devel/coreutils/coreutils-selinux.patch

diff -urNp coreutils-8.0-orig/configure.ac coreutils-8.0/configure.ac
--- coreutils-8.0-orig/configure.ac	2009-10-07 10:09:43.000000000 +0200
+++ coreutils-8.0/configure.ac	2009-10-07 10:10:11.000000000 +0200
@@ -122,6 +122,13 @@ AC_ARG_ENABLE(pam, dnl
 LIB_PAM="-ldl -lpam -lpam_misc"
 AC_SUBST(LIB_PAM)])
 
+dnl Give the chance to enable SELINUX
+AC_ARG_ENABLE(selinux, dnl
+[  --enable-selinux              Enable use of the SELINUX libraries],
+[AC_DEFINE(WITH_SELINUX, 1, [Define if you want to use SELINUX])
+LIB_SELINUX="-lselinux"
+AC_SUBST(LIB_SELINUX)])
+
 AC_FUNC_FORK
 
 optional_bin_progs=
diff -urNp coreutils-8.0-orig/configure.ac.orig coreutils-8.0/configure.ac.orig
--- coreutils-8.0-orig/configure.ac.orig	2009-10-07 10:09:43.000000000 +0200
+++ coreutils-8.0/configure.ac.orig	2009-10-07 10:09:43.000000000 +0200
@@ -115,6 +115,13 @@ if test "$gl_gcc_warnings" = yes; then
   AC_DEFINE([GNULIB_PORTCHECK], [1], [enable some gnulib portability checks])
 fi
 
+dnl Give the chance to enable PAM
+AC_ARG_ENABLE(pam, dnl
+[  --enable-pam              Enable use of the PAM libraries],
+[AC_DEFINE(USE_PAM, 1, [Define if you want to use PAM])
+LIB_PAM="-ldl -lpam -lpam_misc"
+AC_SUBST(LIB_PAM)])
+
 AC_FUNC_FORK
 
 optional_bin_progs=
diff -urNp coreutils-8.0-orig/man/chcon.x coreutils-8.0/man/chcon.x
--- coreutils-8.0-orig/man/chcon.x	2009-09-01 13:01:16.000000000 +0200
+++ coreutils-8.0/man/chcon.x	2009-10-07 10:10:11.000000000 +0200
@@ -1,4 +1,4 @@
 [NAME]
-chcon \- change file security context
+chcon \- change file SELinux security context
 [DESCRIPTION]
 .\" Add any additional description here
diff -urNp coreutils-8.0-orig/man/runcon.x coreutils-8.0/man/runcon.x
--- coreutils-8.0-orig/man/runcon.x	2009-09-01 13:01:16.000000000 +0200
+++ coreutils-8.0/man/runcon.x	2009-10-07 10:10:11.000000000 +0200
@@ -1,5 +1,5 @@
 [NAME]
-runcon \- run command with specified security context
+runcon \- run command with specified SELinux security context
 [DESCRIPTION]
 Run COMMAND with completely-specified CONTEXT, or with current or
 transitioned security context modified by one or more of LEVEL,
diff -urNp coreutils-8.0-orig/src/copy.c coreutils-8.0/src/copy.c
--- coreutils-8.0-orig/src/copy.c	2009-09-29 15:27:54.000000000 +0200
+++ coreutils-8.0/src/copy.c	2009-10-07 10:10:11.000000000 +0200
@@ -1943,6 +1943,8 @@ copy_internal (char const *src_name, cha
         {
           /* Here, we are crossing a file system boundary and cp's -x option
              is in effect: so don't copy the contents of this directory. */
+        if (x->preserve_security_context)
+           restore_default_fscreatecon_or_die ();
         }
       else
         {
diff -urNp coreutils-8.0-orig/src/copy.c.orig coreutils-8.0/src/copy.c.orig
--- coreutils-8.0-orig/src/copy.c.orig	1970-01-01 01:00:00.000000000 +0100
+++ coreutils-8.0/src/copy.c.orig	2009-09-29 15:27:54.000000000 +0200
@@ -0,0 +1,2369 @@
+/* copy.c -- core functions for copying files and directories
+   Copyright (C) 89, 90, 91, 1995-2009 Free Software Foundation, Inc.
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
+
+/* Extracted from cp.c and librarified by Jim Meyering.  */
+
+#include <config.h>
+#include <stdio.h>
+#include <assert.h>
+#include <sys/types.h>
+#include <selinux/selinux.h>
+
+#if HAVE_HURD_H
+# include <hurd.h>
+#endif
+#if HAVE_PRIV_H
+# include <priv.h>
+#endif
+
+#include "system.h"
+#include "acl.h"
+#include "backupfile.h"
+#include "buffer-lcm.h"
+#include "copy.h"
+#include "cp-hash.h"
+#include "error.h"
+#include "fcntl--.h"
+#include "file-set.h"
+#include "filemode.h"
+#include "filenamecat.h"
+#include "full-write.h"
+#include "hash.h"
+#include "hash-triple.h"
+#include "ignore-value.h"
+#include "quote.h"
+#include "same.h"
+#include "savedir.h"
+#include "stat-time.h"
+#include "utimecmp.h"
+#include "utimens.h"
+#include "write-any-file.h"
+#include "areadlink.h"
+#include "yesno.h"
+
+#if USE_XATTR
+# include <attr/error_context.h>
+# include <attr/libattr.h>
+# include <stdarg.h>
+# include "verror.h"
+#endif
+
+#if HAVE_SYS_IOCTL_H
+# include <sys/ioctl.h>
+#endif
+
+#ifndef HAVE_FCHOWN
+# define HAVE_FCHOWN false
+# define fchown(fd, uid, gid) (-1)
+#endif
+
+#ifndef HAVE_LCHOWN
+# define HAVE_LCHOWN false
+# define lchown(name, uid, gid) chown (name, uid, gid)
+#endif
+
+#ifndef HAVE_MKFIFO
+static int
+rpl_mkfifo (char const *file, mode_t mode)
+{
+  errno = ENOTSUP;
+  return -1;
+}
+# define mkfifo rpl_mkfifo
+#endif
+
+#ifndef USE_ACL
+# define USE_ACL 0
+#endif
+
+#define SAME_OWNER(A, B) ((A).st_uid == (B).st_uid)
+#define SAME_GROUP(A, B) ((A).st_gid == (B).st_gid)
+#define SAME_OWNER_AND_GROUP(A, B) (SAME_OWNER (A, B) && SAME_GROUP (A, B))
+
+struct dir_list
+{
+  struct dir_list *parent;
+  ino_t ino;
+  dev_t dev;
+};
+
+/* Initial size of the cp.dest_info hash table.  */
+#define DEST_INFO_INITIAL_CAPACITY 61
+
+static bool copy_internal (char const *src_name, char const *dst_name,
+                           bool new_dst, dev_t device,
+                           struct dir_list *ancestors,
+                           const struct cp_options *x,
+                           bool command_line_arg,
+                           bool *first_dir_created_per_command_line_arg,
+                           bool *copy_into_self,
+                           bool *rename_succeeded);
+static bool owner_failure_ok (struct cp_options const *x);
+
+/* Pointers to the file names:  they're used in the diagnostic that is issued
+   when we detect the user is trying to copy a directory into itself.  */
+static char const *top_level_src_name;
+static char const *top_level_dst_name;
+
+/* Set the timestamp of symlink, FILE, to TIMESPEC.
+   If this system lacks support for that, simply return 0.  */
+static inline int
+utimens_symlink (char const *file, struct timespec const *timespec)
+{
+  int err = 0;
+
+#if HAVE_UTIMENSAT
+  err = utimensat (AT_FDCWD, file, timespec, AT_SYMLINK_NOFOLLOW);
+  /* When configuring on a system with new headers and libraries, and
+     running on one with a kernel that is old enough to lack the syscall,
+     utimensat fails with ENOSYS.  Ignore that.  */
+  if (err && errno == ENOSYS)
+    err = 0;
+#else
+  (void) file;
+  (void) timespec;
+#endif
+
+  return err;
+}
+
+/* Perform the O(1) btrfs clone operation, if possible.
+   Upon success, return 0.  Otherwise, return -1 and set errno.  */
+static inline int
+clone_file (int dest_fd, int src_fd)
+{
+#ifdef __linux__
+# undef BTRFS_IOCTL_MAGIC
+# define BTRFS_IOCTL_MAGIC 0x94
+# undef BTRFS_IOC_CLONE
+# define BTRFS_IOC_CLONE _IOW (BTRFS_IOCTL_MAGIC, 9, int)
+  return ioctl (dest_fd, BTRFS_IOC_CLONE, src_fd);
+#else
+  (void) dest_fd;
+  (void) src_fd;
+  errno = ENOTSUP;
+  return -1;
+#endif
+}
+
+/* FIXME: describe */
+/* FIXME: rewrite this to use a hash table so we avoid the quadratic
+   performance hit that's probably noticeable only on trees deeper
+   than a few hundred levels.  See use of active_dir_map in remove.c  */
+
+static bool
+is_ancestor (const struct stat *sb, const struct dir_list *ancestors)
+{
+  while (ancestors != 0)
+    {
+      if (ancestors->ino == sb->st_ino && ancestors->dev == sb->st_dev)
+        return true;
+      ancestors = ancestors->parent;
+    }
+  return false;
+}
+
+static bool
+errno_unsupported (int err)
+{
+  return err == ENOTSUP || err == ENODATA;
+}
+
+#if USE_XATTR
+static void
+copy_attr_error (struct error_context *ctx ATTRIBUTE_UNUSED,
+                 char const *fmt, ...)
+{
+  int err = errno;
+  va_list ap;
+
+  if (!errno_unsupported (errno))
+    {
+      /* use verror module to print error message */
+      va_start (ap, fmt);
+      verror (0, err, fmt, ap);
+      va_end (ap);
+    }
+}
+
+static void
+copy_attr_allerror (struct error_context *ctx ATTRIBUTE_UNUSED,
+                 char const *fmt, ...)
+{
+  int err = errno;
+  va_list ap;
+
+  /* use verror module to print error message */
+  va_start (ap, fmt);
+  verror (0, err, fmt, ap);
+  va_end (ap);
+}
+
+static char const *
+copy_attr_quote (struct error_context *ctx ATTRIBUTE_UNUSED, char const *str)
+{
+  return quote (str);
+}
+
+static void
+copy_attr_free (struct error_context *ctx ATTRIBUTE_UNUSED,
+                char const *str ATTRIBUTE_UNUSED)
+{
+}
+
+static bool
+copy_attr_by_fd (char const *src_path, int src_fd,
+                 char const *dst_path, int dst_fd, const struct cp_options *x)
+{
+  struct error_context ctx =
+  {
+    .error = x->require_preserve_xattr ? copy_attr_allerror : copy_attr_error,
+    .quote = copy_attr_quote,
+    .quote_free = copy_attr_free
+  };
+  return 0 == attr_copy_fd (src_path, src_fd, dst_path, dst_fd, 0,
+                            (x->reduce_diagnostics
+                             && !x->require_preserve_xattr)? NULL : &ctx);
+}
+
+static bool
+copy_attr_by_name (char const *src_path, char const *dst_path,
+                   const struct cp_options *x)
+{
+  struct error_context ctx =
+  {
+    .error = x->require_preserve_xattr ? copy_attr_allerror : copy_attr_error,
+    .quote = copy_attr_quote,
+    .quote_free = copy_attr_free
+  };
+  return 0 == attr_copy_file (src_path, dst_path, 0,
+                              (x-> reduce_diagnostics
+                               && !x->require_preserve_xattr) ? NULL : &ctx);
+}
+#else /* USE_XATTR */
+
+static bool
+copy_attr_by_fd (char const *src_path ATTRIBUTE_UNUSED,
+                 int src_fd ATTRIBUTE_UNUSED,
+                 char const *dst_path ATTRIBUTE_UNUSED,
+                 int dst_fd ATTRIBUTE_UNUSED,
+                 const struct cp_options *x ATTRIBUTE_UNUSED)
+{
+  return true;
+}
+
+static bool
+copy_attr_by_name (char const *src_path ATTRIBUTE_UNUSED,
+                   char const *dst_path ATTRIBUTE_UNUSED,
+                   const struct cp_options *x ATTRIBUTE_UNUSED)
+{
+  return true;
+}
+#endif /* USE_XATTR */
+
+/* Read the contents of the directory SRC_NAME_IN, and recursively
+   copy the contents to DST_NAME_IN.  NEW_DST is true if
+   DST_NAME_IN is a directory that was created previously in the
+   recursion.   SRC_SB and ANCESTORS describe SRC_NAME_IN.
+   Set *COPY_INTO_SELF if SRC_NAME_IN is a parent of
+   FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG  FIXME
+   (or the same as) DST_NAME_IN; otherwise, clear it.
+   Return true if successful.  */
+
+static bool
+copy_dir (char const *src_name_in, char const *dst_name_in, bool new_dst,
+          const struct stat *src_sb, struct dir_list *ancestors,
+          const struct cp_options *x,
+          bool *first_dir_created_per_command_line_arg,
+          bool *copy_into_self)
+{
+  char *name_space;
+  char *namep;
+  struct cp_options non_command_line_options = *x;
+  bool ok = true;
+
+  name_space = savedir (src_name_in);
+  if (name_space == NULL)
+    {
+      /* This diagnostic is a bit vague because savedir can fail in
+         several different ways.  */
+      error (0, errno, _("cannot access %s"), quote (src_name_in));
+      return false;
+    }
+
+  /* For cp's -H option, dereference command line arguments, but do not
+     dereference symlinks that are found via recursive traversal.  */
+  if (x->dereference == DEREF_COMMAND_LINE_ARGUMENTS)
+    non_command_line_options.dereference = DEREF_NEVER;
+
+  namep = name_space;
+  while (*namep != '\0')
+    {
+      bool local_copy_into_self;
+      char *src_name = file_name_concat (src_name_in, namep, NULL);
+      char *dst_name = file_name_concat (dst_name_in, namep, NULL);
+
+      ok &= copy_internal (src_name, dst_name, new_dst, src_sb->st_dev,
+                           ancestors, &non_command_line_options, false,
+                           first_dir_created_per_command_line_arg,
+                           &local_copy_into_self, NULL);
+      *copy_into_self |= local_copy_into_self;
+
+      free (dst_name);
+      free (src_name);
+
+      /* If we're copying into self, there's no point in continuing,
+         and in fact, that would even infloop, now that we record only
+         the first created directory per command line argument.  */
+      if (local_copy_into_self)
+        break;
+
+      namep += strlen (namep) + 1;
+    }
+  free (name_space);
+  return ok;
+}
+
+/* Set the owner and owning group of DEST_DESC to the st_uid and
+   st_gid fields of SRC_SB.  If DEST_DESC is undefined (-1), set
+   the owner and owning group of DST_NAME instead; for
+   safety prefer lchown if the system supports it since no
+   symbolic links should be involved.  DEST_DESC must
+   refer to the same file as DEST_NAME if defined.
+   Upon failure to set both UID and GID, try to set only the GID.
+   NEW_DST is true if the file was newly created; otherwise,
+   DST_SB is the status of the destination.
+   Return 1 if the initial syscall succeeds, 0 if it fails but it's OK
+   not to preserve ownership, -1 otherwise.  */
+
+static int
+set_owner (const struct cp_options *x, char const *dst_name, int dest_desc,
+           struct stat const *src_sb, bool new_dst,
+           struct stat const *dst_sb)
+{
+  uid_t uid = src_sb->st_uid;
+  gid_t gid = src_sb->st_gid;
+
+  /* Naively changing the ownership of an already-existing file before
+     changing its permissions would create a window of vulnerability if
+     the file's old permissions are too generous for the new owner and
+     group.  Avoid the window by first changing to a restrictive
+     temporary mode if necessary.  */
+
+  if (!new_dst && (x->preserve_mode || x->move_mode || x->set_mode))
+    {
+      mode_t old_mode = dst_sb->st_mode;
+      mode_t new_mode =
+        (x->preserve_mode || x->move_mode ? src_sb->st_mode : x->mode);
+      mode_t restrictive_temp_mode = old_mode & new_mode & S_IRWXU;
+
+      if ((USE_ACL
+           || (old_mode & CHMOD_MODE_BITS
+               & (~new_mode | S_ISUID | S_ISGID | S_ISVTX)))
+          && qset_acl (dst_name, dest_desc, restrictive_temp_mode) != 0)
+        {
+          if (! owner_failure_ok (x))
+            error (0, errno, _("clearing permissions for %s"), quote (dst_name));
+          return -x->require_preserve;
+        }
+    }
+
+  if (HAVE_FCHOWN && dest_desc != -1)
+    {
+      if (fchown (dest_desc, uid, gid) == 0)
+        return 1;
+      if (errno == EPERM || errno == EINVAL)
+        {
+          /* We've failed to set *both*.  Now, try to set just the group
+             ID, but ignore any failure here, and don't change errno.  */
+          int saved_errno = errno;
+          ignore_value (fchown (dest_desc, -1, gid));
+          errno = saved_errno;
+        }
+    }
+  else
+    {
+      if (lchown (dst_name, uid, gid) == 0)
+        return 1;
+      if (errno == EPERM || errno == EINVAL)
+        {
+          /* We've failed to set *both*.  Now, try to set just the group
+             ID, but ignore any failure here, and don't change errno.  */
+          int saved_errno = errno;
+          ignore_value (lchown (dst_name, -1, gid));
+          errno = saved_errno;
+        }
+    }
+
+  if (! chown_failure_ok (x))
+    {
+      error (0, errno, _("failed to preserve ownership for %s"),
+             quote (dst_name));
+      if (x->require_preserve)
+        return -1;
+    }
+
+  return 0;
+}
+
+/* Set the st_author field of DEST_DESC to the st_author field of
+   SRC_SB. If DEST_DESC is undefined (-1), set the st_author field
+   of DST_NAME instead.  DEST_DESC must refer to the same file as
+   DEST_NAME if defined.  */
+
+static void
+set_author (const char *dst_name, int dest_desc, const struct stat *src_sb)
+{
+#if HAVE_STRUCT_STAT_ST_AUTHOR
+  /* FIXME: Modify the following code so that it does not
+     follow symbolic links.  */
+
+  /* Preserve the st_author field.  */
+  file_t file = (dest_desc < 0
+                 ? file_name_lookup (dst_name, 0, 0)
+                 : getdport (dest_desc));
+  if (file == MACH_PORT_NULL)
+    error (0, errno, _("failed to lookup file %s"), quote (dst_name));
+  else
+    {
+      error_t err = file_chauthor (file, src_sb->st_author);
+      if (err)
+        error (0, err, _("failed to preserve authorship for %s"),
+               quote (dst_name));
+      mach_port_deallocate (mach_task_self (), file);
+    }
+#else
+  (void) dst_name;
+  (void) dest_desc;
+  (void) src_sb;
+#endif
+}
+
+/* Change the file mode bits of the file identified by DESC or NAME to MODE.
+   Use DESC if DESC is valid and fchmod is available, NAME otherwise.  */
+
+static int
+fchmod_or_lchmod (int desc, char const *name, mode_t mode)
+{
+#if HAVE_FCHMOD
+  if (0 <= desc)
+    return fchmod (desc, mode);
+#endif
+  return lchmod (name, mode);
+}
+
+/* Copy a regular file from SRC_NAME to DST_NAME.
+   If the source file contains holes, copies holes and blocks of zeros
+   in the source file as holes in the destination file.
+   (Holes are read as zeroes by the `read' system call.)
+   When creating the destination, use DST_MODE & ~OMITTED_PERMISSIONS
+   as the third argument in the call to open, adding
+   OMITTED_PERMISSIONS after copying as needed.
+   X provides many option settings.
+   Return true if successful.
+   *NEW_DST is as in copy_internal.
+   SRC_SB is the result of calling XSTAT (aka stat) on SRC_NAME.  */
+
+static bool
+copy_reg (char const *src_name, char const *dst_name,
+          const struct cp_options *x,
+          mode_t dst_mode, mode_t omitted_permissions, bool *new_dst,
+          struct stat const *src_sb)
+{
+  char *buf;
+  char *buf_alloc = NULL;
+  char *name_alloc = NULL;
+  int dest_desc;
+  int dest_errno;
+  int source_desc;
+  mode_t src_mode = src_sb->st_mode;
+  struct stat sb;
+  struct stat src_open_sb;
+  bool return_val = true;
+  bool data_copy_required = true;
+
+  source_desc = open (src_name,
+                      (O_RDONLY | O_BINARY
+                       | (x->dereference == DEREF_NEVER ? O_NOFOLLOW : 0)));
+  if (source_desc < 0)
+    {
+      error (0, errno, _("cannot open %s for reading"), quote (src_name));
+      return false;
+    }
+
+  if (fstat (source_desc, &src_open_sb) != 0)
+    {
+      error (0, errno, _("cannot fstat %s"), quote (src_name));
+      return_val = false;
+      goto close_src_desc;
+    }
+
+  /* Compare the source dev/ino from the open file to the incoming,
+     saved ones obtained via a previous call to stat.  */
+  if (! SAME_INODE (*src_sb, src_open_sb))
+    {
+      error (0, 0,
+             _("skipping file %s, as it was replaced while being copied"),
+             quote (src_name));
+      return_val = false;
+      goto close_src_desc;
+    }
+
+  /* The semantics of the following open calls are mandated
+     by the specs for both cp and mv.  */
+  if (! *new_dst)
+    {
+      dest_desc = open (dst_name, O_WRONLY | O_TRUNC | O_BINARY);
+      dest_errno = errno;
+
+      /* When using cp --preserve=context to copy to an existing destination,
+         use the default context rather than that of the source.  Why?
+         1) the src context may prohibit writing, and
+         2) because it's more consistent to use the same context
+         that is used when the destination file doesn't already exist.  */
+      if (x->preserve_security_context && 0 <= dest_desc)
+        {
+          security_context_t con = NULL;
+          if (getfscreatecon (&con) < 0)
+            {
+              if (!x->reduce_diagnostics || x->require_preserve_context)
+                error (0, errno, _("failed to get file system create context"));
+              if (x->require_preserve_context)
+                {
+                  return_val = false;
+                  goto close_src_and_dst_desc;
+                }
+            }
+
+          if (con)
+            {
+              if (fsetfilecon (dest_desc, con) < 0)
+                {
+                  if (!x->reduce_diagnostics || x->require_preserve_context)
+                    error (0, errno,
+                           _("failed to set the security context of %s to %s"),
+                           quote_n (0, dst_name), quote_n (1, con));
+                  if (x->require_preserve_context)
+                    {
+                      return_val = false;
+                      freecon (con);
+                      goto close_src_and_dst_desc;
+                    }
+                }
+              freecon (con);
+            }
+        }
+
+      if (dest_desc < 0 && x->unlink_dest_after_failed_open)
+        {
+          if (unlink (dst_name) != 0)
+            {
+              error (0, errno, _("cannot remove %s"), quote (dst_name));
+              return_val = false;
+              goto close_src_desc;
+            }
+          if (x->verbose)
+            printf (_("removed %s\n"), quote (dst_name));
+
+          /* Tell caller that the destination file was unlinked.  */
+          *new_dst = true;
+        }
+    }
+
+  if (*new_dst)
+    {
+      int open_flags = O_WRONLY | O_CREAT | O_BINARY;
+      dest_desc = open (dst_name, open_flags | O_EXCL,
+                        dst_mode & ~omitted_permissions);
+      dest_errno = errno;
+
+      /* When trying to copy through a dangling destination symlink,
+         the above open fails with EEXIST.  If that happens, and
+         lstat'ing the DST_NAME shows that it is a symlink, then we
+         have a problem: trying to resolve this dangling symlink to
+         a directory/destination-entry pair is fundamentally racy,
+         so punt.  If POSIXLY_CORRECT is set, simply call open again,
+         but without O_EXCL (potentially dangerous).  If not, fail
+         with a diagnostic.  These shenanigans are necessary only
+         when copying, i.e., not in move_mode.  */
+      if (dest_desc < 0 && dest_errno == EEXIST && ! x->move_mode)
+        {
+          struct stat dangling_link_sb;
+          if (lstat (dst_name, &dangling_link_sb) == 0
+              && S_ISLNK (dangling_link_sb.st_mode))
+            {
+              if (x->open_dangling_dest_symlink)
+                {
+                  dest_desc = open (dst_name, open_flags,
+                                    dst_mode & ~omitted_permissions);
+                  dest_errno = errno;
+                }
+              else
+                {
+                  error (0, 0, _("not writing through dangling symlink %s"),
+                         quote (dst_name));
+                  return_val = false;
+                  goto close_src_desc;
+                }
+            }
+        }
+    }
+  else
+    omitted_permissions = 0;
+
+  if (dest_desc < 0)
+    {
+      error (0, dest_errno, _("cannot create regular file %s"),
+             quote (dst_name));
+      return_val = false;
+      goto close_src_desc;
+    }
+
+  if (fstat (dest_desc, &sb) != 0)
+    {
+      error (0, errno, _("cannot fstat %s"), quote (dst_name));
+      return_val = false;
+      goto close_src_and_dst_desc;
+    }
+
+  if (x->reflink_mode)
+    {
+      bool clone_ok = clone_file (dest_desc, source_desc) == 0;
+      if (clone_ok || x->reflink_mode == REFLINK_ALWAYS)
+        {
+          if (!clone_ok)
+            {
+              error (0, errno, _("failed to clone %s"), quote (dst_name));
+              return_val = false;
+              goto close_src_and_dst_desc;
+            }
+          data_copy_required = false;
+        }
+    }
+
+  if (data_copy_required)
+    {
+      typedef uintptr_t word;
+      off_t n_read_total = 0;
+
+      /* Choose a suitable buffer size; it may be adjusted later.  */
+      size_t buf_alignment = lcm (getpagesize (), sizeof (word));
+      size_t buf_alignment_slop = sizeof (word) + buf_alignment - 1;
+      size_t buf_size = io_blksize (sb);
+
+      /* Deal with sparse files.  */
+      bool last_write_made_hole = false;
+      bool make_holes = false;
+
+      if (S_ISREG (sb.st_mode))
+        {
+          /* Even with --sparse=always, try to create holes only
+             if the destination is a regular file.  */
+          if (x->sparse_mode == SPARSE_ALWAYS)
+            make_holes = true;
+
+#if HAVE_STRUCT_STAT_ST_BLOCKS
+          /* Use a heuristic to determine whether SRC_NAME contains any sparse
+             blocks.  If the file has fewer blocks than would normally be
+             needed for a file of its size, then at least one of the blocks in
+             the file is a hole.  */
+          if (x->sparse_mode == SPARSE_AUTO && S_ISREG (src_open_sb.st_mode)
+              && ST_NBLOCKS (src_open_sb) < src_open_sb.st_size / ST_NBLOCKSIZE)
+            make_holes = true;
+#endif
+        }
+
+      /* If not making a sparse file, try to use a more-efficient
+         buffer size.  */
+      if (! make_holes)
+        {
+          /* Compute the least common multiple of the input and output
+             buffer sizes, adjusting for outlandish values.  */
+          size_t blcm_max = MIN (SIZE_MAX, SSIZE_MAX) - buf_alignment_slop;
+          size_t blcm = buffer_lcm (io_blksize (src_open_sb), buf_size,
+                                    blcm_max);
+
+          /* Do not bother with a buffer larger than the input file, plus one
+             byte to make sure the file has not grown while reading it.  */
+          if (S_ISREG (src_open_sb.st_mode) && src_open_sb.st_size < buf_size)
+            buf_size = src_open_sb.st_size + 1;
+
+          /* However, stick with a block size that is a positive multiple of
+             blcm, overriding the above adjustments.  Watch out for
+             overflow.  */
+          buf_size += blcm - 1;
+          buf_size -= buf_size % blcm;
+          if (buf_size == 0 || blcm_max < buf_size)
+            buf_size = blcm;
+        }
+
+      /* Make a buffer with space for a sentinel at the end.  */
+      buf_alloc = xmalloc (buf_size + buf_alignment_slop);
+      buf = ptr_align (buf_alloc, buf_alignment);
+
+      for (;;)
+        {
+          word *wp = NULL;
+
+          ssize_t n_read = read (source_desc, buf, buf_size);
+          if (n_read < 0)
+            {
+#ifdef EINTR
+              if (errno == EINTR)
+                continue;
+#endif
+              error (0, errno, _("reading %s"), quote (src_name));
+              return_val = false;
+              goto close_src_and_dst_desc;
+            }
+          if (n_read == 0)
+            break;
+
+          n_read_total += n_read;
+
+          if (make_holes)
+            {
+              char *cp;
+
+              /* Sentinel to stop loop.  */
+              buf[n_read] = '\1';
+#ifdef lint
+              /* Usually, buf[n_read] is not the byte just before a "word"
+                 (aka uintptr_t) boundary.  In that case, the word-oriented
+                 test below (*wp++ == 0) would read some uninitialized bytes
+                 after the sentinel.  To avoid false-positive reports about
+                 this condition (e.g., from a tool like valgrind), set the
+                 remaining bytes -- to any value.  */
+              memset (buf + n_read + 1, 0, sizeof (word) - 1);
+#endif
+
+              /* Find first nonzero *word*, or the word with the sentinel.  */
+
+              wp = (word *) buf;
+              while (*wp++ == 0)
+                continue;
+
+              /* Find the first nonzero *byte*, or the sentinel.  */
+
+              cp = (char *) (wp - 1);
+              while (*cp++ == 0)
+                continue;
+
+              if (cp <= buf + n_read)
+                /* Clear to indicate that a normal write is needed. */
+                wp = NULL;
+              else
+                {
+                  /* We found the sentinel, so the whole input block was zero.
+                     Make a hole.  */
+                  if (lseek (dest_desc, n_read, SEEK_CUR) < 0)
+                    {
+                      error (0, errno, _("cannot lseek %s"), quote (dst_name));
+                      return_val = false;
+                      goto close_src_and_dst_desc;
+                    }
+                  last_write_made_hole = true;
+                }
+            }
+
+          if (!wp)
+            {
+              size_t n = n_read;
+              if (full_write (dest_desc, buf, n) != n)
+                {
+                  error (0, errno, _("writing %s"), quote (dst_name));
+                  return_val = false;
+                  goto close_src_and_dst_desc;
+                }
+              last_write_made_hole = false;
+
+              /* It is tempting to return early here upon a short read from a
+                 regular file.  That would save the final read syscall for each
+                 file.  Unfortunately that doesn't work for certain files in
+                 /proc with linux kernels from at least 2.6.9 .. 2.6.29.  */
+            }
+        }
+
+      /* If the file ends with a `hole', we need to do something to record
+         the length of the file.  On modern systems, calling ftruncate does
+         the job.  On systems without native ftruncate support, we have to
+         write a byte at the ending position.  Otherwise the kernel would
+         truncate the file at the end of the last write operation.  */
+
+      if (last_write_made_hole)
+        {
+          if (HAVE_FTRUNCATE
+              ? /* ftruncate sets the file size,
+                   so there is no need for a write.  */
+              ftruncate (dest_desc, n_read_total) < 0
+              : /* Seek backwards one character and write a null.  */
+              (lseek (dest_desc, (off_t) -1, SEEK_CUR) < 0L
+               || full_write (dest_desc, "", 1) != 1))
+            {
+              error (0, errno, _("writing %s"), quote (dst_name));
+              return_val = false;
+              goto close_src_and_dst_desc;
+            }
+        }
+    }
+
+  if (x->preserve_timestamps)
+    {
+      struct timespec timespec[2];
+      timespec[0] = get_stat_atime (src_sb);
+      timespec[1] = get_stat_mtime (src_sb);
+
+      if (gl_futimens (dest_desc, dst_name, timespec) != 0)
+        {
+          error (0, errno, _("preserving times for %s"), quote (dst_name));
+          if (x->require_preserve)
+            {
+              return_val = false;
+              goto close_src_and_dst_desc;
+            }
+        }
+    }
+
+  /* To allow copying xattrs on read-only files, temporarily chmod u+rw.
+     This workaround is required as an inode permission check is done
+     by xattr_permission() in fs/xattr.c of the GNU/Linux kernel tree.  */
+  if (x->preserve_xattr)
+    {
+      bool access_changed = false;
+
+      if (!(sb.st_mode & S_IWUSR) && geteuid() != 0)
+        access_changed = fchmod_or_lchmod (dest_desc, dst_name, 0600) == 0;
+
+      if (!copy_attr_by_fd (src_name, source_desc, dst_name, dest_desc, x)
+          && x->require_preserve_xattr)
+        return_val = false;
+
+      if (access_changed)
+        fchmod_or_lchmod (dest_desc, dst_name, dst_mode & ~omitted_permissions);
+    }
+
+  if (x->preserve_ownership && ! SAME_OWNER_AND_GROUP (*src_sb, sb))
+    {
+      switch (set_owner (x, dst_name, dest_desc, src_sb, *new_dst, &sb))
+        {
+        case -1:
+          return_val = false;
+          goto close_src_and_dst_desc;
+
+        case 0:
+          src_mode &= ~ (S_ISUID | S_ISGID | S_ISVTX);
+          break;
+        }
+    }
+
+  set_author (dst_name, dest_desc, src_sb);
+
+  if (x->preserve_mode || x->move_mode)
+    {
+      if (copy_acl (src_name, source_desc, dst_name, dest_desc, src_mode) != 0
+          && x->require_preserve)
+        return_val = false;
+    }
+  else if (x->set_mode)
+    {
+      if (set_acl (dst_name, dest_desc, x->mode) != 0)
+        return_val = false;
+    }
+  else if (omitted_permissions)
+    {
+      omitted_permissions &= ~ cached_umask ();
+      if (omitted_permissions
+          && fchmod_or_lchmod (dest_desc, dst_name, dst_mode) != 0)
+        {
+          error (0, errno, _("preserving permissions for %s"),
+                 quote (dst_name));
+          if (x->require_preserve)
+            return_val = false;
+        }
+    }
+
+close_src_and_dst_desc:
+  if (close (dest_desc) < 0)
+    {
+      error (0, errno, _("closing %s"), quote (dst_name));
+      return_val = false;
+    }
+close_src_desc:
+  if (close (source_desc) < 0)
+    {
+      error (0, errno, _("closing %s"), quote (src_name));
+      return_val = false;
+    }
+
+  free (buf_alloc);
+  free (name_alloc);
+  return return_val;
+}
+
+/* Return true if it's ok that the source and destination
+   files are the `same' by some measure.  The goal is to avoid
+   making the `copy' operation remove both copies of the file
+   in that case, while still allowing the user to e.g., move or
+   copy a regular file onto a symlink that points to it.
+   Try to minimize the cost of this function in the common case.
+   Set *RETURN_NOW if we've determined that the caller has no more
+   work to do and should return successfully, right away.
+
+   Set *UNLINK_SRC if we've determined that the caller wants to do
+   `rename (a, b)' where `a' and `b' are distinct hard links to the same
+   file. In that case, the caller should try to unlink `a' and then return
+   successfully.  Ideally, we wouldn't have to do that, and we'd be
+   able to rely on rename to remove the source file.  However, POSIX
+   mistakenly requires that such a rename call do *nothing* and return
+   successfully.  */
+
+static bool
+same_file_ok (char const *src_name, struct stat const *src_sb,
+              char const *dst_name, struct stat const *dst_sb,
+              const struct cp_options *x, bool *return_now, bool *unlink_src)
+{
+  const struct stat *src_sb_link;
+  const struct stat *dst_sb_link;
+  struct stat tmp_dst_sb;
+  struct stat tmp_src_sb;
+
+  bool same_link;
+  bool same = SAME_INODE (*src_sb, *dst_sb);
+
+  *return_now = false;
+  *unlink_src = false;
+
+  /* FIXME: this should (at the very least) be moved into the following
+     if-block.  More likely, it should be removed, because it inhibits
+     making backups.  But removing it will result in a change in behavior
+     that will probably have to be documented -- and tests will have to
+     be updated.  */
+  if (same && x->hard_link)
+    {
+      *return_now = true;
+      return true;
+    }
+
+  if (x->dereference == DEREF_NEVER)
+    {
+      same_link = same;
+
+      /* If both the source and destination files are symlinks (and we'll
+         know this here IFF preserving symlinks), then it's ok -- as long
+         as they are distinct.  */
+      if (S_ISLNK (src_sb->st_mode) && S_ISLNK (dst_sb->st_mode))
+        return ! same_name (src_name, dst_name);
+
+      src_sb_link = src_sb;
+      dst_sb_link = dst_sb;
+    }
+  else
+    {
+      if (!same)
+        return true;
+
+      if (lstat (dst_name, &tmp_dst_sb) != 0
+          || lstat (src_name, &tmp_src_sb) != 0)
+        return true;
+
+      src_sb_link = &tmp_src_sb;
+      dst_sb_link = &tmp_dst_sb;
+
+      same_link = SAME_INODE (*src_sb_link, *dst_sb_link);
+
+      /* If both are symlinks, then it's ok, but only if the destination
+         will be unlinked before being opened.  This is like the test
+         above, but with the addition of the unlink_dest_before_opening
+         conjunct because otherwise, with two symlinks to the same target,
+         we'd end up truncating the source file.  */
+      if (S_ISLNK (src_sb_link->st_mode) && S_ISLNK (dst_sb_link->st_mode)
+          && x->unlink_dest_before_opening)
+        return true;
+    }
+
+  /* The backup code ensures there's a copy, so it's usually ok to
+     remove any destination file.  One exception is when both
+     source and destination are the same directory entry.  In that
+     case, moving the destination file aside (in making the backup)
+     would also rename the source file and result in an error.  */
+  if (x->backup_type != no_backups)
+    {
+      if (!same_link)
+        {
+          /* In copy mode when dereferencing symlinks, if the source is a
+             symlink and the dest is not, then backing up the destination
+             (moving it aside) would make it a dangling symlink, and the
+             subsequent attempt to open it in copy_reg would fail with
+             a misleading diagnostic.  Avoid that by returning zero in
+             that case so the caller can make cp (or mv when it has to
+             resort to reading the source file) fail now.  */
+
+          /* FIXME-note: even with the following kludge, we can still provoke
+             the offending diagnostic.  It's just a little harder to do :-)
+             $ rm -f a b c; touch c; ln -s c b; ln -s b a; cp -b a b
+             cp: cannot open `a' for reading: No such file or directory
+             That's misleading, since a subsequent `ls' shows that `a'
+             is still there.
+             One solution would be to open the source file *before* moving
+             aside the destination, but that'd involve a big rewrite. */
+          if ( ! x->move_mode
+               && x->dereference != DEREF_NEVER
+               && S_ISLNK (src_sb_link->st_mode)
+               && ! S_ISLNK (dst_sb_link->st_mode))
+            return false;
+
+          return true;
+        }
+
+      return ! same_name (src_name, dst_name);
+    }
+
+#if 0
+  /* FIXME: use or remove */
+
+  /* If we're making a backup, we'll detect the problem case in
+     copy_reg because SRC_NAME will no longer exist.  Allowing
+     the test to be deferred lets cp do some useful things.
+     But when creating hardlinks and SRC_NAME is a symlink
+     but DST_NAME is not we must test anyway.  */
+  if (x->hard_link
+      || !S_ISLNK (src_sb_link->st_mode)
+      || S_ISLNK (dst_sb_link->st_mode))
+    return true;
+
+  if (x->dereference != DEREF_NEVER)
+    return true;
+#endif
+
+  /* They may refer to the same file if we're in move mode and the
+     target is a symlink.  That is ok, since we remove any existing
+     destination file before opening it -- via `rename' if they're on
+     the same file system, via `unlink (DST_NAME)' otherwise.
+     It's also ok if they're distinct hard links to the same file.  */
+  if (x->move_mode || x->unlink_dest_before_opening)
+    {
+      if (S_ISLNK (dst_sb_link->st_mode))
+        return true;
+
+      if (same_link
+          && 1 < dst_sb_link->st_nlink
+          && ! same_name (src_name, dst_name))
+        {
+          if (x->move_mode)
+            {
+              *unlink_src = true;
+              *return_now = true;
+            }
+          return true;
+        }
+    }
+
+  /* If neither is a symlink, then it's ok as long as they aren't
+     hard links to the same file.  */
+  if (!S_ISLNK (src_sb_link->st_mode) && !S_ISLNK (dst_sb_link->st_mode))
+    {
+      if (!SAME_INODE (*src_sb_link, *dst_sb_link))
+        return true;
+
+      /* If they are the same file, it's ok if we're making hard links.  */
+      if (x->hard_link)
+        {
+          *return_now = true;
+          return true;
+        }
+    }
+
+  /* It's ok to remove a destination symlink.  But that works only when we
+     unlink before opening the destination and when the source and destination
+     files are on the same partition.  */
+  if (x->unlink_dest_before_opening
+      && S_ISLNK (dst_sb_link->st_mode))
+    return dst_sb_link->st_dev == src_sb_link->st_dev;
+
+  if (x->dereference == DEREF_NEVER)
+    {
+      if ( ! S_ISLNK (src_sb_link->st_mode))
+        tmp_src_sb = *src_sb_link;
+      else if (stat (src_name, &tmp_src_sb) != 0)
+        return true;
+
+      if ( ! S_ISLNK (dst_sb_link->st_mode))
+        tmp_dst_sb = *dst_sb_link;
+      else if (stat (dst_name, &tmp_dst_sb) != 0)
+        return true;
+
+      if ( ! SAME_INODE (tmp_src_sb, tmp_dst_sb))
+        return true;
+
+      /* FIXME: shouldn't this be testing whether we're making symlinks?  */
+      if (x->hard_link)
+        {
+          *return_now = true;
+          return true;
+        }
+    }
+
+  return false;
+}
+
+/* Return true if FILE, with mode MODE, is writable in the sense of 'mv'.
+   Always consider a symbolic link to be writable.  */
+static bool
+writable_destination (char const *file, mode_t mode)
+{
+  return (S_ISLNK (mode)
+          || can_write_any_file ()
+          || euidaccess (file, W_OK) == 0);
+}
+
+static void
+overwrite_prompt (char const *dst_name, struct stat const *dst_sb)
+{
+  if (! writable_destination (dst_name, dst_sb->st_mode))
+    {
+      char perms[12];		/* "-rwxrwxrwx " ls-style modes. */
+      strmode (dst_sb->st_mode, perms);
+      perms[10] = '\0';
+      fprintf (stderr,
+               _("%s: try to overwrite %s, overriding mode %04lo (%s)? "),
+               program_name, quote (dst_name),
+               (unsigned long int) (dst_sb->st_mode & CHMOD_MODE_BITS),
+               &perms[1]);
+    }
+  else
+    {
+      fprintf (stderr, _("%s: overwrite %s? "),
+               program_name, quote (dst_name));
+    }
+}
+
+/* Initialize the hash table implementing a set of F_triple entries
+   corresponding to destination files.  */
+extern void
+dest_info_init (struct cp_options *x)
+{
+  x->dest_info
+    = hash_initialize (DEST_INFO_INITIAL_CAPACITY,
+                       NULL,
+                       triple_hash,
+                       triple_compare,
+                       triple_free);
+}
+
+/* Initialize the hash table implementing a set of F_triple entries
+   corresponding to source files listed on the command line.  */
+extern void
+src_info_init (struct cp_options *x)
+{
+
+  /* Note that we use triple_hash_no_name here.
+     Contrast with the use of triple_hash above.
+     That is necessary because a source file may be specified
+     in many different ways.  We want to warn about this
+       cp a a d/
+     as well as this:
+       cp a ./a d/
+  */
+  x->src_info
+    = hash_initialize (DEST_INFO_INITIAL_CAPACITY,
+                       NULL,
+                       triple_hash_no_name,
+                       triple_compare,
+                       triple_free);
+}
+
+/* When effecting a move (e.g., for mv(1)), and given the name DST_NAME
+   of the destination and a corresponding stat buffer, DST_SB, return
+   true if the logical `move' operation should _not_ proceed.
+   Otherwise, return false.
+   Depending on options specified in X, this code may issue an
+   interactive prompt asking whether it's ok to overwrite DST_NAME.  */
+static bool
+abandon_move (const struct cp_options *x,
+              char const *dst_name,
+              struct stat const *dst_sb)
+{
+  assert (x->move_mode);
+  return (x->interactive == I_ALWAYS_NO
+          || ((x->interactive == I_ASK_USER
+               || (x->interactive == I_UNSPECIFIED
+                   && x->stdin_tty
+                   && ! writable_destination (dst_name, dst_sb->st_mode)))
+              && (overwrite_prompt (dst_name, dst_sb), 1)
+              && ! yesno ()));
+}
+
+/* Print --verbose output on standard output, e.g. `new' -> `old'.
+   If BACKUP_DST_NAME is non-NULL, then also indicate that it is
+   the name of a backup file.  */
+static void
+emit_verbose (char const *src, char const *dst, char const *backup_dst_name)
+{
+  printf ("%s -> %s", quote_n (0, src), quote_n (1, dst));
+  if (backup_dst_name)
+    printf (_(" (backup: %s)"), quote (backup_dst_name));
+  putchar ('\n');
+}
+
+/* A wrapper around "setfscreatecon (NULL)" that exits upon failure.  */
+static void
+restore_default_fscreatecon_or_die (void)
+{
+  if (setfscreatecon (NULL) != 0)
+    error (EXIT_FAILURE, errno,
+           _("failed to restore the default file creation context"));
+}
+
+/* Copy the file SRC_NAME to the file DST_NAME.  The files may be of
+   any type.  NEW_DST should be true if the file DST_NAME cannot
+   exist because its parent directory was just created; NEW_DST should
+   be false if DST_NAME might already exist.  DEVICE is the device
+   number of the parent directory, or 0 if the parent of this file is
+   not known.  ANCESTORS points to a linked, null terminated list of
+   devices and inodes of parent directories of SRC_NAME.  COMMAND_LINE_ARG
+   is true iff SRC_NAME was specified on the command line.
+   FIRST_DIR_CREATED_PER_COMMAND_LINE_ARG is both input and output.
+   Set *COPY_INTO_SELF if SRC_NAME is a parent of (or the
+   same as) DST_NAME; otherwise, clear it.
+   Return true if successful.  */
+static bool
+copy_internal (char const *src_name, char const *dst_name,
+               bool new_dst,
+               dev_t device,
+               struct dir_list *ancestors,
+               const struct cp_options *x,
+               bool command_line_arg,
+               bool *first_dir_created_per_command_line_arg,
+               bool *copy_into_self,
+               bool *rename_succeeded)
+{
+  struct stat src_sb;
+  struct stat dst_sb;
+  mode_t src_mode;
+  mode_t dst_mode IF_LINT (= 0);
+  mode_t dst_mode_bits;
+  mode_t omitted_permissions;
+  bool restore_dst_mode = false;
+  char *earlier_file = NULL;
+  char *dst_backup = NULL;
+  bool backup_succeeded = false;
+  bool delayed_ok;
+  bool copied_as_regular = false;
+  bool dest_is_symlink = false;
+  bool have_dst_lstat = false;
+
+  if (x->move_mode && rename_succeeded)
+    *rename_succeeded = false;
+
+  *copy_into_self = false;
+
+  if (XSTAT (x, src_name, &src_sb) != 0)
+    {
+      error (0, errno, _("cannot stat %s"), quote (src_name));
+      return false;
+    }
+
+  src_mode = src_sb.st_mode;
+
+  if (S_ISDIR (src_mode) && !x->recursive)
+    {
+      error (0, 0, _("omitting directory %s"), quote (src_name));
+      return false;
+    }
+
+  /* Detect the case in which the same source file appears more than
+     once on the command line and no backup option has been selected.
+     If so, simply warn and don't copy it the second time.
+     This check is enabled only if x->src_info is non-NULL.  */
+  if (command_line_arg)
+    {
+      if ( ! S_ISDIR (src_sb.st_mode)
+           && x->backup_type == no_backups
+           && seen_file (x->src_info, src_name, &src_sb))
+        {
+          error (0, 0, _("warning: source file %s specified more than once"),
+                 quote (src_name));
+          return true;
+        }
+
+      record_file (x->src_info, src_name, &src_sb);
+    }
+
+  if (!new_dst)
+    {
+      /* Regular files can be created by writing through symbolic
+         links, but other files cannot.  So use stat on the
+         destination when copying a regular file, and lstat otherwise.
+         However, if we intend to unlink or remove the destination
+         first, use lstat, since a copy won't actually be made to the
+         destination in that case.  */
+      bool use_stat =
+        ((S_ISREG (src_mode)
+          || (x->copy_as_regular
+              && ! (S_ISDIR (src_mode) || S_ISLNK (src_mode))))
+         && ! (x->move_mode || x->symbolic_link || x->hard_link
+               || x->backup_type != no_backups
+               || x->unlink_dest_before_opening));
+      if ((use_stat
+           ? stat (dst_name, &dst_sb)
+           : lstat (dst_name, &dst_sb))
+          != 0)
+        {
+          if (errno != ENOENT)
+            {
+              error (0, errno, _("cannot stat %s"), quote (dst_name));
+              return false;
+            }
+          else
+            {
+              new_dst = true;
+            }
+        }
+      else
+        { /* Here, we know that dst_name exists, at least to the point
+             that it is stat'able or lstat'able.  */
+          bool return_now;
+          bool unlink_src;
+
+          have_dst_lstat = !use_stat;
+          if (! same_file_ok (src_name, &src_sb, dst_name, &dst_sb,
+                              x, &return_now, &unlink_src))
+            {
+              error (0, 0, _("%s and %s are the same file"),
+                     quote_n (0, src_name), quote_n (1, dst_name));
+              return false;
+            }
+
+          if (!S_ISDIR (src_mode) && x->update)
+            {
+              /* When preserving time stamps (but not moving within a file
+                 system), don't worry if the destination time stamp is
+                 less than the source merely because of time stamp
+                 truncation.  */
+              int options = ((x->preserve_timestamps
+                              && ! (x->move_mode
+                                    && dst_sb.st_dev == src_sb.st_dev))
+                             ? UTIMECMP_TRUNCATE_SOURCE
+                             : 0);
+
+              if (0 <= utimecmp (dst_name, &dst_sb, &src_sb, options))
+                {
+                  /* We're using --update and the destination is not older
+                     than the source, so do not copy or move.  Pretend the
+                     rename succeeded, so the caller (if it's mv) doesn't
+                     end up removing the source file.  */
+                  if (rename_succeeded)
+                    *rename_succeeded = true;
+                  return true;
+                }
+            }
+
+          /* When there is an existing destination file, we may end up
+             returning early, and hence not copying/moving the file.
+             This may be due to an interactive `negative' reply to the
+             prompt about the existing file.  It may also be due to the
+             use of the --reply=no option.
+
+             cp and mv treat -i and -f differently.  */
+          if (x->move_mode)
+            {
+              if (abandon_move (x, dst_name, &dst_sb)
+                  || (unlink_src && unlink (src_name) == 0))
+                {
+                  /* Pretend the rename succeeded, so the caller (mv)
+                     doesn't end up removing the source file.  */
+                  if (rename_succeeded)
+                    *rename_succeeded = true;
+                  if (unlink_src && x->verbose)
+                    printf (_("removed %s\n"), quote (src_name));
+                  return true;
+                }
+              if (unlink_src)
+                {
+                  error (0, errno, _("cannot remove %s"), quote (src_name));
+                  return false;
+                }
+            }
+          else
+            {
+              if (! S_ISDIR (src_mode)
+                  && (x->interactive == I_ALWAYS_NO
+                      || (x->interactive == I_ASK_USER
+                          && (overwrite_prompt (dst_name, &dst_sb), 1)
+                          && ! yesno ())))
+                return true;
+            }
+
+          if (return_now)
+            return true;
+
+          if (!S_ISDIR (dst_sb.st_mode))
+            {
+              if (S_ISDIR (src_mode))
+                {
+                  if (x->move_mode && x->backup_type != no_backups)
+                    {
+                      /* Moving a directory onto an existing
+                         non-directory is ok only with --backup.  */
+                    }
+                  else
+                    {
+                      error (0, 0,
+                       _("cannot overwrite non-directory %s with directory %s"),
+                             quote_n (0, dst_name), quote_n (1, src_name));
+                      return false;
+                    }
+                }
+
+              /* Don't let the user destroy their data, even if they try hard:
+                 This mv command must fail (likewise for cp):
+                   rm -rf a b c; mkdir a b c; touch a/f b/f; mv a/f b/f c
+                 Otherwise, the contents of b/f would be lost.
+                 In the case of `cp', b/f would be lost if the user simulated
+                 a move using cp and rm.
+                 Note that it works fine if you use --backup=numbered.  */
+              if (command_line_arg
+                  && x->backup_type != numbered_backups
+                  && seen_file (x->dest_info, dst_name, &dst_sb))
+                {
+                  error (0, 0,
+                         _("will not overwrite just-created %s with %s"),
+                         quote_n (0, dst_name), quote_n (1, src_name));
+                  return false;
+                }
+            }
+
+          if (!S_ISDIR (src_mode))
+            {
+              if (S_ISDIR (dst_sb.st_mode))
+                {
+                  if (x->move_mode && x->backup_type != no_backups)
+                    {
+                      /* Moving a non-directory onto an existing
+                         directory is ok only with --backup.  */
+                    }
+                  else
+                    {
+                      error (0, 0,
+                         _("cannot overwrite directory %s with non-directory"),
+                             quote (dst_name));
+                      return false;
+                    }
+                }
+            }
+
+          if (x->move_mode)
+            {
+              /* Don't allow user to move a directory onto a non-directory.  */
+              if (S_ISDIR (src_sb.st_mode) && !S_ISDIR (dst_sb.st_mode)
+                  && x->backup_type == no_backups)
+                {
+                  error (0, 0,
+                       _("cannot move directory onto non-directory: %s -> %s"),
+                         quote_n (0, src_name), quote_n (0, dst_name));
+                  return false;
+                }
+            }
+
+          if (x->backup_type != no_backups
+              /* Don't try to back up a destination if the last
+                 component of src_name is "." or "..".  */
+              && ! dot_or_dotdot (last_component (src_name))
+              /* Create a backup of each destination directory in move mode,
+                 but not in copy mode.  FIXME: it might make sense to add an
+                 option to suppress backup creation also for move mode.
+                 That would let one use mv to merge new content into an
+                 existing hierarchy.  */
+              && (x->move_mode || ! S_ISDIR (dst_sb.st_mode)))
+            {
+              char *tmp_backup = find_backup_file_name (dst_name,
+                                                        x->backup_type);
+
+              /* Detect (and fail) when creating the backup file would
+                 destroy the source file.  Before, running the commands
+                 cd /tmp; rm -f a a~; : > a; echo A > a~; cp --b=simple a~ a
+                 would leave two zero-length files: a and a~.  */
+              /* FIXME: but simply change e.g., the final a~ to `./a~'
+                 and the source will still be destroyed.  */
+              if (STREQ (tmp_backup, src_name))
+                {
+                  const char *fmt;
+                  fmt = (x->move_mode
+                 ? _("backing up %s would destroy source;  %s not moved")
+                 : _("backing up %s would destroy source;  %s not copied"));
+                  error (0, 0, fmt,
+                         quote_n (0, dst_name),
+                         quote_n (1, src_name));
+                  free (tmp_backup);
+                  return false;
+                }
+
+              /* FIXME: use fts:
+                 Using alloca for a file name that may be arbitrarily
+                 long is not recommended.  In fact, even forming such a name
+                 should be discouraged.  Eventually, this code will be rewritten
+                 to use fts, so using alloca here will be less of a problem.  */
+              ASSIGN_STRDUPA (dst_backup, tmp_backup);
+              free (tmp_backup);
+              if (rename (dst_name, dst_backup) != 0)
+                {
+                  if (errno != ENOENT)
+                    {
+                      error (0, errno, _("cannot backup %s"), quote (dst_name));
+                      return false;
+                    }
+                  else
+                    {
+                      dst_backup = NULL;
+                    }
+                }
+              else
+                {
+                  backup_succeeded = true;
+                }
+              new_dst = true;
+            }
+          else if (! S_ISDIR (dst_sb.st_mode)
+                   /* Never unlink dst_name when in move mode.  */
+                   && ! x->move_mode
+                   && (x->unlink_dest_before_opening
+                       || (x->preserve_links && 1 < dst_sb.st_nlink)
+                       || (x->dereference == DEREF_NEVER
+                           && ! S_ISREG (src_sb.st_mode))
+                       ))
+            {
+              if (unlink (dst_name) != 0 && errno != ENOENT)
+                {
+                  error (0, errno, _("cannot remove %s"), quote (dst_name));
+                  return false;
+                }
+              new_dst = true;
+              if (x->verbose)
+                printf (_("removed %s\n"), quote (dst_name));
+            }
+        }
+    }
+
+  /* Ensure we don't try to copy through a symlink that was
+     created by a prior call to this function.  */
+  if (command_line_arg
+      && x->dest_info
+      && ! x->move_mode
+      && x->backup_type == no_backups)
+    {
+      bool lstat_ok = true;
+      struct stat tmp_buf;
+      struct stat *dst_lstat_sb;
+
+      /* If we called lstat above, good: use that data.
+         Otherwise, call lstat here, in case dst_name is a symlink.  */
+      if (have_dst_lstat)
+        dst_lstat_sb = &dst_sb;
+      else
+        {
+          if (lstat (dst_name, &tmp_buf) == 0)
+            dst_lstat_sb = &tmp_buf;
+          else
+            lstat_ok = false;
+        }
+
+      /* Never copy through a symlink we've just created.  */
+      if (lstat_ok
+          && S_ISLNK (dst_lstat_sb->st_mode)
+          && seen_file (x->dest_info, dst_name, dst_lstat_sb))
+        {
+          error (0, 0,
+                 _("will not copy %s through just-created symlink %s"),
+                 quote_n (0, src_name), quote_n (1, dst_name));
+          return false;
+        }
+    }
+
+  /* If the source is a directory, we don't always create the destination
+     directory.  So --verbose should not announce anything until we're
+     sure we'll create a directory. */
+  if (x->verbose && !S_ISDIR (src_mode))
+    emit_verbose (src_name, dst_name, backup_succeeded ? dst_backup : NULL);
+
+  /* Associate the destination file name with the source device and inode
+     so that if we encounter a matching dev/ino pair in the source tree
+     we can arrange to create a hard link between the corresponding names
+     in the destination tree.
+
+     When using the --link (-l) option, there is no need to take special
+     measures, because (barring race conditions) files that are hard-linked
+     in the source tree will also be hard-linked in the destination tree.
+
+     Sometimes, when preserving links, we have to record dev/ino even
+     though st_nlink == 1:
+     - when in move_mode, since we may be moving a group of N hard-linked
+        files (via two or more command line arguments) to a different
+        partition; the links may be distributed among the command line
+        arguments (possibly hierarchies) so that the link count of
+        the final, once-linked source file is reduced to 1 when it is
+        considered below.  But in this case (for mv) we don't need to
+        incur the expense of recording the dev/ino => name mapping; all we
+        really need is a lookup, to see if the dev/ino pair has already
+        been copied.
+     - when using -H and processing a command line argument;
+        that command line argument could be a symlink pointing to another
+        command line argument.  With `cp -H --preserve=link', we hard-link
+        those two destination files.
+     - likewise for -L except that it applies to all files, not just
+        command line arguments.
+
+     Also, with --recursive, record dev/ino of each command-line directory.
+     We'll use that info to detect this problem: cp -R dir dir.  */
+
+  if (x->move_mode && src_sb.st_nlink == 1)
+    {
+      earlier_file = src_to_dest_lookup (src_sb.st_ino, src_sb.st_dev);
+    }
+  else if (x->preserve_links
+           && !x->hard_link
+           && (1 < src_sb.st_nlink
+               || (command_line_arg
+                   && x->dereference == DEREF_COMMAND_LINE_ARGUMENTS)
+               || x->dereference == DEREF_ALWAYS))
+    {
+      earlier_file = remember_copied (dst_name, src_sb.st_ino, src_sb.st_dev);
+    }
+  else if (x->recursive && S_ISDIR (src_mode))
+    {
+      if (command_line_arg)
+        earlier_file = remember_copied (dst_name, src_sb.st_ino, src_sb.st_dev);
+      else
+        earlier_file = src_to_dest_lookup (src_sb.st_ino, src_sb.st_dev);
+    }
+
+  /* Did we copy this inode somewhere else (in this command line argument)
+     and therefore this is a second hard link to the inode?  */
+
+  if (earlier_file)
+    {
+      /* Avoid damaging the destination file system by refusing to preserve
+         hard-linked directories (which are found at least in Netapp snapshot
+         directories).  */
+      if (S_ISDIR (src_mode))
+        {
+          /* If src_name and earlier_file refer to the same directory entry,
+             then warn about copying a directory into itself.  */
+          if (same_name (src_name, earlier_file))
+            {
+              error (0, 0, _("cannot copy a directory, %s, into itself, %s"),
+                     quote_n (0, top_level_src_name),
+                     quote_n (1, top_level_dst_name));
+              *copy_into_self = true;
+              goto un_backup;
+            }
+          else if (x->dereference == DEREF_ALWAYS)
+            {
+              /* This happens when e.g., encountering a directory for the
+                 second or subsequent time via symlinks when cp is invoked
+                 with -R and -L.  E.g.,
+                 rm -rf a b c d; mkdir a b c d; ln -s ../c a; ln -s ../c b;
+                 cp -RL a b d
+              */
+            }
+          else
+            {
+              error (0, 0, _("will not create hard link %s to directory %s"),
+                     quote_n (0, dst_name), quote_n (1, earlier_file));
+              goto un_backup;
+            }
+        }
+      else
+        {
+          /* We want to guarantee that symlinks are not followed.  */
+          bool link_failed = (linkat (AT_FDCWD, earlier_file, AT_FDCWD,
+                                      dst_name, 0) != 0);
+
+          /* If the link failed because of an existing destination,
+             remove that file and then call link again.  */
+          if (link_failed && errno == EEXIST)
+            {
+              if (unlink (dst_name) != 0)
+                {
+                  error (0, errno, _("cannot remove %s"), quote (dst_name));
+                  goto un_backup;
+                }
+              if (x->verbose)
+                printf (_("removed %s\n"), quote (dst_name));
+              link_failed = (linkat (AT_FDCWD, earlier_file, AT_FDCWD,
+                                     dst_name, 0) != 0);
+            }
+
+          if (link_failed)
+            {
+              error (0, errno, _("cannot create hard link %s to %s"),
+                     quote_n (0, dst_name), quote_n (1, earlier_file));
+              goto un_backup;
+            }
+
+          return true;
+        }
+    }
+
+  if (x->move_mode)
+    {
+      if (rename (src_name, dst_name) == 0)
+        {
+          if (x->verbose && S_ISDIR (src_mode))
+            emit_verbose (src_name, dst_name,
+                          backup_succeeded ? dst_backup : NULL);
+
+          if (rename_succeeded)
+            *rename_succeeded = true;
+
+          if (command_line_arg)
+            {
+              /* Record destination dev/ino/name, so that if we are asked
+                 to overwrite that file again, we can detect it and fail.  */
+              /* It's fine to use the _source_ stat buffer (src_sb) to get the
+                 _destination_ dev/ino, since the rename above can't have
+                 changed those, and `mv' always uses lstat.
+                 We could limit it further by operating
+                 only on non-directories.  */
+              record_file (x->dest_info, dst_name, &src_sb);
+            }
+
+          return true;
+        }
+
+      /* FIXME: someday, consider what to do when moving a directory into
+         itself but when source and destination are on different devices.  */
+
+      /* This happens when attempting to rename a directory to a
+         subdirectory of itself.  */
+      if (errno == EINVAL)
+        {
+          /* FIXME: this is a little fragile in that it relies on rename(2)
+             failing with a specific errno value.  Expect problems on
+             non-POSIX systems.  */
+          error (0, 0, _("cannot move %s to a subdirectory of itself, %s"),
+                 quote_n (0, top_level_src_name),
+                 quote_n (1, top_level_dst_name));
+
+          /* Note that there is no need to call forget_created here,
+             (compare with the other calls in this file) since the
+             destination directory didn't exist before.  */
+
+          *copy_into_self = true;
+          /* FIXME-cleanup: Don't return true here; adjust mv.c accordingly.
+             The only caller that uses this code (mv.c) ends up setting its
+             exit status to nonzero when copy_into_self is nonzero.  */
+          return true;
+        }
+
+      /* WARNING: there probably exist systems for which an inter-device
+         rename fails with a value of errno not handled here.
+         If/as those are reported, add them to the condition below.
+         If this happens to you, please do the following and send the output
+         to the bug-reporting address (e.g., in the output of cp --help):
+           touch k; perl -e 'rename "k","/tmp/k" or print "$!(",$!+0,")\n"'
+         where your current directory is on one partion and /tmp is the other.
+         Also, please try to find the E* errno macro name corresponding to
+         the diagnostic and parenthesized integer, and include that in your
+         e-mail.  One way to do that is to run a command like this
+           find /usr/include/. -type f \
+             | xargs grep 'define.*\<E[A-Z]*\>.*\<18\>' /dev/null
+         where you'd replace `18' with the integer in parentheses that
+         was output from the perl one-liner above.
+         If necessary, of course, change `/tmp' to some other directory.  */
+      if (errno != EXDEV)
+        {
+          /* There are many ways this can happen due to a race condition.
+             When something happens between the initial XSTAT and the
+             subsequent rename, we can get many different types of errors.
+             For example, if the destination is initially a non-directory
+             or non-existent, but it is created as a directory, the rename
+             fails.  If two `mv' commands try to rename the same file at
+             about the same time, one will succeed and the other will fail.
+             If the permissions on the directory containing the source or
+             destination file are made too restrictive, the rename will
+             fail.  Etc.  */
+          error (0, errno,
+                 _("cannot move %s to %s"),
+                 quote_n (0, src_name), quote_n (1, dst_name));
+          forget_created (src_sb.st_ino, src_sb.st_dev);
+          return false;
+        }
+
+      /* The rename attempt has failed.  Remove any existing destination
+         file so that a cross-device `mv' acts as if it were really using
+         the rename syscall.  */
+      if (unlink (dst_name) != 0 && errno != ENOENT)
+        {
+          error (0, errno,
+             _("inter-device move failed: %s to %s; unable to remove target"),
+                 quote_n (0, src_name), quote_n (1, dst_name));
+          forget_created (src_sb.st_ino, src_sb.st_dev);
+          return false;
+        }
+
+      new_dst = true;
+    }
+
+  /* If the ownership might change, or if it is a directory (whose
+     special mode bits may change after the directory is created),
+     omit some permissions at first, so unauthorized users cannot nip
+     in before the file is ready.  */
+  dst_mode_bits = (x->set_mode ? x->mode : src_mode) & CHMOD_MODE_BITS;
+  omitted_permissions =
+    (dst_mode_bits
+     & (x->preserve_ownership ? S_IRWXG | S_IRWXO
+        : S_ISDIR (src_mode) ? S_IWGRP | S_IWOTH
+        : 0));
+
+  delayed_ok = true;
+
+  if (x->preserve_security_context)
+    {
+      security_context_t con;
+
+      if (0 <= lgetfilecon (src_name, &con))
+        {
+          if (setfscreatecon (con) < 0)
+            {
+              if (!x->reduce_diagnostics || x->require_preserve_context)
+                error (0, errno,
+                       _("failed to set default file creation context to %s"),
+                       quote (con));
+              if (x->require_preserve_context)
+                {
+                  freecon (con);
+                  return false;
+                }
+            }
+          freecon (con);
+        }
+      else
+        {
+          if (!errno_unsupported (errno) || x->require_preserve_context)
+            {
+              if (!x->reduce_diagnostics || x->require_preserve_context)
+                error (0, errno,
+                       _("failed to get security context of %s"),
+                       quote (src_name));
+              if (x->require_preserve_context)
+                return false;
+            }
+        }
+    }
+
+  if (S_ISDIR (src_mode))
+    {
+      struct dir_list *dir;
+
+      /* If this directory has been copied before during the
+         recursion, there is a symbolic link to an ancestor
+         directory of the symbolic link.  It is impossible to
+         continue to copy this, unless we've got an infinite disk.  */
+
+      if (is_ancestor (&src_sb, ancestors))
+        {
+          error (0, 0, _("cannot copy cyclic symbolic link %s"),
+                 quote (src_name));
+          goto un_backup;
+        }
+
+      /* Insert the current directory in the list of parents.  */
+
+      dir = alloca (sizeof *dir);
+      dir->parent = ancestors;
+      dir->ino = src_sb.st_ino;
+      dir->dev = src_sb.st_dev;
+
+      if (new_dst || !S_ISDIR (dst_sb.st_mode))
+        {
+          /* POSIX says mkdir's behavior is implementation-defined when
+             (src_mode & ~S_IRWXUGO) != 0.  However, common practice is
+             to ask mkdir to copy all the CHMOD_MODE_BITS, letting mkdir
+             decide what to do with S_ISUID | S_ISGID | S_ISVTX.  */
+          if (mkdir (dst_name, dst_mode_bits & ~omitted_permissions) != 0)
+            {
+              error (0, errno, _("cannot create directory %s"),
+                     quote (dst_name));
+              goto un_backup;
+            }
+
+          /* We need search and write permissions to the new directory
+             for writing the directory's contents. Check if these
+             permissions are there.  */
+
+          if (lstat (dst_name, &dst_sb) != 0)
+            {
+              error (0, errno, _("cannot stat %s"), quote (dst_name));
+              goto un_backup;
+            }
+          else if ((dst_sb.st_mode & S_IRWXU) != S_IRWXU)
+            {
+              /* Make the new directory searchable and writable.  */
+
+              dst_mode = dst_sb.st_mode;
+              restore_dst_mode = true;
+
+              if (lchmod (dst_name, dst_mode | S_IRWXU) != 0)
+                {
+        