]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/basic/fs-util.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ethtool: add several new link modes
[thirdparty/systemd.git] / src / basic / fs-util.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #include <errno.h>
4 #include <stddef.h>
5 #include <stdlib.h>
6 #include <linux/falloc.h>
7 #include <linux/magic.h>
8 #include <unistd.h>
9
10 #include "alloc-util.h"
11 #include "blockdev-util.h"
12 #include "dirent-util.h"
13 #include "fd-util.h"
14 #include "fileio.h"
15 #include "fs-util.h"
16 #include "locale-util.h"
17 #include "log.h"
18 #include "macro.h"
19 #include "missing_fcntl.h"
20 #include "missing_fs.h"
21 #include "missing_syscall.h"
22 #include "mkdir.h"
23 #include "parse-util.h"
24 #include "path-util.h"
25 #include "process-util.h"
26 #include "random-util.h"
27 #include "stat-util.h"
28 #include "stdio-util.h"
29 #include "string-util.h"
30 #include "strv.h"
31 #include "time-util.h"
32 #include "tmpfile-util.h"
33 #include "user-util.h"
34 #include "util.h"
35
36 int unlink_noerrno(const char *path) {
37 PROTECT_ERRNO;
38 int r;
39
40 r = unlink(path);
41 if (r < 0)
42 return -errno;
43
44 return 0;
45 }
46
47 int rmdir_parents(const char *path, const char *stop) {
48 size_t l;
49 int r = 0;
50
51 assert(path);
52 assert(stop);
53
54 l = strlen(path);
55
56 /* Skip trailing slashes */
57 while (l > 0 && path[l-1] == '/')
58 l--;
59
60 while (l > 0) {
61 char *t;
62
63 /* Skip last component */
64 while (l > 0 && path[l-1] != '/')
65 l--;
66
67 /* Skip trailing slashes */
68 while (l > 0 && path[l-1] == '/')
69 l--;
70
71 if (l <= 0)
72 break;
73
74 t = strndup(path, l);
75 if (!t)
76 return -ENOMEM;
77
78 if (path_startswith(stop, t)) {
79 free(t);
80 return 0;
81 }
82
83 r = rmdir(t);
84 free(t);
85
86 if (r < 0)
87 if (errno != ENOENT)
88 return -errno;
89 }
90
91 return 0;
92 }
93
94 int rename_noreplace(int olddirfd, const char *oldpath, int newdirfd, const char *newpath) {
95 int r;
96
97 /* Try the ideal approach first */
98 if (renameat2(olddirfd, oldpath, newdirfd, newpath, RENAME_NOREPLACE) >= 0)
99 return 0;
100
101 /* renameat2() exists since Linux 3.15, btrfs and FAT added support for it later. If it is not implemented,
102 * fall back to a different method. */
103 if (!IN_SET(errno, EINVAL, ENOSYS, ENOTTY))
104 return -errno;
105
106 /* Let's try to use linkat()+unlinkat() as fallback. This doesn't work on directories and on some file systems
107 * that do not support hard links (such as FAT, most prominently), but for files it's pretty close to what we
108 * want — though not atomic (i.e. for a short period both the new and the old filename will exist). */
109 if (linkat(olddirfd, oldpath, newdirfd, newpath, 0) >= 0) {
110
111 if (unlinkat(olddirfd, oldpath, 0) < 0) {
112 r = -errno; /* Backup errno before the following unlinkat() alters it */
113 (void) unlinkat(newdirfd, newpath, 0);
114 return r;
115 }
116
117 return 0;
118 }
119
120 if (!IN_SET(errno, EINVAL, ENOSYS, ENOTTY, EPERM)) /* FAT returns EPERM on link()… */
121 return -errno;
122
123 /* OK, neither RENAME_NOREPLACE nor linkat()+unlinkat() worked. Let's then fall back to the racy TOCTOU
124 * vulnerable accessat(F_OK) check followed by classic, replacing renameat(), we have nothing better. */
125
126 if (faccessat(newdirfd, newpath, F_OK, AT_SYMLINK_NOFOLLOW) >= 0)
127 return -EEXIST;
128 if (errno != ENOENT)
129 return -errno;
130
131 if (renameat(olddirfd, oldpath, newdirfd, newpath) < 0)
132 return -errno;
133
134 return 0;
135 }
136
137 int readlinkat_malloc(int fd, const char *p, char **ret) {
138 size_t l = FILENAME_MAX+1;
139 int r;
140
141 assert(p);
142 assert(ret);
143
144 for (;;) {
145 char *c;
146 ssize_t n;
147
148 c = new(char, l);
149 if (!c)
150 return -ENOMEM;
151
152 n = readlinkat(fd, p, c, l-1);
153 if (n < 0) {
154 r = -errno;
155 free(c);
156 return r;
157 }
158
159 if ((size_t) n < l-1) {
160 c[n] = 0;
161 *ret = c;
162 return 0;
163 }
164
165 free(c);
166 l *= 2;
167 }
168 }
169
170 int readlink_malloc(const char *p, char **ret) {
171 return readlinkat_malloc(AT_FDCWD, p, ret);
172 }
173
174 int readlink_value(const char *p, char **ret) {
175 _cleanup_free_ char *link = NULL;
176 char *value;
177 int r;
178
179 r = readlink_malloc(p, &link);
180 if (r < 0)
181 return r;
182
183 value = basename(link);
184 if (!value)
185 return -ENOENT;
186
187 value = strdup(value);
188 if (!value)
189 return -ENOMEM;
190
191 *ret = value;
192
193 return 0;
194 }
195
196 int readlink_and_make_absolute(const char *p, char **r) {
197 _cleanup_free_ char *target = NULL;
198 char *k;
199 int j;
200
201 assert(p);
202 assert(r);
203
204 j = readlink_malloc(p, &target);
205 if (j < 0)
206 return j;
207
208 k = file_in_same_dir(p, target);
209 if (!k)
210 return -ENOMEM;
211
212 *r = k;
213 return 0;
214 }
215
216 int chmod_and_chown(const char *path, mode_t mode, uid_t uid, gid_t gid) {
217 _cleanup_close_ int fd = -1;
218
219 assert(path);
220
221 fd = open(path, O_PATH|O_CLOEXEC|O_NOFOLLOW); /* Let's acquire an O_PATH fd, as precaution to change
222 * mode/owner on the same file */
223 if (fd < 0)
224 return -errno;
225
226 return fchmod_and_chown(fd, mode, uid, gid);
227 }
228
229 int fchmod_and_chown(int fd, mode_t mode, uid_t uid, gid_t gid) {
230 bool do_chown, do_chmod;
231 struct stat st;
232 int r;
233
234 /* Change ownership and access mode of the specified fd. Tries to do so safely, ensuring that at no
235 * point in time the access mode is above the old access mode under the old ownership or the new
236 * access mode under the new ownership. Note: this call tries hard to leave the access mode
237 * unaffected if the uid/gid is changed, i.e. it undoes implicit suid/sgid dropping the kernel does
238 * on chown().
239 *
240 * This call is happy with O_PATH fds. */
241
242 if (fstat(fd, &st) < 0)
243 return -errno;
244
245 do_chown =
246 (uid != UID_INVALID && st.st_uid != uid) ||
247 (gid != GID_INVALID && st.st_gid != gid);
248
249 do_chmod =
250 !S_ISLNK(st.st_mode) && /* chmod is not defined on symlinks */
251 ((mode != MODE_INVALID && ((st.st_mode ^ mode) & 07777) != 0) ||
252 do_chown); /* If we change ownership, make sure we reset the mode afterwards, since chown()
253 * modifies the access mode too */
254
255 if (mode == MODE_INVALID)
256 mode = st.st_mode; /* If we only shall do a chown(), save original mode, since chown() might break it. */
257 else if ((mode & S_IFMT) != 0 && ((mode ^ st.st_mode) & S_IFMT) != 0)
258 return -EINVAL; /* insist on the right file type if it was specified */
259
260 if (do_chown && do_chmod) {
261 mode_t minimal = st.st_mode & mode; /* the subset of the old and the new mask */
262
263 if (((minimal ^ st.st_mode) & 07777) != 0) {
264 r = fchmod_opath(fd, minimal & 07777);
265 if (r < 0)
266 return r;
267 }
268 }
269
270 if (do_chown)
271 if (fchownat(fd, "", uid, gid, AT_EMPTY_PATH) < 0)
272 return -errno;
273
274 if (do_chmod) {
275 r = fchmod_opath(fd, mode & 07777);
276 if (r < 0)
277 return r;
278 }
279
280 return do_chown || do_chmod;
281 }
282
283 int fchmod_umask(int fd, mode_t m) {
284 mode_t u;
285 int r;
286
287 u = umask(0777);
288 r = fchmod(fd, m & (~u)) < 0 ? -errno : 0;
289 umask(u);
290
291 return r;
292 }
293
294 int fchmod_opath(int fd, mode_t m) {
295 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
296
297 /* This function operates also on fd that might have been opened with
298 * O_PATH. Indeed fchmodat() doesn't have the AT_EMPTY_PATH flag like
299 * fchownat() does. */
300
301 xsprintf(procfs_path, "/proc/self/fd/%i", fd);
302 if (chmod(procfs_path, m) < 0) {
303 if (errno != ENOENT)
304 return -errno;
305
306 if (proc_mounted() == 0)
307 return -ENOSYS; /* if we have no /proc/, the concept is not implementable */
308
309 return -ENOENT;
310 }
311
312 return 0;
313 }
314
315 int stat_warn_permissions(const char *path, const struct stat *st) {
316 assert(path);
317 assert(st);
318
319 /* Don't complain if we are reading something that is not a file, for example /dev/null */
320 if (!S_ISREG(st->st_mode))
321 return 0;
322
323 if (st->st_mode & 0111)
324 log_warning("Configuration file %s is marked executable. Please remove executable permission bits. Proceeding anyway.", path);
325
326 if (st->st_mode & 0002)
327 log_warning("Configuration file %s is marked world-writable. Please remove world writability permission bits. Proceeding anyway.", path);
328
329 if (getpid_cached() == 1 && (st->st_mode & 0044) != 0044)
330 log_warning("Configuration file %s is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.", path);
331
332 return 0;
333 }
334
335 int fd_warn_permissions(const char *path, int fd) {
336 struct stat st;
337
338 assert(path);
339 assert(fd >= 0);
340
341 if (fstat(fd, &st) < 0)
342 return -errno;
343
344 return stat_warn_permissions(path, &st);
345 }
346
347 int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode) {
348 char fdpath[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
349 _cleanup_close_ int fd = -1;
350 int r, ret = 0;
351
352 assert(path);
353
354 /* Note that touch_file() does not follow symlinks: if invoked on an existing symlink, then it is the symlink
355 * itself which is updated, not its target
356 *
357 * Returns the first error we encounter, but tries to apply as much as possible. */
358
359 if (parents)
360 (void) mkdir_parents(path, 0755);
361
362 /* Initially, we try to open the node with O_PATH, so that we get a reference to the node. This is useful in
363 * case the path refers to an existing device or socket node, as we can open it successfully in all cases, and
364 * won't trigger any driver magic or so. */
365 fd = open(path, O_PATH|O_CLOEXEC|O_NOFOLLOW);
366 if (fd < 0) {
367 if (errno != ENOENT)
368 return -errno;
369
370 /* if the node doesn't exist yet, we create it, but with O_EXCL, so that we only create a regular file
371 * here, and nothing else */
372 fd = open(path, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, IN_SET(mode, 0, MODE_INVALID) ? 0644 : mode);
373 if (fd < 0)
374 return -errno;
375 }
376
377 /* Let's make a path from the fd, and operate on that. With this logic, we can adjust the access mode,
378 * ownership and time of the file node in all cases, even if the fd refers to an O_PATH object — which is
379 * something fchown(), fchmod(), futimensat() don't allow. */
380 xsprintf(fdpath, "/proc/self/fd/%i", fd);
381
382 ret = fchmod_and_chown(fd, mode, uid, gid);
383
384 if (stamp != USEC_INFINITY) {
385 struct timespec ts[2];
386
387 timespec_store(&ts[0], stamp);
388 ts[1] = ts[0];
389 r = utimensat(AT_FDCWD, fdpath, ts, 0);
390 } else
391 r = utimensat(AT_FDCWD, fdpath, NULL, 0);
392 if (r < 0 && ret >= 0)
393 return -errno;
394
395 return ret;
396 }
397
398 int touch(const char *path) {
399 return touch_file(path, false, USEC_INFINITY, UID_INVALID, GID_INVALID, MODE_INVALID);
400 }
401
402 int symlink_idempotent(const char *from, const char *to, bool make_relative) {
403 _cleanup_free_ char *relpath = NULL;
404 int r;
405
406 assert(from);
407 assert(to);
408
409 if (make_relative) {
410 _cleanup_free_ char *parent = NULL;
411
412 parent = dirname_malloc(to);
413 if (!parent)
414 return -ENOMEM;
415
416 r = path_make_relative(parent, from, &relpath);
417 if (r < 0)
418 return r;
419
420 from = relpath;
421 }
422
423 if (symlink(from, to) < 0) {
424 _cleanup_free_ char *p = NULL;
425
426 if (errno != EEXIST)
427 return -errno;
428
429 r = readlink_malloc(to, &p);
430 if (r == -EINVAL) /* Not a symlink? In that case return the original error we encountered: -EEXIST */
431 return -EEXIST;
432 if (r < 0) /* Any other error? In that case propagate it as is */
433 return r;
434
435 if (!streq(p, from)) /* Not the symlink we want it to be? In that case, propagate the original -EEXIST */
436 return -EEXIST;
437 }
438
439 return 0;
440 }
441
442 int symlink_atomic(const char *from, const char *to) {
443 _cleanup_free_ char *t = NULL;
444 int r;
445
446 assert(from);
447 assert(to);
448
449 r = tempfn_random(to, NULL, &t);
450 if (r < 0)
451 return r;
452
453 if (symlink(from, t) < 0)
454 return -errno;
455
456 if (rename(t, to) < 0) {
457 unlink_noerrno(t);
458 return -errno;
459 }
460
461 return 0;
462 }
463
464 int mknod_atomic(const char *path, mode_t mode, dev_t dev) {
465 _cleanup_free_ char *t = NULL;
466 int r;
467
468 assert(path);
469
470 r = tempfn_random(path, NULL, &t);
471 if (r < 0)
472 return r;
473
474 if (mknod(t, mode, dev) < 0)
475 return -errno;
476
477 if (rename(t, path) < 0) {
478 unlink_noerrno(t);
479 return -errno;
480 }
481
482 return 0;
483 }
484
485 int mkfifo_atomic(const char *path, mode_t mode) {
486 _cleanup_free_ char *t = NULL;
487 int r;
488
489 assert(path);
490
491 r = tempfn_random(path, NULL, &t);
492 if (r < 0)
493 return r;
494
495 if (mkfifo(t, mode) < 0)
496 return -errno;
497
498 if (rename(t, path) < 0) {
499 unlink_noerrno(t);
500 return -errno;
501 }
502
503 return 0;
504 }
505
506 int mkfifoat_atomic(int dirfd, const char *path, mode_t mode) {
507 _cleanup_free_ char *t = NULL;
508 int r;
509
510 assert(path);
511
512 if (path_is_absolute(path))
513 return mkfifo_atomic(path, mode);
514
515 /* We're only interested in the (random) filename. */
516 r = tempfn_random_child("", NULL, &t);
517 if (r < 0)
518 return r;
519
520 if (mkfifoat(dirfd, t, mode) < 0)
521 return -errno;
522
523 if (renameat(dirfd, t, dirfd, path) < 0) {
524 unlink_noerrno(t);
525 return -errno;
526 }
527
528 return 0;
529 }
530
531 int get_files_in_directory(const char *path, char ***list) {
532 _cleanup_closedir_ DIR *d = NULL;
533 struct dirent *de;
534 size_t bufsize = 0, n = 0;
535 _cleanup_strv_free_ char **l = NULL;
536
537 assert(path);
538
539 /* Returns all files in a directory in *list, and the number
540 * of files as return value. If list is NULL returns only the
541 * number. */
542
543 d = opendir(path);
544 if (!d)
545 return -errno;
546
547 FOREACH_DIRENT_ALL(de, d, return -errno) {
548 dirent_ensure_type(d, de);
549
550 if (!dirent_is_file(de))
551 continue;
552
553 if (list) {
554 /* one extra slot is needed for the terminating NULL */
555 if (!GREEDY_REALLOC(l, bufsize, n + 2))
556 return -ENOMEM;
557
558 l[n] = strdup(de->d_name);
559 if (!l[n])
560 return -ENOMEM;
561
562 l[++n] = NULL;
563 } else
564 n++;
565 }
566
567 if (list)
568 *list = TAKE_PTR(l);
569
570 return n;
571 }
572
573 static int getenv_tmp_dir(const char **ret_path) {
574 const char *n;
575 int r, ret = 0;
576
577 assert(ret_path);
578
579 /* We use the same order of environment variables python uses in tempfile.gettempdir():
580 * https://docs.python.org/3/library/tempfile.html#tempfile.gettempdir */
581 FOREACH_STRING(n, "TMPDIR", "TEMP", "TMP") {
582 const char *e;
583
584 e = secure_getenv(n);
585 if (!e)
586 continue;
587 if (!path_is_absolute(e)) {
588 r = -ENOTDIR;
589 goto next;
590 }
591 if (!path_is_normalized(e)) {
592 r = -EPERM;
593 goto next;
594 }
595
596 r = is_dir(e, true);
597 if (r < 0)
598 goto next;
599 if (r == 0) {
600 r = -ENOTDIR;
601 goto next;
602 }
603
604 *ret_path = e;
605 return 1;
606
607 next:
608 /* Remember first error, to make this more debuggable */
609 if (ret >= 0)
610 ret = r;
611 }
612
613 if (ret < 0)
614 return ret;
615
616 *ret_path = NULL;
617 return ret;
618 }
619
620 static int tmp_dir_internal(const char *def, const char **ret) {
621 const char *e;
622 int r, k;
623
624 assert(def);
625 assert(ret);
626
627 r = getenv_tmp_dir(&e);
628 if (r > 0) {
629 *ret = e;
630 return 0;
631 }
632
633 k = is_dir(def, true);
634 if (k == 0)
635 k = -ENOTDIR;
636 if (k < 0)
637 return r < 0 ? r : k;
638
639 *ret = def;
640 return 0;
641 }
642
643 int var_tmp_dir(const char **ret) {
644
645 /* Returns the location for "larger" temporary files, that is backed by physical storage if available, and thus
646 * even might survive a boot: /var/tmp. If $TMPDIR (or related environment variables) are set, its value is
647 * returned preferably however. Note that both this function and tmp_dir() below are affected by $TMPDIR,
648 * making it a variable that overrides all temporary file storage locations. */
649
650 return tmp_dir_internal("/var/tmp", ret);
651 }
652
653 int tmp_dir(const char **ret) {
654
655 /* Similar to var_tmp_dir() above, but returns the location for "smaller" temporary files, which is usually
656 * backed by an in-memory file system: /tmp. */
657
658 return tmp_dir_internal("/tmp", ret);
659 }
660
661 int unlink_or_warn(const char *filename) {
662 if (unlink(filename) < 0 && errno != ENOENT)
663 /* If the file doesn't exist and the fs simply was read-only (in which
664 * case unlink() returns EROFS even if the file doesn't exist), don't
665 * complain */
666 if (errno != EROFS || access(filename, F_OK) >= 0)
667 return log_error_errno(errno, "Failed to remove \"%s\": %m", filename);
668
669 return 0;
670 }
671
672 int inotify_add_watch_fd(int fd, int what, uint32_t mask) {
673 char path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
674 int wd;
675
676 /* This is like inotify_add_watch(), except that the file to watch is not referenced by a path, but by an fd */
677 xsprintf(path, "/proc/self/fd/%i", what);
678
679 wd = inotify_add_watch(fd, path, mask);
680 if (wd < 0)
681 return -errno;
682
683 return wd;
684 }
685
686 int inotify_add_watch_and_warn(int fd, const char *pathname, uint32_t mask) {
687 int wd;
688
689 wd = inotify_add_watch(fd, pathname, mask);
690 if (wd < 0) {
691 if (errno == ENOSPC)
692 return log_error_errno(errno, "Failed to add a watch for %s: inotify watch limit reached", pathname);
693
694 return log_error_errno(errno, "Failed to add a watch for %s: %m", pathname);
695 }
696
697 return wd;
698 }
699
700 static bool unsafe_transition(const struct stat *a, const struct stat *b) {
701 /* Returns true if the transition from a to b is safe, i.e. that we never transition from unprivileged to
702 * privileged files or directories. Why bother? So that unprivileged code can't symlink to privileged files
703 * making us believe we read something safe even though it isn't safe in the specific context we open it in. */
704
705 if (a->st_uid == 0) /* Transitioning from privileged to unprivileged is always fine */
706 return false;
707
708 return a->st_uid != b->st_uid; /* Otherwise we need to stay within the same UID */
709 }
710
711 static int log_unsafe_transition(int a, int b, const char *path, unsigned flags) {
712 _cleanup_free_ char *n1 = NULL, *n2 = NULL;
713
714 if (!FLAGS_SET(flags, CHASE_WARN))
715 return -ENOLINK;
716
717 (void) fd_get_path(a, &n1);
718 (void) fd_get_path(b, &n2);
719
720 return log_warning_errno(SYNTHETIC_ERRNO(ENOLINK),
721 "Detected unsafe path transition %s %s %s during canonicalization of %s.",
722 strna(n1), special_glyph(SPECIAL_GLYPH_ARROW), strna(n2), path);
723 }
724
725 static int log_autofs_mount_point(int fd, const char *path, unsigned flags) {
726 _cleanup_free_ char *n1 = NULL;
727
728 if (!FLAGS_SET(flags, CHASE_WARN))
729 return -EREMOTE;
730
731 (void) fd_get_path(fd, &n1);
732
733 return log_warning_errno(SYNTHETIC_ERRNO(EREMOTE),
734 "Detected autofs mount point %s during canonicalization of %s.",
735 strna(n1), path);
736 }
737
738 int chase_symlinks(const char *path, const char *original_root, unsigned flags, char **ret_path, int *ret_fd) {
739 _cleanup_free_ char *buffer = NULL, *done = NULL, *root = NULL;
740 _cleanup_close_ int fd = -1;
741 unsigned max_follow = CHASE_SYMLINKS_MAX; /* how many symlinks to follow before giving up and returning ELOOP */
742 struct stat previous_stat;
743 bool exists = true;
744 char *todo;
745 int r;
746
747 assert(path);
748
749 /* Either the file may be missing, or we return an fd to the final object, but both make no sense */
750 if ((flags & CHASE_NONEXISTENT) && ret_fd)
751 return -EINVAL;
752
753 if ((flags & CHASE_STEP) && ret_fd)
754 return -EINVAL;
755
756 if (isempty(path))
757 return -EINVAL;
758
759 /* This is a lot like canonicalize_file_name(), but takes an additional "root" parameter, that allows following
760 * symlinks relative to a root directory, instead of the root of the host.
761 *
762 * Note that "root" primarily matters if we encounter an absolute symlink. It is also used when following
763 * relative symlinks to ensure they cannot be used to "escape" the root directory. The path parameter passed is
764 * assumed to be already prefixed by it, except if the CHASE_PREFIX_ROOT flag is set, in which case it is first
765 * prefixed accordingly.
766 *
767 * Algorithmically this operates on two path buffers: "done" are the components of the path we already
768 * processed and resolved symlinks, "." and ".." of. "todo" are the components of the path we still need to
769 * process. On each iteration, we move one component from "todo" to "done", processing it's special meaning
770 * each time. The "todo" path always starts with at least one slash, the "done" path always ends in no
771 * slash. We always keep an O_PATH fd to the component we are currently processing, thus keeping lookup races
772 * to a minimum.
773 *
774 * Suggested usage: whenever you want to canonicalize a path, use this function. Pass the absolute path you got
775 * as-is: fully qualified and relative to your host's root. Optionally, specify the root parameter to tell this
776 * function what to do when encountering a symlink with an absolute path as directory: prefix it by the
777 * specified path.
778 *
779 * There are five ways to invoke this function:
780 *
781 * 1. Without CHASE_STEP or ret_fd: in this case the path is resolved and the normalized path is
782 * returned in `ret_path`. The return value is < 0 on error. If CHASE_NONEXISTENT is also set, 0
783 * is returned if the file doesn't exist, > 0 otherwise. If CHASE_NONEXISTENT is not set, >= 0 is
784 * returned if the destination was found, -ENOENT if it wasn't.
785 *
786 * 2. With ret_fd: in this case the destination is opened after chasing it as O_PATH and this file
787 * descriptor is returned as return value. This is useful to open files relative to some root
788 * directory. Note that the returned O_PATH file descriptors must be converted into a regular one (using
789 * fd_reopen() or such) before it can be used for reading/writing. ret_fd may not be combined with
790 * CHASE_NONEXISTENT.
791 *
792 * 3. With CHASE_STEP: in this case only a single step of the normalization is executed, i.e. only the first
793 * symlink or ".." component of the path is resolved, and the resulting path is returned. This is useful if
794 * a caller wants to trace the a path through the file system verbosely. Returns < 0 on error, > 0 if the
795 * path is fully normalized, and == 0 for each normalization step. This may be combined with
796 * CHASE_NONEXISTENT, in which case 1 is returned when a component is not found.
797 *
798 * 4. With CHASE_SAFE: in this case the path must not contain unsafe transitions, i.e. transitions from
799 * unprivileged to privileged files or directories. In such cases the return value is -ENOLINK. If
800 * CHASE_WARN is also set, a warning describing the unsafe transition is emitted.
801 *
802 * 5. With CHASE_NO_AUTOFS: in this case if an autofs mount point is encountered, path normalization
803 * is aborted and -EREMOTE is returned. If CHASE_WARN is also set, a warning showing the path of
804 * the mount point is emitted.
805 */
806
807 /* A root directory of "/" or "" is identical to none */
808 if (empty_or_root(original_root))
809 original_root = NULL;
810
811 if (!original_root && !ret_path && !(flags & (CHASE_NONEXISTENT|CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_STEP)) && ret_fd) {
812 /* Shortcut the ret_fd case if the caller isn't interested in the actual path and has no root set
813 * and doesn't care about any of the other special features we provide either. */
814 r = open(path, O_PATH|O_CLOEXEC|((flags & CHASE_NOFOLLOW) ? O_NOFOLLOW : 0));
815 if (r < 0)
816 return -errno;
817
818 *ret_fd = r;
819 return 0;
820 }
821
822 if (original_root) {
823 r = path_make_absolute_cwd(original_root, &root);
824 if (r < 0)
825 return r;
826
827 /* Simplify the root directory, so that it has no duplicate slashes and nothing at the
828 * end. While we won't resolve the root path we still simplify it. Note that dropping the
829 * trailing slash should not change behaviour, since when opening it we specify O_DIRECTORY
830 * anyway. Moreover at the end of this function after processing everything we'll always turn
831 * the empty string back to "/". */
832 delete_trailing_chars(root, "/");
833 path_simplify(root, true);
834
835 if (flags & CHASE_PREFIX_ROOT) {
836 /* We don't support relative paths in combination with a root directory */
837 if (!path_is_absolute(path))
838 return -EINVAL;
839
840 path = prefix_roota(root, path);
841 }
842 }
843
844 r = path_make_absolute_cwd(path, &buffer);
845 if (r < 0)
846 return r;
847
848 fd = open(root ?: "/", O_CLOEXEC|O_DIRECTORY|O_PATH);
849 if (fd < 0)
850 return -errno;
851
852 if (flags & CHASE_SAFE) {
853 if (fstat(fd, &previous_stat) < 0)
854 return -errno;
855 }
856
857 if (root) {
858 _cleanup_free_ char *absolute = NULL;
859 const char *e;
860
861 /* If we are operating on a root directory, let's take the root directory as it is. */
862
863 e = path_startswith(buffer, root);
864 if (!e)
865 return log_full_errno(flags & CHASE_WARN ? LOG_WARNING : LOG_DEBUG,
866 SYNTHETIC_ERRNO(ECHRNG),
867 "Specified path '%s' is outside of specified root directory '%s', refusing to resolve.",
868 path, root);
869
870 done = strdup(root);
871 if (!done)
872 return -ENOMEM;
873
874 /* Make sure "todo" starts with a slash */
875 absolute = strjoin("/", e);
876 if (!absolute)
877 return -ENOMEM;
878
879 free_and_replace(buffer, absolute);
880 }
881
882 todo = buffer;
883 for (;;) {
884 _cleanup_free_ char *first = NULL;
885 _cleanup_close_ int child = -1;
886 struct stat st;
887 size_t n, m;
888
889 /* Determine length of first component in the path */
890 n = strspn(todo, "/"); /* The slashes */
891
892 if (n > 1) {
893 /* If we are looking at more than a single slash then skip all but one, so that when
894 * we are done with everything we have a normalized path with only single slashes
895 * separating the path components. */
896 todo += n - 1;
897 n = 1;
898 }
899
900 m = n + strcspn(todo + n, "/"); /* The entire length of the component */
901
902 /* Extract the first component. */
903 first = strndup(todo, m);
904 if (!first)
905 return -ENOMEM;
906
907 todo += m;
908
909 /* Empty? Then we reached the end. */
910 if (isempty(first))
911 break;
912
913 /* Just a single slash? Then we reached the end. */
914 if (path_equal(first, "/")) {
915 /* Preserve the trailing slash */
916
917 if (flags & CHASE_TRAIL_SLASH)
918 if (!strextend(&done, "/", NULL))
919 return -ENOMEM;
920
921 break;
922 }
923
924 /* Just a dot? Then let's eat this up. */
925 if (path_equal(first, "/."))
926 continue;
927
928 /* Two dots? Then chop off the last bit of what we already found out. */
929 if (path_equal(first, "/..")) {
930 _cleanup_free_ char *parent = NULL;
931 _cleanup_close_ int fd_parent = -1;
932
933 /* If we already are at the top, then going up will not change anything. This is in-line with
934 * how the kernel handles this. */
935 if (empty_or_root(done))
936 continue;
937
938 parent = dirname_malloc(done);
939 if (!parent)
940 return -ENOMEM;
941
942 /* Don't allow this to leave the root dir. */
943 if (root &&
944 path_startswith(done, root) &&
945 !path_startswith(parent, root))
946 continue;
947
948 free_and_replace(done, parent);
949
950 if (flags & CHASE_STEP)
951 goto chased_one;
952
953 fd_parent = openat(fd, "..", O_CLOEXEC|O_NOFOLLOW|O_PATH);
954 if (fd_parent < 0)
955 return -errno;
956
957 if (flags & CHASE_SAFE) {
958 if (fstat(fd_parent, &st) < 0)
959 return -errno;
960
961 if (unsafe_transition(&previous_stat, &st))
962 return log_unsafe_transition(fd, fd_parent, path, flags);
963
964 previous_stat = st;
965 }
966
967 safe_close(fd);
968 fd = TAKE_FD(fd_parent);
969
970 continue;
971 }
972
973 /* Otherwise let's see what this is. */
974 child = openat(fd, first + n, O_CLOEXEC|O_NOFOLLOW|O_PATH);
975 if (child < 0) {
976
977 if (errno == ENOENT &&
978 (flags & CHASE_NONEXISTENT) &&
979 (isempty(todo) || path_is_normalized(todo))) {
980
981 /* If CHASE_NONEXISTENT is set, and the path does not exist, then that's OK, return
982 * what we got so far. But don't allow this if the remaining path contains "../ or "./"
983 * or something else weird. */
984
985 /* If done is "/", as first also contains slash at the head, then remove this redundant slash. */
986 if (streq_ptr(done, "/"))
987 *done = '\0';
988
989 if (!strextend(&done, first, todo, NULL))
990 return -ENOMEM;
991
992 exists = false;
993 break;
994 }
995
996 return -errno;
997 }
998
999 if (fstat(child, &st) < 0)
1000 return -errno;
1001 if ((flags & CHASE_SAFE) &&
1002 unsafe_transition(&previous_stat, &st))
1003 return log_unsafe_transition(fd, child, path, flags);
1004
1005 previous_stat = st;
1006
1007 if ((flags & CHASE_NO_AUTOFS) &&
1008 fd_is_fs_type(child, AUTOFS_SUPER_MAGIC) > 0)
1009 return log_autofs_mount_point(child, path, flags);
1010
1011 if (S_ISLNK(st.st_mode) && !((flags & CHASE_NOFOLLOW) && isempty(todo))) {
1012 char *joined;
1013 _cleanup_free_ char *destination = NULL;
1014
1015 /* This is a symlink, in this case read the destination. But let's make sure we don't follow
1016 * symlinks without bounds. */
1017 if (--max_follow <= 0)
1018 return -ELOOP;
1019
1020 r = readlinkat_malloc(fd, first + n, &destination);
1021 if (r < 0)
1022 return r;
1023 if (isempty(destination))
1024 return -EINVAL;
1025
1026 if (path_is_absolute(destination)) {
1027
1028 /* An absolute destination. Start the loop from the beginning, but use the root
1029 * directory as base. */
1030
1031 safe_close(fd);
1032 fd = open(root ?: "/", O_CLOEXEC|O_DIRECTORY|O_PATH);
1033 if (fd < 0)
1034 return -errno;
1035
1036 if (flags & CHASE_SAFE) {
1037 if (fstat(fd, &st) < 0)
1038 return -errno;
1039
1040 if (unsafe_transition(&previous_stat, &st))
1041 return log_unsafe_transition(child, fd, path, flags);
1042
1043 previous_stat = st;
1044 }
1045
1046 free(done);
1047
1048 /* Note that we do not revalidate the root, we take it as is. */
1049 if (isempty(root))
1050 done = NULL;
1051 else {
1052 done = strdup(root);
1053 if (!done)
1054 return -ENOMEM;
1055 }
1056
1057 /* Prefix what's left to do with what we just read, and start the loop again, but
1058 * remain in the current directory. */
1059 joined = path_join(destination, todo);
1060 } else
1061 joined = path_join("/", destination, todo);
1062 if (!joined)
1063 return -ENOMEM;
1064
1065 free(buffer);
1066 todo = buffer = joined;
1067
1068 if (flags & CHASE_STEP)
1069 goto chased_one;
1070
1071 continue;
1072 }
1073
1074 /* If this is not a symlink, then let's just add the name we read to what we already verified. */
1075 if (!done)
1076 done = TAKE_PTR(first);
1077 else {
1078 /* If done is "/", as first also contains slash at the head, then remove this redundant slash. */
1079 if (streq(done, "/"))
1080 *done = '\0';
1081
1082 if (!strextend(&done, first, NULL))
1083 return -ENOMEM;
1084 }
1085
1086 /* And iterate again, but go one directory further down. */
1087 safe_close(fd);
1088 fd = TAKE_FD(child);
1089 }
1090
1091 if (!done) {
1092 /* Special case, turn the empty string into "/", to indicate the root directory. */
1093 done = strdup("/");
1094 if (!done)
1095 return -ENOMEM;
1096 }
1097
1098 if (ret_path)
1099 *ret_path = TAKE_PTR(done);
1100
1101 if (ret_fd) {
1102 /* Return the O_PATH fd we currently are looking to the caller. It can translate it to a
1103 * proper fd by opening /proc/self/fd/xyz. */
1104
1105 assert(fd >= 0);
1106 *ret_fd = TAKE_FD(fd);
1107 }
1108
1109 if (flags & CHASE_STEP)
1110 return 1;
1111
1112 return exists;
1113
1114 chased_one:
1115 if (ret_path) {
1116 char *c;
1117
1118 c = strjoin(strempty(done), todo);
1119 if (!c)
1120 return -ENOMEM;
1121
1122 *ret_path = c;
1123 }
1124
1125 return 0;
1126 }
1127
1128 int chase_symlinks_and_open(
1129 const char *path,
1130 const char *root,
1131 unsigned chase_flags,
1132 int open_flags,
1133 char **ret_path) {
1134
1135 _cleanup_close_ int path_fd = -1;
1136 _cleanup_free_ char *p = NULL;
1137 int r;
1138
1139 if (chase_flags & CHASE_NONEXISTENT)
1140 return -EINVAL;
1141
1142 if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
1143 /* Shortcut this call if none of the special features of this call are requested */
1144 r = open(path, open_flags);
1145 if (r < 0)
1146 return -errno;
1147
1148 return r;
1149 }
1150
1151 r = chase_symlinks(path, root, chase_flags, ret_path ? &p : NULL, &path_fd);
1152 if (r < 0)
1153 return r;
1154 assert(path_fd >= 0);
1155
1156 r = fd_reopen(path_fd, open_flags);
1157 if (r < 0)
1158 return r;
1159
1160 if (ret_path)
1161 *ret_path = TAKE_PTR(p);
1162
1163 return r;
1164 }
1165
1166 int chase_symlinks_and_opendir(
1167 const char *path,
1168 const char *root,
1169 unsigned chase_flags,
1170 char **ret_path,
1171 DIR **ret_dir) {
1172
1173 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
1174 _cleanup_close_ int path_fd = -1;
1175 _cleanup_free_ char *p = NULL;
1176 DIR *d;
1177 int r;
1178
1179 if (!ret_dir)
1180 return -EINVAL;
1181 if (chase_flags & CHASE_NONEXISTENT)
1182 return -EINVAL;
1183
1184 if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
1185 /* Shortcut this call if none of the special features of this call are requested */
1186 d = opendir(path);
1187 if (!d)
1188 return -errno;
1189
1190 *ret_dir = d;
1191 return 0;
1192 }
1193
1194 r = chase_symlinks(path, root, chase_flags, ret_path ? &p : NULL, &path_fd);
1195 if (r < 0)
1196 return r;
1197 assert(path_fd >= 0);
1198
1199 xsprintf(procfs_path, "/proc/self/fd/%i", path_fd);
1200 d = opendir(procfs_path);
1201 if (!d)
1202 return -errno;
1203
1204 if (ret_path)
1205 *ret_path = TAKE_PTR(p);
1206
1207 *ret_dir = d;
1208 return 0;
1209 }
1210
1211 int chase_symlinks_and_stat(
1212 const char *path,
1213 const char *root,
1214 unsigned chase_flags,
1215 char **ret_path,
1216 struct stat *ret_stat,
1217 int *ret_fd) {
1218
1219 _cleanup_close_ int path_fd = -1;
1220 _cleanup_free_ char *p = NULL;
1221 int r;
1222
1223 assert(path);
1224 assert(ret_stat);
1225
1226 if (chase_flags & CHASE_NONEXISTENT)
1227 return -EINVAL;
1228
1229 if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
1230 /* Shortcut this call if none of the special features of this call are requested */
1231 if (stat(path, ret_stat) < 0)
1232 return -errno;
1233
1234 return 1;
1235 }
1236
1237 r = chase_symlinks(path, root, chase_flags, ret_path ? &p : NULL, &path_fd);
1238 if (r < 0)
1239 return r;
1240 assert(path_fd >= 0);
1241
1242 if (fstat(path_fd, ret_stat) < 0)
1243 return -errno;
1244
1245 if (ret_path)
1246 *ret_path = TAKE_PTR(p);
1247 if (ret_fd)
1248 *ret_fd = TAKE_FD(path_fd);
1249
1250 return 1;
1251 }
1252
1253 int access_fd(int fd, int mode) {
1254 char p[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(fd) + 1];
1255
1256 /* Like access() but operates on an already open fd */
1257
1258 xsprintf(p, "/proc/self/fd/%i", fd);
1259 if (access(p, mode) < 0) {
1260 if (errno != ENOENT)
1261 return -errno;
1262
1263 /* ENOENT can mean two things: that the fd does not exist or that /proc is not mounted. Let's
1264 * make things debuggable and distinguish the two. */
1265
1266 if (proc_mounted() == 0)
1267 return -ENOSYS; /* /proc is not available or not set up properly, we're most likely in some chroot
1268 * environment. */
1269
1270 return -EBADF; /* The directory exists, hence it's the fd that doesn't. */
1271 }
1272
1273 return 0;
1274 }
1275
1276 void unlink_tempfilep(char (*p)[]) {
1277 /* If the file is created with mkstemp(), it will (almost always)
1278 * change the suffix. Treat this as a sign that the file was
1279 * successfully created. We ignore both the rare case where the
1280 * original suffix is used and unlink failures. */
1281 if (!endswith(*p, ".XXXXXX"))
1282 (void) unlink_noerrno(*p);
1283 }
1284
1285 int unlinkat_deallocate(int fd, const char *name, UnlinkDeallocateFlags flags) {
1286 _cleanup_close_ int truncate_fd = -1;
1287 struct stat st;
1288 off_t l, bs;
1289
1290 assert((flags & ~(UNLINK_REMOVEDIR|UNLINK_ERASE)) == 0);
1291
1292 /* Operates like unlinkat() but also deallocates the file contents if it is a regular file and there's no other
1293 * link to it. This is useful to ensure that other processes that might have the file open for reading won't be
1294 * able to keep the data pinned on disk forever. This call is particular useful whenever we execute clean-up
1295 * jobs ("vacuuming"), where we want to make sure the data is really gone and the disk space released and
1296 * returned to the free pool.
1297 *
1298 * Deallocation is preferably done by FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE (👊) if supported, which means
1299 * the file won't change size. That's a good thing since we shouldn't needlessly trigger SIGBUS in other
1300 * programs that have mmap()ed the file. (The assumption here is that changing file contents to all zeroes
1301 * underneath those programs is the better choice than simply triggering SIGBUS in them which truncation does.)
1302 * However if hole punching is not implemented in the kernel or file system we'll fall back to normal file
1303 * truncation (🔪), as our goal of deallocating the data space trumps our goal of being nice to readers (💐).
1304 *
1305 * Note that we attempt deallocation, but failure to succeed with that is not considered fatal, as long as the
1306 * primary job – to delete the file – is accomplished. */
1307
1308 if (!FLAGS_SET(flags, UNLINK_REMOVEDIR)) {
1309 truncate_fd = openat(fd, name, O_WRONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|O_NONBLOCK);
1310 if (truncate_fd < 0) {
1311
1312 /* If this failed because the file doesn't exist propagate the error right-away. Also,
1313 * AT_REMOVEDIR wasn't set, and we tried to open the file for writing, which means EISDIR is
1314 * returned when this is a directory but we are not supposed to delete those, hence propagate
1315 * the error right-away too. */
1316 if (IN_SET(errno, ENOENT, EISDIR))
1317 return -errno;
1318
1319 if (errno != ELOOP) /* don't complain if this is a symlink */
1320 log_debug_errno(errno, "Failed to open file '%s' for deallocation, ignoring: %m", name);
1321 }
1322 }
1323
1324 if (unlinkat(fd, name, FLAGS_SET(flags, UNLINK_REMOVEDIR) ? AT_REMOVEDIR : 0) < 0)
1325 return -errno;
1326
1327 if (truncate_fd < 0) /* Don't have a file handle, can't do more ☹️ */
1328 return 0;
1329
1330 if (fstat(truncate_fd, &st) < 0) {
1331 log_debug_errno(errno, "Failed to stat file '%s' for deallocation, ignoring: %m", name);
1332 return 0;
1333 }
1334
1335 if (!S_ISREG(st.st_mode))
1336 return 0;
1337
1338 if (FLAGS_SET(flags, UNLINK_ERASE) && st.st_size > 0 && st.st_nlink == 0) {
1339 uint64_t left = st.st_size;
1340 char buffer[64 * 1024];
1341
1342 /* If erasing is requested, let's overwrite the file with random data once before deleting
1343 * it. This isn't going to give you shred(1) semantics, but hopefully should be good enough
1344 * for stuff backed by tmpfs at least.
1345 *
1346 * Note that we only erase like this if the link count of the file is zero. If it is higher it
1347 * is still linked by someone else and we'll leave it to them to remove it securely
1348 * eventually! */
1349
1350 random_bytes(buffer, sizeof(buffer));
1351
1352 while (left > 0) {
1353 ssize_t n;
1354
1355 n = write(truncate_fd, buffer, MIN(sizeof(buffer), left));
1356 if (n < 0) {
1357 log_debug_errno(errno, "Failed to erase data in file '%s', ignoring.", name);
1358 break;
1359 }
1360
1361 assert(left >= (size_t) n);
1362 left -= n;
1363 }
1364
1365 /* Let's refresh metadata */
1366 if (fstat(truncate_fd, &st) < 0) {
1367 log_debug_errno(errno, "Failed to stat file '%s' for deallocation, ignoring: %m", name);
1368 return 0;
1369 }
1370 }
1371
1372 /* Don't dallocate if there's nothing to deallocate or if the file is linked elsewhere */
1373 if (st.st_blocks == 0 || st.st_nlink > 0)
1374 return 0;
1375
1376 /* If this is a regular file, it actually took up space on disk and there are no other links it's time to
1377 * punch-hole/truncate this to release the disk space. */
1378
1379 bs = MAX(st.st_blksize, 512);
1380 l = DIV_ROUND_UP(st.st_size, bs) * bs; /* Round up to next block size */
1381
1382 if (fallocate(truncate_fd, FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE, 0, l) >= 0)
1383 return 0; /* Successfully punched a hole! 😊 */
1384
1385 /* Fall back to truncation */
1386 if (ftruncate(truncate_fd, 0) < 0) {
1387 log_debug_errno(errno, "Failed to truncate file to 0, ignoring: %m");
1388 return 0;
1389 }
1390
1391 return 0;
1392 }
1393
1394 int fsync_directory_of_file(int fd) {
1395 _cleanup_free_ char *path = NULL;
1396 _cleanup_close_ int dfd = -1;
1397 int r;
1398
1399 r = fd_verify_regular(fd);
1400 if (r < 0)
1401 return r;
1402
1403 r = fd_get_path(fd, &path);
1404 if (r < 0) {
1405 log_debug_errno(r, "Failed to query /proc/self/fd/%d%s: %m",
1406 fd,
1407 r == -ENOSYS ? ", ignoring" : "");
1408
1409 if (r == -ENOSYS)
1410 /* If /proc is not available, we're most likely running in some
1411 * chroot environment, and syncing the directory is not very
1412 * important in that case. Let's just silently do nothing. */
1413 return 0;
1414
1415 return r;
1416 }
1417
1418 if (!path_is_absolute(path))
1419 return -EINVAL;
1420
1421 dfd = open_parent(path, O_CLOEXEC, 0);
1422 if (dfd < 0)
1423 return dfd;
1424
1425 if (fsync(dfd) < 0)
1426 return -errno;
1427
1428 return 0;
1429 }
1430
1431 int fsync_full(int fd) {
1432 int r, q;
1433
1434 /* Sync both the file and the directory */
1435
1436 r = fsync(fd) < 0 ? -errno : 0;
1437 q = fsync_directory_of_file(fd);
1438
1439 return r < 0 ? r : q;
1440 }
1441
1442 int fsync_path_at(int at_fd, const char *path) {
1443 _cleanup_close_ int opened_fd = -1;
1444 int fd;
1445
1446 if (isempty(path)) {
1447 if (at_fd == AT_FDCWD) {
1448 opened_fd = open(".", O_RDONLY|O_DIRECTORY|O_CLOEXEC);
1449 if (opened_fd < 0)
1450 return -errno;
1451
1452 fd = opened_fd;
1453 } else
1454 fd = at_fd;
1455 } else {
1456
1457 opened_fd = openat(at_fd, path, O_RDONLY|O_CLOEXEC);
1458 if (opened_fd < 0)
1459 return -errno;
1460
1461 fd = opened_fd;
1462 }
1463
1464 if (fsync(fd) < 0)
1465 return -errno;
1466
1467 return 0;
1468 }
1469
1470 int syncfs_path(int atfd, const char *path) {
1471 _cleanup_close_ int fd = -1;
1472
1473 assert(path);
1474
1475 fd = openat(atfd, path, O_CLOEXEC|O_RDONLY|O_NONBLOCK);
1476 if (fd < 0)
1477 return -errno;
1478
1479 if (syncfs(fd) < 0)
1480 return -errno;
1481
1482 return 0;
1483 }
1484
1485 int open_parent(const char *path, int flags, mode_t mode) {
1486 _cleanup_free_ char *parent = NULL;
1487 int fd;
1488
1489 if (isempty(path))
1490 return -EINVAL;
1491 if (path_equal(path, "/")) /* requesting the parent of the root dir is fishy, let's prohibit that */
1492 return -EINVAL;
1493
1494 parent = dirname_malloc(path);
1495 if (!parent)
1496 return -ENOMEM;
1497
1498 /* Let's insist on O_DIRECTORY since the parent of a file or directory is a directory. Except if we open an
1499 * O_TMPFILE file, because in that case we are actually create a regular file below the parent directory. */
1500
1501 if (FLAGS_SET(flags, O_PATH))
1502 flags |= O_DIRECTORY;
1503 else if (!FLAGS_SET(flags, O_TMPFILE))
1504 flags |= O_DIRECTORY|O_RDONLY;
1505
1506 fd = open(parent, flags, mode);
1507 if (fd < 0)
1508 return -errno;
1509
1510 return fd;
1511 }
1512
1513 static int blockdev_is_encrypted(const char *sysfs_path, unsigned depth_left) {
1514 _cleanup_free_ char *p = NULL, *uuids = NULL;
1515 _cleanup_closedir_ DIR *d = NULL;
1516 int r, found_encrypted = false;
1517
1518 assert(sysfs_path);
1519
1520 if (depth_left == 0)
1521 return -EINVAL;
1522
1523 p = path_join(sysfs_path, "dm/uuid");
1524 if (!p)
1525 return -ENOMEM;
1526
1527 r = read_one_line_file(p, &uuids);
1528 if (r != -ENOENT) {
1529 if (r < 0)
1530 return r;
1531
1532 /* The DM device's uuid attribute is prefixed with "CRYPT-" if this is a dm-crypt device. */
1533 if (startswith(uuids, "CRYPT-"))
1534 return true;
1535 }
1536
1537 /* Not a dm-crypt device itself. But maybe it is on top of one? Follow the links in the "slaves/"
1538 * subdir. */
1539
1540 p = mfree(p);
1541 p = path_join(sysfs_path, "slaves");
1542 if (!p)
1543 return -ENOMEM;
1544
1545 d = opendir(p);
1546 if (!d) {
1547 if (errno == ENOENT) /* Doesn't have underlying devices */
1548 return false;
1549
1550 return -errno;
1551 }
1552
1553 for (;;) {
1554 _cleanup_free_ char *q = NULL;
1555 struct dirent *de;
1556
1557 errno = 0;
1558 de = readdir_no_dot(d);
1559 if (!de) {
1560 if (errno != 0)
1561 return -errno;
1562
1563 break; /* No more underlying devices */
1564 }
1565
1566 q = path_join(p, de->d_name);
1567 if (!q)
1568 return -ENOMEM;
1569
1570 r = blockdev_is_encrypted(q, depth_left - 1);
1571 if (r < 0)
1572 return r;
1573 if (r == 0) /* we found one that is not encrypted? then propagate that immediately */
1574 return false;
1575
1576 found_encrypted = true;
1577 }
1578
1579 return found_encrypted;
1580 }
1581
1582 int path_is_encrypted(const char *path) {
1583 char p[SYS_BLOCK_PATH_MAX(NULL)];
1584 dev_t devt;
1585 int r;
1586
1587 r = get_block_device(path, &devt);
1588 if (r < 0)
1589 return r;
1590 if (r == 0) /* doesn't have a block device */
1591 return false;
1592
1593 xsprintf_sys_block_path(p, NULL, devt);
1594
1595 return blockdev_is_encrypted(p, 10 /* safety net: maximum recursion depth */);
1596 }
Unnamed repository; edit this file 'description' to name the repository.