1 /* SPDX-License-Identifier: LGPL-2.1+ */
4 //#include <stdio_ext.h>
9 #include <sys/statvfs.h>
13 //#include <libmount.h>
15 #include "alloc-util.h"
17 //#include "extract-word.h"
22 #include "mount-util.h"
23 #include "parse-util.h"
24 #include "path-util.h"
26 #include "stdio-util.h"
27 #include "string-util.h"
30 /* This is the original MAX_HANDLE_SZ definition from the kernel, when the API was introduced. We use that in place of
31 * any more currently defined value to future-proof things: if the size is increased in the API headers, and our code
32 * is recompiled then it would cease working on old kernels, as those refuse any sizes larger than this value with
33 * EINVAL right-away. Hence, let's disconnect ourselves from any such API changes, and stick to the original definition
34 * from when it was introduced. We use it as a start value only anyway (see below), and hence should be able to deal
35 * with large file handles anyway. */
36 #define ORIGINAL_MAX_HANDLE_SZ 128
38 int name_to_handle_at_loop(
41 struct file_handle **ret_handle,
45 _cleanup_free_ struct file_handle *h = NULL;
46 size_t n = ORIGINAL_MAX_HANDLE_SZ;
48 /* We need to invoke name_to_handle_at() in a loop, given that it might return EOVERFLOW when the specified
49 * buffer is too small. Note that in contrast to what the docs might suggest, MAX_HANDLE_SZ is only good as a
50 * start value, it is not an upper bound on the buffer size required.
52 * This improves on raw name_to_handle_at() also in one other regard: ret_handle and ret_mnt_id can be passed
53 * as NULL if there's no interest in either. */
58 h = malloc0(offsetof(struct file_handle, f_handle) + n);
64 if (name_to_handle_at(fd, path, h, &mnt_id, flags) >= 0) {
67 *ret_handle = TAKE_PTR(h);
74 if (errno != EOVERFLOW)
77 if (!ret_handle && ret_mnt_id && mnt_id >= 0) {
79 /* As it appears, name_to_handle_at() fills in mnt_id even when it returns EOVERFLOW when the
80 * buffer is too small, but that's undocumented. Hence, let's make use of this if it appears to
81 * be filled in, and the caller was interested in only the mount ID an nothing else. */
87 /* If name_to_handle_at() didn't increase the byte size, then this EOVERFLOW is caused by something
88 * else (apparently EOVERFLOW is returned for untriggered nfs4 mounts sometimes), not by the too small
89 * buffer. In that case propagate EOVERFLOW */
90 if (h->handle_bytes <= n)
93 /* The buffer was too small. Size the new buffer by what name_to_handle_at() returned. */
95 if (offsetof(struct file_handle, f_handle) + n < n) /* check for addition overflow */
102 static int fd_fdinfo_mnt_id(int fd, const char *filename, int flags, int *mnt_id) {
103 char path[STRLEN("/proc/self/fdinfo/") + DECIMAL_STR_MAX(int)];
104 _cleanup_free_ char *fdinfo = NULL;
105 _cleanup_close_ int subfd = -1;
109 if ((flags & AT_EMPTY_PATH) && isempty(filename))
110 xsprintf(path, "/proc/self/fdinfo/%i", fd);
112 subfd = openat(fd, filename, O_CLOEXEC|O_PATH);
116 xsprintf(path, "/proc/self/fdinfo/%i", subfd);
119 r = read_full_file(path, &fdinfo, NULL);
120 if (r == -ENOENT) /* The fdinfo directory is a relatively new addition */
125 p = startswith(fdinfo, "mnt_id:");
127 p = strstr(fdinfo, "\nmnt_id:");
128 if (!p) /* The mnt_id field is a relatively new addition */
134 p += strspn(p, WHITESPACE);
135 p[strcspn(p, WHITESPACE)] = 0;
137 return safe_atoi(p, mnt_id);
140 int fd_is_mount_point(int fd, const char *filename, int flags) {
141 _cleanup_free_ struct file_handle *h = NULL, *h_parent = NULL;
142 int mount_id = -1, mount_id_parent = -1;
143 bool nosupp = false, check_st_dev = true;
150 /* First we will try the name_to_handle_at() syscall, which
151 * tells us the mount id and an opaque file "handle". It is
152 * not supported everywhere though (kernel compile-time
153 * option, not all file systems are hooked up). If it works
154 * the mount id is usually good enough to tell us whether
155 * something is a mount point.
157 * If that didn't work we will try to read the mount id from
158 * /proc/self/fdinfo/<fd>. This is almost as good as
159 * name_to_handle_at(), however, does not return the
160 * opaque file handle. The opaque file handle is pretty useful
161 * to detect the root directory, which we should always
162 * consider a mount point. Hence we use this only as
163 * fallback. Exporting the mnt_id in fdinfo is a pretty recent
166 * As last fallback we do traditional fstat() based st_dev
167 * comparisons. This is how things were traditionally done,
168 * but unionfs breaks this since it exposes file
169 * systems with a variety of st_dev reported. Also, btrfs
170 * subvolumes have different st_dev, even though they aren't
171 * real mounts of their own. */
173 r = name_to_handle_at_loop(fd, filename, &h, &mount_id, flags);
174 if (IN_SET(r, -ENOSYS, -EACCES, -EPERM, -EOVERFLOW, -EINVAL))
175 /* This kernel does not support name_to_handle_at() at all (ENOSYS), or the syscall was blocked
176 * (EACCES/EPERM; maybe through seccomp, because we are running inside of a container?), or the mount
177 * point is not triggered yet (EOVERFLOW, think nfs4), or some general name_to_handle_at() flakiness
178 * (EINVAL): fall back to simpler logic. */
179 goto fallback_fdinfo;
180 else if (r == -EOPNOTSUPP)
181 /* This kernel or file system does not support name_to_handle_at(), hence let's see if the upper fs
182 * supports it (in which case it is a mount point), otherwise fallback to the traditional stat()
188 r = name_to_handle_at_loop(fd, "", &h_parent, &mount_id_parent, AT_EMPTY_PATH);
189 if (r == -EOPNOTSUPP) {
191 /* Neither parent nor child do name_to_handle_at()? We have no choice but to fall back. */
192 goto fallback_fdinfo;
194 /* The parent can't do name_to_handle_at() but the directory we are interested in can? If so,
195 * it must be a mount point. */
200 /* The parent can do name_to_handle_at() but the
201 * directory we are interested in can't? If so, it
202 * must be a mount point. */
206 /* If the file handle for the directory we are
207 * interested in and its parent are identical, we
208 * assume this is the root directory, which is a mount
211 if (h->handle_bytes == h_parent->handle_bytes &&
212 h->handle_type == h_parent->handle_type &&
213 memcmp(h->f_handle, h_parent->f_handle, h->handle_bytes) == 0)
216 return mount_id != mount_id_parent;
219 r = fd_fdinfo_mnt_id(fd, filename, flags, &mount_id);
220 if (IN_SET(r, -EOPNOTSUPP, -EACCES, -EPERM))
225 r = fd_fdinfo_mnt_id(fd, "", AT_EMPTY_PATH, &mount_id_parent);
229 if (mount_id != mount_id_parent)
232 /* Hmm, so, the mount ids are the same. This leaves one
233 * special case though for the root file system. For that,
234 * let's see if the parent directory has the same inode as we
235 * are interested in. Hence, let's also do fstat() checks now,
236 * too, but avoid the st_dev comparisons, since they aren't
237 * that useful on unionfs mounts. */
238 check_st_dev = false;
241 /* yay for fstatat() taking a different set of flags than the other
243 if (flags & AT_SYMLINK_FOLLOW)
244 flags &= ~AT_SYMLINK_FOLLOW;
246 flags |= AT_SYMLINK_NOFOLLOW;
247 if (fstatat(fd, filename, &a, flags) < 0)
250 if (fstatat(fd, "", &b, AT_EMPTY_PATH) < 0)
253 /* A directory with same device and inode as its parent? Must
254 * be the root directory */
255 if (a.st_dev == b.st_dev &&
256 a.st_ino == b.st_ino)
259 return check_st_dev && (a.st_dev != b.st_dev);
262 /* flags can be AT_SYMLINK_FOLLOW or 0 */
263 int path_is_mount_point(const char *t, const char *root, int flags) {
264 _cleanup_free_ char *canonical = NULL, *parent = NULL;
265 _cleanup_close_ int fd = -1;
269 assert((flags & ~AT_SYMLINK_FOLLOW) == 0);
271 if (path_equal(t, "/"))
274 /* we need to resolve symlinks manually, we can't just rely on
275 * fd_is_mount_point() to do that for us; if we have a structure like
276 * /bin -> /usr/bin/ and /usr is a mount point, then the parent that we
277 * look at needs to be /usr, not /. */
278 if (flags & AT_SYMLINK_FOLLOW) {
279 r = chase_symlinks(t, root, CHASE_TRAIL_SLASH, &canonical);
286 parent = dirname_malloc(t);
290 fd = openat(AT_FDCWD, parent, O_DIRECTORY|O_CLOEXEC|O_PATH);
294 return fd_is_mount_point(fd, last_path_component(t), flags);
297 int path_get_mnt_id(const char *path, int *ret) {
300 r = name_to_handle_at_loop(AT_FDCWD, path, NULL, ret, 0);
301 if (IN_SET(r, -EOPNOTSUPP, -ENOSYS, -EACCES, -EPERM, -EOVERFLOW, -EINVAL)) /* kernel/fs don't support this, or seccomp blocks access, or untriggered mount, or name_to_handle_at() is flaky */
302 return fd_fdinfo_mnt_id(AT_FDCWD, path, 0, ret);
307 #if 0 /// UNNEEDED by elogind
308 int umount_recursive(const char *prefix, int flags) {
312 /* Try to umount everything recursively below a
313 * directory. Also, take care of stacked mounts, and keep
314 * unmounting them until they are gone. */
317 _cleanup_fclose_ FILE *proc_self_mountinfo = NULL;
322 proc_self_mountinfo = fopen("/proc/self/mountinfo", "re");
323 if (!proc_self_mountinfo)
326 (void) __fsetlocking(proc_self_mountinfo, FSETLOCKING_BYCALLER);
329 _cleanup_free_ char *path = NULL, *p = NULL;
332 k = fscanf(proc_self_mountinfo,
333 "%*s " /* (1) mount id */
334 "%*s " /* (2) parent id */
335 "%*s " /* (3) major:minor */
336 "%*s " /* (4) root */
337 "%ms " /* (5) mount point */
338 "%*s" /* (6) mount options */
339 "%*[^-]" /* (7) optional fields */
340 "- " /* (8) separator */
341 "%*s " /* (9) file system type */
342 "%*s" /* (10) mount source */
343 "%*s" /* (11) mount options 2 */
344 "%*[^\n]", /* some rubbish at the end */
353 r = cunescape(path, UNESCAPE_RELAX, &p);
357 if (!path_startswith(p, prefix))
360 if (umount2(p, flags) < 0) {
361 r = log_debug_errno(errno, "Failed to umount %s: %m", p);
365 log_debug("Successfully unmounted %s", p);
378 static int get_mount_flags(const char *path, unsigned long *flags) {
381 if (statvfs(path, &buf) < 0)
387 /* Use this function only if do you have direct access to /proc/self/mountinfo
388 * and need the caller to open it for you. This is the case when /proc is
389 * masked or not mounted. Otherwise, use bind_remount_recursive. */
390 int bind_remount_recursive_with_mountinfo(const char *prefix, bool ro, char **blacklist, FILE *proc_self_mountinfo) {
391 _cleanup_set_free_free_ Set *done = NULL;
392 _cleanup_free_ char *cleaned = NULL;
395 assert(proc_self_mountinfo);
397 /* Recursively remount a directory (and all its submounts) read-only or read-write. If the directory is already
398 * mounted, we reuse the mount and simply mark it MS_BIND|MS_RDONLY (or remove the MS_RDONLY for read-write
399 * operation). If it isn't we first make it one. Afterwards we apply MS_BIND|MS_RDONLY (or remove MS_RDONLY) to
400 * all submounts we can access, too. When mounts are stacked on the same mount point we only care for each
401 * individual "top-level" mount on each point, as we cannot influence/access the underlying mounts anyway. We
402 * do not have any effect on future submounts that might get propagated, they migt be writable. This includes
403 * future submounts that have been triggered via autofs.
405 * If the "blacklist" parameter is specified it may contain a list of subtrees to exclude from the
406 * remount operation. Note that we'll ignore the blacklist for the top-level path. */
408 cleaned = strdup(prefix);
412 path_simplify(cleaned, false);
414 done = set_new(&path_hash_ops);
419 _cleanup_set_free_free_ Set *todo = NULL;
420 bool top_autofs = false;
422 unsigned long orig_flags;
424 todo = set_new(&path_hash_ops);
428 rewind(proc_self_mountinfo);
431 _cleanup_free_ char *path = NULL, *p = NULL, *type = NULL;
434 k = fscanf(proc_self_mountinfo,
435 "%*s " /* (1) mount id */
436 "%*s " /* (2) parent id */
437 "%*s " /* (3) major:minor */
438 "%*s " /* (4) root */
439 "%ms " /* (5) mount point */
440 "%*s" /* (6) mount options (superblock) */
441 "%*[^-]" /* (7) optional fields */
442 "- " /* (8) separator */
443 "%ms " /* (9) file system type */
444 "%*s" /* (10) mount source */
445 "%*s" /* (11) mount options (bind mount) */
446 "%*[^\n]", /* some rubbish at the end */
456 r = cunescape(path, UNESCAPE_RELAX, &p);
460 if (!path_startswith(p, cleaned))
463 /* Ignore this mount if it is blacklisted, but only if it isn't the top-level mount we shall
465 if (!path_equal(cleaned, p)) {
466 bool blacklisted = false;
469 STRV_FOREACH(i, blacklist) {
471 if (path_equal(*i, cleaned))
474 if (!path_startswith(*i, cleaned))
477 if (path_startswith(p, *i)) {
479 log_debug("Not remounting %s, because blacklisted by %s, called for %s", p, *i, cleaned);
487 /* Let's ignore autofs mounts. If they aren't
488 * triggered yet, we want to avoid triggering
489 * them, as we don't make any guarantees for
490 * future submounts anyway. If they are
491 * already triggered, then we will find
492 * another entry for this. */
493 if (streq(type, "autofs")) {
494 top_autofs = top_autofs || path_equal(cleaned, p);
498 if (!set_contains(done, p)) {
499 r = set_consume(todo, p);
508 /* If we have no submounts to process anymore and if
509 * the root is either already done, or an autofs, we
511 if (set_isempty(todo) &&
512 (top_autofs || set_contains(done, cleaned)))
515 if (!set_contains(done, cleaned) &&
516 !set_contains(todo, cleaned)) {
517 /* The prefix directory itself is not yet a mount, make it one. */
518 if (mount(cleaned, cleaned, NULL, MS_BIND|MS_REC, NULL) < 0)
522 (void) get_mount_flags(cleaned, &orig_flags);
523 orig_flags &= ~MS_RDONLY;
525 if (mount(NULL, prefix, NULL, orig_flags|MS_BIND|MS_REMOUNT|(ro ? MS_RDONLY : 0), NULL) < 0)
528 log_debug("Made top-level directory %s a mount point.", prefix);
534 r = set_consume(done, x);
539 while ((x = set_steal_first(todo))) {
541 r = set_consume(done, x);
542 if (IN_SET(r, 0, -EEXIST))
547 /* Deal with mount points that are obstructed by a later mount */
548 r = path_is_mount_point(x, NULL, 0);
549 if (IN_SET(r, 0, -ENOENT))
554 /* Try to reuse the original flag set */
556 (void) get_mount_flags(x, &orig_flags);
557 orig_flags &= ~MS_RDONLY;
559 if (mount(NULL, x, NULL, orig_flags|MS_BIND|MS_REMOUNT|(ro ? MS_RDONLY : 0), NULL) < 0)
562 log_debug("Remounted %s read-only.", x);
567 int bind_remount_recursive(const char *prefix, bool ro, char **blacklist) {
568 _cleanup_fclose_ FILE *proc_self_mountinfo = NULL;
570 proc_self_mountinfo = fopen("/proc/self/mountinfo", "re");
571 if (!proc_self_mountinfo)
574 (void) __fsetlocking(proc_self_mountinfo, FSETLOCKING_BYCALLER);
576 return bind_remount_recursive_with_mountinfo(prefix, ro, blacklist, proc_self_mountinfo);
579 int mount_move_root(const char *path) {
585 if (mount(path, "/", NULL, MS_MOVE, NULL) < 0)
597 bool fstype_is_network(const char *fstype) {
600 x = startswith(fstype, "fuse.");
604 return STR_IN_SET(fstype,
616 "pvfs2", /* OrangeFS */
621 bool fstype_is_api_vfs(const char *fstype) {
622 return STR_IN_SET(fstype,
645 bool fstype_is_ro(const char *fstype) {
646 /* All Linux file systems that are necessarily read-only */
647 return STR_IN_SET(fstype,
653 bool fstype_can_discard(const char *fstype) {
654 return STR_IN_SET(fstype,
661 bool fstype_can_uid_gid(const char *fstype) {
663 /* All file systems that have a uid=/gid= mount option that fixates the owners of all files and directories,
664 * current and future. */
666 return STR_IN_SET(fstype,
677 int repeat_unmount(const char *path, int flags) {
682 /* If there are multiple mounts on a mount point, this
683 * removes them all */
686 if (umount2(path, flags) < 0) {
699 const char* mode_to_inaccessible_node(mode_t mode) {
700 /* This function maps a node type to a corresponding inaccessible file node. These nodes are created during
701 * early boot by PID 1. In some cases we lacked the privs to create the character and block devices (maybe
702 * because we run in an userns environment, or miss CAP_SYS_MKNOD, or run with a devices policy that excludes
703 * device nodes with major and minor of 0), but that's fine, in that case we use an AF_UNIX file node instead,
704 * which is not the same, but close enough for most uses. And most importantly, the kernel allows bind mounts
705 * from socket nodes to any non-directory file nodes, and that's the most important thing that matters. */
707 switch(mode & S_IFMT) {
709 return "/run/systemd/inaccessible/reg";
712 return "/run/systemd/inaccessible/dir";
715 if (access("/run/systemd/inaccessible/chr", F_OK) == 0)
716 return "/run/systemd/inaccessible/chr";
717 return "/run/systemd/inaccessible/sock";
720 if (access("/run/systemd/inaccessible/blk", F_OK) == 0)
721 return "/run/systemd/inaccessible/blk";
722 return "/run/systemd/inaccessible/sock";
725 return "/run/systemd/inaccessible/fifo";
728 return "/run/systemd/inaccessible/sock";
733 #if 0 /// UNNEEDED by elogind
734 #define FLAG(name) (flags & name ? STRINGIFY(name) "|" : "")
735 static char* mount_flags_to_string(long unsigned flags) {
737 _cleanup_free_ char *y = NULL;
738 long unsigned overflow;
740 overflow = flags & ~(MS_RDONLY |
765 if (flags == 0 || overflow != 0)
766 if (asprintf(&y, "%lx", overflow) < 0)
769 x = strjoin(FLAG(MS_RDONLY),
773 FLAG(MS_SYNCHRONOUS),
791 FLAG(MS_STRICTATIME),
797 x[strlen(x) - 1] = '\0'; /* truncate the last | */
807 const char *options) {
809 _cleanup_free_ char *fl = NULL, *o = NULL;
813 r = mount_option_mangle(options, flags, &f, &o);
815 return log_full_errno(error_log_level, r,
816 "Failed to mangle mount options %s: %m",
819 fl = mount_flags_to_string(f);
821 if ((f & MS_REMOUNT) && !what && !type)
822 log_debug("Remounting %s (%s \"%s\")...",
823 where, strnull(fl), strempty(o));
824 else if (!what && !type)
825 log_debug("Mounting %s (%s \"%s\")...",
826 where, strnull(fl), strempty(o));
827 else if ((f & MS_BIND) && !type)
828 log_debug("Bind-mounting %s on %s (%s \"%s\")...",
829 what, where, strnull(fl), strempty(o));
830 else if (f & MS_MOVE)
831 log_debug("Moving mount %s → %s (%s \"%s\")...",
832 what, where, strnull(fl), strempty(o));
834 log_debug("Mounting %s on %s (%s \"%s\")...",
835 strna(type), where, strnull(fl), strempty(o));
836 if (mount(what, where, type, f, o) < 0)
837 return log_full_errno(error_log_level, errno,
838 "Failed to mount %s on %s (%s \"%s\"): %m",
839 strna(type), where, strnull(fl), strempty(o));
843 int umount_verbose(const char *what) {
844 log_debug("Umounting %s...", what);
845 if (umount(what) < 0)
846 return log_error_errno(errno, "Failed to unmount %s: %m", what);
851 const char *mount_propagation_flags_to_string(unsigned long flags) {
853 switch (flags & (MS_SHARED|MS_SLAVE|MS_PRIVATE)) {
867 int mount_propagation_flags_from_string(const char *name, unsigned long *ret) {
871 else if (streq(name, "shared"))
873 else if (streq(name, "slave"))
875 else if (streq(name, "private"))
882 #if 0 /// UNNEEDED by elogind
883 int mount_option_mangle(
885 unsigned long mount_flags,
886 unsigned long *ret_mount_flags,
887 char **ret_remaining_options) {
889 const struct libmnt_optmap *map;
890 _cleanup_free_ char *ret = NULL;
894 /* This extracts mount flags from the mount options, and store
895 * non-mount-flag options to '*ret_remaining_options'.
897 * "rw,nosuid,nodev,relatime,size=1630748k,mode=700,uid=1000,gid=1000"
898 * is split to MS_NOSUID|MS_NODEV|MS_RELATIME and
899 * "size=1630748k,mode=700,uid=1000,gid=1000".
900 * See more examples in test-mount-utils.c.
902 * Note that if 'options' does not contain any non-mount-flag options,
903 * then '*ret_remaining_options' is set to NULL instread of empty string.
904 * Note that this does not check validity of options stored in
905 * '*ret_remaining_options'.
906 * Note that if 'options' is NULL, then this just copies 'mount_flags'
907 * to '*ret_mount_flags'. */
909 assert(ret_mount_flags);
910 assert(ret_remaining_options);
912 map = mnt_get_builtin_optmap(MNT_LINUX_MAP);
918 _cleanup_free_ char *word = NULL;
919 const struct libmnt_optmap *ent;
921 r = extract_first_word(&p, &word, ",", EXTRACT_QUOTES);
927 for (ent = map; ent->name; ent++) {
928 /* All entries in MNT_LINUX_MAP do not take any argument.
929 * Thus, ent->name does not contain "=" or "[=]". */
930 if (!streq(word, ent->name))
933 if (!(ent->mask & MNT_INVERT))
934 mount_flags |= ent->id;
935 else if (mount_flags & ent->id)
936 mount_flags ^= ent->id;
941 /* If 'word' is not a mount flag, then store it in '*ret_remaining_options'. */
942 if (!ent->name && !strextend_with_separator(&ret, ",", word, NULL))
946 *ret_mount_flags = mount_flags;
947 *ret_remaining_options = TAKE_PTR(ret);