]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/basic/fd-util.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #9197 from poettering/make-main-shorter
[thirdparty/systemd.git] / src / basic / fd-util.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 /***
3 This file is part of systemd.
4
5 Copyright 2010 Lennart Poettering
6 ***/
7
8 #include <errno.h>
9 #include <fcntl.h>
10 #include <sys/resource.h>
11 #include <sys/socket.h>
12 #include <sys/stat.h>
13 #include <unistd.h>
14
15 #include "alloc-util.h"
16 #include "copy.h"
17 #include "dirent-util.h"
18 #include "fd-util.h"
19 #include "fileio.h"
20 #include "fs-util.h"
21 #include "io-util.h"
22 #include "macro.h"
23 #include "memfd-util.h"
24 #include "missing.h"
25 #include "parse-util.h"
26 #include "path-util.h"
27 #include "process-util.h"
28 #include "socket-util.h"
29 #include "stdio-util.h"
30 #include "util.h"
31
32 int close_nointr(int fd) {
33 assert(fd >= 0);
34
35 if (close(fd) >= 0)
36 return 0;
37
38 /*
39 * Just ignore EINTR; a retry loop is the wrong thing to do on
40 * Linux.
41 *
42 * http://lkml.indiana.edu/hypermail/linux/kernel/0509.1/0877.html
43 * https://bugzilla.gnome.org/show_bug.cgi?id=682819
44 * http://utcc.utoronto.ca/~cks/space/blog/unix/CloseEINTR
45 * https://sites.google.com/site/michaelsafyan/software-engineering/checkforeintrwheninvokingclosethinkagain
46 */
47 if (errno == EINTR)
48 return 0;
49
50 return -errno;
51 }
52
53 int safe_close(int fd) {
54
55 /*
56 * Like close_nointr() but cannot fail. Guarantees errno is
57 * unchanged. Is a NOP with negative fds passed, and returns
58 * -1, so that it can be used in this syntax:
59 *
60 * fd = safe_close(fd);
61 */
62
63 if (fd >= 0) {
64 PROTECT_ERRNO;
65
66 /* The kernel might return pretty much any error code
67 * via close(), but the fd will be closed anyway. The
68 * only condition we want to check for here is whether
69 * the fd was invalid at all... */
70
71 assert_se(close_nointr(fd) != -EBADF);
72 }
73
74 return -1;
75 }
76
77 void safe_close_pair(int p[]) {
78 assert(p);
79
80 if (p[0] == p[1]) {
81 /* Special case pairs which use the same fd in both
82 * directions... */
83 p[0] = p[1] = safe_close(p[0]);
84 return;
85 }
86
87 p[0] = safe_close(p[0]);
88 p[1] = safe_close(p[1]);
89 }
90
91 void close_many(const int fds[], size_t n_fd) {
92 size_t i;
93
94 assert(fds || n_fd <= 0);
95
96 for (i = 0; i < n_fd; i++)
97 safe_close(fds[i]);
98 }
99
100 int fclose_nointr(FILE *f) {
101 assert(f);
102
103 /* Same as close_nointr(), but for fclose() */
104
105 if (fclose(f) == 0)
106 return 0;
107
108 if (errno == EINTR)
109 return 0;
110
111 return -errno;
112 }
113
114 FILE* safe_fclose(FILE *f) {
115
116 /* Same as safe_close(), but for fclose() */
117
118 if (f) {
119 PROTECT_ERRNO;
120
121 assert_se(fclose_nointr(f) != EBADF);
122 }
123
124 return NULL;
125 }
126
127 DIR* safe_closedir(DIR *d) {
128
129 if (d) {
130 PROTECT_ERRNO;
131
132 assert_se(closedir(d) >= 0 || errno != EBADF);
133 }
134
135 return NULL;
136 }
137
138 int fd_nonblock(int fd, bool nonblock) {
139 int flags, nflags;
140
141 assert(fd >= 0);
142
143 flags = fcntl(fd, F_GETFL, 0);
144 if (flags < 0)
145 return -errno;
146
147 if (nonblock)
148 nflags = flags | O_NONBLOCK;
149 else
150 nflags = flags & ~O_NONBLOCK;
151
152 if (nflags == flags)
153 return 0;
154
155 if (fcntl(fd, F_SETFL, nflags) < 0)
156 return -errno;
157
158 return 0;
159 }
160
161 int fd_cloexec(int fd, bool cloexec) {
162 int flags, nflags;
163
164 assert(fd >= 0);
165
166 flags = fcntl(fd, F_GETFD, 0);
167 if (flags < 0)
168 return -errno;
169
170 if (cloexec)
171 nflags = flags | FD_CLOEXEC;
172 else
173 nflags = flags & ~FD_CLOEXEC;
174
175 if (nflags == flags)
176 return 0;
177
178 if (fcntl(fd, F_SETFD, nflags) < 0)
179 return -errno;
180
181 return 0;
182 }
183
184 _pure_ static bool fd_in_set(int fd, const int fdset[], size_t n_fdset) {
185 size_t i;
186
187 assert(n_fdset == 0 || fdset);
188
189 for (i = 0; i < n_fdset; i++)
190 if (fdset[i] == fd)
191 return true;
192
193 return false;
194 }
195
196 int close_all_fds(const int except[], size_t n_except) {
197 _cleanup_closedir_ DIR *d = NULL;
198 struct dirent *de;
199 int r = 0;
200
201 assert(n_except == 0 || except);
202
203 d = opendir("/proc/self/fd");
204 if (!d) {
205 struct rlimit rl;
206 int fd, max_fd;
207
208 /* When /proc isn't available (for example in chroots) the fallback is brute forcing through the fd
209 * table */
210
211 assert_se(getrlimit(RLIMIT_NOFILE, &rl) >= 0);
212
213 if (rl.rlim_max == 0)
214 return -EINVAL;
215
216 /* Let's take special care if the resource limit is set to unlimited, or actually larger than the range
217 * of 'int'. Let's avoid implicit overflows. */
218 max_fd = (rl.rlim_max == RLIM_INFINITY || rl.rlim_max > INT_MAX) ? INT_MAX : (int) (rl.rlim_max - 1);
219
220 for (fd = 3; fd >= 0; fd = fd < max_fd ? fd + 1 : -1) {
221 int q;
222
223 if (fd_in_set(fd, except, n_except))
224 continue;
225
226 q = close_nointr(fd);
227 if (q < 0 && q != -EBADF && r >= 0)
228 r = q;
229 }
230
231 return r;
232 }
233
234 FOREACH_DIRENT(de, d, return -errno) {
235 int fd = -1, q;
236
237 if (safe_atoi(de->d_name, &fd) < 0)
238 /* Let's better ignore this, just in case */
239 continue;
240
241 if (fd < 3)
242 continue;
243
244 if (fd == dirfd(d))
245 continue;
246
247 if (fd_in_set(fd, except, n_except))
248 continue;
249
250 q = close_nointr(fd);
251 if (q < 0 && q != -EBADF && r >= 0) /* Valgrind has its own FD and doesn't want to have it closed */
252 r = q;
253 }
254
255 return r;
256 }
257
258 int same_fd(int a, int b) {
259 struct stat sta, stb;
260 pid_t pid;
261 int r, fa, fb;
262
263 assert(a >= 0);
264 assert(b >= 0);
265
266 /* Compares two file descriptors. Note that semantics are
267 * quite different depending on whether we have kcmp() or we
268 * don't. If we have kcmp() this will only return true for
269 * dup()ed file descriptors, but not otherwise. If we don't
270 * have kcmp() this will also return true for two fds of the same
271 * file, created by separate open() calls. Since we use this
272 * call mostly for filtering out duplicates in the fd store
273 * this difference hopefully doesn't matter too much. */
274
275 if (a == b)
276 return true;
277
278 /* Try to use kcmp() if we have it. */
279 pid = getpid_cached();
280 r = kcmp(pid, pid, KCMP_FILE, a, b);
281 if (r == 0)
282 return true;
283 if (r > 0)
284 return false;
285 if (errno != ENOSYS)
286 return -errno;
287
288 /* We don't have kcmp(), use fstat() instead. */
289 if (fstat(a, &sta) < 0)
290 return -errno;
291
292 if (fstat(b, &stb) < 0)
293 return -errno;
294
295 if ((sta.st_mode & S_IFMT) != (stb.st_mode & S_IFMT))
296 return false;
297
298 /* We consider all device fds different, since two device fds
299 * might refer to quite different device contexts even though
300 * they share the same inode and backing dev_t. */
301
302 if (S_ISCHR(sta.st_mode) || S_ISBLK(sta.st_mode))
303 return false;
304
305 if (sta.st_dev != stb.st_dev || sta.st_ino != stb.st_ino)
306 return false;
307
308 /* The fds refer to the same inode on disk, let's also check
309 * if they have the same fd flags. This is useful to
310 * distinguish the read and write side of a pipe created with
311 * pipe(). */
312 fa = fcntl(a, F_GETFL);
313 if (fa < 0)
314 return -errno;
315
316 fb = fcntl(b, F_GETFL);
317 if (fb < 0)
318 return -errno;
319
320 return fa == fb;
321 }
322
323 void cmsg_close_all(struct msghdr *mh) {
324 struct cmsghdr *cmsg;
325
326 assert(mh);
327
328 CMSG_FOREACH(cmsg, mh)
329 if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS)
330 close_many((int*) CMSG_DATA(cmsg), (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int));
331 }
332
333 bool fdname_is_valid(const char *s) {
334 const char *p;
335
336 /* Validates a name for $LISTEN_FDNAMES. We basically allow
337 * everything ASCII that's not a control character. Also, as
338 * special exception the ":" character is not allowed, as we
339 * use that as field separator in $LISTEN_FDNAMES.
340 *
341 * Note that the empty string is explicitly allowed
342 * here. However, we limit the length of the names to 255
343 * characters. */
344
345 if (!s)
346 return false;
347
348 for (p = s; *p; p++) {
349 if (*p < ' ')
350 return false;
351 if (*p >= 127)
352 return false;
353 if (*p == ':')
354 return false;
355 }
356
357 return p - s < 256;
358 }
359
360 int fd_get_path(int fd, char **ret) {
361 _cleanup_close_ int dir = -1;
362 char fdname[DECIMAL_STR_MAX(int)];
363 int r;
364
365 dir = open("/proc/self/fd/", O_CLOEXEC | O_DIRECTORY | O_PATH);
366 if (dir < 0)
367 /* /proc is not available or not set up properly, we're most likely
368 * in some chroot environment. */
369 return errno == ENOENT ? -EOPNOTSUPP : -errno;
370
371 xsprintf(fdname, "%i", fd);
372
373 r = readlinkat_malloc(dir, fdname, ret);
374 if (r == -ENOENT)
375 /* If the file doesn't exist the fd is invalid */
376 return -EBADF;
377
378 return r;
379 }
380
381 int move_fd(int from, int to, int cloexec) {
382 int r;
383
384 /* Move fd 'from' to 'to', make sure FD_CLOEXEC remains equal if requested, and release the old fd. If
385 * 'cloexec' is passed as -1, the original FD_CLOEXEC is inherited for the new fd. If it is 0, it is turned
386 * off, if it is > 0 it is turned on. */
387
388 if (from < 0)
389 return -EBADF;
390 if (to < 0)
391 return -EBADF;
392
393 if (from == to) {
394
395 if (cloexec >= 0) {
396 r = fd_cloexec(to, cloexec);
397 if (r < 0)
398 return r;
399 }
400
401 return to;
402 }
403
404 if (cloexec < 0) {
405 int fl;
406
407 fl = fcntl(from, F_GETFD, 0);
408 if (fl < 0)
409 return -errno;
410
411 cloexec = !!(fl & FD_CLOEXEC);
412 }
413
414 r = dup3(from, to, cloexec ? O_CLOEXEC : 0);
415 if (r < 0)
416 return -errno;
417
418 assert(r == to);
419
420 safe_close(from);
421
422 return to;
423 }
424
425 int acquire_data_fd(const void *data, size_t size, unsigned flags) {
426
427 _cleanup_close_pair_ int pipefds[2] = { -1, -1 };
428 char pattern[] = "/dev/shm/data-fd-XXXXXX";
429 _cleanup_close_ int fd = -1;
430 int isz = 0, r;
431 ssize_t n;
432 off_t f;
433
434 assert(data || size == 0);
435
436 /* Acquire a read-only file descriptor that when read from returns the specified data. This is much more
437 * complex than I wish it was. But here's why:
438 *
439 * a) First we try to use memfds. They are the best option, as we can seal them nicely to make them
440 * read-only. Unfortunately they require kernel 3.17, and – at the time of writing – we still support 3.14.
441 *
442 * b) Then, we try classic pipes. They are the second best options, as we can close the writing side, retaining
443 * a nicely read-only fd in the reading side. However, they are by default quite small, and unprivileged
444 * clients can only bump their size to a system-wide limit, which might be quite low.
445 *
446 * c) Then, we try an O_TMPFILE file in /dev/shm (that dir is the only suitable one known to exist from
447 * earliest boot on). To make it read-only we open the fd a second time with O_RDONLY via
448 * /proc/self/<fd>. Unfortunately O_TMPFILE is not available on older kernels on tmpfs.
449 *
450 * d) Finally, we try creating a regular file in /dev/shm, which we then delete.
451 *
452 * It sucks a bit that depending on the situation we return very different objects here, but that's Linux I
453 * figure. */
454
455 if (size == 0 && ((flags & ACQUIRE_NO_DEV_NULL) == 0)) {
456 /* As a special case, return /dev/null if we have been called for an empty data block */
457 r = open("/dev/null", O_RDONLY|O_CLOEXEC|O_NOCTTY);
458 if (r < 0)
459 return -errno;
460
461 return r;
462 }
463
464 if ((flags & ACQUIRE_NO_MEMFD) == 0) {
465 fd = memfd_new("data-fd");
466 if (fd < 0)
467 goto try_pipe;
468
469 n = write(fd, data, size);
470 if (n < 0)
471 return -errno;
472 if ((size_t) n != size)
473 return -EIO;
474
475 f = lseek(fd, 0, SEEK_SET);
476 if (f != 0)
477 return -errno;
478
479 r = memfd_set_sealed(fd);
480 if (r < 0)
481 return r;
482
483 return TAKE_FD(fd);
484 }
485
486 try_pipe:
487 if ((flags & ACQUIRE_NO_PIPE) == 0) {
488 if (pipe2(pipefds, O_CLOEXEC|O_NONBLOCK) < 0)
489 return -errno;
490
491 isz = fcntl(pipefds[1], F_GETPIPE_SZ, 0);
492 if (isz < 0)
493 return -errno;
494
495 if ((size_t) isz < size) {
496 isz = (int) size;
497 if (isz < 0 || (size_t) isz != size)
498 return -E2BIG;
499
500 /* Try to bump the pipe size */
501 (void) fcntl(pipefds[1], F_SETPIPE_SZ, isz);
502
503 /* See if that worked */
504 isz = fcntl(pipefds[1], F_GETPIPE_SZ, 0);
505 if (isz < 0)
506 return -errno;
507
508 if ((size_t) isz < size)
509 goto try_dev_shm;
510 }
511
512 n = write(pipefds[1], data, size);
513 if (n < 0)
514 return -errno;
515 if ((size_t) n != size)
516 return -EIO;
517
518 (void) fd_nonblock(pipefds[0], false);
519
520 return TAKE_FD(pipefds[0]);
521 }
522
523 try_dev_shm:
524 if ((flags & ACQUIRE_NO_TMPFILE) == 0) {
525 fd = open("/dev/shm", O_RDWR|O_TMPFILE|O_CLOEXEC, 0500);
526 if (fd < 0)
527 goto try_dev_shm_without_o_tmpfile;
528
529 n = write(fd, data, size);
530 if (n < 0)
531 return -errno;
532 if ((size_t) n != size)
533 return -EIO;
534
535 /* Let's reopen the thing, in order to get an O_RDONLY fd for the original O_RDWR one */
536 return fd_reopen(fd, O_RDONLY|O_CLOEXEC);
537 }
538
539 try_dev_shm_without_o_tmpfile:
540 if ((flags & ACQUIRE_NO_REGULAR) == 0) {
541 fd = mkostemp_safe(pattern);
542 if (fd < 0)
543 return fd;
544
545 n = write(fd, data, size);
546 if (n < 0) {
547 r = -errno;
548 goto unlink_and_return;
549 }
550 if ((size_t) n != size) {
551 r = -EIO;
552 goto unlink_and_return;
553 }
554
555 /* Let's reopen the thing, in order to get an O_RDONLY fd for the original O_RDWR one */
556 r = open(pattern, O_RDONLY|O_CLOEXEC);
557 if (r < 0)
558 r = -errno;
559
560 unlink_and_return:
561 (void) unlink(pattern);
562 return r;
563 }
564
565 return -EOPNOTSUPP;
566 }
567
568 /* When the data is smaller or equal to 64K, try to place the copy in a memfd/pipe */
569 #define DATA_FD_MEMORY_LIMIT (64U*1024U)
570
571 /* If memfd/pipe didn't work out, then let's use a file in /tmp up to a size of 1M. If it's large than that use /var/tmp instead. */
572 #define DATA_FD_TMP_LIMIT (1024U*1024U)
573
574 int fd_duplicate_data_fd(int fd) {
575
576 _cleanup_close_ int copy_fd = -1, tmp_fd = -1;
577 _cleanup_free_ void *remains = NULL;
578 size_t remains_size = 0;
579 const char *td;
580 struct stat st;
581 int r;
582
583 /* Creates a 'data' fd from the specified source fd, containing all the same data in a read-only fashion, but
584 * independent of it (i.e. the source fd can be closed and unmounted after this call succeeded). Tries to be
585 * somewhat smart about where to place the data. In the best case uses a memfd(). If memfd() are not supported
586 * uses a pipe instead. For larger data will use an unlinked file in /tmp, and for even larger data one in
587 * /var/tmp. */
588
589 if (fstat(fd, &st) < 0)
590 return -errno;
591
592 /* For now, let's only accept regular files, sockets, pipes and char devices */
593 if (S_ISDIR(st.st_mode))
594 return -EISDIR;
595 if (S_ISLNK(st.st_mode))
596 return -ELOOP;
597 if (!S_ISREG(st.st_mode) && !S_ISSOCK(st.st_mode) && !S_ISFIFO(st.st_mode) && !S_ISCHR(st.st_mode))
598 return -EBADFD;
599
600 /* If we have reason to believe the data is bounded in size, then let's use memfds or pipes as backing fd. Note
601 * that we use the reported regular file size only as a hint, given that there are plenty special files in
602 * /proc and /sys which report a zero file size but can be read from. */
603
604 if (!S_ISREG(st.st_mode) || st.st_size < DATA_FD_MEMORY_LIMIT) {
605
606 /* Try a memfd first */
607 copy_fd = memfd_new("data-fd");
608 if (copy_fd >= 0) {
609 off_t f;
610
611 r = copy_bytes(fd, copy_fd, DATA_FD_MEMORY_LIMIT, 0);
612 if (r < 0)
613 return r;
614
615 f = lseek(copy_fd, 0, SEEK_SET);
616 if (f != 0)
617 return -errno;
618
619 if (r == 0) {
620 /* Did it fit into the limit? If so, we are done. */
621 r = memfd_set_sealed(copy_fd);
622 if (r < 0)
623 return r;
624
625 return TAKE_FD(copy_fd);
626 }
627
628 /* Hmm, pity, this didn't fit. Let's fall back to /tmp then, see below */
629
630 } else {
631 _cleanup_(close_pairp) int pipefds[2] = { -1, -1 };
632 int isz;
633
634 /* If memfds aren't available, use a pipe. Set O_NONBLOCK so that we will get EAGAIN rather
635 * then block indefinitely when we hit the pipe size limit */
636
637 if (pipe2(pipefds, O_CLOEXEC|O_NONBLOCK) < 0)
638 return -errno;
639
640 isz = fcntl(pipefds[1], F_GETPIPE_SZ, 0);
641 if (isz < 0)
642 return -errno;
643
644 /* Try to enlarge the pipe size if necessary */
645 if ((size_t) isz < DATA_FD_MEMORY_LIMIT) {
646
647 (void) fcntl(pipefds[1], F_SETPIPE_SZ, DATA_FD_MEMORY_LIMIT);
648
649 isz = fcntl(pipefds[1], F_GETPIPE_SZ, 0);
650 if (isz < 0)
651 return -errno;
652 }
653
654 if ((size_t) isz >= DATA_FD_MEMORY_LIMIT) {
655
656 r = copy_bytes_full(fd, pipefds[1], DATA_FD_MEMORY_LIMIT, 0, &remains, &remains_size);
657 if (r < 0 && r != -EAGAIN)
658 return r; /* If we get EAGAIN it could be because of the source or because of
659 * the destination fd, we can't know, as sendfile() and friends won't
660 * tell us. Hence, treat this as reason to fall back, just to be
661 * sure. */
662 if (r == 0) {
663 /* Everything fit in, yay! */
664 (void) fd_nonblock(pipefds[0], false);
665
666 return TAKE_FD(pipefds[0]);
667 }
668
669 /* Things didn't fit in. But we read data into the pipe, let's remember that, so that
670 * when writing the new file we incorporate this first. */
671 copy_fd = TAKE_FD(pipefds[0]);
672 }
673 }
674 }
675
676 /* If we have reason to believe this will fit fine in /tmp, then use that as first fallback. */
677 if ((!S_ISREG(st.st_mode) || st.st_size < DATA_FD_TMP_LIMIT) &&
678 (DATA_FD_MEMORY_LIMIT + remains_size) < DATA_FD_TMP_LIMIT) {
679 off_t f;
680
681 tmp_fd = open_tmpfile_unlinkable(NULL /* NULL as directory means /tmp */, O_RDWR|O_CLOEXEC);
682 if (tmp_fd < 0)
683 return tmp_fd;
684
685 if (copy_fd >= 0) {
686 /* If we tried a memfd/pipe first and it ended up being too large, then copy this into the
687 * temporary file first. */
688
689 r = copy_bytes(copy_fd, tmp_fd, UINT64_MAX, 0);
690 if (r < 0)
691 return r;
692
693 assert(r == 0);
694 }
695
696 if (remains_size > 0) {
697 /* If there were remaining bytes (i.e. read into memory, but not written out yet) from the
698 * failed copy operation, let's flush them out next. */
699
700 r = loop_write(tmp_fd, remains, remains_size, false);
701 if (r < 0)
702 return r;
703 }
704
705 r = copy_bytes(fd, tmp_fd, DATA_FD_TMP_LIMIT - DATA_FD_MEMORY_LIMIT - remains_size, COPY_REFLINK);
706 if (r < 0)
707 return r;
708 if (r == 0)
709 goto finish; /* Yay, it fit in */
710
711 /* It didn't fit in. Let's not forget to use what we already used */
712 f = lseek(tmp_fd, 0, SEEK_SET);
713 if (f != 0)
714 return -errno;
715
716 safe_close(copy_fd);
717 copy_fd = TAKE_FD(tmp_fd);
718
719 remains = mfree(remains);
720 remains_size = 0;
721 }
722
723 /* As last fallback use /var/tmp */
724 r = var_tmp_dir(&td);
725 if (r < 0)
726 return r;
727
728 tmp_fd = open_tmpfile_unlinkable(td, O_RDWR|O_CLOEXEC);
729 if (tmp_fd < 0)
730 return tmp_fd;
731
732 if (copy_fd >= 0) {
733 /* If we tried a memfd/pipe first, or a file in /tmp, and it ended up being too large, than copy this
734 * into the temporary file first. */
735 r = copy_bytes(copy_fd, tmp_fd, UINT64_MAX, COPY_REFLINK);
736 if (r < 0)
737 return r;
738
739 assert(r == 0);
740 }
741
742 if (remains_size > 0) {
743 /* Then, copy in any read but not yet written bytes. */
744 r = loop_write(tmp_fd, remains, remains_size, false);
745 if (r < 0)
746 return r;
747 }
748
749 /* Copy in the rest */
750 r = copy_bytes(fd, tmp_fd, UINT64_MAX, COPY_REFLINK);
751 if (r < 0)
752 return r;
753
754 assert(r == 0);
755
756 finish:
757 /* Now convert the O_RDWR file descriptor into an O_RDONLY one (and as side effect seek to the beginning of the
758 * file again */
759
760 return fd_reopen(tmp_fd, O_RDONLY|O_CLOEXEC);
761 }
762
763 int fd_move_above_stdio(int fd) {
764 int flags, copy;
765 PROTECT_ERRNO;
766
767 /* Moves the specified file descriptor if possible out of the range [0…2], i.e. the range of
768 * stdin/stdout/stderr. If it can't be moved outside of this range the original file descriptor is
769 * returned. This call is supposed to be used for long-lasting file descriptors we allocate in our code that
770 * might get loaded into foreign code, and where we want ensure our fds are unlikely used accidentally as
771 * stdin/stdout/stderr of unrelated code.
772 *
773 * Note that this doesn't fix any real bugs, it just makes it less likely that our code will be affected by
774 * buggy code from others that mindlessly invokes 'fprintf(stderr, …' or similar in places where stderr has
775 * been closed before.
776 *
777 * This function is written in a "best-effort" and "least-impact" style. This means whenever we encounter an
778 * error we simply return the original file descriptor, and we do not touch errno. */
779
780 if (fd < 0 || fd > 2)
781 return fd;
782
783 flags = fcntl(fd, F_GETFD, 0);
784 if (flags < 0)
785 return fd;
786
787 if (flags & FD_CLOEXEC)
788 copy = fcntl(fd, F_DUPFD_CLOEXEC, 3);
789 else
790 copy = fcntl(fd, F_DUPFD, 3);
791 if (copy < 0)
792 return fd;
793
794 assert(copy > 2);
795
796 (void) close(fd);
797 return copy;
798 }
799
800 int rearrange_stdio(int original_input_fd, int original_output_fd, int original_error_fd) {
801
802 int fd[3] = { /* Put together an array of fds we work on */
803 original_input_fd,
804 original_output_fd,
805 original_error_fd
806 };
807
808 int r, i,
809 null_fd = -1, /* if we open /dev/null, we store the fd to it here */
810 copy_fd[3] = { -1, -1, -1 }; /* This contains all fds we duplicate here temporarily, and hence need to close at the end */
811 bool null_readable, null_writable;
812
813 /* Sets up stdin, stdout, stderr with the three file descriptors passed in. If any of the descriptors is
814 * specified as -1 it will be connected with /dev/null instead. If any of the file descriptors is passed as
815 * itself (e.g. stdin as STDIN_FILENO) it is left unmodified, but the O_CLOEXEC bit is turned off should it be
816 * on.
817 *
818 * Note that if any of the passed file descriptors are > 2 they will be closed — both on success and on
819 * failure! Thus, callers should assume that when this function returns the input fds are invalidated.
820 *
821 * Note that when this function fails stdin/stdout/stderr might remain half set up!
822 *
823 * O_CLOEXEC is turned off for all three file descriptors (which is how it should be for
824 * stdin/stdout/stderr). */
825
826 null_readable = original_input_fd < 0;
827 null_writable = original_output_fd < 0 || original_error_fd < 0;
828
829 /* First step, open /dev/null once, if we need it */
830 if (null_readable || null_writable) {
831
832 /* Let's open this with O_CLOEXEC first, and convert it to non-O_CLOEXEC when we move the fd to the final position. */
833 null_fd = open("/dev/null", (null_readable && null_writable ? O_RDWR :
834 null_readable ? O_RDONLY : O_WRONLY) | O_CLOEXEC);
835 if (null_fd < 0) {
836 r = -errno;
837 goto finish;
838 }
839
840 /* If this fd is in the 0…2 range, let's move it out of it */
841 if (null_fd < 3) {
842 int copy;
843
844 copy = fcntl(null_fd, F_DUPFD_CLOEXEC, 3); /* Duplicate this with O_CLOEXEC set */
845 if (copy < 0) {
846 r = -errno;
847 goto finish;
848 }
849
850 safe_close(null_fd);
851 null_fd = copy;
852 }
853 }
854
855 /* Let's assemble fd[] with the fds to install in place of stdin/stdout/stderr */
856 for (i = 0; i < 3; i++) {
857
858 if (fd[i] < 0)
859 fd[i] = null_fd; /* A negative parameter means: connect this one to /dev/null */
860 else if (fd[i] != i && fd[i] < 3) {
861 /* This fd is in the 0…2 territory, but not at its intended place, move it out of there, so that we can work there. */
862 copy_fd[i] = fcntl(fd[i], F_DUPFD_CLOEXEC, 3); /* Duplicate this with O_CLOEXEC set */
863 if (copy_fd[i] < 0) {
864 r = -errno;
865 goto finish;
866 }
867
868 fd[i] = copy_fd[i];
869 }
870 }
871
872 /* At this point we now have the fds to use in fd[], and they are all above the stdio range, so that we
873 * have freedom to move them around. If the fds already were at the right places then the specific fds are
874 * -1. Let's now move them to the right places. This is the point of no return. */
875 for (i = 0; i < 3; i++) {
876
877 if (fd[i] == i) {
878
879 /* fd is already in place, but let's make sure O_CLOEXEC is off */
880 r = fd_cloexec(i, false);
881 if (r < 0)
882 goto finish;
883
884 } else {
885 assert(fd[i] > 2);
886
887 if (dup2(fd[i], i) < 0) { /* Turns off O_CLOEXEC on the new fd. */
888 r = -errno;
889 goto finish;
890 }
891 }
892 }
893
894 r = 0;
895
896 finish:
897 /* Close the original fds, but only if they were outside of the stdio range. Also, properly check for the same
898 * fd passed in multiple times. */
899 safe_close_above_stdio(original_input_fd);
900 if (original_output_fd != original_input_fd)
901 safe_close_above_stdio(original_output_fd);
902 if (original_error_fd != original_input_fd && original_error_fd != original_output_fd)
903 safe_close_above_stdio(original_error_fd);
904
905 /* Close the copies we moved > 2 */
906 for (i = 0; i < 3; i++)
907 safe_close(copy_fd[i]);
908
909 /* Close our null fd, if it's > 2 */
910 safe_close_above_stdio(null_fd);
911
912 return r;
913 }
914
915 int fd_reopen(int fd, int flags) {
916 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
917 int new_fd;
918
919 /* Reopens the specified fd with new flags. This is useful for convert an O_PATH fd into a regular one, or to
920 * turn O_RDWR fds into O_RDONLY fds.
921 *
922 * This doesn't work on sockets (since they cannot be open()ed, ever).
923 *
924 * This implicitly resets the file read index to 0. */
925
926 xsprintf(procfs_path, "/proc/self/fd/%i", fd);
927 new_fd = open(procfs_path, flags);
928 if (new_fd < 0)
929 return -errno;
930
931 return new_fd;
932 }
933
934 int read_nr_open(void) {
935 _cleanup_free_ char *nr_open = NULL;
936 int r;
937
938 /* Returns the kernel's current fd limit, either by reading it of /proc/sys if that works, or using the
939 * hard-coded default compiled-in value of current kernels (1M) if not. This call will never fail. */
940
941 r = read_one_line_file("/proc/sys/fs/nr_open", &nr_open);
942 if (r < 0)
943 log_debug_errno(r, "Failed to read /proc/sys/fs/nr_open, ignoring: %m");
944 else {
945 int v;
946
947 r = safe_atoi(nr_open, &v);
948 if (r < 0)
949 log_debug_errno(r, "Failed to parse /proc/sys/fs/nr_open value '%s', ignoring: %m", nr_open);
950 else
951 return v;
952 }
953
954 /* If we fail, fallback to the hard-coded kernel limit of 1024 * 1024. */
955 return 1024 * 1024;
956 }
Unnamed repository; edit this file 'description' to name the repository.