]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/basic/fileio.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #25608 from poettering/dissect-moar
[thirdparty/systemd.git] / src / basic / fileio.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <ctype.h>
4 #include <errno.h>
5 #include <fcntl.h>
6 #include <limits.h>
7 #include <stdarg.h>
8 #include <stdint.h>
9 #include <stdio_ext.h>
10 #include <stdlib.h>
11 #include <sys/stat.h>
12 #include <sys/types.h>
13 #include <unistd.h>
14
15 #include "alloc-util.h"
16 #include "chase.h"
17 #include "fd-util.h"
18 #include "fileio.h"
19 #include "fs-util.h"
20 #include "hexdecoct.h"
21 #include "log.h"
22 #include "macro.h"
23 #include "mkdir.h"
24 #include "nulstr-util.h"
25 #include "parse-util.h"
26 #include "path-util.h"
27 #include "socket-util.h"
28 #include "stdio-util.h"
29 #include "string-util.h"
30 #include "sync-util.h"
31 #include "tmpfile-util.h"
32
33 /* The maximum size of the file we'll read in one go in read_full_file() (64M). */
34 #define READ_FULL_BYTES_MAX (64U*1024U*1024U - 1U)
35
36 /* The maximum size of virtual files (i.e. procfs, sysfs, and other virtual "API" files) we'll read in one go
37 * in read_virtual_file(). Note that this limit is different (and much lower) than the READ_FULL_BYTES_MAX
38 * limit. This reflects the fact that we use different strategies for reading virtual and regular files:
39 * virtual files we generally have to read in a single read() syscall since the kernel doesn't support
40 * continuation read()s for them. Thankfully they are somewhat size constrained. Thus we can allocate the
41 * full potential buffer in advance. Regular files OTOH can be much larger, and there we grow the allocations
42 * exponentially in a loop. We use a size limit of 4M-2 because 4M-1 is the maximum buffer that /proc/sys/
43 * allows us to read() (larger reads will fail with ENOMEM), and we want to read one extra byte so that we
44 * can detect EOFs. */
45 #define READ_VIRTUAL_BYTES_MAX (4U*1024U*1024U - 2U)
46
47 int fdopen_unlocked(int fd, const char *options, FILE **ret) {
48 assert(ret);
49
50 FILE *f = fdopen(fd, options);
51 if (!f)
52 return -errno;
53
54 (void) __fsetlocking(f, FSETLOCKING_BYCALLER);
55
56 *ret = f;
57 return 0;
58 }
59
60 int take_fdopen_unlocked(int *fd, const char *options, FILE **ret) {
61 int r;
62
63 assert(fd);
64
65 r = fdopen_unlocked(*fd, options, ret);
66 if (r < 0)
67 return r;
68
69 *fd = -EBADF;
70
71 return 0;
72 }
73
74 FILE* take_fdopen(int *fd, const char *options) {
75 assert(fd);
76
77 FILE *f = fdopen(*fd, options);
78 if (!f)
79 return NULL;
80
81 *fd = -EBADF;
82
83 return f;
84 }
85
86 DIR* take_fdopendir(int *dfd) {
87 assert(dfd);
88
89 DIR *d = fdopendir(*dfd);
90 if (!d)
91 return NULL;
92
93 *dfd = -EBADF;
94
95 return d;
96 }
97
98 FILE* open_memstream_unlocked(char **ptr, size_t *sizeloc) {
99 FILE *f = open_memstream(ptr, sizeloc);
100 if (!f)
101 return NULL;
102
103 (void) __fsetlocking(f, FSETLOCKING_BYCALLER);
104
105 return f;
106 }
107
108 FILE* fmemopen_unlocked(void *buf, size_t size, const char *mode) {
109 FILE *f = fmemopen(buf, size, mode);
110 if (!f)
111 return NULL;
112
113 (void) __fsetlocking(f, FSETLOCKING_BYCALLER);
114
115 return f;
116 }
117
118 int write_string_stream_ts(
119 FILE *f,
120 const char *line,
121 WriteStringFileFlags flags,
122 const struct timespec *ts) {
123
124 bool needs_nl;
125 int r, fd = -EBADF;
126
127 assert(f);
128 assert(line);
129
130 if (ferror(f))
131 return -EIO;
132
133 if (ts) {
134 /* If we shall set the timestamp we need the fd. But fmemopen() streams generally don't have
135 * an fd. Let's fail early in that case. */
136 fd = fileno(f);
137 if (fd < 0)
138 return -EBADF;
139 }
140
141 if (flags & WRITE_STRING_FILE_SUPPRESS_REDUNDANT_VIRTUAL) {
142 _cleanup_free_ char *t = NULL;
143
144 /* If value to be written is same as that of the existing value, then suppress the write. */
145
146 if (fd < 0) {
147 fd = fileno(f);
148 if (fd < 0)
149 return -EBADF;
150 }
151
152 /* Read an additional byte to detect cases where the prefix matches but the rest
153 * doesn't. Also, 0 returned by read_virtual_file_fd() means the read was truncated and
154 * it won't be equal to the new value. */
155 if (read_virtual_file_fd(fd, strlen(line)+1, &t, NULL) > 0 &&
156 streq_skip_trailing_chars(line, t, NEWLINE)) {
157 log_debug("No change in value '%s', suppressing write", line);
158 return 0;
159 }
160
161 if (lseek(fd, 0, SEEK_SET) < 0)
162 return -errno;
163 }
164
165 needs_nl = !(flags & WRITE_STRING_FILE_AVOID_NEWLINE) && !endswith(line, "\n");
166
167 if (needs_nl && (flags & WRITE_STRING_FILE_DISABLE_BUFFER)) {
168 /* If STDIO buffering was disabled, then let's append the newline character to the string
169 * itself, so that the write goes out in one go, instead of two */
170
171 line = strjoina(line, "\n");
172 needs_nl = false;
173 }
174
175 if (fputs(line, f) == EOF)
176 return -errno;
177
178 if (needs_nl)
179 if (fputc('\n', f) == EOF)
180 return -errno;
181
182 if (flags & WRITE_STRING_FILE_SYNC)
183 r = fflush_sync_and_check(f);
184 else
185 r = fflush_and_check(f);
186 if (r < 0)
187 return r;
188
189 if (ts) {
190 const struct timespec twice[2] = {*ts, *ts};
191
192 assert(fd >= 0);
193 if (futimens(fd, twice) < 0)
194 return -errno;
195 }
196
197 return 0;
198 }
199
200 static int write_string_file_atomic_at(
201 int dir_fd,
202 const char *fn,
203 const char *line,
204 WriteStringFileFlags flags,
205 const struct timespec *ts) {
206
207 _cleanup_fclose_ FILE *f = NULL;
208 _cleanup_free_ char *p = NULL;
209 int r;
210
211 assert(fn);
212 assert(line);
213
214 /* Note that we'd really like to use O_TMPFILE here, but can't really, since we want replacement
215 * semantics here, and O_TMPFILE can't offer that. i.e. rename() replaces but linkat() doesn't. */
216
217 r = fopen_temporary_at(dir_fd, fn, &f, &p);
218 if (r < 0)
219 return r;
220
221 r = write_string_stream_ts(f, line, flags, ts);
222 if (r < 0)
223 goto fail;
224
225 r = fchmod_umask(fileno(f), FLAGS_SET(flags, WRITE_STRING_FILE_MODE_0600) ? 0600 : 0644);
226 if (r < 0)
227 goto fail;
228
229 if (renameat(dir_fd, p, dir_fd, fn) < 0) {
230 r = -errno;
231 goto fail;
232 }
233
234 if (FLAGS_SET(flags, WRITE_STRING_FILE_SYNC)) {
235 /* Sync the rename, too */
236 r = fsync_directory_of_file(fileno(f));
237 if (r < 0)
238 return r;
239 }
240
241 return 0;
242
243 fail:
244 (void) unlinkat(dir_fd, p, 0);
245 return r;
246 }
247
248 int write_string_file_ts_at(
249 int dir_fd,
250 const char *fn,
251 const char *line,
252 WriteStringFileFlags flags,
253 const struct timespec *ts) {
254
255 _cleanup_fclose_ FILE *f = NULL;
256 _cleanup_close_ int fd = -EBADF;
257 int q, r;
258
259 assert(fn);
260 assert(line);
261
262 /* We don't know how to verify whether the file contents was already on-disk. */
263 assert(!((flags & WRITE_STRING_FILE_VERIFY_ON_FAILURE) && (flags & WRITE_STRING_FILE_SYNC)));
264
265 if (flags & WRITE_STRING_FILE_MKDIR_0755) {
266 r = mkdirat_parents(dir_fd, fn, 0755);
267 if (r < 0)
268 return r;
269 }
270
271 if (flags & WRITE_STRING_FILE_ATOMIC) {
272 assert(flags & WRITE_STRING_FILE_CREATE);
273
274 r = write_string_file_atomic_at(dir_fd, fn, line, flags, ts);
275 if (r < 0)
276 goto fail;
277
278 return r;
279 } else
280 assert(!ts);
281
282 /* We manually build our own version of fopen(..., "we") that works without O_CREAT and with O_NOFOLLOW if needed. */
283 fd = openat(dir_fd, fn, O_CLOEXEC|O_NOCTTY |
284 (FLAGS_SET(flags, WRITE_STRING_FILE_NOFOLLOW) ? O_NOFOLLOW : 0) |
285 (FLAGS_SET(flags, WRITE_STRING_FILE_CREATE) ? O_CREAT : 0) |
286 (FLAGS_SET(flags, WRITE_STRING_FILE_TRUNCATE) ? O_TRUNC : 0) |
287 (FLAGS_SET(flags, WRITE_STRING_FILE_SUPPRESS_REDUNDANT_VIRTUAL) ? O_RDWR : O_WRONLY),
288 (FLAGS_SET(flags, WRITE_STRING_FILE_MODE_0600) ? 0600 : 0666));
289 if (fd < 0) {
290 r = -errno;
291 goto fail;
292 }
293
294 r = take_fdopen_unlocked(&fd, "w", &f);
295 if (r < 0)
296 goto fail;
297
298 if (flags & WRITE_STRING_FILE_DISABLE_BUFFER)
299 setvbuf(f, NULL, _IONBF, 0);
300
301 r = write_string_stream_ts(f, line, flags, ts);
302 if (r < 0)
303 goto fail;
304
305 return 0;
306
307 fail:
308 if (!(flags & WRITE_STRING_FILE_VERIFY_ON_FAILURE))
309 return r;
310
311 f = safe_fclose(f);
312
313 /* OK, the operation failed, but let's see if the right
314 * contents in place already. If so, eat up the error. */
315
316 q = verify_file(fn, line, !(flags & WRITE_STRING_FILE_AVOID_NEWLINE) || (flags & WRITE_STRING_FILE_VERIFY_IGNORE_NEWLINE));
317 if (q <= 0)
318 return r;
319
320 return 0;
321 }
322
323 int write_string_filef(
324 const char *fn,
325 WriteStringFileFlags flags,
326 const char *format, ...) {
327
328 _cleanup_free_ char *p = NULL;
329 va_list ap;
330 int r;
331
332 va_start(ap, format);
333 r = vasprintf(&p, format, ap);
334 va_end(ap);
335
336 if (r < 0)
337 return -ENOMEM;
338
339 return write_string_file(fn, p, flags);
340 }
341
342 int read_one_line_file_at(int dir_fd, const char *filename, char **ret) {
343 _cleanup_fclose_ FILE *f = NULL;
344 int r;
345
346 assert(dir_fd >= 0 || dir_fd == AT_FDCWD);
347 assert(filename);
348 assert(ret);
349
350 r = fopen_unlocked_at(dir_fd, filename, "re", 0, &f);
351 if (r < 0)
352 return r;
353
354 return read_line(f, LONG_LINE_MAX, ret);
355 }
356
357 int verify_file_at(int dir_fd, const char *fn, const char *blob, bool accept_extra_nl) {
358 _cleanup_fclose_ FILE *f = NULL;
359 _cleanup_free_ char *buf = NULL;
360 size_t l, k;
361 int r;
362
363 assert(fn);
364 assert(blob);
365
366 l = strlen(blob);
367
368 if (accept_extra_nl && endswith(blob, "\n"))
369 accept_extra_nl = false;
370
371 buf = malloc(l + accept_extra_nl + 1);
372 if (!buf)
373 return -ENOMEM;
374
375 r = fopen_unlocked_at(dir_fd, fn, "re", 0, &f);
376 if (r < 0)
377 return r;
378
379 /* We try to read one byte more than we need, so that we know whether we hit eof */
380 errno = 0;
381 k = fread(buf, 1, l + accept_extra_nl + 1, f);
382 if (ferror(f))
383 return errno_or_else(EIO);
384
385 if (k != l && k != l + accept_extra_nl)
386 return 0;
387 if (memcmp(buf, blob, l) != 0)
388 return 0;
389 if (k > l && buf[l] != '\n')
390 return 0;
391
392 return 1;
393 }
394
395 int read_virtual_file_fd(int fd, size_t max_size, char **ret_contents, size_t *ret_size) {
396 _cleanup_free_ char *buf = NULL;
397 size_t n, size;
398 int n_retries;
399 bool truncated = false;
400
401 /* Virtual filesystems such as sysfs or procfs use kernfs, and kernfs can work with two sorts of
402 * virtual files. One sort uses "seq_file", and the results of the first read are buffered for the
403 * second read. The other sort uses "raw" reads which always go direct to the device. In the latter
404 * case, the content of the virtual file must be retrieved with a single read otherwise a second read
405 * might get the new value instead of finding EOF immediately. That's the reason why the usage of
406 * fread(3) is prohibited in this case as it always performs a second call to read(2) looking for
407 * EOF. See issue #13585.
408 *
409 * max_size specifies a limit on the bytes read. If max_size is SIZE_MAX, the full file is read. If
410 * the full file is too large to read, an error is returned. For other values of max_size, *partial
411 * contents* may be returned. (Though the read is still done using one syscall.) Returns 0 on
412 * partial success, 1 if untruncated contents were read. */
413
414 assert(fd >= 0);
415 assert(max_size <= READ_VIRTUAL_BYTES_MAX || max_size == SIZE_MAX);
416
417 /* Limit the number of attempts to read the number of bytes returned by fstat(). */
418 n_retries = 3;
419
420 for (;;) {
421 struct stat st;
422
423 if (fstat(fd, &st) < 0)
424 return -errno;
425
426 if (!S_ISREG(st.st_mode))
427 return -EBADF;
428
429 /* Be prepared for files from /proc which generally report a file size of 0. */
430 assert_cc(READ_VIRTUAL_BYTES_MAX < SSIZE_MAX);
431 if (st.st_size > 0 && n_retries > 1) {
432 /* Let's use the file size if we have more than 1 attempt left. On the last attempt
433 * we'll ignore the file size */
434
435 if (st.st_size > SSIZE_MAX) { /* Avoid overflow with 32-bit size_t and 64-bit off_t. */
436
437 if (max_size == SIZE_MAX)
438 return -EFBIG;
439
440 size = max_size;
441 } else {
442 size = MIN((size_t) st.st_size, max_size);
443
444 if (size > READ_VIRTUAL_BYTES_MAX)
445 return -EFBIG;
446 }
447
448 n_retries--;
449 } else if (n_retries > 1) {
450 /* Files in /proc are generally smaller than the page size so let's start with
451 * a page size buffer from malloc and only use the max buffer on the final try. */
452 size = MIN3(page_size() - 1, READ_VIRTUAL_BYTES_MAX, max_size);
453 n_retries = 1;
454 } else {
455 size = MIN(READ_VIRTUAL_BYTES_MAX, max_size);
456 n_retries = 0;
457 }
458
459 buf = malloc(size + 1);
460 if (!buf)
461 return -ENOMEM;
462
463 /* Use a bigger allocation if we got it anyway, but not more than the limit. */
464 size = MIN3(MALLOC_SIZEOF_SAFE(buf) - 1, max_size, READ_VIRTUAL_BYTES_MAX);
465
466 for (;;) {
467 ssize_t k;
468
469 /* Read one more byte so we can detect whether the content of the
470 * file has already changed or the guessed size for files from /proc
471 * wasn't large enough . */
472 k = read(fd, buf, size + 1);
473 if (k >= 0) {
474 n = k;
475 break;
476 }
477
478 if (errno != EINTR)
479 return -errno;
480 }
481
482 /* Consider a short read as EOF */
483 if (n <= size)
484 break;
485
486 /* If a maximum size is specified and we already read more we know the file is larger, and
487 * can handle this as truncation case. Note that if the size of what we read equals the
488 * maximum size then this doesn't mean truncation, the file might or might not end on that
489 * byte. We need to rerun the loop in that case, with a larger buffer size, so that we read
490 * at least one more byte to be able to distinguish EOF from truncation. */
491 if (max_size != SIZE_MAX && n > max_size) {
492 n = size; /* Make sure we never use more than what we sized the buffer for (so that
493 * we have one free byte in it for the trailing NUL we add below). */
494 truncated = true;
495 break;
496 }
497
498 /* We have no further attempts left? Then the file is apparently larger than our limits. Give up. */
499 if (n_retries <= 0)
500 return -EFBIG;
501
502 /* Hmm... either we read too few bytes from /proc or less likely the content of the file
503 * might have been changed (and is now bigger) while we were processing, let's try again
504 * either with the new file size. */
505
506 if (lseek(fd, 0, SEEK_SET) < 0)
507 return -errno;
508
509 buf = mfree(buf);
510 }
511
512 if (ret_contents) {
513
514 /* Safety check: if the caller doesn't want to know the size of what we just read it will
515 * rely on the trailing NUL byte. But if there's an embedded NUL byte, then we should refuse
516 * operation as otherwise there'd be ambiguity about what we just read. */
517 if (!ret_size && memchr(buf, 0, n))
518 return -EBADMSG;
519
520 if (n < size) {
521 char *p;
522
523 /* Return rest of the buffer to libc */
524 p = realloc(buf, n + 1);
525 if (!p)
526 return -ENOMEM;
527 buf = p;
528 }
529
530 buf[n] = 0;
531 *ret_contents = TAKE_PTR(buf);
532 }
533
534 if (ret_size)
535 *ret_size = n;
536
537 return !truncated;
538 }
539
540 int read_virtual_file_at(
541 int dir_fd,
542 const char *filename,
543 size_t max_size,
544 char **ret_contents,
545 size_t *ret_size) {
546
547 _cleanup_close_ int fd = -EBADF;
548
549 assert(dir_fd >= 0 || dir_fd == AT_FDCWD);
550
551 if (!filename) {
552 if (dir_fd == AT_FDCWD)
553 return -EBADF;
554
555 return read_virtual_file_fd(dir_fd, max_size, ret_contents, ret_size);
556 }
557
558 fd = openat(dir_fd, filename, O_RDONLY | O_NOCTTY | O_CLOEXEC);
559 if (fd < 0)
560 return -errno;
561
562 return read_virtual_file_fd(fd, max_size, ret_contents, ret_size);
563 }
564
565 int read_full_stream_full(
566 FILE *f,
567 const char *filename,
568 uint64_t offset,
569 size_t size,
570 ReadFullFileFlags flags,
571 char **ret_contents,
572 size_t *ret_size) {
573
574 _cleanup_free_ char *buf = NULL;
575 size_t n, n_next = 0, l;
576 int fd, r;
577
578 assert(f);
579 assert(ret_contents);
580 assert(!FLAGS_SET(flags, READ_FULL_FILE_UNBASE64 | READ_FULL_FILE_UNHEX));
581 assert(size != SIZE_MAX || !FLAGS_SET(flags, READ_FULL_FILE_FAIL_WHEN_LARGER));
582
583 if (offset != UINT64_MAX && offset > LONG_MAX) /* fseek() can only deal with "long" offsets */
584 return -ERANGE;
585
586 fd = fileno(f);
587 if (fd >= 0) { /* If the FILE* object is backed by an fd (as opposed to memory or such, see
588 * fmemopen()), let's optimize our buffering */
589 struct stat st;
590
591 if (fstat(fd, &st) < 0)
592 return -errno;
593
594 if (S_ISREG(st.st_mode)) {
595
596 /* Try to start with the right file size if we shall read the file in full. Note
597 * that we increase the size to read here by one, so that the first read attempt
598 * already makes us notice the EOF. If the reported size of the file is zero, we
599 * avoid this logic however, since quite likely it might be a virtual file in procfs
600 * that all report a zero file size. */
601
602 if (st.st_size > 0 &&
603 (size == SIZE_MAX || FLAGS_SET(flags, READ_FULL_FILE_FAIL_WHEN_LARGER))) {
604
605 uint64_t rsize =
606 LESS_BY((uint64_t) st.st_size, offset == UINT64_MAX ? 0 : offset);
607
608 if (rsize < SIZE_MAX) /* overflow check */
609 n_next = rsize + 1;
610 }
611
612 if (flags & READ_FULL_FILE_WARN_WORLD_READABLE)
613 (void) warn_file_is_world_accessible(filename, &st, NULL, 0);
614 }
615 }
616
617 /* If we don't know how much to read, figure it out now. If we shall read a part of the file, then
618 * allocate the requested size. If we shall load the full file start with LINE_MAX. Note that if
619 * READ_FULL_FILE_FAIL_WHEN_LARGER we consider the specified size a safety limit, and thus also start
620 * with LINE_MAX, under assumption the file is most likely much shorter. */
621 if (n_next == 0)
622 n_next = size != SIZE_MAX && !FLAGS_SET(flags, READ_FULL_FILE_FAIL_WHEN_LARGER) ? size : LINE_MAX;
623
624 /* Never read more than we need to determine that our own limit is hit */
625 if (n_next > READ_FULL_BYTES_MAX)
626 n_next = READ_FULL_BYTES_MAX + 1;
627
628 if (offset != UINT64_MAX && fseek(f, offset, SEEK_SET) < 0)
629 return -errno;
630
631 n = l = 0;
632 for (;;) {
633 char *t;
634 size_t k;
635
636 /* If we shall fail when reading overly large data, then read exactly one byte more than the
637 * specified size at max, since that'll tell us if there's anymore data beyond the limit*/
638 if (FLAGS_SET(flags, READ_FULL_FILE_FAIL_WHEN_LARGER) && n_next > size)
639 n_next = size + 1;
640
641 if (flags & READ_FULL_FILE_SECURE) {
642 t = malloc(n_next + 1);
643 if (!t) {
644 r = -ENOMEM;
645 goto finalize;
646 }
647 memcpy_safe(t, buf, n);
648 explicit_bzero_safe(buf, n);
649 free(buf);
650 } else {
651 t = realloc(buf, n_next + 1);
652 if (!t)
653 return -ENOMEM;
654 }
655
656 buf = t;
657 /* Unless a size has been explicitly specified, try to read as much as fits into the memory
658 * we allocated (minus 1, to leave one byte for the safety NUL byte) */
659 n = size == SIZE_MAX ? MALLOC_SIZEOF_SAFE(buf) - 1 : n_next;
660
661 errno = 0;
662 k = fread(buf + l, 1, n - l, f);
663
664 assert(k <= n - l);
665 l += k;
666
667 if (ferror(f)) {
668 r = errno_or_else(EIO);
669 goto finalize;
670 }
671 if (feof(f))
672 break;
673
674 if (size != SIZE_MAX && !FLAGS_SET(flags, READ_FULL_FILE_FAIL_WHEN_LARGER)) { /* If we got asked to read some specific size, we already sized the buffer right, hence leave */
675 assert(l == size);
676 break;
677 }
678
679 assert(k > 0); /* we can't have read zero bytes because that would have been EOF */
680
681 if (FLAGS_SET(flags, READ_FULL_FILE_FAIL_WHEN_LARGER) && l > size) {
682 r = -E2BIG;
683 goto finalize;
684 }
685
686 if (n >= READ_FULL_BYTES_MAX) {
687 r = -E2BIG;
688 goto finalize;
689 }
690
691 n_next = MIN(n * 2, READ_FULL_BYTES_MAX);
692 }
693
694 if (flags & (READ_FULL_FILE_UNBASE64 | READ_FULL_FILE_UNHEX)) {
695 _cleanup_free_ void *decoded = NULL;
696 size_t decoded_size;
697
698 buf[l++] = 0;
699 if (flags & READ_FULL_FILE_UNBASE64)
700 r = unbase64mem_full(buf, l, flags & READ_FULL_FILE_SECURE, &decoded, &decoded_size);
701 else
702 r = unhexmem_full(buf, l, flags & READ_FULL_FILE_SECURE, &decoded, &decoded_size);
703 if (r < 0)
704 goto finalize;
705
706 if (flags & READ_FULL_FILE_SECURE)
707 explicit_bzero_safe(buf, n);
708 free_and_replace(buf, decoded);
709 n = l = decoded_size;
710 }
711
712 if (!ret_size) {
713 /* Safety check: if the caller doesn't want to know the size of what we just read it will rely on the
714 * trailing NUL byte. But if there's an embedded NUL byte, then we should refuse operation as otherwise
715 * there'd be ambiguity about what we just read. */
716
717 if (memchr(buf, 0, l)) {
718 r = -EBADMSG;
719 goto finalize;
720 }
721 }
722
723 buf[l] = 0;
724 *ret_contents = TAKE_PTR(buf);
725
726 if (ret_size)
727 *ret_size = l;
728
729 return 0;
730
731 finalize:
732 if (flags & READ_FULL_FILE_SECURE)
733 explicit_bzero_safe(buf, n);
734
735 return r;
736 }
737
738 int read_full_file_full(
739 int dir_fd,
740 const char *filename,
741 uint64_t offset,
742 size_t size,
743 ReadFullFileFlags flags,
744 const char *bind_name,
745 char **ret_contents,
746 size_t *ret_size) {
747
748 _cleanup_fclose_ FILE *f = NULL;
749 XfopenFlags xflags = XFOPEN_UNLOCKED;
750 int r;
751
752 assert(filename);
753 assert(ret_contents);
754
755 if (FLAGS_SET(flags, READ_FULL_FILE_CONNECT_SOCKET) && /* If this is enabled, let's try to connect to it */
756 offset == UINT64_MAX) /* Seeking is not supported on AF_UNIX sockets */
757 xflags |= XFOPEN_SOCKET;
758
759 r = xfopenat_full(dir_fd, filename, "re", 0, xflags, bind_name, &f);
760 if (r < 0)
761 return r;
762
763 return read_full_stream_full(f, filename, offset, size, flags, ret_contents, ret_size);
764 }
765
766 int executable_is_script(const char *path, char **interpreter) {
767 _cleanup_free_ char *line = NULL;
768 size_t len;
769 char *ans;
770 int r;
771
772 assert(path);
773
774 r = read_one_line_file(path, &line);
775 if (r == -ENOBUFS) /* First line overly long? if so, then it's not a script */
776 return 0;
777 if (r < 0)
778 return r;
779
780 if (!startswith(line, "#!"))
781 return 0;
782
783 ans = strstrip(line + 2);
784 len = strcspn(ans, " \t");
785
786 if (len == 0)
787 return 0;
788
789 ans = strndup(ans, len);
790 if (!ans)
791 return -ENOMEM;
792
793 *interpreter = ans;
794 return 1;
795 }
796
797 /**
798 * Retrieve one field from a file like /proc/self/status. pattern
799 * should not include whitespace or the delimiter (':'). pattern matches only
800 * the beginning of a line. Whitespace before ':' is skipped. Whitespace and
801 * zeros after the ':' will be skipped. field must be freed afterwards.
802 * terminator specifies the terminating characters of the field value (not
803 * included in the value).
804 */
805 int get_proc_field(const char *filename, const char *pattern, const char *terminator, char **field) {
806 _cleanup_free_ char *status = NULL;
807 char *t, *f;
808 int r;
809
810 assert(terminator);
811 assert(filename);
812 assert(pattern);
813 assert(field);
814
815 r = read_full_virtual_file(filename, &status, NULL);
816 if (r < 0)
817 return r;
818
819 t = status;
820
821 do {
822 bool pattern_ok;
823
824 do {
825 t = strstr(t, pattern);
826 if (!t)
827 return -ENOENT;
828
829 /* Check that pattern occurs in beginning of line. */
830 pattern_ok = (t == status || t[-1] == '\n');
831
832 t += strlen(pattern);
833
834 } while (!pattern_ok);
835
836 t += strspn(t, " \t");
837 if (!*t)
838 return -ENOENT;
839
840 } while (*t != ':');
841
842 t++;
843
844 if (*t) {
845 t += strspn(t, " \t");
846
847 /* Also skip zeros, because when this is used for
848 * capabilities, we don't want the zeros. This way the
849 * same capability set always maps to the same string,
850 * irrespective of the total capability set size. For
851 * other numbers it shouldn't matter. */
852 t += strspn(t, "0");
853 /* Back off one char if there's nothing but whitespace
854 and zeros */
855 if (!*t || isspace(*t))
856 t--;
857 }
858
859 f = strdupcspn(t, terminator);
860 if (!f)
861 return -ENOMEM;
862
863 *field = f;
864 return 0;
865 }
866
867 DIR *xopendirat(int fd, const char *name, int flags) {
868 _cleanup_close_ int nfd = -EBADF;
869
870 assert(!(flags & O_CREAT));
871
872 if (fd == AT_FDCWD && flags == 0)
873 return opendir(name);
874
875 nfd = openat(fd, name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|flags, 0);
876 if (nfd < 0)
877 return NULL;
878
879 return take_fdopendir(&nfd);
880 }
881
882 int fopen_mode_to_flags(const char *mode) {
883 const char *p;
884 int flags;
885
886 assert(mode);
887
888 if ((p = startswith(mode, "r+")))
889 flags = O_RDWR;
890 else if ((p = startswith(mode, "r")))
891 flags = O_RDONLY;
892 else if ((p = startswith(mode, "w+")))
893 flags = O_RDWR|O_CREAT|O_TRUNC;
894 else if ((p = startswith(mode, "w")))
895 flags = O_WRONLY|O_CREAT|O_TRUNC;
896 else if ((p = startswith(mode, "a+")))
897 flags = O_RDWR|O_CREAT|O_APPEND;
898 else if ((p = startswith(mode, "a")))
899 flags = O_WRONLY|O_CREAT|O_APPEND;
900 else
901 return -EINVAL;
902
903 for (; *p != 0; p++) {
904
905 switch (*p) {
906
907 case 'e':
908 flags |= O_CLOEXEC;
909 break;
910
911 case 'x':
912 flags |= O_EXCL;
913 break;
914
915 case 'm':
916 /* ignore this here, fdopen() might care later though */
917 break;
918
919 case 'c': /* not sure what to do about this one */
920 default:
921 return -EINVAL;
922 }
923 }
924
925 return flags;
926 }
927
928 static int xfopenat_regular(int dir_fd, const char *path, const char *mode, int open_flags, FILE **ret) {
929 FILE *f;
930
931 /* A combination of fopen() with openat() */
932
933 assert(dir_fd >= 0 || dir_fd == AT_FDCWD);
934 assert(path);
935 assert(mode);
936 assert(ret);
937
938 if (dir_fd == AT_FDCWD && open_flags == 0)
939 f = fopen(path, mode);
940 else {
941 _cleanup_close_ int fd = -EBADF;
942 int mode_flags;
943
944 mode_flags = fopen_mode_to_flags(mode);
945 if (mode_flags < 0)
946 return mode_flags;
947
948 fd = openat(dir_fd, path, mode_flags | open_flags);
949 if (fd < 0)
950 return -errno;
951
952 f = take_fdopen(&fd, mode);
953 }
954 if (!f)
955 return -errno;
956
957 *ret = f;
958 return 0;
959 }
960
961 static int xfopenat_unix_socket(int dir_fd, const char *path, const char *bind_name, FILE **ret) {
962 _cleanup_close_ int sk = -EBADF;
963 FILE *f;
964 int r;
965
966 assert(dir_fd >= 0 || dir_fd == AT_FDCWD);
967 assert(path);
968 assert(ret);
969
970 sk = socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0);
971 if (sk < 0)
972 return -errno;
973
974 if (bind_name) {
975 /* If the caller specified a socket name to bind to, do so before connecting. This is
976 * useful to communicate some minor, short meta-information token from the client to
977 * the server. */
978 union sockaddr_union bsa;
979
980 r = sockaddr_un_set_path(&bsa.un, bind_name);
981 if (r < 0)
982 return r;
983
984 if (bind(sk, &bsa.sa, r) < 0)
985 return -errno;
986 }
987
988 r = connect_unix_path(sk, dir_fd, path);
989 if (r < 0)
990 return r;
991
992 if (shutdown(sk, SHUT_WR) < 0)
993 return -errno;
994
995 f = take_fdopen(&sk, "r");
996 if (!f)
997 return -errno;
998
999 *ret = f;
1000 return 0;
1001 }
1002
1003 int xfopenat_full(
1004 int dir_fd,
1005 const char *path,
1006 const char *mode,
1007 int open_flags,
1008 XfopenFlags flags,
1009 const char *bind_name,
1010 FILE **ret) {
1011
1012 FILE *f = NULL; /* avoid false maybe-uninitialized warning */
1013 int r;
1014
1015 assert(dir_fd >= 0 || dir_fd == AT_FDCWD);
1016 assert(path);
1017 assert(mode);
1018 assert(ret);
1019
1020 r = xfopenat_regular(dir_fd, path, mode, open_flags, &f);
1021 if (r == -ENXIO && FLAGS_SET(flags, XFOPEN_SOCKET)) {
1022 /* ENXIO is what Linux returns if we open a node that is an AF_UNIX socket */
1023 r = xfopenat_unix_socket(dir_fd, path, bind_name, &f);
1024 if (IN_SET(r, -ENOTSOCK, -EINVAL))
1025 return -ENXIO; /* propagate original error if this is not a socket after all */
1026 }
1027 if (r < 0)
1028 return r;
1029
1030 if (FLAGS_SET(flags, XFOPEN_UNLOCKED))
1031 (void) __fsetlocking(f, FSETLOCKING_BYCALLER);
1032
1033 *ret = f;
1034 return 0;
1035 }
1036
1037 int fdopen_independent(int fd, const char *mode, FILE **ret) {
1038 _cleanup_close_ int copy_fd = -EBADF;
1039 _cleanup_fclose_ FILE *f = NULL;
1040 int mode_flags;
1041
1042 assert(fd >= 0);
1043 assert(mode);
1044 assert(ret);
1045
1046 /* A combination of fdopen() + fd_reopen(). i.e. reopens the inode the specified fd points to and
1047 * returns a FILE* for it */
1048
1049 mode_flags = fopen_mode_to_flags(mode);
1050 if (mode_flags < 0)
1051 return mode_flags;
1052
1053 copy_fd = fd_reopen(fd, mode_flags);
1054 if (copy_fd < 0)
1055 return copy_fd;
1056
1057 f = take_fdopen(&copy_fd, mode);
1058 if (!f)
1059 return -errno;
1060
1061 *ret = TAKE_PTR(f);
1062 return 0;
1063 }
1064
1065 static int search_and_fopen_internal(
1066 const char *path,
1067 const char *mode,
1068 const char *root,
1069 char **search,
1070 FILE **ret,
1071 char **ret_path) {
1072
1073 assert(path);
1074 assert(mode);
1075 assert(ret);
1076
1077 if (!path_strv_resolve_uniq(search, root))
1078 return -ENOMEM;
1079
1080 STRV_FOREACH(i, search) {
1081 _cleanup_free_ char *p = NULL;
1082 FILE *f;
1083
1084 p = path_join(root, *i, path);
1085 if (!p)
1086 return -ENOMEM;
1087
1088 f = fopen(p, mode);
1089 if (f) {
1090 if (ret_path)
1091 *ret_path = path_simplify(TAKE_PTR(p));
1092
1093 *ret = f;
1094 return 0;
1095 }
1096
1097 if (errno != ENOENT)
1098 return -errno;
1099 }
1100
1101 return -ENOENT;
1102 }
1103
1104 int search_and_fopen(
1105 const char *filename,
1106 const char *mode,
1107 const char *root,
1108 const char **search,
1109 FILE **ret,
1110 char **ret_path) {
1111
1112 _cleanup_strv_free_ char **copy = NULL;
1113
1114 assert(filename);
1115 assert(mode);
1116 assert(ret);
1117
1118 if (path_is_absolute(filename)) {
1119 _cleanup_fclose_ FILE *f = NULL;
1120
1121 f = fopen(filename, mode);
1122 if (!f)
1123 return -errno;
1124
1125 if (ret_path) {
1126 char *p;
1127
1128 p = strdup(filename);
1129 if (!p)
1130 return -ENOMEM;
1131
1132 *ret_path = path_simplify(p);
1133 }
1134
1135 *ret = TAKE_PTR(f);
1136 return 0;
1137 }
1138
1139 copy = strv_copy((char**) search);
1140 if (!copy)
1141 return -ENOMEM;
1142
1143 return search_and_fopen_internal(filename, mode, root, copy, ret, ret_path);
1144 }
1145
1146 int search_and_fopen_nulstr(
1147 const char *filename,
1148 const char *mode,
1149 const char *root,
1150 const char *search,
1151 FILE **ret,
1152 char **ret_path) {
1153
1154 _cleanup_strv_free_ char **s = NULL;
1155
1156 if (path_is_absolute(filename)) {
1157 _cleanup_fclose_ FILE *f = NULL;
1158
1159 f = fopen(filename, mode);
1160 if (!f)
1161 return -errno;
1162
1163 if (ret_path) {
1164 char *p;
1165
1166 p = strdup(filename);
1167 if (!p)
1168 return -ENOMEM;
1169
1170 *ret_path = path_simplify(p);
1171 }
1172
1173 *ret = TAKE_PTR(f);
1174 return 0;
1175 }
1176
1177 s = strv_split_nulstr(search);
1178 if (!s)
1179 return -ENOMEM;
1180
1181 return search_and_fopen_internal(filename, mode, root, s, ret, ret_path);
1182 }
1183
1184 int fflush_and_check(FILE *f) {
1185 assert(f);
1186
1187 errno = 0;
1188 fflush(f);
1189
1190 if (ferror(f))
1191 return errno_or_else(EIO);
1192
1193 return 0;
1194 }
1195
1196 int fflush_sync_and_check(FILE *f) {
1197 int r, fd;
1198
1199 assert(f);
1200
1201 r = fflush_and_check(f);
1202 if (r < 0)
1203 return r;
1204
1205 /* Not all file streams have an fd associated (think: fmemopen()), let's handle this gracefully and
1206 * assume that in that case we need no explicit syncing */
1207 fd = fileno(f);
1208 if (fd < 0)
1209 return 0;
1210
1211 r = fsync_full(fd);
1212 if (r < 0)
1213 return r;
1214
1215 return 0;
1216 }
1217
1218 int write_timestamp_file_atomic(const char *fn, usec_t n) {
1219 char ln[DECIMAL_STR_MAX(n)+2];
1220
1221 /* Creates a "timestamp" file, that contains nothing but a
1222 * usec_t timestamp, formatted in ASCII. */
1223
1224 if (!timestamp_is_set(n))
1225 return -ERANGE;
1226
1227 xsprintf(ln, USEC_FMT "\n", n);
1228
1229 return write_string_file(fn, ln, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_ATOMIC);
1230 }
1231
1232 int read_timestamp_file(const char *fn, usec_t *ret) {
1233 _cleanup_free_ char *ln = NULL;
1234 uint64_t t;
1235 int r;
1236
1237 r = read_one_line_file(fn, &ln);
1238 if (r < 0)
1239 return r;
1240
1241 r = safe_atou64(ln, &t);
1242 if (r < 0)
1243 return r;
1244
1245 if (!timestamp_is_set(t))
1246 return -ERANGE;
1247
1248 *ret = (usec_t) t;
1249 return 0;
1250 }
1251
1252 int fputs_with_space(FILE *f, const char *s, const char *separator, bool *space) {
1253 int r;
1254
1255 assert(s);
1256
1257 /* Outputs the specified string with fputs(), but optionally prefixes it with a separator. The *space parameter
1258 * when specified shall initially point to a boolean variable initialized to false. It is set to true after the
1259 * first invocation. This call is supposed to be use in loops, where a separator shall be inserted between each
1260 * element, but not before the first one. */
1261
1262 if (!f)
1263 f = stdout;
1264
1265 if (space) {
1266 if (!separator)
1267 separator = " ";
1268
1269 if (*space) {
1270 r = fputs(separator, f);
1271 if (r < 0)
1272 return r;
1273 }
1274
1275 *space = true;
1276 }
1277
1278 return fputs(s, f);
1279 }
1280
1281 /* A bitmask of the EOL markers we know */
1282 typedef enum EndOfLineMarker {
1283 EOL_NONE = 0,
1284 EOL_ZERO = 1 << 0, /* \0 (aka NUL) */
1285 EOL_TEN = 1 << 1, /* \n (aka NL, aka LF) */
1286 EOL_THIRTEEN = 1 << 2, /* \r (aka CR) */
1287 } EndOfLineMarker;
1288
1289 static EndOfLineMarker categorize_eol(char c, ReadLineFlags flags) {
1290
1291 if (!FLAGS_SET(flags, READ_LINE_ONLY_NUL)) {
1292 if (c == '\n')
1293 return EOL_TEN;
1294 if (c == '\r')
1295 return EOL_THIRTEEN;
1296 }
1297
1298 if (c == '\0')
1299 return EOL_ZERO;
1300
1301 return EOL_NONE;
1302 }
1303
1304 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(FILE*, funlockfile, NULL);
1305
1306 int read_line_full(FILE *f, size_t limit, ReadLineFlags flags, char **ret) {
1307 _cleanup_free_ char *buffer = NULL;
1308 size_t n = 0, count = 0;
1309 int r;
1310
1311 assert(f);
1312
1313 /* Something like a bounded version of getline().
1314 *
1315 * Considers EOF, \n, \r and \0 end of line delimiters (or combinations of these), and does not include these
1316 * delimiters in the string returned. Specifically, recognizes the following combinations of markers as line
1317 * endings:
1318 *
1319 * • \n (UNIX)
1320 * • \r (old MacOS)
1321 * • \0 (C strings)
1322 * • \n\0
1323 * • \r\0
1324 * • \r\n (Windows)
1325 * • \n\r
1326 * • \r\n\0
1327 * • \n\r\0
1328 *
1329 * Returns the number of bytes read from the files (i.e. including delimiters — this hence usually differs from
1330 * the number of characters in the returned string). When EOF is hit, 0 is returned.
1331 *
1332 * The input parameter limit is the maximum numbers of characters in the returned string, i.e. excluding
1333 * delimiters. If the limit is hit we fail and return -ENOBUFS.
1334 *
1335 * If a line shall be skipped ret may be initialized as NULL. */
1336
1337 if (ret) {
1338 if (!GREEDY_REALLOC(buffer, 1))
1339 return -ENOMEM;
1340 }
1341
1342 {
1343 _unused_ _cleanup_(funlockfilep) FILE *flocked = f;
1344 EndOfLineMarker previous_eol = EOL_NONE;
1345 flockfile(f);
1346
1347 for (;;) {
1348 EndOfLineMarker eol;
1349 char c;
1350
1351 if (n >= limit)
1352 return -ENOBUFS;
1353
1354 if (count >= INT_MAX) /* We couldn't return the counter anymore as "int", hence refuse this */
1355 return -ENOBUFS;
1356
1357 r = safe_fgetc(f, &c);
1358 if (r < 0)
1359 return r;
1360 if (r == 0) /* EOF is definitely EOL */
1361 break;
1362
1363 eol = categorize_eol(c, flags);
1364
1365 if (FLAGS_SET(previous_eol, EOL_ZERO) ||
1366 (eol == EOL_NONE && previous_eol != EOL_NONE) ||
1367 (eol != EOL_NONE && (previous_eol & eol) != 0)) {
1368 /* Previous char was a NUL? This is not an EOL, but the previous char was? This type of
1369 * EOL marker has been seen right before? In either of these three cases we are
1370 * done. But first, let's put this character back in the queue. (Note that we have to
1371 * cast this to (unsigned char) here as ungetc() expects a positive 'int', and if we
1372 * are on an architecture where 'char' equals 'signed char' we need to ensure we don't
1373 * pass a negative value here. That said, to complicate things further ungetc() is
1374 * actually happy with most negative characters and implicitly casts them back to
1375 * positive ones as needed, except for \xff (aka -1, aka EOF), which it refuses. What a
1376 * godawful API!) */
1377 assert_se(ungetc((unsigned char) c, f) != EOF);
1378 break;
1379 }
1380
1381 count++;
1382
1383 if (eol != EOL_NONE) {
1384 /* If we are on a tty, we can't shouldn't wait for more input, because that
1385 * generally means waiting for the user, interactively. In the case of a TTY
1386 * we expect only \n as the single EOL marker, so we are in the lucky
1387 * position that there is no need to wait. We check this condition last, to
1388 * avoid isatty() check if not necessary. */
1389
1390 if ((flags & (READ_LINE_IS_A_TTY|READ_LINE_NOT_A_TTY)) == 0) {
1391 int fd;
1392
1393 fd = fileno(f);
1394 if (fd < 0) /* Maybe an fmemopen() stream? Handle this gracefully,
1395 * and don't call isatty() on an invalid fd */
1396 flags |= READ_LINE_NOT_A_TTY;
1397 else
1398 flags |= isatty(fd) ? READ_LINE_IS_A_TTY : READ_LINE_NOT_A_TTY;
1399 }
1400 if (FLAGS_SET(flags, READ_LINE_IS_A_TTY))
1401 break;
1402 }
1403
1404 if (eol != EOL_NONE) {
1405 previous_eol |= eol;
1406 continue;
1407 }
1408
1409 if (ret) {
1410 if (!GREEDY_REALLOC(buffer, n + 2))
1411 return -ENOMEM;
1412
1413 buffer[n] = c;
1414 }
1415
1416 n++;
1417 }
1418 }
1419
1420 if (ret) {
1421 buffer[n] = 0;
1422
1423 *ret = TAKE_PTR(buffer);
1424 }
1425
1426 return (int) count;
1427 }
1428
1429 int safe_fgetc(FILE *f, char *ret) {
1430 int k;
1431
1432 assert(f);
1433
1434 /* A safer version of plain fgetc(): let's propagate the error that happened while reading as such, and
1435 * separate the EOF condition from the byte read, to avoid those confusion signed/unsigned issues fgetc()
1436 * has. */
1437
1438 errno = 0;
1439 k = fgetc(f);
1440 if (k == EOF) {
1441 if (ferror(f))
1442 return errno_or_else(EIO);
1443
1444 if (ret)
1445 *ret = 0;
1446
1447 return 0;
1448 }
1449
1450 if (ret)
1451 *ret = k;
1452
1453 return 1;
1454 }
1455
1456 int warn_file_is_world_accessible(const char *filename, struct stat *st, const char *unit, unsigned line) {
1457 struct stat _st;
1458
1459 if (!filename)
1460 return 0;
1461
1462 if (!st) {
1463 if (stat(filename, &_st) < 0)
1464 return -errno;
1465 st = &_st;
1466 }
1467
1468 if ((st->st_mode & S_IRWXO) == 0)
1469 return 0;
1470
1471 if (unit)
1472 log_syntax(unit, LOG_WARNING, filename, line, 0,
1473 "%s has %04o mode that is too permissive, please adjust the ownership and access mode.",
1474 filename, st->st_mode & 07777);
1475 else
1476 log_warning("%s has %04o mode that is too permissive, please adjust the ownership and access mode.",
1477 filename, st->st_mode & 07777);
1478 return 0;
1479 }
Unnamed repository; edit this file 'description' to name the repository.