tmpfiles: don't relabel files in dry run mode

tmpfiles attempts to correct the label of a file during various actions
via the function fd_set_perms().  Currently, said function generally
respects the dry-run mode.  However, it attempts to fix the label of a
given file regardless of the state of said dry-run mode.

This causes problems, because a user could attempt to run tmpfiles with
elevated permissions and dry run enabled, expecting the tool to not
modify their system.  Instead, tmpfiles would falsely relabel a file,
modifying their system.

This commit explicitly checks for when dry-run is enabled and skips the
file relabelling process.  Furthermore, I added logging for both cases.
I found helpful during debugging.  That said, I don't think it's
necessary to use the level LOG_INFO on the dry-run path, as it would
always produce an info log.

diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index 060914f27c951c8aa379d35c5255dfec328e08c3..4342ed70abd51c4bd49e4f6817aa4bff99cd3cb8 100644 (file)
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -1060,6 +1060,12 @@ static int fd_set_perms(
         }
 
 shortcut:
+        if (arg_dry_run) {
+                log_debug("Would relabel \"%s\"", path);
+                return 0;
+        }
+
+        log_debug("Relabelling \"%s\"", path);
         return label_fix_full(fd, /* inode_path= */ NULL, /* label_path= */ path, 0);
 }