systemd: mount the securityfs filesystem at early stage

This is an S/MIME signed message

The mount of the securityfs filesystem is now performed in the main systemd
executable as it is used by IMA to provide the interface for loading custom
policies. The unit file 'units/sys-kernel-security.mount' has been removed
because it is not longer necessary.

Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Acked-by: Gianluca Ramunno <ramunno@polito.it>

diff --git a/Makefile.am b/Makefile.am
index 547ae0a2eaa722faf21ae1d03969200fc1783040..d8155fdac7296231b721603abb23060606867b1d 100644 (file)
--- a/Makefile.am
+++ b/Makefile.am
@@ -285,7 +285,6 @@ dist_systemunit_DATA = \
        units/dev-mqueue.mount \
        units/sys-kernel-config.mount \
        units/sys-kernel-debug.mount \
-       units/sys-kernel-security.mount \
        units/sys-fs-fuse-connections.mount \
        units/var-run.mount \
        units/media.mount \
@@ -2291,7 +2290,6 @@ systemd-install-data-hook:
                        dev-mqueue.mount \
                        sys-kernel-config.mount \
                        sys-kernel-debug.mount \
-                       sys-kernel-security.mount \
                        sys-fs-fuse-connections.mount \
                        systemd-modules-load.service \
                        systemd-tmpfiles-setup.service \
@@ -2301,7 +2299,6 @@ systemd-install-data-hook:
                $(LN_S) ../dev-mqueue.mount dev-mqueue.mount && \
                $(LN_S) ../sys-kernel-config.mount sys-kernel-config.mount && \
                $(LN_S) ../sys-kernel-debug.mount sys-kernel-debug.mount && \
-               $(LN_S) ../sys-kernel-security.mount sys-kernel-security.mount && \
                $(LN_S) ../sys-fs-fuse-connections.mount sys-fs-fuse-connections.mount && \
                $(LN_S) ../systemd-modules-load.service systemd-modules-load.service && \
                $(LN_S) ../systemd-tmpfiles-setup.service systemd-tmpfiles-setup.service && \

diff --git a/src/mount-setup.c b/src/mount-setup.c
index 7c14ea8e556a2c563d99a2c28f86120c90ac9410..aaffb655eea77408ada01b04e81830934db95b44 100644 (file)
--- a/src/mount-setup.c
+++ b/src/mount-setup.c
@@ -51,13 +51,15 @@ typedef struct MountPoint {
 } MountPoint;
 
 /* The first three entries we might need before SELinux is up. The
- * other ones we can delay until SELinux is loaded. */
-#define N_EARLY_MOUNT 3
+ * fourth (securityfs) is needed by IMA to load a custom policy. The
+ * other ones we can delay until SELinux and IMA are loaded. */
+#define N_EARLY_MOUNT 4
 
 static const MountPoint mount_table[] = {
         { "proc",     "/proc",                  "proc",     NULL,                MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
         { "sysfs",    "/sys",                   "sysfs",    NULL,                MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
         { "devtmpfs", "/dev",                   "devtmpfs", "mode=755",          MS_NOSUID,                    true },
+        { "securityfs", "/sys/kernel/security", "securityfs", NULL,              MS_NOSUID|MS_NOEXEC|MS_NODEV, false },
         { "tmpfs",    "/dev/shm",               "tmpfs",    "mode=1777",         MS_NOSUID|MS_NODEV,           true },
         { "devpts",   "/dev/pts",               "devpts",   "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, false },
         { "tmpfs",    "/run",                   "tmpfs",    "mode=755",          MS_NOSUID|MS_NODEV, true },

diff --git a/units/sys-kernel-security.mount b/units/sys-kernel-security.mount
deleted file mode 100644 (file)
index 80cd761..0000000
--- a/units/sys-kernel-security.mount
+++ /dev/null
@@ -1,17 +0,0 @@
-#  This file is part of systemd.
-#
-#  systemd is free software; you can redistribute it and/or modify it
-#  under the terms of the GNU General Public License as published by
-#  the Free Software Foundation; either version 2 of the License, or
-#  (at your option) any later version.
-
-[Unit]
-Description=Security File System
-DefaultDependencies=no
-ConditionPathExists=/sys/kernel/security
-Before=sysinit.target
-
-[Mount]
-What=securityfs
-Where=/sys/kernel/security
-Type=securityfs