naccyde / rpms / systemd

Forked from rpms/systemd a year ago
Clone
923a60
From 1707b9959e67e5e73987e1ff8a72189d24656fa0 Mon Sep 17 00:00:00 2001
923a60
From: Krzysztof Nowicki <krzysztof.a.nowicki+github@gmail.com>
923a60
Date: Wed, 28 Mar 2018 13:36:33 +0200
923a60
Subject: [PATCH] core: dont't remount /sys/fs/cgroup for relabel if not needed
923a60
 (#8595)
923a60
923a60
The initial fix for relabelling the cgroup filesystem for
923a60
SELinux delivered in commit 8739f23e3 was based on the assumption that
923a60
the cgroup filesystem is already populated once mount_setup() is
923a60
executed, which was true for my system. What I wasn't aware is that this
923a60
is the case only when another instance of systemd was running before
923a60
this one, which can happen if systemd is used in the initrd (for ex. by
923a60
dracut).
923a60
923a60
In case of a clean systemd start-up the cgroup filesystem is actually
923a60
being populated after mount_setup() and does not need relabelling as at
923a60
that moment the SELinux policy is already loaded. Since however the root
923a60
cgroup filesystem was remounted read-only in the meantime this operation
923a60
will now fail.
923a60
923a60
To fix this check for the filesystem mount flags before relabelling and
923a60
only remount ro->rw->ro if necessary and leave the filesystem read-write
923a60
otherwise.
923a60
923a60
Fixes #7901.
923a60
923a60
(cherry picked from commit 6f7729c1767998110c4460c85c94435c5782a613)
923a60
---
923a60
 src/core/mount-setup.c | 35 ++++++++++++++++++++++++++++++-----
923a60
 1 file changed, 30 insertions(+), 5 deletions(-)
923a60
923a60
diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
923a60
index 7a2cae4a39..ed493cbe36 100644
923a60
--- a/src/core/mount-setup.c
923a60
+++ b/src/core/mount-setup.c
923a60
@@ -25,6 +25,8 @@
923a60
 #include <stdlib.h>
923a60
 #include <string.h>
923a60
 #include <assert.h>
923a60
+#include <sys/statfs.h>
923a60
+#include <sys/statvfs.h>
923a60
 #include <unistd.h>
923a60
 #include <ftw.h>
923a60
 
923a60
@@ -337,6 +339,31 @@ static int nftw_cb(
923a60
 
923a60
         return FTW_CONTINUE;
923a60
 };
923a60
+
923a60
+static int relabel_cgroup_filesystems(void) {
923a60
+        int r;
923a60
+        struct statfs st;
923a60
+
923a60
+        /* Temporarily remount the root cgroup filesystem to give it a proper label. Do this
923a60
+           only when the filesystem has been already populated by a previous instance of systemd
923a60
+           running from initrd. Otherwise don't remount anything and leave the filesystem read-write
923a60
+           for the cgroup filesystems to be mounted inside. */
923a60
+        r = statfs("/sys/fs/cgroup", &st);
923a60
+        if (r < 0) {
923a60
+                return log_error_errno(errno, "Failed to determine mount flags for /sys/fs/cgroup: %m");
923a60
+        }
923a60
+
923a60
+        if (st.f_flags & ST_RDONLY)
923a60
+                (void) mount(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT, NULL);
923a60
+
923a60
+        (void) label_fix("/sys/fs/cgroup", false, false);
923a60
+        nftw("/sys/fs/cgroup", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
923a60
+
923a60
+        if (st.f_flags & ST_RDONLY)
923a60
+                (void) mount(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT|MS_RDONLY, NULL);
923a60
+
923a60
+        return 0;
923a60
+}
923a60
 #endif
923a60
 
923a60
 int mount_setup(bool loaded_policy) {
923a60
@@ -369,11 +396,9 @@ int mount_setup(bool loaded_policy) {
923a60
                 nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
923a60
                 nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
923a60
 
923a60
-                /* Temporarily remount the root cgroup filesystem to give it a proper label. */
923a60
-                (void) mount(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT, NULL);
923a60
-                label_fix("/sys/fs/cgroup", false, false);
923a60
-                nftw("/sys/fs/cgroup", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
923a60
-                (void) mount(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT|MS_RDONLY, NULL);
923a60
+                r = relabel_cgroup_filesystems();
923a60
+                if (r < 0)
923a60
+                        return r;
923a60
 
923a60
                 after_relabel = now(CLOCK_MONOTONIC);
923a60