]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/basic/fd-util.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
tree-wide: drop socket.h when socket-util.h is included
[thirdparty/systemd.git] / src / basic / fd-util.c
CommitLineData
53e1b683 1/* SPDX-License-Identifier: LGPL-2.1+ */
3ffd4af2 2
11c3a366
TA		 3#include <errno.h>
4#include <fcntl.h>
5#include <sys/resource.h>
11c3a366
TA		 6#include <sys/stat.h>
7#include <unistd.h>
8
4960ce43
LP		 9#include "alloc-util.h"
10#include "copy.h"
8fb3f009 11#include "dirent-util.h"
3ffd4af2 12#include "fd-util.h"
a548e14d 13#include "fileio.h"
4aeb20f5 14#include "fs-util.h"
4960ce43 15#include "io-util.h"
11c3a366 16#include "macro.h"
a548e14d 17#include "memfd-util.h"
f5947a5e 18#include "missing_syscall.h"
93cc7779 19#include "parse-util.h"
11c3a366 20#include "path-util.h"
df0ff127 21#include "process-util.h"
93cc7779 22#include "socket-util.h"
4aeb20f5 23#include "stdio-util.h"
3ffd4af2 24#include "util.h"
e4de7287 25#include "tmpfile-util.h"
3ffd4af2 26
6a461d1f
ZJS		 27/* The maximum number of iterations in the loop to close descriptors in the fallback case
28 * when /proc/self/fd/ is inaccessible. */
29#define MAX_FD_LOOP_LIMIT (1024*1024)
30
3ffd4af2
LP		 31int close_nointr(int fd) {
32 assert(fd >= 0);
33
34 if (close(fd) >= 0)
35 return 0;
36
37 /*
38 * Just ignore EINTR; a retry loop is the wrong thing to do on
39 * Linux.
40 *
41 * http://lkml.indiana.edu/hypermail/linux/kernel/0509.1/0877.html
42 * https://bugzilla.gnome.org/show_bug.cgi?id=682819
43 * http://utcc.utoronto.ca/~cks/space/blog/unix/CloseEINTR
44 * https://sites.google.com/site/michaelsafyan/software-engineering/checkforeintrwheninvokingclosethinkagain
45 */
46 if (errno == EINTR)
47 return 0;
48
49 return -errno;
50}
51
52int safe_close(int fd) {
53
54 /*
55 * Like close_nointr() but cannot fail. Guarantees errno is
56 * unchanged. Is a NOP with negative fds passed, and returns
57 * -1, so that it can be used in this syntax:
58 *
59 * fd = safe_close(fd);
60 */
61
62 if (fd >= 0) {
63 PROTECT_ERRNO;
64
65 /* The kernel might return pretty much any error code
66 * via close(), but the fd will be closed anyway. The
67 * only condition we want to check for here is whether
68 * the fd was invalid at all... */
69
70 assert_se(close_nointr(fd) != -EBADF);
71 }
72
73 return -1;
74}
75
3042bbeb 76void safe_close_pair(int p[static 2]) {
3ffd4af2
LP		 77 assert(p);
78
79 if (p[0] == p[1]) {
80 /* Special case pairs which use the same fd in both
81 * directions... */
82 p[0] = p[1] = safe_close(p[0]);
83 return;
84 }
85
86 p[0] = safe_close(p[0]);
87 p[1] = safe_close(p[1]);
88}
89
da6053d0
LP		 90void close_many(const int fds[], size_t n_fd) {
91 size_t i;
3ffd4af2
LP		 92
93 assert(fds || n_fd <= 0);
94
95 for (i = 0; i < n_fd; i++)
96 safe_close(fds[i]);
97}
98
99int fclose_nointr(FILE *f) {
100 assert(f);
101
102 /* Same as close_nointr(), but for fclose() */
103
104 if (fclose(f) == 0)
105 return 0;
106
107 if (errno == EINTR)
108 return 0;
109
110 return -errno;
111}
112
113FILE* safe_fclose(FILE *f) {
114
115 /* Same as safe_close(), but for fclose() */
116
117 if (f) {
118 PROTECT_ERRNO;
119
6dce3bb4 120 assert_se(fclose_nointr(f) != -EBADF);
3ffd4af2
LP		 121 }
122
123 return NULL;
124}
125
126DIR* safe_closedir(DIR *d) {
127
128 if (d) {
129 PROTECT_ERRNO;
130
131 assert_se(closedir(d) >= 0 || errno != EBADF);
132 }
133
134 return NULL;
135}
136
137int fd_nonblock(int fd, bool nonblock) {
138 int flags, nflags;
139
140 assert(fd >= 0);
141
142 flags = fcntl(fd, F_GETFL, 0);
143 if (flags < 0)
144 return -errno;
145
146 if (nonblock)
147 nflags = flags | O_NONBLOCK;
148 else
149 nflags = flags & ~O_NONBLOCK;
150
151 if (nflags == flags)
152 return 0;
153
154 if (fcntl(fd, F_SETFL, nflags) < 0)
155 return -errno;
156
157 return 0;
158}
159
160int fd_cloexec(int fd, bool cloexec) {
161 int flags, nflags;
162
163 assert(fd >= 0);
164
165 flags = fcntl(fd, F_GETFD, 0);
166 if (flags < 0)
167 return -errno;
168
169 if (cloexec)
170 nflags = flags | FD_CLOEXEC;
171 else
172 nflags = flags & ~FD_CLOEXEC;
173
174 if (nflags == flags)
175 return 0;
176
177 if (fcntl(fd, F_SETFD, nflags) < 0)
178 return -errno;
179
180 return 0;
181}
182
da6053d0
LP		 183_pure_ static bool fd_in_set(int fd, const int fdset[], size_t n_fdset) {
184 size_t i;
3ffd4af2
LP		 185
186 assert(n_fdset == 0 || fdset);
187
188 for (i = 0; i < n_fdset; i++)
189 if (fdset[i] == fd)
190 return true;
191
192 return false;
193}
194
498e265d
LP		 195static int get_max_fd(void) {
196 struct rlimit rl;
197 rlim_t m;
198
199 /* Return the highest possible fd, based RLIMIT_NOFILE, but enforcing FD_SETSIZE-1 as lower boundary
200 * and INT_MAX as upper boundary. */
201
202 if (getrlimit(RLIMIT_NOFILE, &rl) < 0)
203 return -errno;
204
205 m = MAX(rl.rlim_cur, rl.rlim_max);
206 if (m < FD_SETSIZE) /* Let's always cover at least 1024 fds */
207 return FD_SETSIZE-1;
208
209 if (m == RLIM_INFINITY || m > INT_MAX) /* Saturate on overflow. After all fds are "int", hence can
210 * never be above INT_MAX */
211 return INT_MAX;
212
213 return (int) (m - 1);
214}
215
da6053d0 216int close_all_fds(const int except[], size_t n_except) {
3ffd4af2
LP		 217 _cleanup_closedir_ DIR *d = NULL;
218 struct dirent *de;
219 int r = 0;
220
221 assert(n_except == 0 || except);
222
223 d = opendir("/proc/self/fd");
224 if (!d) {
37bc14de 225 int fd, max_fd;
3ffd4af2 226
498e265d
LP		 227 /* When /proc isn't available (for example in chroots) the fallback is brute forcing through
228 * the fd table */
37bc14de 229
498e265d
LP		 230 max_fd = get_max_fd();
231 if (max_fd < 0)
232 return max_fd;
37bc14de 233
6a461d1f
ZJS		 234 /* Refuse to do the loop over more too many elements. It's better to fail immediately than to
235 * spin the CPU for a long time. */
236 if (max_fd > MAX_FD_LOOP_LIMIT)
237 return log_debug_errno(SYNTHETIC_ERRNO(EPERM),
238 "/proc/self/fd is inaccessible. Refusing to loop over %d potential fds.",
239 max_fd);
240
37bc14de 241 for (fd = 3; fd >= 0; fd = fd < max_fd ? fd + 1 : -1) {
e43bc9f5 242 int q;
3ffd4af2
LP		 243
244 if (fd_in_set(fd, except, n_except))
245 continue;
246
e43bc9f5
LP		 247 q = close_nointr(fd);
248 if (q < 0 && q != -EBADF && r >= 0)
249 r = q;
3ffd4af2
LP		 250 }
251
252 return r;
253 }
254
8fb3f009 255 FOREACH_DIRENT(de, d, return -errno) {
e43bc9f5 256 int fd = -1, q;
3ffd4af2 257
3ffd4af2
LP		 258 if (safe_atoi(de->d_name, &fd) < 0)
259 /* Let's better ignore this, just in case */
260 continue;
261
262 if (fd < 3)
263 continue;
264
265 if (fd == dirfd(d))
266 continue;
267
268 if (fd_in_set(fd, except, n_except))
269 continue;
270
e43bc9f5
LP		 271 q = close_nointr(fd);
272 if (q < 0 && q != -EBADF && r >= 0) /* Valgrind has its own FD and doesn't want to have it closed */
273 r = q;
3ffd4af2
LP		 274 }
275
276 return r;
277}
278
279int same_fd(int a, int b) {
280 struct stat sta, stb;
281 pid_t pid;
282 int r, fa, fb;
283
284 assert(a >= 0);
285 assert(b >= 0);
286
287 /* Compares two file descriptors. Note that semantics are
288 * quite different depending on whether we have kcmp() or we
289 * don't. If we have kcmp() this will only return true for
290 * dup()ed file descriptors, but not otherwise. If we don't
291 * have kcmp() this will also return true for two fds of the same
292 * file, created by separate open() calls. Since we use this
293 * call mostly for filtering out duplicates in the fd store
294 * this difference hopefully doesn't matter too much. */
295
296 if (a == b)
297 return true;
298
299 /* Try to use kcmp() if we have it. */
df0ff127 300 pid = getpid_cached();
3ffd4af2
LP		 301 r = kcmp(pid, pid, KCMP_FILE, a, b);
302 if (r == 0)
303 return true;
304 if (r > 0)
305 return false;
9e2acd1d 306 if (!IN_SET(errno, ENOSYS, EACCES, EPERM))
3ffd4af2
LP		 307 return -errno;
308
309 /* We don't have kcmp(), use fstat() instead. */
310 if (fstat(a, &sta) < 0)
311 return -errno;
312
313 if (fstat(b, &stb) < 0)
314 return -errno;
315
316 if ((sta.st_mode & S_IFMT) != (stb.st_mode & S_IFMT))
317 return false;
318
319 /* We consider all device fds different, since two device fds
320 * might refer to quite different device contexts even though
321 * they share the same inode and backing dev_t. */
322
323 if (S_ISCHR(sta.st_mode) || S_ISBLK(sta.st_mode))
324 return false;
325
326 if (sta.st_dev != stb.st_dev || sta.st_ino != stb.st_ino)
327 return false;
328
329 /* The fds refer to the same inode on disk, let's also check
330 * if they have the same fd flags. This is useful to
331 * distinguish the read and write side of a pipe created with
332 * pipe(). */
333 fa = fcntl(a, F_GETFL);
334 if (fa < 0)
335 return -errno;
336
337 fb = fcntl(b, F_GETFL);
338 if (fb < 0)
339 return -errno;
340
341 return fa == fb;
342}
343
344void cmsg_close_all(struct msghdr *mh) {
345 struct cmsghdr *cmsg;
346
347 assert(mh);
348
349 CMSG_FOREACH(cmsg, mh)
350 if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS)
351 close_many((int*) CMSG_DATA(cmsg), (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int));
352}
4fee3975
LP		 353
354bool fdname_is_valid(const char *s) {
355 const char *p;
356
357 /* Validates a name for $LISTEN_FDNAMES. We basically allow
358 * everything ASCII that's not a control character. Also, as
359 * special exception the ":" character is not allowed, as we
360 * use that as field separator in $LISTEN_FDNAMES.
361 *
362 * Note that the empty string is explicitly allowed
363 * here. However, we limit the length of the names to 255
364 * characters. */
365
366 if (!s)
367 return false;
368
369 for (p = s; *p; p++) {
370 if (*p < ' ')
371 return false;
372 if (*p >= 127)
373 return false;
374 if (*p == ':')
375 return false;
376 }
377
378 return p - s < 256;
379}
4aeb20f5
LP		 380
381int fd_get_path(int fd, char **ret) {
f267719c 382 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
a0fe2a2d 383 int r;
4aeb20f5 384
f267719c
LP		 385 xsprintf(procfs_path, "/proc/self/fd/%i", fd);
386 r = readlink_malloc(procfs_path, ret);
387 if (r == -ENOENT) {
388 /* ENOENT can mean two things: that the fd does not exist or that /proc is not mounted. Let's make
5238e957 389 * things debuggable and distinguish the two. */
4aeb20f5 390
f267719c
LP		 391 if (access("/proc/self/fd/", F_OK) < 0)
392 /* /proc is not available or not set up properly, we're most likely in some chroot
393 * environment. */
394 return errno == ENOENT ? -EOPNOTSUPP : -errno;
a0fe2a2d 395
f267719c
LP		 396 return -EBADF; /* The directory exists, hence it's the fd that doesn't. */
397 }
a0fe2a2d
LP		 398
399 return r;
4aeb20f5 400}
046a82c1
LP		 401
402int move_fd(int from, int to, int cloexec) {
403 int r;
404
405 /* Move fd 'from' to 'to', make sure FD_CLOEXEC remains equal if requested, and release the old fd. If
406 * 'cloexec' is passed as -1, the original FD_CLOEXEC is inherited for the new fd. If it is 0, it is turned
407 * off, if it is > 0 it is turned on. */
408
409 if (from < 0)
410 return -EBADF;
411 if (to < 0)
412 return -EBADF;
413
414 if (from == to) {
415
416 if (cloexec >= 0) {
417 r = fd_cloexec(to, cloexec);
418 if (r < 0)
419 return r;
420 }
421
422 return to;
423 }
424
425 if (cloexec < 0) {
426 int fl;
427
428 fl = fcntl(from, F_GETFD, 0);
429 if (fl < 0)
430 return -errno;
431
432 cloexec = !!(fl & FD_CLOEXEC);
433 }
434
435 r = dup3(from, to, cloexec ? O_CLOEXEC : 0);
436 if (r < 0)
437 return -errno;
438
439 assert(r == to);
440
441 safe_close(from);
442
443 return to;
444}
a548e14d
LP		 445
446int acquire_data_fd(const void *data, size_t size, unsigned flags) {
447
a548e14d
LP		 448 _cleanup_close_pair_ int pipefds[2] = { -1, -1 };
449 char pattern[] = "/dev/shm/data-fd-XXXXXX";
450 _cleanup_close_ int fd = -1;
451 int isz = 0, r;
452 ssize_t n;
453 off_t f;
454
455 assert(data || size == 0);
456
457 /* Acquire a read-only file descriptor that when read from returns the specified data. This is much more
458 * complex than I wish it was. But here's why:
459 *
460 * a) First we try to use memfds. They are the best option, as we can seal them nicely to make them
461 * read-only. Unfortunately they require kernel 3.17, and – at the time of writing – we still support 3.14.
462 *
463 * b) Then, we try classic pipes. They are the second best options, as we can close the writing side, retaining
464 * a nicely read-only fd in the reading side. However, they are by default quite small, and unprivileged
465 * clients can only bump their size to a system-wide limit, which might be quite low.
466 *
467 * c) Then, we try an O_TMPFILE file in /dev/shm (that dir is the only suitable one known to exist from
468 * earliest boot on). To make it read-only we open the fd a second time with O_RDONLY via
469 * /proc/self/<fd>. Unfortunately O_TMPFILE is not available on older kernels on tmpfs.
470 *
471 * d) Finally, we try creating a regular file in /dev/shm, which we then delete.
472 *
473 * It sucks a bit that depending on the situation we return very different objects here, but that's Linux I
474 * figure. */
475
476 if (size == 0 && ((flags & ACQUIRE_NO_DEV_NULL) == 0)) {
477 /* As a special case, return /dev/null if we have been called for an empty data block */
478 r = open("/dev/null", O_RDONLY|O_CLOEXEC|O_NOCTTY);
479 if (r < 0)
480 return -errno;
481
482 return r;
483 }
484
485 if ((flags & ACQUIRE_NO_MEMFD) == 0) {
486 fd = memfd_new("data-fd");
487 if (fd < 0)
488 goto try_pipe;
489
490 n = write(fd, data, size);
491 if (n < 0)
492 return -errno;
493 if ((size_t) n != size)
494 return -EIO;
495
496 f = lseek(fd, 0, SEEK_SET);
497 if (f != 0)
498 return -errno;
499
500 r = memfd_set_sealed(fd);
501 if (r < 0)
502 return r;
503
c10d6bdb 504 return TAKE_FD(fd);
a548e14d
LP		 505 }
506
507try_pipe:
508 if ((flags & ACQUIRE_NO_PIPE) == 0) {
509 if (pipe2(pipefds, O_CLOEXEC|O_NONBLOCK) < 0)
510 return -errno;
511
512 isz = fcntl(pipefds[1], F_GETPIPE_SZ, 0);
513 if (isz < 0)
514 return -errno;
515
516 if ((size_t) isz < size) {
517 isz = (int) size;
518 if (isz < 0 || (size_t) isz != size)
519 return -E2BIG;
520
521 /* Try to bump the pipe size */
522 (void) fcntl(pipefds[1], F_SETPIPE_SZ, isz);
523
524 /* See if that worked */
525 isz = fcntl(pipefds[1], F_GETPIPE_SZ, 0);
526 if (isz < 0)
527 return -errno;
528
529 if ((size_t) isz < size)
530 goto try_dev_shm;
531 }
532
533 n = write(pipefds[1], data, size);
534 if (n < 0)
535 return -errno;
536 if ((size_t) n != size)
537 return -EIO;
538
539 (void) fd_nonblock(pipefds[0], false);
540
c10d6bdb 541 return TAKE_FD(pipefds[0]);
a548e14d
LP		 542 }
543
544try_dev_shm:
545 if ((flags & ACQUIRE_NO_TMPFILE) == 0) {
546 fd = open("/dev/shm", O_RDWR|O_TMPFILE|O_CLOEXEC, 0500);
547 if (fd < 0)
548 goto try_dev_shm_without_o_tmpfile;
549
550 n = write(fd, data, size);
551 if (n < 0)
552 return -errno;
553 if ((size_t) n != size)
554 return -EIO;
555
556 /* Let's reopen the thing, in order to get an O_RDONLY fd for the original O_RDWR one */
f2324783 557 return fd_reopen(fd, O_RDONLY|O_CLOEXEC);
a548e14d
LP		 558 }
559
560try_dev_shm_without_o_tmpfile:
561 if ((flags & ACQUIRE_NO_REGULAR) == 0) {
562 fd = mkostemp_safe(pattern);
563 if (fd < 0)
564 return fd;
565
566 n = write(fd, data, size);
567 if (n < 0) {
568 r = -errno;
569 goto unlink_and_return;
570 }
571 if ((size_t) n != size) {
572 r = -EIO;
573 goto unlink_and_return;
574 }
575
576 /* Let's reopen the thing, in order to get an O_RDONLY fd for the original O_RDWR one */
577 r = open(pattern, O_RDONLY|O_CLOEXEC);
578 if (r < 0)
579 r = -errno;
580
581 unlink_and_return:
582 (void) unlink(pattern);
583 return r;
584 }
585
586 return -EOPNOTSUPP;
587}
7fe2903c 588
4960ce43
LP		 589/* When the data is smaller or equal to 64K, try to place the copy in a memfd/pipe */
590#define DATA_FD_MEMORY_LIMIT (64U*1024U)
591
592/* If memfd/pipe didn't work out, then let's use a file in /tmp up to a size of 1M. If it's large than that use /var/tmp instead. */
593#define DATA_FD_TMP_LIMIT (1024U*1024U)
594
595int fd_duplicate_data_fd(int fd) {
596
597 _cleanup_close_ int copy_fd = -1, tmp_fd = -1;
598 _cleanup_free_ void *remains = NULL;
4960ce43
LP		 599 size_t remains_size = 0;
600 const char *td;
601 struct stat st;
602 int r;
603
604 /* Creates a 'data' fd from the specified source fd, containing all the same data in a read-only fashion, but
605 * independent of it (i.e. the source fd can be closed and unmounted after this call succeeded). Tries to be
606 * somewhat smart about where to place the data. In the best case uses a memfd(). If memfd() are not supported
607 * uses a pipe instead. For larger data will use an unlinked file in /tmp, and for even larger data one in
608 * /var/tmp. */
609
610 if (fstat(fd, &st) < 0)
611 return -errno;
612
613 /* For now, let's only accept regular files, sockets, pipes and char devices */
614 if (S_ISDIR(st.st_mode))
615 return -EISDIR;
616 if (S_ISLNK(st.st_mode))
617 return -ELOOP;
618 if (!S_ISREG(st.st_mode) && !S_ISSOCK(st.st_mode) && !S_ISFIFO(st.st_mode) && !S_ISCHR(st.st_mode))
619 return -EBADFD;
620
621 /* If we have reason to believe the data is bounded in size, then let's use memfds or pipes as backing fd. Note
622 * that we use the reported regular file size only as a hint, given that there are plenty special files in
623 * /proc and /sys which report a zero file size but can be read from. */
624
625 if (!S_ISREG(st.st_mode) || st.st_size < DATA_FD_MEMORY_LIMIT) {
626
627 /* Try a memfd first */
628 copy_fd = memfd_new("data-fd");
629 if (copy_fd >= 0) {
630 off_t f;
631
632 r = copy_bytes(fd, copy_fd, DATA_FD_MEMORY_LIMIT, 0);
633 if (r < 0)
634 return r;
635
636 f = lseek(copy_fd, 0, SEEK_SET);
637 if (f != 0)
638 return -errno;
639
640 if (r == 0) {
641 /* Did it fit into the limit? If so, we are done. */
642 r = memfd_set_sealed(copy_fd);
643 if (r < 0)
644 return r;
645
646 return TAKE_FD(copy_fd);
647 }
648
649 /* Hmm, pity, this didn't fit. Let's fall back to /tmp then, see below */
650
651 } else {
652 _cleanup_(close_pairp) int pipefds[2] = { -1, -1 };
653 int isz;
654
655 /* If memfds aren't available, use a pipe. Set O_NONBLOCK so that we will get EAGAIN rather
656 * then block indefinitely when we hit the pipe size limit */
657
658 if (pipe2(pipefds, O_CLOEXEC|O_NONBLOCK) < 0)
659 return -errno;
660
661 isz = fcntl(pipefds[1], F_GETPIPE_SZ, 0);
662 if (isz < 0)
663 return -errno;
664
665 /* Try to enlarge the pipe size if necessary */
666 if ((size_t) isz < DATA_FD_MEMORY_LIMIT) {
667
668 (void) fcntl(pipefds[1], F_SETPIPE_SZ, DATA_FD_MEMORY_LIMIT);
669
670 isz = fcntl(pipefds[1], F_GETPIPE_SZ, 0);
671 if (isz < 0)
672 return -errno;
673 }
674
675 if ((size_t) isz >= DATA_FD_MEMORY_LIMIT) {
676
b3cade0c 677 r = copy_bytes_full(fd, pipefds[1], DATA_FD_MEMORY_LIMIT, 0, &remains, &remains_size, NULL, NULL);
4960ce43
LP		 678 if (r < 0 && r != -EAGAIN)
679 return r; /* If we get EAGAIN it could be because of the source or because of
680 * the destination fd, we can't know, as sendfile() and friends won't
681 * tell us. Hence, treat this as reason to fall back, just to be
682 * sure. */
683 if (r == 0) {
684 /* Everything fit in, yay! */
685 (void) fd_nonblock(pipefds[0], false);
686
687 return TAKE_FD(pipefds[0]);
688 }
689
690 /* Things didn't fit in. But we read data into the pipe, let's remember that, so that
691 * when writing the new file we incorporate this first. */
692 copy_fd = TAKE_FD(pipefds[0]);
693 }
694 }
695 }
696
697 /* If we have reason to believe this will fit fine in /tmp, then use that as first fallback. */
698 if ((!S_ISREG(st.st_mode) || st.st_size < DATA_FD_TMP_LIMIT) &&
699 (DATA_FD_MEMORY_LIMIT + remains_size) < DATA_FD_TMP_LIMIT) {
700 off_t f;
701
702 tmp_fd = open_tmpfile_unlinkable(NULL /* NULL as directory means /tmp */, O_RDWR|O_CLOEXEC);
703 if (tmp_fd < 0)
704 return tmp_fd;
705
706 if (copy_fd >= 0) {
707 /* If we tried a memfd/pipe first and it ended up being too large, then copy this into the
708 * temporary file first. */
709
710 r = copy_bytes(copy_fd, tmp_fd, UINT64_MAX, 0);
711 if (r < 0)
712 return r;
713
714 assert(r == 0);
715 }
716
717 if (remains_size > 0) {
718 /* If there were remaining bytes (i.e. read into memory, but not written out yet) from the
719 * failed copy operation, let's flush them out next. */
720
721 r = loop_write(tmp_fd, remains, remains_size, false);
722 if (r < 0)
723 return r;
724 }
725
726 r = copy_bytes(fd, tmp_fd, DATA_FD_TMP_LIMIT - DATA_FD_MEMORY_LIMIT - remains_size, COPY_REFLINK);
727 if (r < 0)
728 return r;
729 if (r == 0)
730 goto finish; /* Yay, it fit in */
731
732 /* It didn't fit in. Let's not forget to use what we already used */
733 f = lseek(tmp_fd, 0, SEEK_SET);
734 if (f != 0)
735 return -errno;
736
737 safe_close(copy_fd);
738 copy_fd = TAKE_FD(tmp_fd);
739
740 remains = mfree(remains);
741 remains_size = 0;
742 }
743
744 /* As last fallback use /var/tmp */
745 r = var_tmp_dir(&td);
746 if (r < 0)
747 return r;
748
749 tmp_fd = open_tmpfile_unlinkable(td, O_RDWR|O_CLOEXEC);
750 if (tmp_fd < 0)
751 return tmp_fd;
752
753 if (copy_fd >= 0) {
754 /* If we tried a memfd/pipe first, or a file in /tmp, and it ended up being too large, than copy this
755 * into the temporary file first. */
756 r = copy_bytes(copy_fd, tmp_fd, UINT64_MAX, COPY_REFLINK);
757 if (r < 0)
758 return r;
759
760 assert(r == 0);
761 }
762
763 if (remains_size > 0) {
764 /* Then, copy in any read but not yet written bytes. */
765 r = loop_write(tmp_fd, remains, remains_size, false);
766 if (r < 0)
767 return r;
768 }
769
770 /* Copy in the rest */
771 r = copy_bytes(fd, tmp_fd, UINT64_MAX, COPY_REFLINK);
772 if (r < 0)
773 return r;
774
775 assert(r == 0);
776
777finish:
778 /* Now convert the O_RDWR file descriptor into an O_RDONLY one (and as side effect seek to the beginning of the
779 * file again */
780
781 return fd_reopen(tmp_fd, O_RDONLY|O_CLOEXEC);
782}
783
7fe2903c
LP		 784int fd_move_above_stdio(int fd) {
785 int flags, copy;
786 PROTECT_ERRNO;
787
788 /* Moves the specified file descriptor if possible out of the range [0…2], i.e. the range of
789 * stdin/stdout/stderr. If it can't be moved outside of this range the original file descriptor is
790 * returned. This call is supposed to be used for long-lasting file descriptors we allocate in our code that
791 * might get loaded into foreign code, and where we want ensure our fds are unlikely used accidentally as
792 * stdin/stdout/stderr of unrelated code.
793 *
794 * Note that this doesn't fix any real bugs, it just makes it less likely that our code will be affected by
795 * buggy code from others that mindlessly invokes 'fprintf(stderr, …' or similar in places where stderr has
796 * been closed before.
797 *
798 * This function is written in a "best-effort" and "least-impact" style. This means whenever we encounter an
799 * error we simply return the original file descriptor, and we do not touch errno. */
800
801 if (fd < 0 || fd > 2)
802 return fd;
803
804 flags = fcntl(fd, F_GETFD, 0);
805 if (flags < 0)
806 return fd;
807
808 if (flags & FD_CLOEXEC)
809 copy = fcntl(fd, F_DUPFD_CLOEXEC, 3);
810 else
811 copy = fcntl(fd, F_DUPFD, 3);
812 if (copy < 0)
813 return fd;
814
815 assert(copy > 2);
816
817 (void) close(fd);
818 return copy;
819}
aa11e28b
LP		 820
821int rearrange_stdio(int original_input_fd, int original_output_fd, int original_error_fd) {
822
823 int fd[3] = { /* Put together an array of fds we work on */
824 original_input_fd,
825 original_output_fd,
826 original_error_fd
827 };
828
829 int r, i,
830 null_fd = -1, /* if we open /dev/null, we store the fd to it here */
831 copy_fd[3] = { -1, -1, -1 }; /* This contains all fds we duplicate here temporarily, and hence need to close at the end */
832 bool null_readable, null_writable;
833
834 /* Sets up stdin, stdout, stderr with the three file descriptors passed in. If any of the descriptors is
835 * specified as -1 it will be connected with /dev/null instead. If any of the file descriptors is passed as
836 * itself (e.g. stdin as STDIN_FILENO) it is left unmodified, but the O_CLOEXEC bit is turned off should it be
837 * on.
838 *
839 * Note that if any of the passed file descriptors are > 2 they will be closed — both on success and on
840 * failure! Thus, callers should assume that when this function returns the input fds are invalidated.
841 *
842 * Note that when this function fails stdin/stdout/stderr might remain half set up!
843 *
844 * O_CLOEXEC is turned off for all three file descriptors (which is how it should be for
845 * stdin/stdout/stderr). */
846
847 null_readable = original_input_fd < 0;
848 null_writable = original_output_fd < 0 || original_error_fd < 0;
849
850 /* First step, open /dev/null once, if we need it */
851 if (null_readable || null_writable) {
852
853 /* Let's open this with O_CLOEXEC first, and convert it to non-O_CLOEXEC when we move the fd to the final position. */
854 null_fd = open("/dev/null", (null_readable && null_writable ? O_RDWR :
855 null_readable ? O_RDONLY : O_WRONLY) | O_CLOEXEC);
856 if (null_fd < 0) {
857 r = -errno;
858 goto finish;
859 }
860
861 /* If this fd is in the 0…2 range, let's move it out of it */
862 if (null_fd < 3) {
863 int copy;
864
865 copy = fcntl(null_fd, F_DUPFD_CLOEXEC, 3); /* Duplicate this with O_CLOEXEC set */
866 if (copy < 0) {
867 r = -errno;
868 goto finish;
869 }
870
871 safe_close(null_fd);
872 null_fd = copy;
873 }
874 }
875
876 /* Let's assemble fd[] with the fds to install in place of stdin/stdout/stderr */
877 for (i = 0; i < 3; i++) {
878
879 if (fd[i] < 0)
880 fd[i] = null_fd; /* A negative parameter means: connect this one to /dev/null */
881 else if (fd[i] != i && fd[i] < 3) {
882 /* This fd is in the 0…2 territory, but not at its intended place, move it out of there, so that we can work there. */
883 copy_fd[i] = fcntl(fd[i], F_DUPFD_CLOEXEC, 3); /* Duplicate this with O_CLOEXEC set */
884 if (copy_fd[i] < 0) {
885 r = -errno;
886 goto finish;
887 }
888
889 fd[i] = copy_fd[i];
890 }
891 }
892
893 /* At this point we now have the fds to use in fd[], and they are all above the stdio range, so that we
894 * have freedom to move them around. If the fds already were at the right places then the specific fds are
895 * -1. Let's now move them to the right places. This is the point of no return. */
896 for (i = 0; i < 3; i++) {
897
898 if (fd[i] == i) {
899
900 /* fd is already in place, but let's make sure O_CLOEXEC is off */
901 r = fd_cloexec(i, false);
902 if (r < 0)
903 goto finish;
904
905 } else {
906 assert(fd[i] > 2);
907
908 if (dup2(fd[i], i) < 0) { /* Turns off O_CLOEXEC on the new fd. */
909 r = -errno;
910 goto finish;
911 }
912 }
913 }
914
915 r = 0;
916
917finish:
918 /* Close the original fds, but only if they were outside of the stdio range. Also, properly check for the same
919 * fd passed in multiple times. */
920 safe_close_above_stdio(original_input_fd);
921 if (original_output_fd != original_input_fd)
922 safe_close_above_stdio(original_output_fd);
923 if (original_error_fd != original_input_fd && original_error_fd != original_output_fd)
924 safe_close_above_stdio(original_error_fd);
925
926 /* Close the copies we moved > 2 */
927 for (i = 0; i < 3; i++)
928 safe_close(copy_fd[i]);
929
930 /* Close our null fd, if it's > 2 */
931 safe_close_above_stdio(null_fd);
932
933 return r;
934}
f2324783
LP		 935
936int fd_reopen(int fd, int flags) {
937 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
938 int new_fd;
939
940 /* Reopens the specified fd with new flags. This is useful for convert an O_PATH fd into a regular one, or to
941 * turn O_RDWR fds into O_RDONLY fds.
942 *
943 * This doesn't work on sockets (since they cannot be open()ed, ever).
944 *
945 * This implicitly resets the file read index to 0. */
946
947 xsprintf(procfs_path, "/proc/self/fd/%i", fd);
948 new_fd = open(procfs_path, flags);
949 if (new_fd < 0)
950 return -errno;
951
952 return new_fd;
953}
9264cc39
LP		 954
955int read_nr_open(void) {
956 _cleanup_free_ char *nr_open = NULL;
957 int r;
958
959 /* Returns the kernel's current fd limit, either by reading it of /proc/sys if that works, or using the
960 * hard-coded default compiled-in value of current kernels (1M) if not. This call will never fail. */
961
962 r = read_one_line_file("/proc/sys/fs/nr_open", &nr_open);
963 if (r < 0)
964 log_debug_errno(r, "Failed to read /proc/sys/fs/nr_open, ignoring: %m");
965 else {
966 int v;
967
968 r = safe_atoi(nr_open, &v);
969 if (r < 0)
970 log_debug_errno(r, "Failed to parse /proc/sys/fs/nr_open value '%s', ignoring: %m", nr_open);
971 else
972 return v;
973 }
974
975 /* If we fail, fallback to the hard-coded kernel limit of 1024 * 1024. */
976 return 1024 * 1024;
977}
Unnamed repository; edit this file 'description' to name the repository.