]>
Commit | Line | Data |
---|---|---|
53e1b683 | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
f4f15635 | 2 | |
11c3a366 TA |
3 | #include <errno.h> |
4 | #include <stddef.h> | |
5 | #include <stdio.h> | |
6 | #include <stdlib.h> | |
7 | #include <string.h> | |
8 | #include <sys/stat.h> | |
1c73b069 | 9 | #include <linux/falloc.h> |
655f2da0 | 10 | #include <linux/magic.h> |
11c3a366 TA |
11 | #include <time.h> |
12 | #include <unistd.h> | |
13 | ||
b5efdb8a | 14 | #include "alloc-util.h" |
f4f15635 LP |
15 | #include "dirent-util.h" |
16 | #include "fd-util.h" | |
f4f15635 | 17 | #include "fs-util.h" |
fd74c6f3 | 18 | #include "locale-util.h" |
11c3a366 TA |
19 | #include "log.h" |
20 | #include "macro.h" | |
21 | #include "missing.h" | |
93cc7779 TA |
22 | #include "mkdir.h" |
23 | #include "parse-util.h" | |
24 | #include "path-util.h" | |
dccca82b | 25 | #include "process-util.h" |
34a8f081 | 26 | #include "stat-util.h" |
430fbf8e | 27 | #include "stdio-util.h" |
f4f15635 LP |
28 | #include "string-util.h" |
29 | #include "strv.h" | |
93cc7779 | 30 | #include "time-util.h" |
e4de7287 | 31 | #include "tmpfile-util.h" |
ee104e11 | 32 | #include "user-util.h" |
f4f15635 LP |
33 | #include "util.h" |
34 | ||
35 | int unlink_noerrno(const char *path) { | |
36 | PROTECT_ERRNO; | |
37 | int r; | |
38 | ||
39 | r = unlink(path); | |
40 | if (r < 0) | |
41 | return -errno; | |
42 | ||
43 | return 0; | |
44 | } | |
45 | ||
46 | int rmdir_parents(const char *path, const char *stop) { | |
47 | size_t l; | |
48 | int r = 0; | |
49 | ||
50 | assert(path); | |
51 | assert(stop); | |
52 | ||
53 | l = strlen(path); | |
54 | ||
55 | /* Skip trailing slashes */ | |
56 | while (l > 0 && path[l-1] == '/') | |
57 | l--; | |
58 | ||
59 | while (l > 0) { | |
60 | char *t; | |
61 | ||
62 | /* Skip last component */ | |
63 | while (l > 0 && path[l-1] != '/') | |
64 | l--; | |
65 | ||
66 | /* Skip trailing slashes */ | |
67 | while (l > 0 && path[l-1] == '/') | |
68 | l--; | |
69 | ||
70 | if (l <= 0) | |
71 | break; | |
72 | ||
73 | t = strndup(path, l); | |
74 | if (!t) | |
75 | return -ENOMEM; | |
76 | ||
77 | if (path_startswith(stop, t)) { | |
78 | free(t); | |
79 | return 0; | |
80 | } | |
81 | ||
82 | r = rmdir(t); | |
83 | free(t); | |
84 | ||
85 | if (r < 0) | |
86 | if (errno != ENOENT) | |
87 | return -errno; | |
88 | } | |
89 | ||
90 | return 0; | |
91 | } | |
92 | ||
f4f15635 | 93 | int rename_noreplace(int olddirfd, const char *oldpath, int newdirfd, const char *newpath) { |
2f15b625 | 94 | int r; |
f4f15635 | 95 | |
2f15b625 LP |
96 | /* Try the ideal approach first */ |
97 | if (renameat2(olddirfd, oldpath, newdirfd, newpath, RENAME_NOREPLACE) >= 0) | |
f4f15635 LP |
98 | return 0; |
99 | ||
2f15b625 LP |
100 | /* renameat2() exists since Linux 3.15, btrfs and FAT added support for it later. If it is not implemented, |
101 | * fall back to a different method. */ | |
102 | if (!IN_SET(errno, EINVAL, ENOSYS, ENOTTY)) | |
f4f15635 LP |
103 | return -errno; |
104 | ||
2f15b625 LP |
105 | /* Let's try to use linkat()+unlinkat() as fallback. This doesn't work on directories and on some file systems |
106 | * that do not support hard links (such as FAT, most prominently), but for files it's pretty close to what we | |
107 | * want — though not atomic (i.e. for a short period both the new and the old filename will exist). */ | |
108 | if (linkat(olddirfd, oldpath, newdirfd, newpath, 0) >= 0) { | |
109 | ||
110 | if (unlinkat(olddirfd, oldpath, 0) < 0) { | |
111 | r = -errno; /* Backup errno before the following unlinkat() alters it */ | |
112 | (void) unlinkat(newdirfd, newpath, 0); | |
113 | return r; | |
114 | } | |
115 | ||
116 | return 0; | |
f4f15635 LP |
117 | } |
118 | ||
2f15b625 | 119 | if (!IN_SET(errno, EINVAL, ENOSYS, ENOTTY, EPERM)) /* FAT returns EPERM on link()… */ |
f4f15635 LP |
120 | return -errno; |
121 | ||
2f15b625 LP |
122 | /* OK, neither RENAME_NOREPLACE nor linkat()+unlinkat() worked. Let's then fallback to the racy TOCTOU |
123 | * vulnerable accessat(F_OK) check followed by classic, replacing renameat(), we have nothing better. */ | |
124 | ||
125 | if (faccessat(newdirfd, newpath, F_OK, AT_SYMLINK_NOFOLLOW) >= 0) | |
126 | return -EEXIST; | |
127 | if (errno != ENOENT) | |
128 | return -errno; | |
129 | ||
130 | if (renameat(olddirfd, oldpath, newdirfd, newpath) < 0) | |
f4f15635 | 131 | return -errno; |
f4f15635 LP |
132 | |
133 | return 0; | |
134 | } | |
135 | ||
136 | int readlinkat_malloc(int fd, const char *p, char **ret) { | |
8e060ec2 | 137 | size_t l = FILENAME_MAX+1; |
f4f15635 LP |
138 | int r; |
139 | ||
140 | assert(p); | |
141 | assert(ret); | |
142 | ||
143 | for (;;) { | |
144 | char *c; | |
145 | ssize_t n; | |
146 | ||
147 | c = new(char, l); | |
148 | if (!c) | |
149 | return -ENOMEM; | |
150 | ||
151 | n = readlinkat(fd, p, c, l-1); | |
152 | if (n < 0) { | |
153 | r = -errno; | |
154 | free(c); | |
155 | return r; | |
156 | } | |
157 | ||
158 | if ((size_t) n < l-1) { | |
159 | c[n] = 0; | |
160 | *ret = c; | |
161 | return 0; | |
162 | } | |
163 | ||
164 | free(c); | |
165 | l *= 2; | |
166 | } | |
167 | } | |
168 | ||
169 | int readlink_malloc(const char *p, char **ret) { | |
170 | return readlinkat_malloc(AT_FDCWD, p, ret); | |
171 | } | |
172 | ||
173 | int readlink_value(const char *p, char **ret) { | |
174 | _cleanup_free_ char *link = NULL; | |
175 | char *value; | |
176 | int r; | |
177 | ||
178 | r = readlink_malloc(p, &link); | |
179 | if (r < 0) | |
180 | return r; | |
181 | ||
182 | value = basename(link); | |
183 | if (!value) | |
184 | return -ENOENT; | |
185 | ||
186 | value = strdup(value); | |
187 | if (!value) | |
188 | return -ENOMEM; | |
189 | ||
190 | *ret = value; | |
191 | ||
192 | return 0; | |
193 | } | |
194 | ||
195 | int readlink_and_make_absolute(const char *p, char **r) { | |
196 | _cleanup_free_ char *target = NULL; | |
197 | char *k; | |
198 | int j; | |
199 | ||
200 | assert(p); | |
201 | assert(r); | |
202 | ||
203 | j = readlink_malloc(p, &target); | |
204 | if (j < 0) | |
205 | return j; | |
206 | ||
207 | k = file_in_same_dir(p, target); | |
208 | if (!k) | |
209 | return -ENOMEM; | |
210 | ||
211 | *r = k; | |
212 | return 0; | |
213 | } | |
214 | ||
f4f15635 | 215 | int chmod_and_chown(const char *path, mode_t mode, uid_t uid, gid_t gid) { |
de321f52 LP |
216 | char fd_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1]; |
217 | _cleanup_close_ int fd = -1; | |
30ff18d8 LP |
218 | bool st_valid = false; |
219 | struct stat st; | |
220 | int r; | |
221 | ||
f4f15635 LP |
222 | assert(path); |
223 | ||
30ff18d8 LP |
224 | /* Under the assumption that we are running privileged we first change the access mode and only then |
225 | * hand out ownership to avoid a window where access is too open. */ | |
f4f15635 | 226 | |
30ff18d8 LP |
227 | fd = open(path, O_PATH|O_CLOEXEC|O_NOFOLLOW); /* Let's acquire an O_PATH fd, as precaution to change |
228 | * mode/owner on the same file */ | |
de321f52 LP |
229 | if (fd < 0) |
230 | return -errno; | |
231 | ||
232 | xsprintf(fd_path, "/proc/self/fd/%i", fd); | |
233 | ||
234 | if (mode != MODE_INVALID) { | |
de321f52 | 235 | if ((mode & S_IFMT) != 0) { |
de321f52 LP |
236 | |
237 | if (stat(fd_path, &st) < 0) | |
238 | return -errno; | |
239 | ||
240 | if ((mode & S_IFMT) != (st.st_mode & S_IFMT)) | |
241 | return -EINVAL; | |
30ff18d8 LP |
242 | |
243 | st_valid = true; | |
de321f52 LP |
244 | } |
245 | ||
30ff18d8 LP |
246 | if (chmod(fd_path, mode & 07777) < 0) { |
247 | r = -errno; | |
248 | ||
249 | if (!st_valid && stat(fd_path, &st) < 0) | |
250 | return -errno; | |
251 | ||
252 | if ((mode & 07777) != (st.st_mode & 07777)) | |
253 | return r; | |
254 | ||
255 | st_valid = true; | |
256 | } | |
de321f52 | 257 | } |
f4f15635 | 258 | |
30ff18d8 LP |
259 | if (uid != UID_INVALID || gid != GID_INVALID) { |
260 | if (chown(fd_path, uid, gid) < 0) { | |
261 | r = -errno; | |
262 | ||
263 | if (!st_valid && stat(fd_path, &st) < 0) | |
264 | return -errno; | |
265 | ||
266 | if (uid != UID_INVALID && st.st_uid != uid) | |
267 | return r; | |
268 | if (gid != GID_INVALID && st.st_gid != gid) | |
269 | return r; | |
270 | } | |
271 | } | |
b8da477e YW |
272 | |
273 | return 0; | |
274 | } | |
275 | ||
276 | int fchmod_and_chown(int fd, mode_t mode, uid_t uid, gid_t gid) { | |
30ff18d8 LP |
277 | bool st_valid = false; |
278 | struct stat st; | |
279 | int r; | |
280 | ||
de321f52 | 281 | /* Under the assumption that we are running privileged we first change the access mode and only then hand out |
b8da477e YW |
282 | * ownership to avoid a window where access is too open. */ |
283 | ||
de321f52 | 284 | if (mode != MODE_INVALID) { |
de321f52 | 285 | if ((mode & S_IFMT) != 0) { |
de321f52 LP |
286 | |
287 | if (fstat(fd, &st) < 0) | |
288 | return -errno; | |
289 | ||
290 | if ((mode & S_IFMT) != (st.st_mode & S_IFMT)) | |
291 | return -EINVAL; | |
30ff18d8 LP |
292 | |
293 | st_valid = true; | |
de321f52 LP |
294 | } |
295 | ||
30ff18d8 LP |
296 | if (fchmod(fd, mode & 07777) < 0) { |
297 | r = -errno; | |
298 | ||
299 | if (!st_valid && fstat(fd, &st) < 0) | |
300 | return -errno; | |
301 | ||
302 | if ((mode & 07777) != (st.st_mode & 07777)) | |
303 | return r; | |
304 | ||
305 | st_valid = true; | |
306 | } | |
de321f52 | 307 | } |
b8da477e YW |
308 | |
309 | if (uid != UID_INVALID || gid != GID_INVALID) | |
30ff18d8 LP |
310 | if (fchown(fd, uid, gid) < 0) { |
311 | r = -errno; | |
312 | ||
313 | if (!st_valid && fstat(fd, &st) < 0) | |
314 | return -errno; | |
315 | ||
316 | if (uid != UID_INVALID && st.st_uid != uid) | |
317 | return r; | |
318 | if (gid != GID_INVALID && st.st_gid != gid) | |
319 | return r; | |
320 | } | |
f4f15635 LP |
321 | |
322 | return 0; | |
323 | } | |
324 | ||
f4f15635 LP |
325 | int fchmod_umask(int fd, mode_t m) { |
326 | mode_t u; | |
327 | int r; | |
328 | ||
329 | u = umask(0777); | |
330 | r = fchmod(fd, m & (~u)) < 0 ? -errno : 0; | |
331 | umask(u); | |
332 | ||
333 | return r; | |
334 | } | |
335 | ||
4dfaa528 | 336 | int fchmod_opath(int fd, mode_t m) { |
22dd8d35 | 337 | char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)]; |
4dfaa528 FB |
338 | |
339 | /* This function operates also on fd that might have been opened with | |
340 | * O_PATH. Indeed fchmodat() doesn't have the AT_EMPTY_PATH flag like | |
341 | * fchownat() does. */ | |
342 | ||
343 | xsprintf(procfs_path, "/proc/self/fd/%i", fd); | |
4dfaa528 FB |
344 | if (chmod(procfs_path, m) < 0) |
345 | return -errno; | |
346 | ||
347 | return 0; | |
348 | } | |
349 | ||
f4f15635 LP |
350 | int fd_warn_permissions(const char *path, int fd) { |
351 | struct stat st; | |
352 | ||
353 | if (fstat(fd, &st) < 0) | |
354 | return -errno; | |
355 | ||
b6cceaae LP |
356 | /* Don't complain if we are reading something that is not a file, for example /dev/null */ |
357 | if (!S_ISREG(st.st_mode)) | |
358 | return 0; | |
359 | ||
f4f15635 LP |
360 | if (st.st_mode & 0111) |
361 | log_warning("Configuration file %s is marked executable. Please remove executable permission bits. Proceeding anyway.", path); | |
362 | ||
363 | if (st.st_mode & 0002) | |
364 | log_warning("Configuration file %s is marked world-writable. Please remove world writability permission bits. Proceeding anyway.", path); | |
365 | ||
df0ff127 | 366 | if (getpid_cached() == 1 && (st.st_mode & 0044) != 0044) |
f4f15635 LP |
367 | log_warning("Configuration file %s is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.", path); |
368 | ||
369 | return 0; | |
370 | } | |
371 | ||
372 | int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode) { | |
9e3fa6e8 LP |
373 | char fdpath[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)]; |
374 | _cleanup_close_ int fd = -1; | |
375 | int r, ret = 0; | |
f4f15635 LP |
376 | |
377 | assert(path); | |
378 | ||
9e3fa6e8 LP |
379 | /* Note that touch_file() does not follow symlinks: if invoked on an existing symlink, then it is the symlink |
380 | * itself which is updated, not its target | |
381 | * | |
382 | * Returns the first error we encounter, but tries to apply as much as possible. */ | |
f4f15635 | 383 | |
9e3fa6e8 LP |
384 | if (parents) |
385 | (void) mkdir_parents(path, 0755); | |
386 | ||
387 | /* Initially, we try to open the node with O_PATH, so that we get a reference to the node. This is useful in | |
388 | * case the path refers to an existing device or socket node, as we can open it successfully in all cases, and | |
389 | * won't trigger any driver magic or so. */ | |
390 | fd = open(path, O_PATH|O_CLOEXEC|O_NOFOLLOW); | |
391 | if (fd < 0) { | |
392 | if (errno != ENOENT) | |
f4f15635 | 393 | return -errno; |
f4f15635 | 394 | |
9e3fa6e8 LP |
395 | /* if the node doesn't exist yet, we create it, but with O_EXCL, so that we only create a regular file |
396 | * here, and nothing else */ | |
397 | fd = open(path, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, IN_SET(mode, 0, MODE_INVALID) ? 0644 : mode); | |
398 | if (fd < 0) | |
f4f15635 LP |
399 | return -errno; |
400 | } | |
401 | ||
9e3fa6e8 LP |
402 | /* Let's make a path from the fd, and operate on that. With this logic, we can adjust the access mode, |
403 | * ownership and time of the file node in all cases, even if the fd refers to an O_PATH object — which is | |
404 | * something fchown(), fchmod(), futimensat() don't allow. */ | |
405 | xsprintf(fdpath, "/proc/self/fd/%i", fd); | |
406 | ||
407 | if (mode != MODE_INVALID) | |
408 | if (chmod(fdpath, mode) < 0) | |
409 | ret = -errno; | |
410 | ||
411 | if (uid_is_valid(uid) || gid_is_valid(gid)) | |
412 | if (chown(fdpath, uid, gid) < 0 && ret >= 0) | |
413 | ret = -errno; | |
414 | ||
f4f15635 LP |
415 | if (stamp != USEC_INFINITY) { |
416 | struct timespec ts[2]; | |
417 | ||
418 | timespec_store(&ts[0], stamp); | |
419 | ts[1] = ts[0]; | |
9e3fa6e8 | 420 | r = utimensat(AT_FDCWD, fdpath, ts, 0); |
f4f15635 | 421 | } else |
9e3fa6e8 LP |
422 | r = utimensat(AT_FDCWD, fdpath, NULL, 0); |
423 | if (r < 0 && ret >= 0) | |
f4f15635 LP |
424 | return -errno; |
425 | ||
9e3fa6e8 | 426 | return ret; |
f4f15635 LP |
427 | } |
428 | ||
429 | int touch(const char *path) { | |
ee735086 | 430 | return touch_file(path, false, USEC_INFINITY, UID_INVALID, GID_INVALID, MODE_INVALID); |
f4f15635 LP |
431 | } |
432 | ||
6c9c51e5 YW |
433 | int symlink_idempotent(const char *from, const char *to, bool make_relative) { |
434 | _cleanup_free_ char *relpath = NULL; | |
f4f15635 LP |
435 | int r; |
436 | ||
437 | assert(from); | |
438 | assert(to); | |
439 | ||
6c9c51e5 YW |
440 | if (make_relative) { |
441 | _cleanup_free_ char *parent = NULL; | |
442 | ||
443 | parent = dirname_malloc(to); | |
444 | if (!parent) | |
445 | return -ENOMEM; | |
446 | ||
447 | r = path_make_relative(parent, from, &relpath); | |
448 | if (r < 0) | |
449 | return r; | |
450 | ||
451 | from = relpath; | |
452 | } | |
453 | ||
f4f15635 | 454 | if (symlink(from, to) < 0) { |
77b79723 LP |
455 | _cleanup_free_ char *p = NULL; |
456 | ||
f4f15635 LP |
457 | if (errno != EEXIST) |
458 | return -errno; | |
459 | ||
460 | r = readlink_malloc(to, &p); | |
77b79723 LP |
461 | if (r == -EINVAL) /* Not a symlink? In that case return the original error we encountered: -EEXIST */ |
462 | return -EEXIST; | |
463 | if (r < 0) /* Any other error? In that case propagate it as is */ | |
f4f15635 LP |
464 | return r; |
465 | ||
77b79723 LP |
466 | if (!streq(p, from)) /* Not the symlink we want it to be? In that case, propagate the original -EEXIST */ |
467 | return -EEXIST; | |
f4f15635 LP |
468 | } |
469 | ||
470 | return 0; | |
471 | } | |
472 | ||
473 | int symlink_atomic(const char *from, const char *to) { | |
474 | _cleanup_free_ char *t = NULL; | |
475 | int r; | |
476 | ||
477 | assert(from); | |
478 | assert(to); | |
479 | ||
480 | r = tempfn_random(to, NULL, &t); | |
481 | if (r < 0) | |
482 | return r; | |
483 | ||
484 | if (symlink(from, t) < 0) | |
485 | return -errno; | |
486 | ||
487 | if (rename(t, to) < 0) { | |
488 | unlink_noerrno(t); | |
489 | return -errno; | |
490 | } | |
491 | ||
492 | return 0; | |
493 | } | |
494 | ||
495 | int mknod_atomic(const char *path, mode_t mode, dev_t dev) { | |
496 | _cleanup_free_ char *t = NULL; | |
497 | int r; | |
498 | ||
499 | assert(path); | |
500 | ||
501 | r = tempfn_random(path, NULL, &t); | |
502 | if (r < 0) | |
503 | return r; | |
504 | ||
505 | if (mknod(t, mode, dev) < 0) | |
506 | return -errno; | |
507 | ||
508 | if (rename(t, path) < 0) { | |
509 | unlink_noerrno(t); | |
510 | return -errno; | |
511 | } | |
512 | ||
513 | return 0; | |
514 | } | |
515 | ||
516 | int mkfifo_atomic(const char *path, mode_t mode) { | |
517 | _cleanup_free_ char *t = NULL; | |
518 | int r; | |
519 | ||
520 | assert(path); | |
521 | ||
522 | r = tempfn_random(path, NULL, &t); | |
523 | if (r < 0) | |
524 | return r; | |
525 | ||
526 | if (mkfifo(t, mode) < 0) | |
527 | return -errno; | |
528 | ||
529 | if (rename(t, path) < 0) { | |
4fe3828c FB |
530 | unlink_noerrno(t); |
531 | return -errno; | |
532 | } | |
533 | ||
534 | return 0; | |
535 | } | |
536 | ||
537 | int mkfifoat_atomic(int dirfd, const char *path, mode_t mode) { | |
538 | _cleanup_free_ char *t = NULL; | |
539 | int r; | |
540 | ||
541 | assert(path); | |
542 | ||
543 | if (path_is_absolute(path)) | |
544 | return mkfifo_atomic(path, mode); | |
545 | ||
546 | /* We're only interested in the (random) filename. */ | |
547 | r = tempfn_random_child("", NULL, &t); | |
548 | if (r < 0) | |
549 | return r; | |
550 | ||
551 | if (mkfifoat(dirfd, t, mode) < 0) | |
552 | return -errno; | |
553 | ||
554 | if (renameat(dirfd, t, dirfd, path) < 0) { | |
f4f15635 LP |
555 | unlink_noerrno(t); |
556 | return -errno; | |
557 | } | |
558 | ||
559 | return 0; | |
560 | } | |
561 | ||
562 | int get_files_in_directory(const char *path, char ***list) { | |
563 | _cleanup_closedir_ DIR *d = NULL; | |
8fb3f009 | 564 | struct dirent *de; |
f4f15635 LP |
565 | size_t bufsize = 0, n = 0; |
566 | _cleanup_strv_free_ char **l = NULL; | |
567 | ||
568 | assert(path); | |
569 | ||
570 | /* Returns all files in a directory in *list, and the number | |
571 | * of files as return value. If list is NULL returns only the | |
572 | * number. */ | |
573 | ||
574 | d = opendir(path); | |
575 | if (!d) | |
576 | return -errno; | |
577 | ||
8fb3f009 | 578 | FOREACH_DIRENT_ALL(de, d, return -errno) { |
f4f15635 LP |
579 | dirent_ensure_type(d, de); |
580 | ||
581 | if (!dirent_is_file(de)) | |
582 | continue; | |
583 | ||
584 | if (list) { | |
585 | /* one extra slot is needed for the terminating NULL */ | |
586 | if (!GREEDY_REALLOC(l, bufsize, n + 2)) | |
587 | return -ENOMEM; | |
588 | ||
589 | l[n] = strdup(de->d_name); | |
590 | if (!l[n]) | |
591 | return -ENOMEM; | |
592 | ||
593 | l[++n] = NULL; | |
594 | } else | |
595 | n++; | |
596 | } | |
597 | ||
ae2a15bc LP |
598 | if (list) |
599 | *list = TAKE_PTR(l); | |
f4f15635 LP |
600 | |
601 | return n; | |
602 | } | |
430fbf8e | 603 | |
992e8f22 LP |
604 | static int getenv_tmp_dir(const char **ret_path) { |
605 | const char *n; | |
606 | int r, ret = 0; | |
34a8f081 | 607 | |
992e8f22 | 608 | assert(ret_path); |
34a8f081 | 609 | |
992e8f22 LP |
610 | /* We use the same order of environment variables python uses in tempfile.gettempdir(): |
611 | * https://docs.python.org/3/library/tempfile.html#tempfile.gettempdir */ | |
612 | FOREACH_STRING(n, "TMPDIR", "TEMP", "TMP") { | |
613 | const char *e; | |
614 | ||
615 | e = secure_getenv(n); | |
616 | if (!e) | |
617 | continue; | |
618 | if (!path_is_absolute(e)) { | |
619 | r = -ENOTDIR; | |
620 | goto next; | |
621 | } | |
99be45a4 | 622 | if (!path_is_normalized(e)) { |
992e8f22 LP |
623 | r = -EPERM; |
624 | goto next; | |
625 | } | |
626 | ||
627 | r = is_dir(e, true); | |
628 | if (r < 0) | |
629 | goto next; | |
630 | if (r == 0) { | |
631 | r = -ENOTDIR; | |
632 | goto next; | |
633 | } | |
634 | ||
635 | *ret_path = e; | |
636 | return 1; | |
637 | ||
638 | next: | |
639 | /* Remember first error, to make this more debuggable */ | |
640 | if (ret >= 0) | |
641 | ret = r; | |
34a8f081 OW |
642 | } |
643 | ||
992e8f22 LP |
644 | if (ret < 0) |
645 | return ret; | |
34a8f081 | 646 | |
992e8f22 LP |
647 | *ret_path = NULL; |
648 | return ret; | |
649 | } | |
34a8f081 | 650 | |
992e8f22 LP |
651 | static int tmp_dir_internal(const char *def, const char **ret) { |
652 | const char *e; | |
653 | int r, k; | |
654 | ||
655 | assert(def); | |
656 | assert(ret); | |
657 | ||
658 | r = getenv_tmp_dir(&e); | |
659 | if (r > 0) { | |
660 | *ret = e; | |
661 | return 0; | |
662 | } | |
663 | ||
664 | k = is_dir(def, true); | |
665 | if (k == 0) | |
666 | k = -ENOTDIR; | |
667 | if (k < 0) | |
668 | return r < 0 ? r : k; | |
669 | ||
670 | *ret = def; | |
34a8f081 OW |
671 | return 0; |
672 | } | |
673 | ||
992e8f22 LP |
674 | int var_tmp_dir(const char **ret) { |
675 | ||
676 | /* Returns the location for "larger" temporary files, that is backed by physical storage if available, and thus | |
677 | * even might survive a boot: /var/tmp. If $TMPDIR (or related environment variables) are set, its value is | |
678 | * returned preferably however. Note that both this function and tmp_dir() below are affected by $TMPDIR, | |
679 | * making it a variable that overrides all temporary file storage locations. */ | |
680 | ||
681 | return tmp_dir_internal("/var/tmp", ret); | |
682 | } | |
683 | ||
684 | int tmp_dir(const char **ret) { | |
685 | ||
686 | /* Similar to var_tmp_dir() above, but returns the location for "smaller" temporary files, which is usually | |
687 | * backed by an in-memory file system: /tmp. */ | |
688 | ||
689 | return tmp_dir_internal("/tmp", ret); | |
690 | } | |
691 | ||
af229d7a ZJS |
692 | int unlink_or_warn(const char *filename) { |
693 | if (unlink(filename) < 0 && errno != ENOENT) | |
694 | /* If the file doesn't exist and the fs simply was read-only (in which | |
695 | * case unlink() returns EROFS even if the file doesn't exist), don't | |
696 | * complain */ | |
697 | if (errno != EROFS || access(filename, F_OK) >= 0) | |
698 | return log_error_errno(errno, "Failed to remove \"%s\": %m", filename); | |
699 | ||
700 | return 0; | |
701 | } | |
702 | ||
430fbf8e | 703 | int inotify_add_watch_fd(int fd, int what, uint32_t mask) { |
fbd0b64f | 704 | char path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1]; |
430fbf8e LP |
705 | int r; |
706 | ||
707 | /* This is like inotify_add_watch(), except that the file to watch is not referenced by a path, but by an fd */ | |
708 | xsprintf(path, "/proc/self/fd/%i", what); | |
709 | ||
710 | r = inotify_add_watch(fd, path, mask); | |
711 | if (r < 0) | |
712 | return -errno; | |
713 | ||
714 | return r; | |
715 | } | |
d944dc95 | 716 | |
b85ee2ec | 717 | static bool unsafe_transition(const struct stat *a, const struct stat *b) { |
f14f1806 LP |
718 | /* Returns true if the transition from a to b is safe, i.e. that we never transition from unprivileged to |
719 | * privileged files or directories. Why bother? So that unprivileged code can't symlink to privileged files | |
720 | * making us believe we read something safe even though it isn't safe in the specific context we open it in. */ | |
721 | ||
722 | if (a->st_uid == 0) /* Transitioning from privileged to unprivileged is always fine */ | |
b85ee2ec | 723 | return false; |
f14f1806 | 724 | |
b85ee2ec | 725 | return a->st_uid != b->st_uid; /* Otherwise we need to stay within the same UID */ |
f14f1806 LP |
726 | } |
727 | ||
fd74c6f3 FB |
728 | static int log_unsafe_transition(int a, int b, const char *path, unsigned flags) { |
729 | _cleanup_free_ char *n1 = NULL, *n2 = NULL; | |
730 | ||
731 | if (!FLAGS_SET(flags, CHASE_WARN)) | |
36c97dec | 732 | return -ENOLINK; |
fd74c6f3 FB |
733 | |
734 | (void) fd_get_path(a, &n1); | |
735 | (void) fd_get_path(b, &n2); | |
736 | ||
36c97dec | 737 | return log_warning_errno(SYNTHETIC_ERRNO(ENOLINK), |
fd74c6f3 | 738 | "Detected unsafe path transition %s %s %s during canonicalization of %s.", |
9a6f746f | 739 | n1, special_glyph(SPECIAL_GLYPH_ARROW), n2, path); |
fd74c6f3 FB |
740 | } |
741 | ||
145b8d0f FB |
742 | static int log_autofs_mount_point(int fd, const char *path, unsigned flags) { |
743 | _cleanup_free_ char *n1 = NULL; | |
744 | ||
745 | if (!FLAGS_SET(flags, CHASE_WARN)) | |
746 | return -EREMOTE; | |
747 | ||
748 | (void) fd_get_path(fd, &n1); | |
749 | ||
750 | return log_warning_errno(SYNTHETIC_ERRNO(EREMOTE), | |
751 | "Detected autofs mount point %s during canonicalization of %s.", | |
752 | n1, path); | |
f14f1806 LP |
753 | } |
754 | ||
c4f4fce7 | 755 | int chase_symlinks(const char *path, const char *original_root, unsigned flags, char **ret) { |
d944dc95 LP |
756 | _cleanup_free_ char *buffer = NULL, *done = NULL, *root = NULL; |
757 | _cleanup_close_ int fd = -1; | |
f10f4215 | 758 | unsigned max_follow = CHASE_SYMLINKS_MAX; /* how many symlinks to follow before giving up and returning ELOOP */ |
f14f1806 | 759 | struct stat previous_stat; |
a9fb0867 | 760 | bool exists = true; |
d944dc95 LP |
761 | char *todo; |
762 | int r; | |
763 | ||
764 | assert(path); | |
765 | ||
1ed34d75 | 766 | /* Either the file may be missing, or we return an fd to the final object, but both make no sense */ |
d94a24ca | 767 | if (FLAGS_SET(flags, CHASE_NONEXISTENT | CHASE_OPEN)) |
1ed34d75 LP |
768 | return -EINVAL; |
769 | ||
d94a24ca | 770 | if (FLAGS_SET(flags, CHASE_STEP | CHASE_OPEN)) |
49eb3659 LP |
771 | return -EINVAL; |
772 | ||
a49424af LP |
773 | if (isempty(path)) |
774 | return -EINVAL; | |
775 | ||
d944dc95 LP |
776 | /* This is a lot like canonicalize_file_name(), but takes an additional "root" parameter, that allows following |
777 | * symlinks relative to a root directory, instead of the root of the host. | |
778 | * | |
fc4b68e5 | 779 | * Note that "root" primarily matters if we encounter an absolute symlink. It is also used when following |
c4f4fce7 LP |
780 | * relative symlinks to ensure they cannot be used to "escape" the root directory. The path parameter passed is |
781 | * assumed to be already prefixed by it, except if the CHASE_PREFIX_ROOT flag is set, in which case it is first | |
782 | * prefixed accordingly. | |
d944dc95 LP |
783 | * |
784 | * Algorithmically this operates on two path buffers: "done" are the components of the path we already | |
785 | * processed and resolved symlinks, "." and ".." of. "todo" are the components of the path we still need to | |
786 | * process. On each iteration, we move one component from "todo" to "done", processing it's special meaning | |
787 | * each time. The "todo" path always starts with at least one slash, the "done" path always ends in no | |
788 | * slash. We always keep an O_PATH fd to the component we are currently processing, thus keeping lookup races | |
fc4b68e5 LP |
789 | * at a minimum. |
790 | * | |
791 | * Suggested usage: whenever you want to canonicalize a path, use this function. Pass the absolute path you got | |
792 | * as-is: fully qualified and relative to your host's root. Optionally, specify the root parameter to tell this | |
793 | * function what to do when encountering a symlink with an absolute path as directory: prefix it by the | |
49eb3659 LP |
794 | * specified path. |
795 | * | |
796 | * There are three ways to invoke this function: | |
797 | * | |
798 | * 1. Without CHASE_STEP or CHASE_OPEN: in this case the path is resolved and the normalized path is returned | |
799 | * in `ret`. The return value is < 0 on error. If CHASE_NONEXISTENT is also set 0 is returned if the file | |
800 | * doesn't exist, > 0 otherwise. If CHASE_NONEXISTENT is not set >= 0 is returned if the destination was | |
801 | * found, -ENOENT if it doesn't. | |
802 | * | |
803 | * 2. With CHASE_OPEN: in this case the destination is opened after chasing it as O_PATH and this file | |
804 | * descriptor is returned as return value. This is useful to open files relative to some root | |
805 | * directory. Note that the returned O_PATH file descriptors must be converted into a regular one (using | |
806 | * fd_reopen() or such) before it can be used for reading/writing. CHASE_OPEN may not be combined with | |
807 | * CHASE_NONEXISTENT. | |
808 | * | |
809 | * 3. With CHASE_STEP: in this case only a single step of the normalization is executed, i.e. only the first | |
810 | * symlink or ".." component of the path is resolved, and the resulting path is returned. This is useful if | |
811 | * a caller wants to trace the a path through the file system verbosely. Returns < 0 on error, > 0 if the | |
812 | * path is fully normalized, and == 0 for each normalization step. This may be combined with | |
813 | * CHASE_NONEXISTENT, in which case 1 is returned when a component is not found. | |
814 | * | |
36c97dec FB |
815 | * 4. With CHASE_SAFE: in this case the path must not contain unsafe transitions, i.e. transitions from |
816 | * unprivileged to privileged files or directories. In such cases the return value is -ENOLINK. If | |
817 | * CHASE_WARN is also set a warning describing the unsafe transition is emitted. | |
818 | * | |
145b8d0f FB |
819 | * 5. With CHASE_NO_AUTOFS: in this case if an autofs mount point is encountered, the path normalization is |
820 | * aborted and -EREMOTE is returned. If CHASE_WARN is also set a warning showing the path of the mount point | |
821 | * is emitted. | |
822 | * | |
49eb3659 | 823 | * */ |
d944dc95 | 824 | |
22bc57c5 | 825 | /* A root directory of "/" or "" is identical to none */ |
57ea45e1 | 826 | if (empty_or_root(original_root)) |
22bc57c5 | 827 | original_root = NULL; |
b1bfb848 | 828 | |
49eb3659 | 829 | if (!original_root && !ret && (flags & (CHASE_NONEXISTENT|CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_OPEN|CHASE_STEP)) == CHASE_OPEN) { |
244d2f07 LP |
830 | /* Shortcut the CHASE_OPEN case if the caller isn't interested in the actual path and has no root set |
831 | * and doesn't care about any of the other special features we provide either. */ | |
1f56e4ce | 832 | r = open(path, O_PATH|O_CLOEXEC|((flags & CHASE_NOFOLLOW) ? O_NOFOLLOW : 0)); |
244d2f07 LP |
833 | if (r < 0) |
834 | return -errno; | |
835 | ||
836 | return r; | |
837 | } | |
838 | ||
c4f4fce7 LP |
839 | if (original_root) { |
840 | r = path_make_absolute_cwd(original_root, &root); | |
d944dc95 LP |
841 | if (r < 0) |
842 | return r; | |
c4f4fce7 | 843 | |
382a5078 LP |
844 | if (flags & CHASE_PREFIX_ROOT) { |
845 | ||
846 | /* We don't support relative paths in combination with a root directory */ | |
847 | if (!path_is_absolute(path)) | |
848 | return -EINVAL; | |
849 | ||
c4f4fce7 | 850 | path = prefix_roota(root, path); |
382a5078 | 851 | } |
d944dc95 LP |
852 | } |
853 | ||
c4f4fce7 LP |
854 | r = path_make_absolute_cwd(path, &buffer); |
855 | if (r < 0) | |
856 | return r; | |
857 | ||
d944dc95 LP |
858 | fd = open("/", O_CLOEXEC|O_NOFOLLOW|O_PATH); |
859 | if (fd < 0) | |
860 | return -errno; | |
861 | ||
f14f1806 LP |
862 | if (flags & CHASE_SAFE) { |
863 | if (fstat(fd, &previous_stat) < 0) | |
864 | return -errno; | |
865 | } | |
866 | ||
d944dc95 LP |
867 | todo = buffer; |
868 | for (;;) { | |
869 | _cleanup_free_ char *first = NULL; | |
870 | _cleanup_close_ int child = -1; | |
871 | struct stat st; | |
872 | size_t n, m; | |
873 | ||
874 | /* Determine length of first component in the path */ | |
875 | n = strspn(todo, "/"); /* The slashes */ | |
876 | m = n + strcspn(todo + n, "/"); /* The entire length of the component */ | |
877 | ||
878 | /* Extract the first component. */ | |
879 | first = strndup(todo, m); | |
880 | if (!first) | |
881 | return -ENOMEM; | |
882 | ||
883 | todo += m; | |
884 | ||
b12d25a8 ZJS |
885 | /* Empty? Then we reached the end. */ |
886 | if (isempty(first)) | |
887 | break; | |
888 | ||
d944dc95 | 889 | /* Just a single slash? Then we reached the end. */ |
b12d25a8 ZJS |
890 | if (path_equal(first, "/")) { |
891 | /* Preserve the trailing slash */ | |
62570f6f LP |
892 | |
893 | if (flags & CHASE_TRAIL_SLASH) | |
894 | if (!strextend(&done, "/", NULL)) | |
895 | return -ENOMEM; | |
b12d25a8 | 896 | |
d944dc95 | 897 | break; |
b12d25a8 | 898 | } |
d944dc95 LP |
899 | |
900 | /* Just a dot? Then let's eat this up. */ | |
901 | if (path_equal(first, "/.")) | |
902 | continue; | |
903 | ||
904 | /* Two dots? Then chop off the last bit of what we already found out. */ | |
905 | if (path_equal(first, "/..")) { | |
906 | _cleanup_free_ char *parent = NULL; | |
2b6d2dda | 907 | _cleanup_close_ int fd_parent = -1; |
d944dc95 | 908 | |
a4eaf3cf LP |
909 | /* If we already are at the top, then going up will not change anything. This is in-line with |
910 | * how the kernel handles this. */ | |
57ea45e1 | 911 | if (empty_or_root(done)) |
a4eaf3cf | 912 | continue; |
d944dc95 LP |
913 | |
914 | parent = dirname_malloc(done); | |
915 | if (!parent) | |
916 | return -ENOMEM; | |
917 | ||
a4eaf3cf | 918 | /* Don't allow this to leave the root dir. */ |
d944dc95 LP |
919 | if (root && |
920 | path_startswith(done, root) && | |
921 | !path_startswith(parent, root)) | |
a4eaf3cf | 922 | continue; |
d944dc95 | 923 | |
3b319885 | 924 | free_and_replace(done, parent); |
d944dc95 | 925 | |
49eb3659 LP |
926 | if (flags & CHASE_STEP) |
927 | goto chased_one; | |
928 | ||
d944dc95 LP |
929 | fd_parent = openat(fd, "..", O_CLOEXEC|O_NOFOLLOW|O_PATH); |
930 | if (fd_parent < 0) | |
931 | return -errno; | |
932 | ||
f14f1806 LP |
933 | if (flags & CHASE_SAFE) { |
934 | if (fstat(fd_parent, &st) < 0) | |
935 | return -errno; | |
936 | ||
b85ee2ec | 937 | if (unsafe_transition(&previous_stat, &st)) |
fd74c6f3 | 938 | return log_unsafe_transition(fd, fd_parent, path, flags); |
f14f1806 LP |
939 | |
940 | previous_stat = st; | |
941 | } | |
942 | ||
d944dc95 | 943 | safe_close(fd); |
c10d6bdb | 944 | fd = TAKE_FD(fd_parent); |
d944dc95 LP |
945 | |
946 | continue; | |
947 | } | |
948 | ||
949 | /* Otherwise let's see what this is. */ | |
950 | child = openat(fd, first + n, O_CLOEXEC|O_NOFOLLOW|O_PATH); | |
a9fb0867 LP |
951 | if (child < 0) { |
952 | ||
953 | if (errno == ENOENT && | |
cb638b5e | 954 | (flags & CHASE_NONEXISTENT) && |
99be45a4 | 955 | (isempty(todo) || path_is_normalized(todo))) { |
a9fb0867 | 956 | |
cb638b5e | 957 | /* If CHASE_NONEXISTENT is set, and the path does not exist, then that's OK, return |
a9fb0867 LP |
958 | * what we got so far. But don't allow this if the remaining path contains "../ or "./" |
959 | * or something else weird. */ | |
960 | ||
a1904a46 YW |
961 | /* If done is "/", as first also contains slash at the head, then remove this redundant slash. */ |
962 | if (streq_ptr(done, "/")) | |
963 | *done = '\0'; | |
964 | ||
a9fb0867 LP |
965 | if (!strextend(&done, first, todo, NULL)) |
966 | return -ENOMEM; | |
967 | ||
968 | exists = false; | |
969 | break; | |
970 | } | |
971 | ||
d944dc95 | 972 | return -errno; |
a9fb0867 | 973 | } |
d944dc95 LP |
974 | |
975 | if (fstat(child, &st) < 0) | |
976 | return -errno; | |
f14f1806 | 977 | if ((flags & CHASE_SAFE) && |
cc14a6c0 | 978 | (empty_or_root(root) || (size_t)(todo - buffer) > strlen(root)) && |
b85ee2ec | 979 | unsafe_transition(&previous_stat, &st)) |
fd74c6f3 | 980 | return log_unsafe_transition(fd, child, path, flags); |
f14f1806 LP |
981 | |
982 | previous_stat = st; | |
983 | ||
655f2da0 | 984 | if ((flags & CHASE_NO_AUTOFS) && |
a66fee2e | 985 | fd_is_fs_type(child, AUTOFS_SUPER_MAGIC) > 0) |
145b8d0f | 986 | return log_autofs_mount_point(child, path, flags); |
d944dc95 | 987 | |
1f56e4ce | 988 | if (S_ISLNK(st.st_mode) && !((flags & CHASE_NOFOLLOW) && isempty(todo))) { |
877777d7 CCW |
989 | char *joined; |
990 | ||
d944dc95 LP |
991 | _cleanup_free_ char *destination = NULL; |
992 | ||
993 | /* This is a symlink, in this case read the destination. But let's make sure we don't follow | |
994 | * symlinks without bounds. */ | |
995 | if (--max_follow <= 0) | |
996 | return -ELOOP; | |
997 | ||
998 | r = readlinkat_malloc(fd, first + n, &destination); | |
999 | if (r < 0) | |
1000 | return r; | |
1001 | if (isempty(destination)) | |
1002 | return -EINVAL; | |
1003 | ||
1004 | if (path_is_absolute(destination)) { | |
1005 | ||
1006 | /* An absolute destination. Start the loop from the beginning, but use the root | |
1007 | * directory as base. */ | |
1008 | ||
1009 | safe_close(fd); | |
1010 | fd = open(root ?: "/", O_CLOEXEC|O_NOFOLLOW|O_PATH); | |
1011 | if (fd < 0) | |
1012 | return -errno; | |
1013 | ||
f14f1806 LP |
1014 | if (flags & CHASE_SAFE) { |
1015 | if (fstat(fd, &st) < 0) | |
1016 | return -errno; | |
1017 | ||
b85ee2ec | 1018 | if (unsafe_transition(&previous_stat, &st)) |
fd74c6f3 | 1019 | return log_unsafe_transition(child, fd, path, flags); |
f14f1806 LP |
1020 | |
1021 | previous_stat = st; | |
1022 | } | |
1023 | ||
b539437a YW |
1024 | free(done); |
1025 | ||
d944dc95 LP |
1026 | /* Note that we do not revalidate the root, we take it as is. */ |
1027 | if (isempty(root)) | |
1028 | done = NULL; | |
1029 | else { | |
1030 | done = strdup(root); | |
1031 | if (!done) | |
1032 | return -ENOMEM; | |
1033 | } | |
1034 | ||
8c4a8ea2 LP |
1035 | /* Prefix what's left to do with what we just read, and start the loop again, but |
1036 | * remain in the current directory. */ | |
1037 | joined = strjoin(destination, todo); | |
1038 | } else | |
1039 | joined = strjoin("/", destination, todo); | |
877777d7 CCW |
1040 | if (!joined) |
1041 | return -ENOMEM; | |
d944dc95 | 1042 | |
877777d7 CCW |
1043 | free(buffer); |
1044 | todo = buffer = joined; | |
d944dc95 | 1045 | |
49eb3659 LP |
1046 | if (flags & CHASE_STEP) |
1047 | goto chased_one; | |
1048 | ||
d944dc95 LP |
1049 | continue; |
1050 | } | |
1051 | ||
1052 | /* If this is not a symlink, then let's just add the name we read to what we already verified. */ | |
ae2a15bc LP |
1053 | if (!done) |
1054 | done = TAKE_PTR(first); | |
1055 | else { | |
a1904a46 YW |
1056 | /* If done is "/", as first also contains slash at the head, then remove this redundant slash. */ |
1057 | if (streq(done, "/")) | |
1058 | *done = '\0'; | |
1059 | ||
d944dc95 LP |
1060 | if (!strextend(&done, first, NULL)) |
1061 | return -ENOMEM; | |
1062 | } | |
1063 | ||
1064 | /* And iterate again, but go one directory further down. */ | |
1065 | safe_close(fd); | |
c10d6bdb | 1066 | fd = TAKE_FD(child); |
d944dc95 LP |
1067 | } |
1068 | ||
1069 | if (!done) { | |
1070 | /* Special case, turn the empty string into "/", to indicate the root directory. */ | |
1071 | done = strdup("/"); | |
1072 | if (!done) | |
1073 | return -ENOMEM; | |
1074 | } | |
1075 | ||
ae2a15bc LP |
1076 | if (ret) |
1077 | *ret = TAKE_PTR(done); | |
d944dc95 | 1078 | |
1ed34d75 | 1079 | if (flags & CHASE_OPEN) { |
1ed34d75 LP |
1080 | /* Return the O_PATH fd we currently are looking to the caller. It can translate it to a proper fd by |
1081 | * opening /proc/self/fd/xyz. */ | |
1082 | ||
1083 | assert(fd >= 0); | |
c10d6bdb | 1084 | return TAKE_FD(fd); |
1ed34d75 LP |
1085 | } |
1086 | ||
49eb3659 LP |
1087 | if (flags & CHASE_STEP) |
1088 | return 1; | |
1089 | ||
a9fb0867 | 1090 | return exists; |
49eb3659 LP |
1091 | |
1092 | chased_one: | |
49eb3659 LP |
1093 | if (ret) { |
1094 | char *c; | |
1095 | ||
027cc9c9 ZJS |
1096 | c = strjoin(strempty(done), todo); |
1097 | if (!c) | |
1098 | return -ENOMEM; | |
49eb3659 LP |
1099 | |
1100 | *ret = c; | |
1101 | } | |
1102 | ||
1103 | return 0; | |
d944dc95 | 1104 | } |
57a4359e | 1105 | |
21c692e9 LP |
1106 | int chase_symlinks_and_open( |
1107 | const char *path, | |
1108 | const char *root, | |
1109 | unsigned chase_flags, | |
1110 | int open_flags, | |
1111 | char **ret_path) { | |
1112 | ||
1113 | _cleanup_close_ int path_fd = -1; | |
1114 | _cleanup_free_ char *p = NULL; | |
1115 | int r; | |
1116 | ||
1117 | if (chase_flags & CHASE_NONEXISTENT) | |
1118 | return -EINVAL; | |
1119 | ||
57ea45e1 | 1120 | if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) { |
21c692e9 LP |
1121 | /* Shortcut this call if none of the special features of this call are requested */ |
1122 | r = open(path, open_flags); | |
1123 | if (r < 0) | |
1124 | return -errno; | |
1125 | ||
1126 | return r; | |
1127 | } | |
1128 | ||
1129 | path_fd = chase_symlinks(path, root, chase_flags|CHASE_OPEN, ret_path ? &p : NULL); | |
1130 | if (path_fd < 0) | |
1131 | return path_fd; | |
1132 | ||
1133 | r = fd_reopen(path_fd, open_flags); | |
1134 | if (r < 0) | |
1135 | return r; | |
1136 | ||
1137 | if (ret_path) | |
1138 | *ret_path = TAKE_PTR(p); | |
1139 | ||
1140 | return r; | |
1141 | } | |
1142 | ||
1143 | int chase_symlinks_and_opendir( | |
1144 | const char *path, | |
1145 | const char *root, | |
1146 | unsigned chase_flags, | |
1147 | char **ret_path, | |
1148 | DIR **ret_dir) { | |
1149 | ||
1150 | char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)]; | |
1151 | _cleanup_close_ int path_fd = -1; | |
1152 | _cleanup_free_ char *p = NULL; | |
1153 | DIR *d; | |
1154 | ||
1155 | if (!ret_dir) | |
1156 | return -EINVAL; | |
1157 | if (chase_flags & CHASE_NONEXISTENT) | |
1158 | return -EINVAL; | |
1159 | ||
57ea45e1 | 1160 | if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) { |
21c692e9 LP |
1161 | /* Shortcut this call if none of the special features of this call are requested */ |
1162 | d = opendir(path); | |
1163 | if (!d) | |
1164 | return -errno; | |
1165 | ||
1166 | *ret_dir = d; | |
1167 | return 0; | |
1168 | } | |
1169 | ||
1170 | path_fd = chase_symlinks(path, root, chase_flags|CHASE_OPEN, ret_path ? &p : NULL); | |
1171 | if (path_fd < 0) | |
1172 | return path_fd; | |
1173 | ||
1174 | xsprintf(procfs_path, "/proc/self/fd/%i", path_fd); | |
1175 | d = opendir(procfs_path); | |
1176 | if (!d) | |
1177 | return -errno; | |
1178 | ||
1179 | if (ret_path) | |
1180 | *ret_path = TAKE_PTR(p); | |
1181 | ||
1182 | *ret_dir = d; | |
1183 | return 0; | |
1184 | } | |
1185 | ||
d2bcd0ba LP |
1186 | int chase_symlinks_and_stat( |
1187 | const char *path, | |
1188 | const char *root, | |
1189 | unsigned chase_flags, | |
1190 | char **ret_path, | |
1191 | struct stat *ret_stat) { | |
1192 | ||
1193 | _cleanup_close_ int path_fd = -1; | |
1194 | _cleanup_free_ char *p = NULL; | |
1195 | ||
1196 | assert(path); | |
1197 | assert(ret_stat); | |
1198 | ||
1199 | if (chase_flags & CHASE_NONEXISTENT) | |
1200 | return -EINVAL; | |
1201 | ||
1202 | if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) { | |
1203 | /* Shortcut this call if none of the special features of this call are requested */ | |
1204 | if (stat(path, ret_stat) < 0) | |
1205 | return -errno; | |
1206 | ||
1207 | return 1; | |
1208 | } | |
1209 | ||
1210 | path_fd = chase_symlinks(path, root, chase_flags|CHASE_OPEN, ret_path ? &p : NULL); | |
1211 | if (path_fd < 0) | |
1212 | return path_fd; | |
1213 | ||
1214 | if (fstat(path_fd, ret_stat) < 0) | |
1215 | return -errno; | |
1216 | ||
1217 | if (ret_path) | |
1218 | *ret_path = TAKE_PTR(p); | |
1219 | ||
1220 | if (chase_flags & CHASE_OPEN) | |
1221 | return TAKE_FD(path_fd); | |
1222 | ||
1223 | return 1; | |
1224 | } | |
1225 | ||
57a4359e | 1226 | int access_fd(int fd, int mode) { |
fbd0b64f | 1227 | char p[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(fd) + 1]; |
57a4359e LP |
1228 | int r; |
1229 | ||
1230 | /* Like access() but operates on an already open fd */ | |
1231 | ||
1232 | xsprintf(p, "/proc/self/fd/%i", fd); | |
57a4359e LP |
1233 | r = access(p, mode); |
1234 | if (r < 0) | |
21c692e9 | 1235 | return -errno; |
57a4359e LP |
1236 | |
1237 | return r; | |
1238 | } | |
43767d9d | 1239 | |
627d2bac ZJS |
1240 | void unlink_tempfilep(char (*p)[]) { |
1241 | /* If the file is created with mkstemp(), it will (almost always) | |
1242 | * change the suffix. Treat this as a sign that the file was | |
1243 | * successfully created. We ignore both the rare case where the | |
1244 | * original suffix is used and unlink failures. */ | |
1245 | if (!endswith(*p, ".XXXXXX")) | |
69821560 | 1246 | (void) unlink_noerrno(*p); |
627d2bac ZJS |
1247 | } |
1248 | ||
43767d9d LP |
1249 | int unlinkat_deallocate(int fd, const char *name, int flags) { |
1250 | _cleanup_close_ int truncate_fd = -1; | |
1251 | struct stat st; | |
1252 | off_t l, bs; | |
1253 | ||
1254 | /* Operates like unlinkat() but also deallocates the file contents if it is a regular file and there's no other | |
1255 | * link to it. This is useful to ensure that other processes that might have the file open for reading won't be | |
1256 | * able to keep the data pinned on disk forever. This call is particular useful whenever we execute clean-up | |
1257 | * jobs ("vacuuming"), where we want to make sure the data is really gone and the disk space released and | |
1258 | * returned to the free pool. | |
1259 | * | |
1260 | * Deallocation is preferably done by FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE (👊) if supported, which means | |
1261 | * the file won't change size. That's a good thing since we shouldn't needlessly trigger SIGBUS in other | |
1262 | * programs that have mmap()ed the file. (The assumption here is that changing file contents to all zeroes | |
1263 | * underneath those programs is the better choice than simply triggering SIGBUS in them which truncation does.) | |
1264 | * However if hole punching is not implemented in the kernel or file system we'll fall back to normal file | |
1265 | * truncation (🔪), as our goal of deallocating the data space trumps our goal of being nice to readers (💐). | |
1266 | * | |
1267 | * Note that we attempt deallocation, but failure to succeed with that is not considered fatal, as long as the | |
1268 | * primary job – to delete the file – is accomplished. */ | |
1269 | ||
1270 | if ((flags & AT_REMOVEDIR) == 0) { | |
1271 | truncate_fd = openat(fd, name, O_WRONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|O_NONBLOCK); | |
1272 | if (truncate_fd < 0) { | |
1273 | ||
1274 | /* If this failed because the file doesn't exist propagate the error right-away. Also, | |
1275 | * AT_REMOVEDIR wasn't set, and we tried to open the file for writing, which means EISDIR is | |
1276 | * returned when this is a directory but we are not supposed to delete those, hence propagate | |
1277 | * the error right-away too. */ | |
1278 | if (IN_SET(errno, ENOENT, EISDIR)) | |
1279 | return -errno; | |
1280 | ||
1281 | if (errno != ELOOP) /* don't complain if this is a symlink */ | |
1282 | log_debug_errno(errno, "Failed to open file '%s' for deallocation, ignoring: %m", name); | |
1283 | } | |
1284 | } | |
1285 | ||
1286 | if (unlinkat(fd, name, flags) < 0) | |
1287 | return -errno; | |
1288 | ||
1289 | if (truncate_fd < 0) /* Don't have a file handle, can't do more ☹️ */ | |
1290 | return 0; | |
1291 | ||
1292 | if (fstat(truncate_fd, &st) < 0) { | |
011723a4 | 1293 | log_debug_errno(errno, "Failed to stat file '%s' for deallocation, ignoring: %m", name); |
43767d9d LP |
1294 | return 0; |
1295 | } | |
1296 | ||
1297 | if (!S_ISREG(st.st_mode) || st.st_blocks == 0 || st.st_nlink > 0) | |
1298 | return 0; | |
1299 | ||
1300 | /* If this is a regular file, it actually took up space on disk and there are no other links it's time to | |
1301 | * punch-hole/truncate this to release the disk space. */ | |
1302 | ||
1303 | bs = MAX(st.st_blksize, 512); | |
1304 | l = DIV_ROUND_UP(st.st_size, bs) * bs; /* Round up to next block size */ | |
1305 | ||
1306 | if (fallocate(truncate_fd, FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE, 0, l) >= 0) | |
1307 | return 0; /* Successfully punched a hole! 😊 */ | |
1308 | ||
1309 | /* Fall back to truncation */ | |
1310 | if (ftruncate(truncate_fd, 0) < 0) { | |
1311 | log_debug_errno(errno, "Failed to truncate file to 0, ignoring: %m"); | |
1312 | return 0; | |
1313 | } | |
1314 | ||
1315 | return 0; | |
1316 | } | |
11b29a96 LP |
1317 | |
1318 | int fsync_directory_of_file(int fd) { | |
0c462ea4 | 1319 | _cleanup_free_ char *path = NULL; |
11b29a96 LP |
1320 | _cleanup_close_ int dfd = -1; |
1321 | int r; | |
1322 | ||
1323 | r = fd_verify_regular(fd); | |
1324 | if (r < 0) | |
1325 | return r; | |
1326 | ||
1327 | r = fd_get_path(fd, &path); | |
3ceae1bc | 1328 | if (r < 0) { |
b8b846d7 LP |
1329 | log_debug_errno(r, "Failed to query /proc/self/fd/%d%s: %m", |
1330 | fd, | |
1331 | r == -EOPNOTSUPP ? ", ignoring" : ""); | |
3ceae1bc ZJS |
1332 | |
1333 | if (r == -EOPNOTSUPP) | |
1334 | /* If /proc is not available, we're most likely running in some | |
1335 | * chroot environment, and syncing the directory is not very | |
1336 | * important in that case. Let's just silently do nothing. */ | |
1337 | return 0; | |
1338 | ||
11b29a96 | 1339 | return r; |
3ceae1bc | 1340 | } |
11b29a96 LP |
1341 | |
1342 | if (!path_is_absolute(path)) | |
1343 | return -EINVAL; | |
1344 | ||
0c462ea4 | 1345 | dfd = open_parent(path, O_CLOEXEC, 0); |
11b29a96 | 1346 | if (dfd < 0) |
0c462ea4 | 1347 | return dfd; |
11b29a96 LP |
1348 | |
1349 | if (fsync(dfd) < 0) | |
1350 | return -errno; | |
1351 | ||
1352 | return 0; | |
1353 | } | |
ef8becfa | 1354 | |
36695e88 LP |
1355 | int fsync_path_at(int at_fd, const char *path) { |
1356 | _cleanup_close_ int opened_fd = -1; | |
1357 | int fd; | |
1358 | ||
1359 | if (isempty(path)) { | |
1360 | if (at_fd == AT_FDCWD) { | |
1361 | opened_fd = open(".", O_RDONLY|O_DIRECTORY|O_CLOEXEC); | |
1362 | if (opened_fd < 0) | |
1363 | return -errno; | |
1364 | ||
1365 | fd = opened_fd; | |
1366 | } else | |
1367 | fd = at_fd; | |
1368 | } else { | |
1369 | ||
1370 | opened_fd = openat(at_fd, path, O_RDONLY|O_CLOEXEC); | |
1371 | if (opened_fd < 0) | |
1372 | return -errno; | |
1373 | ||
1374 | fd = opened_fd; | |
1375 | } | |
1376 | ||
1377 | if (fsync(fd) < 0) | |
1378 | return -errno; | |
1379 | ||
1380 | return 0; | |
1381 | } | |
1382 | ||
71f51416 LP |
1383 | int syncfs_path(int atfd, const char *path) { |
1384 | _cleanup_close_ int fd = -1; | |
1385 | ||
1386 | assert(path); | |
1387 | ||
1388 | fd = openat(atfd, path, O_CLOEXEC|O_RDONLY|O_NONBLOCK); | |
1389 | if (fd < 0) | |
1390 | return -errno; | |
1391 | ||
1392 | if (syncfs(fd) < 0) | |
1393 | return -errno; | |
1394 | ||
1395 | return 0; | |
1396 | } | |
1397 | ||
ef8becfa LP |
1398 | int open_parent(const char *path, int flags, mode_t mode) { |
1399 | _cleanup_free_ char *parent = NULL; | |
1400 | int fd; | |
1401 | ||
1402 | if (isempty(path)) | |
1403 | return -EINVAL; | |
1404 | if (path_equal(path, "/")) /* requesting the parent of the root dir is fishy, let's prohibit that */ | |
1405 | return -EINVAL; | |
1406 | ||
1407 | parent = dirname_malloc(path); | |
1408 | if (!parent) | |
1409 | return -ENOMEM; | |
1410 | ||
1411 | /* Let's insist on O_DIRECTORY since the parent of a file or directory is a directory. Except if we open an | |
1412 | * O_TMPFILE file, because in that case we are actually create a regular file below the parent directory. */ | |
1413 | ||
1414 | if ((flags & O_PATH) == O_PATH) | |
1415 | flags |= O_DIRECTORY; | |
1416 | else if ((flags & O_TMPFILE) != O_TMPFILE) | |
1417 | flags |= O_DIRECTORY|O_RDONLY; | |
1418 | ||
1419 | fd = open(parent, flags, mode); | |
1420 | if (fd < 0) | |
1421 | return -errno; | |
1422 | ||
1423 | return fd; | |
1424 | } |