41 Commits

Author SHA1 Message Date
Thomas Deutschmann 037c7816ce switch_root: check if mount point to move even exists
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
2021-02-08 15:35:07 +01:00
Karel Zak d3e58a8ec9 switch_root: fix double close [coverity scan]
Upon successful fdopendir(3) file descriptor that will be closed, that
happens in recursiveRemove() switch_root(8) function.

CID: 360697
Reference: https://pubs.opengroup.org/onlinepubs/9699919799/functions/fdopendir.html
Co-Author: Sami Kerola <kerolasa@iki.fi>
Signed-off-by: Karel Zak <kzak@redhat.com>
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
2020-10-16 11:56:35 +02:00
Sami Kerola 12558a4c47 nsenter / switch_root: fix insecure chroot [coverity scan]
If a call to chroot is not followed by a call to chdir("/") the chroot jail
confinement can be violated.  See also CWE-243.

CID: 360718
CID: 360800
Reference: http://cwe.mitre.org/data/definitions/243.html
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
2020-10-16 11:32:38 +02:00
Karel Zak 2c308875a7 misc: consolidate version printing and close_stdout()
Signed-off-by: Karel Zak <kzak@redhat.com>
2019-04-16 15:14:13 +02:00
Paul Asmuth 9737a16711 fix a bug where switch_root would erroneously try to parse initargs
before this change, switch_root would try to parse all arguments,
including 'initargs', using getopt, which would lead to an 'unrecognized
option' error when trying to pass a flag to the init program
2018-11-12 14:20:45 +01:00
Karel Zak fd777151bf sys-utils: use errexec()
Signed-off-by: Karel Zak <kzak@redhat.com>
2018-02-01 15:44:25 +01:00
Ruediger Meier f45f3ec34a misc: consolidate macro style USAGE_HELP_OPTIONS
changed in include/c.h and applied via sed:

  sed -i 's/fprintf.*\(USAGE_MAN_TAIL.*\)/printf(\1/' $(git ls-files -- "*.c")
  sed -i 's/print_usage_help_options\(.*\);/printf(USAGE_HELP_OPTIONS\1);/' $(git ls-files -- "*.c")

Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
2017-06-29 16:54:33 +02:00
Ruediger Meier b1a294c448 misc: introduce print_usage_help_options()
Consolidate --help and --version descriptions. We are
now able to align them to the other options.

We changed include/c.h. The rest of this patch was
generated by sed, plus manually setting the right
alignment numbers. We do not change anything but
white spaces in the --help output.

Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
2017-06-27 12:26:19 +02:00
Ruediger Meier 6e1eda6f22 misc: never use usage(stderr)
Here we fix all cases where we have usage(FILE*)
functions.

Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
2017-06-26 14:38:24 +02:00
Sami Kerola 105bb8572f switch_root: use getopt_long() to parse options
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
2017-05-10 10:53:28 +02:00
Patrick Steinhardt 85bfb519af switch_root: unlink files without _DIRENT_HAVE_D_TYPE
When _DIRENT_HAVE_D_TYPE is not defined, we need to always fstat the
directory entry in order to determine whether it is a directory or not.
If we determine that the file is indeed a directory on the same device,
we proceed to recursively remove its contents as well. Otherwise, we
simply skip removing the entry altogether.

This logic is not entirely correct though. Note that we actually skip
deletion of the entry if it is either not a directory or if it is not on
the same device. The second condition is obviously correct here, as we
do not want to delete files on other mounts here. But skipping deletion
of the entry itself if it is not a directory is wrong.

When _DIRENT_HAVE_D_TYPE is defined, this condition should never be
triggered, as we have already determined that the entry is a directory.
But if it is not, we will always do the fstat and check. Because of
this, we will now skip deletion of all files which are not directories,
which is wrong.

Fix the issue by disentangling both conditions. We now first check
whether we are still on the same device - if not, we skip recursive
deletion as well as deletion of the directory entry. Afterwards, we
check whether it is a directory - if so, we do delete its contents
recursively. And finally, we will now unlink the entry disregarding
whether it is a directory or not.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
2017-04-26 11:23:50 +02:00
Sami Kerola 341154da28 switch_root: simplify code and reduce indentation [oclint]
The if statement in line 162 already ensures value of cfd to be 0 or
greater, so the later if is not needed.

Signed-off-by: Sami Kerola <kerolasa@iki.fi>
2016-07-21 21:14:33 +01:00
Benno Schulenberg fc14ceba5e textual: grammarize and harmonize the stat error message
The message "stat failed %s" seems to say that stat() failed to
do something, or failed to pass a test, but of course it means
that the statting of something failed.  So say so.  Also make
two very similar messages equal to this one.

Signed-off-by: Benno Schulenberg <bensberg@justemail.net>
2015-02-02 11:27:10 +01:00
Benno Schulenberg 451dbcfae1 textual: add a docstring to most of the utilities
This adds a concise description of a tool to its usage text.

A first form of this patch was proposed by Steven Honeyman
(see http://www.spinics.net/lists/util-linux-ng/msg09994.html).

Signed-off-by: Benno Schulenberg <bensberg@justemail.net>
2015-01-06 11:27:38 +01:00
Karel Zak 64d0cee6c0 include/statfs_magic: use macro rather than type for f_type
Signed-off-by: Karel Zak <kzak@redhat.com>
2014-11-10 11:29:42 +01:00
Karel Zak 8f806bb1ea switch_root: improve statfs->f_type portability
__SWORD_TYPE is not available everywhere, for example it's not defined
by musl libc. It also seems that __SWORD_TYPE is not used for f_type
on some architectures (s390x).

Reported-by: Natanael Copa <ncopa@alpinelinux.org>
Signed-off-by: Karel Zak <kzak@redhat.com>
2014-11-06 12:50:27 +01:00
Ruediger Meier 60cb2c3720 build: fix some compiler warnings
Most of them caught on 32bit gcc and icc.

disk-utils/fsck.cramfs.c:     printf format type
lib/boottime.c:               unused variables
misc-utils/cal.c:             set but never used
sys-utils/losetup.c:          set but never used
sys-utils/lscpu-dmi.c:        defined but not used
sys-utils/switch_root.c:      comparison between signed and unsigned
tests/helpers/test_sysinfo.c: printf format type
2014-05-30 01:18:09 +02:00
Dave Reisner c7832fb8f1 switch_root: verify initramfs by f_type, not devno
As of linux 3.14, the initramfs device will have both major and
minor 0, causing our paranoia check to fail. Make this version agnostic
by checking the filesystem type, rather than a device number.

Signed-off-by: Dave Reisner <dreisner@archlinux.org>
2014-04-04 14:55:13 +02:00
Karel Zak 7ad19a3feb switch_root: make dirent d_type usage more robust
Signed-off-by: Karel Zak <kzak@redhat.com>
2014-03-04 11:45:44 +01:00
Richard Weinberger 07de470e43 switch_root: Add a sanity check
As switch_root basically does rm -Rf / we should make sure
that / is really an initramfs.

Signed-off-by: Richard Weinberger <richard@nod.at>
2013-02-13 14:55:30 +01:00
Karel Zak 17df84df27 switch_root: check open() return value [coverity scan]
Signed-off-by: Karel Zak <kzak@redhat.com>
2012-09-07 13:02:42 +02:00
Sami Kerola add1b8afd0 translation: unify stat error messages
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
2012-07-16 18:18:22 +02:00
Sami Kerola efb8854f4c sys-utils: verify writing to streams was successful
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
2012-04-04 19:49:40 +02:00
Sami Kerola dd41e06795 switch_root: close open file after usage [cppcheck]
[sys-utils/switch_root.c:159]: (error) Resource leak: cfd

Signed-off-by: Sami Kerola <kerolasa@iki.fi>
2012-02-08 14:23:28 +01:00
Harald Hoyer 944de78b5d switch_root: umount mount points we cannot move with MNT_DETACH
If a mount point cannot be moved to the new root, umount it with
MNT_DETACH, so that it is lazy umounted and does not show up in
/proc/mounts anymore.

[kzak@redhat.com: - add MNT_DETACH macro fallback]

Signed-off-by: Harald Hoyer <harald@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
2011-11-14 14:49:37 +01:00
Sami Kerola 0fbd4c8572 switch_root: add nls support
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
2011-10-30 14:47:31 +01:00
Sami Kerola ed8d2938f3 switch_root: align with howto-usage-function.txt
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
2011-10-30 14:45:14 +01:00
Harald Hoyer acb03ad46a switch_root: handle /run and do not mount over existing mounts
Handle /run just like /dev, /sys and /proc

Do not mount move, if there is already something mounted on the
destination folder.

Signed-off-by: Harald Hoyer <harald@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
2011-10-20 12:27:35 +02:00
Fabian Groffen eb76ca98b0 build-sys: provide alternatives for err, errx, warn and warnx
Solaris lacks err, errx, warn and warnx.  This also means the err.h header
doesn't exist.  Removed err.h include from all files, and included err.h from
c.h instead if it exists, otherwise alternatives are provided.

Signed-off-by: Fabian Groffen <grobian@gentoo.org>
2011-02-14 17:45:24 +01:00
Karel Zak 558417e8c8 Revert "switch_root: add subroot support"
This reverts commit a692a87459.

On Wed, Nov 18, 2009 at 03:33:12PM +0000, Daniel Drake wrote:
> Booting into a system this way just leads to problems because
> you cannot remount the root read-only at shutdown (leading to unclean
> shutdowns).

> Miklos Szeredi pointed out a trick to turn any directory into a
> mount point which avoids this problem. Therefore we can simplify
> switch_root again and simply document that its users should set
2009-11-20 15:11:59 +01:00
Karel Zak 532c6cb199 switch_root: remove TIOCSCTTY and setsid()
requested by dracut developers because:

   bash: cannot set terminal process group (-1): Inappropriate ioctl for device

Addresses-Red-Hat-Bug: #519237
Signed-off-by: Karel Zak <kzak@redhat.com>
2009-10-09 15:17:54 +02:00
Daniel Drake a692a87459 switch_root: add subroot support
The current switch_root can only switch to a new root that is the root
of a mount point.

This patch adds support for "subroots", where the new root is
somewhere below a mount point. It does this by adding in a few extra
steps to chroot into the subroot after the enclosing partition has
been moved and entered.

This will be used by OLPC, who sort-of have 2 copies of Fedora stored
on a single partition under different directory trees, where the
initramfs decides which one to boot into

[kzak@redhat.com:
    - port to the current u-l-ng switch_root code
    - don't use static buffer for "dir" in get_parent_mount()]

CC: Peter Jones <pjones@redhat.com>
Signed-off-by: Daniel Drake <dsd@laptop.org>
Signed-off-by: Karel Zak <kzak@redhat.com>
2009-07-14 14:41:33 +02:00
Peter Jones 2a7ccc65e9 switch_root: do recursiveRemove after our root is moved to avoid races.
This way there's no race between unlinking the /newroot directory and
the MS_MOVE/chroot() to get away from it.

Signed-off-by: Peter Jones <pjones@redhat.com>
2009-06-22 21:45:25 +02:00
Peter Jones 4c2d96e62a switch_root: fork before cleaning up the filesystem.
Fork before cleaning up the old filesystem, so it becomes asynchronous,
which results in a faster boot time.

Signed-off-by: Peter Jones <pjones@redhat.com>
2009-06-22 21:45:25 +02:00
Peter Jones 82476a9080 switch_root: use file descriptor instead of path for recursiveRemove()
This makes recursiveRemove() use fdopendir() instead of taking a path,
so we're always sure about which namespace we're starting from.

Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
2009-06-22 21:38:12 +02:00
Karel Zak 8f24e52ed7 switch_root: use snprintf() rather than str{cpy,cat}()
Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
2009-06-22 21:30:47 +02:00
Karel Zak 8b6457d06a switch_root: clean up argv[] usage, add -h and -V
Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
2009-06-22 21:30:47 +02:00
Karel Zak fcb495b1df switch_root: use err.h, clean up return codes
Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
2009-06-22 21:30:47 +02:00
Karel Zak a6fc8b07f9 switch_root: rewrite to use fstatat() and unlinkat()
Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
2009-06-22 21:30:47 +02:00
Karel Zak 3ddbe4d26b switch_root: fix coding style
Signed-off-by: Peter Jones <pjones@redhat.com>
Acked-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
2009-06-22 21:30:47 +02:00
Karel Zak 711ea7307d switch_root: new command
Copied from Dracut project:
git://dracut.git.sourceforge.net/gitroot/dracut

switch_root history in dracut.git repository:

$ git shortlog switch_root.c
Harald Hoyer (5):
      replace switch_root shell script with binary
      add \n to switch_root
      use switch_root code from http://pjones.fedorapeople.org/mkstart/usr/lib/mkstart/switchroot.c
      mount move instead of umount and fix the search for fallback inits
      setsid() and set controlling terminal for real /sbin/init

Victor Lowther (2):
      Simplify switch_root.c a bit
      Remove all files on the initramfs before switching root

Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
2009-06-22 21:30:46 +02:00