From c83e410e095e775f393a09073e34ca8defee6b03 Mon Sep 17 00:00:00 2001 From: Jan Fooken Date: Fri, 22 Aug 2025 11:26:25 +0200 Subject: [PATCH] tmpfiles: don't relabel files in dry run mode tmpfiles attempts to correct the label of a file during various actions via the function fd_set_perms(). Currently, said function generally respects the dry-run mode. However, it attempts to fix the label of a given file regardless of the state of said dry-run mode. This causes problems, because a user could attempt to run tmpfiles with elevated permissions and dry run enabled, expecting the tool to not modify their system. Instead, tmpfiles would falsely relabel a file, modifying their system. This commit explicitly checks for when dry-run is enabled and skips the file relabelling process. Furthermore, I added logging for both cases. I found helpful during debugging. That said, I don't think it's necessary to use the level LOG_INFO on the dry-run path, as it would always produce an info log. (cherry picked from commit 7bb8e9e82f1b53081ad60ae71ff7045495130cd6) --- src/tmpfiles/tmpfiles.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c index 0e40896ec64..2376b5604c5 100644 --- a/src/tmpfiles/tmpfiles.c +++ b/src/tmpfiles/tmpfiles.c @@ -1069,6 +1069,12 @@ static int fd_set_perms( } shortcut: + if (arg_dry_run) { + log_debug("Would relabel \"%s\"", path); + return 0; + } + + log_debug("Relabelling \"%s\"", path); return label_fix_full(fd, /* inode_path= */ NULL, /* label_path= */ path, 0); } -- 2.47.3
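Review bot: in the block added under `shortcut:` in fd_set_perms(), the dry-run branch reports the skipped relabel only with `log_debug("Would relabel \"%s\"", path);`, so a dry run at the default log level gives no sign that a real run would change the file's label. The commit message says the rest of fd_set_perms() already respects dry-run; consider emitting this message at the same level those existing dry-run branches use, so the relabel appears alongside the other "would do" output. The unconditional `log_debug("Relabelling \"%s\"", path);` fires on every call that reaches `shortcut:`, whether or not label_fix_full() ends up changing anything, so wording such as "Fixing label of" may describe it more accurately. The diffstat touches only src/tmpfiles/tmpfiles.c; a test that runs tmpfiles in dry-run mode and checks that the label is left alone would keep this from regressing.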