Make /run/lock tmpfs an API fs

The /run/lock directory is world-writable in Debian due to historic
reasons. To avoid user processes filling up /run, we mount a separate
tmpfs for /run/lock. As this directory needs to be available during
early boot, we make it an API fs.

Drop it from tmpfiles.d/legacy.conf to not clobber the permissions.

Closes: #751392
Gbp-Pq: Topic debian
Gbp-Pq: Name Make-run-lock-tmpfs-an-API-fs.patch

diff --git a/src/shared/mount-setup.c b/src/shared/mount-setup.c
index ef3527e9a7f68b035e9277d4c00795111be2c515..ebea7a242e504809e7799b55ac115d79de8ac54c 100644 (file)
--- a/src/shared/mount-setup.c
+++ b/src/shared/mount-setup.c
@@ -86,6 +86,8 @@ static const MountPoint mount_table[] = {
 #endif
         { "tmpfs",       "/run",                      "tmpfs",      "mode=755" TMPFS_LIMITS_RUN,               MS_NOSUID|MS_NODEV|MS_STRICTATIME,
           NULL,          MNT_FATAL|MNT_IN_CONTAINER },
+        { "tmpfs",       "/run/lock",                 "tmpfs",      "mode=1777,size=5242880",                  MS_NOSUID|MS_NOEXEC|MS_NODEV,
+          NULL,          MNT_FATAL|MNT_IN_CONTAINER },
         { "cgroup2",     "/sys/fs/cgroup",            "cgroup2",    "nsdelegate,memory_recursiveprot",         MS_NOSUID|MS_NOEXEC|MS_NODEV,
           cg_is_unified_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
         { "cgroup2",     "/sys/fs/cgroup",            "cgroup2",    "nsdelegate",                              MS_NOSUID|MS_NOEXEC|MS_NODEV,

diff --git a/tmpfiles.d/legacy.conf b/tmpfiles.d/legacy.conf
index 62e2ae0986234974d4bb89997f3ca73fda7144a6..ea5e735e37fe802730806a81d5c7ca48a568be47 100644 (file)
--- a/tmpfiles.d/legacy.conf
+++ b/tmpfiles.d/legacy.conf
@@ -10,7 +10,6 @@
 # These files are considered legacy and are unnecessary on legacy-free
 # systems.
 
-d /run/lock 0755 root root -
 L /var/lock - - - - ../run/lock
 
 # /run/lock/subsys is used for serializing SysV service execution, and