Commit 290620df authored by intrigeri

Mount a dedicated tmpfs on /run/initramfs instead of trying to remount /run with the "exec" option (refs: #16097).

My previous approach, i.e. "let's remount /run with the exec option via a unit
file started as part of the shutdown procedure", worked just fine for clean
shutdown. But it does not work for emergency shutdown, i.e. when the boot medium
is physically removed: for some reason (possibly missing bits in the memlockd
configuration), this service is not started, and then systemd-shutdown won't
return to the initramfs because /run/initramfs/shutdown is not executable.

So let's instead disregard /run and extract the initramfs into a dedicated
tmpfs, that we mount on /run/initramfs (where systemd-shutdown will look for
it), and that we mount without the "noexec" option.

Also, remove manual calls to eject(1):

 - They increase chances that the shutdown process breaks due to missing
   files locked in memory by memlockd.

 - Their sole benefit is to ensure we physically eject the DVD. It's unclear if
   this code is still needed nowadays. Regardless, starting with Tails 3.12, the
   only supported use case for ISO and DVD is virtual machines, which are not
   targeted by the emergency shutdown feature, which is about removing the
   *physical* boot medium.
parent 634e5a6d
......@@ -13,12 +13,12 @@ systemctl enable onion-grater.service
systemctl enable tails-synchronize-data-to-new-persistent-volume-on-shutdown.service
systemctl enable tails-autotest-broken-Xorg.service
systemctl enable tails-autotest-remote-shell.service
systemctl enable tails-remount-run-exec.service
systemctl enable tails-set-wireless-devices-state.service
systemctl enable tails-shutdown-on-media-removal.service
systemctl enable tails-tor-has-bootstrapped.target
systemctl enable tails-wait-until-tor-has-bootstrapped.service
systemctl enable tails-tor-has-bootstrapped-flag-file.service
systemctl enable run-initramfs.mount
systemctl enable var-tmp.mount
# Enable our own systemd user unit files
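Review bot: `systemctl enable run-initramfs.mount` only creates the `local-fs.target.wants` symlink; since `tails-remount-run-exec.service` is no longer enabled here, double-check that its unit file is actually removed or renamed in this commit and that nothing else still references it by name (the memlockd configuration mentioned in the commit message in particular), otherwise a stale unit file or memlockd entry survives the change.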
......
......@@ -3,15 +3,16 @@
# we can remove this custom code.
[Unit]
Description=Allow executing binaries in /run
Documentation=https://tails.boum.org/contribute/design/memory_erasure/
Description=Extracted initrd directory
ConditionPathIsSymbolicLink=!/run/initramfs
DefaultDependencies=no
After=shutdown.target umount.target
Requires=shutdown.target umount.target
Before=final.target
Before=initramfs-shutdown.service local-fs.target
[Service]
ExecStart=/bin/mount -o remount,exec /run
[Mount]
What=tmpfs
Where=/run/initramfs
Type=tmpfs
Options=mode=755
[Install]
WantedBy=final.target
WantedBy=local-fs.target
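Review bot: the retained header comment (`# we can remove this custom code.`, referring to the systemd pull request) and the `DefaultDependencies=no` line both deserve a short explanation in this unit: the new approach relies on `DefaultDependencies=no` so that the mount does not acquire the automatic `Conflicts=`/`Before=` on `umount.target` that would unmount it before `systemd-shutdown` looks for `/run/initramfs/shutdown`, and it is worth re-checking whether the upstream pull request still makes this unit removable now that it no longer remounts `/run` at all. Also consider `Options=mode=755,nosuid,nodev` (keeping `exec`, which is the whole point) and a `size=` limit, since this tmpfs only has to hold the extracted initramfs.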
......@@ -44,13 +44,6 @@ boot_device() {
# First clean the screen, then brutally shutdown the machine.
do_stop() {
# Really make sure that the CD is ejected
# FIXME: this might not be necessary with future kernel/udev
if [ "${DEV_TYPE}" = "cd" ]; then
/usr/bin/eject -i off "${BOOT_DEVICE}" || true
/usr/bin/eject -m "${BOOT_DEVICE}" || true
fi
# Kill everything run by amnesia or Debian-gdm, otherwise emergency
# shutdown fails for some reason. Incidentally, this also allows
# the test suite to look for a known message ("Happy dumping!")
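Review bot: with the eject calls gone, `DEV_TYPE` and `BOOT_DEVICE` may no longer be used inside `do_stop()`; check whether `boot_device()` and the variables it sets are still needed elsewhere in this script and drop them if not, and if `/usr/bin/eject` was listed in the memlockd configuration for this script's benefit, it can be removed there as well.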
......@@ -60,11 +53,6 @@ do_stop() {
/bin/systemctl --signal=9 kill gdm.service || true
/bin/loginctl --signal=9 kill-user Debian-gdm || true
# This allows systemd-shutdown to execute /run/initramfs/shutdown.
# XXX:Bullseye: if https://github.com/systemd/systemd/pull/9429 is merged,
# we can remove this custom code.
/bin/mount -o remount,exec /run
# Finally, return to the initramfs and poweroff the system
/bin/systemctl --force poweroff
}
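Review bot: the removed comment was the only place this script explained why `/run/initramfs/shutdown` is expected to be executable; since `do_stop()` now silently depends on `run-initramfs.mount` having been mounted with `exec`, consider a one-line sanity check before the poweroff, e.g. `[ -x /run/initramfs/shutdown ] || echo "run-initramfs.mount not active, returning to the initramfs will fail" >&2`, so that a broken emergency shutdown is diagnosable rather than just appearing to hang.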
......
......@@ -29,8 +29,12 @@ in the initramfs. That one will unmount all filesystems, run
that helps us automatically test this behavior, and finally perform
the requested poweroff/reboot action.
To make this work, `/run` is [[!tails_gitweb config/chroot_local-includes/lib/systemd/system/tails-remount-run-exec.service desc="remounted"]] with
the `exec` option before `final.target` is started.
To make this work, a dedicated `tmpfs` filesystem is [[!tails_gitweb
config/chroot_local-includes/lib/systemd/system/run-initramfs.mount
desc="mounted"]] on `/run/initramfs`: `/run` is mounted with the
`noexec` option and while our attempts to remount it with `exec`
worked for clean shutdown, they failed for emergency shutdown, i.e.
when the boot medium is physically removed.
For details about the underlying systemd mechanisms, see `bootup(7)`
and `systemd-shutdown(8)`.
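Review bot: the new paragraph explains why the tmpfs exists but not who populates it; since the mount unit orders itself `Before=initramfs-shutdown.service`, name that service here (with a `[[!tails_gitweb ...]]` link like the one given for `run-initramfs.mount`) so readers can follow the sequence: mount the tmpfs, extract the initramfs into it, reach `final.target`, then `systemd-shutdown` executes `/run/initramfs/shutdown`. A link to #16097 would also help, as the commit message refers to it.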
......