diff options
| author | Auke Kok <auke-jan.h.kok@intel.com> | 2013-09-26 14:41:09 -0700 |
|---|---|---|
| committer | Auke Kok <auke-jan.h.kok@intel.com> | 2013-10-07 10:23:20 -0700 |
| commit | d407c9402064d8b9d1b12dca6ca1ddb2688e5454 (patch) | |
| tree | 9b1a92f312926b3e63d6aa72fbb6fa18127365ef /src/core | |
| parent | 1d5989fd803d2019de0f6aaaf3cfb1cb2bbc3cdb (diff) | |
Mount /run, /dev/shm usable to tasks when using SMACK.
Once systemd itself is running in a security domain for SMACK,
it will fail to start countless tasks due to missing privileges
for mounted and created directory structures. For /run and shm
specifically, we grant all tasks access.
These 2 mounts are allowed to fail, which will happen if the
system is not running a SMACK enabled kernel or security=none is
passed to the kernel.
Diffstat (limited to 'src/core')
| -rw-r--r-- | src/core/mount-setup.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c index 4359f5990..7845e8864 100644 --- a/src/core/mount-setup.c +++ b/src/core/mount-setup.c @@ -79,10 +79,18 @@ static const MountPoint mount_table[] = { NULL, MNT_NONE }, { "smackfs", "/sys/fs/smackfs", "smackfs", "smackfsdef=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, NULL, MNT_NONE }, +#ifdef HAVE_SMACK + { "tmpfs", "/dev/shm", "tmpfs", "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME, + NULL, MNT_IN_CONTAINER }, +#endif { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, NULL, MNT_FATAL|MNT_IN_CONTAINER }, { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, NULL, MNT_IN_CONTAINER }, +#ifdef HAVE_SMACK + { "tmpfs", "/run", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME, + NULL, MNT_IN_CONTAINER }, +#endif { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, NULL, MNT_FATAL|MNT_IN_CONTAINER }, { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, |