]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_filedb/lib/AtomicFile.cpp
projects / apple / security.git / blob
? search:


6c21d12d2ab272967dd019f3802627475467881f
[apple/security.git] / OSX / libsecurity_filedb / lib / AtomicFile.cpp
1 /*
2 * Copyright (c) 2000-2013 Apple Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 #include <security_filedb/AtomicFile.h>
20
21 #include <CommonCrypto/CommonDigest.h>
22 #include <security_cdsa_utilities/cssmerrors.h>
23 #include <Security/cssm.h>
24 #include <Security/SecRandom.h>
25 #include <errno.h>
26 #include <fcntl.h>
27 #include <limits.h>
28 #include <syslog.h>
29 #include <sys/param.h>
30 #include <sys/types.h>
31 #include <sys/mount.h>
32 #include <sys/file.h>
33 #include <sys/stat.h>
34 #include <sys/time.h>
35 #include <sys/mman.h>
36 #include <copyfile.h>
37 #include <sandbox.h>
38 #include <set>
39 #include <assert.h>
40
41 #define kAtomicFileMaxBlockSize INT_MAX
42
43
44 //
45 // AtomicFile.cpp
46 //
47 AtomicFile::AtomicFile(const std::string &inPath) :
48 mPath(inPath)
49 {
50 pathSplit(inPath, mDir, mFile);
51
52 if (mDir.length() == 0)
53 {
54 const char* buffer = getwd(NULL);
55 mDir = buffer;
56 free((void*) buffer);
57 }
58
59 mDir += '/';
60
61 // determine if the path is on a local or a networked volume
62 struct statfs info;
63 int result = statfs(mDir.c_str(), &info);
64 if (result == -1) // error on opening?
65 {
66 mIsLocalFileSystem = false; // revert to the old ways if we can't tell what kind of system we have
67 }
68 else
69 {
70 mIsLocalFileSystem = (info.f_flags & MNT_LOCAL) != 0;
71 if (mIsLocalFileSystem)
72 {
73 // compute the name of the lock file for this file
74 CC_SHA1_CTX ctx;
75 CC_SHA1_Init(&ctx);
76 CC_SHA1_Update(&ctx, (const void*) mFile.c_str(), (CC_LONG)mFile.length());
77 u_int8_t digest[CC_SHA1_DIGEST_LENGTH];
78 CC_SHA1_Final(digest, &ctx);
79
80 u_int32_t hash = (digest[0] << 24) | (digest[1] << 16) | (digest[2] << 8) | digest[3];
81
82 char buffer[256];
83 sprintf(buffer, "%08X", hash);
84 mLockFilePath = mDir + ".fl" + buffer;
85 }
86 }
87 }
88
89 AtomicFile::~AtomicFile()
90 {
91 }
92
93 // Acquire the write lock and remove the file.
94 void
95 AtomicFile::performDelete()
96 {
97 AtomicLockedFile lock(*this);
98 if (::unlink(mPath.c_str()) != 0)
99 {
100 int error = errno;
101 secinfo("atomicfile", "unlink %s: %s", mPath.c_str(), strerror(error));
102 if (error == ENOENT)
103 CssmError::throwMe(CSSMERR_DL_DATASTORE_DOESNOT_EXIST);
104 else
105 UnixError::throwMe(error);
106 }
107
108 // unlink our lock file
109 ::unlink(mLockFilePath.c_str());
110 }
111
112 // Acquire the write lock and rename the file (and bump the version and stuff).
113 void
114 AtomicFile::rename(const std::string &inNewPath)
115 {
116 const char *path = mPath.c_str();
117 const char *newPath = inNewPath.c_str();
118
119 // @@@ lock the destination file too.
120 AtomicLockedFile lock(*this);
121 if (::rename(path, newPath) != 0)
122 {
123 int error = errno;
124 secinfo("atomicfile", "rename(%s, %s): %s", path, newPath, strerror(error));
125 UnixError::throwMe(error);
126 }
127 }
128
129 // Lock the file for writing and return a newly created AtomicTempFile.
130 RefPointer<AtomicTempFile>
131 AtomicFile::create(mode_t mode)
132 {
133 const char *path = mPath.c_str();
134
135 // First make sure the directory to this file exists and is writable
136 mkpath(mDir);
137
138 RefPointer<AtomicLockedFile> lock(new AtomicLockedFile(*this));
139 int fileRef = ropen(path, O_WRONLY|O_CREAT|O_EXCL, mode);
140 if (fileRef == -1)
141 {
142 int error = errno;
143 secinfo("atomicfile", "open %s: %s", path, strerror(error));
144
145 // Do the obvious error code translations here.
146 // @@@ Consider moving these up a level.
147 if (error == EACCES)
148 CssmError::throwMe(CSSM_ERRCODE_OS_ACCESS_DENIED);
149 else if (error == EEXIST)
150 CssmError::throwMe(CSSMERR_DL_DATASTORE_ALREADY_EXISTS);
151 else
152 UnixError::throwMe(error);
153 }
154 rclose(fileRef);
155
156 try
157 {
158 // Now that we have created the lock and the new db file create a tempfile
159 // object.
160 RefPointer<AtomicTempFile> temp(new AtomicTempFile(*this, lock, mode));
161 secinfo("atomicfile", "%p created %s", this, path);
162 return temp;
163 }
164 catch (...)
165 {
166 // Creating the temp file failed so remove the db file we just created too.
167 if (::unlink(path) == -1)
168 {
169 secnotice("atomicfile", "unlink %s: %s", path, strerror(errno));
170 }
171 throw;
172 }
173 }
174
175 // Lock the database file for writing and return a newly created AtomicTempFile.
176 // If the parent directory allows the write we're going to allow this. Previous
177 // versions checked for writability of the db file and that caused problems when
178 // setuid programs had made entries. As long as the db (keychain) file is readable
179 // this function can make the newer keychain file with the correct owner just by virtue
180 // of the copy that takes place.
181
182 RefPointer<AtomicTempFile>
183 AtomicFile::write()
184 {
185
186 RefPointer<AtomicLockedFile> lock(new AtomicLockedFile(*this));
187 return new AtomicTempFile(*this, lock);
188 }
189
190 // Return a bufferedFile containing current version of the file for reading.
191 RefPointer<AtomicBufferedFile>
192 AtomicFile::read()
193 {
194 return new AtomicBufferedFile(mPath, mIsLocalFileSystem);
195 }
196
197 mode_t
198 AtomicFile::mode() const
199 {
200 const char *path = mPath.c_str();
201 struct stat st;
202 if (::stat(path, &st) == -1)
203 {
204 int error = errno;
205 secinfo("atomicfile", "stat %s: %s", path, strerror(error));
206 UnixError::throwMe(error);
207 }
208 return st.st_mode;
209 }
210
211 // Split full into a dir and file component.
212 void
213 AtomicFile::pathSplit(const std::string &inFull, std::string &outDir, std::string &outFile)
214 {
215 std::string::size_type slash, len = inFull.size();
216 slash = inFull.rfind('/');
217 if (slash == std::string::npos)
218 {
219 outDir = "";
220 outFile = inFull;
221 }
222 else if (slash + 1 == len)
223 {
224 outDir = inFull;
225 outFile = "";
226 }
227 else
228 {
229 outDir = inFull.substr(0, slash + 1);
230 outFile = inFull.substr(slash + 1, len);
231 }
232 }
233
234 //
235 // Make sure the directory up to inDir exists inDir *must* end in a slash.
236 //
237 void
238 AtomicFile::mkpath(const std::string &inDir, mode_t mode)
239 {
240 // see if the file already exists and is a directory
241 struct stat st;
242 int result = stat(inDir.c_str(), &st);
243
244 if (result == 0) // file exists
245 {
246 if ((st.st_mode & S_IFDIR) == 0)
247 {
248 // whatever was there, it wasn't a directory. That's really bad, so complain
249 syslog(LOG_ALERT, "Needed a directory at %s, but the file that was there was not one.\n", inDir.c_str());
250 UnixError::throwMe(ENOTDIR);
251 }
252 }
253 else
254 {
255 // the file did not exist, try to create it
256 result = mkpath_np(inDir.c_str(), 0777); // make the directory with umask
257 if (result != 0)
258 {
259 // mkpath_np does not set errno, you have to look at the result.
260 UnixError::throwMe(result);
261 }
262 }
263
264 // Double check and see if we got what we hoped for
265 result = stat(inDir.c_str(), &st);
266 if (result != 0)
267 {
268 UnixError::throwMe(errno);
269 }
270
271 if ((st.st_mode & S_IFDIR) == 0)
272 {
273 // we didn't create a dictionary? That's curious...
274 syslog(LOG_ALERT, "Failed to create a directory when we asked for one to be created at %s\n", inDir.c_str());
275 UnixError::throwMe(ENOTDIR);
276 }
277 }
278
279 int
280 AtomicFile::ropen(const char *const name, int flags, mode_t mode)
281 {
282 bool isCreate = (flags & O_CREAT) != 0;
283
284 /*
285 The purpose of checkForRead and checkForWrite is to mitigate
286 spamming of the log when a user has installed certain third
287 party software packages which create additional keychains.
288 Certain applications use a custom sandbox profile which do not
289 permit this and so the user gets a ton of spam in the log.
290 This turns into a serious performance problem.
291
292 We handle this situation by checking two factors:
293
294 1: If the user is trying to create a file, we send the
295 request directly to open. This is the right thing
296 to do, as we don't want most applications creating
297 keychains unless they have been expressly authorized
298 to do so.
299
300 The layers above this one only set O_CREAT when a file
301 doesn't exist, so the case where O_CREAT can be called
302 on an existing file is irrelevant.
303
304 2: If the user is trying to open the file for reading or
305 writing, we check with the sandbox mechanism to see if
306 the operation will be permitted (and tell it not to
307 log if it the operation will fail).
308
309 If the operation is not permitted, we return -1 which
310 emulates the behavior of open. sandbox_check sets
311 errno properly, so the layers which call this function
312 will be able to act as though open had been called.
313 */
314
315 bool checkForRead = false;
316 bool checkForWrite = false;
317
318 int fd, tries_left = 4 /* kNoResRetry */;
319
320 if (!isCreate)
321 {
322 switch (flags & O_ACCMODE)
323 {
324 case O_RDONLY:
325 checkForRead = true;
326 break;
327 case O_WRONLY:
328 checkForWrite = true;
329 break;
330 case O_RDWR:
331 checkForRead = true;
332 checkForWrite = true;
333 break;
334 }
335
336 if (checkForRead)
337 {
338 int result = sandbox_check(getpid(), "file-read-data", (sandbox_filter_type) (SANDBOX_FILTER_PATH | SANDBOX_CHECK_NO_REPORT), name);
339 if (result != 0)
340 {
341 secdebug("atomicfile", "sandboxing rejected read access to %s", name);
342 return -1;
343 }
344 }
345
346 if (checkForWrite)
347 {
348 int result = sandbox_check(getpid(), "file-write-data", (sandbox_filter_type) (SANDBOX_FILTER_PATH | SANDBOX_CHECK_NO_REPORT), name);
349 if (result != 0)
350 {
351 secdebug("atomicfile", "sandboxing rejected write access to %s", name);
352 return -1;
353 }
354 }
355 }
356
357 do
358 {
359 fd = ::open(name, flags, mode);
360 } while (fd < 0 && (errno == EINTR || (errno == ENFILE && --tries_left >= 0)));
361
362 return fd;
363 }
364
365 int
366 AtomicFile::rclose(int fd)
367 {
368 int result;
369 do
370 {
371 result = ::close(fd);
372 } while(result && errno == EINTR);
373
374 return result;
375 }
376
377 //
378 // AtomicBufferedFile - This represents an instance of a file opened for reading.
379 // The file is read into memory and closed after this is done.
380 // The memory is released when this object is destroyed.
381 //
382 AtomicBufferedFile::AtomicBufferedFile(const std::string &inPath, bool isLocal) :
383 mPath(inPath),
384 mFileRef(-1),
385 mBuffer(NULL),
386 mLength(0)
387 {
388 }
389
390 AtomicBufferedFile::~AtomicBufferedFile()
391 {
392 if (mFileRef >= 0)
393 {
394 // In release mode, the assert() is compiled out so rv may be unused.
395 __unused int rv = AtomicFile::rclose(mFileRef);
396 assert(rv == 0);
397 secinfo("atomicfile", "%p closed %s", this, mPath.c_str());
398 }
399
400 if (mBuffer)
401 {
402 secinfo("atomicfile", "%p free %s buffer %p", this, mPath.c_str(), mBuffer);
403 unloadBuffer();
404 }
405 }
406
407 //
408 // Open the file and return the length in bytes.
409 //
410 off_t
411 AtomicBufferedFile::open()
412 {
413 const char *path = mPath.c_str();
414 if (mFileRef >= 0)
415 {
416 secinfo("atomicfile", "open %s: already open, closing and reopening", path);
417 close();
418 }
419
420 mFileRef = AtomicFile::ropen(path, O_RDONLY, 0);
421 if (mFileRef == -1)
422 {
423 int error = errno;
424 secinfo("atomicfile", "open %s: %s", path, strerror(error));
425
426 // Do the obvious error code translations here.
427 // @@@ Consider moving these up a level.
428 if (error == ENOENT)
429 CssmError::throwMe(CSSMERR_DL_DATASTORE_DOESNOT_EXIST);
430 else if (error == EACCES)
431 CssmError::throwMe(CSSM_ERRCODE_OS_ACCESS_DENIED);
432 else
433 UnixError::throwMe(error);
434 }
435
436 struct stat st;
437 int result = fstat(mFileRef, &st);
438 if (result == 0)
439 {
440 mLength = st.st_size;
441 }
442 else
443 {
444 int error = errno;
445 secinfo("atomicfile", "lseek(%s, END): %s", path, strerror(error));
446 AtomicFile::rclose(mFileRef);
447 mFileRef = -1;
448 UnixError::throwMe(error);
449 }
450
451 secinfo("atomicfile", "%p opened %s: %qd bytes", this, path, mLength);
452
453 return mLength;
454 }
455
456 //
457 // Unload the contents of the file.
458 //
459 void
460 AtomicBufferedFile::unloadBuffer()
461 {
462 if(mBuffer) {
463 delete [] mBuffer;
464 mBuffer = NULL;
465 }
466 }
467
468 //
469 // Load the contents of the file into memory.
470 void
471 AtomicBufferedFile::loadBuffer()
472 {
473 // make a buffer big enough to hold the entire file
474 mBuffer = new uint8[(size_t) mLength];
475 if(lseek(mFileRef, 0, SEEK_SET) < 0) {
476 int error = errno;
477 secinfo("atomicfile", "lseek(%s, BEGINNING): %s", mPath.c_str(), strerror(error));
478 UnixError::throwMe(error);
479 }
480 ssize_t pos = 0;
481
482 ssize_t bytesToRead = (ssize_t)mLength;
483 while (bytesToRead > 0)
484 {
485 ssize_t bytesRead = ::read(mFileRef, mBuffer + pos, bytesToRead);
486 if (bytesRead == -1)
487 {
488 if (errno != EINTR)
489 {
490 int error = errno;
491 secinfo("atomicfile", "read(%s, %zd): %s", mPath.c_str(), bytesToRead, strerror(error));
492 AtomicFile::rclose(mFileRef);
493 mFileRef = -1;
494 UnixError::throwMe(error);
495 }
496 }
497 else
498 {
499 bytesToRead -= bytesRead;
500 pos += bytesRead;
501 }
502 }
503 }
504
505
506
507 //
508 // Read the file starting at inOffset for inLength bytes into the buffer and return
509 // a pointer to it. On return outLength contain the actual number of bytes read, it
510 // will only ever be less than inLength if EOF was reached, and it will never be more
511 // than inLength.
512 //
513 const uint8 *
514 AtomicBufferedFile::read(off_t inOffset, off_t inLength, off_t &outLength)
515 {
516 if (mFileRef < 0)
517 {
518 secinfo("atomicfile", "read %s: file yet not opened, opening", mPath.c_str());
519 open();
520 }
521
522 off_t bytesLeft = inLength;
523 if (mBuffer)
524 {
525 secinfo("atomicfile", "%p free %s buffer %p", this, mPath.c_str(), mBuffer);
526 unloadBuffer();
527 }
528
529 loadBuffer();
530
531 secinfo("atomicfile", "%p allocated %s buffer %p size %qd", this, mPath.c_str(), mBuffer, bytesLeft);
532
533 off_t maxEnd = inOffset + inLength;
534 if (maxEnd > mLength)
535 {
536 maxEnd = mLength;
537 }
538
539 outLength = maxEnd - inOffset;
540
541 return mBuffer + inOffset;
542 }
543
544 void
545 AtomicBufferedFile::close()
546 {
547 if (mFileRef < 0)
548 {
549 secinfo("atomicfile", "close %s: already closed", mPath.c_str());
550 }
551 else
552 {
553 int result = AtomicFile::rclose(mFileRef);
554 mFileRef = -1;
555 if (result == -1)
556 {
557 int error = errno;
558 secnotice("atomicfile", "close %s: %s", mPath.c_str(), strerror(errno));
559 UnixError::throwMe(error);
560 }
561
562 secinfo("atomicfile", "%p closed %s", this, mPath.c_str());
563 }
564 }
565
566
567 //
568 // AtomicTempFile - A temporary file to write changes to.
569 //
570 AtomicTempFile::AtomicTempFile(AtomicFile &inFile, const RefPointer<AtomicLockedFile> &inLockedFile, mode_t mode) :
571 mFile(inFile),
572 mLockedFile(inLockedFile),
573 mCreating(true)
574 {
575 create(mode);
576 }
577
578 AtomicTempFile::AtomicTempFile(AtomicFile &inFile, const RefPointer<AtomicLockedFile> &inLockedFile) :
579 mFile(inFile),
580 mLockedFile(inLockedFile),
581 mCreating(false)
582 {
583 create(mFile.mode());
584 }
585
586 AtomicTempFile::~AtomicTempFile()
587 {
588 // rollback if we didn't commit yet.
589 if (mFileRef >= 0)
590 rollback();
591 }
592
593 //
594 // Open the file and return the length in bytes.
595 //
596 void
597 AtomicTempFile::create(mode_t mode)
598 {
599 // we now generate our temporary file name through sandbox API's.
600
601 // put the dir into a canonical form
602 string dir = mFile.dir();
603 int i = (int)dir.length() - 1;
604
605 // walk backwards until we get to a non / character
606 while (i >= 0 && dir[i] == '/')
607 {
608 i -= 1;
609 }
610
611 // point one beyond the string
612 i += 1;
613
614 const char* temp = _amkrtemp((dir.substr(0, i) + "/" + mFile.file()).c_str());
615 if (temp == NULL)
616 {
617 UnixError::throwMe(errno);
618 }
619
620 mPath = temp;
621 free((void*) temp);
622
623 const char *path = mPath.c_str();
624
625 mFileRef = AtomicFile::ropen(path, O_WRONLY|O_CREAT|O_TRUNC, mode);
626 if (mFileRef == -1)
627 {
628 int error = errno;
629 secnotice("atomicfile", "create %s: %s", path, strerror(error));
630
631 // Do the obvious error code translations here.
632 // @@@ Consider moving these up a level.
633 if (error == EACCES)
634 CssmError::throwMe(CSSM_ERRCODE_OS_ACCESS_DENIED);
635 else
636 UnixError::throwMe(error);
637 }
638
639 // If we aren't creating the inital file, make sure we preserve
640 // the mode of the old file regardless of the current umask.
641 // If we are creating the inital file we respect the users
642 // current umask.
643 if (!mCreating)
644 {
645 if (::fchmod(mFileRef, mode))
646 {
647 int error = errno;
648 secnotice("atomicfile", "fchmod %s: %s", path, strerror(error));
649 UnixError::throwMe(error);
650 }
651 }
652
653 secinfo("atomicfile", "%p created %s", this, path);
654 }
655
656 void
657 AtomicTempFile::write(AtomicFile::OffsetType inOffsetType, off_t inOffset, const uint32 inData)
658 {
659 uint32 aData = htonl(inData);
660 write(inOffsetType, inOffset, reinterpret_cast<uint8 *>(&aData), sizeof(aData));
661 }
662
663 void
664 AtomicTempFile::write(AtomicFile::OffsetType inOffsetType, off_t inOffset,
665 const uint32 *inData, uint32 inCount)
666 {
667 #ifdef HOST_LONG_IS_NETWORK_LONG
668 // Optimize this for the case where hl == nl
669 const uint32 *aBuffer = inData;
670 #else
671 auto_array<uint32> aBuffer(inCount);
672 for (uint32 i = 0; i < inCount; i++)
673 aBuffer.get()[i] = htonl(inData[i]);
674 #endif
675
676 write(inOffsetType, inOffset, reinterpret_cast<const uint8 *>(aBuffer.get()),
677 inCount * sizeof(*inData));
678 }
679
680 void
681 AtomicTempFile::write(AtomicFile::OffsetType inOffsetType, off_t inOffset, const uint8 *inData, size_t inLength)
682 {
683 off_t pos;
684 if (inOffsetType == AtomicFile::FromEnd)
685 {
686 pos = ::lseek(mFileRef, 0, SEEK_END);
687 if (pos == -1)
688 {
689 int error = errno;
690 secnotice("atomicfile", "lseek(%s, %qd): %s", mPath.c_str(), inOffset, strerror(error));
691 UnixError::throwMe(error);
692 }
693 }
694 else if (inOffsetType == AtomicFile::FromStart)
695 pos = inOffset;
696 else
697 CssmError::throwMe(CSSM_ERRCODE_INTERNAL_ERROR);
698
699 off_t bytesLeft = inLength;
700 const uint8 *ptr = inData;
701 while (bytesLeft)
702 {
703 size_t toWrite = bytesLeft > kAtomicFileMaxBlockSize ? kAtomicFileMaxBlockSize : size_t(bytesLeft);
704 ssize_t bytesWritten = ::pwrite(mFileRef, ptr, toWrite, pos);
705 if (bytesWritten == -1)
706 {
707 int error = errno;
708 if (error == EINTR)
709 {
710 // We got interrupted by a signal, so try again.
711 secnotice("atomicfile", "write %s: interrupted, retrying", mPath.c_str());
712 continue;
713 }
714
715 secnotice("atomicfile", "write %s: %s", mPath.c_str(), strerror(error));
716 UnixError::throwMe(error);
717 }
718
719 // Write returning 0 is bad mmkay.
720 if (bytesWritten == 0)
721 {
722 secnotice("atomicfile", "write %s: 0 bytes written", mPath.c_str());
723 CssmError::throwMe(CSSMERR_DL_INTERNAL_ERROR);
724 }
725
726 secdebug("atomicfile", "%p wrote %s %ld bytes from %p", this, mPath.c_str(), bytesWritten, ptr);
727
728 bytesLeft -= bytesWritten;
729 ptr += bytesWritten;
730 pos += bytesWritten;
731 }
732 }
733
734 void
735 AtomicTempFile::fsync()
736 {
737 if (mFileRef < 0)
738 {
739 secnotice("atomicfile", "fsync %s: already closed", mPath.c_str());
740 }
741 else
742 {
743 int result;
744 do
745 {
746 result = ::fsync(mFileRef);
747 } while (result && errno == EINTR);
748
749 if (result == -1)
750 {
751 int error = errno;
752 secnotice("atomicfile", "fsync %s: %s", mPath.c_str(), strerror(errno));
753 UnixError::throwMe(error);
754 }
755
756 secinfo("atomicfile", "%p fsynced %s", this, mPath.c_str());
757 }
758 }
759
760 void
761 AtomicTempFile::close()
762 {
763 if (mFileRef < 0)
764 {
765 secnotice("atomicfile", "close %s: already closed", mPath.c_str());
766 }
767 else
768 {
769 int result = AtomicFile::rclose(mFileRef);
770 mFileRef = -1;
771 if (result == -1)
772 {
773 int error = errno;
774 secnotice("atomicfile", "close %s: %s", mPath.c_str(), strerror(errno));
775 UnixError::throwMe(error);
776 }
777
778 secinfo("atomicfile", "%p closed %s", this, mPath.c_str());
779 }
780 }
781
782 // Commit the current create or write and close the write file. Note that a throw during the commit does an automatic rollback.
783 void
784 AtomicTempFile::commit()
785 {
786 try
787 {
788 fsync();
789 close();
790 const char *oldPath = mPath.c_str();
791 const char *newPath = mFile.path().c_str();
792
793 // <rdar://problem/6991037>
794 // Copy the security parameters of one file to another
795 // Adding this to guard against setuid utilities that are re-writing a user's keychain. We don't want to leave them root-owned.
796 // In order to not break backward compatability we'll make a best effort, but continue if these efforts fail.
797 //
798 // To clear something up - newPath is the name the keychain will become - which is the name of the file being replaced
799 // oldPath is the "temp filename".
800
801 copyfile_state_t s;
802 s = copyfile_state_alloc();
803
804 if(copyfile(newPath, oldPath, s, COPYFILE_SECURITY | COPYFILE_NOFOLLOW) == -1) // Not fatal
805 secnotice("atomicfile", "copyfile (%s, %s): %s", oldPath, newPath, strerror(errno));
806
807 copyfile_state_free(s);
808 // END <rdar://problem/6991037>
809
810 ::utimes(oldPath, NULL);
811
812 if (::rename(oldPath, newPath) == -1)
813 {
814 int error = errno;
815 secnotice("atomicfile", "rename (%s, %s): %s", oldPath, newPath, strerror(errno));
816 UnixError::throwMe(error);
817 }
818
819 secnotice("atomicfile", "%p commited %s to %s", this, oldPath, newPath);
820
821 // Unlock the lockfile
822 mLockedFile = NULL;
823 }
824 catch (...)
825 {
826 rollback();
827 throw;
828 }
829 }
830
831 // Rollback the current create or write (happens automatically if commit() isn't called before the destructor is.
832 void
833 AtomicTempFile::rollback() throw()
834 {
835 if (mFileRef >= 0)
836 {
837 AtomicFile::rclose(mFileRef);
838 mFileRef = -1;
839 }
840
841 // @@@ Log errors if this fails.
842 const char *path = mPath.c_str();
843 if (::unlink(path) == -1)
844 {
845 secnotice("atomicfile", "unlink %s: %s", path, strerror(errno));
846 // rollback can't throw
847 }
848
849 // @@@ Think about this. Depending on how we do locking we might not need this.
850 if (mCreating)
851 {
852 const char *path = mFile.path().c_str();
853 if (::unlink(path) == -1)
854 {
855 secnotice("atomicfile", "unlink %s: %s", path, strerror(errno));
856 // rollback can't throw
857 }
858 }
859 }
860
861
862 //
863 // An advisory write lock for inFile.
864 //
865 FileLocker::~FileLocker()
866 {
867 }
868
869
870
871 LocalFileLocker::LocalFileLocker(AtomicFile &inFile) :
872 mPath(inFile.lockFileName())
873 {
874 }
875
876
877 LocalFileLocker::~LocalFileLocker()
878 {
879 }
880
881
882
883 #ifndef NDEBUG
884 static double GetTime()
885 {
886 struct timeval t;
887 gettimeofday(&t, NULL);
888 return ((double) t.tv_sec) + ((double) t.tv_usec) / 1000000.0;
889 }
890 #endif
891
892
893
894 void
895 LocalFileLocker::lock(mode_t mode)
896 {
897 struct stat st;
898
899 do
900 {
901 // if the lock file doesn't exist, create it
902 mLockFile = open(mPath.c_str(), O_RDONLY | O_CREAT, mode);
903
904 // if we can't open or create the file, something is wrong
905 if (mLockFile == -1)
906 {
907 UnixError::throwMe(errno);
908 }
909
910 // try to get exclusive access to the file
911 IFDEBUG(double startTime = GetTime());
912 int result = flock(mLockFile, LOCK_EX);
913 IFDEBUG(double endTime = GetTime());
914
915 IFDEBUG(secnotice("atomictime", "Waited %.4f milliseconds for file lock", (endTime - startTime) * 1000.0));
916
917 // errors at this point are bad
918 if (result == -1)
919 {
920 UnixError::throwMe(errno);
921 }
922
923 // check and see if the file we have access to still exists. If not, another file shared our file lock
924 // due to a hash collision and has thrown our lock away -- that, or a user blew the lock file away himself.
925
926 result = fstat(mLockFile, &st);
927
928 // errors at this point are bad
929 if (result == -1)
930 {
931 UnixError::throwMe(errno);
932 }
933
934 if (st.st_nlink == 0) // we've been unlinked!
935 {
936 close(mLockFile);
937 }
938 } while (st.st_nlink == 0);
939 }
940
941
942 void
943 LocalFileLocker::unlock()
944 {
945 flock(mLockFile, LOCK_UN);
946 close(mLockFile);
947 }
948
949
950
951 NetworkFileLocker::NetworkFileLocker(AtomicFile &inFile) :
952 mDir(inFile.dir()),
953 mPath(inFile.dir() + "lck~" + inFile.file())
954 {
955 }
956
957 NetworkFileLocker::~NetworkFileLocker()
958 {
959 }
960
961 std::string
962 NetworkFileLocker::unique(mode_t mode)
963 {
964 static const int randomPart = 16;
965 std::string::size_type dirSize = mDir.size();
966 std::string fullname(dirSize + randomPart + 2, '\0');
967 fullname.replace(0, dirSize, mDir);
968 fullname[dirSize] = '~'; /* UNIQ_PREFIX */
969 char buf[randomPart];
970 struct stat filebuf;
971 int result, fd = -1;
972
973 for (int retries = 0; retries < 10; ++retries)
974 {
975 /* Make a random filename. */
976 MacOSError::check(SecRandomCopyBytes(kSecRandomDefault, randomPart, buf));
977 for (int ix = 0; ix < randomPart; ++ix)
978 {
979 char ch = buf[ix] & 0x3f;
980 fullname[ix + dirSize + 1] = ch +
981 ( ch < 26 ? 'A'
982 : ch < 26 + 26 ? 'a' - 26
983 : ch < 26 + 26 + 10 ? '0' - 26 - 26
984 : ch == 26 + 26 + 10 ? '-' - 26 - 26 - 10
985 : '_' - 26 - 26 - 11);
986 }
987
988 result = lstat(fullname.c_str(), &filebuf);
989 if (result && errno == ENAMETOOLONG)
990 {
991 do
992 fullname.erase(fullname.end() - 1);
993 while((result = lstat(fullname.c_str(), &filebuf)) && errno == ENAMETOOLONG && fullname.size() > dirSize + 8);
994 } /* either it stopped being a problem or we ran out of filename */
995
996 if (result && errno == ENOENT)
997 {
998 fd = AtomicFile::ropen(fullname.c_str(), O_WRONLY|O_CREAT|O_EXCL, mode);
999 if (fd >= 0 || errno != EEXIST)
1000 break;
1001 }
1002 }
1003
1004 if (fd < 0)
1005 {
1006 int error = errno;
1007 ::syslog(LOG_ERR, "Couldn't create temp file %s: %s", fullname.c_str(), strerror(error));
1008 secnotice("atomicfile", "Couldn't create temp file %s: %s", fullname.c_str(), strerror(error));
1009 UnixError::throwMe(error);
1010 }
1011
1012 /* @@@ Check for EINTR. */
1013 write(fd, "0", 1); /* pid 0, `works' across networks */
1014
1015 AtomicFile::rclose(fd);
1016
1017 return fullname;
1018 }
1019
1020 /* Return 0 on success and 1 on failure if st is set to the result of stat(old) and -1 on failure if the stat(old) failed. */
1021 int
1022 NetworkFileLocker::rlink(const char *const old, const char *const newn, struct stat &sto)
1023 {
1024 int result = ::link(old,newn);
1025 if (result)
1026 {
1027 int serrno = errno;
1028 if (::lstat(old, &sto) == 0)
1029 {
1030 struct stat stn;
1031 if (::lstat(newn, &stn) == 0
1032 && sto.st_dev == stn.st_dev
1033 && sto.st_ino == stn.st_ino
1034 && sto.st_uid == stn.st_uid
1035 && sto.st_gid == stn.st_gid
1036 && !S_ISLNK(sto.st_mode))
1037 {
1038 /* Link failed but files are the same so the link really went ok. */
1039 return 0;
1040 }
1041 else
1042 result = 1;
1043 }
1044 errno = serrno; /* Restore errno from link() */
1045 }
1046
1047 return result;
1048 }
1049
1050 /* NFS-resistant rename()
1051 * rename with fallback for systems that don't support it
1052 * Note that this does not preserve the contents of the file. */
1053 int
1054 NetworkFileLocker::myrename(const char *const old, const char *const newn)
1055 {
1056 struct stat stbuf;
1057 int fd = -1;
1058 int ret;
1059
1060 /* Try a real hardlink */
1061 ret = rlink(old, newn, stbuf);
1062 if (ret > 0)
1063 {
1064 if (stbuf.st_nlink < 2 && (errno == EXDEV || errno == ENOTSUP))
1065 {
1066 /* Hard link failed so just create a new file with O_EXCL instead. */
1067 fd = AtomicFile::ropen(newn, O_WRONLY|O_CREAT|O_EXCL, stbuf.st_mode);
1068 if (fd >= 0)
1069 ret = 0;
1070 }
1071 }
1072
1073 /* We want the errno from the link or the ropen, not that of the unlink. */
1074 int serrno = errno;
1075
1076 /* Unlink the temp file. */
1077 ::unlink(old);
1078 if (fd > 0)
1079 AtomicFile::rclose(fd);
1080
1081 errno = serrno;
1082 return ret;
1083 }
1084
1085 int
1086 NetworkFileLocker::xcreat(const char *const name, mode_t mode, time_t &tim)
1087 {
1088 std::string uniqueName = unique(mode);
1089 const char *uniquePath = uniqueName.c_str();
1090 struct stat stbuf; /* return the filesystem time to the caller */
1091 stat(uniquePath, &stbuf);
1092 tim = stbuf.st_mtime;
1093 return myrename(uniquePath, name);
1094 }
1095
1096 void
1097 NetworkFileLocker::lock(mode_t mode)
1098 {
1099 const char *path = mPath.c_str();
1100 bool triedforce = false;
1101 struct stat stbuf;
1102 time_t t, locktimeout = 1024; /* DEFlocktimeout, 17 minutes. */
1103 bool doSyslog = false;
1104 bool failed = false;
1105 int retries = 0;
1106
1107 while (!failed)
1108 {
1109 /* Don't syslog first time through. */
1110 if (doSyslog)
1111 ::syslog(LOG_NOTICE, "Locking %s", path);
1112 else
1113 doSyslog = true;
1114
1115 secinfo("atomicfile", "Locking %s", path); /* in order to cater for clock skew: get */
1116 if (!xcreat(path, mode, t)) /* time t from the filesystem */
1117 {
1118 /* lock acquired, hurray! */
1119 break;
1120 }
1121 switch(errno)
1122 {
1123 case EEXIST: /* check if it's time for a lock override */
1124 if (!lstat(path, &stbuf) && stbuf.st_size <= 16 /* MAX_locksize */ && locktimeout
1125 && !lstat(path, &stbuf) && locktimeout < t - stbuf.st_mtime)
1126 /* stat() till unlink() should be atomic, but can't guarantee that. */
1127 {
1128 if (triedforce)
1129 {
1130 /* Already tried, force lock override, not trying again */
1131 failed = true;
1132 break;
1133 }
1134 else if (S_ISDIR(stbuf.st_mode) || ::unlink(path))
1135 {
1136 triedforce=true;
1137 ::syslog(LOG_ERR, "Forced unlock denied on %s", path);
1138 secnotice("atomicfile", "Forced unlock denied on %s", path);
1139 }
1140 else
1141 {
1142 ::syslog(LOG_ERR, "Forcing lock on %s", path);
1143 secnotice("atomicfile", "Forcing lock on %s", path);
1144 sleep(16 /* DEFsuspend */);
1145 break;
1146 }
1147 }
1148 else
1149 triedforce = false; /* legitimate iteration, clear flag */
1150
1151 /* Reset retry counter. */
1152 retries = 0;
1153 usleep(250000);
1154 break;
1155
1156 case ENOSPC: /* no space left, treat it as a transient */
1157 #ifdef EDQUOT /* NFS failure */
1158 case EDQUOT: /* maybe it was a short term shortage? */
1159 #endif
1160 case ENOENT:
1161 case ENOTDIR:
1162 case EIO:
1163 /*case EACCES:*/
1164 if(++retries < (256 + 1)) /* nfsTRY number of times+1 to ignore spurious NFS errors */
1165 usleep(250000);
1166 else
1167 failed = true;
1168 break;
1169
1170 #ifdef ENAMETOOLONG
1171 case ENAMETOOLONG: /* Filename is too long, shorten and retry */
1172 if (mPath.size() > mDir.size() + 8)
1173 {
1174 secnotice("atomicfile", "Truncating %s and retrying lock", path);
1175 mPath.erase(mPath.end() - 1);
1176 path = mPath.c_str();
1177 /* Reset retry counter. */
1178 retries = 0;
1179 break;
1180 }
1181 /* DROPTHROUGH */
1182 #endif
1183 default:
1184 failed = true;
1185 break;
1186 }
1187 }
1188
1189 if (failed)
1190 {
1191 int error = errno;
1192 ::syslog(LOG_ERR, "Lock failure on %s: %s", path, strerror(error));
1193 secnotice("atomicfile", "Lock failure on %s: %s", path, strerror(error));
1194 UnixError::throwMe(error);
1195 }
1196 }
1197
1198 void
1199 NetworkFileLocker::unlock()
1200 {
1201 const char *path = mPath.c_str();
1202 if (::unlink(path) == -1)
1203 {
1204 secnotice("atomicfile", "unlink %s: %s", path, strerror(errno));
1205 // unlock can't throw
1206 }
1207 }
1208
1209
1210
1211 AtomicLockedFile::AtomicLockedFile(AtomicFile &inFile)
1212 {
1213 if (inFile.isOnLocalFileSystem())
1214 {
1215 mFileLocker = new LocalFileLocker(inFile);
1216 }
1217 else
1218 {
1219 mFileLocker = new NetworkFileLocker(inFile);
1220 }
1221
1222 lock();
1223 }
1224
1225
1226
1227 AtomicLockedFile::~AtomicLockedFile()
1228 {
1229 unlock();
1230 delete mFileLocker;
1231 }
1232
1233
1234
1235 void
1236 AtomicLockedFile::lock(mode_t mode)
1237 {
1238 mFileLocker->lock(mode);
1239 }
1240
1241
1242
1243 void AtomicLockedFile::unlock() throw()
1244 {
1245 mFileLocker->unlock();
1246 }
1247
1248
1249
1250 #undef kAtomicFileMaxBlockSize
mirror of Security