1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2010 Lennart Poettering
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
24 #include <sys/mount.h>
26 #include <sys/statvfs.h>
29 #include "alloc-util.h"
35 #include "mount-util.h"
36 #include "parse-util.h"
37 #include "path-util.h"
39 #include "stdio-util.h"
40 #include "string-util.h"
43 /* This is the original MAX_HANDLE_SZ definition from the kernel, when the API was introduced. We use that in place of
44 * any more currently defined value to future-proof things: if the size is increased in the API headers, and our code
45 * is recompiled then it would cease working on old kernels, as those refuse any sizes larger than this value with
46 * EINVAL right-away. Hence, let's disconnect ourselves from any such API changes, and stick to the original definition
47 * from when it was introduced. We use it as a start value only anyway (see below), and hence should be able to deal
48 * with large file handles anyway. */
49 #define ORIGINAL_MAX_HANDLE_SZ 128
51 int name_to_handle_at_loop(
54 struct file_handle
**ret_handle
,
58 _cleanup_free_
struct file_handle
*h
;
59 size_t n
= ORIGINAL_MAX_HANDLE_SZ
;
61 /* We need to invoke name_to_handle_at() in a loop, given that it might return EOVERFLOW when the specified
62 * buffer is too small. Note that in contrast to what the docs might suggest, MAX_HANDLE_SZ is only good as a
63 * start value, it is not an upper bound on the buffer size required.
65 * This improves on raw name_to_handle_at() also in one other regard: ret_handle and ret_mnt_id can be passed
66 * as NULL if there's no interest in either. */
68 h
= malloc0(offsetof(struct file_handle
, f_handle
) + n
);
77 if (name_to_handle_at(fd
, path
, h
, &mnt_id
, flags
) >= 0) {
89 if (errno
!= EOVERFLOW
)
92 if (!ret_handle
&& ret_mnt_id
&& mnt_id
>= 0) {
94 /* As it appears, name_to_handle_at() fills in mnt_id even when it returns EOVERFLOW when the
95 * buffer is too small, but that's undocumented. Hence, let's make use of this if it appears to
96 * be filled in, and the caller was interested in only the mount ID an nothing else. */
102 /* If name_to_handle_at() didn't increase the byte size, then this EOVERFLOW is caused by something
103 * else (apparently EOVERFLOW is returned for untriggered nfs4 mounts sometimes), not by the too small
104 * buffer. In that case propagate EOVERFLOW */
105 if (h
->handle_bytes
<= n
)
108 /* The buffer was too small. Size the new buffer by what name_to_handle_at() returned. */
110 if (offsetof(struct file_handle
, f_handle
) + n
< n
) /* check for addition overflow */
114 h
= malloc0(offsetof(struct file_handle
, f_handle
) + n
);
122 static int fd_fdinfo_mnt_id(int fd
, const char *filename
, int flags
, int *mnt_id
) {
123 char path
[strlen("/proc/self/fdinfo/") + DECIMAL_STR_MAX(int)];
124 _cleanup_free_
char *fdinfo
= NULL
;
125 _cleanup_close_
int subfd
= -1;
129 if ((flags
& AT_EMPTY_PATH
) && isempty(filename
))
130 xsprintf(path
, "/proc/self/fdinfo/%i", fd
);
132 subfd
= openat(fd
, filename
, O_CLOEXEC
|O_PATH
);
136 xsprintf(path
, "/proc/self/fdinfo/%i", subfd
);
139 r
= read_full_file(path
, &fdinfo
, NULL
);
140 if (r
== -ENOENT
) /* The fdinfo directory is a relatively new addition */
145 p
= startswith(fdinfo
, "mnt_id:");
147 p
= strstr(fdinfo
, "\nmnt_id:");
148 if (!p
) /* The mnt_id field is a relatively new addition */
154 p
+= strspn(p
, WHITESPACE
);
155 p
[strcspn(p
, WHITESPACE
)] = 0;
157 return safe_atoi(p
, mnt_id
);
160 int fd_is_mount_point(int fd
, const char *filename
, int flags
) {
161 _cleanup_free_
struct file_handle
*h
= NULL
, *h_parent
= NULL
;
162 int mount_id
= -1, mount_id_parent
= -1;
163 bool nosupp
= false, check_st_dev
= true;
170 /* First we will try the name_to_handle_at() syscall, which
171 * tells us the mount id and an opaque file "handle". It is
172 * not supported everywhere though (kernel compile-time
173 * option, not all file systems are hooked up). If it works
174 * the mount id is usually good enough to tell us whether
175 * something is a mount point.
177 * If that didn't work we will try to read the mount id from
178 * /proc/self/fdinfo/<fd>. This is almost as good as
179 * name_to_handle_at(), however, does not return the
180 * opaque file handle. The opaque file handle is pretty useful
181 * to detect the root directory, which we should always
182 * consider a mount point. Hence we use this only as
183 * fallback. Exporting the mnt_id in fdinfo is a pretty recent
186 * As last fallback we do traditional fstat() based st_dev
187 * comparisons. This is how things were traditionally done,
188 * but unionfs breaks this since it exposes file
189 * systems with a variety of st_dev reported. Also, btrfs
190 * subvolumes have different st_dev, even though they aren't
191 * real mounts of their own. */
193 r
= name_to_handle_at_loop(fd
, filename
, &h
, &mount_id
, flags
);
194 if (IN_SET(r
, -ENOSYS
, -EACCES
, -EPERM
, -EOVERFLOW
, -EINVAL
))
195 /* This kernel does not support name_to_handle_at() at all (ENOSYS), or the syscall was blocked
196 * (EACCES/EPERM; maybe through seccomp, because we are running inside of a container?), or the mount
197 * point is not triggered yet (EOVERFLOW, think nfs4), or some general name_to_handle_at() flakiness
198 * (EINVAL): fall back to simpler logic. */
199 goto fallback_fdinfo
;
200 else if (r
== -EOPNOTSUPP
)
201 /* This kernel or file system does not support name_to_handle_at(), hence let's see if the upper fs
202 * supports it (in which case it is a mount point), otherwise fallback to the traditional stat()
208 r
= name_to_handle_at_loop(fd
, "", &h_parent
, &mount_id_parent
, AT_EMPTY_PATH
);
209 if (r
== -EOPNOTSUPP
) {
211 /* Neither parent nor child do name_to_handle_at()? We have no choice but to fall back. */
212 goto fallback_fdinfo
;
214 /* The parent can't do name_to_handle_at() but the directory we are interested in can? If so,
215 * it must be a mount point. */
220 /* The parent can do name_to_handle_at() but the
221 * directory we are interested in can't? If so, it
222 * must be a mount point. */
226 /* If the file handle for the directory we are
227 * interested in and its parent are identical, we
228 * assume this is the root directory, which is a mount
231 if (h
->handle_bytes
== h_parent
->handle_bytes
&&
232 h
->handle_type
== h_parent
->handle_type
&&
233 memcmp(h
->f_handle
, h_parent
->f_handle
, h
->handle_bytes
) == 0)
236 return mount_id
!= mount_id_parent
;
239 r
= fd_fdinfo_mnt_id(fd
, filename
, flags
, &mount_id
);
240 if (IN_SET(r
, -EOPNOTSUPP
, -EACCES
, -EPERM
))
245 r
= fd_fdinfo_mnt_id(fd
, "", AT_EMPTY_PATH
, &mount_id_parent
);
249 if (mount_id
!= mount_id_parent
)
252 /* Hmm, so, the mount ids are the same. This leaves one
253 * special case though for the root file system. For that,
254 * let's see if the parent directory has the same inode as we
255 * are interested in. Hence, let's also do fstat() checks now,
256 * too, but avoid the st_dev comparisons, since they aren't
257 * that useful on unionfs mounts. */
258 check_st_dev
= false;
261 /* yay for fstatat() taking a different set of flags than the other
263 if (flags
& AT_SYMLINK_FOLLOW
)
264 flags
&= ~AT_SYMLINK_FOLLOW
;
266 flags
|= AT_SYMLINK_NOFOLLOW
;
267 if (fstatat(fd
, filename
, &a
, flags
) < 0)
270 if (fstatat(fd
, "", &b
, AT_EMPTY_PATH
) < 0)
273 /* A directory with same device and inode as its parent? Must
274 * be the root directory */
275 if (a
.st_dev
== b
.st_dev
&&
276 a
.st_ino
== b
.st_ino
)
279 return check_st_dev
&& (a
.st_dev
!= b
.st_dev
);
282 /* flags can be AT_SYMLINK_FOLLOW or 0 */
283 int path_is_mount_point(const char *t
, const char *root
, int flags
) {
284 _cleanup_free_
char *canonical
= NULL
, *parent
= NULL
;
285 _cleanup_close_
int fd
= -1;
289 assert((flags
& ~AT_SYMLINK_FOLLOW
) == 0);
291 if (path_equal(t
, "/"))
294 /* we need to resolve symlinks manually, we can't just rely on
295 * fd_is_mount_point() to do that for us; if we have a structure like
296 * /bin -> /usr/bin/ and /usr is a mount point, then the parent that we
297 * look at needs to be /usr, not /. */
298 if (flags
& AT_SYMLINK_FOLLOW
) {
299 r
= chase_symlinks(t
, root
, 0, &canonical
);
306 parent
= dirname_malloc(t
);
310 fd
= openat(AT_FDCWD
, parent
, O_DIRECTORY
|O_CLOEXEC
|O_PATH
);
314 return fd_is_mount_point(fd
, last_path_component(t
), flags
);
317 int path_get_mnt_id(const char *path
, int *ret
) {
320 r
= name_to_handle_at_loop(AT_FDCWD
, path
, NULL
, ret
, 0);
321 if (IN_SET(r
, -EOPNOTSUPP
, -ENOSYS
, -EACCES
, -EPERM
, -EOVERFLOW
, -EINVAL
)) /* kernel/fs don't support this, or seccomp blocks access, or untriggered mount, or name_to_handle_at() is flaky */
322 return fd_fdinfo_mnt_id(AT_FDCWD
, path
, 0, ret
);
327 int umount_recursive(const char *prefix
, int flags
) {
331 /* Try to umount everything recursively below a
332 * directory. Also, take care of stacked mounts, and keep
333 * unmounting them until they are gone. */
336 _cleanup_fclose_
FILE *proc_self_mountinfo
= NULL
;
341 proc_self_mountinfo
= fopen("/proc/self/mountinfo", "re");
342 if (!proc_self_mountinfo
)
346 _cleanup_free_
char *path
= NULL
, *p
= NULL
;
349 k
= fscanf(proc_self_mountinfo
,
350 "%*s " /* (1) mount id */
351 "%*s " /* (2) parent id */
352 "%*s " /* (3) major:minor */
353 "%*s " /* (4) root */
354 "%ms " /* (5) mount point */
355 "%*s" /* (6) mount options */
356 "%*[^-]" /* (7) optional fields */
357 "- " /* (8) separator */
358 "%*s " /* (9) file system type */
359 "%*s" /* (10) mount source */
360 "%*s" /* (11) mount options 2 */
361 "%*[^\n]", /* some rubbish at the end */
370 r
= cunescape(path
, UNESCAPE_RELAX
, &p
);
374 if (!path_startswith(p
, prefix
))
377 if (umount2(p
, flags
) < 0) {
378 r
= log_debug_errno(errno
, "Failed to umount %s: %m", p
);
382 log_debug("Successfully unmounted %s", p
);
395 static int get_mount_flags(const char *path
, unsigned long *flags
) {
398 if (statvfs(path
, &buf
) < 0)
404 /* Use this function only if do you have direct access to /proc/self/mountinfo
405 * and need the caller to open it for you. This is the case when /proc is
406 * masked or not mounted. Otherwise, use bind_remount_recursive. */
407 int bind_remount_recursive_with_mountinfo(const char *prefix
, bool ro
, char **blacklist
, FILE *proc_self_mountinfo
) {
408 _cleanup_set_free_free_ Set
*done
= NULL
;
409 _cleanup_free_
char *cleaned
= NULL
;
412 assert(proc_self_mountinfo
);
414 /* Recursively remount a directory (and all its submounts) read-only or read-write. If the directory is already
415 * mounted, we reuse the mount and simply mark it MS_BIND|MS_RDONLY (or remove the MS_RDONLY for read-write
416 * operation). If it isn't we first make it one. Afterwards we apply MS_BIND|MS_RDONLY (or remove MS_RDONLY) to
417 * all submounts we can access, too. When mounts are stacked on the same mount point we only care for each
418 * individual "top-level" mount on each point, as we cannot influence/access the underlying mounts anyway. We
419 * do not have any effect on future submounts that might get propagated, they migt be writable. This includes
420 * future submounts that have been triggered via autofs.
422 * If the "blacklist" parameter is specified it may contain a list of subtrees to exclude from the
423 * remount operation. Note that we'll ignore the blacklist for the top-level path. */
425 cleaned
= strdup(prefix
);
429 path_kill_slashes(cleaned
);
431 done
= set_new(&string_hash_ops
);
436 _cleanup_set_free_free_ Set
*todo
= NULL
;
437 bool top_autofs
= false;
439 unsigned long orig_flags
;
441 todo
= set_new(&string_hash_ops
);
445 rewind(proc_self_mountinfo
);
448 _cleanup_free_
char *path
= NULL
, *p
= NULL
, *type
= NULL
;
451 k
= fscanf(proc_self_mountinfo
,
452 "%*s " /* (1) mount id */
453 "%*s " /* (2) parent id */
454 "%*s " /* (3) major:minor */
455 "%*s " /* (4) root */
456 "%ms " /* (5) mount point */
457 "%*s" /* (6) mount options (superblock) */
458 "%*[^-]" /* (7) optional fields */
459 "- " /* (8) separator */
460 "%ms " /* (9) file system type */
461 "%*s" /* (10) mount source */
462 "%*s" /* (11) mount options (bind mount) */
463 "%*[^\n]", /* some rubbish at the end */
473 r
= cunescape(path
, UNESCAPE_RELAX
, &p
);
477 if (!path_startswith(p
, cleaned
))
480 /* Ignore this mount if it is blacklisted, but only if it isn't the top-level mount we shall
482 if (!path_equal(cleaned
, p
)) {
483 bool blacklisted
= false;
486 STRV_FOREACH(i
, blacklist
) {
488 if (path_equal(*i
, cleaned
))
491 if (!path_startswith(*i
, cleaned
))
494 if (path_startswith(p
, *i
)) {
496 log_debug("Not remounting %s, because blacklisted by %s, called for %s", p
, *i
, cleaned
);
504 /* Let's ignore autofs mounts. If they aren't
505 * triggered yet, we want to avoid triggering
506 * them, as we don't make any guarantees for
507 * future submounts anyway. If they are
508 * already triggered, then we will find
509 * another entry for this. */
510 if (streq(type
, "autofs")) {
511 top_autofs
= top_autofs
|| path_equal(cleaned
, p
);
515 if (!set_contains(done
, p
)) {
516 r
= set_consume(todo
, p
);
525 /* If we have no submounts to process anymore and if
526 * the root is either already done, or an autofs, we
528 if (set_isempty(todo
) &&
529 (top_autofs
|| set_contains(done
, cleaned
)))
532 if (!set_contains(done
, cleaned
) &&
533 !set_contains(todo
, cleaned
)) {
534 /* The prefix directory itself is not yet a mount, make it one. */
535 if (mount(cleaned
, cleaned
, NULL
, MS_BIND
|MS_REC
, NULL
) < 0)
539 (void) get_mount_flags(cleaned
, &orig_flags
);
540 orig_flags
&= ~MS_RDONLY
;
542 if (mount(NULL
, prefix
, NULL
, orig_flags
|MS_BIND
|MS_REMOUNT
|(ro
? MS_RDONLY
: 0), NULL
) < 0)
545 log_debug("Made top-level directory %s a mount point.", prefix
);
551 r
= set_consume(done
, x
);
556 while ((x
= set_steal_first(todo
))) {
558 r
= set_consume(done
, x
);
559 if (IN_SET(r
, 0, -EEXIST
))
564 /* Deal with mount points that are obstructed by a later mount */
565 r
= path_is_mount_point(x
, NULL
, 0);
566 if (IN_SET(r
, 0, -ENOENT
))
571 /* Try to reuse the original flag set */
573 (void) get_mount_flags(x
, &orig_flags
);
574 orig_flags
&= ~MS_RDONLY
;
576 if (mount(NULL
, x
, NULL
, orig_flags
|MS_BIND
|MS_REMOUNT
|(ro
? MS_RDONLY
: 0), NULL
) < 0)
579 log_debug("Remounted %s read-only.", x
);
584 int bind_remount_recursive(const char *prefix
, bool ro
, char **blacklist
) {
585 _cleanup_fclose_
FILE *proc_self_mountinfo
= NULL
;
587 proc_self_mountinfo
= fopen("/proc/self/mountinfo", "re");
588 if (!proc_self_mountinfo
)
591 return bind_remount_recursive_with_mountinfo(prefix
, ro
, blacklist
, proc_self_mountinfo
);
594 int mount_move_root(const char *path
) {
600 if (mount(path
, "/", NULL
, MS_MOVE
, NULL
) < 0)
612 bool fstype_is_network(const char *fstype
) {
615 x
= startswith(fstype
, "fuse.");
619 return STR_IN_SET(fstype
,
631 "pvfs2", /* OrangeFS */
636 bool fstype_is_api_vfs(const char *fstype
) {
637 return STR_IN_SET(fstype
,
660 bool fstype_is_ro(const char *fstype
) {
661 /* All Linux file systems that are necessarily read-only */
662 return STR_IN_SET(fstype
,
668 bool fstype_can_discard(const char *fstype
) {
669 return STR_IN_SET(fstype
,
676 int repeat_unmount(const char *path
, int flags
) {
681 /* If there are multiple mounts on a mount point, this
682 * removes them all */
685 if (umount2(path
, flags
) < 0) {
697 const char* mode_to_inaccessible_node(mode_t mode
) {
698 /* This function maps a node type to the correspondent inaccessible node type.
699 * Character and block inaccessible devices may not be created (because major=0 and minor=0),
700 * in such case we map character and block devices to the inaccessible node type socket. */
701 switch(mode
& S_IFMT
) {
703 return "/run/systemd/inaccessible/reg";
705 return "/run/systemd/inaccessible/dir";
707 if (access("/run/systemd/inaccessible/chr", F_OK
) == 0)
708 return "/run/systemd/inaccessible/chr";
709 return "/run/systemd/inaccessible/sock";
711 if (access("/run/systemd/inaccessible/blk", F_OK
) == 0)
712 return "/run/systemd/inaccessible/blk";
713 return "/run/systemd/inaccessible/sock";
715 return "/run/systemd/inaccessible/fifo";
717 return "/run/systemd/inaccessible/sock";
722 #define FLAG(name) (flags & name ? STRINGIFY(name) "|" : "")
723 static char* mount_flags_to_string(long unsigned flags
) {
725 _cleanup_free_
char *y
= NULL
;
726 long unsigned overflow
;
728 overflow
= flags
& ~(MS_RDONLY
|
753 if (flags
== 0 || overflow
!= 0)
754 if (asprintf(&y
, "%lx", overflow
) < 0)
757 x
= strjoin(FLAG(MS_RDONLY
),
761 FLAG(MS_SYNCHRONOUS
),
779 FLAG(MS_STRICTATIME
),
785 x
[strlen(x
) - 1] = '\0'; /* truncate the last | */
795 const char *options
) {
797 _cleanup_free_
char *fl
= NULL
;
799 fl
= mount_flags_to_string(flags
);
801 if ((flags
& MS_REMOUNT
) && !what
&& !type
)
802 log_debug("Remounting %s (%s \"%s\")...",
803 where
, strnull(fl
), strempty(options
));
804 else if (!what
&& !type
)
805 log_debug("Mounting %s (%s \"%s\")...",
806 where
, strnull(fl
), strempty(options
));
807 else if ((flags
& MS_BIND
) && !type
)
808 log_debug("Bind-mounting %s on %s (%s \"%s\")...",
809 what
, where
, strnull(fl
), strempty(options
));
810 else if (flags
& MS_MOVE
)
811 log_debug("Moving mount %s → %s (%s \"%s\")...",
812 what
, where
, strnull(fl
), strempty(options
));
814 log_debug("Mounting %s on %s (%s \"%s\")...",
815 strna(type
), where
, strnull(fl
), strempty(options
));
816 if (mount(what
, where
, type
, flags
, options
) < 0)
817 return log_full_errno(error_log_level
, errno
,
818 "Failed to mount %s on %s (%s \"%s\"): %m",
819 strna(type
), where
, strnull(fl
), strempty(options
));
823 int umount_verbose(const char *what
) {
824 log_debug("Umounting %s...", what
);
825 if (umount(what
) < 0)
826 return log_error_errno(errno
, "Failed to unmount %s: %m", what
);
830 const char *mount_propagation_flags_to_string(unsigned long flags
) {
832 switch (flags
& (MS_SHARED
|MS_SLAVE
|MS_PRIVATE
)) {
847 int mount_propagation_flags_from_string(const char *name
, unsigned long *ret
) {
851 else if (streq(name
, "shared"))
853 else if (streq(name
, "slave"))
855 else if (streq(name
, "private"))