Mount /run, /dev/shm usable to tasks when using SMACK.

Once systemd itself is running in a security domain for SMACK, it will fail to start countless tasks due to missing privileges for mounted and created directory structures. For /run and shm specifically, we grant all tasks access. These 2 mounts are allowed to fail, which will happen if the system is not running a SMACK enabled kernel or security=none is passed to the kernel.
2024-11-06 16:59:03 +03:00 · 2013-09-26 14:41:09 -07:00 · 2013-09-26 14:41:09 -07:00 · d407c94020
commit d407c94020
parent 1d5989fd80
1 changed files with 8 additions and 0 deletions
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@ -79,10 +79,18 @@ static const MountPoint mount_table[] = {
          NULL,       MNT_NONE },
        { "smackfs",    "/sys/fs/smackfs",           "smackfs",    "smackfsdef=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
          NULL,       MNT_NONE },
+#ifdef HAVE_SMACK
+        { "tmpfs",      "/dev/shm",                  "tmpfs",      "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+          NULL,       MNT_IN_CONTAINER },
+#endif
        { "tmpfs",      "/dev/shm",                  "tmpfs",      "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
          NULL,       MNT_FATAL|MNT_IN_CONTAINER },
        { "devpts",     "/dev/pts",                  "devpts",     "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
          NULL,       MNT_IN_CONTAINER },
+#ifdef HAVE_SMACK
+        { "tmpfs",      "/run",                      "tmpfs",      "mode=755,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+          NULL,       MNT_IN_CONTAINER },
+#endif
        { "tmpfs",      "/run",                      "tmpfs",      "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
          NULL,       MNT_FATAL|MNT_IN_CONTAINER },
        { "tmpfs",      "/sys/fs/cgroup",            "tmpfs",      "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,