[thirdparty/systemd.git] / src / core / mount-setup.c

/* SPDX-License-Identifier: LGPL-2.1+ */
/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <ftw.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <unistd.h>

#include "alloc-util.h"
#include "bus-util.h"
#include "cgroup-util.h"
#include "dev-setup.h"
#include "efivars.h"
#include "fileio.h"
#include "fs-util.h"
#include "label.h"
#include "log.h"
#include "macro.h"
#include "missing.h"
#include "mkdir.h"
#include "mount-setup.h"
#include "mount-util.h"
#include "path-util.h"
#include "set.h"
#include "smack-util.h"
#include "strv.h"
#include "user-util.h"
#include "util.h"
#include "virt.h"

typedef enum MountMode {
        MNT_NONE  =           0,
        MNT_FATAL =           1 <<  0,
        MNT_IN_CONTAINER =    1 <<  1,
        MNT_CHECK_WRITABLE  = 1 <<  2,
} MountMode;

typedef struct MountPoint {
        const char *what;
        const char *where;
        const char *type;
        const char *options;
        unsigned long flags;
        bool (*condition_fn)(void);
        MountMode mode;
} MountPoint;

/* The first three entries we might need before SELinux is up. The
 * fourth (securityfs) is needed by IMA to load a custom policy. The
 * other ones we can delay until SELinux and IMA are loaded. When
 * SMACK is enabled we need smackfs, too, so it's a fifth one. */
#if ENABLE_SMACK
#define N_EARLY_MOUNT 5
#else
#define N_EARLY_MOUNT 4
#endif

static const MountPoint mount_table[] = {
        { "sysfs",       "/sys",                      "sysfs",      NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
          NULL,          MNT_FATAL|MNT_IN_CONTAINER },
        { "proc",        "/proc",                     "proc",       NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
          NULL,          MNT_FATAL|MNT_IN_CONTAINER },
        { "devtmpfs",    "/dev",                      "devtmpfs",   "mode=755",                MS_NOSUID|MS_STRICTATIME,
          NULL,          MNT_FATAL|MNT_IN_CONTAINER },
        { "securityfs",  "/sys/kernel/security",      "securityfs", NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
          NULL,          MNT_NONE                   },
#if ENABLE_SMACK
        { "smackfs",     "/sys/fs/smackfs",           "smackfs",    "smackfsdef=*",            MS_NOSUID|MS_NOEXEC|MS_NODEV,
          mac_smack_use, MNT_FATAL                  },
        { "tmpfs",       "/dev/shm",                  "tmpfs",      "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
          mac_smack_use, MNT_FATAL                  },
#endif
        { "tmpfs",       "/dev/shm",                  "tmpfs",      "mode=1777",               MS_NOSUID|MS_NODEV|MS_STRICTATIME,
          NULL,          MNT_FATAL|MNT_IN_CONTAINER },
        { "devpts",      "/dev/pts",                  "devpts",     "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
          NULL,          MNT_IN_CONTAINER           },
#if ENABLE_SMACK
        { "tmpfs",       "/run",                      "tmpfs",      "mode=755,smackfsroot=*",  MS_NOSUID|MS_NODEV|MS_STRICTATIME,
          mac_smack_use, MNT_FATAL                  },
#endif
        { "tmpfs",       "/run",                      "tmpfs",      "mode=755",                MS_NOSUID|MS_NODEV|MS_STRICTATIME,
          NULL,          MNT_FATAL|MNT_IN_CONTAINER },
        { "cgroup",      "/sys/fs/cgroup",            "cgroup2",    "nsdelegate",              MS_NOSUID|MS_NOEXEC|MS_NODEV,
          cg_is_unified_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
        { "cgroup",      "/sys/fs/cgroup",            "cgroup2",    NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
          cg_is_unified_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
        { "tmpfs",       "/sys/fs/cgroup",            "tmpfs",      "mode=755",                MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
          cg_is_legacy_wanted, MNT_FATAL|MNT_IN_CONTAINER },
        { "cgroup",      "/sys/fs/cgroup/unified",    "cgroup2",    "nsdelegate",              MS_NOSUID|MS_NOEXEC|MS_NODEV,
          cg_is_hybrid_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
        { "cgroup",      "/sys/fs/cgroup/unified",    "cgroup2",    NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
          cg_is_hybrid_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
        { "cgroup",      "/sys/fs/cgroup/systemd",    "cgroup",     "none,name=systemd,xattr", MS_NOSUID|MS_NOEXEC|MS_NODEV,
          cg_is_legacy_wanted, MNT_IN_CONTAINER     },
        { "cgroup",      "/sys/fs/cgroup/systemd",    "cgroup",     "none,name=systemd",       MS_NOSUID|MS_NOEXEC|MS_NODEV,
          cg_is_legacy_wanted, MNT_FATAL|MNT_IN_CONTAINER },
        { "pstore",      "/sys/fs/pstore",            "pstore",     NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
          NULL,          MNT_NONE                   },
#if ENABLE_EFI
        { "efivarfs",    "/sys/firmware/efi/efivars", "efivarfs",   NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
          is_efi_boot,   MNT_NONE                   },
#endif
};

/* These are API file systems that might be mounted by other software,
 * we just list them here so that we know that we should ignore them */

static const char ignore_paths[] =
        /* SELinux file systems */
        "/sys/fs/selinux\0"
        /* Container bind mounts */
        "/proc/sys\0"
        "/dev/console\0"
        "/proc/kmsg\0";

bool mount_point_is_api(const char *path) {
        unsigned i;

        /* Checks if this mount point is considered "API", and hence
         * should be ignored */

        for (i = 0; i < ELEMENTSOF(mount_table); i ++)
                if (path_equal(path, mount_table[i].where))
                        return true;

        return path_startswith(path, "/sys/fs/cgroup/");
}

bool mount_point_ignore(const char *path) {
        const char *i;

        NULSTR_FOREACH(i, ignore_paths)
                if (path_equal(path, i))
                        return true;

        return false;
}

static int mount_one(const MountPoint *p, bool relabel) {
        int r, priority;

        assert(p);

        priority = (p->mode & MNT_FATAL) ? LOG_ERR : LOG_DEBUG;

        if (p->condition_fn && !p->condition_fn())
                return 0;

        /* Relabel first, just in case */
        if (relabel)
                (void) label_fix(p->where, true, true);

        r = path_is_mount_point(p->where, NULL, AT_SYMLINK_FOLLOW);
        if (r < 0 && r != -ENOENT) {
                log_full_errno(priority, r, "Failed to determine whether %s is a mount point: %m", p->where);
                return (p->mode & MNT_FATAL) ? r : 0;
        }
        if (r > 0)
                return 0;

        /* Skip securityfs in a container */
        if (!(p->mode & MNT_IN_CONTAINER) && detect_container() > 0)
                return 0;

        /* The access mode here doesn't really matter too much, since
         * the mounted file system will take precedence anyway. */
        if (relabel)
                (void) mkdir_p_label(p->where, 0755);
        else
                (void) mkdir_p(p->where, 0755);

        log_debug("Mounting %s to %s of type %s with options %s.",
                  p->what,
                  p->where,
                  p->type,
                  strna(p->options));

        if (mount(p->what,
                  p->where,
                  p->type,
                  p->flags,
                  p->options) < 0) {
                log_full_errno(priority, errno, "Failed to mount %s at %s: %m", p->type, p->where);
                return (p->mode & MNT_FATAL) ? -errno : 0;
        }

        /* Relabel again, since we now mounted something fresh here */
        if (relabel)
                (void) label_fix(p->where, false, false);

        if (p->mode & MNT_CHECK_WRITABLE) {
                if (access(p->where, W_OK) < 0) {
                        r = -errno;

                        (void) umount(p->where);
                        (void) rmdir(p->where);

                        log_full_errno(priority, r, "Mount point %s not writable after mounting: %m", p->where);
                        return (p->mode & MNT_FATAL) ? r : 0;
                }
        }

        return 1;
}

static int mount_points_setup(unsigned n, bool loaded_policy) {
        unsigned i;
        int r = 0;

        for (i = 0; i < n; i ++) {
                int j;

                j = mount_one(mount_table + i, loaded_policy);
                if (j != 0 && r >= 0)
                        r = j;
        }

        return r;
}

int mount_setup_early(void) {
        assert_cc(N_EARLY_MOUNT <= ELEMENTSOF(mount_table));

        /* Do a minimal mount of /proc and friends to enable the most
         * basic stuff, such as SELinux */
        return mount_points_setup(N_EARLY_MOUNT, false);
}

int mount_cgroup_controllers(char ***join_controllers) {
        _cleanup_set_free_free_ Set *controllers = NULL;
        int r;

        if (!cg_is_legacy_wanted())
                return 0;

        /* Mount all available cgroup controllers that are built into the kernel. */

        if (!join_controllers)
                /* The defaults:
                 * mount "cpu" + "cpuacct" together, and "net_cls" + "net_prio".
                 *
                 * We'd like to add "cpuset" to the mix, but "cpuset" doesn't really
                 * work for groups with no initialized attributes.
                 */
                join_controllers = (char**[]) {
                        STRV_MAKE("cpu", "cpuacct"),
                        STRV_MAKE("net_cls", "net_prio"),
                        NULL,
                };

        r = cg_kernel_controllers(&controllers);
        if (r < 0)
                return log_error_errno(r, "Failed to enumerate cgroup controllers: %m");

        for (;;) {
                _cleanup_free_ char *options = NULL, *controller = NULL, *where = NULL;
                MountPoint p = {
                        .what = "cgroup",
                        .type = "cgroup",
                        .flags = MS_NOSUID|MS_NOEXEC|MS_NODEV,
                        .mode = MNT_IN_CONTAINER,
                };
                char ***k = NULL;

                controller = set_steal_first(controllers);
                if (!controller)
                        break;

                for (k = join_controllers; *k; k++)
                        if (strv_find(*k, controller))
                                break;

                if (k && *k) {
                        char **i, **j;

                        for (i = *k, j = *k; *i; i++) {

                                if (!streq(*i, controller)) {
                                        _cleanup_free_ char *t;

                                        t = set_remove(controllers, *i);
                                        if (!t) {
                                                free(*i);
                                                continue;
                                        }
                                }

                                *(j++) = *i;
                        }

                        *j = NULL;

                        options = strv_join(*k, ",");
                        if (!options)
                                return log_oom();
                } else {
                        options = controller;
                        controller = NULL;
                }

                where = strappend("/sys/fs/cgroup/", options);
                if (!where)
                        return log_oom();

                p.where = where;
                p.options = options;

                r = mount_one(&p, true);
                if (r < 0)
                        return r;

                if (r > 0 && k && *k) {
                        char **i;

                        for (i = *k; *i; i++) {
                                _cleanup_free_ char *t = NULL;

                                t = strappend("/sys/fs/cgroup/", *i);
                                if (!t)
                                        return log_oom();

                                r = symlink(options, t);
                                if (r >= 0) {
#ifdef SMACK_RUN_LABEL
                                        _cleanup_free_ char *src;
                                        src = strappend("/sys/fs/cgroup/", options);
                                        if (!src)
                                                return log_oom();
                                        r = mac_smack_copy(t, src);
                                        if (r < 0 && r != -EOPNOTSUPP)
                                                return log_error_errno(r, "Failed to copy smack label from %s to %s: %m", src, t);
#endif
                                } else if (errno != EEXIST)
                                        return log_error_errno(errno, "Failed to create symlink %s: %m", t);
                        }
                }
        }

        /* Now that we mounted everything, let's make the tmpfs the
         * cgroup file systems are mounted into read-only. */
        (void) mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY, "mode=755");

        return 0;
}

#if HAVE_SELINUX || ENABLE_SMACK
static int nftw_cb(
                const char *fpath,
                const struct stat *sb,
                int tflag,
                struct FTW *ftwbuf) {

        /* No need to label /dev twice in a row... */
        if (_unlikely_(ftwbuf->level == 0))
                return FTW_CONTINUE;

        label_fix(fpath, false, false);

        /* /run/initramfs is static data and big, no need to
         * dynamically relabel its contents at boot... */
        if (_unlikely_(ftwbuf->level == 1 &&
                      tflag == FTW_D &&
                      streq(fpath, "/run/initramfs")))
                return FTW_SKIP_SUBTREE;

        return FTW_CONTINUE;
};
#endif

int mount_setup(bool loaded_policy) {
        int r = 0;

        r = mount_points_setup(ELEMENTSOF(mount_table), loaded_policy);
        if (r < 0)
                return r;

#if HAVE_SELINUX || ENABLE_SMACK
        /* Nodes in devtmpfs and /run need to be manually updated for
         * the appropriate labels, after mounting. The other virtual
         * API file systems like /sys and /proc do not need that, they
         * use the same label for all their files. */
        if (loaded_policy) {
                usec_t before_relabel, after_relabel;
                char timespan[FORMAT_TIMESPAN_MAX];

                before_relabel = now(CLOCK_MONOTONIC);

                nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
                nftw("/dev/shm", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
                nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);

                /* Temporarily remount the root cgroup filesystem to give it a proper label. */
                r = cg_all_unified();
                if (r == 0) {
                        (void) mount(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT, NULL);
                        label_fix("/sys/fs/cgroup", false, false);
                        nftw("/sys/fs/cgroup", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
                        (void) mount(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT|MS_RDONLY, NULL);
                } else if (r < 0)
                        return log_error_errno(r, "Failed to determine whether we are in all unified mode: %m");

                after_relabel = now(CLOCK_MONOTONIC);

                log_info("Relabelled /dev, /run and /sys/fs/cgroup in %s.",
                         format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel, 0));
        }
#endif

        /* Create a few default symlinks, which are normally created
         * by udevd, but some scripts might need them before we start
         * udevd. */
        dev_setup(NULL, UID_INVALID, GID_INVALID);

        /* Mark the root directory as shared in regards to mount propagation. The kernel defaults to "private", but we
         * think it makes more sense to have a default of "shared" so that nspawn and the container tools work out of
         * the box. If specific setups need other settings they can reset the propagation mode to private if
         * needed. Note that we set this only when we are invoked directly by the kernel. If we are invoked by a
         * container manager we assume the container manager knows what it is doing (for example, because it set up
         * some directories with different propagation modes). */
        if (detect_container() <= 0)
                if (mount(NULL, "/", NULL, MS_REC|MS_SHARED, NULL) < 0)
                        log_warning_errno(errno, "Failed to set up the root directory for shared mount propagation: %m");

        /* Create a few directories we always want around, Note that sd_booted() checks for /run/systemd/system, so
         * this mkdir really needs to stay for good, otherwise software that copied sd-daemon.c into their sources will
         * misdetect systemd. */
        (void) mkdir_label("/run/systemd", 0755);
        (void) mkdir_label("/run/systemd/system", 0755);

        /* Set up inaccessible items */
        (void) mkdir_label("/run/systemd/inaccessible", 0000);
        (void) mknod("/run/systemd/inaccessible/reg", S_IFREG | 0000, 0);
        (void) mkdir_label("/run/systemd/inaccessible/dir", 0000);
        (void) mknod("/run/systemd/inaccessible/chr", S_IFCHR | 0000, makedev(0, 0));
        (void) mknod("/run/systemd/inaccessible/blk", S_IFBLK | 0000, makedev(0, 0));
        (void) mkfifo("/run/systemd/inaccessible/fifo", 0000);
        (void) mknod("/run/systemd/inaccessible/sock", S_IFSOCK | 0000, 0);

        return 0;
}
Commit	Line	Data
	1	/* SPDX-License-Identifier: LGPL-2.1+ */
	2	/***
	3	This file is part of systemd.
	4
	5	Copyright 2010 Lennart Poettering
	6
	7	systemd is free software; you can redistribute it and/or modify it
	8	under the terms of the GNU Lesser General Public License as published by
	9	the Free Software Foundation; either version 2.1 of the License, or
	10	(at your option) any later version.
	11
	12	systemd is distributed in the hope that it will be useful, but
	13	WITHOUT ANY WARRANTY; without even the implied warranty of
	14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	15	Lesser General Public License for more details.
	16
	17	You should have received a copy of the GNU Lesser General Public License
	18	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	19	***/
	20
	21	#include <errno.h>
	22	#include <ftw.h>
	23	#include <stdlib.h>
	24	#include <sys/mount.h>
	25	#include <unistd.h>
	26
	27	#include "alloc-util.h"
	28	#include "bus-util.h"
	29	#include "cgroup-util.h"
	30	#include "dev-setup.h"
	31	#include "efivars.h"
	32	#include "fileio.h"
	33	#include "fs-util.h"
	34	#include "label.h"
	35	#include "log.h"
	36	#include "macro.h"
	37	#include "missing.h"
	38	#include "mkdir.h"
	39	#include "mount-setup.h"
	40	#include "mount-util.h"
	41	#include "path-util.h"
	42	#include "set.h"
	43	#include "smack-util.h"
	44	#include "strv.h"
	45	#include "user-util.h"
	46	#include "util.h"
	47	#include "virt.h"
	48
	49	typedef enum MountMode {
	50	MNT_NONE = 0,
	51	MNT_FATAL = 1 << 0,
	52	MNT_IN_CONTAINER = 1 << 1,
	53	MNT_CHECK_WRITABLE = 1 << 2,
	54	} MountMode;
	55
	56	typedef struct MountPoint {
	57	const char *what;
	58	const char *where;
	59	const char *type;
	60	const char *options;
	61	unsigned long flags;
	62	bool (*condition_fn)(void);
	63	MountMode mode;
	64	} MountPoint;
	65
	66	/* The first three entries we might need before SELinux is up. The
	67	* fourth (securityfs) is needed by IMA to load a custom policy. The
	68	* other ones we can delay until SELinux and IMA are loaded. When
	69	* SMACK is enabled we need smackfs, too, so it's a fifth one. */
	70	#if ENABLE_SMACK
	71	#define N_EARLY_MOUNT 5
	72	#else
	73	#define N_EARLY_MOUNT 4
	74	#endif
	75
	76	static const MountPoint mount_table[] = {
	77	{ "sysfs", "/sys", "sysfs", NULL, MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
	78	NULL, MNT_FATAL\|MNT_IN_CONTAINER },
	79	{ "proc", "/proc", "proc", NULL, MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
	80	NULL, MNT_FATAL\|MNT_IN_CONTAINER },
	81	{ "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID\|MS_STRICTATIME,
	82	NULL, MNT_FATAL\|MNT_IN_CONTAINER },
	83	{ "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
	84	NULL, MNT_NONE },
	85	#if ENABLE_SMACK
	86	{ "smackfs", "/sys/fs/smackfs", "smackfs", "smackfsdef=*", MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
	87	mac_smack_use, MNT_FATAL },
	88	{ "tmpfs", "/dev/shm", "tmpfs", "mode=1777,smackfsroot=*", MS_NOSUID\|MS_NODEV\|MS_STRICTATIME,
	89	mac_smack_use, MNT_FATAL },
	90	#endif
	91	{ "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID\|MS_NODEV\|MS_STRICTATIME,
	92	NULL, MNT_FATAL\|MNT_IN_CONTAINER },
	93	{ "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID\|MS_NOEXEC,
	94	NULL, MNT_IN_CONTAINER },
	95	#if ENABLE_SMACK
	96	{ "tmpfs", "/run", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID\|MS_NODEV\|MS_STRICTATIME,
	97	mac_smack_use, MNT_FATAL },
	98	#endif
	99	{ "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID\|MS_NODEV\|MS_STRICTATIME,
	100	NULL, MNT_FATAL\|MNT_IN_CONTAINER },
	101	{ "cgroup", "/sys/fs/cgroup", "cgroup2", "nsdelegate", MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
	102	cg_is_unified_wanted, MNT_IN_CONTAINER\|MNT_CHECK_WRITABLE },
	103	{ "cgroup", "/sys/fs/cgroup", "cgroup2", NULL, MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
	104	cg_is_unified_wanted, MNT_IN_CONTAINER\|MNT_CHECK_WRITABLE },
	105	{ "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID\|MS_NOEXEC\|MS_NODEV\|MS_STRICTATIME,
	106	cg_is_legacy_wanted, MNT_FATAL\|MNT_IN_CONTAINER },
	107	{ "cgroup", "/sys/fs/cgroup/unified", "cgroup2", "nsdelegate", MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
	108	cg_is_hybrid_wanted, MNT_IN_CONTAINER\|MNT_CHECK_WRITABLE },
	109	{ "cgroup", "/sys/fs/cgroup/unified", "cgroup2", NULL, MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
	110	cg_is_hybrid_wanted, MNT_IN_CONTAINER\|MNT_CHECK_WRITABLE },
	111	{ "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd,xattr", MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
	112	cg_is_legacy_wanted, MNT_IN_CONTAINER },
	113	{ "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
	114	cg_is_legacy_wanted, MNT_FATAL\|MNT_IN_CONTAINER },
	115	{ "pstore", "/sys/fs/pstore", "pstore", NULL, MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
	116	NULL, MNT_NONE },
	117	#if ENABLE_EFI
	118	{ "efivarfs", "/sys/firmware/efi/efivars", "efivarfs", NULL, MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
	119	is_efi_boot, MNT_NONE },
	120	#endif
	121	};
	122
	123	/* These are API file systems that might be mounted by other software,
	124	* we just list them here so that we know that we should ignore them */
	125
	126	static const char ignore_paths[] =
	127	/* SELinux file systems */
	128	"/sys/fs/selinux\0"
	129	/* Container bind mounts */
	130	"/proc/sys\0"
	131	"/dev/console\0"
	132	"/proc/kmsg\0";
	133
	134	bool mount_point_is_api(const char *path) {
	135	unsigned i;
	136
	137	/* Checks if this mount point is considered "API", and hence
	138	* should be ignored */
	139
	140	for (i = 0; i < ELEMENTSOF(mount_table); i ++)
	141	if (path_equal(path, mount_table[i].where))
	142	return true;
	143
	144	return path_startswith(path, "/sys/fs/cgroup/");
	145	}
	146
	147	bool mount_point_ignore(const char *path) {
	148	const char *i;
	149
	150	NULSTR_FOREACH(i, ignore_paths)
	151	if (path_equal(path, i))
	152	return true;
	153
	154	return false;
	155	}
	156
	157	static int mount_one(const MountPoint *p, bool relabel) {
	158	int r, priority;
	159
	160	assert(p);
	161
	162	priority = (p->mode & MNT_FATAL) ? LOG_ERR : LOG_DEBUG;
	163
	164	if (p->condition_fn && !p->condition_fn())
	165	return 0;
	166
	167	/* Relabel first, just in case */
	168	if (relabel)
	169	(void) label_fix(p->where, true, true);
	170
	171	r = path_is_mount_point(p->where, NULL, AT_SYMLINK_FOLLOW);
	172	if (r < 0 && r != -ENOENT) {
	173	log_full_errno(priority, r, "Failed to determine whether %s is a mount point: %m", p->where);
	174	return (p->mode & MNT_FATAL) ? r : 0;
	175	}
	176	if (r > 0)
	177	return 0;
	178
	179	/* Skip securityfs in a container */
	180	if (!(p->mode & MNT_IN_CONTAINER) && detect_container() > 0)
	181	return 0;
	182
	183	/* The access mode here doesn't really matter too much, since
	184	* the mounted file system will take precedence anyway. */
	185	if (relabel)
	186	(void) mkdir_p_label(p->where, 0755);
	187	else
	188	(void) mkdir_p(p->where, 0755);
	189
	190	log_debug("Mounting %s to %s of type %s with options %s.",
	191	p->what,
	192	p->where,
	193	p->type,
	194	strna(p->options));
	195
	196	if (mount(p->what,
	197	p->where,
	198	p->type,
	199	p->flags,
	200	p->options) < 0) {
	201	log_full_errno(priority, errno, "Failed to mount %s at %s: %m", p->type, p->where);
	202	return (p->mode & MNT_FATAL) ? -errno : 0;
	203	}
	204
	205	/* Relabel again, since we now mounted something fresh here */
	206	if (relabel)
	207	(void) label_fix(p->where, false, false);
	208
	209	if (p->mode & MNT_CHECK_WRITABLE) {
	210	if (access(p->where, W_OK) < 0) {
	211	r = -errno;
	212
	213	(void) umount(p->where);
	214	(void) rmdir(p->where);
	215
	216	log_full_errno(priority, r, "Mount point %s not writable after mounting: %m", p->where);
	217	return (p->mode & MNT_FATAL) ? r : 0;
	218	}
	219	}
	220
	221	return 1;
	222	}
	223
	224	static int mount_points_setup(unsigned n, bool loaded_policy) {
	225	unsigned i;
	226	int r = 0;
	227
	228	for (i = 0; i < n; i ++) {
	229	int j;
	230
	231	j = mount_one(mount_table + i, loaded_policy);
	232	if (j != 0 && r >= 0)
	233	r = j;
	234	}
	235
	236	return r;
	237	}
	238
	239	int mount_setup_early(void) {
	240	assert_cc(N_EARLY_MOUNT <= ELEMENTSOF(mount_table));
	241
	242	/* Do a minimal mount of /proc and friends to enable the most
	243	* basic stuff, such as SELinux */
	244	return mount_points_setup(N_EARLY_MOUNT, false);
	245	}
	246
	247	int mount_cgroup_controllers(char ***join_controllers) {
	248	_cleanup_set_free_free_ Set *controllers = NULL;
	249	int r;
	250
	251	if (!cg_is_legacy_wanted())
	252	return 0;
	253
	254	/* Mount all available cgroup controllers that are built into the kernel. */
	255
	256	if (!join_controllers)
	257	/* The defaults:
	258	* mount "cpu" + "cpuacct" together, and "net_cls" + "net_prio".
	259	*
	260	* We'd like to add "cpuset" to the mix, but "cpuset" doesn't really
	261	* work for groups with no initialized attributes.
	262	*/
	263	join_controllers = (char**[]) {
	264	STRV_MAKE("cpu", "cpuacct"),
	265	STRV_MAKE("net_cls", "net_prio"),
	266	NULL,
	267	};
	268
	269	r = cg_kernel_controllers(&controllers);
	270	if (r < 0)
	271	return log_error_errno(r, "Failed to enumerate cgroup controllers: %m");
	272
	273	for (;;) {
	274	_cleanup_free_ char options = NULL, controller = NULL, *where = NULL;
	275	MountPoint p = {
	276	.what = "cgroup",
	277	.type = "cgroup",
	278	.flags = MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
	279	.mode = MNT_IN_CONTAINER,
	280	};
	281	char ***k = NULL;
	282
	283	controller = set_steal_first(controllers);
	284	if (!controller)
	285	break;
	286
	287	for (k = join_controllers; *k; k++)
	288	if (strv_find(*k, controller))
	289	break;
	290
	291	if (k && *k) {
	292	char i, j;
	293
	294	for (i = k, j = k; *i; i++) {
	295
	296	if (!streq(*i, controller)) {
	297	_cleanup_free_ char *t;
	298
	299	t = set_remove(controllers, *i);
	300	if (!t) {
	301	free(*i);
	302	continue;
	303	}
	304	}
	305
	306	(j++) = i;
	307	}
	308
	309	*j = NULL;
	310
	311	options = strv_join(*k, ",");
	312	if (!options)
	313	return log_oom();
	314	} else {
	315	options = controller;
	316	controller = NULL;
	317	}
	318
	319	where = strappend("/sys/fs/cgroup/", options);
	320	if (!where)
	321	return log_oom();
	322
	323	p.where = where;
	324	p.options = options;
	325
	326	r = mount_one(&p, true);
	327	if (r < 0)
	328	return r;
	329
	330	if (r > 0 && k && *k) {
	331	char **i;
	332
	333	for (i = k; i; i++) {
	334	_cleanup_free_ char *t = NULL;
	335
	336	t = strappend("/sys/fs/cgroup/", *i);
	337	if (!t)
	338	return log_oom();
	339
	340	r = symlink(options, t);
	341	if (r >= 0) {
	342	#ifdef SMACK_RUN_LABEL
	343	_cleanup_free_ char *src;
	344	src = strappend("/sys/fs/cgroup/", options);
	345	if (!src)
	346	return log_oom();
	347	r = mac_smack_copy(t, src);
	348	if (r < 0 && r != -EOPNOTSUPP)
	349	return log_error_errno(r, "Failed to copy smack label from %s to %s: %m", src, t);
	350	#endif
	351	} else if (errno != EEXIST)
	352	return log_error_errno(errno, "Failed to create symlink %s: %m", t);
	353	}
	354	}
	355	}
	356
	357	/* Now that we mounted everything, let's make the tmpfs the
	358	* cgroup file systems are mounted into read-only. */
	359	(void) mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT\|MS_NOSUID\|MS_NOEXEC\|MS_NODEV\|MS_STRICTATIME\|MS_RDONLY, "mode=755");
	360
	361	return 0;
	362	}
	363
	364	#if HAVE_SELINUX \|\| ENABLE_SMACK
	365	static int nftw_cb(
	366	const char *fpath,
	367	const struct stat *sb,
	368	int tflag,
	369	struct FTW *ftwbuf) {
	370
	371	/* No need to label /dev twice in a row... */
	372	if (_unlikely_(ftwbuf->level == 0))
	373	return FTW_CONTINUE;
	374
	375	label_fix(fpath, false, false);
	376
	377	/* /run/initramfs is static data and big, no need to
	378	* dynamically relabel its contents at boot... */
	379	if (_unlikely_(ftwbuf->level == 1 &&
	380	tflag == FTW_D &&
	381	streq(fpath, "/run/initramfs")))
	382	return FTW_SKIP_SUBTREE;
	383
	384	return FTW_CONTINUE;
	385	};
	386	#endif
	387
	388	int mount_setup(bool loaded_policy) {
	389	int r = 0;
	390
	391	r = mount_points_setup(ELEMENTSOF(mount_table), loaded_policy);
	392	if (r < 0)
	393	return r;
	394
	395	#if HAVE_SELINUX \|\| ENABLE_SMACK
	396	/* Nodes in devtmpfs and /run need to be manually updated for
	397	* the appropriate labels, after mounting. The other virtual
	398	* API file systems like /sys and /proc do not need that, they
	399	* use the same label for all their files. */
	400	if (loaded_policy) {
	401	usec_t before_relabel, after_relabel;
	402	char timespan[FORMAT_TIMESPAN_MAX];
	403
	404	before_relabel = now(CLOCK_MONOTONIC);
	405
	406	nftw("/dev", nftw_cb, 64, FTW_MOUNT\|FTW_PHYS\|FTW_ACTIONRETVAL);
	407	nftw("/dev/shm", nftw_cb, 64, FTW_MOUNT\|FTW_PHYS\|FTW_ACTIONRETVAL);
	408	nftw("/run", nftw_cb, 64, FTW_MOUNT\|FTW_PHYS\|FTW_ACTIONRETVAL);
	409
	410	/* Temporarily remount the root cgroup filesystem to give it a proper label. */
	411	r = cg_all_unified();
	412	if (r == 0) {
	413	(void) mount(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT, NULL);
	414	label_fix("/sys/fs/cgroup", false, false);
	415	nftw("/sys/fs/cgroup", nftw_cb, 64, FTW_MOUNT\|FTW_PHYS\|FTW_ACTIONRETVAL);
	416	(void) mount(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT\|MS_RDONLY, NULL);
	417	} else if (r < 0)
	418	return log_error_errno(r, "Failed to determine whether we are in all unified mode: %m");
	419
	420	after_relabel = now(CLOCK_MONOTONIC);
	421
	422	log_info("Relabelled /dev, /run and /sys/fs/cgroup in %s.",
	423	format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel, 0));
	424	}
	425	#endif
	426
	427	/* Create a few default symlinks, which are normally created
	428	* by udevd, but some scripts might need them before we start
	429	* udevd. */
	430	dev_setup(NULL, UID_INVALID, GID_INVALID);
	431
	432	/* Mark the root directory as shared in regards to mount propagation. The kernel defaults to "private", but we
	433	* think it makes more sense to have a default of "shared" so that nspawn and the container tools work out of
	434	* the box. If specific setups need other settings they can reset the propagation mode to private if
	435	* needed. Note that we set this only when we are invoked directly by the kernel. If we are invoked by a
	436	* container manager we assume the container manager knows what it is doing (for example, because it set up
	437	* some directories with different propagation modes). */
	438	if (detect_container() <= 0)
	439	if (mount(NULL, "/", NULL, MS_REC\|MS_SHARED, NULL) < 0)
	440	log_warning_errno(errno, "Failed to set up the root directory for shared mount propagation: %m");
	441
	442	/* Create a few directories we always want around, Note that sd_booted() checks for /run/systemd/system, so
	443	* this mkdir really needs to stay for good, otherwise software that copied sd-daemon.c into their sources will
	444	* misdetect systemd. */
	445	(void) mkdir_label("/run/systemd", 0755);
	446	(void) mkdir_label("/run/systemd/system", 0755);
	447
	448	/* Set up inaccessible items */
	449	(void) mkdir_label("/run/systemd/inaccessible", 0000);
	450	(void) mknod("/run/systemd/inaccessible/reg", S_IFREG \| 0000, 0);
	451	(void) mkdir_label("/run/systemd/inaccessible/dir", 0000);
	452	(void) mknod("/run/systemd/inaccessible/chr", S_IFCHR \| 0000, makedev(0, 0));
	453	(void) mknod("/run/systemd/inaccessible/blk", S_IFBLK \| 0000, makedev(0, 0));
	454	(void) mkfifo("/run/systemd/inaccessible/fifo", 0000);
	455	(void) mknod("/run/systemd/inaccessible/sock", S_IFSOCK \| 0000, 0);
	456
	457	return 0;
	458	}