]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/basic/fs-util.c
projects / thirdparty / systemd.git / blob
? search:


ce1f5454c83e1ba5a67d8067a0a2e4fb0ee204d7
[thirdparty/systemd.git] / src / basic / fs-util.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #include <errno.h>
4 #include <stddef.h>
5 #include <stdio.h>
6 #include <stdlib.h>
7 #include <string.h>
8 #include <sys/stat.h>
9 #include <linux/falloc.h>
10 #include <linux/magic.h>
11 #include <time.h>
12 #include <unistd.h>
13
14 #include "alloc-util.h"
15 #include "dirent-util.h"
16 #include "fd-util.h"
17 #include "fs-util.h"
18 #include "locale-util.h"
19 #include "log.h"
20 #include "macro.h"
21 #include "missing.h"
22 #include "mkdir.h"
23 #include "parse-util.h"
24 #include "path-util.h"
25 #include "process-util.h"
26 #include "stat-util.h"
27 #include "stdio-util.h"
28 #include "string-util.h"
29 #include "strv.h"
30 #include "time-util.h"
31 #include "tmpfile-util.h"
32 #include "user-util.h"
33 #include "util.h"
34
35 int unlink_noerrno(const char *path) {
36 PROTECT_ERRNO;
37 int r;
38
39 r = unlink(path);
40 if (r < 0)
41 return -errno;
42
43 return 0;
44 }
45
46 int rmdir_parents(const char *path, const char *stop) {
47 size_t l;
48 int r = 0;
49
50 assert(path);
51 assert(stop);
52
53 l = strlen(path);
54
55 /* Skip trailing slashes */
56 while (l > 0 && path[l-1] == '/')
57 l--;
58
59 while (l > 0) {
60 char *t;
61
62 /* Skip last component */
63 while (l > 0 && path[l-1] != '/')
64 l--;
65
66 /* Skip trailing slashes */
67 while (l > 0 && path[l-1] == '/')
68 l--;
69
70 if (l <= 0)
71 break;
72
73 t = strndup(path, l);
74 if (!t)
75 return -ENOMEM;
76
77 if (path_startswith(stop, t)) {
78 free(t);
79 return 0;
80 }
81
82 r = rmdir(t);
83 free(t);
84
85 if (r < 0)
86 if (errno != ENOENT)
87 return -errno;
88 }
89
90 return 0;
91 }
92
93 int rename_noreplace(int olddirfd, const char *oldpath, int newdirfd, const char *newpath) {
94 int r;
95
96 /* Try the ideal approach first */
97 if (renameat2(olddirfd, oldpath, newdirfd, newpath, RENAME_NOREPLACE) >= 0)
98 return 0;
99
100 /* renameat2() exists since Linux 3.15, btrfs and FAT added support for it later. If it is not implemented,
101 * fall back to a different method. */
102 if (!IN_SET(errno, EINVAL, ENOSYS, ENOTTY))
103 return -errno;
104
105 /* Let's try to use linkat()+unlinkat() as fallback. This doesn't work on directories and on some file systems
106 * that do not support hard links (such as FAT, most prominently), but for files it's pretty close to what we
107 * want — though not atomic (i.e. for a short period both the new and the old filename will exist). */
108 if (linkat(olddirfd, oldpath, newdirfd, newpath, 0) >= 0) {
109
110 if (unlinkat(olddirfd, oldpath, 0) < 0) {
111 r = -errno; /* Backup errno before the following unlinkat() alters it */
112 (void) unlinkat(newdirfd, newpath, 0);
113 return r;
114 }
115
116 return 0;
117 }
118
119 if (!IN_SET(errno, EINVAL, ENOSYS, ENOTTY, EPERM)) /* FAT returns EPERM on link()â€Ļ */
120 return -errno;
121
122 /* OK, neither RENAME_NOREPLACE nor linkat()+unlinkat() worked. Let's then fallback to the racy TOCTOU
123 * vulnerable accessat(F_OK) check followed by classic, replacing renameat(), we have nothing better. */
124
125 if (faccessat(newdirfd, newpath, F_OK, AT_SYMLINK_NOFOLLOW) >= 0)
126 return -EEXIST;
127 if (errno != ENOENT)
128 return -errno;
129
130 if (renameat(olddirfd, oldpath, newdirfd, newpath) < 0)
131 return -errno;
132
133 return 0;
134 }
135
136 int readlinkat_malloc(int fd, const char *p, char **ret) {
137 size_t l = FILENAME_MAX+1;
138 int r;
139
140 assert(p);
141 assert(ret);
142
143 for (;;) {
144 char *c;
145 ssize_t n;
146
147 c = new(char, l);
148 if (!c)
149 return -ENOMEM;
150
151 n = readlinkat(fd, p, c, l-1);
152 if (n < 0) {
153 r = -errno;
154 free(c);
155 return r;
156 }
157
158 if ((size_t) n < l-1) {
159 c[n] = 0;
160 *ret = c;
161 return 0;
162 }
163
164 free(c);
165 l *= 2;
166 }
167 }
168
169 int readlink_malloc(const char *p, char **ret) {
170 return readlinkat_malloc(AT_FDCWD, p, ret);
171 }
172
173 int readlink_value(const char *p, char **ret) {
174 _cleanup_free_ char *link = NULL;
175 char *value;
176 int r;
177
178 r = readlink_malloc(p, &link);
179 if (r < 0)
180 return r;
181
182 value = basename(link);
183 if (!value)
184 return -ENOENT;
185
186 value = strdup(value);
187 if (!value)
188 return -ENOMEM;
189
190 *ret = value;
191
192 return 0;
193 }
194
195 int readlink_and_make_absolute(const char *p, char **r) {
196 _cleanup_free_ char *target = NULL;
197 char *k;
198 int j;
199
200 assert(p);
201 assert(r);
202
203 j = readlink_malloc(p, &target);
204 if (j < 0)
205 return j;
206
207 k = file_in_same_dir(p, target);
208 if (!k)
209 return -ENOMEM;
210
211 *r = k;
212 return 0;
213 }
214
215 int chmod_and_chown(const char *path, mode_t mode, uid_t uid, gid_t gid) {
216 char fd_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
217 _cleanup_close_ int fd = -1;
218 bool st_valid = false;
219 struct stat st;
220 int r;
221
222 assert(path);
223
224 /* Under the assumption that we are running privileged we first change the access mode and only then
225 * hand out ownership to avoid a window where access is too open. */
226
227 fd = open(path, O_PATH|O_CLOEXEC|O_NOFOLLOW); /* Let's acquire an O_PATH fd, as precaution to change
228 * mode/owner on the same file */
229 if (fd < 0)
230 return -errno;
231
232 xsprintf(fd_path, "/proc/self/fd/%i", fd);
233
234 if (mode != MODE_INVALID) {
235 if ((mode & S_IFMT) != 0) {
236
237 if (stat(fd_path, &st) < 0)
238 return -errno;
239
240 if ((mode & S_IFMT) != (st.st_mode & S_IFMT))
241 return -EINVAL;
242
243 st_valid = true;
244 }
245
246 if (chmod(fd_path, mode & 07777) < 0) {
247 r = -errno;
248
249 if (!st_valid && stat(fd_path, &st) < 0)
250 return -errno;
251
252 if ((mode & 07777) != (st.st_mode & 07777))
253 return r;
254
255 st_valid = true;
256 }
257 }
258
259 if (uid != UID_INVALID || gid != GID_INVALID) {
260 if (chown(fd_path, uid, gid) < 0) {
261 r = -errno;
262
263 if (!st_valid && stat(fd_path, &st) < 0)
264 return -errno;
265
266 if (uid != UID_INVALID && st.st_uid != uid)
267 return r;
268 if (gid != GID_INVALID && st.st_gid != gid)
269 return r;
270 }
271 }
272
273 return 0;
274 }
275
276 int fchmod_and_chown(int fd, mode_t mode, uid_t uid, gid_t gid) {
277 bool st_valid = false;
278 struct stat st;
279 int r;
280
281 /* Under the assumption that we are running privileged we first change the access mode and only then hand out
282 * ownership to avoid a window where access is too open. */
283
284 if (mode != MODE_INVALID) {
285 if ((mode & S_IFMT) != 0) {
286
287 if (fstat(fd, &st) < 0)
288 return -errno;
289
290 if ((mode & S_IFMT) != (st.st_mode & S_IFMT))
291 return -EINVAL;
292
293 st_valid = true;
294 }
295
296 if (fchmod(fd, mode & 07777) < 0) {
297 r = -errno;
298
299 if (!st_valid && fstat(fd, &st) < 0)
300 return -errno;
301
302 if ((mode & 07777) != (st.st_mode & 07777))
303 return r;
304
305 st_valid = true;
306 }
307 }
308
309 if (uid != UID_INVALID || gid != GID_INVALID)
310 if (fchown(fd, uid, gid) < 0) {
311 r = -errno;
312
313 if (!st_valid && fstat(fd, &st) < 0)
314 return -errno;
315
316 if (uid != UID_INVALID && st.st_uid != uid)
317 return r;
318 if (gid != GID_INVALID && st.st_gid != gid)
319 return r;
320 }
321
322 return 0;
323 }
324
325 int fchmod_umask(int fd, mode_t m) {
326 mode_t u;
327 int r;
328
329 u = umask(0777);
330 r = fchmod(fd, m & (~u)) < 0 ? -errno : 0;
331 umask(u);
332
333 return r;
334 }
335
336 int fchmod_opath(int fd, mode_t m) {
337 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
338
339 /* This function operates also on fd that might have been opened with
340 * O_PATH. Indeed fchmodat() doesn't have the AT_EMPTY_PATH flag like
341 * fchownat() does. */
342
343 xsprintf(procfs_path, "/proc/self/fd/%i", fd);
344 if (chmod(procfs_path, m) < 0)
345 return -errno;
346
347 return 0;
348 }
349
350 int fd_warn_permissions(const char *path, int fd) {
351 struct stat st;
352
353 if (fstat(fd, &st) < 0)
354 return -errno;
355
356 if (st.st_mode & 0111)
357 log_warning("Configuration file %s is marked executable. Please remove executable permission bits. Proceeding anyway.", path);
358
359 if (st.st_mode & 0002)
360 log_warning("Configuration file %s is marked world-writable. Please remove world writability permission bits. Proceeding anyway.", path);
361
362 if (getpid_cached() == 1 && (st.st_mode & 0044) != 0044)
363 log_warning("Configuration file %s is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.", path);
364
365 return 0;
366 }
367
368 int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode) {
369 char fdpath[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
370 _cleanup_close_ int fd = -1;
371 int r, ret = 0;
372
373 assert(path);
374
375 /* Note that touch_file() does not follow symlinks: if invoked on an existing symlink, then it is the symlink
376 * itself which is updated, not its target
377 *
378 * Returns the first error we encounter, but tries to apply as much as possible. */
379
380 if (parents)
381 (void) mkdir_parents(path, 0755);
382
383 /* Initially, we try to open the node with O_PATH, so that we get a reference to the node. This is useful in
384 * case the path refers to an existing device or socket node, as we can open it successfully in all cases, and
385 * won't trigger any driver magic or so. */
386 fd = open(path, O_PATH|O_CLOEXEC|O_NOFOLLOW);
387 if (fd < 0) {
388 if (errno != ENOENT)
389 return -errno;
390
391 /* if the node doesn't exist yet, we create it, but with O_EXCL, so that we only create a regular file
392 * here, and nothing else */
393 fd = open(path, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, IN_SET(mode, 0, MODE_INVALID) ? 0644 : mode);
394 if (fd < 0)
395 return -errno;
396 }
397
398 /* Let's make a path from the fd, and operate on that. With this logic, we can adjust the access mode,
399 * ownership and time of the file node in all cases, even if the fd refers to an O_PATH object — which is
400 * something fchown(), fchmod(), futimensat() don't allow. */
401 xsprintf(fdpath, "/proc/self/fd/%i", fd);
402
403 if (mode != MODE_INVALID)
404 if (chmod(fdpath, mode) < 0)
405 ret = -errno;
406
407 if (uid_is_valid(uid) || gid_is_valid(gid))
408 if (chown(fdpath, uid, gid) < 0 && ret >= 0)
409 ret = -errno;
410
411 if (stamp != USEC_INFINITY) {
412 struct timespec ts[2];
413
414 timespec_store(&ts[0], stamp);
415 ts[1] = ts[0];
416 r = utimensat(AT_FDCWD, fdpath, ts, 0);
417 } else
418 r = utimensat(AT_FDCWD, fdpath, NULL, 0);
419 if (r < 0 && ret >= 0)
420 return -errno;
421
422 return ret;
423 }
424
425 int touch(const char *path) {
426 return touch_file(path, false, USEC_INFINITY, UID_INVALID, GID_INVALID, MODE_INVALID);
427 }
428
429 int symlink_idempotent(const char *from, const char *to, bool make_relative) {
430 _cleanup_free_ char *relpath = NULL;
431 int r;
432
433 assert(from);
434 assert(to);
435
436 if (make_relative) {
437 _cleanup_free_ char *parent = NULL;
438
439 parent = dirname_malloc(to);
440 if (!parent)
441 return -ENOMEM;
442
443 r = path_make_relative(parent, from, &relpath);
444 if (r < 0)
445 return r;
446
447 from = relpath;
448 }
449
450 if (symlink(from, to) < 0) {
451 _cleanup_free_ char *p = NULL;
452
453 if (errno != EEXIST)
454 return -errno;
455
456 r = readlink_malloc(to, &p);
457 if (r == -EINVAL) /* Not a symlink? In that case return the original error we encountered: -EEXIST */
458 return -EEXIST;
459 if (r < 0) /* Any other error? In that case propagate it as is */
460 return r;
461
462 if (!streq(p, from)) /* Not the symlink we want it to be? In that case, propagate the original -EEXIST */
463 return -EEXIST;
464 }
465
466 return 0;
467 }
468
469 int symlink_atomic(const char *from, const char *to) {
470 _cleanup_free_ char *t = NULL;
471 int r;
472
473 assert(from);
474 assert(to);
475
476 r = tempfn_random(to, NULL, &t);
477 if (r < 0)
478 return r;
479
480 if (symlink(from, t) < 0)
481 return -errno;
482
483 if (rename(t, to) < 0) {
484 unlink_noerrno(t);
485 return -errno;
486 }
487
488 return 0;
489 }
490
491 int mknod_atomic(const char *path, mode_t mode, dev_t dev) {
492 _cleanup_free_ char *t = NULL;
493 int r;
494
495 assert(path);
496
497 r = tempfn_random(path, NULL, &t);
498 if (r < 0)
499 return r;
500
501 if (mknod(t, mode, dev) < 0)
502 return -errno;
503
504 if (rename(t, path) < 0) {
505 unlink_noerrno(t);
506 return -errno;
507 }
508
509 return 0;
510 }
511
512 int mkfifo_atomic(const char *path, mode_t mode) {
513 _cleanup_free_ char *t = NULL;
514 int r;
515
516 assert(path);
517
518 r = tempfn_random(path, NULL, &t);
519 if (r < 0)
520 return r;
521
522 if (mkfifo(t, mode) < 0)
523 return -errno;
524
525 if (rename(t, path) < 0) {
526 unlink_noerrno(t);
527 return -errno;
528 }
529
530 return 0;
531 }
532
533 int mkfifoat_atomic(int dirfd, const char *path, mode_t mode) {
534 _cleanup_free_ char *t = NULL;
535 int r;
536
537 assert(path);
538
539 if (path_is_absolute(path))
540 return mkfifo_atomic(path, mode);
541
542 /* We're only interested in the (random) filename. */
543 r = tempfn_random_child("", NULL, &t);
544 if (r < 0)
545 return r;
546
547 if (mkfifoat(dirfd, t, mode) < 0)
548 return -errno;
549
550 if (renameat(dirfd, t, dirfd, path) < 0) {
551 unlink_noerrno(t);
552 return -errno;
553 }
554
555 return 0;
556 }
557
558 int get_files_in_directory(const char *path, char ***list) {
559 _cleanup_closedir_ DIR *d = NULL;
560 struct dirent *de;
561 size_t bufsize = 0, n = 0;
562 _cleanup_strv_free_ char **l = NULL;
563
564 assert(path);
565
566 /* Returns all files in a directory in *list, and the number
567 * of files as return value. If list is NULL returns only the
568 * number. */
569
570 d = opendir(path);
571 if (!d)
572 return -errno;
573
574 FOREACH_DIRENT_ALL(de, d, return -errno) {
575 dirent_ensure_type(d, de);
576
577 if (!dirent_is_file(de))
578 continue;
579
580 if (list) {
581 /* one extra slot is needed for the terminating NULL */
582 if (!GREEDY_REALLOC(l, bufsize, n + 2))
583 return -ENOMEM;
584
585 l[n] = strdup(de->d_name);
586 if (!l[n])
587 return -ENOMEM;
588
589 l[++n] = NULL;
590 } else
591 n++;
592 }
593
594 if (list)
595 *list = TAKE_PTR(l);
596
597 return n;
598 }
599
600 static int getenv_tmp_dir(const char **ret_path) {
601 const char *n;
602 int r, ret = 0;
603
604 assert(ret_path);
605
606 /* We use the same order of environment variables python uses in tempfile.gettempdir():
607 * https://docs.python.org/3/library/tempfile.html#tempfile.gettempdir */
608 FOREACH_STRING(n, "TMPDIR", "TEMP", "TMP") {
609 const char *e;
610
611 e = secure_getenv(n);
612 if (!e)
613 continue;
614 if (!path_is_absolute(e)) {
615 r = -ENOTDIR;
616 goto next;
617 }
618 if (!path_is_normalized(e)) {
619 r = -EPERM;
620 goto next;
621 }
622
623 r = is_dir(e, true);
624 if (r < 0)
625 goto next;
626 if (r == 0) {
627 r = -ENOTDIR;
628 goto next;
629 }
630
631 *ret_path = e;
632 return 1;
633
634 next:
635 /* Remember first error, to make this more debuggable */
636 if (ret >= 0)
637 ret = r;
638 }
639
640 if (ret < 0)
641 return ret;
642
643 *ret_path = NULL;
644 return ret;
645 }
646
647 static int tmp_dir_internal(const char *def, const char **ret) {
648 const char *e;
649 int r, k;
650
651 assert(def);
652 assert(ret);
653
654 r = getenv_tmp_dir(&e);
655 if (r > 0) {
656 *ret = e;
657 return 0;
658 }
659
660 k = is_dir(def, true);
661 if (k == 0)
662 k = -ENOTDIR;
663 if (k < 0)
664 return r < 0 ? r : k;
665
666 *ret = def;
667 return 0;
668 }
669
670 int var_tmp_dir(const char **ret) {
671
672 /* Returns the location for "larger" temporary files, that is backed by physical storage if available, and thus
673 * even might survive a boot: /var/tmp. If $TMPDIR (or related environment variables) are set, its value is
674 * returned preferably however. Note that both this function and tmp_dir() below are affected by $TMPDIR,
675 * making it a variable that overrides all temporary file storage locations. */
676
677 return tmp_dir_internal("/var/tmp", ret);
678 }
679
680 int tmp_dir(const char **ret) {
681
682 /* Similar to var_tmp_dir() above, but returns the location for "smaller" temporary files, which is usually
683 * backed by an in-memory file system: /tmp. */
684
685 return tmp_dir_internal("/tmp", ret);
686 }
687
688 int unlink_or_warn(const char *filename) {
689 if (unlink(filename) < 0 && errno != ENOENT)
690 /* If the file doesn't exist and the fs simply was read-only (in which
691 * case unlink() returns EROFS even if the file doesn't exist), don't
692 * complain */
693 if (errno != EROFS || access(filename, F_OK) >= 0)
694 return log_error_errno(errno, "Failed to remove \"%s\": %m", filename);
695
696 return 0;
697 }
698
699 int inotify_add_watch_fd(int fd, int what, uint32_t mask) {
700 char path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
701 int r;
702
703 /* This is like inotify_add_watch(), except that the file to watch is not referenced by a path, but by an fd */
704 xsprintf(path, "/proc/self/fd/%i", what);
705
706 r = inotify_add_watch(fd, path, mask);
707 if (r < 0)
708 return -errno;
709
710 return r;
711 }
712
713 static bool unsafe_transition(const struct stat *a, const struct stat *b) {
714 /* Returns true if the transition from a to b is safe, i.e. that we never transition from unprivileged to
715 * privileged files or directories. Why bother? So that unprivileged code can't symlink to privileged files
716 * making us believe we read something safe even though it isn't safe in the specific context we open it in. */
717
718 if (a->st_uid == 0) /* Transitioning from privileged to unprivileged is always fine */
719 return false;
720
721 return a->st_uid != b->st_uid; /* Otherwise we need to stay within the same UID */
722 }
723
724 static int log_unsafe_transition(int a, int b, const char *path, unsigned flags) {
725 _cleanup_free_ char *n1 = NULL, *n2 = NULL;
726
727 if (!FLAGS_SET(flags, CHASE_WARN))
728 return -ENOLINK;
729
730 (void) fd_get_path(a, &n1);
731 (void) fd_get_path(b, &n2);
732
733 return log_warning_errno(SYNTHETIC_ERRNO(ENOLINK),
734 "Detected unsafe path transition %s %s %s during canonicalization of %s.",
735 n1, special_glyph(SPECIAL_GLYPH_ARROW), n2, path);
736 }
737
738 static int log_autofs_mount_point(int fd, const char *path, unsigned flags) {
739 _cleanup_free_ char *n1 = NULL;
740
741 if (!FLAGS_SET(flags, CHASE_WARN))
742 return -EREMOTE;
743
744 (void) fd_get_path(fd, &n1);
745
746 return log_warning_errno(SYNTHETIC_ERRNO(EREMOTE),
747 "Detected autofs mount point %s during canonicalization of %s.",
748 n1, path);
749 }
750
751 int chase_symlinks(const char *path, const char *original_root, unsigned flags, char **ret) {
752 _cleanup_free_ char *buffer = NULL, *done = NULL, *root = NULL;
753 _cleanup_close_ int fd = -1;
754 unsigned max_follow = CHASE_SYMLINKS_MAX; /* how many symlinks to follow before giving up and returning ELOOP */
755 struct stat previous_stat;
756 bool exists = true;
757 char *todo;
758 int r;
759
760 assert(path);
761
762 /* Either the file may be missing, or we return an fd to the final object, but both make no sense */
763 if (FLAGS_SET(flags, CHASE_NONEXISTENT | CHASE_OPEN))
764 return -EINVAL;
765
766 if (FLAGS_SET(flags, CHASE_STEP | CHASE_OPEN))
767 return -EINVAL;
768
769 if (isempty(path))
770 return -EINVAL;
771
772 /* This is a lot like canonicalize_file_name(), but takes an additional "root" parameter, that allows following
773 * symlinks relative to a root directory, instead of the root of the host.
774 *
775 * Note that "root" primarily matters if we encounter an absolute symlink. It is also used when following
776 * relative symlinks to ensure they cannot be used to "escape" the root directory. The path parameter passed is
777 * assumed to be already prefixed by it, except if the CHASE_PREFIX_ROOT flag is set, in which case it is first
778 * prefixed accordingly.
779 *
780 * Algorithmically this operates on two path buffers: "done" are the components of the path we already
781 * processed and resolved symlinks, "." and ".." of. "todo" are the components of the path we still need to
782 * process. On each iteration, we move one component from "todo" to "done", processing it's special meaning
783 * each time. The "todo" path always starts with at least one slash, the "done" path always ends in no
784 * slash. We always keep an O_PATH fd to the component we are currently processing, thus keeping lookup races
785 * at a minimum.
786 *
787 * Suggested usage: whenever you want to canonicalize a path, use this function. Pass the absolute path you got
788 * as-is: fully qualified and relative to your host's root. Optionally, specify the root parameter to tell this
789 * function what to do when encountering a symlink with an absolute path as directory: prefix it by the
790 * specified path.
791 *
792 * There are three ways to invoke this function:
793 *
794 * 1. Without CHASE_STEP or CHASE_OPEN: in this case the path is resolved and the normalized path is returned
795 * in `ret`. The return value is < 0 on error. If CHASE_NONEXISTENT is also set 0 is returned if the file
796 * doesn't exist, > 0 otherwise. If CHASE_NONEXISTENT is not set >= 0 is returned if the destination was
797 * found, -ENOENT if it doesn't.
798 *
799 * 2. With CHASE_OPEN: in this case the destination is opened after chasing it as O_PATH and this file
800 * descriptor is returned as return value. This is useful to open files relative to some root
801 * directory. Note that the returned O_PATH file descriptors must be converted into a regular one (using
802 * fd_reopen() or such) before it can be used for reading/writing. CHASE_OPEN may not be combined with
803 * CHASE_NONEXISTENT.
804 *
805 * 3. With CHASE_STEP: in this case only a single step of the normalization is executed, i.e. only the first
806 * symlink or ".." component of the path is resolved, and the resulting path is returned. This is useful if
807 * a caller wants to trace the a path through the file system verbosely. Returns < 0 on error, > 0 if the
808 * path is fully normalized, and == 0 for each normalization step. This may be combined with
809 * CHASE_NONEXISTENT, in which case 1 is returned when a component is not found.
810 *
811 * 4. With CHASE_SAFE: in this case the path must not contain unsafe transitions, i.e. transitions from
812 * unprivileged to privileged files or directories. In such cases the return value is -ENOLINK. If
813 * CHASE_WARN is also set a warning describing the unsafe transition is emitted.
814 *
815 * 5. With CHASE_NO_AUTOFS: in this case if an autofs mount point is encountered, the path normalization is
816 * aborted and -EREMOTE is returned. If CHASE_WARN is also set a warning showing the path of the mount point
817 * is emitted.
818 *
819 * */
820
821 /* A root directory of "/" or "" is identical to none */
822 if (empty_or_root(original_root))
823 original_root = NULL;
824
825 if (!original_root && !ret && (flags & (CHASE_NONEXISTENT|CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_OPEN|CHASE_STEP)) == CHASE_OPEN) {
826 /* Shortcut the CHASE_OPEN case if the caller isn't interested in the actual path and has no root set
827 * and doesn't care about any of the other special features we provide either. */
828 r = open(path, O_PATH|O_CLOEXEC|((flags & CHASE_NOFOLLOW) ? O_NOFOLLOW : 0));
829 if (r < 0)
830 return -errno;
831
832 return r;
833 }
834
835 if (original_root) {
836 r = path_make_absolute_cwd(original_root, &root);
837 if (r < 0)
838 return r;
839
840 if (flags & CHASE_PREFIX_ROOT) {
841
842 /* We don't support relative paths in combination with a root directory */
843 if (!path_is_absolute(path))
844 return -EINVAL;
845
846 path = prefix_roota(root, path);
847 }
848 }
849
850 r = path_make_absolute_cwd(path, &buffer);
851 if (r < 0)
852 return r;
853
854 fd = open("/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
855 if (fd < 0)
856 return -errno;
857
858 if (flags & CHASE_SAFE) {
859 if (fstat(fd, &previous_stat) < 0)
860 return -errno;
861 }
862
863 todo = buffer;
864 for (;;) {
865 _cleanup_free_ char *first = NULL;
866 _cleanup_close_ int child = -1;
867 struct stat st;
868 size_t n, m;
869
870 /* Determine length of first component in the path */
871 n = strspn(todo, "/"); /* The slashes */
872 m = n + strcspn(todo + n, "/"); /* The entire length of the component */
873
874 /* Extract the first component. */
875 first = strndup(todo, m);
876 if (!first)
877 return -ENOMEM;
878
879 todo += m;
880
881 /* Empty? Then we reached the end. */
882 if (isempty(first))
883 break;
884
885 /* Just a single slash? Then we reached the end. */
886 if (path_equal(first, "/")) {
887 /* Preserve the trailing slash */
888
889 if (flags & CHASE_TRAIL_SLASH)
890 if (!strextend(&done, "/", NULL))
891 return -ENOMEM;
892
893 break;
894 }
895
896 /* Just a dot? Then let's eat this up. */
897 if (path_equal(first, "/."))
898 continue;
899
900 /* Two dots? Then chop off the last bit of what we already found out. */
901 if (path_equal(first, "/..")) {
902 _cleanup_free_ char *parent = NULL;
903 _cleanup_close_ int fd_parent = -1;
904
905 /* If we already are at the top, then going up will not change anything. This is in-line with
906 * how the kernel handles this. */
907 if (empty_or_root(done))
908 continue;
909
910 parent = dirname_malloc(done);
911 if (!parent)
912 return -ENOMEM;
913
914 /* Don't allow this to leave the root dir. */
915 if (root &&
916 path_startswith(done, root) &&
917 !path_startswith(parent, root))
918 continue;
919
920 free_and_replace(done, parent);
921
922 if (flags & CHASE_STEP)
923 goto chased_one;
924
925 fd_parent = openat(fd, "..", O_CLOEXEC|O_NOFOLLOW|O_PATH);
926 if (fd_parent < 0)
927 return -errno;
928
929 if (flags & CHASE_SAFE) {
930 if (fstat(fd_parent, &st) < 0)
931 return -errno;
932
933 if (unsafe_transition(&previous_stat, &st))
934 return log_unsafe_transition(fd, fd_parent, path, flags);
935
936 previous_stat = st;
937 }
938
939 safe_close(fd);
940 fd = TAKE_FD(fd_parent);
941
942 continue;
943 }
944
945 /* Otherwise let's see what this is. */
946 child = openat(fd, first + n, O_CLOEXEC|O_NOFOLLOW|O_PATH);
947 if (child < 0) {
948
949 if (errno == ENOENT &&
950 (flags & CHASE_NONEXISTENT) &&
951 (isempty(todo) || path_is_normalized(todo))) {
952
953 /* If CHASE_NONEXISTENT is set, and the path does not exist, then that's OK, return
954 * what we got so far. But don't allow this if the remaining path contains "../ or "./"
955 * or something else weird. */
956
957 /* If done is "/", as first also contains slash at the head, then remove this redundant slash. */
958 if (streq_ptr(done, "/"))
959 *done = '\0';
960
961 if (!strextend(&done, first, todo, NULL))
962 return -ENOMEM;
963
964 exists = false;
965 break;
966 }
967
968 return -errno;
969 }
970
971 if (fstat(child, &st) < 0)
972 return -errno;
973 if ((flags & CHASE_SAFE) &&
974 (empty_or_root(root) || (size_t)(todo - buffer) > strlen(root)) &&
975 unsafe_transition(&previous_stat, &st))
976 return log_unsafe_transition(fd, child, path, flags);
977
978 previous_stat = st;
979
980 if ((flags & CHASE_NO_AUTOFS) &&
981 fd_is_fs_type(child, AUTOFS_SUPER_MAGIC) > 0)
982 return log_autofs_mount_point(child, path, flags);
983
984 if (S_ISLNK(st.st_mode) && !((flags & CHASE_NOFOLLOW) && isempty(todo))) {
985 char *joined;
986
987 _cleanup_free_ char *destination = NULL;
988
989 /* This is a symlink, in this case read the destination. But let's make sure we don't follow
990 * symlinks without bounds. */
991 if (--max_follow <= 0)
992 return -ELOOP;
993
994 r = readlinkat_malloc(fd, first + n, &destination);
995 if (r < 0)
996 return r;
997 if (isempty(destination))
998 return -EINVAL;
999
1000 if (path_is_absolute(destination)) {
1001
1002 /* An absolute destination. Start the loop from the beginning, but use the root
1003 * directory as base. */
1004
1005 safe_close(fd);
1006 fd = open(root ?: "/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
1007 if (fd < 0)
1008 return -errno;
1009
1010 if (flags & CHASE_SAFE) {
1011 if (fstat(fd, &st) < 0)
1012 return -errno;
1013
1014 if (unsafe_transition(&previous_stat, &st))
1015 return log_unsafe_transition(child, fd, path, flags);
1016
1017 previous_stat = st;
1018 }
1019
1020 free(done);
1021
1022 /* Note that we do not revalidate the root, we take it as is. */
1023 if (isempty(root))
1024 done = NULL;
1025 else {
1026 done = strdup(root);
1027 if (!done)
1028 return -ENOMEM;
1029 }
1030
1031 /* Prefix what's left to do with what we just read, and start the loop again, but
1032 * remain in the current directory. */
1033 joined = strjoin(destination, todo);
1034 } else
1035 joined = strjoin("/", destination, todo);
1036 if (!joined)
1037 return -ENOMEM;
1038
1039 free(buffer);
1040 todo = buffer = joined;
1041
1042 if (flags & CHASE_STEP)
1043 goto chased_one;
1044
1045 continue;
1046 }
1047
1048 /* If this is not a symlink, then let's just add the name we read to what we already verified. */
1049 if (!done)
1050 done = TAKE_PTR(first);
1051 else {
1052 /* If done is "/", as first also contains slash at the head, then remove this redundant slash. */
1053 if (streq(done, "/"))
1054 *done = '\0';
1055
1056 if (!strextend(&done, first, NULL))
1057 return -ENOMEM;
1058 }
1059
1060 /* And iterate again, but go one directory further down. */
1061 safe_close(fd);
1062 fd = TAKE_FD(child);
1063 }
1064
1065 if (!done) {
1066 /* Special case, turn the empty string into "/", to indicate the root directory. */
1067 done = strdup("/");
1068 if (!done)
1069 return -ENOMEM;
1070 }
1071
1072 if (ret)
1073 *ret = TAKE_PTR(done);
1074
1075 if (flags & CHASE_OPEN) {
1076 /* Return the O_PATH fd we currently are looking to the caller. It can translate it to a proper fd by
1077 * opening /proc/self/fd/xyz. */
1078
1079 assert(fd >= 0);
1080 return TAKE_FD(fd);
1081 }
1082
1083 if (flags & CHASE_STEP)
1084 return 1;
1085
1086 return exists;
1087
1088 chased_one:
1089 if (ret) {
1090 char *c;
1091
1092 c = strjoin(strempty(done), todo);
1093 if (!c)
1094 return -ENOMEM;
1095
1096 *ret = c;
1097 }
1098
1099 return 0;
1100 }
1101
1102 int chase_symlinks_and_open(
1103 const char *path,
1104 const char *root,
1105 unsigned chase_flags,
1106 int open_flags,
1107 char **ret_path) {
1108
1109 _cleanup_close_ int path_fd = -1;
1110 _cleanup_free_ char *p = NULL;
1111 int r;
1112
1113 if (chase_flags & CHASE_NONEXISTENT)
1114 return -EINVAL;
1115
1116 if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
1117 /* Shortcut this call if none of the special features of this call are requested */
1118 r = open(path, open_flags);
1119 if (r < 0)
1120 return -errno;
1121
1122 return r;
1123 }
1124
1125 path_fd = chase_symlinks(path, root, chase_flags|CHASE_OPEN, ret_path ? &p : NULL);
1126 if (path_fd < 0)
1127 return path_fd;
1128
1129 r = fd_reopen(path_fd, open_flags);
1130 if (r < 0)
1131 return r;
1132
1133 if (ret_path)
1134 *ret_path = TAKE_PTR(p);
1135
1136 return r;
1137 }
1138
1139 int chase_symlinks_and_opendir(
1140 const char *path,
1141 const char *root,
1142 unsigned chase_flags,
1143 char **ret_path,
1144 DIR **ret_dir) {
1145
1146 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
1147 _cleanup_close_ int path_fd = -1;
1148 _cleanup_free_ char *p = NULL;
1149 DIR *d;
1150
1151 if (!ret_dir)
1152 return -EINVAL;
1153 if (chase_flags & CHASE_NONEXISTENT)
1154 return -EINVAL;
1155
1156 if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
1157 /* Shortcut this call if none of the special features of this call are requested */
1158 d = opendir(path);
1159 if (!d)
1160 return -errno;
1161
1162 *ret_dir = d;
1163 return 0;
1164 }
1165
1166 path_fd = chase_symlinks(path, root, chase_flags|CHASE_OPEN, ret_path ? &p : NULL);
1167 if (path_fd < 0)
1168 return path_fd;
1169
1170 xsprintf(procfs_path, "/proc/self/fd/%i", path_fd);
1171 d = opendir(procfs_path);
1172 if (!d)
1173 return -errno;
1174
1175 if (ret_path)
1176 *ret_path = TAKE_PTR(p);
1177
1178 *ret_dir = d;
1179 return 0;
1180 }
1181
1182 int chase_symlinks_and_stat(
1183 const char *path,
1184 const char *root,
1185 unsigned chase_flags,
1186 char **ret_path,
1187 struct stat *ret_stat) {
1188
1189 _cleanup_close_ int path_fd = -1;
1190 _cleanup_free_ char *p = NULL;
1191
1192 assert(path);
1193 assert(ret_stat);
1194
1195 if (chase_flags & CHASE_NONEXISTENT)
1196 return -EINVAL;
1197
1198 if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
1199 /* Shortcut this call if none of the special features of this call are requested */
1200 if (stat(path, ret_stat) < 0)
1201 return -errno;
1202
1203 return 1;
1204 }
1205
1206 path_fd = chase_symlinks(path, root, chase_flags|CHASE_OPEN, ret_path ? &p : NULL);
1207 if (path_fd < 0)
1208 return path_fd;
1209
1210 if (fstat(path_fd, ret_stat) < 0)
1211 return -errno;
1212
1213 if (ret_path)
1214 *ret_path = TAKE_PTR(p);
1215
1216 if (chase_flags & CHASE_OPEN)
1217 return TAKE_FD(path_fd);
1218
1219 return 1;
1220 }
1221
1222 int access_fd(int fd, int mode) {
1223 char p[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(fd) + 1];
1224 int r;
1225
1226 /* Like access() but operates on an already open fd */
1227
1228 xsprintf(p, "/proc/self/fd/%i", fd);
1229 r = access(p, mode);
1230 if (r < 0)
1231 return -errno;
1232
1233 return r;
1234 }
1235
1236 void unlink_tempfilep(char (*p)[]) {
1237 /* If the file is created with mkstemp(), it will (almost always)
1238 * change the suffix. Treat this as a sign that the file was
1239 * successfully created. We ignore both the rare case where the
1240 * original suffix is used and unlink failures. */
1241 if (!endswith(*p, ".XXXXXX"))
1242 (void) unlink_noerrno(*p);
1243 }
1244
1245 int unlinkat_deallocate(int fd, const char *name, int flags) {
1246 _cleanup_close_ int truncate_fd = -1;
1247 struct stat st;
1248 off_t l, bs;
1249
1250 /* Operates like unlinkat() but also deallocates the file contents if it is a regular file and there's no other
1251 * link to it. This is useful to ensure that other processes that might have the file open for reading won't be
1252 * able to keep the data pinned on disk forever. This call is particular useful whenever we execute clean-up
1253 * jobs ("vacuuming"), where we want to make sure the data is really gone and the disk space released and
1254 * returned to the free pool.
1255 *
1256 * Deallocation is preferably done by FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE (👊) if supported, which means
1257 * the file won't change size. That's a good thing since we shouldn't needlessly trigger SIGBUS in other
1258 * programs that have mmap()ed the file. (The assumption here is that changing file contents to all zeroes
1259 * underneath those programs is the better choice than simply triggering SIGBUS in them which truncation does.)
1260 * However if hole punching is not implemented in the kernel or file system we'll fall back to normal file
1261 * truncation (đŸ”Ē), as our goal of deallocating the data space trumps our goal of being nice to readers (💐).
1262 *
1263 * Note that we attempt deallocation, but failure to succeed with that is not considered fatal, as long as the
1264 * primary job – to delete the file – is accomplished. */
1265
1266 if ((flags & AT_REMOVEDIR) == 0) {
1267 truncate_fd = openat(fd, name, O_WRONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|O_NONBLOCK);
1268 if (truncate_fd < 0) {
1269
1270 /* If this failed because the file doesn't exist propagate the error right-away. Also,
1271 * AT_REMOVEDIR wasn't set, and we tried to open the file for writing, which means EISDIR is
1272 * returned when this is a directory but we are not supposed to delete those, hence propagate
1273 * the error right-away too. */
1274 if (IN_SET(errno, ENOENT, EISDIR))
1275 return -errno;
1276
1277 if (errno != ELOOP) /* don't complain if this is a symlink */
1278 log_debug_errno(errno, "Failed to open file '%s' for deallocation, ignoring: %m", name);
1279 }
1280 }
1281
1282 if (unlinkat(fd, name, flags) < 0)
1283 return -errno;
1284
1285 if (truncate_fd < 0) /* Don't have a file handle, can't do more ☚ī¸ */
1286 return 0;
1287
1288 if (fstat(truncate_fd, &st) < 0) {
1289 log_debug_errno(errno, "Failed to stat file '%s' for deallocation, ignoring: %m", name);
1290 return 0;
1291 }
1292
1293 if (!S_ISREG(st.st_mode) || st.st_blocks == 0 || st.st_nlink > 0)
1294 return 0;
1295
1296 /* If this is a regular file, it actually took up space on disk and there are no other links it's time to
1297 * punch-hole/truncate this to release the disk space. */
1298
1299 bs = MAX(st.st_blksize, 512);
1300 l = DIV_ROUND_UP(st.st_size, bs) * bs; /* Round up to next block size */
1301
1302 if (fallocate(truncate_fd, FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE, 0, l) >= 0)
1303 return 0; /* Successfully punched a hole! 😊 */
1304
1305 /* Fall back to truncation */
1306 if (ftruncate(truncate_fd, 0) < 0) {
1307 log_debug_errno(errno, "Failed to truncate file to 0, ignoring: %m");
1308 return 0;
1309 }
1310
1311 return 0;
1312 }
1313
1314 int fsync_directory_of_file(int fd) {
1315 _cleanup_free_ char *path = NULL;
1316 _cleanup_close_ int dfd = -1;
1317 int r;
1318
1319 r = fd_verify_regular(fd);
1320 if (r < 0)
1321 return r;
1322
1323 r = fd_get_path(fd, &path);
1324 if (r < 0) {
1325 log_debug_errno(r, "Failed to query /proc/self/fd/%d%s: %m",
1326 fd,
1327 r == -EOPNOTSUPP ? ", ignoring" : "");
1328
1329 if (r == -EOPNOTSUPP)
1330 /* If /proc is not available, we're most likely running in some
1331 * chroot environment, and syncing the directory is not very
1332 * important in that case. Let's just silently do nothing. */
1333 return 0;
1334
1335 return r;
1336 }
1337
1338 if (!path_is_absolute(path))
1339 return -EINVAL;
1340
1341 dfd = open_parent(path, O_CLOEXEC, 0);
1342 if (dfd < 0)
1343 return dfd;
1344
1345 if (fsync(dfd) < 0)
1346 return -errno;
1347
1348 return 0;
1349 }
1350
1351 int fsync_path_at(int at_fd, const char *path) {
1352 _cleanup_close_ int opened_fd = -1;
1353 int fd;
1354
1355 if (isempty(path)) {
1356 if (at_fd == AT_FDCWD) {
1357 opened_fd = open(".", O_RDONLY|O_DIRECTORY|O_CLOEXEC);
1358 if (opened_fd < 0)
1359 return -errno;
1360
1361 fd = opened_fd;
1362 } else
1363 fd = at_fd;
1364 } else {
1365
1366 opened_fd = openat(at_fd, path, O_RDONLY|O_CLOEXEC);
1367 if (opened_fd < 0)
1368 return -errno;
1369
1370 fd = opened_fd;
1371 }
1372
1373 if (fsync(fd) < 0)
1374 return -errno;
1375
1376 return 0;
1377 }
1378
1379 int syncfs_path(int atfd, const char *path) {
1380 _cleanup_close_ int fd = -1;
1381
1382 assert(path);
1383
1384 fd = openat(atfd, path, O_CLOEXEC|O_RDONLY|O_NONBLOCK);
1385 if (fd < 0)
1386 return -errno;
1387
1388 if (syncfs(fd) < 0)
1389 return -errno;
1390
1391 return 0;
1392 }
1393
1394 int open_parent(const char *path, int flags, mode_t mode) {
1395 _cleanup_free_ char *parent = NULL;
1396 int fd;
1397
1398 if (isempty(path))
1399 return -EINVAL;
1400 if (path_equal(path, "/")) /* requesting the parent of the root dir is fishy, let's prohibit that */
1401 return -EINVAL;
1402
1403 parent = dirname_malloc(path);
1404 if (!parent)
1405 return -ENOMEM;
1406
1407 /* Let's insist on O_DIRECTORY since the parent of a file or directory is a directory. Except if we open an
1408 * O_TMPFILE file, because in that case we are actually create a regular file below the parent directory. */
1409
1410 if ((flags & O_PATH) == O_PATH)
1411 flags |= O_DIRECTORY;
1412 else if ((flags & O_TMPFILE) != O_TMPFILE)
1413 flags |= O_DIRECTORY|O_RDONLY;
1414
1415 fd = open(parent, flags, mode);
1416 if (fd < 0)
1417 return -errno;
1418
1419 return fd;
1420 }
Unnamed repository; edit this file 'description' to name the repository.