]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/basic/fd-util.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
update TODO
[thirdparty/systemd.git] / src / basic / fd-util.c
CommitLineData
53e1b683 1/* SPDX-License-Identifier: LGPL-2.1+ */
3ffd4af2 2
11c3a366
TA		 3#include <errno.h>
4#include <fcntl.h>
5#include <sys/resource.h>
11c3a366
TA		 6#include <sys/stat.h>
7#include <unistd.h>
8
4960ce43
LP		 9#include "alloc-util.h"
10#include "copy.h"
8fb3f009 11#include "dirent-util.h"
3ffd4af2 12#include "fd-util.h"
a548e14d 13#include "fileio.h"
4aeb20f5 14#include "fs-util.h"
4960ce43 15#include "io-util.h"
11c3a366 16#include "macro.h"
a548e14d 17#include "memfd-util.h"
0499585f 18#include "missing_fcntl.h"
f5947a5e 19#include "missing_syscall.h"
93cc7779 20#include "parse-util.h"
11c3a366 21#include "path-util.h"
df0ff127 22#include "process-util.h"
93cc7779 23#include "socket-util.h"
f8606626 24#include "stat-util.h"
4aeb20f5 25#include "stdio-util.h"
e4de7287 26#include "tmpfile-util.h"
f8606626 27#include "util.h"
3ffd4af2 28
6a461d1f
ZJS		 29/* The maximum number of iterations in the loop to close descriptors in the fallback case
30 * when /proc/self/fd/ is inaccessible. */
31#define MAX_FD_LOOP_LIMIT (1024*1024)
32
3ffd4af2
LP		 33int close_nointr(int fd) {
34 assert(fd >= 0);
35
36 if (close(fd) >= 0)
37 return 0;
38
39 /*
40 * Just ignore EINTR; a retry loop is the wrong thing to do on
41 * Linux.
42 *
43 * http://lkml.indiana.edu/hypermail/linux/kernel/0509.1/0877.html
44 * https://bugzilla.gnome.org/show_bug.cgi?id=682819
45 * http://utcc.utoronto.ca/~cks/space/blog/unix/CloseEINTR
46 * https://sites.google.com/site/michaelsafyan/software-engineering/checkforeintrwheninvokingclosethinkagain
47 */
48 if (errno == EINTR)
49 return 0;
50
51 return -errno;
52}
53
54int safe_close(int fd) {
55
56 /*
57 * Like close_nointr() but cannot fail. Guarantees errno is
58 * unchanged. Is a NOP with negative fds passed, and returns
59 * -1, so that it can be used in this syntax:
60 *
61 * fd = safe_close(fd);
62 */
63
64 if (fd >= 0) {
65 PROTECT_ERRNO;
66
67 /* The kernel might return pretty much any error code
68 * via close(), but the fd will be closed anyway. The
69 * only condition we want to check for here is whether
70 * the fd was invalid at all... */
71
72 assert_se(close_nointr(fd) != -EBADF);
73 }
74
75 return -1;
76}
77
3042bbeb 78void safe_close_pair(int p[static 2]) {
3ffd4af2
LP		 79 assert(p);
80
81 if (p[0] == p[1]) {
82 /* Special case pairs which use the same fd in both
83 * directions... */
84 p[0] = p[1] = safe_close(p[0]);
85 return;
86 }
87
88 p[0] = safe_close(p[0]);
89 p[1] = safe_close(p[1]);
90}
91
da6053d0
LP		 92void close_many(const int fds[], size_t n_fd) {
93 size_t i;
3ffd4af2
LP		 94
95 assert(fds || n_fd <= 0);
96
97 for (i = 0; i < n_fd; i++)
98 safe_close(fds[i]);
99}
100
101int fclose_nointr(FILE *f) {
102 assert(f);
103
104 /* Same as close_nointr(), but for fclose() */
105
106 if (fclose(f) == 0)
107 return 0;
108
109 if (errno == EINTR)
110 return 0;
111
112 return -errno;
113}
114
115FILE* safe_fclose(FILE *f) {
116
117 /* Same as safe_close(), but for fclose() */
118
119 if (f) {
120 PROTECT_ERRNO;
121
6dce3bb4 122 assert_se(fclose_nointr(f) != -EBADF);
3ffd4af2
LP		 123 }
124
125 return NULL;
126}
127
128DIR* safe_closedir(DIR *d) {
129
130 if (d) {
131 PROTECT_ERRNO;
132
133 assert_se(closedir(d) >= 0 || errno != EBADF);
134 }
135
136 return NULL;
137}
138
139int fd_nonblock(int fd, bool nonblock) {
140 int flags, nflags;
141
142 assert(fd >= 0);
143
144 flags = fcntl(fd, F_GETFL, 0);
145 if (flags < 0)
146 return -errno;
147
0da96503 148 nflags = UPDATE_FLAG(flags, O_NONBLOCK, nonblock);
3ffd4af2
LP		 149 if (nflags == flags)
150 return 0;
151
152 if (fcntl(fd, F_SETFL, nflags) < 0)
153 return -errno;
154
155 return 0;
156}
157
158int fd_cloexec(int fd, bool cloexec) {
159 int flags, nflags;
160
161 assert(fd >= 0);
162
163 flags = fcntl(fd, F_GETFD, 0);
164 if (flags < 0)
165 return -errno;
166
0da96503 167 nflags = UPDATE_FLAG(flags, FD_CLOEXEC, cloexec);
3ffd4af2
LP		 168 if (nflags == flags)
169 return 0;
170
171 if (fcntl(fd, F_SETFD, nflags) < 0)
172 return -errno;
173
174 return 0;
175}
176
da6053d0
LP		 177_pure_ static bool fd_in_set(int fd, const int fdset[], size_t n_fdset) {
178 size_t i;
3ffd4af2
LP		 179
180 assert(n_fdset == 0 || fdset);
181
182 for (i = 0; i < n_fdset; i++)
183 if (fdset[i] == fd)
184 return true;
185
186 return false;
187}
188
498e265d
LP		 189static int get_max_fd(void) {
190 struct rlimit rl;
191 rlim_t m;
192
193 /* Return the highest possible fd, based RLIMIT_NOFILE, but enforcing FD_SETSIZE-1 as lower boundary
194 * and INT_MAX as upper boundary. */
195
196 if (getrlimit(RLIMIT_NOFILE, &rl) < 0)
197 return -errno;
198
199 m = MAX(rl.rlim_cur, rl.rlim_max);
200 if (m < FD_SETSIZE) /* Let's always cover at least 1024 fds */
201 return FD_SETSIZE-1;
202
203 if (m == RLIM_INFINITY || m > INT_MAX) /* Saturate on overflow. After all fds are "int", hence can
204 * never be above INT_MAX */
205 return INT_MAX;
206
207 return (int) (m - 1);
208}
209
da6053d0 210int close_all_fds(const int except[], size_t n_except) {
3ffd4af2
LP		 211 _cleanup_closedir_ DIR *d = NULL;
212 struct dirent *de;
213 int r = 0;
214
215 assert(n_except == 0 || except);
216
217 d = opendir("/proc/self/fd");
218 if (!d) {
37bc14de 219 int fd, max_fd;
3ffd4af2 220
498e265d
LP		 221 /* When /proc isn't available (for example in chroots) the fallback is brute forcing through
222 * the fd table */
37bc14de 223
498e265d
LP		 224 max_fd = get_max_fd();
225 if (max_fd < 0)
226 return max_fd;
37bc14de 227
6a461d1f
ZJS		 228 /* Refuse to do the loop over more too many elements. It's better to fail immediately than to
229 * spin the CPU for a long time. */
230 if (max_fd > MAX_FD_LOOP_LIMIT)
231 return log_debug_errno(SYNTHETIC_ERRNO(EPERM),
232 "/proc/self/fd is inaccessible. Refusing to loop over %d potential fds.",
233 max_fd);
234
37bc14de 235 for (fd = 3; fd >= 0; fd = fd < max_fd ? fd + 1 : -1) {
e43bc9f5 236 int q;
3ffd4af2
LP		 237
238 if (fd_in_set(fd, except, n_except))
239 continue;
240
e43bc9f5
LP		 241 q = close_nointr(fd);
242 if (q < 0 && q != -EBADF && r >= 0)
243 r = q;
3ffd4af2
LP		 244 }
245
246 return r;
247 }
248
8fb3f009 249 FOREACH_DIRENT(de, d, return -errno) {
e43bc9f5 250 int fd = -1, q;
3ffd4af2 251
3ffd4af2
LP		 252 if (safe_atoi(de->d_name, &fd) < 0)
253 /* Let's better ignore this, just in case */
254 continue;
255
256 if (fd < 3)
257 continue;
258
259 if (fd == dirfd(d))
260 continue;
261
262 if (fd_in_set(fd, except, n_except))
263 continue;
264
e43bc9f5
LP		 265 q = close_nointr(fd);
266 if (q < 0 && q != -EBADF && r >= 0) /* Valgrind has its own FD and doesn't want to have it closed */
267 r = q;
3ffd4af2
LP		 268 }
269
270 return r;
271}
272
273int same_fd(int a, int b) {
274 struct stat sta, stb;
275 pid_t pid;
276 int r, fa, fb;
277
278 assert(a >= 0);
279 assert(b >= 0);
280
281 /* Compares two file descriptors. Note that semantics are
282 * quite different depending on whether we have kcmp() or we
283 * don't. If we have kcmp() this will only return true for
284 * dup()ed file descriptors, but not otherwise. If we don't
285 * have kcmp() this will also return true for two fds of the same
286 * file, created by separate open() calls. Since we use this
287 * call mostly for filtering out duplicates in the fd store
288 * this difference hopefully doesn't matter too much. */
289
290 if (a == b)
291 return true;
292
293 /* Try to use kcmp() if we have it. */
df0ff127 294 pid = getpid_cached();
3ffd4af2
LP		 295 r = kcmp(pid, pid, KCMP_FILE, a, b);
296 if (r == 0)
297 return true;
298 if (r > 0)
299 return false;
9e2acd1d 300 if (!IN_SET(errno, ENOSYS, EACCES, EPERM))
3ffd4af2
LP		 301 return -errno;
302
303 /* We don't have kcmp(), use fstat() instead. */
304 if (fstat(a, &sta) < 0)
305 return -errno;
306
307 if (fstat(b, &stb) < 0)
308 return -errno;
309
310 if ((sta.st_mode & S_IFMT) != (stb.st_mode & S_IFMT))
311 return false;
312
313 /* We consider all device fds different, since two device fds
314 * might refer to quite different device contexts even though
315 * they share the same inode and backing dev_t. */
316
317 if (S_ISCHR(sta.st_mode) || S_ISBLK(sta.st_mode))
318 return false;
319
320 if (sta.st_dev != stb.st_dev || sta.st_ino != stb.st_ino)
321 return false;
322
323 /* The fds refer to the same inode on disk, let's also check
324 * if they have the same fd flags. This is useful to
325 * distinguish the read and write side of a pipe created with
326 * pipe(). */
327 fa = fcntl(a, F_GETFL);
328 if (fa < 0)
329 return -errno;
330
331 fb = fcntl(b, F_GETFL);
332 if (fb < 0)
333 return -errno;
334
335 return fa == fb;
336}
337
338void cmsg_close_all(struct msghdr *mh) {
339 struct cmsghdr *cmsg;
340
341 assert(mh);
342
343 CMSG_FOREACH(cmsg, mh)
344 if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS)
345 close_many((int*) CMSG_DATA(cmsg), (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int));
346}
4fee3975
LP		 347
348bool fdname_is_valid(const char *s) {
349 const char *p;
350
351 /* Validates a name for $LISTEN_FDNAMES. We basically allow
352 * everything ASCII that's not a control character. Also, as
353 * special exception the ":" character is not allowed, as we
354 * use that as field separator in $LISTEN_FDNAMES.
355 *
356 * Note that the empty string is explicitly allowed
357 * here. However, we limit the length of the names to 255
358 * characters. */
359
360 if (!s)
361 return false;
362
363 for (p = s; *p; p++) {
364 if (*p < ' ')
365 return false;
366 if (*p >= 127)
367 return false;
368 if (*p == ':')
369 return false;
370 }
371
372 return p - s < 256;
373}
4aeb20f5
LP		 374
375int fd_get_path(int fd, char **ret) {
f267719c 376 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
a0fe2a2d 377 int r;
4aeb20f5 378
f267719c
LP		 379 xsprintf(procfs_path, "/proc/self/fd/%i", fd);
380 r = readlink_malloc(procfs_path, ret);
381 if (r == -ENOENT) {
382 /* ENOENT can mean two things: that the fd does not exist or that /proc is not mounted. Let's make
5238e957 383 * things debuggable and distinguish the two. */
4aeb20f5 384
f267719c
LP		 385 if (access("/proc/self/fd/", F_OK) < 0)
386 /* /proc is not available or not set up properly, we're most likely in some chroot
387 * environment. */
388 return errno == ENOENT ? -EOPNOTSUPP : -errno;
a0fe2a2d 389
f267719c
LP		 390 return -EBADF; /* The directory exists, hence it's the fd that doesn't. */
391 }
a0fe2a2d
LP		 392
393 return r;
4aeb20f5 394}
046a82c1
LP		 395
396int move_fd(int from, int to, int cloexec) {
397 int r;
398
399 /* Move fd 'from' to 'to', make sure FD_CLOEXEC remains equal if requested, and release the old fd. If
400 * 'cloexec' is passed as -1, the original FD_CLOEXEC is inherited for the new fd. If it is 0, it is turned
401 * off, if it is > 0 it is turned on. */
402
403 if (from < 0)
404 return -EBADF;
405 if (to < 0)
406 return -EBADF;
407
408 if (from == to) {
409
410 if (cloexec >= 0) {
411 r = fd_cloexec(to, cloexec);
412 if (r < 0)
413 return r;
414 }
415
416 return to;
417 }
418
419 if (cloexec < 0) {
420 int fl;
421
422 fl = fcntl(from, F_GETFD, 0);
423 if (fl < 0)
424 return -errno;
425
426 cloexec = !!(fl & FD_CLOEXEC);
427 }
428
429 r = dup3(from, to, cloexec ? O_CLOEXEC : 0);
430 if (r < 0)
431 return -errno;
432
433 assert(r == to);
434
435 safe_close(from);
436
437 return to;
438}
a548e14d
LP		 439
440int acquire_data_fd(const void *data, size_t size, unsigned flags) {
441
a548e14d
LP		 442 _cleanup_close_pair_ int pipefds[2] = { -1, -1 };
443 char pattern[] = "/dev/shm/data-fd-XXXXXX";
444 _cleanup_close_ int fd = -1;
445 int isz = 0, r;
446 ssize_t n;
447 off_t f;
448
449 assert(data || size == 0);
450
451 /* Acquire a read-only file descriptor that when read from returns the specified data. This is much more
452 * complex than I wish it was. But here's why:
453 *
454 * a) First we try to use memfds. They are the best option, as we can seal them nicely to make them
455 * read-only. Unfortunately they require kernel 3.17, and – at the time of writing – we still support 3.14.
456 *
457 * b) Then, we try classic pipes. They are the second best options, as we can close the writing side, retaining
458 * a nicely read-only fd in the reading side. However, they are by default quite small, and unprivileged
459 * clients can only bump their size to a system-wide limit, which might be quite low.
460 *
461 * c) Then, we try an O_TMPFILE file in /dev/shm (that dir is the only suitable one known to exist from
462 * earliest boot on). To make it read-only we open the fd a second time with O_RDONLY via
463 * /proc/self/<fd>. Unfortunately O_TMPFILE is not available on older kernels on tmpfs.
464 *
465 * d) Finally, we try creating a regular file in /dev/shm, which we then delete.
466 *
467 * It sucks a bit that depending on the situation we return very different objects here, but that's Linux I
468 * figure. */
469
470 if (size == 0 && ((flags & ACQUIRE_NO_DEV_NULL) == 0)) {
471 /* As a special case, return /dev/null if we have been called for an empty data block */
472 r = open("/dev/null", O_RDONLY|O_CLOEXEC|O_NOCTTY);
473 if (r < 0)
474 return -errno;
475
476 return r;
477 }
478
479 if ((flags & ACQUIRE_NO_MEMFD) == 0) {
480 fd = memfd_new("data-fd");
481 if (fd < 0)
482 goto try_pipe;
483
484 n = write(fd, data, size);
485 if (n < 0)
486 return -errno;
487 if ((size_t) n != size)
488 return -EIO;
489
490 f = lseek(fd, 0, SEEK_SET);
491 if (f != 0)
492 return -errno;
493
494 r = memfd_set_sealed(fd);
495 if (r < 0)
496 return r;
497
c10d6bdb 498 return TAKE_FD(fd);
a548e14d
LP		 499 }
500
501try_pipe:
502 if ((flags & ACQUIRE_NO_PIPE) == 0) {
503 if (pipe2(pipefds, O_CLOEXEC|O_NONBLOCK) < 0)
504 return -errno;
505
506 isz = fcntl(pipefds[1], F_GETPIPE_SZ, 0);
507 if (isz < 0)
508 return -errno;
509
510 if ((size_t) isz < size) {
511 isz = (int) size;
512 if (isz < 0 || (size_t) isz != size)
513 return -E2BIG;
514
515 /* Try to bump the pipe size */
516 (void) fcntl(pipefds[1], F_SETPIPE_SZ, isz);
517
518 /* See if that worked */
519 isz = fcntl(pipefds[1], F_GETPIPE_SZ, 0);
520 if (isz < 0)
521 return -errno;
522
523 if ((size_t) isz < size)
524 goto try_dev_shm;
525 }
526
527 n = write(pipefds[1], data, size);
528 if (n < 0)
529 return -errno;
530 if ((size_t) n != size)
531 return -EIO;
532
533 (void) fd_nonblock(pipefds[0], false);
534
c10d6bdb 535 return TAKE_FD(pipefds[0]);
a548e14d
LP		 536 }
537
538try_dev_shm:
539 if ((flags & ACQUIRE_NO_TMPFILE) == 0) {
540 fd = open("/dev/shm", O_RDWR|O_TMPFILE|O_CLOEXEC, 0500);
541 if (fd < 0)
542 goto try_dev_shm_without_o_tmpfile;
543
544 n = write(fd, data, size);
545 if (n < 0)
546 return -errno;
547 if ((size_t) n != size)
548 return -EIO;
549
550 /* Let's reopen the thing, in order to get an O_RDONLY fd for the original O_RDWR one */
f2324783 551 return fd_reopen(fd, O_RDONLY|O_CLOEXEC);
a548e14d
LP		 552 }
553
554try_dev_shm_without_o_tmpfile:
555 if ((flags & ACQUIRE_NO_REGULAR) == 0) {
556 fd = mkostemp_safe(pattern);
557 if (fd < 0)
558 return fd;
559
560 n = write(fd, data, size);
561 if (n < 0) {
562 r = -errno;
563 goto unlink_and_return;
564 }
565 if ((size_t) n != size) {
566 r = -EIO;
567 goto unlink_and_return;
568 }
569
570 /* Let's reopen the thing, in order to get an O_RDONLY fd for the original O_RDWR one */
571 r = open(pattern, O_RDONLY|O_CLOEXEC);
572 if (r < 0)
573 r = -errno;
574
575 unlink_and_return:
576 (void) unlink(pattern);
577 return r;
578 }
579
580 return -EOPNOTSUPP;
581}
7fe2903c 582
4960ce43
LP		 583/* When the data is smaller or equal to 64K, try to place the copy in a memfd/pipe */
584#define DATA_FD_MEMORY_LIMIT (64U*1024U)
585
586/* If memfd/pipe didn't work out, then let's use a file in /tmp up to a size of 1M. If it's large than that use /var/tmp instead. */
587#define DATA_FD_TMP_LIMIT (1024U*1024U)
588
589int fd_duplicate_data_fd(int fd) {
590
591 _cleanup_close_ int copy_fd = -1, tmp_fd = -1;
592 _cleanup_free_ void *remains = NULL;
4960ce43
LP		 593 size_t remains_size = 0;
594 const char *td;
595 struct stat st;
596 int r;
597
598 /* Creates a 'data' fd from the specified source fd, containing all the same data in a read-only fashion, but
599 * independent of it (i.e. the source fd can be closed and unmounted after this call succeeded). Tries to be
600 * somewhat smart about where to place the data. In the best case uses a memfd(). If memfd() are not supported
601 * uses a pipe instead. For larger data will use an unlinked file in /tmp, and for even larger data one in
602 * /var/tmp. */
603
604 if (fstat(fd, &st) < 0)
605 return -errno;
606
607 /* For now, let's only accept regular files, sockets, pipes and char devices */
608 if (S_ISDIR(st.st_mode))
609 return -EISDIR;
610 if (S_ISLNK(st.st_mode))
611 return -ELOOP;
612 if (!S_ISREG(st.st_mode) && !S_ISSOCK(st.st_mode) && !S_ISFIFO(st.st_mode) && !S_ISCHR(st.st_mode))
613 return -EBADFD;
614
615 /* If we have reason to believe the data is bounded in size, then let's use memfds or pipes as backing fd. Note
616 * that we use the reported regular file size only as a hint, given that there are plenty special files in
617 * /proc and /sys which report a zero file size but can be read from. */
618
619 if (!S_ISREG(st.st_mode) || st.st_size < DATA_FD_MEMORY_LIMIT) {
620
621 /* Try a memfd first */
622 copy_fd = memfd_new("data-fd");
623 if (copy_fd >= 0) {
624 off_t f;
625
626 r = copy_bytes(fd, copy_fd, DATA_FD_MEMORY_LIMIT, 0);
627 if (r < 0)
628 return r;
629
630 f = lseek(copy_fd, 0, SEEK_SET);
631 if (f != 0)
632 return -errno;
633
634 if (r == 0) {
635 /* Did it fit into the limit? If so, we are done. */
636 r = memfd_set_sealed(copy_fd);
637 if (r < 0)
638 return r;
639
640 return TAKE_FD(copy_fd);
641 }
642
643 /* Hmm, pity, this didn't fit. Let's fall back to /tmp then, see below */
644
645 } else {
646 _cleanup_(close_pairp) int pipefds[2] = { -1, -1 };
647 int isz;
648
649 /* If memfds aren't available, use a pipe. Set O_NONBLOCK so that we will get EAGAIN rather
650 * then block indefinitely when we hit the pipe size limit */
651
652 if (pipe2(pipefds, O_CLOEXEC|O_NONBLOCK) < 0)
653 return -errno;
654
655 isz = fcntl(pipefds[1], F_GETPIPE_SZ, 0);
656 if (isz < 0)
657 return -errno;
658
659 /* Try to enlarge the pipe size if necessary */
660 if ((size_t) isz < DATA_FD_MEMORY_LIMIT) {
661
662 (void) fcntl(pipefds[1], F_SETPIPE_SZ, DATA_FD_MEMORY_LIMIT);
663
664 isz = fcntl(pipefds[1], F_GETPIPE_SZ, 0);
665 if (isz < 0)
666 return -errno;
667 }
668
669 if ((size_t) isz >= DATA_FD_MEMORY_LIMIT) {
670
b3cade0c 671 r = copy_bytes_full(fd, pipefds[1], DATA_FD_MEMORY_LIMIT, 0, &remains, &remains_size, NULL, NULL);
4960ce43
LP		 672 if (r < 0 && r != -EAGAIN)
673 return r; /* If we get EAGAIN it could be because of the source or because of
674 * the destination fd, we can't know, as sendfile() and friends won't
675 * tell us. Hence, treat this as reason to fall back, just to be
676 * sure. */
677 if (r == 0) {
678 /* Everything fit in, yay! */
679 (void) fd_nonblock(pipefds[0], false);
680
681 return TAKE_FD(pipefds[0]);
682 }
683
684 /* Things didn't fit in. But we read data into the pipe, let's remember that, so that
685 * when writing the new file we incorporate this first. */
686 copy_fd = TAKE_FD(pipefds[0]);
687 }
688 }
689 }
690
691 /* If we have reason to believe this will fit fine in /tmp, then use that as first fallback. */
692 if ((!S_ISREG(st.st_mode) || st.st_size < DATA_FD_TMP_LIMIT) &&
693 (DATA_FD_MEMORY_LIMIT + remains_size) < DATA_FD_TMP_LIMIT) {
694 off_t f;
695
696 tmp_fd = open_tmpfile_unlinkable(NULL /* NULL as directory means /tmp */, O_RDWR|O_CLOEXEC);
697 if (tmp_fd < 0)
698 return tmp_fd;
699
700 if (copy_fd >= 0) {
701 /* If we tried a memfd/pipe first and it ended up being too large, then copy this into the
702 * temporary file first. */
703
704 r = copy_bytes(copy_fd, tmp_fd, UINT64_MAX, 0);
705 if (r < 0)
706 return r;
707
708 assert(r == 0);
709 }
710
711 if (remains_size > 0) {
712 /* If there were remaining bytes (i.e. read into memory, but not written out yet) from the
713 * failed copy operation, let's flush them out next. */
714
715 r = loop_write(tmp_fd, remains, remains_size, false);
716 if (r < 0)
717 return r;
718 }
719
720 r = copy_bytes(fd, tmp_fd, DATA_FD_TMP_LIMIT - DATA_FD_MEMORY_LIMIT - remains_size, COPY_REFLINK);
721 if (r < 0)
722 return r;
723 if (r == 0)
724 goto finish; /* Yay, it fit in */
725
726 /* It didn't fit in. Let's not forget to use what we already used */
727 f = lseek(tmp_fd, 0, SEEK_SET);
728 if (f != 0)
729 return -errno;
730
731 safe_close(copy_fd);
732 copy_fd = TAKE_FD(tmp_fd);
733
734 remains = mfree(remains);
735 remains_size = 0;
736 }
737
738 /* As last fallback use /var/tmp */
739 r = var_tmp_dir(&td);
740 if (r < 0)
741 return r;
742
743 tmp_fd = open_tmpfile_unlinkable(td, O_RDWR|O_CLOEXEC);
744 if (tmp_fd < 0)
745 return tmp_fd;
746
747 if (copy_fd >= 0) {
748 /* If we tried a memfd/pipe first, or a file in /tmp, and it ended up being too large, than copy this
749 * into the temporary file first. */
750 r = copy_bytes(copy_fd, tmp_fd, UINT64_MAX, COPY_REFLINK);
751 if (r < 0)
752 return r;
753
754 assert(r == 0);
755 }
756
757 if (remains_size > 0) {
758 /* Then, copy in any read but not yet written bytes. */
759 r = loop_write(tmp_fd, remains, remains_size, false);
760 if (r < 0)
761 return r;
762 }
763
764 /* Copy in the rest */
765 r = copy_bytes(fd, tmp_fd, UINT64_MAX, COPY_REFLINK);
766 if (r < 0)
767 return r;
768
769 assert(r == 0);
770
771finish:
772 /* Now convert the O_RDWR file descriptor into an O_RDONLY one (and as side effect seek to the beginning of the
773 * file again */
774
775 return fd_reopen(tmp_fd, O_RDONLY|O_CLOEXEC);
776}
777
7fe2903c
LP		 778int fd_move_above_stdio(int fd) {
779 int flags, copy;
780 PROTECT_ERRNO;
781
782 /* Moves the specified file descriptor if possible out of the range [0…2], i.e. the range of
783 * stdin/stdout/stderr. If it can't be moved outside of this range the original file descriptor is
784 * returned. This call is supposed to be used for long-lasting file descriptors we allocate in our code that
785 * might get loaded into foreign code, and where we want ensure our fds are unlikely used accidentally as
786 * stdin/stdout/stderr of unrelated code.
787 *
788 * Note that this doesn't fix any real bugs, it just makes it less likely that our code will be affected by
789 * buggy code from others that mindlessly invokes 'fprintf(stderr, …' or similar in places where stderr has
790 * been closed before.
791 *
792 * This function is written in a "best-effort" and "least-impact" style. This means whenever we encounter an
793 * error we simply return the original file descriptor, and we do not touch errno. */
794
795 if (fd < 0 || fd > 2)
796 return fd;
797
798 flags = fcntl(fd, F_GETFD, 0);
799 if (flags < 0)
800 return fd;
801
802 if (flags & FD_CLOEXEC)
803 copy = fcntl(fd, F_DUPFD_CLOEXEC, 3);
804 else
805 copy = fcntl(fd, F_DUPFD, 3);
806 if (copy < 0)
807 return fd;
808
809 assert(copy > 2);
810
811 (void) close(fd);
812 return copy;
813}
aa11e28b
LP		 814
815int rearrange_stdio(int original_input_fd, int original_output_fd, int original_error_fd) {
816
817 int fd[3] = { /* Put together an array of fds we work on */
818 original_input_fd,
819 original_output_fd,
820 original_error_fd
821 };
822
823 int r, i,
824 null_fd = -1, /* if we open /dev/null, we store the fd to it here */
825 copy_fd[3] = { -1, -1, -1 }; /* This contains all fds we duplicate here temporarily, and hence need to close at the end */
826 bool null_readable, null_writable;
827
828 /* Sets up stdin, stdout, stderr with the three file descriptors passed in. If any of the descriptors is
829 * specified as -1 it will be connected with /dev/null instead. If any of the file descriptors is passed as
830 * itself (e.g. stdin as STDIN_FILENO) it is left unmodified, but the O_CLOEXEC bit is turned off should it be
831 * on.
832 *
833 * Note that if any of the passed file descriptors are > 2 they will be closed — both on success and on
834 * failure! Thus, callers should assume that when this function returns the input fds are invalidated.
835 *
836 * Note that when this function fails stdin/stdout/stderr might remain half set up!
837 *
838 * O_CLOEXEC is turned off for all three file descriptors (which is how it should be for
839 * stdin/stdout/stderr). */
840
841 null_readable = original_input_fd < 0;
842 null_writable = original_output_fd < 0 || original_error_fd < 0;
843
844 /* First step, open /dev/null once, if we need it */
845 if (null_readable || null_writable) {
846
847 /* Let's open this with O_CLOEXEC first, and convert it to non-O_CLOEXEC when we move the fd to the final position. */
848 null_fd = open("/dev/null", (null_readable && null_writable ? O_RDWR :
849 null_readable ? O_RDONLY : O_WRONLY) | O_CLOEXEC);
850 if (null_fd < 0) {
851 r = -errno;
852 goto finish;
853 }
854
855 /* If this fd is in the 0…2 range, let's move it out of it */
856 if (null_fd < 3) {
857 int copy;
858
859 copy = fcntl(null_fd, F_DUPFD_CLOEXEC, 3); /* Duplicate this with O_CLOEXEC set */
860 if (copy < 0) {
861 r = -errno;
862 goto finish;
863 }
864
865 safe_close(null_fd);
866 null_fd = copy;
867 }
868 }
869
870 /* Let's assemble fd[] with the fds to install in place of stdin/stdout/stderr */
871 for (i = 0; i < 3; i++) {
872
873 if (fd[i] < 0)
874 fd[i] = null_fd; /* A negative parameter means: connect this one to /dev/null */
875 else if (fd[i] != i && fd[i] < 3) {
876 /* This fd is in the 0…2 territory, but not at its intended place, move it out of there, so that we can work there. */
877 copy_fd[i] = fcntl(fd[i], F_DUPFD_CLOEXEC, 3); /* Duplicate this with O_CLOEXEC set */
878 if (copy_fd[i] < 0) {
879 r = -errno;
880 goto finish;
881 }
882
883 fd[i] = copy_fd[i];
884 }
885 }
886
887 /* At this point we now have the fds to use in fd[], and they are all above the stdio range, so that we
888 * have freedom to move them around. If the fds already were at the right places then the specific fds are
889 * -1. Let's now move them to the right places. This is the point of no return. */
890 for (i = 0; i < 3; i++) {
891
892 if (fd[i] == i) {
893
894 /* fd is already in place, but let's make sure O_CLOEXEC is off */
895 r = fd_cloexec(i, false);
896 if (r < 0)
897 goto finish;
898
899 } else {
900 assert(fd[i] > 2);
901
902 if (dup2(fd[i], i) < 0) { /* Turns off O_CLOEXEC on the new fd. */
903 r = -errno;
904 goto finish;
905 }
906 }
907 }
908
909 r = 0;
910
911finish:
912 /* Close the original fds, but only if they were outside of the stdio range. Also, properly check for the same
913 * fd passed in multiple times. */
914 safe_close_above_stdio(original_input_fd);
915 if (original_output_fd != original_input_fd)
916 safe_close_above_stdio(original_output_fd);
917 if (original_error_fd != original_input_fd && original_error_fd != original_output_fd)
918 safe_close_above_stdio(original_error_fd);
919
920 /* Close the copies we moved > 2 */
921 for (i = 0; i < 3; i++)
922 safe_close(copy_fd[i]);
923
924 /* Close our null fd, if it's > 2 */
925 safe_close_above_stdio(null_fd);
926
927 return r;
928}
f2324783
LP		 929
930int fd_reopen(int fd, int flags) {
931 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
932 int new_fd;
933
934 /* Reopens the specified fd with new flags. This is useful for convert an O_PATH fd into a regular one, or to
935 * turn O_RDWR fds into O_RDONLY fds.
936 *
937 * This doesn't work on sockets (since they cannot be open()ed, ever).
938 *
939 * This implicitly resets the file read index to 0. */
940
941 xsprintf(procfs_path, "/proc/self/fd/%i", fd);
942 new_fd = open(procfs_path, flags);
f8606626
LP		 943 if (new_fd < 0) {
944 if (errno != ENOENT)
945 return -errno;
946
947 if (proc_mounted() == 0)
948 return -ENOSYS; /* if we have no /proc/, the concept is not implementable */
949
950 return -ENOENT;
951 }
f2324783
LP		 952
953 return new_fd;
954}
9264cc39
LP		 955
956int read_nr_open(void) {
957 _cleanup_free_ char *nr_open = NULL;
958 int r;
959
960 /* Returns the kernel's current fd limit, either by reading it of /proc/sys if that works, or using the
961 * hard-coded default compiled-in value of current kernels (1M) if not. This call will never fail. */
962
963 r = read_one_line_file("/proc/sys/fs/nr_open", &nr_open);
964 if (r < 0)
965 log_debug_errno(r, "Failed to read /proc/sys/fs/nr_open, ignoring: %m");
966 else {
967 int v;
968
969 r = safe_atoi(nr_open, &v);
970 if (r < 0)
971 log_debug_errno(r, "Failed to parse /proc/sys/fs/nr_open value '%s', ignoring: %m", nr_open);
972 else
973 return v;
974 }
975
976 /* If we fail, fallback to the hard-coded kernel limit of 1024 * 1024. */
977 return 1024 * 1024;
978}
Unnamed repository; edit this file 'description' to name the repository.