tmpfiles: Don't traverse mount points

For the same reason we avoid doing this in other code like in lints.rs; it's reasonable for someone to mount a volume on `/var/cache/dnf` for example in a container build, and we don't want to try to convert it to tmpfiles.d. Signed-off-by: Colin Walters <walters@verbum.org>
containers · Feb 12, 2025 · 659218a · 659218a
1 parent eb55216
commit 659218a
Showing 1 changed file with 16 additions and 12 deletions.
diff --git a/tmpfiles/src/lib.rs b/tmpfiles/src/lib.rs
@@ -337,20 +337,24 @@ fn convert_path_to_tmpfiles_d_recurse<U: uzers::Users, G: uzers::Groups>(
         }
 
         if meta.is_dir() {
-            convert_path_to_tmpfiles_d_recurse(
-                out_entries,
-                out_unsupported,
-                users,
-                groups,
-                rootfs,
-                existing,
-                prefix,
-                readonly,
-            )?;
             // SAFETY: We know this path is absolute
             let relpath = prefix.strip_prefix("/").unwrap();
-            if !readonly {
-                rootfs.remove_dir_all(relpath)?;
+            // Avoid traversing mount points by default
+            if rootfs.open_dir_noxdev(relpath)?.is_some() {
+                convert_path_to_tmpfiles_d_recurse(
+                    out_entries,
+                    out_unsupported,
+                    users,
+                    groups,
+                    rootfs,
+                    existing,
+                    prefix,
+                    readonly,
+                )?;
+                let relpath = prefix.strip_prefix("/").unwrap();
+                if !readonly {
+                    rootfs.remove_dir_all(relpath)?;
+                }
             }
         } else {
             // SAFETY: We know this path is absolute