 0000);