journal: guarantee async-signal-safety in sd_journald_sendv

signal(7) provides a list of functions which may be called from a
signal handler. Other functions, which only call those functions and
don't access global memory and are reentrant are also safe.
sd_j_sendv was mostly OK, but would call mkostemp and writev in a
fallback path, which are unsafe.

Being able to call sd_j_sendv in a async-signal-safe way is important
because it allows it be used in signal handlers.

Safety is achieved by replacing mkostemp with open(O_TMPFILE) and an
open-coded writev replacement which uses write. Unfortunately,
O_TMPFILE is only available on kernels >= 3.11. When O_TMPFILE is
unavailable, an open-coded mkostemp is used.

https://bugzilla.gnome.org/show_bug.cgi?id=722889

4 files changed, 63 insertions, 11 deletions

diff --git a/src/shared/def.h b/src/shared/def.h
index a2304fddda..7777756aad 100644
--- a/src/shared/def.h
+++ b/src/shared/def.h
@@ -44,6 +44,7 @@
 #define LOWERCASE_LETTERS "abcdefghijklmnopqrstuvwxyz"
 #define UPPERCASE_LETTERS "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
 #define LETTERS LOWERCASE_LETTERS UPPERCASE_LETTERS
+#define ALPHANUMERICAL LETTERS DIGITS
 
 #define REBOOT_PARAM_FILE "/run/systemd/reboot-param"
 
diff --git a/src/shared/missing.h b/src/shared/missing.h
index 6c038d9f08..4e62100030 100644
--- a/src/shared/missing.h
+++ b/src/shared/missing.h
@@ -301,25 +301,29 @@ static inline int name_to_handle_at(int fd, const char *name, struct file_handle
 #endif
 
 #ifndef CIFS_MAGIC_NUMBER
-#define CIFS_MAGIC_NUMBER 0xFF534D42
+#  define CIFS_MAGIC_NUMBER 0xFF534D42
 #endif
 
 #ifndef TFD_TIMER_CANCEL_ON_SET
-#define TFD_TIMER_CANCEL_ON_SET (1 << 1)
+#  define TFD_TIMER_CANCEL_ON_SET (1 << 1)
 #endif
 
 #ifndef SO_REUSEPORT
-#define SO_REUSEPORT 15
+#  define SO_REUSEPORT 15
 #endif
 
 #ifndef EVIOCREVOKE
-#define EVIOCREVOKE _IOW('E', 0x91, int)
+#  define EVIOCREVOKE _IOW('E', 0x91, int)
 #endif
 
 #ifndef DRM_IOCTL_SET_MASTER
-#define DRM_IOCTL_SET_MASTER _IO('d', 0x1e)
+#  define DRM_IOCTL_SET_MASTER _IO('d', 0x1e)
 #endif
 
 #ifndef DRM_IOCTL_DROP_MASTER
-#define DRM_IOCTL_DROP_MASTER _IO('d', 0x1f)
+#  define DRM_IOCTL_DROP_MASTER _IO('d', 0x1f)
+#endif
+
+#ifndef TMP_MAX
+# define TMP_MAX 238328
 #endif
diff --git a/src/shared/util.c b/src/shared/util.c
index 27fc9594cd..a437d9b127 100644
--- a/src/shared/util.c
+++ b/src/shared/util.c
@@ -6109,6 +6109,53 @@ int getpeersec(int fd, char **ret) {
         return 0;
 }
 
+int writev_safe(int fd, const struct iovec *w, int j) {
+        for (int i = 0; i < j; i++) {
+                size_t written = 0;
+
+                while (written < w[i].iov_len) {
+                        ssize_t r;
+
+                        r = write(fd, (char*) w[i].iov_base + written, w[i].iov_len - written);
+                        if (r < 0 && errno != -EINTR)
+                                return -errno;
+
+                        written += r;
+                }
+        }
+
+        return 0;
+}
+
+int mkostemp_safe(char *pattern, int flags) {
+        char *s = pattern + strlen(pattern) - 6;
+        uint64_t tries = TMP_MAX;
+        int randfd, fd, i;
+
+        assert(streq(s, "XXXXXX"));
+
+        randfd = open("/dev/urandom", O_RDONLY);
+        if (randfd < 0)
+                return -ENOSYS;
+
+        while (tries--) {
+                fd = read(randfd, s, 6);
+                if (fd == 0)
+                        return -ENOSYS;
+
+                for (i = 0; i < 6; i++)
+                        s[i] = ALPHANUMERICAL[(unsigned) s[i] % strlen(ALPHANUMERICAL)];
+
+                fd = open(pattern, flags|O_EXCL|O_CREAT, S_IRUSR|S_IWUSR);
+                if (fd >= 0)
+                        return fd;
+                if (!IN_SET(errno, EEXIST, EINTR))
+                        return -errno;
+        }
+
+        return -EEXIST;
+}
+
 int open_tmpfile(const char *path, int flags) {
         int fd;
         char *p;
@@ -6120,12 +6167,9 @@ int open_tmpfile(const char *path, int flags) {
 #endif
         p = strappenda(path, "/systemd-tmp-XXXXXX");
 
-        RUN_WITH_UMASK(0077) {
-                fd = mkostemp(p, O_RDWR|O_CLOEXEC);
-        }
-
+        fd = mkostemp_safe(p, O_RDWR|O_CLOEXEC);
         if (fd < 0)
-                return -errno;
+                return fd;
 
         unlink(p);
         return fd;
diff --git a/src/shared/util.h b/src/shared/util.h
index 630137a53a..1169864c3a 100644
--- a/src/shared/util.h
+++ b/src/shared/util.h
@@ -850,4 +850,7 @@ bool pid_valid(pid_t pid);
 int getpeercred(int fd, struct ucred *ucred);
 int getpeersec(int fd, char **ret);
 
+int writev_safe(int fd, const struct iovec *w, int j);
+
+int mkostemp_safe(char *pattern, int flags);
 int open_tmpfile(const char *path, int flags);