]>
Commit | Line | Data |
---|---|---|
db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
3ffd4af2 | 2 | |
11c3a366 TA |
3 | #include <errno.h> |
4 | #include <fcntl.h> | |
65ddc2c5 ZJS |
5 | #include <linux/btrfs.h> |
6 | #include <linux/magic.h> | |
7 | #include <sys/ioctl.h> | |
11c3a366 | 8 | #include <sys/resource.h> |
11c3a366 TA |
9 | #include <sys/stat.h> |
10 | #include <unistd.h> | |
11 | ||
4960ce43 | 12 | #include "alloc-util.h" |
8fb3f009 | 13 | #include "dirent-util.h" |
3ffd4af2 | 14 | #include "fd-util.h" |
a548e14d | 15 | #include "fileio.h" |
4aeb20f5 | 16 | #include "fs-util.h" |
4960ce43 | 17 | #include "io-util.h" |
11c3a366 | 18 | #include "macro.h" |
0499585f | 19 | #include "missing_fcntl.h" |
f5947a5e | 20 | #include "missing_syscall.h" |
93cc7779 | 21 | #include "parse-util.h" |
11c3a366 | 22 | #include "path-util.h" |
df0ff127 | 23 | #include "process-util.h" |
93cc7779 | 24 | #include "socket-util.h" |
b8cfa2da | 25 | #include "sort-util.h" |
f8606626 | 26 | #include "stat-util.h" |
4aeb20f5 | 27 | #include "stdio-util.h" |
e4de7287 | 28 | #include "tmpfile-util.h" |
f8606626 | 29 | #include "util.h" |
3ffd4af2 | 30 | |
6a461d1f ZJS |
31 | /* The maximum number of iterations in the loop to close descriptors in the fallback case |
32 | * when /proc/self/fd/ is inaccessible. */ | |
33 | #define MAX_FD_LOOP_LIMIT (1024*1024) | |
34 | ||
3ffd4af2 LP |
35 | int close_nointr(int fd) { |
36 | assert(fd >= 0); | |
37 | ||
38 | if (close(fd) >= 0) | |
39 | return 0; | |
40 | ||
41 | /* | |
42 | * Just ignore EINTR; a retry loop is the wrong thing to do on | |
43 | * Linux. | |
44 | * | |
45 | * http://lkml.indiana.edu/hypermail/linux/kernel/0509.1/0877.html | |
46 | * https://bugzilla.gnome.org/show_bug.cgi?id=682819 | |
47 | * http://utcc.utoronto.ca/~cks/space/blog/unix/CloseEINTR | |
48 | * https://sites.google.com/site/michaelsafyan/software-engineering/checkforeintrwheninvokingclosethinkagain | |
49 | */ | |
50 | if (errno == EINTR) | |
51 | return 0; | |
52 | ||
53 | return -errno; | |
54 | } | |
55 | ||
56 | int safe_close(int fd) { | |
57 | ||
58 | /* | |
59 | * Like close_nointr() but cannot fail. Guarantees errno is | |
60 | * unchanged. Is a NOP with negative fds passed, and returns | |
61 | * -1, so that it can be used in this syntax: | |
62 | * | |
63 | * fd = safe_close(fd); | |
64 | */ | |
65 | ||
66 | if (fd >= 0) { | |
67 | PROTECT_ERRNO; | |
68 | ||
69 | /* The kernel might return pretty much any error code | |
70 | * via close(), but the fd will be closed anyway. The | |
71 | * only condition we want to check for here is whether | |
72 | * the fd was invalid at all... */ | |
73 | ||
74 | assert_se(close_nointr(fd) != -EBADF); | |
75 | } | |
76 | ||
77 | return -1; | |
78 | } | |
79 | ||
3042bbeb | 80 | void safe_close_pair(int p[static 2]) { |
3ffd4af2 LP |
81 | assert(p); |
82 | ||
83 | if (p[0] == p[1]) { | |
84 | /* Special case pairs which use the same fd in both | |
85 | * directions... */ | |
86 | p[0] = p[1] = safe_close(p[0]); | |
87 | return; | |
88 | } | |
89 | ||
90 | p[0] = safe_close(p[0]); | |
91 | p[1] = safe_close(p[1]); | |
92 | } | |
93 | ||
da6053d0 | 94 | void close_many(const int fds[], size_t n_fd) { |
3ffd4af2 LP |
95 | assert(fds || n_fd <= 0); |
96 | ||
fe96c0f8 | 97 | for (size_t i = 0; i < n_fd; i++) |
3ffd4af2 LP |
98 | safe_close(fds[i]); |
99 | } | |
100 | ||
101 | int fclose_nointr(FILE *f) { | |
102 | assert(f); | |
103 | ||
104 | /* Same as close_nointr(), but for fclose() */ | |
105 | ||
75f6d5d8 LP |
106 | errno = 0; /* Extra safety: if the FILE* object is not encapsulating an fd, it might not set errno |
107 | * correctly. Let's hence initialize it to zero first, so that we aren't confused by any | |
108 | * prior errno here */ | |
3ffd4af2 LP |
109 | if (fclose(f) == 0) |
110 | return 0; | |
111 | ||
112 | if (errno == EINTR) | |
113 | return 0; | |
114 | ||
75f6d5d8 | 115 | return errno_or_else(EIO); |
3ffd4af2 LP |
116 | } |
117 | ||
118 | FILE* safe_fclose(FILE *f) { | |
119 | ||
120 | /* Same as safe_close(), but for fclose() */ | |
121 | ||
122 | if (f) { | |
123 | PROTECT_ERRNO; | |
124 | ||
6dce3bb4 | 125 | assert_se(fclose_nointr(f) != -EBADF); |
3ffd4af2 LP |
126 | } |
127 | ||
128 | return NULL; | |
129 | } | |
130 | ||
131 | DIR* safe_closedir(DIR *d) { | |
132 | ||
133 | if (d) { | |
134 | PROTECT_ERRNO; | |
135 | ||
136 | assert_se(closedir(d) >= 0 || errno != EBADF); | |
137 | } | |
138 | ||
139 | return NULL; | |
140 | } | |
141 | ||
142 | int fd_nonblock(int fd, bool nonblock) { | |
143 | int flags, nflags; | |
144 | ||
145 | assert(fd >= 0); | |
146 | ||
147 | flags = fcntl(fd, F_GETFL, 0); | |
148 | if (flags < 0) | |
149 | return -errno; | |
150 | ||
0da96503 | 151 | nflags = UPDATE_FLAG(flags, O_NONBLOCK, nonblock); |
3ffd4af2 LP |
152 | if (nflags == flags) |
153 | return 0; | |
154 | ||
7c248223 | 155 | return RET_NERRNO(fcntl(fd, F_SETFL, nflags)); |
3ffd4af2 LP |
156 | } |
157 | ||
158 | int fd_cloexec(int fd, bool cloexec) { | |
159 | int flags, nflags; | |
160 | ||
161 | assert(fd >= 0); | |
162 | ||
163 | flags = fcntl(fd, F_GETFD, 0); | |
164 | if (flags < 0) | |
165 | return -errno; | |
166 | ||
0da96503 | 167 | nflags = UPDATE_FLAG(flags, FD_CLOEXEC, cloexec); |
3ffd4af2 LP |
168 | if (nflags == flags) |
169 | return 0; | |
170 | ||
7c248223 | 171 | return RET_NERRNO(fcntl(fd, F_SETFD, nflags)); |
3ffd4af2 LP |
172 | } |
173 | ||
da6053d0 | 174 | _pure_ static bool fd_in_set(int fd, const int fdset[], size_t n_fdset) { |
3ffd4af2 LP |
175 | assert(n_fdset == 0 || fdset); |
176 | ||
fe96c0f8 | 177 | for (size_t i = 0; i < n_fdset; i++) |
3ffd4af2 LP |
178 | if (fdset[i] == fd) |
179 | return true; | |
180 | ||
181 | return false; | |
182 | } | |
183 | ||
73fc0cbc | 184 | int get_max_fd(void) { |
498e265d LP |
185 | struct rlimit rl; |
186 | rlim_t m; | |
187 | ||
188 | /* Return the highest possible fd, based RLIMIT_NOFILE, but enforcing FD_SETSIZE-1 as lower boundary | |
189 | * and INT_MAX as upper boundary. */ | |
190 | ||
191 | if (getrlimit(RLIMIT_NOFILE, &rl) < 0) | |
192 | return -errno; | |
193 | ||
194 | m = MAX(rl.rlim_cur, rl.rlim_max); | |
195 | if (m < FD_SETSIZE) /* Let's always cover at least 1024 fds */ | |
196 | return FD_SETSIZE-1; | |
197 | ||
198 | if (m == RLIM_INFINITY || m > INT_MAX) /* Saturate on overflow. After all fds are "int", hence can | |
199 | * never be above INT_MAX */ | |
200 | return INT_MAX; | |
201 | ||
202 | return (int) (m - 1); | |
203 | } | |
204 | ||
5cfa0798 | 205 | static int close_all_fds_frugal(const int except[], size_t n_except) { |
11966552 LP |
206 | int max_fd, r = 0; |
207 | ||
208 | assert(n_except == 0 || except); | |
209 | ||
210 | /* This is the inner fallback core of close_all_fds(). This never calls malloc() or opendir() or so | |
211 | * and hence is safe to be called in signal handler context. Most users should call close_all_fds(), | |
212 | * but when we assume we are called from signal handler context, then use this simpler call | |
213 | * instead. */ | |
214 | ||
215 | max_fd = get_max_fd(); | |
216 | if (max_fd < 0) | |
217 | return max_fd; | |
218 | ||
219 | /* Refuse to do the loop over more too many elements. It's better to fail immediately than to | |
220 | * spin the CPU for a long time. */ | |
221 | if (max_fd > MAX_FD_LOOP_LIMIT) | |
222 | return log_debug_errno(SYNTHETIC_ERRNO(EPERM), | |
223 | "Refusing to loop over %d potential fds.", | |
224 | max_fd); | |
225 | ||
226 | for (int fd = 3; fd >= 0; fd = fd < max_fd ? fd + 1 : -1) { | |
227 | int q; | |
228 | ||
229 | if (fd_in_set(fd, except, n_except)) | |
230 | continue; | |
231 | ||
232 | q = close_nointr(fd); | |
233 | if (q < 0 && q != -EBADF && r >= 0) | |
234 | r = q; | |
235 | } | |
236 | ||
237 | return r; | |
238 | } | |
239 | ||
5cfa0798 | 240 | static bool have_close_range = true; /* Assume we live in the future */ |
3ffd4af2 | 241 | |
5cfa0798 | 242 | static int close_all_fds_special_case(const int except[], size_t n_except) { |
3ffd4af2 LP |
243 | assert(n_except == 0 || except); |
244 | ||
5cfa0798 LP |
245 | /* Handles a few common special cases separately, since they are common and can be optimized really |
246 | * nicely, since we won't need sorting for them. Returns > 0 if the special casing worked, 0 | |
247 | * otherwise. */ | |
b8cfa2da | 248 | |
5cfa0798 LP |
249 | if (!have_close_range) |
250 | return 0; | |
b8cfa2da | 251 | |
5cfa0798 | 252 | switch (n_except) { |
b8cfa2da | 253 | |
5cfa0798 LP |
254 | case 0: |
255 | /* Close everything. Yay! */ | |
b8cfa2da | 256 | |
5cfa0798 LP |
257 | if (close_range(3, -1, 0) >= 0) |
258 | return 1; | |
f498720a | 259 | |
5cfa0798 LP |
260 | if (ERRNO_IS_NOT_SUPPORTED(errno) || ERRNO_IS_PRIVILEGE(errno)) { |
261 | have_close_range = false; | |
262 | return 0; | |
263 | } | |
f498720a | 264 | |
5cfa0798 | 265 | return -errno; |
f498720a | 266 | |
5cfa0798 LP |
267 | case 1: |
268 | /* Close all but exactly one, then we don't need no sorting. This is a pretty common | |
269 | * case, hence let's handle it specially. */ | |
f498720a | 270 | |
5cfa0798 LP |
271 | if ((except[0] <= 3 || close_range(3, except[0]-1, 0) >= 0) && |
272 | (except[0] >= INT_MAX || close_range(MAX(3, except[0]+1), -1, 0) >= 0)) | |
273 | return 1; | |
f498720a | 274 | |
5cfa0798 | 275 | if (ERRNO_IS_NOT_SUPPORTED(errno) || ERRNO_IS_PRIVILEGE(errno)) { |
f498720a | 276 | have_close_range = false; |
5cfa0798 LP |
277 | return 0; |
278 | } | |
f498720a | 279 | |
5cfa0798 | 280 | return -errno; |
c85cb3bc | 281 | |
5cfa0798 LP |
282 | default: |
283 | return 0; | |
284 | } | |
285 | } | |
c85cb3bc | 286 | |
5cfa0798 LP |
287 | int close_all_fds_without_malloc(const int except[], size_t n_except) { |
288 | int r; | |
c85cb3bc | 289 | |
5cfa0798 | 290 | assert(n_except == 0 || except); |
c85cb3bc | 291 | |
5cfa0798 LP |
292 | r = close_all_fds_special_case(except, n_except); |
293 | if (r < 0) | |
294 | return r; | |
295 | if (r > 0) /* special case worked! */ | |
296 | return 0; | |
b8cfa2da | 297 | |
5cfa0798 LP |
298 | return close_all_fds_frugal(except, n_except); |
299 | } | |
b8cfa2da | 300 | |
5cfa0798 LP |
301 | int close_all_fds(const int except[], size_t n_except) { |
302 | _cleanup_closedir_ DIR *d = NULL; | |
5cfa0798 LP |
303 | int r = 0; |
304 | ||
305 | assert(n_except == 0 || except); | |
306 | ||
307 | r = close_all_fds_special_case(except, n_except); | |
308 | if (r < 0) | |
309 | return r; | |
310 | if (r > 0) /* special case worked! */ | |
311 | return 0; | |
312 | ||
313 | if (have_close_range) { | |
314 | _cleanup_free_ int *sorted_malloc = NULL; | |
315 | size_t n_sorted; | |
316 | int *sorted; | |
317 | ||
318 | /* In the best case we have close_range() to close all fds between a start and an end fd, | |
319 | * which we can use on the "inverted" exception array, i.e. all intervals between all | |
320 | * adjacent pairs from the sorted exception array. This changes loop complexity from O(n) | |
321 | * where n is number of open fds to O(m⋅log(m)) where m is the number of fds to keep | |
322 | * open. Given that we assume n ≫ m that's preferable to us. */ | |
b8cfa2da | 323 | |
5cfa0798 LP |
324 | assert(n_except < SIZE_MAX); |
325 | n_sorted = n_except + 1; | |
c85cb3bc | 326 | |
5cfa0798 LP |
327 | if (n_sorted > 64) /* Use heap for large numbers of fds, stack otherwise */ |
328 | sorted = sorted_malloc = new(int, n_sorted); | |
329 | else | |
330 | sorted = newa(int, n_sorted); | |
c85cb3bc | 331 | |
5cfa0798 LP |
332 | if (sorted) { |
333 | memcpy(sorted, except, n_except * sizeof(int)); | |
c85cb3bc | 334 | |
5cfa0798 LP |
335 | /* Let's add fd 2 to the list of fds, to simplify the loop below, as this |
336 | * allows us to cover the head of the array the same way as the body */ | |
337 | sorted[n_sorted-1] = 2; | |
b8cfa2da | 338 | |
5cfa0798 LP |
339 | typesafe_qsort(sorted, n_sorted, cmp_int); |
340 | ||
341 | for (size_t i = 0; i < n_sorted-1; i++) { | |
342 | int start, end; | |
b8cfa2da | 343 | |
5cfa0798 LP |
344 | start = MAX(sorted[i], 2); /* The first three fds shall always remain open */ |
345 | end = MAX(sorted[i+1], 2); | |
b8cfa2da | 346 | |
5cfa0798 | 347 | assert(end >= start); |
b8cfa2da | 348 | |
5cfa0798 LP |
349 | if (end - start <= 1) |
350 | continue; | |
b8cfa2da | 351 | |
5cfa0798 LP |
352 | /* Close everything between the start and end fds (both of which shall stay open) */ |
353 | if (close_range(start + 1, end - 1, 0) < 0) { | |
c85cb3bc LP |
354 | if (!ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno)) |
355 | return -errno; | |
b8cfa2da | 356 | |
c85cb3bc | 357 | have_close_range = false; |
5cfa0798 | 358 | break; |
c85cb3bc LP |
359 | } |
360 | } | |
5cfa0798 LP |
361 | |
362 | if (have_close_range) { | |
363 | /* The loop succeeded. Let's now close everything beyond the end */ | |
364 | ||
365 | if (sorted[n_sorted-1] >= INT_MAX) /* Dont let the addition below overflow */ | |
366 | return 0; | |
367 | ||
368 | if (close_range(sorted[n_sorted-1] + 1, -1, 0) >= 0) | |
369 | return 0; | |
370 | ||
371 | if (!ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno)) | |
372 | return -errno; | |
373 | ||
374 | have_close_range = false; | |
375 | } | |
b8cfa2da | 376 | } |
c85cb3bc LP |
377 | |
378 | /* Fallback on OOM or if close_range() is not supported */ | |
b8cfa2da LP |
379 | } |
380 | ||
e7e7c07c | 381 | d = opendir("/proc/self/fd"); |
11966552 | 382 | if (!d) |
5cfa0798 | 383 | return close_all_fds_frugal(except, n_except); /* ultimate fallback if /proc/ is not available */ |
3ffd4af2 | 384 | |
c85cb3bc LP |
385 | FOREACH_DIRENT(de, d, return -errno) { |
386 | int fd = -1, q; | |
3ffd4af2 | 387 | |
1f6639ea LP |
388 | if (!IN_SET(de->d_type, DT_LNK, DT_UNKNOWN)) |
389 | continue; | |
390 | ||
c85cb3bc LP |
391 | if (safe_atoi(de->d_name, &fd) < 0) |
392 | /* Let's better ignore this, just in case */ | |
393 | continue; | |
3ffd4af2 | 394 | |
c85cb3bc LP |
395 | if (fd < 3) |
396 | continue; | |
3ffd4af2 | 397 | |
c85cb3bc LP |
398 | if (fd == dirfd(d)) |
399 | continue; | |
3ffd4af2 LP |
400 | |
401 | if (fd_in_set(fd, except, n_except)) | |
402 | continue; | |
403 | ||
e43bc9f5 | 404 | q = close_nointr(fd); |
c85cb3bc | 405 | if (q < 0 && q != -EBADF && r >= 0) /* Valgrind has its own FD and doesn't want to have it closed */ |
e43bc9f5 | 406 | r = q; |
3ffd4af2 LP |
407 | } |
408 | ||
409 | return r; | |
410 | } | |
411 | ||
412 | int same_fd(int a, int b) { | |
413 | struct stat sta, stb; | |
414 | pid_t pid; | |
415 | int r, fa, fb; | |
416 | ||
417 | assert(a >= 0); | |
418 | assert(b >= 0); | |
419 | ||
420 | /* Compares two file descriptors. Note that semantics are | |
421 | * quite different depending on whether we have kcmp() or we | |
422 | * don't. If we have kcmp() this will only return true for | |
423 | * dup()ed file descriptors, but not otherwise. If we don't | |
424 | * have kcmp() this will also return true for two fds of the same | |
425 | * file, created by separate open() calls. Since we use this | |
426 | * call mostly for filtering out duplicates in the fd store | |
427 | * this difference hopefully doesn't matter too much. */ | |
428 | ||
429 | if (a == b) | |
430 | return true; | |
431 | ||
432 | /* Try to use kcmp() if we have it. */ | |
df0ff127 | 433 | pid = getpid_cached(); |
3ffd4af2 LP |
434 | r = kcmp(pid, pid, KCMP_FILE, a, b); |
435 | if (r == 0) | |
436 | return true; | |
437 | if (r > 0) | |
438 | return false; | |
9e2acd1d | 439 | if (!IN_SET(errno, ENOSYS, EACCES, EPERM)) |
3ffd4af2 LP |
440 | return -errno; |
441 | ||
442 | /* We don't have kcmp(), use fstat() instead. */ | |
443 | if (fstat(a, &sta) < 0) | |
444 | return -errno; | |
445 | ||
446 | if (fstat(b, &stb) < 0) | |
447 | return -errno; | |
448 | ||
449 | if ((sta.st_mode & S_IFMT) != (stb.st_mode & S_IFMT)) | |
450 | return false; | |
451 | ||
452 | /* We consider all device fds different, since two device fds | |
453 | * might refer to quite different device contexts even though | |
454 | * they share the same inode and backing dev_t. */ | |
455 | ||
456 | if (S_ISCHR(sta.st_mode) || S_ISBLK(sta.st_mode)) | |
457 | return false; | |
458 | ||
459 | if (sta.st_dev != stb.st_dev || sta.st_ino != stb.st_ino) | |
460 | return false; | |
461 | ||
462 | /* The fds refer to the same inode on disk, let's also check | |
463 | * if they have the same fd flags. This is useful to | |
464 | * distinguish the read and write side of a pipe created with | |
465 | * pipe(). */ | |
466 | fa = fcntl(a, F_GETFL); | |
467 | if (fa < 0) | |
468 | return -errno; | |
469 | ||
470 | fb = fcntl(b, F_GETFL); | |
471 | if (fb < 0) | |
472 | return -errno; | |
473 | ||
474 | return fa == fb; | |
475 | } | |
476 | ||
477 | void cmsg_close_all(struct msghdr *mh) { | |
478 | struct cmsghdr *cmsg; | |
479 | ||
480 | assert(mh); | |
481 | ||
482 | CMSG_FOREACH(cmsg, mh) | |
483 | if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) | |
484 | close_many((int*) CMSG_DATA(cmsg), (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int)); | |
485 | } | |
4fee3975 LP |
486 | |
487 | bool fdname_is_valid(const char *s) { | |
488 | const char *p; | |
489 | ||
490 | /* Validates a name for $LISTEN_FDNAMES. We basically allow | |
491 | * everything ASCII that's not a control character. Also, as | |
492 | * special exception the ":" character is not allowed, as we | |
493 | * use that as field separator in $LISTEN_FDNAMES. | |
494 | * | |
495 | * Note that the empty string is explicitly allowed | |
496 | * here. However, we limit the length of the names to 255 | |
497 | * characters. */ | |
498 | ||
499 | if (!s) | |
500 | return false; | |
501 | ||
502 | for (p = s; *p; p++) { | |
503 | if (*p < ' ') | |
504 | return false; | |
505 | if (*p >= 127) | |
506 | return false; | |
507 | if (*p == ':') | |
508 | return false; | |
509 | } | |
510 | ||
ae3f4bae | 511 | return p - s <= FDNAME_MAX; |
4fee3975 | 512 | } |
4aeb20f5 LP |
513 | |
514 | int fd_get_path(int fd, char **ret) { | |
a0fe2a2d | 515 | int r; |
4aeb20f5 | 516 | |
ddb6eeaf | 517 | r = readlink_malloc(FORMAT_PROC_FD_PATH(fd), ret); |
f267719c LP |
518 | if (r == -ENOENT) { |
519 | /* ENOENT can mean two things: that the fd does not exist or that /proc is not mounted. Let's make | |
5238e957 | 520 | * things debuggable and distinguish the two. */ |
4aeb20f5 | 521 | |
8fe8f3aa LP |
522 | if (proc_mounted() == 0) |
523 | return -ENOSYS; /* /proc is not available or not set up properly, we're most likely in some chroot | |
524 | * environment. */ | |
f267719c LP |
525 | return -EBADF; /* The directory exists, hence it's the fd that doesn't. */ |
526 | } | |
a0fe2a2d LP |
527 | |
528 | return r; | |
4aeb20f5 | 529 | } |
046a82c1 LP |
530 | |
531 | int move_fd(int from, int to, int cloexec) { | |
532 | int r; | |
533 | ||
534 | /* Move fd 'from' to 'to', make sure FD_CLOEXEC remains equal if requested, and release the old fd. If | |
535 | * 'cloexec' is passed as -1, the original FD_CLOEXEC is inherited for the new fd. If it is 0, it is turned | |
536 | * off, if it is > 0 it is turned on. */ | |
537 | ||
538 | if (from < 0) | |
539 | return -EBADF; | |
540 | if (to < 0) | |
541 | return -EBADF; | |
542 | ||
543 | if (from == to) { | |
544 | ||
545 | if (cloexec >= 0) { | |
546 | r = fd_cloexec(to, cloexec); | |
547 | if (r < 0) | |
548 | return r; | |
549 | } | |
550 | ||
551 | return to; | |
552 | } | |
553 | ||
554 | if (cloexec < 0) { | |
555 | int fl; | |
556 | ||
557 | fl = fcntl(from, F_GETFD, 0); | |
558 | if (fl < 0) | |
559 | return -errno; | |
560 | ||
561 | cloexec = !!(fl & FD_CLOEXEC); | |
562 | } | |
563 | ||
564 | r = dup3(from, to, cloexec ? O_CLOEXEC : 0); | |
565 | if (r < 0) | |
566 | return -errno; | |
567 | ||
568 | assert(r == to); | |
569 | ||
570 | safe_close(from); | |
571 | ||
572 | return to; | |
573 | } | |
a548e14d | 574 | |
7fe2903c LP |
575 | int fd_move_above_stdio(int fd) { |
576 | int flags, copy; | |
577 | PROTECT_ERRNO; | |
578 | ||
579 | /* Moves the specified file descriptor if possible out of the range [0…2], i.e. the range of | |
580 | * stdin/stdout/stderr. If it can't be moved outside of this range the original file descriptor is | |
581 | * returned. This call is supposed to be used for long-lasting file descriptors we allocate in our code that | |
582 | * might get loaded into foreign code, and where we want ensure our fds are unlikely used accidentally as | |
583 | * stdin/stdout/stderr of unrelated code. | |
584 | * | |
585 | * Note that this doesn't fix any real bugs, it just makes it less likely that our code will be affected by | |
586 | * buggy code from others that mindlessly invokes 'fprintf(stderr, …' or similar in places where stderr has | |
587 | * been closed before. | |
588 | * | |
589 | * This function is written in a "best-effort" and "least-impact" style. This means whenever we encounter an | |
590 | * error we simply return the original file descriptor, and we do not touch errno. */ | |
591 | ||
592 | if (fd < 0 || fd > 2) | |
593 | return fd; | |
594 | ||
595 | flags = fcntl(fd, F_GETFD, 0); | |
596 | if (flags < 0) | |
597 | return fd; | |
598 | ||
599 | if (flags & FD_CLOEXEC) | |
600 | copy = fcntl(fd, F_DUPFD_CLOEXEC, 3); | |
601 | else | |
602 | copy = fcntl(fd, F_DUPFD, 3); | |
603 | if (copy < 0) | |
604 | return fd; | |
605 | ||
606 | assert(copy > 2); | |
607 | ||
608 | (void) close(fd); | |
609 | return copy; | |
610 | } | |
aa11e28b LP |
611 | |
612 | int rearrange_stdio(int original_input_fd, int original_output_fd, int original_error_fd) { | |
613 | ||
614 | int fd[3] = { /* Put together an array of fds we work on */ | |
615 | original_input_fd, | |
616 | original_output_fd, | |
617 | original_error_fd | |
618 | }; | |
619 | ||
620 | int r, i, | |
621 | null_fd = -1, /* if we open /dev/null, we store the fd to it here */ | |
622 | copy_fd[3] = { -1, -1, -1 }; /* This contains all fds we duplicate here temporarily, and hence need to close at the end */ | |
623 | bool null_readable, null_writable; | |
624 | ||
625 | /* Sets up stdin, stdout, stderr with the three file descriptors passed in. If any of the descriptors is | |
626 | * specified as -1 it will be connected with /dev/null instead. If any of the file descriptors is passed as | |
627 | * itself (e.g. stdin as STDIN_FILENO) it is left unmodified, but the O_CLOEXEC bit is turned off should it be | |
628 | * on. | |
629 | * | |
630 | * Note that if any of the passed file descriptors are > 2 they will be closed — both on success and on | |
631 | * failure! Thus, callers should assume that when this function returns the input fds are invalidated. | |
632 | * | |
633 | * Note that when this function fails stdin/stdout/stderr might remain half set up! | |
634 | * | |
635 | * O_CLOEXEC is turned off for all three file descriptors (which is how it should be for | |
636 | * stdin/stdout/stderr). */ | |
637 | ||
638 | null_readable = original_input_fd < 0; | |
639 | null_writable = original_output_fd < 0 || original_error_fd < 0; | |
640 | ||
641 | /* First step, open /dev/null once, if we need it */ | |
642 | if (null_readable || null_writable) { | |
643 | ||
644 | /* Let's open this with O_CLOEXEC first, and convert it to non-O_CLOEXEC when we move the fd to the final position. */ | |
645 | null_fd = open("/dev/null", (null_readable && null_writable ? O_RDWR : | |
646 | null_readable ? O_RDONLY : O_WRONLY) | O_CLOEXEC); | |
647 | if (null_fd < 0) { | |
648 | r = -errno; | |
649 | goto finish; | |
650 | } | |
651 | ||
652 | /* If this fd is in the 0…2 range, let's move it out of it */ | |
653 | if (null_fd < 3) { | |
654 | int copy; | |
655 | ||
656 | copy = fcntl(null_fd, F_DUPFD_CLOEXEC, 3); /* Duplicate this with O_CLOEXEC set */ | |
657 | if (copy < 0) { | |
658 | r = -errno; | |
659 | goto finish; | |
660 | } | |
661 | ||
0706c012 | 662 | CLOSE_AND_REPLACE(null_fd, copy); |
aa11e28b LP |
663 | } |
664 | } | |
665 | ||
666 | /* Let's assemble fd[] with the fds to install in place of stdin/stdout/stderr */ | |
667 | for (i = 0; i < 3; i++) { | |
668 | ||
669 | if (fd[i] < 0) | |
670 | fd[i] = null_fd; /* A negative parameter means: connect this one to /dev/null */ | |
671 | else if (fd[i] != i && fd[i] < 3) { | |
672 | /* This fd is in the 0…2 territory, but not at its intended place, move it out of there, so that we can work there. */ | |
673 | copy_fd[i] = fcntl(fd[i], F_DUPFD_CLOEXEC, 3); /* Duplicate this with O_CLOEXEC set */ | |
674 | if (copy_fd[i] < 0) { | |
675 | r = -errno; | |
676 | goto finish; | |
677 | } | |
678 | ||
679 | fd[i] = copy_fd[i]; | |
680 | } | |
681 | } | |
682 | ||
683 | /* At this point we now have the fds to use in fd[], and they are all above the stdio range, so that we | |
684 | * have freedom to move them around. If the fds already were at the right places then the specific fds are | |
685 | * -1. Let's now move them to the right places. This is the point of no return. */ | |
686 | for (i = 0; i < 3; i++) { | |
687 | ||
688 | if (fd[i] == i) { | |
689 | ||
690 | /* fd is already in place, but let's make sure O_CLOEXEC is off */ | |
691 | r = fd_cloexec(i, false); | |
692 | if (r < 0) | |
693 | goto finish; | |
694 | ||
695 | } else { | |
696 | assert(fd[i] > 2); | |
697 | ||
698 | if (dup2(fd[i], i) < 0) { /* Turns off O_CLOEXEC on the new fd. */ | |
699 | r = -errno; | |
700 | goto finish; | |
701 | } | |
702 | } | |
703 | } | |
704 | ||
705 | r = 0; | |
706 | ||
707 | finish: | |
708 | /* Close the original fds, but only if they were outside of the stdio range. Also, properly check for the same | |
709 | * fd passed in multiple times. */ | |
710 | safe_close_above_stdio(original_input_fd); | |
711 | if (original_output_fd != original_input_fd) | |
712 | safe_close_above_stdio(original_output_fd); | |
713 | if (original_error_fd != original_input_fd && original_error_fd != original_output_fd) | |
714 | safe_close_above_stdio(original_error_fd); | |
715 | ||
716 | /* Close the copies we moved > 2 */ | |
717 | for (i = 0; i < 3; i++) | |
718 | safe_close(copy_fd[i]); | |
719 | ||
720 | /* Close our null fd, if it's > 2 */ | |
721 | safe_close_above_stdio(null_fd); | |
722 | ||
723 | return r; | |
724 | } | |
f2324783 LP |
725 | |
726 | int fd_reopen(int fd, int flags) { | |
d6274e6b | 727 | int new_fd, r; |
f2324783 LP |
728 | |
729 | /* Reopens the specified fd with new flags. This is useful for convert an O_PATH fd into a regular one, or to | |
730 | * turn O_RDWR fds into O_RDONLY fds. | |
731 | * | |
732 | * This doesn't work on sockets (since they cannot be open()ed, ever). | |
733 | * | |
734 | * This implicitly resets the file read index to 0. */ | |
735 | ||
b4f73d1e LP |
736 | if (FLAGS_SET(flags, O_DIRECTORY)) { |
737 | /* If we shall reopen the fd as directory we can just go via "." and thus bypass the whole | |
738 | * magic /proc/ directory, and make ourselves independent of that being mounted. */ | |
739 | new_fd = openat(fd, ".", flags); | |
740 | if (new_fd < 0) | |
741 | return -errno; | |
742 | ||
743 | return new_fd; | |
744 | } | |
745 | ||
ddb6eeaf | 746 | new_fd = open(FORMAT_PROC_FD_PATH(fd), flags); |
f8606626 LP |
747 | if (new_fd < 0) { |
748 | if (errno != ENOENT) | |
749 | return -errno; | |
750 | ||
d6274e6b LP |
751 | r = proc_mounted(); |
752 | if (r == 0) | |
f8606626 LP |
753 | return -ENOSYS; /* if we have no /proc/, the concept is not implementable */ |
754 | ||
d6274e6b LP |
755 | return r > 0 ? -EBADF : -ENOENT; /* If /proc/ is definitely around then this means the fd is |
756 | * not valid, otherwise let's propagate the original | |
757 | * error */ | |
f8606626 | 758 | } |
f2324783 LP |
759 | |
760 | return new_fd; | |
761 | } | |
9264cc39 LP |
762 | |
763 | int read_nr_open(void) { | |
764 | _cleanup_free_ char *nr_open = NULL; | |
765 | int r; | |
766 | ||
767 | /* Returns the kernel's current fd limit, either by reading it of /proc/sys if that works, or using the | |
768 | * hard-coded default compiled-in value of current kernels (1M) if not. This call will never fail. */ | |
769 | ||
770 | r = read_one_line_file("/proc/sys/fs/nr_open", &nr_open); | |
771 | if (r < 0) | |
772 | log_debug_errno(r, "Failed to read /proc/sys/fs/nr_open, ignoring: %m"); | |
773 | else { | |
774 | int v; | |
775 | ||
776 | r = safe_atoi(nr_open, &v); | |
777 | if (r < 0) | |
778 | log_debug_errno(r, "Failed to parse /proc/sys/fs/nr_open value '%s', ignoring: %m", nr_open); | |
779 | else | |
780 | return v; | |
781 | } | |
782 | ||
2aed63f4 | 783 | /* If we fail, fall back to the hard-coded kernel limit of 1024 * 1024. */ |
9264cc39 LP |
784 | return 1024 * 1024; |
785 | } | |
65ddc2c5 ZJS |
786 | |
787 | /* This is here because it's fd-related and is called from sd-journal code. Other btrfs-related utilities are | |
788 | * in src/shared, but libsystemd must not link to libsystemd-shared, see docs/ARCHITECTURE.md. */ | |
789 | int btrfs_defrag_fd(int fd) { | |
790 | int r; | |
791 | ||
792 | assert(fd >= 0); | |
793 | ||
794 | r = fd_verify_regular(fd); | |
795 | if (r < 0) | |
796 | return r; | |
797 | ||
7c248223 | 798 | return RET_NERRNO(ioctl(fd, BTRFS_IOC_DEFRAG, NULL)); |
65ddc2c5 | 799 | } |