core: dont't remount /sys/fs/cgroup for relabel if not needed (#8595)

The initial fix for relabelling the cgroup filesystem for SELinux delivered in commit 8739f23e3 was based on the assumption that the cgroup filesystem is already populated once mount_setup() is executed, which was true for my system. What I wasn't aware is that this is the case only when another instance of systemd was running before this one, which can happen if systemd is used in the initrd (for ex. by dracut). In case of a clean systemd start-up the cgroup filesystem is actually being populated after mount_setup() and does not need relabelling as at that moment the SELinux policy is already loaded. Since however the root cgroup filesystem was remounted read-only in the meantime this operation will now fail. To fix this check for the filesystem mount flags before relabelling and only remount ro->rw->ro if necessary and leave the filesystem read-write otherwise. Fixes #7901.
2018-03-28 13:36:33 +02:00 · 2018-03-28 13:36:33 +02:00 · 6f7729c176
parent 54479bf407
commit 6f7729c176
1 changed files with 33 additions and 9 deletions
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@ -22,6 +22,7 @@
 #include <ftw.h>
 #include <stdlib.h>
 #include <sys/mount.h>
+#include <sys/statvfs.h>
 #include <unistd.h>

 #include "alloc-util.h"
@ -385,6 +386,35 @@ static int nftw_cb(

        return FTW_CONTINUE;
 };
+
+static int relabel_cgroup_filesystems(void) {
+        int r;
+        struct statfs st;
+
+        r = cg_all_unified();
+        if (r == 0) {
+                /* Temporarily remount the root cgroup filesystem to give it a proper label. Do this
+                   only when the filesystem has been already populated by a previous instance of systemd
+                   running from initrd. Otherwise don't remount anything and leave the filesystem read-write
+                   for the cgroup filesystems to be mounted inside. */
+                r = statfs("/sys/fs/cgroup", &st);
+                if (r < 0) {
+                        return log_error_errno(errno, "Failed to determine mount flags for /sys/fs/cgroup: %m");
+                }
+
+                if (st.f_flags & ST_RDONLY)
+                        (void) mount(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT, NULL);
+
+                (void) label_fix("/sys/fs/cgroup", 0);
+                nftw("/sys/fs/cgroup", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
+
+                if (st.f_flags & ST_RDONLY)
+                        (void) mount(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT|MS_RDONLY, NULL);
+        } else if (r < 0)
+                return log_error_errno(r, "Failed to determine whether we are in all unified mode: %m");
+
+        return 0;
+}
 #endif

 int mount_setup(bool loaded_policy) {
@ -409,15 +439,9 @@ int mount_setup(bool loaded_policy) {
                nftw("/dev/shm", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
                nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);

-                /* Temporarily remount the root cgroup filesystem to give it a proper label. */
-                r = cg_all_unified();
-                if (r == 0) {
-                        (void) mount(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT, NULL);
-                        (void) label_fix("/sys/fs/cgroup", 0);
-                        nftw("/sys/fs/cgroup", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
-                        (void) mount(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT|MS_RDONLY, NULL);
-                } else if (r < 0)
-                        return log_error_errno(r, "Failed to determine whether we are in all unified mode: %m");
+                r = relabel_cgroup_filesystems();
+                if (r < 0)
+                        return r;

                after_relabel = now(CLOCK_MONOTONIC);