]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/basic/fs-util.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #9199 from poettering/copy-file-atomic
[thirdparty/systemd.git] / src / basic / fs-util.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 /***
3 This file is part of systemd.
4
5 Copyright 2010 Lennart Poettering
6 ***/
7
8 #include <errno.h>
9 #include <stddef.h>
10 #include <stdio.h>
11 #include <stdlib.h>
12 #include <string.h>
13 #include <sys/stat.h>
14 #include <linux/magic.h>
15 #include <time.h>
16 #include <unistd.h>
17
18 #include "alloc-util.h"
19 #include "dirent-util.h"
20 #include "fd-util.h"
21 #include "fileio.h"
22 #include "fs-util.h"
23 #include "log.h"
24 #include "macro.h"
25 #include "missing.h"
26 #include "mkdir.h"
27 #include "parse-util.h"
28 #include "path-util.h"
29 #include "process-util.h"
30 #include "stat-util.h"
31 #include "stdio-util.h"
32 #include "string-util.h"
33 #include "strv.h"
34 #include "time-util.h"
35 #include "user-util.h"
36 #include "util.h"
37
38 int unlink_noerrno(const char *path) {
39 PROTECT_ERRNO;
40 int r;
41
42 r = unlink(path);
43 if (r < 0)
44 return -errno;
45
46 return 0;
47 }
48
49 int rmdir_parents(const char *path, const char *stop) {
50 size_t l;
51 int r = 0;
52
53 assert(path);
54 assert(stop);
55
56 l = strlen(path);
57
58 /* Skip trailing slashes */
59 while (l > 0 && path[l-1] == '/')
60 l--;
61
62 while (l > 0) {
63 char *t;
64
65 /* Skip last component */
66 while (l > 0 && path[l-1] != '/')
67 l--;
68
69 /* Skip trailing slashes */
70 while (l > 0 && path[l-1] == '/')
71 l--;
72
73 if (l <= 0)
74 break;
75
76 t = strndup(path, l);
77 if (!t)
78 return -ENOMEM;
79
80 if (path_startswith(stop, t)) {
81 free(t);
82 return 0;
83 }
84
85 r = rmdir(t);
86 free(t);
87
88 if (r < 0)
89 if (errno != ENOENT)
90 return -errno;
91 }
92
93 return 0;
94 }
95
96 int rename_noreplace(int olddirfd, const char *oldpath, int newdirfd, const char *newpath) {
97 struct stat buf;
98 int ret;
99
100 ret = renameat2(olddirfd, oldpath, newdirfd, newpath, RENAME_NOREPLACE);
101 if (ret >= 0)
102 return 0;
103
104 /* renameat2() exists since Linux 3.15, btrfs added support for it later.
105 * If it is not implemented, fallback to another method. */
106 if (!IN_SET(errno, EINVAL, ENOSYS))
107 return -errno;
108
109 /* The link()/unlink() fallback does not work on directories. But
110 * renameat() without RENAME_NOREPLACE gives the same semantics on
111 * directories, except when newpath is an *empty* directory. This is
112 * good enough. */
113 ret = fstatat(olddirfd, oldpath, &buf, AT_SYMLINK_NOFOLLOW);
114 if (ret >= 0 && S_ISDIR(buf.st_mode)) {
115 ret = renameat(olddirfd, oldpath, newdirfd, newpath);
116 return ret >= 0 ? 0 : -errno;
117 }
118
119 /* If it is not a directory, use the link()/unlink() fallback. */
120 ret = linkat(olddirfd, oldpath, newdirfd, newpath, 0);
121 if (ret < 0)
122 return -errno;
123
124 ret = unlinkat(olddirfd, oldpath, 0);
125 if (ret < 0) {
126 /* backup errno before the following unlinkat() alters it */
127 ret = errno;
128 (void) unlinkat(newdirfd, newpath, 0);
129 errno = ret;
130 return -errno;
131 }
132
133 return 0;
134 }
135
136 int readlinkat_malloc(int fd, const char *p, char **ret) {
137 size_t l = 100;
138 int r;
139
140 assert(p);
141 assert(ret);
142
143 for (;;) {
144 char *c;
145 ssize_t n;
146
147 c = new(char, l);
148 if (!c)
149 return -ENOMEM;
150
151 n = readlinkat(fd, p, c, l-1);
152 if (n < 0) {
153 r = -errno;
154 free(c);
155 return r;
156 }
157
158 if ((size_t) n < l-1) {
159 c[n] = 0;
160 *ret = c;
161 return 0;
162 }
163
164 free(c);
165 l *= 2;
166 }
167 }
168
169 int readlink_malloc(const char *p, char **ret) {
170 return readlinkat_malloc(AT_FDCWD, p, ret);
171 }
172
173 int readlink_value(const char *p, char **ret) {
174 _cleanup_free_ char *link = NULL;
175 char *value;
176 int r;
177
178 r = readlink_malloc(p, &link);
179 if (r < 0)
180 return r;
181
182 value = basename(link);
183 if (!value)
184 return -ENOENT;
185
186 value = strdup(value);
187 if (!value)
188 return -ENOMEM;
189
190 *ret = value;
191
192 return 0;
193 }
194
195 int readlink_and_make_absolute(const char *p, char **r) {
196 _cleanup_free_ char *target = NULL;
197 char *k;
198 int j;
199
200 assert(p);
201 assert(r);
202
203 j = readlink_malloc(p, &target);
204 if (j < 0)
205 return j;
206
207 k = file_in_same_dir(p, target);
208 if (!k)
209 return -ENOMEM;
210
211 *r = k;
212 return 0;
213 }
214
215 int chmod_and_chown(const char *path, mode_t mode, uid_t uid, gid_t gid) {
216 assert(path);
217
218 /* Under the assumption that we are running privileged we
219 * first change the access mode and only then hand out
220 * ownership to avoid a window where access is too open. */
221
222 if (mode != MODE_INVALID)
223 if (chmod(path, mode) < 0)
224 return -errno;
225
226 if (uid != UID_INVALID || gid != GID_INVALID)
227 if (chown(path, uid, gid) < 0)
228 return -errno;
229
230 return 0;
231 }
232
233 int fchmod_and_chown(int fd, mode_t mode, uid_t uid, gid_t gid) {
234 /* Under the assumption that we are running privileged we
235 * first change the access mode and only then hand out
236 * ownership to avoid a window where access is too open. */
237
238 if (mode != MODE_INVALID)
239 if (fchmod(fd, mode) < 0)
240 return -errno;
241
242 if (uid != UID_INVALID || gid != GID_INVALID)
243 if (fchown(fd, uid, gid) < 0)
244 return -errno;
245
246 return 0;
247 }
248
249 int fchmod_umask(int fd, mode_t m) {
250 mode_t u;
251 int r;
252
253 u = umask(0777);
254 r = fchmod(fd, m & (~u)) < 0 ? -errno : 0;
255 umask(u);
256
257 return r;
258 }
259
260 int fchmod_opath(int fd, mode_t m) {
261 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
262
263 /* This function operates also on fd that might have been opened with
264 * O_PATH. Indeed fchmodat() doesn't have the AT_EMPTY_PATH flag like
265 * fchownat() does. */
266
267 xsprintf(procfs_path, "/proc/self/fd/%i", fd);
268
269 if (chmod(procfs_path, m) < 0)
270 return -errno;
271
272 return 0;
273 }
274
275 int fd_warn_permissions(const char *path, int fd) {
276 struct stat st;
277
278 if (fstat(fd, &st) < 0)
279 return -errno;
280
281 if (st.st_mode & 0111)
282 log_warning("Configuration file %s is marked executable. Please remove executable permission bits. Proceeding anyway.", path);
283
284 if (st.st_mode & 0002)
285 log_warning("Configuration file %s is marked world-writable. Please remove world writability permission bits. Proceeding anyway.", path);
286
287 if (getpid_cached() == 1 && (st.st_mode & 0044) != 0044)
288 log_warning("Configuration file %s is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.", path);
289
290 return 0;
291 }
292
293 int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode) {
294 char fdpath[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
295 _cleanup_close_ int fd = -1;
296 int r, ret = 0;
297
298 assert(path);
299
300 /* Note that touch_file() does not follow symlinks: if invoked on an existing symlink, then it is the symlink
301 * itself which is updated, not its target
302 *
303 * Returns the first error we encounter, but tries to apply as much as possible. */
304
305 if (parents)
306 (void) mkdir_parents(path, 0755);
307
308 /* Initially, we try to open the node with O_PATH, so that we get a reference to the node. This is useful in
309 * case the path refers to an existing device or socket node, as we can open it successfully in all cases, and
310 * won't trigger any driver magic or so. */
311 fd = open(path, O_PATH|O_CLOEXEC|O_NOFOLLOW);
312 if (fd < 0) {
313 if (errno != ENOENT)
314 return -errno;
315
316 /* if the node doesn't exist yet, we create it, but with O_EXCL, so that we only create a regular file
317 * here, and nothing else */
318 fd = open(path, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, IN_SET(mode, 0, MODE_INVALID) ? 0644 : mode);
319 if (fd < 0)
320 return -errno;
321 }
322
323 /* Let's make a path from the fd, and operate on that. With this logic, we can adjust the access mode,
324 * ownership and time of the file node in all cases, even if the fd refers to an O_PATH object — which is
325 * something fchown(), fchmod(), futimensat() don't allow. */
326 xsprintf(fdpath, "/proc/self/fd/%i", fd);
327
328 if (mode != MODE_INVALID)
329 if (chmod(fdpath, mode) < 0)
330 ret = -errno;
331
332 if (uid_is_valid(uid) || gid_is_valid(gid))
333 if (chown(fdpath, uid, gid) < 0 && ret >= 0)
334 ret = -errno;
335
336 if (stamp != USEC_INFINITY) {
337 struct timespec ts[2];
338
339 timespec_store(&ts[0], stamp);
340 ts[1] = ts[0];
341 r = utimensat(AT_FDCWD, fdpath, ts, 0);
342 } else
343 r = utimensat(AT_FDCWD, fdpath, NULL, 0);
344 if (r < 0 && ret >= 0)
345 return -errno;
346
347 return ret;
348 }
349
350 int touch(const char *path) {
351 return touch_file(path, false, USEC_INFINITY, UID_INVALID, GID_INVALID, MODE_INVALID);
352 }
353
354 int symlink_idempotent(const char *from, const char *to) {
355 int r;
356
357 assert(from);
358 assert(to);
359
360 if (symlink(from, to) < 0) {
361 _cleanup_free_ char *p = NULL;
362
363 if (errno != EEXIST)
364 return -errno;
365
366 r = readlink_malloc(to, &p);
367 if (r == -EINVAL) /* Not a symlink? In that case return the original error we encountered: -EEXIST */
368 return -EEXIST;
369 if (r < 0) /* Any other error? In that case propagate it as is */
370 return r;
371
372 if (!streq(p, from)) /* Not the symlink we want it to be? In that case, propagate the original -EEXIST */
373 return -EEXIST;
374 }
375
376 return 0;
377 }
378
379 int symlink_atomic(const char *from, const char *to) {
380 _cleanup_free_ char *t = NULL;
381 int r;
382
383 assert(from);
384 assert(to);
385
386 r = tempfn_random(to, NULL, &t);
387 if (r < 0)
388 return r;
389
390 if (symlink(from, t) < 0)
391 return -errno;
392
393 if (rename(t, to) < 0) {
394 unlink_noerrno(t);
395 return -errno;
396 }
397
398 return 0;
399 }
400
401 int mknod_atomic(const char *path, mode_t mode, dev_t dev) {
402 _cleanup_free_ char *t = NULL;
403 int r;
404
405 assert(path);
406
407 r = tempfn_random(path, NULL, &t);
408 if (r < 0)
409 return r;
410
411 if (mknod(t, mode, dev) < 0)
412 return -errno;
413
414 if (rename(t, path) < 0) {
415 unlink_noerrno(t);
416 return -errno;
417 }
418
419 return 0;
420 }
421
422 int mkfifo_atomic(const char *path, mode_t mode) {
423 _cleanup_free_ char *t = NULL;
424 int r;
425
426 assert(path);
427
428 r = tempfn_random(path, NULL, &t);
429 if (r < 0)
430 return r;
431
432 if (mkfifo(t, mode) < 0)
433 return -errno;
434
435 if (rename(t, path) < 0) {
436 unlink_noerrno(t);
437 return -errno;
438 }
439
440 return 0;
441 }
442
443 int get_files_in_directory(const char *path, char ***list) {
444 _cleanup_closedir_ DIR *d = NULL;
445 struct dirent *de;
446 size_t bufsize = 0, n = 0;
447 _cleanup_strv_free_ char **l = NULL;
448
449 assert(path);
450
451 /* Returns all files in a directory in *list, and the number
452 * of files as return value. If list is NULL returns only the
453 * number. */
454
455 d = opendir(path);
456 if (!d)
457 return -errno;
458
459 FOREACH_DIRENT_ALL(de, d, return -errno) {
460 dirent_ensure_type(d, de);
461
462 if (!dirent_is_file(de))
463 continue;
464
465 if (list) {
466 /* one extra slot is needed for the terminating NULL */
467 if (!GREEDY_REALLOC(l, bufsize, n + 2))
468 return -ENOMEM;
469
470 l[n] = strdup(de->d_name);
471 if (!l[n])
472 return -ENOMEM;
473
474 l[++n] = NULL;
475 } else
476 n++;
477 }
478
479 if (list)
480 *list = TAKE_PTR(l);
481
482 return n;
483 }
484
485 static int getenv_tmp_dir(const char **ret_path) {
486 const char *n;
487 int r, ret = 0;
488
489 assert(ret_path);
490
491 /* We use the same order of environment variables python uses in tempfile.gettempdir():
492 * https://docs.python.org/3/library/tempfile.html#tempfile.gettempdir */
493 FOREACH_STRING(n, "TMPDIR", "TEMP", "TMP") {
494 const char *e;
495
496 e = secure_getenv(n);
497 if (!e)
498 continue;
499 if (!path_is_absolute(e)) {
500 r = -ENOTDIR;
501 goto next;
502 }
503 if (!path_is_normalized(e)) {
504 r = -EPERM;
505 goto next;
506 }
507
508 r = is_dir(e, true);
509 if (r < 0)
510 goto next;
511 if (r == 0) {
512 r = -ENOTDIR;
513 goto next;
514 }
515
516 *ret_path = e;
517 return 1;
518
519 next:
520 /* Remember first error, to make this more debuggable */
521 if (ret >= 0)
522 ret = r;
523 }
524
525 if (ret < 0)
526 return ret;
527
528 *ret_path = NULL;
529 return ret;
530 }
531
532 static int tmp_dir_internal(const char *def, const char **ret) {
533 const char *e;
534 int r, k;
535
536 assert(def);
537 assert(ret);
538
539 r = getenv_tmp_dir(&e);
540 if (r > 0) {
541 *ret = e;
542 return 0;
543 }
544
545 k = is_dir(def, true);
546 if (k == 0)
547 k = -ENOTDIR;
548 if (k < 0)
549 return r < 0 ? r : k;
550
551 *ret = def;
552 return 0;
553 }
554
555 int var_tmp_dir(const char **ret) {
556
557 /* Returns the location for "larger" temporary files, that is backed by physical storage if available, and thus
558 * even might survive a boot: /var/tmp. If $TMPDIR (or related environment variables) are set, its value is
559 * returned preferably however. Note that both this function and tmp_dir() below are affected by $TMPDIR,
560 * making it a variable that overrides all temporary file storage locations. */
561
562 return tmp_dir_internal("/var/tmp", ret);
563 }
564
565 int tmp_dir(const char **ret) {
566
567 /* Similar to var_tmp_dir() above, but returns the location for "smaller" temporary files, which is usually
568 * backed by an in-memory file system: /tmp. */
569
570 return tmp_dir_internal("/tmp", ret);
571 }
572
573 int unlink_or_warn(const char *filename) {
574 if (unlink(filename) < 0 && errno != ENOENT)
575 /* If the file doesn't exist and the fs simply was read-only (in which
576 * case unlink() returns EROFS even if the file doesn't exist), don't
577 * complain */
578 if (errno != EROFS || access(filename, F_OK) >= 0)
579 return log_error_errno(errno, "Failed to remove \"%s\": %m", filename);
580
581 return 0;
582 }
583
584 int inotify_add_watch_fd(int fd, int what, uint32_t mask) {
585 char path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
586 int r;
587
588 /* This is like inotify_add_watch(), except that the file to watch is not referenced by a path, but by an fd */
589 xsprintf(path, "/proc/self/fd/%i", what);
590
591 r = inotify_add_watch(fd, path, mask);
592 if (r < 0)
593 return -errno;
594
595 return r;
596 }
597
598 static bool safe_transition(const struct stat *a, const struct stat *b) {
599 /* Returns true if the transition from a to b is safe, i.e. that we never transition from unprivileged to
600 * privileged files or directories. Why bother? So that unprivileged code can't symlink to privileged files
601 * making us believe we read something safe even though it isn't safe in the specific context we open it in. */
602
603 if (a->st_uid == 0) /* Transitioning from privileged to unprivileged is always fine */
604 return true;
605
606 return a->st_uid == b->st_uid; /* Otherwise we need to stay within the same UID */
607 }
608
609 int chase_symlinks(const char *path, const char *original_root, unsigned flags, char **ret) {
610 _cleanup_free_ char *buffer = NULL, *done = NULL, *root = NULL;
611 _cleanup_close_ int fd = -1;
612 unsigned max_follow = CHASE_SYMLINKS_MAX; /* how many symlinks to follow before giving up and returning ELOOP */
613 struct stat previous_stat;
614 bool exists = true;
615 char *todo;
616 int r;
617
618 assert(path);
619
620 /* Either the file may be missing, or we return an fd to the final object, but both make no sense */
621 if (FLAGS_SET(flags, CHASE_NONEXISTENT | CHASE_OPEN))
622 return -EINVAL;
623
624 if (FLAGS_SET(flags, CHASE_STEP | CHASE_OPEN))
625 return -EINVAL;
626
627 if (isempty(path))
628 return -EINVAL;
629
630 /* This is a lot like canonicalize_file_name(), but takes an additional "root" parameter, that allows following
631 * symlinks relative to a root directory, instead of the root of the host.
632 *
633 * Note that "root" primarily matters if we encounter an absolute symlink. It is also used when following
634 * relative symlinks to ensure they cannot be used to "escape" the root directory. The path parameter passed is
635 * assumed to be already prefixed by it, except if the CHASE_PREFIX_ROOT flag is set, in which case it is first
636 * prefixed accordingly.
637 *
638 * Algorithmically this operates on two path buffers: "done" are the components of the path we already
639 * processed and resolved symlinks, "." and ".." of. "todo" are the components of the path we still need to
640 * process. On each iteration, we move one component from "todo" to "done", processing it's special meaning
641 * each time. The "todo" path always starts with at least one slash, the "done" path always ends in no
642 * slash. We always keep an O_PATH fd to the component we are currently processing, thus keeping lookup races
643 * at a minimum.
644 *
645 * Suggested usage: whenever you want to canonicalize a path, use this function. Pass the absolute path you got
646 * as-is: fully qualified and relative to your host's root. Optionally, specify the root parameter to tell this
647 * function what to do when encountering a symlink with an absolute path as directory: prefix it by the
648 * specified path.
649 *
650 * There are three ways to invoke this function:
651 *
652 * 1. Without CHASE_STEP or CHASE_OPEN: in this case the path is resolved and the normalized path is returned
653 * in `ret`. The return value is < 0 on error. If CHASE_NONEXISTENT is also set 0 is returned if the file
654 * doesn't exist, > 0 otherwise. If CHASE_NONEXISTENT is not set >= 0 is returned if the destination was
655 * found, -ENOENT if it doesn't.
656 *
657 * 2. With CHASE_OPEN: in this case the destination is opened after chasing it as O_PATH and this file
658 * descriptor is returned as return value. This is useful to open files relative to some root
659 * directory. Note that the returned O_PATH file descriptors must be converted into a regular one (using
660 * fd_reopen() or such) before it can be used for reading/writing. CHASE_OPEN may not be combined with
661 * CHASE_NONEXISTENT.
662 *
663 * 3. With CHASE_STEP: in this case only a single step of the normalization is executed, i.e. only the first
664 * symlink or ".." component of the path is resolved, and the resulting path is returned. This is useful if
665 * a caller wants to trace the a path through the file system verbosely. Returns < 0 on error, > 0 if the
666 * path is fully normalized, and == 0 for each normalization step. This may be combined with
667 * CHASE_NONEXISTENT, in which case 1 is returned when a component is not found.
668 *
669 * */
670
671 /* A root directory of "/" or "" is identical to none */
672 if (empty_or_root(original_root))
673 original_root = NULL;
674
675 if (!original_root && !ret && (flags & (CHASE_NONEXISTENT|CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_OPEN|CHASE_STEP)) == CHASE_OPEN) {
676 /* Shortcut the CHASE_OPEN case if the caller isn't interested in the actual path and has no root set
677 * and doesn't care about any of the other special features we provide either. */
678 r = open(path, O_PATH|O_CLOEXEC);
679 if (r < 0)
680 return -errno;
681
682 return r;
683 }
684
685 if (original_root) {
686 r = path_make_absolute_cwd(original_root, &root);
687 if (r < 0)
688 return r;
689
690 if (flags & CHASE_PREFIX_ROOT) {
691
692 /* We don't support relative paths in combination with a root directory */
693 if (!path_is_absolute(path))
694 return -EINVAL;
695
696 path = prefix_roota(root, path);
697 }
698 }
699
700 r = path_make_absolute_cwd(path, &buffer);
701 if (r < 0)
702 return r;
703
704 fd = open("/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
705 if (fd < 0)
706 return -errno;
707
708 if (flags & CHASE_SAFE) {
709 if (fstat(fd, &previous_stat) < 0)
710 return -errno;
711 }
712
713 todo = buffer;
714 for (;;) {
715 _cleanup_free_ char *first = NULL;
716 _cleanup_close_ int child = -1;
717 struct stat st;
718 size_t n, m;
719
720 /* Determine length of first component in the path */
721 n = strspn(todo, "/"); /* The slashes */
722 m = n + strcspn(todo + n, "/"); /* The entire length of the component */
723
724 /* Extract the first component. */
725 first = strndup(todo, m);
726 if (!first)
727 return -ENOMEM;
728
729 todo += m;
730
731 /* Empty? Then we reached the end. */
732 if (isempty(first))
733 break;
734
735 /* Just a single slash? Then we reached the end. */
736 if (path_equal(first, "/")) {
737 /* Preserve the trailing slash */
738
739 if (flags & CHASE_TRAIL_SLASH)
740 if (!strextend(&done, "/", NULL))
741 return -ENOMEM;
742
743 break;
744 }
745
746 /* Just a dot? Then let's eat this up. */
747 if (path_equal(first, "/."))
748 continue;
749
750 /* Two dots? Then chop off the last bit of what we already found out. */
751 if (path_equal(first, "/..")) {
752 _cleanup_free_ char *parent = NULL;
753 _cleanup_close_ int fd_parent = -1;
754
755 /* If we already are at the top, then going up will not change anything. This is in-line with
756 * how the kernel handles this. */
757 if (empty_or_root(done))
758 continue;
759
760 parent = dirname_malloc(done);
761 if (!parent)
762 return -ENOMEM;
763
764 /* Don't allow this to leave the root dir. */
765 if (root &&
766 path_startswith(done, root) &&
767 !path_startswith(parent, root))
768 continue;
769
770 free_and_replace(done, parent);
771
772 if (flags & CHASE_STEP)
773 goto chased_one;
774
775 fd_parent = openat(fd, "..", O_CLOEXEC|O_NOFOLLOW|O_PATH);
776 if (fd_parent < 0)
777 return -errno;
778
779 if (flags & CHASE_SAFE) {
780 if (fstat(fd_parent, &st) < 0)
781 return -errno;
782
783 if (!safe_transition(&previous_stat, &st))
784 return -EPERM;
785
786 previous_stat = st;
787 }
788
789 safe_close(fd);
790 fd = TAKE_FD(fd_parent);
791
792 continue;
793 }
794
795 /* Otherwise let's see what this is. */
796 child = openat(fd, first + n, O_CLOEXEC|O_NOFOLLOW|O_PATH);
797 if (child < 0) {
798
799 if (errno == ENOENT &&
800 (flags & CHASE_NONEXISTENT) &&
801 (isempty(todo) || path_is_normalized(todo))) {
802
803 /* If CHASE_NONEXISTENT is set, and the path does not exist, then that's OK, return
804 * what we got so far. But don't allow this if the remaining path contains "../ or "./"
805 * or something else weird. */
806
807 /* If done is "/", as first also contains slash at the head, then remove this redundant slash. */
808 if (streq_ptr(done, "/"))
809 *done = '\0';
810
811 if (!strextend(&done, first, todo, NULL))
812 return -ENOMEM;
813
814 exists = false;
815 break;
816 }
817
818 return -errno;
819 }
820
821 if (fstat(child, &st) < 0)
822 return -errno;
823 if ((flags & CHASE_SAFE) &&
824 !safe_transition(&previous_stat, &st))
825 return -EPERM;
826
827 previous_stat = st;
828
829 if ((flags & CHASE_NO_AUTOFS) &&
830 fd_is_fs_type(child, AUTOFS_SUPER_MAGIC) > 0)
831 return -EREMOTE;
832
833 if (S_ISLNK(st.st_mode)) {
834 char *joined;
835
836 _cleanup_free_ char *destination = NULL;
837
838 /* This is a symlink, in this case read the destination. But let's make sure we don't follow
839 * symlinks without bounds. */
840 if (--max_follow <= 0)
841 return -ELOOP;
842
843 r = readlinkat_malloc(fd, first + n, &destination);
844 if (r < 0)
845 return r;
846 if (isempty(destination))
847 return -EINVAL;
848
849 if (path_is_absolute(destination)) {
850
851 /* An absolute destination. Start the loop from the beginning, but use the root
852 * directory as base. */
853
854 safe_close(fd);
855 fd = open(root ?: "/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
856 if (fd < 0)
857 return -errno;
858
859 if (flags & CHASE_SAFE) {
860 if (fstat(fd, &st) < 0)
861 return -errno;
862
863 if (!safe_transition(&previous_stat, &st))
864 return -EPERM;
865
866 previous_stat = st;
867 }
868
869 free(done);
870
871 /* Note that we do not revalidate the root, we take it as is. */
872 if (isempty(root))
873 done = NULL;
874 else {
875 done = strdup(root);
876 if (!done)
877 return -ENOMEM;
878 }
879
880 /* Prefix what's left to do with what we just read, and start the loop again, but
881 * remain in the current directory. */
882 joined = strjoin(destination, todo);
883 } else
884 joined = strjoin("/", destination, todo);
885 if (!joined)
886 return -ENOMEM;
887
888 free(buffer);
889 todo = buffer = joined;
890
891 if (flags & CHASE_STEP)
892 goto chased_one;
893
894 continue;
895 }
896
897 /* If this is not a symlink, then let's just add the name we read to what we already verified. */
898 if (!done)
899 done = TAKE_PTR(first);
900 else {
901 /* If done is "/", as first also contains slash at the head, then remove this redundant slash. */
902 if (streq(done, "/"))
903 *done = '\0';
904
905 if (!strextend(&done, first, NULL))
906 return -ENOMEM;
907 }
908
909 /* And iterate again, but go one directory further down. */
910 safe_close(fd);
911 fd = TAKE_FD(child);
912 }
913
914 if (!done) {
915 /* Special case, turn the empty string into "/", to indicate the root directory. */
916 done = strdup("/");
917 if (!done)
918 return -ENOMEM;
919 }
920
921 if (ret)
922 *ret = TAKE_PTR(done);
923
924 if (flags & CHASE_OPEN) {
925 /* Return the O_PATH fd we currently are looking to the caller. It can translate it to a proper fd by
926 * opening /proc/self/fd/xyz. */
927
928 assert(fd >= 0);
929 return TAKE_FD(fd);
930 }
931
932 if (flags & CHASE_STEP)
933 return 1;
934
935 return exists;
936
937 chased_one:
938 if (ret) {
939 char *c;
940
941 c = strjoin(strempty(done), todo);
942 if (!c)
943 return -ENOMEM;
944
945 *ret = c;
946 }
947
948 return 0;
949 }
950
951 int chase_symlinks_and_open(
952 const char *path,
953 const char *root,
954 unsigned chase_flags,
955 int open_flags,
956 char **ret_path) {
957
958 _cleanup_close_ int path_fd = -1;
959 _cleanup_free_ char *p = NULL;
960 int r;
961
962 if (chase_flags & CHASE_NONEXISTENT)
963 return -EINVAL;
964
965 if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
966 /* Shortcut this call if none of the special features of this call are requested */
967 r = open(path, open_flags);
968 if (r < 0)
969 return -errno;
970
971 return r;
972 }
973
974 path_fd = chase_symlinks(path, root, chase_flags|CHASE_OPEN, ret_path ? &p : NULL);
975 if (path_fd < 0)
976 return path_fd;
977
978 r = fd_reopen(path_fd, open_flags);
979 if (r < 0)
980 return r;
981
982 if (ret_path)
983 *ret_path = TAKE_PTR(p);
984
985 return r;
986 }
987
988 int chase_symlinks_and_opendir(
989 const char *path,
990 const char *root,
991 unsigned chase_flags,
992 char **ret_path,
993 DIR **ret_dir) {
994
995 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
996 _cleanup_close_ int path_fd = -1;
997 _cleanup_free_ char *p = NULL;
998 DIR *d;
999
1000 if (!ret_dir)
1001 return -EINVAL;
1002 if (chase_flags & CHASE_NONEXISTENT)
1003 return -EINVAL;
1004
1005 if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
1006 /* Shortcut this call if none of the special features of this call are requested */
1007 d = opendir(path);
1008 if (!d)
1009 return -errno;
1010
1011 *ret_dir = d;
1012 return 0;
1013 }
1014
1015 path_fd = chase_symlinks(path, root, chase_flags|CHASE_OPEN, ret_path ? &p : NULL);
1016 if (path_fd < 0)
1017 return path_fd;
1018
1019 xsprintf(procfs_path, "/proc/self/fd/%i", path_fd);
1020 d = opendir(procfs_path);
1021 if (!d)
1022 return -errno;
1023
1024 if (ret_path)
1025 *ret_path = TAKE_PTR(p);
1026
1027 *ret_dir = d;
1028 return 0;
1029 }
1030
1031 int chase_symlinks_and_stat(
1032 const char *path,
1033 const char *root,
1034 unsigned chase_flags,
1035 char **ret_path,
1036 struct stat *ret_stat) {
1037
1038 _cleanup_close_ int path_fd = -1;
1039 _cleanup_free_ char *p = NULL;
1040
1041 assert(path);
1042 assert(ret_stat);
1043
1044 if (chase_flags & CHASE_NONEXISTENT)
1045 return -EINVAL;
1046
1047 if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
1048 /* Shortcut this call if none of the special features of this call are requested */
1049 if (stat(path, ret_stat) < 0)
1050 return -errno;
1051
1052 return 1;
1053 }
1054
1055 path_fd = chase_symlinks(path, root, chase_flags|CHASE_OPEN, ret_path ? &p : NULL);
1056 if (path_fd < 0)
1057 return path_fd;
1058
1059 if (fstat(path_fd, ret_stat) < 0)
1060 return -errno;
1061
1062 if (ret_path)
1063 *ret_path = TAKE_PTR(p);
1064
1065 if (chase_flags & CHASE_OPEN)
1066 return TAKE_FD(path_fd);
1067
1068 return 1;
1069 }
1070
1071 int access_fd(int fd, int mode) {
1072 char p[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(fd) + 1];
1073 int r;
1074
1075 /* Like access() but operates on an already open fd */
1076
1077 xsprintf(p, "/proc/self/fd/%i", fd);
1078 r = access(p, mode);
1079 if (r < 0)
1080 return -errno;
1081
1082 return r;
1083 }
1084
1085 void unlink_tempfilep(char (*p)[]) {
1086 /* If the file is created with mkstemp(), it will (almost always)
1087 * change the suffix. Treat this as a sign that the file was
1088 * successfully created. We ignore both the rare case where the
1089 * original suffix is used and unlink failures. */
1090 if (!endswith(*p, ".XXXXXX"))
1091 (void) unlink_noerrno(*p);
1092 }
1093
1094 int unlinkat_deallocate(int fd, const char *name, int flags) {
1095 _cleanup_close_ int truncate_fd = -1;
1096 struct stat st;
1097 off_t l, bs;
1098
1099 /* Operates like unlinkat() but also deallocates the file contents if it is a regular file and there's no other
1100 * link to it. This is useful to ensure that other processes that might have the file open for reading won't be
1101 * able to keep the data pinned on disk forever. This call is particular useful whenever we execute clean-up
1102 * jobs ("vacuuming"), where we want to make sure the data is really gone and the disk space released and
1103 * returned to the free pool.
1104 *
1105 * Deallocation is preferably done by FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE (👊) if supported, which means
1106 * the file won't change size. That's a good thing since we shouldn't needlessly trigger SIGBUS in other
1107 * programs that have mmap()ed the file. (The assumption here is that changing file contents to all zeroes
1108 * underneath those programs is the better choice than simply triggering SIGBUS in them which truncation does.)
1109 * However if hole punching is not implemented in the kernel or file system we'll fall back to normal file
1110 * truncation (đŸ”Ē), as our goal of deallocating the data space trumps our goal of being nice to readers (💐).
1111 *
1112 * Note that we attempt deallocation, but failure to succeed with that is not considered fatal, as long as the
1113 * primary job – to delete the file – is accomplished. */
1114
1115 if ((flags & AT_REMOVEDIR) == 0) {
1116 truncate_fd = openat(fd, name, O_WRONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|O_NONBLOCK);
1117 if (truncate_fd < 0) {
1118
1119 /* If this failed because the file doesn't exist propagate the error right-away. Also,
1120 * AT_REMOVEDIR wasn't set, and we tried to open the file for writing, which means EISDIR is
1121 * returned when this is a directory but we are not supposed to delete those, hence propagate
1122 * the error right-away too. */
1123 if (IN_SET(errno, ENOENT, EISDIR))
1124 return -errno;
1125
1126 if (errno != ELOOP) /* don't complain if this is a symlink */
1127 log_debug_errno(errno, "Failed to open file '%s' for deallocation, ignoring: %m", name);
1128 }
1129 }
1130
1131 if (unlinkat(fd, name, flags) < 0)
1132 return -errno;
1133
1134 if (truncate_fd < 0) /* Don't have a file handle, can't do more ☚ī¸ */
1135 return 0;
1136
1137 if (fstat(truncate_fd, &st) < 0) {
1138 log_debug_errno(errno, "Failed to stat file '%s' for deallocation, ignoring.", name);
1139 return 0;
1140 }
1141
1142 if (!S_ISREG(st.st_mode) || st.st_blocks == 0 || st.st_nlink > 0)
1143 return 0;
1144
1145 /* If this is a regular file, it actually took up space on disk and there are no other links it's time to
1146 * punch-hole/truncate this to release the disk space. */
1147
1148 bs = MAX(st.st_blksize, 512);
1149 l = DIV_ROUND_UP(st.st_size, bs) * bs; /* Round up to next block size */
1150
1151 if (fallocate(truncate_fd, FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE, 0, l) >= 0)
1152 return 0; /* Successfully punched a hole! 😊 */
1153
1154 /* Fall back to truncation */
1155 if (ftruncate(truncate_fd, 0) < 0) {
1156 log_debug_errno(errno, "Failed to truncate file to 0, ignoring: %m");
1157 return 0;
1158 }
1159
1160 return 0;
1161 }
1162
1163 int fsync_directory_of_file(int fd) {
1164 _cleanup_free_ char *path = NULL, *dn = NULL;
1165 _cleanup_close_ int dfd = -1;
1166 int r;
1167
1168 r = fd_verify_regular(fd);
1169 if (r < 0)
1170 return r;
1171
1172 r = fd_get_path(fd, &path);
1173 if (r < 0) {
1174 log_debug_errno(r, "Failed to query /proc/self/fd/%d%s: %m",
1175 fd,
1176 r == -EOPNOTSUPP ? ", ignoring" : "");
1177
1178 if (r == -EOPNOTSUPP)
1179 /* If /proc is not available, we're most likely running in some
1180 * chroot environment, and syncing the directory is not very
1181 * important in that case. Let's just silently do nothing. */
1182 return 0;
1183
1184 return r;
1185 }
1186
1187 if (!path_is_absolute(path))
1188 return -EINVAL;
1189
1190 dn = dirname_malloc(path);
1191 if (!dn)
1192 return -ENOMEM;
1193
1194 dfd = open(dn, O_RDONLY|O_CLOEXEC|O_DIRECTORY);
1195 if (dfd < 0)
1196 return -errno;
1197
1198 if (fsync(dfd) < 0)
1199 return -errno;
1200
1201 return 0;
1202 }
Unnamed repository; edit this file 'description' to name the repository.