18988181302

Committed 31 Oct 2025 09:30PM UTC coverage: 72.241% (+0.2%) from 72.046%

Build # 18988181302

Build Type

push

github

Committed by

web-flow

Commit Message

core: Add RootDirectoryFileDescriptor= (#39480)

RootDirectory= but via a open_tree() file descriptor. This allows
setting up the execution environment for a service by the client in a
mount namespace and then starting a transient unit in that execution
environment using the new property.

We also add --root-directory= and --same-root-dir= to systemd-run to
have it run services within the given root directory. As systemd-run
might be invoked from a different mount namespace than what systemd is
running in, systemd-run opens the given path with open_tree() and then
sends it to systemd using the new RootDirectoryFileDescriptor= property.

Run Details

45 of 76 new or added lines in 8 files covered. (59.21%)

2101 existing lines in 44 files now uncovered.

305020 of 422226 relevant lines covered (72.24%)

1081585.12 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

56.07

/src/shared/mount-setup.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <sys/mount.h>
#include <unistd.h>

#include "alloc-util.h"
#include "conf-files.h"
#include "dev-setup.h"
#include "efivars.h"
#include "errno-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "label-util.h"
#include "log.h"
#include "mkdir-label.h"
#include "mount-setup.h"
#include "mount-util.h"
#include "mountpoint-util.h"
#include "path-util.h"
#include "recurse-dir.h"
#include "smack-util.h"
#include "string-util.h"
#include "strv.h"
#include "time-util.h"
#include "virt.h"

typedef enum MountMode {
        MNT_FATAL             = 1 << 0,
        MNT_IN_CONTAINER      = 1 << 1,
        MNT_CHECK_WRITABLE    = 1 << 2,
        MNT_FOLLOW_SYMLINK    = 1 << 3,
} MountMode;

typedef struct MountPoint {
        const char *what;
        const char *where;
        const char *type;
        const char *options;
        int (*options_fn)(int priority, const char *type, char **ret);
        unsigned long flags;
        MountMode mode;
        bool (*condition_fn)(void);
} MountPoint;

static int cgroupfs_mount_options(int priority, const char *type, char **ret) {
        int r;

        assert(type);
        assert(streq(type, "cgroup2"));
        assert(ret);

        _cleanup_free_ char *opts = NULL;
        FOREACH_STRING(o, "memory_recursiveprot", "memory_hugetlb_accounting") {
                r = mount_option_supported("cgroup2", o, /* value = */ NULL);
                if (r < 0)
                        log_full_errno(priority, r, "Failed to determine whether cgroupfs supports '%s' mount option, assuming not: %m", o);
                else if (r == 0)
                        log_debug("'%s' not supported by cgroupfs, not using mount option.", o);
                else if (!strextend_with_separator(&opts, ",", o))
                        return log_oom_full(priority);
        }

        *ret = TAKE_PTR(opts);
        return 0;
}

int mount_cgroupfs(const char *path) {
        int r;

        assert(path);

        /* Mount a separate cgroupfs instance, taking all options we initial set into account. This is
         * especially useful when cgroup namespace is *not* employed, since the kernel overrides all
         * previous options if a new mount is established in initial cgns (c.f.
         * https://github.com/torvalds/linux/blob/b69bb476dee99d564d65d418e9a20acca6f32c3f/kernel/cgroup/cgroup.c#L1984)
         */

        _cleanup_free_ char *opts = NULL;
        r = cgroupfs_mount_options(LOG_WARNING, "cgroup2", &opts);
        if (r < 0)
                return r;

        /* These options shall be kept in sync with those in mount_table below. */
        if (!strprepend_with_separator(&opts, ",", "nsdelegate"))
                return log_oom();

        return mount_nofollow_verbose(LOG_ERR, "cgroup2", path, "cgroup2", MS_NOSUID|MS_NOEXEC|MS_NODEV, opts);
}

static int usrquota_mount_option(int priority, const char *type, char **ret) {
        _cleanup_free_ char *o = NULL;
        int r;

        assert(type);
        assert(ret);

        r = mount_option_supported(type, "usrquota", /* value= */ NULL);
        if (r < 0)
                log_full_errno(priority, r, "Unable to determine whether %s supports 'usrquota' mount option, assuming not: %m", type);
        else if (r == 0)
                log_debug("Not enabling 'usrquota' for '%s' as kernel lacks support for it.", type);
        else {
                o = strdup("usrquota");
                if (!o)
                        return log_oom_full(priority);
        }

        *ret = TAKE_PTR(o);
        return 0;
}

static const MountPoint mount_table[] = {
        {
                .what = "proc",
                .where = "/proc",
                .type = "proc",
                .flags = MS_NOSUID|MS_NOEXEC|MS_NODEV,
                .mode = MNT_FATAL|MNT_IN_CONTAINER|MNT_FOLLOW_SYMLINK,
        },
        {
                .what = "sysfs",
                .where = "/sys",
                .type = "sysfs",
                .flags = MS_NOSUID|MS_NOEXEC|MS_NODEV,
                .mode = MNT_FATAL|MNT_IN_CONTAINER,
        },
        {
                .what = "devtmpfs",
                .where = "/dev",
                .type = "devtmpfs",
                .options = "mode=0755" TMPFS_LIMITS_DEV,
                .flags = MS_NOSUID|MS_STRICTATIME,
                .mode = MNT_FATAL|MNT_IN_CONTAINER,
        },
        {
                .what = "securityfs",
                .where = "/sys/kernel/security",
                .type = "securityfs",
                .flags = MS_NOSUID|MS_NOEXEC|MS_NODEV,
        },
#if ENABLE_SMACK
        {
                .what = "smackfs",
                .where = "/sys/fs/smackfs",
                .type = "smackfs",
                .options = "smackfsdef=*",
                .flags = MS_NOSUID|MS_NOEXEC|MS_NODEV,
                .mode = MNT_FATAL,
                .condition_fn = mac_smack_use,
        },
        {
                .what = "tmpfs",
                .where = "/dev/shm",
                .type = "tmpfs",
                .options = "mode=01777,smackfsroot=*",
                .options_fn = usrquota_mount_option,
                .flags = MS_NOSUID|MS_NODEV|MS_STRICTATIME,
                .mode = MNT_FATAL,
                .condition_fn = mac_smack_use,
        },
#endif
        {
                .what = "tmpfs",
                .where = "/dev/shm",
                .type = "tmpfs",
                .options = "mode=01777",
                .options_fn = usrquota_mount_option,
                .flags = MS_NOSUID|MS_NODEV|MS_STRICTATIME,
                .mode = MNT_FATAL|MNT_IN_CONTAINER,
        },
        {
                .what = "devpts",
                .where = "/dev/pts",
                .type = "devpts",
                .options = "mode=" STRINGIFY(TTY_MODE) ",gid=" STRINGIFY(TTY_GID),
                .flags = MS_NOSUID|MS_NOEXEC,
                .mode = MNT_IN_CONTAINER,
        },
#if ENABLE_SMACK
        {
                .what = "tmpfs",
                .where = "/run",
                .type = "tmpfs",
                .options = "mode=0755,smackfsroot=*" TMPFS_LIMITS_RUN,
                .flags = MS_NOSUID|MS_NODEV|MS_STRICTATIME,
                .mode = MNT_FATAL,
                .condition_fn = mac_smack_use,
        },
#endif
        {
                .what = "tmpfs",
                .where = "/run",
                .type = "tmpfs",
                .options = "mode=0755" TMPFS_LIMITS_RUN,
                .flags = MS_NOSUID|MS_NODEV|MS_STRICTATIME,
                .mode = MNT_FATAL|MNT_IN_CONTAINER,
        },
        {
                .what = "cgroup2",
                .where = "/sys/fs/cgroup",
                .type = "cgroup2",
                .options = "nsdelegate",
                .options_fn = cgroupfs_mount_options,
                .flags = MS_NOSUID|MS_NOEXEC|MS_NODEV,
                .mode = MNT_FATAL|MNT_IN_CONTAINER|MNT_CHECK_WRITABLE,
        },
#if ENABLE_PSTORE
        {
                .what = "pstore",
                .where = "/sys/fs/pstore",
                .type = "pstore",
                .flags = MS_NOSUID|MS_NOEXEC|MS_NODEV,
        },
#endif
#if ENABLE_EFI
        {
                .what = "efivarfs",
                .where = "/sys/firmware/efi/efivars",
                .type = "efivarfs",
                .flags = MS_NOSUID|MS_NOEXEC|MS_NODEV,
                .condition_fn = is_efi_boot,
        },
#endif
        {
                .what = "bpf",
                .where = "/sys/fs/bpf",
                .type = "bpf",
                .options = "mode=0700",
                .flags = MS_NOSUID|MS_NOEXEC|MS_NODEV,
        },
};

/* The first three entries we might need before SELinux is up. The
 * fourth (securityfs) is needed by IMA to load a custom policy. The
 * other ones we can delay until SELinux and IMA are loaded. When
 * SMACK is enabled we need smackfs, too, so it's a fifth one. */
#if ENABLE_SMACK
#define N_EARLY_MOUNT 5
#else
#define N_EARLY_MOUNT 4
#endif

assert_cc(N_EARLY_MOUNT <= ELEMENTSOF(mount_table));

bool mount_point_is_api(const char *path) {
        /* Checks if this mount point is considered "API", and hence
         * should be ignored */

        FOREACH_ELEMENT(i, mount_table)
                if (path_equal(path, i->where))
                        return true;

        return path_startswith(path, "/sys/fs/cgroup/");
}

bool mount_point_ignore(const char *path) {
        /* These are API file systems that might be mounted by other software, we just list them here so that
         * we know that we should ignore them. */
        FOREACH_STRING(i,
                       /* SELinux file systems */
                       "/sys/fs/selinux",
                       /* Container bind mounts */
                       "/dev/console",
                       "/proc/kmsg",
                       "/proc/sys",
                       "/proc/sys/kernel/random/boot_id")
                if (path_equal(path, i))
                        return true;

        if (path_startswith(path, "/run/host")) /* All mounts passed in from the container manager are
                                                 * something we better ignore. */
                return true;

        return false;
}

static int mount_one(const MountPoint *p, bool relabel) {
        int r, priority;

        assert(p);
        assert(p->what);
        assert(p->where);
        assert(p->type);

        priority = FLAGS_SET(p->mode, MNT_FATAL) ? LOG_ERR : LOG_DEBUG;

        if (p->condition_fn && !p->condition_fn())
                return 0;

        /* Relabel first, just in case */
        if (relabel)
                (void) label_fix(p->where, LABEL_IGNORE_ENOENT|LABEL_IGNORE_EROFS);

        r = path_is_mount_point_full(p->where, /* root = */ NULL, AT_SYMLINK_FOLLOW);
        if (r < 0 && r != -ENOENT) {
                log_full_errno(priority, r, "Failed to determine whether %s is a mount point: %m", p->where);
                return FLAGS_SET(p->mode, MNT_FATAL) ? r : 0;
        }
        if (r > 0)
                return 0;

        if (!FLAGS_SET(p->mode, MNT_IN_CONTAINER) && detect_container() > 0)
                return 0;

        /* The access mode here doesn't really matter too much, since
         * the mounted file system will take precedence anyway. */
        if (relabel)
                (void) mkdir_p_label(p->where, 0755);
        else
                (void) mkdir_p(p->where, 0755);

        _cleanup_free_ char *extend_options = NULL;
        const char *o;
        if (p->options_fn) {
                r = p->options_fn(priority, p->type, &extend_options);
                if (r < 0)
                        return r;

                if (!strprepend_with_separator(&extend_options, ",", p->options))
                        return log_oom();

                o = extend_options;
        } else
                o = p->options;

        r = mount_verbose_full(priority, p->what, p->where, p->type, p->flags, o, FLAGS_SET(p->mode, MNT_FOLLOW_SYMLINK));
        if (r < 0)
                return FLAGS_SET(p->mode, MNT_FATAL) ? r : 0;

        /* Relabel again, since we now mounted something fresh here */
        if (relabel)
                (void) label_fix(p->where, 0);

        if (FLAGS_SET(p->mode, MNT_CHECK_WRITABLE))
                if (access(p->where, W_OK) < 0) {
                        r = -errno;

                        (void) umount2(p->where, UMOUNT_NOFOLLOW);
                        (void) rmdir(p->where);

                        log_full_errno(priority, r, "Mount point '%s' not writable after mounting, undoing: %m", p->where);
                        return FLAGS_SET(p->mode, MNT_FATAL) ? r : 0;
                }

        return 1;
}

static int mount_points_setup(size_t n, bool loaded_policy) {
        int r = 0;

        assert(n <= ELEMENTSOF(mount_table));

        FOREACH_ARRAY(mp, mount_table, n)
                RET_GATHER(r, mount_one(mp, loaded_policy));

        return r;
}

int mount_setup_early(void) {
        /* Do a minimal mount of /proc and friends to enable the most basic stuff, such as SELinux */
        return mount_points_setup(N_EARLY_MOUNT, /* loaded_policy= */ false);
}

#if HAVE_SELINUX || ENABLE_SMACK
static int relabel_cb(
                RecurseDirEvent event,
                const char *path,
                int dir_fd,
                int inode_fd,
                const struct dirent *de,
                const struct statx *sx,
                void *userdata) {

        switch (event) {

        case RECURSE_DIR_LEAVE:
        case RECURSE_DIR_SKIP_MOUNT:
                /* If we already saw this dirent when entering it or this is a dirent that on a different
                 * mount, don't relabel it. */
                return RECURSE_DIR_CONTINUE;

        case RECURSE_DIR_ENTER:
                /* /run/initramfs/ + /run/nextroot/ are static data and big, no need to dynamically relabel
                 * its contents at boot... */
                if (PATH_STARTSWITH_SET(path, "/run/initramfs", "/run/nextroot"))
                        return RECURSE_DIR_SKIP_ENTRY;

                _fallthrough_;

        default:
                /* Otherwise, label it, even if we had trouble stat()ing it and similar. SELinux can figure this out */
                (void) label_fix(path, 0);
                return RECURSE_DIR_CONTINUE;
        }
}

static int relabel_tree(const char *path) {
        int r;

        r = recurse_dir_at(AT_FDCWD, path, 0, UINT_MAX, RECURSE_DIR_ENSURE_TYPE|RECURSE_DIR_SAME_MOUNT, relabel_cb, NULL);
        if (r < 0)
                log_debug_errno(r, "Failed to recursively relabel '%s': %m", path);

        return r;
}

static int relabel_extra(void) {
        _cleanup_strv_free_ char **files = NULL;
        int r, c = 0;

        /* Support for relabelling additional files or directories after loading the policy. For this, code in the
         * initrd simply has to drop in *.relabel files into /run/systemd/relabel-extra.d/. We'll read all such files
         * expecting one absolute path by line and will relabel each (and everyone below that in case the path refers
         * to a directory). These drop-in files are supposed to be absolutely minimal, and do not understand comments
         * and such. After the operation succeeded the files are removed, and the drop-in directory as well, if
         * possible.
         */

        r = conf_files_list(&files, ".relabel", NULL,
                            CONF_FILES_FILTER_MASKED | CONF_FILES_REGULAR,
                            "/run/systemd/relabel-extra.d/");
        if (r < 0)
                return log_error_errno(r, "Failed to enumerate /run/systemd/relabel-extra.d/, ignoring: %m");

        STRV_FOREACH(file, files) {
                _cleanup_fclose_ FILE *f = NULL;

                f = fopen(*file, "re");
                if (!f) {
                        log_warning_errno(errno, "Failed to open %s, ignoring: %m", *file);
                        continue;
                }

                for (;;) {
                        _cleanup_free_ char *line = NULL;

                        r = read_line(f, LONG_LINE_MAX, &line);
                        if (r < 0) {
                                log_warning_errno(r, "Failed to read %s, ignoring: %m", *file);
                                break;
                        }
                        if (r == 0) /* EOF */
                                break;

                        path_simplify(line);

                        if (!path_is_normalized(line)) {
                                log_warning("Path to relabel is not normalized, ignoring: %s", line);
                                continue;
                        }

                        if (!path_is_absolute(line)) {
                                log_warning("Path to relabel is not absolute, ignoring: %s", line);
                                continue;
                        }

                        log_debug("Relabelling additional file/directory '%s'.", line);
                        (void) label_fix(line, 0);
                        (void) relabel_tree(line);
                        c++;
                }

                if (unlink(*file) < 0)
                        log_warning_errno(errno, "Failed to remove %s, ignoring: %m", *file);
        }

        /* Remove when we complete things. */
        if (rmdir("/run/systemd/relabel-extra.d") < 0 &&
            errno != ENOENT)
                log_warning_errno(errno, "Failed to remove /run/systemd/relabel-extra.d/ directory: %m");

        return c;
}
#endif

int mount_setup(bool loaded_policy, bool leave_propagation) {
        int r;

        r = mount_points_setup(ELEMENTSOF(mount_table), loaded_policy);
        if (r < 0)
                return r;

#if HAVE_SELINUX || ENABLE_SMACK
        /* Nodes in devtmpfs and /run need to be manually updated for
         * the appropriate labels, after mounting. The other virtual
         * API file systems like /sys and /proc do not need that, they
         * use the same label for all their files. */
        if (loaded_policy) {
                usec_t before_relabel, after_relabel;
                int n_extra;

                before_relabel = now(CLOCK_MONOTONIC);

                FOREACH_STRING(i, "/dev", "/dev/shm", "/run")
                        (void) relabel_tree(i);

                n_extra = relabel_extra();

                after_relabel = now(CLOCK_MONOTONIC);

                log_info("Relabeled /dev/, /dev/shm/, /run/%s in %s.",
                         n_extra > 0 ? ", and additional files" : "",
                         FORMAT_TIMESPAN(after_relabel - before_relabel, 0));
        }
#endif

        /* Create a few default symlinks, which are normally created
         * by udevd, but some scripts might need them before we start
         * udevd. */
        dev_setup(NULL, UID_INVALID, GID_INVALID);

        /* Mark the root directory as shared in regards to mount propagation. The kernel defaults to "private", but we
         * think it makes more sense to have a default of "shared" so that nspawn and the container tools work out of
         * the box. If specific setups need other settings they can reset the propagation mode to private if
         * needed. Note that we set this only when we are invoked directly by the kernel. If we are invoked by a
         * container manager we assume the container manager knows what it is doing (for example, because it set up
         * some directories with different propagation modes). */
        if (detect_container() <= 0 && !leave_propagation)
                if (mount(NULL, "/", NULL, MS_REC|MS_SHARED, NULL) < 0)
                        log_warning_errno(errno, "Failed to set up the root directory for shared mount propagation: %m");

        /* Create a few directories we always want around, Note that sd_booted() checks for /run/systemd/system, so
         * this mkdir really needs to stay for good, otherwise software that copied sd-daemon.c into their sources will
         * misdetect systemd. */
        (void) mkdir_label("/run/systemd", 0755);
        (void) mkdir_label("/run/systemd/system", 0755);

        /* Make sure there's always a place where sandboxed environments can mount root file systems they are
         * about to move into, even when unprivileged, without having to create a temporary one in /tmp/
         * (which they then have to keep track of and clean) */
        (void) mkdir_label("/run/systemd/mount-rootfs", 0555);

        /* Make sure we have a mount point to hide in sandboxes */
        (void) mkdir_label("/run/credentials", 0755);

        /* Also create /run/systemd/inaccessible nodes, so that we always have something to mount
         * inaccessible nodes from. If we run in a container the host might have created these for us already
         * in /run/host/inaccessible/. Use those if we can, since that way we likely get access to block/char
         * device nodes that are inaccessible, and if userns is used to nodes that are on mounts owned by a
         * userns outside the container and thus nicely read-only and not remountable. */
        if (access("/run/host/inaccessible/", F_OK) < 0) {
                if (errno != ENOENT)
                        log_debug_errno(errno, "Failed to check if /run/host/inaccessible exists, ignoring: %m");

                (void) make_inaccessible_nodes("/run/systemd", UID_INVALID, GID_INVALID);
        } else
                (void) symlink("../host/inaccessible", "/run/systemd/inaccessible");

        return 0;
}

1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3	#include <sys/mount.h>
4	#include <unistd.h>
5
6	#include "alloc-util.h"
7	#include "conf-files.h"
8	#include "dev-setup.h"
9	#include "efivars.h"
10	#include "errno-util.h"
11	#include "fd-util.h"
12	#include "fileio.h"
13	#include "label-util.h"
14	#include "log.h"
15	#include "mkdir-label.h"
16	#include "mount-setup.h"
17	#include "mount-util.h"
18	#include "mountpoint-util.h"
19	#include "path-util.h"
20	#include "recurse-dir.h"
21	#include "smack-util.h"
22	#include "string-util.h"
23	#include "strv.h"
24	#include "time-util.h"
25	#include "virt.h"
26
27	typedef enum MountMode {
28	MNT_FATAL = 1 << 0,
29	MNT_IN_CONTAINER = 1 << 1,
30	MNT_CHECK_WRITABLE = 1 << 2,
31	MNT_FOLLOW_SYMLINK = 1 << 3,
32	} MountMode;
33
34	typedef struct MountPoint {
35	const char *what;
36	const char *where;
37	const char *type;
38	const char *options;
39	int (options_fn)(int priority, const char type, char **ret);
40	unsigned long flags;
41	MountMode mode;
42	bool (*condition_fn)(void);
43	} MountPoint;
44
45	static int cgroupfs_mount_options(int priority, const char type, char *ret) {	150✔
46	int r;	150✔
47
48	assert(type);	150✔
49	assert(streq(type, "cgroup2"));	150✔
50	assert(ret);	150✔
51
52	_cleanup_free_ char *opts = NULL;	150✔
53	FOREACH_STRING(o, "memory_recursiveprot", "memory_hugetlb_accounting") {	450✔
54	r = mount_option_supported("cgroup2", o, /* value = */ NULL);	300✔
55	if (r < 0)	300✔
56	log_full_errno(priority, r, "Failed to determine whether cgroupfs supports '%s' mount option, assuming not: %m", o);	300✔
57	else if (r == 0)	300✔
UNCOV 58	log_debug("'%s' not supported by cgroupfs, not using mount option.", o);	×
59	else if (!strextend_with_separator(&opts, ",", o))	300✔
UNCOV 60	return log_oom_full(priority);	×
61	}
62
63	*ret = TAKE_PTR(opts);	150✔
64	return 0;	150✔
65	}
66
67	int mount_cgroupfs(const char *path) {	136✔
68	int r;	136✔
69
70	assert(path);	136✔
71
72	/* Mount a separate cgroupfs instance, taking all options we initial set into account. This is
73	* especially useful when cgroup namespace is not employed, since the kernel overrides all
74	* previous options if a new mount is established in initial cgns (c.f.
75	* https://github.com/torvalds/linux/blob/b69bb476dee99d564d65d418e9a20acca6f32c3f/kernel/cgroup/cgroup.c#L1984)
76	*/
77
78	_cleanup_free_ char *opts = NULL;	136✔
79	r = cgroupfs_mount_options(LOG_WARNING, "cgroup2", &opts);	136✔
80	if (r < 0)	136✔
81	return r;
82
83	/* These options shall be kept in sync with those in mount_table below. */
84	if (!strprepend_with_separator(&opts, ",", "nsdelegate"))	272✔
UNCOV 85	return log_oom();	×
86
87	return mount_nofollow_verbose(LOG_ERR, "cgroup2", path, "cgroup2", MS_NOSUID\|MS_NOEXEC\|MS_NODEV, opts);	136✔
88	}
89
90	static int usrquota_mount_option(int priority, const char type, char *ret) {	14✔
91	_cleanup_free_ char *o = NULL;	14✔
92	int r;	14✔
93
94	assert(type);	14✔
95	assert(ret);	14✔
96
97	r = mount_option_supported(type, "usrquota", /* value= */ NULL);	14✔
98	if (r < 0)	14✔
UNCOV 99	log_full_errno(priority, r, "Unable to determine whether %s supports 'usrquota' mount option, assuming not: %m", type);	×
100	else if (r == 0)	14✔
UNCOV 101	log_debug("Not enabling 'usrquota' for '%s' as kernel lacks support for it.", type);	×
102	else {
103	o = strdup("usrquota");	14✔
104	if (!o)	14✔
UNCOV 105	return log_oom_full(priority);	×
106	}
107
108	*ret = TAKE_PTR(o);	14✔
109	return 0;	14✔
110	}
111
112	static const MountPoint mount_table[] = {
113	{
114	.what = "proc",
115	.where = "/proc",
116	.type = "proc",
117	.flags = MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
118	.mode = MNT_FATAL\|MNT_IN_CONTAINER\|MNT_FOLLOW_SYMLINK,
119	},
120	{
121	.what = "sysfs",
122	.where = "/sys",
123	.type = "sysfs",
124	.flags = MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
125	.mode = MNT_FATAL\|MNT_IN_CONTAINER,
126	},
127	{
128	.what = "devtmpfs",
129	.where = "/dev",
130	.type = "devtmpfs",
131	.options = "mode=0755" TMPFS_LIMITS_DEV,
132	.flags = MS_NOSUID\|MS_STRICTATIME,
133	.mode = MNT_FATAL\|MNT_IN_CONTAINER,
134	},
135	{
136	.what = "securityfs",
137	.where = "/sys/kernel/security",
138	.type = "securityfs",
139	.flags = MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
140	},
141	#if ENABLE_SMACK
142	{
143	.what = "smackfs",
144	.where = "/sys/fs/smackfs",
145	.type = "smackfs",
146	.options = "smackfsdef=*",
147	.flags = MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
148	.mode = MNT_FATAL,
149	.condition_fn = mac_smack_use,
150	},
151	{
152	.what = "tmpfs",
153	.where = "/dev/shm",
154	.type = "tmpfs",
155	.options = "mode=01777,smackfsroot=*",
156	.options_fn = usrquota_mount_option,
157	.flags = MS_NOSUID\|MS_NODEV\|MS_STRICTATIME,
158	.mode = MNT_FATAL,
159	.condition_fn = mac_smack_use,
160	},
161	#endif
162	{
163	.what = "tmpfs",
164	.where = "/dev/shm",
165	.type = "tmpfs",
166	.options = "mode=01777",
167	.options_fn = usrquota_mount_option,
168	.flags = MS_NOSUID\|MS_NODEV\|MS_STRICTATIME,
169	.mode = MNT_FATAL\|MNT_IN_CONTAINER,
170	},
171	{
172	.what = "devpts",
173	.where = "/dev/pts",
174	.type = "devpts",
175	.options = "mode=" STRINGIFY(TTY_MODE) ",gid=" STRINGIFY(TTY_GID),
176	.flags = MS_NOSUID\|MS_NOEXEC,
177	.mode = MNT_IN_CONTAINER,
178	},
179	#if ENABLE_SMACK
180	{
181	.what = "tmpfs",
182	.where = "/run",
183	.type = "tmpfs",
184	.options = "mode=0755,smackfsroot=*" TMPFS_LIMITS_RUN,
185	.flags = MS_NOSUID\|MS_NODEV\|MS_STRICTATIME,
186	.mode = MNT_FATAL,
187	.condition_fn = mac_smack_use,
188	},
189	#endif
190	{
191	.what = "tmpfs",
192	.where = "/run",
193	.type = "tmpfs",
194	.options = "mode=0755" TMPFS_LIMITS_RUN,
195	.flags = MS_NOSUID\|MS_NODEV\|MS_STRICTATIME,
196	.mode = MNT_FATAL\|MNT_IN_CONTAINER,
197	},
198	{
199	.what = "cgroup2",
200	.where = "/sys/fs/cgroup",
201	.type = "cgroup2",
202	.options = "nsdelegate",
203	.options_fn = cgroupfs_mount_options,
204	.flags = MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
205	.mode = MNT_FATAL\|MNT_IN_CONTAINER\|MNT_CHECK_WRITABLE,
206	},
207	#if ENABLE_PSTORE
208	{
209	.what = "pstore",
210	.where = "/sys/fs/pstore",
211	.type = "pstore",
212	.flags = MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
213	},
214	#endif
215	#if ENABLE_EFI
216	{
217	.what = "efivarfs",
218	.where = "/sys/firmware/efi/efivars",
219	.type = "efivarfs",
220	.flags = MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
221	.condition_fn = is_efi_boot,
222	},
223	#endif
224	{
225	.what = "bpf",
226	.where = "/sys/fs/bpf",
227	.type = "bpf",
228	.options = "mode=0700",
229	.flags = MS_NOSUID\|MS_NOEXEC\|MS_NODEV,
230	},
231	};
232
233	/* The first three entries we might need before SELinux is up. The
234	* fourth (securityfs) is needed by IMA to load a custom policy. The
235	* other ones we can delay until SELinux and IMA are loaded. When
236	* SMACK is enabled we need smackfs, too, so it's a fifth one. */
237	#if ENABLE_SMACK
238	#define N_EARLY_MOUNT 5
239	#else
240	#define N_EARLY_MOUNT 4
241	#endif
242
243	assert_cc(N_EARLY_MOUNT <= ELEMENTSOF(mount_table));
244
245	bool mount_point_is_api(const char *path) {	142,212✔
246	/* Checks if this mount point is considered "API", and hence
247	* should be ignored */
248
249	FOREACH_ELEMENT(i, mount_table)	1,812,416✔
250	if (path_equal(path, i->where))	1,709,321✔
251	return true;
252
253	return path_startswith(path, "/sys/fs/cgroup/");	103,095✔
254	}
255
256	bool mount_point_ignore(const char *path) {	103,083✔
257	/* These are API file systems that might be mounted by other software, we just list them here so that
258	* we know that we should ignore them. */
259	FOREACH_STRING(i,	609,629✔
260	/* SELinux file systems */
261	"/sys/fs/selinux",
262	/* Container bind mounts */
263	"/dev/console",
264	"/proc/kmsg",
265	"/proc/sys",
266	"/proc/sys/kernel/random/boot_id")
267	if (path_equal(path, i))	511,614✔
268	return true;	5,068✔
269
270	if (path_startswith(path, "/run/host")) /* All mounts passed in from the container manager are	98,015✔
271	* something we better ignore. */
272	return true;	7,602✔
273
274	return false;
275	}
276
277	static int mount_one(const MountPoint *p, bool relabel) {	799✔
278	int r, priority;	799✔
279
280	assert(p);	799✔
281	assert(p->what);	799✔
282	assert(p->where);	799✔
283	assert(p->type);	799✔
284
285	priority = FLAGS_SET(p->mode, MNT_FATAL) ? LOG_ERR : LOG_DEBUG;	799✔
286
287	if (p->condition_fn && !p->condition_fn())	799✔
288	return 0;	799✔
289
290	/* Relabel first, just in case */
291	if (relabel)	590✔
292	(void) label_fix(p->where, LABEL_IGNORE_ENOENT\|LABEL_IGNORE_EROFS);	×
293
294	r = path_is_mount_point_full(p->where, /* root = */ NULL, AT_SYMLINK_FOLLOW);	590✔
295	if (r < 0 && r != -ENOENT) {	590✔
UNCOV 296	log_full_errno(priority, r, "Failed to determine whether %s is a mount point: %m", p->where);	×
UNCOV 297	return FLAGS_SET(p->mode, MNT_FATAL) ? r : 0;	×
298	}
299	if (r > 0)	590✔
300	return 0;
301
302	if (!FLAGS_SET(p->mode, MNT_IN_CONTAINER) && detect_container() > 0)	233✔
303	return 0;
304
305	/* The access mode here doesn't really matter too much, since
306	* the mounted file system will take precedence anyway. */
307	if (relabel)	146✔
308	(void) mkdir_p_label(p->where, 0755);	×
309	else
310	(void) mkdir_p(p->where, 0755);	146✔
311
312	_cleanup_free_ char *extend_options = NULL;	146✔
313	const char *o;	146✔
314	if (p->options_fn) {	146✔
315	r = p->options_fn(priority, p->type, &extend_options);	28✔
316	if (r < 0)	28✔
317	return r;
318
319	if (!strprepend_with_separator(&extend_options, ",", p->options))	56✔
320	return log_oom();	×
321
322	o = extend_options;	28✔
323	} else
324	o = p->options;	118✔
325
326	r = mount_verbose_full(priority, p->what, p->where, p->type, p->flags, o, FLAGS_SET(p->mode, MNT_FOLLOW_SYMLINK));	146✔
327	if (r < 0)	146✔
UNCOV 328	return FLAGS_SET(p->mode, MNT_FATAL) ? r : 0;	×
329
330	/* Relabel again, since we now mounted something fresh here */
331	if (relabel)	146✔
332	(void) label_fix(p->where, 0);	×
333
334	if (FLAGS_SET(p->mode, MNT_CHECK_WRITABLE))	146✔
335	if (access(p->where, W_OK) < 0) {	14✔
UNCOV 336	r = -errno;	×
337
338	(void) umount2(p->where, UMOUNT_NOFOLLOW);	×
339	(void) rmdir(p->where);	×
340
UNCOV 341	log_full_errno(priority, r, "Mount point '%s' not writable after mounting, undoing: %m", p->where);	×
342	return FLAGS_SET(p->mode, MNT_FATAL) ? r : 0;	×
343	}
344
345	return 1;
346	}
347
348	static int mount_points_setup(size_t n, bool loaded_policy) {	68✔
349	int r = 0;	68✔
350
351	assert(n <= ELEMENTSOF(mount_table));	68✔
352
353	FOREACH_ARRAY(mp, mount_table, n)	867✔
354	RET_GATHER(r, mount_one(mp, loaded_policy));	799✔
355
356	return r;	68✔
357	}
358
359	int mount_setup_early(void) {	17✔
360	/* Do a minimal mount of /proc and friends to enable the most basic stuff, such as SELinux */
361	return mount_points_setup(N_EARLY_MOUNT, /* loaded_policy= */ false);	17✔
362	}
363
364	#if HAVE_SELINUX \|\| ENABLE_SMACK
UNCOV 365	static int relabel_cb(	×
366	RecurseDirEvent event,
367	const char *path,
368	int dir_fd,
369	int inode_fd,
370	const struct dirent *de,
371	const struct statx *sx,
372	void *userdata) {
373
374	switch (event) {	×
375
376	case RECURSE_DIR_LEAVE:
377	case RECURSE_DIR_SKIP_MOUNT:
378	/* If we already saw this dirent when entering it or this is a dirent that on a different
379	* mount, don't relabel it. */
380	return RECURSE_DIR_CONTINUE;
381
382	case RECURSE_DIR_ENTER:	×
383	/* /run/initramfs/ + /run/nextroot/ are static data and big, no need to dynamically relabel
384	* its contents at boot... */
UNCOV 385	if (PATH_STARTSWITH_SET(path, "/run/initramfs", "/run/nextroot"))	×
386	return RECURSE_DIR_SKIP_ENTRY;	×
387
UNCOV 388	_fallthrough_;	×
389
390	default:
391	/* Otherwise, label it, even if we had trouble stat()ing it and similar. SELinux can figure this out */
UNCOV 392	(void) label_fix(path, 0);	×
UNCOV 393	return RECURSE_DIR_CONTINUE;	×
394	}
395	}
396
UNCOV 397	static int relabel_tree(const char *path) {	×
UNCOV 398	int r;	×
399
UNCOV 400	r = recurse_dir_at(AT_FDCWD, path, 0, UINT_MAX, RECURSE_DIR_ENSURE_TYPE\|RECURSE_DIR_SAME_MOUNT, relabel_cb, NULL);	×
UNCOV 401	if (r < 0)	×
UNCOV 402	log_debug_errno(r, "Failed to recursively relabel '%s': %m", path);	×
403
UNCOV 404	return r;	×
405	}
406
UNCOV 407	static int relabel_extra(void) {	×
UNCOV 408	_cleanup_strv_free_ char **files = NULL;	×
UNCOV 409	int r, c = 0;	×
410
411	/* Support for relabelling additional files or directories after loading the policy. For this, code in the
412	* initrd simply has to drop in *.relabel files into /run/systemd/relabel-extra.d/. We'll read all such files
413	* expecting one absolute path by line and will relabel each (and everyone below that in case the path refers
414	* to a directory). These drop-in files are supposed to be absolutely minimal, and do not understand comments
415	* and such. After the operation succeeded the files are removed, and the drop-in directory as well, if
416	* possible.
417	*/
418
UNCOV 419	r = conf_files_list(&files, ".relabel", NULL,	×
420	CONF_FILES_FILTER_MASKED \| CONF_FILES_REGULAR,
421	"/run/systemd/relabel-extra.d/");
UNCOV 422	if (r < 0)	×
UNCOV 423	return log_error_errno(r, "Failed to enumerate /run/systemd/relabel-extra.d/, ignoring: %m");	×
424
UNCOV 425	STRV_FOREACH(file, files) {	×
UNCOV 426	_cleanup_fclose_ FILE *f = NULL;	×
427
428	f = fopen(*file, "re");	×
UNCOV 429	if (!f) {	×
UNCOV 430	log_warning_errno(errno, "Failed to open %s, ignoring: %m", *file);	×
UNCOV 431	continue;	×
432	}
433
UNCOV 434	for (;;) {	×
UNCOV 435	_cleanup_free_ char *line = NULL;	×
436
UNCOV 437	r = read_line(f, LONG_LINE_MAX, &line);	×
UNCOV 438	if (r < 0) {	×
UNCOV 439	log_warning_errno(r, "Failed to read %s, ignoring: %m", *file);	×
440	break;
441	}
UNCOV 442	if (r == 0) /* EOF */	×
443	break;
444
UNCOV 445	path_simplify(line);	×
446
UNCOV 447	if (!path_is_normalized(line)) {	×
UNCOV 448	log_warning("Path to relabel is not normalized, ignoring: %s", line);	×
UNCOV 449	continue;	×
450	}
451
UNCOV 452	if (!path_is_absolute(line)) {	×
UNCOV 453	log_warning("Path to relabel is not absolute, ignoring: %s", line);	×
UNCOV 454	continue;	×
455	}
456
UNCOV 457	log_debug("Relabelling additional file/directory '%s'.", line);	×
UNCOV 458	(void) label_fix(line, 0);	×
UNCOV 459	(void) relabel_tree(line);	×
UNCOV 460	c++;	×
461	}
462
UNCOV 463	if (unlink(*file) < 0)	×
UNCOV 464	log_warning_errno(errno, "Failed to remove %s, ignoring: %m", *file);	×
465	}
466
467	/* Remove when we complete things. */
UNCOV 468	if (rmdir("/run/systemd/relabel-extra.d") < 0 &&	×
UNCOV 469	errno != ENOENT)	×
UNCOV 470	log_warning_errno(errno, "Failed to remove /run/systemd/relabel-extra.d/ directory: %m");	×
471
472	return c;
473	}
474	#endif
475
476	int mount_setup(bool loaded_policy, bool leave_propagation) {	51✔
477	int r;	51✔
478
479	r = mount_points_setup(ELEMENTSOF(mount_table), loaded_policy);	51✔
480	if (r < 0)	51✔
481	return r;
482
483	#if HAVE_SELINUX \|\| ENABLE_SMACK
484	/* Nodes in devtmpfs and /run need to be manually updated for
485	* the appropriate labels, after mounting. The other virtual
486	* API file systems like /sys and /proc do not need that, they
487	* use the same label for all their files. */
488	if (loaded_policy) {	51✔
UNCOV 489	usec_t before_relabel, after_relabel;	×
UNCOV 490	int n_extra;	×
491
UNCOV 492	before_relabel = now(CLOCK_MONOTONIC);	×
493
UNCOV 494	FOREACH_STRING(i, "/dev", "/dev/shm", "/run")	×
UNCOV 495	(void) relabel_tree(i);	×
496
UNCOV 497	n_extra = relabel_extra();	×
498
UNCOV 499	after_relabel = now(CLOCK_MONOTONIC);	×
500
UNCOV 501	log_info("Relabeled /dev/, /dev/shm/, /run/%s in %s.",	×
502	n_extra > 0 ? ", and additional files" : "",
503	FORMAT_TIMESPAN(after_relabel - before_relabel, 0));
504	}
505	#endif
506
507	/* Create a few default symlinks, which are normally created
508	* by udevd, but some scripts might need them before we start
509	* udevd. */
510	dev_setup(NULL, UID_INVALID, GID_INVALID);	51✔
511
512	/* Mark the root directory as shared in regards to mount propagation. The kernel defaults to "private", but we
513	* think it makes more sense to have a default of "shared" so that nspawn and the container tools work out of
514	* the box. If specific setups need other settings they can reset the propagation mode to private if
515	* needed. Note that we set this only when we are invoked directly by the kernel. If we are invoked by a
516	* container manager we assume the container manager knows what it is doing (for example, because it set up
517	* some directories with different propagation modes). */
518	if (detect_container() <= 0 && !leave_propagation)	51✔
519	if (mount(NULL, "/", NULL, MS_REC\|MS_SHARED, NULL) < 0)	17✔
UNCOV 520	log_warning_errno(errno, "Failed to set up the root directory for shared mount propagation: %m");	×
521
522	/* Create a few directories we always want around, Note that sd_booted() checks for /run/systemd/system, so
523	* this mkdir really needs to stay for good, otherwise software that copied sd-daemon.c into their sources will
524	* misdetect systemd. */
525	(void) mkdir_label("/run/systemd", 0755);	51✔
526	(void) mkdir_label("/run/systemd/system", 0755);	51✔
527
528	/* Make sure there's always a place where sandboxed environments can mount root file systems they are
529	* about to move into, even when unprivileged, without having to create a temporary one in /tmp/
530	* (which they then have to keep track of and clean) */
531	(void) mkdir_label("/run/systemd/mount-rootfs", 0555);	51✔
532
533	/* Make sure we have a mount point to hide in sandboxes */
534	(void) mkdir_label("/run/credentials", 0755);	51✔
535
536	/* Also create /run/systemd/inaccessible nodes, so that we always have something to mount
537	* inaccessible nodes from. If we run in a container the host might have created these for us already
538	* in /run/host/inaccessible/. Use those if we can, since that way we likely get access to block/char
539	* device nodes that are inaccessible, and if userns is used to nodes that are on mounts owned by a
540	* userns outside the container and thus nicely read-only and not remountable. */
541	if (access("/run/host/inaccessible/", F_OK) < 0) {	51✔
542	if (errno != ENOENT)	22✔
UNCOV 543	log_debug_errno(errno, "Failed to check if /run/host/inaccessible exists, ignoring: %m");	×
544
545	(void) make_inaccessible_nodes("/run/systemd", UID_INVALID, GID_INVALID);	22✔
546	} else
547	(void) symlink("../host/inaccessible", "/run/systemd/inaccessible");	29✔
548
549	return 0;
550	}

systemd / systemd / 18988181302

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous