diff options
author | Kay Sievers <kay@vrfy.org> | 2012-11-04 17:03:48 +0100 |
---|---|---|
committer | Kay Sievers <kay@vrfy.org> | 2012-11-04 17:03:48 +0100 |
commit | 6aa220e019f9dffd96590b06b68f937985204109 (patch) | |
tree | 86e91de1102d45be483eb6c74d20e05b32a6bc4b | |
parent | 3dfb265083347cb5700dc38f7cc0f479f378e6e9 (diff) |
mount-setup: try mounting 'efivarfs' only if the system bootet with EFI
-rw-r--r-- | TODO | 3 | ||||
-rw-r--r-- | src/core/mount-setup.c | 50 |
2 files changed, 34 insertions, 19 deletions
@@ -1,7 +1,4 @@ Bugfixes: -* mount efivars only if /sys/firmware/efi/ exists - (add *condition callback to API mounts array and check for directory) - * check systemd-tmpfiles for selinux context hookup for mknod(), symlink() and similar * swap units that are activated by one name but shown in the kernel under another are semi-broken diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c index 9894c7fddf..98614d0c3e 100644 --- a/src/core/mount-setup.c +++ b/src/core/mount-setup.c @@ -46,14 +46,20 @@ #define TTY_GID 5 #endif +typedef enum MountMode { + MNT_NONE = 0, + MNT_FATAL = 1 << 0, + MNT_IN_CONTAINER = 1 << 1, +} MountMode; + typedef struct MountPoint { const char *what; const char *where; const char *type; const char *options; unsigned long flags; - bool fatal; - bool in_container; + bool (*condition_fn)(void); + MountMode mode; } MountPoint; /* The first three entries we might need before SELinux is up. The @@ -62,16 +68,26 @@ typedef struct MountPoint { #define N_EARLY_MOUNT 4 static const MountPoint mount_table[] = { - { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true, true }, - { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true, true }, - { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true, true }, - { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false }, - { "efivarfs", "/sys/firmware/efi/efivars", "efivarfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false }, - { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true, true }, - { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, false, true }, - { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true, true }, - { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, false, true }, - { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, true }, + { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, + NULL, MNT_FATAL|MNT_IN_CONTAINER }, + { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, + NULL, MNT_FATAL|MNT_IN_CONTAINER }, + { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, + NULL, MNT_FATAL|MNT_IN_CONTAINER }, + { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, + NULL, MNT_NONE }, + { "efivarfs", "/sys/firmware/efi/efivars", "efivarfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, + is_efiboot, MNT_NONE }, + { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, + NULL, MNT_FATAL|MNT_IN_CONTAINER }, + { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, + NULL, MNT_IN_CONTAINER }, + { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, + NULL, MNT_FATAL|MNT_IN_CONTAINER }, + { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, + NULL, MNT_IN_CONTAINER }, + { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV, + NULL, MNT_IN_CONTAINER }, }; /* These are API file systems that might be mounted by other software, @@ -119,6 +135,9 @@ static int mount_one(const MountPoint *p, bool relabel) { assert(p); + if (p->condition_fn && !p->condition_fn()) + return 0; + /* Relabel first, just in case */ if (relabel) label_fix(p->where, true, true); @@ -131,7 +150,7 @@ static int mount_one(const MountPoint *p, bool relabel) { return 0; /* Skip securityfs in a container */ - if (!p->in_container && detect_container(NULL) > 0) + if (!(p->mode & MNT_IN_CONTAINER) && detect_container(NULL) > 0) return 0; /* The access mode here doesn't really matter too much, since @@ -149,8 +168,8 @@ static int mount_one(const MountPoint *p, bool relabel) { p->type, p->flags, p->options) < 0) { - log_full(p->fatal ? LOG_ERR : LOG_DEBUG, "Failed to mount %s: %s", p->where, strerror(errno)); - return p->fatal ? -errno : 0; + log_full((p->mode & MNT_FATAL) ? LOG_ERR : LOG_DEBUG, "Failed to mount %s: %s", p->where, strerror(errno)); + return (p->mode & MNT_FATAL) ? -errno : 0; } /* Relabel again, since we now mounted something fresh here */ @@ -289,7 +308,6 @@ int mount_cgroup_controllers(char ***join_controllers) { p.type = "cgroup"; p.options = options; p.flags = MS_NOSUID|MS_NOEXEC|MS_NODEV; - p.fatal = false; r = mount_one(&p, true); free(controller); |