1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2010 Lennart Poettering
10 #include <sys/resource.h>
11 #include <sys/socket.h>
15 #include "dirent-util.h"
20 #include "memfd-util.h"
22 #include "parse-util.h"
23 #include "path-util.h"
24 #include "process-util.h"
25 #include "socket-util.h"
26 #include "stdio-util.h"
29 int close_nointr(int fd
) {
36 * Just ignore EINTR; a retry loop is the wrong thing to do on
39 * http://lkml.indiana.edu/hypermail/linux/kernel/0509.1/0877.html
40 * https://bugzilla.gnome.org/show_bug.cgi?id=682819
41 * http://utcc.utoronto.ca/~cks/space/blog/unix/CloseEINTR
42 * https://sites.google.com/site/michaelsafyan/software-engineering/checkforeintrwheninvokingclosethinkagain
50 int safe_close(int fd
) {
53 * Like close_nointr() but cannot fail. Guarantees errno is
54 * unchanged. Is a NOP with negative fds passed, and returns
55 * -1, so that it can be used in this syntax:
57 * fd = safe_close(fd);
63 /* The kernel might return pretty much any error code
64 * via close(), but the fd will be closed anyway. The
65 * only condition we want to check for here is whether
66 * the fd was invalid at all... */
68 assert_se(close_nointr(fd
) != -EBADF
);
74 void safe_close_pair(int p
[]) {
78 /* Special case pairs which use the same fd in both
80 p
[0] = p
[1] = safe_close(p
[0]);
84 p
[0] = safe_close(p
[0]);
85 p
[1] = safe_close(p
[1]);
88 void close_many(const int fds
[], size_t n_fd
) {
91 assert(fds
|| n_fd
<= 0);
93 for (i
= 0; i
< n_fd
; i
++)
97 int fclose_nointr(FILE *f
) {
100 /* Same as close_nointr(), but for fclose() */
111 FILE* safe_fclose(FILE *f
) {
113 /* Same as safe_close(), but for fclose() */
118 assert_se(fclose_nointr(f
) != EBADF
);
124 DIR* safe_closedir(DIR *d
) {
129 assert_se(closedir(d
) >= 0 || errno
!= EBADF
);
135 int fd_nonblock(int fd
, bool nonblock
) {
140 flags
= fcntl(fd
, F_GETFL
, 0);
145 nflags
= flags
| O_NONBLOCK
;
147 nflags
= flags
& ~O_NONBLOCK
;
152 if (fcntl(fd
, F_SETFL
, nflags
) < 0)
158 int fd_cloexec(int fd
, bool cloexec
) {
163 flags
= fcntl(fd
, F_GETFD
, 0);
168 nflags
= flags
| FD_CLOEXEC
;
170 nflags
= flags
& ~FD_CLOEXEC
;
175 if (fcntl(fd
, F_SETFD
, nflags
) < 0)
181 _pure_
static bool fd_in_set(int fd
, const int fdset
[], size_t n_fdset
) {
184 assert(n_fdset
== 0 || fdset
);
186 for (i
= 0; i
< n_fdset
; i
++)
193 int close_all_fds(const int except
[], size_t n_except
) {
194 _cleanup_closedir_
DIR *d
= NULL
;
198 assert(n_except
== 0 || except
);
200 d
= opendir("/proc/self/fd");
205 /* When /proc isn't available (for example in chroots)
206 * the fallback is brute forcing through the fd
209 assert_se(getrlimit(RLIMIT_NOFILE
, &rl
) >= 0);
210 for (fd
= 3; fd
< (int) rl
.rlim_max
; fd
++) {
213 if (fd_in_set(fd
, except
, n_except
))
216 q
= close_nointr(fd
);
217 if (q
< 0 && q
!= -EBADF
&& r
>= 0)
224 FOREACH_DIRENT(de
, d
, return -errno
) {
227 if (safe_atoi(de
->d_name
, &fd
) < 0)
228 /* Let's better ignore this, just in case */
237 if (fd_in_set(fd
, except
, n_except
))
240 q
= close_nointr(fd
);
241 if (q
< 0 && q
!= -EBADF
&& r
>= 0) /* Valgrind has its own FD and doesn't want to have it closed */
248 int same_fd(int a
, int b
) {
249 struct stat sta
, stb
;
256 /* Compares two file descriptors. Note that semantics are
257 * quite different depending on whether we have kcmp() or we
258 * don't. If we have kcmp() this will only return true for
259 * dup()ed file descriptors, but not otherwise. If we don't
260 * have kcmp() this will also return true for two fds of the same
261 * file, created by separate open() calls. Since we use this
262 * call mostly for filtering out duplicates in the fd store
263 * this difference hopefully doesn't matter too much. */
268 /* Try to use kcmp() if we have it. */
269 pid
= getpid_cached();
270 r
= kcmp(pid
, pid
, KCMP_FILE
, a
, b
);
278 /* We don't have kcmp(), use fstat() instead. */
279 if (fstat(a
, &sta
) < 0)
282 if (fstat(b
, &stb
) < 0)
285 if ((sta
.st_mode
& S_IFMT
) != (stb
.st_mode
& S_IFMT
))
288 /* We consider all device fds different, since two device fds
289 * might refer to quite different device contexts even though
290 * they share the same inode and backing dev_t. */
292 if (S_ISCHR(sta
.st_mode
) || S_ISBLK(sta
.st_mode
))
295 if (sta
.st_dev
!= stb
.st_dev
|| sta
.st_ino
!= stb
.st_ino
)
298 /* The fds refer to the same inode on disk, let's also check
299 * if they have the same fd flags. This is useful to
300 * distinguish the read and write side of a pipe created with
302 fa
= fcntl(a
, F_GETFL
);
306 fb
= fcntl(b
, F_GETFL
);
313 void cmsg_close_all(struct msghdr
*mh
) {
314 struct cmsghdr
*cmsg
;
318 CMSG_FOREACH(cmsg
, mh
)
319 if (cmsg
->cmsg_level
== SOL_SOCKET
&& cmsg
->cmsg_type
== SCM_RIGHTS
)
320 close_many((int*) CMSG_DATA(cmsg
), (cmsg
->cmsg_len
- CMSG_LEN(0)) / sizeof(int));
323 bool fdname_is_valid(const char *s
) {
326 /* Validates a name for $LISTEN_FDNAMES. We basically allow
327 * everything ASCII that's not a control character. Also, as
328 * special exception the ":" character is not allowed, as we
329 * use that as field separator in $LISTEN_FDNAMES.
331 * Note that the empty string is explicitly allowed
332 * here. However, we limit the length of the names to 255
338 for (p
= s
; *p
; p
++) {
350 int fd_get_path(int fd
, char **ret
) {
351 _cleanup_close_
int dir
= -1;
352 char fdname
[DECIMAL_STR_MAX(int)];
355 dir
= open("/proc/self/fd/", O_CLOEXEC
| O_DIRECTORY
| O_PATH
);
357 /* /proc is not available or not set up properly, we're most likely
358 * in some chroot environment. */
359 return errno
== ENOENT
? -EOPNOTSUPP
: -errno
;
361 xsprintf(fdname
, "%i", fd
);
363 r
= readlinkat_malloc(dir
, fdname
, ret
);
365 /* If the file doesn't exist the fd is invalid */
371 int move_fd(int from
, int to
, int cloexec
) {
374 /* Move fd 'from' to 'to', make sure FD_CLOEXEC remains equal if requested, and release the old fd. If
375 * 'cloexec' is passed as -1, the original FD_CLOEXEC is inherited for the new fd. If it is 0, it is turned
376 * off, if it is > 0 it is turned on. */
386 r
= fd_cloexec(to
, cloexec
);
397 fl
= fcntl(from
, F_GETFD
, 0);
401 cloexec
= !!(fl
& FD_CLOEXEC
);
404 r
= dup3(from
, to
, cloexec
? O_CLOEXEC
: 0);
415 int acquire_data_fd(const void *data
, size_t size
, unsigned flags
) {
417 _cleanup_close_pair_
int pipefds
[2] = { -1, -1 };
418 char pattern
[] = "/dev/shm/data-fd-XXXXXX";
419 _cleanup_close_
int fd
= -1;
424 assert(data
|| size
== 0);
426 /* Acquire a read-only file descriptor that when read from returns the specified data. This is much more
427 * complex than I wish it was. But here's why:
429 * a) First we try to use memfds. They are the best option, as we can seal them nicely to make them
430 * read-only. Unfortunately they require kernel 3.17, and – at the time of writing – we still support 3.14.
432 * b) Then, we try classic pipes. They are the second best options, as we can close the writing side, retaining
433 * a nicely read-only fd in the reading side. However, they are by default quite small, and unprivileged
434 * clients can only bump their size to a system-wide limit, which might be quite low.
436 * c) Then, we try an O_TMPFILE file in /dev/shm (that dir is the only suitable one known to exist from
437 * earliest boot on). To make it read-only we open the fd a second time with O_RDONLY via
438 * /proc/self/<fd>. Unfortunately O_TMPFILE is not available on older kernels on tmpfs.
440 * d) Finally, we try creating a regular file in /dev/shm, which we then delete.
442 * It sucks a bit that depending on the situation we return very different objects here, but that's Linux I
445 if (size
== 0 && ((flags
& ACQUIRE_NO_DEV_NULL
) == 0)) {
446 /* As a special case, return /dev/null if we have been called for an empty data block */
447 r
= open("/dev/null", O_RDONLY
|O_CLOEXEC
|O_NOCTTY
);
454 if ((flags
& ACQUIRE_NO_MEMFD
) == 0) {
455 fd
= memfd_new("data-fd");
459 n
= write(fd
, data
, size
);
462 if ((size_t) n
!= size
)
465 f
= lseek(fd
, 0, SEEK_SET
);
469 r
= memfd_set_sealed(fd
);
477 if ((flags
& ACQUIRE_NO_PIPE
) == 0) {
478 if (pipe2(pipefds
, O_CLOEXEC
|O_NONBLOCK
) < 0)
481 isz
= fcntl(pipefds
[1], F_GETPIPE_SZ
, 0);
485 if ((size_t) isz
< size
) {
487 if (isz
< 0 || (size_t) isz
!= size
)
490 /* Try to bump the pipe size */
491 (void) fcntl(pipefds
[1], F_SETPIPE_SZ
, isz
);
493 /* See if that worked */
494 isz
= fcntl(pipefds
[1], F_GETPIPE_SZ
, 0);
498 if ((size_t) isz
< size
)
502 n
= write(pipefds
[1], data
, size
);
505 if ((size_t) n
!= size
)
508 (void) fd_nonblock(pipefds
[0], false);
510 return TAKE_FD(pipefds
[0]);
514 if ((flags
& ACQUIRE_NO_TMPFILE
) == 0) {
515 fd
= open("/dev/shm", O_RDWR
|O_TMPFILE
|O_CLOEXEC
, 0500);
517 goto try_dev_shm_without_o_tmpfile
;
519 n
= write(fd
, data
, size
);
522 if ((size_t) n
!= size
)
525 /* Let's reopen the thing, in order to get an O_RDONLY fd for the original O_RDWR one */
526 return fd_reopen(fd
, O_RDONLY
|O_CLOEXEC
);
529 try_dev_shm_without_o_tmpfile
:
530 if ((flags
& ACQUIRE_NO_REGULAR
) == 0) {
531 fd
= mkostemp_safe(pattern
);
535 n
= write(fd
, data
, size
);
538 goto unlink_and_return
;
540 if ((size_t) n
!= size
) {
542 goto unlink_and_return
;
545 /* Let's reopen the thing, in order to get an O_RDONLY fd for the original O_RDWR one */
546 r
= open(pattern
, O_RDONLY
|O_CLOEXEC
);
551 (void) unlink(pattern
);
558 int fd_move_above_stdio(int fd
) {
562 /* Moves the specified file descriptor if possible out of the range [0…2], i.e. the range of
563 * stdin/stdout/stderr. If it can't be moved outside of this range the original file descriptor is
564 * returned. This call is supposed to be used for long-lasting file descriptors we allocate in our code that
565 * might get loaded into foreign code, and where we want ensure our fds are unlikely used accidentally as
566 * stdin/stdout/stderr of unrelated code.
568 * Note that this doesn't fix any real bugs, it just makes it less likely that our code will be affected by
569 * buggy code from others that mindlessly invokes 'fprintf(stderr, …' or similar in places where stderr has
570 * been closed before.
572 * This function is written in a "best-effort" and "least-impact" style. This means whenever we encounter an
573 * error we simply return the original file descriptor, and we do not touch errno. */
575 if (fd
< 0 || fd
> 2)
578 flags
= fcntl(fd
, F_GETFD
, 0);
582 if (flags
& FD_CLOEXEC
)
583 copy
= fcntl(fd
, F_DUPFD_CLOEXEC
, 3);
585 copy
= fcntl(fd
, F_DUPFD
, 3);
595 int rearrange_stdio(int original_input_fd
, int original_output_fd
, int original_error_fd
) {
597 int fd
[3] = { /* Put together an array of fds we work on */
604 null_fd
= -1, /* if we open /dev/null, we store the fd to it here */
605 copy_fd
[3] = { -1, -1, -1 }; /* This contains all fds we duplicate here temporarily, and hence need to close at the end */
606 bool null_readable
, null_writable
;
608 /* Sets up stdin, stdout, stderr with the three file descriptors passed in. If any of the descriptors is
609 * specified as -1 it will be connected with /dev/null instead. If any of the file descriptors is passed as
610 * itself (e.g. stdin as STDIN_FILENO) it is left unmodified, but the O_CLOEXEC bit is turned off should it be
613 * Note that if any of the passed file descriptors are > 2 they will be closed — both on success and on
614 * failure! Thus, callers should assume that when this function returns the input fds are invalidated.
616 * Note that when this function fails stdin/stdout/stderr might remain half set up!
618 * O_CLOEXEC is turned off for all three file descriptors (which is how it should be for
619 * stdin/stdout/stderr). */
621 null_readable
= original_input_fd
< 0;
622 null_writable
= original_output_fd
< 0 || original_error_fd
< 0;
624 /* First step, open /dev/null once, if we need it */
625 if (null_readable
|| null_writable
) {
627 /* Let's open this with O_CLOEXEC first, and convert it to non-O_CLOEXEC when we move the fd to the final position. */
628 null_fd
= open("/dev/null", (null_readable
&& null_writable
? O_RDWR
:
629 null_readable
? O_RDONLY
: O_WRONLY
) | O_CLOEXEC
);
635 /* If this fd is in the 0…2 range, let's move it out of it */
639 copy
= fcntl(null_fd
, F_DUPFD_CLOEXEC
, 3); /* Duplicate this with O_CLOEXEC set */
650 /* Let's assemble fd[] with the fds to install in place of stdin/stdout/stderr */
651 for (i
= 0; i
< 3; i
++) {
654 fd
[i
] = null_fd
; /* A negative parameter means: connect this one to /dev/null */
655 else if (fd
[i
] != i
&& fd
[i
] < 3) {
656 /* This fd is in the 0…2 territory, but not at its intended place, move it out of there, so that we can work there. */
657 copy_fd
[i
] = fcntl(fd
[i
], F_DUPFD_CLOEXEC
, 3); /* Duplicate this with O_CLOEXEC set */
658 if (copy_fd
[i
] < 0) {
667 /* At this point we now have the fds to use in fd[], and they are all above the stdio range, so that we
668 * have freedom to move them around. If the fds already were at the right places then the specific fds are
669 * -1. Let's now move them to the right places. This is the point of no return. */
670 for (i
= 0; i
< 3; i
++) {
674 /* fd is already in place, but let's make sure O_CLOEXEC is off */
675 r
= fd_cloexec(i
, false);
682 if (dup2(fd
[i
], i
) < 0) { /* Turns off O_CLOEXEC on the new fd. */
692 /* Close the original fds, but only if they were outside of the stdio range. Also, properly check for the same
693 * fd passed in multiple times. */
694 safe_close_above_stdio(original_input_fd
);
695 if (original_output_fd
!= original_input_fd
)
696 safe_close_above_stdio(original_output_fd
);
697 if (original_error_fd
!= original_input_fd
&& original_error_fd
!= original_output_fd
)
698 safe_close_above_stdio(original_error_fd
);
700 /* Close the copies we moved > 2 */
701 for (i
= 0; i
< 3; i
++)
702 safe_close(copy_fd
[i
]);
704 /* Close our null fd, if it's > 2 */
705 safe_close_above_stdio(null_fd
);
710 int fd_reopen(int fd
, int flags
) {
711 char procfs_path
[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
714 /* Reopens the specified fd with new flags. This is useful for convert an O_PATH fd into a regular one, or to
715 * turn O_RDWR fds into O_RDONLY fds.
717 * This doesn't work on sockets (since they cannot be open()ed, ever).
719 * This implicitly resets the file read index to 0. */
721 xsprintf(procfs_path
, "/proc/self/fd/%i", fd
);
722 new_fd
= open(procfs_path
, flags
);