rm-rf: never cross mount points

diff --git a/src/shared/path-util.c b/src/shared/path-util.c
index 53c007976078b90f9bec55e7c42ebf0deb73d107..6a984fc1d822db741d00ddf34b6dc49d559ff604 100644 (file)
--- a/src/shared/path-util.c
+++ b/src/shared/path-util.c
@@ -470,30 +470,17 @@ char* path_join(const char *root, const char *path, const char *rest) {
                                NULL);
 }
 
                                NULL);
 }
 

-int path_is_mount_point(const char *t, bool allow_symlink) {
-
+int fd_is_mount_point(int fd) {

         union file_handle_union h = FILE_HANDLE_INIT;
         int mount_id = -1, mount_id_parent = -1;
         union file_handle_union h = FILE_HANDLE_INIT;
         int mount_id = -1, mount_id_parent = -1;

+        bool nosupp = false;

         struct stat a, b;
         int r;
         struct stat a, b;
         int r;

-        _cleanup_close_ int fd = -1;
-        bool nosupp = false;

 
         /* We are not actually interested in the file handles, but
          * name_to_handle_at() also passes us the mount ID, hence use
          * it but throw the handle away */
 
 
         /* We are not actually interested in the file handles, but
          * name_to_handle_at() also passes us the mount ID, hence use
          * it but throw the handle away */
 

-        if (path_equal(t, "/"))
-                return 1;
-
-        fd = openat(AT_FDCWD, t, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|(allow_symlink ? 0 : O_PATH));
-        if (fd < 0) {
-                if (errno == ENOENT)
-                        return 0;
-
-                return -errno;
-        }
-

         r = name_to_handle_at(fd, "", &h.handle, &mount_id, AT_EMPTY_PATH);
         if (r < 0) {
                 if (errno == ENOSYS)
         r = name_to_handle_at(fd, "", &h.handle, &mount_id, AT_EMPTY_PATH);
         if (r < 0) {
                 if (errno == ENOSYS)


@@ -502,7 +489,9 @@ int path_is_mount_point(const char *t, bool allow_symlink) {
                         goto fallback;
                 else if (errno == EOPNOTSUPP)
                         /* This kernel or file system does not support
                         goto fallback;
                 else if (errno == EOPNOTSUPP)
                         /* This kernel or file system does not support

-                         * name_to_handle_at(), hence fallback to the
+                         * name_to_handle_at(), hence let's see if the
+                         * upper fs supports it (in which case it is a
+                         * mount point), otherwise fallback to the

                          * traditional stat() logic */
                         nosupp = true;
                 else if (errno == ENOENT)
                          * traditional stat() logic */
                         nosupp = true;
                 else if (errno == ENOENT)


@@ -511,29 +500,26 @@ int path_is_mount_point(const char *t, bool allow_symlink) {
                         return -errno;
         }
 
                         return -errno;
         }
 

-

         h.handle.handle_bytes = MAX_HANDLE_SZ;
         r = name_to_handle_at(fd, "..", &h.handle, &mount_id_parent, 0);
         h.handle.handle_bytes = MAX_HANDLE_SZ;
         r = name_to_handle_at(fd, "..", &h.handle, &mount_id_parent, 0);

-        if (r < 0)
-                if (errno == EOPNOTSUPP)
+        if (r < 0) {
+                if (errno == EOPNOTSUPP) {

                         if (nosupp)
                                 /* Neither parent nor child do name_to_handle_at()?
                                    We have no choice but to fall back. */
                                 goto fallback;
                         else
                         if (nosupp)
                                 /* Neither parent nor child do name_to_handle_at()?
                                    We have no choice but to fall back. */
                                 goto fallback;
                         else

-                                /* The parent can't do name_to_handle_at() but
-                                 * the directory we are interested in can?
-                                 * Or the other way around?
+                                /* The parent can't do name_to_handle_at() but the
+                                 * directory we are interested in can?

                                  * If so, it must be a mount point. */
                                 return 1;
                                  * If so, it must be a mount point. */
                                 return 1;

-                else
+                } else

                         return -errno;
                         return -errno;

-        else
+        } else

                 return mount_id != mount_id_parent;
 
 fallback:
         r = fstatat(fd, "", &a, AT_EMPTY_PATH);
                 return mount_id != mount_id_parent;
 
 fallback:
         r = fstatat(fd, "", &a, AT_EMPTY_PATH);

-

         if (r < 0) {
                 if (errno == ENOENT)
                         return 0;
         if (r < 0) {
                 if (errno == ENOENT)
                         return 0;


@@ -541,7 +527,6 @@ fallback:
                 return -errno;
         }
 
                 return -errno;
         }
 

-

         r = fstatat(fd, "..", &b, 0);
         if (r < 0)
                 return -errno;
         r = fstatat(fd, "..", &b, 0);
         if (r < 0)
                 return -errno;


@@ -549,6 +534,24 @@ fallback:
         return a.st_dev != b.st_dev;
 }
 
         return a.st_dev != b.st_dev;
 }
 

+int path_is_mount_point(const char *t, bool allow_symlink) {
+        _cleanup_close_ int fd = -1;
+        assert(t);
+
+        if (path_equal(t, "/"))
+                return 1;
+
+        fd = openat(AT_FDCWD, t, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|(allow_symlink ? 0 : O_PATH));
+        if (fd < 0) {
+                if (errno == ENOENT)
+                        return 0;
+
+                return -errno;
+        }
+
+        return fd_is_mount_point(fd);
+}
+

 int path_is_read_only_fs(const char *path) {
         struct statvfs st;
 
 int path_is_read_only_fs(const char *path) {
         struct statvfs st;
 

diff --git a/src/shared/path-util.h b/src/shared/path-util.h
index ca81b49cbfed681dc0645856bc9ca9d66c0e8398..5548ce4a9410b33be21316e8c74071cd05141ec2 100644 (file)
--- a/src/shared/path-util.h
+++ b/src/shared/path-util.h
@@ -53,6 +53,7 @@ char** path_strv_make_absolute_cwd(char **l);
 char** path_strv_resolve(char **l, const char *prefix);
 char** path_strv_resolve_uniq(char **l, const char *prefix);
 
 char** path_strv_resolve(char **l, const char *prefix);
 char** path_strv_resolve_uniq(char **l, const char *prefix);
 

+int fd_is_mount_point(int fd);

 int path_is_mount_point(const char *path, bool allow_symlink);
 int path_is_read_only_fs(const char *path);
 int path_is_os_tree(const char *path);
 int path_is_mount_point(const char *path, bool allow_symlink);
 int path_is_read_only_fs(const char *path);
 int path_is_os_tree(const char *path);

diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c
index 99d12b11c6da6362c111ba7f2105ccd449045a9a..eeb2e3919659a3d9a7a051dd1b5af915579a66c5 100644 (file)
--- a/src/shared/rm-rf.c
+++ b/src/shared/rm-rf.c
@@ -89,7 +89,7 @@ int rm_rf_children(int fd, RemoveFlags flags, struct stat *root_dev) {
                 if (is_dir) {
                         int subdir_fd;
 
                 if (is_dir) {
                         int subdir_fd;
 

-                        /* if root_dev is set, remove subdirectories only, if device is same as dir */
+                        /* if root_dev is set, remove subdirectories only if device is same */

                         if (root_dev && st.st_dev != root_dev->st_dev)
                                 continue;
 
                         if (root_dev && st.st_dev != root_dev->st_dev)
                                 continue;
 


@@ -100,6 +100,20 @@ int rm_rf_children(int fd, RemoveFlags flags, struct stat *root_dev) {
                                 continue;
                         }
 
                                 continue;
                         }
 

+                        /* Stop at mount points */
+                        r = fd_is_mount_point(subdir_fd);
+                        if (r < 0) {
+                                if (ret == 0 && r != -ENOENT)
+                                        ret = r;
+
+                                safe_close(subdir_fd);
+                                continue;
+                        }
+                        if (r) {
+                                safe_close(subdir_fd);
+                                continue;
+                        }
+

                         /* We pass REMOVE_PHYSICAL here, to avoid
                          * doing the fstatfs() to check the file
                          * system type again for each directory */
                         /* We pass REMOVE_PHYSICAL here, to avoid
                          * doing the fstatfs() to check the file
                          * system type again for each directory */


@@ -162,7 +176,6 @@ int rm_rf(const char *path, RemoveFlags flags) {
         r = rm_rf_children(fd, flags, NULL);
 
         if (flags & REMOVE_ROOT) {
         r = rm_rf_children(fd, flags, NULL);
 
         if (flags & REMOVE_ROOT) {

-

                 if (rmdir(path) < 0 && errno != ENOENT) {
                         if (r == 0)
                                 r = -errno;
                 if (rmdir(path) < 0 && errno != ENOENT) {
                         if (r == 0)
                                 r = -errno;