search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
udev: String substitutions can be done in ENV, too
[systemd_ALT.git] / src / basic / fs-util.c
blob6ade22740b430647d285ce59ddfc9badcdcc36ea
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <errno.h>
4 #include <stddef.h>
5 #include <stdlib.h>
6 #include <sys/file.h>
7 #include <linux/falloc.h>
8 #include <linux/magic.h>
9 #include <unistd.h>
10
11 #include "alloc-util.h"
12 #include "dirent-util.h"
13 #include "fd-util.h"
14 #include "fileio.h"
15 #include "fs-util.h"
16 #include "hostname-util.h"
17 #include "label.h"
18 #include "lock-util.h"
19 #include "log.h"
20 #include "macro.h"
21 #include "missing_fcntl.h"
22 #include "missing_fs.h"
23 #include "missing_syscall.h"
24 #include "mkdir.h"
25 #include "parse-util.h"
26 #include "path-util.h"
27 #include "process-util.h"
28 #include "random-util.h"
29 #include "ratelimit.h"
30 #include "stat-util.h"
31 #include "stdio-util.h"
32 #include "string-util.h"
33 #include "strv.h"
34 #include "time-util.h"
35 #include "tmpfile-util.h"
36 #include "umask-util.h"
37 #include "user-util.h"
38
39 int rmdir_parents(const char *path, const char *stop) {
40 char *p;
41 int r;
42
43 assert(path);
44 assert(stop);
45
46 if (!path_is_safe(path))
47 return -EINVAL;
48
49 if (!path_is_safe(stop))
50 return -EINVAL;
51
52 p = strdupa_safe(path);
53
54 for (;;) {
55 char *slash = NULL;
56
57 /* skip the last component. */
58 r = path_find_last_component(p, /* accept_dot_dot= */ false, (const char **) &slash, NULL);
59 if (r <= 0)
60 return r;
61 if (slash == p)
62 return 0;
63
64 assert(*slash == '/');
65 *slash = '\0';
66
67 if (path_startswith_full(stop, p, /* accept_dot_dot= */ false))
68 return 0;
69
70 if (rmdir(p) < 0 && errno != ENOENT)
71 return -errno;
72 }
73 }
74
75 int rename_noreplace(int olddirfd, const char *oldpath, int newdirfd, const char *newpath) {
76 int r;
77
78 /* Try the ideal approach first */
79 if (renameat2(olddirfd, oldpath, newdirfd, newpath, RENAME_NOREPLACE) >= 0)
80 return 0;
81
82 /* renameat2() exists since Linux 3.15, btrfs and FAT added support for it later. If it is not implemented,
83 * fall back to a different method. */
84 if (!ERRNO_IS_NOT_SUPPORTED(errno) && errno != EINVAL)
85 return -errno;
86
87 /* Let's try to use linkat()+unlinkat() as fallback. This doesn't work on directories and on some file systems
88 * that do not support hard links (such as FAT, most prominently), but for files it's pretty close to what we
89 * want — though not atomic (i.e. for a short period both the new and the old filename will exist). */
90 if (linkat(olddirfd, oldpath, newdirfd, newpath, 0) >= 0) {
91
92 r = RET_NERRNO(unlinkat(olddirfd, oldpath, 0));
93 if (r < 0) {
94 (void) unlinkat(newdirfd, newpath, 0);
95 return r;
96 }
97
98 return 0;
99 }
100
101 if (!ERRNO_IS_NOT_SUPPORTED(errno) && !IN_SET(errno, EINVAL, EPERM)) /* FAT returns EPERM on link()… */
102 return -errno;
103
104 /* OK, neither RENAME_NOREPLACE nor linkat()+unlinkat() worked. Let's then fall back to the racy TOCTOU
105 * vulnerable accessat(F_OK) check followed by classic, replacing renameat(), we have nothing better. */
106
107 if (faccessat(newdirfd, newpath, F_OK, AT_SYMLINK_NOFOLLOW) >= 0)
108 return -EEXIST;
109 if (errno != ENOENT)
110 return -errno;
111
112 return RET_NERRNO(renameat(olddirfd, oldpath, newdirfd, newpath));
113 }
114
115 int readlinkat_malloc(int fd, const char *p, char **ret) {
116 size_t l = PATH_MAX;
117
118 assert(fd >= 0 || fd == AT_FDCWD);
119
120 if (fd < 0 && isempty(p))
121 return -EISDIR; /* In this case, the fd points to the current working directory, and is
122 * definitely not a symlink. Let's return earlier. */
123
124 for (;;) {
125 _cleanup_free_ char *c = NULL;
126 ssize_t n;
127
128 c = new(char, l+1);
129 if (!c)
130 return -ENOMEM;
131
132 n = readlinkat(fd, strempty(p), c, l);
133 if (n < 0)
134 return -errno;
135
136 if ((size_t) n < l) {
137 c[n] = 0;
138
139 if (ret)
140 *ret = TAKE_PTR(c);
141
142 return 0;
143 }
144
145 if (l > (SSIZE_MAX-1)/2) /* readlinkat() returns an ssize_t, and we want an extra byte for a
146 * trailing NUL, hence do an overflow check relative to SSIZE_MAX-1
147 * here */
148 return -EFBIG;
149
150 l *= 2;
151 }
152 }
153
154 int readlink_malloc(const char *p, char **ret) {
155 return readlinkat_malloc(AT_FDCWD, p, ret);
156 }
157
158 int readlink_value(const char *p, char **ret) {
159 _cleanup_free_ char *link = NULL, *name = NULL;
160 int r;
161
162 assert(p);
163 assert(ret);
164
165 r = readlink_malloc(p, &link);
166 if (r < 0)
167 return r;
168
169 r = path_extract_filename(link, &name);
170 if (r < 0)
171 return r;
172 if (r == O_DIRECTORY)
173 return -EINVAL;
174
175 *ret = TAKE_PTR(name);
176 return 0;
177 }
178
179 int readlink_and_make_absolute(const char *p, char **ret) {
180 _cleanup_free_ char *target = NULL;
181 int r;
182
183 assert(p);
184 assert(ret);
185
186 r = readlink_malloc(p, &target);
187 if (r < 0)
188 return r;
189
190 return file_in_same_dir(p, target, ret);
191 }
192
193 int chmod_and_chown_at(int dir_fd, const char *path, mode_t mode, uid_t uid, gid_t gid) {
194 _cleanup_close_ int fd = -EBADF;
195
196 assert(dir_fd >= 0 || dir_fd == AT_FDCWD);
197
198 if (path) {
199 /* Let's acquire an O_PATH fd, as precaution to change mode/owner on the same file */
200 fd = openat(dir_fd, path, O_PATH|O_CLOEXEC|O_NOFOLLOW);
201 if (fd < 0)
202 return -errno;
203 dir_fd = fd;
204
205 } else if (dir_fd == AT_FDCWD) {
206 /* Let's acquire an O_PATH fd of the current directory */
207 fd = openat(dir_fd, ".", O_PATH|O_CLOEXEC|O_NOFOLLOW|O_DIRECTORY);
208 if (fd < 0)
209 return -errno;
210 dir_fd = fd;
211 }
212
213 return fchmod_and_chown(dir_fd, mode, uid, gid);
214 }
215
216 int fchmod_and_chown_with_fallback(int fd, const char *path, mode_t mode, uid_t uid, gid_t gid) {
217 bool do_chown, do_chmod;
218 struct stat st;
219 int r;
220
221 /* Change ownership and access mode of the specified fd. Tries to do so safely, ensuring that at no
222 * point in time the access mode is above the old access mode under the old ownership or the new
223 * access mode under the new ownership. Note: this call tries hard to leave the access mode
224 * unaffected if the uid/gid is changed, i.e. it undoes implicit suid/sgid dropping the kernel does
225 * on chown().
226 *
227 * This call is happy with O_PATH fds.
228 *
229 * If path is given, allow a fallback path which does not use /proc/self/fd/. On any normal system
230 * /proc will be mounted, but in certain improperly assembled environments it might not be. This is
231 * less secure (potential TOCTOU), so should only be used after consideration. */
232
233 if (fstat(fd, &st) < 0)
234 return -errno;
235
236 do_chown =
237 (uid != UID_INVALID && st.st_uid != uid) ||
238 (gid != GID_INVALID && st.st_gid != gid);
239
240 do_chmod =
241 !S_ISLNK(st.st_mode) && /* chmod is not defined on symlinks */
242 ((mode != MODE_INVALID && ((st.st_mode ^ mode) & 07777) != 0) ||
243 do_chown); /* If we change ownership, make sure we reset the mode afterwards, since chown()
244 * modifies the access mode too */
245
246 if (mode == MODE_INVALID)
247 mode = st.st_mode; /* If we only shall do a chown(), save original mode, since chown() might break it. */
248 else if ((mode & S_IFMT) != 0 && ((mode ^ st.st_mode) & S_IFMT) != 0)
249 return -EINVAL; /* insist on the right file type if it was specified */
250
251 if (do_chown && do_chmod) {
252 mode_t minimal = st.st_mode & mode; /* the subset of the old and the new mask */
253
254 if (((minimal ^ st.st_mode) & 07777) != 0) {
255 r = fchmod_opath(fd, minimal & 07777);
256 if (r < 0) {
257 if (!path || r != -ENOSYS)
258 return r;
259
260 /* Fallback path which doesn't use /proc/self/fd/. */
261 if (chmod(path, minimal & 07777) < 0)
262 return -errno;
263 }
264 }
265 }
266
267 if (do_chown)
268 if (fchownat(fd, "", uid, gid, AT_EMPTY_PATH) < 0)
269 return -errno;
270
271 if (do_chmod) {
272 r = fchmod_opath(fd, mode & 07777);
273 if (r < 0) {
274 if (!path || r != -ENOSYS)
275 return r;
276
277 /* Fallback path which doesn't use /proc/self/fd/. */
278 if (chmod(path, mode & 07777) < 0)
279 return -errno;
280 }
281 }
282
283 return do_chown || do_chmod;
284 }
285
286 int fchmod_umask(int fd, mode_t m) {
287 _cleanup_umask_ mode_t u = umask(0777);
288
289 return RET_NERRNO(fchmod(fd, m & (~u)));
290 }
291
292 int fchmod_opath(int fd, mode_t m) {
293 /* This function operates also on fd that might have been opened with
294 * O_PATH. Indeed fchmodat() doesn't have the AT_EMPTY_PATH flag like
295 * fchownat() does. */
296
297 if (chmod(FORMAT_PROC_FD_PATH(fd), m) < 0) {
298 if (errno != ENOENT)
299 return -errno;
300
301 if (proc_mounted() == 0)
302 return -ENOSYS; /* if we have no /proc/, the concept is not implementable */
303
304 return -ENOENT;
305 }
306
307 return 0;
308 }
309
310 int futimens_opath(int fd, const struct timespec ts[2]) {
311 /* Similar to fchmod_opath() but for futimens() */
312
313 if (utimensat(AT_FDCWD, FORMAT_PROC_FD_PATH(fd), ts, 0) < 0) {
314 if (errno != ENOENT)
315 return -errno;
316
317 if (proc_mounted() == 0)
318 return -ENOSYS; /* if we have no /proc/, the concept is not implementable */
319
320 return -ENOENT;
321 }
322
323 return 0;
324 }
325
326 int stat_warn_permissions(const char *path, const struct stat *st) {
327 assert(path);
328 assert(st);
329
330 /* Don't complain if we are reading something that is not a file, for example /dev/null */
331 if (!S_ISREG(st->st_mode))
332 return 0;
333
334 if (st->st_mode & 0111)
335 log_warning("Configuration file %s is marked executable. Please remove executable permission bits. Proceeding anyway.", path);
336
337 if (st->st_mode & 0002)
338 log_warning("Configuration file %s is marked world-writable. Please remove world writability permission bits. Proceeding anyway.", path);
339
340 if (getpid_cached() == 1 && (st->st_mode & 0044) != 0044)
341 log_warning("Configuration file %s is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.", path);
342
343 return 0;
344 }
345
346 int fd_warn_permissions(const char *path, int fd) {
347 struct stat st;
348
349 assert(path);
350 assert(fd >= 0);
351
352 if (fstat(fd, &st) < 0)
353 return -errno;
354
355 return stat_warn_permissions(path, &st);
356 }
357
358 int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode) {
359 _cleanup_close_ int fd = -EBADF;
360 int r, ret;
361
362 assert(path);
363
364 /* Note that touch_file() does not follow symlinks: if invoked on an existing symlink, then it is the symlink
365 * itself which is updated, not its target
366 *
367 * Returns the first error we encounter, but tries to apply as much as possible. */
368
369 if (parents)
370 (void) mkdir_parents(path, 0755);
371
372 /* Initially, we try to open the node with O_PATH, so that we get a reference to the node. This is useful in
373 * case the path refers to an existing device or socket node, as we can open it successfully in all cases, and
374 * won't trigger any driver magic or so. */
375 fd = open(path, O_PATH|O_CLOEXEC|O_NOFOLLOW);
376 if (fd < 0) {
377 if (errno != ENOENT)
378 return -errno;
379
380 /* if the node doesn't exist yet, we create it, but with O_EXCL, so that we only create a regular file
381 * here, and nothing else */
382 fd = open(path, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, IN_SET(mode, 0, MODE_INVALID) ? 0644 : mode);
383 if (fd < 0)
384 return -errno;
385 }
386
387 /* Let's make a path from the fd, and operate on that. With this logic, we can adjust the access mode,
388 * ownership and time of the file node in all cases, even if the fd refers to an O_PATH object — which is
389 * something fchown(), fchmod(), futimensat() don't allow. */
390 ret = fchmod_and_chown(fd, mode, uid, gid);
391
392 if (stamp != USEC_INFINITY) {
393 struct timespec ts[2];
394
395 timespec_store(&ts[0], stamp);
396 ts[1] = ts[0];
397 r = futimens_opath(fd, ts);
398 } else
399 r = futimens_opath(fd, NULL);
400 if (r < 0 && ret >= 0)
401 return r;
402
403 return ret;
404 }
405
406 int symlink_idempotent(const char *from, const char *to, bool make_relative) {
407 _cleanup_free_ char *relpath = NULL;
408 int r;
409
410 assert(from);
411 assert(to);
412
413 if (make_relative) {
414 r = path_make_relative_parent(to, from, &relpath);
415 if (r < 0)
416 return r;
417
418 from = relpath;
419 }
420
421 if (symlink(from, to) < 0) {
422 _cleanup_free_ char *p = NULL;
423
424 if (errno != EEXIST)
425 return -errno;
426
427 r = readlink_malloc(to, &p);
428 if (r == -EINVAL) /* Not a symlink? In that case return the original error we encountered: -EEXIST */
429 return -EEXIST;
430 if (r < 0) /* Any other error? In that case propagate it as is */
431 return r;
432
433 if (!streq(p, from)) /* Not the symlink we want it to be? In that case, propagate the original -EEXIST */
434 return -EEXIST;
435 }
436
437 return 0;
438 }
439
440 int symlinkat_atomic_full(const char *from, int atfd, const char *to, bool make_relative) {
441 _cleanup_free_ char *relpath = NULL, *t = NULL;
442 int r;
443
444 assert(from);
445 assert(to);
446
447 if (make_relative) {
448 r = path_make_relative_parent(to, from, &relpath);
449 if (r < 0)
450 return r;
451
452 from = relpath;
453 }
454
455 r = tempfn_random(to, NULL, &t);
456 if (r < 0)
457 return r;
458
459 if (symlinkat(from, atfd, t) < 0)
460 return -errno;
461
462 r = RET_NERRNO(renameat(atfd, t, atfd, to));
463 if (r < 0) {
464 (void) unlinkat(atfd, t, 0);
465 return r;
466 }
467
468 return 0;
469 }
470
471 int mknodat_atomic(int atfd, const char *path, mode_t mode, dev_t dev) {
472 _cleanup_free_ char *t = NULL;
473 int r;
474
475 assert(path);
476
477 r = tempfn_random(path, NULL, &t);
478 if (r < 0)
479 return r;
480
481 if (mknodat(atfd, t, mode, dev) < 0)
482 return -errno;
483
484 r = RET_NERRNO(renameat(atfd, t, atfd, path));
485 if (r < 0) {
486 (void) unlinkat(atfd, t, 0);
487 return r;
488 }
489
490 return 0;
491 }
492
493 int mkfifoat_atomic(int atfd, const char *path, mode_t mode) {
494 _cleanup_free_ char *t = NULL;
495 int r;
496
497 assert(path);
498
499 /* We're only interested in the (random) filename. */
500 r = tempfn_random(path, NULL, &t);
501 if (r < 0)
502 return r;
503
504 if (mkfifoat(atfd, t, mode) < 0)
505 return -errno;
506
507 r = RET_NERRNO(renameat(atfd, t, atfd, path));
508 if (r < 0) {
509 (void) unlinkat(atfd, t, 0);
510 return r;
511 }
512
513 return 0;
514 }
515
516 int get_files_in_directory(const char *path, char ***list) {
517 _cleanup_strv_free_ char **l = NULL;
518 _cleanup_closedir_ DIR *d = NULL;
519 size_t n = 0;
520
521 assert(path);
522
523 /* Returns all files in a directory in *list, and the number
524 * of files as return value. If list is NULL returns only the
525 * number. */
526
527 d = opendir(path);
528 if (!d)
529 return -errno;
530
531 FOREACH_DIRENT_ALL(de, d, return -errno) {
532 if (!dirent_is_file(de))
533 continue;
534
535 if (list) {
536 /* one extra slot is needed for the terminating NULL */
537 if (!GREEDY_REALLOC(l, n + 2))
538 return -ENOMEM;
539
540 l[n] = strdup(de->d_name);
541 if (!l[n])
542 return -ENOMEM;
543
544 l[++n] = NULL;
545 } else
546 n++;
547 }
548
549 if (list)
550 *list = TAKE_PTR(l);
551
552 return n;
553 }
554
555 static int getenv_tmp_dir(const char **ret_path) {
556 int r, ret = 0;
557
558 assert(ret_path);
559
560 /* We use the same order of environment variables python uses in tempfile.gettempdir():
561 * https://docs.python.org/3/library/tempfile.html#tempfile.gettempdir */
562 FOREACH_STRING(n, "TMPDIR", "TEMP", "TMP") {
563 const char *e;
564
565 e = secure_getenv(n);
566 if (!e)
567 continue;
568 if (!path_is_absolute(e)) {
569 r = -ENOTDIR;
570 goto next;
571 }
572 if (!path_is_normalized(e)) {
573 r = -EPERM;
574 goto next;
575 }
576
577 r = is_dir(e, true);
578 if (r < 0)
579 goto next;
580 if (r == 0) {
581 r = -ENOTDIR;
582 goto next;
583 }
584
585 *ret_path = e;
586 return 1;
587
588 next:
589 /* Remember first error, to make this more debuggable */
590 if (ret >= 0)
591 ret = r;
592 }
593
594 if (ret < 0)
595 return ret;
596
597 *ret_path = NULL;
598 return ret;
599 }
600
601 static int tmp_dir_internal(const char *def, const char **ret) {
602 const char *e;
603 int r, k;
604
605 assert(def);
606 assert(ret);
607
608 r = getenv_tmp_dir(&e);
609 if (r > 0) {
610 *ret = e;
611 return 0;
612 }
613
614 k = is_dir(def, true);
615 if (k == 0)
616 k = -ENOTDIR;
617 if (k < 0)
618 return r < 0 ? r : k;
619
620 *ret = def;
621 return 0;
622 }
623
624 int var_tmp_dir(const char **ret) {
625
626 /* Returns the location for "larger" temporary files, that is backed by physical storage if available, and thus
627 * even might survive a boot: /var/tmp. If $TMPDIR (or related environment variables) are set, its value is
628 * returned preferably however. Note that both this function and tmp_dir() below are affected by $TMPDIR,
629 * making it a variable that overrides all temporary file storage locations. */
630
631 return tmp_dir_internal("/var/tmp", ret);
632 }
633
634 int tmp_dir(const char **ret) {
635
636 /* Similar to var_tmp_dir() above, but returns the location for "smaller" temporary files, which is usually
637 * backed by an in-memory file system: /tmp. */
638
639 return tmp_dir_internal("/tmp", ret);
640 }
641
642 int unlink_or_warn(const char *filename) {
643 if (unlink(filename) < 0 && errno != ENOENT)
644 /* If the file doesn't exist and the fs simply was read-only (in which
645 * case unlink() returns EROFS even if the file doesn't exist), don't
646 * complain */
647 if (errno != EROFS || access(filename, F_OK) >= 0)
648 return log_error_errno(errno, "Failed to remove \"%s\": %m", filename);
649
650 return 0;
651 }
652
653 int access_fd(int fd, int mode) {
654 /* Like access() but operates on an already open fd */
655
656 if (access(FORMAT_PROC_FD_PATH(fd), mode) < 0) {
657 if (errno != ENOENT)
658 return -errno;
659
660 /* ENOENT can mean two things: that the fd does not exist or that /proc is not mounted. Let's
661 * make things debuggable and distinguish the two. */
662
663 if (proc_mounted() == 0)
664 return -ENOSYS; /* /proc is not available or not set up properly, we're most likely in some chroot
665 * environment. */
666
667 return -EBADF; /* The directory exists, hence it's the fd that doesn't. */
668 }
669
670 return 0;
671 }
672
673 void unlink_tempfilep(char (*p)[]) {
674 /* If the file is created with mkstemp(), it will (almost always)
675 * change the suffix. Treat this as a sign that the file was
676 * successfully created. We ignore both the rare case where the
677 * original suffix is used and unlink failures. */
678 if (!endswith(*p, ".XXXXXX"))
679 (void) unlink(*p);
680 }
681
682 int unlinkat_deallocate(int fd, const char *name, UnlinkDeallocateFlags flags) {
683 _cleanup_close_ int truncate_fd = -EBADF;
684 struct stat st;
685 off_t l, bs;
686
687 assert((flags & ~(UNLINK_REMOVEDIR|UNLINK_ERASE)) == 0);
688
689 /* Operates like unlinkat() but also deallocates the file contents if it is a regular file and there's no other
690 * link to it. This is useful to ensure that other processes that might have the file open for reading won't be
691 * able to keep the data pinned on disk forever. This call is particular useful whenever we execute clean-up
692 * jobs ("vacuuming"), where we want to make sure the data is really gone and the disk space released and
693 * returned to the free pool.
694 *
695 * Deallocation is preferably done by FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE (👊) if supported, which means
696 * the file won't change size. That's a good thing since we shouldn't needlessly trigger SIGBUS in other
697 * programs that have mmap()ed the file. (The assumption here is that changing file contents to all zeroes
698 * underneath those programs is the better choice than simply triggering SIGBUS in them which truncation does.)
699 * However if hole punching is not implemented in the kernel or file system we'll fall back to normal file
700 * truncation (🔪), as our goal of deallocating the data space trumps our goal of being nice to readers (💐).
701 *
702 * Note that we attempt deallocation, but failure to succeed with that is not considered fatal, as long as the
703 * primary job – to delete the file – is accomplished. */
704
705 if (!FLAGS_SET(flags, UNLINK_REMOVEDIR)) {
706 truncate_fd = openat(fd, name, O_WRONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|O_NONBLOCK);
707 if (truncate_fd < 0) {
708
709 /* If this failed because the file doesn't exist propagate the error right-away. Also,
710 * AT_REMOVEDIR wasn't set, and we tried to open the file for writing, which means EISDIR is
711 * returned when this is a directory but we are not supposed to delete those, hence propagate
712 * the error right-away too. */
713 if (IN_SET(errno, ENOENT, EISDIR))
714 return -errno;
715
716 if (errno != ELOOP) /* don't complain if this is a symlink */
717 log_debug_errno(errno, "Failed to open file '%s' for deallocation, ignoring: %m", name);
718 }
719 }
720
721 if (unlinkat(fd, name, FLAGS_SET(flags, UNLINK_REMOVEDIR) ? AT_REMOVEDIR : 0) < 0)
722 return -errno;
723
724 if (truncate_fd < 0) /* Don't have a file handle, can't do more ☹️ */
725 return 0;
726
727 if (fstat(truncate_fd, &st) < 0) {
728 log_debug_errno(errno, "Failed to stat file '%s' for deallocation, ignoring: %m", name);
729 return 0;
730 }
731
732 if (!S_ISREG(st.st_mode))
733 return 0;
734
735 if (FLAGS_SET(flags, UNLINK_ERASE) && st.st_size > 0 && st.st_nlink == 0) {
736 uint64_t left = st.st_size;
737 char buffer[64 * 1024];
738
739 /* If erasing is requested, let's overwrite the file with random data once before deleting
740 * it. This isn't going to give you shred(1) semantics, but hopefully should be good enough
741 * for stuff backed by tmpfs at least.
742 *
743 * Note that we only erase like this if the link count of the file is zero. If it is higher it
744 * is still linked by someone else and we'll leave it to them to remove it securely
745 * eventually! */
746
747 random_bytes(buffer, sizeof(buffer));
748
749 while (left > 0) {
750 ssize_t n;
751
752 n = write(truncate_fd, buffer, MIN(sizeof(buffer), left));
753 if (n < 0) {
754 log_debug_errno(errno, "Failed to erase data in file '%s', ignoring.", name);
755 break;
756 }
757
758 assert(left >= (size_t) n);
759 left -= n;
760 }
761
762 /* Let's refresh metadata */
763 if (fstat(truncate_fd, &st) < 0) {
764 log_debug_errno(errno, "Failed to stat file '%s' for deallocation, ignoring: %m", name);
765 return 0;
766 }
767 }
768
769 /* Don't dallocate if there's nothing to deallocate or if the file is linked elsewhere */
770 if (st.st_blocks == 0 || st.st_nlink > 0)
771 return 0;
772
773 /* If this is a regular file, it actually took up space on disk and there are no other links it's time to
774 * punch-hole/truncate this to release the disk space. */
775
776 bs = MAX(st.st_blksize, 512);
777 l = ROUND_UP(st.st_size, bs); /* Round up to next block size */
778
779 if (fallocate(truncate_fd, FALLOC_FL_PUNCH_HOLE|FALLOC_FL_KEEP_SIZE, 0, l) >= 0)
780 return 0; /* Successfully punched a hole! 😊 */
781
782 /* Fall back to truncation */
783 if (ftruncate(truncate_fd, 0) < 0) {
784 log_debug_errno(errno, "Failed to truncate file to 0, ignoring: %m");
785 return 0;
786 }
787
788 return 0;
789 }
790
791 int open_parent_at(int dir_fd, const char *path, int flags, mode_t mode) {
792 _cleanup_free_ char *parent = NULL;
793 int r;
794
795 assert(dir_fd >= 0 || dir_fd == AT_FDCWD);
796 assert(path);
797
798 r = path_extract_directory(path, &parent);
799 if (r == -EDESTADDRREQ) {
800 parent = strdup(".");
801 if (!parent)
802 return -ENOMEM;
803 } else if (r == -EADDRNOTAVAIL) {
804 parent = strdup(path);
805 if (!parent)
806 return -ENOMEM;
807 } else if (r < 0)
808 return r;
809
810 /* Let's insist on O_DIRECTORY since the parent of a file or directory is a directory. Except if we open an
811 * O_TMPFILE file, because in that case we are actually create a regular file below the parent directory. */
812
813 if (FLAGS_SET(flags, O_PATH))
814 flags |= O_DIRECTORY;
815 else if (!FLAGS_SET(flags, O_TMPFILE))
816 flags |= O_DIRECTORY|O_RDONLY;
817
818 return RET_NERRNO(openat(dir_fd, parent, flags, mode));
819 }
820
821 int conservative_renameat(
822 int olddirfd, const char *oldpath,
823 int newdirfd, const char *newpath) {
824
825 _cleanup_close_ int old_fd = -EBADF, new_fd = -EBADF;
826 struct stat old_stat, new_stat;
827
828 /* Renames the old path to the new path, much like renameat() — except if both are regular files and
829 * have the exact same contents and basic file attributes already. In that case remove the new file
830 * instead. This call is useful for reducing inotify wakeups on files that are updated but don't
831 * actually change. This function is written in a style that we rather rename too often than suppress
832 * too much. I.e. whenever we are in doubt, we rather rename than fail. After all reducing inotify
833 * events is an optimization only, not more. */
834
835 old_fd = openat(olddirfd, oldpath, O_CLOEXEC|O_RDONLY|O_NOCTTY|O_NOFOLLOW);
836 if (old_fd < 0)
837 goto do_rename;
838
839 new_fd = openat(newdirfd, newpath, O_CLOEXEC|O_RDONLY|O_NOCTTY|O_NOFOLLOW);
840 if (new_fd < 0)
841 goto do_rename;
842
843 if (fstat(old_fd, &old_stat) < 0)
844 goto do_rename;
845
846 if (!S_ISREG(old_stat.st_mode))
847 goto do_rename;
848
849 if (fstat(new_fd, &new_stat) < 0)
850 goto do_rename;
851
852 if (stat_inode_same(&new_stat, &old_stat))
853 goto is_same;
854
855 if (old_stat.st_mode != new_stat.st_mode ||
856 old_stat.st_size != new_stat.st_size ||
857 old_stat.st_uid != new_stat.st_uid ||
858 old_stat.st_gid != new_stat.st_gid)
859 goto do_rename;
860
861 for (;;) {
862 uint8_t buf1[16*1024];
863 uint8_t buf2[sizeof(buf1)];
864 ssize_t l1, l2;
865
866 l1 = read(old_fd, buf1, sizeof(buf1));
867 if (l1 < 0)
868 goto do_rename;
869
870 if (l1 == sizeof(buf1))
871 /* Read the full block, hence read a full block in the other file too */
872
873 l2 = read(new_fd, buf2, l1);
874 else {
875 assert((size_t) l1 < sizeof(buf1));
876
877 /* Short read. This hence was the last block in the first file, and then came
878 * EOF. Read one byte more in the second file, so that we can verify we hit EOF there
879 * too. */
880
881 assert((size_t) (l1 + 1) <= sizeof(buf2));
882 l2 = read(new_fd, buf2, l1 + 1);
883 }
884 if (l2 != l1)
885 goto do_rename;
886
887 if (memcmp(buf1, buf2, l1) != 0)
888 goto do_rename;
889
890 if ((size_t) l1 < sizeof(buf1)) /* We hit EOF on the first file, and the second file too, hence exit
891 * now. */
892 break;
893 }
894
895 is_same:
896 /* Everything matches? Then don't rename, instead remove the source file, and leave the existing
897 * destination in place */
898
899 if (unlinkat(olddirfd, oldpath, 0) < 0)
900 goto do_rename;
901
902 return 0;
903
904 do_rename:
905 if (renameat(olddirfd, oldpath, newdirfd, newpath) < 0)
906 return -errno;
907
908 return 1;
909 }
910
911 int posix_fallocate_loop(int fd, uint64_t offset, uint64_t size) {
912 RateLimit rl;
913 int r;
914
915 r = posix_fallocate(fd, offset, size); /* returns positive errnos on error */
916 if (r != EINTR)
917 return -r; /* Let's return negative errnos, like common in our codebase */
918
919 /* On EINTR try a couple of times more, but protect against busy looping
920 * (not more than 16 times per 10s) */
921 rl = (const RateLimit) { 10 * USEC_PER_SEC, 16 };
922 while (ratelimit_below(&rl)) {
923 r = posix_fallocate(fd, offset, size);
924 if (r != EINTR)
925 return -r;
926 }
927
928 return -EINTR;
929 }
930
931 int parse_cifs_service(
932 const char *s,
933 char **ret_host,
934 char **ret_service,
935 char **ret_path) {
936
937 _cleanup_free_ char *h = NULL, *ss = NULL, *x = NULL;
938 const char *p, *e, *d;
939 char delimiter;
940
941 /* Parses a CIFS service in form of //host/service/path… and splitting it in three parts. The last
942 * part is optional, in which case NULL is returned there. To maximize compatibility syntax with
943 * backslashes instead of slashes is accepted too. */
944
945 if (!s)
946 return -EINVAL;
947
948 p = startswith(s, "//");
949 if (!p) {
950 p = startswith(s, "\\\\");
951 if (!p)
952 return -EINVAL;
953 }
954
955 delimiter = s[0];
956 e = strchr(p, delimiter);
957 if (!e)
958 return -EINVAL;
959
960 h = strndup(p, e - p);
961 if (!h)
962 return -ENOMEM;
963
964 if (!hostname_is_valid(h, 0))
965 return -EINVAL;
966
967 e++;
968
969 d = strchrnul(e, delimiter);
970
971 ss = strndup(e, d - e);
972 if (!ss)
973 return -ENOMEM;
974
975 if (!filename_is_valid(ss))
976 return -EINVAL;
977
978 if (!isempty(d)) {
979 x = strdup(skip_leading_chars(d, CHAR_TO_STR(delimiter)));
980 if (!x)
981 return -EINVAL;
982
983 /* Make sure to convert Windows-style "\" → Unix-style / */
984 for (char *i = x; *i; i++)
985 if (*i == delimiter)
986 *i = '/';
987
988 if (!path_is_valid(x))
989 return -EINVAL;
990
991 path_simplify(x);
992 if (!path_is_normalized(x))
993 return -EINVAL;
994 }
995
996 if (ret_host)
997 *ret_host = TAKE_PTR(h);
998 if (ret_service)
999 *ret_service = TAKE_PTR(ss);
1000 if (ret_path)
1001 *ret_path = TAKE_PTR(x);
1002
1003 return 0;
1004 }
1005
1006 int open_mkdir_at(int dirfd, const char *path, int flags, mode_t mode) {
1007 _cleanup_close_ int fd = -EBADF, parent_fd = -EBADF;
1008 _cleanup_free_ char *fname = NULL, *parent = NULL;
1009 int r;
1010
1011 /* Creates a directory with mkdirat() and then opens it, in the "most atomic" fashion we can
1012 * do. Guarantees that the returned fd refers to a directory. If O_EXCL is specified will fail if the
1013 * dir already exists. Otherwise will open an existing dir, but only if it is one. */
1014
1015 if (flags & ~(O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_EXCL|O_NOATIME|O_NOFOLLOW|O_PATH))
1016 return -EINVAL;
1017 if ((flags & O_ACCMODE) != O_RDONLY)
1018 return -EINVAL;
1019
1020 /* Note that O_DIRECTORY|O_NOFOLLOW is implied, but we allow specifying it anyway. The following
1021 * flags actually make sense to specify: O_CLOEXEC, O_EXCL, O_NOATIME, O_PATH */
1022
1023 /* If this is not a valid filename, it's a path. Let's open the parent directory then, so
1024 * that we can pin it, and operate below it. */
1025 r = path_extract_directory(path, &parent);
1026 if (r < 0) {
1027 if (!IN_SET(r, -EDESTADDRREQ, -EADDRNOTAVAIL))
1028 return r;
1029 } else {
1030 r = path_extract_filename(path, &fname);
1031 if (r < 0)
1032 return r;
1033
1034 parent_fd = openat(dirfd, parent, O_PATH|O_DIRECTORY|O_CLOEXEC);
1035 if (parent_fd < 0)
1036 return -errno;
1037
1038 dirfd = parent_fd;
1039 path = fname;
1040 }
1041
1042 fd = xopenat(dirfd, path, flags|O_CREAT|O_DIRECTORY|O_NOFOLLOW, /* xopen_flags = */ 0, mode);
1043 if (IN_SET(fd, -ELOOP, -ENOTDIR))
1044 return -EEXIST;
1045 if (fd < 0)
1046 return fd;
1047
1048 return TAKE_FD(fd);
1049 }
1050
1051 int openat_report_new(int dirfd, const char *pathname, int flags, mode_t mode, bool *ret_newly_created) {
1052 unsigned attempts = 7;
1053 int fd;
1054
1055 /* Just like openat(), but adds one thing: optionally returns whether we created the file anew or if
1056 * it already existed before. This is only relevant if O_CREAT is set without O_EXCL, and thus will
1057 * shortcut to openat() otherwise */
1058
1059 if (!ret_newly_created)
1060 return RET_NERRNO(openat(dirfd, pathname, flags, mode));
1061
1062 if (!FLAGS_SET(flags, O_CREAT) || FLAGS_SET(flags, O_EXCL)) {
1063 fd = openat(dirfd, pathname, flags, mode);
1064 if (fd < 0)
1065 return -errno;
1066
1067 *ret_newly_created = FLAGS_SET(flags, O_CREAT);
1068 return fd;
1069 }
1070
1071 for (;;) {
1072 /* First, attempt to open without O_CREAT/O_EXCL, i.e. open existing file */
1073 fd = openat(dirfd, pathname, flags & ~(O_CREAT | O_EXCL), mode);
1074 if (fd >= 0) {
1075 *ret_newly_created = false;
1076 return fd;
1077 }
1078 if (errno != ENOENT)
1079 return -errno;
1080
1081 /* So the file didn't exist yet, hence create it with O_CREAT/O_EXCL. */
1082 fd = openat(dirfd, pathname, flags | O_CREAT | O_EXCL, mode);
1083 if (fd >= 0) {
1084 *ret_newly_created = true;
1085 return fd;
1086 }
1087 if (errno != EEXIST)
1088 return -errno;
1089
1090 /* Hmm, so now we got EEXIST? So it apparently exists now? If so, let's try to open again
1091 * without the two flags. But let's not spin forever, hence put a limit on things */
1092
1093 if (--attempts == 0) /* Give up eventually, somebody is playing with us */
1094 return -EEXIST;
1095 }
1096 }
1097
1098 int xopenat(int dir_fd, const char *path, int open_flags, XOpenFlags xopen_flags, mode_t mode) {
1099 _cleanup_close_ int fd = -EBADF;
1100 bool made = false;
1101 int r;
1102
1103 assert(dir_fd >= 0 || dir_fd == AT_FDCWD);
1104
1105 if (isempty(path)) {
1106 assert(!FLAGS_SET(open_flags, O_CREAT|O_EXCL));
1107 return fd_reopen(dir_fd, open_flags & ~O_NOFOLLOW);
1108 }
1109
1110 if (FLAGS_SET(open_flags, O_CREAT) && FLAGS_SET(xopen_flags, XO_LABEL)) {
1111 r = label_ops_pre(dir_fd, path, FLAGS_SET(open_flags, O_DIRECTORY) ? S_IFDIR : S_IFREG);
1112 if (r < 0)
1113 return r;
1114 }
1115
1116 if (FLAGS_SET(open_flags, O_DIRECTORY|O_CREAT)) {
1117 r = RET_NERRNO(mkdirat(dir_fd, path, mode));
1118 if (r == -EEXIST) {
1119 if (FLAGS_SET(open_flags, O_EXCL))
1120 return -EEXIST;
1121
1122 made = false;
1123 } else if (r < 0)
1124 return r;
1125 else
1126 made = true;
1127
1128 if (FLAGS_SET(xopen_flags, XO_LABEL)) {
1129 r = label_ops_post(dir_fd, path);
1130 if (r < 0)
1131 return r;
1132 }
1133
1134 open_flags &= ~(O_EXCL|O_CREAT);
1135 xopen_flags &= ~XO_LABEL;
1136 }
1137
1138 fd = RET_NERRNO(openat(dir_fd, path, open_flags, mode));
1139 if (fd < 0) {
1140 if (IN_SET(fd,
1141 /* We got ENOENT? then someone else immediately removed it after we
1142 * created it. In that case let's return immediately without unlinking
1143 * anything, because there simply isn't anything to unlink anymore. */
1144 -ENOENT,
1145 /* is a symlink? exists already → created by someone else, don't unlink */
1146 -ELOOP,
1147 /* not a directory? exists already → created by someone else, don't unlink */
1148 -ENOTDIR))
1149 return fd;
1150
1151 if (made)
1152 (void) unlinkat(dir_fd, path, AT_REMOVEDIR);
1153
1154 return fd;
1155 }
1156
1157 if (FLAGS_SET(open_flags, O_CREAT) && FLAGS_SET(xopen_flags, XO_LABEL)) {
1158 r = label_ops_post(dir_fd, path);
1159 if (r < 0)
1160 return r;
1161 }
1162
1163 return TAKE_FD(fd);
1164 }
1165
1166 int xopenat_lock(
1167 int dir_fd,
1168 const char *path,
1169 int open_flags,
1170 XOpenFlags xopen_flags,
1171 mode_t mode,
1172 LockType locktype,
1173 int operation) {
1174
1175 _cleanup_close_ int fd = -EBADF;
1176 int r;
1177
1178 assert(dir_fd >= 0 || dir_fd == AT_FDCWD);
1179 assert(IN_SET(operation & ~LOCK_NB, LOCK_EX, LOCK_SH));
1180
1181 /* POSIX/UNPOSIX locks don't work on directories (errno is set to -EBADF so let's return early with
1182 * the same error here). */
1183 if (FLAGS_SET(open_flags, O_DIRECTORY) && !IN_SET(locktype, LOCK_BSD, LOCK_NONE))
1184 return -EBADF;
1185
1186 for (;;) {
1187 struct stat st;
1188
1189 fd = xopenat(dir_fd, path, open_flags, xopen_flags, mode);
1190 if (fd < 0)
1191 return fd;
1192
1193 r = lock_generic(fd, locktype, operation);
1194 if (r < 0)
1195 return r;
1196
1197 /* If we acquired the lock, let's check if the file/directory still exists in the file
1198 * system. If not, then the previous exclusive owner removed it and then closed it. In such a
1199 * case our acquired lock is worthless, hence try again. */
1200
1201 if (fstat(fd, &st) < 0)
1202 return -errno;
1203 if (st.st_nlink > 0)
1204 break;
1205
1206 fd = safe_close(fd);
1207 }
1208
1209 return TAKE_FD(fd);
1210 }
A System and Session Manager (ALT Linux package)