]>
Commit | Line | Data |
---|---|---|
db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
f4f15635 | 2 | |
11c3a366 TA |
3 | #include <errno.h> |
4 | #include <stddef.h> | |
11c3a366 | 5 | #include <stdlib.h> |
2646b86d | 6 | #include <sys/file.h> |
1c73b069 | 7 | #include <linux/falloc.h> |
655f2da0 | 8 | #include <linux/magic.h> |
11c3a366 TA |
9 | #include <unistd.h> |
10 | ||
b5efdb8a | 11 | #include "alloc-util.h" |
bc6a6130 | 12 | #include "btrfs.h" |
f4f15635 LP |
13 | #include "dirent-util.h" |
14 | #include "fd-util.h" | |
ed9c0851 | 15 | #include "fileio.h" |
f4f15635 | 16 | #include "fs-util.h" |
68def5a9 | 17 | #include "hostname-util.h" |
420d2e31 | 18 | #include "label.h" |
2646b86d | 19 | #include "lock-util.h" |
11c3a366 TA |
20 | #include "log.h" |
21 | #include "macro.h" | |
0499585f | 22 | #include "missing_fcntl.h" |
f5947a5e YW |
23 | #include "missing_fs.h" |
24 | #include "missing_syscall.h" | |
93cc7779 TA |
25 | #include "mkdir.h" |
26 | #include "parse-util.h" | |
27 | #include "path-util.h" | |
dccca82b | 28 | #include "process-util.h" |
053e0626 | 29 | #include "random-util.h" |
4c54768c | 30 | #include "ratelimit.h" |
34a8f081 | 31 | #include "stat-util.h" |
430fbf8e | 32 | #include "stdio-util.h" |
f4f15635 LP |
33 | #include "string-util.h" |
34 | #include "strv.h" | |
93cc7779 | 35 | #include "time-util.h" |
e4de7287 | 36 | #include "tmpfile-util.h" |
7c248223 | 37 | #include "umask-util.h" |
ee104e11 | 38 | #include "user-util.h" |
f4f15635 | 39 | |
int rmdir_parents(const char *path, const char *stop) {
        char *buf;

        /* Removes the parent directories of 'path', innermost first, walking upwards. The walk ends
         * successfully (0) once the remaining prefix is a prefix of 'stop' or nothing is left to strip.
         * rmdir() failures other than ENOENT abort the walk and are returned as negative errno. Returns
         * -EINVAL if either path is rejected by path_is_safe(). */

        assert(path);
        assert(stop);

        if (!path_is_safe(path) || !path_is_safe(stop))
                return -EINVAL;

        /* Private, writable copy which we shorten by one component per iteration. */
        buf = strdupa_safe(path);

        for (;;) {
                char *cut = NULL;
                int r;

                /* Ask for the position at which the last component can be chopped off. */
                r = path_find_last_component(buf, /* accept_dot_dot= */ false, (const char **) &cut, NULL);
                if (r <= 0)
                        return r;
                if (cut == buf)
                        return 0;

                assert(*cut == '/');
                *cut = '\0';

                /* Reached the stop directory (or one of its ancestors)? Then we are done. */
                if (path_startswith_full(stop, buf, /* accept_dot_dot= */ false))
                        return 0;

                if (rmdir(buf) < 0 && errno != ENOENT)
                        return -errno;
        }
}
75 | ||
f4f15635 | 76 | int rename_noreplace(int olddirfd, const char *oldpath, int newdirfd, const char *newpath) { |
2f15b625 | 77 | int r; |
f4f15635 | 78 | |
2f15b625 LP |
79 | /* Try the ideal approach first */ |
80 | if (renameat2(olddirfd, oldpath, newdirfd, newpath, RENAME_NOREPLACE) >= 0) | |
f4f15635 LP |
81 | return 0; |
82 | ||
2f15b625 LP |
83 | /* renameat2() exists since Linux 3.15, btrfs and FAT added support for it later. If it is not implemented, |
84 | * fall back to a different method. */ | |
62e10065 | 85 | if (!ERRNO_IS_NOT_SUPPORTED(errno) && errno != EINVAL) |
f4f15635 LP |
86 | return -errno; |
87 | ||
2f15b625 LP |
88 | /* Let's try to use linkat()+unlinkat() as fallback. This doesn't work on directories and on some file systems |
89 | * that do not support hard links (such as FAT, most prominently), but for files it's pretty close to what we | |
90 | * want — though not atomic (i.e. for a short period both the new and the old filename will exist). */ | |
91 | if (linkat(olddirfd, oldpath, newdirfd, newpath, 0) >= 0) { | |
92 | ||
7c248223 LP |
93 | r = RET_NERRNO(unlinkat(olddirfd, oldpath, 0)); |
94 | if (r < 0) { | |
2f15b625 LP |
95 | (void) unlinkat(newdirfd, newpath, 0); |
96 | return r; | |
97 | } | |
98 | ||
99 | return 0; | |
f4f15635 LP |
100 | } |
101 | ||
62e10065 | 102 | if (!ERRNO_IS_NOT_SUPPORTED(errno) && !IN_SET(errno, EINVAL, EPERM)) /* FAT returns EPERM on link()… */ |
f4f15635 LP |
103 | return -errno; |
104 | ||
2aed63f4 | 105 | /* OK, neither RENAME_NOREPLACE nor linkat()+unlinkat() worked. Let's then fall back to the racy TOCTOU |
2f15b625 LP |
106 | * vulnerable accessat(F_OK) check followed by classic, replacing renameat(), we have nothing better. */ |
107 | ||
108 | if (faccessat(newdirfd, newpath, F_OK, AT_SYMLINK_NOFOLLOW) >= 0) | |
109 | return -EEXIST; | |
110 | if (errno != ENOENT) | |
111 | return -errno; | |
112 | ||
7c248223 | 113 | return RET_NERRNO(renameat(olddirfd, oldpath, newdirfd, newpath)); |
f4f15635 LP |
114 | } |
115 | ||
116 | int readlinkat_malloc(int fd, const char *p, char **ret) { | |
db220032 | 117 | size_t l = PATH_MAX; |
f4f15635 | 118 | |
e4c094c0 YW |
119 | assert(fd >= 0 || fd == AT_FDCWD); |
120 | ||
121 | if (fd < 0 && isempty(p)) | |
122 | return -EISDIR; /* In this case, the fd points to the current working directory, and is | |
123 | * definitely not a symlink. Let's return earlier. */ | |
f4f15635 LP |
124 | |
125 | for (;;) { | |
db220032 | 126 | _cleanup_free_ char *c = NULL; |
f4f15635 LP |
127 | ssize_t n; |
128 | ||
db220032 | 129 | c = new(char, l+1); |
f4f15635 LP |
130 | if (!c) |
131 | return -ENOMEM; | |
132 | ||
e4c094c0 | 133 | n = readlinkat(fd, strempty(p), c, l); |
db220032 LP |
134 | if (n < 0) |
135 | return -errno; | |
f4f15635 | 136 | |
db220032 | 137 | if ((size_t) n < l) { |
f4f15635 | 138 | c[n] = 0; |
aed3c5ec LP |
139 | |
140 | if (ret) | |
141 | *ret = TAKE_PTR(c); | |
142 | ||
f4f15635 LP |
143 | return 0; |
144 | } | |
145 | ||
db220032 LP |
146 | if (l > (SSIZE_MAX-1)/2) /* readlinkat() returns an ssize_t, and we want an extra byte for a |
147 | * trailing NUL, hence do an overflow check relative to SSIZE_MAX-1 | |
148 | * here */ | |
149 | return -EFBIG; | |
150 | ||
f4f15635 LP |
151 | l *= 2; |
152 | } | |
153 | } | |
154 | ||
155 | int readlink_malloc(const char *p, char **ret) { | |
156 | return readlinkat_malloc(AT_FDCWD, p, ret); | |
157 | } | |
158 | ||
159 | int readlink_value(const char *p, char **ret) { | |
bb60956b | 160 | _cleanup_free_ char *link = NULL, *name = NULL; |
f4f15635 LP |
161 | int r; |
162 | ||
ce8394f9 YW |
163 | assert(p); |
164 | assert(ret); | |
165 | ||
f4f15635 LP |
166 | r = readlink_malloc(p, &link); |
167 | if (r < 0) | |
168 | return r; | |
169 | ||
bb60956b YW |
170 | r = path_extract_filename(link, &name); |
171 | if (r < 0) | |
172 | return r; | |
173 | if (r == O_DIRECTORY) | |
174 | return -EINVAL; | |
175 | ||
176 | *ret = TAKE_PTR(name); | |
177 | return 0; | |
f4f15635 LP |
178 | } |
179 | ||
162f6477 | 180 | int readlink_and_make_absolute(const char *p, char **ret) { |
f4f15635 | 181 | _cleanup_free_ char *target = NULL; |
162f6477 | 182 | int r; |
f4f15635 LP |
183 | |
184 | assert(p); | |
162f6477 | 185 | assert(ret); |
f4f15635 | 186 | |
162f6477 LP |
187 | r = readlink_malloc(p, &target); |
188 | if (r < 0) | |
189 | return r; | |
f4f15635 | 190 | |
162f6477 | 191 | return file_in_same_dir(p, target, ret); |
f4f15635 LP |
192 | } |
193 | ||
55451417 | 194 | int chmod_and_chown_at(int dir_fd, const char *path, mode_t mode, uid_t uid, gid_t gid) { |
254d1313 | 195 | _cleanup_close_ int fd = -EBADF; |
30ff18d8 | 196 | |
7d000133 DDM |
197 | assert(dir_fd >= 0 || dir_fd == AT_FDCWD); |
198 | ||
55451417 DDM |
199 | if (path) { |
200 | /* Let's acquire an O_PATH fd, as precaution to change mode/owner on the same file */ | |
201 | fd = openat(dir_fd, path, O_PATH|O_CLOEXEC|O_NOFOLLOW); | |
202 | if (fd < 0) | |
203 | return -errno; | |
340bc268 YW |
204 | dir_fd = fd; |
205 | ||
206 | } else if (dir_fd == AT_FDCWD) { | |
207 | /* Let's acquire an O_PATH fd of the current directory */ | |
208 | fd = openat(dir_fd, ".", O_PATH|O_CLOEXEC|O_NOFOLLOW|O_DIRECTORY); | |
209 | if (fd < 0) | |
210 | return -errno; | |
211 | dir_fd = fd; | |
55451417 | 212 | } |
de321f52 | 213 | |
340bc268 | 214 | return fchmod_and_chown(dir_fd, mode, uid, gid); |
b8da477e YW |
215 | } |
216 | ||
0520564d | 217 | int fchmod_and_chown_with_fallback(int fd, const char *path, mode_t mode, uid_t uid, gid_t gid) { |
2dbb7e94 | 218 | bool do_chown, do_chmod; |
30ff18d8 | 219 | struct stat st; |
dee00c19 | 220 | int r; |
30ff18d8 | 221 | |
2dbb7e94 LP |
222 | /* Change ownership and access mode of the specified fd. Tries to do so safely, ensuring that at no |
223 | * point in time the access mode is above the old access mode under the old ownership or the new | |
224 | * access mode under the new ownership. Note: this call tries hard to leave the access mode | |
225 | * unaffected if the uid/gid is changed, i.e. it undoes implicit suid/sgid dropping the kernel does | |
226 | * on chown(). | |
227 | * | |
0520564d ZJS |
228 | * This call is happy with O_PATH fds. |
229 | * | |
230 | * If path is given, allow a fallback path which does not use /proc/self/fd/. On any normal system | |
231 | * /proc will be mounted, but in certain improperly assembled environments it might not be. This is | |
232 | * less secure (potential TOCTOU), so should only be used after consideration. */ | |
b8da477e | 233 | |
71ec74d1 | 234 | if (fstat(fd, &st) < 0) |
2dbb7e94 | 235 | return -errno; |
de321f52 | 236 | |
2dbb7e94 LP |
237 | do_chown = |
238 | (uid != UID_INVALID && st.st_uid != uid) || | |
239 | (gid != GID_INVALID && st.st_gid != gid); | |
de321f52 | 240 | |
2dbb7e94 LP |
241 | do_chmod = |
242 | !S_ISLNK(st.st_mode) && /* chmod is not defined on symlinks */ | |
243 | ((mode != MODE_INVALID && ((st.st_mode ^ mode) & 07777) != 0) || | |
244 | do_chown); /* If we change ownership, make sure we reset the mode afterwards, since chown() | |
245 | * modifies the access mode too */ | |
30ff18d8 | 246 | |
2dbb7e94 LP |
247 | if (mode == MODE_INVALID) |
248 | mode = st.st_mode; /* If we only shall do a chown(), save original mode, since chown() might break it. */ | |
249 | else if ((mode & S_IFMT) != 0 && ((mode ^ st.st_mode) & S_IFMT) != 0) | |
250 | return -EINVAL; /* insist on the right file type if it was specified */ | |
de321f52 | 251 | |
2dbb7e94 LP |
252 | if (do_chown && do_chmod) { |
253 | mode_t minimal = st.st_mode & mode; /* the subset of the old and the new mask */ | |
30ff18d8 | 254 | |
dee00c19 LP |
255 | if (((minimal ^ st.st_mode) & 07777) != 0) { |
256 | r = fchmod_opath(fd, minimal & 07777); | |
0520564d ZJS |
257 | if (r < 0) { |
258 | if (!path || r != -ENOSYS) | |
259 | return r; | |
260 | ||
261 | /* Fallback path which doesn't use /proc/self/fd/. */ | |
262 | if (chmod(path, minimal & 07777) < 0) | |
263 | return -errno; | |
264 | } | |
dee00c19 | 265 | } |
de321f52 | 266 | } |
b8da477e | 267 | |
2dbb7e94 | 268 | if (do_chown) |
71ec74d1 | 269 | if (fchownat(fd, "", uid, gid, AT_EMPTY_PATH) < 0) |
2dbb7e94 | 270 | return -errno; |
30ff18d8 | 271 | |
dee00c19 LP |
272 | if (do_chmod) { |
273 | r = fchmod_opath(fd, mode & 07777); | |
0520564d ZJS |
274 | if (r < 0) { |
275 | if (!path || r != -ENOSYS) | |
276 | return r; | |
277 | ||
278 | /* Fallback path which doesn't use /proc/self/fd/. */ | |
279 | if (chmod(path, mode & 07777) < 0) | |
280 | return -errno; | |
281 | } | |
dee00c19 | 282 | } |
30ff18d8 | 283 | |
2dbb7e94 | 284 | return do_chown || do_chmod; |
f4f15635 LP |
285 | } |
286 | ||
f4f15635 | 287 | int fchmod_umask(int fd, mode_t m) { |
7c248223 | 288 | _cleanup_umask_ mode_t u = umask(0777); |
f4f15635 | 289 | |
7c248223 | 290 | return RET_NERRNO(fchmod(fd, m & (~u))); |
f4f15635 LP |
291 | } |
292 | ||
4dfaa528 | 293 | int fchmod_opath(int fd, mode_t m) { |
4dfaa528 | 294 | /* This function operates also on fd that might have been opened with |
adecfb3b AM |
295 | * O_PATH. The tool set we have is non-intuitive: |
296 | * - fchmod(2) only operates on open files (i. e., fds with an open file description); | |
297 | * - fchmodat(2) does not have a flag arg like fchownat(2) does, so no way to pass AT_EMPTY_PATH; | |
298 | * + it should not be confused with the libc fchmodat(3) interface, which adds 4th flag argument, | |
299 | * but does not support AT_EMPTY_PATH (only supports AT_SYMLINK_NOFOLLOW); | |
300 | * - fchmodat2(2) supports all the AT_* flags, but is still very recent. | |
301 | * | |
302 | * We try to use fchmodat2(), and, if it is not supported, resort | |
303 | * to the /proc/self/fd dance. */ | |
304 | ||
305 | assert(fd >= 0); | |
306 | ||
307 | if (fchmodat2(fd, "", m, AT_EMPTY_PATH) >= 0) | |
308 | return 0; | |
309 | if (!IN_SET(errno, ENOSYS, EPERM)) /* Some container managers block unknown syscalls with EPERM */ | |
310 | return -errno; | |
4dfaa528 | 311 | |
ddb6eeaf | 312 | if (chmod(FORMAT_PROC_FD_PATH(fd), m) < 0) { |
f8606626 LP |
313 | if (errno != ENOENT) |
314 | return -errno; | |
315 | ||
316 | if (proc_mounted() == 0) | |
317 | return -ENOSYS; /* if we have no /proc/, the concept is not implementable */ | |
318 | ||
319 | return -ENOENT; | |
320 | } | |
4dfaa528 FB |
321 | |
322 | return 0; | |
323 | } | |
324 | ||
f25bff5e | 325 | int futimens_opath(int fd, const struct timespec ts[2]) { |
150231d2 | 326 | /* Similar to fchmod_opath() but for futimens() */ |
f25bff5e | 327 | |
973464ad MY |
328 | assert(fd >= 0); |
329 | ||
330 | if (utimensat(fd, "", ts, AT_EMPTY_PATH) >= 0) | |
331 | return 0; | |
332 | if (errno != EINVAL) | |
333 | return -errno; | |
334 | ||
335 | /* Support for AT_EMPTY_PATH is added rather late (kernel 5.8), so fall back to going through /proc/ | |
336 | * if unavailable. */ | |
337 | ||
338 | if (utimensat(AT_FDCWD, FORMAT_PROC_FD_PATH(fd), ts, /* flags = */ 0) < 0) { | |
f25bff5e LP |
339 | if (errno != ENOENT) |
340 | return -errno; | |
341 | ||
342 | if (proc_mounted() == 0) | |
973464ad | 343 | return -ENOSYS; |
f25bff5e LP |
344 | |
345 | return -ENOENT; | |
346 | } | |
347 | ||
348 | return 0; | |
349 | } | |
350 | ||
22ed4a6d LP |
int stat_warn_permissions(const char *path, const struct stat *st) {
        mode_t m;

        /* Logs warnings about questionable access modes on a configuration file, based on the already
         * acquired stat data. Purely advisory: always returns 0. */

        assert(path);
        assert(st);

        m = st->st_mode;

        /* Don't complain if we are reading something that is not a file, for example /dev/null */
        if (!S_ISREG(m))
                return 0;

        if ((m & 0111) != 0)
                log_warning("Configuration file %s is marked executable. Please remove executable permission bits. Proceeding anyway.", path);

        if ((m & 0002) != 0)
                log_warning("Configuration file %s is marked world-writable. Please remove world writability permission bits. Proceeding anyway.", path);

        /* Only complain about missing group/other read bits when running as PID 1. */
        if (getpid_cached() == 1 && (m & 0044) != 0044)
                log_warning("Configuration file %s is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.", path);

        return 0;
}
370 | ||
22ed4a6d LP |
int fd_warn_permissions(const char *path, int fd) {
        struct stat st;

        /* Same as stat_warn_permissions(), but acquires the stat data from the open fd itself; 'path'
         * is only used for the log messages. Returns negative errno if fstat() fails. */

        assert(path);
        assert(fd >= 0);

        if (fstat(fd, &st) >= 0)
                return stat_warn_permissions(path, &st);

        return -errno;
}
382 | ||
f4f15635 | 383 | int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode) { |
254d1313 | 384 | _cleanup_close_ int fd = -EBADF; |
b71dbc6b | 385 | int r, ret; |
f4f15635 LP |
386 | |
387 | assert(path); | |
388 | ||
9e3fa6e8 LP |
389 | /* Note that touch_file() does not follow symlinks: if invoked on an existing symlink, then it is the symlink |
390 | * itself which is updated, not its target | |
391 | * | |
392 | * Returns the first error we encounter, but tries to apply as much as possible. */ | |
f4f15635 | 393 | |
9e3fa6e8 LP |
394 | if (parents) |
395 | (void) mkdir_parents(path, 0755); | |
396 | ||
397 | /* Initially, we try to open the node with O_PATH, so that we get a reference to the node. This is useful in | |
398 | * case the path refers to an existing device or socket node, as we can open it successfully in all cases, and | |
399 | * won't trigger any driver magic or so. */ | |
400 | fd = open(path, O_PATH|O_CLOEXEC|O_NOFOLLOW); | |
401 | if (fd < 0) { | |
402 | if (errno != ENOENT) | |
f4f15635 | 403 | return -errno; |
f4f15635 | 404 | |
9e3fa6e8 LP |
405 | /* if the node doesn't exist yet, we create it, but with O_EXCL, so that we only create a regular file |
406 | * here, and nothing else */ | |
407 | fd = open(path, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, IN_SET(mode, 0, MODE_INVALID) ? 0644 : mode); | |
408 | if (fd < 0) | |
f4f15635 LP |
409 | return -errno; |
410 | } | |
411 | ||
9e3fa6e8 LP |
412 | /* Let's make a path from the fd, and operate on that. With this logic, we can adjust the access mode, |
413 | * ownership and time of the file node in all cases, even if the fd refers to an O_PATH object — which is | |
414 | * something fchown(), fchmod(), futimensat() don't allow. */ | |
4b3b5bc7 | 415 | ret = fchmod_and_chown(fd, mode, uid, gid); |
9e3fa6e8 | 416 | |
f4f15635 LP |
417 | if (stamp != USEC_INFINITY) { |
418 | struct timespec ts[2]; | |
419 | ||
420 | timespec_store(&ts[0], stamp); | |
421 | ts[1] = ts[0]; | |
b5794711 | 422 | r = futimens_opath(fd, ts); |
f4f15635 | 423 | } else |
b5794711 | 424 | r = futimens_opath(fd, NULL); |
9e3fa6e8 | 425 | if (r < 0 && ret >= 0) |
b5794711 | 426 | return r; |
f4f15635 | 427 | |
9e3fa6e8 | 428 | return ret; |
f4f15635 LP |
429 | } |
430 | ||
6c9c51e5 YW |
431 | int symlink_idempotent(const char *from, const char *to, bool make_relative) { |
432 | _cleanup_free_ char *relpath = NULL; | |
f4f15635 LP |
433 | int r; |
434 | ||
435 | assert(from); | |
436 | assert(to); | |
437 | ||
6c9c51e5 | 438 | if (make_relative) { |
449375d2 | 439 | r = path_make_relative_parent(to, from, &relpath); |
6c9c51e5 YW |
440 | if (r < 0) |
441 | return r; | |
442 | ||
443 | from = relpath; | |
444 | } | |
445 | ||
f4f15635 | 446 | if (symlink(from, to) < 0) { |
77b79723 LP |
447 | _cleanup_free_ char *p = NULL; |
448 | ||
f4f15635 LP |
449 | if (errno != EEXIST) |
450 | return -errno; | |
451 | ||
452 | r = readlink_malloc(to, &p); | |
77b79723 LP |
453 | if (r == -EINVAL) /* Not a symlink? In that case return the original error we encountered: -EEXIST */ |
454 | return -EEXIST; | |
455 | if (r < 0) /* Any other error? In that case propagate it as is */ | |
f4f15635 LP |
456 | return r; |
457 | ||
77b79723 LP |
458 | if (!streq(p, from)) /* Not the symlink we want it to be? In that case, propagate the original -EEXIST */ |
459 | return -EEXIST; | |
f4f15635 LP |
460 | } |
461 | ||
462 | return 0; | |
463 | } | |
464 | ||
da9dd029 | 465 | int symlinkat_atomic_full(const char *from, int atfd, const char *to, bool make_relative) { |
590d8100 | 466 | _cleanup_free_ char *relpath = NULL, *t = NULL; |
f4f15635 LP |
467 | int r; |
468 | ||
469 | assert(from); | |
470 | assert(to); | |
471 | ||
590d8100 YW |
472 | if (make_relative) { |
473 | r = path_make_relative_parent(to, from, &relpath); | |
474 | if (r < 0) | |
475 | return r; | |
476 | ||
477 | from = relpath; | |
478 | } | |
479 | ||
f4f15635 LP |
480 | r = tempfn_random(to, NULL, &t); |
481 | if (r < 0) | |
482 | return r; | |
483 | ||
da9dd029 | 484 | if (symlinkat(from, atfd, t) < 0) |
f4f15635 LP |
485 | return -errno; |
486 | ||
da9dd029 LP |
487 | r = RET_NERRNO(renameat(atfd, t, atfd, to)); |
488 | if (r < 0) { | |
489 | (void) unlinkat(atfd, t, 0); | |
490 | return r; | |
f4f15635 LP |
491 | } |
492 | ||
493 | return 0; | |
494 | } | |
495 | ||
497ca785 | 496 | int mknodat_atomic(int atfd, const char *path, mode_t mode, dev_t dev) { |
f4f15635 LP |
497 | _cleanup_free_ char *t = NULL; |
498 | int r; | |
499 | ||
500 | assert(path); | |
501 | ||
502 | r = tempfn_random(path, NULL, &t); | |
503 | if (r < 0) | |
504 | return r; | |
505 | ||
497ca785 | 506 | if (mknodat(atfd, t, mode, dev) < 0) |
f4f15635 LP |
507 | return -errno; |
508 | ||
497ca785 LP |
509 | r = RET_NERRNO(renameat(atfd, t, atfd, path)); |
510 | if (r < 0) { | |
511 | (void) unlinkat(atfd, t, 0); | |
512 | return r; | |
f4f15635 LP |
513 | } |
514 | ||
515 | return 0; | |
516 | } | |
517 | ||
4f477796 | 518 | int mkfifoat_atomic(int atfd, const char *path, mode_t mode) { |
f4f15635 LP |
519 | _cleanup_free_ char *t = NULL; |
520 | int r; | |
521 | ||
522 | assert(path); | |
523 | ||
4f477796 | 524 | /* We're only interested in the (random) filename. */ |
f4f15635 LP |
525 | r = tempfn_random(path, NULL, &t); |
526 | if (r < 0) | |
527 | return r; | |
528 | ||
4f477796 | 529 | if (mkfifoat(atfd, t, mode) < 0) |
4fe3828c | 530 | return -errno; |
4fe3828c | 531 | |
4f477796 LP |
532 | r = RET_NERRNO(renameat(atfd, t, atfd, path)); |
533 | if (r < 0) { | |
534 | (void) unlinkat(atfd, t, 0); | |
4fe3828c | 535 | return r; |
f4f15635 LP |
536 | } |
537 | ||
538 | return 0; | |
539 | } | |
540 | ||
541 | int get_files_in_directory(const char *path, char ***list) { | |
319a4f4b | 542 | _cleanup_strv_free_ char **l = NULL; |
f4f15635 | 543 | _cleanup_closedir_ DIR *d = NULL; |
319a4f4b | 544 | size_t n = 0; |
f4f15635 LP |
545 | |
546 | assert(path); | |
547 | ||
548 | /* Returns all files in a directory in *list, and the number | |
549 | * of files as return value. If list is NULL returns only the | |
550 | * number. */ | |
551 | ||
552 | d = opendir(path); | |
553 | if (!d) | |
554 | return -errno; | |
555 | ||
8fb3f009 | 556 | FOREACH_DIRENT_ALL(de, d, return -errno) { |
f4f15635 LP |
557 | if (!dirent_is_file(de)) |
558 | continue; | |
559 | ||
560 | if (list) { | |
561 | /* one extra slot is needed for the terminating NULL */ | |
319a4f4b | 562 | if (!GREEDY_REALLOC(l, n + 2)) |
f4f15635 LP |
563 | return -ENOMEM; |
564 | ||
565 | l[n] = strdup(de->d_name); | |
566 | if (!l[n]) | |
567 | return -ENOMEM; | |
568 | ||
569 | l[++n] = NULL; | |
570 | } else | |
571 | n++; | |
572 | } | |
573 | ||
ae2a15bc LP |
574 | if (list) |
575 | *list = TAKE_PTR(l); | |
f4f15635 LP |
576 | |
577 | return n; | |
578 | } | |
430fbf8e | 579 | |
992e8f22 | 580 | static int getenv_tmp_dir(const char **ret_path) { |
992e8f22 | 581 | int r, ret = 0; |
34a8f081 | 582 | |
992e8f22 | 583 | assert(ret_path); |
34a8f081 | 584 | |
992e8f22 LP |
585 | /* We use the same order of environment variables python uses in tempfile.gettempdir(): |
586 | * https://docs.python.org/3/library/tempfile.html#tempfile.gettempdir */ | |
587 | FOREACH_STRING(n, "TMPDIR", "TEMP", "TMP") { | |
588 | const char *e; | |
589 | ||
590 | e = secure_getenv(n); | |
591 | if (!e) | |
592 | continue; | |
593 | if (!path_is_absolute(e)) { | |
594 | r = -ENOTDIR; | |
595 | goto next; | |
596 | } | |
99be45a4 | 597 | if (!path_is_normalized(e)) { |
992e8f22 LP |
598 | r = -EPERM; |
599 | goto next; | |
600 | } | |
601 | ||
602 | r = is_dir(e, true); | |
603 | if (r < 0) | |
604 | goto next; | |
605 | if (r == 0) { | |
606 | r = -ENOTDIR; | |
607 | goto next; | |
608 | } | |
609 | ||
610 | *ret_path = e; | |
611 | return 1; | |
612 | ||
613 | next: | |
614 | /* Remember first error, to make this more debuggable */ | |
615 | if (ret >= 0) | |
616 | ret = r; | |
34a8f081 OW |
617 | } |
618 | ||
992e8f22 LP |
619 | if (ret < 0) |
620 | return ret; | |
34a8f081 | 621 | |
992e8f22 LP |
622 | *ret_path = NULL; |
623 | return ret; | |
624 | } | |
34a8f081 | 625 | |
992e8f22 LP |
static int tmp_dir_internal(const char *def, const char **ret) {
        const char *from_env;
        int r, k;

        /* Picks the temporary directory: the one configured via the environment if getenv_tmp_dir()
         * found a usable one, otherwise the default 'def' provided is_dir() accepts it. If neither
         * works, an error from the environment lookup takes precedence over the one for the default.
         * Returns 0 on success, negative errno on failure. */

        assert(def);
        assert(ret);

        r = getenv_tmp_dir(&from_env);
        if (r > 0) {
                *ret = from_env;
                return 0;
        }

        k = is_dir(def, true);
        if (k > 0) {
                *ret = def;
                return 0;
        }

        if (r < 0)
                return r;

        return k == 0 ? -ENOTDIR : k;
}
648 | ||
992e8f22 LP |
int var_tmp_dir(const char **ret) {
        static const char fallback[] = "/var/tmp";

        /* Returns the location for "larger" temporary files, that is backed by physical storage if
         * available, and thus even might survive a boot: /var/tmp. If $TMPDIR (or one of the related
         * environment variables) is set, its value is returned preferably however. Note that both this
         * function and tmp_dir() are affected by $TMPDIR, making it a variable that overrides all
         * temporary file storage locations. */

        return tmp_dir_internal(fallback, ret);
}
658 | ||
int tmp_dir(const char **ret) {
        static const char fallback[] = "/tmp";

        /* Counterpart of var_tmp_dir() for "smaller" temporary files, whose location is usually backed
         * by an in-memory file system: /tmp. The environment takes precedence here, too. */

        return tmp_dir_internal(fallback, ret);
}
666 | ||
af229d7a ZJS |
int unlink_or_warn(const char *filename) {
        int saved_errno;

        /* Removes 'filename' and logs an error if that fails. A file that does not exist is not
         * considered a failure. Returns 0 on success (or if there was nothing to remove), otherwise
         * whatever log_error_errno() returns for the unlink() error. */

        if (unlink(filename) >= 0 || errno == ENOENT)
                return 0;

        /* Remember the unlink() error right away: the access() call below may modify errno, even when
         * it succeeds, and we want to log the reason why the removal failed, not anything else. */
        saved_errno = errno;

        /* If the file doesn't exist and the fs simply was read-only (in which case unlink() returns
         * EROFS even if the file doesn't exist), don't complain */
        if (saved_errno == EROFS && access(filename, F_OK) < 0)
                return 0;

        return log_error_errno(saved_errno, "Failed to remove \"%s\": %m", filename);
}
677 | ||
int access_fd(int fd, int mode) {
        /* Like access() but operates on an already open fd, by checking its /proc/ fd path.
         *
         * Returns 0 if access is granted, negative errno otherwise: -ENOSYS if /proc/ is not mounted,
         * -EBADF if /proc/ is there but the fd path does not exist. */

        if (access(FORMAT_PROC_FD_PATH(fd), mode) >= 0)
                return 0;
        if (errno != ENOENT)
                return -errno;

        /* ENOENT can mean two things: that the fd does not exist or that /proc is not mounted. Let's
         * make things debuggable and distinguish the two: without /proc we are most likely in some
         * chroot environment that is not set up properly; with it, it must be the fd that is missing. */
        return proc_mounted() == 0 ? -ENOSYS : -EBADF;
}
43767d9d | 697 | |
627d2bac ZJS |
void unlink_tempfilep(char (*p)[]) {
        /* Removes the temporary file named by *p, but only if the name no longer ends in the
         * ".XXXXXX" template suffix. If the file is created with mkstemp(), it will (almost always)
         * change the suffix, so a changed suffix is treated as a sign that the file was successfully
         * created. We ignore both the rare case where the original suffix is used and unlink
         * failures. */
        if (endswith(*p, ".XXXXXX"))
                return;

        (void) unlink(*p);
}
706 | ||
053e0626 | 707 | int unlinkat_deallocate(int fd, const char *name, UnlinkDeallocateFlags flags) { |
254d1313 | 708 | _cleanup_close_ int truncate_fd = -EBADF; |
43767d9d LP |
709 | struct stat st; |
710 | off_t l, bs; | |
711 | ||
053e0626 LP |
712 | assert((flags & ~(UNLINK_REMOVEDIR|UNLINK_ERASE)) == 0); |
713 | ||
43767d9d LP |
714 | /* Operates like unlinkat() but also deallocates the file contents if it is a regular file and there's no other |
715 | * link to it. This is useful to ensure that other processes that might have the file open for reading won't be | |
716 | * able to keep the data pinned on disk forever. This call is particular useful whenever we execute clean-up | |
717 | * jobs ("vacuuming"), where we want to make sure the data is really gone and the disk space released and | |
718 | * returned to the free pool. | |
719 | * | |
720 | * Deallocation is preferably done by FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE (👊) if supported, which means | |
721 | * the file won't change size. That's a good thing since we shouldn't needlessly trigger SIGBUS in other | |
722 | * programs that have mmap()ed the file. (The assumption here is that changing file contents to all zeroes | |
723 | * underneath those programs is the better choice than simply triggering SIGBUS in them which truncation does.) | |
724 | * However if hole punching is not implemented in the kernel or file system we'll fall back to normal file | |
725 | * truncation (🔪), as our goal of deallocating the data space trumps our goal of being nice to readers (💐). | |
726 | * | |
727 | * Note that we attempt deallocation, but failure to succeed with that is not considered fatal, as long as the | |
728 | * primary job – to delete the file – is accomplished. */ | |
729 | ||
053e0626 | 730 | if (!FLAGS_SET(flags, UNLINK_REMOVEDIR)) { |
43767d9d LP |
731 | truncate_fd = openat(fd, name, O_WRONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|O_NONBLOCK); |
732 | if (truncate_fd < 0) { | |
733 | ||
734 | /* If this failed because the file doesn't exist propagate the error right-away. Also, | |
735 | * AT_REMOVEDIR wasn't set, and we tried to open the file for writing, which means EISDIR is | |
736 | * returned when this is a directory but we are not supposed to delete those, hence propagate | |
737 | * the error right-away too. */ | |
738 | if (IN_SET(errno, ENOENT, EISDIR)) | |
739 | return -errno; | |
740 | ||
741 | if (errno != ELOOP) /* don't complain if this is a symlink */ | |
742 | log_debug_errno(errno, "Failed to open file '%s' for deallocation, ignoring: %m", name); | |
743 | } | |
744 | } | |
745 | ||
053e0626 | 746 | if (unlinkat(fd, name, FLAGS_SET(flags, UNLINK_REMOVEDIR) ? AT_REMOVEDIR : 0) < 0) |
43767d9d LP |
747 | return -errno; |
748 | ||
749 | if (truncate_fd < 0) /* Don't have a file handle, can't do more ☹️ */ | |
750 | return 0; | |
751 | ||
752 | if (fstat(truncate_fd, &st) < 0) { | |
011723a4 | 753 | log_debug_errno(errno, "Failed to stat file '%s' for deallocation, ignoring: %m", name); |
43767d9d LP |
754 | return 0; |
755 | } | |
756 | ||
053e0626 LP |
757 | if (!S_ISREG(st.st_mode)) |
758 | return 0; | |
759 | ||
760 | if (FLAGS_SET(flags, UNLINK_ERASE) && st.st_size > 0 && st.st_nlink == 0) { | |
761 | uint64_t left = st.st_size; | |
762 | char buffer[64 * 1024]; | |
763 | ||
764 | /* If erasing is requested, let's overwrite the file with random data once before deleting | |
765 | * it. This isn't going to give you shred(1) semantics, but hopefully should be good enough | |
766 | * for stuff backed by tmpfs at least. | |
767 | * | |
15dd4515 | 768 | * Note that we only erase like this if the link count of the file is zero. If it is higher it |
053e0626 LP |
769 | * is still linked by someone else and we'll leave it to them to remove it securely |
770 | * eventually! */ | |
771 | ||
772 | random_bytes(buffer, sizeof(buffer)); | |
773 | ||
774 | while (left > 0) { | |
775 | ssize_t n; | |
776 | ||
777 | n = write(truncate_fd, buffer, MIN(sizeof(buffer), left)); | |
778 | if (n < 0) { | |
779 | log_debug_errno(errno, "Failed to erase data in file '%s', ignoring.", name); | |
780 | break; | |
781 | } | |
782 | ||
783 | assert(left >= (size_t) n); | |
784 | left -= n; | |
785 | } | |
786 | ||
787 | /* Let's refresh metadata */ | |
788 | if (fstat(truncate_fd, &st) < 0) { | |
789 | log_debug_errno(errno, "Failed to stat file '%s' for deallocation, ignoring: %m", name); | |
790 | return 0; | |
791 | } | |
792 | } | |
793 | ||
794 | /* Don't dallocate if there's nothing to deallocate or if the file is linked elsewhere */ | |
795 | if (st.st_blocks == 0 || st.st_nlink > 0) | |
43767d9d LP |
796 | return 0; |
797 | ||
798 | /* If this is a regular file, it actually took up space on disk and there are no other links it's time to | |
799 | * punch-hole/truncate this to release the disk space. */ | |
800 | ||
801 | bs = MAX(st.st_blksize, 512); | |
4dcaab9c | 802 | l = ROUND_UP(st.st_size, bs); /* Round up to next block size */ |
43767d9d LP |
803 | |
804 | if (fallocate(truncate_fd, FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE, 0, l) >= 0) | |
805 | return 0; /* Successfully punched a hole! 😊 */ | |
806 | ||
807 | /* Fall back to truncation */ | |
808 | if (ftruncate(truncate_fd, 0) < 0) { | |
809 | log_debug_errno(errno, "Failed to truncate file to 0, ignoring: %m"); | |
810 | return 0; | |
811 | } | |
812 | ||
813 | return 0; | |
814 | } | |
11b29a96 | 815 | |
14460a8a | 816 | int open_parent_at(int dir_fd, const char *path, int flags, mode_t mode) { |
ef8becfa | 817 | _cleanup_free_ char *parent = NULL; |
7c248223 | 818 | int r; |
ef8becfa | 819 | |
14460a8a DDM |
820 | assert(dir_fd >= 0 || dir_fd == AT_FDCWD); |
821 | assert(path); | |
822 | ||
30cdcd62 | 823 | r = path_extract_directory(path, &parent); |
14460a8a DDM |
824 | if (r == -EDESTADDRREQ) { |
825 | parent = strdup("."); | |
826 | if (!parent) | |
827 | return -ENOMEM; | |
828 | } else if (r == -EADDRNOTAVAIL) { | |
829 | parent = strdup(path); | |
830 | if (!parent) | |
831 | return -ENOMEM; | |
832 | } else if (r < 0) | |
30cdcd62 | 833 | return r; |
ef8becfa LP |
834 | |
835 | /* Let's insist on O_DIRECTORY since the parent of a file or directory is a directory. Except if we open an | |
836 | * O_TMPFILE file, because in that case we are actually create a regular file below the parent directory. */ | |
837 | ||
0c21dafb | 838 | if (FLAGS_SET(flags, O_PATH)) |
ef8becfa | 839 | flags |= O_DIRECTORY; |
0c21dafb | 840 | else if (!FLAGS_SET(flags, O_TMPFILE)) |
ef8becfa LP |
841 | flags |= O_DIRECTORY|O_RDONLY; |
842 | ||
14460a8a | 843 | return RET_NERRNO(openat(dir_fd, parent, flags, mode)); |
ef8becfa | 844 | } |
ed9c0851 | 845 | |
10195179 | 846 | int conservative_renameat( |
10981424 LP |
847 | int olddirfd, const char *oldpath, |
848 | int newdirfd, const char *newpath) { | |
849 | ||
254d1313 | 850 | _cleanup_close_ int old_fd = -EBADF, new_fd = -EBADF; |
10981424 LP |
851 | struct stat old_stat, new_stat; |
852 | ||
737a9edc | 853 | /* Renames the old path to the new path, much like renameat() — except if both are regular files and |
10981424 LP |
854 | * have the exact same contents and basic file attributes already. In that case remove the new file |
855 | * instead. This call is useful for reducing inotify wakeups on files that are updated but don't | |
856 | * actually change. This function is written in a style that we rather rename too often than suppress | |
2657d5bd | 857 | * too much. I.e. whenever we are in doubt, we rather rename than fail. After all reducing inotify |
10981424 LP |
858 | * events is an optimization only, not more. */ |
859 | ||
860 | old_fd = openat(olddirfd, oldpath, O_CLOEXEC|O_RDONLY|O_NOCTTY|O_NOFOLLOW); | |
861 | if (old_fd < 0) | |
862 | goto do_rename; | |
863 | ||
864 | new_fd = openat(newdirfd, newpath, O_CLOEXEC|O_RDONLY|O_NOCTTY|O_NOFOLLOW); | |
865 | if (new_fd < 0) | |
866 | goto do_rename; | |
867 | ||
868 | if (fstat(old_fd, &old_stat) < 0) | |
869 | goto do_rename; | |
870 | ||
871 | if (!S_ISREG(old_stat.st_mode)) | |
872 | goto do_rename; | |
873 | ||
874 | if (fstat(new_fd, &new_stat) < 0) | |
875 | goto do_rename; | |
876 | ||
a9dac7a6 | 877 | if (stat_inode_same(&new_stat, &old_stat)) |
10981424 LP |
878 | goto is_same; |
879 | ||
880 | if (old_stat.st_mode != new_stat.st_mode || | |
881 | old_stat.st_size != new_stat.st_size || | |
882 | old_stat.st_uid != new_stat.st_uid || | |
883 | old_stat.st_gid != new_stat.st_gid) | |
884 | goto do_rename; | |
885 | ||
886 | for (;;) { | |
eff57d1c LP |
887 | uint8_t buf1[16*1024]; |
888 | uint8_t buf2[sizeof(buf1)]; | |
10981424 LP |
889 | ssize_t l1, l2; |
890 | ||
891 | l1 = read(old_fd, buf1, sizeof(buf1)); | |
892 | if (l1 < 0) | |
893 | goto do_rename; | |
894 | ||
eff57d1c LP |
895 | if (l1 == sizeof(buf1)) |
896 | /* Read the full block, hence read a full block in the other file too */ | |
10981424 | 897 | |
eff57d1c LP |
898 | l2 = read(new_fd, buf2, l1); |
899 | else { | |
900 | assert((size_t) l1 < sizeof(buf1)); | |
901 | ||
902 | /* Short read. This hence was the last block in the first file, and then came | |
903 | * EOF. Read one byte more in the second file, so that we can verify we hit EOF there | |
904 | * too. */ | |
905 | ||
906 | assert((size_t) (l1 + 1) <= sizeof(buf2)); | |
907 | l2 = read(new_fd, buf2, l1 + 1); | |
908 | } | |
909 | if (l2 != l1) | |
910 | goto do_rename; | |
10981424 LP |
911 | |
912 | if (memcmp(buf1, buf2, l1) != 0) | |
913 | goto do_rename; | |
eff57d1c LP |
914 | |
915 | if ((size_t) l1 < sizeof(buf1)) /* We hit EOF on the first file, and the second file too, hence exit | |
916 | * now. */ | |
917 | break; | |
10981424 LP |
918 | } |
919 | ||
920 | is_same: | |
921 | /* Everything matches? Then don't rename, instead remove the source file, and leave the existing | |
922 | * destination in place */ | |
923 | ||
924 | if (unlinkat(olddirfd, oldpath, 0) < 0) | |
925 | goto do_rename; | |
926 | ||
927 | return 0; | |
928 | ||
929 | do_rename: | |
930 | if (renameat(olddirfd, oldpath, newdirfd, newpath) < 0) | |
931 | return -errno; | |
932 | ||
933 | return 1; | |
934 | } | |
4c54768c IZ |
935 | |
936 | int posix_fallocate_loop(int fd, uint64_t offset, uint64_t size) { | |
937 | RateLimit rl; | |
938 | int r; | |
939 | ||
940 | r = posix_fallocate(fd, offset, size); /* returns positive errnos on error */ | |
941 | if (r != EINTR) | |
942 | return -r; /* Let's return negative errnos, like common in our codebase */ | |
943 | ||
944 | /* On EINTR try a couple of times more, but protect against busy looping | |
945 | * (not more than 16 times per 10s) */ | |
7d1e61ca | 946 | rl = (const RateLimit) { 10 * USEC_PER_SEC, 16 }; |
4c54768c IZ |
947 | while (ratelimit_below(&rl)) { |
948 | r = posix_fallocate(fd, offset, size); | |
949 | if (r != EINTR) | |
950 | return -r; | |
951 | } | |
952 | ||
953 | return -EINTR; | |
954 | } | |
68def5a9 LP |
955 | |
956 | int parse_cifs_service( | |
957 | const char *s, | |
958 | char **ret_host, | |
959 | char **ret_service, | |
960 | char **ret_path) { | |
961 | ||
962 | _cleanup_free_ char *h = NULL, *ss = NULL, *x = NULL; | |
963 | const char *p, *e, *d; | |
964 | char delimiter; | |
965 | ||
966 | /* Parses a CIFS service in form of //host/service/path… and splitting it in three parts. The last | |
967 | * part is optional, in which case NULL is returned there. To maximize compatibility syntax with | |
968 | * backslashes instead of slashes is accepted too. */ | |
969 | ||
970 | if (!s) | |
971 | return -EINVAL; | |
972 | ||
973 | p = startswith(s, "//"); | |
974 | if (!p) { | |
975 | p = startswith(s, "\\\\"); | |
976 | if (!p) | |
977 | return -EINVAL; | |
978 | } | |
979 | ||
980 | delimiter = s[0]; | |
981 | e = strchr(p, delimiter); | |
982 | if (!e) | |
983 | return -EINVAL; | |
984 | ||
985 | h = strndup(p, e - p); | |
986 | if (!h) | |
987 | return -ENOMEM; | |
988 | ||
989 | if (!hostname_is_valid(h, 0)) | |
990 | return -EINVAL; | |
991 | ||
992 | e++; | |
993 | ||
994 | d = strchrnul(e, delimiter); | |
995 | ||
996 | ss = strndup(e, d - e); | |
997 | if (!ss) | |
998 | return -ENOMEM; | |
999 | ||
1000 | if (!filename_is_valid(ss)) | |
1001 | return -EINVAL; | |
1002 | ||
1003 | if (!isempty(d)) { | |
1004 | x = strdup(skip_leading_chars(d, CHAR_TO_STR(delimiter))); | |
1005 | if (!x) | |
1006 | return -EINVAL; | |
1007 | ||
1008 | /* Make sure to convert Windows-style "\" → Unix-style / */ | |
1009 | for (char *i = x; *i; i++) | |
1010 | if (*i == delimiter) | |
1011 | *i = '/'; | |
1012 | ||
1013 | if (!path_is_valid(x)) | |
1014 | return -EINVAL; | |
1015 | ||
1016 | path_simplify(x); | |
1017 | if (!path_is_normalized(x)) | |
1018 | return -EINVAL; | |
1019 | } | |
1020 | ||
1021 | if (ret_host) | |
1022 | *ret_host = TAKE_PTR(h); | |
1023 | if (ret_service) | |
1024 | *ret_service = TAKE_PTR(ss); | |
1025 | if (ret_path) | |
1026 | *ret_path = TAKE_PTR(x); | |
1027 | ||
1028 | return 0; | |
1029 | } | |
c73094f3 LP |
1030 | |
1031 | int open_mkdir_at(int dirfd, const char *path, int flags, mode_t mode) { | |
254d1313 | 1032 | _cleanup_close_ int fd = -EBADF, parent_fd = -EBADF; |
797f6cc5 | 1033 | _cleanup_free_ char *fname = NULL, *parent = NULL; |
c73094f3 LP |
1034 | int r; |
1035 | ||
1036 | /* Creates a directory with mkdirat() and then opens it, in the "most atomic" fashion we can | |
1037 | * do. Guarantees that the returned fd refers to a directory. If O_EXCL is specified will fail if the | |
1038 | * dir already exists. Otherwise will open an existing dir, but only if it is one. */ | |
1039 | ||
1040 | if (flags & ~(O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_EXCL|O_NOATIME|O_NOFOLLOW|O_PATH)) | |
1041 | return -EINVAL; | |
1042 | if ((flags & O_ACCMODE) != O_RDONLY) | |
1043 | return -EINVAL; | |
1044 | ||
1045 | /* Note that O_DIRECTORY|O_NOFOLLOW is implied, but we allow specifying it anyway. The following | |
1046 | * flags actually make sense to specify: O_CLOEXEC, O_EXCL, O_NOATIME, O_PATH */ | |
1047 | ||
797f6cc5 LP |
1048 | /* If this is not a valid filename, it's a path. Let's open the parent directory then, so |
1049 | * that we can pin it, and operate below it. */ | |
1050 | r = path_extract_directory(path, &parent); | |
1051 | if (r < 0) { | |
1052 | if (!IN_SET(r, -EDESTADDRREQ, -EADDRNOTAVAIL)) | |
c73094f3 | 1053 | return r; |
797f6cc5 | 1054 | } else { |
c73094f3 LP |
1055 | r = path_extract_filename(path, &fname); |
1056 | if (r < 0) | |
1057 | return r; | |
1058 | ||
1059 | parent_fd = openat(dirfd, parent, O_PATH|O_DIRECTORY|O_CLOEXEC); | |
1060 | if (parent_fd < 0) | |
1061 | return -errno; | |
1062 | ||
1063 | dirfd = parent_fd; | |
1064 | path = fname; | |
1065 | } | |
1066 | ||
e40b11be | 1067 | fd = xopenat_full(dirfd, path, flags|O_CREAT|O_DIRECTORY|O_NOFOLLOW, /* xopen_flags = */ 0, mode); |
7486f9c3 DDM |
1068 | if (IN_SET(fd, -ELOOP, -ENOTDIR)) |
1069 | return -EEXIST; | |
1070 | if (fd < 0) | |
c73094f3 | 1071 | return fd; |
c73094f3 LP |
1072 | |
1073 | return TAKE_FD(fd); | |
1074 | } | |
ca8503f1 LP |
1075 | |
/* Just like openat(), but optionally reports via *ret_newly_created whether the file was created anew
 * by this call or existed already. This only makes a difference if O_CREAT is set without O_EXCL; in
 * all other cases this is a plain openat().
 *
 * Returns the fd on success, a negative errno-style error otherwise. */
int openat_report_new(int dirfd, const char *pathname, int flags, mode_t mode, bool *ret_newly_created) {
        bool ambiguous;
        int fd;

        /* Caller doesn't care? Then there's nothing special to do. */
        if (!ret_newly_created)
                return RET_NERRNO(openat(dirfd, pathname, flags, mode));

        /* Only with O_CREAT but without O_EXCL a single openat() cannot tell us who created the file */
        ambiguous = FLAGS_SET(flags, O_CREAT) && !FLAGS_SET(flags, O_EXCL);
        if (!ambiguous) {
                fd = openat(dirfd, pathname, flags, mode);
                if (fd < 0)
                        return -errno;

                /* Without O_CREAT nothing was created; with O_CREAT|O_EXCL success implies creation */
                *ret_newly_created = FLAGS_SET(flags, O_CREAT);
                return fd;
        }

        /* Alternate between "open existing" and "create exclusively" until one of them succeeds. Do not
         * spin forever though: give up after a fixed number of rounds. */
        for (unsigned remaining = 7; remaining > 0; remaining--) {

                /* First, attempt to open without O_CREAT/O_EXCL, i.e. open an existing file */
                fd = openat(dirfd, pathname, flags & ~(O_CREAT | O_EXCL), mode);
                if (fd >= 0) {
                        *ret_newly_created = false;
                        return fd;
                }
                if (errno != ENOENT)
                        return -errno;

                /* The file didn't exist, hence create it with O_CREAT/O_EXCL */
                fd = openat(dirfd, pathname, flags | O_CREAT | O_EXCL, mode);
                if (fd >= 0) {
                        *ret_newly_created = true;
                        return fd;
                }
                if (errno != EEXIST)
                        return -errno;

                /* EEXIST: so it apparently exists now? Then go for another round and try to open it
                 * without the two flags again. */
        }

        return -EEXIST; /* Give up eventually, somebody is playing with us */
}
7486f9c3 | 1122 | |
e40b11be | 1123 | int xopenat_full(int dir_fd, const char *path, int open_flags, XOpenFlags xopen_flags, mode_t mode) { |
7486f9c3 DDM |
1124 | _cleanup_close_ int fd = -EBADF; |
1125 | bool made = false; | |
1126 | int r; | |
1127 | ||
2646b86d | 1128 | assert(dir_fd >= 0 || dir_fd == AT_FDCWD); |
2646b86d | 1129 | |
9b85e907 LP |
1130 | /* This is like openat(), but has a few tricks up its sleeves, extending behaviour: |
1131 | * | |
1132 | * • O_DIRECTORY|O_CREAT is supported, which causes a directory to be created, and immediately | |
1133 | * opened. When used with the XO_SUBVOLUME flag this will even create a btrfs subvolume. | |
1134 | * | |
1135 | * • If O_CREAT is used with XO_LABEL, any created file will be immediately relabelled. | |
1136 | * | |
1137 | * • If the path is specified NULL or empty, behaves like fd_reopen(). | |
1138 | */ | |
1139 | ||
06ca2db3 | 1140 | if (isempty(path)) { |
420d2e31 DDM |
1141 | assert(!FLAGS_SET(open_flags, O_CREAT|O_EXCL)); |
1142 | return fd_reopen(dir_fd, open_flags & ~O_NOFOLLOW); | |
06ca2db3 DDM |
1143 | } |
1144 | ||
420d2e31 DDM |
1145 | if (FLAGS_SET(open_flags, O_CREAT) && FLAGS_SET(xopen_flags, XO_LABEL)) { |
1146 | r = label_ops_pre(dir_fd, path, FLAGS_SET(open_flags, O_DIRECTORY) ? S_IFDIR : S_IFREG); | |
1147 | if (r < 0) | |
1148 | return r; | |
1149 | } | |
1150 | ||
1151 | if (FLAGS_SET(open_flags, O_DIRECTORY|O_CREAT)) { | |
bc6a6130 DDM |
1152 | if (FLAGS_SET(xopen_flags, XO_SUBVOLUME)) |
1153 | r = btrfs_subvol_make_fallback(dir_fd, path, mode); | |
1154 | else | |
1155 | r = RET_NERRNO(mkdirat(dir_fd, path, mode)); | |
7486f9c3 | 1156 | if (r == -EEXIST) { |
420d2e31 | 1157 | if (FLAGS_SET(open_flags, O_EXCL)) |
7486f9c3 DDM |
1158 | return -EEXIST; |
1159 | ||
1160 | made = false; | |
1161 | } else if (r < 0) | |
1162 | return r; | |
1163 | else | |
1164 | made = true; | |
1165 | ||
420d2e31 DDM |
1166 | if (FLAGS_SET(xopen_flags, XO_LABEL)) { |
1167 | r = label_ops_post(dir_fd, path); | |
1168 | if (r < 0) | |
1169 | return r; | |
1170 | } | |
1171 | ||
1172 | open_flags &= ~(O_EXCL|O_CREAT); | |
1173 | xopen_flags &= ~XO_LABEL; | |
7486f9c3 DDM |
1174 | } |
1175 | ||
420d2e31 | 1176 | fd = RET_NERRNO(openat(dir_fd, path, open_flags, mode)); |
7486f9c3 DDM |
1177 | if (fd < 0) { |
1178 | if (IN_SET(fd, | |
1179 | /* We got ENOENT? then someone else immediately removed it after we | |
1180 | * created it. In that case let's return immediately without unlinking | |
1181 | * anything, because there simply isn't anything to unlink anymore. */ | |
1182 | -ENOENT, | |
1183 | /* is a symlink? exists already → created by someone else, don't unlink */ | |
1184 | -ELOOP, | |
1185 | /* not a directory? exists already → created by someone else, don't unlink */ | |
1186 | -ENOTDIR)) | |
1187 | return fd; | |
1188 | ||
1189 | if (made) | |
1190 | (void) unlinkat(dir_fd, path, AT_REMOVEDIR); | |
1191 | ||
1192 | return fd; | |
1193 | } | |
1194 | ||
420d2e31 DDM |
1195 | if (FLAGS_SET(open_flags, O_CREAT) && FLAGS_SET(xopen_flags, XO_LABEL)) { |
1196 | r = label_ops_post(dir_fd, path); | |
1197 | if (r < 0) | |
1198 | return r; | |
1199 | } | |
1200 | ||
7486f9c3 DDM |
1201 | return TAKE_FD(fd); |
1202 | } | |
2646b86d | 1203 | |
e40b11be | 1204 | int xopenat_lock_full( |
420d2e31 DDM |
1205 | int dir_fd, |
1206 | const char *path, | |
1207 | int open_flags, | |
1208 | XOpenFlags xopen_flags, | |
1209 | mode_t mode, | |
1210 | LockType locktype, | |
1211 | int operation) { | |
1212 | ||
2646b86d DDM |
1213 | _cleanup_close_ int fd = -EBADF; |
1214 | int r; | |
1215 | ||
1216 | assert(dir_fd >= 0 || dir_fd == AT_FDCWD); | |
2646b86d DDM |
1217 | assert(IN_SET(operation & ~LOCK_NB, LOCK_EX, LOCK_SH)); |
1218 | ||
1219 | /* POSIX/UNPOSIX locks don't work on directories (errno is set to -EBADF so let's return early with | |
1220 | * the same error here). */ | |
0867a465 | 1221 | if (FLAGS_SET(open_flags, O_DIRECTORY) && !IN_SET(locktype, LOCK_BSD, LOCK_NONE)) |
2646b86d DDM |
1222 | return -EBADF; |
1223 | ||
1224 | for (;;) { | |
1225 | struct stat st; | |
1226 | ||
e40b11be | 1227 | fd = xopenat_full(dir_fd, path, open_flags, xopen_flags, mode); |
2646b86d DDM |
1228 | if (fd < 0) |
1229 | return fd; | |
1230 | ||
1231 | r = lock_generic(fd, locktype, operation); | |
1232 | if (r < 0) | |
1233 | return r; | |
1234 | ||
1235 | /* If we acquired the lock, let's check if the file/directory still exists in the file | |
1236 | * system. If not, then the previous exclusive owner removed it and then closed it. In such a | |
1237 | * case our acquired lock is worthless, hence try again. */ | |
1238 | ||
1239 | if (fstat(fd, &st) < 0) | |
1240 | return -errno; | |
1241 | if (st.st_nlink > 0) | |
1242 | break; | |
1243 | ||
1244 | fd = safe_close(fd); | |
1245 | } | |
1246 | ||
1247 | return TAKE_FD(fd); | |
1248 | } | |
0b8e36f0 LP |
1249 | |
1250 | int link_fd(int fd, int newdirfd, const char *newpath) { | |
1251 | int r; | |
1252 | ||
1253 | assert(fd >= 0); | |
1254 | assert(newdirfd >= 0 || newdirfd == AT_FDCWD); | |
1255 | assert(newpath); | |
1256 | ||
1257 | /* Try linking via /proc/self/fd/ first. */ | |
1258 | r = RET_NERRNO(linkat(AT_FDCWD, FORMAT_PROC_FD_PATH(fd), newdirfd, newpath, AT_SYMLINK_FOLLOW)); | |
1259 | if (r != -ENOENT) | |
1260 | return r; | |
1261 | ||
1262 | /* Fall back to symlinking via AT_EMPTY_PATH as fallback (this requires CAP_DAC_READ_SEARCH and a | |
1263 | * more recent kernel, but does not require /proc/ mounted) */ | |
1264 | if (proc_mounted() != 0) | |
1265 | return r; | |
1266 | ||
1267 | return RET_NERRNO(linkat(fd, "", newdirfd, newpath, AT_EMPTY_PATH)); | |
1268 | } | |
1f27e7b7 LP |
1269 | |
1270 | int linkat_replace(int olddirfd, const char *oldpath, int newdirfd, const char *newpath) { | |
1271 | _cleanup_close_ int old_fd = -EBADF; | |
1272 | int r; | |
1273 | ||
1274 | assert(olddirfd >= 0 || olddirfd == AT_FDCWD); | |
1275 | assert(newdirfd >= 0 || newdirfd == AT_FDCWD); | |
1276 | assert(!isempty(newpath)); /* source path is optional, but the target path is not */ | |
1277 | ||
1278 | /* Like linkat() but replaces the target if needed. Is a NOP if source and target already share the | |
1279 | * same inode. */ | |
1280 | ||
1281 | if (olddirfd == AT_FDCWD && isempty(oldpath)) /* Refuse operating on the cwd (which is a dir, and dirs can't be hardlinked) */ | |
1282 | return -EISDIR; | |
1283 | ||
1284 | if (path_implies_directory(oldpath)) /* Refuse these definite directories early */ | |
1285 | return -EISDIR; | |
1286 | ||
1287 | if (path_implies_directory(newpath)) | |
1288 | return -EISDIR; | |
1289 | ||
1290 | /* First, try to link this directly */ | |
1291 | if (oldpath) | |
1292 | r = RET_NERRNO(linkat(olddirfd, oldpath, newdirfd, newpath, 0)); | |
1293 | else | |
1294 | r = link_fd(olddirfd, newdirfd, newpath); | |
1295 | if (r >= 0) | |
1296 | return 0; | |
1297 | if (r != -EEXIST) | |
1298 | return r; | |
1299 | ||
1300 | old_fd = xopenat(olddirfd, oldpath, O_PATH|O_CLOEXEC); | |
1301 | if (old_fd < 0) | |
1302 | return old_fd; | |
1303 | ||
1304 | struct stat old_st; | |
1305 | if (fstat(old_fd, &old_st) < 0) | |
1306 | return -errno; | |
1307 | ||
1308 | if (S_ISDIR(old_st.st_mode)) /* Don't bother if we are operating on a directory */ | |
1309 | return -EISDIR; | |
1310 | ||
1311 | struct stat new_st; | |
1312 | if (fstatat(newdirfd, newpath, &new_st, AT_SYMLINK_NOFOLLOW) < 0) | |
1313 | return -errno; | |
1314 | ||
1315 | if (S_ISDIR(new_st.st_mode)) /* Refuse replacing directories */ | |
1316 | return -EEXIST; | |
1317 | ||
1318 | if (stat_inode_same(&old_st, &new_st)) /* Already the same inode? Then shortcut this */ | |
1319 | return 0; | |
1320 | ||
1321 | _cleanup_free_ char *tmp_path = NULL; | |
1322 | r = tempfn_random(newpath, /* extra= */ NULL, &tmp_path); | |
1323 | if (r < 0) | |
1324 | return r; | |
1325 | ||
1326 | r = link_fd(old_fd, newdirfd, tmp_path); | |
1327 | if (r < 0) { | |
1328 | if (!ERRNO_IS_PRIVILEGE(r)) | |
1329 | return r; | |
1330 | ||
1331 | /* If that didn't work due to permissions then go via the path of the dentry */ | |
1332 | r = RET_NERRNO(linkat(olddirfd, oldpath, newdirfd, tmp_path, 0)); | |
1333 | if (r < 0) | |
1334 | return r; | |
1335 | } | |
1336 | ||
1337 | r = RET_NERRNO(renameat(newdirfd, tmp_path, newdirfd, newpath)); | |
1338 | if (r < 0) { | |
1339 | (void) unlinkat(newdirfd, tmp_path, /* flags= */ 0); | |
1340 | return r; | |
1341 | } | |
1342 | ||
1343 | return 0; | |
1344 | } |