When using `FICLONE`, the kernel does a full file clone and disregards the
fd offsets. Users of this API however assume that it *is*
offset-sensitive. So we need to verify that the fd offsets are at the
start of the files before we call `FICLONE`. This was done in systemd also
in:
https://github.com/systemd/systemd/commit/c622fbdb8d37
The commit message does not explain this but `ioctl_ficlone(2)` says:
The `FICLONE` ioctl clones entire files.
(Compare with `FICLONERANGE`, which takes a struct with offsets and the
length).
Similarly, we need to seek to the end of the file descriptors on success
so that we're consistent with the behaviour of the other backends
available (`copy_file_range`, `sendfile` and manual copying). This also
matches what systemd does nowadays:
https://github.com/systemd/systemd/blob/80f967311ac5/src/shared/copy.c#L199
If we keep this module closer to warnings-clean, then it can be
submoduled into Meson projects that enable warnings by default without
having to override it to a lower warning-level.
Signed-off-by: Simon McVittie <smcv@collabora.com>
g_variant_n_children() returns a size_t (or gsize, which is equivalent)
so in principle it could overflow an int, although in practice we are
not going to have that many extended attributes. This silences a
warning from gcc -Wsign-compare.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This is documented as taking a length of -1, but the parameter is
unsigned, so it's more correctly ((gsize) -1). This silences a warning
from gcc -Wsign-compare.
Signed-off-by: Simon McVittie <smcv@collabora.com>
gcc -Wsign-compare warns about this. The iteration limit is constant
and small enough that either int or guint would be fine.
Signed-off-by: Simon McVittie <smcv@collabora.com>
These functions take a GCancellable for consistency with other file
APIs, but are not actually cancellable at the moment.
Signed-off-by: Simon McVittie <smcv@collabora.com>
fallocate() is only visible in fcntl.h if _GNU_SOURCE is defined.
Most users of libglnx will want to do that anyway, but it seems nicer
to avoid "implicit declaration of function ‘fallocate’" warnings from
simply including <libglnx.h> into naive code.
Signed-off-by: Simon McVittie <smcv@collabora.com>
What isn't tested usually doesn't work, and the only way to use libglnx
is as a subproject, so test it like that.
Signed-off-by: Simon McVittie <smcv@collabora.com>
If we're building libglnx as a subproject in a larger project, we won't
necessarily want to run these.
Signed-off-by: Simon McVittie <smcv@collabora.com>
One of Flatpak's unit tests uses this, for _GLNX_TEST_SCOPED_TEMP_DIR.
Its API is not really stable, but libglnx is a "copylib" anyway, so
none of it has (or needs) a strictly stable API.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This copylib isn't intended to be part of anyone's ABI. In Autotools,
this is typically implemented by doing some ad-hoc compiler checks and
adding -fvisibility=hidden to the global CFLAGS of any library that
pulls in libglnx, but in Meson it's a build system feature.
Signed-off-by: Simon McVittie <smcv@collabora.com>
If we don't do this, users of libglnx all have to add this dependency
themselves, otherwise they'll get errors like:
fatal error: gio/gfiledescriptorbased.h: No such file or directory
Signed-off-by: Simon McVittie <smcv@collabora.com>
It seems that on SELinux systems, files in /proc have extended
attributes that cannot be copied by an unprivileged user.
Signed-off-by: Simon McVittie <smcv@debian.org>
To fill in some gaps, I've had to make some assumptions:
* trivial changes (such as checking for an additional function or
header file in libglnx.m4) are assumed to not be copyrightable
* Will Thompson and Matthew Leeds are assumed to be contributing on
behalf of Endless Mobile Inc.
* files with no explicit licensing information are assumed to be
under the license found in COPYING
Reference: https://reuse.software/
Signed-off-by: Simon McVittie <smcv@debian.org>
Some pseudo-files in /proc and /sys list a size of 0 bytes in stat()
results, but do in fact have content. For these pseudo-files, the only
way to find out the true file size is to try read() until EOF, so leave
the max_bytes set to -1.
copy_file_range() and sendfile() don't work for such files in some
kernel versions (see <https://lwn.net/Articles/846403/>), so skip the
fast-paths and use a read() and write() loop. For pseudo-files, we
expect to be able to copy the whole content in one read() in any case.
Signed-off-by: Simon McVittie <smcv@debian.org>
Although EINVAL usually indicates a programming error, ecryptfs (and
possibly other stacked filesystems) returns EINVAL for attempts to
copy_file_range() or sendfile() between files on that filesystem.
Resolves: https://gitlab.gnome.org/GNOME/libglnx/-/issues/3
When we free `xattr_name`, we need to transfer ownership away to avoid
potential for a double-free if we hit `ENOTSUP` on the next iteration.
Reported-by: Seth Arnold <seth.arnold@canonical.com>
This avoids colliding with a config.h generated by a parent Meson
project.
In the Meson build system, we generate libglnx-config.h by doing our
own checks, so we want to avoid it colliding.
In the Autotools build system, we assume that the parent project will
generate its own config.h that contains the results of LIBGLNX_CONFIGURE,
and create a forwarding header libglnx-config.h in the $(top_builddir)
(so that it is next to config.h).
Note that after updating libglnx in an Autotools non-recursive-Make
project (libostree, flatpak, flatpak-builder) it will be necessary to
re-run autogen.sh.
Signed-off-by: Simon McVittie <smcv@collabora.com>
It's not smart enough to follow the conditionals here to see
that `textlen > 0` implies `text != NULL`. But the cost of an additional
check is probably nil, so let's be robust to future code refactoring.
This is useful in the same situations rewinddir() is. My use-case right
now is to remove some of the files from a directory, then go back through
the directory removing symlinks that pointed to those files.
Signed-off-by: Simon McVittie <smcv@collabora.com>
In some contexts, we may want to copy a root-owned file but we're not
running as root so we can't `fchown` it. (The case I'm interested in is
actually a bit more obscure than this: running in a supermin VM as root,
and wanting to copy a file we created onto a 9p mount where we don't
have perms to `fchown`).
Add a `GLNX_FILE_COPY_NOCHOWN` to handle this case.
This make replaced files have a strictly increasing st_mtime. The main
usecase I have for this is to ensure the summary file mtime increases
because the flatpak tests are failing due to the python httpd used
in the tests rely on st_mtime for the http If-Modified-Since header.
For the tests this breaks all the time since we're just doing a lot of
summary updates. However, I can see this accidentally happening in the
wild too, so i think its proper to always ensure the new summary is
"newer", even though it means it will be timestamped slightly in the
future. In practice this will not happen regularly, and the times it
*does* happen we really do need it.
