]>
git.ipfire.org Git - thirdparty/systemd.git/blob - src/import/import-common.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 Copyright 2015 Lennart Poettering
11 #include "btrfs-util.h"
12 #include "capability-util.h"
14 #include "import-common.h"
15 #include "process-util.h"
16 #include "signal-util.h"
19 int import_make_read_only_fd(int fd
) {
24 /* First, let's make this a read-only subvolume if it refers
26 r
= btrfs_subvol_set_read_only_fd(fd
, true);
27 if (IN_SET(r
, -ENOTTY
, -ENOTDIR
, -EINVAL
)) {
30 /* This doesn't refer to a subvolume, or the file
31 * system isn't even btrfs. In that, case fall back to
36 return log_error_errno(errno
, "Failed to stat temporary image: %m");
39 if (fchmod(fd
, st
.st_mode
& 07555) < 0)
40 return log_error_errno(errno
, "Failed to chmod() final image: %m");
45 return log_error_errno(r
, "Failed to make subvolume read-only: %m");
50 int import_make_read_only(const char *path
) {
51 _cleanup_close_
int fd
= 1;
53 fd
= open(path
, O_RDONLY
|O_NOCTTY
|O_CLOEXEC
);
55 return log_error_errno(errno
, "Failed to open %s: %m", path
);
57 return import_make_read_only_fd(fd
);
60 int import_fork_tar_x(const char *path
, pid_t
*ret
) {
61 _cleanup_close_pair_
int pipefd
[2] = { -1, -1 };
68 if (pipe2(pipefd
, O_CLOEXEC
) < 0)
69 return log_error_errno(errno
, "Failed to create pipe for tar: %m");
71 r
= safe_fork("(tar)", FORK_RESET_SIGNALS
|FORK_DEATHSIG
|FORK_LOG
, &pid
);
77 (1ULL << CAP_FOWNER
) |
78 (1ULL << CAP_FSETID
) |
80 (1ULL << CAP_SETFCAP
) |
81 (1ULL << CAP_DAC_OVERRIDE
);
85 pipefd
[1] = safe_close(pipefd
[1]);
87 r
= rearrange_stdio(pipefd
[0], -1, STDERR_FILENO
);
89 log_error_errno(r
, "Failed to rearrange stdin/stdout: %m");
93 if (unshare(CLONE_NEWNET
) < 0)
94 log_error_errno(errno
, "Failed to lock tar into network namespace, ignoring: %m");
96 r
= capability_bounding_set_drop(retain
, true);
98 log_error_errno(r
, "Failed to drop capabilities, ignoring: %m");
100 execlp("tar", "tar", "--numeric-owner", "-C", path
, "-px", "--xattrs", "--xattrs-include=*", NULL
);
101 log_error_errno(errno
, "Failed to execute tar: %m");
107 return TAKE_FD(pipefd
[1]);
110 int import_fork_tar_c(const char *path
, pid_t
*ret
) {
111 _cleanup_close_pair_
int pipefd
[2] = { -1, -1 };
118 if (pipe2(pipefd
, O_CLOEXEC
) < 0)
119 return log_error_errno(errno
, "Failed to create pipe for tar: %m");
121 r
= safe_fork("(tar)", FORK_RESET_SIGNALS
|FORK_DEATHSIG
|FORK_LOG
, &pid
);
125 uint64_t retain
= (1ULL << CAP_DAC_OVERRIDE
);
129 pipefd
[0] = safe_close(pipefd
[0]);
131 r
= rearrange_stdio(-1, pipefd
[1], STDERR_FILENO
);
133 log_error_errno(r
, "Failed to rearrange stdin/stdout: %m");
137 if (unshare(CLONE_NEWNET
) < 0)
138 log_error_errno(errno
, "Failed to lock tar into network namespace, ignoring: %m");
140 r
= capability_bounding_set_drop(retain
, true);
142 log_error_errno(r
, "Failed to drop capabilities, ignoring: %m");
144 execlp("tar", "tar", "-C", path
, "-c", "--xattrs", "--xattrs-include=*", ".", NULL
);
145 log_error_errno(errno
, "Failed to execute tar: %m");
151 return TAKE_FD(pipefd
[0]);