]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/core/execute.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
includes: remove duplicate includes
[thirdparty/systemd.git] / src / core / execute.c
CommitLineData
d6c9574f 1/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
5cb5a6ff 2
a7334b09
LP		 3/***
4 This file is part of systemd.
5
6 Copyright 2010 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
5430f7f2
LP		 9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
a7334b09
LP		 11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2 16 Lesser General Public License for more details.
a7334b09 17
5430f7f2 18 You should have received a copy of the GNU Lesser General Public License
a7334b09
LP		 19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20***/
21
5cb5a6ff 22#include <assert.h>
034c6ed7
LP		 23#include <dirent.h>
24#include <errno.h>
25#include <fcntl.h>
26#include <unistd.h>
44d8db9e 27#include <string.h>
309bff19 28#include <signal.h>
071830ff
LP		 29#include <sys/socket.h>
30#include <sys/un.h>
94f04347 31#include <sys/prctl.h>
66ee3769 32#include <linux/sched.h>
451a074f
LP		 33#include <sys/types.h>
34#include <sys/stat.h>
81a2b7ce
LP		 35#include <grp.h>
36#include <pwd.h>
15ae422b 37#include <sys/mount.h>
25e870b5 38#include <linux/fs.h>
dd6c17b1 39#include <linux/oom.h>
f2b68789 40#include <sys/poll.h>
8351ceae 41#include <linux/seccomp-bpf.h>
2bef10ab 42#include <glob.h>
d34cd374 43#include <libgen.h>
2b6bf07d 44#undef basename
5cb5a6ff 45
5b6319dc
LP		 46#ifdef HAVE_PAM
47#include <security/pam_appl.h>
48#endif
49
5cb5a6ff
LP		 50#include "execute.h"
51#include "strv.h"
52#include "macro.h"
d7832d2c 53#include "capability.h"
5cb5a6ff 54#include "util.h"
acbb0225 55#include "log.h"
20ad4cfd 56#include "sd-messages.h"
9eba9da4 57#include "ioprio.h"
94f04347 58#include "securebits.h"
15ae422b 59#include "namespace.h"
df1f0afe 60#include "tcpwrap.h"
d06dacd0 61#include "exit-status.h"
dd6c17b1 62#include "missing.h"
169c1bda 63#include "utmp-wtmp.h"
f6a6225e 64#include "def.h"
9eb977db 65#include "path-util.h"
8351ceae 66#include "syscall-list.h"
4d1a6904 67#include "env-util.h"
a5c32cff 68#include "fileio.h"
4ad49000 69#include "unit.h"
f485606b 70#include "async.h"
5cb5a6ff 71
e056b01d 72#define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
31a7eb86 73#define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
e6a26745 74
02a51aba
LP		 75/* This assumes there is a 'tty' group */
76#define TTY_MODE 0620
77
531dca78
LP		 78#define SNDBUF_SIZE (8*1024*1024)
79
034c6ed7
LP		 80static int shift_fds(int fds[], unsigned n_fds) {
81 int start, restart_from;
82
83 if (n_fds <= 0)
84 return 0;
85
a0d40ac5
LP		 86 /* Modifies the fds array! (sorts it) */
87
034c6ed7
LP		 88 assert(fds);
89
90 start = 0;
91 for (;;) {
92 int i;
93
94 restart_from = -1;
95
96 for (i = start; i < (int) n_fds; i++) {
97 int nfd;
98
99 /* Already at right index? */
100 if (fds[i] == i+3)
101 continue;
102
103 if ((nfd = fcntl(fds[i], F_DUPFD, i+3)) < 0)
104 return -errno;
105
e1f5e051 106 close_nointr_nofail(fds[i]);
034c6ed7
LP		 107 fds[i] = nfd;
108
109 /* Hmm, the fd we wanted isn't free? Then
110 * let's remember that and try again from here*/
111 if (nfd != i+3 && restart_from < 0)
112 restart_from = i;
113 }
114
115 if (restart_from < 0)
116 break;
117
118 start = restart_from;
119 }
120
121 return 0;
122}
123
c2748801 124static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
47a71eed 125 unsigned i;
e2c76839 126 int r;
47a71eed
LP		 127
128 if (n_fds <= 0)
129 return 0;
130
131 assert(fds);
132
451a074f 133 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
47a71eed
LP		 134
135 for (i = 0; i < n_fds; i++) {
47a71eed 136
e2c76839
LP		 137 if ((r = fd_nonblock(fds[i], nonblock)) < 0)
138 return r;
47a71eed 139
451a074f
LP		 140 /* We unconditionally drop FD_CLOEXEC from the fds,
141 * since after all we want to pass these fds to our
142 * children */
47a71eed 143
e2c76839
LP		 144 if ((r = fd_cloexec(fds[i], false)) < 0)
145 return r;
47a71eed
LP		 146 }
147
148 return 0;
149}
150
44a6b1b6 151_pure_ static const char *tty_path(const ExecContext *context) {
80876c20
LP		 152 assert(context);
153
154 if (context->tty_path)
155 return context->tty_path;
156
157 return "/dev/console";
158}
159
9588bc32 160static void exec_context_tty_reset(const ExecContext *context) {
6ea832a2
LP		 161 assert(context);
162
163 if (context->tty_vhangup)
164 terminal_vhangup(tty_path(context));
165
166 if (context->tty_reset)
167 reset_terminal(tty_path(context));
168
169 if (context->tty_vt_disallocate && context->tty_path)
170 vt_disallocate(context->tty_path);
171}
172
3a1286b6
MS		 173static bool is_terminal_output(ExecOutput o) {
174 return
175 o == EXEC_OUTPUT_TTY ||
176 o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
177 o == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
178 o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE;
179}
180
80876c20
LP		 181static int open_null_as(int flags, int nfd) {
182 int fd, r;
071830ff 183
80876c20 184 assert(nfd >= 0);
071830ff 185
613b411c
LP		 186 fd = open("/dev/null", flags|O_NOCTTY);
187 if (fd < 0)
071830ff
LP		 188 return -errno;
189
80876c20
LP		 190 if (fd != nfd) {
191 r = dup2(fd, nfd) < 0 ? -errno : nfd;
e1f5e051 192 close_nointr_nofail(fd);
80876c20
LP		 193 } else
194 r = nfd;
071830ff 195
80876c20 196 return r;
071830ff
LP		 197}
198
62bca2c6 199static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd) {
80876c20 200 int fd, r;
b92bea5d
ZJS		 201 union sockaddr_union sa = {
202 .un.sun_family = AF_UNIX,
203 .un.sun_path = "/run/systemd/journal/stdout",
204 };
071830ff
LP		 205
206 assert(context);
80876c20
LP		 207 assert(output < _EXEC_OUTPUT_MAX);
208 assert(ident);
209 assert(nfd >= 0);
071830ff 210
54fe0cdb
LP		 211 fd = socket(AF_UNIX, SOCK_STREAM, 0);
212 if (fd < 0)
80876c20 213 return -errno;
071830ff 214
54fe0cdb
LP		 215 r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path));
216 if (r < 0) {
80876c20
LP		 217 close_nointr_nofail(fd);
218 return -errno;
219 }
071830ff 220
80876c20
LP		 221 if (shutdown(fd, SHUT_RD) < 0) {
222 close_nointr_nofail(fd);
223 return -errno;
224 }
071830ff 225
531dca78
LP		 226 fd_inc_sndbuf(fd, SNDBUF_SIZE);
227
80876c20 228 dprintf(fd,
62bca2c6 229 "%s\n"
80876c20
LP		 230 "%s\n"
231 "%i\n"
54fe0cdb
LP		 232 "%i\n"
233 "%i\n"
234 "%i\n"
4f4a1dbf 235 "%i\n",
4f4a1dbf 236 context->syslog_identifier ? context->syslog_identifier : ident,
62bca2c6 237 unit_id,
54fe0cdb
LP		 238 context->syslog_priority,
239 !!context->syslog_level_prefix,
240 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
241 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
3a1286b6 242 is_terminal_output(output));
80876c20
LP		 243
244 if (fd != nfd) {
245 r = dup2(fd, nfd) < 0 ? -errno : nfd;
e1f5e051 246 close_nointr_nofail(fd);
80876c20
LP		 247 } else
248 r = nfd;
071830ff 249
80876c20
LP		 250 return r;
251}
252static int open_terminal_as(const char *path, mode_t mode, int nfd) {
253 int fd, r;
071830ff 254
80876c20
LP		 255 assert(path);
256 assert(nfd >= 0);
071830ff 257
80876c20
LP		 258 if ((fd = open_terminal(path, mode | O_NOCTTY)) < 0)
259 return fd;
071830ff 260
80876c20
LP		 261 if (fd != nfd) {
262 r = dup2(fd, nfd) < 0 ? -errno : nfd;
263 close_nointr_nofail(fd);
264 } else
265 r = nfd;
071830ff 266
80876c20
LP		 267 return r;
268}
071830ff 269
80876c20
LP		 270static bool is_terminal_input(ExecInput i) {
271 return
272 i == EXEC_INPUT_TTY ||
273 i == EXEC_INPUT_TTY_FORCE ||
274 i == EXEC_INPUT_TTY_FAIL;
275}
071830ff 276
1e3ad081
LP		 277static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
278
279 if (is_terminal_input(std_input) && !apply_tty_stdin)
280 return EXEC_INPUT_NULL;
071830ff 281
03fd9c49 282 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 283 return EXEC_INPUT_NULL;
284
03fd9c49 285 return std_input;
4f2d528d
LP		 286}
287
03fd9c49 288static int fixup_output(ExecOutput std_output, int socket_fd) {
4f2d528d 289
03fd9c49 290 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 291 return EXEC_OUTPUT_INHERIT;
292
03fd9c49 293 return std_output;
4f2d528d
LP		 294}
295
1e3ad081 296static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty_stdin) {
4f2d528d
LP		 297 ExecInput i;
298
299 assert(context);
300
1e3ad081 301 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
4f2d528d
LP		 302
303 switch (i) {
071830ff 304
80876c20
LP		 305 case EXEC_INPUT_NULL:
306 return open_null_as(O_RDONLY, STDIN_FILENO);
307
308 case EXEC_INPUT_TTY:
309 case EXEC_INPUT_TTY_FORCE:
310 case EXEC_INPUT_TTY_FAIL: {
311 int fd, r;
071830ff 312
970edce6
ZJS		 313 fd = acquire_terminal(tty_path(context),
314 i == EXEC_INPUT_TTY_FAIL,
315 i == EXEC_INPUT_TTY_FORCE,
316 false,
317 (usec_t) -1);
318 if (fd < 0)
80876c20
LP		 319 return fd;
320
321 if (fd != STDIN_FILENO) {
322 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
071830ff 323 close_nointr_nofail(fd);
80876c20
LP		 324 } else
325 r = STDIN_FILENO;
326
327 return r;
328 }
329
4f2d528d
LP		 330 case EXEC_INPUT_SOCKET:
331 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
332
80876c20
LP		 333 default:
334 assert_not_reached("Unknown input type");
335 }
336}
337
eb17e935 338static int setup_output(const ExecContext *context, int fileno, int socket_fd, const char *ident, const char *unit_id, bool apply_tty_stdin) {
4f2d528d
LP		 339 ExecOutput o;
340 ExecInput i;
47c1d80d 341 int r;
4f2d528d 342
80876c20
LP		 343 assert(context);
344 assert(ident);
345
1e3ad081 346 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
03fd9c49 347 o = fixup_output(context->std_output, socket_fd);
4f2d528d 348
eb17e935
MS		 349 if (fileno == STDERR_FILENO) {
350 ExecOutput e;
351 e = fixup_output(context->std_error, socket_fd);
80876c20 352
eb17e935
MS		 353 /* This expects the input and output are already set up */
354
355 /* Don't change the stderr file descriptor if we inherit all
356 * the way and are not on a tty */
357 if (e == EXEC_OUTPUT_INHERIT &&
358 o == EXEC_OUTPUT_INHERIT &&
359 i == EXEC_INPUT_NULL &&
360 !is_terminal_input(context->std_input) &&
361 getppid () != 1)
362 return fileno;
363
364 /* Duplicate from stdout if possible */
365 if (e == o || e == EXEC_OUTPUT_INHERIT)
366 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 367
eb17e935 368 o = e;
80876c20 369
eb17e935 370 } else if (o == EXEC_OUTPUT_INHERIT) {
21d21ea4
LP		 371 /* If input got downgraded, inherit the original value */
372 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
eb17e935 373 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
21d21ea4 374
acb591e4 375 /* If the input is connected to anything that's not a /dev/null, inherit that... */
ff876e28 376 if (i != EXEC_INPUT_NULL)
eb17e935 377 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 378
acb591e4
LP		 379 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
380 if (getppid() != 1)
eb17e935 381 return fileno;
94f04347 382
eb17e935
MS		 383 /* We need to open /dev/null here anew, to get the right access mode. */
384 return open_null_as(O_WRONLY, fileno);
071830ff 385 }
94f04347 386
eb17e935 387 switch (o) {
80876c20
LP		 388
389 case EXEC_OUTPUT_NULL:
eb17e935 390 return open_null_as(O_WRONLY, fileno);
80876c20
LP		 391
392 case EXEC_OUTPUT_TTY:
4f2d528d 393 if (is_terminal_input(i))
eb17e935 394 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
80876c20
LP		 395
396 /* We don't reset the terminal if this is just about output */
eb17e935 397 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
80876c20
LP		 398
399 case EXEC_OUTPUT_SYSLOG:
28dbc1e8 400 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
9a6bca7a 401 case EXEC_OUTPUT_KMSG:
28dbc1e8 402 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
706343f4
LP		 403 case EXEC_OUTPUT_JOURNAL:
404 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
eb17e935 405 r = connect_logger_as(context, o, ident, unit_id, fileno);
47c1d80d 406 if (r < 0) {
80cbda35
MS		 407 log_struct_unit(LOG_CRIT, unit_id,
408 "MESSAGE=Failed to connect std%s of %s to the journal socket: %s",
eb17e935 409 fileno == STDOUT_FILENO ? "out" : "err",
80cbda35
MS		 410 unit_id, strerror(-r),
411 "ERRNO=%d", -r,
412 NULL);
eb17e935 413 r = open_null_as(O_WRONLY, fileno);
47c1d80d
MS		 414 }
415 return r;
4f2d528d
LP		 416
417 case EXEC_OUTPUT_SOCKET:
418 assert(socket_fd >= 0);
eb17e935 419 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
94f04347
LP		 420
421 default:
80876c20 422 assert_not_reached("Unknown error type");
94f04347 423 }
071830ff
LP		 424}
425
02a51aba
LP		 426static int chown_terminal(int fd, uid_t uid) {
427 struct stat st;
428
429 assert(fd >= 0);
02a51aba
LP		 430
431 /* This might fail. What matters are the results. */
bab45044
LP		 432 (void) fchown(fd, uid, -1);
433 (void) fchmod(fd, TTY_MODE);
02a51aba
LP		 434
435 if (fstat(fd, &st) < 0)
436 return -errno;
437
d8b4e2e9 438 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
02a51aba
LP		 439 return -EPERM;
440
441 return 0;
442}
443
af6da548 444static int setup_confirm_stdio(int *_saved_stdin,
80876c20
LP		 445 int *_saved_stdout) {
446 int fd = -1, saved_stdin, saved_stdout = -1, r;
447
80876c20
LP		 448 assert(_saved_stdin);
449 assert(_saved_stdout);
450
af6da548
LP		 451 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
452 if (saved_stdin < 0)
453 return -errno;
80876c20 454
af6da548
LP		 455 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
456 if (saved_stdout < 0) {
457 r = errno;
80876c20
LP		 458 goto fail;
459 }
460
af6da548
LP		 461 fd = acquire_terminal(
462 "/dev/console",
463 false,
464 false,
465 false,
466 DEFAULT_CONFIRM_USEC);
467 if (fd < 0) {
468 r = fd;
80876c20
LP		 469 goto fail;
470 }
471
af6da548
LP		 472 r = chown_terminal(fd, getuid());
473 if (r < 0)
02a51aba 474 goto fail;
02a51aba 475
80876c20 476 if (dup2(fd, STDIN_FILENO) < 0) {
af6da548 477 r = -errno;
80876c20
LP		 478 goto fail;
479 }
480
481 if (dup2(fd, STDOUT_FILENO) < 0) {
af6da548 482 r = -errno;
80876c20
LP		 483 goto fail;
484 }
485
486 if (fd >= 2)
487 close_nointr_nofail(fd);
488
489 *_saved_stdin = saved_stdin;
490 *_saved_stdout = saved_stdout;
491
492 return 0;
493
494fail:
495 if (saved_stdout >= 0)
496 close_nointr_nofail(saved_stdout);
497
498 if (saved_stdin >= 0)
499 close_nointr_nofail(saved_stdin);
500
501 if (fd >= 0)
502 close_nointr_nofail(fd);
503
504 return r;
505}
506
44b601bc 507_printf_(1, 2) static int write_confirm_message(const char *format, ...) {
af6da548
LP		 508 int fd;
509 va_list ap;
80876c20 510
af6da548 511 assert(format);
80876c20 512
af6da548
LP		 513 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
514 if (fd < 0)
515 return fd;
80876c20 516
af6da548
LP		 517 va_start(ap, format);
518 vdprintf(fd, format, ap);
519 va_end(ap);
80876c20 520
af6da548 521 close_nointr_nofail(fd);
80876c20 522
af6da548
LP		 523 return 0;
524}
80876c20 525
af6da548
LP		 526static int restore_confirm_stdio(int *saved_stdin,
527 int *saved_stdout) {
80876c20 528
af6da548 529 int r = 0;
80876c20 530
af6da548
LP		 531 assert(saved_stdin);
532 assert(saved_stdout);
533
534 release_terminal();
535
536 if (*saved_stdin >= 0)
80876c20 537 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
af6da548 538 r = -errno;
80876c20 539
af6da548 540 if (*saved_stdout >= 0)
80876c20 541 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
af6da548 542 r = -errno;
80876c20 543
af6da548
LP		 544 if (*saved_stdin >= 0)
545 close_nointr_nofail(*saved_stdin);
80876c20 546
af6da548
LP		 547 if (*saved_stdout >= 0)
548 close_nointr_nofail(*saved_stdout);
549
550 return r;
551}
552
553static int ask_for_confirmation(char *response, char **argv) {
554 int saved_stdout = -1, saved_stdin = -1, r;
555 char *line;
556
557 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
558 if (r < 0)
559 return r;
560
561 line = exec_command_line(argv);
562 if (!line)
563 return -ENOMEM;
564
565 r = ask(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
566 free(line);
567
568 restore_confirm_stdio(&saved_stdin, &saved_stdout);
569
570 return r;
80876c20
LP		 571}
572
81a2b7ce
LP		 573static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
574 bool keep_groups = false;
575 int r;
576
577 assert(context);
578
35b8ca3a 579 /* Lookup and set GID and supplementary group list. Here too
81a2b7ce
LP		 580 * we avoid NSS lookups for gid=0. */
581
582 if (context->group || username) {
583
4b67834e
LP		 584 if (context->group) {
585 const char *g = context->group;
586
587 if ((r = get_group_creds(&g, &gid)) < 0)
81a2b7ce 588 return r;
4b67834e 589 }
81a2b7ce
LP		 590
591 /* First step, initialize groups from /etc/groups */
592 if (username && gid != 0) {
593 if (initgroups(username, gid) < 0)
594 return -errno;
595
596 keep_groups = true;
597 }
598
599 /* Second step, set our gids */
600 if (setresgid(gid, gid, gid) < 0)
601 return -errno;
602 }
603
604 if (context->supplementary_groups) {
605 int ngroups_max, k;
606 gid_t *gids;
607 char **i;
608
609 /* Final step, initialize any manually set supplementary groups */
da19d5c1 610 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
81a2b7ce
LP		 611
612 if (!(gids = new(gid_t, ngroups_max)))
613 return -ENOMEM;
614
615 if (keep_groups) {
616 if ((k = getgroups(ngroups_max, gids)) < 0) {
617 free(gids);
618 return -errno;
619 }
620 } else
621 k = 0;
622
623 STRV_FOREACH(i, context->supplementary_groups) {
4b67834e 624 const char *g;
81a2b7ce
LP		 625
626 if (k >= ngroups_max) {
627 free(gids);
628 return -E2BIG;
629 }
630
4b67834e
LP		 631 g = *i;
632 r = get_group_creds(&g, gids+k);
633 if (r < 0) {
81a2b7ce
LP		 634 free(gids);
635 return r;
636 }
637
638 k++;
639 }
640
641 if (setgroups(k, gids) < 0) {
642 free(gids);
643 return -errno;
644 }
645
646 free(gids);
647 }
648
649 return 0;
650}
651
652static int enforce_user(const ExecContext *context, uid_t uid) {
81a2b7ce
LP		 653 assert(context);
654
655 /* Sets (but doesn't lookup) the uid and make sure we keep the
656 * capabilities while doing so. */
657
658 if (context->capabilities) {
5ce70e5b 659 _cleanup_cap_free_ cap_t d = NULL;
81a2b7ce
LP		 660 static const cap_value_t bits[] = {
661 CAP_SETUID, /* Necessary so that we can run setresuid() below */
662 CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
663 };
664
665 /* First step: If we need to keep capabilities but
666 * drop privileges we need to make sure we keep our
cbb21cca 667 * caps, while we drop privileges. */
693ced48 668 if (uid != 0) {
cbb21cca 669 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
693ced48
LP		 670
671 if (prctl(PR_GET_SECUREBITS) != sb)
672 if (prctl(PR_SET_SECUREBITS, sb) < 0)
673 return -errno;
674 }
81a2b7ce 675
35b8ca3a 676 /* Second step: set the capabilities. This will reduce
81a2b7ce
LP		 677 * the capabilities to the minimum we need. */
678
5ce70e5b
ZJS		 679 d = cap_dup(context->capabilities);
680 if (!d)
81a2b7ce
LP		 681 return -errno;
682
683 if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
5ce70e5b
ZJS		 684 cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0)
685 return -errno;
81a2b7ce 686
5ce70e5b
ZJS		 687 if (cap_set_proc(d) < 0)
688 return -errno;
81a2b7ce
LP		 689 }
690
691 /* Third step: actually set the uids */
692 if (setresuid(uid, uid, uid) < 0)
693 return -errno;
694
695 /* At this point we should have all necessary capabilities but
696 are otherwise a normal user. However, the caps might got
697 corrupted due to the setresuid() so we need clean them up
698 later. This is done outside of this call. */
699
700 return 0;
701}
702
5b6319dc
LP		 703#ifdef HAVE_PAM
704
705static int null_conv(
706 int num_msg,
707 const struct pam_message **msg,
708 struct pam_response **resp,
709 void *appdata_ptr) {
710
711 /* We don't support conversations */
712
713 return PAM_CONV_ERR;
714}
715
716static int setup_pam(
717 const char *name,
718 const char *user,
940c5210 719 uid_t uid,
5b6319dc
LP		 720 const char *tty,
721 char ***pam_env,
722 int fds[], unsigned n_fds) {
723
724 static const struct pam_conv conv = {
725 .conv = null_conv,
726 .appdata_ptr = NULL
727 };
728
729 pam_handle_t *handle = NULL;
730 sigset_t ss, old_ss;
731 int pam_code = PAM_SUCCESS;
9ba35398 732 int err;
5b6319dc
LP		 733 char **e = NULL;
734 bool close_session = false;
735 pid_t pam_pid = 0, parent_pid;
970edce6 736 int flags = 0;
5b6319dc
LP		 737
738 assert(name);
739 assert(user);
740 assert(pam_env);
741
742 /* We set up PAM in the parent process, then fork. The child
35b8ca3a 743 * will then stay around until killed via PR_GET_PDEATHSIG or
5b6319dc
LP		 744 * systemd via the cgroup logic. It will then remove the PAM
745 * session again. The parent process will exec() the actual
746 * daemon. We do things this way to ensure that the main PID
747 * of the daemon is the one we initially fork()ed. */
748
970edce6
ZJS		 749 if (log_get_max_level() < LOG_PRI(LOG_DEBUG))
750 flags |= PAM_SILENT;
751
f546241b
ZJS		 752 pam_code = pam_start(name, user, &conv, &handle);
753 if (pam_code != PAM_SUCCESS) {
5b6319dc
LP		 754 handle = NULL;
755 goto fail;
756 }
757
f546241b
ZJS		 758 if (tty) {
759 pam_code = pam_set_item(handle, PAM_TTY, tty);
760 if (pam_code != PAM_SUCCESS)
5b6319dc 761 goto fail;
f546241b 762 }
5b6319dc 763
970edce6 764 pam_code = pam_acct_mgmt(handle, flags);
f546241b 765 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 766 goto fail;
767
970edce6 768 pam_code = pam_open_session(handle, flags);
f546241b 769 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 770 goto fail;
771
772 close_session = true;
773
f546241b
ZJS		 774 e = pam_getenvlist(handle);
775 if (!e) {
5b6319dc
LP		 776 pam_code = PAM_BUF_ERR;
777 goto fail;
778 }
779
780 /* Block SIGTERM, so that we know that it won't get lost in
781 * the child */
782 if (sigemptyset(&ss) < 0 ||
783 sigaddset(&ss, SIGTERM) < 0 ||
784 sigprocmask(SIG_BLOCK, &ss, &old_ss) < 0)
785 goto fail;
786
787 parent_pid = getpid();
788
f546241b
ZJS		 789 pam_pid = fork();
790 if (pam_pid < 0)
5b6319dc
LP		 791 goto fail;
792
793 if (pam_pid == 0) {
794 int sig;
795 int r = EXIT_PAM;
796
797 /* The child's job is to reset the PAM session on
798 * termination */
799
800 /* This string must fit in 10 chars (i.e. the length
5d6b1584
LP		 801 * of "/sbin/init"), to look pretty in /bin/ps */
802 rename_process("(sd-pam)");
5b6319dc
LP		 803
804 /* Make sure we don't keep open the passed fds in this
805 child. We assume that otherwise only those fds are
806 open here that have been opened by PAM. */
807 close_many(fds, n_fds);
808
940c5210
AK		 809 /* Drop privileges - we don't need any to pam_close_session
810 * and this will make PR_SET_PDEATHSIG work in most cases.
811 * If this fails, ignore the error - but expect sd-pam threads
812 * to fail to exit normally */
813 if (setresuid(uid, uid, uid) < 0)
814 log_error("Error: Failed to setresuid() in sd-pam: %s", strerror(-r));
815
816 /* Wait until our parent died. This will only work if
817 * the above setresuid() succeeds, otherwise the kernel
818 * will not allow unprivileged parents kill their privileged
819 * children this way. We rely on the control groups kill logic
5b6319dc
LP		 820 * to do the rest for us. */
821 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
822 goto child_finish;
823
824 /* Check if our parent process might already have
825 * died? */
826 if (getppid() == parent_pid) {
3dead8d9
LP		 827 for (;;) {
828 if (sigwait(&ss, &sig) < 0) {
829 if (errno == EINTR)
830 continue;
831
832 goto child_finish;
833 }
5b6319dc 834
3dead8d9
LP		 835 assert(sig == SIGTERM);
836 break;
837 }
5b6319dc
LP		 838 }
839
3dead8d9 840 /* If our parent died we'll end the session */
f546241b 841 if (getppid() != parent_pid) {
970edce6 842 pam_code = pam_close_session(handle, flags);
f546241b 843 if (pam_code != PAM_SUCCESS)
5b6319dc 844 goto child_finish;
f546241b 845 }
5b6319dc
LP		 846
847 r = 0;
848
849 child_finish:
970edce6 850 pam_end(handle, pam_code | flags);
5b6319dc
LP		 851 _exit(r);
852 }
853
854 /* If the child was forked off successfully it will do all the
855 * cleanups, so forget about the handle here. */
856 handle = NULL;
857
3b8bddde 858 /* Unblock SIGTERM again in the parent */
5b6319dc
LP		 859 if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0)
860 goto fail;
861
862 /* We close the log explicitly here, since the PAM modules
863 * might have opened it, but we don't want this fd around. */
864 closelog();
865
aa87e624
LP		 866 *pam_env = e;
867 e = NULL;
868
5b6319dc
LP		 869 return 0;
870
871fail:
970edce6
ZJS		 872 if (pam_code != PAM_SUCCESS) {
873 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
9ba35398 874 err = -EPERM; /* PAM errors do not map to errno */
970edce6
ZJS		 875 } else {
876 log_error("PAM failed: %m");
9ba35398 877 err = -errno;
970edce6 878 }
9ba35398 879
5b6319dc
LP		 880 if (handle) {
881 if (close_session)
970edce6 882 pam_code = pam_close_session(handle, flags);
5b6319dc 883
970edce6 884 pam_end(handle, pam_code | flags);
5b6319dc
LP		 885 }
886
887 strv_free(e);
888
889 closelog();
890
430c18ed 891 if (pam_pid > 1) {
5b6319dc 892 kill(pam_pid, SIGTERM);
430c18ed
LP		 893 kill(pam_pid, SIGCONT);
894 }
5b6319dc 895
9ba35398 896 return err;
5b6319dc
LP		 897}
898#endif
899
5d6b1584
LP		 900static void rename_process_from_path(const char *path) {
901 char process_name[11];
902 const char *p;
903 size_t l;
904
905 /* This resulting string must fit in 10 chars (i.e. the length
906 * of "/sbin/init") to look pretty in /bin/ps */
907
2b6bf07d 908 p = basename(path);
5d6b1584
LP		 909 if (isempty(p)) {
910 rename_process("(...)");
911 return;
912 }
913
914 l = strlen(p);
915 if (l > 8) {
916 /* The end of the process name is usually more
917 * interesting, since the first bit might just be
918 * "systemd-" */
919 p = p + l - 8;
920 l = 8;
921 }
922
923 process_name[0] = '(';
924 memcpy(process_name+1, p, l);
925 process_name[1+l] = ')';
926 process_name[1+l+1] = 0;
927
928 rename_process(process_name);
929}
930
8351ceae
LP		 931static int apply_seccomp(uint32_t *syscall_filter) {
932 static const struct sock_filter header[] = {
933 VALIDATE_ARCHITECTURE,
934 EXAMINE_SYSCALL
935 };
936 static const struct sock_filter footer[] = {
937 _KILL_PROCESS
938 };
939
940 int i;
941 unsigned n;
942 struct sock_filter *f;
b92bea5d 943 struct sock_fprog prog = {};
8351ceae
LP		 944
945 assert(syscall_filter);
946
947 /* First: count the syscalls to check for */
948 for (i = 0, n = 0; i < syscall_max(); i++)
949 if (syscall_filter[i >> 4] & (1 << (i & 31)))
950 n++;
951
952 /* Second: build the filter program from a header the syscall
953 * matches and the footer */
954 f = alloca(sizeof(struct sock_filter) * (ELEMENTSOF(header) + 2*n + ELEMENTSOF(footer)));
955 memcpy(f, header, sizeof(header));
956
957 for (i = 0, n = 0; i < syscall_max(); i++)
958 if (syscall_filter[i >> 4] & (1 << (i & 31))) {
959 struct sock_filter item[] = {
843fc7f7 960 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, INDEX_TO_SYSCALL(i), 0, 1),
8351ceae
LP		 961 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
962 };
963
964 assert_cc(ELEMENTSOF(item) == 2);
965
966 f[ELEMENTSOF(header) + 2*n] = item[0];
967 f[ELEMENTSOF(header) + 2*n+1] = item[1];
968
969 n++;
970 }
971
972 memcpy(f + (ELEMENTSOF(header) + 2*n), footer, sizeof(footer));
973
974 /* Third: install the filter */
8351ceae
LP		 975 prog.len = ELEMENTSOF(header) + ELEMENTSOF(footer) + 2*n;
976 prog.filter = f;
977 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0)
978 return -errno;
979
980 return 0;
981}
982
31a7eb86
ZJS		 983static void do_idle_pipe_dance(int idle_pipe[4]) {
984 assert(idle_pipe);
985
986 if (idle_pipe[1] >= 0)
987 close_nointr_nofail(idle_pipe[1]);
988 if (idle_pipe[2] >= 0)
989 close_nointr_nofail(idle_pipe[2]);
990
991 if (idle_pipe[0] >= 0) {
992 int r;
993
994 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
995
996 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
997 /* Signal systemd that we are bored and want to continue. */
998 write(idle_pipe[3], "x", 1);
999
1000 /* Wait for systemd to react to the signal above. */
1001 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1002 }
1003
1004 close_nointr_nofail(idle_pipe[0]);
1005
1006 }
1007
1008 if (idle_pipe[3] >= 0)
1009 close_nointr_nofail(idle_pipe[3]);
1010}
1011
7cae38c4
LP		 1012static int build_environment(
1013 ExecContext *c,
1014 unsigned n_fds,
09812eb7 1015 usec_t watchdog_usec,
7cae38c4
LP		 1016 const char *home,
1017 const char *username,
1018 const char *shell,
1019 char ***ret) {
1020
1021 _cleanup_strv_free_ char **our_env = NULL;
1022 unsigned n_env = 0;
1023 char *x;
1024
1025 assert(c);
1026 assert(ret);
1027
09812eb7 1028 our_env = new0(char*, 10);
7cae38c4
LP		 1029 if (!our_env)
1030 return -ENOMEM;
1031
1032 if (n_fds > 0) {
ccd06097 1033 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
7cae38c4
LP		 1034 return -ENOMEM;
1035 our_env[n_env++] = x;
1036
1037 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1038 return -ENOMEM;
1039 our_env[n_env++] = x;
1040 }
1041
09812eb7 1042 if (watchdog_usec > 0) {
ccd06097 1043 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
09812eb7
LP		 1044 return -ENOMEM;
1045 our_env[n_env++] = x;
1046
1047 if (asprintf(&x, "WATCHDOG_USEC=%llu", (unsigned long long) watchdog_usec) < 0)
1048 return -ENOMEM;
1049 our_env[n_env++] = x;
1050 }
1051
7cae38c4
LP		 1052 if (home) {
1053 x = strappend("HOME=", home);
1054 if (!x)
1055 return -ENOMEM;
1056 our_env[n_env++] = x;
1057 }
1058
1059 if (username) {
1060 x = strappend("LOGNAME=", username);
1061 if (!x)
1062 return -ENOMEM;
1063 our_env[n_env++] = x;
1064
1065 x = strappend("USER=", username);
1066 if (!x)
1067 return -ENOMEM;
1068 our_env[n_env++] = x;
1069 }
1070
1071 if (shell) {
1072 x = strappend("SHELL=", shell);
1073 if (!x)
1074 return -ENOMEM;
1075 our_env[n_env++] = x;
1076 }
1077
1078 if (is_terminal_input(c->std_input) ||
1079 c->std_output == EXEC_OUTPUT_TTY ||
1080 c->std_error == EXEC_OUTPUT_TTY ||
1081 c->tty_path) {
1082
1083 x = strdup(default_term_for_tty(tty_path(c)));
1084 if (!x)
1085 return -ENOMEM;
1086 our_env[n_env++] = x;
1087 }
1088
1089 our_env[n_env++] = NULL;
09812eb7 1090 assert(n_env <= 10);
7cae38c4
LP		 1091
1092 *ret = our_env;
1093 our_env = NULL;
1094
1095 return 0;
1096}
1097
9fb86720 1098int exec_spawn(ExecCommand *command,
9e2f7c11 1099 char **argv,
c17ec25e 1100 ExecContext *context,
c2748801 1101 int fds[], unsigned n_fds,
1137a57c 1102 char **environment,
81a2b7ce
LP		 1103 bool apply_permissions,
1104 bool apply_chroot,
1e3ad081 1105 bool apply_tty_stdin,
80876c20 1106 bool confirm_spawn,
13b84ec7 1107 CGroupControllerMask cgroup_supported,
4ad49000 1108 const char *cgroup_path,
62bca2c6 1109 const char *unit_id,
09812eb7 1110 usec_t watchdog_usec,
31a7eb86 1111 int idle_pipe[4],
613b411c 1112 ExecRuntime *runtime,
81a2b7ce
LP		 1113 pid_t *ret) {
1114
4ad49000
LP		 1115 _cleanup_strv_free_ char **files_env = NULL;
1116 int socket_fd;
1117 char *line;
034c6ed7 1118 pid_t pid;
8e274523 1119 int r;
034c6ed7 1120
5cb5a6ff
LP		 1121 assert(command);
1122 assert(context);
1123 assert(ret);
034c6ed7
LP		 1124 assert(fds || n_fds <= 0);
1125
4f2d528d
LP		 1126 if (context->std_input == EXEC_INPUT_SOCKET ||
1127 context->std_output == EXEC_OUTPUT_SOCKET ||
1128 context->std_error == EXEC_OUTPUT_SOCKET) {
1129
1130 if (n_fds != 1)
1131 return -EINVAL;
1132
1133 socket_fd = fds[0];
1134
1135 fds = NULL;
1136 n_fds = 0;
1137 } else
1138 socket_fd = -1;
1139
b66871da
ZJS		 1140 r = exec_context_load_environment(context, &files_env);
1141 if (r < 0) {
bbc9006e
MT		 1142 log_struct_unit(LOG_ERR,
1143 unit_id,
23635a85
ZJS		 1144 "MESSAGE=Failed to load environment files: %s", strerror(-r),
1145 "ERRNO=%d", -r,
1146 NULL);
8c7be95e
LP		 1147 return r;
1148 }
1149
9e2f7c11
LP		 1150 if (!argv)
1151 argv = command->argv;
1152
af6da548 1153 line = exec_command_line(argv);
b66871da
ZJS		 1154 if (!line)
1155 return log_oom();
1a63a750 1156
bbc9006e 1157 log_struct_unit(LOG_DEBUG,
099a804b
LP		 1158 unit_id,
1159 "EXECUTABLE=%s", command->path,
1160 "MESSAGE=About to execute: %s", line,
1161 NULL);
1a63a750 1162 free(line);
acbb0225 1163
b66871da
ZJS		 1164 pid = fork();
1165 if (pid < 0)
1166 return -errno;
034c6ed7
LP		 1167
1168 if (pid == 0) {
613b411c 1169 _cleanup_strv_free_ char **our_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL;
59fccd82 1170 const char *username = NULL, *home = NULL, *shell = NULL;
7cae38c4 1171 unsigned n_dont_close = 0;
613b411c 1172 int dont_close[n_fds + 3];
81a2b7ce
LP		 1173 uid_t uid = (uid_t) -1;
1174 gid_t gid = (gid_t) -1;
613b411c
LP		 1175 sigset_t ss;
1176 int i, err;
309bff19 1177
034c6ed7 1178 /* child */
5cb5a6ff 1179
5d6b1584 1180 rename_process_from_path(command->path);
5b6319dc 1181
1b91d3e8
LP		 1182 /* We reset exactly these signals, since they are the
1183 * only ones we set to SIG_IGN in the main daemon. All
1184 * others we leave untouched because we set them to
1185 * SIG_DFL or a valid handler initially, both of which
1186 * will be demoted to SIG_DFL. */
1187 default_signals(SIGNALS_CRASH_HANDLER,
9a34ec5f 1188 SIGNALS_IGNORE, -1);
7b683879 1189
353e12c2
LP		 1190 if (context->ignore_sigpipe)
1191 ignore_signals(SIGPIPE, -1);
1192
1193 assert_se(sigemptyset(&ss) == 0);
1194 if (sigprocmask(SIG_SETMASK, &ss, NULL) < 0) {
4c2630eb 1195 err = -errno;
309bff19 1196 r = EXIT_SIGNAL_MASK;
8c7be95e 1197 goto fail_child;
309bff19
LP		 1198 }
1199
31a7eb86
ZJS		 1200 if (idle_pipe)
1201 do_idle_pipe_dance(idle_pipe);
f2b68789 1202
85d73053
LP		 1203 /* Close sockets very early to make sure we don't
1204 * block init reexecution because it cannot bind its
1205 * sockets */
4d8a7798 1206 log_forget_fds();
613b411c
LP		 1207
1208 if (socket_fd >= 0)
1209 dont_close[n_dont_close++] = socket_fd;
1210 if (n_fds > 0) {
1211 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
1212 n_dont_close += n_fds;
1213 }
1214 if (runtime) {
1215 if (runtime->netns_storage_socket[0] >= 0)
1216 dont_close[n_dont_close++] = runtime->netns_storage_socket[0];
1217 if (runtime->netns_storage_socket[1] >= 0)
1218 dont_close[n_dont_close++] = runtime->netns_storage_socket[1];
1219 }
1220
1221 err = close_all_fds(dont_close, n_dont_close);
4c2630eb 1222 if (err < 0) {
fc9b2a84 1223 r = EXIT_FDS;
8c7be95e 1224 goto fail_child;
fc9b2a84
LP		 1225 }
1226
74922904 1227 if (!context->same_pgrp)
8d567588 1228 if (setsid() < 0) {
4c2630eb 1229 err = -errno;
8d567588 1230 r = EXIT_SETSID;
8c7be95e 1231 goto fail_child;
8d567588 1232 }
80876c20 1233
c5da34ef
LP		 1234 if (context->tcpwrap_name) {
1235 if (socket_fd >= 0)
1236 if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) {
4c2630eb 1237 err = -EACCES;
c5da34ef 1238 r = EXIT_TCPWRAP;
8c7be95e 1239 goto fail_child;
c5da34ef
LP		 1240 }
1241
1242 for (i = 0; i < (int) n_fds; i++) {
1243 if (!socket_tcpwrap(fds[i], context->tcpwrap_name)) {
4c2630eb 1244 err = -EACCES;
c5da34ef 1245 r = EXIT_TCPWRAP;
8c7be95e 1246 goto fail_child;
c5da34ef 1247 }
df1f0afe 1248 }
c5da34ef 1249 }
df1f0afe 1250
6ea832a2
LP		 1251 exec_context_tty_reset(context);
1252
af6da548 1253 if (confirm_spawn) {
80876c20
LP		 1254 char response;
1255
af6da548
LP		 1256 err = ask_for_confirmation(&response, argv);
1257 if (err == -ETIMEDOUT)
1258 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
1259 else if (err < 0)
1260 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-err));
1261 else if (response == 's') {
1262 write_confirm_message("Skipping execution.\n");
4c2630eb 1263 err = -ECANCELED;
80876c20 1264 r = EXIT_CONFIRM;
8c7be95e 1265 goto fail_child;
af6da548
LP		 1266 } else if (response == 'n') {
1267 write_confirm_message("Failing execution.\n");
4c2630eb 1268 err = r = 0;
8c7be95e 1269 goto fail_child;
ee2b4894 1270 }
034c6ed7
LP		 1271 }
1272
da726a4d
LP		 1273 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1274 * must sure to drop O_NONBLOCK */
1275 if (socket_fd >= 0)
1276 fd_nonblock(socket_fd, false);
1277
af6da548
LP		 1278 err = setup_input(context, socket_fd, apply_tty_stdin);
1279 if (err < 0) {
1280 r = EXIT_STDIN;
1281 goto fail_child;
4c2630eb 1282 }
9eba9da4 1283
2b6bf07d 1284 err = setup_output(context, STDOUT_FILENO, socket_fd, basename(command->path), unit_id, apply_tty_stdin);
af6da548
LP		 1285 if (err < 0) {
1286 r = EXIT_STDOUT;
1287 goto fail_child;
4c2630eb 1288 }
94f04347 1289
2b6bf07d 1290 err = setup_output(context, STDERR_FILENO, socket_fd, basename(command->path), unit_id, apply_tty_stdin);
4c2630eb 1291 if (err < 0) {
80876c20 1292 r = EXIT_STDERR;
8c7be95e 1293 goto fail_child;
071830ff
LP		 1294 }
1295
4ad49000 1296 if (cgroup_path) {
13b84ec7 1297 err = cg_attach_everywhere(cgroup_supported, cgroup_path, 0);
4c2630eb 1298 if (err < 0) {
8e274523 1299 r = EXIT_CGROUP;
8c7be95e 1300 goto fail_child;
8e274523 1301 }
4c2630eb 1302 }
8e274523 1303
dd6c17b1 1304 if (context->oom_score_adjust_set) {
fb33a393 1305 char t[16];
034c6ed7 1306
dd6c17b1 1307 snprintf(t, sizeof(t), "%i", context->oom_score_adjust);
fb33a393 1308 char_array_0(t);
034c6ed7 1309
574d5f2d 1310 if (write_string_file("/proc/self/oom_score_adj", t) < 0) {
8600c525
KS		 1311 err = -errno;
1312 r = EXIT_OOM_ADJUST;
1313 goto fail_child;
fb33a393 1314 }
034c6ed7
LP		 1315 }
1316
fb33a393
LP		 1317 if (context->nice_set)
1318 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
4c2630eb 1319 err = -errno;
fb33a393 1320 r = EXIT_NICE;
8c7be95e 1321 goto fail_child;
fb33a393
LP		 1322 }
1323
94f04347 1324 if (context->cpu_sched_set) {
b92bea5d
ZJS		 1325 struct sched_param param = {
1326 .sched_priority = context->cpu_sched_priority,
1327 };
94f04347 1328
e62d8c39
ZJS		 1329 r = sched_setscheduler(0,
1330 context->cpu_sched_policy |
1331 (context->cpu_sched_reset_on_fork ?
1332 SCHED_RESET_ON_FORK : 0),
1333 &param);
1334 if (r < 0) {
4c2630eb 1335 err = -errno;
94f04347 1336 r = EXIT_SETSCHEDULER;
8c7be95e 1337 goto fail_child;
94f04347
LP		 1338 }
1339 }
1340
82c121a4
LP		 1341 if (context->cpuset)
1342 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
4c2630eb 1343 err = -errno;
94f04347 1344 r = EXIT_CPUAFFINITY;
8c7be95e 1345 goto fail_child;
94f04347
LP		 1346 }
1347
9eba9da4
LP		 1348 if (context->ioprio_set)
1349 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
4c2630eb 1350 err = -errno;
9eba9da4 1351 r = EXIT_IOPRIO;
8c7be95e 1352 goto fail_child;
9eba9da4
LP		 1353 }
1354
d88a251b 1355 if (context->timer_slack_nsec != (nsec_t) -1)
03fae018 1356 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
4c2630eb 1357 err = -errno;
94f04347 1358 r = EXIT_TIMERSLACK;
8c7be95e 1359 goto fail_child;
94f04347
LP		 1360 }
1361
169c1bda 1362 if (context->utmp_id)
0ad26e09 1363 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path);
169c1bda 1364
81a2b7ce
LP		 1365 if (context->user) {
1366 username = context->user;
59fccd82 1367 err = get_user_creds(&username, &uid, &gid, &home, &shell);
4c2630eb 1368 if (err < 0) {
81a2b7ce 1369 r = EXIT_USER;
8c7be95e 1370 goto fail_child;
81a2b7ce 1371 }
d8b4e2e9 1372
4c2630eb
MS		 1373 if (is_terminal_input(context->std_input)) {
1374 err = chown_terminal(STDIN_FILENO, uid);
1375 if (err < 0) {
d8b4e2e9 1376 r = EXIT_STDIN;
8c7be95e 1377 goto fail_child;
d8b4e2e9 1378 }
4c2630eb 1379 }
81a2b7ce
LP		 1380 }
1381
8aa75193
LP		 1382#ifdef HAVE_PAM
1383 if (cgroup_path && context->user && context->pam_name) {
1384 err = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, 0644, uid, gid);
1385 if (err < 0) {
1386 r = EXIT_CGROUP;
1387 goto fail_child;
1388 }
1389
1390
1391 err = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, 0755, uid, gid);
1392 if (err < 0) {
1393 r = EXIT_CGROUP;
1394 goto fail_child;
1395 }
1396 }
1397#endif
1398
4c2630eb
MS		 1399 if (apply_permissions) {
1400 err = enforce_groups(context, username, gid);
1401 if (err < 0) {
3b8bddde
LP		 1402 r = EXIT_GROUP;
1403 goto fail_child;
1404 }
4c2630eb 1405 }
3b8bddde
LP		 1406
1407 umask(context->umask);
1408
5b6319dc 1409#ifdef HAVE_PAM
b7848021 1410 if (apply_permissions && context->pam_name && username) {
940c5210 1411 err = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
4c2630eb 1412 if (err < 0) {
5b6319dc 1413 r = EXIT_PAM;
8c7be95e 1414 goto fail_child;
5b6319dc
LP		 1415 }
1416 }
1417#endif
613b411c
LP		 1418 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
1419 err = setup_netns(runtime->netns_storage_socket);
1420 if (err < 0) {
ff01d048
LP		 1421 r = EXIT_NETWORK;
1422 goto fail_child;
1423 }
ff01d048 1424 }
5b6319dc 1425
613b411c
LP		 1426 if (!strv_isempty(context->read_write_dirs) ||
1427 !strv_isempty(context->read_only_dirs) ||
1428 !strv_isempty(context->inaccessible_dirs) ||
ac0930c8 1429 context->mount_flags != 0 ||
7f112f50
LP		 1430 (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
1431 context->private_devices) {
613b411c
LP		 1432
1433 char *tmp = NULL, *var = NULL;
1434
1435 /* The runtime struct only contains the parent
1436 * of the private /tmp, which is
1437 * non-accessible to world users. Inside of it
1438 * there's a /tmp that is sticky, and that's
1439 * the one we want to use here. */
1440
1441 if (context->private_tmp && runtime) {
1442 if (runtime->tmp_dir)
1443 tmp = strappenda(runtime->tmp_dir, "/tmp");
1444 if (runtime->var_tmp_dir)
1445 var = strappenda(runtime->var_tmp_dir, "/tmp");
1446 }
1447
1448 err = setup_namespace(
1449 context->read_write_dirs,
1450 context->read_only_dirs,
1451 context->inaccessible_dirs,
1452 tmp,
1453 var,
7f112f50 1454 context->private_devices,
613b411c
LP		 1455 context->mount_flags);
1456
4c2630eb
MS		 1457 if (err < 0) {
1458 r = EXIT_NAMESPACE;
8c7be95e 1459 goto fail_child;
4c2630eb
MS		 1460 }
1461 }
04aa0cb9 1462
81a2b7ce
LP		 1463 if (apply_chroot) {
1464 if (context->root_directory)
1465 if (chroot(context->root_directory) < 0) {
4c2630eb 1466 err = -errno;
81a2b7ce 1467 r = EXIT_CHROOT;
8c7be95e 1468 goto fail_child;
81a2b7ce
LP		 1469 }
1470
1471 if (chdir(context->working_directory ? context->working_directory : "/") < 0) {
4c2630eb 1472 err = -errno;
81a2b7ce 1473 r = EXIT_CHDIR;
8c7be95e 1474 goto fail_child;
81a2b7ce
LP		 1475 }
1476 } else {
7fd1b19b 1477 _cleanup_free_ char *d = NULL;
81a2b7ce
LP		 1478
1479 if (asprintf(&d, "%s/%s",
1480 context->root_directory ? context->root_directory : "",
1481 context->working_directory ? context->working_directory : "") < 0) {
4c2630eb 1482 err = -ENOMEM;
81a2b7ce 1483 r = EXIT_MEMORY;
8c7be95e 1484 goto fail_child;
81a2b7ce
LP		 1485 }
1486
1487 if (chdir(d) < 0) {
4c2630eb 1488 err = -errno;
81a2b7ce 1489 r = EXIT_CHDIR;
8c7be95e 1490 goto fail_child;
81a2b7ce 1491 }
81a2b7ce
LP		 1492 }
1493
fc9b2a84
LP		 1494 /* We repeat the fd closing here, to make sure that
1495 * nothing is leaked from the PAM modules */
4c2630eb
MS		 1496 err = close_all_fds(fds, n_fds);
1497 if (err >= 0)
1498 err = shift_fds(fds, n_fds);
1499 if (err >= 0)
1500 err = flags_fds(fds, n_fds, context->non_blocking);
1501 if (err < 0) {
034c6ed7 1502 r = EXIT_FDS;
8c7be95e 1503 goto fail_child;
034c6ed7
LP		 1504 }
1505
81a2b7ce 1506 if (apply_permissions) {
034c6ed7 1507
81a2b7ce
LP		 1508 for (i = 0; i < RLIMIT_NLIMITS; i++) {
1509 if (!context->rlimit[i])
1510 continue;
1511
68faf98c 1512 if (setrlimit_closest(i, context->rlimit[i]) < 0) {
4c2630eb 1513 err = -errno;
81a2b7ce 1514 r = EXIT_LIMITS;
8c7be95e 1515 goto fail_child;
81a2b7ce 1516 }
034c6ed7 1517 }
034c6ed7 1518
4c2630eb 1519 if (context->capability_bounding_set_drop) {
ec8927ca 1520 err = capability_bounding_set_drop(context->capability_bounding_set_drop, false);
4c2630eb 1521 if (err < 0) {
73090dc8
LP		 1522 r = EXIT_CAPABILITIES;
1523 goto fail_child;
1524 }
4c2630eb 1525 }
260abb78 1526
4c2630eb
MS		 1527 if (context->user) {
1528 err = enforce_user(context, uid);
1529 if (err < 0) {
81a2b7ce 1530 r = EXIT_USER;
8c7be95e 1531 goto fail_child;
81a2b7ce 1532 }
4c2630eb 1533 }
81a2b7ce 1534
35b8ca3a 1535 /* PR_GET_SECUREBITS is not privileged, while
693ced48
LP		 1536 * PR_SET_SECUREBITS is. So to suppress
1537 * potential EPERMs we'll try not to call
1538 * PR_SET_SECUREBITS unless necessary. */
1539 if (prctl(PR_GET_SECUREBITS) != context->secure_bits)
1540 if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
4c2630eb 1541 err = -errno;
693ced48 1542 r = EXIT_SECUREBITS;
8c7be95e 1543 goto fail_child;
693ced48 1544 }
81a2b7ce
LP		 1545
1546 if (context->capabilities)
1547 if (cap_set_proc(context->capabilities) < 0) {
4c2630eb 1548 err = -errno;
81a2b7ce 1549 r = EXIT_CAPABILITIES;
8c7be95e 1550 goto fail_child;
81a2b7ce 1551 }
8351ceae
LP		 1552
1553 if (context->no_new_privileges)
1554 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
1555 err = -errno;
1556 r = EXIT_NO_NEW_PRIVILEGES;
1557 goto fail_child;
1558 }
1559
1560 if (context->syscall_filter) {
1561 err = apply_seccomp(context->syscall_filter);
1562 if (err < 0) {
1563 r = EXIT_SECCOMP;
1564 goto fail_child;
1565 }
1566 }
94f04347
LP		 1567 }
1568
09812eb7 1569 err = build_environment(context, n_fds, watchdog_usec, home, username, shell, &our_env);
7cae38c4 1570 if (r < 0) {
81a2b7ce 1571 r = EXIT_MEMORY;
8c7be95e 1572 goto fail_child;
81a2b7ce 1573 }
034c6ed7 1574
e62d8c39
ZJS		 1575 final_env = strv_env_merge(5,
1576 environment,
1577 our_env,
1578 context->environment,
1579 files_env,
1580 pam_env,
1581 NULL);
1582 if (!final_env) {
4c2630eb 1583 err = -ENOMEM;
81a2b7ce 1584 r = EXIT_MEMORY;
8c7be95e 1585 goto fail_child;
81a2b7ce 1586 }
034c6ed7 1587
e62d8c39
ZJS		 1588 final_argv = replace_env_argv(argv, final_env);
1589 if (!final_argv) {
4c2630eb 1590 err = -ENOMEM;
fab56fc5 1591 r = EXIT_MEMORY;
8c7be95e 1592 goto fail_child;
fab56fc5
LP		 1593 }
1594
a6ff950e
LP		 1595 final_env = strv_env_clean(final_env);
1596
03bb799e
HH		 1597 if (_unlikely_(log_get_max_level() >= LOG_PRI(LOG_DEBUG))) {
1598 line = exec_command_line(final_argv);
1599 if (line) {
1600 log_open();
1601 log_struct_unit(LOG_DEBUG,
1602 unit_id,
1603 "EXECUTABLE=%s", command->path,
099a804b
LP		 1604 "MESSAGE=Executing: %s", line,
1605 NULL);
03bb799e
HH		 1606 log_close();
1607 free(line);
1608 line = NULL;
1609 }
1610 }
fab56fc5 1611 execve(command->path, final_argv, final_env);
4c2630eb 1612 err = -errno;
034c6ed7
LP		 1613 r = EXIT_EXEC;
1614
8c7be95e 1615 fail_child:
4c2630eb
MS		 1616 if (r != 0) {
1617 log_open();
23635a85
ZJS		 1618 log_struct(LOG_ERR, MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
1619 "EXECUTABLE=%s", command->path,
1620 "MESSAGE=Failed at step %s spawning %s: %s",
1621 exit_status_to_string(r, EXIT_STATUS_SYSTEMD),
1622 command->path, strerror(-err),
1623 "ERRNO=%d", -err,
1624 NULL);
1625 log_close();
4c2630eb
MS		 1626 }
1627
034c6ed7
LP		 1628 _exit(r);
1629 }
1630
bbc9006e 1631 log_struct_unit(LOG_DEBUG,
e62d8c39 1632 unit_id,
ccd06097
ZJS		 1633 "MESSAGE=Forked %s as "PID_FMT,
1634 command->path, pid,
e62d8c39 1635 NULL);
23635a85 1636
80876c20
LP		 1637 /* We add the new process to the cgroup both in the child (so
1638 * that we can be sure that no user code is ever executed
1639 * outside of the cgroup) and in the parent (so that we can be
1640 * sure that when we kill the cgroup the process will be
1641 * killed too). */
4ad49000
LP		 1642 if (cgroup_path)
1643 cg_attach(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, pid);
2da3263a 1644
b58b4116 1645 exec_status_start(&command->exec_status, pid);
9fb86720 1646
034c6ed7 1647 *ret = pid;
5cb5a6ff
LP		 1648 return 0;
1649}
1650
034c6ed7
LP		 1651void exec_context_init(ExecContext *c) {
1652 assert(c);
1653
4c12626c 1654 c->umask = 0022;
9eba9da4 1655 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
94f04347 1656 c->cpu_sched_policy = SCHED_OTHER;
071830ff 1657 c->syslog_priority = LOG_DAEMON|LOG_INFO;
74922904 1658 c->syslog_level_prefix = true;
353e12c2 1659 c->ignore_sigpipe = true;
d88a251b 1660 c->timer_slack_nsec = (nsec_t) -1;
034c6ed7
LP		 1661}
1662
613b411c 1663void exec_context_done(ExecContext *c) {
5cb5a6ff
LP		 1664 unsigned l;
1665
1666 assert(c);
1667
1668 strv_free(c->environment);
034c6ed7 1669 c->environment = NULL;
5cb5a6ff 1670
8c7be95e
LP		 1671 strv_free(c->environment_files);
1672 c->environment_files = NULL;
1673
034c6ed7 1674 for (l = 0; l < ELEMENTSOF(c->rlimit); l++) {
5cb5a6ff 1675 free(c->rlimit[l]);
034c6ed7
LP		 1676 c->rlimit[l] = NULL;
1677 }
1678
9eba9da4
LP		 1679 free(c->working_directory);
1680 c->working_directory = NULL;
1681 free(c->root_directory);
1682 c->root_directory = NULL;
5cb5a6ff 1683
80876c20
LP		 1684 free(c->tty_path);
1685 c->tty_path = NULL;
1686
df1f0afe
LP		 1687 free(c->tcpwrap_name);
1688 c->tcpwrap_name = NULL;
1689
071830ff
LP		 1690 free(c->syslog_identifier);
1691 c->syslog_identifier = NULL;
1692
5cb5a6ff 1693 free(c->user);
034c6ed7
LP		 1694 c->user = NULL;
1695
5cb5a6ff 1696 free(c->group);
034c6ed7
LP		 1697 c->group = NULL;
1698
1699 strv_free(c->supplementary_groups);
1700 c->supplementary_groups = NULL;
94f04347 1701
5b6319dc
LP		 1702 free(c->pam_name);
1703 c->pam_name = NULL;
1704
94f04347
LP		 1705 if (c->capabilities) {
1706 cap_free(c->capabilities);
1707 c->capabilities = NULL;
1708 }
15ae422b
LP		 1709
1710 strv_free(c->read_only_dirs);
1711 c->read_only_dirs = NULL;
1712
1713 strv_free(c->read_write_dirs);
1714 c->read_write_dirs = NULL;
1715
1716 strv_free(c->inaccessible_dirs);
1717 c->inaccessible_dirs = NULL;
82c121a4
LP		 1718
1719 if (c->cpuset)
1720 CPU_FREE(c->cpuset);
86a3475b
LP		 1721
1722 free(c->utmp_id);
1723 c->utmp_id = NULL;
b9a0e010
LP		 1724
1725 free(c->syscall_filter);
1726 c->syscall_filter = NULL;
5cb5a6ff
LP		 1727}
1728
43d0fcbd
LP		 1729void exec_command_done(ExecCommand *c) {
1730 assert(c);
1731
1732 free(c->path);
1733 c->path = NULL;
1734
1735 strv_free(c->argv);
1736 c->argv = NULL;
1737}
1738
1739void exec_command_done_array(ExecCommand *c, unsigned n) {
1740 unsigned i;
1741
1742 for (i = 0; i < n; i++)
1743 exec_command_done(c+i);
1744}
1745
5cb5a6ff
LP		 1746void exec_command_free_list(ExecCommand *c) {
1747 ExecCommand *i;
1748
1749 while ((i = c)) {
71fda00f 1750 LIST_REMOVE(command, c, i);
43d0fcbd 1751 exec_command_done(i);
5cb5a6ff
LP		 1752 free(i);
1753 }
1754}
1755
034c6ed7
LP		 1756void exec_command_free_array(ExecCommand **c, unsigned n) {
1757 unsigned i;
1758
1759 for (i = 0; i < n; i++) {
1760 exec_command_free_list(c[i]);
1761 c[i] = NULL;
1762 }
1763}
1764
8c7be95e
LP		 1765int exec_context_load_environment(const ExecContext *c, char ***l) {
1766 char **i, **r = NULL;
1767
1768 assert(c);
1769 assert(l);
1770
1771 STRV_FOREACH(i, c->environment_files) {
1772 char *fn;
1773 int k;
1774 bool ignore = false;
1775 char **p;
7fd1b19b 1776 _cleanup_globfree_ glob_t pglob = {};
2bef10ab 1777 int count, n;
8c7be95e
LP		 1778
1779 fn = *i;
1780
1781 if (fn[0] == '-') {
1782 ignore = true;
1783 fn ++;
1784 }
1785
1786 if (!path_is_absolute(fn)) {
8c7be95e
LP		 1787 if (ignore)
1788 continue;
1789
1790 strv_free(r);
1791 return -EINVAL;
1792 }
1793
2bef10ab 1794 /* Filename supports globbing, take all matching files */
2bef10ab
PL		 1795 errno = 0;
1796 if (glob(fn, 0, NULL, &pglob) != 0) {
2bef10ab
PL		 1797 if (ignore)
1798 continue;
8c7be95e 1799
2bef10ab
PL		 1800 strv_free(r);
1801 return errno ? -errno : -EINVAL;
1802 }
1803 count = pglob.gl_pathc;
1804 if (count == 0) {
8c7be95e
LP		 1805 if (ignore)
1806 continue;
1807
1808 strv_free(r);
2bef10ab 1809 return -EINVAL;
8c7be95e 1810 }
2bef10ab 1811 for (n = 0; n < count; n++) {
f73141d7 1812 k = load_env_file(pglob.gl_pathv[n], NULL, &p);
2bef10ab
PL		 1813 if (k < 0) {
1814 if (ignore)
1815 continue;
8c7be95e 1816
2bef10ab 1817 strv_free(r);
2bef10ab 1818 return k;
e9c1ea9d 1819 }
ebc05a09 1820 /* Log invalid environment variables with filename */
e9c1ea9d
JSJ		 1821 if (p)
1822 p = strv_env_clean_log(p, pglob.gl_pathv[n]);
8c7be95e 1823
2bef10ab
PL		 1824 if (r == NULL)
1825 r = p;
1826 else {
1827 char **m;
8c7be95e 1828
2bef10ab
PL		 1829 m = strv_env_merge(2, r, p);
1830 strv_free(r);
1831 strv_free(p);
c84a9488 1832 if (!m)
2bef10ab 1833 return -ENOMEM;
2bef10ab
PL		 1834
1835 r = m;
1836 }
8c7be95e
LP		 1837 }
1838 }
1839
1840 *l = r;
1841
1842 return 0;
1843}
1844
6ac8fdc9
MS		 1845static bool tty_may_match_dev_console(const char *tty) {
1846 char *active = NULL, *console;
1847 bool b;
1848
1849 if (startswith(tty, "/dev/"))
1850 tty += 5;
1851
1852 /* trivial identity? */
1853 if (streq(tty, "console"))
1854 return true;
1855
1856 console = resolve_dev_console(&active);
1857 /* if we could not resolve, assume it may */
1858 if (!console)
1859 return true;
1860
1861 /* "tty0" means the active VC, so it may be the same sometimes */
1862 b = streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
1863 free(active);
1864
1865 return b;
1866}
1867
1868bool exec_context_may_touch_console(ExecContext *ec) {
1869 return (ec->tty_reset || ec->tty_vhangup || ec->tty_vt_disallocate ||
1870 is_terminal_input(ec->std_input) ||
1871 is_terminal_output(ec->std_output) ||
1872 is_terminal_output(ec->std_error)) &&
1873 tty_may_match_dev_console(tty_path(ec));
1874}
1875
15ae422b
LP		 1876static void strv_fprintf(FILE *f, char **l) {
1877 char **g;
1878
1879 assert(f);
1880
1881 STRV_FOREACH(g, l)
1882 fprintf(f, " %s", *g);
1883}
1884
5cb5a6ff 1885void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
507f22bd 1886 char **e;
94f04347 1887 unsigned i;
9eba9da4 1888
5cb5a6ff
LP		 1889 assert(c);
1890 assert(f);
1891
4ad49000 1892 prefix = strempty(prefix);
5cb5a6ff
LP		 1893
1894 fprintf(f,
94f04347
LP		 1895 "%sUMask: %04o\n"
1896 "%sWorkingDirectory: %s\n"
451a074f 1897 "%sRootDirectory: %s\n"
15ae422b 1898 "%sNonBlocking: %s\n"
64747e2d 1899 "%sPrivateTmp: %s\n"
4819ff03 1900 "%sPrivateNetwork: %s\n"
7f112f50 1901 "%sPrivateDevices: %s\n"
4819ff03 1902 "%sIgnoreSIGPIPE: %s\n",
5cb5a6ff 1903 prefix, c->umask,
9eba9da4 1904 prefix, c->working_directory ? c->working_directory : "/",
451a074f 1905 prefix, c->root_directory ? c->root_directory : "/",
15ae422b 1906 prefix, yes_no(c->non_blocking),
64747e2d 1907 prefix, yes_no(c->private_tmp),
4819ff03 1908 prefix, yes_no(c->private_network),
7f112f50 1909 prefix, yes_no(c->private_devices),
4819ff03 1910 prefix, yes_no(c->ignore_sigpipe));
fb33a393 1911
8c7be95e
LP		 1912 STRV_FOREACH(e, c->environment)
1913 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
1914
1915 STRV_FOREACH(e, c->environment_files)
1916 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
94f04347 1917
df1f0afe
LP		 1918 if (c->tcpwrap_name)
1919 fprintf(f,
1920 "%sTCPWrapName: %s\n",
1921 prefix, c->tcpwrap_name);
1922
fb33a393
LP		 1923 if (c->nice_set)
1924 fprintf(f,
1925 "%sNice: %i\n",
1926 prefix, c->nice);
1927
dd6c17b1 1928 if (c->oom_score_adjust_set)
fb33a393 1929 fprintf(f,
dd6c17b1
LP		 1930 "%sOOMScoreAdjust: %i\n",
1931 prefix, c->oom_score_adjust);
9eba9da4 1932
94f04347
LP		 1933 for (i = 0; i < RLIM_NLIMITS; i++)
1934 if (c->rlimit[i])
ea430986 1935 fprintf(f, "%s%s: %llu\n", prefix, rlimit_to_string(i), (unsigned long long) c->rlimit[i]->rlim_max);
94f04347 1936
f8b69d1d
MS		 1937 if (c->ioprio_set) {
1938 char *class_str;
1939 int r;
1940
1941 r = ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
1942 if (r < 0)
1943 class_str = NULL;
9eba9da4
LP		 1944 fprintf(f,
1945 "%sIOSchedulingClass: %s\n"
1946 "%sIOPriority: %i\n",
f8b69d1d 1947 prefix, strna(class_str),
9eba9da4 1948 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
f8b69d1d
MS		 1949 free(class_str);
1950 }
94f04347 1951
f8b69d1d
MS		 1952 if (c->cpu_sched_set) {
1953 char *policy_str;
1954 int r;
1955
1956 r = sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
1957 if (r < 0)
1958 policy_str = NULL;
94f04347
LP		 1959 fprintf(f,
1960 "%sCPUSchedulingPolicy: %s\n"
38b48754
LP		 1961 "%sCPUSchedulingPriority: %i\n"
1962 "%sCPUSchedulingResetOnFork: %s\n",
f8b69d1d 1963 prefix, strna(policy_str),
38b48754
LP		 1964 prefix, c->cpu_sched_priority,
1965 prefix, yes_no(c->cpu_sched_reset_on_fork));
f8b69d1d 1966 free(policy_str);
b929bf04 1967 }
94f04347 1968
82c121a4 1969 if (c->cpuset) {
94f04347 1970 fprintf(f, "%sCPUAffinity:", prefix);
82c121a4
LP		 1971 for (i = 0; i < c->cpuset_ncpus; i++)
1972 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
43a99a7a 1973 fprintf(f, " %u", i);
94f04347
LP		 1974 fputs("\n", f);
1975 }
1976
d88a251b 1977 if (c->timer_slack_nsec != (nsec_t) -1)
ccd06097 1978 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
94f04347
LP		 1979
1980 fprintf(f,
80876c20
LP		 1981 "%sStandardInput: %s\n"
1982 "%sStandardOutput: %s\n"
1983 "%sStandardError: %s\n",
1984 prefix, exec_input_to_string(c->std_input),
1985 prefix, exec_output_to_string(c->std_output),
1986 prefix, exec_output_to_string(c->std_error));
1987
1988 if (c->tty_path)
1989 fprintf(f,
6ea832a2
LP		 1990 "%sTTYPath: %s\n"
1991 "%sTTYReset: %s\n"
1992 "%sTTYVHangup: %s\n"
1993 "%sTTYVTDisallocate: %s\n",
1994 prefix, c->tty_path,
1995 prefix, yes_no(c->tty_reset),
1996 prefix, yes_no(c->tty_vhangup),
1997 prefix, yes_no(c->tty_vt_disallocate));
94f04347 1998
5ce70e5b
ZJS		 1999 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
2000 c->std_output == EXEC_OUTPUT_KMSG ||
2001 c->std_output == EXEC_OUTPUT_JOURNAL ||
2002 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2003 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2004 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
2005 c->std_error == EXEC_OUTPUT_SYSLOG ||
2006 c->std_error == EXEC_OUTPUT_KMSG ||
2007 c->std_error == EXEC_OUTPUT_JOURNAL ||
2008 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2009 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2010 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
f8b69d1d 2011
5ce70e5b 2012 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
f8b69d1d 2013
5ce70e5b
ZJS		 2014 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
2015 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
f8b69d1d 2016
94f04347
LP		 2017 fprintf(f,
2018 "%sSyslogFacility: %s\n"
2019 "%sSyslogLevel: %s\n",
f8b69d1d
MS		 2020 prefix, strna(fac_str),
2021 prefix, strna(lvl_str));
f8b69d1d 2022 }
94f04347
LP		 2023
2024 if (c->capabilities) {
5ce70e5b
ZJS		 2025 _cleanup_cap_free_charp_ char *t;
2026
2027 t = cap_to_text(c->capabilities, NULL);
2028 if (t)
2029 fprintf(f, "%sCapabilities: %s\n", prefix, t);
94f04347
LP		 2030 }
2031
2032 if (c->secure_bits)
2033 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
2034 prefix,
cbb21cca
ZJS		 2035 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
2036 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
2037 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
2038 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
2039 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
2040 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
94f04347
LP		 2041
2042 if (c->capability_bounding_set_drop) {
ae556c21 2043 unsigned long l;
260abb78 2044 fprintf(f, "%sCapabilityBoundingSet:", prefix);
94f04347 2045
64685e0c 2046 for (l = 0; l <= cap_last_cap(); l++)
ae556c21 2047 if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) {
5ce70e5b 2048 _cleanup_cap_free_charp_ char *t;
94f04347 2049
5ce70e5b
ZJS		 2050 t = cap_to_name(l);
2051 if (t)
94f04347 2052 fprintf(f, " %s", t);
94f04347
LP		 2053 }
2054
2055 fputs("\n", f);
2056 }
2057
2058 if (c->user)
f2d3769a 2059 fprintf(f, "%sUser: %s\n", prefix, c->user);
94f04347 2060 if (c->group)
f2d3769a 2061 fprintf(f, "%sGroup: %s\n", prefix, c->group);
94f04347 2062
15ae422b 2063 if (strv_length(c->supplementary_groups) > 0) {
94f04347 2064 fprintf(f, "%sSupplementaryGroups:", prefix);
15ae422b
LP		 2065 strv_fprintf(f, c->supplementary_groups);
2066 fputs("\n", f);
2067 }
94f04347 2068
5b6319dc 2069 if (c->pam_name)
f2d3769a 2070 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
5b6319dc 2071
15ae422b
LP		 2072 if (strv_length(c->read_write_dirs) > 0) {
2073 fprintf(f, "%sReadWriteDirs:", prefix);
2074 strv_fprintf(f, c->read_write_dirs);
2075 fputs("\n", f);
2076 }
2077
2078 if (strv_length(c->read_only_dirs) > 0) {
2079 fprintf(f, "%sReadOnlyDirs:", prefix);
2080 strv_fprintf(f, c->read_only_dirs);
2081 fputs("\n", f);
2082 }
94f04347 2083
15ae422b
LP		 2084 if (strv_length(c->inaccessible_dirs) > 0) {
2085 fprintf(f, "%sInaccessibleDirs:", prefix);
2086 strv_fprintf(f, c->inaccessible_dirs);
94f04347
LP		 2087 fputs("\n", f);
2088 }
2e22afe9 2089
169c1bda
LP		 2090 if (c->utmp_id)
2091 fprintf(f,
2092 "%sUtmpIdentifier: %s\n",
2093 prefix, c->utmp_id);
5cb5a6ff
LP		 2094}
2095
b58b4116 2096void exec_status_start(ExecStatus *s, pid_t pid) {
034c6ed7 2097 assert(s);
5cb5a6ff 2098
b58b4116
LP		 2099 zero(*s);
2100 s->pid = pid;
2101 dual_timestamp_get(&s->start_timestamp);
2102}
2103
6ea832a2 2104void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
b58b4116
LP		 2105 assert(s);
2106
0b1f4ae6 2107 if (s->pid && s->pid != pid)
b58b4116
LP		 2108 zero(*s);
2109
034c6ed7 2110 s->pid = pid;
63983207 2111 dual_timestamp_get(&s->exit_timestamp);
9fb86720 2112
034c6ed7
LP		 2113 s->code = code;
2114 s->status = status;
169c1bda 2115
6ea832a2
LP		 2116 if (context) {
2117 if (context->utmp_id)
2118 utmp_put_dead_process(context->utmp_id, pid, code, status);
2119
2120 exec_context_tty_reset(context);
2121 }
9fb86720
LP		 2122}
2123
2124void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
2125 char buf[FORMAT_TIMESTAMP_MAX];
2126
2127 assert(s);
2128 assert(f);
2129
2130 if (!prefix)
2131 prefix = "";
2132
2133 if (s->pid <= 0)
2134 return;
2135
2136 fprintf(f,
ccd06097
ZJS		 2137 "%sPID: "PID_FMT"\n",
2138 prefix, s->pid);
9fb86720 2139
63983207 2140 if (s->start_timestamp.realtime > 0)
9fb86720
LP		 2141 fprintf(f,
2142 "%sStart Timestamp: %s\n",
63983207 2143 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
9fb86720 2144
63983207 2145 if (s->exit_timestamp.realtime > 0)
9fb86720
LP		 2146 fprintf(f,
2147 "%sExit Timestamp: %s\n"
2148 "%sExit Code: %s\n"
2149 "%sExit Status: %i\n",
63983207 2150 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
9fb86720
LP		 2151 prefix, sigchld_code_to_string(s->code),
2152 prefix, s->status);
5cb5a6ff 2153}
44d8db9e 2154
9e2f7c11 2155char *exec_command_line(char **argv) {
44d8db9e
LP		 2156 size_t k;
2157 char *n, *p, **a;
2158 bool first = true;
2159
9e2f7c11 2160 assert(argv);
44d8db9e 2161
9164977d 2162 k = 1;
9e2f7c11 2163 STRV_FOREACH(a, argv)
44d8db9e
LP		 2164 k += strlen(*a)+3;
2165
2166 if (!(n = new(char, k)))
2167 return NULL;
2168
2169 p = n;
9e2f7c11 2170 STRV_FOREACH(a, argv) {
44d8db9e
LP		 2171
2172 if (!first)
2173 *(p++) = ' ';
2174 else
2175 first = false;
2176
2177 if (strpbrk(*a, WHITESPACE)) {
2178 *(p++) = '\'';
2179 p = stpcpy(p, *a);
2180 *(p++) = '\'';
2181 } else
2182 p = stpcpy(p, *a);
2183
2184 }
2185
9164977d
LP		 2186 *p = 0;
2187
44d8db9e
LP		 2188 /* FIXME: this doesn't really handle arguments that have
2189 * spaces and ticks in them */
2190
2191 return n;
2192}
2193
2194void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
9fb86720
LP		 2195 char *p2;
2196 const char *prefix2;
2197
44d8db9e
LP		 2198 char *cmd;
2199
2200 assert(c);
2201 assert(f);
2202
2203 if (!prefix)
2204 prefix = "";
9fb86720
LP		 2205 p2 = strappend(prefix, "\t");
2206 prefix2 = p2 ? p2 : prefix;
44d8db9e 2207
9e2f7c11 2208 cmd = exec_command_line(c->argv);
44d8db9e
LP		 2209
2210 fprintf(f,
2211 "%sCommand Line: %s\n",
2212 prefix, cmd ? cmd : strerror(ENOMEM));
2213
2214 free(cmd);
9fb86720
LP		 2215
2216 exec_status_dump(&c->exec_status, f, prefix2);
2217
2218 free(p2);
44d8db9e
LP		 2219}
2220
2221void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2222 assert(f);
2223
2224 if (!prefix)
2225 prefix = "";
2226
2227 LIST_FOREACH(command, c, c)
2228 exec_command_dump(c, f, prefix);
2229}
94f04347 2230
a6a80b4f
LP		 2231void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
2232 ExecCommand *end;
2233
2234 assert(l);
2235 assert(e);
2236
2237 if (*l) {
35b8ca3a 2238 /* It's kind of important, that we keep the order here */
71fda00f
LP		 2239 LIST_FIND_TAIL(command, *l, end);
2240 LIST_INSERT_AFTER(command, *l, end, e);
a6a80b4f
LP		 2241 } else
2242 *l = e;
2243}
2244
26fd040d
LP		 2245int exec_command_set(ExecCommand *c, const char *path, ...) {
2246 va_list ap;
2247 char **l, *p;
2248
2249 assert(c);
2250 assert(path);
2251
2252 va_start(ap, path);
2253 l = strv_new_ap(path, ap);
2254 va_end(ap);
2255
2256 if (!l)
2257 return -ENOMEM;
2258
250a918d
LP		 2259 p = strdup(path);
2260 if (!p) {
26fd040d
LP		 2261 strv_free(l);
2262 return -ENOMEM;
2263 }
2264
2265 free(c->path);
2266 c->path = p;
2267
2268 strv_free(c->argv);
2269 c->argv = l;
2270
2271 return 0;
2272}
2273
613b411c
LP		 2274static int exec_runtime_allocate(ExecRuntime **rt) {
2275
2276 if (*rt)
2277 return 0;
2278
2279 *rt = new0(ExecRuntime, 1);
f146f5e1 2280 if (!*rt)
613b411c
LP		 2281 return -ENOMEM;
2282
2283 (*rt)->n_ref = 1;
2284 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
2285
2286 return 0;
2287}
2288
2289int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
2290 int r;
2291
2292 assert(rt);
2293 assert(c);
2294 assert(id);
2295
2296 if (*rt)
2297 return 1;
2298
2299 if (!c->private_network && !c->private_tmp)
2300 return 0;
2301
2302 r = exec_runtime_allocate(rt);
2303 if (r < 0)
2304 return r;
2305
2306 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
2307 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, (*rt)->netns_storage_socket) < 0)
2308 return -errno;
2309 }
2310
2311 if (c->private_tmp && !(*rt)->tmp_dir) {
2312 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
2313 if (r < 0)
2314 return r;
2315 }
2316
2317 return 1;
2318}
2319
2320ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
2321 assert(r);
2322 assert(r->n_ref > 0);
2323
2324 r->n_ref++;
2325 return r;
2326}
2327
2328ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
2329
2330 if (!r)
2331 return NULL;
2332
2333 assert(r->n_ref > 0);
2334
2335 r->n_ref--;
2336 if (r->n_ref <= 0) {
2337 free(r->tmp_dir);
2338 free(r->var_tmp_dir);
2339 close_pipe(r->netns_storage_socket);
2340 free(r);
2341 }
2342
2343 return NULL;
2344}
2345
2346int exec_runtime_serialize(ExecRuntime *rt, Unit *u, FILE *f, FDSet *fds) {
2347 assert(u);
2348 assert(f);
2349 assert(fds);
2350
2351 if (!rt)
2352 return 0;
2353
2354 if (rt->tmp_dir)
2355 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
2356
2357 if (rt->var_tmp_dir)
2358 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
2359
2360 if (rt->netns_storage_socket[0] >= 0) {
2361 int copy;
2362
2363 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
2364 if (copy < 0)
2365 return copy;
2366
2367 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
2368 }
2369
2370 if (rt->netns_storage_socket[1] >= 0) {
2371 int copy;
2372
2373 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
2374 if (copy < 0)
2375 return copy;
2376
2377 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
2378 }
2379
2380 return 0;
2381}
2382
2383int exec_runtime_deserialize_item(ExecRuntime **rt, Unit *u, const char *key, const char *value, FDSet *fds) {
2384 int r;
2385
2386 assert(rt);
2387 assert(key);
2388 assert(value);
2389
2390 if (streq(key, "tmp-dir")) {
2391 char *copy;
2392
2393 r = exec_runtime_allocate(rt);
2394 if (r < 0)
2395 return r;
2396
2397 copy = strdup(value);
2398 if (!copy)
2399 return log_oom();
2400
2401 free((*rt)->tmp_dir);
2402 (*rt)->tmp_dir = copy;
2403
2404 } else if (streq(key, "var-tmp-dir")) {
2405 char *copy;
2406
2407 r = exec_runtime_allocate(rt);
2408 if (r < 0)
2409 return r;
2410
2411 copy = strdup(value);
2412 if (!copy)
2413 return log_oom();
2414
2415 free((*rt)->var_tmp_dir);
2416 (*rt)->var_tmp_dir = copy;
2417
2418 } else if (streq(key, "netns-socket-0")) {
2419 int fd;
2420
2421 r = exec_runtime_allocate(rt);
2422 if (r < 0)
2423 return r;
2424
2425 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2426 log_debug_unit(u->id, "Failed to parse netns socket value %s", value);
2427 else {
2428 if ((*rt)->netns_storage_socket[0] >= 0)
2429 close_nointr_nofail((*rt)->netns_storage_socket[0]);
2430
2431 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
2432 }
2433 } else if (streq(key, "netns-socket-1")) {
2434 int fd;
2435
2436 r = exec_runtime_allocate(rt);
2437 if (r < 0)
2438 return r;
2439
2440 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2441 log_debug_unit(u->id, "Failed to parse netns socket value %s", value);
2442 else {
2443 if ((*rt)->netns_storage_socket[1] >= 0)
2444 close_nointr_nofail((*rt)->netns_storage_socket[1]);
2445
2446 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
2447 }
2448 } else
2449 return 0;
2450
2451 return 1;
2452}
2453
2454static void *remove_tmpdir_thread(void *p) {
2455 _cleanup_free_ char *path = p;
2456
2457 rm_rf_dangerous(path, false, true, false);
2458 return NULL;
2459}
2460
2461void exec_runtime_destroy(ExecRuntime *rt) {
2462 if (!rt)
2463 return;
2464
2465 /* If there are multiple users of this, let's leave the stuff around */
2466 if (rt->n_ref > 1)
2467 return;
2468
2469 if (rt->tmp_dir) {
2470 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
2471 asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
2472 rt->tmp_dir = NULL;
2473 }
2474
2475 if (rt->var_tmp_dir) {
2476 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
2477 asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
2478 rt->var_tmp_dir = NULL;
2479 }
2480
2481 close_pipe(rt->netns_storage_socket);
2482}
2483
80876c20
LP		 2484static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
2485 [EXEC_INPUT_NULL] = "null",
2486 [EXEC_INPUT_TTY] = "tty",
2487 [EXEC_INPUT_TTY_FORCE] = "tty-force",
4f2d528d
LP		 2488 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
2489 [EXEC_INPUT_SOCKET] = "socket"
80876c20
LP		 2490};
2491
8a0867d6
LP		 2492DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
2493
94f04347 2494static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
80876c20 2495 [EXEC_OUTPUT_INHERIT] = "inherit",
94f04347 2496 [EXEC_OUTPUT_NULL] = "null",
80876c20 2497 [EXEC_OUTPUT_TTY] = "tty",
94f04347 2498 [EXEC_OUTPUT_SYSLOG] = "syslog",
28dbc1e8 2499 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
9a6bca7a 2500 [EXEC_OUTPUT_KMSG] = "kmsg",
28dbc1e8 2501 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
706343f4
LP		 2502 [EXEC_OUTPUT_JOURNAL] = "journal",
2503 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
4f2d528d 2504 [EXEC_OUTPUT_SOCKET] = "socket"
94f04347
LP		 2505};
2506
2507DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
Unnamed repository; edit this file 'description' to name the repository.