1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 #include <sys/mount.h>
32 #include "mount-setup.h"
33 #include "dev-setup.h"
41 #include "path-util.h"
50 typedef enum MountMode {
53 MNT_IN_CONTAINER = 1 << 1,
56 typedef struct MountPoint {
62 bool (*condition_fn)(void);
66 /* The first three entries we might need before SELinux is up. The
67 * fourth (securityfs) is needed by IMA to load a custom policy. The
68 * other ones we can delay until SELinux and IMA are loaded. */
69 #define N_EARLY_MOUNT 5
71 static const MountPoint mount_table[] = {
72 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
73 NULL, MNT_FATAL|MNT_IN_CONTAINER },
74 { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
75 NULL, MNT_FATAL|MNT_IN_CONTAINER },
76 { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME,
77 NULL, MNT_FATAL|MNT_IN_CONTAINER },
78 { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
80 { "smackfs", "/sys/fs/smackfs", "smackfs", "smackfsdef=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
83 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
84 NULL, MNT_IN_CONTAINER },
86 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
87 NULL, MNT_FATAL|MNT_IN_CONTAINER },
88 { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
89 NULL, MNT_IN_CONTAINER },
91 { "tmpfs", "/run", "tmpfs", "mode=755,smackfstransmute=System::Run", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
92 NULL, MNT_IN_CONTAINER },
93 { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
94 NULL, MNT_IN_CONTAINER },
96 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
97 NULL, MNT_FATAL|MNT_IN_CONTAINER },
98 { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
99 NULL, MNT_IN_CONTAINER },
101 { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd,xattr", MS_NOSUID|MS_NOEXEC|MS_NODEV,
102 NULL, MNT_IN_CONTAINER },
104 { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV,
105 NULL, MNT_IN_CONTAINER },
106 { "pstore", "/sys/fs/pstore", "pstore", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
109 { "efivarfs", "/sys/firmware/efi/efivars", "efivarfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
110 is_efi_boot, MNT_NONE },
114 /* These are API file systems that might be mounted by other software,
115 * we just list them here so that we know that we should ignore them */
117 static const char ignore_paths[] =
118 /* SELinux file systems */
121 /* Legacy cgroup mount points */
124 /* Legacy kernel file system */
126 /* Container bind mounts */
131 bool mount_point_is_api(const char *path) {
134 /* Checks if this mount point is considered "API", and hence
135 * should be ignored */
137 for (i = 0; i < ELEMENTSOF(mount_table); i ++)
138 if (path_equal(path, mount_table[i].where))
141 return path_startswith(path, "/sys/fs/cgroup/");
144 bool mount_point_ignore(const char *path) {
147 NULSTR_FOREACH(i, ignore_paths)
148 if (path_equal(path, i))
154 static int mount_one(const MountPoint *p, bool relabel) {
159 if (p->condition_fn && !p->condition_fn())
162 /* Relabel first, just in case */
164 label_fix(p->where, true, true);
166 r = path_is_mount_point(p->where, true);
173 /* Skip securityfs in a container */
174 if (!(p->mode & MNT_IN_CONTAINER) && detect_container(NULL) > 0)
177 /* The access mode here doesn't really matter too much, since
178 * the mounted file system will take precedence anyway. */
179 mkdir_p_label(p->where, 0755);
181 log_debug("Mounting %s to %s of type %s with options %s.",
192 log_full((p->mode & MNT_FATAL) ? LOG_ERR : LOG_DEBUG, "Failed to mount %s: %s", p->where, strerror(errno));
193 return (p->mode & MNT_FATAL) ? -errno : 0;
196 /* Relabel again, since we now mounted something fresh here */
198 label_fix(p->where, false, false);
203 int mount_setup_early(void) {
207 assert_cc(N_EARLY_MOUNT <= ELEMENTSOF(mount_table));
209 /* Do a minimal mount of /proc and friends to enable the most
210 * basic stuff, such as SELinux */
211 for (i = 0; i < N_EARLY_MOUNT; i ++) {
214 j = mount_one(mount_table + i, false);
222 int mount_cgroup_controllers(char ***join_controllers) {
225 _cleanup_set_free_free_ Set *controllers = NULL;
226 _cleanup_fclose_ FILE *f;
228 /* Mount all available cgroup controllers that are built into the kernel. */
230 f = fopen("/proc/cgroups", "re");
232 log_error("Failed to enumerate cgroup controllers: %m");
236 controllers = set_new(string_hash_func, string_compare_func);
240 /* Ignore the header line */
241 (void) fgets(buf, sizeof(buf), f);
247 if (fscanf(f, "%ms %*i %*i %i", &controller, &enabled) != 2) {
252 log_error("Failed to parse /proc/cgroups.");
261 r = set_consume(controllers, controller);
263 log_error("Failed to add controller to set.");
272 .flags = MS_NOSUID|MS_NOEXEC|MS_NODEV,
273 .mode = MNT_IN_CONTAINER,
276 _cleanup_free_ char *options = NULL, *controller;
278 controller = set_steal_first(controllers);
282 if (join_controllers)
283 for (k = join_controllers; *k; k++)
284 if (strv_find(*k, controller))
290 for (i = *k, j = *k; *i; i++) {
292 if (!streq(*i, controller)) {
293 char _cleanup_free_ *t;
295 t = set_remove(controllers, *i);
307 options = strv_join(*k, ",");
311 options = controller;
315 p.where = strappenda("/sys/fs/cgroup/", options);
318 r = mount_one(&p, true);
322 if (r > 0 && k && *k) {
325 for (i = *k; *i; i++) {
326 char *t = strappenda("/sys/fs/cgroup/", *i);
328 r = symlink(options, t);
329 if (r < 0 && errno != EEXIST) {
330 log_error("Failed to create symlink %s: %m", t);
342 const struct stat *sb,
344 struct FTW *ftwbuf) {
346 /* No need to label /dev twice in a row... */
347 if (_unlikely_(ftwbuf->level == 0))
350 label_fix(fpath, false, false);
352 /* /run/initramfs is static data and big, no need to
353 * dynamically relabel its contents at boot... */
354 if (_unlikely_(ftwbuf->level == 1 &&
356 streq(fpath, "/run/initramfs")))
357 return FTW_SKIP_SUBTREE;
362 int mount_setup(bool loaded_policy) {
366 for (i = 0; i < ELEMENTSOF(mount_table); i ++) {
367 r = mount_one(mount_table + i, true);
373 /* Nodes in devtmpfs and /run need to be manually updated for
374 * the appropriate labels, after mounting. The other virtual
375 * API file systems like /sys and /proc do not need that, they
376 * use the same label for all their files. */
378 usec_t before_relabel, after_relabel;
379 char timespan[FORMAT_TIMESPAN_MAX];
381 before_relabel = now(CLOCK_MONOTONIC);
383 nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
384 nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
386 after_relabel = now(CLOCK_MONOTONIC);
388 log_info("Relabelled /dev and /run in %s.",
389 format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel, 0));
392 /* Create a few default symlinks, which are normally created
393 * by udevd, but some scripts might need them before we start
397 /* Mark the root directory as shared in regards to mount
398 * propagation. The kernel defaults to "private", but we think
399 * it makes more sense to have a default of "shared" so that
400 * nspawn and the container tools work out of the box. If
401 * specific setups need other settings they can reset the
402 * propagation mode to private if needed. */
403 if (detect_container(NULL) <= 0)
404 if (mount(NULL, "/", NULL, MS_REC|MS_SHARED, NULL) < 0)
405 log_warning("Failed to set up the root directory for shared mount propagation: %m");
407 /* Create a few directories we always want around, Note that
408 * sd_booted() checks for /run/systemd/system, so this mkdir
409 * really needs to stay for good, otherwise software that
410 * copied sd-daemon.c into their sources will misdetect
412 mkdir_label("/run/systemd", 0755);
413 mkdir_label("/run/systemd/system", 0755);
414 mkdir_label("/run/systemd/inaccessible", 0000);