1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
12 #include <sys/types.h>
15 #include "alloc-util.h"
20 #include "hexdecoct.h"
24 #include "nulstr-util.h"
25 #include "parse-util.h"
26 #include "path-util.h"
27 #include "socket-util.h"
28 #include "stdio-util.h"
29 #include "string-util.h"
30 #include "sync-util.h"
31 #include "terminal-util.h"
32 #include "tmpfile-util.h"
34 /* The maximum size of the file we'll read in one go in read_full_file() (64M). */
35 #define READ_FULL_BYTES_MAX (64U*1024U*1024U - 1U)
36 /* Used when a size is specified for read_full_file() with READ_FULL_FILE_UNBASE64 or _UNHEX */
37 #define READ_FULL_FILE_ENCODED_STRING_AMPLIFICATION_BOUNDARY 3
39 /* The maximum size of virtual files (i.e. procfs, sysfs, and other virtual "API" files) we'll read in one go
40 * in read_virtual_file(). Note that this limit is different (and much lower) than the READ_FULL_BYTES_MAX
41 * limit. This reflects the fact that we use different strategies for reading virtual and regular files:
42 * virtual files we generally have to read in a single read() syscall since the kernel doesn't support
43 * continuation read()s for them. Thankfully they are somewhat size constrained. Thus we can allocate the
44 * full potential buffer in advance. Regular files OTOH can be much larger, and there we grow the allocations
45 * exponentially in a loop. We use a size limit of 4M-2 because 4M-1 is the maximum buffer that /proc/sys/
46 * allows us to read() (larger reads will fail with ENOMEM), and we want to read one extra byte so that we
48 #define READ_VIRTUAL_BYTES_MAX (4U*1024U*1024U - 2U)
50 int fdopen_unlocked(int fd
, const char *options
, FILE **ret
) {
53 FILE *f
= fdopen(fd
, options
);
57 (void) __fsetlocking(f
, FSETLOCKING_BYCALLER
);
63 int take_fdopen_unlocked(int *fd
, const char *options
, FILE **ret
) {
68 r
= fdopen_unlocked(*fd
, options
, ret
);
77 FILE* take_fdopen(int *fd
, const char *options
) {
80 FILE *f
= fdopen(*fd
, options
);
89 DIR* take_fdopendir(int *dfd
) {
92 DIR *d
= fdopendir(*dfd
);
101 FILE* open_memstream_unlocked(char **ptr
, size_t *sizeloc
) {
102 FILE *f
= open_memstream(ptr
, sizeloc
);
106 (void) __fsetlocking(f
, FSETLOCKING_BYCALLER
);
111 FILE* fmemopen_unlocked(void *buf
, size_t size
, const char *mode
) {
112 FILE *f
= fmemopen(buf
, size
, mode
);
116 (void) __fsetlocking(f
, FSETLOCKING_BYCALLER
);
121 int write_string_stream_ts(
124 WriteStringFileFlags flags
,
125 const struct timespec
*ts
) {
137 /* If we shall set the timestamp we need the fd. But fmemopen() streams generally don't have
138 * an fd. Let's fail early in that case. */
144 if (flags
& WRITE_STRING_FILE_SUPPRESS_REDUNDANT_VIRTUAL
) {
145 _cleanup_free_
char *t
= NULL
;
147 /* If value to be written is same as that of the existing value, then suppress the write. */
155 /* Read an additional byte to detect cases where the prefix matches but the rest
156 * doesn't. Also, 0 returned by read_virtual_file_fd() means the read was truncated and
157 * it won't be equal to the new value. */
158 if (read_virtual_file_fd(fd
, strlen(line
)+1, &t
, NULL
) > 0 &&
159 streq_skip_trailing_chars(line
, t
, NEWLINE
)) {
160 log_debug("No change in value '%s', suppressing write", line
);
164 if (lseek(fd
, 0, SEEK_SET
) < 0)
168 needs_nl
= !(flags
& WRITE_STRING_FILE_AVOID_NEWLINE
) && !endswith(line
, "\n");
170 if (needs_nl
&& (flags
& WRITE_STRING_FILE_DISABLE_BUFFER
)) {
171 /* If STDIO buffering was disabled, then let's append the newline character to the string
172 * itself, so that the write goes out in one go, instead of two */
174 line
= strjoina(line
, "\n");
178 if (fputs(line
, f
) == EOF
)
182 if (fputc('\n', f
) == EOF
)
185 if (flags
& WRITE_STRING_FILE_SYNC
)
186 r
= fflush_sync_and_check(f
);
188 r
= fflush_and_check(f
);
193 const struct timespec twice
[2] = {*ts
, *ts
};
196 if (futimens(fd
, twice
) < 0)
203 static mode_t
write_string_file_flags_to_mode(WriteStringFileFlags flags
) {
205 /* We support three different modes, that are the ones that really make sense for text files like this:
207 * → 0600 (i.e. root-only)
208 * → 0444 (i.e. read-only)
209 * → 0644 (i.e. writable for root, readable for everyone else)
212 return FLAGS_SET(flags
, WRITE_STRING_FILE_MODE_0600
) ? 0600 :
213 FLAGS_SET(flags
, WRITE_STRING_FILE_MODE_0444
) ? 0444 : 0644;
216 static int write_string_file_atomic_at(
220 WriteStringFileFlags flags
,
221 const struct timespec
*ts
) {
223 _cleanup_fclose_
FILE *f
= NULL
;
224 _cleanup_free_
char *p
= NULL
;
230 /* Note that we'd really like to use O_TMPFILE here, but can't really, since we want replacement
231 * semantics here, and O_TMPFILE can't offer that. i.e. rename() replaces but linkat() doesn't. */
233 r
= fopen_temporary_at(dir_fd
, fn
, &f
, &p
);
237 r
= write_string_stream_ts(f
, line
, flags
, ts
);
241 r
= fchmod_umask(fileno(f
), write_string_file_flags_to_mode(flags
));
245 if (renameat(dir_fd
, p
, dir_fd
, fn
) < 0) {
250 if (FLAGS_SET(flags
, WRITE_STRING_FILE_SYNC
)) {
251 /* Sync the rename, too */
252 r
= fsync_directory_of_file(fileno(f
));
260 (void) unlinkat(dir_fd
, p
, 0);
264 int write_string_file_ts_at(
268 WriteStringFileFlags flags
,
269 const struct timespec
*ts
) {
271 _cleanup_fclose_
FILE *f
= NULL
;
272 _cleanup_close_
int fd
= -EBADF
;
278 /* We don't know how to verify whether the file contents was already on-disk. */
279 assert(!((flags
& WRITE_STRING_FILE_VERIFY_ON_FAILURE
) && (flags
& WRITE_STRING_FILE_SYNC
)));
281 if (flags
& WRITE_STRING_FILE_MKDIR_0755
) {
282 r
= mkdirat_parents(dir_fd
, fn
, 0755);
287 if (flags
& WRITE_STRING_FILE_ATOMIC
) {
288 assert(flags
& WRITE_STRING_FILE_CREATE
);
290 r
= write_string_file_atomic_at(dir_fd
, fn
, line
, flags
, ts
);
298 /* We manually build our own version of fopen(..., "we") that works without O_CREAT and with O_NOFOLLOW if needed. */
299 fd
= openat(dir_fd
, fn
, O_CLOEXEC
|O_NOCTTY
|
300 (FLAGS_SET(flags
, WRITE_STRING_FILE_NOFOLLOW
) ? O_NOFOLLOW
: 0) |
301 (FLAGS_SET(flags
, WRITE_STRING_FILE_CREATE
) ? O_CREAT
: 0) |
302 (FLAGS_SET(flags
, WRITE_STRING_FILE_TRUNCATE
) ? O_TRUNC
: 0) |
303 (FLAGS_SET(flags
, WRITE_STRING_FILE_SUPPRESS_REDUNDANT_VIRTUAL
) ? O_RDWR
: O_WRONLY
),
304 write_string_file_flags_to_mode(flags
));
310 r
= take_fdopen_unlocked(&fd
, "w", &f
);
314 if (flags
& WRITE_STRING_FILE_DISABLE_BUFFER
)
315 setvbuf(f
, NULL
, _IONBF
, 0);
317 r
= write_string_stream_ts(f
, line
, flags
, ts
);
324 if (!(flags
& WRITE_STRING_FILE_VERIFY_ON_FAILURE
))
329 /* OK, the operation failed, but let's see if the right
330 * contents in place already. If so, eat up the error. */
332 q
= verify_file(fn
, line
, !(flags
& WRITE_STRING_FILE_AVOID_NEWLINE
) || (flags
& WRITE_STRING_FILE_VERIFY_IGNORE_NEWLINE
));
339 int write_string_filef(
341 WriteStringFileFlags flags
,
342 const char *format
, ...) {
344 _cleanup_free_
char *p
= NULL
;
348 va_start(ap
, format
);
349 r
= vasprintf(&p
, format
, ap
);
355 return write_string_file(fn
, p
, flags
);
358 int read_one_line_file_at(int dir_fd
, const char *filename
, char **ret
) {
359 _cleanup_fclose_
FILE *f
= NULL
;
362 assert(dir_fd
>= 0 || dir_fd
== AT_FDCWD
);
366 r
= fopen_unlocked_at(dir_fd
, filename
, "re", 0, &f
);
370 return read_line(f
, LONG_LINE_MAX
, ret
);
373 int verify_file_at(int dir_fd
, const char *fn
, const char *blob
, bool accept_extra_nl
) {
374 _cleanup_fclose_
FILE *f
= NULL
;
375 _cleanup_free_
char *buf
= NULL
;
384 if (accept_extra_nl
&& endswith(blob
, "\n"))
385 accept_extra_nl
= false;
387 buf
= malloc(l
+ accept_extra_nl
+ 1);
391 r
= fopen_unlocked_at(dir_fd
, fn
, "re", 0, &f
);
395 /* We try to read one byte more than we need, so that we know whether we hit eof */
397 k
= fread(buf
, 1, l
+ accept_extra_nl
+ 1, f
);
399 return errno_or_else(EIO
);
401 if (k
!= l
&& k
!= l
+ accept_extra_nl
)
403 if (memcmp(buf
, blob
, l
) != 0)
405 if (k
> l
&& buf
[l
] != '\n')
411 int read_virtual_file_fd(int fd
, size_t max_size
, char **ret_contents
, size_t *ret_size
) {
412 _cleanup_free_
char *buf
= NULL
;
415 bool truncated
= false;
417 /* Virtual filesystems such as sysfs or procfs use kernfs, and kernfs can work with two sorts of
418 * virtual files. One sort uses "seq_file", and the results of the first read are buffered for the
419 * second read. The other sort uses "raw" reads which always go direct to the device. In the latter
420 * case, the content of the virtual file must be retrieved with a single read otherwise a second read
421 * might get the new value instead of finding EOF immediately. That's the reason why the usage of
422 * fread(3) is prohibited in this case as it always performs a second call to read(2) looking for
423 * EOF. See issue #13585.
425 * max_size specifies a limit on the bytes read. If max_size is SIZE_MAX, the full file is read. If
426 * the full file is too large to read, an error is returned. For other values of max_size, *partial
427 * contents* may be returned. (Though the read is still done using one syscall.) Returns 0 on
428 * partial success, 1 if untruncated contents were read. */
431 assert(max_size
<= READ_VIRTUAL_BYTES_MAX
|| max_size
== SIZE_MAX
);
433 /* Limit the number of attempts to read the number of bytes returned by fstat(). */
439 if (fstat(fd
, &st
) < 0)
442 if (!S_ISREG(st
.st_mode
))
445 /* Be prepared for files from /proc which generally report a file size of 0. */
446 assert_cc(READ_VIRTUAL_BYTES_MAX
< SSIZE_MAX
);
447 if (st
.st_size
> 0 && n_retries
> 1) {
448 /* Let's use the file size if we have more than 1 attempt left. On the last attempt
449 * we'll ignore the file size */
451 if (st
.st_size
> SSIZE_MAX
) { /* Avoid overflow with 32-bit size_t and 64-bit off_t. */
453 if (max_size
== SIZE_MAX
)
458 size
= MIN((size_t) st
.st_size
, max_size
);
460 if (size
> READ_VIRTUAL_BYTES_MAX
)
465 } else if (n_retries
> 1) {
466 /* Files in /proc are generally smaller than the page size so let's start with
467 * a page size buffer from malloc and only use the max buffer on the final try. */
468 size
= MIN3(page_size() - 1, READ_VIRTUAL_BYTES_MAX
, max_size
);
471 size
= MIN(READ_VIRTUAL_BYTES_MAX
, max_size
);
475 buf
= malloc(size
+ 1);
479 /* Use a bigger allocation if we got it anyway, but not more than the limit. */
480 size
= MIN3(MALLOC_SIZEOF_SAFE(buf
) - 1, max_size
, READ_VIRTUAL_BYTES_MAX
);
485 /* Read one more byte so we can detect whether the content of the
486 * file has already changed or the guessed size for files from /proc
487 * wasn't large enough . */
488 k
= read(fd
, buf
, size
+ 1);
498 /* Consider a short read as EOF */
502 /* If a maximum size is specified and we already read more we know the file is larger, and
503 * can handle this as truncation case. Note that if the size of what we read equals the
504 * maximum size then this doesn't mean truncation, the file might or might not end on that
505 * byte. We need to rerun the loop in that case, with a larger buffer size, so that we read
506 * at least one more byte to be able to distinguish EOF from truncation. */
507 if (max_size
!= SIZE_MAX
&& n
> max_size
) {
508 n
= size
; /* Make sure we never use more than what we sized the buffer for (so that
509 * we have one free byte in it for the trailing NUL we add below). */
514 /* We have no further attempts left? Then the file is apparently larger than our limits. Give up. */
518 /* Hmm... either we read too few bytes from /proc or less likely the content of the file
519 * might have been changed (and is now bigger) while we were processing, let's try again
520 * either with the new file size. */
522 if (lseek(fd
, 0, SEEK_SET
) < 0)
530 /* Safety check: if the caller doesn't want to know the size of what we just read it will
531 * rely on the trailing NUL byte. But if there's an embedded NUL byte, then we should refuse
532 * operation as otherwise there'd be ambiguity about what we just read. */
533 if (!ret_size
&& memchr(buf
, 0, n
))
539 /* Return rest of the buffer to libc */
540 p
= realloc(buf
, n
+ 1);
547 *ret_contents
= TAKE_PTR(buf
);
556 int read_virtual_file_at(
558 const char *filename
,
563 _cleanup_close_
int fd
= -EBADF
;
565 assert(dir_fd
>= 0 || dir_fd
== AT_FDCWD
);
568 if (dir_fd
== AT_FDCWD
)
571 return read_virtual_file_fd(dir_fd
, max_size
, ret_contents
, ret_size
);
574 fd
= openat(dir_fd
, filename
, O_RDONLY
| O_NOCTTY
| O_CLOEXEC
);
578 return read_virtual_file_fd(fd
, max_size
, ret_contents
, ret_size
);
581 int read_full_stream_full(
583 const char *filename
,
586 ReadFullFileFlags flags
,
590 _cleanup_free_
char *buf
= NULL
;
591 size_t n
, n_next
= 0, l
, expected_decoded_size
= size
;
595 assert(ret_contents
);
596 assert(!FLAGS_SET(flags
, READ_FULL_FILE_UNBASE64
| READ_FULL_FILE_UNHEX
));
597 assert(size
!= SIZE_MAX
|| !FLAGS_SET(flags
, READ_FULL_FILE_FAIL_WHEN_LARGER
));
599 if (offset
!= UINT64_MAX
&& offset
> LONG_MAX
) /* fseek() can only deal with "long" offsets */
602 if ((flags
& (READ_FULL_FILE_UNBASE64
| READ_FULL_FILE_UNHEX
)) != 0) {
603 if (size
<= SIZE_MAX
/ READ_FULL_FILE_ENCODED_STRING_AMPLIFICATION_BOUNDARY
)
604 size
*= READ_FULL_FILE_ENCODED_STRING_AMPLIFICATION_BOUNDARY
;
610 if (fd
>= 0) { /* If the FILE* object is backed by an fd (as opposed to memory or such, see
611 * fmemopen()), let's optimize our buffering */
614 if (fstat(fd
, &st
) < 0)
617 if (S_ISREG(st
.st_mode
)) {
619 /* Try to start with the right file size if we shall read the file in full. Note
620 * that we increase the size to read here by one, so that the first read attempt
621 * already makes us notice the EOF. If the reported size of the file is zero, we
622 * avoid this logic however, since quite likely it might be a virtual file in procfs
623 * that all report a zero file size. */
625 if (st
.st_size
> 0 &&
626 (size
== SIZE_MAX
|| FLAGS_SET(flags
, READ_FULL_FILE_FAIL_WHEN_LARGER
))) {
629 LESS_BY((uint64_t) st
.st_size
, offset
== UINT64_MAX
? 0 : offset
);
631 if (rsize
< SIZE_MAX
) /* overflow check */
635 if (flags
& READ_FULL_FILE_WARN_WORLD_READABLE
)
636 (void) warn_file_is_world_accessible(filename
, &st
, NULL
, 0);
640 /* If we don't know how much to read, figure it out now. If we shall read a part of the file, then
641 * allocate the requested size. If we shall load the full file start with LINE_MAX. Note that if
642 * READ_FULL_FILE_FAIL_WHEN_LARGER we consider the specified size a safety limit, and thus also start
643 * with LINE_MAX, under assumption the file is most likely much shorter. */
645 n_next
= size
!= SIZE_MAX
&& !FLAGS_SET(flags
, READ_FULL_FILE_FAIL_WHEN_LARGER
) ? size
: LINE_MAX
;
647 /* Never read more than we need to determine that our own limit is hit */
648 if (n_next
> READ_FULL_BYTES_MAX
)
649 n_next
= READ_FULL_BYTES_MAX
+ 1;
651 if (offset
!= UINT64_MAX
&& fseek(f
, offset
, SEEK_SET
) < 0)
659 /* If we shall fail when reading overly large data, then read exactly one byte more than the
660 * specified size at max, since that'll tell us if there's anymore data beyond the limit*/
661 if (FLAGS_SET(flags
, READ_FULL_FILE_FAIL_WHEN_LARGER
) && n_next
> size
)
664 if (flags
& READ_FULL_FILE_SECURE
) {
665 t
= malloc(n_next
+ 1);
670 memcpy_safe(t
, buf
, n
);
671 explicit_bzero_safe(buf
, n
);
674 t
= realloc(buf
, n_next
+ 1);
680 /* Unless a size has been explicitly specified, try to read as much as fits into the memory
681 * we allocated (minus 1, to leave one byte for the safety NUL byte) */
682 n
= size
== SIZE_MAX
? MALLOC_SIZEOF_SAFE(buf
) - 1 : n_next
;
685 k
= fread(buf
+ l
, 1, n
- l
, f
);
691 r
= errno_or_else(EIO
);
697 if (size
!= SIZE_MAX
&& !FLAGS_SET(flags
, READ_FULL_FILE_FAIL_WHEN_LARGER
)) { /* If we got asked to read some specific size, we already sized the buffer right, hence leave */
702 assert(k
> 0); /* we can't have read zero bytes because that would have been EOF */
704 if (FLAGS_SET(flags
, READ_FULL_FILE_FAIL_WHEN_LARGER
) && l
> size
) {
709 if (n
>= READ_FULL_BYTES_MAX
) {
714 n_next
= MIN(n
* 2, READ_FULL_BYTES_MAX
);
717 if (flags
& (READ_FULL_FILE_UNBASE64
| READ_FULL_FILE_UNHEX
)) {
718 _cleanup_free_
void *decoded
= NULL
;
722 if (flags
& READ_FULL_FILE_UNBASE64
)
723 r
= unbase64mem_full(buf
, l
, flags
& READ_FULL_FILE_SECURE
, &decoded
, &decoded_size
);
725 r
= unhexmem_full(buf
, l
, flags
& READ_FULL_FILE_SECURE
, &decoded
, &decoded_size
);
729 if (flags
& READ_FULL_FILE_SECURE
)
730 explicit_bzero_safe(buf
, n
);
731 free_and_replace(buf
, decoded
);
732 n
= l
= decoded_size
;
734 if (FLAGS_SET(flags
, READ_FULL_FILE_FAIL_WHEN_LARGER
) && l
> expected_decoded_size
) {
741 /* Safety check: if the caller doesn't want to know the size of what we just read it will rely on the
742 * trailing NUL byte. But if there's an embedded NUL byte, then we should refuse operation as otherwise
743 * there'd be ambiguity about what we just read. */
745 if (memchr(buf
, 0, l
)) {
752 *ret_contents
= TAKE_PTR(buf
);
760 if (flags
& READ_FULL_FILE_SECURE
)
761 explicit_bzero_safe(buf
, n
);
766 int read_full_file_full(
768 const char *filename
,
771 ReadFullFileFlags flags
,
772 const char *bind_name
,
776 _cleanup_fclose_
FILE *f
= NULL
;
777 XfopenFlags xflags
= XFOPEN_UNLOCKED
;
781 assert(ret_contents
);
783 if (FLAGS_SET(flags
, READ_FULL_FILE_CONNECT_SOCKET
) && /* If this is enabled, let's try to connect to it */
784 offset
== UINT64_MAX
) /* Seeking is not supported on AF_UNIX sockets */
785 xflags
|= XFOPEN_SOCKET
;
787 r
= xfopenat_full(dir_fd
, filename
, "re", 0, xflags
, bind_name
, &f
);
791 return read_full_stream_full(f
, filename
, offset
, size
, flags
, ret_contents
, ret_size
);
794 int executable_is_script(const char *path
, char **interpreter
) {
795 _cleanup_free_
char *line
= NULL
;
802 r
= read_one_line_file(path
, &line
);
803 if (r
== -ENOBUFS
) /* First line overly long? if so, then it's not a script */
808 if (!startswith(line
, "#!"))
811 ans
= strstrip(line
+ 2);
812 len
= strcspn(ans
, " \t");
817 ans
= strndup(ans
, len
);
826 * Retrieve one field from a file like /proc/self/status. pattern
827 * should not include whitespace or the delimiter (':'). pattern matches only
828 * the beginning of a line. Whitespace before ':' is skipped. Whitespace and
829 * zeros after the ':' will be skipped. field must be freed afterwards.
830 * terminator specifies the terminating characters of the field value (not
831 * included in the value).
833 int get_proc_field(const char *filename
, const char *pattern
, const char *terminator
, char **field
) {
834 _cleanup_free_
char *status
= NULL
;
843 r
= read_full_virtual_file(filename
, &status
, NULL
);
853 t
= strstr(t
, pattern
);
857 /* Check that pattern occurs in beginning of line. */
858 pattern_ok
= (t
== status
|| t
[-1] == '\n');
860 t
+= strlen(pattern
);
862 } while (!pattern_ok
);
864 t
+= strspn(t
, " \t");
873 t
+= strspn(t
, " \t");
875 /* Also skip zeros, because when this is used for
876 * capabilities, we don't want the zeros. This way the
877 * same capability set always maps to the same string,
878 * irrespective of the total capability set size. For
879 * other numbers it shouldn't matter. */
881 /* Back off one char if there's nothing but whitespace
883 if (!*t
|| isspace(*t
))
887 f
= strdupcspn(t
, terminator
);
895 DIR *xopendirat(int fd
, const char *name
, int flags
) {
896 _cleanup_close_
int nfd
= -EBADF
;
898 assert(!(flags
& O_CREAT
));
900 if (fd
== AT_FDCWD
&& flags
== 0)
901 return opendir(name
);
903 nfd
= openat(fd
, name
, O_RDONLY
|O_NONBLOCK
|O_DIRECTORY
|O_CLOEXEC
|flags
, 0);
907 return take_fdopendir(&nfd
);
910 int fopen_mode_to_flags(const char *mode
) {
916 if ((p
= startswith(mode
, "r+")))
918 else if ((p
= startswith(mode
, "r")))
920 else if ((p
= startswith(mode
, "w+")))
921 flags
= O_RDWR
|O_CREAT
|O_TRUNC
;
922 else if ((p
= startswith(mode
, "w")))
923 flags
= O_WRONLY
|O_CREAT
|O_TRUNC
;
924 else if ((p
= startswith(mode
, "a+")))
925 flags
= O_RDWR
|O_CREAT
|O_APPEND
;
926 else if ((p
= startswith(mode
, "a")))
927 flags
= O_WRONLY
|O_CREAT
|O_APPEND
;
931 for (; *p
!= 0; p
++) {
944 /* ignore this here, fdopen() might care later though */
947 case 'c': /* not sure what to do about this one */
956 static int xfopenat_regular(int dir_fd
, const char *path
, const char *mode
, int open_flags
, FILE **ret
) {
959 /* A combination of fopen() with openat() */
961 assert(dir_fd
>= 0 || dir_fd
== AT_FDCWD
);
966 if (dir_fd
== AT_FDCWD
&& open_flags
== 0)
967 f
= fopen(path
, mode
);
969 _cleanup_close_
int fd
= -EBADF
;
972 mode_flags
= fopen_mode_to_flags(mode
);
976 fd
= openat(dir_fd
, path
, mode_flags
| open_flags
);
980 f
= take_fdopen(&fd
, mode
);
989 static int xfopenat_unix_socket(int dir_fd
, const char *path
, const char *bind_name
, FILE **ret
) {
990 _cleanup_close_
int sk
= -EBADF
;
994 assert(dir_fd
>= 0 || dir_fd
== AT_FDCWD
);
998 sk
= socket(AF_UNIX
, SOCK_STREAM
|SOCK_CLOEXEC
, 0);
1003 /* If the caller specified a socket name to bind to, do so before connecting. This is
1004 * useful to communicate some minor, short meta-information token from the client to
1006 union sockaddr_union bsa
;
1008 r
= sockaddr_un_set_path(&bsa
.un
, bind_name
);
1012 if (bind(sk
, &bsa
.sa
, r
) < 0)
1016 r
= connect_unix_path(sk
, dir_fd
, path
);
1020 if (shutdown(sk
, SHUT_WR
) < 0)
1023 f
= take_fdopen(&sk
, "r");
1037 const char *bind_name
,
1040 FILE *f
= NULL
; /* avoid false maybe-uninitialized warning */
1043 assert(dir_fd
>= 0 || dir_fd
== AT_FDCWD
);
1048 r
= xfopenat_regular(dir_fd
, path
, mode
, open_flags
, &f
);
1049 if (r
== -ENXIO
&& FLAGS_SET(flags
, XFOPEN_SOCKET
)) {
1050 /* ENXIO is what Linux returns if we open a node that is an AF_UNIX socket */
1051 r
= xfopenat_unix_socket(dir_fd
, path
, bind_name
, &f
);
1052 if (IN_SET(r
, -ENOTSOCK
, -EINVAL
))
1053 return -ENXIO
; /* propagate original error if this is not a socket after all */
1058 if (FLAGS_SET(flags
, XFOPEN_UNLOCKED
))
1059 (void) __fsetlocking(f
, FSETLOCKING_BYCALLER
);
1065 int fdopen_independent(int fd
, const char *mode
, FILE **ret
) {
1066 _cleanup_close_
int copy_fd
= -EBADF
;
1067 _cleanup_fclose_
FILE *f
= NULL
;
1074 /* A combination of fdopen() + fd_reopen(). i.e. reopens the inode the specified fd points to and
1075 * returns a FILE* for it */
1077 mode_flags
= fopen_mode_to_flags(mode
);
1081 /* Flags returned by fopen_mode_to_flags might contain O_CREAT, but it doesn't make sense for fd_reopen
1082 * since we're working on an existing fd anyway. Let's drop it here to avoid triggering assertion. */
1083 copy_fd
= fd_reopen(fd
, mode_flags
& ~O_CREAT
);
1087 f
= take_fdopen(©_fd
, mode
);
1095 static int search_and_open_internal(
1097 int mode
, /* if ret_fd is NULL this is an [FRWX]_OK mode for access(), otherwise an open mode for open() */
1105 assert(!ret_fd
|| !FLAGS_SET(mode
, O_CREAT
)); /* We don't support O_CREAT for this */
1108 if (path_is_absolute(path
)) {
1109 _cleanup_close_
int fd
= -EBADF
;
1112 /* We only specify 0777 here to appease static analyzers, it's never used since we
1113 * don't support O_CREAT here */
1114 r
= fd
= RET_NERRNO(open(path
, mode
, 0777));
1116 r
= RET_NERRNO(access(path
, mode
));
1121 r
= path_simplify_alloc(path
, ret_path
);
1127 *ret_fd
= TAKE_FD(fd
);
1132 if (!path_strv_resolve_uniq(search
, root
))
1135 STRV_FOREACH(i
, search
) {
1136 _cleanup_close_
int fd
= -EBADF
;
1137 _cleanup_free_
char *p
= NULL
;
1139 p
= path_join(root
, *i
, path
);
1144 /* as above, 0777 is static analyzer appeasement */
1145 r
= fd
= RET_NERRNO(open(p
, mode
, 0777));
1147 r
= RET_NERRNO(access(p
, F_OK
));
1150 *ret_path
= path_simplify(TAKE_PTR(p
));
1153 *ret_fd
= TAKE_FD(fd
);
1164 int search_and_open(
1172 _cleanup_strv_free_
char **copy
= NULL
;
1176 copy
= strv_copy((char**) search
);
1180 return search_and_open_internal(path
, mode
, root
, copy
, ret_fd
, ret_path
);
1183 static int search_and_fopen_internal(
1191 _cleanup_free_
char *found_path
= NULL
;
1192 _cleanup_close_
int fd
= -EBADF
;
1196 assert(mode
|| !ret_file
);
1198 r
= search_and_open(
1200 mode
? fopen_mode_to_flags(mode
) : 0,
1203 ret_file
? &fd
: NULL
,
1204 ret_path
? &found_path
: NULL
);
1209 FILE *f
= take_fdopen(&fd
, mode
);
1217 *ret_path
= TAKE_PTR(found_path
);
1222 int search_and_fopen(
1226 const char **search
,
1230 _cleanup_strv_free_
char **copy
= NULL
;
1233 assert(mode
|| !ret_file
);
1235 copy
= strv_copy((char**) search
);
1239 return search_and_fopen_internal(path
, mode
, root
, copy
, ret_file
, ret_path
);
1242 int search_and_fopen_nulstr(
1250 _cleanup_strv_free_
char **l
= NULL
;
1253 assert(mode
|| !ret_file
);
1255 l
= strv_split_nulstr(search
);
1259 return search_and_fopen_internal(path
, mode
, root
, l
, ret_file
, ret_path
);
1262 int fflush_and_check(FILE *f
) {
1269 return errno_or_else(EIO
);
1274 int fflush_sync_and_check(FILE *f
) {
1279 r
= fflush_and_check(f
);
1283 /* Not all file streams have an fd associated (think: fmemopen()), let's handle this gracefully and
1284 * assume that in that case we need no explicit syncing */
1296 int write_timestamp_file_atomic(const char *fn
, usec_t n
) {
1297 char ln
[DECIMAL_STR_MAX(n
)+2];
1299 /* Creates a "timestamp" file, that contains nothing but a
1300 * usec_t timestamp, formatted in ASCII. */
1302 if (!timestamp_is_set(n
))
1305 xsprintf(ln
, USEC_FMT
"\n", n
);
1307 return write_string_file(fn
, ln
, WRITE_STRING_FILE_CREATE
|WRITE_STRING_FILE_ATOMIC
);
1310 int read_timestamp_file(const char *fn
, usec_t
*ret
) {
1311 _cleanup_free_
char *ln
= NULL
;
1315 r
= read_one_line_file(fn
, &ln
);
1319 r
= safe_atou64(ln
, &t
);
1323 if (!timestamp_is_set(t
))
1330 int fputs_with_separator(FILE *f
, const char *s
, const char *separator
, bool *space
) {
1334 /* Outputs the specified string with fputs(), but optionally prefixes it with a separator.
1335 * The *space parameter when specified shall initially point to a boolean variable initialized
1336 * to false. It is set to true after the first invocation. This call is supposed to be use in loops,
1337 * where a separator shall be inserted between each element, but not before the first one. */
1346 if (fputs(separator
, f
) < 0)
1351 if (fputs(s
, f
) < 0)
1357 /* A bitmask of the EOL markers we know */
1358 typedef enum EndOfLineMarker
{
1360 EOL_ZERO
= 1 << 0, /* \0 (aka NUL) */
1361 EOL_TEN
= 1 << 1, /* \n (aka NL, aka LF) */
1362 EOL_THIRTEEN
= 1 << 2, /* \r (aka CR) */
1365 static EndOfLineMarker
categorize_eol(char c
, ReadLineFlags flags
) {
1367 if (!FLAGS_SET(flags
, READ_LINE_ONLY_NUL
)) {
1371 return EOL_THIRTEEN
;
1380 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(FILE*, funlockfile
, NULL
);
1382 int read_line_full(FILE *f
, size_t limit
, ReadLineFlags flags
, char **ret
) {
1383 _cleanup_free_
char *buffer
= NULL
;
1384 size_t n
= 0, count
= 0;
1389 /* Something like a bounded version of getline().
1391 * Considers EOF, \n, \r and \0 end of line delimiters (or combinations of these), and does not include these
1392 * delimiters in the string returned. Specifically, recognizes the following combinations of markers as line
1405 * Returns the number of bytes read from the files (i.e. including delimiters — this hence usually differs from
1406 * the number of characters in the returned string). When EOF is hit, 0 is returned.
1408 * The input parameter limit is the maximum numbers of characters in the returned string, i.e. excluding
1409 * delimiters. If the limit is hit we fail and return -ENOBUFS.
1411 * If a line shall be skipped ret may be initialized as NULL. */
1414 if (!GREEDY_REALLOC(buffer
, 1))
1419 _unused_
_cleanup_(funlockfilep
) FILE *flocked
= f
;
1420 EndOfLineMarker previous_eol
= EOL_NONE
;
1424 EndOfLineMarker eol
;
1430 if (count
>= INT_MAX
) /* We couldn't return the counter anymore as "int", hence refuse this */
1433 r
= safe_fgetc(f
, &c
);
1436 if (r
== 0) /* EOF is definitely EOL */
1439 eol
= categorize_eol(c
, flags
);
1441 if (FLAGS_SET(previous_eol
, EOL_ZERO
) ||
1442 (eol
== EOL_NONE
&& previous_eol
!= EOL_NONE
) ||
1443 (eol
!= EOL_NONE
&& (previous_eol
& eol
) != 0)) {
1444 /* Previous char was a NUL? This is not an EOL, but the previous char was? This type of
1445 * EOL marker has been seen right before? In either of these three cases we are
1446 * done. But first, let's put this character back in the queue. (Note that we have to
1447 * cast this to (unsigned char) here as ungetc() expects a positive 'int', and if we
1448 * are on an architecture where 'char' equals 'signed char' we need to ensure we don't
1449 * pass a negative value here. That said, to complicate things further ungetc() is
1450 * actually happy with most negative characters and implicitly casts them back to
1451 * positive ones as needed, except for \xff (aka -1, aka EOF), which it refuses. What a
1453 assert_se(ungetc((unsigned char) c
, f
) != EOF
);
1459 if (eol
!= EOL_NONE
) {
1460 /* If we are on a tty, we can't shouldn't wait for more input, because that
1461 * generally means waiting for the user, interactively. In the case of a TTY
1462 * we expect only \n as the single EOL marker, so we are in the lucky
1463 * position that there is no need to wait. We check this condition last, to
1464 * avoid isatty() check if not necessary. */
1466 if ((flags
& (READ_LINE_IS_A_TTY
|READ_LINE_NOT_A_TTY
)) == 0) {
1470 if (fd
< 0) /* Maybe an fmemopen() stream? Handle this gracefully,
1471 * and don't call isatty() on an invalid fd */
1472 flags
|= READ_LINE_NOT_A_TTY
;
1474 flags
|= isatty_safe(fd
) ? READ_LINE_IS_A_TTY
: READ_LINE_NOT_A_TTY
;
1476 if (FLAGS_SET(flags
, READ_LINE_IS_A_TTY
))
1480 if (eol
!= EOL_NONE
) {
1481 previous_eol
|= eol
;
1486 if (!GREEDY_REALLOC(buffer
, n
+ 2))
1499 *ret
= TAKE_PTR(buffer
);
1505 int read_stripped_line(FILE *f
, size_t limit
, char **ret
) {
1506 _cleanup_free_
char *s
= NULL
;
1511 r
= read_line(f
, limit
, ret
? &s
: NULL
);
1535 int safe_fgetc(FILE *f
, char *ret
) {
1540 /* A safer version of plain fgetc(): let's propagate the error that happened while reading as such, and
1541 * separate the EOF condition from the byte read, to avoid those confusion signed/unsigned issues fgetc()
1548 return errno_or_else(EIO
);
1562 int warn_file_is_world_accessible(const char *filename
, struct stat
*st
, const char *unit
, unsigned line
) {
1569 if (stat(filename
, &_st
) < 0)
1574 if ((st
->st_mode
& S_IRWXO
) == 0)
1578 log_syntax(unit
, LOG_WARNING
, filename
, line
, 0,
1579 "%s has %04o mode that is too permissive, please adjust the ownership and access mode.",
1580 filename
, st
->st_mode
& 07777);
1582 log_warning("%s has %04o mode that is too permissive, please adjust the ownership and access mode.",
1583 filename
, st
->st_mode
& 07777);