1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 #include <sys/mount.h>
28 #include "mount-setup.h"
29 #include "dev-setup.h"
38 #include "path-util.h"
42 #include "smack-util.h"
43 #include "cgroup-util.h"
45 typedef enum MountMode
{
48 MNT_IN_CONTAINER
= 1 << 1,
51 typedef struct MountPoint
{
57 bool (*condition_fn
)(void);
61 /* The first three entries we might need before SELinux is up. The
62 * fourth (securityfs) is needed by IMA to load a custom policy. The
63 * other ones we can delay until SELinux and IMA are loaded. When
64 * SMACK is enabled we need smackfs, too, so it's a fifth one. */
66 #define N_EARLY_MOUNT 5
68 #define N_EARLY_MOUNT 4
71 static const MountPoint mount_table
[] = {
72 { "sysfs", "/sys", "sysfs", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
73 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
74 { "proc", "/proc", "proc", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
75 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
76 { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID
|MS_STRICTATIME
,
77 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
78 { "securityfs", "/sys/kernel/security", "securityfs", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
81 { "smackfs", "/sys/fs/smackfs", "smackfs", "smackfsdef=*", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
82 mac_smack_use
, MNT_FATAL
},
83 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777,smackfsroot=*", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
,
84 mac_smack_use
, MNT_FATAL
},
86 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
,
87 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
88 { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID
), MS_NOSUID
|MS_NOEXEC
,
89 NULL
, MNT_IN_CONTAINER
},
91 { "tmpfs", "/run", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
,
92 mac_smack_use
, MNT_FATAL
},
94 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
,
95 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
96 { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_STRICTATIME
,
97 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
98 { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd,xattr", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
99 NULL
, MNT_IN_CONTAINER
},
100 { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
101 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
102 { "pstore", "/sys/fs/pstore", "pstore", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
105 { "efivarfs", "/sys/firmware/efi/efivars", "efivarfs", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
106 is_efi_boot
, MNT_NONE
},
108 { "kdbusfs", "/sys/fs/kdbus", "kdbusfs", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
109 is_kdbus_wanted
, MNT_IN_CONTAINER
},
112 /* These are API file systems that might be mounted by other software,
113 * we just list them here so that we know that we should ignore them */
115 static const char ignore_paths
[] =
116 /* SELinux file systems */
118 /* Container bind mounts */
123 bool mount_point_is_api(const char *path
) {
126 /* Checks if this mount point is considered "API", and hence
127 * should be ignored */
129 for (i
= 0; i
< ELEMENTSOF(mount_table
); i
++)
130 if (path_equal(path
, mount_table
[i
].where
))
133 return path_startswith(path
, "/sys/fs/cgroup/");
136 bool mount_point_ignore(const char *path
) {
139 NULSTR_FOREACH(i
, ignore_paths
)
140 if (path_equal(path
, i
))
146 static int mount_one(const MountPoint
*p
, bool relabel
) {
151 if (p
->condition_fn
&& !p
->condition_fn())
154 /* Relabel first, just in case */
156 label_fix(p
->where
, true, true);
158 r
= path_is_mount_point(p
->where
, AT_SYMLINK_FOLLOW
);
159 if (r
< 0 && r
!= -ENOENT
)
164 /* Skip securityfs in a container */
165 if (!(p
->mode
& MNT_IN_CONTAINER
) && detect_container(NULL
) > 0)
168 /* The access mode here doesn't really matter too much, since
169 * the mounted file system will take precedence anyway. */
171 mkdir_p_label(p
->where
, 0755);
173 mkdir_p(p
->where
, 0755);
175 log_debug("Mounting %s to %s of type %s with options %s.",
186 log_full((p
->mode
& MNT_FATAL
) ? LOG_ERR
: LOG_DEBUG
, "Failed to mount %s at %s: %m", p
->type
, p
->where
);
187 return (p
->mode
& MNT_FATAL
) ? -errno
: 0;
190 /* Relabel again, since we now mounted something fresh here */
192 label_fix(p
->where
, false, false);
197 int mount_setup_early(void) {
201 assert_cc(N_EARLY_MOUNT
<= ELEMENTSOF(mount_table
));
203 /* Do a minimal mount of /proc and friends to enable the most
204 * basic stuff, such as SELinux */
205 for (i
= 0; i
< N_EARLY_MOUNT
; i
++) {
208 j
= mount_one(mount_table
+ i
, false);
216 int mount_cgroup_controllers(char ***join_controllers
) {
217 _cleanup_set_free_free_ Set
*controllers
= NULL
;
220 /* Mount all available cgroup controllers that are built into the kernel. */
222 controllers
= set_new(&string_hash_ops
);
226 r
= cg_kernel_controllers(controllers
);
228 return log_error_errno(r
, "Failed to enumerate cgroup controllers: %m");
231 _cleanup_free_
char *options
= NULL
, *controller
= NULL
, *where
= NULL
;
235 .flags
= MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
236 .mode
= MNT_IN_CONTAINER
,
240 controller
= set_steal_first(controllers
);
244 if (join_controllers
)
245 for (k
= join_controllers
; *k
; k
++)
246 if (strv_find(*k
, controller
))
252 for (i
= *k
, j
= *k
; *i
; i
++) {
254 if (!streq(*i
, controller
)) {
255 _cleanup_free_
char *t
;
257 t
= set_remove(controllers
, *i
);
269 options
= strv_join(*k
, ",");
273 options
= controller
;
277 where
= strappend("/sys/fs/cgroup/", options
);
284 r
= mount_one(&p
, true);
288 if (r
> 0 && k
&& *k
) {
291 for (i
= *k
; *i
; i
++) {
292 _cleanup_free_
char *t
= NULL
;
294 t
= strappend("/sys/fs/cgroup/", *i
);
298 r
= symlink(options
, t
);
299 if (r
< 0 && errno
!= EEXIST
)
300 return log_error_errno(errno
, "Failed to create symlink %s: %m", t
);
305 /* Now that we mounted everything, let's make the tmpfs the
306 * cgroup file systems are mounted into read-only. */
307 (void) mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_STRICTATIME
|MS_RDONLY
, "mode=755");
312 #if defined(HAVE_SELINUX) || defined(HAVE_SMACK)
315 const struct stat
*sb
,
317 struct FTW
*ftwbuf
) {
319 /* No need to label /dev twice in a row... */
320 if (_unlikely_(ftwbuf
->level
== 0))
323 label_fix(fpath
, false, false);
325 /* /run/initramfs is static data and big, no need to
326 * dynamically relabel its contents at boot... */
327 if (_unlikely_(ftwbuf
->level
== 1 &&
329 streq(fpath
, "/run/initramfs")))
330 return FTW_SKIP_SUBTREE
;
336 int mount_setup(bool loaded_policy
) {
340 for (i
= 0; i
< ELEMENTSOF(mount_table
); i
++) {
343 j
= mount_one(mount_table
+ i
, loaded_policy
);
351 #if defined(HAVE_SELINUX) || defined(HAVE_SMACK)
352 /* Nodes in devtmpfs and /run need to be manually updated for
353 * the appropriate labels, after mounting. The other virtual
354 * API file systems like /sys and /proc do not need that, they
355 * use the same label for all their files. */
357 usec_t before_relabel
, after_relabel
;
358 char timespan
[FORMAT_TIMESPAN_MAX
];
360 before_relabel
= now(CLOCK_MONOTONIC
);
362 nftw("/dev", nftw_cb
, 64, FTW_MOUNT
|FTW_PHYS
|FTW_ACTIONRETVAL
);
363 nftw("/run", nftw_cb
, 64, FTW_MOUNT
|FTW_PHYS
|FTW_ACTIONRETVAL
);
365 after_relabel
= now(CLOCK_MONOTONIC
);
367 log_info("Relabelled /dev and /run in %s.",
368 format_timespan(timespan
, sizeof(timespan
), after_relabel
- before_relabel
, 0));
372 /* Create a few default symlinks, which are normally created
373 * by udevd, but some scripts might need them before we start
375 dev_setup(NULL
, UID_INVALID
, GID_INVALID
);
377 /* Mark the root directory as shared in regards to mount
378 * propagation. The kernel defaults to "private", but we think
379 * it makes more sense to have a default of "shared" so that
380 * nspawn and the container tools work out of the box. If
381 * specific setups need other settings they can reset the
382 * propagation mode to private if needed. */
383 if (detect_container(NULL
) <= 0)
384 if (mount(NULL
, "/", NULL
, MS_REC
|MS_SHARED
, NULL
) < 0)
385 log_warning_errno(errno
, "Failed to set up the root directory for shared mount propagation: %m");
387 /* Create a few directories we always want around, Note that
388 * sd_booted() checks for /run/systemd/system, so this mkdir
389 * really needs to stay for good, otherwise software that
390 * copied sd-daemon.c into their sources will misdetect
392 mkdir_label("/run/systemd", 0755);
393 mkdir_label("/run/systemd/system", 0755);
394 mkdir_label("/run/systemd/inaccessible", 0000);