]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/basic/fs-util.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
fs-util: try AT_EMPTY_PATH first for futimens_opath
[thirdparty/systemd.git] / src / basic / fs-util.c
CommitLineData
db9ecf05 1/* SPDX-License-Identifier: LGPL-2.1-or-later */
f4f15635 2
11c3a366
TA		 3#include <errno.h>
4#include <stddef.h>
11c3a366 5#include <stdlib.h>
2646b86d 6#include <sys/file.h>
1c73b069 7#include <linux/falloc.h>
655f2da0 8#include <linux/magic.h>
11c3a366
TA		 9#include <unistd.h>
10
b5efdb8a 11#include "alloc-util.h"
bc6a6130 12#include "btrfs.h"
f4f15635
LP		 13#include "dirent-util.h"
14#include "fd-util.h"
ed9c0851 15#include "fileio.h"
f4f15635 16#include "fs-util.h"
68def5a9 17#include "hostname-util.h"
420d2e31 18#include "label.h"
2646b86d 19#include "lock-util.h"
11c3a366
TA		 20#include "log.h"
21#include "macro.h"
0499585f 22#include "missing_fcntl.h"
f5947a5e
YW		 23#include "missing_fs.h"
24#include "missing_syscall.h"
93cc7779
TA		 25#include "mkdir.h"
26#include "parse-util.h"
27#include "path-util.h"
dccca82b 28#include "process-util.h"
053e0626 29#include "random-util.h"
4c54768c 30#include "ratelimit.h"
34a8f081 31#include "stat-util.h"
430fbf8e 32#include "stdio-util.h"
f4f15635
LP		 33#include "string-util.h"
34#include "strv.h"
93cc7779 35#include "time-util.h"
e4de7287 36#include "tmpfile-util.h"
7c248223 37#include "umask-util.h"
ee104e11 38#include "user-util.h"
f4f15635 39
f4f15635 40int rmdir_parents(const char *path, const char *stop) {
4e046c5c
YW		 41 char *p;
42 int r;
f4f15635
LP		 43
44 assert(path);
45 assert(stop);
46
4e046c5c
YW		 47 if (!path_is_safe(path))
48 return -EINVAL;
f4f15635 49
4e046c5c
YW		 50 if (!path_is_safe(stop))
51 return -EINVAL;
f4f15635 52
2f82562b 53 p = strdupa_safe(path);
f4f15635 54
4e046c5c
YW		 55 for (;;) {
56 char *slash = NULL;
f4f15635 57
4e046c5c
YW		 58 /* skip the last component. */
59 r = path_find_last_component(p, /* accept_dot_dot= */ false, (const char **) &slash, NULL);
60 if (r <= 0)
61 return r;
62 if (slash == p)
63 return 0;
f4f15635 64
4e046c5c
YW		 65 assert(*slash == '/');
66 *slash = '\0';
f4f15635 67
4e046c5c 68 if (path_startswith_full(stop, p, /* accept_dot_dot= */ false))
f4f15635 69 return 0;
f4f15635 70
4e046c5c
YW		 71 if (rmdir(p) < 0 && errno != ENOENT)
72 return -errno;
f4f15635 73 }
f4f15635
LP		 74}
75
f4f15635 76int rename_noreplace(int olddirfd, const char *oldpath, int newdirfd, const char *newpath) {
2f15b625 77 int r;
f4f15635 78
2f15b625
LP		 79 /* Try the ideal approach first */
80 if (renameat2(olddirfd, oldpath, newdirfd, newpath, RENAME_NOREPLACE) >= 0)
f4f15635
LP		 81 return 0;
82
2f15b625
LP		 83 /* renameat2() exists since Linux 3.15, btrfs and FAT added support for it later. If it is not implemented,
84 * fall back to a different method. */
62e10065 85 if (!ERRNO_IS_NOT_SUPPORTED(errno) && errno != EINVAL)
f4f15635
LP		 86 return -errno;
87
2f15b625
LP		 88 /* Let's try to use linkat()+unlinkat() as fallback. This doesn't work on directories and on some file systems
89 * that do not support hard links (such as FAT, most prominently), but for files it's pretty close to what we
90 * want — though not atomic (i.e. for a short period both the new and the old filename will exist). */
91 if (linkat(olddirfd, oldpath, newdirfd, newpath, 0) >= 0) {
92
7c248223
LP		 93 r = RET_NERRNO(unlinkat(olddirfd, oldpath, 0));
94 if (r < 0) {
2f15b625
LP		 95 (void) unlinkat(newdirfd, newpath, 0);
96 return r;
97 }
98
99 return 0;
f4f15635
LP		 100 }
101
62e10065 102 if (!ERRNO_IS_NOT_SUPPORTED(errno) && !IN_SET(errno, EINVAL, EPERM)) /* FAT returns EPERM on link()… */
f4f15635
LP		 103 return -errno;
104
2aed63f4 105 /* OK, neither RENAME_NOREPLACE nor linkat()+unlinkat() worked. Let's then fall back to the racy TOCTOU
2f15b625
LP		 106 * vulnerable accessat(F_OK) check followed by classic, replacing renameat(), we have nothing better. */
107
108 if (faccessat(newdirfd, newpath, F_OK, AT_SYMLINK_NOFOLLOW) >= 0)
109 return -EEXIST;
110 if (errno != ENOENT)
111 return -errno;
112
7c248223 113 return RET_NERRNO(renameat(olddirfd, oldpath, newdirfd, newpath));
f4f15635
LP		 114}
115
116int readlinkat_malloc(int fd, const char *p, char **ret) {
db220032 117 size_t l = PATH_MAX;
f4f15635 118
e4c094c0
YW		 119 assert(fd >= 0 || fd == AT_FDCWD);
120
121 if (fd < 0 && isempty(p))
122 return -EISDIR; /* In this case, the fd points to the current working directory, and is
123 * definitely not a symlink. Let's return earlier. */
f4f15635
LP		 124
125 for (;;) {
db220032 126 _cleanup_free_ char *c = NULL;
f4f15635
LP		 127 ssize_t n;
128
db220032 129 c = new(char, l+1);
f4f15635
LP		 130 if (!c)
131 return -ENOMEM;
132
e4c094c0 133 n = readlinkat(fd, strempty(p), c, l);
db220032
LP		 134 if (n < 0)
135 return -errno;
f4f15635 136
db220032 137 if ((size_t) n < l) {
f4f15635 138 c[n] = 0;
aed3c5ec
LP		 139
140 if (ret)
141 *ret = TAKE_PTR(c);
142
f4f15635
LP		 143 return 0;
144 }
145
db220032
LP		 146 if (l > (SSIZE_MAX-1)/2) /* readlinkat() returns an ssize_t, and we want an extra byte for a
147 * trailing NUL, hence do an overflow check relative to SSIZE_MAX-1
148 * here */
149 return -EFBIG;
150
f4f15635
LP		 151 l *= 2;
152 }
153}
154
155int readlink_malloc(const char *p, char **ret) {
156 return readlinkat_malloc(AT_FDCWD, p, ret);
157}
158
159int readlink_value(const char *p, char **ret) {
bb60956b 160 _cleanup_free_ char *link = NULL, *name = NULL;
f4f15635
LP		 161 int r;
162
ce8394f9
YW		 163 assert(p);
164 assert(ret);
165
f4f15635
LP		 166 r = readlink_malloc(p, &link);
167 if (r < 0)
168 return r;
169
bb60956b
YW		 170 r = path_extract_filename(link, &name);
171 if (r < 0)
172 return r;
173 if (r == O_DIRECTORY)
174 return -EINVAL;
175
176 *ret = TAKE_PTR(name);
177 return 0;
f4f15635
LP		 178}
179
162f6477 180int readlink_and_make_absolute(const char *p, char **ret) {
f4f15635 181 _cleanup_free_ char *target = NULL;
162f6477 182 int r;
f4f15635
LP		 183
184 assert(p);
162f6477 185 assert(ret);
f4f15635 186
162f6477
LP		 187 r = readlink_malloc(p, &target);
188 if (r < 0)
189 return r;
f4f15635 190
162f6477 191 return file_in_same_dir(p, target, ret);
f4f15635
LP		 192}
193
55451417 194int chmod_and_chown_at(int dir_fd, const char *path, mode_t mode, uid_t uid, gid_t gid) {
254d1313 195 _cleanup_close_ int fd = -EBADF;
30ff18d8 196
7d000133
DDM		 197 assert(dir_fd >= 0 || dir_fd == AT_FDCWD);
198
55451417
DDM		 199 if (path) {
200 /* Let's acquire an O_PATH fd, as precaution to change mode/owner on the same file */
201 fd = openat(dir_fd, path, O_PATH|O_CLOEXEC|O_NOFOLLOW);
202 if (fd < 0)
203 return -errno;
340bc268
YW		 204 dir_fd = fd;
205
206 } else if (dir_fd == AT_FDCWD) {
207 /* Let's acquire an O_PATH fd of the current directory */
208 fd = openat(dir_fd, ".", O_PATH|O_CLOEXEC|O_NOFOLLOW|O_DIRECTORY);
209 if (fd < 0)
210 return -errno;
211 dir_fd = fd;
55451417 212 }
de321f52 213
340bc268 214 return fchmod_and_chown(dir_fd, mode, uid, gid);
b8da477e
YW		 215}
216
0520564d 217int fchmod_and_chown_with_fallback(int fd, const char *path, mode_t mode, uid_t uid, gid_t gid) {
2dbb7e94 218 bool do_chown, do_chmod;
30ff18d8 219 struct stat st;
dee00c19 220 int r;
30ff18d8 221
2dbb7e94
LP		 222 /* Change ownership and access mode of the specified fd. Tries to do so safely, ensuring that at no
223 * point in time the access mode is above the old access mode under the old ownership or the new
224 * access mode under the new ownership. Note: this call tries hard to leave the access mode
225 * unaffected if the uid/gid is changed, i.e. it undoes implicit suid/sgid dropping the kernel does
226 * on chown().
227 *
0520564d
ZJS		 228 * This call is happy with O_PATH fds.
229 *
230 * If path is given, allow a fallback path which does not use /proc/self/fd/. On any normal system
231 * /proc will be mounted, but in certain improperly assembled environments it might not be. This is
232 * less secure (potential TOCTOU), so should only be used after consideration. */
b8da477e 233
71ec74d1 234 if (fstat(fd, &st) < 0)
2dbb7e94 235 return -errno;
de321f52 236
2dbb7e94
LP		 237 do_chown =
238 (uid != UID_INVALID && st.st_uid != uid) ||
239 (gid != GID_INVALID && st.st_gid != gid);
de321f52 240
2dbb7e94
LP		 241 do_chmod =
242 !S_ISLNK(st.st_mode) && /* chmod is not defined on symlinks */
243 ((mode != MODE_INVALID && ((st.st_mode ^ mode) & 07777) != 0) ||
244 do_chown); /* If we change ownership, make sure we reset the mode afterwards, since chown()
245 * modifies the access mode too */
30ff18d8 246
2dbb7e94
LP		 247 if (mode == MODE_INVALID)
248 mode = st.st_mode; /* If we only shall do a chown(), save original mode, since chown() might break it. */
249 else if ((mode & S_IFMT) != 0 && ((mode ^ st.st_mode) & S_IFMT) != 0)
250 return -EINVAL; /* insist on the right file type if it was specified */
de321f52 251
2dbb7e94
LP		 252 if (do_chown && do_chmod) {
253 mode_t minimal = st.st_mode & mode; /* the subset of the old and the new mask */
30ff18d8 254
dee00c19
LP		 255 if (((minimal ^ st.st_mode) & 07777) != 0) {
256 r = fchmod_opath(fd, minimal & 07777);
0520564d
ZJS		 257 if (r < 0) {
258 if (!path || r != -ENOSYS)
259 return r;
260
261 /* Fallback path which doesn't use /proc/self/fd/. */
262 if (chmod(path, minimal & 07777) < 0)
263 return -errno;
264 }
dee00c19 265 }
de321f52 266 }
b8da477e 267
2dbb7e94 268 if (do_chown)
71ec74d1 269 if (fchownat(fd, "", uid, gid, AT_EMPTY_PATH) < 0)
2dbb7e94 270 return -errno;
30ff18d8 271
dee00c19
LP		 272 if (do_chmod) {
273 r = fchmod_opath(fd, mode & 07777);
0520564d
ZJS		 274 if (r < 0) {
275 if (!path || r != -ENOSYS)
276 return r;
277
278 /* Fallback path which doesn't use /proc/self/fd/. */
279 if (chmod(path, mode & 07777) < 0)
280 return -errno;
281 }
dee00c19 282 }
30ff18d8 283
2dbb7e94 284 return do_chown || do_chmod;
f4f15635
LP		 285}
286
f4f15635 287int fchmod_umask(int fd, mode_t m) {
7c248223 288 _cleanup_umask_ mode_t u = umask(0777);
f4f15635 289
7c248223 290 return RET_NERRNO(fchmod(fd, m & (~u)));
f4f15635
LP		 291}
292
4dfaa528 293int fchmod_opath(int fd, mode_t m) {
4dfaa528 294 /* This function operates also on fd that might have been opened with
adecfb3b
AM		 295 * O_PATH. The tool set we have is non-intuitive:
296 * - fchmod(2) only operates on open files (i. e., fds with an open file description);
297 * - fchmodat(2) does not have a flag arg like fchownat(2) does, so no way to pass AT_EMPTY_PATH;
298 * + it should not be confused with the libc fchmodat(3) interface, which adds 4th flag argument,
299 * but does not support AT_EMPTY_PATH (only supports AT_SYMLINK_NOFOLLOW);
300 * - fchmodat2(2) supports all the AT_* flags, but is still very recent.
301 *
302 * We try to use fchmodat2(), and, if it is not supported, resort
303 * to the /proc/self/fd dance. */
304
305 assert(fd >= 0);
306
307 if (fchmodat2(fd, "", m, AT_EMPTY_PATH) >= 0)
308 return 0;
309 if (!IN_SET(errno, ENOSYS, EPERM)) /* Some container managers block unknown syscalls with EPERM */
310 return -errno;
4dfaa528 311
ddb6eeaf 312 if (chmod(FORMAT_PROC_FD_PATH(fd), m) < 0) {
f8606626
LP		 313 if (errno != ENOENT)
314 return -errno;
315
316 if (proc_mounted() == 0)
317 return -ENOSYS; /* if we have no /proc/, the concept is not implementable */
318
319 return -ENOENT;
320 }
4dfaa528
FB		 321
322 return 0;
323}
324
f25bff5e 325int futimens_opath(int fd, const struct timespec ts[2]) {
150231d2 326 /* Similar to fchmod_opath() but for futimens() */
f25bff5e 327
973464ad
MY		 328 assert(fd >= 0);
329
330 if (utimensat(fd, "", ts, AT_EMPTY_PATH) >= 0)
331 return 0;
332 if (errno != EINVAL)
333 return -errno;
334
335 /* Support for AT_EMPTY_PATH is added rather late (kernel 5.8), so fall back to going through /proc/
336 * if unavailable. */
337
338 if (utimensat(AT_FDCWD, FORMAT_PROC_FD_PATH(fd), ts, /* flags = */ 0) < 0) {
f25bff5e
LP		 339 if (errno != ENOENT)
340 return -errno;
341
342 if (proc_mounted() == 0)
973464ad 343 return -ENOSYS;
f25bff5e
LP		 344
345 return -ENOENT;
346 }
347
348 return 0;
349}
350
22ed4a6d
LP		 351int stat_warn_permissions(const char *path, const struct stat *st) {
352 assert(path);
353 assert(st);
f4f15635 354
b6cceaae 355 /* Don't complain if we are reading something that is not a file, for example /dev/null */
22ed4a6d 356 if (!S_ISREG(st->st_mode))
b6cceaae
LP		 357 return 0;
358
22ed4a6d 359 if (st->st_mode & 0111)
f4f15635
LP		 360 log_warning("Configuration file %s is marked executable. Please remove executable permission bits. Proceeding anyway.", path);
361
22ed4a6d 362 if (st->st_mode & 0002)
f4f15635
LP		 363 log_warning("Configuration file %s is marked world-writable. Please remove world writability permission bits. Proceeding anyway.", path);
364
22ed4a6d 365 if (getpid_cached() == 1 && (st->st_mode & 0044) != 0044)
f4f15635
LP		 366 log_warning("Configuration file %s is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.", path);
367
368 return 0;
369}
370
22ed4a6d
LP		 371int fd_warn_permissions(const char *path, int fd) {
372 struct stat st;
373
374 assert(path);
375 assert(fd >= 0);
376
377 if (fstat(fd, &st) < 0)
378 return -errno;
379
380 return stat_warn_permissions(path, &st);
381}
382
f4f15635 383int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode) {
254d1313 384 _cleanup_close_ int fd = -EBADF;
b71dbc6b 385 int r, ret;
f4f15635
LP		 386
387 assert(path);
388
9e3fa6e8
LP		 389 /* Note that touch_file() does not follow symlinks: if invoked on an existing symlink, then it is the symlink
390 * itself which is updated, not its target
391 *
392 * Returns the first error we encounter, but tries to apply as much as possible. */
f4f15635 393
9e3fa6e8
LP		 394 if (parents)
395 (void) mkdir_parents(path, 0755);
396
397 /* Initially, we try to open the node with O_PATH, so that we get a reference to the node. This is useful in
398 * case the path refers to an existing device or socket node, as we can open it successfully in all cases, and
399 * won't trigger any driver magic or so. */
400 fd = open(path, O_PATH|O_CLOEXEC|O_NOFOLLOW);
401 if (fd < 0) {
402 if (errno != ENOENT)
f4f15635 403 return -errno;
f4f15635 404
9e3fa6e8
LP		 405 /* if the node doesn't exist yet, we create it, but with O_EXCL, so that we only create a regular file
406 * here, and nothing else */
407 fd = open(path, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, IN_SET(mode, 0, MODE_INVALID) ? 0644 : mode);
408 if (fd < 0)
f4f15635
LP		 409 return -errno;
410 }
411
9e3fa6e8
LP		 412 /* Let's make a path from the fd, and operate on that. With this logic, we can adjust the access mode,
413 * ownership and time of the file node in all cases, even if the fd refers to an O_PATH object — which is
414 * something fchown(), fchmod(), futimensat() don't allow. */
4b3b5bc7 415 ret = fchmod_and_chown(fd, mode, uid, gid);
9e3fa6e8 416
f4f15635
LP		 417 if (stamp != USEC_INFINITY) {
418 struct timespec ts[2];
419
420 timespec_store(&ts[0], stamp);
421 ts[1] = ts[0];
b5794711 422 r = futimens_opath(fd, ts);
f4f15635 423 } else
b5794711 424 r = futimens_opath(fd, NULL);
9e3fa6e8 425 if (r < 0 && ret >= 0)
b5794711 426 return r;
f4f15635 427
9e3fa6e8 428 return ret;
f4f15635
LP		 429}
430
6c9c51e5
YW		 431int symlink_idempotent(const char *from, const char *to, bool make_relative) {
432 _cleanup_free_ char *relpath = NULL;
f4f15635
LP		 433 int r;
434
435 assert(from);
436 assert(to);
437
6c9c51e5 438 if (make_relative) {
449375d2 439 r = path_make_relative_parent(to, from, &relpath);
6c9c51e5
YW		 440 if (r < 0)
441 return r;
442
443 from = relpath;
444 }
445
f4f15635 446 if (symlink(from, to) < 0) {
77b79723
LP		 447 _cleanup_free_ char *p = NULL;
448
f4f15635
LP		 449 if (errno != EEXIST)
450 return -errno;
451
452 r = readlink_malloc(to, &p);
77b79723
LP		 453 if (r == -EINVAL) /* Not a symlink? In that case return the original error we encountered: -EEXIST */
454 return -EEXIST;
455 if (r < 0) /* Any other error? In that case propagate it as is */
f4f15635
LP		 456 return r;
457
77b79723
LP		 458 if (!streq(p, from)) /* Not the symlink we want it to be? In that case, propagate the original -EEXIST */
459 return -EEXIST;
f4f15635
LP		 460 }
461
462 return 0;
463}
464
da9dd029 465int symlinkat_atomic_full(const char *from, int atfd, const char *to, bool make_relative) {
590d8100 466 _cleanup_free_ char *relpath = NULL, *t = NULL;
f4f15635
LP		 467 int r;
468
469 assert(from);
470 assert(to);
471
590d8100
YW		 472 if (make_relative) {
473 r = path_make_relative_parent(to, from, &relpath);
474 if (r < 0)
475 return r;
476
477 from = relpath;
478 }
479
f4f15635
LP		 480 r = tempfn_random(to, NULL, &t);
481 if (r < 0)
482 return r;
483
da9dd029 484 if (symlinkat(from, atfd, t) < 0)
f4f15635
LP		 485 return -errno;
486
da9dd029
LP		 487 r = RET_NERRNO(renameat(atfd, t, atfd, to));
488 if (r < 0) {
489 (void) unlinkat(atfd, t, 0);
490 return r;
f4f15635
LP		 491 }
492
493 return 0;
494}
495
497ca785 496int mknodat_atomic(int atfd, const char *path, mode_t mode, dev_t dev) {
f4f15635
LP		 497 _cleanup_free_ char *t = NULL;
498 int r;
499
500 assert(path);
501
502 r = tempfn_random(path, NULL, &t);
503 if (r < 0)
504 return r;
505
497ca785 506 if (mknodat(atfd, t, mode, dev) < 0)
f4f15635
LP		 507 return -errno;
508
497ca785
LP		 509 r = RET_NERRNO(renameat(atfd, t, atfd, path));
510 if (r < 0) {
511 (void) unlinkat(atfd, t, 0);
512 return r;
f4f15635
LP		 513 }
514
515 return 0;
516}
517
4f477796 518int mkfifoat_atomic(int atfd, const char *path, mode_t mode) {
f4f15635
LP		 519 _cleanup_free_ char *t = NULL;
520 int r;
521
522 assert(path);
523
4f477796 524 /* We're only interested in the (random) filename. */
f4f15635
LP		 525 r = tempfn_random(path, NULL, &t);
526 if (r < 0)
527 return r;
528
4f477796 529 if (mkfifoat(atfd, t, mode) < 0)
4fe3828c 530 return -errno;
4fe3828c 531
4f477796
LP		 532 r = RET_NERRNO(renameat(atfd, t, atfd, path));
533 if (r < 0) {
534 (void) unlinkat(atfd, t, 0);
4fe3828c 535 return r;
f4f15635
LP		 536 }
537
538 return 0;
539}
540
541int get_files_in_directory(const char *path, char ***list) {
319a4f4b 542 _cleanup_strv_free_ char **l = NULL;
f4f15635 543 _cleanup_closedir_ DIR *d = NULL;
319a4f4b 544 size_t n = 0;
f4f15635
LP		 545
546 assert(path);
547
548 /* Returns all files in a directory in *list, and the number
549 * of files as return value. If list is NULL returns only the
550 * number. */
551
552 d = opendir(path);
553 if (!d)
554 return -errno;
555
8fb3f009 556 FOREACH_DIRENT_ALL(de, d, return -errno) {
f4f15635
LP		 557 if (!dirent_is_file(de))
558 continue;
559
560 if (list) {
561 /* one extra slot is needed for the terminating NULL */
319a4f4b 562 if (!GREEDY_REALLOC(l, n + 2))
f4f15635
LP		 563 return -ENOMEM;
564
565 l[n] = strdup(de->d_name);
566 if (!l[n])
567 return -ENOMEM;
568
569 l[++n] = NULL;
570 } else
571 n++;
572 }
573
ae2a15bc
LP		 574 if (list)
575 *list = TAKE_PTR(l);
f4f15635
LP		 576
577 return n;
578}
430fbf8e 579
992e8f22 580static int getenv_tmp_dir(const char **ret_path) {
992e8f22 581 int r, ret = 0;
34a8f081 582
992e8f22 583 assert(ret_path);
34a8f081 584
992e8f22
LP		 585 /* We use the same order of environment variables python uses in tempfile.gettempdir():
586 * https://docs.python.org/3/library/tempfile.html#tempfile.gettempdir */
587 FOREACH_STRING(n, "TMPDIR", "TEMP", "TMP") {
588 const char *e;
589
590 e = secure_getenv(n);
591 if (!e)
592 continue;
593 if (!path_is_absolute(e)) {
594 r = -ENOTDIR;
595 goto next;
596 }
99be45a4 597 if (!path_is_normalized(e)) {
992e8f22
LP		 598 r = -EPERM;
599 goto next;
600 }
601
602 r = is_dir(e, true);
603 if (r < 0)
604 goto next;
605 if (r == 0) {
606 r = -ENOTDIR;
607 goto next;
608 }
609
610 *ret_path = e;
611 return 1;
612
613 next:
614 /* Remember first error, to make this more debuggable */
615 if (ret >= 0)
616 ret = r;
34a8f081
OW		 617 }
618
992e8f22
LP		 619 if (ret < 0)
620 return ret;
34a8f081 621
992e8f22
LP		 622 *ret_path = NULL;
623 return ret;
624}
34a8f081 625
992e8f22
LP		 626static int tmp_dir_internal(const char *def, const char **ret) {
627 const char *e;
628 int r, k;
629
630 assert(def);
631 assert(ret);
632
633 r = getenv_tmp_dir(&e);
634 if (r > 0) {
635 *ret = e;
636 return 0;
637 }
638
639 k = is_dir(def, true);
640 if (k == 0)
641 k = -ENOTDIR;
642 if (k < 0)
643 return r < 0 ? r : k;
644
645 *ret = def;
34a8f081
OW		 646 return 0;
647}
648
992e8f22
LP		 649int var_tmp_dir(const char **ret) {
650
651 /* Returns the location for "larger" temporary files, that is backed by physical storage if available, and thus
652 * even might survive a boot: /var/tmp. If $TMPDIR (or related environment variables) are set, its value is
653 * returned preferably however. Note that both this function and tmp_dir() below are affected by $TMPDIR,
654 * making it a variable that overrides all temporary file storage locations. */
655
656 return tmp_dir_internal("/var/tmp", ret);
657}
658
659int tmp_dir(const char **ret) {
660
661 /* Similar to var_tmp_dir() above, but returns the location for "smaller" temporary files, which is usually
662 * backed by an in-memory file system: /tmp. */
663
664 return tmp_dir_internal("/tmp", ret);
665}
666
af229d7a
ZJS		 667int unlink_or_warn(const char *filename) {
668 if (unlink(filename) < 0 && errno != ENOENT)
669 /* If the file doesn't exist and the fs simply was read-only (in which
670 * case unlink() returns EROFS even if the file doesn't exist), don't
671 * complain */
672 if (errno != EROFS || access(filename, F_OK) >= 0)
673 return log_error_errno(errno, "Failed to remove \"%s\": %m", filename);
674
675 return 0;
676}
677
57a4359e 678int access_fd(int fd, int mode) {
57a4359e
LP		 679 /* Like access() but operates on an already open fd */
680
ddb6eeaf 681 if (access(FORMAT_PROC_FD_PATH(fd), mode) < 0) {
4265a66a
LP		 682 if (errno != ENOENT)
683 return -errno;
57a4359e 684
4265a66a
LP		 685 /* ENOENT can mean two things: that the fd does not exist or that /proc is not mounted. Let's
686 * make things debuggable and distinguish the two. */
687
688 if (proc_mounted() == 0)
689 return -ENOSYS; /* /proc is not available or not set up properly, we're most likely in some chroot
690 * environment. */
691
692 return -EBADF; /* The directory exists, hence it's the fd that doesn't. */
693 }
694
695 return 0;
57a4359e 696}
43767d9d 697
627d2bac
ZJS		 698void unlink_tempfilep(char (*p)[]) {
699 /* If the file is created with mkstemp(), it will (almost always)
700 * change the suffix. Treat this as a sign that the file was
701 * successfully created. We ignore both the rare case where the
702 * original suffix is used and unlink failures. */
703 if (!endswith(*p, ".XXXXXX"))
39eb3ffa 704 (void) unlink(*p);
627d2bac
ZJS		 705}
706
053e0626 707int unlinkat_deallocate(int fd, const char *name, UnlinkDeallocateFlags flags) {
254d1313 708 _cleanup_close_ int truncate_fd = -EBADF;
43767d9d
LP		 709 struct stat st;
710 off_t l, bs;
711
053e0626
LP		 712 assert((flags & ~(UNLINK_REMOVEDIR|UNLINK_ERASE)) == 0);
713
43767d9d
LP		 714 /* Operates like unlinkat() but also deallocates the file contents if it is a regular file and there's no other
715 * link to it. This is useful to ensure that other processes that might have the file open for reading won't be
716 * able to keep the data pinned on disk forever. This call is particular useful whenever we execute clean-up
717 * jobs ("vacuuming"), where we want to make sure the data is really gone and the disk space released and
718 * returned to the free pool.
719 *
720 * Deallocation is preferably done by FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE (👊) if supported, which means
721 * the file won't change size. That's a good thing since we shouldn't needlessly trigger SIGBUS in other
722 * programs that have mmap()ed the file. (The assumption here is that changing file contents to all zeroes
723 * underneath those programs is the better choice than simply triggering SIGBUS in them which truncation does.)
724 * However if hole punching is not implemented in the kernel or file system we'll fall back to normal file
725 * truncation (🔪), as our goal of deallocating the data space trumps our goal of being nice to readers (💐).
726 *
727 * Note that we attempt deallocation, but failure to succeed with that is not considered fatal, as long as the
728 * primary job – to delete the file – is accomplished. */
729
053e0626 730 if (!FLAGS_SET(flags, UNLINK_REMOVEDIR)) {
43767d9d
LP		 731 truncate_fd = openat(fd, name, O_WRONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|O_NONBLOCK);
732 if (truncate_fd < 0) {
733
734 /* If this failed because the file doesn't exist propagate the error right-away. Also,
735 * AT_REMOVEDIR wasn't set, and we tried to open the file for writing, which means EISDIR is
736 * returned when this is a directory but we are not supposed to delete those, hence propagate
737 * the error right-away too. */
738 if (IN_SET(errno, ENOENT, EISDIR))
739 return -errno;
740
741 if (errno != ELOOP) /* don't complain if this is a symlink */
742 log_debug_errno(errno, "Failed to open file '%s' for deallocation, ignoring: %m", name);
743 }
744 }
745
053e0626 746 if (unlinkat(fd, name, FLAGS_SET(flags, UNLINK_REMOVEDIR) ? AT_REMOVEDIR : 0) < 0)
43767d9d
LP		 747 return -errno;
748
749 if (truncate_fd < 0) /* Don't have a file handle, can't do more ☹️ */
750 return 0;
751
752 if (fstat(truncate_fd, &st) < 0) {
011723a4 753 log_debug_errno(errno, "Failed to stat file '%s' for deallocation, ignoring: %m", name);
43767d9d
LP		 754 return 0;
755 }
756
053e0626
LP		 757 if (!S_ISREG(st.st_mode))
758 return 0;
759
760 if (FLAGS_SET(flags, UNLINK_ERASE) && st.st_size > 0 && st.st_nlink == 0) {
761 uint64_t left = st.st_size;
762 char buffer[64 * 1024];
763
764 /* If erasing is requested, let's overwrite the file with random data once before deleting
765 * it. This isn't going to give you shred(1) semantics, but hopefully should be good enough
766 * for stuff backed by tmpfs at least.
767 *
15dd4515 768 * Note that we only erase like this if the link count of the file is zero. If it is higher it
053e0626
LP		 769 * is still linked by someone else and we'll leave it to them to remove it securely
770 * eventually! */
771
772 random_bytes(buffer, sizeof(buffer));
773
774 while (left > 0) {
775 ssize_t n;
776
777 n = write(truncate_fd, buffer, MIN(sizeof(buffer), left));
778 if (n < 0) {
779 log_debug_errno(errno, "Failed to erase data in file '%s', ignoring.", name);
780 break;
781 }
782
783 assert(left >= (size_t) n);
784 left -= n;
785 }
786
787 /* Let's refresh metadata */
788 if (fstat(truncate_fd, &st) < 0) {
789 log_debug_errno(errno, "Failed to stat file '%s' for deallocation, ignoring: %m", name);
790 return 0;
791 }
792 }
793
794 /* Don't dallocate if there's nothing to deallocate or if the file is linked elsewhere */
795 if (st.st_blocks == 0 || st.st_nlink > 0)
43767d9d
LP		 796 return 0;
797
798 /* If this is a regular file, it actually took up space on disk and there are no other links it's time to
799 * punch-hole/truncate this to release the disk space. */
800
801 bs = MAX(st.st_blksize, 512);
4dcaab9c 802 l = ROUND_UP(st.st_size, bs); /* Round up to next block size */
43767d9d
LP		 803
804 if (fallocate(truncate_fd, FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE, 0, l) >= 0)
805 return 0; /* Successfully punched a hole! 😊 */
806
807 /* Fall back to truncation */
808 if (ftruncate(truncate_fd, 0) < 0) {
809 log_debug_errno(errno, "Failed to truncate file to 0, ignoring: %m");
810 return 0;
811 }
812
813 return 0;
814}
11b29a96 815
14460a8a 816int open_parent_at(int dir_fd, const char *path, int flags, mode_t mode) {
ef8becfa 817 _cleanup_free_ char *parent = NULL;
7c248223 818 int r;
ef8becfa 819
14460a8a
DDM		 820 assert(dir_fd >= 0 || dir_fd == AT_FDCWD);
821 assert(path);
822
30cdcd62 823 r = path_extract_directory(path, &parent);
14460a8a
DDM		 824 if (r == -EDESTADDRREQ) {
825 parent = strdup(".");
826 if (!parent)
827 return -ENOMEM;
828 } else if (r == -EADDRNOTAVAIL) {
829 parent = strdup(path);
830 if (!parent)
831 return -ENOMEM;
832 } else if (r < 0)
30cdcd62 833 return r;
ef8becfa
LP		 834
835 /* Let's insist on O_DIRECTORY since the parent of a file or directory is a directory. Except if we open an
836 * O_TMPFILE file, because in that case we are actually create a regular file below the parent directory. */
837
0c21dafb 838 if (FLAGS_SET(flags, O_PATH))
ef8becfa 839 flags |= O_DIRECTORY;
0c21dafb 840 else if (!FLAGS_SET(flags, O_TMPFILE))
ef8becfa
LP		 841 flags |= O_DIRECTORY|O_RDONLY;
842
14460a8a 843 return RET_NERRNO(openat(dir_fd, parent, flags, mode));
ef8becfa 844}
ed9c0851 845
10195179 846int conservative_renameat(
10981424
LP		 847 int olddirfd, const char *oldpath,
848 int newdirfd, const char *newpath) {
849
254d1313 850 _cleanup_close_ int old_fd = -EBADF, new_fd = -EBADF;
10981424
LP		 851 struct stat old_stat, new_stat;
852
737a9edc 853 /* Renames the old path to the new path, much like renameat() — except if both are regular files and
10981424
LP		 854 * have the exact same contents and basic file attributes already. In that case remove the new file
855 * instead. This call is useful for reducing inotify wakeups on files that are updated but don't
856 * actually change. This function is written in a style that we rather rename too often than suppress
2657d5bd 857 * too much. I.e. whenever we are in doubt, we rather rename than fail. After all reducing inotify
10981424
LP		 858 * events is an optimization only, not more. */
859
860 old_fd = openat(olddirfd, oldpath, O_CLOEXEC|O_RDONLY|O_NOCTTY|O_NOFOLLOW);
861 if (old_fd < 0)
862 goto do_rename;
863
864 new_fd = openat(newdirfd, newpath, O_CLOEXEC|O_RDONLY|O_NOCTTY|O_NOFOLLOW);
865 if (new_fd < 0)
866 goto do_rename;
867
868 if (fstat(old_fd, &old_stat) < 0)
869 goto do_rename;
870
871 if (!S_ISREG(old_stat.st_mode))
872 goto do_rename;
873
874 if (fstat(new_fd, &new_stat) < 0)
875 goto do_rename;
876
a9dac7a6 877 if (stat_inode_same(&new_stat, &old_stat))
10981424
LP		 878 goto is_same;
879
880 if (old_stat.st_mode != new_stat.st_mode ||
881 old_stat.st_size != new_stat.st_size ||
882 old_stat.st_uid != new_stat.st_uid ||
883 old_stat.st_gid != new_stat.st_gid)
884 goto do_rename;
885
886 for (;;) {
eff57d1c
LP		 887 uint8_t buf1[16*1024];
888 uint8_t buf2[sizeof(buf1)];
10981424
LP		 889 ssize_t l1, l2;
890
891 l1 = read(old_fd, buf1, sizeof(buf1));
892 if (l1 < 0)
893 goto do_rename;
894
eff57d1c
LP		 895 if (l1 == sizeof(buf1))
896 /* Read the full block, hence read a full block in the other file too */
10981424 897
eff57d1c
LP		 898 l2 = read(new_fd, buf2, l1);
899 else {
900 assert((size_t) l1 < sizeof(buf1));
901
902 /* Short read. This hence was the last block in the first file, and then came
903 * EOF. Read one byte more in the second file, so that we can verify we hit EOF there
904 * too. */
905
906 assert((size_t) (l1 + 1) <= sizeof(buf2));
907 l2 = read(new_fd, buf2, l1 + 1);
908 }
909 if (l2 != l1)
910 goto do_rename;
10981424
LP		 911
912 if (memcmp(buf1, buf2, l1) != 0)
913 goto do_rename;
eff57d1c
LP		 914
915 if ((size_t) l1 < sizeof(buf1)) /* We hit EOF on the first file, and the second file too, hence exit
916 * now. */
917 break;
10981424
LP		 918 }
919
920is_same:
921 /* Everything matches? Then don't rename, instead remove the source file, and leave the existing
922 * destination in place */
923
924 if (unlinkat(olddirfd, oldpath, 0) < 0)
925 goto do_rename;
926
927 return 0;
928
929do_rename:
930 if (renameat(olddirfd, oldpath, newdirfd, newpath) < 0)
931 return -errno;
932
933 return 1;
934}
4c54768c
IZ		 935
936int posix_fallocate_loop(int fd, uint64_t offset, uint64_t size) {
937 RateLimit rl;
938 int r;
939
940 r = posix_fallocate(fd, offset, size); /* returns positive errnos on error */
941 if (r != EINTR)
942 return -r; /* Let's return negative errnos, like common in our codebase */
943
944 /* On EINTR try a couple of times more, but protect against busy looping
945 * (not more than 16 times per 10s) */
7d1e61ca 946 rl = (const RateLimit) { 10 * USEC_PER_SEC, 16 };
4c54768c
IZ		 947 while (ratelimit_below(&rl)) {
948 r = posix_fallocate(fd, offset, size);
949 if (r != EINTR)
950 return -r;
951 }
952
953 return -EINTR;
954}
68def5a9
LP		 955
956int parse_cifs_service(
957 const char *s,
958 char **ret_host,
959 char **ret_service,
960 char **ret_path) {
961
962 _cleanup_free_ char *h = NULL, *ss = NULL, *x = NULL;
963 const char *p, *e, *d;
964 char delimiter;
965
966 /* Parses a CIFS service in form of //host/service/path… and splitting it in three parts. The last
967 * part is optional, in which case NULL is returned there. To maximize compatibility syntax with
968 * backslashes instead of slashes is accepted too. */
969
970 if (!s)
971 return -EINVAL;
972
973 p = startswith(s, "//");
974 if (!p) {
975 p = startswith(s, "\\\\");
976 if (!p)
977 return -EINVAL;
978 }
979
980 delimiter = s[0];
981 e = strchr(p, delimiter);
982 if (!e)
983 return -EINVAL;
984
985 h = strndup(p, e - p);
986 if (!h)
987 return -ENOMEM;
988
989 if (!hostname_is_valid(h, 0))
990 return -EINVAL;
991
992 e++;
993
994 d = strchrnul(e, delimiter);
995
996 ss = strndup(e, d - e);
997 if (!ss)
998 return -ENOMEM;
999
1000 if (!filename_is_valid(ss))
1001 return -EINVAL;
1002
1003 if (!isempty(d)) {
1004 x = strdup(skip_leading_chars(d, CHAR_TO_STR(delimiter)));
1005 if (!x)
1006 return -EINVAL;
1007
1008 /* Make sure to convert Windows-style "\" → Unix-style / */
1009 for (char *i = x; *i; i++)
1010 if (*i == delimiter)
1011 *i = '/';
1012
1013 if (!path_is_valid(x))
1014 return -EINVAL;
1015
1016 path_simplify(x);
1017 if (!path_is_normalized(x))
1018 return -EINVAL;
1019 }
1020
1021 if (ret_host)
1022 *ret_host = TAKE_PTR(h);
1023 if (ret_service)
1024 *ret_service = TAKE_PTR(ss);
1025 if (ret_path)
1026 *ret_path = TAKE_PTR(x);
1027
1028 return 0;
1029}
c73094f3
LP		 1030
1031int open_mkdir_at(int dirfd, const char *path, int flags, mode_t mode) {
254d1313 1032 _cleanup_close_ int fd = -EBADF, parent_fd = -EBADF;
797f6cc5 1033 _cleanup_free_ char *fname = NULL, *parent = NULL;
c73094f3
LP		 1034 int r;
1035
1036 /* Creates a directory with mkdirat() and then opens it, in the "most atomic" fashion we can
1037 * do. Guarantees that the returned fd refers to a directory. If O_EXCL is specified will fail if the
1038 * dir already exists. Otherwise will open an existing dir, but only if it is one. */
1039
1040 if (flags & ~(O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_EXCL|O_NOATIME|O_NOFOLLOW|O_PATH))
1041 return -EINVAL;
1042 if ((flags & O_ACCMODE) != O_RDONLY)
1043 return -EINVAL;
1044
1045 /* Note that O_DIRECTORY|O_NOFOLLOW is implied, but we allow specifying it anyway. The following
1046 * flags actually make sense to specify: O_CLOEXEC, O_EXCL, O_NOATIME, O_PATH */
1047
797f6cc5
LP		 1048 /* If this is not a valid filename, it's a path. Let's open the parent directory then, so
1049 * that we can pin it, and operate below it. */
1050 r = path_extract_directory(path, &parent);
1051 if (r < 0) {
1052 if (!IN_SET(r, -EDESTADDRREQ, -EADDRNOTAVAIL))
c73094f3 1053 return r;
797f6cc5 1054 } else {
c73094f3
LP		 1055 r = path_extract_filename(path, &fname);
1056 if (r < 0)
1057 return r;
1058
1059 parent_fd = openat(dirfd, parent, O_PATH|O_DIRECTORY|O_CLOEXEC);
1060 if (parent_fd < 0)
1061 return -errno;
1062
1063 dirfd = parent_fd;
1064 path = fname;
1065 }
1066
e40b11be 1067 fd = xopenat_full(dirfd, path, flags|O_CREAT|O_DIRECTORY|O_NOFOLLOW, /* xopen_flags = */ 0, mode);
7486f9c3
DDM		 1068 if (IN_SET(fd, -ELOOP, -ENOTDIR))
1069 return -EEXIST;
1070 if (fd < 0)
c73094f3 1071 return fd;
c73094f3
LP		 1072
1073 return TAKE_FD(fd);
1074}
ca8503f1
LP		 1075
1076int openat_report_new(int dirfd, const char *pathname, int flags, mode_t mode, bool *ret_newly_created) {
1077 unsigned attempts = 7;
4d5dacbe 1078 int fd;
ca8503f1
LP		 1079
1080 /* Just like openat(), but adds one thing: optionally returns whether we created the file anew or if
b3122369 1081 * it already existed before. This is only relevant if O_CREAT is set without O_EXCL, and thus will
ca8503f1
LP		 1082 * shortcut to openat() otherwise */
1083
4d5dacbe 1084 if (!ret_newly_created)
ca8503f1
LP		 1085 return RET_NERRNO(openat(dirfd, pathname, flags, mode));
1086
4d5dacbe
LP		 1087 if (!FLAGS_SET(flags, O_CREAT) || FLAGS_SET(flags, O_EXCL)) {
1088 fd = openat(dirfd, pathname, flags, mode);
1089 if (fd < 0)
1090 return -errno;
ca8503f1 1091
4d5dacbe
LP		 1092 *ret_newly_created = FLAGS_SET(flags, O_CREAT);
1093 return fd;
1094 }
1095
1096 for (;;) {
ca8503f1
LP		 1097 /* First, attempt to open without O_CREAT/O_EXCL, i.e. open existing file */
1098 fd = openat(dirfd, pathname, flags & ~(O_CREAT | O_EXCL), mode);
1099 if (fd >= 0) {
1100 *ret_newly_created = false;
1101 return fd;
1102 }
1103 if (errno != ENOENT)
1104 return -errno;
1105
1106 /* So the file didn't exist yet, hence create it with O_CREAT/O_EXCL. */
1107 fd = openat(dirfd, pathname, flags | O_CREAT | O_EXCL, mode);
1108 if (fd >= 0) {
1109 *ret_newly_created = true;
1110 return fd;
1111 }
1112 if (errno != EEXIST)
1113 return -errno;
1114
1115 /* Hmm, so now we got EEXIST? So it apparently exists now? If so, let's try to open again
b3122369 1116 * without the two flags. But let's not spin forever, hence put a limit on things */
ca8503f1
LP		 1117
1118 if (--attempts == 0) /* Give up eventually, somebody is playing with us */
1119 return -EEXIST;
1120 }
1121}
7486f9c3 1122
e40b11be 1123int xopenat_full(int dir_fd, const char *path, int open_flags, XOpenFlags xopen_flags, mode_t mode) {
7486f9c3
DDM		 1124 _cleanup_close_ int fd = -EBADF;
1125 bool made = false;
1126 int r;
1127
2646b86d 1128 assert(dir_fd >= 0 || dir_fd == AT_FDCWD);
2646b86d 1129
9b85e907
LP		 1130 /* This is like openat(), but has a few tricks up its sleeves, extending behaviour:
1131 *
1132 * • O_DIRECTORY|O_CREAT is supported, which causes a directory to be created, and immediately
1133 * opened. When used with the XO_SUBVOLUME flag this will even create a btrfs subvolume.
1134 *
1135 * • If O_CREAT is used with XO_LABEL, any created file will be immediately relabelled.
1136 *
1137 * • If the path is specified NULL or empty, behaves like fd_reopen().
1138 */
1139
06ca2db3 1140 if (isempty(path)) {
420d2e31
DDM		 1141 assert(!FLAGS_SET(open_flags, O_CREAT|O_EXCL));
1142 return fd_reopen(dir_fd, open_flags & ~O_NOFOLLOW);
06ca2db3
DDM		 1143 }
1144
420d2e31
DDM		 1145 if (FLAGS_SET(open_flags, O_CREAT) && FLAGS_SET(xopen_flags, XO_LABEL)) {
1146 r = label_ops_pre(dir_fd, path, FLAGS_SET(open_flags, O_DIRECTORY) ? S_IFDIR : S_IFREG);
1147 if (r < 0)
1148 return r;
1149 }
1150
1151 if (FLAGS_SET(open_flags, O_DIRECTORY|O_CREAT)) {
bc6a6130
DDM		 1152 if (FLAGS_SET(xopen_flags, XO_SUBVOLUME))
1153 r = btrfs_subvol_make_fallback(dir_fd, path, mode);
1154 else
1155 r = RET_NERRNO(mkdirat(dir_fd, path, mode));
7486f9c3 1156 if (r == -EEXIST) {
420d2e31 1157 if (FLAGS_SET(open_flags, O_EXCL))
7486f9c3
DDM		 1158 return -EEXIST;
1159
1160 made = false;
1161 } else if (r < 0)
1162 return r;
1163 else
1164 made = true;
1165
420d2e31
DDM		 1166 if (FLAGS_SET(xopen_flags, XO_LABEL)) {
1167 r = label_ops_post(dir_fd, path);
1168 if (r < 0)
1169 return r;
1170 }
1171
1172 open_flags &= ~(O_EXCL|O_CREAT);
1173 xopen_flags &= ~XO_LABEL;
7486f9c3
DDM		 1174 }
1175
420d2e31 1176 fd = RET_NERRNO(openat(dir_fd, path, open_flags, mode));
7486f9c3
DDM		 1177 if (fd < 0) {
1178 if (IN_SET(fd,
1179 /* We got ENOENT? then someone else immediately removed it after we
1180 * created it. In that case let's return immediately without unlinking
1181 * anything, because there simply isn't anything to unlink anymore. */
1182 -ENOENT,
1183 /* is a symlink? exists already → created by someone else, don't unlink */
1184 -ELOOP,
1185 /* not a directory? exists already → created by someone else, don't unlink */
1186 -ENOTDIR))
1187 return fd;
1188
1189 if (made)
1190 (void) unlinkat(dir_fd, path, AT_REMOVEDIR);
1191
1192 return fd;
1193 }
1194
420d2e31
DDM		 1195 if (FLAGS_SET(open_flags, O_CREAT) && FLAGS_SET(xopen_flags, XO_LABEL)) {
1196 r = label_ops_post(dir_fd, path);
1197 if (r < 0)
1198 return r;
1199 }
1200
7486f9c3
DDM		 1201 return TAKE_FD(fd);
1202}
2646b86d 1203
e40b11be 1204int xopenat_lock_full(
420d2e31
DDM		 1205 int dir_fd,
1206 const char *path,
1207 int open_flags,
1208 XOpenFlags xopen_flags,
1209 mode_t mode,
1210 LockType locktype,
1211 int operation) {
1212
2646b86d
DDM		 1213 _cleanup_close_ int fd = -EBADF;
1214 int r;
1215
1216 assert(dir_fd >= 0 || dir_fd == AT_FDCWD);
2646b86d
DDM		 1217 assert(IN_SET(operation & ~LOCK_NB, LOCK_EX, LOCK_SH));
1218
1219 /* POSIX/UNPOSIX locks don't work on directories (errno is set to -EBADF so let's return early with
1220 * the same error here). */
0867a465 1221 if (FLAGS_SET(open_flags, O_DIRECTORY) && !IN_SET(locktype, LOCK_BSD, LOCK_NONE))
2646b86d
DDM		 1222 return -EBADF;
1223
1224 for (;;) {
1225 struct stat st;
1226
e40b11be 1227 fd = xopenat_full(dir_fd, path, open_flags, xopen_flags, mode);
2646b86d
DDM		 1228 if (fd < 0)
1229 return fd;
1230
1231 r = lock_generic(fd, locktype, operation);
1232 if (r < 0)
1233 return r;
1234
1235 /* If we acquired the lock, let's check if the file/directory still exists in the file
1236 * system. If not, then the previous exclusive owner removed it and then closed it. In such a
1237 * case our acquired lock is worthless, hence try again. */
1238
1239 if (fstat(fd, &st) < 0)
1240 return -errno;
1241 if (st.st_nlink > 0)
1242 break;
1243
1244 fd = safe_close(fd);
1245 }
1246
1247 return TAKE_FD(fd);
1248}
0b8e36f0
LP		 1249
1250int link_fd(int fd, int newdirfd, const char *newpath) {
1251 int r;
1252
1253 assert(fd >= 0);
1254 assert(newdirfd >= 0 || newdirfd == AT_FDCWD);
1255 assert(newpath);
1256
1257 /* Try linking via /proc/self/fd/ first. */
1258 r = RET_NERRNO(linkat(AT_FDCWD, FORMAT_PROC_FD_PATH(fd), newdirfd, newpath, AT_SYMLINK_FOLLOW));
1259 if (r != -ENOENT)
1260 return r;
1261
1262 /* Fall back to symlinking via AT_EMPTY_PATH as fallback (this requires CAP_DAC_READ_SEARCH and a
1263 * more recent kernel, but does not require /proc/ mounted) */
1264 if (proc_mounted() != 0)
1265 return r;
1266
1267 return RET_NERRNO(linkat(fd, "", newdirfd, newpath, AT_EMPTY_PATH));
1268}
1f27e7b7
LP		 1269
1270int linkat_replace(int olddirfd, const char *oldpath, int newdirfd, const char *newpath) {
1271 _cleanup_close_ int old_fd = -EBADF;
1272 int r;
1273
1274 assert(olddirfd >= 0 || olddirfd == AT_FDCWD);
1275 assert(newdirfd >= 0 || newdirfd == AT_FDCWD);
1276 assert(!isempty(newpath)); /* source path is optional, but the target path is not */
1277
1278 /* Like linkat() but replaces the target if needed. Is a NOP if source and target already share the
1279 * same inode. */
1280
1281 if (olddirfd == AT_FDCWD && isempty(oldpath)) /* Refuse operating on the cwd (which is a dir, and dirs can't be hardlinked) */
1282 return -EISDIR;
1283
1284 if (path_implies_directory(oldpath)) /* Refuse these definite directories early */
1285 return -EISDIR;
1286
1287 if (path_implies_directory(newpath))
1288 return -EISDIR;
1289
1290 /* First, try to link this directly */
1291 if (oldpath)
1292 r = RET_NERRNO(linkat(olddirfd, oldpath, newdirfd, newpath, 0));
1293 else
1294 r = link_fd(olddirfd, newdirfd, newpath);
1295 if (r >= 0)
1296 return 0;
1297 if (r != -EEXIST)
1298 return r;
1299
1300 old_fd = xopenat(olddirfd, oldpath, O_PATH|O_CLOEXEC);
1301 if (old_fd < 0)
1302 return old_fd;
1303
1304 struct stat old_st;
1305 if (fstat(old_fd, &old_st) < 0)
1306 return -errno;
1307
1308 if (S_ISDIR(old_st.st_mode)) /* Don't bother if we are operating on a directory */
1309 return -EISDIR;
1310
1311 struct stat new_st;
1312 if (fstatat(newdirfd, newpath, &new_st, AT_SYMLINK_NOFOLLOW) < 0)
1313 return -errno;
1314
1315 if (S_ISDIR(new_st.st_mode)) /* Refuse replacing directories */
1316 return -EEXIST;
1317
1318 if (stat_inode_same(&old_st, &new_st)) /* Already the same inode? Then shortcut this */
1319 return 0;
1320
1321 _cleanup_free_ char *tmp_path = NULL;
1322 r = tempfn_random(newpath, /* extra= */ NULL, &tmp_path);
1323 if (r < 0)
1324 return r;
1325
1326 r = link_fd(old_fd, newdirfd, tmp_path);
1327 if (r < 0) {
1328 if (!ERRNO_IS_PRIVILEGE(r))
1329 return r;
1330
1331 /* If that didn't work due to permissions then go via the path of the dentry */
1332 r = RET_NERRNO(linkat(olddirfd, oldpath, newdirfd, tmp_path, 0));
1333 if (r < 0)
1334 return r;
1335 }
1336
1337 r = RET_NERRNO(renameat(newdirfd, tmp_path, newdirfd, newpath));
1338 if (r < 0) {
1339 (void) unlinkat(newdirfd, tmp_path, /* flags= */ 0);
1340 return r;
1341 }
1342
1343 return 0;
1344}
Unnamed repository; edit this file 'description' to name the repository.