mirror of
https://github.com/systemd/systemd.git
synced 2025-01-18 10:04:04 +03:00
tree-wide: use mode=0nnn for mount option
This is an octal number. We used the 0 prefix in some places inconsistently. The kernel always interprets in base-8, so this has no effect, but I think it's nicer to use the 0 to remind the reader that this is not a decimal number.
parent
ca6ce62d2a
commit
9f563f2792
@ -21,7 +21,7 @@ ArchLinux initrds.
|
|||||||
|
|
||||||
* The initrd should mount `/run/` as a tmpfs and pass it pre-mounted when
|
* The initrd should mount `/run/` as a tmpfs and pass it pre-mounted when
|
||||||
jumping into the main system when executing systemd. The mount options should
|
jumping into the main system when executing systemd. The mount options should
|
||||||
be `mode=755,nodev,nosuid,strictatime`.
|
be `mode=0755,nodev,nosuid,strictatime`.
|
||||||
|
|
||||||
* It's highly recommended that the initrd also mounts `/usr/` (if split off) as
|
* It's highly recommended that the initrd also mounts `/usr/` (if split off) as
|
||||||
appropriate and passes it pre-mounted to the main system, to avoid the
|
appropriate and passes it pre-mounted to the main system, to avoid the
|
||||||
|
@ -104,7 +104,7 @@ static const MountEntry apivfs_table[] = {
|
|||||||
{ "/proc", PROCFS, false },
|
{ "/proc", PROCFS, false },
|
||||||
{ "/dev", BIND_DEV, false },
|
{ "/dev", BIND_DEV, false },
|
||||||
{ "/sys", SYSFS, false },
|
{ "/sys", SYSFS, false },
|
||||||
{ "/run", RUN, false, .options_const = "mode=755" TMPFS_LIMITS_RUN, .flags = MS_NOSUID|MS_NODEV|MS_STRICTATIME },
|
{ "/run", RUN, false, .options_const = "mode=0755" TMPFS_LIMITS_RUN, .flags = MS_NOSUID|MS_NODEV|MS_STRICTATIME },
|
||||||
};
|
};
|
||||||
|
|
||||||
/* ProtectKernelTunables= option and the related filesystem APIs */
|
/* ProtectKernelTunables= option and the related filesystem APIs */
|
||||||
@ -366,7 +366,7 @@ static int append_empty_dir_mounts(MountEntry **p, char **strv) {
|
|||||||
.mode = EMPTY_DIR,
|
.mode = EMPTY_DIR,
|
||||||
.ignore = false,
|
.ignore = false,
|
||||||
.read_only = true,
|
.read_only = true,
|
||||||
.options_const = "mode=755" TMPFS_LIMITS_EMPTY_OR_ALMOST,
|
.options_const = "mode=0755" TMPFS_LIMITS_EMPTY_OR_ALMOST,
|
||||||
.flags = MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
|
.flags = MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
@ -927,7 +927,7 @@ static int mount_private_dev(MountEntry *m) {
|
|||||||
|
|
||||||
dev = strjoina(temporary_mount, "/dev");
|
dev = strjoina(temporary_mount, "/dev");
|
||||||
(void) mkdir(dev, 0755);
|
(void) mkdir(dev, 0755);
|
||||||
r = mount_nofollow_verbose(LOG_DEBUG, "tmpfs", dev, "tmpfs", DEV_MOUNT_OPTIONS, "mode=755" TMPFS_LIMITS_PRIVATE_DEV);
|
r = mount_nofollow_verbose(LOG_DEBUG, "tmpfs", dev, "tmpfs", DEV_MOUNT_OPTIONS, "mode=0755" TMPFS_LIMITS_PRIVATE_DEV);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
goto fail;
|
goto fail;
|
||||||
|
|
||||||
|
@ -317,7 +317,7 @@ static int mount_legacy_cgns_supported(
|
|||||||
* uid/gid as seen from e.g. /proc/1/mountinfo. So we simply
|
* uid/gid as seen from e.g. /proc/1/mountinfo. So we simply
|
||||||
* pass uid 0 and not uid_shift to tmpfs_patch_options().
|
* pass uid 0 and not uid_shift to tmpfs_patch_options().
|
||||||
*/
|
*/
|
||||||
r = tmpfs_patch_options("mode=755" TMPFS_LIMITS_SYS_FS_CGROUP, 0, selinux_apifs_context, &options);
|
r = tmpfs_patch_options("mode=0755" TMPFS_LIMITS_SYS_FS_CGROUP, 0, selinux_apifs_context, &options);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_oom();
|
return log_oom();
|
||||||
|
|
||||||
@ -390,7 +390,8 @@ skip_controllers:
|
|||||||
|
|
||||||
if (!userns)
|
if (!userns)
|
||||||
return mount_nofollow_verbose(LOG_ERR, NULL, cgroup_root, NULL,
|
return mount_nofollow_verbose(LOG_ERR, NULL, cgroup_root, NULL,
|
||||||
MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY, "mode=755");
|
MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY,
|
||||||
|
"mode=0755");
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -419,7 +420,10 @@ static int mount_legacy_cgns_unsupported(
|
|||||||
if (r == 0) {
|
if (r == 0) {
|
||||||
_cleanup_free_ char *options = NULL;
|
_cleanup_free_ char *options = NULL;
|
||||||
|
|
||||||
r = tmpfs_patch_options("mode=755" TMPFS_LIMITS_SYS_FS_CGROUP, uid_shift == 0 ? UID_INVALID : uid_shift, selinux_apifs_context, &options);
|
r = tmpfs_patch_options("mode=0755" TMPFS_LIMITS_SYS_FS_CGROUP,
|
||||||
|
uid_shift == 0 ? UID_INVALID : uid_shift,
|
||||||
|
selinux_apifs_context,
|
||||||
|
&options);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_oom();
|
return log_oom();
|
||||||
|
|
||||||
@ -498,7 +502,8 @@ skip_controllers:
|
|||||||
return r;
|
return r;
|
||||||
|
|
||||||
return mount_nofollow_verbose(LOG_ERR, NULL, cgroup_root, NULL,
|
return mount_nofollow_verbose(LOG_ERR, NULL, cgroup_root, NULL,
|
||||||
MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY, "mode=755");
|
MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY,
|
||||||
|
"mode=0755");
|
||||||
}
|
}
|
||||||
|
|
||||||
static int mount_unified_cgroups(const char *dest) {
|
static int mount_unified_cgroups(const char *dest) {
|
||||||
|
@ -576,19 +576,19 @@ int mount_all(const char *dest,
|
|||||||
MOUNT_IN_USERNS|MOUNT_MKDIR },
|
MOUNT_IN_USERNS|MOUNT_MKDIR },
|
||||||
|
|
||||||
/* Then we list outer child mounts (i.e. mounts applied *before* entering user namespacing) */
|
/* Then we list outer child mounts (i.e. mounts applied *before* entering user namespacing) */
|
||||||
{ "tmpfs", "/tmp", "tmpfs", "mode=1777" NESTED_TMPFS_LIMITS, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
{ "tmpfs", "/tmp", "tmpfs", "mode=01777" NESTED_TMPFS_LIMITS, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
||||||
MOUNT_FATAL|MOUNT_APPLY_TMPFS_TMP|MOUNT_MKDIR },
|
MOUNT_FATAL|MOUNT_APPLY_TMPFS_TMP|MOUNT_MKDIR },
|
||||||
{ "tmpfs", "/sys", "tmpfs", "mode=555" TMPFS_LIMITS_SYS, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "tmpfs", "/sys", "tmpfs", "mode=0555" TMPFS_LIMITS_SYS, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
MOUNT_FATAL|MOUNT_APPLY_APIVFS_NETNS|MOUNT_MKDIR },
|
MOUNT_FATAL|MOUNT_APPLY_APIVFS_NETNS|MOUNT_MKDIR },
|
||||||
{ "sysfs", "/sys", "sysfs", NULL, SYS_DEFAULT_MOUNT_FLAGS,
|
{ "sysfs", "/sys", "sysfs", NULL, SYS_DEFAULT_MOUNT_FLAGS,
|
||||||
MOUNT_FATAL|MOUNT_APPLY_APIVFS_RO|MOUNT_MKDIR }, /* skipped if above was mounted */
|
MOUNT_FATAL|MOUNT_APPLY_APIVFS_RO|MOUNT_MKDIR }, /* skipped if above was mounted */
|
||||||
{ "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
MOUNT_FATAL|MOUNT_MKDIR }, /* skipped if above was mounted */
|
MOUNT_FATAL|MOUNT_MKDIR }, /* skipped if above was mounted */
|
||||||
{ "tmpfs", "/dev", "tmpfs", "mode=755" TMPFS_LIMITS_PRIVATE_DEV, MS_NOSUID|MS_STRICTATIME,
|
{ "tmpfs", "/dev", "tmpfs", "mode=0755" TMPFS_LIMITS_PRIVATE_DEV, MS_NOSUID|MS_STRICTATIME,
|
||||||
MOUNT_FATAL|MOUNT_MKDIR },
|
MOUNT_FATAL|MOUNT_MKDIR },
|
||||||
{ "tmpfs", "/dev/shm", "tmpfs", "mode=1777" NESTED_TMPFS_LIMITS, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
{ "tmpfs", "/dev/shm", "tmpfs", "mode=01777" NESTED_TMPFS_LIMITS, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
||||||
MOUNT_FATAL|MOUNT_MKDIR },
|
MOUNT_FATAL|MOUNT_MKDIR },
|
||||||
{ "tmpfs", "/run", "tmpfs", "mode=755" TMPFS_LIMITS_RUN, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
{ "tmpfs", "/run", "tmpfs", "mode=0755" TMPFS_LIMITS_RUN, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
||||||
MOUNT_FATAL|MOUNT_MKDIR },
|
MOUNT_FATAL|MOUNT_MKDIR },
|
||||||
{ "/run/host", "/run/host", NULL, NULL, MS_BIND,
|
{ "/run/host", "/run/host", NULL, NULL, MS_BIND,
|
||||||
MOUNT_FATAL|MOUNT_MKDIR|MOUNT_PREFIX_ROOT }, /* Prepare this so that we can make it read-only when we are done */
|
MOUNT_FATAL|MOUNT_MKDIR|MOUNT_PREFIX_ROOT }, /* Prepare this so that we can make it read-only when we are done */
|
||||||
@ -1043,7 +1043,7 @@ static int setup_volatile_state(const char *directory, uid_t uid_shift, const ch
|
|||||||
if (r < 0 && errno != EEXIST)
|
if (r < 0 && errno != EEXIST)
|
||||||
return log_error_errno(errno, "Failed to create %s: %m", directory);
|
return log_error_errno(errno, "Failed to create %s: %m", directory);
|
||||||
|
|
||||||
options = "mode=755" TMPFS_LIMITS_VOLATILE_STATE;
|
options = "mode=0755" TMPFS_LIMITS_VOLATILE_STATE;
|
||||||
r = tmpfs_patch_options(options, uid_shift == 0 ? UID_INVALID : uid_shift, selinux_apifs_context, &buf);
|
r = tmpfs_patch_options(options, uid_shift == 0 ? UID_INVALID : uid_shift, selinux_apifs_context, &buf);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_oom();
|
return log_oom();
|
||||||
@ -1087,7 +1087,7 @@ static int setup_volatile_yes(const char *directory, uid_t uid_shift, const char
|
|||||||
if (!mkdtemp(template))
|
if (!mkdtemp(template))
|
||||||
return log_error_errno(errno, "Failed to create temporary directory: %m");
|
return log_error_errno(errno, "Failed to create temporary directory: %m");
|
||||||
|
|
||||||
options = "mode=755" TMPFS_LIMITS_ROOTFS;
|
options = "mode=0755" TMPFS_LIMITS_ROOTFS;
|
||||||
r = tmpfs_patch_options(options, uid_shift == 0 ? UID_INVALID : uid_shift, selinux_apifs_context, &buf);
|
r = tmpfs_patch_options(options, uid_shift == 0 ? UID_INVALID : uid_shift, selinux_apifs_context, &buf);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
goto fail;
|
goto fail;
|
||||||
@ -1154,7 +1154,7 @@ static int setup_volatile_overlay(const char *directory, uid_t uid_shift, const
|
|||||||
if (!mkdtemp(template))
|
if (!mkdtemp(template))
|
||||||
return log_error_errno(errno, "Failed to create temporary directory: %m");
|
return log_error_errno(errno, "Failed to create temporary directory: %m");
|
||||||
|
|
||||||
options = "mode=755" TMPFS_LIMITS_ROOTFS;
|
options = "mode=0755" TMPFS_LIMITS_ROOTFS;
|
||||||
r = tmpfs_patch_options(options, uid_shift == 0 ? UID_INVALID : uid_shift, selinux_apifs_context, &buf);
|
r = tmpfs_patch_options(options, uid_shift == 0 ? UID_INVALID : uid_shift, selinux_apifs_context, &buf);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
goto finish;
|
goto finish;
|
||||||
|
@ -62,55 +62,55 @@ typedef struct MountPoint {
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
static const MountPoint mount_table[] = {
|
static const MountPoint mount_table[] = {
|
||||||
{ "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
NULL, MNT_FATAL|MNT_IN_CONTAINER|MNT_FOLLOW_SYMLINK },
|
NULL, MNT_FATAL|MNT_IN_CONTAINER|MNT_FOLLOW_SYMLINK },
|
||||||
{ "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
NULL, MNT_FATAL|MNT_IN_CONTAINER },
|
NULL, MNT_FATAL|MNT_IN_CONTAINER },
|
||||||
{ "devtmpfs", "/dev", "devtmpfs", "mode=755" TMPFS_LIMITS_DEV, MS_NOSUID|MS_STRICTATIME,
|
{ "devtmpfs", "/dev", "devtmpfs", "mode=0755" TMPFS_LIMITS_DEV, MS_NOSUID|MS_STRICTATIME,
|
||||||
NULL, MNT_FATAL|MNT_IN_CONTAINER },
|
NULL, MNT_FATAL|MNT_IN_CONTAINER },
|
||||||
{ "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
NULL, MNT_NONE },
|
NULL, MNT_NONE },
|
||||||
#if ENABLE_SMACK
|
#if ENABLE_SMACK
|
||||||
{ "smackfs", "/sys/fs/smackfs", "smackfs", "smackfsdef=*", MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "smackfs", "/sys/fs/smackfs", "smackfs", "smackfsdef=*", MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
mac_smack_use, MNT_FATAL },
|
mac_smack_use, MNT_FATAL },
|
||||||
{ "tmpfs", "/dev/shm", "tmpfs", "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
{ "tmpfs", "/dev/shm", "tmpfs", "mode=01777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
||||||
mac_smack_use, MNT_FATAL },
|
mac_smack_use, MNT_FATAL },
|
||||||
#endif
|
#endif
|
||||||
{ "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
{ "tmpfs", "/dev/shm", "tmpfs", "mode=01777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
||||||
NULL, MNT_FATAL|MNT_IN_CONTAINER },
|
NULL, MNT_FATAL|MNT_IN_CONTAINER },
|
||||||
{ "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
|
{ "devpts", "/dev/pts", "devpts", "mode=0620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
|
||||||
NULL, MNT_IN_CONTAINER },
|
NULL, MNT_IN_CONTAINER },
|
||||||
#if ENABLE_SMACK
|
#if ENABLE_SMACK
|
||||||
{ "tmpfs", "/run", "tmpfs", "mode=755,smackfsroot=*" TMPFS_LIMITS_RUN, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
{ "tmpfs", "/run", "tmpfs", "mode=0755,smackfsroot=*" TMPFS_LIMITS_RUN, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
||||||
mac_smack_use, MNT_FATAL },
|
mac_smack_use, MNT_FATAL },
|
||||||
#endif
|
#endif
|
||||||
{ "tmpfs", "/run", "tmpfs", "mode=755" TMPFS_LIMITS_RUN, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
{ "tmpfs", "/run", "tmpfs", "mode=0755" TMPFS_LIMITS_RUN, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
||||||
NULL, MNT_FATAL|MNT_IN_CONTAINER },
|
NULL, MNT_FATAL|MNT_IN_CONTAINER },
|
||||||
{ "cgroup2", "/sys/fs/cgroup", "cgroup2", "nsdelegate,memory_recursiveprot", MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "cgroup2", "/sys/fs/cgroup", "cgroup2", "nsdelegate,memory_recursiveprot", MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
cg_is_unified_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
|
cg_is_unified_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
|
||||||
{ "cgroup2", "/sys/fs/cgroup", "cgroup2", "nsdelegate", MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "cgroup2", "/sys/fs/cgroup", "cgroup2", "nsdelegate", MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
cg_is_unified_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
|
cg_is_unified_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
|
||||||
{ "cgroup2", "/sys/fs/cgroup", "cgroup2", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "cgroup2", "/sys/fs/cgroup", "cgroup2", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
cg_is_unified_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
|
cg_is_unified_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
|
||||||
{ "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755" TMPFS_LIMITS_SYS_FS_CGROUP, MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
|
{ "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=0755" TMPFS_LIMITS_SYS_FS_CGROUP, MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
|
||||||
cg_is_legacy_wanted, MNT_FATAL|MNT_IN_CONTAINER },
|
cg_is_legacy_wanted, MNT_FATAL|MNT_IN_CONTAINER },
|
||||||
{ "cgroup2", "/sys/fs/cgroup/unified", "cgroup2", "nsdelegate", MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "cgroup2", "/sys/fs/cgroup/unified", "cgroup2", "nsdelegate", MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
cg_is_hybrid_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
|
cg_is_hybrid_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
|
||||||
{ "cgroup2", "/sys/fs/cgroup/unified", "cgroup2", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "cgroup2", "/sys/fs/cgroup/unified", "cgroup2", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
cg_is_hybrid_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
|
cg_is_hybrid_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
|
||||||
{ "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd,xattr", MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd,xattr", MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
cg_is_legacy_wanted, MNT_IN_CONTAINER },
|
cg_is_legacy_wanted, MNT_IN_CONTAINER },
|
||||||
{ "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
cg_is_legacy_wanted, MNT_FATAL|MNT_IN_CONTAINER },
|
cg_is_legacy_wanted, MNT_FATAL|MNT_IN_CONTAINER },
|
||||||
#if ENABLE_PSTORE
|
#if ENABLE_PSTORE
|
||||||
{ "pstore", "/sys/fs/pstore", "pstore", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "pstore", "/sys/fs/pstore", "pstore", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
NULL, MNT_NONE },
|
NULL, MNT_NONE },
|
||||||
#endif
|
#endif
|
||||||
#if ENABLE_EFI
|
#if ENABLE_EFI
|
||||||
{ "efivarfs", "/sys/firmware/efi/efivars", "efivarfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "efivarfs", "/sys/firmware/efi/efivars", "efivarfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
is_efi_boot, MNT_NONE },
|
is_efi_boot, MNT_NONE },
|
||||||
#endif
|
#endif
|
||||||
{ "bpf", "/sys/fs/bpf", "bpf", "mode=700", MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "bpf", "/sys/fs/bpf", "bpf", "mode=0700", MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
NULL, MNT_NONE, },
|
NULL, MNT_NONE, },
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -356,7 +356,9 @@ int mount_cgroup_controllers(void) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Now that we mounted everything, let's make the tmpfs the cgroup file systems are mounted into read-only. */
|
/* Now that we mounted everything, let's make the tmpfs the cgroup file systems are mounted into read-only. */
|
||||||
(void) mount_nofollow("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY, "mode=755" TMPFS_LIMITS_SYS_FS_CGROUP);
|
(void) mount_nofollow("tmpfs", "/sys/fs/cgroup", "tmpfs",
|
||||||
|
MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY,
|
||||||
|
"mode=0755" TMPFS_LIMITS_SYS_FS_CGROUP);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
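Review bot: The read-only remount of the `/sys/fs/cgroup` tmpfs in mount_cgroup_controllers() still discards its result with `(void)`, so a failed remount leaves that tmpfs writable and nothing is logged. The comment above the call describes this step as making the tmpfs read-only, which reads as a hardening measure, so a failure deserves a trace even if it stays non-fatal. Since the call is being rewrapped anyway, consider `(void) mount_nofollow_verbose(LOG_WARNING, "tmpfs", "/sys/fs/cgroup", "tmpfs", ...)` with the same flags and options, assuming that helper (used in other files of this commit) is usable here. The function body starts outside the hunk.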
|
@ -763,9 +763,9 @@ int mount_option_mangle(
|
|||||||
/* This extracts mount flags from the mount options, and stores
|
/* This extracts mount flags from the mount options, and stores
|
||||||
* non-mount-flag options to '*ret_remaining_options'.
|
* non-mount-flag options to '*ret_remaining_options'.
|
||||||
* E.g.,
|
* E.g.,
|
||||||
* "rw,nosuid,nodev,relatime,size=1630748k,mode=700,uid=1000,gid=1000"
|
* "rw,nosuid,nodev,relatime,size=1630748k,mode=0700,uid=1000,gid=1000"
|
||||||
* is split to MS_NOSUID|MS_NODEV|MS_RELATIME and
|
* is split to MS_NOSUID|MS_NODEV|MS_RELATIME and
|
||||||
* "size=1630748k,mode=700,uid=1000,gid=1000".
|
* "size=1630748k,mode=0700,uid=1000,gid=1000".
|
||||||
* See more examples in test-mount-util.c.
|
* See more examples in test-mount-util.c.
|
||||||
*
|
*
|
||||||
* If 'options' does not contain any non-mount-flag options,
|
* If 'options' does not contain any non-mount-flag options,
|
||||||
|
@ -37,14 +37,14 @@ TEST(mount_option_mangle) {
|
|||||||
assert_se(f == (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC));
|
assert_se(f == (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC));
|
||||||
assert_se(opts == NULL);
|
assert_se(opts == NULL);
|
||||||
|
|
||||||
assert_se(mount_option_mangle("ro,nosuid,nodev,noexec,mode=755", 0, &f, &opts) == 0);
|
assert_se(mount_option_mangle("ro,nosuid,nodev,noexec,mode=0755", 0, &f, &opts) == 0);
|
||||||
assert_se(f == (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC));
|
assert_se(f == (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC));
|
||||||
assert_se(streq(opts, "mode=755"));
|
assert_se(streq(opts, "mode=0755"));
|
||||||
opts = mfree(opts);
|
opts = mfree(opts);
|
||||||
|
|
||||||
assert_se(mount_option_mangle("rw,nosuid,foo,hogehoge,nodev,mode=755", 0, &f, &opts) == 0);
|
assert_se(mount_option_mangle("rw,nosuid,foo,hogehoge,nodev,mode=0755", 0, &f, &opts) == 0);
|
||||||
assert_se(f == (MS_NOSUID|MS_NODEV));
|
assert_se(f == (MS_NOSUID|MS_NODEV));
|
||||||
assert_se(streq(opts, "foo,hogehoge,mode=755"));
|
assert_se(streq(opts, "foo,hogehoge,mode=0755"));
|
||||||
opts = mfree(opts);
|
opts = mfree(opts);
|
||||||
|
|
||||||
assert_se(mount_option_mangle("rw,nosuid,nodev,noexec,relatime,net_cls,net_prio", MS_RDONLY, &f, &opts) == 0);
|
assert_se(mount_option_mangle("rw,nosuid,nodev,noexec,relatime,net_cls,net_prio", MS_RDONLY, &f, &opts) == 0);
|
||||||
@ -52,19 +52,19 @@ TEST(mount_option_mangle) {
|
|||||||
assert_se(streq(opts, "net_cls,net_prio"));
|
assert_se(streq(opts, "net_cls,net_prio"));
|
||||||
opts = mfree(opts);
|
opts = mfree(opts);
|
||||||
|
|
||||||
assert_se(mount_option_mangle("rw,nosuid,nodev,relatime,size=1630748k,mode=700,uid=1000,gid=1000", MS_RDONLY, &f, &opts) == 0);
|
assert_se(mount_option_mangle("rw,nosuid,nodev,relatime,size=1630748k,mode=0700,uid=1000,gid=1000", MS_RDONLY, &f, &opts) == 0);
|
||||||
assert_se(f == (MS_NOSUID|MS_NODEV|MS_RELATIME));
|
assert_se(f == (MS_NOSUID|MS_NODEV|MS_RELATIME));
|
||||||
assert_se(streq(opts, "size=1630748k,mode=700,uid=1000,gid=1000"));
|
assert_se(streq(opts, "size=1630748k,mode=0700,uid=1000,gid=1000"));
|
||||||
opts = mfree(opts);
|
opts = mfree(opts);
|
||||||
|
|
||||||
assert_se(mount_option_mangle("size=1630748k,rw,gid=1000,,,nodev,relatime,,mode=700,nosuid,uid=1000", MS_RDONLY, &f, &opts) == 0);
|
assert_se(mount_option_mangle("size=1630748k,rw,gid=1000,,,nodev,relatime,,mode=0700,nosuid,uid=1000", MS_RDONLY, &f, &opts) == 0);
|
||||||
assert_se(f == (MS_NOSUID|MS_NODEV|MS_RELATIME));
|
assert_se(f == (MS_NOSUID|MS_NODEV|MS_RELATIME));
|
||||||
assert_se(streq(opts, "size=1630748k,gid=1000,mode=700,uid=1000"));
|
assert_se(streq(opts, "size=1630748k,gid=1000,mode=0700,uid=1000"));
|
||||||
opts = mfree(opts);
|
opts = mfree(opts);
|
||||||
|
|
||||||
assert_se(mount_option_mangle("rw,exec,size=8143984k,nr_inodes=2035996,mode=755", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, &f, &opts) == 0);
|
assert_se(mount_option_mangle("rw,exec,size=8143984k,nr_inodes=2035996,mode=0755", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, &f, &opts) == 0);
|
||||||
assert_se(f == (MS_NOSUID|MS_NODEV));
|
assert_se(f == (MS_NOSUID|MS_NODEV));
|
||||||
assert_se(streq(opts, "size=8143984k,nr_inodes=2035996,mode=755"));
|
assert_se(streq(opts, "size=8143984k,nr_inodes=2035996,mode=0755"));
|
||||||
opts = mfree(opts);
|
opts = mfree(opts);
|
||||||
|
|
||||||
assert_se(mount_option_mangle("rw,relatime,fmask=0022,,,dmask=0022", MS_RDONLY, &f, &opts) == 0);
|
assert_se(mount_option_mangle("rw,relatime,fmask=0022,,,dmask=0022", MS_RDONLY, &f, &opts) == 0);
|
||||||
@ -74,9 +74,9 @@ TEST(mount_option_mangle) {
|
|||||||
|
|
||||||
assert_se(mount_option_mangle("rw,relatime,fmask=0022,dmask=0022,\"hogehoge", MS_RDONLY, &f, &opts) < 0);
|
assert_se(mount_option_mangle("rw,relatime,fmask=0022,dmask=0022,\"hogehoge", MS_RDONLY, &f, &opts) < 0);
|
||||||
|
|
||||||
assert_se(mount_option_mangle("mode=1777,size=10%,nr_inodes=400k,uid=496107520,gid=496107520,context=\"system_u:object_r:svirt_sandbox_file_t:s0:c0,c1\"", 0, &f, &opts) == 0);
|
assert_se(mount_option_mangle("mode=01777,size=10%,nr_inodes=400k,uid=496107520,gid=496107520,context=\"system_u:object_r:svirt_sandbox_file_t:s0:c0,c1\"", 0, &f, &opts) == 0);
|
||||||
assert_se(f == 0);
|
assert_se(f == 0);
|
||||||
assert_se(streq(opts, "mode=1777,size=10%,nr_inodes=400k,uid=496107520,gid=496107520,context=\"system_u:object_r:svirt_sandbox_file_t:s0:c0,c1\""));
|
assert_se(streq(opts, "mode=01777,size=10%,nr_inodes=400k,uid=496107520,gid=496107520,context=\"system_u:object_r:svirt_sandbox_file_t:s0:c0,c1\""));
|
||||||
opts = mfree(opts);
|
opts = mfree(opts);
|
||||||
}
|
}
|
||||||
|
|
||||||
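Review bot: Every `mode=` input in TEST(mount_option_mangle) now carries the leading zero, so no case in these hunks exercises the un-prefixed spelling any more. The asserts show the non-flag options being returned verbatim, and the commit message notes that both spellings mean the same to the kernel, so option strings that originate outside this tree can presumably still arrive in either form. Keeping one pair on the old spelling would pin that pass-through, e.g. `assert_se(mount_option_mangle("ro,nosuid,nodev,noexec,mode=755", 0, &f, &opts) == 0);` followed by `assert_se(streq(opts, "mode=755"));`. The test body starts outside the first hunk.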
|
@ -29,7 +29,7 @@ static int make_volatile(const char *path) {
|
|||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Couldn't generate volatile sysroot directory: %m");
|
return log_error_errno(r, "Couldn't generate volatile sysroot directory: %m");
|
||||||
|
|
||||||
r = mount_nofollow_verbose(LOG_ERR, "tmpfs", "/run/systemd/volatile-sysroot", "tmpfs", MS_STRICTATIME, "mode=755" TMPFS_LIMITS_ROOTFS);
|
r = mount_nofollow_verbose(LOG_ERR, "tmpfs", "/run/systemd/volatile-sysroot", "tmpfs", MS_STRICTATIME, "mode=0755" TMPFS_LIMITS_ROOTFS);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
goto finish_rmdir;
|
goto finish_rmdir;
|
||||||
|
|
||||||
@ -80,7 +80,7 @@ static int make_overlay(const char *path) {
|
|||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Couldn't create overlay sysroot directory: %m");
|
return log_error_errno(r, "Couldn't create overlay sysroot directory: %m");
|
||||||
|
|
||||||
r = mount_nofollow_verbose(LOG_ERR, "tmpfs", "/run/systemd/overlay-sysroot", "tmpfs", MS_STRICTATIME, "mode=755" TMPFS_LIMITS_ROOTFS);
|
r = mount_nofollow_verbose(LOG_ERR, "tmpfs", "/run/systemd/overlay-sysroot", "tmpfs", MS_STRICTATIME, "mode=0755" TMPFS_LIMITS_ROOTFS);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
goto finish;
|
goto finish;
|
||||||
|
|
||||||
|
@ -2444,7 +2444,7 @@ sub udev_setup {
|
|||||||
rmdir($udev_tmpfs);
|
rmdir($udev_tmpfs);
|
||||||
mkdir($udev_tmpfs) || die "unable to create udev_tmpfs: $udev_tmpfs\n";
|
mkdir($udev_tmpfs) || die "unable to create udev_tmpfs: $udev_tmpfs\n";
|
||||||
|
|
||||||
if (system("mount", "-o", "rw,mode=755,nosuid,noexec", "-t", "tmpfs", "tmpfs", $udev_tmpfs)) {
|
if (system("mount", "-o", "rw,mode=0755,nosuid,noexec", "-t", "tmpfs", "tmpfs", $udev_tmpfs)) {
|
||||||
warn "unable to mount tmpfs";
|
warn "unable to mount tmpfs";
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|