summaryrefslogtreecommitdiffstats
path: root/src/copy.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/copy.c')
-rw-r--r--src/copy.c3094
1 files changed, 3094 insertions, 0 deletions
diff --git a/src/copy.c b/src/copy.c
new file mode 100644
index 0000000..6e5efc7
--- /dev/null
+++ b/src/copy.c
@@ -0,0 +1,3094 @@
+/* copy.c -- core functions for copying files and directories
+ Copyright (C) 1989-2020 Free Software Foundation, Inc.
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>. */
+
+/* Extracted from cp.c and librarified by Jim Meyering. */
+
+#include <config.h>
+#include <stdio.h>
+#include <assert.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <selinux/selinux.h>
+
+#if HAVE_HURD_H
+# include <hurd.h>
+#endif
+#if HAVE_PRIV_H
+# include <priv.h>
+#endif
+
+#include "system.h"
+#include "acl.h"
+#include "backupfile.h"
+#include "buffer-lcm.h"
+#include "canonicalize.h"
+#include "copy.h"
+#include "cp-hash.h"
+#include "extent-scan.h"
+#include "die.h"
+#include "error.h"
+#include "fadvise.h"
+#include "fcntl--.h"
+#include "fiemap.h"
+#include "file-set.h"
+#include "filemode.h"
+#include "filenamecat.h"
+#include "force-link.h"
+#include "full-write.h"
+#include "hash.h"
+#include "hash-triple.h"
+#include "ignore-value.h"
+#include "ioblksize.h"
+#include "quote.h"
+#include "renameatu.h"
+#include "root-uid.h"
+#include "same.h"
+#include "savedir.h"
+#include "stat-size.h"
+#include "stat-time.h"
+#include "utimecmp.h"
+#include "utimens.h"
+#include "write-any-file.h"
+#include "areadlink.h"
+#include "yesno.h"
+#include "selinux.h"
+
+#if USE_XATTR
+# include <attr/error_context.h>
+# include <attr/libattr.h>
+# include <stdarg.h>
+# include "verror.h"
+#endif
+
+#if HAVE_LINUX_FALLOC_H
+# include <linux/falloc.h>
+#endif
+
+/* See HAVE_FALLOCATE workaround when including this file. */
+#ifdef HAVE_LINUX_FS_H
+# include <linux/fs.h>
+#endif
+
+#if !defined FICLONE && defined __linux__
+# define FICLONE _IOW (0x94, 9, int)
+#endif
+
+#ifndef HAVE_FCHOWN
+# define HAVE_FCHOWN false
+# define fchown(fd, uid, gid) (-1)
+#endif
+
+#ifndef HAVE_LCHOWN
+# define HAVE_LCHOWN false
+# define lchown(name, uid, gid) chown (name, uid, gid)
+#endif
+
+#ifndef HAVE_MKFIFO
+static int
+rpl_mkfifo (char const *file, mode_t mode)
+{
+ errno = ENOTSUP;
+ return -1;
+}
+# define mkfifo rpl_mkfifo
+#endif
+
+#ifndef USE_ACL
+# define USE_ACL 0
+#endif
+
+#define SAME_OWNER(A, B) ((A).st_uid == (B).st_uid)
+#define SAME_GROUP(A, B) ((A).st_gid == (B).st_gid)
+#define SAME_OWNER_AND_GROUP(A, B) (SAME_OWNER (A, B) && SAME_GROUP (A, B))
+
+/* LINK_FOLLOWS_SYMLINKS is tri-state; if it is -1, we don't know
+ how link() behaves, so assume we can't hardlink symlinks in that case. */
+#if (defined HAVE_LINKAT && ! LINKAT_SYMLINK_NOTSUP) || ! LINK_FOLLOWS_SYMLINKS
+# define CAN_HARDLINK_SYMLINKS 1
+#else
+# define CAN_HARDLINK_SYMLINKS 0
+#endif
+
+struct dir_list
+{
+ struct dir_list *parent;
+ ino_t ino;
+ dev_t dev;
+};
+
+/* Initial size of the cp.dest_info hash table. */
+#define DEST_INFO_INITIAL_CAPACITY 61
+
+static bool copy_internal (char const *src_name, char const *dst_name,
+ bool new_dst, struct stat const *parent,
+ struct dir_list *ancestors,
+ const struct cp_options *x,
+ bool command_line_arg,
+ bool *first_dir_created_per_command_line_arg,
+ bool *copy_into_self,
+ bool *rename_succeeded);
+static bool owner_failure_ok (struct cp_options const *x);
+
+/* Pointers to the file names: they're used in the diagnostic that is issued
+ when we detect the user is trying to copy a directory into itself. */
+static char const *top_level_src_name;
+static char const *top_level_dst_name;
+
+#ifndef DEV_FD_MIGHT_BE_CHR
+# define DEV_FD_MIGHT_BE_CHR false
+#endif
+
+/* Act like fstat (DIRFD, FILENAME, ST, FLAGS), except when following
+ symbolic links on Solaris-like systems, treat any character-special
+ device like /dev/fd/0 as if it were the file it is open on. */
+static int
+follow_fstatat (int dirfd, char const *filename, struct stat *st, int flags)
+{
+ int result = fstatat (dirfd, filename, st, flags);
+
+ if (DEV_FD_MIGHT_BE_CHR && result == 0 && !(flags & AT_SYMLINK_NOFOLLOW)
+ && S_ISCHR (st->st_mode))
+ {
+ static dev_t stdin_rdev;
+ static signed char stdin_rdev_status;
+ if (stdin_rdev_status == 0)
+ {
+ struct stat stdin_st;
+ if (stat ("/dev/stdin", &stdin_st) == 0 && S_ISCHR (stdin_st.st_mode)
+ && minor (stdin_st.st_rdev) == STDIN_FILENO)
+ {
+ stdin_rdev = stdin_st.st_rdev;
+ stdin_rdev_status = 1;
+ }
+ else
+ stdin_rdev_status = -1;
+ }
+ if (0 < stdin_rdev_status && major (stdin_rdev) == major (st->st_rdev))
+ result = fstat (minor (st->st_rdev), st);
+ }
+
+ return result;
+}
+
+/* Set the timestamp of symlink, FILE, to TIMESPEC.
+ If this system lacks support for that, simply return 0. */
+static inline int
+utimens_symlink (char const *file, struct timespec const *timespec)
+{
+ int err = lutimens (file, timespec);
+ /* When configuring on a system with new headers and libraries, and
+ running on one with a kernel that is old enough to lack the syscall,
+ utimensat fails with ENOSYS. Ignore that. */
+ if (err && errno == ENOSYS)
+ err = 0;
+ return err;
+}
+
+/* Attempt to punch a hole to avoid any permanent
+ speculative preallocation on file systems such as XFS.
+ Return values as per fallocate(2) except ENOSYS etc. are ignored. */
+
+static int
+punch_hole (int fd, off_t offset, off_t length)
+{
+ int ret = 0;
+/* +0 is to work around older <linux/fs.h> defining HAVE_FALLOCATE to empty. */
+#if HAVE_FALLOCATE + 0
+# if defined FALLOC_FL_PUNCH_HOLE && defined FALLOC_FL_KEEP_SIZE
+ ret = fallocate (fd, FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE,
+ offset, length);
+ if (ret < 0 && (is_ENOTSUP (errno) || errno == ENOSYS))
+ ret = 0;
+# endif
+#endif
+ return ret;
+}
+
+/* Create a hole at the end of a file,
+ avoiding preallocation if requested. */
+
+static bool
+create_hole (int fd, char const *name, bool punch_holes, off_t size)
+{
+ off_t file_end = lseek (fd, size, SEEK_CUR);
+
+ if (file_end < 0)
+ {
+ error (0, errno, _("cannot lseek %s"), quoteaf (name));
+ return false;
+ }
+
+ /* Some file systems (like XFS) preallocate when write extending a file.
+ I.e., a previous write() may have preallocated extra space
+ that the seek above will not discard. A subsequent write() could
+ then make this allocation permanent. */
+ if (punch_holes && punch_hole (fd, file_end - size, size) < 0)
+ {
+ error (0, errno, _("error deallocating %s"), quoteaf (name));
+ return false;
+ }
+
+ return true;
+}
+
+
+/* Copy the regular file open on SRC_FD/SRC_NAME to DST_FD/DST_NAME,
+ honoring the MAKE_HOLES setting and using the BUF_SIZE-byte buffer
+ BUF for temporary storage. Copy no more than MAX_N_READ bytes.
+ Return true upon successful completion;
+ print a diagnostic and return false upon error.
+ Note that for best results, BUF should be "well"-aligned.
+ BUF must have sizeof(uintptr_t)-1 bytes of additional space
+ beyond BUF[BUF_SIZE-1].
+ Set *LAST_WRITE_MADE_HOLE to true if the final operation on
+ DEST_FD introduced a hole. Set *TOTAL_N_READ to the number of
+ bytes read. */
+static bool
+sparse_copy (int src_fd, int dest_fd, char *buf, size_t buf_size,
+ size_t hole_size, bool punch_holes,
+ char const *src_name, char const *dst_name,
+ uintmax_t max_n_read, off_t *total_n_read,
+ bool *last_write_made_hole)
+{
+ *last_write_made_hole = false;
+ *total_n_read = 0;
+ bool make_hole = false;
+ off_t psize = 0;
+
+ while (max_n_read)
+ {
+ ssize_t n_read = read (src_fd, buf, MIN (max_n_read, buf_size));
+ if (n_read < 0)
+ {
+ if (errno == EINTR)
+ continue;
+ error (0, errno, _("error reading %s"), quoteaf (src_name));
+ return false;
+ }
+ if (n_read == 0)
+ break;
+ max_n_read -= n_read;
+ *total_n_read += n_read;
+
+ /* Loop over the input buffer in chunks of hole_size. */
+ size_t csize = hole_size ? hole_size : buf_size;
+ char *cbuf = buf;
+ char *pbuf = buf;
+
+ while (n_read)
+ {
+ bool prev_hole = make_hole;
+ csize = MIN (csize, n_read);
+
+ if (hole_size && csize)
+ make_hole = is_nul (cbuf, csize);
+
+ bool transition = (make_hole != prev_hole) && psize;
+ bool last_chunk = (n_read == csize && ! make_hole) || ! csize;
+
+ if (transition || last_chunk)
+ {
+ if (! transition)
+ psize += csize;
+
+ if (! prev_hole)
+ {
+ if (full_write (dest_fd, pbuf, psize) != psize)
+ {
+ error (0, errno, _("error writing %s"),
+ quoteaf (dst_name));
+ return false;
+ }
+ }
+ else
+ {
+ if (! create_hole (dest_fd, dst_name, punch_holes, psize))
+ return false;
+ }
+
+ pbuf = cbuf;
+ psize = csize;
+
+ if (last_chunk)
+ {
+ if (! csize)
+ n_read = 0; /* Finished processing buffer. */
+
+ if (transition)
+ csize = 0; /* Loop again to deal with last chunk. */
+ else
+ psize = 0; /* Reset for next read loop. */
+ }
+ }
+ else /* Coalesce writes/seeks. */
+ {
+ if (INT_ADD_WRAPV (psize, csize, &psize))
+ {
+ error (0, 0, _("overflow reading %s"), quoteaf (src_name));
+ return false;
+ }
+ }
+
+ n_read -= csize;
+ cbuf += csize;
+ }
+
+ *last_write_made_hole = make_hole;
+
+ /* It's tempting to break early here upon a short read from
+ a regular file. That would save the final read syscall
+ for each file. Unfortunately that doesn't work for
+ certain files in /proc or /sys with linux kernels. */
+ }
+
+ /* Ensure a trailing hole is created, so that subsequent
+ calls of sparse_copy() start at the correct offset. */
+ if (make_hole && ! create_hole (dest_fd, dst_name, punch_holes, psize))
+ return false;
+ else
+ return true;
+}
+
+/* Perform the O(1) btrfs clone operation, if possible.
+ Upon success, return 0. Otherwise, return -1 and set errno. */
+static inline int
+clone_file (int dest_fd, int src_fd)
+{
+#ifdef FICLONE
+ return ioctl (dest_fd, FICLONE, src_fd);
+#else
+ (void) dest_fd;
+ (void) src_fd;
+ errno = ENOTSUP;
+ return -1;
+#endif
+}
+
+/* Write N_BYTES zero bytes to file descriptor FD. Return true if successful.
+ Upon write failure, set errno and return false. */
+static bool
+write_zeros (int fd, off_t n_bytes)
+{
+ static char *zeros;
+ static size_t nz = IO_BUFSIZE;
+
+ /* Attempt to use a relatively large calloc'd source buffer for
+ efficiency, but if that allocation fails, resort to a smaller
+ statically allocated one. */
+ if (zeros == NULL)
+ {
+ static char fallback[1024];
+ zeros = calloc (nz, 1);
+ if (zeros == NULL)
+ {
+ zeros = fallback;
+ nz = sizeof fallback;
+ }
+ }
+
+ while (n_bytes)
+ {
+ size_t n = MIN (nz, n_bytes);
+ if ((full_write (fd, zeros, n)) != n)
+ return false;
+ n_bytes -= n;
+ }
+
+ return true;
+}
+
+/* Perform an efficient extent copy, if possible. This avoids
+ the overhead of detecting holes in hole-introducing/preserving
+ copy, and thus makes copying sparse files much more efficient.
+ Upon a successful copy, return true. If the initial extent scan
+ fails, set *NORMAL_COPY_REQUIRED to true and return false.
+ Upon any other failure, set *NORMAL_COPY_REQUIRED to false and
+ return false. */
+static bool
+extent_copy (int src_fd, int dest_fd, char *buf, size_t buf_size,
+ size_t hole_size, off_t src_total_size,
+ enum Sparse_type sparse_mode,
+ char const *src_name, char const *dst_name,
+ bool *require_normal_copy)
+{
+ struct extent_scan scan;
+ off_t last_ext_start = 0;
+ off_t last_ext_len = 0;
+
+ /* Keep track of the output position.
+ We may need this at the end, for a final ftruncate. */
+ off_t dest_pos = 0;
+
+ extent_scan_init (src_fd, &scan);
+
+ *require_normal_copy = false;
+ bool wrote_hole_at_eof = true;
+ do
+ {
+ bool ok = extent_scan_read (&scan);
+ if (! ok)
+ {
+ if (scan.hit_final_extent)
+ break;
+
+ if (scan.initial_scan_failed)
+ {
+ *require_normal_copy = true;
+ return false;
+ }
+
+ error (0, errno, _("%s: failed to get extents info"),
+ quotef (src_name));
+ return false;
+ }
+
+ bool empty_extent = false;
+ for (unsigned int i = 0; i < scan.ei_count || empty_extent; i++)
+ {
+ off_t ext_start;
+ off_t ext_len;
+ off_t ext_hole_size;
+
+ if (i < scan.ei_count)
+ {
+ ext_start = scan.ext_info[i].ext_logical;
+ ext_len = scan.ext_info[i].ext_length;
+ }
+ else /* empty extent at EOF. */
+ {
+ i--;
+ ext_start = last_ext_start + scan.ext_info[i].ext_length;
+ ext_len = 0;
+ }
+
+ /* Truncate extent to EOF. Extents starting after EOF are
+ treated as zero length extents starting right after EOF.
+ Generally this will trigger with an extent starting after
+ src_total_size, and result in creating a hole or zeros until EOF.
+ Though in a file in which extents have changed since src_total_size
+ was determined, we might have an extent spanning that size,
+ in which case we'll only copy data up to that size. */
+ if (src_total_size < ext_start + ext_len)
+ {
+ if (src_total_size < ext_start)
+ ext_start = src_total_size;
+ ext_len = src_total_size - ext_start;
+ }
+
+ ext_hole_size = ext_start - last_ext_start - last_ext_len;
+
+ wrote_hole_at_eof = false;
+
+ if (ext_hole_size)
+ {
+ if (lseek (src_fd, ext_start, SEEK_SET) < 0)
+ {
+ error (0, errno, _("cannot lseek %s"), quoteaf (src_name));
+ fail:
+ extent_scan_free (&scan);
+ return false;
+ }
+
+ if ((empty_extent && sparse_mode == SPARSE_ALWAYS)
+ || (!empty_extent && sparse_mode != SPARSE_NEVER))
+ {
+ if (! create_hole (dest_fd, dst_name,
+ sparse_mode == SPARSE_ALWAYS,
+ ext_hole_size))
+ goto fail;
+ wrote_hole_at_eof = true;
+ }
+ else
+ {
+ /* When not inducing holes and when there is a hole between
+ the end of the previous extent and the beginning of the
+ current one, write zeros to the destination file. */
+ off_t nzeros = ext_hole_size;
+ if (empty_extent)
+ nzeros = MIN (src_total_size - dest_pos, ext_hole_size);
+
+ if (! write_zeros (dest_fd, nzeros))
+ {
+ error (0, errno, _("%s: write failed"),
+ quotef (dst_name));
+ goto fail;
+ }
+
+ dest_pos = MIN (src_total_size, ext_start);
+ }
+ }
+
+ last_ext_start = ext_start;
+
+ /* Treat an unwritten but allocated extent much like a hole.
+ I.e., don't read, but don't convert to a hole in the destination,
+ unless SPARSE_ALWAYS. */
+ /* For now, do not treat FIEMAP_EXTENT_UNWRITTEN specially,
+ because that (in combination with no sync) would lead to data
+ loss at least on XFS and ext4 when using 2.6.39-rc3 kernels. */
+ if (0 && (scan.ext_info[i].ext_flags & FIEMAP_EXTENT_UNWRITTEN))
+ {
+ empty_extent = true;
+ last_ext_len = 0;
+ if (ext_len == 0) /* The last extent is empty and processed. */
+ empty_extent = false;
+ }
+ else
+ {
+ off_t n_read;
+ empty_extent = false;
+ last_ext_len = ext_len;
+ bool read_hole;
+
+ if ( ! sparse_copy (src_fd, dest_fd, buf, buf_size,
+ sparse_mode == SPARSE_ALWAYS ? hole_size: 0,
+ true, src_name, dst_name, ext_len, &n_read,
+ &read_hole))
+ goto fail;
+
+ dest_pos = ext_start + n_read;
+ if (n_read)
+ wrote_hole_at_eof = read_hole;
+ }
+
+ /* If the file ends with unwritten extents not accounted for in the
+ size, then skip processing them, and the associated redundant
+ read() calls which will always return 0. We will need to
+ remove this when we add fallocate() so that we can maintain
+ extents beyond the apparent size. */
+ if (dest_pos == src_total_size)
+ {
+ scan.hit_final_extent = true;
+ break;
+ }
+ }
+
+ /* Release the space allocated to scan->ext_info. */
+ extent_scan_free (&scan);
+
+ }
+ while (! scan.hit_final_extent);
+
+ /* When the source file ends with a hole, we have to do a little more work,
+ since the above copied only up to and including the final extent.
+ In order to complete the copy, we may have to insert a hole or write
+ zeros in the destination corresponding to the source file's hole-at-EOF.
+
+ In addition, if the final extent was a block of zeros at EOF and we've
+ just converted them to a hole in the destination, we must call ftruncate
+ here in order to record the proper length in the destination. */
+ if ((dest_pos < src_total_size || wrote_hole_at_eof)
+ && (sparse_mode != SPARSE_NEVER
+ ? ftruncate (dest_fd, src_total_size)
+ : ! write_zeros (dest_fd, src_total_size - dest_pos)))
+ {
+ error (0, errno, _("failed to extend %s"), quoteaf (dst_name));
+ return false;
+ }
+
+ if (sparse_mode == SPARSE_ALWAYS && dest_pos < src_total_size
+ && punch_hole (dest_fd, dest_pos, src_total_size - dest_pos) < 0)
+ {
+ error (0, errno, _("error deallocating %s"), quoteaf (dst_name));
+ return false;
+ }
+
+ return true;
+}
+
+/* FIXME: describe */
+/* FIXME: rewrite this to use a hash table so we avoid the quadratic
+ performance hit that's probably noticeable only on trees deeper
+ than a few hundred levels. See use of active_dir_map in remove.c */
+
+static bool _GL_ATTRIBUTE_PURE
+is_ancestor (const struct stat *sb, const struct dir_list *ancestors)
+{
+ while (ancestors != 0)
+ {
+ if (ancestors->ino == sb->st_ino && ancestors->dev == sb->st_dev)
+ return true;
+ ancestors = ancestors->parent;
+ }
+ return false;
+}
+
+static bool
+errno_unsupported (int err)
+{
+ return err == ENOTSUP || err == ENODATA;
+}
+
+#if USE_XATTR
+static void
+copy_attr_error (struct error_context *ctx _GL_UNUSED,
+ char const *fmt, ...)
+{
+ if (!errno_unsupported (errno))
+ {
+ int err = errno;
+ va_list ap;
+
+ /* use verror module to print error message */
+ va_start (ap, fmt);
+ verror (0, err, fmt, ap);
+ va_end (ap);
+ }
+}
+
+static void
+copy_attr_allerror (struct error_context *ctx _GL_UNUSED,
+ char const *fmt, ...)
+{
+ int err = errno;
+ va_list ap;
+
+ /* use verror module to print error message */
+ va_start (ap, fmt);
+ verror (0, err, fmt, ap);
+ va_end (ap);
+}
+
+static char const *
+copy_attr_quote (struct error_context *ctx _GL_UNUSED, char const *str)
+{
+ return quoteaf (str);
+}
+
+static void
+copy_attr_free (struct error_context *ctx _GL_UNUSED,
+ char const *str _GL_UNUSED)
+{
+}
+
+/* Exclude SELinux extended attributes that are otherwise handled,
+ and are problematic to copy again. Also honor attributes
+ configured for exclusion in /etc/xattr.conf.
+ FIXME: Should we handle POSIX ACLs similarly?
+ Return zero to skip. */
+static int
+check_selinux_attr (const char *name, struct error_context *ctx)
+{
+ return STRNCMP_LIT (name, "security.selinux")
+ && attr_copy_check_permissions (name, ctx);
+}
+
+/* If positive SRC_FD and DST_FD descriptors are passed,
+ then copy by fd, otherwise copy by name. */
+
+static bool
+copy_attr (char const *src_path, int src_fd,
+ char const *dst_path, int dst_fd, struct cp_options const *x)
+{
+ int ret;
+ bool all_errors = (!x->data_copy_required || x->require_preserve_xattr);
+ bool some_errors = (!all_errors && !x->reduce_diagnostics);
+ bool selinux_done = (x->preserve_security_context || x->set_security_context);
+ struct error_context ctx =
+ {
+ .error = all_errors ? copy_attr_allerror : copy_attr_error,
+ .quote = copy_attr_quote,
+ .quote_free = copy_attr_free
+ };
+ if (0 <= src_fd && 0 <= dst_fd)
+ ret = attr_copy_fd (src_path, src_fd, dst_path, dst_fd,
+ selinux_done ? check_selinux_attr : NULL,
+ (all_errors || some_errors ? &ctx : NULL));
+ else
+ ret = attr_copy_file (src_path, dst_path,
+ selinux_done ? check_selinux_attr : NULL,
+ (all_errors || some_errors ? &ctx : NULL));
+
+ return ret == 0;
+}
+#else /* USE_XATTR */
+
+static bool
+copy_attr (char const *src_path _GL_UNUSED,
+ int src_fd _GL_UNUSED,
+ char const *dst_path _GL_UNUSED,
+ int dst_fd _GL_UNUSED,
+ struct cp_options const *x _GL_UNUSED)
+{
+ return true;
+}
+#endif /* USE_XATTR */
+
+/* Read the contents of the directory SRC_NAME_IN, and recursively
+ copy the contents to DST_NAME_IN. NEW_DST is true if
+ DST_NAME_IN is a directory that was created previously in the
+ recursion. SRC_SB and ANCESTORS describe SRC_NAME_IN.
+ Set *COPY_INTO_SELF if SRC_NAME_IN is a parent of
+ (or the same as) DST_NAME_IN; otherwise, clear it.
+ Propagate *FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG from
+ caller to each invocation of copy_internal. Be careful to
+ pass the address of a temporary, and to update
+ *FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG only upon completion.
+ Return true if successful. */
+
+static bool
+copy_dir (char const *src_name_in, char const *dst_name_in, bool new_dst,
+ const struct stat *src_sb, struct dir_list *ancestors,
+ const struct cp_options *x,
+ bool *first_dir_created_per_command_line_arg,
+ bool *copy_into_self)
+{
+ char *name_space;
+ char *namep;
+ struct cp_options non_command_line_options = *x;
+ bool ok = true;
+
+ name_space = savedir (src_name_in, SAVEDIR_SORT_FASTREAD);
+ if (name_space == NULL)
+ {
+ /* This diagnostic is a bit vague because savedir can fail in
+ several different ways. */
+ error (0, errno, _("cannot access %s"), quoteaf (src_name_in));
+ return false;
+ }
+
+ /* For cp's -H option, dereference command line arguments, but do not
+ dereference symlinks that are found via recursive traversal. */
+ if (x->dereference == DEREF_COMMAND_LINE_ARGUMENTS)
+ non_command_line_options.dereference = DEREF_NEVER;
+
+ bool new_first_dir_created = false;
+ namep = name_space;
+ while (*namep != '\0')
+ {
+ bool local_copy_into_self;
+ char *src_name = file_name_concat (src_name_in, namep, NULL);
+ char *dst_name = file_name_concat (dst_name_in, namep, NULL);
+ bool first_dir_created = *first_dir_created_per_command_line_arg;
+
+ ok &= copy_internal (src_name, dst_name, new_dst, src_sb,
+ ancestors, &non_command_line_options, false,
+ &first_dir_created,
+ &local_copy_into_self, NULL);
+ *copy_into_self |= local_copy_into_self;
+
+ free (dst_name);
+ free (src_name);
+
+ /* If we're copying into self, there's no point in continuing,
+ and in fact, that would even infloop, now that we record only
+ the first created directory per command line argument. */
+ if (local_copy_into_self)
+ break;
+
+ new_first_dir_created |= first_dir_created;
+ namep += strlen (namep) + 1;
+ }
+ free (name_space);
+ *first_dir_created_per_command_line_arg = new_first_dir_created;
+
+ return ok;
+}
+
+/* Set the owner and owning group of DEST_DESC to the st_uid and
+ st_gid fields of SRC_SB. If DEST_DESC is undefined (-1), set
+ the owner and owning group of DST_NAME instead; for
+ safety prefer lchown if the system supports it since no
+ symbolic links should be involved. DEST_DESC must
+ refer to the same file as DEST_NAME if defined.
+ Upon failure to set both UID and GID, try to set only the GID.
+ NEW_DST is true if the file was newly created; otherwise,
+ DST_SB is the status of the destination.
+ Return 1 if the initial syscall succeeds, 0 if it fails but it's OK
+ not to preserve ownership, -1 otherwise. */
+
+static int
+set_owner (const struct cp_options *x, char const *dst_name, int dest_desc,
+ struct stat const *src_sb, bool new_dst,
+ struct stat const *dst_sb)
+{
+ uid_t uid = src_sb->st_uid;
+ gid_t gid = src_sb->st_gid;
+
+ /* Naively changing the ownership of an already-existing file before
+ changing its permissions would create a window of vulnerability if
+ the file's old permissions are too generous for the new owner and
+ group. Avoid the window by first changing to a restrictive
+ temporary mode if necessary. */
+
+ if (!new_dst && (x->preserve_mode || x->move_mode || x->set_mode))
+ {
+ mode_t old_mode = dst_sb->st_mode;
+ mode_t new_mode =
+ (x->preserve_mode || x->move_mode ? src_sb->st_mode : x->mode);
+ mode_t restrictive_temp_mode = old_mode & new_mode & S_IRWXU;
+
+ if ((USE_ACL
+ || (old_mode & CHMOD_MODE_BITS
+ & (~new_mode | S_ISUID | S_ISGID | S_ISVTX)))
+ && qset_acl (dst_name, dest_desc, restrictive_temp_mode) != 0)
+ {
+ if (! owner_failure_ok (x))
+ error (0, errno, _("clearing permissions for %s"),
+ quoteaf (dst_name));
+ return -x->require_preserve;
+ }
+ }
+
+ if (HAVE_FCHOWN && dest_desc != -1)
+ {
+ if (fchown (dest_desc, uid, gid) == 0)
+ return 1;
+ if (errno == EPERM || errno == EINVAL)
+ {
+ /* We've failed to set *both*. Now, try to set just the group
+ ID, but ignore any failure here, and don't change errno. */
+ int saved_errno = errno;
+ ignore_value (fchown (dest_desc, -1, gid));
+ errno = saved_errno;
+ }
+ }
+ else
+ {
+ if (lchown (dst_name, uid, gid) == 0)
+ return 1;
+ if (errno == EPERM || errno == EINVAL)
+ {
+ /* We've failed to set *both*. Now, try to set just the group
+ ID, but ignore any failure here, and don't change errno. */
+ int saved_errno = errno;
+ ignore_value (lchown (dst_name, -1, gid));
+ errno = saved_errno;
+ }
+ }
+
+ if (! chown_failure_ok (x))
+ {
+ error (0, errno, _("failed to preserve ownership for %s"),
+ quoteaf (dst_name));
+ if (x->require_preserve)
+ return -1;
+ }
+
+ return 0;
+}
+
+/* Set the st_author field of DEST_DESC to the st_author field of
+ SRC_SB. If DEST_DESC is undefined (-1), set the st_author field
+ of DST_NAME instead. DEST_DESC must refer to the same file as
+ DEST_NAME if defined. */
+
+static void
+set_author (const char *dst_name, int dest_desc, const struct stat *src_sb)
+{
+#if HAVE_STRUCT_STAT_ST_AUTHOR
+ /* FIXME: Modify the following code so that it does not
+ follow symbolic links. */
+
+ /* Preserve the st_author field. */
+ file_t file = (dest_desc < 0
+ ? file_name_lookup (dst_name, 0, 0)
+ : getdport (dest_desc));
+ if (file == MACH_PORT_NULL)
+ error (0, errno, _("failed to lookup file %s"), quoteaf (dst_name));
+ else
+ {
+ error_t err = file_chauthor (file, src_sb->st_author);
+ if (err)
+ error (0, err, _("failed to preserve authorship for %s"),
+ quoteaf (dst_name));
+ mach_port_deallocate (mach_task_self (), file);
+ }
+#else
+ (void) dst_name;
+ (void) dest_desc;
+ (void) src_sb;
+#endif
+}
+
+/* Set the default security context for the process. New files will
+ have this security context set. Also existing files can have their
+ context adjusted based on this process context, by
+ set_file_security_ctx() called with PROCESS_LOCAL=true.
+ This should be called before files are created so there is no race
+ where a file may be present without an appropriate security context.
+ Based on CP_OPTIONS, diagnose warnings and fail when appropriate.
+ Return FALSE on failure, TRUE on success. */
+
+bool
+set_process_security_ctx (char const *src_name, char const *dst_name,
+ mode_t mode, bool new_dst, const struct cp_options *x)
+{
+ if (x->preserve_security_context)
+ {
+ /* Set the default context for the process to match the source. */
+ bool all_errors = !x->data_copy_required || x->require_preserve_context;
+ bool some_errors = !all_errors && !x->reduce_diagnostics;
+ char *con;
+
+ if (0 <= lgetfilecon (src_name, &con))
+ {
+ if (setfscreatecon (con) < 0)
+ {
+ if (all_errors || (some_errors && !errno_unsupported (errno)))
+ error (0, errno,
+ _("failed to set default file creation context to %s"),
+ quote (con));
+ if (x->require_preserve_context)
+ {
+ freecon (con);
+ return false;
+ }
+ }
+ freecon (con);
+ }
+ else
+ {
+ if (all_errors || (some_errors && !errno_unsupported (errno)))
+ {
+ error (0, errno,
+ _("failed to get security context of %s"),
+ quoteaf (src_name));
+ }
+ if (x->require_preserve_context)
+ return false;
+ }
+ }
+ else if (x->set_security_context)
+ {
+ /* With -Z, adjust the default context for the process
+ to have the type component adjusted as per the destination path. */
+ if (new_dst && defaultcon (dst_name, mode) < 0
+ && ! ignorable_ctx_err (errno))
+ {
+ error (0, errno,
+ _("failed to set default file creation context for %s"),
+ quoteaf (dst_name));
+ }
+ }
+
+ return true;
+}
+
+/* Reset the security context of DST_NAME, to that already set
+ as the process default if PROCESS_LOCAL is true. Otherwise
+ adjust the type component of DST_NAME's security context as
+ per the system default for that path. Issue warnings upon
+ failure, when allowed by various settings in CP_OPTIONS.
+ Return FALSE on failure, TRUE on success. */
+
+bool
+set_file_security_ctx (char const *dst_name, bool process_local,
+ bool recurse, const struct cp_options *x)
+{
+ bool all_errors = (!x->data_copy_required
+ || x->require_preserve_context);
+ bool some_errors = !all_errors && !x->reduce_diagnostics;
+
+ if (! restorecon (dst_name, recurse, process_local))
+ {
+ if (all_errors || (some_errors && !errno_unsupported (errno)))
+ error (0, errno, _("failed to set the security context of %s"),
+ quoteaf_n (0, dst_name));
+ return false;
+ }
+
+ return true;
+}
+
+/* Change the file mode bits of the file identified by DESC or NAME to MODE.
+ Use DESC if DESC is valid and fchmod is available, NAME otherwise. */
+
+static int
+fchmod_or_lchmod (int desc, char const *name, mode_t mode)
+{
+#if HAVE_FCHMOD
+ if (0 <= desc)
+ return fchmod (desc, mode);
+#endif
+ return lchmod (name, mode);
+}
+
+#ifndef HAVE_STRUCT_STAT_ST_BLOCKS
+# define HAVE_STRUCT_STAT_ST_BLOCKS 0
+#endif
+
+/* Use a heuristic to determine whether stat buffer SB comes from a file
+ with sparse blocks. If the file has fewer blocks than would normally
+ be needed for a file of its size, then at least one of the blocks in
+ the file is a hole. In that case, return true. */
+static bool
+is_probably_sparse (struct stat const *sb)
+{
+ return (HAVE_STRUCT_STAT_ST_BLOCKS
+ && S_ISREG (sb->st_mode)
+ && ST_NBLOCKS (*sb) < sb->st_size / ST_NBLOCKSIZE);
+}
+
+
+/* Copy a regular file from SRC_NAME to DST_NAME.
+ If the source file contains holes, copies holes and blocks of zeros
+ in the source file as holes in the destination file.
+ (Holes are read as zeroes by the 'read' system call.)
+ When creating the destination, use DST_MODE & ~OMITTED_PERMISSIONS
+ as the third argument in the call to open, adding
+ OMITTED_PERMISSIONS after copying as needed.
+ X provides many option settings.
+ Return true if successful.
+ *NEW_DST is as in copy_internal.
+ SRC_SB is the result of calling follow_fstatat on SRC_NAME. */
+
+static bool
+copy_reg (char const *src_name, char const *dst_name,
+ const struct cp_options *x,
+ mode_t dst_mode, mode_t omitted_permissions, bool *new_dst,
+ struct stat const *src_sb)
+{
+ char *buf;
+ char *buf_alloc = NULL;
+ char *name_alloc = NULL;
+ int dest_desc;
+ int dest_errno;
+ int source_desc;
+ mode_t src_mode = src_sb->st_mode;
+ struct stat sb;
+ struct stat src_open_sb;
+ bool return_val = true;
+ bool data_copy_required = x->data_copy_required;
+
+ source_desc = open (src_name,
+ (O_RDONLY | O_BINARY
+ | (x->dereference == DEREF_NEVER ? O_NOFOLLOW : 0)));
+ if (source_desc < 0)
+ {
+ error (0, errno, _("cannot open %s for reading"), quoteaf (src_name));
+ return false;
+ }
+
+ if (fstat (source_desc, &src_open_sb) != 0)
+ {
+ error (0, errno, _("cannot fstat %s"), quoteaf (src_name));
+ return_val = false;
+ goto close_src_desc;
+ }
+
+ /* Compare the source dev/ino from the open file to the incoming,
+ saved ones obtained via a previous call to stat. */
+ if (! SAME_INODE (*src_sb, src_open_sb))
+ {
+ error (0, 0,
+ _("skipping file %s, as it was replaced while being copied"),
+ quoteaf (src_name));
+ return_val = false;
+ goto close_src_desc;
+ }
+
+ /* The semantics of the following open calls are mandated
+ by the specs for both cp and mv. */
+ if (! *new_dst)
+ {
+ int open_flags =
+ O_WRONLY | O_BINARY | (x->data_copy_required ? O_TRUNC : 0);
+ dest_desc = open (dst_name, open_flags);
+ dest_errno = errno;
+
+ /* When using cp --preserve=context to copy to an existing destination,
+ reset the context as per the default context, which has already been
+ set according to the src.
+ When using the mutually exclusive -Z option, then adjust the type of
+ the existing context according to the system default for the dest.
+ Note we set the context here, _after_ the file is opened, lest the
+ new context disallow that. */
+ if ((x->set_security_context || x->preserve_security_context)
+ && 0 <= dest_desc)
+ {
+ if (! set_file_security_ctx (dst_name, x->preserve_security_context,
+ false, x))
+ {
+ if (x->require_preserve_context)
+ {
+ return_val = false;
+ goto close_src_and_dst_desc;
+ }
+ }
+ }
+
+ if (dest_desc < 0 && x->unlink_dest_after_failed_open)
+ {
+ if (unlink (dst_name) != 0)
+ {
+ error (0, errno, _("cannot remove %s"), quoteaf (dst_name));
+ return_val = false;
+ goto close_src_desc;
+ }
+ if (x->verbose)
+ printf (_("removed %s\n"), quoteaf (dst_name));
+
+ /* Tell caller that the destination file was unlinked. */
+ *new_dst = true;
+
+ /* Ensure there is no race where a file may be left without
+ an appropriate security context. */
+ if (x->set_security_context)
+ {
+ if (! set_process_security_ctx (src_name, dst_name, dst_mode,
+ *new_dst, x))
+ {
+ return_val = false;
+ goto close_src_desc;
+ }
+ }
+ }
+ }
+
+ if (*new_dst)
+ {
+ open_with_O_CREAT:;
+
+ int open_flags = O_WRONLY | O_CREAT | O_BINARY;
+ dest_desc = open (dst_name, open_flags | O_EXCL,
+ dst_mode & ~omitted_permissions);
+ dest_errno = errno;
+
+ /* When trying to copy through a dangling destination symlink,
+ the above open fails with EEXIST. If that happens, and
+ lstat'ing the DST_NAME shows that it is a symlink, then we
+ have a problem: trying to resolve this dangling symlink to
+ a directory/destination-entry pair is fundamentally racy,
+ so punt. If x->open_dangling_dest_symlink is set (cp sets
+ that when POSIXLY_CORRECT is set in the environment), simply
+ call open again, but without O_EXCL (potentially dangerous).
+ If not, fail with a diagnostic. These shenanigans are necessary
+ only when copying, i.e., not in move_mode. */
+ if (dest_desc < 0 && dest_errno == EEXIST && ! x->move_mode)
+ {
+ struct stat dangling_link_sb;
+ if (lstat (dst_name, &dangling_link_sb) == 0
+ && S_ISLNK (dangling_link_sb.st_mode))
+ {
+ if (x->open_dangling_dest_symlink)
+ {
+ dest_desc = open (dst_name, open_flags,
+ dst_mode & ~omitted_permissions);
+ dest_errno = errno;
+ }
+ else
+ {
+ error (0, 0, _("not writing through dangling symlink %s"),
+ quoteaf (dst_name));
+ return_val = false;
+ goto close_src_desc;
+ }
+ }
+ }
+
+ /* Improve quality of diagnostic when a nonexistent dst_name
+ ends in a slash and open fails with errno == EISDIR. */
+ if (dest_desc < 0 && dest_errno == EISDIR
+ && *dst_name && dst_name[strlen (dst_name) - 1] == '/')
+ dest_errno = ENOTDIR;
+ }
+ else
+ {
+ omitted_permissions = 0;
+ }
+
+ if (dest_desc < 0)
+ {
+ /* If we've just failed due to ENOENT for an ostensibly preexisting
+ destination (*new_dst was 0), that's a bit of a contradiction/race:
+ the prior stat/lstat said the file existed (*new_dst was 0), yet
+ the subsequent open-existing-file failed with ENOENT. With NFS,
+ the race window is wider still, since its meta-data caching tends
+ to make the stat succeed for a just-removed remote file, while the
+ more-definitive initial open call will fail with ENOENT. When this
+ situation arises, we attempt to open again, but this time with
+ O_CREAT. Do this only when not in move-mode, since when handling
+ a cross-device move, we must never open an existing destination. */
+ if (dest_errno == ENOENT && ! *new_dst && ! x->move_mode)
+ {
+ *new_dst = 1;
+ goto open_with_O_CREAT;
+ }
+
+ /* Otherwise, it's an error. */
+ error (0, dest_errno, _("cannot create regular file %s"),
+ quoteaf (dst_name));
+ return_val = false;
+ goto close_src_desc;
+ }
+
+ if (fstat (dest_desc, &sb) != 0)
+ {
+ error (0, errno, _("cannot fstat %s"), quoteaf (dst_name));
+ return_val = false;
+ goto close_src_and_dst_desc;
+ }
+
+ /* --attributes-only overrides --reflink. */
+ if (data_copy_required && x->reflink_mode)
+ {
+ bool clone_ok = clone_file (dest_desc, source_desc) == 0;
+ if (clone_ok || x->reflink_mode == REFLINK_ALWAYS)
+ {
+ if (!clone_ok)
+ {
+ error (0, errno, _("failed to clone %s from %s"),
+ quoteaf_n (0, dst_name), quoteaf_n (1, src_name));
+ return_val = false;
+ goto close_src_and_dst_desc;
+ }
+ data_copy_required = false;
+ }
+ }
+
+ if (data_copy_required)
+ {
+ /* Choose a suitable buffer size; it may be adjusted later. */
+ size_t buf_alignment = getpagesize ();
+ size_t buf_size = io_blksize (sb);
+ size_t hole_size = ST_BLKSIZE (sb);
+
+ fdadvise (source_desc, 0, 0, FADVISE_SEQUENTIAL);
+
+ /* Deal with sparse files. */
+ bool make_holes = false;
+ bool sparse_src = is_probably_sparse (&src_open_sb);
+
+ if (S_ISREG (sb.st_mode))
+ {
+ /* Even with --sparse=always, try to create holes only
+ if the destination is a regular file. */
+ if (x->sparse_mode == SPARSE_ALWAYS)
+ make_holes = true;
+
+ /* Use a heuristic to determine whether SRC_NAME contains any sparse
+ blocks. If the file has fewer blocks than would normally be
+ needed for a file of its size, then at least one of the blocks in
+ the file is a hole. */
+ if (x->sparse_mode == SPARSE_AUTO && sparse_src)
+ make_holes = true;
+ }
+
+ /* If not making a sparse file, try to use a more-efficient
+ buffer size. */
+ if (! make_holes)
+ {
+ /* Compute the least common multiple of the input and output
+ buffer sizes, adjusting for outlandish values. */
+ size_t blcm_max = MIN (SIZE_MAX, SSIZE_MAX) - buf_alignment;
+ size_t blcm = buffer_lcm (io_blksize (src_open_sb), buf_size,
+ blcm_max);
+
+ /* Do not bother with a buffer larger than the input file, plus one
+ byte to make sure the file has not grown while reading it. */
+ if (S_ISREG (src_open_sb.st_mode) && src_open_sb.st_size < buf_size)
+ buf_size = src_open_sb.st_size + 1;
+
+ /* However, stick with a block size that is a positive multiple of
+ blcm, overriding the above adjustments. Watch out for
+ overflow. */
+ buf_size += blcm - 1;
+ buf_size -= buf_size % blcm;
+ if (buf_size == 0 || blcm_max < buf_size)
+ buf_size = blcm;
+ }
+
+ buf_alloc = xmalloc (buf_size + buf_alignment);
+ buf = ptr_align (buf_alloc, buf_alignment);
+
+ if (sparse_src)
+ {
+ bool normal_copy_required;
+
+ /* Perform an efficient extent-based copy, falling back to the
+ standard copy only if the initial extent scan fails. If the
+ '--sparse=never' option is specified, write all data but use
+ any extents to read more efficiently. */
+ if (extent_copy (source_desc, dest_desc, buf, buf_size, hole_size,
+ src_open_sb.st_size,
+ make_holes ? x->sparse_mode : SPARSE_NEVER,
+ src_name, dst_name, &normal_copy_required))
+ goto preserve_metadata;
+
+ if (! normal_copy_required)
+ {
+ return_val = false;
+ goto close_src_and_dst_desc;
+ }
+ }
+
+ off_t n_read;
+ bool wrote_hole_at_eof;
+ if (! sparse_copy (source_desc, dest_desc, buf, buf_size,
+ make_holes ? hole_size : 0,
+ x->sparse_mode == SPARSE_ALWAYS, src_name, dst_name,
+ UINTMAX_MAX, &n_read,
+ &wrote_hole_at_eof))
+ {
+ return_val = false;
+ goto close_src_and_dst_desc;
+ }
+ else if (wrote_hole_at_eof && ftruncate (dest_desc, n_read) < 0)
+ {
+ error (0, errno, _("failed to extend %s"), quoteaf (dst_name));
+ return_val = false;
+ goto close_src_and_dst_desc;
+ }
+ }
+
+preserve_metadata:
+ if (x->preserve_timestamps)
+ {
+ struct timespec timespec[2];
+ timespec[0] = get_stat_atime (src_sb);
+ timespec[1] = get_stat_mtime (src_sb);
+
+ if (fdutimens (dest_desc, dst_name, timespec) != 0)
+ {
+ error (0, errno, _("preserving times for %s"), quoteaf (dst_name));
+ if (x->require_preserve)
+ {
+ return_val = false;
+ goto close_src_and_dst_desc;
+ }
+ }
+ }
+
+ /* Set ownership before xattrs as changing owners will
+ clear capabilities. */
+ if (x->preserve_ownership && ! SAME_OWNER_AND_GROUP (*src_sb, sb))
+ {
+ switch (set_owner (x, dst_name, dest_desc, src_sb, *new_dst, &sb))
+ {
+ case -1:
+ return_val = false;
+ goto close_src_and_dst_desc;
+
+ case 0:
+ src_mode &= ~ (S_ISUID | S_ISGID | S_ISVTX);
+ break;
+ }
+ }
+
+ /* To allow copying xattrs on read-only files, temporarily chmod u+rw.
+ This workaround is required as an inode permission check is done
+ by xattr_permission() in fs/xattr.c of the GNU/Linux kernel tree. */
+ if (x->preserve_xattr)
+ {
+ bool access_changed = false;
+
+ if (!(sb.st_mode & S_IWUSR) && geteuid () != ROOT_UID)
+ {
+ access_changed = fchmod_or_lchmod (dest_desc, dst_name,
+ S_IRUSR | S_IWUSR) == 0;
+ }
+
+ if (!copy_attr (src_name, source_desc, dst_name, dest_desc, x)
+ && x->require_preserve_xattr)
+ return_val = false;
+
+ if (access_changed)
+ fchmod_or_lchmod (dest_desc, dst_name, dst_mode & ~omitted_permissions);
+ }
+
+ set_author (dst_name, dest_desc, src_sb);
+
+ if (x->preserve_mode || x->move_mode)
+ {
+ if (copy_acl (src_name, source_desc, dst_name, dest_desc, src_mode) != 0
+ && x->require_preserve)
+ return_val = false;
+ }
+ else if (x->set_mode)
+ {
+ if (set_acl (dst_name, dest_desc, x->mode) != 0)
+ return_val = false;
+ }
+ else if (x->explicit_no_preserve_mode && *new_dst)
+ {
+ if (set_acl (dst_name, dest_desc, MODE_RW_UGO & ~cached_umask ()) != 0)
+ return_val = false;
+ }
+ else if (omitted_permissions)
+ {
+ omitted_permissions &= ~ cached_umask ();
+ if (omitted_permissions
+ && fchmod_or_lchmod (dest_desc, dst_name, dst_mode) != 0)
+ {
+ error (0, errno, _("preserving permissions for %s"),
+ quoteaf (dst_name));
+ if (x->require_preserve)
+ return_val = false;
+ }
+ }
+
+close_src_and_dst_desc:
+ if (close (dest_desc) < 0)
+ {
+ error (0, errno, _("failed to close %s"), quoteaf (dst_name));
+ return_val = false;
+ }
+close_src_desc:
+ if (close (source_desc) < 0)
+ {
+ error (0, errno, _("failed to close %s"), quoteaf (src_name));
+ return_val = false;
+ }
+
+ free (buf_alloc);
+ free (name_alloc);
+ return return_val;
+}
+
+/* Return true if it's ok that the source and destination
+ files are the 'same' by some measure. The goal is to avoid
+ making the 'copy' operation remove both copies of the file
+ in that case, while still allowing the user to e.g., move or
+ copy a regular file onto a symlink that points to it.
+ Try to minimize the cost of this function in the common case.
+ Set *RETURN_NOW if we've determined that the caller has no more
+ work to do and should return successfully, right away. */
+
+static bool
+same_file_ok (char const *src_name, struct stat const *src_sb,
+ char const *dst_name, struct stat const *dst_sb,
+ const struct cp_options *x, bool *return_now)
+{
+ const struct stat *src_sb_link;
+ const struct stat *dst_sb_link;
+ struct stat tmp_dst_sb;
+ struct stat tmp_src_sb;
+
+ bool same_link;
+ bool same = SAME_INODE (*src_sb, *dst_sb);
+
+ *return_now = false;
+
+ /* FIXME: this should (at the very least) be moved into the following
+ if-block. More likely, it should be removed, because it inhibits
+ making backups. But removing it will result in a change in behavior
+ that will probably have to be documented -- and tests will have to
+ be updated. */
+ if (same && x->hard_link)
+ {
+ *return_now = true;
+ return true;
+ }
+
+ if (x->dereference == DEREF_NEVER)
+ {
+ same_link = same;
+
+ /* If both the source and destination files are symlinks (and we'll
+ know this here IFF preserving symlinks), then it's usually ok
+ when they are distinct. */
+ if (S_ISLNK (src_sb->st_mode) && S_ISLNK (dst_sb->st_mode))
+ {
+ bool sn = same_name (src_name, dst_name);
+ if ( ! sn)
+ {
+ /* It's fine when we're making any type of backup. */
+ if (x->backup_type != no_backups)
+ return true;
+
+ /* Here we have two symlinks that are hard-linked together,
+ and we're not making backups. In this unusual case, simply
+ returning true would lead to mv calling "rename(A,B)",
+ which would do nothing and return 0. */
+ if (same_link)
+ {
+ *return_now = true;
+ return ! x->move_mode;
+ }
+ }
+
+ return ! sn;
+ }
+
+ src_sb_link = src_sb;
+ dst_sb_link = dst_sb;
+ }
+ else
+ {
+ if (!same)
+ return true;
+
+ if (lstat (dst_name, &tmp_dst_sb) != 0
+ || lstat (src_name, &tmp_src_sb) != 0)
+ return true;
+
+ src_sb_link = &tmp_src_sb;
+ dst_sb_link = &tmp_dst_sb;
+
+ same_link = SAME_INODE (*src_sb_link, *dst_sb_link);
+
+ /* If both are symlinks, then it's ok, but only if the destination
+ will be unlinked before being opened. This is like the test
+ above, but with the addition of the unlink_dest_before_opening
+ conjunct because otherwise, with two symlinks to the same target,
+ we'd end up truncating the source file. */
+ if (S_ISLNK (src_sb_link->st_mode) && S_ISLNK (dst_sb_link->st_mode)
+ && x->unlink_dest_before_opening)
+ return true;
+ }
+
+ /* The backup code ensures there's a copy, so it's usually ok to
+ remove any destination file. One exception is when both
+ source and destination are the same directory entry. In that
+ case, moving the destination file aside (in making the backup)
+ would also rename the source file and result in an error. */
+ if (x->backup_type != no_backups)
+ {
+ if (!same_link)
+ {
+ /* In copy mode when dereferencing symlinks, if the source is a
+ symlink and the dest is not, then backing up the destination
+ (moving it aside) would make it a dangling symlink, and the
+ subsequent attempt to open it in copy_reg would fail with
+ a misleading diagnostic. Avoid that by returning zero in
+ that case so the caller can make cp (or mv when it has to
+ resort to reading the source file) fail now. */
+
+ /* FIXME-note: even with the following kludge, we can still provoke
+ the offending diagnostic. It's just a little harder to do :-)
+ $ rm -f a b c; touch c; ln -s c b; ln -s b a; cp -b a b
+ cp: cannot open 'a' for reading: No such file or directory
+ That's misleading, since a subsequent 'ls' shows that 'a'
+ is still there.
+ One solution would be to open the source file *before* moving
+ aside the destination, but that'd involve a big rewrite. */
+ if ( ! x->move_mode
+ && x->dereference != DEREF_NEVER
+ && S_ISLNK (src_sb_link->st_mode)
+ && ! S_ISLNK (dst_sb_link->st_mode))
+ return false;
+
+ return true;
+ }
+
+ /* FIXME: What about case insensitive file systems ? */
+ return ! same_name (src_name, dst_name);
+ }
+
+#if 0
+ /* FIXME: use or remove */
+
+ /* If we're making a backup, we'll detect the problem case in
+ copy_reg because SRC_NAME will no longer exist. Allowing
+ the test to be deferred lets cp do some useful things.
+ But when creating hardlinks and SRC_NAME is a symlink
+ but DST_NAME is not we must test anyway. */
+ if (x->hard_link
+ || !S_ISLNK (src_sb_link->st_mode)
+ || S_ISLNK (dst_sb_link->st_mode))
+ return true;
+
+ if (x->dereference != DEREF_NEVER)
+ return true;
+#endif
+
+ if (x->move_mode || x->unlink_dest_before_opening)
+ {
+ /* They may refer to the same file if we're in move mode and the
+ target is a symlink. That is ok, since we remove any existing
+ destination file before opening it -- via 'rename' if they're on
+ the same file system, via 'unlink (DST_NAME)' otherwise. */
+ if (S_ISLNK (dst_sb_link->st_mode))
+ return true;
+
+ /* It's not ok if they're distinct hard links to the same file as
+ this causes a race condition and we may lose data in this case. */
+ if (same_link
+ && 1 < dst_sb_link->st_nlink
+ && ! same_name (src_name, dst_name))
+ return ! x->move_mode;
+ }
+
+ /* If neither is a symlink, then it's ok as long as they aren't
+ hard links to the same file. */
+ if (!S_ISLNK (src_sb_link->st_mode) && !S_ISLNK (dst_sb_link->st_mode))
+ {
+ if (!SAME_INODE (*src_sb_link, *dst_sb_link))
+ return true;
+
+ /* If they are the same file, it's ok if we're making hard links. */
+ if (x->hard_link)
+ {
+ *return_now = true;
+ return true;
+ }
+ }
+
+ /* At this point, it is normally an error (data loss) to move a symlink
+ onto its referent, but in at least one narrow case, it is not:
+ In move mode, when
+ 1) src is a symlink,
+ 2) dest has a link count of 2 or more and
+ 3) dest and the referent of src are not the same directory entry,
+ then it's ok, since while we'll lose one of those hard links,
+ src will still point to a remaining link.
+ Note that technically, condition #3 obviates condition #2, but we
+ retain the 1 < st_nlink condition because that means fewer invocations
+ of the more expensive #3.
+
+ Given this,
+ $ touch f && ln f l && ln -s f s
+ $ ls -og f l s
+ -rw-------. 2 0 Jan 4 22:46 f
+ -rw-------. 2 0 Jan 4 22:46 l
+ lrwxrwxrwx. 1 1 Jan 4 22:46 s -> f
+ this must fail: mv s f
+ this must succeed: mv s l */
+ if (x->move_mode
+ && S_ISLNK (src_sb->st_mode)
+ && 1 < dst_sb_link->st_nlink)
+ {
+ char *abs_src = canonicalize_file_name (src_name);
+ if (abs_src)
+ {
+ bool result = ! same_name (abs_src, dst_name);
+ free (abs_src);
+ return result;
+ }
+ }
+
+ /* It's ok to recreate a destination symlink. */
+ if (x->symbolic_link && S_ISLNK (dst_sb_link->st_mode))
+ return true;
+
+ if (x->dereference == DEREF_NEVER)
+ {
+ if ( ! S_ISLNK (src_sb_link->st_mode))
+ tmp_src_sb = *src_sb_link;
+ else if (stat (src_name, &tmp_src_sb) != 0)
+ return true;
+
+ if ( ! S_ISLNK (dst_sb_link->st_mode))
+ tmp_dst_sb = *dst_sb_link;
+ else if (stat (dst_name, &tmp_dst_sb) != 0)
+ return true;
+
+ if ( ! SAME_INODE (tmp_src_sb, tmp_dst_sb))
+ return true;
+
+ if (x->hard_link)
+ {
+ /* It's ok to attempt to hardlink the same file,
+ and return early if not replacing a symlink.
+ Note we need to return early to avoid a later
+ unlink() of DST (when SRC is a symlink). */
+ *return_now = ! S_ISLNK (dst_sb_link->st_mode);
+ return true;
+ }
+ }
+
+ return false;
+}
+
+/* Return true if FILE, with mode MODE, is writable in the sense of 'mv'.
+ Always consider a symbolic link to be writable. */
+static bool
+writable_destination (char const *file, mode_t mode)
+{
+ return (S_ISLNK (mode)
+ || can_write_any_file ()
+ || euidaccess (file, W_OK) == 0);
+}
+
+static bool
+overwrite_ok (struct cp_options const *x, char const *dst_name,
+ struct stat const *dst_sb)
+{
+ if (! writable_destination (dst_name, dst_sb->st_mode))
+ {
+ char perms[12]; /* "-rwxrwxrwx " ls-style modes. */
+ strmode (dst_sb->st_mode, perms);
+ perms[10] = '\0';
+ fprintf (stderr,
+ (x->move_mode || x->unlink_dest_before_opening
+ || x->unlink_dest_after_failed_open)
+ ? _("%s: replace %s, overriding mode %04lo (%s)? ")
+ : _("%s: unwritable %s (mode %04lo, %s); try anyway? "),
+ program_name, quoteaf (dst_name),
+ (unsigned long int) (dst_sb->st_mode & CHMOD_MODE_BITS),
+ &perms[1]);
+ }
+ else
+ {
+ fprintf (stderr, _("%s: overwrite %s? "),
+ program_name, quoteaf (dst_name));
+ }
+
+ return yesno ();
+}
+
+/* Initialize the hash table implementing a set of F_triple entries
+ corresponding to destination files. */
+extern void
+dest_info_init (struct cp_options *x)
+{
+ x->dest_info
+ = hash_initialize (DEST_INFO_INITIAL_CAPACITY,
+ NULL,
+ triple_hash,
+ triple_compare,
+ triple_free);
+}
+
+/* Initialize the hash table implementing a set of F_triple entries
+ corresponding to source files listed on the command line. */
+extern void
+src_info_init (struct cp_options *x)
+{
+
+ /* Note that we use triple_hash_no_name here.
+ Contrast with the use of triple_hash above.
+ That is necessary because a source file may be specified
+ in many different ways. We want to warn about this
+ cp a a d/
+ as well as this:
+ cp a ./a d/
+ */
+ x->src_info
+ = hash_initialize (DEST_INFO_INITIAL_CAPACITY,
+ NULL,
+ triple_hash_no_name,
+ triple_compare,
+ triple_free);
+}
+
+/* When effecting a move (e.g., for mv(1)), and given the name DST_NAME
+ of the destination and a corresponding stat buffer, DST_SB, return
+ true if the logical 'move' operation should _not_ proceed.
+ Otherwise, return false.
+ Depending on options specified in X, this code may issue an
+ interactive prompt asking whether it's ok to overwrite DST_NAME. */
+static bool
+abandon_move (const struct cp_options *x,
+ char const *dst_name,
+ struct stat const *dst_sb)
+{
+ assert (x->move_mode);
+ return (x->interactive == I_ALWAYS_NO
+ || ((x->interactive == I_ASK_USER
+ || (x->interactive == I_UNSPECIFIED
+ && x->stdin_tty
+ && ! writable_destination (dst_name, dst_sb->st_mode)))
+ && ! overwrite_ok (x, dst_name, dst_sb)));
+}
+
+/* Print --verbose output on standard output, e.g. 'new' -> 'old'.
+ If BACKUP_DST_NAME is non-NULL, then also indicate that it is
+ the name of a backup file. */
+static void
+emit_verbose (char const *src, char const *dst, char const *backup_dst_name)
+{
+ printf ("%s -> %s", quoteaf_n (0, src), quoteaf_n (1, dst));
+ if (backup_dst_name)
+ printf (_(" (backup: %s)"), quoteaf (backup_dst_name));
+ putchar ('\n');
+}
+
+/* A wrapper around "setfscreatecon (NULL)" that exits upon failure. */
+static void
+restore_default_fscreatecon_or_die (void)
+{
+ if (setfscreatecon (NULL) != 0)
+ die (EXIT_FAILURE, errno,
+ _("failed to restore the default file creation context"));
+}
+
+/* Create a hard link DST_NAME to SRC_NAME, honoring the REPLACE, VERBOSE and
+ DEREFERENCE settings. Return true upon success. Otherwise, diagnose the
+ failure and return false. If SRC_NAME is a symbolic link, then it will not
+ be followed unless DEREFERENCE is true.
+ If the system doesn't support hard links to symbolic links, then DST_NAME
+ will be created as a symbolic link to SRC_NAME. */
+static bool
+create_hard_link (char const *src_name, char const *dst_name,
+ bool replace, bool verbose, bool dereference)
+{
+ int err = force_linkat (AT_FDCWD, src_name, AT_FDCWD, dst_name,
+ dereference ? AT_SYMLINK_FOLLOW : 0,
+ replace, -1);
+ if (0 < err)
+ {
+ error (0, err, _("cannot create hard link %s to %s"),
+ quoteaf_n (0, dst_name), quoteaf_n (1, src_name));
+ return false;
+ }
+ if (err < 0 && verbose)
+ printf (_("removed %s\n"), quoteaf (dst_name));
+ return true;
+}
+
+/* Return true if the current file should be (tried to be) dereferenced:
+ either for DEREF_ALWAYS or for DEREF_COMMAND_LINE_ARGUMENTS in the case
+ where the current file is a COMMAND_LINE_ARG; otherwise return false. */
+static inline bool _GL_ATTRIBUTE_PURE
+should_dereference (const struct cp_options *x, bool command_line_arg)
+{
+ return x->dereference == DEREF_ALWAYS
+ || (x->dereference == DEREF_COMMAND_LINE_ARGUMENTS
+ && command_line_arg);
+}
+
+/* Return true if the source file with basename SRCBASE and status SRC_ST
+ is likely to be the simple backup file for DST_NAME. */
+static bool
+source_is_dst_backup (char const *srcbase, struct stat const *src_st,
+ char const *dst_name)
+{
+ size_t srcbaselen = strlen (srcbase);
+ char const *dstbase = last_component (dst_name);
+ size_t dstbaselen = strlen (dstbase);
+ size_t suffixlen = strlen (simple_backup_suffix);
+ if (! (srcbaselen == dstbaselen + suffixlen
+ && memcmp (srcbase, dstbase, dstbaselen) == 0
+ && STREQ (srcbase + dstbaselen, simple_backup_suffix)))
+ return false;
+ size_t dstlen = strlen (dst_name);
+ char *dst_back = xmalloc (dstlen + suffixlen + 1);
+ strcpy (mempcpy (dst_back, dst_name, dstlen), simple_backup_suffix);
+ struct stat dst_back_sb;
+ int dst_back_status = stat (dst_back, &dst_back_sb);
+ free (dst_back);
+ return dst_back_status == 0 && SAME_INODE (*src_st, dst_back_sb);
+}
+
+/* Copy the file SRC_NAME to the file DST_NAME. The files may be of
+ any type. NEW_DST should be true if the file DST_NAME cannot
+ exist because its parent directory was just created; NEW_DST should
+ be false if DST_NAME might already exist. A non-null PARENT describes the
+ parent directory. ANCESTORS points to a linked, null terminated list of
+ devices and inodes of parent directories of SRC_NAME. COMMAND_LINE_ARG
+ is true iff SRC_NAME was specified on the command line.
+ FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG is both input and output.
+ Set *COPY_INTO_SELF if SRC_NAME is a parent of (or the
+ same as) DST_NAME; otherwise, clear it.
+ Return true if successful. */
+static bool
+copy_internal (char const *src_name, char const *dst_name,
+ bool new_dst,
+ struct stat const *parent,
+ struct dir_list *ancestors,
+ const struct cp_options *x,
+ bool command_line_arg,
+ bool *first_dir_created_per_command_line_arg,
+ bool *copy_into_self,
+ bool *rename_succeeded)
+{
+ struct stat src_sb;
+ struct stat dst_sb;
+ mode_t src_mode IF_LINT ( = 0);
+ mode_t dst_mode IF_LINT ( = 0);
+ mode_t dst_mode_bits;
+ mode_t omitted_permissions;
+ bool restore_dst_mode = false;
+ char *earlier_file = NULL;
+ char *dst_backup = NULL;
+ bool delayed_ok;
+ bool copied_as_regular = false;
+ bool dest_is_symlink = false;
+ bool have_dst_lstat = false;
+
+ *copy_into_self = false;
+
+ int rename_errno = x->rename_errno;
+ if (x->move_mode)
+ {
+ if (rename_errno < 0)
+ rename_errno = (renameatu (AT_FDCWD, src_name, AT_FDCWD, dst_name,
+ RENAME_NOREPLACE)
+ ? errno : 0);
+ new_dst = rename_errno == 0;
+ if (rename_succeeded)
+ *rename_succeeded = new_dst;
+ }
+
+ if (rename_errno == 0
+ ? !x->last_file
+ : rename_errno != EEXIST || x->interactive != I_ALWAYS_NO)
+ {
+ char const *name = rename_errno == 0 ? dst_name : src_name;
+ int fstatat_flags
+ = x->dereference == DEREF_NEVER ? AT_SYMLINK_NOFOLLOW : 0;
+ if (follow_fstatat (AT_FDCWD, name, &src_sb, fstatat_flags) != 0)
+ {
+ error (0, errno, _("cannot stat %s"), quoteaf (name));
+ return false;
+ }
+
+ src_mode = src_sb.st_mode;
+
+ if (S_ISDIR (src_mode) && !x->recursive)
+ {
+ error (0, 0, ! x->install_mode /* cp */
+ ? _("-r not specified; omitting directory %s")
+ : _("omitting directory %s"),
+ quoteaf (src_name));
+ return false;
+ }
+ }
+#ifdef lint
+ else
+ {
+ assert (x->move_mode);
+ memset (&src_sb, 0, sizeof src_sb);
+ }
+#endif
+
+ /* Detect the case in which the same source file appears more than
+ once on the command line and no backup option has been selected.
+ If so, simply warn and don't copy it the second time.
+ This check is enabled only if x->src_info is non-NULL. */
+ if (command_line_arg && x->src_info)
+ {
+ if ( ! S_ISDIR (src_mode)
+ && x->backup_type == no_backups
+ && seen_file (x->src_info, src_name, &src_sb))
+ {
+ error (0, 0, _("warning: source file %s specified more than once"),
+ quoteaf (src_name));
+ return true;
+ }
+
+ record_file (x->src_info, src_name, &src_sb);
+ }
+
+ bool dereference = should_dereference (x, command_line_arg);
+
+ if (!new_dst)
+ {
+ if (! (rename_errno == EEXIST && x->interactive == I_ALWAYS_NO))
+ {
+ /* Regular files can be created by writing through symbolic
+ links, but other files cannot. So use stat on the
+ destination when copying a regular file, and lstat otherwise.
+ However, if we intend to unlink or remove the destination
+ first, use lstat, since a copy won't actually be made to the
+ destination in that case. */
+ bool use_lstat
+ = ((! S_ISREG (src_mode)
+ && (! x->copy_as_regular
+ || S_ISDIR (src_mode) || S_ISLNK (src_mode)))
+ || x->move_mode || x->symbolic_link || x->hard_link
+ || x->backup_type != no_backups
+ || x->unlink_dest_before_opening);
+ int fstatat_flags = use_lstat ? AT_SYMLINK_NOFOLLOW : 0;
+ if (follow_fstatat (AT_FDCWD, dst_name, &dst_sb, fstatat_flags) == 0)
+ {
+ have_dst_lstat = use_lstat;
+ rename_errno = EEXIST;
+ }
+ else
+ {
+ if (errno == ELOOP && x->unlink_dest_after_failed_open)
+ /* leave new_dst=false so we unlink later. */;
+ else if (errno != ENOENT)
+ {
+ error (0, errno, _("cannot stat %s"), quoteaf (dst_name));
+ return false;
+ }
+ else
+ new_dst = true;
+ }
+ }
+
+ if (rename_errno == EEXIST)
+ {
+ bool return_now = false;
+
+ if (x->interactive != I_ALWAYS_NO
+ && ! same_file_ok (src_name, &src_sb, dst_name, &dst_sb,
+ x, &return_now))
+ {
+ error (0, 0, _("%s and %s are the same file"),
+ quoteaf_n (0, src_name), quoteaf_n (1, dst_name));
+ return false;
+ }
+
+ if (x->update && !S_ISDIR (src_mode))
+ {
+ /* When preserving timestamps (but not moving within a file
+ system), don't worry if the destination timestamp is
+ less than the source merely because of timestamp
+ truncation. */
+ int options = ((x->preserve_timestamps
+ && ! (x->move_mode
+ && dst_sb.st_dev == src_sb.st_dev))
+ ? UTIMECMP_TRUNCATE_SOURCE
+ : 0);
+
+ if (0 <= utimecmp (dst_name, &dst_sb, &src_sb, options))
+ {
+ /* We're using --update and the destination is not older
+ than the source, so do not copy or move. Pretend the
+ rename succeeded, so the caller (if it's mv) doesn't
+ end up removing the source file. */
+ if (rename_succeeded)
+ *rename_succeeded = true;
+
+ /* However, we still must record that we've processed
+ this src/dest pair, in case this source file is
+ hard-linked to another one. In that case, we'll use
+ the mapping information to link the corresponding
+ destination names. */
+ earlier_file = remember_copied (dst_name, src_sb.st_ino,
+ src_sb.st_dev);
+ if (earlier_file)
+ {
+ /* Note we currently replace DST_NAME unconditionally,
+ even if it was a newer separate file. */
+ if (! create_hard_link (earlier_file, dst_name, true,
+ x->verbose, dereference))
+ {
+ goto un_backup;
+ }
+ }
+
+ return true;
+ }
+ }
+
+ /* When there is an existing destination file, we may end up
+ returning early, and hence not copying/moving the file.
+ This may be due to an interactive 'negative' reply to the
+ prompt about the existing file. It may also be due to the
+ use of the --no-clobber option.
+
+ cp and mv treat -i and -f differently. */
+ if (x->move_mode)
+ {
+ if (abandon_move (x, dst_name, &dst_sb))
+ {
+ /* Pretend the rename succeeded, so the caller (mv)
+ doesn't end up removing the source file. */
+ if (rename_succeeded)
+ *rename_succeeded = true;
+ return true;
+ }
+ }
+ else
+ {
+ if (! S_ISDIR (src_mode)
+ && (x->interactive == I_ALWAYS_NO
+ || (x->interactive == I_ASK_USER
+ && ! overwrite_ok (x, dst_name, &dst_sb))))
+ return true;
+ }
+
+ if (return_now)
+ return true;
+
+ if (!S_ISDIR (dst_sb.st_mode))
+ {
+ if (S_ISDIR (src_mode))
+ {
+ if (x->move_mode && x->backup_type != no_backups)
+ {
+ /* Moving a directory onto an existing
+ non-directory is ok only with --backup. */
+ }
+ else
+ {
+ error (0, 0,
+ _("cannot overwrite non-directory %s with directory %s"),
+ quoteaf_n (0, dst_name), quoteaf_n (1, src_name));
+ return false;
+ }
+ }
+
+ /* Don't let the user destroy their data, even if they try hard:
+ This mv command must fail (likewise for cp):
+ rm -rf a b c; mkdir a b c; touch a/f b/f; mv a/f b/f c
+ Otherwise, the contents of b/f would be lost.
+ In the case of 'cp', b/f would be lost if the user simulated
+ a move using cp and rm.
+ Note that it works fine if you use --backup=numbered. */
+ if (command_line_arg
+ && x->backup_type != numbered_backups
+ && seen_file (x->dest_info, dst_name, &dst_sb))
+ {
+ error (0, 0,
+ _("will not overwrite just-created %s with %s"),
+ quoteaf_n (0, dst_name), quoteaf_n (1, src_name));
+ return false;
+ }
+ }
+
+ if (!S_ISDIR (src_mode))
+ {
+ if (S_ISDIR (dst_sb.st_mode))
+ {
+ if (x->move_mode && x->backup_type != no_backups)
+ {
+ /* Moving a non-directory onto an existing
+ directory is ok only with --backup. */
+ }
+ else
+ {
+ error (0, 0,
+ _("cannot overwrite directory %s with non-directory"),
+ quoteaf (dst_name));
+ return false;
+ }
+ }
+ }
+
+ if (x->move_mode)
+ {
+ /* Don't allow user to move a directory onto a non-directory. */
+ if (S_ISDIR (src_sb.st_mode) && !S_ISDIR (dst_sb.st_mode)
+ && x->backup_type == no_backups)
+ {
+ error (0, 0,
+ _("cannot move directory onto non-directory: %s -> %s"),
+ quotef_n (0, src_name), quotef_n (0, dst_name));
+ return false;
+ }
+ }
+
+ char const *srcbase;
+ if (x->backup_type != no_backups
+ /* Don't try to back up a destination if the last
+ component of src_name is "." or "..". */
+ && ! dot_or_dotdot (srcbase = last_component (src_name))
+ /* Create a backup of each destination directory in move mode,
+ but not in copy mode. FIXME: it might make sense to add an
+ option to suppress backup creation also for move mode.
+ That would let one use mv to merge new content into an
+ existing hierarchy. */
+ && (x->move_mode || ! S_ISDIR (dst_sb.st_mode)))
+ {
+ /* Fail if creating the backup file would likely destroy
+ the source file. Otherwise, the commands:
+ cd /tmp; rm -f a a~; : > a; echo A > a~; cp --b=simple a~ a
+ would leave two zero-length files: a and a~. */
+ if (x->backup_type != numbered_backups
+ && source_is_dst_backup (srcbase, &src_sb, dst_name))
+ {
+ const char *fmt;
+ fmt = (x->move_mode
+ ? _("backing up %s might destroy source; %s not moved")
+ : _("backing up %s might destroy source; %s not copied"));
+ error (0, 0, fmt,
+ quoteaf_n (0, dst_name),
+ quoteaf_n (1, src_name));
+ return false;
+ }
+
+ char *tmp_backup = backup_file_rename (AT_FDCWD, dst_name,
+ x->backup_type);
+
+ /* FIXME: use fts:
+ Using alloca for a file name that may be arbitrarily
+ long is not recommended. In fact, even forming such a name
+ should be discouraged. Eventually, this code will be rewritten
+ to use fts, so using alloca here will be less of a problem. */
+ if (tmp_backup)
+ {
+ ASSIGN_STRDUPA (dst_backup, tmp_backup);
+ free (tmp_backup);
+ }
+ else if (errno != ENOENT)
+ {
+ error (0, errno, _("cannot backup %s"), quoteaf (dst_name));
+ return false;
+ }
+ new_dst = true;
+ }
+ else if (! S_ISDIR (dst_sb.st_mode)
+ /* Never unlink dst_name when in move mode. */
+ && ! x->move_mode
+ && (x->unlink_dest_before_opening
+ || (x->preserve_links && 1 < dst_sb.st_nlink)
+ || (x->dereference == DEREF_NEVER
+ && ! S_ISREG (src_sb.st_mode))
+ ))
+ {
+ if (unlink (dst_name) != 0 && errno != ENOENT)
+ {
+ error (0, errno, _("cannot remove %s"), quoteaf (dst_name));
+ return false;
+ }
+ new_dst = true;
+ if (x->verbose)
+ printf (_("removed %s\n"), quoteaf (dst_name));
+ }
+ }
+ }
+
+ /* Ensure we don't try to copy through a symlink that was
+ created by a prior call to this function. */
+ if (command_line_arg
+ && x->dest_info
+ && ! x->move_mode
+ && x->backup_type == no_backups)
+ {
+ bool lstat_ok = true;
+ struct stat tmp_buf;
+ struct stat *dst_lstat_sb;
+
+ /* If we called lstat above, good: use that data.
+ Otherwise, call lstat here, in case dst_name is a symlink. */
+ if (have_dst_lstat)
+ dst_lstat_sb = &dst_sb;
+ else
+ {
+ if (lstat (dst_name, &tmp_buf) == 0)
+ dst_lstat_sb = &tmp_buf;
+ else
+ lstat_ok = false;
+ }
+
+ /* Never copy through a symlink we've just created. */
+ if (lstat_ok
+ && S_ISLNK (dst_lstat_sb->st_mode)
+ && seen_file (x->dest_info, dst_name, dst_lstat_sb))
+ {
+ error (0, 0,
+ _("will not copy %s through just-created symlink %s"),
+ quoteaf_n (0, src_name), quoteaf_n (1, dst_name));
+ return false;
+ }
+ }
+
+ /* If the source is a directory, we don't always create the destination
+ directory. So --verbose should not announce anything until we're
+ sure we'll create a directory. Also don't announce yet when moving
+ so we can distinguish renames versus copies. */
+ if (x->verbose && !x->move_mode && !S_ISDIR (src_mode))
+ emit_verbose (src_name, dst_name, dst_backup);
+
+ /* Associate the destination file name with the source device and inode
+ so that if we encounter a matching dev/ino pair in the source tree
+ we can arrange to create a hard link between the corresponding names
+ in the destination tree.
+
+ When using the --link (-l) option, there is no need to take special
+ measures, because (barring race conditions) files that are hard-linked
+ in the source tree will also be hard-linked in the destination tree.
+
+ Sometimes, when preserving links, we have to record dev/ino even
+ though st_nlink == 1:
+ - when in move_mode, since we may be moving a group of N hard-linked
+ files (via two or more command line arguments) to a different
+ partition; the links may be distributed among the command line
+ arguments (possibly hierarchies) so that the link count of
+ the final, once-linked source file is reduced to 1 when it is
+ considered below. But in this case (for mv) we don't need to
+ incur the expense of recording the dev/ino => name mapping; all we
+ really need is a lookup, to see if the dev/ino pair has already
+ been copied.
+ - when using -H and processing a command line argument;
+ that command line argument could be a symlink pointing to another
+ command line argument. With 'cp -H --preserve=link', we hard-link
+ those two destination files.
+ - likewise for -L except that it applies to all files, not just
+ command line arguments.
+
+ Also, with --recursive, record dev/ino of each command-line directory.
+ We'll use that info to detect this problem: cp -R dir dir. */
+
+ if (rename_errno == 0)
+ earlier_file = NULL;
+ else if (x->recursive && S_ISDIR (src_mode))
+ {
+ if (command_line_arg)
+ earlier_file = remember_copied (dst_name, src_sb.st_ino, src_sb.st_dev);
+ else
+ earlier_file = src_to_dest_lookup (src_sb.st_ino, src_sb.st_dev);
+ }
+ else if (x->move_mode && src_sb.st_nlink == 1)
+ {
+ earlier_file = src_to_dest_lookup (src_sb.st_ino, src_sb.st_dev);
+ }
+ else if (x->preserve_links
+ && !x->hard_link
+ && (1 < src_sb.st_nlink
+ || (command_line_arg
+ && x->dereference == DEREF_COMMAND_LINE_ARGUMENTS)
+ || x->dereference == DEREF_ALWAYS))
+ {
+ earlier_file = remember_copied (dst_name, src_sb.st_ino, src_sb.st_dev);
+ }
+
+ /* Did we copy this inode somewhere else (in this command line argument)
+ and therefore this is a second hard link to the inode? */
+
+ if (earlier_file)
+ {
+ /* Avoid damaging the destination file system by refusing to preserve
+ hard-linked directories (which are found at least in Netapp snapshot
+ directories). */
+ if (S_ISDIR (src_mode))
+ {
+ /* If src_name and earlier_file refer to the same directory entry,
+ then warn about copying a directory into itself. */
+ if (same_name (src_name, earlier_file))
+ {
+ error (0, 0, _("cannot copy a directory, %s, into itself, %s"),
+ quoteaf_n (0, top_level_src_name),
+ quoteaf_n (1, top_level_dst_name));
+ *copy_into_self = true;
+ goto un_backup;
+ }
+ else if (same_name (dst_name, earlier_file))
+ {
+ error (0, 0, _("warning: source directory %s "
+ "specified more than once"),
+ quoteaf (top_level_src_name));
+ /* In move mode, if a previous rename succeeded, then
+ we won't be in this path as the source is missing. If the
+ rename previously failed, then that has been handled, so
+ pretend this attempt succeeded so the source isn't removed. */
+ if (x->move_mode && rename_succeeded)
+ *rename_succeeded = true;
+ /* We only do backups in move mode, and for non directories.
+ So just ignore this repeated entry. */
+ return true;
+ }
+ else if (x->dereference == DEREF_ALWAYS
+ || (command_line_arg
+ && x->dereference == DEREF_COMMAND_LINE_ARGUMENTS))
+ {
+ /* This happens when e.g., encountering a directory for the
+ second or subsequent time via symlinks when cp is invoked
+ with -R and -L. E.g.,
+ rm -rf a b c d; mkdir a b c d; ln -s ../c a; ln -s ../c b;
+ cp -RL a b d
+ */
+ }
+ else
+ {
+ error (0, 0, _("will not create hard link %s to directory %s"),
+ quoteaf_n (0, dst_name), quoteaf_n (1, earlier_file));
+ goto un_backup;
+ }
+ }
+ else
+ {
+ if (! create_hard_link (earlier_file, dst_name, true, x->verbose,
+ dereference))
+ goto un_backup;
+
+ return true;
+ }
+ }
+
+ if (x->move_mode)
+ {
+ if (rename_errno == EEXIST)
+ rename_errno = rename (src_name, dst_name) == 0 ? 0 : errno;
+
+ if (rename_errno == 0)
+ {
+ if (x->verbose)
+ {
+ printf (_("renamed "));
+ emit_verbose (src_name, dst_name, dst_backup);
+ }
+
+ if (x->set_security_context)
+ {
+ /* -Z failures are only warnings currently. */
+ (void) set_file_security_ctx (dst_name, false, true, x);
+ }
+
+ if (rename_succeeded)
+ *rename_succeeded = true;
+
+ if (command_line_arg && !x->last_file)
+ {
+ /* Record destination dev/ino/name, so that if we are asked
+ to overwrite that file again, we can detect it and fail. */
+ /* It's fine to use the _source_ stat buffer (src_sb) to get the
+ _destination_ dev/ino, since the rename above can't have
+ changed those, and 'mv' always uses lstat.
+ We could limit it further by operating
+ only on non-directories. */
+ record_file (x->dest_info, dst_name, &src_sb);
+ }
+
+ return true;
+ }
+
+ /* FIXME: someday, consider what to do when moving a directory into
+ itself but when source and destination are on different devices. */
+
+ /* This happens when attempting to rename a directory to a
+ subdirectory of itself. */
+ if (rename_errno == EINVAL)
+ {
+ /* FIXME: this is a little fragile in that it relies on rename(2)
+ failing with a specific errno value. Expect problems on
+ non-POSIX systems. */
+ error (0, 0, _("cannot move %s to a subdirectory of itself, %s"),
+ quoteaf_n (0, top_level_src_name),
+ quoteaf_n (1, top_level_dst_name));
+
+ /* Note that there is no need to call forget_created here,
+ (compare with the other calls in this file) since the
+ destination directory didn't exist before. */
+
+ *copy_into_self = true;
+ /* FIXME-cleanup: Don't return true here; adjust mv.c accordingly.
+ The only caller that uses this code (mv.c) ends up setting its
+ exit status to nonzero when copy_into_self is nonzero. */
+ return true;
+ }
+
+ /* WARNING: there probably exist systems for which an inter-device
+ rename fails with a value of errno not handled here.
+ If/as those are reported, add them to the condition below.
+ If this happens to you, please do the following and send the output
+ to the bug-reporting address (e.g., in the output of cp --help):
+ touch k; perl -e 'rename "k","/tmp/k" or print "$!(",$!+0,")\n"'
+ where your current directory is on one partition and /tmp is the other.
+ Also, please try to find the E* errno macro name corresponding to
+ the diagnostic and parenthesized integer, and include that in your
+ e-mail. One way to do that is to run a command like this
+ find /usr/include/. -type f \
+ | xargs grep 'define.*\<E[A-Z]*\>.*\<18\>' /dev/null
+ where you'd replace '18' with the integer in parentheses that
+ was output from the perl one-liner above.
+ If necessary, of course, change '/tmp' to some other directory. */
+ if (rename_errno != EXDEV)
+ {
+ /* There are many ways this can happen due to a race condition.
+ When something happens between the initial follow_fstatat and the
+ subsequent rename, we can get many different types of errors.
+ For example, if the destination is initially a non-directory
+ or non-existent, but it is created as a directory, the rename
+ fails. If two 'mv' commands try to rename the same file at
+ about the same time, one will succeed and the other will fail.
+ If the permissions on the directory containing the source or
+ destination file are made too restrictive, the rename will
+ fail. Etc. */
+ error (0, rename_errno,
+ _("cannot move %s to %s"),
+ quoteaf_n (0, src_name), quoteaf_n (1, dst_name));
+ forget_created (src_sb.st_ino, src_sb.st_dev);
+ return false;
+ }
+
+ /* The rename attempt has failed. Remove any existing destination
+ file so that a cross-device 'mv' acts as if it were really using
+ the rename syscall. Note both src and dst must both be directories
+ or not, and this is enforced above. Therefore we check the src_mode
+ and operate on dst_name here as a tighter constraint and also because
+ src_mode is readily available here. */
+ if ((S_ISDIR (src_mode) ? rmdir (dst_name) : unlink (dst_name)) != 0
+ && errno != ENOENT)
+ {
+ error (0, errno,
+ _("inter-device move failed: %s to %s; unable to remove target"),
+ quoteaf_n (0, src_name), quoteaf_n (1, dst_name));
+ forget_created (src_sb.st_ino, src_sb.st_dev);
+ return false;
+ }
+
+ if (x->verbose && !S_ISDIR (src_mode))
+ {
+ printf (_("copied "));
+ emit_verbose (src_name, dst_name, dst_backup);
+ }
+ new_dst = true;
+ }
+
+ /* If the ownership might change, or if it is a directory (whose
+ special mode bits may change after the directory is created),
+ omit some permissions at first, so unauthorized users cannot nip
+ in before the file is ready. */
+ dst_mode_bits = (x->set_mode ? x->mode : src_mode) & CHMOD_MODE_BITS;
+ omitted_permissions =
+ (dst_mode_bits
+ & (x->preserve_ownership ? S_IRWXG | S_IRWXO
+ : S_ISDIR (src_mode) ? S_IWGRP | S_IWOTH
+ : 0));
+
+ delayed_ok = true;
+
+ /* If required, set the default security context for new files.
+ Also for existing files this is used as a reference
+ when copying the context with --preserve=context.
+ FIXME: Do we need to consider dst_mode_bits here? */
+ if (! set_process_security_ctx (src_name, dst_name, src_mode, new_dst, x))
+ return false;
+
+ if (S_ISDIR (src_mode))
+ {
+ struct dir_list *dir;
+
+ /* If this directory has been copied before during the
+ recursion, there is a symbolic link to an ancestor
+ directory of the symbolic link. It is impossible to
+ continue to copy this, unless we've got an infinite disk. */
+
+ if (is_ancestor (&src_sb, ancestors))
+ {
+ error (0, 0, _("cannot copy cyclic symbolic link %s"),
+ quoteaf (src_name));
+ goto un_backup;
+ }
+
+ /* Insert the current directory in the list of parents. */
+
+ dir = alloca (sizeof *dir);
+ dir->parent = ancestors;
+ dir->ino = src_sb.st_ino;
+ dir->dev = src_sb.st_dev;
+
+ if (new_dst || !S_ISDIR (dst_sb.st_mode))
+ {
+ /* POSIX says mkdir's behavior is implementation-defined when
+ (src_mode & ~S_IRWXUGO) != 0. However, common practice is
+ to ask mkdir to copy all the CHMOD_MODE_BITS, letting mkdir
+ decide what to do with S_ISUID | S_ISGID | S_ISVTX. */
+ if (mkdir (dst_name, dst_mode_bits & ~omitted_permissions) != 0)
+ {
+ error (0, errno, _("cannot create directory %s"),
+ quoteaf (dst_name));
+ goto un_backup;
+ }
+
+ /* We need search and write permissions to the new directory
+ for writing the directory's contents. Check if these
+ permissions are there. */
+
+ if (lstat (dst_name, &dst_sb) != 0)
+ {
+ error (0, errno, _("cannot stat %s"), quoteaf (dst_name));
+ goto un_backup;
+ }
+ else if ((dst_sb.st_mode & S_IRWXU) != S_IRWXU)
+ {
+ /* Make the new directory searchable and writable. */
+
+ dst_mode = dst_sb.st_mode;
+ restore_dst_mode = true;
+
+ if (lchmod (dst_name, dst_mode | S_IRWXU) != 0)
+ {
+ error (0, errno, _("setting permissions for %s"),
+ quoteaf (dst_name));
+ goto un_backup;
+ }
+ }
+
+ /* Record the created directory's inode and device numbers into
+ the search structure, so that we can avoid copying it again.
+ Do this only for the first directory that is created for each
+ source command line argument. */
+ if (!*first_dir_created_per_command_line_arg)
+ {
+ remember_copied (dst_name, dst_sb.st_ino, dst_sb.st_dev);
+ *first_dir_created_per_command_line_arg = true;
+ }
+
+ if (x->verbose)
+ {
+ if (x->move_mode)
+ printf (_("created directory %s\n"), quoteaf (dst_name));
+ else
+ emit_verbose (src_name, dst_name, NULL);
+ }
+ }
+ else
+ {
+ omitted_permissions = 0;
+
+ /* For directories, the process global context could be reset for
+ descendents, so use it to set the context for existing dirs here.
+ This will also give earlier indication of failure to set ctx. */
+ if (x->set_security_context || x->preserve_security_context)
+ if (! set_file_security_ctx (dst_name, x->preserve_security_context,
+ false, x))
+ {
+ if (x->require_preserve_context)
+ goto un_backup;
+ }
+ }
+
+ /* Decide whether to copy the contents of the directory. */
+ if (x->one_file_system && parent && parent->st_dev != src_sb.st_dev)
+ {
+ /* Here, we are crossing a file system boundary and cp's -x option
+ is in effect: so don't copy the contents of this directory. */
+ }
+ else
+ {
+ /* Copy the contents of the directory. Don't just return if
+ this fails -- otherwise, the failure to read a single file
+ in a source directory would cause the containing destination
+ directory not to have owner/perms set properly. */
+ delayed_ok = copy_dir (src_name, dst_name, new_dst, &src_sb, dir, x,
+ first_dir_created_per_command_line_arg,
+ copy_into_self);
+ }
+ }
+ else if (x->symbolic_link)
+ {
+ dest_is_symlink = true;
+ if (*src_name != '/')
+ {
+ /* Check that DST_NAME denotes a file in the current directory. */
+ struct stat dot_sb;
+ struct stat dst_parent_sb;
+ char *dst_parent;
+ bool in_current_dir;
+
+ dst_parent = dir_name (dst_name);
+
+ in_current_dir = (STREQ (".", dst_parent)
+ /* If either stat call fails, it's ok not to report
+ the failure and say dst_name is in the current
+ directory. Other things will fail later. */
+ || stat (".", &dot_sb) != 0
+ || stat (dst_parent, &dst_parent_sb) != 0
+ || SAME_INODE (dot_sb, dst_parent_sb));
+ free (dst_parent);
+
+ if (! in_current_dir)
+ {
+ error (0, 0,
+ _("%s: can make relative symbolic links only in current directory"),
+ quotef (dst_name));
+ goto un_backup;
+ }
+ }
+
+ int err = force_symlinkat (src_name, AT_FDCWD, dst_name,
+ x->unlink_dest_after_failed_open, -1);
+ if (0 < err)
+ {
+ error (0, err, _("cannot create symbolic link %s to %s"),
+ quoteaf_n (0, dst_name), quoteaf_n (1, src_name));
+ goto un_backup;
+ }
+ }
+
+ /* POSIX 2008 states that it is implementation-defined whether
+ link() on a symlink creates a hard-link to the symlink, or only
+ to the referent (effectively dereferencing the symlink) (POSIX
+ 2001 required the latter behavior, although many systems provided
+ the former). Yet cp, invoked with '--link --no-dereference',
+ should not follow the link. We can approximate the desired
+ behavior by skipping this hard-link creating block and instead
+ copying the symlink, via the 'S_ISLNK'- copying code below.
+
+ Note gnulib's linkat module, guarantees that the symlink is not
+ dereferenced. However its emulation currently doesn't maintain
+ timestamps or ownership so we only call it when we know the
+ emulation will not be needed. */
+ else if (x->hard_link
+ && !(! CAN_HARDLINK_SYMLINKS && S_ISLNK (src_mode)
+ && x->dereference == DEREF_NEVER))
+ {
+ bool replace = (x->unlink_dest_after_failed_open
+ || x->interactive == I_ASK_USER);
+ if (! create_hard_link (src_name, dst_name, replace, false, dereference))
+ goto un_backup;
+ }
+ else if (S_ISREG (src_mode)
+ || (x->copy_as_regular && !S_ISLNK (src_mode)))
+ {
+ copied_as_regular = true;
+ /* POSIX says the permission bits of the source file must be
+ used as the 3rd argument in the open call. Historical
+ practice passed all the source mode bits to 'open', but the extra
+ bits were ignored, so it should be the same either way.
+
+ This call uses DST_MODE_BITS, not SRC_MODE. These are
+ normally the same, and the exception (where x->set_mode) is
+ used only by 'install', which POSIX does not specify and
+ where DST_MODE_BITS is what's wanted. */
+ if (! copy_reg (src_name, dst_name, x, dst_mode_bits & S_IRWXUGO,
+ omitted_permissions, &new_dst, &src_sb))
+ goto un_backup;
+ }
+ else if (S_ISFIFO (src_mode))
+ {
+ /* Use mknod, rather than mkfifo, because the former preserves
+ the special mode bits of a fifo on Solaris 10, while mkfifo
+ does not. But fall back on mkfifo, because on some BSD systems,
+ mknod always fails when asked to create a FIFO. */
+ if (mknod (dst_name, src_mode & ~omitted_permissions, 0) != 0)
+ if (mkfifo (dst_name, src_mode & ~S_IFIFO & ~omitted_permissions) != 0)
+ {
+ error (0, errno, _("cannot create fifo %s"), quoteaf (dst_name));
+ goto un_backup;
+ }
+ }
+ else if (S_ISBLK (src_mode) || S_ISCHR (src_mode) || S_ISSOCK (src_mode))
+ {
+ if (mknod (dst_name, src_mode & ~omitted_permissions, src_sb.st_rdev)
+ != 0)
+ {
+ error (0, errno, _("cannot create special file %s"),
+ quoteaf (dst_name));
+ goto un_backup;
+ }
+ }
+ else if (S_ISLNK (src_mode))
+ {
+ char *src_link_val = areadlink_with_size (src_name, src_sb.st_size);
+ dest_is_symlink = true;
+ if (src_link_val == NULL)
+ {
+ error (0, errno, _("cannot read symbolic link %s"),
+ quoteaf (src_name));
+ goto un_backup;
+ }
+
+ int symlink_err = force_symlinkat (src_link_val, AT_FDCWD, dst_name,
+ x->unlink_dest_after_failed_open, -1);
+ if (0 < symlink_err && x->update && !new_dst && S_ISLNK (dst_sb.st_mode)
+ && dst_sb.st_size == strlen (src_link_val))
+ {
+ /* See if the destination is already the desired symlink.
+ FIXME: This behavior isn't documented, and seems wrong
+ in some cases, e.g., if the destination symlink has the
+ wrong ownership, permissions, or timestamps. */
+ char *dest_link_val =
+ areadlink_with_size (dst_name, dst_sb.st_size);
+ if (dest_link_val)
+ {
+ if (STREQ (dest_link_val, src_link_val))
+ symlink_err = 0;
+ free (dest_link_val);
+ }
+ }
+ free (src_link_val);
+ if (0 < symlink_err)
+ {
+ error (0, symlink_err, _("cannot create symbolic link %s"),
+ quoteaf (dst_name));
+ goto un_backup;
+ }
+
+ if (x->preserve_security_context)
+ restore_default_fscreatecon_or_die ();
+
+ if (x->preserve_ownership)
+ {
+ /* Preserve the owner and group of the just-'copied'
+ symbolic link, if possible. */
+ if (HAVE_LCHOWN
+ && lchown (dst_name, src_sb.st_uid, src_sb.st_gid) != 0
+ && ! chown_failure_ok (x))
+ {
+ error (0, errno, _("failed to preserve ownership for %s"),
+ dst_name);
+ if (x->require_preserve)
+ goto un_backup;
+ }
+ else
+ {
+ /* Can't preserve ownership of symlinks.
+ FIXME: maybe give a warning or even error for symlinks
+ in directories with the sticky bit set -- there, not
+ preserving owner/group is a potential security problem. */
+ }
+ }
+ }
+ else
+ {
+ error (0, 0, _("%s has unknown file type"), quoteaf (src_name));
+ goto un_backup;
+ }
+
+ /* With -Z or --preserve=context, set the context for existing files.
+ Note this is done already for copy_reg() for reasons described therein. */
+ if (!new_dst && !x->copy_as_regular && !S_ISDIR (src_mode)
+ && (x->set_security_context || x->preserve_security_context))
+ {
+ if (! set_file_security_ctx (dst_name, x->preserve_security_context,
+ false, x))
+ {
+ if (x->require_preserve_context)
+ goto un_backup;
+ }
+ }
+
+ if (command_line_arg && x->dest_info)
+ {
+ /* Now that the destination file is very likely to exist,
+ add its info to the set. */
+ struct stat sb;
+ if (lstat (dst_name, &sb) == 0)
+ record_file (x->dest_info, dst_name, &sb);
+ }
+
+ /* If we've just created a hard-link due to cp's --link option,
+ we're done. */
+ if (x->hard_link && ! S_ISDIR (src_mode)
+ && !(! CAN_HARDLINK_SYMLINKS && S_ISLNK (src_mode)
+ && x->dereference == DEREF_NEVER))
+ return delayed_ok;
+
+ if (copied_as_regular)
+ return delayed_ok;
+
+ /* POSIX says that 'cp -p' must restore the following:
+ - permission bits
+ - setuid, setgid bits
+ - owner and group
+ If it fails to restore any of those, we may give a warning but
+ the destination must not be removed.
+ FIXME: implement the above. */
+
+ /* Adjust the times (and if possible, ownership) for the copy.
+ chown turns off set[ug]id bits for non-root,
+ so do the chmod last. */
+
+ if (x->preserve_timestamps)
+ {
+ struct timespec timespec[2];
+ timespec[0] = get_stat_atime (&src_sb);
+ timespec[1] = get_stat_mtime (&src_sb);
+
+ if ((dest_is_symlink
+ ? utimens_symlink (dst_name, timespec)
+ : utimens (dst_name, timespec))
+ != 0)
+ {
+ error (0, errno, _("preserving times for %s"), quoteaf (dst_name));
+ if (x->require_preserve)
+ return false;
+ }
+ }
+
+ /* Avoid calling chown if we know it's not necessary. */
+ if (!dest_is_symlink && x->preserve_ownership
+ && (new_dst || !SAME_OWNER_AND_GROUP (src_sb, dst_sb)))
+ {
+ switch (set_owner (x, dst_name, -1, &src_sb, new_dst, &dst_sb))
+ {
+ case -1:
+ return false;
+
+ case 0:
+ src_mode &= ~ (S_ISUID | S_ISGID | S_ISVTX);
+ break;
+ }
+ }
+
+ /* Set xattrs after ownership as changing owners will clear capabilities. */
+ if (x->preserve_xattr && ! copy_attr (src_name, -1, dst_name, -1, x)
+ && x->require_preserve_xattr)
+ return false;
+
+ /* The operations beyond this point may dereference a symlink. */
+ if (dest_is_symlink)
+ return delayed_ok;
+
+ set_author (dst_name, -1, &src_sb);
+
+ if (x->preserve_mode || x->move_mode)
+ {
+ if (copy_acl (src_name, -1, dst_name, -1, src_mode) != 0
+ && x->require_preserve)
+ return false;
+ }
+ else if (x->set_mode)
+ {
+ if (set_acl (dst_name, -1, x->mode) != 0)
+ return false;
+ }
+ else if (x->explicit_no_preserve_mode && new_dst)
+ {
+ int default_permissions = S_ISDIR (src_mode) || S_ISSOCK (src_mode)
+ ? S_IRWXUGO : MODE_RW_UGO;
+ if (set_acl (dst_name, -1, default_permissions & ~cached_umask ()) != 0)
+ return false;
+ }
+ else
+ {
+ if (omitted_permissions)
+ {
+ omitted_permissions &= ~ cached_umask ();
+
+ if (omitted_permissions && !restore_dst_mode)
+ {
+ /* Permissions were deliberately omitted when the file
+ was created due to security concerns. See whether
+ they need to be re-added now. It'd be faster to omit
+ the lstat, but deducing the current destination mode
+ is tricky in the presence of implementation-defined
+ rules for special mode bits. */
+ if (new_dst && lstat (dst_name, &dst_sb) != 0)
+ {
+ error (0, errno, _("cannot stat %s"), quoteaf (dst_name));
+ return false;
+ }
+ dst_mode = dst_sb.st_mode;
+ if (omitted_permissions & ~dst_mode)
+ restore_dst_mode = true;
+ }
+ }
+
+ if (restore_dst_mode)
+ {
+ if (lchmod (dst_name, dst_mode | omitted_permissions) != 0)
+ {
+ error (0, errno, _("preserving permissions for %s"),
+ quoteaf (dst_name));
+ if (x->require_preserve)
+ return false;
+ }
+ }
+ }
+
+ return delayed_ok;
+
+un_backup:
+
+ if (x->preserve_security_context)
+ restore_default_fscreatecon_or_die ();
+
+ /* We have failed to create the destination file.
+ If we've just added a dev/ino entry via the remember_copied
+ call above (i.e., unless we've just failed to create a hard link),
+ remove the entry associating the source dev/ino with the
+ destination file name, so we don't try to 'preserve' a link
+ to a file we didn't create. */
+ if (earlier_file == NULL)
+ forget_created (src_sb.st_ino, src_sb.st_dev);
+
+ if (dst_backup)
+ {
+ if (rename (dst_backup, dst_name) != 0)
+ error (0, errno, _("cannot un-backup %s"), quoteaf (dst_name));
+ else
+ {
+ if (x->verbose)
+ printf (_("%s -> %s (unbackup)\n"),
+ quoteaf_n (0, dst_backup), quoteaf_n (1, dst_name));
+ }
+ }
+ return false;
+}
+
+static bool _GL_ATTRIBUTE_PURE
+valid_options (const struct cp_options *co)
+{
+ assert (co != NULL);
+ assert (VALID_BACKUP_TYPE (co->backup_type));
+ assert (VALID_SPARSE_MODE (co->sparse_mode));
+ assert (VALID_REFLINK_MODE (co->reflink_mode));
+ assert (!(co->hard_link && co->symbolic_link));
+ assert (!
+ (co->reflink_mode == REFLINK_ALWAYS
+ && co->sparse_mode != SPARSE_AUTO));
+ return true;
+}
+
+/* Copy the file SRC_NAME to the file DST_NAME. The files may be of
+ any type. NONEXISTENT_DST should be true if the file DST_NAME
+ is known not to exist (e.g., because its parent directory was just
+ created); NONEXISTENT_DST should be false if DST_NAME might already
+ exist. OPTIONS is ... FIXME-describe
+ Set *COPY_INTO_SELF if SRC_NAME is a parent of (or the
+ same as) DST_NAME; otherwise, set clear it.
+ Return true if successful. */
+
+extern bool
+copy (char const *src_name, char const *dst_name,
+ bool nonexistent_dst, const struct cp_options *options,
+ bool *copy_into_self, bool *rename_succeeded)
+{
+ assert (valid_options (options));
+
+ /* Record the file names: they're used in case of error, when copying
+ a directory into itself. I don't like to make these tools do *any*
+ extra work in the common case when that work is solely to handle
+ exceptional cases, but in this case, I don't see a way to derive the
+ top level source and destination directory names where they're used.
+ An alternative is to use COPY_INTO_SELF and print the diagnostic
+ from every caller -- but I don't want to do that. */
+ top_level_src_name = src_name;
+ top_level_dst_name = dst_name;
+
+ bool first_dir_created_per_command_line_arg = false;
+ return copy_internal (src_name, dst_name, nonexistent_dst, NULL, NULL,
+ options, true,
+ &first_dir_created_per_command_line_arg,
+ copy_into_self, rename_succeeded);
+}
+
+/* Set *X to the default options for a value of type struct cp_options. */
+
+extern void
+cp_options_default (struct cp_options *x)
+{
+ memset (x, 0, sizeof *x);
+#ifdef PRIV_FILE_CHOWN
+ {
+ priv_set_t *pset = priv_allocset ();
+ if (!pset)
+ xalloc_die ();
+ if (getppriv (PRIV_EFFECTIVE, pset) == 0)
+ {
+ x->chown_privileges = priv_ismember (pset, PRIV_FILE_CHOWN);
+ x->owner_privileges = priv_ismember (pset, PRIV_FILE_OWNER);
+ }
+ priv_freeset (pset);
+ }
+#else
+ x->chown_privileges = x->owner_privileges = (geteuid () == ROOT_UID);
+#endif
+ x->rename_errno = -1;
+}
+
+/* Return true if it's OK for chown to fail, where errno is
+ the error number that chown failed with and X is the copying
+ option set. */
+
+extern bool
+chown_failure_ok (struct cp_options const *x)
+{
+ /* If non-root uses -p, it's ok if we can't preserve ownership.
+ But root probably wants to know, e.g. if NFS disallows it,
+ or if the target system doesn't support file ownership. */
+
+ return ((errno == EPERM || errno == EINVAL) && !x->chown_privileges);
+}
+
+/* Similarly, return true if it's OK for chmod and similar operations
+ to fail, where errno is the error number that chmod failed with and
+ X is the copying option set. */
+
+static bool
+owner_failure_ok (struct cp_options const *x)
+{
+ return ((errno == EPERM || errno == EINVAL) && !x->owner_privileges);
+}
+
+/* Return the user's umask, caching the result.
+
+ FIXME: If the destination's parent directory has has a default ACL,
+ some operating systems (e.g., GNU/Linux's "POSIX" ACLs) use that
+ ACL's mask rather than the process umask. Currently, the callers
+ of cached_umask incorrectly assume that this situation cannot occur. */
+extern mode_t
+cached_umask (void)
+{
+ static mode_t mask = (mode_t) -1;
+ if (mask == (mode_t) -1)
+ {
+ mask = umask (0);
+ umask (mask);
+ }
+ return mask;
+}