1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2010 Lennart Poettering
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 //#include <stdio_ext.h>
25 #include <sys/mount.h>
27 #include <sys/statvfs.h>
31 //#include <libmount.h>
33 #include "alloc-util.h"
35 //#include "extract-word.h"
40 #include "mount-util.h"
41 #include "parse-util.h"
42 #include "path-util.h"
44 #include "stdio-util.h"
45 #include "string-util.h"
48 /* This is the original MAX_HANDLE_SZ definition from the kernel, when the API was introduced. We use that in place of
49 * any more currently defined value to future-proof things: if the size is increased in the API headers, and our code
50 * is recompiled then it would cease working on old kernels, as those refuse any sizes larger than this value with
51 * EINVAL right-away. Hence, let's disconnect ourselves from any such API changes, and stick to the original definition
52 * from when it was introduced. We use it as a start value only anyway (see below), and hence should be able to deal
53 * with large file handles anyway. */
54 #define ORIGINAL_MAX_HANDLE_SZ 128
56 int name_to_handle_at_loop(
59 struct file_handle **ret_handle,
63 _cleanup_free_ struct file_handle *h = NULL;
64 size_t n = ORIGINAL_MAX_HANDLE_SZ;
66 /* We need to invoke name_to_handle_at() in a loop, given that it might return EOVERFLOW when the specified
67 * buffer is too small. Note that in contrast to what the docs might suggest, MAX_HANDLE_SZ is only good as a
68 * start value, it is not an upper bound on the buffer size required.
70 * This improves on raw name_to_handle_at() also in one other regard: ret_handle and ret_mnt_id can be passed
71 * as NULL if there's no interest in either. */
76 h = malloc0(offsetof(struct file_handle, f_handle) + n);
82 if (name_to_handle_at(fd, path, h, &mnt_id, flags) >= 0) {
94 if (errno != EOVERFLOW)
97 if (!ret_handle && ret_mnt_id && mnt_id >= 0) {
99 /* As it appears, name_to_handle_at() fills in mnt_id even when it returns EOVERFLOW when the
100 * buffer is too small, but that's undocumented. Hence, let's make use of this if it appears to
101 * be filled in, and the caller was interested in only the mount ID an nothing else. */
103 *ret_mnt_id = mnt_id;
107 /* If name_to_handle_at() didn't increase the byte size, then this EOVERFLOW is caused by something
108 * else (apparently EOVERFLOW is returned for untriggered nfs4 mounts sometimes), not by the too small
109 * buffer. In that case propagate EOVERFLOW */
110 if (h->handle_bytes <= n)
113 /* The buffer was too small. Size the new buffer by what name_to_handle_at() returned. */
115 if (offsetof(struct file_handle, f_handle) + n < n) /* check for addition overflow */
122 static int fd_fdinfo_mnt_id(int fd, const char *filename, int flags, int *mnt_id) {
123 char path[STRLEN("/proc/self/fdinfo/") + DECIMAL_STR_MAX(int)];
124 _cleanup_free_ char *fdinfo = NULL;
125 _cleanup_close_ int subfd = -1;
129 if ((flags & AT_EMPTY_PATH) && isempty(filename))
130 xsprintf(path, "/proc/self/fdinfo/%i", fd);
132 subfd = openat(fd, filename, O_CLOEXEC|O_PATH);
136 xsprintf(path, "/proc/self/fdinfo/%i", subfd);
139 r = read_full_file(path, &fdinfo, NULL);
140 if (r == -ENOENT) /* The fdinfo directory is a relatively new addition */
145 p = startswith(fdinfo, "mnt_id:");
147 p = strstr(fdinfo, "\nmnt_id:");
148 if (!p) /* The mnt_id field is a relatively new addition */
154 p += strspn(p, WHITESPACE);
155 p[strcspn(p, WHITESPACE)] = 0;
157 return safe_atoi(p, mnt_id);
160 int fd_is_mount_point(int fd, const char *filename, int flags) {
161 _cleanup_free_ struct file_handle *h = NULL, *h_parent = NULL;
162 int mount_id = -1, mount_id_parent = -1;
163 bool nosupp = false, check_st_dev = true;
170 /* First we will try the name_to_handle_at() syscall, which
171 * tells us the mount id and an opaque file "handle". It is
172 * not supported everywhere though (kernel compile-time
173 * option, not all file systems are hooked up). If it works
174 * the mount id is usually good enough to tell us whether
175 * something is a mount point.
177 * If that didn't work we will try to read the mount id from
178 * /proc/self/fdinfo/<fd>. This is almost as good as
179 * name_to_handle_at(), however, does not return the
180 * opaque file handle. The opaque file handle is pretty useful
181 * to detect the root directory, which we should always
182 * consider a mount point. Hence we use this only as
183 * fallback. Exporting the mnt_id in fdinfo is a pretty recent
186 * As last fallback we do traditional fstat() based st_dev
187 * comparisons. This is how things were traditionally done,
188 * but unionfs breaks this since it exposes file
189 * systems with a variety of st_dev reported. Also, btrfs
190 * subvolumes have different st_dev, even though they aren't
191 * real mounts of their own. */
193 r = name_to_handle_at_loop(fd, filename, &h, &mount_id, flags);
194 if (IN_SET(r, -ENOSYS, -EACCES, -EPERM, -EOVERFLOW, -EINVAL))
195 /* This kernel does not support name_to_handle_at() at all (ENOSYS), or the syscall was blocked
196 * (EACCES/EPERM; maybe through seccomp, because we are running inside of a container?), or the mount
197 * point is not triggered yet (EOVERFLOW, think nfs4), or some general name_to_handle_at() flakiness
198 * (EINVAL): fall back to simpler logic. */
199 goto fallback_fdinfo;
200 else if (r == -EOPNOTSUPP)
201 /* This kernel or file system does not support name_to_handle_at(), hence let's see if the upper fs
202 * supports it (in which case it is a mount point), otherwise fallback to the traditional stat()
208 r = name_to_handle_at_loop(fd, "", &h_parent, &mount_id_parent, AT_EMPTY_PATH);
209 if (r == -EOPNOTSUPP) {
211 /* Neither parent nor child do name_to_handle_at()? We have no choice but to fall back. */
212 goto fallback_fdinfo;
214 /* The parent can't do name_to_handle_at() but the directory we are interested in can? If so,
215 * it must be a mount point. */
220 /* The parent can do name_to_handle_at() but the
221 * directory we are interested in can't? If so, it
222 * must be a mount point. */
226 /* If the file handle for the directory we are
227 * interested in and its parent are identical, we
228 * assume this is the root directory, which is a mount
231 if (h->handle_bytes == h_parent->handle_bytes &&
232 h->handle_type == h_parent->handle_type &&
233 memcmp(h->f_handle, h_parent->f_handle, h->handle_bytes) == 0)
236 return mount_id != mount_id_parent;
239 r = fd_fdinfo_mnt_id(fd, filename, flags, &mount_id);
240 if (IN_SET(r, -EOPNOTSUPP, -EACCES, -EPERM))
245 r = fd_fdinfo_mnt_id(fd, "", AT_EMPTY_PATH, &mount_id_parent);
249 if (mount_id != mount_id_parent)
252 /* Hmm, so, the mount ids are the same. This leaves one
253 * special case though for the root file system. For that,
254 * let's see if the parent directory has the same inode as we
255 * are interested in. Hence, let's also do fstat() checks now,
256 * too, but avoid the st_dev comparisons, since they aren't
257 * that useful on unionfs mounts. */
258 check_st_dev = false;
261 /* yay for fstatat() taking a different set of flags than the other
263 if (flags & AT_SYMLINK_FOLLOW)
264 flags &= ~AT_SYMLINK_FOLLOW;
266 flags |= AT_SYMLINK_NOFOLLOW;
267 if (fstatat(fd, filename, &a, flags) < 0)
270 if (fstatat(fd, "", &b, AT_EMPTY_PATH) < 0)
273 /* A directory with same device and inode as its parent? Must
274 * be the root directory */
275 if (a.st_dev == b.st_dev &&
276 a.st_ino == b.st_ino)
279 return check_st_dev && (a.st_dev != b.st_dev);
282 /* flags can be AT_SYMLINK_FOLLOW or 0 */
283 int path_is_mount_point(const char *t, const char *root, int flags) {
284 _cleanup_free_ char *canonical = NULL, *parent = NULL;
285 _cleanup_close_ int fd = -1;
289 assert((flags & ~AT_SYMLINK_FOLLOW) == 0);
291 if (path_equal(t, "/"))
294 /* we need to resolve symlinks manually, we can't just rely on
295 * fd_is_mount_point() to do that for us; if we have a structure like
296 * /bin -> /usr/bin/ and /usr is a mount point, then the parent that we
297 * look at needs to be /usr, not /. */
298 if (flags & AT_SYMLINK_FOLLOW) {
299 r = chase_symlinks(t, root, 0, &canonical);
306 parent = dirname_malloc(t);
310 fd = openat(AT_FDCWD, parent, O_DIRECTORY|O_CLOEXEC|O_PATH);
314 return fd_is_mount_point(fd, last_path_component(t), flags);
317 int path_get_mnt_id(const char *path, int *ret) {
320 r = name_to_handle_at_loop(AT_FDCWD, path, NULL, ret, 0);
321 if (IN_SET(r, -EOPNOTSUPP, -ENOSYS, -EACCES, -EPERM, -EOVERFLOW, -EINVAL)) /* kernel/fs don't support this, or seccomp blocks access, or untriggered mount, or name_to_handle_at() is flaky */
322 return fd_fdinfo_mnt_id(AT_FDCWD, path, 0, ret);
327 #if 0 /// UNNEEDED by elogind
328 int umount_recursive(const char *prefix, int flags) {
332 /* Try to umount everything recursively below a
333 * directory. Also, take care of stacked mounts, and keep
334 * unmounting them until they are gone. */
337 _cleanup_fclose_ FILE *proc_self_mountinfo = NULL;
342 proc_self_mountinfo = fopen("/proc/self/mountinfo", "re");
343 if (!proc_self_mountinfo)
346 (void) __fsetlocking(proc_self_mountinfo, FSETLOCKING_BYCALLER);
349 _cleanup_free_ char *path = NULL, *p = NULL;
352 k = fscanf(proc_self_mountinfo,
353 "%*s " /* (1) mount id */
354 "%*s " /* (2) parent id */
355 "%*s " /* (3) major:minor */
356 "%*s " /* (4) root */
357 "%ms " /* (5) mount point */
358 "%*s" /* (6) mount options */
359 "%*[^-]" /* (7) optional fields */
360 "- " /* (8) separator */
361 "%*s " /* (9) file system type */
362 "%*s" /* (10) mount source */
363 "%*s" /* (11) mount options 2 */
364 "%*[^\n]", /* some rubbish at the end */
373 r = cunescape(path, UNESCAPE_RELAX, &p);
377 if (!path_startswith(p, prefix))
380 if (umount2(p, flags) < 0) {
381 r = log_debug_errno(errno, "Failed to umount %s: %m", p);
385 log_debug("Successfully unmounted %s", p);
398 static int get_mount_flags(const char *path, unsigned long *flags) {
401 if (statvfs(path, &buf) < 0)
407 /* Use this function only if do you have direct access to /proc/self/mountinfo
408 * and need the caller to open it for you. This is the case when /proc is
409 * masked or not mounted. Otherwise, use bind_remount_recursive. */
410 int bind_remount_recursive_with_mountinfo(const char *prefix, bool ro, char **blacklist, FILE *proc_self_mountinfo) {
411 _cleanup_set_free_free_ Set *done = NULL;
412 _cleanup_free_ char *cleaned = NULL;
415 assert(proc_self_mountinfo);
417 /* Recursively remount a directory (and all its submounts) read-only or read-write. If the directory is already
418 * mounted, we reuse the mount and simply mark it MS_BIND|MS_RDONLY (or remove the MS_RDONLY for read-write
419 * operation). If it isn't we first make it one. Afterwards we apply MS_BIND|MS_RDONLY (or remove MS_RDONLY) to
420 * all submounts we can access, too. When mounts are stacked on the same mount point we only care for each
421 * individual "top-level" mount on each point, as we cannot influence/access the underlying mounts anyway. We
422 * do not have any effect on future submounts that might get propagated, they migt be writable. This includes
423 * future submounts that have been triggered via autofs.
425 * If the "blacklist" parameter is specified it may contain a list of subtrees to exclude from the
426 * remount operation. Note that we'll ignore the blacklist for the top-level path. */
428 cleaned = strdup(prefix);
432 path_kill_slashes(cleaned);
434 done = set_new(&path_hash_ops);
439 _cleanup_set_free_free_ Set *todo = NULL;
440 bool top_autofs = false;
442 unsigned long orig_flags;
444 todo = set_new(&path_hash_ops);
448 rewind(proc_self_mountinfo);
451 _cleanup_free_ char *path = NULL, *p = NULL, *type = NULL;
454 k = fscanf(proc_self_mountinfo,
455 "%*s " /* (1) mount id */
456 "%*s " /* (2) parent id */
457 "%*s " /* (3) major:minor */
458 "%*s " /* (4) root */
459 "%ms " /* (5) mount point */
460 "%*s" /* (6) mount options (superblock) */
461 "%*[^-]" /* (7) optional fields */
462 "- " /* (8) separator */
463 "%ms " /* (9) file system type */
464 "%*s" /* (10) mount source */
465 "%*s" /* (11) mount options (bind mount) */
466 "%*[^\n]", /* some rubbish at the end */
476 r = cunescape(path, UNESCAPE_RELAX, &p);
480 if (!path_startswith(p, cleaned))
483 /* Ignore this mount if it is blacklisted, but only if it isn't the top-level mount we shall
485 if (!path_equal(cleaned, p)) {
486 bool blacklisted = false;
489 STRV_FOREACH(i, blacklist) {
491 if (path_equal(*i, cleaned))
494 if (!path_startswith(*i, cleaned))
497 if (path_startswith(p, *i)) {
499 log_debug("Not remounting %s, because blacklisted by %s, called for %s", p, *i, cleaned);
507 /* Let's ignore autofs mounts. If they aren't
508 * triggered yet, we want to avoid triggering
509 * them, as we don't make any guarantees for
510 * future submounts anyway. If they are
511 * already triggered, then we will find
512 * another entry for this. */
513 if (streq(type, "autofs")) {
514 top_autofs = top_autofs || path_equal(cleaned, p);
518 if (!set_contains(done, p)) {
519 r = set_consume(todo, p);
528 /* If we have no submounts to process anymore and if
529 * the root is either already done, or an autofs, we
531 if (set_isempty(todo) &&
532 (top_autofs || set_contains(done, cleaned)))
535 if (!set_contains(done, cleaned) &&
536 !set_contains(todo, cleaned)) {
537 /* The prefix directory itself is not yet a mount, make it one. */
538 if (mount(cleaned, cleaned, NULL, MS_BIND|MS_REC, NULL) < 0)
542 (void) get_mount_flags(cleaned, &orig_flags);
543 orig_flags &= ~MS_RDONLY;
545 if (mount(NULL, prefix, NULL, orig_flags|MS_BIND|MS_REMOUNT|(ro ? MS_RDONLY : 0), NULL) < 0)
548 log_debug("Made top-level directory %s a mount point.", prefix);
554 r = set_consume(done, x);
559 while ((x = set_steal_first(todo))) {
561 r = set_consume(done, x);
562 if (IN_SET(r, 0, -EEXIST))
567 /* Deal with mount points that are obstructed by a later mount */
568 r = path_is_mount_point(x, NULL, 0);
569 if (IN_SET(r, 0, -ENOENT))
574 /* Try to reuse the original flag set */
576 (void) get_mount_flags(x, &orig_flags);
577 orig_flags &= ~MS_RDONLY;
579 if (mount(NULL, x, NULL, orig_flags|MS_BIND|MS_REMOUNT|(ro ? MS_RDONLY : 0), NULL) < 0)
582 log_debug("Remounted %s read-only.", x);
587 int bind_remount_recursive(const char *prefix, bool ro, char **blacklist) {
588 _cleanup_fclose_ FILE *proc_self_mountinfo = NULL;
590 proc_self_mountinfo = fopen("/proc/self/mountinfo", "re");
591 if (!proc_self_mountinfo)
594 (void) __fsetlocking(proc_self_mountinfo, FSETLOCKING_BYCALLER);
596 return bind_remount_recursive_with_mountinfo(prefix, ro, blacklist, proc_self_mountinfo);
599 int mount_move_root(const char *path) {
605 if (mount(path, "/", NULL, MS_MOVE, NULL) < 0)
617 bool fstype_is_network(const char *fstype) {
620 x = startswith(fstype, "fuse.");
624 return STR_IN_SET(fstype,
636 "pvfs2", /* OrangeFS */
641 bool fstype_is_api_vfs(const char *fstype) {
642 return STR_IN_SET(fstype,
665 bool fstype_is_ro(const char *fstype) {
666 /* All Linux file systems that are necessarily read-only */
667 return STR_IN_SET(fstype,
673 bool fstype_can_discard(const char *fstype) {
674 return STR_IN_SET(fstype,
681 bool fstype_can_uid_gid(const char *fstype) {
683 /* All file systems that have a uid=/gid= mount option that fixates the owners of all files and directories,
684 * current and future. */
686 return STR_IN_SET(fstype,
697 int repeat_unmount(const char *path, int flags) {
702 /* If there are multiple mounts on a mount point, this
703 * removes them all */
706 if (umount2(path, flags) < 0) {
719 const char* mode_to_inaccessible_node(mode_t mode) {
720 /* This function maps a node type to the correspondent inaccessible node type.
721 * Character and block inaccessible devices may not be created (because major=0 and minor=0),
722 * in such case we map character and block devices to the inaccessible node type socket. */
723 switch(mode & S_IFMT) {
725 return "/run/systemd/inaccessible/reg";
727 return "/run/systemd/inaccessible/dir";
729 if (access("/run/systemd/inaccessible/chr", F_OK) == 0)
730 return "/run/systemd/inaccessible/chr";
731 return "/run/systemd/inaccessible/sock";
733 if (access("/run/systemd/inaccessible/blk", F_OK) == 0)
734 return "/run/systemd/inaccessible/blk";
735 return "/run/systemd/inaccessible/sock";
737 return "/run/systemd/inaccessible/fifo";
739 return "/run/systemd/inaccessible/sock";
744 #if 0 /// UNNEEDED by elogind
745 #define FLAG(name) (flags & name ? STRINGIFY(name) "|" : "")
746 static char* mount_flags_to_string(long unsigned flags) {
748 _cleanup_free_ char *y = NULL;
749 long unsigned overflow;
751 overflow = flags & ~(MS_RDONLY |
776 if (flags == 0 || overflow != 0)
777 if (asprintf(&y, "%lx", overflow) < 0)
780 x = strjoin(FLAG(MS_RDONLY),
784 FLAG(MS_SYNCHRONOUS),
802 FLAG(MS_STRICTATIME),
808 x[strlen(x) - 1] = '\0'; /* truncate the last | */
818 const char *options) {
820 _cleanup_free_ char *fl = NULL, *o = NULL;
824 r = mount_option_mangle(options, flags, &f, &o);
826 return log_full_errno(error_log_level, r,
827 "Failed to mangle mount options %s: %m",
830 fl = mount_flags_to_string(f);
832 if ((f & MS_REMOUNT) && !what && !type)
833 log_debug("Remounting %s (%s \"%s\")...",
834 where, strnull(fl), strempty(o));
835 else if (!what && !type)
836 log_debug("Mounting %s (%s \"%s\")...",
837 where, strnull(fl), strempty(o));
838 else if ((f & MS_BIND) && !type)
839 log_debug("Bind-mounting %s on %s (%s \"%s\")...",
840 what, where, strnull(fl), strempty(o));
841 else if (f & MS_MOVE)
842 log_debug("Moving mount %s → %s (%s \"%s\")...",
843 what, where, strnull(fl), strempty(o));
845 log_debug("Mounting %s on %s (%s \"%s\")...",
846 strna(type), where, strnull(fl), strempty(o));
847 if (mount(what, where, type, f, o) < 0)
848 return log_full_errno(error_log_level, errno,
849 "Failed to mount %s on %s (%s \"%s\"): %m",
850 strna(type), where, strnull(fl), strempty(o));
854 int umount_verbose(const char *what) {
855 log_debug("Umounting %s...", what);
856 if (umount(what) < 0)
857 return log_error_errno(errno, "Failed to unmount %s: %m", what);
862 const char *mount_propagation_flags_to_string(unsigned long flags) {
864 switch (flags & (MS_SHARED|MS_SLAVE|MS_PRIVATE)) {
879 int mount_propagation_flags_from_string(const char *name, unsigned long *ret) {
883 else if (streq(name, "shared"))
885 else if (streq(name, "slave"))
887 else if (streq(name, "private"))
894 int mount_option_mangle(
896 unsigned long mount_flags,
897 unsigned long *ret_mount_flags,
898 char **ret_remaining_options) {
900 const struct libmnt_optmap *map;
901 _cleanup_free_ char *ret = NULL;
905 /* This extracts mount flags from the mount options, and store
906 * non-mount-flag options to '*ret_remaining_options'.
908 * "rw,nosuid,nodev,relatime,size=1630748k,mode=700,uid=1000,gid=1000"
909 * is split to MS_NOSUID|MS_NODEV|MS_RELATIME and
910 * "size=1630748k,mode=700,uid=1000,gid=1000".
911 * See more examples in test-mount-utils.c.
913 * Note that if 'options' does not contain any non-mount-flag options,
914 * then '*ret_remaining_options' is set to NULL instread of empty string.
915 * Note that this does not check validity of options stored in
916 * '*ret_remaining_options'.
917 * Note that if 'options' is NULL, then this just copies 'mount_flags'
918 * to '*ret_mount_flags'. */
920 assert(ret_mount_flags);
921 assert(ret_remaining_options);
923 map = mnt_get_builtin_optmap(MNT_LINUX_MAP);
929 _cleanup_free_ char *word = NULL;
930 const struct libmnt_optmap *ent;
932 r = extract_first_word(&p, &word, ",", EXTRACT_QUOTES);
938 for (ent = map; ent->name; ent++) {
939 /* All entries in MNT_LINUX_MAP do not take any argument.
940 * Thus, ent->name does not contain "=" or "[=]". */
941 if (!streq(word, ent->name))
944 if (!(ent->mask & MNT_INVERT))
945 mount_flags |= ent->id;
946 else if (mount_flags & ent->id)
947 mount_flags ^= ent->id;
952 /* If 'word' is not a mount flag, then store it in '*ret_remaining_options'. */
953 if (!ent->name && !strextend_with_separator(&ret, ",", word, NULL))
957 *ret_mount_flags = mount_flags;
958 *ret_remaining_options = ret;
~ianmdlvl / elogind.git / blob