Re: RFS: fsprotect (try #2)
On Tuesday 21 April 2009, Paul Wise wrote:
> 2009/4/21 Stefanos Harhalakis <firstname.lastname@example.org>:
> > fsprotect needs a directory under the root filesystem to preexist. Most
> > probably it won't be used by normal users, so this won't be common. In
> > IRC it was mentioned that it could should use /lib/fsprotect, but this
> > directory is already used to store a helper script:
> > -rwxr-xr-x 1 root root 1786 2009-03-22 17:32
> > /lib/fsprotect/fsprotect-protect
> > and perhaps (in the future) hold other helper scripts too.
> What about using /lib/fsprotect/mount/ (or similar) instead?
Everything works as-long-as it is in the root filesystem.
If /lib/fsprotect/mount/ is acceptable and
... etc ...
are acceptable mountpoints, then OK. My personal opinion is that it will be
ugly, but I'll change it to that if you agree.
> > The /fsprotect/system and /fsprotect/tmp directories are required to
> > pre-exist at the time initramfs mounts the root filesystem.
> Could they be created from a script in the initramfs?
/ is mounted read-only. An initial /fsprotect dir is created inside the
initramfs / (which is tmpfs at that point). Latter, the root fs is merged with
a tmpfs using aufs. At that point it is possible to create the directories
under the new root (which is aufs) and those will be actually created in tmpfs
and will be lost latter.
The questions are:
a) Isn't this somehow hackish?
b) Is it better and/or different at all? Still /fsprotect will exist, even if
it is created by an initramfs hook and even if it resides in tmpfs.