From: Christian Brauner Date: Thu, 23 Apr 2026 17:10:21 +0000 (+0200) Subject: chase: add explicit root_fd parameter to chaseat() and drop CHASE_AT_RESOLVE_IN_ROOT... X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9e865599f7539b90e79cdfb3ed749163f6f6086d;p=thirdparty%2Fsystemd.git chase: add explicit root_fd parameter to chaseat() and drop CHASE_AT_RESOLVE_IN_ROOT (#41652) Split the single directory fd that chaseat() used to take into two separate fds: a root_fd that sets the chroot boundary (symlinks may not escape it, absolute symlinks resolve relative to it), and a dir_fd that path resolution starts from. This makes the chroot semantics of chaseat() explicit at every call site instead of encoding them in the CHASE_AT_RESOLVE_IN_ROOT flag, which is removed. It also decouples the starting directory from the root boundary, so callers can descend from any inode inside the tree without having to reopen the root separately. XAT_FDROOT passed as root_fd means "no containment" (host root); as dir_fd it means "start at root_fd". For a smoother transition, AT_FDCWD is also accepted as root_fd and treated as XAT_FDROOT. When root_fd points to a directory that is actually the host root, it is normalized to XAT_FDROOT up front so the existing shortcut path can kick in. Absolute paths returned by chaseat() are now relative to root_fd, and relative paths are relative to dir_fd. The result is absolute only when there is no chroot boundary (root_fd is XAT_FDROOT), or when an absolute symlink made resolution jump out of the dir_fd subtree; otherwise callers get a relative path they can feed straight back into an openat()-style call against dir_fd. Specifically, when dir_fd == root_fd and we're not operating on the host's root directory, we return a relative path even if we received an absolute path or resolved an absolute symlink to allow passing the path directly to openat() style functions. We do this to not have to go modify every caller of chaseat() to make sure they deal properly with any absolute paths they might receive. Only when root_fd != dir_fd do we have to return an absolute path to indicate that the path is relative to root_fd and not dir_fd. The shortcut that skips the per-component walk is reworked around a new chase_xopenat() helper that funnels CHASE_NOFOLLOW, CHASE_MUST_BE_* and CHASE_TRIGGER_AUTOFS through xopenat_full()'s O_NOFOLLOW, O_DIRECTORY, XO_REGULAR, XO_SOCKET and XO_TRIGGER_AUTOMOUNT flags. As a result these flags no longer force us off the shortcut and can be dropped from CHASE_NO_SHORTCUT_MASK, and the old openat_opath_with_automount() helper goes away. A CHASE_MUST_BE_ANY alias is introduced for shortcut callers (stat/access paths) that don't go through xopenat_full() and still need to bail on those flags locally. All *_and_* helpers built on top of chaseat() (chase_and_openat, chase_and_opendirat, chase_and_statat, chase_and_accessat, chase_and_fopenat_unlocked, chase_and_unlinkat, chase_and_open_parent_at) gain the same root_fd parameter, and every call site in the tree is ported to the new signature. --- 9e865599f7539b90e79cdfb3ed749163f6f6086d