]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/tmpfiles/tmpfiles.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tmpfiles: consider an argument of "-" as non-specified
[thirdparty/systemd.git] / src / tmpfiles / tmpfiles.c
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2
3 /***
4 This file is part of systemd.
5
6 Copyright 2010 Lennart Poettering, Kay Sievers
7 Copyright 2015 Zbigniew Jędrzejewski-Szmek
8
9 systemd is free software; you can redistribute it and/or modify it
10 under the terms of the GNU Lesser General Public License as published by
11 the Free Software Foundation; either version 2.1 of the License, or
12 (at your option) any later version.
13
14 systemd is distributed in the hope that it will be useful, but
15 WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 Lesser General Public License for more details.
18
19 You should have received a copy of the GNU Lesser General Public License
20 along with systemd; If not, see <http://www.gnu.org/licenses/>.
21 ***/
22
23 #include <unistd.h>
24 #include <fcntl.h>
25 #include <errno.h>
26 #include <string.h>
27 #include <limits.h>
28 #include <dirent.h>
29 #include <stdio.h>
30 #include <stdlib.h>
31 #include <stddef.h>
32 #include <getopt.h>
33 #include <stdbool.h>
34 #include <time.h>
35 #include <glob.h>
36 #include <fnmatch.h>
37 #include <sys/stat.h>
38 #include <sys/xattr.h>
39 #include <linux/fs.h>
40
41 #include "log.h"
42 #include "util.h"
43 #include "macro.h"
44 #include "missing.h"
45 #include "mkdir.h"
46 #include "path-util.h"
47 #include "strv.h"
48 #include "label.h"
49 #include "set.h"
50 #include "conf-files.h"
51 #include "capability.h"
52 #include "specifier.h"
53 #include "build.h"
54 #include "copy.h"
55 #include "rm-rf.h"
56 #include "selinux-util.h"
57 #include "btrfs-util.h"
58 #include "acl-util.h"
59 #include "formats-util.h"
60
61 /* This reads all files listed in /etc/tmpfiles.d/?*.conf and creates
62 * them in the file system. This is intended to be used to create
63 * properly owned directories beneath /tmp, /var/tmp, /run, which are
64 * volatile and hence need to be recreated on bootup. */
65
66 typedef enum ItemType {
67 /* These ones take file names */
68 CREATE_FILE = 'f',
69 TRUNCATE_FILE = 'F',
70 CREATE_DIRECTORY = 'd',
71 TRUNCATE_DIRECTORY = 'D',
72 CREATE_SUBVOLUME = 'v',
73 CREATE_FIFO = 'p',
74 CREATE_SYMLINK = 'L',
75 CREATE_CHAR_DEVICE = 'c',
76 CREATE_BLOCK_DEVICE = 'b',
77 COPY_FILES = 'C',
78
79 /* These ones take globs */
80 WRITE_FILE = 'w',
81 SET_XATTR = 't',
82 RECURSIVE_SET_XATTR = 'T',
83 SET_ACL = 'a',
84 RECURSIVE_SET_ACL = 'A',
85 SET_ATTRIBUTE = 'h',
86 RECURSIVE_SET_ATTRIBUTE = 'H',
87 IGNORE_PATH = 'x',
88 IGNORE_DIRECTORY_PATH = 'X',
89 REMOVE_PATH = 'r',
90 RECURSIVE_REMOVE_PATH = 'R',
91 RELABEL_PATH = 'z',
92 RECURSIVE_RELABEL_PATH = 'Z',
93 ADJUST_MODE = 'm', /* legacy, 'z' is identical to this */
94 } ItemType;
95
96 typedef struct Item {
97 ItemType type;
98
99 char *path;
100 char *argument;
101 char **xattrs;
102 #ifdef HAVE_ACL
103 acl_t acl_access;
104 acl_t acl_default;
105 #endif
106 uid_t uid;
107 gid_t gid;
108 mode_t mode;
109 usec_t age;
110
111 dev_t major_minor;
112 unsigned attribute_value;
113 unsigned attribute_mask;
114
115 bool uid_set:1;
116 bool gid_set:1;
117 bool mode_set:1;
118 bool age_set:1;
119 bool mask_perms:1;
120 bool attribute_set:1;
121
122 bool keep_first_level:1;
123
124 bool force:1;
125
126 bool done:1;
127 } Item;
128
129 typedef struct ItemArray {
130 Item *items;
131 size_t count;
132 size_t size;
133 } ItemArray;
134
135 static bool arg_create = false;
136 static bool arg_clean = false;
137 static bool arg_remove = false;
138 static bool arg_boot = false;
139
140 static char **arg_include_prefixes = NULL;
141 static char **arg_exclude_prefixes = NULL;
142 static char *arg_root = NULL;
143
144 static const char conf_file_dirs[] = CONF_DIRS_NULSTR("tmpfiles");
145
146 #define MAX_DEPTH 256
147
148 static Hashmap *items = NULL, *globs = NULL;
149 static Set *unix_sockets = NULL;
150
151 static const Specifier specifier_table[] = {
152 { 'm', specifier_machine_id, NULL },
153 { 'b', specifier_boot_id, NULL },
154 { 'H', specifier_host_name, NULL },
155 { 'v', specifier_kernel_release, NULL },
156 {}
157 };
158
159 static bool needs_glob(ItemType t) {
160 return IN_SET(t,
161 WRITE_FILE,
162 IGNORE_PATH,
163 IGNORE_DIRECTORY_PATH,
164 REMOVE_PATH,
165 RECURSIVE_REMOVE_PATH,
166 ADJUST_MODE,
167 RELABEL_PATH,
168 RECURSIVE_RELABEL_PATH,
169 SET_XATTR,
170 RECURSIVE_SET_XATTR,
171 SET_ACL,
172 RECURSIVE_SET_ACL,
173 SET_ATTRIBUTE,
174 RECURSIVE_SET_ATTRIBUTE);
175 }
176
177 static bool takes_ownership(ItemType t) {
178 return IN_SET(t,
179 CREATE_FILE,
180 TRUNCATE_FILE,
181 CREATE_DIRECTORY,
182 TRUNCATE_DIRECTORY,
183 CREATE_SUBVOLUME,
184 CREATE_FIFO,
185 CREATE_SYMLINK,
186 CREATE_CHAR_DEVICE,
187 CREATE_BLOCK_DEVICE,
188 COPY_FILES,
189 WRITE_FILE,
190 IGNORE_PATH,
191 IGNORE_DIRECTORY_PATH,
192 REMOVE_PATH,
193 RECURSIVE_REMOVE_PATH);
194 }
195
196 static struct Item* find_glob(Hashmap *h, const char *match) {
197 ItemArray *j;
198 Iterator i;
199
200 HASHMAP_FOREACH(j, h, i) {
201 unsigned n;
202
203 for (n = 0; n < j->count; n++) {
204 Item *item = j->items + n;
205
206 if (fnmatch(item->path, match, FNM_PATHNAME|FNM_PERIOD) == 0)
207 return item;
208 }
209 }
210
211 return NULL;
212 }
213
214 static void load_unix_sockets(void) {
215 _cleanup_fclose_ FILE *f = NULL;
216 char line[LINE_MAX];
217
218 if (unix_sockets)
219 return;
220
221 /* We maintain a cache of the sockets we found in
222 * /proc/net/unix to speed things up a little. */
223
224 unix_sockets = set_new(&string_hash_ops);
225 if (!unix_sockets)
226 return;
227
228 f = fopen("/proc/net/unix", "re");
229 if (!f)
230 return;
231
232 /* Skip header */
233 if (!fgets(line, sizeof(line), f))
234 goto fail;
235
236 for (;;) {
237 char *p, *s;
238 int k;
239
240 if (!fgets(line, sizeof(line), f))
241 break;
242
243 truncate_nl(line);
244
245 p = strchr(line, ':');
246 if (!p)
247 continue;
248
249 if (strlen(p) < 37)
250 continue;
251
252 p += 37;
253 p += strspn(p, WHITESPACE);
254 p += strcspn(p, WHITESPACE); /* skip one more word */
255 p += strspn(p, WHITESPACE);
256
257 if (*p != '/')
258 continue;
259
260 s = strdup(p);
261 if (!s)
262 goto fail;
263
264 path_kill_slashes(s);
265
266 k = set_consume(unix_sockets, s);
267 if (k < 0 && k != -EEXIST)
268 goto fail;
269 }
270
271 return;
272
273 fail:
274 set_free_free(unix_sockets);
275 unix_sockets = NULL;
276 }
277
278 static bool unix_socket_alive(const char *fn) {
279 assert(fn);
280
281 load_unix_sockets();
282
283 if (unix_sockets)
284 return !!set_get(unix_sockets, (char*) fn);
285
286 /* We don't know, so assume yes */
287 return true;
288 }
289
290 static int dir_is_mount_point(DIR *d, const char *subdir) {
291
292 union file_handle_union h = FILE_HANDLE_INIT;
293 int mount_id_parent, mount_id;
294 int r_p, r;
295
296 r_p = name_to_handle_at(dirfd(d), ".", &h.handle, &mount_id_parent, 0);
297 if (r_p < 0)
298 r_p = -errno;
299
300 h.handle.handle_bytes = MAX_HANDLE_SZ;
301 r = name_to_handle_at(dirfd(d), subdir, &h.handle, &mount_id, 0);
302 if (r < 0)
303 r = -errno;
304
305 /* got no handle; make no assumptions, return error */
306 if (r_p < 0 && r < 0)
307 return r_p;
308
309 /* got both handles; if they differ, it is a mount point */
310 if (r_p >= 0 && r >= 0)
311 return mount_id_parent != mount_id;
312
313 /* got only one handle; assume different mount points if one
314 * of both queries was not supported by the filesystem */
315 if (r_p == -ENOSYS || r_p == -EOPNOTSUPP || r == -ENOSYS || r == -EOPNOTSUPP)
316 return true;
317
318 /* return error */
319 if (r_p < 0)
320 return r_p;
321 return r;
322 }
323
324 static DIR* xopendirat_nomod(int dirfd, const char *path) {
325 DIR *dir;
326
327 dir = xopendirat(dirfd, path, O_NOFOLLOW|O_NOATIME);
328 if (dir)
329 return dir;
330
331 log_debug_errno(errno, "Cannot open %sdirectory \"%s\": %m", dirfd == AT_FDCWD ? "" : "sub", path);
332 if (errno != EPERM)
333 return NULL;
334
335 dir = xopendirat(dirfd, path, O_NOFOLLOW);
336 if (!dir)
337 log_debug_errno(errno, "Cannot open %sdirectory \"%s\": %m", dirfd == AT_FDCWD ? "" : "sub", path);
338
339 return dir;
340 }
341
342 static DIR* opendir_nomod(const char *path) {
343 return xopendirat_nomod(AT_FDCWD, path);
344 }
345
346 static int dir_cleanup(
347 Item *i,
348 const char *p,
349 DIR *d,
350 const struct stat *ds,
351 usec_t cutoff,
352 dev_t rootdev,
353 bool mountpoint,
354 int maxdepth,
355 bool keep_this_level) {
356
357 struct dirent *dent;
358 struct timespec times[2];
359 bool deleted = false;
360 int r = 0;
361
362 while ((dent = readdir(d))) {
363 struct stat s;
364 usec_t age;
365 _cleanup_free_ char *sub_path = NULL;
366
367 if (STR_IN_SET(dent->d_name, ".", ".."))
368 continue;
369
370 if (fstatat(dirfd(d), dent->d_name, &s, AT_SYMLINK_NOFOLLOW) < 0) {
371 if (errno == ENOENT)
372 continue;
373
374 /* FUSE, NFS mounts, SELinux might return EACCES */
375 if (errno == EACCES)
376 log_debug_errno(errno, "stat(%s/%s) failed: %m", p, dent->d_name);
377 else
378 log_error_errno(errno, "stat(%s/%s) failed: %m", p, dent->d_name);
379 r = -errno;
380 continue;
381 }
382
383 /* Stay on the same filesystem */
384 if (s.st_dev != rootdev) {
385 log_debug("Ignoring \"%s/%s\": different filesystem.", p, dent->d_name);
386 continue;
387 }
388
389 /* Try to detect bind mounts of the same filesystem instance; they
390 * do not differ in device major/minors. This type of query is not
391 * supported on all kernels or filesystem types though. */
392 if (S_ISDIR(s.st_mode) && dir_is_mount_point(d, dent->d_name) > 0) {
393 log_debug("Ignoring \"%s/%s\": different mount of the same filesystem.",
394 p, dent->d_name);
395 continue;
396 }
397
398 /* Do not delete read-only files owned by root */
399 if (s.st_uid == 0 && !(s.st_mode & S_IWUSR)) {
400 log_debug("Ignoring \"%s/%s\": read-only and owner by root.", p, dent->d_name);
401 continue;
402 }
403
404 sub_path = strjoin(p, "/", dent->d_name, NULL);
405 if (!sub_path) {
406 r = log_oom();
407 goto finish;
408 }
409
410 /* Is there an item configured for this path? */
411 if (hashmap_get(items, sub_path)) {
412 log_debug("Ignoring \"%s\": a separate entry exists.", sub_path);
413 continue;
414 }
415
416 if (find_glob(globs, sub_path)) {
417 log_debug("Ignoring \"%s\": a separate glob exists.", sub_path);
418 continue;
419 }
420
421 if (S_ISDIR(s.st_mode)) {
422
423 if (mountpoint &&
424 streq(dent->d_name, "lost+found") &&
425 s.st_uid == 0) {
426 log_debug("Ignoring \"%s\".", sub_path);
427 continue;
428 }
429
430 if (maxdepth <= 0)
431 log_warning("Reached max depth on \"%s\".", sub_path);
432 else {
433 _cleanup_closedir_ DIR *sub_dir;
434 int q;
435
436 sub_dir = xopendirat_nomod(dirfd(d), dent->d_name);
437 if (!sub_dir) {
438 if (errno != ENOENT)
439 r = log_error_errno(errno, "opendir(%s) failed: %m", sub_path);
440
441 continue;
442 }
443
444 q = dir_cleanup(i, sub_path, sub_dir, &s, cutoff, rootdev, false, maxdepth-1, false);
445 if (q < 0)
446 r = q;
447 }
448
449 /* Note: if you are wondering why we don't
450 * support the sticky bit for excluding
451 * directories from cleaning like we do it for
452 * other file system objects: well, the sticky
453 * bit already has a meaning for directories,
454 * so we don't want to overload that. */
455
456 if (keep_this_level) {
457 log_debug("Keeping \"%s\".", sub_path);
458 continue;
459 }
460
461 /* Ignore ctime, we change it when deleting */
462 age = timespec_load(&s.st_mtim);
463 if (age >= cutoff) {
464 char a[FORMAT_TIMESTAMP_MAX];
465 /* Follows spelling in stat(1). */
466 log_debug("Directory \"%s\": modify time %s is too new.",
467 sub_path,
468 format_timestamp_us(a, sizeof(a), age));
469 continue;
470 }
471
472 age = timespec_load(&s.st_atim);
473 if (age >= cutoff) {
474 char a[FORMAT_TIMESTAMP_MAX];
475 log_debug("Directory \"%s\": access time %s is too new.",
476 sub_path,
477 format_timestamp_us(a, sizeof(a), age));
478 continue;
479 }
480
481 log_debug("Removing directory \"%s\".", sub_path);
482 if (unlinkat(dirfd(d), dent->d_name, AT_REMOVEDIR) < 0)
483 if (errno != ENOENT && errno != ENOTEMPTY) {
484 log_error_errno(errno, "rmdir(%s): %m", sub_path);
485 r = -errno;
486 }
487
488 } else {
489 /* Skip files for which the sticky bit is
490 * set. These are semantics we define, and are
491 * unknown elsewhere. See XDG_RUNTIME_DIR
492 * specification for details. */
493 if (s.st_mode & S_ISVTX) {
494 log_debug("Skipping \"%s\": sticky bit set.", sub_path);
495 continue;
496 }
497
498 if (mountpoint && S_ISREG(s.st_mode))
499 if ((streq(dent->d_name, ".journal") && s.st_uid == 0) ||
500 streq(dent->d_name, "aquota.user") ||
501 streq(dent->d_name, "aquota.group")) {
502 log_debug("Skipping \"%s\".", sub_path);
503 continue;
504 }
505
506 /* Ignore sockets that are listed in /proc/net/unix */
507 if (S_ISSOCK(s.st_mode) && unix_socket_alive(sub_path)) {
508 log_debug("Skipping \"%s\": live socket.", sub_path);
509 continue;
510 }
511
512 /* Ignore device nodes */
513 if (S_ISCHR(s.st_mode) || S_ISBLK(s.st_mode)) {
514 log_debug("Skipping \"%s\": a device.", sub_path);
515 continue;
516 }
517
518 /* Keep files on this level around if this is
519 * requested */
520 if (keep_this_level) {
521 log_debug("Keeping \"%s\".", sub_path);
522 continue;
523 }
524
525 age = timespec_load(&s.st_mtim);
526 if (age >= cutoff) {
527 char a[FORMAT_TIMESTAMP_MAX];
528 /* Follows spelling in stat(1). */
529 log_debug("File \"%s\": modify time %s is too new.",
530 sub_path,
531 format_timestamp_us(a, sizeof(a), age));
532 continue;
533 }
534
535 age = timespec_load(&s.st_atim);
536 if (age >= cutoff) {
537 char a[FORMAT_TIMESTAMP_MAX];
538 log_debug("File \"%s\": access time %s is too new.",
539 sub_path,
540 format_timestamp_us(a, sizeof(a), age));
541 continue;
542 }
543
544 age = timespec_load(&s.st_ctim);
545 if (age >= cutoff) {
546 char a[FORMAT_TIMESTAMP_MAX];
547 log_debug("File \"%s\": change time %s is too new.",
548 sub_path,
549 format_timestamp_us(a, sizeof(a), age));
550 continue;
551 }
552
553 log_debug("unlink \"%s\"", sub_path);
554
555 if (unlinkat(dirfd(d), dent->d_name, 0) < 0)
556 if (errno != ENOENT)
557 r = log_error_errno(errno, "unlink(%s): %m", sub_path);
558
559 deleted = true;
560 }
561 }
562
563 finish:
564 if (deleted) {
565 usec_t age1, age2;
566 char a[FORMAT_TIMESTAMP_MAX], b[FORMAT_TIMESTAMP_MAX];
567
568 /* Restore original directory timestamps */
569 times[0] = ds->st_atim;
570 times[1] = ds->st_mtim;
571
572 age1 = timespec_load(&ds->st_atim);
573 age2 = timespec_load(&ds->st_mtim);
574 log_debug("Restoring access and modification time on \"%s\": %s, %s",
575 p,
576 format_timestamp_us(a, sizeof(a), age1),
577 format_timestamp_us(b, sizeof(b), age2));
578 if (futimens(dirfd(d), times) < 0)
579 log_error_errno(errno, "utimensat(%s): %m", p);
580 }
581
582 return r;
583 }
584
585 static int path_set_perms(Item *i, const char *path) {
586 _cleanup_close_ int fd = -1;
587 struct stat st;
588
589 assert(i);
590 assert(path);
591
592 /* We open the file with O_PATH here, to make the operation
593 * somewhat atomic. Also there's unfortunately no fchmodat()
594 * with AT_SYMLINK_NOFOLLOW, hence we emulate it here via
595 * O_PATH. */
596
597 fd = open(path, O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH|O_NOATIME);
598 if (fd < 0)
599 return log_error_errno(errno, "Adjusting owner and mode for %s failed: %m", path);
600
601 if (fstatat(fd, "", &st, AT_EMPTY_PATH) < 0)
602 return log_error_errno(errno, "Failed to fstat() file %s: %m", path);
603
604 if (S_ISLNK(st.st_mode))
605 log_debug("Skipping mode an owner fix for symlink %s.", path);
606 else {
607 char fn[strlen("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
608 xsprintf(fn, "/proc/self/fd/%i", fd);
609
610 /* not using i->path directly because it may be a glob */
611 if (i->mode_set) {
612 mode_t m = i->mode;
613
614 if (i->mask_perms) {
615 if (!(st.st_mode & 0111))
616 m &= ~0111;
617 if (!(st.st_mode & 0222))
618 m &= ~0222;
619 if (!(st.st_mode & 0444))
620 m &= ~0444;
621 if (!S_ISDIR(st.st_mode))
622 m &= ~07000; /* remove sticky/sgid/suid bit, unless directory */
623 }
624
625 if (m == (st.st_mode & 07777))
626 log_debug("\"%s\" has right mode %o", path, st.st_mode);
627 else {
628 log_debug("chmod \"%s\" to mode %o", path, m);
629 if (chmod(fn, m) < 0)
630 return log_error_errno(errno, "chmod(%s) failed: %m", path);
631 }
632 }
633
634 if ((i->uid != st.st_uid || i->gid != st.st_gid) &&
635 (i->uid_set || i->gid_set)) {
636 log_debug("chown \"%s\" to "UID_FMT"."GID_FMT,
637 path,
638 i->uid_set ? i->uid : UID_INVALID,
639 i->gid_set ? i->gid : GID_INVALID);
640 if (chown(fn,
641 i->uid_set ? i->uid : UID_INVALID,
642 i->gid_set ? i->gid : GID_INVALID) < 0)
643 return log_error_errno(errno, "chown(%s) failed: %m", path);
644 }
645 }
646
647 fd = safe_close(fd);
648
649 return label_fix(path, false, false);
650 }
651
652 static int parse_xattrs_from_arg(Item *i) {
653 const char *p;
654 int r;
655
656 assert(i);
657 assert(i->argument);
658
659 p = i->argument;
660
661 for (;;) {
662 _cleanup_free_ char *name = NULL, *value = NULL, *xattr = NULL, *xattr_replaced = NULL;
663
664 r = unquote_first_word(&p, &xattr, UNQUOTE_CUNESCAPE);
665 if (r < 0)
666 log_warning_errno(r, "Failed to parse extended attribute '%s', ignoring: %m", p);
667 if (r <= 0)
668 break;
669
670 r = specifier_printf(xattr, specifier_table, NULL, &xattr_replaced);
671 if (r < 0)
672 return log_error_errno(r, "Failed to replace specifiers in extended attribute '%s': %m", xattr);
673
674 r = split_pair(xattr_replaced, "=", &name, &value);
675 if (r < 0) {
676 log_warning_errno(r, "Failed to parse extended attribute, ignoring: %s", xattr);
677 continue;
678 }
679
680 if (isempty(name) || isempty(value)) {
681 log_warning("Malformed extended attribute found, ignoring: %s", xattr);
682 continue;
683 }
684
685 if (strv_push_pair(&i->xattrs, name, value) < 0)
686 return log_oom();
687
688 name = value = NULL;
689 }
690
691 return 0;
692 }
693
694 static int path_set_xattrs(Item *i, const char *path) {
695 char **name, **value;
696
697 assert(i);
698 assert(path);
699
700 STRV_FOREACH_PAIR(name, value, i->xattrs) {
701 int n;
702
703 n = strlen(*value);
704 log_debug("Setting extended attribute '%s=%s' on %s.", *name, *value, path);
705 if (lsetxattr(path, *name, *value, n, 0) < 0) {
706 log_error("Setting extended attribute %s=%s on %s failed: %m", *name, *value, path);
707 return -errno;
708 }
709 }
710 return 0;
711 }
712
713 static int parse_acls_from_arg(Item *item) {
714 #ifdef HAVE_ACL
715 int r;
716
717 assert(item);
718
719 /* If force (= modify) is set, we will not modify the acl
720 * afterwards, so the mask can be added now if necessary. */
721
722 r = parse_acl(item->argument, &item->acl_access, &item->acl_default, !item->force);
723 if (r < 0)
724 log_warning_errno(r, "Failed to parse ACL \"%s\": %m. Ignoring", item->argument);
725 #else
726 log_warning_errno(ENOSYS, "ACLs are not supported. Ignoring");
727 #endif
728
729 return 0;
730 }
731
732 #ifdef HAVE_ACL
733 static int path_set_acl(const char *path, const char *pretty, acl_type_t type, acl_t acl, bool modify) {
734 _cleanup_(acl_free_charpp) char *t = NULL;
735 _cleanup_(acl_freep) acl_t dup = NULL;
736 int r;
737
738 /* Returns 0 for success, positive error if already warned,
739 * negative error otherwise. */
740
741 if (modify) {
742 r = acls_for_file(path, type, acl, &dup);
743 if (r < 0)
744 return r;
745
746 r = calc_acl_mask_if_needed(&dup);
747 if (r < 0)
748 return r;
749 } else {
750 dup = acl_dup(acl);
751 if (!dup)
752 return -errno;
753
754 /* the mask was already added earlier if needed */
755 }
756
757 r = add_base_acls_if_needed(&dup, path);
758 if (r < 0)
759 return r;
760
761 t = acl_to_any_text(dup, NULL, ',', TEXT_ABBREVIATE);
762 log_debug("Setting %s ACL %s on %s.",
763 type == ACL_TYPE_ACCESS ? "access" : "default",
764 strna(t), pretty);
765
766 r = acl_set_file(path, type, dup);
767 if (r < 0)
768 /* Return positive to indicate we already warned */
769 return -log_error_errno(errno,
770 "Setting %s ACL \"%s\" on %s failed: %m",
771 type == ACL_TYPE_ACCESS ? "access" : "default",
772 strna(t), pretty);
773
774 return 0;
775 }
776 #endif
777
778 static int path_set_acls(Item *item, const char *path) {
779 int r = 0;
780 #ifdef HAVE_ACL
781 char fn[strlen("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
782 _cleanup_close_ int fd = -1;
783 struct stat st;
784
785 assert(item);
786 assert(path);
787
788 fd = open(path, O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH|O_NOATIME);
789 if (fd < 0)
790 return log_error_errno(errno, "Adjusting ACL of %s failed: %m", path);
791
792 if (fstatat(fd, "", &st, AT_EMPTY_PATH) < 0)
793 return log_error_errno(errno, "Failed to fstat() file %s: %m", path);
794
795 if (S_ISLNK(st.st_mode)) {
796 log_debug("Skipping ACL fix for symlink %s.", path);
797 return 0;
798 }
799
800 xsprintf(fn, "/proc/self/fd/%i", fd);
801
802 if (item->acl_access)
803 r = path_set_acl(fn, path, ACL_TYPE_ACCESS, item->acl_access, item->force);
804
805 if (r == 0 && item->acl_default)
806 r = path_set_acl(fn, path, ACL_TYPE_DEFAULT, item->acl_default, item->force);
807
808 if (r > 0)
809 return -r; /* already warned */
810 else if (r == -EOPNOTSUPP) {
811 log_debug_errno(r, "ACLs not supported by file system at %s", path);
812 return 0;
813 } else if (r < 0)
814 log_error_errno(r, "ACL operation on \"%s\" failed: %m", path);
815 #endif
816 return r;
817 }
818
819 #define ATTRIBUTES_ALL \
820 (FS_NOATIME_FL | \
821 FS_SYNC_FL | \
822 FS_DIRSYNC_FL | \
823 FS_APPEND_FL | \
824 FS_COMPR_FL | \
825 FS_NODUMP_FL | \
826 FS_EXTENT_FL | \
827 FS_IMMUTABLE_FL | \
828 FS_JOURNAL_DATA_FL | \
829 FS_SECRM_FL | \
830 FS_UNRM_FL | \
831 FS_NOTAIL_FL | \
832 FS_TOPDIR_FL | \
833 FS_NOCOW_FL)
834
835 static int parse_attribute_from_arg(Item *item) {
836
837 static const struct {
838 char character;
839 unsigned value;
840 } attributes[] = {
841 { 'A', FS_NOATIME_FL }, /* do not update atime */
842 { 'S', FS_SYNC_FL }, /* Synchronous updates */
843 { 'D', FS_DIRSYNC_FL }, /* dirsync behaviour (directories only) */
844 { 'a', FS_APPEND_FL }, /* writes to file may only append */
845 { 'c', FS_COMPR_FL }, /* Compress file */
846 { 'd', FS_NODUMP_FL }, /* do not dump file */
847 { 'e', FS_EXTENT_FL }, /* Top of directory hierarchies*/
848 { 'i', FS_IMMUTABLE_FL }, /* Immutable file */
849 { 'j', FS_JOURNAL_DATA_FL }, /* Reserved for ext3 */
850 { 's', FS_SECRM_FL }, /* Secure deletion */
851 { 'u', FS_UNRM_FL }, /* Undelete */
852 { 't', FS_NOTAIL_FL }, /* file tail should not be merged */
853 { 'T', FS_TOPDIR_FL }, /* Top of directory hierarchies*/
854 { 'C', FS_NOCOW_FL }, /* Do not cow file */
855 };
856
857 enum {
858 MODE_ADD,
859 MODE_DEL,
860 MODE_SET
861 } mode = MODE_ADD;
862
863 unsigned value = 0, mask = 0;
864 const char *p;
865
866 assert(item);
867
868 p = item->argument;
869 if (p) {
870 if (*p == '+') {
871 mode = MODE_ADD;
872 p++;
873 } else if (*p == '-') {
874 mode = MODE_DEL;
875 p++;
876 } else if (*p == '=') {
877 mode = MODE_SET;
878 p++;
879 }
880 }
881
882 if (isempty(p) && mode != MODE_SET) {
883 log_error("Setting file attribute on '%s' needs an attribute specification.", item->path);
884 return -EINVAL;
885 }
886
887 for (; p && *p ; p++) {
888 unsigned i, v;
889
890 for (i = 0; i < ELEMENTSOF(attributes); i++)
891 if (*p == attributes[i].character)
892 break;
893
894 if (i >= ELEMENTSOF(attributes)) {
895 log_error("Unknown file attribute '%c' on '%s'.", *p, item->path);
896 return -EINVAL;
897 }
898
899 v = attributes[i].value;
900
901 if (mode == MODE_ADD || mode == MODE_SET)
902 value |= v;
903 else
904 value &= ~v;
905
906 mask |= v;
907 }
908
909 if (mode == MODE_SET)
910 mask |= ATTRIBUTES_ALL;
911
912 assert(mask != 0);
913
914 item->attribute_mask = mask;
915 item->attribute_value = value;
916 item->attribute_set = true;
917
918 return 0;
919 }
920
921 static int path_set_attribute(Item *item, const char *path) {
922 _cleanup_close_ int fd = -1;
923 struct stat st;
924 unsigned f;
925 int r;
926
927 if (!item->attribute_set || item->attribute_mask == 0)
928 return 0;
929
930 fd = open(path, O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_NOATIME|O_NOFOLLOW);
931 if (fd < 0) {
932 if (errno == ELOOP)
933 return log_error_errno(errno, "Skipping file attributes adjustment on symlink %s.", path);
934
935 return log_error_errno(errno, "Cannot open '%s': %m", path);
936 }
937
938 if (fstat(fd, &st) < 0)
939 return log_error_errno(errno, "Cannot stat '%s': %m", path);
940
941 /* Issuing the file attribute ioctls on device nodes is not
942 * safe, as that will be delivered to the drivers, not the
943 * file system containing the device node. */
944 if (!S_ISREG(st.st_mode) && !S_ISDIR(st.st_mode)) {
945 log_error("Setting file flags is only supported on regular files and directories, cannot set on '%s'.", path);
946 return -EINVAL;
947 }
948
949 f = item->attribute_value & item->attribute_mask;
950
951 /* Mask away directory-specific flags */
952 if (!S_ISDIR(st.st_mode))
953 f &= ~FS_DIRSYNC_FL;
954
955 r = chattr_fd(fd, f, item->attribute_mask);
956 if (r < 0)
957 return log_error_errno(r,
958 "Cannot set file attribute for '%s', value=0x%08x, mask=0x%08x: %m",
959 path, item->attribute_value, item->attribute_mask);
960
961 return 0;
962 }
963
964 static int write_one_file(Item *i, const char *path) {
965 _cleanup_close_ int fd = -1;
966 int flags, r = 0;
967 struct stat st;
968
969 assert(i);
970 assert(path);
971
972 flags = i->type == CREATE_FILE ? O_CREAT|O_APPEND|O_NOFOLLOW :
973 i->type == TRUNCATE_FILE ? O_CREAT|O_TRUNC|O_NOFOLLOW : 0;
974
975 RUN_WITH_UMASK(0000) {
976 mac_selinux_create_file_prepare(path, S_IFREG);
977 fd = open(path, flags|O_NDELAY|O_CLOEXEC|O_WRONLY|O_NOCTTY, i->mode);
978 mac_selinux_create_file_clear();
979 }
980
981 if (fd < 0) {
982 if (i->type == WRITE_FILE && errno == ENOENT) {
983 log_debug_errno(errno, "Not writing \"%s\": %m", path);
984 return 0;
985 }
986
987 log_error_errno(errno, "Failed to create file %s: %m", path);
988 return -errno;
989 }
990
991 if (i->argument) {
992 _cleanup_free_ char *unescaped = NULL, *replaced = NULL;
993
994 log_debug("%s to \"%s\".", i->type == CREATE_FILE ? "Appending" : "Writing", path);
995
996 r = cunescape(i->argument, 0, &unescaped);
997 if (r < 0)
998 return log_error_errno(r, "Failed to unescape parameter to write: %s", i->argument);
999
1000 r = specifier_printf(unescaped, specifier_table, NULL, &replaced);
1001 if (r < 0)
1002 return log_error_errno(r, "Failed to replace specifiers in parameter to write '%s': %m", unescaped);
1003
1004 r = loop_write(fd, replaced, strlen(replaced), false);
1005 if (r < 0)
1006 return log_error_errno(r, "Failed to write file \"%s\": %m", path);
1007 } else
1008 log_debug("\"%s\" has been created.", path);
1009
1010 fd = safe_close(fd);
1011
1012 if (stat(path, &st) < 0)
1013 return log_error_errno(errno, "stat(%s) failed: %m", path);
1014
1015 if (!S_ISREG(st.st_mode)) {
1016 log_error("%s is not a file.", path);
1017 return -EEXIST;
1018 }
1019
1020 r = path_set_perms(i, path);
1021 if (r < 0)
1022 return r;
1023
1024 return 0;
1025 }
1026
1027 typedef int (*action_t)(Item *, const char *);
1028
1029 static int item_do_children(Item *i, const char *path, action_t action) {
1030 _cleanup_closedir_ DIR *d;
1031 int r = 0;
1032
1033 assert(i);
1034 assert(path);
1035
1036 /* This returns the first error we run into, but nevertheless
1037 * tries to go on */
1038
1039 d = opendir_nomod(path);
1040 if (!d)
1041 return errno == ENOENT || errno == ENOTDIR ? 0 : -errno;
1042
1043 for (;;) {
1044 _cleanup_free_ char *p = NULL;
1045 struct dirent *de;
1046 int q;
1047
1048 errno = 0;
1049 de = readdir(d);
1050 if (!de) {
1051 if (errno != 0 && r == 0)
1052 r = -errno;
1053
1054 break;
1055 }
1056
1057 if (STR_IN_SET(de->d_name, ".", ".."))
1058 continue;
1059
1060 p = strjoin(path, "/", de->d_name, NULL);
1061 if (!p)
1062 return -ENOMEM;
1063
1064 q = action(i, p);
1065 if (q < 0 && q != -ENOENT && r == 0)
1066 r = q;
1067
1068 if (IN_SET(de->d_type, DT_UNKNOWN, DT_DIR)) {
1069 q = item_do_children(i, p, action);
1070 if (q < 0 && r == 0)
1071 r = q;
1072 }
1073 }
1074
1075 return r;
1076 }
1077
1078 static int glob_item(Item *i, action_t action, bool recursive) {
1079 _cleanup_globfree_ glob_t g = {
1080 .gl_closedir = (void (*)(void *)) closedir,
1081 .gl_readdir = (struct dirent *(*)(void *)) readdir,
1082 .gl_opendir = (void *(*)(const char *)) opendir_nomod,
1083 .gl_lstat = lstat,
1084 .gl_stat = stat,
1085 };
1086 int r = 0, k;
1087 char **fn;
1088
1089 errno = 0;
1090 k = glob(i->path, GLOB_NOSORT|GLOB_BRACE|GLOB_ALTDIRFUNC, NULL, &g);
1091 if (k != 0 && k != GLOB_NOMATCH)
1092 return log_error_errno(errno ?: EIO, "glob(%s) failed: %m", i->path);
1093
1094 STRV_FOREACH(fn, g.gl_pathv) {
1095 k = action(i, *fn);
1096 if (k < 0 && r == 0)
1097 r = k;
1098
1099 if (recursive) {
1100 k = item_do_children(i, *fn, action);
1101 if (k < 0 && r == 0)
1102 r = k;
1103 }
1104 }
1105
1106 return r;
1107 }
1108
1109 typedef enum {
1110 CREATION_NORMAL,
1111 CREATION_EXISTING,
1112 CREATION_FORCE,
1113 _CREATION_MODE_MAX,
1114 _CREATION_MODE_INVALID = -1
1115 } CreationMode;
1116
1117 static const char *creation_mode_verb_table[_CREATION_MODE_MAX] = {
1118 [CREATION_NORMAL] = "Created",
1119 [CREATION_EXISTING] = "Found existing",
1120 [CREATION_FORCE] = "Created replacement",
1121 };
1122
1123 DEFINE_PRIVATE_STRING_TABLE_LOOKUP_TO_STRING(creation_mode_verb, CreationMode);
1124
1125 static int create_item(Item *i) {
1126 _cleanup_free_ char *resolved = NULL;
1127 struct stat st;
1128 int r = 0;
1129 CreationMode creation;
1130
1131 assert(i);
1132
1133 log_debug("Running create action for entry %c %s", (char) i->type, i->path);
1134
1135 switch (i->type) {
1136
1137 case IGNORE_PATH:
1138 case IGNORE_DIRECTORY_PATH:
1139 case REMOVE_PATH:
1140 case RECURSIVE_REMOVE_PATH:
1141 return 0;
1142
1143 case CREATE_FILE:
1144 case TRUNCATE_FILE:
1145 r = write_one_file(i, i->path);
1146 if (r < 0)
1147 return r;
1148 break;
1149
1150 case COPY_FILES: {
1151 r = specifier_printf(i->argument, specifier_table, NULL, &resolved);
1152 if (r < 0)
1153 return log_error_errno(r, "Failed to substitute specifiers in copy source %s: %m", i->argument);
1154
1155 log_debug("Copying tree \"%s\" to \"%s\".", resolved, i->path);
1156 r = copy_tree(resolved, i->path, false);
1157 if (r < 0) {
1158 struct stat a, b;
1159
1160 if (r != -EEXIST)
1161 return log_error_errno(r, "Failed to copy files to %s: %m", i->path);
1162
1163 if (stat(resolved, &a) < 0)
1164 return log_error_errno(errno, "stat(%s) failed: %m", resolved);
1165
1166 if (stat(i->path, &b) < 0)
1167 return log_error_errno(errno, "stat(%s) failed: %m", i->path);
1168
1169 if ((a.st_mode ^ b.st_mode) & S_IFMT) {
1170 log_debug("Can't copy to %s, file exists already and is of different type", i->path);
1171 return 0;
1172 }
1173 }
1174
1175 r = path_set_perms(i, i->path);
1176 if (r < 0)
1177 return r;
1178
1179 break;
1180
1181 case WRITE_FILE:
1182 r = glob_item(i, write_one_file, false);
1183 if (r < 0)
1184 return r;
1185
1186 break;
1187
1188 case CREATE_DIRECTORY:
1189 case TRUNCATE_DIRECTORY:
1190 case CREATE_SUBVOLUME:
1191
1192 RUN_WITH_UMASK(0000)
1193 mkdir_parents_label(i->path, 0755);
1194
1195 if (i->type == CREATE_SUBVOLUME)
1196 RUN_WITH_UMASK((~i->mode) & 0777) {
1197 r = btrfs_subvol_make(i->path);
1198 log_debug_errno(r, "Creating subvolume \"%s\": %m", i->path);
1199 }
1200 else
1201 r = 0;
1202
1203 if (IN_SET(i->type, CREATE_DIRECTORY, TRUNCATE_DIRECTORY) || r == -ENOTTY)
1204 RUN_WITH_UMASK(0000)
1205 r = mkdir_label(i->path, i->mode);
1206
1207 if (r < 0) {
1208 if (r != -EEXIST)
1209 return log_error_errno(r, "Failed to create directory or subvolume \"%s\": %m", i->path);
1210
1211 if (stat(i->path, &st) < 0)
1212 return log_error_errno(errno, "stat(%s) failed: %m", i->path);
1213
1214 if (!S_ISDIR(st.st_mode)) {
1215 log_debug("\"%s\" already exists and is not a directory.", i->path);
1216 return 0;
1217 }
1218
1219 creation = CREATION_EXISTING;
1220 } else
1221 creation = CREATION_NORMAL;
1222 log_debug("%s directory \"%s\".", creation_mode_verb_to_string(creation), i->path);
1223
1224 r = path_set_perms(i, i->path);
1225 if (r < 0)
1226 return r;
1227
1228 break;
1229
1230 case CREATE_FIFO:
1231
1232 RUN_WITH_UMASK(0000) {
1233 mac_selinux_create_file_prepare(i->path, S_IFIFO);
1234 r = mkfifo(i->path, i->mode);
1235 mac_selinux_create_file_clear();
1236 }
1237
1238 if (r < 0) {
1239 if (errno != EEXIST)
1240 return log_error_errno(errno, "Failed to create fifo %s: %m", i->path);
1241
1242 if (stat(i->path, &st) < 0)
1243 return log_error_errno(errno, "stat(%s) failed: %m", i->path);
1244
1245 if (!S_ISFIFO(st.st_mode)) {
1246
1247 if (i->force) {
1248
1249 RUN_WITH_UMASK(0000) {
1250 mac_selinux_create_file_prepare(i->path, S_IFIFO);
1251 r = mkfifo_atomic(i->path, i->mode);
1252 mac_selinux_create_file_clear();
1253 }
1254
1255 if (r < 0)
1256 return log_error_errno(r, "Failed to create fifo %s: %m", i->path);
1257 creation = CREATION_FORCE;
1258 } else {
1259 log_debug("%s is not a fifo.", i->path);
1260 return 0;
1261 }
1262 } else
1263 creation = CREATION_EXISTING;
1264 } else
1265 creation = CREATION_NORMAL;
1266 log_debug("%s fifo \"%s\".", creation_mode_verb_to_string(creation), i->path);
1267
1268 r = path_set_perms(i, i->path);
1269 if (r < 0)
1270 return r;
1271
1272 break;
1273 }
1274
1275 case CREATE_SYMLINK: {
1276 r = specifier_printf(i->argument, specifier_table, NULL, &resolved);
1277 if (r < 0)
1278 return log_error_errno(r, "Failed to substitute specifiers in symlink target %s: %m", i->argument);
1279
1280 mac_selinux_create_file_prepare(i->path, S_IFLNK);
1281 r = symlink(resolved, i->path);
1282 mac_selinux_create_file_clear();
1283
1284 if (r < 0) {
1285 _cleanup_free_ char *x = NULL;
1286
1287 if (errno != EEXIST)
1288 return log_error_errno(errno, "symlink(%s, %s) failed: %m", resolved, i->path);
1289
1290 r = readlink_malloc(i->path, &x);
1291 if (r < 0 || !streq(resolved, x)) {
1292
1293 if (i->force) {
1294 mac_selinux_create_file_prepare(i->path, S_IFLNK);
1295 r = symlink_atomic(resolved, i->path);
1296 mac_selinux_create_file_clear();
1297
1298 if (r < 0)
1299 return log_error_errno(r, "symlink(%s, %s) failed: %m", resolved, i->path);
1300 creation = CREATION_FORCE;
1301 } else {
1302 log_debug("\"%s\" is not a symlink or does not point to the correct path.", i->path);
1303 return 0;
1304 }
1305 } else
1306 creation = CREATION_EXISTING;
1307 } else
1308 creation = CREATION_NORMAL;
1309 log_debug("%s symlink \"%s\".", creation_mode_verb_to_string(creation), i->path);
1310
1311 break;
1312 }
1313
1314 case CREATE_BLOCK_DEVICE:
1315 case CREATE_CHAR_DEVICE: {
1316 mode_t file_type;
1317
1318 if (have_effective_cap(CAP_MKNOD) == 0) {
1319 /* In a container we lack CAP_MKNOD. We
1320 shouldn't attempt to create the device node in
1321 that case to avoid noise, and we don't support
1322 virtualized devices in containers anyway. */
1323
1324 log_debug("We lack CAP_MKNOD, skipping creation of device node %s.", i->path);
1325 return 0;
1326 }
1327
1328 file_type = i->type == CREATE_BLOCK_DEVICE ? S_IFBLK : S_IFCHR;
1329
1330 RUN_WITH_UMASK(0000) {
1331 mac_selinux_create_file_prepare(i->path, file_type);
1332 r = mknod(i->path, i->mode | file_type, i->major_minor);
1333 mac_selinux_create_file_clear();
1334 }
1335
1336 if (r < 0) {
1337 if (errno == EPERM) {
1338 log_debug("We lack permissions, possibly because of cgroup configuration; "
1339 "skipping creation of device node %s.", i->path);
1340 return 0;
1341 }
1342
1343 if (errno != EEXIST)
1344 return log_error_errno(errno, "Failed to create device node %s: %m", i->path);
1345
1346 if (stat(i->path, &st) < 0)
1347 return log_error_errno(errno, "stat(%s) failed: %m", i->path);
1348
1349 if ((st.st_mode & S_IFMT) != file_type) {
1350
1351 if (i->force) {
1352
1353 RUN_WITH_UMASK(0000) {
1354 mac_selinux_create_file_prepare(i->path, file_type);
1355 r = mknod_atomic(i->path, i->mode | file_type, i->major_minor);
1356 mac_selinux_create_file_clear();
1357 }
1358
1359 if (r < 0)
1360 return log_error_errno(r, "Failed to create device node \"%s\": %m", i->path);
1361 creation = CREATION_FORCE;
1362 } else {
1363 log_debug("%s is not a device node.", i->path);
1364 return 0;
1365 }
1366 } else
1367 creation = CREATION_EXISTING;
1368 } else
1369 creation = CREATION_NORMAL;
1370 log_debug("%s %s device node \"%s\" %u:%u.",
1371 creation_mode_verb_to_string(creation),
1372 i->type == CREATE_BLOCK_DEVICE ? "block" : "char",
1373 i->path, major(i->mode), minor(i->mode));
1374
1375 r = path_set_perms(i, i->path);
1376 if (r < 0)
1377 return r;
1378
1379 break;
1380 }
1381
1382 case ADJUST_MODE:
1383 case RELABEL_PATH:
1384 r = glob_item(i, path_set_perms, false);
1385 if (r < 0)
1386 return r;
1387 break;
1388
1389 case RECURSIVE_RELABEL_PATH:
1390 r = glob_item(i, path_set_perms, true);
1391 if (r < 0)
1392 return r;
1393 break;
1394
1395 case SET_XATTR:
1396 r = glob_item(i, path_set_xattrs, false);
1397 if (r < 0)
1398 return r;
1399 break;
1400
1401 case RECURSIVE_SET_XATTR:
1402 r = glob_item(i, path_set_xattrs, true);
1403 if (r < 0)
1404 return r;
1405 break;
1406
1407 case SET_ACL:
1408 r = glob_item(i, path_set_acls, false);
1409 if (r < 0)
1410 return r;
1411 break;
1412
1413 case RECURSIVE_SET_ACL:
1414 r = glob_item(i, path_set_acls, true);
1415 if (r < 0)
1416 return r;
1417 break;
1418
1419 case SET_ATTRIBUTE:
1420 r = glob_item(i, path_set_attribute, false);
1421 if (r < 0)
1422 return r;
1423 break;
1424
1425 case RECURSIVE_SET_ATTRIBUTE:
1426 r = glob_item(i, path_set_attribute, true);
1427 if (r < 0)
1428 return r;
1429 break;
1430 }
1431
1432 return 0;
1433 }
1434
1435 static int remove_item_instance(Item *i, const char *instance) {
1436 int r;
1437
1438 assert(i);
1439
1440 switch (i->type) {
1441
1442 case REMOVE_PATH:
1443 if (remove(instance) < 0 && errno != ENOENT)
1444 return log_error_errno(errno, "rm(%s): %m", instance);
1445
1446 break;
1447
1448 case TRUNCATE_DIRECTORY:
1449 case RECURSIVE_REMOVE_PATH:
1450 /* FIXME: we probably should use dir_cleanup() here
1451 * instead of rm_rf() so that 'x' is honoured. */
1452 log_debug("rm -rf \"%s\"", instance);
1453 r = rm_rf(instance, (i->type == RECURSIVE_REMOVE_PATH ? REMOVE_ROOT : 0) | REMOVE_PHYSICAL);
1454 if (r < 0 && r != -ENOENT)
1455 return log_error_errno(r, "rm_rf(%s): %m", instance);
1456
1457 break;
1458
1459 default:
1460 assert_not_reached("wut?");
1461 }
1462
1463 return 0;
1464 }
1465
1466 static int remove_item(Item *i) {
1467 int r = 0;
1468
1469 assert(i);
1470
1471 log_debug("Running remove action for entry %c %s", (char) i->type, i->path);
1472
1473 switch (i->type) {
1474
1475 case CREATE_FILE:
1476 case TRUNCATE_FILE:
1477 case CREATE_DIRECTORY:
1478 case CREATE_SUBVOLUME:
1479 case CREATE_FIFO:
1480 case CREATE_SYMLINK:
1481 case CREATE_CHAR_DEVICE:
1482 case CREATE_BLOCK_DEVICE:
1483 case IGNORE_PATH:
1484 case IGNORE_DIRECTORY_PATH:
1485 case ADJUST_MODE:
1486 case RELABEL_PATH:
1487 case RECURSIVE_RELABEL_PATH:
1488 case WRITE_FILE:
1489 case COPY_FILES:
1490 case SET_XATTR:
1491 case RECURSIVE_SET_XATTR:
1492 case SET_ACL:
1493 case RECURSIVE_SET_ACL:
1494 case SET_ATTRIBUTE:
1495 case RECURSIVE_SET_ATTRIBUTE:
1496 break;
1497
1498 case REMOVE_PATH:
1499 case TRUNCATE_DIRECTORY:
1500 case RECURSIVE_REMOVE_PATH:
1501 r = glob_item(i, remove_item_instance, false);
1502 break;
1503 }
1504
1505 return r;
1506 }
1507
1508 static int clean_item_instance(Item *i, const char* instance) {
1509 _cleanup_closedir_ DIR *d = NULL;
1510 struct stat s, ps;
1511 bool mountpoint;
1512 usec_t cutoff, n;
1513 char timestamp[FORMAT_TIMESTAMP_MAX];
1514
1515 assert(i);
1516
1517 if (!i->age_set)
1518 return 0;
1519
1520 n = now(CLOCK_REALTIME);
1521 if (n < i->age)
1522 return 0;
1523
1524 cutoff = n - i->age;
1525
1526 d = opendir_nomod(instance);
1527 if (!d) {
1528 if (errno == ENOENT || errno == ENOTDIR) {
1529 log_debug_errno(errno, "Directory \"%s\": %m", instance);
1530 return 0;
1531 }
1532
1533 log_error_errno(errno, "Failed to open directory %s: %m", instance);
1534 return -errno;
1535 }
1536
1537 if (fstat(dirfd(d), &s) < 0)
1538 return log_error_errno(errno, "stat(%s) failed: %m", i->path);
1539
1540 if (!S_ISDIR(s.st_mode)) {
1541 log_error("%s is not a directory.", i->path);
1542 return -ENOTDIR;
1543 }
1544
1545 if (fstatat(dirfd(d), "..", &ps, AT_SYMLINK_NOFOLLOW) != 0)
1546 return log_error_errno(errno, "stat(%s/..) failed: %m", i->path);
1547
1548 mountpoint = s.st_dev != ps.st_dev ||
1549 (s.st_dev == ps.st_dev && s.st_ino == ps.st_ino);
1550
1551 log_debug("Cleanup threshold for %s \"%s\" is %s",
1552 mountpoint ? "mount point" : "directory",
1553 instance,
1554 format_timestamp_us(timestamp, sizeof(timestamp), cutoff));
1555
1556 return dir_cleanup(i, instance, d, &s, cutoff, s.st_dev, mountpoint,
1557 MAX_DEPTH, i->keep_first_level);
1558 }
1559
1560 static int clean_item(Item *i) {
1561 int r = 0;
1562
1563 assert(i);
1564
1565 log_debug("Running clean action for entry %c %s", (char) i->type, i->path);
1566
1567 switch (i->type) {
1568 case CREATE_DIRECTORY:
1569 case CREATE_SUBVOLUME:
1570 case TRUNCATE_DIRECTORY:
1571 case IGNORE_PATH:
1572 case COPY_FILES:
1573 clean_item_instance(i, i->path);
1574 break;
1575 case IGNORE_DIRECTORY_PATH:
1576 r = glob_item(i, clean_item_instance, false);
1577 break;
1578 default:
1579 break;
1580 }
1581
1582 return r;
1583 }
1584
1585 static int process_item_array(ItemArray *array);
1586
1587 static int process_item(Item *i) {
1588 int r, q, p, t = 0;
1589 _cleanup_free_ char *prefix = NULL;
1590
1591 assert(i);
1592
1593 if (i->done)
1594 return 0;
1595
1596 i->done = true;
1597
1598 prefix = malloc(strlen(i->path) + 1);
1599 if (!prefix)
1600 return log_oom();
1601
1602 PATH_FOREACH_PREFIX(prefix, i->path) {
1603 ItemArray *j;
1604
1605 j = hashmap_get(items, prefix);
1606 if (j) {
1607 int s;
1608
1609 s = process_item_array(j);
1610 if (s < 0 && t == 0)
1611 t = s;
1612 }
1613 }
1614
1615 r = arg_create ? create_item(i) : 0;
1616 q = arg_remove ? remove_item(i) : 0;
1617 p = arg_clean ? clean_item(i) : 0;
1618
1619 return t < 0 ? t :
1620 r < 0 ? r :
1621 q < 0 ? q :
1622 p;
1623 }
1624
1625 static int process_item_array(ItemArray *array) {
1626 unsigned n;
1627 int r = 0, k;
1628
1629 assert(array);
1630
1631 for (n = 0; n < array->count; n++) {
1632 k = process_item(array->items + n);
1633 if (k < 0 && r == 0)
1634 r = k;
1635 }
1636
1637 return r;
1638 }
1639
1640 static void item_free_contents(Item *i) {
1641 assert(i);
1642 free(i->path);
1643 free(i->argument);
1644 strv_free(i->xattrs);
1645
1646 #ifdef HAVE_ACL
1647 acl_free(i->acl_access);
1648 acl_free(i->acl_default);
1649 #endif
1650 }
1651
1652 static void item_array_free(ItemArray *a) {
1653 unsigned n;
1654
1655 if (!a)
1656 return;
1657
1658 for (n = 0; n < a->count; n++)
1659 item_free_contents(a->items + n);
1660 free(a->items);
1661 free(a);
1662 }
1663
1664 static int item_compare(const void *a, const void *b) {
1665 const Item *x = a, *y = b;
1666
1667 /* Make sure that the ownership taking item is put first, so
1668 * that we first create the node, and then can adjust it */
1669
1670 if (takes_ownership(x->type) && !takes_ownership(y->type))
1671 return -1;
1672 if (!takes_ownership(x->type) && takes_ownership(y->type))
1673 return 1;
1674
1675 return (int) x->type - (int) y->type;
1676 }
1677
1678 static bool item_compatible(Item *a, Item *b) {
1679 assert(a);
1680 assert(b);
1681 assert(streq(a->path, b->path));
1682
1683 if (takes_ownership(a->type) && takes_ownership(b->type))
1684 /* check if the items are the same */
1685 return streq_ptr(a->argument, b->argument) &&
1686
1687 a->uid_set == b->uid_set &&
1688 a->uid == b->uid &&
1689
1690 a->gid_set == b->gid_set &&
1691 a->gid == b->gid &&
1692
1693 a->mode_set == b->mode_set &&
1694 a->mode == b->mode &&
1695
1696 a->age_set == b->age_set &&
1697 a->age == b->age &&
1698
1699 a->mask_perms == b->mask_perms &&
1700
1701 a->keep_first_level == b->keep_first_level &&
1702
1703 a->major_minor == b->major_minor;
1704
1705 return true;
1706 }
1707
1708 static bool should_include_path(const char *path) {
1709 char **prefix;
1710
1711 STRV_FOREACH(prefix, arg_exclude_prefixes)
1712 if (path_startswith(path, *prefix)) {
1713 log_debug("Entry \"%s\" matches exclude prefix \"%s\", skipping.",
1714 path, *prefix);
1715 return false;
1716 }
1717
1718 STRV_FOREACH(prefix, arg_include_prefixes)
1719 if (path_startswith(path, *prefix)) {
1720 log_debug("Entry \"%s\" matches include prefix \"%s\".", path, *prefix);
1721 return true;
1722 }
1723
1724 /* no matches, so we should include this path only if we
1725 * have no whitelist at all */
1726 if (strv_length(arg_include_prefixes) == 0)
1727 return true;
1728
1729 log_debug("Entry \"%s\" does not match any include prefix, skipping.", path);
1730 return false;
1731 }
1732
1733 static int parse_line(const char *fname, unsigned line, const char *buffer) {
1734
1735 _cleanup_free_ char *action = NULL, *mode = NULL, *user = NULL, *group = NULL, *age = NULL, *path = NULL;
1736 _cleanup_(item_free_contents) Item i = {};
1737 ItemArray *existing;
1738 Hashmap *h;
1739 int r, pos;
1740 bool force = false, boot = false;
1741
1742 assert(fname);
1743 assert(line >= 1);
1744 assert(buffer);
1745
1746 r = unquote_many_words(
1747 &buffer,
1748 0,
1749 &action,
1750 &path,
1751 &mode,
1752 &user,
1753 &group,
1754 &age,
1755 NULL);
1756 if (r < 0)
1757 return log_error_errno(r, "[%s:%u] Failed to parse line: %m", fname, line);
1758 else if (r < 2) {
1759 log_error("[%s:%u] Syntax error.", fname, line);
1760 return -EIO;
1761 }
1762
1763 if (!isempty(buffer) && !streq(buffer, "-")) {
1764 i.argument = strdup(buffer);
1765 if (!i.argument)
1766 return log_oom();
1767 }
1768
1769 if (isempty(action)) {
1770 log_error("[%s:%u] Command too short '%s'.", fname, line, action);
1771 return -EINVAL;
1772 }
1773
1774 for (pos = 1; action[pos]; pos++) {
1775 if (action[pos] == '!' && !boot)
1776 boot = true;
1777 else if (action[pos] == '+' && !force)
1778 force = true;
1779 else {
1780 log_error("[%s:%u] Unknown modifiers in command '%s'",
1781 fname, line, action);
1782 return -EINVAL;
1783 }
1784 }
1785
1786 if (boot && !arg_boot) {
1787 log_debug("Ignoring entry %s \"%s\" because --boot is not specified.",
1788 action, path);
1789 return 0;
1790 }
1791
1792 i.type = action[0];
1793 i.force = force;
1794
1795 r = specifier_printf(path, specifier_table, NULL, &i.path);
1796 if (r < 0) {
1797 log_error("[%s:%u] Failed to replace specifiers: %s", fname, line, path);
1798 return r;
1799 }
1800
1801 switch (i.type) {
1802
1803 case CREATE_DIRECTORY:
1804 case CREATE_SUBVOLUME:
1805 case TRUNCATE_DIRECTORY:
1806 case CREATE_FIFO:
1807 case IGNORE_PATH:
1808 case IGNORE_DIRECTORY_PATH:
1809 case REMOVE_PATH:
1810 case RECURSIVE_REMOVE_PATH:
1811 case ADJUST_MODE:
1812 case RELABEL_PATH:
1813 case RECURSIVE_RELABEL_PATH:
1814 if (i.argument)
1815 log_warning("[%s:%u] %c lines don't take argument fields, ignoring.", fname, line, i.type);
1816
1817 break;
1818
1819 case CREATE_FILE:
1820 case TRUNCATE_FILE:
1821 break;
1822
1823 case CREATE_SYMLINK:
1824 if (!i.argument) {
1825 i.argument = strappend("/usr/share/factory/", i.path);
1826 if (!i.argument)
1827 return log_oom();
1828 }
1829 break;
1830
1831 case WRITE_FILE:
1832 if (!i.argument) {
1833 log_error("[%s:%u] Write file requires argument.", fname, line);
1834 return -EBADMSG;
1835 }
1836 break;
1837
1838 case COPY_FILES:
1839 if (!i.argument) {
1840 i.argument = strappend("/usr/share/factory/", i.path);
1841 if (!i.argument)
1842 return log_oom();
1843 } else if (!path_is_absolute(i.argument)) {
1844 log_error("[%s:%u] Source path is not absolute.", fname, line);
1845 return -EBADMSG;
1846 }
1847
1848 path_kill_slashes(i.argument);
1849 break;
1850
1851 case CREATE_CHAR_DEVICE:
1852 case CREATE_BLOCK_DEVICE: {
1853 unsigned major, minor;
1854
1855 if (!i.argument) {
1856 log_error("[%s:%u] Device file requires argument.", fname, line);
1857 return -EBADMSG;
1858 }
1859
1860 if (sscanf(i.argument, "%u:%u", &major, &minor) != 2) {
1861 log_error("[%s:%u] Can't parse device file major/minor '%s'.", fname, line, i.argument);
1862 return -EBADMSG;
1863 }
1864
1865 i.major_minor = makedev(major, minor);
1866 break;
1867 }
1868
1869 case SET_XATTR:
1870 case RECURSIVE_SET_XATTR:
1871 if (!i.argument) {
1872 log_error("[%s:%u] Set extended attribute requires argument.", fname, line);
1873 return -EBADMSG;
1874 }
1875 r = parse_xattrs_from_arg(&i);
1876 if (r < 0)
1877 return r;
1878 break;
1879
1880 case SET_ACL:
1881 case RECURSIVE_SET_ACL:
1882 if (!i.argument) {
1883 log_error("[%s:%u] Set ACLs requires argument.", fname, line);
1884 return -EBADMSG;
1885 }
1886 r = parse_acls_from_arg(&i);
1887 if (r < 0)
1888 return r;
1889 break;
1890
1891 case SET_ATTRIBUTE:
1892 case RECURSIVE_SET_ATTRIBUTE:
1893 if (!i.argument) {
1894 log_error("[%s:%u] Set file attribute requires argument.", fname, line);
1895 return -EBADMSG;
1896 }
1897 r = parse_attribute_from_arg(&i);
1898 if (r < 0)
1899 return r;
1900 break;
1901
1902 default:
1903 log_error("[%s:%u] Unknown command type '%c'.", fname, line, (char) i.type);
1904 return -EBADMSG;
1905 }
1906
1907 if (!path_is_absolute(i.path)) {
1908 log_error("[%s:%u] Path '%s' not absolute.", fname, line, i.path);
1909 return -EBADMSG;
1910 }
1911
1912 path_kill_slashes(i.path);
1913
1914 if (!should_include_path(i.path))
1915 return 0;
1916
1917 if (arg_root) {
1918 char *p;
1919
1920 p = strappend(arg_root, i.path);
1921 if (!p)
1922 return log_oom();
1923
1924 free(i.path);
1925 i.path = p;
1926 }
1927
1928 if (!isempty(user) && !streq(user, "-")) {
1929 const char *u = user;
1930
1931 r = get_user_creds(&u, &i.uid, NULL, NULL, NULL);
1932 if (r < 0) {
1933 log_error("[%s:%u] Unknown user '%s'.", fname, line, user);
1934 return r;
1935 }
1936
1937 i.uid_set = true;
1938 }
1939
1940 if (!isempty(group) && !streq(group, "-")) {
1941 const char *g = group;
1942
1943 r = get_group_creds(&g, &i.gid);
1944 if (r < 0) {
1945 log_error("[%s:%u] Unknown group '%s'.", fname, line, group);
1946 return r;
1947 }
1948
1949 i.gid_set = true;
1950 }
1951
1952 if (!isempty(mode) && !streq(mode, "-")) {
1953 const char *mm = mode;
1954 unsigned m;
1955
1956 if (*mm == '~') {
1957 i.mask_perms = true;
1958 mm++;
1959 }
1960
1961 if (parse_mode(mm, &m) < 0) {
1962 log_error("[%s:%u] Invalid mode '%s'.", fname, line, mode);
1963 return -EBADMSG;
1964 }
1965
1966 i.mode = m;
1967 i.mode_set = true;
1968 } else
1969 i.mode = IN_SET(i.type, CREATE_DIRECTORY, CREATE_SUBVOLUME, TRUNCATE_DIRECTORY)
1970 ? 0755 : 0644;
1971
1972 if (!isempty(age) && !streq(age, "-")) {
1973 const char *a = age;
1974
1975 if (*a == '~') {
1976 i.keep_first_level = true;
1977 a++;
1978 }
1979
1980 if (parse_sec(a, &i.age) < 0) {
1981 log_error("[%s:%u] Invalid age '%s'.", fname, line, age);
1982 return -EBADMSG;
1983 }
1984
1985 i.age_set = true;
1986 }
1987
1988 h = needs_glob(i.type) ? globs : items;
1989
1990 existing = hashmap_get(h, i.path);
1991 if (existing) {
1992 unsigned n;
1993
1994 for (n = 0; n < existing->count; n++) {
1995 if (!item_compatible(existing->items + n, &i)) {
1996 log_warning("[%s:%u] Duplicate line for path \"%s\", ignoring.",
1997 fname, line, i.path);
1998 return 0;
1999 }
2000 }
2001 } else {
2002 existing = new0(ItemArray, 1);
2003 r = hashmap_put(h, i.path, existing);
2004 if (r < 0)
2005 return log_oom();
2006 }
2007
2008 if (!GREEDY_REALLOC(existing->items, existing->size, existing->count + 1))
2009 return log_oom();
2010
2011 memcpy(existing->items + existing->count++, &i, sizeof(i));
2012
2013 /* Sort item array, to enforce stable ordering of application */
2014 qsort_safe(existing->items, existing->count, sizeof(Item), item_compare);
2015
2016 zero(i);
2017 return 0;
2018 }
2019
2020 static void help(void) {
2021 printf("%s [OPTIONS...] [CONFIGURATION FILE...]\n\n"
2022 "Creates, deletes and cleans up volatile and temporary files and directories.\n\n"
2023 " -h --help Show this help\n"
2024 " --version Show package version\n"
2025 " --create Create marked files/directories\n"
2026 " --clean Clean up marked directories\n"
2027 " --remove Remove marked files/directories\n"
2028 " --boot Execute actions only safe at boot\n"
2029 " --prefix=PATH Only apply rules with the specified prefix\n"
2030 " --exclude-prefix=PATH Ignore rules with the specified prefix\n"
2031 " --root=PATH Operate on an alternate filesystem root\n",
2032 program_invocation_short_name);
2033 }
2034
2035 static int parse_argv(int argc, char *argv[]) {
2036
2037 enum {
2038 ARG_VERSION = 0x100,
2039 ARG_CREATE,
2040 ARG_CLEAN,
2041 ARG_REMOVE,
2042 ARG_BOOT,
2043 ARG_PREFIX,
2044 ARG_EXCLUDE_PREFIX,
2045 ARG_ROOT,
2046 };
2047
2048 static const struct option options[] = {
2049 { "help", no_argument, NULL, 'h' },
2050 { "version", no_argument, NULL, ARG_VERSION },
2051 { "create", no_argument, NULL, ARG_CREATE },
2052 { "clean", no_argument, NULL, ARG_CLEAN },
2053 { "remove", no_argument, NULL, ARG_REMOVE },
2054 { "boot", no_argument, NULL, ARG_BOOT },
2055 { "prefix", required_argument, NULL, ARG_PREFIX },
2056 { "exclude-prefix", required_argument, NULL, ARG_EXCLUDE_PREFIX },
2057 { "root", required_argument, NULL, ARG_ROOT },
2058 {}
2059 };
2060
2061 int c;
2062
2063 assert(argc >= 0);
2064 assert(argv);
2065
2066 while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
2067
2068 switch (c) {
2069
2070 case 'h':
2071 help();
2072 return 0;
2073
2074 case ARG_VERSION:
2075 puts(PACKAGE_STRING);
2076 puts(SYSTEMD_FEATURES);
2077 return 0;
2078
2079 case ARG_CREATE:
2080 arg_create = true;
2081 break;
2082
2083 case ARG_CLEAN:
2084 arg_clean = true;
2085 break;
2086
2087 case ARG_REMOVE:
2088 arg_remove = true;
2089 break;
2090
2091 case ARG_BOOT:
2092 arg_boot = true;
2093 break;
2094
2095 case ARG_PREFIX:
2096 if (strv_push(&arg_include_prefixes, optarg) < 0)
2097 return log_oom();
2098 break;
2099
2100 case ARG_EXCLUDE_PREFIX:
2101 if (strv_push(&arg_exclude_prefixes, optarg) < 0)
2102 return log_oom();
2103 break;
2104
2105 case ARG_ROOT:
2106 free(arg_root);
2107 arg_root = path_make_absolute_cwd(optarg);
2108 if (!arg_root)
2109 return log_oom();
2110
2111 path_kill_slashes(arg_root);
2112 break;
2113
2114 case '?':
2115 return -EINVAL;
2116
2117 default:
2118 assert_not_reached("Unhandled option");
2119 }
2120
2121 if (!arg_clean && !arg_create && !arg_remove) {
2122 log_error("You need to specify at least one of --clean, --create or --remove.");
2123 return -EINVAL;
2124 }
2125
2126 return 1;
2127 }
2128
2129 static int read_config_file(const char *fn, bool ignore_enoent) {
2130 _cleanup_fclose_ FILE *f = NULL;
2131 char line[LINE_MAX];
2132 Iterator iterator;
2133 unsigned v = 0;
2134 Item *i;
2135 int r;
2136
2137 assert(fn);
2138
2139 r = search_and_fopen_nulstr(fn, "re", arg_root, conf_file_dirs, &f);
2140 if (r < 0) {
2141 if (ignore_enoent && r == -ENOENT) {
2142 log_debug_errno(r, "Failed to open \"%s\": %m", fn);
2143 return 0;
2144 }
2145
2146 return log_error_errno(r, "Failed to open '%s', ignoring: %m", fn);
2147 }
2148 log_debug("Reading config file \"%s\".", fn);
2149
2150 FOREACH_LINE(line, f, break) {
2151 char *l;
2152 int k;
2153
2154 v++;
2155
2156 l = strstrip(line);
2157 if (*l == '#' || *l == 0)
2158 continue;
2159
2160 k = parse_line(fn, v, l);
2161 if (k < 0 && r == 0)
2162 r = k;
2163 }
2164
2165 /* we have to determine age parameter for each entry of type X */
2166 HASHMAP_FOREACH(i, globs, iterator) {
2167 Iterator iter;
2168 Item *j, *candidate_item = NULL;
2169
2170 if (i->type != IGNORE_DIRECTORY_PATH)
2171 continue;
2172
2173 HASHMAP_FOREACH(j, items, iter) {
2174 if (j->type != CREATE_DIRECTORY && j->type != TRUNCATE_DIRECTORY && j->type != CREATE_SUBVOLUME)
2175 continue;
2176
2177 if (path_equal(j->path, i->path)) {
2178 candidate_item = j;
2179 break;
2180 }
2181
2182 if ((!candidate_item && path_startswith(i->path, j->path)) ||
2183 (candidate_item && path_startswith(j->path, candidate_item->path) && (fnmatch(i->path, j->path, FNM_PATHNAME | FNM_PERIOD) == 0)))
2184 candidate_item = j;
2185 }
2186
2187 if (candidate_item && candidate_item->age_set) {
2188 i->age = candidate_item->age;
2189 i->age_set = true;
2190 }
2191 }
2192
2193 if (ferror(f)) {
2194 log_error_errno(errno, "Failed to read from file %s: %m", fn);
2195 if (r == 0)
2196 r = -EIO;
2197 }
2198
2199 return r;
2200 }
2201
2202 int main(int argc, char *argv[]) {
2203 int r, k;
2204 ItemArray *a;
2205 Iterator iterator;
2206
2207 r = parse_argv(argc, argv);
2208 if (r <= 0)
2209 goto finish;
2210
2211 log_set_target(LOG_TARGET_AUTO);
2212 log_parse_environment();
2213 log_open();
2214
2215 umask(0022);
2216
2217 mac_selinux_init(NULL);
2218
2219 items = hashmap_new(&string_hash_ops);
2220 globs = hashmap_new(&string_hash_ops);
2221
2222 if (!items || !globs) {
2223 r = log_oom();
2224 goto finish;
2225 }
2226
2227 r = 0;
2228
2229 if (optind < argc) {
2230 int j;
2231
2232 for (j = optind; j < argc; j++) {
2233 k = read_config_file(argv[j], false);
2234 if (k < 0 && r == 0)
2235 r = k;
2236 }
2237
2238 } else {
2239 _cleanup_strv_free_ char **files = NULL;
2240 char **f;
2241
2242 r = conf_files_list_nulstr(&files, ".conf", arg_root, conf_file_dirs);
2243 if (r < 0) {
2244 log_error_errno(r, "Failed to enumerate tmpfiles.d files: %m");
2245 goto finish;
2246 }
2247
2248 STRV_FOREACH(f, files) {
2249 k = read_config_file(*f, true);
2250 if (k < 0 && r == 0)
2251 r = k;
2252 }
2253 }
2254
2255 /* The non-globbing ones usually create things, hence we apply
2256 * them first */
2257 HASHMAP_FOREACH(a, items, iterator) {
2258 k = process_item_array(a);
2259 if (k < 0 && r == 0)
2260 r = k;
2261 }
2262
2263 /* The globbing ones usually alter things, hence we apply them
2264 * second. */
2265 HASHMAP_FOREACH(a, globs, iterator) {
2266 k = process_item_array(a);
2267 if (k < 0 && r == 0)
2268 r = k;
2269 }
2270
2271 finish:
2272 while ((a = hashmap_steal_first(items)))
2273 item_array_free(a);
2274
2275 while ((a = hashmap_steal_first(globs)))
2276 item_array_free(a);
2277
2278 hashmap_free(items);
2279 hashmap_free(globs);
2280
2281 free(arg_include_prefixes);
2282 free(arg_exclude_prefixes);
2283 free(arg_root);
2284
2285 set_free_free(unix_sockets);
2286
2287 mac_selinux_finish();
2288
2289 return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
2290 }
Unnamed repository; edit this file 'description' to name the repository.