]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/basic/fs-util.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
fs-util: suppress world-writable warnings if we read /dev/null
[thirdparty/systemd.git] / src / basic / fs-util.c
CommitLineData
53e1b683 1/* SPDX-License-Identifier: LGPL-2.1+ */
f4f15635 2
11c3a366
TA		 3#include <errno.h>
4#include <stddef.h>
5#include <stdio.h>
6#include <stdlib.h>
7#include <string.h>
8#include <sys/stat.h>
1c73b069 9#include <linux/falloc.h>
655f2da0 10#include <linux/magic.h>
11c3a366
TA		 11#include <time.h>
12#include <unistd.h>
13
b5efdb8a 14#include "alloc-util.h"
f4f15635
LP		 15#include "dirent-util.h"
16#include "fd-util.h"
f4f15635 17#include "fs-util.h"
fd74c6f3 18#include "locale-util.h"
11c3a366
TA		 19#include "log.h"
20#include "macro.h"
21#include "missing.h"
93cc7779
TA		 22#include "mkdir.h"
23#include "parse-util.h"
24#include "path-util.h"
dccca82b 25#include "process-util.h"
34a8f081 26#include "stat-util.h"
430fbf8e 27#include "stdio-util.h"
f4f15635
LP		 28#include "string-util.h"
29#include "strv.h"
93cc7779 30#include "time-util.h"
e4de7287 31#include "tmpfile-util.h"
ee104e11 32#include "user-util.h"
f4f15635
LP		 33#include "util.h"
34
35int unlink_noerrno(const char *path) {
36 PROTECT_ERRNO;
37 int r;
38
39 r = unlink(path);
40 if (r < 0)
41 return -errno;
42
43 return 0;
44}
45
46int rmdir_parents(const char *path, const char *stop) {
47 size_t l;
48 int r = 0;
49
50 assert(path);
51 assert(stop);
52
53 l = strlen(path);
54
55 /* Skip trailing slashes */
56 while (l > 0 && path[l-1] == '/')
57 l--;
58
59 while (l > 0) {
60 char *t;
61
62 /* Skip last component */
63 while (l > 0 && path[l-1] != '/')
64 l--;
65
66 /* Skip trailing slashes */
67 while (l > 0 && path[l-1] == '/')
68 l--;
69
70 if (l <= 0)
71 break;
72
73 t = strndup(path, l);
74 if (!t)
75 return -ENOMEM;
76
77 if (path_startswith(stop, t)) {
78 free(t);
79 return 0;
80 }
81
82 r = rmdir(t);
83 free(t);
84
85 if (r < 0)
86 if (errno != ENOENT)
87 return -errno;
88 }
89
90 return 0;
91}
92
f4f15635 93int rename_noreplace(int olddirfd, const char *oldpath, int newdirfd, const char *newpath) {
2f15b625 94 int r;
f4f15635 95
2f15b625
LP		 96 /* Try the ideal approach first */
97 if (renameat2(olddirfd, oldpath, newdirfd, newpath, RENAME_NOREPLACE) >= 0)
f4f15635
LP		 98 return 0;
99
2f15b625
LP		 100 /* renameat2() exists since Linux 3.15, btrfs and FAT added support for it later. If it is not implemented,
101 * fall back to a different method. */
102 if (!IN_SET(errno, EINVAL, ENOSYS, ENOTTY))
f4f15635
LP		 103 return -errno;
104
2f15b625
LP		 105 /* Let's try to use linkat()+unlinkat() as fallback. This doesn't work on directories and on some file systems
106 * that do not support hard links (such as FAT, most prominently), but for files it's pretty close to what we
107 * want — though not atomic (i.e. for a short period both the new and the old filename will exist). */
108 if (linkat(olddirfd, oldpath, newdirfd, newpath, 0) >= 0) {
109
110 if (unlinkat(olddirfd, oldpath, 0) < 0) {
111 r = -errno; /* Backup errno before the following unlinkat() alters it */
112 (void) unlinkat(newdirfd, newpath, 0);
113 return r;
114 }
115
116 return 0;
f4f15635
LP		 117 }
118
2f15b625 119 if (!IN_SET(errno, EINVAL, ENOSYS, ENOTTY, EPERM)) /* FAT returns EPERM on link()… */
f4f15635
LP		 120 return -errno;
121
2f15b625
LP		 122 /* OK, neither RENAME_NOREPLACE nor linkat()+unlinkat() worked. Let's then fallback to the racy TOCTOU
123 * vulnerable accessat(F_OK) check followed by classic, replacing renameat(), we have nothing better. */
124
125 if (faccessat(newdirfd, newpath, F_OK, AT_SYMLINK_NOFOLLOW) >= 0)
126 return -EEXIST;
127 if (errno != ENOENT)
128 return -errno;
129
130 if (renameat(olddirfd, oldpath, newdirfd, newpath) < 0)
f4f15635 131 return -errno;
f4f15635
LP		 132
133 return 0;
134}
135
136int readlinkat_malloc(int fd, const char *p, char **ret) {
8e060ec2 137 size_t l = FILENAME_MAX+1;
f4f15635
LP		 138 int r;
139
140 assert(p);
141 assert(ret);
142
143 for (;;) {
144 char *c;
145 ssize_t n;
146
147 c = new(char, l);
148 if (!c)
149 return -ENOMEM;
150
151 n = readlinkat(fd, p, c, l-1);
152 if (n < 0) {
153 r = -errno;
154 free(c);
155 return r;
156 }
157
158 if ((size_t) n < l-1) {
159 c[n] = 0;
160 *ret = c;
161 return 0;
162 }
163
164 free(c);
165 l *= 2;
166 }
167}
168
169int readlink_malloc(const char *p, char **ret) {
170 return readlinkat_malloc(AT_FDCWD, p, ret);
171}
172
173int readlink_value(const char *p, char **ret) {
174 _cleanup_free_ char *link = NULL;
175 char *value;
176 int r;
177
178 r = readlink_malloc(p, &link);
179 if (r < 0)
180 return r;
181
182 value = basename(link);
183 if (!value)
184 return -ENOENT;
185
186 value = strdup(value);
187 if (!value)
188 return -ENOMEM;
189
190 *ret = value;
191
192 return 0;
193}
194
195int readlink_and_make_absolute(const char *p, char **r) {
196 _cleanup_free_ char *target = NULL;
197 char *k;
198 int j;
199
200 assert(p);
201 assert(r);
202
203 j = readlink_malloc(p, &target);
204 if (j < 0)
205 return j;
206
207 k = file_in_same_dir(p, target);
208 if (!k)
209 return -ENOMEM;
210
211 *r = k;
212 return 0;
213}
214
f4f15635 215int chmod_and_chown(const char *path, mode_t mode, uid_t uid, gid_t gid) {
de321f52
LP		 216 char fd_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
217 _cleanup_close_ int fd = -1;
30ff18d8
LP		 218 bool st_valid = false;
219 struct stat st;
220 int r;
221
f4f15635
LP		 222 assert(path);
223
30ff18d8
LP		 224 /* Under the assumption that we are running privileged we first change the access mode and only then
225 * hand out ownership to avoid a window where access is too open. */
f4f15635 226
30ff18d8
LP		 227 fd = open(path, O_PATH|O_CLOEXEC|O_NOFOLLOW); /* Let's acquire an O_PATH fd, as precaution to change
228 * mode/owner on the same file */
de321f52
LP		 229 if (fd < 0)
230 return -errno;
231
232 xsprintf(fd_path, "/proc/self/fd/%i", fd);
233
234 if (mode != MODE_INVALID) {
de321f52 235 if ((mode & S_IFMT) != 0) {
de321f52
LP		 236
237 if (stat(fd_path, &st) < 0)
238 return -errno;
239
240 if ((mode & S_IFMT) != (st.st_mode & S_IFMT))
241 return -EINVAL;
30ff18d8
LP		 242
243 st_valid = true;
de321f52
LP		 244 }
245
30ff18d8
LP		 246 if (chmod(fd_path, mode & 07777) < 0) {
247 r = -errno;
248
249 if (!st_valid && stat(fd_path, &st) < 0)
250 return -errno;
251
252 if ((mode & 07777) != (st.st_mode & 07777))
253 return r;
254
255 st_valid = true;
256 }
de321f52 257 }
f4f15635 258
30ff18d8
LP		 259 if (uid != UID_INVALID || gid != GID_INVALID) {
260 if (chown(fd_path, uid, gid) < 0) {
261 r = -errno;
262
263 if (!st_valid && stat(fd_path, &st) < 0)
264 return -errno;
265
266 if (uid != UID_INVALID && st.st_uid != uid)
267 return r;
268 if (gid != GID_INVALID && st.st_gid != gid)
269 return r;
270 }
271 }
b8da477e
YW		 272
273 return 0;
274}
275
276int fchmod_and_chown(int fd, mode_t mode, uid_t uid, gid_t gid) {
30ff18d8
LP		 277 bool st_valid = false;
278 struct stat st;
279 int r;
280
de321f52 281 /* Under the assumption that we are running privileged we first change the access mode and only then hand out
b8da477e
YW		 282 * ownership to avoid a window where access is too open. */
283
de321f52 284 if (mode != MODE_INVALID) {
de321f52 285 if ((mode & S_IFMT) != 0) {
de321f52
LP		 286
287 if (fstat(fd, &st) < 0)
288 return -errno;
289
290 if ((mode & S_IFMT) != (st.st_mode & S_IFMT))
291 return -EINVAL;
30ff18d8
LP		 292
293 st_valid = true;
de321f52
LP		 294 }
295
30ff18d8
LP		 296 if (fchmod(fd, mode & 07777) < 0) {
297 r = -errno;
298
299 if (!st_valid && fstat(fd, &st) < 0)
300 return -errno;
301
302 if ((mode & 07777) != (st.st_mode & 07777))
303 return r;
304
305 st_valid = true;
306 }
de321f52 307 }
b8da477e
YW		 308
309 if (uid != UID_INVALID || gid != GID_INVALID)
30ff18d8
LP		 310 if (fchown(fd, uid, gid) < 0) {
311 r = -errno;
312
313 if (!st_valid && fstat(fd, &st) < 0)
314 return -errno;
315
316 if (uid != UID_INVALID && st.st_uid != uid)
317 return r;
318 if (gid != GID_INVALID && st.st_gid != gid)
319 return r;
320 }
f4f15635
LP		 321
322 return 0;
323}
324
f4f15635
LP		 325int fchmod_umask(int fd, mode_t m) {
326 mode_t u;
327 int r;
328
329 u = umask(0777);
330 r = fchmod(fd, m & (~u)) < 0 ? -errno : 0;
331 umask(u);
332
333 return r;
334}
335
4dfaa528 336int fchmod_opath(int fd, mode_t m) {
22dd8d35 337 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
4dfaa528
FB		 338
339 /* This function operates also on fd that might have been opened with
340 * O_PATH. Indeed fchmodat() doesn't have the AT_EMPTY_PATH flag like
341 * fchownat() does. */
342
343 xsprintf(procfs_path, "/proc/self/fd/%i", fd);
4dfaa528
FB		 344 if (chmod(procfs_path, m) < 0)
345 return -errno;
346
347 return 0;
348}
349
f4f15635
LP		 350int fd_warn_permissions(const char *path, int fd) {
351 struct stat st;
352
353 if (fstat(fd, &st) < 0)
354 return -errno;
355
b6cceaae
LP		 356 /* Don't complain if we are reading something that is not a file, for example /dev/null */
357 if (!S_ISREG(st.st_mode))
358 return 0;
359
f4f15635
LP		 360 if (st.st_mode & 0111)
361 log_warning("Configuration file %s is marked executable. Please remove executable permission bits. Proceeding anyway.", path);
362
363 if (st.st_mode & 0002)
364 log_warning("Configuration file %s is marked world-writable. Please remove world writability permission bits. Proceeding anyway.", path);
365
df0ff127 366 if (getpid_cached() == 1 && (st.st_mode & 0044) != 0044)
f4f15635
LP		 367 log_warning("Configuration file %s is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.", path);
368
369 return 0;
370}
371
372int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode) {
9e3fa6e8
LP		 373 char fdpath[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
374 _cleanup_close_ int fd = -1;
375 int r, ret = 0;
f4f15635
LP		 376
377 assert(path);
378
9e3fa6e8
LP		 379 /* Note that touch_file() does not follow symlinks: if invoked on an existing symlink, then it is the symlink
380 * itself which is updated, not its target
381 *
382 * Returns the first error we encounter, but tries to apply as much as possible. */
f4f15635 383
9e3fa6e8
LP		 384 if (parents)
385 (void) mkdir_parents(path, 0755);
386
387 /* Initially, we try to open the node with O_PATH, so that we get a reference to the node. This is useful in
388 * case the path refers to an existing device or socket node, as we can open it successfully in all cases, and
389 * won't trigger any driver magic or so. */
390 fd = open(path, O_PATH|O_CLOEXEC|O_NOFOLLOW);
391 if (fd < 0) {
392 if (errno != ENOENT)
f4f15635 393 return -errno;
f4f15635 394
9e3fa6e8
LP		 395 /* if the node doesn't exist yet, we create it, but with O_EXCL, so that we only create a regular file
396 * here, and nothing else */
397 fd = open(path, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, IN_SET(mode, 0, MODE_INVALID) ? 0644 : mode);
398 if (fd < 0)
f4f15635
LP		 399 return -errno;
400 }
401
9e3fa6e8
LP		 402 /* Let's make a path from the fd, and operate on that. With this logic, we can adjust the access mode,
403 * ownership and time of the file node in all cases, even if the fd refers to an O_PATH object — which is
404 * something fchown(), fchmod(), futimensat() don't allow. */
405 xsprintf(fdpath, "/proc/self/fd/%i", fd);
406
407 if (mode != MODE_INVALID)
408 if (chmod(fdpath, mode) < 0)
409 ret = -errno;
410
411 if (uid_is_valid(uid) || gid_is_valid(gid))
412 if (chown(fdpath, uid, gid) < 0 && ret >= 0)
413 ret = -errno;
414
f4f15635
LP		 415 if (stamp != USEC_INFINITY) {
416 struct timespec ts[2];
417
418 timespec_store(&ts[0], stamp);
419 ts[1] = ts[0];
9e3fa6e8 420 r = utimensat(AT_FDCWD, fdpath, ts, 0);
f4f15635 421 } else
9e3fa6e8
LP		 422 r = utimensat(AT_FDCWD, fdpath, NULL, 0);
423 if (r < 0 && ret >= 0)
f4f15635
LP		 424 return -errno;
425
9e3fa6e8 426 return ret;
f4f15635
LP		 427}
428
429int touch(const char *path) {
ee735086 430 return touch_file(path, false, USEC_INFINITY, UID_INVALID, GID_INVALID, MODE_INVALID);
f4f15635
LP		 431}
432
6c9c51e5
YW		 433int symlink_idempotent(const char *from, const char *to, bool make_relative) {
434 _cleanup_free_ char *relpath = NULL;
f4f15635
LP		 435 int r;
436
437 assert(from);
438 assert(to);
439
6c9c51e5
YW		 440 if (make_relative) {
441 _cleanup_free_ char *parent = NULL;
442
443 parent = dirname_malloc(to);
444 if (!parent)
445 return -ENOMEM;
446
447 r = path_make_relative(parent, from, &relpath);
448 if (r < 0)
449 return r;
450
451 from = relpath;
452 }
453
f4f15635 454 if (symlink(from, to) < 0) {
77b79723
LP		 455 _cleanup_free_ char *p = NULL;
456
f4f15635
LP		 457 if (errno != EEXIST)
458 return -errno;
459
460 r = readlink_malloc(to, &p);
77b79723
LP		 461 if (r == -EINVAL) /* Not a symlink? In that case return the original error we encountered: -EEXIST */
462 return -EEXIST;
463 if (r < 0) /* Any other error? In that case propagate it as is */
f4f15635
LP		 464 return r;
465
77b79723
LP		 466 if (!streq(p, from)) /* Not the symlink we want it to be? In that case, propagate the original -EEXIST */
467 return -EEXIST;
f4f15635
LP		 468 }
469
470 return 0;
471}
472
473int symlink_atomic(const char *from, const char *to) {
474 _cleanup_free_ char *t = NULL;
475 int r;
476
477 assert(from);
478 assert(to);
479
480 r = tempfn_random(to, NULL, &t);
481 if (r < 0)
482 return r;
483
484 if (symlink(from, t) < 0)
485 return -errno;
486
487 if (rename(t, to) < 0) {
488 unlink_noerrno(t);
489 return -errno;
490 }
491
492 return 0;
493}
494
495int mknod_atomic(const char *path, mode_t mode, dev_t dev) {
496 _cleanup_free_ char *t = NULL;
497 int r;
498
499 assert(path);
500
501 r = tempfn_random(path, NULL, &t);
502 if (r < 0)
503 return r;
504
505 if (mknod(t, mode, dev) < 0)
506 return -errno;
507
508 if (rename(t, path) < 0) {
509 unlink_noerrno(t);
510 return -errno;
511 }
512
513 return 0;
514}
515
516int mkfifo_atomic(const char *path, mode_t mode) {
517 _cleanup_free_ char *t = NULL;
518 int r;
519
520 assert(path);
521
522 r = tempfn_random(path, NULL, &t);
523 if (r < 0)
524 return r;
525
526 if (mkfifo(t, mode) < 0)
527 return -errno;
528
529 if (rename(t, path) < 0) {
4fe3828c
FB		 530 unlink_noerrno(t);
531 return -errno;
532 }
533
534 return 0;
535}
536
537int mkfifoat_atomic(int dirfd, const char *path, mode_t mode) {
538 _cleanup_free_ char *t = NULL;
539 int r;
540
541 assert(path);
542
543 if (path_is_absolute(path))
544 return mkfifo_atomic(path, mode);
545
546 /* We're only interested in the (random) filename. */
547 r = tempfn_random_child("", NULL, &t);
548 if (r < 0)
549 return r;
550
551 if (mkfifoat(dirfd, t, mode) < 0)
552 return -errno;
553
554 if (renameat(dirfd, t, dirfd, path) < 0) {
f4f15635
LP		 555 unlink_noerrno(t);
556 return -errno;
557 }
558
559 return 0;
560}
561
562int get_files_in_directory(const char *path, char ***list) {
563 _cleanup_closedir_ DIR *d = NULL;
8fb3f009 564 struct dirent *de;
f4f15635
LP		 565 size_t bufsize = 0, n = 0;
566 _cleanup_strv_free_ char **l = NULL;
567
568 assert(path);
569
570 /* Returns all files in a directory in *list, and the number
571 * of files as return value. If list is NULL returns only the
572 * number. */
573
574 d = opendir(path);
575 if (!d)
576 return -errno;
577
8fb3f009 578 FOREACH_DIRENT_ALL(de, d, return -errno) {
f4f15635
LP		 579 dirent_ensure_type(d, de);
580
581 if (!dirent_is_file(de))
582 continue;
583
584 if (list) {
585 /* one extra slot is needed for the terminating NULL */
586 if (!GREEDY_REALLOC(l, bufsize, n + 2))
587 return -ENOMEM;
588
589 l[n] = strdup(de->d_name);
590 if (!l[n])
591 return -ENOMEM;
592
593 l[++n] = NULL;
594 } else
595 n++;
596 }
597
ae2a15bc
LP		 598 if (list)
599 *list = TAKE_PTR(l);
f4f15635
LP		 600
601 return n;
602}
430fbf8e 603
992e8f22
LP		 604static int getenv_tmp_dir(const char **ret_path) {
605 const char *n;
606 int r, ret = 0;
34a8f081 607
992e8f22 608 assert(ret_path);
34a8f081 609
992e8f22
LP		 610 /* We use the same order of environment variables python uses in tempfile.gettempdir():
611 * https://docs.python.org/3/library/tempfile.html#tempfile.gettempdir */
612 FOREACH_STRING(n, "TMPDIR", "TEMP", "TMP") {
613 const char *e;
614
615 e = secure_getenv(n);
616 if (!e)
617 continue;
618 if (!path_is_absolute(e)) {
619 r = -ENOTDIR;
620 goto next;
621 }
99be45a4 622 if (!path_is_normalized(e)) {
992e8f22
LP		 623 r = -EPERM;
624 goto next;
625 }
626
627 r = is_dir(e, true);
628 if (r < 0)
629 goto next;
630 if (r == 0) {
631 r = -ENOTDIR;
632 goto next;
633 }
634
635 *ret_path = e;
636 return 1;
637
638 next:
639 /* Remember first error, to make this more debuggable */
640 if (ret >= 0)
641 ret = r;
34a8f081
OW		 642 }
643
992e8f22
LP		 644 if (ret < 0)
645 return ret;
34a8f081 646
992e8f22
LP		 647 *ret_path = NULL;
648 return ret;
649}
34a8f081 650
992e8f22
LP		 651static int tmp_dir_internal(const char *def, const char **ret) {
652 const char *e;
653 int r, k;
654
655 assert(def);
656 assert(ret);
657
658 r = getenv_tmp_dir(&e);
659 if (r > 0) {
660 *ret = e;
661 return 0;
662 }
663
664 k = is_dir(def, true);
665 if (k == 0)
666 k = -ENOTDIR;
667 if (k < 0)
668 return r < 0 ? r : k;
669
670 *ret = def;
34a8f081
OW		 671 return 0;
672}
673
992e8f22
LP		 674int var_tmp_dir(const char **ret) {
675
676 /* Returns the location for "larger" temporary files, that is backed by physical storage if available, and thus
677 * even might survive a boot: /var/tmp. If $TMPDIR (or related environment variables) are set, its value is
678 * returned preferably however. Note that both this function and tmp_dir() below are affected by $TMPDIR,
679 * making it a variable that overrides all temporary file storage locations. */
680
681 return tmp_dir_internal("/var/tmp", ret);
682}
683
684int tmp_dir(const char **ret) {
685
686 /* Similar to var_tmp_dir() above, but returns the location for "smaller" temporary files, which is usually
687 * backed by an in-memory file system: /tmp. */
688
689 return tmp_dir_internal("/tmp", ret);
690}
691
af229d7a
ZJS		 692int unlink_or_warn(const char *filename) {
693 if (unlink(filename) < 0 && errno != ENOENT)
694 /* If the file doesn't exist and the fs simply was read-only (in which
695 * case unlink() returns EROFS even if the file doesn't exist), don't
696 * complain */
697 if (errno != EROFS || access(filename, F_OK) >= 0)
698 return log_error_errno(errno, "Failed to remove \"%s\": %m", filename);
699
700 return 0;
701}
702
430fbf8e 703int inotify_add_watch_fd(int fd, int what, uint32_t mask) {
fbd0b64f 704 char path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
430fbf8e
LP		 705 int r;
706
707 /* This is like inotify_add_watch(), except that the file to watch is not referenced by a path, but by an fd */
708 xsprintf(path, "/proc/self/fd/%i", what);
709
710 r = inotify_add_watch(fd, path, mask);
711 if (r < 0)
712 return -errno;
713
714 return r;
715}
d944dc95 716
b85ee2ec 717static bool unsafe_transition(const struct stat *a, const struct stat *b) {
f14f1806
LP		 718 /* Returns true if the transition from a to b is safe, i.e. that we never transition from unprivileged to
719 * privileged files or directories. Why bother? So that unprivileged code can't symlink to privileged files
720 * making us believe we read something safe even though it isn't safe in the specific context we open it in. */
721
722 if (a->st_uid == 0) /* Transitioning from privileged to unprivileged is always fine */
b85ee2ec 723 return false;
f14f1806 724
b85ee2ec 725 return a->st_uid != b->st_uid; /* Otherwise we need to stay within the same UID */
f14f1806
LP		 726}
727
fd74c6f3
FB		 728static int log_unsafe_transition(int a, int b, const char *path, unsigned flags) {
729 _cleanup_free_ char *n1 = NULL, *n2 = NULL;
730
731 if (!FLAGS_SET(flags, CHASE_WARN))
36c97dec 732 return -ENOLINK;
fd74c6f3
FB		 733
734 (void) fd_get_path(a, &n1);
735 (void) fd_get_path(b, &n2);
736
36c97dec 737 return log_warning_errno(SYNTHETIC_ERRNO(ENOLINK),
fd74c6f3 738 "Detected unsafe path transition %s %s %s during canonicalization of %s.",
9a6f746f 739 n1, special_glyph(SPECIAL_GLYPH_ARROW), n2, path);
fd74c6f3
FB		 740}
741
145b8d0f
FB		 742static int log_autofs_mount_point(int fd, const char *path, unsigned flags) {
743 _cleanup_free_ char *n1 = NULL;
744
745 if (!FLAGS_SET(flags, CHASE_WARN))
746 return -EREMOTE;
747
748 (void) fd_get_path(fd, &n1);
749
750 return log_warning_errno(SYNTHETIC_ERRNO(EREMOTE),
751 "Detected autofs mount point %s during canonicalization of %s.",
752 n1, path);
f14f1806
LP		 753}
754
c4f4fce7 755int chase_symlinks(const char *path, const char *original_root, unsigned flags, char **ret) {
d944dc95
LP		 756 _cleanup_free_ char *buffer = NULL, *done = NULL, *root = NULL;
757 _cleanup_close_ int fd = -1;
f10f4215 758 unsigned max_follow = CHASE_SYMLINKS_MAX; /* how many symlinks to follow before giving up and returning ELOOP */
f14f1806 759 struct stat previous_stat;
a9fb0867 760 bool exists = true;
d944dc95
LP		 761 char *todo;
762 int r;
763
764 assert(path);
765
1ed34d75 766 /* Either the file may be missing, or we return an fd to the final object, but both make no sense */
d94a24ca 767 if (FLAGS_SET(flags, CHASE_NONEXISTENT | CHASE_OPEN))
1ed34d75
LP		 768 return -EINVAL;
769
d94a24ca 770 if (FLAGS_SET(flags, CHASE_STEP | CHASE_OPEN))
49eb3659
LP		 771 return -EINVAL;
772
a49424af
LP		 773 if (isempty(path))
774 return -EINVAL;
775
d944dc95
LP		 776 /* This is a lot like canonicalize_file_name(), but takes an additional "root" parameter, that allows following
777 * symlinks relative to a root directory, instead of the root of the host.
778 *
fc4b68e5 779 * Note that "root" primarily matters if we encounter an absolute symlink. It is also used when following
c4f4fce7
LP		 780 * relative symlinks to ensure they cannot be used to "escape" the root directory. The path parameter passed is
781 * assumed to be already prefixed by it, except if the CHASE_PREFIX_ROOT flag is set, in which case it is first
782 * prefixed accordingly.
d944dc95
LP		 783 *
784 * Algorithmically this operates on two path buffers: "done" are the components of the path we already
785 * processed and resolved symlinks, "." and ".." of. "todo" are the components of the path we still need to
786 * process. On each iteration, we move one component from "todo" to "done", processing it's special meaning
787 * each time. The "todo" path always starts with at least one slash, the "done" path always ends in no
788 * slash. We always keep an O_PATH fd to the component we are currently processing, thus keeping lookup races
fc4b68e5
LP		 789 * at a minimum.
790 *
791 * Suggested usage: whenever you want to canonicalize a path, use this function. Pass the absolute path you got
792 * as-is: fully qualified and relative to your host's root. Optionally, specify the root parameter to tell this
793 * function what to do when encountering a symlink with an absolute path as directory: prefix it by the
49eb3659
LP		 794 * specified path.
795 *
796 * There are three ways to invoke this function:
797 *
798 * 1. Without CHASE_STEP or CHASE_OPEN: in this case the path is resolved and the normalized path is returned
799 * in `ret`. The return value is < 0 on error. If CHASE_NONEXISTENT is also set 0 is returned if the file
800 * doesn't exist, > 0 otherwise. If CHASE_NONEXISTENT is not set >= 0 is returned if the destination was
801 * found, -ENOENT if it doesn't.
802 *
803 * 2. With CHASE_OPEN: in this case the destination is opened after chasing it as O_PATH and this file
804 * descriptor is returned as return value. This is useful to open files relative to some root
805 * directory. Note that the returned O_PATH file descriptors must be converted into a regular one (using
806 * fd_reopen() or such) before it can be used for reading/writing. CHASE_OPEN may not be combined with
807 * CHASE_NONEXISTENT.
808 *
809 * 3. With CHASE_STEP: in this case only a single step of the normalization is executed, i.e. only the first
810 * symlink or ".." component of the path is resolved, and the resulting path is returned. This is useful if
811 * a caller wants to trace the a path through the file system verbosely. Returns < 0 on error, > 0 if the
812 * path is fully normalized, and == 0 for each normalization step. This may be combined with
813 * CHASE_NONEXISTENT, in which case 1 is returned when a component is not found.
814 *
36c97dec
FB		 815 * 4. With CHASE_SAFE: in this case the path must not contain unsafe transitions, i.e. transitions from
816 * unprivileged to privileged files or directories. In such cases the return value is -ENOLINK. If
817 * CHASE_WARN is also set a warning describing the unsafe transition is emitted.
818 *
145b8d0f
FB		 819 * 5. With CHASE_NO_AUTOFS: in this case if an autofs mount point is encountered, the path normalization is
820 * aborted and -EREMOTE is returned. If CHASE_WARN is also set a warning showing the path of the mount point
821 * is emitted.
822 *
49eb3659 823 * */
d944dc95 824
22bc57c5 825 /* A root directory of "/" or "" is identical to none */
57ea45e1 826 if (empty_or_root(original_root))
22bc57c5 827 original_root = NULL;
b1bfb848 828
49eb3659 829 if (!original_root && !ret && (flags & (CHASE_NONEXISTENT|CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_OPEN|CHASE_STEP)) == CHASE_OPEN) {
244d2f07
LP		 830 /* Shortcut the CHASE_OPEN case if the caller isn't interested in the actual path and has no root set
831 * and doesn't care about any of the other special features we provide either. */
1f56e4ce 832 r = open(path, O_PATH|O_CLOEXEC|((flags & CHASE_NOFOLLOW) ? O_NOFOLLOW : 0));
244d2f07
LP		 833 if (r < 0)
834 return -errno;
835
836 return r;
837 }
838
c4f4fce7
LP		 839 if (original_root) {
840 r = path_make_absolute_cwd(original_root, &root);
d944dc95
LP		 841 if (r < 0)
842 return r;
c4f4fce7 843
382a5078
LP		 844 if (flags & CHASE_PREFIX_ROOT) {
845
846 /* We don't support relative paths in combination with a root directory */
847 if (!path_is_absolute(path))
848 return -EINVAL;
849
c4f4fce7 850 path = prefix_roota(root, path);
382a5078 851 }
d944dc95
LP		 852 }
853
c4f4fce7
LP		 854 r = path_make_absolute_cwd(path, &buffer);
855 if (r < 0)
856 return r;
857
d944dc95
LP		 858 fd = open("/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
859 if (fd < 0)
860 return -errno;
861
f14f1806
LP		 862 if (flags & CHASE_SAFE) {
863 if (fstat(fd, &previous_stat) < 0)
864 return -errno;
865 }
866
d944dc95
LP		 867 todo = buffer;
868 for (;;) {
869 _cleanup_free_ char *first = NULL;
870 _cleanup_close_ int child = -1;
871 struct stat st;
872 size_t n, m;
873
874 /* Determine length of first component in the path */
875 n = strspn(todo, "/"); /* The slashes */
876 m = n + strcspn(todo + n, "/"); /* The entire length of the component */
877
878 /* Extract the first component. */
879 first = strndup(todo, m);
880 if (!first)
881 return -ENOMEM;
882
883 todo += m;
884
b12d25a8
ZJS		 885 /* Empty? Then we reached the end. */
886 if (isempty(first))
887 break;
888
d944dc95 889 /* Just a single slash? Then we reached the end. */
b12d25a8
ZJS		 890 if (path_equal(first, "/")) {
891 /* Preserve the trailing slash */
62570f6f
LP		 892
893 if (flags & CHASE_TRAIL_SLASH)
894 if (!strextend(&done, "/", NULL))
895 return -ENOMEM;
b12d25a8 896
d944dc95 897 break;
b12d25a8 898 }
d944dc95
LP		 899
900 /* Just a dot? Then let's eat this up. */
901 if (path_equal(first, "/."))
902 continue;
903
904 /* Two dots? Then chop off the last bit of what we already found out. */
905 if (path_equal(first, "/..")) {
906 _cleanup_free_ char *parent = NULL;
2b6d2dda 907 _cleanup_close_ int fd_parent = -1;
d944dc95 908
a4eaf3cf
LP		 909 /* If we already are at the top, then going up will not change anything. This is in-line with
910 * how the kernel handles this. */
57ea45e1 911 if (empty_or_root(done))
a4eaf3cf 912 continue;
d944dc95
LP		 913
914 parent = dirname_malloc(done);
915 if (!parent)
916 return -ENOMEM;
917
a4eaf3cf 918 /* Don't allow this to leave the root dir. */
d944dc95
LP		 919 if (root &&
920 path_startswith(done, root) &&
921 !path_startswith(parent, root))
a4eaf3cf 922 continue;
d944dc95 923
3b319885 924 free_and_replace(done, parent);
d944dc95 925
49eb3659
LP		 926 if (flags & CHASE_STEP)
927 goto chased_one;
928
d944dc95
LP		 929 fd_parent = openat(fd, "..", O_CLOEXEC|O_NOFOLLOW|O_PATH);
930 if (fd_parent < 0)
931 return -errno;
932
f14f1806
LP		 933 if (flags & CHASE_SAFE) {
934 if (fstat(fd_parent, &st) < 0)
935 return -errno;
936
b85ee2ec 937 if (unsafe_transition(&previous_stat, &st))
fd74c6f3 938 return log_unsafe_transition(fd, fd_parent, path, flags);
f14f1806
LP		 939
940 previous_stat = st;
941 }
942
d944dc95 943 safe_close(fd);
c10d6bdb 944 fd = TAKE_FD(fd_parent);
d944dc95
LP		 945
946 continue;
947 }
948
949 /* Otherwise let's see what this is. */
950 child = openat(fd, first + n, O_CLOEXEC|O_NOFOLLOW|O_PATH);
a9fb0867
LP		 951 if (child < 0) {
952
953 if (errno == ENOENT &&
cb638b5e 954 (flags & CHASE_NONEXISTENT) &&
99be45a4 955 (isempty(todo) || path_is_normalized(todo))) {
a9fb0867 956
cb638b5e 957 /* If CHASE_NONEXISTENT is set, and the path does not exist, then that's OK, return
a9fb0867
LP		 958 * what we got so far. But don't allow this if the remaining path contains "../ or "./"
959 * or something else weird. */
960
a1904a46
YW		 961 /* If done is "/", as first also contains slash at the head, then remove this redundant slash. */
962 if (streq_ptr(done, "/"))
963 *done = '\0';
964
a9fb0867
LP		 965 if (!strextend(&done, first, todo, NULL))
966 return -ENOMEM;
967
968 exists = false;
969 break;
970 }
971
d944dc95 972 return -errno;
a9fb0867 973 }
d944dc95
LP		 974
975 if (fstat(child, &st) < 0)
976 return -errno;
f14f1806 977 if ((flags & CHASE_SAFE) &&
cc14a6c0 978 (empty_or_root(root) || (size_t)(todo - buffer) > strlen(root)) &&
b85ee2ec 979 unsafe_transition(&previous_stat, &st))
fd74c6f3 980 return log_unsafe_transition(fd, child, path, flags);
f14f1806
LP		 981
982 previous_stat = st;
983
655f2da0 984 if ((flags & CHASE_NO_AUTOFS) &&
a66fee2e 985 fd_is_fs_type(child, AUTOFS_SUPER_MAGIC) > 0)
145b8d0f 986 return log_autofs_mount_point(child, path, flags);
d944dc95 987
1f56e4ce 988 if (S_ISLNK(st.st_mode) && !((flags & CHASE_NOFOLLOW) && isempty(todo))) {
877777d7
CCW		 989 char *joined;
990
d944dc95
LP		 991 _cleanup_free_ char *destination = NULL;
992
993 /* This is a symlink, in this case read the destination. But let's make sure we don't follow
994 * symlinks without bounds. */
995 if (--max_follow <= 0)
996 return -ELOOP;
997
998 r = readlinkat_malloc(fd, first + n, &destination);
999 if (r < 0)
1000 return r;
1001 if (isempty(destination))
1002 return -EINVAL;
1003
1004 if (path_is_absolute(destination)) {
1005
1006 /* An absolute destination. Start the loop from the beginning, but use the root
1007 * directory as base. */
1008
1009 safe_close(fd);
1010 fd = open(root ?: "/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
1011 if (fd < 0)
1012 return -errno;
1013
f14f1806
LP		 1014 if (flags & CHASE_SAFE) {
1015 if (fstat(fd, &st) < 0)
1016 return -errno;
1017
b85ee2ec 1018 if (unsafe_transition(&previous_stat, &st))
fd74c6f3 1019 return log_unsafe_transition(child, fd, path, flags);
f14f1806
LP		 1020
1021 previous_stat = st;
1022 }
1023
b539437a
YW		 1024 free(done);
1025
d944dc95
LP		 1026 /* Note that we do not revalidate the root, we take it as is. */
1027 if (isempty(root))
1028 done = NULL;
1029 else {
1030 done = strdup(root);
1031 if (!done)
1032 return -ENOMEM;
1033 }
1034
8c4a8ea2
LP		 1035 /* Prefix what's left to do with what we just read, and start the loop again, but
1036 * remain in the current directory. */
1037 joined = strjoin(destination, todo);
1038 } else
1039 joined = strjoin("/", destination, todo);
877777d7
CCW		 1040 if (!joined)
1041 return -ENOMEM;
d944dc95 1042
877777d7
CCW		 1043 free(buffer);
1044 todo = buffer = joined;
d944dc95 1045
49eb3659
LP		 1046 if (flags & CHASE_STEP)
1047 goto chased_one;
1048
d944dc95
LP		 1049 continue;
1050 }
1051
1052 /* If this is not a symlink, then let's just add the name we read to what we already verified. */
ae2a15bc
LP		 1053 if (!done)
1054 done = TAKE_PTR(first);
1055 else {
a1904a46
YW		 1056 /* If done is "/", as first also contains slash at the head, then remove this redundant slash. */
1057 if (streq(done, "/"))
1058 *done = '\0';
1059
d944dc95
LP		 1060 if (!strextend(&done, first, NULL))
1061 return -ENOMEM;
1062 }
1063
1064 /* And iterate again, but go one directory further down. */
1065 safe_close(fd);
c10d6bdb 1066 fd = TAKE_FD(child);
d944dc95
LP		 1067 }
1068
1069 if (!done) {
1070 /* Special case, turn the empty string into "/", to indicate the root directory. */
1071 done = strdup("/");
1072 if (!done)
1073 return -ENOMEM;
1074 }
1075
ae2a15bc
LP		 1076 if (ret)
1077 *ret = TAKE_PTR(done);
d944dc95 1078
1ed34d75 1079 if (flags & CHASE_OPEN) {
1ed34d75
LP		 1080 /* Return the O_PATH fd we currently are looking to the caller. It can translate it to a proper fd by
1081 * opening /proc/self/fd/xyz. */
1082
1083 assert(fd >= 0);
c10d6bdb 1084 return TAKE_FD(fd);
1ed34d75
LP		 1085 }
1086
49eb3659
LP		 1087 if (flags & CHASE_STEP)
1088 return 1;
1089
a9fb0867 1090 return exists;
49eb3659
LP		 1091
1092chased_one:
49eb3659
LP		 1093 if (ret) {
1094 char *c;
1095
027cc9c9
ZJS		 1096 c = strjoin(strempty(done), todo);
1097 if (!c)
1098 return -ENOMEM;
49eb3659
LP		 1099
1100 *ret = c;
1101 }
1102
1103 return 0;
d944dc95 1104}
57a4359e 1105
21c692e9
LP		 1106int chase_symlinks_and_open(
1107 const char *path,
1108 const char *root,
1109 unsigned chase_flags,
1110 int open_flags,
1111 char **ret_path) {
1112
1113 _cleanup_close_ int path_fd = -1;
1114 _cleanup_free_ char *p = NULL;
1115 int r;
1116
1117 if (chase_flags & CHASE_NONEXISTENT)
1118 return -EINVAL;
1119
57ea45e1 1120 if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
21c692e9
LP		 1121 /* Shortcut this call if none of the special features of this call are requested */
1122 r = open(path, open_flags);
1123 if (r < 0)
1124 return -errno;
1125
1126 return r;
1127 }
1128
1129 path_fd = chase_symlinks(path, root, chase_flags|CHASE_OPEN, ret_path ? &p : NULL);
1130 if (path_fd < 0)
1131 return path_fd;
1132
1133 r = fd_reopen(path_fd, open_flags);
1134 if (r < 0)
1135 return r;
1136
1137 if (ret_path)
1138 *ret_path = TAKE_PTR(p);
1139
1140 return r;
1141}
1142
1143int chase_symlinks_and_opendir(
1144 const char *path,
1145 const char *root,
1146 unsigned chase_flags,
1147 char **ret_path,
1148 DIR **ret_dir) {
1149
1150 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
1151 _cleanup_close_ int path_fd = -1;
1152 _cleanup_free_ char *p = NULL;
1153 DIR *d;
1154
1155 if (!ret_dir)
1156 return -EINVAL;
1157 if (chase_flags & CHASE_NONEXISTENT)
1158 return -EINVAL;
1159
57ea45e1 1160 if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
21c692e9
LP		 1161 /* Shortcut this call if none of the special features of this call are requested */
1162 d = opendir(path);
1163 if (!d)
1164 return -errno;
1165
1166 *ret_dir = d;
1167 return 0;
1168 }
1169
1170 path_fd = chase_symlinks(path, root, chase_flags|CHASE_OPEN, ret_path ? &p : NULL);
1171 if (path_fd < 0)
1172 return path_fd;
1173
1174 xsprintf(procfs_path, "/proc/self/fd/%i", path_fd);
1175 d = opendir(procfs_path);
1176 if (!d)
1177 return -errno;
1178
1179 if (ret_path)
1180 *ret_path = TAKE_PTR(p);
1181
1182 *ret_dir = d;
1183 return 0;
1184}
1185
d2bcd0ba
LP		 1186int chase_symlinks_and_stat(
1187 const char *path,
1188 const char *root,
1189 unsigned chase_flags,
1190 char **ret_path,
1191 struct stat *ret_stat) {
1192
1193 _cleanup_close_ int path_fd = -1;
1194 _cleanup_free_ char *p = NULL;
1195
1196 assert(path);
1197 assert(ret_stat);
1198
1199 if (chase_flags & CHASE_NONEXISTENT)
1200 return -EINVAL;
1201
1202 if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
1203 /* Shortcut this call if none of the special features of this call are requested */
1204 if (stat(path, ret_stat) < 0)
1205 return -errno;
1206
1207 return 1;
1208 }
1209
1210 path_fd = chase_symlinks(path, root, chase_flags|CHASE_OPEN, ret_path ? &p : NULL);
1211 if (path_fd < 0)
1212 return path_fd;
1213
1214 if (fstat(path_fd, ret_stat) < 0)
1215 return -errno;
1216
1217 if (ret_path)
1218 *ret_path = TAKE_PTR(p);
1219
1220 if (chase_flags & CHASE_OPEN)
1221 return TAKE_FD(path_fd);
1222
1223 return 1;
1224}
1225
57a4359e 1226int access_fd(int fd, int mode) {
fbd0b64f 1227 char p[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(fd) + 1];
57a4359e
LP		 1228 int r;
1229
1230 /* Like access() but operates on an already open fd */
1231
1232 xsprintf(p, "/proc/self/fd/%i", fd);
57a4359e
LP		 1233 r = access(p, mode);
1234 if (r < 0)
21c692e9 1235 return -errno;
57a4359e
LP		 1236
1237 return r;
1238}
43767d9d 1239
627d2bac
ZJS		 1240void unlink_tempfilep(char (*p)[]) {
1241 /* If the file is created with mkstemp(), it will (almost always)
1242 * change the suffix. Treat this as a sign that the file was
1243 * successfully created. We ignore both the rare case where the
1244 * original suffix is used and unlink failures. */
1245 if (!endswith(*p, ".XXXXXX"))
69821560 1246 (void) unlink_noerrno(*p);
627d2bac
ZJS		 1247}
1248
43767d9d
LP		 1249int unlinkat_deallocate(int fd, const char *name, int flags) {
1250 _cleanup_close_ int truncate_fd = -1;
1251 struct stat st;
1252 off_t l, bs;
1253
1254 /* Operates like unlinkat() but also deallocates the file contents if it is a regular file and there's no other
1255 * link to it. This is useful to ensure that other processes that might have the file open for reading won't be
1256 * able to keep the data pinned on disk forever. This call is particular useful whenever we execute clean-up
1257 * jobs ("vacuuming"), where we want to make sure the data is really gone and the disk space released and
1258 * returned to the free pool.
1259 *
1260 * Deallocation is preferably done by FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE (👊) if supported, which means
1261 * the file won't change size. That's a good thing since we shouldn't needlessly trigger SIGBUS in other
1262 * programs that have mmap()ed the file. (The assumption here is that changing file contents to all zeroes
1263 * underneath those programs is the better choice than simply triggering SIGBUS in them which truncation does.)
1264 * However if hole punching is not implemented in the kernel or file system we'll fall back to normal file
1265 * truncation (🔪), as our goal of deallocating the data space trumps our goal of being nice to readers (💐).
1266 *
1267 * Note that we attempt deallocation, but failure to succeed with that is not considered fatal, as long as the
1268 * primary job – to delete the file – is accomplished. */
1269
1270 if ((flags & AT_REMOVEDIR) == 0) {
1271 truncate_fd = openat(fd, name, O_WRONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|O_NONBLOCK);
1272 if (truncate_fd < 0) {
1273
1274 /* If this failed because the file doesn't exist propagate the error right-away. Also,
1275 * AT_REMOVEDIR wasn't set, and we tried to open the file for writing, which means EISDIR is
1276 * returned when this is a directory but we are not supposed to delete those, hence propagate
1277 * the error right-away too. */
1278 if (IN_SET(errno, ENOENT, EISDIR))
1279 return -errno;
1280
1281 if (errno != ELOOP) /* don't complain if this is a symlink */
1282 log_debug_errno(errno, "Failed to open file '%s' for deallocation, ignoring: %m", name);
1283 }
1284 }
1285
1286 if (unlinkat(fd, name, flags) < 0)
1287 return -errno;
1288
1289 if (truncate_fd < 0) /* Don't have a file handle, can't do more ☹️ */
1290 return 0;
1291
1292 if (fstat(truncate_fd, &st) < 0) {
011723a4 1293 log_debug_errno(errno, "Failed to stat file '%s' for deallocation, ignoring: %m", name);
43767d9d
LP		 1294 return 0;
1295 }
1296
1297 if (!S_ISREG(st.st_mode) || st.st_blocks == 0 || st.st_nlink > 0)
1298 return 0;
1299
1300 /* If this is a regular file, it actually took up space on disk and there are no other links it's time to
1301 * punch-hole/truncate this to release the disk space. */
1302
1303 bs = MAX(st.st_blksize, 512);
1304 l = DIV_ROUND_UP(st.st_size, bs) * bs; /* Round up to next block size */
1305
1306 if (fallocate(truncate_fd, FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE, 0, l) >= 0)
1307 return 0; /* Successfully punched a hole! 😊 */
1308
1309 /* Fall back to truncation */
1310 if (ftruncate(truncate_fd, 0) < 0) {
1311 log_debug_errno(errno, "Failed to truncate file to 0, ignoring: %m");
1312 return 0;
1313 }
1314
1315 return 0;
1316}
11b29a96
LP		 1317
1318int fsync_directory_of_file(int fd) {
0c462ea4 1319 _cleanup_free_ char *path = NULL;
11b29a96
LP		 1320 _cleanup_close_ int dfd = -1;
1321 int r;
1322
1323 r = fd_verify_regular(fd);
1324 if (r < 0)
1325 return r;
1326
1327 r = fd_get_path(fd, &path);
3ceae1bc 1328 if (r < 0) {
b8b846d7
LP		 1329 log_debug_errno(r, "Failed to query /proc/self/fd/%d%s: %m",
1330 fd,
1331 r == -EOPNOTSUPP ? ", ignoring" : "");
3ceae1bc
ZJS		 1332
1333 if (r == -EOPNOTSUPP)
1334 /* If /proc is not available, we're most likely running in some
1335 * chroot environment, and syncing the directory is not very
1336 * important in that case. Let's just silently do nothing. */
1337 return 0;
1338
11b29a96 1339 return r;
3ceae1bc 1340 }
11b29a96
LP		 1341
1342 if (!path_is_absolute(path))
1343 return -EINVAL;
1344
0c462ea4 1345 dfd = open_parent(path, O_CLOEXEC, 0);
11b29a96 1346 if (dfd < 0)
0c462ea4 1347 return dfd;
11b29a96
LP		 1348
1349 if (fsync(dfd) < 0)
1350 return -errno;
1351
1352 return 0;
1353}
ef8becfa 1354
36695e88
LP		 1355int fsync_path_at(int at_fd, const char *path) {
1356 _cleanup_close_ int opened_fd = -1;
1357 int fd;
1358
1359 if (isempty(path)) {
1360 if (at_fd == AT_FDCWD) {
1361 opened_fd = open(".", O_RDONLY|O_DIRECTORY|O_CLOEXEC);
1362 if (opened_fd < 0)
1363 return -errno;
1364
1365 fd = opened_fd;
1366 } else
1367 fd = at_fd;
1368 } else {
1369
1370 opened_fd = openat(at_fd, path, O_RDONLY|O_CLOEXEC);
1371 if (opened_fd < 0)
1372 return -errno;
1373
1374 fd = opened_fd;
1375 }
1376
1377 if (fsync(fd) < 0)
1378 return -errno;
1379
1380 return 0;
1381}
1382
71f51416
LP		 1383int syncfs_path(int atfd, const char *path) {
1384 _cleanup_close_ int fd = -1;
1385
1386 assert(path);
1387
1388 fd = openat(atfd, path, O_CLOEXEC|O_RDONLY|O_NONBLOCK);
1389 if (fd < 0)
1390 return -errno;
1391
1392 if (syncfs(fd) < 0)
1393 return -errno;
1394
1395 return 0;
1396}
1397
ef8becfa
LP		 1398int open_parent(const char *path, int flags, mode_t mode) {
1399 _cleanup_free_ char *parent = NULL;
1400 int fd;
1401
1402 if (isempty(path))
1403 return -EINVAL;
1404 if (path_equal(path, "/")) /* requesting the parent of the root dir is fishy, let's prohibit that */
1405 return -EINVAL;
1406
1407 parent = dirname_malloc(path);
1408 if (!parent)
1409 return -ENOMEM;
1410
1411 /* Let's insist on O_DIRECTORY since the parent of a file or directory is a directory. Except if we open an
1412 * O_TMPFILE file, because in that case we are actually create a regular file below the parent directory. */
1413
1414 if ((flags & O_PATH) == O_PATH)
1415 flags |= O_DIRECTORY;
1416 else if ((flags & O_TMPFILE) != O_TMPFILE)
1417 flags |= O_DIRECTORY|O_RDONLY;
1418
1419 fd = open(parent, flags, mode);
1420 if (fd < 0)
1421 return -errno;
1422
1423 return fd;
1424}
Unnamed repository; edit this file 'description' to name the repository.