Make /run/lock tmpfs an API fs

The /run/lock directory is world-writable in Debian due to historic
reasons. To avoid user processes filling up /run, we mount a separate
tmpfs for /run/lock. As this directory needs to be available during
early boot, we make it an API fs.

Drop it from tmpfiles.d/legacy.conf to not clobber the permissions.

Closes: #751392
Gbp-Pq: Topic debian
Gbp-Pq: Name Make-run-lock-tmpfs-an-API-fs.patch

diff --git a/src/shared/mount-setup.c b/src/shared/mount-setup.c
index 6882b62c40472948c17b17be6720806f1aa15236..c54e6325438e775d86f4172d0fb175277a094c44 100644 (file)
--- a/src/shared/mount-setup.c
+++ b/src/shared/mount-setup.c
@@ -86,6 +86,8 @@ static const MountPoint mount_table[] = {
 #endif
         { "tmpfs",       "/run",                      "tmpfs",      "mode=755" TMPFS_LIMITS_RUN,               MS_NOSUID|MS_NODEV|MS_STRICTATIME,
           NULL,          MNT_FATAL|MNT_IN_CONTAINER },
+        { "tmpfs",       "/run/lock",                 "tmpfs",      "mode=1777,size=5242880",                  MS_NOSUID|MS_NOEXEC|MS_NODEV,
+          NULL,          MNT_FATAL|MNT_IN_CONTAINER },
         { "cgroup2",     "/sys/fs/cgroup",            "cgroup2",    "nsdelegate,memory_recursiveprot",         MS_NOSUID|MS_NOEXEC|MS_NODEV,
           cg_is_unified_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
         { "cgroup2",     "/sys/fs/cgroup",            "cgroup2",    "nsdelegate",                              MS_NOSUID|MS_NOEXEC|MS_NODEV,

diff --git a/tmpfiles.d/legacy.conf.in b/tmpfiles.d/legacy.conf.in
index 4f2c0d7c4310aeea4d75b7c416c81ad63777cf37..fb1d6bf6e9677b727bdc394fc9becd5bb87de437 100644 (file)
--- a/tmpfiles.d/legacy.conf.in
+++ b/tmpfiles.d/legacy.conf.in
@@ -10,7 +10,6 @@
 # These files are considered legacy and are unnecessary on legacy-free
 # systems.
 
-d /run/lock 0755 root root -
 L /var/lock - - - - ../run/lock
 {% if CREATE_LOG_DIRS %}
 L /var/log/README - - - - ../..{{DOC_DIR}}/README.logs