]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/core/execute.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
sd-bus: standarize on NULL for empty signature in method calls
[thirdparty/systemd.git] / src / core / execute.c
CommitLineData
db9ecf05 1/* SPDX-License-Identifier: LGPL-2.1-or-later */
a7334b09 2
034c6ed7
LP		 3#include <errno.h>
4#include <fcntl.h>
8dd4c05b 5#include <poll.h>
d251207d 6#include <sys/eventfd.h>
f5947a5e 7#include <sys/ioctl.h>
f3e43635 8#include <sys/mman.h>
bb0c0d6f 9#include <sys/mount.h>
8dd4c05b 10#include <sys/personality.h>
94f04347 11#include <sys/prctl.h>
d2ffa389 12#include <sys/shm.h>
d2ffa389 13#include <sys/types.h>
8dd4c05b
LP		 14#include <sys/un.h>
15#include <unistd.h>
023a4f67 16#include <utmpx.h>
5cb5a6ff 17
349cc4a5 18#if HAVE_PAM
5b6319dc
LP		 19#include <security/pam_appl.h>
20#endif
21
349cc4a5 22#if HAVE_SELINUX
7b52a628
MS		 23#include <selinux/selinux.h>
24#endif
25
349cc4a5 26#if HAVE_SECCOMP
17df7223
LP		 27#include <seccomp.h>
28#endif
29
349cc4a5 30#if HAVE_APPARMOR
eef65bf3
MS		 31#include <sys/apparmor.h>
32#endif
33
24882e06 34#include "sd-messages.h"
8dd4c05b 35
bb0c0d6f 36#include "acl-util.h"
8dd4c05b 37#include "af-list.h"
b5efdb8a 38#include "alloc-util.h"
349cc4a5 39#if HAVE_APPARMOR
3ffd4af2
LP		 40#include "apparmor-util.h"
41#endif
8dd4c05b
LP		 42#include "async.h"
43#include "barrier.h"
8dd4c05b 44#include "cap-list.h"
430f0182 45#include "capability-util.h"
fdb3deca 46#include "cgroup-setup.h"
bb0c0d6f 47#include "chown-recursive.h"
da681e1b 48#include "cpu-set-util.h"
f6a6225e 49#include "def.h"
686d13b9 50#include "env-file.h"
4d1a6904 51#include "env-util.h"
17df7223 52#include "errno-list.h"
3ffd4af2 53#include "execute.h"
8dd4c05b 54#include "exit-status.h"
3ffd4af2 55#include "fd-util.h"
bb0c0d6f 56#include "fileio.h"
f97b34a6 57#include "format-util.h"
f4f15635 58#include "fs-util.h"
7d50b32a 59#include "glob-util.h"
0389f4fa 60#include "hexdecoct.h"
c004493c 61#include "io-util.h"
8dd4c05b 62#include "ioprio.h"
a1164ae3 63#include "label.h"
8dd4c05b
LP		 64#include "log.h"
65#include "macro.h"
e8a565cb 66#include "manager.h"
0a970718 67#include "memory-util.h"
f5947a5e 68#include "missing_fs.h"
8dd4c05b 69#include "mkdir.h"
21935150 70#include "mount-util.h"
bb0c0d6f 71#include "mountpoint-util.h"
8dd4c05b 72#include "namespace.h"
6bedfcbb 73#include "parse-util.h"
8dd4c05b 74#include "path-util.h"
0b452006 75#include "process-util.h"
d3dcf4e3 76#include "random-util.h"
78f22b97 77#include "rlimit-util.h"
8dd4c05b 78#include "rm-rf.h"
349cc4a5 79#if HAVE_SECCOMP
3ffd4af2
LP		 80#include "seccomp-util.h"
81#endif
07d46372 82#include "securebits-util.h"
8dd4c05b 83#include "selinux-util.h"
24882e06 84#include "signal-util.h"
8dd4c05b 85#include "smack-util.h"
57b7a260 86#include "socket-util.h"
fd63e712 87#include "special.h"
949befd3 88#include "stat-util.h"
8b43440b 89#include "string-table.h"
07630cea 90#include "string-util.h"
8dd4c05b 91#include "strv.h"
7ccbd1ae 92#include "syslog-util.h"
8dd4c05b 93#include "terminal-util.h"
bb0c0d6f 94#include "tmpfile-util.h"
566b7d23 95#include "umask-util.h"
8dd4c05b 96#include "unit.h"
b1d4f8e1 97#include "user-util.h"
8dd4c05b 98#include "utmp-wtmp.h"
5cb5a6ff 99
e056b01d 100#define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
31a7eb86 101#define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
e6a26745 102
531dca78
LP		 103#define SNDBUF_SIZE (8*1024*1024)
104
da6053d0 105static int shift_fds(int fds[], size_t n_fds) {
034c6ed7
LP		 106 if (n_fds <= 0)
107 return 0;
108
a0d40ac5
LP		 109 /* Modifies the fds array! (sorts it) */
110
034c6ed7
LP		 111 assert(fds);
112
5b10116e
ZJS		 113 for (int start = 0;;) {
114 int restart_from = -1;
034c6ed7 115
5b10116e 116 for (int i = start; i < (int) n_fds; i++) {
034c6ed7
LP		 117 int nfd;
118
119 /* Already at right index? */
120 if (fds[i] == i+3)
121 continue;
122
3cc2aff1
LP		 123 nfd = fcntl(fds[i], F_DUPFD, i + 3);
124 if (nfd < 0)
034c6ed7
LP		 125 return -errno;
126
03e334a1 127 safe_close(fds[i]);
034c6ed7
LP		 128 fds[i] = nfd;
129
130 /* Hmm, the fd we wanted isn't free? Then
ee33e53a 131 * let's remember that and try again from here */
034c6ed7
LP		 132 if (nfd != i+3 && restart_from < 0)
133 restart_from = i;
134 }
135
136 if (restart_from < 0)
137 break;
138
139 start = restart_from;
140 }
141
142 return 0;
143}
144
25b583d7 145static int flags_fds(const int fds[], size_t n_socket_fds, size_t n_storage_fds, bool nonblock) {
5b10116e 146 size_t n_fds;
e2c76839 147 int r;
47a71eed 148
25b583d7 149 n_fds = n_socket_fds + n_storage_fds;
47a71eed
LP		 150 if (n_fds <= 0)
151 return 0;
152
153 assert(fds);
154
9b141911
FB		 155 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags.
156 * O_NONBLOCK only applies to socket activation though. */
47a71eed 157
5b10116e 158 for (size_t i = 0; i < n_fds; i++) {
47a71eed 159
9b141911
FB		 160 if (i < n_socket_fds) {
161 r = fd_nonblock(fds[i], nonblock);
162 if (r < 0)
163 return r;
164 }
47a71eed 165
451a074f
LP		 166 /* We unconditionally drop FD_CLOEXEC from the fds,
167 * since after all we want to pass these fds to our
168 * children */
47a71eed 169
3cc2aff1
LP		 170 r = fd_cloexec(fds[i], false);
171 if (r < 0)
e2c76839 172 return r;
47a71eed
LP		 173 }
174
175 return 0;
176}
177
1e22b5cd 178static const char *exec_context_tty_path(const ExecContext *context) {
80876c20
LP		 179 assert(context);
180
1e22b5cd
LP		 181 if (context->stdio_as_fds)
182 return NULL;
183
80876c20
LP		 184 if (context->tty_path)
185 return context->tty_path;
186
187 return "/dev/console";
188}
189
1e22b5cd
LP		 190static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
191 const char *path;
192
6ea832a2
LP		 193 assert(context);
194
1e22b5cd 195 path = exec_context_tty_path(context);
6ea832a2 196
1e22b5cd
LP		 197 if (context->tty_vhangup) {
198 if (p && p->stdin_fd >= 0)
199 (void) terminal_vhangup_fd(p->stdin_fd);
200 else if (path)
201 (void) terminal_vhangup(path);
202 }
6ea832a2 203
1e22b5cd
LP		 204 if (context->tty_reset) {
205 if (p && p->stdin_fd >= 0)
206 (void) reset_terminal_fd(p->stdin_fd, true);
207 else if (path)
208 (void) reset_terminal(path);
209 }
210
211 if (context->tty_vt_disallocate && path)
212 (void) vt_disallocate(path);
6ea832a2
LP		 213}
214
6af760f3
LP		 215static bool is_terminal_input(ExecInput i) {
216 return IN_SET(i,
217 EXEC_INPUT_TTY,
218 EXEC_INPUT_TTY_FORCE,
219 EXEC_INPUT_TTY_FAIL);
220}
221
3a1286b6 222static bool is_terminal_output(ExecOutput o) {
6af760f3
LP		 223 return IN_SET(o,
224 EXEC_OUTPUT_TTY,
6af760f3
LP		 225 EXEC_OUTPUT_KMSG_AND_CONSOLE,
226 EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
227}
228
aac8c0c3
LP		 229static bool is_kmsg_output(ExecOutput o) {
230 return IN_SET(o,
231 EXEC_OUTPUT_KMSG,
232 EXEC_OUTPUT_KMSG_AND_CONSOLE);
233}
234
6af760f3
LP		 235static bool exec_context_needs_term(const ExecContext *c) {
236 assert(c);
237
238 /* Return true if the execution context suggests we should set $TERM to something useful. */
239
240 if (is_terminal_input(c->std_input))
241 return true;
242
243 if (is_terminal_output(c->std_output))
244 return true;
245
246 if (is_terminal_output(c->std_error))
247 return true;
248
249 return !!c->tty_path;
3a1286b6
MS		 250}
251
80876c20 252static int open_null_as(int flags, int nfd) {
046a82c1 253 int fd;
071830ff 254
80876c20 255 assert(nfd >= 0);
071830ff 256
613b411c
LP		 257 fd = open("/dev/null", flags|O_NOCTTY);
258 if (fd < 0)
071830ff
LP		 259 return -errno;
260
046a82c1 261 return move_fd(fd, nfd, false);
071830ff
LP		 262}
263
91dd5f7c
LP		 264static int connect_journal_socket(
265 int fd,
266 const char *log_namespace,
267 uid_t uid,
268 gid_t gid) {
269
f36a9d59
ZJS		 270 union sockaddr_union sa;
271 socklen_t sa_len;
524daa8c
ZJS		 272 uid_t olduid = UID_INVALID;
273 gid_t oldgid = GID_INVALID;
91dd5f7c 274 const char *j;
524daa8c
ZJS		 275 int r;
276
91dd5f7c
LP		 277 j = log_namespace ?
278 strjoina("/run/systemd/journal.", log_namespace, "/stdout") :
279 "/run/systemd/journal/stdout";
280 r = sockaddr_un_set_path(&sa.un, j);
281 if (r < 0)
282 return r;
f36a9d59 283 sa_len = r;
91dd5f7c 284
cad93f29 285 if (gid_is_valid(gid)) {
524daa8c
ZJS		 286 oldgid = getgid();
287
92a17af9 288 if (setegid(gid) < 0)
524daa8c
ZJS		 289 return -errno;
290 }
291
cad93f29 292 if (uid_is_valid(uid)) {
524daa8c
ZJS		 293 olduid = getuid();
294
92a17af9 295 if (seteuid(uid) < 0) {
524daa8c
ZJS		 296 r = -errno;
297 goto restore_gid;
298 }
299 }
300
f36a9d59 301 r = connect(fd, &sa.sa, sa_len) < 0 ? -errno : 0;
524daa8c
ZJS		 302
303 /* If we fail to restore the uid or gid, things will likely
304 fail later on. This should only happen if an LSM interferes. */
305
cad93f29 306 if (uid_is_valid(uid))
524daa8c
ZJS		 307 (void) seteuid(olduid);
308
309 restore_gid:
cad93f29 310 if (gid_is_valid(gid))
524daa8c
ZJS		 311 (void) setegid(oldgid);
312
313 return r;
314}
315
fd1f9c89 316static int connect_logger_as(
34cf6c43 317 const Unit *unit,
fd1f9c89 318 const ExecContext *context,
af635cf3 319 const ExecParameters *params,
fd1f9c89
LP		 320 ExecOutput output,
321 const char *ident,
fd1f9c89
LP		 322 int nfd,
323 uid_t uid,
324 gid_t gid) {
325
2ac1ff68
EV		 326 _cleanup_close_ int fd = -1;
327 int r;
071830ff
LP		 328
329 assert(context);
af635cf3 330 assert(params);
80876c20
LP		 331 assert(output < _EXEC_OUTPUT_MAX);
332 assert(ident);
333 assert(nfd >= 0);
071830ff 334
54fe0cdb
LP		 335 fd = socket(AF_UNIX, SOCK_STREAM, 0);
336 if (fd < 0)
80876c20 337 return -errno;
071830ff 338
91dd5f7c 339 r = connect_journal_socket(fd, context->log_namespace, uid, gid);
524daa8c
ZJS		 340 if (r < 0)
341 return r;
071830ff 342
2ac1ff68 343 if (shutdown(fd, SHUT_RD) < 0)
80876c20 344 return -errno;
071830ff 345
fd1f9c89 346 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
531dca78 347
2ac1ff68 348 if (dprintf(fd,
62bca2c6 349 "%s\n"
80876c20
LP		 350 "%s\n"
351 "%i\n"
54fe0cdb
LP		 352 "%i\n"
353 "%i\n"
354 "%i\n"
4f4a1dbf 355 "%i\n",
c867611e 356 context->syslog_identifier ?: ident,
af635cf3 357 params->flags & EXEC_PASS_LOG_UNIT ? unit->id : "",
54fe0cdb
LP		 358 context->syslog_priority,
359 !!context->syslog_level_prefix,
f3dc6af2 360 false,
aac8c0c3 361 is_kmsg_output(output),
2ac1ff68
EV		 362 is_terminal_output(output)) < 0)
363 return -errno;
80876c20 364
2ac1ff68 365 return move_fd(TAKE_FD(fd), nfd, false);
80876c20 366}
2ac1ff68 367
3a274a21 368static int open_terminal_as(const char *path, int flags, int nfd) {
046a82c1 369 int fd;
071830ff 370
80876c20
LP		 371 assert(path);
372 assert(nfd >= 0);
fd1f9c89 373
3a274a21 374 fd = open_terminal(path, flags | O_NOCTTY);
3cc2aff1 375 if (fd < 0)
80876c20 376 return fd;
071830ff 377
046a82c1 378 return move_fd(fd, nfd, false);
80876c20 379}
071830ff 380
2038c3f5 381static int acquire_path(const char *path, int flags, mode_t mode) {
86fca584
ZJS		 382 union sockaddr_union sa;
383 socklen_t sa_len;
15a3e96f 384 _cleanup_close_ int fd = -1;
86fca584 385 int r;
071830ff 386
80876c20 387 assert(path);
071830ff 388
2038c3f5
LP		 389 if (IN_SET(flags & O_ACCMODE, O_WRONLY, O_RDWR))
390 flags |= O_CREAT;
391
392 fd = open(path, flags|O_NOCTTY, mode);
393 if (fd >= 0)
15a3e96f 394 return TAKE_FD(fd);
071830ff 395
2038c3f5
LP		 396 if (errno != ENXIO) /* ENXIO is returned when we try to open() an AF_UNIX file system socket on Linux */
397 return -errno;
2038c3f5
LP		 398
399 /* So, it appears the specified path could be an AF_UNIX socket. Let's see if we can connect to it. */
400
86fca584
ZJS		 401 r = sockaddr_un_set_path(&sa.un, path);
402 if (r < 0)
403 return r == -EINVAL ? -ENXIO : r;
404 sa_len = r;
405
2038c3f5
LP		 406 fd = socket(AF_UNIX, SOCK_STREAM, 0);
407 if (fd < 0)
408 return -errno;
409
86fca584 410 if (connect(fd, &sa.sa, sa_len) < 0)
2038c3f5 411 return errno == EINVAL ? -ENXIO : -errno; /* Propagate initial error if we get EINVAL, i.e. we have
e8607daf 412 * indication that this wasn't an AF_UNIX socket after all */
071830ff 413
2038c3f5
LP		 414 if ((flags & O_ACCMODE) == O_RDONLY)
415 r = shutdown(fd, SHUT_WR);
416 else if ((flags & O_ACCMODE) == O_WRONLY)
417 r = shutdown(fd, SHUT_RD);
418 else
86fca584 419 r = 0;
15a3e96f 420 if (r < 0)
2038c3f5 421 return -errno;
2038c3f5 422
15a3e96f 423 return TAKE_FD(fd);
80876c20 424}
071830ff 425
08f3be7a
LP		 426static int fixup_input(
427 const ExecContext *context,
428 int socket_fd,
429 bool apply_tty_stdin) {
430
431 ExecInput std_input;
432
433 assert(context);
434
435 std_input = context->std_input;
1e3ad081
LP		 436
437 if (is_terminal_input(std_input) && !apply_tty_stdin)
438 return EXEC_INPUT_NULL;
071830ff 439
03fd9c49 440 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 441 return EXEC_INPUT_NULL;
442
08f3be7a
LP		 443 if (std_input == EXEC_INPUT_DATA && context->stdin_data_size == 0)
444 return EXEC_INPUT_NULL;
445
03fd9c49 446 return std_input;
4f2d528d
LP		 447}
448
03fd9c49 449static int fixup_output(ExecOutput std_output, int socket_fd) {
4f2d528d 450
03fd9c49 451 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 452 return EXEC_OUTPUT_INHERIT;
453
03fd9c49 454 return std_output;
4f2d528d
LP		 455}
456
a34ceba6
LP		 457static int setup_input(
458 const ExecContext *context,
459 const ExecParameters *params,
52c239d7 460 int socket_fd,
2caa38e9 461 const int named_iofds[static 3]) {
a34ceba6 462
4f2d528d
LP		 463 ExecInput i;
464
465 assert(context);
a34ceba6 466 assert(params);
2caa38e9 467 assert(named_iofds);
a34ceba6
LP		 468
469 if (params->stdin_fd >= 0) {
470 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
471 return -errno;
472
473 /* Try to make this the controlling tty, if it is a tty, and reset it */
1fb0682e
LP		 474 if (isatty(STDIN_FILENO)) {
475 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
476 (void) reset_terminal_fd(STDIN_FILENO, true);
477 }
a34ceba6
LP		 478
479 return STDIN_FILENO;
480 }
4f2d528d 481
08f3be7a 482 i = fixup_input(context, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
4f2d528d
LP		 483
484 switch (i) {
071830ff 485
80876c20
LP		 486 case EXEC_INPUT_NULL:
487 return open_null_as(O_RDONLY, STDIN_FILENO);
488
489 case EXEC_INPUT_TTY:
490 case EXEC_INPUT_TTY_FORCE:
491 case EXEC_INPUT_TTY_FAIL: {
046a82c1 492 int fd;
071830ff 493
1e22b5cd 494 fd = acquire_terminal(exec_context_tty_path(context),
8854d795
LP		 495 i == EXEC_INPUT_TTY_FAIL ? ACQUIRE_TERMINAL_TRY :
496 i == EXEC_INPUT_TTY_FORCE ? ACQUIRE_TERMINAL_FORCE :
497 ACQUIRE_TERMINAL_WAIT,
3a43da28 498 USEC_INFINITY);
970edce6 499 if (fd < 0)
80876c20
LP		 500 return fd;
501
046a82c1 502 return move_fd(fd, STDIN_FILENO, false);
80876c20
LP		 503 }
504
4f2d528d 505 case EXEC_INPUT_SOCKET:
e75a9ed1
LP		 506 assert(socket_fd >= 0);
507
4f2d528d
LP		 508 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
509
52c239d7 510 case EXEC_INPUT_NAMED_FD:
e75a9ed1
LP		 511 assert(named_iofds[STDIN_FILENO] >= 0);
512
52c239d7
LB		 513 (void) fd_nonblock(named_iofds[STDIN_FILENO], false);
514 return dup2(named_iofds[STDIN_FILENO], STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
515
08f3be7a
LP		 516 case EXEC_INPUT_DATA: {
517 int fd;
518
519 fd = acquire_data_fd(context->stdin_data, context->stdin_data_size, 0);
520 if (fd < 0)
521 return fd;
522
523 return move_fd(fd, STDIN_FILENO, false);
524 }
525
2038c3f5
LP		 526 case EXEC_INPUT_FILE: {
527 bool rw;
528 int fd;
529
530 assert(context->stdio_file[STDIN_FILENO]);
531
532 rw = (context->std_output == EXEC_OUTPUT_FILE && streq_ptr(context->stdio_file[STDIN_FILENO], context->stdio_file[STDOUT_FILENO])) ||
533 (context->std_error == EXEC_OUTPUT_FILE && streq_ptr(context->stdio_file[STDIN_FILENO], context->stdio_file[STDERR_FILENO]));
534
535 fd = acquire_path(context->stdio_file[STDIN_FILENO], rw ? O_RDWR : O_RDONLY, 0666 & ~context->umask);
536 if (fd < 0)
537 return fd;
538
539 return move_fd(fd, STDIN_FILENO, false);
540 }
541
80876c20
LP		 542 default:
543 assert_not_reached("Unknown input type");
544 }
545}
546
41fc585a
LP		 547static bool can_inherit_stderr_from_stdout(
548 const ExecContext *context,
549 ExecOutput o,
550 ExecOutput e) {
551
552 assert(context);
553
554 /* Returns true, if given the specified STDERR and STDOUT output we can directly dup() the stdout fd to the
555 * stderr fd */
556
557 if (e == EXEC_OUTPUT_INHERIT)
558 return true;
559 if (e != o)
560 return false;
561
562 if (e == EXEC_OUTPUT_NAMED_FD)
563 return streq_ptr(context->stdio_fdname[STDOUT_FILENO], context->stdio_fdname[STDERR_FILENO]);
564
8d7dab1f 565 if (IN_SET(e, EXEC_OUTPUT_FILE, EXEC_OUTPUT_FILE_APPEND, EXEC_OUTPUT_FILE_TRUNCATE))
41fc585a
LP		 566 return streq_ptr(context->stdio_file[STDOUT_FILENO], context->stdio_file[STDERR_FILENO]);
567
568 return true;
569}
570
a34ceba6 571static int setup_output(
34cf6c43 572 const Unit *unit,
a34ceba6
LP		 573 const ExecContext *context,
574 const ExecParameters *params,
575 int fileno,
576 int socket_fd,
2caa38e9 577 const int named_iofds[static 3],
a34ceba6 578 const char *ident,
7bce046b
LP		 579 uid_t uid,
580 gid_t gid,
581 dev_t *journal_stream_dev,
582 ino_t *journal_stream_ino) {
a34ceba6 583
4f2d528d
LP		 584 ExecOutput o;
585 ExecInput i;
47c1d80d 586 int r;
4f2d528d 587
f2341e0a 588 assert(unit);
80876c20 589 assert(context);
a34ceba6 590 assert(params);
80876c20 591 assert(ident);
7bce046b
LP		 592 assert(journal_stream_dev);
593 assert(journal_stream_ino);
80876c20 594
a34ceba6
LP		 595 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
596
597 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
598 return -errno;
599
600 return STDOUT_FILENO;
601 }
602
603 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
604 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
605 return -errno;
606
607 return STDERR_FILENO;
608 }
609
08f3be7a 610 i = fixup_input(context, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
03fd9c49 611 o = fixup_output(context->std_output, socket_fd);
4f2d528d 612
eb17e935
MS		 613 if (fileno == STDERR_FILENO) {
614 ExecOutput e;
615 e = fixup_output(context->std_error, socket_fd);
80876c20 616
eb17e935
MS		 617 /* This expects the input and output are already set up */
618
619 /* Don't change the stderr file descriptor if we inherit all
620 * the way and are not on a tty */
621 if (e == EXEC_OUTPUT_INHERIT &&
622 o == EXEC_OUTPUT_INHERIT &&
623 i == EXEC_INPUT_NULL &&
624 !is_terminal_input(context->std_input) &&
625 getppid () != 1)
626 return fileno;
627
628 /* Duplicate from stdout if possible */
41fc585a 629 if (can_inherit_stderr_from_stdout(context, o, e))
eb17e935 630 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 631
eb17e935 632 o = e;
80876c20 633
eb17e935 634 } else if (o == EXEC_OUTPUT_INHERIT) {
21d21ea4
LP		 635 /* If input got downgraded, inherit the original value */
636 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
1e22b5cd 637 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
21d21ea4 638
08f3be7a
LP		 639 /* If the input is connected to anything that's not a /dev/null or a data fd, inherit that... */
640 if (!IN_SET(i, EXEC_INPUT_NULL, EXEC_INPUT_DATA))
eb17e935 641 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 642
acb591e4
LP		 643 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
644 if (getppid() != 1)
eb17e935 645 return fileno;
94f04347 646
eb17e935
MS		 647 /* We need to open /dev/null here anew, to get the right access mode. */
648 return open_null_as(O_WRONLY, fileno);
071830ff 649 }
94f04347 650
eb17e935 651 switch (o) {
80876c20
LP		 652
653 case EXEC_OUTPUT_NULL:
eb17e935 654 return open_null_as(O_WRONLY, fileno);
80876c20
LP		 655
656 case EXEC_OUTPUT_TTY:
4f2d528d 657 if (is_terminal_input(i))
eb17e935 658 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
80876c20
LP		 659
660 /* We don't reset the terminal if this is just about output */
1e22b5cd 661 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
80876c20 662
9a6bca7a 663 case EXEC_OUTPUT_KMSG:
28dbc1e8 664 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
706343f4
LP		 665 case EXEC_OUTPUT_JOURNAL:
666 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
af635cf3 667 r = connect_logger_as(unit, context, params, o, ident, fileno, uid, gid);
47c1d80d 668 if (r < 0) {
82677ae4 669 log_unit_warning_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
eb17e935 670 r = open_null_as(O_WRONLY, fileno);
7bce046b
LP		 671 } else {
672 struct stat st;
673
674 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
675 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
ab2116b1
LP		 676 * services to detect whether they are connected to the journal or not.
677 *
678 * If both stdout and stderr are connected to a stream then let's make sure to store the data
679 * about STDERR as that's usually the best way to do logging. */
7bce046b 680
ab2116b1
LP		 681 if (fstat(fileno, &st) >= 0 &&
682 (*journal_stream_ino == 0 || fileno == STDERR_FILENO)) {
7bce046b
LP		 683 *journal_stream_dev = st.st_dev;
684 *journal_stream_ino = st.st_ino;
685 }
47c1d80d
MS		 686 }
687 return r;
4f2d528d
LP		 688
689 case EXEC_OUTPUT_SOCKET:
690 assert(socket_fd >= 0);
e75a9ed1 691
eb17e935 692 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
94f04347 693
52c239d7 694 case EXEC_OUTPUT_NAMED_FD:
e75a9ed1
LP		 695 assert(named_iofds[fileno] >= 0);
696
52c239d7
LB		 697 (void) fd_nonblock(named_iofds[fileno], false);
698 return dup2(named_iofds[fileno], fileno) < 0 ? -errno : fileno;
699
566b7d23 700 case EXEC_OUTPUT_FILE:
8d7dab1f
LW		 701 case EXEC_OUTPUT_FILE_APPEND:
702 case EXEC_OUTPUT_FILE_TRUNCATE: {
2038c3f5 703 bool rw;
566b7d23 704 int fd, flags;
2038c3f5
LP		 705
706 assert(context->stdio_file[fileno]);
707
708 rw = context->std_input == EXEC_INPUT_FILE &&
709 streq_ptr(context->stdio_file[fileno], context->stdio_file[STDIN_FILENO]);
710
711 if (rw)
712 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
713
566b7d23
ZD		 714 flags = O_WRONLY;
715 if (o == EXEC_OUTPUT_FILE_APPEND)
716 flags |= O_APPEND;
8d7dab1f
LW		 717 else if (o == EXEC_OUTPUT_FILE_TRUNCATE)
718 flags |= O_TRUNC;
566b7d23
ZD		 719
720 fd = acquire_path(context->stdio_file[fileno], flags, 0666 & ~context->umask);
2038c3f5
LP		 721 if (fd < 0)
722 return fd;
723
566b7d23 724 return move_fd(fd, fileno, 0);
2038c3f5
LP		 725 }
726
94f04347 727 default:
80876c20 728 assert_not_reached("Unknown error type");
94f04347 729 }
071830ff
LP		 730}
731
02a51aba 732static int chown_terminal(int fd, uid_t uid) {
4b3b5bc7 733 int r;
02a51aba
LP		 734
735 assert(fd >= 0);
02a51aba 736
1ff74fb6 737 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
4b3b5bc7
LP		 738 if (isatty(fd) < 1) {
739 if (IN_SET(errno, EINVAL, ENOTTY))
740 return 0; /* not a tty */
1ff74fb6 741
02a51aba 742 return -errno;
4b3b5bc7 743 }
02a51aba 744
4b3b5bc7
LP		 745 /* This might fail. What matters are the results. */
746 r = fchmod_and_chown(fd, TTY_MODE, uid, -1);
747 if (r < 0)
748 return r;
02a51aba 749
4b3b5bc7 750 return 1;
02a51aba
LP		 751}
752
7d5ceb64 753static int setup_confirm_stdio(const char *vc, int *_saved_stdin, int *_saved_stdout) {
3d18b167
LP		 754 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
755 int r;
80876c20 756
80876c20
LP		 757 assert(_saved_stdin);
758 assert(_saved_stdout);
759
af6da548
LP		 760 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
761 if (saved_stdin < 0)
762 return -errno;
80876c20 763
af6da548 764 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
3d18b167
LP		 765 if (saved_stdout < 0)
766 return -errno;
80876c20 767
8854d795 768 fd = acquire_terminal(vc, ACQUIRE_TERMINAL_WAIT, DEFAULT_CONFIRM_USEC);
3d18b167
LP		 769 if (fd < 0)
770 return fd;
80876c20 771
af6da548
LP		 772 r = chown_terminal(fd, getuid());
773 if (r < 0)
3d18b167 774 return r;
02a51aba 775
3d18b167
LP		 776 r = reset_terminal_fd(fd, true);
777 if (r < 0)
778 return r;
80876c20 779
2b33ab09 780 r = rearrange_stdio(fd, fd, STDERR_FILENO);
3d18b167 781 fd = -1;
2b33ab09
LP		 782 if (r < 0)
783 return r;
80876c20
LP		 784
785 *_saved_stdin = saved_stdin;
786 *_saved_stdout = saved_stdout;
787
3d18b167 788 saved_stdin = saved_stdout = -1;
80876c20 789
3d18b167 790 return 0;
80876c20
LP		 791}
792
63d77c92 793static void write_confirm_error_fd(int err, int fd, const Unit *u) {
3b20f877
FB		 794 assert(err < 0);
795
796 if (err == -ETIMEDOUT)
63d77c92 797 dprintf(fd, "Confirmation question timed out for %s, assuming positive response.\n", u->id);
3b20f877
FB		 798 else {
799 errno = -err;
63d77c92 800 dprintf(fd, "Couldn't ask confirmation for %s: %m, assuming positive response.\n", u->id);
3b20f877
FB		 801 }
802}
803
63d77c92 804static void write_confirm_error(int err, const char *vc, const Unit *u) {
03e334a1 805 _cleanup_close_ int fd = -1;
80876c20 806
3b20f877 807 assert(vc);
80876c20 808
7d5ceb64 809 fd = open_terminal(vc, O_WRONLY|O_NOCTTY|O_CLOEXEC);
af6da548 810 if (fd < 0)
3b20f877 811 return;
80876c20 812
63d77c92 813 write_confirm_error_fd(err, fd, u);
af6da548 814}
80876c20 815
3d18b167 816static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
af6da548 817 int r = 0;
80876c20 818
af6da548
LP		 819 assert(saved_stdin);
820 assert(saved_stdout);
821
822 release_terminal();
823
824 if (*saved_stdin >= 0)
80876c20 825 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
af6da548 826 r = -errno;
80876c20 827
af6da548 828 if (*saved_stdout >= 0)
80876c20 829 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
af6da548 830 r = -errno;
80876c20 831
3d18b167
LP		 832 *saved_stdin = safe_close(*saved_stdin);
833 *saved_stdout = safe_close(*saved_stdout);
af6da548
LP		 834
835 return r;
836}
837
3b20f877
FB		 838enum {
839 CONFIRM_PRETEND_FAILURE = -1,
840 CONFIRM_PRETEND_SUCCESS = 0,
841 CONFIRM_EXECUTE = 1,
842};
843
eedf223a 844static int ask_for_confirmation(const char *vc, Unit *u, const char *cmdline) {
af6da548 845 int saved_stdout = -1, saved_stdin = -1, r;
2bcd3c26 846 _cleanup_free_ char *e = NULL;
3b20f877 847 char c;
af6da548 848
3b20f877 849 /* For any internal errors, assume a positive response. */
7d5ceb64 850 r = setup_confirm_stdio(vc, &saved_stdin, &saved_stdout);
3b20f877 851 if (r < 0) {
63d77c92 852 write_confirm_error(r, vc, u);
3b20f877
FB		 853 return CONFIRM_EXECUTE;
854 }
af6da548 855
b0eb2944
FB		 856 /* confirm_spawn might have been disabled while we were sleeping. */
857 if (manager_is_confirm_spawn_disabled(u->manager)) {
858 r = 1;
859 goto restore_stdio;
860 }
af6da548 861
2bcd3c26
FB		 862 e = ellipsize(cmdline, 60, 100);
863 if (!e) {
864 log_oom();
865 r = CONFIRM_EXECUTE;
866 goto restore_stdio;
867 }
af6da548 868
d172b175 869 for (;;) {
539622bd 870 r = ask_char(&c, "yfshiDjcn", "Execute %s? [y, f, s – h for help] ", e);
d172b175 871 if (r < 0) {
63d77c92 872 write_confirm_error_fd(r, STDOUT_FILENO, u);
d172b175
FB		 873 r = CONFIRM_EXECUTE;
874 goto restore_stdio;
875 }
af6da548 876
d172b175 877 switch (c) {
b0eb2944
FB		 878 case 'c':
879 printf("Resuming normal execution.\n");
880 manager_disable_confirm_spawn();
881 r = 1;
882 break;
dd6f9ac0
FB		 883 case 'D':
884 unit_dump(u, stdout, " ");
885 continue; /* ask again */
d172b175
FB		 886 case 'f':
887 printf("Failing execution.\n");
888 r = CONFIRM_PRETEND_FAILURE;
889 break;
890 case 'h':
b0eb2944
FB		 891 printf(" c - continue, proceed without asking anymore\n"
892 " D - dump, show the state of the unit\n"
dd6f9ac0 893 " f - fail, don't execute the command and pretend it failed\n"
d172b175 894 " h - help\n"
eedf223a 895 " i - info, show a short summary of the unit\n"
56fde33a 896 " j - jobs, show jobs that are in progress\n"
d172b175
FB		 897 " s - skip, don't execute the command and pretend it succeeded\n"
898 " y - yes, execute the command\n");
dd6f9ac0 899 continue; /* ask again */
eedf223a
FB		 900 case 'i':
901 printf(" Description: %s\n"
902 " Unit: %s\n"
903 " Command: %s\n",
904 u->id, u->description, cmdline);
905 continue; /* ask again */
56fde33a
FB		 906 case 'j':
907 manager_dump_jobs(u->manager, stdout, " ");
908 continue; /* ask again */
539622bd
FB		 909 case 'n':
910 /* 'n' was removed in favor of 'f'. */
911 printf("Didn't understand 'n', did you mean 'f'?\n");
912 continue; /* ask again */
d172b175
FB		 913 case 's':
914 printf("Skipping execution.\n");
915 r = CONFIRM_PRETEND_SUCCESS;
916 break;
917 case 'y':
918 r = CONFIRM_EXECUTE;
919 break;
920 default:
921 assert_not_reached("Unhandled choice");
922 }
3b20f877 923 break;
3b20f877 924 }
af6da548 925
3b20f877 926restore_stdio:
af6da548 927 restore_confirm_stdio(&saved_stdin, &saved_stdout);
af6da548 928 return r;
80876c20
LP		 929}
930
4d885bd3
DH		 931static int get_fixed_user(const ExecContext *c, const char **user,
932 uid_t *uid, gid_t *gid,
933 const char **home, const char **shell) {
81a2b7ce 934 int r;
4d885bd3 935 const char *name;
81a2b7ce 936
4d885bd3 937 assert(c);
81a2b7ce 938
23deef88
LP		 939 if (!c->user)
940 return 0;
941
4d885bd3
DH		 942 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
943 * (i.e. are "/" or "/bin/nologin"). */
81a2b7ce 944
23deef88 945 name = c->user;
fafff8f1 946 r = get_user_creds(&name, uid, gid, home, shell, USER_CREDS_CLEAN);
4d885bd3
DH		 947 if (r < 0)
948 return r;
81a2b7ce 949
4d885bd3
DH		 950 *user = name;
951 return 0;
952}
953
954static int get_fixed_group(const ExecContext *c, const char **group, gid_t *gid) {
955 int r;
956 const char *name;
957
958 assert(c);
959
960 if (!c->group)
961 return 0;
962
963 name = c->group;
fafff8f1 964 r = get_group_creds(&name, gid, 0);
4d885bd3
DH		 965 if (r < 0)
966 return r;
967
968 *group = name;
969 return 0;
970}
971
cdc5d5c5
DH		 972static int get_supplementary_groups(const ExecContext *c, const char *user,
973 const char *group, gid_t gid,
974 gid_t **supplementary_gids, int *ngids) {
4d885bd3
DH		 975 char **i;
976 int r, k = 0;
977 int ngroups_max;
978 bool keep_groups = false;
979 gid_t *groups = NULL;
980 _cleanup_free_ gid_t *l_gids = NULL;
981
982 assert(c);
983
bbeea271
DH		 984 /*
985 * If user is given, then lookup GID and supplementary groups list.
986 * We avoid NSS lookups for gid=0. Also we have to initialize groups
cdc5d5c5
DH		 987 * here and as early as possible so we keep the list of supplementary
988 * groups of the caller.
bbeea271
DH		 989 */
990 if (user && gid_is_valid(gid) && gid != 0) {
991 /* First step, initialize groups from /etc/groups */
992 if (initgroups(user, gid) < 0)
993 return -errno;
994
995 keep_groups = true;
996 }
997
ac6e8be6 998 if (strv_isempty(c->supplementary_groups))
4d885bd3
DH		 999 return 0;
1000
366ddd25
DH		 1001 /*
1002 * If SupplementaryGroups= was passed then NGROUPS_MAX has to
1003 * be positive, otherwise fail.
1004 */
1005 errno = 0;
1006 ngroups_max = (int) sysconf(_SC_NGROUPS_MAX);
66855de7
LP		 1007 if (ngroups_max <= 0)
1008 return errno_or_else(EOPNOTSUPP);
366ddd25 1009
4d885bd3
DH		 1010 l_gids = new(gid_t, ngroups_max);
1011 if (!l_gids)
1012 return -ENOMEM;
81a2b7ce 1013
4d885bd3
DH		 1014 if (keep_groups) {
1015 /*
1016 * Lookup the list of groups that the user belongs to, we
1017 * avoid NSS lookups here too for gid=0.
1018 */
1019 k = ngroups_max;
1020 if (getgrouplist(user, gid, l_gids, &k) < 0)
1021 return -EINVAL;
1022 } else
1023 k = 0;
81a2b7ce 1024
4d885bd3
DH		 1025 STRV_FOREACH(i, c->supplementary_groups) {
1026 const char *g;
81a2b7ce 1027
4d885bd3
DH		 1028 if (k >= ngroups_max)
1029 return -E2BIG;
81a2b7ce 1030
4d885bd3 1031 g = *i;
fafff8f1 1032 r = get_group_creds(&g, l_gids+k, 0);
4d885bd3
DH		 1033 if (r < 0)
1034 return r;
81a2b7ce 1035
4d885bd3
DH		 1036 k++;
1037 }
81a2b7ce 1038
4d885bd3
DH		 1039 /*
1040 * Sets ngids to zero to drop all supplementary groups, happens
1041 * when we are under root and SupplementaryGroups= is empty.
1042 */
1043 if (k == 0) {
1044 *ngids = 0;
1045 return 0;
1046 }
81a2b7ce 1047
4d885bd3
DH		 1048 /* Otherwise get the final list of supplementary groups */
1049 groups = memdup(l_gids, sizeof(gid_t) * k);
1050 if (!groups)
1051 return -ENOMEM;
1052
1053 *supplementary_gids = groups;
1054 *ngids = k;
1055
1056 groups = NULL;
1057
1058 return 0;
1059}
1060
34cf6c43 1061static int enforce_groups(gid_t gid, const gid_t *supplementary_gids, int ngids) {
4d885bd3
DH		 1062 int r;
1063
709dbeac
YW		 1064 /* Handle SupplementaryGroups= if it is not empty */
1065 if (ngids > 0) {
4d885bd3
DH		 1066 r = maybe_setgroups(ngids, supplementary_gids);
1067 if (r < 0)
97f0e76f 1068 return r;
4d885bd3 1069 }
81a2b7ce 1070
4d885bd3
DH		 1071 if (gid_is_valid(gid)) {
1072 /* Then set our gids */
1073 if (setresgid(gid, gid, gid) < 0)
1074 return -errno;
81a2b7ce
LP		 1075 }
1076
1077 return 0;
1078}
1079
dbdc4098
TK		 1080static int set_securebits(int bits, int mask) {
1081 int current, applied;
1082 current = prctl(PR_GET_SECUREBITS);
1083 if (current < 0)
1084 return -errno;
1085 /* Clear all securebits defined in mask and set bits */
1086 applied = (current & ~mask) | bits;
1087 if (current == applied)
1088 return 0;
1089 if (prctl(PR_SET_SECUREBITS, applied) < 0)
1090 return -errno;
1091 return 1;
1092}
1093
81a2b7ce 1094static int enforce_user(const ExecContext *context, uid_t uid) {
81a2b7ce 1095 assert(context);
dbdc4098 1096 int r;
81a2b7ce 1097
4d885bd3
DH		 1098 if (!uid_is_valid(uid))
1099 return 0;
1100
479050b3 1101 /* Sets (but doesn't look up) the uid and make sure we keep the
dbdc4098
TK		 1102 * capabilities while doing so. For setting secure bits the capability CAP_SETPCAP is
1103 * required, so we also need keep-caps in this case.
1104 */
81a2b7ce 1105
dbdc4098 1106 if (context->capability_ambient_set != 0 || context->secure_bits != 0) {
81a2b7ce
LP		 1107
1108 /* First step: If we need to keep capabilities but
1109 * drop privileges we need to make sure we keep our
cbb21cca 1110 * caps, while we drop privileges. */
693ced48 1111 if (uid != 0) {
dbdc4098
TK		 1112 /* Add KEEP_CAPS to the securebits */
1113 r = set_securebits(1<<SECURE_KEEP_CAPS, 0);
1114 if (r < 0)
1115 return r;
693ced48 1116 }
81a2b7ce
LP		 1117 }
1118
479050b3 1119 /* Second step: actually set the uids */
81a2b7ce
LP		 1120 if (setresuid(uid, uid, uid) < 0)
1121 return -errno;
1122
1123 /* At this point we should have all necessary capabilities but
1124 are otherwise a normal user. However, the caps might got
1125 corrupted due to the setresuid() so we need clean them up
1126 later. This is done outside of this call. */
1127
1128 return 0;
1129}
1130
349cc4a5 1131#if HAVE_PAM
5b6319dc
LP		 1132
1133static int null_conv(
1134 int num_msg,
1135 const struct pam_message **msg,
1136 struct pam_response **resp,
1137 void *appdata_ptr) {
1138
1139 /* We don't support conversations */
1140
1141 return PAM_CONV_ERR;
1142}
1143
cefc33ae
LP		 1144#endif
1145
5b6319dc
LP		 1146static int setup_pam(
1147 const char *name,
1148 const char *user,
940c5210 1149 uid_t uid,
2d6fce8d 1150 gid_t gid,
5b6319dc 1151 const char *tty,
2065ca69 1152 char ***env,
5b8d1f6b 1153 const int fds[], size_t n_fds) {
5b6319dc 1154
349cc4a5 1155#if HAVE_PAM
cefc33ae 1156
5b6319dc
LP		 1157 static const struct pam_conv conv = {
1158 .conv = null_conv,
1159 .appdata_ptr = NULL
1160 };
1161
2d7c6aa2 1162 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
5b6319dc 1163 pam_handle_t *handle = NULL;
d6e5f3ad 1164 sigset_t old_ss;
7bb70b6e 1165 int pam_code = PAM_SUCCESS, r;
84eada2f 1166 char **nv, **e = NULL;
5b6319dc
LP		 1167 bool close_session = false;
1168 pid_t pam_pid = 0, parent_pid;
970edce6 1169 int flags = 0;
5b6319dc
LP		 1170
1171 assert(name);
1172 assert(user);
2065ca69 1173 assert(env);
5b6319dc
LP		 1174
1175 /* We set up PAM in the parent process, then fork. The child
35b8ca3a 1176 * will then stay around until killed via PR_GET_PDEATHSIG or
5b6319dc
LP		 1177 * systemd via the cgroup logic. It will then remove the PAM
1178 * session again. The parent process will exec() the actual
1179 * daemon. We do things this way to ensure that the main PID
1180 * of the daemon is the one we initially fork()ed. */
1181
7bb70b6e
LP		 1182 r = barrier_create(&barrier);
1183 if (r < 0)
2d7c6aa2
DH		 1184 goto fail;
1185
553d2243 1186 if (log_get_max_level() < LOG_DEBUG)
970edce6
ZJS		 1187 flags |= PAM_SILENT;
1188
f546241b
ZJS		 1189 pam_code = pam_start(name, user, &conv, &handle);
1190 if (pam_code != PAM_SUCCESS) {
5b6319dc
LP		 1191 handle = NULL;
1192 goto fail;
1193 }
1194
3cd24c1a
LP		 1195 if (!tty) {
1196 _cleanup_free_ char *q = NULL;
1197
1198 /* Hmm, so no TTY was explicitly passed, but an fd passed to us directly might be a TTY. Let's figure
1199 * out if that's the case, and read the TTY off it. */
1200
1201 if (getttyname_malloc(STDIN_FILENO, &q) >= 0)
1202 tty = strjoina("/dev/", q);
1203 }
1204
f546241b
ZJS		 1205 if (tty) {
1206 pam_code = pam_set_item(handle, PAM_TTY, tty);
1207 if (pam_code != PAM_SUCCESS)
5b6319dc 1208 goto fail;
f546241b 1209 }
5b6319dc 1210
84eada2f
JW		 1211 STRV_FOREACH(nv, *env) {
1212 pam_code = pam_putenv(handle, *nv);
2065ca69
JW		 1213 if (pam_code != PAM_SUCCESS)
1214 goto fail;
1215 }
1216
970edce6 1217 pam_code = pam_acct_mgmt(handle, flags);
f546241b 1218 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 1219 goto fail;
1220
3bb39ea9
DG		 1221 pam_code = pam_setcred(handle, PAM_ESTABLISH_CRED | flags);
1222 if (pam_code != PAM_SUCCESS)
46d7c6af 1223 log_debug("pam_setcred() failed, ignoring: %s", pam_strerror(handle, pam_code));
3bb39ea9 1224
970edce6 1225 pam_code = pam_open_session(handle, flags);
f546241b 1226 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 1227 goto fail;
1228
1229 close_session = true;
1230
f546241b
ZJS		 1231 e = pam_getenvlist(handle);
1232 if (!e) {
5b6319dc
LP		 1233 pam_code = PAM_BUF_ERR;
1234 goto fail;
1235 }
1236
1237 /* Block SIGTERM, so that we know that it won't get lost in
1238 * the child */
ce30c8dc 1239
72c0a2c2 1240 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
5b6319dc 1241
df0ff127 1242 parent_pid = getpid_cached();
5b6319dc 1243
4c253ed1
LP		 1244 r = safe_fork("(sd-pam)", 0, &pam_pid);
1245 if (r < 0)
5b6319dc 1246 goto fail;
4c253ed1 1247 if (r == 0) {
7bb70b6e 1248 int sig, ret = EXIT_PAM;
5b6319dc
LP		 1249
1250 /* The child's job is to reset the PAM session on
1251 * termination */
2d7c6aa2 1252 barrier_set_role(&barrier, BARRIER_CHILD);
5b6319dc 1253
1da37e58
ZJS		 1254 /* Make sure we don't keep open the passed fds in this child. We assume that otherwise only
1255 * those fds are open here that have been opened by PAM. */
4c253ed1 1256 (void) close_many(fds, n_fds);
5b6319dc 1257
940c5210
AK		 1258 /* Drop privileges - we don't need any to pam_close_session
1259 * and this will make PR_SET_PDEATHSIG work in most cases.
1260 * If this fails, ignore the error - but expect sd-pam threads
1261 * to fail to exit normally */
2d6fce8d 1262
97f0e76f
LP		 1263 r = maybe_setgroups(0, NULL);
1264 if (r < 0)
1265 log_warning_errno(r, "Failed to setgroups() in sd-pam: %m");
2d6fce8d
LP		 1266 if (setresgid(gid, gid, gid) < 0)
1267 log_warning_errno(errno, "Failed to setresgid() in sd-pam: %m");
940c5210 1268 if (setresuid(uid, uid, uid) < 0)
2d6fce8d 1269 log_warning_errno(errno, "Failed to setresuid() in sd-pam: %m");
940c5210 1270
ce30c8dc
LP		 1271 (void) ignore_signals(SIGPIPE, -1);
1272
940c5210
AK		 1273 /* Wait until our parent died. This will only work if
1274 * the above setresuid() succeeds, otherwise the kernel
1275 * will not allow unprivileged parents kill their privileged
1276 * children this way. We rely on the control groups kill logic
5b6319dc
LP		 1277 * to do the rest for us. */
1278 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
1279 goto child_finish;
1280
2d7c6aa2
DH		 1281 /* Tell the parent that our setup is done. This is especially
1282 * important regarding dropping privileges. Otherwise, unit
643f4706
ZJS		 1283 * setup might race against our setresuid(2) call.
1284 *
1285 * If the parent aborted, we'll detect this below, hence ignore
1286 * return failure here. */
1287 (void) barrier_place(&barrier);
2d7c6aa2 1288
643f4706 1289 /* Check if our parent process might already have died? */
5b6319dc 1290 if (getppid() == parent_pid) {
d6e5f3ad
DM		 1291 sigset_t ss;
1292
1293 assert_se(sigemptyset(&ss) >= 0);
1294 assert_se(sigaddset(&ss, SIGTERM) >= 0);
1295
3dead8d9
LP		 1296 for (;;) {
1297 if (sigwait(&ss, &sig) < 0) {
1298 if (errno == EINTR)
1299 continue;
1300
1301 goto child_finish;
1302 }
5b6319dc 1303
3dead8d9
LP		 1304 assert(sig == SIGTERM);
1305 break;
1306 }
5b6319dc
LP		 1307 }
1308
3bb39ea9
DG		 1309 pam_code = pam_setcred(handle, PAM_DELETE_CRED | flags);
1310 if (pam_code != PAM_SUCCESS)
1311 goto child_finish;
1312
3dead8d9 1313 /* If our parent died we'll end the session */
f546241b 1314 if (getppid() != parent_pid) {
970edce6 1315 pam_code = pam_close_session(handle, flags);
f546241b 1316 if (pam_code != PAM_SUCCESS)
5b6319dc 1317 goto child_finish;
f546241b 1318 }
5b6319dc 1319
7bb70b6e 1320 ret = 0;
5b6319dc
LP		 1321
1322 child_finish:
970edce6 1323 pam_end(handle, pam_code | flags);
7bb70b6e 1324 _exit(ret);
5b6319dc
LP		 1325 }
1326
2d7c6aa2
DH		 1327 barrier_set_role(&barrier, BARRIER_PARENT);
1328
5b6319dc
LP		 1329 /* If the child was forked off successfully it will do all the
1330 * cleanups, so forget about the handle here. */
1331 handle = NULL;
1332
3b8bddde 1333 /* Unblock SIGTERM again in the parent */
72c0a2c2 1334 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
5b6319dc
LP		 1335
1336 /* We close the log explicitly here, since the PAM modules
1337 * might have opened it, but we don't want this fd around. */
1338 closelog();
1339
2d7c6aa2
DH		 1340 /* Synchronously wait for the child to initialize. We don't care for
1341 * errors as we cannot recover. However, warn loudly if it happens. */
1342 if (!barrier_place_and_sync(&barrier))
1343 log_error("PAM initialization failed");
1344
130d3d22 1345 return strv_free_and_replace(*env, e);
5b6319dc
LP		 1346
1347fail:
970edce6
ZJS		 1348 if (pam_code != PAM_SUCCESS) {
1349 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
7bb70b6e
LP		 1350 r = -EPERM; /* PAM errors do not map to errno */
1351 } else
1352 log_error_errno(r, "PAM failed: %m");
9ba35398 1353
5b6319dc
LP		 1354 if (handle) {
1355 if (close_session)
970edce6 1356 pam_code = pam_close_session(handle, flags);
5b6319dc 1357
970edce6 1358 pam_end(handle, pam_code | flags);
5b6319dc
LP		 1359 }
1360
1361 strv_free(e);
5b6319dc
LP		 1362 closelog();
1363
7bb70b6e 1364 return r;
cefc33ae
LP		 1365#else
1366 return 0;
5b6319dc 1367#endif
cefc33ae 1368}
5b6319dc 1369
5d6b1584
LP		 1370static void rename_process_from_path(const char *path) {
1371 char process_name[11];
1372 const char *p;
1373 size_t l;
1374
1375 /* This resulting string must fit in 10 chars (i.e. the length
1376 * of "/sbin/init") to look pretty in /bin/ps */
1377
2b6bf07d 1378 p = basename(path);
5d6b1584
LP		 1379 if (isempty(p)) {
1380 rename_process("(...)");
1381 return;
1382 }
1383
1384 l = strlen(p);
1385 if (l > 8) {
1386 /* The end of the process name is usually more
1387 * interesting, since the first bit might just be
1388 * "systemd-" */
1389 p = p + l - 8;
1390 l = 8;
1391 }
1392
1393 process_name[0] = '(';
1394 memcpy(process_name+1, p, l);
1395 process_name[1+l] = ')';
1396 process_name[1+l+1] = 0;
1397
1398 rename_process(process_name);
1399}
1400
469830d1
LP		 1401static bool context_has_address_families(const ExecContext *c) {
1402 assert(c);
1403
6b000af4 1404 return c->address_families_allow_list ||
469830d1
LP		 1405 !set_isempty(c->address_families);
1406}
1407
1408static bool context_has_syscall_filters(const ExecContext *c) {
1409 assert(c);
1410
6b000af4 1411 return c->syscall_allow_list ||
8cfa775f 1412 !hashmap_isempty(c->syscall_filter);
469830d1
LP		 1413}
1414
9df2cdd8
TM		 1415static bool context_has_syscall_logs(const ExecContext *c) {
1416 assert(c);
1417
1418 return c->syscall_log_allow_list ||
1419 !hashmap_isempty(c->syscall_log);
1420}
1421
469830d1
LP		 1422static bool context_has_no_new_privileges(const ExecContext *c) {
1423 assert(c);
1424
1425 if (c->no_new_privileges)
1426 return true;
1427
1428 if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
1429 return false;
1430
1431 /* We need NNP if we have any form of seccomp and are unprivileged */
1432 return context_has_address_families(c) ||
1433 c->memory_deny_write_execute ||
1434 c->restrict_realtime ||
f69567cb 1435 c->restrict_suid_sgid ||
469830d1 1436 exec_context_restrict_namespaces_set(c) ||
fc64760d 1437 c->protect_clock ||
469830d1
LP		 1438 c->protect_kernel_tunables ||
1439 c->protect_kernel_modules ||
84703040 1440 c->protect_kernel_logs ||
469830d1
LP		 1441 c->private_devices ||
1442 context_has_syscall_filters(c) ||
9df2cdd8 1443 context_has_syscall_logs(c) ||
78e864e5 1444 !set_isempty(c->syscall_archs) ||
aecd5ac6
TM		 1445 c->lock_personality ||
1446 c->protect_hostname;
469830d1
LP		 1447}
1448
bb0c0d6f
LP		 1449static bool exec_context_has_credentials(const ExecContext *context) {
1450
1451 assert(context);
1452
1453 return !hashmap_isempty(context->set_credentials) ||
1454 context->load_credentials;
1455}
1456
349cc4a5 1457#if HAVE_SECCOMP
17df7223 1458
83f12b27 1459static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
f673b62d
LP		 1460
1461 if (is_seccomp_available())
1462 return false;
1463
f673b62d 1464 log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
f673b62d 1465 return true;
83f12b27
FS		 1466}
1467
165a31c0 1468static int apply_syscall_filter(const Unit* u, const ExecContext *c, bool needs_ambient_hack) {
469830d1 1469 uint32_t negative_action, default_action, action;
165a31c0 1470 int r;
8351ceae 1471
469830d1 1472 assert(u);
c0467cf3 1473 assert(c);
8351ceae 1474
469830d1 1475 if (!context_has_syscall_filters(c))
83f12b27
FS		 1476 return 0;
1477
469830d1
LP		 1478 if (skip_seccomp_unavailable(u, "SystemCallFilter="))
1479 return 0;
e9642be2 1480
005bfaf1 1481 negative_action = c->syscall_errno == SECCOMP_ERROR_NUMBER_KILL ? scmp_act_kill_process() : SCMP_ACT_ERRNO(c->syscall_errno);
e9642be2 1482
6b000af4 1483 if (c->syscall_allow_list) {
469830d1
LP		 1484 default_action = negative_action;
1485 action = SCMP_ACT_ALLOW;
7c66bae2 1486 } else {
469830d1
LP		 1487 default_action = SCMP_ACT_ALLOW;
1488 action = negative_action;
57183d11 1489 }
8351ceae 1490
165a31c0 1491 if (needs_ambient_hack) {
6b000af4 1492 r = seccomp_filter_set_add(c->syscall_filter, c->syscall_allow_list, syscall_filter_sets + SYSCALL_FILTER_SET_SETUID);
165a31c0
LP		 1493 if (r < 0)
1494 return r;
1495 }
1496
b54f36c6 1497 return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_filter, action, false);
4298d0b5
LP		 1498}
1499
9df2cdd8
TM		 1500static int apply_syscall_log(const Unit* u, const ExecContext *c) {
1501#ifdef SCMP_ACT_LOG
1502 uint32_t default_action, action;
1503#endif
1504
1505 assert(u);
1506 assert(c);
1507
1508 if (!context_has_syscall_logs(c))
1509 return 0;
1510
1511#ifdef SCMP_ACT_LOG
1512 if (skip_seccomp_unavailable(u, "SystemCallLog="))
1513 return 0;
1514
1515 if (c->syscall_log_allow_list) {
1516 /* Log nothing but the ones listed */
1517 default_action = SCMP_ACT_ALLOW;
1518 action = SCMP_ACT_LOG;
1519 } else {
1520 /* Log everything but the ones listed */
1521 default_action = SCMP_ACT_LOG;
1522 action = SCMP_ACT_ALLOW;
1523 }
1524
1525 return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_log, action, false);
1526#else
1527 /* old libseccomp */
1528 log_unit_debug(u, "SECCOMP feature SCMP_ACT_LOG not available, skipping SystemCallLog=");
1529 return 0;
1530#endif
1531}
1532
469830d1
LP		 1533static int apply_syscall_archs(const Unit *u, const ExecContext *c) {
1534 assert(u);
4298d0b5
LP		 1535 assert(c);
1536
469830d1 1537 if (set_isempty(c->syscall_archs))
83f12b27
FS		 1538 return 0;
1539
469830d1
LP		 1540 if (skip_seccomp_unavailable(u, "SystemCallArchitectures="))
1541 return 0;
4298d0b5 1542
469830d1
LP		 1543 return seccomp_restrict_archs(c->syscall_archs);
1544}
4298d0b5 1545
469830d1
LP		 1546static int apply_address_families(const Unit* u, const ExecContext *c) {
1547 assert(u);
1548 assert(c);
4298d0b5 1549
469830d1
LP		 1550 if (!context_has_address_families(c))
1551 return 0;
4298d0b5 1552
469830d1
LP		 1553 if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
1554 return 0;
4298d0b5 1555
6b000af4 1556 return seccomp_restrict_address_families(c->address_families, c->address_families_allow_list);
8351ceae 1557}
4298d0b5 1558
83f12b27 1559static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c) {
469830d1 1560 assert(u);
f3e43635
TM		 1561 assert(c);
1562
469830d1 1563 if (!c->memory_deny_write_execute)
83f12b27
FS		 1564 return 0;
1565
469830d1
LP		 1566 if (skip_seccomp_unavailable(u, "MemoryDenyWriteExecute="))
1567 return 0;
f3e43635 1568
469830d1 1569 return seccomp_memory_deny_write_execute();
f3e43635
TM		 1570}
1571
83f12b27 1572static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
469830d1 1573 assert(u);
f4170c67
LP		 1574 assert(c);
1575
469830d1 1576 if (!c->restrict_realtime)
83f12b27
FS		 1577 return 0;
1578
469830d1
LP		 1579 if (skip_seccomp_unavailable(u, "RestrictRealtime="))
1580 return 0;
f4170c67 1581
469830d1 1582 return seccomp_restrict_realtime();
f4170c67
LP		 1583}
1584
f69567cb
LP		 1585static int apply_restrict_suid_sgid(const Unit* u, const ExecContext *c) {
1586 assert(u);
1587 assert(c);
1588
1589 if (!c->restrict_suid_sgid)
1590 return 0;
1591
1592 if (skip_seccomp_unavailable(u, "RestrictSUIDSGID="))
1593 return 0;
1594
1595 return seccomp_restrict_suid_sgid();
1596}
1597
59e856c7 1598static int apply_protect_sysctl(const Unit *u, const ExecContext *c) {
469830d1 1599 assert(u);
59eeb84b
LP		 1600 assert(c);
1601
1602 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1603 * let's protect even those systems where this is left on in the kernel. */
1604
469830d1 1605 if (!c->protect_kernel_tunables)
59eeb84b
LP		 1606 return 0;
1607
469830d1
LP		 1608 if (skip_seccomp_unavailable(u, "ProtectKernelTunables="))
1609 return 0;
59eeb84b 1610
469830d1 1611 return seccomp_protect_sysctl();
59eeb84b
LP		 1612}
1613
59e856c7 1614static int apply_protect_kernel_modules(const Unit *u, const ExecContext *c) {
469830d1 1615 assert(u);
502d704e
DH		 1616 assert(c);
1617
25a8d8a0 1618 /* Turn off module syscalls on ProtectKernelModules=yes */
502d704e 1619
469830d1
LP		 1620 if (!c->protect_kernel_modules)
1621 return 0;
1622
502d704e
DH		 1623 if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
1624 return 0;
1625
b54f36c6 1626 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM), false);
502d704e
DH		 1627}
1628
84703040
KK		 1629static int apply_protect_kernel_logs(const Unit *u, const ExecContext *c) {
1630 assert(u);
1631 assert(c);
1632
1633 if (!c->protect_kernel_logs)
1634 return 0;
1635
1636 if (skip_seccomp_unavailable(u, "ProtectKernelLogs="))
1637 return 0;
1638
1639 return seccomp_protect_syslog();
1640}
1641
daf8f72b 1642static int apply_protect_clock(const Unit *u, const ExecContext *c) {
fc64760d
KK		 1643 assert(u);
1644 assert(c);
1645
1646 if (!c->protect_clock)
1647 return 0;
1648
1649 if (skip_seccomp_unavailable(u, "ProtectClock="))
1650 return 0;
1651
1652 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_CLOCK, SCMP_ACT_ERRNO(EPERM), false);
1653}
1654
59e856c7 1655static int apply_private_devices(const Unit *u, const ExecContext *c) {
469830d1 1656 assert(u);
ba128bb8
LP		 1657 assert(c);
1658
8f81a5f6 1659 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
ba128bb8 1660
469830d1
LP		 1661 if (!c->private_devices)
1662 return 0;
1663
ba128bb8
LP		 1664 if (skip_seccomp_unavailable(u, "PrivateDevices="))
1665 return 0;
1666
b54f36c6 1667 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM), false);
ba128bb8
LP		 1668}
1669
34cf6c43 1670static int apply_restrict_namespaces(const Unit *u, const ExecContext *c) {
469830d1 1671 assert(u);
add00535
LP		 1672 assert(c);
1673
1674 if (!exec_context_restrict_namespaces_set(c))
1675 return 0;
1676
1677 if (skip_seccomp_unavailable(u, "RestrictNamespaces="))
1678 return 0;
1679
1680 return seccomp_restrict_namespaces(c->restrict_namespaces);
1681}
1682
78e864e5 1683static int apply_lock_personality(const Unit* u, const ExecContext *c) {
e8132d63
LP		 1684 unsigned long personality;
1685 int r;
78e864e5
TM		 1686
1687 assert(u);
1688 assert(c);
1689
1690 if (!c->lock_personality)
1691 return 0;
1692
1693 if (skip_seccomp_unavailable(u, "LockPersonality="))
1694 return 0;
1695
e8132d63
LP		 1696 personality = c->personality;
1697
1698 /* If personality is not specified, use either PER_LINUX or PER_LINUX32 depending on what is currently set. */
1699 if (personality == PERSONALITY_INVALID) {
1700
1701 r = opinionated_personality(&personality);
1702 if (r < 0)
1703 return r;
1704 }
78e864e5
TM		 1705
1706 return seccomp_lock_personality(personality);
1707}
1708
c0467cf3 1709#endif
8351ceae 1710
daf8f72b 1711static int apply_protect_hostname(const Unit *u, const ExecContext *c, int *ret_exit_status) {
daf8f72b
LP		 1712 assert(u);
1713 assert(c);
1714
1715 if (!c->protect_hostname)
1716 return 0;
1717
1718 if (ns_type_supported(NAMESPACE_UTS)) {
1719 if (unshare(CLONE_NEWUTS) < 0) {
1720 if (!ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno)) {
1721 *ret_exit_status = EXIT_NAMESPACE;
1722 return log_unit_error_errno(u, errno, "Failed to set up UTS namespacing: %m");
1723 }
1724
1725 log_unit_warning(u, "ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.");
1726 }
1727 } else
1728 log_unit_warning(u, "ProtectHostname=yes is configured, but the kernel does not support UTS namespaces, ignoring namespace setup.");
1729
1730#if HAVE_SECCOMP
8f3e342f
ZJS		 1731 int r;
1732
daf8f72b
LP		 1733 if (skip_seccomp_unavailable(u, "ProtectHostname="))
1734 return 0;
1735
1736 r = seccomp_protect_hostname();
1737 if (r < 0) {
1738 *ret_exit_status = EXIT_SECCOMP;
1739 return log_unit_error_errno(u, r, "Failed to apply hostname restrictions: %m");
1740 }
1741#endif
1742
1743 return 0;
1744}
1745
3042bbeb 1746static void do_idle_pipe_dance(int idle_pipe[static 4]) {
31a7eb86
ZJS		 1747 assert(idle_pipe);
1748
54eb2300
LP		 1749 idle_pipe[1] = safe_close(idle_pipe[1]);
1750 idle_pipe[2] = safe_close(idle_pipe[2]);
31a7eb86
ZJS		 1751
1752 if (idle_pipe[0] >= 0) {
1753 int r;
1754
1755 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1756
1757 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
c7cc737f
LP		 1758 ssize_t n;
1759
31a7eb86 1760 /* Signal systemd that we are bored and want to continue. */
c7cc737f
LP		 1761 n = write(idle_pipe[3], "x", 1);
1762 if (n > 0)
cd972d69 1763 /* Wait for systemd to react to the signal above. */
54756dce 1764 (void) fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
31a7eb86
ZJS		 1765 }
1766
54eb2300 1767 idle_pipe[0] = safe_close(idle_pipe[0]);
31a7eb86
ZJS		 1768
1769 }
1770
54eb2300 1771 idle_pipe[3] = safe_close(idle_pipe[3]);
31a7eb86
ZJS		 1772}
1773
fb2042dd
YW		 1774static const char *exec_directory_env_name_to_string(ExecDirectoryType t);
1775
7cae38c4 1776static int build_environment(
34cf6c43 1777 const Unit *u,
9fa95f85 1778 const ExecContext *c,
1e22b5cd 1779 const ExecParameters *p,
da6053d0 1780 size_t n_fds,
7cae38c4
LP		 1781 const char *home,
1782 const char *username,
1783 const char *shell,
7bce046b
LP		 1784 dev_t journal_stream_dev,
1785 ino_t journal_stream_ino,
7cae38c4
LP		 1786 char ***ret) {
1787
1788 _cleanup_strv_free_ char **our_env = NULL;
da6053d0 1789 size_t n_env = 0;
7cae38c4
LP		 1790 char *x;
1791
4b58153d 1792 assert(u);
7cae38c4 1793 assert(c);
7c1cb6f1 1794 assert(p);
7cae38c4
LP		 1795 assert(ret);
1796
dc4e2940 1797#define N_ENV_VARS 17
8d5bb13d 1798 our_env = new0(char*, N_ENV_VARS + _EXEC_DIRECTORY_TYPE_MAX);
7cae38c4
LP		 1799 if (!our_env)
1800 return -ENOMEM;
1801
1802 if (n_fds > 0) {
8dd4c05b
LP		 1803 _cleanup_free_ char *joined = NULL;
1804
df0ff127 1805 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid_cached()) < 0)
7cae38c4
LP		 1806 return -ENOMEM;
1807 our_env[n_env++] = x;
1808
da6053d0 1809 if (asprintf(&x, "LISTEN_FDS=%zu", n_fds) < 0)
7cae38c4
LP		 1810 return -ENOMEM;
1811 our_env[n_env++] = x;
8dd4c05b 1812
1e22b5cd 1813 joined = strv_join(p->fd_names, ":");
8dd4c05b
LP		 1814 if (!joined)
1815 return -ENOMEM;
1816
605405c6 1817 x = strjoin("LISTEN_FDNAMES=", joined);
8dd4c05b
LP		 1818 if (!x)
1819 return -ENOMEM;
1820 our_env[n_env++] = x;
7cae38c4
LP		 1821 }
1822
b08af3b1 1823 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
df0ff127 1824 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid_cached()) < 0)
09812eb7
LP		 1825 return -ENOMEM;
1826 our_env[n_env++] = x;
1827
1e22b5cd 1828 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
09812eb7
LP		 1829 return -ENOMEM;
1830 our_env[n_env++] = x;
1831 }
1832
fd63e712
LP		 1833 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1834 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1835 * check the database directly. */
ac647978 1836 if (p->flags & EXEC_NSS_BYPASS_BUS) {
fd63e712
LP		 1837 x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1838 if (!x)
1839 return -ENOMEM;
1840 our_env[n_env++] = x;
1841 }
1842
7cae38c4 1843 if (home) {
b910cc72 1844 x = strjoin("HOME=", home);
7cae38c4
LP		 1845 if (!x)
1846 return -ENOMEM;
7bbead1d
LP		 1847
1848 path_simplify(x + 5, true);
7cae38c4
LP		 1849 our_env[n_env++] = x;
1850 }
1851
1852 if (username) {
b910cc72 1853 x = strjoin("LOGNAME=", username);
7cae38c4
LP		 1854 if (!x)
1855 return -ENOMEM;
1856 our_env[n_env++] = x;
1857
b910cc72 1858 x = strjoin("USER=", username);
7cae38c4
LP		 1859 if (!x)
1860 return -ENOMEM;
1861 our_env[n_env++] = x;
1862 }
1863
1864 if (shell) {
b910cc72 1865 x = strjoin("SHELL=", shell);
7cae38c4
LP		 1866 if (!x)
1867 return -ENOMEM;
7bbead1d
LP		 1868
1869 path_simplify(x + 6, true);
7cae38c4
LP		 1870 our_env[n_env++] = x;
1871 }
1872
4b58153d
LP		 1873 if (!sd_id128_is_null(u->invocation_id)) {
1874 if (asprintf(&x, "INVOCATION_ID=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(u->invocation_id)) < 0)
1875 return -ENOMEM;
1876
1877 our_env[n_env++] = x;
1878 }
1879
6af760f3
LP		 1880 if (exec_context_needs_term(c)) {
1881 const char *tty_path, *term = NULL;
1882
1883 tty_path = exec_context_tty_path(c);
1884
e8cf09b2
LP		 1885 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try
1886 * to inherit the $TERM set for PID 1. This is useful for containers so that the $TERM the
1887 * container manager passes to PID 1 ends up all the way in the console login shown. */
6af760f3 1888
e8cf09b2 1889 if (path_equal_ptr(tty_path, "/dev/console") && getppid() == 1)
6af760f3 1890 term = getenv("TERM");
e8cf09b2 1891
6af760f3
LP		 1892 if (!term)
1893 term = default_term_for_tty(tty_path);
7cae38c4 1894
b910cc72 1895 x = strjoin("TERM=", term);
7cae38c4
LP		 1896 if (!x)
1897 return -ENOMEM;
1898 our_env[n_env++] = x;
1899 }
1900
7bce046b
LP		 1901 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1902 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1903 return -ENOMEM;
1904
1905 our_env[n_env++] = x;
1906 }
1907
91dd5f7c
LP		 1908 if (c->log_namespace) {
1909 x = strjoin("LOG_NAMESPACE=", c->log_namespace);
1910 if (!x)
1911 return -ENOMEM;
1912
1913 our_env[n_env++] = x;
1914 }
1915
5b10116e 1916 for (ExecDirectoryType t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
fb2042dd
YW		 1917 _cleanup_free_ char *pre = NULL, *joined = NULL;
1918 const char *n;
1919
1920 if (!p->prefix[t])
1921 continue;
1922
1923 if (strv_isempty(c->directories[t].paths))
1924 continue;
1925
1926 n = exec_directory_env_name_to_string(t);
1927 if (!n)
1928 continue;
1929
1930 pre = strjoin(p->prefix[t], "/");
1931 if (!pre)
1932 return -ENOMEM;
1933
48904c8b 1934 joined = strv_join_full(c->directories[t].paths, ":", pre, true);
fb2042dd
YW		 1935 if (!joined)
1936 return -ENOMEM;
1937
1938 x = strjoin(n, "=", joined);
1939 if (!x)
1940 return -ENOMEM;
1941
1942 our_env[n_env++] = x;
1943 }
1944
bb0c0d6f
LP		 1945 if (exec_context_has_credentials(c) && p->prefix[EXEC_DIRECTORY_RUNTIME]) {
1946 x = strjoin("CREDENTIALS_DIRECTORY=", p->prefix[EXEC_DIRECTORY_RUNTIME], "/credentials/", u->id);
1947 if (!x)
1948 return -ENOMEM;
1949
1950 our_env[n_env++] = x;
1951 }
1952
dc4e2940
YW		 1953 if (asprintf(&x, "SYSTEMD_EXEC_PID=" PID_FMT, getpid_cached()) < 0)
1954 return -ENOMEM;
1955
1956 our_env[n_env++] = x;
1957
7cae38c4 1958 our_env[n_env++] = NULL;
8d5bb13d
LP		 1959 assert(n_env <= N_ENV_VARS + _EXEC_DIRECTORY_TYPE_MAX);
1960#undef N_ENV_VARS
7cae38c4 1961
ae2a15bc 1962 *ret = TAKE_PTR(our_env);
7cae38c4
LP		 1963
1964 return 0;
1965}
1966
b4c14404
FB		 1967static int build_pass_environment(const ExecContext *c, char ***ret) {
1968 _cleanup_strv_free_ char **pass_env = NULL;
1969 size_t n_env = 0, n_bufsize = 0;
1970 char **i;
1971
1972 STRV_FOREACH(i, c->pass_environment) {
1973 _cleanup_free_ char *x = NULL;
1974 char *v;
1975
1976 v = getenv(*i);
1977 if (!v)
1978 continue;
605405c6 1979 x = strjoin(*i, "=", v);
b4c14404
FB		 1980 if (!x)
1981 return -ENOMEM;
00819cc1 1982
b4c14404
FB		 1983 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1984 return -ENOMEM;
00819cc1 1985
1cc6c93a 1986 pass_env[n_env++] = TAKE_PTR(x);
b4c14404 1987 pass_env[n_env] = NULL;
b4c14404
FB		 1988 }
1989
ae2a15bc 1990 *ret = TAKE_PTR(pass_env);
b4c14404
FB		 1991
1992 return 0;
1993}
1994
5e8deb94 1995bool exec_needs_mount_namespace(
8b44a3d2
LP		 1996 const ExecContext *context,
1997 const ExecParameters *params,
4657abb5 1998 const ExecRuntime *runtime) {
8b44a3d2
LP		 1999
2000 assert(context);
8b44a3d2 2001
915e6d16
LP		 2002 if (context->root_image)
2003 return true;
2004
2a624c36
AP		 2005 if (!strv_isempty(context->read_write_paths) ||
2006 !strv_isempty(context->read_only_paths) ||
ddc155b2
TM		 2007 !strv_isempty(context->inaccessible_paths) ||
2008 !strv_isempty(context->exec_paths) ||
2009 !strv_isempty(context->no_exec_paths))
8b44a3d2
LP		 2010 return true;
2011
42b1d8e0 2012 if (context->n_bind_mounts > 0)
d2d6c096
LP		 2013 return true;
2014
2abd4e38
YW		 2015 if (context->n_temporary_filesystems > 0)
2016 return true;
2017
b3d13314
LB		 2018 if (context->n_mount_images > 0)
2019 return true;
2020
37ed15d7 2021 if (!IN_SET(context->mount_flags, 0, MS_SHARED))
8b44a3d2
LP		 2022 return true;
2023
2024 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
2025 return true;
2026
8b44a3d2 2027 if (context->private_devices ||
228af36f 2028 context->private_mounts ||
8b44a3d2 2029 context->protect_system != PROTECT_SYSTEM_NO ||
59eeb84b
LP		 2030 context->protect_home != PROTECT_HOME_NO ||
2031 context->protect_kernel_tunables ||
c575770b 2032 context->protect_kernel_modules ||
94a7b275 2033 context->protect_kernel_logs ||
4e399953
LP		 2034 context->protect_control_groups ||
2035 context->protect_proc != PROTECT_PROC_DEFAULT ||
2036 context->proc_subset != PROC_SUBSET_ALL)
8b44a3d2
LP		 2037 return true;
2038
37c56f89 2039 if (context->root_directory) {
5e98086d 2040 if (exec_context_get_effective_mount_apivfs(context))
37c56f89
YW		 2041 return true;
2042
5b10116e 2043 for (ExecDirectoryType t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
5e8deb94 2044 if (params && !params->prefix[t])
37c56f89
YW		 2045 continue;
2046
2047 if (!strv_isempty(context->directories[t].paths))
2048 return true;
2049 }
2050 }
5d997827 2051
42b1d8e0 2052 if (context->dynamic_user &&
b43ee82f 2053 (!strv_isempty(context->directories[EXEC_DIRECTORY_STATE].paths) ||
42b1d8e0
YW		 2054 !strv_isempty(context->directories[EXEC_DIRECTORY_CACHE].paths) ||
2055 !strv_isempty(context->directories[EXEC_DIRECTORY_LOGS].paths)))
2056 return true;
2057
91dd5f7c
LP		 2058 if (context->log_namespace)
2059 return true;
2060
8b44a3d2
LP		 2061 return false;
2062}
2063
5749f855 2064static int setup_private_users(uid_t ouid, gid_t ogid, uid_t uid, gid_t gid) {
d251207d
LP		 2065 _cleanup_free_ char *uid_map = NULL, *gid_map = NULL;
2066 _cleanup_close_pair_ int errno_pipe[2] = { -1, -1 };
2067 _cleanup_close_ int unshare_ready_fd = -1;
2068 _cleanup_(sigkill_waitp) pid_t pid = 0;
2069 uint64_t c = 1;
d251207d
LP		 2070 ssize_t n;
2071 int r;
2072
5749f855
AZ		 2073 /* Set up a user namespace and map the original UID/GID (IDs from before any user or group changes, i.e.
2074 * the IDs from the user or system manager(s)) to itself, the selected UID/GID to itself, and everything else to
d251207d
LP		 2075 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
2076 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
2077 * which waits for the parent to create the new user namespace while staying in the original namespace. The
2078 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
5749f855
AZ		 2079 * continues execution normally.
2080 * For unprivileged users (i.e. without capabilities), the root to root mapping is excluded. As such, it
2081 * does not need CAP_SETUID to write the single line mapping to itself. */
d251207d 2082
5749f855
AZ		 2083 /* Can only set up multiple mappings with CAP_SETUID. */
2084 if (have_effective_cap(CAP_SETUID) && uid != ouid && uid_is_valid(uid))
587ab01b 2085 r = asprintf(&uid_map,
5749f855 2086 UID_FMT " " UID_FMT " 1\n" /* Map $OUID → $OUID */
587ab01b 2087 UID_FMT " " UID_FMT " 1\n", /* Map $UID → $UID */
5749f855
AZ		 2088 ouid, ouid, uid, uid);
2089 else
2090 r = asprintf(&uid_map,
2091 UID_FMT " " UID_FMT " 1\n", /* Map $OUID → $OUID */
2092 ouid, ouid);
d251207d 2093
5749f855
AZ		 2094 if (r < 0)
2095 return -ENOMEM;
2096
2097 /* Can only set up multiple mappings with CAP_SETGID. */
2098 if (have_effective_cap(CAP_SETGID) && gid != ogid && gid_is_valid(gid))
587ab01b 2099 r = asprintf(&gid_map,
5749f855 2100 GID_FMT " " GID_FMT " 1\n" /* Map $OGID → $OGID */
587ab01b 2101 GID_FMT " " GID_FMT " 1\n", /* Map $GID → $GID */
5749f855
AZ		 2102 ogid, ogid, gid, gid);
2103 else
2104 r = asprintf(&gid_map,
2105 GID_FMT " " GID_FMT " 1\n", /* Map $OGID -> $OGID */
2106 ogid, ogid);
2107
2108 if (r < 0)
2109 return -ENOMEM;
d251207d
LP		 2110
2111 /* Create a communication channel so that the parent can tell the child when it finished creating the user
2112 * namespace. */
2113 unshare_ready_fd = eventfd(0, EFD_CLOEXEC);
2114 if (unshare_ready_fd < 0)
2115 return -errno;
2116
2117 /* Create a communication channel so that the child can tell the parent a proper error code in case it
2118 * failed. */
2119 if (pipe2(errno_pipe, O_CLOEXEC) < 0)
2120 return -errno;
2121
4c253ed1
LP		 2122 r = safe_fork("(sd-userns)", FORK_RESET_SIGNALS|FORK_DEATHSIG, &pid);
2123 if (r < 0)
2124 return r;
2125 if (r == 0) {
d251207d
LP		 2126 _cleanup_close_ int fd = -1;
2127 const char *a;
2128 pid_t ppid;
2129
2130 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
2131 * here, after the parent opened its own user namespace. */
2132
2133 ppid = getppid();
2134 errno_pipe[0] = safe_close(errno_pipe[0]);
2135
2136 /* Wait until the parent unshared the user namespace */
2137 if (read(unshare_ready_fd, &c, sizeof(c)) < 0) {
2138 r = -errno;
2139 goto child_fail;
2140 }
2141
2142 /* Disable the setgroups() system call in the child user namespace, for good. */
2143 a = procfs_file_alloca(ppid, "setgroups");
2144 fd = open(a, O_WRONLY|O_CLOEXEC);
2145 if (fd < 0) {
2146 if (errno != ENOENT) {
2147 r = -errno;
2148 goto child_fail;
2149 }
2150
2151 /* If the file is missing the kernel is too old, let's continue anyway. */
2152 } else {
2153 if (write(fd, "deny\n", 5) < 0) {
2154 r = -errno;
2155 goto child_fail;
2156 }
2157
2158 fd = safe_close(fd);
2159 }
2160
2161 /* First write the GID map */
2162 a = procfs_file_alloca(ppid, "gid_map");
2163 fd = open(a, O_WRONLY|O_CLOEXEC);
2164 if (fd < 0) {
2165 r = -errno;
2166 goto child_fail;
2167 }
2168 if (write(fd, gid_map, strlen(gid_map)) < 0) {
2169 r = -errno;
2170 goto child_fail;
2171 }
2172 fd = safe_close(fd);
2173
2174 /* The write the UID map */
2175 a = procfs_file_alloca(ppid, "uid_map");
2176 fd = open(a, O_WRONLY|O_CLOEXEC);
2177 if (fd < 0) {
2178 r = -errno;
2179 goto child_fail;
2180 }
2181 if (write(fd, uid_map, strlen(uid_map)) < 0) {
2182 r = -errno;
2183 goto child_fail;
2184 }
2185
2186 _exit(EXIT_SUCCESS);
2187
2188 child_fail:
2189 (void) write(errno_pipe[1], &r, sizeof(r));
2190 _exit(EXIT_FAILURE);
2191 }
2192
2193 errno_pipe[1] = safe_close(errno_pipe[1]);
2194
2195 if (unshare(CLONE_NEWUSER) < 0)
2196 return -errno;
2197
2198 /* Let the child know that the namespace is ready now */
2199 if (write(unshare_ready_fd, &c, sizeof(c)) < 0)
2200 return -errno;
2201
2202 /* Try to read an error code from the child */
2203 n = read(errno_pipe[0], &r, sizeof(r));
2204 if (n < 0)
2205 return -errno;
2206 if (n == sizeof(r)) { /* an error code was sent to us */
2207 if (r < 0)
2208 return r;
2209 return -EIO;
2210 }
2211 if (n != 0) /* on success we should have read 0 bytes */
2212 return -EIO;
2213
2e87a1fd
LP		 2214 r = wait_for_terminate_and_check("(sd-userns)", pid, 0);
2215 pid = 0;
d251207d
LP		 2216 if (r < 0)
2217 return r;
2e87a1fd 2218 if (r != EXIT_SUCCESS) /* If something strange happened with the child, let's consider this fatal, too */
d251207d
LP		 2219 return -EIO;
2220
2221 return 0;
2222}
2223
494d0247
YW		 2224static bool exec_directory_is_private(const ExecContext *context, ExecDirectoryType type) {
2225 if (!context->dynamic_user)
2226 return false;
2227
2228 if (type == EXEC_DIRECTORY_CONFIGURATION)
2229 return false;
2230
2231 if (type == EXEC_DIRECTORY_RUNTIME && context->runtime_directory_preserve_mode == EXEC_PRESERVE_NO)
2232 return false;
2233
2234 return true;
2235}
2236
3536f49e 2237static int setup_exec_directory(
07689d5d
LP		 2238 const ExecContext *context,
2239 const ExecParameters *params,
2240 uid_t uid,
3536f49e 2241 gid_t gid,
3536f49e
YW		 2242 ExecDirectoryType type,
2243 int *exit_status) {
07689d5d 2244
72fd1768 2245 static const int exit_status_table[_EXEC_DIRECTORY_TYPE_MAX] = {
3536f49e
YW		 2246 [EXEC_DIRECTORY_RUNTIME] = EXIT_RUNTIME_DIRECTORY,
2247 [EXEC_DIRECTORY_STATE] = EXIT_STATE_DIRECTORY,
2248 [EXEC_DIRECTORY_CACHE] = EXIT_CACHE_DIRECTORY,
2249 [EXEC_DIRECTORY_LOGS] = EXIT_LOGS_DIRECTORY,
2250 [EXEC_DIRECTORY_CONFIGURATION] = EXIT_CONFIGURATION_DIRECTORY,
2251 };
07689d5d
LP		 2252 char **rt;
2253 int r;
2254
2255 assert(context);
2256 assert(params);
72fd1768 2257 assert(type >= 0 && type < _EXEC_DIRECTORY_TYPE_MAX);
3536f49e 2258 assert(exit_status);
07689d5d 2259
3536f49e
YW		 2260 if (!params->prefix[type])
2261 return 0;
2262
8679efde 2263 if (params->flags & EXEC_CHOWN_DIRECTORIES) {
3536f49e
YW		 2264 if (!uid_is_valid(uid))
2265 uid = 0;
2266 if (!gid_is_valid(gid))
2267 gid = 0;
2268 }
2269
2270 STRV_FOREACH(rt, context->directories[type].paths) {
6c47cd7d 2271 _cleanup_free_ char *p = NULL, *pp = NULL;
07689d5d 2272
edbfeb12 2273 p = path_join(params->prefix[type], *rt);
3536f49e
YW		 2274 if (!p) {
2275 r = -ENOMEM;
2276 goto fail;
2277 }
07689d5d 2278
23a7448e
YW		 2279 r = mkdir_parents_label(p, 0755);
2280 if (r < 0)
3536f49e 2281 goto fail;
23a7448e 2282
494d0247 2283 if (exec_directory_is_private(context, type)) {
6c9c51e5 2284 _cleanup_free_ char *private_root = NULL;
6c47cd7d 2285
3f5b1508
LP		 2286 /* So, here's one extra complication when dealing with DynamicUser=1 units. In that
2287 * case we want to avoid leaving a directory around fully accessible that is owned by
2288 * a dynamic user whose UID is later on reused. To lock this down we use the same
2289 * trick used by container managers to prohibit host users to get access to files of
2290 * the same UID in containers: we place everything inside a directory that has an
2291 * access mode of 0700 and is owned root:root, so that it acts as security boundary
2292 * for unprivileged host code. We then use fs namespacing to make this directory
2293 * permeable for the service itself.
6c47cd7d 2294 *
3f5b1508
LP		 2295 * Specifically: for a service which wants a special directory "foo/" we first create
2296 * a directory "private/" with access mode 0700 owned by root:root. Then we place
2297 * "foo" inside of that directory (i.e. "private/foo/"), and make "foo" a symlink to
2298 * "private/foo". This way, privileged host users can access "foo/" as usual, but
2299 * unprivileged host users can't look into it. Inside of the namespace of the unit
2300 * "private/" is replaced by a more liberally accessible tmpfs, into which the host's
2301 * "private/foo/" is mounted under the same name, thus disabling the access boundary
2302 * for the service and making sure it only gets access to the dirs it needs but no
2303 * others. Tricky? Yes, absolutely, but it works!
6c47cd7d 2304 *
3f5b1508
LP		 2305 * Note that we don't do this for EXEC_DIRECTORY_CONFIGURATION as that's assumed not
2306 * to be owned by the service itself.
2307 *
2308 * Also, note that we don't do this for EXEC_DIRECTORY_RUNTIME as that's often used
2309 * for sharing files or sockets with other services. */
6c47cd7d 2310
edbfeb12 2311 private_root = path_join(params->prefix[type], "private");
6c47cd7d
LP		 2312 if (!private_root) {
2313 r = -ENOMEM;
2314 goto fail;
2315 }
2316
2317 /* First set up private root if it doesn't exist yet, with access mode 0700 and owned by root:root */
37c1d5e9 2318 r = mkdir_safe_label(private_root, 0700, 0, 0, MKDIR_WARN_MODE);
6c47cd7d
LP		 2319 if (r < 0)
2320 goto fail;
2321
edbfeb12 2322 pp = path_join(private_root, *rt);
6c47cd7d
LP		 2323 if (!pp) {
2324 r = -ENOMEM;
2325 goto fail;
2326 }
2327
2328 /* Create all directories between the configured directory and this private root, and mark them 0755 */
2329 r = mkdir_parents_label(pp, 0755);
2330 if (r < 0)
2331 goto fail;
2332
949befd3
LP		 2333 if (is_dir(p, false) > 0 &&
2334 (laccess(pp, F_OK) < 0 && errno == ENOENT)) {
2335
2336 /* Hmm, the private directory doesn't exist yet, but the normal one exists? If so, move
2337 * it over. Most likely the service has been upgraded from one that didn't use
2338 * DynamicUser=1, to one that does. */
2339
cf52c45d
LP		 2340 log_info("Found pre-existing public %s= directory %s, migrating to %s.\n"
2341 "Apparently, service previously had DynamicUser= turned off, and has now turned it on.",
2342 exec_directory_type_to_string(type), p, pp);
2343
949befd3
LP		 2344 if (rename(p, pp) < 0) {
2345 r = -errno;
2346 goto fail;
2347 }
2348 } else {
2349 /* Otherwise, create the actual directory for the service */
2350
2351 r = mkdir_label(pp, context->directories[type].mode);
2352 if (r < 0 && r != -EEXIST)
2353 goto fail;
2354 }
6c47cd7d 2355
6c47cd7d 2356 /* And link it up from the original place */
6c9c51e5 2357 r = symlink_idempotent(pp, p, true);
6c47cd7d
LP		 2358 if (r < 0)
2359 goto fail;
2360
6c47cd7d 2361 } else {
5c6d40d1
LP		 2362 _cleanup_free_ char *target = NULL;
2363
2364 if (type != EXEC_DIRECTORY_CONFIGURATION &&
2365 readlink_and_make_absolute(p, &target) >= 0) {
578dc69f 2366 _cleanup_free_ char *q = NULL, *q_resolved = NULL, *target_resolved = NULL;
5c6d40d1
LP		 2367
2368 /* This already exists and is a symlink? Interesting. Maybe it's one created
2193f17c
LP		 2369 * by DynamicUser=1 (see above)?
2370 *
2371 * We do this for all directory types except for ConfigurationDirectory=,
2372 * since they all support the private/ symlink logic at least in some
2373 * configurations, see above. */
5c6d40d1 2374
578dc69f
YW		 2375 r = chase_symlinks(target, NULL, 0, &target_resolved, NULL);
2376 if (r < 0)
2377 goto fail;
2378
5c6d40d1
LP		 2379 q = path_join(params->prefix[type], "private", *rt);
2380 if (!q) {
2381 r = -ENOMEM;
2382 goto fail;
2383 }
2384
578dc69f
YW		 2385 /* /var/lib or friends may be symlinks. So, let's chase them also. */
2386 r = chase_symlinks(q, NULL, CHASE_NONEXISTENT, &q_resolved, NULL);
2387 if (r < 0)
2388 goto fail;
2389
2390 if (path_equal(q_resolved, target_resolved)) {
5c6d40d1
LP		 2391
2392 /* Hmm, apparently DynamicUser= was once turned on for this service,
2393 * but is no longer. Let's move the directory back up. */
2394
cf52c45d
LP		 2395 log_info("Found pre-existing private %s= directory %s, migrating to %s.\n"
2396 "Apparently, service previously had DynamicUser= turned on, and has now turned it off.",
2397 exec_directory_type_to_string(type), q, p);
2398
5c6d40d1
LP		 2399 if (unlink(p) < 0) {
2400 r = -errno;
2401 goto fail;
2402 }
2403
2404 if (rename(q, p) < 0) {
2405 r = -errno;
2406 goto fail;
2407 }
2408 }
2409 }
2410
6c47cd7d 2411 r = mkdir_label(p, context->directories[type].mode);
d484580c 2412 if (r < 0) {
d484580c
LP		 2413 if (r != -EEXIST)
2414 goto fail;
2415
206e9864
LP		 2416 if (type == EXEC_DIRECTORY_CONFIGURATION) {
2417 struct stat st;
2418
2419 /* Don't change the owner/access mode of the configuration directory,
2420 * as in the common case it is not written to by a service, and shall
2421 * not be writable. */
2422
2423 if (stat(p, &st) < 0) {
2424 r = -errno;
2425 goto fail;
2426 }
2427
2428 /* Still complain if the access mode doesn't match */
2429 if (((st.st_mode ^ context->directories[type].mode) & 07777) != 0)
2430 log_warning("%s \'%s\' already exists but the mode is different. "
2431 "(File system: %o %sMode: %o)",
2432 exec_directory_type_to_string(type), *rt,
2433 st.st_mode & 07777, exec_directory_type_to_string(type), context->directories[type].mode & 07777);
2434
6cff72eb 2435 continue;
206e9864 2436 }
6cff72eb 2437 }
a1164ae3 2438 }
07689d5d 2439
206e9864 2440 /* Lock down the access mode (we use chmod_and_chown() to make this idempotent. We don't
5238e957 2441 * specify UID/GID here, so that path_chown_recursive() can optimize things depending on the
206e9864
LP		 2442 * current UID/GID ownership.) */
2443 r = chmod_and_chown(pp ?: p, context->directories[type].mode, UID_INVALID, GID_INVALID);
2444 if (r < 0)
2445 goto fail;
c71b2eb7 2446
607b358e
LP		 2447 /* Then, change the ownership of the whole tree, if necessary. When dynamic users are used we
2448 * drop the suid/sgid bits, since we really don't want SUID/SGID files for dynamic UID/GID
2449 * assignments to exist.*/
2450 r = path_chown_recursive(pp ?: p, uid, gid, context->dynamic_user ? 01777 : 07777);
07689d5d 2451 if (r < 0)
3536f49e 2452 goto fail;
07689d5d
LP		 2453 }
2454
2455 return 0;
3536f49e
YW		 2456
2457fail:
2458 *exit_status = exit_status_table[type];
3536f49e 2459 return r;
07689d5d
LP		 2460}
2461
bb0c0d6f
LP		 2462static int write_credential(
2463 int dfd,
2464 const char *id,
2465 const void *data,
2466 size_t size,
2467 uid_t uid,
2468 bool ownership_ok) {
2469
2470 _cleanup_(unlink_and_freep) char *tmp = NULL;
2471 _cleanup_close_ int fd = -1;
2472 int r;
2473
2474 r = tempfn_random_child("", "cred", &tmp);
2475 if (r < 0)
2476 return r;
2477
2478 fd = openat(dfd, tmp, O_CREAT|O_RDWR|O_CLOEXEC|O_EXCL|O_NOFOLLOW|O_NOCTTY, 0600);
2479 if (fd < 0) {
2480 tmp = mfree(tmp);
2481 return -errno;
2482 }
2483
2484 r = loop_write(fd, data, size, /* do_pool = */ false);
2485 if (r < 0)
2486 return r;
2487
2488 if (fchmod(fd, 0400) < 0) /* Take away "w" bit */
2489 return -errno;
2490
2491 if (uid_is_valid(uid) && uid != getuid()) {
567aeb58 2492 r = fd_add_uid_acl_permission(fd, uid, ACL_READ);
bb0c0d6f
LP		 2493 if (r < 0) {
2494 if (!ERRNO_IS_NOT_SUPPORTED(r) && !ERRNO_IS_PRIVILEGE(r))
2495 return r;
2496
2497 if (!ownership_ok) /* Ideally we use ACLs, since we can neatly express what we want
2498 * to express: that the user gets read access and nothing
2499 * else. But if the backing fs can't support that (e.g. ramfs)
2500 * then we can use file ownership instead. But that's only safe if
2501 * we can then re-mount the whole thing read-only, so that the
2502 * user can no longer chmod() the file to gain write access. */
2503 return r;
2504
2505 if (fchown(fd, uid, (gid_t) -1) < 0)
2506 return -errno;
2507 }
2508 }
2509
2510 if (renameat(dfd, tmp, dfd, id) < 0)
2511 return -errno;
2512
2513 tmp = mfree(tmp);
2514 return 0;
2515}
2516
2517#define CREDENTIALS_BYTES_MAX (1024LU * 1024LU) /* Refuse to pass more than 1M, after all this is unswappable memory */
2518
2519static int acquire_credentials(
2520 const ExecContext *context,
2521 const ExecParameters *params,
d3dcf4e3 2522 const char *unit,
bb0c0d6f
LP		 2523 const char *p,
2524 uid_t uid,
2525 bool ownership_ok) {
2526
2527 uint64_t left = CREDENTIALS_BYTES_MAX;
2528 _cleanup_close_ int dfd = -1;
2529 ExecSetCredential *sc;
2530 char **id, **fn;
bb0c0d6f
LP		 2531 int r;
2532
2533 assert(context);
2534 assert(p);
2535
2536 dfd = open(p, O_DIRECTORY|O_CLOEXEC);
2537 if (dfd < 0)
2538 return -errno;
2539
69e3234d 2540 /* First we use the literally specified credentials. Note that they might be overridden again below,
bb0c0d6f 2541 * and thus act as a "default" if the same credential is specified multiple times */
90e74a66 2542 HASHMAP_FOREACH(sc, context->set_credentials) {
bb0c0d6f
LP		 2543 size_t add;
2544
2545 add = strlen(sc->id) + sc->size;
2546 if (add > left)
2547 return -E2BIG;
2548
2549 r = write_credential(dfd, sc->id, sc->data, sc->size, uid, ownership_ok);
2550 if (r < 0)
2551 return r;
2552
2553 left -= add;
2554 }
2555
2556 /* Then, load credential off disk (or acquire via AF_UNIX socket) */
2557 STRV_FOREACH_PAIR(id, fn, context->load_credentials) {
2558 ReadFullFileFlags flags = READ_FULL_FILE_SECURE;
2559 _cleanup_(erase_and_freep) char *data = NULL;
d3dcf4e3 2560 _cleanup_free_ char *j = NULL, *bindname = NULL;
bb0c0d6f
LP		 2561 const char *source;
2562 size_t size, add;
2563
2564 if (path_is_absolute(*fn)) {
2565 /* If this is an absolute path, read the data directly from it, and support AF_UNIX sockets */
2566 source = *fn;
2567 flags |= READ_FULL_FILE_CONNECT_SOCKET;
d3dcf4e3
LP		 2568
2569 /* Pass some minimal info about the unit and the credential name we are looking to acquire
2570 * via the source socket address in case we read off an AF_UNIX socket. */
2571 if (asprintf(&bindname, "@%" PRIx64"/unit/%s/%s", random_u64(), unit, *id) < 0)
2572 return -ENOMEM;
2573
bb0c0d6f
LP		 2574 } else if (params->received_credentials) {
2575 /* If this is a relative path, take it relative to the credentials we received
2576 * ourselves. We don't support the AF_UNIX stuff in this mode, since we are operating
2577 * on a credential store, i.e. this is guaranteed to be regular files. */
2578 j = path_join(params->received_credentials, *fn);
2579 if (!j)
2580 return -ENOMEM;
2581
2582 source = j;
2583 } else
2584 source = NULL;
2585
d3dcf4e3 2586
bb0c0d6f 2587 if (source)
986311c2 2588 r = read_full_file_full(AT_FDCWD, source, UINT64_MAX, SIZE_MAX, flags, bindname, &data, &size);
bb0c0d6f
LP		 2589 else
2590 r = -ENOENT;
2591 if (r == -ENOENT &&
2592 faccessat(dfd, *id, F_OK, AT_SYMLINK_NOFOLLOW) >= 0) /* If the source file doesn't exist, but we already acquired the key otherwise, then don't fail */
2593 continue;
2594 if (r < 0)
2595 return r;
2596
2597 add = strlen(*id) + size;
2598 if (add > left)
2599 return -E2BIG;
2600
2601 r = write_credential(dfd, *id, data, size, uid, ownership_ok);
2602 if (r < 0)
2603 return r;
2604
2605 left -= add;
2606 }
2607
2608 if (fchmod(dfd, 0500) < 0) /* Now take away the "w" bit */
2609 return -errno;
2610
2611 /* After we created all keys with the right perms, also make sure the credential store as a whole is
2612 * accessible */
2613
2614 if (uid_is_valid(uid) && uid != getuid()) {
567aeb58 2615 r = fd_add_uid_acl_permission(dfd, uid, ACL_READ | ACL_EXECUTE);
bb0c0d6f
LP		 2616 if (r < 0) {
2617 if (!ERRNO_IS_NOT_SUPPORTED(r) && !ERRNO_IS_PRIVILEGE(r))
2618 return r;
2619
2620 if (!ownership_ok)
2621 return r;
2622
2623 if (fchown(dfd, uid, (gid_t) -1) < 0)
2624 return -errno;
2625 }
2626 }
2627
2628 return 0;
2629}
2630
2631static int setup_credentials_internal(
2632 const ExecContext *context,
2633 const ExecParameters *params,
d3dcf4e3 2634 const char *unit,
bb0c0d6f
LP		 2635 const char *final, /* This is where the credential store shall eventually end up at */
2636 const char *workspace, /* This is where we can prepare it before moving it to the final place */
2637 bool reuse_workspace, /* Whether to reuse any existing workspace mount if it already is a mount */
2638 bool must_mount, /* Whether to require that we mount something, it's not OK to use the plain directory fall back */
2639 uid_t uid) {
2640
2641 int r, workspace_mounted; /* negative if we don't know yet whether we have/can mount something; true
2642 * if we mounted something; false if we definitely can't mount anything */
2643 bool final_mounted;
2644 const char *where;
2645
2646 assert(context);
2647 assert(final);
2648 assert(workspace);
2649
2650 if (reuse_workspace) {
2651 r = path_is_mount_point(workspace, NULL, 0);
2652 if (r < 0)
2653 return r;
2654 if (r > 0)
2655 workspace_mounted = true; /* If this is already a mount, and we are supposed to reuse it, let's keep this in mind */
2656 else
2657 workspace_mounted = -1; /* We need to figure out if we can mount something to the workspace */
2658 } else
2659 workspace_mounted = -1; /* ditto */
2660
2661 r = path_is_mount_point(final, NULL, 0);
2662 if (r < 0)
2663 return r;
2664 if (r > 0) {
2665 /* If the final place already has something mounted, we use that. If the workspace also has
2666 * something mounted we assume it's actually the same mount (but with MS_RDONLY
2667 * different). */
2668 final_mounted = true;
2669
2670 if (workspace_mounted < 0) {
2671 /* If the final place is mounted, but the workspace we isn't, then let's bind mount
2672 * the final version to the workspace, and make it writable, so that we can make
2673 * changes */
2674
21935150
LP		 2675 r = mount_nofollow_verbose(LOG_DEBUG, final, workspace, NULL, MS_BIND|MS_REC, NULL);
2676 if (r < 0)
2677 return r;
bb0c0d6f 2678
21935150
LP		 2679 r = mount_nofollow_verbose(LOG_DEBUG, NULL, workspace, NULL, MS_BIND|MS_REMOUNT|MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL);
2680 if (r < 0)
2681 return r;
bb0c0d6f
LP		 2682
2683 workspace_mounted = true;
2684 }
2685 } else
2686 final_mounted = false;
2687
2688 if (workspace_mounted < 0) {
2689 /* Nothing is mounted on the workspace yet, let's try to mount something now */
2690 for (int try = 0;; try++) {
2691
2692 if (try == 0) {
2693 /* Try "ramfs" first, since it's not swap backed */
21935150
LP		 2694 r = mount_nofollow_verbose(LOG_DEBUG, "ramfs", workspace, "ramfs", MS_NODEV|MS_NOEXEC|MS_NOSUID, "mode=0700");
2695 if (r >= 0) {
bb0c0d6f
LP		 2696 workspace_mounted = true;
2697 break;
2698 }
2699
2700 } else if (try == 1) {
2701 _cleanup_free_ char *opts = NULL;
2702
2703 if (asprintf(&opts, "mode=0700,nr_inodes=1024,size=%lu", CREDENTIALS_BYTES_MAX) < 0)
2704 return -ENOMEM;
2705
2706 /* Fall back to "tmpfs" otherwise */
21935150
LP		 2707 r = mount_nofollow_verbose(LOG_DEBUG, "tmpfs", workspace, "tmpfs", MS_NODEV|MS_NOEXEC|MS_NOSUID, opts);
2708 if (r >= 0) {
bb0c0d6f
LP		 2709 workspace_mounted = true;
2710 break;
2711 }
2712
2713 } else {
2714 /* If that didn't work, try to make a bind mount from the final to the workspace, so that we can make it writable there. */
21935150
LP		 2715 r = mount_nofollow_verbose(LOG_DEBUG, final, workspace, NULL, MS_BIND|MS_REC, NULL);
2716 if (r < 0) {
2717 if (!ERRNO_IS_PRIVILEGE(r)) /* Propagate anything that isn't a permission problem */
2718 return r;
bb0c0d6f
LP		 2719
2720 if (must_mount) /* If we it's not OK to use the plain directory
2721 * fallback, propagate all errors too */
21935150 2722 return r;
bb0c0d6f
LP		 2723
2724 /* If we lack privileges to bind mount stuff, then let's gracefully
2725 * proceed for compat with container envs, and just use the final dir
2726 * as is. */
2727
2728 workspace_mounted = false;
2729 break;
2730 }
2731
2732 /* Make the new bind mount writable (i.e. drop MS_RDONLY) */
21935150
LP		 2733 r = mount_nofollow_verbose(LOG_DEBUG, NULL, workspace, NULL, MS_BIND|MS_REMOUNT|MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL);
2734 if (r < 0)
2735 return r;
bb0c0d6f
LP		 2736
2737 workspace_mounted = true;
2738 break;
2739 }
2740 }
2741 }
2742
2743 assert(!must_mount || workspace_mounted > 0);
2744 where = workspace_mounted ? workspace : final;
2745
d3dcf4e3 2746 r = acquire_credentials(context, params, unit, where, uid, workspace_mounted);
bb0c0d6f
LP		 2747 if (r < 0)
2748 return r;
2749
2750 if (workspace_mounted) {
2751 /* Make workspace read-only now, so that any bind mount we make from it defaults to read-only too */
21935150
LP		 2752 r = mount_nofollow_verbose(LOG_DEBUG, NULL, workspace, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL);
2753 if (r < 0)
2754 return r;
bb0c0d6f
LP		 2755
2756 /* And mount it to the final place, read-only */
21935150
LP		 2757 if (final_mounted)
2758 r = umount_verbose(LOG_DEBUG, workspace, MNT_DETACH|UMOUNT_NOFOLLOW);
2759 else
2760 r = mount_nofollow_verbose(LOG_DEBUG, workspace, final, NULL, MS_MOVE, NULL);
2761 if (r < 0)
2762 return r;
bb0c0d6f
LP		 2763 } else {
2764 _cleanup_free_ char *parent = NULL;
2765
2766 /* If we do not have our own mount put used the plain directory fallback, then we need to
2767 * open access to the top-level credential directory and the per-service directory now */
2768
2769 parent = dirname_malloc(final);
2770 if (!parent)
2771 return -ENOMEM;
2772 if (chmod(parent, 0755) < 0)
2773 return -errno;
2774 }
2775
2776 return 0;
2777}
2778
2779static int setup_credentials(
2780 const ExecContext *context,
2781 const ExecParameters *params,
2782 const char *unit,
2783 uid_t uid) {
2784
2785 _cleanup_free_ char *p = NULL, *q = NULL;
2786 const char *i;
2787 int r;
2788
2789 assert(context);
2790 assert(params);
2791
2792 if (!exec_context_has_credentials(context))
2793 return 0;
2794
2795 if (!params->prefix[EXEC_DIRECTORY_RUNTIME])
2796 return -EINVAL;
2797
2798 /* This where we'll place stuff when we are done; this main credentials directory is world-readable,
2799 * and the subdir we mount over with a read-only file system readable by the service's user */
2800 q = path_join(params->prefix[EXEC_DIRECTORY_RUNTIME], "credentials");
2801 if (!q)
2802 return -ENOMEM;
2803
2804 r = mkdir_label(q, 0755); /* top-level dir: world readable/searchable */
2805 if (r < 0 && r != -EEXIST)
2806 return r;
2807
2808 p = path_join(q, unit);
2809 if (!p)
2810 return -ENOMEM;
2811
2812 r = mkdir_label(p, 0700); /* per-unit dir: private to user */
2813 if (r < 0 && r != -EEXIST)
2814 return r;
2815
2816 r = safe_fork("(sd-mkdcreds)", FORK_DEATHSIG|FORK_WAIT|FORK_NEW_MOUNTNS, NULL);
2817 if (r < 0) {
2818 _cleanup_free_ char *t = NULL, *u = NULL;
2819
2820 /* If this is not a privilege or support issue then propagate the error */
2821 if (!ERRNO_IS_NOT_SUPPORTED(r) && !ERRNO_IS_PRIVILEGE(r))
2822 return r;
2823
2824 /* Temporary workspace, that remains inaccessible all the time. We prepare stuff there before moving
2825 * it into place, so that users can't access half-initialized credential stores. */
2826 t = path_join(params->prefix[EXEC_DIRECTORY_RUNTIME], "systemd/temporary-credentials");
2827 if (!t)
2828 return -ENOMEM;
2829
2830 /* We can't set up a mount namespace. In that case operate on a fixed, inaccessible per-unit
2831 * directory outside of /run/credentials/ first, and then move it over to /run/credentials/
2832 * after it is fully set up */
2833 u = path_join(t, unit);
2834 if (!u)
2835 return -ENOMEM;
2836
2837 FOREACH_STRING(i, t, u) {
2838 r = mkdir_label(i, 0700);
2839 if (r < 0 && r != -EEXIST)
2840 return r;
2841 }
2842
2843 r = setup_credentials_internal(
2844 context,
2845 params,
d3dcf4e3 2846 unit,
bb0c0d6f
LP		 2847 p, /* final mount point */
2848 u, /* temporary workspace to overmount */
2849 true, /* reuse the workspace if it is already a mount */
2850 false, /* it's OK to fall back to a plain directory if we can't mount anything */
2851 uid);
2852
2853 (void) rmdir(u); /* remove the workspace again if we can. */
2854
2855 if (r < 0)
2856 return r;
2857
2858 } else if (r == 0) {
2859
2860 /* We managed to set up a mount namespace, and are now in a child. That's great. In this case
2861 * we can use the same directory for all cases, after turning off propagation. Question
2862 * though is: where do we turn off propagation exactly, and where do we place the workspace
2863 * directory? We need some place that is guaranteed to be a mount point in the host, and
2864 * which is guaranteed to have a subdir we can mount over. /run/ is not suitable for this,
2865 * since we ultimately want to move the resulting file system there, i.e. we need propagation
2866 * for /run/ eventually. We could use our own /run/systemd/bind mount on itself, but that
2867 * would be visible in the host mount table all the time, which we want to avoid. Hence, what
2868 * we do here instead we use /dev/ and /dev/shm/ for our purposes. We know for sure that
2869 * /dev/ is a mount point and we now for sure that /dev/shm/ exists. Hence we can turn off
2870 * propagation on the former, and then overmount the latter.
2871 *
2872 * Yes it's nasty playing games with /dev/ and /dev/shm/ like this, since it does not exist
2873 * for this purpose, but there are few other candidates that work equally well for us, and
2874 * given that the we do this in a privately namespaced short-lived single-threaded process
69e3234d 2875 * that no one else sees this should be OK to do.*/
bb0c0d6f 2876
21935150
LP		 2877 r = mount_nofollow_verbose(LOG_DEBUG, NULL, "/dev", NULL, MS_SLAVE|MS_REC, NULL); /* Turn off propagation from our namespace to host */
2878 if (r < 0)
bb0c0d6f
LP		 2879 goto child_fail;
2880
2881 r = setup_credentials_internal(
2882 context,
2883 params,
d3dcf4e3 2884 unit,
bb0c0d6f
LP		 2885 p, /* final mount point */
2886 "/dev/shm", /* temporary workspace to overmount */
2887 false, /* do not reuse /dev/shm if it is already a mount, under no circumstances */
2888 true, /* insist that something is mounted, do not allow fallback to plain directory */
2889 uid);
2890 if (r < 0)
2891 goto child_fail;
2892
2893 _exit(EXIT_SUCCESS);
2894
2895 child_fail:
2896 _exit(EXIT_FAILURE);
2897 }
2898
2899 return 0;
2900}
2901
92b423b9 2902#if ENABLE_SMACK
cefc33ae
LP		 2903static int setup_smack(
2904 const ExecContext *context,
b83d5050 2905 int executable_fd) {
cefc33ae
LP		 2906 int r;
2907
2908 assert(context);
b83d5050 2909 assert(executable_fd >= 0);
cefc33ae 2910
cefc33ae
LP		 2911 if (context->smack_process_label) {
2912 r = mac_smack_apply_pid(0, context->smack_process_label);
2913 if (r < 0)
2914 return r;
2915 }
2916#ifdef SMACK_DEFAULT_PROCESS_LABEL
2917 else {
2918 _cleanup_free_ char *exec_label = NULL;
2919
b83d5050 2920 r = mac_smack_read_fd(executable_fd, SMACK_ATTR_EXEC, &exec_label);
4c701096 2921 if (r < 0 && !IN_SET(r, -ENODATA, -EOPNOTSUPP))
cefc33ae
LP		 2922 return r;
2923
2924 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
2925 if (r < 0)
2926 return r;
2927 }
cefc33ae
LP		 2928#endif
2929
2930 return 0;
2931}
92b423b9 2932#endif
cefc33ae 2933
6c47cd7d
LP		 2934static int compile_bind_mounts(
2935 const ExecContext *context,
2936 const ExecParameters *params,
2937 BindMount **ret_bind_mounts,
da6053d0 2938 size_t *ret_n_bind_mounts,
6c47cd7d
LP		 2939 char ***ret_empty_directories) {
2940
2941 _cleanup_strv_free_ char **empty_directories = NULL;
2942 BindMount *bind_mounts;
5b10116e 2943 size_t n, h = 0;
6c47cd7d
LP		 2944 int r;
2945
2946 assert(context);
2947 assert(params);
2948 assert(ret_bind_mounts);
2949 assert(ret_n_bind_mounts);
2950 assert(ret_empty_directories);
2951
2952 n = context->n_bind_mounts;
5b10116e 2953 for (ExecDirectoryType t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
6c47cd7d
LP		 2954 if (!params->prefix[t])
2955 continue;
2956
2957 n += strv_length(context->directories[t].paths);
2958 }
2959
2960 if (n <= 0) {
2961 *ret_bind_mounts = NULL;
2962 *ret_n_bind_mounts = 0;
2963 *ret_empty_directories = NULL;
2964 return 0;
2965 }
2966
2967 bind_mounts = new(BindMount, n);
2968 if (!bind_mounts)
2969 return -ENOMEM;
2970
5b10116e 2971 for (size_t i = 0; i < context->n_bind_mounts; i++) {
6c47cd7d
LP		 2972 BindMount *item = context->bind_mounts + i;
2973 char *s, *d;
2974
2975 s = strdup(item->source);
2976 if (!s) {
2977 r = -ENOMEM;
2978 goto finish;
2979 }
2980
2981 d = strdup(item->destination);
2982 if (!d) {
2983 free(s);
2984 r = -ENOMEM;
2985 goto finish;
2986 }
2987
2988 bind_mounts[h++] = (BindMount) {
2989 .source = s,
2990 .destination = d,
2991 .read_only = item->read_only,
2992 .recursive = item->recursive,
2993 .ignore_enoent = item->ignore_enoent,
2994 };
2995 }
2996
5b10116e 2997 for (ExecDirectoryType t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
6c47cd7d
LP		 2998 char **suffix;
2999
3000 if (!params->prefix[t])
3001 continue;
3002
3003 if (strv_isempty(context->directories[t].paths))
3004 continue;
3005
494d0247 3006 if (exec_directory_is_private(context, t) &&
74e12520 3007 !exec_context_with_rootfs(context)) {
6c47cd7d
LP		 3008 char *private_root;
3009
3010 /* So this is for a dynamic user, and we need to make sure the process can access its own
3011 * directory. For that we overmount the usually inaccessible "private" subdirectory with a
3012 * tmpfs that makes it accessible and is empty except for the submounts we do this for. */
3013
657ee2d8 3014 private_root = path_join(params->prefix[t], "private");
6c47cd7d
LP		 3015 if (!private_root) {
3016 r = -ENOMEM;
3017 goto finish;
3018 }
3019
3020 r = strv_consume(&empty_directories, private_root);
a635a7ae 3021 if (r < 0)
6c47cd7d 3022 goto finish;
6c47cd7d
LP		 3023 }
3024
3025 STRV_FOREACH(suffix, context->directories[t].paths) {
3026 char *s, *d;
3027
494d0247 3028 if (exec_directory_is_private(context, t))
657ee2d8 3029 s = path_join(params->prefix[t], "private", *suffix);
6c47cd7d 3030 else
657ee2d8 3031 s = path_join(params->prefix[t], *suffix);
6c47cd7d
LP		 3032 if (!s) {
3033 r = -ENOMEM;
3034 goto finish;
3035 }
3036
494d0247 3037 if (exec_directory_is_private(context, t) &&
74e12520 3038 exec_context_with_rootfs(context))
5609f688
YW		 3039 /* When RootDirectory= or RootImage= are set, then the symbolic link to the private
3040 * directory is not created on the root directory. So, let's bind-mount the directory
3041 * on the 'non-private' place. */
657ee2d8 3042 d = path_join(params->prefix[t], *suffix);
5609f688
YW		 3043 else
3044 d = strdup(s);
6c47cd7d
LP		 3045 if (!d) {
3046 free(s);
3047 r = -ENOMEM;
3048 goto finish;
3049 }
3050
3051 bind_mounts[h++] = (BindMount) {
3052 .source = s,
3053 .destination = d,
3054 .read_only = false,
9ce4e4b0 3055 .nosuid = context->dynamic_user, /* don't allow suid/sgid when DynamicUser= is on */
6c47cd7d
LP		 3056 .recursive = true,
3057 .ignore_enoent = false,
3058 };
3059 }
3060 }
3061
3062 assert(h == n);
3063
3064 *ret_bind_mounts = bind_mounts;
3065 *ret_n_bind_mounts = n;
ae2a15bc 3066 *ret_empty_directories = TAKE_PTR(empty_directories);
6c47cd7d
LP		 3067
3068 return (int) n;
3069
3070finish:
3071 bind_mount_free_many(bind_mounts, h);
3072 return r;
3073}
3074
4e677599
LP		 3075static bool insist_on_sandboxing(
3076 const ExecContext *context,
3077 const char *root_dir,
3078 const char *root_image,
3079 const BindMount *bind_mounts,
3080 size_t n_bind_mounts) {
3081
4e677599
LP		 3082 assert(context);
3083 assert(n_bind_mounts == 0 || bind_mounts);
3084
3085 /* Checks whether we need to insist on fs namespacing. i.e. whether we have settings configured that
86b52a39 3086 * would alter the view on the file system beyond making things read-only or invisible, i.e. would
4e677599
LP		 3087 * rearrange stuff in a way we cannot ignore gracefully. */
3088
3089 if (context->n_temporary_filesystems > 0)
3090 return true;
3091
3092 if (root_dir || root_image)
3093 return true;
3094
b3d13314
LB		 3095 if (context->n_mount_images > 0)
3096 return true;
3097
4e677599
LP		 3098 if (context->dynamic_user)
3099 return true;
3100
3101 /* If there are any bind mounts set that don't map back onto themselves, fs namespacing becomes
3102 * essential. */
5b10116e 3103 for (size_t i = 0; i < n_bind_mounts; i++)
4e677599
LP		 3104 if (!path_equal(bind_mounts[i].source, bind_mounts[i].destination))
3105 return true;
3106
91dd5f7c
LP		 3107 if (context->log_namespace)
3108 return true;
3109
4e677599
LP		 3110 return false;
3111}
3112
6818c54c 3113static int apply_mount_namespace(
34cf6c43 3114 const Unit *u,
9f71ba8d 3115 ExecCommandFlags command_flags,
6818c54c
LP		 3116 const ExecContext *context,
3117 const ExecParameters *params,
7cc5ef5f
ZJS		 3118 const ExecRuntime *runtime,
3119 char **error_path) {
6818c54c 3120
7bcef4ef 3121 _cleanup_strv_free_ char **empty_directories = NULL;
56a13a49 3122 const char *tmp_dir = NULL, *var_tmp_dir = NULL;
915e6d16 3123 const char *root_dir = NULL, *root_image = NULL;
5e8deb94 3124 _cleanup_free_ char *creds_path = NULL, *incoming_dir = NULL, *propagate_dir = NULL;
228af36f 3125 NamespaceInfo ns_info;
165a31c0 3126 bool needs_sandboxing;
6c47cd7d 3127 BindMount *bind_mounts = NULL;
da6053d0 3128 size_t n_bind_mounts = 0;
6818c54c 3129 int r;
93c6bb51 3130
2b3c1b9e
DH		 3131 assert(context);
3132
915e6d16
LP		 3133 if (params->flags & EXEC_APPLY_CHROOT) {
3134 root_image = context->root_image;
3135
3136 if (!root_image)
3137 root_dir = context->root_directory;
3138 }
93c6bb51 3139
6c47cd7d
LP		 3140 r = compile_bind_mounts(context, params, &bind_mounts, &n_bind_mounts, &empty_directories);
3141 if (r < 0)
3142 return r;
3143
9f71ba8d 3144 needs_sandboxing = (params->flags & EXEC_APPLY_SANDBOXING) && !(command_flags & EXEC_COMMAND_FULLY_PRIVILEGED);
ecf63c91
NJ		 3145 if (needs_sandboxing) {
3146 /* The runtime struct only contains the parent of the private /tmp,
3147 * which is non-accessible to world users. Inside of it there's a /tmp
56a13a49
ZJS		 3148 * that is sticky, and that's the one we want to use here.
3149 * This does not apply when we are using /run/systemd/empty as fallback. */
ecf63c91
NJ		 3150
3151 if (context->private_tmp && runtime) {
56a13a49
ZJS		 3152 if (streq_ptr(runtime->tmp_dir, RUN_SYSTEMD_EMPTY))
3153 tmp_dir = runtime->tmp_dir;
3154 else if (runtime->tmp_dir)
3155 tmp_dir = strjoina(runtime->tmp_dir, "/tmp");
3156
3157 if (streq_ptr(runtime->var_tmp_dir, RUN_SYSTEMD_EMPTY))
3158 var_tmp_dir = runtime->var_tmp_dir;
f63ef937 3159 else if (runtime->var_tmp_dir)
56a13a49 3160 var_tmp_dir = strjoina(runtime->var_tmp_dir, "/tmp");
ecf63c91
NJ		 3161 }
3162
b5a33299
YW		 3163 ns_info = (NamespaceInfo) {
3164 .ignore_protect_paths = false,
3165 .private_dev = context->private_devices,
3166 .protect_control_groups = context->protect_control_groups,
3167 .protect_kernel_tunables = context->protect_kernel_tunables,
3168 .protect_kernel_modules = context->protect_kernel_modules,
94a7b275 3169 .protect_kernel_logs = context->protect_kernel_logs,
aecd5ac6 3170 .protect_hostname = context->protect_hostname,
5e98086d 3171 .mount_apivfs = exec_context_get_effective_mount_apivfs(context),
228af36f 3172 .private_mounts = context->private_mounts,
52b3d652
LP		 3173 .protect_home = context->protect_home,
3174 .protect_system = context->protect_system,
4e399953
LP		 3175 .protect_proc = context->protect_proc,
3176 .proc_subset = context->proc_subset,
b5a33299 3177 };
ecf63c91 3178 } else if (!context->dynamic_user && root_dir)
228af36f
LP		 3179 /*
3180 * If DynamicUser=no and RootDirectory= is set then lets pass a relaxed
3181 * sandbox info, otherwise enforce it, don't ignore protected paths and
3182 * fail if we are enable to apply the sandbox inside the mount namespace.
3183 */
3184 ns_info = (NamespaceInfo) {
3185 .ignore_protect_paths = true,
3186 };
3187 else
3188 ns_info = (NamespaceInfo) {};
b5a33299 3189
37ed15d7
FB		 3190 if (context->mount_flags == MS_SHARED)
3191 log_unit_debug(u, "shared mount propagation hidden by other fs namespacing unit settings: ignoring");
3192
a631cbfa
LP		 3193 if (exec_context_has_credentials(context) &&
3194 params->prefix[EXEC_DIRECTORY_RUNTIME] &&
3195 FLAGS_SET(params->flags, EXEC_WRITE_CREDENTIALS)) {
bbb4e7f3 3196 creds_path = path_join(params->prefix[EXEC_DIRECTORY_RUNTIME], "credentials", u->id);
8062e643
YW		 3197 if (!creds_path) {
3198 r = -ENOMEM;
3199 goto finalize;
3200 }
bbb4e7f3
LP		 3201 }
3202
5e8deb94
LB		 3203 if (MANAGER_IS_SYSTEM(u->manager)) {
3204 propagate_dir = path_join("/run/systemd/propagate/", u->id);
3205 if (!propagate_dir)
3206 return -ENOMEM;
3207 incoming_dir = strdup("/run/systemd/incoming");
3208 if (!incoming_dir)
3209 return -ENOMEM;
3210 }
3211
18d73705 3212 r = setup_namespace(root_dir, root_image, context->root_image_options,
7bcef4ef 3213 &ns_info, context->read_write_paths,
165a31c0
LP		 3214 needs_sandboxing ? context->read_only_paths : NULL,
3215 needs_sandboxing ? context->inaccessible_paths : NULL,
ddc155b2
TM		 3216 needs_sandboxing ? context->exec_paths : NULL,
3217 needs_sandboxing ? context->no_exec_paths : NULL,
6c47cd7d
LP		 3218 empty_directories,
3219 bind_mounts,
3220 n_bind_mounts,
2abd4e38
YW		 3221 context->temporary_filesystems,
3222 context->n_temporary_filesystems,
b3d13314
LB		 3223 context->mount_images,
3224 context->n_mount_images,
56a13a49
ZJS		 3225 tmp_dir,
3226 var_tmp_dir,
bbb4e7f3 3227 creds_path,
91dd5f7c 3228 context->log_namespace,
915e6d16 3229 context->mount_flags,
d4d55b0d
LB		 3230 context->root_hash, context->root_hash_size, context->root_hash_path,
3231 context->root_hash_sig, context->root_hash_sig_size, context->root_hash_sig_path,
3232 context->root_verity,
5e8deb94
LB		 3233 propagate_dir,
3234 incoming_dir,
3bdc25a4 3235 root_dir || root_image ? params->notify_socket : NULL,
8d251485 3236 DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK,
7cc5ef5f 3237 error_path);
93c6bb51 3238
1beab8b0 3239 /* If we couldn't set up the namespace this is probably due to a missing capability. setup_namespace() reports
5238e957 3240 * that with a special, recognizable error ENOANO. In this case, silently proceed, but only if exclusively
1beab8b0
LP		 3241 * sandboxing options were used, i.e. nothing such as RootDirectory= or BindMount= that would result in a
3242 * completely different execution environment. */
aca835ed 3243 if (r == -ENOANO) {
4e677599
LP		 3244 if (insist_on_sandboxing(
3245 context,
3246 root_dir, root_image,
3247 bind_mounts,
3248 n_bind_mounts)) {
3249 log_unit_debug(u, "Failed to set up namespace, and refusing to continue since the selected namespacing options alter mount environment non-trivially.\n"
3250 "Bind mounts: %zu, temporary filesystems: %zu, root directory: %s, root image: %s, dynamic user: %s",
3251 n_bind_mounts, context->n_temporary_filesystems, yes_no(root_dir), yes_no(root_image), yes_no(context->dynamic_user));
3252
3253 r = -EOPNOTSUPP;
3254 } else {
aca835ed 3255 log_unit_debug(u, "Failed to set up namespace, assuming containerized execution and ignoring.");
4e677599 3256 r = 0;
aca835ed 3257 }
93c6bb51
DH		 3258 }
3259
8062e643 3260finalize:
4e677599 3261 bind_mount_free_many(bind_mounts, n_bind_mounts);
93c6bb51
DH		 3262 return r;
3263}
3264
915e6d16
LP		 3265static int apply_working_directory(
3266 const ExecContext *context,
3267 const ExecParameters *params,
3268 const char *home,
376fecf6 3269 int *exit_status) {
915e6d16 3270
6732edab 3271 const char *d, *wd;
2b3c1b9e
DH		 3272
3273 assert(context);
376fecf6 3274 assert(exit_status);
2b3c1b9e 3275
6732edab
LP		 3276 if (context->working_directory_home) {
3277
376fecf6
LP		 3278 if (!home) {
3279 *exit_status = EXIT_CHDIR;
6732edab 3280 return -ENXIO;
376fecf6 3281 }
6732edab 3282
2b3c1b9e 3283 wd = home;
6732edab 3284
14eb3285
LP		 3285 } else
3286 wd = empty_to_root(context->working_directory);
e7f1e7c6 3287
fa97f630 3288 if (params->flags & EXEC_APPLY_CHROOT)
2b3c1b9e 3289 d = wd;
fa97f630 3290 else
3b0e5bb5 3291 d = prefix_roota(context->root_directory, wd);
e7f1e7c6 3292
376fecf6
LP		 3293 if (chdir(d) < 0 && !context->working_directory_missing_ok) {
3294 *exit_status = EXIT_CHDIR;
2b3c1b9e 3295 return -errno;
376fecf6 3296 }
e7f1e7c6
DH		 3297
3298 return 0;
3299}
3300
fa97f630
JB		 3301static int apply_root_directory(
3302 const ExecContext *context,
3303 const ExecParameters *params,
3304 const bool needs_mount_ns,
3305 int *exit_status) {
3306
3307 assert(context);
3308 assert(exit_status);
3309
5b10116e 3310 if (params->flags & EXEC_APPLY_CHROOT)
fa97f630
JB		 3311 if (!needs_mount_ns && context->root_directory)
3312 if (chroot(context->root_directory) < 0) {
3313 *exit_status = EXIT_CHROOT;
3314 return -errno;
3315 }
fa97f630
JB		 3316
3317 return 0;
3318}
3319
b1edf445 3320static int setup_keyring(
34cf6c43 3321 const Unit *u,
b1edf445
LP		 3322 const ExecContext *context,
3323 const ExecParameters *p,
3324 uid_t uid, gid_t gid) {
3325
74dd6b51 3326 key_serial_t keyring;
e64c2d0b
DJL		 3327 int r = 0;
3328 uid_t saved_uid;
3329 gid_t saved_gid;
74dd6b51
LP		 3330
3331 assert(u);
b1edf445 3332 assert(context);
74dd6b51
LP		 3333 assert(p);
3334
3335 /* Let's set up a new per-service "session" kernel keyring for each system service. This has the benefit that
3336 * each service runs with its own keyring shared among all processes of the service, but with no hook-up beyond
3337 * that scope, and in particular no link to the per-UID keyring. If we don't do this the keyring will be
3338 * automatically created on-demand and then linked to the per-UID keyring, by the kernel. The kernel's built-in
3339 * on-demand behaviour is very appropriate for login users, but probably not so much for system services, where
3340 * UIDs are not necessarily specific to a service but reused (at least in the case of UID 0). */
3341
b1edf445
LP		 3342 if (context->keyring_mode == EXEC_KEYRING_INHERIT)
3343 return 0;
3344
e64c2d0b
DJL		 3345 /* Acquiring a reference to the user keyring is nasty. We briefly change identity in order to get things set up
3346 * properly by the kernel. If we don't do that then we can't create it atomically, and that sucks for parallel
3347 * execution. This mimics what pam_keyinit does, too. Setting up session keyring, to be owned by the right user
3348 * & group is just as nasty as acquiring a reference to the user keyring. */
3349
3350 saved_uid = getuid();
3351 saved_gid = getgid();
3352
3353 if (gid_is_valid(gid) && gid != saved_gid) {
3354 if (setregid(gid, -1) < 0)
3355 return log_unit_error_errno(u, errno, "Failed to change GID for user keyring: %m");
3356 }
3357
3358 if (uid_is_valid(uid) && uid != saved_uid) {
3359 if (setreuid(uid, -1) < 0) {
3360 r = log_unit_error_errno(u, errno, "Failed to change UID for user keyring: %m");
3361 goto out;
3362 }
3363 }
3364
74dd6b51
LP		 3365 keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0);
3366 if (keyring == -1) {
3367 if (errno == ENOSYS)
8002fb97 3368 log_unit_debug_errno(u, errno, "Kernel keyring not supported, ignoring.");
065b4774 3369 else if (ERRNO_IS_PRIVILEGE(errno))
8002fb97 3370 log_unit_debug_errno(u, errno, "Kernel keyring access prohibited, ignoring.");
74dd6b51 3371 else if (errno == EDQUOT)
8002fb97 3372 log_unit_debug_errno(u, errno, "Out of kernel keyrings to allocate, ignoring.");
74dd6b51 3373 else
e64c2d0b 3374 r = log_unit_error_errno(u, errno, "Setting up kernel keyring failed: %m");
74dd6b51 3375
e64c2d0b 3376 goto out;
74dd6b51
LP		 3377 }
3378
e64c2d0b
DJL		 3379 /* When requested link the user keyring into the session keyring. */
3380 if (context->keyring_mode == EXEC_KEYRING_SHARED) {
3381
3382 if (keyctl(KEYCTL_LINK,
3383 KEY_SPEC_USER_KEYRING,
3384 KEY_SPEC_SESSION_KEYRING, 0, 0) < 0) {
3385 r = log_unit_error_errno(u, errno, "Failed to link user keyring into session keyring: %m");
3386 goto out;
3387 }
3388 }
3389
3390 /* Restore uid/gid back */
3391 if (uid_is_valid(uid) && uid != saved_uid) {
3392 if (setreuid(saved_uid, -1) < 0) {
3393 r = log_unit_error_errno(u, errno, "Failed to change UID back for user keyring: %m");
3394 goto out;
3395 }
3396 }
3397
3398 if (gid_is_valid(gid) && gid != saved_gid) {
3399 if (setregid(saved_gid, -1) < 0)
3400 return log_unit_error_errno(u, errno, "Failed to change GID back for user keyring: %m");
3401 }
3402
3403 /* Populate they keyring with the invocation ID by default, as original saved_uid. */
b3415f5d
LP		 3404 if (!sd_id128_is_null(u->invocation_id)) {
3405 key_serial_t key;
3406
3407 key = add_key("user", "invocation_id", &u->invocation_id, sizeof(u->invocation_id), KEY_SPEC_SESSION_KEYRING);
3408 if (key == -1)
8002fb97 3409 log_unit_debug_errno(u, errno, "Failed to add invocation ID to keyring, ignoring: %m");
b3415f5d
LP		 3410 else {
3411 if (keyctl(KEYCTL_SETPERM, key,
3412 KEY_POS_VIEW|KEY_POS_READ|KEY_POS_SEARCH|
3413 KEY_USR_VIEW|KEY_USR_READ|KEY_USR_SEARCH, 0, 0) < 0)
e64c2d0b 3414 r = log_unit_error_errno(u, errno, "Failed to restrict invocation ID permission: %m");
b3415f5d
LP		 3415 }
3416 }
3417
e64c2d0b 3418out:
37b22b3b 3419 /* Revert back uid & gid for the last time, and exit */
e64c2d0b
DJL		 3420 /* no extra logging, as only the first already reported error matters */
3421 if (getuid() != saved_uid)
3422 (void) setreuid(saved_uid, -1);
b1edf445 3423
e64c2d0b
DJL		 3424 if (getgid() != saved_gid)
3425 (void) setregid(saved_gid, -1);
b1edf445 3426
e64c2d0b 3427 return r;
74dd6b51
LP		 3428}
3429
3042bbeb 3430static void append_socket_pair(int *array, size_t *n, const int pair[static 2]) {
29206d46
LP		 3431 assert(array);
3432 assert(n);
2caa38e9 3433 assert(pair);
29206d46
LP		 3434
3435 if (pair[0] >= 0)
3436 array[(*n)++] = pair[0];
3437 if (pair[1] >= 0)
3438 array[(*n)++] = pair[1];
3439}
3440
a34ceba6
LP		 3441static int close_remaining_fds(
3442 const ExecParameters *params,
34cf6c43
YW		 3443 const ExecRuntime *runtime,
3444 const DynamicCreds *dcreds,
00d9ef85 3445 int user_lookup_fd,
a34ceba6 3446 int socket_fd,
5b8d1f6b 3447 const int *fds, size_t n_fds) {
a34ceba6 3448
da6053d0 3449 size_t n_dont_close = 0;
00d9ef85 3450 int dont_close[n_fds + 12];
a34ceba6
LP		 3451
3452 assert(params);
3453
3454 if (params->stdin_fd >= 0)
3455 dont_close[n_dont_close++] = params->stdin_fd;
3456 if (params->stdout_fd >= 0)
3457 dont_close[n_dont_close++] = params->stdout_fd;
3458 if (params->stderr_fd >= 0)
3459 dont_close[n_dont_close++] = params->stderr_fd;
3460
3461 if (socket_fd >= 0)
3462 dont_close[n_dont_close++] = socket_fd;
3463 if (n_fds > 0) {
3464 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
3465 n_dont_close += n_fds;
3466 }
3467
29206d46
LP		 3468 if (runtime)
3469 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
3470
3471 if (dcreds) {
3472 if (dcreds->user)
3473 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
3474 if (dcreds->group)
3475 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
a34ceba6
LP		 3476 }
3477
00d9ef85
LP		 3478 if (user_lookup_fd >= 0)
3479 dont_close[n_dont_close++] = user_lookup_fd;
3480
a34ceba6
LP		 3481 return close_all_fds(dont_close, n_dont_close);
3482}
3483
00d9ef85
LP		 3484static int send_user_lookup(
3485 Unit *unit,
3486 int user_lookup_fd,
3487 uid_t uid,
3488 gid_t gid) {
3489
3490 assert(unit);
3491
3492 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
3493 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
3494 * specified. */
3495
3496 if (user_lookup_fd < 0)
3497 return 0;
3498
3499 if (!uid_is_valid(uid) && !gid_is_valid(gid))
3500 return 0;
3501
3502 if (writev(user_lookup_fd,
3503 (struct iovec[]) {
e6a7ec4b
LP		 3504 IOVEC_INIT(&uid, sizeof(uid)),
3505 IOVEC_INIT(&gid, sizeof(gid)),
3506 IOVEC_INIT_STRING(unit->id) }, 3) < 0)
00d9ef85
LP		 3507 return -errno;
3508
3509 return 0;
3510}
3511
6732edab
LP		 3512static int acquire_home(const ExecContext *c, uid_t uid, const char** home, char **buf) {
3513 int r;
3514
3515 assert(c);
3516 assert(home);
3517 assert(buf);
3518
3519 /* If WorkingDirectory=~ is set, try to acquire a usable home directory. */
3520
3521 if (*home)
3522 return 0;
3523
3524 if (!c->working_directory_home)
3525 return 0;
3526
6732edab
LP		 3527 r = get_home_dir(buf);
3528 if (r < 0)
3529 return r;
3530
3531 *home = *buf;
3532 return 1;
3533}
3534
da50b85a
LP		 3535static int compile_suggested_paths(const ExecContext *c, const ExecParameters *p, char ***ret) {
3536 _cleanup_strv_free_ char ** list = NULL;
da50b85a
LP		 3537 int r;
3538
3539 assert(c);
3540 assert(p);
3541 assert(ret);
3542
3543 assert(c->dynamic_user);
3544
3545 /* Compile a list of paths that it might make sense to read the owning UID from to use as initial candidate for
3546 * dynamic UID allocation, in order to save us from doing costly recursive chown()s of the special
3547 * directories. */
3548
5b10116e 3549 for (ExecDirectoryType t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
da50b85a
LP		 3550 char **i;
3551
3552 if (t == EXEC_DIRECTORY_CONFIGURATION)
3553 continue;
3554
3555 if (!p->prefix[t])
3556 continue;
3557
3558 STRV_FOREACH(i, c->directories[t].paths) {
3559 char *e;
3560
494d0247 3561 if (exec_directory_is_private(c, t))
657ee2d8 3562 e = path_join(p->prefix[t], "private", *i);
494d0247
YW		 3563 else
3564 e = path_join(p->prefix[t], *i);
da50b85a
LP		 3565 if (!e)
3566 return -ENOMEM;
3567
3568 r = strv_consume(&list, e);
3569 if (r < 0)
3570 return r;
3571 }
3572 }
3573
ae2a15bc 3574 *ret = TAKE_PTR(list);
da50b85a
LP		 3575
3576 return 0;
3577}
3578
34cf6c43
YW		 3579static char *exec_command_line(char **argv);
3580
78f93209
LP		 3581static int exec_parameters_get_cgroup_path(const ExecParameters *params, char **ret) {
3582 bool using_subcgroup;
3583 char *p;
3584
3585 assert(params);
3586 assert(ret);
3587
3588 if (!params->cgroup_path)
3589 return -EINVAL;
3590
3591 /* If we are called for a unit where cgroup delegation is on, and the payload created its own populated
3592 * subcgroup (which we expect it to do, after all it asked for delegation), then we cannot place the control
3593 * processes started after the main unit's process in the unit's main cgroup because it is now an inner one,
3594 * and inner cgroups may not contain processes. Hence, if delegation is on, and this is a control process,
3595 * let's use ".control" as subcgroup instead. Note that we do so only for ExecStartPost=, ExecReload=,
3596 * ExecStop=, ExecStopPost=, i.e. for the commands where the main process is already forked. For ExecStartPre=
3597 * this is not necessary, the cgroup is still empty. We distinguish these cases with the EXEC_CONTROL_CGROUP
3598 * flag, which is only passed for the former statements, not for the latter. */
3599
3600 using_subcgroup = FLAGS_SET(params->flags, EXEC_CONTROL_CGROUP|EXEC_CGROUP_DELEGATE|EXEC_IS_CONTROL);
3601 if (using_subcgroup)
657ee2d8 3602 p = path_join(params->cgroup_path, ".control");
78f93209
LP		 3603 else
3604 p = strdup(params->cgroup_path);
3605 if (!p)
3606 return -ENOMEM;
3607
3608 *ret = p;
3609 return using_subcgroup;
3610}
3611
e2b2fb7f
MS		 3612static int exec_context_cpu_affinity_from_numa(const ExecContext *c, CPUSet *ret) {
3613 _cleanup_(cpu_set_reset) CPUSet s = {};
3614 int r;
3615
3616 assert(c);
3617 assert(ret);
3618
3619 if (!c->numa_policy.nodes.set) {
3620 log_debug("Can't derive CPU affinity mask from NUMA mask because NUMA mask is not set, ignoring");
3621 return 0;
3622 }
3623
3624 r = numa_to_cpu_set(&c->numa_policy, &s);
3625 if (r < 0)
3626 return r;
3627
3628 cpu_set_reset(ret);
3629
3630 return cpu_set_add_all(ret, &s);
3631}
3632
3633bool exec_context_get_cpu_affinity_from_numa(const ExecContext *c) {
3634 assert(c);
3635
3636 return c->cpu_affinity_from_numa;
3637}
3638
1da37e58
ZJS		 3639static int add_shifted_fd(int *fds, size_t fds_size, size_t *n_fds, int fd, int *ret_fd) {
3640 int r;
3641
3642 assert(fds);
3643 assert(n_fds);
3644 assert(*n_fds < fds_size);
3645 assert(ret_fd);
3646
3647 if (fd < 0) {
3648 *ret_fd = -1;
3649 return 0;
3650 }
3651
3652 if (fd < 3 + (int) *n_fds) {
3653 /* Let's move the fd up, so that it's outside of the fd range we will use to store
3654 * the fds we pass to the process (or which are closed only during execve). */
3655
3656 r = fcntl(fd, F_DUPFD_CLOEXEC, 3 + (int) *n_fds);
3657 if (r < 0)
3658 return -errno;
3659
3660 CLOSE_AND_REPLACE(fd, r);
3661 }
3662
3663 *ret_fd = fds[*n_fds] = fd;
3664 (*n_fds) ++;
3665 return 1;
3666}
3667
ff0af2a1 3668static int exec_child(
f2341e0a 3669 Unit *unit,
34cf6c43 3670 const ExecCommand *command,
ff0af2a1
LP		 3671 const ExecContext *context,
3672 const ExecParameters *params,
3673 ExecRuntime *runtime,
29206d46 3674 DynamicCreds *dcreds,
ff0af2a1 3675 int socket_fd,
2caa38e9 3676 const int named_iofds[static 3],
4c47affc 3677 int *fds,
da6053d0 3678 size_t n_socket_fds,
25b583d7 3679 size_t n_storage_fds,
ff0af2a1 3680 char **files_env,
00d9ef85 3681 int user_lookup_fd,
12145637 3682 int *exit_status) {
d35fbf6b 3683
7ca69792 3684 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **replaced_argv = NULL;
1da37e58 3685 int r, ngids = 0, exec_fd;
4d885bd3
DH		 3686 _cleanup_free_ gid_t *supplementary_gids = NULL;
3687 const char *username = NULL, *groupname = NULL;
5686391b 3688 _cleanup_free_ char *home_buffer = NULL;
2b3c1b9e 3689 const char *home = NULL, *shell = NULL;
7ca69792 3690 char **final_argv = NULL;
7bce046b
LP		 3691 dev_t journal_stream_dev = 0;
3692 ino_t journal_stream_ino = 0;
5749f855 3693 bool userns_set_up = false;
165a31c0
LP		 3694 bool needs_sandboxing, /* Do we need to set up full sandboxing? (i.e. all namespacing, all MAC stuff, caps, yadda yadda */
3695 needs_setuid, /* Do we need to do the actual setresuid()/setresgid() calls? */
3696 needs_mount_namespace, /* Do we need to set up a mount namespace for this kernel? */
3697 needs_ambient_hack; /* Do we need to apply the ambient capabilities hack? */
349cc4a5 3698#if HAVE_SELINUX
7f59dd35 3699 _cleanup_free_ char *mac_selinux_context_net = NULL;
43b1f709 3700 bool use_selinux = false;
ecfbc84f 3701#endif
f9fa32f0 3702#if ENABLE_SMACK
43b1f709 3703 bool use_smack = false;
ecfbc84f 3704#endif
349cc4a5 3705#if HAVE_APPARMOR
43b1f709 3706 bool use_apparmor = false;
ecfbc84f 3707#endif
5749f855
AZ		 3708 uid_t saved_uid = getuid();
3709 gid_t saved_gid = getgid();
fed1e721
LP		 3710 uid_t uid = UID_INVALID;
3711 gid_t gid = GID_INVALID;
1da37e58
ZJS		 3712 size_t n_fds = n_socket_fds + n_storage_fds, /* fds to pass to the child */
3713 n_keep_fds; /* total number of fds not to close */
165a31c0 3714 int secure_bits;
afb11bf1
DG		 3715 _cleanup_free_ gid_t *gids_after_pam = NULL;
3716 int ngids_after_pam = 0;
034c6ed7 3717
f2341e0a 3718 assert(unit);
5cb5a6ff
LP		 3719 assert(command);
3720 assert(context);
d35fbf6b 3721 assert(params);
ff0af2a1 3722 assert(exit_status);
d35fbf6b
DM		 3723
3724 rename_process_from_path(command->path);
3725
3726 /* We reset exactly these signals, since they are the
3727 * only ones we set to SIG_IGN in the main daemon. All
3728 * others we leave untouched because we set them to
3729 * SIG_DFL or a valid handler initially, both of which
3730 * will be demoted to SIG_DFL. */
ce30c8dc
LP		 3731 (void) default_signals(SIGNALS_CRASH_HANDLER,
3732 SIGNALS_IGNORE, -1);
d35fbf6b
DM		 3733
3734 if (context->ignore_sigpipe)
ce30c8dc 3735 (void) ignore_signals(SIGPIPE, -1);
d35fbf6b 3736
ff0af2a1
LP		 3737 r = reset_signal_mask();
3738 if (r < 0) {
3739 *exit_status = EXIT_SIGNAL_MASK;
12145637 3740 return log_unit_error_errno(unit, r, "Failed to set process signal mask: %m");
d35fbf6b 3741 }
034c6ed7 3742
d35fbf6b
DM		 3743 if (params->idle_pipe)
3744 do_idle_pipe_dance(params->idle_pipe);
4f2d528d 3745
2c027c62
LP		 3746 /* Close fds we don't need very early to make sure we don't block init reexecution because it cannot bind its
3747 * sockets. Among the fds we close are the logging fds, and we want to keep them closed, so that we don't have
3748 * any fds open we don't really want open during the transition. In order to make logging work, we switch the
3749 * log subsystem into open_when_needed mode, so that it reopens the logs on every single log call. */
ff0af2a1 3750
d35fbf6b 3751 log_forget_fds();
2c027c62 3752 log_set_open_when_needed(true);
4f2d528d 3753
40a80078
LP		 3754 /* In case anything used libc syslog(), close this here, too */
3755 closelog();
3756
b83d5050 3757 int keep_fds[n_fds + 2];
1da37e58
ZJS		 3758 memcpy_safe(keep_fds, fds, n_fds * sizeof(int));
3759 n_keep_fds = n_fds;
3760
3761 r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, params->exec_fd, &exec_fd);
3762 if (r < 0) {
3763 *exit_status = EXIT_FDS;
3764 return log_unit_error_errno(unit, r, "Failed to shift fd and set FD_CLOEXEC: %m");
3765 }
3766
3767 r = close_remaining_fds(params, runtime, dcreds, user_lookup_fd, socket_fd, keep_fds, n_keep_fds);
ff0af2a1
LP		 3768 if (r < 0) {
3769 *exit_status = EXIT_FDS;
12145637 3770 return log_unit_error_errno(unit, r, "Failed to close unwanted file descriptors: %m");
8c7be95e
LP		 3771 }
3772
0af07108
ZJS		 3773 if (!context->same_pgrp &&
3774 setsid() < 0) {
3775 *exit_status = EXIT_SETSID;
3776 return log_unit_error_errno(unit, errno, "Failed to create new process session: %m");
3777 }
9e2f7c11 3778
1e22b5cd 3779 exec_context_tty_reset(context, params);
d35fbf6b 3780
c891efaf 3781 if (unit_shall_confirm_spawn(unit)) {
7d5ceb64 3782 const char *vc = params->confirm_spawn;
3b20f877
FB		 3783 _cleanup_free_ char *cmdline = NULL;
3784
ee39ca20 3785 cmdline = exec_command_line(command->argv);
3b20f877 3786 if (!cmdline) {
0460aa5c 3787 *exit_status = EXIT_MEMORY;
12145637 3788 return log_oom();
3b20f877 3789 }
d35fbf6b 3790
eedf223a 3791 r = ask_for_confirmation(vc, unit, cmdline);
3b20f877
FB		 3792 if (r != CONFIRM_EXECUTE) {
3793 if (r == CONFIRM_PRETEND_SUCCESS) {
3794 *exit_status = EXIT_SUCCESS;
3795 return 0;
3796 }
ff0af2a1 3797 *exit_status = EXIT_CONFIRM;
0af07108
ZJS		 3798 return log_unit_error_errno(unit, SYNTHETIC_ERRNO(ECANCELED),
3799 "Execution cancelled by the user");
d35fbf6b
DM		 3800 }
3801 }
1a63a750 3802
d521916d
LP		 3803 /* We are about to invoke NSS and PAM modules. Let's tell them what we are doing here, maybe they care. This is
3804 * used by nss-resolve to disable itself when we are about to start systemd-resolved, to avoid deadlocks. Note
3805 * that these env vars do not survive the execve(), which means they really only apply to the PAM and NSS
3806 * invocations themselves. Also note that while we'll only invoke NSS modules involved in user management they
3807 * might internally call into other NSS modules that are involved in hostname resolution, we never know. */
3808 if (setenv("SYSTEMD_ACTIVATION_UNIT", unit->id, true) != 0 ||
3809 setenv("SYSTEMD_ACTIVATION_SCOPE", MANAGER_IS_SYSTEM(unit->manager) ? "system" : "user", true) != 0) {
3810 *exit_status = EXIT_MEMORY;
3811 return log_unit_error_errno(unit, errno, "Failed to update environment: %m");
3812 }
3813
29206d46 3814 if (context->dynamic_user && dcreds) {
da50b85a 3815 _cleanup_strv_free_ char **suggested_paths = NULL;
29206d46 3816
d521916d
LP		 3817 /* On top of that, make sure we bypass our own NSS module nss-systemd comprehensively for any NSS
3818 * checks, if DynamicUser=1 is used, as we shouldn't create a feedback loop with ourselves here.*/
409093fe
LP		 3819 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
3820 *exit_status = EXIT_USER;
12145637 3821 return log_unit_error_errno(unit, errno, "Failed to update environment: %m");
409093fe
LP		 3822 }
3823
da50b85a
LP		 3824 r = compile_suggested_paths(context, params, &suggested_paths);
3825 if (r < 0) {
3826 *exit_status = EXIT_MEMORY;
3827 return log_oom();
3828 }
3829
3830 r = dynamic_creds_realize(dcreds, suggested_paths, &uid, &gid);
ff0af2a1
LP		 3831 if (r < 0) {
3832 *exit_status = EXIT_USER;
d85ff944
YW		 3833 if (r == -EILSEQ)
3834 return log_unit_error_errno(unit, SYNTHETIC_ERRNO(EOPNOTSUPP),
3835 "Failed to update dynamic user credentials: User or group with specified name already exists.");
12145637 3836 return log_unit_error_errno(unit, r, "Failed to update dynamic user credentials: %m");
524daa8c 3837 }
524daa8c 3838
70dd455c 3839 if (!uid_is_valid(uid)) {
29206d46 3840 *exit_status = EXIT_USER;
d85ff944 3841 return log_unit_error_errno(unit, SYNTHETIC_ERRNO(ESRCH), "UID validation failed for \""UID_FMT"\"", uid);
70dd455c
ZJS		 3842 }
3843
3844 if (!gid_is_valid(gid)) {
3845 *exit_status = EXIT_USER;
d85ff944 3846 return log_unit_error_errno(unit, SYNTHETIC_ERRNO(ESRCH), "GID validation failed for \""GID_FMT"\"", gid);
29206d46 3847 }
5bc7452b 3848
29206d46
LP		 3849 if (dcreds->user)
3850 username = dcreds->user->name;
3851
3852 } else {
4d885bd3
DH		 3853 r = get_fixed_user(context, &username, &uid, &gid, &home, &shell);
3854 if (r < 0) {
3855 *exit_status = EXIT_USER;
12145637 3856 return log_unit_error_errno(unit, r, "Failed to determine user credentials: %m");
5bc7452b 3857 }
5bc7452b 3858
4d885bd3
DH		 3859 r = get_fixed_group(context, &groupname, &gid);
3860 if (r < 0) {
3861 *exit_status = EXIT_GROUP;
12145637 3862 return log_unit_error_errno(unit, r, "Failed to determine group credentials: %m");
4d885bd3 3863 }
cdc5d5c5 3864 }
29206d46 3865
cdc5d5c5
DH		 3866 /* Initialize user supplementary groups and get SupplementaryGroups= ones */
3867 r = get_supplementary_groups(context, username, groupname, gid,
3868 &supplementary_gids, &ngids);
3869 if (r < 0) {
3870 *exit_status = EXIT_GROUP;
12145637 3871 return log_unit_error_errno(unit, r, "Failed to determine supplementary groups: %m");
29206d46 3872 }
5bc7452b 3873
00d9ef85
LP		 3874 r = send_user_lookup(unit, user_lookup_fd, uid, gid);
3875 if (r < 0) {
3876 *exit_status = EXIT_USER;
12145637 3877 return log_unit_error_errno(unit, r, "Failed to send user credentials to PID1: %m");
00d9ef85
LP		 3878 }
3879
3880 user_lookup_fd = safe_close(user_lookup_fd);
3881
6732edab
LP		 3882 r = acquire_home(context, uid, &home, &home_buffer);
3883 if (r < 0) {
3884 *exit_status = EXIT_CHDIR;
12145637 3885 return log_unit_error_errno(unit, r, "Failed to determine $HOME for user: %m");
6732edab
LP		 3886 }
3887
d35fbf6b
DM		 3888 /* If a socket is connected to STDIN/STDOUT/STDERR, we
3889 * must sure to drop O_NONBLOCK */
3890 if (socket_fd >= 0)
a34ceba6 3891 (void) fd_nonblock(socket_fd, false);
acbb0225 3892
4c70a4a7
MS		 3893 /* Journald will try to look-up our cgroup in order to populate _SYSTEMD_CGROUP and _SYSTEMD_UNIT fields.
3894 * Hence we need to migrate to the target cgroup from init.scope before connecting to journald */
3895 if (params->cgroup_path) {
3896 _cleanup_free_ char *p = NULL;
3897
3898 r = exec_parameters_get_cgroup_path(params, &p);
3899 if (r < 0) {
3900 *exit_status = EXIT_CGROUP;
3901 return log_unit_error_errno(unit, r, "Failed to acquire cgroup path: %m");
3902 }
3903
3904 r = cg_attach_everywhere(params->cgroup_supported, p, 0, NULL, NULL);
3905 if (r < 0) {
3906 *exit_status = EXIT_CGROUP;
3907 return log_unit_error_errno(unit, r, "Failed to attach to cgroup %s: %m", p);
3908 }
3909 }
3910
a8d08f39
LP		 3911 if (context->network_namespace_path && runtime && runtime->netns_storage_socket[0] >= 0) {
3912 r = open_netns_path(runtime->netns_storage_socket, context->network_namespace_path);
3913 if (r < 0) {
3914 *exit_status = EXIT_NETWORK;
3915 return log_unit_error_errno(unit, r, "Failed to open network namespace path %s: %m", context->network_namespace_path);
3916 }
3917 }
3918
52c239d7 3919 r = setup_input(context, params, socket_fd, named_iofds);
ff0af2a1
LP		 3920 if (r < 0) {
3921 *exit_status = EXIT_STDIN;
12145637 3922 return log_unit_error_errno(unit, r, "Failed to set up standard input: %m");
d35fbf6b 3923 }
034c6ed7 3924
52c239d7 3925 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 3926 if (r < 0) {
3927 *exit_status = EXIT_STDOUT;
12145637 3928 return log_unit_error_errno(unit, r, "Failed to set up standard output: %m");
d35fbf6b
DM		 3929 }
3930
52c239d7 3931 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 3932 if (r < 0) {
3933 *exit_status = EXIT_STDERR;
12145637 3934 return log_unit_error_errno(unit, r, "Failed to set up standard error output: %m");
d35fbf6b
DM		 3935 }
3936
d35fbf6b 3937 if (context->oom_score_adjust_set) {
9f8168eb
LP		 3938 /* When we can't make this change due to EPERM, then let's silently skip over it. User namespaces
3939 * prohibit write access to this file, and we shouldn't trip up over that. */
3940 r = set_oom_score_adjust(context->oom_score_adjust);
065b4774 3941 if (ERRNO_IS_PRIVILEGE(r))
f2341e0a 3942 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
12145637 3943 else if (r < 0) {
ff0af2a1 3944 *exit_status = EXIT_OOM_ADJUST;
12145637 3945 return log_unit_error_errno(unit, r, "Failed to adjust OOM setting: %m");
613b411c 3946 }
d35fbf6b
DM		 3947 }
3948
ad21e542
ZJS		 3949 if (context->coredump_filter_set) {
3950 r = set_coredump_filter(context->coredump_filter);
3951 if (ERRNO_IS_PRIVILEGE(r))
3952 log_unit_debug_errno(unit, r, "Failed to adjust coredump_filter, ignoring: %m");
3953 else if (r < 0)
3954 return log_unit_error_errno(unit, r, "Failed to adjust coredump_filter: %m");
3955 }
3956
39090201
DJL		 3957 if (context->nice_set) {
3958 r = setpriority_closest(context->nice);
3959 if (r < 0)
3960 return log_unit_error_errno(unit, r, "Failed to set up process scheduling priority (nice level): %m");
3961 }
613b411c 3962
d35fbf6b
DM		 3963 if (context->cpu_sched_set) {
3964 struct sched_param param = {
3965 .sched_priority = context->cpu_sched_priority,
3966 };
3967
ff0af2a1
LP		 3968 r = sched_setscheduler(0,
3969 context->cpu_sched_policy |
3970 (context->cpu_sched_reset_on_fork ?
3971 SCHED_RESET_ON_FORK : 0),
3972 &param);
3973 if (r < 0) {
3974 *exit_status = EXIT_SETSCHEDULER;
12145637 3975 return log_unit_error_errno(unit, errno, "Failed to set up CPU scheduling: %m");
fc9b2a84 3976 }
d35fbf6b 3977 }
fc9b2a84 3978
e2b2fb7f
MS		 3979 if (context->cpu_affinity_from_numa || context->cpu_set.set) {
3980 _cleanup_(cpu_set_reset) CPUSet converted_cpu_set = {};
3981 const CPUSet *cpu_set;
3982
3983 if (context->cpu_affinity_from_numa) {
3984 r = exec_context_cpu_affinity_from_numa(context, &converted_cpu_set);
3985 if (r < 0) {
3986 *exit_status = EXIT_CPUAFFINITY;
3987 return log_unit_error_errno(unit, r, "Failed to derive CPU affinity mask from NUMA mask: %m");
3988 }
3989
3990 cpu_set = &converted_cpu_set;
3991 } else
3992 cpu_set = &context->cpu_set;
3993
3994 if (sched_setaffinity(0, cpu_set->allocated, cpu_set->set) < 0) {
ff0af2a1 3995 *exit_status = EXIT_CPUAFFINITY;
12145637 3996 return log_unit_error_errno(unit, errno, "Failed to set up CPU affinity: %m");
034c6ed7 3997 }
e2b2fb7f 3998 }
034c6ed7 3999
b070c7c0
MS		 4000 if (mpol_is_valid(numa_policy_get_type(&context->numa_policy))) {
4001 r = apply_numa_policy(&context->numa_policy);
4002 if (r == -EOPNOTSUPP)
33fe9e3f 4003 log_unit_debug_errno(unit, r, "NUMA support not available, ignoring.");
b070c7c0
MS		 4004 else if (r < 0) {
4005 *exit_status = EXIT_NUMA_POLICY;
4006 return log_unit_error_errno(unit, r, "Failed to set NUMA memory policy: %m");
4007 }
4008 }
4009
d35fbf6b
DM		 4010 if (context->ioprio_set)
4011 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
ff0af2a1 4012 *exit_status = EXIT_IOPRIO;
12145637 4013 return log_unit_error_errno(unit, errno, "Failed to set up IO scheduling priority: %m");
d35fbf6b 4014 }
da726a4d 4015
d35fbf6b
DM		 4016 if (context->timer_slack_nsec != NSEC_INFINITY)
4017 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
ff0af2a1 4018 *exit_status = EXIT_TIMERSLACK;
12145637 4019 return log_unit_error_errno(unit, errno, "Failed to set up timer slack: %m");
4c2630eb 4020 }
9eba9da4 4021
21022b9d
LP		 4022 if (context->personality != PERSONALITY_INVALID) {
4023 r = safe_personality(context->personality);
4024 if (r < 0) {
ff0af2a1 4025 *exit_status = EXIT_PERSONALITY;
12145637 4026 return log_unit_error_errno(unit, r, "Failed to set up execution domain (personality): %m");
4c2630eb 4027 }
21022b9d 4028 }
94f04347 4029
d35fbf6b 4030 if (context->utmp_id)
df0ff127 4031 utmp_put_init_process(context->utmp_id, getpid_cached(), getsid(0),
6a93917d 4032 context->tty_path,
023a4f67
LP		 4033 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
4034 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
4035 USER_PROCESS,
6a93917d 4036 username);
d35fbf6b 4037
08f67696 4038 if (uid_is_valid(uid)) {
ff0af2a1
LP		 4039 r = chown_terminal(STDIN_FILENO, uid);
4040 if (r < 0) {
4041 *exit_status = EXIT_STDIN;
12145637 4042 return log_unit_error_errno(unit, r, "Failed to change ownership of terminal: %m");
071830ff 4043 }
d35fbf6b 4044 }
8e274523 4045
4e1dfa45 4046 /* If delegation is enabled we'll pass ownership of the cgroup to the user of the new process. On cgroup v1
62b9bb26 4047 * this is only about systemd's own hierarchy, i.e. not the controller hierarchies, simply because that's not
4e1dfa45 4048 * safe. On cgroup v2 there's only one hierarchy anyway, and delegation is safe there, hence in that case only
62b9bb26 4049 * touch a single hierarchy too. */
584b8688 4050 if (params->cgroup_path && context->user && (params->flags & EXEC_CGROUP_DELEGATE)) {
62b9bb26 4051 r = cg_set_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, uid, gid);
ff0af2a1
LP		 4052 if (r < 0) {
4053 *exit_status = EXIT_CGROUP;
12145637 4054 return log_unit_error_errno(unit, r, "Failed to adjust control group access: %m");
034c6ed7 4055 }
d35fbf6b 4056 }
034c6ed7 4057
5b10116e 4058 for (ExecDirectoryType dt = 0; dt < _EXEC_DIRECTORY_TYPE_MAX; dt++) {
8679efde 4059 r = setup_exec_directory(context, params, uid, gid, dt, exit_status);
12145637
LP		 4060 if (r < 0)
4061 return log_unit_error_errno(unit, r, "Failed to set up special execution directory in %s: %m", params->prefix[dt]);
d35fbf6b 4062 }
94f04347 4063
bb0c0d6f
LP		 4064 if (FLAGS_SET(params->flags, EXEC_WRITE_CREDENTIALS)) {
4065 r = setup_credentials(context, params, unit->id, uid);
4066 if (r < 0) {
4067 *exit_status = EXIT_CREDENTIALS;
4068 return log_unit_error_errno(unit, r, "Failed to set up credentials: %m");
4069 }
4070 }
4071
7bce046b 4072 r = build_environment(
fd63e712 4073 unit,
7bce046b
LP		 4074 context,
4075 params,
4076 n_fds,
4077 home,
4078 username,
4079 shell,
4080 journal_stream_dev,
4081 journal_stream_ino,
4082 &our_env);
2065ca69
JW		 4083 if (r < 0) {
4084 *exit_status = EXIT_MEMORY;
12145637 4085 return log_oom();
2065ca69
JW		 4086 }
4087
4088 r = build_pass_environment(context, &pass_env);
4089 if (r < 0) {
4090 *exit_status = EXIT_MEMORY;
12145637 4091 return log_oom();
2065ca69
JW		 4092 }
4093
4094 accum_env = strv_env_merge(5,
4095 params->environment,
4096 our_env,
4097 pass_env,
4098 context->environment,
44e5d006 4099 files_env);
2065ca69
JW		 4100 if (!accum_env) {
4101 *exit_status = EXIT_MEMORY;
12145637 4102 return log_oom();
2065ca69 4103 }
1280503b 4104 accum_env = strv_env_clean(accum_env);
2065ca69 4105
096424d1 4106 (void) umask(context->umask);
b213e1c1 4107
b1edf445 4108 r = setup_keyring(unit, context, params, uid, gid);
74dd6b51
LP		 4109 if (r < 0) {
4110 *exit_status = EXIT_KEYRING;
12145637 4111 return log_unit_error_errno(unit, r, "Failed to set up kernel keyring: %m");
74dd6b51
LP		 4112 }
4113
165a31c0 4114 /* We need sandboxing if the caller asked us to apply it and the command isn't explicitly excepted from it */
1703fa41 4115 needs_sandboxing = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & EXEC_COMMAND_FULLY_PRIVILEGED);
7f18ef0a 4116
165a31c0
LP		 4117 /* We need the ambient capability hack, if the caller asked us to apply it and the command is marked for it, and the kernel doesn't actually support ambient caps */
4118 needs_ambient_hack = (params->flags & EXEC_APPLY_SANDBOXING) && (command->flags & EXEC_COMMAND_AMBIENT_MAGIC) && !ambient_capabilities_supported();
7f18ef0a 4119
165a31c0
LP		 4120 /* We need setresuid() if the caller asked us to apply sandboxing and the command isn't explicitly excepted from either whole sandboxing or just setresuid() itself, and the ambient hack is not desired */
4121 if (needs_ambient_hack)
4122 needs_setuid = false;
4123 else
4124 needs_setuid = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & (EXEC_COMMAND_FULLY_PRIVILEGED|EXEC_COMMAND_NO_SETUID));
4125
4126 if (needs_sandboxing) {
7f18ef0a
FK		 4127 /* MAC enablement checks need to be done before a new mount ns is created, as they rely on /sys being
4128 * present. The actual MAC context application will happen later, as late as possible, to avoid
4129 * impacting our own code paths. */
4130
349cc4a5 4131#if HAVE_SELINUX
43b1f709 4132 use_selinux = mac_selinux_use();
7f18ef0a 4133#endif
f9fa32f0 4134#if ENABLE_SMACK
43b1f709 4135 use_smack = mac_smack_use();
7f18ef0a 4136#endif
349cc4a5 4137#if HAVE_APPARMOR
43b1f709 4138 use_apparmor = mac_apparmor_use();
7f18ef0a 4139#endif
165a31c0 4140 }
7f18ef0a 4141
ce932d2d
LP		 4142 if (needs_sandboxing) {
4143 int which_failed;
4144
4145 /* Let's set the resource limits before we call into PAM, so that pam_limits wins over what
4146 * is set here. (See below.) */
4147
4148 r = setrlimit_closest_all((const struct rlimit* const *) context->rlimit, &which_failed);
4149 if (r < 0) {
4150 *exit_status = EXIT_LIMITS;
4151 return log_unit_error_errno(unit, r, "Failed to adjust resource limit RLIMIT_%s: %m", rlimit_to_string(which_failed));
4152 }
4153 }
4154
0af07108 4155 if (needs_setuid && context->pam_name && username) {
ce932d2d
LP		 4156 /* Let's call into PAM after we set up our own idea of resource limits to that pam_limits
4157 * wins here. (See above.) */
4158
1da37e58 4159 /* All fds passed in the fds array will be closed in the pam child process. */
0af07108
ZJS		 4160 r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds);
4161 if (r < 0) {
4162 *exit_status = EXIT_PAM;
4163 return log_unit_error_errno(unit, r, "Failed to set up PAM session: %m");
165a31c0 4164 }
ac45f971 4165
0af07108
ZJS		 4166 ngids_after_pam = getgroups_alloc(&gids_after_pam);
4167 if (ngids_after_pam < 0) {
4168 *exit_status = EXIT_MEMORY;
4169 return log_unit_error_errno(unit, ngids_after_pam, "Failed to obtain groups after setting up PAM: %m");
5749f855 4170 }
b213e1c1 4171 }
5749f855 4172
0af07108 4173 if (needs_sandboxing && context->private_users && !have_effective_cap(CAP_SYS_ADMIN)) {
5749f855
AZ		 4174 /* If we're unprivileged, set up the user namespace first to enable use of the other namespaces.
4175 * Users with CAP_SYS_ADMIN can set up user namespaces last because they will be able to
4176 * set up the all of the other namespaces (i.e. network, mount, UTS) without a user namespace. */
0af07108
ZJS		 4177
4178 userns_set_up = true;
4179 r = setup_private_users(saved_uid, saved_gid, uid, gid);
4180 if (r < 0) {
4181 *exit_status = EXIT_USER;
4182 return log_unit_error_errno(unit, r, "Failed to set up user namespacing for unprivileged user: %m");
5749f855
AZ		 4183 }
4184 }
4185
a8d08f39
LP		 4186 if ((context->private_network || context->network_namespace_path) && runtime && runtime->netns_storage_socket[0] >= 0) {
4187
6e2d7c4f
MS		 4188 if (ns_type_supported(NAMESPACE_NET)) {
4189 r = setup_netns(runtime->netns_storage_socket);
ee00d1e9
ZJS		 4190 if (r == -EPERM)
4191 log_unit_warning_errno(unit, r,
4192 "PrivateNetwork=yes is configured, but network namespace setup failed, ignoring: %m");
4193 else if (r < 0) {
6e2d7c4f
MS		 4194 *exit_status = EXIT_NETWORK;
4195 return log_unit_error_errno(unit, r, "Failed to set up network namespacing: %m");
4196 }
a8d08f39
LP		 4197 } else if (context->network_namespace_path) {
4198 *exit_status = EXIT_NETWORK;
ee00d1e9
ZJS		 4199 return log_unit_error_errno(unit, SYNTHETIC_ERRNO(EOPNOTSUPP),
4200 "NetworkNamespacePath= is not supported, refusing.");
6e2d7c4f
MS		 4201 } else
4202 log_unit_warning(unit, "PrivateNetwork=yes is configured, but the kernel does not support network namespaces, ignoring.");
d35fbf6b 4203 }
169c1bda 4204
ee818b89 4205 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
ee818b89 4206 if (needs_mount_namespace) {
7cc5ef5f
ZJS		 4207 _cleanup_free_ char *error_path = NULL;
4208
9f71ba8d 4209 r = apply_mount_namespace(unit, command->flags, context, params, runtime, &error_path);
3fbe8dbe
LP		 4210 if (r < 0) {
4211 *exit_status = EXIT_NAMESPACE;
7cc5ef5f
ZJS		 4212 return log_unit_error_errno(unit, r, "Failed to set up mount namespacing%s%s: %m",
4213 error_path ? ": " : "", strempty(error_path));
3fbe8dbe 4214 }
d35fbf6b 4215 }
81a2b7ce 4216
daf8f72b
LP		 4217 if (needs_sandboxing) {
4218 r = apply_protect_hostname(unit, context, exit_status);
4219 if (r < 0)
4220 return r;
aecd5ac6
TM		 4221 }
4222
5749f855
AZ		 4223 /* Drop groups as early as possible.
4224 * This needs to be done after PrivateDevices=y setup as device nodes should be owned by the host's root.
4225 * For non-root in a userns, devices will be owned by the user/group before the group change, and nobody. */
165a31c0 4226 if (needs_setuid) {
afb11bf1
DG		 4227 _cleanup_free_ gid_t *gids_to_enforce = NULL;
4228 int ngids_to_enforce = 0;
4229
4230 ngids_to_enforce = merge_gid_lists(supplementary_gids,
4231 ngids,
4232 gids_after_pam,
4233 ngids_after_pam,
4234 &gids_to_enforce);
4235 if (ngids_to_enforce < 0) {
4236 *exit_status = EXIT_MEMORY;
4237 return log_unit_error_errno(unit,
4238 ngids_to_enforce,
4239 "Failed to merge group lists. Group membership might be incorrect: %m");
4240 }
4241
4242 r = enforce_groups(gid, gids_to_enforce, ngids_to_enforce);
096424d1
LP		 4243 if (r < 0) {
4244 *exit_status = EXIT_GROUP;
12145637 4245 return log_unit_error_errno(unit, r, "Changing group credentials failed: %m");
096424d1 4246 }
165a31c0 4247 }
096424d1 4248
5749f855
AZ		 4249 /* If the user namespace was not set up above, try to do it now.
4250 * It's preferred to set up the user namespace later (after all other namespaces) so as not to be
4251 * restricted by rules pertaining to combining user namspaces with other namespaces (e.g. in the
4252 * case of mount namespaces being less privileged when the mount point list is copied from a
4253 * different user namespace). */
9008e1ac 4254
5749f855
AZ		 4255 if (needs_sandboxing && context->private_users && !userns_set_up) {
4256 r = setup_private_users(saved_uid, saved_gid, uid, gid);
4257 if (r < 0) {
4258 *exit_status = EXIT_USER;
4259 return log_unit_error_errno(unit, r, "Failed to set up user namespacing: %m");
d251207d
LP		 4260 }
4261 }
4262
9f71ba8d
ZJS		 4263 /* Now that the mount namespace has been set up and privileges adjusted, let's look for the thing we
4264 * shall execute. */
4265
4266 _cleanup_free_ char *executable = NULL;
b83d5050
ZJS		 4267 _cleanup_close_ int executable_fd = -1;
4268 r = find_executable_full(command->path, false, &executable, &executable_fd);
9f71ba8d
ZJS		 4269 if (r < 0) {
4270 if (r != -ENOMEM && (command->flags & EXEC_COMMAND_IGNORE_FAILURE)) {
4271 log_struct_errno(LOG_INFO, r,
4272 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
4273 LOG_UNIT_ID(unit),
4274 LOG_UNIT_INVOCATION_ID(unit),
4275 LOG_UNIT_MESSAGE(unit, "Executable %s missing, skipping: %m",
4276 command->path),
4277 "EXECUTABLE=%s", command->path);
4278 return 0;
4279 }
4280
4281 *exit_status = EXIT_EXEC;
4282 return log_struct_errno(LOG_INFO, r,
4283 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
4284 LOG_UNIT_ID(unit),
4285 LOG_UNIT_INVOCATION_ID(unit),
4286 LOG_UNIT_MESSAGE(unit, "Failed to locate executable %s: %m",
4287 command->path),
4288 "EXECUTABLE=%s", command->path);
4289 }
4290
b83d5050
ZJS		 4291 r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, executable_fd, &executable_fd);
4292 if (r < 0) {
4293 *exit_status = EXIT_FDS;
4294 return log_unit_error_errno(unit, r, "Failed to shift fd and set FD_CLOEXEC: %m");
4295 }
4296
9f71ba8d
ZJS		 4297#if HAVE_SELINUX
4298 if (needs_sandboxing && use_selinux && params->selinux_context_net && socket_fd >= 0) {
4299 r = mac_selinux_get_child_mls_label(socket_fd, executable, context->selinux_context, &mac_selinux_context_net);
4300 if (r < 0) {
4301 *exit_status = EXIT_SELINUX_CONTEXT;
4302 return log_unit_error_errno(unit, r, "Failed to determine SELinux context: %m");
4303 }
4304 }
4305#endif
4306
165a31c0 4307 /* We repeat the fd closing here, to make sure that nothing is leaked from the PAM modules. Note that we are
5686391b
LP		 4308 * more aggressive this time since socket_fd and the netns fds we don't need anymore. We do keep the exec_fd
4309 * however if we have it as we want to keep it open until the final execve(). */
4310
1da37e58 4311 r = close_all_fds(keep_fds, n_keep_fds);
ff0af2a1
LP		 4312 if (r >= 0)
4313 r = shift_fds(fds, n_fds);
4314 if (r >= 0)
25b583d7 4315 r = flags_fds(fds, n_socket_fds, n_storage_fds, context->non_blocking);
ff0af2a1
LP		 4316 if (r < 0) {
4317 *exit_status = EXIT_FDS;
12145637 4318 return log_unit_error_errno(unit, r, "Failed to adjust passed file descriptors: %m");
d35fbf6b 4319 }
e66cf1a3 4320
5686391b
LP		 4321 /* At this point, the fds we want to pass to the program are all ready and set up, with O_CLOEXEC turned off
4322 * and at the right fd numbers. The are no other fds open, with one exception: the exec_fd if it is defined,
4323 * and it has O_CLOEXEC set, after all we want it to be closed by the execve(), so that our parent knows we
4324 * came this far. */
4325
165a31c0 4326 secure_bits = context->secure_bits;
e66cf1a3 4327
165a31c0
LP		 4328 if (needs_sandboxing) {
4329 uint64_t bset;
e66cf1a3 4330
ce932d2d
LP		 4331 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly
4332 * requested. (Note this is placed after the general resource limit initialization, see
4333 * above, in order to take precedence.) */
f4170c67
LP		 4334 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
4335 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
4336 *exit_status = EXIT_LIMITS;
12145637 4337 return log_unit_error_errno(unit, errno, "Failed to adjust RLIMIT_RTPRIO resource limit: %m");
f4170c67
LP		 4338 }
4339 }
4340
37ac2744
JB		 4341#if ENABLE_SMACK
4342 /* LSM Smack needs the capability CAP_MAC_ADMIN to change the current execution security context of the
4343 * process. This is the latest place before dropping capabilities. Other MAC context are set later. */
4344 if (use_smack) {
b83d5050 4345 r = setup_smack(context, executable_fd);
37ac2744
JB		 4346 if (r < 0) {
4347 *exit_status = EXIT_SMACK_PROCESS_LABEL;
4348 return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");
4349 }
4350 }
4351#endif
4352
165a31c0
LP		 4353 bset = context->capability_bounding_set;
4354 /* If the ambient caps hack is enabled (which means the kernel can't do them, and the user asked for
4355 * our magic fallback), then let's add some extra caps, so that the service can drop privs of its own,
4356 * instead of us doing that */
4357 if (needs_ambient_hack)
4358 bset |= (UINT64_C(1) << CAP_SETPCAP) |
4359 (UINT64_C(1) << CAP_SETUID) |
4360 (UINT64_C(1) << CAP_SETGID);
4361
4362 if (!cap_test_all(bset)) {
4363 r = capability_bounding_set_drop(bset, false);
ff0af2a1
LP		 4364 if (r < 0) {
4365 *exit_status = EXIT_CAPABILITIES;
12145637 4366 return log_unit_error_errno(unit, r, "Failed to drop capabilities: %m");
3b8bddde 4367 }
4c2630eb 4368 }
3b8bddde 4369
16fcb191
TK		 4370 /* Ambient capabilities are cleared during setresuid() (in enforce_user()) even with
4371 * keep-caps set.
4372 * To be able to raise the ambient capabilities after setresuid() they have to be
4373 * added to the inherited set and keep caps has to be set (done in enforce_user()).
4374 * After setresuid() the ambient capabilities can be raised as they are present in
4375 * the permitted and inhertiable set. However it is possible that someone wants to
4376 * set ambient capabilities without changing the user, so we also set the ambient
4377 * capabilities here.
4378 * The requested ambient capabilities are raised in the inheritable set if the
4379 * second argument is true. */
943800f4 4380 if (!needs_ambient_hack) {
755d4b67
IP		 4381 r = capability_ambient_set_apply(context->capability_ambient_set, true);
4382 if (r < 0) {
4383 *exit_status = EXIT_CAPABILITIES;
12145637 4384 return log_unit_error_errno(unit, r, "Failed to apply ambient capabilities (before UID change): %m");
755d4b67 4385 }
755d4b67 4386 }
165a31c0 4387 }
755d4b67 4388
fa97f630
JB		 4389 /* chroot to root directory first, before we lose the ability to chroot */
4390 r = apply_root_directory(context, params, needs_mount_namespace, exit_status);
4391 if (r < 0)
4392 return log_unit_error_errno(unit, r, "Chrooting to the requested root directory failed: %m");
4393
165a31c0 4394 if (needs_setuid) {
08f67696 4395 if (uid_is_valid(uid)) {
ff0af2a1
LP		 4396 r = enforce_user(context, uid);
4397 if (r < 0) {
4398 *exit_status = EXIT_USER;
12145637 4399 return log_unit_error_errno(unit, r, "Failed to change UID to " UID_FMT ": %m", uid);
5b6319dc 4400 }
165a31c0
LP		 4401
4402 if (!needs_ambient_hack &&
4403 context->capability_ambient_set != 0) {
755d4b67 4404
16fcb191 4405 /* Raise the ambient capabilities after user change. */
755d4b67
IP		 4406 r = capability_ambient_set_apply(context->capability_ambient_set, false);
4407 if (r < 0) {
4408 *exit_status = EXIT_CAPABILITIES;
12145637 4409 return log_unit_error_errno(unit, r, "Failed to apply ambient capabilities (after UID change): %m");
755d4b67 4410 }
755d4b67 4411 }
5b6319dc 4412 }
165a31c0 4413 }
d35fbf6b 4414
56ef8db9
JB		 4415 /* Apply working directory here, because the working directory might be on NFS and only the user running
4416 * this service might have the correct privilege to change to the working directory */
fa97f630 4417 r = apply_working_directory(context, params, home, exit_status);
56ef8db9
JB		 4418 if (r < 0)
4419 return log_unit_error_errno(unit, r, "Changing to the requested working directory failed: %m");
4420
165a31c0 4421 if (needs_sandboxing) {
37ac2744 4422 /* Apply other MAC contexts late, but before seccomp syscall filtering, as those should really be last to
5cd9cd35
LP		 4423 * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
4424 * syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
4425 * are restricted. */
4426
349cc4a5 4427#if HAVE_SELINUX
43b1f709 4428 if (use_selinux) {
5cd9cd35
LP		 4429 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
4430
4431 if (exec_context) {
4432 r = setexeccon(exec_context);
4433 if (r < 0) {
4434 *exit_status = EXIT_SELINUX_CONTEXT;
12145637 4435 return log_unit_error_errno(unit, r, "Failed to change SELinux context to %s: %m", exec_context);
5cd9cd35
LP		 4436 }
4437 }
4438 }
4439#endif
4440
349cc4a5 4441#if HAVE_APPARMOR
43b1f709 4442 if (use_apparmor && context->apparmor_profile) {
5cd9cd35
LP		 4443 r = aa_change_onexec(context->apparmor_profile);
4444 if (r < 0 && !context->apparmor_profile_ignore) {
4445 *exit_status = EXIT_APPARMOR_PROFILE;
12145637 4446 return log_unit_error_errno(unit, errno, "Failed to prepare AppArmor profile change to %s: %m", context->apparmor_profile);
5cd9cd35
LP		 4447 }
4448 }
4449#endif
4450
165a31c0 4451 /* PR_GET_SECUREBITS is not privileged, while PR_SET_SECUREBITS is. So to suppress potential EPERMs
dbdc4098
TK		 4452 * we'll try not to call PR_SET_SECUREBITS unless necessary. Setting securebits requires
4453 * CAP_SETPCAP. */
4454 if (prctl(PR_GET_SECUREBITS) != secure_bits) {
69e3234d 4455 /* CAP_SETPCAP is required to set securebits. This capability is raised into the
dbdc4098
TK		 4456 * effective set here.
4457 * The effective set is overwritten during execve with the following values:
4458 * - ambient set (for non-root processes)
4459 * - (inheritable | bounding) set for root processes)
4460 *
4461 * Hence there is no security impact to raise it in the effective set before execve
4462 */
4463 r = capability_gain_cap_setpcap(NULL);
4464 if (r < 0) {
4465 *exit_status = EXIT_CAPABILITIES;
4466 return log_unit_error_errno(unit, r, "Failed to gain CAP_SETPCAP for setting secure bits");
4467 }
755d4b67 4468 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
ff0af2a1 4469 *exit_status = EXIT_SECUREBITS;
12145637 4470 return log_unit_error_errno(unit, errno, "Failed to set process secure bits: %m");
ff01d048 4471 }
dbdc4098 4472 }
5b6319dc 4473
59eeb84b 4474 if (context_has_no_new_privileges(context))
d35fbf6b 4475 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
ff0af2a1 4476 *exit_status = EXIT_NO_NEW_PRIVILEGES;
12145637 4477 return log_unit_error_errno(unit, errno, "Failed to disable new privileges: %m");
d35fbf6b
DM		 4478 }
4479
349cc4a5 4480#if HAVE_SECCOMP
469830d1
LP		 4481 r = apply_address_families(unit, context);
4482 if (r < 0) {
4483 *exit_status = EXIT_ADDRESS_FAMILIES;
12145637 4484 return log_unit_error_errno(unit, r, "Failed to restrict address families: %m");
4c2630eb 4485 }
04aa0cb9 4486
469830d1
LP		 4487 r = apply_memory_deny_write_execute(unit, context);
4488 if (r < 0) {
4489 *exit_status = EXIT_SECCOMP;
12145637 4490 return log_unit_error_errno(unit, r, "Failed to disable writing to executable memory: %m");
f3e43635 4491 }
f4170c67 4492
469830d1
LP		 4493 r = apply_restrict_realtime(unit, context);
4494 if (r < 0) {
4495 *exit_status = EXIT_SECCOMP;
12145637 4496 return log_unit_error_errno(unit, r, "Failed to apply realtime restrictions: %m");
f4170c67
LP		 4497 }
4498
f69567cb
LP		 4499 r = apply_restrict_suid_sgid(unit, context);
4500 if (r < 0) {
4501 *exit_status = EXIT_SECCOMP;
4502 return log_unit_error_errno(unit, r, "Failed to apply SUID/SGID restrictions: %m");
4503 }
4504
add00535
LP		 4505 r = apply_restrict_namespaces(unit, context);
4506 if (r < 0) {
4507 *exit_status = EXIT_SECCOMP;
12145637 4508 return log_unit_error_errno(unit, r, "Failed to apply namespace restrictions: %m");
add00535
LP		 4509 }
4510
469830d1
LP		 4511 r = apply_protect_sysctl(unit, context);
4512 if (r < 0) {
4513 *exit_status = EXIT_SECCOMP;
12145637 4514 return log_unit_error_errno(unit, r, "Failed to apply sysctl restrictions: %m");
502d704e
DH		 4515 }
4516
469830d1
LP		 4517 r = apply_protect_kernel_modules(unit, context);
4518 if (r < 0) {
4519 *exit_status = EXIT_SECCOMP;
12145637 4520 return log_unit_error_errno(unit, r, "Failed to apply module loading restrictions: %m");
59eeb84b
LP		 4521 }
4522
84703040
KK		 4523 r = apply_protect_kernel_logs(unit, context);
4524 if (r < 0) {
4525 *exit_status = EXIT_SECCOMP;
4526 return log_unit_error_errno(unit, r, "Failed to apply kernel log restrictions: %m");
4527 }
4528
fc64760d
KK		 4529 r = apply_protect_clock(unit, context);
4530 if (r < 0) {
4531 *exit_status = EXIT_SECCOMP;
4532 return log_unit_error_errno(unit, r, "Failed to apply clock restrictions: %m");
4533 }
4534
469830d1
LP		 4535 r = apply_private_devices(unit, context);
4536 if (r < 0) {
4537 *exit_status = EXIT_SECCOMP;
12145637 4538 return log_unit_error_errno(unit, r, "Failed to set up private devices: %m");
469830d1
LP		 4539 }
4540
4541 r = apply_syscall_archs(unit, context);
4542 if (r < 0) {
4543 *exit_status = EXIT_SECCOMP;
12145637 4544 return log_unit_error_errno(unit, r, "Failed to apply syscall architecture restrictions: %m");
ba128bb8
LP		 4545 }
4546
78e864e5
TM		 4547 r = apply_lock_personality(unit, context);
4548 if (r < 0) {
4549 *exit_status = EXIT_SECCOMP;
12145637 4550 return log_unit_error_errno(unit, r, "Failed to lock personalities: %m");
78e864e5
TM		 4551 }
4552
9df2cdd8
TM		 4553 r = apply_syscall_log(unit, context);
4554 if (r < 0) {
4555 *exit_status = EXIT_SECCOMP;
4556 return log_unit_error_errno(unit, r, "Failed to apply system call log filters: %m");
4557 }
4558
5cd9cd35
LP		 4559 /* This really should remain the last step before the execve(), to make sure our own code is unaffected
4560 * by the filter as little as possible. */
165a31c0 4561 r = apply_syscall_filter(unit, context, needs_ambient_hack);
469830d1
LP		 4562 if (r < 0) {
4563 *exit_status = EXIT_SECCOMP;
12145637 4564 return log_unit_error_errno(unit, r, "Failed to apply system call filters: %m");
d35fbf6b
DM		 4565 }
4566#endif
d35fbf6b 4567 }
034c6ed7 4568
00819cc1
LP		 4569 if (!strv_isempty(context->unset_environment)) {
4570 char **ee = NULL;
4571
4572 ee = strv_env_delete(accum_env, 1, context->unset_environment);
4573 if (!ee) {
4574 *exit_status = EXIT_MEMORY;
12145637 4575 return log_oom();
00819cc1
LP		 4576 }
4577
130d3d22 4578 strv_free_and_replace(accum_env, ee);
00819cc1
LP		 4579 }
4580
7ca69792
AZ		 4581 if (!FLAGS_SET(command->flags, EXEC_COMMAND_NO_ENV_EXPAND)) {
4582 replaced_argv = replace_env_argv(command->argv, accum_env);
4583 if (!replaced_argv) {
4584 *exit_status = EXIT_MEMORY;
4585 return log_oom();
4586 }
4587 final_argv = replaced_argv;
4588 } else
4589 final_argv = command->argv;
034c6ed7 4590
f1d34068 4591 if (DEBUG_LOGGING) {
d35fbf6b 4592 _cleanup_free_ char *line;
81a2b7ce 4593
d35fbf6b 4594 line = exec_command_line(final_argv);
a1230ff9 4595 if (line)
f2341e0a 4596 log_struct(LOG_DEBUG,
9f71ba8d 4597 "EXECUTABLE=%s", executable,
f2341e0a 4598 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
ba360bb0 4599 LOG_UNIT_ID(unit),
a1230ff9 4600 LOG_UNIT_INVOCATION_ID(unit));
d35fbf6b 4601 }
dd305ec9 4602
5686391b
LP		 4603 if (exec_fd >= 0) {
4604 uint8_t hot = 1;
4605
4606 /* We have finished with all our initializations. Let's now let the manager know that. From this point
4607 * on, if the manager sees POLLHUP on the exec_fd, then execve() was successful. */
4608
4609 if (write(exec_fd, &hot, sizeof(hot)) < 0) {
4610 *exit_status = EXIT_EXEC;
4611 return log_unit_error_errno(unit, errno, "Failed to enable exec_fd: %m");
4612 }
4613 }
4614
a6d9111c 4615 r = fexecve_or_execve(executable_fd, executable, final_argv, accum_env);
5686391b
LP		 4616
4617 if (exec_fd >= 0) {
4618 uint8_t hot = 0;
4619
4620 /* The execve() failed. This means the exec_fd is still open. Which means we need to tell the manager
4621 * that POLLHUP on it no longer means execve() succeeded. */
4622
4623 if (write(exec_fd, &hot, sizeof(hot)) < 0) {
4624 *exit_status = EXIT_EXEC;
4625 return log_unit_error_errno(unit, errno, "Failed to disable exec_fd: %m");
4626 }
4627 }
12145637 4628
ff0af2a1 4629 *exit_status = EXIT_EXEC;
9f71ba8d 4630 return log_unit_error_errno(unit, r, "Failed to execute %s: %m", executable);
d35fbf6b 4631}
81a2b7ce 4632
34cf6c43 4633static int exec_context_load_environment(const Unit *unit, const ExecContext *c, char ***l);
2caa38e9 4634static int exec_context_named_iofds(const ExecContext *c, const ExecParameters *p, int named_iofds[static 3]);
34cf6c43 4635
f2341e0a
LP		 4636int exec_spawn(Unit *unit,
4637 ExecCommand *command,
d35fbf6b
DM		 4638 const ExecContext *context,
4639 const ExecParameters *params,
4640 ExecRuntime *runtime,
29206d46 4641 DynamicCreds *dcreds,
d35fbf6b 4642 pid_t *ret) {
8351ceae 4643
ee39ca20 4644 int socket_fd, r, named_iofds[3] = { -1, -1, -1 }, *fds = NULL;
78f93209 4645 _cleanup_free_ char *subcgroup_path = NULL;
d35fbf6b 4646 _cleanup_strv_free_ char **files_env = NULL;
da6053d0 4647 size_t n_storage_fds = 0, n_socket_fds = 0;
ff0af2a1 4648 _cleanup_free_ char *line = NULL;
d35fbf6b 4649 pid_t pid;
8351ceae 4650
f2341e0a 4651 assert(unit);
d35fbf6b
DM		 4652 assert(command);
4653 assert(context);
4654 assert(ret);
4655 assert(params);
25b583d7 4656 assert(params->fds || (params->n_socket_fds + params->n_storage_fds <= 0));
4298d0b5 4657
d35fbf6b
DM		 4658 if (context->std_input == EXEC_INPUT_SOCKET ||
4659 context->std_output == EXEC_OUTPUT_SOCKET ||
4660 context->std_error == EXEC_OUTPUT_SOCKET) {
17df7223 4661
d85ff944
YW		 4662 if (params->n_socket_fds > 1)
4663 return log_unit_error_errno(unit, SYNTHETIC_ERRNO(EINVAL), "Got more than one socket.");
eef65bf3 4664
d85ff944
YW		 4665 if (params->n_socket_fds == 0)
4666 return log_unit_error_errno(unit, SYNTHETIC_ERRNO(EINVAL), "Got no socket.");
488ab41c 4667
d35fbf6b
DM		 4668 socket_fd = params->fds[0];
4669 } else {
4670 socket_fd = -1;
4671 fds = params->fds;
9b141911 4672 n_socket_fds = params->n_socket_fds;
25b583d7 4673 n_storage_fds = params->n_storage_fds;
d35fbf6b 4674 }
94f04347 4675
34cf6c43 4676 r = exec_context_named_iofds(context, params, named_iofds);
52c239d7
LB		 4677 if (r < 0)
4678 return log_unit_error_errno(unit, r, "Failed to load a named file descriptor: %m");
4679
f2341e0a 4680 r = exec_context_load_environment(unit, context, &files_env);
ff0af2a1 4681 if (r < 0)
f2341e0a 4682 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
034c6ed7 4683
ee39ca20 4684 line = exec_command_line(command->argv);
d35fbf6b
DM		 4685 if (!line)
4686 return log_oom();
fab56fc5 4687
9f71ba8d
ZJS		 4688 /* Fork with up-to-date SELinux label database, so the child inherits the up-to-date db
4689 and, until the next SELinux policy changes, we save further reloads in future children. */
2df2152c
CG		 4690 mac_selinux_maybe_reload();
4691
f2341e0a 4692 log_struct(LOG_DEBUG,
9f71ba8d
ZJS		 4693 LOG_UNIT_MESSAGE(unit, "About to execute %s", line),
4694 "EXECUTABLE=%s", command->path, /* We won't know the real executable path until we create
4695 the mount namespace in the child, but we want to log
4696 from the parent, so we need to use the (possibly
4697 inaccurate) path here. */
ba360bb0 4698 LOG_UNIT_ID(unit),
a1230ff9 4699 LOG_UNIT_INVOCATION_ID(unit));
12145637 4700
78f93209
LP		 4701 if (params->cgroup_path) {
4702 r = exec_parameters_get_cgroup_path(params, &subcgroup_path);
4703 if (r < 0)
4704 return log_unit_error_errno(unit, r, "Failed to acquire subcgroup path: %m");
4705 if (r > 0) { /* We are using a child cgroup */
4706 r = cg_create(SYSTEMD_CGROUP_CONTROLLER, subcgroup_path);
4707 if (r < 0)
4708 return log_unit_error_errno(unit, r, "Failed to create control group '%s': %m", subcgroup_path);
4709 }
4710 }
4711
d35fbf6b
DM		 4712 pid = fork();
4713 if (pid < 0)
74129a12 4714 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
d35fbf6b
DM		 4715
4716 if (pid == 0) {
12145637 4717 int exit_status = EXIT_SUCCESS;
ff0af2a1 4718
f2341e0a
LP		 4719 r = exec_child(unit,
4720 command,
ff0af2a1
LP		 4721 context,
4722 params,
4723 runtime,
29206d46 4724 dcreds,
ff0af2a1 4725 socket_fd,
52c239d7 4726 named_iofds,
4c47affc 4727 fds,
9b141911 4728 n_socket_fds,
25b583d7 4729 n_storage_fds,
ff0af2a1 4730 files_env,
00d9ef85 4731 unit->manager->user_lookup_fds[1],
12145637
LP		 4732 &exit_status);
4733
e1714f02
ZJS		 4734 if (r < 0) {
4735 const char *status =
4736 exit_status_to_string(exit_status,
e04ed6db 4737 EXIT_STATUS_LIBC | EXIT_STATUS_SYSTEMD);
e1714f02 4738
12145637
LP		 4739 log_struct_errno(LOG_ERR, r,
4740 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
4741 LOG_UNIT_ID(unit),
4742 LOG_UNIT_INVOCATION_ID(unit),
4743 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
e1714f02 4744 status, command->path),
a1230ff9 4745 "EXECUTABLE=%s", command->path);
e1714f02 4746 }
4c2630eb 4747
ff0af2a1 4748 _exit(exit_status);
034c6ed7
LP		 4749 }
4750
f2341e0a 4751 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
23635a85 4752
78f93209
LP		 4753 /* We add the new process to the cgroup both in the child (so that we can be sure that no user code is ever
4754 * executed outside of the cgroup) and in the parent (so that we can be sure that when we kill the cgroup the
4755 * process will be killed too). */
4756 if (subcgroup_path)
4757 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, subcgroup_path, pid);
2da3263a 4758
b58b4116 4759 exec_status_start(&command->exec_status, pid);
9fb86720 4760
034c6ed7 4761 *ret = pid;
5cb5a6ff
LP		 4762 return 0;
4763}
4764
034c6ed7
LP		 4765void exec_context_init(ExecContext *c) {
4766 assert(c);
4767
4c12626c 4768 c->umask = 0022;
9eba9da4 4769 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
94f04347 4770 c->cpu_sched_policy = SCHED_OTHER;
071830ff 4771 c->syslog_priority = LOG_DAEMON|LOG_INFO;
74922904 4772 c->syslog_level_prefix = true;
353e12c2 4773 c->ignore_sigpipe = true;
3a43da28 4774 c->timer_slack_nsec = NSEC_INFINITY;
050f7277 4775 c->personality = PERSONALITY_INVALID;
5b10116e
ZJS		 4776 for (ExecDirectoryType t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++)
4777 c->directories[t].mode = 0755;
12213aed 4778 c->timeout_clean_usec = USEC_INFINITY;
a103496c 4779 c->capability_bounding_set = CAP_ALL;
aa9d574d
YW		 4780 assert_cc(NAMESPACE_FLAGS_INITIAL != NAMESPACE_FLAGS_ALL);
4781 c->restrict_namespaces = NAMESPACE_FLAGS_INITIAL;
d3070fbd 4782 c->log_level_max = -1;
005bfaf1
TM		 4783#if HAVE_SECCOMP
4784 c->syscall_errno = SECCOMP_ERROR_NUMBER_KILL;
4785#endif
b070c7c0 4786 numa_policy_reset(&c->numa_policy);
034c6ed7
LP		 4787}
4788
613b411c 4789void exec_context_done(ExecContext *c) {
5cb5a6ff
LP		 4790 assert(c);
4791
6796073e
LP		 4792 c->environment = strv_free(c->environment);
4793 c->environment_files = strv_free(c->environment_files);
b4c14404 4794 c->pass_environment = strv_free(c->pass_environment);
00819cc1 4795 c->unset_environment = strv_free(c->unset_environment);
8c7be95e 4796
31ce987c 4797 rlimit_free_all(c->rlimit);
034c6ed7 4798
5b10116e 4799 for (size_t l = 0; l < 3; l++) {
52c239d7 4800 c->stdio_fdname[l] = mfree(c->stdio_fdname[l]);
2038c3f5
LP		 4801 c->stdio_file[l] = mfree(c->stdio_file[l]);
4802 }
52c239d7 4803
a1e58e8e
LP		 4804 c->working_directory = mfree(c->working_directory);
4805 c->root_directory = mfree(c->root_directory);
915e6d16 4806 c->root_image = mfree(c->root_image);
18d73705 4807 c->root_image_options = mount_options_free_all(c->root_image_options);
0389f4fa
LB		 4808 c->root_hash = mfree(c->root_hash);
4809 c->root_hash_size = 0;
4810 c->root_hash_path = mfree(c->root_hash_path);
d4d55b0d
LB		 4811 c->root_hash_sig = mfree(c->root_hash_sig);
4812 c->root_hash_sig_size = 0;
4813 c->root_hash_sig_path = mfree(c->root_hash_sig_path);
0389f4fa 4814 c->root_verity = mfree(c->root_verity);
a1e58e8e
LP		 4815 c->tty_path = mfree(c->tty_path);
4816 c->syslog_identifier = mfree(c->syslog_identifier);
4817 c->user = mfree(c->user);
4818 c->group = mfree(c->group);
034c6ed7 4819
6796073e 4820 c->supplementary_groups = strv_free(c->supplementary_groups);
94f04347 4821
a1e58e8e 4822 c->pam_name = mfree(c->pam_name);
5b6319dc 4823
2a624c36
AP		 4824 c->read_only_paths = strv_free(c->read_only_paths);
4825 c->read_write_paths = strv_free(c->read_write_paths);
4826 c->inaccessible_paths = strv_free(c->inaccessible_paths);
ddc155b2
TM		 4827 c->exec_paths = strv_free(c->exec_paths);
4828 c->no_exec_paths = strv_free(c->no_exec_paths);
82c121a4 4829
d2d6c096 4830 bind_mount_free_many(c->bind_mounts, c->n_bind_mounts);
8e06d57c
YW		 4831 c->bind_mounts = NULL;
4832 c->n_bind_mounts = 0;
2abd4e38
YW		 4833 temporary_filesystem_free_many(c->temporary_filesystems, c->n_temporary_filesystems);
4834 c->temporary_filesystems = NULL;
4835 c->n_temporary_filesystems = 0;
b3d13314 4836 c->mount_images = mount_image_free_many(c->mount_images, &c->n_mount_images);
d2d6c096 4837
0985c7c4 4838 cpu_set_reset(&c->cpu_set);
b070c7c0 4839 numa_policy_reset(&c->numa_policy);
86a3475b 4840
a1e58e8e
LP		 4841 c->utmp_id = mfree(c->utmp_id);
4842 c->selinux_context = mfree(c->selinux_context);
4843 c->apparmor_profile = mfree(c->apparmor_profile);
5b8e1b77 4844 c->smack_process_label = mfree(c->smack_process_label);
eef65bf3 4845
8cfa775f 4846 c->syscall_filter = hashmap_free(c->syscall_filter);
525d3cc7
LP		 4847 c->syscall_archs = set_free(c->syscall_archs);
4848 c->address_families = set_free(c->address_families);
e66cf1a3 4849
5b10116e
ZJS		 4850 for (ExecDirectoryType t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++)
4851 c->directories[t].paths = strv_free(c->directories[t].paths);
d3070fbd
LP		 4852
4853 c->log_level_max = -1;
4854
4855 exec_context_free_log_extra_fields(c);
08f3be7a 4856
5ac1530e
ZJS		 4857 c->log_ratelimit_interval_usec = 0;
4858 c->log_ratelimit_burst = 0;
90fc172e 4859
08f3be7a
LP		 4860 c->stdin_data = mfree(c->stdin_data);
4861 c->stdin_data_size = 0;
a8d08f39
LP		 4862
4863 c->network_namespace_path = mfree(c->network_namespace_path);
91dd5f7c
LP		 4864
4865 c->log_namespace = mfree(c->log_namespace);
bb0c0d6f
LP		 4866
4867 c->load_credentials = strv_free(c->load_credentials);
4868 c->set_credentials = hashmap_free(c->set_credentials);
e66cf1a3
LP		 4869}
4870
34cf6c43 4871int exec_context_destroy_runtime_directory(const ExecContext *c, const char *runtime_prefix) {
e66cf1a3
LP		 4872 char **i;
4873
4874 assert(c);
4875
4876 if (!runtime_prefix)
4877 return 0;
4878
3536f49e 4879 STRV_FOREACH(i, c->directories[EXEC_DIRECTORY_RUNTIME].paths) {
e66cf1a3
LP		 4880 _cleanup_free_ char *p;
4881
494d0247
YW		 4882 if (exec_directory_is_private(c, EXEC_DIRECTORY_RUNTIME))
4883 p = path_join(runtime_prefix, "private", *i);
4884 else
4885 p = path_join(runtime_prefix, *i);
e66cf1a3
LP		 4886 if (!p)
4887 return -ENOMEM;
4888
7bc4bf4a
LP		 4889 /* We execute this synchronously, since we need to be sure this is gone when we start the
4890 * service next. */
c6878637 4891 (void) rm_rf(p, REMOVE_ROOT);
e66cf1a3
LP		 4892 }
4893
4894 return 0;
5cb5a6ff
LP		 4895}
4896
bb0c0d6f
LP		 4897int exec_context_destroy_credentials(const ExecContext *c, const char *runtime_prefix, const char *unit) {
4898 _cleanup_free_ char *p = NULL;
4899
4900 assert(c);
4901
4902 if (!runtime_prefix || !unit)
4903 return 0;
4904
4905 p = path_join(runtime_prefix, "credentials", unit);
4906 if (!p)
4907 return -ENOMEM;
4908
4909 /* This is either a tmpfs/ramfs of its own, or a plain directory. Either way, let's first try to
4910 * unmount it, and afterwards remove the mount point */
4911 (void) umount2(p, MNT_DETACH|UMOUNT_NOFOLLOW);
4912 (void) rm_rf(p, REMOVE_ROOT|REMOVE_CHMOD);
4913
4914 return 0;
4915}
4916
34cf6c43 4917static void exec_command_done(ExecCommand *c) {
43d0fcbd
LP		 4918 assert(c);
4919
a1e58e8e 4920 c->path = mfree(c->path);
6796073e 4921 c->argv = strv_free(c->argv);
43d0fcbd
LP		 4922}
4923
da6053d0 4924void exec_command_done_array(ExecCommand *c, size_t n) {
fe96c0f8 4925 for (size_t i = 0; i < n; i++)
43d0fcbd
LP		 4926 exec_command_done(c+i);
4927}
4928
f1acf85a 4929ExecCommand* exec_command_free_list(ExecCommand *c) {
5cb5a6ff
LP		 4930 ExecCommand *i;
4931
4932 while ((i = c)) {
71fda00f 4933 LIST_REMOVE(command, c, i);
43d0fcbd 4934 exec_command_done(i);
5cb5a6ff
LP		 4935 free(i);
4936 }
f1acf85a
ZJS		 4937
4938 return NULL;
5cb5a6ff
LP		 4939}
4940
da6053d0 4941void exec_command_free_array(ExecCommand **c, size_t n) {
5b10116e 4942 for (size_t i = 0; i < n; i++)
f1acf85a 4943 c[i] = exec_command_free_list(c[i]);
034c6ed7
LP		 4944}
4945
6a1d4d9f 4946void exec_command_reset_status_array(ExecCommand *c, size_t n) {
5b10116e 4947 for (size_t i = 0; i < n; i++)
6a1d4d9f
LP		 4948 exec_status_reset(&c[i].exec_status);
4949}
4950
4951void exec_command_reset_status_list_array(ExecCommand **c, size_t n) {
5b10116e 4952 for (size_t i = 0; i < n; i++) {
6a1d4d9f
LP		 4953 ExecCommand *z;
4954
4955 LIST_FOREACH(command, z, c[i])
4956 exec_status_reset(&z->exec_status);
4957 }
4958}
4959
039f0e70 4960typedef struct InvalidEnvInfo {
34cf6c43 4961 const Unit *unit;
039f0e70
LP		 4962 const char *path;
4963} InvalidEnvInfo;
4964
4965static void invalid_env(const char *p, void *userdata) {
4966 InvalidEnvInfo *info = userdata;
4967
f2341e0a 4968 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
039f0e70
LP		 4969}
4970
52c239d7
LB		 4971const char* exec_context_fdname(const ExecContext *c, int fd_index) {
4972 assert(c);
4973
4974 switch (fd_index) {
5073ff6b 4975
52c239d7
LB		 4976 case STDIN_FILENO:
4977 if (c->std_input != EXEC_INPUT_NAMED_FD)
4978 return NULL;
5073ff6b 4979
52c239d7 4980 return c->stdio_fdname[STDIN_FILENO] ?: "stdin";
5073ff6b 4981
52c239d7
LB		 4982 case STDOUT_FILENO:
4983 if (c->std_output != EXEC_OUTPUT_NAMED_FD)
4984 return NULL;
5073ff6b 4985
52c239d7 4986 return c->stdio_fdname[STDOUT_FILENO] ?: "stdout";
5073ff6b 4987
52c239d7
LB		 4988 case STDERR_FILENO:
4989 if (c->std_error != EXEC_OUTPUT_NAMED_FD)
4990 return NULL;
5073ff6b 4991
52c239d7 4992 return c->stdio_fdname[STDERR_FILENO] ?: "stderr";
5073ff6b 4993
52c239d7
LB		 4994 default:
4995 return NULL;
4996 }
4997}
4998
2caa38e9
LP		 4999static int exec_context_named_iofds(
5000 const ExecContext *c,
5001 const ExecParameters *p,
5002 int named_iofds[static 3]) {
5003
5b10116e 5004 size_t targets;
56fbd561 5005 const char* stdio_fdname[3];
da6053d0 5006 size_t n_fds;
52c239d7
LB		 5007
5008 assert(c);
5009 assert(p);
2caa38e9 5010 assert(named_iofds);
52c239d7
LB		 5011
5012 targets = (c->std_input == EXEC_INPUT_NAMED_FD) +
5013 (c->std_output == EXEC_OUTPUT_NAMED_FD) +
5014 (c->std_error == EXEC_OUTPUT_NAMED_FD);
5015
5b10116e 5016 for (size_t i = 0; i < 3; i++)
52c239d7
LB		 5017 stdio_fdname[i] = exec_context_fdname(c, i);
5018
4c47affc
FB		 5019 n_fds = p->n_storage_fds + p->n_socket_fds;
5020
5b10116e 5021 for (size_t i = 0; i < n_fds && targets > 0; i++)
56fbd561
ZJS		 5022 if (named_iofds[STDIN_FILENO] < 0 &&
5023 c->std_input == EXEC_INPUT_NAMED_FD &&
5024 stdio_fdname[STDIN_FILENO] &&
5025 streq(p->fd_names[i], stdio_fdname[STDIN_FILENO])) {
5026
52c239d7
LB		 5027 named_iofds[STDIN_FILENO] = p->fds[i];
5028 targets--;
56fbd561
ZJS		 5029
5030 } else if (named_iofds[STDOUT_FILENO] < 0 &&
5031 c->std_output == EXEC_OUTPUT_NAMED_FD &&
5032 stdio_fdname[STDOUT_FILENO] &&
5033 streq(p->fd_names[i], stdio_fdname[STDOUT_FILENO])) {
5034
52c239d7
LB		 5035 named_iofds[STDOUT_FILENO] = p->fds[i];
5036 targets--;
56fbd561
ZJS		 5037
5038 } else if (named_iofds[STDERR_FILENO] < 0 &&
5039 c->std_error == EXEC_OUTPUT_NAMED_FD &&
5040 stdio_fdname[STDERR_FILENO] &&
5041 streq(p->fd_names[i], stdio_fdname[STDERR_FILENO])) {
5042
52c239d7
LB		 5043 named_iofds[STDERR_FILENO] = p->fds[i];
5044 targets--;
5045 }
5046
56fbd561 5047 return targets == 0 ? 0 : -ENOENT;
52c239d7
LB		 5048}
5049
34cf6c43 5050static int exec_context_load_environment(const Unit *unit, const ExecContext *c, char ***l) {
8c7be95e
LP		 5051 char **i, **r = NULL;
5052
5053 assert(c);
5054 assert(l);
5055
5056 STRV_FOREACH(i, c->environment_files) {
5057 char *fn;
52511fae 5058 int k;
8c7be95e
LP		 5059 bool ignore = false;
5060 char **p;
7fd1b19b 5061 _cleanup_globfree_ glob_t pglob = {};
8c7be95e
LP		 5062
5063 fn = *i;
5064
5065 if (fn[0] == '-') {
5066 ignore = true;
313cefa1 5067 fn++;
8c7be95e
LP		 5068 }
5069
5070 if (!path_is_absolute(fn)) {
8c7be95e
LP		 5071 if (ignore)
5072 continue;
5073
5074 strv_free(r);
5075 return -EINVAL;
5076 }
5077
2bef10ab 5078 /* Filename supports globbing, take all matching files */
d8c92e8b
ZJS		 5079 k = safe_glob(fn, 0, &pglob);
5080 if (k < 0) {
2bef10ab
PL		 5081 if (ignore)
5082 continue;
8c7be95e 5083
2bef10ab 5084 strv_free(r);
d8c92e8b 5085 return k;
2bef10ab 5086 }
8c7be95e 5087
d8c92e8b
ZJS		 5088 /* When we don't match anything, -ENOENT should be returned */
5089 assert(pglob.gl_pathc > 0);
5090
5b10116e 5091 for (unsigned n = 0; n < pglob.gl_pathc; n++) {
aa8fbc74 5092 k = load_env_file(NULL, pglob.gl_pathv[n], &p);
2bef10ab
PL		 5093 if (k < 0) {
5094 if (ignore)
5095 continue;
8c7be95e 5096
2bef10ab 5097 strv_free(r);
2bef10ab 5098 return k;
e9c1ea9d 5099 }
ebc05a09 5100 /* Log invalid environment variables with filename */
039f0e70
LP		 5101 if (p) {
5102 InvalidEnvInfo info = {
f2341e0a 5103 .unit = unit,
039f0e70
LP		 5104 .path = pglob.gl_pathv[n]
5105 };
5106
5107 p = strv_env_clean_with_callback(p, invalid_env, &info);
5108 }
8c7be95e 5109
234519ae 5110 if (!r)
2bef10ab
PL		 5111 r = p;
5112 else {
5113 char **m;
8c7be95e 5114
2bef10ab
PL		 5115 m = strv_env_merge(2, r, p);
5116 strv_free(r);
5117 strv_free(p);
c84a9488 5118 if (!m)
2bef10ab 5119 return -ENOMEM;
2bef10ab
PL		 5120
5121 r = m;
5122 }
8c7be95e
LP		 5123 }
5124 }
5125
5126 *l = r;
5127
5128 return 0;
5129}
5130
6ac8fdc9 5131static bool tty_may_match_dev_console(const char *tty) {
7b912648 5132 _cleanup_free_ char *resolved = NULL;
6ac8fdc9 5133
1e22b5cd
LP		 5134 if (!tty)
5135 return true;
5136
a119ec7c 5137 tty = skip_dev_prefix(tty);
6ac8fdc9
MS		 5138
5139 /* trivial identity? */
5140 if (streq(tty, "console"))
5141 return true;
5142
7b912648
LP		 5143 if (resolve_dev_console(&resolved) < 0)
5144 return true; /* if we could not resolve, assume it may */
6ac8fdc9
MS		 5145
5146 /* "tty0" means the active VC, so it may be the same sometimes */
955f1c85 5147 return path_equal(resolved, tty) || (streq(resolved, "tty0") && tty_is_vc(tty));
6ac8fdc9
MS		 5148}
5149
6c0ae739
LP		 5150static bool exec_context_may_touch_tty(const ExecContext *ec) {
5151 assert(ec);
1e22b5cd 5152
6c0ae739 5153 return ec->tty_reset ||
1e22b5cd
LP		 5154 ec->tty_vhangup ||
5155 ec->tty_vt_disallocate ||
6ac8fdc9
MS		 5156 is_terminal_input(ec->std_input) ||
5157 is_terminal_output(ec->std_output) ||
6c0ae739
LP		 5158 is_terminal_output(ec->std_error);
5159}
5160
5161bool exec_context_may_touch_console(const ExecContext *ec) {
5162
5163 return exec_context_may_touch_tty(ec) &&
1e22b5cd 5164 tty_may_match_dev_console(exec_context_tty_path(ec));
6ac8fdc9
MS		 5165}
5166
15ae422b
LP		 5167static void strv_fprintf(FILE *f, char **l) {
5168 char **g;
5169
5170 assert(f);
5171
5172 STRV_FOREACH(g, l)
5173 fprintf(f, " %s", *g);
5174}
5175
ddc155b2
TM		 5176static void strv_dump(FILE* f, const char *prefix, const char *name, char **strv) {
5177 assert(f);
5178 assert(prefix);
5179 assert(name);
5180
5181 if (!strv_isempty(strv)) {
5182 fprintf(f, "%s%s:", name, prefix);
5183 strv_fprintf(f, strv);
5184 fputs("\n", f);
5185 }
5186}
5187
34cf6c43 5188void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
12213aed 5189 char **e, **d, buf_clean[FORMAT_TIMESPAN_MAX];
add00535 5190 int r;
9eba9da4 5191
5cb5a6ff
LP		 5192 assert(c);
5193 assert(f);
5194
4ad49000 5195 prefix = strempty(prefix);
5cb5a6ff
LP		 5196
5197 fprintf(f,
94f04347
LP		 5198 "%sUMask: %04o\n"
5199 "%sWorkingDirectory: %s\n"
451a074f 5200 "%sRootDirectory: %s\n"
15ae422b 5201 "%sNonBlocking: %s\n"
64747e2d 5202 "%sPrivateTmp: %s\n"
7f112f50 5203 "%sPrivateDevices: %s\n"
59eeb84b 5204 "%sProtectKernelTunables: %s\n"
e66a2f65 5205 "%sProtectKernelModules: %s\n"
84703040 5206 "%sProtectKernelLogs: %s\n"
fc64760d 5207 "%sProtectClock: %s\n"
59eeb84b 5208 "%sProtectControlGroups: %s\n"
d251207d
LP		 5209 "%sPrivateNetwork: %s\n"
5210 "%sPrivateUsers: %s\n"
1b8689f9
LP		 5211 "%sProtectHome: %s\n"
5212 "%sProtectSystem: %s\n"
5d997827 5213 "%sMountAPIVFS: %s\n"
f3e43635 5214 "%sIgnoreSIGPIPE: %s\n"
f4170c67 5215 "%sMemoryDenyWriteExecute: %s\n"
b1edf445 5216 "%sRestrictRealtime: %s\n"
f69567cb 5217 "%sRestrictSUIDSGID: %s\n"
aecd5ac6 5218 "%sKeyringMode: %s\n"
4e399953
LP		 5219 "%sProtectHostname: %s\n"
5220 "%sProtectProc: %s\n"
5221 "%sProcSubset: %s\n",
5cb5a6ff 5222 prefix, c->umask,
14eb3285
LP		 5223 prefix, empty_to_root(c->working_directory),
5224 prefix, empty_to_root(c->root_directory),
15ae422b 5225 prefix, yes_no(c->non_blocking),
64747e2d 5226 prefix, yes_no(c->private_tmp),
7f112f50 5227 prefix, yes_no(c->private_devices),
59eeb84b 5228 prefix, yes_no(c->protect_kernel_tunables),
e66a2f65 5229 prefix, yes_no(c->protect_kernel_modules),
84703040 5230 prefix, yes_no(c->protect_kernel_logs),
fc64760d 5231 prefix, yes_no(c->protect_clock),
59eeb84b 5232 prefix, yes_no(c->protect_control_groups),
d251207d
LP		 5233 prefix, yes_no(c->private_network),
5234 prefix, yes_no(c->private_users),
1b8689f9
LP		 5235 prefix, protect_home_to_string(c->protect_home),
5236 prefix, protect_system_to_string(c->protect_system),
5e98086d 5237 prefix, yes_no(exec_context_get_effective_mount_apivfs(c)),
f3e43635 5238 prefix, yes_no(c->ignore_sigpipe),
f4170c67 5239 prefix, yes_no(c->memory_deny_write_execute),
b1edf445 5240 prefix, yes_no(c->restrict_realtime),
f69567cb 5241 prefix, yes_no(c->restrict_suid_sgid),
aecd5ac6 5242 prefix, exec_keyring_mode_to_string(c->keyring_mode),
4e399953
LP		 5243 prefix, yes_no(c->protect_hostname),
5244 prefix, protect_proc_to_string(c->protect_proc),
5245 prefix, proc_subset_to_string(c->proc_subset));
fb33a393 5246
915e6d16
LP		 5247 if (c->root_image)
5248 fprintf(f, "%sRootImage: %s\n", prefix, c->root_image);
5249
18d73705
LB		 5250 if (c->root_image_options) {
5251 MountOptions *o;
5252
5253 fprintf(f, "%sRootImageOptions:", prefix);
5254 LIST_FOREACH(mount_options, o, c->root_image_options)
5255 if (!isempty(o->options))
9ece6444
LB		 5256 fprintf(f, " %s:%s",
5257 partition_designator_to_string(o->partition_designator),
5258 o->options);
18d73705
LB		 5259 fprintf(f, "\n");
5260 }
5261
0389f4fa
LB		 5262 if (c->root_hash) {
5263 _cleanup_free_ char *encoded = NULL;
5264 encoded = hexmem(c->root_hash, c->root_hash_size);
5265 if (encoded)
5266 fprintf(f, "%sRootHash: %s\n", prefix, encoded);
5267 }
5268
5269 if (c->root_hash_path)
5270 fprintf(f, "%sRootHash: %s\n", prefix, c->root_hash_path);
5271
d4d55b0d
LB		 5272 if (c->root_hash_sig) {
5273 _cleanup_free_ char *encoded = NULL;
5274 ssize_t len;
5275 len = base64mem(c->root_hash_sig, c->root_hash_sig_size, &encoded);
5276 if (len)
5277 fprintf(f, "%sRootHashSignature: base64:%s\n", prefix, encoded);
5278 }
5279
5280 if (c->root_hash_sig_path)
5281 fprintf(f, "%sRootHashSignature: %s\n", prefix, c->root_hash_sig_path);
5282
0389f4fa
LB		 5283 if (c->root_verity)
5284 fprintf(f, "%sRootVerity: %s\n", prefix, c->root_verity);
5285
8c7be95e
LP		 5286 STRV_FOREACH(e, c->environment)
5287 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
5288
5289 STRV_FOREACH(e, c->environment_files)
5290 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
94f04347 5291
b4c14404
FB		 5292 STRV_FOREACH(e, c->pass_environment)
5293 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
5294
00819cc1
LP		 5295 STRV_FOREACH(e, c->unset_environment)
5296 fprintf(f, "%sUnsetEnvironment: %s\n", prefix, *e);
5297
53f47dfc
YW		 5298 fprintf(f, "%sRuntimeDirectoryPreserve: %s\n", prefix, exec_preserve_mode_to_string(c->runtime_directory_preserve_mode));
5299
5b10116e 5300 for (ExecDirectoryType dt = 0; dt < _EXEC_DIRECTORY_TYPE_MAX; dt++) {
3536f49e
YW		 5301 fprintf(f, "%s%sMode: %04o\n", prefix, exec_directory_type_to_string(dt), c->directories[dt].mode);
5302
5303 STRV_FOREACH(d, c->directories[dt].paths)
5304 fprintf(f, "%s%s: %s\n", prefix, exec_directory_type_to_string(dt), *d);
5305 }
c2bbd90b 5306
12213aed
YW		 5307 fprintf(f,
5308 "%sTimeoutCleanSec: %s\n",
5309 prefix, format_timespan(buf_clean, sizeof(buf_clean), c->timeout_clean_usec, USEC_PER_SEC));
5310
fb33a393
LP		 5311 if (c->nice_set)
5312 fprintf(f,
5313 "%sNice: %i\n",
5314 prefix, c->nice);
5315
dd6c17b1 5316 if (c->oom_score_adjust_set)
fb33a393 5317 fprintf(f,
dd6c17b1
LP		 5318 "%sOOMScoreAdjust: %i\n",
5319 prefix, c->oom_score_adjust);
9eba9da4 5320
ad21e542
ZJS		 5321 if (c->coredump_filter_set)
5322 fprintf(f,
5323 "%sCoredumpFilter: 0x%"PRIx64"\n",
5324 prefix, c->coredump_filter);
5325
5b10116e 5326 for (unsigned i = 0; i < RLIM_NLIMITS; i++)
3c11da9d 5327 if (c->rlimit[i]) {
4c3a2b84 5328 fprintf(f, "%sLimit%s: " RLIM_FMT "\n",
3c11da9d 5329 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
4c3a2b84 5330 fprintf(f, "%sLimit%sSoft: " RLIM_FMT "\n",
3c11da9d
EV		 5331 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
5332 }
94f04347 5333
f8b69d1d 5334 if (c->ioprio_set) {
1756a011 5335 _cleanup_free_ char *class_str = NULL;
f8b69d1d 5336
837df140
YW		 5337 r = ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
5338 if (r >= 0)
5339 fprintf(f, "%sIOSchedulingClass: %s\n", prefix, class_str);
5340
5341 fprintf(f, "%sIOPriority: %lu\n", prefix, IOPRIO_PRIO_DATA(c->ioprio));
f8b69d1d 5342 }
94f04347 5343
f8b69d1d 5344 if (c->cpu_sched_set) {
1756a011 5345 _cleanup_free_ char *policy_str = NULL;
f8b69d1d 5346
837df140
YW		 5347 r = sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
5348 if (r >= 0)
5349 fprintf(f, "%sCPUSchedulingPolicy: %s\n", prefix, policy_str);
5350
94f04347 5351 fprintf(f,
38b48754
LP		 5352 "%sCPUSchedulingPriority: %i\n"
5353 "%sCPUSchedulingResetOnFork: %s\n",
38b48754
LP		 5354 prefix, c->cpu_sched_priority,
5355 prefix, yes_no(c->cpu_sched_reset_on_fork));
b929bf04 5356 }
94f04347 5357
0985c7c4 5358 if (c->cpu_set.set) {
e7fca352
MS		 5359 _cleanup_free_ char *affinity = NULL;
5360
5361 affinity = cpu_set_to_range_string(&c->cpu_set);
5362 fprintf(f, "%sCPUAffinity: %s\n", prefix, affinity);
94f04347
LP		 5363 }
5364
b070c7c0
MS		 5365 if (mpol_is_valid(numa_policy_get_type(&c->numa_policy))) {
5366 _cleanup_free_ char *nodes = NULL;
5367
5368 nodes = cpu_set_to_range_string(&c->numa_policy.nodes);
5369 fprintf(f, "%sNUMAPolicy: %s\n", prefix, mpol_to_string(numa_policy_get_type(&c->numa_policy)));
5370 fprintf(f, "%sNUMAMask: %s\n", prefix, strnull(nodes));
5371 }
5372
3a43da28 5373 if (c->timer_slack_nsec != NSEC_INFINITY)
ccd06097 5374 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
94f04347
LP		 5375
5376 fprintf(f,
80876c20
LP		 5377 "%sStandardInput: %s\n"
5378 "%sStandardOutput: %s\n"
5379 "%sStandardError: %s\n",
5380 prefix, exec_input_to_string(c->std_input),
5381 prefix, exec_output_to_string(c->std_output),
5382 prefix, exec_output_to_string(c->std_error));
5383
befc4a80
LP		 5384 if (c->std_input == EXEC_INPUT_NAMED_FD)
5385 fprintf(f, "%sStandardInputFileDescriptorName: %s\n", prefix, c->stdio_fdname[STDIN_FILENO]);
5386 if (c->std_output == EXEC_OUTPUT_NAMED_FD)
5387 fprintf(f, "%sStandardOutputFileDescriptorName: %s\n", prefix, c->stdio_fdname[STDOUT_FILENO]);
5388 if (c->std_error == EXEC_OUTPUT_NAMED_FD)
5389 fprintf(f, "%sStandardErrorFileDescriptorName: %s\n", prefix, c->stdio_fdname[STDERR_FILENO]);
5390
5391 if (c->std_input == EXEC_INPUT_FILE)
5392 fprintf(f, "%sStandardInputFile: %s\n", prefix, c->stdio_file[STDIN_FILENO]);
5393 if (c->std_output == EXEC_OUTPUT_FILE)
5394 fprintf(f, "%sStandardOutputFile: %s\n", prefix, c->stdio_file[STDOUT_FILENO]);
566b7d23
ZD		 5395 if (c->std_output == EXEC_OUTPUT_FILE_APPEND)
5396 fprintf(f, "%sStandardOutputFileToAppend: %s\n", prefix, c->stdio_file[STDOUT_FILENO]);
8d7dab1f
LW		 5397 if (c->std_output == EXEC_OUTPUT_FILE_TRUNCATE)
5398 fprintf(f, "%sStandardOutputFileToTruncate: %s\n", prefix, c->stdio_file[STDOUT_FILENO]);
befc4a80
LP		 5399 if (c->std_error == EXEC_OUTPUT_FILE)
5400 fprintf(f, "%sStandardErrorFile: %s\n", prefix, c->stdio_file[STDERR_FILENO]);
566b7d23
ZD		 5401 if (c->std_error == EXEC_OUTPUT_FILE_APPEND)
5402 fprintf(f, "%sStandardErrorFileToAppend: %s\n", prefix, c->stdio_file[STDERR_FILENO]);
8d7dab1f
LW		 5403 if (c->std_error == EXEC_OUTPUT_FILE_TRUNCATE)
5404 fprintf(f, "%sStandardErrorFileToTruncate: %s\n", prefix, c->stdio_file[STDERR_FILENO]);
befc4a80 5405
80876c20
LP		 5406 if (c->tty_path)
5407 fprintf(f,
6ea832a2
LP		 5408 "%sTTYPath: %s\n"
5409 "%sTTYReset: %s\n"
5410 "%sTTYVHangup: %s\n"
5411 "%sTTYVTDisallocate: %s\n",
5412 prefix, c->tty_path,
5413 prefix, yes_no(c->tty_reset),
5414 prefix, yes_no(c->tty_vhangup),
5415 prefix, yes_no(c->tty_vt_disallocate));
94f04347 5416
9f6444eb 5417 if (IN_SET(c->std_output,
9f6444eb
LP		 5418 EXEC_OUTPUT_KMSG,
5419 EXEC_OUTPUT_JOURNAL,
9f6444eb
LP		 5420 EXEC_OUTPUT_KMSG_AND_CONSOLE,
5421 EXEC_OUTPUT_JOURNAL_AND_CONSOLE) ||
5422 IN_SET(c->std_error,
9f6444eb
LP		 5423 EXEC_OUTPUT_KMSG,
5424 EXEC_OUTPUT_JOURNAL,
9f6444eb
LP		 5425 EXEC_OUTPUT_KMSG_AND_CONSOLE,
5426 EXEC_OUTPUT_JOURNAL_AND_CONSOLE)) {
f8b69d1d 5427
5ce70e5b 5428 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
f8b69d1d 5429
837df140
YW		 5430 r = log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
5431 if (r >= 0)
5432 fprintf(f, "%sSyslogFacility: %s\n", prefix, fac_str);
f8b69d1d 5433
837df140
YW		 5434 r = log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
5435 if (r >= 0)
5436 fprintf(f, "%sSyslogLevel: %s\n", prefix, lvl_str);
f8b69d1d 5437 }
94f04347 5438
d3070fbd
LP		 5439 if (c->log_level_max >= 0) {
5440 _cleanup_free_ char *t = NULL;
5441
5442 (void) log_level_to_string_alloc(c->log_level_max, &t);
5443
5444 fprintf(f, "%sLogLevelMax: %s\n", prefix, strna(t));
5445 }
5446
5ac1530e 5447 if (c->log_ratelimit_interval_usec > 0) {
90fc172e
AZ		 5448 char buf_timespan[FORMAT_TIMESPAN_MAX];
5449
5450 fprintf(f,
5451 "%sLogRateLimitIntervalSec: %s\n",
5ac1530e 5452 prefix, format_timespan(buf_timespan, sizeof(buf_timespan), c->log_ratelimit_interval_usec, USEC_PER_SEC));
90fc172e
AZ		 5453 }
5454
5ac1530e
ZJS		 5455 if (c->log_ratelimit_burst > 0)
5456 fprintf(f, "%sLogRateLimitBurst: %u\n", prefix, c->log_ratelimit_burst);
90fc172e 5457
5b10116e
ZJS		 5458 for (size_t j = 0; j < c->n_log_extra_fields; j++) {
5459 fprintf(f, "%sLogExtraFields: ", prefix);
5460 fwrite(c->log_extra_fields[j].iov_base,
5461 1, c->log_extra_fields[j].iov_len,
5462 f);
5463 fputc('\n', f);
d3070fbd
LP		 5464 }
5465
91dd5f7c
LP		 5466 if (c->log_namespace)
5467 fprintf(f, "%sLogNamespace: %s\n", prefix, c->log_namespace);
5468
07d46372
YW		 5469 if (c->secure_bits) {
5470 _cleanup_free_ char *str = NULL;
5471
5472 r = secure_bits_to_string_alloc(c->secure_bits, &str);
5473 if (r >= 0)
5474 fprintf(f, "%sSecure Bits: %s\n", prefix, str);
5475 }
94f04347 5476
a103496c 5477 if (c->capability_bounding_set != CAP_ALL) {
dd1f5bd0 5478 _cleanup_free_ char *str = NULL;
94f04347 5479
dd1f5bd0
YW		 5480 r = capability_set_to_string_alloc(c->capability_bounding_set, &str);
5481 if (r >= 0)
5482 fprintf(f, "%sCapabilityBoundingSet: %s\n", prefix, str);
755d4b67
IP		 5483 }
5484
5485 if (c->capability_ambient_set != 0) {
dd1f5bd0 5486 _cleanup_free_ char *str = NULL;
755d4b67 5487
dd1f5bd0
YW		 5488 r = capability_set_to_string_alloc(c->capability_ambient_set, &str);
5489 if (r >= 0)
5490 fprintf(f, "%sAmbientCapabilities: %s\n", prefix, str);
94f04347
LP		 5491 }
5492
5493 if (c->user)
f2d3769a 5494 fprintf(f, "%sUser: %s\n", prefix, c->user);
94f04347 5495 if (c->group)
f2d3769a 5496 fprintf(f, "%sGroup: %s\n", prefix, c->group);
94f04347 5497
29206d46
LP		 5498 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
5499
ddc155b2 5500 strv_dump(f, prefix, "SupplementaryGroups", c->supplementary_groups);
94f04347 5501
5b6319dc 5502 if (c->pam_name)
f2d3769a 5503 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
5b6319dc 5504
ddc155b2
TM		 5505 strv_dump(f, prefix, "ReadWritePaths", c->read_write_paths);
5506 strv_dump(f, prefix, "ReadOnlyPaths", c->read_only_paths);
5507 strv_dump(f, prefix, "InaccessiblePaths", c->inaccessible_paths);
5508 strv_dump(f, prefix, "ExecPaths", c->exec_paths);
5509 strv_dump(f, prefix, "NoExecPaths", c->no_exec_paths);
2e22afe9 5510
5b10116e
ZJS		 5511 for (size_t i = 0; i < c->n_bind_mounts; i++)
5512 fprintf(f, "%s%s: %s%s:%s:%s\n", prefix,
5513 c->bind_mounts[i].read_only ? "BindReadOnlyPaths" : "BindPaths",
5514 c->bind_mounts[i].ignore_enoent ? "-": "",
5515 c->bind_mounts[i].source,
5516 c->bind_mounts[i].destination,
5517 c->bind_mounts[i].recursive ? "rbind" : "norbind");
d2d6c096 5518
5b10116e
ZJS		 5519 for (size_t i = 0; i < c->n_temporary_filesystems; i++) {
5520 const TemporaryFileSystem *t = c->temporary_filesystems + i;
2abd4e38 5521
5b10116e
ZJS		 5522 fprintf(f, "%sTemporaryFileSystem: %s%s%s\n", prefix,
5523 t->path,
5524 isempty(t->options) ? "" : ":",
5525 strempty(t->options));
5526 }
2abd4e38 5527
169c1bda
LP		 5528 if (c->utmp_id)
5529 fprintf(f,
5530 "%sUtmpIdentifier: %s\n",
5531 prefix, c->utmp_id);
7b52a628
MS		 5532
5533 if (c->selinux_context)
5534 fprintf(f,
5f8640fb
LP		 5535 "%sSELinuxContext: %s%s\n",
5536 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
17df7223 5537
80c21aea
WC		 5538 if (c->apparmor_profile)
5539 fprintf(f,
5540 "%sAppArmorProfile: %s%s\n",
5541 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
5542
5543 if (c->smack_process_label)
5544 fprintf(f,
5545 "%sSmackProcessLabel: %s%s\n",
5546 prefix, c->smack_process_label_ignore ? "-" : "", c->smack_process_label);
5547
050f7277 5548 if (c->personality != PERSONALITY_INVALID)
ac45f971
LP		 5549 fprintf(f,
5550 "%sPersonality: %s\n",
5551 prefix, strna(personality_to_string(c->personality)));
5552
78e864e5
TM		 5553 fprintf(f,
5554 "%sLockPersonality: %s\n",
5555 prefix, yes_no(c->lock_personality));
5556
17df7223 5557 if (c->syscall_filter) {
349cc4a5 5558#if HAVE_SECCOMP
8cfa775f 5559 void *id, *val;
17df7223 5560 bool first = true;
351a19b1 5561#endif
17df7223
LP		 5562
5563 fprintf(f,
57183d11 5564 "%sSystemCallFilter: ",
17df7223
LP		 5565 prefix);
5566
6b000af4 5567 if (!c->syscall_allow_list)
17df7223
LP		 5568 fputc('~', f);
5569
349cc4a5 5570#if HAVE_SECCOMP
90e74a66 5571 HASHMAP_FOREACH_KEY(val, id, c->syscall_filter) {
17df7223 5572 _cleanup_free_ char *name = NULL;
8cfa775f
YW		 5573 const char *errno_name = NULL;
5574 int num = PTR_TO_INT(val);
17df7223
LP		 5575
5576 if (first)
5577 first = false;
5578 else
5579 fputc(' ', f);
5580
57183d11 5581 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
17df7223 5582 fputs(strna(name), f);
8cfa775f
YW		 5583
5584 if (num >= 0) {
005bfaf1 5585 errno_name = seccomp_errno_or_action_to_string(num);
8cfa775f
YW		 5586 if (errno_name)
5587 fprintf(f, ":%s", errno_name);
5588 else
5589 fprintf(f, ":%d", num);
5590 }
17df7223 5591 }
351a19b1 5592#endif
17df7223
LP		 5593
5594 fputc('\n', f);
5595 }
5596
57183d11 5597 if (c->syscall_archs) {
349cc4a5 5598#if HAVE_SECCOMP
57183d11
LP		 5599 void *id;
5600#endif
5601
5602 fprintf(f,
5603 "%sSystemCallArchitectures:",
5604 prefix);
5605
349cc4a5 5606#if HAVE_SECCOMP
90e74a66 5607 SET_FOREACH(id, c->syscall_archs)
57183d11
LP		 5608 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
5609#endif
5610 fputc('\n', f);
5611 }
5612
add00535
LP		 5613 if (exec_context_restrict_namespaces_set(c)) {
5614 _cleanup_free_ char *s = NULL;
5615
86c2a9f1 5616 r = namespace_flags_to_string(c->restrict_namespaces, &s);
add00535
LP		 5617 if (r >= 0)
5618 fprintf(f, "%sRestrictNamespaces: %s\n",
dd0395b5 5619 prefix, strna(s));
add00535
LP		 5620 }
5621
a8d08f39
LP		 5622 if (c->network_namespace_path)
5623 fprintf(f,
5624 "%sNetworkNamespacePath: %s\n",
5625 prefix, c->network_namespace_path);
5626
3df90f24 5627 if (c->syscall_errno > 0) {
005bfaf1 5628#if HAVE_SECCOMP
3df90f24 5629 const char *errno_name;
005bfaf1 5630#endif
3df90f24
YW		 5631
5632 fprintf(f, "%sSystemCallErrorNumber: ", prefix);
5633
005bfaf1
TM		 5634#if HAVE_SECCOMP
5635 errno_name = seccomp_errno_or_action_to_string(c->syscall_errno);
3df90f24 5636 if (errno_name)
005bfaf1 5637 fputs(errno_name, f);
3df90f24 5638 else
005bfaf1
TM		 5639 fprintf(f, "%d", c->syscall_errno);
5640#endif
5641 fputc('\n', f);
3df90f24 5642 }
b3d13314 5643
5b10116e 5644 for (size_t i = 0; i < c->n_mount_images; i++) {
427353f6
LB		 5645 MountOptions *o;
5646
5647 fprintf(f, "%sMountImages: %s%s:%s%s", prefix,
b3d13314
LB		 5648 c->mount_images[i].ignore_enoent ? "-": "",
5649 c->mount_images[i].source,
427353f6
LB		 5650 c->mount_images[i].destination,
5651 LIST_IS_EMPTY(c->mount_images[i].mount_options) ? "": ":");
5652 LIST_FOREACH(mount_options, o, c->mount_images[i].mount_options)
5653 fprintf(f, "%s:%s",
5654 partition_designator_to_string(o->partition_designator),
5655 o->options);
5656 fprintf(f, "\n");
5657 }
5cb5a6ff
LP		 5658}
5659
34cf6c43 5660bool exec_context_maintains_privileges(const ExecContext *c) {
a931ad47
LP		 5661 assert(c);
5662
61233823 5663 /* Returns true if the process forked off would run under
a931ad47
LP		 5664 * an unchanged UID or as root. */
5665
5666 if (!c->user)
5667 return true;
5668
5669 if (streq(c->user, "root") || streq(c->user, "0"))
5670 return true;
5671
5672 return false;
5673}
5674
34cf6c43 5675int exec_context_get_effective_ioprio(const ExecContext *c) {
7f452159
LP		 5676 int p;
5677
5678 assert(c);
5679
5680 if (c->ioprio_set)
5681 return c->ioprio;
5682
5683 p = ioprio_get(IOPRIO_WHO_PROCESS, 0);
5684 if (p < 0)
5685 return IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 4);
5686
5687 return p;
5688}
5689
5e98086d
ZJS		 5690bool exec_context_get_effective_mount_apivfs(const ExecContext *c) {
5691 assert(c);
5692
61198784 5693 /* Explicit setting wins */
5e98086d
ZJS		 5694 if (c->mount_apivfs_set)
5695 return c->mount_apivfs;
5696
61198784 5697 /* Default to "yes" if root directory or image are specified */
74e12520 5698 if (exec_context_with_rootfs(c))
61198784
ZJS		 5699 return true;
5700
5e98086d
ZJS		 5701 return false;
5702}
5703
d3070fbd 5704void exec_context_free_log_extra_fields(ExecContext *c) {
d3070fbd
LP		 5705 assert(c);
5706
5b10116e 5707 for (size_t l = 0; l < c->n_log_extra_fields; l++)
d3070fbd
LP		 5708 free(c->log_extra_fields[l].iov_base);
5709 c->log_extra_fields = mfree(c->log_extra_fields);
5710 c->n_log_extra_fields = 0;
5711}
5712
6f765baf
LP		 5713void exec_context_revert_tty(ExecContext *c) {
5714 int r;
5715
5716 assert(c);
5717
5718 /* First, reset the TTY (possibly kicking everybody else from the TTY) */
5719 exec_context_tty_reset(c, NULL);
5720
5721 /* And then undo what chown_terminal() did earlier. Note that we only do this if we have a path
5722 * configured. If the TTY was passed to us as file descriptor we assume the TTY is opened and managed
5723 * by whoever passed it to us and thus knows better when and how to chmod()/chown() it back. */
5724
5725 if (exec_context_may_touch_tty(c)) {
5726 const char *path;
5727
5728 path = exec_context_tty_path(c);
5729 if (path) {
5730 r = chmod_and_chown(path, TTY_MODE, 0, TTY_GID);
5731 if (r < 0 && r != -ENOENT)
5732 log_warning_errno(r, "Failed to reset TTY ownership/access mode of %s, ignoring: %m", path);
5733 }
5734 }
5735}
5736
4c2f5842
LP		 5737int exec_context_get_clean_directories(
5738 ExecContext *c,
5739 char **prefix,
5740 ExecCleanMask mask,
5741 char ***ret) {
5742
5743 _cleanup_strv_free_ char **l = NULL;
4c2f5842
LP		 5744 int r;
5745
5746 assert(c);
5747 assert(prefix);
5748 assert(ret);
5749
5b10116e 5750 for (ExecDirectoryType t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
4c2f5842
LP		 5751 char **i;
5752
5753 if (!FLAGS_SET(mask, 1U << t))
5754 continue;
5755
5756 if (!prefix[t])
5757 continue;
5758
5759 STRV_FOREACH(i, c->directories[t].paths) {
5760 char *j;
5761
5762 j = path_join(prefix[t], *i);
5763 if (!j)
5764 return -ENOMEM;
5765
5766 r = strv_consume(&l, j);
5767 if (r < 0)
5768 return r;
7f622a19
YW		 5769
5770 /* Also remove private directories unconditionally. */
5771 if (t != EXEC_DIRECTORY_CONFIGURATION) {
5772 j = path_join(prefix[t], "private", *i);
5773 if (!j)
5774 return -ENOMEM;
5775
5776 r = strv_consume(&l, j);
5777 if (r < 0)
5778 return r;
5779 }
4c2f5842
LP		 5780 }
5781 }
5782
5783 *ret = TAKE_PTR(l);
5784 return 0;
5785}
5786
5787int exec_context_get_clean_mask(ExecContext *c, ExecCleanMask *ret) {
5788 ExecCleanMask mask = 0;
5789
5790 assert(c);
5791 assert(ret);
5792
5793 for (ExecDirectoryType t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++)
5794 if (!strv_isempty(c->directories[t].paths))
5795 mask |= 1U << t;
5796
5797 *ret = mask;
5798 return 0;
5799}
5800
b58b4116 5801void exec_status_start(ExecStatus *s, pid_t pid) {
034c6ed7 5802 assert(s);
5cb5a6ff 5803
2ed26ed0
LP		 5804 *s = (ExecStatus) {
5805 .pid = pid,
5806 };
5807
b58b4116
LP		 5808 dual_timestamp_get(&s->start_timestamp);
5809}
5810
34cf6c43 5811void exec_status_exit(ExecStatus *s, const ExecContext *context, pid_t pid, int code, int status) {
b58b4116
LP		 5812 assert(s);
5813
d46b79bb 5814 if (s->pid != pid)
2ed26ed0
LP		 5815 *s = (ExecStatus) {
5816 .pid = pid,
5817 };
b58b4116 5818
63983207 5819 dual_timestamp_get(&s->exit_timestamp);
9fb86720 5820
034c6ed7
LP		 5821 s->code = code;
5822 s->status = status;
169c1bda 5823
6f765baf
LP		 5824 if (context && context->utmp_id)
5825 (void) utmp_put_dead_process(context->utmp_id, pid, code, status);
9fb86720
LP		 5826}
5827
6a1d4d9f
LP		 5828void exec_status_reset(ExecStatus *s) {
5829 assert(s);
5830
5831 *s = (ExecStatus) {};
5832}
5833
34cf6c43 5834void exec_status_dump(const ExecStatus *s, FILE *f, const char *prefix) {
9fb86720
LP		 5835 char buf[FORMAT_TIMESTAMP_MAX];
5836
5837 assert(s);
5838 assert(f);
5839
9fb86720
LP		 5840 if (s->pid <= 0)
5841 return;
5842
4c940960
LP		 5843 prefix = strempty(prefix);
5844
9fb86720 5845 fprintf(f,
ccd06097
ZJS		 5846 "%sPID: "PID_FMT"\n",
5847 prefix, s->pid);
9fb86720 5848
af9d16e1 5849 if (dual_timestamp_is_set(&s->start_timestamp))
9fb86720
LP		 5850 fprintf(f,
5851 "%sStart Timestamp: %s\n",
63983207 5852 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
9fb86720 5853
af9d16e1 5854 if (dual_timestamp_is_set(&s->exit_timestamp))
9fb86720
LP		 5855 fprintf(f,
5856 "%sExit Timestamp: %s\n"
5857 "%sExit Code: %s\n"
5858 "%sExit Status: %i\n",
63983207 5859 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
9fb86720
LP		 5860 prefix, sigchld_code_to_string(s->code),
5861 prefix, s->status);
5cb5a6ff 5862}
44d8db9e 5863
34cf6c43 5864static char *exec_command_line(char **argv) {
44d8db9e
LP		 5865 size_t k;
5866 char *n, *p, **a;
5867 bool first = true;
5868
9e2f7c11 5869 assert(argv);
44d8db9e 5870
9164977d 5871 k = 1;
9e2f7c11 5872 STRV_FOREACH(a, argv)
44d8db9e
LP		 5873 k += strlen(*a)+3;
5874
5cd9cd35
LP		 5875 n = new(char, k);
5876 if (!n)
44d8db9e
LP		 5877 return NULL;
5878
5879 p = n;
9e2f7c11 5880 STRV_FOREACH(a, argv) {
44d8db9e
LP		 5881
5882 if (!first)
5883 *(p++) = ' ';
5884 else
5885 first = false;
5886
5887 if (strpbrk(*a, WHITESPACE)) {
5888 *(p++) = '\'';
5889 p = stpcpy(p, *a);
5890 *(p++) = '\'';
5891 } else
5892 p = stpcpy(p, *a);
5893
5894 }
5895
9164977d
LP		 5896 *p = 0;
5897
44d8db9e
LP		 5898 /* FIXME: this doesn't really handle arguments that have
5899 * spaces and ticks in them */
5900
5901 return n;
5902}
5903
34cf6c43 5904static void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
e1d75803 5905 _cleanup_free_ char *cmd = NULL;
4c940960 5906 const char *prefix2;
44d8db9e
LP		 5907
5908 assert(c);
5909 assert(f);
5910
4c940960 5911 prefix = strempty(prefix);
63c372cb 5912 prefix2 = strjoina(prefix, "\t");
44d8db9e 5913
9e2f7c11 5914 cmd = exec_command_line(c->argv);
44d8db9e
LP		 5915 fprintf(f,
5916 "%sCommand Line: %s\n",
4bbccb02 5917 prefix, cmd ? cmd : strerror_safe(ENOMEM));
44d8db9e 5918
9fb86720 5919 exec_status_dump(&c->exec_status, f, prefix2);
44d8db9e
LP		 5920}
5921
5922void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
5923 assert(f);
5924
4c940960 5925 prefix = strempty(prefix);
44d8db9e
LP		 5926
5927 LIST_FOREACH(command, c, c)
5928 exec_command_dump(c, f, prefix);
5929}
94f04347 5930
a6a80b4f
LP		 5931void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
5932 ExecCommand *end;
5933
5934 assert(l);
5935 assert(e);
5936
5937 if (*l) {
35b8ca3a 5938 /* It's kind of important, that we keep the order here */
71fda00f
LP		 5939 LIST_FIND_TAIL(command, *l, end);
5940 LIST_INSERT_AFTER(command, *l, end, e);
a6a80b4f
LP		 5941 } else
5942 *l = e;
5943}
5944
26fd040d
LP		 5945int exec_command_set(ExecCommand *c, const char *path, ...) {
5946 va_list ap;
5947 char **l, *p;
5948
5949 assert(c);
5950 assert(path);
5951
5952 va_start(ap, path);
5953 l = strv_new_ap(path, ap);
5954 va_end(ap);
5955
5956 if (!l)
5957 return -ENOMEM;
5958
250a918d
LP		 5959 p = strdup(path);
5960 if (!p) {
26fd040d
LP		 5961 strv_free(l);
5962 return -ENOMEM;
5963 }
5964
6897dfe8 5965 free_and_replace(c->path, p);
26fd040d 5966
130d3d22 5967 return strv_free_and_replace(c->argv, l);
26fd040d
LP		 5968}
5969
86b23b07 5970int exec_command_append(ExecCommand *c, const char *path, ...) {
e63ff941 5971 _cleanup_strv_free_ char **l = NULL;
86b23b07 5972 va_list ap;
86b23b07
JS		 5973 int r;
5974
5975 assert(c);
5976 assert(path);
5977
5978 va_start(ap, path);
5979 l = strv_new_ap(path, ap);
5980 va_end(ap);
5981
5982 if (!l)
5983 return -ENOMEM;
5984
e287086b 5985 r = strv_extend_strv(&c->argv, l, false);
e63ff941 5986 if (r < 0)
86b23b07 5987 return r;
86b23b07
JS		 5988
5989 return 0;
5990}
5991
e8a565cb
YW		 5992static void *remove_tmpdir_thread(void *p) {
5993 _cleanup_free_ char *path = p;
86b23b07 5994
e8a565cb
YW		 5995 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
5996 return NULL;
5997}
5998
5999static ExecRuntime* exec_runtime_free(ExecRuntime *rt, bool destroy) {
6000 int r;
6001
6002 if (!rt)
6003 return NULL;
6004
6005 if (rt->manager)
6006 (void) hashmap_remove(rt->manager->exec_runtime_by_id, rt->id);
6007
6008 /* When destroy is true, then rm_rf tmp_dir and var_tmp_dir. */
56a13a49
ZJS		 6009
6010 if (destroy && rt->tmp_dir && !streq(rt->tmp_dir, RUN_SYSTEMD_EMPTY)) {
e8a565cb
YW		 6011 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
6012
6013 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
56a13a49 6014 if (r < 0)
e8a565cb 6015 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
56a13a49
ZJS		 6016 else
6017 rt->tmp_dir = NULL;
e8a565cb 6018 }
613b411c 6019
56a13a49 6020 if (destroy && rt->var_tmp_dir && !streq(rt->var_tmp_dir, RUN_SYSTEMD_EMPTY)) {
e8a565cb
YW		 6021 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
6022
6023 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
56a13a49 6024 if (r < 0)
e8a565cb 6025 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
56a13a49
ZJS		 6026 else
6027 rt->var_tmp_dir = NULL;
e8a565cb
YW		 6028 }
6029
6030 rt->id = mfree(rt->id);
6031 rt->tmp_dir = mfree(rt->tmp_dir);
6032 rt->var_tmp_dir = mfree(rt->var_tmp_dir);
6033 safe_close_pair(rt->netns_storage_socket);
6034 return mfree(rt);
6035}
6036
6037static void exec_runtime_freep(ExecRuntime **rt) {
da6bc6ed 6038 (void) exec_runtime_free(*rt, false);
e8a565cb
YW		 6039}
6040
56a13a49
ZJS		 6041static int exec_runtime_allocate(ExecRuntime **ret, const char *id) {
6042 _cleanup_free_ char *id_copy = NULL;
8e8009dc 6043 ExecRuntime *n;
613b411c 6044
8e8009dc 6045 assert(ret);
613b411c 6046
56a13a49
ZJS		 6047 id_copy = strdup(id);
6048 if (!id_copy)
6049 return -ENOMEM;
6050
8e8009dc
LP		 6051 n = new(ExecRuntime, 1);
6052 if (!n)
613b411c
LP		 6053 return -ENOMEM;
6054
8e8009dc 6055 *n = (ExecRuntime) {
56a13a49 6056 .id = TAKE_PTR(id_copy),
8e8009dc
LP		 6057 .netns_storage_socket = { -1, -1 },
6058 };
6059
6060 *ret = n;
613b411c
LP		 6061 return 0;
6062}
6063
e8a565cb
YW		 6064static int exec_runtime_add(
6065 Manager *m,
6066 const char *id,
56a13a49
ZJS		 6067 char **tmp_dir,
6068 char **var_tmp_dir,
6069 int netns_storage_socket[2],
e8a565cb
YW		 6070 ExecRuntime **ret) {
6071
6072 _cleanup_(exec_runtime_freep) ExecRuntime *rt = NULL;
613b411c
LP		 6073 int r;
6074
e8a565cb 6075 assert(m);
613b411c
LP		 6076 assert(id);
6077
56a13a49
ZJS		 6078 /* tmp_dir, var_tmp_dir, netns_storage_socket fds are donated on success */
6079
56a13a49 6080 r = exec_runtime_allocate(&rt, id);
613b411c
LP		 6081 if (r < 0)
6082 return r;
6083
63083706 6084 r = hashmap_ensure_put(&m->exec_runtime_by_id, &string_hash_ops, rt->id, rt);
56a13a49
ZJS		 6085 if (r < 0)
6086 return r;
e8a565cb 6087
56a13a49
ZJS		 6088 assert(!!rt->tmp_dir == !!rt->var_tmp_dir); /* We require both to be set together */
6089 rt->tmp_dir = TAKE_PTR(*tmp_dir);
6090 rt->var_tmp_dir = TAKE_PTR(*var_tmp_dir);
e8a565cb
YW		 6091
6092 if (netns_storage_socket) {
56a13a49
ZJS		 6093 rt->netns_storage_socket[0] = TAKE_FD(netns_storage_socket[0]);
6094 rt->netns_storage_socket[1] = TAKE_FD(netns_storage_socket[1]);
613b411c
LP		 6095 }
6096
e8a565cb
YW		 6097 rt->manager = m;
6098
6099 if (ret)
6100 *ret = rt;
e8a565cb 6101 /* do not remove created ExecRuntime object when the operation succeeds. */
56a13a49 6102 TAKE_PTR(rt);
e8a565cb
YW		 6103 return 0;
6104}
6105
74aaf59b
LP		 6106static int exec_runtime_make(
6107 Manager *m,
6108 const ExecContext *c,
6109 const char *id,
6110 ExecRuntime **ret) {
6111
56a13a49 6112 _cleanup_(namespace_cleanup_tmpdirp) char *tmp_dir = NULL, *var_tmp_dir = NULL;
2fa3742d 6113 _cleanup_close_pair_ int netns_storage_socket[2] = { -1, -1 };
e8a565cb
YW		 6114 int r;
6115
6116 assert(m);
6117 assert(c);
6118 assert(id);
6119
6120 /* It is not necessary to create ExecRuntime object. */
74aaf59b
LP		 6121 if (!c->private_network && !c->private_tmp && !c->network_namespace_path) {
6122 *ret = NULL;
e8a565cb 6123 return 0;
74aaf59b 6124 }
e8a565cb 6125
efa2f3a1
TM		 6126 if (c->private_tmp &&
6127 !(prefixed_path_strv_contains(c->inaccessible_paths, "/tmp") &&
6128 (prefixed_path_strv_contains(c->inaccessible_paths, "/var/tmp") ||
6129 prefixed_path_strv_contains(c->inaccessible_paths, "/var")))) {
e8a565cb 6130 r = setup_tmp_dirs(id, &tmp_dir, &var_tmp_dir);
613b411c
LP		 6131 if (r < 0)
6132 return r;
6133 }
6134
a8d08f39 6135 if (c->private_network || c->network_namespace_path) {
e8a565cb
YW		 6136 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, netns_storage_socket) < 0)
6137 return -errno;
6138 }
6139
56a13a49 6140 r = exec_runtime_add(m, id, &tmp_dir, &var_tmp_dir, netns_storage_socket, ret);
e8a565cb
YW		 6141 if (r < 0)
6142 return r;
6143
613b411c
LP		 6144 return 1;
6145}
6146
e8a565cb
YW		 6147int exec_runtime_acquire(Manager *m, const ExecContext *c, const char *id, bool create, ExecRuntime **ret) {
6148 ExecRuntime *rt;
6149 int r;
613b411c 6150
e8a565cb
YW		 6151 assert(m);
6152 assert(id);
6153 assert(ret);
6154
6155 rt = hashmap_get(m->exec_runtime_by_id, id);
6156 if (rt)
6157 /* We already have a ExecRuntime object, let's increase the ref count and reuse it */
6158 goto ref;
6159
74aaf59b
LP		 6160 if (!create) {
6161 *ret = NULL;
e8a565cb 6162 return 0;
74aaf59b 6163 }
e8a565cb
YW		 6164
6165 /* If not found, then create a new object. */
6166 r = exec_runtime_make(m, c, id, &rt);
74aaf59b 6167 if (r < 0)
e8a565cb 6168 return r;
74aaf59b
LP		 6169 if (r == 0) {
6170 /* When r == 0, it is not necessary to create ExecRuntime object. */
6171 *ret = NULL;
6172 return 0;
6173 }
613b411c 6174
e8a565cb
YW		 6175ref:
6176 /* increment reference counter. */
6177 rt->n_ref++;
6178 *ret = rt;
6179 return 1;
6180}
613b411c 6181
e8a565cb
YW		 6182ExecRuntime *exec_runtime_unref(ExecRuntime *rt, bool destroy) {
6183 if (!rt)
613b411c
LP		 6184 return NULL;
6185
e8a565cb 6186 assert(rt->n_ref > 0);
613b411c 6187
e8a565cb
YW		 6188 rt->n_ref--;
6189 if (rt->n_ref > 0)
f2341e0a
LP		 6190 return NULL;
6191
e8a565cb 6192 return exec_runtime_free(rt, destroy);
613b411c
LP		 6193}
6194
e8a565cb
YW		 6195int exec_runtime_serialize(const Manager *m, FILE *f, FDSet *fds) {
6196 ExecRuntime *rt;
e8a565cb
YW		 6197
6198 assert(m);
613b411c
LP		 6199 assert(f);
6200 assert(fds);
6201
90e74a66 6202 HASHMAP_FOREACH(rt, m->exec_runtime_by_id) {
e8a565cb 6203 fprintf(f, "exec-runtime=%s", rt->id);
613b411c 6204
e8a565cb
YW		 6205 if (rt->tmp_dir)
6206 fprintf(f, " tmp-dir=%s", rt->tmp_dir);
613b411c 6207
e8a565cb
YW		 6208 if (rt->var_tmp_dir)
6209 fprintf(f, " var-tmp-dir=%s", rt->var_tmp_dir);
613b411c 6210
e8a565cb
YW		 6211 if (rt->netns_storage_socket[0] >= 0) {
6212 int copy;
613b411c 6213
e8a565cb
YW		 6214 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
6215 if (copy < 0)
6216 return copy;
613b411c 6217
e8a565cb
YW		 6218 fprintf(f, " netns-socket-0=%i", copy);
6219 }
613b411c 6220
e8a565cb
YW		 6221 if (rt->netns_storage_socket[1] >= 0) {
6222 int copy;
613b411c 6223
e8a565cb
YW		 6224 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
6225 if (copy < 0)
6226 return copy;
613b411c 6227
e8a565cb
YW		 6228 fprintf(f, " netns-socket-1=%i", copy);
6229 }
6230
6231 fputc('\n', f);
613b411c
LP		 6232 }
6233
6234 return 0;
6235}
6236
e8a565cb
YW		 6237int exec_runtime_deserialize_compat(Unit *u, const char *key, const char *value, FDSet *fds) {
6238 _cleanup_(exec_runtime_freep) ExecRuntime *rt_create = NULL;
6239 ExecRuntime *rt;
613b411c
LP		 6240 int r;
6241
e8a565cb
YW		 6242 /* This is for the migration from old (v237 or earlier) deserialization text.
6243 * Due to the bug #7790, this may not work with the units that use JoinsNamespaceOf=.
6244 * Even if the ExecRuntime object originally created by the other unit, we cannot judge
6245 * so or not from the serialized text, then we always creates a new object owned by this. */
6246
6247 assert(u);
613b411c
LP		 6248 assert(key);
6249 assert(value);
6250
e8a565cb
YW		 6251 /* Manager manages ExecRuntime objects by the unit id.
6252 * So, we omit the serialized text when the unit does not have id (yet?)... */
6253 if (isempty(u->id)) {
6254 log_unit_debug(u, "Invocation ID not found. Dropping runtime parameter.");
6255 return 0;
6256 }
613b411c 6257
e8a565cb
YW		 6258 r = hashmap_ensure_allocated(&u->manager->exec_runtime_by_id, &string_hash_ops);
6259 if (r < 0) {
6260 log_unit_debug_errno(u, r, "Failed to allocate storage for runtime parameter: %m");
6261 return 0;
6262 }
6263
6264 rt = hashmap_get(u->manager->exec_runtime_by_id, u->id);
6265 if (!rt) {
56a13a49 6266 r = exec_runtime_allocate(&rt_create, u->id);
613b411c 6267 if (r < 0)
f2341e0a 6268 return log_oom();
613b411c 6269
e8a565cb
YW		 6270 rt = rt_create;
6271 }
6272
6273 if (streq(key, "tmp-dir")) {
6274 char *copy;
6275
613b411c
LP		 6276 copy = strdup(value);
6277 if (!copy)
6278 return log_oom();
6279
e8a565cb 6280 free_and_replace(rt->tmp_dir, copy);
613b411c
LP		 6281
6282 } else if (streq(key, "var-tmp-dir")) {
6283 char *copy;
6284
613b411c
LP		 6285 copy = strdup(value);
6286 if (!copy)
6287 return log_oom();
6288
e8a565cb 6289 free_and_replace(rt->var_tmp_dir, copy);
613b411c
LP		 6290
6291 } else if (streq(key, "netns-socket-0")) {
6292 int fd;
6293
e8a565cb 6294 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd)) {
f2341e0a 6295 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
e8a565cb 6296 return 0;
613b411c 6297 }
e8a565cb
YW		 6298
6299 safe_close(rt->netns_storage_socket[0]);
6300 rt->netns_storage_socket[0] = fdset_remove(fds, fd);
6301
613b411c
LP		 6302 } else if (streq(key, "netns-socket-1")) {
6303 int fd;
6304
e8a565cb 6305 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd)) {
f2341e0a 6306 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
e8a565cb 6307 return 0;
613b411c 6308 }
e8a565cb
YW		 6309
6310 safe_close(rt->netns_storage_socket[1]);
6311 rt->netns_storage_socket[1] = fdset_remove(fds, fd);
613b411c
LP		 6312 } else
6313 return 0;
6314
e8a565cb
YW		 6315 /* If the object is newly created, then put it to the hashmap which manages ExecRuntime objects. */
6316 if (rt_create) {
6317 r = hashmap_put(u->manager->exec_runtime_by_id, rt_create->id, rt_create);
6318 if (r < 0) {
3fe91079 6319 log_unit_debug_errno(u, r, "Failed to put runtime parameter to manager's storage: %m");
e8a565cb
YW		 6320 return 0;
6321 }
613b411c 6322
e8a565cb 6323 rt_create->manager = u->manager;
613b411c 6324
e8a565cb 6325 /* Avoid cleanup */
56a13a49 6326 TAKE_PTR(rt_create);
e8a565cb 6327 }
98b47d54 6328
e8a565cb
YW		 6329 return 1;
6330}
613b411c 6331
56a13a49
ZJS		 6332int exec_runtime_deserialize_one(Manager *m, const char *value, FDSet *fds) {
6333 _cleanup_free_ char *tmp_dir = NULL, *var_tmp_dir = NULL;
6334 char *id = NULL;
6335 int r, fdpair[] = {-1, -1};
e8a565cb
YW		 6336 const char *p, *v = value;
6337 size_t n;
613b411c 6338
e8a565cb
YW		 6339 assert(m);
6340 assert(value);
6341 assert(fds);
98b47d54 6342
e8a565cb
YW		 6343 n = strcspn(v, " ");
6344 id = strndupa(v, n);
6345 if (v[n] != ' ')
6346 goto finalize;
6347 p = v + n + 1;
6348
6349 v = startswith(p, "tmp-dir=");
6350 if (v) {
6351 n = strcspn(v, " ");
56a13a49
ZJS		 6352 tmp_dir = strndup(v, n);
6353 if (!tmp_dir)
6354 return log_oom();
e8a565cb
YW		 6355 if (v[n] != ' ')
6356 goto finalize;
6357 p = v + n + 1;
6358 }
6359
6360 v = startswith(p, "var-tmp-dir=");
6361 if (v) {
6362 n = strcspn(v, " ");
56a13a49
ZJS		 6363 var_tmp_dir = strndup(v, n);
6364 if (!var_tmp_dir)
6365 return log_oom();
e8a565cb
YW		 6366 if (v[n] != ' ')
6367 goto finalize;
6368 p = v + n + 1;
6369 }
6370
6371 v = startswith(p, "netns-socket-0=");
6372 if (v) {
6373 char *buf;
6374
6375 n = strcspn(v, " ");
6376 buf = strndupa(v, n);
c413bb28
ZJS		 6377
6378 r = safe_atoi(buf, &fdpair[0]);
6379 if (r < 0)
6380 return log_debug_errno(r, "Unable to parse exec-runtime specification netns-socket-0=%s: %m", buf);
6381 if (!fdset_contains(fds, fdpair[0]))
6382 return log_debug_errno(SYNTHETIC_ERRNO(EBADF),
6383 "exec-runtime specification netns-socket-0= refers to unknown fd %d: %m", fdpair[0]);
56a13a49 6384 fdpair[0] = fdset_remove(fds, fdpair[0]);
e8a565cb
YW		 6385 if (v[n] != ' ')
6386 goto finalize;
6387 p = v + n + 1;
613b411c
LP		 6388 }
6389
e8a565cb
YW		 6390 v = startswith(p, "netns-socket-1=");
6391 if (v) {
6392 char *buf;
98b47d54 6393
e8a565cb
YW		 6394 n = strcspn(v, " ");
6395 buf = strndupa(v, n);
c413bb28
ZJS		 6396 r = safe_atoi(buf, &fdpair[1]);
6397 if (r < 0)
6398 return log_debug_errno(r, "Unable to parse exec-runtime specification netns-socket-1=%s: %m", buf);
f5fa352f 6399 if (!fdset_contains(fds, fdpair[1]))
c413bb28
ZJS		 6400 return log_debug_errno(SYNTHETIC_ERRNO(EBADF),
6401 "exec-runtime specification netns-socket-1= refers to unknown fd %d: %m", fdpair[1]);
56a13a49 6402 fdpair[1] = fdset_remove(fds, fdpair[1]);
e8a565cb 6403 }
98b47d54 6404
e8a565cb 6405finalize:
56a13a49 6406 r = exec_runtime_add(m, id, &tmp_dir, &var_tmp_dir, fdpair, NULL);
7d853ca6 6407 if (r < 0)
56a13a49
ZJS		 6408 return log_debug_errno(r, "Failed to add exec-runtime: %m");
6409 return 0;
e8a565cb 6410}
613b411c 6411
e8a565cb
YW		 6412void exec_runtime_vacuum(Manager *m) {
6413 ExecRuntime *rt;
e8a565cb
YW		 6414
6415 assert(m);
6416
6417 /* Free unreferenced ExecRuntime objects. This is used after manager deserialization process. */
6418
90e74a66 6419 HASHMAP_FOREACH(rt, m->exec_runtime_by_id) {
e8a565cb
YW		 6420 if (rt->n_ref > 0)
6421 continue;
6422
6423 (void) exec_runtime_free(rt, false);
6424 }
613b411c
LP		 6425}
6426
b9c04eaf
YW		 6427void exec_params_clear(ExecParameters *p) {
6428 if (!p)
6429 return;
6430
c3f8a065
LP		 6431 p->environment = strv_free(p->environment);
6432 p->fd_names = strv_free(p->fd_names);
6433 p->fds = mfree(p->fds);
6434 p->exec_fd = safe_close(p->exec_fd);
b9c04eaf
YW		 6435}
6436
bb0c0d6f
LP		 6437ExecSetCredential *exec_set_credential_free(ExecSetCredential *sc) {
6438 if (!sc)
6439 return NULL;
6440
6441 free(sc->id);
6442 free(sc->data);
6443 return mfree(sc);
6444}
6445
6446DEFINE_HASH_OPS_WITH_VALUE_DESTRUCTOR(exec_set_credential_hash_ops, char, string_hash_func, string_compare_func, ExecSetCredential, exec_set_credential_free);
6447
80876c20
LP		 6448static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
6449 [EXEC_INPUT_NULL] = "null",
6450 [EXEC_INPUT_TTY] = "tty",
6451 [EXEC_INPUT_TTY_FORCE] = "tty-force",
4f2d528d 6452 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
52c239d7
LB		 6453 [EXEC_INPUT_SOCKET] = "socket",
6454 [EXEC_INPUT_NAMED_FD] = "fd",
08f3be7a 6455 [EXEC_INPUT_DATA] = "data",
2038c3f5 6456 [EXEC_INPUT_FILE] = "file",
80876c20
LP		 6457};
6458
8a0867d6
LP		 6459DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
6460
94f04347 6461static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
80876c20 6462 [EXEC_OUTPUT_INHERIT] = "inherit",
94f04347 6463 [EXEC_OUTPUT_NULL] = "null",
80876c20 6464 [EXEC_OUTPUT_TTY] = "tty",
9a6bca7a 6465 [EXEC_OUTPUT_KMSG] = "kmsg",
28dbc1e8 6466 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
706343f4
LP		 6467 [EXEC_OUTPUT_JOURNAL] = "journal",
6468 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
52c239d7
LB		 6469 [EXEC_OUTPUT_SOCKET] = "socket",
6470 [EXEC_OUTPUT_NAMED_FD] = "fd",
2038c3f5 6471 [EXEC_OUTPUT_FILE] = "file",
566b7d23 6472 [EXEC_OUTPUT_FILE_APPEND] = "append",
8d7dab1f 6473 [EXEC_OUTPUT_FILE_TRUNCATE] = "truncate",
94f04347
LP		 6474};
6475
6476DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
023a4f67
LP		 6477
6478static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
6479 [EXEC_UTMP_INIT] = "init",
6480 [EXEC_UTMP_LOGIN] = "login",
6481 [EXEC_UTMP_USER] = "user",
6482};
6483
6484DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
53f47dfc
YW		 6485
6486static const char* const exec_preserve_mode_table[_EXEC_PRESERVE_MODE_MAX] = {
6487 [EXEC_PRESERVE_NO] = "no",
6488 [EXEC_PRESERVE_YES] = "yes",
6489 [EXEC_PRESERVE_RESTART] = "restart",
6490};
6491
6492DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(exec_preserve_mode, ExecPreserveMode, EXEC_PRESERVE_YES);
3536f49e 6493
6b7b2ed9 6494/* This table maps ExecDirectoryType to the setting it is configured with in the unit */
72fd1768 6495static const char* const exec_directory_type_table[_EXEC_DIRECTORY_TYPE_MAX] = {
3536f49e
YW		 6496 [EXEC_DIRECTORY_RUNTIME] = "RuntimeDirectory",
6497 [EXEC_DIRECTORY_STATE] = "StateDirectory",
6498 [EXEC_DIRECTORY_CACHE] = "CacheDirectory",
6499 [EXEC_DIRECTORY_LOGS] = "LogsDirectory",
6500 [EXEC_DIRECTORY_CONFIGURATION] = "ConfigurationDirectory",
6501};
6502
6503DEFINE_STRING_TABLE_LOOKUP(exec_directory_type, ExecDirectoryType);
b1edf445 6504
6b7b2ed9
LP		 6505/* And this table maps ExecDirectoryType too, but to a generic term identifying the type of resource. This
6506 * one is supposed to be generic enough to be used for unit types that don't use ExecContext and per-unit
6507 * directories, specifically .timer units with their timestamp touch file. */
6508static const char* const exec_resource_type_table[_EXEC_DIRECTORY_TYPE_MAX] = {
6509 [EXEC_DIRECTORY_RUNTIME] = "runtime",
6510 [EXEC_DIRECTORY_STATE] = "state",
6511 [EXEC_DIRECTORY_CACHE] = "cache",
6512 [EXEC_DIRECTORY_LOGS] = "logs",
6513 [EXEC_DIRECTORY_CONFIGURATION] = "configuration",
6514};
6515
6516DEFINE_STRING_TABLE_LOOKUP(exec_resource_type, ExecDirectoryType);
6517
6518/* And this table also maps ExecDirectoryType, to the environment variable we pass the selected directory to
6519 * the service payload in. */
fb2042dd
YW		 6520static const char* const exec_directory_env_name_table[_EXEC_DIRECTORY_TYPE_MAX] = {
6521 [EXEC_DIRECTORY_RUNTIME] = "RUNTIME_DIRECTORY",
6522 [EXEC_DIRECTORY_STATE] = "STATE_DIRECTORY",
6523 [EXEC_DIRECTORY_CACHE] = "CACHE_DIRECTORY",
6524 [EXEC_DIRECTORY_LOGS] = "LOGS_DIRECTORY",
6525 [EXEC_DIRECTORY_CONFIGURATION] = "CONFIGURATION_DIRECTORY",
6526};
6527
6528DEFINE_PRIVATE_STRING_TABLE_LOOKUP_TO_STRING(exec_directory_env_name, ExecDirectoryType);
6529
b1edf445
LP		 6530static const char* const exec_keyring_mode_table[_EXEC_KEYRING_MODE_MAX] = {
6531 [EXEC_KEYRING_INHERIT] = "inherit",
6532 [EXEC_KEYRING_PRIVATE] = "private",
6533 [EXEC_KEYRING_SHARED] = "shared",
6534};
6535
6536DEFINE_STRING_TABLE_LOOKUP(exec_keyring_mode, ExecKeyringMode);
Unnamed repository; edit this file 'description' to name the repository.