mount-setup.c revision cf0fbc49e67b55f8d346fc94de28c90113505297
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering This file is part of systemd.
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering Copyright 2010 Lennart Poettering
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering systemd is free software; you can redistribute it and/or modify it
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering under the terms of the GNU Lesser General Public License as published by
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering the Free Software Foundation; either version 2.1 of the License, or
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering (at your option) any later version.
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering systemd is distributed in the hope that it will be useful, but
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering WITHOUT ANY WARRANTY; without even the implied warranty of
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering Lesser General Public License for more details.
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering You should have received a copy of the GNU Lesser General Public License
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering along with systemd; If not, see <http://www.gnu.org/licenses/>.
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poetteringtypedef struct MountPoint {
de190aef08bb267b645205a747762df573b36834Lennart Poettering unsigned long flags;
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering/* The first three entries we might need before SELinux is up. The
de190aef08bb267b645205a747762df573b36834Lennart Poettering * fourth (securityfs) is needed by IMA to load a custom policy. The
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering * other ones we can delay until SELinux and IMA are loaded. When
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering * SMACK is enabled we need smackfs, too, so it's a fifth one. */
/* Each visible entry lists, in order, what appear to be the mount source,
 * the mount point, the filesystem type, the option string (or NULL) and the
 * MS_* mount flags. Most entries are cut off after the flags in this
 * listing, so their condition and mode fields are not shown. */
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
de190aef08bb267b645205a747762df573b36834Lennart Poettering { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
/* /dev: only MS_NOSUID (plus MS_STRICTATIME) is set. Unlike the sysfs and
 * proc entries above, neither MS_NODEV nor MS_NOEXEC is requested here. */
de190aef08bb267b645205a747762df573b36834Lennart Poettering { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME,
de190aef08bb267b645205a747762df573b36834Lennart Poettering { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
de190aef08bb267b645205a747762df573b36834Lennart Poettering { "smackfs", "/sys/fs/smackfs", "smackfs", "smackfsdef=*", MS_NOSUID|MS_NOEXEC|MS_NODEV,
/* /dev/shm appears twice: once with "smackfsroot=*" in the options and once
 * without. What selects between the two variants is on lines this listing
 * does not show.
 * NOTE(review): /dev/shm is world-writable with the sticky bit (mode=1777)
 * and carries MS_NOSUID|MS_NODEV but not MS_NOEXEC. Hosts whose policy
 * requires noexec here should confirm that something else applies it. */
de190aef08bb267b645205a747762df573b36834Lennart Poettering { "tmpfs", "/dev/shm", "tmpfs", "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
de190aef08bb267b645205a747762df573b36834Lennart Poettering { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
/* devpts: nodes are created mode 620 with group TTY_GID. MS_NODEV is not
 * set; this filesystem holds the pty device nodes. */
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
/* /run: same pair of variants as /dev/shm (with and without
 * "smackfsroot=*"), mode=755, MS_NOSUID|MS_NODEV and no MS_NOEXEC. */
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering { "tmpfs", "/run", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
/* cgroup filesystem mounted directly on /sys/fs/cgroup with the
 * "__DEVEL__sane_behavior" option; the entry names cg_is_unified_wanted and
 * is flagged MNT_FATAL|MNT_IN_CONTAINER. */
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering { "cgroup", "/sys/fs/cgroup", "cgroup", "__DEVEL__sane_behavior", MS_NOSUID|MS_NOEXEC|MS_NODEV,
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering cg_is_unified_wanted, MNT_FATAL|MNT_IN_CONTAINER },
/* Alternative for the same mount point: a tmpfs (mode=755) at
 * /sys/fs/cgroup; this entry names cg_is_legacy_wanted instead. */
de190aef08bb267b645205a747762df573b36834Lennart Poettering { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering cg_is_legacy_wanted, MNT_FATAL|MNT_IN_CONTAINER },
/* Two entries for the name=systemd hierarchy, the first requesting xattr
 * support. Presumably the second is the fallback when the first cannot be
 * mounted; the first entry's trailing fields are not visible here, so
 * confirm against the full file. */
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd,xattr", MS_NOSUID|MS_NOEXEC|MS_NODEV,
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV,
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering cg_is_legacy_wanted, MNT_FATAL|MNT_IN_CONTAINER },
/* The remaining entries all request MS_NOSUID|MS_NOEXEC|MS_NODEV and pass
 * no option string. */
de190aef08bb267b645205a747762df573b36834Lennart Poettering { "pstore", "/sys/fs/pstore", "pstore", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
0ac38b707212e9aa40e25d65ffbae648cc9116f5Lennart Poettering { "efivarfs", "/sys/firmware/efi/efivars", "efivarfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering { "kdbusfs", "/sys/fs/kdbus", "kdbusfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
6ad1d1c30621280bfad3e63fcc1c7ceb7d8ffa98Lennart Poettering/* These are API file systems that might be mounted by other software;
87d2c1ff6a7375f03476767e6f59454bcc5cd04bLennart Poettering * we just list them here so that we know that we should ignore them */
static const char ignore_paths[] =
assert(p);
if (relabel)
if (r < 0 && r != -ENOENT)
if (relabel)
p->what,
p->where,
p->type,
p->where,
p->type,
p->flags,
p->options) < 0) {
/* Report the mount failure (%m expands to the errno text). Severity follows
 * the entry's MNT_FATAL bit: LOG_ERR when it is set, LOG_DEBUG otherwise, so
 * a failed mount of an entry without MNT_FATAL is typically only visible
 * with debug logging enabled. */
log_full((p->mode & MNT_FATAL) ? LOG_ERR : LOG_DEBUG, "Failed to mount %s at %s: %m", p->type, p->where);
if (relabel)
int mount_setup_early(void) {
for (i = 0; i < N_EARLY_MOUNT; i ++) {
if (!cg_is_legacy_wanted())
if (!controllers)
return log_oom();
MountPoint p = {
char ***k = NULL;
if (!controller)
if (join_controllers)
for (k = join_controllers; *k; k++)
_cleanup_free_ char *t;
free(*i);
*j = NULL;
if (!options)
return log_oom();
if (!where)
return log_oom();
r = mount_one(&p, true);
return log_oom();
#ifdef SMACK_RUN_LABEL
if (r < 0 && r != -EOPNOTSUPP)
/* Remount the tmpfs at /sys/fs/cgroup read-only (MS_REMOUNT|MS_RDONLY),
 * keeping nosuid/noexec/nodev/strictatime and mode=755. The result is cast
 * to void: a failed remount is neither logged nor propagated by this
 * statement, and the tmpfs would then stay writable. */
(void) mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY, "mode=755");
static int nftw_cb(
const char *fpath,
int tflag,
return FTW_CONTINUE;
return FTW_SKIP_SUBTREE;
return FTW_CONTINUE;
if (loaded_policy) {
if (detect_container() <= 0)
* copied sd-daemon.c into their sources will misdetect