-rw-r--r-- | Makefile.am | 3 | ||||
-rw-r--r-- | man/systemd.mount.xml | 12 | ||||
-rw-r--r-- | src/core/dbus-mount.c | 1 | ||||
-rw-r--r-- | src/core/load-fragment-gperf.gperf.m4 | 1 | ||||
-rw-r--r-- | src/core/mount.c | 36 | ||||
-rw-r--r-- | src/core/mount.h | 1 | ||||
-rw-r--r-- | src/core/unit-printf.c | 9 | ||||
-rw-r--r-- | src/journal/journal-verify.c | 2 | ||||
-rw-r--r-- | src/tmpfiles/tmpfiles.c | 3 | ||||
-rw-r--r-- | units/tmp.mount.m4 (renamed from units/tmp.mount) | 3 |
10 files changed, 58 insertions, 13 deletions
diff --git a/Makefile.am b/Makefile.am index fa25485b73..89eaf80575 100644 --- a/Makefile.am +++ b/Makefile.am @@ -616,7 +616,8 @@ EXTRA_DIST += \ units/initrd-udevadm-cleanup-db.service.in \ units/initrd-switch-root.service.in \ units/systemd-nspawn@.service.in \ - units/systemd-update-done.service.in + units/systemd-update-done.service.in \ + units/tmp.mount.m4 if HAVE_SYSV_COMPAT nodist_systemunit_DATA += \ diff --git a/man/systemd.mount.xml b/man/systemd.mount.xml index ffffc56936..d3775ff830 100644 --- a/man/systemd.mount.xml +++ b/man/systemd.mount.xml @@ -324,6 +324,18 @@ </varlistentry> <varlistentry> + <term><varname>SmackFileSystemRoot=</varname></term> + <listitem><para>Takes a string for the smack label. + This option specifies the label to assign the root of the + file system if it lacks the Smack extended attribute. + Note that this option will be ignored if kernel does not + support the Smack feature. + See <ulink + url="https://www.kernel.org/doc/Documentation/security/Smack.txt">Smack.txt</ulink> + for details. </para></listitem> + </varlistentry> + + <varlistentry> <term><varname>TimeoutSec=</varname></term> <listitem><para>Configures the time to wait for the mount command to finish. If a command does not exit within the diff --git a/src/core/dbus-mount.c b/src/core/dbus-mount.c index 24813c6d20..dbee7fc908 100644 --- a/src/core/dbus-mount.c +++ b/src/core/dbus-mount.c 
@@ -117,6 +117,7 @@ const sd_bus_vtable bus_mount_vtable[] = { SD_BUS_PROPERTY("ControlPID", "u", bus_property_get_pid, offsetof(Mount, control_pid), SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE), SD_BUS_PROPERTY("DirectoryMode", "u", bus_property_get_mode, offsetof(Mount, directory_mode), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("SloppyOptions", "b", bus_property_get_bool, offsetof(Mount, sloppy_options), SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("SmackFileSystemRoot", "s", NULL, offsetof(Mount, smack_fs_root), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("Result", "s", property_get_result, offsetof(Mount, result), SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE), BUS_EXEC_COMMAND_VTABLE("ExecMount", offsetof(Mount, exec_command[MOUNT_EXEC_MOUNT]), SD_BUS_VTABLE_PROPERTY_EMITS_INVALIDATION), BUS_EXEC_COMMAND_VTABLE("ExecUnmount", offsetof(Mount, exec_command[MOUNT_EXEC_UNMOUNT]), SD_BUS_VTABLE_PROPERTY_EMITS_INVALIDATION), diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4 index 89e624b557..507cfdde75 100644 --- a/src/core/load-fragment-gperf.gperf.m4 +++ b/src/core/load-fragment-gperf.gperf.m4 @@ -319,6 +319,7 @@ Mount.Type, config_parse_string, 0, Mount.TimeoutSec, config_parse_sec, 0, offsetof(Mount, timeout_usec) Mount.DirectoryMode, config_parse_mode, 0, offsetof(Mount, directory_mode) Mount.SloppyOptions, config_parse_bool, 0, offsetof(Mount, sloppy_options) +Mount.SmackFileSystemRoot, config_parse_string, 0, offsetof(Mount, smack_fs_root) EXEC_CONTEXT_CONFIG_ITEMS(Mount)m4_dnl CGROUP_CONTEXT_CONFIG_ITEMS(Mount)m4_dnl KILL_CONTEXT_CONFIG_ITEMS(Mount)m4_dnl diff --git a/src/core/mount.c b/src/core/mount.c index 8611129453..0d1a9b9de7 100644 --- a/src/core/mount.c +++ b/src/core/mount.c @@ -39,6 +39,7 @@ #include "exit-status.h" #include "fstab-util.h" #include "formats-util.h" +#include "smack-util.h" #define RETRY_UMOUNT_MAX 32 
@@ -202,6 +203,7 @@ static void mount_done(Unit *u) { assert(m); m->where = mfree(m->where); + m->smack_fs_root = mfree(m->smack_fs_root); mount_parameters_done(&m->parameters_proc_self_mountinfo); mount_parameters_done(&m->parameters_fragment); @@ -666,7 +668,8 @@ static void mount_dump(Unit *u, FILE *f, const char *prefix) { "%sOptions: %s\n" "%sFrom /proc/self/mountinfo: %s\n" "%sFrom fragment: %s\n" - "%sDirectoryMode: %04o\n", + "%sDirectoryMode: %04o\n" + "%sSmackFileSystemRoot: %s\n", prefix, mount_state_to_string(m->state), prefix, mount_result_to_string(m->result), prefix, m->where, @@ -675,7 +678,8 @@ static void mount_dump(Unit *u, FILE *f, const char *prefix) { prefix, p ? strna(p->options) : "n/a", prefix, yes_no(m->from_proc_self_mountinfo), prefix, yes_no(m->from_fragment), - prefix, m->directory_mode); + prefix, m->directory_mode, + prefix, strna(m->smack_fs_root)); if (m->control_pid > 0) fprintf(f, @@ -852,6 +856,31 @@ fail: mount_enter_mounted(m, MOUNT_FAILURE_RESOURCES); } +static int mount_get_opts(Mount *m, char **_opts) { + int r; + char *o = NULL, *opts = NULL; + + r = fstab_filter_options(m->parameters_fragment.options, + "nofail\0" "noauto\0" "auto\0", NULL, NULL, &o); + if (r < 0) + return r; + + if (mac_smack_use() && m->smack_fs_root) { + if (!isempty(o)) { + opts = strjoin(o, ",", "smackfsroot=", m->smack_fs_root, NULL); + free(o); + } else + opts = strjoin("smackfsroot=", m->smack_fs_root, NULL); + + if (!opts) + return -ENOMEM; + } else + opts = o; + + *_opts = opts; + return 0; +} + static void mount_enter_mounting(Mount *m) { int r; MountParameters *p; @@ -877,8 +906,7 @@ static void mount_enter_mounting(Mount *m) { if (m->from_fragment) { _cleanup_free_ char *opts = NULL; - r = fstab_filter_options(m->parameters_fragment.options, - "nofail\0" "noauto\0" "auto\0", NULL, NULL, &opts); + r = mount_get_opts(m, &opts); if (r < 0) goto fail; diff --git a/src/core/mount.h b/src/core/mount.h index 83d14ae713..4e28810f6c 100644 
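Review bot: `mount_get_opts()` leaks `o` if `fstab_filter_options()` can return an allocated empty string: with Smack in use, the `else` branch builds `opts` from the label alone and never frees `o`. Declaring it as `_cleanup_free_ char *o = NULL;`, dropping the explicit `free(o);`, and handing ownership over in the last branch with `opts = o; o = NULL;` covers every path, including the `-ENOMEM` return. Separately, `m->smack_fs_root` is read with `config_parse_string` and joined into the option string unchecked, so a value containing a comma would presumably be passed to mount as additional options. If only a single label is intended, rejecting such values at parse time would make that explicit.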
--- a/src/core/mount.h +++ b/src/core/mount.h @@ -71,6 +71,7 @@ struct Mount { bool reset_cpu_usage:1; bool sloppy_options; + char *smack_fs_root; MountResult result; MountResult reload_result; diff --git a/src/core/unit-printf.c b/src/core/unit-printf.c index 0889769d03..f327953266 100644 --- a/src/core/unit-printf.c +++ b/src/core/unit-printf.c @@ -63,10 +63,7 @@ static int specifier_instance_unescaped(char specifier, void *data, void *userda assert(u); - if (!u->instance) - return -EINVAL; - - return unit_name_unescape(u->instance, ret); + return unit_name_unescape(strempty(u->instance), ret); } static int specifier_filename(char specifier, void *data, void *userdata, char **ret) { @@ -128,6 +125,8 @@ static int specifier_cgroup_slice(char specifier, void *data, void *userdata, ch n = unit_default_cgroup_path(slice); } else n = strdup(u->manager->cgroup_root); + if (!n) + return -ENOMEM; *ret = n; return 0; @@ -166,7 +165,7 @@ static int specifier_user_name(char specifier, void *data, void *userdata, char c = unit_get_exec_context(u); if (!c) - return -EINVAL; + return -EOPNOTSUPP; if (u->manager->running_as == MANAGER_SYSTEM) { diff --git a/src/journal/journal-verify.c b/src/journal/journal-verify.c index 32d59c716f..4f1d125bb9 100644 --- a/src/journal/journal-verify.c +++ b/src/journal/journal-verify.c @@ -897,7 +897,7 @@ int journal_file_verify( r = journal_file_object_verify(f, p, o); if (r < 0) { - error(p, "Envalid object contents: %s", strerror(-r)); + error(p, "Invalid object contents: %s", strerror(-r)); goto fail; } diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c index f636a4d33b..09b6ca5c2c 100644 --- a/src/tmpfiles/tmpfiles.c +++ b/src/tmpfiles/tmpfiles.c 
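Review bot: Nothing at the new return in `specifier_instance_unescaped()` says that expanding `%I` to an empty string for a unit without an instance is intended; this path used to return `-EINVAL`. A setting that embeds `%I` in a path would now resolve to the parent directory instead of being rejected, so the choice deserves a comment, e.g. `/* Non-instantiated units: expand to the empty string instead of failing */`. The function begins outside the hunk, so whether any caller relied on the old error cannot be seen from here.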
@@ -1585,8 +1585,7 @@ static int clean_item_instance(Item *i, const char* instance) { if (fstatat(dirfd(d), "..", &ps, AT_SYMLINK_NOFOLLOW) != 0) return log_error_errno(errno, "stat(%s/..) failed: %m", i->path); - mountpoint = s.st_dev != ps.st_dev || - (s.st_dev == ps.st_dev && s.st_ino == ps.st_ino); + mountpoint = s.st_dev != ps.st_dev || s.st_ino == ps.st_ino; log_debug("Cleanup threshold for %s \"%s\" is %s", mountpoint ? "mount point" : "directory", diff --git a/units/tmp.mount b/units/tmp.mount.m4 index 00a0d28722..e1e26bdfc0 100644 --- a/units/tmp.mount +++ b/units/tmp.mount.m4 @@ -19,3 +19,6 @@ What=tmpfs Where=/tmp Type=tmpfs Options=mode=1777,strictatime +m4_ifdef(`HAVE_SMACK', +SmackFileSystemRoot=* +)m4_dnl |
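Review bot: `SmackFileSystemRoot=*` in `units/tmp.mount.m4` has no comment explaining the choice of the star label, which Smack treats as accessible to every subject. That fits a world-writable `/tmp` (`Options=mode=1777`), but a reader unfamiliar with Smack cannot tell that it is deliberate rather than a placeholder. A line such as `# "*" lets every Smack label reach the /tmp root, matching mode=1777` next to the setting would record the intent.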