]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/basic/fileio.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
basic: spit out chase_symlinks() from fs-util.[ch] → chase-symlinks.[ch]
[thirdparty/systemd.git] / src / basic / fileio.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <ctype.h>
4 #include <errno.h>
5 #include <fcntl.h>
6 #include <limits.h>
7 #include <stdarg.h>
8 #include <stdint.h>
9 #include <stdio_ext.h>
10 #include <stdlib.h>
11 #include <sys/stat.h>
12 #include <sys/types.h>
13 #include <unistd.h>
14
15 #include "alloc-util.h"
16 #include "chase-symlinks.h"
17 #include "fd-util.h"
18 #include "fileio.h"
19 #include "fs-util.h"
20 #include "hexdecoct.h"
21 #include "log.h"
22 #include "macro.h"
23 #include "mkdir.h"
24 #include "parse-util.h"
25 #include "path-util.h"
26 #include "socket-util.h"
27 #include "stdio-util.h"
28 #include "string-util.h"
29 #include "sync-util.h"
30 #include "tmpfile-util.h"
31
32 /* The maximum size of the file we'll read in one go in read_full_file() (64M). */
33 #define READ_FULL_BYTES_MAX (64U*1024U*1024U - 1U)
34
35 /* The maximum size of virtual files (i.e. procfs, sysfs, and other virtual "API" files) we'll read in one go
36 * in read_virtual_file(). Note that this limit is different (and much lower) than the READ_FULL_BYTES_MAX
37 * limit. This reflects the fact that we use different strategies for reading virtual and regular files:
38 * virtual files we generally have to read in a single read() syscall since the kernel doesn't support
39 * continuation read()s for them. Thankfully they are somewhat size constrained. Thus we can allocate the
40 * full potential buffer in advance. Regular files OTOH can be much larger, and there we grow the allocations
41 * exponentially in a loop. We use a size limit of 4M-2 because 4M-1 is the maximum buffer that /proc/sys/
42 * allows us to read() (larger reads will fail with ENOMEM), and we want to read one extra byte so that we
43 * can detect EOFs. */
44 #define READ_VIRTUAL_BYTES_MAX (4U*1024U*1024U - 2U)
45
46 int fopen_unlocked(const char *path, const char *options, FILE **ret) {
47 assert(ret);
48
49 FILE *f = fopen(path, options);
50 if (!f)
51 return -errno;
52
53 (void) __fsetlocking(f, FSETLOCKING_BYCALLER);
54
55 *ret = f;
56 return 0;
57 }
58
59 int fdopen_unlocked(int fd, const char *options, FILE **ret) {
60 assert(ret);
61
62 FILE *f = fdopen(fd, options);
63 if (!f)
64 return -errno;
65
66 (void) __fsetlocking(f, FSETLOCKING_BYCALLER);
67
68 *ret = f;
69 return 0;
70 }
71
72 int take_fdopen_unlocked(int *fd, const char *options, FILE **ret) {
73 int r;
74
75 assert(fd);
76
77 r = fdopen_unlocked(*fd, options, ret);
78 if (r < 0)
79 return r;
80
81 *fd = -1;
82
83 return 0;
84 }
85
86 FILE* take_fdopen(int *fd, const char *options) {
87 assert(fd);
88
89 FILE *f = fdopen(*fd, options);
90 if (!f)
91 return NULL;
92
93 *fd = -1;
94
95 return f;
96 }
97
98 DIR* take_fdopendir(int *dfd) {
99 assert(dfd);
100
101 DIR *d = fdopendir(*dfd);
102 if (!d)
103 return NULL;
104
105 *dfd = -1;
106
107 return d;
108 }
109
110 FILE* open_memstream_unlocked(char **ptr, size_t *sizeloc) {
111 FILE *f = open_memstream(ptr, sizeloc);
112 if (!f)
113 return NULL;
114
115 (void) __fsetlocking(f, FSETLOCKING_BYCALLER);
116
117 return f;
118 }
119
120 FILE* fmemopen_unlocked(void *buf, size_t size, const char *mode) {
121 FILE *f = fmemopen(buf, size, mode);
122 if (!f)
123 return NULL;
124
125 (void) __fsetlocking(f, FSETLOCKING_BYCALLER);
126
127 return f;
128 }
129
130 int write_string_stream_ts(
131 FILE *f,
132 const char *line,
133 WriteStringFileFlags flags,
134 const struct timespec *ts) {
135
136 bool needs_nl;
137 int r, fd = -1;
138
139 assert(f);
140 assert(line);
141
142 if (ferror(f))
143 return -EIO;
144
145 if (ts) {
146 /* If we shall set the timestamp we need the fd. But fmemopen() streams generally don't have
147 * an fd. Let's fail early in that case. */
148 fd = fileno(f);
149 if (fd < 0)
150 return -EBADF;
151 }
152
153 if (flags & WRITE_STRING_FILE_SUPPRESS_REDUNDANT_VIRTUAL) {
154 _cleanup_free_ char *t = NULL;
155
156 /* If value to be written is same as that of the existing value, then suppress the write. */
157
158 if (fd < 0) {
159 fd = fileno(f);
160 if (fd < 0)
161 return -EBADF;
162 }
163
164 /* Read an additional byte to detect cases where the prefix matches but the rest
165 * doesn't. Also, 0 returned by read_virtual_file_fd() means the read was truncated and
166 * it won't be equal to the new value. */
167 if (read_virtual_file_fd(fd, strlen(line)+1, &t, NULL) > 0 &&
168 streq_skip_trailing_chars(line, t, NEWLINE)) {
169 log_debug("No change in value '%s', supressing write", line);
170 return 0;
171 }
172
173 if (lseek(fd, 0, SEEK_SET) < 0)
174 return -errno;
175 }
176
177 needs_nl = !(flags & WRITE_STRING_FILE_AVOID_NEWLINE) && !endswith(line, "\n");
178
179 if (needs_nl && (flags & WRITE_STRING_FILE_DISABLE_BUFFER)) {
180 /* If STDIO buffering was disabled, then let's append the newline character to the string
181 * itself, so that the write goes out in one go, instead of two */
182
183 line = strjoina(line, "\n");
184 needs_nl = false;
185 }
186
187 if (fputs(line, f) == EOF)
188 return -errno;
189
190 if (needs_nl)
191 if (fputc('\n', f) == EOF)
192 return -errno;
193
194 if (flags & WRITE_STRING_FILE_SYNC)
195 r = fflush_sync_and_check(f);
196 else
197 r = fflush_and_check(f);
198 if (r < 0)
199 return r;
200
201 if (ts) {
202 const struct timespec twice[2] = {*ts, *ts};
203
204 assert(fd >= 0);
205 if (futimens(fd, twice) < 0)
206 return -errno;
207 }
208
209 return 0;
210 }
211
212 static int write_string_file_atomic(
213 const char *fn,
214 const char *line,
215 WriteStringFileFlags flags,
216 const struct timespec *ts) {
217
218 _cleanup_fclose_ FILE *f = NULL;
219 _cleanup_free_ char *p = NULL;
220 int r;
221
222 assert(fn);
223 assert(line);
224
225 /* Note that we'd really like to use O_TMPFILE here, but can't really, since we want replacement
226 * semantics here, and O_TMPFILE can't offer that. i.e. rename() replaces but linkat() doesn't. */
227
228 r = fopen_temporary(fn, &f, &p);
229 if (r < 0)
230 return r;
231
232 r = write_string_stream_ts(f, line, flags, ts);
233 if (r < 0)
234 goto fail;
235
236 r = fchmod_umask(fileno(f), FLAGS_SET(flags, WRITE_STRING_FILE_MODE_0600) ? 0600 : 0644);
237 if (r < 0)
238 goto fail;
239
240 if (rename(p, fn) < 0) {
241 r = -errno;
242 goto fail;
243 }
244
245 if (FLAGS_SET(flags, WRITE_STRING_FILE_SYNC)) {
246 /* Sync the rename, too */
247 r = fsync_directory_of_file(fileno(f));
248 if (r < 0)
249 return r;
250 }
251
252 return 0;
253
254 fail:
255 (void) unlink(p);
256 return r;
257 }
258
259 int write_string_file_ts(
260 const char *fn,
261 const char *line,
262 WriteStringFileFlags flags,
263 const struct timespec *ts) {
264
265 _cleanup_fclose_ FILE *f = NULL;
266 int q, r, fd;
267
268 assert(fn);
269 assert(line);
270
271 /* We don't know how to verify whether the file contents was already on-disk. */
272 assert(!((flags & WRITE_STRING_FILE_VERIFY_ON_FAILURE) && (flags & WRITE_STRING_FILE_SYNC)));
273
274 if (flags & WRITE_STRING_FILE_MKDIR_0755) {
275 r = mkdir_parents(fn, 0755);
276 if (r < 0)
277 return r;
278 }
279
280 if (flags & WRITE_STRING_FILE_ATOMIC) {
281 assert(flags & WRITE_STRING_FILE_CREATE);
282
283 r = write_string_file_atomic(fn, line, flags, ts);
284 if (r < 0)
285 goto fail;
286
287 return r;
288 } else
289 assert(!ts);
290
291 /* We manually build our own version of fopen(..., "we") that works without O_CREAT and with O_NOFOLLOW if needed. */
292 fd = open(fn, O_CLOEXEC|O_NOCTTY |
293 (FLAGS_SET(flags, WRITE_STRING_FILE_NOFOLLOW) ? O_NOFOLLOW : 0) |
294 (FLAGS_SET(flags, WRITE_STRING_FILE_CREATE) ? O_CREAT : 0) |
295 (FLAGS_SET(flags, WRITE_STRING_FILE_TRUNCATE) ? O_TRUNC : 0) |
296 (FLAGS_SET(flags, WRITE_STRING_FILE_SUPPRESS_REDUNDANT_VIRTUAL) ? O_RDWR : O_WRONLY),
297 (FLAGS_SET(flags, WRITE_STRING_FILE_MODE_0600) ? 0600 : 0666));
298 if (fd < 0) {
299 r = -errno;
300 goto fail;
301 }
302
303 r = fdopen_unlocked(fd, "w", &f);
304 if (r < 0) {
305 safe_close(fd);
306 goto fail;
307 }
308
309 if (flags & WRITE_STRING_FILE_DISABLE_BUFFER)
310 setvbuf(f, NULL, _IONBF, 0);
311
312 r = write_string_stream_ts(f, line, flags, ts);
313 if (r < 0)
314 goto fail;
315
316 return 0;
317
318 fail:
319 if (!(flags & WRITE_STRING_FILE_VERIFY_ON_FAILURE))
320 return r;
321
322 f = safe_fclose(f);
323
324 /* OK, the operation failed, but let's see if the right
325 * contents in place already. If so, eat up the error. */
326
327 q = verify_file(fn, line, !(flags & WRITE_STRING_FILE_AVOID_NEWLINE) || (flags & WRITE_STRING_FILE_VERIFY_IGNORE_NEWLINE));
328 if (q <= 0)
329 return r;
330
331 return 0;
332 }
333
334 int write_string_filef(
335 const char *fn,
336 WriteStringFileFlags flags,
337 const char *format, ...) {
338
339 _cleanup_free_ char *p = NULL;
340 va_list ap;
341 int r;
342
343 va_start(ap, format);
344 r = vasprintf(&p, format, ap);
345 va_end(ap);
346
347 if (r < 0)
348 return -ENOMEM;
349
350 return write_string_file(fn, p, flags);
351 }
352
353 int read_one_line_file(const char *fn, char **line) {
354 _cleanup_fclose_ FILE *f = NULL;
355 int r;
356
357 assert(fn);
358 assert(line);
359
360 r = fopen_unlocked(fn, "re", &f);
361 if (r < 0)
362 return r;
363
364 return read_line(f, LONG_LINE_MAX, line);
365 }
366
367 int verify_file(const char *fn, const char *blob, bool accept_extra_nl) {
368 _cleanup_fclose_ FILE *f = NULL;
369 _cleanup_free_ char *buf = NULL;
370 size_t l, k;
371 int r;
372
373 assert(fn);
374 assert(blob);
375
376 l = strlen(blob);
377
378 if (accept_extra_nl && endswith(blob, "\n"))
379 accept_extra_nl = false;
380
381 buf = malloc(l + accept_extra_nl + 1);
382 if (!buf)
383 return -ENOMEM;
384
385 r = fopen_unlocked(fn, "re", &f);
386 if (r < 0)
387 return r;
388
389 /* We try to read one byte more than we need, so that we know whether we hit eof */
390 errno = 0;
391 k = fread(buf, 1, l + accept_extra_nl + 1, f);
392 if (ferror(f))
393 return errno_or_else(EIO);
394
395 if (k != l && k != l + accept_extra_nl)
396 return 0;
397 if (memcmp(buf, blob, l) != 0)
398 return 0;
399 if (k > l && buf[l] != '\n')
400 return 0;
401
402 return 1;
403 }
404
405 int read_virtual_file_fd(int fd, size_t max_size, char **ret_contents, size_t *ret_size) {
406 _cleanup_free_ char *buf = NULL;
407 size_t n, size;
408 int n_retries;
409 bool truncated = false;
410
411 /* Virtual filesystems such as sysfs or procfs use kernfs, and kernfs can work with two sorts of
412 * virtual files. One sort uses "seq_file", and the results of the first read are buffered for the
413 * second read. The other sort uses "raw" reads which always go direct to the device. In the latter
414 * case, the content of the virtual file must be retrieved with a single read otherwise a second read
415 * might get the new value instead of finding EOF immediately. That's the reason why the usage of
416 * fread(3) is prohibited in this case as it always performs a second call to read(2) looking for
417 * EOF. See issue #13585.
418 *
419 * max_size specifies a limit on the bytes read. If max_size is SIZE_MAX, the full file is read. If
420 * the full file is too large to read, an error is returned. For other values of max_size, *partial
421 * contents* may be returned. (Though the read is still done using one syscall.) Returns 0 on
422 * partial success, 1 if untruncated contents were read. */
423
424 assert(fd >= 0);
425 assert(max_size <= READ_VIRTUAL_BYTES_MAX || max_size == SIZE_MAX);
426
427 /* Limit the number of attempts to read the number of bytes returned by fstat(). */
428 n_retries = 3;
429
430 for (;;) {
431 struct stat st;
432
433 if (fstat(fd, &st) < 0)
434 return -errno;
435
436 if (!S_ISREG(st.st_mode))
437 return -EBADF;
438
439 /* Be prepared for files from /proc which generally report a file size of 0. */
440 assert_cc(READ_VIRTUAL_BYTES_MAX < SSIZE_MAX);
441 if (st.st_size > 0 && n_retries > 1) {
442 /* Let's use the file size if we have more than 1 attempt left. On the last attempt
443 * we'll ignore the file size */
444
445 if (st.st_size > SSIZE_MAX) { /* Avoid overflow with 32-bit size_t and 64-bit off_t. */
446
447 if (max_size == SIZE_MAX)
448 return -EFBIG;
449
450 size = max_size;
451 } else {
452 size = MIN((size_t) st.st_size, max_size);
453
454 if (size > READ_VIRTUAL_BYTES_MAX)
455 return -EFBIG;
456 }
457
458 n_retries--;
459 } else if (n_retries > 1) {
460 /* Files in /proc are generally smaller than the page size so let's start with
461 * a page size buffer from malloc and only use the max buffer on the final try. */
462 size = MIN3(page_size() - 1, READ_VIRTUAL_BYTES_MAX, max_size);
463 n_retries = 1;
464 } else {
465 size = MIN(READ_VIRTUAL_BYTES_MAX, max_size);
466 n_retries = 0;
467 }
468
469 buf = malloc(size + 1);
470 if (!buf)
471 return -ENOMEM;
472
473 /* Use a bigger allocation if we got it anyway, but not more than the limit. */
474 size = MIN3(MALLOC_SIZEOF_SAFE(buf) - 1, max_size, READ_VIRTUAL_BYTES_MAX);
475
476 for (;;) {
477 ssize_t k;
478
479 /* Read one more byte so we can detect whether the content of the
480 * file has already changed or the guessed size for files from /proc
481 * wasn't large enough . */
482 k = read(fd, buf, size + 1);
483 if (k >= 0) {
484 n = k;
485 break;
486 }
487
488 if (errno != EINTR)
489 return -errno;
490 }
491
492 /* Consider a short read as EOF */
493 if (n <= size)
494 break;
495
496 /* If a maximum size is specified and we already read more we know the file is larger, and
497 * can handle this as truncation case. Note that if the size of what we read equals the
498 * maximum size then this doesn't mean truncation, the file might or might not end on that
499 * byte. We need to rerun the loop in that case, with a larger buffer size, so that we read
500 * at least one more byte to be able to distinguish EOF from truncation. */
501 if (max_size != SIZE_MAX && n > max_size) {
502 n = size; /* Make sure we never use more than what we sized the buffer for (so that
503 * we have one free byte in it for the trailing NUL we add below).*/
504 truncated = true;
505 break;
506 }
507
508 /* We have no further attempts left? Then the file is apparently larger than our limits. Give up. */
509 if (n_retries <= 0)
510 return -EFBIG;
511
512 /* Hmm... either we read too few bytes from /proc or less likely the content of the file
513 * might have been changed (and is now bigger) while we were processing, let's try again
514 * either with the new file size. */
515
516 if (lseek(fd, 0, SEEK_SET) < 0)
517 return -errno;
518
519 buf = mfree(buf);
520 }
521
522 if (ret_contents) {
523
524 /* Safety check: if the caller doesn't want to know the size of what we just read it will
525 * rely on the trailing NUL byte. But if there's an embedded NUL byte, then we should refuse
526 * operation as otherwise there'd be ambiguity about what we just read. */
527 if (!ret_size && memchr(buf, 0, n))
528 return -EBADMSG;
529
530 if (n < size) {
531 char *p;
532
533 /* Return rest of the buffer to libc */
534 p = realloc(buf, n + 1);
535 if (!p)
536 return -ENOMEM;
537 buf = p;
538 }
539
540 buf[n] = 0;
541 *ret_contents = TAKE_PTR(buf);
542 }
543
544 if (ret_size)
545 *ret_size = n;
546
547 return !truncated;
548 }
549
550 int read_virtual_file(const char *filename, size_t max_size, char **ret_contents, size_t *ret_size) {
551 _cleanup_close_ int fd = -1;
552
553 assert(filename);
554
555 fd = open(filename, O_RDONLY | O_NOCTTY | O_CLOEXEC);
556 if (fd < 0)
557 return -errno;
558
559 return read_virtual_file_fd(fd, max_size, ret_contents, ret_size);
560 }
561
562 int read_full_stream_full(
563 FILE *f,
564 const char *filename,
565 uint64_t offset,
566 size_t size,
567 ReadFullFileFlags flags,
568 char **ret_contents,
569 size_t *ret_size) {
570
571 _cleanup_free_ char *buf = NULL;
572 size_t n, n_next = 0, l;
573 int fd, r;
574
575 assert(f);
576 assert(ret_contents);
577 assert(!FLAGS_SET(flags, READ_FULL_FILE_UNBASE64 | READ_FULL_FILE_UNHEX));
578 assert(size != SIZE_MAX || !FLAGS_SET(flags, READ_FULL_FILE_FAIL_WHEN_LARGER));
579
580 if (offset != UINT64_MAX && offset > LONG_MAX) /* fseek() can only deal with "long" offsets */
581 return -ERANGE;
582
583 fd = fileno(f);
584 if (fd >= 0) { /* If the FILE* object is backed by an fd (as opposed to memory or such, see
585 * fmemopen()), let's optimize our buffering */
586 struct stat st;
587
588 if (fstat(fd, &st) < 0)
589 return -errno;
590
591 if (S_ISREG(st.st_mode)) {
592
593 /* Try to start with the right file size if we shall read the file in full. Note
594 * that we increase the size to read here by one, so that the first read attempt
595 * already makes us notice the EOF. If the reported size of the file is zero, we
596 * avoid this logic however, since quite likely it might be a virtual file in procfs
597 * that all report a zero file size. */
598
599 if (st.st_size > 0 &&
600 (size == SIZE_MAX || FLAGS_SET(flags, READ_FULL_FILE_FAIL_WHEN_LARGER))) {
601
602 uint64_t rsize =
603 LESS_BY((uint64_t) st.st_size, offset == UINT64_MAX ? 0 : offset);
604
605 if (rsize < SIZE_MAX) /* overflow check */
606 n_next = rsize + 1;
607 }
608
609 if (flags & READ_FULL_FILE_WARN_WORLD_READABLE)
610 (void) warn_file_is_world_accessible(filename, &st, NULL, 0);
611 }
612 }
613
614 /* If we don't know how much to read, figure it out now. If we shall read a part of the file, then
615 * allocate the requested size. If we shall load the full file start with LINE_MAX. Note that if
616 * READ_FULL_FILE_FAIL_WHEN_LARGER we consider the specified size a safety limit, and thus also start
617 * with LINE_MAX, under assumption the file is most likely much shorter. */
618 if (n_next == 0)
619 n_next = size != SIZE_MAX && !FLAGS_SET(flags, READ_FULL_FILE_FAIL_WHEN_LARGER) ? size : LINE_MAX;
620
621 /* Never read more than we need to determine that our own limit is hit */
622 if (n_next > READ_FULL_BYTES_MAX)
623 n_next = READ_FULL_BYTES_MAX + 1;
624
625 if (offset != UINT64_MAX && fseek(f, offset, SEEK_SET) < 0)
626 return -errno;
627
628 n = l = 0;
629 for (;;) {
630 char *t;
631 size_t k;
632
633 /* If we shall fail when reading overly large data, then read exactly one byte more than the
634 * specified size at max, since that'll tell us if there's anymore data beyond the limit*/
635 if (FLAGS_SET(flags, READ_FULL_FILE_FAIL_WHEN_LARGER) && n_next > size)
636 n_next = size + 1;
637
638 if (flags & READ_FULL_FILE_SECURE) {
639 t = malloc(n_next + 1);
640 if (!t) {
641 r = -ENOMEM;
642 goto finalize;
643 }
644 memcpy_safe(t, buf, n);
645 explicit_bzero_safe(buf, n);
646 free(buf);
647 } else {
648 t = realloc(buf, n_next + 1);
649 if (!t)
650 return -ENOMEM;
651 }
652
653 buf = t;
654 /* Unless a size has been explicitly specified, try to read as much as fits into the memory
655 * we allocated (minus 1, to leave one byte for the safety NUL byte) */
656 n = size == SIZE_MAX ? MALLOC_SIZEOF_SAFE(buf) - 1 : n_next;
657
658 errno = 0;
659 k = fread(buf + l, 1, n - l, f);
660
661 assert(k <= n - l);
662 l += k;
663
664 if (ferror(f)) {
665 r = errno_or_else(EIO);
666 goto finalize;
667 }
668 if (feof(f))
669 break;
670
671 if (size != SIZE_MAX && !FLAGS_SET(flags, READ_FULL_FILE_FAIL_WHEN_LARGER)) { /* If we got asked to read some specific size, we already sized the buffer right, hence leave */
672 assert(l == size);
673 break;
674 }
675
676 assert(k > 0); /* we can't have read zero bytes because that would have been EOF */
677
678 if (FLAGS_SET(flags, READ_FULL_FILE_FAIL_WHEN_LARGER) && l > size) {
679 r = -E2BIG;
680 goto finalize;
681 }
682
683 if (n >= READ_FULL_BYTES_MAX) {
684 r = -E2BIG;
685 goto finalize;
686 }
687
688 n_next = MIN(n * 2, READ_FULL_BYTES_MAX);
689 }
690
691 if (flags & (READ_FULL_FILE_UNBASE64 | READ_FULL_FILE_UNHEX)) {
692 _cleanup_free_ void *decoded = NULL;
693 size_t decoded_size;
694
695 buf[l++] = 0;
696 if (flags & READ_FULL_FILE_UNBASE64)
697 r = unbase64mem_full(buf, l, flags & READ_FULL_FILE_SECURE, &decoded, &decoded_size);
698 else
699 r = unhexmem_full(buf, l, flags & READ_FULL_FILE_SECURE, &decoded, &decoded_size);
700 if (r < 0)
701 goto finalize;
702
703 if (flags & READ_FULL_FILE_SECURE)
704 explicit_bzero_safe(buf, n);
705 free_and_replace(buf, decoded);
706 n = l = decoded_size;
707 }
708
709 if (!ret_size) {
710 /* Safety check: if the caller doesn't want to know the size of what we just read it will rely on the
711 * trailing NUL byte. But if there's an embedded NUL byte, then we should refuse operation as otherwise
712 * there'd be ambiguity about what we just read. */
713
714 if (memchr(buf, 0, l)) {
715 r = -EBADMSG;
716 goto finalize;
717 }
718 }
719
720 buf[l] = 0;
721 *ret_contents = TAKE_PTR(buf);
722
723 if (ret_size)
724 *ret_size = l;
725
726 return 0;
727
728 finalize:
729 if (flags & READ_FULL_FILE_SECURE)
730 explicit_bzero_safe(buf, n);
731
732 return r;
733 }
734
735 int read_full_file_full(
736 int dir_fd,
737 const char *filename,
738 uint64_t offset,
739 size_t size,
740 ReadFullFileFlags flags,
741 const char *bind_name,
742 char **ret_contents,
743 size_t *ret_size) {
744
745 _cleanup_fclose_ FILE *f = NULL;
746 int r;
747
748 assert(filename);
749 assert(ret_contents);
750
751 r = xfopenat(dir_fd, filename, "re", 0, &f);
752 if (r < 0) {
753 _cleanup_close_ int dfd = -1, sk = -1;
754 union sockaddr_union sa;
755
756 /* ENXIO is what Linux returns if we open a node that is an AF_UNIX socket */
757 if (r != -ENXIO)
758 return r;
759
760 /* If this is enabled, let's try to connect to it */
761 if (!FLAGS_SET(flags, READ_FULL_FILE_CONNECT_SOCKET))
762 return -ENXIO;
763
764 /* Seeking is not supported on AF_UNIX sockets */
765 if (offset != UINT64_MAX)
766 return -ESPIPE;
767
768 if (dir_fd == AT_FDCWD)
769 r = sockaddr_un_set_path(&sa.un, filename);
770 else {
771 /* If we shall operate relative to some directory, then let's use O_PATH first to
772 * open the socket inode, and then connect to it via /proc/self/fd/. We have to do
773 * this since there's not connectat() that takes a directory fd as first arg. */
774
775 dfd = openat(dir_fd, filename, O_PATH|O_CLOEXEC);
776 if (dfd < 0)
777 return -errno;
778
779 r = sockaddr_un_set_path(&sa.un, FORMAT_PROC_FD_PATH(dfd));
780 }
781 if (r < 0)
782 return r;
783
784 sk = socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0);
785 if (sk < 0)
786 return -errno;
787
788 if (bind_name) {
789 /* If the caller specified a socket name to bind to, do so before connecting. This is
790 * useful to communicate some minor, short meta-information token from the client to
791 * the server. */
792 union sockaddr_union bsa;
793
794 r = sockaddr_un_set_path(&bsa.un, bind_name);
795 if (r < 0)
796 return r;
797
798 if (bind(sk, &bsa.sa, r) < 0)
799 return r;
800 }
801
802 if (connect(sk, &sa.sa, SOCKADDR_UN_LEN(sa.un)) < 0)
803 return errno == ENOTSOCK ? -ENXIO : -errno; /* propagate original error if this is
804 * not a socket after all */
805
806 if (shutdown(sk, SHUT_WR) < 0)
807 return -errno;
808
809 f = fdopen(sk, "r");
810 if (!f)
811 return -errno;
812
813 TAKE_FD(sk);
814 }
815
816 (void) __fsetlocking(f, FSETLOCKING_BYCALLER);
817
818 return read_full_stream_full(f, filename, offset, size, flags, ret_contents, ret_size);
819 }
820
821 int executable_is_script(const char *path, char **interpreter) {
822 _cleanup_free_ char *line = NULL;
823 size_t len;
824 char *ans;
825 int r;
826
827 assert(path);
828
829 r = read_one_line_file(path, &line);
830 if (r == -ENOBUFS) /* First line overly long? if so, then it's not a script */
831 return 0;
832 if (r < 0)
833 return r;
834
835 if (!startswith(line, "#!"))
836 return 0;
837
838 ans = strstrip(line + 2);
839 len = strcspn(ans, " \t");
840
841 if (len == 0)
842 return 0;
843
844 ans = strndup(ans, len);
845 if (!ans)
846 return -ENOMEM;
847
848 *interpreter = ans;
849 return 1;
850 }
851
852 /**
853 * Retrieve one field from a file like /proc/self/status. pattern
854 * should not include whitespace or the delimiter (':'). pattern matches only
855 * the beginning of a line. Whitespace before ':' is skipped. Whitespace and
856 * zeros after the ':' will be skipped. field must be freed afterwards.
857 * terminator specifies the terminating characters of the field value (not
858 * included in the value).
859 */
860 int get_proc_field(const char *filename, const char *pattern, const char *terminator, char **field) {
861 _cleanup_free_ char *status = NULL;
862 char *t, *f;
863 size_t len;
864 int r;
865
866 assert(terminator);
867 assert(filename);
868 assert(pattern);
869 assert(field);
870
871 r = read_full_virtual_file(filename, &status, NULL);
872 if (r < 0)
873 return r;
874
875 t = status;
876
877 do {
878 bool pattern_ok;
879
880 do {
881 t = strstr(t, pattern);
882 if (!t)
883 return -ENOENT;
884
885 /* Check that pattern occurs in beginning of line. */
886 pattern_ok = (t == status || t[-1] == '\n');
887
888 t += strlen(pattern);
889
890 } while (!pattern_ok);
891
892 t += strspn(t, " \t");
893 if (!*t)
894 return -ENOENT;
895
896 } while (*t != ':');
897
898 t++;
899
900 if (*t) {
901 t += strspn(t, " \t");
902
903 /* Also skip zeros, because when this is used for
904 * capabilities, we don't want the zeros. This way the
905 * same capability set always maps to the same string,
906 * irrespective of the total capability set size. For
907 * other numbers it shouldn't matter. */
908 t += strspn(t, "0");
909 /* Back off one char if there's nothing but whitespace
910 and zeros */
911 if (!*t || isspace(*t))
912 t--;
913 }
914
915 len = strcspn(t, terminator);
916
917 f = strndup(t, len);
918 if (!f)
919 return -ENOMEM;
920
921 *field = f;
922 return 0;
923 }
924
925 DIR *xopendirat(int fd, const char *name, int flags) {
926 int nfd;
927 DIR *d;
928
929 assert(!(flags & O_CREAT));
930
931 nfd = openat(fd, name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|flags, 0);
932 if (nfd < 0)
933 return NULL;
934
935 d = fdopendir(nfd);
936 if (!d) {
937 safe_close(nfd);
938 return NULL;
939 }
940
941 return d;
942 }
943
944 static int mode_to_flags(const char *mode) {
945 const char *p;
946 int flags;
947
948 if ((p = startswith(mode, "r+")))
949 flags = O_RDWR;
950 else if ((p = startswith(mode, "r")))
951 flags = O_RDONLY;
952 else if ((p = startswith(mode, "w+")))
953 flags = O_RDWR|O_CREAT|O_TRUNC;
954 else if ((p = startswith(mode, "w")))
955 flags = O_WRONLY|O_CREAT|O_TRUNC;
956 else if ((p = startswith(mode, "a+")))
957 flags = O_RDWR|O_CREAT|O_APPEND;
958 else if ((p = startswith(mode, "a")))
959 flags = O_WRONLY|O_CREAT|O_APPEND;
960 else
961 return -EINVAL;
962
963 for (; *p != 0; p++) {
964
965 switch (*p) {
966
967 case 'e':
968 flags |= O_CLOEXEC;
969 break;
970
971 case 'x':
972 flags |= O_EXCL;
973 break;
974
975 case 'm':
976 /* ignore this here, fdopen() might care later though */
977 break;
978
979 case 'c': /* not sure what to do about this one */
980 default:
981 return -EINVAL;
982 }
983 }
984
985 return flags;
986 }
987
988 int xfopenat(int dir_fd, const char *path, const char *mode, int flags, FILE **ret) {
989 FILE *f;
990
991 /* A combination of fopen() with openat() */
992
993 if (dir_fd == AT_FDCWD && flags == 0) {
994 f = fopen(path, mode);
995 if (!f)
996 return -errno;
997 } else {
998 int fd, mode_flags;
999
1000 mode_flags = mode_to_flags(mode);
1001 if (mode_flags < 0)
1002 return mode_flags;
1003
1004 fd = openat(dir_fd, path, mode_flags | flags);
1005 if (fd < 0)
1006 return -errno;
1007
1008 f = fdopen(fd, mode);
1009 if (!f) {
1010 safe_close(fd);
1011 return -errno;
1012 }
1013 }
1014
1015 *ret = f;
1016 return 0;
1017 }
1018
1019 static int search_and_fopen_internal(
1020 const char *path,
1021 const char *mode,
1022 const char *root,
1023 char **search,
1024 FILE **ret,
1025 char **ret_path) {
1026
1027 char **i;
1028
1029 assert(path);
1030 assert(mode);
1031 assert(ret);
1032
1033 if (!path_strv_resolve_uniq(search, root))
1034 return -ENOMEM;
1035
1036 STRV_FOREACH(i, search) {
1037 _cleanup_free_ char *p = NULL;
1038 FILE *f;
1039
1040 p = path_join(root, *i, path);
1041 if (!p)
1042 return -ENOMEM;
1043
1044 f = fopen(p, mode);
1045 if (f) {
1046 if (ret_path)
1047 *ret_path = path_simplify(TAKE_PTR(p));
1048
1049 *ret = f;
1050 return 0;
1051 }
1052
1053 if (errno != ENOENT)
1054 return -errno;
1055 }
1056
1057 return -ENOENT;
1058 }
1059
1060 int search_and_fopen(
1061 const char *filename,
1062 const char *mode,
1063 const char *root,
1064 const char **search,
1065 FILE **ret,
1066 char **ret_path) {
1067
1068 _cleanup_strv_free_ char **copy = NULL;
1069
1070 assert(filename);
1071 assert(mode);
1072 assert(ret);
1073
1074 if (path_is_absolute(filename)) {
1075 _cleanup_fclose_ FILE *f = NULL;
1076
1077 f = fopen(filename, mode);
1078 if (!f)
1079 return -errno;
1080
1081 if (ret_path) {
1082 char *p;
1083
1084 p = strdup(filename);
1085 if (!p)
1086 return -ENOMEM;
1087
1088 *ret_path = path_simplify(p);
1089 }
1090
1091 *ret = TAKE_PTR(f);
1092 return 0;
1093 }
1094
1095 copy = strv_copy((char**) search);
1096 if (!copy)
1097 return -ENOMEM;
1098
1099 return search_and_fopen_internal(filename, mode, root, copy, ret, ret_path);
1100 }
1101
1102 int search_and_fopen_nulstr(
1103 const char *filename,
1104 const char *mode,
1105 const char *root,
1106 const char *search,
1107 FILE **ret,
1108 char **ret_path) {
1109
1110 _cleanup_strv_free_ char **s = NULL;
1111
1112 if (path_is_absolute(filename)) {
1113 _cleanup_fclose_ FILE *f = NULL;
1114
1115 f = fopen(filename, mode);
1116 if (!f)
1117 return -errno;
1118
1119 if (ret_path) {
1120 char *p;
1121
1122 p = strdup(filename);
1123 if (!p)
1124 return -ENOMEM;
1125
1126 *ret_path = path_simplify(p);
1127 }
1128
1129 *ret = TAKE_PTR(f);
1130 return 0;
1131 }
1132
1133 s = strv_split_nulstr(search);
1134 if (!s)
1135 return -ENOMEM;
1136
1137 return search_and_fopen_internal(filename, mode, root, s, ret, ret_path);
1138 }
1139
1140 int chase_symlinks_and_fopen_unlocked(
1141 const char *path,
1142 const char *root,
1143 unsigned chase_flags,
1144 const char *open_flags,
1145 FILE **ret_file,
1146 char **ret_path) {
1147
1148 _cleanup_close_ int fd = -1;
1149 _cleanup_free_ char *final_path = NULL;
1150 int mode_flags, r;
1151
1152 assert(path);
1153 assert(open_flags);
1154 assert(ret_file);
1155
1156 mode_flags = mode_to_flags(open_flags);
1157 if (mode_flags < 0)
1158 return mode_flags;
1159
1160 fd = chase_symlinks_and_open(path, root, chase_flags, mode_flags, ret_path ? &final_path : NULL);
1161 if (fd < 0)
1162 return fd;
1163
1164 r = take_fdopen_unlocked(&fd, open_flags, ret_file);
1165 if (r < 0)
1166 return r;
1167
1168 if (ret_path)
1169 *ret_path = TAKE_PTR(final_path);
1170 return 0;
1171 }
1172
1173 int fflush_and_check(FILE *f) {
1174 assert(f);
1175
1176 errno = 0;
1177 fflush(f);
1178
1179 if (ferror(f))
1180 return errno_or_else(EIO);
1181
1182 return 0;
1183 }
1184
1185 int fflush_sync_and_check(FILE *f) {
1186 int r, fd;
1187
1188 assert(f);
1189
1190 r = fflush_and_check(f);
1191 if (r < 0)
1192 return r;
1193
1194 /* Not all file streams have an fd associated (think: fmemopen()), let's handle this gracefully and
1195 * assume that in that case we need no explicit syncing */
1196 fd = fileno(f);
1197 if (fd < 0)
1198 return 0;
1199
1200 r = fsync_full(fd);
1201 if (r < 0)
1202 return r;
1203
1204 return 0;
1205 }
1206
1207 int write_timestamp_file_atomic(const char *fn, usec_t n) {
1208 char ln[DECIMAL_STR_MAX(n)+2];
1209
1210 /* Creates a "timestamp" file, that contains nothing but a
1211 * usec_t timestamp, formatted in ASCII. */
1212
1213 if (n <= 0 || n >= USEC_INFINITY)
1214 return -ERANGE;
1215
1216 xsprintf(ln, USEC_FMT "\n", n);
1217
1218 return write_string_file(fn, ln, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_ATOMIC);
1219 }
1220
1221 int read_timestamp_file(const char *fn, usec_t *ret) {
1222 _cleanup_free_ char *ln = NULL;
1223 uint64_t t;
1224 int r;
1225
1226 r = read_one_line_file(fn, &ln);
1227 if (r < 0)
1228 return r;
1229
1230 r = safe_atou64(ln, &t);
1231 if (r < 0)
1232 return r;
1233
1234 if (t <= 0 || t >= (uint64_t) USEC_INFINITY)
1235 return -ERANGE;
1236
1237 *ret = (usec_t) t;
1238 return 0;
1239 }
1240
1241 int fputs_with_space(FILE *f, const char *s, const char *separator, bool *space) {
1242 int r;
1243
1244 assert(s);
1245
1246 /* Outputs the specified string with fputs(), but optionally prefixes it with a separator. The *space parameter
1247 * when specified shall initially point to a boolean variable initialized to false. It is set to true after the
1248 * first invocation. This call is supposed to be use in loops, where a separator shall be inserted between each
1249 * element, but not before the first one. */
1250
1251 if (!f)
1252 f = stdout;
1253
1254 if (space) {
1255 if (!separator)
1256 separator = " ";
1257
1258 if (*space) {
1259 r = fputs(separator, f);
1260 if (r < 0)
1261 return r;
1262 }
1263
1264 *space = true;
1265 }
1266
1267 return fputs(s, f);
1268 }
1269
1270 /* A bitmask of the EOL markers we know */
1271 typedef enum EndOfLineMarker {
1272 EOL_NONE = 0,
1273 EOL_ZERO = 1 << 0, /* \0 (aka NUL) */
1274 EOL_TEN = 1 << 1, /* \n (aka NL, aka LF) */
1275 EOL_THIRTEEN = 1 << 2, /* \r (aka CR) */
1276 } EndOfLineMarker;
1277
1278 static EndOfLineMarker categorize_eol(char c, ReadLineFlags flags) {
1279
1280 if (!IN_SET(flags, READ_LINE_ONLY_NUL)) {
1281 if (c == '\n')
1282 return EOL_TEN;
1283 if (c == '\r')
1284 return EOL_THIRTEEN;
1285 }
1286
1287 if (c == '\0')
1288 return EOL_ZERO;
1289
1290 return EOL_NONE;
1291 }
1292
1293 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(FILE*, funlockfile, NULL);
1294
1295 int read_line_full(FILE *f, size_t limit, ReadLineFlags flags, char **ret) {
1296 _cleanup_free_ char *buffer = NULL;
1297 size_t n = 0, count = 0;
1298 int r;
1299
1300 assert(f);
1301
1302 /* Something like a bounded version of getline().
1303 *
1304 * Considers EOF, \n, \r and \0 end of line delimiters (or combinations of these), and does not include these
1305 * delimiters in the string returned. Specifically, recognizes the following combinations of markers as line
1306 * endings:
1307 *
1308 * • \n (UNIX)
1309 * • \r (old MacOS)
1310 * • \0 (C strings)
1311 * • \n\0
1312 * • \r\0
1313 * • \r\n (Windows)
1314 * • \n\r
1315 * • \r\n\0
1316 * • \n\r\0
1317 *
1318 * Returns the number of bytes read from the files (i.e. including delimiters — this hence usually differs from
1319 * the number of characters in the returned string). When EOF is hit, 0 is returned.
1320 *
1321 * The input parameter limit is the maximum numbers of characters in the returned string, i.e. excluding
1322 * delimiters. If the limit is hit we fail and return -ENOBUFS.
1323 *
1324 * If a line shall be skipped ret may be initialized as NULL. */
1325
1326 if (ret) {
1327 if (!GREEDY_REALLOC(buffer, 1))
1328 return -ENOMEM;
1329 }
1330
1331 {
1332 _unused_ _cleanup_(funlockfilep) FILE *flocked = f;
1333 EndOfLineMarker previous_eol = EOL_NONE;
1334 flockfile(f);
1335
1336 for (;;) {
1337 EndOfLineMarker eol;
1338 char c;
1339
1340 if (n >= limit)
1341 return -ENOBUFS;
1342
1343 if (count >= INT_MAX) /* We couldn't return the counter anymore as "int", hence refuse this */
1344 return -ENOBUFS;
1345
1346 r = safe_fgetc(f, &c);
1347 if (r < 0)
1348 return r;
1349 if (r == 0) /* EOF is definitely EOL */
1350 break;
1351
1352 eol = categorize_eol(c, flags);
1353
1354 if (FLAGS_SET(previous_eol, EOL_ZERO) ||
1355 (eol == EOL_NONE && previous_eol != EOL_NONE) ||
1356 (eol != EOL_NONE && (previous_eol & eol) != 0)) {
1357 /* Previous char was a NUL? This is not an EOL, but the previous char was? This type of
1358 * EOL marker has been seen right before? In either of these three cases we are
1359 * done. But first, let's put this character back in the queue. (Note that we have to
1360 * cast this to (unsigned char) here as ungetc() expects a positive 'int', and if we
1361 * are on an architecture where 'char' equals 'signed char' we need to ensure we don't
1362 * pass a negative value here. That said, to complicate things further ungetc() is
1363 * actually happy with most negative characters and implicitly casts them back to
1364 * positive ones as needed, except for \xff (aka -1, aka EOF), which it refuses. What a
1365 * godawful API!) */
1366 assert_se(ungetc((unsigned char) c, f) != EOF);
1367 break;
1368 }
1369
1370 count++;
1371
1372 if (eol != EOL_NONE) {
1373 /* If we are on a tty, we can't shouldn't wait for more input, because that
1374 * generally means waiting for the user, interactively. In the case of a TTY
1375 * we expect only \n as the single EOL marker, so we are in the lucky
1376 * position that there is no need to wait. We check this condition last, to
1377 * avoid isatty() check if not necessary. */
1378
1379 if ((flags & (READ_LINE_IS_A_TTY|READ_LINE_NOT_A_TTY)) == 0) {
1380 int fd;
1381
1382 fd = fileno(f);
1383 if (fd < 0) /* Maybe an fmemopen() stream? Handle this gracefully,
1384 * and don't call isatty() on an invalid fd */
1385 flags |= READ_LINE_NOT_A_TTY;
1386 else
1387 flags |= isatty(fd) ? READ_LINE_IS_A_TTY : READ_LINE_NOT_A_TTY;
1388 }
1389 if (FLAGS_SET(flags, READ_LINE_IS_A_TTY))
1390 break;
1391 }
1392
1393 if (eol != EOL_NONE) {
1394 previous_eol |= eol;
1395 continue;
1396 }
1397
1398 if (ret) {
1399 if (!GREEDY_REALLOC(buffer, n + 2))
1400 return -ENOMEM;
1401
1402 buffer[n] = c;
1403 }
1404
1405 n++;
1406 }
1407 }
1408
1409 if (ret) {
1410 buffer[n] = 0;
1411
1412 *ret = TAKE_PTR(buffer);
1413 }
1414
1415 return (int) count;
1416 }
1417
1418 int safe_fgetc(FILE *f, char *ret) {
1419 int k;
1420
1421 assert(f);
1422
1423 /* A safer version of plain fgetc(): let's propagate the error that happened while reading as such, and
1424 * separate the EOF condition from the byte read, to avoid those confusion signed/unsigned issues fgetc()
1425 * has. */
1426
1427 errno = 0;
1428 k = fgetc(f);
1429 if (k == EOF) {
1430 if (ferror(f))
1431 return errno_or_else(EIO);
1432
1433 if (ret)
1434 *ret = 0;
1435
1436 return 0;
1437 }
1438
1439 if (ret)
1440 *ret = k;
1441
1442 return 1;
1443 }
1444
1445 int warn_file_is_world_accessible(const char *filename, struct stat *st, const char *unit, unsigned line) {
1446 struct stat _st;
1447
1448 if (!filename)
1449 return 0;
1450
1451 if (!st) {
1452 if (stat(filename, &_st) < 0)
1453 return -errno;
1454 st = &_st;
1455 }
1456
1457 if ((st->st_mode & S_IRWXO) == 0)
1458 return 0;
1459
1460 if (unit)
1461 log_syntax(unit, LOG_WARNING, filename, line, 0,
1462 "%s has %04o mode that is too permissive, please adjust the ownership and access mode.",
1463 filename, st->st_mode & 07777);
1464 else
1465 log_warning("%s has %04o mode that is too permissive, please adjust the ownership and access mode.",
1466 filename, st->st_mode & 07777);
1467 return 0;
1468 }
Unnamed repository; edit this file 'description' to name the repository.