1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
13 #include <sys/xattr.h>
21 #include "alloc-util.h"
22 #include "btrfs-util.h"
24 #include "capability-util.h"
26 #include "chattr-util.h"
27 #include "conf-files.h"
28 #include "constants.h"
30 #include "creds-util.h"
31 #include "devnum-util.h"
32 #include "dirent-util.h"
33 #include "dissect-image.h"
35 #include "errno-util.h"
39 #include "format-util.h"
41 #include "glob-util.h"
42 #include "hexdecoct.h"
44 #include "label-util.h"
47 #include "main-func.h"
48 #include "missing_syscall.h"
49 #include "mkdir-label.h"
50 #include "mount-util.h"
51 #include "mountpoint-util.h"
52 #include "nulstr-util.h"
53 #include "offline-passwd.h"
55 #include "parse-argument.h"
56 #include "parse-util.h"
57 #include "path-lookup.h"
58 #include "path-util.h"
59 #include "pretty-print.h"
60 #include "rlimit-util.h"
62 #include "selinux-util.h"
64 #include "sort-util.h"
65 #include "specifier.h"
66 #include "stat-util.h"
67 #include "stdio-util.h"
68 #include "string-table.h"
69 #include "string-util.h"
71 #include "terminal-util.h"
72 #include "umask-util.h"
73 #include "user-util.h"
76 /* This reads all files listed in /etc/tmpfiles.d/?*.conf and creates
77 * them in the file system. This is intended to be used to create
78 * properly owned directories beneath /tmp, /var/tmp, /run, which are
79 * volatile and hence need to be recreated on bootup. */
81 typedef enum OperationMask
{
82 OPERATION_CREATE
= 1 << 0,
83 OPERATION_REMOVE
= 1 << 1,
84 OPERATION_CLEAN
= 1 << 2,
85 OPERATION_PURGE
= 1 << 3,
88 typedef enum ItemType
{
89 /* These ones take file names */
91 TRUNCATE_FILE
= 'F', /* deprecated: use f+ */
92 CREATE_DIRECTORY
= 'd',
93 TRUNCATE_DIRECTORY
= 'D',
94 CREATE_SUBVOLUME
= 'v',
95 CREATE_SUBVOLUME_INHERIT_QUOTA
= 'q',
96 CREATE_SUBVOLUME_NEW_QUOTA
= 'Q',
99 CREATE_CHAR_DEVICE
= 'c',
100 CREATE_BLOCK_DEVICE
= 'b',
103 /* These ones take globs */
105 EMPTY_DIRECTORY
= 'e',
107 RECURSIVE_SET_XATTR
= 'T',
109 RECURSIVE_SET_ACL
= 'A',
111 RECURSIVE_SET_ATTRIBUTE
= 'H',
113 IGNORE_DIRECTORY_PATH
= 'X',
115 RECURSIVE_REMOVE_PATH
= 'R',
117 RECURSIVE_RELABEL_PATH
= 'Z',
118 ADJUST_MODE
= 'm', /* legacy, 'z' is identical to this */
122 AGE_BY_ATIME
= 1 << 0,
123 AGE_BY_BTIME
= 1 << 1,
124 AGE_BY_CTIME
= 1 << 2,
125 AGE_BY_MTIME
= 1 << 3,
127 /* All file timestamp types are checked by default. */
128 AGE_BY_DEFAULT_FILE
= AGE_BY_ATIME
| AGE_BY_BTIME
| AGE_BY_CTIME
| AGE_BY_MTIME
,
129 AGE_BY_DEFAULT_DIR
= AGE_BY_ATIME
| AGE_BY_BTIME
| AGE_BY_MTIME
,
132 typedef struct Item
{
137 void *binary_argument
; /* set if binary data, in which case it takes precedence over 'argument' */
138 size_t binary_argument_size
;
142 acl_t acl_access_exec
;
149 AgeBy age_by_file
, age_by_dir
;
152 unsigned attribute_value
;
153 unsigned attribute_mask
;
158 bool uid_only_create
:1;
159 bool gid_only_create
:1;
160 bool mode_only_create
:1;
163 bool attribute_set
:1;
165 bool keep_first_level
:1;
167 bool append_or_force
:1;
169 bool allow_failure
:1;
176 typedef struct ItemArray
{
180 struct ItemArray
*parent
;
184 typedef enum DirectoryType
{
197 _CREATION_MODE_INVALID
= -EINVAL
,
200 static CatFlags arg_cat_flags
= CAT_CONFIG_OFF
;
201 static RuntimeScope arg_runtime_scope
= RUNTIME_SCOPE_SYSTEM
;
202 static OperationMask arg_operation
= 0;
203 static bool arg_boot
= false;
204 static bool arg_graceful
= false;
205 static PagerFlags arg_pager_flags
= 0;
207 static char **arg_include_prefixes
= NULL
;
208 static char **arg_exclude_prefixes
= NULL
;
209 static char *arg_root
= NULL
;
210 static char *arg_image
= NULL
;
211 static char *arg_replace
= NULL
;
212 static ImagePolicy
*arg_image_policy
= NULL
;
214 #define MAX_DEPTH 256
216 typedef struct Context
{
217 OrderedHashmap
*items
, *globs
;
221 STATIC_DESTRUCTOR_REGISTER(arg_include_prefixes
, strv_freep
);
222 STATIC_DESTRUCTOR_REGISTER(arg_exclude_prefixes
, strv_freep
);
223 STATIC_DESTRUCTOR_REGISTER(arg_root
, freep
);
224 STATIC_DESTRUCTOR_REGISTER(arg_image
, freep
);
225 STATIC_DESTRUCTOR_REGISTER(arg_image_policy
, image_policy_freep
);
227 static const char *const creation_mode_verb_table
[_CREATION_MODE_MAX
] = {
228 [CREATION_NORMAL
] = "Created",
229 [CREATION_EXISTING
] = "Found existing",
230 [CREATION_FORCE
] = "Created replacement",
233 DEFINE_PRIVATE_STRING_TABLE_LOOKUP_TO_STRING(creation_mode_verb
, CreationMode
);
235 static void context_done(Context
*c
) {
238 ordered_hashmap_free(c
->items
);
239 ordered_hashmap_free(c
->globs
);
241 set_free(c
->unix_sockets
);
244 /* Different kinds of errors that mean that information is not available in the environment. */
245 static bool ERRNO_IS_NOINFO(int r
) {
246 return IN_SET(abs(r
),
247 EUNATCH
, /* os-release or machine-id missing */
248 ENOMEDIUM
, /* machine-id or another file empty */
249 ENOPKG
, /* machine-id is uninitialized */
250 ENXIO
); /* env var is unset */
253 static int specifier_directory(char specifier
, const void *data
, const char *root
, const void *userdata
, char **ret
) {
259 static const struct table_entry paths_system
[] = {
260 [DIRECTORY_RUNTIME
] = { SD_PATH_SYSTEM_RUNTIME
},
261 [DIRECTORY_STATE
] = { SD_PATH_SYSTEM_STATE_PRIVATE
},
262 [DIRECTORY_CACHE
] = { SD_PATH_SYSTEM_STATE_CACHE
},
263 [DIRECTORY_LOGS
] = { SD_PATH_SYSTEM_STATE_LOGS
},
266 static const struct table_entry paths_user
[] = {
267 [DIRECTORY_RUNTIME
] = { SD_PATH_USER_RUNTIME
},
268 [DIRECTORY_STATE
] = { SD_PATH_USER_STATE_PRIVATE
},
269 [DIRECTORY_CACHE
] = { SD_PATH_USER_STATE_CACHE
},
270 [DIRECTORY_LOGS
] = { SD_PATH_USER_STATE_PRIVATE
, "log" },
273 const struct table_entry
*paths
;
274 _cleanup_free_
char *p
= NULL
;
278 assert_cc(ELEMENTSOF(paths_system
) == ELEMENTSOF(paths_user
));
279 paths
= arg_runtime_scope
== RUNTIME_SCOPE_USER
? paths_user
: paths_system
;
281 i
= PTR_TO_UINT(data
);
282 assert(i
< ELEMENTSOF(paths_system
));
284 r
= sd_path_lookup(paths
[i
].type
, paths
[i
].suffix
, &p
);
289 _cleanup_free_
char *j
= NULL
;
291 j
= path_join(arg_root
, p
);
302 static int log_unresolvable_specifier(const char *filename
, unsigned line
) {
303 static bool notified
= false;
305 /* In system mode, this is called when /etc is not fully initialized and some specifiers are
306 * unresolvable. In user mode, this is called when some variables are not defined. These cases are
307 * not considered a fatal error, so log at LOG_NOTICE only for the first time and then downgrade this
308 * to LOG_DEBUG for the rest.
310 * If we're running in a chroot (--root was used or sd_booted() reports that systemd is not running),
311 * always use LOG_DEBUG. We may be called to initialize a chroot before booting and there is no
312 * expectation that machine-id and other files will be populated.
315 int log_level
= notified
|| arg_root
|| running_in_chroot() > 0 ?
316 LOG_DEBUG
: LOG_NOTICE
;
321 "Failed to resolve specifier: %s, skipping.",
322 arg_runtime_scope
== RUNTIME_SCOPE_USER
? "Required $XDG_... variable not defined" : "uninitialized /etc/ detected");
326 "All rules containing unresolvable specifiers will be skipped.");
332 static int user_config_paths(char*** ret
) {
333 _cleanup_strv_free_
char **config_dirs
= NULL
, **data_dirs
= NULL
;
334 _cleanup_free_
char *persistent_config
= NULL
, *runtime_config
= NULL
, *data_home
= NULL
;
335 _cleanup_strv_free_
char **res
= NULL
;
338 r
= xdg_user_dirs(&config_dirs
, &data_dirs
);
342 r
= xdg_user_config_dir(&persistent_config
, "/user-tmpfiles.d");
343 if (r
< 0 && !ERRNO_IS_NOINFO(r
))
346 r
= xdg_user_runtime_dir(&runtime_config
, "/user-tmpfiles.d");
347 if (r
< 0 && !ERRNO_IS_NOINFO(r
))
350 r
= xdg_user_data_dir(&data_home
, "/user-tmpfiles.d");
351 if (r
< 0 && !ERRNO_IS_NOINFO(r
))
354 r
= strv_extend_strv_concat(&res
, config_dirs
, "/user-tmpfiles.d");
358 r
= strv_extend(&res
, persistent_config
);
362 r
= strv_extend(&res
, runtime_config
);
366 r
= strv_extend(&res
, data_home
);
370 r
= strv_extend_strv_concat(&res
, data_dirs
, "/user-tmpfiles.d");
374 r
= path_strv_make_absolute_cwd(res
);
378 *ret
= TAKE_PTR(res
);
382 static bool needs_purge(ItemType t
) {
390 CREATE_SUBVOLUME_INHERIT_QUOTA
,
391 CREATE_SUBVOLUME_NEW_QUOTA
,
400 static bool needs_glob(ItemType t
) {
409 RECURSIVE_SET_ATTRIBUTE
,
411 IGNORE_DIRECTORY_PATH
,
413 RECURSIVE_REMOVE_PATH
,
415 RECURSIVE_RELABEL_PATH
,
419 static bool takes_ownership(ItemType t
) {
426 CREATE_SUBVOLUME_INHERIT_QUOTA
,
427 CREATE_SUBVOLUME_NEW_QUOTA
,
436 IGNORE_DIRECTORY_PATH
,
438 RECURSIVE_REMOVE_PATH
);
441 static struct Item
* find_glob(OrderedHashmap
*h
, const char *match
) {
444 ORDERED_HASHMAP_FOREACH(j
, h
) {
447 for (n
= 0; n
< j
->n_items
; n
++) {
448 Item
*item
= j
->items
+ n
;
450 if (fnmatch(item
->path
, match
, FNM_PATHNAME
|FNM_PERIOD
) == 0)
458 static int load_unix_sockets(Context
*c
) {
459 _cleanup_set_free_ Set
*sockets
= NULL
;
460 _cleanup_fclose_
FILE *f
= NULL
;
466 /* We maintain a cache of the sockets we found in /proc/net/unix to speed things up a little. */
468 f
= fopen("/proc/net/unix", "re");
470 return log_full_errno(errno
== ENOENT
? LOG_DEBUG
: LOG_WARNING
, errno
,
471 "Failed to open /proc/net/unix, ignoring: %m");
474 r
= read_line(f
, LONG_LINE_MAX
, NULL
);
476 return log_warning_errno(r
, "Failed to skip /proc/net/unix header line: %m");
478 return log_warning_errno(SYNTHETIC_ERRNO(EIO
), "Premature end of file reading /proc/net/unix.");
481 _cleanup_free_
char *line
= NULL
;
484 r
= read_line(f
, LONG_LINE_MAX
, &line
);
486 return log_warning_errno(r
, "Failed to read /proc/net/unix line, ignoring: %m");
487 if (r
== 0) /* EOF */
490 p
= strchr(line
, ':');
498 p
+= strspn(p
, WHITESPACE
);
499 p
+= strcspn(p
, WHITESPACE
); /* skip one more word */
500 p
+= strspn(p
, WHITESPACE
);
502 if (!path_is_absolute(p
))
505 r
= set_put_strdup_full(&sockets
, &path_hash_ops_free
, p
);
507 return log_warning_errno(r
, "Failed to add AF_UNIX socket to set, ignoring: %m");
510 c
->unix_sockets
= TAKE_PTR(sockets
);
514 static bool unix_socket_alive(Context
*c
, const char *fn
) {
518 if (load_unix_sockets(c
) < 0)
519 return true; /* We don't know, so assume yes */
521 return set_contains(c
->unix_sockets
, fn
);
524 /* Accessors for the argument in binary format */
525 static const void* item_binary_argument(const Item
*i
) {
527 return i
->binary_argument
?: i
->argument
;
530 static size_t item_binary_argument_size(const Item
*i
) {
532 return i
->binary_argument
? i
->binary_argument_size
: strlen_ptr(i
->argument
);
535 static DIR* xopendirat_nomod(int dirfd
, const char *path
) {
538 dir
= xopendirat(dirfd
, path
, O_NOFOLLOW
|O_NOATIME
);
542 if (!IN_SET(errno
, ENOENT
, ELOOP
))
543 log_debug_errno(errno
, "Cannot open %sdirectory \"%s\": %m", dirfd
== AT_FDCWD
? "" : "sub", path
);
548 dir
= xopendirat(dirfd
, path
, O_NOFOLLOW
);
550 log_debug_errno(errno
, "Cannot open %sdirectory \"%s\": %m", dirfd
== AT_FDCWD
? "" : "sub", path
);
555 static DIR* opendir_nomod(const char *path
) {
556 return xopendirat_nomod(AT_FDCWD
, path
);
559 static bool needs_cleanup(
565 const char *sub_path
,
569 if (FLAGS_SET(age_by
, AGE_BY_MTIME
) && mtime
!= NSEC_INFINITY
&& mtime
>= cutoff
) {
570 /* Follows spelling in stat(1). */
571 log_debug("%s \"%s\": modify time %s is too new.",
572 is_dir
? "Directory" : "File",
574 FORMAT_TIMESTAMP_STYLE(mtime
/ NSEC_PER_USEC
, TIMESTAMP_US
));
579 if (FLAGS_SET(age_by
, AGE_BY_ATIME
) && atime
!= NSEC_INFINITY
&& atime
>= cutoff
) {
580 log_debug("%s \"%s\": access time %s is too new.",
581 is_dir
? "Directory" : "File",
583 FORMAT_TIMESTAMP_STYLE(atime
/ NSEC_PER_USEC
, TIMESTAMP_US
));
589 * Note: Unless explicitly specified by the user, "ctime" is ignored
590 * by default for directories, because we change it when deleting.
592 if (FLAGS_SET(age_by
, AGE_BY_CTIME
) && ctime
!= NSEC_INFINITY
&& ctime
>= cutoff
) {
593 log_debug("%s \"%s\": change time %s is too new.",
594 is_dir
? "Directory" : "File",
596 FORMAT_TIMESTAMP_STYLE(ctime
/ NSEC_PER_USEC
, TIMESTAMP_US
));
601 if (FLAGS_SET(age_by
, AGE_BY_BTIME
) && btime
!= NSEC_INFINITY
&& btime
>= cutoff
) {
602 log_debug("%s \"%s\": birth time %s is too new.",
603 is_dir
? "Directory" : "File",
605 FORMAT_TIMESTAMP_STYLE(btime
/ NSEC_PER_USEC
, TIMESTAMP_US
));
613 static int dir_cleanup(
618 nsec_t self_atime_nsec
,
619 nsec_t self_mtime_nsec
,
625 bool keep_this_level
,
629 bool deleted
= false;
636 FOREACH_DIRENT_ALL(de
, d
, break) {
637 _cleanup_free_
char *sub_path
= NULL
;
638 nsec_t atime_nsec
, mtime_nsec
, ctime_nsec
, btime_nsec
;
640 if (dot_or_dot_dot(de
->d_name
))
643 /* If statx() is supported, use it. It's preferable over fstatat() since it tells us
644 * explicitly where we are looking at a mount point, for free as side information. Determining
645 * the same information without statx() is hard, see the complexity of path_is_mount_point(),
646 * and also much slower as it requires a number of syscalls instead of just one. Hence, when
647 * we have modern statx() we use it instead of fstat() and do proper mount point checks,
648 * while on older kernels's well do traditional st_dev based detection of mount points.
650 * Using statx() for detecting mount points also has the benefit that we handle weird file
651 * systems such as overlayfs better where each file is originating from a different
654 STRUCT_STATX_DEFINE(sx
);
657 dirfd(d
), de
->d_name
,
658 AT_SYMLINK_NOFOLLOW
|AT_NO_AUTOMOUNT
,
659 STATX_TYPE
|STATX_MODE
|STATX_UID
|STATX_ATIME
|STATX_MTIME
|STATX_CTIME
|STATX_BTIME
,
664 /* FUSE, NFS mounts, SELinux might return EACCES */
665 r
= log_full_errno(r
== -EACCES
? LOG_DEBUG
: LOG_ERR
, r
,
666 "statx(%s/%s) failed: %m", p
, de
->d_name
);
670 if (FLAGS_SET(sx
.stx_attributes_mask
, STATX_ATTR_MOUNT_ROOT
)) {
671 /* Yay, we have the mount point API, use it */
672 if (FLAGS_SET(sx
.stx_attributes
, STATX_ATTR_MOUNT_ROOT
)) {
673 log_debug("Ignoring \"%s/%s\": different mount points.", p
, de
->d_name
);
677 /* So we might have statx() but the STATX_ATTR_MOUNT_ROOT flag is not supported, fall
678 * back to traditional stx_dev checking. */
679 if (sx
.stx_dev_major
!= rootdev_major
||
680 sx
.stx_dev_minor
!= rootdev_minor
) {
681 log_debug("Ignoring \"%s/%s\": different filesystem.", p
, de
->d_name
);
685 /* Try to detect bind mounts of the same filesystem instance; they do not differ in device
686 * major/minors. This type of query is not supported on all kernels or filesystem types
688 if (S_ISDIR(sx
.stx_mode
)) {
691 q
= fd_is_mount_point(dirfd(d
), de
->d_name
, 0);
693 log_debug_errno(q
, "Failed to determine whether \"%s/%s\" is a mount point, ignoring: %m", p
, de
->d_name
);
695 log_debug("Ignoring \"%s/%s\": different mount of the same filesystem.", p
, de
->d_name
);
701 atime_nsec
= FLAGS_SET(sx
.stx_mask
, STATX_ATIME
) ? statx_timestamp_load_nsec(&sx
.stx_atime
) : 0;
702 mtime_nsec
= FLAGS_SET(sx
.stx_mask
, STATX_MTIME
) ? statx_timestamp_load_nsec(&sx
.stx_mtime
) : 0;
703 ctime_nsec
= FLAGS_SET(sx
.stx_mask
, STATX_CTIME
) ? statx_timestamp_load_nsec(&sx
.stx_ctime
) : 0;
704 btime_nsec
= FLAGS_SET(sx
.stx_mask
, STATX_BTIME
) ? statx_timestamp_load_nsec(&sx
.stx_btime
) : 0;
706 sub_path
= path_join(p
, de
->d_name
);
712 /* Is there an item configured for this path? */
713 if (ordered_hashmap_get(c
->items
, sub_path
)) {
714 log_debug("Ignoring \"%s\": a separate entry exists.", sub_path
);
718 if (find_glob(c
->globs
, sub_path
)) {
719 log_debug("Ignoring \"%s\": a separate glob exists.", sub_path
);
723 if (S_ISDIR(sx
.stx_mode
)) {
724 _cleanup_closedir_
DIR *sub_dir
= NULL
;
727 streq(de
->d_name
, "lost+found") &&
729 log_debug("Ignoring directory \"%s\".", sub_path
);
734 log_warning("Reached max depth on \"%s\".", sub_path
);
738 sub_dir
= xopendirat_nomod(dirfd(d
), de
->d_name
);
741 r
= log_warning_errno(errno
, "Opening directory \"%s\" failed, ignoring: %m", sub_path
);
746 if (flock(dirfd(sub_dir
), LOCK_EX
|LOCK_NB
) < 0) {
747 log_debug_errno(errno
, "Couldn't acquire shared BSD lock on directory \"%s\", skipping: %m", sub_path
);
751 q
= dir_cleanup(c
, i
,
753 atime_nsec
, mtime_nsec
, cutoff_nsec
,
754 rootdev_major
, rootdev_minor
,
755 false, maxdepth
-1, false,
756 age_by_file
, age_by_dir
);
761 /* Note: if you are wondering why we don't support the sticky bit for excluding
762 * directories from cleaning like we do it for other file system objects: well, the
763 * sticky bit already has a meaning for directories, so we don't want to overload
766 if (keep_this_level
) {
767 log_debug("Keeping directory \"%s\".", sub_path
);
772 * Check the file timestamps of an entry against the
773 * given cutoff time; delete if it is older.
775 if (!needs_cleanup(atime_nsec
, btime_nsec
, ctime_nsec
, mtime_nsec
,
776 cutoff_nsec
, sub_path
, age_by_dir
, true))
779 log_debug("Removing directory \"%s\".", sub_path
);
780 if (unlinkat(dirfd(d
), de
->d_name
, AT_REMOVEDIR
) < 0)
781 if (!IN_SET(errno
, ENOENT
, ENOTEMPTY
))
782 r
= log_warning_errno(errno
, "Failed to remove directory \"%s\", ignoring: %m", sub_path
);
785 _cleanup_close_
int fd
= -EBADF
;
787 /* Skip files for which the sticky bit is set. These are semantics we define, and are
788 * unknown elsewhere. See XDG_RUNTIME_DIR specification for details. */
789 if (sx
.stx_mode
& S_ISVTX
) {
790 log_debug("Skipping \"%s\": sticky bit set.", sub_path
);
795 S_ISREG(sx
.stx_mode
) &&
797 STR_IN_SET(de
->d_name
,
801 log_debug("Skipping \"%s\".", sub_path
);
805 /* Ignore sockets that are listed in /proc/net/unix */
806 if (S_ISSOCK(sx
.stx_mode
) && unix_socket_alive(c
, sub_path
)) {
807 log_debug("Skipping \"%s\": live socket.", sub_path
);
811 /* Ignore device nodes */
812 if (S_ISCHR(sx
.stx_mode
) || S_ISBLK(sx
.stx_mode
)) {
813 log_debug("Skipping \"%s\": a device.", sub_path
);
817 /* Keep files on this level around if this is requested */
818 if (keep_this_level
) {
819 log_debug("Keeping \"%s\".", sub_path
);
823 if (!needs_cleanup(atime_nsec
, btime_nsec
, ctime_nsec
, mtime_nsec
,
824 cutoff_nsec
, sub_path
, age_by_file
, false))
827 fd
= xopenat(dirfd(d
),
829 O_RDONLY
|O_CLOEXEC
|O_NOFOLLOW
|O_NOATIME
,
830 /* xopen_flags = */ 0,
832 if (fd
< 0 && !IN_SET(fd
, -ENOENT
, -ELOOP
))
833 log_warning_errno(fd
, "Opening file \"%s\" failed, ignoring: %m", sub_path
);
834 if (fd
>= 0 && flock(fd
, LOCK_EX
|LOCK_NB
) < 0 && errno
== EAGAIN
) {
835 log_debug_errno(errno
, "Couldn't acquire shared BSD lock on file \"%s\", skipping: %m", sub_path
);
839 log_debug("Removing \"%s\".", sub_path
);
840 if (unlinkat(dirfd(d
), de
->d_name
, 0) < 0)
842 r
= log_warning_errno(errno
, "Failed to remove \"%s\", ignoring: %m", sub_path
);
850 struct timespec ts
[2];
852 log_debug("Restoring access and modification time on \"%s\": %s, %s",
854 FORMAT_TIMESTAMP_STYLE(self_atime_nsec
/ NSEC_PER_USEC
, TIMESTAMP_US
),
855 FORMAT_TIMESTAMP_STYLE(self_mtime_nsec
/ NSEC_PER_USEC
, TIMESTAMP_US
));
857 timespec_store_nsec(ts
+ 0, self_atime_nsec
);
858 timespec_store_nsec(ts
+ 1, self_mtime_nsec
);
860 /* Restore original directory timestamps */
861 if (futimens(dirfd(d
), ts
) < 0)
862 log_warning_errno(errno
, "Failed to revert timestamps of '%s', ignoring: %m", p
);
868 static bool dangerous_hardlinks(void) {
869 _cleanup_free_
char *value
= NULL
;
870 static int cached
= -1;
873 /* Check whether the fs.protected_hardlinks sysctl is on. If we can't determine it we assume its off, as that's
874 * what the upstream default is. */
879 r
= read_one_line_file("/proc/sys/fs/protected_hardlinks", &value
);
881 log_debug_errno(r
, "Failed to read fs.protected_hardlinks sysctl: %m");
885 r
= parse_boolean(value
);
887 log_debug_errno(r
, "Failed to parse fs.protected_hardlinks sysctl: %m");
895 static bool hardlink_vulnerable(const struct stat
*st
) {
898 return !S_ISDIR(st
->st_mode
) && st
->st_nlink
> 1 && dangerous_hardlinks();
901 static mode_t
process_mask_perms(mode_t mode
, mode_t current
) {
903 if ((current
& 0111) == 0)
905 if ((current
& 0222) == 0)
907 if ((current
& 0444) == 0)
909 if (!S_ISDIR(current
))
910 mode
&= ~07000; /* remove sticky/sgid/suid bit, unless directory */
915 static int fd_set_perms(
920 const struct stat
*st
,
921 CreationMode creation
) {
923 bool do_chown
, do_chmod
;
935 if (!i
->mode_set
&& !i
->uid_set
&& !i
->gid_set
)
939 if (fstat(fd
, &stbuf
) < 0)
940 return log_error_errno(errno
, "fstat(%s) failed: %m", path
);
944 if (hardlink_vulnerable(st
))
945 return log_error_errno(SYNTHETIC_ERRNO(EPERM
),
946 "Refusing to set permissions on hardlinked file %s while the fs.protected_hardlinks sysctl is turned off.",
948 new_uid
= i
->uid_set
&& (creation
!= CREATION_EXISTING
|| !i
->uid_only_create
) ? i
->uid
: st
->st_uid
;
949 new_gid
= i
->gid_set
&& (creation
!= CREATION_EXISTING
|| !i
->gid_only_create
) ? i
->gid
: st
->st_gid
;
951 /* Do we need a chown()? */
952 do_chown
= (new_uid
!= st
->st_uid
) || (new_gid
!= st
->st_gid
);
954 /* Calculate the mode to apply */
955 new_mode
= i
->mode_set
&& (creation
!= CREATION_EXISTING
|| !i
->mode_only_create
) ?
956 (i
->mask_perms
? process_mask_perms(i
->mode
, st
->st_mode
) : i
->mode
) :
957 (st
->st_mode
& 07777);
959 do_chmod
= ((new_mode
^ st
->st_mode
) & 07777) != 0;
961 if (do_chmod
&& do_chown
) {
962 /* Before we issue the chmod() let's reduce the access mode to the common bits of the old and
963 * the new mode. That way there's no time window where the file exists under the old owner
964 * with more than the old access modes — and not under the new owner with more than the new
965 * access modes either. */
967 if (S_ISLNK(st
->st_mode
))
968 log_debug("Skipping temporary mode fix for symlink %s.", path
);
970 mode_t m
= new_mode
& st
->st_mode
; /* Mask new mode by old mode */
972 if (((m
^ st
->st_mode
) & 07777) == 0)
973 log_debug("\"%s\" matches temporary mode %o already.", path
, m
);
975 log_debug("Temporarily changing \"%s\" to mode %o.", path
, m
);
976 r
= fchmod_opath(fd
, m
);
978 return log_error_errno(r
, "fchmod() of %s failed: %m", path
);
984 log_debug("Changing \"%s\" to owner "UID_FMT
":"GID_FMT
, path
, new_uid
, new_gid
);
987 new_uid
!= st
->st_uid
? new_uid
: UID_INVALID
,
988 new_gid
!= st
->st_gid
? new_gid
: GID_INVALID
,
990 return log_error_errno(errno
, "fchownat() of %s failed: %m", path
);
993 /* Now, apply the final mode. We do this in two cases: when the user set a mode explicitly, or after a
994 * chown(), since chown()'s mangle the access mode in regards to sgid/suid in some conditions. */
995 if (do_chmod
|| do_chown
) {
996 if (S_ISLNK(st
->st_mode
))
997 log_debug("Skipping mode fix for symlink %s.", path
);
999 log_debug("Changing \"%s\" to mode %o.", path
, new_mode
);
1000 r
= fchmod_opath(fd
, new_mode
);
1002 return log_error_errno(r
, "fchmod() of %s failed: %m", path
);
1007 return label_fix_full(fd
, /* inode_path= */ NULL
, /* label_path= */ path
, 0);
1010 static int path_open_parent_safe(const char *path
, bool allow_failure
) {
1011 _cleanup_free_
char *dn
= NULL
;
1014 if (!path_is_normalized(path
))
1015 return log_full_errno(allow_failure
? LOG_INFO
: LOG_ERR
,
1016 SYNTHETIC_ERRNO(EINVAL
),
1017 "Failed to open parent of '%s': path not normalized%s.",
1019 allow_failure
? ", ignoring" : "");
1021 r
= path_extract_directory(path
, &dn
);
1023 return log_full_errno(allow_failure
? LOG_INFO
: LOG_ERR
,
1025 "Unable to determine parent directory of '%s'%s: %m",
1027 allow_failure
? ", ignoring" : "");
1029 r
= chase(dn
, arg_root
, allow_failure
? CHASE_SAFE
: CHASE_SAFE
|CHASE_WARN
, NULL
, &fd
);
1030 if (r
== -ENOLINK
) /* Unsafe symlink: already covered by CHASE_WARN */
1033 return log_full_errno(allow_failure
? LOG_INFO
: LOG_ERR
,
1035 "Failed to open path '%s'%s: %m",
1037 allow_failure
? ", ignoring" : "");
1042 static int path_open_safe(const char *path
) {
1045 /* path_open_safe() returns a file descriptor opened with O_PATH after
1046 * verifying that the path doesn't contain unsafe transitions, except
1047 * for its final component as the function does not follow symlink. */
1051 if (!path_is_normalized(path
))
1052 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to open invalid path '%s'.", path
);
1054 r
= chase(path
, arg_root
, CHASE_SAFE
|CHASE_WARN
|CHASE_NOFOLLOW
, NULL
, &fd
);
1056 return r
; /* Unsafe symlink: already covered by CHASE_WARN */
1058 return log_error_errno(r
, "Failed to open path %s: %m", path
);
1063 static int path_set_perms(
1067 CreationMode creation
) {
1069 _cleanup_close_
int fd
= -EBADF
;
1075 fd
= path_open_safe(path
);
1079 return fd_set_perms(c
, i
, fd
, path
, /* st= */ NULL
, creation
);
1082 static int parse_xattrs_from_arg(Item
*i
) {
1088 assert_se(p
= i
->argument
);
1090 _cleanup_free_
char *name
= NULL
, *value
= NULL
, *xattr
= NULL
;
1092 r
= extract_first_word(&p
, &xattr
, NULL
, EXTRACT_UNQUOTE
|EXTRACT_CUNESCAPE
);
1094 log_warning_errno(r
, "Failed to parse extended attribute '%s', ignoring: %m", p
);
1098 r
= split_pair(xattr
, "=", &name
, &value
);
1100 log_warning_errno(r
, "Failed to parse extended attribute, ignoring: %s", xattr
);
1104 if (isempty(name
) || isempty(value
)) {
1105 log_warning("Malformed extended attribute found, ignoring: %s", xattr
);
1109 if (strv_push_pair(&i
->xattrs
, name
, value
) < 0)
1112 name
= value
= NULL
;
1118 static int fd_set_xattrs(
1123 const struct stat
*st
,
1124 CreationMode creation
) {
1131 STRV_FOREACH_PAIR(name
, value
, i
->xattrs
) {
1132 log_debug("Setting extended attribute '%s=%s' on %s.", *name
, *value
, path
);
1133 if (setxattr(FORMAT_PROC_FD_PATH(fd
), *name
, *value
, strlen(*value
), 0) < 0)
1134 return log_error_errno(errno
, "Setting extended attribute %s=%s on %s failed: %m",
1135 *name
, *value
, path
);
1140 static int path_set_xattrs(
1144 CreationMode creation
) {
1146 _cleanup_close_
int fd
= -EBADF
;
1152 fd
= path_open_safe(path
);
1156 return fd_set_xattrs(c
, i
, fd
, path
, /* st = */ NULL
, creation
);
1159 static int parse_acls_from_arg(Item
*item
) {
1165 /* If append_or_force (= modify) is set, we will not modify the acl
1166 * afterwards, so the mask can be added now if necessary. */
1168 r
= parse_acl(item
->argument
, &item
->acl_access
, &item
->acl_access_exec
,
1169 &item
->acl_default
, !item
->append_or_force
);
1171 log_full_errno(arg_graceful
&& IN_SET(r
, -EINVAL
, -ENOENT
, -ESRCH
) ? LOG_DEBUG
: LOG_WARNING
,
1172 r
, "Failed to parse ACL \"%s\", ignoring: %m", item
->argument
);
1174 log_warning("ACLs are not supported, ignoring.");
1181 static int parse_acl_cond_exec(
1183 acl_t access
, /* could be empty (NULL) */
1185 const struct stat
*st
,
1189 _cleanup_(acl_freep
) acl_t parsed
= NULL
;
1191 acl_permset_t permset
;
1199 parsed
= access
? acl_dup(access
) : acl_init(0);
1203 /* Since we substitute 'X' with 'x' in parse_acl(), we just need to copy the entries over
1204 * for directories */
1205 if (S_ISDIR(st
->st_mode
)) {
1206 for (r
= acl_get_entry(cond_exec
, ACL_FIRST_ENTRY
, &entry
);
1208 r
= acl_get_entry(cond_exec
, ACL_NEXT_ENTRY
, &entry
)) {
1210 acl_entry_t parsed_entry
;
1212 if (acl_create_entry(&parsed
, &parsed_entry
) < 0)
1215 if (acl_copy_entry(parsed_entry
, entry
) < 0)
1224 has_exec
= st
->st_mode
& S_IXUSR
;
1226 if (!has_exec
&& append
) {
1227 _cleanup_(acl_freep
) acl_t old
= NULL
;
1229 old
= acl_get_file(path
, ACL_TYPE_ACCESS
);
1233 for (r
= acl_get_entry(old
, ACL_FIRST_ENTRY
, &entry
);
1235 r
= acl_get_entry(old
, ACL_NEXT_ENTRY
, &entry
)) {
1237 if (acl_get_permset(entry
, &permset
) < 0)
1240 r
= acl_get_perm(permset
, ACL_EXECUTE
);
1252 /* Check if we're about to set the execute bit in acl_access */
1253 if (!has_exec
&& access
) {
1254 for (r
= acl_get_entry(access
, ACL_FIRST_ENTRY
, &entry
);
1256 r
= acl_get_entry(access
, ACL_NEXT_ENTRY
, &entry
)) {
1258 if (acl_get_permset(entry
, &permset
) < 0)
1261 r
= acl_get_perm(permset
, ACL_EXECUTE
);
1273 for (r
= acl_get_entry(cond_exec
, ACL_FIRST_ENTRY
, &entry
);
1275 r
= acl_get_entry(cond_exec
, ACL_NEXT_ENTRY
, &entry
)) {
1277 acl_entry_t parsed_entry
;
1279 if (acl_create_entry(&parsed
, &parsed_entry
) < 0)
1282 if (acl_copy_entry(parsed_entry
, entry
) < 0)
1286 if (acl_get_permset(parsed_entry
, &permset
) < 0)
1289 if (acl_delete_perm(permset
, ACL_EXECUTE
) < 0)
1297 if (!append
) { /* want_mask = true */
1298 r
= calc_acl_mask_if_needed(&parsed
);
1303 *ret
= TAKE_PTR(parsed
);
1308 static int path_set_acl(
1316 _cleanup_(acl_free_charpp
) char *t
= NULL
;
1317 _cleanup_(acl_freep
) acl_t dup
= NULL
;
1322 /* Returns 0 for success, positive error if already warned, negative error otherwise. */
1325 r
= acls_for_file(path
, type
, acl
, &dup
);
1329 r
= calc_acl_mask_if_needed(&dup
);
1337 /* the mask was already added earlier if needed */
1340 r
= add_base_acls_if_needed(&dup
, path
);
1344 t
= acl_to_any_text(dup
, NULL
, ',', TEXT_ABBREVIATE
);
1345 log_debug("Setting %s ACL %s on %s.",
1346 type
== ACL_TYPE_ACCESS
? "access" : "default",
1349 r
= acl_set_file(path
, type
, dup
);
1351 if (ERRNO_IS_NOT_SUPPORTED(errno
))
1352 /* No error if filesystem doesn't support ACLs. Return negative. */
1355 /* Return positive to indicate we already warned */
1356 return -log_error_errno(errno
,
1357 "Setting %s ACL \"%s\" on %s failed: %m",
1358 type
== ACL_TYPE_ACCESS
? "access" : "default",
1365 static int fd_set_acls(
1370 const struct stat
*st
,
1371 CreationMode creation
) {
1375 _cleanup_(acl_freep
) acl_t access_with_exec_parsed
= NULL
;
1384 if (fstat(fd
, &stbuf
) < 0)
1385 return log_error_errno(errno
, "fstat(%s) failed: %m", path
);
1389 if (hardlink_vulnerable(st
))
1390 return log_error_errno(SYNTHETIC_ERRNO(EPERM
),
1391 "Refusing to set ACLs on hardlinked file %s while the fs.protected_hardlinks sysctl is turned off.",
1394 if (S_ISLNK(st
->st_mode
)) {
1395 log_debug("Skipping ACL fix for symlink %s.", path
);
1399 if (item
->acl_access_exec
) {
1400 r
= parse_acl_cond_exec(FORMAT_PROC_FD_PATH(fd
),
1402 item
->acl_access_exec
,
1404 item
->append_or_force
,
1405 &access_with_exec_parsed
);
1407 return log_error_errno(r
, "Failed to parse conditionalized execute bit for \"%s\": %m", path
);
1409 r
= path_set_acl(c
, FORMAT_PROC_FD_PATH(fd
), path
, ACL_TYPE_ACCESS
, access_with_exec_parsed
, item
->append_or_force
);
1410 } else if (item
->acl_access
)
1411 r
= path_set_acl(c
, FORMAT_PROC_FD_PATH(fd
), path
, ACL_TYPE_ACCESS
, item
->acl_access
, item
->append_or_force
);
1413 /* set only default acls to folders */
1414 if (r
== 0 && item
->acl_default
&& S_ISDIR(st
->st_mode
))
1415 r
= path_set_acl(c
, FORMAT_PROC_FD_PATH(fd
), path
, ACL_TYPE_DEFAULT
, item
->acl_default
, item
->append_or_force
);
1417 if (ERRNO_IS_NOT_SUPPORTED(r
)) {
1418 log_debug_errno(r
, "ACLs not supported by file system at %s", path
);
1423 return -r
; /* already warned in path_set_acl */
1425 /* The above procfs paths don't work if /proc is not mounted. */
1426 if (r
== -ENOENT
&& proc_mounted() == 0)
1430 return log_error_errno(r
, "ACL operation on \"%s\" failed: %m", path
);
1435 static int path_set_acls(
1439 CreationMode creation
) {
1443 _cleanup_close_
int fd
= -EBADF
;
1449 fd
= path_open_safe(path
);
1453 r
= fd_set_acls(c
, item
, fd
, path
, /* st= */ NULL
, creation
);
1458 static int parse_attribute_from_arg(Item
*item
) {
1460 static const struct {
1464 { 'A', FS_NOATIME_FL
}, /* do not update atime */
1465 { 'S', FS_SYNC_FL
}, /* Synchronous updates */
1466 { 'D', FS_DIRSYNC_FL
}, /* dirsync behaviour (directories only) */
1467 { 'a', FS_APPEND_FL
}, /* writes to file may only append */
1468 { 'c', FS_COMPR_FL
}, /* Compress file */
1469 { 'd', FS_NODUMP_FL
}, /* do not dump file */
1470 { 'e', FS_EXTENT_FL
}, /* Extents */
1471 { 'i', FS_IMMUTABLE_FL
}, /* Immutable file */
1472 { 'j', FS_JOURNAL_DATA_FL
}, /* Reserved for ext3 */
1473 { 's', FS_SECRM_FL
}, /* Secure deletion */
1474 { 'u', FS_UNRM_FL
}, /* Undelete */
1475 { 't', FS_NOTAIL_FL
}, /* file tail should not be merged */
1476 { 'T', FS_TOPDIR_FL
}, /* Top of directory hierarchies */
1477 { 'C', FS_NOCOW_FL
}, /* Do not cow file */
1478 { 'P', FS_PROJINHERIT_FL
}, /* Inherit the quota project ID */
1487 unsigned value
= 0, mask
= 0;
1497 } else if (*p
== '-') {
1500 } else if (*p
== '=') {
1506 if (isempty(p
) && mode
!= MODE_SET
)
1507 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1508 "Setting file attribute on '%s' needs an attribute specification.",
1511 for (; p
&& *p
; p
++) {
1514 for (i
= 0; i
< ELEMENTSOF(attributes
); i
++)
1515 if (*p
== attributes
[i
].character
)
1518 if (i
>= ELEMENTSOF(attributes
))
1519 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1520 "Unknown file attribute '%c' on '%s'.",
1523 v
= attributes
[i
].value
;
1525 SET_FLAG(value
, v
, IN_SET(mode
, MODE_ADD
, MODE_SET
));
1530 if (mode
== MODE_SET
)
1531 mask
|= CHATTR_ALL_FL
;
1535 item
->attribute_mask
= mask
;
1536 item
->attribute_value
= value
;
1537 item
->attribute_set
= true;
1542 static int fd_set_attribute(
1547 const struct stat
*st
,
1548 CreationMode creation
) {
1550 _cleanup_close_
int procfs_fd
= -EBADF
;
1560 if (!item
->attribute_set
|| item
->attribute_mask
== 0)
1564 if (fstat(fd
, &stbuf
) < 0)
1565 return log_error_errno(errno
, "fstat(%s) failed: %m", path
);
1569 /* Issuing the file attribute ioctls on device nodes is not safe, as that will be delivered to the
1570 * drivers, not the file system containing the device node. */
1571 if (!S_ISREG(st
->st_mode
) && !S_ISDIR(st
->st_mode
))
1572 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1573 "Setting file flags is only supported on regular files and directories, cannot set on '%s'.",
1576 f
= item
->attribute_value
& item
->attribute_mask
;
1578 /* Mask away directory-specific flags */
1579 if (!S_ISDIR(st
->st_mode
))
1580 f
&= ~FS_DIRSYNC_FL
;
1582 procfs_fd
= fd_reopen(fd
, O_RDONLY
|O_CLOEXEC
|O_NOATIME
);
1584 return log_error_errno(procfs_fd
, "Failed to re-open '%s': %m", path
);
1586 unsigned previous
, current
;
1587 r
= chattr_full(procfs_fd
, NULL
, f
, item
->attribute_mask
, &previous
, ¤t
, CHATTR_FALLBACK_BITWISE
);
1589 log_warning("Cannot set file attributes for '%s', maybe due to incompatibility in specified attributes, "
1590 "previous=0x%08x, current=0x%08x, expected=0x%08x, ignoring.",
1591 path
, previous
, current
, (previous
& ~item
->attribute_mask
) | (f
& item
->attribute_mask
));
1593 log_full_errno(ERRNO_IS_NOT_SUPPORTED(r
) ? LOG_DEBUG
: LOG_WARNING
, r
,
1594 "Cannot set file attributes for '%s', value=0x%08x, mask=0x%08x, ignoring: %m",
1595 path
, item
->attribute_value
, item
->attribute_mask
);
1600 static int path_set_attribute(
1604 CreationMode creation
) {
1606 _cleanup_close_
int fd
= -EBADF
;
1611 if (!item
->attribute_set
|| item
->attribute_mask
== 0)
1614 fd
= path_open_safe(path
);
1618 return fd_set_attribute(c
, item
, fd
, path
, /* st= */ NULL
, creation
);
1621 static int write_argument_data(Item
*i
, int fd
, const char *path
) {
1628 if (item_binary_argument_size(i
) == 0)
1631 assert(item_binary_argument(i
));
1633 log_debug("Writing to \"%s\".", path
);
1635 r
= loop_write(fd
, item_binary_argument(i
), item_binary_argument_size(i
));
1637 return log_error_errno(r
, "Failed to write file \"%s\": %m", path
);
1642 static int write_one_file(Context
*c
, Item
*i
, const char *path
, CreationMode creation
) {
1643 _cleanup_close_
int fd
= -EBADF
, dir_fd
= -EBADF
;
1644 _cleanup_free_
char *bn
= NULL
;
1650 assert(i
->type
== WRITE_FILE
);
1652 r
= path_extract_filename(path
, &bn
);
1654 return log_error_errno(r
, "Failed to extract filename from path '%s': %m", path
);
1655 if (r
== O_DIRECTORY
)
1656 return log_error_errno(SYNTHETIC_ERRNO(EISDIR
), "Cannot open path '%s' for writing, is a directory.", path
);
1658 /* Validate the path and keep the fd on the directory for opening the file so we're sure that it
1659 * can't be changed behind our back. */
1660 dir_fd
= path_open_parent_safe(path
, i
->allow_failure
);
1664 /* Follows symlinks */
1665 fd
= openat(dir_fd
, bn
,
1666 O_NONBLOCK
|O_CLOEXEC
|O_WRONLY
|O_NOCTTY
|(i
->append_or_force
? O_APPEND
: 0),
1669 if (errno
== ENOENT
) {
1670 log_debug_errno(errno
, "Not writing missing file \"%s\": %m", path
);
1674 if (i
->allow_failure
)
1675 return log_debug_errno(errno
, "Failed to open file \"%s\", ignoring: %m", path
);
1677 return log_error_errno(errno
, "Failed to open file \"%s\": %m", path
);
1680 /* 'w' is allowed to write into any kind of files. */
1682 r
= write_argument_data(i
, fd
, path
);
1686 return fd_set_perms(c
, i
, fd
, path
, NULL
, creation
);
1689 static int create_file(
1694 _cleanup_close_
int fd
= -EBADF
, dir_fd
= -EBADF
;
1695 _cleanup_free_
char *bn
= NULL
;
1696 struct stat stbuf
, *st
= NULL
;
1697 CreationMode creation
;
1703 assert(i
->type
== CREATE_FILE
);
1705 /* 'f' operates on regular files exclusively. */
1707 r
= path_extract_filename(path
, &bn
);
1709 return log_error_errno(r
, "Failed to extract filename from path '%s': %m", path
);
1710 if (r
== O_DIRECTORY
)
1711 return log_error_errno(SYNTHETIC_ERRNO(EISDIR
), "Cannot open path '%s' for writing, is a directory.", path
);
1713 /* Validate the path and keep the fd on the directory for opening the file so we're sure that it
1714 * can't be changed behind our back. */
1715 dir_fd
= path_open_parent_safe(path
, i
->allow_failure
);
1720 mac_selinux_create_file_prepare(path
, S_IFREG
);
1721 fd
= RET_NERRNO(openat(dir_fd
, bn
, O_CREAT
|O_EXCL
|O_NOFOLLOW
|O_NONBLOCK
|O_CLOEXEC
|O_WRONLY
|O_NOCTTY
, i
->mode
));
1722 mac_selinux_create_file_clear();
1726 /* Even on a read-only filesystem, open(2) returns EEXIST if the file already exists. It
1727 * returns EROFS only if it needs to create the file. */
1729 return log_error_errno(fd
, "Failed to create file %s: %m", path
);
1731 /* Re-open the file. At that point it must exist since open(2) failed with EEXIST. We still
1732 * need to check if the perms/mode need to be changed. For read-only filesystems, we let
1733 * fd_set_perms() report the error if the perms need to be modified. */
1734 fd
= openat(dir_fd
, bn
, O_NOFOLLOW
|O_CLOEXEC
|O_PATH
, i
->mode
);
1736 return log_error_errno(errno
, "Failed to re-open file %s: %m", path
);
1738 if (fstat(fd
, &stbuf
) < 0)
1739 return log_error_errno(errno
, "stat(%s) failed: %m", path
);
1741 if (!S_ISREG(stbuf
.st_mode
))
1742 return log_error_errno(SYNTHETIC_ERRNO(EEXIST
),
1743 "%s exists and is not a regular file.",
1747 creation
= CREATION_EXISTING
;
1749 r
= write_argument_data(i
, fd
, path
);
1753 creation
= CREATION_NORMAL
;
1756 return fd_set_perms(c
, i
, fd
, path
, st
, creation
);
1759 static int truncate_file(
1764 _cleanup_close_
int fd
= -EBADF
, dir_fd
= -EBADF
;
1765 _cleanup_free_
char *bn
= NULL
;
1766 struct stat stbuf
, *st
= NULL
;
1767 CreationMode creation
;
1774 assert(i
->type
== TRUNCATE_FILE
|| (i
->type
== CREATE_FILE
&& i
->append_or_force
));
1776 /* We want to operate on regular file exclusively especially since O_TRUNC is unspecified if the file
1777 * is neither a regular file nor a fifo nor a terminal device. Therefore we first open the file and
1778 * make sure it's a regular one before truncating it. */
1780 r
= path_extract_filename(path
, &bn
);
1782 return log_error_errno(r
, "Failed to extract filename from path '%s': %m", path
);
1783 if (r
== O_DIRECTORY
)
1784 return log_error_errno(SYNTHETIC_ERRNO(EISDIR
), "Cannot open path '%s' for truncation, is a directory.", path
);
1786 /* Validate the path and keep the fd on the directory for opening the file so we're sure that it
1787 * can't be changed behind our back. */
1788 dir_fd
= path_open_parent_safe(path
, i
->allow_failure
);
1792 creation
= CREATION_EXISTING
;
1793 fd
= RET_NERRNO(openat(dir_fd
, bn
, O_NOFOLLOW
|O_NONBLOCK
|O_CLOEXEC
|O_WRONLY
|O_NOCTTY
, i
->mode
));
1794 if (fd
== -ENOENT
) {
1795 creation
= CREATION_NORMAL
; /* Didn't work without O_CREATE, try again with */
1798 mac_selinux_create_file_prepare(path
, S_IFREG
);
1799 fd
= RET_NERRNO(openat(dir_fd
, bn
, O_CREAT
|O_NOFOLLOW
|O_NONBLOCK
|O_CLOEXEC
|O_WRONLY
|O_NOCTTY
, i
->mode
));
1800 mac_selinux_create_file_clear();
1806 return log_error_errno(fd
, "Failed to open/create file %s: %m", path
);
1808 /* On a read-only filesystem, we don't want to fail if the target is already empty and the
1809 * perms are set. So we still proceed with the sanity checks and let the remaining operations
1810 * fail with EROFS if they try to modify the target file. */
1812 fd
= openat(dir_fd
, bn
, O_NOFOLLOW
|O_CLOEXEC
|O_PATH
, i
->mode
);
1814 if (errno
== ENOENT
)
1815 return log_error_errno(SYNTHETIC_ERRNO(EROFS
),
1816 "Cannot create file %s on a read-only file system.",
1819 return log_error_errno(errno
, "Failed to re-open file %s: %m", path
);
1823 creation
= CREATION_EXISTING
;
1826 if (fstat(fd
, &stbuf
) < 0)
1827 return log_error_errno(errno
, "stat(%s) failed: %m", path
);
1829 if (!S_ISREG(stbuf
.st_mode
))
1830 return log_error_errno(SYNTHETIC_ERRNO(EEXIST
),
1831 "%s exists and is not a regular file.",
1834 if (stbuf
.st_size
> 0) {
1835 if (ftruncate(fd
, 0) < 0) {
1836 r
= erofs
? -EROFS
: -errno
;
1837 return log_error_errno(r
, "Failed to truncate file %s: %m", path
);
1842 log_debug("\"%s\" has been created.", path
);
1844 if (item_binary_argument(i
)) {
1845 r
= write_argument_data(i
, fd
, path
);
1850 return fd_set_perms(c
, i
, fd
, path
, st
, creation
);
1853 static int copy_files(Context
*c
, Item
*i
) {
1854 _cleanup_close_
int dfd
= -EBADF
, fd
= -EBADF
;
1855 _cleanup_free_
char *bn
= NULL
;
1859 log_debug("Copying tree \"%s\" to \"%s\".", i
->argument
, i
->path
);
1861 r
= path_extract_filename(i
->path
, &bn
);
1863 return log_error_errno(r
, "Failed to extract filename from path '%s': %m", i
->path
);
1865 /* Validate the path and use the returned directory fd for copying the target so we're sure that the
1866 * path can't be changed behind our back. */
1867 dfd
= path_open_parent_safe(i
->path
, i
->allow_failure
);
1871 r
= copy_tree_at(AT_FDCWD
, i
->argument
,
1873 i
->uid_set
? i
->uid
: UID_INVALID
,
1874 i
->gid_set
? i
->gid
: GID_INVALID
,
1875 COPY_REFLINK
| ((i
->append_or_force
) ? COPY_MERGE
: COPY_MERGE_EMPTY
) | COPY_MAC_CREATE
| COPY_HARDLINKS
,
1878 fd
= openat(dfd
, bn
, O_NOFOLLOW
|O_CLOEXEC
|O_PATH
);
1880 if (r
< 0) /* Look at original error first */
1881 return log_error_errno(r
, "Failed to copy files to %s: %m", i
->path
);
1883 return log_error_errno(errno
, "Failed to openat(%s): %m", i
->path
);
1886 if (fstat(fd
, &st
) < 0)
1887 return log_error_errno(errno
, "Failed to fstat(%s): %m", i
->path
);
1889 if (stat(i
->argument
, &a
) < 0)
1890 return log_error_errno(errno
, "Failed to stat(%s): %m", i
->argument
);
1892 if (((st
.st_mode
^ a
.st_mode
) & S_IFMT
) != 0) {
1893 log_debug("Can't copy to %s, file exists already and is of different type", i
->path
);
1897 return fd_set_perms(c
, i
, fd
, i
->path
, &st
, _CREATION_MODE_INVALID
);
1900 static int create_directory_or_subvolume(
1905 struct stat
*ret_st
,
1906 CreationMode
*ret_creation
) {
1908 _cleanup_free_
char *bn
= NULL
;
1909 _cleanup_close_
int pfd
= -EBADF
;
1910 CreationMode creation
;
1916 r
= path_extract_filename(path
, &bn
);
1918 return log_error_errno(r
, "Failed to extract filename from path '%s': %m", path
);
1920 pfd
= path_open_parent_safe(path
, allow_failure
);
1925 r
= getenv_bool("SYSTEMD_TMPFILES_FORCE_SUBVOL");
1927 if (r
!= -ENXIO
) /* env var is unset */
1928 log_warning_errno(r
, "Cannot parse value of $SYSTEMD_TMPFILES_FORCE_SUBVOL, ignoring.");
1929 r
= btrfs_is_subvol(empty_to_root(arg_root
)) > 0;
1932 /* Don't create a subvolume unless the root directory is one, too. We do this under
1933 * the assumption that if the root directory is just a plain directory (i.e. very
1934 * light-weight), we shouldn't try to split it up into subvolumes (i.e. more
1935 * heavy-weight). Thus, chroot() environments and suchlike will get a full brtfs
1936 * subvolume set up below their tree only if they specifically set up a btrfs
1937 * subvolume for the root dir too. */
1941 WITH_UMASK((~mode
) & 0777)
1942 r
= btrfs_subvol_make(pfd
, bn
);
1947 if (!subvol
|| ERRNO_IS_NEG_NOT_SUPPORTED(r
))
1949 r
= mkdirat_label(pfd
, bn
, mode
);
1951 creation
= r
>= 0 ? CREATION_NORMAL
: CREATION_EXISTING
;
1953 fd
= openat(pfd
, bn
, O_NOFOLLOW
|O_CLOEXEC
|O_DIRECTORY
|O_PATH
);
1955 /* We couldn't open it because it is not actually a directory? */
1956 if (errno
== ENOTDIR
)
1957 return log_error_errno(SYNTHETIC_ERRNO(EEXIST
), "\"%s\" already exists and is not a directory.", path
);
1959 /* Then look at the original error */
1961 return log_full_errno(allow_failure
? LOG_INFO
: LOG_ERR
,
1963 "Failed to create directory or subvolume \"%s\"%s: %m",
1965 allow_failure
? ", ignoring" : "");
1967 return log_error_errno(errno
, "Failed to open directory/subvolume we just created '%s': %m", path
);
1970 if (fstat(fd
, &st
) < 0)
1971 return log_error_errno(errno
, "Failed to fstat(%s): %m", path
);
1973 assert(S_ISDIR(st
.st_mode
)); /* we used O_DIRECTORY above */
1975 log_debug("%s directory \"%s\".", creation_mode_verb_to_string(creation
), path
);
1980 *ret_creation
= creation
;
1985 static int create_directory(
1990 _cleanup_close_
int fd
= -EBADF
;
1991 CreationMode creation
;
1996 assert(IN_SET(i
->type
, CREATE_DIRECTORY
, TRUNCATE_DIRECTORY
));
1998 fd
= create_directory_or_subvolume(path
, i
->mode
, /* subvol= */ false, i
->allow_failure
, &st
, &creation
);
2004 return fd_set_perms(c
, i
, fd
, path
, &st
, creation
);
2007 static int create_subvolume(
2012 _cleanup_close_
int fd
= -EBADF
;
2013 CreationMode creation
;
2019 assert(IN_SET(i
->type
, CREATE_SUBVOLUME
, CREATE_SUBVOLUME_NEW_QUOTA
, CREATE_SUBVOLUME_INHERIT_QUOTA
));
2021 fd
= create_directory_or_subvolume(path
, i
->mode
, /* subvol = */ true, i
->allow_failure
, &st
, &creation
);
2027 if (creation
== CREATION_NORMAL
&&
2028 IN_SET(i
->type
, CREATE_SUBVOLUME_NEW_QUOTA
, CREATE_SUBVOLUME_INHERIT_QUOTA
)) {
2029 r
= btrfs_subvol_auto_qgroup_fd(fd
, 0, i
->type
== CREATE_SUBVOLUME_NEW_QUOTA
);
2031 log_debug_errno(r
, "Couldn't adjust quota for subvolume \"%s\" (unsupported fs or dir not a subvolume): %m", i
->path
);
2032 else if (r
== -EROFS
)
2033 log_debug_errno(r
, "Couldn't adjust quota for subvolume \"%s\" (fs is read-only).", i
->path
);
2034 else if (r
== -ENOTCONN
)
2035 log_debug_errno(r
, "Couldn't adjust quota for subvolume \"%s\" (quota support is disabled).", i
->path
);
2037 q
= log_error_errno(r
, "Failed to adjust quota for subvolume \"%s\": %m", i
->path
);
2039 log_debug("Adjusted quota for subvolume \"%s\".", i
->path
);
2041 log_debug("Quota for subvolume \"%s\" already in place, no change made.", i
->path
);
2044 r
= fd_set_perms(c
, i
, fd
, path
, &st
, creation
);
2045 if (q
< 0) /* prefer the quota change error from above */
2051 static int empty_directory(
2055 CreationMode creation
) {
2057 _cleanup_close_
int fd
= -EBADF
;
2063 assert(i
->type
== EMPTY_DIRECTORY
);
2065 r
= chase(path
, arg_root
, CHASE_SAFE
|CHASE_WARN
, NULL
, &fd
);
2066 if (r
== -ENOLINK
) /* Unsafe symlink: already covered by CHASE_WARN */
2069 /* Option "e" operates only on existing objects. Do not print errors about non-existent files
2071 log_debug_errno(r
, "Skipping missing directory: %s", path
);
2075 return log_error_errno(r
, "Failed to open directory '%s': %m", path
);
2077 if (fstat(fd
, &st
) < 0)
2078 return log_error_errno(errno
, "Failed to fstat(%s): %m", path
);
2079 if (!S_ISDIR(st
.st_mode
)) {
2080 log_warning("'%s' already exists and is not a directory.", path
);
2084 return fd_set_perms(c
, i
, fd
, path
, &st
, creation
);
2087 static int create_device(
2092 _cleanup_close_
int dfd
= -EBADF
, fd
= -EBADF
;
2093 _cleanup_free_
char *bn
= NULL
;
2094 CreationMode creation
;
2100 assert(IN_SET(i
->type
, CREATE_BLOCK_DEVICE
, CREATE_CHAR_DEVICE
));
2101 assert(IN_SET(file_type
, S_IFBLK
, S_IFCHR
));
2103 r
= path_extract_filename(i
->path
, &bn
);
2105 return log_error_errno(r
, "Failed to extract filename from path '%s': %m", i
->path
);
2106 if (r
== O_DIRECTORY
)
2107 return log_error_errno(SYNTHETIC_ERRNO(EISDIR
), "Cannot open path '%s' for creating device node, is a directory.", i
->path
);
2109 /* Validate the path and use the returned directory fd for copying the target so we're sure that the
2110 * path can't be changed behind our back. */
2111 dfd
= path_open_parent_safe(i
->path
, i
->allow_failure
);
2116 mac_selinux_create_file_prepare(i
->path
, file_type
);
2117 r
= RET_NERRNO(mknodat(dfd
, bn
, i
->mode
| file_type
, i
->major_minor
));
2118 mac_selinux_create_file_clear();
2120 creation
= r
>= 0 ? CREATION_NORMAL
: CREATION_EXISTING
;
2122 /* Try to open the inode via O_PATH, regardless if we could create it or not. Maybe everything is in
2123 * order anyway and we hence can ignore the error to create the device node */
2124 fd
= openat(dfd
, bn
, O_NOFOLLOW
|O_CLOEXEC
|O_PATH
);
2126 /* OK, so opening the inode failed, let's look at the original error then. */
2129 if (ERRNO_IS_PRIVILEGE(r
))
2130 goto handle_privilege
;
2132 return log_error_errno(r
, "Failed to create device node '%s': %m", i
->path
);
2135 return log_error_errno(errno
, "Failed to open device node '%s' we just created: %m", i
->path
);
2138 if (fstat(fd
, &st
) < 0)
2139 return log_error_errno(errno
, "Failed to fstat(%s): %m", i
->path
);
2141 if (((st
.st_mode
^ file_type
) & S_IFMT
) != 0) {
2143 if (i
->append_or_force
) {
2144 fd
= safe_close(fd
);
2147 mac_selinux_create_file_prepare(i
->path
, file_type
);
2148 r
= mknodat_atomic(dfd
, bn
, i
->mode
| file_type
, i
->major_minor
);
2149 mac_selinux_create_file_clear();
2151 if (ERRNO_IS_PRIVILEGE(r
))
2152 goto handle_privilege
;
2153 if (IN_SET(r
, -EISDIR
, -EEXIST
, -ENOTEMPTY
)) {
2154 r
= rm_rf_child(dfd
, bn
, REMOVE_PHYSICAL
);
2156 return log_error_errno(r
, "rm -rf %s failed: %m", i
->path
);
2158 mac_selinux_create_file_prepare(i
->path
, file_type
);
2159 r
= RET_NERRNO(mknodat(dfd
, bn
, i
->mode
| file_type
, i
->major_minor
));
2160 mac_selinux_create_file_clear();
2163 return log_error_errno(r
, "Failed to create device node '%s': %m", i
->path
);
2165 fd
= openat(dfd
, bn
, O_NOFOLLOW
|O_CLOEXEC
|O_PATH
);
2167 return log_error_errno(errno
, "Failed to open device node we just created '%s': %m", i
->path
);
2169 /* Validate type before change ownership below */
2170 if (fstat(fd
, &st
) < 0)
2171 return log_error_errno(errno
, "Failed to fstat(%s): %m", i
->path
);
2173 if (((st
.st_mode
^ file_type
) & S_IFMT
) != 0)
2174 return log_error_errno(SYNTHETIC_ERRNO(EBADF
), "Device node we just created is not a device node, refusing.");
2176 creation
= CREATION_FORCE
;
2178 log_warning("\"%s\" already exists and is not a device node.", i
->path
);
2183 log_debug("%s %s device node \"%s\" %u:%u.",
2184 creation_mode_verb_to_string(creation
),
2185 i
->type
== CREATE_BLOCK_DEVICE
? "block" : "char",
2186 i
->path
, major(i
->mode
), minor(i
->mode
));
2188 return fd_set_perms(c
, i
, fd
, i
->path
, &st
, creation
);
2192 "We lack permissions, possibly because of cgroup configuration; "
2193 "skipping creation of device node '%s'.", i
->path
);
2197 static int create_fifo(Context
*c
, Item
*i
) {
2198 _cleanup_close_
int pfd
= -EBADF
, fd
= -EBADF
;
2199 _cleanup_free_
char *bn
= NULL
;
2200 CreationMode creation
;
2206 assert(i
->type
== CREATE_FIFO
);
2208 r
= path_extract_filename(i
->path
, &bn
);
2210 return log_error_errno(r
, "Failed to extract filename from path '%s': %m", i
->path
);
2211 if (r
== O_DIRECTORY
)
2212 return log_error_errno(SYNTHETIC_ERRNO(EISDIR
), "Cannot open path '%s' for creating FIFO, is a directory.", i
->path
);
2214 pfd
= path_open_parent_safe(i
->path
, i
->allow_failure
);
2219 mac_selinux_create_file_prepare(i
->path
, S_IFIFO
);
2220 r
= RET_NERRNO(mkfifoat(pfd
, bn
, i
->mode
));
2221 mac_selinux_create_file_clear();
2224 creation
= r
>= 0 ? CREATION_NORMAL
: CREATION_EXISTING
;
2226 /* Open the inode via O_PATH, regardless if we managed to create it or not. Maybe it is already the FIFO we want */
2227 fd
= openat(pfd
, bn
, O_NOFOLLOW
|O_CLOEXEC
|O_PATH
);
2230 return log_error_errno(r
, "Failed to create FIFO %s: %m", i
->path
); /* original error! */
2232 return log_error_errno(errno
, "Failed to open FIFO we just created %s: %m", i
->path
);
2235 if (fstat(fd
, &st
) < 0)
2236 return log_error_errno(errno
, "Failed to fstat(%s): %m", i
->path
);
2238 if (!S_ISFIFO(st
.st_mode
)) {
2240 if (i
->append_or_force
) {
2241 fd
= safe_close(fd
);
2244 mac_selinux_create_file_prepare(i
->path
, S_IFIFO
);
2245 r
= mkfifoat_atomic(pfd
, bn
, i
->mode
);
2246 mac_selinux_create_file_clear();
2248 if (IN_SET(r
, -EISDIR
, -EEXIST
, -ENOTEMPTY
)) {
2249 r
= rm_rf_child(pfd
, bn
, REMOVE_PHYSICAL
);
2251 return log_error_errno(r
, "rm -rf %s failed: %m", i
->path
);
2253 mac_selinux_create_file_prepare(i
->path
, S_IFIFO
);
2254 r
= RET_NERRNO(mkfifoat(pfd
, bn
, i
->mode
));
2255 mac_selinux_create_file_clear();
2258 return log_error_errno(r
, "Failed to create FIFO %s: %m", i
->path
);
2260 fd
= openat(pfd
, bn
, O_NOFOLLOW
|O_CLOEXEC
|O_PATH
);
2262 return log_error_errno(errno
, "Failed to open FIFO we just created '%s': %m", i
->path
);
2264 /* Validate type before change ownership below */
2265 if (fstat(fd
, &st
) < 0)
2266 return log_error_errno(errno
, "Failed to fstat(%s): %m", i
->path
);
2268 if (!S_ISFIFO(st
.st_mode
))
2269 return log_error_errno(SYNTHETIC_ERRNO(EBADF
), "FIFO inode we just created is not a FIFO, refusing.");
2271 creation
= CREATION_FORCE
;
2273 log_warning("\"%s\" already exists and is not a FIFO.", i
->path
);
2278 log_debug("%s fifo \"%s\".", creation_mode_verb_to_string(creation
), i
->path
);
2280 return fd_set_perms(c
, i
, fd
, i
->path
, &st
, creation
);
2283 static int create_symlink(Context
*c
, Item
*i
) {
2284 _cleanup_close_
int pfd
= -EBADF
, fd
= -EBADF
;
2285 _cleanup_free_
char *bn
= NULL
;
2286 CreationMode creation
;
2294 r
= path_extract_filename(i
->path
, &bn
);
2296 return log_error_errno(r
, "Failed to extract filename from path '%s': %m", i
->path
);
2297 if (r
== O_DIRECTORY
)
2298 return log_error_errno(SYNTHETIC_ERRNO(EISDIR
), "Cannot open path '%s' for creating FIFO, is a directory.", i
->path
);
2300 pfd
= path_open_parent_safe(i
->path
, i
->allow_failure
);
2304 mac_selinux_create_file_prepare(i
->path
, S_IFLNK
);
2305 r
= RET_NERRNO(symlinkat(i
->argument
, pfd
, bn
));
2306 mac_selinux_create_file_clear();
2308 creation
= r
>= 0 ? CREATION_NORMAL
: CREATION_EXISTING
;
2310 fd
= openat(pfd
, bn
, O_NOFOLLOW
|O_CLOEXEC
|O_PATH
);
2313 return log_error_errno(r
, "Failed to create symlink '%s': %m", i
->path
); /* original error! */
2315 return log_error_errno(errno
, "Failed to open symlink we just created '%s': %m", i
->path
);
2318 if (fstat(fd
, &st
) < 0)
2319 return log_error_errno(errno
, "Failed to fstat(%s): %m", i
->path
);
2321 if (S_ISLNK(st
.st_mode
)) {
2322 _cleanup_free_
char *x
= NULL
;
2324 r
= readlinkat_malloc(fd
, "", &x
);
2326 return log_error_errno(r
, "readlinkat(%s) failed: %m", i
->path
);
2328 good
= streq(x
, i
->argument
);
2333 if (!i
->append_or_force
) {
2334 log_debug("\"%s\" is not a symlink or does not point to the correct path.", i
->path
);
2338 fd
= safe_close(fd
);
2340 mac_selinux_create_file_prepare(i
->path
, S_IFLNK
);
2341 r
= symlinkat_atomic_full(i
->argument
, pfd
, bn
, /* make_relative= */ false);
2342 mac_selinux_create_file_clear();
2343 if (IN_SET(r
, -EISDIR
, -EEXIST
, -ENOTEMPTY
)) {
2344 r
= rm_rf_child(pfd
, bn
, REMOVE_PHYSICAL
);
2346 return log_error_errno(r
, "rm -rf %s failed: %m", i
->path
);
2348 mac_selinux_create_file_prepare(i
->path
, S_IFLNK
);
2349 r
= RET_NERRNO(symlinkat(i
->argument
, pfd
, i
->path
));
2350 mac_selinux_create_file_clear();
2353 return log_error_errno(r
, "symlink(%s, %s) failed: %m", i
->argument
, i
->path
);
2355 fd
= openat(pfd
, bn
, O_NOFOLLOW
|O_CLOEXEC
|O_PATH
);
2357 return log_error_errno(errno
, "Failed to open symlink we just created '%s': %m", i
->path
);
2359 /* Validate type before change ownership below */
2360 if (fstat(fd
, &st
) < 0)
2361 return log_error_errno(errno
, "Failed to fstat(%s): %m", i
->path
);
2363 if (!S_ISLNK(st
.st_mode
))
2364 return log_error_errno(SYNTHETIC_ERRNO(EBADF
), "Symlink we just created is not a symlink, refusing.");
2366 creation
= CREATION_FORCE
;
2369 log_debug("%s symlink \"%s\".", creation_mode_verb_to_string(creation
), i
->path
);
2370 return fd_set_perms(c
, i
, fd
, i
->path
, &st
, creation
);
2373 typedef int (*action_t
)(Context
*c
, Item
*i
, const char *path
, CreationMode creation
);
2374 typedef int (*fdaction_t
)(Context
*c
, Item
*i
, int fd
, const char *path
, const struct stat
*st
, CreationMode creation
);
2381 CreationMode creation
,
2382 fdaction_t action
) {
2392 if (fstat(fd
, &st
) < 0) {
2393 r
= log_error_errno(errno
, "fstat() on file failed: %m");
2397 /* This returns the first error we run into, but nevertheless tries to go on */
2398 r
= action(c
, i
, fd
, path
, &st
, creation
);
2400 if (S_ISDIR(st
.st_mode
)) {
2401 _cleanup_closedir_
DIR *d
= NULL
;
2403 /* The passed 'fd' was opened with O_PATH. We need to convert it into a 'regular' fd before
2404 * reading the directory content. */
2405 d
= opendir(FORMAT_PROC_FD_PATH(fd
));
2407 log_error_errno(errno
, "Failed to opendir() '%s': %m", FORMAT_PROC_FD_PATH(fd
));
2413 FOREACH_DIRENT_ALL(de
, d
, q
= -errno
; goto finish
) {
2416 if (dot_or_dot_dot(de
->d_name
))
2419 de_fd
= openat(fd
, de
->d_name
, O_NOFOLLOW
|O_CLOEXEC
|O_PATH
);
2421 q
= log_error_errno(errno
, "Failed to open() file '%s': %m", de
->d_name
);
2423 _cleanup_free_
char *de_path
= NULL
;
2425 de_path
= path_join(path
, de
->d_name
);
2429 /* Pass ownership of dirent fd over */
2430 q
= item_do(c
, i
, de_fd
, de_path
, CREATION_EXISTING
, action
);
2433 if (q
< 0 && r
== 0)
2442 static int glob_item(Context
*c
, Item
*i
, action_t action
) {
2443 _cleanup_globfree_ glob_t g
= {
2444 .gl_opendir
= (void *(*)(const char *)) opendir_nomod
,
2451 k
= safe_glob(i
->path
, GLOB_NOSORT
|GLOB_BRACE
, &g
);
2452 if (k
< 0 && k
!= -ENOENT
)
2453 return log_error_errno(k
, "glob(%s) failed: %m", i
->path
);
2455 STRV_FOREACH(fn
, g
.gl_pathv
) {
2456 /* We pass CREATION_EXISTING here, since if we are globbing for it, it always has to exist */
2457 k
= action(c
, i
, *fn
, CREATION_EXISTING
);
2458 if (k
< 0 && r
== 0)
2465 static int glob_item_recursively(
2468 fdaction_t action
) {
2470 _cleanup_globfree_ glob_t g
= {
2471 .gl_opendir
= (void *(*)(const char *)) opendir_nomod
,
2475 k
= safe_glob(i
->path
, GLOB_NOSORT
|GLOB_BRACE
, &g
);
2476 if (k
< 0 && k
!= -ENOENT
)
2477 return log_error_errno(k
, "glob(%s) failed: %m", i
->path
);
2479 STRV_FOREACH(fn
, g
.gl_pathv
) {
2480 _cleanup_close_
int fd
= -EBADF
;
2482 /* Make sure we won't trigger/follow file object (such as
2483 * device nodes, automounts, ...) pointed out by 'fn' with
2484 * O_PATH. Note, when O_PATH is used, flags other than
2485 * O_CLOEXEC, O_DIRECTORY, and O_NOFOLLOW are ignored. */
2487 fd
= open(*fn
, O_CLOEXEC
|O_NOFOLLOW
|O_PATH
);
2489 log_error_errno(errno
, "Opening '%s' failed: %m", *fn
);
2495 k
= item_do(c
, i
, fd
, *fn
, CREATION_EXISTING
, action
);
2496 if (k
< 0 && r
== 0)
2499 /* we passed fd ownership to the previous call */
2506 static int rm_if_wrong_type_safe(
2509 const struct stat
*parent_st
, /* Only used if follow_links below is true. */
2512 _cleanup_free_
char *parent_name
= NULL
;
2513 bool follow_links
= !FLAGS_SET(flags
, AT_SYMLINK_NOFOLLOW
);
2518 assert((mode
& ~S_IFMT
) == 0);
2519 assert(!follow_links
|| parent_st
);
2520 assert((flags
& ~AT_SYMLINK_NOFOLLOW
) == 0);
2522 if (!filename_is_valid(name
))
2523 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "\"%s\" is not a valid filename.", name
);
2525 r
= fstatat_harder(parent_fd
, name
, &st
, flags
, REMOVE_CHMOD
| REMOVE_CHMOD_RESTORE
);
2527 (void) fd_get_path(parent_fd
, &parent_name
);
2528 return log_full_errno(r
== -ENOENT
? LOG_DEBUG
: LOG_ERR
, r
,
2529 "Failed to stat \"%s\" at \"%s\": %m", name
, strna(parent_name
));
2532 /* Fail before removing anything if this is an unsafe transition. */
2533 if (follow_links
&& unsafe_transition(parent_st
, &st
)) {
2534 (void) fd_get_path(parent_fd
, &parent_name
);
2535 return log_error_errno(SYNTHETIC_ERRNO(ENOLINK
),
2536 "Unsafe transition from \"%s\" to \"%s\".", parent_name
, name
);
2539 if ((st
.st_mode
& S_IFMT
) == mode
)
2542 (void) fd_get_path(parent_fd
, &parent_name
);
2543 log_notice("Wrong file type 0o%o; rm -rf \"%s/%s\"", st
.st_mode
& S_IFMT
, strna(parent_name
), name
);
2545 /* If the target of the symlink was the wrong type, the link needs to be removed instead of the
2546 * target, so make sure it is identified as a link and not a directory. */
2548 r
= fstatat_harder(parent_fd
, name
, &st
, AT_SYMLINK_NOFOLLOW
, REMOVE_CHMOD
| REMOVE_CHMOD_RESTORE
);
2550 return log_error_errno(r
, "Failed to stat \"%s\" at \"%s\": %m", name
, strna(parent_name
));
2553 /* Do not remove mount points. */
2554 r
= fd_is_mount_point(parent_fd
, name
, follow_links
? AT_SYMLINK_FOLLOW
: 0);
2556 (void) log_warning_errno(r
, "Failed to check if \"%s/%s\" is a mount point: %m; Continuing",
2557 strna(parent_name
), name
);
2559 return log_error_errno(SYNTHETIC_ERRNO(EBUSY
),
2560 "Not removing \"%s/%s\" because it is a mount point.", strna(parent_name
), name
);
2562 if ((st
.st_mode
& S_IFMT
) == S_IFDIR
) {
2563 _cleanup_close_
int child_fd
= -EBADF
;
2565 child_fd
= openat(parent_fd
, name
, O_NOCTTY
| O_CLOEXEC
| O_DIRECTORY
);
2567 return log_error_errno(errno
, "Failed to open \"%s\" at \"%s\": %m", name
, strna(parent_name
));
2569 r
= rm_rf_children(TAKE_FD(child_fd
), REMOVE_ROOT
|REMOVE_SUBVOLUME
|REMOVE_PHYSICAL
, &st
);
2571 return log_error_errno(r
, "Failed to remove contents of \"%s\" at \"%s\": %m", name
, strna(parent_name
));
2573 r
= unlinkat_harder(parent_fd
, name
, AT_REMOVEDIR
, REMOVE_CHMOD
| REMOVE_CHMOD_RESTORE
);
2575 r
= unlinkat_harder(parent_fd
, name
, 0, REMOVE_CHMOD
| REMOVE_CHMOD_RESTORE
);
2577 return log_error_errno(r
, "Failed to remove \"%s\" at \"%s\": %m", name
, strna(parent_name
));
2579 /* This is covered by the log_notice "Wrong file type..." It is logged earlier because it gives
2580 * context to other error messages that might follow. */
2584 /* If child_mode is non-zero, rm_if_wrong_type_safe will be executed for the last path component. */
2585 static int mkdir_parents_rm_if_wrong_type(mode_t child_mode
, const char *path
) {
2586 _cleanup_close_
int parent_fd
= -EBADF
;
2587 struct stat parent_st
;
2592 assert((child_mode
& ~S_IFMT
) == 0);
2594 path_len
= strlen(path
);
2597 /* rm_if_wrong_type_safe already logs errors. */
2598 return child_mode
!= 0 ? rm_if_wrong_type_safe(child_mode
, AT_FDCWD
, NULL
, path
, AT_SYMLINK_NOFOLLOW
) : 0;
2600 if (child_mode
!= 0 && endswith(path
, "/"))
2601 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
2602 "Trailing path separators are only allowed if child_mode is not set; got \"%s\"", path
);
2604 /* Get the parent_fd and stat. */
2605 parent_fd
= openat(AT_FDCWD
, path_is_absolute(path
) ? "/" : ".", O_NOCTTY
| O_CLOEXEC
| O_DIRECTORY
);
2607 return log_error_errno(errno
, "Failed to open root: %m");
2609 if (fstat(parent_fd
, &parent_st
) < 0)
2610 return log_error_errno(errno
, "Failed to stat root: %m");
2612 /* Check every parent directory in the path, except the last component */
2613 for (const char *e
= path
;;) {
2614 _cleanup_close_
int next_fd
= -EBADF
;
2615 char t
[path_len
+ 1];
2618 /* Find the start of the next path component. */
2619 s
= e
+ strspn(e
, "/");
2620 /* Find the end of the next path component. */
2621 e
= s
+ strcspn(s
, "/");
2623 /* Copy the path component to t so it can be a null terminated string. */
2624 *((char*) mempcpy(t
, s
, e
- s
)) = 0;
2626 /* Is this the last component? If so, then check the type */
2628 return child_mode
!= 0 ? rm_if_wrong_type_safe(child_mode
, parent_fd
, &parent_st
, t
, AT_SYMLINK_NOFOLLOW
) : 0;
2630 r
= rm_if_wrong_type_safe(S_IFDIR
, parent_fd
, &parent_st
, t
, 0);
2631 /* Remove dangling symlinks. */
2633 r
= rm_if_wrong_type_safe(S_IFDIR
, parent_fd
, &parent_st
, t
, AT_SYMLINK_NOFOLLOW
);
2636 r
= mkdirat_label(parent_fd
, t
, 0755);
2638 _cleanup_free_
char *parent_name
= NULL
;
2640 (void) fd_get_path(parent_fd
, &parent_name
);
2641 return log_error_errno(r
, "Failed to mkdir \"%s\" at \"%s\": %m", t
, strnull(parent_name
));
2644 /* rm_if_wrong_type_safe already logs errors. */
2647 next_fd
= RET_NERRNO(openat(parent_fd
, t
, O_NOCTTY
| O_CLOEXEC
| O_DIRECTORY
));
2649 _cleanup_free_
char *parent_name
= NULL
;
2651 (void) fd_get_path(parent_fd
, &parent_name
);
2652 return log_error_errno(next_fd
, "Failed to open \"%s\" at \"%s\": %m", t
, strnull(parent_name
));
2654 r
= RET_NERRNO(fstat(next_fd
, &parent_st
));
2656 _cleanup_free_
char *parent_name
= NULL
;
2658 (void) fd_get_path(parent_fd
, &parent_name
);
2659 return log_error_errno(r
, "Failed to stat \"%s\" at \"%s\": %m", t
, strnull(parent_name
));
2662 close_and_replace(parent_fd
, next_fd
);
2666 static int mkdir_parents_item(Item
*i
, mode_t child_mode
) {
2668 if (i
->try_replace
) {
2669 r
= mkdir_parents_rm_if_wrong_type(child_mode
, i
->path
);
2670 if (r
< 0 && r
!= -ENOENT
)
2674 (void) mkdir_parents_label(i
->path
, 0755);
2679 static int create_item(Context
*c
, Item
*i
) {
2685 log_debug("Running create action for entry %c %s", (char) i
->type
, i
->path
);
2690 case IGNORE_DIRECTORY_PATH
:
2692 case RECURSIVE_REMOVE_PATH
:
2697 r
= mkdir_parents_item(i
, S_IFREG
);
2701 if ((i
->type
== CREATE_FILE
&& i
->append_or_force
) || i
->type
== TRUNCATE_FILE
)
2702 r
= truncate_file(c
, i
, i
->path
);
2704 r
= create_file(c
, i
, i
->path
);
2710 r
= mkdir_parents_item(i
, 0);
2714 r
= copy_files(c
, i
);
2720 r
= glob_item(c
, i
, write_one_file
);
2726 case CREATE_DIRECTORY
:
2727 case TRUNCATE_DIRECTORY
:
2728 r
= mkdir_parents_item(i
, S_IFDIR
);
2732 r
= create_directory(c
, i
, i
->path
);
2737 case CREATE_SUBVOLUME
:
2738 case CREATE_SUBVOLUME_INHERIT_QUOTA
:
2739 case CREATE_SUBVOLUME_NEW_QUOTA
:
2740 r
= mkdir_parents_item(i
, S_IFDIR
);
2744 r
= create_subvolume(c
, i
, i
->path
);
2749 case EMPTY_DIRECTORY
:
2750 r
= glob_item(c
, i
, empty_directory
);
2756 r
= mkdir_parents_item(i
, S_IFIFO
);
2760 r
= create_fifo(c
, i
);
2765 case CREATE_SYMLINK
:
2766 r
= mkdir_parents_item(i
, S_IFLNK
);
2770 r
= create_symlink(c
, i
);
2776 case CREATE_BLOCK_DEVICE
:
2777 case CREATE_CHAR_DEVICE
:
2778 if (have_effective_cap(CAP_MKNOD
) <= 0) {
2779 /* In a container we lack CAP_MKNOD. We shouldn't attempt to create the device node in that
2780 * case to avoid noise, and we don't support virtualized devices in containers anyway. */
2782 log_debug("We lack CAP_MKNOD, skipping creation of device node %s.", i
->path
);
2786 r
= mkdir_parents_item(i
, i
->type
== CREATE_BLOCK_DEVICE
? S_IFBLK
: S_IFCHR
);
2790 r
= create_device(c
, i
, i
->type
== CREATE_BLOCK_DEVICE
? S_IFBLK
: S_IFCHR
);
2798 r
= glob_item(c
, i
, path_set_perms
);
2803 case RECURSIVE_RELABEL_PATH
:
2804 r
= glob_item_recursively(c
, i
, fd_set_perms
);
2810 r
= glob_item(c
, i
, path_set_xattrs
);
2815 case RECURSIVE_SET_XATTR
:
2816 r
= glob_item_recursively(c
, i
, fd_set_xattrs
);
2822 r
= glob_item(c
, i
, path_set_acls
);
2827 case RECURSIVE_SET_ACL
:
2828 r
= glob_item_recursively(c
, i
, fd_set_acls
);
2834 r
= glob_item(c
, i
, path_set_attribute
);
2839 case RECURSIVE_SET_ATTRIBUTE
:
2840 r
= glob_item_recursively(c
, i
, fd_set_attribute
);
2849 static int purge_item_instance(Context
*c
, Item
*i
, const char *instance
, CreationMode creation
) {
2852 /* FIXME: we probably should use dir_cleanup() here instead of rm_rf() so that 'x' is honoured. */
2853 log_debug("rm -rf \"%s\"", instance
);
2854 r
= rm_rf(instance
, REMOVE_ROOT
|REMOVE_SUBVOLUME
|REMOVE_PHYSICAL
);
2855 if (r
< 0 && r
!= -ENOENT
)
2856 return log_error_errno(r
, "rm_rf(%s): %m", instance
);
2861 static int purge_item(Context
*c
, Item
*i
) {
2865 if (!needs_purge(i
->type
))
2868 log_debug("Running purge owned action for entry %c %s", (char) i
->type
, i
->path
);
2870 if (needs_glob(i
->type
))
2871 return glob_item(c
, i
, purge_item_instance
);
2873 return purge_item_instance(c
, i
, i
->path
, CREATION_EXISTING
);
2876 static int remove_item_instance(
2879 const char *instance
,
2880 CreationMode creation
) {
2890 if (remove(instance
) < 0 && errno
!= ENOENT
)
2891 return log_error_errno(errno
, "rm(%s): %m", instance
);
2895 case RECURSIVE_REMOVE_PATH
:
2896 /* FIXME: we probably should use dir_cleanup() here instead of rm_rf() so that 'x' is honoured. */
2897 log_debug("rm -rf \"%s\"", instance
);
2898 r
= rm_rf(instance
, REMOVE_ROOT
|REMOVE_SUBVOLUME
|REMOVE_PHYSICAL
);
2899 if (r
< 0 && r
!= -ENOENT
)
2900 return log_error_errno(r
, "rm_rf(%s): %m", instance
);
2905 assert_not_reached();
2911 static int remove_item(Context
*c
, Item
*i
) {
2917 log_debug("Running remove action for entry %c %s", (char) i
->type
, i
->path
);
2921 case TRUNCATE_DIRECTORY
:
2922 /* FIXME: we probably should use dir_cleanup() here instead of rm_rf() so that 'x' is honoured. */
2923 log_debug("rm -rf \"%s\"", i
->path
);
2924 r
= rm_rf(i
->path
, REMOVE_PHYSICAL
);
2925 if (r
< 0 && r
!= -ENOENT
)
2926 return log_error_errno(r
, "rm_rf(%s): %m", i
->path
);
2931 case RECURSIVE_REMOVE_PATH
:
2932 return glob_item(c
, i
, remove_item_instance
);
2939 static char *age_by_to_string(AgeBy ab
, bool is_dir
) {
2940 static const char ab_map
[] = { 'a', 'b', 'c', 'm' };
2944 ret
= new(char, ELEMENTSOF(ab_map
) + 1);
2948 for (size_t i
= 0; i
< ELEMENTSOF(ab_map
); i
++)
2949 if (FLAGS_SET(ab
, 1U << i
))
2950 ret
[j
++] = is_dir
? ascii_toupper(ab_map
[i
]) : ab_map
[i
];
2956 static int clean_item_instance(
2959 const char* instance
,
2960 CreationMode creation
) {
2962 _cleanup_closedir_
DIR *d
= NULL
;
2963 STRUCT_STATX_DEFINE(sx
);
2972 n
= now(CLOCK_REALTIME
);
2976 cutoff
= n
- i
->age
;
2978 d
= opendir_nomod(instance
);
2980 if (IN_SET(errno
, ENOENT
, ENOTDIR
)) {
2981 log_debug_errno(errno
, "Directory \"%s\": %m", instance
);
2985 return log_error_errno(errno
, "Failed to open directory %s: %m", instance
);
2988 r
= statx_fallback(dirfd(d
), "", AT_EMPTY_PATH
, STATX_MODE
|STATX_INO
|STATX_ATIME
|STATX_MTIME
, &sx
);
2990 return log_error_errno(r
, "statx(%s) failed: %m", instance
);
2992 if (FLAGS_SET(sx
.stx_attributes_mask
, STATX_ATTR_MOUNT_ROOT
))
2993 mountpoint
= FLAGS_SET(sx
.stx_attributes
, STATX_ATTR_MOUNT_ROOT
);
2997 if (fstatat(dirfd(d
), "..", &ps
, AT_SYMLINK_NOFOLLOW
) != 0)
2998 return log_error_errno(errno
, "stat(%s/..) failed: %m", i
->path
);
3001 sx
.stx_dev_major
!= major(ps
.st_dev
) ||
3002 sx
.stx_dev_minor
!= minor(ps
.st_dev
) ||
3003 sx
.stx_ino
!= ps
.st_ino
;
3006 if (DEBUG_LOGGING
) {
3007 _cleanup_free_
char *ab_f
= NULL
, *ab_d
= NULL
;
3009 ab_f
= age_by_to_string(i
->age_by_file
, false);
3013 ab_d
= age_by_to_string(i
->age_by_dir
, true);
3017 log_debug("Cleanup threshold for %s \"%s\" is %s; age-by: %s%s",
3018 mountpoint
? "mount point" : "directory",
3020 FORMAT_TIMESTAMP_STYLE(cutoff
, TIMESTAMP_US
),
3024 return dir_cleanup(c
, i
, instance
, d
,
3025 statx_timestamp_load_nsec(&sx
.stx_atime
),
3026 statx_timestamp_load_nsec(&sx
.stx_mtime
),
3027 cutoff
* NSEC_PER_USEC
,
3028 sx
.stx_dev_major
, sx
.stx_dev_minor
, mountpoint
,
3029 MAX_DEPTH
, i
->keep_first_level
,
3030 i
->age_by_file
, i
->age_by_dir
);
3033 static int clean_item(Context
*c
, Item
*i
) {
3037 log_debug("Running clean action for entry %c %s", (char) i
->type
, i
->path
);
3041 case CREATE_DIRECTORY
:
3042 case TRUNCATE_DIRECTORY
:
3043 case CREATE_SUBVOLUME
:
3044 case CREATE_SUBVOLUME_INHERIT_QUOTA
:
3045 case CREATE_SUBVOLUME_NEW_QUOTA
:
3047 clean_item_instance(c
, i
, i
->path
, CREATION_EXISTING
);
3050 case EMPTY_DIRECTORY
:
3052 case IGNORE_DIRECTORY_PATH
:
3053 return glob_item(c
, i
, clean_item_instance
);
3060 static int process_item(
3063 OperationMask operation
) {
3066 _cleanup_free_
char *_path
= NULL
;
3073 todo
= operation
& ~i
->done
;
3074 if (todo
== 0) /* Everything already done? */
3077 i
->done
|= operation
;
3080 if (string_is_glob(path
)) {
3081 /* We can't easily check whether a glob matches any autofs path, so let's do the check only
3082 * for the non-glob part. */
3084 r
= glob_non_glob_prefix(path
, &_path
);
3085 if (r
< 0 && r
!= -ENOENT
)
3086 return log_debug_errno(r
, "Failed to deglob path: %m");
3091 r
= chase(path
, arg_root
, CHASE_NO_AUTOFS
|CHASE_NONEXISTENT
|CHASE_WARN
, NULL
, NULL
);
3092 if (r
== -EREMOTE
) {
3093 log_notice_errno(r
, "Skipping %s", i
->path
); /* We log the configured path, to not confuse the user. */
3097 log_debug_errno(r
, "Failed to determine whether '%s' is below autofs, ignoring: %m", i
->path
);
3099 r
= FLAGS_SET(operation
, OPERATION_CREATE
) ? create_item(c
, i
) : 0;
3100 /* Failure can only be tolerated for create */
3101 if (i
->allow_failure
)
3104 RET_GATHER(r
, FLAGS_SET(operation
, OPERATION_REMOVE
) ? remove_item(c
, i
) : 0);
3105 RET_GATHER(r
, FLAGS_SET(operation
, OPERATION_CLEAN
) ? clean_item(c
, i
) : 0);
3106 RET_GATHER(r
, FLAGS_SET(operation
, OPERATION_PURGE
) ? purge_item(c
, i
) : 0);
3111 static int process_item_array(
3114 OperationMask operation
) {
3122 /* Create any parent first. */
3123 if (FLAGS_SET(operation
, OPERATION_CREATE
) && array
->parent
)
3124 r
= process_item_array(c
, array
->parent
, operation
& OPERATION_CREATE
);
3126 /* Clean up all children first */
3127 if ((operation
& (OPERATION_REMOVE
|OPERATION_CLEAN
|OPERATION_PURGE
)) && !set_isempty(array
->children
)) {
3130 SET_FOREACH(cc
, array
->children
) {
3133 k
= process_item_array(c
, cc
, operation
& (OPERATION_REMOVE
|OPERATION_CLEAN
|OPERATION_PURGE
));
3134 if (k
< 0 && r
== 0)
3139 for (n
= 0; n
< array
->n_items
; n
++) {
3142 k
= process_item(c
, array
->items
+ n
, operation
);
3143 if (k
< 0 && r
== 0)
3150 static void item_free_contents(Item
*i
) {
3154 free(i
->binary_argument
);
3155 strv_free(i
->xattrs
);
3159 acl_free(i
->acl_access
);
3161 if (i
->acl_access_exec
)
3162 acl_free(i
->acl_access_exec
);
3165 acl_free(i
->acl_default
);
3169 static ItemArray
* item_array_free(ItemArray
*a
) {
3175 for (n
= 0; n
< a
->n_items
; n
++)
3176 item_free_contents(a
->items
+ n
);
3178 set_free(a
->children
);
3183 static int item_compare(const Item
*a
, const Item
*b
) {
3184 /* Make sure that the ownership taking item is put first, so
3185 * that we first create the node, and then can adjust it */
3187 if (takes_ownership(a
->type
) && !takes_ownership(b
->type
))
3189 if (!takes_ownership(a
->type
) && takes_ownership(b
->type
))
3192 return CMP(a
->type
, b
->type
);
3195 static bool item_compatible(const Item
*a
, const Item
*b
) {
3198 assert(streq(a
->path
, b
->path
));
3200 if (takes_ownership(a
->type
) && takes_ownership(b
->type
))
3201 /* check if the items are the same */
3202 return memcmp_nn(item_binary_argument(a
), item_binary_argument_size(a
),
3203 item_binary_argument(b
), item_binary_argument_size(b
)) == 0 &&
3205 a
->uid_set
== b
->uid_set
&&
3207 a
->uid_only_create
== b
->uid_only_create
&&
3209 a
->gid_set
== b
->gid_set
&&
3211 a
->gid_only_create
== b
->gid_only_create
&&
3213 a
->mode_set
== b
->mode_set
&&
3214 a
->mode
== b
->mode
&&
3215 a
->mode_only_create
== b
->mode_only_create
&&
3217 a
->age_set
== b
->age_set
&&
3220 a
->age_by_file
== b
->age_by_file
&&
3221 a
->age_by_dir
== b
->age_by_dir
&&
3223 a
->mask_perms
== b
->mask_perms
&&
3225 a
->keep_first_level
== b
->keep_first_level
&&
3227 a
->major_minor
== b
->major_minor
;
3232 static bool should_include_path(const char *path
) {
3233 STRV_FOREACH(prefix
, arg_exclude_prefixes
)
3234 if (path_startswith(path
, *prefix
)) {
3235 log_debug("Entry \"%s\" matches exclude prefix \"%s\", skipping.",
3240 STRV_FOREACH(prefix
, arg_include_prefixes
)
3241 if (path_startswith(path
, *prefix
)) {
3242 log_debug("Entry \"%s\" matches include prefix \"%s\".", path
, *prefix
);
3246 /* no matches, so we should include this path only if we have no allow list at all */
3247 if (strv_isempty(arg_include_prefixes
))
3250 log_debug("Entry \"%s\" does not match any include prefix, skipping.", path
);
3254 static int specifier_expansion_from_arg(const Specifier
*specifier_table
, Item
*i
) {
3264 case CREATE_SYMLINK
:
3268 _cleanup_free_
char *unescaped
= NULL
, *resolved
= NULL
;
3271 l
= cunescape(i
->argument
, 0, &unescaped
);
3273 return log_error_errno(l
, "Failed to unescape parameter to write: %s", i
->argument
);
3275 r
= specifier_printf(unescaped
, PATH_MAX
-1, specifier_table
, arg_root
, NULL
, &resolved
);
3279 return free_and_replace(i
->argument
, resolved
);
3282 case RECURSIVE_SET_XATTR
:
3283 STRV_FOREACH(xattr
, i
->xattrs
) {
3284 _cleanup_free_
char *resolved
= NULL
;
3286 r
= specifier_printf(*xattr
, SIZE_MAX
, specifier_table
, arg_root
, NULL
, &resolved
);
3290 free_and_replace(*xattr
, resolved
);
3299 static int patch_var_run(const char *fname
, unsigned line
, char **path
) {
3306 /* Optionally rewrites lines referencing /var/run/, to use /run/ instead. Why bother? tmpfiles merges lines in
3307 * some cases and detects conflicts in others. If files/directories are specified through two equivalent lines
3308 * this is problematic as neither case will be detected. Ideally we'd detect these cases by resolving symlinks
3309 * early, but that's precisely not what we can do here as this code very likely is running very early on, at a
3310 * time where the paths in question are not available yet, or even more importantly, our own tmpfiles rules
3311 * might create the paths that are intermediary to the listed paths. We can't really cover the generic case,
3312 * but the least we can do is cover the specific case of /var/run vs. /run, as /var/run is a legacy name for
3313 * /run only, and we explicitly document that and require that on systemd systems the former is a symlink to
3314 * the latter. Moreover files below this path are by far the primary use case for tmpfiles.d/. */
3316 k
= path_startswith(*path
, "/var/run/");
3317 if (isempty(k
)) /* Don't complain about other paths than /var/run, and not about /var/run itself either. */
3320 n
= path_join("/run", k
);
3324 /* Also log about this briefly. We do so at LOG_NOTICE level, as we fixed up the situation automatically, hence
3325 * there's no immediate need for action by the user. However, in the interest of making things less confusing
3326 * to the user, let's still inform the user that these snippets should really be updated. */
3327 log_syntax(NULL
, LOG_NOTICE
, fname
, line
, 0,
3328 "Line references path below legacy directory /var/run/, updating %s → %s; please update the tmpfiles.d/ drop-in file accordingly.",
3331 free_and_replace(*path
, n
);
3336 static int find_uid(const char *user
, uid_t
*ret_uid
, Hashmap
**cache
) {
3342 /* First: parse as numeric UID string */
3343 r
= parse_uid(user
, ret_uid
);
3347 /* Second: pass to NSS if we are running "online" */
3349 return get_user_creds(&user
, ret_uid
, NULL
, NULL
, NULL
, 0);
3351 /* Third, synthesize "root" unconditionally */
3352 if (streq(user
, "root")) {
3357 /* Fourth: use fgetpwent() to read /etc/passwd directly, if we are "offline" */
3358 return name_to_uid_offline(arg_root
, user
, ret_uid
, cache
);
3361 static int find_gid(const char *group
, gid_t
*ret_gid
, Hashmap
**cache
) {
3367 /* First: parse as numeric GID string */
3368 r
= parse_gid(group
, ret_gid
);
3372 /* Second: pass to NSS if we are running "online" */
3374 return get_group_creds(&group
, ret_gid
, 0);
3376 /* Third, synthesize "root" unconditionally */
3377 if (streq(group
, "root")) {
3382 /* Fourth: use fgetgrent() to read /etc/group directly, if we are "offline" */
3383 return name_to_gid_offline(arg_root
, group
, ret_gid
, cache
);
3386 static int parse_age_by_from_arg(const char *age_by_str
, Item
*item
) {
3387 AgeBy ab_f
= 0, ab_d
= 0;
3389 static const struct {
3392 } age_by_types
[] = {
3393 { 'a', AGE_BY_ATIME
},
3394 { 'b', AGE_BY_BTIME
},
3395 { 'c', AGE_BY_CTIME
},
3396 { 'm', AGE_BY_MTIME
},
3402 if (isempty(age_by_str
))
3405 for (const char *s
= age_by_str
; *s
!= 0; s
++) {
3408 /* Ignore whitespace. */
3409 if (strchr(WHITESPACE
, *s
))
3412 for (i
= 0; i
< ELEMENTSOF(age_by_types
); i
++) {
3413 /* Check lower-case for files, upper-case for directories. */
3414 if (*s
== age_by_types
[i
].age_by_chr
) {
3415 ab_f
|= age_by_types
[i
].age_by_flag
;
3417 } else if (*s
== ascii_toupper(age_by_types
[i
].age_by_chr
)) {
3418 ab_d
|= age_by_types
[i
].age_by_flag
;
3423 /* Invalid character. */
3424 if (i
>= ELEMENTSOF(age_by_types
))
3429 if (ab_f
== 0 && ab_d
== 0)
3432 item
->age_by_file
= ab_f
> 0 ? ab_f
: AGE_BY_DEFAULT_FILE
;
3433 item
->age_by_dir
= ab_d
> 0 ? ab_d
: AGE_BY_DEFAULT_DIR
;
3438 static bool is_duplicated_item(ItemArray
*existing
, const Item
*i
) {
3443 for (size_t n
= 0; n
< existing
->n_items
; n
++) {
3444 const Item
*e
= existing
->items
+ n
;
3446 if (item_compatible(e
, i
))
3449 /* Only multiple 'w+' lines for the same path are allowed. */
3450 if (e
->type
!= WRITE_FILE
|| !e
->append_or_force
||
3451 i
->type
!= WRITE_FILE
|| !i
->append_or_force
)
3458 static int parse_line(
3463 bool *invalid_config
,
3464 Hashmap
**uid_cache
,
3465 Hashmap
**gid_cache
) {
3467 _cleanup_free_
char *action
= NULL
, *mode
= NULL
, *user
= NULL
, *group
= NULL
, *age
= NULL
, *path
= NULL
;
3468 _cleanup_(item_free_contents
) Item i
= {
3469 /* The "age-by" argument considers all file timestamp types by default. */
3470 .age_by_file
= AGE_BY_DEFAULT_FILE
,
3471 .age_by_dir
= AGE_BY_DEFAULT_DIR
,
3473 ItemArray
*existing
;
3476 bool append_or_force
= false, boot
= false, allow_failure
= false, try_replace
= false,
3477 unbase64
= false, from_cred
= false, missing_user_or_group
= false;
3484 const Specifier specifier_table
[] = {
3485 { 'a', specifier_architecture
, NULL
},
3486 { 'b', specifier_boot_id
, NULL
},
3487 { 'B', specifier_os_build_id
, NULL
},
3488 { 'H', specifier_hostname
, NULL
},
3489 { 'l', specifier_short_hostname
, NULL
},
3490 { 'm', specifier_machine_id
, NULL
},
3491 { 'o', specifier_os_id
, NULL
},
3492 { 'v', specifier_kernel_release
, NULL
},
3493 { 'w', specifier_os_version_id
, NULL
},
3494 { 'W', specifier_os_variant_id
, NULL
},
3496 { 'h', specifier_user_home
, NULL
},
3498 { 'C', specifier_directory
, UINT_TO_PTR(DIRECTORY_CACHE
) },
3499 { 'L', specifier_directory
, UINT_TO_PTR(DIRECTORY_LOGS
) },
3500 { 'S', specifier_directory
, UINT_TO_PTR(DIRECTORY_STATE
) },
3501 { 't', specifier_directory
, UINT_TO_PTR(DIRECTORY_RUNTIME
) },
3503 COMMON_CREDS_SPECIFIERS(arg_runtime_scope
),
3504 COMMON_TMP_SPECIFIERS
,
3508 r
= extract_many_words(
3511 EXTRACT_UNQUOTE
| EXTRACT_CUNESCAPE
,
3520 if (IN_SET(r
, -EINVAL
, -EBADSLT
))
3521 /* invalid quoting and such or an unknown specifier */
3522 *invalid_config
= true;
3523 return log_syntax(NULL
, LOG_ERR
, fname
, line
, r
, "Failed to parse line: %m");
3525 *invalid_config
= true;
3526 return log_syntax(NULL
, LOG_ERR
, fname
, line
, SYNTHETIC_ERRNO(EBADMSG
), "Syntax error.");
3529 if (!empty_or_dash(buffer
)) {
3530 i
.argument
= strdup(buffer
);
3535 if (isempty(action
)) {
3536 *invalid_config
= true;
3537 return log_syntax(NULL
, LOG_ERR
, fname
, line
, SYNTHETIC_ERRNO(EBADMSG
), "Command too short '%s'.", action
);
3540 for (pos
= 1; action
[pos
]; pos
++) {
3541 if (action
[pos
] == '!' && !boot
)
3543 else if (action
[pos
] == '+' && !append_or_force
)
3544 append_or_force
= true;
3545 else if (action
[pos
] == '-' && !allow_failure
)
3546 allow_failure
= true;
3547 else if (action
[pos
] == '=' && !try_replace
)
3549 else if (action
[pos
] == '~' && !unbase64
)
3551 else if (action
[pos
] == '^' && !from_cred
)
3554 *invalid_config
= true;
3555 return log_syntax(NULL
, LOG_ERR
, fname
, line
, SYNTHETIC_ERRNO(EBADMSG
), "Unknown modifiers in command '%s'", action
);
3559 if (boot
&& !arg_boot
) {
3560 log_syntax(NULL
, LOG_DEBUG
, fname
, line
, 0, "Ignoring entry %s \"%s\" because --boot is not specified.", action
, path
);
3565 i
.append_or_force
= append_or_force
;
3566 i
.allow_failure
= allow_failure
;
3567 i
.try_replace
= try_replace
;
3569 r
= specifier_printf(path
, PATH_MAX
-1, specifier_table
, arg_root
, NULL
, &i
.path
);
3570 if (ERRNO_IS_NOINFO(r
))
3571 return log_unresolvable_specifier(fname
, line
);
3573 if (IN_SET(r
, -EINVAL
, -EBADSLT
))
3574 *invalid_config
= true;
3575 return log_syntax(NULL
, LOG_ERR
, fname
, line
, r
, "Failed to replace specifiers in '%s': %m", path
);
3578 r
= patch_var_run(fname
, line
, &i
.path
);
3582 if (!path_is_absolute(i
.path
)) {
3583 *invalid_config
= true;
3584 return log_syntax(NULL
, LOG_ERR
, fname
, line
, SYNTHETIC_ERRNO(EBADMSG
),
3585 "Path '%s' not absolute.", i
.path
);
3588 path_simplify(i
.path
);
3592 case CREATE_DIRECTORY
:
3593 case CREATE_SUBVOLUME
:
3594 case CREATE_SUBVOLUME_INHERIT_QUOTA
:
3595 case CREATE_SUBVOLUME_NEW_QUOTA
:
3596 case EMPTY_DIRECTORY
:
3597 case TRUNCATE_DIRECTORY
:
3600 case IGNORE_DIRECTORY_PATH
:
3602 case RECURSIVE_REMOVE_PATH
:
3605 case RECURSIVE_RELABEL_PATH
:
3612 "%c lines don't take argument fields, ignoring.",
3621 case CREATE_SYMLINK
:
3623 *invalid_config
= true;
3624 return log_syntax(NULL
, LOG_ERR
, fname
, line
, SYNTHETIC_ERRNO(EBADMSG
), "base64 decoding not supported for symlink targets.");
3630 *invalid_config
= true;
3631 return log_syntax(NULL
, LOG_ERR
, fname
, line
, SYNTHETIC_ERRNO(EBADMSG
), "Write file requires argument.");
3637 *invalid_config
= true;
3638 return log_syntax(NULL
, LOG_ERR
, fname
, line
, SYNTHETIC_ERRNO(EBADMSG
), "base64 decoding not supported for copy sources.");
3642 case CREATE_CHAR_DEVICE
:
3643 case CREATE_BLOCK_DEVICE
:
3645 *invalid_config
= true;
3646 return log_syntax(NULL
, LOG_ERR
, fname
, line
, SYNTHETIC_ERRNO(EBADMSG
), "base64 decoding not supported for device node creation.");
3650 *invalid_config
= true;
3651 return log_syntax(NULL
, LOG_ERR
, fname
, line
, SYNTHETIC_ERRNO(EBADMSG
), "Device file requires argument.");
3654 r
= parse_devnum(i
.argument
, &i
.major_minor
);
3656 *invalid_config
= true;
3657 return log_syntax(NULL
, LOG_ERR
, fname
, line
, r
, "Can't parse device file major/minor '%s'.", i
.argument
);
3663 case RECURSIVE_SET_XATTR
:
3665 *invalid_config
= true;
3666 return log_syntax(NULL
, LOG_ERR
, fname
, line
, SYNTHETIC_ERRNO(EBADMSG
), "base64 decoding not supported for extended attributes.");
3669 *invalid_config
= true;
3670 return log_syntax(NULL
, LOG_ERR
, fname
, line
, SYNTHETIC_ERRNO(EBADMSG
),
3671 "Set extended attribute requires argument.");
3673 r
= parse_xattrs_from_arg(&i
);
3679 case RECURSIVE_SET_ACL
:
3681 *invalid_config
= true;
3682 return log_syntax(NULL
, LOG_ERR
, fname
, line
, SYNTHETIC_ERRNO(EBADMSG
), "base64 decoding not supported for ACLs.");
3685 *invalid_config
= true;
3686 return log_syntax(NULL
, LOG_ERR
, fname
, line
, SYNTHETIC_ERRNO(EBADMSG
),
3687 "Set ACLs requires argument.");
3689 r
= parse_acls_from_arg(&i
);
3695 case RECURSIVE_SET_ATTRIBUTE
:
3697 *invalid_config
= true;
3698 return log_syntax(NULL
, LOG_ERR
, fname
, line
, SYNTHETIC_ERRNO(EBADMSG
), "base64 decoding not supported for file attributes.");
3701 *invalid_config
= true;
3702 return log_syntax(NULL
, LOG_ERR
, fname
, line
, SYNTHETIC_ERRNO(EBADMSG
),
3703 "Set file attribute requires argument.");
3705 r
= parse_attribute_from_arg(&i
);
3706 if (IN_SET(r
, -EINVAL
, -EBADSLT
))
3707 *invalid_config
= true;
3713 *invalid_config
= true;
3714 return log_syntax(NULL
, LOG_ERR
, fname
, line
, SYNTHETIC_ERRNO(EBADMSG
),
3715 "Unknown command type '%c'.", (char) i
.type
);
3718 if (!should_include_path(i
.path
))
3722 /* Do specifier expansion except if base64 mode is enabled */
3723 r
= specifier_expansion_from_arg(specifier_table
, &i
);
3724 if (ERRNO_IS_NOINFO(r
))
3725 return log_unresolvable_specifier(fname
, line
);
3727 if (IN_SET(r
, -EINVAL
, -EBADSLT
))
3728 *invalid_config
= true;
3729 return log_syntax(NULL
, LOG_ERR
, fname
, line
, r
, "Failed to substitute specifiers in argument: %m");
3734 case CREATE_SYMLINK
:
3736 i
.argument
= path_join("/usr/share/factory", i
.path
);
3744 i
.argument
= path_join("/usr/share/factory", i
.path
);
3747 } else if (!path_is_absolute(i
.argument
)) {
3748 *invalid_config
= true;
3749 return log_syntax(NULL
, LOG_ERR
, fname
, line
, SYNTHETIC_ERRNO(EBADMSG
), "Source path '%s' is not absolute.", i
.argument
);
3753 if (!empty_or_root(arg_root
)) {
3756 p
= path_join(arg_root
, i
.argument
);
3759 free_and_replace(i
.argument
, p
);
3762 path_simplify(i
.argument
);
3764 if (laccess(i
.argument
, F_OK
) == -ENOENT
) {
3765 /* Silently skip over lines where the source file is missing. */
3766 log_syntax(NULL
, LOG_DEBUG
, fname
, line
, 0, "Copy source path '%s' does not exist, skipping line.", i
.argument
);
3778 return log_syntax(NULL
, LOG_ERR
, fname
, line
, SYNTHETIC_ERRNO(EINVAL
), "Reading from credential requested, but no credential name specified.");
3779 if (!credential_name_valid(i
.argument
))
3780 return log_syntax(NULL
, LOG_ERR
, fname
, line
, SYNTHETIC_ERRNO(EINVAL
), "Credential name not valid: %s", i
.argument
);
3782 r
= read_credential(i
.argument
, &i
.binary_argument
, &i
.binary_argument_size
);
3783 if (IN_SET(r
, -ENXIO
, -ENOENT
)) {
3784 /* Silently skip over lines that have no credentials passed */
3785 log_syntax(NULL
, LOG_DEBUG
, fname
, line
, 0,
3786 "Credential '%s' not specified, skipping line.", i
.argument
);
3790 return log_error_errno(r
, "Failed to read credential '%s': %m", i
.argument
);
3793 /* If base64 decoding is requested, do so now */
3794 if (unbase64
&& item_binary_argument(&i
)) {
3795 _cleanup_free_
void *data
= NULL
;
3796 size_t data_size
= 0;
3798 r
= unbase64mem_full(item_binary_argument(&i
), item_binary_argument_size(&i
), /* secure = */ false,
3801 return log_syntax(NULL
, LOG_ERR
, fname
, line
, r
, "Failed to base64 decode specified argument '%s': %m", i
.argument
);
3803 free_and_replace(i
.binary_argument
, data
);
3804 i
.binary_argument_size
= data_size
;
3807 if (!empty_or_root(arg_root
)) {
3810 p
= path_join(arg_root
, i
.path
);
3813 free_and_replace(i
.path
, p
);
3816 if (!empty_or_dash(user
)) {
3819 u
= startswith(user
, ":");
3821 i
.uid_only_create
= true;
3825 r
= find_uid(u
, &i
.uid
, uid_cache
);
3826 if (r
== -ESRCH
&& arg_graceful
) {
3827 log_syntax(NULL
, LOG_DEBUG
, fname
, line
, r
,
3828 "%s: user '%s' not found, not adjusting ownership.", i
.path
, u
);
3829 missing_user_or_group
= true;
3831 *invalid_config
= true;
3832 return log_syntax(NULL
, LOG_ERR
, fname
, line
, r
, "Failed to resolve user '%s': %m", u
);
3837 if (!empty_or_dash(group
)) {
3840 g
= startswith(group
, ":");
3842 i
.gid_only_create
= true;
3846 r
= find_gid(g
, &i
.gid
, gid_cache
);
3847 if (r
== -ESRCH
&& arg_graceful
) {
3848 log_syntax(NULL
, LOG_DEBUG
, fname
, line
, r
,
3849 "%s: group '%s' not found, not adjusting ownership.", i
.path
, g
);
3850 missing_user_or_group
= true;
3852 *invalid_config
= true;
3853 return log_syntax(NULL
, LOG_ERR
, fname
, line
, r
, "Failed to resolve group '%s': %m", g
);
3858 if (!empty_or_dash(mode
)) {
3862 for (mm
= mode
;; mm
++) {
3864 i
.mask_perms
= true;
3865 else if (*mm
== ':')
3866 i
.mode_only_create
= true;
3871 r
= parse_mode(mm
, &m
);
3873 *invalid_config
= true;
3874 return log_syntax(NULL
, LOG_ERR
, fname
, line
, r
, "Invalid mode '%s'.", mode
);
3880 i
.mode
= IN_SET(i
.type
,
3884 CREATE_SUBVOLUME_INHERIT_QUOTA
,
3885 CREATE_SUBVOLUME_NEW_QUOTA
) ? 0755 : 0644;
3887 if (missing_user_or_group
&& (i
.mode
& ~0777) != 0) {
3888 /* Refuse any special bits for nodes where we couldn't resolve the ownership properly. */
3889 mode_t adjusted
= i
.mode
& 0777;
3890 log_syntax(NULL
, LOG_INFO
, fname
, line
, 0,
3891 "Changing mode 0%o to 0%o because of changed ownership.", i
.mode
, adjusted
);
3895 if (!empty_or_dash(age
)) {
3896 const char *a
= age
;
3897 _cleanup_free_
char *seconds
= NULL
, *age_by
= NULL
;
3900 i
.keep_first_level
= true;
3904 /* Format: "age-by:age"; where age-by is "[abcmABCM]+". */
3905 r
= split_pair(a
, ":", &age_by
, &seconds
);
3908 if (r
< 0 && r
!= -EINVAL
)
3909 return log_error_errno(r
, "Failed to parse age-by for '%s': %m", age
);
3911 /* We found a ":", parse the "age-by" part. */
3912 r
= parse_age_by_from_arg(age_by
, &i
);
3916 *invalid_config
= true;
3917 return log_syntax(NULL
, LOG_ERR
, fname
, line
, r
, "Invalid age-by '%s'.", age_by
);
3920 /* For parsing the "age" part, after the ":". */
3924 r
= parse_sec(a
, &i
.age
);
3926 *invalid_config
= true;
3927 return log_syntax(NULL
, LOG_ERR
, fname
, line
, r
, "Invalid age '%s'.", a
);
3933 h
= needs_glob(i
.type
) ? c
->globs
: c
->items
;
3935 existing
= ordered_hashmap_get(h
, i
.path
);
3937 if (is_duplicated_item(existing
, &i
)) {
3938 log_syntax(NULL
, LOG_NOTICE
, fname
, line
, 0,
3939 "Duplicate line for path \"%s\", ignoring.", i
.path
);
3943 existing
= new0(ItemArray
, 1);
3947 r
= ordered_hashmap_put(h
, i
.path
, existing
);
3954 if (!GREEDY_REALLOC(existing
->items
, existing
->n_items
+ 1))
3957 existing
->items
[existing
->n_items
++] = TAKE_STRUCT(i
);
3959 /* Sort item array, to enforce stable ordering of application */
3960 typesafe_qsort(existing
->items
, existing
->n_items
, item_compare
);
3965 static int cat_config(char **config_dirs
, char **args
) {
3966 _cleanup_strv_free_
char **files
= NULL
;
3969 r
= conf_files_list_with_replacement(arg_root
, config_dirs
, arg_replace
, &files
, NULL
);
3973 pager_open(arg_pager_flags
);
3975 return cat_files(NULL
, files
, arg_cat_flags
);
3978 static int exclude_default_prefixes(void) {
3981 /* Provide an easy way to exclude virtual/memory file systems from what we do here. Useful in
3982 * combination with --root= where we probably don't want to apply stuff to these dirs as they are
3983 * likely over-mounted if the root directory is actually used, and it wouldbe less than ideal to have
3984 * all kinds of files created/adjusted underneath these mount points. */
3986 r
= strv_extend_strv(
3987 &arg_exclude_prefixes
,
3999 static int help(void) {
4000 _cleanup_free_
char *link
= NULL
;
4003 r
= terminal_urlify_man("systemd-tmpfiles", "8", &link
);
4007 printf("%s [OPTIONS...] [CONFIGURATION FILE...]\n"
4008 "\n%sCreates, deletes and cleans up volatile and temporary files and directories.%s\n\n"
4009 " -h --help Show this help\n"
4010 " --user Execute user configuration\n"
4011 " --version Show package version\n"
4012 " --cat-config Show configuration files\n"
4013 " --tldr Show non-comment parts of configuration\n"
4014 " --create Create marked files/directories\n"
4015 " --clean Clean up marked directories\n"
4016 " --remove Remove marked files/directories\n"
4017 " --boot Execute actions only safe at boot\n"
4018 " --graceful Quietly ignore unknown users or groups\n"
4019 " --purge Delete all files owned by the configuration files\n"
4020 " --prefix=PATH Only apply rules with the specified prefix\n"
4021 " --exclude-prefix=PATH Ignore rules with the specified prefix\n"
4022 " -E Ignore rules prefixed with /dev, /proc, /run, /sys\n"
4023 " --root=PATH Operate on an alternate filesystem root\n"
4024 " --image=PATH Operate on disk image as filesystem root\n"
4025 " --image-policy=POLICY Specify disk image dissection policy\n"
4026 " --replace=PATH Treat arguments as replacement for PATH\n"
4027 " --no-pager Do not pipe output into a pager\n"
4028 "\nSee the %s for details.\n",
4029 program_invocation_short_name
,
4037 static int parse_argv(int argc
, char *argv
[]) {
4040 ARG_VERSION
= 0x100,
4059 static const struct option options
[] = {
4060 { "help", no_argument
, NULL
, 'h' },
4061 { "user", no_argument
, NULL
, ARG_USER
},
4062 { "version", no_argument
, NULL
, ARG_VERSION
},
4063 { "cat-config", no_argument
, NULL
, ARG_CAT_CONFIG
},
4064 { "tldr", no_argument
, NULL
, ARG_TLDR
},
4065 { "create", no_argument
, NULL
, ARG_CREATE
},
4066 { "clean", no_argument
, NULL
, ARG_CLEAN
},
4067 { "remove", no_argument
, NULL
, ARG_REMOVE
},
4068 { "purge", no_argument
, NULL
, ARG_PURGE
},
4069 { "boot", no_argument
, NULL
, ARG_BOOT
},
4070 { "graceful", no_argument
, NULL
, ARG_GRACEFUL
},
4071 { "prefix", required_argument
, NULL
, ARG_PREFIX
},
4072 { "exclude-prefix", required_argument
, NULL
, ARG_EXCLUDE_PREFIX
},
4073 { "root", required_argument
, NULL
, ARG_ROOT
},
4074 { "image", required_argument
, NULL
, ARG_IMAGE
},
4075 { "image-policy", required_argument
, NULL
, ARG_IMAGE_POLICY
},
4076 { "replace", required_argument
, NULL
, ARG_REPLACE
},
4077 { "no-pager", no_argument
, NULL
, ARG_NO_PAGER
},
4086 while ((c
= getopt_long(argc
, argv
, "hE", options
, NULL
)) >= 0)
4096 case ARG_CAT_CONFIG
:
4097 arg_cat_flags
= CAT_CONFIG_ON
;
4101 arg_cat_flags
= CAT_TLDR
;
4105 arg_runtime_scope
= RUNTIME_SCOPE_USER
;
4109 arg_operation
|= OPERATION_CREATE
;
4113 arg_operation
|= OPERATION_CLEAN
;
4117 arg_operation
|= OPERATION_REMOVE
;
4125 arg_operation
|= OPERATION_PURGE
;
4129 arg_graceful
= true;
4133 if (strv_extend(&arg_include_prefixes
, optarg
) < 0)
4137 case ARG_EXCLUDE_PREFIX
:
4138 if (strv_extend(&arg_exclude_prefixes
, optarg
) < 0)
4143 r
= parse_path_argument(optarg
, /* suppress_root= */ false, &arg_root
);
4150 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
),
4151 "This systemd-tmpfiles version is compiled without support for --image=.");
4153 r
= parse_path_argument(optarg
, /* suppress_root= */ false, &arg_image
);
4157 /* Imply -E here since it makes little sense to create files persistently in the /run mountpoint of a disk image */
4161 r
= exclude_default_prefixes();
4167 case ARG_IMAGE_POLICY
:
4168 r
= parse_image_policy_argument(optarg
, &arg_image_policy
);
4174 if (!path_is_absolute(optarg
) ||
4175 !endswith(optarg
, ".conf"))
4176 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
4177 "The argument to --replace= must an absolute path to a config file");
4179 arg_replace
= optarg
;
4183 arg_pager_flags
|= PAGER_DISABLE
;
4190 assert_not_reached();
4193 if (arg_operation
== 0 && arg_cat_flags
== CAT_CONFIG_OFF
)
4194 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
4195 "You need to specify at least one of --clean, --create, --remove, or --purge.");
4197 if (arg_replace
&& arg_cat_flags
!= CAT_CONFIG_OFF
)
4198 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
4199 "Option --replace= is not supported with --cat-config/--tldr.");
4201 if (arg_replace
&& optind
>= argc
)
4202 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
4203 "When --replace= is given, some configuration items must be specified.");
4205 if (arg_root
&& arg_runtime_scope
== RUNTIME_SCOPE_USER
)
4206 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
4207 "Combination of --user and --root= is not supported.");
4209 if (arg_image
&& arg_root
)
4210 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Please specify either --root= or --image=, the combination of both is not supported.");
4215 static int read_config_file(
4220 bool *invalid_config
) {
4222 _cleanup_hashmap_free_ Hashmap
*uid_cache
= NULL
, *gid_cache
= NULL
;
4223 _cleanup_fclose_
FILE *_f
= NULL
;
4224 _cleanup_free_
char *pp
= NULL
;
4233 if (streq(fn
, "-")) {
4234 log_debug("Reading config from stdin%s", special_glyph(SPECIAL_GLYPH_ELLIPSIS
));
4238 r
= search_and_fopen(fn
, "re", arg_root
, (const char**) config_dirs
, &_f
, &pp
);
4240 if (ignore_enoent
&& r
== -ENOENT
) {
4241 log_debug_errno(r
, "Failed to open \"%s\", ignoring: %m", fn
);
4245 return log_error_errno(r
, "Failed to open '%s': %m", fn
);
4248 log_debug("Reading config file \"%s\"%s", pp
, special_glyph(SPECIAL_GLYPH_ELLIPSIS
));
4254 _cleanup_free_
char *line
= NULL
;
4255 bool invalid_line
= false;
4258 k
= read_stripped_line(f
, LONG_LINE_MAX
, &line
);
4260 return log_error_errno(k
, "Failed to read '%s': %m", fn
);
4266 if (IN_SET(line
[0], 0, '#'))
4269 k
= parse_line(c
, fn
, v
, line
, &invalid_line
, &uid_cache
, &gid_cache
);
4272 /* Allow reporting with a special code if the caller requested this */
4273 *invalid_config
= true;
4275 /* The first error becomes our return value */
4280 /* we have to determine age parameter for each entry of type X */
4281 ORDERED_HASHMAP_FOREACH(ia
, c
->globs
)
4282 for (size_t ni
= 0; ni
< ia
->n_items
; ni
++) {
4284 Item
*i
= ia
->items
+ ni
, *candidate_item
= NULL
;
4286 if (i
->type
!= IGNORE_DIRECTORY_PATH
)
4289 ORDERED_HASHMAP_FOREACH(ja
, c
->items
)
4290 for (size_t nj
= 0; nj
< ja
->n_items
; nj
++) {
4291 Item
*j
= ja
->items
+ nj
;
4293 if (!IN_SET(j
->type
, CREATE_DIRECTORY
,
4296 CREATE_SUBVOLUME_INHERIT_QUOTA
,
4297 CREATE_SUBVOLUME_NEW_QUOTA
))
4300 if (path_equal(j
->path
, i
->path
)) {
4306 ? (path_startswith(j
->path
, candidate_item
->path
) && fnmatch(i
->path
, j
->path
, FNM_PATHNAME
| FNM_PERIOD
) == 0)
4307 : path_startswith(i
->path
, j
->path
) != NULL
)
4311 if (candidate_item
&& candidate_item
->age_set
) {
4312 i
->age
= candidate_item
->age
;
4318 log_error_errno(errno
, "Failed to read from file %s: %m", fn
);
4326 static int parse_arguments(
4330 bool *invalid_config
) {
4335 STRV_FOREACH(arg
, args
) {
4336 r
= read_config_file(c
, config_dirs
, *arg
, false, invalid_config
);
4344 static int read_config_files(
4348 bool *invalid_config
) {
4350 _cleanup_strv_free_
char **files
= NULL
;
4351 _cleanup_free_
char *p
= NULL
;
4356 r
= conf_files_list_with_replacement(arg_root
, config_dirs
, arg_replace
, &files
, &p
);
4360 STRV_FOREACH(f
, files
)
4361 if (p
&& path_equal(*f
, p
)) {
4362 log_debug("Parsing arguments at position \"%s\"%s", *f
, special_glyph(SPECIAL_GLYPH_ELLIPSIS
));
4364 r
= parse_arguments(c
, config_dirs
, args
, invalid_config
);
4368 /* Just warn, ignore result otherwise.
4369 * read_config_file() has some debug output, so no need to print anything. */
4370 (void) read_config_file(c
, config_dirs
, *f
, true, invalid_config
);
4375 static int read_credential_lines(Context
*c
, bool *invalid_config
) {
4377 _cleanup_free_
char *j
= NULL
;
4383 r
= get_credentials_dir(&d
);
4387 return log_error_errno(r
, "Failed to get credentials directory: %m");
4389 j
= path_join(d
, "tmpfiles.extra");
4393 (void) read_config_file(c
, /* config_dirs= */ NULL
, j
, /* ignore_enoent= */ true, invalid_config
);
4397 static int link_parent(Context
*c
, ItemArray
*a
) {
4405 /* Finds the closest "parent" item array for the specified item array. Then registers the specified item array
4406 * as child of it, and fills the parent in, linking them both ways. This allows us to later create parents
4407 * before their children, and clean up/remove children before their parents. */
4409 if (a
->n_items
<= 0)
4412 path
= a
->items
[0].path
;
4413 prefix
= newa(char, strlen(path
) + 1);
4414 PATH_FOREACH_PREFIX(prefix
, path
) {
4417 j
= ordered_hashmap_get(c
->items
, prefix
);
4419 j
= ordered_hashmap_get(c
->globs
, prefix
);
4421 r
= set_ensure_put(&j
->children
, NULL
, a
);
4433 DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(item_array_hash_ops
, char, string_hash_func
, string_compare_func
,
4434 ItemArray
, item_array_free
);
4436 static int run(int argc
, char *argv
[]) {
4438 _cleanup_(loop_device_unrefp
) LoopDevice
*loop_device
= NULL
;
4439 _cleanup_(umount_and_freep
) char *mounted_dir
= NULL
;
4441 _cleanup_strv_free_
char **config_dirs
= NULL
;
4442 _cleanup_(context_done
) Context c
= {};
4443 bool invalid_config
= false;
4447 PHASE_REMOVE_AND_CLEAN
,
4453 r
= parse_argv(argc
, argv
);
4459 /* We require /proc/ for a lot of our operations, i.e. for adjusting access modes, for anything
4460 * SELinux related, for recursive operation, for xattr, acl and chattr handling, for btrfs stuff and
4461 * a lot more. It's probably the majority of invocations where /proc/ is required. Since people
4462 * apparently invoke it without anyway and are surprised about the failures, let's catch this early
4463 * and output a nice and friendly warning. */
4464 if (proc_mounted() == 0)
4465 return log_error_errno(SYNTHETIC_ERRNO(ENOSYS
),
4466 "/proc/ is not mounted, but required for successful operation of systemd-tmpfiles. "
4467 "Please mount /proc/. Alternatively, consider using the --root= or --image= switches.");
4469 /* Descending down file system trees might take a lot of fds */
4470 (void) rlimit_nofile_bump(HIGH_RLIMIT_NOFILE
);
4472 switch (arg_runtime_scope
) {
4474 case RUNTIME_SCOPE_USER
:
4475 r
= user_config_paths(&config_dirs
);
4477 return log_error_errno(r
, "Failed to initialize configuration directory list: %m");
4480 case RUNTIME_SCOPE_SYSTEM
:
4481 config_dirs
= strv_split_nulstr(CONF_PATHS_NULSTR("tmpfiles.d"));
4487 assert_not_reached();
4490 if (DEBUG_LOGGING
) {
4491 _cleanup_free_
char *t
= NULL
;
4493 STRV_FOREACH(i
, config_dirs
) {
4494 _cleanup_free_
char *j
= NULL
;
4496 j
= path_join(arg_root
, *i
);
4500 if (!strextend(&t
, "\n\t", j
))
4504 log_debug("Looking for configuration files in (higher priority first):%s", t
);
4507 if (arg_cat_flags
!= CAT_CONFIG_OFF
)
4508 return cat_config(config_dirs
, argv
+ optind
);
4520 r
= mount_image_privately_interactively(
4523 DISSECT_IMAGE_GENERIC_ROOT
|
4524 DISSECT_IMAGE_REQUIRE_ROOT
|
4525 DISSECT_IMAGE_VALIDATE_OS
|
4526 DISSECT_IMAGE_RELAX_VAR_CHECK
|
4527 DISSECT_IMAGE_FSCK
|
4528 DISSECT_IMAGE_GROWFS
,
4530 /* ret_dir_fd= */ NULL
,
4535 arg_root
= strdup(mounted_dir
);
4543 c
.items
= ordered_hashmap_new(&item_array_hash_ops
);
4544 c
.globs
= ordered_hashmap_new(&item_array_hash_ops
);
4545 if (!c
.items
|| !c
.globs
)
4548 /* If command line arguments are specified along with --replace, read all
4549 * configuration files and insert the positional arguments at the specified
4550 * place. Otherwise, if command line arguments are specified, execute just
4551 * them, and finally, without --replace= or any positional arguments, just
4552 * read configuration and execute it.
4554 if (arg_replace
|| optind
>= argc
)
4555 r
= read_config_files(&c
, config_dirs
, argv
+ optind
, &invalid_config
);
4557 r
= parse_arguments(&c
, config_dirs
, argv
+ optind
, &invalid_config
);
4561 r
= read_credential_lines(&c
, &invalid_config
);
4565 /* Let's now link up all child/parent relationships */
4566 ORDERED_HASHMAP_FOREACH(a
, c
.items
) {
4567 r
= link_parent(&c
, a
);
4571 ORDERED_HASHMAP_FOREACH(a
, c
.globs
) {
4572 r
= link_parent(&c
, a
);
4577 /* If multiple operations are requested, let's first run the remove/clean operations, and only then the create
4578 * operations. i.e. that we first clean out the platform we then build on. */
4579 for (phase
= 0; phase
< _PHASE_MAX
; phase
++) {
4582 if (phase
== PHASE_PURGE
)
4583 op
= arg_operation
& OPERATION_PURGE
;
4584 else if (phase
== PHASE_REMOVE_AND_CLEAN
)
4585 op
= arg_operation
& (OPERATION_REMOVE
|OPERATION_CLEAN
);
4586 else if (phase
== PHASE_CREATE
)
4587 op
= arg_operation
& OPERATION_CREATE
;
4589 assert_not_reached();
4591 if (op
== 0) /* Nothing requested in this phase */
4594 /* The non-globbing ones usually create things, hence we apply them first */
4595 ORDERED_HASHMAP_FOREACH(a
, c
.items
) {
4596 k
= process_item_array(&c
, a
, op
);
4597 if (k
< 0 && r
>= 0)
4601 /* The globbing ones usually alter things, hence we apply them second. */
4602 ORDERED_HASHMAP_FOREACH(a
, c
.globs
) {
4603 k
= process_item_array(&c
, a
, op
);
4604 if (k
< 0 && r
>= 0)
4609 if (ERRNO_IS_RESOURCE(r
))
4614 return EX_CANTCREAT
;
4618 DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run
);