1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2010 Lennart Poettering
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
24 #include <sys/mount.h>
27 #include "alloc-util.h"
29 #include "cgroup-util.h"
30 #include "dev-setup.h"
38 #include "mount-setup.h"
39 #include "mount-util.h"
40 #include "path-util.h"
42 #include "smack-util.h"
44 #include "user-util.h"
48 typedef enum MountMode
{
51 MNT_IN_CONTAINER
= 1 << 1,
54 typedef struct MountPoint
{
60 bool (*condition_fn
)(void);
64 /* The first three entries we might need before SELinux is up. The
65 * fourth (securityfs) is needed by IMA to load a custom policy. The
66 * other ones we can delay until SELinux and IMA are loaded. When
67 * SMACK is enabled we need smackfs, too, so it's a fifth one. */
69 #define N_EARLY_MOUNT 5
71 #define N_EARLY_MOUNT 4
74 static const MountPoint mount_table
[] = {
75 { "sysfs", "/sys", "sysfs", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
76 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
77 { "proc", "/proc", "proc", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
78 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
79 { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID
|MS_STRICTATIME
,
80 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
81 { "securityfs", "/sys/kernel/security", "securityfs", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
84 { "smackfs", "/sys/fs/smackfs", "smackfs", "smackfsdef=*", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
85 mac_smack_use
, MNT_FATAL
},
86 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777,smackfsroot=*", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
,
87 mac_smack_use
, MNT_FATAL
},
89 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
,
90 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
91 { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID
), MS_NOSUID
|MS_NOEXEC
,
92 NULL
, MNT_IN_CONTAINER
},
94 { "tmpfs", "/run", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
,
95 mac_smack_use
, MNT_FATAL
},
97 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
,
98 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
99 { "cgroup", "/sys/fs/cgroup", "cgroup2", "nsdelegate", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
100 cg_is_unified_wanted
, MNT_IN_CONTAINER
},
101 { "cgroup", "/sys/fs/cgroup", "cgroup2", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
102 cg_is_unified_wanted
, MNT_IN_CONTAINER
},
103 { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_STRICTATIME
,
104 cg_is_legacy_wanted
, MNT_FATAL
|MNT_IN_CONTAINER
},
105 { "cgroup", "/sys/fs/cgroup/unified", "cgroup2", "nsdelegate", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
106 cg_is_hybrid_wanted
, MNT_IN_CONTAINER
},
107 { "cgroup", "/sys/fs/cgroup/unified", "cgroup2", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
108 cg_is_hybrid_wanted
, MNT_IN_CONTAINER
},
109 { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd,xattr", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
110 cg_is_legacy_wanted
, MNT_IN_CONTAINER
},
111 { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
112 cg_is_legacy_wanted
, MNT_FATAL
|MNT_IN_CONTAINER
},
113 { "pstore", "/sys/fs/pstore", "pstore", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
116 { "efivarfs", "/sys/firmware/efi/efivars", "efivarfs", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
117 is_efi_boot
, MNT_NONE
},
121 /* These are API file systems that might be mounted by other software,
122 * we just list them here so that we know that we should ignore them */
124 static const char ignore_paths
[] =
125 /* SELinux file systems */
127 /* Container bind mounts */
132 bool mount_point_is_api(const char *path
) {
135 /* Checks if this mount point is considered "API", and hence
136 * should be ignored */
138 for (i
= 0; i
< ELEMENTSOF(mount_table
); i
++)
139 if (path_equal(path
, mount_table
[i
].where
))
142 return path_startswith(path
, "/sys/fs/cgroup/");
145 bool mount_point_ignore(const char *path
) {
148 NULSTR_FOREACH(i
, ignore_paths
)
149 if (path_equal(path
, i
))
155 static int mount_one(const MountPoint
*p
, bool relabel
) {
160 if (p
->condition_fn
&& !p
->condition_fn())
163 /* Relabel first, just in case */
165 (void) label_fix(p
->where
, true, true);
167 r
= path_is_mount_point(p
->where
, NULL
, AT_SYMLINK_FOLLOW
);
168 if (r
< 0 && r
!= -ENOENT
) {
169 log_full_errno((p
->mode
& MNT_FATAL
) ? LOG_ERR
: LOG_DEBUG
, r
, "Failed to determine whether %s is a mount point: %m", p
->where
);
170 return (p
->mode
& MNT_FATAL
) ? r
: 0;
175 /* Skip securityfs in a container */
176 if (!(p
->mode
& MNT_IN_CONTAINER
) && detect_container() > 0)
179 /* The access mode here doesn't really matter too much, since
180 * the mounted file system will take precedence anyway. */
182 (void) mkdir_p_label(p
->where
, 0755);
184 (void) mkdir_p(p
->where
, 0755);
186 log_debug("Mounting %s to %s of type %s with options %s.",
197 log_full_errno((p
->mode
& MNT_FATAL
) ? LOG_ERR
: LOG_DEBUG
, errno
, "Failed to mount %s at %s: %m", p
->type
, p
->where
);
198 return (p
->mode
& MNT_FATAL
) ? -errno
: 0;
201 /* Relabel again, since we now mounted something fresh here */
203 (void) label_fix(p
->where
, false, false);
208 static int mount_points_setup(unsigned n
, bool loaded_policy
) {
212 for (i
= 0; i
< n
; i
++) {
215 j
= mount_one(mount_table
+ i
, loaded_policy
);
216 if (j
!= 0 && r
>= 0)
223 int mount_setup_early(void) {
224 assert_cc(N_EARLY_MOUNT
<= ELEMENTSOF(mount_table
));
226 /* Do a minimal mount of /proc and friends to enable the most
227 * basic stuff, such as SELinux */
228 return mount_points_setup(N_EARLY_MOUNT
, false);
231 int mount_cgroup_controllers(char ***join_controllers
) {
232 _cleanup_set_free_free_ Set
*controllers
= NULL
;
235 if (!cg_is_legacy_wanted())
238 /* Mount all available cgroup controllers that are built into the kernel. */
240 controllers
= set_new(&string_hash_ops
);
244 r
= cg_kernel_controllers(controllers
);
246 return log_error_errno(r
, "Failed to enumerate cgroup controllers: %m");
249 _cleanup_free_
char *options
= NULL
, *controller
= NULL
, *where
= NULL
;
253 .flags
= MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
254 .mode
= MNT_IN_CONTAINER
,
258 controller
= set_steal_first(controllers
);
262 if (join_controllers
)
263 for (k
= join_controllers
; *k
; k
++)
264 if (strv_find(*k
, controller
))
270 for (i
= *k
, j
= *k
; *i
; i
++) {
272 if (!streq(*i
, controller
)) {
273 _cleanup_free_
char *t
;
275 t
= set_remove(controllers
, *i
);
287 options
= strv_join(*k
, ",");
291 options
= controller
;
295 where
= strappend("/sys/fs/cgroup/", options
);
302 r
= mount_one(&p
, true);
306 if (r
> 0 && k
&& *k
) {
309 for (i
= *k
; *i
; i
++) {
310 _cleanup_free_
char *t
= NULL
;
312 t
= strappend("/sys/fs/cgroup/", *i
);
316 r
= symlink(options
, t
);
318 #ifdef SMACK_RUN_LABEL
319 _cleanup_free_
char *src
;
320 src
= strappend("/sys/fs/cgroup/", options
);
323 r
= mac_smack_copy(t
, src
);
324 if (r
< 0 && r
!= -EOPNOTSUPP
)
325 return log_error_errno(r
, "Failed to copy smack label from %s to %s: %m", src
, t
);
327 } else if (errno
!= EEXIST
)
328 return log_error_errno(errno
, "Failed to create symlink %s: %m", t
);
333 /* Now that we mounted everything, let's make the tmpfs the
334 * cgroup file systems are mounted into read-only. */
335 (void) mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_STRICTATIME
|MS_RDONLY
, "mode=755");
340 #if HAVE_SELINUX || ENABLE_SMACK
343 const struct stat
*sb
,
345 struct FTW
*ftwbuf
) {
347 /* No need to label /dev twice in a row... */
348 if (_unlikely_(ftwbuf
->level
== 0))
351 label_fix(fpath
, false, false);
353 /* /run/initramfs is static data and big, no need to
354 * dynamically relabel its contents at boot... */
355 if (_unlikely_(ftwbuf
->level
== 1 &&
357 streq(fpath
, "/run/initramfs")))
358 return FTW_SKIP_SUBTREE
;
364 int mount_setup(bool loaded_policy
) {
367 r
= mount_points_setup(ELEMENTSOF(mount_table
), loaded_policy
);
371 #if HAVE_SELINUX || ENABLE_SMACK
372 /* Nodes in devtmpfs and /run need to be manually updated for
373 * the appropriate labels, after mounting. The other virtual
374 * API file systems like /sys and /proc do not need that, they
375 * use the same label for all their files. */
377 usec_t before_relabel
, after_relabel
;
378 char timespan
[FORMAT_TIMESPAN_MAX
];
380 before_relabel
= now(CLOCK_MONOTONIC
);
382 nftw("/dev", nftw_cb
, 64, FTW_MOUNT
|FTW_PHYS
|FTW_ACTIONRETVAL
);
383 nftw("/dev/shm", nftw_cb
, 64, FTW_MOUNT
|FTW_PHYS
|FTW_ACTIONRETVAL
);
384 nftw("/run", nftw_cb
, 64, FTW_MOUNT
|FTW_PHYS
|FTW_ACTIONRETVAL
);
386 after_relabel
= now(CLOCK_MONOTONIC
);
388 log_info("Relabelled /dev and /run in %s.",
389 format_timespan(timespan
, sizeof(timespan
), after_relabel
- before_relabel
, 0));
393 /* Create a few default symlinks, which are normally created
394 * by udevd, but some scripts might need them before we start
396 dev_setup(NULL
, UID_INVALID
, GID_INVALID
);
398 /* Mark the root directory as shared in regards to mount propagation. The kernel defaults to "private", but we
399 * think it makes more sense to have a default of "shared" so that nspawn and the container tools work out of
400 * the box. If specific setups need other settings they can reset the propagation mode to private if
401 * needed. Note that we set this only when we are invoked directly by the kernel. If we are invoked by a
402 * container manager we assume the container manager knows what it is doing (for example, because it set up
403 * some directories with different propagation modes). */
404 if (detect_container() <= 0)
405 if (mount(NULL
, "/", NULL
, MS_REC
|MS_SHARED
, NULL
) < 0)
406 log_warning_errno(errno
, "Failed to set up the root directory for shared mount propagation: %m");
408 /* Create a few directories we always want around, Note that sd_booted() checks for /run/systemd/system, so
409 * this mkdir really needs to stay for good, otherwise software that copied sd-daemon.c into their sources will
410 * misdetect systemd. */
411 (void) mkdir_label("/run/systemd", 0755);
412 (void) mkdir_label("/run/systemd/system", 0755);
414 /* Set up inaccessible items */
415 (void) mkdir_label("/run/systemd/inaccessible", 0000);
416 (void) mknod("/run/systemd/inaccessible/reg", S_IFREG
| 0000, 0);
417 (void) mkdir_label("/run/systemd/inaccessible/dir", 0000);
418 (void) mknod("/run/systemd/inaccessible/chr", S_IFCHR
| 0000, makedev(0, 0));
419 (void) mknod("/run/systemd/inaccessible/blk", S_IFBLK
| 0000, makedev(0, 0));
420 (void) mkfifo("/run/systemd/inaccessible/fifo", 0000);
421 (void) mknod("/run/systemd/inaccessible/sock", S_IFSOCK
| 0000, 0);