tmpfiles: don't attempt creation of device nodes when we run in a container

[elogind.git] / src / tmpfiles / tmpfiles.c

diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index 841d1635239e25a81fc596c99dadb594be013f4d..323781f9737ac547aac6ff5693f7626d94f6f6ff 100644 (file)
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -38,6 +38,7 @@
 #include <sys/param.h>
 #include <glob.h>
 #include <fnmatch.h>
+#include <sys/capability.h>
 
 #include "log.h"
 #include "util.h"
@@ -47,6 +48,7 @@
 #include "label.h"
 #include "set.h"
 #include "conf-files.h"
+#include "capability.h"
 
 /* This reads all files listed in /etc/tmpfiles.d/?*.conf and creates
  * them in the file system. This is intended to be used to create
@@ -107,6 +109,9 @@ static const char * const conf_file_dirs[] = {
         "/run/tmpfiles.d",
         "/usr/local/lib/tmpfiles.d",
         "/usr/lib/tmpfiles.d",
+#ifdef HAVE_SPLIT_USR
+        "/lib/tmpfiles.d",
+#endif
         NULL
 };
 
@@ -257,8 +262,7 @@ static int dir_cleanup(
                 sub_path = NULL;
 
                 if (asprintf(&sub_path, "%s/%s", p, dent->d_name) < 0) {
-                        log_error("Out of memory");
-                        r = -ENOMEM;
+                        r = log_oom();
                         goto finish;
                 }
 
@@ -469,7 +473,7 @@ static int item_set_perms(Item *i, const char *path) {
                         return -errno;
                 }
 
-        return label_fix(path, false);
+        return label_fix(path, false, false);
 }
 
 static int recursive_relabel_children(Item *i, const char *path) {
@@ -762,7 +766,19 @@ static int create_item(Item *i) {
 
         case CREATE_BLOCK_DEVICE:
         case CREATE_CHAR_DEVICE: {
-                mode_t file_type = (i->type == CREATE_BLOCK_DEVICE ? S_IFBLK : S_IFCHR);
+                mode_t file_type;
+
+                if (have_effective_cap(CAP_MKNOD) == 0) {
+                        /* In a container we lack CAP_MKNOD. We
+                        shouldnt attempt to create the device node in
+                        that case to avoid noise, and we don't support
+                        virtualized devices in containers anyway. */
+
+                        log_debug("We lack CAP_MKNOD, skipping creation of device node %s.", i->path);
+                        return 0;
+                }
+
+                file_type = (i->type == CREATE_BLOCK_DEVICE ? S_IFBLK : S_IFCHR);
 
                 u = umask(0);
                 label_context_set(i->path, file_type);
@@ -843,7 +859,9 @@ static int remove_item_instance(Item *i, const char *instance) {
 
         case TRUNCATE_DIRECTORY:
         case RECURSIVE_REMOVE_PATH:
-                r = rm_rf(instance, false, i->type == RECURSIVE_REMOVE_PATH, false);
+                /* FIXME: we probably should use dir_cleanup() here
+                 * instead of rm_rf() so that 'x' is honoured. */
+                r = rm_rf_dangerous(instance, false, i->type == RECURSIVE_REMOVE_PATH, false);
                 if (r < 0 && r != -ENOENT) {
                         log_error("rm_rf(%s): %s", instance, strerror(-r));
                         return r;
@@ -964,10 +982,8 @@ static int parse_line(const char *fname, unsigned line, const char *buffer) {
         assert(buffer);
 
         i = new0(Item, 1);
-        if (!i) {
-                log_error("Out of memory");
-                return -ENOMEM;
-        }
+        if (!i)
+                return log_oom();
 
         if (sscanf(buffer,
                    "%c "
@@ -993,10 +1009,8 @@ static int parse_line(const char *fname, unsigned line, const char *buffer) {
                 n += strspn(buffer+n, WHITESPACE);
                 if (buffer[n] != 0 && (buffer[n] != '-' || buffer[n+1] != 0)) {
                         i->argument = unquote(buffer+n, "\"");
-                        if (!i->argument) {
-                                log_error("Out of memory");
-                                return -ENOMEM;
-                        }
+                        if (!i->argument)
+                                return log_oom();
                 }
         }
 
@@ -1074,7 +1088,7 @@ static int parse_line(const char *fname, unsigned line, const char *buffer) {
         if (user && !streq(user, "-")) {
                 const char *u = user;
 
-                r = get_user_creds(&u, &i->uid, NULL, NULL);
+                r = get_user_creds(&u, &i->uid, NULL, NULL, NULL);
                 if (r < 0) {
                         log_error("[%s:%u] Unknown user '%s'.", fname, line, user);
                         goto finish;
@@ -1295,9 +1309,9 @@ static char *resolve_fragment(const char *fragment, const char **search_paths) {
                 return strdup(fragment);
 
         STRV_FOREACH(p, search_paths) {
-                resolved_path = join(*p, "/", fragment, NULL);
+                resolved_path = strjoin(*p, "/", fragment, NULL);
                 if (resolved_path == NULL) {
-                        log_error("Out of memory");
+                        log_oom();
                         return NULL;
                 }
 
@@ -1332,7 +1346,7 @@ int main(int argc, char *argv[]) {
         globs = hashmap_new(string_hash_func, string_compare_func);
 
         if (!items || !globs) {
-                log_error("Out of memory");
+                log_oom();
                 r = EXIT_FAILURE;
                 goto finish;
         }