bootmisc: clean_run safety improvements.

If /tmp or / are read-only, the clean_run function can fail in some very
bad ways.

1. dir=$(mktemp -d) returns an EMPTY string on error.
2. "mount -o bind / $dir", and don't check the result of that,
3. "rm -rf $dir/run/*", which removes the REAL /run contents
4. box gets very weird from this point forward

Signed-Off-By: Robin H. Johnson <robbat2@gentoo.org>
Signed-Off-By: Chip Parker <infowolfe@gmail.com>
Reported-by: Chip Parker <infowolfe@gmail.com>
Tested-by: Chip Parker <infowolfe@gmail.com>

init.d/bootmisc.in

@@ -119,11 +119,32 @@ clean_run()
 {
 	[ "$RC_SYS" = VSERVER -o "$RC_SYS" = LXC ] && return 0
 	local dir
+	# If / is still read-only due to a problem, this will fail!
+	if ! checkpath -W /; then
+		eerror "/ is not writable; unable to clean up underlying /run"
+		return 1
+	fi
+	if ! checkpath -W /tmp; then
+		eerror "/tmp is not writable; unable to clean up underlying /run"
+		return 1
+	fi
+	# Now we know that we can modify /tmp and /
+	# if mktemp -d fails, it returns an EMPTY string
+	# STDERR: mktemp: failed to create directory via template ‘/tmp/tmp.XXXXXXXXXX’: Read-only file system
+	# STDOUT: ''
+	rc=0
 	dir=$(mktemp -d)
-	mount --bind / $dir
+	if [ -n "$dir" -a -d $dir -a -w $dir ]; then
-	rm -rf $dir/run/*
+		mount --bind / $dir && rm -rf $dir/run/* || rc=1
 		umount $dir
 		rm -rf $dir
+	else
+		rc=1
+	fi
+	if [ $rc -ne 0 ]; then
+		eerror "Could not clean up underlying /run on /"
+		return 1
+	fi
 }
 
 start()