static int mount_one(const MountPoint *p, bool relabel) {
int r;
assert(p);
if (p->condition_fn && !p->condition_fn())
return 0;
/* Relabel first, just in case */
if (relabel)
(void) label_fix(p->where, true, true);
r = path_is_mount_point(p->where, NULL, AT_SYMLINK_FOLLOW);
if (r < 0 && r != -ENOENT) {
log_full_errno((p->mode & MNT_FATAL) ? LOG_ERR : LOG_DEBUG, r, "Failed to determine whether %s is a mount point: %m", p->where);
return (p->mode & MNT_FATAL) ? r : 0;
}
if (r > 0)
return 0;
/* Skip securityfs in a container */
if (!(p->mode & MNT_IN_CONTAINER) && detect_container() > 0)
return 0;
/* The access mode here doesn't really matter too much, since
* the mounted file system will take precedence anyway. */
if (relabel)
(void) mkdir_p_label(p->where, 0755);
else
(void) mkdir_p(p->where, 0755);
log_debug("Mounting %s to %s of type %s with options %s.",
p->what,
p->where,
p->type,
strna(p->options));
if (mount(p->what,
p->where,
p->type,
p->flags,
p->options) < 0) {
log_full_errno((p->mode & MNT_FATAL) ? LOG_ERR : LOG_DEBUG, errno, "Failed to mount %s at %s: %m", p->type, p->where);
return (p->mode & MNT_FATAL) ? -errno : 0;
}
/* Relabel again, since we now mounted something fresh here */
if (relabel)
(void) label_fix(p->where, false, false);
return 1;
}
static int open_dev_autofs(Manager *m) {
struct autofs_dev_ioctl param;
assert(m);
if (m->dev_autofs_fd >= 0)
return m->dev_autofs_fd;
label_fix("/dev/autofs", false, false);
m->dev_autofs_fd = open("/dev/autofs", O_CLOEXEC|O_RDONLY);
if (m->dev_autofs_fd < 0) {
log_error("Failed to open /dev/autofs: %m");
return -errno;
}
init_autofs_dev_ioctl(¶m);
if (ioctl(m->dev_autofs_fd, AUTOFS_DEV_IOCTL_VERSION, ¶m) < 0) {
close_nointr_nofail(m->dev_autofs_fd);
m->dev_autofs_fd = -1;
return -errno;
}
log_debug("Autofs kernel version %i.%i", param.ver_major, param.ver_minor);
return m->dev_autofs_fd;
}
static int node_fixup(struct udev_device *dev, mode_t mode, uid_t uid, gid_t gid)
{
const char *devnode = udev_device_get_devnode(dev);
dev_t devnum = udev_device_get_devnum(dev);
struct stat stats;
int err = 0;
if (strcmp(udev_device_get_subsystem(dev), "block") == 0)
mode |= S_IFBLK;
else
mode |= S_IFCHR;
if (lstat(devnode, &stats) != 0) {
err = -errno;
log_debug("can not stat() node '%s' (%m)\n", devnode);
goto out;
}
if (((stats.st_mode & S_IFMT) != (mode & S_IFMT)) || (stats.st_rdev != devnum)) {
err = -EEXIST;
log_debug("found node '%s' with non-matching devnum %s, skip handling\n",
udev_device_get_devnode(dev), udev_device_get_id_filename(dev));
goto out;
}
if ((stats.st_mode & 0777) != (mode & 0777) || stats.st_uid != uid || stats.st_gid != gid) {
log_debug("set permissions %s, %#o, uid=%u, gid=%u\n", devnode, mode, uid, gid);
chmod(devnode, mode);
chown(devnode, uid, gid);
} else {
log_debug("preserve permissions %s, %#o, uid=%u, gid=%u\n", devnode, mode, uid, gid);
}
/*
* Set initial selinux file context only on add events.
* We set the proper context on bootup (triger) or for newly
* added devices, but we don't change it later, in case
* something else has set a custom context in the meantime.
*/
if (strcmp(udev_device_get_action(dev), "add") == 0)
label_fix(devnode, true, false);
/* always update timestamp when we re-use the node, like on media change events */
utimensat(AT_FDCWD, devnode, NULL, 0);
out:
return err;
}
static int item_set_perms(Item *i, const char *path) {
/* not using i->path directly because it may be a glob */
if (i->mode_set)
if (chmod(path, i->mode) < 0) {
log_error("chmod(%s) failed: %m", path);
return -errno;
}
if (i->uid_set || i->gid_set)
if (chown(path,
i->uid_set ? i->uid : (uid_t) -1,
i->gid_set ? i->gid : (gid_t) -1) < 0) {
log_error("chown(%s) failed: %m", path);
return -errno;
}
return label_fix(path, false, false);
}
static int node_permissions_apply(struct udev_device *dev, bool apply, mode_t mode, uid_t uid, gid_t gid)
{
const char *devnode = udev_device_get_devnode(dev);
dev_t devnum = udev_device_get_devnum(dev);
struct stat stats;
int err = 0;
if (streq(udev_device_get_subsystem(dev), "block"))
mode |= S_IFBLK;
else
mode |= S_IFCHR;
if (lstat(devnode, &stats) != 0) {
err = -errno;
log_debug("can not stat() node '%s' (%m)\n", devnode);
goto out;
}
if (((stats.st_mode & S_IFMT) != (mode & S_IFMT)) || (stats.st_rdev != devnum)) {
err = -EEXIST;
log_debug("found node '%s' with non-matching devnum %s, skip handling\n",
udev_device_get_devnode(dev), udev_device_get_id_filename(dev));
goto out;
}
if (apply) {
if ((stats.st_mode & 0777) != (mode & 0777) || stats.st_uid != uid || stats.st_gid != gid) {
log_debug("set permissions %s, %#o, uid=%u, gid=%u\n", devnode, mode, uid, gid);
chmod(devnode, mode);
if (chown(devnode, uid, gid) < 0)
log_debug("Failed to change ownership of %s to uid=%u, gid=%u\n", devnode, uid, gid);
} else {
log_debug("preserve permissions %s, %#o, uid=%u, gid=%u\n", devnode, mode, uid, gid);
}
label_fix(devnode, true, false);
}
/* always update timestamp when we re-use the node, like on media change events */
utimensat(AT_FDCWD, devnode, NULL, 0);
out:
return err;
}
static int nftw_cb(
const char *fpath,
const struct stat *sb,
int tflag,
struct FTW *ftwbuf) {
/* No need to label /dev twice in a row... */
if (_unlikely_(ftwbuf->level == 0))
return FTW_CONTINUE;
label_fix(fpath, false, false);
/* /run/initramfs is static data and big, no need to
* dynamically relabel its contents at boot... */
if (_unlikely_(ftwbuf->level == 1 &&
tflag == FTW_D &&
streq(fpath, "/run/initramfs")))
return FTW_SKIP_SUBTREE;
return FTW_CONTINUE;
};
int mount_setup(bool loaded_policy) {
static const char relabel[] =
"/run/initramfs/root-fsck\0"
"/run/initramfs/shutdown\0";
int r;
unsigned i;
const char *j;
for (i = 0; i < ELEMENTSOF(mount_table); i ++) {
r = mount_one(mount_table + i, true);
if (r < 0)
return r;
}
/* Nodes in devtmpfs and /run need to be manually updated for
* the appropriate labels, after mounting. The other virtual
* API file systems like /sys and /proc do not need that, they
* use the same label for all their files. */
if (loaded_policy) {
usec_t before_relabel, after_relabel;
char timespan[FORMAT_TIMESPAN_MAX];
before_relabel = now(CLOCK_MONOTONIC);
nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
/* Explicitly relabel these */
NULSTR_FOREACH(j, relabel)
label_fix(j, true, false);
after_relabel = now(CLOCK_MONOTONIC);
log_info("Relabelled /dev and /run in %s.",
format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel));
}
/* Create a few default symlinks, which are normally created
* by udevd, but some scripts might need them before we start
* udevd. */
dev_setup(NULL);
/* Mark the root directory as shared in regards to mount
* propagation. The kernel defaults to "private", but we think
* it makes more sense to have a default of "shared" so that
* nspawn and the container tools work out of the box. If
* specific setups need other settings they can reset the
* propagation mode to private if needed. */
if (detect_container(NULL) <= 0)
if (mount(NULL, "/", NULL, MS_REC|MS_SHARED, NULL) < 0)
log_warning("Failed to set up the root directory for shared mount propagation: %m");
/* Create a few directories we always want around, Note that
* sd_booted() checks for /run/systemd/system, so this mkdir
* really needs to stay for good, otherwise software that
* copied sd-daemon.c into their sources will misdetect
* systemd. */
mkdir_label("/run/systemd", 0755);
mkdir_label("/run/systemd/system", 0755);
mkdir_label("/run/systemd/inaccessible", 0000);
return 0;
}
int mount_cgroup_controllers(char ***join_controllers) {
_cleanup_set_free_free_ Set *controllers = NULL;
int r;
if (!cg_is_legacy_wanted())
return 0;
/* Mount all available cgroup controllers that are built into the kernel. */
controllers = set_new(&string_hash_ops);
if (!controllers)
return log_oom();
r = cg_kernel_controllers(controllers);
if (r < 0)
return log_error_errno(r, "Failed to enumerate cgroup controllers: %m");
for (;;) {
_cleanup_free_ char *options = NULL, *controller = NULL, *where = NULL;
MountPoint p = {
.what = "cgroup",
.type = "cgroup",
.flags = MS_NOSUID|MS_NOEXEC|MS_NODEV,
.mode = MNT_IN_CONTAINER,
};
char ***k = NULL;
controller = set_steal_first(controllers);
if (!controller)
break;
if (join_controllers)
for (k = join_controllers; *k; k++)
if (strv_find(*k, controller))
break;
if (k && *k) {
char **i, **j;
for (i = *k, j = *k; *i; i++) {
if (!streq(*i, controller)) {
_cleanup_free_ char *t;
t = set_remove(controllers, *i);
if (!t) {
free(*i);
continue;
}
}
*(j++) = *i;
}
*j = NULL;
options = strv_join(*k, ",");
if (!options)
return log_oom();
} else {
options = controller;
controller = NULL;
}
where = strappend("/sys/fs/cgroup/", options);
if (!where)
return log_oom();
p.where = where;
p.options = options;
r = mount_one(&p, true);
if (r < 0)
return r;
if (r > 0 && k && *k) {
char **i;
for (i = *k; *i; i++) {
_cleanup_free_ char *t = NULL;
t = strappend("/sys/fs/cgroup/", *i);
if (!t)
return log_oom();
r = symlink(options, t);
if (r < 0 && errno != EEXIST)
return log_error_errno(errno, "Failed to create symlink %s: %m", t);
#ifdef SMACK_RUN_LABEL
r = mac_smack_copy(t, options);
if (r < 0 && r != -EOPNOTSUPP)
return log_error_errno(r, "Failed to copy smack label from %s to %s: %m", options, t);
#endif
}
}
}
/* Now that we mounted everything, let's make the tmpfs the
* cgroup file systems are mounted into read-only. */
(void) mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY, "mode=755");
return 0;
}
#if defined(HAVE_SELINUX) || defined(HAVE_SMACK)
static int nftw_cb(
const char *fpath,
const struct stat *sb,
int tflag,
struct FTW *ftwbuf) {
/* No need to label /dev twice in a row... */
if (_unlikely_(ftwbuf->level == 0))
return FTW_CONTINUE;
label_fix(fpath, false, false);
/* /run/initramfs is static data and big, no need to
* dynamically relabel its contents at boot... */
if (_unlikely_(ftwbuf->level == 1 &&
tflag == FTW_D &&
streq(fpath, "/run/initramfs")))
return FTW_SKIP_SUBTREE;
return FTW_CONTINUE;
};
#endif
int mount_setup(bool loaded_policy) {
unsigned i;
int r = 0;
for (i = 0; i < ELEMENTSOF(mount_table); i ++) {
int j;
j = mount_one(mount_table + i, loaded_policy);
if (j != 0 && r >= 0)
r = j;
}
if (r < 0)
return r;
#if defined(HAVE_SELINUX) || defined(HAVE_SMACK)
/* Nodes in devtmpfs and /run need to be manually updated for
* the appropriate labels, after mounting. The other virtual
* API file systems like /sys and /proc do not need that, they
* use the same label for all their files. */
if (loaded_policy) {
usec_t before_relabel, after_relabel;
char timespan[FORMAT_TIMESPAN_MAX];
before_relabel = now(CLOCK_MONOTONIC);
nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
after_relabel = now(CLOCK_MONOTONIC);
log_info("Relabelled /dev and /run in %s.",
format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel, 0));
}
#endif
/* Create a few default symlinks, which are normally created
* by udevd, but some scripts might need them before we start
* udevd. */
dev_setup(NULL, UID_INVALID, GID_INVALID);
/* Mark the root directory as shared in regards to mount
* propagation. The kernel defaults to "private", but we think
* it makes more sense to have a default of "shared" so that
* nspawn and the container tools work out of the box. If
* specific setups need other settings they can reset the
* propagation mode to private if needed. */
if (detect_container() <= 0)
if (mount(NULL, "/", NULL, MS_REC|MS_SHARED, NULL) < 0)
log_warning_errno(errno, "Failed to set up the root directory for shared mount propagation: %m");
/* Create a few directories we always want around, Note that
* sd_booted() checks for /run/systemd/system, so this mkdir
* really needs to stay for good, otherwise software that
* copied sd-daemon.c into their sources will misdetect
* systemd. */
mkdir_label("/run/systemd", 0755);
mkdir_label("/run/systemd/system", 0755);
mkdir_label("/run/systemd/inaccessible", 0000);
return 0;
}
static int node_symlink(struct udev_device *dev, const char *node, const char *slink) {
struct stat stats;
char target[UTIL_PATH_SIZE];
char *s;
size_t l;
char slink_tmp[UTIL_PATH_SIZE + 32];
int i = 0;
int tail = 0;
int err = 0;
/* use relative link */
target[0] = '\0';
while (node[i] && (node[i] == slink[i])) {
if (node[i] == '/')
tail = i+1;
i++;
}
s = target;
l = sizeof(target);
while (slink[i] != '\0') {
if (slink[i] == '/')
l = strpcpy(&s, l, "../");
i++;
}
l = strscpy(s, l, &node[tail]);
if (l == 0) {
err = -EINVAL;
goto exit;
}
/* preserve link with correct target, do not replace node of other device */
if (lstat(slink, &stats) == 0) {
if (S_ISBLK(stats.st_mode) || S_ISCHR(stats.st_mode)) {
log_error("conflicting device node '%s' found, link to '%s' will not be created", slink, node);
goto exit;
} else if (S_ISLNK(stats.st_mode)) {
char buf[UTIL_PATH_SIZE];
int len;
len = readlink(slink, buf, sizeof(buf));
if (len > 0 && len < (int)sizeof(buf)) {
buf[len] = '\0';
if (streq(target, buf)) {
log_debug("preserve already existing symlink '%s' to '%s'", slink, target);
label_fix(slink, true, false);
utimensat(AT_FDCWD, slink, NULL, AT_SYMLINK_NOFOLLOW);
goto exit;
}
}
}
} else {
log_debug("creating symlink '%s' to '%s'", slink, target);
do {
err = mkdir_parents_label(slink, 0755);
if (err != 0 && err != -ENOENT)
break;
mac_selinux_create_file_prepare(slink, S_IFLNK);
err = symlink(target, slink);
if (err != 0)
err = -errno;
mac_selinux_create_file_clear();
} while (err == -ENOENT);
if (err == 0)
goto exit;
}
log_debug("atomically replace '%s'", slink);
strscpyl(slink_tmp, sizeof(slink_tmp), slink, ".tmp-", udev_device_get_id_filename(dev), NULL);
unlink(slink_tmp);
do {
err = mkdir_parents_label(slink_tmp, 0755);
if (err != 0 && err != -ENOENT)
break;
mac_selinux_create_file_prepare(slink_tmp, S_IFLNK);
err = symlink(target, slink_tmp);
if (err != 0)
err = -errno;
mac_selinux_create_file_clear();
} while (err == -ENOENT);
if (err != 0) {
log_error_errno(errno, "symlink '%s' '%s' failed: %m", target, slink_tmp);
goto exit;
}
err = rename(slink_tmp, slink);
if (err != 0) {
log_error_errno(errno, "rename '%s' '%s' failed: %m", slink_tmp, slink);
unlink(slink_tmp);
}
exit:
return err;
}
static int node_symlink(sd_device *dev, const char *node, const char *slink) {
_cleanup_free_ char *slink_dirname = NULL, *target = NULL;
const char *id_filename, *slink_tmp;
struct stat stats;
int r;
assert(dev);
assert(node);
assert(slink);
slink_dirname = dirname_malloc(slink);
if (!slink_dirname)
return log_oom();
/* use relative link */
r = path_make_relative(slink_dirname, node, &target);
if (r < 0)
return log_device_error_errno(dev, r, "Failed to get relative path from '%s' to '%s': %m", slink, node);
/* preserve link with correct target, do not replace node of other device */
if (lstat(slink, &stats) == 0) {
if (S_ISBLK(stats.st_mode) || S_ISCHR(stats.st_mode)) {
log_device_error(dev, "Conflicting device node '%s' found, link to '%s' will not be created.", slink, node);
return -EOPNOTSUPP;
} else if (S_ISLNK(stats.st_mode)) {
_cleanup_free_ char *buf = NULL;
if (readlink_malloc(slink, &buf) >= 0 &&
streq(target, buf)) {
log_device_debug(dev, "Preserve already existing symlink '%s' to '%s'", slink, target);
(void) label_fix(slink, LABEL_IGNORE_ENOENT);
(void) utimensat(AT_FDCWD, slink, NULL, AT_SYMLINK_NOFOLLOW);
return 0;
}
}
} else {
log_device_debug(dev, "Creating symlink '%s' to '%s'", slink, target);
do {
r = mkdir_parents_label(slink, 0755);
if (!IN_SET(r, 0, -ENOENT))
break;
mac_selinux_create_file_prepare(slink, S_IFLNK);
if (symlink(target, slink) < 0)
r = -errno;
mac_selinux_create_file_clear();
} while (r == -ENOENT);
if (r == 0)
return 0;
if (r < 0)
log_device_debug_errno(dev, r, "Failed to create symlink '%s' to '%s', trying to replace '%s': %m", slink, target, slink);
}
log_device_debug(dev, "Atomically replace '%s'", slink);
r = device_get_id_filename(dev, &id_filename);
if (r < 0)
return log_device_error_errno(dev, r, "Failed to get id_filename: %m");
slink_tmp = strjoina(slink, ".tmp-", id_filename);
(void) unlink(slink_tmp);
do {
r = mkdir_parents_label(slink_tmp, 0755);
if (!IN_SET(r, 0, -ENOENT))
break;
mac_selinux_create_file_prepare(slink_tmp, S_IFLNK);
if (symlink(target, slink_tmp) < 0)
r = -errno;
mac_selinux_create_file_clear();
} while (r == -ENOENT);
if (r < 0)
return log_device_error_errno(dev, r, "Failed to create symlink '%s' to '%s': %m", slink_tmp, target);
if (rename(slink_tmp, slink) < 0) {
r = log_device_error_errno(dev, errno, "Failed to rename '%s' to '%s' failed: %m", slink_tmp, slink);
(void) unlink(slink_tmp);
}
return r;
}
int mount_cgroup_controllers(char ***join_controllers) {
int r;
char buf[LINE_MAX];
_cleanup_set_free_free_ Set *controllers = NULL;
_cleanup_fclose_ FILE *f;
/* Mount all available cgroup controllers that are built into the kernel. */
f = fopen("/proc/cgroups", "re");
if (!f) {
log_error("Failed to enumerate cgroup controllers: %m");
return 0;
}
controllers = set_new(string_hash_func, string_compare_func);
if (!controllers)
return log_oom();
/* Ignore the header line */
(void) fgets(buf, sizeof(buf), f);
for (;;) {
char *controller;
int enabled = 0;
if (fscanf(f, "%ms %*i %*i %i", &controller, &enabled) != 2) {
if (feof(f))
break;
log_error("Failed to parse /proc/cgroups.");
return -EIO;
}
if (!enabled) {
free(controller);
continue;
}
r = set_consume(controllers, controller);
if (r < 0) {
log_error("Failed to add controller to set.");
return r;
}
}
for (;;) {
MountPoint p = {
.what = "cgroup",
.type = "cgroup",
.flags = MS_NOSUID|MS_NOEXEC|MS_NODEV,
.mode = MNT_IN_CONTAINER,
};
char ***k = NULL;
_cleanup_free_ char *options = NULL, *controller;
controller = set_steal_first(controllers);
if (!controller)
break;
if (join_controllers)
for (k = join_controllers; *k; k++)
if (strv_find(*k, controller))
break;
if (k && *k) {
char **i, **j;
for (i = *k, j = *k; *i; i++) {
if (!streq(*i, controller)) {
char _cleanup_free_ *t;
t = set_remove(controllers, *i);
if (!t) {
free(*i);
continue;
}
}
*(j++) = *i;
}
*j = NULL;
options = strv_join(*k, ",");
if (!options)
return log_oom();
} else {
options = controller;
controller = NULL;
}
p.where = strappenda("/sys/fs/cgroup/", options);
p.options = options;
r = mount_one(&p, true);
if (r < 0)
return r;
if (r > 0 && k && *k) {
char **i;
for (i = *k; *i; i++) {
char *t = strappenda("/sys/fs/cgroup/", *i);
r = symlink(options, t);
if (r < 0 && errno != EEXIST) {
log_error("Failed to create symlink %s: %m", t);
return -errno;
}
}
}
}
return 0;
}
static int nftw_cb(
const char *fpath,
const struct stat *sb,
int tflag,
struct FTW *ftwbuf) {
/* No need to label /dev twice in a row... */
if (_unlikely_(ftwbuf->level == 0))
return FTW_CONTINUE;
label_fix(fpath, false, false);
/* /run/initramfs is static data and big, no need to
* dynamically relabel its contents at boot... */
if (_unlikely_(ftwbuf->level == 1 &&
tflag == FTW_D &&
streq(fpath, "/run/initramfs")))
return FTW_SKIP_SUBTREE;
return FTW_CONTINUE;
};
int mount_setup(bool loaded_policy) {
int r;
unsigned i;
for (i = 0; i < ELEMENTSOF(mount_table); i ++) {
r = mount_one(mount_table + i, true);
if (r < 0)
return r;
}
/* Nodes in devtmpfs and /run need to be manually updated for
* the appropriate labels, after mounting. The other virtual
* API file systems like /sys and /proc do not need that, they
* use the same label for all their files. */
if (loaded_policy) {
usec_t before_relabel, after_relabel;
char timespan[FORMAT_TIMESPAN_MAX];
before_relabel = now(CLOCK_MONOTONIC);
nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
after_relabel = now(CLOCK_MONOTONIC);
log_info("Relabelled /dev and /run in %s.",
format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel, 0));
}
/* Create a few default symlinks, which are normally created
* by udevd, but some scripts might need them before we start
* udevd. */
dev_setup(NULL);
/* Mark the root directory as shared in regards to mount
* propagation. The kernel defaults to "private", but we think
* it makes more sense to have a default of "shared" so that
* nspawn and the container tools work out of the box. If
* specific setups need other settings they can reset the
* propagation mode to private if needed. */
if (detect_container(NULL) <= 0)
if (mount(NULL, "/", NULL, MS_REC|MS_SHARED, NULL) < 0)
log_warning("Failed to set up the root directory for shared mount propagation: %m");
/* Create a few directories we always want around, Note that
* sd_booted() checks for /run/systemd/system, so this mkdir
* really needs to stay for good, otherwise software that
* copied sd-daemon.c into their sources will misdetect
* systemd. */
mkdir_label("/run/systemd", 0755);
mkdir_label("/run/systemd/system", 0755);
mkdir_label("/run/systemd/inaccessible", 0000);
return 0;
}
static int node_permissions_apply(struct udev_device *dev, bool apply,
mode_t mode, uid_t uid, gid_t gid,
struct udev_list *seclabel_list) {
const char *devnode = udev_device_get_devnode(dev);
dev_t devnum = udev_device_get_devnum(dev);
struct stat stats;
struct udev_list_entry *entry;
int err = 0;
if (streq(udev_device_get_subsystem(dev), "block"))
mode |= S_IFBLK;
else
mode |= S_IFCHR;
if (lstat(devnode, &stats) != 0) {
err = -errno;
log_debug("can not stat() node '%s' (%m)", devnode);
goto out;
}
if (((stats.st_mode & S_IFMT) != (mode & S_IFMT)) || (stats.st_rdev != devnum)) {
err = -EEXIST;
log_debug("found node '%s' with non-matching devnum %s, skip handling",
udev_device_get_devnode(dev), udev_device_get_id_filename(dev));
goto out;
}
if (apply) {
bool selinux = false;
bool smack = false;
if ((stats.st_mode & 0777) != (mode & 0777) || stats.st_uid != uid || stats.st_gid != gid) {
log_debug("set permissions %s, %#o, uid=%u, gid=%u", devnode, mode, uid, gid);
if((chmod(devnode, mode) !=0 ) || (chown(devnode, uid,gid) !=0)) {
err = -errno;
log_error("FAILED to set permissions %s, %#o, uid=%u, gid=%u", devnode, mode, uid, gid);
goto out;
}
} else {
log_debug("preserve permissions %s, %#o, uid=%u, gid=%u", devnode, mode, uid, gid);
}
/* apply SECLABEL{$module}=$label */
udev_list_entry_foreach(entry, udev_list_get_entry(seclabel_list)) {
const char *name, *label;
name = udev_list_entry_get_name(entry);
label = udev_list_entry_get_value(entry);
if (streq(name, "selinux")) {
selinux = true;
if (label_apply(devnode, label) < 0)
log_error("SECLABEL: failed to set SELinux label '%s'", label);
else
log_debug("SECLABEL: set SELinux label '%s'", label);
} else if (streq(name, "smack")) {
smack = true;
if (smack_label_path(devnode, label) < 0)
log_error("SECLABEL: failed to set SMACK label '%s'", label);
else
log_debug("SECLABEL: set SMACK label '%s'", label);
} else
log_error("SECLABEL: unknown subsystem, ignoring '%s'='%s'", name, label);
}
/* set the defaults */
if (!selinux)
label_fix(devnode, true, false);
if (!smack)
smack_label_path(devnode, NULL);
}
/* always update timestamp when we re-use the node, like on media change events */
utimensat(AT_FDCWD, devnode, NULL, 0);
out:
return err;
}
