Enabling libcrypsetup in libmount had several unintended side
effects.
First of all, it increases the Debian minimal image size by
~2.5% (5.6MB worth of new libraries).
Then, due to libcryptsetup linkage to OpenSSL and libjson-c,
it causes incompatibilities with external programs linking
against both libmount and a private, static, old version of
OpenSSL, or external programs linking against libjansson or
json-glib, which have one symbol in common with libjson-c.
If ./configure is ran with --with-crypsetup=dlopen,
instead of linking to libcrypsetup, use dlopen to resolve
the symbols at runtime only when the verity feature is
used, thus avoiding clashes and keeping images size down.
Fixes#1081
Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
Let's simplify the loop where we add FS to the table. The optimization
for recoverable errors is a fragile overkill. The new code always
allocates and unrefs FS for each loop.
Addresses: https://github.com/karelzak/util-linux/pull/1068
Signed-off-by: Karel Zak <kzak@redhat.com>
This patch add support for a new tag. The tag is based on udev block
device ID (see /dev/disk/by-id). The usual use-case is to use
WWN for this purpose, for example
# mount ID=wwn-0x50026b724b09a1ff /mnt
Note that ID is not strictly defined and udevd generates various IDs
also for HW where WWN is undefined. This is reason why introduce ID=
seems better and more generic than more restrictive WWN=.
Addresses: https://github.com/karelzak/util-linux/issues/1008
Signed-off-by: Karel Zak <kzak@redhat.com>
fstab:
//rhel73/myshare/sub/path /mnt cifs
after mount in mountinfo:
# grep cifs /proc/self/mountinfo
47 39 0:40 /sub/path /mnt rw,relatime shared:60 - cifs //rhel73/myshare/sub/path ...
^^^^^^^^^
or:
# grep cifs /proc/self/mountinfo
47 39 0:40 / /mnt rw,relatime shared:60 - cifs //rhel73/myshare/sub/path ...
^
That is so since on kernel cifs code, cifs_get_root (which returns the
entry associated with mnt_root) return s_root if
CIFS_MOUNT_USE_PREFIX_PATH is set, no questions asked.
This situation can occurr often on CIFS mounts, as CIFS servers limit
frequently scope of access to the root path.
[kzak@redhat.com: - add more info to the commit message,
- clean up variable names]
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1826719
Signed-off-by: Roberto Bergantinos Corpas <rbergant@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
Before ecfeae90a2 ("libmount: Ensure utab.lock mode 644"), you could do
something like:
irc:/tmp umount --version
umount from util-linux 2.27.1 (libmount 2.27.0: selinux, assert, debug)
irc:/tmp mkdir foo bar
irc:/tmp unshare -Urm
irc:/tmp mount --bind foo bar
irc:/tmp umount bar
irc:/tmp echo $?
0
However, afterwards, you get:
/tmp unshare -Urm
/tmp mount --bind foo bar
/tmp umount bar
umount: /tmp/bar: filesystem was unmounted, but failed to update userspace mount table.
Because of the chmod failing:
fchmod(3, 0644) = -1 EPERM (Operation not permitted)
Let's figure out whether the chmod is necessary before doing it, and only
do it if it is necessary. This won't fix cases where the system is already
broken, but at least on healthy systems umount will behave as before.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
* 'clang' of https://github.com/neheb/util-linux:
[clang-tidy] fix misleading identation
[clang-tidy] use ceil
[clang-tidy] fix wrong *cmp usage
[clang-tidy] do not use else after return
[clang-tidy] do not return in void functions
[clang-tidy] fix mismatching declarations
Currently, umount /foo results in a statfs("/foo") call, which triggers
autofs. This can create another mountpoint on /foo, which is then unmounted
later instead of the actual /foo at the time umount was called.
This is especially an issue for umount -R /bar, which just fails with
-EBUSY as the accidental mountpoint is never accounted for and so it tries
to umount /bar before /bar/someautofs.
Replace the direct statfs call with open(path, O_PATH) + fstatfs, which sees
the autofs mount directly, without triggering it.
The classic mount(8) behavior is to try read-only on write-protected devices
if the first mount syscall attempt ends with EACCES.
It seems we can implement this feature also for EBUSY if the same mount source
is already mounted with "ro" superblock option.
The typical use-case is iso image (always read-only) mounted on two places.
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1809124
Signed-off-by: Karel Zak <kzak@redhat.com>
libmount returns EPERM for all X- and x- mount options for non-root
users when evaluate X-mount.mkdir. It's bug, we need to be sensitive
to only X-mount.mkdir and only if the target directory is missing.
Addresses: https://github.com/karelzak/util-linux/issues/941
Signed-off-by: Karel Zak <kzak@redhat.com>
A new API was added to libcryptsetup to make use of the kernel's new
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG feature, which allows to sign
root hashes. Add a verity.roothashsig option to use it.
Device reuse will be allowed only if signatures are used by all, or
by none.
Since v2.35 mount(8) drops suid on -EPERM and repeat necessary actions
before mount(2) syscall. This patch also improves this behavior for
X-mount.mkdir too.
mount(8):
* return -EPERM on sanitize_paths() rather than call err()
* call suid_drop() on failed sanitize_paths()
* update man page
libmount:
* mnt_context_prepare_target() refactoring
* return -EPERM when in restricted mode for X-mount.mkdir
Fixed version:
/home/kzak/mnt-foo sr.net.home:/home/kzak fuse.sshfs noauto,X-mount.mkdir
$ mount /home/kzak/mnt-foo
kzak@sr.net.home's password:
$ /home/projects/util-linux/util-linux findmnt /home/kzak/mnt-foo
TARGET SOURCE FSTYPE OPTIONS
/home/kzak/mnt-foo sr.net.home:/home/kzak fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000
Addresses: https://github.com/systemd/systemd/issues/14418
Signed-off-by: Karel Zak <kzak@redhat.com>
Allow users to point mount to a file to read the roothash, in addition
to passing it inline.
Allows a volume managed by a systemd mount unit to be updated without
changing the mount unit content itself, for easier and more user friendly
servicing.
The following new options are added:
verity.hashdevice
verity.roothash
verity.hashoffset
The source path will be used as a dm-verity object, and will be
opened using libcryptsetup APIs.
A new --with-cryptsetup build-time option is added, which adds a
dependency on libcryptsetup. To ease bootstrapping, given libcryptsetup
build-depends on util-linux for libuuid, if --with-cryptsetup=yes but
libcryptsetup is not installed only a warning will be printed at
configure time rather than an error. This way stage0/first stage/ring0
builds can use the same configure options but avoid installing
cryptsetup to get a working base set, and then rebuild util-linux in
the next step of the boostrapping process.
If verity options are selected but cannot be fullfilled due to lack of
dependencies, mounting a volume will fail even if using a loop device
would work as a fallback, to avoid silently skipping integrity checks.
The current libmount assumes that mount(8) and umount(8) are suid
binaries. For this reason it implements internal rules which
restrict what is allowed for non-root users. Unfortunately, it's
out of reality for some use-cases where root permissions are no
required. Nice example are fuse filesystems.
So, the current situation is to call exit() always when mount, umount or
libmount are unsure with non-root user rights. This patch removes the
exit() call and replaces it with suid permissions drop, after that it
continues as usually. It means after suid-drop all depend on kernel
and no another security rule is used by libmount (simply because any
rule is no more necessary).
Example:
old version:
$ mount -t fuse.sshfs kzak@192.168.111.1:/home/kzak /home/kzak/mnt
mount: only root can use "--types" option
new version:
$ mount -t fuse.sshfs kzak@192.168.111.1:/home/kzak /home/kzak/mnt
kzak@192.168.111.1's password:
$ findmnt /home/kzak/mnt
TARGET SOURCE FSTYPE OPTIONS
/home/kzak/mnt kzak@192.168.111.1:/home/kzak fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000
$ umount /home/kzak/mnt
$ echo $?
0
Note that fuse user umount is supported since v2.34 due to user_id= in
kernel mount table.
Signed-off-by: Karel Zak <kzak@redhat.com>
Since 34333e5244 we apply fstab options
manually by mnt_context_apply_fs() on --all. The function does not
work correctly when optsmode is zero.
Signed-off-by: Karel Zak <kzak@redhat.com>
For example:
# mount --verbose --all -t xfs -o ro
will mount all all XFS filesystems from fstab, but read-only.
Signed-off-by: Karel Zak <kzak@redhat.com>
The current implementation works, but the remount operation is done in
the cloned context and the original context (and calling application)
has no information about the final status/errors. This is mistake.
This new implementation works like mnt_context_next_mount(), it means
the same context (as used by application) is reused for all remounts.
The original setting is restored by mnt_context_apply_template().
Signed-off-by: Karel Zak <kzak@redhat.com>
This commit adds new functions to save and reuse the current FS
setting (mount options from command line, etc) after context reset.
It's usable for example in "mount --all" when we use the same context
for more times for more mount operations.
Signed-off-by: Karel Zak <kzak@redhat.com>
* don't ignore strdup() result
* cleanup mnt_context_prepare_helper() to have only one return point
(due to mnt_context_switch_ns())
* add mnt_context_prepare_helper() test program
Signed-off-by: Karel Zak <kzak@redhat.com>
* add set/get functions to context
* use prefix to detect already mounted filesystems
* use prefix when prepare target path
Signed-off-by: Karel Zak <kzak@redhat.com>
The current solution is to use /proc/mounts if previous attempt to
open /proc/self/mountinfo failed. The fallback should not be used when
mount table path is explicitly specified by application. The default
is NULL, only in this case libmount should be try to be smart.
Reported-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
Add libselinux dependency to libmount if it is compiled
with selinux support.
Without this fix, 'pkg-config --libs --static mount' doesn't
show libselinux related options.
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Sorry detail-oriented people tend to wipe these out if they notice them.
Add in automated tools and lots of excess end-of-line spaces get wiped
out.
Addresses: https://github.com/karelzak/util-linux/pull/849
Signed-off-by: Karel Zak <kzak@redhat.com>
* fix read() buffer size (stupid bug...)
* split read() EINTR and poll() based attempts
* use 100 attempts
* wait 10000 usec between attempts, but first 10 attempts are without
this delay. It makes the function usable for usual use-cases as well
as on very busy systems (successfully tested with 300 concurrent
mount/umount processes)
Signed-off-by: Karel Zak <kzak@redhat.com>
The standard way how we read mount table is not reliable because
during the read() syscalls the table may be modified by some another
process. The changes in the table is possible to detect by poll()
event, and in this case it seems better to lseek to the begin of the file
and read it again. It's expensive, but better than races...
This patch does not modify mountinfo parser, but it reads all file to
memory (by read()+poll()) and than it creates memory stream
from the buffer and use it rather than a regular file stream.
It means the parser is still possible to use for normal files
(e.g. fstab) as well as for mountinfo and it's also portable to
systems where for some reason is no fmemopen().
Note that re-read after poll() event is limited to 5 attempts (but
successful read() without event zeroize the counter). It's because we
do not want to wait for consistent mountinfo for ever. It seems better
to use old (less reliable) way than hang up in read()+poll()
loop.
Addresses: https://github.com/systemd/systemd/issues/10872
Reported-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Signed-off-by: Karel Zak <kzak@redhat.com>
There's an obvious copy-paste error in `mnt_parse_table_line` when
referring to the 6th field of the fstab format, where it says "freq"
instead of "passno". This has probably been copied from the 5th field,
which is in fact correctly labelled as "freq".
Fix the mistake by changing the comment to say "passno" instead.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
The "umount -f -a -r" get stuck in a endless loop when run with a
mountinfo like below:
15 0 179:2 / / ro,relatime - ext4 /dev/root ro
16 15 0:6 / /dev rw,relatime - devtmpfs devtmpfs rw,size=242896k,nr_inodes=60724,mode=755
17 15 0:4 / /proc rw,relatime - proc proc rw
18 15 0:15 / /mnt/.psplash rw,relatime - tmpfs tmpfs rw,size=40k
19 15 0:16 / /sys rw,relatime - sysfs sysfs rw
20 19 0:7 / /sys/kernel/debug rw,relatime - debugfs debugfs rw
21 15 0:17 / /run rw,nosuid,nodev - tmpfs tmpfs rw,mode=755
22 15 0:18 / /var/volatile rw,relatime - tmpfs tmpfs rw
23 15 179:1 / /boot rw,relatime - vfat /dev/mmcblk0p1 rw,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro
24 16 0:19 / /dev/pts rw,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=000
25 18 0:20 / /mnt/.psplash rw,relatime - tmpfs tmpfs rw,size=40k
The reason is that the two same mnt entry "/mnt/.psplash" will cause
the dst->tab set to NULL when umount this mnt entry the second time.
This will trigger an endless loop in mnt_reset_table() because that
mnt entry is linked on the libmnt_table but its .tab is set to NULL.
Signed-off-by: Kevin Hao <kexin.hao@windriver.com>
This is false positive warning, but lets silence it so that if and when
warnings crop up they are easy to notice and take seriously.
libmount/src/optstr.c:354:29: warning: potential null pointer dereference
[-Wnull-dereference]
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
* Added member 'struct libmnt_table *tab' to libmnt_fs structure.
* Added 'mnt_fs_get_table()'.
* Removed overhead from 'mnt_table_{insert,move,remove}_fs().
* Added check to 'mnt_table_set_iter()' that entry is member of table.
[kzak@redhat.com: - add to libmount.sys
- add to docs
- cleanup commit message
- set fs->tab = NULL before mnt_unref_fs() in mnt_table_remove_fs()]
Signed-off-by: Tim Hildering <hilderingt@posteo.net>
Signed-off-by: Karel Zak <kzak@redhat.com>
Add some fuse filesystems to the list of pseudofs and netfs.
There are still tens of filesystems that should be evaluated and added.
Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
Add functions to insert FS into table to specified position and to
move FS between two tables.
Co-Author: Tim Hildering <hilderingt@posteo.net>
Signed-off-by: Karel Zak <kzak@redhat.com>
Added validation to function 'mnt_table_add_fs()' to check that added @fs
is not already a member of another table.
Signed-off-by: Karel Zak <kzak@redhat.com>
This patch add to support for remount-all operation to
libmount and mount(8).
For example:
mount --all -o remount,ro -t vfat
to remount read-only all VFAT filesystems.
Addresses: https://github.com/karelzak/util-linux/issues/589
Signed-off-by: Karel Zak <kzak@redhat.com>
The option user= is already handled by evaluate_permissions() and by
classic mount and umount usermount support. It seems we do not need
to duplicate support for user= in is_fuse_usermount().
The option user_id= is fuse specific and it's maintained by
libfuse/kernel in /proc/self/mountinfo. This is feature we need to
support in umount(8).
Addresses: https://github.com/karelzak/util-linux/pull/705
Signed-off-by: Karel Zak <kzak@redhat.com>
FUSE mounts don't need an fstab entry to be unmounted.
This checks if a mount is a FUSE mount before checking for
the fstab entry, and if so returns success.
[kzak@redhat.com: - use libmount tools for mount options
- use namespace switches
- cleanup code
The requirement is user=<username> or user_id=<uid> in /proc/self/mountinfo
for fuse filesystem. The logic is the same as for user= mount options, but in
this case it is not maintained by libmount in userspace, but by fuse FS in kernel.]
Co-Author: Karel Zak <kzak@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
* add SPDX-License-Identifier (see https://spdx.org/licenses/)
* add "This file part of libmount from util-linux project."
* use proper text for LGPL-2.1-or-later
* use the same texts everywhere
Signed-off-by: Karel Zak <kzak@redhat.com>
Let's use standardized names for licenses. The names used by SPDX
makes things more obvious at first glance. For complete list see:
https://spdx.org/licenses/
Note, this commit does not change any license or so...
Signed-off-by: Karel Zak <kzak@redhat.com>
libmount/python/pylibmount.c:158:19: warning: cast between incompatible function types
from ‘PyObject * (*)(PyObject *)’ {aka ‘struct _object * (*)(struct _object *)’}
to ‘PyObject * (*)(PyObject *, PyObject *)’ {aka ‘struct _object * (*)(struct _object *, struct _object *)’}
[-Wcast-function-type]
This is generic problem in all Python C code and gcc v8. The another
possible (and probably more correct) way is to add unused argument to
all API functions. Unfortunately, this solution is pretty invasive. The
question is if gcc is not too paranoid in this case.
For more details see https://bugs.python.org/issue33012. It seems
Python guys also prefer CFLAGS modification for now.
Signed-off-by: Karel Zak <kzak@redhat.com>
The source of a mount in /proc/self/mountinfo can unfortunately be an
empty string. Before this patch, 'mount' and 'mountpoint' fail as
following:
$ sudo mount -t tmpfs "" /tmp/bb
$ mount
mount: /proc/self/mountinfo: parse error at line 64 -- ignored
$ mountpoint /tmp/bb
/tmp/bb is not a mountpoint
This patch fixes the parsing. It is unfortunately more complex because
sscanf() does not handle fields with empty strings easily.
Other projects have their own parser for mountinfo and have similar
issues. I know of runc and runtime-tools (I'll send a patch for those
two) but there are probably others.
Signed-off-by: Alban Crequy <alban@kinvolk.io>