mount-setup.c revision 08e1fb68d78b4adf26cce8387fc428b9e370bcf4
45632c3574ce843b9e85b9f73efe75b7b809f789slive/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd/***
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd This file is part of systemd.
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd Copyright 2010 Lennart Poettering
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd systemd is free software; you can redistribute it and/or modify it
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd under the terms of the GNU Lesser General Public License as published by
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd the Free Software Foundation; either version 2.1 of the License, or
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd (at your option) any later version.
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd systemd is distributed in the hope that it will be useful, but
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd WITHOUT ANY WARRANTY; without even the implied warranty of
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd Lesser General Public License for more details.
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd You should have received a copy of the GNU Lesser General Public License
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd along with systemd; If not, see <http://www.gnu.org/licenses/>.
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd***/
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd#include <sys/mount.h>
ad74a0524a06bfe11b7de9e3b4ce7233ab3bd3f7nd#include <errno.h>
ad74a0524a06bfe11b7de9e3b4ce7233ab3bd3f7nd#include <sys/stat.h>
ad74a0524a06bfe11b7de9e3b4ce7233ab3bd3f7nd#include <stdlib.h>
ad74a0524a06bfe11b7de9e3b4ce7233ab3bd3f7nd#include <string.h>
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd#include <libgen.h>
fe4f1730693292317276e92e62e219422407c949nd#include <assert.h>
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd#include <unistd.h>
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd#include <ftw.h>
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd
a12dd6260a66f51e25119982390def72e2db4be5nd#include "mount-setup.h"
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd#include "log.h"
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd#include "macro.h"
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd#include "util.h"
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd#include "label.h"
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd#include "set.h"
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd#include "strv.h"
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd#include "mkdir.h"
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd#ifndef TTY_GID
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd#define TTY_GID 5
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd#endif
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26ndtypedef struct MountPoint {
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd const char *what;
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd const char *where;
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd const char *type;
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd const char *options;
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd unsigned long flags;
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd bool fatal;
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd} MountPoint;
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd/* The first three entries we might need before SELinux is up. The
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd * fourth (securityfs) is needed by IMA to load a custom policy. The
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd * other ones we can delay until SELinux and IMA are loaded. */
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd#define N_EARLY_MOUNT 4
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26ndstatic const MountPoint mount_table[] = {
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true },
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, false },
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, false },
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, false },
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV, false },
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd};
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd/* These are API file systems that might be mounted by other software,
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd * we just list them here so that we know that we should ignore them */
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26ndstatic const char * const ignore_paths[] = {
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd "/sys/fs/selinux",
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd "/selinux",
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd "/proc/bus/usb"
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd};
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26ndbool mount_point_is_api(const char *path) {
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd unsigned i;
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd /* Checks if this mount point is considered "API", and hence
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd * should be ignored */
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd
ad74a0524a06bfe11b7de9e3b4ce7233ab3bd3f7nd for (i = 0; i < ELEMENTSOF(mount_table); i ++)
ad74a0524a06bfe11b7de9e3b4ce7233ab3bd3f7nd if (path_equal(path, mount_table[i].where))
ad74a0524a06bfe11b7de9e3b4ce7233ab3bd3f7nd return true;
ad74a0524a06bfe11b7de9e3b4ce7233ab3bd3f7nd
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd return path_startswith(path, "/sys/fs/cgroup/");
35714556a25fceb7c9bf9c4e01791b2e2a4c27c3nd}
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26nd
29fb68cf24dbdb4985cbb4734cb6074ea4bbab26ndbool mount_point_ignore(const char *path) {
unsigned i;
for (i = 0; i < ELEMENTSOF(ignore_paths); i++)
if (path_equal(path, ignore_paths[i]))
return true;
return false;
}
static int mount_one(const MountPoint *p, bool relabel) {
int r;
assert(p);
/* Relabel first, just in case */
if (relabel)
label_fix(p->where, true);
if ((r = path_is_mount_point(p->where, true)) < 0)
return r;
if (r > 0)
return 0;
/* The access mode here doesn't really matter too much, since
* the mounted file system will take precedence anyway. */
mkdir_p(p->where, 0755);
log_debug("Mounting %s to %s of type %s with options %s.",
p->what,
p->where,
p->type,
strna(p->options));
if (mount(p->what,
p->where,
p->type,
p->flags,
p->options) < 0) {
log_error("Failed to mount %s: %s", p->where, strerror(errno));
return p->fatal ? -errno : 0;
}
/* Relabel again, since we now mounted something fresh here */
if (relabel)
label_fix(p->where, false);
return 1;
}
int mount_setup_early(void) {
unsigned i;
int r = 0;
assert_cc(N_EARLY_MOUNT <= ELEMENTSOF(mount_table));
/* Do a minimal mount of /proc and friends to enable the most
* basic stuff, such as SELinux */
for (i = 0; i < N_EARLY_MOUNT; i ++) {
int j;
j = mount_one(mount_table + i, false);
if (r == 0)
r = j;
}
return r;
}
int mount_cgroup_controllers(char ***join_controllers) {
int r;
FILE *f;
char buf[LINE_MAX];
Set *controllers;
/* Mount all available cgroup controllers that are built into the kernel. */
f = fopen("/proc/cgroups", "re");
if (!f) {
log_error("Failed to enumerate cgroup controllers: %m");
return 0;
}
controllers = set_new(string_hash_func, string_compare_func);
if (!controllers) {
r = -ENOMEM;
log_error("Failed to allocate controller set.");
goto finish;
}
/* Ignore the header line */
(void) fgets(buf, sizeof(buf), f);
for (;;) {
char *controller;
int enabled = 0;
if (fscanf(f, "%ms %*i %*i %i", &controller, &enabled) != 2) {
if (feof(f))
break;
log_error("Failed to parse /proc/cgroups.");
r = -EIO;
goto finish;
}
if (!enabled) {
free(controller);
continue;
}
r = set_put(controllers, controller);
if (r < 0) {
log_error("Failed to add controller to set.");
free(controller);
goto finish;
}
}
for (;;) {
MountPoint p;
char *controller, *where, *options;
char ***k = NULL;
controller = set_steal_first(controllers);
if (!controller)
break;
if (join_controllers)
for (k = join_controllers; *k; k++)
if (strv_find(*k, controller))
break;
if (k && *k) {
char **i, **j;
for (i = *k, j = *k; *i; i++) {
if (!streq(*i, controller)) {
char *t;
t = set_remove(controllers, *i);
if (!t) {
free(*i);
continue;
}
free(t);
}
*(j++) = *i;
}
*j = NULL;
options = strv_join(*k, ",");
if (!options) {
log_error("Failed to join options");
free(controller);
r = -ENOMEM;
goto finish;
}
} else {
options = controller;
controller = NULL;
}
where = strappend("/sys/fs/cgroup/", options);
if (!where) {
log_error("Failed to build path");
free(options);
r = -ENOMEM;
goto finish;
}
zero(p);
p.what = "cgroup";
p.where = where;
p.type = "cgroup";
p.options = options;
p.flags = MS_NOSUID|MS_NOEXEC|MS_NODEV;
p.fatal = false;
r = mount_one(&p, true);
free(controller);
free(where);
if (r < 0) {
free(options);
goto finish;
}
if (r > 0 && k && *k) {
char **i;
for (i = *k; *i; i++) {
char *t;
t = strappend("/sys/fs/cgroup/", *i);
if (!t) {
log_error("Failed to build path");
r = -ENOMEM;
free(options);
goto finish;
}
r = symlink(options, t);
free(t);
if (r < 0 && errno != EEXIST) {
log_error("Failed to create symlink: %m");
r = -errno;
free(options);
goto finish;
}
}
}
free(options);
}
r = 0;
finish:
set_free_free(controllers);
fclose(f);
return r;
}
static int symlink_and_label(const char *old_path, const char *new_path) {
int r;
assert(old_path);
assert(new_path);
if ((r = label_symlinkfile_set(new_path)) < 0)
return r;
if (symlink(old_path, new_path) < 0)
r = -errno;
label_file_clear();
return r;
}
static int nftw_cb(
const char *fpath,
const struct stat *sb,
int tflag,
struct FTW *ftwbuf) {
/* No need to label /dev twice in a row... */
if (_unlikely_(ftwbuf->level == 0))
return FTW_CONTINUE;
label_fix(fpath, true);
/* /run/initramfs is static data and big, no need to
* dynamically relabel its contents at boot... */
if (_unlikely_(ftwbuf->level == 1 &&
tflag == FTW_D &&
streq(fpath, "/run/initramfs")))
return FTW_SKIP_SUBTREE;
return FTW_CONTINUE;
};
int mount_setup(bool loaded_policy) {
static const char symlinks[] =
"/proc/kcore\0" "/dev/core\0"
"/proc/self/fd\0" "/dev/fd\0"
"/proc/self/fd/0\0" "/dev/stdin\0"
"/proc/self/fd/1\0" "/dev/stdout\0"
"/proc/self/fd/2\0" "/dev/stderr\0";
static const char relabel[] =
"/run/initramfs/root-fsck\0"
"/run/initramfs/shutdown\0";
int r;
unsigned i;
const char *j, *k;
for (i = 0; i < ELEMENTSOF(mount_table); i ++) {
r = mount_one(mount_table + i, true);
if (r < 0)
return r;
}
/* Nodes in devtmpfs and /run need to be manually updated for
* the appropriate labels, after mounting. The other virtual
* API file systems like /sys and /proc do not need that, they
* use the same label for all their files. */
if (loaded_policy) {
usec_t before_relabel, after_relabel;
char timespan[FORMAT_TIMESPAN_MAX];
before_relabel = now(CLOCK_MONOTONIC);
nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
/* Explicitly relabel these */
NULSTR_FOREACH(j, relabel)
label_fix(j, true);
after_relabel = now(CLOCK_MONOTONIC);
log_info("Relabelled /dev and /run in %s.",
format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel));
}
/* Create a few default symlinks, which are normally created
* by udevd, but some scripts might need them before we start
* udevd. */
NULSTR_FOREACH_PAIR(j, k, symlinks)
symlink_and_label(j, k);
/* Create a few directories we always want around */
label_mkdir("/run/systemd", 0755);
label_mkdir("/run/systemd/system", 0755);
return 0;
}