picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Systemd/src/shared/mount-util.c

745 lines
28 KiB
C
Raw Normal View History

license: LGPL-2.1+ -> LGPL-2.1-or-later
2020-11-09 05:23:58 +01:00
/* SPDX-License-Identifier: LGPL-2.1-or-later */
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
basic: include only what we use This is a cleaned up result of running iwyu but without forward declarations on src/basic.
2015-11-30 21:43:37 +01:00
#include <errno.h>
#include <stdlib.h>
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
#include <sys/mount.h>
basic: include only what we use This is a cleaned up result of running iwyu but without forward declarations on src/basic.
2015-11-30 21:43:37 +01:00
#include <sys/stat.h>
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
#include <sys/statvfs.h>
basic: include only what we use This is a cleaned up result of running iwyu but without forward declarations on src/basic.
2015-11-30 21:43:37 +01:00
#include <unistd.h>
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
util-lib: split out allocation calls into alloc-util.[ch]
2015-10-27 03:01:06 +01:00
#include "alloc-util.h"
mount-util: add mount_option_mangle() This is used in the later commits.
2018-02-15 01:32:04 +01:00
#include "extract-word.h"
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
#include "fd-util.h"
#include "fileio.h"
tree-wide: stop using canonicalize_file_name(), use chase_symlinks() instead Let's use chase_symlinks() everywhere, and stop using GNU canonicalize_file_name() everywhere. For most cases this should not change behaviour, however increase exposure of our function to get better tested. Most importantly in a few cases (most notably nspawn) it can take the correct root directory into account when chasing symlinks.
2016-11-18 21:35:21 +01:00
#include "fs-util.h"
basic: re-sort includes My previous patch to only include what we use accidentially placed the added inlcudes in non-sorted order.
2015-12-01 23:22:03 +01:00
#include "hashmap.h"
shared/mount-util: convert to libmount It seems better to use just a single parsing algorithm for /proc/self/mountinfo. Also, unify the naming of variables in all places that use mnt_table_next_fs(). It makes it easier to compare the different call sites.
2019-04-04 13:36:19 +02:00
#include "libmount-util.h"
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
#include "mount-util.h"
Split out part of mount-util.c into mountpoint-util.c The idea is that anything which is related to actually manipulating mounts is in mount-util.c, but functions for mountpoint introspection are moved to the new file. Anything which requires libmount must be in mount-util.c. This was supposed to be a preparation for further changes, with no functional difference, but it results in a significant change in linkage: $ ldd build/libnss_*.so.2 (before) build/libnss_myhostname.so.2: linux-vdso.so.1 (0x00007fff77bf5000) librt.so.1 => /lib64/librt.so.1 (0x00007f4bbb7b2000) libmount.so.1 => /lib64/libmount.so.1 (0x00007f4bbb755000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f4bbb734000) libc.so.6 => /lib64/libc.so.6 (0x00007f4bbb56e000) /lib64/ld-linux-x86-64.so.2 (0x00007f4bbb8c1000) libblkid.so.1 => /lib64/libblkid.so.1 (0x00007f4bbb51b000) libuuid.so.1 => /lib64/libuuid.so.1 (0x00007f4bbb512000) libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f4bbb4e3000) libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f4bbb45e000) libdl.so.2 => /lib64/libdl.so.2 (0x00007f4bbb458000) build/libnss_mymachines.so.2: linux-vdso.so.1 (0x00007ffc19cc0000) librt.so.1 => /lib64/librt.so.1 (0x00007fdecb74b000) libcap.so.2 => /lib64/libcap.so.2 (0x00007fdecb744000) libmount.so.1 => /lib64/libmount.so.1 (0x00007fdecb6e7000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fdecb6c6000) libc.so.6 => /lib64/libc.so.6 (0x00007fdecb500000) /lib64/ld-linux-x86-64.so.2 (0x00007fdecb8a9000) libblkid.so.1 => /lib64/libblkid.so.1 (0x00007fdecb4ad000) libuuid.so.1 => /lib64/libuuid.so.1 (0x00007fdecb4a2000) libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fdecb475000) libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007fdecb3f0000) libdl.so.2 => /lib64/libdl.so.2 (0x00007fdecb3ea000) build/libnss_resolve.so.2: linux-vdso.so.1 (0x00007ffe8ef8e000) librt.so.1 => /lib64/librt.so.1 (0x00007fcf314bd000) libcap.so.2 => /lib64/libcap.so.2 (0x00007fcf314b6000) libmount.so.1 => /lib64/libmount.so.1 (0x00007fcf31459000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fcf31438000) libc.so.6 => /lib64/libc.so.6 (0x00007fcf31272000) /lib64/ld-linux-x86-64.so.2 (0x00007fcf31615000) libblkid.so.1 => /lib64/libblkid.so.1 (0x00007fcf3121f000) libuuid.so.1 => /lib64/libuuid.so.1 (0x00007fcf31214000) libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fcf311e7000) libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007fcf31162000) libdl.so.2 => /lib64/libdl.so.2 (0x00007fcf3115c000) build/libnss_systemd.so.2: linux-vdso.so.1 (0x00007ffda6d17000) librt.so.1 => /lib64/librt.so.1 (0x00007f610b83c000) libcap.so.2 => /lib64/libcap.so.2 (0x00007f610b835000) libmount.so.1 => /lib64/libmount.so.1 (0x00007f610b7d8000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f610b7b7000) libc.so.6 => /lib64/libc.so.6 (0x00007f610b5f1000) /lib64/ld-linux-x86-64.so.2 (0x00007f610b995000) libblkid.so.1 => /lib64/libblkid.so.1 (0x00007f610b59e000) libuuid.so.1 => /lib64/libuuid.so.1 (0x00007f610b593000) libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f610b566000) libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f610b4e1000) libdl.so.2 => /lib64/libdl.so.2 (0x00007f610b4db000) (after) build/libnss_myhostname.so.2: linux-vdso.so.1 (0x00007fff0b5e2000) librt.so.1 => /lib64/librt.so.1 (0x00007fde0c328000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fde0c307000) libc.so.6 => /lib64/libc.so.6 (0x00007fde0c141000) /lib64/ld-linux-x86-64.so.2 (0x00007fde0c435000) build/libnss_mymachines.so.2: linux-vdso.so.1 (0x00007ffdc30a7000) librt.so.1 => /lib64/librt.so.1 (0x00007f06ecabb000) libcap.so.2 => /lib64/libcap.so.2 (0x00007f06ecab4000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f06eca93000) libc.so.6 => /lib64/libc.so.6 (0x00007f06ec8cd000) /lib64/ld-linux-x86-64.so.2 (0x00007f06ecc15000) build/libnss_resolve.so.2: linux-vdso.so.1 (0x00007ffe95747000) librt.so.1 => /lib64/librt.so.1 (0x00007fa56a80f000) libcap.so.2 => /lib64/libcap.so.2 (0x00007fa56a808000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fa56a7e7000) libc.so.6 => /lib64/libc.so.6 (0x00007fa56a621000) /lib64/ld-linux-x86-64.so.2 (0x00007fa56a964000) build/libnss_systemd.so.2: linux-vdso.so.1 (0x00007ffe67b51000) librt.so.1 => /lib64/librt.so.1 (0x00007ffb32113000) libcap.so.2 => /lib64/libcap.so.2 (0x00007ffb3210c000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007ffb320eb000) libc.so.6 => /lib64/libc.so.6 (0x00007ffb31f25000) /lib64/ld-linux-x86-64.so.2 (0x00007ffb3226a000) I don't quite understand what is going on here, but let's not be too picky.
2018-11-29 10:24:39 +01:00
#include "mountpoint-util.h"
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
#include "parse-util.h"
#include "path-util.h"
#include "set.h"
mount-util: add helpers for mount() without following symlinks
2020-09-22 15:16:15 +02:00
#include "stat-util.h"
util-lib: split out printf() helpers to stdio-util.h
2015-10-27 01:26:31 +01:00
#include "stdio-util.h"
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
#include "string-util.h"
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
#include "strv.h"
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
mount-util: add helpers for mount() without following symlinks
2020-09-22 15:16:15 +02:00
int mount_fd(const char *source,
int target_fd,
const char *filesystemtype,
unsigned long mountflags,
const void *data) {
char path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
xsprintf(path, "/proc/self/fd/%i", target_fd);
if (mount(source, path, filesystemtype, mountflags, data) < 0) {
if (errno != ENOENT)
return -errno;
/* ENOENT can mean two things: either that the source is missing, or that /proc/ isn't
* mounted. Check for the latter to generate better error messages. */
if (proc_mounted() == 0)
return -ENOSYS;
return -ENOENT;
}
return 0;
}
int mount_nofollow(
const char *source,
const char *target,
const char *filesystemtype,
unsigned long mountflags,
const void *data) {
_cleanup_close_ int fd = -1;
/* In almost all cases we want to manipulate the mount table without following symlinks, hence
* mount_nofollow() is usually the way to go. The only exceptions are environments where /proc/ is
* not available yet, since we need /proc/self/fd/ for this logic to work. i.e. during the early
* initialization of namespacing/container stuff where /proc is not yet mounted (and maybe even the
* fs to mount) we can only use traditional mount() directly.
*
* Note that this disables following only for the final component of the target, i.e symlinks within
* the path of the target are honoured, as are symlinks in the source path everywhere. */
fd = open(target, O_PATH|O_CLOEXEC|O_NOFOLLOW);
if (fd < 0)
return -errno;
return mount_fd(source, fd, filesystemtype, mountflags, data);
}
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
int umount_recursive(const char *prefix, int flags) {
int n = 0, r;
mount-util: don't clobber return value in umount_recursive() We shouldn't override 'r' with the result of cunescape(), since we use it to return the last error of umount().
2019-03-25 16:54:48 +01:00
bool again;
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
/* Try to umount everything recursively below a
* directory. Also, take care of stacked mounts, and keep
* unmounting them until they are gone. */
do {
shared/mount-util: convert to libmount It seems better to use just a single parsing algorithm for /proc/self/mountinfo. Also, unify the naming of variables in all places that use mnt_table_next_fs(). It makes it easier to compare the different call sites.
2019-04-04 13:36:19 +02:00
_cleanup_(mnt_free_tablep) struct libmnt_table *table = NULL;
_cleanup_(mnt_free_iterp) struct libmnt_iter *iter = NULL;
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
again = false;
shared/mount-util: make sure utab is ignored in umount_recursive() See https://github.com/systemd/systemd/pull/12218#pullrequestreview-226029985.
2019-04-23 23:52:15 +02:00
r = libmount_parse("/proc/self/mountinfo", NULL, &table, &iter);
Add fopen_unlocked() wrapper
2019-04-04 10:17:16 +02:00
if (r < 0)
shared/mount-util: convert to libmount It seems better to use just a single parsing algorithm for /proc/self/mountinfo. Also, unify the naming of variables in all places that use mnt_table_next_fs(). It makes it easier to compare the different call sites.
2019-04-04 13:36:19 +02:00
return log_debug_errno(r, "Failed to parse /proc/self/mountinfo: %m");
basic: turn off stdio locking for a couple of helper calls These helper calls are potentially called often, and allocate FILE* objects internally for a very short period of time, let's turn off locking for them too.
2017-12-11 20:01:55 +01:00
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
for (;;) {
shared/mount-util: convert to libmount It seems better to use just a single parsing algorithm for /proc/self/mountinfo. Also, unify the naming of variables in all places that use mnt_table_next_fs(). It makes it easier to compare the different call sites.
2019-04-04 13:36:19 +02:00
struct libmnt_fs *fs;
const char *path;
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
shared/mount-util: convert to libmount It seems better to use just a single parsing algorithm for /proc/self/mountinfo. Also, unify the naming of variables in all places that use mnt_table_next_fs(). It makes it easier to compare the different call sites.
2019-04-04 13:36:19 +02:00
r = mnt_table_next_fs(table, iter, &fs);
if (r == 1)
break;
if (r < 0)
return log_debug_errno(r, "Failed to get next entry from /proc/self/mountinfo: %m");
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
shared/mount-util: convert to libmount It seems better to use just a single parsing algorithm for /proc/self/mountinfo. Also, unify the naming of variables in all places that use mnt_table_next_fs(). It makes it easier to compare the different call sites.
2019-04-04 13:36:19 +02:00
path = mnt_fs_get_target(fs);
if (!path)
continue;
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
shared/mount-util: convert to libmount It seems better to use just a single parsing algorithm for /proc/self/mountinfo. Also, unify the naming of variables in all places that use mnt_table_next_fs(). It makes it easier to compare the different call sites.
2019-04-04 13:36:19 +02:00
if (!path_startswith(path, prefix))
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
continue;
mount-util: use UMOUNT_NOFOLLOW in recursive umounter When we only want to unmount mount points below some path then it is against our interest to follow symlinks. Hence don't.
2020-06-27 11:13:01 +02:00
if (umount2(path, flags | UMOUNT_NOFOLLOW) < 0) {
log_debug_errno(errno, "Failed to umount %s, ignoring: %m", path);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
continue;
}
shared/mount-util: convert to libmount It seems better to use just a single parsing algorithm for /proc/self/mountinfo. Also, unify the naming of variables in all places that use mnt_table_next_fs(). It makes it easier to compare the different call sites.
2019-04-04 13:36:19 +02:00
log_debug("Successfully unmounted %s", path);
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
again = true;
n++;
break;
}
} while (again);
shared/mount-util: convert to libmount It seems better to use just a single parsing algorithm for /proc/self/mountinfo. Also, unify the naming of variables in all places that use mnt_table_next_fs(). It makes it easier to compare the different call sites.
2019-04-04 13:36:19 +02:00
return n;
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
}
mount-util: clean up get_mount_flags() This cleans up the function in multiple ways: - change order of parameters to follow our usualy system of putting return parameters last - rename return parameter "ret" as we usually do - don't initialize local variables we override immediately anyway - downgrade log messages to LOG_DEBUG (since we don't log about any other errors here above LOG_DEBUG, as this is mostly an "API"-style function) - handle that mnt_fs_get_vfs_options() may return NULL (according to docs) - manually map the ST_xyz to MS_xyz flags on statvfs(), because while they are mostly the same, they aren't entirely the same, MS_RELATIME and ST_RELATIME are defined differently (sad!)
2020-01-09 14:59:41 +01:00
static int get_mount_flags(
struct libmnt_table *table,
const char *path,
unsigned long *ret) {
mount-util: make sure get_mount_flags() ever follows symlinks It doesn't follow symlinks when we check for the mount flags via libmount, hence it shouldn't do either when we go via statvfs().
2020-09-22 15:16:37 +02:00
_cleanup_close_ int fd = -1;
mount-util: clean up get_mount_flags() This cleans up the function in multiple ways: - change order of parameters to follow our usualy system of putting return parameters last - rename return parameter "ret" as we usually do - don't initialize local variables we override immediately anyway - downgrade log messages to LOG_DEBUG (since we don't log about any other errors here above LOG_DEBUG, as this is mostly an "API"-style function) - handle that mnt_fs_get_vfs_options() may return NULL (according to docs) - manually map the ST_xyz to MS_xyz flags on statvfs(), because while they are mostly the same, they aren't entirely the same, MS_RELATIME and ST_RELATIME are defined differently (sad!)
2020-01-09 14:59:41 +01:00
struct libmnt_fs *fs;
struct statvfs buf;
const char *opts;
mount-util: make sure get_mount_flags() ever follows symlinks It doesn't follow symlinks when we check for the mount flags via libmount, hence it shouldn't do either when we go via statvfs().
2020-09-22 15:16:37 +02:00
int r;
mount-util: bind_remount: avoid calling statvfs The commit "util: Do not clear parent mount flags when setting up namespaces" introduced a statvfs call read the flags of the original mount and have them applied to the bind mount. This has two problems: (1) The mount flags returned by statvfs(2) do not match the flags accepted by mount(2). For example, the value 4096 means ST_RELATIME when returned by statvfs(2), but means MS_BIND when passed to mount(2). (2) A call to statvfs blocks indefinitely when ran against a disconnected network drive ( https://github.com/systemd/systemd/issues/12667 ). We already use libmount to parse `/proc/self/mountinfo` but did not use the mount flag information from there. This patch changes that to use the mount flags parsed by libmount instead of calling statvfs. Only if getting the flags through libmount fails we call statvfs. Fixes https://github.com/systemd/systemd/issues/12667
2019-07-16 23:09:07 +02:00
mount-util: clean up get_mount_flags() This cleans up the function in multiple ways: - change order of parameters to follow our usualy system of putting return parameters last - rename return parameter "ret" as we usually do - don't initialize local variables we override immediately anyway - downgrade log messages to LOG_DEBUG (since we don't log about any other errors here above LOG_DEBUG, as this is mostly an "API"-style function) - handle that mnt_fs_get_vfs_options() may return NULL (according to docs) - manually map the ST_xyz to MS_xyz flags on statvfs(), because while they are mostly the same, they aren't entirely the same, MS_RELATIME and ST_RELATIME are defined differently (sad!)
2020-01-09 14:59:41 +01:00
/* Get the mount flags for the mountpoint at "path" from "table". We have a fallback using statvfs()
* in place (which provides us with mostly the same info), but it's just a fallback, since using it
mount-util: make sure get_mount_flags() ever follows symlinks It doesn't follow symlinks when we check for the mount flags via libmount, hence it shouldn't do either when we go via statvfs().
2020-09-22 15:16:37 +02:00
* means triggering autofs or NFS mounts, which we'd rather avoid needlessly.
*
* This generally doesn't follow symlinks. */
mount-util: clean up get_mount_flags() This cleans up the function in multiple ways: - change order of parameters to follow our usualy system of putting return parameters last - rename return parameter "ret" as we usually do - don't initialize local variables we override immediately anyway - downgrade log messages to LOG_DEBUG (since we don't log about any other errors here above LOG_DEBUG, as this is mostly an "API"-style function) - handle that mnt_fs_get_vfs_options() may return NULL (according to docs) - manually map the ST_xyz to MS_xyz flags on statvfs(), because while they are mostly the same, they aren't entirely the same, MS_RELATIME and ST_RELATIME are defined differently (sad!)
2020-01-09 14:59:41 +01:00
mount-util: bind_remount: avoid calling statvfs The commit "util: Do not clear parent mount flags when setting up namespaces" introduced a statvfs call read the flags of the original mount and have them applied to the bind mount. This has two problems: (1) The mount flags returned by statvfs(2) do not match the flags accepted by mount(2). For example, the value 4096 means ST_RELATIME when returned by statvfs(2), but means MS_BIND when passed to mount(2). (2) A call to statvfs blocks indefinitely when ran against a disconnected network drive ( https://github.com/systemd/systemd/issues/12667 ). We already use libmount to parse `/proc/self/mountinfo` but did not use the mount flag information from there. This patch changes that to use the mount flags parsed by libmount instead of calling statvfs. Only if getting the flags through libmount fails we call statvfs. Fixes https://github.com/systemd/systemd/issues/12667
2019-07-16 23:09:07 +02:00
fs = mnt_table_find_target(table, path, MNT_ITER_FORWARD);
tree-wide: various code-formatting improvements Reported/found by Coccinelle
2019-09-21 16:01:14 +02:00
if (!fs) {
mount-util: clean up get_mount_flags() This cleans up the function in multiple ways: - change order of parameters to follow our usualy system of putting return parameters last - rename return parameter "ret" as we usually do - don't initialize local variables we override immediately anyway - downgrade log messages to LOG_DEBUG (since we don't log about any other errors here above LOG_DEBUG, as this is mostly an "API"-style function) - handle that mnt_fs_get_vfs_options() may return NULL (according to docs) - manually map the ST_xyz to MS_xyz flags on statvfs(), because while they are mostly the same, they aren't entirely the same, MS_RELATIME and ST_RELATIME are defined differently (sad!)
2020-01-09 14:59:41 +01:00
log_debug("Could not find '%s' in mount table, ignoring.", path);
mount-util: bind_remount: avoid calling statvfs The commit "util: Do not clear parent mount flags when setting up namespaces" introduced a statvfs call read the flags of the original mount and have them applied to the bind mount. This has two problems: (1) The mount flags returned by statvfs(2) do not match the flags accepted by mount(2). For example, the value 4096 means ST_RELATIME when returned by statvfs(2), but means MS_BIND when passed to mount(2). (2) A call to statvfs blocks indefinitely when ran against a disconnected network drive ( https://github.com/systemd/systemd/issues/12667 ). We already use libmount to parse `/proc/self/mountinfo` but did not use the mount flag information from there. This patch changes that to use the mount flags parsed by libmount instead of calling statvfs. Only if getting the flags through libmount fails we call statvfs. Fixes https://github.com/systemd/systemd/issues/12667
2019-07-16 23:09:07 +02:00
goto fallback;
}
opts = mnt_fs_get_vfs_options(fs);
mount-util: clean up get_mount_flags() This cleans up the function in multiple ways: - change order of parameters to follow our usualy system of putting return parameters last - rename return parameter "ret" as we usually do - don't initialize local variables we override immediately anyway - downgrade log messages to LOG_DEBUG (since we don't log about any other errors here above LOG_DEBUG, as this is mostly an "API"-style function) - handle that mnt_fs_get_vfs_options() may return NULL (according to docs) - manually map the ST_xyz to MS_xyz flags on statvfs(), because while they are mostly the same, they aren't entirely the same, MS_RELATIME and ST_RELATIME are defined differently (sad!)
2020-01-09 14:59:41 +01:00
if (!opts) {
*ret = 0;
return 0;
}
r = mnt_optstr_get_flags(opts, ret, mnt_get_builtin_optmap(MNT_LINUX_MAP));
mount-util: bind_remount: avoid calling statvfs The commit "util: Do not clear parent mount flags when setting up namespaces" introduced a statvfs call read the flags of the original mount and have them applied to the bind mount. This has two problems: (1) The mount flags returned by statvfs(2) do not match the flags accepted by mount(2). For example, the value 4096 means ST_RELATIME when returned by statvfs(2), but means MS_BIND when passed to mount(2). (2) A call to statvfs blocks indefinitely when ran against a disconnected network drive ( https://github.com/systemd/systemd/issues/12667 ). We already use libmount to parse `/proc/self/mountinfo` but did not use the mount flag information from there. This patch changes that to use the mount flags parsed by libmount instead of calling statvfs. Only if getting the flags through libmount fails we call statvfs. Fixes https://github.com/systemd/systemd/issues/12667
2019-07-16 23:09:07 +02:00
if (r != 0) {
mount-util: clean up get_mount_flags() This cleans up the function in multiple ways: - change order of parameters to follow our usualy system of putting return parameters last - rename return parameter "ret" as we usually do - don't initialize local variables we override immediately anyway - downgrade log messages to LOG_DEBUG (since we don't log about any other errors here above LOG_DEBUG, as this is mostly an "API"-style function) - handle that mnt_fs_get_vfs_options() may return NULL (according to docs) - manually map the ST_xyz to MS_xyz flags on statvfs(), because while they are mostly the same, they aren't entirely the same, MS_RELATIME and ST_RELATIME are defined differently (sad!)
2020-01-09 14:59:41 +01:00
log_debug_errno(r, "Could not get flags for '%s', ignoring: %m", path);
mount-util: bind_remount: avoid calling statvfs The commit "util: Do not clear parent mount flags when setting up namespaces" introduced a statvfs call read the flags of the original mount and have them applied to the bind mount. This has two problems: (1) The mount flags returned by statvfs(2) do not match the flags accepted by mount(2). For example, the value 4096 means ST_RELATIME when returned by statvfs(2), but means MS_BIND when passed to mount(2). (2) A call to statvfs blocks indefinitely when ran against a disconnected network drive ( https://github.com/systemd/systemd/issues/12667 ). We already use libmount to parse `/proc/self/mountinfo` but did not use the mount flag information from there. This patch changes that to use the mount flags parsed by libmount instead of calling statvfs. Only if getting the flags through libmount fails we call statvfs. Fixes https://github.com/systemd/systemd/issues/12667
2019-07-16 23:09:07 +02:00
goto fallback;
}
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
mount-util: clean up get_mount_flags() This cleans up the function in multiple ways: - change order of parameters to follow our usualy system of putting return parameters last - rename return parameter "ret" as we usually do - don't initialize local variables we override immediately anyway - downgrade log messages to LOG_DEBUG (since we don't log about any other errors here above LOG_DEBUG, as this is mostly an "API"-style function) - handle that mnt_fs_get_vfs_options() may return NULL (according to docs) - manually map the ST_xyz to MS_xyz flags on statvfs(), because while they are mostly the same, they aren't entirely the same, MS_RELATIME and ST_RELATIME are defined differently (sad!)
2020-01-09 14:59:41 +01:00
/* MS_RELATIME is default and trying to set it in an unprivileged container causes EPERM */
*ret &= ~MS_RELATIME;
mount-util: bind_remount: avoid calling statvfs The commit "util: Do not clear parent mount flags when setting up namespaces" introduced a statvfs call read the flags of the original mount and have them applied to the bind mount. This has two problems: (1) The mount flags returned by statvfs(2) do not match the flags accepted by mount(2). For example, the value 4096 means ST_RELATIME when returned by statvfs(2), but means MS_BIND when passed to mount(2). (2) A call to statvfs blocks indefinitely when ran against a disconnected network drive ( https://github.com/systemd/systemd/issues/12667 ). We already use libmount to parse `/proc/self/mountinfo` but did not use the mount flag information from there. This patch changes that to use the mount flags parsed by libmount instead of calling statvfs. Only if getting the flags through libmount fails we call statvfs. Fixes https://github.com/systemd/systemd/issues/12667
2019-07-16 23:09:07 +02:00
return 0;
fallback:
mount-util: make sure get_mount_flags() ever follows symlinks It doesn't follow symlinks when we check for the mount flags via libmount, hence it shouldn't do either when we go via statvfs().
2020-09-22 15:16:37 +02:00
fd = open(path, O_PATH|O_CLOEXEC|O_NOFOLLOW);
if (fd < 0)
return -errno;
if (fstatvfs(fd, &buf) < 0)
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
return -errno;
mount-util: bind_remount: avoid calling statvfs The commit "util: Do not clear parent mount flags when setting up namespaces" introduced a statvfs call read the flags of the original mount and have them applied to the bind mount. This has two problems: (1) The mount flags returned by statvfs(2) do not match the flags accepted by mount(2). For example, the value 4096 means ST_RELATIME when returned by statvfs(2), but means MS_BIND when passed to mount(2). (2) A call to statvfs blocks indefinitely when ran against a disconnected network drive ( https://github.com/systemd/systemd/issues/12667 ). We already use libmount to parse `/proc/self/mountinfo` but did not use the mount flag information from there. This patch changes that to use the mount flags parsed by libmount instead of calling statvfs. Only if getting the flags through libmount fails we call statvfs. Fixes https://github.com/systemd/systemd/issues/12667
2019-07-16 23:09:07 +02:00
mount-util: clean up get_mount_flags() This cleans up the function in multiple ways: - change order of parameters to follow our usualy system of putting return parameters last - rename return parameter "ret" as we usually do - don't initialize local variables we override immediately anyway - downgrade log messages to LOG_DEBUG (since we don't log about any other errors here above LOG_DEBUG, as this is mostly an "API"-style function) - handle that mnt_fs_get_vfs_options() may return NULL (according to docs) - manually map the ST_xyz to MS_xyz flags on statvfs(), because while they are mostly the same, they aren't entirely the same, MS_RELATIME and ST_RELATIME are defined differently (sad!)
2020-01-09 14:59:41 +01:00
/* The statvfs() flags and the mount flags mostly have the same values, but for some cases do
* not. Hence map the flags manually. (Strictly speaking, ST_RELATIME/MS_RELATIME is the most
* prominent one that doesn't match, but that's the one we mask away anyway, see above.) */
*ret =
FLAGS_SET(buf.f_flag, ST_RDONLY) * MS_RDONLY |
FLAGS_SET(buf.f_flag, ST_NODEV) * MS_NODEV |
FLAGS_SET(buf.f_flag, ST_NOEXEC) * MS_NOEXEC |
FLAGS_SET(buf.f_flag, ST_NOSUID) * MS_NOSUID |
FLAGS_SET(buf.f_flag, ST_NOATIME) * MS_NOATIME |
FLAGS_SET(buf.f_flag, ST_NODIRATIME) * MS_NODIRATIME;
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
return 0;
}
util-lib: fix sentence in comment
2019-03-26 10:20:57 +01:00
/* Use this function only if you do not have direct access to /proc/self/mountinfo but the caller can open it
mount-util: beef up bind_remount_recursive() to be able to toggle more than MS_RDONLY The function is otherwise generic enough to toggle other bind mount flags beyond MS_RDONLY (for example: MS_NOSUID or MS_NODEV), hence let's beef it up slightly to support that too.
2019-03-25 17:04:38 +01:00
* for you. This is the case when /proc is masked or not mounted. Otherwise, use bind_remount_recursive. */
int bind_remount_recursive_with_mountinfo(
const char *prefix,
unsigned long new_flags,
unsigned long flags_mask,
tree-wide: avoid some loaded terms https://tools.ietf.org/html/draft-knodel-terminology-02 https://lwn.net/Articles/823224/ This gets rid of most but not occasions of these loaded terms: 1. scsi_id and friends are something that is supposed to be removed from our tree (see #7594) 2. The test suite defines an API used by the ubuntu CI. We can remove this too later, but this needs to be done in sync with the ubuntu CI. 3. In some cases the terms are part of APIs we call or where we expose concepts the kernel names the way it names them. (In particular all remaining uses of the word "slave" in our codebase are like this, it's used by the POSIX PTY layer, by the network subsystem, the mount API and the block device subsystem). Getting rid of the term in these contexts would mean doing some major fixes of the kernel ABI first. Regarding the replacements: when whitelist/blacklist is used as noun we replace with with allow list/deny list, and when used as verb with allow-list/deny-list.
2020-06-23 08:31:16 +02:00
char **deny_list,
mount-util: beef up bind_remount_recursive() to be able to toggle more than MS_RDONLY The function is otherwise generic enough to toggle other bind mount flags beyond MS_RDONLY (for example: MS_NOSUID or MS_NODEV), hence let's beef it up slightly to support that too.
2019-03-25 17:04:38 +01:00
FILE *proc_self_mountinfo) {
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
_cleanup_set_free_free_ Set *done = NULL;
mount-util: rename cleaned → simplified, because that's what we actually did here
2020-01-09 14:53:36 +01:00
_cleanup_free_ char *simplified = NULL;
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
int r;
mount-util: line break overly long function prototypes
2020-01-09 15:05:55 +01:00
assert(prefix);
core: open /proc/self/mountinfo early to allow mounts over /proc (#5985) Enable masking the /proc folder using the 'InaccessiblePaths' unit option. This also slightly simplify mounts setup as the bind_remount_recursive function will only open /proc/self/mountinfo once. This is based on the suggestion at: https://lists.freedesktop.org/archives/systemd-devel/2017-April/038634.html
2017-05-19 14:38:40 +02:00
assert(proc_self_mountinfo);
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
/* Recursively remount a directory (and all its submounts) read-only or read-write. If the directory is already
* mounted, we reuse the mount and simply mark it MS_BIND|MS_RDONLY (or remove the MS_RDONLY for read-write
* operation). If it isn't we first make it one. Afterwards we apply MS_BIND|MS_RDONLY (or remove MS_RDONLY) to
* all submounts we can access, too. When mounts are stacked on the same mount point we only care for each
* individual "top-level" mount on each point, as we cannot influence/access the underlying mounts anyway. We
tree-wide: fix spelling errors Based on a report from Fossies.org using Codespell. Followup to #15436
2020-04-21 20:46:53 +02:00
* do not have any effect on future submounts that might get propagated, they might be writable. This includes
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
* future submounts that have been triggered via autofs.
*
tree-wide: avoid some loaded terms https://tools.ietf.org/html/draft-knodel-terminology-02 https://lwn.net/Articles/823224/ This gets rid of most but not occasions of these loaded terms: 1. scsi_id and friends are something that is supposed to be removed from our tree (see #7594) 2. The test suite defines an API used by the ubuntu CI. We can remove this too later, but this needs to be done in sync with the ubuntu CI. 3. In some cases the terms are part of APIs we call or where we expose concepts the kernel names the way it names them. (In particular all remaining uses of the word "slave" in our codebase are like this, it's used by the POSIX PTY layer, by the network subsystem, the mount API and the block device subsystem). Getting rid of the term in these contexts would mean doing some major fixes of the kernel ABI first. Regarding the replacements: when whitelist/blacklist is used as noun we replace with with allow list/deny list, and when used as verb with allow-list/deny-list.
2020-06-23 08:31:16 +02:00
* If the "deny_list" parameter is specified it may contain a list of subtrees to exclude from the
* remount operation. Note that we'll ignore the deny list for the top-level path. */
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
mount-util: rename cleaned → simplified, because that's what we actually did here
2020-01-09 14:53:36 +01:00
simplified = strdup(prefix);
if (!simplified)
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
return -ENOMEM;
mount-util: rename cleaned → simplified, because that's what we actually did here
2020-01-09 14:53:36 +01:00
path_simplify(simplified, false);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
tree-wide: use path_hash_ops instead of string_hash_ops whenever we key by a path Let's make use of our new hash_ops!
2018-02-08 18:58:35 +01:00
done = set_new(&path_hash_ops);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
if (!done)
return -ENOMEM;
for (;;) {
_cleanup_set_free_free_ Set *todo = NULL;
shared/mount-util: convert to libmount It seems better to use just a single parsing algorithm for /proc/self/mountinfo. Also, unify the naming of variables in all places that use mnt_table_next_fs(). It makes it easier to compare the different call sites.
2019-04-04 13:36:19 +02:00
_cleanup_(mnt_free_tablep) struct libmnt_table *table = NULL;
_cleanup_(mnt_free_iterp) struct libmnt_iter *iter = NULL;
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
bool top_autofs = false;
char *x;
unsigned long orig_flags;
tree-wide: use path_hash_ops instead of string_hash_ops whenever we key by a path Let's make use of our new hash_ops!
2018-02-08 18:58:35 +01:00
todo = set_new(&path_hash_ops);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
if (!todo)
return -ENOMEM;
core: open /proc/self/mountinfo early to allow mounts over /proc (#5985) Enable masking the /proc folder using the 'InaccessiblePaths' unit option. This also slightly simplify mounts setup as the bind_remount_recursive function will only open /proc/self/mountinfo once. This is based on the suggestion at: https://lists.freedesktop.org/archives/systemd-devel/2017-April/038634.html
2017-05-19 14:38:40 +02:00
rewind(proc_self_mountinfo);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
Add helper function for mnt_table_parse_{stream,mtab} This wraps a few common steps. It is defined as inline function instead of in a .c file to avoid having a .c file. With a .c file, we would have three choices: - either link it into libshared, but then then libshared would have to be linked to libmount. - or compile the .c file into each target separately. This has the disdvantage that configuration of every target has to be updated and stuff will be compiled multiple times anyway, which is not too different from keeping this in the header file. - or create a new convenience library just for this. This also has the disadvantage that the every target would have to be updated, and a separate library for a 10 line function seems overkill. By keeping everything in a header file, we compile this a few times, but otherwise it's the least painful option. The compiler can optimize most of the function away, because it knows if 'source' is set or not.
2019-04-05 14:43:06 +02:00
r = libmount_parse("/proc/self/mountinfo", proc_self_mountinfo, &table, &iter);
shared/mount-util: convert to libmount It seems better to use just a single parsing algorithm for /proc/self/mountinfo. Also, unify the naming of variables in all places that use mnt_table_next_fs(). It makes it easier to compare the different call sites.
2019-04-04 13:36:19 +02:00
if (r < 0)
return log_debug_errno(r, "Failed to parse /proc/self/mountinfo: %m");
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
shared/mount-util: convert to libmount It seems better to use just a single parsing algorithm for /proc/self/mountinfo. Also, unify the naming of variables in all places that use mnt_table_next_fs(). It makes it easier to compare the different call sites.
2019-04-04 13:36:19 +02:00
for (;;) {
struct libmnt_fs *fs;
const char *path, *type;
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
shared/mount-util: convert to libmount It seems better to use just a single parsing algorithm for /proc/self/mountinfo. Also, unify the naming of variables in all places that use mnt_table_next_fs(). It makes it easier to compare the different call sites.
2019-04-04 13:36:19 +02:00
r = mnt_table_next_fs(table, iter, &fs);
if (r == 1)
break;
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
if (r < 0)
shared/mount-util: convert to libmount It seems better to use just a single parsing algorithm for /proc/self/mountinfo. Also, unify the naming of variables in all places that use mnt_table_next_fs(). It makes it easier to compare the different call sites.
2019-04-04 13:36:19 +02:00
return log_debug_errno(r, "Failed to get next entry from /proc/self/mountinfo: %m");
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
shared/mount-util: convert to libmount It seems better to use just a single parsing algorithm for /proc/self/mountinfo. Also, unify the naming of variables in all places that use mnt_table_next_fs(). It makes it easier to compare the different call sites.
2019-04-04 13:36:19 +02:00
path = mnt_fs_get_target(fs);
type = mnt_fs_get_fstype(fs);
if (!path || !type)
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
continue;
mount-util: rename cleaned → simplified, because that's what we actually did here
2020-01-09 14:53:36 +01:00
if (!path_startswith(path, simplified))
shared/mount-util: convert to libmount It seems better to use just a single parsing algorithm for /proc/self/mountinfo. Also, unify the naming of variables in all places that use mnt_table_next_fs(). It makes it easier to compare the different call sites.
2019-04-04 13:36:19 +02:00
continue;
tree-wide: avoid some loaded terms https://tools.ietf.org/html/draft-knodel-terminology-02 https://lwn.net/Articles/823224/ This gets rid of most but not occasions of these loaded terms: 1. scsi_id and friends are something that is supposed to be removed from our tree (see #7594) 2. The test suite defines an API used by the ubuntu CI. We can remove this too later, but this needs to be done in sync with the ubuntu CI. 3. In some cases the terms are part of APIs we call or where we expose concepts the kernel names the way it names them. (In particular all remaining uses of the word "slave" in our codebase are like this, it's used by the POSIX PTY layer, by the network subsystem, the mount API and the block device subsystem). Getting rid of the term in these contexts would mean doing some major fixes of the kernel ABI first. Regarding the replacements: when whitelist/blacklist is used as noun we replace with with allow list/deny list, and when used as verb with allow-list/deny-list.
2020-06-23 08:31:16 +02:00
/* Ignore this mount if it is deny-listed, but only if it isn't the top-level mount
shared/mount-util: convert to libmount It seems better to use just a single parsing algorithm for /proc/self/mountinfo. Also, unify the naming of variables in all places that use mnt_table_next_fs(). It makes it easier to compare the different call sites.
2019-04-04 13:36:19 +02:00
* we shall operate on. */
mount-util: rename cleaned → simplified, because that's what we actually did here
2020-01-09 14:53:36 +01:00
if (!path_equal(path, simplified)) {
tree-wide: avoid some loaded terms https://tools.ietf.org/html/draft-knodel-terminology-02 https://lwn.net/Articles/823224/ This gets rid of most but not occasions of these loaded terms: 1. scsi_id and friends are something that is supposed to be removed from our tree (see #7594) 2. The test suite defines an API used by the ubuntu CI. We can remove this too later, but this needs to be done in sync with the ubuntu CI. 3. In some cases the terms are part of APIs we call or where we expose concepts the kernel names the way it names them. (In particular all remaining uses of the word "slave" in our codebase are like this, it's used by the POSIX PTY layer, by the network subsystem, the mount API and the block device subsystem). Getting rid of the term in these contexts would mean doing some major fixes of the kernel ABI first. Regarding the replacements: when whitelist/blacklist is used as noun we replace with with allow list/deny list, and when used as verb with allow-list/deny-list.
2020-06-23 08:31:16 +02:00
bool deny_listed = false;
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
char **i;
tree-wide: avoid some loaded terms https://tools.ietf.org/html/draft-knodel-terminology-02 https://lwn.net/Articles/823224/ This gets rid of most but not occasions of these loaded terms: 1. scsi_id and friends are something that is supposed to be removed from our tree (see #7594) 2. The test suite defines an API used by the ubuntu CI. We can remove this too later, but this needs to be done in sync with the ubuntu CI. 3. In some cases the terms are part of APIs we call or where we expose concepts the kernel names the way it names them. (In particular all remaining uses of the word "slave" in our codebase are like this, it's used by the POSIX PTY layer, by the network subsystem, the mount API and the block device subsystem). Getting rid of the term in these contexts would mean doing some major fixes of the kernel ABI first. Regarding the replacements: when whitelist/blacklist is used as noun we replace with with allow list/deny list, and when used as verb with allow-list/deny-list.
2020-06-23 08:31:16 +02:00
STRV_FOREACH(i, deny_list) {
mount-util: rename cleaned → simplified, because that's what we actually did here
2020-01-09 14:53:36 +01:00
if (path_equal(*i, simplified))
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
continue;
mount-util: rename cleaned → simplified, because that's what we actually did here
2020-01-09 14:53:36 +01:00
if (!path_startswith(*i, simplified))
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
continue;
shared/mount-util: convert to libmount It seems better to use just a single parsing algorithm for /proc/self/mountinfo. Also, unify the naming of variables in all places that use mnt_table_next_fs(). It makes it easier to compare the different call sites.
2019-04-04 13:36:19 +02:00
if (path_startswith(path, *i)) {
tree-wide: avoid some loaded terms https://tools.ietf.org/html/draft-knodel-terminology-02 https://lwn.net/Articles/823224/ This gets rid of most but not occasions of these loaded terms: 1. scsi_id and friends are something that is supposed to be removed from our tree (see #7594) 2. The test suite defines an API used by the ubuntu CI. We can remove this too later, but this needs to be done in sync with the ubuntu CI. 3. In some cases the terms are part of APIs we call or where we expose concepts the kernel names the way it names them. (In particular all remaining uses of the word "slave" in our codebase are like this, it's used by the POSIX PTY layer, by the network subsystem, the mount API and the block device subsystem). Getting rid of the term in these contexts would mean doing some major fixes of the kernel ABI first. Regarding the replacements: when whitelist/blacklist is used as noun we replace with with allow list/deny list, and when used as verb with allow-list/deny-list.
2020-06-23 08:31:16 +02:00
deny_listed = true;
log_debug("Not remounting %s deny-listed by %s, called for %s",
mount-util: rename cleaned → simplified, because that's what we actually did here
2020-01-09 14:53:36 +01:00
path, *i, simplified);
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
break;
}
}
tree-wide: avoid some loaded terms https://tools.ietf.org/html/draft-knodel-terminology-02 https://lwn.net/Articles/823224/ This gets rid of most but not occasions of these loaded terms: 1. scsi_id and friends are something that is supposed to be removed from our tree (see #7594) 2. The test suite defines an API used by the ubuntu CI. We can remove this too later, but this needs to be done in sync with the ubuntu CI. 3. In some cases the terms are part of APIs we call or where we expose concepts the kernel names the way it names them. (In particular all remaining uses of the word "slave" in our codebase are like this, it's used by the POSIX PTY layer, by the network subsystem, the mount API and the block device subsystem). Getting rid of the term in these contexts would mean doing some major fixes of the kernel ABI first. Regarding the replacements: when whitelist/blacklist is used as noun we replace with with allow list/deny list, and when used as verb with allow-list/deny-list.
2020-06-23 08:31:16 +02:00
if (deny_listed)
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
continue;
}
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
/* Let's ignore autofs mounts. If they aren't
* triggered yet, we want to avoid triggering
* them, as we don't make any guarantees for
* future submounts anyway. If they are
* already triggered, then we will find
* another entry for this. */
if (streq(type, "autofs")) {
mount-util: rename cleaned → simplified, because that's what we actually did here
2020-01-09 14:53:36 +01:00
top_autofs = top_autofs || path_equal(path, simplified);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
continue;
}
shared/mount-util: convert to libmount It seems better to use just a single parsing algorithm for /proc/self/mountinfo. Also, unify the naming of variables in all places that use mnt_table_next_fs(). It makes it easier to compare the different call sites.
2019-04-04 13:36:19 +02:00
if (!set_contains(done, path)) {
basic/set: let set_put_strdup() create the set with string hash ops If we're using a set with _put_strdup(), most of the time we want to use string hash ops on the set, and free the strings when done. This defines the appropriate a new string_hash_ops_free structure to automatically free the keys when removing the set, and makes set_put_strdup() and set_put_strdupv() instantiate the set with those hash ops. hashmap_put_strdup() was already doing something similar. (It is OK to instantiate the set earlier, possibly with a different hash ops structure. set_put_strdup() will then use the existing set. It is also OK to call set_free_free() instead of set_free() on a set with string_hash_ops_free, the effect is the same, we're just overriding the override of the cleanup function.) No functional change intended.
2020-04-29 08:47:51 +02:00
r = set_put_strdup(&todo, path);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
if (r < 0)
return r;
}
}
/* If we have no submounts to process anymore and if
* the root is either already done, or an autofs, we
* are done */
if (set_isempty(todo) &&
mount-util: rename cleaned → simplified, because that's what we actually did here
2020-01-09 14:53:36 +01:00
(top_autofs || set_contains(done, simplified)))
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
return 0;
mount-util: rename cleaned → simplified, because that's what we actually did here
2020-01-09 14:53:36 +01:00
if (!set_contains(done, simplified) &&
!set_contains(todo, simplified)) {
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
/* The prefix directory itself is not yet a mount, make it one. */
mount-util: switch most mount_verbose() code over to not follow symlinks
2020-09-22 15:51:17 +02:00
r = mount_nofollow(simplified, simplified, NULL, MS_BIND|MS_REC, NULL);
if (r < 0)
return r;
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
orig_flags = 0;
mount-util: clean up get_mount_flags() This cleans up the function in multiple ways: - change order of parameters to follow our usualy system of putting return parameters last - rename return parameter "ret" as we usually do - don't initialize local variables we override immediately anyway - downgrade log messages to LOG_DEBUG (since we don't log about any other errors here above LOG_DEBUG, as this is mostly an "API"-style function) - handle that mnt_fs_get_vfs_options() may return NULL (according to docs) - manually map the ST_xyz to MS_xyz flags on statvfs(), because while they are mostly the same, they aren't entirely the same, MS_RELATIME and ST_RELATIME are defined differently (sad!)
2020-01-09 14:59:41 +01:00
(void) get_mount_flags(table, simplified, &orig_flags);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
mount-util: switch most mount_verbose() code over to not follow symlinks
2020-09-22 15:51:17 +02:00
r = mount_nofollow(NULL, simplified, NULL, (orig_flags & ~flags_mask)|MS_BIND|MS_REMOUNT|new_flags, NULL);
if (r < 0)
return r;
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
log_debug("Made top-level directory %s a mount point.", prefix);
basic/set: let set_put_strdup() create the set with string hash ops If we're using a set with _put_strdup(), most of the time we want to use string hash ops on the set, and free the strings when done. This defines the appropriate a new string_hash_ops_free structure to automatically free the keys when removing the set, and makes set_put_strdup() and set_put_strdupv() instantiate the set with those hash ops. hashmap_put_strdup() was already doing something similar. (It is OK to instantiate the set earlier, possibly with a different hash ops structure. set_put_strdup() will then use the existing set. It is also OK to call set_free_free() instead of set_free() on a set with string_hash_ops_free, the effect is the same, we're just overriding the override of the cleanup function.) No functional change intended.
2020-04-29 08:47:51 +02:00
r = set_put_strdup(&done, simplified);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
if (r < 0)
return r;
}
while ((x = set_steal_first(todo))) {
r = set_consume(done, x);
tree-wide: use IN_SET macro (#6977)
2017-10-04 16:01:32 +02:00
if (IN_SET(r, 0, -EEXIST))
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
continue;
if (r < 0)
return r;
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
/* Deal with mount points that are obstructed by a later mount */
tree-wide: stop using canonicalize_file_name(), use chase_symlinks() instead Let's use chase_symlinks() everywhere, and stop using GNU canonicalize_file_name() everywhere. For most cases this should not change behaviour, however increase exposure of our function to get better tested. Most importantly in a few cases (most notably nspawn) it can take the correct root directory into account when chasing symlinks.
2016-11-18 21:35:21 +01:00
r = path_is_mount_point(x, NULL, 0);
tree-wide: use IN_SET macro (#6977)
2017-10-04 16:01:32 +02:00
if (IN_SET(r, 0, -ENOENT))
namespace: don't fail on masked mounts (#3794) Before this patch, a service file with ReadWriteDirectories=/file... could fail if the file exists but is not a mountpoint, despite being listed in /proc/self/mountinfo. It could happen with masked mounts. Fixes https://github.com/systemd/systemd/issues/3793
2016-07-25 15:39:46 +02:00
continue;
tree-wide: use ERRNO_IS_PRIVILEGE() whereever appropriate
2020-09-22 14:13:18 +02:00
if (r < 0) {
if (!ERRNO_IS_PRIVILEGE(r))
return r;
util: improve comments why we ignore EACCES and EPERM Follow-up for ef454fd1936813fa45d3e3b459d43fa30be7bf49 (#9848).
2018-08-11 15:47:22 +02:00
/* Even if root user invoke this, submounts under private FUSE or NFS mount points
* may not be acceessed. E.g.,
*
* $ bindfs --no-allow-other ~/mnt/mnt ~/mnt/mnt
* $ bindfs --no-allow-other ~/mnt ~/mnt
*
* Then, root user cannot access the mount point ~/mnt/mnt.
* In such cases, the submounts are ignored, as we have no way to manage them. */
util: bind_remount_recursive_with_mountinfo(): ignore submounts which cannot be accessed Fixes #9844.
2018-08-10 07:30:55 +02:00
log_debug_errno(r, "Failed to determine '%s' is mount point or not, ignoring: %m", x);
continue;
}
namespace: don't fail on masked mounts (#3794) Before this patch, a service file with ReadWriteDirectories=/file... could fail if the file exists but is not a mountpoint, despite being listed in /proc/self/mountinfo. It could happen with masked mounts. Fixes https://github.com/systemd/systemd/issues/3793
2016-07-25 15:39:46 +02:00
/* Try to reuse the original flag set */
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
orig_flags = 0;
mount-util: clean up get_mount_flags() This cleans up the function in multiple ways: - change order of parameters to follow our usualy system of putting return parameters last - rename return parameter "ret" as we usually do - don't initialize local variables we override immediately anyway - downgrade log messages to LOG_DEBUG (since we don't log about any other errors here above LOG_DEBUG, as this is mostly an "API"-style function) - handle that mnt_fs_get_vfs_options() may return NULL (according to docs) - manually map the ST_xyz to MS_xyz flags on statvfs(), because while they are mostly the same, they aren't entirely the same, MS_RELATIME and ST_RELATIME are defined differently (sad!)
2020-01-09 14:59:41 +01:00
(void) get_mount_flags(table, x, &orig_flags);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
mount-util: switch most mount_verbose() code over to not follow symlinks
2020-09-22 15:51:17 +02:00
r = mount_nofollow(NULL, x, NULL, (orig_flags & ~flags_mask)|MS_BIND|MS_REMOUNT|new_flags, NULL);
if (r < 0)
return r;
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
log_debug("Remounted %s read-only.", x);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
}
}
}
mount-util: line break overly long function prototypes
2020-01-09 15:05:55 +01:00
int bind_remount_recursive(
const char *prefix,
unsigned long new_flags,
unsigned long flags_mask,
tree-wide: avoid some loaded terms https://tools.ietf.org/html/draft-knodel-terminology-02 https://lwn.net/Articles/823224/ This gets rid of most but not occasions of these loaded terms: 1. scsi_id and friends are something that is supposed to be removed from our tree (see #7594) 2. The test suite defines an API used by the ubuntu CI. We can remove this too later, but this needs to be done in sync with the ubuntu CI. 3. In some cases the terms are part of APIs we call or where we expose concepts the kernel names the way it names them. (In particular all remaining uses of the word "slave" in our codebase are like this, it's used by the POSIX PTY layer, by the network subsystem, the mount API and the block device subsystem). Getting rid of the term in these contexts would mean doing some major fixes of the kernel ABI first. Regarding the replacements: when whitelist/blacklist is used as noun we replace with with allow list/deny list, and when used as verb with allow-list/deny-list.
2020-06-23 08:31:16 +02:00
char **deny_list) {
mount-util: line break overly long function prototypes
2020-01-09 15:05:55 +01:00
core: open /proc/self/mountinfo early to allow mounts over /proc (#5985) Enable masking the /proc folder using the 'InaccessiblePaths' unit option. This also slightly simplify mounts setup as the bind_remount_recursive function will only open /proc/self/mountinfo once. This is based on the suggestion at: https://lists.freedesktop.org/archives/systemd-devel/2017-April/038634.html
2017-05-19 14:38:40 +02:00
_cleanup_fclose_ FILE *proc_self_mountinfo = NULL;
Add fopen_unlocked() wrapper
2019-04-04 10:17:16 +02:00
int r;
core: open /proc/self/mountinfo early to allow mounts over /proc (#5985) Enable masking the /proc folder using the 'InaccessiblePaths' unit option. This also slightly simplify mounts setup as the bind_remount_recursive function will only open /proc/self/mountinfo once. This is based on the suggestion at: https://lists.freedesktop.org/archives/systemd-devel/2017-April/038634.html
2017-05-19 14:38:40 +02:00
Add fopen_unlocked() wrapper
2019-04-04 10:17:16 +02:00
r = fopen_unlocked("/proc/self/mountinfo", "re", &proc_self_mountinfo);
if (r < 0)
return r;
basic: turn off stdio locking for a couple of helper calls These helper calls are potentially called often, and allocate FILE* objects internally for a very short period of time, let's turn off locking for them too.
2017-12-11 20:01:55 +01:00
tree-wide: avoid some loaded terms https://tools.ietf.org/html/draft-knodel-terminology-02 https://lwn.net/Articles/823224/ This gets rid of most but not occasions of these loaded terms: 1. scsi_id and friends are something that is supposed to be removed from our tree (see #7594) 2. The test suite defines an API used by the ubuntu CI. We can remove this too later, but this needs to be done in sync with the ubuntu CI. 3. In some cases the terms are part of APIs we call or where we expose concepts the kernel names the way it names them. (In particular all remaining uses of the word "slave" in our codebase are like this, it's used by the POSIX PTY layer, by the network subsystem, the mount API and the block device subsystem). Getting rid of the term in these contexts would mean doing some major fixes of the kernel ABI first. Regarding the replacements: when whitelist/blacklist is used as noun we replace with with allow list/deny list, and when used as verb with allow-list/deny-list.
2020-06-23 08:31:16 +02:00
return bind_remount_recursive_with_mountinfo(prefix, new_flags, flags_mask, deny_list, proc_self_mountinfo);
core: open /proc/self/mountinfo early to allow mounts over /proc (#5985) Enable masking the /proc folder using the 'InaccessiblePaths' unit option. This also slightly simplify mounts setup as the bind_remount_recursive function will only open /proc/self/mountinfo once. This is based on the suggestion at: https://lists.freedesktop.org/archives/systemd-devel/2017-April/038634.html
2017-05-19 14:38:40 +02:00
}
core: make sure we use the correct mount flag when re-mounting bind mounts When in a userns environment we cannot take away per-mount point flags set on a mount point that was passed to us. Hence we need to be careful to always check the actual mount flags in place and manipulate only those flags of them that we actually want to change and not reset more as side-effect. We mostly got this right already in bind_remount_recursive_with_mountinfo(), but didn't in the simpler bind_remount_one_with_mountinfo(). Catch up. (The old code assumed that the MountEntry.flags field contained the right flag settings, but it actually doesn't for new mounts we just established as for those mount() establishes the initial flags for us, and we have to read them back to figure out which ones the kernel picked.) Fixes: #13622
2020-01-09 15:06:06 +01:00
int bind_remount_one_with_mountinfo(
const char *path,
unsigned long new_flags,
unsigned long flags_mask,
FILE *proc_self_mountinfo) {
_cleanup_(mnt_free_tablep) struct libmnt_table *table = NULL;
unsigned long orig_flags = 0;
int r;
assert(path);
assert(proc_self_mountinfo);
rewind(proc_self_mountinfo);
table = mnt_new_table();
if (!table)
return -ENOMEM;
r = mnt_table_parse_stream(table, proc_self_mountinfo, "/proc/self/mountinfo");
if (r < 0)
return r;
/* Try to reuse the original flag set */
(void) get_mount_flags(table, path, &orig_flags);
mount-util: switch most mount_verbose() code over to not follow symlinks
2020-09-22 15:51:17 +02:00
r = mount_nofollow(NULL, path, NULL, (orig_flags & ~flags_mask)|MS_BIND|MS_REMOUNT|new_flags, NULL);
if (r < 0)
return r;
core: make sure we use the correct mount flag when re-mounting bind mounts When in a userns environment we cannot take away per-mount point flags set on a mount point that was passed to us. Hence we need to be careful to always check the actual mount flags in place and manipulate only those flags of them that we actually want to change and not reset more as side-effect. We mostly got this right already in bind_remount_recursive_with_mountinfo(), but didn't in the simpler bind_remount_one_with_mountinfo(). Catch up. (The old code assumed that the MountEntry.flags field contained the right flag settings, but it actually doesn't for new mounts we just established as for those mount() establishes the initial flags for us, and we have to read them back to figure out which ones the kernel picked.) Fixes: #13622
2020-01-09 15:06:06 +01:00
return 0;
}
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
int mount_move_root(const char *path) {
assert(path);
if (chdir(path) < 0)
return -errno;
if (mount(path, "/", NULL, MS_MOVE, NULL) < 0)
return -errno;
if (chroot(".") < 0)
return -errno;
if (chdir("/") < 0)
return -errno;
return 0;
}
mount-util: move fstype_is_network() and name_to_handle_at() definitions over
2015-10-27 13:45:00 +01:00
automount: move generically userful call repeat_mount() into mount-util.[ch]
2015-10-27 14:25:58 +01:00
int repeat_unmount(const char *path, int flags) {
bool done = false;
assert(path);
/* If there are multiple mounts on a mount point, this
* removes them all */
for (;;) {
if (umount2(path, flags) < 0) {
if (errno == EINVAL)
return done;
return -errno;
}
done = true;
}
}
namespace: unify limit behavior on non-directory paths Despite the name, `Read{Write,Only}Directories=` already allows for regular file paths to be masked. This commit adds the same behavior to `InaccessibleDirectories=` and makes it explicit in the doc. This patch introduces `/run/systemd/inaccessible/{reg,dir,chr,blk,fifo,sock}` {dile,device}nodes and mounts on the appropriate one the paths specified in `InacessibleDirectories=`. Based on Luca's patch from https://github.com/systemd/systemd/pull/3327
2016-07-06 09:48:58 +02:00
inaccessible: move inaccessible file nodes to /systemd/ subdir in runtime dir always Let's make sure $XDG_RUNTIME_DIR for the user instance and /run for the system instance is always organized the same way: the "inaccessible" device nodes should be placed in a subdir of either called "systemd" and a subdir of that called "inaccessible". This way we can emphasize the common behaviour, and only differ where really necessary. Follow-up for #13823
2020-06-09 16:22:24 +02:00
int mode_to_inaccessible_node(
const char *runtime_dir,
mode_t mode,
char **ret) {
/* This function maps a node type to a corresponding inaccessible file node. These nodes are created
* during early boot by PID 1. In some cases we lacked the privs to create the character and block
* devices (maybe because we run in an userns environment, or miss CAP_SYS_MKNOD, or run with a
* devices policy that excludes device nodes with major and minor of 0), but that's fine, in that
* case we use an AF_UNIX file node instead, which is not the same, but close enough for most
* uses. And most importantly, the kernel allows bind mounts from socket nodes to any non-directory
* file nodes, and that's the most important thing that matters.
*
* Note that the runtime directory argument shall be the top-level runtime directory, i.e. /run/ if
* we operate in system context and $XDG_RUNTIME_DIR if we operate in user context. */
core: create inaccessible nodes for users when making runtime dirs To support ProtectHome=y in a user namespace (which mounts the inaccessible nodes), the nodes need to be accessible by the user. Create these paths and devices in the user runtime directory so they can be used later if needed.
2019-11-19 23:24:52 +01:00
_cleanup_free_ char *d = NULL;
const char *node = NULL;
inaccessible: move inaccessible file nodes to /systemd/ subdir in runtime dir always Let's make sure $XDG_RUNTIME_DIR for the user instance and /run for the system instance is always organized the same way: the "inaccessible" device nodes should be placed in a subdir of either called "systemd" and a subdir of that called "inaccessible". This way we can emphasize the common behaviour, and only differ where really necessary. Follow-up for #13823
2020-06-09 16:22:24 +02:00
assert(ret);
if (!runtime_dir)
runtime_dir = "/run";
mount-setup: add a comment that the character/block device nodes are "optional" (#8893) if we lack privs to create device nodes that's fine, and creating /run/systemd/inaccessible/chr or /run/systemd/inaccessible/blk won't work then. Document this in longer comments. Fixes: #4484
2018-05-03 16:10:35 +02:00
namespace: unify limit behavior on non-directory paths Despite the name, `Read{Write,Only}Directories=` already allows for regular file paths to be masked. This commit adds the same behavior to `InaccessibleDirectories=` and makes it explicit in the doc. This patch introduces `/run/systemd/inaccessible/{reg,dir,chr,blk,fifo,sock}` {dile,device}nodes and mounts on the appropriate one the paths specified in `InacessibleDirectories=`. Based on Luca's patch from https://github.com/systemd/systemd/pull/3327
2016-07-06 09:48:58 +02:00
switch(mode & S_IFMT) {
case S_IFREG:
inaccessible: move inaccessible file nodes to /systemd/ subdir in runtime dir always Let's make sure $XDG_RUNTIME_DIR for the user instance and /run for the system instance is always organized the same way: the "inaccessible" device nodes should be placed in a subdir of either called "systemd" and a subdir of that called "inaccessible". This way we can emphasize the common behaviour, and only differ where really necessary. Follow-up for #13823
2020-06-09 16:22:24 +02:00
node = "/systemd/inaccessible/reg";
core: create inaccessible nodes for users when making runtime dirs To support ProtectHome=y in a user namespace (which mounts the inaccessible nodes), the nodes need to be accessible by the user. Create these paths and devices in the user runtime directory so they can be used later if needed.
2019-11-19 23:24:52 +01:00
break;
mount-setup: add a comment that the character/block device nodes are "optional" (#8893) if we lack privs to create device nodes that's fine, and creating /run/systemd/inaccessible/chr or /run/systemd/inaccessible/blk won't work then. Document this in longer comments. Fixes: #4484
2018-05-03 16:10:35 +02:00
namespace: unify limit behavior on non-directory paths Despite the name, `Read{Write,Only}Directories=` already allows for regular file paths to be masked. This commit adds the same behavior to `InaccessibleDirectories=` and makes it explicit in the doc. This patch introduces `/run/systemd/inaccessible/{reg,dir,chr,blk,fifo,sock}` {dile,device}nodes and mounts on the appropriate one the paths specified in `InacessibleDirectories=`. Based on Luca's patch from https://github.com/systemd/systemd/pull/3327
2016-07-06 09:48:58 +02:00
case S_IFDIR:
inaccessible: move inaccessible file nodes to /systemd/ subdir in runtime dir always Let's make sure $XDG_RUNTIME_DIR for the user instance and /run for the system instance is always organized the same way: the "inaccessible" device nodes should be placed in a subdir of either called "systemd" and a subdir of that called "inaccessible". This way we can emphasize the common behaviour, and only differ where really necessary. Follow-up for #13823
2020-06-09 16:22:24 +02:00
node = "/systemd/inaccessible/dir";
core: create inaccessible nodes for users when making runtime dirs To support ProtectHome=y in a user namespace (which mounts the inaccessible nodes), the nodes need to be accessible by the user. Create these paths and devices in the user runtime directory so they can be used later if needed.
2019-11-19 23:24:52 +01:00
break;
mount-setup: add a comment that the character/block device nodes are "optional" (#8893) if we lack privs to create device nodes that's fine, and creating /run/systemd/inaccessible/chr or /run/systemd/inaccessible/blk won't work then. Document this in longer comments. Fixes: #4484
2018-05-03 16:10:35 +02:00
namespace: unify limit behavior on non-directory paths Despite the name, `Read{Write,Only}Directories=` already allows for regular file paths to be masked. This commit adds the same behavior to `InaccessibleDirectories=` and makes it explicit in the doc. This patch introduces `/run/systemd/inaccessible/{reg,dir,chr,blk,fifo,sock}` {dile,device}nodes and mounts on the appropriate one the paths specified in `InacessibleDirectories=`. Based on Luca's patch from https://github.com/systemd/systemd/pull/3327
2016-07-06 09:48:58 +02:00
case S_IFCHR:
inaccessible: move inaccessible file nodes to /systemd/ subdir in runtime dir always Let's make sure $XDG_RUNTIME_DIR for the user instance and /run for the system instance is always organized the same way: the "inaccessible" device nodes should be placed in a subdir of either called "systemd" and a subdir of that called "inaccessible". This way we can emphasize the common behaviour, and only differ where really necessary. Follow-up for #13823
2020-06-09 16:22:24 +02:00
node = "/systemd/inaccessible/chr";
core: create inaccessible nodes for users when making runtime dirs To support ProtectHome=y in a user namespace (which mounts the inaccessible nodes), the nodes need to be accessible by the user. Create these paths and devices in the user runtime directory so they can be used later if needed.
2019-11-19 23:24:52 +01:00
break;
mount-setup: add a comment that the character/block device nodes are "optional" (#8893) if we lack privs to create device nodes that's fine, and creating /run/systemd/inaccessible/chr or /run/systemd/inaccessible/blk won't work then. Document this in longer comments. Fixes: #4484
2018-05-03 16:10:35 +02:00
namespace: unify limit behavior on non-directory paths Despite the name, `Read{Write,Only}Directories=` already allows for regular file paths to be masked. This commit adds the same behavior to `InaccessibleDirectories=` and makes it explicit in the doc. This patch introduces `/run/systemd/inaccessible/{reg,dir,chr,blk,fifo,sock}` {dile,device}nodes and mounts on the appropriate one the paths specified in `InacessibleDirectories=`. Based on Luca's patch from https://github.com/systemd/systemd/pull/3327
2016-07-06 09:48:58 +02:00
case S_IFBLK:
inaccessible: move inaccessible file nodes to /systemd/ subdir in runtime dir always Let's make sure $XDG_RUNTIME_DIR for the user instance and /run for the system instance is always organized the same way: the "inaccessible" device nodes should be placed in a subdir of either called "systemd" and a subdir of that called "inaccessible". This way we can emphasize the common behaviour, and only differ where really necessary. Follow-up for #13823
2020-06-09 16:22:24 +02:00
node = "/systemd/inaccessible/blk";
core: create inaccessible nodes for users when making runtime dirs To support ProtectHome=y in a user namespace (which mounts the inaccessible nodes), the nodes need to be accessible by the user. Create these paths and devices in the user runtime directory so they can be used later if needed.
2019-11-19 23:24:52 +01:00
break;
mount-setup: add a comment that the character/block device nodes are "optional" (#8893) if we lack privs to create device nodes that's fine, and creating /run/systemd/inaccessible/chr or /run/systemd/inaccessible/blk won't work then. Document this in longer comments. Fixes: #4484
2018-05-03 16:10:35 +02:00
namespace: unify limit behavior on non-directory paths Despite the name, `Read{Write,Only}Directories=` already allows for regular file paths to be masked. This commit adds the same behavior to `InaccessibleDirectories=` and makes it explicit in the doc. This patch introduces `/run/systemd/inaccessible/{reg,dir,chr,blk,fifo,sock}` {dile,device}nodes and mounts on the appropriate one the paths specified in `InacessibleDirectories=`. Based on Luca's patch from https://github.com/systemd/systemd/pull/3327
2016-07-06 09:48:58 +02:00
case S_IFIFO:
inaccessible: move inaccessible file nodes to /systemd/ subdir in runtime dir always Let's make sure $XDG_RUNTIME_DIR for the user instance and /run for the system instance is always organized the same way: the "inaccessible" device nodes should be placed in a subdir of either called "systemd" and a subdir of that called "inaccessible". This way we can emphasize the common behaviour, and only differ where really necessary. Follow-up for #13823
2020-06-09 16:22:24 +02:00
node = "/systemd/inaccessible/fifo";
core: create inaccessible nodes for users when making runtime dirs To support ProtectHome=y in a user namespace (which mounts the inaccessible nodes), the nodes need to be accessible by the user. Create these paths and devices in the user runtime directory so they can be used later if needed.
2019-11-19 23:24:52 +01:00
break;
mount-setup: add a comment that the character/block device nodes are "optional" (#8893) if we lack privs to create device nodes that's fine, and creating /run/systemd/inaccessible/chr or /run/systemd/inaccessible/blk won't work then. Document this in longer comments. Fixes: #4484
2018-05-03 16:10:35 +02:00
namespace: unify limit behavior on non-directory paths Despite the name, `Read{Write,Only}Directories=` already allows for regular file paths to be masked. This commit adds the same behavior to `InaccessibleDirectories=` and makes it explicit in the doc. This patch introduces `/run/systemd/inaccessible/{reg,dir,chr,blk,fifo,sock}` {dile,device}nodes and mounts on the appropriate one the paths specified in `InacessibleDirectories=`. Based on Luca's patch from https://github.com/systemd/systemd/pull/3327
2016-07-06 09:48:58 +02:00
case S_IFSOCK:
inaccessible: move inaccessible file nodes to /systemd/ subdir in runtime dir always Let's make sure $XDG_RUNTIME_DIR for the user instance and /run for the system instance is always organized the same way: the "inaccessible" device nodes should be placed in a subdir of either called "systemd" and a subdir of that called "inaccessible". This way we can emphasize the common behaviour, and only differ where really necessary. Follow-up for #13823
2020-06-09 16:22:24 +02:00
node = "/systemd/inaccessible/sock";
core: create inaccessible nodes for users when making runtime dirs To support ProtectHome=y in a user namespace (which mounts the inaccessible nodes), the nodes need to be accessible by the user. Create these paths and devices in the user runtime directory so they can be used later if needed.
2019-11-19 23:24:52 +01:00
break;
namespace: unify limit behavior on non-directory paths Despite the name, `Read{Write,Only}Directories=` already allows for regular file paths to be masked. This commit adds the same behavior to `InaccessibleDirectories=` and makes it explicit in the doc. This patch introduces `/run/systemd/inaccessible/{reg,dir,chr,blk,fifo,sock}` {dile,device}nodes and mounts on the appropriate one the paths specified in `InacessibleDirectories=`. Based on Luca's patch from https://github.com/systemd/systemd/pull/3327
2016-07-06 09:48:58 +02:00
}
core: create inaccessible nodes for users when making runtime dirs To support ProtectHome=y in a user namespace (which mounts the inaccessible nodes), the nodes need to be accessible by the user. Create these paths and devices in the user runtime directory so they can be used later if needed.
2019-11-19 23:24:52 +01:00
if (!node)
return -EINVAL;
inaccessible: move inaccessible file nodes to /systemd/ subdir in runtime dir always Let's make sure $XDG_RUNTIME_DIR for the user instance and /run for the system instance is always organized the same way: the "inaccessible" device nodes should be placed in a subdir of either called "systemd" and a subdir of that called "inaccessible". This way we can emphasize the common behaviour, and only differ where really necessary. Follow-up for #13823
2020-06-09 16:22:24 +02:00
d = path_join(runtime_dir, node);
if (!d)
return -ENOMEM;
mount-util: tweak how we find inaccessible device nodes On new kernels (>= 5.8) unprivileged users may create the 0:0 character device node. Which is great, as we can use that as inaccessible device nodes if we run unprivileged. Hence, change how we find the right inaccessible device inodes: when the user asks for a block device node, but we have none, try the char device node first. If that doesn't exist, fall back to the socket node as before. This means that: 1. in the best case we'll return a node if the right device node type 2. otherwise we hopefully at least can return a device node if one asked for even if the type doesn't match (i.e. we return char instead of the requested block device node) 3. in the worst case (old kernels…) we'll return a socket node
2020-08-19 17:25:33 +02:00
/* On new kernels unprivileged users are permitted to create 0:0 char device nodes (because they also
* act as whiteout inode for overlayfs), but no other char or block device nodes. On old kernels no
* device node whatsoever may be created by unprivileged processes. Hence, if the caller asks for the
* inaccessible block device node let's see if the block device node actually exists, and if not,
* fall back to the character device node. From there fall back to the socket device node. This means
* in the best case we'll get the right device node type but if not we'll hopefully at least get a
* device node at all. */
if (S_ISBLK(mode) &&
access(d, F_OK) < 0 && errno == ENOENT) {
free(d);
d = path_join(runtime_dir, "/systemd/inaccessible/chr");
if (!d)
return -ENOMEM;
}
if (IN_SET(mode & S_IFMT, S_IFBLK, S_IFCHR) &&
access(d, F_OK) < 0 && errno == ENOENT) {
inaccessible: move inaccessible file nodes to /systemd/ subdir in runtime dir always Let's make sure $XDG_RUNTIME_DIR for the user instance and /run for the system instance is always organized the same way: the "inaccessible" device nodes should be placed in a subdir of either called "systemd" and a subdir of that called "inaccessible". This way we can emphasize the common behaviour, and only differ where really necessary. Follow-up for #13823
2020-06-09 16:22:24 +02:00
free(d);
d = path_join(runtime_dir, "/systemd/inaccessible/sock");
if (!d)
return -ENOMEM;
}
core: create inaccessible nodes for users when making runtime dirs To support ProtectHome=y in a user namespace (which mounts the inaccessible nodes), the nodes need to be accessible by the user. Create these paths and devices in the user runtime directory so they can be used later if needed.
2019-11-19 23:24:52 +01:00
inaccessible: move inaccessible file nodes to /systemd/ subdir in runtime dir always Let's make sure $XDG_RUNTIME_DIR for the user instance and /run for the system instance is always organized the same way: the "inaccessible" device nodes should be placed in a subdir of either called "systemd" and a subdir of that called "inaccessible". This way we can emphasize the common behaviour, and only differ where really necessary. Follow-up for #13823
2020-06-09 16:22:24 +02:00
*ret = TAKE_PTR(d);
core: create inaccessible nodes for users when making runtime dirs To support ProtectHome=y in a user namespace (which mounts the inaccessible nodes), the nodes need to be accessible by the user. Create these paths and devices in the user runtime directory so they can be used later if needed.
2019-11-19 23:24:52 +01:00
return 0;
namespace: unify limit behavior on non-directory paths Despite the name, `Read{Write,Only}Directories=` already allows for regular file paths to be masked. This commit adds the same behavior to `InaccessibleDirectories=` and makes it explicit in the doc. This patch introduces `/run/systemd/inaccessible/{reg,dir,chr,blk,fifo,sock}` {dile,device}nodes and mounts on the appropriate one the paths specified in `InacessibleDirectories=`. Based on Luca's patch from https://github.com/systemd/systemd/pull/3327
2016-07-06 09:48:58 +02:00
}
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
#define FLAG(name) (flags & name ? STRINGIFY(name) "|" : "")
static char* mount_flags_to_string(long unsigned flags) {
char *x;
_cleanup_free_ char *y = NULL;
long unsigned overflow;
overflow = flags & ~(MS_RDONLY |
MS_NOSUID |
MS_NODEV |
MS_NOEXEC |
MS_SYNCHRONOUS |
MS_REMOUNT |
MS_MANDLOCK |
MS_DIRSYNC |
MS_NOATIME |
MS_NODIRATIME |
MS_BIND |
MS_MOVE |
MS_REC |
MS_SILENT |
MS_POSIXACL |
MS_UNBINDABLE |
MS_PRIVATE |
MS_SLAVE |
MS_SHARED |
MS_RELATIME |
MS_KERNMOUNT |
MS_I_VERSION |
MS_STRICTATIME |
MS_LAZYTIME);
if (flags == 0 || overflow != 0)
if (asprintf(&y, "%lx", overflow) < 0)
return NULL;
x = strjoin(FLAG(MS_RDONLY),
FLAG(MS_NOSUID),
FLAG(MS_NODEV),
FLAG(MS_NOEXEC),
FLAG(MS_SYNCHRONOUS),
FLAG(MS_REMOUNT),
FLAG(MS_MANDLOCK),
FLAG(MS_DIRSYNC),
FLAG(MS_NOATIME),
FLAG(MS_NODIRATIME),
FLAG(MS_BIND),
FLAG(MS_MOVE),
FLAG(MS_REC),
FLAG(MS_SILENT),
FLAG(MS_POSIXACL),
FLAG(MS_UNBINDABLE),
FLAG(MS_PRIVATE),
FLAG(MS_SLAVE),
FLAG(MS_SHARED),
FLAG(MS_RELATIME),
FLAG(MS_KERNMOUNT),
FLAG(MS_I_VERSION),
FLAG(MS_STRICTATIME),
FLAG(MS_LAZYTIME),
tree-wide: drop NULL sentinel from strjoin This makes strjoin and strjoina more similar and avoids the useless final argument. spatch -I . -I ./src -I ./src/basic -I ./src/basic -I ./src/shared -I ./src/shared -I ./src/network -I ./src/locale -I ./src/login -I ./src/journal -I ./src/journal -I ./src/timedate -I ./src/timesync -I ./src/nspawn -I ./src/resolve -I ./src/resolve -I ./src/systemd -I ./src/core -I ./src/core -I ./src/libudev -I ./src/udev -I ./src/udev/net -I ./src/udev -I ./src/libsystemd/sd-bus -I ./src/libsystemd/sd-event -I ./src/libsystemd/sd-login -I ./src/libsystemd/sd-netlink -I ./src/libsystemd/sd-network -I ./src/libsystemd/sd-hwdb -I ./src/libsystemd/sd-device -I ./src/libsystemd/sd-id128 -I ./src/libsystemd-network --sp-file coccinelle/strjoin.cocci --in-place $(git ls-files src/*.c) git grep -e '\bstrjoin\b.*NULL' -l|xargs sed -i -r 's/strjoin\((.*), NULL\)/strjoin(\1)/' This might have missed a few cases (spatch has a really hard time dealing with _cleanup_ macros), but that's no big issue, they can always be fixed later.
2016-10-23 17:43:27 +02:00
y);
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
if (!x)
return NULL;
if (!y)
x[strlen(x) - 1] = '\0'; /* truncate the last | */
return x;
}
mount-util: switch most mount_verbose() code over to not follow symlinks
2020-09-22 15:51:17 +02:00
int mount_verbose_full(
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
int error_log_level,
const char *what,
const char *where,
const char *type,
unsigned long flags,
mount-util: switch most mount_verbose() code over to not follow symlinks
2020-09-22 15:51:17 +02:00
const char *options,
bool follow_symlink) {
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
mount-util: call mount_option_mangle() in mount_verbose()
2018-02-15 01:43:02 +01:00
_cleanup_free_ char *fl = NULL, *o = NULL;
unsigned long f;
int r;
r = mount_option_mangle(options, flags, &f, &o);
if (r < 0)
return log_full_errno(error_log_level, r,
"Failed to mangle mount options %s: %m",
strempty(options));
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
mount-util: call mount_option_mangle() in mount_verbose()
2018-02-15 01:43:02 +01:00
fl = mount_flags_to_string(f);
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
mount-util: call mount_option_mangle() in mount_verbose()
2018-02-15 01:43:02 +01:00
if ((f & MS_REMOUNT) && !what && !type)
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
log_debug("Remounting %s (%s \"%s\")...",
mount-util: call mount_option_mangle() in mount_verbose()
2018-02-15 01:43:02 +01:00
where, strnull(fl), strempty(o));
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
else if (!what && !type)
log_debug("Mounting %s (%s \"%s\")...",
mount-util: call mount_option_mangle() in mount_verbose()
2018-02-15 01:43:02 +01:00
where, strnull(fl), strempty(o));
else if ((f & MS_BIND) && !type)
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
log_debug("Bind-mounting %s on %s (%s \"%s\")...",
mount-util: call mount_option_mangle() in mount_verbose()
2018-02-15 01:43:02 +01:00
what, where, strnull(fl), strempty(o));
else if (f & MS_MOVE)
util-lib: make verbose_mount() grok MS_MOVE Let's print a proper message if we see MS_MOVE.
2016-12-09 17:35:48 +01:00
log_debug("Moving mount %s → %s (%s \"%s\")...",
mount-util: call mount_option_mangle() in mount_verbose()
2018-02-15 01:43:02 +01:00
what, where, strnull(fl), strempty(o));
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
else
mount-util: show mount source in mount_verbose_full() debug output
2020-09-24 15:07:52 +02:00
log_debug("Mounting %s (%s) on %s (%s \"%s\")...",
strna(what), strna(type), where, strnull(fl), strempty(o));
mount-util: switch most mount_verbose() code over to not follow symlinks
2020-09-22 15:51:17 +02:00
if (follow_symlink)
r = mount(what, where, type, f, o) < 0 ? -errno : 0;
else
r = mount_nofollow(what, where, type, f, o);
if (r < 0)
return log_full_errno(error_log_level, r,
mount-util: show mount source in failure log message (#10312)
2018-10-08 20:59:11 +02:00
"Failed to mount %s (type %s) on %s (%s \"%s\"): %m",
strna(what), strna(type), where, strnull(fl), strempty(o));
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
return 0;
}
mount-util: rework umount_verbose() to take log level and flags arg Let's make umount_verbose() more like mount_verbose_xyz(), i.e. take log level and flags param. In particular the latter matters, since we typically don't actually want to follow symlinks when unmounting.
2020-09-22 16:32:07 +02:00
int umount_verbose(
int error_log_level,
const char *what,
int flags) {
assert(what);
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
log_debug("Umounting %s...", what);
mount-util: rework umount_verbose() to take log level and flags arg Let's make umount_verbose() more like mount_verbose_xyz(), i.e. take log level and flags param. In particular the latter matters, since we typically don't actually want to follow symlinks when unmounting.
2020-09-22 16:32:07 +02:00
if (umount2(what, flags) < 0)
return log_full_errno(error_log_level, errno,
"Failed to unmount %s: %m", what);
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
return 0;
}
core: hook up MountFlags= to the transient unit logic This makes "systemd-run -p MountFlags=shared -t /bin/sh" work, by making MountFlags= to the list of properties that may be accessed transiently.
2016-11-22 20:19:08 +01:00
mount-util: add mount_option_mangle() This is used in the later commits.
2018-02-15 01:32:04 +01:00
int mount_option_mangle(
const char *options,
unsigned long mount_flags,
unsigned long *ret_mount_flags,
char **ret_remaining_options) {
const struct libmnt_optmap *map;
_cleanup_free_ char *ret = NULL;
const char *p;
int r;
/* This extracts mount flags from the mount options, and store
* non-mount-flag options to '*ret_remaining_options'.
* E.g.,
* "rw,nosuid,nodev,relatime,size=1630748k,mode=700,uid=1000,gid=1000"
* is split to MS_NOSUID|MS_NODEV|MS_RELATIME and
* "size=1630748k,mode=700,uid=1000,gid=1000".
* See more examples in test-mount-utils.c.
*
* Note that if 'options' does not contain any non-mount-flag options,
codespell: fix spelling errors
2019-04-27 02:22:40 +02:00
* then '*ret_remaining_options' is set to NULL instead of empty string.
mount-util: add mount_option_mangle() This is used in the later commits.
2018-02-15 01:32:04 +01:00
* Note that this does not check validity of options stored in
* '*ret_remaining_options'.
* Note that if 'options' is NULL, then this just copies 'mount_flags'
* to '*ret_mount_flags'. */
assert(ret_mount_flags);
assert(ret_remaining_options);
map = mnt_get_builtin_optmap(MNT_LINUX_MAP);
if (!map)
return -EINVAL;
p = options;
for (;;) {
_cleanup_free_ char *word = NULL;
const struct libmnt_optmap *ent;
Rename EXTRACT_QUOTES to EXTRACT_UNQUOTE Whenever I see EXTRACT_QUOTES, I'm always confused whether it means to leave the quotes in or to take them out. Let's say "unquote", like we say "cunescape".
2019-06-28 11:15:05 +02:00
r = extract_first_word(&p, &word, ",", EXTRACT_UNQUOTE);
mount-util: add mount_option_mangle() This is used in the later commits.
2018-02-15 01:32:04 +01:00
if (r < 0)
return r;
if (r == 0)
break;
for (ent = map; ent->name; ent++) {
/* All entries in MNT_LINUX_MAP do not take any argument.
* Thus, ent->name does not contain "=" or "[=]". */
if (!streq(word, ent->name))
continue;
if (!(ent->mask & MNT_INVERT))
mount_flags |= ent->id;
else if (mount_flags & ent->id)
mount_flags ^= ent->id;
break;
}
/* If 'word' is not a mount flag, then store it in '*ret_remaining_options'. */
string-util: imply NULL termination of strextend() argument list The trailing NULL in the argument list is now implied (similar to what we already have in place in strjoin()).
2021-01-05 15:03:41 +01:00
if (!ent->name && !strextend_with_separator(&ret, ",", word))
mount-util: add mount_option_mangle() This is used in the later commits.
2018-02-15 01:32:04 +01:00
return -ENOMEM;
}
*ret_mount_flags = mount_flags;
macro: introduce TAKE_PTR() macro This macro will read a pointer of any type, return it, and set the pointer to NULL. This is useful as an explicit concept of passing ownership of a memory area between pointers. This takes inspiration from Rust: https://doc.rust-lang.org/std/option/enum.Option.html#method.take and was suggested by Alan Jenkins (@sourcejedi). It drops ~160 lines of code from our codebase, which makes me like it. Also, I think it clarifies passing of ownership, and thus helps readability a bit (at least for the initiated who know the new macro)
2018-03-22 16:53:26 +01:00
*ret_remaining_options = TAKE_PTR(ret);
mount-util: add mount_option_mangle() This is used in the later commits.
2018-02-15 01:32:04 +01:00
return 0;
}