1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
4 #include <linux/loop.h>
8 #include <sys/statvfs.h>
11 #include "alloc-util.h"
12 #include "dissect-image.h"
13 #include "extract-word.h"
18 #include "libmount-util.h"
20 #include "mount-util.h"
21 #include "mountpoint-util.h"
22 #include "namespace-util.h"
23 #include "parse-util.h"
24 #include "path-util.h"
25 #include "process-util.h"
27 #include "stat-util.h"
28 #include "stdio-util.h"
29 #include "string-util.h"
31 #include "tmpfile-util.h"
32 #include "user-util.h"
34 int mount_fd(const char *source
,
36 const char *filesystemtype
,
37 unsigned long mountflags
,
40 char path
[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
42 xsprintf(path
, "/proc/self/fd/%i", target_fd
);
43 if (mount(source
, path
, filesystemtype
, mountflags
, data
) < 0) {
47 /* ENOENT can mean two things: either that the source is missing, or that /proc/ isn't
48 * mounted. Check for the latter to generate better error messages. */
49 if (proc_mounted() == 0)
61 const char *filesystemtype
,
62 unsigned long mountflags
,
65 _cleanup_close_
int fd
= -1;
67 /* In almost all cases we want to manipulate the mount table without following symlinks, hence
68 * mount_nofollow() is usually the way to go. The only exceptions are environments where /proc/ is
69 * not available yet, since we need /proc/self/fd/ for this logic to work. i.e. during the early
70 * initialization of namespacing/container stuff where /proc is not yet mounted (and maybe even the
71 * fs to mount) we can only use traditional mount() directly.
73 * Note that this disables following only for the final component of the target, i.e symlinks within
74 * the path of the target are honoured, as are symlinks in the source path everywhere. */
76 fd
= open(target
, O_PATH
|O_CLOEXEC
|O_NOFOLLOW
);
80 return mount_fd(source
, fd
, filesystemtype
, mountflags
, data
);
83 int umount_recursive(const char *prefix
, int flags
) {
87 /* Try to umount everything recursively below a
88 * directory. Also, take care of stacked mounts, and keep
89 * unmounting them until they are gone. */
92 _cleanup_(mnt_free_tablep
) struct libmnt_table
*table
= NULL
;
93 _cleanup_(mnt_free_iterp
) struct libmnt_iter
*iter
= NULL
;
97 r
= libmount_parse("/proc/self/mountinfo", NULL
, &table
, &iter
);
99 return log_debug_errno(r
, "Failed to parse /proc/self/mountinfo: %m");
102 struct libmnt_fs
*fs
;
105 r
= mnt_table_next_fs(table
, iter
, &fs
);
109 return log_debug_errno(r
, "Failed to get next entry from /proc/self/mountinfo: %m");
111 path
= mnt_fs_get_target(fs
);
115 if (!path_startswith(path
, prefix
))
118 if (umount2(path
, flags
| UMOUNT_NOFOLLOW
) < 0) {
119 log_debug_errno(errno
, "Failed to umount %s, ignoring: %m", path
);
123 log_debug("Successfully unmounted %s", path
);
135 static int get_mount_flags(
136 struct libmnt_table
*table
,
138 unsigned long *ret
) {
140 _cleanup_close_
int fd
= -1;
141 struct libmnt_fs
*fs
;
146 /* Get the mount flags for the mountpoint at "path" from "table". We have a fallback using statvfs()
147 * in place (which provides us with mostly the same info), but it's just a fallback, since using it
148 * means triggering autofs or NFS mounts, which we'd rather avoid needlessly.
150 * This generally doesn't follow symlinks. */
152 fs
= mnt_table_find_target(table
, path
, MNT_ITER_FORWARD
);
154 log_debug("Could not find '%s' in mount table, ignoring.", path
);
158 opts
= mnt_fs_get_vfs_options(fs
);
164 r
= mnt_optstr_get_flags(opts
, ret
, mnt_get_builtin_optmap(MNT_LINUX_MAP
));
166 log_debug_errno(r
, "Could not get flags for '%s', ignoring: %m", path
);
170 /* MS_RELATIME is default and trying to set it in an unprivileged container causes EPERM */
171 *ret
&= ~MS_RELATIME
;
175 fd
= open(path
, O_PATH
|O_CLOEXEC
|O_NOFOLLOW
);
179 if (fstatvfs(fd
, &buf
) < 0)
182 /* The statvfs() flags and the mount flags mostly have the same values, but for some cases do
183 * not. Hence map the flags manually. (Strictly speaking, ST_RELATIME/MS_RELATIME is the most
184 * prominent one that doesn't match, but that's the one we mask away anyway, see above.) */
187 FLAGS_SET(buf
.f_flag
, ST_RDONLY
) * MS_RDONLY
|
188 FLAGS_SET(buf
.f_flag
, ST_NODEV
) * MS_NODEV
|
189 FLAGS_SET(buf
.f_flag
, ST_NOEXEC
) * MS_NOEXEC
|
190 FLAGS_SET(buf
.f_flag
, ST_NOSUID
) * MS_NOSUID
|
191 FLAGS_SET(buf
.f_flag
, ST_NOATIME
) * MS_NOATIME
|
192 FLAGS_SET(buf
.f_flag
, ST_NODIRATIME
) * MS_NODIRATIME
;
197 /* Use this function only if you do not have direct access to /proc/self/mountinfo but the caller can open it
198 * for you. This is the case when /proc is masked or not mounted. Otherwise, use bind_remount_recursive. */
199 int bind_remount_recursive_with_mountinfo(
201 unsigned long new_flags
,
202 unsigned long flags_mask
,
204 FILE *proc_self_mountinfo
) {
206 _cleanup_set_free_free_ Set
*done
= NULL
;
207 _cleanup_free_
char *simplified
= NULL
;
211 assert(proc_self_mountinfo
);
213 /* Recursively remount a directory (and all its submounts) with desired flags (MS_READONLY,
214 * MS_NOSUID, MS_NOEXEC). If the directory is already mounted, we reuse the mount and simply mark it
215 * MS_BIND|MS_RDONLY (or remove the MS_RDONLY for read-write operation), ditto for other flags. If it
216 * isn't we first make it one. Afterwards we apply (or remove) the flags to all submounts we can
217 * access, too. When mounts are stacked on the same mount point we only care for each individual
218 * "top-level" mount on each point, as we cannot influence/access the underlying mounts anyway. We do
219 * not have any effect on future submounts that might get propagated, they might be writable
220 * etc. This includes future submounts that have been triggered via autofs.
222 * If the "deny_list" parameter is specified it may contain a list of subtrees to exclude from the
223 * remount operation. Note that we'll ignore the deny list for the top-level path. */
225 simplified
= strdup(prefix
);
229 path_simplify(simplified
, false);
231 done
= set_new(&path_hash_ops
);
236 _cleanup_set_free_free_ Set
*todo
= NULL
;
237 _cleanup_(mnt_free_tablep
) struct libmnt_table
*table
= NULL
;
238 _cleanup_(mnt_free_iterp
) struct libmnt_iter
*iter
= NULL
;
239 bool top_autofs
= false;
241 unsigned long orig_flags
;
243 todo
= set_new(&path_hash_ops
);
247 rewind(proc_self_mountinfo
);
249 r
= libmount_parse("/proc/self/mountinfo", proc_self_mountinfo
, &table
, &iter
);
251 return log_debug_errno(r
, "Failed to parse /proc/self/mountinfo: %m");
254 struct libmnt_fs
*fs
;
255 const char *path
, *type
;
257 r
= mnt_table_next_fs(table
, iter
, &fs
);
261 return log_debug_errno(r
, "Failed to get next entry from /proc/self/mountinfo: %m");
263 path
= mnt_fs_get_target(fs
);
264 type
= mnt_fs_get_fstype(fs
);
268 if (!path_startswith(path
, simplified
))
271 /* Ignore this mount if it is deny-listed, but only if it isn't the top-level mount
272 * we shall operate on. */
273 if (!path_equal(path
, simplified
)) {
274 bool deny_listed
= false;
277 STRV_FOREACH(i
, deny_list
) {
278 if (path_equal(*i
, simplified
))
281 if (!path_startswith(*i
, simplified
))
284 if (path_startswith(path
, *i
)) {
286 log_debug("Not remounting %s deny-listed by %s, called for %s",
287 path
, *i
, simplified
);
295 /* Let's ignore autofs mounts. If they aren't
296 * triggered yet, we want to avoid triggering
297 * them, as we don't make any guarantees for
298 * future submounts anyway. If they are
299 * already triggered, then we will find
300 * another entry for this. */
301 if (streq(type
, "autofs")) {
302 top_autofs
= top_autofs
|| path_equal(path
, simplified
);
306 if (!set_contains(done
, path
)) {
307 r
= set_put_strdup(&todo
, path
);
313 /* If we have no submounts to process anymore and if
314 * the root is either already done, or an autofs, we
316 if (set_isempty(todo
) &&
317 (top_autofs
|| set_contains(done
, simplified
)))
320 if (!set_contains(done
, simplified
) &&
321 !set_contains(todo
, simplified
)) {
322 /* The prefix directory itself is not yet a mount, make it one. */
323 r
= mount_nofollow(simplified
, simplified
, NULL
, MS_BIND
|MS_REC
, NULL
);
328 (void) get_mount_flags(table
, simplified
, &orig_flags
);
330 r
= mount_nofollow(NULL
, simplified
, NULL
, (orig_flags
& ~flags_mask
)|MS_BIND
|MS_REMOUNT
|new_flags
, NULL
);
334 log_debug("Made top-level directory %s a mount point.", prefix
);
336 r
= set_put_strdup(&done
, simplified
);
341 while ((x
= set_steal_first(todo
))) {
343 r
= set_consume(done
, x
);
344 if (IN_SET(r
, 0, -EEXIST
))
349 /* Deal with mount points that are obstructed by a later mount */
350 r
= path_is_mount_point(x
, NULL
, 0);
351 if (IN_SET(r
, 0, -ENOENT
))
354 if (!ERRNO_IS_PRIVILEGE(r
))
357 /* Even if root user invoke this, submounts under private FUSE or NFS mount points
358 * may not be acceessed. E.g.,
360 * $ bindfs --no-allow-other ~/mnt/mnt ~/mnt/mnt
361 * $ bindfs --no-allow-other ~/mnt ~/mnt
363 * Then, root user cannot access the mount point ~/mnt/mnt.
364 * In such cases, the submounts are ignored, as we have no way to manage them. */
365 log_debug_errno(r
, "Failed to determine '%s' is mount point or not, ignoring: %m", x
);
369 /* Try to reuse the original flag set */
371 (void) get_mount_flags(table
, x
, &orig_flags
);
373 r
= mount_nofollow(NULL
, x
, NULL
, (orig_flags
& ~flags_mask
)|MS_BIND
|MS_REMOUNT
|new_flags
, NULL
);
377 log_debug("Remounted %s read-only.", x
);
382 int bind_remount_recursive(
384 unsigned long new_flags
,
385 unsigned long flags_mask
,
388 _cleanup_fclose_
FILE *proc_self_mountinfo
= NULL
;
391 r
= fopen_unlocked("/proc/self/mountinfo", "re", &proc_self_mountinfo
);
395 return bind_remount_recursive_with_mountinfo(prefix
, new_flags
, flags_mask
, deny_list
, proc_self_mountinfo
);
398 int bind_remount_one_with_mountinfo(
400 unsigned long new_flags
,
401 unsigned long flags_mask
,
402 FILE *proc_self_mountinfo
) {
404 _cleanup_(mnt_free_tablep
) struct libmnt_table
*table
= NULL
;
405 unsigned long orig_flags
= 0;
409 assert(proc_self_mountinfo
);
411 rewind(proc_self_mountinfo
);
413 table
= mnt_new_table();
417 r
= mnt_table_parse_stream(table
, proc_self_mountinfo
, "/proc/self/mountinfo");
421 /* Try to reuse the original flag set */
422 (void) get_mount_flags(table
, path
, &orig_flags
);
424 r
= mount_nofollow(NULL
, path
, NULL
, (orig_flags
& ~flags_mask
)|MS_BIND
|MS_REMOUNT
|new_flags
, NULL
);
431 int mount_move_root(const char *path
) {
437 if (mount(path
, "/", NULL
, MS_MOVE
, NULL
) < 0)
449 int repeat_unmount(const char *path
, int flags
) {
454 /* If there are multiple mounts on a mount point, this
455 * removes them all */
458 if (umount2(path
, flags
) < 0) {
470 int mode_to_inaccessible_node(
471 const char *runtime_dir
,
475 /* This function maps a node type to a corresponding inaccessible file node. These nodes are created
476 * during early boot by PID 1. In some cases we lacked the privs to create the character and block
477 * devices (maybe because we run in an userns environment, or miss CAP_SYS_MKNOD, or run with a
478 * devices policy that excludes device nodes with major and minor of 0), but that's fine, in that
479 * case we use an AF_UNIX file node instead, which is not the same, but close enough for most
480 * uses. And most importantly, the kernel allows bind mounts from socket nodes to any non-directory
481 * file nodes, and that's the most important thing that matters.
483 * Note that the runtime directory argument shall be the top-level runtime directory, i.e. /run/ if
484 * we operate in system context and $XDG_RUNTIME_DIR if we operate in user context. */
486 _cleanup_free_
char *d
= NULL
;
487 const char *node
= NULL
;
492 runtime_dir
= "/run";
494 switch(mode
& S_IFMT
) {
496 node
= "/systemd/inaccessible/reg";
500 node
= "/systemd/inaccessible/dir";
504 node
= "/systemd/inaccessible/chr";
508 node
= "/systemd/inaccessible/blk";
512 node
= "/systemd/inaccessible/fifo";
516 node
= "/systemd/inaccessible/sock";
522 d
= path_join(runtime_dir
, node
);
526 /* On new kernels unprivileged users are permitted to create 0:0 char device nodes (because they also
527 * act as whiteout inode for overlayfs), but no other char or block device nodes. On old kernels no
528 * device node whatsoever may be created by unprivileged processes. Hence, if the caller asks for the
529 * inaccessible block device node let's see if the block device node actually exists, and if not,
530 * fall back to the character device node. From there fall back to the socket device node. This means
531 * in the best case we'll get the right device node type — but if not we'll hopefully at least get a
532 * device node at all. */
535 access(d
, F_OK
) < 0 && errno
== ENOENT
) {
537 d
= path_join(runtime_dir
, "/systemd/inaccessible/chr");
542 if (IN_SET(mode
& S_IFMT
, S_IFBLK
, S_IFCHR
) &&
543 access(d
, F_OK
) < 0 && errno
== ENOENT
) {
545 d
= path_join(runtime_dir
, "/systemd/inaccessible/sock");
554 #define FLAG(name) (flags & name ? STRINGIFY(name) "|" : "")
555 static char* mount_flags_to_string(long unsigned flags
) {
557 _cleanup_free_
char *y
= NULL
;
558 long unsigned overflow
;
560 overflow
= flags
& ~(MS_RDONLY
|
585 if (flags
== 0 || overflow
!= 0)
586 if (asprintf(&y
, "%lx", overflow
) < 0)
589 x
= strjoin(FLAG(MS_RDONLY
),
593 FLAG(MS_SYNCHRONOUS
),
611 FLAG(MS_STRICTATIME
),
617 x
[strlen(x
) - 1] = '\0'; /* truncate the last | */
621 int mount_verbose_full(
628 bool follow_symlink
) {
630 _cleanup_free_
char *fl
= NULL
, *o
= NULL
;
634 r
= mount_option_mangle(options
, flags
, &f
, &o
);
636 return log_full_errno(error_log_level
, r
,
637 "Failed to mangle mount options %s: %m",
640 fl
= mount_flags_to_string(f
);
642 if ((f
& MS_REMOUNT
) && !what
&& !type
)
643 log_debug("Remounting %s (%s \"%s\")...",
644 where
, strnull(fl
), strempty(o
));
645 else if (!what
&& !type
)
646 log_debug("Mounting %s (%s \"%s\")...",
647 where
, strnull(fl
), strempty(o
));
648 else if ((f
& MS_BIND
) && !type
)
649 log_debug("Bind-mounting %s on %s (%s \"%s\")...",
650 what
, where
, strnull(fl
), strempty(o
));
651 else if (f
& MS_MOVE
)
652 log_debug("Moving mount %s → %s (%s \"%s\")...",
653 what
, where
, strnull(fl
), strempty(o
));
655 log_debug("Mounting %s (%s) on %s (%s \"%s\")...",
656 strna(what
), strna(type
), where
, strnull(fl
), strempty(o
));
659 r
= mount(what
, where
, type
, f
, o
) < 0 ? -errno
: 0;
661 r
= mount_nofollow(what
, where
, type
, f
, o
);
663 return log_full_errno(error_log_level
, r
,
664 "Failed to mount %s (type %s) on %s (%s \"%s\"): %m",
665 strna(what
), strna(type
), where
, strnull(fl
), strempty(o
));
676 log_debug("Umounting %s...", what
);
678 if (umount2(what
, flags
) < 0)
679 return log_full_errno(error_log_level
, errno
,
680 "Failed to unmount %s: %m", what
);
685 int mount_option_mangle(
687 unsigned long mount_flags
,
688 unsigned long *ret_mount_flags
,
689 char **ret_remaining_options
) {
691 const struct libmnt_optmap
*map
;
692 _cleanup_free_
char *ret
= NULL
;
696 /* This extracts mount flags from the mount options, and store
697 * non-mount-flag options to '*ret_remaining_options'.
699 * "rw,nosuid,nodev,relatime,size=1630748k,mode=700,uid=1000,gid=1000"
700 * is split to MS_NOSUID|MS_NODEV|MS_RELATIME and
701 * "size=1630748k,mode=700,uid=1000,gid=1000".
702 * See more examples in test-mount-utils.c.
704 * Note that if 'options' does not contain any non-mount-flag options,
705 * then '*ret_remaining_options' is set to NULL instead of empty string.
706 * Note that this does not check validity of options stored in
707 * '*ret_remaining_options'.
708 * Note that if 'options' is NULL, then this just copies 'mount_flags'
709 * to '*ret_mount_flags'. */
711 assert(ret_mount_flags
);
712 assert(ret_remaining_options
);
714 map
= mnt_get_builtin_optmap(MNT_LINUX_MAP
);
720 _cleanup_free_
char *word
= NULL
;
721 const struct libmnt_optmap
*ent
;
723 r
= extract_first_word(&p
, &word
, ",", EXTRACT_UNQUOTE
);
729 for (ent
= map
; ent
->name
; ent
++) {
730 /* All entries in MNT_LINUX_MAP do not take any argument.
731 * Thus, ent->name does not contain "=" or "[=]". */
732 if (!streq(word
, ent
->name
))
735 if (!(ent
->mask
& MNT_INVERT
))
736 mount_flags
|= ent
->id
;
737 else if (mount_flags
& ent
->id
)
738 mount_flags
^= ent
->id
;
743 /* If 'word' is not a mount flag, then store it in '*ret_remaining_options'. */
744 if (!ent
->name
&& !strextend_with_separator(&ret
, ",", word
))
748 *ret_mount_flags
= mount_flags
;
749 *ret_remaining_options
= TAKE_PTR(ret
);
754 static int mount_in_namespace(
756 const char *propagate_path
,
757 const char *incoming_path
,
761 bool make_file_or_directory
,
762 const MountOptions
*options
,
765 _cleanup_close_pair_
int errno_pipe_fd
[2] = { -1, -1 };
766 _cleanup_close_
int self_mntns_fd
= -1, mntns_fd
= -1, root_fd
= -1, pidns_fd
= -1, chased_src_fd
= -1;
767 char mount_slave
[] = "/tmp/propagate.XXXXXX", *mount_tmp
, *mount_outside
, *p
,
768 chased_src
[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
769 bool mount_slave_created
= false, mount_slave_mounted
= false,
770 mount_tmp_created
= false, mount_tmp_mounted
= false,
771 mount_outside_created
= false, mount_outside_mounted
= false;
772 struct stat st
, self_mntns_st
;
777 assert(propagate_path
);
778 assert(incoming_path
);
781 assert(!options
|| is_image
);
783 r
= namespace_open(target
, &pidns_fd
, &mntns_fd
, NULL
, NULL
, &root_fd
);
785 return log_debug_errno(r
, "Failed to retrieve FDs of the target process' namespace: %m");
787 if (fstat(mntns_fd
, &st
) < 0)
788 return log_debug_errno(errno
, "Failed to fstat mount namespace FD of target process: %m");
790 r
= namespace_open(0, NULL
, &self_mntns_fd
, NULL
, NULL
, NULL
);
792 return log_debug_errno(r
, "Failed to retrieve FDs of systemd's namespace: %m");
794 if (fstat(self_mntns_fd
, &self_mntns_st
) < 0)
795 return log_debug_errno(errno
, "Failed to fstat mount namespace FD of systemd: %m");
797 /* We can't add new mounts at runtime if the process wasn't started in a namespace */
798 if (st
.st_ino
== self_mntns_st
.st_ino
&& st
.st_dev
== self_mntns_st
.st_dev
)
799 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to activate bind mount in target, not running in a mount namespace");
801 /* One day, when bind mounting /proc/self/fd/n works across
802 * namespace boundaries we should rework this logic to make
805 p
= strjoina(propagate_path
, "/");
806 r
= laccess(p
, F_OK
);
808 return log_debug_errno(r
== -ENOENT
? SYNTHETIC_ERRNO(EOPNOTSUPP
) : r
, "Target does not allow propagation of mount points");
810 r
= chase_symlinks(src
, NULL
, CHASE_TRAIL_SLASH
, NULL
, &chased_src_fd
);
812 return log_debug_errno(r
, "Failed to resolve source path of %s: %m", src
);
813 xsprintf(chased_src
, "/proc/self/fd/%i", chased_src_fd
);
815 if (fstat(chased_src_fd
, &st
) < 0)
816 return log_debug_errno(errno
, "Failed to stat() resolved source path %s: %m", src
);
817 if (S_ISLNK(st
.st_mode
)) /* This shouldn't really happen, given that we just chased the symlinks above, but let's better be safe… */
818 return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "Source directory %s can't be a symbolic link", src
);
820 /* Our goal is to install a new bind mount into the container,
821 possibly read-only. This is irritatingly complex
822 unfortunately, currently.
824 First, we start by creating a private playground in /tmp,
825 that we can mount MS_SLAVE. (Which is necessary, since
826 MS_MOVE cannot be applied to mounts with MS_SHARED parent
829 if (!mkdtemp(mount_slave
))
830 return log_debug_errno(errno
, "Failed to create playground %s: %m", mount_slave
);
832 mount_slave_created
= true;
834 r
= mount_nofollow_verbose(LOG_DEBUG
, mount_slave
, mount_slave
, NULL
, MS_BIND
, NULL
);
838 mount_slave_mounted
= true;
840 r
= mount_nofollow_verbose(LOG_DEBUG
, NULL
, mount_slave
, NULL
, MS_SLAVE
, NULL
);
844 /* Second, we mount the source file or directory to a directory inside of our MS_SLAVE playground. */
845 mount_tmp
= strjoina(mount_slave
, "/mount");
847 r
= mkdir_p(mount_tmp
, 0700);
849 r
= make_mount_point_inode_from_stat(&st
, mount_tmp
, 0700);
851 log_debug_errno(r
, "Failed to create temporary mount point %s: %m", mount_tmp
);
855 mount_tmp_created
= true;
858 r
= verity_dissect_and_mount(chased_src
, mount_tmp
, options
, NULL
, NULL
, NULL
);
860 r
= mount_follow_verbose(LOG_DEBUG
, chased_src
, mount_tmp
, NULL
, MS_BIND
, NULL
);
864 mount_tmp_mounted
= true;
866 /* Third, we remount the new bind mount read-only if requested. */
868 r
= mount_nofollow_verbose(LOG_DEBUG
, NULL
, mount_tmp
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
, NULL
);
873 /* Fourth, we move the new bind mount into the propagation directory. This way it will appear there read-only
876 mount_outside
= strjoina(propagate_path
, "/XXXXXX");
877 if (is_image
|| S_ISDIR(st
.st_mode
))
878 r
= mkdtemp(mount_outside
) ? 0 : -errno
;
880 r
= mkostemp_safe(mount_outside
);
884 log_debug_errno(r
, "Cannot create propagation file or directory %s: %m", mount_outside
);
888 mount_outside_created
= true;
890 r
= mount_nofollow_verbose(LOG_DEBUG
, mount_tmp
, mount_outside
, NULL
, MS_MOVE
, NULL
);
894 mount_outside_mounted
= true;
895 mount_tmp_mounted
= false;
897 if (is_image
|| S_ISDIR(st
.st_mode
))
898 (void) rmdir(mount_tmp
);
900 (void) unlink(mount_tmp
);
901 mount_tmp_created
= false;
903 (void) umount_verbose(LOG_DEBUG
, mount_slave
, UMOUNT_NOFOLLOW
);
904 mount_slave_mounted
= false;
906 (void) rmdir(mount_slave
);
907 mount_slave_created
= false;
909 if (pipe2(errno_pipe_fd
, O_CLOEXEC
|O_NONBLOCK
) < 0) {
910 log_debug_errno(errno
, "Failed to create pipe: %m");
914 r
= namespace_fork("(sd-bindmnt)", "(sd-bindmnt-inner)", NULL
, 0, FORK_RESET_SIGNALS
|FORK_DEATHSIG
,
915 pidns_fd
, mntns_fd
, -1, -1, root_fd
, &child
);
919 const char *mount_inside
;
921 errno_pipe_fd
[0] = safe_close(errno_pipe_fd
[0]);
923 if (make_file_or_directory
) {
925 (void) mkdir_parents(dest
, 0755);
926 (void) make_mount_point_inode_from_stat(&st
, dest
, 0700);
928 (void) mkdir_p(dest
, 0755);
931 /* Fifth, move the mount to the right place inside */
932 mount_inside
= strjoina(incoming_path
, basename(mount_outside
));
933 r
= mount_nofollow_verbose(LOG_ERR
, mount_inside
, dest
, NULL
, MS_MOVE
, NULL
);
940 (void) write(errno_pipe_fd
[1], &r
, sizeof(r
));
941 errno_pipe_fd
[1] = safe_close(errno_pipe_fd
[1]);
946 errno_pipe_fd
[1] = safe_close(errno_pipe_fd
[1]);
948 r
= wait_for_terminate_and_check("(sd-bindmnt)", child
, 0);
950 log_debug_errno(r
, "Failed to wait for child: %m");
953 if (r
!= EXIT_SUCCESS
) {
954 if (read(errno_pipe_fd
[0], &r
, sizeof(r
)) == sizeof(r
))
955 log_debug_errno(r
, "Failed to mount: %m");
957 log_debug("Child failed.");
962 if (mount_outside_mounted
)
963 (void) umount_verbose(LOG_DEBUG
, mount_outside
, UMOUNT_NOFOLLOW
);
964 if (mount_outside_created
) {
965 if (is_image
|| S_ISDIR(st
.st_mode
))
966 (void) rmdir(mount_outside
);
968 (void) unlink(mount_outside
);
971 if (mount_tmp_mounted
)
972 (void) umount_verbose(LOG_DEBUG
, mount_tmp
, UMOUNT_NOFOLLOW
);
973 if (mount_tmp_created
) {
974 if (is_image
|| S_ISDIR(st
.st_mode
))
975 (void) rmdir(mount_tmp
);
977 (void) unlink(mount_tmp
);
980 if (mount_slave_mounted
)
981 (void) umount_verbose(LOG_DEBUG
, mount_slave
, UMOUNT_NOFOLLOW
);
982 if (mount_slave_created
)
983 (void) rmdir(mount_slave
);
988 int bind_mount_in_namespace(
990 const char *propagate_path
,
991 const char *incoming_path
,
995 bool make_file_or_directory
) {
997 return mount_in_namespace(target
, propagate_path
, incoming_path
, src
, dest
, read_only
, make_file_or_directory
, NULL
, false);
1000 int mount_image_in_namespace(
1002 const char *propagate_path
,
1003 const char *incoming_path
,
1007 bool make_file_or_directory
,
1008 const MountOptions
*options
) {
1010 return mount_in_namespace(target
, propagate_path
, incoming_path
, src
, dest
, read_only
, make_file_or_directory
, options
, true);