+static int wall_tty_block(void) {
+ char *p;
+ int fd, r;
+ dev_t devnr;
+
+ if ((r = get_ctty_devnr(&devnr)) < 0)
+ return -r;
+
+ if (asprintf(&p, "/run/systemd/ask-password-block/%u:%u", major(devnr), minor(devnr)) < 0)
+ return -ENOMEM;
+
+ mkdir_parents(p, 0700);
+ mkfifo(p, 0600);
+
+ fd = open(p, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
+ free(p);
+
+ if (fd < 0)
+ return -errno;
+
+ return fd;
+}
+
+static bool wall_tty_match(const char *path) {
+ int fd, k;
+ char *p;
+ struct stat st;
+
+ if (path_is_absolute(path))
+ k = lstat(path, &st);
+ else {
+ if (asprintf(&p, "/dev/%s", path) < 0)
+ return true;
+
+ k = lstat(p, &st);
+ free(p);
+ }
+
+ if (k < 0)
+ return true;
+
+ if (!S_ISCHR(st.st_mode))
+ return true;
+
+ /* We use named pipes to ensure that wall messages suggesting
+ * password entry are not printed over password prompts
+ * already shown. We use the fact here that opening a pipe in
+ * non-blocking mode for write-only will succeed only if
+ * there's some writer behind it. Using pipes has the
+ * advantage that the block will automatically go away if the
+ * process dies. */
+
+ if (asprintf(&p, "/run/systemd/ask-password-block/%u:%u", major(st.st_rdev), minor(st.st_rdev)) < 0)
+ return true;
+
+ fd = open(p, O_WRONLY|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
+ free(p);
+
+ if (fd < 0)
+ return true;
+
+ /* What, we managed to open the pipe? Then this tty is filtered. */
+ close_nointr_nofail(fd);
+ return false;
+}
+