]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/basic/fs-util.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #11827 from keszybz/pkgconfig-variables
[thirdparty/systemd.git] / src / basic / fs-util.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #include <errno.h>
4 #include <stddef.h>
5 #include <stdio.h>
6 #include <stdlib.h>
7 #include <string.h>
8 #include <sys/stat.h>
9 #include <linux/magic.h>
10 #include <time.h>
11 #include <unistd.h>
12
13 #include "alloc-util.h"
14 #include "dirent-util.h"
15 #include "fd-util.h"
16 #include "fs-util.h"
17 #include "locale-util.h"
18 #include "log.h"
19 #include "macro.h"
20 #include "missing.h"
21 #include "mkdir.h"
22 #include "parse-util.h"
23 #include "path-util.h"
24 #include "process-util.h"
25 #include "stat-util.h"
26 #include "stdio-util.h"
27 #include "string-util.h"
28 #include "strv.h"
29 #include "time-util.h"
30 #include "tmpfile-util.h"
31 #include "user-util.h"
32 #include "util.h"
33
34 int unlink_noerrno(const char *path) {
35 PROTECT_ERRNO;
36 int r;
37
38 r = unlink(path);
39 if (r < 0)
40 return -errno;
41
42 return 0;
43 }
44
45 int rmdir_parents(const char *path, const char *stop) {
46 size_t l;
47 int r = 0;
48
49 assert(path);
50 assert(stop);
51
52 l = strlen(path);
53
54 /* Skip trailing slashes */
55 while (l > 0 && path[l-1] == '/')
56 l--;
57
58 while (l > 0) {
59 char *t;
60
61 /* Skip last component */
62 while (l > 0 && path[l-1] != '/')
63 l--;
64
65 /* Skip trailing slashes */
66 while (l > 0 && path[l-1] == '/')
67 l--;
68
69 if (l <= 0)
70 break;
71
72 t = strndup(path, l);
73 if (!t)
74 return -ENOMEM;
75
76 if (path_startswith(stop, t)) {
77 free(t);
78 return 0;
79 }
80
81 r = rmdir(t);
82 free(t);
83
84 if (r < 0)
85 if (errno != ENOENT)
86 return -errno;
87 }
88
89 return 0;
90 }
91
92 int rename_noreplace(int olddirfd, const char *oldpath, int newdirfd, const char *newpath) {
93 int r;
94
95 /* Try the ideal approach first */
96 if (renameat2(olddirfd, oldpath, newdirfd, newpath, RENAME_NOREPLACE) >= 0)
97 return 0;
98
99 /* renameat2() exists since Linux 3.15, btrfs and FAT added support for it later. If it is not implemented,
100 * fall back to a different method. */
101 if (!IN_SET(errno, EINVAL, ENOSYS, ENOTTY))
102 return -errno;
103
104 /* Let's try to use linkat()+unlinkat() as fallback. This doesn't work on directories and on some file systems
105 * that do not support hard links (such as FAT, most prominently), but for files it's pretty close to what we
106 * want — though not atomic (i.e. for a short period both the new and the old filename will exist). */
107 if (linkat(olddirfd, oldpath, newdirfd, newpath, 0) >= 0) {
108
109 if (unlinkat(olddirfd, oldpath, 0) < 0) {
110 r = -errno; /* Backup errno before the following unlinkat() alters it */
111 (void) unlinkat(newdirfd, newpath, 0);
112 return r;
113 }
114
115 return 0;
116 }
117
118 if (!IN_SET(errno, EINVAL, ENOSYS, ENOTTY, EPERM)) /* FAT returns EPERM on link()â€Ļ */
119 return -errno;
120
121 /* OK, neither RENAME_NOREPLACE nor linkat()+unlinkat() worked. Let's then fallback to the racy TOCTOU
122 * vulnerable accessat(F_OK) check followed by classic, replacing renameat(), we have nothing better. */
123
124 if (faccessat(newdirfd, newpath, F_OK, AT_SYMLINK_NOFOLLOW) >= 0)
125 return -EEXIST;
126 if (errno != ENOENT)
127 return -errno;
128
129 if (renameat(olddirfd, oldpath, newdirfd, newpath) < 0)
130 return -errno;
131
132 return 0;
133 }
134
135 int readlinkat_malloc(int fd, const char *p, char **ret) {
136 size_t l = FILENAME_MAX+1;
137 int r;
138
139 assert(p);
140 assert(ret);
141
142 for (;;) {
143 char *c;
144 ssize_t n;
145
146 c = new(char, l);
147 if (!c)
148 return -ENOMEM;
149
150 n = readlinkat(fd, p, c, l-1);
151 if (n < 0) {
152 r = -errno;
153 free(c);
154 return r;
155 }
156
157 if ((size_t) n < l-1) {
158 c[n] = 0;
159 *ret = c;
160 return 0;
161 }
162
163 free(c);
164 l *= 2;
165 }
166 }
167
168 int readlink_malloc(const char *p, char **ret) {
169 return readlinkat_malloc(AT_FDCWD, p, ret);
170 }
171
172 int readlink_value(const char *p, char **ret) {
173 _cleanup_free_ char *link = NULL;
174 char *value;
175 int r;
176
177 r = readlink_malloc(p, &link);
178 if (r < 0)
179 return r;
180
181 value = basename(link);
182 if (!value)
183 return -ENOENT;
184
185 value = strdup(value);
186 if (!value)
187 return -ENOMEM;
188
189 *ret = value;
190
191 return 0;
192 }
193
194 int readlink_and_make_absolute(const char *p, char **r) {
195 _cleanup_free_ char *target = NULL;
196 char *k;
197 int j;
198
199 assert(p);
200 assert(r);
201
202 j = readlink_malloc(p, &target);
203 if (j < 0)
204 return j;
205
206 k = file_in_same_dir(p, target);
207 if (!k)
208 return -ENOMEM;
209
210 *r = k;
211 return 0;
212 }
213
214 int chmod_and_chown(const char *path, mode_t mode, uid_t uid, gid_t gid) {
215 char fd_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
216 _cleanup_close_ int fd = -1;
217 assert(path);
218
219 /* Under the assumption that we are running privileged we first change the access mode and only then hand out
220 * ownership to avoid a window where access is too open. */
221
222 fd = open(path, O_PATH|O_CLOEXEC|O_NOFOLLOW); /* Let's acquire an O_PATH fd, as precaution to change mode/owner
223 * on the same file */
224 if (fd < 0)
225 return -errno;
226
227 xsprintf(fd_path, "/proc/self/fd/%i", fd);
228
229 if (mode != MODE_INVALID) {
230
231 if ((mode & S_IFMT) != 0) {
232 struct stat st;
233
234 if (stat(fd_path, &st) < 0)
235 return -errno;
236
237 if ((mode & S_IFMT) != (st.st_mode & S_IFMT))
238 return -EINVAL;
239 }
240
241 if (chmod(fd_path, mode & 07777) < 0)
242 return -errno;
243 }
244
245 if (uid != UID_INVALID || gid != GID_INVALID)
246 if (chown(fd_path, uid, gid) < 0)
247 return -errno;
248
249 return 0;
250 }
251
252 int fchmod_and_chown(int fd, mode_t mode, uid_t uid, gid_t gid) {
253 /* Under the assumption that we are running privileged we first change the access mode and only then hand out
254 * ownership to avoid a window where access is too open. */
255
256 if (mode != MODE_INVALID) {
257
258 if ((mode & S_IFMT) != 0) {
259 struct stat st;
260
261 if (fstat(fd, &st) < 0)
262 return -errno;
263
264 if ((mode & S_IFMT) != (st.st_mode & S_IFMT))
265 return -EINVAL;
266 }
267
268 if (fchmod(fd, mode & 0777) < 0)
269 return -errno;
270 }
271
272 if (uid != UID_INVALID || gid != GID_INVALID)
273 if (fchown(fd, uid, gid) < 0)
274 return -errno;
275
276 return 0;
277 }
278
279 int fchmod_umask(int fd, mode_t m) {
280 mode_t u;
281 int r;
282
283 u = umask(0777);
284 r = fchmod(fd, m & (~u)) < 0 ? -errno : 0;
285 umask(u);
286
287 return r;
288 }
289
290 int fchmod_opath(int fd, mode_t m) {
291 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
292
293 /* This function operates also on fd that might have been opened with
294 * O_PATH. Indeed fchmodat() doesn't have the AT_EMPTY_PATH flag like
295 * fchownat() does. */
296
297 xsprintf(procfs_path, "/proc/self/fd/%i", fd);
298 if (chmod(procfs_path, m) < 0)
299 return -errno;
300
301 return 0;
302 }
303
304 int fd_warn_permissions(const char *path, int fd) {
305 struct stat st;
306
307 if (fstat(fd, &st) < 0)
308 return -errno;
309
310 if (st.st_mode & 0111)
311 log_warning("Configuration file %s is marked executable. Please remove executable permission bits. Proceeding anyway.", path);
312
313 if (st.st_mode & 0002)
314 log_warning("Configuration file %s is marked world-writable. Please remove world writability permission bits. Proceeding anyway.", path);
315
316 if (getpid_cached() == 1 && (st.st_mode & 0044) != 0044)
317 log_warning("Configuration file %s is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.", path);
318
319 return 0;
320 }
321
322 int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode) {
323 char fdpath[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
324 _cleanup_close_ int fd = -1;
325 int r, ret = 0;
326
327 assert(path);
328
329 /* Note that touch_file() does not follow symlinks: if invoked on an existing symlink, then it is the symlink
330 * itself which is updated, not its target
331 *
332 * Returns the first error we encounter, but tries to apply as much as possible. */
333
334 if (parents)
335 (void) mkdir_parents(path, 0755);
336
337 /* Initially, we try to open the node with O_PATH, so that we get a reference to the node. This is useful in
338 * case the path refers to an existing device or socket node, as we can open it successfully in all cases, and
339 * won't trigger any driver magic or so. */
340 fd = open(path, O_PATH|O_CLOEXEC|O_NOFOLLOW);
341 if (fd < 0) {
342 if (errno != ENOENT)
343 return -errno;
344
345 /* if the node doesn't exist yet, we create it, but with O_EXCL, so that we only create a regular file
346 * here, and nothing else */
347 fd = open(path, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, IN_SET(mode, 0, MODE_INVALID) ? 0644 : mode);
348 if (fd < 0)
349 return -errno;
350 }
351
352 /* Let's make a path from the fd, and operate on that. With this logic, we can adjust the access mode,
353 * ownership and time of the file node in all cases, even if the fd refers to an O_PATH object — which is
354 * something fchown(), fchmod(), futimensat() don't allow. */
355 xsprintf(fdpath, "/proc/self/fd/%i", fd);
356
357 if (mode != MODE_INVALID)
358 if (chmod(fdpath, mode) < 0)
359 ret = -errno;
360
361 if (uid_is_valid(uid) || gid_is_valid(gid))
362 if (chown(fdpath, uid, gid) < 0 && ret >= 0)
363 ret = -errno;
364
365 if (stamp != USEC_INFINITY) {
366 struct timespec ts[2];
367
368 timespec_store(&ts[0], stamp);
369 ts[1] = ts[0];
370 r = utimensat(AT_FDCWD, fdpath, ts, 0);
371 } else
372 r = utimensat(AT_FDCWD, fdpath, NULL, 0);
373 if (r < 0 && ret >= 0)
374 return -errno;
375
376 return ret;
377 }
378
379 int touch(const char *path) {
380 return touch_file(path, false, USEC_INFINITY, UID_INVALID, GID_INVALID, MODE_INVALID);
381 }
382
383 int symlink_idempotent(const char *from, const char *to, bool make_relative) {
384 _cleanup_free_ char *relpath = NULL;
385 int r;
386
387 assert(from);
388 assert(to);
389
390 if (make_relative) {
391 _cleanup_free_ char *parent = NULL;
392
393 parent = dirname_malloc(to);
394 if (!parent)
395 return -ENOMEM;
396
397 r = path_make_relative(parent, from, &relpath);
398 if (r < 0)
399 return r;
400
401 from = relpath;
402 }
403
404 if (symlink(from, to) < 0) {
405 _cleanup_free_ char *p = NULL;
406
407 if (errno != EEXIST)
408 return -errno;
409
410 r = readlink_malloc(to, &p);
411 if (r == -EINVAL) /* Not a symlink? In that case return the original error we encountered: -EEXIST */
412 return -EEXIST;
413 if (r < 0) /* Any other error? In that case propagate it as is */
414 return r;
415
416 if (!streq(p, from)) /* Not the symlink we want it to be? In that case, propagate the original -EEXIST */
417 return -EEXIST;
418 }
419
420 return 0;
421 }
422
423 int symlink_atomic(const char *from, const char *to) {
424 _cleanup_free_ char *t = NULL;
425 int r;
426
427 assert(from);
428 assert(to);
429
430 r = tempfn_random(to, NULL, &t);
431 if (r < 0)
432 return r;
433
434 if (symlink(from, t) < 0)
435 return -errno;
436
437 if (rename(t, to) < 0) {
438 unlink_noerrno(t);
439 return -errno;
440 }
441
442 return 0;
443 }
444
445 int mknod_atomic(const char *path, mode_t mode, dev_t dev) {
446 _cleanup_free_ char *t = NULL;
447 int r;
448
449 assert(path);
450
451 r = tempfn_random(path, NULL, &t);
452 if (r < 0)
453 return r;
454
455 if (mknod(t, mode, dev) < 0)
456 return -errno;
457
458 if (rename(t, path) < 0) {
459 unlink_noerrno(t);
460 return -errno;
461 }
462
463 return 0;
464 }
465
466 int mkfifo_atomic(const char *path, mode_t mode) {
467 _cleanup_free_ char *t = NULL;
468 int r;
469
470 assert(path);
471
472 r = tempfn_random(path, NULL, &t);
473 if (r < 0)
474 return r;
475
476 if (mkfifo(t, mode) < 0)
477 return -errno;
478
479 if (rename(t, path) < 0) {
480 unlink_noerrno(t);
481 return -errno;
482 }
483
484 return 0;
485 }
486
487 int mkfifoat_atomic(int dirfd, const char *path, mode_t mode) {
488 _cleanup_free_ char *t = NULL;
489 int r;
490
491 assert(path);
492
493 if (path_is_absolute(path))
494 return mkfifo_atomic(path, mode);
495
496 /* We're only interested in the (random) filename. */
497 r = tempfn_random_child("", NULL, &t);
498 if (r < 0)
499 return r;
500
501 if (mkfifoat(dirfd, t, mode) < 0)
502 return -errno;
503
504 if (renameat(dirfd, t, dirfd, path) < 0) {
505 unlink_noerrno(t);
506 return -errno;
507 }
508
509 return 0;
510 }
511
512 int get_files_in_directory(const char *path, char ***list) {
513 _cleanup_closedir_ DIR *d = NULL;
514 struct dirent *de;
515 size_t bufsize = 0, n = 0;
516 _cleanup_strv_free_ char **l = NULL;
517
518 assert(path);
519
520 /* Returns all files in a directory in *list, and the number
521 * of files as return value. If list is NULL returns only the
522 * number. */
523
524 d = opendir(path);
525 if (!d)
526 return -errno;
527
528 FOREACH_DIRENT_ALL(de, d, return -errno) {
529 dirent_ensure_type(d, de);
530
531 if (!dirent_is_file(de))
532 continue;
533
534 if (list) {
535 /* one extra slot is needed for the terminating NULL */
536 if (!GREEDY_REALLOC(l, bufsize, n + 2))
537 return -ENOMEM;
538
539 l[n] = strdup(de->d_name);
540 if (!l[n])
541 return -ENOMEM;
542
543 l[++n] = NULL;
544 } else
545 n++;
546 }
547
548 if (list)
549 *list = TAKE_PTR(l);
550
551 return n;
552 }
553
554 static int getenv_tmp_dir(const char **ret_path) {
555 const char *n;
556 int r, ret = 0;
557
558 assert(ret_path);
559
560 /* We use the same order of environment variables python uses in tempfile.gettempdir():
561 * https://docs.python.org/3/library/tempfile.html#tempfile.gettempdir */
562 FOREACH_STRING(n, "TMPDIR", "TEMP", "TMP") {
563 const char *e;
564
565 e = secure_getenv(n);
566 if (!e)
567 continue;
568 if (!path_is_absolute(e)) {
569 r = -ENOTDIR;
570 goto next;
571 }
572 if (!path_is_normalized(e)) {
573 r = -EPERM;
574 goto next;
575 }
576
577 r = is_dir(e, true);
578 if (r < 0)
579 goto next;
580 if (r == 0) {
581 r = -ENOTDIR;
582 goto next;
583 }
584
585 *ret_path = e;
586 return 1;
587
588 next:
589 /* Remember first error, to make this more debuggable */
590 if (ret >= 0)
591 ret = r;
592 }
593
594 if (ret < 0)
595 return ret;
596
597 *ret_path = NULL;
598 return ret;
599 }
600
601 static int tmp_dir_internal(const char *def, const char **ret) {
602 const char *e;
603 int r, k;
604
605 assert(def);
606 assert(ret);
607
608 r = getenv_tmp_dir(&e);
609 if (r > 0) {
610 *ret = e;
611 return 0;
612 }
613
614 k = is_dir(def, true);
615 if (k == 0)
616 k = -ENOTDIR;
617 if (k < 0)
618 return r < 0 ? r : k;
619
620 *ret = def;
621 return 0;
622 }
623
624 int var_tmp_dir(const char **ret) {
625
626 /* Returns the location for "larger" temporary files, that is backed by physical storage if available, and thus
627 * even might survive a boot: /var/tmp. If $TMPDIR (or related environment variables) are set, its value is
628 * returned preferably however. Note that both this function and tmp_dir() below are affected by $TMPDIR,
629 * making it a variable that overrides all temporary file storage locations. */
630
631 return tmp_dir_internal("/var/tmp", ret);
632 }
633
634 int tmp_dir(const char **ret) {
635
636 /* Similar to var_tmp_dir() above, but returns the location for "smaller" temporary files, which is usually
637 * backed by an in-memory file system: /tmp. */
638
639 return tmp_dir_internal("/tmp", ret);
640 }
641
642 int unlink_or_warn(const char *filename) {
643 if (unlink(filename) < 0 && errno != ENOENT)
644 /* If the file doesn't exist and the fs simply was read-only (in which
645 * case unlink() returns EROFS even if the file doesn't exist), don't
646 * complain */
647 if (errno != EROFS || access(filename, F_OK) >= 0)
648 return log_error_errno(errno, "Failed to remove \"%s\": %m", filename);
649
650 return 0;
651 }
652
653 int inotify_add_watch_fd(int fd, int what, uint32_t mask) {
654 char path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
655 int r;
656
657 /* This is like inotify_add_watch(), except that the file to watch is not referenced by a path, but by an fd */
658 xsprintf(path, "/proc/self/fd/%i", what);
659
660 r = inotify_add_watch(fd, path, mask);
661 if (r < 0)
662 return -errno;
663
664 return r;
665 }
666
667 static bool unsafe_transition(const struct stat *a, const struct stat *b) {
668 /* Returns true if the transition from a to b is safe, i.e. that we never transition from unprivileged to
669 * privileged files or directories. Why bother? So that unprivileged code can't symlink to privileged files
670 * making us believe we read something safe even though it isn't safe in the specific context we open it in. */
671
672 if (a->st_uid == 0) /* Transitioning from privileged to unprivileged is always fine */
673 return false;
674
675 return a->st_uid != b->st_uid; /* Otherwise we need to stay within the same UID */
676 }
677
678 static int log_unsafe_transition(int a, int b, const char *path, unsigned flags) {
679 _cleanup_free_ char *n1 = NULL, *n2 = NULL;
680
681 if (!FLAGS_SET(flags, CHASE_WARN))
682 return -ENOLINK;
683
684 (void) fd_get_path(a, &n1);
685 (void) fd_get_path(b, &n2);
686
687 return log_warning_errno(SYNTHETIC_ERRNO(ENOLINK),
688 "Detected unsafe path transition %s %s %s during canonicalization of %s.",
689 n1, special_glyph(SPECIAL_GLYPH_ARROW), n2, path);
690 }
691
692 static int log_autofs_mount_point(int fd, const char *path, unsigned flags) {
693 _cleanup_free_ char *n1 = NULL;
694
695 if (!FLAGS_SET(flags, CHASE_WARN))
696 return -EREMOTE;
697
698 (void) fd_get_path(fd, &n1);
699
700 return log_warning_errno(SYNTHETIC_ERRNO(EREMOTE),
701 "Detected autofs mount point %s during canonicalization of %s.",
702 n1, path);
703 }
704
705 int chase_symlinks(const char *path, const char *original_root, unsigned flags, char **ret) {
706 _cleanup_free_ char *buffer = NULL, *done = NULL, *root = NULL;
707 _cleanup_close_ int fd = -1;
708 unsigned max_follow = CHASE_SYMLINKS_MAX; /* how many symlinks to follow before giving up and returning ELOOP */
709 struct stat previous_stat;
710 bool exists = true;
711 char *todo;
712 int r;
713
714 assert(path);
715
716 /* Either the file may be missing, or we return an fd to the final object, but both make no sense */
717 if (FLAGS_SET(flags, CHASE_NONEXISTENT | CHASE_OPEN))
718 return -EINVAL;
719
720 if (FLAGS_SET(flags, CHASE_STEP | CHASE_OPEN))
721 return -EINVAL;
722
723 if (isempty(path))
724 return -EINVAL;
725
726 /* This is a lot like canonicalize_file_name(), but takes an additional "root" parameter, that allows following
727 * symlinks relative to a root directory, instead of the root of the host.
728 *
729 * Note that "root" primarily matters if we encounter an absolute symlink. It is also used when following
730 * relative symlinks to ensure they cannot be used to "escape" the root directory. The path parameter passed is
731 * assumed to be already prefixed by it, except if the CHASE_PREFIX_ROOT flag is set, in which case it is first
732 * prefixed accordingly.
733 *
734 * Algorithmically this operates on two path buffers: "done" are the components of the path we already
735 * processed and resolved symlinks, "." and ".." of. "todo" are the components of the path we still need to
736 * process. On each iteration, we move one component from "todo" to "done", processing it's special meaning
737 * each time. The "todo" path always starts with at least one slash, the "done" path always ends in no
738 * slash. We always keep an O_PATH fd to the component we are currently processing, thus keeping lookup races
739 * at a minimum.
740 *
741 * Suggested usage: whenever you want to canonicalize a path, use this function. Pass the absolute path you got
742 * as-is: fully qualified and relative to your host's root. Optionally, specify the root parameter to tell this
743 * function what to do when encountering a symlink with an absolute path as directory: prefix it by the
744 * specified path.
745 *
746 * There are three ways to invoke this function:
747 *
748 * 1. Without CHASE_STEP or CHASE_OPEN: in this case the path is resolved and the normalized path is returned
749 * in `ret`. The return value is < 0 on error. If CHASE_NONEXISTENT is also set 0 is returned if the file
750 * doesn't exist, > 0 otherwise. If CHASE_NONEXISTENT is not set >= 0 is returned if the destination was
751 * found, -ENOENT if it doesn't.
752 *
753 * 2. With CHASE_OPEN: in this case the destination is opened after chasing it as O_PATH and this file
754 * descriptor is returned as return value. This is useful to open files relative to some root
755 * directory. Note that the returned O_PATH file descriptors must be converted into a regular one (using
756 * fd_reopen() or such) before it can be used for reading/writing. CHASE_OPEN may not be combined with
757 * CHASE_NONEXISTENT.
758 *
759 * 3. With CHASE_STEP: in this case only a single step of the normalization is executed, i.e. only the first
760 * symlink or ".." component of the path is resolved, and the resulting path is returned. This is useful if
761 * a caller wants to trace the a path through the file system verbosely. Returns < 0 on error, > 0 if the
762 * path is fully normalized, and == 0 for each normalization step. This may be combined with
763 * CHASE_NONEXISTENT, in which case 1 is returned when a component is not found.
764 *
765 * 4. With CHASE_SAFE: in this case the path must not contain unsafe transitions, i.e. transitions from
766 * unprivileged to privileged files or directories. In such cases the return value is -ENOLINK. If
767 * CHASE_WARN is also set a warning describing the unsafe transition is emitted.
768 *
769 * 5. With CHASE_NO_AUTOFS: in this case if an autofs mount point is encountered, the path normalization is
770 * aborted and -EREMOTE is returned. If CHASE_WARN is also set a warning showing the path of the mount point
771 * is emitted.
772 *
773 * */
774
775 /* A root directory of "/" or "" is identical to none */
776 if (empty_or_root(original_root))
777 original_root = NULL;
778
779 if (!original_root && !ret && (flags & (CHASE_NONEXISTENT|CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_OPEN|CHASE_STEP)) == CHASE_OPEN) {
780 /* Shortcut the CHASE_OPEN case if the caller isn't interested in the actual path and has no root set
781 * and doesn't care about any of the other special features we provide either. */
782 r = open(path, O_PATH|O_CLOEXEC|((flags & CHASE_NOFOLLOW) ? O_NOFOLLOW : 0));
783 if (r < 0)
784 return -errno;
785
786 return r;
787 }
788
789 if (original_root) {
790 r = path_make_absolute_cwd(original_root, &root);
791 if (r < 0)
792 return r;
793
794 if (flags & CHASE_PREFIX_ROOT) {
795
796 /* We don't support relative paths in combination with a root directory */
797 if (!path_is_absolute(path))
798 return -EINVAL;
799
800 path = prefix_roota(root, path);
801 }
802 }
803
804 r = path_make_absolute_cwd(path, &buffer);
805 if (r < 0)
806 return r;
807
808 fd = open("/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
809 if (fd < 0)
810 return -errno;
811
812 if (flags & CHASE_SAFE) {
813 if (fstat(fd, &previous_stat) < 0)
814 return -errno;
815 }
816
817 todo = buffer;
818 for (;;) {
819 _cleanup_free_ char *first = NULL;
820 _cleanup_close_ int child = -1;
821 struct stat st;
822 size_t n, m;
823
824 /* Determine length of first component in the path */
825 n = strspn(todo, "/"); /* The slashes */
826 m = n + strcspn(todo + n, "/"); /* The entire length of the component */
827
828 /* Extract the first component. */
829 first = strndup(todo, m);
830 if (!first)
831 return -ENOMEM;
832
833 todo += m;
834
835 /* Empty? Then we reached the end. */
836 if (isempty(first))
837 break;
838
839 /* Just a single slash? Then we reached the end. */
840 if (path_equal(first, "/")) {
841 /* Preserve the trailing slash */
842
843 if (flags & CHASE_TRAIL_SLASH)
844 if (!strextend(&done, "/", NULL))
845 return -ENOMEM;
846
847 break;
848 }
849
850 /* Just a dot? Then let's eat this up. */
851 if (path_equal(first, "/."))
852 continue;
853
854 /* Two dots? Then chop off the last bit of what we already found out. */
855 if (path_equal(first, "/..")) {
856 _cleanup_free_ char *parent = NULL;
857 _cleanup_close_ int fd_parent = -1;
858
859 /* If we already are at the top, then going up will not change anything. This is in-line with
860 * how the kernel handles this. */
861 if (empty_or_root(done))
862 continue;
863
864 parent = dirname_malloc(done);
865 if (!parent)
866 return -ENOMEM;
867
868 /* Don't allow this to leave the root dir. */
869 if (root &&
870 path_startswith(done, root) &&
871 !path_startswith(parent, root))
872 continue;
873
874 free_and_replace(done, parent);
875
876 if (flags & CHASE_STEP)
877 goto chased_one;
878
879 fd_parent = openat(fd, "..", O_CLOEXEC|O_NOFOLLOW|O_PATH);
880 if (fd_parent < 0)
881 return -errno;
882
883 if (flags & CHASE_SAFE) {
884 if (fstat(fd_parent, &st) < 0)
885 return -errno;
886
887 if (unsafe_transition(&previous_stat, &st))
888 return log_unsafe_transition(fd, fd_parent, path, flags);
889
890 previous_stat = st;
891 }
892
893 safe_close(fd);
894 fd = TAKE_FD(fd_parent);
895
896 continue;
897 }
898
899 /* Otherwise let's see what this is. */
900 child = openat(fd, first + n, O_CLOEXEC|O_NOFOLLOW|O_PATH);
901 if (child < 0) {
902
903 if (errno == ENOENT &&
904 (flags & CHASE_NONEXISTENT) &&
905 (isempty(todo) || path_is_normalized(todo))) {
906
907 /* If CHASE_NONEXISTENT is set, and the path does not exist, then that's OK, return
908 * what we got so far. But don't allow this if the remaining path contains "../ or "./"
909 * or something else weird. */
910
911 /* If done is "/", as first also contains slash at the head, then remove this redundant slash. */
912 if (streq_ptr(done, "/"))
913 *done = '\0';
914
915 if (!strextend(&done, first, todo, NULL))
916 return -ENOMEM;
917
918 exists = false;
919 break;
920 }
921
922 return -errno;
923 }
924
925 if (fstat(child, &st) < 0)
926 return -errno;
927 if ((flags & CHASE_SAFE) &&
928 unsafe_transition(&previous_stat, &st))
929 return log_unsafe_transition(fd, child, path, flags);
930
931 previous_stat = st;
932
933 if ((flags & CHASE_NO_AUTOFS) &&
934 fd_is_fs_type(child, AUTOFS_SUPER_MAGIC) > 0)
935 return log_autofs_mount_point(child, path, flags);
936
937 if (S_ISLNK(st.st_mode) && !((flags & CHASE_NOFOLLOW) && isempty(todo))) {
938 char *joined;
939
940 _cleanup_free_ char *destination = NULL;
941
942 /* This is a symlink, in this case read the destination. But let's make sure we don't follow
943 * symlinks without bounds. */
944 if (--max_follow <= 0)
945 return -ELOOP;
946
947 r = readlinkat_malloc(fd, first + n, &destination);
948 if (r < 0)
949 return r;
950 if (isempty(destination))
951 return -EINVAL;
952
953 if (path_is_absolute(destination)) {
954
955 /* An absolute destination. Start the loop from the beginning, but use the root
956 * directory as base. */
957
958 safe_close(fd);
959 fd = open(root ?: "/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
960 if (fd < 0)
961 return -errno;
962
963 if (flags & CHASE_SAFE) {
964 if (fstat(fd, &st) < 0)
965 return -errno;
966
967 if (unsafe_transition(&previous_stat, &st))
968 return log_unsafe_transition(child, fd, path, flags);
969
970 previous_stat = st;
971 }
972
973 free(done);
974
975 /* Note that we do not revalidate the root, we take it as is. */
976 if (isempty(root))
977 done = NULL;
978 else {
979 done = strdup(root);
980 if (!done)
981 return -ENOMEM;
982 }
983
984 /* Prefix what's left to do with what we just read, and start the loop again, but
985 * remain in the current directory. */
986 joined = strjoin(destination, todo);
987 } else
988 joined = strjoin("/", destination, todo);
989 if (!joined)
990 return -ENOMEM;
991
992 free(buffer);
993 todo = buffer = joined;
994
995 if (flags & CHASE_STEP)
996 goto chased_one;
997
998 continue;
999 }
1000
1001 /* If this is not a symlink, then let's just add the name we read to what we already verified. */
1002 if (!done)
1003 done = TAKE_PTR(first);
1004 else {
1005 /* If done is "/", as first also contains slash at the head, then remove this redundant slash. */
1006 if (streq(done, "/"))
1007 *done = '\0';
1008
1009 if (!strextend(&done, first, NULL))
1010 return -ENOMEM;
1011 }
1012
1013 /* And iterate again, but go one directory further down. */
1014 safe_close(fd);
1015 fd = TAKE_FD(child);
1016 }
1017
1018 if (!done) {
1019 /* Special case, turn the empty string into "/", to indicate the root directory. */
1020 done = strdup("/");
1021 if (!done)
1022 return -ENOMEM;
1023 }
1024
1025 if (ret)
1026 *ret = TAKE_PTR(done);
1027
1028 if (flags & CHASE_OPEN) {
1029 /* Return the O_PATH fd we currently are looking to the caller. It can translate it to a proper fd by
1030 * opening /proc/self/fd/xyz. */
1031
1032 assert(fd >= 0);
1033 return TAKE_FD(fd);
1034 }
1035
1036 if (flags & CHASE_STEP)
1037 return 1;
1038
1039 return exists;
1040
1041 chased_one:
1042 if (ret) {
1043 char *c;
1044
1045 c = strjoin(strempty(done), todo);
1046 if (!c)
1047 return -ENOMEM;
1048
1049 *ret = c;
1050 }
1051
1052 return 0;
1053 }
1054
1055 int chase_symlinks_and_open(
1056 const char *path,
1057 const char *root,
1058 unsigned chase_flags,
1059 int open_flags,
1060 char **ret_path) {
1061
1062 _cleanup_close_ int path_fd = -1;
1063 _cleanup_free_ char *p = NULL;
1064 int r;
1065
1066 if (chase_flags & CHASE_NONEXISTENT)
1067 return -EINVAL;
1068
1069 if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
1070 /* Shortcut this call if none of the special features of this call are requested */
1071 r = open(path, open_flags);
1072 if (r < 0)
1073 return -errno;
1074
1075 return r;
1076 }
1077
1078 path_fd = chase_symlinks(path, root, chase_flags|CHASE_OPEN, ret_path ? &p : NULL);
1079 if (path_fd < 0)
1080 return path_fd;
1081
1082 r = fd_reopen(path_fd, open_flags);
1083 if (r < 0)
1084 return r;
1085
1086 if (ret_path)
1087 *ret_path = TAKE_PTR(p);
1088
1089 return r;
1090 }
1091
1092 int chase_symlinks_and_opendir(
1093 const char *path,
1094 const char *root,
1095 unsigned chase_flags,
1096 char **ret_path,
1097 DIR **ret_dir) {
1098
1099 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
1100 _cleanup_close_ int path_fd = -1;
1101 _cleanup_free_ char *p = NULL;
1102 DIR *d;
1103
1104 if (!ret_dir)
1105 return -EINVAL;
1106 if (chase_flags & CHASE_NONEXISTENT)
1107 return -EINVAL;
1108
1109 if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
1110 /* Shortcut this call if none of the special features of this call are requested */
1111 d = opendir(path);
1112 if (!d)
1113 return -errno;
1114
1115 *ret_dir = d;
1116 return 0;
1117 }
1118
1119 path_fd = chase_symlinks(path, root, chase_flags|CHASE_OPEN, ret_path ? &p : NULL);
1120 if (path_fd < 0)
1121 return path_fd;
1122
1123 xsprintf(procfs_path, "/proc/self/fd/%i", path_fd);
1124 d = opendir(procfs_path);
1125 if (!d)
1126 return -errno;
1127
1128 if (ret_path)
1129 *ret_path = TAKE_PTR(p);
1130
1131 *ret_dir = d;
1132 return 0;
1133 }
1134
1135 int chase_symlinks_and_stat(
1136 const char *path,
1137 const char *root,
1138 unsigned chase_flags,
1139 char **ret_path,
1140 struct stat *ret_stat) {
1141
1142 _cleanup_close_ int path_fd = -1;
1143 _cleanup_free_ char *p = NULL;
1144
1145 assert(path);
1146 assert(ret_stat);
1147
1148 if (chase_flags & CHASE_NONEXISTENT)
1149 return -EINVAL;
1150
1151 if (empty_or_root(root) && !ret_path && (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE)) == 0) {
1152 /* Shortcut this call if none of the special features of this call are requested */
1153 if (stat(path, ret_stat) < 0)
1154 return -errno;
1155
1156 return 1;
1157 }
1158
1159 path_fd = chase_symlinks(path, root, chase_flags|CHASE_OPEN, ret_path ? &p : NULL);
1160 if (path_fd < 0)
1161 return path_fd;
1162
1163 if (fstat(path_fd, ret_stat) < 0)
1164 return -errno;
1165
1166 if (ret_path)
1167 *ret_path = TAKE_PTR(p);
1168
1169 if (chase_flags & CHASE_OPEN)
1170 return TAKE_FD(path_fd);
1171
1172 return 1;
1173 }
1174
1175 int access_fd(int fd, int mode) {
1176 char p[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(fd) + 1];
1177 int r;
1178
1179 /* Like access() but operates on an already open fd */
1180
1181 xsprintf(p, "/proc/self/fd/%i", fd);
1182 r = access(p, mode);
1183 if (r < 0)
1184 return -errno;
1185
1186 return r;
1187 }
1188
1189 void unlink_tempfilep(char (*p)[]) {
1190 /* If the file is created with mkstemp(), it will (almost always)
1191 * change the suffix. Treat this as a sign that the file was
1192 * successfully created. We ignore both the rare case where the
1193 * original suffix is used and unlink failures. */
1194 if (!endswith(*p, ".XXXXXX"))
1195 (void) unlink_noerrno(*p);
1196 }
1197
1198 int unlinkat_deallocate(int fd, const char *name, int flags) {
1199 _cleanup_close_ int truncate_fd = -1;
1200 struct stat st;
1201 off_t l, bs;
1202
1203 /* Operates like unlinkat() but also deallocates the file contents if it is a regular file and there's no other
1204 * link to it. This is useful to ensure that other processes that might have the file open for reading won't be
1205 * able to keep the data pinned on disk forever. This call is particular useful whenever we execute clean-up
1206 * jobs ("vacuuming"), where we want to make sure the data is really gone and the disk space released and
1207 * returned to the free pool.
1208 *
1209 * Deallocation is preferably done by FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE (👊) if supported, which means
1210 * the file won't change size. That's a good thing since we shouldn't needlessly trigger SIGBUS in other
1211 * programs that have mmap()ed the file. (The assumption here is that changing file contents to all zeroes
1212 * underneath those programs is the better choice than simply triggering SIGBUS in them which truncation does.)
1213 * However if hole punching is not implemented in the kernel or file system we'll fall back to normal file
1214 * truncation (đŸ”Ē), as our goal of deallocating the data space trumps our goal of being nice to readers (💐).
1215 *
1216 * Note that we attempt deallocation, but failure to succeed with that is not considered fatal, as long as the
1217 * primary job – to delete the file – is accomplished. */
1218
1219 if ((flags & AT_REMOVEDIR) == 0) {
1220 truncate_fd = openat(fd, name, O_WRONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|O_NONBLOCK);
1221 if (truncate_fd < 0) {
1222
1223 /* If this failed because the file doesn't exist propagate the error right-away. Also,
1224 * AT_REMOVEDIR wasn't set, and we tried to open the file for writing, which means EISDIR is
1225 * returned when this is a directory but we are not supposed to delete those, hence propagate
1226 * the error right-away too. */
1227 if (IN_SET(errno, ENOENT, EISDIR))
1228 return -errno;
1229
1230 if (errno != ELOOP) /* don't complain if this is a symlink */
1231 log_debug_errno(errno, "Failed to open file '%s' for deallocation, ignoring: %m", name);
1232 }
1233 }
1234
1235 if (unlinkat(fd, name, flags) < 0)
1236 return -errno;
1237
1238 if (truncate_fd < 0) /* Don't have a file handle, can't do more ☚ī¸ */
1239 return 0;
1240
1241 if (fstat(truncate_fd, &st) < 0) {
1242 log_debug_errno(errno, "Failed to stat file '%s' for deallocation, ignoring: %m", name);
1243 return 0;
1244 }
1245
1246 if (!S_ISREG(st.st_mode) || st.st_blocks == 0 || st.st_nlink > 0)
1247 return 0;
1248
1249 /* If this is a regular file, it actually took up space on disk and there are no other links it's time to
1250 * punch-hole/truncate this to release the disk space. */
1251
1252 bs = MAX(st.st_blksize, 512);
1253 l = DIV_ROUND_UP(st.st_size, bs) * bs; /* Round up to next block size */
1254
1255 if (fallocate(truncate_fd, FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE, 0, l) >= 0)
1256 return 0; /* Successfully punched a hole! 😊 */
1257
1258 /* Fall back to truncation */
1259 if (ftruncate(truncate_fd, 0) < 0) {
1260 log_debug_errno(errno, "Failed to truncate file to 0, ignoring: %m");
1261 return 0;
1262 }
1263
1264 return 0;
1265 }
1266
1267 int fsync_directory_of_file(int fd) {
1268 _cleanup_free_ char *path = NULL;
1269 _cleanup_close_ int dfd = -1;
1270 int r;
1271
1272 r = fd_verify_regular(fd);
1273 if (r < 0)
1274 return r;
1275
1276 r = fd_get_path(fd, &path);
1277 if (r < 0) {
1278 log_debug_errno(r, "Failed to query /proc/self/fd/%d%s: %m",
1279 fd,
1280 r == -EOPNOTSUPP ? ", ignoring" : "");
1281
1282 if (r == -EOPNOTSUPP)
1283 /* If /proc is not available, we're most likely running in some
1284 * chroot environment, and syncing the directory is not very
1285 * important in that case. Let's just silently do nothing. */
1286 return 0;
1287
1288 return r;
1289 }
1290
1291 if (!path_is_absolute(path))
1292 return -EINVAL;
1293
1294 dfd = open_parent(path, O_CLOEXEC, 0);
1295 if (dfd < 0)
1296 return dfd;
1297
1298 if (fsync(dfd) < 0)
1299 return -errno;
1300
1301 return 0;
1302 }
1303
1304 int fsync_path_at(int at_fd, const char *path) {
1305 _cleanup_close_ int opened_fd = -1;
1306 int fd;
1307
1308 if (isempty(path)) {
1309 if (at_fd == AT_FDCWD) {
1310 opened_fd = open(".", O_RDONLY|O_DIRECTORY|O_CLOEXEC);
1311 if (opened_fd < 0)
1312 return -errno;
1313
1314 fd = opened_fd;
1315 } else
1316 fd = at_fd;
1317 } else {
1318
1319 opened_fd = openat(at_fd, path, O_RDONLY|O_CLOEXEC);
1320 if (opened_fd < 0)
1321 return -errno;
1322
1323 fd = opened_fd;
1324 }
1325
1326 if (fsync(fd) < 0)
1327 return -errno;
1328
1329 return 0;
1330 }
1331
1332 int open_parent(const char *path, int flags, mode_t mode) {
1333 _cleanup_free_ char *parent = NULL;
1334 int fd;
1335
1336 if (isempty(path))
1337 return -EINVAL;
1338 if (path_equal(path, "/")) /* requesting the parent of the root dir is fishy, let's prohibit that */
1339 return -EINVAL;
1340
1341 parent = dirname_malloc(path);
1342 if (!parent)
1343 return -ENOMEM;
1344
1345 /* Let's insist on O_DIRECTORY since the parent of a file or directory is a directory. Except if we open an
1346 * O_TMPFILE file, because in that case we are actually create a regular file below the parent directory. */
1347
1348 if ((flags & O_PATH) == O_PATH)
1349 flags |= O_DIRECTORY;
1350 else if ((flags & O_TMPFILE) != O_TMPFILE)
1351 flags |= O_DIRECTORY|O_RDONLY;
1352
1353 fd = open(parent, flags, mode);
1354 if (fd < 0)
1355 return -errno;
1356
1357 return fd;
1358 }
Unnamed repository; edit this file 'description' to name the repository.