]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/basic/fs-util.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
fileio: add additional safety checks
[thirdparty/systemd.git] / src / basic / fs-util.c
CommitLineData
53e1b683 1/* SPDX-License-Identifier: LGPL-2.1+ */
f4f15635 2
11c3a366
TA		 3#include <errno.h>
4#include <stddef.h>
5#include <stdio.h>
6#include <stdlib.h>
7#include <string.h>
8#include <sys/stat.h>
655f2da0 9#include <linux/magic.h>
11c3a366
TA		 10#include <time.h>
11#include <unistd.h>
12
b5efdb8a 13#include "alloc-util.h"
f4f15635
LP		 14#include "dirent-util.h"
15#include "fd-util.h"
16#include "fileio.h"
17#include "fs-util.h"
11c3a366
TA		 18#include "log.h"
19#include "macro.h"
20#include "missing.h"
93cc7779
TA		 21#include "mkdir.h"
22#include "parse-util.h"
23#include "path-util.h"
dccca82b 24#include "process-util.h"
34a8f081 25#include "stat-util.h"
430fbf8e 26#include "stdio-util.h"
f4f15635
LP		 27#include "string-util.h"
28#include "strv.h"
93cc7779 29#include "time-util.h"
ee104e11 30#include "user-util.h"
f4f15635
LP		 31#include "util.h"
32
33int unlink_noerrno(const char *path) {
34 PROTECT_ERRNO;
35 int r;
36
37 r = unlink(path);
38 if (r < 0)
39 return -errno;
40
41 return 0;
42}
43
44int rmdir_parents(const char *path, const char *stop) {
45 size_t l;
46 int r = 0;
47
48 assert(path);
49 assert(stop);
50
51 l = strlen(path);
52
53 /* Skip trailing slashes */
54 while (l > 0 && path[l-1] == '/')
55 l--;
56
57 while (l > 0) {
58 char *t;
59
60 /* Skip last component */
61 while (l > 0 && path[l-1] != '/')
62 l--;
63
64 /* Skip trailing slashes */
65 while (l > 0 && path[l-1] == '/')
66 l--;
67
68 if (l <= 0)
69 break;
70
71 t = strndup(path, l);
72 if (!t)
73 return -ENOMEM;
74
75 if (path_startswith(stop, t)) {
76 free(t);
77 return 0;
78 }
79
80 r = rmdir(t);
81 free(t);
82
83 if (r < 0)
84 if (errno != ENOENT)
85 return -errno;
86 }
87
88 return 0;
89}
90
f4f15635
LP		 91int rename_noreplace(int olddirfd, const char *oldpath, int newdirfd, const char *newpath) {
92 struct stat buf;
93 int ret;
94
95 ret = renameat2(olddirfd, oldpath, newdirfd, newpath, RENAME_NOREPLACE);
96 if (ret >= 0)
97 return 0;
98
99 /* renameat2() exists since Linux 3.15, btrfs added support for it later.
100 * If it is not implemented, fallback to another method. */
101 if (!IN_SET(errno, EINVAL, ENOSYS))
102 return -errno;
103
104 /* The link()/unlink() fallback does not work on directories. But
105 * renameat() without RENAME_NOREPLACE gives the same semantics on
106 * directories, except when newpath is an *empty* directory. This is
107 * good enough. */
108 ret = fstatat(olddirfd, oldpath, &buf, AT_SYMLINK_NOFOLLOW);
109 if (ret >= 0 && S_ISDIR(buf.st_mode)) {
110 ret = renameat(olddirfd, oldpath, newdirfd, newpath);
111 return ret >= 0 ? 0 : -errno;
112 }
113
114 /* If it is not a directory, use the link()/unlink() fallback. */
115 ret = linkat(olddirfd, oldpath, newdirfd, newpath, 0);
116 if (ret < 0)
117 return -errno;
118
119 ret = unlinkat(olddirfd, oldpath, 0);
120 if (ret < 0) {
121 /* backup errno before the following unlinkat() alters it */
122 ret = errno;
123 (void) unlinkat(newdirfd, newpath, 0);
124 errno = ret;
125 return -errno;
126 }
127
128 return 0;
129}
130
131int readlinkat_malloc(int fd, const char *p, char **ret) {
132 size_t l = 100;
133 int r;
134
135 assert(p);
136 assert(ret);
137
138 for (;;) {
139 char *c;
140 ssize_t n;
141
142 c = new(char, l);
143 if (!c)
144 return -ENOMEM;
145
146 n = readlinkat(fd, p, c, l-1);
147 if (n < 0) {
148 r = -errno;
149 free(c);
150 return r;
151 }
152
153 if ((size_t) n < l-1) {
154 c[n] = 0;
155 *ret = c;
156 return 0;
157 }
158
159 free(c);
160 l *= 2;
161 }
162}
163
164int readlink_malloc(const char *p, char **ret) {
165 return readlinkat_malloc(AT_FDCWD, p, ret);
166}
167
168int readlink_value(const char *p, char **ret) {
169 _cleanup_free_ char *link = NULL;
170 char *value;
171 int r;
172
173 r = readlink_malloc(p, &link);
174 if (r < 0)
175 return r;
176
177 value = basename(link);
178 if (!value)
179 return -ENOENT;
180
181 value = strdup(value);
182 if (!value)
183 return -ENOMEM;
184
185 *ret = value;
186
187 return 0;
188}
189
190int readlink_and_make_absolute(const char *p, char **r) {
191 _cleanup_free_ char *target = NULL;
192 char *k;
193 int j;
194
195 assert(p);
196 assert(r);
197
198 j = readlink_malloc(p, &target);
199 if (j < 0)
200 return j;
201
202 k = file_in_same_dir(p, target);
203 if (!k)
204 return -ENOMEM;
205
206 *r = k;
207 return 0;
208}
209
f4f15635
LP		 210int chmod_and_chown(const char *path, mode_t mode, uid_t uid, gid_t gid) {
211 assert(path);
212
213 /* Under the assumption that we are running privileged we
214 * first change the access mode and only then hand out
215 * ownership to avoid a window where access is too open. */
216
217 if (mode != MODE_INVALID)
218 if (chmod(path, mode) < 0)
219 return -errno;
220
221 if (uid != UID_INVALID || gid != GID_INVALID)
222 if (chown(path, uid, gid) < 0)
223 return -errno;
b8da477e
YW		 224
225 return 0;
226}
227
228int fchmod_and_chown(int fd, mode_t mode, uid_t uid, gid_t gid) {
229 /* Under the assumption that we are running privileged we
230 * first change the access mode and only then hand out
231 * ownership to avoid a window where access is too open. */
232
233 if (mode != MODE_INVALID)
234 if (fchmod(fd, mode) < 0)
235 return -errno;
236
237 if (uid != UID_INVALID || gid != GID_INVALID)
238 if (fchown(fd, uid, gid) < 0)
239 return -errno;
f4f15635
LP		 240
241 return 0;
242}
243
f4f15635
LP		 244int fchmod_umask(int fd, mode_t m) {
245 mode_t u;
246 int r;
247
248 u = umask(0777);
249 r = fchmod(fd, m & (~u)) < 0 ? -errno : 0;
250 umask(u);
251
252 return r;
253}
254
4dfaa528 255int fchmod_opath(int fd, mode_t m) {
22dd8d35 256 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
4dfaa528
FB		 257
258 /* This function operates also on fd that might have been opened with
259 * O_PATH. Indeed fchmodat() doesn't have the AT_EMPTY_PATH flag like
260 * fchownat() does. */
261
262 xsprintf(procfs_path, "/proc/self/fd/%i", fd);
263
264 if (chmod(procfs_path, m) < 0)
265 return -errno;
266
267 return 0;
268}
269
f4f15635
LP		 270int fd_warn_permissions(const char *path, int fd) {
271 struct stat st;
272
273 if (fstat(fd, &st) < 0)
274 return -errno;
275
276 if (st.st_mode & 0111)
277 log_warning("Configuration file %s is marked executable. Please remove executable permission bits. Proceeding anyway.", path);
278
279 if (st.st_mode & 0002)
280 log_warning("Configuration file %s is marked world-writable. Please remove world writability permission bits. Proceeding anyway.", path);
281
df0ff127 282 if (getpid_cached() == 1 && (st.st_mode & 0044) != 0044)
f4f15635
LP		 283 log_warning("Configuration file %s is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.", path);
284
285 return 0;
286}
287
288int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode) {
9e3fa6e8
LP		 289 char fdpath[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
290 _cleanup_close_ int fd = -1;
291 int r, ret = 0;
f4f15635
LP		 292
293 assert(path);
294
9e3fa6e8
LP		 295 /* Note that touch_file() does not follow symlinks: if invoked on an existing symlink, then it is the symlink
296 * itself which is updated, not its target
297 *
298 * Returns the first error we encounter, but tries to apply as much as possible. */
f4f15635 299
9e3fa6e8
LP		 300 if (parents)
301 (void) mkdir_parents(path, 0755);
302
303 /* Initially, we try to open the node with O_PATH, so that we get a reference to the node. This is useful in
304 * case the path refers to an existing device or socket node, as we can open it successfully in all cases, and
305 * won't trigger any driver magic or so. */
306 fd = open(path, O_PATH|O_CLOEXEC|O_NOFOLLOW);
307 if (fd < 0) {
308 if (errno != ENOENT)
f4f15635 309 return -errno;
f4f15635 310
9e3fa6e8
LP		 311 /* if the node doesn't exist yet, we create it, but with O_EXCL, so that we only create a regular file
312 * here, and nothing else */
313 fd = open(path, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, IN_SET(mode, 0, MODE_INVALID) ? 0644 : mode);
314 if (fd < 0)
f4f15635
LP		 315 return -errno;
316 }
317
9e3fa6e8
LP		 318 /* Let's make a path from the fd, and operate on that. With this logic, we can adjust the access mode,
319 * ownership and time of the file node in all cases, even if the fd refers to an O_PATH object — which is
320 * something fchown(), fchmod(), futimensat() don't allow. */
321 xsprintf(fdpath, "/proc/self/fd/%i", fd);
322
323 if (mode != MODE_INVALID)
324 if (chmod(fdpath, mode) < 0)
325 ret = -errno;
326
327 if (uid_is_valid(uid) || gid_is_valid(gid))
328 if (chown(fdpath, uid, gid) < 0 && ret >= 0)
329 ret = -errno;
330
f4f15635
LP		 331 if (stamp != USEC_INFINITY) {
332 struct timespec ts[2];
333
334 timespec_store(&ts[0], stamp);
335 ts[1] = ts[0];
9e3fa6e8 336 r = utimensat(AT_FDCWD, fdpath, ts, 0);
f4f15635 337 } else
9e3fa6e8
LP		 338 r = utimensat(AT_FDCWD, fdpath, NULL, 0);
339 if (r < 0 && ret >= 0)
f4f15635
LP		 340 return -errno;
341
9e3fa6e8 342 return ret;
f4f15635
LP		 343}
344
345int touch(const char *path) {
ee735086 346 return touch_file(path, false, USEC_INFINITY, UID_INVALID, GID_INVALID, MODE_INVALID);
f4f15635
LP		 347}
348
349int symlink_idempotent(const char *from, const char *to) {
f4f15635
LP		 350 int r;
351
352 assert(from);
353 assert(to);
354
355 if (symlink(from, to) < 0) {
77b79723
LP		 356 _cleanup_free_ char *p = NULL;
357
f4f15635
LP		 358 if (errno != EEXIST)
359 return -errno;
360
361 r = readlink_malloc(to, &p);
77b79723
LP		 362 if (r == -EINVAL) /* Not a symlink? In that case return the original error we encountered: -EEXIST */
363 return -EEXIST;
364 if (r < 0) /* Any other error? In that case propagate it as is */
f4f15635
LP		 365 return r;
366
77b79723
LP		 367 if (!streq(p, from)) /* Not the symlink we want it to be? In that case, propagate the original -EEXIST */
368 return -EEXIST;
f4f15635
LP		 369 }
370
371 return 0;
372}
373
374int symlink_atomic(const char *from, const char *to) {
375 _cleanup_free_ char *t = NULL;
376 int r;
377
378 assert(from);
379 assert(to);
380
381 r = tempfn_random(to, NULL, &t);
382 if (r < 0)
383 return r;
384
385 if (symlink(from, t) < 0)
386 return -errno;
387
388 if (rename(t, to) < 0) {
389 unlink_noerrno(t);
390 return -errno;
391 }
392
393 return 0;
394}
395
396int mknod_atomic(const char *path, mode_t mode, dev_t dev) {
397 _cleanup_free_ char *t = NULL;
398 int r;
399
400 assert(path);
401
402 r = tempfn_random(path, NULL, &t);
403 if (r < 0)
404 return r;
405
406 if (mknod(t, mode, dev) < 0)
407 return -errno;
408
409 if (rename(t, path) < 0) {
410 unlink_noerrno(t);
411 return -errno;
412 }
413
414 return 0;
415}
416
417int mkfifo_atomic(const char *path, mode_t mode) {
418 _cleanup_free_ char *t = NULL;
419 int r;
420
421 assert(path);
422
423 r = tempfn_random(path, NULL, &t);
424 if (r < 0)
425 return r;
426
427 if (mkfifo(t, mode) < 0)
428 return -errno;
429
430 if (rename(t, path) < 0) {
431 unlink_noerrno(t);
432 return -errno;
433 }
434
435 return 0;
436}
437
438int get_files_in_directory(const char *path, char ***list) {
439 _cleanup_closedir_ DIR *d = NULL;
8fb3f009 440 struct dirent *de;
f4f15635
LP		 441 size_t bufsize = 0, n = 0;
442 _cleanup_strv_free_ char **l = NULL;
443
444 assert(path);
445
446 /* Returns all files in a directory in *list, and the number
447 * of files as return value. If list is NULL returns only the
448 * number. */
449
450 d = opendir(path);
451 if (!d)
452 return -errno;
453
8fb3f009 454 FOREACH_DIRENT_ALL(de, d, return -errno) {
f4f15635
LP		 455 dirent_ensure_type(d, de);
456
457 if (!dirent_is_file(de))
458 continue;
459
460 if (list) {
461 /* one extra slot is needed for the terminating NULL */
462 if (!GREEDY_REALLOC(l, bufsize, n + 2))
463 return -ENOMEM;
464
465 l[n] = strdup(de->d_name);
466 if (!l[n])
467 return -ENOMEM;
468
469 l[++n] = NULL;
470 } else
471 n++;
472 }
473
ae2a15bc
LP		 474 if (list)
475 *list = TAKE_PTR(l);
f4f15635
LP		 476
477 return n;
478}
430fbf8e 479
992e8f22
LP		 480static int getenv_tmp_dir(const char **ret_path) {
481 const char *n;
482 int r, ret = 0;
34a8f081 483
992e8f22 484 assert(ret_path);
34a8f081 485
992e8f22
LP		 486 /* We use the same order of environment variables python uses in tempfile.gettempdir():
487 * https://docs.python.org/3/library/tempfile.html#tempfile.gettempdir */
488 FOREACH_STRING(n, "TMPDIR", "TEMP", "TMP") {
489 const char *e;
490
491 e = secure_getenv(n);
492 if (!e)
493 continue;
494 if (!path_is_absolute(e)) {
495 r = -ENOTDIR;
496 goto next;
497 }
99be45a4 498 if (!path_is_normalized(e)) {
992e8f22
LP		 499 r = -EPERM;
500 goto next;
501 }
502
503 r = is_dir(e, true);
504 if (r < 0)
505 goto next;
506 if (r == 0) {
507 r = -ENOTDIR;
508 goto next;
509 }
510
511 *ret_path = e;
512 return 1;
513
514 next:
515 /* Remember first error, to make this more debuggable */
516 if (ret >= 0)
517 ret = r;
34a8f081
OW		 518 }
519
992e8f22
LP		 520 if (ret < 0)
521 return ret;
34a8f081 522
992e8f22
LP		 523 *ret_path = NULL;
524 return ret;
525}
34a8f081 526
992e8f22
LP		 527static int tmp_dir_internal(const char *def, const char **ret) {
528 const char *e;
529 int r, k;
530
531 assert(def);
532 assert(ret);
533
534 r = getenv_tmp_dir(&e);
535 if (r > 0) {
536 *ret = e;
537 return 0;
538 }
539
540 k = is_dir(def, true);
541 if (k == 0)
542 k = -ENOTDIR;
543 if (k < 0)
544 return r < 0 ? r : k;
545
546 *ret = def;
34a8f081
OW		 547 return 0;
548}
549
992e8f22
LP		 550int var_tmp_dir(const char **ret) {
551
552 /* Returns the location for "larger" temporary files, that is backed by physical storage if available, and thus
553 * even might survive a boot: /var/tmp. If $TMPDIR (or related environment variables) are set, its value is
554 * returned preferably however. Note that both this function and tmp_dir() below are affected by $TMPDIR,
555 * making it a variable that overrides all temporary file storage locations. */
556
557 return tmp_dir_internal("/var/tmp", ret);
558}
559
560int tmp_dir(const char **ret) {
561
562 /* Similar to var_tmp_dir() above, but returns the location for "smaller" temporary files, which is usually
563 * backed by an in-memory file system: /tmp. */
564
565 return tmp_dir_internal("/tmp", ret);
566}
567
af229d7a
ZJS		 568int unlink_or_warn(const char *filename) {
569 if (unlink(filename) < 0 && errno != ENOENT)
570 /* If the file doesn't exist and the fs simply was read-only (in which
571 * case unlink() returns EROFS even if the file doesn't exist), don't
572 * complain */
573 if (errno != EROFS || access(filename, F_OK) >= 0)
574 return log_error_errno(errno, "Failed to remove \"%s\": %m", filename);
575
576 return 0;
577}
578
430fbf8e 579int inotify_add_watch_fd(int fd, int what, uint32_t mask) {
fbd0b64f 580 char path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
430fbf8e
LP		 581 int r;
582
583 /* This is like inotify_add_watch(), except that the file to watch is not referenced by a path, but by an fd */
584 xsprintf(path, "/proc/self/fd/%i", what);
585
586 r = inotify_add_watch(fd, path, mask);
587 if (r < 0)
588 return -errno;
589
590 return r;
591}
d944dc95 592
f14f1806
LP		 593static bool safe_transition(const struct stat *a, const struct stat *b) {
594 /* Returns true if the transition from a to b is safe, i.e. that we never transition from unprivileged to
595 * privileged files or directories. Why bother? So that unprivileged code can't symlink to privileged files
596 * making us believe we read something safe even though it isn't safe in the specific context we open it in. */
597
598 if (a->st_uid == 0) /* Transitioning from privileged to unprivileged is always fine */
599 return true;
600
601 return a->st_uid == b->st_uid; /* Otherwise we need to stay within the same UID */
602}
603
c4f4fce7 604int chase_symlinks(const char *path, const char *original_root, unsigned flags, char **ret) {
d944dc95
LP		 605 _cleanup_free_ char *buffer = NULL, *done = NULL, *root = NULL;
606 _cleanup_close_ int fd = -1;
f10f4215 607 unsigned max_follow = CHASE_SYMLINKS_MAX; /* how many symlinks to follow before giving up and returning ELOOP */
f14f1806 608 struct stat previous_stat;
a9fb0867 609 bool exists = true;
d944dc95
LP		 610 char *todo;
611 int r;
612
613 assert(path);
614
1ed34d75 615 /* Either the file may be missing, or we return an fd to the final object, but both make no sense */
d94a24ca 616 if (FLAGS_SET(flags, CHASE_NONEXISTENT | CHASE_OPEN))
1ed34d75
LP		 617 return -EINVAL;
618
d94a24ca 619 if (FLAGS_SET(flags, CHASE_STEP | CHASE_OPEN))
49eb3659
LP		 620 return -EINVAL;
621
a49424af
LP		 622 if (isempty(path))
623 return -EINVAL;
624
d944dc95
LP		 625 /* This is a lot like canonicalize_file_name(), but takes an additional "root" parameter, that allows following
626 * symlinks relative to a root directory, instead of the root of the host.
627 *
fc4b68e5 628 * Note that "root" primarily matters if we encounter an absolute symlink. It is also used when following
c4f4fce7
LP		 629 * relative symlinks to ensure they cannot be used to "escape" the root directory. The path parameter passed is
630 * assumed to be already prefixed by it, except if the CHASE_PREFIX_ROOT flag is set, in which case it is first
631 * prefixed accordingly.
d944dc95
LP		 632 *
633 * Algorithmically this operates on two path buffers: "done" are the components of the path we already
634 * processed and resolved symlinks, "." and ".." of. "todo" are the components of the path we still need to
635 * process. On each iteration, we move one component from "todo" to "done", processing it's special meaning
636 * each time. The "todo" path always starts with at least one slash, the "done" path always ends in no
637 * slash. We always keep an O_PATH fd to the component we are currently processing, thus keeping lookup races
fc4b68e5
LP		 638 * at a minimum.
639 *
640 * Suggested usage: whenever you want to canonicalize a path, use this function. Pass the absolute path you got
641 * as-is: fully qualified and relative to your host's root. Optionally, specify the root parameter to tell this
642 * function what to do when encountering a symlink with an absolute path as directory: prefix it by the
49eb3659
LP		 643 * specified path.
644 *
645 * There are three ways to invoke this function:
646 *
647 * 1. Without CHASE_STEP or CHASE_OPEN: in this case the path is resolved and the normalized path is returned
648 * in `ret`. The return value is < 0 on error. If CHASE_NONEXISTENT is also set 0 is returned if the file
649 * doesn't exist, > 0 otherwise. If CHASE_NONEXISTENT is not set >= 0 is returned if the destination was
650 * found, -ENOENT if it doesn't.
651 *
652 * 2. With CHASE_OPEN: in this case the destination is opened after chasing it as O_PATH and this file
653 * descriptor is returned as return value. This is useful to open files relative to some root
654 * directory. Note that the returned O_PATH file descriptors must be converted into a regular one (using
655 * fd_reopen() or such) before it can be used for reading/writing. CHASE_OPEN may not be combined with
656 * CHASE_NONEXISTENT.
657 *
658 * 3. With CHASE_STEP: in this case only a single step of the normalization is executed, i.e. only the first
659 * symlink or ".." component of the path is resolved, and the resulting path is returned. This is useful if
660 * a caller wants to trace the a path through the file system verbosely. Returns < 0 on error, > 0 if the
661 * path is fully normalized, and == 0 for each normalization step. This may be combined with
662 * CHASE_NONEXISTENT, in which case 1 is returned when a component is not found.
663 *
664 * */
d944dc95 665
22bc57c5 666 /* A root directory of "/" or "" is identical to none */
57ea45e1 667 if (empty_or_root(original_root))
22bc57c5 668 original_root = NULL;
b1bfb848 669
49eb3659 670 if (!original_root && !ret && (flags & (CHASE_NONEXISTENT|CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_OPEN|CHASE_STEP)) == CHASE_OPEN) {
244d2f07
LP		 671 /* Shortcut the CHASE_OPEN case if the caller isn't interested in the actual path and has no root set
672 * and doesn't care about any of the other special features we provide either. */
673 r = open(path, O_PATH|O_CLOEXEC);
674 if (r < 0)
675 return -errno;
676
677 return r;
678 }
679
c4f4fce7
LP		 680 if (original_root) {
681 r = path_make_absolute_cwd(original_root, &root);
d944dc95
LP		 682 if (r < 0)
683 return r;
c4f4fce7 684
382a5078
LP		 685 if (flags & CHASE_PREFIX_ROOT) {
686
687 /* We don't support relative paths in combination with a root directory */
688 if (!path_is_absolute(path))
689 return -EINVAL;
690
c4f4fce7 691 path = prefix_roota(root, path);
382a5078 692 }
d944dc95
LP		 693 }
694
c4f4fce7
LP		 695 r = path_make_absolute_cwd(path, &buffer);
696 if (r < 0)
697 return r;
698
d944dc95
LP		 699 fd = open("/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
700 if (fd < 0)
701 return -errno;
702
f14f1806
LP		 703 if (flags & CHASE_SAFE) {
704 if (fstat(fd, &previous_stat) < 0)
705 return -errno;
706 }
707
d944dc95
LP		 708 todo = buffer;
709 for (;;) {
710 _cleanup_free_ char *first = NULL;
711 _cleanup_close_ int child = -1;
712 struct stat st;
713 size_t n, m;
714
715 /* Determine length of first component in the path */
716 n = strspn(todo, "/"); /* The slashes */
717 m = n + strcspn(todo + n, "/"); /* The entire length of the component */
718
719 /* Extract the first component. */
720 first = strndup(todo, m);
721 if (!first)
722 return -ENOMEM;
723
724 todo += m;
725
b12d25a8
ZJS		 726 /* Empty? Then we reached the end. */
727 if (isempty(first))
728 break;
729
d944dc95 730 /* Just a single slash? Then we reached the end. */
b12d25a8
ZJS		 731 if (path_equal(first, "/")) {
732 /* Preserve the trailing slash */
62570f6f
LP		 733
734 if (flags & CHASE_TRAIL_SLASH)
735 if (!strextend(&done, "/", NULL))
736 return -ENOMEM;
b12d25a8 737
d944dc95 738 break;
b12d25a8 739 }
d944dc95
LP		 740
741 /* Just a dot? Then let's eat this up. */
742 if (path_equal(first, "/."))
743 continue;
744
745 /* Two dots? Then chop off the last bit of what we already found out. */
746 if (path_equal(first, "/..")) {
747 _cleanup_free_ char *parent = NULL;
2b6d2dda 748 _cleanup_close_ int fd_parent = -1;
d944dc95 749
a4eaf3cf
LP		 750 /* If we already are at the top, then going up will not change anything. This is in-line with
751 * how the kernel handles this. */
57ea45e1 752 if (empty_or_root(done))
a4eaf3cf 753 continue;
d944dc95
LP		 754
755 parent = dirname_malloc(done);
756 if (!parent)
757 return -ENOMEM;
758
a4eaf3cf 759 /* Don't allow this to leave the root dir. */
d944dc95
LP		 760 if (root &&
761 path_startswith(done, root) &&
762 !path_startswith(parent, root))
a4eaf3cf 763 continue;
d944dc95 764
3b319885 765 free_and_replace(done, parent);
d944dc95 766
49eb3659
LP		 767 if (flags & CHASE_STEP)
768 goto chased_one;
769
d944dc95
LP		 770 fd_parent = openat(fd, "..", O_CLOEXEC|O_NOFOLLOW|O_PATH);
771 if (fd_parent < 0)
772 return -errno;
773
f14f1806
LP		 774 if (flags & CHASE_SAFE) {
775 if (fstat(fd_parent, &st) < 0)
776 return -errno;
777
778 if (!safe_transition(&previous_stat, &st))
779 return -EPERM;
780
781 previous_stat = st;
782 }
783
d944dc95 784 safe_close(fd);
c10d6bdb 785 fd = TAKE_FD(fd_parent);
d944dc95
LP		 786
787 continue;
788 }
789
790 /* Otherwise let's see what this is. */
791 child = openat(fd, first + n, O_CLOEXEC|O_NOFOLLOW|O_PATH);
a9fb0867
LP		 792 if (child < 0) {
793
794 if (errno == ENOENT &&
cb638b5e 795 (flags & CHASE_NONEXISTENT) &&
99be45a4 796 (isempty(todo) || path_is_normalized(todo))) {
a9fb0867 797
cb638b5e 798 /* If CHASE_NONEXISTENT is set, and the path does not exist, then that's OK, return
a9fb0867
LP		 799 * what we got so far. But don't allow this if the remaining path contains "../ or "./"
800 * or something else weird. */
801
a1904a46
YW		 802 /* If done is "/", as first also contains slash at the head, then remove this redundant slash. */
803 if (streq_ptr(done, "/"))
804 *done = '\0';
805
a9fb0867
LP		 806 if (!strextend(&done, first, todo, NULL))
807 return -ENOMEM;
808
809 exists = false;
810 break;
811 }
812
d944dc95 813 return -errno;
a9fb0867 814 }
d944dc95
LP		 815
816 if (fstat(child, &st) < 0)
817 return -errno;
f14f1806
LP		 818 if ((flags & CHASE_SAFE) &&
819 !safe_transition(&previous_stat, &st))
820 return -EPERM;
821
822 previous_stat = st;
823
655f2da0 824 if ((flags & CHASE_NO_AUTOFS) &&
a66fee2e 825 fd_is_fs_type(child, AUTOFS_SUPER_MAGIC) > 0)
655f2da0 826 return -EREMOTE;
d944dc95
LP		 827
828 if (S_ISLNK(st.st_mode)) {
877777d7
CCW		 829 char *joined;
830
d944dc95
LP		 831 _cleanup_free_ char *destination = NULL;
832
833 /* This is a symlink, in this case read the destination. But let's make sure we don't follow
834 * symlinks without bounds. */
835 if (--max_follow <= 0)
836 return -ELOOP;
837
838 r = readlinkat_malloc(fd, first + n, &destination);
839 if (r < 0)
840 return r;
841 if (isempty(destination))
842 return -EINVAL;
843
844 if (path_is_absolute(destination)) {
845
846 /* An absolute destination. Start the loop from the beginning, but use the root
847 * directory as base. */
848
849 safe_close(fd);
850 fd = open(root ?: "/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
851 if (fd < 0)
852 return -errno;
853
f14f1806
LP		 854 if (flags & CHASE_SAFE) {
855 if (fstat(fd, &st) < 0)
856 return -errno;
857
858 if (!safe_transition(&previous_stat, &st))
859 return -EPERM;
860
861 previous_stat = st;
862 }
863
b539437a
YW		 864 free(done);
865
d944dc95
LP		 866 /* Note that we do not revalidate the root, we take it as is. */
867 if (isempty(root))
868 done = NULL;
869 else {
870 done = strdup(root);
871 if (!done)
872 return -ENOMEM;
873 }
874
8c4a8ea2
LP		 875 /* Prefix what's left to do with what we just read, and start the loop again, but
876 * remain in the current directory. */
877 joined = strjoin(destination, todo);
878 } else
879 joined = strjoin("/", destination, todo);
877777d7
CCW		 880 if (!joined)
881 return -ENOMEM;
d944dc95 882
877777d7
CCW		 883 free(buffer);
884 todo = buffer = joined;
d944dc95 885
49eb3659
LP		 886 if (flags & CHASE_STEP)
887 goto chased_one;
888
d944dc95
LP		 889 continue;
890 }
891
892 /* If this is not a symlink, then let's just add the name we read to what we already verified. */
ae2a15bc
LP		 893 if (!done)
894 done = TAKE_PTR(first);
895 else {
a1904a46
YW		 896 /* If done is "/", as first also contains slash at the head, then remove this redundant slash. */
897 if (streq(done, "/"))
898 *done = '\0';
899
d944dc95
LP		 900 if (!strextend(&done, first, NULL))
901 return -ENOMEM;
902 }
903
904 /* And iterate again, but go one directory further down. */
905 safe_close(fd);
c10d6bdb 906 fd = TAKE_FD(child);
d944dc95
LP		 907 }
908
909 if (!done) {
910 /* Special case, turn the empty string into "/", to indicate the root directory. */
911 done = strdup("/");
912 if (!done)
913 return -ENOMEM;
914 }
915
ae2a15bc
LP		 916 if (ret)
917 *ret = TAKE_PTR(done);
d944dc95 918
1ed34d75 919 if (flags & CHASE_OPEN) {
1ed34d75
LP		 920 /* Return the O_PATH fd we currently are looking to the caller. It can translate it to a proper fd by
921 * opening /proc/self/fd/xyz. */
922
923 assert(fd >= 0);
c10d6bdb 924 return TAKE_FD(fd);
1ed34d75
LP		 925 }
926
49eb3659
LP		 927 if (flags & CHASE_STEP)
928 return 1;
929
a9fb0867 930 return exists;
49eb3659
LP		 931
932chased_one:
49eb3659
LP		 933 if (ret) {
934 char *c;
935
027cc9c9
ZJS		 936 c = strjoin(strempty(done), todo);
937 if (!c)
938 return -ENOMEM;
49eb3659
LP		 939
940 *ret = c;
941 }
942
943 return 0;
d944dc95 944}
57a4359e 945
21c692e9
LP		 946int chase_symlinks_and_open(
947 const char *path,
948 const char *root,
949 unsigned chase_flags,
950 int open_flags,
951 char **ret_path) {
952
953 _cleanup_close_ int path_fd = -1;
954 _cleanup_free_ char *p = NULL;
955 int r;
956
957 if (chase_flags & CHASE_NONEXISTENT)
958 return -EINVAL;
959
57ea45e1 960 if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
21c692e9
LP		 961 /* Shortcut this call if none of the special features of this call are requested */
962 r = open(path, open_flags);
963 if (r < 0)
964 return -errno;
965
966 return r;
967 }
968
969 path_fd = chase_symlinks(path, root, chase_flags|CHASE_OPEN, ret_path ? &p : NULL);
970 if (path_fd < 0)
971 return path_fd;
972
973 r = fd_reopen(path_fd, open_flags);
974 if (r < 0)
975 return r;
976
977 if (ret_path)
978 *ret_path = TAKE_PTR(p);
979
980 return r;
981}
982
983int chase_symlinks_and_opendir(
984 const char *path,
985 const char *root,
986 unsigned chase_flags,
987 char **ret_path,
988 DIR **ret_dir) {
989
990 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
991 _cleanup_close_ int path_fd = -1;
992 _cleanup_free_ char *p = NULL;
993 DIR *d;
994
995 if (!ret_dir)
996 return -EINVAL;
997 if (chase_flags & CHASE_NONEXISTENT)
998 return -EINVAL;
999
57ea45e1 1000 if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
21c692e9
LP		 1001 /* Shortcut this call if none of the special features of this call are requested */
1002 d = opendir(path);
1003 if (!d)
1004 return -errno;
1005
1006 *ret_dir = d;
1007 return 0;
1008 }
1009
1010 path_fd = chase_symlinks(path, root, chase_flags|CHASE_OPEN, ret_path ? &p : NULL);
1011 if (path_fd < 0)
1012 return path_fd;
1013
1014 xsprintf(procfs_path, "/proc/self/fd/%i", path_fd);
1015 d = opendir(procfs_path);
1016 if (!d)
1017 return -errno;
1018
1019 if (ret_path)
1020 *ret_path = TAKE_PTR(p);
1021
1022 *ret_dir = d;
1023 return 0;
1024}
1025
d2bcd0ba
LP		 1026int chase_symlinks_and_stat(
1027 const char *path,
1028 const char *root,
1029 unsigned chase_flags,
1030 char **ret_path,
1031 struct stat *ret_stat) {
1032
1033 _cleanup_close_ int path_fd = -1;
1034 _cleanup_free_ char *p = NULL;
1035
1036 assert(path);
1037 assert(ret_stat);
1038
1039 if (chase_flags & CHASE_NONEXISTENT)
1040 return -EINVAL;
1041
1042 if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
1043 /* Shortcut this call if none of the special features of this call are requested */
1044 if (stat(path, ret_stat) < 0)
1045 return -errno;
1046
1047 return 1;
1048 }
1049
1050 path_fd = chase_symlinks(path, root, chase_flags|CHASE_OPEN, ret_path ? &p : NULL);
1051 if (path_fd < 0)
1052 return path_fd;
1053
1054 if (fstat(path_fd, ret_stat) < 0)
1055 return -errno;
1056
1057 if (ret_path)
1058 *ret_path = TAKE_PTR(p);
1059
1060 if (chase_flags & CHASE_OPEN)
1061 return TAKE_FD(path_fd);
1062
1063 return 1;
1064}
1065
57a4359e 1066int access_fd(int fd, int mode) {
fbd0b64f 1067 char p[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(fd) + 1];
57a4359e
LP		 1068 int r;
1069
1070 /* Like access() but operates on an already open fd */
1071
1072 xsprintf(p, "/proc/self/fd/%i", fd);
57a4359e
LP		 1073 r = access(p, mode);
1074 if (r < 0)
21c692e9 1075 return -errno;
57a4359e
LP		 1076
1077 return r;
1078}
43767d9d 1079
627d2bac
ZJS		 1080void unlink_tempfilep(char (*p)[]) {
1081 /* If the file is created with mkstemp(), it will (almost always)
1082 * change the suffix. Treat this as a sign that the file was
1083 * successfully created. We ignore both the rare case where the
1084 * original suffix is used and unlink failures. */
1085 if (!endswith(*p, ".XXXXXX"))
69821560 1086 (void) unlink_noerrno(*p);
627d2bac
ZJS		 1087}
1088
43767d9d
LP		 1089int unlinkat_deallocate(int fd, const char *name, int flags) {
1090 _cleanup_close_ int truncate_fd = -1;
1091 struct stat st;
1092 off_t l, bs;
1093
1094 /* Operates like unlinkat() but also deallocates the file contents if it is a regular file and there's no other
1095 * link to it. This is useful to ensure that other processes that might have the file open for reading won't be
1096 * able to keep the data pinned on disk forever. This call is particular useful whenever we execute clean-up
1097 * jobs ("vacuuming"), where we want to make sure the data is really gone and the disk space released and
1098 * returned to the free pool.
1099 *
1100 * Deallocation is preferably done by FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE (👊) if supported, which means
1101 * the file won't change size. That's a good thing since we shouldn't needlessly trigger SIGBUS in other
1102 * programs that have mmap()ed the file. (The assumption here is that changing file contents to all zeroes
1103 * underneath those programs is the better choice than simply triggering SIGBUS in them which truncation does.)
1104 * However if hole punching is not implemented in the kernel or file system we'll fall back to normal file
1105 * truncation (🔪), as our goal of deallocating the data space trumps our goal of being nice to readers (💐).
1106 *
1107 * Note that we attempt deallocation, but failure to succeed with that is not considered fatal, as long as the
1108 * primary job – to delete the file – is accomplished. */
1109
1110 if ((flags & AT_REMOVEDIR) == 0) {
1111 truncate_fd = openat(fd, name, O_WRONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|O_NONBLOCK);
1112 if (truncate_fd < 0) {
1113
1114 /* If this failed because the file doesn't exist propagate the error right-away. Also,
1115 * AT_REMOVEDIR wasn't set, and we tried to open the file for writing, which means EISDIR is
1116 * returned when this is a directory but we are not supposed to delete those, hence propagate
1117 * the error right-away too. */
1118 if (IN_SET(errno, ENOENT, EISDIR))
1119 return -errno;
1120
1121 if (errno != ELOOP) /* don't complain if this is a symlink */
1122 log_debug_errno(errno, "Failed to open file '%s' for deallocation, ignoring: %m", name);
1123 }
1124 }
1125
1126 if (unlinkat(fd, name, flags) < 0)
1127 return -errno;
1128
1129 if (truncate_fd < 0) /* Don't have a file handle, can't do more ☹️ */
1130 return 0;
1131
1132 if (fstat(truncate_fd, &st) < 0) {
1133 log_debug_errno(errno, "Failed to stat file '%s' for deallocation, ignoring.", name);
1134 return 0;
1135 }
1136
1137 if (!S_ISREG(st.st_mode) || st.st_blocks == 0 || st.st_nlink > 0)
1138 return 0;
1139
1140 /* If this is a regular file, it actually took up space on disk and there are no other links it's time to
1141 * punch-hole/truncate this to release the disk space. */
1142
1143 bs = MAX(st.st_blksize, 512);
1144 l = DIV_ROUND_UP(st.st_size, bs) * bs; /* Round up to next block size */
1145
1146 if (fallocate(truncate_fd, FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE, 0, l) >= 0)
1147 return 0; /* Successfully punched a hole! 😊 */
1148
1149 /* Fall back to truncation */
1150 if (ftruncate(truncate_fd, 0) < 0) {
1151 log_debug_errno(errno, "Failed to truncate file to 0, ignoring: %m");
1152 return 0;
1153 }
1154
1155 return 0;
1156}
11b29a96
LP		 1157
1158int fsync_directory_of_file(int fd) {
1159 _cleanup_free_ char *path = NULL, *dn = NULL;
1160 _cleanup_close_ int dfd = -1;
1161 int r;
1162
1163 r = fd_verify_regular(fd);
1164 if (r < 0)
1165 return r;
1166
1167 r = fd_get_path(fd, &path);
3ceae1bc 1168 if (r < 0) {
b8b846d7
LP		 1169 log_debug_errno(r, "Failed to query /proc/self/fd/%d%s: %m",
1170 fd,
1171 r == -EOPNOTSUPP ? ", ignoring" : "");
3ceae1bc
ZJS		 1172
1173 if (r == -EOPNOTSUPP)
1174 /* If /proc is not available, we're most likely running in some
1175 * chroot environment, and syncing the directory is not very
1176 * important in that case. Let's just silently do nothing. */
1177 return 0;
1178
11b29a96 1179 return r;
3ceae1bc 1180 }
11b29a96
LP		 1181
1182 if (!path_is_absolute(path))
1183 return -EINVAL;
1184
1185 dn = dirname_malloc(path);
1186 if (!dn)
1187 return -ENOMEM;
1188
1189 dfd = open(dn, O_RDONLY|O_CLOEXEC|O_DIRECTORY);
1190 if (dfd < 0)
1191 return -errno;
1192
1193 if (fsync(dfd) < 0)
1194 return -errno;
1195
1196 return 0;
1197}
Unnamed repository; edit this file 'description' to name the repository.