2014-07-10 14:50:51 +00:00
# include "util.hh"
2017-01-17 17:21:02 +00:00
# include "sync.hh"
2017-03-15 13:40:47 +00:00
# include "finally.hh"
2018-03-16 15:59:31 +00:00
# include "serialise.hh"
2022-12-02 11:57:41 +00:00
# include "cgroup.hh"
2014-07-10 14:50:51 +00:00
2021-09-08 10:20:08 +00:00
# include <array>
2017-01-17 17:21:02 +00:00
# include <cctype>
2003-09-11 08:31:29 +00:00
# include <cerrno>
2021-07-30 18:08:54 +00:00
# include <climits>
2003-09-11 08:31:29 +00:00
# include <cstdio>
2008-05-21 11:17:31 +00:00
# include <cstdlib>
2007-12-14 14:49:35 +00:00
# include <cstring>
2021-07-30 18:08:54 +00:00
# include <future>
2017-01-17 17:21:02 +00:00
# include <iostream>
2021-07-30 18:08:54 +00:00
# include <mutex>
2017-01-17 17:21:02 +00:00
# include <sstream>
# include <thread>
2003-06-16 13:33:38 +00:00
2006-12-02 15:45:51 +00:00
# include <fcntl.h>
2019-05-11 20:35:53 +00:00
# include <grp.h>
2017-05-05 14:40:12 +00:00
# include <pwd.h>
2017-08-25 13:57:49 +00:00
# include <sys/ioctl.h>
2017-05-05 14:40:12 +00:00
# include <sys/types.h>
2018-09-25 10:36:11 +00:00
# include <sys/socket.h>
2017-05-05 14:40:12 +00:00
# include <sys/wait.h>
2019-05-28 20:35:41 +00:00
# include <sys/time.h>
2018-09-25 10:36:11 +00:00
# include <sys/un.h>
2017-05-05 14:40:12 +00:00
# include <unistd.h>
2006-09-27 21:04:07 +00:00
2013-03-18 15:13:53 +00:00
# ifdef __APPLE__
# include <sys/syscall.h>
2022-06-22 23:32:17 +00:00
# include <mach-o/dyld.h>
2013-03-18 15:13:53 +00:00
# endif
2014-08-21 13:31:43 +00:00
# ifdef __linux__
# include <sys/prctl.h>
2021-04-07 11:40:13 +00:00
# include <sys/resource.h>
2023-02-10 13:38:14 +00:00
# include <sys/mman.h>
2022-07-19 06:09:46 +00:00
# include <cmath>
2014-08-21 13:31:43 +00:00
# endif
2003-05-26 13:45:00 +00:00
2020-06-17 02:19:15 +00:00
extern char * * environ __attribute__ ( ( weak ) ) ;
2006-12-07 16:40:41 +00:00
2024-03-04 08:03:49 +00:00
# ifdef NDEBUG
# error "Nix may not be built with assertions disabled (i.e. with -DNDEBUG)."
# endif
2006-09-04 21:06:23 +00:00
namespace nix {
2023-02-01 12:34:32 +00:00
/* One-time self test for libutil: verify that C++ exception handling
   actually works in this process.

   Exception handling has been observed not to work on darwin when the
   linker flags aren't quite right. In that case we want to tell the user
   exactly that, rather than expose them to some unrelated uncaught
   exception later on. When it fails, the C++ runtime typically prints the
   message and aborts, e.g. on macOS:

     libc++abi: terminating with uncaught exception of type nix::SysError: error: C++ exception handling is broken. This would appear to be a problem with the way Nix was compiled and/or linked and/or loaded.

   The assert is secondary: it merely confirms the throw was observed. */
void initLibUtil()
{
    bool handlerRan = false;
    try {
        throwExceptionSelfCheck();
    } catch (const nix::Error &) {
        handlerRan = true;
    }
    /* Not the main point of the check (a broken runtime aborts before
       we get here), but make sure the handler really ran. */
    assert(handlerRan);
}
2019-11-22 15:06:44 +00:00
/* Look up a single environment variable.
   Returns std::nullopt when `key` is not set at all; an empty string when
   it is set but empty (see getEnvNonEmpty() for the other behaviour).
   The value is copied, so it stays valid if the environment changes. */
std::optional<std::string> getEnv(const std::string & key)
{
    const char * raw = getenv(key.c_str());
    if (raw == nullptr)
        return std::nullopt;
    return std::string(raw);
}
2023-03-01 19:01:36 +00:00
/* Like getEnv(key), but an empty value is reported as std::nullopt too,
   so callers can treat "unset" and "set to nothing" the same way. */
std::optional<std::string> getEnvNonEmpty(const std::string & key)
{
    auto value = getEnv(key);
    if (value && value->empty())
        return std::nullopt;
    return value;
}
2004-05-12 09:35:51 +00:00
2016-09-20 13:39:08 +00:00
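/* Snapshot the whole process environment as a name -> value map.

   Entries without an '=' are skipped, and when the same name occurs more
   than once only the first occurrence is kept (map::emplace does not
   overwrite). `environ` is declared weak in this file, so on a platform
   where the symbol does not resolve it is a null pointer; that case is
   treated as an empty environment instead of being dereferenced. */
std::map<std::string, std::string> getEnv()
{
    std::map<std::string, std::string> env;
    if (!environ)
        return env;
    for (char ** p = environ; *p; ++p) {
        const char * entry = *p;
        const char * eq = strchr(entry, '=');
        if (!eq)
            // malformed entry without '=': ignore it and keep going
            continue;
        env.emplace(std::string(entry, eq), std::string(eq + 1));
    }
    return env;
}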
2018-02-26 17:29:40 +00:00
/* Remove every variable from the process environment.
   getEnv() returns a snapshot, so unsetting while iterating over it is
   safe even though unsetenv() mutates `environ`. */
void clearEnv()
{
    const auto snapshot = getEnv();
    for (const auto & entry : snapshot)
        unsetenv(entry.first.c_str());
}
2022-03-31 08:39:53 +00:00
/* Replace the entire process environment with `newEnv`: everything
   currently set is removed first, then each entry is set (overwriting,
   which only matters if a name is somehow re-set in between). */
void replaceEnv(const std::map<std::string, std::string> & newEnv)
{
    clearEnv();
    for (const auto & [name, value] : newEnv)
        setenv(name.c_str(), value.c_str(), 1);
}
2018-02-26 17:29:40 +00:00
2022-01-21 16:55:51 +00:00
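/* Make `path` absolute and canonical.

   A relative (or empty) `path` is prefixed with `dir` when one is given,
   otherwise with the current working directory. The result is then passed
   through canonPath(), which normalises it and, when `resolveSymlinks` is
   set, resolves symlinks along the way. An empty `path` therefore yields
   the base directory itself.

   Throws SysError if the working directory cannot be obtained (only
   consulted when `dir` is absent). */
Path absPath(Path path, std::optional<PathView> dir, bool resolveSymlinks)
{
    if (path.empty() || path[0] != '/') {
        if (dir) {
            path = concatStrings(*dir, "/", path);
        } else {
            std::string cwd;
#ifdef __GNU__
            /* GNU (aka. GNU/Hurd) doesn't have any limitation on path
               lengths and doesn't define `PATH_MAX'; getcwd(NULL, 0)
               allocates a buffer of the right size. Copy it out and free it
               right away so nothing leaks if a later call throws. */
            char * buf = getcwd(nullptr, 0);
            if (buf == nullptr)
                throw SysError("cannot get cwd");
            cwd = buf;
            free(buf);
#else
            char buf[PATH_MAX];
            if (!getcwd(buf, sizeof(buf)))
                throw SysError("cannot get cwd");
            cwd = buf;
#endif
            path = concatStrings(cwd, "/", path);
        }
    }
    return canonPath(path, resolveSymlinks);
}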
2022-01-12 15:02:29 +00:00
/* Canonicalise an absolute path: collapse repeated slashes, drop `.`
   components, apply `..` by removing the previous component (never
   climbing above `/`), and, when `resolveSymlinks` is set, replace each
   symlink encountered along the way by its target and continue from
   there. The result has no trailing slash and is `/` for the root.

   Throws Error for a relative path, or when more than maxFollow symlinks
   have been followed (guards against link cycles). Asserts on an empty
   path. */
Path canonPath(PathView path, bool resolveSymlinks)
{
    assert(path != "");

    std::string s;
    s.reserve(256);

    if (path[0] != '/')
        throw Error("not an absolute path: '%1%'", path);

    /* Backing storage for `path` once a symlink target has been spliced
       in: `path` is only a view, so the concatenated string must outlive
       it for the rest of the loop. */
    std::string temp;

    /* Count the number of times we follow a symlink and stop at some
       arbitrary (but high) limit to prevent infinite loops. */
    unsigned int followCount = 0, maxFollow = 1024;

    while (1) {

        /* Skip slashes. */
        while (!path.empty() && path[0] == '/') path.remove_prefix(1);
        if (path.empty()) break;

        /* Ignore `.'. */
        if (path == "." || path.substr(0, 2) == "./")
            path.remove_prefix(1);

        /* If `..', delete the last component. */
        else if (path == ".." || path.substr(0, 3) == "../")
        {
            /* `s` is either empty or starts with '/', so rfind always
               finds a slash and erasing from it drops one component. */
            if (!s.empty()) s.erase(s.rfind('/'));
            path.remove_prefix(2);
        }

        /* Normal component; copy it. */
        else {
            s += '/';
            if (const auto slash = path.find('/'); slash == std::string::npos) {
                s += path;
                path = {};
            } else {
                s += path.substr(0, slash);
                path = path.substr(slash);
            }

            /* If s points to a symlink, resolve it and continue from there */
            if (resolveSymlinks && isLink(s)) {
                if (++followCount >= maxFollow)
                    throw Error("infinite symlink recursion in path '%1%'", path);
                /* Put the link target in front of the not-yet-consumed
                   remainder of the path and keep walking from there. */
                temp = concatStrings(readLink(s), path);
                path = temp;
                if (!temp.empty() && temp[0] == '/') {
                    s.clear(); /* restart for symlinks pointing to absolute path */
                } else {
                    /* Relative target: resolve it from the link's directory. */
                    s = dirOf(s);
                    if (s == "/") { // we don't want trailing slashes here, which dirOf only produces if s = /
                        s.clear();
                    }
                }
            }
        }
    }

    return s.empty() ? "/" : std::move(s);
}
2022-01-21 16:55:51 +00:00
/* Return the directory part of `path`: everything before the last slash.
   A path without any slash yields "."; a path whose only slash is the
   leading one (e.g. "/foo") yields "/". No normalisation is done, so a
   trailing slash makes the result the path minus that slash. */
Path dirOf(const PathView path)
{
    const auto lastSlash = path.rfind('/');
    if (lastSlash == std::string::npos)
        return ".";
    if (lastSlash == 0)
        return "/";
    return Path(path, 0, lastSlash);
}
2019-12-05 18:11:09 +00:00
/* Return the last component of `path`, ignoring a single trailing slash
   ("/a/b/" -> "b"). Yields "" for an empty path and for "/".
   The result is a view into `path`'s storage and is only valid for as
   long as that storage is. */
std::string_view baseNameOf(std::string_view path)
{
    if (path.empty())
        return "";

    /* Index of the last character that belongs to the base name; step
       over one trailing slash unless the path is just "/". */
    auto end = path.size() - 1;
    if (end > 0 && path[end] == '/')
        end -= 1;

    /* The base name starts right after the last slash at or before `end`. */
    auto start = path.rfind('/', end);
    start = (start == std::string_view::npos) ? 0 : start + 1;

    return path.substr(start, end - start + 1);
}
2022-02-19 13:26:34 +00:00
/* Expand a leading "~" or "~/" to the user's home directory (as returned
   by getHome()). Any other path, including "~user/..." forms, is returned
   unchanged. */
std::string expandTilde(std::string_view path)
{
    // TODO: expand ~user ?
    const bool isHomeRelative = path == "~" || path.substr(0, 2) == "~/";
    if (!isHomeRelative)
        return std::string(path);
    return getHome() + std::string(path.substr(1));
}
2021-12-02 13:16:05 +00:00
/* Is `path` strictly inside directory `dir`?

   True when `path` is absolute, starts with `dir` followed by a '/' and
   has at least one more character after it. `dir` is expected without a
   trailing slash ("/a/b" is in "/a", but "/a/" is not); a string-prefix
   test only, no normalisation or symlink resolution is performed. */
bool isInDir(std::string_view path, std::string_view dir)
{
    if (path.empty() || path[0] != '/')
        return false;
    if (path.size() < dir.size() + 2)
        return false;
    if (path[dir.size()] != '/')
        return false;
    return path.substr(0, dir.size()) == dir;
}
2021-12-02 13:16:05 +00:00
/* True when `path` is exactly `dir` or lies inside it (see isInDir()).
   Purely textual, like isInDir(). */
bool isDirOrInDir(std::string_view path, std::string_view dir)
{
    if (path == dir)
        return true;
    return isInDir(path, dir);
}
2022-02-18 12:26:40 +00:00
/* stat(2) wrapper that follows symlinks and throws SysError instead of
   returning -1. */
struct stat stat(const Path & path)
{
    struct stat st;
    if (::stat(path.c_str(), &st) != 0)
        throw SysError("getting status of '%1%'", path);
    return st;
}
2010-12-13 13:32:58 +00:00
/* lstat(2) wrapper: reports on the link itself rather than its target,
   and throws SysError instead of returning -1. */
struct stat lstat(const Path & path)
{
    struct stat st;
    if (::lstat(path.c_str(), &st) != 0)
        throw SysError("getting status of '%1%'", path);
    return st;
}
2003-10-07 14:37:41 +00:00
/* Does `path` exist? Uses lstat(), so a dangling symlink counts as
   existing. ENOENT and ENOTDIR (a prefix of the path is not a directory)
   both mean "no"; any other failure, including permission errors, is
   thrown as SysError. */
bool pathExists(const Path & path)
{
    struct stat st;
    if (lstat(path.c_str(), &st) == 0)
        return true;
    if (errno == ENOENT || errno == ENOTDIR)
        return false;
    throw SysError("getting status of %1%", path);
}
2023-05-26 13:32:28 +00:00
/* pathExists() variant that reports an EPERM failure as "not accessible"
   (false) instead of throwing.
   NOTE(review): only EPERM is swallowed; EACCES (search permission denied
   on a parent directory) still propagates — confirm that is intended. */
bool pathAccessible(const Path & path)
{
    try {
        return pathExists(path);
    } catch (SysError & e) {
        if (e.errNo != EPERM)
            throw;
        return false;
    }
}
2003-07-08 13:22:08 +00:00
2004-01-05 16:26:43 +00:00
/* Return the target of the symlink at `path` (not NUL-terminated by
   readlink(2), so the length is taken from its return value).

   The buffer starts at PATH_MAX / 4 and grows by half until the result
   fits with room to spare: readlink() truncates silently, so a result
   that fills the buffer exactly is treated as "maybe truncated" and the
   read is retried with a bigger buffer.

   Throws Error when `path` is not a symlink (EINVAL) and SysError on any
   other failure. Checks for interruption before doing any I/O. */
Path readLink(const Path & path)
{
    checkInterrupt();
    std::vector<char> buf;
    ssize_t bufSize = PATH_MAX / 4;
    for (;;) {
        buf.resize(bufSize);
        const ssize_t len = readlink(path.c_str(), buf.data(), bufSize);
        if (len == -1) {
            if (errno == EINVAL)
                throw Error("'%1%' is not a symlink", path);
            throw SysError("reading symbolic link '%1%'", path);
        }
        if (len < bufSize)
            return std::string(buf.data(), len);
        bufSize += bufSize / 2;
    }
}
2005-02-01 13:48:46 +00:00
/* Is `path` itself a symlink? Throws SysError (via lstat()) if it does
   not exist or cannot be examined. */
bool isLink(const Path & path)
{
    const mode_t mode = lstat(path).st_mode;
    return S_ISLNK(mode);
}
Fix long paths permanently breaking GC
Suppose I have a path /nix/store/[hash]-[name]/a/a/a/a/a/[...]/a,
long enough that everything after "/nix/store/" is longer than 4096
(PATH_MAX) bytes.
Nix will happily allow such a path to be inserted into the store,
because it doesn't look at all the nested structure. It just cares
about the /nix/store/[hash]-[name] part. But, when the path is deleted,
we encounter a problem. Nix will move the path to /nix/store/trash, but
then when it's trying to recursively delete the trash directory, it will
at some point try to unlink
/nix/store/trash/[hash]-[name]/a/a/a/a/a/[...]/a. This will fail,
because the path is too long. After this has failed, any store deletion
operation will never work again, because Nix needs to delete the trash
directory before recreating it to move new things to it. (I assume this
is because otherwise a path being deleted could already exist in the
trash, and then moving it would fail.)
This means that if I can trick somebody into just fetching a tarball
containing a path of the right length, they won't be able to delete
store paths or garbage collect ever again, until the offending path is
manually removed from /nix/store/trash. (And even fixing this manually
is quite difficult if you don't understand the issue, because the
absolute path that Nix says it failed to remove is also too long for
rm(1).)
This patch fixes the issue by making Nix's recursive delete operation
use unlinkat(2). This function takes a relative path and a directory
file descriptor. We ensure that the relative path is always just the
name of the directory entry, and therefore its length will never exceed
255 bytes. This means that it will never even come close to PATH_MAX,
and Nix will therefore be able to handle removing arbitrarily deep
directory hierarchies.
Since the directory file descriptor is used for recursion after being
used in readDirectory, I made a variant of readDirectory that takes an
already open directory stream, to avoid the directory being opened
multiple times. As we have seen from this issue, the less we have to
interact with paths, the better, and so it's good to reuse file
descriptors where possible.
I left _deletePath as succeeding even if the parent directory doesn't
exist, even though that feels wrong to me, because without that early
return, the linux-sandbox test failed.
Reported-by: Alyssa Ross <hi@alyssa.is>
Thanks-to: Puck Meerburg <puck@puckipedia.com>
Tested-by: Puck Meerburg <puck@puckipedia.com>
Reviewed-by: Puck Meerburg <puck@puckipedia.com>
2020-04-27 14:15:15 +00:00
/* Read all entries of an already open directory stream, skipping "." and
   "..". `path` is used only for error messages. Each entry carries its
   name, inode and d_type (DT_UNKNOWN where the platform's dirent has no
   d_type field). Throws SysError on a read error; checks for interruption
   after every entry. The stream is left for the caller to close. */
DirEntries readDirectory(DIR * dir, const Path & path)
{
    DirEntries entries;
    entries.reserve(64);

    for (;;) {
        /* readdir() returns NULL both at end of stream and on error; clear
           errno first so the two can be told apart once the loop ends. */
        errno = 0;
        struct dirent * entry = readdir(dir);
        if (!entry) break;

        checkInterrupt();
        std::string name = entry->d_name;
        if (name == "." || name == "..") continue;

        entries.emplace_back(name, entry->d_ino,
#ifdef HAVE_STRUCT_DIRENT_D_TYPE
            entry->d_type
#else
            DT_UNKNOWN
#endif
        );
    }

    if (errno) throw SysError("reading directory '%1%'", path);

    return entries;
}
2020-04-27 14:15:15 +00:00
/* Open `path` and return its entries (see the DIR* overload).
   Throws SysError if the directory cannot be opened; the stream is closed
   by AutoCloseDir on every exit path, including exceptions. */
DirEntries readDirectory(const Path & path)
{
    AutoCloseDir dir(opendir(path.c_str()));
    if (!dir)
        throw SysError("opening directory '%1%'", path);
    return readDirectory(dir.get(), path);
}
2003-11-19 17:27:16 +00:00
2014-10-03 20:37:51 +00:00
/* Classify `path` (without following a final symlink) as DT_DIR, DT_LNK
   or DT_REG. Everything else — devices, FIFOs, sockets — comes back as
   DT_UNKNOWN. Throws SysError via lstat() if the path cannot be examined. */
unsigned char getFileType(const Path & path)
{
    const mode_t mode = lstat(path).st_mode;
    if (S_ISDIR(mode)) return DT_DIR;
    if (S_ISLNK(mode)) return DT_LNK;
    if (S_ISREG(mode)) return DT_REG;
    return DT_UNKNOWN;
}
2022-02-25 15:00:00 +00:00
/* Read everything from `fd` until EOF into a string. The file size from
   fstat() is passed on to drainFD(), presumably as a capacity hint;
   throws SysError if fstat() fails. */
std::string readFile(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        throw SysError("statting file");
    return drainFD(fd, true, st.st_size);
}
2022-02-25 15:00:00 +00:00
/* Read the whole file at `path` into a string. The descriptor is opened
   read-only with O_CLOEXEC (so it is not inherited by children) and is
   closed by AutoCloseFD on return; symlinks at `path` are followed.
   Throws SysError if the file cannot be opened. */
std::string readFile(const Path & path)
{
    AutoCloseFD fd = open(path.c_str(), O_RDONLY | O_CLOEXEC);
    if (!fd)
        throw SysError("opening file '%1%'", path);
    return readFile(fd.get());
}
2018-03-27 21:12:31 +00:00
/* Stream the contents of `path` into `sink` instead of building a string.
   Opened read-only with O_CLOEXEC and closed by AutoCloseFD on return.
   Throws SysError if the file cannot be opened. */
void readFile(const Path & path, Sink & sink)
{
    AutoCloseFD fd = open(path.c_str(), O_RDONLY | O_CLOEXEC);
    if (!fd)
        throw SysError("opening file '%s'", path);
    drainFD(fd.get(), sink);
}
2022-09-19 18:15:31 +00:00
/* Write `s` to `path`, creating the file with `mode` or truncating an
   existing one. With `sync` set, the data is fsync'ed and then the parent
   directory is synced too, so the new file (not just its contents) is
   durable.

   NOTE(review): open() is called without O_NOFOLLOW/O_EXCL, so a
   pre-existing symlink at `path` is written through; callers writing into
   directories that other users can modify should keep that in mind.

   Throws SysError if the file cannot be opened; a write failure is
   rethrown with the path added to its trace. */
void writeFile(const Path & path, std::string_view s, mode_t mode, bool sync)
{
    const int flags = O_WRONLY | O_TRUNC | O_CREAT | O_CLOEXEC;
    AutoCloseFD fd = open(path.c_str(), flags, mode);
    if (!fd)
        throw SysError("opening file '%1%'", path);

    try {
        writeFull(fd.get(), s);
    } catch (Error & e) {
        e.addTrace({}, "writing file '%1%'", path);
        throw;
    }

    if (sync)
        fd.fsync();
    // Close explicitly (rather than via the destructor) so a close error
    // surfaces as an exception.
    fd.close();
    if (sync)
        syncParent(path);
}
2022-09-19 18:15:31 +00:00
/* Copy everything `source` yields into the file at `path` in 64 KiB
   chunks, creating it with `mode` or truncating an existing one. With
   `sync` set, the data and then the parent directory are fsync'ed.

   NOTE(review): like the string_view overload, open() follows a symlink
   that already exists at `path`.

   Throws SysError if the file cannot be opened; a read or write failure
   is rethrown with the path added to its trace. EndOfFile from `source`
   is the normal termination signal. */
void writeFile(const Path & path, Source & source, mode_t mode, bool sync)
{
    const int flags = O_WRONLY | O_TRUNC | O_CREAT | O_CLOEXEC;
    AutoCloseFD fd = open(path.c_str(), flags, mode);
    if (!fd)
        throw SysError("opening file '%1%'", path);

    std::vector<char> buf(64 * 1024);

    try {
        bool more = true;
        while (more) {
            try {
                auto n = source.read(buf.data(), buf.size());
                writeFull(fd.get(), {buf.data(), n});
            } catch (EndOfFile &) {
                more = false;
            }
        }
    } catch (Error & e) {
        e.addTrace({}, "writing file '%1%'", path);
        throw;
    }

    if (sync)
        fd.fsync();
    // Close explicitly (rather than via the destructor) so a close error
    // surfaces as an exception.
    fd.close();
    if (sync)
        syncParent(path);
}
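/* fsync() the directory containing `path`, so that a file created or
   renamed there (and already fsync'ed itself) is durable across a crash.

   The directory is opened with O_CLOEXEC, like every other open() in this
   file, so the descriptor is not inherited by child processes. Throws
   SysError naming the directory (not the file) if it cannot be opened. */
void syncParent(const Path & path)
{
    const Path dir = dirOf(path);
    AutoCloseFD fd = open(dir.c_str(), O_RDONLY | O_CLOEXEC, 0);
    if (!fd)
        throw SysError("opening directory '%1%'", dir);
    fd.fsync();
}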
2022-02-25 15:00:00 +00:00
/* Read one line from `fd`, up to but not including the terminating '\n'.
   Reads one byte per read(2) call (hence the FIXME) and retries on EINTR;
   checks for interruption before every read. There is no length limit, so
   the line grows as large as the peer sends before a newline.
   Throws EndOfFile if EOF is hit before a newline, SysError on any other
   read error. */
std::string readLine(int fd)
{
    std::string line;
    for (;;) {
        checkInterrupt();
        char ch;
        // FIXME: inefficient
        const ssize_t rd = read(fd, &ch, 1);
        if (rd == -1) {
            if (errno != EINTR)
                throw SysError("reading a line");
            continue;
        }
        if (rd == 0)
            throw EndOfFile("unexpected EOF reading a line");
        if (ch == '\n')
            return line;
        line += ch;
    }
}
2022-02-25 15:00:00 +00:00
/* Write `s` followed by a newline to `fd`, in full (writeFull() handles
   short writes). `s` is taken by value so the newline can be appended to
   the caller's copy. */
void writeLine(int fd, std::string s)
{
    s.push_back('\n');
    writeFull(fd, s);
}
2020-07-30 11:10:49 +00:00
static void _deletePath ( int parentfd , const Path & path , uint64_t & bytesFreed )
2003-06-23 14:40:49 +00:00
{
2004-01-15 20:23:55 +00:00
checkInterrupt ( ) ;
2022-02-25 15:00:00 +00:00
std : : string name ( baseNameOf ( path ) ) ;
2020-04-27 14:15:15 +00:00
2016-02-24 16:44:12 +00:00
struct stat st ;
Fix long paths permanently breaking GC
Suppose I have a path /nix/store/[hash]-[name]/a/a/a/a/a/[...]/a,
long enough that everything after "/nix/store/" is longer than 4096
(MAX_PATH) bytes.
Nix will happily allow such a path to be inserted into the store,
because it doesn't look at all the nested structure. It just cares
about the /nix/store/[hash]-[name] part. But, when the path is deleted,
we encounter a problem. Nix will move the path to /nix/store/trash, but
then when it's trying to recursively delete the trash directory, it will
at some point try to unlink
/nix/store/trash/[hash]-[name]/a/a/a/a/a/[...]/a. This will fail,
because the path is too long. After this has failed, any store deletion
operation will never work again, because Nix needs to delete the trash
directory before recreating it to move new things to it. (I assume this
is because otherwise a path being deleted could already exist in the
trash, and then moving it would fail.)
This means that if I can trick somebody into just fetching a tarball
containing a path of the right length, they won't be able to delete
store paths or garbage collect ever again, until the offending path is
manually removed from /nix/store/trash. (And even fixing this manually
is quite difficult if you don't understand the issue, because the
absolute path that Nix says it failed to remove is also too long for
rm(1).)
This patch fixes the issue by making Nix's recursive delete operation
use unlinkat(2). This function takes a relative path and a directory
file descriptor. We ensure that the relative path is always just the
name of the directory entry, and therefore its length will never exceed
255 bytes. This means that it will never even come close to MAX_PATH,
and Nix will therefore be able to handle removing arbitrarily deep
directory hierarchies.
Since the directory file descriptor is used for recursion after being
used in readDirectory, I made a variant of readDirectory that takes an
already open directory stream, to avoid the directory being opened
multiple times. As we have seen from this issue, the less we have to
interact with paths, the better, and so it's good to reuse file
descriptors where possible.
I left _deletePath as succeeding even if the parent directory doesn't
exist, even though that feels wrong to me, because without that early
return, the linux-sandbox test failed.
Reported-by: Alyssa Ross <hi@alyssa.is>
Thanks-to: Puck Meerburg <puck@puckipedia.com>
Tested-by: Puck Meerburg <puck@puckipedia.com>
Reviewed-by: Puck Meerburg <puck@puckipedia.com>
2020-04-27 14:15:15 +00:00
if ( fstatat ( parentfd , name . c_str ( ) , & st , AT_SYMLINK_NOFOLLOW ) = = - 1 ) {
if ( errno = = ENOENT ) return ;
throw SysError ( " getting status of '%1%' " , path ) ;
}
if ( ! S_ISDIR ( st . st_mode ) ) {
/* We are about to delete a file. Will it likely free space? */
switch ( st . st_nlink ) {
/* Yes: last link. */
case 1 :
bytesFreed + = st . st_size ;
break ;
/* Maybe: yes, if 'auto-optimise-store' or manual optimisation
was performed . Instead of checking for real let ' s assume
it ' s an optimised file and space will be freed .
In worst case we will double count on freed space for files
with exactly two hardlinks for unoptimised packages .
*/
case 2 :
bytesFreed + = st . st_size ;
break ;
/* No: 3+ links. */
default :
break ;
}
}
if ( S_ISDIR ( st . st_mode ) ) {
/* Make the directory accessible. */
const auto PERM_MASK = S_IRUSR | S_IWUSR | S_IXUSR ;
if ( ( st . st_mode & PERM_MASK ) ! = PERM_MASK ) {
if ( fchmodat ( parentfd , name . c_str ( ) , st . st_mode | PERM_MASK , 0 ) = = - 1 )
throw SysError ( " chmod '%1%' " , path ) ;
}
int fd = openat ( parentfd , path . c_str ( ) , O_RDONLY ) ;
if ( fd = = - 1 )
throw SysError ( " opening directory '%1%' " , path ) ;
AutoCloseDir dir ( fdopendir ( fd ) ) ;
if ( ! dir )
throw SysError ( " opening directory '%1%' " , path ) ;
for ( auto & i : readDirectory ( dir . get ( ) , path ) )
_deletePath ( dirfd ( dir . get ( ) ) , path + " / " + i . name , bytesFreed ) ;
}
int flags = S_ISDIR ( st . st_mode ) ? AT_REMOVEDIR : 0 ;
if ( unlinkat ( parentfd , name . c_str ( ) , flags ) = = - 1 ) {
if ( errno = = ENOENT ) return ;
throw SysError ( " cannot unlink '%1%' " , path ) ;
}
}
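/* Recursively delete 'path'.  The parent directory is opened first and
   the real work is delegated to the overload that takes a parent
   descriptor, so that the kernel is only ever handed directory-entry
   names rather than a (possibly over-long) absolute path.  Returns
   silently if the parent directory does not exist; the linux-sandbox
   test depends on that.  'bytesFreed' is updated by the delegate. */
static void _deletePath(const Path & path, uint64_t & bytesFreed)
{
    Path dir = dirOf(path);
    if (dir == "")
        dir = "/";

    /* O_DIRECTORY: fail here with ENOTDIR instead of opening a
       non-directory parent and failing later in fstatat().
       O_CLOEXEC: the descriptor stays open across the whole recursive
       deletion, so don't let it leak into any process another thread
       may fork()/exec() meanwhile. */
    AutoCloseFD dirfd{open(dir.c_str(), O_RDONLY | O_DIRECTORY | O_CLOEXEC)};
    if (!dirfd) {
        if (errno == ENOENT) return;
        throw SysError("opening directory '%1%'", path);
    }

    _deletePath(dirfd.get(), path, bytesFreed);
}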
/* Recursively delete 'path', discarding the freed-bytes count that
   the two-argument overload reports. */
void deletePath(const Path & path)
{
    uint64_t ignored = 0;
    deletePath(path, ignored);
}
/* Recursively delete 'path'.  'bytesFreed' is reset to zero and then
   accumulated by the recursive helper; if the helper throws, it holds
   the amount counted up to that point. */
void deletePath(const Path & path, uint64_t & bytesFreed)
{
    //Activity act(*logger, lvlDebug, "recursively deleting path '%1%'", path);
    bytesFreed = 0;
    _deletePath(path, bytesFreed);
}
/* Return the login name of the effective user: the passwd entry for
   geteuid() if there is one, otherwise $USER.  Throws Error when
   neither yields a non-empty name. */
std::string getUserName()
{
    std::string name;
    if (auto pw = getpwuid(geteuid()))
        name = pw->pw_name;
    else
        name = getEnv("USER").value_or("");
    if (name.empty())
        throw Error("cannot figure out user name");
    return name;
}
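/* Return the home directory of user 'userId' as recorded in the passwd
   database ($HOME is deliberately not consulted).  Throws Error if the
   lookup fails, the user is unknown, or the entry has an empty
   home directory. */
Path getHomeOf(uid_t userId)
{
    /* getpwuid_r() reports ERANGE when the scratch buffer cannot hold
       the entry; grow it and retry instead of failing, bounded so a
       pathological database cannot make us allocate without limit
       (the 1 MiB cap is a constructed value, not a documented one). */
    std::vector<char> buf(16384);
    struct passwd pwbuf;
    struct passwd * pw = nullptr;
    int err;
    while ((err = getpwuid_r(userId, &pwbuf, buf.data(), buf.size(), &pw)) == ERANGE) {
        if (buf.size() >= (1 << 20))
            break;
        buf.resize(buf.size() * 2);
    }
    if (err != 0 || !pw || !pw->pw_dir || !pw->pw_dir[0])
        throw Error("cannot determine user's home directory");
    return pw->pw_dir;
}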
/* Return the current user's home directory, computed once per process.
   $HOME is honoured only if it does not exist yet or is owned by the
   effective user (stat() follows symlinks, so ownership is checked on
   the final target); in every other case the passwd entry is used, and
   a warning explains why $HOME was rejected. */
Path getHome()
{
    static const Path cached = []() -> Path {
        auto fromEnv = getEnv("HOME");
        std::optional<std::string> rejectedUnowned;

        if (fromEnv) {
            struct stat st;
            if (stat(fromEnv->c_str(), &st) == 0) {
                // Owned by someone else: remember it for the warning and drop it.
                if (st.st_uid != geteuid())
                    rejectedUnowned.swap(fromEnv);
            } else if (errno != ENOENT) {
                warn("couldn't stat $HOME ('%s') for reason other than not existing ('%d'), falling back to the one defined in the 'passwd' file", *fromEnv, errno);
                fromEnv.reset();
            }
        }

        if (fromEnv) return *fromEnv;

        Path fallback = getHomeOf(geteuid());
        if (rejectedUnowned && *rejectedUnowned != fallback)
            warn("$HOME ('%s') is not owned by you, falling back to the one defined in the 'passwd' file ('%s')", *rejectedUnowned, fallback);
        return fallback;
    }();
    return cached;
}
/* XDG cache directory: $XDG_CACHE_HOME if set, else ~/.cache.
   NOTE(review): an empty or relative $XDG_CACHE_HOME is used as-is;
   the XDG base-directory spec says such values should be ignored. */
Path getCacheDir()
{
    if (auto fromEnv = getEnv("XDG_CACHE_HOME"))
        return *fromEnv;
    return getHome() + "/.cache";
}
/* XDG config directory: $XDG_CONFIG_HOME if set, else ~/.config. */
Path getConfigDir()
{
    if (auto fromEnv = getEnv("XDG_CONFIG_HOME"))
        return *fromEnv;
    return getHome() + "/.config";
}
/* All XDG config directories in precedence order: the user's config
   directory first, then the ':'-separated entries of $XDG_CONFIG_DIRS
   (defaulting to /etc/xdg). */
std::vector<Path> getConfigDirs()
{
    Path userDir = getConfigDir();
    std::vector<Path> dirs = tokenizeString<std::vector<std::string>>(
        getEnv("XDG_CONFIG_DIRS").value_or("/etc/xdg"), ":");
    dirs.insert(dirs.begin(), userDir);
    return dirs;
}
/* XDG data directory: $XDG_DATA_HOME if set, else ~/.local/share. */
Path getDataDir()
{
    if (auto fromEnv = getEnv("XDG_DATA_HOME"))
        return *fromEnv;
    return getHome() + "/.local/share";
}
/* XDG state directory: $XDG_STATE_HOME if set, else ~/.local/state. */
Path getStateDir()
{
    if (auto fromEnv = getEnv("XDG_STATE_HOME"))
        return *fromEnv;
    return getHome() + "/.local/state";
}
/* Ensure the per-user Nix state directory (<state dir>/nix) exists and
   return its path.  Directories are created via createDirs(), i.e.
   with mode 0777 subject to the process umask. */
Path createNixStateDir()
{
    auto stateDir = getStateDir() + "/nix";
    createDirs(stateDir);
    return stateDir;
}
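/* Return the path of the running executable, computed once and cached;
   std::nullopt on platforms where it cannot be determined.  The value
   is whatever the OS reports (on Linux, the target of /proc/self/exe)
   and is not canonicalised further. */
std::optional<Path> getSelfExe()
{
    static auto cached = []() -> std::optional<Path>
    {
#if __linux__
        return readLink("/proc/self/exe");
#elif __APPLE__
        /* _NSGetExecutablePath() fails with -1 and stores the required
           length in 'size' when the buffer is too small; grow to that
           size and retry instead of returning nullopt for long install
           paths. */
        std::vector<char> buf(1024);
        uint32_t size = buf.size();
        if (_NSGetExecutablePath(buf.data(), &size) != 0) {
            buf.resize(size);
            if (_NSGetExecutablePath(buf.data(), &size) != 0)
                return std::nullopt;
        }
        return Path(buf.data());
#else
        return std::nullopt;
#endif
    }();
    return cached;
}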
/* Create 'path' and any missing ancestors (mode 0777, subject to the
   umask) and return the list of directories actually created, parents
   first.  A concurrently created directory (EEXIST) is tolerated.  If
   the final component is a symlink it is followed; if it is not a
   directory, Error is thrown. */
Paths createDirs(const Path & path)
{
    Paths made;
    if (path == "/") return made;

    struct stat st;
    bool present = lstat(path.c_str(), &st) != -1;
    if (!present) {
        made = createDirs(dirOf(path));
        if (mkdir(path.c_str(), 0777) == -1) {
            if (errno != EEXIST)
                throw SysError("creating directory '%1%'", path);
        }
        st = lstat(path);
        made.push_back(path);
    }

    if (S_ISLNK(st.st_mode)) {
        if (stat(path.c_str(), &st) == -1)
            throw SysError("statting symlink '%1%'", path);
    }

    if (!S_ISDIR(st.st_mode))
        throw Error("'%1%' is not a directory", path);

    return made;
}
/* Read exactly 'count' bytes from 'fd' into 'buf', retrying on EINTR
   and checking for interrupts before each read().  Throws EndOfFile if
   the descriptor is exhausted early and SysError on any other read
   failure. */
void readFull(int fd, char * buf, size_t count)
{
    char * cursor = buf;
    size_t remaining = count;
    while (remaining > 0) {
        checkInterrupt();
        ssize_t got = read(fd, cursor, remaining);
        if (got == -1) {
            if (errno == EINTR) continue;
            throw SysError("reading from file");
        }
        if (got == 0) throw EndOfFile("unexpected end-of-file");
        remaining -= got;
        cursor += got;
    }
}
/* Write all of 's' to 'fd', looping over short writes and retrying on
   EINTR.  When 'allowInterrupts' is set, checkInterrupt() runs before
   each write() attempt.  Throws SysError on any other write failure. */
void writeFull(int fd, std::string_view s, bool allowInterrupts)
{
    while (!s.empty()) {
        if (allowInterrupts) checkInterrupt();
        ssize_t written = write(fd, s.data(), s.size());
        if (written > 0) {
            s.remove_prefix(written);
            continue;
        }
        if (written == -1 && errno != EINTR)
            throw SysError("writing to file");
    }
}
/* Read 'fd' to exhaustion (or, with 'block' false, until it would
   block) and return the bytes as a string.  'reserveSize' pre-sizes the
   buffer; two bytes are added on top for callers (the parser) that
   append terminators afterwards. */
std::string drainFD(int fd, bool block, const size_t reserveSize)
{
    StringSink collector(reserveSize + 2);
    drainFD(fd, collector, block);
    return std::move(collector.s);
}
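/* Read everything from 'fd' into 'sink' until end-of-file.  With
   'block' false the descriptor is temporarily switched to O_NONBLOCK
   and reading stops at the first EAGAIN/EWOULDBLOCK, i.e. only what is
   currently available is drained; the original flags are restored by
   the Finally guard on every exit path.  Checks for interrupts before
   each read().  Throws SysError on fcntl()/read() failure. */
void drainFD(int fd, Sink & sink, bool block)
{
    // silence GCC maybe-uninitialized warning in finally
    int saved = 0;
    if (!block) {
        saved = fcntl(fd, F_GETFL);
        /* Previously unchecked: a -1 here OR'ed with O_NONBLOCK would
           have been passed to F_SETFL as an all-ones flag word. */
        if (saved == -1)
            throw SysError("getting file descriptor flags");
        if (fcntl(fd, F_SETFL, saved | O_NONBLOCK) == -1)
            throw SysError("making file descriptor non-blocking");
    }

    /* NOTE(review): this runs from Finally's destructor; if restoring
       the flags fails while a read() error is already propagating, the
       second throw will terminate the process unless Finally guards
       against that — confirm. */
    Finally finally([&]() {
        if (!block) {
            if (fcntl(fd, F_SETFL, saved) == -1)
                throw SysError("making file descriptor blocking");
        }
    });

    std::vector<unsigned char> buf(64 * 1024);
    while (1) {
        checkInterrupt();
        ssize_t rd = read(fd, buf.data(), buf.size());
        if (rd == -1) {
            if (!block && (errno == EAGAIN || errno == EWOULDBLOCK))
                break;
            if (errno != EINTR)
                throw SysError("reading from file");
        }
        else if (rd == 0) break;
        else sink({reinterpret_cast<char *>(buf.data()), static_cast<size_t>(rd)});
    }
}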
2022-07-19 06:09:46 +00:00
//////////////////////////////////////////////////////////////////////
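/* Return the number of CPUs the calling process' cgroup is allowed to use
   (rounded up from its cpu.max quota/period), or 0 when that cannot be
   determined: not on Linux, no cgroup filesystem, no cgroup, a malformed
   cpu.max, or an unlimited ("max") quota.  All failures are logged at
   debug level and mapped to 0. */
unsigned int getMaxCPU()
{
#if __linux__
    try {
        auto cgroupFS = getCgroupFS();
        if (!cgroupFS) return 0;

        auto cgroups = getCgroups("/proc/self/cgroup");
        auto cgroup = cgroups[""];
        if (cgroup == "") return 0;

        auto cpuFile = *cgroupFS + "/" + cgroup + "/cpu.max";

        auto cpuMax = readFile(cpuFile);
        auto cpuMaxParts = tokenizeString<std::vector<std::string>>(cpuMax, " \n");

        if (cpuMaxParts.size() != 2) {
            return 0;
        }

        auto quota = cpuMaxParts[0];
        auto period = cpuMaxParts[1];
        if (quota != "max") {
            auto quotaValue = std::stoi(quota);
            auto periodValue = std::stof(period);
            // A non-positive period (or quota) would make the quotient
            // infinite, NaN or negative, and converting that to unsigned
            // int is undefined; treat it as "unknown".
            if (quotaValue <= 0 || !(periodValue > 0)) return 0;
            return std::ceil(quotaValue / periodValue);
        }
    } catch (std::exception &) {
        // Catches Error as before, and also std::invalid_argument /
        // std::out_of_range from stoi()/stof() on a malformed cpu.max,
        // which previously escaped this function.
        ignoreException(lvlDebug);
    }
#endif
    return 0;
}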
2004-06-22 09:51:44 +00:00
//////////////////////////////////////////////////////////////////////
2015-11-16 10:53:10 +00:00
/* An AutoDelete that owns nothing yet; arm it later with reset(). */
AutoDelete::AutoDelete() : del(false) {}
2022-02-25 15:00:00 +00:00
/* Take responsibility for deleting `p` when this object is destroyed.
   With `recursive` set, directories are removed with deletePath();
   otherwise a single remove() is attempted. */
AutoDelete::AutoDelete(const std::string & p, bool recursive) : path(p)
{
    this->recursive = recursive;
    del = true;
}
/* Delete the path unless cancel() was called.  Deletion failures are
   reported through ignoreException() rather than propagated, because a
   destructor must not throw. */
AutoDelete::~AutoDelete()
{
    if (!del) return;

    try {
        if (recursive) {
            deletePath(path);
        } else if (remove(path.c_str()) == -1) {
            throw SysError("cannot unlink '%1%'", path);
        }
    } catch (...) {
        ignoreException();
    }
}
/* Disarm: the destructor will leave the path alone. */
void AutoDelete::cancel()
{
    del = false;
}
2015-11-16 10:55:55 +00:00
/* Re-arm for a new path.  Note that any previously registered path is
   simply forgotten, not deleted. */
void AutoDelete::reset(const Path & p, bool recursive)
{
    del = true;
    this->recursive = recursive;
    path = p;
}
2003-10-22 10:48:22 +00:00
2004-06-22 09:51:44 +00:00
//////////////////////////////////////////////////////////////////////
2016-07-11 19:44:44 +00:00
/* An empty handle; -1 means "no descriptor". */
AutoCloseFD::AutoCloseFD() : fd(-1) {}
/* Take ownership of an already open descriptor (or -1). */
AutoCloseFD::AutoCloseFD(int fd) : fd(fd) {}
2003-10-22 10:48:22 +00:00
2004-06-22 09:51:44 +00:00
2021-04-07 10:21:31 +00:00
/* Move construction: steal the descriptor and leave `that` empty so only
   one object ever closes it. */
AutoCloseFD::AutoCloseFD(AutoCloseFD && that) : fd(that.fd)
{
    that.fd = -1;
}
2004-06-22 09:51:44 +00:00
2021-04-07 10:21:31 +00:00
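/* Move assignment: close whatever we currently hold, then adopt `that`'s
   descriptor and leave `that` empty.  May throw SysError from close().
   Self-assignment is a no-op: without the guard, close() would reset our
   fd to -1 and we would then copy that -1 back from `that`, silently
   closing the descriptor we were asked to keep. */
AutoCloseFD & AutoCloseFD::operator =(AutoCloseFD && that)
{
    if (this != &that) {
        close();
        fd = that.fd;
        that.fd = -1;
    }
    return *this;
}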
2003-10-22 10:48:22 +00:00
/* Close the descriptor if still owned.  close() can throw SysError; the
   destructor swallows it via ignoreException() since destructors must not
   propagate exceptions. */
AutoCloseFD::~AutoCloseFD()
{
    try {
        close();
    }
    catch (...) {
        ignoreException();
    }
}
2004-06-22 09:51:44 +00:00
2016-07-11 19:44:44 +00:00
/* Borrow the raw descriptor (-1 when empty); ownership stays here. */
int AutoCloseFD::get() const
{
    const int current = fd;
    return current;
}
2004-06-22 09:51:44 +00:00
2004-06-15 13:49:42 +00:00
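/* Close the wrapped descriptor, if any, and mark this object as empty.
   Throws SysError if ::close() reports an error.
   The descriptor is forgotten *before* ::close() is called: if close()
   fails the fd number is (on Linux) released anyway, so remembering it
   would make the destructor close it a second time -- and by then that
   number may already belong to a descriptor opened by another thread. */
void AutoCloseFD::close()
{
    if (fd == -1) return;

    const int toClose = fd;
    fd = -1;

    if (::close(toClose) == -1)
        /* This should never happen. */
        throw SysError("closing file descriptor %1%", toClose);
}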
2022-09-19 18:15:31 +00:00
/* Flush the descriptor's data to stable storage.  On macOS a plain fsync()
   does not force the disk cache to flush, so F_FULLFSYNC is used instead.
   No-op on an empty handle; throws SysError on failure. */
void AutoCloseFD::fsync()
{
    if (fd == -1) return;

#if __APPLE__
    const int result = ::fcntl(fd, F_FULLFSYNC);
#else
    const int result = ::fsync(fd);
#endif

    if (result == -1)
        throw SysError("fsync file descriptor %1%", fd);
}
2004-06-22 09:51:44 +00:00
2016-07-11 19:44:44 +00:00
/* True when a descriptor is owned. */
AutoCloseFD::operator bool() const
{
    const bool owned = fd != -1;
    return owned;
}
2016-07-11 19:44:44 +00:00
/* Give up ownership: return the descriptor (or -1) and leave this
   object empty.  The caller becomes responsible for closing it. */
int AutoCloseFD::release()
{
    const int released = fd;
    fd = -1;
    return released;
}
2004-06-15 13:49:42 +00:00
/* Create a pipe whose two ends are owned by readSide / writeSide.  Both
   ends are marked close-on-exec (atomically via pipe2() where available,
   otherwise with closeOnExec() after the fact) so they do not leak into
   exec'ed children.  Throws SysError on failure. */
void Pipe::create()
{
    int ends[2];
#if HAVE_PIPE2
    if (pipe2(ends, O_CLOEXEC) != 0) throw SysError("creating pipe");
#else
    if (pipe(ends) != 0) throw SysError("creating pipe");
    for (int end : ends) closeOnExec(end);
#endif
    readSide = ends[0];
    writeSide = ends[1];
}
2003-10-22 10:48:22 +00:00
2021-04-07 10:21:31 +00:00
/* Close both ends.  If the read side fails to close, the write side is
   left open because the exception propagates first. */
void Pipe::close()
{
    for (AutoCloseFD * side : {&readSide, &writeSide})
        side->close();
}
2004-06-22 09:51:44 +00:00
//////////////////////////////////////////////////////////////////////
/* A Pid that tracks no process; members keep their in-class defaults. */
Pid::Pid() = default;
2014-07-10 14:50:51 +00:00
/* Take responsibility for an existing child process. */
Pid::Pid(pid_t pid) : pid(pid) {}
2004-06-22 09:51:44 +00:00
/* A still-tracked child is killed (and reaped) when the Pid goes away. */
Pid::~Pid()
{
    if (pid == -1) return;
    kill();
}
/* Start tracking a different child.  A previously tracked, different
   child is killed first.  The kill signal is reset to SIGKILL because
   setKillSignal() applies to the child it was set for. */
void Pid::operator =(pid_t pid)
{
    const bool tracksOtherChild = this->pid != -1 && this->pid != pid;
    if (tracksOtherChild) kill();

    this->pid = pid;
    killSignal = SIGKILL; // reset signal to default
}
/* Implicit conversion to the raw pid (-1 when nothing is tracked). */
Pid::operator pid_t()
{
    const pid_t current = pid;
    return current;
}
2017-03-16 09:52:28 +00:00
/* Send `killSignal` to the child -- or, after setSeparatePG(true), to the
   child's whole process group -- and then reap it with wait().
   Requires a tracked child (asserted).  Returns the wait status.
   A failing ::kill() is logged rather than thrown, so a child that has
   already exited is still reaped instead of being leaked as a zombie. */
int Pid::kill()
{
    assert(pid != -1);

    debug("killing process %1%", pid);

    /* Send the requested signal to the child.  If it has its own
       process group, send the signal to every process in the child
       process group (which hopefully includes *all* its children). */
    if (::kill(separatePG ? -pid : pid, killSignal) != 0) {
        /* On BSDs, killing a process group will return EPERM if all
           processes in the group are zombies (or something like
           that). So try to detect and ignore that situation. */
#if __FreeBSD__ || __APPLE__
        /* kill(pid, 0) is a pure existence/permission probe: if it
           succeeds, the EPERM above was the zombie case and is ignored. */
        if (errno != EPERM || ::kill(pid, 0) != 0)
#endif
            logError(SysError("killing process %d", pid).info());
    }

    return wait();
}
2017-01-19 15:58:39 +00:00
/* Block until the tracked child terminates and return its wait status,
   forgetting the pid.  EINTR is retried (after checkInterrupt(), so a
   user interrupt can still break out); any other waitpid() error throws
   SysError.  Requires a tracked child (asserted). */
int Pid::wait()
{
    assert(pid != -1);

    for (;;) {
        int status;
        const int reaped = waitpid(pid, &status, 0);

        if (reaped == pid) {
            pid = -1;
            return status;
        }

        if (errno != EINTR)
            throw SysError("cannot get exit status of PID %d", pid);

        checkInterrupt();
    }
}
/* Whether kill() should signal the child's process group (-pid) instead
   of just the child. */
void Pid::setSeparatePG(bool separatePG)
{
    const bool useProcessGroup = separatePG;
    this->separatePG = useProcessGroup;
}
2007-03-19 12:48:45 +00:00
/* Choose the signal kill() sends (default SIGKILL; reset on reassignment). */
void Pid::setKillSignal(int signal)
{
    const int chosen = signal;
    this->killSignal = chosen;
}
2016-10-12 13:49:37 +00:00
/* Stop tracking the child without killing it; the caller becomes
   responsible for reaping it.  Returns the pid (or -1). */
pid_t Pid::release()
{
    const pid_t released = pid;
    pid = -1;
    return released;
}
2006-12-07 00:16:07 +00:00
/* SIGKILL every process owned by `uid`.  Refuses uid 0 (asserted), since
   kill(-1) as root would take down the whole system.
   Implemented by forking a helper that switches to `uid` and issues
   kill(-1, SIGKILL) until the kernel reports no more targets; the helper's
   exit status is checked and a failure becomes an Error. */
void killUser(uid_t uid)
{
    debug("killing all processes running under uid '%1%'", uid);

    assert(uid != 0); /* just to be safe... */

    /* The system call kill(-1, sig) sends the signal `sig' to all
       users to which the current process can send signals.  So we
       fork a process, switch to uid, and send a mass kill. */

    Pid pid = startProcess([&]() {

        /* From here on the helper itself is owned by `uid`, so it is
           excluded from its own kill(-1) only by the rules noted below. */
        if (setuid(uid) == -1)
            throw SysError("setting uid");

        while (true) {
#ifdef __APPLE__
            /* OSX's kill syscall takes a third parameter that, among
               other things, determines if kill(-1, signo) affects the
               calling process. In the OSX libc, it's set to true,
               which means "follow POSIX", which we don't want here
             */
            if (syscall(SYS_kill, -1, SIGKILL, false) == 0) break;
#else
            if (kill(-1, SIGKILL) == 0) break;
#endif
            /* ESRCH: nothing left.  EPERM is treated the same way: POSIX
               allows kill(-1) to fail with EPERM when there is no process
               the caller may signal (the calling process is excluded), and
               FreeBSD does exactly that when the helper is the only
               process of `uid`; since kill(-1) only targets processes we
               are allowed to signal, EPERM cannot mean a real permission
               problem here. */
            if (errno == ESRCH || errno == EPERM) break; /* no more processes */
            if (errno != EINTR)
                throw SysError("cannot kill processes for uid '%1%'", uid);
        }

        _exit(0);
    });

    int status = pid.wait();
    if (status != 0)
        throw Error("cannot kill processes for uid '%1%': %2%", uid, statusToString(status));

    /* !!! We should really do some check to make sure that there are
       no processes left running under `uid', but there is no portable
       way to do so (I think).  The most reliable way may be `ps -eo
       uid | grep -q $uid'. */
}
2004-06-22 09:51:44 +00:00
2006-07-20 12:17:25 +00:00
//////////////////////////////////////////////////////////////////////
2014-12-10 15:35:42 +00:00
/* Wrapper around vfork to prevent the child process from clobbering
   the caller's stack frame in the parent.
   The noinline attribute is essential: with vfork the child runs on the
   parent's stack until it execs or exits, so `fun` must run in a frame
   the parent will not return into.
   Returns the child's pid (or -1) in the parent.  In the child, `fun` is
   expected never to return; if it does, abort() prevents the child from
   continuing with the parent's code. */
static pid_t doFork(bool allowVfork, std::function<void()> fun) __attribute__((noinline));
static pid_t doFork(bool allowVfork, std::function<void()> fun)
{
#ifdef __linux__
    pid_t pid = allowVfork ? vfork() : fork();
#else
    /* vfork is only used on Linux; elsewhere `allowVfork` is ignored. */
    pid_t pid = fork();
#endif
    if (pid != 0) return pid;
    fun();
    abort();
}
2014-07-10 14:50:51 +00:00
2014-12-10 15:35:42 +00:00
2023-03-13 12:31:03 +00:00
# if __linux__
2023-02-10 13:38:14 +00:00
/* Entry point handed to clone(2) by startProcess(): `arg` points at the
   std::function<void()> to run in the child.  Returns 1, which becomes
   the child's exit status should the function ever return. */
static int childEntry(void * arg)
{
    auto & body = *static_cast<std::function<void()> *>(arg);
    body();
    return 1;
}
2023-03-13 12:31:03 +00:00
# endif
2023-02-10 13:38:14 +00:00
2014-12-10 15:35:42 +00:00
/* Fork (or, when `options.cloneFlags` is set, clone(2)) a child that
   runs `fun`, and return the child's pid to the parent.
   In the child, `fun` is wrapped so that any exception is printed to
   stderr (prefixed with options.errorPrefix) and turned into exit
   status 1; the child never returns from this function.
   Throws SysError if forking fails, and Error on non-Linux hosts when
   cloneFlags is non-zero. */
pid_t startProcess(std::function<void()> fun, const ProcessOptions & options)
{
    /* Child-side body.  Captures `fun` and `options` by reference, which
       is fine: the parent's copies outlive the clone/fork call, and with
       vfork the parent is suspended until the child execs or exits. */
    std::function<void()> wrapper = [&]() {
        /* With vfork the child shares the parent's memory, so the global
           logger must not be replaced there. */
        if (!options.allowVfork)
            logger = makeSimpleLogger();
        try {
#if __linux__
            /* Ask the kernel to SIGKILL this child when its parent goes
               away.  Note that PDEATHSIG fires when the parent *thread*
               that created the child exits, not only when the whole
               parent process does. */
            if (options.dieWithParent && prctl(PR_SET_PDEATHSIG, SIGKILL) == -1)
                throw SysError("setting death signal");
#endif
            fun();
        } catch (std::exception & e) {
            try {
                std::cerr << options.errorPrefix << e.what() << "\n";
            } catch (...) { }
        } catch (...) { }
        /* exit() runs atexit handlers and static destructors in the
           child; _exit() skips them. */
        if (options.runExitHandlers)
            exit(1);
        else
            _exit(1);
    };

    pid_t pid = -1;

    if (options.cloneFlags) {
#ifdef __linux__
        // Not supported, since then we don't know when to free the stack.
        assert(!(options.cloneFlags & CLONE_VM));

        /* clone(2) needs a caller-provided stack for the child.  It is
           unmapped as soon as clone returns in the parent; that is safe
           only because CLONE_VM is excluded above, so the child runs on
           its own copy of the address space. */
        size_t stackSize = 1 * 1024 * 1024;
        auto stack = (char *) mmap(0, stackSize,
            PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
        if (stack == MAP_FAILED) throw SysError("allocating stack");

        Finally freeStack([&]() { munmap(stack, stackSize); });

        /* The stack grows down, hence `stack + stackSize`.  SIGCHLD is
           or'ed into the flags so the parent can reap the child with
           waitpid() as usual. */
        pid = clone(childEntry, stack + stackSize, options.cloneFlags | SIGCHLD, &wrapper);
#else
        throw Error("clone flags are only supported on Linux");
#endif
    } else
        pid = doFork(options.allowVfork, wrapper);

    if (pid == -1) throw SysError("unable to fork");

    return pid;
}
2015-06-09 08:50:55 +00:00
/* Build a NULL-terminated argv-style array pointing into the strings of
   `ss`.  The pointers borrow the strings' buffers (c_str()), so the result
   must not outlive `ss`; the const is cast away only because execv()'s
   signature demands char* const[]. */
std::vector<char *> stringsToCharPtrs(const Strings & ss)
{
    std::vector<char *> argv;
    argv.reserve(ss.size() + 1);

    for (const auto & str : ss)
        argv.push_back(const_cast<char *>(str.c_str()));

    argv.push_back(nullptr);
    return argv;
}
2022-02-25 15:00:00 +00:00
/* Convenience wrapper: run `program` (looked up in PATH when `searchPath`)
   with `args`, optionally feeding `input` on stdin, and return its stdout.
   Throws ExecError if the program did not exit with status 0. */
std::string runProgram(Path program, bool searchPath, const Strings & args,
    const std::optional<std::string> & input, bool isInteractive)
{
    RunOptions opts{
        .program = program,
        .searchPath = searchPath,
        .args = args,
        .input = input,
        .isInteractive = isInteractive,
    };

    auto [status, output] = runProgram(std::move(opts));

    if (!statusOk(status))
        throw ExecError(status, "program '%1%' %2%", program, statusToString(status));

    return output;
}
2019-03-21 08:30:16 +00:00
// Output = error code + "standard out" output stream
2021-09-13 21:22:09 +00:00
// Output = error code + "standard out" output stream
/* Run per `options`, capturing stdout into the returned string.  A non-zero
   exit status is returned as the first element instead of being thrown;
   other exceptions from runProgram2() propagate unchanged. */
std::pair<int, std::string> runProgram(RunOptions && options)
{
    StringSink output;
    options.standardOut = &output;

    int status = 0;
    try {
        runProgram2(options);
    } catch (ExecError & e) {
        status = e.status;
    }

    return std::make_pair(status, std::move(output.s));
}
/* Run a program as described by `options`.
   stdin comes from options.standardIn or options.input (not both --
   asserted); stdout is streamed into options.standardOut when set.  A
   non-zero exit status is reported as ExecError; pipe/fork/dup2 failures
   as SysError.  When input is supplied it is written from a helper thread
   so that a child which produces output before consuming its input cannot
   deadlock us; any exception from that thread is rethrown after the child
   has been reaped. */
void runProgram2(const RunOptions & options)
{
    checkInterrupt();

    assert(!(options.standardIn && options.input));

    std::unique_ptr<Source> source_;
    Source * source = options.standardIn;

    if (options.input) {
        source_ = std::make_unique<StringSource>(*options.input);
        source = source_.get();
    }

    /* Create a pipe. */
    Pipe out, in;
    if (options.standardOut) out.create();
    if (source) in.create();

    ProcessOptions processOptions;
    // vfork implies that the environment of the main process and the fork will
    // be shared (technically this is undefined, but in practice that's the
    // case), so we can't use it if we alter the environment
    processOptions.allowVfork = !options.environment;

    /* Interactive children get the terminal to themselves: the logger is
       paused now and resumed when this function exits, by any path. */
    std::optional<Finally<std::function<void()>>> resumeLoggerDefer;
    if (options.isInteractive) {
        logger->pause();
        resumeLoggerDefer.emplace(
            []() {
                logger->resume();
            }
        );
    }

    /* Fork. */
    Pid pid = startProcess([&]() {
        if (options.environment)
            replaceEnv(*options.environment);
        if (options.standardOut && dup2(out.writeSide.get(), STDOUT_FILENO) == -1)
            throw SysError("dupping stdout");
        if (options.mergeStderrToStdout)
            if (dup2(STDOUT_FILENO, STDERR_FILENO) == -1)
                throw SysError("cannot dup stdout into stderr");
        if (source && dup2(in.readSide.get(), STDIN_FILENO) == -1)
            throw SysError("dupping stdin");

        if (options.chdir && chdir((*options.chdir).c_str()) == -1)
            throw SysError("chdir failed");
        /* Privilege drop order matters: gid first (needs the old
           privileges), then supplementary groups, then uid last.  Note
           that supplementary groups are only dropped when `gid` is set;
           a uid-only request keeps the parent's supplementary groups. */
        if (options.gid && setgid(*options.gid) == -1)
            throw SysError("setgid failed");
        /* Drop all other groups if we're setgid. */
        if (options.gid && setgroups(0, 0) == -1)
            throw SysError("setgroups failed");
        if (options.uid && setuid(*options.uid) == -1)
            throw SysError("setuid failed");

        Strings args_(options.args);
        args_.push_front(options.program);

        restoreProcessContext();

        // execvp() allows you to refer to a program with a pathname
        // relative to the PATH variable; execv() requires a path.
        if (options.searchPath)
            execvp(options.program.c_str(), stringsToCharPtrs(args_).data());
        else
            execv(options.program.c_str(), stringsToCharPtrs(args_).data());

        /* Only reached if exec failed. */
        throw SysError("executing '%1%'", options.program);
    }, processOptions);

    /* The child owns its copy now; keeping ours open would stop the read
       side from ever seeing EOF. */
    out.writeSide.close();

    std::thread writerThread;

    std::promise<void> promise;

    /* Joined on every exit path, including exceptions thrown below. */
    Finally doJoin([&]() {
        if (writerThread.joinable())
            writerThread.join();
    });


    if (source) {
        in.readSide.close();
        writerThread = std::thread([&]() {
            try {
                std::vector<char> buf(8 * 1024);
                while (true) {
                    size_t n;
                    try {
                        n = source->read(buf.data(), buf.size());
                    } catch (EndOfFile &) {
                        break;
                    }
                    writeFull(in.writeSide.get(), {buf.data(), n});
                }
                promise.set_value();
            } catch (...) {
                promise.set_exception(std::current_exception());
            }
            /* Closing the write side gives the child EOF on stdin. */
            in.writeSide.close();
        });
    }

    if (options.standardOut)
        drainFD(out.readSide.get(), *options.standardOut);

    /* Wait for the child to finish. */
    int status = pid.wait();

    /* Wait for the writer thread to finish. */
    if (source) promise.get_future().get();

    if (status)
        throw ExecError(status, "program '%1%' %2%", options.program, statusToString(status));
}
2022-02-21 15:28:23 +00:00
/* Close every open file descriptor except those in `exceptions`.
   On Linux the open descriptors are enumerated via /proc/self/fd (only the
   ones actually open are closed); if that fails, or on other platforms,
   every number below sysconf(_SC_OPEN_MAX) is closed blindly, ignoring
   errors. */
void closeMostFDs(const std::set<int> & exceptions)
{
#if __linux__
    try {
        for (auto & entry : readDirectory("/proc/self/fd")) {
            const int fd = std::stoi(entry.name);
            if (exceptions.count(fd)) continue;
            debug("closing leaked FD %d", fd);
            close(fd);
        }
        return;
    } catch (SysError &) {
    }
#endif

    const int maxFD = sysconf(_SC_OPEN_MAX);
    for (int fd = 0; fd < maxFD; ++fd)
        if (exceptions.count(fd) == 0)
            close(fd); /* ignore result */
}
2012-03-05 19:29:00 +00:00
/* Set FD_CLOEXEC on `fd`, preserving its other descriptor flags.
   Throws SysError if either fcntl() call fails. */
void closeOnExec(int fd)
{
    const int flags = fcntl(fd, F_GETFD, 0);
    if (flags == -1 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1)
        throw SysError("setting close-on-exec flag");
}
2004-06-22 09:51:44 +00:00
//////////////////////////////////////////////////////////////////////
2021-11-24 13:50:08 +00:00
/* Process-wide "an interrupt was requested" flag.  Atomic because it is
   set and read from different threads; presumably polled by
   checkInterrupt(), which is defined outside this chunk. */
std::atomic<bool> _isInterrupted = false;

/* Per-thread latch: once _interrupted() has thrown Interrupted on this
   thread (or setInterruptThrown() was called), it will not throw again. */
static thread_local bool interruptThrown = false;

/* Optional per-thread hook for the interrupt machinery; nothing in this
   chunk reads it. */
thread_local std::function<bool()> interruptCheck;
2017-04-21 14:28:10 +00:00
/* Mark this thread as already interrupted, so _interrupted() becomes a
   no-op for it. */
void setInterruptThrown()
{
    const bool alreadyThrown = true;
    interruptThrown = alreadyThrown;
}
2016-03-29 13:08:24 +00:00
2004-01-15 20:23:55 +00:00
/* Throw Interrupted on behalf of the user, at most once per thread and
   never while another exception is in flight. */
void _interrupted()
{
    /* Block user interrupts while an exception is being handled.
       Throwing an exception while another exception is being handled
       kills the program! */
    if (interruptThrown) return;
    if (std::uncaught_exceptions()) return;

    interruptThrown = true;
    throw Interrupted("interrupted by the user");
}
2004-06-20 13:37:51 +00:00
2004-06-22 09:51:44 +00:00
//////////////////////////////////////////////////////////////////////
2022-01-12 15:02:29 +00:00
/* Split `s` at any run of characters from `separators`, returning the
   non-empty pieces in a container of type C (via insert at end, so it
   works for list, vector and set alike).  Leading/trailing separators
   produce no empty tokens. */
template<class C> C tokenizeString(std::string_view s, std::string_view separators)
{
    C tokens;

    auto tokenStart = s.find_first_not_of(separators, 0);
    for (; tokenStart != std::string_view::npos;
         tokenStart = s.find_first_not_of(separators, tokenStart))
    {
        auto tokenEnd = s.find_first_of(separators, tokenStart + 1);
        if (tokenEnd == std::string_view::npos) tokenEnd = s.size();

        tokens.insert(tokens.end(), std::string(s, tokenStart, tokenEnd - tokenStart));

        tokenStart = tokenEnd;
    }

    return tokens;
}
2022-01-12 15:02:29 +00:00
/* Explicit instantiations for the container types used across the
   code base (the template body lives in this .cc, not the header). */
template Strings tokenizeString(std::string_view s, std::string_view separators);
template StringSet tokenizeString(std::string_view s, std::string_view separators);
template std::vector<std::string> tokenizeString(std::string_view s, std::string_view separators);
2012-09-19 19:43:23 +00:00
2005-09-22 15:43:22 +00:00
2022-02-25 15:00:00 +00:00
/* Strip trailing whitespace (space, newline, carriage return, tab). */
std::string chomp(std::string_view s)
{
    const auto lastKept = s.find_last_not_of(" \n\r\t");
    if (lastKept == std::string_view::npos) return "";
    return std::string(s, 0, lastKept + 1);
}
2022-02-25 15:00:00 +00:00
/* Strip the characters in `whitespace` from both ends of `s`. */
std::string trim(std::string_view s, std::string_view whitespace)
{
    const auto first = s.find_first_not_of(whitespace);
    if (first == s.npos) return "";

    const auto last = s.find_last_not_of(whitespace);
    const auto length = last == s.npos ? last : last - first + 1;
    return std::string(s, first, length);
}
2022-02-25 15:00:00 +00:00
/* Replace every non-overlapping occurrence of `from` in `res` with `to`,
   scanning left to right and never re-examining inserted text.  An empty
   `from` leaves the string unchanged. */
std::string replaceStrings(
    std::string res,
    std::string_view from,
    std::string_view to)
{
    if (from.empty()) return res;

    for (size_t pos = res.find(from, 0);
         pos != std::string::npos;
         pos = res.find(from, pos))
    {
        res.replace(pos, from.size(), to);
        pos += to.size();
    }
    return res;
}
2022-02-25 15:00:00 +00:00
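/* Apply each (from -> to) pair of `rewrites` to `s`, in map order.
   Occurrences are replaced left to right and the scan resumes after the
   inserted text; identical pairs are skipped.
   Previously the search restarted at the replacement itself, which
   looped forever (growing the string without bound) whenever `to`
   contained `from`, e.g. "a" -> "aa".  For the usual same-length
   rewrites the result is unchanged. */
std::string rewriteStrings(std::string s, const StringMap & rewrites)
{
    for (auto & [from, to] : rewrites) {
        if (from == to) continue;
        size_t j = 0;
        while ((j = s.find(from, j)) != std::string::npos) {
            s.replace(j, from.size(), to);
            j += to.size();
        }
    }
    return s;
}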
2022-02-25 15:00:00 +00:00
/* Describe a wait status in words: "succeeded", "failed with exit code N",
   "failed due to signal N (...)" or "died abnormally". */
std::string statusToString(int status)
{
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return "succeeded";

    if (WIFEXITED(status))
        return fmt("failed with exit code %1%", WEXITSTATUS(status));

    if (WIFSIGNALED(status)) {
        const int sig = WTERMSIG(status);
#if HAVE_STRSIGNAL
        const char * description = strsignal(sig);
        return fmt("failed due to signal %1% (%2%)", sig, description);
#else
        return fmt("failed due to signal %1%", sig);
#endif
    }

    return "died abnormally";
}
2004-06-22 11:03:41 +00:00
/* True iff the wait status denotes a normal exit with code 0. */
bool statusOk(int status)
{
    if (!WIFEXITED(status)) return false;
    return WEXITSTATUS(status) == 0;
}
2004-09-10 13:32:08 +00:00
2020-06-12 21:12:36 +00:00
/* True iff `s` starts with `prefix` (every string has the empty prefix). */
bool hasPrefix(std::string_view s, std::string_view prefix)
{
    const auto head = s.substr(0, prefix.size());
    return head == prefix;
}
2019-12-05 18:11:09 +00:00
/* True iff `s` ends with `suffix` (every string has the empty suffix). */
bool hasSuffix(std::string_view s, std::string_view suffix)
{
    if (suffix.size() > s.size()) return false;
    const auto tail = s.substr(s.size() - suffix.size());
    return tail == suffix;
}
2016-09-14 12:42:15 +00:00
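/* Return `s` with ASCII letters lower-cased (in the C locale; bytes
   outside ASCII are passed through).
   The byte is converted to unsigned char before calling std::tolower():
   passing a negative plain char (any byte >= 0x80 on platforms where char
   is signed) is undefined behaviour. */
std::string toLower(const std::string & s)
{
    std::string r(s);
    for (auto & c : r)
        c = std::tolower((unsigned char) c);
    return r;
}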
2022-01-21 16:55:51 +00:00
/* Quote `s` for a POSIX shell: wrap it in single quotes, and turn each
   embedded single quote into '\'' (close quote, escaped quote, reopen). */
std::string shellEscape(const std::string_view s)
{
    std::string quoted;
    quoted.reserve(s.size() + 2);

    quoted += "'";
    for (const char c : s) {
        if (c == '\'')
            quoted += "'\\''";
        else
            quoted += c;
    }
    quoted += '\'';

    return quoted;
}
2022-12-02 14:03:40 +00:00
/* Call from a catch block: log the in-flight exception at verbosity `lvl`
   and swallow it.  Nothing escapes this function, not even a failure of
   the logging itself. */
void ignoreException(Verbosity lvl)
{
    /* Make sure no exceptions leave this function.
       printError() also throws when remote is closed. */
    try {
        throw;
    } catch (std::exception & e) {
        try {
            printMsg(lvl, "error (ignored): %1%", e.what());
        } catch (...) { }
    } catch (...) { }
}
2021-07-02 00:19:01 +00:00
/* Decide whether stderr should receive ANSI colour: it must be a
   terminal, $TERM must not be "dumb" (or unset), and neither $NO_COLOR
   nor $NOCOLOR may be set. */
bool shouldANSI()
{
    if (!isatty(STDERR_FILENO)) return false;
    if (getEnv("TERM").value_or("dumb") == "dumb") return false;

    const bool colourDisabled =
        getEnv("NO_COLOR").has_value() || getEnv("NOCOLOR").has_value();
    return !colourDisabled;
}
2012-11-15 14:01:02 +00:00
2023-03-02 14:44:19 +00:00
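/* Copy `s` while removing ANSI escape sequences, expanding tabs to the
   next multiple of 8 columns, dropping carriage returns and bells, and
   stopping once `width` display columns have been emitted (UTF-8 multi-
   byte sequences count as one column and are never split).
   With `filterAll == false`, SGR sequences (CSI ... 'm', i.e. colours)
   are kept; every other escape is always removed.
   (The previous version declared an unused outer `e` that shadowed the
   per-escape buffer; it has been dropped.) */
std::string filterANSIEscapes(std::string_view s, bool filterAll, unsigned int width)
{
    std::string t;
    size_t w = 0;
    auto i = s.begin();

    while (w < (size_t) width && i != s.end()) {

        if (*i == '\e') {
            std::string e;
            e += *i++;
            char last = 0;

            if (i != s.end() && *i == '[') {
                e += *i++;
                // eat parameter bytes
                while (i != s.end() && *i >= 0x30 && *i <= 0x3f) e += *i++;
                // eat intermediate bytes
                while (i != s.end() && *i >= 0x20 && *i <= 0x2f) e += *i++;
                // eat final byte
                if (i != s.end() && *i >= 0x40 && *i <= 0x7e) e += last = *i++;
            } else {
                // two-byte escape (ESC followed by one byte in 0x40..0x5f)
                if (i != s.end() && *i >= 0x40 && *i <= 0x5f) e += *i++;
            }

            // Only SGR ("...m") sequences survive, and only when asked to.
            if (!filterAll && last == 'm')
                t += e;
        }

        else if (*i == '\t') {
            i++; t += ' '; w++;
            while (w < (size_t) width && w % 8) {
                t += ' '; w++;
            }
        }

        else if (*i == '\r' || *i == '\a')
            // do nothing for now
            i++;

        else {
            w++;
            // Copy one UTF-8 character: the lead byte plus as many
            // continuation bytes as its high bits announce, stopping early
            // at end of input or at a byte that is not a continuation byte.
            unsigned int trailing =
                (*i & 0xe0) == 0xc0 ? 1 :
                (*i & 0xf0) == 0xe0 ? 2 :
                (*i & 0xf8) == 0xf0 ? 3 : 0;
            t += *i++;
            while (trailing-- && i != s.end() && (*i & 0xc0) == 0x80)
                t += *i++;
        }
    }

    return t;
}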
2021-10-17 07:51:33 +00:00
/* The standard (RFC 4648) Base64 alphabet, indexed by 6-bit value. */
constexpr char base64Chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";


/* Base64-encode `s` with '=' padding to a multiple of four characters. */
std::string base64Encode(std::string_view s)
{
    std::string out;
    out.reserve((s.size() + 2) / 3 * 4);

    unsigned int acc = 0;   // bit accumulator, newest byte in the low bits
    int pending = 0;        // number of not-yet-emitted bits in `acc`

    for (const unsigned char byte : s) {
        acc = (acc << 8) | byte;
        pending += 8;
        // Emit complete 6-bit groups, highest first.
        for (; pending >= 6; pending -= 6)
            out.push_back(base64Chars[(acc >> (pending - 6)) & 0x3f]);
    }

    // Left-over bits are padded with zeros on the right to a full group.
    if (pending) out.push_back(base64Chars[(acc << (6 - pending)) & 0x3f]);
    while (out.size() % 4) out.push_back('=');

    return out;
}
/* Decode standard Base64. Newlines are skipped, decoding stops at the
   first '=', and any other byte outside the alphabet throws Error. Missing
   padding is tolerated; leftover bits of a truncated final group are
   silently dropped. */
std::string base64Decode(std::string_view s)
{
    constexpr char npos = -1;

    /* Reverse lookup table, built at compile time: byte value -> 6-bit
       digit, or 'npos' for bytes that are not Base64 digits. */
    constexpr std::array<char, 256> base64DecodeChars = []() {
        std::array<char, 256> table{};
        for (auto & entry : table)
            entry = npos;
        for (int digit = 0; digit < 64; digit++)
            table[static_cast<unsigned char>(base64Chars[digit])] = digit;
        return table;
    }();

    std::string res;
    // Some sequences are missing the padding consisting of up to two '='.
    //                                                       vvv
    res.reserve((s.size() + 2) / 4 * 3);

    /* Bit accumulator; only the low 'nbits' bits are meaningful. */
    unsigned int acc = 0;
    unsigned int nbits = 0;
    for (char c : s) {
        if (c == '=') break;
        if (c == '\n') continue;

        const char digit = base64DecodeChars[static_cast<unsigned char>(c)];
        if (digit == npos)
            throw Error("invalid character in Base64 string: '%c'", c);

        acc = acc << 6 | digit;
        nbits += 6;
        if (nbits >= 8) {
            nbits -= 8;
            res.push_back(acc >> nbits & 0xff);
        }
    }
    return res;
}
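/* Remove the common leading indentation (spaces only) from every line of
   's'. Lines consisting solely of spaces do not count towards the
   indentation. Lines that are not longer than the indentation come out
   empty. Every line of the result ends in '\n', including the last one
   even when 's' does not. */
std::string stripIndentation(std::string_view s)
{
    /* Sentinel larger than any plausible indentation: if there is no
       non-blank line at all it stays this large and every line is emptied. */
    size_t minIndent = 10000;
    size_t curIndent = 0;
    bool atStartOfLine = true;

    /* Pass 1: smallest indentation of any non-blank line. Blank (all-space)
       lines are ignored. They used to *raise* minIndent via std::max, so a
       blank line indented deeper than the surrounding text caused real
       characters to be chopped off the other lines. */
    for (const char c : s) {
        if (atStartOfLine && c == ' ')
            curIndent++;
        else if (c == '\n') {
            curIndent = 0;
            atStartOfLine = true;
        } else if (atStartOfLine) {
            minIndent = std::min(minIndent, curIndent);
            atStartOfLine = false;
        }
    }

    /* Pass 2: copy each line minus its first 'minIndent' characters. */
    std::string res;
    size_t pos = 0;
    while (pos < s.size()) {
        auto eol = s.find('\n', pos);
        if (eol == s.npos) eol = s.size();
        if (eol - pos > minIndent)
            res.append(s.substr(pos + minIndent, eol - pos - minIndent));
        res.push_back('\n');
        pos = eol + 1;
    }
    return res;
}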
/* Split off the first line of 's'. Returns the line (without its '\n' and
   without a trailing '\r') and the remainder after the newline. Without a
   newline the whole of 's' is the line and the remainder is empty. Both
   views alias the storage behind 's'. */
std::pair<std::string_view, std::string_view> getLine(std::string_view s)
{
    const auto newline = s.find('\n');
    if (newline == s.npos)
        return {s, ""};

    auto line = s.substr(0, newline);
    const auto rest = s.substr(newline + 1);
    if (!line.empty() && line.back() == '\r')
        line.remove_suffix(1);
    return {line, rest};
}
//////////////////////////////////////////////////////////////////////
/* Terminal size as (rows, columns), as last recorded by updateWindowSize();
   {0, 0} until the first successful query. Guarded by Sync because it is
   also written from the signal handler thread (on SIGWINCH). */
static Sync<std::pair<unsigned short, unsigned short>> windowSize{{0, 0}};
/* Ask the terminal on stderr (fd 2) for its size and store it in
   windowSize. If the ioctl fails (e.g. stderr is not a terminal) the
   previous value is left untouched. */
static void updateWindowSize()
{
    struct winsize ws;
    if (ioctl(2, TIOCGWINSZ, &ws) != 0)
        return;

    auto locked(windowSize.lock());
    locked->first = ws.ws_row;
    locked->second = ws.ws_col;
}
/* Return the terminal size (rows, columns) recorded by updateWindowSize(). */
std::pair<unsigned short, unsigned short> getWindowSize()
{
    auto locked(windowSize.lock());
    return *locked;
}
/* Registry of interrupt callbacks. Entries are keyed by an integer token so
   that triggerInterrupt() can walk the map with lower_bound() and drop the
   lock while an arbitrary callback runs. */
struct InterruptCallbacks {
    using Token = int64_t;

    /* Monotonically increasing and never reused, so a stale token from an
       erroneous double delete cannot name a handler registered later. */
    Token nextToken = 0;

    /* Ordered by token, i.e. by registration order. */
    std::map<Token, std::function<void()>> callbacks;
};
/* The process-wide registry; locked for every registration, deregistration
   and lookup, but never held while a callback executes. */
static Sync<InterruptCallbacks> _interruptCallbacks;
/* Body of the thread started by startSignalHandlerThread(): waits in
   sigwait() on 'set' forever, turning SIGINT/SIGTERM/SIGHUP into
   triggerInterrupt() and SIGWINCH into a window-size refresh. Any other
   signal in 'set' (SIGPIPE) is consumed and dropped. Never returns. */
static void signalHandlerThread(sigset_t set)
{
    for (;;) {
        int signal = 0;
        sigwait(&set, &signal);

        switch (signal) {
        case SIGINT:
        case SIGTERM:
        case SIGHUP:
            triggerInterrupt();
            break;
        case SIGWINCH:
            updateWindowSize();
            break;
        default:
            break;
        }
    }
}
/* Mark the process as interrupted and run every registered interrupt
   callback in registration (token) order. The registry lock is held only
   while the next callback is looked up and copied out, never while it
   runs, so callbacks may themselves register or deregister handlers;
   handlers removed during the walk are skipped and ones added with a
   higher token are picked up. Exceptions thrown by a callback are
   swallowed via ignoreException(). */
void triggerInterrupt()
{
    _isInterrupted = true;

    InterruptCallbacks::Token cursor = 0;
    for (;;) {
        std::function<void()> pending;
        {
            auto registry(_interruptCallbacks.lock());
            auto it = registry->callbacks.lower_bound(cursor);
            if (it == registry->callbacks.end())
                return;
            pending = it->second;
            cursor = it->first + 1;
        }

        try {
            pending();
        } catch (...) {
            ignoreException();
        }
    }
}
/* Signal mask that restoreSignals() reinstates, captured by saveSignalMask()
   or supplied explicitly via setChildSignalMask(). */
static sigset_t savedSignalMask;
/* False until one of those two functions has run; restoreSignals() is a
   no-op while it is false. */
static bool savedSignalMaskIsSet = false;
/* Record '*sigs' as the signal mask that restoreSignals() will install,
   overriding whatever saveSignalMask() captured. 'sigs' must not be null. */
void setChildSignalMask(sigset_t * sigs)
{
    assert(sigs); // C style function, but think of sigs as a reference
#if _POSIX_C_SOURCE >= 1 || _XOPEN_SOURCE || _POSIX_SOURCE
    sigemptyset(&savedSignalMask);
    // There's no "assign" or "copy" function, so we rely on (math) idempotence
    // of the or operator: a or a = a.
    // NOTE(review): sigorset() is a GNU extension (glibc, musl), while the
    // condition above tests POSIX feature macros; presumably it selects this
    // branch on glibc-based Linux and the plain assignment below elsewhere —
    // confirm on non-glibc targets.
    sigorset(&savedSignalMask, sigs, sigs);
#else
    // Without sigorset, our best bet is to assume that sigset_t is a type that
    // can be assigned directly, such as is the case for a sigset_t defined as
    // an integer type.
    savedSignalMask = *sigs;
#endif
    savedSignalMaskIsSet = true;
}
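/* Capture the calling thread's current signal mask as the one that
   restoreSignals() will reinstate later.

   Uses pthread_sigmask() rather than sigprocmask(): POSIX leaves
   sigprocmask() unspecified in a multithreaded process, and this function
   is part of startSignalHandlerThread()'s setup, i.e. the process may
   already be (or is about to become) multithreaded. pthread_sigmask()
   reports failure through its return value rather than errno, so errno is
   set explicitly before throwing SysError. */
void saveSignalMask()
{
    if (int rc = pthread_sigmask(SIG_BLOCK, nullptr, &savedSignalMask); rc != 0) {
        errno = rc;
        throw SysError("querying signal mask");
    }

    savedSignalMaskIsSet = true;
}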
/* Start the background thread that services the signals Nix cares about.
   First records the current window size and the current signal mask (the
   latter is what restoreSignals() reinstates), then blocks
   SIGINT/SIGTERM/SIGHUP/SIGPIPE/SIGWINCH in the calling thread and hands
   that set to signalHandlerThread(). SIGPIPE is blocked but never acted on
   by that thread, i.e. it is effectively ignored. The thread is detached:
   it runs for the lifetime of the process. Throws SysError if the mask
   cannot be changed. */
void startSignalHandlerThread()
{
    updateWindowSize();
    saveSignalMask();

    sigset_t set;
    sigemptyset(&set);
    for (const int sig : {SIGINT, SIGTERM, SIGHUP, SIGPIPE, SIGWINCH})
        sigaddset(&set, sig);

    if (pthread_sigmask(SIG_BLOCK, &set, nullptr))
        throw SysError("blocking signals");

    std::thread(signalHandlerThread, set).detach();
}
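/* Reinstate the signal mask recorded by saveSignalMask() or
   setChildSignalMask() in the calling thread, e.g. in a forked child (see
   commonChildInit()) so that it does not inherit the mask that
   startSignalHandlerThread() installed. No-op if no mask was recorded.
   Throws SysError if the mask cannot be set. */
static void restoreSignals()
{
    // If startSignalHandlerThread wasn't called, that means we're not running
    // in a proper libmain process, but a process that presumably manages its
    // own signal handlers. Such a process should call either
    //  - initNix(), to be a proper libmain process
    //  - startSignalHandlerThread(), to resemble libmain regarding signal
    //    handling only
    //  - saveSignalMask(), for processes that define their own signal handling
    //    thread
    // TODO: Warn about this? Have a default signal mask? The latter depends on
    // whether we should generally inherit signal masks from the caller.
    // I don't know what the larger unix ecosystem expects from us here.
    if (!savedSignalMaskIsSet)
        return;

    /* pthread_sigmask() rather than sigprocmask(): the latter is unspecified
       by POSIX in a multithreaded process, and the caller may be one. It
       reports errors through its return value, so errno is set explicitly
       for SysError. */
    if (int rc = pthread_sigmask(SIG_SETMASK, &savedSignalMask, nullptr); rc != 0) {
        errno = rc;
        throw SysError("restoring signals");
    }
}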
/* Soft RLIMIT_STACK in effect before setStackSize() raised it, or 0 if it
   was never raised; restoreProcessContext() puts it back. */
rlim_t savedStackSize = 0;
/* Raise the soft stack limit of this process to 'stackSize' bytes (capped
   at the hard limit) if it is currently lower, remembering the previous
   soft limit in savedStackSize. Does nothing if the limit is already at
   least 'stackSize' or cannot be queried. A failing setrlimit() is logged
   at error level rather than thrown. */
void setStackSize(rlim_t stackSize)
{
    struct rlimit limit;
    if (getrlimit(RLIMIT_STACK, &limit) != 0 || limit.rlim_cur >= stackSize)
        return;

    savedStackSize = limit.rlim_cur;
    limit.rlim_cur = std::min(stackSize, limit.rlim_max);
    if (setrlimit(RLIMIT_STACK, &limit) == 0)
        return;

    logger->log(
        lvlError,
        hintfmt(
            "Failed to increase stack size from %1% to %2% (maximum allowed stack size: %3%): %4%",
            savedStackSize,
            stackSize,
            limit.rlim_max,
            std::strerror(errno)
        ).str()
    );
}
#if __linux__
/* Handle on the mount namespace this process was in when
   saveMountNamespace() ran (/proc/self/ns/mnt); restoreMountNamespace()
   re-enters it with setns(). Invalid until saveMountNamespace() has run. */
static AutoCloseFD fdSavedMountNamespace;
/* Handle on the root directory at that same moment (/proc/self/root), used
   to chroot() back to it, because re-entering the namespace resets the
   process's root and cwd. */
static AutoCloseFD fdSavedRoot;
#endif
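/* Remember the current mount namespace and root directory so that
   restoreMountNamespace() can return to them later. Runs at most once per
   process (std::call_once); later calls are no-ops. Throws SysError if the
   namespace cannot be opened; failure to open the root is tolerated and
   leaves fdSavedRoot invalid, which restoreMountNamespace() checks for.
   No-op outside Linux. */
void saveMountNamespace()
{
#if __linux__
    static std::once_flag done;
    std::call_once(done, []() {
        /* O_CLOEXEC: these descriptors are only needed by this process and
           by forked children before they exec. Without it they leak into
           every program we exec, handing it an open handle on our original
           mount namespace and root directory. */
        fdSavedMountNamespace = open("/proc/self/ns/mnt", O_RDONLY | O_CLOEXEC);
        if (!fdSavedMountNamespace)
            throw SysError("saving parent mount namespace");

        fdSavedRoot = open("/proc/self/root", O_RDONLY | O_CLOEXEC);
    });
#endif
}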
/* Return to the mount namespace and root directory recorded by
   saveMountNamespace(), keeping the current working directory. Any failure
   is logged at debug level and otherwise ignored, so callers cannot tell
   whether it succeeded. No-op outside Linux. */
void restoreMountNamespace()
{
#if __linux__
    try {
        /* Resolve the cwd *before* setns(): entering a mount namespace
           resets the caller's cwd and root to that namespace's root (the
           kernel's set_fs_pwd()/set_fs_root() in setns), so the cwd has to
           be re-established by hand below. */
        auto savedCwd = absPath(".");

        if (fdSavedMountNamespace && setns(fdSavedMountNamespace.get(), CLONE_NEWNS) == -1)
            throw SysError("restoring parent mount namespace");

        /* Re-root onto the saved directory: fchdir() to it first, then
           chroot(".") so the root is exactly that directory. */
        if (fdSavedRoot) {
            if (fchdir(fdSavedRoot.get()))
                throw SysError("chdir into saved root");
            if (chroot("."))
                throw SysError("chroot into saved root");
        }

        /* Namespace and root are back; now put the cwd back as well. */
        if (chdir(savedCwd.c_str()) == -1)
            throw SysError("restoring cwd");
    } catch (Error & e) {
        debug(e.msg());
    }
#endif
}
/* Give the calling thread its own filesystem attributes (unshare(CLONE_FS)),
   so that a chdir()/chroot() in this thread does not affect the others.
   EPERM is deliberately tolerated; any other failure throws SysError.
   No-op outside Linux. */
void unshareFilesystem()
{
#ifdef __linux__
    if (unshare(CLONE_FS) == 0)
        return;
    if (errno == EPERM)
        return;
    throw SysError("unsharing filesystem state in download thread");
#endif
}
/* Undo the process-wide state Nix sets up for itself, in preparation for
   running something else (see commonChildInit()): the signal mask, the
   mount namespace when 'restoreMounts' is set, and the stack limit raised
   by setStackSize(). The rlimit restore is best effort; its errors are
   ignored. */
void restoreProcessContext(bool restoreMounts)
{
    restoreSignals();

    if (restoreMounts)
        restoreMountNamespace();

    if (savedStackSize == 0)
        return;

    struct rlimit limit;
    if (getrlimit(RLIMIT_STACK, &limit) != 0)
        return;
    limit.rlim_cur = savedStackSize;
    setrlimit(RLIMIT_STACK, &limit);
}
/* Handle returned by createInterruptCallback(); destroying it removes the
   callback from the registry. Tokens are never reused, so erasing a token
   that is already gone is harmless. */
struct InterruptCallbackImpl : InterruptCallback
{
    InterruptCallbacks::Token token;

    ~InterruptCallbackImpl() override
    {
        _interruptCallbacks.lock()->callbacks.erase(token);
    }
};
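/* Register 'callback' to run on the next triggerInterrupt(). The returned
   handle owns the registration: destroying it deregisters the callback, so
   the handle must not outlive whatever 'callback' captures.

   The handle is allocated *before* the registry is touched. Previously the
   callback was inserted first, so an allocation failure would have left it
   registered forever with no owner able to remove it (and liable to be
   invoked after its captures had died). The callback is moved, not copied,
   into the registry. */
std::unique_ptr<InterruptCallback> createInterruptCallback(std::function<void()> callback)
{
    auto res = std::make_unique<InterruptCallbackImpl>();

    {
        auto interruptCallbacks(_interruptCallbacks.lock());
        res->token = interruptCallbacks->nextToken++;
        interruptCallbacks->callbacks.emplace(res->token, std::move(callback));
    }

    return res;
}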
/* Create an unbound, unconnected Unix domain stream socket. The descriptor
   is marked close-on-exec — atomically via SOCK_CLOEXEC where the platform
   has it, and via closeOnExec() in any case. Throws SysError on failure. */
AutoCloseFD createUnixDomainSocket()
{
    const int type = SOCK_STREAM
#ifdef SOCK_CLOEXEC
        | SOCK_CLOEXEC
#endif
        ;
    AutoCloseFD fdSocket = socket(PF_UNIX, type, 0);
    if (!fdSocket)
        throw SysError("cannot create Unix domain socket");
    closeOnExec(fdSocket.get());
    return fdSocket;
}
/* Create a listening Unix domain socket at 'path' (replacing whatever was
   there — see bind()) with permission bits 'mode'. Throws SysError if any
   step fails.

   The socket node is created by bind() with the process umask applied and
   only afterwards chmod()'ed to 'mode', so there is a short window in which
   it carries the umask-derived mode instead. Callers that need a stricter
   guarantee should put the socket in a directory whose own permissions
   restrict access. */
AutoCloseFD createUnixDomainSocket(const Path & path, mode_t mode)
{
    auto fdSocket = nix::createUnixDomainSocket();
    bind(fdSocket.get(), path);

    if (chmod(path.c_str(), mode) == -1)
        throw SysError("changing permissions on '%1%'", path);

    /* Backlog: number of pending connections that may queue before accept(). */
    constexpr int backlog = 100;
    if (listen(fdSocket.get(), backlog) == -1)
        throw SysError("cannot listen on socket '%1%'", path);

    return fdSocket;
}
/* Shared implementation of bind() and connect() for Unix domain sockets.
   'operation' is ::bind or ::connect and 'operationName' its name for error
   messages; 'fd' is the socket, 'path' the filesystem path.

   sockaddr_un::sun_path is small (typically 108 bytes on Linux), so a path
   that does not fit is handled indirectly: a child process chdir()s into
   the path's directory and performs the operation on the relative basename,
   using the socket it shares with us after fork(). The child reports back
   over a pipe: "0" on success, the errno of a SysError, or "-1" for any
   other exception. */
static void bindConnectProcHelper(
    std::string_view operationName, auto && operation,
    int fd, const std::string & path)
{
    // NOTE(review): 'addr' is not zero-initialised, so the bytes of sun_path
    // after the terminating NUL (and any padding) are indeterminate even
    // though sizeof(addr) is passed as the address length. Harmless with a
    // NUL-terminated path, but `struct sockaddr_un addr{};` would make the
    // buffer deterministic.
    struct sockaddr_un addr;
    addr.sun_family = AF_UNIX;
    // Casting between types like these legacy C library interfaces
    // require is forbidden in C++. To maintain backwards
    // compatibility, the implementation of the bind/connect functions
    // contains some hints to the compiler that allow for this
    // special case.
    auto * psaddr = reinterpret_cast<struct sockaddr *>(&addr);

    if (path.size() + 1 >= sizeof(addr.sun_path)) {
        /* Too long for sun_path: do it from a child whose cwd is the path's
           directory, so that only the basename has to fit. */
        Pipe pipe;
        pipe.create();
        Pid pid = startProcess([&] {
            try {
                pipe.readSide.close();
                Path dir = dirOf(path);
                if (chdir(dir.c_str()) == -1)
                    throw SysError("chdir to '%s' failed", dir);
                std::string base(baseNameOf(path));
                if (base.size() + 1 >= sizeof(addr.sun_path))
                    throw Error("socket path '%s' is too long", base);
                memcpy(addr.sun_path, base.c_str(), base.size() + 1);
                if (operation(fd, psaddr, sizeof(addr)) == -1)
                    throw SysError("cannot %s to socket at '%s'", operationName, path);
                /* Pipe protocol: "0" = success, a positive errno, or "-1". */
                writeFull(pipe.writeSide.get(), "0\n");
            } catch (SysError & e) {
                writeFull(pipe.writeSide.get(), fmt("%d\n", e.errNo));
            } catch (...) {
                writeFull(pipe.writeSide.get(), "-1\n");
            }
        });
        /* Drop our copy of the write end so that drainFD() sees EOF once
           the child has written its result and exited. */
        pipe.writeSide.close();
        auto errNo = string2Int<int>(chomp(drainFD(pipe.readSide.get())));
        if (!errNo || *errNo == -1)
            throw Error("cannot %s to socket at '%s'", operationName, path);
        else if (*errNo > 0) {
            /* Replay the child's errno so SysError reports the real cause. */
            errno = *errNo;
            throw SysError("cannot %s to socket at '%s'", operationName, path);
        }
        /* 'pid' is not waited for explicitly here; presumably Pid's
           destructor reaps the child — confirm against its definition. */
    } else {
        memcpy(addr.sun_path, path.c_str(), path.size() + 1);
        if (operation(fd, psaddr, sizeof(addr)) == -1)
            throw SysError("cannot %s to socket at '%s'", operationName, path);
    }
}
/* Bind the Unix domain socket 'fd' to 'path', first removing any existing
   filesystem entry at 'path' — a stale socket from a previous run, but
   equally anything else that happens to be there. Handles paths longer
   than sun_path; throws on failure. */
void bind(int fd, const std::string & path)
{
    /* Errors from unlink() are deliberately ignored (typically the entry
       does not exist); the bind itself fails if the path is still taken. */
    unlink(path.c_str());
    bindConnectProcHelper("bind", ::bind, fd, path);
}
/* Connect the Unix domain socket 'fd' to the socket at 'path'. Handles
   paths longer than sun_path; throws on failure. */
void connect(int fd, const std::string & path)
{
    bindConnectProcHelper("connect", ::connect, fd, path);
}
/* Format 'bytes' as mebibytes with two decimals, e.g. "1.50 MiB". */
std::string showBytes(uint64_t bytes)
{
    constexpr double bytesPerMiB = 1024.0 * 1024.0;
    const double mib = bytes / bytesPerMiB;
    return fmt("%.2f MiB", mib);
}
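// FIXME: move to libstore/build
/* Standard setup for a forked child that is about to run an external
   program: a plain logger, the saved signal mask and stack limit
   (restoreProcessContext() without the mount namespace), its own session
   so that it has no controlling terminal, stdout duplicated from stderr,
   and stdin reading from /dev/null. Throws SysError on any failure. */
void commonChildInit()
{
    logger = makeSimpleLogger();
    const static std::string pathNullDevice = "/dev/null";
    restoreProcessContext(false);

    /* Put the child in a separate session (and thus a separate
       process group) so that it has no controlling terminal (meaning
       that e.g. ssh cannot open /dev/tty) and it doesn't receive
       terminal signals. */
    if (setsid() == -1)
        throw SysError("creating a new session");

    /* Dup stderr to stdout. */
    if (dup2(STDERR_FILENO, STDOUT_FILENO) == -1)
        throw SysError("cannot dup stderr into stdout");

    /* Reroute stdin to /dev/null. */
    int fdDevNull = open(pathNullDevice.c_str(), O_RDWR);
    if (fdDevNull == -1)
        throw SysError("cannot open '%1%'", pathNullDevice);
    if (dup2(fdDevNull, STDIN_FILENO) == -1)
        throw SysError("cannot dup null device into stdin");
    /* If stdin was already closed, open() returned descriptor 0 itself: the
       dup2() above was then a no-op, and closing fdDevNull unconditionally
       would close the stdin we just set up. */
    if (fdDevNull != STDIN_FILENO)
        close(fdDevNull);
}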
}