]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/core/execute.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
nspawn: fix indentation
[thirdparty/systemd.git] / src / core / execute.c
CommitLineData
53e1b683 1/* SPDX-License-Identifier: LGPL-2.1+ */
a7334b09
LP		 2/***
3 This file is part of systemd.
4
5 Copyright 2010 Lennart Poettering
6
7 systemd is free software; you can redistribute it and/or modify it
5430f7f2
LP		 8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
a7334b09
LP		 10 (at your option) any later version.
11
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2 15 Lesser General Public License for more details.
a7334b09 16
5430f7f2 17 You should have received a copy of the GNU Lesser General Public License
a7334b09
LP		 18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
19***/
20
034c6ed7
LP		 21#include <errno.h>
22#include <fcntl.h>
8dd4c05b
LP		 23#include <glob.h>
24#include <grp.h>
25#include <poll.h>
309bff19 26#include <signal.h>
8dd4c05b 27#include <string.h>
19c0b0b9 28#include <sys/capability.h>
d251207d 29#include <sys/eventfd.h>
f3e43635 30#include <sys/mman.h>
8dd4c05b 31#include <sys/personality.h>
94f04347 32#include <sys/prctl.h>
d2ffa389 33#include <sys/shm.h>
8dd4c05b 34#include <sys/socket.h>
451a074f 35#include <sys/stat.h>
d2ffa389 36#include <sys/types.h>
8dd4c05b
LP		 37#include <sys/un.h>
38#include <unistd.h>
023a4f67 39#include <utmpx.h>
5cb5a6ff 40
349cc4a5 41#if HAVE_PAM
5b6319dc
LP		 42#include <security/pam_appl.h>
43#endif
44
349cc4a5 45#if HAVE_SELINUX
7b52a628
MS		 46#include <selinux/selinux.h>
47#endif
48
349cc4a5 49#if HAVE_SECCOMP
17df7223
LP		 50#include <seccomp.h>
51#endif
52
349cc4a5 53#if HAVE_APPARMOR
eef65bf3
MS		 54#include <sys/apparmor.h>
55#endif
56
24882e06 57#include "sd-messages.h"
8dd4c05b
LP		 58
59#include "af-list.h"
b5efdb8a 60#include "alloc-util.h"
349cc4a5 61#if HAVE_APPARMOR
3ffd4af2
LP		 62#include "apparmor-util.h"
63#endif
8dd4c05b
LP		 64#include "async.h"
65#include "barrier.h"
8dd4c05b 66#include "cap-list.h"
430f0182 67#include "capability-util.h"
a1164ae3 68#include "chown-recursive.h"
da681e1b 69#include "cpu-set-util.h"
f6a6225e 70#include "def.h"
4d1a6904 71#include "env-util.h"
17df7223 72#include "errno-list.h"
3ffd4af2 73#include "execute.h"
8dd4c05b 74#include "exit-status.h"
3ffd4af2 75#include "fd-util.h"
8dd4c05b 76#include "fileio.h"
f97b34a6 77#include "format-util.h"
f4f15635 78#include "fs-util.h"
7d50b32a 79#include "glob-util.h"
c004493c 80#include "io-util.h"
8dd4c05b 81#include "ioprio.h"
a1164ae3 82#include "label.h"
8dd4c05b
LP		 83#include "log.h"
84#include "macro.h"
e8a565cb 85#include "manager.h"
8dd4c05b
LP		 86#include "missing.h"
87#include "mkdir.h"
88#include "namespace.h"
6bedfcbb 89#include "parse-util.h"
8dd4c05b 90#include "path-util.h"
0b452006 91#include "process-util.h"
78f22b97 92#include "rlimit-util.h"
8dd4c05b 93#include "rm-rf.h"
349cc4a5 94#if HAVE_SECCOMP
3ffd4af2
LP		 95#include "seccomp-util.h"
96#endif
8dd4c05b 97#include "securebits.h"
07d46372 98#include "securebits-util.h"
8dd4c05b 99#include "selinux-util.h"
24882e06 100#include "signal-util.h"
8dd4c05b 101#include "smack-util.h"
fd63e712 102#include "special.h"
949befd3 103#include "stat-util.h"
8b43440b 104#include "string-table.h"
07630cea 105#include "string-util.h"
8dd4c05b 106#include "strv.h"
7ccbd1ae 107#include "syslog-util.h"
8dd4c05b
LP		 108#include "terminal-util.h"
109#include "unit.h"
b1d4f8e1 110#include "user-util.h"
8dd4c05b
LP		 111#include "util.h"
112#include "utmp-wtmp.h"
5cb5a6ff 113
e056b01d 114#define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
31a7eb86 115#define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
e6a26745 116
02a51aba
LP		 117/* This assumes there is a 'tty' group */
118#define TTY_MODE 0620
119
531dca78
LP		 120#define SNDBUF_SIZE (8*1024*1024)
121
034c6ed7
LP		 122static int shift_fds(int fds[], unsigned n_fds) {
123 int start, restart_from;
124
125 if (n_fds <= 0)
126 return 0;
127
a0d40ac5
LP		 128 /* Modifies the fds array! (sorts it) */
129
034c6ed7
LP		 130 assert(fds);
131
132 start = 0;
133 for (;;) {
134 int i;
135
136 restart_from = -1;
137
138 for (i = start; i < (int) n_fds; i++) {
139 int nfd;
140
141 /* Already at right index? */
142 if (fds[i] == i+3)
143 continue;
144
3cc2aff1
LP		 145 nfd = fcntl(fds[i], F_DUPFD, i + 3);
146 if (nfd < 0)
034c6ed7
LP		 147 return -errno;
148
03e334a1 149 safe_close(fds[i]);
034c6ed7
LP		 150 fds[i] = nfd;
151
152 /* Hmm, the fd we wanted isn't free? Then
ee33e53a 153 * let's remember that and try again from here */
034c6ed7
LP		 154 if (nfd != i+3 && restart_from < 0)
155 restart_from = i;
156 }
157
158 if (restart_from < 0)
159 break;
160
161 start = restart_from;
162 }
163
164 return 0;
165}
166
4c47affc
FB		 167static int flags_fds(const int fds[], unsigned n_storage_fds, unsigned n_socket_fds, bool nonblock) {
168 unsigned i, n_fds;
e2c76839 169 int r;
47a71eed 170
4c47affc 171 n_fds = n_storage_fds + n_socket_fds;
47a71eed
LP		 172 if (n_fds <= 0)
173 return 0;
174
175 assert(fds);
176
9b141911
FB		 177 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags.
178 * O_NONBLOCK only applies to socket activation though. */
47a71eed
LP		 179
180 for (i = 0; i < n_fds; i++) {
47a71eed 181
9b141911
FB		 182 if (i < n_socket_fds) {
183 r = fd_nonblock(fds[i], nonblock);
184 if (r < 0)
185 return r;
186 }
47a71eed 187
451a074f
LP		 188 /* We unconditionally drop FD_CLOEXEC from the fds,
189 * since after all we want to pass these fds to our
190 * children */
47a71eed 191
3cc2aff1
LP		 192 r = fd_cloexec(fds[i], false);
193 if (r < 0)
e2c76839 194 return r;
47a71eed
LP		 195 }
196
197 return 0;
198}
199
1e22b5cd 200static const char *exec_context_tty_path(const ExecContext *context) {
80876c20
LP		 201 assert(context);
202
1e22b5cd
LP		 203 if (context->stdio_as_fds)
204 return NULL;
205
80876c20
LP		 206 if (context->tty_path)
207 return context->tty_path;
208
209 return "/dev/console";
210}
211
1e22b5cd
LP		 212static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
213 const char *path;
214
6ea832a2
LP		 215 assert(context);
216
1e22b5cd 217 path = exec_context_tty_path(context);
6ea832a2 218
1e22b5cd
LP		 219 if (context->tty_vhangup) {
220 if (p && p->stdin_fd >= 0)
221 (void) terminal_vhangup_fd(p->stdin_fd);
222 else if (path)
223 (void) terminal_vhangup(path);
224 }
6ea832a2 225
1e22b5cd
LP		 226 if (context->tty_reset) {
227 if (p && p->stdin_fd >= 0)
228 (void) reset_terminal_fd(p->stdin_fd, true);
229 else if (path)
230 (void) reset_terminal(path);
231 }
232
233 if (context->tty_vt_disallocate && path)
234 (void) vt_disallocate(path);
6ea832a2
LP		 235}
236
6af760f3
LP		 237static bool is_terminal_input(ExecInput i) {
238 return IN_SET(i,
239 EXEC_INPUT_TTY,
240 EXEC_INPUT_TTY_FORCE,
241 EXEC_INPUT_TTY_FAIL);
242}
243
3a1286b6 244static bool is_terminal_output(ExecOutput o) {
6af760f3
LP		 245 return IN_SET(o,
246 EXEC_OUTPUT_TTY,
247 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
248 EXEC_OUTPUT_KMSG_AND_CONSOLE,
249 EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
250}
251
aac8c0c3
LP		 252static bool is_syslog_output(ExecOutput o) {
253 return IN_SET(o,
254 EXEC_OUTPUT_SYSLOG,
255 EXEC_OUTPUT_SYSLOG_AND_CONSOLE);
256}
257
258static bool is_kmsg_output(ExecOutput o) {
259 return IN_SET(o,
260 EXEC_OUTPUT_KMSG,
261 EXEC_OUTPUT_KMSG_AND_CONSOLE);
262}
263
6af760f3
LP		 264static bool exec_context_needs_term(const ExecContext *c) {
265 assert(c);
266
267 /* Return true if the execution context suggests we should set $TERM to something useful. */
268
269 if (is_terminal_input(c->std_input))
270 return true;
271
272 if (is_terminal_output(c->std_output))
273 return true;
274
275 if (is_terminal_output(c->std_error))
276 return true;
277
278 return !!c->tty_path;
3a1286b6
MS		 279}
280
80876c20 281static int open_null_as(int flags, int nfd) {
046a82c1 282 int fd;
071830ff 283
80876c20 284 assert(nfd >= 0);
071830ff 285
613b411c
LP		 286 fd = open("/dev/null", flags|O_NOCTTY);
287 if (fd < 0)
071830ff
LP		 288 return -errno;
289
046a82c1 290 return move_fd(fd, nfd, false);
071830ff
LP		 291}
292
524daa8c 293static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
92a17af9 294 static const union sockaddr_union sa = {
b92bea5d
ZJS		 295 .un.sun_family = AF_UNIX,
296 .un.sun_path = "/run/systemd/journal/stdout",
297 };
524daa8c
ZJS		 298 uid_t olduid = UID_INVALID;
299 gid_t oldgid = GID_INVALID;
300 int r;
301
cad93f29 302 if (gid_is_valid(gid)) {
524daa8c
ZJS		 303 oldgid = getgid();
304
92a17af9 305 if (setegid(gid) < 0)
524daa8c
ZJS		 306 return -errno;
307 }
308
cad93f29 309 if (uid_is_valid(uid)) {
524daa8c
ZJS		 310 olduid = getuid();
311
92a17af9 312 if (seteuid(uid) < 0) {
524daa8c
ZJS		 313 r = -errno;
314 goto restore_gid;
315 }
316 }
317
92a17af9 318 r = connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un)) < 0 ? -errno : 0;
524daa8c
ZJS		 319
320 /* If we fail to restore the uid or gid, things will likely
321 fail later on. This should only happen if an LSM interferes. */
322
cad93f29 323 if (uid_is_valid(uid))
524daa8c
ZJS		 324 (void) seteuid(olduid);
325
326 restore_gid:
cad93f29 327 if (gid_is_valid(gid))
524daa8c
ZJS		 328 (void) setegid(oldgid);
329
330 return r;
331}
332
fd1f9c89 333static int connect_logger_as(
34cf6c43 334 const Unit *unit,
fd1f9c89 335 const ExecContext *context,
af635cf3 336 const ExecParameters *params,
fd1f9c89
LP		 337 ExecOutput output,
338 const char *ident,
fd1f9c89
LP		 339 int nfd,
340 uid_t uid,
341 gid_t gid) {
342
524daa8c 343 int fd, r;
071830ff
LP		 344
345 assert(context);
af635cf3 346 assert(params);
80876c20
LP		 347 assert(output < _EXEC_OUTPUT_MAX);
348 assert(ident);
349 assert(nfd >= 0);
071830ff 350
54fe0cdb
LP		 351 fd = socket(AF_UNIX, SOCK_STREAM, 0);
352 if (fd < 0)
80876c20 353 return -errno;
071830ff 354
524daa8c
ZJS		 355 r = connect_journal_socket(fd, uid, gid);
356 if (r < 0)
357 return r;
071830ff 358
80876c20 359 if (shutdown(fd, SHUT_RD) < 0) {
03e334a1 360 safe_close(fd);
80876c20
LP		 361 return -errno;
362 }
071830ff 363
fd1f9c89 364 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
531dca78 365
80876c20 366 dprintf(fd,
62bca2c6 367 "%s\n"
80876c20
LP		 368 "%s\n"
369 "%i\n"
54fe0cdb
LP		 370 "%i\n"
371 "%i\n"
372 "%i\n"
4f4a1dbf 373 "%i\n",
c867611e 374 context->syslog_identifier ?: ident,
af635cf3 375 params->flags & EXEC_PASS_LOG_UNIT ? unit->id : "",
54fe0cdb
LP		 376 context->syslog_priority,
377 !!context->syslog_level_prefix,
aac8c0c3
LP		 378 is_syslog_output(output),
379 is_kmsg_output(output),
3a1286b6 380 is_terminal_output(output));
80876c20 381
046a82c1 382 return move_fd(fd, nfd, false);
80876c20 383}
3a274a21 384static int open_terminal_as(const char *path, int flags, int nfd) {
046a82c1 385 int fd;
071830ff 386
80876c20
LP		 387 assert(path);
388 assert(nfd >= 0);
fd1f9c89 389
3a274a21 390 fd = open_terminal(path, flags | O_NOCTTY);
3cc2aff1 391 if (fd < 0)
80876c20 392 return fd;
071830ff 393
046a82c1 394 return move_fd(fd, nfd, false);
80876c20 395}
071830ff 396
2038c3f5
LP		 397static int acquire_path(const char *path, int flags, mode_t mode) {
398 union sockaddr_union sa = {
399 .sa.sa_family = AF_UNIX,
400 };
80876c20 401 int fd, r;
071830ff 402
80876c20 403 assert(path);
071830ff 404
2038c3f5
LP		 405 if (IN_SET(flags & O_ACCMODE, O_WRONLY, O_RDWR))
406 flags |= O_CREAT;
407
408 fd = open(path, flags|O_NOCTTY, mode);
409 if (fd >= 0)
80876c20 410 return fd;
071830ff 411
2038c3f5
LP		 412 if (errno != ENXIO) /* ENXIO is returned when we try to open() an AF_UNIX file system socket on Linux */
413 return -errno;
414 if (strlen(path) > sizeof(sa.un.sun_path)) /* Too long, can't be a UNIX socket */
415 return -ENXIO;
416
417 /* So, it appears the specified path could be an AF_UNIX socket. Let's see if we can connect to it. */
418
419 fd = socket(AF_UNIX, SOCK_STREAM, 0);
420 if (fd < 0)
421 return -errno;
422
423 strncpy(sa.un.sun_path, path, sizeof(sa.un.sun_path));
424 if (connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un)) < 0) {
03e334a1 425 safe_close(fd);
2038c3f5
LP		 426 return errno == EINVAL ? -ENXIO : -errno; /* Propagate initial error if we get EINVAL, i.e. we have
427 * indication that his wasn't an AF_UNIX socket after all */
428 }
071830ff 429
2038c3f5
LP		 430 if ((flags & O_ACCMODE) == O_RDONLY)
431 r = shutdown(fd, SHUT_WR);
432 else if ((flags & O_ACCMODE) == O_WRONLY)
433 r = shutdown(fd, SHUT_RD);
434 else
435 return fd;
436 if (r < 0) {
437 safe_close(fd);
438 return -errno;
439 }
440
441 return fd;
80876c20 442}
071830ff 443
08f3be7a
LP		 444static int fixup_input(
445 const ExecContext *context,
446 int socket_fd,
447 bool apply_tty_stdin) {
448
449 ExecInput std_input;
450
451 assert(context);
452
453 std_input = context->std_input;
1e3ad081
LP		 454
455 if (is_terminal_input(std_input) && !apply_tty_stdin)
456 return EXEC_INPUT_NULL;
071830ff 457
03fd9c49 458 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 459 return EXEC_INPUT_NULL;
460
08f3be7a
LP		 461 if (std_input == EXEC_INPUT_DATA && context->stdin_data_size == 0)
462 return EXEC_INPUT_NULL;
463
03fd9c49 464 return std_input;
4f2d528d
LP		 465}
466
03fd9c49 467static int fixup_output(ExecOutput std_output, int socket_fd) {
4f2d528d 468
03fd9c49 469 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 470 return EXEC_OUTPUT_INHERIT;
471
03fd9c49 472 return std_output;
4f2d528d
LP		 473}
474
a34ceba6
LP		 475static int setup_input(
476 const ExecContext *context,
477 const ExecParameters *params,
52c239d7
LB		 478 int socket_fd,
479 int named_iofds[3]) {
a34ceba6 480
4f2d528d
LP		 481 ExecInput i;
482
483 assert(context);
a34ceba6
LP		 484 assert(params);
485
486 if (params->stdin_fd >= 0) {
487 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
488 return -errno;
489
490 /* Try to make this the controlling tty, if it is a tty, and reset it */
1fb0682e
LP		 491 if (isatty(STDIN_FILENO)) {
492 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
493 (void) reset_terminal_fd(STDIN_FILENO, true);
494 }
a34ceba6
LP		 495
496 return STDIN_FILENO;
497 }
4f2d528d 498
08f3be7a 499 i = fixup_input(context, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
4f2d528d
LP		 500
501 switch (i) {
071830ff 502
80876c20
LP		 503 case EXEC_INPUT_NULL:
504 return open_null_as(O_RDONLY, STDIN_FILENO);
505
506 case EXEC_INPUT_TTY:
507 case EXEC_INPUT_TTY_FORCE:
508 case EXEC_INPUT_TTY_FAIL: {
046a82c1 509 int fd;
071830ff 510
1e22b5cd 511 fd = acquire_terminal(exec_context_tty_path(context),
8854d795
LP		 512 i == EXEC_INPUT_TTY_FAIL ? ACQUIRE_TERMINAL_TRY :
513 i == EXEC_INPUT_TTY_FORCE ? ACQUIRE_TERMINAL_FORCE :
514 ACQUIRE_TERMINAL_WAIT,
3a43da28 515 USEC_INFINITY);
970edce6 516 if (fd < 0)
80876c20
LP		 517 return fd;
518
046a82c1 519 return move_fd(fd, STDIN_FILENO, false);
80876c20
LP		 520 }
521
4f2d528d 522 case EXEC_INPUT_SOCKET:
e75a9ed1
LP		 523 assert(socket_fd >= 0);
524
4f2d528d
LP		 525 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
526
52c239d7 527 case EXEC_INPUT_NAMED_FD:
e75a9ed1
LP		 528 assert(named_iofds[STDIN_FILENO] >= 0);
529
52c239d7
LB		 530 (void) fd_nonblock(named_iofds[STDIN_FILENO], false);
531 return dup2(named_iofds[STDIN_FILENO], STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
532
08f3be7a
LP		 533 case EXEC_INPUT_DATA: {
534 int fd;
535
536 fd = acquire_data_fd(context->stdin_data, context->stdin_data_size, 0);
537 if (fd < 0)
538 return fd;
539
540 return move_fd(fd, STDIN_FILENO, false);
541 }
542
2038c3f5
LP		 543 case EXEC_INPUT_FILE: {
544 bool rw;
545 int fd;
546
547 assert(context->stdio_file[STDIN_FILENO]);
548
549 rw = (context->std_output == EXEC_OUTPUT_FILE && streq_ptr(context->stdio_file[STDIN_FILENO], context->stdio_file[STDOUT_FILENO])) ||
550 (context->std_error == EXEC_OUTPUT_FILE && streq_ptr(context->stdio_file[STDIN_FILENO], context->stdio_file[STDERR_FILENO]));
551
552 fd = acquire_path(context->stdio_file[STDIN_FILENO], rw ? O_RDWR : O_RDONLY, 0666 & ~context->umask);
553 if (fd < 0)
554 return fd;
555
556 return move_fd(fd, STDIN_FILENO, false);
557 }
558
80876c20
LP		 559 default:
560 assert_not_reached("Unknown input type");
561 }
562}
563
a34ceba6 564static int setup_output(
34cf6c43 565 const Unit *unit,
a34ceba6
LP		 566 const ExecContext *context,
567 const ExecParameters *params,
568 int fileno,
569 int socket_fd,
52c239d7 570 int named_iofds[3],
a34ceba6 571 const char *ident,
7bce046b
LP		 572 uid_t uid,
573 gid_t gid,
574 dev_t *journal_stream_dev,
575 ino_t *journal_stream_ino) {
a34ceba6 576
4f2d528d
LP		 577 ExecOutput o;
578 ExecInput i;
47c1d80d 579 int r;
4f2d528d 580
f2341e0a 581 assert(unit);
80876c20 582 assert(context);
a34ceba6 583 assert(params);
80876c20 584 assert(ident);
7bce046b
LP		 585 assert(journal_stream_dev);
586 assert(journal_stream_ino);
80876c20 587
a34ceba6
LP		 588 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
589
590 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
591 return -errno;
592
593 return STDOUT_FILENO;
594 }
595
596 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
597 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
598 return -errno;
599
600 return STDERR_FILENO;
601 }
602
08f3be7a 603 i = fixup_input(context, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
03fd9c49 604 o = fixup_output(context->std_output, socket_fd);
4f2d528d 605
eb17e935
MS		 606 if (fileno == STDERR_FILENO) {
607 ExecOutput e;
608 e = fixup_output(context->std_error, socket_fd);
80876c20 609
eb17e935
MS		 610 /* This expects the input and output are already set up */
611
612 /* Don't change the stderr file descriptor if we inherit all
613 * the way and are not on a tty */
614 if (e == EXEC_OUTPUT_INHERIT &&
615 o == EXEC_OUTPUT_INHERIT &&
616 i == EXEC_INPUT_NULL &&
617 !is_terminal_input(context->std_input) &&
618 getppid () != 1)
619 return fileno;
620
621 /* Duplicate from stdout if possible */
52c239d7 622 if ((e == o && e != EXEC_OUTPUT_NAMED_FD) || e == EXEC_OUTPUT_INHERIT)
eb17e935 623 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 624
eb17e935 625 o = e;
80876c20 626
eb17e935 627 } else if (o == EXEC_OUTPUT_INHERIT) {
21d21ea4
LP		 628 /* If input got downgraded, inherit the original value */
629 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
1e22b5cd 630 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
21d21ea4 631
08f3be7a
LP		 632 /* If the input is connected to anything that's not a /dev/null or a data fd, inherit that... */
633 if (!IN_SET(i, EXEC_INPUT_NULL, EXEC_INPUT_DATA))
eb17e935 634 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 635
acb591e4
LP		 636 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
637 if (getppid() != 1)
eb17e935 638 return fileno;
94f04347 639
eb17e935
MS		 640 /* We need to open /dev/null here anew, to get the right access mode. */
641 return open_null_as(O_WRONLY, fileno);
071830ff 642 }
94f04347 643
eb17e935 644 switch (o) {
80876c20
LP		 645
646 case EXEC_OUTPUT_NULL:
eb17e935 647 return open_null_as(O_WRONLY, fileno);
80876c20
LP		 648
649 case EXEC_OUTPUT_TTY:
4f2d528d 650 if (is_terminal_input(i))
eb17e935 651 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
80876c20
LP		 652
653 /* We don't reset the terminal if this is just about output */
1e22b5cd 654 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
80876c20
LP		 655
656 case EXEC_OUTPUT_SYSLOG:
28dbc1e8 657 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
9a6bca7a 658 case EXEC_OUTPUT_KMSG:
28dbc1e8 659 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
706343f4
LP		 660 case EXEC_OUTPUT_JOURNAL:
661 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
af635cf3 662 r = connect_logger_as(unit, context, params, o, ident, fileno, uid, gid);
47c1d80d 663 if (r < 0) {
82677ae4 664 log_unit_warning_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
eb17e935 665 r = open_null_as(O_WRONLY, fileno);
7bce046b
LP		 666 } else {
667 struct stat st;
668
669 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
670 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
ab2116b1
LP		 671 * services to detect whether they are connected to the journal or not.
672 *
673 * If both stdout and stderr are connected to a stream then let's make sure to store the data
674 * about STDERR as that's usually the best way to do logging. */
7bce046b 675
ab2116b1
LP		 676 if (fstat(fileno, &st) >= 0 &&
677 (*journal_stream_ino == 0 || fileno == STDERR_FILENO)) {
7bce046b
LP		 678 *journal_stream_dev = st.st_dev;
679 *journal_stream_ino = st.st_ino;
680 }
47c1d80d
MS		 681 }
682 return r;
4f2d528d
LP		 683
684 case EXEC_OUTPUT_SOCKET:
685 assert(socket_fd >= 0);
e75a9ed1 686
eb17e935 687 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
94f04347 688
52c239d7 689 case EXEC_OUTPUT_NAMED_FD:
e75a9ed1
LP		 690 assert(named_iofds[fileno] >= 0);
691
52c239d7
LB		 692 (void) fd_nonblock(named_iofds[fileno], false);
693 return dup2(named_iofds[fileno], fileno) < 0 ? -errno : fileno;
694
2038c3f5
LP		 695 case EXEC_OUTPUT_FILE: {
696 bool rw;
697 int fd;
698
699 assert(context->stdio_file[fileno]);
700
701 rw = context->std_input == EXEC_INPUT_FILE &&
702 streq_ptr(context->stdio_file[fileno], context->stdio_file[STDIN_FILENO]);
703
704 if (rw)
705 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
706
707 fd = acquire_path(context->stdio_file[fileno], O_WRONLY, 0666 & ~context->umask);
708 if (fd < 0)
709 return fd;
710
711 return move_fd(fd, fileno, false);
712 }
713
94f04347 714 default:
80876c20 715 assert_not_reached("Unknown error type");
94f04347 716 }
071830ff
LP		 717}
718
02a51aba
LP		 719static int chown_terminal(int fd, uid_t uid) {
720 struct stat st;
721
722 assert(fd >= 0);
02a51aba 723
1ff74fb6
LP		 724 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
725 if (isatty(fd) < 1)
726 return 0;
727
02a51aba 728 /* This might fail. What matters are the results. */
bab45044
LP		 729 (void) fchown(fd, uid, -1);
730 (void) fchmod(fd, TTY_MODE);
02a51aba
LP		 731
732 if (fstat(fd, &st) < 0)
733 return -errno;
734
d8b4e2e9 735 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
02a51aba
LP		 736 return -EPERM;
737
738 return 0;
739}
740
7d5ceb64 741static int setup_confirm_stdio(const char *vc, int *_saved_stdin, int *_saved_stdout) {
3d18b167
LP		 742 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
743 int r;
80876c20 744
80876c20
LP		 745 assert(_saved_stdin);
746 assert(_saved_stdout);
747
af6da548
LP		 748 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
749 if (saved_stdin < 0)
750 return -errno;
80876c20 751
af6da548 752 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
3d18b167
LP		 753 if (saved_stdout < 0)
754 return -errno;
80876c20 755
8854d795 756 fd = acquire_terminal(vc, ACQUIRE_TERMINAL_WAIT, DEFAULT_CONFIRM_USEC);
3d18b167
LP		 757 if (fd < 0)
758 return fd;
80876c20 759
af6da548
LP		 760 r = chown_terminal(fd, getuid());
761 if (r < 0)
3d18b167 762 return r;
02a51aba 763
3d18b167
LP		 764 r = reset_terminal_fd(fd, true);
765 if (r < 0)
766 return r;
80876c20 767
3d18b167
LP		 768 if (dup2(fd, STDIN_FILENO) < 0)
769 return -errno;
770
771 if (dup2(fd, STDOUT_FILENO) < 0)
772 return -errno;
80876c20
LP		 773
774 if (fd >= 2)
03e334a1 775 safe_close(fd);
3d18b167 776 fd = -1;
80876c20
LP		 777
778 *_saved_stdin = saved_stdin;
779 *_saved_stdout = saved_stdout;
780
3d18b167 781 saved_stdin = saved_stdout = -1;
80876c20 782
3d18b167 783 return 0;
80876c20
LP		 784}
785
63d77c92 786static void write_confirm_error_fd(int err, int fd, const Unit *u) {
3b20f877
FB		 787 assert(err < 0);
788
789 if (err == -ETIMEDOUT)
63d77c92 790 dprintf(fd, "Confirmation question timed out for %s, assuming positive response.\n", u->id);
3b20f877
FB		 791 else {
792 errno = -err;
63d77c92 793 dprintf(fd, "Couldn't ask confirmation for %s: %m, assuming positive response.\n", u->id);
3b20f877
FB		 794 }
795}
796
63d77c92 797static void write_confirm_error(int err, const char *vc, const Unit *u) {
03e334a1 798 _cleanup_close_ int fd = -1;
80876c20 799
3b20f877 800 assert(vc);
80876c20 801
7d5ceb64 802 fd = open_terminal(vc, O_WRONLY|O_NOCTTY|O_CLOEXEC);
af6da548 803 if (fd < 0)
3b20f877 804 return;
80876c20 805
63d77c92 806 write_confirm_error_fd(err, fd, u);
af6da548 807}
80876c20 808
3d18b167 809static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
af6da548 810 int r = 0;
80876c20 811
af6da548
LP		 812 assert(saved_stdin);
813 assert(saved_stdout);
814
815 release_terminal();
816
817 if (*saved_stdin >= 0)
80876c20 818 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
af6da548 819 r = -errno;
80876c20 820
af6da548 821 if (*saved_stdout >= 0)
80876c20 822 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
af6da548 823 r = -errno;
80876c20 824
3d18b167
LP		 825 *saved_stdin = safe_close(*saved_stdin);
826 *saved_stdout = safe_close(*saved_stdout);
af6da548
LP		 827
828 return r;
829}
830
3b20f877
FB		 831enum {
832 CONFIRM_PRETEND_FAILURE = -1,
833 CONFIRM_PRETEND_SUCCESS = 0,
834 CONFIRM_EXECUTE = 1,
835};
836
eedf223a 837static int ask_for_confirmation(const char *vc, Unit *u, const char *cmdline) {
af6da548 838 int saved_stdout = -1, saved_stdin = -1, r;
2bcd3c26 839 _cleanup_free_ char *e = NULL;
3b20f877 840 char c;
af6da548 841
3b20f877 842 /* For any internal errors, assume a positive response. */
7d5ceb64 843 r = setup_confirm_stdio(vc, &saved_stdin, &saved_stdout);
3b20f877 844 if (r < 0) {
63d77c92 845 write_confirm_error(r, vc, u);
3b20f877
FB		 846 return CONFIRM_EXECUTE;
847 }
af6da548 848
b0eb2944
FB		 849 /* confirm_spawn might have been disabled while we were sleeping. */
850 if (manager_is_confirm_spawn_disabled(u->manager)) {
851 r = 1;
852 goto restore_stdio;
853 }
af6da548 854
2bcd3c26
FB		 855 e = ellipsize(cmdline, 60, 100);
856 if (!e) {
857 log_oom();
858 r = CONFIRM_EXECUTE;
859 goto restore_stdio;
860 }
af6da548 861
d172b175 862 for (;;) {
539622bd 863 r = ask_char(&c, "yfshiDjcn", "Execute %s? [y, f, s – h for help] ", e);
d172b175 864 if (r < 0) {
63d77c92 865 write_confirm_error_fd(r, STDOUT_FILENO, u);
d172b175
FB		 866 r = CONFIRM_EXECUTE;
867 goto restore_stdio;
868 }
af6da548 869
d172b175 870 switch (c) {
b0eb2944
FB		 871 case 'c':
872 printf("Resuming normal execution.\n");
873 manager_disable_confirm_spawn();
874 r = 1;
875 break;
dd6f9ac0
FB		 876 case 'D':
877 unit_dump(u, stdout, " ");
878 continue; /* ask again */
d172b175
FB		 879 case 'f':
880 printf("Failing execution.\n");
881 r = CONFIRM_PRETEND_FAILURE;
882 break;
883 case 'h':
b0eb2944
FB		 884 printf(" c - continue, proceed without asking anymore\n"
885 " D - dump, show the state of the unit\n"
dd6f9ac0 886 " f - fail, don't execute the command and pretend it failed\n"
d172b175 887 " h - help\n"
eedf223a 888 " i - info, show a short summary of the unit\n"
56fde33a 889 " j - jobs, show jobs that are in progress\n"
d172b175
FB		 890 " s - skip, don't execute the command and pretend it succeeded\n"
891 " y - yes, execute the command\n");
dd6f9ac0 892 continue; /* ask again */
eedf223a
FB		 893 case 'i':
894 printf(" Description: %s\n"
895 " Unit: %s\n"
896 " Command: %s\n",
897 u->id, u->description, cmdline);
898 continue; /* ask again */
56fde33a
FB		 899 case 'j':
900 manager_dump_jobs(u->manager, stdout, " ");
901 continue; /* ask again */
539622bd
FB		 902 case 'n':
903 /* 'n' was removed in favor of 'f'. */
904 printf("Didn't understand 'n', did you mean 'f'?\n");
905 continue; /* ask again */
d172b175
FB		 906 case 's':
907 printf("Skipping execution.\n");
908 r = CONFIRM_PRETEND_SUCCESS;
909 break;
910 case 'y':
911 r = CONFIRM_EXECUTE;
912 break;
913 default:
914 assert_not_reached("Unhandled choice");
915 }
3b20f877 916 break;
3b20f877 917 }
af6da548 918
3b20f877 919restore_stdio:
af6da548 920 restore_confirm_stdio(&saved_stdin, &saved_stdout);
af6da548 921 return r;
80876c20
LP		 922}
923
4d885bd3
DH		 924static int get_fixed_user(const ExecContext *c, const char **user,
925 uid_t *uid, gid_t *gid,
926 const char **home, const char **shell) {
81a2b7ce 927 int r;
4d885bd3 928 const char *name;
81a2b7ce 929
4d885bd3 930 assert(c);
81a2b7ce 931
23deef88
LP		 932 if (!c->user)
933 return 0;
934
4d885bd3
DH		 935 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
936 * (i.e. are "/" or "/bin/nologin"). */
81a2b7ce 937
23deef88 938 name = c->user;
4d885bd3
DH		 939 r = get_user_creds_clean(&name, uid, gid, home, shell);
940 if (r < 0)
941 return r;
81a2b7ce 942
4d885bd3
DH		 943 *user = name;
944 return 0;
945}
946
947static int get_fixed_group(const ExecContext *c, const char **group, gid_t *gid) {
948 int r;
949 const char *name;
950
951 assert(c);
952
953 if (!c->group)
954 return 0;
955
956 name = c->group;
957 r = get_group_creds(&name, gid);
958 if (r < 0)
959 return r;
960
961 *group = name;
962 return 0;
963}
964
cdc5d5c5
DH		 965static int get_supplementary_groups(const ExecContext *c, const char *user,
966 const char *group, gid_t gid,
967 gid_t **supplementary_gids, int *ngids) {
4d885bd3
DH		 968 char **i;
969 int r, k = 0;
970 int ngroups_max;
971 bool keep_groups = false;
972 gid_t *groups = NULL;
973 _cleanup_free_ gid_t *l_gids = NULL;
974
975 assert(c);
976
bbeea271
DH		 977 /*
978 * If user is given, then lookup GID and supplementary groups list.
979 * We avoid NSS lookups for gid=0. Also we have to initialize groups
cdc5d5c5
DH		 980 * here and as early as possible so we keep the list of supplementary
981 * groups of the caller.
bbeea271
DH		 982 */
983 if (user && gid_is_valid(gid) && gid != 0) {
984 /* First step, initialize groups from /etc/groups */
985 if (initgroups(user, gid) < 0)
986 return -errno;
987
988 keep_groups = true;
989 }
990
ac6e8be6 991 if (strv_isempty(c->supplementary_groups))
4d885bd3
DH		 992 return 0;
993
366ddd25
DH		 994 /*
995 * If SupplementaryGroups= was passed then NGROUPS_MAX has to
996 * be positive, otherwise fail.
997 */
998 errno = 0;
999 ngroups_max = (int) sysconf(_SC_NGROUPS_MAX);
1000 if (ngroups_max <= 0) {
1001 if (errno > 0)
1002 return -errno;
1003 else
1004 return -EOPNOTSUPP; /* For all other values */
1005 }
1006
4d885bd3
DH		 1007 l_gids = new(gid_t, ngroups_max);
1008 if (!l_gids)
1009 return -ENOMEM;
81a2b7ce 1010
4d885bd3
DH		 1011 if (keep_groups) {
1012 /*
1013 * Lookup the list of groups that the user belongs to, we
1014 * avoid NSS lookups here too for gid=0.
1015 */
1016 k = ngroups_max;
1017 if (getgrouplist(user, gid, l_gids, &k) < 0)
1018 return -EINVAL;
1019 } else
1020 k = 0;
81a2b7ce 1021
4d885bd3
DH		 1022 STRV_FOREACH(i, c->supplementary_groups) {
1023 const char *g;
81a2b7ce 1024
4d885bd3
DH		 1025 if (k >= ngroups_max)
1026 return -E2BIG;
81a2b7ce 1027
4d885bd3
DH		 1028 g = *i;
1029 r = get_group_creds(&g, l_gids+k);
1030 if (r < 0)
1031 return r;
81a2b7ce 1032
4d885bd3
DH		 1033 k++;
1034 }
81a2b7ce 1035
4d885bd3
DH		 1036 /*
1037 * Sets ngids to zero to drop all supplementary groups, happens
1038 * when we are under root and SupplementaryGroups= is empty.
1039 */
1040 if (k == 0) {
1041 *ngids = 0;
1042 return 0;
1043 }
81a2b7ce 1044
4d885bd3
DH		 1045 /* Otherwise get the final list of supplementary groups */
1046 groups = memdup(l_gids, sizeof(gid_t) * k);
1047 if (!groups)
1048 return -ENOMEM;
1049
1050 *supplementary_gids = groups;
1051 *ngids = k;
1052
1053 groups = NULL;
1054
1055 return 0;
1056}
1057
34cf6c43 1058static int enforce_groups(gid_t gid, const gid_t *supplementary_gids, int ngids) {
4d885bd3
DH		 1059 int r;
1060
709dbeac
YW		 1061 /* Handle SupplementaryGroups= if it is not empty */
1062 if (ngids > 0) {
4d885bd3
DH		 1063 r = maybe_setgroups(ngids, supplementary_gids);
1064 if (r < 0)
97f0e76f 1065 return r;
4d885bd3 1066 }
81a2b7ce 1067
4d885bd3
DH		 1068 if (gid_is_valid(gid)) {
1069 /* Then set our gids */
1070 if (setresgid(gid, gid, gid) < 0)
1071 return -errno;
81a2b7ce
LP		 1072 }
1073
1074 return 0;
1075}
1076
1077static int enforce_user(const ExecContext *context, uid_t uid) {
81a2b7ce
LP		 1078 assert(context);
1079
4d885bd3
DH		 1080 if (!uid_is_valid(uid))
1081 return 0;
1082
479050b3 1083 /* Sets (but doesn't look up) the uid and make sure we keep the
81a2b7ce
LP		 1084 * capabilities while doing so. */
1085
479050b3 1086 if (context->capability_ambient_set != 0) {
81a2b7ce
LP		 1087
1088 /* First step: If we need to keep capabilities but
1089 * drop privileges we need to make sure we keep our
cbb21cca 1090 * caps, while we drop privileges. */
693ced48 1091 if (uid != 0) {
cbb21cca 1092 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
693ced48
LP		 1093
1094 if (prctl(PR_GET_SECUREBITS) != sb)
1095 if (prctl(PR_SET_SECUREBITS, sb) < 0)
1096 return -errno;
1097 }
81a2b7ce
LP		 1098 }
1099
479050b3 1100 /* Second step: actually set the uids */
81a2b7ce
LP		 1101 if (setresuid(uid, uid, uid) < 0)
1102 return -errno;
1103
1104 /* At this point we should have all necessary capabilities but
1105 are otherwise a normal user. However, the caps might got
1106 corrupted due to the setresuid() so we need clean them up
1107 later. This is done outside of this call. */
1108
1109 return 0;
1110}
1111
349cc4a5 1112#if HAVE_PAM
5b6319dc
LP		 1113
1114static int null_conv(
1115 int num_msg,
1116 const struct pam_message **msg,
1117 struct pam_response **resp,
1118 void *appdata_ptr) {
1119
1120 /* We don't support conversations */
1121
1122 return PAM_CONV_ERR;
1123}
1124
cefc33ae
LP		 1125#endif
1126
5b6319dc
LP		 1127static int setup_pam(
1128 const char *name,
1129 const char *user,
940c5210 1130 uid_t uid,
2d6fce8d 1131 gid_t gid,
5b6319dc 1132 const char *tty,
2065ca69 1133 char ***env,
5b6319dc
LP		 1134 int fds[], unsigned n_fds) {
1135
349cc4a5 1136#if HAVE_PAM
cefc33ae 1137
5b6319dc
LP		 1138 static const struct pam_conv conv = {
1139 .conv = null_conv,
1140 .appdata_ptr = NULL
1141 };
1142
2d7c6aa2 1143 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
5b6319dc 1144 pam_handle_t *handle = NULL;
d6e5f3ad 1145 sigset_t old_ss;
7bb70b6e 1146 int pam_code = PAM_SUCCESS, r;
84eada2f 1147 char **nv, **e = NULL;
5b6319dc
LP		 1148 bool close_session = false;
1149 pid_t pam_pid = 0, parent_pid;
970edce6 1150 int flags = 0;
5b6319dc
LP		 1151
1152 assert(name);
1153 assert(user);
2065ca69 1154 assert(env);
5b6319dc
LP		 1155
1156 /* We set up PAM in the parent process, then fork. The child
35b8ca3a 1157 * will then stay around until killed via PR_GET_PDEATHSIG or
5b6319dc
LP		 1158 * systemd via the cgroup logic. It will then remove the PAM
1159 * session again. The parent process will exec() the actual
1160 * daemon. We do things this way to ensure that the main PID
1161 * of the daemon is the one we initially fork()ed. */
1162
7bb70b6e
LP		 1163 r = barrier_create(&barrier);
1164 if (r < 0)
2d7c6aa2
DH		 1165 goto fail;
1166
553d2243 1167 if (log_get_max_level() < LOG_DEBUG)
970edce6
ZJS		 1168 flags |= PAM_SILENT;
1169
f546241b
ZJS		 1170 pam_code = pam_start(name, user, &conv, &handle);
1171 if (pam_code != PAM_SUCCESS) {
5b6319dc
LP		 1172 handle = NULL;
1173 goto fail;
1174 }
1175
f546241b
ZJS		 1176 if (tty) {
1177 pam_code = pam_set_item(handle, PAM_TTY, tty);
1178 if (pam_code != PAM_SUCCESS)
5b6319dc 1179 goto fail;
f546241b 1180 }
5b6319dc 1181
84eada2f
JW		 1182 STRV_FOREACH(nv, *env) {
1183 pam_code = pam_putenv(handle, *nv);
2065ca69
JW		 1184 if (pam_code != PAM_SUCCESS)
1185 goto fail;
1186 }
1187
970edce6 1188 pam_code = pam_acct_mgmt(handle, flags);
f546241b 1189 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 1190 goto fail;
1191
970edce6 1192 pam_code = pam_open_session(handle, flags);
f546241b 1193 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 1194 goto fail;
1195
1196 close_session = true;
1197
f546241b
ZJS		 1198 e = pam_getenvlist(handle);
1199 if (!e) {
5b6319dc
LP		 1200 pam_code = PAM_BUF_ERR;
1201 goto fail;
1202 }
1203
1204 /* Block SIGTERM, so that we know that it won't get lost in
1205 * the child */
ce30c8dc 1206
72c0a2c2 1207 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
5b6319dc 1208
df0ff127 1209 parent_pid = getpid_cached();
5b6319dc 1210
4c253ed1
LP		 1211 r = safe_fork("(sd-pam)", 0, &pam_pid);
1212 if (r < 0)
5b6319dc 1213 goto fail;
4c253ed1 1214 if (r == 0) {
7bb70b6e 1215 int sig, ret = EXIT_PAM;
5b6319dc
LP		 1216
1217 /* The child's job is to reset the PAM session on
1218 * termination */
2d7c6aa2 1219 barrier_set_role(&barrier, BARRIER_CHILD);
5b6319dc 1220
4c253ed1
LP		 1221 /* Make sure we don't keep open the passed fds in this child. We assume that otherwise only those fds
1222 * are open here that have been opened by PAM. */
1223 (void) close_many(fds, n_fds);
5b6319dc 1224
940c5210
AK		 1225 /* Drop privileges - we don't need any to pam_close_session
1226 * and this will make PR_SET_PDEATHSIG work in most cases.
1227 * If this fails, ignore the error - but expect sd-pam threads
1228 * to fail to exit normally */
2d6fce8d 1229
97f0e76f
LP		 1230 r = maybe_setgroups(0, NULL);
1231 if (r < 0)
1232 log_warning_errno(r, "Failed to setgroups() in sd-pam: %m");
2d6fce8d
LP		 1233 if (setresgid(gid, gid, gid) < 0)
1234 log_warning_errno(errno, "Failed to setresgid() in sd-pam: %m");
940c5210 1235 if (setresuid(uid, uid, uid) < 0)
2d6fce8d 1236 log_warning_errno(errno, "Failed to setresuid() in sd-pam: %m");
940c5210 1237
ce30c8dc
LP		 1238 (void) ignore_signals(SIGPIPE, -1);
1239
940c5210
AK		 1240 /* Wait until our parent died. This will only work if
1241 * the above setresuid() succeeds, otherwise the kernel
1242 * will not allow unprivileged parents kill their privileged
1243 * children this way. We rely on the control groups kill logic
5b6319dc
LP		 1244 * to do the rest for us. */
1245 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
1246 goto child_finish;
1247
2d7c6aa2
DH		 1248 /* Tell the parent that our setup is done. This is especially
1249 * important regarding dropping privileges. Otherwise, unit
643f4706
ZJS		 1250 * setup might race against our setresuid(2) call.
1251 *
1252 * If the parent aborted, we'll detect this below, hence ignore
1253 * return failure here. */
1254 (void) barrier_place(&barrier);
2d7c6aa2 1255
643f4706 1256 /* Check if our parent process might already have died? */
5b6319dc 1257 if (getppid() == parent_pid) {
d6e5f3ad
DM		 1258 sigset_t ss;
1259
1260 assert_se(sigemptyset(&ss) >= 0);
1261 assert_se(sigaddset(&ss, SIGTERM) >= 0);
1262
3dead8d9
LP		 1263 for (;;) {
1264 if (sigwait(&ss, &sig) < 0) {
1265 if (errno == EINTR)
1266 continue;
1267
1268 goto child_finish;
1269 }
5b6319dc 1270
3dead8d9
LP		 1271 assert(sig == SIGTERM);
1272 break;
1273 }
5b6319dc
LP		 1274 }
1275
3dead8d9 1276 /* If our parent died we'll end the session */
f546241b 1277 if (getppid() != parent_pid) {
970edce6 1278 pam_code = pam_close_session(handle, flags);
f546241b 1279 if (pam_code != PAM_SUCCESS)
5b6319dc 1280 goto child_finish;
f546241b 1281 }
5b6319dc 1282
7bb70b6e 1283 ret = 0;
5b6319dc
LP		 1284
1285 child_finish:
970edce6 1286 pam_end(handle, pam_code | flags);
7bb70b6e 1287 _exit(ret);
5b6319dc
LP		 1288 }
1289
2d7c6aa2
DH		 1290 barrier_set_role(&barrier, BARRIER_PARENT);
1291
5b6319dc
LP		 1292 /* If the child was forked off successfully it will do all the
1293 * cleanups, so forget about the handle here. */
1294 handle = NULL;
1295
3b8bddde 1296 /* Unblock SIGTERM again in the parent */
72c0a2c2 1297 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
5b6319dc
LP		 1298
1299 /* We close the log explicitly here, since the PAM modules
1300 * might have opened it, but we don't want this fd around. */
1301 closelog();
1302
2d7c6aa2
DH		 1303 /* Synchronously wait for the child to initialize. We don't care for
1304 * errors as we cannot recover. However, warn loudly if it happens. */
1305 if (!barrier_place_and_sync(&barrier))
1306 log_error("PAM initialization failed");
1307
2065ca69
JW		 1308 strv_free(*env);
1309 *env = e;
aa87e624 1310
5b6319dc
LP		 1311 return 0;
1312
1313fail:
970edce6
ZJS		 1314 if (pam_code != PAM_SUCCESS) {
1315 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
7bb70b6e
LP		 1316 r = -EPERM; /* PAM errors do not map to errno */
1317 } else
1318 log_error_errno(r, "PAM failed: %m");
9ba35398 1319
5b6319dc
LP		 1320 if (handle) {
1321 if (close_session)
970edce6 1322 pam_code = pam_close_session(handle, flags);
5b6319dc 1323
970edce6 1324 pam_end(handle, pam_code | flags);
5b6319dc
LP		 1325 }
1326
1327 strv_free(e);
5b6319dc
LP		 1328 closelog();
1329
7bb70b6e 1330 return r;
cefc33ae
LP		 1331#else
1332 return 0;
5b6319dc 1333#endif
cefc33ae 1334}
5b6319dc 1335
5d6b1584
LP		 1336static void rename_process_from_path(const char *path) {
1337 char process_name[11];
1338 const char *p;
1339 size_t l;
1340
1341 /* This resulting string must fit in 10 chars (i.e. the length
1342 * of "/sbin/init") to look pretty in /bin/ps */
1343
2b6bf07d 1344 p = basename(path);
5d6b1584
LP		 1345 if (isempty(p)) {
1346 rename_process("(...)");
1347 return;
1348 }
1349
1350 l = strlen(p);
1351 if (l > 8) {
1352 /* The end of the process name is usually more
1353 * interesting, since the first bit might just be
1354 * "systemd-" */
1355 p = p + l - 8;
1356 l = 8;
1357 }
1358
1359 process_name[0] = '(';
1360 memcpy(process_name+1, p, l);
1361 process_name[1+l] = ')';
1362 process_name[1+l+1] = 0;
1363
1364 rename_process(process_name);
1365}
1366
469830d1
LP		 1367static bool context_has_address_families(const ExecContext *c) {
1368 assert(c);
1369
1370 return c->address_families_whitelist ||
1371 !set_isempty(c->address_families);
1372}
1373
1374static bool context_has_syscall_filters(const ExecContext *c) {
1375 assert(c);
1376
1377 return c->syscall_whitelist ||
8cfa775f 1378 !hashmap_isempty(c->syscall_filter);
469830d1
LP		 1379}
1380
1381static bool context_has_no_new_privileges(const ExecContext *c) {
1382 assert(c);
1383
1384 if (c->no_new_privileges)
1385 return true;
1386
1387 if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
1388 return false;
1389
1390 /* We need NNP if we have any form of seccomp and are unprivileged */
1391 return context_has_address_families(c) ||
1392 c->memory_deny_write_execute ||
1393 c->restrict_realtime ||
1394 exec_context_restrict_namespaces_set(c) ||
1395 c->protect_kernel_tunables ||
1396 c->protect_kernel_modules ||
1397 c->private_devices ||
1398 context_has_syscall_filters(c) ||
78e864e5
TM		 1399 !set_isempty(c->syscall_archs) ||
1400 c->lock_personality;
469830d1
LP		 1401}
1402
349cc4a5 1403#if HAVE_SECCOMP
17df7223 1404
83f12b27 1405static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
f673b62d
LP		 1406
1407 if (is_seccomp_available())
1408 return false;
1409
f673b62d 1410 log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
f673b62d 1411 return true;
83f12b27
FS		 1412}
1413
165a31c0 1414static int apply_syscall_filter(const Unit* u, const ExecContext *c, bool needs_ambient_hack) {
469830d1 1415 uint32_t negative_action, default_action, action;
165a31c0 1416 int r;
8351ceae 1417
469830d1 1418 assert(u);
c0467cf3 1419 assert(c);
8351ceae 1420
469830d1 1421 if (!context_has_syscall_filters(c))
83f12b27
FS		 1422 return 0;
1423
469830d1
LP		 1424 if (skip_seccomp_unavailable(u, "SystemCallFilter="))
1425 return 0;
e9642be2 1426
469830d1 1427 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
e9642be2 1428
469830d1
LP		 1429 if (c->syscall_whitelist) {
1430 default_action = negative_action;
1431 action = SCMP_ACT_ALLOW;
7c66bae2 1432 } else {
469830d1
LP		 1433 default_action = SCMP_ACT_ALLOW;
1434 action = negative_action;
57183d11 1435 }
8351ceae 1436
165a31c0
LP		 1437 if (needs_ambient_hack) {
1438 r = seccomp_filter_set_add(c->syscall_filter, c->syscall_whitelist, syscall_filter_sets + SYSCALL_FILTER_SET_SETUID);
1439 if (r < 0)
1440 return r;
1441 }
1442
469830d1 1443 return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_filter, action);
4298d0b5
LP		 1444}
1445
469830d1
LP		 1446static int apply_syscall_archs(const Unit *u, const ExecContext *c) {
1447 assert(u);
4298d0b5
LP		 1448 assert(c);
1449
469830d1 1450 if (set_isempty(c->syscall_archs))
83f12b27
FS		 1451 return 0;
1452
469830d1
LP		 1453 if (skip_seccomp_unavailable(u, "SystemCallArchitectures="))
1454 return 0;
4298d0b5 1455
469830d1
LP		 1456 return seccomp_restrict_archs(c->syscall_archs);
1457}
4298d0b5 1458
469830d1
LP		 1459static int apply_address_families(const Unit* u, const ExecContext *c) {
1460 assert(u);
1461 assert(c);
4298d0b5 1462
469830d1
LP		 1463 if (!context_has_address_families(c))
1464 return 0;
4298d0b5 1465
469830d1
LP		 1466 if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
1467 return 0;
4298d0b5 1468
469830d1 1469 return seccomp_restrict_address_families(c->address_families, c->address_families_whitelist);
8351ceae 1470}
4298d0b5 1471
83f12b27 1472static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c) {
469830d1 1473 assert(u);
f3e43635
TM		 1474 assert(c);
1475
469830d1 1476 if (!c->memory_deny_write_execute)
83f12b27
FS		 1477 return 0;
1478
469830d1
LP		 1479 if (skip_seccomp_unavailable(u, "MemoryDenyWriteExecute="))
1480 return 0;
f3e43635 1481
469830d1 1482 return seccomp_memory_deny_write_execute();
f3e43635
TM		 1483}
1484
83f12b27 1485static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
469830d1 1486 assert(u);
f4170c67
LP		 1487 assert(c);
1488
469830d1 1489 if (!c->restrict_realtime)
83f12b27
FS		 1490 return 0;
1491
469830d1
LP		 1492 if (skip_seccomp_unavailable(u, "RestrictRealtime="))
1493 return 0;
f4170c67 1494
469830d1 1495 return seccomp_restrict_realtime();
f4170c67
LP		 1496}
1497
59e856c7 1498static int apply_protect_sysctl(const Unit *u, const ExecContext *c) {
469830d1 1499 assert(u);
59eeb84b
LP		 1500 assert(c);
1501
1502 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1503 * let's protect even those systems where this is left on in the kernel. */
1504
469830d1 1505 if (!c->protect_kernel_tunables)
59eeb84b
LP		 1506 return 0;
1507
469830d1
LP		 1508 if (skip_seccomp_unavailable(u, "ProtectKernelTunables="))
1509 return 0;
59eeb84b 1510
469830d1 1511 return seccomp_protect_sysctl();
59eeb84b
LP		 1512}
1513
59e856c7 1514static int apply_protect_kernel_modules(const Unit *u, const ExecContext *c) {
469830d1 1515 assert(u);
502d704e
DH		 1516 assert(c);
1517
25a8d8a0 1518 /* Turn off module syscalls on ProtectKernelModules=yes */
502d704e 1519
469830d1
LP		 1520 if (!c->protect_kernel_modules)
1521 return 0;
1522
502d704e
DH		 1523 if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
1524 return 0;
1525
469830d1 1526 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM));
502d704e
DH		 1527}
1528
59e856c7 1529static int apply_private_devices(const Unit *u, const ExecContext *c) {
469830d1 1530 assert(u);
ba128bb8
LP		 1531 assert(c);
1532
8f81a5f6 1533 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
ba128bb8 1534
469830d1
LP		 1535 if (!c->private_devices)
1536 return 0;
1537
ba128bb8
LP		 1538 if (skip_seccomp_unavailable(u, "PrivateDevices="))
1539 return 0;
1540
469830d1 1541 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
ba128bb8
LP		 1542}
1543
34cf6c43 1544static int apply_restrict_namespaces(const Unit *u, const ExecContext *c) {
469830d1 1545 assert(u);
add00535
LP		 1546 assert(c);
1547
1548 if (!exec_context_restrict_namespaces_set(c))
1549 return 0;
1550
1551 if (skip_seccomp_unavailable(u, "RestrictNamespaces="))
1552 return 0;
1553
1554 return seccomp_restrict_namespaces(c->restrict_namespaces);
1555}
1556
78e864e5 1557static int apply_lock_personality(const Unit* u, const ExecContext *c) {
e8132d63
LP		 1558 unsigned long personality;
1559 int r;
78e864e5
TM		 1560
1561 assert(u);
1562 assert(c);
1563
1564 if (!c->lock_personality)
1565 return 0;
1566
1567 if (skip_seccomp_unavailable(u, "LockPersonality="))
1568 return 0;
1569
e8132d63
LP		 1570 personality = c->personality;
1571
1572 /* If personality is not specified, use either PER_LINUX or PER_LINUX32 depending on what is currently set. */
1573 if (personality == PERSONALITY_INVALID) {
1574
1575 r = opinionated_personality(&personality);
1576 if (r < 0)
1577 return r;
1578 }
78e864e5
TM		 1579
1580 return seccomp_lock_personality(personality);
1581}
1582
c0467cf3 1583#endif
8351ceae 1584
31a7eb86
ZJS		 1585static void do_idle_pipe_dance(int idle_pipe[4]) {
1586 assert(idle_pipe);
1587
54eb2300
LP		 1588 idle_pipe[1] = safe_close(idle_pipe[1]);
1589 idle_pipe[2] = safe_close(idle_pipe[2]);
31a7eb86
ZJS		 1590
1591 if (idle_pipe[0] >= 0) {
1592 int r;
1593
1594 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1595
1596 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
c7cc737f
LP		 1597 ssize_t n;
1598
31a7eb86 1599 /* Signal systemd that we are bored and want to continue. */
c7cc737f
LP		 1600 n = write(idle_pipe[3], "x", 1);
1601 if (n > 0)
cd972d69
ZJS		 1602 /* Wait for systemd to react to the signal above. */
1603 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
31a7eb86
ZJS		 1604 }
1605
54eb2300 1606 idle_pipe[0] = safe_close(idle_pipe[0]);
31a7eb86
ZJS		 1607
1608 }
1609
54eb2300 1610 idle_pipe[3] = safe_close(idle_pipe[3]);
31a7eb86
ZJS		 1611}
1612
7cae38c4 1613static int build_environment(
34cf6c43 1614 const Unit *u,
9fa95f85 1615 const ExecContext *c,
1e22b5cd 1616 const ExecParameters *p,
7cae38c4
LP		 1617 unsigned n_fds,
1618 const char *home,
1619 const char *username,
1620 const char *shell,
7bce046b
LP		 1621 dev_t journal_stream_dev,
1622 ino_t journal_stream_ino,
7cae38c4
LP		 1623 char ***ret) {
1624
1625 _cleanup_strv_free_ char **our_env = NULL;
1626 unsigned n_env = 0;
1627 char *x;
1628
4b58153d 1629 assert(u);
7cae38c4
LP		 1630 assert(c);
1631 assert(ret);
1632
4b58153d 1633 our_env = new0(char*, 14);
7cae38c4
LP		 1634 if (!our_env)
1635 return -ENOMEM;
1636
1637 if (n_fds > 0) {
8dd4c05b
LP		 1638 _cleanup_free_ char *joined = NULL;
1639
df0ff127 1640 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid_cached()) < 0)
7cae38c4
LP		 1641 return -ENOMEM;
1642 our_env[n_env++] = x;
1643
1644 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1645 return -ENOMEM;
1646 our_env[n_env++] = x;
8dd4c05b 1647
1e22b5cd 1648 joined = strv_join(p->fd_names, ":");
8dd4c05b
LP		 1649 if (!joined)
1650 return -ENOMEM;
1651
605405c6 1652 x = strjoin("LISTEN_FDNAMES=", joined);
8dd4c05b
LP		 1653 if (!x)
1654 return -ENOMEM;
1655 our_env[n_env++] = x;
7cae38c4
LP		 1656 }
1657
b08af3b1 1658 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
df0ff127 1659 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid_cached()) < 0)
09812eb7
LP		 1660 return -ENOMEM;
1661 our_env[n_env++] = x;
1662
1e22b5cd 1663 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
09812eb7
LP		 1664 return -ENOMEM;
1665 our_env[n_env++] = x;
1666 }
1667
fd63e712
LP		 1668 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1669 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1670 * check the database directly. */
ac647978 1671 if (p->flags & EXEC_NSS_BYPASS_BUS) {
fd63e712
LP		 1672 x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1673 if (!x)
1674 return -ENOMEM;
1675 our_env[n_env++] = x;
1676 }
1677
7cae38c4
LP		 1678 if (home) {
1679 x = strappend("HOME=", home);
1680 if (!x)
1681 return -ENOMEM;
1682 our_env[n_env++] = x;
1683 }
1684
1685 if (username) {
1686 x = strappend("LOGNAME=", username);
1687 if (!x)
1688 return -ENOMEM;
1689 our_env[n_env++] = x;
1690
1691 x = strappend("USER=", username);
1692 if (!x)
1693 return -ENOMEM;
1694 our_env[n_env++] = x;
1695 }
1696
1697 if (shell) {
1698 x = strappend("SHELL=", shell);
1699 if (!x)
1700 return -ENOMEM;
1701 our_env[n_env++] = x;
1702 }
1703
4b58153d
LP		 1704 if (!sd_id128_is_null(u->invocation_id)) {
1705 if (asprintf(&x, "INVOCATION_ID=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(u->invocation_id)) < 0)
1706 return -ENOMEM;
1707
1708 our_env[n_env++] = x;
1709 }
1710
6af760f3
LP		 1711 if (exec_context_needs_term(c)) {
1712 const char *tty_path, *term = NULL;
1713
1714 tty_path = exec_context_tty_path(c);
1715
1716 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try to inherit
1717 * the $TERM set for PID 1. This is useful for containers so that the $TERM the container manager
1718 * passes to PID 1 ends up all the way in the console login shown. */
1719
1720 if (path_equal(tty_path, "/dev/console") && getppid() == 1)
1721 term = getenv("TERM");
1722 if (!term)
1723 term = default_term_for_tty(tty_path);
7cae38c4 1724
6af760f3 1725 x = strappend("TERM=", term);
7cae38c4
LP		 1726 if (!x)
1727 return -ENOMEM;
1728 our_env[n_env++] = x;
1729 }
1730
7bce046b
LP		 1731 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1732 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1733 return -ENOMEM;
1734
1735 our_env[n_env++] = x;
1736 }
1737
7cae38c4 1738 our_env[n_env++] = NULL;
7bce046b 1739 assert(n_env <= 12);
7cae38c4
LP		 1740
1741 *ret = our_env;
1742 our_env = NULL;
1743
1744 return 0;
1745}
1746
b4c14404
FB		 1747static int build_pass_environment(const ExecContext *c, char ***ret) {
1748 _cleanup_strv_free_ char **pass_env = NULL;
1749 size_t n_env = 0, n_bufsize = 0;
1750 char **i;
1751
1752 STRV_FOREACH(i, c->pass_environment) {
1753 _cleanup_free_ char *x = NULL;
1754 char *v;
1755
1756 v = getenv(*i);
1757 if (!v)
1758 continue;
605405c6 1759 x = strjoin(*i, "=", v);
b4c14404
FB		 1760 if (!x)
1761 return -ENOMEM;
00819cc1 1762
b4c14404
FB		 1763 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1764 return -ENOMEM;
00819cc1 1765
b4c14404
FB		 1766 pass_env[n_env++] = x;
1767 pass_env[n_env] = NULL;
1768 x = NULL;
1769 }
1770
1771 *ret = pass_env;
1772 pass_env = NULL;
1773
1774 return 0;
1775}
1776
8b44a3d2
LP		 1777static bool exec_needs_mount_namespace(
1778 const ExecContext *context,
1779 const ExecParameters *params,
4657abb5 1780 const ExecRuntime *runtime) {
8b44a3d2
LP		 1781
1782 assert(context);
1783 assert(params);
1784
915e6d16
LP		 1785 if (context->root_image)
1786 return true;
1787
2a624c36
AP		 1788 if (!strv_isempty(context->read_write_paths) ||
1789 !strv_isempty(context->read_only_paths) ||
1790 !strv_isempty(context->inaccessible_paths))
8b44a3d2
LP		 1791 return true;
1792
42b1d8e0 1793 if (context->n_bind_mounts > 0)
d2d6c096
LP		 1794 return true;
1795
8b44a3d2
LP		 1796 if (context->mount_flags != 0)
1797 return true;
1798
1799 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1800 return true;
1801
8b44a3d2
LP		 1802 if (context->private_devices ||
1803 context->protect_system != PROTECT_SYSTEM_NO ||
59eeb84b
LP		 1804 context->protect_home != PROTECT_HOME_NO ||
1805 context->protect_kernel_tunables ||
c575770b 1806 context->protect_kernel_modules ||
59eeb84b 1807 context->protect_control_groups)
8b44a3d2
LP		 1808 return true;
1809
9c988f93 1810 if (context->mount_apivfs && (context->root_image || context->root_directory))
5d997827
LP		 1811 return true;
1812
42b1d8e0 1813 if (context->dynamic_user &&
b43ee82f 1814 (!strv_isempty(context->directories[EXEC_DIRECTORY_STATE].paths) ||
42b1d8e0
YW		 1815 !strv_isempty(context->directories[EXEC_DIRECTORY_CACHE].paths) ||
1816 !strv_isempty(context->directories[EXEC_DIRECTORY_LOGS].paths)))
1817 return true;
1818
8b44a3d2
LP		 1819 return false;
1820}
1821
d251207d
LP		 1822static int setup_private_users(uid_t uid, gid_t gid) {
1823 _cleanup_free_ char *uid_map = NULL, *gid_map = NULL;
1824 _cleanup_close_pair_ int errno_pipe[2] = { -1, -1 };
1825 _cleanup_close_ int unshare_ready_fd = -1;
1826 _cleanup_(sigkill_waitp) pid_t pid = 0;
1827 uint64_t c = 1;
d251207d
LP		 1828 ssize_t n;
1829 int r;
1830
1831 /* Set up a user namespace and map root to root, the selected UID/GID to itself, and everything else to
1832 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1833 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1834 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1835 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
1836 * continues execution normally. */
1837
587ab01b
ZJS		 1838 if (uid != 0 && uid_is_valid(uid)) {
1839 r = asprintf(&uid_map,
1840 "0 0 1\n" /* Map root → root */
1841 UID_FMT " " UID_FMT " 1\n", /* Map $UID → $UID */
1842 uid, uid);
1843 if (r < 0)
1844 return -ENOMEM;
1845 } else {
e0f3720e 1846 uid_map = strdup("0 0 1\n"); /* The case where the above is the same */
587ab01b
ZJS		 1847 if (!uid_map)
1848 return -ENOMEM;
1849 }
d251207d 1850
587ab01b
ZJS		 1851 if (gid != 0 && gid_is_valid(gid)) {
1852 r = asprintf(&gid_map,
1853 "0 0 1\n" /* Map root → root */
1854 GID_FMT " " GID_FMT " 1\n", /* Map $GID → $GID */
1855 gid, gid);
1856 if (r < 0)
1857 return -ENOMEM;
1858 } else {
d251207d 1859 gid_map = strdup("0 0 1\n"); /* The case where the above is the same */
587ab01b
ZJS		 1860 if (!gid_map)
1861 return -ENOMEM;
1862 }
d251207d
LP		 1863
1864 /* Create a communication channel so that the parent can tell the child when it finished creating the user
1865 * namespace. */
1866 unshare_ready_fd = eventfd(0, EFD_CLOEXEC);
1867 if (unshare_ready_fd < 0)
1868 return -errno;
1869
1870 /* Create a communication channel so that the child can tell the parent a proper error code in case it
1871 * failed. */
1872 if (pipe2(errno_pipe, O_CLOEXEC) < 0)
1873 return -errno;
1874
4c253ed1
LP		 1875 r = safe_fork("(sd-userns)", FORK_RESET_SIGNALS|FORK_DEATHSIG, &pid);
1876 if (r < 0)
1877 return r;
1878 if (r == 0) {
d251207d
LP		 1879 _cleanup_close_ int fd = -1;
1880 const char *a;
1881 pid_t ppid;
1882
1883 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
1884 * here, after the parent opened its own user namespace. */
1885
1886 ppid = getppid();
1887 errno_pipe[0] = safe_close(errno_pipe[0]);
1888
1889 /* Wait until the parent unshared the user namespace */
1890 if (read(unshare_ready_fd, &c, sizeof(c)) < 0) {
1891 r = -errno;
1892 goto child_fail;
1893 }
1894
1895 /* Disable the setgroups() system call in the child user namespace, for good. */
1896 a = procfs_file_alloca(ppid, "setgroups");
1897 fd = open(a, O_WRONLY|O_CLOEXEC);
1898 if (fd < 0) {
1899 if (errno != ENOENT) {
1900 r = -errno;
1901 goto child_fail;
1902 }
1903
1904 /* If the file is missing the kernel is too old, let's continue anyway. */
1905 } else {
1906 if (write(fd, "deny\n", 5) < 0) {
1907 r = -errno;
1908 goto child_fail;
1909 }
1910
1911 fd = safe_close(fd);
1912 }
1913
1914 /* First write the GID map */
1915 a = procfs_file_alloca(ppid, "gid_map");
1916 fd = open(a, O_WRONLY|O_CLOEXEC);
1917 if (fd < 0) {
1918 r = -errno;
1919 goto child_fail;
1920 }
1921 if (write(fd, gid_map, strlen(gid_map)) < 0) {
1922 r = -errno;
1923 goto child_fail;
1924 }
1925 fd = safe_close(fd);
1926
1927 /* The write the UID map */
1928 a = procfs_file_alloca(ppid, "uid_map");
1929 fd = open(a, O_WRONLY|O_CLOEXEC);
1930 if (fd < 0) {
1931 r = -errno;
1932 goto child_fail;
1933 }
1934 if (write(fd, uid_map, strlen(uid_map)) < 0) {
1935 r = -errno;
1936 goto child_fail;
1937 }
1938
1939 _exit(EXIT_SUCCESS);
1940
1941 child_fail:
1942 (void) write(errno_pipe[1], &r, sizeof(r));
1943 _exit(EXIT_FAILURE);
1944 }
1945
1946 errno_pipe[1] = safe_close(errno_pipe[1]);
1947
1948 if (unshare(CLONE_NEWUSER) < 0)
1949 return -errno;
1950
1951 /* Let the child know that the namespace is ready now */
1952 if (write(unshare_ready_fd, &c, sizeof(c)) < 0)
1953 return -errno;
1954
1955 /* Try to read an error code from the child */
1956 n = read(errno_pipe[0], &r, sizeof(r));
1957 if (n < 0)
1958 return -errno;
1959 if (n == sizeof(r)) { /* an error code was sent to us */
1960 if (r < 0)
1961 return r;
1962 return -EIO;
1963 }
1964 if (n != 0) /* on success we should have read 0 bytes */
1965 return -EIO;
1966
2e87a1fd
LP		 1967 r = wait_for_terminate_and_check("(sd-userns)", pid, 0);
1968 pid = 0;
d251207d
LP		 1969 if (r < 0)
1970 return r;
2e87a1fd 1971 if (r != EXIT_SUCCESS) /* If something strange happened with the child, let's consider this fatal, too */
d251207d
LP		 1972 return -EIO;
1973
1974 return 0;
1975}
1976
3536f49e 1977static int setup_exec_directory(
07689d5d
LP		 1978 const ExecContext *context,
1979 const ExecParameters *params,
1980 uid_t uid,
3536f49e 1981 gid_t gid,
3536f49e
YW		 1982 ExecDirectoryType type,
1983 int *exit_status) {
07689d5d 1984
72fd1768 1985 static const int exit_status_table[_EXEC_DIRECTORY_TYPE_MAX] = {
3536f49e
YW		 1986 [EXEC_DIRECTORY_RUNTIME] = EXIT_RUNTIME_DIRECTORY,
1987 [EXEC_DIRECTORY_STATE] = EXIT_STATE_DIRECTORY,
1988 [EXEC_DIRECTORY_CACHE] = EXIT_CACHE_DIRECTORY,
1989 [EXEC_DIRECTORY_LOGS] = EXIT_LOGS_DIRECTORY,
1990 [EXEC_DIRECTORY_CONFIGURATION] = EXIT_CONFIGURATION_DIRECTORY,
1991 };
07689d5d
LP		 1992 char **rt;
1993 int r;
1994
1995 assert(context);
1996 assert(params);
72fd1768 1997 assert(type >= 0 && type < _EXEC_DIRECTORY_TYPE_MAX);
3536f49e 1998 assert(exit_status);
07689d5d 1999
3536f49e
YW		 2000 if (!params->prefix[type])
2001 return 0;
2002
8679efde 2003 if (params->flags & EXEC_CHOWN_DIRECTORIES) {
3536f49e
YW		 2004 if (!uid_is_valid(uid))
2005 uid = 0;
2006 if (!gid_is_valid(gid))
2007 gid = 0;
2008 }
2009
2010 STRV_FOREACH(rt, context->directories[type].paths) {
6c47cd7d
LP		 2011 _cleanup_free_ char *p = NULL, *pp = NULL;
2012 const char *effective;
07689d5d 2013
3536f49e
YW		 2014 p = strjoin(params->prefix[type], "/", *rt);
2015 if (!p) {
2016 r = -ENOMEM;
2017 goto fail;
2018 }
07689d5d 2019
23a7448e
YW		 2020 r = mkdir_parents_label(p, 0755);
2021 if (r < 0)
3536f49e 2022 goto fail;
23a7448e 2023
8092a48c
YW		 2024 if (context->dynamic_user &&
2025 !IN_SET(type, EXEC_DIRECTORY_RUNTIME, EXEC_DIRECTORY_CONFIGURATION)) {
6c47cd7d
LP		 2026 _cleanup_free_ char *private_root = NULL, *relative = NULL, *parent = NULL;
2027
2028 /* So, here's one extra complication when dealing with DynamicUser=1 units. In that case we
2029 * want to avoid leaving a directory around fully accessible that is owned by a dynamic user
2030 * whose UID is later on reused. To lock this down we use the same trick used by container
2031 * managers to prohibit host users to get access to files of the same UID in containers: we
2032 * place everything inside a directory that has an access mode of 0700 and is owned root:root,
2033 * so that it acts as security boundary for unprivileged host code. We then use fs namespacing
2034 * to make this directory permeable for the service itself.
2035 *
2036 * Specifically: for a service which wants a special directory "foo/" we first create a
2037 * directory "private/" with access mode 0700 owned by root:root. Then we place "foo" inside of
2038 * that directory (i.e. "private/foo/"), and make "foo" a symlink to "private/foo". This way,
2039 * privileged host users can access "foo/" as usual, but unprivileged host users can't look
2040 * into it. Inside of the namespaceof the container "private/" is replaced by a more liberally
2041 * accessible tmpfs, into which the host's "private/foo/" is mounted under the same name, thus
2042 * disabling the access boundary for the service and making sure it only gets access to the
2043 * dirs it needs but no others. Tricky? Yes, absolutely, but it works!
2044 *
2045 * Note that we don't do this for EXEC_DIRECTORY_CONFIGURATION as that's assumed not to be
8092a48c
YW		 2046 * owned by the service itself.
2047 * Also, note that we don't do this for EXEC_DIRECTORY_RUNTIME as that's often used for sharing
2048 * files or sockets with other services. */
6c47cd7d
LP		 2049
2050 private_root = strjoin(params->prefix[type], "/private");
2051 if (!private_root) {
2052 r = -ENOMEM;
2053 goto fail;
2054 }
2055
2056 /* First set up private root if it doesn't exist yet, with access mode 0700 and owned by root:root */
c31ad024 2057 r = mkdir_safe_label(private_root, 0700, 0, 0, false);
6c47cd7d
LP		 2058 if (r < 0)
2059 goto fail;
2060
2061 pp = strjoin(private_root, "/", *rt);
2062 if (!pp) {
2063 r = -ENOMEM;
2064 goto fail;
2065 }
2066
2067 /* Create all directories between the configured directory and this private root, and mark them 0755 */
2068 r = mkdir_parents_label(pp, 0755);
2069 if (r < 0)
2070 goto fail;
2071
949befd3
LP		 2072 if (is_dir(p, false) > 0 &&
2073 (laccess(pp, F_OK) < 0 && errno == ENOENT)) {
2074
2075 /* Hmm, the private directory doesn't exist yet, but the normal one exists? If so, move
2076 * it over. Most likely the service has been upgraded from one that didn't use
2077 * DynamicUser=1, to one that does. */
2078
2079 if (rename(p, pp) < 0) {
2080 r = -errno;
2081 goto fail;
2082 }
2083 } else {
2084 /* Otherwise, create the actual directory for the service */
2085
2086 r = mkdir_label(pp, context->directories[type].mode);
2087 if (r < 0 && r != -EEXIST)
2088 goto fail;
2089 }
6c47cd7d
LP		 2090
2091 parent = dirname_malloc(p);
2092 if (!parent) {
2093 r = -ENOMEM;
2094 goto fail;
2095 }
2096
2097 r = path_make_relative(parent, pp, &relative);
2098 if (r < 0)
2099 goto fail;
2100
2101 /* And link it up from the original place */
2102 r = symlink_idempotent(relative, p);
2103 if (r < 0)
2104 goto fail;
2105
2106 effective = pp;
2107
2108 } else {
2109 r = mkdir_label(p, context->directories[type].mode);
2110 if (r < 0 && r != -EEXIST)
2111 goto fail;
2112
2113 effective = p;
2114 }
a1164ae3
LP		 2115
2116 /* First lock down the access mode */
6c47cd7d 2117 if (chmod(effective, context->directories[type].mode) < 0) {
a1164ae3 2118 r = -errno;
3536f49e 2119 goto fail;
a1164ae3 2120 }
07689d5d 2121
c71b2eb7
LP		 2122 /* Don't change the owner of the configuration directory, as in the common case it is not written to by
2123 * a service, and shall not be writable. */
2124 if (type == EXEC_DIRECTORY_CONFIGURATION)
2125 continue;
2126
a1164ae3 2127 /* Then, change the ownership of the whole tree, if necessary */
6c47cd7d 2128 r = path_chown_recursive(effective, uid, gid);
07689d5d 2129 if (r < 0)
3536f49e 2130 goto fail;
07689d5d
LP		 2131 }
2132
2133 return 0;
3536f49e
YW		 2134
2135fail:
2136 *exit_status = exit_status_table[type];
3536f49e 2137 return r;
07689d5d
LP		 2138}
2139
92b423b9 2140#if ENABLE_SMACK
cefc33ae
LP		 2141static int setup_smack(
2142 const ExecContext *context,
2143 const ExecCommand *command) {
2144
cefc33ae
LP		 2145 int r;
2146
2147 assert(context);
2148 assert(command);
2149
cefc33ae
LP		 2150 if (context->smack_process_label) {
2151 r = mac_smack_apply_pid(0, context->smack_process_label);
2152 if (r < 0)
2153 return r;
2154 }
2155#ifdef SMACK_DEFAULT_PROCESS_LABEL
2156 else {
2157 _cleanup_free_ char *exec_label = NULL;
2158
2159 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
4c701096 2160 if (r < 0 && !IN_SET(r, -ENODATA, -EOPNOTSUPP))
cefc33ae
LP		 2161 return r;
2162
2163 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
2164 if (r < 0)
2165 return r;
2166 }
cefc33ae
LP		 2167#endif
2168
2169 return 0;
2170}
92b423b9 2171#endif
cefc33ae 2172
6c47cd7d
LP		 2173static int compile_bind_mounts(
2174 const ExecContext *context,
2175 const ExecParameters *params,
2176 BindMount **ret_bind_mounts,
2177 unsigned *ret_n_bind_mounts,
2178 char ***ret_empty_directories) {
2179
2180 _cleanup_strv_free_ char **empty_directories = NULL;
2181 BindMount *bind_mounts;
2182 unsigned n, h = 0, i;
2183 ExecDirectoryType t;
2184 int r;
2185
2186 assert(context);
2187 assert(params);
2188 assert(ret_bind_mounts);
2189 assert(ret_n_bind_mounts);
2190 assert(ret_empty_directories);
2191
2192 n = context->n_bind_mounts;
2193 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
2194 if (!params->prefix[t])
2195 continue;
2196
2197 n += strv_length(context->directories[t].paths);
2198 }
2199
2200 if (n <= 0) {
2201 *ret_bind_mounts = NULL;
2202 *ret_n_bind_mounts = 0;
2203 *ret_empty_directories = NULL;
2204 return 0;
2205 }
2206
2207 bind_mounts = new(BindMount, n);
2208 if (!bind_mounts)
2209 return -ENOMEM;
2210
a8cabc61 2211 for (i = 0; i < context->n_bind_mounts; i++) {
6c47cd7d
LP		 2212 BindMount *item = context->bind_mounts + i;
2213 char *s, *d;
2214
2215 s = strdup(item->source);
2216 if (!s) {
2217 r = -ENOMEM;
2218 goto finish;
2219 }
2220
2221 d = strdup(item->destination);
2222 if (!d) {
2223 free(s);
2224 r = -ENOMEM;
2225 goto finish;
2226 }
2227
2228 bind_mounts[h++] = (BindMount) {
2229 .source = s,
2230 .destination = d,
2231 .read_only = item->read_only,
2232 .recursive = item->recursive,
2233 .ignore_enoent = item->ignore_enoent,
2234 };
2235 }
2236
2237 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
2238 char **suffix;
2239
2240 if (!params->prefix[t])
2241 continue;
2242
2243 if (strv_isempty(context->directories[t].paths))
2244 continue;
2245
8092a48c
YW		 2246 if (context->dynamic_user &&
2247 !IN_SET(t, EXEC_DIRECTORY_RUNTIME, EXEC_DIRECTORY_CONFIGURATION)) {
6c47cd7d
LP		 2248 char *private_root;
2249
2250 /* So this is for a dynamic user, and we need to make sure the process can access its own
2251 * directory. For that we overmount the usually inaccessible "private" subdirectory with a
2252 * tmpfs that makes it accessible and is empty except for the submounts we do this for. */
2253
2254 private_root = strjoin(params->prefix[t], "/private");
2255 if (!private_root) {
2256 r = -ENOMEM;
2257 goto finish;
2258 }
2259
2260 r = strv_consume(&empty_directories, private_root);
2261 if (r < 0) {
2262 r = -ENOMEM;
2263 goto finish;
2264 }
2265 }
2266
2267 STRV_FOREACH(suffix, context->directories[t].paths) {
2268 char *s, *d;
2269
8092a48c
YW		 2270 if (context->dynamic_user &&
2271 !IN_SET(t, EXEC_DIRECTORY_RUNTIME, EXEC_DIRECTORY_CONFIGURATION))
6c47cd7d
LP		 2272 s = strjoin(params->prefix[t], "/private/", *suffix);
2273 else
2274 s = strjoin(params->prefix[t], "/", *suffix);
2275 if (!s) {
2276 r = -ENOMEM;
2277 goto finish;
2278 }
2279
2280 d = strdup(s);
2281 if (!d) {
2282 free(s);
2283 r = -ENOMEM;
2284 goto finish;
2285 }
2286
2287 bind_mounts[h++] = (BindMount) {
2288 .source = s,
2289 .destination = d,
2290 .read_only = false,
2291 .recursive = true,
2292 .ignore_enoent = false,
2293 };
2294 }
2295 }
2296
2297 assert(h == n);
2298
2299 *ret_bind_mounts = bind_mounts;
2300 *ret_n_bind_mounts = n;
2301 *ret_empty_directories = empty_directories;
2302
2303 empty_directories = NULL;
2304
2305 return (int) n;
2306
2307finish:
2308 bind_mount_free_many(bind_mounts, h);
2309 return r;
2310}
2311
6818c54c 2312static int apply_mount_namespace(
34cf6c43
YW		 2313 const Unit *u,
2314 const ExecCommand *command,
6818c54c
LP		 2315 const ExecContext *context,
2316 const ExecParameters *params,
34cf6c43 2317 const ExecRuntime *runtime) {
6818c54c 2318
7bcef4ef 2319 _cleanup_strv_free_ char **empty_directories = NULL;
93c6bb51 2320 char *tmp = NULL, *var = NULL;
915e6d16 2321 const char *root_dir = NULL, *root_image = NULL;
bb0ff3fb 2322 NamespaceInfo ns_info = {
af964954 2323 .ignore_protect_paths = false,
93c6bb51
DH		 2324 .private_dev = context->private_devices,
2325 .protect_control_groups = context->protect_control_groups,
2326 .protect_kernel_tunables = context->protect_kernel_tunables,
2327 .protect_kernel_modules = context->protect_kernel_modules,
5d997827 2328 .mount_apivfs = context->mount_apivfs,
93c6bb51 2329 };
165a31c0 2330 bool needs_sandboxing;
6c47cd7d
LP		 2331 BindMount *bind_mounts = NULL;
2332 unsigned n_bind_mounts = 0;
6818c54c 2333 int r;
93c6bb51 2334
2b3c1b9e
DH		 2335 assert(context);
2336
93c6bb51
DH		 2337 /* The runtime struct only contains the parent of the private /tmp,
2338 * which is non-accessible to world users. Inside of it there's a /tmp
2339 * that is sticky, and that's the one we want to use here. */
2340
2341 if (context->private_tmp && runtime) {
2342 if (runtime->tmp_dir)
2343 tmp = strjoina(runtime->tmp_dir, "/tmp");
2344 if (runtime->var_tmp_dir)
2345 var = strjoina(runtime->var_tmp_dir, "/tmp");
2346 }
2347
915e6d16
LP		 2348 if (params->flags & EXEC_APPLY_CHROOT) {
2349 root_image = context->root_image;
2350
2351 if (!root_image)
2352 root_dir = context->root_directory;
2353 }
93c6bb51 2354
6c47cd7d
LP		 2355 r = compile_bind_mounts(context, params, &bind_mounts, &n_bind_mounts, &empty_directories);
2356 if (r < 0)
2357 return r;
2358
af964954
DH		 2359 /*
2360 * If DynamicUser=no and RootDirectory= is set then lets pass a relaxed
2361 * sandbox info, otherwise enforce it, don't ignore protected paths and
2362 * fail if we are enable to apply the sandbox inside the mount namespace.
2363 */
2364 if (!context->dynamic_user && root_dir)
2365 ns_info.ignore_protect_paths = true;
2366
165a31c0 2367 needs_sandboxing = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & EXEC_COMMAND_FULLY_PRIVILEGED);
6818c54c 2368
915e6d16 2369 r = setup_namespace(root_dir, root_image,
7bcef4ef 2370 &ns_info, context->read_write_paths,
165a31c0
LP		 2371 needs_sandboxing ? context->read_only_paths : NULL,
2372 needs_sandboxing ? context->inaccessible_paths : NULL,
6c47cd7d
LP		 2373 empty_directories,
2374 bind_mounts,
2375 n_bind_mounts,
93c6bb51
DH		 2376 tmp,
2377 var,
165a31c0
LP		 2378 needs_sandboxing ? context->protect_home : PROTECT_HOME_NO,
2379 needs_sandboxing ? context->protect_system : PROTECT_SYSTEM_NO,
915e6d16
LP		 2380 context->mount_flags,
2381 DISSECT_IMAGE_DISCARD_ON_LOOP);
93c6bb51 2382
6c47cd7d
LP		 2383 bind_mount_free_many(bind_mounts, n_bind_mounts);
2384
93c6bb51
DH		 2385 /* If we couldn't set up the namespace this is probably due to a
2386 * missing capability. In this case, silently proceeed. */
2387 if (IN_SET(r, -EPERM, -EACCES)) {
93c6bb51 2388 log_unit_debug_errno(u, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
86ffb325 2389 return 0;
93c6bb51
DH		 2390 }
2391
2392 return r;
2393}
2394
915e6d16
LP		 2395static int apply_working_directory(
2396 const ExecContext *context,
2397 const ExecParameters *params,
2398 const char *home,
376fecf6
LP		 2399 const bool needs_mount_ns,
2400 int *exit_status) {
915e6d16 2401
6732edab 2402 const char *d, *wd;
2b3c1b9e
DH		 2403
2404 assert(context);
376fecf6 2405 assert(exit_status);
2b3c1b9e 2406
6732edab
LP		 2407 if (context->working_directory_home) {
2408
376fecf6
LP		 2409 if (!home) {
2410 *exit_status = EXIT_CHDIR;
6732edab 2411 return -ENXIO;
376fecf6 2412 }
6732edab 2413
2b3c1b9e 2414 wd = home;
6732edab
LP		 2415
2416 } else if (context->working_directory)
2b3c1b9e
DH		 2417 wd = context->working_directory;
2418 else
2419 wd = "/";
e7f1e7c6
DH		 2420
2421 if (params->flags & EXEC_APPLY_CHROOT) {
2422 if (!needs_mount_ns && context->root_directory)
376fecf6
LP		 2423 if (chroot(context->root_directory) < 0) {
2424 *exit_status = EXIT_CHROOT;
e7f1e7c6 2425 return -errno;
376fecf6 2426 }
e7f1e7c6 2427
2b3c1b9e
DH		 2428 d = wd;
2429 } else
3b0e5bb5 2430 d = prefix_roota(context->root_directory, wd);
e7f1e7c6 2431
376fecf6
LP		 2432 if (chdir(d) < 0 && !context->working_directory_missing_ok) {
2433 *exit_status = EXIT_CHDIR;
2b3c1b9e 2434 return -errno;
376fecf6 2435 }
e7f1e7c6
DH		 2436
2437 return 0;
2438}
2439
b1edf445 2440static int setup_keyring(
34cf6c43 2441 const Unit *u,
b1edf445
LP		 2442 const ExecContext *context,
2443 const ExecParameters *p,
2444 uid_t uid, gid_t gid) {
2445
74dd6b51 2446 key_serial_t keyring;
b1edf445 2447 int r;
74dd6b51
LP		 2448
2449 assert(u);
b1edf445 2450 assert(context);
74dd6b51
LP		 2451 assert(p);
2452
2453 /* Let's set up a new per-service "session" kernel keyring for each system service. This has the benefit that
2454 * each service runs with its own keyring shared among all processes of the service, but with no hook-up beyond
2455 * that scope, and in particular no link to the per-UID keyring. If we don't do this the keyring will be
2456 * automatically created on-demand and then linked to the per-UID keyring, by the kernel. The kernel's built-in
2457 * on-demand behaviour is very appropriate for login users, but probably not so much for system services, where
2458 * UIDs are not necessarily specific to a service but reused (at least in the case of UID 0). */
2459
2460 if (!(p->flags & EXEC_NEW_KEYRING))
2461 return 0;
2462
b1edf445
LP		 2463 if (context->keyring_mode == EXEC_KEYRING_INHERIT)
2464 return 0;
2465
74dd6b51
LP		 2466 keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0);
2467 if (keyring == -1) {
2468 if (errno == ENOSYS)
8002fb97 2469 log_unit_debug_errno(u, errno, "Kernel keyring not supported, ignoring.");
74dd6b51 2470 else if (IN_SET(errno, EACCES, EPERM))
8002fb97 2471 log_unit_debug_errno(u, errno, "Kernel keyring access prohibited, ignoring.");
74dd6b51 2472 else if (errno == EDQUOT)
8002fb97 2473 log_unit_debug_errno(u, errno, "Out of kernel keyrings to allocate, ignoring.");
74dd6b51 2474 else
8002fb97 2475 return log_unit_error_errno(u, errno, "Setting up kernel keyring failed: %m");
74dd6b51
LP		 2476
2477 return 0;
2478 }
2479
b3415f5d
LP		 2480 /* Populate they keyring with the invocation ID by default. */
2481 if (!sd_id128_is_null(u->invocation_id)) {
2482 key_serial_t key;
2483
2484 key = add_key("user", "invocation_id", &u->invocation_id, sizeof(u->invocation_id), KEY_SPEC_SESSION_KEYRING);
2485 if (key == -1)
8002fb97 2486 log_unit_debug_errno(u, errno, "Failed to add invocation ID to keyring, ignoring: %m");
b3415f5d
LP		 2487 else {
2488 if (keyctl(KEYCTL_SETPERM, key,
2489 KEY_POS_VIEW|KEY_POS_READ|KEY_POS_SEARCH|
2490 KEY_USR_VIEW|KEY_USR_READ|KEY_USR_SEARCH, 0, 0) < 0)
8002fb97 2491 return log_unit_error_errno(u, errno, "Failed to restrict invocation ID permission: %m");
b3415f5d
LP		 2492 }
2493 }
2494
74dd6b51
LP		 2495 /* And now, make the keyring owned by the service's user */
2496 if (uid_is_valid(uid) || gid_is_valid(gid))
2497 if (keyctl(KEYCTL_CHOWN, keyring, uid, gid, 0) < 0)
8002fb97 2498 return log_unit_error_errno(u, errno, "Failed to change ownership of session keyring: %m");
74dd6b51 2499
b1edf445
LP		 2500 /* When requested link the user keyring into the session keyring. */
2501 if (context->keyring_mode == EXEC_KEYRING_SHARED) {
2502 uid_t saved_uid;
2503 gid_t saved_gid;
2504
2505 /* Acquiring a reference to the user keyring is nasty. We briefly change identity in order to get things
2506 * set up properly by the kernel. If we don't do that then we can't create it atomically, and that
2507 * sucks for parallel execution. This mimics what pam_keyinit does, too.*/
2508
2509 saved_uid = getuid();
2510 saved_gid = getgid();
2511
2512 if (gid_is_valid(gid) && gid != saved_gid) {
2513 if (setregid(gid, -1) < 0)
8002fb97 2514 return log_unit_error_errno(u, errno, "Failed to change GID for user keyring: %m");
b1edf445
LP		 2515 }
2516
2517 if (uid_is_valid(uid) && uid != saved_uid) {
2518 if (setreuid(uid, -1) < 0) {
2519 (void) setregid(saved_gid, -1);
8002fb97 2520 return log_unit_error_errno(u, errno, "Failed to change UID for user keyring: %m");
b1edf445
LP		 2521 }
2522 }
2523
2524 if (keyctl(KEYCTL_LINK,
2525 KEY_SPEC_USER_KEYRING,
2526 KEY_SPEC_SESSION_KEYRING, 0, 0) < 0) {
2527
2528 r = -errno;
2529
2530 (void) setreuid(saved_uid, -1);
2531 (void) setregid(saved_gid, -1);
2532
8002fb97 2533 return log_unit_error_errno(u, r, "Failed to link user keyring into session keyring: %m");
b1edf445
LP		 2534 }
2535
2536 if (uid_is_valid(uid) && uid != saved_uid) {
2537 if (setreuid(saved_uid, -1) < 0) {
2538 (void) setregid(saved_gid, -1);
8002fb97 2539 return log_unit_error_errno(u, errno, "Failed to change UID back for user keyring: %m");
b1edf445
LP		 2540 }
2541 }
2542
2543 if (gid_is_valid(gid) && gid != saved_gid) {
2544 if (setregid(saved_gid, -1) < 0)
8002fb97 2545 return log_unit_error_errno(u, errno, "Failed to change GID back for user keyring: %m");
b1edf445 2546 }
61ceaea5 2547 }
b1edf445 2548
74dd6b51
LP		 2549 return 0;
2550}
2551
34cf6c43 2552static void append_socket_pair(int *array, unsigned *n, const int pair[2]) {
29206d46
LP		 2553 assert(array);
2554 assert(n);
2555
2556 if (!pair)
2557 return;
2558
2559 if (pair[0] >= 0)
2560 array[(*n)++] = pair[0];
2561 if (pair[1] >= 0)
2562 array[(*n)++] = pair[1];
2563}
2564
a34ceba6
LP		 2565static int close_remaining_fds(
2566 const ExecParameters *params,
34cf6c43
YW		 2567 const ExecRuntime *runtime,
2568 const DynamicCreds *dcreds,
00d9ef85 2569 int user_lookup_fd,
a34ceba6
LP		 2570 int socket_fd,
2571 int *fds, unsigned n_fds) {
2572
2573 unsigned n_dont_close = 0;
00d9ef85 2574 int dont_close[n_fds + 12];
a34ceba6
LP		 2575
2576 assert(params);
2577
2578 if (params->stdin_fd >= 0)
2579 dont_close[n_dont_close++] = params->stdin_fd;
2580 if (params->stdout_fd >= 0)
2581 dont_close[n_dont_close++] = params->stdout_fd;
2582 if (params->stderr_fd >= 0)
2583 dont_close[n_dont_close++] = params->stderr_fd;
2584
2585 if (socket_fd >= 0)
2586 dont_close[n_dont_close++] = socket_fd;
2587 if (n_fds > 0) {
2588 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
2589 n_dont_close += n_fds;
2590 }
2591
29206d46
LP		 2592 if (runtime)
2593 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
2594
2595 if (dcreds) {
2596 if (dcreds->user)
2597 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
2598 if (dcreds->group)
2599 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
a34ceba6
LP		 2600 }
2601
00d9ef85
LP		 2602 if (user_lookup_fd >= 0)
2603 dont_close[n_dont_close++] = user_lookup_fd;
2604
a34ceba6
LP		 2605 return close_all_fds(dont_close, n_dont_close);
2606}
2607
00d9ef85
LP		 2608static int send_user_lookup(
2609 Unit *unit,
2610 int user_lookup_fd,
2611 uid_t uid,
2612 gid_t gid) {
2613
2614 assert(unit);
2615
2616 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
2617 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
2618 * specified. */
2619
2620 if (user_lookup_fd < 0)
2621 return 0;
2622
2623 if (!uid_is_valid(uid) && !gid_is_valid(gid))
2624 return 0;
2625
2626 if (writev(user_lookup_fd,
2627 (struct iovec[]) {
e6a7ec4b
LP		 2628 IOVEC_INIT(&uid, sizeof(uid)),
2629 IOVEC_INIT(&gid, sizeof(gid)),
2630 IOVEC_INIT_STRING(unit->id) }, 3) < 0)
00d9ef85
LP		 2631 return -errno;
2632
2633 return 0;
2634}
2635
6732edab
LP		 2636static int acquire_home(const ExecContext *c, uid_t uid, const char** home, char **buf) {
2637 int r;
2638
2639 assert(c);
2640 assert(home);
2641 assert(buf);
2642
2643 /* If WorkingDirectory=~ is set, try to acquire a usable home directory. */
2644
2645 if (*home)
2646 return 0;
2647
2648 if (!c->working_directory_home)
2649 return 0;
2650
2651 if (uid == 0) {
2652 /* Hardcode /root as home directory for UID 0 */
2653 *home = "/root";
2654 return 1;
2655 }
2656
2657 r = get_home_dir(buf);
2658 if (r < 0)
2659 return r;
2660
2661 *home = *buf;
2662 return 1;
2663}
2664
da50b85a
LP		 2665static int compile_suggested_paths(const ExecContext *c, const ExecParameters *p, char ***ret) {
2666 _cleanup_strv_free_ char ** list = NULL;
2667 ExecDirectoryType t;
2668 int r;
2669
2670 assert(c);
2671 assert(p);
2672 assert(ret);
2673
2674 assert(c->dynamic_user);
2675
2676 /* Compile a list of paths that it might make sense to read the owning UID from to use as initial candidate for
2677 * dynamic UID allocation, in order to save us from doing costly recursive chown()s of the special
2678 * directories. */
2679
2680 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
2681 char **i;
2682
2683 if (t == EXEC_DIRECTORY_CONFIGURATION)
2684 continue;
2685
2686 if (!p->prefix[t])
2687 continue;
2688
2689 STRV_FOREACH(i, c->directories[t].paths) {
2690 char *e;
2691
8092a48c
YW		 2692 if (t == EXEC_DIRECTORY_RUNTIME)
2693 e = strjoin(p->prefix[t], "/", *i);
2694 else
2695 e = strjoin(p->prefix[t], "/private/", *i);
da50b85a
LP		 2696 if (!e)
2697 return -ENOMEM;
2698
2699 r = strv_consume(&list, e);
2700 if (r < 0)
2701 return r;
2702 }
2703 }
2704
2705 *ret = list;
2706 list = NULL;
2707
2708 return 0;
2709}
2710
34cf6c43
YW		 2711static char *exec_command_line(char **argv);
2712
ff0af2a1 2713static int exec_child(
f2341e0a 2714 Unit *unit,
34cf6c43 2715 const ExecCommand *command,
ff0af2a1
LP		 2716 const ExecContext *context,
2717 const ExecParameters *params,
2718 ExecRuntime *runtime,
29206d46 2719 DynamicCreds *dcreds,
ff0af2a1
LP		 2720 char **argv,
2721 int socket_fd,
52c239d7 2722 int named_iofds[3],
4c47affc
FB		 2723 int *fds,
2724 unsigned n_storage_fds,
9b141911 2725 unsigned n_socket_fds,
ff0af2a1 2726 char **files_env,
00d9ef85 2727 int user_lookup_fd,
12145637 2728 int *exit_status) {
d35fbf6b 2729
2065ca69 2730 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **final_argv = NULL;
7f59dd35 2731 _cleanup_free_ char *home_buffer = NULL;
4d885bd3
DH		 2732 _cleanup_free_ gid_t *supplementary_gids = NULL;
2733 const char *username = NULL, *groupname = NULL;
2b3c1b9e 2734 const char *home = NULL, *shell = NULL;
7bce046b
LP		 2735 dev_t journal_stream_dev = 0;
2736 ino_t journal_stream_ino = 0;
165a31c0
LP		 2737 bool needs_sandboxing, /* Do we need to set up full sandboxing? (i.e. all namespacing, all MAC stuff, caps, yadda yadda */
2738 needs_setuid, /* Do we need to do the actual setresuid()/setresgid() calls? */
2739 needs_mount_namespace, /* Do we need to set up a mount namespace for this kernel? */
2740 needs_ambient_hack; /* Do we need to apply the ambient capabilities hack? */
349cc4a5 2741#if HAVE_SELINUX
7f59dd35 2742 _cleanup_free_ char *mac_selinux_context_net = NULL;
43b1f709 2743 bool use_selinux = false;
ecfbc84f 2744#endif
f9fa32f0 2745#if ENABLE_SMACK
43b1f709 2746 bool use_smack = false;
ecfbc84f 2747#endif
349cc4a5 2748#if HAVE_APPARMOR
43b1f709 2749 bool use_apparmor = false;
ecfbc84f 2750#endif
fed1e721
LP		 2751 uid_t uid = UID_INVALID;
2752 gid_t gid = GID_INVALID;
4d885bd3 2753 int i, r, ngids = 0;
4c47affc 2754 unsigned n_fds;
3536f49e 2755 ExecDirectoryType dt;
165a31c0 2756 int secure_bits;
034c6ed7 2757
f2341e0a 2758 assert(unit);
5cb5a6ff
LP		 2759 assert(command);
2760 assert(context);
d35fbf6b 2761 assert(params);
ff0af2a1 2762 assert(exit_status);
d35fbf6b
DM		 2763
2764 rename_process_from_path(command->path);
2765
2766 /* We reset exactly these signals, since they are the
2767 * only ones we set to SIG_IGN in the main daemon. All
2768 * others we leave untouched because we set them to
2769 * SIG_DFL or a valid handler initially, both of which
2770 * will be demoted to SIG_DFL. */
ce30c8dc
LP		 2771 (void) default_signals(SIGNALS_CRASH_HANDLER,
2772 SIGNALS_IGNORE, -1);
d35fbf6b
DM		 2773
2774 if (context->ignore_sigpipe)
ce30c8dc 2775 (void) ignore_signals(SIGPIPE, -1);
d35fbf6b 2776
ff0af2a1
LP		 2777 r = reset_signal_mask();
2778 if (r < 0) {
2779 *exit_status = EXIT_SIGNAL_MASK;
12145637 2780 return log_unit_error_errno(unit, r, "Failed to set process signal mask: %m");
d35fbf6b 2781 }
034c6ed7 2782
d35fbf6b
DM		 2783 if (params->idle_pipe)
2784 do_idle_pipe_dance(params->idle_pipe);
4f2d528d 2785
2c027c62
LP		 2786 /* Close fds we don't need very early to make sure we don't block init reexecution because it cannot bind its
2787 * sockets. Among the fds we close are the logging fds, and we want to keep them closed, so that we don't have
2788 * any fds open we don't really want open during the transition. In order to make logging work, we switch the
2789 * log subsystem into open_when_needed mode, so that it reopens the logs on every single log call. */
ff0af2a1 2790
d35fbf6b 2791 log_forget_fds();
2c027c62 2792 log_set_open_when_needed(true);
4f2d528d 2793
40a80078
LP		 2794 /* In case anything used libc syslog(), close this here, too */
2795 closelog();
2796
4c47affc 2797 n_fds = n_storage_fds + n_socket_fds;
00d9ef85 2798 r = close_remaining_fds(params, runtime, dcreds, user_lookup_fd, socket_fd, fds, n_fds);
ff0af2a1
LP		 2799 if (r < 0) {
2800 *exit_status = EXIT_FDS;
12145637 2801 return log_unit_error_errno(unit, r, "Failed to close unwanted file descriptors: %m");
8c7be95e
LP		 2802 }
2803
d35fbf6b
DM		 2804 if (!context->same_pgrp)
2805 if (setsid() < 0) {
ff0af2a1 2806 *exit_status = EXIT_SETSID;
12145637 2807 return log_unit_error_errno(unit, errno, "Failed to create new process session: %m");
d35fbf6b 2808 }
9e2f7c11 2809
1e22b5cd 2810 exec_context_tty_reset(context, params);
d35fbf6b 2811
c891efaf 2812 if (unit_shall_confirm_spawn(unit)) {
7d5ceb64 2813 const char *vc = params->confirm_spawn;
3b20f877
FB		 2814 _cleanup_free_ char *cmdline = NULL;
2815
2816 cmdline = exec_command_line(argv);
2817 if (!cmdline) {
0460aa5c 2818 *exit_status = EXIT_MEMORY;
12145637 2819 return log_oom();
3b20f877 2820 }
d35fbf6b 2821
eedf223a 2822 r = ask_for_confirmation(vc, unit, cmdline);
3b20f877
FB		 2823 if (r != CONFIRM_EXECUTE) {
2824 if (r == CONFIRM_PRETEND_SUCCESS) {
2825 *exit_status = EXIT_SUCCESS;
2826 return 0;
2827 }
ff0af2a1 2828 *exit_status = EXIT_CONFIRM;
12145637 2829 log_unit_error(unit, "Execution cancelled by the user");
d35fbf6b 2830 return -ECANCELED;
d35fbf6b
DM		 2831 }
2832 }
1a63a750 2833
29206d46 2834 if (context->dynamic_user && dcreds) {
da50b85a 2835 _cleanup_strv_free_ char **suggested_paths = NULL;
29206d46 2836
409093fe
LP		 2837 /* Make sure we bypass our own NSS module for any NSS checks */
2838 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
2839 *exit_status = EXIT_USER;
12145637 2840 return log_unit_error_errno(unit, errno, "Failed to update environment: %m");
409093fe
LP		 2841 }
2842
da50b85a
LP		 2843 r = compile_suggested_paths(context, params, &suggested_paths);
2844 if (r < 0) {
2845 *exit_status = EXIT_MEMORY;
2846 return log_oom();
2847 }
2848
2849 r = dynamic_creds_realize(dcreds, suggested_paths, &uid, &gid);
ff0af2a1
LP		 2850 if (r < 0) {
2851 *exit_status = EXIT_USER;
e2b0cc34
YW		 2852 if (r == -EILSEQ) {
2853 log_unit_error(unit, "Failed to update dynamic user credentials: User or group with specified name already exists.");
2854 return -EOPNOTSUPP;
2855 }
12145637 2856 return log_unit_error_errno(unit, r, "Failed to update dynamic user credentials: %m");
524daa8c 2857 }
524daa8c 2858
70dd455c 2859 if (!uid_is_valid(uid)) {
29206d46 2860 *exit_status = EXIT_USER;
12145637 2861 log_unit_error(unit, "UID validation failed for \""UID_FMT"\"", uid);
70dd455c
ZJS		 2862 return -ESRCH;
2863 }
2864
2865 if (!gid_is_valid(gid)) {
2866 *exit_status = EXIT_USER;
12145637 2867 log_unit_error(unit, "GID validation failed for \""GID_FMT"\"", gid);
29206d46
LP		 2868 return -ESRCH;
2869 }
5bc7452b 2870
29206d46
LP		 2871 if (dcreds->user)
2872 username = dcreds->user->name;
2873
2874 } else {
4d885bd3
DH		 2875 r = get_fixed_user(context, &username, &uid, &gid, &home, &shell);
2876 if (r < 0) {
2877 *exit_status = EXIT_USER;
12145637 2878 return log_unit_error_errno(unit, r, "Failed to determine user credentials: %m");
5bc7452b 2879 }
5bc7452b 2880
4d885bd3
DH		 2881 r = get_fixed_group(context, &groupname, &gid);
2882 if (r < 0) {
2883 *exit_status = EXIT_GROUP;
12145637 2884 return log_unit_error_errno(unit, r, "Failed to determine group credentials: %m");
4d885bd3 2885 }
cdc5d5c5 2886 }
29206d46 2887
cdc5d5c5
DH		 2888 /* Initialize user supplementary groups and get SupplementaryGroups= ones */
2889 r = get_supplementary_groups(context, username, groupname, gid,
2890 &supplementary_gids, &ngids);
2891 if (r < 0) {
2892 *exit_status = EXIT_GROUP;
12145637 2893 return log_unit_error_errno(unit, r, "Failed to determine supplementary groups: %m");
29206d46 2894 }
5bc7452b 2895
00d9ef85
LP		 2896 r = send_user_lookup(unit, user_lookup_fd, uid, gid);
2897 if (r < 0) {
2898 *exit_status = EXIT_USER;
12145637 2899 return log_unit_error_errno(unit, r, "Failed to send user credentials to PID1: %m");
00d9ef85
LP		 2900 }
2901
2902 user_lookup_fd = safe_close(user_lookup_fd);
2903
6732edab
LP		 2904 r = acquire_home(context, uid, &home, &home_buffer);
2905 if (r < 0) {
2906 *exit_status = EXIT_CHDIR;
12145637 2907 return log_unit_error_errno(unit, r, "Failed to determine $HOME for user: %m");
6732edab
LP		 2908 }
2909
d35fbf6b
DM		 2910 /* If a socket is connected to STDIN/STDOUT/STDERR, we
2911 * must sure to drop O_NONBLOCK */
2912 if (socket_fd >= 0)
a34ceba6 2913 (void) fd_nonblock(socket_fd, false);
acbb0225 2914
52c239d7 2915 r = setup_input(context, params, socket_fd, named_iofds);
ff0af2a1
LP		 2916 if (r < 0) {
2917 *exit_status = EXIT_STDIN;
12145637 2918 return log_unit_error_errno(unit, r, "Failed to set up standard input: %m");
d35fbf6b 2919 }
034c6ed7 2920
52c239d7 2921 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 2922 if (r < 0) {
2923 *exit_status = EXIT_STDOUT;
12145637 2924 return log_unit_error_errno(unit, r, "Failed to set up standard output: %m");
d35fbf6b
DM		 2925 }
2926
52c239d7 2927 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 2928 if (r < 0) {
2929 *exit_status = EXIT_STDERR;
12145637 2930 return log_unit_error_errno(unit, r, "Failed to set up standard error output: %m");
d35fbf6b
DM		 2931 }
2932
2933 if (params->cgroup_path) {
ff0af2a1
LP		 2934 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
2935 if (r < 0) {
2936 *exit_status = EXIT_CGROUP;
12145637 2937 return log_unit_error_errno(unit, r, "Failed to attach to cgroup %s: %m", params->cgroup_path);
309bff19 2938 }
d35fbf6b 2939 }
309bff19 2940
d35fbf6b 2941 if (context->oom_score_adjust_set) {
d5243d62 2942 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
f2b68789 2943
d5243d62
LP		 2944 /* When we can't make this change due to EPERM, then
2945 * let's silently skip over it. User namespaces
2946 * prohibit write access to this file, and we
2947 * shouldn't trip up over that. */
613b411c 2948
d5243d62 2949 sprintf(t, "%i", context->oom_score_adjust);
ad118bda 2950 r = write_string_file("/proc/self/oom_score_adj", t, 0);
12145637 2951 if (IN_SET(r, -EPERM, -EACCES))
f2341e0a 2952 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
12145637 2953 else if (r < 0) {
ff0af2a1 2954 *exit_status = EXIT_OOM_ADJUST;
12145637 2955 return log_unit_error_errno(unit, r, "Failed to adjust OOM setting: %m");
613b411c 2956 }
d35fbf6b
DM		 2957 }
2958
2959 if (context->nice_set)
2960 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
ff0af2a1 2961 *exit_status = EXIT_NICE;
12145637 2962 return log_unit_error_errno(unit, errno, "Failed to set up process scheduling priority (nice level): %m");
613b411c
LP		 2963 }
2964
d35fbf6b
DM		 2965 if (context->cpu_sched_set) {
2966 struct sched_param param = {
2967 .sched_priority = context->cpu_sched_priority,
2968 };
2969
ff0af2a1
LP		 2970 r = sched_setscheduler(0,
2971 context->cpu_sched_policy |
2972 (context->cpu_sched_reset_on_fork ?
2973 SCHED_RESET_ON_FORK : 0),
2974 &param);
2975 if (r < 0) {
2976 *exit_status = EXIT_SETSCHEDULER;
12145637 2977 return log_unit_error_errno(unit, errno, "Failed to set up CPU scheduling: %m");
fc9b2a84 2978 }
d35fbf6b 2979 }
fc9b2a84 2980
d35fbf6b
DM		 2981 if (context->cpuset)
2982 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
ff0af2a1 2983 *exit_status = EXIT_CPUAFFINITY;
12145637 2984 return log_unit_error_errno(unit, errno, "Failed to set up CPU affinity: %m");
034c6ed7
LP		 2985 }
2986
d35fbf6b
DM		 2987 if (context->ioprio_set)
2988 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
ff0af2a1 2989 *exit_status = EXIT_IOPRIO;
12145637 2990 return log_unit_error_errno(unit, errno, "Failed to set up IO scheduling priority: %m");
d35fbf6b 2991 }
da726a4d 2992
d35fbf6b
DM		 2993 if (context->timer_slack_nsec != NSEC_INFINITY)
2994 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
ff0af2a1 2995 *exit_status = EXIT_TIMERSLACK;
12145637 2996 return log_unit_error_errno(unit, errno, "Failed to set up timer slack: %m");
4c2630eb 2997 }
9eba9da4 2998
21022b9d
LP		 2999 if (context->personality != PERSONALITY_INVALID) {
3000 r = safe_personality(context->personality);
3001 if (r < 0) {
ff0af2a1 3002 *exit_status = EXIT_PERSONALITY;
12145637 3003 return log_unit_error_errno(unit, r, "Failed to set up execution domain (personality): %m");
4c2630eb 3004 }
21022b9d 3005 }
94f04347 3006
d35fbf6b 3007 if (context->utmp_id)
df0ff127 3008 utmp_put_init_process(context->utmp_id, getpid_cached(), getsid(0),
6a93917d 3009 context->tty_path,
023a4f67
LP		 3010 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
3011 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
3012 USER_PROCESS,
6a93917d 3013 username);
d35fbf6b 3014
e0d2adfd 3015 if (context->user) {
ff0af2a1
LP		 3016 r = chown_terminal(STDIN_FILENO, uid);
3017 if (r < 0) {
3018 *exit_status = EXIT_STDIN;
12145637 3019 return log_unit_error_errno(unit, r, "Failed to change ownership of terminal: %m");
071830ff 3020 }
d35fbf6b 3021 }
8e274523 3022
62b9bb26
LP		 3023 /* If delegation is enabled we'll pass ownership of the cgroup to the user of the new process. On cgroupsv1
3024 * this is only about systemd's own hierarchy, i.e. not the controller hierarchies, simply because that's not
3025 * safe. On cgroupsv2 there's only one hierarchy anyway, and delegation is safe there, hence in that case only
3026 * touch a single hierarchy too. */
584b8688 3027 if (params->cgroup_path && context->user && (params->flags & EXEC_CGROUP_DELEGATE)) {
62b9bb26 3028 r = cg_set_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, uid, gid);
ff0af2a1
LP		 3029 if (r < 0) {
3030 *exit_status = EXIT_CGROUP;
12145637 3031 return log_unit_error_errno(unit, r, "Failed to adjust control group access: %m");
034c6ed7 3032 }
d35fbf6b 3033 }
034c6ed7 3034
72fd1768 3035 for (dt = 0; dt < _EXEC_DIRECTORY_TYPE_MAX; dt++) {
8679efde 3036 r = setup_exec_directory(context, params, uid, gid, dt, exit_status);
12145637
LP		 3037 if (r < 0)
3038 return log_unit_error_errno(unit, r, "Failed to set up special execution directory in %s: %m", params->prefix[dt]);
d35fbf6b 3039 }
94f04347 3040
7bce046b 3041 r = build_environment(
fd63e712 3042 unit,
7bce046b
LP		 3043 context,
3044 params,
3045 n_fds,
3046 home,
3047 username,
3048 shell,
3049 journal_stream_dev,
3050 journal_stream_ino,
3051 &our_env);
2065ca69
JW		 3052 if (r < 0) {
3053 *exit_status = EXIT_MEMORY;
12145637 3054 return log_oom();
2065ca69
JW		 3055 }
3056
3057 r = build_pass_environment(context, &pass_env);
3058 if (r < 0) {
3059 *exit_status = EXIT_MEMORY;
12145637 3060 return log_oom();
2065ca69
JW		 3061 }
3062
3063 accum_env = strv_env_merge(5,
3064 params->environment,
3065 our_env,
3066 pass_env,
3067 context->environment,
3068 files_env,
3069 NULL);
3070 if (!accum_env) {
3071 *exit_status = EXIT_MEMORY;
12145637 3072 return log_oom();
2065ca69 3073 }
1280503b 3074 accum_env = strv_env_clean(accum_env);
2065ca69 3075
096424d1 3076 (void) umask(context->umask);
b213e1c1 3077
b1edf445 3078 r = setup_keyring(unit, context, params, uid, gid);
74dd6b51
LP		 3079 if (r < 0) {
3080 *exit_status = EXIT_KEYRING;
12145637 3081 return log_unit_error_errno(unit, r, "Failed to set up kernel keyring: %m");
74dd6b51
LP		 3082 }
3083
165a31c0 3084 /* We need sandboxing if the caller asked us to apply it and the command isn't explicitly excepted from it */
1703fa41 3085 needs_sandboxing = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & EXEC_COMMAND_FULLY_PRIVILEGED);
7f18ef0a 3086
165a31c0
LP		 3087 /* We need the ambient capability hack, if the caller asked us to apply it and the command is marked for it, and the kernel doesn't actually support ambient caps */
3088 needs_ambient_hack = (params->flags & EXEC_APPLY_SANDBOXING) && (command->flags & EXEC_COMMAND_AMBIENT_MAGIC) && !ambient_capabilities_supported();
7f18ef0a 3089
165a31c0
LP		 3090 /* We need setresuid() if the caller asked us to apply sandboxing and the command isn't explicitly excepted from either whole sandboxing or just setresuid() itself, and the ambient hack is not desired */
3091 if (needs_ambient_hack)
3092 needs_setuid = false;
3093 else
3094 needs_setuid = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & (EXEC_COMMAND_FULLY_PRIVILEGED|EXEC_COMMAND_NO_SETUID));
3095
3096 if (needs_sandboxing) {
7f18ef0a
FK		 3097 /* MAC enablement checks need to be done before a new mount ns is created, as they rely on /sys being
3098 * present. The actual MAC context application will happen later, as late as possible, to avoid
3099 * impacting our own code paths. */
3100
349cc4a5 3101#if HAVE_SELINUX
43b1f709 3102 use_selinux = mac_selinux_use();
7f18ef0a 3103#endif
f9fa32f0 3104#if ENABLE_SMACK
43b1f709 3105 use_smack = mac_smack_use();
7f18ef0a 3106#endif
349cc4a5 3107#if HAVE_APPARMOR
43b1f709 3108 use_apparmor = mac_apparmor_use();
7f18ef0a 3109#endif
165a31c0 3110 }
7f18ef0a 3111
165a31c0
LP		 3112 if (needs_setuid) {
3113 if (context->pam_name && username) {
3114 r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds);
3115 if (r < 0) {
3116 *exit_status = EXIT_PAM;
12145637 3117 return log_unit_error_errno(unit, r, "Failed to set up PAM session: %m");
165a31c0
LP		 3118 }
3119 }
b213e1c1 3120 }
ac45f971 3121
d35fbf6b 3122 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
6e2d7c4f
MS		 3123 if (ns_type_supported(NAMESPACE_NET)) {
3124 r = setup_netns(runtime->netns_storage_socket);
3125 if (r < 0) {
3126 *exit_status = EXIT_NETWORK;
3127 return log_unit_error_errno(unit, r, "Failed to set up network namespacing: %m");
3128 }
3129 } else
3130 log_unit_warning(unit, "PrivateNetwork=yes is configured, but the kernel does not support network namespaces, ignoring.");
d35fbf6b 3131 }
169c1bda 3132
ee818b89 3133 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
ee818b89 3134 if (needs_mount_namespace) {
6818c54c 3135 r = apply_mount_namespace(unit, command, context, params, runtime);
3fbe8dbe
LP		 3136 if (r < 0) {
3137 *exit_status = EXIT_NAMESPACE;
12145637 3138 return log_unit_error_errno(unit, r, "Failed to set up mount namespacing: %m");
3fbe8dbe 3139 }
d35fbf6b 3140 }
81a2b7ce 3141
50b3dfb9 3142 /* Apply just after mount namespace setup */
376fecf6 3143 r = apply_working_directory(context, params, home, needs_mount_namespace, exit_status);
12145637
LP		 3144 if (r < 0)
3145 return log_unit_error_errno(unit, r, "Changing to the requested working directory failed: %m");
50b3dfb9 3146
bbeea271 3147 /* Drop groups as early as possbile */
165a31c0 3148 if (needs_setuid) {
709dbeac 3149 r = enforce_groups(gid, supplementary_gids, ngids);
096424d1
LP		 3150 if (r < 0) {
3151 *exit_status = EXIT_GROUP;
12145637 3152 return log_unit_error_errno(unit, r, "Changing group credentials failed: %m");
096424d1 3153 }
165a31c0 3154 }
096424d1 3155
165a31c0 3156 if (needs_sandboxing) {
349cc4a5 3157#if HAVE_SELINUX
43b1f709 3158 if (use_selinux && params->selinux_context_net && socket_fd >= 0) {
937ccce9
LP		 3159 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
3160 if (r < 0) {
3161 *exit_status = EXIT_SELINUX_CONTEXT;
12145637 3162 return log_unit_error_errno(unit, r, "Failed to determine SELinux context: %m");
937ccce9 3163 }
9008e1ac 3164 }
9008e1ac
MS		 3165#endif
3166
937ccce9
LP		 3167 if (context->private_users) {
3168 r = setup_private_users(uid, gid);
3169 if (r < 0) {
3170 *exit_status = EXIT_USER;
12145637 3171 return log_unit_error_errno(unit, r, "Failed to set up user namespacing: %m");
937ccce9 3172 }
d251207d
LP		 3173 }
3174 }
3175
165a31c0
LP		 3176 /* We repeat the fd closing here, to make sure that nothing is leaked from the PAM modules. Note that we are
3177 * more aggressive this time since socket_fd and the netns fds we don't need anymore. The custom endpoint fd
3178 * was needed to upload the policy and can now be closed as well. */
ff0af2a1
LP		 3179 r = close_all_fds(fds, n_fds);
3180 if (r >= 0)
3181 r = shift_fds(fds, n_fds);
3182 if (r >= 0)
4c47affc 3183 r = flags_fds(fds, n_storage_fds, n_socket_fds, context->non_blocking);
ff0af2a1
LP		 3184 if (r < 0) {
3185 *exit_status = EXIT_FDS;
12145637 3186 return log_unit_error_errno(unit, r, "Failed to adjust passed file descriptors: %m");
d35fbf6b 3187 }
e66cf1a3 3188
165a31c0 3189 secure_bits = context->secure_bits;
e66cf1a3 3190
165a31c0
LP		 3191 if (needs_sandboxing) {
3192 uint64_t bset;
755d4b67 3193
d35fbf6b 3194 for (i = 0; i < _RLIMIT_MAX; i++) {
03857c43 3195
d35fbf6b
DM		 3196 if (!context->rlimit[i])
3197 continue;
3198
03857c43
LP		 3199 r = setrlimit_closest(i, context->rlimit[i]);
3200 if (r < 0) {
ff0af2a1 3201 *exit_status = EXIT_LIMITS;
12145637 3202 return log_unit_error_errno(unit, r, "Failed to adjust resource limit %s: %m", rlimit_to_string(i));
e66cf1a3
LP		 3203 }
3204 }
3205
f4170c67
LP		 3206 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */
3207 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
3208 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
3209 *exit_status = EXIT_LIMITS;
12145637 3210 return log_unit_error_errno(unit, errno, "Failed to adjust RLIMIT_RTPRIO resource limit: %m");
f4170c67
LP		 3211 }
3212 }
3213
37ac2744
JB		 3214#if ENABLE_SMACK
3215 /* LSM Smack needs the capability CAP_MAC_ADMIN to change the current execution security context of the
3216 * process. This is the latest place before dropping capabilities. Other MAC context are set later. */
3217 if (use_smack) {
3218 r = setup_smack(context, command);
3219 if (r < 0) {
3220 *exit_status = EXIT_SMACK_PROCESS_LABEL;
3221 return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");
3222 }
3223 }
3224#endif
3225
165a31c0
LP		 3226 bset = context->capability_bounding_set;
3227 /* If the ambient caps hack is enabled (which means the kernel can't do them, and the user asked for
3228 * our magic fallback), then let's add some extra caps, so that the service can drop privs of its own,
3229 * instead of us doing that */
3230 if (needs_ambient_hack)
3231 bset |= (UINT64_C(1) << CAP_SETPCAP) |
3232 (UINT64_C(1) << CAP_SETUID) |
3233 (UINT64_C(1) << CAP_SETGID);
3234
3235 if (!cap_test_all(bset)) {
3236 r = capability_bounding_set_drop(bset, false);
ff0af2a1
LP		 3237 if (r < 0) {
3238 *exit_status = EXIT_CAPABILITIES;
12145637 3239 return log_unit_error_errno(unit, r, "Failed to drop capabilities: %m");
3b8bddde 3240 }
4c2630eb 3241 }
3b8bddde 3242
755d4b67
IP		 3243 /* This is done before enforce_user, but ambient set
3244 * does not survive over setresuid() if keep_caps is not set. */
165a31c0
LP		 3245 if (!needs_ambient_hack &&
3246 context->capability_ambient_set != 0) {
755d4b67
IP		 3247 r = capability_ambient_set_apply(context->capability_ambient_set, true);
3248 if (r < 0) {
3249 *exit_status = EXIT_CAPABILITIES;
12145637 3250 return log_unit_error_errno(unit, r, "Failed to apply ambient capabilities (before UID change): %m");
755d4b67 3251 }
755d4b67 3252 }
165a31c0 3253 }
755d4b67 3254
165a31c0 3255 if (needs_setuid) {
d35fbf6b 3256 if (context->user) {
ff0af2a1
LP		 3257 r = enforce_user(context, uid);
3258 if (r < 0) {
3259 *exit_status = EXIT_USER;
12145637 3260 return log_unit_error_errno(unit, r, "Failed to change UID to " UID_FMT ": %m", uid);
5b6319dc 3261 }
165a31c0
LP		 3262
3263 if (!needs_ambient_hack &&
3264 context->capability_ambient_set != 0) {
755d4b67
IP		 3265
3266 /* Fix the ambient capabilities after user change. */
3267 r = capability_ambient_set_apply(context->capability_ambient_set, false);
3268 if (r < 0) {
3269 *exit_status = EXIT_CAPABILITIES;
12145637 3270 return log_unit_error_errno(unit, r, "Failed to apply ambient capabilities (after UID change): %m");
755d4b67
IP		 3271 }
3272
3273 /* If we were asked to change user and ambient capabilities
3274 * were requested, we had to add keep-caps to the securebits
3275 * so that we would maintain the inherited capability set
3276 * through the setresuid(). Make sure that the bit is added
3277 * also to the context secure_bits so that we don't try to
3278 * drop the bit away next. */
3279
7f508f2c 3280 secure_bits |= 1<<SECURE_KEEP_CAPS;
755d4b67 3281 }
5b6319dc 3282 }
165a31c0 3283 }
d35fbf6b 3284
165a31c0 3285 if (needs_sandboxing) {
37ac2744 3286 /* Apply other MAC contexts late, but before seccomp syscall filtering, as those should really be last to
5cd9cd35
LP		 3287 * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
3288 * syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
3289 * are restricted. */
3290
349cc4a5 3291#if HAVE_SELINUX
43b1f709 3292 if (use_selinux) {
5cd9cd35
LP		 3293 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
3294
3295 if (exec_context) {
3296 r = setexeccon(exec_context);
3297 if (r < 0) {
3298 *exit_status = EXIT_SELINUX_CONTEXT;
12145637 3299 return log_unit_error_errno(unit, r, "Failed to change SELinux context to %s: %m", exec_context);
5cd9cd35
LP		 3300 }
3301 }
3302 }
3303#endif
3304
349cc4a5 3305#if HAVE_APPARMOR
43b1f709 3306 if (use_apparmor && context->apparmor_profile) {
5cd9cd35
LP		 3307 r = aa_change_onexec(context->apparmor_profile);
3308 if (r < 0 && !context->apparmor_profile_ignore) {
3309 *exit_status = EXIT_APPARMOR_PROFILE;
12145637 3310 return log_unit_error_errno(unit, errno, "Failed to prepare AppArmor profile change to %s: %m", context->apparmor_profile);
5cd9cd35
LP		 3311 }
3312 }
3313#endif
3314
165a31c0
LP		 3315 /* PR_GET_SECUREBITS is not privileged, while PR_SET_SECUREBITS is. So to suppress potential EPERMs
3316 * we'll try not to call PR_SET_SECUREBITS unless necessary. */
755d4b67
IP		 3317 if (prctl(PR_GET_SECUREBITS) != secure_bits)
3318 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
ff0af2a1 3319 *exit_status = EXIT_SECUREBITS;
12145637 3320 return log_unit_error_errno(unit, errno, "Failed to set process secure bits: %m");
ff01d048 3321 }
5b6319dc 3322
59eeb84b 3323 if (context_has_no_new_privileges(context))
d35fbf6b 3324 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
ff0af2a1 3325 *exit_status = EXIT_NO_NEW_PRIVILEGES;
12145637 3326 return log_unit_error_errno(unit, errno, "Failed to disable new privileges: %m");
d35fbf6b
DM		 3327 }
3328
349cc4a5 3329#if HAVE_SECCOMP
469830d1
LP		 3330 r = apply_address_families(unit, context);
3331 if (r < 0) {
3332 *exit_status = EXIT_ADDRESS_FAMILIES;
12145637 3333 return log_unit_error_errno(unit, r, "Failed to restrict address families: %m");
4c2630eb 3334 }
04aa0cb9 3335
469830d1
LP		 3336 r = apply_memory_deny_write_execute(unit, context);
3337 if (r < 0) {
3338 *exit_status = EXIT_SECCOMP;
12145637 3339 return log_unit_error_errno(unit, r, "Failed to disable writing to executable memory: %m");
f3e43635 3340 }
f4170c67 3341
469830d1
LP		 3342 r = apply_restrict_realtime(unit, context);
3343 if (r < 0) {
3344 *exit_status = EXIT_SECCOMP;
12145637 3345 return log_unit_error_errno(unit, r, "Failed to apply realtime restrictions: %m");
f4170c67
LP		 3346 }
3347
add00535
LP		 3348 r = apply_restrict_namespaces(unit, context);
3349 if (r < 0) {
3350 *exit_status = EXIT_SECCOMP;
12145637 3351 return log_unit_error_errno(unit, r, "Failed to apply namespace restrictions: %m");
add00535
LP		 3352 }
3353
469830d1
LP		 3354 r = apply_protect_sysctl(unit, context);
3355 if (r < 0) {
3356 *exit_status = EXIT_SECCOMP;
12145637 3357 return log_unit_error_errno(unit, r, "Failed to apply sysctl restrictions: %m");
502d704e
DH		 3358 }
3359
469830d1
LP		 3360 r = apply_protect_kernel_modules(unit, context);
3361 if (r < 0) {
3362 *exit_status = EXIT_SECCOMP;
12145637 3363 return log_unit_error_errno(unit, r, "Failed to apply module loading restrictions: %m");
59eeb84b
LP		 3364 }
3365
469830d1
LP		 3366 r = apply_private_devices(unit, context);
3367 if (r < 0) {
3368 *exit_status = EXIT_SECCOMP;
12145637 3369 return log_unit_error_errno(unit, r, "Failed to set up private devices: %m");
469830d1
LP		 3370 }
3371
3372 r = apply_syscall_archs(unit, context);
3373 if (r < 0) {
3374 *exit_status = EXIT_SECCOMP;
12145637 3375 return log_unit_error_errno(unit, r, "Failed to apply syscall architecture restrictions: %m");
ba128bb8
LP		 3376 }
3377
78e864e5
TM		 3378 r = apply_lock_personality(unit, context);
3379 if (r < 0) {
3380 *exit_status = EXIT_SECCOMP;
12145637 3381 return log_unit_error_errno(unit, r, "Failed to lock personalities: %m");
78e864e5
TM		 3382 }
3383
5cd9cd35
LP		 3384 /* This really should remain the last step before the execve(), to make sure our own code is unaffected
3385 * by the filter as little as possible. */
165a31c0 3386 r = apply_syscall_filter(unit, context, needs_ambient_hack);
469830d1
LP		 3387 if (r < 0) {
3388 *exit_status = EXIT_SECCOMP;
12145637 3389 return log_unit_error_errno(unit, r, "Failed to apply system call filters: %m");
d35fbf6b
DM		 3390 }
3391#endif
d35fbf6b 3392 }
034c6ed7 3393
00819cc1
LP		 3394 if (!strv_isempty(context->unset_environment)) {
3395 char **ee = NULL;
3396
3397 ee = strv_env_delete(accum_env, 1, context->unset_environment);
3398 if (!ee) {
3399 *exit_status = EXIT_MEMORY;
12145637 3400 return log_oom();
00819cc1
LP		 3401 }
3402
3403 strv_free(accum_env);
3404 accum_env = ee;
3405 }
3406
2065ca69 3407 final_argv = replace_env_argv(argv, accum_env);
d35fbf6b 3408 if (!final_argv) {
ff0af2a1 3409 *exit_status = EXIT_MEMORY;
12145637 3410 return log_oom();
d35fbf6b 3411 }
034c6ed7 3412
f1d34068 3413 if (DEBUG_LOGGING) {
d35fbf6b 3414 _cleanup_free_ char *line;
81a2b7ce 3415
d35fbf6b
DM		 3416 line = exec_command_line(final_argv);
3417 if (line) {
f2341e0a 3418 log_struct(LOG_DEBUG,
f2341e0a
LP		 3419 "EXECUTABLE=%s", command->path,
3420 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
ba360bb0 3421 LOG_UNIT_ID(unit),
f1c50bec 3422 LOG_UNIT_INVOCATION_ID(unit),
f2341e0a 3423 NULL);
d35fbf6b
DM		 3424 }
3425 }
dd305ec9 3426
2065ca69 3427 execve(command->path, final_argv, accum_env);
12145637
LP		 3428
3429 if (errno == ENOENT && (command->flags & EXEC_COMMAND_IGNORE_FAILURE)) {
3430
3431 log_struct_errno(LOG_INFO, errno,
3432 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
3433 LOG_UNIT_ID(unit),
3434 LOG_UNIT_INVOCATION_ID(unit),
3435 LOG_UNIT_MESSAGE(unit, "Executable %s missing, skipping: %m",
3436 command->path),
3437 "EXECUTABLE=%s", command->path,
3438 NULL);
3439
3440 return 0;
3441 }
3442
ff0af2a1 3443 *exit_status = EXIT_EXEC;
12145637 3444 return log_unit_error_errno(unit, errno, "Failed to execute command: %m");
d35fbf6b 3445}
81a2b7ce 3446
34cf6c43
YW		 3447static int exec_context_load_environment(const Unit *unit, const ExecContext *c, char ***l);
3448static int exec_context_named_iofds(const ExecContext *c, const ExecParameters *p, int named_iofds[3]);
3449
f2341e0a
LP		 3450int exec_spawn(Unit *unit,
3451 ExecCommand *command,
d35fbf6b
DM		 3452 const ExecContext *context,
3453 const ExecParameters *params,
3454 ExecRuntime *runtime,
29206d46 3455 DynamicCreds *dcreds,
d35fbf6b 3456 pid_t *ret) {
8351ceae 3457
d35fbf6b 3458 _cleanup_strv_free_ char **files_env = NULL;
9b141911 3459 int *fds = NULL;
4c47affc 3460 unsigned n_storage_fds = 0, n_socket_fds = 0;
ff0af2a1
LP		 3461 _cleanup_free_ char *line = NULL;
3462 int socket_fd, r;
52c239d7 3463 int named_iofds[3] = { -1, -1, -1 };
ff0af2a1 3464 char **argv;
d35fbf6b 3465 pid_t pid;
8351ceae 3466
f2341e0a 3467 assert(unit);
d35fbf6b
DM		 3468 assert(command);
3469 assert(context);
3470 assert(ret);
3471 assert(params);
4c47affc 3472 assert(params->fds || (params->n_storage_fds + params->n_socket_fds <= 0));
4298d0b5 3473
d35fbf6b
DM		 3474 if (context->std_input == EXEC_INPUT_SOCKET ||
3475 context->std_output == EXEC_OUTPUT_SOCKET ||
3476 context->std_error == EXEC_OUTPUT_SOCKET) {
17df7223 3477
4c47affc 3478 if (params->n_socket_fds > 1) {
f2341e0a 3479 log_unit_error(unit, "Got more than one socket.");
d35fbf6b 3480 return -EINVAL;
ff0af2a1 3481 }
eef65bf3 3482
4c47affc 3483 if (params->n_socket_fds == 0) {
488ab41c
AA		 3484 log_unit_error(unit, "Got no socket.");
3485 return -EINVAL;
3486 }
3487
d35fbf6b
DM		 3488 socket_fd = params->fds[0];
3489 } else {
3490 socket_fd = -1;
3491 fds = params->fds;
4c47affc 3492 n_storage_fds = params->n_storage_fds;
9b141911 3493 n_socket_fds = params->n_socket_fds;
d35fbf6b 3494 }
94f04347 3495
34cf6c43 3496 r = exec_context_named_iofds(context, params, named_iofds);
52c239d7
LB		 3497 if (r < 0)
3498 return log_unit_error_errno(unit, r, "Failed to load a named file descriptor: %m");
3499
f2341e0a 3500 r = exec_context_load_environment(unit, context, &files_env);
ff0af2a1 3501 if (r < 0)
f2341e0a 3502 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
034c6ed7 3503
d35fbf6b 3504 argv = params->argv ?: command->argv;
d35fbf6b
DM		 3505 line = exec_command_line(argv);
3506 if (!line)
3507 return log_oom();
fab56fc5 3508
f2341e0a 3509 log_struct(LOG_DEBUG,
f2341e0a
LP		 3510 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
3511 "EXECUTABLE=%s", command->path,
ba360bb0 3512 LOG_UNIT_ID(unit),
f1c50bec 3513 LOG_UNIT_INVOCATION_ID(unit),
f2341e0a 3514 NULL);
12145637 3515
d35fbf6b
DM		 3516 pid = fork();
3517 if (pid < 0)
74129a12 3518 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
d35fbf6b
DM		 3519
3520 if (pid == 0) {
12145637 3521 int exit_status = EXIT_SUCCESS;
ff0af2a1 3522
f2341e0a
LP		 3523 r = exec_child(unit,
3524 command,
ff0af2a1
LP		 3525 context,
3526 params,
3527 runtime,
29206d46 3528 dcreds,
ff0af2a1
LP		 3529 argv,
3530 socket_fd,
52c239d7 3531 named_iofds,
4c47affc
FB		 3532 fds,
3533 n_storage_fds,
9b141911 3534 n_socket_fds,
ff0af2a1 3535 files_env,
00d9ef85 3536 unit->manager->user_lookup_fds[1],
12145637
LP		 3537 &exit_status);
3538
ff0af2a1 3539 if (r < 0) {
12145637
LP		 3540 log_struct_errno(LOG_ERR, r,
3541 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
3542 LOG_UNIT_ID(unit),
3543 LOG_UNIT_INVOCATION_ID(unit),
3544 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
3545 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
3546 command->path),
3547 "EXECUTABLE=%s", command->path,
3548 NULL);
4c2630eb
MS		 3549 }
3550
ff0af2a1 3551 _exit(exit_status);
034c6ed7
LP		 3552 }
3553
f2341e0a 3554 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
23635a85 3555
80876c20
LP		 3556 /* We add the new process to the cgroup both in the child (so
3557 * that we can be sure that no user code is ever executed
3558 * outside of the cgroup) and in the parent (so that we can be
3559 * sure that when we kill the cgroup the process will be
3560 * killed too). */
d35fbf6b 3561 if (params->cgroup_path)
dd305ec9 3562 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
2da3263a 3563
b58b4116 3564 exec_status_start(&command->exec_status, pid);
9fb86720 3565
034c6ed7 3566 *ret = pid;
5cb5a6ff
LP		 3567 return 0;
3568}
3569
034c6ed7 3570void exec_context_init(ExecContext *c) {
3536f49e
YW		 3571 ExecDirectoryType i;
3572
034c6ed7
LP		 3573 assert(c);
3574
4c12626c 3575 c->umask = 0022;
9eba9da4 3576 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
94f04347 3577 c->cpu_sched_policy = SCHED_OTHER;
071830ff 3578 c->syslog_priority = LOG_DAEMON|LOG_INFO;
74922904 3579 c->syslog_level_prefix = true;
353e12c2 3580 c->ignore_sigpipe = true;
3a43da28 3581 c->timer_slack_nsec = NSEC_INFINITY;
050f7277 3582 c->personality = PERSONALITY_INVALID;
72fd1768 3583 for (i = 0; i < _EXEC_DIRECTORY_TYPE_MAX; i++)
3536f49e 3584 c->directories[i].mode = 0755;
a103496c 3585 c->capability_bounding_set = CAP_ALL;
add00535 3586 c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
d3070fbd 3587 c->log_level_max = -1;
034c6ed7
LP		 3588}
3589
613b411c 3590void exec_context_done(ExecContext *c) {
3536f49e 3591 ExecDirectoryType i;
d3070fbd 3592 size_t l;
5cb5a6ff
LP		 3593
3594 assert(c);
3595
6796073e
LP		 3596 c->environment = strv_free(c->environment);
3597 c->environment_files = strv_free(c->environment_files);
b4c14404 3598 c->pass_environment = strv_free(c->pass_environment);
00819cc1 3599 c->unset_environment = strv_free(c->unset_environment);
8c7be95e 3600
1f6b4113 3601 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
a1e58e8e 3602 c->rlimit[l] = mfree(c->rlimit[l]);
034c6ed7 3603
2038c3f5 3604 for (l = 0; l < 3; l++) {
52c239d7 3605 c->stdio_fdname[l] = mfree(c->stdio_fdname[l]);
2038c3f5
LP		 3606 c->stdio_file[l] = mfree(c->stdio_file[l]);
3607 }
52c239d7 3608
a1e58e8e
LP		 3609 c->working_directory = mfree(c->working_directory);
3610 c->root_directory = mfree(c->root_directory);
915e6d16 3611 c->root_image = mfree(c->root_image);
a1e58e8e
LP		 3612 c->tty_path = mfree(c->tty_path);
3613 c->syslog_identifier = mfree(c->syslog_identifier);
3614 c->user = mfree(c->user);
3615 c->group = mfree(c->group);
034c6ed7 3616
6796073e 3617 c->supplementary_groups = strv_free(c->supplementary_groups);
94f04347 3618
a1e58e8e 3619 c->pam_name = mfree(c->pam_name);
5b6319dc 3620
2a624c36
AP		 3621 c->read_only_paths = strv_free(c->read_only_paths);
3622 c->read_write_paths = strv_free(c->read_write_paths);
3623 c->inaccessible_paths = strv_free(c->inaccessible_paths);
82c121a4 3624
d2d6c096
LP		 3625 bind_mount_free_many(c->bind_mounts, c->n_bind_mounts);
3626
da681e1b 3627 c->cpuset = cpu_set_mfree(c->cpuset);
86a3475b 3628
a1e58e8e
LP		 3629 c->utmp_id = mfree(c->utmp_id);
3630 c->selinux_context = mfree(c->selinux_context);
3631 c->apparmor_profile = mfree(c->apparmor_profile);
5b8e1b77 3632 c->smack_process_label = mfree(c->smack_process_label);
eef65bf3 3633
8cfa775f 3634 c->syscall_filter = hashmap_free(c->syscall_filter);
525d3cc7
LP		 3635 c->syscall_archs = set_free(c->syscall_archs);
3636 c->address_families = set_free(c->address_families);
e66cf1a3 3637
72fd1768 3638 for (i = 0; i < _EXEC_DIRECTORY_TYPE_MAX; i++)
3536f49e 3639 c->directories[i].paths = strv_free(c->directories[i].paths);
d3070fbd
LP		 3640
3641 c->log_level_max = -1;
3642
3643 exec_context_free_log_extra_fields(c);
08f3be7a
LP		 3644
3645 c->stdin_data = mfree(c->stdin_data);
3646 c->stdin_data_size = 0;
e66cf1a3
LP		 3647}
3648
34cf6c43 3649int exec_context_destroy_runtime_directory(const ExecContext *c, const char *runtime_prefix) {
e66cf1a3
LP		 3650 char **i;
3651
3652 assert(c);
3653
3654 if (!runtime_prefix)
3655 return 0;
3656
3536f49e 3657 STRV_FOREACH(i, c->directories[EXEC_DIRECTORY_RUNTIME].paths) {
e66cf1a3
LP		 3658 _cleanup_free_ char *p;
3659
605405c6 3660 p = strjoin(runtime_prefix, "/", *i);
e66cf1a3
LP		 3661 if (!p)
3662 return -ENOMEM;
3663
6c47cd7d 3664 /* We execute this synchronously, since we need to be sure this is gone when we start the service
e66cf1a3 3665 * next. */
c6878637 3666 (void) rm_rf(p, REMOVE_ROOT);
e66cf1a3
LP		 3667 }
3668
3669 return 0;
5cb5a6ff
LP		 3670}
3671
34cf6c43 3672static void exec_command_done(ExecCommand *c) {
43d0fcbd
LP		 3673 assert(c);
3674
a1e58e8e 3675 c->path = mfree(c->path);
43d0fcbd 3676
6796073e 3677 c->argv = strv_free(c->argv);
43d0fcbd
LP		 3678}
3679
3680void exec_command_done_array(ExecCommand *c, unsigned n) {
3681 unsigned i;
3682
3683 for (i = 0; i < n; i++)
3684 exec_command_done(c+i);
3685}
3686
f1acf85a 3687ExecCommand* exec_command_free_list(ExecCommand *c) {
5cb5a6ff
LP		 3688 ExecCommand *i;
3689
3690 while ((i = c)) {
71fda00f 3691 LIST_REMOVE(command, c, i);
43d0fcbd 3692 exec_command_done(i);
5cb5a6ff
LP		 3693 free(i);
3694 }
f1acf85a
ZJS		 3695
3696 return NULL;
5cb5a6ff
LP		 3697}
3698
034c6ed7
LP		 3699void exec_command_free_array(ExecCommand **c, unsigned n) {
3700 unsigned i;
3701
f1acf85a
ZJS		 3702 for (i = 0; i < n; i++)
3703 c[i] = exec_command_free_list(c[i]);
034c6ed7
LP		 3704}
3705
039f0e70 3706typedef struct InvalidEnvInfo {
34cf6c43 3707 const Unit *unit;
039f0e70
LP		 3708 const char *path;
3709} InvalidEnvInfo;
3710
3711static void invalid_env(const char *p, void *userdata) {
3712 InvalidEnvInfo *info = userdata;
3713
f2341e0a 3714 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
039f0e70
LP		 3715}
3716
52c239d7
LB		 3717const char* exec_context_fdname(const ExecContext *c, int fd_index) {
3718 assert(c);
3719
3720 switch (fd_index) {
5073ff6b 3721
52c239d7
LB		 3722 case STDIN_FILENO:
3723 if (c->std_input != EXEC_INPUT_NAMED_FD)
3724 return NULL;
5073ff6b 3725
52c239d7 3726 return c->stdio_fdname[STDIN_FILENO] ?: "stdin";
5073ff6b 3727
52c239d7
LB		 3728 case STDOUT_FILENO:
3729 if (c->std_output != EXEC_OUTPUT_NAMED_FD)
3730 return NULL;
5073ff6b 3731
52c239d7 3732 return c->stdio_fdname[STDOUT_FILENO] ?: "stdout";
5073ff6b 3733
52c239d7
LB		 3734 case STDERR_FILENO:
3735 if (c->std_error != EXEC_OUTPUT_NAMED_FD)
3736 return NULL;
5073ff6b 3737
52c239d7 3738 return c->stdio_fdname[STDERR_FILENO] ?: "stderr";
5073ff6b 3739
52c239d7
LB		 3740 default:
3741 return NULL;
3742 }
3743}
3744
34cf6c43 3745static int exec_context_named_iofds(const ExecContext *c, const ExecParameters *p, int named_iofds[3]) {
52c239d7 3746 unsigned i, targets;
56fbd561 3747 const char* stdio_fdname[3];
4c47affc 3748 unsigned n_fds;
52c239d7
LB		 3749
3750 assert(c);
3751 assert(p);
3752
3753 targets = (c->std_input == EXEC_INPUT_NAMED_FD) +
3754 (c->std_output == EXEC_OUTPUT_NAMED_FD) +
3755 (c->std_error == EXEC_OUTPUT_NAMED_FD);
3756
3757 for (i = 0; i < 3; i++)
3758 stdio_fdname[i] = exec_context_fdname(c, i);
3759
4c47affc
FB		 3760 n_fds = p->n_storage_fds + p->n_socket_fds;
3761
3762 for (i = 0; i < n_fds && targets > 0; i++)
56fbd561
ZJS		 3763 if (named_iofds[STDIN_FILENO] < 0 &&
3764 c->std_input == EXEC_INPUT_NAMED_FD &&
3765 stdio_fdname[STDIN_FILENO] &&
3766 streq(p->fd_names[i], stdio_fdname[STDIN_FILENO])) {
3767
52c239d7
LB		 3768 named_iofds[STDIN_FILENO] = p->fds[i];
3769 targets--;
56fbd561
ZJS		 3770
3771 } else if (named_iofds[STDOUT_FILENO] < 0 &&
3772 c->std_output == EXEC_OUTPUT_NAMED_FD &&
3773 stdio_fdname[STDOUT_FILENO] &&
3774 streq(p->fd_names[i], stdio_fdname[STDOUT_FILENO])) {
3775
52c239d7
LB		 3776 named_iofds[STDOUT_FILENO] = p->fds[i];
3777 targets--;
56fbd561
ZJS		 3778
3779 } else if (named_iofds[STDERR_FILENO] < 0 &&
3780 c->std_error == EXEC_OUTPUT_NAMED_FD &&
3781 stdio_fdname[STDERR_FILENO] &&
3782 streq(p->fd_names[i], stdio_fdname[STDERR_FILENO])) {
3783
52c239d7
LB		 3784 named_iofds[STDERR_FILENO] = p->fds[i];
3785 targets--;
3786 }
3787
56fbd561 3788 return targets == 0 ? 0 : -ENOENT;
52c239d7
LB		 3789}
3790
34cf6c43 3791static int exec_context_load_environment(const Unit *unit, const ExecContext *c, char ***l) {
8c7be95e
LP		 3792 char **i, **r = NULL;
3793
3794 assert(c);
3795 assert(l);
3796
3797 STRV_FOREACH(i, c->environment_files) {
3798 char *fn;
52511fae
ZJS		 3799 int k;
3800 unsigned n;
8c7be95e
LP		 3801 bool ignore = false;
3802 char **p;
7fd1b19b 3803 _cleanup_globfree_ glob_t pglob = {};
8c7be95e
LP		 3804
3805 fn = *i;
3806
3807 if (fn[0] == '-') {
3808 ignore = true;
313cefa1 3809 fn++;
8c7be95e
LP		 3810 }
3811
3812 if (!path_is_absolute(fn)) {
8c7be95e
LP		 3813 if (ignore)
3814 continue;
3815
3816 strv_free(r);
3817 return -EINVAL;
3818 }
3819
2bef10ab 3820 /* Filename supports globbing, take all matching files */
d8c92e8b
ZJS		 3821 k = safe_glob(fn, 0, &pglob);
3822 if (k < 0) {
2bef10ab
PL		 3823 if (ignore)
3824 continue;
8c7be95e 3825
2bef10ab 3826 strv_free(r);
d8c92e8b 3827 return k;
2bef10ab 3828 }
8c7be95e 3829
d8c92e8b
ZJS		 3830 /* When we don't match anything, -ENOENT should be returned */
3831 assert(pglob.gl_pathc > 0);
3832
3833 for (n = 0; n < pglob.gl_pathc; n++) {
717603e3 3834 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
2bef10ab
PL		 3835 if (k < 0) {
3836 if (ignore)
3837 continue;
8c7be95e 3838
2bef10ab 3839 strv_free(r);
2bef10ab 3840 return k;
e9c1ea9d 3841 }
ebc05a09 3842 /* Log invalid environment variables with filename */
039f0e70
LP		 3843 if (p) {
3844 InvalidEnvInfo info = {
f2341e0a 3845 .unit = unit,
039f0e70
LP		 3846 .path = pglob.gl_pathv[n]
3847 };
3848
3849 p = strv_env_clean_with_callback(p, invalid_env, &info);
3850 }
8c7be95e 3851
234519ae 3852 if (!r)
2bef10ab
PL		 3853 r = p;
3854 else {
3855 char **m;
8c7be95e 3856
2bef10ab
PL		 3857 m = strv_env_merge(2, r, p);
3858 strv_free(r);
3859 strv_free(p);
c84a9488 3860 if (!m)
2bef10ab 3861 return -ENOMEM;
2bef10ab
PL		 3862
3863 r = m;
3864 }
8c7be95e
LP		 3865 }
3866 }
3867
3868 *l = r;
3869
3870 return 0;
3871}
3872
6ac8fdc9 3873static bool tty_may_match_dev_console(const char *tty) {
7b912648 3874 _cleanup_free_ char *resolved = NULL;
6ac8fdc9 3875
1e22b5cd
LP		 3876 if (!tty)
3877 return true;
3878
a119ec7c 3879 tty = skip_dev_prefix(tty);
6ac8fdc9
MS		 3880
3881 /* trivial identity? */
3882 if (streq(tty, "console"))
3883 return true;
3884
7b912648
LP		 3885 if (resolve_dev_console(&resolved) < 0)
3886 return true; /* if we could not resolve, assume it may */
6ac8fdc9
MS		 3887
3888 /* "tty0" means the active VC, so it may be the same sometimes */
7b912648 3889 return streq(resolved, tty) || (streq(resolved, "tty0") && tty_is_vc(tty));
6ac8fdc9
MS		 3890}
3891
34cf6c43 3892bool exec_context_may_touch_console(const ExecContext *ec) {
1e22b5cd
LP		 3893
3894 return (ec->tty_reset ||
3895 ec->tty_vhangup ||
3896 ec->tty_vt_disallocate ||
6ac8fdc9
MS		 3897 is_terminal_input(ec->std_input) ||
3898 is_terminal_output(ec->std_output) ||
3899 is_terminal_output(ec->std_error)) &&
1e22b5cd 3900 tty_may_match_dev_console(exec_context_tty_path(ec));
6ac8fdc9
MS		 3901}
3902
15ae422b
LP		 3903static void strv_fprintf(FILE *f, char **l) {
3904 char **g;
3905
3906 assert(f);
3907
3908 STRV_FOREACH(g, l)
3909 fprintf(f, " %s", *g);
3910}
3911
34cf6c43 3912void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
d3070fbd 3913 ExecDirectoryType dt;
c2bbd90b 3914 char **e, **d;
94f04347 3915 unsigned i;
add00535 3916 int r;
9eba9da4 3917
5cb5a6ff
LP		 3918 assert(c);
3919 assert(f);
3920
4ad49000 3921 prefix = strempty(prefix);
5cb5a6ff
LP		 3922
3923 fprintf(f,
94f04347
LP		 3924 "%sUMask: %04o\n"
3925 "%sWorkingDirectory: %s\n"
451a074f 3926 "%sRootDirectory: %s\n"
15ae422b 3927 "%sNonBlocking: %s\n"
64747e2d 3928 "%sPrivateTmp: %s\n"
7f112f50 3929 "%sPrivateDevices: %s\n"
59eeb84b 3930 "%sProtectKernelTunables: %s\n"
e66a2f65 3931 "%sProtectKernelModules: %s\n"
59eeb84b 3932 "%sProtectControlGroups: %s\n"
d251207d
LP		 3933 "%sPrivateNetwork: %s\n"
3934 "%sPrivateUsers: %s\n"
1b8689f9
LP		 3935 "%sProtectHome: %s\n"
3936 "%sProtectSystem: %s\n"
5d997827 3937 "%sMountAPIVFS: %s\n"
f3e43635 3938 "%sIgnoreSIGPIPE: %s\n"
f4170c67 3939 "%sMemoryDenyWriteExecute: %s\n"
b1edf445
LP		 3940 "%sRestrictRealtime: %s\n"
3941 "%sKeyringMode: %s\n",
5cb5a6ff 3942 prefix, c->umask,
9eba9da4 3943 prefix, c->working_directory ? c->working_directory : "/",
451a074f 3944 prefix, c->root_directory ? c->root_directory : "/",
15ae422b 3945 prefix, yes_no(c->non_blocking),
64747e2d 3946 prefix, yes_no(c->private_tmp),
7f112f50 3947 prefix, yes_no(c->private_devices),
59eeb84b 3948 prefix, yes_no(c->protect_kernel_tunables),
e66a2f65 3949 prefix, yes_no(c->protect_kernel_modules),
59eeb84b 3950 prefix, yes_no(c->protect_control_groups),
d251207d
LP		 3951 prefix, yes_no(c->private_network),
3952 prefix, yes_no(c->private_users),
1b8689f9
LP		 3953 prefix, protect_home_to_string(c->protect_home),
3954 prefix, protect_system_to_string(c->protect_system),
5d997827 3955 prefix, yes_no(c->mount_apivfs),
f3e43635 3956 prefix, yes_no(c->ignore_sigpipe),
f4170c67 3957 prefix, yes_no(c->memory_deny_write_execute),
b1edf445
LP		 3958 prefix, yes_no(c->restrict_realtime),
3959 prefix, exec_keyring_mode_to_string(c->keyring_mode));
fb33a393 3960
915e6d16
LP		 3961 if (c->root_image)
3962 fprintf(f, "%sRootImage: %s\n", prefix, c->root_image);
3963
8c7be95e
LP		 3964 STRV_FOREACH(e, c->environment)
3965 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
3966
3967 STRV_FOREACH(e, c->environment_files)
3968 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
94f04347 3969
b4c14404
FB		 3970 STRV_FOREACH(e, c->pass_environment)
3971 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
3972
00819cc1
LP		 3973 STRV_FOREACH(e, c->unset_environment)
3974 fprintf(f, "%sUnsetEnvironment: %s\n", prefix, *e);
3975
53f47dfc
YW		 3976 fprintf(f, "%sRuntimeDirectoryPreserve: %s\n", prefix, exec_preserve_mode_to_string(c->runtime_directory_preserve_mode));
3977
72fd1768 3978 for (dt = 0; dt < _EXEC_DIRECTORY_TYPE_MAX; dt++) {
3536f49e
YW		 3979 fprintf(f, "%s%sMode: %04o\n", prefix, exec_directory_type_to_string(dt), c->directories[dt].mode);
3980
3981 STRV_FOREACH(d, c->directories[dt].paths)
3982 fprintf(f, "%s%s: %s\n", prefix, exec_directory_type_to_string(dt), *d);
3983 }
c2bbd90b 3984
fb33a393
LP		 3985 if (c->nice_set)
3986 fprintf(f,
3987 "%sNice: %i\n",
3988 prefix, c->nice);
3989
dd6c17b1 3990 if (c->oom_score_adjust_set)
fb33a393 3991 fprintf(f,
dd6c17b1
LP		 3992 "%sOOMScoreAdjust: %i\n",
3993 prefix, c->oom_score_adjust);
9eba9da4 3994
94f04347 3995 for (i = 0; i < RLIM_NLIMITS; i++)
3c11da9d
EV		 3996 if (c->rlimit[i]) {
3997 fprintf(f, "%s%s: " RLIM_FMT "\n",
3998 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
3999 fprintf(f, "%s%sSoft: " RLIM_FMT "\n",
4000 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
4001 }
94f04347 4002
f8b69d1d 4003 if (c->ioprio_set) {
1756a011 4004 _cleanup_free_ char *class_str = NULL;
f8b69d1d 4005
837df140
YW		 4006 r = ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
4007 if (r >= 0)
4008 fprintf(f, "%sIOSchedulingClass: %s\n", prefix, class_str);
4009
4010 fprintf(f, "%sIOPriority: %lu\n", prefix, IOPRIO_PRIO_DATA(c->ioprio));
f8b69d1d 4011 }
94f04347 4012
f8b69d1d 4013 if (c->cpu_sched_set) {
1756a011 4014 _cleanup_free_ char *policy_str = NULL;
f8b69d1d 4015
837df140
YW		 4016 r = sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
4017 if (r >= 0)
4018 fprintf(f, "%sCPUSchedulingPolicy: %s\n", prefix, policy_str);
4019
94f04347 4020 fprintf(f,
38b48754
LP		 4021 "%sCPUSchedulingPriority: %i\n"
4022 "%sCPUSchedulingResetOnFork: %s\n",
38b48754
LP		 4023 prefix, c->cpu_sched_priority,
4024 prefix, yes_no(c->cpu_sched_reset_on_fork));
b929bf04 4025 }
94f04347 4026
82c121a4 4027 if (c->cpuset) {
94f04347 4028 fprintf(f, "%sCPUAffinity:", prefix);
82c121a4
LP		 4029 for (i = 0; i < c->cpuset_ncpus; i++)
4030 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
43a99a7a 4031 fprintf(f, " %u", i);
94f04347
LP		 4032 fputs("\n", f);
4033 }
4034
3a43da28 4035 if (c->timer_slack_nsec != NSEC_INFINITY)
ccd06097 4036 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
94f04347
LP		 4037
4038 fprintf(f,
80876c20
LP		 4039 "%sStandardInput: %s\n"
4040 "%sStandardOutput: %s\n"
4041 "%sStandardError: %s\n",
4042 prefix, exec_input_to_string(c->std_input),
4043 prefix, exec_output_to_string(c->std_output),
4044 prefix, exec_output_to_string(c->std_error));
4045
befc4a80
LP		 4046 if (c->std_input == EXEC_INPUT_NAMED_FD)
4047 fprintf(f, "%sStandardInputFileDescriptorName: %s\n", prefix, c->stdio_fdname[STDIN_FILENO]);
4048 if (c->std_output == EXEC_OUTPUT_NAMED_FD)
4049 fprintf(f, "%sStandardOutputFileDescriptorName: %s\n", prefix, c->stdio_fdname[STDOUT_FILENO]);
4050 if (c->std_error == EXEC_OUTPUT_NAMED_FD)
4051 fprintf(f, "%sStandardErrorFileDescriptorName: %s\n", prefix, c->stdio_fdname[STDERR_FILENO]);
4052
4053 if (c->std_input == EXEC_INPUT_FILE)
4054 fprintf(f, "%sStandardInputFile: %s\n", prefix, c->stdio_file[STDIN_FILENO]);
4055 if (c->std_output == EXEC_OUTPUT_FILE)
4056 fprintf(f, "%sStandardOutputFile: %s\n", prefix, c->stdio_file[STDOUT_FILENO]);
4057 if (c->std_error == EXEC_OUTPUT_FILE)
4058 fprintf(f, "%sStandardErrorFile: %s\n", prefix, c->stdio_file[STDERR_FILENO]);
4059
80876c20
LP		 4060 if (c->tty_path)
4061 fprintf(f,
6ea832a2
LP		 4062 "%sTTYPath: %s\n"
4063 "%sTTYReset: %s\n"
4064 "%sTTYVHangup: %s\n"
4065 "%sTTYVTDisallocate: %s\n",
4066 prefix, c->tty_path,
4067 prefix, yes_no(c->tty_reset),
4068 prefix, yes_no(c->tty_vhangup),
4069 prefix, yes_no(c->tty_vt_disallocate));
94f04347 4070
9f6444eb
LP		 4071 if (IN_SET(c->std_output,
4072 EXEC_OUTPUT_SYSLOG,
4073 EXEC_OUTPUT_KMSG,
4074 EXEC_OUTPUT_JOURNAL,
4075 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
4076 EXEC_OUTPUT_KMSG_AND_CONSOLE,
4077 EXEC_OUTPUT_JOURNAL_AND_CONSOLE) ||
4078 IN_SET(c->std_error,
4079 EXEC_OUTPUT_SYSLOG,
4080 EXEC_OUTPUT_KMSG,
4081 EXEC_OUTPUT_JOURNAL,
4082 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
4083 EXEC_OUTPUT_KMSG_AND_CONSOLE,
4084 EXEC_OUTPUT_JOURNAL_AND_CONSOLE)) {
f8b69d1d 4085
5ce70e5b 4086 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
f8b69d1d 4087
837df140
YW		 4088 r = log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
4089 if (r >= 0)
4090 fprintf(f, "%sSyslogFacility: %s\n", prefix, fac_str);
f8b69d1d 4091
837df140
YW		 4092 r = log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
4093 if (r >= 0)
4094 fprintf(f, "%sSyslogLevel: %s\n", prefix, lvl_str);
f8b69d1d 4095 }
94f04347 4096
d3070fbd
LP		 4097 if (c->log_level_max >= 0) {
4098 _cleanup_free_ char *t = NULL;
4099
4100 (void) log_level_to_string_alloc(c->log_level_max, &t);
4101
4102 fprintf(f, "%sLogLevelMax: %s\n", prefix, strna(t));
4103 }
4104
4105 if (c->n_log_extra_fields > 0) {
4106 size_t j;
4107
4108 for (j = 0; j < c->n_log_extra_fields; j++) {
4109 fprintf(f, "%sLogExtraFields: ", prefix);
4110 fwrite(c->log_extra_fields[j].iov_base,
4111 1, c->log_extra_fields[j].iov_len,
4112 f);
4113 fputc('\n', f);
4114 }
4115 }
4116
07d46372
YW		 4117 if (c->secure_bits) {
4118 _cleanup_free_ char *str = NULL;
4119
4120 r = secure_bits_to_string_alloc(c->secure_bits, &str);
4121 if (r >= 0)
4122 fprintf(f, "%sSecure Bits: %s\n", prefix, str);
4123 }
94f04347 4124
a103496c 4125 if (c->capability_bounding_set != CAP_ALL) {
dd1f5bd0 4126 _cleanup_free_ char *str = NULL;
94f04347 4127
dd1f5bd0
YW		 4128 r = capability_set_to_string_alloc(c->capability_bounding_set, &str);
4129 if (r >= 0)
4130 fprintf(f, "%sCapabilityBoundingSet: %s\n", prefix, str);
755d4b67
IP		 4131 }
4132
4133 if (c->capability_ambient_set != 0) {
dd1f5bd0 4134 _cleanup_free_ char *str = NULL;
755d4b67 4135
dd1f5bd0
YW		 4136 r = capability_set_to_string_alloc(c->capability_ambient_set, &str);
4137 if (r >= 0)
4138 fprintf(f, "%sAmbientCapabilities: %s\n", prefix, str);
94f04347
LP		 4139 }
4140
4141 if (c->user)
f2d3769a 4142 fprintf(f, "%sUser: %s\n", prefix, c->user);
94f04347 4143 if (c->group)
f2d3769a 4144 fprintf(f, "%sGroup: %s\n", prefix, c->group);
94f04347 4145
29206d46
LP		 4146 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
4147
ac6e8be6 4148 if (!strv_isempty(c->supplementary_groups)) {
94f04347 4149 fprintf(f, "%sSupplementaryGroups:", prefix);
15ae422b
LP		 4150 strv_fprintf(f, c->supplementary_groups);
4151 fputs("\n", f);
4152 }
94f04347 4153
5b6319dc 4154 if (c->pam_name)
f2d3769a 4155 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
5b6319dc 4156
58629001 4157 if (!strv_isempty(c->read_write_paths)) {
2a624c36
AP		 4158 fprintf(f, "%sReadWritePaths:", prefix);
4159 strv_fprintf(f, c->read_write_paths);
15ae422b
LP		 4160 fputs("\n", f);
4161 }
4162
58629001 4163 if (!strv_isempty(c->read_only_paths)) {
2a624c36
AP		 4164 fprintf(f, "%sReadOnlyPaths:", prefix);
4165 strv_fprintf(f, c->read_only_paths);
15ae422b
LP		 4166 fputs("\n", f);
4167 }
94f04347 4168
58629001 4169 if (!strv_isempty(c->inaccessible_paths)) {
2a624c36
AP		 4170 fprintf(f, "%sInaccessiblePaths:", prefix);
4171 strv_fprintf(f, c->inaccessible_paths);
94f04347
LP		 4172 fputs("\n", f);
4173 }
2e22afe9 4174
d2d6c096
LP		 4175 if (c->n_bind_mounts > 0)
4176 for (i = 0; i < c->n_bind_mounts; i++) {
4177 fprintf(f, "%s%s: %s:%s:%s\n", prefix,
4178 c->bind_mounts[i].read_only ? "BindReadOnlyPaths" : "BindPaths",
4179 c->bind_mounts[i].source,
4180 c->bind_mounts[i].destination,
4181 c->bind_mounts[i].recursive ? "rbind" : "norbind");
4182 }
4183
169c1bda
LP		 4184 if (c->utmp_id)
4185 fprintf(f,
4186 "%sUtmpIdentifier: %s\n",
4187 prefix, c->utmp_id);
7b52a628
MS		 4188
4189 if (c->selinux_context)
4190 fprintf(f,
5f8640fb
LP		 4191 "%sSELinuxContext: %s%s\n",
4192 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
17df7223 4193
80c21aea
WC		 4194 if (c->apparmor_profile)
4195 fprintf(f,
4196 "%sAppArmorProfile: %s%s\n",
4197 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
4198
4199 if (c->smack_process_label)
4200 fprintf(f,
4201 "%sSmackProcessLabel: %s%s\n",
4202 prefix, c->smack_process_label_ignore ? "-" : "", c->smack_process_label);
4203
050f7277 4204 if (c->personality != PERSONALITY_INVALID)
ac45f971
LP		 4205 fprintf(f,
4206 "%sPersonality: %s\n",
4207 prefix, strna(personality_to_string(c->personality)));
4208
78e864e5
TM		 4209 fprintf(f,
4210 "%sLockPersonality: %s\n",
4211 prefix, yes_no(c->lock_personality));
4212
17df7223 4213 if (c->syscall_filter) {
349cc4a5 4214#if HAVE_SECCOMP
17df7223 4215 Iterator j;
8cfa775f 4216 void *id, *val;
17df7223 4217 bool first = true;
351a19b1 4218#endif
17df7223
LP		 4219
4220 fprintf(f,
57183d11 4221 "%sSystemCallFilter: ",
17df7223
LP		 4222 prefix);
4223
4224 if (!c->syscall_whitelist)
4225 fputc('~', f);
4226
349cc4a5 4227#if HAVE_SECCOMP
8cfa775f 4228 HASHMAP_FOREACH_KEY(val, id, c->syscall_filter, j) {
17df7223 4229 _cleanup_free_ char *name = NULL;
8cfa775f
YW		 4230 const char *errno_name = NULL;
4231 int num = PTR_TO_INT(val);
17df7223
LP		 4232
4233 if (first)
4234 first = false;
4235 else
4236 fputc(' ', f);
4237
57183d11 4238 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
17df7223 4239 fputs(strna(name), f);
8cfa775f
YW		 4240
4241 if (num >= 0) {
4242 errno_name = errno_to_name(num);
4243 if (errno_name)
4244 fprintf(f, ":%s", errno_name);
4245 else
4246 fprintf(f, ":%d", num);
4247 }
17df7223 4248 }
351a19b1 4249#endif
17df7223
LP		 4250
4251 fputc('\n', f);
4252 }
4253
57183d11 4254 if (c->syscall_archs) {
349cc4a5 4255#if HAVE_SECCOMP
57183d11
LP		 4256 Iterator j;
4257 void *id;
4258#endif
4259
4260 fprintf(f,
4261 "%sSystemCallArchitectures:",
4262 prefix);
4263
349cc4a5 4264#if HAVE_SECCOMP
57183d11
LP		 4265 SET_FOREACH(id, c->syscall_archs, j)
4266 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
4267#endif
4268 fputc('\n', f);
4269 }
4270
add00535
LP		 4271 if (exec_context_restrict_namespaces_set(c)) {
4272 _cleanup_free_ char *s = NULL;
4273
4274 r = namespace_flag_to_string_many(c->restrict_namespaces, &s);
4275 if (r >= 0)
4276 fprintf(f, "%sRestrictNamespaces: %s\n",
4277 prefix, s);
4278 }
4279
3df90f24
YW		 4280 if (c->syscall_errno > 0) {
4281 const char *errno_name;
4282
4283 fprintf(f, "%sSystemCallErrorNumber: ", prefix);
4284
4285 errno_name = errno_to_name(c->syscall_errno);
4286 if (errno_name)
4287 fprintf(f, "%s\n", errno_name);
4288 else
4289 fprintf(f, "%d\n", c->syscall_errno);
4290 }
eef65bf3
MS		 4291
4292 if (c->apparmor_profile)
4293 fprintf(f,
4294 "%sAppArmorProfile: %s%s\n",
4295 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
5cb5a6ff
LP		 4296}
4297
34cf6c43 4298bool exec_context_maintains_privileges(const ExecContext *c) {
a931ad47
LP		 4299 assert(c);
4300
61233823 4301 /* Returns true if the process forked off would run under
a931ad47
LP		 4302 * an unchanged UID or as root. */
4303
4304 if (!c->user)
4305 return true;
4306
4307 if (streq(c->user, "root") || streq(c->user, "0"))
4308 return true;
4309
4310 return false;
4311}
4312
34cf6c43 4313int exec_context_get_effective_ioprio(const ExecContext *c) {
7f452159
LP		 4314 int p;
4315
4316 assert(c);
4317
4318 if (c->ioprio_set)
4319 return c->ioprio;
4320
4321 p = ioprio_get(IOPRIO_WHO_PROCESS, 0);
4322 if (p < 0)
4323 return IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 4);
4324
4325 return p;
4326}
4327
d3070fbd
LP		 4328void exec_context_free_log_extra_fields(ExecContext *c) {
4329 size_t l;
4330
4331 assert(c);
4332
4333 for (l = 0; l < c->n_log_extra_fields; l++)
4334 free(c->log_extra_fields[l].iov_base);
4335 c->log_extra_fields = mfree(c->log_extra_fields);
4336 c->n_log_extra_fields = 0;
4337}
4338
b58b4116 4339void exec_status_start(ExecStatus *s, pid_t pid) {
034c6ed7 4340 assert(s);
5cb5a6ff 4341
b58b4116
LP		 4342 zero(*s);
4343 s->pid = pid;
4344 dual_timestamp_get(&s->start_timestamp);
4345}
4346
34cf6c43 4347void exec_status_exit(ExecStatus *s, const ExecContext *context, pid_t pid, int code, int status) {
b58b4116
LP		 4348 assert(s);
4349
0b1f4ae6 4350 if (s->pid && s->pid != pid)
b58b4116
LP		 4351 zero(*s);
4352
034c6ed7 4353 s->pid = pid;
63983207 4354 dual_timestamp_get(&s->exit_timestamp);
9fb86720 4355
034c6ed7
LP		 4356 s->code = code;
4357 s->status = status;
169c1bda 4358
6ea832a2
LP		 4359 if (context) {
4360 if (context->utmp_id)
4361 utmp_put_dead_process(context->utmp_id, pid, code, status);
4362
1e22b5cd 4363 exec_context_tty_reset(context, NULL);
6ea832a2 4364 }
9fb86720
LP		 4365}
4366
34cf6c43 4367void exec_status_dump(const ExecStatus *s, FILE *f, const char *prefix) {
9fb86720
LP		 4368 char buf[FORMAT_TIMESTAMP_MAX];
4369
4370 assert(s);
4371 assert(f);
4372
9fb86720
LP		 4373 if (s->pid <= 0)
4374 return;
4375
4c940960
LP		 4376 prefix = strempty(prefix);
4377
9fb86720 4378 fprintf(f,
ccd06097
ZJS		 4379 "%sPID: "PID_FMT"\n",
4380 prefix, s->pid);
9fb86720 4381
af9d16e1 4382 if (dual_timestamp_is_set(&s->start_timestamp))
9fb86720
LP		 4383 fprintf(f,
4384 "%sStart Timestamp: %s\n",
63983207 4385 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
9fb86720 4386
af9d16e1 4387 if (dual_timestamp_is_set(&s->exit_timestamp))
9fb86720
LP		 4388 fprintf(f,
4389 "%sExit Timestamp: %s\n"
4390 "%sExit Code: %s\n"
4391 "%sExit Status: %i\n",
63983207 4392 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
9fb86720
LP		 4393 prefix, sigchld_code_to_string(s->code),
4394 prefix, s->status);
5cb5a6ff 4395}
44d8db9e 4396
34cf6c43 4397static char *exec_command_line(char **argv) {
44d8db9e
LP		 4398 size_t k;
4399 char *n, *p, **a;
4400 bool first = true;
4401
9e2f7c11 4402 assert(argv);
44d8db9e 4403
9164977d 4404 k = 1;
9e2f7c11 4405 STRV_FOREACH(a, argv)
44d8db9e
LP		 4406 k += strlen(*a)+3;
4407
5cd9cd35
LP		 4408 n = new(char, k);
4409 if (!n)
44d8db9e
LP		 4410 return NULL;
4411
4412 p = n;
9e2f7c11 4413 STRV_FOREACH(a, argv) {
44d8db9e
LP		 4414
4415 if (!first)
4416 *(p++) = ' ';
4417 else
4418 first = false;
4419
4420 if (strpbrk(*a, WHITESPACE)) {
4421 *(p++) = '\'';
4422 p = stpcpy(p, *a);
4423 *(p++) = '\'';
4424 } else
4425 p = stpcpy(p, *a);
4426
4427 }
4428
9164977d
LP		 4429 *p = 0;
4430
44d8db9e
LP		 4431 /* FIXME: this doesn't really handle arguments that have
4432 * spaces and ticks in them */
4433
4434 return n;
4435}
4436
34cf6c43 4437static void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
e1d75803 4438 _cleanup_free_ char *cmd = NULL;
4c940960 4439 const char *prefix2;
44d8db9e
LP		 4440
4441 assert(c);
4442 assert(f);
4443
4c940960 4444 prefix = strempty(prefix);
63c372cb 4445 prefix2 = strjoina(prefix, "\t");
44d8db9e 4446
9e2f7c11 4447 cmd = exec_command_line(c->argv);
44d8db9e
LP		 4448 fprintf(f,
4449 "%sCommand Line: %s\n",
4450 prefix, cmd ? cmd : strerror(ENOMEM));
4451
9fb86720 4452 exec_status_dump(&c->exec_status, f, prefix2);
44d8db9e
LP		 4453}
4454
4455void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
4456 assert(f);
4457
4c940960 4458 prefix = strempty(prefix);
44d8db9e
LP		 4459
4460 LIST_FOREACH(command, c, c)
4461 exec_command_dump(c, f, prefix);
4462}
94f04347 4463
a6a80b4f
LP		 4464void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
4465 ExecCommand *end;
4466
4467 assert(l);
4468 assert(e);
4469
4470 if (*l) {
35b8ca3a 4471 /* It's kind of important, that we keep the order here */
71fda00f
LP		 4472 LIST_FIND_TAIL(command, *l, end);
4473 LIST_INSERT_AFTER(command, *l, end, e);
a6a80b4f
LP		 4474 } else
4475 *l = e;
4476}
4477
26fd040d
LP		 4478int exec_command_set(ExecCommand *c, const char *path, ...) {
4479 va_list ap;
4480 char **l, *p;
4481
4482 assert(c);
4483 assert(path);
4484
4485 va_start(ap, path);
4486 l = strv_new_ap(path, ap);
4487 va_end(ap);
4488
4489 if (!l)
4490 return -ENOMEM;
4491
250a918d
LP		 4492 p = strdup(path);
4493 if (!p) {
26fd040d
LP		 4494 strv_free(l);
4495 return -ENOMEM;
4496 }
4497
4498 free(c->path);
4499 c->path = p;
4500
4501 strv_free(c->argv);
4502 c->argv = l;
4503
4504 return 0;
4505}
4506
86b23b07 4507int exec_command_append(ExecCommand *c, const char *path, ...) {
e63ff941 4508 _cleanup_strv_free_ char **l = NULL;
86b23b07 4509 va_list ap;
86b23b07
JS		 4510 int r;
4511
4512 assert(c);
4513 assert(path);
4514
4515 va_start(ap, path);
4516 l = strv_new_ap(path, ap);
4517 va_end(ap);
4518
4519 if (!l)
4520 return -ENOMEM;
4521
e287086b 4522 r = strv_extend_strv(&c->argv, l, false);
e63ff941 4523 if (r < 0)
86b23b07 4524 return r;
86b23b07
JS		 4525
4526 return 0;
4527}
4528
e8a565cb
YW		 4529static void *remove_tmpdir_thread(void *p) {
4530 _cleanup_free_ char *path = p;
86b23b07 4531
e8a565cb
YW		 4532 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
4533 return NULL;
4534}
4535
4536static ExecRuntime* exec_runtime_free(ExecRuntime *rt, bool destroy) {
4537 int r;
4538
4539 if (!rt)
4540 return NULL;
4541
4542 if (rt->manager)
4543 (void) hashmap_remove(rt->manager->exec_runtime_by_id, rt->id);
4544
4545 /* When destroy is true, then rm_rf tmp_dir and var_tmp_dir. */
4546 if (destroy && rt->tmp_dir) {
4547 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
4548
4549 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
4550 if (r < 0) {
4551 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
4552 free(rt->tmp_dir);
4553 }
4554
4555 rt->tmp_dir = NULL;
4556 }
613b411c 4557
e8a565cb
YW		 4558 if (destroy && rt->var_tmp_dir) {
4559 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
4560
4561 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
4562 if (r < 0) {
4563 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
4564 free(rt->var_tmp_dir);
4565 }
4566
4567 rt->var_tmp_dir = NULL;
4568 }
4569
4570 rt->id = mfree(rt->id);
4571 rt->tmp_dir = mfree(rt->tmp_dir);
4572 rt->var_tmp_dir = mfree(rt->var_tmp_dir);
4573 safe_close_pair(rt->netns_storage_socket);
4574 return mfree(rt);
4575}
4576
4577static void exec_runtime_freep(ExecRuntime **rt) {
613b411c 4578 if (*rt)
e8a565cb
YW		 4579 (void) exec_runtime_free(*rt, false);
4580}
4581
4582static int exec_runtime_allocate(ExecRuntime **rt) {
4583 assert(rt);
613b411c
LP		 4584
4585 *rt = new0(ExecRuntime, 1);
f146f5e1 4586 if (!*rt)
613b411c
LP		 4587 return -ENOMEM;
4588
613b411c 4589 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
613b411c
LP		 4590 return 0;
4591}
4592
e8a565cb
YW		 4593static int exec_runtime_add(
4594 Manager *m,
4595 const char *id,
4596 const char *tmp_dir,
4597 const char *var_tmp_dir,
4598 const int netns_storage_socket[2],
4599 ExecRuntime **ret) {
4600
4601 _cleanup_(exec_runtime_freep) ExecRuntime *rt = NULL;
613b411c
LP		 4602 int r;
4603
e8a565cb 4604 assert(m);
613b411c
LP		 4605 assert(id);
4606
e8a565cb
YW		 4607 r = hashmap_ensure_allocated(&m->exec_runtime_by_id, &string_hash_ops);
4608 if (r < 0)
4609 return r;
613b411c 4610
e8a565cb 4611 r = exec_runtime_allocate(&rt);
613b411c
LP		 4612 if (r < 0)
4613 return r;
4614
e8a565cb
YW		 4615 rt->id = strdup(id);
4616 if (!rt->id)
4617 return -ENOMEM;
4618
4619 if (tmp_dir) {
4620 rt->tmp_dir = strdup(tmp_dir);
4621 if (!rt->tmp_dir)
4622 return -ENOMEM;
4623
4624 /* When tmp_dir is set, then we require var_tmp_dir is also set. */
4625 assert(var_tmp_dir);
4626 rt->var_tmp_dir = strdup(var_tmp_dir);
4627 if (!rt->var_tmp_dir)
4628 return -ENOMEM;
4629 }
4630
4631 if (netns_storage_socket) {
4632 rt->netns_storage_socket[0] = netns_storage_socket[0];
4633 rt->netns_storage_socket[1] = netns_storage_socket[1];
613b411c
LP		 4634 }
4635
e8a565cb
YW		 4636 r = hashmap_put(m->exec_runtime_by_id, rt->id, rt);
4637 if (r < 0)
4638 return r;
4639
4640 rt->manager = m;
4641
4642 if (ret)
4643 *ret = rt;
4644
4645 /* do not remove created ExecRuntime object when the operation succeeds. */
4646 rt = NULL;
4647 return 0;
4648}
4649
4650static int exec_runtime_make(Manager *m, const ExecContext *c, const char *id, ExecRuntime **ret) {
4651 _cleanup_free_ char *tmp_dir = NULL, *var_tmp_dir = NULL;
4652 _cleanup_close_pair_ int netns_storage_socket[2] = {-1, -1};
4653 int r;
4654
4655 assert(m);
4656 assert(c);
4657 assert(id);
4658
4659 /* It is not necessary to create ExecRuntime object. */
4660 if (!c->private_network && !c->private_tmp)
4661 return 0;
4662
4663 if (c->private_tmp) {
4664 r = setup_tmp_dirs(id, &tmp_dir, &var_tmp_dir);
613b411c
LP		 4665 if (r < 0)
4666 return r;
4667 }
4668
e8a565cb
YW		 4669 if (c->private_network) {
4670 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, netns_storage_socket) < 0)
4671 return -errno;
4672 }
4673
4674 r = exec_runtime_add(m, id, tmp_dir, var_tmp_dir, netns_storage_socket, ret);
4675 if (r < 0)
4676 return r;
4677
4678 /* Avoid cleanup */
4679 netns_storage_socket[0] = -1;
4680 netns_storage_socket[1] = -1;
613b411c
LP		 4681 return 1;
4682}
4683
e8a565cb
YW		 4684int exec_runtime_acquire(Manager *m, const ExecContext *c, const char *id, bool create, ExecRuntime **ret) {
4685 ExecRuntime *rt;
4686 int r;
613b411c 4687
e8a565cb
YW		 4688 assert(m);
4689 assert(id);
4690 assert(ret);
4691
4692 rt = hashmap_get(m->exec_runtime_by_id, id);
4693 if (rt)
4694 /* We already have a ExecRuntime object, let's increase the ref count and reuse it */
4695 goto ref;
4696
4697 if (!create)
4698 return 0;
4699
4700 /* If not found, then create a new object. */
4701 r = exec_runtime_make(m, c, id, &rt);
4702 if (r <= 0)
4703 /* When r == 0, it is not necessary to create ExecRuntime object. */
4704 return r;
613b411c 4705
e8a565cb
YW		 4706ref:
4707 /* increment reference counter. */
4708 rt->n_ref++;
4709 *ret = rt;
4710 return 1;
4711}
613b411c 4712
e8a565cb
YW		 4713ExecRuntime *exec_runtime_unref(ExecRuntime *rt, bool destroy) {
4714 if (!rt)
613b411c
LP		 4715 return NULL;
4716
e8a565cb 4717 assert(rt->n_ref > 0);
613b411c 4718
e8a565cb
YW		 4719 rt->n_ref--;
4720 if (rt->n_ref > 0)
f2341e0a
LP		 4721 return NULL;
4722
e8a565cb 4723 return exec_runtime_free(rt, destroy);
613b411c
LP		 4724}
4725
e8a565cb
YW		 4726int exec_runtime_serialize(const Manager *m, FILE *f, FDSet *fds) {
4727 ExecRuntime *rt;
4728 Iterator i;
4729
4730 assert(m);
613b411c
LP		 4731 assert(f);
4732 assert(fds);
4733
e8a565cb
YW		 4734 HASHMAP_FOREACH(rt, m->exec_runtime_by_id, i) {
4735 fprintf(f, "exec-runtime=%s", rt->id);
613b411c 4736
e8a565cb
YW		 4737 if (rt->tmp_dir)
4738 fprintf(f, " tmp-dir=%s", rt->tmp_dir);
613b411c 4739
e8a565cb
YW		 4740 if (rt->var_tmp_dir)
4741 fprintf(f, " var-tmp-dir=%s", rt->var_tmp_dir);
613b411c 4742
e8a565cb
YW		 4743 if (rt->netns_storage_socket[0] >= 0) {
4744 int copy;
613b411c 4745
e8a565cb
YW		 4746 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
4747 if (copy < 0)
4748 return copy;
613b411c 4749
e8a565cb
YW		 4750 fprintf(f, " netns-socket-0=%i", copy);
4751 }
613b411c 4752
e8a565cb
YW		 4753 if (rt->netns_storage_socket[1] >= 0) {
4754 int copy;
613b411c 4755
e8a565cb
YW		 4756 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
4757 if (copy < 0)
4758 return copy;
613b411c 4759
e8a565cb
YW		 4760 fprintf(f, " netns-socket-1=%i", copy);
4761 }
4762
4763 fputc('\n', f);
613b411c
LP		 4764 }
4765
4766 return 0;
4767}
4768
e8a565cb
YW		 4769int exec_runtime_deserialize_compat(Unit *u, const char *key, const char *value, FDSet *fds) {
4770 _cleanup_(exec_runtime_freep) ExecRuntime *rt_create = NULL;
4771 ExecRuntime *rt;
613b411c
LP		 4772 int r;
4773
e8a565cb
YW		 4774 /* This is for the migration from old (v237 or earlier) deserialization text.
4775 * Due to the bug #7790, this may not work with the units that use JoinsNamespaceOf=.
4776 * Even if the ExecRuntime object originally created by the other unit, we cannot judge
4777 * so or not from the serialized text, then we always creates a new object owned by this. */
4778
4779 assert(u);
613b411c
LP		 4780 assert(key);
4781 assert(value);
4782
e8a565cb
YW		 4783 /* Manager manages ExecRuntime objects by the unit id.
4784 * So, we omit the serialized text when the unit does not have id (yet?)... */
4785 if (isempty(u->id)) {
4786 log_unit_debug(u, "Invocation ID not found. Dropping runtime parameter.");
4787 return 0;
4788 }
613b411c 4789
e8a565cb
YW		 4790 r = hashmap_ensure_allocated(&u->manager->exec_runtime_by_id, &string_hash_ops);
4791 if (r < 0) {
4792 log_unit_debug_errno(u, r, "Failed to allocate storage for runtime parameter: %m");
4793 return 0;
4794 }
4795
4796 rt = hashmap_get(u->manager->exec_runtime_by_id, u->id);
4797 if (!rt) {
4798 r = exec_runtime_allocate(&rt_create);
613b411c 4799 if (r < 0)
f2341e0a 4800 return log_oom();
613b411c 4801
e8a565cb
YW		 4802 rt_create->id = strdup(u->id);
4803 if (!rt_create->id)
4804 return log_oom();
4805
4806 rt = rt_create;
4807 }
4808
4809 if (streq(key, "tmp-dir")) {
4810 char *copy;
4811
613b411c
LP		 4812 copy = strdup(value);
4813 if (!copy)
4814 return log_oom();
4815
e8a565cb 4816 free_and_replace(rt->tmp_dir, copy);
613b411c
LP		 4817
4818 } else if (streq(key, "var-tmp-dir")) {
4819 char *copy;
4820
613b411c
LP		 4821 copy = strdup(value);
4822 if (!copy)
4823 return log_oom();
4824
e8a565cb 4825 free_and_replace(rt->var_tmp_dir, copy);
613b411c
LP		 4826
4827 } else if (streq(key, "netns-socket-0")) {
4828 int fd;
4829
e8a565cb 4830 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd)) {
f2341e0a 4831 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
e8a565cb 4832 return 0;
613b411c 4833 }
e8a565cb
YW		 4834
4835 safe_close(rt->netns_storage_socket[0]);
4836 rt->netns_storage_socket[0] = fdset_remove(fds, fd);
4837
613b411c
LP		 4838 } else if (streq(key, "netns-socket-1")) {
4839 int fd;
4840
e8a565cb 4841 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd)) {
f2341e0a 4842 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
e8a565cb 4843 return 0;
613b411c 4844 }
e8a565cb
YW		 4845
4846 safe_close(rt->netns_storage_socket[1]);
4847 rt->netns_storage_socket[1] = fdset_remove(fds, fd);
613b411c
LP		 4848 } else
4849 return 0;
4850
613b411c 4851
e8a565cb
YW		 4852 /* If the object is newly created, then put it to the hashmap which manages ExecRuntime objects. */
4853 if (rt_create) {
4854 r = hashmap_put(u->manager->exec_runtime_by_id, rt_create->id, rt_create);
4855 if (r < 0) {
4856 log_unit_debug_errno(u, r, "Failed to put runtime paramter to manager's storage: %m");
4857 return 0;
4858 }
613b411c 4859
e8a565cb 4860 rt_create->manager = u->manager;
613b411c 4861
e8a565cb
YW		 4862 /* Avoid cleanup */
4863 rt_create = NULL;
4864 }
98b47d54 4865
e8a565cb
YW		 4866 return 1;
4867}
613b411c 4868
e8a565cb
YW		 4869void exec_runtime_deserialize_one(Manager *m, const char *value, FDSet *fds) {
4870 char *id = NULL, *tmp_dir = NULL, *var_tmp_dir = NULL;
4871 int r, fd0 = -1, fd1 = -1;
4872 const char *p, *v = value;
4873 size_t n;
613b411c 4874
e8a565cb
YW		 4875 assert(m);
4876 assert(value);
4877 assert(fds);
98b47d54 4878
e8a565cb
YW		 4879 n = strcspn(v, " ");
4880 id = strndupa(v, n);
4881 if (v[n] != ' ')
4882 goto finalize;
4883 p = v + n + 1;
4884
4885 v = startswith(p, "tmp-dir=");
4886 if (v) {
4887 n = strcspn(v, " ");
4888 tmp_dir = strndupa(v, n);
4889 if (v[n] != ' ')
4890 goto finalize;
4891 p = v + n + 1;
4892 }
4893
4894 v = startswith(p, "var-tmp-dir=");
4895 if (v) {
4896 n = strcspn(v, " ");
4897 var_tmp_dir = strndupa(v, n);
4898 if (v[n] != ' ')
4899 goto finalize;
4900 p = v + n + 1;
4901 }
4902
4903 v = startswith(p, "netns-socket-0=");
4904 if (v) {
4905 char *buf;
4906
4907 n = strcspn(v, " ");
4908 buf = strndupa(v, n);
4909 if (safe_atoi(buf, &fd0) < 0 || !fdset_contains(fds, fd0)) {
4910 log_debug("Unable to process exec-runtime netns fd specification.");
4911 return;
98b47d54 4912 }
e8a565cb
YW		 4913 fd0 = fdset_remove(fds, fd0);
4914 if (v[n] != ' ')
4915 goto finalize;
4916 p = v + n + 1;
613b411c
LP		 4917 }
4918
e8a565cb
YW		 4919 v = startswith(p, "netns-socket-1=");
4920 if (v) {
4921 char *buf;
98b47d54 4922
e8a565cb
YW		 4923 n = strcspn(v, " ");
4924 buf = strndupa(v, n);
4925 if (safe_atoi(buf, &fd1) < 0 || !fdset_contains(fds, fd1)) {
4926 log_debug("Unable to process exec-runtime netns fd specification.");
4927 return;
98b47d54 4928 }
e8a565cb
YW		 4929 fd1 = fdset_remove(fds, fd1);
4930 }
98b47d54 4931
e8a565cb
YW		 4932finalize:
4933
4934 r = exec_runtime_add(m, id, tmp_dir, var_tmp_dir, (int[]) { fd0, fd1 }, NULL);
4935 if (r < 0) {
4936 log_debug_errno(r, "Failed to add exec-runtime: %m");
4937 return;
613b411c 4938 }
e8a565cb 4939}
613b411c 4940
e8a565cb
YW		 4941void exec_runtime_vacuum(Manager *m) {
4942 ExecRuntime *rt;
4943 Iterator i;
4944
4945 assert(m);
4946
4947 /* Free unreferenced ExecRuntime objects. This is used after manager deserialization process. */
4948
4949 HASHMAP_FOREACH(rt, m->exec_runtime_by_id, i) {
4950 if (rt->n_ref > 0)
4951 continue;
4952
4953 (void) exec_runtime_free(rt, false);
4954 }
613b411c
LP		 4955}
4956
80876c20
LP		 4957static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
4958 [EXEC_INPUT_NULL] = "null",
4959 [EXEC_INPUT_TTY] = "tty",
4960 [EXEC_INPUT_TTY_FORCE] = "tty-force",
4f2d528d 4961 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
52c239d7
LB		 4962 [EXEC_INPUT_SOCKET] = "socket",
4963 [EXEC_INPUT_NAMED_FD] = "fd",
08f3be7a 4964 [EXEC_INPUT_DATA] = "data",
2038c3f5 4965 [EXEC_INPUT_FILE] = "file",
80876c20
LP		 4966};
4967
8a0867d6
LP		 4968DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
4969
94f04347 4970static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
80876c20 4971 [EXEC_OUTPUT_INHERIT] = "inherit",
94f04347 4972 [EXEC_OUTPUT_NULL] = "null",
80876c20 4973 [EXEC_OUTPUT_TTY] = "tty",
94f04347 4974 [EXEC_OUTPUT_SYSLOG] = "syslog",
28dbc1e8 4975 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
9a6bca7a 4976 [EXEC_OUTPUT_KMSG] = "kmsg",
28dbc1e8 4977 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
706343f4
LP		 4978 [EXEC_OUTPUT_JOURNAL] = "journal",
4979 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
52c239d7
LB		 4980 [EXEC_OUTPUT_SOCKET] = "socket",
4981 [EXEC_OUTPUT_NAMED_FD] = "fd",
2038c3f5 4982 [EXEC_OUTPUT_FILE] = "file",
94f04347
LP		 4983};
4984
4985DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
023a4f67
LP		 4986
4987static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
4988 [EXEC_UTMP_INIT] = "init",
4989 [EXEC_UTMP_LOGIN] = "login",
4990 [EXEC_UTMP_USER] = "user",
4991};
4992
4993DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
53f47dfc
YW		 4994
4995static const char* const exec_preserve_mode_table[_EXEC_PRESERVE_MODE_MAX] = {
4996 [EXEC_PRESERVE_NO] = "no",
4997 [EXEC_PRESERVE_YES] = "yes",
4998 [EXEC_PRESERVE_RESTART] = "restart",
4999};
5000
5001DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(exec_preserve_mode, ExecPreserveMode, EXEC_PRESERVE_YES);
3536f49e 5002
72fd1768 5003static const char* const exec_directory_type_table[_EXEC_DIRECTORY_TYPE_MAX] = {
3536f49e
YW		 5004 [EXEC_DIRECTORY_RUNTIME] = "RuntimeDirectory",
5005 [EXEC_DIRECTORY_STATE] = "StateDirectory",
5006 [EXEC_DIRECTORY_CACHE] = "CacheDirectory",
5007 [EXEC_DIRECTORY_LOGS] = "LogsDirectory",
5008 [EXEC_DIRECTORY_CONFIGURATION] = "ConfigurationDirectory",
5009};
5010
5011DEFINE_STRING_TABLE_LOOKUP(exec_directory_type, ExecDirectoryType);
b1edf445
LP		 5012
5013static const char* const exec_keyring_mode_table[_EXEC_KEYRING_MODE_MAX] = {
5014 [EXEC_KEYRING_INHERIT] = "inherit",
5015 [EXEC_KEYRING_PRIVATE] = "private",
5016 [EXEC_KEYRING_SHARED] = "shared",
5017};
5018
5019DEFINE_STRING_TABLE_LOOKUP(exec_keyring_mode, ExecKeyringMode);
Unnamed repository; edit this file 'description' to name the repository.