install: Never traverse mount points with --wipe

If we encounter a mount point when attempting to
wipe a filesystem, then something has definitely gone
wrong. At the install phase we should only be operating
on a single physical filesystem.

Signed-off-by: Colin Walters <[email protected]>

Author: cgwalters

lib/src/install.rs

@@ -28,6 +28,7 @@ use camino::Utf8Path;
 use camino::Utf8PathBuf;
 use cap_std::fs::{Dir, MetadataExt};
 use cap_std_ext::cap_std;
+use cap_std_ext::cap_std::fs::FileType;
 use cap_std_ext::cap_std::fs_utf8::DirEntry as DirEntryUtf8;
 use cap_std_ext::cap_tempfile::TempDir;
 use cap_std_ext::cmdext::CapStdExtCommandExt;
@@ -56,7 +57,7 @@ use crate::progress_jsonl::ProgressWriter;
 use crate::spec::ImageReference;
 use crate::store::Storage;
 use crate::task::Task;
-use crate::utils::sigpolicy_from_opts;
+use crate::utils::{open_dir_noxdev, sigpolicy_from_opts};
 
 /// The toplevel boot directory
 const BOOT: &str = "boot";
@@ -1560,12 +1561,18 @@ fn require_empty_rootdir(rootfs_fd: &Dir) -> Result<()> {
 /// Remove all entries in a directory, but do not traverse across distinct devices.
 #[context("Removing entries (noxdev)")]
 fn remove_all_in_dir_no_xdev(d: &Dir) -> Result<()> {
-    let parent_dev = d.dir_metadata()?.dev();
     for entry in d.entries()? {
         let entry = entry?;
-        let entry_dev = entry.metadata()?.dev();
-        if entry_dev == parent_dev {
-            d.remove_all_optional(entry.file_name())?;
+        let name = entry.file_name();
+        let etype = entry.file_type()?;
+        if etype == FileType::dir() {
+            if let Some(subdir) = open_dir_noxdev(d, &name)? {
+                remove_all_in_dir_no_xdev(&subdir)?;
+            } else {
+                anyhow::bail!("Found unexpected mount point {name:?}");
+            }
+        } else {
+            d.remove_file_optional(&name)?;
         }
     }
     anyhow::Ok(())