picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Systemd/src/basic/mount-util.c

956 lines
36 KiB
C
Raw Normal View History

Add SPDX license identifiers to source files under the LGPL This follows what the kernel is doing, c.f. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5fd54ace4721fc5ce2bb5aef6318fcf17f421460.
2017-11-18 17:09:20 +01:00
/* SPDX-License-Identifier: LGPL-2.1+ */
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
/***
This file is part of systemd.
Copyright 2010 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
basic: include only what we use This is a cleaned up result of running iwyu but without forward declarations on src/basic.
2015-11-30 21:43:37 +01:00
#include <errno.h>
basic: turn off stdio locking for a couple of helper calls These helper calls are potentially called often, and allocate FILE* objects internally for a very short period of time, let's turn off locking for them too.
2017-12-11 20:01:55 +01:00
#include <stdio_ext.h>
basic: include only what we use This is a cleaned up result of running iwyu but without forward declarations on src/basic.
2015-11-30 21:43:37 +01:00
#include <stdlib.h>
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
#include <string.h>
#include <sys/mount.h>
basic: include only what we use This is a cleaned up result of running iwyu but without forward declarations on src/basic.
2015-11-30 21:43:37 +01:00
#include <sys/stat.h>
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
#include <sys/statvfs.h>
basic: include only what we use This is a cleaned up result of running iwyu but without forward declarations on src/basic.
2015-11-30 21:43:37 +01:00
#include <unistd.h>
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
mount-util: add mount_option_mangle() This is used in the later commits.
2018-02-15 01:32:04 +01:00
/* Include later */
#include <libmount.h>
util-lib: split out allocation calls into alloc-util.[ch]
2015-10-27 03:01:06 +01:00
#include "alloc-util.h"
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
#include "escape.h"
mount-util: add mount_option_mangle() This is used in the later commits.
2018-02-15 01:32:04 +01:00
#include "extract-word.h"
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
#include "fd-util.h"
#include "fileio.h"
tree-wide: stop using canonicalize_file_name(), use chase_symlinks() instead Let's use chase_symlinks() everywhere, and stop using GNU canonicalize_file_name() everywhere. For most cases this should not change behaviour, however increase exposure of our function to get better tested. Most importantly in a few cases (most notably nspawn) it can take the correct root directory into account when chasing symlinks.
2016-11-18 21:35:21 +01:00
#include "fs-util.h"
basic: re-sort includes My previous patch to only include what we use accidentially placed the added inlcudes in non-sorted order.
2015-12-01 23:22:03 +01:00
#include "hashmap.h"
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
#include "mount-util.h"
#include "parse-util.h"
#include "path-util.h"
#include "set.h"
util-lib: split out printf() helpers to stdio-util.h
2015-10-27 01:26:31 +01:00
#include "stdio-util.h"
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
#include "string-util.h"
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
#include "strv.h"
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
mount-util: do not use the official MAX_HANDLE_SZ (#7523) If we'd use the system header's version of MAX_HANDLE_SZ then our code would break on older kernels as soon as the value is increased, as old kernels refuse larger buffers with EINVAL.
2017-12-03 12:18:33 +01:00
/* This is the original MAX_HANDLE_SZ definition from the kernel, when the API was introduced. We use that in place of
* any more currently defined value to future-proof things: if the size is increased in the API headers, and our code
* is recompiled then it would cease working on old kernels, as those refuse any sizes larger than this value with
* EINVAL right-away. Hence, let's disconnect ourselves from any such API changes, and stick to the original definition
* from when it was introduced. We use it as a start value only anyway (see below), and hence should be able to deal
* with large file handles anyway. */
#define ORIGINAL_MAX_HANDLE_SZ 128
mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at() As it turns out MAX_HANDLE_SZ is a lie, the handle buffer we pass into name_to_handle_at() might need to be larger than MAX_HANDLE_SZ, and we thus need to invoke name_to_handle_at() in a loop, growing the buffer as needed. This adds a new wrapper name_to_handle_at_loop() around name_to_handle_at() that does the necessary looping, and ports over all users. Fixes: #7082
2017-11-20 15:29:53 +01:00
int name_to_handle_at_loop(
int fd,
const char *path,
struct file_handle **ret_handle,
int *ret_mnt_id,
int flags) {
mount-util: shorten the loop a bit (#7545) The loop preparation and part of the loop contents are actually the same, let's merge this. Also, it's so much fun tweaking around in the name_to_handle_at() code, let's do more of it with this patch! (This also adds two NULL assignments, that aren't strictly necessary. However, I figured its safer to place them in there, just in case the for() condition is changed later. After all the freeing of the handle and the invalidation of the cleanup-controller pointer to it are otherwise really far away from each other...)
2017-12-06 05:19:03 +01:00
_cleanup_free_ struct file_handle *h = NULL;
mount-util: do not use the official MAX_HANDLE_SZ (#7523) If we'd use the system header's version of MAX_HANDLE_SZ then our code would break on older kernels as soon as the value is increased, as old kernels refuse larger buffers with EINVAL.
2017-12-03 12:18:33 +01:00
size_t n = ORIGINAL_MAX_HANDLE_SZ;
mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at() As it turns out MAX_HANDLE_SZ is a lie, the handle buffer we pass into name_to_handle_at() might need to be larger than MAX_HANDLE_SZ, and we thus need to invoke name_to_handle_at() in a loop, growing the buffer as needed. This adds a new wrapper name_to_handle_at_loop() around name_to_handle_at() that does the necessary looping, and ports over all users. Fixes: #7082
2017-11-20 15:29:53 +01:00
/* We need to invoke name_to_handle_at() in a loop, given that it might return EOVERFLOW when the specified
* buffer is too small. Note that in contrast to what the docs might suggest, MAX_HANDLE_SZ is only good as a
* start value, it is not an upper bound on the buffer size required.
*
* This improves on raw name_to_handle_at() also in one other regard: ret_handle and ret_mnt_id can be passed
* as NULL if there's no interest in either. */
for (;;) {
int mnt_id = -1;
mount-util: shorten the loop a bit (#7545) The loop preparation and part of the loop contents are actually the same, let's merge this. Also, it's so much fun tweaking around in the name_to_handle_at() code, let's do more of it with this patch! (This also adds two NULL assignments, that aren't strictly necessary. However, I figured its safer to place them in there, just in case the for() condition is changed later. After all the freeing of the handle and the invalidation of the cleanup-controller pointer to it are otherwise really far away from each other...)
2017-12-06 05:19:03 +01:00
h = malloc0(offsetof(struct file_handle, f_handle) + n);
if (!h)
return -ENOMEM;
h->handle_bytes = n;
mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at() As it turns out MAX_HANDLE_SZ is a lie, the handle buffer we pass into name_to_handle_at() might need to be larger than MAX_HANDLE_SZ, and we thus need to invoke name_to_handle_at() in a loop, growing the buffer as needed. This adds a new wrapper name_to_handle_at_loop() around name_to_handle_at() that does the necessary looping, and ports over all users. Fixes: #7082
2017-11-20 15:29:53 +01:00
if (name_to_handle_at(fd, path, h, &mnt_id, flags) >= 0) {
macro: introduce TAKE_PTR() macro This macro will read a pointer of any type, return it, and set the pointer to NULL. This is useful as an explicit concept of passing ownership of a memory area between pointers. This takes inspiration from Rust: https://doc.rust-lang.org/std/option/enum.Option.html#method.take and was suggested by Alan Jenkins (@sourcejedi). It drops ~160 lines of code from our codebase, which makes me like it. Also, I think it clarifies passing of ownership, and thus helps readability a bit (at least for the initiated who know the new macro)
2018-03-22 16:53:26 +01:00
if (ret_handle)
*ret_handle = TAKE_PTR(h);
mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at() As it turns out MAX_HANDLE_SZ is a lie, the handle buffer we pass into name_to_handle_at() might need to be larger than MAX_HANDLE_SZ, and we thus need to invoke name_to_handle_at() in a loop, growing the buffer as needed. This adds a new wrapper name_to_handle_at_loop() around name_to_handle_at() that does the necessary looping, and ports over all users. Fixes: #7082
2017-11-20 15:29:53 +01:00
if (ret_mnt_id)
*ret_mnt_id = mnt_id;
return 0;
}
if (errno != EOVERFLOW)
return -errno;
if (!ret_handle && ret_mnt_id && mnt_id >= 0) {
mount-util: drop exponential buffer growing in name_to_handle_at_loop() So, it appears name_to_handle_at() always returns the right buffer size on EOVERFLOW, when it's returned due to a too small buffer. Let's rely on that exclusively for sizing the buffer, and let's drop the exponential buffer growing. The new logic is now: if we see EOVERFLOW and the returned size has increased, resize our buffer and try again. But if it didn't increase, then propagate the EOVERFLOW as it likely has other causes.
2017-11-23 12:42:24 +01:00
/* As it appears, name_to_handle_at() fills in mnt_id even when it returns EOVERFLOW when the
* buffer is too small, but that's undocumented. Hence, let's make use of this if it appears to
* be filled in, and the caller was interested in only the mount ID an nothing else. */
mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at() As it turns out MAX_HANDLE_SZ is a lie, the handle buffer we pass into name_to_handle_at() might need to be larger than MAX_HANDLE_SZ, and we thus need to invoke name_to_handle_at() in a loop, growing the buffer as needed. This adds a new wrapper name_to_handle_at_loop() around name_to_handle_at() that does the necessary looping, and ports over all users. Fixes: #7082
2017-11-20 15:29:53 +01:00
*ret_mnt_id = mnt_id;
return 0;
}
mount-util: drop exponential buffer growing in name_to_handle_at_loop() So, it appears name_to_handle_at() always returns the right buffer size on EOVERFLOW, when it's returned due to a too small buffer. Let's rely on that exclusively for sizing the buffer, and let's drop the exponential buffer growing. The new logic is now: if we see EOVERFLOW and the returned size has increased, resize our buffer and try again. But if it didn't increase, then propagate the EOVERFLOW as it likely has other causes.
2017-11-23 12:42:24 +01:00
/* If name_to_handle_at() didn't increase the byte size, then this EOVERFLOW is caused by something
* else (apparently EOVERFLOW is returned for untriggered nfs4 mounts sometimes), not by the too small
* buffer. In that case propagate EOVERFLOW */
if (h->handle_bytes <= n)
mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at() As it turns out MAX_HANDLE_SZ is a lie, the handle buffer we pass into name_to_handle_at() might need to be larger than MAX_HANDLE_SZ, and we thus need to invoke name_to_handle_at() in a loop, growing the buffer as needed. This adds a new wrapper name_to_handle_at_loop() around name_to_handle_at() that does the necessary looping, and ports over all users. Fixes: #7082
2017-11-20 15:29:53 +01:00
return -EOVERFLOW;
mount-util: drop exponential buffer growing in name_to_handle_at_loop() So, it appears name_to_handle_at() always returns the right buffer size on EOVERFLOW, when it's returned due to a too small buffer. Let's rely on that exclusively for sizing the buffer, and let's drop the exponential buffer growing. The new logic is now: if we see EOVERFLOW and the returned size has increased, resize our buffer and try again. But if it didn't increase, then propagate the EOVERFLOW as it likely has other causes.
2017-11-23 12:42:24 +01:00
/* The buffer was too small. Size the new buffer by what name_to_handle_at() returned. */
n = h->handle_bytes;
if (offsetof(struct file_handle, f_handle) + n < n) /* check for addition overflow */
mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at() As it turns out MAX_HANDLE_SZ is a lie, the handle buffer we pass into name_to_handle_at() might need to be larger than MAX_HANDLE_SZ, and we thus need to invoke name_to_handle_at() in a loop, growing the buffer as needed. This adds a new wrapper name_to_handle_at_loop() around name_to_handle_at() that does the necessary looping, and ports over all users. Fixes: #7082
2017-11-20 15:29:53 +01:00
return -EOVERFLOW;
mount-util: shorten the loop a bit (#7545) The loop preparation and part of the loop contents are actually the same, let's merge this. Also, it's so much fun tweaking around in the name_to_handle_at() code, let's do more of it with this patch! (This also adds two NULL assignments, that aren't strictly necessary. However, I figured its safer to place them in there, just in case the for() condition is changed later. After all the freeing of the handle and the invalidation of the cleanup-controller pointer to it are otherwise really far away from each other...)
2017-12-06 05:19:03 +01:00
h = mfree(h);
mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at() As it turns out MAX_HANDLE_SZ is a lie, the handle buffer we pass into name_to_handle_at() might need to be larger than MAX_HANDLE_SZ, and we thus need to invoke name_to_handle_at() in a loop, growing the buffer as needed. This adds a new wrapper name_to_handle_at_loop() around name_to_handle_at() that does the necessary looping, and ports over all users. Fixes: #7082
2017-11-20 15:29:53 +01:00
}
}
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
static int fd_fdinfo_mnt_id(int fd, const char *filename, int flags, int *mnt_id) {
tree-wide: make use of new STRLEN() macro everywhere (#7639) Let's employ coccinelle to do this for us. Follow-up for #7625.
2017-12-14 19:02:29 +01:00
char path[STRLEN("/proc/self/fdinfo/") + DECIMAL_STR_MAX(int)];
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
_cleanup_free_ char *fdinfo = NULL;
_cleanup_close_ int subfd = -1;
char *p;
int r;
if ((flags & AT_EMPTY_PATH) && isempty(filename))
xsprintf(path, "/proc/self/fdinfo/%i", fd);
else {
tree-wide: no need to pass excess flags to open()/openat() if O_PATH is passed As described in the documentation: When O_PATH is specified in flags, flag bits other than O_CLOEXEC, O_DIRECTORY, and O_NOFOLLOW are ignored. So, we can remove unnecessary flags in a case when O_PATH is passed to the open() or openat().
2016-03-01 19:25:09 +01:00
subfd = openat(fd, filename, O_CLOEXEC|O_PATH);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
if (subfd < 0)
return -errno;
xsprintf(path, "/proc/self/fdinfo/%i", subfd);
}
r = read_full_file(path, &fdinfo, NULL);
if (r == -ENOENT) /* The fdinfo directory is a relatively new addition */
return -EOPNOTSUPP;
if (r < 0)
mount-util: fix error propagation in fd_fdinfo_mnt_id()
2017-11-23 12:44:17 +01:00
return r;
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
p = startswith(fdinfo, "mnt_id:");
if (!p) {
p = strstr(fdinfo, "\nmnt_id:");
if (!p) /* The mnt_id field is a relatively new addition */
return -EOPNOTSUPP;
p += 8;
}
p += strspn(p, WHITESPACE);
p[strcspn(p, WHITESPACE)] = 0;
return safe_atoi(p, mnt_id);
}
int fd_is_mount_point(int fd, const char *filename, int flags) {
mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at() As it turns out MAX_HANDLE_SZ is a lie, the handle buffer we pass into name_to_handle_at() might need to be larger than MAX_HANDLE_SZ, and we thus need to invoke name_to_handle_at() in a loop, growing the buffer as needed. This adds a new wrapper name_to_handle_at_loop() around name_to_handle_at() that does the necessary looping, and ports over all users. Fixes: #7082
2017-11-20 15:29:53 +01:00
_cleanup_free_ struct file_handle *h = NULL, *h_parent = NULL;
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
int mount_id = -1, mount_id_parent = -1;
bool nosupp = false, check_st_dev = true;
struct stat a, b;
int r;
assert(fd >= 0);
assert(filename);
/* First we will try the name_to_handle_at() syscall, which
* tells us the mount id and an opaque file "handle". It is
* not supported everywhere though (kernel compile-time
* option, not all file systems are hooked up). If it works
* the mount id is usually good enough to tell us whether
* something is a mount point.
*
* If that didn't work we will try to read the mount id from
* /proc/self/fdinfo/<fd>. This is almost as good as
* name_to_handle_at(), however, does not return the
* opaque file handle. The opaque file handle is pretty useful
* to detect the root directory, which we should always
* consider a mount point. Hence we use this only as
* fallback. Exporting the mnt_id in fdinfo is a pretty recent
* kernel addition.
*
* As last fallback we do traditional fstat() based st_dev
* comparisons. This is how things were traditionally done,
treewide: fix typos and remove accidental repetition of words
2016-07-10 14:48:23 +02:00
* but unionfs breaks this since it exposes file
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
* systems with a variety of st_dev reported. Also, btrfs
* subvolumes have different st_dev, even though they aren't
* real mounts of their own. */
mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at() As it turns out MAX_HANDLE_SZ is a lie, the handle buffer we pass into name_to_handle_at() might need to be larger than MAX_HANDLE_SZ, and we thus need to invoke name_to_handle_at() in a loop, growing the buffer as needed. This adds a new wrapper name_to_handle_at_loop() around name_to_handle_at() that does the necessary looping, and ports over all users. Fixes: #7082
2017-11-20 15:29:53 +01:00
r = name_to_handle_at_loop(fd, filename, &h, &mount_id, flags);
mount-util: tape over name_to_handle_at() flakiness (#7517) Apparently, the kernel returns EINVAL on NFS4 sometimes, even if we do everything right, let's fallback in that case and find a different approach to determine if something's a mount point. See discussion at: https://github.com/systemd/systemd/issues/7082#issuecomment-348001289
2017-12-01 12:59:16 +01:00
if (IN_SET(r, -ENOSYS, -EACCES, -EPERM, -EOVERFLOW, -EINVAL))
mount-util: EOVERFLOW might have other causes than buffer size issues When we get EOVERFLOW this might be caused by untriggered nfs4 mounts (see discussion at https://github.com/systemd/systemd/pull/7395#issuecomment-346164481 and further down). Handle this nicely by falling back to fdinfo-based mntid determination. Fixes: #7082
2017-11-23 12:44:49 +01:00
/* This kernel does not support name_to_handle_at() at all (ENOSYS), or the syscall was blocked
* (EACCES/EPERM; maybe through seccomp, because we are running inside of a container?), or the mount
mount-util: tape over name_to_handle_at() flakiness (#7517) Apparently, the kernel returns EINVAL on NFS4 sometimes, even if we do everything right, let's fallback in that case and find a different approach to determine if something's a mount point. See discussion at: https://github.com/systemd/systemd/issues/7082#issuecomment-348001289
2017-12-01 12:59:16 +01:00
* point is not triggered yet (EOVERFLOW, think nfs4), or some general name_to_handle_at() flakiness
* (EINVAL): fall back to simpler logic. */
mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at() As it turns out MAX_HANDLE_SZ is a lie, the handle buffer we pass into name_to_handle_at() might need to be larger than MAX_HANDLE_SZ, and we thus need to invoke name_to_handle_at() in a loop, growing the buffer as needed. This adds a new wrapper name_to_handle_at_loop() around name_to_handle_at() that does the necessary looping, and ports over all users. Fixes: #7082
2017-11-20 15:29:53 +01:00
goto fallback_fdinfo;
else if (r == -EOPNOTSUPP)
/* This kernel or file system does not support name_to_handle_at(), hence let's see if the upper fs
* supports it (in which case it is a mount point), otherwise fallback to the traditional stat()
* logic */
nosupp = true;
else if (r < 0)
return r;
r = name_to_handle_at_loop(fd, "", &h_parent, &mount_id_parent, AT_EMPTY_PATH);
if (r == -EOPNOTSUPP) {
if (nosupp)
/* Neither parent nor child do name_to_handle_at()? We have no choice but to fall back. */
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
goto fallback_fdinfo;
else
mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at() As it turns out MAX_HANDLE_SZ is a lie, the handle buffer we pass into name_to_handle_at() might need to be larger than MAX_HANDLE_SZ, and we thus need to invoke name_to_handle_at() in a loop, growing the buffer as needed. This adds a new wrapper name_to_handle_at_loop() around name_to_handle_at() that does the necessary looping, and ports over all users. Fixes: #7082
2017-11-20 15:29:53 +01:00
/* The parent can't do name_to_handle_at() but the directory we are interested in can? If so,
* it must be a mount point. */
return 1;
} else if (r < 0)
mount-util: fix bad indenting
2017-11-23 12:48:12 +01:00
return r;
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
/* The parent can do name_to_handle_at() but the
* directory we are interested in can't? If so, it
* must be a mount point. */
if (nosupp)
return 1;
/* If the file handle for the directory we are
* interested in and its parent are identical, we
* assume this is the root directory, which is a mount
* point. */
mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at() As it turns out MAX_HANDLE_SZ is a lie, the handle buffer we pass into name_to_handle_at() might need to be larger than MAX_HANDLE_SZ, and we thus need to invoke name_to_handle_at() in a loop, growing the buffer as needed. This adds a new wrapper name_to_handle_at_loop() around name_to_handle_at() that does the necessary looping, and ports over all users. Fixes: #7082
2017-11-20 15:29:53 +01:00
if (h->handle_bytes == h_parent->handle_bytes &&
h->handle_type == h_parent->handle_type &&
memcmp(h->f_handle, h_parent->f_handle, h->handle_bytes) == 0)
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
return 1;
return mount_id != mount_id_parent;
fallback_fdinfo:
r = fd_fdinfo_mnt_id(fd, filename, flags, &mount_id);
mount-util: accept that name_to_handle_at() might fail with EPERM (#5499) Container managers frequently block name_to_handle_at(), returning EACCES or EPERM when this is issued. Accept that, and simply fall back to to fdinfo-based checks. Note that we accept either EACCES or EPERM here, as container managers can choose the error code and aren't very good on agreeing on just one. (note that this is a non-issue with nspawn, as we permit name_to_handle_at() there, only block open_by_handle_at(), which should be sufficiently safe).
2017-03-01 17:35:05 +01:00
if (IN_SET(r, -EOPNOTSUPP, -EACCES, -EPERM))
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
goto fallback_fstat;
if (r < 0)
return r;
r = fd_fdinfo_mnt_id(fd, "", AT_EMPTY_PATH, &mount_id_parent);
if (r < 0)
return r;
if (mount_id != mount_id_parent)
return 1;
/* Hmm, so, the mount ids are the same. This leaves one
* special case though for the root file system. For that,
* let's see if the parent directory has the same inode as we
* are interested in. Hence, let's also do fstat() checks now,
* too, but avoid the st_dev comparisons, since they aren't
* that useful on unionfs mounts. */
check_st_dev = false;
fallback_fstat:
/* yay for fstatat() taking a different set of flags than the other
* _at() above */
if (flags & AT_SYMLINK_FOLLOW)
flags &= ~AT_SYMLINK_FOLLOW;
else
flags |= AT_SYMLINK_NOFOLLOW;
if (fstatat(fd, filename, &a, flags) < 0)
return -errno;
if (fstatat(fd, "", &b, AT_EMPTY_PATH) < 0)
return -errno;
/* A directory with same device and inode as its parent? Must
* be the root directory */
if (a.st_dev == b.st_dev &&
a.st_ino == b.st_ino)
return 1;
return check_st_dev && (a.st_dev != b.st_dev);
}
/* flags can be AT_SYMLINK_FOLLOW or 0 */
tree-wide: stop using canonicalize_file_name(), use chase_symlinks() instead Let's use chase_symlinks() everywhere, and stop using GNU canonicalize_file_name() everywhere. For most cases this should not change behaviour, however increase exposure of our function to get better tested. Most importantly in a few cases (most notably nspawn) it can take the correct root directory into account when chasing symlinks.
2016-11-18 21:35:21 +01:00
int path_is_mount_point(const char *t, const char *root, int flags) {
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
_cleanup_free_ char *canonical = NULL, *parent = NULL;
tree-wide: stop using canonicalize_file_name(), use chase_symlinks() instead Let's use chase_symlinks() everywhere, and stop using GNU canonicalize_file_name() everywhere. For most cases this should not change behaviour, however increase exposure of our function to get better tested. Most importantly in a few cases (most notably nspawn) it can take the correct root directory into account when chasing symlinks.
2016-11-18 21:35:21 +01:00
_cleanup_close_ int fd = -1;
int r;
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
assert(t);
util-lib: use trailing slash in chase_symlinks, fd_is_mount_point, path_is_mount_point The kernel will reply with -ENOTDIR when we try to access a non-directory under a name which ends with a slash. But our functions would strip the trailing slash under various circumstances. Keep the trailing slash, so that path_is_mount_point("/path/to/file/") return -ENOTDIR when /path/to/file/ is a file. Tests are added for this change in behaviour. Also, when called with a trailing slash, path_is_mount_point() would get "" from basename(), and call name_to_handle_at(3, "", ...), and always return -ENOENT. Now it'll return -ENOTDIR if the mount point is a file, and true if it is a directory and a mount point. v2: - use strip_trailing_chars() v3: - instead of stripping trailing chars(), do the opposite — preserve them.
2017-10-31 11:08:30 +01:00
assert((flags & ~AT_SYMLINK_FOLLOW) == 0);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
if (path_equal(t, "/"))
return 1;
/* we need to resolve symlinks manually, we can't just rely on
* fd_is_mount_point() to do that for us; if we have a structure like
* /bin -> /usr/bin/ and /usr is a mount point, then the parent that we
* look at needs to be /usr, not /. */
if (flags & AT_SYMLINK_FOLLOW) {
fs-util: add flags parameter to chase_symlinks() Let's remove chase_symlinks_prefix() and instead introduce a flags parameter to chase_symlinks(), with a flag CHASE_PREFIX_ROOT that exposes the behaviour of chase_symlinks_prefix().
2016-11-29 16:49:30 +01:00
r = chase_symlinks(t, root, 0, &canonical);
tree-wide: stop using canonicalize_file_name(), use chase_symlinks() instead Let's use chase_symlinks() everywhere, and stop using GNU canonicalize_file_name() everywhere. For most cases this should not change behaviour, however increase exposure of our function to get better tested. Most importantly in a few cases (most notably nspawn) it can take the correct root directory into account when chasing symlinks.
2016-11-18 21:35:21 +01:00
if (r < 0)
return r;
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
t = canonical;
}
parent = dirname_malloc(t);
if (!parent)
return -ENOMEM;
tree-wide: no need to pass excess flags to open()/openat() if O_PATH is passed As described in the documentation: When O_PATH is specified in flags, flag bits other than O_CLOEXEC, O_DIRECTORY, and O_NOFOLLOW are ignored. So, we can remove unnecessary flags in a case when O_PATH is passed to the open() or openat().
2016-03-01 19:25:09 +01:00
fd = openat(AT_FDCWD, parent, O_DIRECTORY|O_CLOEXEC|O_PATH);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
if (fd < 0)
return -errno;
util-lib: use trailing slash in chase_symlinks, fd_is_mount_point, path_is_mount_point The kernel will reply with -ENOTDIR when we try to access a non-directory under a name which ends with a slash. But our functions would strip the trailing slash under various circumstances. Keep the trailing slash, so that path_is_mount_point("/path/to/file/") return -ENOTDIR when /path/to/file/ is a file. Tests are added for this change in behaviour. Also, when called with a trailing slash, path_is_mount_point() would get "" from basename(), and call name_to_handle_at(3, "", ...), and always return -ENOENT. Now it'll return -ENOTDIR if the mount point is a file, and true if it is a directory and a mount point. v2: - use strip_trailing_chars() v3: - instead of stripping trailing chars(), do the opposite — preserve them.
2017-10-31 11:08:30 +01:00
return fd_is_mount_point(fd, last_path_component(t), flags);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
}
mount-util: add new path_get_mnt_id() call that queries the mnt ID of a path This is a simple wrapper around name_to_handle_at_loop() and fd_fdinfo_mnt_id() to query the mnt ID of a path. It uses name_to_handle_at() where it can, and falls back to to fd_fdinfo_mnt_id() where that doesn't work. This is a best-effort thing of course, since neither name_to_handle_at() nor the fdinfo logic work on all kernels.
2017-11-20 16:05:41 +01:00
int path_get_mnt_id(const char *path, int *ret) {
int r;
r = name_to_handle_at_loop(AT_FDCWD, path, NULL, ret, 0);
mount-util: tape over name_to_handle_at() flakiness (#7517) Apparently, the kernel returns EINVAL on NFS4 sometimes, even if we do everything right, let's fallback in that case and find a different approach to determine if something's a mount point. See discussion at: https://github.com/systemd/systemd/issues/7082#issuecomment-348001289
2017-12-01 12:59:16 +01:00
if (IN_SET(r, -EOPNOTSUPP, -ENOSYS, -EACCES, -EPERM, -EOVERFLOW, -EINVAL)) /* kernel/fs don't support this, or seccomp blocks access, or untriggered mount, or name_to_handle_at() is flaky */
mount-util: add new path_get_mnt_id() call that queries the mnt ID of a path This is a simple wrapper around name_to_handle_at_loop() and fd_fdinfo_mnt_id() to query the mnt ID of a path. It uses name_to_handle_at() where it can, and falls back to to fd_fdinfo_mnt_id() where that doesn't work. This is a best-effort thing of course, since neither name_to_handle_at() nor the fdinfo logic work on all kernels.
2017-11-20 16:05:41 +01:00
return fd_fdinfo_mnt_id(AT_FDCWD, path, 0, ret);
return r;
}
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
int umount_recursive(const char *prefix, int flags) {
bool again;
int n = 0, r;
/* Try to umount everything recursively below a
* directory. Also, take care of stacked mounts, and keep
* unmounting them until they are gone. */
do {
_cleanup_fclose_ FILE *proc_self_mountinfo = NULL;
again = false;
r = 0;
proc_self_mountinfo = fopen("/proc/self/mountinfo", "re");
if (!proc_self_mountinfo)
return -errno;
basic: turn off stdio locking for a couple of helper calls These helper calls are potentially called often, and allocate FILE* objects internally for a very short period of time, let's turn off locking for them too.
2017-12-11 20:01:55 +01:00
(void) __fsetlocking(proc_self_mountinfo, FSETLOCKING_BYCALLER);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
for (;;) {
_cleanup_free_ char *path = NULL, *p = NULL;
int k;
k = fscanf(proc_self_mountinfo,
"%*s " /* (1) mount id */
"%*s " /* (2) parent id */
"%*s " /* (3) major:minor */
"%*s " /* (4) root */
"%ms " /* (5) mount point */
"%*s" /* (6) mount options */
"%*[^-]" /* (7) optional fields */
"- " /* (8) separator */
"%*s " /* (9) file system type */
"%*s" /* (10) mount source */
"%*s" /* (11) mount options 2 */
"%*[^\n]", /* some rubbish at the end */
&path);
if (k != 1) {
if (k == EOF)
break;
continue;
}
r = cunescape(path, UNESCAPE_RELAX, &p);
if (r < 0)
return r;
if (!path_startswith(p, prefix))
continue;
if (umount2(p, flags) < 0) {
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
r = log_debug_errno(errno, "Failed to umount %s: %m", p);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
continue;
}
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
log_debug("Successfully unmounted %s", p);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
again = true;
n++;
break;
}
} while (again);
return r ? r : n;
}
static int get_mount_flags(const char *path, unsigned long *flags) {
struct statvfs buf;
if (statvfs(path, &buf) < 0)
return -errno;
*flags = buf.f_flag;
return 0;
}
core: open /proc/self/mountinfo early to allow mounts over /proc (#5985) Enable masking the /proc folder using the 'InaccessiblePaths' unit option. This also slightly simplify mounts setup as the bind_remount_recursive function will only open /proc/self/mountinfo once. This is based on the suggestion at: https://lists.freedesktop.org/archives/systemd-devel/2017-April/038634.html
2017-05-19 14:38:40 +02:00
/* Use this function only if do you have direct access to /proc/self/mountinfo
* and need the caller to open it for you. This is the case when /proc is
* masked or not mounted. Otherwise, use bind_remount_recursive. */
int bind_remount_recursive_with_mountinfo(const char *prefix, bool ro, char **blacklist, FILE *proc_self_mountinfo) {
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
_cleanup_set_free_free_ Set *done = NULL;
_cleanup_free_ char *cleaned = NULL;
int r;
core: open /proc/self/mountinfo early to allow mounts over /proc (#5985) Enable masking the /proc folder using the 'InaccessiblePaths' unit option. This also slightly simplify mounts setup as the bind_remount_recursive function will only open /proc/self/mountinfo once. This is based on the suggestion at: https://lists.freedesktop.org/archives/systemd-devel/2017-April/038634.html
2017-05-19 14:38:40 +02:00
assert(proc_self_mountinfo);
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
/* Recursively remount a directory (and all its submounts) read-only or read-write. If the directory is already
* mounted, we reuse the mount and simply mark it MS_BIND|MS_RDONLY (or remove the MS_RDONLY for read-write
* operation). If it isn't we first make it one. Afterwards we apply MS_BIND|MS_RDONLY (or remove MS_RDONLY) to
* all submounts we can access, too. When mounts are stacked on the same mount point we only care for each
* individual "top-level" mount on each point, as we cannot influence/access the underlying mounts anyway. We
* do not have any effect on future submounts that might get propagated, they migt be writable. This includes
* future submounts that have been triggered via autofs.
*
* If the "blacklist" parameter is specified it may contain a list of subtrees to exclude from the
* remount operation. Note that we'll ignore the blacklist for the top-level path. */
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
cleaned = strdup(prefix);
if (!cleaned)
return -ENOMEM;
path_kill_slashes(cleaned);
tree-wide: use path_hash_ops instead of string_hash_ops whenever we key by a path Let's make use of our new hash_ops!
2018-02-08 18:58:35 +01:00
done = set_new(&path_hash_ops);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
if (!done)
return -ENOMEM;
for (;;) {
_cleanup_set_free_free_ Set *todo = NULL;
bool top_autofs = false;
char *x;
unsigned long orig_flags;
tree-wide: use path_hash_ops instead of string_hash_ops whenever we key by a path Let's make use of our new hash_ops!
2018-02-08 18:58:35 +01:00
todo = set_new(&path_hash_ops);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
if (!todo)
return -ENOMEM;
core: open /proc/self/mountinfo early to allow mounts over /proc (#5985) Enable masking the /proc folder using the 'InaccessiblePaths' unit option. This also slightly simplify mounts setup as the bind_remount_recursive function will only open /proc/self/mountinfo once. This is based on the suggestion at: https://lists.freedesktop.org/archives/systemd-devel/2017-April/038634.html
2017-05-19 14:38:40 +02:00
rewind(proc_self_mountinfo);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
for (;;) {
_cleanup_free_ char *path = NULL, *p = NULL, *type = NULL;
int k;
k = fscanf(proc_self_mountinfo,
"%*s " /* (1) mount id */
"%*s " /* (2) parent id */
"%*s " /* (3) major:minor */
"%*s " /* (4) root */
"%ms " /* (5) mount point */
"%*s" /* (6) mount options (superblock) */
"%*[^-]" /* (7) optional fields */
"- " /* (8) separator */
"%ms " /* (9) file system type */
"%*s" /* (10) mount source */
"%*s" /* (11) mount options (bind mount) */
"%*[^\n]", /* some rubbish at the end */
&path,
&type);
if (k != 2) {
if (k == EOF)
break;
continue;
}
r = cunescape(path, UNESCAPE_RELAX, &p);
if (r < 0)
return r;
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
if (!path_startswith(p, cleaned))
continue;
/* Ignore this mount if it is blacklisted, but only if it isn't the top-level mount we shall
* operate on. */
if (!path_equal(cleaned, p)) {
bool blacklisted = false;
char **i;
STRV_FOREACH(i, blacklist) {
if (path_equal(*i, cleaned))
continue;
if (!path_startswith(*i, cleaned))
continue;
if (path_startswith(p, *i)) {
blacklisted = true;
log_debug("Not remounting %s, because blacklisted by %s, called for %s", p, *i, cleaned);
break;
}
}
if (blacklisted)
continue;
}
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
/* Let's ignore autofs mounts. If they aren't
* triggered yet, we want to avoid triggering
* them, as we don't make any guarantees for
* future submounts anyway. If they are
* already triggered, then we will find
* another entry for this. */
if (streq(type, "autofs")) {
top_autofs = top_autofs || path_equal(cleaned, p);
continue;
}
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
if (!set_contains(done, p)) {
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
r = set_consume(todo, p);
p = NULL;
if (r == -EEXIST)
continue;
if (r < 0)
return r;
}
}
/* If we have no submounts to process anymore and if
* the root is either already done, or an autofs, we
* are done */
if (set_isempty(todo) &&
(top_autofs || set_contains(done, cleaned)))
return 0;
if (!set_contains(done, cleaned) &&
!set_contains(todo, cleaned)) {
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
/* The prefix directory itself is not yet a mount, make it one. */
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
if (mount(cleaned, cleaned, NULL, MS_BIND|MS_REC, NULL) < 0)
return -errno;
orig_flags = 0;
(void) get_mount_flags(cleaned, &orig_flags);
orig_flags &= ~MS_RDONLY;
if (mount(NULL, prefix, NULL, orig_flags|MS_BIND|MS_REMOUNT|(ro ? MS_RDONLY : 0), NULL) < 0)
return -errno;
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
log_debug("Made top-level directory %s a mount point.", prefix);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
x = strdup(cleaned);
if (!x)
return -ENOMEM;
r = set_consume(done, x);
if (r < 0)
return r;
}
while ((x = set_steal_first(todo))) {
r = set_consume(done, x);
tree-wide: use IN_SET macro (#6977)
2017-10-04 16:01:32 +02:00
if (IN_SET(r, 0, -EEXIST))
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
continue;
if (r < 0)
return r;
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
/* Deal with mount points that are obstructed by a later mount */
tree-wide: stop using canonicalize_file_name(), use chase_symlinks() instead Let's use chase_symlinks() everywhere, and stop using GNU canonicalize_file_name() everywhere. For most cases this should not change behaviour, however increase exposure of our function to get better tested. Most importantly in a few cases (most notably nspawn) it can take the correct root directory into account when chasing symlinks.
2016-11-18 21:35:21 +01:00
r = path_is_mount_point(x, NULL, 0);
tree-wide: use IN_SET macro (#6977)
2017-10-04 16:01:32 +02:00
if (IN_SET(r, 0, -ENOENT))
namespace: don't fail on masked mounts (#3794) Before this patch, a service file with ReadWriteDirectories=/file... could fail if the file exists but is not a mountpoint, despite being listed in /proc/self/mountinfo. It could happen with masked mounts. Fixes https://github.com/systemd/systemd/issues/3793
2016-07-25 15:39:46 +02:00
continue;
if (r < 0)
return r;
/* Try to reuse the original flag set */
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
orig_flags = 0;
(void) get_mount_flags(x, &orig_flags);
orig_flags &= ~MS_RDONLY;
namespace: don't fail on masked mounts (#3794) Before this patch, a service file with ReadWriteDirectories=/file... could fail if the file exists but is not a mountpoint, despite being listed in /proc/self/mountinfo. It could happen with masked mounts. Fixes https://github.com/systemd/systemd/issues/3793
2016-07-25 15:39:46 +02:00
if (mount(NULL, x, NULL, orig_flags|MS_BIND|MS_REMOUNT|(ro ? MS_RDONLY : 0), NULL) < 0)
return -errno;
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
log_debug("Remounted %s read-only.", x);
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
}
}
}
core: open /proc/self/mountinfo early to allow mounts over /proc (#5985) Enable masking the /proc folder using the 'InaccessiblePaths' unit option. This also slightly simplify mounts setup as the bind_remount_recursive function will only open /proc/self/mountinfo once. This is based on the suggestion at: https://lists.freedesktop.org/archives/systemd-devel/2017-April/038634.html
2017-05-19 14:38:40 +02:00
int bind_remount_recursive(const char *prefix, bool ro, char **blacklist) {
_cleanup_fclose_ FILE *proc_self_mountinfo = NULL;
proc_self_mountinfo = fopen("/proc/self/mountinfo", "re");
if (!proc_self_mountinfo)
return -errno;
basic: turn off stdio locking for a couple of helper calls These helper calls are potentially called often, and allocate FILE* objects internally for a very short period of time, let's turn off locking for them too.
2017-12-11 20:01:55 +01:00
(void) __fsetlocking(proc_self_mountinfo, FSETLOCKING_BYCALLER);
core: open /proc/self/mountinfo early to allow mounts over /proc (#5985) Enable masking the /proc folder using the 'InaccessiblePaths' unit option. This also slightly simplify mounts setup as the bind_remount_recursive function will only open /proc/self/mountinfo once. This is based on the suggestion at: https://lists.freedesktop.org/archives/systemd-devel/2017-April/038634.html
2017-05-19 14:38:40 +02:00
return bind_remount_recursive_with_mountinfo(prefix, ro, blacklist, proc_self_mountinfo);
}
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
int mount_move_root(const char *path) {
assert(path);
if (chdir(path) < 0)
return -errno;
if (mount(path, "/", NULL, MS_MOVE, NULL) < 0)
return -errno;
if (chroot(".") < 0)
return -errno;
if (chdir("/") < 0)
return -errno;
return 0;
}
mount-util: move fstype_is_network() and name_to_handle_at() definitions over
2015-10-27 13:45:00 +01:00
bool fstype_is_network(const char *fstype) {
const char *x;
x = startswith(fstype, "fuse.");
if (x)
fstype = x;
udevadm,basic: replace nulstr_contains with STR_IN_SET (#6965) STR_IN_SET is a newer approach which is easier to write and read, and which seems to result in space savings too: before: 4949848 build/src/shared/libsystemd-shared-234.so 350704 build/systemctl 4967184 build/systemd 826216 build/udevadm after: 4949848 build/src/shared/libsystemd-shared-234.so 350704 build/systemctl 4966888 build/systemd 826168 build/udevadm
2017-10-04 19:32:12 +02:00
return STR_IN_SET(fstype,
"afs",
"cifs",
"smbfs",
"sshfs",
"ncpfs",
"ncp",
"nfs",
"nfs4",
"gfs",
"gfs2",
"glusterfs",
"pvfs2", /* OrangeFS */
"ocfs2",
"lustre");
mount-util: move fstype_is_network() and name_to_handle_at() definitions over
2015-10-27 13:45:00 +01:00
}
automount: move generically userful call repeat_mount() into mount-util.[ch]
2015-10-27 14:25:58 +01:00
systemd-mount: allow to specify an arbitrary string for arg_mount_what when vfs is used Fixes #6591.
2017-09-04 03:55:51 +02:00
bool fstype_is_api_vfs(const char *fstype) {
udevadm,basic: replace nulstr_contains with STR_IN_SET (#6965) STR_IN_SET is a newer approach which is easier to write and read, and which seems to result in space savings too: before: 4949848 build/src/shared/libsystemd-shared-234.so 350704 build/systemctl 4967184 build/systemd 826216 build/udevadm after: 4949848 build/src/shared/libsystemd-shared-234.so 350704 build/systemctl 4966888 build/systemd 826168 build/udevadm
2017-10-04 19:32:12 +02:00
return STR_IN_SET(fstype,
"autofs",
"bpf",
"cgroup",
"cgroup2",
"configfs",
"cpuset",
"debugfs",
"devpts",
"devtmpfs",
"efivarfs",
"fusectl",
"hugetlbfs",
"mqueue",
"proc",
"pstore",
"ramfs",
"securityfs",
"sysfs",
"tmpfs",
"tracefs");
systemd-mount: allow to specify an arbitrary string for arg_mount_what when vfs is used Fixes #6591.
2017-09-04 03:55:51 +02:00
}
dissect: automatically mark partitions read-only that have a read-only file system Specifically, squashfs and iso9660 are always read-only, hence make sure we never even think about mounting them writable.
2017-09-29 14:19:22 +02:00
bool fstype_is_ro(const char *fstype) {
/* All Linux file systems that are necessarily read-only */
udevadm,basic: replace nulstr_contains with STR_IN_SET (#6965) STR_IN_SET is a newer approach which is easier to write and read, and which seems to result in space savings too: before: 4949848 build/src/shared/libsystemd-shared-234.so 350704 build/systemctl 4967184 build/systemd 826216 build/udevadm after: 4949848 build/src/shared/libsystemd-shared-234.so 350704 build/systemctl 4966888 build/systemd 826168 build/udevadm
2017-10-04 19:32:12 +02:00
return STR_IN_SET(fstype,
"DM_verity_hash",
"iso9660",
"squashfs");
dissect: automatically mark partitions read-only that have a read-only file system Specifically, squashfs and iso9660 are always read-only, hence make sure we never even think about mounting them writable.
2017-09-29 14:19:22 +02:00
}
dissect: split list of discard-supporting fs out into mount-util.c Let's manage the list of file systems that do a specific thing at one place, following similar naming. No functional changes.
2017-09-29 14:23:17 +02:00
bool fstype_can_discard(const char *fstype) {
udevadm,basic: replace nulstr_contains with STR_IN_SET (#6965) STR_IN_SET is a newer approach which is easier to write and read, and which seems to result in space savings too: before: 4949848 build/src/shared/libsystemd-shared-234.so 350704 build/systemctl 4967184 build/systemd 826216 build/udevadm after: 4949848 build/src/shared/libsystemd-shared-234.so 350704 build/systemctl 4966888 build/systemd 826168 build/udevadm
2017-10-04 19:32:12 +02:00
return STR_IN_SET(fstype,
"btrfs",
"ext4",
"vfat",
"xfs");
dissect: split list of discard-supporting fs out into mount-util.c Let's manage the list of file systems that do a specific thing at one place, following similar naming. No functional changes.
2017-09-29 14:23:17 +02:00
}
nspawn: make sure images containing an ESP are compatible with userns -U mode In -U mode we might need to re-chown() all files and directories to match the UID shift we want for the image. That's problematic on fat partitions, such as the ESP (and which is generated by mkosi's --bootable switch), because fat of course knows no UID/GID file ownership natively. With this change we take benefit of the uid= and gid= mount options FAT knows: instead of chown()ing all files and directories we can just specify the right UID/GID to use at mount time. This beefs up the image dissection logic in two ways: 1. First of all support for mounting relevant file systems with uid=/gid= is added: when a UID is specified during mount it is used for all applicable file systems. 2. Secondly, two new mount flags are added: DISSECT_IMAGE_MOUNT_ROOT_ONLY and DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY. If one is specified the mount routine will either only mount the root partition of an image, or all partitions except the root partition. This is used by nspawn: first the root partition is mounted, so that we can determine the UID shift in use so far, based on ownership of the image's root directory. Then, we mount the remaining partitions in a second go, this time with the right UID/GID information.
2017-11-28 16:46:26 +01:00
bool fstype_can_uid_gid(const char *fstype) {
/* All file systems that have a uid=/gid= mount option that fixates the owners of all files and directories,
* current and future. */
return STR_IN_SET(fstype,
"adfs",
"fat",
"hfs",
"hpfs",
"iso9660",
"msdos",
"ntfs",
"vfat");
}
automount: move generically userful call repeat_mount() into mount-util.[ch]
2015-10-27 14:25:58 +01:00
int repeat_unmount(const char *path, int flags) {
bool done = false;
assert(path);
/* If there are multiple mounts on a mount point, this
* removes them all */
for (;;) {
if (umount2(path, flags) < 0) {
if (errno == EINVAL)
return done;
return -errno;
}
done = true;
}
}
namespace: unify limit behavior on non-directory paths Despite the name, `Read{Write,Only}Directories=` already allows for regular file paths to be masked. This commit adds the same behavior to `InaccessibleDirectories=` and makes it explicit in the doc. This patch introduces `/run/systemd/inaccessible/{reg,dir,chr,blk,fifo,sock}` {dile,device}nodes and mounts on the appropriate one the paths specified in `InacessibleDirectories=`. Based on Luca's patch from https://github.com/systemd/systemd/pull/3327
2016-07-06 09:48:58 +02:00
const char* mode_to_inaccessible_node(mode_t mode) {
namespace: ensure to return a valid inaccessible nodes (#3778) Because /run/systemd/inaccessible/{chr,blk} are devices with major=0 and minor=0 it might be possible that these devices cannot be created so we use /run/systemd/inaccessible/sock instead to map them.
2016-07-22 15:59:14 +02:00
/* This function maps a node type to the correspondent inaccessible node type.
* Character and block inaccessible devices may not be created (because major=0 and minor=0),
* in such case we map character and block devices to the inaccessible node type socket. */
namespace: unify limit behavior on non-directory paths Despite the name, `Read{Write,Only}Directories=` already allows for regular file paths to be masked. This commit adds the same behavior to `InaccessibleDirectories=` and makes it explicit in the doc. This patch introduces `/run/systemd/inaccessible/{reg,dir,chr,blk,fifo,sock}` {dile,device}nodes and mounts on the appropriate one the paths specified in `InacessibleDirectories=`. Based on Luca's patch from https://github.com/systemd/systemd/pull/3327
2016-07-06 09:48:58 +02:00
switch(mode & S_IFMT) {
case S_IFREG:
return "/run/systemd/inaccessible/reg";
case S_IFDIR:
return "/run/systemd/inaccessible/dir";
case S_IFCHR:
namespace: ensure to return a valid inaccessible nodes (#3778) Because /run/systemd/inaccessible/{chr,blk} are devices with major=0 and minor=0 it might be possible that these devices cannot be created so we use /run/systemd/inaccessible/sock instead to map them.
2016-07-22 15:59:14 +02:00
if (access("/run/systemd/inaccessible/chr", F_OK) == 0)
return "/run/systemd/inaccessible/chr";
return "/run/systemd/inaccessible/sock";
namespace: unify limit behavior on non-directory paths Despite the name, `Read{Write,Only}Directories=` already allows for regular file paths to be masked. This commit adds the same behavior to `InaccessibleDirectories=` and makes it explicit in the doc. This patch introduces `/run/systemd/inaccessible/{reg,dir,chr,blk,fifo,sock}` {dile,device}nodes and mounts on the appropriate one the paths specified in `InacessibleDirectories=`. Based on Luca's patch from https://github.com/systemd/systemd/pull/3327
2016-07-06 09:48:58 +02:00
case S_IFBLK:
namespace: ensure to return a valid inaccessible nodes (#3778) Because /run/systemd/inaccessible/{chr,blk} are devices with major=0 and minor=0 it might be possible that these devices cannot be created so we use /run/systemd/inaccessible/sock instead to map them.
2016-07-22 15:59:14 +02:00
if (access("/run/systemd/inaccessible/blk", F_OK) == 0)
return "/run/systemd/inaccessible/blk";
return "/run/systemd/inaccessible/sock";
namespace: unify limit behavior on non-directory paths Despite the name, `Read{Write,Only}Directories=` already allows for regular file paths to be masked. This commit adds the same behavior to `InaccessibleDirectories=` and makes it explicit in the doc. This patch introduces `/run/systemd/inaccessible/{reg,dir,chr,blk,fifo,sock}` {dile,device}nodes and mounts on the appropriate one the paths specified in `InacessibleDirectories=`. Based on Luca's patch from https://github.com/systemd/systemd/pull/3327
2016-07-06 09:48:58 +02:00
case S_IFIFO:
return "/run/systemd/inaccessible/fifo";
case S_IFSOCK:
return "/run/systemd/inaccessible/sock";
}
return NULL;
}
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
#define FLAG(name) (flags & name ? STRINGIFY(name) "|" : "")
static char* mount_flags_to_string(long unsigned flags) {
char *x;
_cleanup_free_ char *y = NULL;
long unsigned overflow;
overflow = flags & ~(MS_RDONLY |
MS_NOSUID |
MS_NODEV |
MS_NOEXEC |
MS_SYNCHRONOUS |
MS_REMOUNT |
MS_MANDLOCK |
MS_DIRSYNC |
MS_NOATIME |
MS_NODIRATIME |
MS_BIND |
MS_MOVE |
MS_REC |
MS_SILENT |
MS_POSIXACL |
MS_UNBINDABLE |
MS_PRIVATE |
MS_SLAVE |
MS_SHARED |
MS_RELATIME |
MS_KERNMOUNT |
MS_I_VERSION |
MS_STRICTATIME |
MS_LAZYTIME);
if (flags == 0 || overflow != 0)
if (asprintf(&y, "%lx", overflow) < 0)
return NULL;
x = strjoin(FLAG(MS_RDONLY),
FLAG(MS_NOSUID),
FLAG(MS_NODEV),
FLAG(MS_NOEXEC),
FLAG(MS_SYNCHRONOUS),
FLAG(MS_REMOUNT),
FLAG(MS_MANDLOCK),
FLAG(MS_DIRSYNC),
FLAG(MS_NOATIME),
FLAG(MS_NODIRATIME),
FLAG(MS_BIND),
FLAG(MS_MOVE),
FLAG(MS_REC),
FLAG(MS_SILENT),
FLAG(MS_POSIXACL),
FLAG(MS_UNBINDABLE),
FLAG(MS_PRIVATE),
FLAG(MS_SLAVE),
FLAG(MS_SHARED),
FLAG(MS_RELATIME),
FLAG(MS_KERNMOUNT),
FLAG(MS_I_VERSION),
FLAG(MS_STRICTATIME),
FLAG(MS_LAZYTIME),
tree-wide: drop NULL sentinel from strjoin This makes strjoin and strjoina more similar and avoids the useless final argument. spatch -I . -I ./src -I ./src/basic -I ./src/basic -I ./src/shared -I ./src/shared -I ./src/network -I ./src/locale -I ./src/login -I ./src/journal -I ./src/journal -I ./src/timedate -I ./src/timesync -I ./src/nspawn -I ./src/resolve -I ./src/resolve -I ./src/systemd -I ./src/core -I ./src/core -I ./src/libudev -I ./src/udev -I ./src/udev/net -I ./src/udev -I ./src/libsystemd/sd-bus -I ./src/libsystemd/sd-event -I ./src/libsystemd/sd-login -I ./src/libsystemd/sd-netlink -I ./src/libsystemd/sd-network -I ./src/libsystemd/sd-hwdb -I ./src/libsystemd/sd-device -I ./src/libsystemd/sd-id128 -I ./src/libsystemd-network --sp-file coccinelle/strjoin.cocci --in-place $(git ls-files src/*.c) git grep -e '\bstrjoin\b.*NULL' -l|xargs sed -i -r 's/strjoin\((.*), NULL\)/strjoin(\1)/' This might have missed a few cases (spatch has a really hard time dealing with _cleanup_ macros), but that's no big issue, they can always be fixed later.
2016-10-23 17:43:27 +02:00
y);
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
if (!x)
return NULL;
if (!y)
x[strlen(x) - 1] = '\0'; /* truncate the last | */
return x;
}
int mount_verbose(
int error_log_level,
const char *what,
const char *where,
const char *type,
unsigned long flags,
const char *options) {
mount-util: call mount_option_mangle() in mount_verbose()
2018-02-15 01:43:02 +01:00
_cleanup_free_ char *fl = NULL, *o = NULL;
unsigned long f;
int r;
r = mount_option_mangle(options, flags, &f, &o);
if (r < 0)
return log_full_errno(error_log_level, r,
"Failed to mangle mount options %s: %m",
strempty(options));
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
mount-util: call mount_option_mangle() in mount_verbose()
2018-02-15 01:43:02 +01:00
fl = mount_flags_to_string(f);
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
mount-util: call mount_option_mangle() in mount_verbose()
2018-02-15 01:43:02 +01:00
if ((f & MS_REMOUNT) && !what && !type)
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
log_debug("Remounting %s (%s \"%s\")...",
mount-util: call mount_option_mangle() in mount_verbose()
2018-02-15 01:43:02 +01:00
where, strnull(fl), strempty(o));
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
else if (!what && !type)
log_debug("Mounting %s (%s \"%s\")...",
mount-util: call mount_option_mangle() in mount_verbose()
2018-02-15 01:43:02 +01:00
where, strnull(fl), strempty(o));
else if ((f & MS_BIND) && !type)
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
log_debug("Bind-mounting %s on %s (%s \"%s\")...",
mount-util: call mount_option_mangle() in mount_verbose()
2018-02-15 01:43:02 +01:00
what, where, strnull(fl), strempty(o));
else if (f & MS_MOVE)
util-lib: make verbose_mount() grok MS_MOVE Let's print a proper message if we see MS_MOVE.
2016-12-09 17:35:48 +01:00
log_debug("Moving mount %s → %s (%s \"%s\")...",
mount-util: call mount_option_mangle() in mount_verbose()
2018-02-15 01:43:02 +01:00
what, where, strnull(fl), strempty(o));
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
else
log_debug("Mounting %s on %s (%s \"%s\")...",
mount-util: call mount_option_mangle() in mount_verbose()
2018-02-15 01:43:02 +01:00
strna(type), where, strnull(fl), strempty(o));
if (mount(what, where, type, f, o) < 0)
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
return log_full_errno(error_log_level, errno,
"Failed to mount %s on %s (%s \"%s\"): %m",
mount-util: call mount_option_mangle() in mount_verbose()
2018-02-15 01:43:02 +01:00
strna(type), where, strnull(fl), strempty(o));
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
return 0;
}
int umount_verbose(const char *what) {
log_debug("Umounting %s...", what);
if (umount(what) < 0)
return log_error_errno(errno, "Failed to unmount %s: %m", what);
return 0;
}
core: hook up MountFlags= to the transient unit logic This makes "systemd-run -p MountFlags=shared -t /bin/sh" work, by making MountFlags= to the list of properties that may be accessed transiently.
2016-11-22 20:19:08 +01:00
const char *mount_propagation_flags_to_string(unsigned long flags) {
switch (flags & (MS_SHARED|MS_SLAVE|MS_PRIVATE)) {
Modify mount_propagation_flags_from_string to return a normal int code This means that callers can distiguish an error from flags==0, and don't have to special-case the empty string.
2016-12-03 19:57:42 +01:00
case 0:
return "";
core: hook up MountFlags= to the transient unit logic This makes "systemd-run -p MountFlags=shared -t /bin/sh" work, by making MountFlags= to the list of properties that may be accessed transiently.
2016-11-22 20:19:08 +01:00
case MS_SHARED:
return "shared";
case MS_SLAVE:
return "slave";
case MS_PRIVATE:
return "private";
}
return NULL;
}
Modify mount_propagation_flags_from_string to return a normal int code This means that callers can distiguish an error from flags==0, and don't have to special-case the empty string.
2016-12-03 19:57:42 +01:00
int mount_propagation_flags_from_string(const char *name, unsigned long *ret) {
core: hook up MountFlags= to the transient unit logic This makes "systemd-run -p MountFlags=shared -t /bin/sh" work, by making MountFlags= to the list of properties that may be accessed transiently.
2016-11-22 20:19:08 +01:00
Modify mount_propagation_flags_from_string to return a normal int code This means that callers can distiguish an error from flags==0, and don't have to special-case the empty string.
2016-12-03 19:57:42 +01:00
if (isempty(name))
*ret = 0;
else if (streq(name, "shared"))
*ret = MS_SHARED;
else if (streq(name, "slave"))
*ret = MS_SLAVE;
else if (streq(name, "private"))
*ret = MS_PRIVATE;
else
return -EINVAL;
core: hook up MountFlags= to the transient unit logic This makes "systemd-run -p MountFlags=shared -t /bin/sh" work, by making MountFlags= to the list of properties that may be accessed transiently.
2016-11-22 20:19:08 +01:00
return 0;
}
mount-util: add mount_option_mangle() This is used in the later commits.
2018-02-15 01:32:04 +01:00
int mount_option_mangle(
const char *options,
unsigned long mount_flags,
unsigned long *ret_mount_flags,
char **ret_remaining_options) {
const struct libmnt_optmap *map;
_cleanup_free_ char *ret = NULL;
const char *p;
int r;
/* This extracts mount flags from the mount options, and store
* non-mount-flag options to '*ret_remaining_options'.
* E.g.,
* "rw,nosuid,nodev,relatime,size=1630748k,mode=700,uid=1000,gid=1000"
* is split to MS_NOSUID|MS_NODEV|MS_RELATIME and
* "size=1630748k,mode=700,uid=1000,gid=1000".
* See more examples in test-mount-utils.c.
*
* Note that if 'options' does not contain any non-mount-flag options,
* then '*ret_remaining_options' is set to NULL instread of empty string.
* Note that this does not check validity of options stored in
* '*ret_remaining_options'.
* Note that if 'options' is NULL, then this just copies 'mount_flags'
* to '*ret_mount_flags'. */
assert(ret_mount_flags);
assert(ret_remaining_options);
map = mnt_get_builtin_optmap(MNT_LINUX_MAP);
if (!map)
return -EINVAL;
p = options;
for (;;) {
_cleanup_free_ char *word = NULL;
const struct libmnt_optmap *ent;
r = extract_first_word(&p, &word, ",", EXTRACT_QUOTES);
if (r < 0)
return r;
if (r == 0)
break;
for (ent = map; ent->name; ent++) {
/* All entries in MNT_LINUX_MAP do not take any argument.
* Thus, ent->name does not contain "=" or "[=]". */
if (!streq(word, ent->name))
continue;
if (!(ent->mask & MNT_INVERT))
mount_flags |= ent->id;
else if (mount_flags & ent->id)
mount_flags ^= ent->id;
break;
}
/* If 'word' is not a mount flag, then store it in '*ret_remaining_options'. */
if (!ent->name && !strextend_with_separator(&ret, ",", word, NULL))
return -ENOMEM;
}
*ret_mount_flags = mount_flags;
macro: introduce TAKE_PTR() macro This macro will read a pointer of any type, return it, and set the pointer to NULL. This is useful as an explicit concept of passing ownership of a memory area between pointers. This takes inspiration from Rust: https://doc.rust-lang.org/std/option/enum.Option.html#method.take and was suggested by Alan Jenkins (@sourcejedi). It drops ~160 lines of code from our codebase, which makes me like it. Also, I think it clarifies passing of ownership, and thus helps readability a bit (at least for the initiated who know the new macro)
2018-03-22 16:53:26 +01:00
*ret_remaining_options = TAKE_PTR(ret);
mount-util: add mount_option_mangle() This is used in the later commits.
2018-02-15 01:32:04 +01:00
return 0;
}