-rw-r--r--Makefile.am3
-rw-r--r--man/systemd.mount.xml12
-rw-r--r--src/core/dbus-mount.c1
-rw-r--r--src/core/load-fragment-gperf.gperf.m41
-rw-r--r--src/core/mount.c36
-rw-r--r--src/core/mount.h1
-rw-r--r--src/core/unit-printf.c9
-rw-r--r--src/journal/journal-verify.c2
-rw-r--r--src/tmpfiles/tmpfiles.c3
-rw-r--r--units/tmp.mount.m4 (renamed from units/tmp.mount)3
10 files changed, 58 insertions, 13 deletions
diff --git a/Makefile.am b/Makefile.am
index fa25485b73..89eaf80575 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -616,7 +616,8 @@ EXTRA_DIST += \
units/initrd-udevadm-cleanup-db.service.in \
units/initrd-switch-root.service.in \
units/systemd-nspawn@.service.in \
- units/systemd-update-done.service.in
+ units/systemd-update-done.service.in \
+ units/tmp.mount.m4
if HAVE_SYSV_COMPAT
nodist_systemunit_DATA += \
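Review bot: The only Makefile.am change is the addition of `units/tmp.mount.m4` to `EXTRA_DIST`; the list through which `units/tmp.mount` gets installed lies outside this hunk and, judging by the diffstat, is untouched. If that is a distributed (`dist_`) list, the now-generated unit would end up in the tarball with the builder's `HAVE_SMACK` decision baked in. It probably needs to move to `nodist_systemunit_DATA`, which is worth confirming with `make distcheck`.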
diff --git a/man/systemd.mount.xml b/man/systemd.mount.xml
index ffffc56936..d3775ff830 100644
--- a/man/systemd.mount.xml
+++ b/man/systemd.mount.xml
@@ -324,6 +324,18 @@
</varlistentry>
<varlistentry>
+ <term><varname>SmackFileSystemRoot=</varname></term>
+ <listitem><para>Takes a string for the smack label.
+ This option specifies the label to assign the root of the
+ file system if it lacks the Smack extended attribute.
+ Note that this option will be ignored if kernel does not
+ support the Smack feature.
+ See <ulink
+ url="https://www.kernel.org/doc/Documentation/security/Smack.txt">Smack.txt</ulink>
+ for details. </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>TimeoutSec=</varname></term>
<listitem><para>Configures the time to wait for the mount
command to finish. If a command does not exit within the
diff --git a/src/core/dbus-mount.c b/src/core/dbus-mount.c
index 24813c6d20..dbee7fc908 100644
--- a/src/core/dbus-mount.c
+++ b/src/core/dbus-mount.c
@@ -117,6 +117,7 @@ const sd_bus_vtable bus_mount_vtable[] = {
SD_BUS_PROPERTY("ControlPID", "u", bus_property_get_pid, offsetof(Mount, control_pid), SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
SD_BUS_PROPERTY("DirectoryMode", "u", bus_property_get_mode, offsetof(Mount, directory_mode), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("SloppyOptions", "b", bus_property_get_bool, offsetof(Mount, sloppy_options), SD_BUS_VTABLE_PROPERTY_CONST),
+ SD_BUS_PROPERTY("SmackFileSystemRoot", "s", NULL, offsetof(Mount, smack_fs_root), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("Result", "s", property_get_result, offsetof(Mount, result), SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
BUS_EXEC_COMMAND_VTABLE("ExecMount", offsetof(Mount, exec_command[MOUNT_EXEC_MOUNT]), SD_BUS_VTABLE_PROPERTY_EMITS_INVALIDATION),
BUS_EXEC_COMMAND_VTABLE("ExecUnmount", offsetof(Mount, exec_command[MOUNT_EXEC_UNMOUNT]), SD_BUS_VTABLE_PROPERTY_EMITS_INVALIDATION),
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
index 89e624b557..507cfdde75 100644
--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@@ -319,6 +319,7 @@ Mount.Type, config_parse_string, 0,
Mount.TimeoutSec, config_parse_sec, 0, offsetof(Mount, timeout_usec)
Mount.DirectoryMode, config_parse_mode, 0, offsetof(Mount, directory_mode)
Mount.SloppyOptions, config_parse_bool, 0, offsetof(Mount, sloppy_options)
+Mount.SmackFileSystemRoot, config_parse_string, 0, offsetof(Mount, smack_fs_root)
EXEC_CONTEXT_CONFIG_ITEMS(Mount)m4_dnl
CGROUP_CONTEXT_CONFIG_ITEMS(Mount)m4_dnl
KILL_CONTEXT_CONFIG_ITEMS(Mount)m4_dnl
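Review bot: `Mount.SmackFileSystemRoot` is parsed with `config_parse_string`, which presumably accepts arbitrary text, so nothing on this line checks that the value is a well-formed Smack label before `mount_get_opts()` in src/core/mount.c splices it into the option string as `smackfsroot=<value>`. A value containing a comma would be read by mount as further options, and it is appended after the `nofail`/`noauto`/`auto` filter has already run. The unit author controls `Options=` anyway, so this is a robustness issue rather than a privilege one. A dedicated parser that rejects `,` and the characters a Smack label cannot contain would let a bad value fail at load time with a clear log message.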
diff --git a/src/core/mount.c b/src/core/mount.c
index 8611129453..0d1a9b9de7 100644
--- a/src/core/mount.c
+++ b/src/core/mount.c
@@ -39,6 +39,7 @@
#include "exit-status.h"
#include "fstab-util.h"
#include "formats-util.h"
+#include "smack-util.h"
#define RETRY_UMOUNT_MAX 32
@@ -202,6 +203,7 @@ static void mount_done(Unit *u) {
assert(m);
m->where = mfree(m->where);
+ m->smack_fs_root = mfree(m->smack_fs_root);
mount_parameters_done(&m->parameters_proc_self_mountinfo);
mount_parameters_done(&m->parameters_fragment);
@@ -666,7 +668,8 @@ static void mount_dump(Unit *u, FILE *f, const char *prefix) {
"%sOptions: %s\n"
"%sFrom /proc/self/mountinfo: %s\n"
"%sFrom fragment: %s\n"
- "%sDirectoryMode: %04o\n",
+ "%sDirectoryMode: %04o\n"
+ "%sSmackFileSystemRoot: %s\n",
prefix, mount_state_to_string(m->state),
prefix, mount_result_to_string(m->result),
prefix, m->where,
@@ -675,7 +678,8 @@ static void mount_dump(Unit *u, FILE *f, const char *prefix) {
prefix, p ? strna(p->options) : "n/a",
prefix, yes_no(m->from_proc_self_mountinfo),
prefix, yes_no(m->from_fragment),
- prefix, m->directory_mode);
+ prefix, m->directory_mode,
+ prefix, strna(m->smack_fs_root));
if (m->control_pid > 0)
fprintf(f,
@@ -852,6 +856,31 @@ fail:
mount_enter_mounted(m, MOUNT_FAILURE_RESOURCES);
}
+static int mount_get_opts(Mount *m, char **_opts) {
+ int r;
+ char *o = NULL, *opts = NULL;
+
+ r = fstab_filter_options(m->parameters_fragment.options,
+ "nofail\0" "noauto\0" "auto\0", NULL, NULL, &o);
+ if (r < 0)
+ return r;
+
+ if (mac_smack_use() && m->smack_fs_root) {
+ if (!isempty(o)) {
+ opts = strjoin(o, ",", "smackfsroot=", m->smack_fs_root, NULL);
+ free(o);
+ } else
+ opts = strjoin("smackfsroot=", m->smack_fs_root, NULL);
+
+ if (!opts)
+ return -ENOMEM;
+ } else
+ opts = o;
+
+ *_opts = opts;
+ return 0;
+}
+
static void mount_enter_mounting(Mount *m) {
int r;
MountParameters *p;
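Review bot: `mount_get_opts()` can leak `o` when Smack is in use: if `fstab_filter_options()` hands back an allocated but empty string, the `else` branch of `if (!isempty(o))` builds `opts` and never frees `o`, whether or not `strjoin()` succeeds. Declaring it as `_cleanup_free_ char *o = NULL;`, dropping the explicit `free(o);`, and transferring ownership in the non-Smack branch with `opts = o; o = NULL;` covers every path. Whether `fstab_filter_options()` can really return an empty non-NULL string is not visible in this hunk, so that part is inferred. `mount_enter_mounting()` starts at the end of the hunk and continues outside it.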
@@ -877,8 +906,7 @@ static void mount_enter_mounting(Mount *m) {
if (m->from_fragment) {
_cleanup_free_ char *opts = NULL;
- r = fstab_filter_options(m->parameters_fragment.options,
- "nofail\0" "noauto\0" "auto\0", NULL, NULL, &opts);
+ r = mount_get_opts(m, &opts);
if (r < 0)
goto fail;
diff --git a/src/core/mount.h b/src/core/mount.h
index 83d14ae713..4e28810f6c 100644
--- a/src/core/mount.h
+++ b/src/core/mount.h
@@ -71,6 +71,7 @@ struct Mount {
bool reset_cpu_usage:1;
bool sloppy_options;
+ char *smack_fs_root;
MountResult result;
MountResult reload_result;
diff --git a/src/core/unit-printf.c b/src/core/unit-printf.c
index 0889769d03..f327953266 100644
--- a/src/core/unit-printf.c
+++ b/src/core/unit-printf.c
@@ -63,10 +63,7 @@ static int specifier_instance_unescaped(char specifier, void *data, void *userda
assert(u);
- if (!u->instance)
- return -EINVAL;
-
- return unit_name_unescape(u->instance, ret);
+ return unit_name_unescape(strempty(u->instance), ret);
}
static int specifier_filename(char specifier, void *data, void *userdata, char **ret) {
@@ -128,6 +125,8 @@ static int specifier_cgroup_slice(char specifier, void *data, void *userdata, ch
n = unit_default_cgroup_path(slice);
} else
n = strdup(u->manager->cgroup_root);
+ if (!n)
+ return -ENOMEM;
*ret = n;
return 0;
@@ -166,7 +165,7 @@ static int specifier_user_name(char specifier, void *data, void *userdata, char
c = unit_get_exec_context(u);
if (!c)
- return -EINVAL;
+ return -EOPNOTSUPP;
if (u->manager->running_as == MANAGER_SYSTEM) {
diff --git a/src/journal/journal-verify.c b/src/journal/journal-verify.c
index 32d59c716f..4f1d125bb9 100644
--- a/src/journal/journal-verify.c
+++ b/src/journal/journal-verify.c
@@ -897,7 +897,7 @@ int journal_file_verify(
r = journal_file_object_verify(f, p, o);
if (r < 0) {
- error(p, "Envalid object contents: %s", strerror(-r));
+ error(p, "Invalid object contents: %s", strerror(-r));
goto fail;
}
diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index f636a4d33b..09b6ca5c2c 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -1585,8 +1585,7 @@ static int clean_item_instance(Item *i, const char* instance) {
if (fstatat(dirfd(d), "..", &ps, AT_SYMLINK_NOFOLLOW) != 0)
return log_error_errno(errno, "stat(%s/..) failed: %m", i->path);
- mountpoint = s.st_dev != ps.st_dev ||
- (s.st_dev == ps.st_dev && s.st_ino == ps.st_ino);
+ mountpoint = s.st_dev != ps.st_dev || s.st_ino == ps.st_ino;
log_debug("Cleanup threshold for %s \"%s\" is %s",
mountpoint ? "mount point" : "directory",
diff --git a/units/tmp.mount b/units/tmp.mount.m4
index 00a0d28722..e1e26bdfc0 100644
--- a/units/tmp.mount
+++ b/units/tmp.mount.m4
@@ -19,3 +19,6 @@ What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime
+m4_ifdef(`HAVE_SMACK',
+SmackFileSystemRoot=*
+)m4_dnl
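Review bot: The added `SmackFileSystemRoot=*` carries no comment explaining the choice of label. `*` is the Smack star label, on which every access request is granted. That fits a shared `mode=1777` tmpfs but is easy to copy by mistake into a mount that should stay restricted. A unit-file comment just above the `m4_ifdef`, such as `# Label the tmpfs root "*" so that every Smack subject can use /tmp`, would record the intent.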