1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
6 #include <linux/falloc.h>
7 #include <linux/magic.h>
10 #include "alloc-util.h"
11 #include "dirent-util.h"
15 #include "locale-util.h"
18 #include "missing_fcntl.h"
19 #include "missing_fs.h"
20 #include "missing_syscall.h"
22 #include "parse-util.h"
23 #include "path-util.h"
24 #include "process-util.h"
25 #include "random-util.h"
26 #include "ratelimit.h"
27 #include "stat-util.h"
28 #include "stdio-util.h"
29 #include "string-util.h"
31 #include "time-util.h"
32 #include "tmpfile-util.h"
33 #include "user-util.h"
36 int unlink_noerrno(const char *path
) {
47 int rmdir_parents(const char *path
, const char *stop
) {
56 /* Skip trailing slashes */
57 while (l
> 0 && path
[l
-1] == '/')
63 /* Skip last component */
64 while (l
> 0 && path
[l
-1] != '/')
67 /* Skip trailing slashes */
68 while (l
> 0 && path
[l
-1] == '/')
78 if (path_startswith(stop
, t
)) {
94 int rename_noreplace(int olddirfd
, const char *oldpath
, int newdirfd
, const char *newpath
) {
97 /* Try the ideal approach first */
98 if (renameat2(olddirfd
, oldpath
, newdirfd
, newpath
, RENAME_NOREPLACE
) >= 0)
101 /* renameat2() exists since Linux 3.15, btrfs and FAT added support for it later. If it is not implemented,
102 * fall back to a different method. */
103 if (!ERRNO_IS_NOT_SUPPORTED(errno
) && errno
!= EINVAL
)
106 /* Let's try to use linkat()+unlinkat() as fallback. This doesn't work on directories and on some file systems
107 * that do not support hard links (such as FAT, most prominently), but for files it's pretty close to what we
108 * want — though not atomic (i.e. for a short period both the new and the old filename will exist). */
109 if (linkat(olddirfd
, oldpath
, newdirfd
, newpath
, 0) >= 0) {
111 if (unlinkat(olddirfd
, oldpath
, 0) < 0) {
112 r
= -errno
; /* Backup errno before the following unlinkat() alters it */
113 (void) unlinkat(newdirfd
, newpath
, 0);
120 if (!ERRNO_IS_NOT_SUPPORTED(errno
) && !IN_SET(errno
, EINVAL
, EPERM
)) /* FAT returns EPERM on link()… */
123 /* OK, neither RENAME_NOREPLACE nor linkat()+unlinkat() worked. Let's then fall back to the racy TOCTOU
124 * vulnerable accessat(F_OK) check followed by classic, replacing renameat(), we have nothing better. */
126 if (faccessat(newdirfd
, newpath
, F_OK
, AT_SYMLINK_NOFOLLOW
) >= 0)
131 if (renameat(olddirfd
, oldpath
, newdirfd
, newpath
) < 0)
137 int readlinkat_malloc(int fd
, const char *p
, char **ret
) {
144 _cleanup_free_
char *c
= NULL
;
151 n
= readlinkat(fd
, p
, c
, l
);
155 if ((size_t) n
< l
) {
161 if (l
> (SSIZE_MAX
-1)/2) /* readlinkat() returns an ssize_t, and we want an extra byte for a
162 * trailing NUL, hence do an overflow check relative to SSIZE_MAX-1
170 int readlink_malloc(const char *p
, char **ret
) {
171 return readlinkat_malloc(AT_FDCWD
, p
, ret
);
174 int readlink_value(const char *p
, char **ret
) {
175 _cleanup_free_
char *link
= NULL
;
179 r
= readlink_malloc(p
, &link
);
183 value
= basename(link
);
187 value
= strdup(value
);
196 int readlink_and_make_absolute(const char *p
, char **r
) {
197 _cleanup_free_
char *target
= NULL
;
204 j
= readlink_malloc(p
, &target
);
208 k
= file_in_same_dir(p
, target
);
216 int chmod_and_chown(const char *path
, mode_t mode
, uid_t uid
, gid_t gid
) {
217 _cleanup_close_
int fd
= -1;
221 fd
= open(path
, O_PATH
|O_CLOEXEC
|O_NOFOLLOW
); /* Let's acquire an O_PATH fd, as precaution to change
222 * mode/owner on the same file */
226 return fchmod_and_chown(fd
, mode
, uid
, gid
);
229 int fchmod_and_chown_with_fallback(int fd
, const char *path
, mode_t mode
, uid_t uid
, gid_t gid
) {
230 bool do_chown
, do_chmod
;
234 /* Change ownership and access mode of the specified fd. Tries to do so safely, ensuring that at no
235 * point in time the access mode is above the old access mode under the old ownership or the new
236 * access mode under the new ownership. Note: this call tries hard to leave the access mode
237 * unaffected if the uid/gid is changed, i.e. it undoes implicit suid/sgid dropping the kernel does
240 * This call is happy with O_PATH fds.
242 * If path is given, allow a fallback path which does not use /proc/self/fd/. On any normal system
243 * /proc will be mounted, but in certain improperly assembled environments it might not be. This is
244 * less secure (potential TOCTOU), so should only be used after consideration. */
246 if (fstat(fd
, &st
) < 0)
250 (uid
!= UID_INVALID
&& st
.st_uid
!= uid
) ||
251 (gid
!= GID_INVALID
&& st
.st_gid
!= gid
);
254 !S_ISLNK(st
.st_mode
) && /* chmod is not defined on symlinks */
255 ((mode
!= MODE_INVALID
&& ((st
.st_mode
^ mode
) & 07777) != 0) ||
256 do_chown
); /* If we change ownership, make sure we reset the mode afterwards, since chown()
257 * modifies the access mode too */
259 if (mode
== MODE_INVALID
)
260 mode
= st
.st_mode
; /* If we only shall do a chown(), save original mode, since chown() might break it. */
261 else if ((mode
& S_IFMT
) != 0 && ((mode
^ st
.st_mode
) & S_IFMT
) != 0)
262 return -EINVAL
; /* insist on the right file type if it was specified */
264 if (do_chown
&& do_chmod
) {
265 mode_t minimal
= st
.st_mode
& mode
; /* the subset of the old and the new mask */
267 if (((minimal
^ st
.st_mode
) & 07777) != 0) {
268 r
= fchmod_opath(fd
, minimal
& 07777);
270 if (!path
|| r
!= -ENOSYS
)
273 /* Fallback path which doesn't use /proc/self/fd/. */
274 if (chmod(path
, minimal
& 07777) < 0)
281 if (fchownat(fd
, "", uid
, gid
, AT_EMPTY_PATH
) < 0)
285 r
= fchmod_opath(fd
, mode
& 07777);
287 if (!path
|| r
!= -ENOSYS
)
290 /* Fallback path which doesn't use /proc/self/fd/. */
291 if (chmod(path
, mode
& 07777) < 0)
296 return do_chown
|| do_chmod
;
299 int fchmod_umask(int fd
, mode_t m
) {
304 r
= fchmod(fd
, m
& (~u
)) < 0 ? -errno
: 0;
310 int fchmod_opath(int fd
, mode_t m
) {
311 /* This function operates also on fd that might have been opened with
312 * O_PATH. Indeed fchmodat() doesn't have the AT_EMPTY_PATH flag like
313 * fchownat() does. */
315 if (chmod(FORMAT_PROC_FD_PATH(fd
), m
) < 0) {
319 if (proc_mounted() == 0)
320 return -ENOSYS
; /* if we have no /proc/, the concept is not implementable */
328 int futimens_opath(int fd
, const struct timespec ts
[2]) {
329 /* Similar to fchmod_path() but for futimens() */
331 if (utimensat(AT_FDCWD
, FORMAT_PROC_FD_PATH(fd
), ts
, 0) < 0) {
335 if (proc_mounted() == 0)
336 return -ENOSYS
; /* if we have no /proc/, the concept is not implementable */
344 int stat_warn_permissions(const char *path
, const struct stat
*st
) {
348 /* Don't complain if we are reading something that is not a file, for example /dev/null */
349 if (!S_ISREG(st
->st_mode
))
352 if (st
->st_mode
& 0111)
353 log_warning("Configuration file %s is marked executable. Please remove executable permission bits. Proceeding anyway.", path
);
355 if (st
->st_mode
& 0002)
356 log_warning("Configuration file %s is marked world-writable. Please remove world writability permission bits. Proceeding anyway.", path
);
358 if (getpid_cached() == 1 && (st
->st_mode
& 0044) != 0044)
359 log_warning("Configuration file %s is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.", path
);
364 int fd_warn_permissions(const char *path
, int fd
) {
370 if (fstat(fd
, &st
) < 0)
373 return stat_warn_permissions(path
, &st
);
376 int touch_file(const char *path
, bool parents
, usec_t stamp
, uid_t uid
, gid_t gid
, mode_t mode
) {
377 _cleanup_close_
int fd
= -1;
382 /* Note that touch_file() does not follow symlinks: if invoked on an existing symlink, then it is the symlink
383 * itself which is updated, not its target
385 * Returns the first error we encounter, but tries to apply as much as possible. */
388 (void) mkdir_parents(path
, 0755);
390 /* Initially, we try to open the node with O_PATH, so that we get a reference to the node. This is useful in
391 * case the path refers to an existing device or socket node, as we can open it successfully in all cases, and
392 * won't trigger any driver magic or so. */
393 fd
= open(path
, O_PATH
|O_CLOEXEC
|O_NOFOLLOW
);
398 /* if the node doesn't exist yet, we create it, but with O_EXCL, so that we only create a regular file
399 * here, and nothing else */
400 fd
= open(path
, O_WRONLY
|O_CREAT
|O_EXCL
|O_CLOEXEC
, IN_SET(mode
, 0, MODE_INVALID
) ? 0644 : mode
);
405 /* Let's make a path from the fd, and operate on that. With this logic, we can adjust the access mode,
406 * ownership and time of the file node in all cases, even if the fd refers to an O_PATH object — which is
407 * something fchown(), fchmod(), futimensat() don't allow. */
408 ret
= fchmod_and_chown(fd
, mode
, uid
, gid
);
410 if (stamp
!= USEC_INFINITY
) {
411 struct timespec ts
[2];
413 timespec_store(&ts
[0], stamp
);
415 r
= utimensat(AT_FDCWD
, FORMAT_PROC_FD_PATH(fd
), ts
, 0);
417 r
= utimensat(AT_FDCWD
, FORMAT_PROC_FD_PATH(fd
), NULL
, 0);
418 if (r
< 0 && ret
>= 0)
424 int touch(const char *path
) {
425 return touch_file(path
, false, USEC_INFINITY
, UID_INVALID
, GID_INVALID
, MODE_INVALID
);
428 int symlink_idempotent(const char *from
, const char *to
, bool make_relative
) {
429 _cleanup_free_
char *relpath
= NULL
;
436 _cleanup_free_
char *parent
= NULL
;
438 r
= path_extract_directory(to
, &parent
);
442 r
= path_make_relative(parent
, from
, &relpath
);
449 if (symlink(from
, to
) < 0) {
450 _cleanup_free_
char *p
= NULL
;
455 r
= readlink_malloc(to
, &p
);
456 if (r
== -EINVAL
) /* Not a symlink? In that case return the original error we encountered: -EEXIST */
458 if (r
< 0) /* Any other error? In that case propagate it as is */
461 if (!streq(p
, from
)) /* Not the symlink we want it to be? In that case, propagate the original -EEXIST */
468 int symlink_atomic(const char *from
, const char *to
) {
469 _cleanup_free_
char *t
= NULL
;
475 r
= tempfn_random(to
, NULL
, &t
);
479 if (symlink(from
, t
) < 0)
482 if (rename(t
, to
) < 0) {
490 int mknod_atomic(const char *path
, mode_t mode
, dev_t dev
) {
491 _cleanup_free_
char *t
= NULL
;
496 r
= tempfn_random(path
, NULL
, &t
);
500 if (mknod(t
, mode
, dev
) < 0)
503 if (rename(t
, path
) < 0) {
511 int mkfifo_atomic(const char *path
, mode_t mode
) {
512 _cleanup_free_
char *t
= NULL
;
517 r
= tempfn_random(path
, NULL
, &t
);
521 if (mkfifo(t
, mode
) < 0)
524 if (rename(t
, path
) < 0) {
532 int mkfifoat_atomic(int dirfd
, const char *path
, mode_t mode
) {
533 _cleanup_free_
char *t
= NULL
;
538 if (path_is_absolute(path
))
539 return mkfifo_atomic(path
, mode
);
541 /* We're only interested in the (random) filename. */
542 r
= tempfn_random_child("", NULL
, &t
);
546 if (mkfifoat(dirfd
, t
, mode
) < 0)
549 if (renameat(dirfd
, t
, dirfd
, path
) < 0) {
557 int get_files_in_directory(const char *path
, char ***list
) {
558 _cleanup_strv_free_
char **l
= NULL
;
559 _cleanup_closedir_
DIR *d
= NULL
;
565 /* Returns all files in a directory in *list, and the number
566 * of files as return value. If list is NULL returns only the
573 FOREACH_DIRENT_ALL(de
, d
, return -errno
) {
574 if (!dirent_is_file(de
))
578 /* one extra slot is needed for the terminating NULL */
579 if (!GREEDY_REALLOC(l
, n
+ 2))
582 l
[n
] = strdup(de
->d_name
);
597 static int getenv_tmp_dir(const char **ret_path
) {
603 /* We use the same order of environment variables python uses in tempfile.gettempdir():
604 * https://docs.python.org/3/library/tempfile.html#tempfile.gettempdir */
605 FOREACH_STRING(n
, "TMPDIR", "TEMP", "TMP") {
608 e
= secure_getenv(n
);
611 if (!path_is_absolute(e
)) {
615 if (!path_is_normalized(e
)) {
632 /* Remember first error, to make this more debuggable */
644 static int tmp_dir_internal(const char *def
, const char **ret
) {
651 r
= getenv_tmp_dir(&e
);
657 k
= is_dir(def
, true);
661 return r
< 0 ? r
: k
;
667 int var_tmp_dir(const char **ret
) {
669 /* Returns the location for "larger" temporary files, that is backed by physical storage if available, and thus
670 * even might survive a boot: /var/tmp. If $TMPDIR (or related environment variables) are set, its value is
671 * returned preferably however. Note that both this function and tmp_dir() below are affected by $TMPDIR,
672 * making it a variable that overrides all temporary file storage locations. */
674 return tmp_dir_internal("/var/tmp", ret
);
677 int tmp_dir(const char **ret
) {
679 /* Similar to var_tmp_dir() above, but returns the location for "smaller" temporary files, which is usually
680 * backed by an in-memory file system: /tmp. */
682 return tmp_dir_internal("/tmp", ret
);
685 int unlink_or_warn(const char *filename
) {
686 if (unlink(filename
) < 0 && errno
!= ENOENT
)
687 /* If the file doesn't exist and the fs simply was read-only (in which
688 * case unlink() returns EROFS even if the file doesn't exist), don't
690 if (errno
!= EROFS
|| access(filename
, F_OK
) >= 0)
691 return log_error_errno(errno
, "Failed to remove \"%s\": %m", filename
);
696 int inotify_add_watch_fd(int fd
, int what
, uint32_t mask
) {
699 /* This is like inotify_add_watch(), except that the file to watch is not referenced by a path, but by an fd */
700 wd
= inotify_add_watch(fd
, FORMAT_PROC_FD_PATH(what
), mask
);
707 int inotify_add_watch_and_warn(int fd
, const char *pathname
, uint32_t mask
) {
710 wd
= inotify_add_watch(fd
, pathname
, mask
);
713 return log_error_errno(errno
, "Failed to add a watch for %s: inotify watch limit reached", pathname
);
715 return log_error_errno(errno
, "Failed to add a watch for %s: %m", pathname
);
721 bool unsafe_transition(const struct stat
*a
, const struct stat
*b
) {
722 /* Returns true if the transition from a to b is safe, i.e. that we never transition from unprivileged to
723 * privileged files or directories. Why bother? So that unprivileged code can't symlink to privileged files
724 * making us believe we read something safe even though it isn't safe in the specific context we open it in. */
726 if (a
->st_uid
== 0) /* Transitioning from privileged to unprivileged is always fine */
729 return a
->st_uid
!= b
->st_uid
; /* Otherwise we need to stay within the same UID */
732 static int log_unsafe_transition(int a
, int b
, const char *path
, unsigned flags
) {
733 _cleanup_free_
char *n1
= NULL
, *n2
= NULL
, *user_a
= NULL
, *user_b
= NULL
;
736 if (!FLAGS_SET(flags
, CHASE_WARN
))
739 (void) fd_get_path(a
, &n1
);
740 (void) fd_get_path(b
, &n2
);
742 if (fstat(a
, &st
) == 0)
743 user_a
= uid_to_name(st
.st_uid
);
744 if (fstat(b
, &st
) == 0)
745 user_b
= uid_to_name(st
.st_uid
);
747 return log_warning_errno(SYNTHETIC_ERRNO(ENOLINK
),
748 "Detected unsafe path transition %s (owned by %s) %s %s (owned by %s) during canonicalization of %s.",
749 strna(n1
), strna(user_a
), special_glyph(SPECIAL_GLYPH_ARROW
), strna(n2
), strna(user_b
), path
);
752 static int log_autofs_mount_point(int fd
, const char *path
, unsigned flags
) {
753 _cleanup_free_
char *n1
= NULL
;
755 if (!FLAGS_SET(flags
, CHASE_WARN
))
758 (void) fd_get_path(fd
, &n1
);
760 return log_warning_errno(SYNTHETIC_ERRNO(EREMOTE
),
761 "Detected autofs mount point %s during canonicalization of %s.",
765 int chase_symlinks(const char *path
, const char *original_root
, unsigned flags
, char **ret_path
, int *ret_fd
) {
766 _cleanup_free_
char *buffer
= NULL
, *done
= NULL
, *root
= NULL
;
767 _cleanup_close_
int fd
= -1;
768 unsigned max_follow
= CHASE_SYMLINKS_MAX
; /* how many symlinks to follow before giving up and returning ELOOP */
769 bool exists
= true, append_trail_slash
= false;
770 struct stat previous_stat
;
776 /* Either the file may be missing, or we return an fd to the final object, but both make no sense */
777 if ((flags
& CHASE_NONEXISTENT
) && ret_fd
)
780 if ((flags
& CHASE_STEP
) && ret_fd
)
786 /* This is a lot like canonicalize_file_name(), but takes an additional "root" parameter, that allows following
787 * symlinks relative to a root directory, instead of the root of the host.
789 * Note that "root" primarily matters if we encounter an absolute symlink. It is also used when following
790 * relative symlinks to ensure they cannot be used to "escape" the root directory. The path parameter passed is
791 * assumed to be already prefixed by it, except if the CHASE_PREFIX_ROOT flag is set, in which case it is first
792 * prefixed accordingly.
794 * Algorithmically this operates on two path buffers: "done" are the components of the path we already
795 * processed and resolved symlinks, "." and ".." of. "todo" are the components of the path we still need to
796 * process. On each iteration, we move one component from "todo" to "done", processing it's special meaning
797 * each time. The "todo" path always starts with at least one slash, the "done" path always ends in no
798 * slash. We always keep an O_PATH fd to the component we are currently processing, thus keeping lookup races
801 * Suggested usage: whenever you want to canonicalize a path, use this function. Pass the absolute path you got
802 * as-is: fully qualified and relative to your host's root. Optionally, specify the root parameter to tell this
803 * function what to do when encountering a symlink with an absolute path as directory: prefix it by the
806 * There are five ways to invoke this function:
808 * 1. Without CHASE_STEP or ret_fd: in this case the path is resolved and the normalized path is
809 * returned in `ret_path`. The return value is < 0 on error. If CHASE_NONEXISTENT is also set, 0
810 * is returned if the file doesn't exist, > 0 otherwise. If CHASE_NONEXISTENT is not set, >= 0 is
811 * returned if the destination was found, -ENOENT if it wasn't.
813 * 2. With ret_fd: in this case the destination is opened after chasing it as O_PATH and this file
814 * descriptor is returned as return value. This is useful to open files relative to some root
815 * directory. Note that the returned O_PATH file descriptors must be converted into a regular one (using
816 * fd_reopen() or such) before it can be used for reading/writing. ret_fd may not be combined with
819 * 3. With CHASE_STEP: in this case only a single step of the normalization is executed, i.e. only the first
820 * symlink or ".." component of the path is resolved, and the resulting path is returned. This is useful if
821 * a caller wants to trace the path through the file system verbosely. Returns < 0 on error, > 0 if the
822 * path is fully normalized, and == 0 for each normalization step. This may be combined with
823 * CHASE_NONEXISTENT, in which case 1 is returned when a component is not found.
825 * 4. With CHASE_SAFE: in this case the path must not contain unsafe transitions, i.e. transitions from
826 * unprivileged to privileged files or directories. In such cases the return value is -ENOLINK. If
827 * CHASE_WARN is also set, a warning describing the unsafe transition is emitted.
829 * 5. With CHASE_NO_AUTOFS: in this case if an autofs mount point is encountered, path normalization
830 * is aborted and -EREMOTE is returned. If CHASE_WARN is also set, a warning showing the path of
831 * the mount point is emitted.
834 /* A root directory of "/" or "" is identical to none */
835 if (empty_or_root(original_root
))
836 original_root
= NULL
;
838 if (!original_root
&& !ret_path
&& !(flags
& (CHASE_NONEXISTENT
|CHASE_NO_AUTOFS
|CHASE_SAFE
|CHASE_STEP
)) && ret_fd
) {
839 /* Shortcut the ret_fd case if the caller isn't interested in the actual path and has no root set
840 * and doesn't care about any of the other special features we provide either. */
841 r
= open(path
, O_PATH
|O_CLOEXEC
|((flags
& CHASE_NOFOLLOW
) ? O_NOFOLLOW
: 0));
850 r
= path_make_absolute_cwd(original_root
, &root
);
854 /* Simplify the root directory, so that it has no duplicate slashes and nothing at the
855 * end. While we won't resolve the root path we still simplify it. Note that dropping the
856 * trailing slash should not change behaviour, since when opening it we specify O_DIRECTORY
857 * anyway. Moreover at the end of this function after processing everything we'll always turn
858 * the empty string back to "/". */
859 delete_trailing_chars(root
, "/");
862 if (flags
& CHASE_PREFIX_ROOT
) {
863 /* We don't support relative paths in combination with a root directory */
864 if (!path_is_absolute(path
))
867 path
= prefix_roota(root
, path
);
871 r
= path_make_absolute_cwd(path
, &buffer
);
875 fd
= open(root
?: "/", O_CLOEXEC
|O_DIRECTORY
|O_PATH
);
879 if (flags
& CHASE_SAFE
)
880 if (fstat(fd
, &previous_stat
) < 0)
883 if (flags
& CHASE_TRAIL_SLASH
)
884 append_trail_slash
= endswith(buffer
, "/") || endswith(buffer
, "/.");
887 /* If we are operating on a root directory, let's take the root directory as it is. */
889 todo
= path_startswith(buffer
, root
);
891 return log_full_errno(flags
& CHASE_WARN
? LOG_WARNING
: LOG_DEBUG
,
892 SYNTHETIC_ERRNO(ECHRNG
),
893 "Specified path '%s' is outside of specified root directory '%s', refusing to resolve.",
903 _cleanup_free_
char *first
= NULL
;
904 _cleanup_close_
int child
= -1;
908 r
= path_find_first_component(&todo
, true, &e
);
911 if (r
== 0) { /* We reached the end. */
912 if (append_trail_slash
)
913 if (!strextend(&done
, "/"))
918 first
= strndup(e
, r
);
922 /* Two dots? Then chop off the last bit of what we already found out. */
923 if (path_equal(first
, "..")) {
924 _cleanup_free_
char *parent
= NULL
;
925 _cleanup_close_
int fd_parent
= -1;
927 /* If we already are at the top, then going up will not change anything. This is in-line with
928 * how the kernel handles this. */
929 if (empty_or_root(done
))
932 parent
= dirname_malloc(done
);
936 /* Don't allow this to leave the root dir. */
938 path_startswith(done
, root
) &&
939 !path_startswith(parent
, root
))
942 free_and_replace(done
, parent
);
944 if (flags
& CHASE_STEP
)
947 fd_parent
= openat(fd
, "..", O_CLOEXEC
|O_NOFOLLOW
|O_PATH
);
951 if (flags
& CHASE_SAFE
) {
952 if (fstat(fd_parent
, &st
) < 0)
955 if (unsafe_transition(&previous_stat
, &st
))
956 return log_unsafe_transition(fd
, fd_parent
, path
, flags
);
962 fd
= TAKE_FD(fd_parent
);
967 /* Otherwise let's see what this is. */
968 child
= openat(fd
, first
, O_CLOEXEC
|O_NOFOLLOW
|O_PATH
);
970 if (errno
== ENOENT
&&
971 (flags
& CHASE_NONEXISTENT
) &&
972 (isempty(todo
) || path_is_safe(todo
))) {
973 /* If CHASE_NONEXISTENT is set, and the path does not exist, then
974 * that's OK, return what we got so far. But don't allow this if the
975 * remaining path contains "../" or something else weird. */
977 if (!path_extend(&done
, first
, todo
))
987 if (fstat(child
, &st
) < 0)
989 if ((flags
& CHASE_SAFE
) &&
990 unsafe_transition(&previous_stat
, &st
))
991 return log_unsafe_transition(fd
, child
, path
, flags
);
995 if ((flags
& CHASE_NO_AUTOFS
) &&
996 fd_is_fs_type(child
, AUTOFS_SUPER_MAGIC
) > 0)
997 return log_autofs_mount_point(child
, path
, flags
);
999 if (S_ISLNK(st
.st_mode
) && !((flags
& CHASE_NOFOLLOW
) && isempty(todo
))) {
1000 _cleanup_free_
char *destination
= NULL
;
1002 /* This is a symlink, in this case read the destination. But let's make sure we
1003 * don't follow symlinks without bounds. */
1004 if (--max_follow
<= 0)
1007 r
= readlinkat_malloc(fd
, first
, &destination
);
1010 if (isempty(destination
))
1013 if (path_is_absolute(destination
)) {
1015 /* An absolute destination. Start the loop from the beginning, but use the root
1016 * directory as base. */
1019 fd
= open(root
?: "/", O_CLOEXEC
|O_DIRECTORY
|O_PATH
);
1023 if (flags
& CHASE_SAFE
) {
1024 if (fstat(fd
, &st
) < 0)
1027 if (unsafe_transition(&previous_stat
, &st
))
1028 return log_unsafe_transition(child
, fd
, path
, flags
);
1033 /* Note that we do not revalidate the root, we take it as is. */
1034 r
= free_and_strdup(&done
, empty_to_root(root
));
1039 /* Prefix what's left to do with what we just read, and start the loop again, but
1040 * remain in the current directory. */
1041 if (!path_extend(&destination
, todo
))
1044 free_and_replace(buffer
, destination
);
1047 if (flags
& CHASE_STEP
)
1053 /* If this is not a symlink, then let's just add the name we read to what we already verified. */
1054 if (!path_extend(&done
, first
))
1057 /* And iterate again, but go one directory further down. */
1059 fd
= TAKE_FD(child
);
1063 *ret_path
= TAKE_PTR(done
);
1066 /* Return the O_PATH fd we currently are looking to the caller. It can translate it to a
1067 * proper fd by opening /proc/self/fd/xyz. */
1070 *ret_fd
= TAKE_FD(fd
);
1073 if (flags
& CHASE_STEP
)
1082 /* todo may contain slashes at the beginning. */
1083 r
= path_find_first_component(&todo
, true, &e
);
1087 *ret_path
= TAKE_PTR(done
);
1091 c
= path_join(done
, e
);
1102 int chase_symlinks_and_open(
1105 unsigned chase_flags
,
1109 _cleanup_close_
int path_fd
= -1;
1110 _cleanup_free_
char *p
= NULL
;
1113 if (chase_flags
& CHASE_NONEXISTENT
)
1116 if (empty_or_root(root
) && !ret_path
&& (chase_flags
& (CHASE_NO_AUTOFS
|CHASE_SAFE
)) == 0) {
1117 /* Shortcut this call if none of the special features of this call are requested */
1118 r
= open(path
, open_flags
);
1125 r
= chase_symlinks(path
, root
, chase_flags
, ret_path
? &p
: NULL
, &path_fd
);
1128 assert(path_fd
>= 0);
1130 r
= fd_reopen(path_fd
, open_flags
);
1135 *ret_path
= TAKE_PTR(p
);
1140 int chase_symlinks_and_opendir(
1143 unsigned chase_flags
,
1147 _cleanup_close_
int path_fd
= -1;
1148 _cleanup_free_
char *p
= NULL
;
1154 if (chase_flags
& CHASE_NONEXISTENT
)
1157 if (empty_or_root(root
) && !ret_path
&& (chase_flags
& (CHASE_NO_AUTOFS
|CHASE_SAFE
)) == 0) {
1158 /* Shortcut this call if none of the special features of this call are requested */
1167 r
= chase_symlinks(path
, root
, chase_flags
, ret_path
? &p
: NULL
, &path_fd
);
1170 assert(path_fd
>= 0);
1172 d
= opendir(FORMAT_PROC_FD_PATH(path_fd
));
1177 *ret_path
= TAKE_PTR(p
);
1183 int chase_symlinks_and_stat(
1186 unsigned chase_flags
,
1188 struct stat
*ret_stat
,
1191 _cleanup_close_
int path_fd
= -1;
1192 _cleanup_free_
char *p
= NULL
;
1198 if (chase_flags
& CHASE_NONEXISTENT
)
1201 if (empty_or_root(root
) && !ret_path
&& (chase_flags
& (CHASE_NO_AUTOFS
|CHASE_SAFE
)) == 0) {
1202 /* Shortcut this call if none of the special features of this call are requested */
1203 if (stat(path
, ret_stat
) < 0)
1209 r
= chase_symlinks(path
, root
, chase_flags
, ret_path
? &p
: NULL
, &path_fd
);
1212 assert(path_fd
>= 0);
1214 if (fstat(path_fd
, ret_stat
) < 0)
1218 *ret_path
= TAKE_PTR(p
);
1220 *ret_fd
= TAKE_FD(path_fd
);
1225 int access_fd(int fd
, int mode
) {
1226 /* Like access() but operates on an already open fd */
1228 if (access(FORMAT_PROC_FD_PATH(fd
), mode
) < 0) {
1229 if (errno
!= ENOENT
)
1232 /* ENOENT can mean two things: that the fd does not exist or that /proc is not mounted. Let's
1233 * make things debuggable and distinguish the two. */
1235 if (proc_mounted() == 0)
1236 return -ENOSYS
; /* /proc is not available or not set up properly, we're most likely in some chroot
1239 return -EBADF
; /* The directory exists, hence it's the fd that doesn't. */
1245 void unlink_tempfilep(char (*p
)[]) {
1246 /* If the file is created with mkstemp(), it will (almost always)
1247 * change the suffix. Treat this as a sign that the file was
1248 * successfully created. We ignore both the rare case where the
1249 * original suffix is used and unlink failures. */
1250 if (!endswith(*p
, ".XXXXXX"))
1251 (void) unlink_noerrno(*p
);
1254 int unlinkat_deallocate(int fd
, const char *name
, UnlinkDeallocateFlags flags
) {
1255 _cleanup_close_
int truncate_fd
= -1;
1259 assert((flags
& ~(UNLINK_REMOVEDIR
|UNLINK_ERASE
)) == 0);
1261 /* Operates like unlinkat() but also deallocates the file contents if it is a regular file and there's no other
1262 * link to it. This is useful to ensure that other processes that might have the file open for reading won't be
1263 * able to keep the data pinned on disk forever. This call is particular useful whenever we execute clean-up
1264 * jobs ("vacuuming"), where we want to make sure the data is really gone and the disk space released and
1265 * returned to the free pool.
1267 * Deallocation is preferably done by FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE (👊) if supported, which means
1268 * the file won't change size. That's a good thing since we shouldn't needlessly trigger SIGBUS in other
1269 * programs that have mmap()ed the file. (The assumption here is that changing file contents to all zeroes
1270 * underneath those programs is the better choice than simply triggering SIGBUS in them which truncation does.)
1271 * However if hole punching is not implemented in the kernel or file system we'll fall back to normal file
1272 * truncation (🔪), as our goal of deallocating the data space trumps our goal of being nice to readers (💐).
1274 * Note that we attempt deallocation, but failure to succeed with that is not considered fatal, as long as the
1275 * primary job – to delete the file – is accomplished. */
1277 if (!FLAGS_SET(flags
, UNLINK_REMOVEDIR
)) {
1278 truncate_fd
= openat(fd
, name
, O_WRONLY
|O_CLOEXEC
|O_NOCTTY
|O_NOFOLLOW
|O_NONBLOCK
);
1279 if (truncate_fd
< 0) {
1281 /* If this failed because the file doesn't exist propagate the error right-away. Also,
1282 * AT_REMOVEDIR wasn't set, and we tried to open the file for writing, which means EISDIR is
1283 * returned when this is a directory but we are not supposed to delete those, hence propagate
1284 * the error right-away too. */
1285 if (IN_SET(errno
, ENOENT
, EISDIR
))
1288 if (errno
!= ELOOP
) /* don't complain if this is a symlink */
1289 log_debug_errno(errno
, "Failed to open file '%s' for deallocation, ignoring: %m", name
);
1293 if (unlinkat(fd
, name
, FLAGS_SET(flags
, UNLINK_REMOVEDIR
) ? AT_REMOVEDIR
: 0) < 0)
1296 if (truncate_fd
< 0) /* Don't have a file handle, can't do more ☹️ */
1299 if (fstat(truncate_fd
, &st
) < 0) {
1300 log_debug_errno(errno
, "Failed to stat file '%s' for deallocation, ignoring: %m", name
);
1304 if (!S_ISREG(st
.st_mode
))
1307 if (FLAGS_SET(flags
, UNLINK_ERASE
) && st
.st_size
> 0 && st
.st_nlink
== 0) {
1308 uint64_t left
= st
.st_size
;
1309 char buffer
[64 * 1024];
1311 /* If erasing is requested, let's overwrite the file with random data once before deleting
1312 * it. This isn't going to give you shred(1) semantics, but hopefully should be good enough
1313 * for stuff backed by tmpfs at least.
1315 * Note that we only erase like this if the link count of the file is zero. If it is higher it
1316 * is still linked by someone else and we'll leave it to them to remove it securely
1319 random_bytes(buffer
, sizeof(buffer
));
1324 n
= write(truncate_fd
, buffer
, MIN(sizeof(buffer
), left
));
1326 log_debug_errno(errno
, "Failed to erase data in file '%s', ignoring.", name
);
1330 assert(left
>= (size_t) n
);
1334 /* Let's refresh metadata */
1335 if (fstat(truncate_fd
, &st
) < 0) {
1336 log_debug_errno(errno
, "Failed to stat file '%s' for deallocation, ignoring: %m", name
);
1341 /* Don't dallocate if there's nothing to deallocate or if the file is linked elsewhere */
1342 if (st
.st_blocks
== 0 || st
.st_nlink
> 0)
1345 /* If this is a regular file, it actually took up space on disk and there are no other links it's time to
1346 * punch-hole/truncate this to release the disk space. */
1348 bs
= MAX(st
.st_blksize
, 512);
1349 l
= DIV_ROUND_UP(st
.st_size
, bs
) * bs
; /* Round up to next block size */
1351 if (fallocate(truncate_fd
, FALLOC_FL_PUNCH_HOLE
|FALLOC_FL_KEEP_SIZE
, 0, l
) >= 0)
1352 return 0; /* Successfully punched a hole! 😊 */
1354 /* Fall back to truncation */
1355 if (ftruncate(truncate_fd
, 0) < 0) {
1356 log_debug_errno(errno
, "Failed to truncate file to 0, ignoring: %m");
1363 int fsync_directory_of_file(int fd
) {
1364 _cleanup_close_
int dfd
= -1;
1370 /* We only reasonably can do this for regular files and directories, or for O_PATH fds, hence check
1371 * for the inode type first */
1372 if (fstat(fd
, &st
) < 0)
1375 if (S_ISDIR(st
.st_mode
)) {
1376 dfd
= openat(fd
, "..", O_RDONLY
|O_DIRECTORY
|O_CLOEXEC
, 0);
1380 } else if (!S_ISREG(st
.st_mode
)) { /* Regular files are OK regardless if O_PATH or not, for all other
1381 * types check O_PATH flag */
1384 flags
= fcntl(fd
, F_GETFL
);
1388 if (!FLAGS_SET(flags
, O_PATH
)) /* If O_PATH this refers to the inode in the fs, in which case
1389 * we can sensibly do what is requested. Otherwise this refers
1390 * to a socket, fifo or device node, where the concept of a
1391 * containing directory doesn't make too much sense. */
1396 _cleanup_free_
char *path
= NULL
;
1398 r
= fd_get_path(fd
, &path
);
1400 log_debug_errno(r
, "Failed to query /proc/self/fd/%d%s: %m",
1402 r
== -ENOSYS
? ", ignoring" : "");
1405 /* If /proc is not available, we're most likely running in some
1406 * chroot environment, and syncing the directory is not very
1407 * important in that case. Let's just silently do nothing. */
1413 if (!path_is_absolute(path
))
1416 dfd
= open_parent(path
, O_CLOEXEC
|O_NOFOLLOW
, 0);
1427 int fsync_full(int fd
) {
1430 /* Sync both the file and the directory */
1432 r
= fsync(fd
) < 0 ? -errno
: 0;
1434 q
= fsync_directory_of_file(fd
);
1435 if (r
< 0) /* Return earlier error */
1437 if (q
== -ENOTTY
) /* Ignore if the 'fd' refers to a block device or so which doesn't really have a
1443 int fsync_path_at(int at_fd
, const char *path
) {
1444 _cleanup_close_
int opened_fd
= -1;
1447 if (isempty(path
)) {
1448 if (at_fd
== AT_FDCWD
) {
1449 opened_fd
= open(".", O_RDONLY
|O_DIRECTORY
|O_CLOEXEC
);
1457 opened_fd
= openat(at_fd
, path
, O_RDONLY
|O_CLOEXEC
|O_NONBLOCK
);
1470 int fsync_parent_at(int at_fd
, const char *path
) {
1471 _cleanup_close_
int opened_fd
= -1;
1473 if (isempty(path
)) {
1474 if (at_fd
!= AT_FDCWD
)
1475 return fsync_directory_of_file(at_fd
);
1477 opened_fd
= open("..", O_RDONLY
|O_DIRECTORY
|O_CLOEXEC
);
1481 if (fsync(opened_fd
) < 0)
1487 opened_fd
= openat(at_fd
, path
, O_PATH
|O_CLOEXEC
|O_NOFOLLOW
);
1491 return fsync_directory_of_file(opened_fd
);
1494 int fsync_path_and_parent_at(int at_fd
, const char *path
) {
1495 _cleanup_close_
int opened_fd
= -1;
1497 if (isempty(path
)) {
1498 if (at_fd
!= AT_FDCWD
)
1499 return fsync_full(at_fd
);
1501 opened_fd
= open(".", O_RDONLY
|O_DIRECTORY
|O_CLOEXEC
);
1503 opened_fd
= openat(at_fd
, path
, O_RDONLY
|O_NOFOLLOW
|O_NONBLOCK
|O_CLOEXEC
);
1507 return fsync_full(opened_fd
);
1510 int syncfs_path(int atfd
, const char *path
) {
1511 _cleanup_close_
int fd
= -1;
1513 if (isempty(path
)) {
1514 if (atfd
!= AT_FDCWD
)
1515 return syncfs(atfd
) < 0 ? -errno
: 0;
1517 fd
= open(".", O_RDONLY
|O_DIRECTORY
|O_CLOEXEC
);
1519 fd
= openat(atfd
, path
, O_RDONLY
|O_CLOEXEC
|O_NONBLOCK
);
1529 int open_parent(const char *path
, int flags
, mode_t mode
) {
1530 _cleanup_free_
char *parent
= NULL
;
1533 r
= path_extract_directory(path
, &parent
);
1537 /* Let's insist on O_DIRECTORY since the parent of a file or directory is a directory. Except if we open an
1538 * O_TMPFILE file, because in that case we are actually create a regular file below the parent directory. */
1540 if (FLAGS_SET(flags
, O_PATH
))
1541 flags
|= O_DIRECTORY
;
1542 else if (!FLAGS_SET(flags
, O_TMPFILE
))
1543 flags
|= O_DIRECTORY
|O_RDONLY
;
1545 fd
= open(parent
, flags
, mode
);
1552 int conservative_renameat(
1553 int olddirfd
, const char *oldpath
,
1554 int newdirfd
, const char *newpath
) {
1556 _cleanup_close_
int old_fd
= -1, new_fd
= -1;
1557 struct stat old_stat
, new_stat
;
1559 /* Renames the old path to thew new path, much like renameat() — except if both are regular files and
1560 * have the exact same contents and basic file attributes already. In that case remove the new file
1561 * instead. This call is useful for reducing inotify wakeups on files that are updated but don't
1562 * actually change. This function is written in a style that we rather rename too often than suppress
1563 * too much. i.e. whenever we are in doubt we rather rename than fail. After all reducing inotify
1564 * events is an optimization only, not more. */
1566 old_fd
= openat(olddirfd
, oldpath
, O_CLOEXEC
|O_RDONLY
|O_NOCTTY
|O_NOFOLLOW
);
1570 new_fd
= openat(newdirfd
, newpath
, O_CLOEXEC
|O_RDONLY
|O_NOCTTY
|O_NOFOLLOW
);
1574 if (fstat(old_fd
, &old_stat
) < 0)
1577 if (!S_ISREG(old_stat
.st_mode
))
1580 if (fstat(new_fd
, &new_stat
) < 0)
1583 if (new_stat
.st_ino
== old_stat
.st_ino
&&
1584 new_stat
.st_dev
== old_stat
.st_dev
)
1587 if (old_stat
.st_mode
!= new_stat
.st_mode
||
1588 old_stat
.st_size
!= new_stat
.st_size
||
1589 old_stat
.st_uid
!= new_stat
.st_uid
||
1590 old_stat
.st_gid
!= new_stat
.st_gid
)
1594 uint8_t buf1
[16*1024];
1595 uint8_t buf2
[sizeof(buf1
)];
1598 l1
= read(old_fd
, buf1
, sizeof(buf1
));
1602 if (l1
== sizeof(buf1
))
1603 /* Read the full block, hence read a full block in the other file too */
1605 l2
= read(new_fd
, buf2
, l1
);
1607 assert((size_t) l1
< sizeof(buf1
));
1609 /* Short read. This hence was the last block in the first file, and then came
1610 * EOF. Read one byte more in the second file, so that we can verify we hit EOF there
1613 assert((size_t) (l1
+ 1) <= sizeof(buf2
));
1614 l2
= read(new_fd
, buf2
, l1
+ 1);
1619 if (memcmp(buf1
, buf2
, l1
) != 0)
1622 if ((size_t) l1
< sizeof(buf1
)) /* We hit EOF on the first file, and the second file too, hence exit
1628 /* Everything matches? Then don't rename, instead remove the source file, and leave the existing
1629 * destination in place */
1631 if (unlinkat(olddirfd
, oldpath
, 0) < 0)
1637 if (renameat(olddirfd
, oldpath
, newdirfd
, newpath
) < 0)
1643 int posix_fallocate_loop(int fd
, uint64_t offset
, uint64_t size
) {
1647 r
= posix_fallocate(fd
, offset
, size
); /* returns positive errnos on error */
1649 return -r
; /* Let's return negative errnos, like common in our codebase */
1651 /* On EINTR try a couple of times more, but protect against busy looping
1652 * (not more than 16 times per 10s) */
1653 rl
= (RateLimit
) { 10 * USEC_PER_SEC
, 16 };
1654 while (ratelimit_below(&rl
)) {
1655 r
= posix_fallocate(fd
, offset
, size
);