]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/basic/fs-util.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
core: move reset_arguments() to the end of main's finish
[thirdparty/systemd.git] / src / basic / fs-util.c
CommitLineData
53e1b683 1/* SPDX-License-Identifier: LGPL-2.1+ */
f4f15635 2
11c3a366
TA		 3#include <errno.h>
4#include <stddef.h>
11c3a366 5#include <stdlib.h>
1c73b069 6#include <linux/falloc.h>
655f2da0 7#include <linux/magic.h>
11c3a366
TA		 8#include <unistd.h>
9
b5efdb8a 10#include "alloc-util.h"
ed9c0851 11#include "blockdev-util.h"
f4f15635
LP		 12#include "dirent-util.h"
13#include "fd-util.h"
ed9c0851 14#include "fileio.h"
f4f15635 15#include "fs-util.h"
fd74c6f3 16#include "locale-util.h"
11c3a366
TA		 17#include "log.h"
18#include "macro.h"
0499585f 19#include "missing_fcntl.h"
f5947a5e
YW		 20#include "missing_fs.h"
21#include "missing_syscall.h"
93cc7779
TA		 22#include "mkdir.h"
23#include "parse-util.h"
24#include "path-util.h"
dccca82b 25#include "process-util.h"
053e0626 26#include "random-util.h"
34a8f081 27#include "stat-util.h"
430fbf8e 28#include "stdio-util.h"
f4f15635
LP		 29#include "string-util.h"
30#include "strv.h"
93cc7779 31#include "time-util.h"
e4de7287 32#include "tmpfile-util.h"
ee104e11 33#include "user-util.h"
f4f15635
LP		 34#include "util.h"
35
36int unlink_noerrno(const char *path) {
37 PROTECT_ERRNO;
38 int r;
39
40 r = unlink(path);
41 if (r < 0)
42 return -errno;
43
44 return 0;
45}
46
47int rmdir_parents(const char *path, const char *stop) {
48 size_t l;
49 int r = 0;
50
51 assert(path);
52 assert(stop);
53
54 l = strlen(path);
55
56 /* Skip trailing slashes */
57 while (l > 0 && path[l-1] == '/')
58 l--;
59
60 while (l > 0) {
61 char *t;
62
63 /* Skip last component */
64 while (l > 0 && path[l-1] != '/')
65 l--;
66
67 /* Skip trailing slashes */
68 while (l > 0 && path[l-1] == '/')
69 l--;
70
71 if (l <= 0)
72 break;
73
74 t = strndup(path, l);
75 if (!t)
76 return -ENOMEM;
77
78 if (path_startswith(stop, t)) {
79 free(t);
80 return 0;
81 }
82
83 r = rmdir(t);
84 free(t);
85
86 if (r < 0)
87 if (errno != ENOENT)
88 return -errno;
89 }
90
91 return 0;
92}
93
f4f15635 94int rename_noreplace(int olddirfd, const char *oldpath, int newdirfd, const char *newpath) {
2f15b625 95 int r;
f4f15635 96
2f15b625
LP		 97 /* Try the ideal approach first */
98 if (renameat2(olddirfd, oldpath, newdirfd, newpath, RENAME_NOREPLACE) >= 0)
f4f15635
LP		 99 return 0;
100
2f15b625
LP		 101 /* renameat2() exists since Linux 3.15, btrfs and FAT added support for it later. If it is not implemented,
102 * fall back to a different method. */
103 if (!IN_SET(errno, EINVAL, ENOSYS, ENOTTY))
f4f15635
LP		 104 return -errno;
105
2f15b625
LP		 106 /* Let's try to use linkat()+unlinkat() as fallback. This doesn't work on directories and on some file systems
107 * that do not support hard links (such as FAT, most prominently), but for files it's pretty close to what we
108 * want — though not atomic (i.e. for a short period both the new and the old filename will exist). */
109 if (linkat(olddirfd, oldpath, newdirfd, newpath, 0) >= 0) {
110
111 if (unlinkat(olddirfd, oldpath, 0) < 0) {
112 r = -errno; /* Backup errno before the following unlinkat() alters it */
113 (void) unlinkat(newdirfd, newpath, 0);
114 return r;
115 }
116
117 return 0;
f4f15635
LP		 118 }
119
2f15b625 120 if (!IN_SET(errno, EINVAL, ENOSYS, ENOTTY, EPERM)) /* FAT returns EPERM on link()… */
f4f15635
LP		 121 return -errno;
122
2aed63f4 123 /* OK, neither RENAME_NOREPLACE nor linkat()+unlinkat() worked. Let's then fall back to the racy TOCTOU
2f15b625
LP		 124 * vulnerable accessat(F_OK) check followed by classic, replacing renameat(), we have nothing better. */
125
126 if (faccessat(newdirfd, newpath, F_OK, AT_SYMLINK_NOFOLLOW) >= 0)
127 return -EEXIST;
128 if (errno != ENOENT)
129 return -errno;
130
131 if (renameat(olddirfd, oldpath, newdirfd, newpath) < 0)
f4f15635 132 return -errno;
f4f15635
LP		 133
134 return 0;
135}
136
137int readlinkat_malloc(int fd, const char *p, char **ret) {
8e060ec2 138 size_t l = FILENAME_MAX+1;
f4f15635
LP		 139 int r;
140
141 assert(p);
142 assert(ret);
143
144 for (;;) {
145 char *c;
146 ssize_t n;
147
148 c = new(char, l);
149 if (!c)
150 return -ENOMEM;
151
152 n = readlinkat(fd, p, c, l-1);
153 if (n < 0) {
154 r = -errno;
155 free(c);
156 return r;
157 }
158
159 if ((size_t) n < l-1) {
160 c[n] = 0;
161 *ret = c;
162 return 0;
163 }
164
165 free(c);
166 l *= 2;
167 }
168}
169
170int readlink_malloc(const char *p, char **ret) {
171 return readlinkat_malloc(AT_FDCWD, p, ret);
172}
173
174int readlink_value(const char *p, char **ret) {
175 _cleanup_free_ char *link = NULL;
176 char *value;
177 int r;
178
179 r = readlink_malloc(p, &link);
180 if (r < 0)
181 return r;
182
183 value = basename(link);
184 if (!value)
185 return -ENOENT;
186
187 value = strdup(value);
188 if (!value)
189 return -ENOMEM;
190
191 *ret = value;
192
193 return 0;
194}
195
196int readlink_and_make_absolute(const char *p, char **r) {
197 _cleanup_free_ char *target = NULL;
198 char *k;
199 int j;
200
201 assert(p);
202 assert(r);
203
204 j = readlink_malloc(p, &target);
205 if (j < 0)
206 return j;
207
208 k = file_in_same_dir(p, target);
209 if (!k)
210 return -ENOMEM;
211
212 *r = k;
213 return 0;
214}
215
f4f15635 216int chmod_and_chown(const char *path, mode_t mode, uid_t uid, gid_t gid) {
de321f52 217 _cleanup_close_ int fd = -1;
30ff18d8 218
f4f15635
LP		 219 assert(path);
220
30ff18d8
LP		 221 fd = open(path, O_PATH|O_CLOEXEC|O_NOFOLLOW); /* Let's acquire an O_PATH fd, as precaution to change
222 * mode/owner on the same file */
de321f52
LP		 223 if (fd < 0)
224 return -errno;
225
2dbb7e94 226 return fchmod_and_chown(fd, mode, uid, gid);
b8da477e
YW		 227}
228
229int fchmod_and_chown(int fd, mode_t mode, uid_t uid, gid_t gid) {
2dbb7e94 230 bool do_chown, do_chmod;
30ff18d8 231 struct stat st;
dee00c19 232 int r;
30ff18d8 233
2dbb7e94
LP		 234 /* Change ownership and access mode of the specified fd. Tries to do so safely, ensuring that at no
235 * point in time the access mode is above the old access mode under the old ownership or the new
236 * access mode under the new ownership. Note: this call tries hard to leave the access mode
237 * unaffected if the uid/gid is changed, i.e. it undoes implicit suid/sgid dropping the kernel does
238 * on chown().
239 *
71ec74d1 240 * This call is happy with O_PATH fds. */
b8da477e 241
71ec74d1 242 if (fstat(fd, &st) < 0)
2dbb7e94 243 return -errno;
de321f52 244
2dbb7e94
LP		 245 do_chown =
246 (uid != UID_INVALID && st.st_uid != uid) ||
247 (gid != GID_INVALID && st.st_gid != gid);
de321f52 248
2dbb7e94
LP		 249 do_chmod =
250 !S_ISLNK(st.st_mode) && /* chmod is not defined on symlinks */
251 ((mode != MODE_INVALID && ((st.st_mode ^ mode) & 07777) != 0) ||
252 do_chown); /* If we change ownership, make sure we reset the mode afterwards, since chown()
253 * modifies the access mode too */
30ff18d8 254
2dbb7e94
LP		 255 if (mode == MODE_INVALID)
256 mode = st.st_mode; /* If we only shall do a chown(), save original mode, since chown() might break it. */
257 else if ((mode & S_IFMT) != 0 && ((mode ^ st.st_mode) & S_IFMT) != 0)
258 return -EINVAL; /* insist on the right file type if it was specified */
de321f52 259
2dbb7e94
LP		 260 if (do_chown && do_chmod) {
261 mode_t minimal = st.st_mode & mode; /* the subset of the old and the new mask */
30ff18d8 262
dee00c19
LP		 263 if (((minimal ^ st.st_mode) & 07777) != 0) {
264 r = fchmod_opath(fd, minimal & 07777);
265 if (r < 0)
266 return r;
267 }
de321f52 268 }
b8da477e 269
2dbb7e94 270 if (do_chown)
71ec74d1 271 if (fchownat(fd, "", uid, gid, AT_EMPTY_PATH) < 0)
2dbb7e94 272 return -errno;
30ff18d8 273
dee00c19
LP		 274 if (do_chmod) {
275 r = fchmod_opath(fd, mode & 07777);
276 if (r < 0)
277 return r;
278 }
30ff18d8 279
2dbb7e94 280 return do_chown || do_chmod;
f4f15635
LP		 281}
282
f4f15635
LP		 283int fchmod_umask(int fd, mode_t m) {
284 mode_t u;
285 int r;
286
287 u = umask(0777);
288 r = fchmod(fd, m & (~u)) < 0 ? -errno : 0;
289 umask(u);
290
291 return r;
292}
293
4dfaa528 294int fchmod_opath(int fd, mode_t m) {
22dd8d35 295 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
4dfaa528
FB		 296
297 /* This function operates also on fd that might have been opened with
298 * O_PATH. Indeed fchmodat() doesn't have the AT_EMPTY_PATH flag like
299 * fchownat() does. */
300
301 xsprintf(procfs_path, "/proc/self/fd/%i", fd);
f8606626
LP		 302 if (chmod(procfs_path, m) < 0) {
303 if (errno != ENOENT)
304 return -errno;
305
306 if (proc_mounted() == 0)
307 return -ENOSYS; /* if we have no /proc/, the concept is not implementable */
308
309 return -ENOENT;
310 }
4dfaa528
FB		 311
312 return 0;
313}
314
22ed4a6d
LP		 315int stat_warn_permissions(const char *path, const struct stat *st) {
316 assert(path);
317 assert(st);
f4f15635 318
b6cceaae 319 /* Don't complain if we are reading something that is not a file, for example /dev/null */
22ed4a6d 320 if (!S_ISREG(st->st_mode))
b6cceaae
LP		 321 return 0;
322
22ed4a6d 323 if (st->st_mode & 0111)
f4f15635
LP		 324 log_warning("Configuration file %s is marked executable. Please remove executable permission bits. Proceeding anyway.", path);
325
22ed4a6d 326 if (st->st_mode & 0002)
f4f15635
LP		 327 log_warning("Configuration file %s is marked world-writable. Please remove world writability permission bits. Proceeding anyway.", path);
328
22ed4a6d 329 if (getpid_cached() == 1 && (st->st_mode & 0044) != 0044)
f4f15635
LP		 330 log_warning("Configuration file %s is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.", path);
331
332 return 0;
333}
334
22ed4a6d
LP		 335int fd_warn_permissions(const char *path, int fd) {
336 struct stat st;
337
338 assert(path);
339 assert(fd >= 0);
340
341 if (fstat(fd, &st) < 0)
342 return -errno;
343
344 return stat_warn_permissions(path, &st);
345}
346
f4f15635 347int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode) {
9e3fa6e8
LP		 348 char fdpath[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
349 _cleanup_close_ int fd = -1;
350 int r, ret = 0;
f4f15635
LP		 351
352 assert(path);
353
9e3fa6e8
LP		 354 /* Note that touch_file() does not follow symlinks: if invoked on an existing symlink, then it is the symlink
355 * itself which is updated, not its target
356 *
357 * Returns the first error we encounter, but tries to apply as much as possible. */
f4f15635 358
9e3fa6e8
LP		 359 if (parents)
360 (void) mkdir_parents(path, 0755);
361
362 /* Initially, we try to open the node with O_PATH, so that we get a reference to the node. This is useful in
363 * case the path refers to an existing device or socket node, as we can open it successfully in all cases, and
364 * won't trigger any driver magic or so. */
365 fd = open(path, O_PATH|O_CLOEXEC|O_NOFOLLOW);
366 if (fd < 0) {
367 if (errno != ENOENT)
f4f15635 368 return -errno;
f4f15635 369
9e3fa6e8
LP		 370 /* if the node doesn't exist yet, we create it, but with O_EXCL, so that we only create a regular file
371 * here, and nothing else */
372 fd = open(path, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, IN_SET(mode, 0, MODE_INVALID) ? 0644 : mode);
373 if (fd < 0)
f4f15635
LP		 374 return -errno;
375 }
376
9e3fa6e8
LP		 377 /* Let's make a path from the fd, and operate on that. With this logic, we can adjust the access mode,
378 * ownership and time of the file node in all cases, even if the fd refers to an O_PATH object — which is
379 * something fchown(), fchmod(), futimensat() don't allow. */
380 xsprintf(fdpath, "/proc/self/fd/%i", fd);
381
4b3b5bc7 382 ret = fchmod_and_chown(fd, mode, uid, gid);
9e3fa6e8 383
f4f15635
LP		 384 if (stamp != USEC_INFINITY) {
385 struct timespec ts[2];
386
387 timespec_store(&ts[0], stamp);
388 ts[1] = ts[0];
9e3fa6e8 389 r = utimensat(AT_FDCWD, fdpath, ts, 0);
f4f15635 390 } else
9e3fa6e8
LP		 391 r = utimensat(AT_FDCWD, fdpath, NULL, 0);
392 if (r < 0 && ret >= 0)
f4f15635
LP		 393 return -errno;
394
9e3fa6e8 395 return ret;
f4f15635
LP		 396}
397
398int touch(const char *path) {
ee735086 399 return touch_file(path, false, USEC_INFINITY, UID_INVALID, GID_INVALID, MODE_INVALID);
f4f15635
LP		 400}
401
6c9c51e5
YW		 402int symlink_idempotent(const char *from, const char *to, bool make_relative) {
403 _cleanup_free_ char *relpath = NULL;
f4f15635
LP		 404 int r;
405
406 assert(from);
407 assert(to);
408
6c9c51e5
YW		 409 if (make_relative) {
410 _cleanup_free_ char *parent = NULL;
411
412 parent = dirname_malloc(to);
413 if (!parent)
414 return -ENOMEM;
415
416 r = path_make_relative(parent, from, &relpath);
417 if (r < 0)
418 return r;
419
420 from = relpath;
421 }
422
f4f15635 423 if (symlink(from, to) < 0) {
77b79723
LP		 424 _cleanup_free_ char *p = NULL;
425
f4f15635
LP		 426 if (errno != EEXIST)
427 return -errno;
428
429 r = readlink_malloc(to, &p);
77b79723
LP		 430 if (r == -EINVAL) /* Not a symlink? In that case return the original error we encountered: -EEXIST */
431 return -EEXIST;
432 if (r < 0) /* Any other error? In that case propagate it as is */
f4f15635
LP		 433 return r;
434
77b79723
LP		 435 if (!streq(p, from)) /* Not the symlink we want it to be? In that case, propagate the original -EEXIST */
436 return -EEXIST;
f4f15635
LP		 437 }
438
439 return 0;
440}
441
442int symlink_atomic(const char *from, const char *to) {
443 _cleanup_free_ char *t = NULL;
444 int r;
445
446 assert(from);
447 assert(to);
448
449 r = tempfn_random(to, NULL, &t);
450 if (r < 0)
451 return r;
452
453 if (symlink(from, t) < 0)
454 return -errno;
455
456 if (rename(t, to) < 0) {
457 unlink_noerrno(t);
458 return -errno;
459 }
460
461 return 0;
462}
463
464int mknod_atomic(const char *path, mode_t mode, dev_t dev) {
465 _cleanup_free_ char *t = NULL;
466 int r;
467
468 assert(path);
469
470 r = tempfn_random(path, NULL, &t);
471 if (r < 0)
472 return r;
473
474 if (mknod(t, mode, dev) < 0)
475 return -errno;
476
477 if (rename(t, path) < 0) {
478 unlink_noerrno(t);
479 return -errno;
480 }
481
482 return 0;
483}
484
485int mkfifo_atomic(const char *path, mode_t mode) {
486 _cleanup_free_ char *t = NULL;
487 int r;
488
489 assert(path);
490
491 r = tempfn_random(path, NULL, &t);
492 if (r < 0)
493 return r;
494
495 if (mkfifo(t, mode) < 0)
496 return -errno;
497
498 if (rename(t, path) < 0) {
4fe3828c
FB		 499 unlink_noerrno(t);
500 return -errno;
501 }
502
503 return 0;
504}
505
506int mkfifoat_atomic(int dirfd, const char *path, mode_t mode) {
507 _cleanup_free_ char *t = NULL;
508 int r;
509
510 assert(path);
511
512 if (path_is_absolute(path))
513 return mkfifo_atomic(path, mode);
514
515 /* We're only interested in the (random) filename. */
516 r = tempfn_random_child("", NULL, &t);
517 if (r < 0)
518 return r;
519
520 if (mkfifoat(dirfd, t, mode) < 0)
521 return -errno;
522
523 if (renameat(dirfd, t, dirfd, path) < 0) {
f4f15635
LP		 524 unlink_noerrno(t);
525 return -errno;
526 }
527
528 return 0;
529}
530
531int get_files_in_directory(const char *path, char ***list) {
532 _cleanup_closedir_ DIR *d = NULL;
8fb3f009 533 struct dirent *de;
f4f15635
LP		 534 size_t bufsize = 0, n = 0;
535 _cleanup_strv_free_ char **l = NULL;
536
537 assert(path);
538
539 /* Returns all files in a directory in *list, and the number
540 * of files as return value. If list is NULL returns only the
541 * number. */
542
543 d = opendir(path);
544 if (!d)
545 return -errno;
546
8fb3f009 547 FOREACH_DIRENT_ALL(de, d, return -errno) {
f4f15635
LP		 548 dirent_ensure_type(d, de);
549
550 if (!dirent_is_file(de))
551 continue;
552
553 if (list) {
554 /* one extra slot is needed for the terminating NULL */
555 if (!GREEDY_REALLOC(l, bufsize, n + 2))
556 return -ENOMEM;
557
558 l[n] = strdup(de->d_name);
559 if (!l[n])
560 return -ENOMEM;
561
562 l[++n] = NULL;
563 } else
564 n++;
565 }
566
ae2a15bc
LP		 567 if (list)
568 *list = TAKE_PTR(l);
f4f15635
LP		 569
570 return n;
571}
430fbf8e 572
992e8f22
LP		 573static int getenv_tmp_dir(const char **ret_path) {
574 const char *n;
575 int r, ret = 0;
34a8f081 576
992e8f22 577 assert(ret_path);
34a8f081 578
992e8f22
LP		 579 /* We use the same order of environment variables python uses in tempfile.gettempdir():
580 * https://docs.python.org/3/library/tempfile.html#tempfile.gettempdir */
581 FOREACH_STRING(n, "TMPDIR", "TEMP", "TMP") {
582 const char *e;
583
584 e = secure_getenv(n);
585 if (!e)
586 continue;
587 if (!path_is_absolute(e)) {
588 r = -ENOTDIR;
589 goto next;
590 }
99be45a4 591 if (!path_is_normalized(e)) {
992e8f22
LP		 592 r = -EPERM;
593 goto next;
594 }
595
596 r = is_dir(e, true);
597 if (r < 0)
598 goto next;
599 if (r == 0) {
600 r = -ENOTDIR;
601 goto next;
602 }
603
604 *ret_path = e;
605 return 1;
606
607 next:
608 /* Remember first error, to make this more debuggable */
609 if (ret >= 0)
610 ret = r;
34a8f081
OW		 611 }
612
992e8f22
LP		 613 if (ret < 0)
614 return ret;
34a8f081 615
992e8f22
LP		 616 *ret_path = NULL;
617 return ret;
618}
34a8f081 619
992e8f22
LP		 620static int tmp_dir_internal(const char *def, const char **ret) {
621 const char *e;
622 int r, k;
623
624 assert(def);
625 assert(ret);
626
627 r = getenv_tmp_dir(&e);
628 if (r > 0) {
629 *ret = e;
630 return 0;
631 }
632
633 k = is_dir(def, true);
634 if (k == 0)
635 k = -ENOTDIR;
636 if (k < 0)
637 return r < 0 ? r : k;
638
639 *ret = def;
34a8f081
OW		 640 return 0;
641}
642
992e8f22
LP		 643int var_tmp_dir(const char **ret) {
644
645 /* Returns the location for "larger" temporary files, that is backed by physical storage if available, and thus
646 * even might survive a boot: /var/tmp. If $TMPDIR (or related environment variables) are set, its value is
647 * returned preferably however. Note that both this function and tmp_dir() below are affected by $TMPDIR,
648 * making it a variable that overrides all temporary file storage locations. */
649
650 return tmp_dir_internal("/var/tmp", ret);
651}
652
653int tmp_dir(const char **ret) {
654
655 /* Similar to var_tmp_dir() above, but returns the location for "smaller" temporary files, which is usually
656 * backed by an in-memory file system: /tmp. */
657
658 return tmp_dir_internal("/tmp", ret);
659}
660
af229d7a
ZJS		 661int unlink_or_warn(const char *filename) {
662 if (unlink(filename) < 0 && errno != ENOENT)
663 /* If the file doesn't exist and the fs simply was read-only (in which
664 * case unlink() returns EROFS even if the file doesn't exist), don't
665 * complain */
666 if (errno != EROFS || access(filename, F_OK) >= 0)
667 return log_error_errno(errno, "Failed to remove \"%s\": %m", filename);
668
669 return 0;
670}
671
430fbf8e 672int inotify_add_watch_fd(int fd, int what, uint32_t mask) {
fbd0b64f 673 char path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
f6f4f5fe 674 int wd;
430fbf8e
LP		 675
676 /* This is like inotify_add_watch(), except that the file to watch is not referenced by a path, but by an fd */
677 xsprintf(path, "/proc/self/fd/%i", what);
678
f6f4f5fe
BP		 679 wd = inotify_add_watch(fd, path, mask);
680 if (wd < 0)
430fbf8e
LP		 681 return -errno;
682
f6f4f5fe 683 return wd;
430fbf8e 684}
d944dc95 685
27c3112d 686int inotify_add_watch_and_warn(int fd, const char *pathname, uint32_t mask) {
f6f4f5fe 687 int wd;
27c3112d 688
f6f4f5fe
BP		 689 wd = inotify_add_watch(fd, pathname, mask);
690 if (wd < 0) {
27c3112d 691 if (errno == ENOSPC)
fe573a79 692 return log_error_errno(errno, "Failed to add a watch for %s: inotify watch limit reached", pathname);
27c3112d 693
fe573a79 694 return log_error_errno(errno, "Failed to add a watch for %s: %m", pathname);
27c3112d
FB		 695 }
696
f6f4f5fe 697 return wd;
27c3112d
FB		 698}
699
b85ee2ec 700static bool unsafe_transition(const struct stat *a, const struct stat *b) {
f14f1806
LP		 701 /* Returns true if the transition from a to b is safe, i.e. that we never transition from unprivileged to
702 * privileged files or directories. Why bother? So that unprivileged code can't symlink to privileged files
703 * making us believe we read something safe even though it isn't safe in the specific context we open it in. */
704
705 if (a->st_uid == 0) /* Transitioning from privileged to unprivileged is always fine */
b85ee2ec 706 return false;
f14f1806 707
b85ee2ec 708 return a->st_uid != b->st_uid; /* Otherwise we need to stay within the same UID */
f14f1806
LP		 709}
710
fd74c6f3
FB		 711static int log_unsafe_transition(int a, int b, const char *path, unsigned flags) {
712 _cleanup_free_ char *n1 = NULL, *n2 = NULL;
713
714 if (!FLAGS_SET(flags, CHASE_WARN))
36c97dec 715 return -ENOLINK;
fd74c6f3
FB		 716
717 (void) fd_get_path(a, &n1);
718 (void) fd_get_path(b, &n2);
719
36c97dec 720 return log_warning_errno(SYNTHETIC_ERRNO(ENOLINK),
fd74c6f3 721 "Detected unsafe path transition %s %s %s during canonicalization of %s.",
48d837cd 722 strna(n1), special_glyph(SPECIAL_GLYPH_ARROW), strna(n2), path);
fd74c6f3
FB		 723}
724
145b8d0f
FB		 725static int log_autofs_mount_point(int fd, const char *path, unsigned flags) {
726 _cleanup_free_ char *n1 = NULL;
727
728 if (!FLAGS_SET(flags, CHASE_WARN))
729 return -EREMOTE;
730
731 (void) fd_get_path(fd, &n1);
732
733 return log_warning_errno(SYNTHETIC_ERRNO(EREMOTE),
734 "Detected autofs mount point %s during canonicalization of %s.",
48d837cd 735 strna(n1), path);
f14f1806
LP		 736}
737
a5648b80 738int chase_symlinks(const char *path, const char *original_root, unsigned flags, char **ret_path, int *ret_fd) {
d944dc95
LP		 739 _cleanup_free_ char *buffer = NULL, *done = NULL, *root = NULL;
740 _cleanup_close_ int fd = -1;
f10f4215 741 unsigned max_follow = CHASE_SYMLINKS_MAX; /* how many symlinks to follow before giving up and returning ELOOP */
f14f1806 742 struct stat previous_stat;
a9fb0867 743 bool exists = true;
d944dc95
LP		 744 char *todo;
745 int r;
746
747 assert(path);
748
1ed34d75 749 /* Either the file may be missing, or we return an fd to the final object, but both make no sense */
a5648b80 750 if ((flags & CHASE_NONEXISTENT) && ret_fd)
1ed34d75
LP		 751 return -EINVAL;
752
a5648b80 753 if ((flags & CHASE_STEP) && ret_fd)
49eb3659
LP		 754 return -EINVAL;
755
a49424af
LP		 756 if (isempty(path))
757 return -EINVAL;
758
d944dc95
LP		 759 /* This is a lot like canonicalize_file_name(), but takes an additional "root" parameter, that allows following
760 * symlinks relative to a root directory, instead of the root of the host.
761 *
fc4b68e5 762 * Note that "root" primarily matters if we encounter an absolute symlink. It is also used when following
c4f4fce7
LP		 763 * relative symlinks to ensure they cannot be used to "escape" the root directory. The path parameter passed is
764 * assumed to be already prefixed by it, except if the CHASE_PREFIX_ROOT flag is set, in which case it is first
765 * prefixed accordingly.
d944dc95
LP		 766 *
767 * Algorithmically this operates on two path buffers: "done" are the components of the path we already
768 * processed and resolved symlinks, "." and ".." of. "todo" are the components of the path we still need to
769 * process. On each iteration, we move one component from "todo" to "done", processing it's special meaning
770 * each time. The "todo" path always starts with at least one slash, the "done" path always ends in no
771 * slash. We always keep an O_PATH fd to the component we are currently processing, thus keeping lookup races
4293c32b 772 * to a minimum.
fc4b68e5
LP		 773 *
774 * Suggested usage: whenever you want to canonicalize a path, use this function. Pass the absolute path you got
775 * as-is: fully qualified and relative to your host's root. Optionally, specify the root parameter to tell this
776 * function what to do when encountering a symlink with an absolute path as directory: prefix it by the
49eb3659
LP		 777 * specified path.
778 *
a5648b80 779 * There are five ways to invoke this function:
49eb3659 780 *
a5648b80
ZJS		 781 * 1. Without CHASE_STEP or ret_fd: in this case the path is resolved and the normalized path is
782 * returned in `ret_path`. The return value is < 0 on error. If CHASE_NONEXISTENT is also set, 0
783 * is returned if the file doesn't exist, > 0 otherwise. If CHASE_NONEXISTENT is not set, >= 0 is
784 * returned if the destination was found, -ENOENT if it wasn't.
49eb3659 785 *
a5648b80 786 * 2. With ret_fd: in this case the destination is opened after chasing it as O_PATH and this file
49eb3659
LP		 787 * descriptor is returned as return value. This is useful to open files relative to some root
788 * directory. Note that the returned O_PATH file descriptors must be converted into a regular one (using
a5648b80 789 * fd_reopen() or such) before it can be used for reading/writing. ret_fd may not be combined with
49eb3659
LP		 790 * CHASE_NONEXISTENT.
791 *
792 * 3. With CHASE_STEP: in this case only a single step of the normalization is executed, i.e. only the first
793 * symlink or ".." component of the path is resolved, and the resulting path is returned. This is useful if
794 * a caller wants to trace the a path through the file system verbosely. Returns < 0 on error, > 0 if the
795 * path is fully normalized, and == 0 for each normalization step. This may be combined with
796 * CHASE_NONEXISTENT, in which case 1 is returned when a component is not found.
797 *
36c97dec
FB		 798 * 4. With CHASE_SAFE: in this case the path must not contain unsafe transitions, i.e. transitions from
799 * unprivileged to privileged files or directories. In such cases the return value is -ENOLINK. If
4293c32b 800 * CHASE_WARN is also set, a warning describing the unsafe transition is emitted.
36c97dec 801 *
4293c32b
ZJS		 802 * 5. With CHASE_NO_AUTOFS: in this case if an autofs mount point is encountered, path normalization
803 * is aborted and -EREMOTE is returned. If CHASE_WARN is also set, a warning showing the path of
804 * the mount point is emitted.
4293c32b 805 */
d944dc95 806
22bc57c5 807 /* A root directory of "/" or "" is identical to none */
57ea45e1 808 if (empty_or_root(original_root))
22bc57c5 809 original_root = NULL;
b1bfb848 810
a5648b80
ZJS		 811 if (!original_root && !ret_path && !(flags & (CHASE_NONEXISTENT|CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_STEP)) && ret_fd) {
812 /* Shortcut the ret_fd case if the caller isn't interested in the actual path and has no root set
244d2f07 813 * and doesn't care about any of the other special features we provide either. */
1f56e4ce 814 r = open(path, O_PATH|O_CLOEXEC|((flags & CHASE_NOFOLLOW) ? O_NOFOLLOW : 0));
244d2f07
LP		 815 if (r < 0)
816 return -errno;
817
a5648b80
ZJS		 818 *ret_fd = r;
819 return 0;
244d2f07
LP		 820 }
821
c4f4fce7
LP		 822 if (original_root) {
823 r = path_make_absolute_cwd(original_root, &root);
d944dc95
LP		 824 if (r < 0)
825 return r;
c4f4fce7 826
47d7ab72
LP		 827 /* Simplify the root directory, so that it has no duplicate slashes and nothing at the
828 * end. While we won't resolve the root path we still simplify it. Note that dropping the
829 * trailing slash should not change behaviour, since when opening it we specify O_DIRECTORY
830 * anyway. Moreover at the end of this function after processing everything we'll always turn
831 * the empty string back to "/". */
832 delete_trailing_chars(root, "/");
833 path_simplify(root, true);
834
382a5078 835 if (flags & CHASE_PREFIX_ROOT) {
382a5078
LP		 836 /* We don't support relative paths in combination with a root directory */
837 if (!path_is_absolute(path))
838 return -EINVAL;
839
c4f4fce7 840 path = prefix_roota(root, path);
382a5078 841 }
d944dc95
LP		 842 }
843
c4f4fce7
LP		 844 r = path_make_absolute_cwd(path, &buffer);
845 if (r < 0)
846 return r;
847
c2595d3b 848 fd = open(root ?: "/", O_CLOEXEC|O_DIRECTORY|O_PATH);
d944dc95
LP		 849 if (fd < 0)
850 return -errno;
851
f14f1806
LP		 852 if (flags & CHASE_SAFE) {
853 if (fstat(fd, &previous_stat) < 0)
854 return -errno;
855 }
856
c2595d3b
LP		 857 if (root) {
858 _cleanup_free_ char *absolute = NULL;
859 const char *e;
860
861 /* If we are operating on a root directory, let's take the root directory as it is. */
862
863 e = path_startswith(buffer, root);
864 if (!e)
865 return log_full_errno(flags & CHASE_WARN ? LOG_WARNING : LOG_DEBUG,
866 SYNTHETIC_ERRNO(ECHRNG),
867 "Specified path '%s' is outside of specified root directory '%s', refusing to resolve.",
868 path, root);
869
c2595d3b
LP		 870 done = strdup(root);
871 if (!done)
872 return -ENOMEM;
c2595d3b
LP		 873
874 /* Make sure "todo" starts with a slash */
875 absolute = strjoin("/", e);
876 if (!absolute)
877 return -ENOMEM;
878
879 free_and_replace(buffer, absolute);
880 }
881
d944dc95
LP		 882 todo = buffer;
883 for (;;) {
884 _cleanup_free_ char *first = NULL;
885 _cleanup_close_ int child = -1;
886 struct stat st;
887 size_t n, m;
888
889 /* Determine length of first component in the path */
890 n = strspn(todo, "/"); /* The slashes */
47d7ab72
LP		 891
892 if (n > 1) {
893 /* If we are looking at more than a single slash then skip all but one, so that when
894 * we are done with everything we have a normalized path with only single slashes
895 * separating the path components. */
896 todo += n - 1;
897 n = 1;
898 }
899
d944dc95
LP		 900 m = n + strcspn(todo + n, "/"); /* The entire length of the component */
901
902 /* Extract the first component. */
903 first = strndup(todo, m);
904 if (!first)
905 return -ENOMEM;
906
907 todo += m;
908
b12d25a8
ZJS		 909 /* Empty? Then we reached the end. */
910 if (isempty(first))
911 break;
912
d944dc95 913 /* Just a single slash? Then we reached the end. */
b12d25a8
ZJS		 914 if (path_equal(first, "/")) {
915 /* Preserve the trailing slash */
62570f6f
LP		 916
917 if (flags & CHASE_TRAIL_SLASH)
918 if (!strextend(&done, "/", NULL))
919 return -ENOMEM;
b12d25a8 920
d944dc95 921 break;
b12d25a8 922 }
d944dc95
LP		 923
924 /* Just a dot? Then let's eat this up. */
925 if (path_equal(first, "/."))
926 continue;
927
928 /* Two dots? Then chop off the last bit of what we already found out. */
929 if (path_equal(first, "/..")) {
930 _cleanup_free_ char *parent = NULL;
2b6d2dda 931 _cleanup_close_ int fd_parent = -1;
d944dc95 932
a4eaf3cf
LP		 933 /* If we already are at the top, then going up will not change anything. This is in-line with
934 * how the kernel handles this. */
57ea45e1 935 if (empty_or_root(done))
a4eaf3cf 936 continue;
d944dc95
LP		 937
938 parent = dirname_malloc(done);
939 if (!parent)
940 return -ENOMEM;
941
a4eaf3cf 942 /* Don't allow this to leave the root dir. */
d944dc95
LP		 943 if (root &&
944 path_startswith(done, root) &&
945 !path_startswith(parent, root))
a4eaf3cf 946 continue;
d944dc95 947
3b319885 948 free_and_replace(done, parent);
d944dc95 949
49eb3659
LP		 950 if (flags & CHASE_STEP)
951 goto chased_one;
952
d944dc95
LP		 953 fd_parent = openat(fd, "..", O_CLOEXEC|O_NOFOLLOW|O_PATH);
954 if (fd_parent < 0)
955 return -errno;
956
f14f1806
LP		 957 if (flags & CHASE_SAFE) {
958 if (fstat(fd_parent, &st) < 0)
959 return -errno;
960
b85ee2ec 961 if (unsafe_transition(&previous_stat, &st))
fd74c6f3 962 return log_unsafe_transition(fd, fd_parent, path, flags);
f14f1806
LP		 963
964 previous_stat = st;
965 }
966
d944dc95 967 safe_close(fd);
c10d6bdb 968 fd = TAKE_FD(fd_parent);
d944dc95
LP		 969
970 continue;
971 }
972
973 /* Otherwise let's see what this is. */
974 child = openat(fd, first + n, O_CLOEXEC|O_NOFOLLOW|O_PATH);
a9fb0867
LP		 975 if (child < 0) {
976
977 if (errno == ENOENT &&
cb638b5e 978 (flags & CHASE_NONEXISTENT) &&
99be45a4 979 (isempty(todo) || path_is_normalized(todo))) {
a9fb0867 980
cb638b5e 981 /* If CHASE_NONEXISTENT is set, and the path does not exist, then that's OK, return
a9fb0867
LP		 982 * what we got so far. But don't allow this if the remaining path contains "../ or "./"
983 * or something else weird. */
984
a1904a46
YW		 985 /* If done is "/", as first also contains slash at the head, then remove this redundant slash. */
986 if (streq_ptr(done, "/"))
987 *done = '\0';
988
a9fb0867
LP		 989 if (!strextend(&done, first, todo, NULL))
990 return -ENOMEM;
991
992 exists = false;
993 break;
994 }
995
d944dc95 996 return -errno;
a9fb0867 997 }
d944dc95
LP		 998
999 if (fstat(child, &st) < 0)
1000 return -errno;
f14f1806 1001 if ((flags & CHASE_SAFE) &&
b85ee2ec 1002 unsafe_transition(&previous_stat, &st))
fd74c6f3 1003 return log_unsafe_transition(fd, child, path, flags);
f14f1806
LP		 1004
1005 previous_stat = st;
1006
655f2da0 1007 if ((flags & CHASE_NO_AUTOFS) &&
a66fee2e 1008 fd_is_fs_type(child, AUTOFS_SUPER_MAGIC) > 0)
145b8d0f 1009 return log_autofs_mount_point(child, path, flags);
d944dc95 1010
1f56e4ce 1011 if (S_ISLNK(st.st_mode) && !((flags & CHASE_NOFOLLOW) && isempty(todo))) {
877777d7 1012 char *joined;
d944dc95
LP		 1013 _cleanup_free_ char *destination = NULL;
1014
1015 /* This is a symlink, in this case read the destination. But let's make sure we don't follow
1016 * symlinks without bounds. */
1017 if (--max_follow <= 0)
1018 return -ELOOP;
1019
1020 r = readlinkat_malloc(fd, first + n, &destination);
1021 if (r < 0)
1022 return r;
1023 if (isempty(destination))
1024 return -EINVAL;
1025
1026 if (path_is_absolute(destination)) {
1027
1028 /* An absolute destination. Start the loop from the beginning, but use the root
1029 * directory as base. */
1030
1031 safe_close(fd);
c2595d3b 1032 fd = open(root ?: "/", O_CLOEXEC|O_DIRECTORY|O_PATH);
d944dc95
LP		 1033 if (fd < 0)
1034 return -errno;
1035
f14f1806
LP		 1036 if (flags & CHASE_SAFE) {
1037 if (fstat(fd, &st) < 0)
1038 return -errno;
1039
b85ee2ec 1040 if (unsafe_transition(&previous_stat, &st))
fd74c6f3 1041 return log_unsafe_transition(child, fd, path, flags);
f14f1806
LP		 1042
1043 previous_stat = st;
1044 }
1045
b539437a
YW		 1046 free(done);
1047
d944dc95
LP		 1048 /* Note that we do not revalidate the root, we take it as is. */
1049 if (isempty(root))
1050 done = NULL;
1051 else {
1052 done = strdup(root);
1053 if (!done)
1054 return -ENOMEM;
1055 }
1056
8c4a8ea2
LP		 1057 /* Prefix what's left to do with what we just read, and start the loop again, but
1058 * remain in the current directory. */
2d9b74ba 1059 joined = path_join(destination, todo);
8c4a8ea2 1060 } else
2d9b74ba 1061 joined = path_join("/", destination, todo);
877777d7
CCW		 1062 if (!joined)
1063 return -ENOMEM;
d944dc95 1064
877777d7
CCW		 1065 free(buffer);
1066 todo = buffer = joined;
d944dc95 1067
49eb3659
LP		 1068 if (flags & CHASE_STEP)
1069 goto chased_one;
1070
d944dc95
LP		 1071 continue;
1072 }
1073
1074 /* If this is not a symlink, then let's just add the name we read to what we already verified. */
ae2a15bc
LP		 1075 if (!done)
1076 done = TAKE_PTR(first);
1077 else {
a1904a46
YW		 1078 /* If done is "/", as first also contains slash at the head, then remove this redundant slash. */
1079 if (streq(done, "/"))
1080 *done = '\0';
1081
d944dc95
LP		 1082 if (!strextend(&done, first, NULL))
1083 return -ENOMEM;
1084 }
1085
1086 /* And iterate again, but go one directory further down. */
1087 safe_close(fd);
c10d6bdb 1088 fd = TAKE_FD(child);
d944dc95
LP		 1089 }
1090
1091 if (!done) {
1092 /* Special case, turn the empty string into "/", to indicate the root directory. */
1093 done = strdup("/");
1094 if (!done)
1095 return -ENOMEM;
1096 }
1097
a5648b80
ZJS		 1098 if (ret_path)
1099 *ret_path = TAKE_PTR(done);
d944dc95 1100
a5648b80
ZJS		 1101 if (ret_fd) {
1102 /* Return the O_PATH fd we currently are looking to the caller. It can translate it to a
1103 * proper fd by opening /proc/self/fd/xyz. */
1ed34d75
LP		 1104
1105 assert(fd >= 0);
a5648b80 1106 *ret_fd = TAKE_FD(fd);
1ed34d75
LP		 1107 }
1108
49eb3659
LP		 1109 if (flags & CHASE_STEP)
1110 return 1;
1111
a9fb0867 1112 return exists;
49eb3659
LP		 1113
1114chased_one:
a5648b80 1115 if (ret_path) {
49eb3659
LP		 1116 char *c;
1117
027cc9c9
ZJS		 1118 c = strjoin(strempty(done), todo);
1119 if (!c)
1120 return -ENOMEM;
49eb3659 1121
a5648b80 1122 *ret_path = c;
49eb3659
LP		 1123 }
1124
1125 return 0;
d944dc95 1126}
57a4359e 1127
21c692e9
LP		 1128int chase_symlinks_and_open(
1129 const char *path,
1130 const char *root,
1131 unsigned chase_flags,
1132 int open_flags,
1133 char **ret_path) {
1134
1135 _cleanup_close_ int path_fd = -1;
1136 _cleanup_free_ char *p = NULL;
1137 int r;
1138
1139 if (chase_flags & CHASE_NONEXISTENT)
1140 return -EINVAL;
1141
57ea45e1 1142 if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
21c692e9
LP		 1143 /* Shortcut this call if none of the special features of this call are requested */
1144 r = open(path, open_flags);
1145 if (r < 0)
1146 return -errno;
1147
1148 return r;
1149 }
1150
a5648b80
ZJS		 1151 r = chase_symlinks(path, root, chase_flags, ret_path ? &p : NULL, &path_fd);
1152 if (r < 0)
1153 return r;
1154 assert(path_fd >= 0);
21c692e9
LP		 1155
1156 r = fd_reopen(path_fd, open_flags);
1157 if (r < 0)
1158 return r;
1159
1160 if (ret_path)
1161 *ret_path = TAKE_PTR(p);
1162
1163 return r;
1164}
1165
1166int chase_symlinks_and_opendir(
1167 const char *path,
1168 const char *root,
1169 unsigned chase_flags,
1170 char **ret_path,
1171 DIR **ret_dir) {
1172
1173 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
1174 _cleanup_close_ int path_fd = -1;
1175 _cleanup_free_ char *p = NULL;
1176 DIR *d;
a5648b80 1177 int r;
21c692e9
LP		 1178
1179 if (!ret_dir)
1180 return -EINVAL;
1181 if (chase_flags & CHASE_NONEXISTENT)
1182 return -EINVAL;
1183
57ea45e1 1184 if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
21c692e9
LP		 1185 /* Shortcut this call if none of the special features of this call are requested */
1186 d = opendir(path);
1187 if (!d)
1188 return -errno;
1189
1190 *ret_dir = d;
1191 return 0;
1192 }
1193
a5648b80
ZJS		 1194 r = chase_symlinks(path, root, chase_flags, ret_path ? &p : NULL, &path_fd);
1195 if (r < 0)
1196 return r;
1197 assert(path_fd >= 0);
21c692e9
LP		 1198
1199 xsprintf(procfs_path, "/proc/self/fd/%i", path_fd);
1200 d = opendir(procfs_path);
1201 if (!d)
1202 return -errno;
1203
1204 if (ret_path)
1205 *ret_path = TAKE_PTR(p);
1206
1207 *ret_dir = d;
1208 return 0;
1209}
1210
d2bcd0ba
LP		 1211int chase_symlinks_and_stat(
1212 const char *path,
1213 const char *root,
1214 unsigned chase_flags,
1215 char **ret_path,
a5648b80
ZJS		 1216 struct stat *ret_stat,
1217 int *ret_fd) {
d2bcd0ba
LP		 1218
1219 _cleanup_close_ int path_fd = -1;
1220 _cleanup_free_ char *p = NULL;
a5648b80 1221 int r;
d2bcd0ba
LP		 1222
1223 assert(path);
1224 assert(ret_stat);
1225
1226 if (chase_flags & CHASE_NONEXISTENT)
1227 return -EINVAL;
1228
1229 if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
1230 /* Shortcut this call if none of the special features of this call are requested */
1231 if (stat(path, ret_stat) < 0)
1232 return -errno;
1233
1234 return 1;
1235 }
1236
a5648b80
ZJS		 1237 r = chase_symlinks(path, root, chase_flags, ret_path ? &p : NULL, &path_fd);
1238 if (r < 0)
1239 return r;
1240 assert(path_fd >= 0);
d2bcd0ba
LP		 1241
1242 if (fstat(path_fd, ret_stat) < 0)
1243 return -errno;
1244
1245 if (ret_path)
1246 *ret_path = TAKE_PTR(p);
a5648b80
ZJS		 1247 if (ret_fd)
1248 *ret_fd = TAKE_FD(path_fd);
d2bcd0ba
LP		 1249
1250 return 1;
1251}
1252
57a4359e 1253int access_fd(int fd, int mode) {
fbd0b64f 1254 char p[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(fd) + 1];
57a4359e
LP		 1255
1256 /* Like access() but operates on an already open fd */
1257
1258 xsprintf(p, "/proc/self/fd/%i", fd);
4265a66a
LP		 1259 if (access(p, mode) < 0) {
1260 if (errno != ENOENT)
1261 return -errno;
57a4359e 1262
4265a66a
LP		 1263 /* ENOENT can mean two things: that the fd does not exist or that /proc is not mounted. Let's
1264 * make things debuggable and distinguish the two. */
1265
1266 if (proc_mounted() == 0)
1267 return -ENOSYS; /* /proc is not available or not set up properly, we're most likely in some chroot
1268 * environment. */
1269
1270 return -EBADF; /* The directory exists, hence it's the fd that doesn't. */
1271 }
1272
1273 return 0;
57a4359e 1274}
43767d9d 1275
627d2bac
ZJS		 1276void unlink_tempfilep(char (*p)[]) {
1277 /* If the file is created with mkstemp(), it will (almost always)
1278 * change the suffix. Treat this as a sign that the file was
1279 * successfully created. We ignore both the rare case where the
1280 * original suffix is used and unlink failures. */
1281 if (!endswith(*p, ".XXXXXX"))
69821560 1282 (void) unlink_noerrno(*p);
627d2bac
ZJS		 1283}
1284
053e0626 1285int unlinkat_deallocate(int fd, const char *name, UnlinkDeallocateFlags flags) {
43767d9d
LP		 1286 _cleanup_close_ int truncate_fd = -1;
1287 struct stat st;
1288 off_t l, bs;
1289
053e0626
LP		 1290 assert((flags & ~(UNLINK_REMOVEDIR|UNLINK_ERASE)) == 0);
1291
43767d9d
LP		 1292 /* Operates like unlinkat() but also deallocates the file contents if it is a regular file and there's no other
1293 * link to it. This is useful to ensure that other processes that might have the file open for reading won't be
1294 * able to keep the data pinned on disk forever. This call is particular useful whenever we execute clean-up
1295 * jobs ("vacuuming"), where we want to make sure the data is really gone and the disk space released and
1296 * returned to the free pool.
1297 *
1298 * Deallocation is preferably done by FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE (👊) if supported, which means
1299 * the file won't change size. That's a good thing since we shouldn't needlessly trigger SIGBUS in other
1300 * programs that have mmap()ed the file. (The assumption here is that changing file contents to all zeroes
1301 * underneath those programs is the better choice than simply triggering SIGBUS in them which truncation does.)
1302 * However if hole punching is not implemented in the kernel or file system we'll fall back to normal file
1303 * truncation (🔪), as our goal of deallocating the data space trumps our goal of being nice to readers (💐).
1304 *
1305 * Note that we attempt deallocation, but failure to succeed with that is not considered fatal, as long as the
1306 * primary job – to delete the file – is accomplished. */
1307
053e0626 1308 if (!FLAGS_SET(flags, UNLINK_REMOVEDIR)) {
43767d9d
LP		 1309 truncate_fd = openat(fd, name, O_WRONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|O_NONBLOCK);
1310 if (truncate_fd < 0) {
1311
1312 /* If this failed because the file doesn't exist propagate the error right-away. Also,
1313 * AT_REMOVEDIR wasn't set, and we tried to open the file for writing, which means EISDIR is
1314 * returned when this is a directory but we are not supposed to delete those, hence propagate
1315 * the error right-away too. */
1316 if (IN_SET(errno, ENOENT, EISDIR))
1317 return -errno;
1318
1319 if (errno != ELOOP) /* don't complain if this is a symlink */
1320 log_debug_errno(errno, "Failed to open file '%s' for deallocation, ignoring: %m", name);
1321 }
1322 }
1323
053e0626 1324 if (unlinkat(fd, name, FLAGS_SET(flags, UNLINK_REMOVEDIR) ? AT_REMOVEDIR : 0) < 0)
43767d9d
LP		 1325 return -errno;
1326
1327 if (truncate_fd < 0) /* Don't have a file handle, can't do more ☹️ */
1328 return 0;
1329
1330 if (fstat(truncate_fd, &st) < 0) {
011723a4 1331 log_debug_errno(errno, "Failed to stat file '%s' for deallocation, ignoring: %m", name);
43767d9d
LP		 1332 return 0;
1333 }
1334
053e0626
LP		 1335 if (!S_ISREG(st.st_mode))
1336 return 0;
1337
1338 if (FLAGS_SET(flags, UNLINK_ERASE) && st.st_size > 0 && st.st_nlink == 0) {
1339 uint64_t left = st.st_size;
1340 char buffer[64 * 1024];
1341
1342 /* If erasing is requested, let's overwrite the file with random data once before deleting
1343 * it. This isn't going to give you shred(1) semantics, but hopefully should be good enough
1344 * for stuff backed by tmpfs at least.
1345 *
15dd4515 1346 * Note that we only erase like this if the link count of the file is zero. If it is higher it
053e0626
LP		 1347 * is still linked by someone else and we'll leave it to them to remove it securely
1348 * eventually! */
1349
1350 random_bytes(buffer, sizeof(buffer));
1351
1352 while (left > 0) {
1353 ssize_t n;
1354
1355 n = write(truncate_fd, buffer, MIN(sizeof(buffer), left));
1356 if (n < 0) {
1357 log_debug_errno(errno, "Failed to erase data in file '%s', ignoring.", name);
1358 break;
1359 }
1360
1361 assert(left >= (size_t) n);
1362 left -= n;
1363 }
1364
1365 /* Let's refresh metadata */
1366 if (fstat(truncate_fd, &st) < 0) {
1367 log_debug_errno(errno, "Failed to stat file '%s' for deallocation, ignoring: %m", name);
1368 return 0;
1369 }
1370 }
1371
1372 /* Don't dallocate if there's nothing to deallocate or if the file is linked elsewhere */
1373 if (st.st_blocks == 0 || st.st_nlink > 0)
43767d9d
LP		 1374 return 0;
1375
1376 /* If this is a regular file, it actually took up space on disk and there are no other links it's time to
1377 * punch-hole/truncate this to release the disk space. */
1378
1379 bs = MAX(st.st_blksize, 512);
1380 l = DIV_ROUND_UP(st.st_size, bs) * bs; /* Round up to next block size */
1381
1382 if (fallocate(truncate_fd, FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE, 0, l) >= 0)
1383 return 0; /* Successfully punched a hole! 😊 */
1384
1385 /* Fall back to truncation */
1386 if (ftruncate(truncate_fd, 0) < 0) {
1387 log_debug_errno(errno, "Failed to truncate file to 0, ignoring: %m");
1388 return 0;
1389 }
1390
1391 return 0;
1392}
11b29a96
LP		 1393
1394int fsync_directory_of_file(int fd) {
0c462ea4 1395 _cleanup_free_ char *path = NULL;
11b29a96
LP		 1396 _cleanup_close_ int dfd = -1;
1397 int r;
1398
1399 r = fd_verify_regular(fd);
1400 if (r < 0)
1401 return r;
1402
1403 r = fd_get_path(fd, &path);
3ceae1bc 1404 if (r < 0) {
b8b846d7
LP		 1405 log_debug_errno(r, "Failed to query /proc/self/fd/%d%s: %m",
1406 fd,
8fe8f3aa 1407 r == -ENOSYS ? ", ignoring" : "");
3ceae1bc 1408
8fe8f3aa 1409 if (r == -ENOSYS)
3ceae1bc
ZJS		 1410 /* If /proc is not available, we're most likely running in some
1411 * chroot environment, and syncing the directory is not very
1412 * important in that case. Let's just silently do nothing. */
1413 return 0;
1414
11b29a96 1415 return r;
3ceae1bc 1416 }
11b29a96
LP		 1417
1418 if (!path_is_absolute(path))
1419 return -EINVAL;
1420
0c462ea4 1421 dfd = open_parent(path, O_CLOEXEC, 0);
11b29a96 1422 if (dfd < 0)
0c462ea4 1423 return dfd;
11b29a96
LP		 1424
1425 if (fsync(dfd) < 0)
1426 return -errno;
1427
1428 return 0;
1429}
ef8becfa 1430
63d59b8d
LP		 1431int fsync_full(int fd) {
1432 int r, q;
1433
1434 /* Sync both the file and the directory */
1435
1436 r = fsync(fd) < 0 ? -errno : 0;
1437 q = fsync_directory_of_file(fd);
1438
1439 return r < 0 ? r : q;
1440}
1441
36695e88
LP		 1442int fsync_path_at(int at_fd, const char *path) {
1443 _cleanup_close_ int opened_fd = -1;
1444 int fd;
1445
1446 if (isempty(path)) {
1447 if (at_fd == AT_FDCWD) {
1448 opened_fd = open(".", O_RDONLY|O_DIRECTORY|O_CLOEXEC);
1449 if (opened_fd < 0)
1450 return -errno;
1451
1452 fd = opened_fd;
1453 } else
1454 fd = at_fd;
1455 } else {
1456
1457 opened_fd = openat(at_fd, path, O_RDONLY|O_CLOEXEC);
1458 if (opened_fd < 0)
1459 return -errno;
1460
1461 fd = opened_fd;
1462 }
1463
1464 if (fsync(fd) < 0)
1465 return -errno;
1466
1467 return 0;
1468}
1469
71f51416
LP		 1470int syncfs_path(int atfd, const char *path) {
1471 _cleanup_close_ int fd = -1;
1472
1473 assert(path);
1474
1475 fd = openat(atfd, path, O_CLOEXEC|O_RDONLY|O_NONBLOCK);
1476 if (fd < 0)
1477 return -errno;
1478
1479 if (syncfs(fd) < 0)
1480 return -errno;
1481
1482 return 0;
1483}
1484
ef8becfa
LP		 1485int open_parent(const char *path, int flags, mode_t mode) {
1486 _cleanup_free_ char *parent = NULL;
1487 int fd;
1488
1489 if (isempty(path))
1490 return -EINVAL;
1491 if (path_equal(path, "/")) /* requesting the parent of the root dir is fishy, let's prohibit that */
1492 return -EINVAL;
1493
1494 parent = dirname_malloc(path);
1495 if (!parent)
1496 return -ENOMEM;
1497
1498 /* Let's insist on O_DIRECTORY since the parent of a file or directory is a directory. Except if we open an
1499 * O_TMPFILE file, because in that case we are actually create a regular file below the parent directory. */
1500
0c21dafb 1501 if (FLAGS_SET(flags, O_PATH))
ef8becfa 1502 flags |= O_DIRECTORY;
0c21dafb 1503 else if (!FLAGS_SET(flags, O_TMPFILE))
ef8becfa
LP		 1504 flags |= O_DIRECTORY|O_RDONLY;
1505
1506 fd = open(parent, flags, mode);
1507 if (fd < 0)
1508 return -errno;
1509
1510 return fd;
1511}
ed9c0851 1512
622e1cdb
LP		 1513static int blockdev_is_encrypted(const char *sysfs_path, unsigned depth_left) {
1514 _cleanup_free_ char *p = NULL, *uuids = NULL;
1515 _cleanup_closedir_ DIR *d = NULL;
1516 int r, found_encrypted = false;
1517
1518 assert(sysfs_path);
1519
1520 if (depth_left == 0)
1521 return -EINVAL;
1522
1523 p = path_join(sysfs_path, "dm/uuid");
1524 if (!p)
1525 return -ENOMEM;
1526
1527 r = read_one_line_file(p, &uuids);
1528 if (r != -ENOENT) {
1529 if (r < 0)
1530 return r;
1531
1532 /* The DM device's uuid attribute is prefixed with "CRYPT-" if this is a dm-crypt device. */
1533 if (startswith(uuids, "CRYPT-"))
1534 return true;
1535 }
1536
1537 /* Not a dm-crypt device itself. But maybe it is on top of one? Follow the links in the "slaves/"
1538 * subdir. */
1539
1540 p = mfree(p);
1541 p = path_join(sysfs_path, "slaves");
1542 if (!p)
1543 return -ENOMEM;
1544
1545 d = opendir(p);
1546 if (!d) {
6b000af4 1547 if (errno == ENOENT) /* Doesn't have underlying devices */
622e1cdb
LP		 1548 return false;
1549
1550 return -errno;
1551 }
1552
1553 for (;;) {
1554 _cleanup_free_ char *q = NULL;
1555 struct dirent *de;
1556
1557 errno = 0;
1558 de = readdir_no_dot(d);
1559 if (!de) {
1560 if (errno != 0)
1561 return -errno;
1562
6b000af4 1563 break; /* No more underlying devices */
622e1cdb
LP		 1564 }
1565
1566 q = path_join(p, de->d_name);
1567 if (!q)
1568 return -ENOMEM;
1569
1570 r = blockdev_is_encrypted(q, depth_left - 1);
1571 if (r < 0)
1572 return r;
1573 if (r == 0) /* we found one that is not encrypted? then propagate that immediately */
1574 return false;
1575
1576 found_encrypted = true;
1577 }
1578
1579 return found_encrypted;
1580}
1581
ed9c0851 1582int path_is_encrypted(const char *path) {
622e1cdb 1583 char p[SYS_BLOCK_PATH_MAX(NULL)];
ed9c0851
LP		 1584 dev_t devt;
1585 int r;
1586
1587 r = get_block_device(path, &devt);
1588 if (r < 0)
1589 return r;
1590 if (r == 0) /* doesn't have a block device */
1591 return false;
1592
622e1cdb 1593 xsprintf_sys_block_path(p, NULL, devt);
ed9c0851 1594
622e1cdb 1595 return blockdev_is_encrypted(p, 10 /* safety net: maximum recursion depth */);
ed9c0851 1596}
Unnamed repository; edit this file 'description' to name the repository.