diff options
author | Lennart Poettering <lennart@poettering.net> | 2015-04-04 14:42:39 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2015-04-06 10:57:53 +0200 |
commit | f25afeb6ab515cf890eff58c0b53cf35b2be0e05 (patch) | |
tree | a5d852813c41728861aee2001d047f94c7892290 | |
parent | c6878637502b1717a110a9a7e8bba32a8583fcdf (diff) |
rm-rf: never cross mount points
-rw-r--r-- | src/shared/path-util.c | 55 | ||||
-rw-r--r-- | src/shared/path-util.h | 1 | ||||
-rw-r--r-- | src/shared/rm-rf.c | 17 |
3 files changed, 45 insertions, 28 deletions
diff --git a/src/shared/path-util.c b/src/shared/path-util.c index 53c0079760..6a984fc1d8 100644 --- a/src/shared/path-util.c +++ b/src/shared/path-util.c @@ -470,30 +470,17 @@ char* path_join(const char *root, const char *path, const char *rest) { NULL); } -int path_is_mount_point(const char *t, bool allow_symlink) { - +int fd_is_mount_point(int fd) { union file_handle_union h = FILE_HANDLE_INIT; int mount_id = -1, mount_id_parent = -1; + bool nosupp = false; struct stat a, b; int r; - _cleanup_close_ int fd = -1; - bool nosupp = false; /* We are not actually interested in the file handles, but * name_to_handle_at() also passes us the mount ID, hence use * it but throw the handle away */ - if (path_equal(t, "/")) - return 1; - - fd = openat(AT_FDCWD, t, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|(allow_symlink ? 0 : O_PATH)); - if (fd < 0) { - if (errno == ENOENT) - return 0; - - return -errno; - } - r = name_to_handle_at(fd, "", &h.handle, &mount_id, AT_EMPTY_PATH); if (r < 0) { if (errno == ENOSYS) @@ -502,7 +489,9 @@ int path_is_mount_point(const char *t, bool allow_symlink) { goto fallback; else if (errno == EOPNOTSUPP) /* This kernel or file system does not support - * name_to_handle_at(), hence fallback to the + * name_to_handle_at(), hence let's see if the + * upper fs supports it (in which case it is a + * mount point), otherwise fallback to the * traditional stat() logic */ nosupp = true; else if (errno == ENOENT) @@ -511,29 +500,26 @@ int path_is_mount_point(const char *t, bool allow_symlink) { return -errno; } - h.handle.handle_bytes = MAX_HANDLE_SZ; r = name_to_handle_at(fd, "..", &h.handle, &mount_id_parent, 0); - if (r < 0) - if (errno == EOPNOTSUPP) + if (r < 0) { + if (errno == EOPNOTSUPP) { if (nosupp) /* Neither parent nor child do name_to_handle_at()? We have no choice but to fall back. */ goto fallback; else - /* The parent can't do name_to_handle_at() but - * the directory we are interested in can? - * Or the other way around? + /* The parent can't do name_to_handle_at() but the + * directory we are interested in can? * If so, it must be a mount point. */ return 1; - else + } else return -errno; - else + } else return mount_id != mount_id_parent; fallback: r = fstatat(fd, "", &a, AT_EMPTY_PATH); - if (r < 0) { if (errno == ENOENT) return 0; @@ -541,7 +527,6 @@ fallback: return -errno; } - r = fstatat(fd, "..", &b, 0); if (r < 0) return -errno; @@ -549,6 +534,24 @@ fallback: return a.st_dev != b.st_dev; } +int path_is_mount_point(const char *t, bool allow_symlink) { + _cleanup_close_ int fd = -1; + assert(t); + + if (path_equal(t, "/")) + return 1; + + fd = openat(AT_FDCWD, t, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|(allow_symlink ? 0 : O_PATH)); + if (fd < 0) { + if (errno == ENOENT) + return 0; + + return -errno; + } + + return fd_is_mount_point(fd); +} + int path_is_read_only_fs(const char *path) { struct statvfs st; diff --git a/src/shared/path-util.h b/src/shared/path-util.h index ca81b49cbf..5548ce4a94 100644 --- a/src/shared/path-util.h +++ b/src/shared/path-util.h @@ -53,6 +53,7 @@ char** path_strv_make_absolute_cwd(char **l); char** path_strv_resolve(char **l, const char *prefix); char** path_strv_resolve_uniq(char **l, const char *prefix); +int fd_is_mount_point(int fd); int path_is_mount_point(const char *path, bool allow_symlink); int path_is_read_only_fs(const char *path); int path_is_os_tree(const char *path); diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c index 99d12b11c6..eeb2e39196 100644 --- a/src/shared/rm-rf.c +++ b/src/shared/rm-rf.c @@ -89,7 +89,7 @@ int rm_rf_children(int fd, RemoveFlags flags, struct stat *root_dev) { if (is_dir) { int subdir_fd; - /* if root_dev is set, remove subdirectories only, if device is same as dir */ + /* if root_dev is set, remove subdirectories only if device is same */ if (root_dev && st.st_dev != root_dev->st_dev) continue; @@ -100,6 +100,20 @@ int rm_rf_children(int fd, RemoveFlags flags, struct stat *root_dev) { continue; } + /* Stop at mount points */ + r = fd_is_mount_point(subdir_fd); + if (r < 0) { + if (ret == 0 && r != -ENOENT) + ret = r; + + safe_close(subdir_fd); + continue; + } + if (r) { + safe_close(subdir_fd); + continue; + } + /* We pass REMOVE_PHYSICAL here, to avoid * doing the fstatfs() to check the file * system type again for each directory */ @@ -162,7 +176,6 @@ int rm_rf(const char *path, RemoveFlags flags) { r = rm_rf_children(fd, flags, NULL); if (flags & REMOVE_ROOT) { - if (rmdir(path) < 0 && errno != ENOENT) { if (r == 0) r = -errno; |