[thirdparty/systemd.git] / src / core / mount-setup.c

/* SPDX-License-Identifier: LGPL-2.1+ */
/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <ftw.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <unistd.h>

#include "alloc-util.h"
#include "bus-util.h"
#include "cgroup-util.h"
#include "dev-setup.h"
#include "efivars.h"
#include "fileio.h"
#include "fs-util.h"
#include "label.h"
#include "log.h"
#include "macro.h"
#include "missing.h"
#include "mkdir.h"
#include "mount-setup.h"
#include "mount-util.h"
#include "path-util.h"
#include "set.h"
#include "smack-util.h"
#include "strv.h"
#include "user-util.h"
#include "util.h"
#include "virt.h"

typedef enum MountMode {
        MNT_NONE  =           0,
        MNT_FATAL =           1 <<  0,
        MNT_IN_CONTAINER =    1 <<  1,
        MNT_CHECK_WRITABLE  = 1 <<  2,
} MountMode;

typedef struct MountPoint {
        const char *what;
        const char *where;
        const char *type;
        const char *options;
        unsigned long flags;
        bool (*condition_fn)(void);
        MountMode mode;
} MountPoint;

/* The first three entries we might need before SELinux is up. The
 * fourth (securityfs) is needed by IMA to load a custom policy. The
 * other ones we can delay until SELinux and IMA are loaded. When
 * SMACK is enabled we need smackfs, too, so it's a fifth one. */
#if ENABLE_SMACK
#define N_EARLY_MOUNT 5
#else
#define N_EARLY_MOUNT 4
#endif

static const MountPoint mount_table[] = {
        { "sysfs",       "/sys",                      "sysfs",      NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
          NULL,          MNT_FATAL|MNT_IN_CONTAINER },
        { "proc",        "/proc",                     "proc",       NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
          NULL,          MNT_FATAL|MNT_IN_CONTAINER },
        { "devtmpfs",    "/dev",                      "devtmpfs",   "mode=755",                MS_NOSUID|MS_STRICTATIME,
          NULL,          MNT_FATAL|MNT_IN_CONTAINER },
        { "securityfs",  "/sys/kernel/security",      "securityfs", NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
          NULL,          MNT_NONE                   },
#if ENABLE_SMACK
        { "smackfs",     "/sys/fs/smackfs",           "smackfs",    "smackfsdef=*",            MS_NOSUID|MS_NOEXEC|MS_NODEV,
          mac_smack_use, MNT_FATAL                  },
        { "tmpfs",       "/dev/shm",                  "tmpfs",      "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
          mac_smack_use, MNT_FATAL                  },
#endif
        { "tmpfs",       "/dev/shm",                  "tmpfs",      "mode=1777",               MS_NOSUID|MS_NODEV|MS_STRICTATIME,
          NULL,          MNT_FATAL|MNT_IN_CONTAINER },
        { "devpts",      "/dev/pts",                  "devpts",     "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
          NULL,          MNT_IN_CONTAINER           },
#if ENABLE_SMACK
        { "tmpfs",       "/run",                      "tmpfs",      "mode=755,smackfsroot=*",  MS_NOSUID|MS_NODEV|MS_STRICTATIME,
          mac_smack_use, MNT_FATAL                  },
#endif
        { "tmpfs",       "/run",                      "tmpfs",      "mode=755",                MS_NOSUID|MS_NODEV|MS_STRICTATIME,
          NULL,          MNT_FATAL|MNT_IN_CONTAINER },
        { "cgroup",      "/sys/fs/cgroup",            "cgroup2",    "nsdelegate",              MS_NOSUID|MS_NOEXEC|MS_NODEV,
          cg_is_unified_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
        { "cgroup",      "/sys/fs/cgroup",            "cgroup2",    NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
          cg_is_unified_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
        { "tmpfs",       "/sys/fs/cgroup",            "tmpfs",      "mode=755",                MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
          cg_is_legacy_wanted, MNT_FATAL|MNT_IN_CONTAINER },
        { "cgroup",      "/sys/fs/cgroup/unified",    "cgroup2",    "nsdelegate",              MS_NOSUID|MS_NOEXEC|MS_NODEV,
          cg_is_hybrid_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
        { "cgroup",      "/sys/fs/cgroup/unified",    "cgroup2",    NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
          cg_is_hybrid_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
        { "cgroup",      "/sys/fs/cgroup/systemd",    "cgroup",     "none,name=systemd,xattr", MS_NOSUID|MS_NOEXEC|MS_NODEV,
          cg_is_legacy_wanted, MNT_IN_CONTAINER     },
        { "cgroup",      "/sys/fs/cgroup/systemd",    "cgroup",     "none,name=systemd",       MS_NOSUID|MS_NOEXEC|MS_NODEV,
          cg_is_legacy_wanted, MNT_FATAL|MNT_IN_CONTAINER },
        { "pstore",      "/sys/fs/pstore",            "pstore",     NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
          NULL,          MNT_NONE                   },
#if ENABLE_EFI
        { "efivarfs",    "/sys/firmware/efi/efivars", "efivarfs",   NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
          is_efi_boot,   MNT_NONE                   },
#endif
};

/* These are API file systems that might be mounted by other software,
 * we just list them here so that we know that we should ignore them */

static const char ignore_paths[] =
        /* SELinux file systems */
        "/sys/fs/selinux\0"
        /* Container bind mounts */
        "/proc/sys\0"
        "/dev/console\0"
        "/proc/kmsg\0";

bool mount_point_is_api(const char *path) {
        unsigned i;

        /* Checks if this mount point is considered "API", and hence
         * should be ignored */

        for (i = 0; i < ELEMENTSOF(mount_table); i ++)
                if (path_equal(path, mount_table[i].where))
                        return true;

        return path_startswith(path, "/sys/fs/cgroup/");
}

bool mount_point_ignore(const char *path) {
        const char *i;

        NULSTR_FOREACH(i, ignore_paths)
                if (path_equal(path, i))
                        return true;

        return false;
}

static int mount_one(const MountPoint *p, bool relabel) {
        int r;

        assert(p);

        if (p->condition_fn && !p->condition_fn())
                return 0;

        /* Relabel first, just in case */
        if (relabel)
                (void) label_fix(p->where, true, true);

        r = path_is_mount_point(p->where, NULL, AT_SYMLINK_FOLLOW);
        if (r < 0 && r != -ENOENT) {
                log_full_errno((p->mode & MNT_FATAL) ? LOG_ERR : LOG_DEBUG, r, "Failed to determine whether %s is a mount point: %m", p->where);
                return (p->mode & MNT_FATAL) ? r : 0;
        }
        if (r > 0)
                return 0;

        /* Skip securityfs in a container */
        if (!(p->mode & MNT_IN_CONTAINER) && detect_container() > 0)
                return 0;

        /* The access mode here doesn't really matter too much, since
         * the mounted file system will take precedence anyway. */
        if (relabel)
                (void) mkdir_p_label(p->where, 0755);
        else
                (void) mkdir_p(p->where, 0755);

        log_debug("Mounting %s to %s of type %s with options %s.",
                  p->what,
                  p->where,
                  p->type,
                  strna(p->options));

        if (mount(p->what,
                  p->where,
                  p->type,
                  p->flags,
                  p->options) < 0) {
                log_full_errno((p->mode & MNT_FATAL) ? LOG_ERR : LOG_DEBUG, errno, "Failed to mount %s at %s: %m", p->type, p->where);
                return (p->mode & MNT_FATAL) ? -errno : 0;
        }

        /* Relabel again, since we now mounted something fresh here */
        if (relabel)
                (void) label_fix(p->where, false, false);

        if (p->mode & MNT_CHECK_WRITABLE) {
                r = access(p->where, W_OK);
                if (r < 0) {
                        (void) umount(p->where);
                        return (p->mode & MNT_FATAL) ? r : 0;
                }
        }

        return 1;
}

static int mount_points_setup(unsigned n, bool loaded_policy) {
        unsigned i;
        int r = 0;

        for (i = 0; i < n; i ++) {
                int j;

                j = mount_one(mount_table + i, loaded_policy);
                if (j != 0 && r >= 0)
                        r = j;
        }

        return r;
}

int mount_setup_early(void) {
        assert_cc(N_EARLY_MOUNT <= ELEMENTSOF(mount_table));

        /* Do a minimal mount of /proc and friends to enable the most
         * basic stuff, such as SELinux */
        return mount_points_setup(N_EARLY_MOUNT, false);
}

int mount_cgroup_controllers(char ***join_controllers) {
        _cleanup_set_free_free_ Set *controllers = NULL;
        int r;

        if (!cg_is_legacy_wanted())
                return 0;

        /* Mount all available cgroup controllers that are built into the kernel. */

        r = cg_kernel_controllers(&controllers);
        if (r < 0)
                return log_error_errno(r, "Failed to enumerate cgroup controllers: %m");

        for (;;) {
                _cleanup_free_ char *options = NULL, *controller = NULL, *where = NULL;
                MountPoint p = {
                        .what = "cgroup",
                        .type = "cgroup",
                        .flags = MS_NOSUID|MS_NOEXEC|MS_NODEV,
                        .mode = MNT_IN_CONTAINER,
                };
                char ***k = NULL;

                controller = set_steal_first(controllers);
                if (!controller)
                        break;

                if (join_controllers)
                        for (k = join_controllers; *k; k++)
                                if (strv_find(*k, controller))
                                        break;

                if (k && *k) {
                        char **i, **j;

                        for (i = *k, j = *k; *i; i++) {

                                if (!streq(*i, controller)) {
                                        _cleanup_free_ char *t;

                                        t = set_remove(controllers, *i);
                                        if (!t) {
                                                free(*i);
                                                continue;
                                        }
                                }

                                *(j++) = *i;
                        }

                        *j = NULL;

                        options = strv_join(*k, ",");
                        if (!options)
                                return log_oom();
                } else {
                        options = controller;
                        controller = NULL;
                }

                where = strappend("/sys/fs/cgroup/", options);
                if (!where)
                        return log_oom();

                p.where = where;
                p.options = options;

                r = mount_one(&p, true);
                if (r < 0)
                        return r;

                if (r > 0 && k && *k) {
                        char **i;

                        for (i = *k; *i; i++) {
                                _cleanup_free_ char *t = NULL;

                                t = strappend("/sys/fs/cgroup/", *i);
                                if (!t)
                                        return log_oom();

                                r = symlink(options, t);
                                if (r >= 0) {
#ifdef SMACK_RUN_LABEL
                                        _cleanup_free_ char *src;
                                        src = strappend("/sys/fs/cgroup/", options);
                                        if (!src)
                                                return log_oom();
                                        r = mac_smack_copy(t, src);
                                        if (r < 0 && r != -EOPNOTSUPP)
                                                return log_error_errno(r, "Failed to copy smack label from %s to %s: %m", src, t);
#endif
                                } else if (errno != EEXIST)
                                        return log_error_errno(errno, "Failed to create symlink %s: %m", t);
                        }
                }
        }

        /* Now that we mounted everything, let's make the tmpfs the
         * cgroup file systems are mounted into read-only. */
        (void) mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY, "mode=755");

        return 0;
}

#if HAVE_SELINUX || ENABLE_SMACK
static int nftw_cb(
                const char *fpath,
                const struct stat *sb,
                int tflag,
                struct FTW *ftwbuf) {

        /* No need to label /dev twice in a row... */
        if (_unlikely_(ftwbuf->level == 0))
                return FTW_CONTINUE;

        label_fix(fpath, false, false);

        /* /run/initramfs is static data and big, no need to
         * dynamically relabel its contents at boot... */
        if (_unlikely_(ftwbuf->level == 1 &&
                      tflag == FTW_D &&
                      streq(fpath, "/run/initramfs")))
                return FTW_SKIP_SUBTREE;

        return FTW_CONTINUE;
};
#endif

int mount_setup(bool loaded_policy) {
        int r = 0;

        r = mount_points_setup(ELEMENTSOF(mount_table), loaded_policy);
        if (r < 0)
                return r;

#if HAVE_SELINUX || ENABLE_SMACK
        /* Nodes in devtmpfs and /run need to be manually updated for
         * the appropriate labels, after mounting. The other virtual
         * API file systems like /sys and /proc do not need that, they
         * use the same label for all their files. */
        if (loaded_policy) {
                usec_t before_relabel, after_relabel;
                char timespan[FORMAT_TIMESPAN_MAX];

                before_relabel = now(CLOCK_MONOTONIC);

                nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
                nftw("/dev/shm", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
                nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);

                after_relabel = now(CLOCK_MONOTONIC);

                log_info("Relabelled /dev and /run in %s.",
                         format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel, 0));
        }
#endif

        /* Create a few default symlinks, which are normally created
         * by udevd, but some scripts might need them before we start
         * udevd. */
        dev_setup(NULL, UID_INVALID, GID_INVALID);

        /* Mark the root directory as shared in regards to mount propagation. The kernel defaults to "private", but we
         * think it makes more sense to have a default of "shared" so that nspawn and the container tools work out of
         * the box. If specific setups need other settings they can reset the propagation mode to private if
         * needed. Note that we set this only when we are invoked directly by the kernel. If we are invoked by a
         * container manager we assume the container manager knows what it is doing (for example, because it set up
         * some directories with different propagation modes). */
        if (detect_container() <= 0)
                if (mount(NULL, "/", NULL, MS_REC|MS_SHARED, NULL) < 0)
                        log_warning_errno(errno, "Failed to set up the root directory for shared mount propagation: %m");

        /* Create a few directories we always want around, Note that sd_booted() checks for /run/systemd/system, so
         * this mkdir really needs to stay for good, otherwise software that copied sd-daemon.c into their sources will
         * misdetect systemd. */
        (void) mkdir_label("/run/systemd", 0755);
        (void) mkdir_label("/run/systemd/system", 0755);

        /* Set up inaccessible items */
        (void) mkdir_label("/run/systemd/inaccessible", 0000);
        (void) mknod("/run/systemd/inaccessible/reg", S_IFREG | 0000, 0);
        (void) mkdir_label("/run/systemd/inaccessible/dir", 0000);
        (void) mknod("/run/systemd/inaccessible/chr", S_IFCHR | 0000, makedev(0, 0));
        (void) mknod("/run/systemd/inaccessible/blk", S_IFBLK | 0000, makedev(0, 0));
        (void) mkfifo("/run/systemd/inaccessible/fifo", 0000);
        (void) mknod("/run/systemd/inaccessible/sock", S_IFSOCK | 0000, 0);

        return 0;
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
8e274523 LP	2	/***
	3	This file is part of systemd.
	4
	5	Copyright 2010 Lennart Poettering
	6
	7	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	8	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	9	the Free Software Foundation; either version 2.1 of the License, or
8e274523 LP	10	(at your option) any later version.
	11
	12	systemd is distributed in the hope that it will be useful, but
	13	WITHOUT ANY WARRANTY; without even the implied warranty of
	14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	15	Lesser General Public License for more details.
8e274523	16
5430f7f2	17	You should have received a copy of the GNU Lesser General Public License
8e274523 LP	18	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	19	***/
	20
8e274523	21	#include <errno.h>
cf0fbc49	22	#include <ftw.h>
8e274523	23	#include <stdlib.h>
cf0fbc49	24	#include <sys/mount.h>
5c0532d1	25	#include <unistd.h>
8e274523	26
b5efdb8a	27	#include "alloc-util.h"
64824462	28	#include "bus-util.h"
4349cd7c LP	29	#include "cgroup-util.h"
	30	#include "dev-setup.h"
	31	#include "efivars.h"
e07aefbd	32	#include "fileio.h"
c4b41707	33	#include "fs-util.h"
4349cd7c	34	#include "label.h"
8e274523	35	#include "log.h"
c9af1080	36	#include "macro.h"
4349cd7c	37	#include "missing.h"
49e942b2	38	#include "mkdir.h"
4349cd7c LP	39	#include "mount-setup.h"
4349cd7c LP	40	#include "mount-util.h"
9eb977db	41	#include "path-util.h"
4349cd7c	42	#include "set.h"
8552b176	43	#include "smack-util.h"
4349cd7c	44	#include "strv.h"
ee104e11	45	#include "user-util.h"
4349cd7c LP	46	#include "util.h"
4349cd7c LP	47	#include "virt.h"
bef2733f	48
6aa220e0	49	typedef enum MountMode {
e07aefbd CB	50	MNT_NONE = 0,
	51	MNT_FATAL = 1 << 0,
	52	MNT_IN_CONTAINER = 1 << 1,
	53	MNT_CHECK_WRITABLE = 1 << 2,
6aa220e0 KS	54	} MountMode;
6aa220e0 KS	55
ca714c0e LP	56	typedef struct MountPoint {
	57	const char *what;
	58	const char *where;
	59	const char *type;
	60	const char *options;
	61	unsigned long flags;
6aa220e0 KS	62	bool (*condition_fn)(void);
6aa220e0 KS	63	MountMode mode;
ca714c0e LP	64	} MountPoint;
ca714c0e LP	65
4ef31082	66	/* The first three entries we might need before SELinux is up. The
160481f6	67	* fourth (securityfs) is needed by IMA to load a custom policy. The
7c96ab1d LP	68	* other ones we can delay until SELinux and IMA are loaded. When
7c96ab1d LP	69	* SMACK is enabled we need smackfs, too, so it's a fifth one. */
f9fa32f0	70	#if ENABLE_SMACK
ffbd2c4d	71	#define N_EARLY_MOUNT 5
7c96ab1d LP	72	#else
	73	#define N_EARLY_MOUNT 4
	74	#endif
4ef31082	75
ca714c0e	76	static const MountPoint mount_table[] = {
68d4c452 LP	77	{ "sysfs", "/sys", "sysfs", NULL, MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
	78	NULL, MNT_FATAL\|MNT_IN_CONTAINER },
	79	{ "proc", "/proc", "proc", NULL, MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
	80	NULL, MNT_FATAL\|MNT_IN_CONTAINER },
	81	{ "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID\|MS_STRICTATIME,
	82	NULL, MNT_FATAL\|MNT_IN_CONTAINER },
	83	{ "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
	84	NULL, MNT_NONE },
f9fa32f0	85	#if ENABLE_SMACK
68d4c452 LP	86	{ "smackfs", "/sys/fs/smackfs", "smackfs", "smackfsdef=*", MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
	87	mac_smack_use, MNT_FATAL },
	88	{ "tmpfs", "/dev/shm", "tmpfs", "mode=1777,smackfsroot=*", MS_NOSUID\|MS_NODEV\|MS_STRICTATIME,
	89	mac_smack_use, MNT_FATAL },
d407c940	90	#endif
68d4c452 LP	91	{ "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID\|MS_NODEV\|MS_STRICTATIME,
	92	NULL, MNT_FATAL\|MNT_IN_CONTAINER },
	93	{ "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID\|MS_NOEXEC,
	94	NULL, MNT_IN_CONTAINER },
f9fa32f0	95	#if ENABLE_SMACK
68d4c452 LP	96	{ "tmpfs", "/run", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID\|MS_NODEV\|MS_STRICTATIME,
68d4c452 LP	97	mac_smack_use, MNT_FATAL },
d407c940	98	#endif
68d4c452 LP	99	{ "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID\|MS_NODEV\|MS_STRICTATIME,
68d4c452 LP	100	NULL, MNT_FATAL\|MNT_IN_CONTAINER },
4095205e	101	{ "cgroup", "/sys/fs/cgroup", "cgroup2", "nsdelegate", MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
2d56b80a	102	cg_is_unified_wanted, MNT_IN_CONTAINER\|MNT_CHECK_WRITABLE },
09961995	103	{ "cgroup", "/sys/fs/cgroup", "cgroup2", NULL, MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
2d56b80a	104	cg_is_unified_wanted, MNT_IN_CONTAINER\|MNT_CHECK_WRITABLE },
68d4c452	105	{ "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID\|MS_NOEXEC\|MS_NODEV\|MS_STRICTATIME,
efdb0237	106	cg_is_legacy_wanted, MNT_FATAL\|MNT_IN_CONTAINER },
4095205e	107	{ "cgroup", "/sys/fs/cgroup/unified", "cgroup2", "nsdelegate", MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
e07aefbd	108	cg_is_hybrid_wanted, MNT_IN_CONTAINER\|MNT_CHECK_WRITABLE },
2977724b	109	{ "cgroup", "/sys/fs/cgroup/unified", "cgroup2", NULL, MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
e07aefbd	110	cg_is_hybrid_wanted, MNT_IN_CONTAINER\|MNT_CHECK_WRITABLE },
68d4c452	111	{ "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd,xattr", MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
2977724b	112	cg_is_legacy_wanted, MNT_IN_CONTAINER },
68d4c452	113	{ "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
2977724b	114	cg_is_legacy_wanted, MNT_FATAL\|MNT_IN_CONTAINER },
68d4c452 LP	115	{ "pstore", "/sys/fs/pstore", "pstore", NULL, MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
68d4c452 LP	116	NULL, MNT_NONE },
349cc4a5	117	#if ENABLE_EFI
68d4c452 LP	118	{ "efivarfs", "/sys/firmware/efi/efivars", "efivarfs", NULL, MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
68d4c452 LP	119	is_efi_boot, MNT_NONE },
c06bf414	120	#endif
63cc4c31 DM	121	};
63cc4c31 DM	122
949c6510	123	/* These are API file systems that might be mounted by other software,
46ff0ed7	124	* we just list them here so that we know that we should ignore them */
949c6510	125
eaeb18db LP	126	static const char ignore_paths[] =
	127	/* SELinux file systems */
	128	"/sys/fs/selinux\0"
eaeb18db LP	129	/* Container bind mounts */
	130	"/proc/sys\0"
	131	"/dev/console\0"
c481f78b	132	"/proc/kmsg\0";
949c6510	133
dad08730 LP	134	bool mount_point_is_api(const char *path) {
	135	unsigned i;
	136
	137	/* Checks if this mount point is considered "API", and hence
	138	* should be ignored */
	139
ca714c0e	140	for (i = 0; i < ELEMENTSOF(mount_table); i ++)
449ddb2d	141	if (path_equal(path, mount_table[i].where))
dad08730 LP	142	return true;
dad08730 LP	143
57f2a956 KS	144	return path_startswith(path, "/sys/fs/cgroup/");
	145	}
	146
	147	bool mount_point_ignore(const char *path) {
eaeb18db	148	const char *i;
57f2a956	149
eaeb18db LP	150	NULSTR_FOREACH(i, ignore_paths)
eaeb18db LP	151	if (path_equal(path, i))
949c6510 LP	152	return true;
949c6510 LP	153
57f2a956	154	return false;
dad08730 LP	155	}
dad08730 LP	156
4ef31082	157	static int mount_one(const MountPoint *p, bool relabel) {
8e274523 LP	158	int r;
8e274523 LP	159
ca714c0e	160	assert(p);
8e274523	161
6aa220e0 KS	162	if (p->condition_fn && !p->condition_fn())
	163	return 0;
	164
51b4af2c	165	/* Relabel first, just in case */
4ef31082	166	if (relabel)
1411b094	167	(void) label_fix(p->where, true, true);
51b4af2c	168
e1873695	169	r = path_is_mount_point(p->where, NULL, AT_SYMLINK_FOLLOW);
1411b094 LP	170	if (r < 0 && r != -ENOENT) {
	171	log_full_errno((p->mode & MNT_FATAL) ? LOG_ERR : LOG_DEBUG, r, "Failed to determine whether %s is a mount point: %m", p->where);
	172	return (p->mode & MNT_FATAL) ? r : 0;
	173	}
8e274523	174	if (r > 0)
51b4af2c	175	return 0;
8e274523	176
c481f78b	177	/* Skip securityfs in a container */
75f86906	178	if (!(p->mode & MNT_IN_CONTAINER) && detect_container() > 0)
c481f78b LP	179	return 0;
c481f78b LP	180
a04f58d6 LP	181	/* The access mode here doesn't really matter too much, since
a04f58d6 LP	182	* the mounted file system will take precedence anyway. */
c4bfd169	183	if (relabel)
1411b094	184	(void) mkdir_p_label(p->where, 0755);
c4bfd169	185	else
1411b094	186	(void) mkdir_p(p->where, 0755);
a04f58d6	187
8e274523	188	log_debug("Mounting %s to %s of type %s with options %s.",
ca714c0e LP	189	p->what,
	190	p->where,
	191	p->type,
	192	strna(p->options));
	193
	194	if (mount(p->what,
	195	p->where,
	196	p->type,
	197	p->flags,
	198	p->options) < 0) {
1411b094	199	log_full_errno((p->mode & MNT_FATAL) ? LOG_ERR : LOG_DEBUG, errno, "Failed to mount %s at %s: %m", p->type, p->where);
6aa220e0	200	return (p->mode & MNT_FATAL) ? -errno : 0;
8e274523 LP	201	}
8e274523 LP	202
51b4af2c	203	/* Relabel again, since we now mounted something fresh here */
4ef31082	204	if (relabel)
1411b094	205	(void) label_fix(p->where, false, false);
5275d3c1	206
e07aefbd CB	207	if (p->mode & MNT_CHECK_WRITABLE) {
	208	r = access(p->where, W_OK);
	209	if (r < 0) {
	210	(void) umount(p->where);
	211	return (p->mode & MNT_FATAL) ? r : 0;
	212	}
	213	}
	214
0c85a4f3	215	return 1;
8e274523 LP	216	}
8e274523 LP	217
400fac06	218	static int mount_points_setup(unsigned n, bool loaded_policy) {
4ef31082 LP	219	unsigned i;
	220	int r = 0;
	221
400fac06	222	for (i = 0; i < n; i ++) {
4ef31082 LP	223	int j;
4ef31082 LP	224
400fac06	225	j = mount_one(mount_table + i, loaded_policy);
7ff307bc	226	if (j != 0 && r >= 0)
4ef31082 LP	227	r = j;
	228	}
	229
	230	return r;
	231	}
	232
400fac06 AK	233	int mount_setup_early(void) {
	234	assert_cc(N_EARLY_MOUNT <= ELEMENTSOF(mount_table));
	235
	236	/* Do a minimal mount of /proc and friends to enable the most
	237	* basic stuff, such as SELinux */
	238	return mount_points_setup(N_EARLY_MOUNT, false);
	239	}
	240
0c85a4f3	241	int mount_cgroup_controllers(char ***join_controllers) {
a6b26d90	242	_cleanup_set_free_free_ Set *controllers = NULL;
a641dcd9	243	int r;
2076ca54	244
efdb0237 LP	245	if (!cg_is_legacy_wanted())
	246	return 0;
	247
670802d4	248	/* Mount all available cgroup controllers that are built into the kernel. */
2076ca54	249
6925a0de	250	r = cg_kernel_controllers(&controllers);
b12afc8c LP	251	if (r < 0)
b12afc8c LP	252	return log_error_errno(r, "Failed to enumerate cgroup controllers: %m");
0c85a4f3 LP	253
0c85a4f3 LP	254	for (;;) {
a641dcd9	255	_cleanup_free_ char options = NULL, controller = NULL, *where = NULL;
a6b26d90 ZJS	256	MountPoint p = {
	257	.what = "cgroup",
	258	.type = "cgroup",
	259	.flags = MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
	260	.mode = MNT_IN_CONTAINER,
	261	};
0c85a4f3 LP	262	char ***k = NULL;
	263
	264	controller = set_steal_first(controllers);
	265	if (!controller)
	266	break;
	267
	268	if (join_controllers)
	269	for (k = join_controllers; *k; k++)
	270	if (strv_find(*k, controller))
	271	break;
	272
	273	if (k && *k) {
	274	char i, j;
	275
	276	for (i = k, j = k; *i; i++) {
	277
	278	if (!streq(*i, controller)) {
a641dcd9	279	_cleanup_free_ char *t;
0c85a4f3 LP	280
	281	t = set_remove(controllers, *i);
	282	if (!t) {
	283	free(*i);
	284	continue;
	285	}
0c85a4f3 LP	286	}
	287
	288	(j++) = i;
	289	}
	290
	291	*j = NULL;
	292
	293	options = strv_join(*k, ",");
a6b26d90 ZJS	294	if (!options)
a6b26d90 ZJS	295	return log_oom();
0c85a4f3 LP	296	} else {
	297	options = controller;
	298	controller = NULL;
	299	}
	300
a641dcd9 LP	301	where = strappend("/sys/fs/cgroup/", options);
	302	if (!where)
	303	return log_oom();
	304
	305	p.where = where;
0c85a4f3	306	p.options = options;
2076ca54	307
4ef31082	308	r = mount_one(&p, true);
a6b26d90 ZJS	309	if (r < 0)
a6b26d90 ZJS	310	return r;
0c85a4f3 LP	311
	312	if (r > 0 && k && *k) {
	313	char **i;
	314
	315	for (i = k; i; i++) {
a641dcd9 LP	316	_cleanup_free_ char *t = NULL;
	317
	318	t = strappend("/sys/fs/cgroup/", *i);
	319	if (!t)
	320	return log_oom();
0c85a4f3 LP	321
0c85a4f3 LP	322	r = symlink(options, t);
ea2b93a8	323	if (r >= 0) {
f8c1a81c	324	#ifdef SMACK_RUN_LABEL
ea2b93a8 PO	325	_cleanup_free_ char *src;
	326	src = strappend("/sys/fs/cgroup/", options);
	327	if (!src)
	328	return log_oom();
	329	r = mac_smack_copy(t, src);
	330	if (r < 0 && r != -EOPNOTSUPP)
	331	return log_error_errno(r, "Failed to copy smack label from %s to %s: %m", src, t);
f8c1a81c	332	#endif
ea2b93a8 PO	333	} else if (errno != EEXIST)
ea2b93a8 PO	334	return log_error_errno(errno, "Failed to create symlink %s: %m", t);
0c85a4f3 LP	335	}
0c85a4f3 LP	336	}
2076ca54 LP	337	}
2076ca54 LP	338
679142ce LP	339	/* Now that we mounted everything, let's make the tmpfs the
679142ce LP	340	* cgroup file systems are mounted into read-only. */
b12afc8c	341	(void) mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT\|MS_NOSUID\|MS_NOEXEC\|MS_NODEV\|MS_STRICTATIME\|MS_RDONLY, "mode=755");
679142ce	342
a6b26d90	343	return 0;
2076ca54 LP	344	}
2076ca54 LP	345
f9fa32f0	346	#if HAVE_SELINUX \|\| ENABLE_SMACK
1829dc9d LP	347	static int nftw_cb(
	348	const char *fpath,
	349	const struct stat *sb,
	350	int tflag,
	351	struct FTW *ftwbuf) {
	352
9fe117ea	353	/* No need to label /dev twice in a row... */
edb49778 LP	354	if (_unlikely_(ftwbuf->level == 0))
	355	return FTW_CONTINUE;
	356
c9bc0764	357	label_fix(fpath, false, false);
af65c248	358
edb49778	359	/* /run/initramfs is static data and big, no need to
af65c248	360	* dynamically relabel its contents at boot... */
edb49778 LP	361	if (_unlikely_(ftwbuf->level == 1 &&
	362	tflag == FTW_D &&
	363	streq(fpath, "/run/initramfs")))
	364	return FTW_SKIP_SUBTREE;
9fe117ea	365
edb49778	366	return FTW_CONTINUE;
1829dc9d	367	};
0fff82e5	368	#endif
1829dc9d	369
0b3325e7	370	int mount_setup(bool loaded_policy) {
68d4c452	371	int r = 0;
8e274523	372
400fac06	373	r = mount_points_setup(ELEMENTSOF(mount_table), loaded_policy);
68d4c452 LP	374	if (r < 0)
	375	return r;
	376
f9fa32f0	377	#if HAVE_SELINUX \|\| ENABLE_SMACK
f1d19aa4 LP	378	/* Nodes in devtmpfs and /run need to be manually updated for
	379	* the appropriate labels, after mounting. The other virtual
	380	* API file systems like /sys and /proc do not need that, they
	381	* use the same label for all their files. */
0b3325e7 LP	382	if (loaded_policy) {
	383	usec_t before_relabel, after_relabel;
	384	char timespan[FORMAT_TIMESPAN_MAX];
	385
	386	before_relabel = now(CLOCK_MONOTONIC);
	387
edb49778	388	nftw("/dev", nftw_cb, 64, FTW_MOUNT\|FTW_PHYS\|FTW_ACTIONRETVAL);
cacf980e	389	nftw("/dev/shm", nftw_cb, 64, FTW_MOUNT\|FTW_PHYS\|FTW_ACTIONRETVAL);
edb49778	390	nftw("/run", nftw_cb, 64, FTW_MOUNT\|FTW_PHYS\|FTW_ACTIONRETVAL);
0b3325e7 LP	391
	392	after_relabel = now(CLOCK_MONOTONIC);
	393
	394	log_info("Relabelled /dev and /run in %s.",
2fa4092c	395	format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel, 0));
3bbecb2f	396	}
0fff82e5	397	#endif
1829dc9d	398
5c0532d1	399	/* Create a few default symlinks, which are normally created
f1d19aa4	400	* by udevd, but some scripts might need them before we start
5c0532d1	401	* udevd. */
03cfe0d5	402	dev_setup(NULL, UID_INVALID, GID_INVALID);
5c0532d1	403
dee22f39 LP	404	/* Mark the root directory as shared in regards to mount propagation. The kernel defaults to "private", but we
	405	* think it makes more sense to have a default of "shared" so that nspawn and the container tools work out of
	406	* the box. If specific setups need other settings they can reset the propagation mode to private if
	407	* needed. Note that we set this only when we are invoked directly by the kernel. If we are invoked by a
	408	* container manager we assume the container manager knows what it is doing (for example, because it set up
	409	* some directories with different propagation modes). */
75f86906	410	if (detect_container() <= 0)
c481f78b	411	if (mount(NULL, "/", NULL, MS_REC\|MS_SHARED, NULL) < 0)
56f64d95	412	log_warning_errno(errno, "Failed to set up the root directory for shared mount propagation: %m");
b3ac5f8c	413
dee22f39 LP	414	/* Create a few directories we always want around, Note that sd_booted() checks for /run/systemd/system, so
	415	* this mkdir really needs to stay for good, otherwise software that copied sd-daemon.c into their sources will
	416	* misdetect systemd. */
c4b41707 AP	417	(void) mkdir_label("/run/systemd", 0755);
c4b41707 AP	418	(void) mkdir_label("/run/systemd/system", 0755);
dee22f39	419
c4b41707	420	/* Set up inaccessible items */
dee22f39	421	(void) mkdir_label("/run/systemd/inaccessible", 0000);
c4b41707 AP	422	(void) mknod("/run/systemd/inaccessible/reg", S_IFREG \| 0000, 0);
	423	(void) mkdir_label("/run/systemd/inaccessible/dir", 0000);
	424	(void) mknod("/run/systemd/inaccessible/chr", S_IFCHR \| 0000, makedev(0, 0));
	425	(void) mknod("/run/systemd/inaccessible/blk", S_IFBLK \| 0000, makedev(0, 0));
	426	(void) mkfifo("/run/systemd/inaccessible/fifo", 0000);
	427	(void) mknod("/run/systemd/inaccessible/sock", S_IFSOCK \| 0000, 0);
b925e726	428
0c85a4f3	429	return 0;
8e274523	430	}