From 290620df4d1992598e45deda015ec85518c89ed6 Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Thu, 10 Jan 2019 21:57:31 +0000
Subject: [PATCH] Mount a dedicated tmpfs on /run/initramfs instead of trying to
 remount /run with the "exec" option (refs: #16097).

My previous approach, i.e. "let's remount /run with the exec option via a unit
file started as part of the shutdown procedure", worked just fine for clean
shutdown. But it does not work for emergency shutdown, i.e. when the boot
medium is physically removed: for some reason (possibly missing bits in the
memlockd configuration), this service is not started, and then systemd-shutdown
won't return to the initramfs because /run/initramfs/shutdown is not executable.

So let's instead disregard /run and extract the initramfs into a dedicated
tmpfs, that we mount on /run/initramfs (where systemd-shutdown will look for
it), and that we mount without the "noexec" option.

Also, remove manual calls to eject(1):

 - They increase chances that the shutdown process breaks due to missing files
   locked in memory by memlockd.
 - Their sole benefit is to ensure we physically eject the DVD. It's unclear if
   this code is still needed nowadays. Regardless, starting with Tails 3.12, the
   only supported use case for ISO and DVD is virtual machines, which are not
   targeted by the emergency shutdown feature, which is about removing the
   *physical* boot medium.
---
 config/chroot_local-hooks/52-update-rc.d                |  2 +-
 .../lib/systemd/system/run-initramfs.mount              | 18 ++++++++++++++++++
 .../system/tails-remount-run-exec.service               | 17 -----------------
 .../usr/local/lib/udev-watchdog-wrapper                 | 12 ------------
 wiki/src/contribute/design/memory_erasure.mdwn          |  8 ++++++--
 5 files changed, 25 insertions(+), 32 deletions(-)
 create mode 100644 config/chroot_local-includes/lib/systemd/system/run-initramfs.mount
 delete mode 100644 config/chroot_local-includes/lib/systemd/system/tails-remount-run-exec.service
diff --git a/config/chroot_local-hooks/52-update-rc.d b/config/chroot_local-hooks/52-update-rc.d index 3d5da862a6..b0834f459d 100755 --- a/config/chroot_local-hooks/52-update-rc.d +++ b/config/chroot_local-hooks/52-update-rc.d @@ -13,12 +13,12 @@ systemctl enable onion-grater.service systemctl enable tails-synchronize-data-to-new-persistent-volume-on-shutdown.service systemctl enable tails-autotest-broken-Xorg.service systemctl enable tails-autotest-remote-shell.service -systemctl enable tails-remount-run-exec.service systemctl enable tails-set-wireless-devices-state.service systemctl enable tails-shutdown-on-media-removal.service systemctl enable tails-tor-has-bootstrapped.target systemctl enable tails-wait-until-tor-has-bootstrapped.service systemctl enable tails-tor-has-bootstrapped-flag-file.service +systemctl enable run-initramfs.mount systemctl enable var-tmp.mount # Enable our own systemd user unit files diff --git a/config/chroot_local-includes/lib/systemd/system/run-initramfs.mount b/config/chroot_local-includes/lib/systemd/system/run-initramfs.mount new file mode 100644 index 0000000000..20ad14e9b7 --- /dev/null +++ b/config/chroot_local-includes/lib/systemd/system/run-initramfs.mount @@ -0,0 +1,18 @@ +# This allows systemd-shutdown to execute /run/initramfs/shutdown. +# XXX:Bullseye: if https://github.com/systemd/systemd/pull/9429 is merged, +# we can remove this custom code. + +[Unit] +Description=Extracted initrd directory +ConditionPathIsSymbolicLink=!/run/initramfs +DefaultDependencies=no +Before=initramfs-shutdown.service local-fs.target + +[Mount] +What=tmpfs +Where=/run/initramfs +Type=tmpfs +Options=mode=755 + +[Install] +WantedBy=local-fs.target diff --git a/config/chroot_local-includes/lib/systemd/system/tails-remount-run-exec.service b/config/chroot_local-includes/lib/systemd/system/tails-remount-run-exec.service deleted file mode 100644 index debeb28d30..0000000000 
--- a/config/chroot_local-includes/lib/systemd/system/tails-remount-run-exec.service +++ /dev/null @@ -1,17 +0,0 @@ -# This allows systemd-shutdown to execute /run/initramfs/shutdown. -# XXX:Bullseye: if https://github.com/systemd/systemd/pull/9429 is merged, -# we can remove this custom code. - -[Unit] -Description=Allow executing binaries in /run -Documentation=https://tails.boum.org/contribute/design/memory_erasure/ -DefaultDependencies=no -After=shutdown.target umount.target -Requires=shutdown.target umount.target -Before=final.target - -[Service] -ExecStart=/bin/mount -o remount,exec /run - -[Install] -WantedBy=final.target diff --git a/config/chroot_local-includes/usr/local/lib/udev-watchdog-wrapper b/config/chroot_local-includes/usr/local/lib/udev-watchdog-wrapper index 20cef760cd..8d7e1dd7bb 100755 --- a/config/chroot_local-includes/usr/local/lib/udev-watchdog-wrapper +++ b/config/chroot_local-includes/usr/local/lib/udev-watchdog-wrapper @@ -44,13 +44,6 @@ boot_device() { # First clean the screen, then brutally shutdown the machine. do_stop() { - # Really make sure that the CD is ejected - # FIXME: this might not be necessary with future kernel/udev - if [ "${DEV_TYPE}" = "cd" ]; then - /usr/bin/eject -i off "${BOOT_DEVICE}" || true - /usr/bin/eject -m "${BOOT_DEVICE}" || true - fi - # Kill everything run by amnesia or Debian-gdm, otherwise emergency # shutdown fails for some reason. Incidentally, this also allows # the test suite to look for a known message ("Happy dumping!") @@ -60,11 +53,6 @@ do_stop() { /bin/systemctl --signal=9 kill gdm.service || true /bin/loginctl --signal=9 kill-user Debian-gdm || true - # This allows systemd-shutdown to execute /run/initramfs/shutdown. - # XXX:Bullseye: if https://github.com/systemd/systemd/pull/9429 is merged, - # we can remove this custom code. - /bin/mount -o remount,exec /run - # Finally, return to the initramfs and poweroff the system /bin/systemctl --force poweroff } 
diff --git a/wiki/src/contribute/design/memory_erasure.mdwn b/wiki/src/contribute/design/memory_erasure.mdwn index 8c3c6399a0..f125d256dc 100644 --- a/wiki/src/contribute/design/memory_erasure.mdwn +++ b/wiki/src/contribute/design/memory_erasure.mdwn @@ -29,8 +29,12 @@ in the initramfs. That one will unmount all filesystems, run that helps us automatically test this behavior, and finally perform the requested poweroff/reboot action. -To make this work, `/run` is [[!tails_gitweb config/chroot_local-includes/lib/systemd/system/tails-remount-run-exec.service desc="remounted"]] with -the `exec` option before `final.target` is started. +To make this work, a dedicated `tmpfs` filesystem is [[!tails_gitweb +config/chroot_local-includes/lib/systemd/system/run-initramfs.mount +desc="mounted"]] on `/run/initramfs`: `/run` is mounted with the +`noexec` option and while our attempts to remount it with `exec` +worked for clean shutdown, they failed for emergency shutdown, i.e. +when the boot medium is physically removed. For details about the underlying systemd mechanisms, see `bootup(7)` and `systemd-shutdown(8)`. -- GitLab
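Review bot: in the 52-update-rc.d hunk, `systemctl enable run-initramfs.mount` is now the only thing that pulls the new unit into the boot transaction (it sets `DefaultDependencies=no` and is reached solely through `WantedBy=local-fs.target`), so please confirm this hook aborts the image build if that `enable` fails; a silently un-enabled mount would reproduce exactly the emergency-shutdown failure the commit message describes, and only at the moment the medium is yanked. Grouping the line next to `var-tmp.mount` rather than where `tails-remount-run-exec.service` was removed is fine, but a one-line comment above the two mount units saying they are mount units deliberately enabled here would help the next reader.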
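Review bot: in the run-initramfs.mount hunk, the `Documentation=https://tails.boum.org/contribute/design/memory_erasure/` line that the deleted tails-remount-run-exec.service carried was not carried over; please add it, since that page is where the rationale lives. Two further points on the `[Mount]` and `[Unit]` sections. First, `Options=mode=755` drops all three of the hardening flags `/run` normally has, while the fix only needs to give up `noexec`; `Options=mode=755,nosuid,nodev` keeps the other two at no cost. Second, `DefaultDependencies=no` is load-bearing here and deserves a comment: with default dependencies a mount unit would acquire the implicit `Before=umount.target` and `Conflicts=umount.target` (see systemd.mount(5)) and this tmpfs would be torn down before systemd-shutdown looks for `/run/initramfs/shutdown`. Likewise, `ConditionPathIsSymbolicLink=!/run/initramfs` makes systemd skip the mount silently when it fails; a comment on why a symlink there is expected (and what happens to emergency shutdown in that case) would save future debugging. Finally, it is worth verifying on the shipped systemd that systemd-shutdown treats `/run/initramfs` as a mount point it will not unmount before switching root into it, since the whole design now rests on that.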
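Review bot: in the udev-watchdog-wrapper hunks, dropping the eject branch may leave `DEV_TYPE` computed but never used in this script; check `boot_device()` above and remove the dead assignment if so. Since the commit message attributes the old failure to files not locked in memory by memlockd, this is also the change in which to revisit the memlockd configuration: drop `/usr/bin/eject` (and `/bin/mount`, if it was listed only for the removed `remount,exec` call) and confirm that `/bin/systemctl`, `/bin/loginctl` and the libraries they load remain listed, as those are the only binaries `do_stop()` still depends on after the removed lines.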
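Review bot: in the memory_erasure.mdwn hunk, the new paragraph explains why the remount approach was abandoned but not the property that makes the replacement work for emergency shutdown, namely that the tmpfs is mounted at boot time (the unit orders itself `Before=initramfs-shutdown.service local-fs.target`), so nothing needs to execute during the shutdown sequence itself. Suggest adding a sentence to that effect after "mounted\"]] on `/run/initramfs`", since the design page is where a reader will look for that reasoning and the `[[!tails_gitweb ...]]` link alone does not convey it.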