feature/runtime: Use own utility to switch root

legionus · legionus · commit 53e1fbc687c3 · 2025-06-17T15:39:15.000+02:00
Since it is now possible to boot via compressed image and overlayfs,
support for the ability to unmount root in initramfs is now required.

Th switch_root from busybox or util-linux does not allow this. Moreover,
if initramfs is not on ramfs/tmpfs these utilities will not remove the
content and will leave it untouched.

So we need our own utility that allows us to unmount old rootfs if
possible.

As an added benefit, it will be possible to do away with unnecessary
actions when switching rootfs.

Signed-off-by: Alexey Gladkov &lt;gladkov.alexey@gmail.com&gt;
diff --git a/features/runtime/data/etc/rc.d/rc.sysexec b/features/runtime/data/etc/rc.d/rc.sysexec
@@ -9,4 +9,4 @@
 msg "INIT: Running init ($INIT)"
 
 # Run system init with arguments. Goodbye!
-exec runas /sbin/init /bin/environ -cf /.initrd/kernenv /sbin/switch_root "$rootmnt" "$INIT" "$@"
+exec runas /sbin/init /bin/environ -cf /.initrd/kernenv /sbin/sysexec "$rootmnt" "$INIT" "$@"
diff --git a/features/runtime/src/sysexec/Makefile.mk b/features/runtime/src/sysexec/Makefile.mk
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+sysexec_DEST = $(dest_data_sbindir)/sysexec
+sysexec_SRCS = $(runtime_srcdir)/sysexec/sysexec.c
+
+PROGS += sysexec
diff --git a/features/runtime/src/sysexec/sysexec.c b/features/runtime/src/sysexec/sysexec.c
@@ -0,0 +1,211 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+#include "config.h"
+
+#include <linux/magic.h>
+
+#include <sys/syscall.h>
+#include <sys/mount.h>
+#include <sys/statfs.h>
+#include <sys/stat.h>
+
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <dirent.h>
+#include <errno.h>
+#include <err.h>
+
+/* Because statfs.t_type can be int on some architectures, we have to cast
+ * the const magic to the type, otherwise the compiler warns about
+ * signed/unsigned comparison, because the magic can be 32 bit unsigned.
+ */
+#define F_TYPE_EQUAL(a, b) (a == (typeof(a)) b)
+
+#ifndef pivot_root
+static inline long pivot_root(const char *new_root, const char *put_old)
+{
+	return syscall(SYS_pivot_root, new_root, put_old);
+}
+#endif
+
+static int is_dot_dir(struct dirent *ent)
+{
+	return (ent->d_type == DT_DIR &&
+	        (ent->d_name[0] == '.' && (ent->d_name[1] == '\0' ||
+	                                   (ent->d_name[1] == '.' && ent->d_name[2] == '\0') )));
+}
+
+/* remove all files/directories below dirName -- don't cross mountpoints */
+static int remove_recursive_at(int fd)
+{
+	struct stat rb;
+	DIR *dir;
+	int dfd, rc = -1;
+
+	if (!(dir = fdopendir(fd))) {
+		warn("failed to open directory");
+		goto done;
+	}
+
+	/* fdopendir() precludes us from continuing to use the input fd */
+	dfd = dirfd(dir);
+
+	if (fstat(dfd, &rb)) {
+		warn("stat failed");
+		goto done;
+	}
+
+	while(1) {
+		struct dirent *d;
+		int isdir = 0;
+
+		errno = 0;
+		if (!(d = readdir(dir))) {
+			if (errno) {
+				warn("failed to read directory");
+				goto done;
+			}
+			break;
+		}
+
+		if (is_dot_dir(d))
+			continue;
+
+		if (d->d_type == DT_DIR || d->d_type == DT_UNKNOWN) {
+			struct stat sb;
+
+			if (fstatat(dfd, d->d_name, &sb, AT_SYMLINK_NOFOLLOW)) {
+				warn("stat of %s failed", d->d_name);
+				continue;
+			}
+
+			/* skip if device is not the same */
+			if (sb.st_dev != rb.st_dev)
+				continue;
+
+			/* remove subdirectories */
+			if (S_ISDIR(sb.st_mode)) {
+				int cfd;
+
+				cfd = openat(dfd, d->d_name, O_RDONLY | O_CLOEXEC);
+
+				if (cfd >= 0)
+					remove_recursive_at(cfd);
+
+				isdir = 1;
+			}
+		}
+
+		if (unlinkat(dfd, d->d_name, isdir ? AT_REMOVEDIR : 0))
+			warn("failed to unlink %s", d->d_name);
+	}
+
+	rc = 0;
+done:
+	if (dir)
+		closedir(dir);
+	else
+		close(fd);
+	return rc;
+}
+
+static bool is_temporary_fs(int fd)
+{
+	struct statfs stfs;
+
+	if (fstatfs(fd, &stfs)) {
+		warn("stat failed");
+		return 0;
+	}
+	return (F_TYPE_EQUAL(stfs.f_type, RAMFS_MAGIC) ||
+	        F_TYPE_EQUAL(stfs.f_type, TMPFS_MAGIC));
+}
+
+static void usage(int retcode)
+{
+	printf("Usage: %s <newrootdir> <init> [<args ...>]\n", program_invocation_short_name);
+	exit(retcode);
+}
+
+int main(int argc, char *argv[])
+{
+	char *newroot, *initprog, **initargs;
+
+	if (argc == 1) {
+		usage(EXIT_SUCCESS);
+	}
+
+	if (argc < 3) {
+		warnx("not enough arguments");
+		usage(EXIT_FAILURE);
+	}
+
+	newroot  = argv[1];
+	initprog = argv[2];
+	initargs = &argv[2];
+
+	if (!*newroot || !*initprog) {
+		warnx("bad usage");
+		usage(EXIT_FAILURE);
+	}
+
+	int old_root_fd = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
+
+	if (old_root_fd < 0)
+		err(EXIT_FAILURE, "failed to open current root directory");
+
+	int new_root_fd = open(newroot, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
+
+	if (new_root_fd < 0)
+		err(EXIT_FAILURE, "failed to open new root directory: %s", newroot);
+
+	/*
+	 * Work-around for kernel design: the kernel refuses MS_MOVE if any file
+	 * systems are mounted MS_SHARED. Hence remount them MS_PRIVATE here as
+	 * a work-around.
+	 *
+	 * https://bugzilla.redhat.com/show_bug.cgi?id=847418
+	 */
+	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
+		err(EXIT_FAILURE, "failed to set / mount propagation to private");
+
+	/*
+	 * Note: implementation details of pivot_root may change with
+	 * time. In order to ensure compatibility, the following points
+	 * should be observed:
+	 *
+	 * - before calling pivot_root, the current directory of the
+	 *   invoking process should point to the new root directory
+	 * - use . as the first argument, and the _relative_ path of the
+	 *   directory for the old root as the second argument
+	 * - a chroot program must be available under the old and the
+	 *   new root
+	 * - chroot to the new root afterwards
+	 * - use relative paths for dev/console in the exec command
+	 *
+	 * Documentation/admin-guide/initrd.rst#n251
+	 */
+	if (fchdir(new_root_fd))
+		err(EXIT_FAILURE, "failed to change directory to %s", newroot);
+
+	long ret = pivot_root(".", ".");
+	if (ret >= 0) {
+		if (umount2(".", MNT_DETACH))
+			err(EXIT_FAILURE, "failed to unmount the old root");
+
+	} else if (mount(".", "/", NULL, MS_MOVE, NULL)) {
+		err(EXIT_FAILURE, "failed to move new root to /");
+	}
+
+	if (chroot(".") || chdir("/"))
+		err(EXIT_FAILURE, "failed to chroot");
+
+	if (is_temporary_fs(old_root_fd))
+		remove_recursive_at(old_root_fd);
+
+	execvp(initprog, initargs);
+	err(EXIT_FAILURE, "failed to execute %s", initprog);
+}
