mirrors/talos
1
0
Fork 0
mirror of https://github.com/siderolabs/talos.git synced 2025-12-10 03:51:14 +01:00
Code Issues Packages Projects Releases Wiki Activity
talos/internal/pkg/mount/v2/pseudo.go
Dmitry Sharshakov ae6d065beb
fix: mount selinuxfs only when SELinux is enabled 
Having selinuxfs mounted might confuse some software, as conventional Linux systems do not have selinuxfs mounted when SELinux is disabled and no policy is loaded.

Fixes #10083

Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
2025-01-05 19:17:34 +03:00

62 lines
2.6 KiB
Go
Raw Blame History

// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
package mount
import (
"os"
"golang.org/x/sys/unix"
"github.com/siderolabs/talos/internal/pkg/selinux"
"github.com/siderolabs/talos/pkg/machinery/constants"
)
// Pseudo returns the mountpoints required to boot the system.
func Pseudo() Points {
return Points{
NewPoint("devtmpfs", "/dev", "devtmpfs", WithFlags(unix.MS_NOSUID), WithData("mode=0755")),
NewPoint("proc", "/proc", "proc", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_NODEV)),
NewPoint("sysfs", "/sys", "sysfs"),
}
}
// PseudoLate returns the mountpoints mounted later in the boot cycle.
func PseudoLate() Points {
return Points{
NewPoint("tmpfs", "/run", "tmpfs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_RELATIME), WithData("mode=0755"), WithSelinuxLabel(constants.RunSelinuxLabel)),
NewPoint("tmpfs", "/system", "tmpfs", WithData("mode=0755"), WithSelinuxLabel(constants.SystemSelinuxLabel)),
NewPoint("tmpfs", "/tmp", "tmpfs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_NODEV), WithData("size=64M"), WithData("mode=0755")),
}
}
// PseudoSubMountPoints returns the sub-mountpoints under Pseudo().
func PseudoSubMountPoints() Points {
points := Points{
NewPoint("devshm", "/dev/shm", "tmpfs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_NODEV|unix.MS_RELATIME)),
NewPoint("devpts", "/dev/pts", "devpts", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC), WithData("ptmxmode=000,mode=620,gid=5")),
NewPoint("hugetlb", "/dev/hugepages", "hugetlbfs", WithFlags(unix.MS_NOSUID|unix.MS_NODEV)),
NewPoint("bpf", "/sys/fs/bpf", "bpf"),
NewPoint("securityfs", "/sys/kernel/security", "securityfs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_NODEV|unix.MS_RELATIME)),
NewPoint("tracefs", "/sys/kernel/tracing", "tracefs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_NODEV)),
NewPoint("configfs", "/sys/kernel/config", "configfs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_NODEV|unix.MS_RELATIME)),
}
if _, err := os.Stat(constants.EFIVarsMountPoint); err == nil {
// mount EFI vars if they exist
points = append(points,
NewPoint("efivars", constants.EFIVarsMountPoint, "efivarfs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_NODEV|unix.MS_RELATIME|unix.MS_RDONLY)),
)
}
if selinux.IsEnabled() {
// mount selinuxfs if it is enabled, which implies SELinux is the major LSM
points = append(points,
NewPoint("selinuxfs", "/sys/fs/selinux", "selinuxfs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_RELATIME)),
)
}
return points
}
Reference in New Issue View Git Blame Copy Permalink