summaryrefslogtreecommitdiffstats
path: root/src/dissect
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 13:00:47 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 13:00:47 +0000
commit2cb7e0aaedad73b076ea18c6900b0e86c5760d79 (patch)
treeda68ca54bb79f4080079bf0828acda937593a4e1 /src/dissect
parentInitial commit. (diff)
downloadsystemd-2cb7e0aaedad73b076ea18c6900b0e86c5760d79.tar.xz
systemd-2cb7e0aaedad73b076ea18c6900b0e86c5760d79.zip
Adding upstream version 247.3.upstream/247.3upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/dissect')
-rw-r--r--src/dissect/dissect.c776
1 files changed, 776 insertions, 0 deletions
diff --git a/src/dissect/dissect.c b/src/dissect/dissect.c
new file mode 100644
index 0000000..dc7e9dc
--- /dev/null
+++ b/src/dissect/dissect.c
@@ -0,0 +1,776 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include <fcntl.h>
+#include <getopt.h>
+#include <linux/loop.h>
+#include <stdio.h>
+#include <sys/ioctl.h>
+#include <sys/mount.h>
+
+#include "architecture.h"
+#include "copy.h"
+#include "dissect-image.h"
+#include "fd-util.h"
+#include "fileio.h"
+#include "format-table.h"
+#include "format-util.h"
+#include "fs-util.h"
+#include "hexdecoct.h"
+#include "log.h"
+#include "loop-util.h"
+#include "main-func.h"
+#include "mkdir.h"
+#include "mount-util.h"
+#include "namespace-util.h"
+#include "parse-util.h"
+#include "path-util.h"
+#include "pretty-print.h"
+#include "stat-util.h"
+#include "string-util.h"
+#include "strv.h"
+#include "terminal-util.h"
+#include "tmpfile-util.h"
+#include "user-util.h"
+#include "util.h"
+
+static enum {
+ ACTION_DISSECT,
+ ACTION_MOUNT,
+ ACTION_COPY_FROM,
+ ACTION_COPY_TO,
+} arg_action = ACTION_DISSECT;
+static const char *arg_image = NULL;
+static const char *arg_path = NULL;
+static const char *arg_source = NULL;
+static const char *arg_target = NULL;
+static DissectImageFlags arg_flags = DISSECT_IMAGE_REQUIRE_ROOT|DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK;
+static VeritySettings arg_verity_settings = VERITY_SETTINGS_DEFAULT;
+static bool arg_json = false;
+static JsonFormatFlags arg_json_format_flags = 0;
+
+STATIC_DESTRUCTOR_REGISTER(arg_verity_settings, verity_settings_done);
+
+static int help(void) {
+ _cleanup_free_ char *link = NULL;
+ int r;
+
+ r = terminal_urlify_man("systemd-dissect", "1", &link);
+ if (r < 0)
+ return log_oom();
+
+ printf("%1$s [OPTIONS...] IMAGE\n"
+ "%1$s [OPTIONS...] --mount IMAGE PATH\n"
+ "%1$s [OPTIONS...] --copy-from IMAGE PATH [TARGET]\n"
+ "%1$s [OPTIONS...] --copy-to IMAGE [SOURCE] PATH\n\n"
+ "%5$sDissect a file system OS image.%6$s\n\n"
+ "%3$sOptions:%4$s\n"
+ " -r --read-only Mount read-only\n"
+ " --fsck=BOOL Run fsck before mounting\n"
+ " --mkdir Make mount directory before mounting, if missing\n"
+ " --discard=MODE Choose 'discard' mode (disabled, loop, all, crypto)\n"
+ " --root-hash=HASH Specify root hash for verity\n"
+ " --root-hash-sig=SIG Specify pkcs7 signature of root hash for verity\n"
+ " as a DER encoded PKCS7, either as a path to a file\n"
+ " or as an ASCII base64 encoded string prefixed by\n"
+ " 'base64:'\n"
+ " --verity-data=PATH Specify data file with hash tree for verity if it is\n"
+ " not embedded in IMAGE\n"
+ " --json=pretty|short|off\n"
+ " Generate JSON output\n"
+ "\n%3$sCommands:%4$s\n"
+ " -h --help Show this help\n"
+ " --version Show package version\n"
+ " -m --mount Mount the image to the specified directory\n"
+ " -M Shortcut for --mount --mkdir\n"
+ " -x --copy-from Copy files from image to host\n"
+ " -a --copy-to Copy files from host to image\n"
+ "\nSee the %2$s for details.\n"
+ , program_invocation_short_name
+ , link
+ , ansi_underline(), ansi_normal()
+ , ansi_highlight(), ansi_normal());
+
+ return 0;
+}
+
+static int parse_argv(int argc, char *argv[]) {
+
+ enum {
+ ARG_VERSION = 0x100,
+ ARG_DISCARD,
+ ARG_FSCK,
+ ARG_ROOT_HASH,
+ ARG_ROOT_HASH_SIG,
+ ARG_VERITY_DATA,
+ ARG_MKDIR,
+ ARG_JSON,
+ };
+
+ static const struct option options[] = {
+ { "help", no_argument, NULL, 'h' },
+ { "version", no_argument, NULL, ARG_VERSION },
+ { "mount", no_argument, NULL, 'm' },
+ { "read-only", no_argument, NULL, 'r' },
+ { "discard", required_argument, NULL, ARG_DISCARD },
+ { "fsck", required_argument, NULL, ARG_FSCK },
+ { "root-hash", required_argument, NULL, ARG_ROOT_HASH },
+ { "root-hash-sig", required_argument, NULL, ARG_ROOT_HASH_SIG },
+ { "verity-data", required_argument, NULL, ARG_VERITY_DATA },
+ { "mkdir", no_argument, NULL, ARG_MKDIR },
+ { "copy-from", no_argument, NULL, 'x' },
+ { "copy-to", no_argument, NULL, 'a' },
+ { "json", required_argument, NULL, ARG_JSON },
+ {}
+ };
+
+ int c, r;
+
+ assert(argc >= 0);
+ assert(argv);
+
+ while ((c = getopt_long(argc, argv, "hmrMxa", options, NULL)) >= 0) {
+
+ switch (c) {
+
+ case 'h':
+ return help();
+
+ case ARG_VERSION:
+ return version();
+
+ case 'm':
+ arg_action = ACTION_MOUNT;
+ break;
+
+ case ARG_MKDIR:
+ arg_flags |= DISSECT_IMAGE_MKDIR;
+ break;
+
+ case 'M':
+ /* Shortcut combination of the above two */
+ arg_action = ACTION_MOUNT;
+ arg_flags |= DISSECT_IMAGE_MKDIR;
+ break;
+
+ case 'x':
+ arg_action = ACTION_COPY_FROM;
+ arg_flags |= DISSECT_IMAGE_READ_ONLY;
+ break;
+
+ case 'a':
+ arg_action = ACTION_COPY_TO;
+ break;
+
+ case 'r':
+ arg_flags |= DISSECT_IMAGE_READ_ONLY;
+ break;
+
+ case ARG_DISCARD: {
+ DissectImageFlags flags;
+
+ if (streq(optarg, "disabled"))
+ flags = 0;
+ else if (streq(optarg, "loop"))
+ flags = DISSECT_IMAGE_DISCARD_ON_LOOP;
+ else if (streq(optarg, "all"))
+ flags = DISSECT_IMAGE_DISCARD_ON_LOOP | DISSECT_IMAGE_DISCARD;
+ else if (streq(optarg, "crypt"))
+ flags = DISSECT_IMAGE_DISCARD_ANY;
+ else if (streq(optarg, "list")) {
+ puts("disabled\n"
+ "all\n"
+ "crypt\n"
+ "loop");
+ return 0;
+ } else
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Unknown --discard= parameter: %s",
+ optarg);
+ arg_flags = (arg_flags & ~DISSECT_IMAGE_DISCARD_ANY) | flags;
+
+ break;
+ }
+
+ case ARG_ROOT_HASH: {
+ _cleanup_free_ void *p = NULL;
+ size_t l;
+
+ r = unhexmem(optarg, strlen(optarg), &p, &l);
+ if (r < 0)
+ return log_error_errno(r, "Failed to parse root hash '%s': %m", optarg);
+ if (l < sizeof(sd_id128_t))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Root hash must be at least 128bit long: %s", optarg);
+
+ free_and_replace(arg_verity_settings.root_hash, p);
+ arg_verity_settings.root_hash_size = l;
+ break;
+ }
+
+ case ARG_ROOT_HASH_SIG: {
+ char *value;
+ size_t l;
+ void *p;
+
+ if ((value = startswith(optarg, "base64:"))) {
+ r = unbase64mem(value, strlen(value), &p, &l);
+ if (r < 0)
+ return log_error_errno(r, "Failed to parse root hash signature '%s': %m", optarg);
+ } else {
+ r = read_full_file(optarg, (char**) &p, &l);
+ if (r < 0)
+ return log_error_errno(r, "Failed to read root hash signature file '%s': %m", optarg);
+ }
+
+ free_and_replace(arg_verity_settings.root_hash_sig, p);
+ arg_verity_settings.root_hash_sig_size = l;
+ break;
+ }
+
+ case ARG_VERITY_DATA:
+ r = parse_path_argument_and_warn(optarg, false, &arg_verity_settings.data_path);
+ if (r < 0)
+ return r;
+ break;
+
+ case ARG_FSCK:
+ r = parse_boolean(optarg);
+ if (r < 0)
+ return log_error_errno(r, "Failed to parse --fsck= parameter: %s", optarg);
+
+ SET_FLAG(arg_flags, DISSECT_IMAGE_FSCK, r);
+ break;
+
+ case ARG_JSON:
+ if (streq(optarg, "pretty")) {
+ arg_json = true;
+ arg_json_format_flags = JSON_FORMAT_PRETTY|JSON_FORMAT_COLOR_AUTO;
+ } else if (streq(optarg, "short")) {
+ arg_json = true;
+ arg_json_format_flags = JSON_FORMAT_NEWLINE;
+ } else if (streq(optarg, "off")) {
+ arg_json = false;
+ arg_json_format_flags = 0;
+ } else if (streq(optarg, "help")) {
+ puts("pretty\n"
+ "short\n"
+ "off");
+ return 0;
+ } else
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown argument to --json=: %s", optarg);
+
+ break;
+
+ case '?':
+ return -EINVAL;
+
+ default:
+ assert_not_reached("Unhandled option");
+ }
+
+ }
+
+ switch (arg_action) {
+
+ case ACTION_DISSECT:
+ if (optind + 1 != argc)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Expected an image file path as only argument.");
+
+ arg_image = argv[optind];
+ arg_flags |= DISSECT_IMAGE_READ_ONLY;
+ break;
+
+ case ACTION_MOUNT:
+ if (optind + 2 != argc)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Expected an image file path and mount point path as only arguments.");
+
+ arg_image = argv[optind];
+ arg_path = argv[optind + 1];
+ break;
+
+ case ACTION_COPY_FROM:
+ if (argc < optind + 2 || argc > optind + 3)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Expected an image file path, a source path and an optional destination path as only arguments.");
+
+ arg_image = argv[optind];
+ arg_source = argv[optind + 1];
+ arg_target = argc > optind + 2 ? argv[optind + 2] : "-" /* this means stdout */ ;
+
+ arg_flags |= DISSECT_IMAGE_READ_ONLY;
+ break;
+
+ case ACTION_COPY_TO:
+ if (argc < optind + 2 || argc > optind + 3)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Expected an image file path, an optional source path and a destination path as only arguments.");
+
+ arg_image = argv[optind];
+
+ if (argc > optind + 2) {
+ arg_source = argv[optind + 1];
+ arg_target = argv[optind + 2];
+ } else {
+ arg_source = "-"; /* this means stdin */
+ arg_target = argv[optind + 1];
+ }
+
+ break;
+
+ default:
+ assert_not_reached("Unknown action.");
+ }
+
+ return 1;
+}
+
+static int strv_pair_to_json(char **l, JsonVariant **ret) {
+ _cleanup_strv_free_ char **jl = NULL;
+ char **a, **b;
+
+ STRV_FOREACH_PAIR(a, b, l) {
+ char *j;
+
+ j = strjoin(*a, "=", *b);
+ if (!j)
+ return log_oom();
+
+ if (strv_consume(&jl, j) < 0)
+ return log_oom();
+ }
+
+ return json_variant_new_array_strv(ret, jl);
+}
+
+static int action_dissect(DissectedImage *m, LoopDevice *d) {
+ _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
+ _cleanup_(table_unrefp) Table *t = NULL;
+ uint64_t size = UINT64_MAX;
+ int r;
+
+ assert(m);
+ assert(d);
+
+ if (!arg_json)
+ printf(" Name: %s\n", basename(arg_image));
+
+ if (ioctl(d->fd, BLKGETSIZE64, &size) < 0)
+ log_debug_errno(errno, "Failed to query size of loopback device: %m");
+ else if (!arg_json) {
+ char s[FORMAT_BYTES_MAX];
+ printf(" Size: %s\n", format_bytes(s, sizeof(s), size));
+ }
+
+ if (!arg_json)
+ putc('\n', stdout);
+
+ r = dissected_image_acquire_metadata(m);
+ if (r == -ENXIO)
+ return log_error_errno(r, "No root partition discovered.");
+ if (r == -EUCLEAN)
+ return log_error_errno(r, "File system check of image failed.");
+ if (r == -EMEDIUMTYPE)
+ log_warning_errno(r, "Not a valid OS image, no os-release file included. Proceeding anyway.");
+ else if (r == -EUNATCH)
+ log_warning_errno(r, "OS image is encrypted, proceeding without showing OS image metadata.");
+ else if (r == -EBUSY)
+ log_warning_errno(r, "OS image is currently in use, proceeding without showing OS image metadata.");
+ else if (r < 0)
+ return log_error_errno(r, "Failed to acquire image metadata: %m");
+ else if (!arg_json) {
+ if (m->hostname)
+ printf(" Hostname: %s\n", m->hostname);
+
+ if (!sd_id128_is_null(m->machine_id))
+ printf("Machine ID: " SD_ID128_FORMAT_STR "\n", SD_ID128_FORMAT_VAL(m->machine_id));
+
+ if (!strv_isempty(m->machine_info)) {
+ char **p, **q;
+
+ STRV_FOREACH_PAIR(p, q, m->machine_info)
+ printf("%s %s=%s\n",
+ p == m->machine_info ? "Mach. Info:" : " ",
+ *p, *q);
+ }
+
+ if (!strv_isempty(m->os_release)) {
+ char **p, **q;
+
+ STRV_FOREACH_PAIR(p, q, m->os_release)
+ printf("%s %s=%s\n",
+ p == m->os_release ? "OS Release:" : " ",
+ *p, *q);
+ }
+
+ if (m->hostname ||
+ !sd_id128_is_null(m->machine_id) ||
+ !strv_isempty(m->machine_info) ||
+ !strv_isempty(m->os_release))
+ putc('\n', stdout);
+ } else {
+ _cleanup_(json_variant_unrefp) JsonVariant *mi = NULL, *osr = NULL;
+
+ if (!strv_isempty(m->machine_info)) {
+ r = strv_pair_to_json(m->machine_info, &mi);
+ if (r < 0)
+ return log_oom();
+ }
+
+ if (!strv_isempty(m->os_release)) {
+ r = strv_pair_to_json(m->os_release, &osr);
+ if (r < 0)
+ return log_oom();
+ }
+
+ r = json_build(&v, JSON_BUILD_OBJECT(
+ JSON_BUILD_PAIR("name", JSON_BUILD_STRING(basename(arg_image))),
+ JSON_BUILD_PAIR("size", JSON_BUILD_INTEGER(size)),
+ JSON_BUILD_PAIR_CONDITION(m->hostname, "hostname", JSON_BUILD_STRING(m->hostname)),
+ JSON_BUILD_PAIR_CONDITION(!sd_id128_is_null(m->machine_id), "machineId", JSON_BUILD_ID128(m->machine_id)),
+ JSON_BUILD_PAIR_CONDITION(mi, "machineInfo", JSON_BUILD_VARIANT(mi)),
+ JSON_BUILD_PAIR_CONDITION(osr, "osRelease", JSON_BUILD_VARIANT(osr))));
+ if (r < 0)
+ return log_oom();
+ }
+
+ t = table_new("rw", "designator", "partition uuid", "fstype", "architecture", "verity", "node", "partno");
+ if (!t)
+ return log_oom();
+
+ (void) table_set_empty_string(t, "-");
+ (void) table_set_align_percent(t, table_get_cell(t, 0, 7), 100);
+
+ for (PartitionDesignator i = 0; i < _PARTITION_DESIGNATOR_MAX; i++) {
+ DissectedPartition *p = m->partitions + i;
+
+ if (!p->found)
+ continue;
+
+ r = table_add_many(
+ t,
+ TABLE_STRING, p->rw ? "rw" : "ro",
+ TABLE_STRING, partition_designator_to_string(i));
+ if (r < 0)
+ return table_log_add_error(r);
+
+ if (sd_id128_is_null(p->uuid))
+ r = table_add_cell(t, NULL, TABLE_EMPTY, NULL);
+ else
+ r = table_add_cell(t, NULL, TABLE_UUID, &p->uuid);
+ if (r < 0)
+ return table_log_add_error(r);
+
+ r = table_add_many(
+ t,
+ TABLE_STRING, p->fstype,
+ TABLE_STRING, architecture_to_string(p->architecture));
+ if (r < 0)
+ return table_log_add_error(r);
+
+ if (arg_verity_settings.data_path)
+ r = table_add_cell(t, NULL, TABLE_STRING, "external");
+ else if (dissected_image_can_do_verity(m, i))
+ r = table_add_cell(t, NULL, TABLE_STRING, yes_no(dissected_image_has_verity(m, i)));
+ else
+ r = table_add_cell(t, NULL, TABLE_EMPTY, NULL);
+ if (r < 0)
+ return table_log_add_error(r);
+
+ if (p->partno < 0) /* no partition table, naked file system */ {
+ r = table_add_cell(t, NULL, TABLE_STRING, arg_image);
+ if (r < 0)
+ return table_log_add_error(r);
+
+ r = table_add_cell(t, NULL, TABLE_EMPTY, NULL);
+ } else {
+ r = table_add_cell(t, NULL, TABLE_STRING, p->node);
+ if (r < 0)
+ return table_log_add_error(r);
+
+ r = table_add_cell(t, NULL, TABLE_INT, &p->partno);
+ }
+ if (r < 0)
+ return table_log_add_error(r);
+ }
+
+ if (arg_json) {
+ _cleanup_(json_variant_unrefp) JsonVariant *jt = NULL;
+
+ r = table_to_json(t, &jt);
+ if (r < 0)
+ return log_error_errno(r, "Failed to convert table to JSON: %m");
+
+ r = json_variant_set_field(&v, "mounts", jt);
+ if (r < 0)
+ return log_oom();
+
+ json_variant_dump(v, arg_json_format_flags, stdout, NULL);
+ } else {
+ r = table_print(t, stdout);
+ if (r < 0)
+ return log_error_errno(r, "Failed to dump table: %m");
+ }
+
+ return 0;
+}
+
+static int action_mount(DissectedImage *m, LoopDevice *d) {
+ _cleanup_(decrypted_image_unrefp) DecryptedImage *di = NULL;
+ int r;
+
+ assert(m);
+ assert(d);
+
+ r = dissected_image_decrypt_interactively(
+ m, NULL,
+ &arg_verity_settings,
+ arg_flags,
+ &di);
+ if (r < 0)
+ return r;
+
+ r = dissected_image_mount_and_warn(m, arg_path, UID_INVALID, arg_flags);
+ if (r < 0)
+ return r;
+
+ if (di) {
+ r = decrypted_image_relinquish(di);
+ if (r < 0)
+ return log_error_errno(r, "Failed to relinquish DM devices: %m");
+ }
+
+ loop_device_relinquish(d);
+ return 0;
+}
+
+static int action_copy(DissectedImage *m, LoopDevice *d) {
+ _cleanup_(umount_and_rmdir_and_freep) char *mounted_dir = NULL;
+ _cleanup_(decrypted_image_unrefp) DecryptedImage *di = NULL;
+ _cleanup_(rmdir_and_freep) char *created_dir = NULL;
+ _cleanup_free_ char *temp = NULL;
+ int r;
+
+ assert(m);
+ assert(d);
+
+ r = dissected_image_decrypt_interactively(
+ m, NULL,
+ &arg_verity_settings,
+ arg_flags,
+ &di);
+ if (r < 0)
+ return r;
+
+ r = detach_mount_namespace();
+ if (r < 0)
+ return log_error_errno(r, "Failed to detach mount namespace: %m");
+
+ r = tempfn_random_child(NULL, program_invocation_short_name, &temp);
+ if (r < 0)
+ return log_error_errno(r, "Failed to generate temporary mount directory: %m");
+
+ r = mkdir_p(temp, 0700);
+ if (r < 0)
+ return log_error_errno(r, "Failed to create mount point: %m");
+
+ created_dir = TAKE_PTR(temp);
+
+ r = dissected_image_mount_and_warn(m, created_dir, UID_INVALID, arg_flags);
+ if (r < 0)
+ return r;
+
+ mounted_dir = TAKE_PTR(created_dir);
+
+ if (di) {
+ r = decrypted_image_relinquish(di);
+ if (r < 0)
+ return log_error_errno(r, "Failed to relinquish DM devices: %m");
+ }
+
+ loop_device_relinquish(d);
+
+ if (arg_action == ACTION_COPY_FROM) {
+ _cleanup_close_ int source_fd = -1, target_fd = -1;
+
+ source_fd = chase_symlinks_and_open(arg_source, mounted_dir, CHASE_PREFIX_ROOT|CHASE_WARN, O_RDONLY|O_CLOEXEC|O_NOCTTY, NULL);
+ if (source_fd < 0)
+ return log_error_errno(source_fd, "Failed to open source path '%s' in image '%s': %m", arg_source, arg_image);
+
+ /* Copying to stdout? */
+ if (streq(arg_target, "-")) {
+ r = copy_bytes(source_fd, STDOUT_FILENO, (uint64_t) -1, COPY_REFLINK);
+ if (r < 0)
+ return log_error_errno(r, "Failed to copy bytes from %s in mage '%s' to stdout: %m", arg_source, arg_image);
+
+ /* When we copy to stdou we don't copy any attributes (i.e. no access mode, no ownership, no xattr, no times) */
+ return 0;
+ }
+
+ /* Try to copy as directory? */
+ r = copy_directory_fd(source_fd, arg_target, COPY_REFLINK|COPY_MERGE_EMPTY|COPY_SIGINT|COPY_HARDLINKS);
+ if (r >= 0)
+ return 0;
+ if (r != -ENOTDIR)
+ return log_error_errno(r, "Failed to copy %s in image '%s' to '%s': %m", arg_source, arg_image, arg_target);
+
+ r = fd_verify_regular(source_fd);
+ if (r == -EISDIR)
+ return log_error_errno(r, "Target '%s' exists already and is not a directory.", arg_target);
+ if (r < 0)
+ return log_error_errno(r, "Source path %s in image '%s' is neither regular file nor directory, refusing: %m", arg_source, arg_image);
+
+ /* Nah, it's a plain file! */
+ target_fd = open(arg_target, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, 0600);
+ if (target_fd < 0)
+ return log_error_errno(errno, "Failed to create regular file at target path '%s': %m", arg_target);
+
+ r = copy_bytes(source_fd, target_fd, (uint64_t) -1, COPY_REFLINK);
+ if (r < 0)
+ return log_error_errno(r, "Failed to copy bytes from %s in mage '%s' to '%s': %m", arg_source, arg_image, arg_target);
+
+ (void) copy_xattr(source_fd, target_fd);
+ (void) copy_access(source_fd, target_fd);
+ (void) copy_times(source_fd, target_fd, 0);
+
+ /* When this is a regular file we don't copy ownership! */
+
+ } else {
+ _cleanup_close_ int source_fd = -1, target_fd = -1;
+ _cleanup_close_ int dfd = -1;
+ _cleanup_free_ char *dn = NULL;
+
+ assert(arg_action == ACTION_COPY_TO);
+
+ dn = dirname_malloc(arg_target);
+ if (!dn)
+ return log_oom();
+
+ r = chase_symlinks(dn, mounted_dir, CHASE_PREFIX_ROOT|CHASE_WARN, NULL, &dfd);
+ if (r < 0)
+ return log_error_errno(r, "Failed to open '%s': %m", dn);
+
+ /* Are we reading from stdin? */
+ if (streq(arg_source, "-")) {
+ target_fd = openat(dfd, basename(arg_target), O_WRONLY|O_CREAT|O_CLOEXEC|O_NOCTTY|O_EXCL, 0644);
+ if (target_fd < 0)
+ return log_error_errno(errno, "Failed to open target file '%s': %m", arg_target);
+
+ r = copy_bytes(STDIN_FILENO, target_fd, (uint64_t) -1, COPY_REFLINK);
+ if (r < 0)
+ return log_error_errno(r, "Failed to copy bytes from stdin to '%s' in image '%s': %m", arg_target, arg_image);
+
+ /* When we copy from stdin we don't copy any attributes (i.e. no access mode, no ownership, no xattr, no times) */
+ return 0;
+ }
+
+ source_fd = open(arg_source, O_RDONLY|O_CLOEXEC|O_NOCTTY);
+ if (source_fd < 0)
+ return log_error_errno(source_fd, "Failed to open source path '%s': %m", arg_source);
+
+ r = fd_verify_regular(source_fd);
+ if (r < 0) {
+ if (r != -EISDIR)
+ return log_error_errno(r, "Source '%s' is neither regular file nor directory: %m", arg_source);
+
+ /* We are looking at a directory. */
+
+ target_fd = openat(dfd, basename(arg_target), O_RDONLY|O_DIRECTORY|O_CLOEXEC);
+ if (target_fd < 0) {
+ if (errno != ENOENT)
+ return log_error_errno(errno, "Failed to open destination '%s': %m", arg_target);
+
+ r = copy_tree_at(source_fd, ".", dfd, basename(arg_target), UID_INVALID, GID_INVALID, COPY_REFLINK|COPY_REPLACE|COPY_SIGINT|COPY_HARDLINKS);
+ } else
+ r = copy_tree_at(source_fd, ".", target_fd, ".", UID_INVALID, GID_INVALID, COPY_REFLINK|COPY_REPLACE|COPY_SIGINT|COPY_HARDLINKS);
+ if (r < 0)
+ return log_error_errno(r, "Failed to copy '%s' to '%s' in image '%s': %m", arg_source, arg_target, arg_image);
+
+ return 0;
+ }
+
+ /* We area looking at a regular file */
+ target_fd = openat(dfd, basename(arg_target), O_WRONLY|O_CREAT|O_CLOEXEC|O_NOCTTY|O_EXCL, 0600);
+ if (target_fd < 0)
+ return log_error_errno(errno, "Failed to open target file '%s': %m", arg_target);
+
+ r = copy_bytes(source_fd, target_fd, (uint64_t) -1, COPY_REFLINK);
+ if (r < 0)
+ return log_error_errno(r, "Failed to copy bytes from '%s' to '%s' in image '%s': %m", arg_source, arg_target, arg_image);
+
+ (void) copy_xattr(source_fd, target_fd);
+ (void) copy_access(source_fd, target_fd);
+ (void) copy_times(source_fd, target_fd, 0);
+
+ /* When this is a regular file we don't copy ownership! */
+ }
+
+ return 0;
+}
+
+static int run(int argc, char *argv[]) {
+ _cleanup_(dissected_image_unrefp) DissectedImage *m = NULL;
+ _cleanup_(loop_device_unrefp) LoopDevice *d = NULL;
+ int r;
+
+ log_parse_environment();
+ log_open();
+
+ r = parse_argv(argc, argv);
+ if (r <= 0)
+ return r;
+
+ r = verity_settings_load(
+ &arg_verity_settings,
+ arg_image, NULL, NULL);
+ if (r < 0)
+ return log_error_errno(r, "Failed to read verity artifacts for %s: %m", arg_image);
+
+ if (arg_verity_settings.data_path)
+ arg_flags |= DISSECT_IMAGE_NO_PARTITION_TABLE; /* We only support Verity per file system,
+ * hence if there's external Verity data
+ * available we turn off partition table
+ * support */
+
+ r = loop_device_make_by_path(
+ arg_image,
+ FLAGS_SET(arg_flags, DISSECT_IMAGE_READ_ONLY) ? O_RDONLY : O_RDWR,
+ FLAGS_SET(arg_flags, DISSECT_IMAGE_NO_PARTITION_TABLE) ? 0 : LO_FLAGS_PARTSCAN,
+ &d);
+ if (r < 0)
+ return log_error_errno(r, "Failed to set up loopback device: %m");
+
+ r = dissect_image_and_warn(
+ d->fd,
+ arg_image,
+ &arg_verity_settings,
+ NULL,
+ arg_flags,
+ &m);
+ if (r < 0)
+ return r;
+
+ switch (arg_action) {
+
+ case ACTION_DISSECT:
+ r = action_dissect(m, d);
+ break;
+
+ case ACTION_MOUNT:
+ r = action_mount(m, d);
+ break;
+
+ case ACTION_COPY_FROM:
+ case ACTION_COPY_TO:
+ r = action_copy(m, d);
+ break;
+
+ default:
+ assert_not_reached("Unknown action.");
+ }
+
+ return r;
+}
+
+DEFINE_MAIN_FUNCTION(run);