1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 Copyright 2010 Lennart Poettering
10 #include <sys/statvfs.h>
13 #include "alloc-util.h"
15 #include "cgroup-util.h"
16 #include "dev-setup.h"
25 #include "mount-setup.h"
26 #include "mount-util.h"
27 #include "path-util.h"
29 #include "smack-util.h"
31 #include "user-util.h"
35 typedef enum MountMode
{
38 MNT_IN_CONTAINER
= 1 << 1,
39 MNT_CHECK_WRITABLE
= 1 << 2,
42 typedef struct MountPoint
{
48 bool (*condition_fn
)(void);
52 /* The first three entries we might need before SELinux is up. The
53 * fourth (securityfs) is needed by IMA to load a custom policy. The
54 * other ones we can delay until SELinux and IMA are loaded. When
55 * SMACK is enabled we need smackfs, too, so it's a fifth one. */
57 #define N_EARLY_MOUNT 5
59 #define N_EARLY_MOUNT 4
62 static const MountPoint mount_table
[] = {
63 { "sysfs", "/sys", "sysfs", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
64 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
65 { "proc", "/proc", "proc", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
66 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
67 { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID
|MS_STRICTATIME
,
68 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
69 { "securityfs", "/sys/kernel/security", "securityfs", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
72 { "smackfs", "/sys/fs/smackfs", "smackfs", "smackfsdef=*", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
73 mac_smack_use
, MNT_FATAL
},
74 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777,smackfsroot=*", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
,
75 mac_smack_use
, MNT_FATAL
},
77 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
,
78 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
79 { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID
), MS_NOSUID
|MS_NOEXEC
,
80 NULL
, MNT_IN_CONTAINER
},
82 { "tmpfs", "/run", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
,
83 mac_smack_use
, MNT_FATAL
},
85 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
,
86 NULL
, MNT_FATAL
|MNT_IN_CONTAINER
},
87 { "cgroup2", "/sys/fs/cgroup", "cgroup2", "nsdelegate", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
88 cg_is_unified_wanted
, MNT_IN_CONTAINER
|MNT_CHECK_WRITABLE
},
89 { "cgroup2", "/sys/fs/cgroup", "cgroup2", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
90 cg_is_unified_wanted
, MNT_IN_CONTAINER
|MNT_CHECK_WRITABLE
},
91 { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_STRICTATIME
,
92 cg_is_legacy_wanted
, MNT_FATAL
|MNT_IN_CONTAINER
},
93 { "cgroup2", "/sys/fs/cgroup/unified", "cgroup2", "nsdelegate", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
94 cg_is_hybrid_wanted
, MNT_IN_CONTAINER
|MNT_CHECK_WRITABLE
},
95 { "cgroup2", "/sys/fs/cgroup/unified", "cgroup2", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
96 cg_is_hybrid_wanted
, MNT_IN_CONTAINER
|MNT_CHECK_WRITABLE
},
97 { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd,xattr", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
98 cg_is_legacy_wanted
, MNT_IN_CONTAINER
},
99 { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
100 cg_is_legacy_wanted
, MNT_FATAL
|MNT_IN_CONTAINER
},
101 { "pstore", "/sys/fs/pstore", "pstore", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
104 { "efivarfs", "/sys/firmware/efi/efivars", "efivarfs", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
105 is_efi_boot
, MNT_NONE
},
107 { "bpf", "/sys/fs/bpf", "bpf", "mode=700", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
111 /* These are API file systems that might be mounted by other software,
112 * we just list them here so that we know that we should ignore them */
114 static const char ignore_paths
[] =
115 /* SELinux file systems */
117 /* Container bind mounts */
122 bool mount_point_is_api(const char *path
) {
125 /* Checks if this mount point is considered "API", and hence
126 * should be ignored */
128 for (i
= 0; i
< ELEMENTSOF(mount_table
); i
++)
129 if (path_equal(path
, mount_table
[i
].where
))
132 return path_startswith(path
, "/sys/fs/cgroup/");
135 bool mount_point_ignore(const char *path
) {
138 NULSTR_FOREACH(i
, ignore_paths
)
139 if (path_equal(path
, i
))
145 static int mount_one(const MountPoint
*p
, bool relabel
) {
150 priority
= (p
->mode
& MNT_FATAL
) ? LOG_ERR
: LOG_DEBUG
;
152 if (p
->condition_fn
&& !p
->condition_fn())
155 /* Relabel first, just in case */
157 (void) label_fix(p
->where
, LABEL_IGNORE_ENOENT
|LABEL_IGNORE_EROFS
);
159 r
= path_is_mount_point(p
->where
, NULL
, AT_SYMLINK_FOLLOW
);
160 if (r
< 0 && r
!= -ENOENT
) {
161 log_full_errno(priority
, r
, "Failed to determine whether %s is a mount point: %m", p
->where
);
162 return (p
->mode
& MNT_FATAL
) ? r
: 0;
167 /* Skip securityfs in a container */
168 if (!(p
->mode
& MNT_IN_CONTAINER
) && detect_container() > 0)
171 /* The access mode here doesn't really matter too much, since
172 * the mounted file system will take precedence anyway. */
174 (void) mkdir_p_label(p
->where
, 0755);
176 (void) mkdir_p(p
->where
, 0755);
178 log_debug("Mounting %s to %s of type %s with options %s.",
189 log_full_errno(priority
, errno
, "Failed to mount %s at %s: %m", p
->type
, p
->where
);
190 return (p
->mode
& MNT_FATAL
) ? -errno
: 0;
193 /* Relabel again, since we now mounted something fresh here */
195 (void) label_fix(p
->where
, 0);
197 if (p
->mode
& MNT_CHECK_WRITABLE
) {
198 if (access(p
->where
, W_OK
) < 0) {
201 (void) umount(p
->where
);
202 (void) rmdir(p
->where
);
204 log_full_errno(priority
, r
, "Mount point %s not writable after mounting: %m", p
->where
);
205 return (p
->mode
& MNT_FATAL
) ? r
: 0;
212 static int mount_points_setup(unsigned n
, bool loaded_policy
) {
216 for (i
= 0; i
< n
; i
++) {
219 j
= mount_one(mount_table
+ i
, loaded_policy
);
220 if (j
!= 0 && r
>= 0)
227 int mount_setup_early(void) {
228 assert_cc(N_EARLY_MOUNT
<= ELEMENTSOF(mount_table
));
230 /* Do a minimal mount of /proc and friends to enable the most
231 * basic stuff, such as SELinux */
232 return mount_points_setup(N_EARLY_MOUNT
, false);
235 int mount_cgroup_controllers(char ***join_controllers
) {
236 _cleanup_set_free_free_ Set
*controllers
= NULL
;
237 bool has_argument
= !!join_controllers
;
240 if (!cg_is_legacy_wanted())
243 /* Mount all available cgroup controllers that are built into the kernel. */
247 * mount "cpu" + "cpuacct" together, and "net_cls" + "net_prio".
249 * We'd like to add "cpuset" to the mix, but "cpuset" doesn't really
250 * work for groups with no initialized attributes.
252 join_controllers
= (char**[]) {
253 STRV_MAKE("cpu", "cpuacct"),
254 STRV_MAKE("net_cls", "net_prio"),
258 r
= cg_kernel_controllers(&controllers
);
260 return log_error_errno(r
, "Failed to enumerate cgroup controllers: %m");
263 _cleanup_free_
char *options
= NULL
, *controller
= NULL
, *where
= NULL
;
267 .flags
= MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
268 .mode
= MNT_IN_CONTAINER
,
272 controller
= set_steal_first(controllers
);
276 for (k
= join_controllers
; *k
; k
++)
277 if (strv_find(*k
, controller
))
283 for (i
= *k
, j
= *k
; *i
; i
++) {
285 if (!streq(*i
, controller
)) {
286 _cleanup_free_
char *t
;
288 t
= set_remove(controllers
, *i
);
301 options
= strv_join(*k
, ",");
305 options
= TAKE_PTR(controller
);
307 where
= strappend("/sys/fs/cgroup/", options
);
314 r
= mount_one(&p
, true);
321 for (i
= *k
; *i
; i
++) {
322 _cleanup_free_
char *t
= NULL
;
324 t
= strappend("/sys/fs/cgroup/", *i
);
328 r
= symlink(options
, t
);
330 #ifdef SMACK_RUN_LABEL
331 _cleanup_free_
char *src
;
332 src
= strappend("/sys/fs/cgroup/", options
);
335 r
= mac_smack_copy(t
, src
);
336 if (r
< 0 && r
!= -EOPNOTSUPP
)
337 return log_error_errno(r
, "Failed to copy smack label from %s to %s: %m", src
, t
);
339 } else if (errno
!= EEXIST
)
340 return log_error_errno(errno
, "Failed to create symlink %s: %m", t
);
345 /* Now that we mounted everything, let's make the tmpfs the
346 * cgroup file systems are mounted into read-only. */
347 (void) mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_STRICTATIME
|MS_RDONLY
, "mode=755");
352 #if HAVE_SELINUX || ENABLE_SMACK
355 const struct stat
*sb
,
357 struct FTW
*ftwbuf
) {
359 /* No need to label /dev twice in a row... */
360 if (_unlikely_(ftwbuf
->level
== 0))
363 (void) label_fix(fpath
, 0);
365 /* /run/initramfs is static data and big, no need to
366 * dynamically relabel its contents at boot... */
367 if (_unlikely_(ftwbuf
->level
== 1 &&
369 streq(fpath
, "/run/initramfs")))
370 return FTW_SKIP_SUBTREE
;
375 static int relabel_cgroup_filesystems(void) {
379 r
= cg_all_unified();
381 /* Temporarily remount the root cgroup filesystem to give it a proper label. Do this
382 only when the filesystem has been already populated by a previous instance of systemd
383 running from initrd. Otherwise don't remount anything and leave the filesystem read-write
384 for the cgroup filesystems to be mounted inside. */
385 if (statfs("/sys/fs/cgroup", &st
) < 0)
386 return log_error_errno(errno
, "Failed to determine mount flags for /sys/fs/cgroup: %m");
388 if (st
.f_flags
& ST_RDONLY
)
389 (void) mount(NULL
, "/sys/fs/cgroup", NULL
, MS_REMOUNT
, NULL
);
391 (void) label_fix("/sys/fs/cgroup", 0);
392 (void) nftw("/sys/fs/cgroup", nftw_cb
, 64, FTW_MOUNT
|FTW_PHYS
|FTW_ACTIONRETVAL
);
394 if (st
.f_flags
& ST_RDONLY
)
395 (void) mount(NULL
, "/sys/fs/cgroup", NULL
, MS_REMOUNT
|MS_RDONLY
, NULL
);
398 return log_error_errno(r
, "Failed to determine whether we are in all unified mode: %m");
404 int mount_setup(bool loaded_policy
) {
407 r
= mount_points_setup(ELEMENTSOF(mount_table
), loaded_policy
);
411 #if HAVE_SELINUX || ENABLE_SMACK
412 /* Nodes in devtmpfs and /run need to be manually updated for
413 * the appropriate labels, after mounting. The other virtual
414 * API file systems like /sys and /proc do not need that, they
415 * use the same label for all their files. */
417 usec_t before_relabel
, after_relabel
;
418 char timespan
[FORMAT_TIMESPAN_MAX
];
420 before_relabel
= now(CLOCK_MONOTONIC
);
422 (void) nftw("/dev", nftw_cb
, 64, FTW_MOUNT
|FTW_PHYS
|FTW_ACTIONRETVAL
);
423 (void) nftw("/dev/shm", nftw_cb
, 64, FTW_MOUNT
|FTW_PHYS
|FTW_ACTIONRETVAL
);
424 (void) nftw("/run", nftw_cb
, 64, FTW_MOUNT
|FTW_PHYS
|FTW_ACTIONRETVAL
);
426 r
= relabel_cgroup_filesystems();
430 after_relabel
= now(CLOCK_MONOTONIC
);
432 log_info("Relabelled /dev, /run and /sys/fs/cgroup in %s.",
433 format_timespan(timespan
, sizeof(timespan
), after_relabel
- before_relabel
, 0));
437 /* Create a few default symlinks, which are normally created
438 * by udevd, but some scripts might need them before we start
440 dev_setup(NULL
, UID_INVALID
, GID_INVALID
);
442 /* Mark the root directory as shared in regards to mount propagation. The kernel defaults to "private", but we
443 * think it makes more sense to have a default of "shared" so that nspawn and the container tools work out of
444 * the box. If specific setups need other settings they can reset the propagation mode to private if
445 * needed. Note that we set this only when we are invoked directly by the kernel. If we are invoked by a
446 * container manager we assume the container manager knows what it is doing (for example, because it set up
447 * some directories with different propagation modes). */
448 if (detect_container() <= 0)
449 if (mount(NULL
, "/", NULL
, MS_REC
|MS_SHARED
, NULL
) < 0)
450 log_warning_errno(errno
, "Failed to set up the root directory for shared mount propagation: %m");
452 /* Create a few directories we always want around, Note that sd_booted() checks for /run/systemd/system, so
453 * this mkdir really needs to stay for good, otherwise software that copied sd-daemon.c into their sources will
454 * misdetect systemd. */
455 (void) mkdir_label("/run/systemd", 0755);
456 (void) mkdir_label("/run/systemd/system", 0755);
458 /* Set up inaccessible (and empty) file nodes of all types */
459 (void) mkdir_label("/run/systemd/inaccessible", 0000);
460 (void) mknod("/run/systemd/inaccessible/reg", S_IFREG
| 0000, 0);
461 (void) mkdir_label("/run/systemd/inaccessible/dir", 0000);
462 (void) mkfifo("/run/systemd/inaccessible/fifo", 0000);
463 (void) mknod("/run/systemd/inaccessible/sock", S_IFSOCK
| 0000, 0);
465 /* The following two are likely to fail if we lack the privs for it (for example in an userns environment, if
466 * CAP_SYS_MKNOD is missing, or if a device node policy prohibit major/minor of 0 device nodes to be
467 * created). But that's entirely fine. Consumers of these files should carry fallback to use a different node
468 * then, for example /run/systemd/inaccessible/sock, which is close enough in behaviour and semantics for most
470 (void) mknod("/run/systemd/inaccessible/chr", S_IFCHR
| 0000, makedev(0, 0));
471 (void) mknod("/run/systemd/inaccessible/blk", S_IFBLK
| 0000, makedev(0, 0));