]>
Commit | Line | Data |
---|---|---|
db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
f4f15635 | 2 | |
11c3a366 TA |
3 | #include <errno.h> |
4 | #include <stddef.h> | |
11c3a366 | 5 | #include <stdlib.h> |
1c73b069 | 6 | #include <linux/falloc.h> |
655f2da0 | 7 | #include <linux/magic.h> |
11c3a366 TA |
8 | #include <unistd.h> |
9 | ||
b5efdb8a | 10 | #include "alloc-util.h" |
ed9c0851 | 11 | #include "blockdev-util.h" |
f4f15635 LP |
12 | #include "dirent-util.h" |
13 | #include "fd-util.h" | |
ed9c0851 | 14 | #include "fileio.h" |
f4f15635 | 15 | #include "fs-util.h" |
fd74c6f3 | 16 | #include "locale-util.h" |
11c3a366 TA |
17 | #include "log.h" |
18 | #include "macro.h" | |
0499585f | 19 | #include "missing_fcntl.h" |
f5947a5e YW |
20 | #include "missing_fs.h" |
21 | #include "missing_syscall.h" | |
93cc7779 TA |
22 | #include "mkdir.h" |
23 | #include "parse-util.h" | |
24 | #include "path-util.h" | |
dccca82b | 25 | #include "process-util.h" |
053e0626 | 26 | #include "random-util.h" |
4c54768c | 27 | #include "ratelimit.h" |
34a8f081 | 28 | #include "stat-util.h" |
430fbf8e | 29 | #include "stdio-util.h" |
f4f15635 LP |
30 | #include "string-util.h" |
31 | #include "strv.h" | |
93cc7779 | 32 | #include "time-util.h" |
e4de7287 | 33 | #include "tmpfile-util.h" |
ee104e11 | 34 | #include "user-util.h" |
f4f15635 LP |
35 | #include "util.h" |
36 | ||
37 | int unlink_noerrno(const char *path) { | |
38 | PROTECT_ERRNO; | |
39 | int r; | |
40 | ||
41 | r = unlink(path); | |
42 | if (r < 0) | |
43 | return -errno; | |
44 | ||
45 | return 0; | |
46 | } | |
47 | ||
48 | int rmdir_parents(const char *path, const char *stop) { | |
49 | size_t l; | |
50 | int r = 0; | |
51 | ||
52 | assert(path); | |
53 | assert(stop); | |
54 | ||
55 | l = strlen(path); | |
56 | ||
57 | /* Skip trailing slashes */ | |
58 | while (l > 0 && path[l-1] == '/') | |
59 | l--; | |
60 | ||
61 | while (l > 0) { | |
62 | char *t; | |
63 | ||
64 | /* Skip last component */ | |
65 | while (l > 0 && path[l-1] != '/') | |
66 | l--; | |
67 | ||
68 | /* Skip trailing slashes */ | |
69 | while (l > 0 && path[l-1] == '/') | |
70 | l--; | |
71 | ||
72 | if (l <= 0) | |
73 | break; | |
74 | ||
75 | t = strndup(path, l); | |
76 | if (!t) | |
77 | return -ENOMEM; | |
78 | ||
79 | if (path_startswith(stop, t)) { | |
80 | free(t); | |
81 | return 0; | |
82 | } | |
83 | ||
84 | r = rmdir(t); | |
85 | free(t); | |
86 | ||
87 | if (r < 0) | |
88 | if (errno != ENOENT) | |
89 | return -errno; | |
90 | } | |
91 | ||
92 | return 0; | |
93 | } | |
94 | ||
f4f15635 | 95 | int rename_noreplace(int olddirfd, const char *oldpath, int newdirfd, const char *newpath) { |
2f15b625 | 96 | int r; |
f4f15635 | 97 | |
2f15b625 LP |
98 | /* Try the ideal approach first */ |
99 | if (renameat2(olddirfd, oldpath, newdirfd, newpath, RENAME_NOREPLACE) >= 0) | |
f4f15635 LP |
100 | return 0; |
101 | ||
2f15b625 LP |
102 | /* renameat2() exists since Linux 3.15, btrfs and FAT added support for it later. If it is not implemented, |
103 | * fall back to a different method. */ | |
62e10065 | 104 | if (!ERRNO_IS_NOT_SUPPORTED(errno) && errno != EINVAL) |
f4f15635 LP |
105 | return -errno; |
106 | ||
2f15b625 LP |
107 | /* Let's try to use linkat()+unlinkat() as fallback. This doesn't work on directories and on some file systems |
108 | * that do not support hard links (such as FAT, most prominently), but for files it's pretty close to what we | |
109 | * want — though not atomic (i.e. for a short period both the new and the old filename will exist). */ | |
110 | if (linkat(olddirfd, oldpath, newdirfd, newpath, 0) >= 0) { | |
111 | ||
112 | if (unlinkat(olddirfd, oldpath, 0) < 0) { | |
113 | r = -errno; /* Backup errno before the following unlinkat() alters it */ | |
114 | (void) unlinkat(newdirfd, newpath, 0); | |
115 | return r; | |
116 | } | |
117 | ||
118 | return 0; | |
f4f15635 LP |
119 | } |
120 | ||
62e10065 | 121 | if (!ERRNO_IS_NOT_SUPPORTED(errno) && !IN_SET(errno, EINVAL, EPERM)) /* FAT returns EPERM on link()… */ |
f4f15635 LP |
122 | return -errno; |
123 | ||
2aed63f4 | 124 | /* OK, neither RENAME_NOREPLACE nor linkat()+unlinkat() worked. Let's then fall back to the racy TOCTOU |
2f15b625 LP |
125 | * vulnerable accessat(F_OK) check followed by classic, replacing renameat(), we have nothing better. */ |
126 | ||
127 | if (faccessat(newdirfd, newpath, F_OK, AT_SYMLINK_NOFOLLOW) >= 0) | |
128 | return -EEXIST; | |
129 | if (errno != ENOENT) | |
130 | return -errno; | |
131 | ||
132 | if (renameat(olddirfd, oldpath, newdirfd, newpath) < 0) | |
f4f15635 | 133 | return -errno; |
f4f15635 LP |
134 | |
135 | return 0; | |
136 | } | |
137 | ||
138 | int readlinkat_malloc(int fd, const char *p, char **ret) { | |
db220032 | 139 | size_t l = PATH_MAX; |
f4f15635 LP |
140 | |
141 | assert(p); | |
142 | assert(ret); | |
143 | ||
144 | for (;;) { | |
db220032 | 145 | _cleanup_free_ char *c = NULL; |
f4f15635 LP |
146 | ssize_t n; |
147 | ||
db220032 | 148 | c = new(char, l+1); |
f4f15635 LP |
149 | if (!c) |
150 | return -ENOMEM; | |
151 | ||
db220032 LP |
152 | n = readlinkat(fd, p, c, l); |
153 | if (n < 0) | |
154 | return -errno; | |
f4f15635 | 155 | |
db220032 | 156 | if ((size_t) n < l) { |
f4f15635 | 157 | c[n] = 0; |
db220032 | 158 | *ret = TAKE_PTR(c); |
f4f15635 LP |
159 | return 0; |
160 | } | |
161 | ||
db220032 LP |
162 | if (l > (SSIZE_MAX-1)/2) /* readlinkat() returns an ssize_t, and we want an extra byte for a |
163 | * trailing NUL, hence do an overflow check relative to SSIZE_MAX-1 | |
164 | * here */ | |
165 | return -EFBIG; | |
166 | ||
f4f15635 LP |
167 | l *= 2; |
168 | } | |
169 | } | |
170 | ||
171 | int readlink_malloc(const char *p, char **ret) { | |
172 | return readlinkat_malloc(AT_FDCWD, p, ret); | |
173 | } | |
174 | ||
175 | int readlink_value(const char *p, char **ret) { | |
176 | _cleanup_free_ char *link = NULL; | |
177 | char *value; | |
178 | int r; | |
179 | ||
180 | r = readlink_malloc(p, &link); | |
181 | if (r < 0) | |
182 | return r; | |
183 | ||
184 | value = basename(link); | |
185 | if (!value) | |
186 | return -ENOENT; | |
187 | ||
188 | value = strdup(value); | |
189 | if (!value) | |
190 | return -ENOMEM; | |
191 | ||
192 | *ret = value; | |
193 | ||
194 | return 0; | |
195 | } | |
196 | ||
197 | int readlink_and_make_absolute(const char *p, char **r) { | |
198 | _cleanup_free_ char *target = NULL; | |
199 | char *k; | |
200 | int j; | |
201 | ||
202 | assert(p); | |
203 | assert(r); | |
204 | ||
205 | j = readlink_malloc(p, &target); | |
206 | if (j < 0) | |
207 | return j; | |
208 | ||
209 | k = file_in_same_dir(p, target); | |
210 | if (!k) | |
211 | return -ENOMEM; | |
212 | ||
213 | *r = k; | |
214 | return 0; | |
215 | } | |
216 | ||
f4f15635 | 217 | int chmod_and_chown(const char *path, mode_t mode, uid_t uid, gid_t gid) { |
de321f52 | 218 | _cleanup_close_ int fd = -1; |
30ff18d8 | 219 | |
f4f15635 LP |
220 | assert(path); |
221 | ||
30ff18d8 LP |
222 | fd = open(path, O_PATH|O_CLOEXEC|O_NOFOLLOW); /* Let's acquire an O_PATH fd, as precaution to change |
223 | * mode/owner on the same file */ | |
de321f52 LP |
224 | if (fd < 0) |
225 | return -errno; | |
226 | ||
2dbb7e94 | 227 | return fchmod_and_chown(fd, mode, uid, gid); |
b8da477e YW |
228 | } |
229 | ||
0520564d | 230 | int fchmod_and_chown_with_fallback(int fd, const char *path, mode_t mode, uid_t uid, gid_t gid) { |
2dbb7e94 | 231 | bool do_chown, do_chmod; |
30ff18d8 | 232 | struct stat st; |
dee00c19 | 233 | int r; |
30ff18d8 | 234 | |
2dbb7e94 LP |
235 | /* Change ownership and access mode of the specified fd. Tries to do so safely, ensuring that at no |
236 | * point in time the access mode is above the old access mode under the old ownership or the new | |
237 | * access mode under the new ownership. Note: this call tries hard to leave the access mode | |
238 | * unaffected if the uid/gid is changed, i.e. it undoes implicit suid/sgid dropping the kernel does | |
239 | * on chown(). | |
240 | * | |
0520564d ZJS |
241 | * This call is happy with O_PATH fds. |
242 | * | |
243 | * If path is given, allow a fallback path which does not use /proc/self/fd/. On any normal system | |
244 | * /proc will be mounted, but in certain improperly assembled environments it might not be. This is | |
245 | * less secure (potential TOCTOU), so should only be used after consideration. */ | |
b8da477e | 246 | |
71ec74d1 | 247 | if (fstat(fd, &st) < 0) |
2dbb7e94 | 248 | return -errno; |
de321f52 | 249 | |
2dbb7e94 LP |
250 | do_chown = |
251 | (uid != UID_INVALID && st.st_uid != uid) || | |
252 | (gid != GID_INVALID && st.st_gid != gid); | |
de321f52 | 253 | |
2dbb7e94 LP |
254 | do_chmod = |
255 | !S_ISLNK(st.st_mode) && /* chmod is not defined on symlinks */ | |
256 | ((mode != MODE_INVALID && ((st.st_mode ^ mode) & 07777) != 0) || | |
257 | do_chown); /* If we change ownership, make sure we reset the mode afterwards, since chown() | |
258 | * modifies the access mode too */ | |
30ff18d8 | 259 | |
2dbb7e94 LP |
260 | if (mode == MODE_INVALID) |
261 | mode = st.st_mode; /* If we only shall do a chown(), save original mode, since chown() might break it. */ | |
262 | else if ((mode & S_IFMT) != 0 && ((mode ^ st.st_mode) & S_IFMT) != 0) | |
263 | return -EINVAL; /* insist on the right file type if it was specified */ | |
de321f52 | 264 | |
2dbb7e94 LP |
265 | if (do_chown && do_chmod) { |
266 | mode_t minimal = st.st_mode & mode; /* the subset of the old and the new mask */ | |
30ff18d8 | 267 | |
dee00c19 LP |
268 | if (((minimal ^ st.st_mode) & 07777) != 0) { |
269 | r = fchmod_opath(fd, minimal & 07777); | |
0520564d ZJS |
270 | if (r < 0) { |
271 | if (!path || r != -ENOSYS) | |
272 | return r; | |
273 | ||
274 | /* Fallback path which doesn't use /proc/self/fd/. */ | |
275 | if (chmod(path, minimal & 07777) < 0) | |
276 | return -errno; | |
277 | } | |
dee00c19 | 278 | } |
de321f52 | 279 | } |
b8da477e | 280 | |
2dbb7e94 | 281 | if (do_chown) |
71ec74d1 | 282 | if (fchownat(fd, "", uid, gid, AT_EMPTY_PATH) < 0) |
2dbb7e94 | 283 | return -errno; |
30ff18d8 | 284 | |
dee00c19 LP |
285 | if (do_chmod) { |
286 | r = fchmod_opath(fd, mode & 07777); | |
0520564d ZJS |
287 | if (r < 0) { |
288 | if (!path || r != -ENOSYS) | |
289 | return r; | |
290 | ||
291 | /* Fallback path which doesn't use /proc/self/fd/. */ | |
292 | if (chmod(path, mode & 07777) < 0) | |
293 | return -errno; | |
294 | } | |
dee00c19 | 295 | } |
30ff18d8 | 296 | |
2dbb7e94 | 297 | return do_chown || do_chmod; |
f4f15635 LP |
298 | } |
299 | ||
f4f15635 LP |
300 | int fchmod_umask(int fd, mode_t m) { |
301 | mode_t u; | |
302 | int r; | |
303 | ||
304 | u = umask(0777); | |
305 | r = fchmod(fd, m & (~u)) < 0 ? -errno : 0; | |
306 | umask(u); | |
307 | ||
308 | return r; | |
309 | } | |
310 | ||
4dfaa528 | 311 | int fchmod_opath(int fd, mode_t m) { |
22dd8d35 | 312 | char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)]; |
4dfaa528 FB |
313 | |
314 | /* This function operates also on fd that might have been opened with | |
315 | * O_PATH. Indeed fchmodat() doesn't have the AT_EMPTY_PATH flag like | |
316 | * fchownat() does. */ | |
317 | ||
318 | xsprintf(procfs_path, "/proc/self/fd/%i", fd); | |
f8606626 LP |
319 | if (chmod(procfs_path, m) < 0) { |
320 | if (errno != ENOENT) | |
321 | return -errno; | |
322 | ||
323 | if (proc_mounted() == 0) | |
324 | return -ENOSYS; /* if we have no /proc/, the concept is not implementable */ | |
325 | ||
326 | return -ENOENT; | |
327 | } | |
4dfaa528 FB |
328 | |
329 | return 0; | |
330 | } | |
331 | ||
f25bff5e LP |
332 | int futimens_opath(int fd, const struct timespec ts[2]) { |
333 | char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)]; | |
334 | ||
335 | /* Similar to fchmod_path() but for futimens() */ | |
336 | ||
337 | xsprintf(procfs_path, "/proc/self/fd/%i", fd); | |
338 | if (utimensat(AT_FDCWD, procfs_path, ts, 0) < 0) { | |
339 | if (errno != ENOENT) | |
340 | return -errno; | |
341 | ||
342 | if (proc_mounted() == 0) | |
343 | return -ENOSYS; /* if we have no /proc/, the concept is not implementable */ | |
344 | ||
345 | return -ENOENT; | |
346 | } | |
347 | ||
348 | return 0; | |
349 | } | |
350 | ||
22ed4a6d LP |
351 | int stat_warn_permissions(const char *path, const struct stat *st) { |
352 | assert(path); | |
353 | assert(st); | |
f4f15635 | 354 | |
b6cceaae | 355 | /* Don't complain if we are reading something that is not a file, for example /dev/null */ |
22ed4a6d | 356 | if (!S_ISREG(st->st_mode)) |
b6cceaae LP |
357 | return 0; |
358 | ||
22ed4a6d | 359 | if (st->st_mode & 0111) |
f4f15635 LP |
360 | log_warning("Configuration file %s is marked executable. Please remove executable permission bits. Proceeding anyway.", path); |
361 | ||
22ed4a6d | 362 | if (st->st_mode & 0002) |
f4f15635 LP |
363 | log_warning("Configuration file %s is marked world-writable. Please remove world writability permission bits. Proceeding anyway.", path); |
364 | ||
22ed4a6d | 365 | if (getpid_cached() == 1 && (st->st_mode & 0044) != 0044) |
f4f15635 LP |
366 | log_warning("Configuration file %s is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.", path); |
367 | ||
368 | return 0; | |
369 | } | |
370 | ||
22ed4a6d LP |
371 | int fd_warn_permissions(const char *path, int fd) { |
372 | struct stat st; | |
373 | ||
374 | assert(path); | |
375 | assert(fd >= 0); | |
376 | ||
377 | if (fstat(fd, &st) < 0) | |
378 | return -errno; | |
379 | ||
380 | return stat_warn_permissions(path, &st); | |
381 | } | |
382 | ||
f4f15635 | 383 | int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode) { |
9e3fa6e8 LP |
384 | char fdpath[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)]; |
385 | _cleanup_close_ int fd = -1; | |
386 | int r, ret = 0; | |
f4f15635 LP |
387 | |
388 | assert(path); | |
389 | ||
9e3fa6e8 LP |
390 | /* Note that touch_file() does not follow symlinks: if invoked on an existing symlink, then it is the symlink |
391 | * itself which is updated, not its target | |
392 | * | |
393 | * Returns the first error we encounter, but tries to apply as much as possible. */ | |
f4f15635 | 394 | |
9e3fa6e8 LP |
395 | if (parents) |
396 | (void) mkdir_parents(path, 0755); | |
397 | ||
398 | /* Initially, we try to open the node with O_PATH, so that we get a reference to the node. This is useful in | |
399 | * case the path refers to an existing device or socket node, as we can open it successfully in all cases, and | |
400 | * won't trigger any driver magic or so. */ | |
401 | fd = open(path, O_PATH|O_CLOEXEC|O_NOFOLLOW); | |
402 | if (fd < 0) { | |
403 | if (errno != ENOENT) | |
f4f15635 | 404 | return -errno; |
f4f15635 | 405 | |
9e3fa6e8 LP |
406 | /* if the node doesn't exist yet, we create it, but with O_EXCL, so that we only create a regular file |
407 | * here, and nothing else */ | |
408 | fd = open(path, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, IN_SET(mode, 0, MODE_INVALID) ? 0644 : mode); | |
409 | if (fd < 0) | |
f4f15635 LP |
410 | return -errno; |
411 | } | |
412 | ||
9e3fa6e8 LP |
413 | /* Let's make a path from the fd, and operate on that. With this logic, we can adjust the access mode, |
414 | * ownership and time of the file node in all cases, even if the fd refers to an O_PATH object — which is | |
415 | * something fchown(), fchmod(), futimensat() don't allow. */ | |
416 | xsprintf(fdpath, "/proc/self/fd/%i", fd); | |
417 | ||
4b3b5bc7 | 418 | ret = fchmod_and_chown(fd, mode, uid, gid); |
9e3fa6e8 | 419 | |
f4f15635 LP |
420 | if (stamp != USEC_INFINITY) { |
421 | struct timespec ts[2]; | |
422 | ||
423 | timespec_store(&ts[0], stamp); | |
424 | ts[1] = ts[0]; | |
9e3fa6e8 | 425 | r = utimensat(AT_FDCWD, fdpath, ts, 0); |
f4f15635 | 426 | } else |
9e3fa6e8 LP |
427 | r = utimensat(AT_FDCWD, fdpath, NULL, 0); |
428 | if (r < 0 && ret >= 0) | |
f4f15635 LP |
429 | return -errno; |
430 | ||
9e3fa6e8 | 431 | return ret; |
f4f15635 LP |
432 | } |
433 | ||
434 | int touch(const char *path) { | |
ee735086 | 435 | return touch_file(path, false, USEC_INFINITY, UID_INVALID, GID_INVALID, MODE_INVALID); |
f4f15635 LP |
436 | } |
437 | ||
6c9c51e5 YW |
438 | int symlink_idempotent(const char *from, const char *to, bool make_relative) { |
439 | _cleanup_free_ char *relpath = NULL; | |
f4f15635 LP |
440 | int r; |
441 | ||
442 | assert(from); | |
443 | assert(to); | |
444 | ||
6c9c51e5 YW |
445 | if (make_relative) { |
446 | _cleanup_free_ char *parent = NULL; | |
447 | ||
9813d835 LP |
448 | r = path_extract_directory(to, &parent); |
449 | if (r < 0) | |
450 | return r; | |
6c9c51e5 YW |
451 | |
452 | r = path_make_relative(parent, from, &relpath); | |
453 | if (r < 0) | |
454 | return r; | |
455 | ||
456 | from = relpath; | |
457 | } | |
458 | ||
f4f15635 | 459 | if (symlink(from, to) < 0) { |
77b79723 LP |
460 | _cleanup_free_ char *p = NULL; |
461 | ||
f4f15635 LP |
462 | if (errno != EEXIST) |
463 | return -errno; | |
464 | ||
465 | r = readlink_malloc(to, &p); | |
77b79723 LP |
466 | if (r == -EINVAL) /* Not a symlink? In that case return the original error we encountered: -EEXIST */ |
467 | return -EEXIST; | |
468 | if (r < 0) /* Any other error? In that case propagate it as is */ | |
f4f15635 LP |
469 | return r; |
470 | ||
77b79723 LP |
471 | if (!streq(p, from)) /* Not the symlink we want it to be? In that case, propagate the original -EEXIST */ |
472 | return -EEXIST; | |
f4f15635 LP |
473 | } |
474 | ||
475 | return 0; | |
476 | } | |
477 | ||
478 | int symlink_atomic(const char *from, const char *to) { | |
479 | _cleanup_free_ char *t = NULL; | |
480 | int r; | |
481 | ||
482 | assert(from); | |
483 | assert(to); | |
484 | ||
485 | r = tempfn_random(to, NULL, &t); | |
486 | if (r < 0) | |
487 | return r; | |
488 | ||
489 | if (symlink(from, t) < 0) | |
490 | return -errno; | |
491 | ||
492 | if (rename(t, to) < 0) { | |
493 | unlink_noerrno(t); | |
494 | return -errno; | |
495 | } | |
496 | ||
497 | return 0; | |
498 | } | |
499 | ||
500 | int mknod_atomic(const char *path, mode_t mode, dev_t dev) { | |
501 | _cleanup_free_ char *t = NULL; | |
502 | int r; | |
503 | ||
504 | assert(path); | |
505 | ||
506 | r = tempfn_random(path, NULL, &t); | |
507 | if (r < 0) | |
508 | return r; | |
509 | ||
510 | if (mknod(t, mode, dev) < 0) | |
511 | return -errno; | |
512 | ||
513 | if (rename(t, path) < 0) { | |
514 | unlink_noerrno(t); | |
515 | return -errno; | |
516 | } | |
517 | ||
518 | return 0; | |
519 | } | |
520 | ||
521 | int mkfifo_atomic(const char *path, mode_t mode) { | |
522 | _cleanup_free_ char *t = NULL; | |
523 | int r; | |
524 | ||
525 | assert(path); | |
526 | ||
527 | r = tempfn_random(path, NULL, &t); | |
528 | if (r < 0) | |
529 | return r; | |
530 | ||
531 | if (mkfifo(t, mode) < 0) | |
532 | return -errno; | |
533 | ||
534 | if (rename(t, path) < 0) { | |
4fe3828c FB |
535 | unlink_noerrno(t); |
536 | return -errno; | |
537 | } | |
538 | ||
539 | return 0; | |
540 | } | |
541 | ||
542 | int mkfifoat_atomic(int dirfd, const char *path, mode_t mode) { | |
543 | _cleanup_free_ char *t = NULL; | |
544 | int r; | |
545 | ||
546 | assert(path); | |
547 | ||
548 | if (path_is_absolute(path)) | |
549 | return mkfifo_atomic(path, mode); | |
550 | ||
551 | /* We're only interested in the (random) filename. */ | |
552 | r = tempfn_random_child("", NULL, &t); | |
553 | if (r < 0) | |
554 | return r; | |
555 | ||
556 | if (mkfifoat(dirfd, t, mode) < 0) | |
557 | return -errno; | |
558 | ||
559 | if (renameat(dirfd, t, dirfd, path) < 0) { | |
f4f15635 LP |
560 | unlink_noerrno(t); |
561 | return -errno; | |
562 | } | |
563 | ||
564 | return 0; | |
565 | } | |
566 | ||
567 | int get_files_in_directory(const char *path, char ***list) { | |
319a4f4b | 568 | _cleanup_strv_free_ char **l = NULL; |
f4f15635 | 569 | _cleanup_closedir_ DIR *d = NULL; |
8fb3f009 | 570 | struct dirent *de; |
319a4f4b | 571 | size_t n = 0; |
f4f15635 LP |
572 | |
573 | assert(path); | |
574 | ||
575 | /* Returns all files in a directory in *list, and the number | |
576 | * of files as return value. If list is NULL returns only the | |
577 | * number. */ | |
578 | ||
579 | d = opendir(path); | |
580 | if (!d) | |
581 | return -errno; | |
582 | ||
8fb3f009 | 583 | FOREACH_DIRENT_ALL(de, d, return -errno) { |
f4f15635 LP |
584 | dirent_ensure_type(d, de); |
585 | ||
586 | if (!dirent_is_file(de)) | |
587 | continue; | |
588 | ||
589 | if (list) { | |
590 | /* one extra slot is needed for the terminating NULL */ | |
319a4f4b | 591 | if (!GREEDY_REALLOC(l, n + 2)) |
f4f15635 LP |
592 | return -ENOMEM; |
593 | ||
594 | l[n] = strdup(de->d_name); | |
595 | if (!l[n]) | |
596 | return -ENOMEM; | |
597 | ||
598 | l[++n] = NULL; | |
599 | } else | |
600 | n++; | |
601 | } | |
602 | ||
ae2a15bc LP |
603 | if (list) |
604 | *list = TAKE_PTR(l); | |
f4f15635 LP |
605 | |
606 | return n; | |
607 | } | |
430fbf8e | 608 | |
992e8f22 LP |
609 | static int getenv_tmp_dir(const char **ret_path) { |
610 | const char *n; | |
611 | int r, ret = 0; | |
34a8f081 | 612 | |
992e8f22 | 613 | assert(ret_path); |
34a8f081 | 614 | |
992e8f22 LP |
615 | /* We use the same order of environment variables python uses in tempfile.gettempdir(): |
616 | * https://docs.python.org/3/library/tempfile.html#tempfile.gettempdir */ | |
617 | FOREACH_STRING(n, "TMPDIR", "TEMP", "TMP") { | |
618 | const char *e; | |
619 | ||
620 | e = secure_getenv(n); | |
621 | if (!e) | |
622 | continue; | |
623 | if (!path_is_absolute(e)) { | |
624 | r = -ENOTDIR; | |
625 | goto next; | |
626 | } | |
99be45a4 | 627 | if (!path_is_normalized(e)) { |
992e8f22 LP |
628 | r = -EPERM; |
629 | goto next; | |
630 | } | |
631 | ||
632 | r = is_dir(e, true); | |
633 | if (r < 0) | |
634 | goto next; | |
635 | if (r == 0) { | |
636 | r = -ENOTDIR; | |
637 | goto next; | |
638 | } | |
639 | ||
640 | *ret_path = e; | |
641 | return 1; | |
642 | ||
643 | next: | |
644 | /* Remember first error, to make this more debuggable */ | |
645 | if (ret >= 0) | |
646 | ret = r; | |
34a8f081 OW |
647 | } |
648 | ||
992e8f22 LP |
649 | if (ret < 0) |
650 | return ret; | |
34a8f081 | 651 | |
992e8f22 LP |
652 | *ret_path = NULL; |
653 | return ret; | |
654 | } | |
34a8f081 | 655 | |
992e8f22 LP |
656 | static int tmp_dir_internal(const char *def, const char **ret) { |
657 | const char *e; | |
658 | int r, k; | |
659 | ||
660 | assert(def); | |
661 | assert(ret); | |
662 | ||
663 | r = getenv_tmp_dir(&e); | |
664 | if (r > 0) { | |
665 | *ret = e; | |
666 | return 0; | |
667 | } | |
668 | ||
669 | k = is_dir(def, true); | |
670 | if (k == 0) | |
671 | k = -ENOTDIR; | |
672 | if (k < 0) | |
673 | return r < 0 ? r : k; | |
674 | ||
675 | *ret = def; | |
34a8f081 OW |
676 | return 0; |
677 | } | |
678 | ||
992e8f22 LP |
679 | int var_tmp_dir(const char **ret) { |
680 | ||
681 | /* Returns the location for "larger" temporary files, that is backed by physical storage if available, and thus | |
682 | * even might survive a boot: /var/tmp. If $TMPDIR (or related environment variables) are set, its value is | |
683 | * returned preferably however. Note that both this function and tmp_dir() below are affected by $TMPDIR, | |
684 | * making it a variable that overrides all temporary file storage locations. */ | |
685 | ||
686 | return tmp_dir_internal("/var/tmp", ret); | |
687 | } | |
688 | ||
689 | int tmp_dir(const char **ret) { | |
690 | ||
691 | /* Similar to var_tmp_dir() above, but returns the location for "smaller" temporary files, which is usually | |
692 | * backed by an in-memory file system: /tmp. */ | |
693 | ||
694 | return tmp_dir_internal("/tmp", ret); | |
695 | } | |
696 | ||
af229d7a ZJS |
697 | int unlink_or_warn(const char *filename) { |
698 | if (unlink(filename) < 0 && errno != ENOENT) | |
699 | /* If the file doesn't exist and the fs simply was read-only (in which | |
700 | * case unlink() returns EROFS even if the file doesn't exist), don't | |
701 | * complain */ | |
702 | if (errno != EROFS || access(filename, F_OK) >= 0) | |
703 | return log_error_errno(errno, "Failed to remove \"%s\": %m", filename); | |
704 | ||
705 | return 0; | |
706 | } | |
707 | ||
430fbf8e | 708 | int inotify_add_watch_fd(int fd, int what, uint32_t mask) { |
fbd0b64f | 709 | char path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1]; |
f6f4f5fe | 710 | int wd; |
430fbf8e LP |
711 | |
712 | /* This is like inotify_add_watch(), except that the file to watch is not referenced by a path, but by an fd */ | |
713 | xsprintf(path, "/proc/self/fd/%i", what); | |
714 | ||
f6f4f5fe BP |
715 | wd = inotify_add_watch(fd, path, mask); |
716 | if (wd < 0) | |
430fbf8e LP |
717 | return -errno; |
718 | ||
f6f4f5fe | 719 | return wd; |
430fbf8e | 720 | } |
d944dc95 | 721 | |
27c3112d | 722 | int inotify_add_watch_and_warn(int fd, const char *pathname, uint32_t mask) { |
f6f4f5fe | 723 | int wd; |
27c3112d | 724 | |
f6f4f5fe BP |
725 | wd = inotify_add_watch(fd, pathname, mask); |
726 | if (wd < 0) { | |
27c3112d | 727 | if (errno == ENOSPC) |
fe573a79 | 728 | return log_error_errno(errno, "Failed to add a watch for %s: inotify watch limit reached", pathname); |
27c3112d | 729 | |
fe573a79 | 730 | return log_error_errno(errno, "Failed to add a watch for %s: %m", pathname); |
27c3112d FB |
731 | } |
732 | ||
f6f4f5fe | 733 | return wd; |
27c3112d FB |
734 | } |
735 | ||
b85ee2ec | 736 | static bool unsafe_transition(const struct stat *a, const struct stat *b) { |
f14f1806 LP |
737 | /* Returns true if the transition from a to b is safe, i.e. that we never transition from unprivileged to |
738 | * privileged files or directories. Why bother? So that unprivileged code can't symlink to privileged files | |
739 | * making us believe we read something safe even though it isn't safe in the specific context we open it in. */ | |
740 | ||
741 | if (a->st_uid == 0) /* Transitioning from privileged to unprivileged is always fine */ | |
b85ee2ec | 742 | return false; |
f14f1806 | 743 | |
b85ee2ec | 744 | return a->st_uid != b->st_uid; /* Otherwise we need to stay within the same UID */ |
f14f1806 LP |
745 | } |
746 | ||
fd74c6f3 FB |
747 | static int log_unsafe_transition(int a, int b, const char *path, unsigned flags) { |
748 | _cleanup_free_ char *n1 = NULL, *n2 = NULL; | |
749 | ||
750 | if (!FLAGS_SET(flags, CHASE_WARN)) | |
36c97dec | 751 | return -ENOLINK; |
fd74c6f3 FB |
752 | |
753 | (void) fd_get_path(a, &n1); | |
754 | (void) fd_get_path(b, &n2); | |
755 | ||
36c97dec | 756 | return log_warning_errno(SYNTHETIC_ERRNO(ENOLINK), |
fd74c6f3 | 757 | "Detected unsafe path transition %s %s %s during canonicalization of %s.", |
48d837cd | 758 | strna(n1), special_glyph(SPECIAL_GLYPH_ARROW), strna(n2), path); |
fd74c6f3 FB |
759 | } |
760 | ||
145b8d0f FB |
761 | static int log_autofs_mount_point(int fd, const char *path, unsigned flags) { |
762 | _cleanup_free_ char *n1 = NULL; | |
763 | ||
764 | if (!FLAGS_SET(flags, CHASE_WARN)) | |
765 | return -EREMOTE; | |
766 | ||
767 | (void) fd_get_path(fd, &n1); | |
768 | ||
769 | return log_warning_errno(SYNTHETIC_ERRNO(EREMOTE), | |
770 | "Detected autofs mount point %s during canonicalization of %s.", | |
48d837cd | 771 | strna(n1), path); |
f14f1806 LP |
772 | } |
773 | ||
a5648b80 | 774 | int chase_symlinks(const char *path, const char *original_root, unsigned flags, char **ret_path, int *ret_fd) { |
d944dc95 LP |
775 | _cleanup_free_ char *buffer = NULL, *done = NULL, *root = NULL; |
776 | _cleanup_close_ int fd = -1; | |
f10f4215 | 777 | unsigned max_follow = CHASE_SYMLINKS_MAX; /* how many symlinks to follow before giving up and returning ELOOP */ |
39d7af99 | 778 | bool exists = true, append_trail_slash = false; |
f14f1806 | 779 | struct stat previous_stat; |
39d7af99 | 780 | const char *todo; |
d944dc95 LP |
781 | int r; |
782 | ||
783 | assert(path); | |
784 | ||
1ed34d75 | 785 | /* Either the file may be missing, or we return an fd to the final object, but both make no sense */ |
a5648b80 | 786 | if ((flags & CHASE_NONEXISTENT) && ret_fd) |
1ed34d75 LP |
787 | return -EINVAL; |
788 | ||
a5648b80 | 789 | if ((flags & CHASE_STEP) && ret_fd) |
49eb3659 LP |
790 | return -EINVAL; |
791 | ||
a49424af LP |
792 | if (isempty(path)) |
793 | return -EINVAL; | |
794 | ||
d944dc95 LP |
795 | /* This is a lot like canonicalize_file_name(), but takes an additional "root" parameter, that allows following |
796 | * symlinks relative to a root directory, instead of the root of the host. | |
797 | * | |
fc4b68e5 | 798 | * Note that "root" primarily matters if we encounter an absolute symlink. It is also used when following |
c4f4fce7 LP |
799 | * relative symlinks to ensure they cannot be used to "escape" the root directory. The path parameter passed is |
800 | * assumed to be already prefixed by it, except if the CHASE_PREFIX_ROOT flag is set, in which case it is first | |
801 | * prefixed accordingly. | |
d944dc95 LP |
802 | * |
803 | * Algorithmically this operates on two path buffers: "done" are the components of the path we already | |
804 | * processed and resolved symlinks, "." and ".." of. "todo" are the components of the path we still need to | |
805 | * process. On each iteration, we move one component from "todo" to "done", processing it's special meaning | |
806 | * each time. The "todo" path always starts with at least one slash, the "done" path always ends in no | |
807 | * slash. We always keep an O_PATH fd to the component we are currently processing, thus keeping lookup races | |
4293c32b | 808 | * to a minimum. |
fc4b68e5 LP |
809 | * |
810 | * Suggested usage: whenever you want to canonicalize a path, use this function. Pass the absolute path you got | |
811 | * as-is: fully qualified and relative to your host's root. Optionally, specify the root parameter to tell this | |
812 | * function what to do when encountering a symlink with an absolute path as directory: prefix it by the | |
49eb3659 LP |
813 | * specified path. |
814 | * | |
a5648b80 | 815 | * There are five ways to invoke this function: |
49eb3659 | 816 | * |
a5648b80 ZJS |
817 | * 1. Without CHASE_STEP or ret_fd: in this case the path is resolved and the normalized path is |
818 | * returned in `ret_path`. The return value is < 0 on error. If CHASE_NONEXISTENT is also set, 0 | |
819 | * is returned if the file doesn't exist, > 0 otherwise. If CHASE_NONEXISTENT is not set, >= 0 is | |
820 | * returned if the destination was found, -ENOENT if it wasn't. | |
49eb3659 | 821 | * |
a5648b80 | 822 | * 2. With ret_fd: in this case the destination is opened after chasing it as O_PATH and this file |
49eb3659 LP |
823 | * descriptor is returned as return value. This is useful to open files relative to some root |
824 | * directory. Note that the returned O_PATH file descriptors must be converted into a regular one (using | |
a5648b80 | 825 | * fd_reopen() or such) before it can be used for reading/writing. ret_fd may not be combined with |
49eb3659 LP |
826 | * CHASE_NONEXISTENT. |
827 | * | |
828 | * 3. With CHASE_STEP: in this case only a single step of the normalization is executed, i.e. only the first | |
829 | * symlink or ".." component of the path is resolved, and the resulting path is returned. This is useful if | |
d51c4fca | 830 | * a caller wants to trace the path through the file system verbosely. Returns < 0 on error, > 0 if the |
49eb3659 LP |
831 | * path is fully normalized, and == 0 for each normalization step. This may be combined with |
832 | * CHASE_NONEXISTENT, in which case 1 is returned when a component is not found. | |
833 | * | |
36c97dec FB |
834 | * 4. With CHASE_SAFE: in this case the path must not contain unsafe transitions, i.e. transitions from |
835 | * unprivileged to privileged files or directories. In such cases the return value is -ENOLINK. If | |
4293c32b | 836 | * CHASE_WARN is also set, a warning describing the unsafe transition is emitted. |
36c97dec | 837 | * |
4293c32b ZJS |
838 | * 5. With CHASE_NO_AUTOFS: in this case if an autofs mount point is encountered, path normalization |
839 | * is aborted and -EREMOTE is returned. If CHASE_WARN is also set, a warning showing the path of | |
840 | * the mount point is emitted. | |
4293c32b | 841 | */ |
d944dc95 | 842 | |
22bc57c5 | 843 | /* A root directory of "/" or "" is identical to none */ |
57ea45e1 | 844 | if (empty_or_root(original_root)) |
22bc57c5 | 845 | original_root = NULL; |
b1bfb848 | 846 | |
a5648b80 ZJS |
847 | if (!original_root && !ret_path && !(flags & (CHASE_NONEXISTENT|CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_STEP)) && ret_fd) { |
848 | /* Shortcut the ret_fd case if the caller isn't interested in the actual path and has no root set | |
244d2f07 | 849 | * and doesn't care about any of the other special features we provide either. */ |
1f56e4ce | 850 | r = open(path, O_PATH|O_CLOEXEC|((flags & CHASE_NOFOLLOW) ? O_NOFOLLOW : 0)); |
244d2f07 LP |
851 | if (r < 0) |
852 | return -errno; | |
853 | ||
a5648b80 ZJS |
854 | *ret_fd = r; |
855 | return 0; | |
244d2f07 LP |
856 | } |
857 | ||
c4f4fce7 LP |
858 | if (original_root) { |
859 | r = path_make_absolute_cwd(original_root, &root); | |
d944dc95 LP |
860 | if (r < 0) |
861 | return r; | |
c4f4fce7 | 862 | |
47d7ab72 LP |
863 | /* Simplify the root directory, so that it has no duplicate slashes and nothing at the |
864 | * end. While we won't resolve the root path we still simplify it. Note that dropping the | |
865 | * trailing slash should not change behaviour, since when opening it we specify O_DIRECTORY | |
866 | * anyway. Moreover at the end of this function after processing everything we'll always turn | |
867 | * the empty string back to "/". */ | |
868 | delete_trailing_chars(root, "/"); | |
4ff361cc | 869 | path_simplify(root); |
47d7ab72 | 870 | |
382a5078 | 871 | if (flags & CHASE_PREFIX_ROOT) { |
382a5078 LP |
872 | /* We don't support relative paths in combination with a root directory */ |
873 | if (!path_is_absolute(path)) | |
874 | return -EINVAL; | |
875 | ||
c4f4fce7 | 876 | path = prefix_roota(root, path); |
382a5078 | 877 | } |
d944dc95 LP |
878 | } |
879 | ||
c4f4fce7 LP |
880 | r = path_make_absolute_cwd(path, &buffer); |
881 | if (r < 0) | |
882 | return r; | |
883 | ||
c2595d3b | 884 | fd = open(root ?: "/", O_CLOEXEC|O_DIRECTORY|O_PATH); |
d944dc95 LP |
885 | if (fd < 0) |
886 | return -errno; | |
887 | ||
39d7af99 | 888 | if (flags & CHASE_SAFE) |
f14f1806 LP |
889 | if (fstat(fd, &previous_stat) < 0) |
890 | return -errno; | |
f14f1806 | 891 | |
39d7af99 YW |
892 | if (flags & CHASE_TRAIL_SLASH) |
893 | append_trail_slash = endswith(buffer, "/") || endswith(buffer, "/."); | |
c2595d3b | 894 | |
39d7af99 | 895 | if (root) { |
c2595d3b LP |
896 | /* If we are operating on a root directory, let's take the root directory as it is. */ |
897 | ||
39d7af99 YW |
898 | todo = path_startswith(buffer, root); |
899 | if (!todo) | |
c2595d3b LP |
900 | return log_full_errno(flags & CHASE_WARN ? LOG_WARNING : LOG_DEBUG, |
901 | SYNTHETIC_ERRNO(ECHRNG), | |
902 | "Specified path '%s' is outside of specified root directory '%s', refusing to resolve.", | |
903 | path, root); | |
904 | ||
c2595d3b | 905 | done = strdup(root); |
39d7af99 YW |
906 | } else { |
907 | todo = buffer; | |
908 | done = strdup("/"); | |
c2595d3b LP |
909 | } |
910 | ||
d944dc95 LP |
911 | for (;;) { |
912 | _cleanup_free_ char *first = NULL; | |
913 | _cleanup_close_ int child = -1; | |
914 | struct stat st; | |
39d7af99 | 915 | const char *e; |
62570f6f | 916 | |
39d7af99 YW |
917 | r = path_find_first_component(&todo, true, &e); |
918 | if (r < 0) | |
919 | return r; | |
920 | if (r == 0) { /* We reached the end. */ | |
921 | if (append_trail_slash) | |
c2bc710b | 922 | if (!strextend(&done, "/")) |
62570f6f | 923 | return -ENOMEM; |
d944dc95 | 924 | break; |
b12d25a8 | 925 | } |
d944dc95 | 926 | |
39d7af99 YW |
927 | first = strndup(e, r); |
928 | if (!first) | |
929 | return -ENOMEM; | |
d944dc95 LP |
930 | |
931 | /* Two dots? Then chop off the last bit of what we already found out. */ | |
39d7af99 | 932 | if (path_equal(first, "..")) { |
d944dc95 | 933 | _cleanup_free_ char *parent = NULL; |
2b6d2dda | 934 | _cleanup_close_ int fd_parent = -1; |
d944dc95 | 935 | |
a4eaf3cf LP |
936 | /* If we already are at the top, then going up will not change anything. This is in-line with |
937 | * how the kernel handles this. */ | |
57ea45e1 | 938 | if (empty_or_root(done)) |
a4eaf3cf | 939 | continue; |
d944dc95 LP |
940 | |
941 | parent = dirname_malloc(done); | |
942 | if (!parent) | |
943 | return -ENOMEM; | |
944 | ||
a4eaf3cf | 945 | /* Don't allow this to leave the root dir. */ |
d944dc95 LP |
946 | if (root && |
947 | path_startswith(done, root) && | |
948 | !path_startswith(parent, root)) | |
a4eaf3cf | 949 | continue; |
d944dc95 | 950 | |
3b319885 | 951 | free_and_replace(done, parent); |
d944dc95 | 952 | |
49eb3659 LP |
953 | if (flags & CHASE_STEP) |
954 | goto chased_one; | |
955 | ||
d944dc95 LP |
956 | fd_parent = openat(fd, "..", O_CLOEXEC|O_NOFOLLOW|O_PATH); |
957 | if (fd_parent < 0) | |
958 | return -errno; | |
959 | ||
f14f1806 LP |
960 | if (flags & CHASE_SAFE) { |
961 | if (fstat(fd_parent, &st) < 0) | |
962 | return -errno; | |
963 | ||
b85ee2ec | 964 | if (unsafe_transition(&previous_stat, &st)) |
fd74c6f3 | 965 | return log_unsafe_transition(fd, fd_parent, path, flags); |
f14f1806 LP |
966 | |
967 | previous_stat = st; | |
968 | } | |
969 | ||
d944dc95 | 970 | safe_close(fd); |
c10d6bdb | 971 | fd = TAKE_FD(fd_parent); |
d944dc95 LP |
972 | |
973 | continue; | |
974 | } | |
975 | ||
976 | /* Otherwise let's see what this is. */ | |
39d7af99 | 977 | child = openat(fd, first, O_CLOEXEC|O_NOFOLLOW|O_PATH); |
a9fb0867 | 978 | if (child < 0) { |
a9fb0867 | 979 | if (errno == ENOENT && |
cb638b5e | 980 | (flags & CHASE_NONEXISTENT) && |
39d7af99 YW |
981 | (isempty(todo) || path_is_safe(todo))) { |
982 | /* If CHASE_NONEXISTENT is set, and the path does not exist, then | |
983 | * that's OK, return what we got so far. But don't allow this if the | |
984 | * remaining path contains "../" or something else weird. */ | |
a1904a46 | 985 | |
39d7af99 | 986 | if (!path_extend(&done, first, todo)) |
a9fb0867 LP |
987 | return -ENOMEM; |
988 | ||
989 | exists = false; | |
990 | break; | |
991 | } | |
992 | ||
d944dc95 | 993 | return -errno; |
a9fb0867 | 994 | } |
d944dc95 LP |
995 | |
996 | if (fstat(child, &st) < 0) | |
997 | return -errno; | |
f14f1806 | 998 | if ((flags & CHASE_SAFE) && |
b85ee2ec | 999 | unsafe_transition(&previous_stat, &st)) |
fd74c6f3 | 1000 | return log_unsafe_transition(fd, child, path, flags); |
f14f1806 LP |
1001 | |
1002 | previous_stat = st; | |
1003 | ||
655f2da0 | 1004 | if ((flags & CHASE_NO_AUTOFS) && |
a66fee2e | 1005 | fd_is_fs_type(child, AUTOFS_SUPER_MAGIC) > 0) |
145b8d0f | 1006 | return log_autofs_mount_point(child, path, flags); |
d944dc95 | 1007 | |
1f56e4ce | 1008 | if (S_ISLNK(st.st_mode) && !((flags & CHASE_NOFOLLOW) && isempty(todo))) { |
d944dc95 LP |
1009 | _cleanup_free_ char *destination = NULL; |
1010 | ||
39d7af99 YW |
1011 | /* This is a symlink, in this case read the destination. But let's make sure we |
1012 | * don't follow symlinks without bounds. */ | |
d944dc95 LP |
1013 | if (--max_follow <= 0) |
1014 | return -ELOOP; | |
1015 | ||
39d7af99 | 1016 | r = readlinkat_malloc(fd, first, &destination); |
d944dc95 LP |
1017 | if (r < 0) |
1018 | return r; | |
1019 | if (isempty(destination)) | |
1020 | return -EINVAL; | |
1021 | ||
1022 | if (path_is_absolute(destination)) { | |
1023 | ||
1024 | /* An absolute destination. Start the loop from the beginning, but use the root | |
1025 | * directory as base. */ | |
1026 | ||
1027 | safe_close(fd); | |
c2595d3b | 1028 | fd = open(root ?: "/", O_CLOEXEC|O_DIRECTORY|O_PATH); |
d944dc95 LP |
1029 | if (fd < 0) |
1030 | return -errno; | |
1031 | ||
f14f1806 LP |
1032 | if (flags & CHASE_SAFE) { |
1033 | if (fstat(fd, &st) < 0) | |
1034 | return -errno; | |
1035 | ||
b85ee2ec | 1036 | if (unsafe_transition(&previous_stat, &st)) |
fd74c6f3 | 1037 | return log_unsafe_transition(child, fd, path, flags); |
f14f1806 LP |
1038 | |
1039 | previous_stat = st; | |
1040 | } | |
1041 | ||
d944dc95 | 1042 | /* Note that we do not revalidate the root, we take it as is. */ |
39d7af99 YW |
1043 | r = free_and_strdup(&done, empty_to_root(root)); |
1044 | if (r < 0) | |
1045 | return r; | |
1046 | } | |
d944dc95 | 1047 | |
39d7af99 YW |
1048 | /* Prefix what's left to do with what we just read, and start the loop again, but |
1049 | * remain in the current directory. */ | |
1050 | if (!path_extend(&destination, todo)) | |
877777d7 | 1051 | return -ENOMEM; |
d944dc95 | 1052 | |
39d7af99 YW |
1053 | free_and_replace(buffer, destination); |
1054 | todo = buffer; | |
d944dc95 | 1055 | |
49eb3659 LP |
1056 | if (flags & CHASE_STEP) |
1057 | goto chased_one; | |
1058 | ||
d944dc95 LP |
1059 | continue; |
1060 | } | |
1061 | ||
1062 | /* If this is not a symlink, then let's just add the name we read to what we already verified. */ | |
39d7af99 YW |
1063 | if (!path_extend(&done, first)) |
1064 | return -ENOMEM; | |
d944dc95 LP |
1065 | |
1066 | /* And iterate again, but go one directory further down. */ | |
1067 | safe_close(fd); | |
c10d6bdb | 1068 | fd = TAKE_FD(child); |
d944dc95 LP |
1069 | } |
1070 | ||
a5648b80 ZJS |
1071 | if (ret_path) |
1072 | *ret_path = TAKE_PTR(done); | |
d944dc95 | 1073 | |
a5648b80 ZJS |
1074 | if (ret_fd) { |
1075 | /* Return the O_PATH fd we currently are looking to the caller. It can translate it to a | |
1076 | * proper fd by opening /proc/self/fd/xyz. */ | |
1ed34d75 LP |
1077 | |
1078 | assert(fd >= 0); | |
a5648b80 | 1079 | *ret_fd = TAKE_FD(fd); |
1ed34d75 LP |
1080 | } |
1081 | ||
49eb3659 LP |
1082 | if (flags & CHASE_STEP) |
1083 | return 1; | |
1084 | ||
a9fb0867 | 1085 | return exists; |
49eb3659 LP |
1086 | |
1087 | chased_one: | |
a5648b80 | 1088 | if (ret_path) { |
39d7af99 | 1089 | const char *e; |
49eb3659 | 1090 | |
39d7af99 YW |
1091 | /* todo may contain slashes at the beginning. */ |
1092 | r = path_find_first_component(&todo, true, &e); | |
1093 | if (r < 0) | |
1094 | return r; | |
1095 | if (r == 0) | |
1096 | *ret_path = TAKE_PTR(done); | |
1097 | else { | |
1098 | char *c; | |
49eb3659 | 1099 | |
39d7af99 YW |
1100 | c = path_join(done, e); |
1101 | if (!c) | |
1102 | return -ENOMEM; | |
1103 | ||
1104 | *ret_path = c; | |
1105 | } | |
49eb3659 LP |
1106 | } |
1107 | ||
1108 | return 0; | |
d944dc95 | 1109 | } |
57a4359e | 1110 | |
21c692e9 LP |
1111 | int chase_symlinks_and_open( |
1112 | const char *path, | |
1113 | const char *root, | |
1114 | unsigned chase_flags, | |
1115 | int open_flags, | |
1116 | char **ret_path) { | |
1117 | ||
1118 | _cleanup_close_ int path_fd = -1; | |
1119 | _cleanup_free_ char *p = NULL; | |
1120 | int r; | |
1121 | ||
1122 | if (chase_flags & CHASE_NONEXISTENT) | |
1123 | return -EINVAL; | |
1124 | ||
57ea45e1 | 1125 | if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) { |
21c692e9 LP |
1126 | /* Shortcut this call if none of the special features of this call are requested */ |
1127 | r = open(path, open_flags); | |
1128 | if (r < 0) | |
1129 | return -errno; | |
1130 | ||
1131 | return r; | |
1132 | } | |
1133 | ||
a5648b80 ZJS |
1134 | r = chase_symlinks(path, root, chase_flags, ret_path ? &p : NULL, &path_fd); |
1135 | if (r < 0) | |
1136 | return r; | |
1137 | assert(path_fd >= 0); | |
21c692e9 LP |
1138 | |
1139 | r = fd_reopen(path_fd, open_flags); | |
1140 | if (r < 0) | |
1141 | return r; | |
1142 | ||
1143 | if (ret_path) | |
1144 | *ret_path = TAKE_PTR(p); | |
1145 | ||
1146 | return r; | |
1147 | } | |
1148 | ||
1149 | int chase_symlinks_and_opendir( | |
1150 | const char *path, | |
1151 | const char *root, | |
1152 | unsigned chase_flags, | |
1153 | char **ret_path, | |
1154 | DIR **ret_dir) { | |
1155 | ||
1156 | char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)]; | |
1157 | _cleanup_close_ int path_fd = -1; | |
1158 | _cleanup_free_ char *p = NULL; | |
1159 | DIR *d; | |
a5648b80 | 1160 | int r; |
21c692e9 LP |
1161 | |
1162 | if (!ret_dir) | |
1163 | return -EINVAL; | |
1164 | if (chase_flags & CHASE_NONEXISTENT) | |
1165 | return -EINVAL; | |
1166 | ||
57ea45e1 | 1167 | if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) { |
21c692e9 LP |
1168 | /* Shortcut this call if none of the special features of this call are requested */ |
1169 | d = opendir(path); | |
1170 | if (!d) | |
1171 | return -errno; | |
1172 | ||
1173 | *ret_dir = d; | |
1174 | return 0; | |
1175 | } | |
1176 | ||
a5648b80 ZJS |
1177 | r = chase_symlinks(path, root, chase_flags, ret_path ? &p : NULL, &path_fd); |
1178 | if (r < 0) | |
1179 | return r; | |
1180 | assert(path_fd >= 0); | |
21c692e9 LP |
1181 | |
1182 | xsprintf(procfs_path, "/proc/self/fd/%i", path_fd); | |
1183 | d = opendir(procfs_path); | |
1184 | if (!d) | |
1185 | return -errno; | |
1186 | ||
1187 | if (ret_path) | |
1188 | *ret_path = TAKE_PTR(p); | |
1189 | ||
1190 | *ret_dir = d; | |
1191 | return 0; | |
1192 | } | |
1193 | ||
d2bcd0ba LP |
1194 | int chase_symlinks_and_stat( |
1195 | const char *path, | |
1196 | const char *root, | |
1197 | unsigned chase_flags, | |
1198 | char **ret_path, | |
a5648b80 ZJS |
1199 | struct stat *ret_stat, |
1200 | int *ret_fd) { | |
d2bcd0ba LP |
1201 | |
1202 | _cleanup_close_ int path_fd = -1; | |
1203 | _cleanup_free_ char *p = NULL; | |
a5648b80 | 1204 | int r; |
d2bcd0ba LP |
1205 | |
1206 | assert(path); | |
1207 | assert(ret_stat); | |
1208 | ||
1209 | if (chase_flags & CHASE_NONEXISTENT) | |
1210 | return -EINVAL; | |
1211 | ||
1212 | if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) { | |
1213 | /* Shortcut this call if none of the special features of this call are requested */ | |
1214 | if (stat(path, ret_stat) < 0) | |
1215 | return -errno; | |
1216 | ||
1217 | return 1; | |
1218 | } | |
1219 | ||
a5648b80 ZJS |
1220 | r = chase_symlinks(path, root, chase_flags, ret_path ? &p : NULL, &path_fd); |
1221 | if (r < 0) | |
1222 | return r; | |
1223 | assert(path_fd >= 0); | |
d2bcd0ba LP |
1224 | |
1225 | if (fstat(path_fd, ret_stat) < 0) | |
1226 | return -errno; | |
1227 | ||
1228 | if (ret_path) | |
1229 | *ret_path = TAKE_PTR(p); | |
a5648b80 ZJS |
1230 | if (ret_fd) |
1231 | *ret_fd = TAKE_FD(path_fd); | |
d2bcd0ba LP |
1232 | |
1233 | return 1; | |
1234 | } | |
1235 | ||
57a4359e | 1236 | int access_fd(int fd, int mode) { |
fbd0b64f | 1237 | char p[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(fd) + 1]; |
57a4359e LP |
1238 | |
1239 | /* Like access() but operates on an already open fd */ | |
1240 | ||
1241 | xsprintf(p, "/proc/self/fd/%i", fd); | |
4265a66a LP |
1242 | if (access(p, mode) < 0) { |
1243 | if (errno != ENOENT) | |
1244 | return -errno; | |
57a4359e | 1245 | |
4265a66a LP |
1246 | /* ENOENT can mean two things: that the fd does not exist or that /proc is not mounted. Let's |
1247 | * make things debuggable and distinguish the two. */ | |
1248 | ||
1249 | if (proc_mounted() == 0) | |
1250 | return -ENOSYS; /* /proc is not available or not set up properly, we're most likely in some chroot | |
1251 | * environment. */ | |
1252 | ||
1253 | return -EBADF; /* The directory exists, hence it's the fd that doesn't. */ | |
1254 | } | |
1255 | ||
1256 | return 0; | |
57a4359e | 1257 | } |
43767d9d | 1258 | |
627d2bac ZJS |
1259 | void unlink_tempfilep(char (*p)[]) { |
1260 | /* If the file is created with mkstemp(), it will (almost always) | |
1261 | * change the suffix. Treat this as a sign that the file was | |
1262 | * successfully created. We ignore both the rare case where the | |
1263 | * original suffix is used and unlink failures. */ | |
1264 | if (!endswith(*p, ".XXXXXX")) | |
69821560 | 1265 | (void) unlink_noerrno(*p); |
627d2bac ZJS |
1266 | } |
1267 | ||
053e0626 | 1268 | int unlinkat_deallocate(int fd, const char *name, UnlinkDeallocateFlags flags) { |
43767d9d LP |
1269 | _cleanup_close_ int truncate_fd = -1; |
1270 | struct stat st; | |
1271 | off_t l, bs; | |
1272 | ||
053e0626 LP |
1273 | assert((flags & ~(UNLINK_REMOVEDIR|UNLINK_ERASE)) == 0); |
1274 | ||
43767d9d LP |
1275 | /* Operates like unlinkat() but also deallocates the file contents if it is a regular file and there's no other |
1276 | * link to it. This is useful to ensure that other processes that might have the file open for reading won't be | |
1277 | * able to keep the data pinned on disk forever. This call is particular useful whenever we execute clean-up | |
1278 | * jobs ("vacuuming"), where we want to make sure the data is really gone and the disk space released and | |
1279 | * returned to the free pool. | |
1280 | * | |
1281 | * Deallocation is preferably done by FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE (👊) if supported, which means | |
1282 | * the file won't change size. That's a good thing since we shouldn't needlessly trigger SIGBUS in other | |
1283 | * programs that have mmap()ed the file. (The assumption here is that changing file contents to all zeroes | |
1284 | * underneath those programs is the better choice than simply triggering SIGBUS in them which truncation does.) | |
1285 | * However if hole punching is not implemented in the kernel or file system we'll fall back to normal file | |
1286 | * truncation (🔪), as our goal of deallocating the data space trumps our goal of being nice to readers (💐). | |
1287 | * | |
1288 | * Note that we attempt deallocation, but failure to succeed with that is not considered fatal, as long as the | |
1289 | * primary job – to delete the file – is accomplished. */ | |
1290 | ||
053e0626 | 1291 | if (!FLAGS_SET(flags, UNLINK_REMOVEDIR)) { |
43767d9d LP |
1292 | truncate_fd = openat(fd, name, O_WRONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|O_NONBLOCK); |
1293 | if (truncate_fd < 0) { | |
1294 | ||
1295 | /* If this failed because the file doesn't exist propagate the error right-away. Also, | |
1296 | * AT_REMOVEDIR wasn't set, and we tried to open the file for writing, which means EISDIR is | |
1297 | * returned when this is a directory but we are not supposed to delete those, hence propagate | |
1298 | * the error right-away too. */ | |
1299 | if (IN_SET(errno, ENOENT, EISDIR)) | |
1300 | return -errno; | |
1301 | ||
1302 | if (errno != ELOOP) /* don't complain if this is a symlink */ | |
1303 | log_debug_errno(errno, "Failed to open file '%s' for deallocation, ignoring: %m", name); | |
1304 | } | |
1305 | } | |
1306 | ||
053e0626 | 1307 | if (unlinkat(fd, name, FLAGS_SET(flags, UNLINK_REMOVEDIR) ? AT_REMOVEDIR : 0) < 0) |
43767d9d LP |
1308 | return -errno; |
1309 | ||
1310 | if (truncate_fd < 0) /* Don't have a file handle, can't do more ☹️ */ | |
1311 | return 0; | |
1312 | ||
1313 | if (fstat(truncate_fd, &st) < 0) { | |
011723a4 | 1314 | log_debug_errno(errno, "Failed to stat file '%s' for deallocation, ignoring: %m", name); |
43767d9d LP |
1315 | return 0; |
1316 | } | |
1317 | ||
053e0626 LP |
1318 | if (!S_ISREG(st.st_mode)) |
1319 | return 0; | |
1320 | ||
1321 | if (FLAGS_SET(flags, UNLINK_ERASE) && st.st_size > 0 && st.st_nlink == 0) { | |
1322 | uint64_t left = st.st_size; | |
1323 | char buffer[64 * 1024]; | |
1324 | ||
1325 | /* If erasing is requested, let's overwrite the file with random data once before deleting | |
1326 | * it. This isn't going to give you shred(1) semantics, but hopefully should be good enough | |
1327 | * for stuff backed by tmpfs at least. | |
1328 | * | |
15dd4515 | 1329 | * Note that we only erase like this if the link count of the file is zero. If it is higher it |
053e0626 LP |
1330 | * is still linked by someone else and we'll leave it to them to remove it securely |
1331 | * eventually! */ | |
1332 | ||
1333 | random_bytes(buffer, sizeof(buffer)); | |
1334 | ||
1335 | while (left > 0) { | |
1336 | ssize_t n; | |
1337 | ||
1338 | n = write(truncate_fd, buffer, MIN(sizeof(buffer), left)); | |
1339 | if (n < 0) { | |
1340 | log_debug_errno(errno, "Failed to erase data in file '%s', ignoring.", name); | |
1341 | break; | |
1342 | } | |
1343 | ||
1344 | assert(left >= (size_t) n); | |
1345 | left -= n; | |
1346 | } | |
1347 | ||
1348 | /* Let's refresh metadata */ | |
1349 | if (fstat(truncate_fd, &st) < 0) { | |
1350 | log_debug_errno(errno, "Failed to stat file '%s' for deallocation, ignoring: %m", name); | |
1351 | return 0; | |
1352 | } | |
1353 | } | |
1354 | ||
1355 | /* Don't dallocate if there's nothing to deallocate or if the file is linked elsewhere */ | |
1356 | if (st.st_blocks == 0 || st.st_nlink > 0) | |
43767d9d LP |
1357 | return 0; |
1358 | ||
1359 | /* If this is a regular file, it actually took up space on disk and there are no other links it's time to | |
1360 | * punch-hole/truncate this to release the disk space. */ | |
1361 | ||
1362 | bs = MAX(st.st_blksize, 512); | |
1363 | l = DIV_ROUND_UP(st.st_size, bs) * bs; /* Round up to next block size */ | |
1364 | ||
1365 | if (fallocate(truncate_fd, FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE, 0, l) >= 0) | |
1366 | return 0; /* Successfully punched a hole! 😊 */ | |
1367 | ||
1368 | /* Fall back to truncation */ | |
1369 | if (ftruncate(truncate_fd, 0) < 0) { | |
1370 | log_debug_errno(errno, "Failed to truncate file to 0, ignoring: %m"); | |
1371 | return 0; | |
1372 | } | |
1373 | ||
1374 | return 0; | |
1375 | } | |
11b29a96 LP |
1376 | |
1377 | int fsync_directory_of_file(int fd) { | |
0c462ea4 | 1378 | _cleanup_free_ char *path = NULL; |
11b29a96 | 1379 | _cleanup_close_ int dfd = -1; |
9041e36d | 1380 | struct stat st; |
11b29a96 LP |
1381 | int r; |
1382 | ||
9041e36d | 1383 | assert(fd >= 0); |
11b29a96 | 1384 | |
9041e36d LP |
1385 | /* We only reasonably can do this for regular files and directories, hence check for that */ |
1386 | if (fstat(fd, &st) < 0) | |
1387 | return -errno; | |
3ceae1bc | 1388 | |
9041e36d | 1389 | if (S_ISREG(st.st_mode)) { |
3ceae1bc | 1390 | |
9041e36d LP |
1391 | r = fd_get_path(fd, &path); |
1392 | if (r < 0) { | |
1393 | log_debug_errno(r, "Failed to query /proc/self/fd/%d%s: %m", | |
1394 | fd, | |
1395 | r == -ENOSYS ? ", ignoring" : ""); | |
11b29a96 | 1396 | |
9041e36d LP |
1397 | if (r == -ENOSYS) |
1398 | /* If /proc is not available, we're most likely running in some | |
1399 | * chroot environment, and syncing the directory is not very | |
1400 | * important in that case. Let's just silently do nothing. */ | |
1401 | return 0; | |
11b29a96 | 1402 | |
9041e36d LP |
1403 | return r; |
1404 | } | |
11b29a96 | 1405 | |
9041e36d LP |
1406 | if (!path_is_absolute(path)) |
1407 | return -EINVAL; | |
1408 | ||
1409 | dfd = open_parent(path, O_CLOEXEC|O_NOFOLLOW, 0); | |
1410 | if (dfd < 0) | |
1411 | return dfd; | |
1412 | ||
1413 | } else if (S_ISDIR(st.st_mode)) { | |
1414 | dfd = openat(fd, "..", O_RDONLY|O_DIRECTORY|O_CLOEXEC, 0); | |
1415 | if (dfd < 0) | |
1416 | return -errno; | |
1417 | } else | |
1418 | return -ENOTTY; | |
11b29a96 LP |
1419 | |
1420 | if (fsync(dfd) < 0) | |
1421 | return -errno; | |
1422 | ||
1423 | return 0; | |
1424 | } | |
ef8becfa | 1425 | |
63d59b8d LP |
1426 | int fsync_full(int fd) { |
1427 | int r, q; | |
1428 | ||
1429 | /* Sync both the file and the directory */ | |
1430 | ||
1431 | r = fsync(fd) < 0 ? -errno : 0; | |
63d59b8d | 1432 | |
ed4a653c LP |
1433 | q = fsync_directory_of_file(fd); |
1434 | if (r < 0) /* Return earlier error */ | |
1435 | return r; | |
1436 | if (q == -ENOTTY) /* Ignore if the 'fd' refers to a block device or so which doesn't really have a | |
1437 | * parent dir */ | |
1438 | return 0; | |
1439 | return q; | |
63d59b8d LP |
1440 | } |
1441 | ||
36695e88 LP |
1442 | int fsync_path_at(int at_fd, const char *path) { |
1443 | _cleanup_close_ int opened_fd = -1; | |
1444 | int fd; | |
1445 | ||
1446 | if (isempty(path)) { | |
1447 | if (at_fd == AT_FDCWD) { | |
1448 | opened_fd = open(".", O_RDONLY|O_DIRECTORY|O_CLOEXEC); | |
1449 | if (opened_fd < 0) | |
1450 | return -errno; | |
1451 | ||
1452 | fd = opened_fd; | |
1453 | } else | |
1454 | fd = at_fd; | |
1455 | } else { | |
1071c195 | 1456 | opened_fd = openat(at_fd, path, O_RDONLY|O_CLOEXEC|O_NONBLOCK); |
36695e88 LP |
1457 | if (opened_fd < 0) |
1458 | return -errno; | |
1459 | ||
1460 | fd = opened_fd; | |
1461 | } | |
1462 | ||
1463 | if (fsync(fd) < 0) | |
1464 | return -errno; | |
1465 | ||
1466 | return 0; | |
1467 | } | |
1468 | ||
71f51416 LP |
1469 | int syncfs_path(int atfd, const char *path) { |
1470 | _cleanup_close_ int fd = -1; | |
1471 | ||
1472 | assert(path); | |
1473 | ||
1474 | fd = openat(atfd, path, O_CLOEXEC|O_RDONLY|O_NONBLOCK); | |
1475 | if (fd < 0) | |
1476 | return -errno; | |
1477 | ||
1478 | if (syncfs(fd) < 0) | |
1479 | return -errno; | |
1480 | ||
1481 | return 0; | |
1482 | } | |
1483 | ||
ef8becfa LP |
1484 | int open_parent(const char *path, int flags, mode_t mode) { |
1485 | _cleanup_free_ char *parent = NULL; | |
30cdcd62 | 1486 | int fd, r; |
ef8becfa | 1487 | |
30cdcd62 LP |
1488 | r = path_extract_directory(path, &parent); |
1489 | if (r < 0) | |
1490 | return r; | |
ef8becfa LP |
1491 | |
1492 | /* Let's insist on O_DIRECTORY since the parent of a file or directory is a directory. Except if we open an | |
1493 | * O_TMPFILE file, because in that case we are actually create a regular file below the parent directory. */ | |
1494 | ||
0c21dafb | 1495 | if (FLAGS_SET(flags, O_PATH)) |
ef8becfa | 1496 | flags |= O_DIRECTORY; |
0c21dafb | 1497 | else if (!FLAGS_SET(flags, O_TMPFILE)) |
ef8becfa LP |
1498 | flags |= O_DIRECTORY|O_RDONLY; |
1499 | ||
1500 | fd = open(parent, flags, mode); | |
1501 | if (fd < 0) | |
1502 | return -errno; | |
1503 | ||
1504 | return fd; | |
1505 | } | |
ed9c0851 | 1506 | |
622e1cdb LP |
1507 | static int blockdev_is_encrypted(const char *sysfs_path, unsigned depth_left) { |
1508 | _cleanup_free_ char *p = NULL, *uuids = NULL; | |
1509 | _cleanup_closedir_ DIR *d = NULL; | |
1510 | int r, found_encrypted = false; | |
1511 | ||
1512 | assert(sysfs_path); | |
1513 | ||
1514 | if (depth_left == 0) | |
1515 | return -EINVAL; | |
1516 | ||
1517 | p = path_join(sysfs_path, "dm/uuid"); | |
1518 | if (!p) | |
1519 | return -ENOMEM; | |
1520 | ||
1521 | r = read_one_line_file(p, &uuids); | |
1522 | if (r != -ENOENT) { | |
1523 | if (r < 0) | |
1524 | return r; | |
1525 | ||
1526 | /* The DM device's uuid attribute is prefixed with "CRYPT-" if this is a dm-crypt device. */ | |
1527 | if (startswith(uuids, "CRYPT-")) | |
1528 | return true; | |
1529 | } | |
1530 | ||
1531 | /* Not a dm-crypt device itself. But maybe it is on top of one? Follow the links in the "slaves/" | |
1532 | * subdir. */ | |
1533 | ||
1534 | p = mfree(p); | |
1535 | p = path_join(sysfs_path, "slaves"); | |
1536 | if (!p) | |
1537 | return -ENOMEM; | |
1538 | ||
1539 | d = opendir(p); | |
1540 | if (!d) { | |
6b000af4 | 1541 | if (errno == ENOENT) /* Doesn't have underlying devices */ |
622e1cdb LP |
1542 | return false; |
1543 | ||
1544 | return -errno; | |
1545 | } | |
1546 | ||
1547 | for (;;) { | |
1548 | _cleanup_free_ char *q = NULL; | |
1549 | struct dirent *de; | |
1550 | ||
1551 | errno = 0; | |
1552 | de = readdir_no_dot(d); | |
1553 | if (!de) { | |
1554 | if (errno != 0) | |
1555 | return -errno; | |
1556 | ||
6b000af4 | 1557 | break; /* No more underlying devices */ |
622e1cdb LP |
1558 | } |
1559 | ||
1560 | q = path_join(p, de->d_name); | |
1561 | if (!q) | |
1562 | return -ENOMEM; | |
1563 | ||
1564 | r = blockdev_is_encrypted(q, depth_left - 1); | |
1565 | if (r < 0) | |
1566 | return r; | |
1567 | if (r == 0) /* we found one that is not encrypted? then propagate that immediately */ | |
1568 | return false; | |
1569 | ||
1570 | found_encrypted = true; | |
1571 | } | |
1572 | ||
1573 | return found_encrypted; | |
1574 | } | |
1575 | ||
ed9c0851 | 1576 | int path_is_encrypted(const char *path) { |
622e1cdb | 1577 | char p[SYS_BLOCK_PATH_MAX(NULL)]; |
ed9c0851 LP |
1578 | dev_t devt; |
1579 | int r; | |
1580 | ||
1581 | r = get_block_device(path, &devt); | |
1582 | if (r < 0) | |
1583 | return r; | |
1584 | if (r == 0) /* doesn't have a block device */ | |
1585 | return false; | |
1586 | ||
622e1cdb | 1587 | xsprintf_sys_block_path(p, NULL, devt); |
ed9c0851 | 1588 | |
622e1cdb | 1589 | return blockdev_is_encrypted(p, 10 /* safety net: maximum recursion depth */); |
ed9c0851 | 1590 | } |
10981424 | 1591 | |
10195179 | 1592 | int conservative_renameat( |
10981424 LP |
1593 | int olddirfd, const char *oldpath, |
1594 | int newdirfd, const char *newpath) { | |
1595 | ||
1596 | _cleanup_close_ int old_fd = -1, new_fd = -1; | |
1597 | struct stat old_stat, new_stat; | |
1598 | ||
1599 | /* Renames the old path to thew new path, much like renameat() — except if both are regular files and | |
1600 | * have the exact same contents and basic file attributes already. In that case remove the new file | |
1601 | * instead. This call is useful for reducing inotify wakeups on files that are updated but don't | |
1602 | * actually change. This function is written in a style that we rather rename too often than suppress | |
1603 | * too much. i.e. whenever we are in doubt we rather rename than fail. After all reducing inotify | |
1604 | * events is an optimization only, not more. */ | |
1605 | ||
1606 | old_fd = openat(olddirfd, oldpath, O_CLOEXEC|O_RDONLY|O_NOCTTY|O_NOFOLLOW); | |
1607 | if (old_fd < 0) | |
1608 | goto do_rename; | |
1609 | ||
1610 | new_fd = openat(newdirfd, newpath, O_CLOEXEC|O_RDONLY|O_NOCTTY|O_NOFOLLOW); | |
1611 | if (new_fd < 0) | |
1612 | goto do_rename; | |
1613 | ||
1614 | if (fstat(old_fd, &old_stat) < 0) | |
1615 | goto do_rename; | |
1616 | ||
1617 | if (!S_ISREG(old_stat.st_mode)) | |
1618 | goto do_rename; | |
1619 | ||
1620 | if (fstat(new_fd, &new_stat) < 0) | |
1621 | goto do_rename; | |
1622 | ||
1623 | if (new_stat.st_ino == old_stat.st_ino && | |
1624 | new_stat.st_dev == old_stat.st_dev) | |
1625 | goto is_same; | |
1626 | ||
1627 | if (old_stat.st_mode != new_stat.st_mode || | |
1628 | old_stat.st_size != new_stat.st_size || | |
1629 | old_stat.st_uid != new_stat.st_uid || | |
1630 | old_stat.st_gid != new_stat.st_gid) | |
1631 | goto do_rename; | |
1632 | ||
1633 | for (;;) { | |
eff57d1c LP |
1634 | uint8_t buf1[16*1024]; |
1635 | uint8_t buf2[sizeof(buf1)]; | |
10981424 LP |
1636 | ssize_t l1, l2; |
1637 | ||
1638 | l1 = read(old_fd, buf1, sizeof(buf1)); | |
1639 | if (l1 < 0) | |
1640 | goto do_rename; | |
1641 | ||
eff57d1c LP |
1642 | if (l1 == sizeof(buf1)) |
1643 | /* Read the full block, hence read a full block in the other file too */ | |
10981424 | 1644 | |
eff57d1c LP |
1645 | l2 = read(new_fd, buf2, l1); |
1646 | else { | |
1647 | assert((size_t) l1 < sizeof(buf1)); | |
1648 | ||
1649 | /* Short read. This hence was the last block in the first file, and then came | |
1650 | * EOF. Read one byte more in the second file, so that we can verify we hit EOF there | |
1651 | * too. */ | |
1652 | ||
1653 | assert((size_t) (l1 + 1) <= sizeof(buf2)); | |
1654 | l2 = read(new_fd, buf2, l1 + 1); | |
1655 | } | |
1656 | if (l2 != l1) | |
1657 | goto do_rename; | |
10981424 LP |
1658 | |
1659 | if (memcmp(buf1, buf2, l1) != 0) | |
1660 | goto do_rename; | |
eff57d1c LP |
1661 | |
1662 | if ((size_t) l1 < sizeof(buf1)) /* We hit EOF on the first file, and the second file too, hence exit | |
1663 | * now. */ | |
1664 | break; | |
10981424 LP |
1665 | } |
1666 | ||
1667 | is_same: | |
1668 | /* Everything matches? Then don't rename, instead remove the source file, and leave the existing | |
1669 | * destination in place */ | |
1670 | ||
1671 | if (unlinkat(olddirfd, oldpath, 0) < 0) | |
1672 | goto do_rename; | |
1673 | ||
1674 | return 0; | |
1675 | ||
1676 | do_rename: | |
1677 | if (renameat(olddirfd, oldpath, newdirfd, newpath) < 0) | |
1678 | return -errno; | |
1679 | ||
1680 | return 1; | |
1681 | } | |
4c54768c IZ |
1682 | |
1683 | int posix_fallocate_loop(int fd, uint64_t offset, uint64_t size) { | |
1684 | RateLimit rl; | |
1685 | int r; | |
1686 | ||
1687 | r = posix_fallocate(fd, offset, size); /* returns positive errnos on error */ | |
1688 | if (r != EINTR) | |
1689 | return -r; /* Let's return negative errnos, like common in our codebase */ | |
1690 | ||
1691 | /* On EINTR try a couple of times more, but protect against busy looping | |
1692 | * (not more than 16 times per 10s) */ | |
1693 | rl = (RateLimit) { 10 * USEC_PER_SEC, 16 }; | |
1694 | while (ratelimit_below(&rl)) { | |
1695 | r = posix_fallocate(fd, offset, size); | |
1696 | if (r != EINTR) | |
1697 | return -r; | |
1698 | } | |
1699 | ||
1700 | return -EINTR; | |
1701 | } |