1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2010 Lennart Poettering
10 #include <sys/resource.h>
11 #include <sys/socket.h>
15 #include "dirent-util.h"
20 #include "memfd-util.h"
22 #include "parse-util.h"
23 #include "path-util.h"
24 #include "process-util.h"
25 #include "socket-util.h"
26 #include "stdio-util.h"
29 int close_nointr(int fd) {
36 * Just ignore EINTR; a retry loop is the wrong thing to do on
39 * http://lkml.indiana.edu/hypermail/linux/kernel/0509.1/0877.html
40 * https://bugzilla.gnome.org/show_bug.cgi?id=682819
41 * http://utcc.utoronto.ca/~cks/space/blog/unix/CloseEINTR
42 * https://sites.google.com/site/michaelsafyan/software-engineering/checkforeintrwheninvokingclosethinkagain
50 int safe_close(int fd) {
53 * Like close_nointr() but cannot fail. Guarantees errno is
54 * unchanged. Is a NOP with negative fds passed, and returns
55 * -1, so that it can be used in this syntax:
57 * fd = safe_close(fd);
63 /* The kernel might return pretty much any error code
64 * via close(), but the fd will be closed anyway. The
65 * only condition we want to check for here is whether
66 * the fd was invalid at all... */
68 assert_se(close_nointr(fd) != -EBADF);
74 void safe_close_pair(int p[]) {
78 /* Special case pairs which use the same fd in both
80 p[0] = p[1] = safe_close(p[0]);
84 p[0] = safe_close(p[0]);
85 p[1] = safe_close(p[1]);
88 void close_many(const int fds[], size_t n_fd) {
91 assert(fds || n_fd <= 0);
93 for (i = 0; i < n_fd; i++)
97 int fclose_nointr(FILE *f) {
100 /* Same as close_nointr(), but for fclose() */
111 FILE* safe_fclose(FILE *f) {
113 /* Same as safe_close(), but for fclose() */
118 assert_se(fclose_nointr(f) != EBADF);
124 #if 0 /// UNNEEDED by elogind
125 DIR* safe_closedir(DIR *d) {
130 assert_se(closedir(d) >= 0 || errno != EBADF);
137 int fd_nonblock(int fd, bool nonblock) {
142 flags = fcntl(fd, F_GETFL, 0);
147 nflags = flags | O_NONBLOCK;
149 nflags = flags & ~O_NONBLOCK;
154 if (fcntl(fd, F_SETFL, nflags) < 0)
160 int fd_cloexec(int fd, bool cloexec) {
165 flags = fcntl(fd, F_GETFD, 0);
170 nflags = flags | FD_CLOEXEC;
172 nflags = flags & ~FD_CLOEXEC;
177 if (fcntl(fd, F_SETFD, nflags) < 0)
183 _pure_ static bool fd_in_set(int fd, const int fdset[], size_t n_fdset) {
186 assert(n_fdset == 0 || fdset);
188 for (i = 0; i < n_fdset; i++)
195 int close_all_fds(const int except[], size_t n_except) {
196 _cleanup_closedir_ DIR *d = NULL;
200 assert(n_except == 0 || except);
202 d = opendir("/proc/self/fd");
207 /* When /proc isn't available (for example in chroots) the fallback is brute forcing through the fd
210 assert_se(getrlimit(RLIMIT_NOFILE, &rl) >= 0);
212 if (rl.rlim_max == 0)
215 /* Let's take special care if the resource limit is set to unlimited, or actually larger than the range
216 * of 'int'. Let's avoid implicit overflows. */
217 max_fd = (rl.rlim_max == RLIM_INFINITY || rl.rlim_max > INT_MAX) ? INT_MAX : (int) (rl.rlim_max - 1);
219 for (fd = 3; fd >= 0; fd = fd < max_fd ? fd + 1 : -1) {
222 if (fd_in_set(fd, except, n_except))
225 q = close_nointr(fd);
226 if (q < 0 && q != -EBADF && r >= 0)
233 FOREACH_DIRENT(de, d, return -errno) {
236 if (safe_atoi(de->d_name, &fd) < 0)
237 /* Let's better ignore this, just in case */
246 if (fd_in_set(fd, except, n_except))
249 q = close_nointr(fd);
250 if (q < 0 && q != -EBADF && r >= 0) /* Valgrind has its own FD and doesn't want to have it closed */
257 #if 0 /// UNNEEDED by elogind
258 int same_fd(int a, int b) {
259 struct stat sta, stb;
266 /* Compares two file descriptors. Note that semantics are
267 * quite different depending on whether we have kcmp() or we
268 * don't. If we have kcmp() this will only return true for
269 * dup()ed file descriptors, but not otherwise. If we don't
270 * have kcmp() this will also return true for two fds of the same
271 * file, created by separate open() calls. Since we use this
272 * call mostly for filtering out duplicates in the fd store
273 * this difference hopefully doesn't matter too much. */
278 /* Try to use kcmp() if we have it. */
279 pid = getpid_cached();
280 r = kcmp(pid, pid, KCMP_FILE, a, b);
288 /* We don't have kcmp(), use fstat() instead. */
289 if (fstat(a, &sta) < 0)
292 if (fstat(b, &stb) < 0)
295 if ((sta.st_mode & S_IFMT) != (stb.st_mode & S_IFMT))
298 /* We consider all device fds different, since two device fds
299 * might refer to quite different device contexts even though
300 * they share the same inode and backing dev_t. */
302 if (S_ISCHR(sta.st_mode) || S_ISBLK(sta.st_mode))
305 if (sta.st_dev != stb.st_dev || sta.st_ino != stb.st_ino)
308 /* The fds refer to the same inode on disk, let's also check
309 * if they have the same fd flags. This is useful to
310 * distinguish the read and write side of a pipe created with
312 fa = fcntl(a, F_GETFL);
316 fb = fcntl(b, F_GETFL);
323 void cmsg_close_all(struct msghdr *mh) {
324 struct cmsghdr *cmsg;
328 CMSG_FOREACH(cmsg, mh)
329 if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS)
330 close_many((int*) CMSG_DATA(cmsg), (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int));
333 bool fdname_is_valid(const char *s) {
336 /* Validates a name for $LISTEN_FDNAMES. We basically allow
337 * everything ASCII that's not a control character. Also, as
338 * special exception the ":" character is not allowed, as we
339 * use that as field separator in $LISTEN_FDNAMES.
341 * Note that the empty string is explicitly allowed
342 * here. However, we limit the length of the names to 255
348 for (p = s; *p; p++) {
361 int fd_get_path(int fd, char **ret) {
362 _cleanup_close_ int dir = -1;
363 char fdname[DECIMAL_STR_MAX(int)];
366 dir = open("/proc/self/fd/", O_CLOEXEC | O_DIRECTORY | O_PATH);
368 /* /proc is not available or not set up properly, we're most likely
369 * in some chroot environment. */
370 return errno == ENOENT ? -EOPNOTSUPP : -errno;
372 xsprintf(fdname, "%i", fd);
374 r = readlinkat_malloc(dir, fdname, ret);
376 /* If the file doesn't exist the fd is invalid */
382 int move_fd(int from, int to, int cloexec) {
385 /* Move fd 'from' to 'to', make sure FD_CLOEXEC remains equal if requested, and release the old fd. If
386 * 'cloexec' is passed as -1, the original FD_CLOEXEC is inherited for the new fd. If it is 0, it is turned
387 * off, if it is > 0 it is turned on. */
397 r = fd_cloexec(to, cloexec);
408 fl = fcntl(from, F_GETFD, 0);
412 cloexec = !!(fl & FD_CLOEXEC);
415 r = dup3(from, to, cloexec ? O_CLOEXEC : 0);
426 int acquire_data_fd(const void *data, size_t size, unsigned flags) {
428 _cleanup_close_pair_ int pipefds[2] = { -1, -1 };
429 char pattern[] = "/dev/shm/data-fd-XXXXXX";
430 _cleanup_close_ int fd = -1;
435 assert(data || size == 0);
437 /* Acquire a read-only file descriptor that when read from returns the specified data. This is much more
438 * complex than I wish it was. But here's why:
440 * a) First we try to use memfds. They are the best option, as we can seal them nicely to make them
441 * read-only. Unfortunately they require kernel 3.17, and – at the time of writing – we still support 3.14.
443 * b) Then, we try classic pipes. They are the second best options, as we can close the writing side, retaining
444 * a nicely read-only fd in the reading side. However, they are by default quite small, and unprivileged
445 * clients can only bump their size to a system-wide limit, which might be quite low.
447 * c) Then, we try an O_TMPFILE file in /dev/shm (that dir is the only suitable one known to exist from
448 * earliest boot on). To make it read-only we open the fd a second time with O_RDONLY via
449 * /proc/self/<fd>. Unfortunately O_TMPFILE is not available on older kernels on tmpfs.
451 * d) Finally, we try creating a regular file in /dev/shm, which we then delete.
453 * It sucks a bit that depending on the situation we return very different objects here, but that's Linux I
456 if (size == 0 && ((flags & ACQUIRE_NO_DEV_NULL) == 0)) {
457 /* As a special case, return /dev/null if we have been called for an empty data block */
458 r = open("/dev/null", O_RDONLY|O_CLOEXEC|O_NOCTTY);
465 if ((flags & ACQUIRE_NO_MEMFD) == 0) {
466 fd = memfd_new("data-fd");
470 n = write(fd, data, size);
473 if ((size_t) n != size)
476 f = lseek(fd, 0, SEEK_SET);
480 r = memfd_set_sealed(fd);
488 if ((flags & ACQUIRE_NO_PIPE) == 0) {
489 if (pipe2(pipefds, O_CLOEXEC|O_NONBLOCK) < 0)
492 isz = fcntl(pipefds[1], F_GETPIPE_SZ, 0);
496 if ((size_t) isz < size) {
498 if (isz < 0 || (size_t) isz != size)
501 /* Try to bump the pipe size */
502 (void) fcntl(pipefds[1], F_SETPIPE_SZ, isz);
504 /* See if that worked */
505 isz = fcntl(pipefds[1], F_GETPIPE_SZ, 0);
509 if ((size_t) isz < size)
513 n = write(pipefds[1], data, size);
516 if ((size_t) n != size)
519 (void) fd_nonblock(pipefds[0], false);
521 return TAKE_FD(pipefds[0]);
525 if ((flags & ACQUIRE_NO_TMPFILE) == 0) {
526 fd = open("/dev/shm", O_RDWR|O_TMPFILE|O_CLOEXEC, 0500);
528 goto try_dev_shm_without_o_tmpfile;
530 n = write(fd, data, size);
533 if ((size_t) n != size)
536 /* Let's reopen the thing, in order to get an O_RDONLY fd for the original O_RDWR one */
537 return fd_reopen(fd, O_RDONLY|O_CLOEXEC);
540 try_dev_shm_without_o_tmpfile:
541 if ((flags & ACQUIRE_NO_REGULAR) == 0) {
542 fd = mkostemp_safe(pattern);
546 n = write(fd, data, size);
549 goto unlink_and_return;
551 if ((size_t) n != size) {
553 goto unlink_and_return;
556 /* Let's reopen the thing, in order to get an O_RDONLY fd for the original O_RDWR one */
557 r = open(pattern, O_RDONLY|O_CLOEXEC);
562 (void) unlink(pattern);
569 int fd_move_above_stdio(int fd) {
573 /* Moves the specified file descriptor if possible out of the range [0…2], i.e. the range of
574 * stdin/stdout/stderr. If it can't be moved outside of this range the original file descriptor is
575 * returned. This call is supposed to be used for long-lasting file descriptors we allocate in our code that
576 * might get loaded into foreign code, and where we want ensure our fds are unlikely used accidentally as
577 * stdin/stdout/stderr of unrelated code.
579 * Note that this doesn't fix any real bugs, it just makes it less likely that our code will be affected by
580 * buggy code from others that mindlessly invokes 'fprintf(stderr, …' or similar in places where stderr has
581 * been closed before.
583 * This function is written in a "best-effort" and "least-impact" style. This means whenever we encounter an
584 * error we simply return the original file descriptor, and we do not touch errno. */
586 if (fd < 0 || fd > 2)
589 flags = fcntl(fd, F_GETFD, 0);
593 if (flags & FD_CLOEXEC)
594 copy = fcntl(fd, F_DUPFD_CLOEXEC, 3);
596 copy = fcntl(fd, F_DUPFD, 3);
606 int rearrange_stdio(int original_input_fd, int original_output_fd, int original_error_fd) {
608 int fd[3] = { /* Put together an array of fds we work on */
615 null_fd = -1, /* if we open /dev/null, we store the fd to it here */
616 copy_fd[3] = { -1, -1, -1 }; /* This contains all fds we duplicate here temporarily, and hence need to close at the end */
617 bool null_readable, null_writable;
619 /* Sets up stdin, stdout, stderr with the three file descriptors passed in. If any of the descriptors is
620 * specified as -1 it will be connected with /dev/null instead. If any of the file descriptors is passed as
621 * itself (e.g. stdin as STDIN_FILENO) it is left unmodified, but the O_CLOEXEC bit is turned off should it be
624 * Note that if any of the passed file descriptors are > 2 they will be closed — both on success and on
625 * failure! Thus, callers should assume that when this function returns the input fds are invalidated.
627 * Note that when this function fails stdin/stdout/stderr might remain half set up!
629 * O_CLOEXEC is turned off for all three file descriptors (which is how it should be for
630 * stdin/stdout/stderr). */
632 null_readable = original_input_fd < 0;
633 null_writable = original_output_fd < 0 || original_error_fd < 0;
635 /* First step, open /dev/null once, if we need it */
636 if (null_readable || null_writable) {
638 /* Let's open this with O_CLOEXEC first, and convert it to non-O_CLOEXEC when we move the fd to the final position. */
639 null_fd = open("/dev/null", (null_readable && null_writable ? O_RDWR :
640 null_readable ? O_RDONLY : O_WRONLY) | O_CLOEXEC);
646 /* If this fd is in the 0…2 range, let's move it out of it */
650 copy = fcntl(null_fd, F_DUPFD_CLOEXEC, 3); /* Duplicate this with O_CLOEXEC set */
661 /* Let's assemble fd[] with the fds to install in place of stdin/stdout/stderr */
662 for (i = 0; i < 3; i++) {
665 fd[i] = null_fd; /* A negative parameter means: connect this one to /dev/null */
666 else if (fd[i] != i && fd[i] < 3) {
667 /* This fd is in the 0…2 territory, but not at its intended place, move it out of there, so that we can work there. */
668 copy_fd[i] = fcntl(fd[i], F_DUPFD_CLOEXEC, 3); /* Duplicate this with O_CLOEXEC set */
669 if (copy_fd[i] < 0) {
678 /* At this point we now have the fds to use in fd[], and they are all above the stdio range, so that we
679 * have freedom to move them around. If the fds already were at the right places then the specific fds are
680 * -1. Let's now move them to the right places. This is the point of no return. */
681 for (i = 0; i < 3; i++) {
685 /* fd is already in place, but let's make sure O_CLOEXEC is off */
686 r = fd_cloexec(i, false);
693 if (dup2(fd[i], i) < 0) { /* Turns off O_CLOEXEC on the new fd. */
703 /* Close the original fds, but only if they were outside of the stdio range. Also, properly check for the same
704 * fd passed in multiple times. */
705 safe_close_above_stdio(original_input_fd);
706 if (original_output_fd != original_input_fd)
707 safe_close_above_stdio(original_output_fd);
708 if (original_error_fd != original_input_fd && original_error_fd != original_output_fd)
709 safe_close_above_stdio(original_error_fd);
711 /* Close the copies we moved > 2 */
712 for (i = 0; i < 3; i++)
713 safe_close(copy_fd[i]);
715 /* Close our null fd, if it's > 2 */
716 safe_close_above_stdio(null_fd);
721 int fd_reopen(int fd, int flags) {
722 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
725 /* Reopens the specified fd with new flags. This is useful for convert an O_PATH fd into a regular one, or to
726 * turn O_RDWR fds into O_RDONLY fds.
728 * This doesn't work on sockets (since they cannot be open()ed, ever).
730 * This implicitly resets the file read index to 0. */
732 xsprintf(procfs_path, "/proc/self/fd/%i", fd);
733 new_fd = open(procfs_path, flags);