1 /* SPDX-License-Identifier: LGPL-2.1+ */
5 #include <sys/resource.h>
6 #include <sys/socket.h>
10 #include "alloc-util.h"
12 #include "dirent-util.h"
18 #include "memfd-util.h"
19 #include "missing_syscall.h"
20 #include "parse-util.h"
21 #include "path-util.h"
22 #include "process-util.h"
23 #include "socket-util.h"
24 #include "stdio-util.h"
26 #include "tmpfile-util.h"
28 /* The maximum number of iterations in the loop to close descriptors in the fallback case
29 * when /proc/self/fd/ is inaccessible. */
30 #define MAX_FD_LOOP_LIMIT (1024*1024)
32 int close_nointr(int fd
) {
39 * Just ignore EINTR; a retry loop is the wrong thing to do on
42 * http://lkml.indiana.edu/hypermail/linux/kernel/0509.1/0877.html
43 * https://bugzilla.gnome.org/show_bug.cgi?id=682819
44 * http://utcc.utoronto.ca/~cks/space/blog/unix/CloseEINTR
45 * https://sites.google.com/site/michaelsafyan/software-engineering/checkforeintrwheninvokingclosethinkagain
53 int safe_close(int fd
) {
56 * Like close_nointr() but cannot fail. Guarantees errno is
57 * unchanged. Is a NOP with negative fds passed, and returns
58 * -1, so that it can be used in this syntax:
60 * fd = safe_close(fd);
66 /* The kernel might return pretty much any error code
67 * via close(), but the fd will be closed anyway. The
68 * only condition we want to check for here is whether
69 * the fd was invalid at all... */
71 assert_se(close_nointr(fd
) != -EBADF
);
77 void safe_close_pair(int p
[static 2]) {
81 /* Special case pairs which use the same fd in both
83 p
[0] = p
[1] = safe_close(p
[0]);
87 p
[0] = safe_close(p
[0]);
88 p
[1] = safe_close(p
[1]);
91 void close_many(const int fds
[], size_t n_fd
) {
94 assert(fds
|| n_fd
<= 0);
96 for (i
= 0; i
< n_fd
; i
++)
100 int fclose_nointr(FILE *f
) {
103 /* Same as close_nointr(), but for fclose() */
114 FILE* safe_fclose(FILE *f
) {
116 /* Same as safe_close(), but for fclose() */
121 assert_se(fclose_nointr(f
) != -EBADF
);
127 DIR* safe_closedir(DIR *d
) {
132 assert_se(closedir(d
) >= 0 || errno
!= EBADF
);
138 int fd_nonblock(int fd
, bool nonblock
) {
143 flags
= fcntl(fd
, F_GETFL
, 0);
148 nflags
= flags
| O_NONBLOCK
;
150 nflags
= flags
& ~O_NONBLOCK
;
155 if (fcntl(fd
, F_SETFL
, nflags
) < 0)
161 int fd_cloexec(int fd
, bool cloexec
) {
166 flags
= fcntl(fd
, F_GETFD
, 0);
171 nflags
= flags
| FD_CLOEXEC
;
173 nflags
= flags
& ~FD_CLOEXEC
;
178 if (fcntl(fd
, F_SETFD
, nflags
) < 0)
184 _pure_
static bool fd_in_set(int fd
, const int fdset
[], size_t n_fdset
) {
187 assert(n_fdset
== 0 || fdset
);
189 for (i
= 0; i
< n_fdset
; i
++)
196 static int get_max_fd(void) {
200 /* Return the highest possible fd, based RLIMIT_NOFILE, but enforcing FD_SETSIZE-1 as lower boundary
201 * and INT_MAX as upper boundary. */
203 if (getrlimit(RLIMIT_NOFILE
, &rl
) < 0)
206 m
= MAX(rl
.rlim_cur
, rl
.rlim_max
);
207 if (m
< FD_SETSIZE
) /* Let's always cover at least 1024 fds */
210 if (m
== RLIM_INFINITY
|| m
> INT_MAX
) /* Saturate on overflow. After all fds are "int", hence can
211 * never be above INT_MAX */
214 return (int) (m
- 1);
217 int close_all_fds(const int except
[], size_t n_except
) {
218 _cleanup_closedir_
DIR *d
= NULL
;
222 assert(n_except
== 0 || except
);
224 d
= opendir("/proc/self/fd");
228 /* When /proc isn't available (for example in chroots) the fallback is brute forcing through
231 max_fd
= get_max_fd();
235 /* Refuse to do the loop over more too many elements. It's better to fail immediately than to
236 * spin the CPU for a long time. */
237 if (max_fd
> MAX_FD_LOOP_LIMIT
)
238 return log_debug_errno(SYNTHETIC_ERRNO(EPERM
),
239 "/proc/self/fd is inaccessible. Refusing to loop over %d potential fds.",
242 for (fd
= 3; fd
>= 0; fd
= fd
< max_fd
? fd
+ 1 : -1) {
245 if (fd_in_set(fd
, except
, n_except
))
248 q
= close_nointr(fd
);
249 if (q
< 0 && q
!= -EBADF
&& r
>= 0)
256 FOREACH_DIRENT(de
, d
, return -errno
) {
259 if (safe_atoi(de
->d_name
, &fd
) < 0)
260 /* Let's better ignore this, just in case */
269 if (fd_in_set(fd
, except
, n_except
))
272 q
= close_nointr(fd
);
273 if (q
< 0 && q
!= -EBADF
&& r
>= 0) /* Valgrind has its own FD and doesn't want to have it closed */
280 int same_fd(int a
, int b
) {
281 struct stat sta
, stb
;
288 /* Compares two file descriptors. Note that semantics are
289 * quite different depending on whether we have kcmp() or we
290 * don't. If we have kcmp() this will only return true for
291 * dup()ed file descriptors, but not otherwise. If we don't
292 * have kcmp() this will also return true for two fds of the same
293 * file, created by separate open() calls. Since we use this
294 * call mostly for filtering out duplicates in the fd store
295 * this difference hopefully doesn't matter too much. */
300 /* Try to use kcmp() if we have it. */
301 pid
= getpid_cached();
302 r
= kcmp(pid
, pid
, KCMP_FILE
, a
, b
);
307 if (!IN_SET(errno
, ENOSYS
, EACCES
, EPERM
))
310 /* We don't have kcmp(), use fstat() instead. */
311 if (fstat(a
, &sta
) < 0)
314 if (fstat(b
, &stb
) < 0)
317 if ((sta
.st_mode
& S_IFMT
) != (stb
.st_mode
& S_IFMT
))
320 /* We consider all device fds different, since two device fds
321 * might refer to quite different device contexts even though
322 * they share the same inode and backing dev_t. */
324 if (S_ISCHR(sta
.st_mode
) || S_ISBLK(sta
.st_mode
))
327 if (sta
.st_dev
!= stb
.st_dev
|| sta
.st_ino
!= stb
.st_ino
)
330 /* The fds refer to the same inode on disk, let's also check
331 * if they have the same fd flags. This is useful to
332 * distinguish the read and write side of a pipe created with
334 fa
= fcntl(a
, F_GETFL
);
338 fb
= fcntl(b
, F_GETFL
);
345 void cmsg_close_all(struct msghdr
*mh
) {
346 struct cmsghdr
*cmsg
;
350 CMSG_FOREACH(cmsg
, mh
)
351 if (cmsg
->cmsg_level
== SOL_SOCKET
&& cmsg
->cmsg_type
== SCM_RIGHTS
)
352 close_many((int*) CMSG_DATA(cmsg
), (cmsg
->cmsg_len
- CMSG_LEN(0)) / sizeof(int));
355 bool fdname_is_valid(const char *s
) {
358 /* Validates a name for $LISTEN_FDNAMES. We basically allow
359 * everything ASCII that's not a control character. Also, as
360 * special exception the ":" character is not allowed, as we
361 * use that as field separator in $LISTEN_FDNAMES.
363 * Note that the empty string is explicitly allowed
364 * here. However, we limit the length of the names to 255
370 for (p
= s
; *p
; p
++) {
382 int fd_get_path(int fd
, char **ret
) {
383 char procfs_path
[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
386 xsprintf(procfs_path
, "/proc/self/fd/%i", fd
);
387 r
= readlink_malloc(procfs_path
, ret
);
389 /* ENOENT can mean two things: that the fd does not exist or that /proc is not mounted. Let's make
390 * things debuggable and distinguish the two. */
392 if (access("/proc/self/fd/", F_OK
) < 0)
393 /* /proc is not available or not set up properly, we're most likely in some chroot
395 return errno
== ENOENT
? -EOPNOTSUPP
: -errno
;
397 return -EBADF
; /* The directory exists, hence it's the fd that doesn't. */
403 int move_fd(int from
, int to
, int cloexec
) {
406 /* Move fd 'from' to 'to', make sure FD_CLOEXEC remains equal if requested, and release the old fd. If
407 * 'cloexec' is passed as -1, the original FD_CLOEXEC is inherited for the new fd. If it is 0, it is turned
408 * off, if it is > 0 it is turned on. */
418 r
= fd_cloexec(to
, cloexec
);
429 fl
= fcntl(from
, F_GETFD
, 0);
433 cloexec
= !!(fl
& FD_CLOEXEC
);
436 r
= dup3(from
, to
, cloexec
? O_CLOEXEC
: 0);
447 int acquire_data_fd(const void *data
, size_t size
, unsigned flags
) {
449 _cleanup_close_pair_
int pipefds
[2] = { -1, -1 };
450 char pattern
[] = "/dev/shm/data-fd-XXXXXX";
451 _cleanup_close_
int fd
= -1;
456 assert(data
|| size
== 0);
458 /* Acquire a read-only file descriptor that when read from returns the specified data. This is much more
459 * complex than I wish it was. But here's why:
461 * a) First we try to use memfds. They are the best option, as we can seal them nicely to make them
462 * read-only. Unfortunately they require kernel 3.17, and – at the time of writing – we still support 3.14.
464 * b) Then, we try classic pipes. They are the second best options, as we can close the writing side, retaining
465 * a nicely read-only fd in the reading side. However, they are by default quite small, and unprivileged
466 * clients can only bump their size to a system-wide limit, which might be quite low.
468 * c) Then, we try an O_TMPFILE file in /dev/shm (that dir is the only suitable one known to exist from
469 * earliest boot on). To make it read-only we open the fd a second time with O_RDONLY via
470 * /proc/self/<fd>. Unfortunately O_TMPFILE is not available on older kernels on tmpfs.
472 * d) Finally, we try creating a regular file in /dev/shm, which we then delete.
474 * It sucks a bit that depending on the situation we return very different objects here, but that's Linux I
477 if (size
== 0 && ((flags
& ACQUIRE_NO_DEV_NULL
) == 0)) {
478 /* As a special case, return /dev/null if we have been called for an empty data block */
479 r
= open("/dev/null", O_RDONLY
|O_CLOEXEC
|O_NOCTTY
);
486 if ((flags
& ACQUIRE_NO_MEMFD
) == 0) {
487 fd
= memfd_new("data-fd");
491 n
= write(fd
, data
, size
);
494 if ((size_t) n
!= size
)
497 f
= lseek(fd
, 0, SEEK_SET
);
501 r
= memfd_set_sealed(fd
);
509 if ((flags
& ACQUIRE_NO_PIPE
) == 0) {
510 if (pipe2(pipefds
, O_CLOEXEC
|O_NONBLOCK
) < 0)
513 isz
= fcntl(pipefds
[1], F_GETPIPE_SZ
, 0);
517 if ((size_t) isz
< size
) {
519 if (isz
< 0 || (size_t) isz
!= size
)
522 /* Try to bump the pipe size */
523 (void) fcntl(pipefds
[1], F_SETPIPE_SZ
, isz
);
525 /* See if that worked */
526 isz
= fcntl(pipefds
[1], F_GETPIPE_SZ
, 0);
530 if ((size_t) isz
< size
)
534 n
= write(pipefds
[1], data
, size
);
537 if ((size_t) n
!= size
)
540 (void) fd_nonblock(pipefds
[0], false);
542 return TAKE_FD(pipefds
[0]);
546 if ((flags
& ACQUIRE_NO_TMPFILE
) == 0) {
547 fd
= open("/dev/shm", O_RDWR
|O_TMPFILE
|O_CLOEXEC
, 0500);
549 goto try_dev_shm_without_o_tmpfile
;
551 n
= write(fd
, data
, size
);
554 if ((size_t) n
!= size
)
557 /* Let's reopen the thing, in order to get an O_RDONLY fd for the original O_RDWR one */
558 return fd_reopen(fd
, O_RDONLY
|O_CLOEXEC
);
561 try_dev_shm_without_o_tmpfile
:
562 if ((flags
& ACQUIRE_NO_REGULAR
) == 0) {
563 fd
= mkostemp_safe(pattern
);
567 n
= write(fd
, data
, size
);
570 goto unlink_and_return
;
572 if ((size_t) n
!= size
) {
574 goto unlink_and_return
;
577 /* Let's reopen the thing, in order to get an O_RDONLY fd for the original O_RDWR one */
578 r
= open(pattern
, O_RDONLY
|O_CLOEXEC
);
583 (void) unlink(pattern
);
590 /* When the data is smaller or equal to 64K, try to place the copy in a memfd/pipe */
591 #define DATA_FD_MEMORY_LIMIT (64U*1024U)
593 /* If memfd/pipe didn't work out, then let's use a file in /tmp up to a size of 1M. If it's large than that use /var/tmp instead. */
594 #define DATA_FD_TMP_LIMIT (1024U*1024U)
596 int fd_duplicate_data_fd(int fd
) {
598 _cleanup_close_
int copy_fd
= -1, tmp_fd
= -1;
599 _cleanup_free_
void *remains
= NULL
;
600 size_t remains_size
= 0;
605 /* Creates a 'data' fd from the specified source fd, containing all the same data in a read-only fashion, but
606 * independent of it (i.e. the source fd can be closed and unmounted after this call succeeded). Tries to be
607 * somewhat smart about where to place the data. In the best case uses a memfd(). If memfd() are not supported
608 * uses a pipe instead. For larger data will use an unlinked file in /tmp, and for even larger data one in
611 if (fstat(fd
, &st
) < 0)
614 /* For now, let's only accept regular files, sockets, pipes and char devices */
615 if (S_ISDIR(st
.st_mode
))
617 if (S_ISLNK(st
.st_mode
))
619 if (!S_ISREG(st
.st_mode
) && !S_ISSOCK(st
.st_mode
) && !S_ISFIFO(st
.st_mode
) && !S_ISCHR(st
.st_mode
))
622 /* If we have reason to believe the data is bounded in size, then let's use memfds or pipes as backing fd. Note
623 * that we use the reported regular file size only as a hint, given that there are plenty special files in
624 * /proc and /sys which report a zero file size but can be read from. */
626 if (!S_ISREG(st
.st_mode
) || st
.st_size
< DATA_FD_MEMORY_LIMIT
) {
628 /* Try a memfd first */
629 copy_fd
= memfd_new("data-fd");
633 r
= copy_bytes(fd
, copy_fd
, DATA_FD_MEMORY_LIMIT
, 0);
637 f
= lseek(copy_fd
, 0, SEEK_SET
);
642 /* Did it fit into the limit? If so, we are done. */
643 r
= memfd_set_sealed(copy_fd
);
647 return TAKE_FD(copy_fd
);
650 /* Hmm, pity, this didn't fit. Let's fall back to /tmp then, see below */
653 _cleanup_(close_pairp
) int pipefds
[2] = { -1, -1 };
656 /* If memfds aren't available, use a pipe. Set O_NONBLOCK so that we will get EAGAIN rather
657 * then block indefinitely when we hit the pipe size limit */
659 if (pipe2(pipefds
, O_CLOEXEC
|O_NONBLOCK
) < 0)
662 isz
= fcntl(pipefds
[1], F_GETPIPE_SZ
, 0);
666 /* Try to enlarge the pipe size if necessary */
667 if ((size_t) isz
< DATA_FD_MEMORY_LIMIT
) {
669 (void) fcntl(pipefds
[1], F_SETPIPE_SZ
, DATA_FD_MEMORY_LIMIT
);
671 isz
= fcntl(pipefds
[1], F_GETPIPE_SZ
, 0);
676 if ((size_t) isz
>= DATA_FD_MEMORY_LIMIT
) {
678 r
= copy_bytes_full(fd
, pipefds
[1], DATA_FD_MEMORY_LIMIT
, 0, &remains
, &remains_size
, NULL
, NULL
);
679 if (r
< 0 && r
!= -EAGAIN
)
680 return r
; /* If we get EAGAIN it could be because of the source or because of
681 * the destination fd, we can't know, as sendfile() and friends won't
682 * tell us. Hence, treat this as reason to fall back, just to be
685 /* Everything fit in, yay! */
686 (void) fd_nonblock(pipefds
[0], false);
688 return TAKE_FD(pipefds
[0]);
691 /* Things didn't fit in. But we read data into the pipe, let's remember that, so that
692 * when writing the new file we incorporate this first. */
693 copy_fd
= TAKE_FD(pipefds
[0]);
698 /* If we have reason to believe this will fit fine in /tmp, then use that as first fallback. */
699 if ((!S_ISREG(st
.st_mode
) || st
.st_size
< DATA_FD_TMP_LIMIT
) &&
700 (DATA_FD_MEMORY_LIMIT
+ remains_size
) < DATA_FD_TMP_LIMIT
) {
703 tmp_fd
= open_tmpfile_unlinkable(NULL
/* NULL as directory means /tmp */, O_RDWR
|O_CLOEXEC
);
708 /* If we tried a memfd/pipe first and it ended up being too large, then copy this into the
709 * temporary file first. */
711 r
= copy_bytes(copy_fd
, tmp_fd
, UINT64_MAX
, 0);
718 if (remains_size
> 0) {
719 /* If there were remaining bytes (i.e. read into memory, but not written out yet) from the
720 * failed copy operation, let's flush them out next. */
722 r
= loop_write(tmp_fd
, remains
, remains_size
, false);
727 r
= copy_bytes(fd
, tmp_fd
, DATA_FD_TMP_LIMIT
- DATA_FD_MEMORY_LIMIT
- remains_size
, COPY_REFLINK
);
731 goto finish
; /* Yay, it fit in */
733 /* It didn't fit in. Let's not forget to use what we already used */
734 f
= lseek(tmp_fd
, 0, SEEK_SET
);
739 copy_fd
= TAKE_FD(tmp_fd
);
741 remains
= mfree(remains
);
745 /* As last fallback use /var/tmp */
746 r
= var_tmp_dir(&td
);
750 tmp_fd
= open_tmpfile_unlinkable(td
, O_RDWR
|O_CLOEXEC
);
755 /* If we tried a memfd/pipe first, or a file in /tmp, and it ended up being too large, than copy this
756 * into the temporary file first. */
757 r
= copy_bytes(copy_fd
, tmp_fd
, UINT64_MAX
, COPY_REFLINK
);
764 if (remains_size
> 0) {
765 /* Then, copy in any read but not yet written bytes. */
766 r
= loop_write(tmp_fd
, remains
, remains_size
, false);
771 /* Copy in the rest */
772 r
= copy_bytes(fd
, tmp_fd
, UINT64_MAX
, COPY_REFLINK
);
779 /* Now convert the O_RDWR file descriptor into an O_RDONLY one (and as side effect seek to the beginning of the
782 return fd_reopen(tmp_fd
, O_RDONLY
|O_CLOEXEC
);
785 int fd_move_above_stdio(int fd
) {
789 /* Moves the specified file descriptor if possible out of the range [0…2], i.e. the range of
790 * stdin/stdout/stderr. If it can't be moved outside of this range the original file descriptor is
791 * returned. This call is supposed to be used for long-lasting file descriptors we allocate in our code that
792 * might get loaded into foreign code, and where we want ensure our fds are unlikely used accidentally as
793 * stdin/stdout/stderr of unrelated code.
795 * Note that this doesn't fix any real bugs, it just makes it less likely that our code will be affected by
796 * buggy code from others that mindlessly invokes 'fprintf(stderr, …' or similar in places where stderr has
797 * been closed before.
799 * This function is written in a "best-effort" and "least-impact" style. This means whenever we encounter an
800 * error we simply return the original file descriptor, and we do not touch errno. */
802 if (fd
< 0 || fd
> 2)
805 flags
= fcntl(fd
, F_GETFD
, 0);
809 if (flags
& FD_CLOEXEC
)
810 copy
= fcntl(fd
, F_DUPFD_CLOEXEC
, 3);
812 copy
= fcntl(fd
, F_DUPFD
, 3);
822 int rearrange_stdio(int original_input_fd
, int original_output_fd
, int original_error_fd
) {
824 int fd
[3] = { /* Put together an array of fds we work on */
831 null_fd
= -1, /* if we open /dev/null, we store the fd to it here */
832 copy_fd
[3] = { -1, -1, -1 }; /* This contains all fds we duplicate here temporarily, and hence need to close at the end */
833 bool null_readable
, null_writable
;
835 /* Sets up stdin, stdout, stderr with the three file descriptors passed in. If any of the descriptors is
836 * specified as -1 it will be connected with /dev/null instead. If any of the file descriptors is passed as
837 * itself (e.g. stdin as STDIN_FILENO) it is left unmodified, but the O_CLOEXEC bit is turned off should it be
840 * Note that if any of the passed file descriptors are > 2 they will be closed — both on success and on
841 * failure! Thus, callers should assume that when this function returns the input fds are invalidated.
843 * Note that when this function fails stdin/stdout/stderr might remain half set up!
845 * O_CLOEXEC is turned off for all three file descriptors (which is how it should be for
846 * stdin/stdout/stderr). */
848 null_readable
= original_input_fd
< 0;
849 null_writable
= original_output_fd
< 0 || original_error_fd
< 0;
851 /* First step, open /dev/null once, if we need it */
852 if (null_readable
|| null_writable
) {
854 /* Let's open this with O_CLOEXEC first, and convert it to non-O_CLOEXEC when we move the fd to the final position. */
855 null_fd
= open("/dev/null", (null_readable
&& null_writable
? O_RDWR
:
856 null_readable
? O_RDONLY
: O_WRONLY
) | O_CLOEXEC
);
862 /* If this fd is in the 0…2 range, let's move it out of it */
866 copy
= fcntl(null_fd
, F_DUPFD_CLOEXEC
, 3); /* Duplicate this with O_CLOEXEC set */
877 /* Let's assemble fd[] with the fds to install in place of stdin/stdout/stderr */
878 for (i
= 0; i
< 3; i
++) {
881 fd
[i
] = null_fd
; /* A negative parameter means: connect this one to /dev/null */
882 else if (fd
[i
] != i
&& fd
[i
] < 3) {
883 /* This fd is in the 0…2 territory, but not at its intended place, move it out of there, so that we can work there. */
884 copy_fd
[i
] = fcntl(fd
[i
], F_DUPFD_CLOEXEC
, 3); /* Duplicate this with O_CLOEXEC set */
885 if (copy_fd
[i
] < 0) {
894 /* At this point we now have the fds to use in fd[], and they are all above the stdio range, so that we
895 * have freedom to move them around. If the fds already were at the right places then the specific fds are
896 * -1. Let's now move them to the right places. This is the point of no return. */
897 for (i
= 0; i
< 3; i
++) {
901 /* fd is already in place, but let's make sure O_CLOEXEC is off */
902 r
= fd_cloexec(i
, false);
909 if (dup2(fd
[i
], i
) < 0) { /* Turns off O_CLOEXEC on the new fd. */
919 /* Close the original fds, but only if they were outside of the stdio range. Also, properly check for the same
920 * fd passed in multiple times. */
921 safe_close_above_stdio(original_input_fd
);
922 if (original_output_fd
!= original_input_fd
)
923 safe_close_above_stdio(original_output_fd
);
924 if (original_error_fd
!= original_input_fd
&& original_error_fd
!= original_output_fd
)
925 safe_close_above_stdio(original_error_fd
);
927 /* Close the copies we moved > 2 */
928 for (i
= 0; i
< 3; i
++)
929 safe_close(copy_fd
[i
]);
931 /* Close our null fd, if it's > 2 */
932 safe_close_above_stdio(null_fd
);
937 int fd_reopen(int fd
, int flags
) {
938 char procfs_path
[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
941 /* Reopens the specified fd with new flags. This is useful for convert an O_PATH fd into a regular one, or to
942 * turn O_RDWR fds into O_RDONLY fds.
944 * This doesn't work on sockets (since they cannot be open()ed, ever).
946 * This implicitly resets the file read index to 0. */
948 xsprintf(procfs_path
, "/proc/self/fd/%i", fd
);
949 new_fd
= open(procfs_path
, flags
);
956 int read_nr_open(void) {
957 _cleanup_free_
char *nr_open
= NULL
;
960 /* Returns the kernel's current fd limit, either by reading it of /proc/sys if that works, or using the
961 * hard-coded default compiled-in value of current kernels (1M) if not. This call will never fail. */
963 r
= read_one_line_file("/proc/sys/fs/nr_open", &nr_open
);
965 log_debug_errno(r
, "Failed to read /proc/sys/fs/nr_open, ignoring: %m");
969 r
= safe_atoi(nr_open
, &v
);
971 log_debug_errno(r
, "Failed to parse /proc/sys/fs/nr_open value '%s', ignoring: %m", nr_open
);
976 /* If we fail, fallback to the hard-coded kernel limit of 1024 * 1024. */