]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/core/execute.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
util-lib: [static] array argument sizes are apparently not OK for NULL parameters
[thirdparty/systemd.git] / src / core / execute.c
CommitLineData
53e1b683 1/* SPDX-License-Identifier: LGPL-2.1+ */
a7334b09 2
034c6ed7
LP		 3#include <errno.h>
4#include <fcntl.h>
8dd4c05b
LP		 5#include <glob.h>
6#include <grp.h>
7#include <poll.h>
309bff19 8#include <signal.h>
8dd4c05b 9#include <string.h>
19c0b0b9 10#include <sys/capability.h>
d251207d 11#include <sys/eventfd.h>
f3e43635 12#include <sys/mman.h>
8dd4c05b 13#include <sys/personality.h>
94f04347 14#include <sys/prctl.h>
d2ffa389 15#include <sys/shm.h>
8dd4c05b 16#include <sys/socket.h>
451a074f 17#include <sys/stat.h>
d2ffa389 18#include <sys/types.h>
8dd4c05b
LP		 19#include <sys/un.h>
20#include <unistd.h>
023a4f67 21#include <utmpx.h>
5cb5a6ff 22
349cc4a5 23#if HAVE_PAM
5b6319dc
LP		 24#include <security/pam_appl.h>
25#endif
26
349cc4a5 27#if HAVE_SELINUX
7b52a628
MS		 28#include <selinux/selinux.h>
29#endif
30
349cc4a5 31#if HAVE_SECCOMP
17df7223
LP		 32#include <seccomp.h>
33#endif
34
349cc4a5 35#if HAVE_APPARMOR
eef65bf3
MS		 36#include <sys/apparmor.h>
37#endif
38
24882e06 39#include "sd-messages.h"
8dd4c05b
LP		 40
41#include "af-list.h"
b5efdb8a 42#include "alloc-util.h"
349cc4a5 43#if HAVE_APPARMOR
3ffd4af2
LP		 44#include "apparmor-util.h"
45#endif
8dd4c05b
LP		 46#include "async.h"
47#include "barrier.h"
8dd4c05b 48#include "cap-list.h"
430f0182 49#include "capability-util.h"
a1164ae3 50#include "chown-recursive.h"
da681e1b 51#include "cpu-set-util.h"
f6a6225e 52#include "def.h"
686d13b9 53#include "env-file.h"
4d1a6904 54#include "env-util.h"
17df7223 55#include "errno-list.h"
3ffd4af2 56#include "execute.h"
8dd4c05b 57#include "exit-status.h"
3ffd4af2 58#include "fd-util.h"
f97b34a6 59#include "format-util.h"
f4f15635 60#include "fs-util.h"
7d50b32a 61#include "glob-util.h"
c004493c 62#include "io-util.h"
8dd4c05b 63#include "ioprio.h"
a1164ae3 64#include "label.h"
8dd4c05b
LP		 65#include "log.h"
66#include "macro.h"
e8a565cb 67#include "manager.h"
0a970718 68#include "memory-util.h"
8dd4c05b
LP		 69#include "missing.h"
70#include "mkdir.h"
71#include "namespace.h"
6bedfcbb 72#include "parse-util.h"
8dd4c05b 73#include "path-util.h"
0b452006 74#include "process-util.h"
78f22b97 75#include "rlimit-util.h"
8dd4c05b 76#include "rm-rf.h"
349cc4a5 77#if HAVE_SECCOMP
3ffd4af2
LP		 78#include "seccomp-util.h"
79#endif
07d46372 80#include "securebits-util.h"
8dd4c05b 81#include "selinux-util.h"
24882e06 82#include "signal-util.h"
8dd4c05b 83#include "smack-util.h"
57b7a260 84#include "socket-util.h"
fd63e712 85#include "special.h"
949befd3 86#include "stat-util.h"
8b43440b 87#include "string-table.h"
07630cea 88#include "string-util.h"
8dd4c05b 89#include "strv.h"
7ccbd1ae 90#include "syslog-util.h"
8dd4c05b 91#include "terminal-util.h"
566b7d23 92#include "umask-util.h"
8dd4c05b 93#include "unit.h"
b1d4f8e1 94#include "user-util.h"
8dd4c05b 95#include "utmp-wtmp.h"
5cb5a6ff 96
e056b01d 97#define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
31a7eb86 98#define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
e6a26745 99
531dca78
LP		 100#define SNDBUF_SIZE (8*1024*1024)
101
da6053d0 102static int shift_fds(int fds[], size_t n_fds) {
034c6ed7
LP		 103 int start, restart_from;
104
105 if (n_fds <= 0)
106 return 0;
107
a0d40ac5
LP		 108 /* Modifies the fds array! (sorts it) */
109
034c6ed7
LP		 110 assert(fds);
111
112 start = 0;
113 for (;;) {
114 int i;
115
116 restart_from = -1;
117
118 for (i = start; i < (int) n_fds; i++) {
119 int nfd;
120
121 /* Already at right index? */
122 if (fds[i] == i+3)
123 continue;
124
3cc2aff1
LP		 125 nfd = fcntl(fds[i], F_DUPFD, i + 3);
126 if (nfd < 0)
034c6ed7
LP		 127 return -errno;
128
03e334a1 129 safe_close(fds[i]);
034c6ed7
LP		 130 fds[i] = nfd;
131
132 /* Hmm, the fd we wanted isn't free? Then
ee33e53a 133 * let's remember that and try again from here */
034c6ed7
LP		 134 if (nfd != i+3 && restart_from < 0)
135 restart_from = i;
136 }
137
138 if (restart_from < 0)
139 break;
140
141 start = restart_from;
142 }
143
144 return 0;
145}
146
25b583d7 147static int flags_fds(const int fds[], size_t n_socket_fds, size_t n_storage_fds, bool nonblock) {
da6053d0 148 size_t i, n_fds;
e2c76839 149 int r;
47a71eed 150
25b583d7 151 n_fds = n_socket_fds + n_storage_fds;
47a71eed
LP		 152 if (n_fds <= 0)
153 return 0;
154
155 assert(fds);
156
9b141911
FB		 157 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags.
158 * O_NONBLOCK only applies to socket activation though. */
47a71eed
LP		 159
160 for (i = 0; i < n_fds; i++) {
47a71eed 161
9b141911
FB		 162 if (i < n_socket_fds) {
163 r = fd_nonblock(fds[i], nonblock);
164 if (r < 0)
165 return r;
166 }
47a71eed 167
451a074f
LP		 168 /* We unconditionally drop FD_CLOEXEC from the fds,
169 * since after all we want to pass these fds to our
170 * children */
47a71eed 171
3cc2aff1
LP		 172 r = fd_cloexec(fds[i], false);
173 if (r < 0)
e2c76839 174 return r;
47a71eed
LP		 175 }
176
177 return 0;
178}
179
1e22b5cd 180static const char *exec_context_tty_path(const ExecContext *context) {
80876c20
LP		 181 assert(context);
182
1e22b5cd
LP		 183 if (context->stdio_as_fds)
184 return NULL;
185
80876c20
LP		 186 if (context->tty_path)
187 return context->tty_path;
188
189 return "/dev/console";
190}
191
1e22b5cd
LP		 192static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
193 const char *path;
194
6ea832a2
LP		 195 assert(context);
196
1e22b5cd 197 path = exec_context_tty_path(context);
6ea832a2 198
1e22b5cd
LP		 199 if (context->tty_vhangup) {
200 if (p && p->stdin_fd >= 0)
201 (void) terminal_vhangup_fd(p->stdin_fd);
202 else if (path)
203 (void) terminal_vhangup(path);
204 }
6ea832a2 205
1e22b5cd
LP		 206 if (context->tty_reset) {
207 if (p && p->stdin_fd >= 0)
208 (void) reset_terminal_fd(p->stdin_fd, true);
209 else if (path)
210 (void) reset_terminal(path);
211 }
212
213 if (context->tty_vt_disallocate && path)
214 (void) vt_disallocate(path);
6ea832a2
LP		 215}
216
6af760f3
LP		 217static bool is_terminal_input(ExecInput i) {
218 return IN_SET(i,
219 EXEC_INPUT_TTY,
220 EXEC_INPUT_TTY_FORCE,
221 EXEC_INPUT_TTY_FAIL);
222}
223
3a1286b6 224static bool is_terminal_output(ExecOutput o) {
6af760f3
LP		 225 return IN_SET(o,
226 EXEC_OUTPUT_TTY,
227 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
228 EXEC_OUTPUT_KMSG_AND_CONSOLE,
229 EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
230}
231
aac8c0c3
LP		 232static bool is_syslog_output(ExecOutput o) {
233 return IN_SET(o,
234 EXEC_OUTPUT_SYSLOG,
235 EXEC_OUTPUT_SYSLOG_AND_CONSOLE);
236}
237
238static bool is_kmsg_output(ExecOutput o) {
239 return IN_SET(o,
240 EXEC_OUTPUT_KMSG,
241 EXEC_OUTPUT_KMSG_AND_CONSOLE);
242}
243
6af760f3
LP		 244static bool exec_context_needs_term(const ExecContext *c) {
245 assert(c);
246
247 /* Return true if the execution context suggests we should set $TERM to something useful. */
248
249 if (is_terminal_input(c->std_input))
250 return true;
251
252 if (is_terminal_output(c->std_output))
253 return true;
254
255 if (is_terminal_output(c->std_error))
256 return true;
257
258 return !!c->tty_path;
3a1286b6
MS		 259}
260
80876c20 261static int open_null_as(int flags, int nfd) {
046a82c1 262 int fd;
071830ff 263
80876c20 264 assert(nfd >= 0);
071830ff 265
613b411c
LP		 266 fd = open("/dev/null", flags|O_NOCTTY);
267 if (fd < 0)
071830ff
LP		 268 return -errno;
269
046a82c1 270 return move_fd(fd, nfd, false);
071830ff
LP		 271}
272
524daa8c 273static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
92a17af9 274 static const union sockaddr_union sa = {
b92bea5d
ZJS		 275 .un.sun_family = AF_UNIX,
276 .un.sun_path = "/run/systemd/journal/stdout",
277 };
524daa8c
ZJS		 278 uid_t olduid = UID_INVALID;
279 gid_t oldgid = GID_INVALID;
280 int r;
281
cad93f29 282 if (gid_is_valid(gid)) {
524daa8c
ZJS		 283 oldgid = getgid();
284
92a17af9 285 if (setegid(gid) < 0)
524daa8c
ZJS		 286 return -errno;
287 }
288
cad93f29 289 if (uid_is_valid(uid)) {
524daa8c
ZJS		 290 olduid = getuid();
291
92a17af9 292 if (seteuid(uid) < 0) {
524daa8c
ZJS		 293 r = -errno;
294 goto restore_gid;
295 }
296 }
297
92a17af9 298 r = connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un)) < 0 ? -errno : 0;
524daa8c
ZJS		 299
300 /* If we fail to restore the uid or gid, things will likely
301 fail later on. This should only happen if an LSM interferes. */
302
cad93f29 303 if (uid_is_valid(uid))
524daa8c
ZJS		 304 (void) seteuid(olduid);
305
306 restore_gid:
cad93f29 307 if (gid_is_valid(gid))
524daa8c
ZJS		 308 (void) setegid(oldgid);
309
310 return r;
311}
312
fd1f9c89 313static int connect_logger_as(
34cf6c43 314 const Unit *unit,
fd1f9c89 315 const ExecContext *context,
af635cf3 316 const ExecParameters *params,
fd1f9c89
LP		 317 ExecOutput output,
318 const char *ident,
fd1f9c89
LP		 319 int nfd,
320 uid_t uid,
321 gid_t gid) {
322
2ac1ff68
EV		 323 _cleanup_close_ int fd = -1;
324 int r;
071830ff
LP		 325
326 assert(context);
af635cf3 327 assert(params);
80876c20
LP		 328 assert(output < _EXEC_OUTPUT_MAX);
329 assert(ident);
330 assert(nfd >= 0);
071830ff 331
54fe0cdb
LP		 332 fd = socket(AF_UNIX, SOCK_STREAM, 0);
333 if (fd < 0)
80876c20 334 return -errno;
071830ff 335
524daa8c
ZJS		 336 r = connect_journal_socket(fd, uid, gid);
337 if (r < 0)
338 return r;
071830ff 339
2ac1ff68 340 if (shutdown(fd, SHUT_RD) < 0)
80876c20 341 return -errno;
071830ff 342
fd1f9c89 343 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
531dca78 344
2ac1ff68 345 if (dprintf(fd,
62bca2c6 346 "%s\n"
80876c20
LP		 347 "%s\n"
348 "%i\n"
54fe0cdb
LP		 349 "%i\n"
350 "%i\n"
351 "%i\n"
4f4a1dbf 352 "%i\n",
c867611e 353 context->syslog_identifier ?: ident,
af635cf3 354 params->flags & EXEC_PASS_LOG_UNIT ? unit->id : "",
54fe0cdb
LP		 355 context->syslog_priority,
356 !!context->syslog_level_prefix,
aac8c0c3
LP		 357 is_syslog_output(output),
358 is_kmsg_output(output),
2ac1ff68
EV		 359 is_terminal_output(output)) < 0)
360 return -errno;
80876c20 361
2ac1ff68 362 return move_fd(TAKE_FD(fd), nfd, false);
80876c20 363}
2ac1ff68 364
3a274a21 365static int open_terminal_as(const char *path, int flags, int nfd) {
046a82c1 366 int fd;
071830ff 367
80876c20
LP		 368 assert(path);
369 assert(nfd >= 0);
fd1f9c89 370
3a274a21 371 fd = open_terminal(path, flags | O_NOCTTY);
3cc2aff1 372 if (fd < 0)
80876c20 373 return fd;
071830ff 374
046a82c1 375 return move_fd(fd, nfd, false);
80876c20 376}
071830ff 377
2038c3f5 378static int acquire_path(const char *path, int flags, mode_t mode) {
15a3e96f
LP		 379 union sockaddr_union sa = {};
380 _cleanup_close_ int fd = -1;
381 int r, salen;
071830ff 382
80876c20 383 assert(path);
071830ff 384
2038c3f5
LP		 385 if (IN_SET(flags & O_ACCMODE, O_WRONLY, O_RDWR))
386 flags |= O_CREAT;
387
388 fd = open(path, flags|O_NOCTTY, mode);
389 if (fd >= 0)
15a3e96f 390 return TAKE_FD(fd);
071830ff 391
2038c3f5
LP		 392 if (errno != ENXIO) /* ENXIO is returned when we try to open() an AF_UNIX file system socket on Linux */
393 return -errno;
15a3e96f 394 if (strlen(path) >= sizeof(sa.un.sun_path)) /* Too long, can't be a UNIX socket */
2038c3f5
LP		 395 return -ENXIO;
396
397 /* So, it appears the specified path could be an AF_UNIX socket. Let's see if we can connect to it. */
398
399 fd = socket(AF_UNIX, SOCK_STREAM, 0);
400 if (fd < 0)
401 return -errno;
402
15a3e96f
LP		 403 salen = sockaddr_un_set_path(&sa.un, path);
404 if (salen < 0)
405 return salen;
406
407 if (connect(fd, &sa.sa, salen) < 0)
2038c3f5
LP		 408 return errno == EINVAL ? -ENXIO : -errno; /* Propagate initial error if we get EINVAL, i.e. we have
409 * indication that his wasn't an AF_UNIX socket after all */
071830ff 410
2038c3f5
LP		 411 if ((flags & O_ACCMODE) == O_RDONLY)
412 r = shutdown(fd, SHUT_WR);
413 else if ((flags & O_ACCMODE) == O_WRONLY)
414 r = shutdown(fd, SHUT_RD);
415 else
15a3e96f
LP		 416 return TAKE_FD(fd);
417 if (r < 0)
2038c3f5 418 return -errno;
2038c3f5 419
15a3e96f 420 return TAKE_FD(fd);
80876c20 421}
071830ff 422
08f3be7a
LP		 423static int fixup_input(
424 const ExecContext *context,
425 int socket_fd,
426 bool apply_tty_stdin) {
427
428 ExecInput std_input;
429
430 assert(context);
431
432 std_input = context->std_input;
1e3ad081
LP		 433
434 if (is_terminal_input(std_input) && !apply_tty_stdin)
435 return EXEC_INPUT_NULL;
071830ff 436
03fd9c49 437 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 438 return EXEC_INPUT_NULL;
439
08f3be7a
LP		 440 if (std_input == EXEC_INPUT_DATA && context->stdin_data_size == 0)
441 return EXEC_INPUT_NULL;
442
03fd9c49 443 return std_input;
4f2d528d
LP		 444}
445
03fd9c49 446static int fixup_output(ExecOutput std_output, int socket_fd) {
4f2d528d 447
03fd9c49 448 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 449 return EXEC_OUTPUT_INHERIT;
450
03fd9c49 451 return std_output;
4f2d528d
LP		 452}
453
a34ceba6
LP		 454static int setup_input(
455 const ExecContext *context,
456 const ExecParameters *params,
52c239d7
LB		 457 int socket_fd,
458 int named_iofds[3]) {
a34ceba6 459
4f2d528d
LP		 460 ExecInput i;
461
462 assert(context);
a34ceba6
LP		 463 assert(params);
464
465 if (params->stdin_fd >= 0) {
466 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
467 return -errno;
468
469 /* Try to make this the controlling tty, if it is a tty, and reset it */
1fb0682e
LP		 470 if (isatty(STDIN_FILENO)) {
471 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
472 (void) reset_terminal_fd(STDIN_FILENO, true);
473 }
a34ceba6
LP		 474
475 return STDIN_FILENO;
476 }
4f2d528d 477
08f3be7a 478 i = fixup_input(context, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
4f2d528d
LP		 479
480 switch (i) {
071830ff 481
80876c20
LP		 482 case EXEC_INPUT_NULL:
483 return open_null_as(O_RDONLY, STDIN_FILENO);
484
485 case EXEC_INPUT_TTY:
486 case EXEC_INPUT_TTY_FORCE:
487 case EXEC_INPUT_TTY_FAIL: {
046a82c1 488 int fd;
071830ff 489
1e22b5cd 490 fd = acquire_terminal(exec_context_tty_path(context),
8854d795
LP		 491 i == EXEC_INPUT_TTY_FAIL ? ACQUIRE_TERMINAL_TRY :
492 i == EXEC_INPUT_TTY_FORCE ? ACQUIRE_TERMINAL_FORCE :
493 ACQUIRE_TERMINAL_WAIT,
3a43da28 494 USEC_INFINITY);
970edce6 495 if (fd < 0)
80876c20
LP		 496 return fd;
497
046a82c1 498 return move_fd(fd, STDIN_FILENO, false);
80876c20
LP		 499 }
500
4f2d528d 501 case EXEC_INPUT_SOCKET:
e75a9ed1
LP		 502 assert(socket_fd >= 0);
503
4f2d528d
LP		 504 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
505
52c239d7 506 case EXEC_INPUT_NAMED_FD:
e75a9ed1
LP		 507 assert(named_iofds[STDIN_FILENO] >= 0);
508
52c239d7
LB		 509 (void) fd_nonblock(named_iofds[STDIN_FILENO], false);
510 return dup2(named_iofds[STDIN_FILENO], STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
511
08f3be7a
LP		 512 case EXEC_INPUT_DATA: {
513 int fd;
514
515 fd = acquire_data_fd(context->stdin_data, context->stdin_data_size, 0);
516 if (fd < 0)
517 return fd;
518
519 return move_fd(fd, STDIN_FILENO, false);
520 }
521
2038c3f5
LP		 522 case EXEC_INPUT_FILE: {
523 bool rw;
524 int fd;
525
526 assert(context->stdio_file[STDIN_FILENO]);
527
528 rw = (context->std_output == EXEC_OUTPUT_FILE && streq_ptr(context->stdio_file[STDIN_FILENO], context->stdio_file[STDOUT_FILENO])) ||
529 (context->std_error == EXEC_OUTPUT_FILE && streq_ptr(context->stdio_file[STDIN_FILENO], context->stdio_file[STDERR_FILENO]));
530
531 fd = acquire_path(context->stdio_file[STDIN_FILENO], rw ? O_RDWR : O_RDONLY, 0666 & ~context->umask);
532 if (fd < 0)
533 return fd;
534
535 return move_fd(fd, STDIN_FILENO, false);
536 }
537
80876c20
LP		 538 default:
539 assert_not_reached("Unknown input type");
540 }
541}
542
41fc585a
LP		 543static bool can_inherit_stderr_from_stdout(
544 const ExecContext *context,
545 ExecOutput o,
546 ExecOutput e) {
547
548 assert(context);
549
550 /* Returns true, if given the specified STDERR and STDOUT output we can directly dup() the stdout fd to the
551 * stderr fd */
552
553 if (e == EXEC_OUTPUT_INHERIT)
554 return true;
555 if (e != o)
556 return false;
557
558 if (e == EXEC_OUTPUT_NAMED_FD)
559 return streq_ptr(context->stdio_fdname[STDOUT_FILENO], context->stdio_fdname[STDERR_FILENO]);
560
561 if (IN_SET(e, EXEC_OUTPUT_FILE, EXEC_OUTPUT_FILE_APPEND))
562 return streq_ptr(context->stdio_file[STDOUT_FILENO], context->stdio_file[STDERR_FILENO]);
563
564 return true;
565}
566
a34ceba6 567static int setup_output(
34cf6c43 568 const Unit *unit,
a34ceba6
LP		 569 const ExecContext *context,
570 const ExecParameters *params,
571 int fileno,
572 int socket_fd,
52c239d7 573 int named_iofds[3],
a34ceba6 574 const char *ident,
7bce046b
LP		 575 uid_t uid,
576 gid_t gid,
577 dev_t *journal_stream_dev,
578 ino_t *journal_stream_ino) {
a34ceba6 579
4f2d528d
LP		 580 ExecOutput o;
581 ExecInput i;
47c1d80d 582 int r;
4f2d528d 583
f2341e0a 584 assert(unit);
80876c20 585 assert(context);
a34ceba6 586 assert(params);
80876c20 587 assert(ident);
7bce046b
LP		 588 assert(journal_stream_dev);
589 assert(journal_stream_ino);
80876c20 590
a34ceba6
LP		 591 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
592
593 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
594 return -errno;
595
596 return STDOUT_FILENO;
597 }
598
599 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
600 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
601 return -errno;
602
603 return STDERR_FILENO;
604 }
605
08f3be7a 606 i = fixup_input(context, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
03fd9c49 607 o = fixup_output(context->std_output, socket_fd);
4f2d528d 608
eb17e935
MS		 609 if (fileno == STDERR_FILENO) {
610 ExecOutput e;
611 e = fixup_output(context->std_error, socket_fd);
80876c20 612
eb17e935
MS		 613 /* This expects the input and output are already set up */
614
615 /* Don't change the stderr file descriptor if we inherit all
616 * the way and are not on a tty */
617 if (e == EXEC_OUTPUT_INHERIT &&
618 o == EXEC_OUTPUT_INHERIT &&
619 i == EXEC_INPUT_NULL &&
620 !is_terminal_input(context->std_input) &&
621 getppid () != 1)
622 return fileno;
623
624 /* Duplicate from stdout if possible */
41fc585a 625 if (can_inherit_stderr_from_stdout(context, o, e))
eb17e935 626 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 627
eb17e935 628 o = e;
80876c20 629
eb17e935 630 } else if (o == EXEC_OUTPUT_INHERIT) {
21d21ea4
LP		 631 /* If input got downgraded, inherit the original value */
632 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
1e22b5cd 633 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
21d21ea4 634
08f3be7a
LP		 635 /* If the input is connected to anything that's not a /dev/null or a data fd, inherit that... */
636 if (!IN_SET(i, EXEC_INPUT_NULL, EXEC_INPUT_DATA))
eb17e935 637 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 638
acb591e4
LP		 639 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
640 if (getppid() != 1)
eb17e935 641 return fileno;
94f04347 642
eb17e935
MS		 643 /* We need to open /dev/null here anew, to get the right access mode. */
644 return open_null_as(O_WRONLY, fileno);
071830ff 645 }
94f04347 646
eb17e935 647 switch (o) {
80876c20
LP		 648
649 case EXEC_OUTPUT_NULL:
eb17e935 650 return open_null_as(O_WRONLY, fileno);
80876c20
LP		 651
652 case EXEC_OUTPUT_TTY:
4f2d528d 653 if (is_terminal_input(i))
eb17e935 654 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
80876c20
LP		 655
656 /* We don't reset the terminal if this is just about output */
1e22b5cd 657 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
80876c20
LP		 658
659 case EXEC_OUTPUT_SYSLOG:
28dbc1e8 660 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
9a6bca7a 661 case EXEC_OUTPUT_KMSG:
28dbc1e8 662 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
706343f4
LP		 663 case EXEC_OUTPUT_JOURNAL:
664 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
af635cf3 665 r = connect_logger_as(unit, context, params, o, ident, fileno, uid, gid);
47c1d80d 666 if (r < 0) {
82677ae4 667 log_unit_warning_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
eb17e935 668 r = open_null_as(O_WRONLY, fileno);
7bce046b
LP		 669 } else {
670 struct stat st;
671
672 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
673 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
ab2116b1
LP		 674 * services to detect whether they are connected to the journal or not.
675 *
676 * If both stdout and stderr are connected to a stream then let's make sure to store the data
677 * about STDERR as that's usually the best way to do logging. */
7bce046b 678
ab2116b1
LP		 679 if (fstat(fileno, &st) >= 0 &&
680 (*journal_stream_ino == 0 || fileno == STDERR_FILENO)) {
7bce046b
LP		 681 *journal_stream_dev = st.st_dev;
682 *journal_stream_ino = st.st_ino;
683 }
47c1d80d
MS		 684 }
685 return r;
4f2d528d
LP		 686
687 case EXEC_OUTPUT_SOCKET:
688 assert(socket_fd >= 0);
e75a9ed1 689
eb17e935 690 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
94f04347 691
52c239d7 692 case EXEC_OUTPUT_NAMED_FD:
e75a9ed1
LP		 693 assert(named_iofds[fileno] >= 0);
694
52c239d7
LB		 695 (void) fd_nonblock(named_iofds[fileno], false);
696 return dup2(named_iofds[fileno], fileno) < 0 ? -errno : fileno;
697
566b7d23
ZD		 698 case EXEC_OUTPUT_FILE:
699 case EXEC_OUTPUT_FILE_APPEND: {
2038c3f5 700 bool rw;
566b7d23 701 int fd, flags;
2038c3f5
LP		 702
703 assert(context->stdio_file[fileno]);
704
705 rw = context->std_input == EXEC_INPUT_FILE &&
706 streq_ptr(context->stdio_file[fileno], context->stdio_file[STDIN_FILENO]);
707
708 if (rw)
709 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
710
566b7d23
ZD		 711 flags = O_WRONLY;
712 if (o == EXEC_OUTPUT_FILE_APPEND)
713 flags |= O_APPEND;
714
715 fd = acquire_path(context->stdio_file[fileno], flags, 0666 & ~context->umask);
2038c3f5
LP		 716 if (fd < 0)
717 return fd;
718
566b7d23 719 return move_fd(fd, fileno, 0);
2038c3f5
LP		 720 }
721
94f04347 722 default:
80876c20 723 assert_not_reached("Unknown error type");
94f04347 724 }
071830ff
LP		 725}
726
02a51aba 727static int chown_terminal(int fd, uid_t uid) {
4b3b5bc7 728 int r;
02a51aba
LP		 729
730 assert(fd >= 0);
02a51aba 731
1ff74fb6 732 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
4b3b5bc7
LP		 733 if (isatty(fd) < 1) {
734 if (IN_SET(errno, EINVAL, ENOTTY))
735 return 0; /* not a tty */
1ff74fb6 736
02a51aba 737 return -errno;
4b3b5bc7 738 }
02a51aba 739
4b3b5bc7
LP		 740 /* This might fail. What matters are the results. */
741 r = fchmod_and_chown(fd, TTY_MODE, uid, -1);
742 if (r < 0)
743 return r;
02a51aba 744
4b3b5bc7 745 return 1;
02a51aba
LP		 746}
747
7d5ceb64 748static int setup_confirm_stdio(const char *vc, int *_saved_stdin, int *_saved_stdout) {
3d18b167
LP		 749 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
750 int r;
80876c20 751
80876c20
LP		 752 assert(_saved_stdin);
753 assert(_saved_stdout);
754
af6da548
LP		 755 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
756 if (saved_stdin < 0)
757 return -errno;
80876c20 758
af6da548 759 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
3d18b167
LP		 760 if (saved_stdout < 0)
761 return -errno;
80876c20 762
8854d795 763 fd = acquire_terminal(vc, ACQUIRE_TERMINAL_WAIT, DEFAULT_CONFIRM_USEC);
3d18b167
LP		 764 if (fd < 0)
765 return fd;
80876c20 766
af6da548
LP		 767 r = chown_terminal(fd, getuid());
768 if (r < 0)
3d18b167 769 return r;
02a51aba 770
3d18b167
LP		 771 r = reset_terminal_fd(fd, true);
772 if (r < 0)
773 return r;
80876c20 774
2b33ab09 775 r = rearrange_stdio(fd, fd, STDERR_FILENO);
3d18b167 776 fd = -1;
2b33ab09
LP		 777 if (r < 0)
778 return r;
80876c20
LP		 779
780 *_saved_stdin = saved_stdin;
781 *_saved_stdout = saved_stdout;
782
3d18b167 783 saved_stdin = saved_stdout = -1;
80876c20 784
3d18b167 785 return 0;
80876c20
LP		 786}
787
63d77c92 788static void write_confirm_error_fd(int err, int fd, const Unit *u) {
3b20f877
FB		 789 assert(err < 0);
790
791 if (err == -ETIMEDOUT)
63d77c92 792 dprintf(fd, "Confirmation question timed out for %s, assuming positive response.\n", u->id);
3b20f877
FB		 793 else {
794 errno = -err;
63d77c92 795 dprintf(fd, "Couldn't ask confirmation for %s: %m, assuming positive response.\n", u->id);
3b20f877
FB		 796 }
797}
798
63d77c92 799static void write_confirm_error(int err, const char *vc, const Unit *u) {
03e334a1 800 _cleanup_close_ int fd = -1;
80876c20 801
3b20f877 802 assert(vc);
80876c20 803
7d5ceb64 804 fd = open_terminal(vc, O_WRONLY|O_NOCTTY|O_CLOEXEC);
af6da548 805 if (fd < 0)
3b20f877 806 return;
80876c20 807
63d77c92 808 write_confirm_error_fd(err, fd, u);
af6da548 809}
80876c20 810
3d18b167 811static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
af6da548 812 int r = 0;
80876c20 813
af6da548
LP		 814 assert(saved_stdin);
815 assert(saved_stdout);
816
817 release_terminal();
818
819 if (*saved_stdin >= 0)
80876c20 820 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
af6da548 821 r = -errno;
80876c20 822
af6da548 823 if (*saved_stdout >= 0)
80876c20 824 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
af6da548 825 r = -errno;
80876c20 826
3d18b167
LP		 827 *saved_stdin = safe_close(*saved_stdin);
828 *saved_stdout = safe_close(*saved_stdout);
af6da548
LP		 829
830 return r;
831}
832
3b20f877
FB		 833enum {
834 CONFIRM_PRETEND_FAILURE = -1,
835 CONFIRM_PRETEND_SUCCESS = 0,
836 CONFIRM_EXECUTE = 1,
837};
838
eedf223a 839static int ask_for_confirmation(const char *vc, Unit *u, const char *cmdline) {
af6da548 840 int saved_stdout = -1, saved_stdin = -1, r;
2bcd3c26 841 _cleanup_free_ char *e = NULL;
3b20f877 842 char c;
af6da548 843
3b20f877 844 /* For any internal errors, assume a positive response. */
7d5ceb64 845 r = setup_confirm_stdio(vc, &saved_stdin, &saved_stdout);
3b20f877 846 if (r < 0) {
63d77c92 847 write_confirm_error(r, vc, u);
3b20f877
FB		 848 return CONFIRM_EXECUTE;
849 }
af6da548 850
b0eb2944
FB		 851 /* confirm_spawn might have been disabled while we were sleeping. */
852 if (manager_is_confirm_spawn_disabled(u->manager)) {
853 r = 1;
854 goto restore_stdio;
855 }
af6da548 856
2bcd3c26
FB		 857 e = ellipsize(cmdline, 60, 100);
858 if (!e) {
859 log_oom();
860 r = CONFIRM_EXECUTE;
861 goto restore_stdio;
862 }
af6da548 863
d172b175 864 for (;;) {
539622bd 865 r = ask_char(&c, "yfshiDjcn", "Execute %s? [y, f, s – h for help] ", e);
d172b175 866 if (r < 0) {
63d77c92 867 write_confirm_error_fd(r, STDOUT_FILENO, u);
d172b175
FB		 868 r = CONFIRM_EXECUTE;
869 goto restore_stdio;
870 }
af6da548 871
d172b175 872 switch (c) {
b0eb2944
FB		 873 case 'c':
874 printf("Resuming normal execution.\n");
875 manager_disable_confirm_spawn();
876 r = 1;
877 break;
dd6f9ac0
FB		 878 case 'D':
879 unit_dump(u, stdout, " ");
880 continue; /* ask again */
d172b175
FB		 881 case 'f':
882 printf("Failing execution.\n");
883 r = CONFIRM_PRETEND_FAILURE;
884 break;
885 case 'h':
b0eb2944
FB		 886 printf(" c - continue, proceed without asking anymore\n"
887 " D - dump, show the state of the unit\n"
dd6f9ac0 888 " f - fail, don't execute the command and pretend it failed\n"
d172b175 889 " h - help\n"
eedf223a 890 " i - info, show a short summary of the unit\n"
56fde33a 891 " j - jobs, show jobs that are in progress\n"
d172b175
FB		 892 " s - skip, don't execute the command and pretend it succeeded\n"
893 " y - yes, execute the command\n");
dd6f9ac0 894 continue; /* ask again */
eedf223a
FB		 895 case 'i':
896 printf(" Description: %s\n"
897 " Unit: %s\n"
898 " Command: %s\n",
899 u->id, u->description, cmdline);
900 continue; /* ask again */
56fde33a
FB		 901 case 'j':
902 manager_dump_jobs(u->manager, stdout, " ");
903 continue; /* ask again */
539622bd
FB		 904 case 'n':
905 /* 'n' was removed in favor of 'f'. */
906 printf("Didn't understand 'n', did you mean 'f'?\n");
907 continue; /* ask again */
d172b175
FB		 908 case 's':
909 printf("Skipping execution.\n");
910 r = CONFIRM_PRETEND_SUCCESS;
911 break;
912 case 'y':
913 r = CONFIRM_EXECUTE;
914 break;
915 default:
916 assert_not_reached("Unhandled choice");
917 }
3b20f877 918 break;
3b20f877 919 }
af6da548 920
3b20f877 921restore_stdio:
af6da548 922 restore_confirm_stdio(&saved_stdin, &saved_stdout);
af6da548 923 return r;
80876c20
LP		 924}
925
4d885bd3
DH		 926static int get_fixed_user(const ExecContext *c, const char **user,
927 uid_t *uid, gid_t *gid,
928 const char **home, const char **shell) {
81a2b7ce 929 int r;
4d885bd3 930 const char *name;
81a2b7ce 931
4d885bd3 932 assert(c);
81a2b7ce 933
23deef88
LP		 934 if (!c->user)
935 return 0;
936
4d885bd3
DH		 937 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
938 * (i.e. are "/" or "/bin/nologin"). */
81a2b7ce 939
23deef88 940 name = c->user;
fafff8f1 941 r = get_user_creds(&name, uid, gid, home, shell, USER_CREDS_CLEAN);
4d885bd3
DH		 942 if (r < 0)
943 return r;
81a2b7ce 944
4d885bd3
DH		 945 *user = name;
946 return 0;
947}
948
949static int get_fixed_group(const ExecContext *c, const char **group, gid_t *gid) {
950 int r;
951 const char *name;
952
953 assert(c);
954
955 if (!c->group)
956 return 0;
957
958 name = c->group;
fafff8f1 959 r = get_group_creds(&name, gid, 0);
4d885bd3
DH		 960 if (r < 0)
961 return r;
962
963 *group = name;
964 return 0;
965}
966
cdc5d5c5
DH		 967static int get_supplementary_groups(const ExecContext *c, const char *user,
968 const char *group, gid_t gid,
969 gid_t **supplementary_gids, int *ngids) {
4d885bd3
DH		 970 char **i;
971 int r, k = 0;
972 int ngroups_max;
973 bool keep_groups = false;
974 gid_t *groups = NULL;
975 _cleanup_free_ gid_t *l_gids = NULL;
976
977 assert(c);
978
bbeea271
DH		 979 /*
980 * If user is given, then lookup GID and supplementary groups list.
981 * We avoid NSS lookups for gid=0. Also we have to initialize groups
cdc5d5c5
DH		 982 * here and as early as possible so we keep the list of supplementary
983 * groups of the caller.
bbeea271
DH		 984 */
985 if (user && gid_is_valid(gid) && gid != 0) {
986 /* First step, initialize groups from /etc/groups */
987 if (initgroups(user, gid) < 0)
988 return -errno;
989
990 keep_groups = true;
991 }
992
ac6e8be6 993 if (strv_isempty(c->supplementary_groups))
4d885bd3
DH		 994 return 0;
995
366ddd25
DH		 996 /*
997 * If SupplementaryGroups= was passed then NGROUPS_MAX has to
998 * be positive, otherwise fail.
999 */
1000 errno = 0;
1001 ngroups_max = (int) sysconf(_SC_NGROUPS_MAX);
66855de7
LP		 1002 if (ngroups_max <= 0)
1003 return errno_or_else(EOPNOTSUPP);
366ddd25 1004
4d885bd3
DH		 1005 l_gids = new(gid_t, ngroups_max);
1006 if (!l_gids)
1007 return -ENOMEM;
81a2b7ce 1008
4d885bd3
DH		 1009 if (keep_groups) {
1010 /*
1011 * Lookup the list of groups that the user belongs to, we
1012 * avoid NSS lookups here too for gid=0.
1013 */
1014 k = ngroups_max;
1015 if (getgrouplist(user, gid, l_gids, &k) < 0)
1016 return -EINVAL;
1017 } else
1018 k = 0;
81a2b7ce 1019
4d885bd3
DH		 1020 STRV_FOREACH(i, c->supplementary_groups) {
1021 const char *g;
81a2b7ce 1022
4d885bd3
DH		 1023 if (k >= ngroups_max)
1024 return -E2BIG;
81a2b7ce 1025
4d885bd3 1026 g = *i;
fafff8f1 1027 r = get_group_creds(&g, l_gids+k, 0);
4d885bd3
DH		 1028 if (r < 0)
1029 return r;
81a2b7ce 1030
4d885bd3
DH		 1031 k++;
1032 }
81a2b7ce 1033
4d885bd3
DH		 1034 /*
1035 * Sets ngids to zero to drop all supplementary groups, happens
1036 * when we are under root and SupplementaryGroups= is empty.
1037 */
1038 if (k == 0) {
1039 *ngids = 0;
1040 return 0;
1041 }
81a2b7ce 1042
4d885bd3
DH		 1043 /* Otherwise get the final list of supplementary groups */
1044 groups = memdup(l_gids, sizeof(gid_t) * k);
1045 if (!groups)
1046 return -ENOMEM;
1047
1048 *supplementary_gids = groups;
1049 *ngids = k;
1050
1051 groups = NULL;
1052
1053 return 0;
1054}
1055
34cf6c43 1056static int enforce_groups(gid_t gid, const gid_t *supplementary_gids, int ngids) {
4d885bd3
DH		 1057 int r;
1058
709dbeac
YW		 1059 /* Handle SupplementaryGroups= if it is not empty */
1060 if (ngids > 0) {
4d885bd3
DH		 1061 r = maybe_setgroups(ngids, supplementary_gids);
1062 if (r < 0)
97f0e76f 1063 return r;
4d885bd3 1064 }
81a2b7ce 1065
4d885bd3
DH		 1066 if (gid_is_valid(gid)) {
1067 /* Then set our gids */
1068 if (setresgid(gid, gid, gid) < 0)
1069 return -errno;
81a2b7ce
LP		 1070 }
1071
1072 return 0;
1073}
1074
1075static int enforce_user(const ExecContext *context, uid_t uid) {
81a2b7ce
LP		 1076 assert(context);
1077
4d885bd3
DH		 1078 if (!uid_is_valid(uid))
1079 return 0;
1080
479050b3 1081 /* Sets (but doesn't look up) the uid and make sure we keep the
81a2b7ce
LP		 1082 * capabilities while doing so. */
1083
479050b3 1084 if (context->capability_ambient_set != 0) {
81a2b7ce
LP		 1085
1086 /* First step: If we need to keep capabilities but
1087 * drop privileges we need to make sure we keep our
cbb21cca 1088 * caps, while we drop privileges. */
693ced48 1089 if (uid != 0) {
cbb21cca 1090 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
693ced48
LP		 1091
1092 if (prctl(PR_GET_SECUREBITS) != sb)
1093 if (prctl(PR_SET_SECUREBITS, sb) < 0)
1094 return -errno;
1095 }
81a2b7ce
LP		 1096 }
1097
479050b3 1098 /* Second step: actually set the uids */
81a2b7ce
LP		 1099 if (setresuid(uid, uid, uid) < 0)
1100 return -errno;
1101
1102 /* At this point we should have all necessary capabilities but
1103 are otherwise a normal user. However, the caps might got
1104 corrupted due to the setresuid() so we need clean them up
1105 later. This is done outside of this call. */
1106
1107 return 0;
1108}
1109
349cc4a5 1110#if HAVE_PAM
5b6319dc
LP		 1111
1112static int null_conv(
1113 int num_msg,
1114 const struct pam_message **msg,
1115 struct pam_response **resp,
1116 void *appdata_ptr) {
1117
1118 /* We don't support conversations */
1119
1120 return PAM_CONV_ERR;
1121}
1122
cefc33ae
LP		 1123#endif
1124
5b6319dc
LP		 1125static int setup_pam(
1126 const char *name,
1127 const char *user,
940c5210 1128 uid_t uid,
2d6fce8d 1129 gid_t gid,
5b6319dc 1130 const char *tty,
2065ca69 1131 char ***env,
da6053d0 1132 int fds[], size_t n_fds) {
5b6319dc 1133
349cc4a5 1134#if HAVE_PAM
cefc33ae 1135
5b6319dc
LP		 1136 static const struct pam_conv conv = {
1137 .conv = null_conv,
1138 .appdata_ptr = NULL
1139 };
1140
2d7c6aa2 1141 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
5b6319dc 1142 pam_handle_t *handle = NULL;
d6e5f3ad 1143 sigset_t old_ss;
7bb70b6e 1144 int pam_code = PAM_SUCCESS, r;
84eada2f 1145 char **nv, **e = NULL;
5b6319dc
LP		 1146 bool close_session = false;
1147 pid_t pam_pid = 0, parent_pid;
970edce6 1148 int flags = 0;
5b6319dc
LP		 1149
1150 assert(name);
1151 assert(user);
2065ca69 1152 assert(env);
5b6319dc
LP		 1153
1154 /* We set up PAM in the parent process, then fork. The child
35b8ca3a 1155 * will then stay around until killed via PR_GET_PDEATHSIG or
5b6319dc
LP		 1156 * systemd via the cgroup logic. It will then remove the PAM
1157 * session again. The parent process will exec() the actual
1158 * daemon. We do things this way to ensure that the main PID
1159 * of the daemon is the one we initially fork()ed. */
1160
7bb70b6e
LP		 1161 r = barrier_create(&barrier);
1162 if (r < 0)
2d7c6aa2
DH		 1163 goto fail;
1164
553d2243 1165 if (log_get_max_level() < LOG_DEBUG)
970edce6
ZJS		 1166 flags |= PAM_SILENT;
1167
f546241b
ZJS		 1168 pam_code = pam_start(name, user, &conv, &handle);
1169 if (pam_code != PAM_SUCCESS) {
5b6319dc
LP		 1170 handle = NULL;
1171 goto fail;
1172 }
1173
3cd24c1a
LP		 1174 if (!tty) {
1175 _cleanup_free_ char *q = NULL;
1176
1177 /* Hmm, so no TTY was explicitly passed, but an fd passed to us directly might be a TTY. Let's figure
1178 * out if that's the case, and read the TTY off it. */
1179
1180 if (getttyname_malloc(STDIN_FILENO, &q) >= 0)
1181 tty = strjoina("/dev/", q);
1182 }
1183
f546241b
ZJS		 1184 if (tty) {
1185 pam_code = pam_set_item(handle, PAM_TTY, tty);
1186 if (pam_code != PAM_SUCCESS)
5b6319dc 1187 goto fail;
f546241b 1188 }
5b6319dc 1189
84eada2f
JW		 1190 STRV_FOREACH(nv, *env) {
1191 pam_code = pam_putenv(handle, *nv);
2065ca69
JW		 1192 if (pam_code != PAM_SUCCESS)
1193 goto fail;
1194 }
1195
970edce6 1196 pam_code = pam_acct_mgmt(handle, flags);
f546241b 1197 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 1198 goto fail;
1199
970edce6 1200 pam_code = pam_open_session(handle, flags);
f546241b 1201 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 1202 goto fail;
1203
1204 close_session = true;
1205
f546241b
ZJS		 1206 e = pam_getenvlist(handle);
1207 if (!e) {
5b6319dc
LP		 1208 pam_code = PAM_BUF_ERR;
1209 goto fail;
1210 }
1211
1212 /* Block SIGTERM, so that we know that it won't get lost in
1213 * the child */
ce30c8dc 1214
72c0a2c2 1215 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
5b6319dc 1216
df0ff127 1217 parent_pid = getpid_cached();
5b6319dc 1218
4c253ed1
LP		 1219 r = safe_fork("(sd-pam)", 0, &pam_pid);
1220 if (r < 0)
5b6319dc 1221 goto fail;
4c253ed1 1222 if (r == 0) {
7bb70b6e 1223 int sig, ret = EXIT_PAM;
5b6319dc
LP		 1224
1225 /* The child's job is to reset the PAM session on
1226 * termination */
2d7c6aa2 1227 barrier_set_role(&barrier, BARRIER_CHILD);
5b6319dc 1228
4c253ed1
LP		 1229 /* Make sure we don't keep open the passed fds in this child. We assume that otherwise only those fds
1230 * are open here that have been opened by PAM. */
1231 (void) close_many(fds, n_fds);
5b6319dc 1232
940c5210
AK		 1233 /* Drop privileges - we don't need any to pam_close_session
1234 * and this will make PR_SET_PDEATHSIG work in most cases.
1235 * If this fails, ignore the error - but expect sd-pam threads
1236 * to fail to exit normally */
2d6fce8d 1237
97f0e76f
LP		 1238 r = maybe_setgroups(0, NULL);
1239 if (r < 0)
1240 log_warning_errno(r, "Failed to setgroups() in sd-pam: %m");
2d6fce8d
LP		 1241 if (setresgid(gid, gid, gid) < 0)
1242 log_warning_errno(errno, "Failed to setresgid() in sd-pam: %m");
940c5210 1243 if (setresuid(uid, uid, uid) < 0)
2d6fce8d 1244 log_warning_errno(errno, "Failed to setresuid() in sd-pam: %m");
940c5210 1245
ce30c8dc
LP		 1246 (void) ignore_signals(SIGPIPE, -1);
1247
940c5210
AK		 1248 /* Wait until our parent died. This will only work if
1249 * the above setresuid() succeeds, otherwise the kernel
1250 * will not allow unprivileged parents kill their privileged
1251 * children this way. We rely on the control groups kill logic
5b6319dc
LP		 1252 * to do the rest for us. */
1253 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
1254 goto child_finish;
1255
2d7c6aa2
DH		 1256 /* Tell the parent that our setup is done. This is especially
1257 * important regarding dropping privileges. Otherwise, unit
643f4706
ZJS		 1258 * setup might race against our setresuid(2) call.
1259 *
1260 * If the parent aborted, we'll detect this below, hence ignore
1261 * return failure here. */
1262 (void) barrier_place(&barrier);
2d7c6aa2 1263
643f4706 1264 /* Check if our parent process might already have died? */
5b6319dc 1265 if (getppid() == parent_pid) {
d6e5f3ad
DM		 1266 sigset_t ss;
1267
1268 assert_se(sigemptyset(&ss) >= 0);
1269 assert_se(sigaddset(&ss, SIGTERM) >= 0);
1270
3dead8d9
LP		 1271 for (;;) {
1272 if (sigwait(&ss, &sig) < 0) {
1273 if (errno == EINTR)
1274 continue;
1275
1276 goto child_finish;
1277 }
5b6319dc 1278
3dead8d9
LP		 1279 assert(sig == SIGTERM);
1280 break;
1281 }
5b6319dc
LP		 1282 }
1283
3dead8d9 1284 /* If our parent died we'll end the session */
f546241b 1285 if (getppid() != parent_pid) {
970edce6 1286 pam_code = pam_close_session(handle, flags);
f546241b 1287 if (pam_code != PAM_SUCCESS)
5b6319dc 1288 goto child_finish;
f546241b 1289 }
5b6319dc 1290
7bb70b6e 1291 ret = 0;
5b6319dc
LP		 1292
1293 child_finish:
970edce6 1294 pam_end(handle, pam_code | flags);
7bb70b6e 1295 _exit(ret);
5b6319dc
LP		 1296 }
1297
2d7c6aa2
DH		 1298 barrier_set_role(&barrier, BARRIER_PARENT);
1299
5b6319dc
LP		 1300 /* If the child was forked off successfully it will do all the
1301 * cleanups, so forget about the handle here. */
1302 handle = NULL;
1303
3b8bddde 1304 /* Unblock SIGTERM again in the parent */
72c0a2c2 1305 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
5b6319dc
LP		 1306
1307 /* We close the log explicitly here, since the PAM modules
1308 * might have opened it, but we don't want this fd around. */
1309 closelog();
1310
2d7c6aa2
DH		 1311 /* Synchronously wait for the child to initialize. We don't care for
1312 * errors as we cannot recover. However, warn loudly if it happens. */
1313 if (!barrier_place_and_sync(&barrier))
1314 log_error("PAM initialization failed");
1315
130d3d22 1316 return strv_free_and_replace(*env, e);
5b6319dc
LP		 1317
1318fail:
970edce6
ZJS		 1319 if (pam_code != PAM_SUCCESS) {
1320 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
7bb70b6e
LP		 1321 r = -EPERM; /* PAM errors do not map to errno */
1322 } else
1323 log_error_errno(r, "PAM failed: %m");
9ba35398 1324
5b6319dc
LP		 1325 if (handle) {
1326 if (close_session)
970edce6 1327 pam_code = pam_close_session(handle, flags);
5b6319dc 1328
970edce6 1329 pam_end(handle, pam_code | flags);
5b6319dc
LP		 1330 }
1331
1332 strv_free(e);
5b6319dc
LP		 1333 closelog();
1334
7bb70b6e 1335 return r;
cefc33ae
LP		 1336#else
1337 return 0;
5b6319dc 1338#endif
cefc33ae 1339}
5b6319dc 1340
5d6b1584
LP		 1341static void rename_process_from_path(const char *path) {
1342 char process_name[11];
1343 const char *p;
1344 size_t l;
1345
1346 /* This resulting string must fit in 10 chars (i.e. the length
1347 * of "/sbin/init") to look pretty in /bin/ps */
1348
2b6bf07d 1349 p = basename(path);
5d6b1584
LP		 1350 if (isempty(p)) {
1351 rename_process("(...)");
1352 return;
1353 }
1354
1355 l = strlen(p);
1356 if (l > 8) {
1357 /* The end of the process name is usually more
1358 * interesting, since the first bit might just be
1359 * "systemd-" */
1360 p = p + l - 8;
1361 l = 8;
1362 }
1363
1364 process_name[0] = '(';
1365 memcpy(process_name+1, p, l);
1366 process_name[1+l] = ')';
1367 process_name[1+l+1] = 0;
1368
1369 rename_process(process_name);
1370}
1371
469830d1
LP		 1372static bool context_has_address_families(const ExecContext *c) {
1373 assert(c);
1374
1375 return c->address_families_whitelist ||
1376 !set_isempty(c->address_families);
1377}
1378
1379static bool context_has_syscall_filters(const ExecContext *c) {
1380 assert(c);
1381
1382 return c->syscall_whitelist ||
8cfa775f 1383 !hashmap_isempty(c->syscall_filter);
469830d1
LP		 1384}
1385
1386static bool context_has_no_new_privileges(const ExecContext *c) {
1387 assert(c);
1388
1389 if (c->no_new_privileges)
1390 return true;
1391
1392 if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
1393 return false;
1394
1395 /* We need NNP if we have any form of seccomp and are unprivileged */
1396 return context_has_address_families(c) ||
1397 c->memory_deny_write_execute ||
1398 c->restrict_realtime ||
f69567cb 1399 c->restrict_suid_sgid ||
469830d1
LP		 1400 exec_context_restrict_namespaces_set(c) ||
1401 c->protect_kernel_tunables ||
1402 c->protect_kernel_modules ||
1403 c->private_devices ||
1404 context_has_syscall_filters(c) ||
78e864e5 1405 !set_isempty(c->syscall_archs) ||
aecd5ac6
TM		 1406 c->lock_personality ||
1407 c->protect_hostname;
469830d1
LP		 1408}
1409
349cc4a5 1410#if HAVE_SECCOMP
17df7223 1411
83f12b27 1412static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
f673b62d
LP		 1413
1414 if (is_seccomp_available())
1415 return false;
1416
f673b62d 1417 log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
f673b62d 1418 return true;
83f12b27
FS		 1419}
1420
165a31c0 1421static int apply_syscall_filter(const Unit* u, const ExecContext *c, bool needs_ambient_hack) {
469830d1 1422 uint32_t negative_action, default_action, action;
165a31c0 1423 int r;
8351ceae 1424
469830d1 1425 assert(u);
c0467cf3 1426 assert(c);
8351ceae 1427
469830d1 1428 if (!context_has_syscall_filters(c))
83f12b27
FS		 1429 return 0;
1430
469830d1
LP		 1431 if (skip_seccomp_unavailable(u, "SystemCallFilter="))
1432 return 0;
e9642be2 1433
ccc16c78 1434 negative_action = c->syscall_errno == 0 ? scmp_act_kill_process() : SCMP_ACT_ERRNO(c->syscall_errno);
e9642be2 1435
469830d1
LP		 1436 if (c->syscall_whitelist) {
1437 default_action = negative_action;
1438 action = SCMP_ACT_ALLOW;
7c66bae2 1439 } else {
469830d1
LP		 1440 default_action = SCMP_ACT_ALLOW;
1441 action = negative_action;
57183d11 1442 }
8351ceae 1443
165a31c0
LP		 1444 if (needs_ambient_hack) {
1445 r = seccomp_filter_set_add(c->syscall_filter, c->syscall_whitelist, syscall_filter_sets + SYSCALL_FILTER_SET_SETUID);
1446 if (r < 0)
1447 return r;
1448 }
1449
b54f36c6 1450 return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_filter, action, false);
4298d0b5
LP		 1451}
1452
469830d1
LP		 1453static int apply_syscall_archs(const Unit *u, const ExecContext *c) {
1454 assert(u);
4298d0b5
LP		 1455 assert(c);
1456
469830d1 1457 if (set_isempty(c->syscall_archs))
83f12b27
FS		 1458 return 0;
1459
469830d1
LP		 1460 if (skip_seccomp_unavailable(u, "SystemCallArchitectures="))
1461 return 0;
4298d0b5 1462
469830d1
LP		 1463 return seccomp_restrict_archs(c->syscall_archs);
1464}
4298d0b5 1465
469830d1
LP		 1466static int apply_address_families(const Unit* u, const ExecContext *c) {
1467 assert(u);
1468 assert(c);
4298d0b5 1469
469830d1
LP		 1470 if (!context_has_address_families(c))
1471 return 0;
4298d0b5 1472
469830d1
LP		 1473 if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
1474 return 0;
4298d0b5 1475
469830d1 1476 return seccomp_restrict_address_families(c->address_families, c->address_families_whitelist);
8351ceae 1477}
4298d0b5 1478
83f12b27 1479static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c) {
469830d1 1480 assert(u);
f3e43635
TM		 1481 assert(c);
1482
469830d1 1483 if (!c->memory_deny_write_execute)
83f12b27
FS		 1484 return 0;
1485
469830d1
LP		 1486 if (skip_seccomp_unavailable(u, "MemoryDenyWriteExecute="))
1487 return 0;
f3e43635 1488
469830d1 1489 return seccomp_memory_deny_write_execute();
f3e43635
TM		 1490}
1491
83f12b27 1492static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
469830d1 1493 assert(u);
f4170c67
LP		 1494 assert(c);
1495
469830d1 1496 if (!c->restrict_realtime)
83f12b27
FS		 1497 return 0;
1498
469830d1
LP		 1499 if (skip_seccomp_unavailable(u, "RestrictRealtime="))
1500 return 0;
f4170c67 1501
469830d1 1502 return seccomp_restrict_realtime();
f4170c67
LP		 1503}
1504
f69567cb
LP		 1505static int apply_restrict_suid_sgid(const Unit* u, const ExecContext *c) {
1506 assert(u);
1507 assert(c);
1508
1509 if (!c->restrict_suid_sgid)
1510 return 0;
1511
1512 if (skip_seccomp_unavailable(u, "RestrictSUIDSGID="))
1513 return 0;
1514
1515 return seccomp_restrict_suid_sgid();
1516}
1517
59e856c7 1518static int apply_protect_sysctl(const Unit *u, const ExecContext *c) {
469830d1 1519 assert(u);
59eeb84b
LP		 1520 assert(c);
1521
1522 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1523 * let's protect even those systems where this is left on in the kernel. */
1524
469830d1 1525 if (!c->protect_kernel_tunables)
59eeb84b
LP		 1526 return 0;
1527
469830d1
LP		 1528 if (skip_seccomp_unavailable(u, "ProtectKernelTunables="))
1529 return 0;
59eeb84b 1530
469830d1 1531 return seccomp_protect_sysctl();
59eeb84b
LP		 1532}
1533
59e856c7 1534static int apply_protect_kernel_modules(const Unit *u, const ExecContext *c) {
469830d1 1535 assert(u);
502d704e
DH		 1536 assert(c);
1537
25a8d8a0 1538 /* Turn off module syscalls on ProtectKernelModules=yes */
502d704e 1539
469830d1
LP		 1540 if (!c->protect_kernel_modules)
1541 return 0;
1542
502d704e
DH		 1543 if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
1544 return 0;
1545
b54f36c6 1546 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM), false);
502d704e
DH		 1547}
1548
59e856c7 1549static int apply_private_devices(const Unit *u, const ExecContext *c) {
469830d1 1550 assert(u);
ba128bb8
LP		 1551 assert(c);
1552
8f81a5f6 1553 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
ba128bb8 1554
469830d1
LP		 1555 if (!c->private_devices)
1556 return 0;
1557
ba128bb8
LP		 1558 if (skip_seccomp_unavailable(u, "PrivateDevices="))
1559 return 0;
1560
b54f36c6 1561 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM), false);
ba128bb8
LP		 1562}
1563
34cf6c43 1564static int apply_restrict_namespaces(const Unit *u, const ExecContext *c) {
469830d1 1565 assert(u);
add00535
LP		 1566 assert(c);
1567
1568 if (!exec_context_restrict_namespaces_set(c))
1569 return 0;
1570
1571 if (skip_seccomp_unavailable(u, "RestrictNamespaces="))
1572 return 0;
1573
1574 return seccomp_restrict_namespaces(c->restrict_namespaces);
1575}
1576
78e864e5 1577static int apply_lock_personality(const Unit* u, const ExecContext *c) {
e8132d63
LP		 1578 unsigned long personality;
1579 int r;
78e864e5
TM		 1580
1581 assert(u);
1582 assert(c);
1583
1584 if (!c->lock_personality)
1585 return 0;
1586
1587 if (skip_seccomp_unavailable(u, "LockPersonality="))
1588 return 0;
1589
e8132d63
LP		 1590 personality = c->personality;
1591
1592 /* If personality is not specified, use either PER_LINUX or PER_LINUX32 depending on what is currently set. */
1593 if (personality == PERSONALITY_INVALID) {
1594
1595 r = opinionated_personality(&personality);
1596 if (r < 0)
1597 return r;
1598 }
78e864e5
TM		 1599
1600 return seccomp_lock_personality(personality);
1601}
1602
c0467cf3 1603#endif
8351ceae 1604
3042bbeb 1605static void do_idle_pipe_dance(int idle_pipe[static 4]) {
31a7eb86
ZJS		 1606 assert(idle_pipe);
1607
54eb2300
LP		 1608 idle_pipe[1] = safe_close(idle_pipe[1]);
1609 idle_pipe[2] = safe_close(idle_pipe[2]);
31a7eb86
ZJS		 1610
1611 if (idle_pipe[0] >= 0) {
1612 int r;
1613
1614 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1615
1616 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
c7cc737f
LP		 1617 ssize_t n;
1618
31a7eb86 1619 /* Signal systemd that we are bored and want to continue. */
c7cc737f
LP		 1620 n = write(idle_pipe[3], "x", 1);
1621 if (n > 0)
cd972d69
ZJS		 1622 /* Wait for systemd to react to the signal above. */
1623 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
31a7eb86
ZJS		 1624 }
1625
54eb2300 1626 idle_pipe[0] = safe_close(idle_pipe[0]);
31a7eb86
ZJS		 1627
1628 }
1629
54eb2300 1630 idle_pipe[3] = safe_close(idle_pipe[3]);
31a7eb86
ZJS		 1631}
1632
fb2042dd
YW		 1633static const char *exec_directory_env_name_to_string(ExecDirectoryType t);
1634
7cae38c4 1635static int build_environment(
34cf6c43 1636 const Unit *u,
9fa95f85 1637 const ExecContext *c,
1e22b5cd 1638 const ExecParameters *p,
da6053d0 1639 size_t n_fds,
7cae38c4
LP		 1640 const char *home,
1641 const char *username,
1642 const char *shell,
7bce046b
LP		 1643 dev_t journal_stream_dev,
1644 ino_t journal_stream_ino,
7cae38c4
LP		 1645 char ***ret) {
1646
1647 _cleanup_strv_free_ char **our_env = NULL;
fb2042dd 1648 ExecDirectoryType t;
da6053d0 1649 size_t n_env = 0;
7cae38c4
LP		 1650 char *x;
1651
4b58153d 1652 assert(u);
7cae38c4 1653 assert(c);
7c1cb6f1 1654 assert(p);
7cae38c4
LP		 1655 assert(ret);
1656
fb2042dd 1657 our_env = new0(char*, 14 + _EXEC_DIRECTORY_TYPE_MAX);
7cae38c4
LP		 1658 if (!our_env)
1659 return -ENOMEM;
1660
1661 if (n_fds > 0) {
8dd4c05b
LP		 1662 _cleanup_free_ char *joined = NULL;
1663
df0ff127 1664 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid_cached()) < 0)
7cae38c4
LP		 1665 return -ENOMEM;
1666 our_env[n_env++] = x;
1667
da6053d0 1668 if (asprintf(&x, "LISTEN_FDS=%zu", n_fds) < 0)
7cae38c4
LP		 1669 return -ENOMEM;
1670 our_env[n_env++] = x;
8dd4c05b 1671
1e22b5cd 1672 joined = strv_join(p->fd_names, ":");
8dd4c05b
LP		 1673 if (!joined)
1674 return -ENOMEM;
1675
605405c6 1676 x = strjoin("LISTEN_FDNAMES=", joined);
8dd4c05b
LP		 1677 if (!x)
1678 return -ENOMEM;
1679 our_env[n_env++] = x;
7cae38c4
LP		 1680 }
1681
b08af3b1 1682 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
df0ff127 1683 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid_cached()) < 0)
09812eb7
LP		 1684 return -ENOMEM;
1685 our_env[n_env++] = x;
1686
1e22b5cd 1687 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
09812eb7
LP		 1688 return -ENOMEM;
1689 our_env[n_env++] = x;
1690 }
1691
fd63e712
LP		 1692 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1693 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1694 * check the database directly. */
ac647978 1695 if (p->flags & EXEC_NSS_BYPASS_BUS) {
fd63e712
LP		 1696 x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1697 if (!x)
1698 return -ENOMEM;
1699 our_env[n_env++] = x;
1700 }
1701
7cae38c4 1702 if (home) {
b910cc72 1703 x = strjoin("HOME=", home);
7cae38c4
LP		 1704 if (!x)
1705 return -ENOMEM;
7bbead1d
LP		 1706
1707 path_simplify(x + 5, true);
7cae38c4
LP		 1708 our_env[n_env++] = x;
1709 }
1710
1711 if (username) {
b910cc72 1712 x = strjoin("LOGNAME=", username);
7cae38c4
LP		 1713 if (!x)
1714 return -ENOMEM;
1715 our_env[n_env++] = x;
1716
b910cc72 1717 x = strjoin("USER=", username);
7cae38c4
LP		 1718 if (!x)
1719 return -ENOMEM;
1720 our_env[n_env++] = x;
1721 }
1722
1723 if (shell) {
b910cc72 1724 x = strjoin("SHELL=", shell);
7cae38c4
LP		 1725 if (!x)
1726 return -ENOMEM;
7bbead1d
LP		 1727
1728 path_simplify(x + 6, true);
7cae38c4
LP		 1729 our_env[n_env++] = x;
1730 }
1731
4b58153d
LP		 1732 if (!sd_id128_is_null(u->invocation_id)) {
1733 if (asprintf(&x, "INVOCATION_ID=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(u->invocation_id)) < 0)
1734 return -ENOMEM;
1735
1736 our_env[n_env++] = x;
1737 }
1738
6af760f3
LP		 1739 if (exec_context_needs_term(c)) {
1740 const char *tty_path, *term = NULL;
1741
1742 tty_path = exec_context_tty_path(c);
1743
1744 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try to inherit
1745 * the $TERM set for PID 1. This is useful for containers so that the $TERM the container manager
1746 * passes to PID 1 ends up all the way in the console login shown. */
1747
1748 if (path_equal(tty_path, "/dev/console") && getppid() == 1)
1749 term = getenv("TERM");
1750 if (!term)
1751 term = default_term_for_tty(tty_path);
7cae38c4 1752
b910cc72 1753 x = strjoin("TERM=", term);
7cae38c4
LP		 1754 if (!x)
1755 return -ENOMEM;
1756 our_env[n_env++] = x;
1757 }
1758
7bce046b
LP		 1759 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1760 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1761 return -ENOMEM;
1762
1763 our_env[n_env++] = x;
1764 }
1765
fb2042dd
YW		 1766 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
1767 _cleanup_free_ char *pre = NULL, *joined = NULL;
1768 const char *n;
1769
1770 if (!p->prefix[t])
1771 continue;
1772
1773 if (strv_isempty(c->directories[t].paths))
1774 continue;
1775
1776 n = exec_directory_env_name_to_string(t);
1777 if (!n)
1778 continue;
1779
1780 pre = strjoin(p->prefix[t], "/");
1781 if (!pre)
1782 return -ENOMEM;
1783
1784 joined = strv_join_prefix(c->directories[t].paths, ":", pre);
1785 if (!joined)
1786 return -ENOMEM;
1787
1788 x = strjoin(n, "=", joined);
1789 if (!x)
1790 return -ENOMEM;
1791
1792 our_env[n_env++] = x;
1793 }
1794
7cae38c4 1795 our_env[n_env++] = NULL;
fb2042dd 1796 assert(n_env <= 14 + _EXEC_DIRECTORY_TYPE_MAX);
7cae38c4 1797
ae2a15bc 1798 *ret = TAKE_PTR(our_env);
7cae38c4
LP		 1799
1800 return 0;
1801}
1802
b4c14404
FB		 1803static int build_pass_environment(const ExecContext *c, char ***ret) {
1804 _cleanup_strv_free_ char **pass_env = NULL;
1805 size_t n_env = 0, n_bufsize = 0;
1806 char **i;
1807
1808 STRV_FOREACH(i, c->pass_environment) {
1809 _cleanup_free_ char *x = NULL;
1810 char *v;
1811
1812 v = getenv(*i);
1813 if (!v)
1814 continue;
605405c6 1815 x = strjoin(*i, "=", v);
b4c14404
FB		 1816 if (!x)
1817 return -ENOMEM;
00819cc1 1818
b4c14404
FB		 1819 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1820 return -ENOMEM;
00819cc1 1821
1cc6c93a 1822 pass_env[n_env++] = TAKE_PTR(x);
b4c14404 1823 pass_env[n_env] = NULL;
b4c14404
FB		 1824 }
1825
ae2a15bc 1826 *ret = TAKE_PTR(pass_env);
b4c14404
FB		 1827
1828 return 0;
1829}
1830
8b44a3d2
LP		 1831static bool exec_needs_mount_namespace(
1832 const ExecContext *context,
1833 const ExecParameters *params,
4657abb5 1834 const ExecRuntime *runtime) {
8b44a3d2
LP		 1835
1836 assert(context);
1837 assert(params);
1838
915e6d16
LP		 1839 if (context->root_image)
1840 return true;
1841
2a624c36
AP		 1842 if (!strv_isempty(context->read_write_paths) ||
1843 !strv_isempty(context->read_only_paths) ||
1844 !strv_isempty(context->inaccessible_paths))
8b44a3d2
LP		 1845 return true;
1846
42b1d8e0 1847 if (context->n_bind_mounts > 0)
d2d6c096
LP		 1848 return true;
1849
2abd4e38
YW		 1850 if (context->n_temporary_filesystems > 0)
1851 return true;
1852
37ed15d7 1853 if (!IN_SET(context->mount_flags, 0, MS_SHARED))
8b44a3d2
LP		 1854 return true;
1855
1856 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1857 return true;
1858
8b44a3d2 1859 if (context->private_devices ||
228af36f 1860 context->private_mounts ||
8b44a3d2 1861 context->protect_system != PROTECT_SYSTEM_NO ||
59eeb84b
LP		 1862 context->protect_home != PROTECT_HOME_NO ||
1863 context->protect_kernel_tunables ||
c575770b 1864 context->protect_kernel_modules ||
59eeb84b 1865 context->protect_control_groups)
8b44a3d2
LP		 1866 return true;
1867
37c56f89
YW		 1868 if (context->root_directory) {
1869 ExecDirectoryType t;
1870
1871 if (context->mount_apivfs)
1872 return true;
1873
1874 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
1875 if (!params->prefix[t])
1876 continue;
1877
1878 if (!strv_isempty(context->directories[t].paths))
1879 return true;
1880 }
1881 }
5d997827 1882
42b1d8e0 1883 if (context->dynamic_user &&
b43ee82f 1884 (!strv_isempty(context->directories[EXEC_DIRECTORY_STATE].paths) ||
42b1d8e0
YW		 1885 !strv_isempty(context->directories[EXEC_DIRECTORY_CACHE].paths) ||
1886 !strv_isempty(context->directories[EXEC_DIRECTORY_LOGS].paths)))
1887 return true;
1888
8b44a3d2
LP		 1889 return false;
1890}
1891
d251207d
LP		 1892static int setup_private_users(uid_t uid, gid_t gid) {
1893 _cleanup_free_ char *uid_map = NULL, *gid_map = NULL;
1894 _cleanup_close_pair_ int errno_pipe[2] = { -1, -1 };
1895 _cleanup_close_ int unshare_ready_fd = -1;
1896 _cleanup_(sigkill_waitp) pid_t pid = 0;
1897 uint64_t c = 1;
d251207d
LP		 1898 ssize_t n;
1899 int r;
1900
1901 /* Set up a user namespace and map root to root, the selected UID/GID to itself, and everything else to
1902 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1903 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1904 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1905 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
1906 * continues execution normally. */
1907
587ab01b
ZJS		 1908 if (uid != 0 && uid_is_valid(uid)) {
1909 r = asprintf(&uid_map,
1910 "0 0 1\n" /* Map root → root */
1911 UID_FMT " " UID_FMT " 1\n", /* Map $UID → $UID */
1912 uid, uid);
1913 if (r < 0)
1914 return -ENOMEM;
1915 } else {
e0f3720e 1916 uid_map = strdup("0 0 1\n"); /* The case where the above is the same */
587ab01b
ZJS		 1917 if (!uid_map)
1918 return -ENOMEM;
1919 }
d251207d 1920
587ab01b
ZJS		 1921 if (gid != 0 && gid_is_valid(gid)) {
1922 r = asprintf(&gid_map,
1923 "0 0 1\n" /* Map root → root */
1924 GID_FMT " " GID_FMT " 1\n", /* Map $GID → $GID */
1925 gid, gid);
1926 if (r < 0)
1927 return -ENOMEM;
1928 } else {
d251207d 1929 gid_map = strdup("0 0 1\n"); /* The case where the above is the same */
587ab01b
ZJS		 1930 if (!gid_map)
1931 return -ENOMEM;
1932 }
d251207d
LP		 1933
1934 /* Create a communication channel so that the parent can tell the child when it finished creating the user
1935 * namespace. */
1936 unshare_ready_fd = eventfd(0, EFD_CLOEXEC);
1937 if (unshare_ready_fd < 0)
1938 return -errno;
1939
1940 /* Create a communication channel so that the child can tell the parent a proper error code in case it
1941 * failed. */
1942 if (pipe2(errno_pipe, O_CLOEXEC) < 0)
1943 return -errno;
1944
4c253ed1
LP		 1945 r = safe_fork("(sd-userns)", FORK_RESET_SIGNALS|FORK_DEATHSIG, &pid);
1946 if (r < 0)
1947 return r;
1948 if (r == 0) {
d251207d
LP		 1949 _cleanup_close_ int fd = -1;
1950 const char *a;
1951 pid_t ppid;
1952
1953 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
1954 * here, after the parent opened its own user namespace. */
1955
1956 ppid = getppid();
1957 errno_pipe[0] = safe_close(errno_pipe[0]);
1958
1959 /* Wait until the parent unshared the user namespace */
1960 if (read(unshare_ready_fd, &c, sizeof(c)) < 0) {
1961 r = -errno;
1962 goto child_fail;
1963 }
1964
1965 /* Disable the setgroups() system call in the child user namespace, for good. */
1966 a = procfs_file_alloca(ppid, "setgroups");
1967 fd = open(a, O_WRONLY|O_CLOEXEC);
1968 if (fd < 0) {
1969 if (errno != ENOENT) {
1970 r = -errno;
1971 goto child_fail;
1972 }
1973
1974 /* If the file is missing the kernel is too old, let's continue anyway. */
1975 } else {
1976 if (write(fd, "deny\n", 5) < 0) {
1977 r = -errno;
1978 goto child_fail;
1979 }
1980
1981 fd = safe_close(fd);
1982 }
1983
1984 /* First write the GID map */
1985 a = procfs_file_alloca(ppid, "gid_map");
1986 fd = open(a, O_WRONLY|O_CLOEXEC);
1987 if (fd < 0) {
1988 r = -errno;
1989 goto child_fail;
1990 }
1991 if (write(fd, gid_map, strlen(gid_map)) < 0) {
1992 r = -errno;
1993 goto child_fail;
1994 }
1995 fd = safe_close(fd);
1996
1997 /* The write the UID map */
1998 a = procfs_file_alloca(ppid, "uid_map");
1999 fd = open(a, O_WRONLY|O_CLOEXEC);
2000 if (fd < 0) {
2001 r = -errno;
2002 goto child_fail;
2003 }
2004 if (write(fd, uid_map, strlen(uid_map)) < 0) {
2005 r = -errno;
2006 goto child_fail;
2007 }
2008
2009 _exit(EXIT_SUCCESS);
2010
2011 child_fail:
2012 (void) write(errno_pipe[1], &r, sizeof(r));
2013 _exit(EXIT_FAILURE);
2014 }
2015
2016 errno_pipe[1] = safe_close(errno_pipe[1]);
2017
2018 if (unshare(CLONE_NEWUSER) < 0)
2019 return -errno;
2020
2021 /* Let the child know that the namespace is ready now */
2022 if (write(unshare_ready_fd, &c, sizeof(c)) < 0)
2023 return -errno;
2024
2025 /* Try to read an error code from the child */
2026 n = read(errno_pipe[0], &r, sizeof(r));
2027 if (n < 0)
2028 return -errno;
2029 if (n == sizeof(r)) { /* an error code was sent to us */
2030 if (r < 0)
2031 return r;
2032 return -EIO;
2033 }
2034 if (n != 0) /* on success we should have read 0 bytes */
2035 return -EIO;
2036
2e87a1fd
LP		 2037 r = wait_for_terminate_and_check("(sd-userns)", pid, 0);
2038 pid = 0;
d251207d
LP		 2039 if (r < 0)
2040 return r;
2e87a1fd 2041 if (r != EXIT_SUCCESS) /* If something strange happened with the child, let's consider this fatal, too */
d251207d
LP		 2042 return -EIO;
2043
2044 return 0;
2045}
2046
3536f49e 2047static int setup_exec_directory(
07689d5d
LP		 2048 const ExecContext *context,
2049 const ExecParameters *params,
2050 uid_t uid,
3536f49e 2051 gid_t gid,
3536f49e
YW		 2052 ExecDirectoryType type,
2053 int *exit_status) {
07689d5d 2054
72fd1768 2055 static const int exit_status_table[_EXEC_DIRECTORY_TYPE_MAX] = {
3536f49e
YW		 2056 [EXEC_DIRECTORY_RUNTIME] = EXIT_RUNTIME_DIRECTORY,
2057 [EXEC_DIRECTORY_STATE] = EXIT_STATE_DIRECTORY,
2058 [EXEC_DIRECTORY_CACHE] = EXIT_CACHE_DIRECTORY,
2059 [EXEC_DIRECTORY_LOGS] = EXIT_LOGS_DIRECTORY,
2060 [EXEC_DIRECTORY_CONFIGURATION] = EXIT_CONFIGURATION_DIRECTORY,
2061 };
07689d5d
LP		 2062 char **rt;
2063 int r;
2064
2065 assert(context);
2066 assert(params);
72fd1768 2067 assert(type >= 0 && type < _EXEC_DIRECTORY_TYPE_MAX);
3536f49e 2068 assert(exit_status);
07689d5d 2069
3536f49e
YW		 2070 if (!params->prefix[type])
2071 return 0;
2072
8679efde 2073 if (params->flags & EXEC_CHOWN_DIRECTORIES) {
3536f49e
YW		 2074 if (!uid_is_valid(uid))
2075 uid = 0;
2076 if (!gid_is_valid(gid))
2077 gid = 0;
2078 }
2079
2080 STRV_FOREACH(rt, context->directories[type].paths) {
6c47cd7d 2081 _cleanup_free_ char *p = NULL, *pp = NULL;
07689d5d 2082
edbfeb12 2083 p = path_join(params->prefix[type], *rt);
3536f49e
YW		 2084 if (!p) {
2085 r = -ENOMEM;
2086 goto fail;
2087 }
07689d5d 2088
23a7448e
YW		 2089 r = mkdir_parents_label(p, 0755);
2090 if (r < 0)
3536f49e 2091 goto fail;
23a7448e 2092
8092a48c 2093 if (context->dynamic_user &&
40cd2ecc
LP		 2094 (!IN_SET(type, EXEC_DIRECTORY_RUNTIME, EXEC_DIRECTORY_CONFIGURATION) ||
2095 (type == EXEC_DIRECTORY_RUNTIME && context->runtime_directory_preserve_mode != EXEC_PRESERVE_NO))) {
6c9c51e5 2096 _cleanup_free_ char *private_root = NULL;
6c47cd7d 2097
3f5b1508
LP		 2098 /* So, here's one extra complication when dealing with DynamicUser=1 units. In that
2099 * case we want to avoid leaving a directory around fully accessible that is owned by
2100 * a dynamic user whose UID is later on reused. To lock this down we use the same
2101 * trick used by container managers to prohibit host users to get access to files of
2102 * the same UID in containers: we place everything inside a directory that has an
2103 * access mode of 0700 and is owned root:root, so that it acts as security boundary
2104 * for unprivileged host code. We then use fs namespacing to make this directory
2105 * permeable for the service itself.
6c47cd7d 2106 *
3f5b1508
LP		 2107 * Specifically: for a service which wants a special directory "foo/" we first create
2108 * a directory "private/" with access mode 0700 owned by root:root. Then we place
2109 * "foo" inside of that directory (i.e. "private/foo/"), and make "foo" a symlink to
2110 * "private/foo". This way, privileged host users can access "foo/" as usual, but
2111 * unprivileged host users can't look into it. Inside of the namespace of the unit
2112 * "private/" is replaced by a more liberally accessible tmpfs, into which the host's
2113 * "private/foo/" is mounted under the same name, thus disabling the access boundary
2114 * for the service and making sure it only gets access to the dirs it needs but no
2115 * others. Tricky? Yes, absolutely, but it works!
6c47cd7d 2116 *
3f5b1508
LP		 2117 * Note that we don't do this for EXEC_DIRECTORY_CONFIGURATION as that's assumed not
2118 * to be owned by the service itself.
2119 *
2120 * Also, note that we don't do this for EXEC_DIRECTORY_RUNTIME as that's often used
2121 * for sharing files or sockets with other services. */
6c47cd7d 2122
edbfeb12 2123 private_root = path_join(params->prefix[type], "private");
6c47cd7d
LP		 2124 if (!private_root) {
2125 r = -ENOMEM;
2126 goto fail;
2127 }
2128
2129 /* First set up private root if it doesn't exist yet, with access mode 0700 and owned by root:root */
37c1d5e9 2130 r = mkdir_safe_label(private_root, 0700, 0, 0, MKDIR_WARN_MODE);
6c47cd7d
LP		 2131 if (r < 0)
2132 goto fail;
2133
edbfeb12 2134 pp = path_join(private_root, *rt);
6c47cd7d
LP		 2135 if (!pp) {
2136 r = -ENOMEM;
2137 goto fail;
2138 }
2139
2140 /* Create all directories between the configured directory and this private root, and mark them 0755 */
2141 r = mkdir_parents_label(pp, 0755);
2142 if (r < 0)
2143 goto fail;
2144
949befd3
LP		 2145 if (is_dir(p, false) > 0 &&
2146 (laccess(pp, F_OK) < 0 && errno == ENOENT)) {
2147
2148 /* Hmm, the private directory doesn't exist yet, but the normal one exists? If so, move
2149 * it over. Most likely the service has been upgraded from one that didn't use
2150 * DynamicUser=1, to one that does. */
2151
cf52c45d
LP		 2152 log_info("Found pre-existing public %s= directory %s, migrating to %s.\n"
2153 "Apparently, service previously had DynamicUser= turned off, and has now turned it on.",
2154 exec_directory_type_to_string(type), p, pp);
2155
949befd3
LP		 2156 if (rename(p, pp) < 0) {
2157 r = -errno;
2158 goto fail;
2159 }
2160 } else {
2161 /* Otherwise, create the actual directory for the service */
2162
2163 r = mkdir_label(pp, context->directories[type].mode);
2164 if (r < 0 && r != -EEXIST)
2165 goto fail;
2166 }
6c47cd7d 2167
6c47cd7d 2168 /* And link it up from the original place */
6c9c51e5 2169 r = symlink_idempotent(pp, p, true);
6c47cd7d
LP		 2170 if (r < 0)
2171 goto fail;
2172
6c47cd7d 2173 } else {
5c6d40d1
LP		 2174 _cleanup_free_ char *target = NULL;
2175
2176 if (type != EXEC_DIRECTORY_CONFIGURATION &&
2177 readlink_and_make_absolute(p, &target) >= 0) {
2178 _cleanup_free_ char *q = NULL;
2179
2180 /* This already exists and is a symlink? Interesting. Maybe it's one created
2193f17c
LP		 2181 * by DynamicUser=1 (see above)?
2182 *
2183 * We do this for all directory types except for ConfigurationDirectory=,
2184 * since they all support the private/ symlink logic at least in some
2185 * configurations, see above. */
5c6d40d1
LP		 2186
2187 q = path_join(params->prefix[type], "private", *rt);
2188 if (!q) {
2189 r = -ENOMEM;
2190 goto fail;
2191 }
2192
2193 if (path_equal(q, target)) {
2194
2195 /* Hmm, apparently DynamicUser= was once turned on for this service,
2196 * but is no longer. Let's move the directory back up. */
2197
cf52c45d
LP		 2198 log_info("Found pre-existing private %s= directory %s, migrating to %s.\n"
2199 "Apparently, service previously had DynamicUser= turned on, and has now turned it off.",
2200 exec_directory_type_to_string(type), q, p);
2201
5c6d40d1
LP		 2202 if (unlink(p) < 0) {
2203 r = -errno;
2204 goto fail;
2205 }
2206
2207 if (rename(q, p) < 0) {
2208 r = -errno;
2209 goto fail;
2210 }
2211 }
2212 }
2213
6c47cd7d 2214 r = mkdir_label(p, context->directories[type].mode);
d484580c 2215 if (r < 0) {
d484580c
LP		 2216 if (r != -EEXIST)
2217 goto fail;
2218
206e9864
LP		 2219 if (type == EXEC_DIRECTORY_CONFIGURATION) {
2220 struct stat st;
2221
2222 /* Don't change the owner/access mode of the configuration directory,
2223 * as in the common case it is not written to by a service, and shall
2224 * not be writable. */
2225
2226 if (stat(p, &st) < 0) {
2227 r = -errno;
2228 goto fail;
2229 }
2230
2231 /* Still complain if the access mode doesn't match */
2232 if (((st.st_mode ^ context->directories[type].mode) & 07777) != 0)
2233 log_warning("%s \'%s\' already exists but the mode is different. "
2234 "(File system: %o %sMode: %o)",
2235 exec_directory_type_to_string(type), *rt,
2236 st.st_mode & 07777, exec_directory_type_to_string(type), context->directories[type].mode & 07777);
2237
6cff72eb 2238 continue;
206e9864 2239 }
6cff72eb 2240 }
a1164ae3 2241 }
07689d5d 2242
206e9864 2243 /* Lock down the access mode (we use chmod_and_chown() to make this idempotent. We don't
5238e957 2244 * specify UID/GID here, so that path_chown_recursive() can optimize things depending on the
206e9864
LP		 2245 * current UID/GID ownership.) */
2246 r = chmod_and_chown(pp ?: p, context->directories[type].mode, UID_INVALID, GID_INVALID);
2247 if (r < 0)
2248 goto fail;
c71b2eb7 2249
607b358e
LP		 2250 /* Then, change the ownership of the whole tree, if necessary. When dynamic users are used we
2251 * drop the suid/sgid bits, since we really don't want SUID/SGID files for dynamic UID/GID
2252 * assignments to exist.*/
2253 r = path_chown_recursive(pp ?: p, uid, gid, context->dynamic_user ? 01777 : 07777);
07689d5d 2254 if (r < 0)
3536f49e 2255 goto fail;
07689d5d
LP		 2256 }
2257
2258 return 0;
3536f49e
YW		 2259
2260fail:
2261 *exit_status = exit_status_table[type];
3536f49e 2262 return r;
07689d5d
LP		 2263}
2264
92b423b9 2265#if ENABLE_SMACK
cefc33ae
LP		 2266static int setup_smack(
2267 const ExecContext *context,
2268 const ExecCommand *command) {
2269
cefc33ae
LP		 2270 int r;
2271
2272 assert(context);
2273 assert(command);
2274
cefc33ae
LP		 2275 if (context->smack_process_label) {
2276 r = mac_smack_apply_pid(0, context->smack_process_label);
2277 if (r < 0)
2278 return r;
2279 }
2280#ifdef SMACK_DEFAULT_PROCESS_LABEL
2281 else {
2282 _cleanup_free_ char *exec_label = NULL;
2283
2284 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
4c701096 2285 if (r < 0 && !IN_SET(r, -ENODATA, -EOPNOTSUPP))
cefc33ae
LP		 2286 return r;
2287
2288 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
2289 if (r < 0)
2290 return r;
2291 }
cefc33ae
LP		 2292#endif
2293
2294 return 0;
2295}
92b423b9 2296#endif
cefc33ae 2297
6c47cd7d
LP		 2298static int compile_bind_mounts(
2299 const ExecContext *context,
2300 const ExecParameters *params,
2301 BindMount **ret_bind_mounts,
da6053d0 2302 size_t *ret_n_bind_mounts,
6c47cd7d
LP		 2303 char ***ret_empty_directories) {
2304
2305 _cleanup_strv_free_ char **empty_directories = NULL;
2306 BindMount *bind_mounts;
da6053d0 2307 size_t n, h = 0, i;
6c47cd7d
LP		 2308 ExecDirectoryType t;
2309 int r;
2310
2311 assert(context);
2312 assert(params);
2313 assert(ret_bind_mounts);
2314 assert(ret_n_bind_mounts);
2315 assert(ret_empty_directories);
2316
2317 n = context->n_bind_mounts;
2318 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
2319 if (!params->prefix[t])
2320 continue;
2321
2322 n += strv_length(context->directories[t].paths);
2323 }
2324
2325 if (n <= 0) {
2326 *ret_bind_mounts = NULL;
2327 *ret_n_bind_mounts = 0;
2328 *ret_empty_directories = NULL;
2329 return 0;
2330 }
2331
2332 bind_mounts = new(BindMount, n);
2333 if (!bind_mounts)
2334 return -ENOMEM;
2335
a8cabc61 2336 for (i = 0; i < context->n_bind_mounts; i++) {
6c47cd7d
LP		 2337 BindMount *item = context->bind_mounts + i;
2338 char *s, *d;
2339
2340 s = strdup(item->source);
2341 if (!s) {
2342 r = -ENOMEM;
2343 goto finish;
2344 }
2345
2346 d = strdup(item->destination);
2347 if (!d) {
2348 free(s);
2349 r = -ENOMEM;
2350 goto finish;
2351 }
2352
2353 bind_mounts[h++] = (BindMount) {
2354 .source = s,
2355 .destination = d,
2356 .read_only = item->read_only,
2357 .recursive = item->recursive,
2358 .ignore_enoent = item->ignore_enoent,
2359 };
2360 }
2361
2362 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
2363 char **suffix;
2364
2365 if (!params->prefix[t])
2366 continue;
2367
2368 if (strv_isempty(context->directories[t].paths))
2369 continue;
2370
8092a48c 2371 if (context->dynamic_user &&
5609f688
YW		 2372 !IN_SET(t, EXEC_DIRECTORY_RUNTIME, EXEC_DIRECTORY_CONFIGURATION) &&
2373 !(context->root_directory || context->root_image)) {
6c47cd7d
LP		 2374 char *private_root;
2375
2376 /* So this is for a dynamic user, and we need to make sure the process can access its own
2377 * directory. For that we overmount the usually inaccessible "private" subdirectory with a
2378 * tmpfs that makes it accessible and is empty except for the submounts we do this for. */
2379
657ee2d8 2380 private_root = path_join(params->prefix[t], "private");
6c47cd7d
LP		 2381 if (!private_root) {
2382 r = -ENOMEM;
2383 goto finish;
2384 }
2385
2386 r = strv_consume(&empty_directories, private_root);
a635a7ae 2387 if (r < 0)
6c47cd7d 2388 goto finish;
6c47cd7d
LP		 2389 }
2390
2391 STRV_FOREACH(suffix, context->directories[t].paths) {
2392 char *s, *d;
2393
8092a48c
YW		 2394 if (context->dynamic_user &&
2395 !IN_SET(t, EXEC_DIRECTORY_RUNTIME, EXEC_DIRECTORY_CONFIGURATION))
657ee2d8 2396 s = path_join(params->prefix[t], "private", *suffix);
6c47cd7d 2397 else
657ee2d8 2398 s = path_join(params->prefix[t], *suffix);
6c47cd7d
LP		 2399 if (!s) {
2400 r = -ENOMEM;
2401 goto finish;
2402 }
2403
5609f688
YW		 2404 if (context->dynamic_user &&
2405 !IN_SET(t, EXEC_DIRECTORY_RUNTIME, EXEC_DIRECTORY_CONFIGURATION) &&
2406 (context->root_directory || context->root_image))
2407 /* When RootDirectory= or RootImage= are set, then the symbolic link to the private
2408 * directory is not created on the root directory. So, let's bind-mount the directory
2409 * on the 'non-private' place. */
657ee2d8 2410 d = path_join(params->prefix[t], *suffix);
5609f688
YW		 2411 else
2412 d = strdup(s);
6c47cd7d
LP		 2413 if (!d) {
2414 free(s);
2415 r = -ENOMEM;
2416 goto finish;
2417 }
2418
2419 bind_mounts[h++] = (BindMount) {
2420 .source = s,
2421 .destination = d,
2422 .read_only = false,
9ce4e4b0 2423 .nosuid = context->dynamic_user, /* don't allow suid/sgid when DynamicUser= is on */
6c47cd7d
LP		 2424 .recursive = true,
2425 .ignore_enoent = false,
2426 };
2427 }
2428 }
2429
2430 assert(h == n);
2431
2432 *ret_bind_mounts = bind_mounts;
2433 *ret_n_bind_mounts = n;
ae2a15bc 2434 *ret_empty_directories = TAKE_PTR(empty_directories);
6c47cd7d
LP		 2435
2436 return (int) n;
2437
2438finish:
2439 bind_mount_free_many(bind_mounts, h);
2440 return r;
2441}
2442
6818c54c 2443static int apply_mount_namespace(
34cf6c43
YW		 2444 const Unit *u,
2445 const ExecCommand *command,
6818c54c
LP		 2446 const ExecContext *context,
2447 const ExecParameters *params,
7cc5ef5f
ZJS		 2448 const ExecRuntime *runtime,
2449 char **error_path) {
6818c54c 2450
7bcef4ef 2451 _cleanup_strv_free_ char **empty_directories = NULL;
93c6bb51 2452 char *tmp = NULL, *var = NULL;
915e6d16 2453 const char *root_dir = NULL, *root_image = NULL;
228af36f 2454 NamespaceInfo ns_info;
165a31c0 2455 bool needs_sandboxing;
6c47cd7d 2456 BindMount *bind_mounts = NULL;
da6053d0 2457 size_t n_bind_mounts = 0;
6818c54c 2458 int r;
93c6bb51 2459
2b3c1b9e
DH		 2460 assert(context);
2461
93c6bb51
DH		 2462 /* The runtime struct only contains the parent of the private /tmp,
2463 * which is non-accessible to world users. Inside of it there's a /tmp
2464 * that is sticky, and that's the one we want to use here. */
2465
2466 if (context->private_tmp && runtime) {
2467 if (runtime->tmp_dir)
2468 tmp = strjoina(runtime->tmp_dir, "/tmp");
2469 if (runtime->var_tmp_dir)
2470 var = strjoina(runtime->var_tmp_dir, "/tmp");
2471 }
2472
915e6d16
LP		 2473 if (params->flags & EXEC_APPLY_CHROOT) {
2474 root_image = context->root_image;
2475
2476 if (!root_image)
2477 root_dir = context->root_directory;
2478 }
93c6bb51 2479
6c47cd7d
LP		 2480 r = compile_bind_mounts(context, params, &bind_mounts, &n_bind_mounts, &empty_directories);
2481 if (r < 0)
2482 return r;
2483
165a31c0 2484 needs_sandboxing = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & EXEC_COMMAND_FULLY_PRIVILEGED);
b5a33299
YW		 2485 if (needs_sandboxing)
2486 ns_info = (NamespaceInfo) {
2487 .ignore_protect_paths = false,
2488 .private_dev = context->private_devices,
2489 .protect_control_groups = context->protect_control_groups,
2490 .protect_kernel_tunables = context->protect_kernel_tunables,
2491 .protect_kernel_modules = context->protect_kernel_modules,
aecd5ac6 2492 .protect_hostname = context->protect_hostname,
b5a33299 2493 .mount_apivfs = context->mount_apivfs,
228af36f 2494 .private_mounts = context->private_mounts,
b5a33299 2495 };
228af36f
LP		 2496 else if (!context->dynamic_user && root_dir)
2497 /*
2498 * If DynamicUser=no and RootDirectory= is set then lets pass a relaxed
2499 * sandbox info, otherwise enforce it, don't ignore protected paths and
2500 * fail if we are enable to apply the sandbox inside the mount namespace.
2501 */
2502 ns_info = (NamespaceInfo) {
2503 .ignore_protect_paths = true,
2504 };
2505 else
2506 ns_info = (NamespaceInfo) {};
b5a33299 2507
37ed15d7
FB		 2508 if (context->mount_flags == MS_SHARED)
2509 log_unit_debug(u, "shared mount propagation hidden by other fs namespacing unit settings: ignoring");
2510
915e6d16 2511 r = setup_namespace(root_dir, root_image,
7bcef4ef 2512 &ns_info, context->read_write_paths,
165a31c0
LP		 2513 needs_sandboxing ? context->read_only_paths : NULL,
2514 needs_sandboxing ? context->inaccessible_paths : NULL,
6c47cd7d
LP		 2515 empty_directories,
2516 bind_mounts,
2517 n_bind_mounts,
2abd4e38
YW		 2518 context->temporary_filesystems,
2519 context->n_temporary_filesystems,
93c6bb51
DH		 2520 tmp,
2521 var,
165a31c0
LP		 2522 needs_sandboxing ? context->protect_home : PROTECT_HOME_NO,
2523 needs_sandboxing ? context->protect_system : PROTECT_SYSTEM_NO,
915e6d16 2524 context->mount_flags,
7cc5ef5f
ZJS		 2525 DISSECT_IMAGE_DISCARD_ON_LOOP,
2526 error_path);
93c6bb51 2527
6c47cd7d
LP		 2528 bind_mount_free_many(bind_mounts, n_bind_mounts);
2529
1beab8b0 2530 /* If we couldn't set up the namespace this is probably due to a missing capability. setup_namespace() reports
5238e957 2531 * that with a special, recognizable error ENOANO. In this case, silently proceed, but only if exclusively
1beab8b0
LP		 2532 * sandboxing options were used, i.e. nothing such as RootDirectory= or BindMount= that would result in a
2533 * completely different execution environment. */
aca835ed
YW		 2534 if (r == -ENOANO) {
2535 if (n_bind_mounts == 0 &&
2536 context->n_temporary_filesystems == 0 &&
2537 !root_dir && !root_image &&
2538 !context->dynamic_user) {
2539 log_unit_debug(u, "Failed to set up namespace, assuming containerized execution and ignoring.");
2540 return 0;
2541 }
2542
2194547e
LP		 2543 log_unit_debug(u, "Failed to set up namespace, and refusing to continue since the selected namespacing options alter mount environment non-trivially.\n"
2544 "Bind mounts: %zu, temporary filesystems: %zu, root directory: %s, root image: %s, dynamic user: %s",
2545 n_bind_mounts, context->n_temporary_filesystems, yes_no(root_dir), yes_no(root_image), yes_no(context->dynamic_user));
2546
aca835ed 2547 return -EOPNOTSUPP;
93c6bb51
DH		 2548 }
2549
2550 return r;
2551}
2552
915e6d16
LP		 2553static int apply_working_directory(
2554 const ExecContext *context,
2555 const ExecParameters *params,
2556 const char *home,
376fecf6 2557 int *exit_status) {
915e6d16 2558
6732edab 2559 const char *d, *wd;
2b3c1b9e
DH		 2560
2561 assert(context);
376fecf6 2562 assert(exit_status);
2b3c1b9e 2563
6732edab
LP		 2564 if (context->working_directory_home) {
2565
376fecf6
LP		 2566 if (!home) {
2567 *exit_status = EXIT_CHDIR;
6732edab 2568 return -ENXIO;
376fecf6 2569 }
6732edab 2570
2b3c1b9e 2571 wd = home;
6732edab
LP		 2572
2573 } else if (context->working_directory)
2b3c1b9e
DH		 2574 wd = context->working_directory;
2575 else
2576 wd = "/";
e7f1e7c6 2577
fa97f630 2578 if (params->flags & EXEC_APPLY_CHROOT)
2b3c1b9e 2579 d = wd;
fa97f630 2580 else
3b0e5bb5 2581 d = prefix_roota(context->root_directory, wd);
e7f1e7c6 2582
376fecf6
LP		 2583 if (chdir(d) < 0 && !context->working_directory_missing_ok) {
2584 *exit_status = EXIT_CHDIR;
2b3c1b9e 2585 return -errno;
376fecf6 2586 }
e7f1e7c6
DH		 2587
2588 return 0;
2589}
2590
fa97f630
JB		 2591static int apply_root_directory(
2592 const ExecContext *context,
2593 const ExecParameters *params,
2594 const bool needs_mount_ns,
2595 int *exit_status) {
2596
2597 assert(context);
2598 assert(exit_status);
2599
2600 if (params->flags & EXEC_APPLY_CHROOT) {
2601 if (!needs_mount_ns && context->root_directory)
2602 if (chroot(context->root_directory) < 0) {
2603 *exit_status = EXIT_CHROOT;
2604 return -errno;
2605 }
2606 }
2607
2608 return 0;
2609}
2610
b1edf445 2611static int setup_keyring(
34cf6c43 2612 const Unit *u,
b1edf445
LP		 2613 const ExecContext *context,
2614 const ExecParameters *p,
2615 uid_t uid, gid_t gid) {
2616
74dd6b51 2617 key_serial_t keyring;
e64c2d0b
DJL		 2618 int r = 0;
2619 uid_t saved_uid;
2620 gid_t saved_gid;
74dd6b51
LP		 2621
2622 assert(u);
b1edf445 2623 assert(context);
74dd6b51
LP		 2624 assert(p);
2625
2626 /* Let's set up a new per-service "session" kernel keyring for each system service. This has the benefit that
2627 * each service runs with its own keyring shared among all processes of the service, but with no hook-up beyond
2628 * that scope, and in particular no link to the per-UID keyring. If we don't do this the keyring will be
2629 * automatically created on-demand and then linked to the per-UID keyring, by the kernel. The kernel's built-in
2630 * on-demand behaviour is very appropriate for login users, but probably not so much for system services, where
2631 * UIDs are not necessarily specific to a service but reused (at least in the case of UID 0). */
2632
b1edf445
LP		 2633 if (context->keyring_mode == EXEC_KEYRING_INHERIT)
2634 return 0;
2635
e64c2d0b
DJL		 2636 /* Acquiring a reference to the user keyring is nasty. We briefly change identity in order to get things set up
2637 * properly by the kernel. If we don't do that then we can't create it atomically, and that sucks for parallel
2638 * execution. This mimics what pam_keyinit does, too. Setting up session keyring, to be owned by the right user
2639 * & group is just as nasty as acquiring a reference to the user keyring. */
2640
2641 saved_uid = getuid();
2642 saved_gid = getgid();
2643
2644 if (gid_is_valid(gid) && gid != saved_gid) {
2645 if (setregid(gid, -1) < 0)
2646 return log_unit_error_errno(u, errno, "Failed to change GID for user keyring: %m");
2647 }
2648
2649 if (uid_is_valid(uid) && uid != saved_uid) {
2650 if (setreuid(uid, -1) < 0) {
2651 r = log_unit_error_errno(u, errno, "Failed to change UID for user keyring: %m");
2652 goto out;
2653 }
2654 }
2655
74dd6b51
LP		 2656 keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0);
2657 if (keyring == -1) {
2658 if (errno == ENOSYS)
8002fb97 2659 log_unit_debug_errno(u, errno, "Kernel keyring not supported, ignoring.");
74dd6b51 2660 else if (IN_SET(errno, EACCES, EPERM))
8002fb97 2661 log_unit_debug_errno(u, errno, "Kernel keyring access prohibited, ignoring.");
74dd6b51 2662 else if (errno == EDQUOT)
8002fb97 2663 log_unit_debug_errno(u, errno, "Out of kernel keyrings to allocate, ignoring.");
74dd6b51 2664 else
e64c2d0b 2665 r = log_unit_error_errno(u, errno, "Setting up kernel keyring failed: %m");
74dd6b51 2666
e64c2d0b 2667 goto out;
74dd6b51
LP		 2668 }
2669
e64c2d0b
DJL		 2670 /* When requested link the user keyring into the session keyring. */
2671 if (context->keyring_mode == EXEC_KEYRING_SHARED) {
2672
2673 if (keyctl(KEYCTL_LINK,
2674 KEY_SPEC_USER_KEYRING,
2675 KEY_SPEC_SESSION_KEYRING, 0, 0) < 0) {
2676 r = log_unit_error_errno(u, errno, "Failed to link user keyring into session keyring: %m");
2677 goto out;
2678 }
2679 }
2680
2681 /* Restore uid/gid back */
2682 if (uid_is_valid(uid) && uid != saved_uid) {
2683 if (setreuid(saved_uid, -1) < 0) {
2684 r = log_unit_error_errno(u, errno, "Failed to change UID back for user keyring: %m");
2685 goto out;
2686 }
2687 }
2688
2689 if (gid_is_valid(gid) && gid != saved_gid) {
2690 if (setregid(saved_gid, -1) < 0)
2691 return log_unit_error_errno(u, errno, "Failed to change GID back for user keyring: %m");
2692 }
2693
2694 /* Populate they keyring with the invocation ID by default, as original saved_uid. */
b3415f5d
LP		 2695 if (!sd_id128_is_null(u->invocation_id)) {
2696 key_serial_t key;
2697
2698 key = add_key("user", "invocation_id", &u->invocation_id, sizeof(u->invocation_id), KEY_SPEC_SESSION_KEYRING);
2699 if (key == -1)
8002fb97 2700 log_unit_debug_errno(u, errno, "Failed to add invocation ID to keyring, ignoring: %m");
b3415f5d
LP		 2701 else {
2702 if (keyctl(KEYCTL_SETPERM, key,
2703 KEY_POS_VIEW|KEY_POS_READ|KEY_POS_SEARCH|
2704 KEY_USR_VIEW|KEY_USR_READ|KEY_USR_SEARCH, 0, 0) < 0)
e64c2d0b 2705 r = log_unit_error_errno(u, errno, "Failed to restrict invocation ID permission: %m");
b3415f5d
LP		 2706 }
2707 }
2708
e64c2d0b
DJL		 2709out:
2710 /* Revert back uid & gid for the the last time, and exit */
2711 /* no extra logging, as only the first already reported error matters */
2712 if (getuid() != saved_uid)
2713 (void) setreuid(saved_uid, -1);
b1edf445 2714
e64c2d0b
DJL		 2715 if (getgid() != saved_gid)
2716 (void) setregid(saved_gid, -1);
b1edf445 2717
e64c2d0b 2718 return r;
74dd6b51
LP		 2719}
2720
3042bbeb 2721static void append_socket_pair(int *array, size_t *n, const int pair[static 2]) {
29206d46
LP		 2722 assert(array);
2723 assert(n);
2724
2725 if (!pair)
2726 return;
2727
2728 if (pair[0] >= 0)
2729 array[(*n)++] = pair[0];
2730 if (pair[1] >= 0)
2731 array[(*n)++] = pair[1];
2732}
2733
a34ceba6
LP		 2734static int close_remaining_fds(
2735 const ExecParameters *params,
34cf6c43
YW		 2736 const ExecRuntime *runtime,
2737 const DynamicCreds *dcreds,
00d9ef85 2738 int user_lookup_fd,
a34ceba6 2739 int socket_fd,
5686391b 2740 int exec_fd,
da6053d0 2741 int *fds, size_t n_fds) {
a34ceba6 2742
da6053d0 2743 size_t n_dont_close = 0;
00d9ef85 2744 int dont_close[n_fds + 12];
a34ceba6
LP		 2745
2746 assert(params);
2747
2748 if (params->stdin_fd >= 0)
2749 dont_close[n_dont_close++] = params->stdin_fd;
2750 if (params->stdout_fd >= 0)
2751 dont_close[n_dont_close++] = params->stdout_fd;
2752 if (params->stderr_fd >= 0)
2753 dont_close[n_dont_close++] = params->stderr_fd;
2754
2755 if (socket_fd >= 0)
2756 dont_close[n_dont_close++] = socket_fd;
5686391b
LP		 2757 if (exec_fd >= 0)
2758 dont_close[n_dont_close++] = exec_fd;
a34ceba6
LP		 2759 if (n_fds > 0) {
2760 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
2761 n_dont_close += n_fds;
2762 }
2763
29206d46
LP		 2764 if (runtime)
2765 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
2766
2767 if (dcreds) {
2768 if (dcreds->user)
2769 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
2770 if (dcreds->group)
2771 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
a34ceba6
LP		 2772 }
2773
00d9ef85
LP		 2774 if (user_lookup_fd >= 0)
2775 dont_close[n_dont_close++] = user_lookup_fd;
2776
a34ceba6
LP		 2777 return close_all_fds(dont_close, n_dont_close);
2778}
2779
00d9ef85
LP		 2780static int send_user_lookup(
2781 Unit *unit,
2782 int user_lookup_fd,
2783 uid_t uid,
2784 gid_t gid) {
2785
2786 assert(unit);
2787
2788 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
2789 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
2790 * specified. */
2791
2792 if (user_lookup_fd < 0)
2793 return 0;
2794
2795 if (!uid_is_valid(uid) && !gid_is_valid(gid))
2796 return 0;
2797
2798 if (writev(user_lookup_fd,
2799 (struct iovec[]) {
e6a7ec4b
LP		 2800 IOVEC_INIT(&uid, sizeof(uid)),
2801 IOVEC_INIT(&gid, sizeof(gid)),
2802 IOVEC_INIT_STRING(unit->id) }, 3) < 0)
00d9ef85
LP		 2803 return -errno;
2804
2805 return 0;
2806}
2807
6732edab
LP		 2808static int acquire_home(const ExecContext *c, uid_t uid, const char** home, char **buf) {
2809 int r;
2810
2811 assert(c);
2812 assert(home);
2813 assert(buf);
2814
2815 /* If WorkingDirectory=~ is set, try to acquire a usable home directory. */
2816
2817 if (*home)
2818 return 0;
2819
2820 if (!c->working_directory_home)
2821 return 0;
2822
6732edab
LP		 2823 r = get_home_dir(buf);
2824 if (r < 0)
2825 return r;
2826
2827 *home = *buf;
2828 return 1;
2829}
2830
da50b85a
LP		 2831static int compile_suggested_paths(const ExecContext *c, const ExecParameters *p, char ***ret) {
2832 _cleanup_strv_free_ char ** list = NULL;
2833 ExecDirectoryType t;
2834 int r;
2835
2836 assert(c);
2837 assert(p);
2838 assert(ret);
2839
2840 assert(c->dynamic_user);
2841
2842 /* Compile a list of paths that it might make sense to read the owning UID from to use as initial candidate for
2843 * dynamic UID allocation, in order to save us from doing costly recursive chown()s of the special
2844 * directories. */
2845
2846 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
2847 char **i;
2848
2849 if (t == EXEC_DIRECTORY_CONFIGURATION)
2850 continue;
2851
2852 if (!p->prefix[t])
2853 continue;
2854
2855 STRV_FOREACH(i, c->directories[t].paths) {
2856 char *e;
2857
8092a48c 2858 if (t == EXEC_DIRECTORY_RUNTIME)
657ee2d8 2859 e = path_join(p->prefix[t], *i);
8092a48c 2860 else
657ee2d8 2861 e = path_join(p->prefix[t], "private", *i);
da50b85a
LP		 2862 if (!e)
2863 return -ENOMEM;
2864
2865 r = strv_consume(&list, e);
2866 if (r < 0)
2867 return r;
2868 }
2869 }
2870
ae2a15bc 2871 *ret = TAKE_PTR(list);
da50b85a
LP		 2872
2873 return 0;
2874}
2875
34cf6c43
YW		 2876static char *exec_command_line(char **argv);
2877
78f93209
LP		 2878static int exec_parameters_get_cgroup_path(const ExecParameters *params, char **ret) {
2879 bool using_subcgroup;
2880 char *p;
2881
2882 assert(params);
2883 assert(ret);
2884
2885 if (!params->cgroup_path)
2886 return -EINVAL;
2887
2888 /* If we are called for a unit where cgroup delegation is on, and the payload created its own populated
2889 * subcgroup (which we expect it to do, after all it asked for delegation), then we cannot place the control
2890 * processes started after the main unit's process in the unit's main cgroup because it is now an inner one,
2891 * and inner cgroups may not contain processes. Hence, if delegation is on, and this is a control process,
2892 * let's use ".control" as subcgroup instead. Note that we do so only for ExecStartPost=, ExecReload=,
2893 * ExecStop=, ExecStopPost=, i.e. for the commands where the main process is already forked. For ExecStartPre=
2894 * this is not necessary, the cgroup is still empty. We distinguish these cases with the EXEC_CONTROL_CGROUP
2895 * flag, which is only passed for the former statements, not for the latter. */
2896
2897 using_subcgroup = FLAGS_SET(params->flags, EXEC_CONTROL_CGROUP|EXEC_CGROUP_DELEGATE|EXEC_IS_CONTROL);
2898 if (using_subcgroup)
657ee2d8 2899 p = path_join(params->cgroup_path, ".control");
78f93209
LP		 2900 else
2901 p = strdup(params->cgroup_path);
2902 if (!p)
2903 return -ENOMEM;
2904
2905 *ret = p;
2906 return using_subcgroup;
2907}
2908
ff0af2a1 2909static int exec_child(
f2341e0a 2910 Unit *unit,
34cf6c43 2911 const ExecCommand *command,
ff0af2a1
LP		 2912 const ExecContext *context,
2913 const ExecParameters *params,
2914 ExecRuntime *runtime,
29206d46 2915 DynamicCreds *dcreds,
ff0af2a1 2916 int socket_fd,
52c239d7 2917 int named_iofds[3],
4c47affc 2918 int *fds,
da6053d0 2919 size_t n_socket_fds,
25b583d7 2920 size_t n_storage_fds,
ff0af2a1 2921 char **files_env,
00d9ef85 2922 int user_lookup_fd,
12145637 2923 int *exit_status) {
d35fbf6b 2924
7ca69792 2925 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **replaced_argv = NULL;
5686391b 2926 int *fds_with_exec_fd, n_fds_with_exec_fd, r, ngids = 0, exec_fd = -1;
4d885bd3
DH		 2927 _cleanup_free_ gid_t *supplementary_gids = NULL;
2928 const char *username = NULL, *groupname = NULL;
5686391b 2929 _cleanup_free_ char *home_buffer = NULL;
2b3c1b9e 2930 const char *home = NULL, *shell = NULL;
7ca69792 2931 char **final_argv = NULL;
7bce046b
LP		 2932 dev_t journal_stream_dev = 0;
2933 ino_t journal_stream_ino = 0;
165a31c0
LP		 2934 bool needs_sandboxing, /* Do we need to set up full sandboxing? (i.e. all namespacing, all MAC stuff, caps, yadda yadda */
2935 needs_setuid, /* Do we need to do the actual setresuid()/setresgid() calls? */
2936 needs_mount_namespace, /* Do we need to set up a mount namespace for this kernel? */
2937 needs_ambient_hack; /* Do we need to apply the ambient capabilities hack? */
349cc4a5 2938#if HAVE_SELINUX
7f59dd35 2939 _cleanup_free_ char *mac_selinux_context_net = NULL;
43b1f709 2940 bool use_selinux = false;
ecfbc84f 2941#endif
f9fa32f0 2942#if ENABLE_SMACK
43b1f709 2943 bool use_smack = false;
ecfbc84f 2944#endif
349cc4a5 2945#if HAVE_APPARMOR
43b1f709 2946 bool use_apparmor = false;
ecfbc84f 2947#endif
fed1e721
LP		 2948 uid_t uid = UID_INVALID;
2949 gid_t gid = GID_INVALID;
da6053d0 2950 size_t n_fds;
3536f49e 2951 ExecDirectoryType dt;
165a31c0 2952 int secure_bits;
034c6ed7 2953
f2341e0a 2954 assert(unit);
5cb5a6ff
LP		 2955 assert(command);
2956 assert(context);
d35fbf6b 2957 assert(params);
ff0af2a1 2958 assert(exit_status);
d35fbf6b
DM		 2959
2960 rename_process_from_path(command->path);
2961
2962 /* We reset exactly these signals, since they are the
2963 * only ones we set to SIG_IGN in the main daemon. All
2964 * others we leave untouched because we set them to
2965 * SIG_DFL or a valid handler initially, both of which
2966 * will be demoted to SIG_DFL. */
ce30c8dc
LP		 2967 (void) default_signals(SIGNALS_CRASH_HANDLER,
2968 SIGNALS_IGNORE, -1);
d35fbf6b
DM		 2969
2970 if (context->ignore_sigpipe)
ce30c8dc 2971 (void) ignore_signals(SIGPIPE, -1);
d35fbf6b 2972
ff0af2a1
LP		 2973 r = reset_signal_mask();
2974 if (r < 0) {
2975 *exit_status = EXIT_SIGNAL_MASK;
12145637 2976 return log_unit_error_errno(unit, r, "Failed to set process signal mask: %m");
d35fbf6b 2977 }
034c6ed7 2978
d35fbf6b
DM		 2979 if (params->idle_pipe)
2980 do_idle_pipe_dance(params->idle_pipe);
4f2d528d 2981
2c027c62
LP		 2982 /* Close fds we don't need very early to make sure we don't block init reexecution because it cannot bind its
2983 * sockets. Among the fds we close are the logging fds, and we want to keep them closed, so that we don't have
2984 * any fds open we don't really want open during the transition. In order to make logging work, we switch the
2985 * log subsystem into open_when_needed mode, so that it reopens the logs on every single log call. */
ff0af2a1 2986
d35fbf6b 2987 log_forget_fds();
2c027c62 2988 log_set_open_when_needed(true);
4f2d528d 2989
40a80078
LP		 2990 /* In case anything used libc syslog(), close this here, too */
2991 closelog();
2992
5686391b
LP		 2993 n_fds = n_socket_fds + n_storage_fds;
2994 r = close_remaining_fds(params, runtime, dcreds, user_lookup_fd, socket_fd, params->exec_fd, fds, n_fds);
ff0af2a1
LP		 2995 if (r < 0) {
2996 *exit_status = EXIT_FDS;
12145637 2997 return log_unit_error_errno(unit, r, "Failed to close unwanted file descriptors: %m");
8c7be95e
LP		 2998 }
2999
d35fbf6b
DM		 3000 if (!context->same_pgrp)
3001 if (setsid() < 0) {
ff0af2a1 3002 *exit_status = EXIT_SETSID;
12145637 3003 return log_unit_error_errno(unit, errno, "Failed to create new process session: %m");
d35fbf6b 3004 }
9e2f7c11 3005
1e22b5cd 3006 exec_context_tty_reset(context, params);
d35fbf6b 3007
c891efaf 3008 if (unit_shall_confirm_spawn(unit)) {
7d5ceb64 3009 const char *vc = params->confirm_spawn;
3b20f877
FB		 3010 _cleanup_free_ char *cmdline = NULL;
3011
ee39ca20 3012 cmdline = exec_command_line(command->argv);
3b20f877 3013 if (!cmdline) {
0460aa5c 3014 *exit_status = EXIT_MEMORY;
12145637 3015 return log_oom();
3b20f877 3016 }
d35fbf6b 3017
eedf223a 3018 r = ask_for_confirmation(vc, unit, cmdline);
3b20f877
FB		 3019 if (r != CONFIRM_EXECUTE) {
3020 if (r == CONFIRM_PRETEND_SUCCESS) {
3021 *exit_status = EXIT_SUCCESS;
3022 return 0;
3023 }
ff0af2a1 3024 *exit_status = EXIT_CONFIRM;
12145637 3025 log_unit_error(unit, "Execution cancelled by the user");
d35fbf6b 3026 return -ECANCELED;
d35fbf6b
DM		 3027 }
3028 }
1a63a750 3029
d521916d
LP		 3030 /* We are about to invoke NSS and PAM modules. Let's tell them what we are doing here, maybe they care. This is
3031 * used by nss-resolve to disable itself when we are about to start systemd-resolved, to avoid deadlocks. Note
3032 * that these env vars do not survive the execve(), which means they really only apply to the PAM and NSS
3033 * invocations themselves. Also note that while we'll only invoke NSS modules involved in user management they
3034 * might internally call into other NSS modules that are involved in hostname resolution, we never know. */
3035 if (setenv("SYSTEMD_ACTIVATION_UNIT", unit->id, true) != 0 ||
3036 setenv("SYSTEMD_ACTIVATION_SCOPE", MANAGER_IS_SYSTEM(unit->manager) ? "system" : "user", true) != 0) {
3037 *exit_status = EXIT_MEMORY;
3038 return log_unit_error_errno(unit, errno, "Failed to update environment: %m");
3039 }
3040
29206d46 3041 if (context->dynamic_user && dcreds) {
da50b85a 3042 _cleanup_strv_free_ char **suggested_paths = NULL;
29206d46 3043
d521916d
LP		 3044 /* On top of that, make sure we bypass our own NSS module nss-systemd comprehensively for any NSS
3045 * checks, if DynamicUser=1 is used, as we shouldn't create a feedback loop with ourselves here.*/
409093fe
LP		 3046 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
3047 *exit_status = EXIT_USER;
12145637 3048 return log_unit_error_errno(unit, errno, "Failed to update environment: %m");
409093fe
LP		 3049 }
3050
da50b85a
LP		 3051 r = compile_suggested_paths(context, params, &suggested_paths);
3052 if (r < 0) {
3053 *exit_status = EXIT_MEMORY;
3054 return log_oom();
3055 }
3056
3057 r = dynamic_creds_realize(dcreds, suggested_paths, &uid, &gid);
ff0af2a1
LP		 3058 if (r < 0) {
3059 *exit_status = EXIT_USER;
e2b0cc34
YW		 3060 if (r == -EILSEQ) {
3061 log_unit_error(unit, "Failed to update dynamic user credentials: User or group with specified name already exists.");
3062 return -EOPNOTSUPP;
3063 }
12145637 3064 return log_unit_error_errno(unit, r, "Failed to update dynamic user credentials: %m");
524daa8c 3065 }
524daa8c 3066
70dd455c 3067 if (!uid_is_valid(uid)) {
29206d46 3068 *exit_status = EXIT_USER;
12145637 3069 log_unit_error(unit, "UID validation failed for \""UID_FMT"\"", uid);
70dd455c
ZJS		 3070 return -ESRCH;
3071 }
3072
3073 if (!gid_is_valid(gid)) {
3074 *exit_status = EXIT_USER;
12145637 3075 log_unit_error(unit, "GID validation failed for \""GID_FMT"\"", gid);
29206d46
LP		 3076 return -ESRCH;
3077 }
5bc7452b 3078
29206d46
LP		 3079 if (dcreds->user)
3080 username = dcreds->user->name;
3081
3082 } else {
4d885bd3
DH		 3083 r = get_fixed_user(context, &username, &uid, &gid, &home, &shell);
3084 if (r < 0) {
3085 *exit_status = EXIT_USER;
12145637 3086 return log_unit_error_errno(unit, r, "Failed to determine user credentials: %m");
5bc7452b 3087 }
5bc7452b 3088
4d885bd3
DH		 3089 r = get_fixed_group(context, &groupname, &gid);
3090 if (r < 0) {
3091 *exit_status = EXIT_GROUP;
12145637 3092 return log_unit_error_errno(unit, r, "Failed to determine group credentials: %m");
4d885bd3 3093 }
cdc5d5c5 3094 }
29206d46 3095
cdc5d5c5
DH		 3096 /* Initialize user supplementary groups and get SupplementaryGroups= ones */
3097 r = get_supplementary_groups(context, username, groupname, gid,
3098 &supplementary_gids, &ngids);
3099 if (r < 0) {
3100 *exit_status = EXIT_GROUP;
12145637 3101 return log_unit_error_errno(unit, r, "Failed to determine supplementary groups: %m");
29206d46 3102 }
5bc7452b 3103
00d9ef85
LP		 3104 r = send_user_lookup(unit, user_lookup_fd, uid, gid);
3105 if (r < 0) {
3106 *exit_status = EXIT_USER;
12145637 3107 return log_unit_error_errno(unit, r, "Failed to send user credentials to PID1: %m");
00d9ef85
LP		 3108 }
3109
3110 user_lookup_fd = safe_close(user_lookup_fd);
3111
6732edab
LP		 3112 r = acquire_home(context, uid, &home, &home_buffer);
3113 if (r < 0) {
3114 *exit_status = EXIT_CHDIR;
12145637 3115 return log_unit_error_errno(unit, r, "Failed to determine $HOME for user: %m");
6732edab
LP		 3116 }
3117
d35fbf6b
DM		 3118 /* If a socket is connected to STDIN/STDOUT/STDERR, we
3119 * must sure to drop O_NONBLOCK */
3120 if (socket_fd >= 0)
a34ceba6 3121 (void) fd_nonblock(socket_fd, false);
acbb0225 3122
4c70a4a7
MS		 3123 /* Journald will try to look-up our cgroup in order to populate _SYSTEMD_CGROUP and _SYSTEMD_UNIT fields.
3124 * Hence we need to migrate to the target cgroup from init.scope before connecting to journald */
3125 if (params->cgroup_path) {
3126 _cleanup_free_ char *p = NULL;
3127
3128 r = exec_parameters_get_cgroup_path(params, &p);
3129 if (r < 0) {
3130 *exit_status = EXIT_CGROUP;
3131 return log_unit_error_errno(unit, r, "Failed to acquire cgroup path: %m");
3132 }
3133
3134 r = cg_attach_everywhere(params->cgroup_supported, p, 0, NULL, NULL);
3135 if (r < 0) {
3136 *exit_status = EXIT_CGROUP;
3137 return log_unit_error_errno(unit, r, "Failed to attach to cgroup %s: %m", p);
3138 }
3139 }
3140
a8d08f39
LP		 3141 if (context->network_namespace_path && runtime && runtime->netns_storage_socket[0] >= 0) {
3142 r = open_netns_path(runtime->netns_storage_socket, context->network_namespace_path);
3143 if (r < 0) {
3144 *exit_status = EXIT_NETWORK;
3145 return log_unit_error_errno(unit, r, "Failed to open network namespace path %s: %m", context->network_namespace_path);
3146 }
3147 }
3148
52c239d7 3149 r = setup_input(context, params, socket_fd, named_iofds);
ff0af2a1
LP		 3150 if (r < 0) {
3151 *exit_status = EXIT_STDIN;
12145637 3152 return log_unit_error_errno(unit, r, "Failed to set up standard input: %m");
d35fbf6b 3153 }
034c6ed7 3154
52c239d7 3155 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 3156 if (r < 0) {
3157 *exit_status = EXIT_STDOUT;
12145637 3158 return log_unit_error_errno(unit, r, "Failed to set up standard output: %m");
d35fbf6b
DM		 3159 }
3160
52c239d7 3161 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 3162 if (r < 0) {
3163 *exit_status = EXIT_STDERR;
12145637 3164 return log_unit_error_errno(unit, r, "Failed to set up standard error output: %m");
d35fbf6b
DM		 3165 }
3166
d35fbf6b 3167 if (context->oom_score_adjust_set) {
9f8168eb
LP		 3168 /* When we can't make this change due to EPERM, then let's silently skip over it. User namespaces
3169 * prohibit write access to this file, and we shouldn't trip up over that. */
3170 r = set_oom_score_adjust(context->oom_score_adjust);
12145637 3171 if (IN_SET(r, -EPERM, -EACCES))
f2341e0a 3172 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
12145637 3173 else if (r < 0) {
ff0af2a1 3174 *exit_status = EXIT_OOM_ADJUST;
12145637 3175 return log_unit_error_errno(unit, r, "Failed to adjust OOM setting: %m");
613b411c 3176 }
d35fbf6b
DM		 3177 }
3178
3179 if (context->nice_set)
3180 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
ff0af2a1 3181 *exit_status = EXIT_NICE;
12145637 3182 return log_unit_error_errno(unit, errno, "Failed to set up process scheduling priority (nice level): %m");
613b411c
LP		 3183 }
3184
d35fbf6b
DM		 3185 if (context->cpu_sched_set) {
3186 struct sched_param param = {
3187 .sched_priority = context->cpu_sched_priority,
3188 };
3189
ff0af2a1
LP		 3190 r = sched_setscheduler(0,
3191 context->cpu_sched_policy |
3192 (context->cpu_sched_reset_on_fork ?
3193 SCHED_RESET_ON_FORK : 0),
3194 &param);
3195 if (r < 0) {
3196 *exit_status = EXIT_SETSCHEDULER;
12145637 3197 return log_unit_error_errno(unit, errno, "Failed to set up CPU scheduling: %m");
fc9b2a84 3198 }
d35fbf6b 3199 }
fc9b2a84 3200
0985c7c4
ZJS		 3201 if (context->cpu_set.set)
3202 if (sched_setaffinity(0, context->cpu_set.allocated, context->cpu_set.set) < 0) {
ff0af2a1 3203 *exit_status = EXIT_CPUAFFINITY;
12145637 3204 return log_unit_error_errno(unit, errno, "Failed to set up CPU affinity: %m");
034c6ed7
LP		 3205 }
3206
b070c7c0
MS		 3207 if (mpol_is_valid(numa_policy_get_type(&context->numa_policy))) {
3208 r = apply_numa_policy(&context->numa_policy);
3209 if (r == -EOPNOTSUPP)
33fe9e3f 3210 log_unit_debug_errno(unit, r, "NUMA support not available, ignoring.");
b070c7c0
MS		 3211 else if (r < 0) {
3212 *exit_status = EXIT_NUMA_POLICY;
3213 return log_unit_error_errno(unit, r, "Failed to set NUMA memory policy: %m");
3214 }
3215 }
3216
d35fbf6b
DM		 3217 if (context->ioprio_set)
3218 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
ff0af2a1 3219 *exit_status = EXIT_IOPRIO;
12145637 3220 return log_unit_error_errno(unit, errno, "Failed to set up IO scheduling priority: %m");
d35fbf6b 3221 }
da726a4d 3222
d35fbf6b
DM		 3223 if (context->timer_slack_nsec != NSEC_INFINITY)
3224 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
ff0af2a1 3225 *exit_status = EXIT_TIMERSLACK;
12145637 3226 return log_unit_error_errno(unit, errno, "Failed to set up timer slack: %m");
4c2630eb 3227 }
9eba9da4 3228
21022b9d
LP		 3229 if (context->personality != PERSONALITY_INVALID) {
3230 r = safe_personality(context->personality);
3231 if (r < 0) {
ff0af2a1 3232 *exit_status = EXIT_PERSONALITY;
12145637 3233 return log_unit_error_errno(unit, r, "Failed to set up execution domain (personality): %m");
4c2630eb 3234 }
21022b9d 3235 }
94f04347 3236
d35fbf6b 3237 if (context->utmp_id)
df0ff127 3238 utmp_put_init_process(context->utmp_id, getpid_cached(), getsid(0),
6a93917d 3239 context->tty_path,
023a4f67
LP		 3240 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
3241 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
3242 USER_PROCESS,
6a93917d 3243 username);
d35fbf6b 3244
08f67696 3245 if (uid_is_valid(uid)) {
ff0af2a1
LP		 3246 r = chown_terminal(STDIN_FILENO, uid);
3247 if (r < 0) {
3248 *exit_status = EXIT_STDIN;
12145637 3249 return log_unit_error_errno(unit, r, "Failed to change ownership of terminal: %m");
071830ff 3250 }
d35fbf6b 3251 }
8e274523 3252
4e1dfa45 3253 /* If delegation is enabled we'll pass ownership of the cgroup to the user of the new process. On cgroup v1
62b9bb26 3254 * this is only about systemd's own hierarchy, i.e. not the controller hierarchies, simply because that's not
4e1dfa45 3255 * safe. On cgroup v2 there's only one hierarchy anyway, and delegation is safe there, hence in that case only
62b9bb26 3256 * touch a single hierarchy too. */
584b8688 3257 if (params->cgroup_path && context->user && (params->flags & EXEC_CGROUP_DELEGATE)) {
62b9bb26 3258 r = cg_set_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, uid, gid);
ff0af2a1
LP		 3259 if (r < 0) {
3260 *exit_status = EXIT_CGROUP;
12145637 3261 return log_unit_error_errno(unit, r, "Failed to adjust control group access: %m");
034c6ed7 3262 }
d35fbf6b 3263 }
034c6ed7 3264
72fd1768 3265 for (dt = 0; dt < _EXEC_DIRECTORY_TYPE_MAX; dt++) {
8679efde 3266 r = setup_exec_directory(context, params, uid, gid, dt, exit_status);
12145637
LP		 3267 if (r < 0)
3268 return log_unit_error_errno(unit, r, "Failed to set up special execution directory in %s: %m", params->prefix[dt]);
d35fbf6b 3269 }
94f04347 3270
7bce046b 3271 r = build_environment(
fd63e712 3272 unit,
7bce046b
LP		 3273 context,
3274 params,
3275 n_fds,
3276 home,
3277 username,
3278 shell,
3279 journal_stream_dev,
3280 journal_stream_ino,
3281 &our_env);
2065ca69
JW		 3282 if (r < 0) {
3283 *exit_status = EXIT_MEMORY;
12145637 3284 return log_oom();
2065ca69
JW		 3285 }
3286
3287 r = build_pass_environment(context, &pass_env);
3288 if (r < 0) {
3289 *exit_status = EXIT_MEMORY;
12145637 3290 return log_oom();
2065ca69
JW		 3291 }
3292
3293 accum_env = strv_env_merge(5,
3294 params->environment,
3295 our_env,
3296 pass_env,
3297 context->environment,
3298 files_env,
3299 NULL);
3300 if (!accum_env) {
3301 *exit_status = EXIT_MEMORY;
12145637 3302 return log_oom();
2065ca69 3303 }
1280503b 3304 accum_env = strv_env_clean(accum_env);
2065ca69 3305
096424d1 3306 (void) umask(context->umask);
b213e1c1 3307
b1edf445 3308 r = setup_keyring(unit, context, params, uid, gid);
74dd6b51
LP		 3309 if (r < 0) {
3310 *exit_status = EXIT_KEYRING;
12145637 3311 return log_unit_error_errno(unit, r, "Failed to set up kernel keyring: %m");
74dd6b51
LP		 3312 }
3313
165a31c0 3314 /* We need sandboxing if the caller asked us to apply it and the command isn't explicitly excepted from it */
1703fa41 3315 needs_sandboxing = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & EXEC_COMMAND_FULLY_PRIVILEGED);
7f18ef0a 3316
165a31c0
LP		 3317 /* We need the ambient capability hack, if the caller asked us to apply it and the command is marked for it, and the kernel doesn't actually support ambient caps */
3318 needs_ambient_hack = (params->flags & EXEC_APPLY_SANDBOXING) && (command->flags & EXEC_COMMAND_AMBIENT_MAGIC) && !ambient_capabilities_supported();
7f18ef0a 3319
165a31c0
LP		 3320 /* We need setresuid() if the caller asked us to apply sandboxing and the command isn't explicitly excepted from either whole sandboxing or just setresuid() itself, and the ambient hack is not desired */
3321 if (needs_ambient_hack)
3322 needs_setuid = false;
3323 else
3324 needs_setuid = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & (EXEC_COMMAND_FULLY_PRIVILEGED|EXEC_COMMAND_NO_SETUID));
3325
3326 if (needs_sandboxing) {
7f18ef0a
FK		 3327 /* MAC enablement checks need to be done before a new mount ns is created, as they rely on /sys being
3328 * present. The actual MAC context application will happen later, as late as possible, to avoid
3329 * impacting our own code paths. */
3330
349cc4a5 3331#if HAVE_SELINUX
43b1f709 3332 use_selinux = mac_selinux_use();
7f18ef0a 3333#endif
f9fa32f0 3334#if ENABLE_SMACK
43b1f709 3335 use_smack = mac_smack_use();
7f18ef0a 3336#endif
349cc4a5 3337#if HAVE_APPARMOR
43b1f709 3338 use_apparmor = mac_apparmor_use();
7f18ef0a 3339#endif
165a31c0 3340 }
7f18ef0a 3341
ce932d2d
LP		 3342 if (needs_sandboxing) {
3343 int which_failed;
3344
3345 /* Let's set the resource limits before we call into PAM, so that pam_limits wins over what
3346 * is set here. (See below.) */
3347
3348 r = setrlimit_closest_all((const struct rlimit* const *) context->rlimit, &which_failed);
3349 if (r < 0) {
3350 *exit_status = EXIT_LIMITS;
3351 return log_unit_error_errno(unit, r, "Failed to adjust resource limit RLIMIT_%s: %m", rlimit_to_string(which_failed));
3352 }
3353 }
3354
165a31c0 3355 if (needs_setuid) {
ce932d2d
LP		 3356
3357 /* Let's call into PAM after we set up our own idea of resource limits to that pam_limits
3358 * wins here. (See above.) */
3359
165a31c0
LP		 3360 if (context->pam_name && username) {
3361 r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds);
3362 if (r < 0) {
3363 *exit_status = EXIT_PAM;
12145637 3364 return log_unit_error_errno(unit, r, "Failed to set up PAM session: %m");
165a31c0
LP		 3365 }
3366 }
b213e1c1 3367 }
ac45f971 3368
a8d08f39
LP		 3369 if ((context->private_network || context->network_namespace_path) && runtime && runtime->netns_storage_socket[0] >= 0) {
3370
6e2d7c4f
MS		 3371 if (ns_type_supported(NAMESPACE_NET)) {
3372 r = setup_netns(runtime->netns_storage_socket);
3373 if (r < 0) {
3374 *exit_status = EXIT_NETWORK;
3375 return log_unit_error_errno(unit, r, "Failed to set up network namespacing: %m");
3376 }
a8d08f39
LP		 3377 } else if (context->network_namespace_path) {
3378 *exit_status = EXIT_NETWORK;
3379 return log_unit_error_errno(unit, SYNTHETIC_ERRNO(EOPNOTSUPP), "NetworkNamespacePath= is not supported, refusing.");
6e2d7c4f
MS		 3380 } else
3381 log_unit_warning(unit, "PrivateNetwork=yes is configured, but the kernel does not support network namespaces, ignoring.");
d35fbf6b 3382 }
169c1bda 3383
ee818b89 3384 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
ee818b89 3385 if (needs_mount_namespace) {
7cc5ef5f
ZJS		 3386 _cleanup_free_ char *error_path = NULL;
3387
3388 r = apply_mount_namespace(unit, command, context, params, runtime, &error_path);
3fbe8dbe
LP		 3389 if (r < 0) {
3390 *exit_status = EXIT_NAMESPACE;
7cc5ef5f
ZJS		 3391 return log_unit_error_errno(unit, r, "Failed to set up mount namespacing%s%s: %m",
3392 error_path ? ": " : "", strempty(error_path));
3fbe8dbe 3393 }
d35fbf6b 3394 }
81a2b7ce 3395
aecd5ac6
TM		 3396 if (context->protect_hostname) {
3397 if (ns_type_supported(NAMESPACE_UTS)) {
3398 if (unshare(CLONE_NEWUTS) < 0) {
3399 *exit_status = EXIT_NAMESPACE;
3400 return log_unit_error_errno(unit, errno, "Failed to set up UTS namespacing: %m");
3401 }
3402 } else
3403 log_unit_warning(unit, "ProtectHostname=yes is configured, but the kernel does not support UTS namespaces, ignoring namespace setup.");
3404#if HAVE_SECCOMP
3405 r = seccomp_protect_hostname();
3406 if (r < 0) {
3407 *exit_status = EXIT_SECCOMP;
3408 return log_unit_error_errno(unit, r, "Failed to apply hostname restrictions: %m");
3409 }
3410#endif
3411 }
3412
bbeea271 3413 /* Drop groups as early as possbile */
165a31c0 3414 if (needs_setuid) {
709dbeac 3415 r = enforce_groups(gid, supplementary_gids, ngids);
096424d1
LP		 3416 if (r < 0) {
3417 *exit_status = EXIT_GROUP;
12145637 3418 return log_unit_error_errno(unit, r, "Changing group credentials failed: %m");
096424d1 3419 }
165a31c0 3420 }
096424d1 3421
165a31c0 3422 if (needs_sandboxing) {
349cc4a5 3423#if HAVE_SELINUX
43b1f709 3424 if (use_selinux && params->selinux_context_net && socket_fd >= 0) {
937ccce9
LP		 3425 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
3426 if (r < 0) {
3427 *exit_status = EXIT_SELINUX_CONTEXT;
12145637 3428 return log_unit_error_errno(unit, r, "Failed to determine SELinux context: %m");
937ccce9 3429 }
9008e1ac 3430 }
9008e1ac
MS		 3431#endif
3432
937ccce9
LP		 3433 if (context->private_users) {
3434 r = setup_private_users(uid, gid);
3435 if (r < 0) {
3436 *exit_status = EXIT_USER;
12145637 3437 return log_unit_error_errno(unit, r, "Failed to set up user namespacing: %m");
937ccce9 3438 }
d251207d
LP		 3439 }
3440 }
3441
165a31c0 3442 /* We repeat the fd closing here, to make sure that nothing is leaked from the PAM modules. Note that we are
5686391b
LP		 3443 * more aggressive this time since socket_fd and the netns fds we don't need anymore. We do keep the exec_fd
3444 * however if we have it as we want to keep it open until the final execve(). */
3445
3446 if (params->exec_fd >= 0) {
3447 exec_fd = params->exec_fd;
3448
3449 if (exec_fd < 3 + (int) n_fds) {
3450 int moved_fd;
3451
3452 /* Let's move the exec fd far up, so that it's outside of the fd range we want to pass to the
3453 * process we are about to execute. */
3454
3455 moved_fd = fcntl(exec_fd, F_DUPFD_CLOEXEC, 3 + (int) n_fds);
3456 if (moved_fd < 0) {
3457 *exit_status = EXIT_FDS;
3458 return log_unit_error_errno(unit, errno, "Couldn't move exec fd up: %m");
3459 }
3460
3461 safe_close(exec_fd);
3462 exec_fd = moved_fd;
3463 } else {
3464 /* This fd should be FD_CLOEXEC already, but let's make sure. */
3465 r = fd_cloexec(exec_fd, true);
3466 if (r < 0) {
3467 *exit_status = EXIT_FDS;
3468 return log_unit_error_errno(unit, r, "Failed to make exec fd FD_CLOEXEC: %m");
3469 }
3470 }
3471
3472 fds_with_exec_fd = newa(int, n_fds + 1);
7e8d494b 3473 memcpy_safe(fds_with_exec_fd, fds, n_fds * sizeof(int));
5686391b
LP		 3474 fds_with_exec_fd[n_fds] = exec_fd;
3475 n_fds_with_exec_fd = n_fds + 1;
3476 } else {
3477 fds_with_exec_fd = fds;
3478 n_fds_with_exec_fd = n_fds;
3479 }
3480
3481 r = close_all_fds(fds_with_exec_fd, n_fds_with_exec_fd);
ff0af2a1
LP		 3482 if (r >= 0)
3483 r = shift_fds(fds, n_fds);
3484 if (r >= 0)
25b583d7 3485 r = flags_fds(fds, n_socket_fds, n_storage_fds, context->non_blocking);
ff0af2a1
LP		 3486 if (r < 0) {
3487 *exit_status = EXIT_FDS;
12145637 3488 return log_unit_error_errno(unit, r, "Failed to adjust passed file descriptors: %m");
d35fbf6b 3489 }
e66cf1a3 3490
5686391b
LP		 3491 /* At this point, the fds we want to pass to the program are all ready and set up, with O_CLOEXEC turned off
3492 * and at the right fd numbers. The are no other fds open, with one exception: the exec_fd if it is defined,
3493 * and it has O_CLOEXEC set, after all we want it to be closed by the execve(), so that our parent knows we
3494 * came this far. */
3495
165a31c0 3496 secure_bits = context->secure_bits;
e66cf1a3 3497
165a31c0
LP		 3498 if (needs_sandboxing) {
3499 uint64_t bset;
e66cf1a3 3500
ce932d2d
LP		 3501 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly
3502 * requested. (Note this is placed after the general resource limit initialization, see
3503 * above, in order to take precedence.) */
f4170c67
LP		 3504 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
3505 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
3506 *exit_status = EXIT_LIMITS;
12145637 3507 return log_unit_error_errno(unit, errno, "Failed to adjust RLIMIT_RTPRIO resource limit: %m");
f4170c67
LP		 3508 }
3509 }
3510
37ac2744
JB		 3511#if ENABLE_SMACK
3512 /* LSM Smack needs the capability CAP_MAC_ADMIN to change the current execution security context of the
3513 * process. This is the latest place before dropping capabilities. Other MAC context are set later. */
3514 if (use_smack) {
3515 r = setup_smack(context, command);
3516 if (r < 0) {
3517 *exit_status = EXIT_SMACK_PROCESS_LABEL;
3518 return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");
3519 }
3520 }
3521#endif
3522
165a31c0
LP		 3523 bset = context->capability_bounding_set;
3524 /* If the ambient caps hack is enabled (which means the kernel can't do them, and the user asked for
3525 * our magic fallback), then let's add some extra caps, so that the service can drop privs of its own,
3526 * instead of us doing that */
3527 if (needs_ambient_hack)
3528 bset |= (UINT64_C(1) << CAP_SETPCAP) |
3529 (UINT64_C(1) << CAP_SETUID) |
3530 (UINT64_C(1) << CAP_SETGID);
3531
3532 if (!cap_test_all(bset)) {
3533 r = capability_bounding_set_drop(bset, false);
ff0af2a1
LP		 3534 if (r < 0) {
3535 *exit_status = EXIT_CAPABILITIES;
12145637 3536 return log_unit_error_errno(unit, r, "Failed to drop capabilities: %m");
3b8bddde 3537 }
4c2630eb 3538 }
3b8bddde 3539
755d4b67
IP		 3540 /* This is done before enforce_user, but ambient set
3541 * does not survive over setresuid() if keep_caps is not set. */
165a31c0
LP		 3542 if (!needs_ambient_hack &&
3543 context->capability_ambient_set != 0) {
755d4b67
IP		 3544 r = capability_ambient_set_apply(context->capability_ambient_set, true);
3545 if (r < 0) {
3546 *exit_status = EXIT_CAPABILITIES;
12145637 3547 return log_unit_error_errno(unit, r, "Failed to apply ambient capabilities (before UID change): %m");
755d4b67 3548 }
755d4b67 3549 }
165a31c0 3550 }
755d4b67 3551
fa97f630
JB		 3552 /* chroot to root directory first, before we lose the ability to chroot */
3553 r = apply_root_directory(context, params, needs_mount_namespace, exit_status);
3554 if (r < 0)
3555 return log_unit_error_errno(unit, r, "Chrooting to the requested root directory failed: %m");
3556
165a31c0 3557 if (needs_setuid) {
08f67696 3558 if (uid_is_valid(uid)) {
ff0af2a1
LP		 3559 r = enforce_user(context, uid);
3560 if (r < 0) {
3561 *exit_status = EXIT_USER;
12145637 3562 return log_unit_error_errno(unit, r, "Failed to change UID to " UID_FMT ": %m", uid);
5b6319dc 3563 }
165a31c0
LP		 3564
3565 if (!needs_ambient_hack &&
3566 context->capability_ambient_set != 0) {
755d4b67
IP		 3567
3568 /* Fix the ambient capabilities after user change. */
3569 r = capability_ambient_set_apply(context->capability_ambient_set, false);
3570 if (r < 0) {
3571 *exit_status = EXIT_CAPABILITIES;
12145637 3572 return log_unit_error_errno(unit, r, "Failed to apply ambient capabilities (after UID change): %m");
755d4b67
IP		 3573 }
3574
3575 /* If we were asked to change user and ambient capabilities
3576 * were requested, we had to add keep-caps to the securebits
3577 * so that we would maintain the inherited capability set
3578 * through the setresuid(). Make sure that the bit is added
3579 * also to the context secure_bits so that we don't try to
3580 * drop the bit away next. */
3581
7f508f2c 3582 secure_bits |= 1<<SECURE_KEEP_CAPS;
755d4b67 3583 }
5b6319dc 3584 }
165a31c0 3585 }
d35fbf6b 3586
56ef8db9
JB		 3587 /* Apply working directory here, because the working directory might be on NFS and only the user running
3588 * this service might have the correct privilege to change to the working directory */
fa97f630 3589 r = apply_working_directory(context, params, home, exit_status);
56ef8db9
JB		 3590 if (r < 0)
3591 return log_unit_error_errno(unit, r, "Changing to the requested working directory failed: %m");
3592
165a31c0 3593 if (needs_sandboxing) {
37ac2744 3594 /* Apply other MAC contexts late, but before seccomp syscall filtering, as those should really be last to
5cd9cd35
LP		 3595 * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
3596 * syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
3597 * are restricted. */
3598
349cc4a5 3599#if HAVE_SELINUX
43b1f709 3600 if (use_selinux) {
5cd9cd35
LP		 3601 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
3602
3603 if (exec_context) {
3604 r = setexeccon(exec_context);
3605 if (r < 0) {
3606 *exit_status = EXIT_SELINUX_CONTEXT;
12145637 3607 return log_unit_error_errno(unit, r, "Failed to change SELinux context to %s: %m", exec_context);
5cd9cd35
LP		 3608 }
3609 }
3610 }
3611#endif
3612
349cc4a5 3613#if HAVE_APPARMOR
43b1f709 3614 if (use_apparmor && context->apparmor_profile) {
5cd9cd35
LP		 3615 r = aa_change_onexec(context->apparmor_profile);
3616 if (r < 0 && !context->apparmor_profile_ignore) {
3617 *exit_status = EXIT_APPARMOR_PROFILE;
12145637 3618 return log_unit_error_errno(unit, errno, "Failed to prepare AppArmor profile change to %s: %m", context->apparmor_profile);
5cd9cd35
LP		 3619 }
3620 }
3621#endif
3622
165a31c0
LP		 3623 /* PR_GET_SECUREBITS is not privileged, while PR_SET_SECUREBITS is. So to suppress potential EPERMs
3624 * we'll try not to call PR_SET_SECUREBITS unless necessary. */
755d4b67
IP		 3625 if (prctl(PR_GET_SECUREBITS) != secure_bits)
3626 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
ff0af2a1 3627 *exit_status = EXIT_SECUREBITS;
12145637 3628 return log_unit_error_errno(unit, errno, "Failed to set process secure bits: %m");
ff01d048 3629 }
5b6319dc 3630
59eeb84b 3631 if (context_has_no_new_privileges(context))
d35fbf6b 3632 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
ff0af2a1 3633 *exit_status = EXIT_NO_NEW_PRIVILEGES;
12145637 3634 return log_unit_error_errno(unit, errno, "Failed to disable new privileges: %m");
d35fbf6b
DM		 3635 }
3636
349cc4a5 3637#if HAVE_SECCOMP
469830d1
LP		 3638 r = apply_address_families(unit, context);
3639 if (r < 0) {
3640 *exit_status = EXIT_ADDRESS_FAMILIES;
12145637 3641 return log_unit_error_errno(unit, r, "Failed to restrict address families: %m");
4c2630eb 3642 }
04aa0cb9 3643
469830d1
LP		 3644 r = apply_memory_deny_write_execute(unit, context);
3645 if (r < 0) {
3646 *exit_status = EXIT_SECCOMP;
12145637 3647 return log_unit_error_errno(unit, r, "Failed to disable writing to executable memory: %m");
f3e43635 3648 }
f4170c67 3649
469830d1
LP		 3650 r = apply_restrict_realtime(unit, context);
3651 if (r < 0) {
3652 *exit_status = EXIT_SECCOMP;
12145637 3653 return log_unit_error_errno(unit, r, "Failed to apply realtime restrictions: %m");
f4170c67
LP		 3654 }
3655
f69567cb
LP		 3656 r = apply_restrict_suid_sgid(unit, context);
3657 if (r < 0) {
3658 *exit_status = EXIT_SECCOMP;
3659 return log_unit_error_errno(unit, r, "Failed to apply SUID/SGID restrictions: %m");
3660 }
3661
add00535
LP		 3662 r = apply_restrict_namespaces(unit, context);
3663 if (r < 0) {
3664 *exit_status = EXIT_SECCOMP;
12145637 3665 return log_unit_error_errno(unit, r, "Failed to apply namespace restrictions: %m");
add00535
LP		 3666 }
3667
469830d1
LP		 3668 r = apply_protect_sysctl(unit, context);
3669 if (r < 0) {
3670 *exit_status = EXIT_SECCOMP;
12145637 3671 return log_unit_error_errno(unit, r, "Failed to apply sysctl restrictions: %m");
502d704e
DH		 3672 }
3673
469830d1
LP		 3674 r = apply_protect_kernel_modules(unit, context);
3675 if (r < 0) {
3676 *exit_status = EXIT_SECCOMP;
12145637 3677 return log_unit_error_errno(unit, r, "Failed to apply module loading restrictions: %m");
59eeb84b
LP		 3678 }
3679
469830d1
LP		 3680 r = apply_private_devices(unit, context);
3681 if (r < 0) {
3682 *exit_status = EXIT_SECCOMP;
12145637 3683 return log_unit_error_errno(unit, r, "Failed to set up private devices: %m");
469830d1
LP		 3684 }
3685
3686 r = apply_syscall_archs(unit, context);
3687 if (r < 0) {
3688 *exit_status = EXIT_SECCOMP;
12145637 3689 return log_unit_error_errno(unit, r, "Failed to apply syscall architecture restrictions: %m");
ba128bb8
LP		 3690 }
3691
78e864e5
TM		 3692 r = apply_lock_personality(unit, context);
3693 if (r < 0) {
3694 *exit_status = EXIT_SECCOMP;
12145637 3695 return log_unit_error_errno(unit, r, "Failed to lock personalities: %m");
78e864e5
TM		 3696 }
3697
5cd9cd35
LP		 3698 /* This really should remain the last step before the execve(), to make sure our own code is unaffected
3699 * by the filter as little as possible. */
165a31c0 3700 r = apply_syscall_filter(unit, context, needs_ambient_hack);
469830d1
LP		 3701 if (r < 0) {
3702 *exit_status = EXIT_SECCOMP;
12145637 3703 return log_unit_error_errno(unit, r, "Failed to apply system call filters: %m");
d35fbf6b
DM		 3704 }
3705#endif
d35fbf6b 3706 }
034c6ed7 3707
00819cc1
LP		 3708 if (!strv_isempty(context->unset_environment)) {
3709 char **ee = NULL;
3710
3711 ee = strv_env_delete(accum_env, 1, context->unset_environment);
3712 if (!ee) {
3713 *exit_status = EXIT_MEMORY;
12145637 3714 return log_oom();
00819cc1
LP		 3715 }
3716
130d3d22 3717 strv_free_and_replace(accum_env, ee);
00819cc1
LP		 3718 }
3719
7ca69792
AZ		 3720 if (!FLAGS_SET(command->flags, EXEC_COMMAND_NO_ENV_EXPAND)) {
3721 replaced_argv = replace_env_argv(command->argv, accum_env);
3722 if (!replaced_argv) {
3723 *exit_status = EXIT_MEMORY;
3724 return log_oom();
3725 }
3726 final_argv = replaced_argv;
3727 } else
3728 final_argv = command->argv;
034c6ed7 3729
f1d34068 3730 if (DEBUG_LOGGING) {
d35fbf6b 3731 _cleanup_free_ char *line;
81a2b7ce 3732
d35fbf6b 3733 line = exec_command_line(final_argv);
a1230ff9 3734 if (line)
f2341e0a 3735 log_struct(LOG_DEBUG,
f2341e0a
LP		 3736 "EXECUTABLE=%s", command->path,
3737 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
ba360bb0 3738 LOG_UNIT_ID(unit),
a1230ff9 3739 LOG_UNIT_INVOCATION_ID(unit));
d35fbf6b 3740 }
dd305ec9 3741
5686391b
LP		 3742 if (exec_fd >= 0) {
3743 uint8_t hot = 1;
3744
3745 /* We have finished with all our initializations. Let's now let the manager know that. From this point
3746 * on, if the manager sees POLLHUP on the exec_fd, then execve() was successful. */
3747
3748 if (write(exec_fd, &hot, sizeof(hot)) < 0) {
3749 *exit_status = EXIT_EXEC;
3750 return log_unit_error_errno(unit, errno, "Failed to enable exec_fd: %m");
3751 }
3752 }
3753
2065ca69 3754 execve(command->path, final_argv, accum_env);
5686391b
LP		 3755 r = -errno;
3756
3757 if (exec_fd >= 0) {
3758 uint8_t hot = 0;
3759
3760 /* The execve() failed. This means the exec_fd is still open. Which means we need to tell the manager
3761 * that POLLHUP on it no longer means execve() succeeded. */
3762
3763 if (write(exec_fd, &hot, sizeof(hot)) < 0) {
3764 *exit_status = EXIT_EXEC;
3765 return log_unit_error_errno(unit, errno, "Failed to disable exec_fd: %m");
3766 }
3767 }
12145637 3768
5686391b
LP		 3769 if (r == -ENOENT && (command->flags & EXEC_COMMAND_IGNORE_FAILURE)) {
3770 log_struct_errno(LOG_INFO, r,
12145637
LP		 3771 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
3772 LOG_UNIT_ID(unit),
3773 LOG_UNIT_INVOCATION_ID(unit),
3774 LOG_UNIT_MESSAGE(unit, "Executable %s missing, skipping: %m",
3775 command->path),
a1230ff9 3776 "EXECUTABLE=%s", command->path);
12145637
LP		 3777 return 0;
3778 }
3779
ff0af2a1 3780 *exit_status = EXIT_EXEC;
5686391b 3781 return log_unit_error_errno(unit, r, "Failed to execute command: %m");
d35fbf6b 3782}
81a2b7ce 3783
34cf6c43
YW		 3784static int exec_context_load_environment(const Unit *unit, const ExecContext *c, char ***l);
3785static int exec_context_named_iofds(const ExecContext *c, const ExecParameters *p, int named_iofds[3]);
3786
f2341e0a
LP		 3787int exec_spawn(Unit *unit,
3788 ExecCommand *command,
d35fbf6b
DM		 3789 const ExecContext *context,
3790 const ExecParameters *params,
3791 ExecRuntime *runtime,
29206d46 3792 DynamicCreds *dcreds,
d35fbf6b 3793 pid_t *ret) {
8351ceae 3794
ee39ca20 3795 int socket_fd, r, named_iofds[3] = { -1, -1, -1 }, *fds = NULL;
78f93209 3796 _cleanup_free_ char *subcgroup_path = NULL;
d35fbf6b 3797 _cleanup_strv_free_ char **files_env = NULL;
da6053d0 3798 size_t n_storage_fds = 0, n_socket_fds = 0;
ff0af2a1 3799 _cleanup_free_ char *line = NULL;
d35fbf6b 3800 pid_t pid;
8351ceae 3801
f2341e0a 3802 assert(unit);
d35fbf6b
DM		 3803 assert(command);
3804 assert(context);
3805 assert(ret);
3806 assert(params);
25b583d7 3807 assert(params->fds || (params->n_socket_fds + params->n_storage_fds <= 0));
4298d0b5 3808
d35fbf6b
DM		 3809 if (context->std_input == EXEC_INPUT_SOCKET ||
3810 context->std_output == EXEC_OUTPUT_SOCKET ||
3811 context->std_error == EXEC_OUTPUT_SOCKET) {
17df7223 3812
4c47affc 3813 if (params->n_socket_fds > 1) {
f2341e0a 3814 log_unit_error(unit, "Got more than one socket.");
d35fbf6b 3815 return -EINVAL;
ff0af2a1 3816 }
eef65bf3 3817
4c47affc 3818 if (params->n_socket_fds == 0) {
488ab41c
AA		 3819 log_unit_error(unit, "Got no socket.");
3820 return -EINVAL;
3821 }
3822
d35fbf6b
DM		 3823 socket_fd = params->fds[0];
3824 } else {
3825 socket_fd = -1;
3826 fds = params->fds;
9b141911 3827 n_socket_fds = params->n_socket_fds;
25b583d7 3828 n_storage_fds = params->n_storage_fds;
d35fbf6b 3829 }
94f04347 3830
34cf6c43 3831 r = exec_context_named_iofds(context, params, named_iofds);
52c239d7
LB		 3832 if (r < 0)
3833 return log_unit_error_errno(unit, r, "Failed to load a named file descriptor: %m");
3834
f2341e0a 3835 r = exec_context_load_environment(unit, context, &files_env);
ff0af2a1 3836 if (r < 0)
f2341e0a 3837 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
034c6ed7 3838
ee39ca20 3839 line = exec_command_line(command->argv);
d35fbf6b
DM		 3840 if (!line)
3841 return log_oom();
fab56fc5 3842
f2341e0a 3843 log_struct(LOG_DEBUG,
f2341e0a
LP		 3844 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
3845 "EXECUTABLE=%s", command->path,
ba360bb0 3846 LOG_UNIT_ID(unit),
a1230ff9 3847 LOG_UNIT_INVOCATION_ID(unit));
12145637 3848
78f93209
LP		 3849 if (params->cgroup_path) {
3850 r = exec_parameters_get_cgroup_path(params, &subcgroup_path);
3851 if (r < 0)
3852 return log_unit_error_errno(unit, r, "Failed to acquire subcgroup path: %m");
3853 if (r > 0) { /* We are using a child cgroup */
3854 r = cg_create(SYSTEMD_CGROUP_CONTROLLER, subcgroup_path);
3855 if (r < 0)
3856 return log_unit_error_errno(unit, r, "Failed to create control group '%s': %m", subcgroup_path);
3857 }
3858 }
3859
d35fbf6b
DM		 3860 pid = fork();
3861 if (pid < 0)
74129a12 3862 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
d35fbf6b
DM		 3863
3864 if (pid == 0) {
12145637 3865 int exit_status = EXIT_SUCCESS;
ff0af2a1 3866
f2341e0a
LP		 3867 r = exec_child(unit,
3868 command,
ff0af2a1
LP		 3869 context,
3870 params,
3871 runtime,
29206d46 3872 dcreds,
ff0af2a1 3873 socket_fd,
52c239d7 3874 named_iofds,
4c47affc 3875 fds,
9b141911 3876 n_socket_fds,
25b583d7 3877 n_storage_fds,
ff0af2a1 3878 files_env,
00d9ef85 3879 unit->manager->user_lookup_fds[1],
12145637
LP		 3880 &exit_status);
3881
a1230ff9 3882 if (r < 0)
12145637
LP		 3883 log_struct_errno(LOG_ERR, r,
3884 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
3885 LOG_UNIT_ID(unit),
3886 LOG_UNIT_INVOCATION_ID(unit),
3887 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
3888 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
3889 command->path),
a1230ff9 3890 "EXECUTABLE=%s", command->path);
4c2630eb 3891
ff0af2a1 3892 _exit(exit_status);
034c6ed7
LP		 3893 }
3894
f2341e0a 3895 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
23635a85 3896
78f93209
LP		 3897 /* We add the new process to the cgroup both in the child (so that we can be sure that no user code is ever
3898 * executed outside of the cgroup) and in the parent (so that we can be sure that when we kill the cgroup the
3899 * process will be killed too). */
3900 if (subcgroup_path)
3901 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, subcgroup_path, pid);
2da3263a 3902
b58b4116 3903 exec_status_start(&command->exec_status, pid);
9fb86720 3904
034c6ed7 3905 *ret = pid;
5cb5a6ff
LP		 3906 return 0;
3907}
3908
034c6ed7 3909void exec_context_init(ExecContext *c) {
3536f49e
YW		 3910 ExecDirectoryType i;
3911
034c6ed7
LP		 3912 assert(c);
3913
4c12626c 3914 c->umask = 0022;
9eba9da4 3915 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
94f04347 3916 c->cpu_sched_policy = SCHED_OTHER;
071830ff 3917 c->syslog_priority = LOG_DAEMON|LOG_INFO;
74922904 3918 c->syslog_level_prefix = true;
353e12c2 3919 c->ignore_sigpipe = true;
3a43da28 3920 c->timer_slack_nsec = NSEC_INFINITY;
050f7277 3921 c->personality = PERSONALITY_INVALID;
72fd1768 3922 for (i = 0; i < _EXEC_DIRECTORY_TYPE_MAX; i++)
3536f49e 3923 c->directories[i].mode = 0755;
a103496c 3924 c->capability_bounding_set = CAP_ALL;
aa9d574d
YW		 3925 assert_cc(NAMESPACE_FLAGS_INITIAL != NAMESPACE_FLAGS_ALL);
3926 c->restrict_namespaces = NAMESPACE_FLAGS_INITIAL;
d3070fbd 3927 c->log_level_max = -1;
b070c7c0 3928 numa_policy_reset(&c->numa_policy);
034c6ed7
LP		 3929}
3930
613b411c 3931void exec_context_done(ExecContext *c) {
3536f49e 3932 ExecDirectoryType i;
d3070fbd 3933 size_t l;
5cb5a6ff
LP		 3934
3935 assert(c);
3936
6796073e
LP		 3937 c->environment = strv_free(c->environment);
3938 c->environment_files = strv_free(c->environment_files);
b4c14404 3939 c->pass_environment = strv_free(c->pass_environment);
00819cc1 3940 c->unset_environment = strv_free(c->unset_environment);
8c7be95e 3941
31ce987c 3942 rlimit_free_all(c->rlimit);
034c6ed7 3943
2038c3f5 3944 for (l = 0; l < 3; l++) {
52c239d7 3945 c->stdio_fdname[l] = mfree(c->stdio_fdname[l]);
2038c3f5
LP		 3946 c->stdio_file[l] = mfree(c->stdio_file[l]);
3947 }
52c239d7 3948
a1e58e8e
LP		 3949 c->working_directory = mfree(c->working_directory);
3950 c->root_directory = mfree(c->root_directory);
915e6d16 3951 c->root_image = mfree(c->root_image);
a1e58e8e
LP		 3952 c->tty_path = mfree(c->tty_path);
3953 c->syslog_identifier = mfree(c->syslog_identifier);
3954 c->user = mfree(c->user);
3955 c->group = mfree(c->group);
034c6ed7 3956
6796073e 3957 c->supplementary_groups = strv_free(c->supplementary_groups);
94f04347 3958
a1e58e8e 3959 c->pam_name = mfree(c->pam_name);
5b6319dc 3960
2a624c36
AP		 3961 c->read_only_paths = strv_free(c->read_only_paths);
3962 c->read_write_paths = strv_free(c->read_write_paths);
3963 c->inaccessible_paths = strv_free(c->inaccessible_paths);
82c121a4 3964
d2d6c096 3965 bind_mount_free_many(c->bind_mounts, c->n_bind_mounts);
8e06d57c
YW		 3966 c->bind_mounts = NULL;
3967 c->n_bind_mounts = 0;
2abd4e38
YW		 3968 temporary_filesystem_free_many(c->temporary_filesystems, c->n_temporary_filesystems);
3969 c->temporary_filesystems = NULL;
3970 c->n_temporary_filesystems = 0;
d2d6c096 3971
0985c7c4 3972 cpu_set_reset(&c->cpu_set);
b070c7c0 3973 numa_policy_reset(&c->numa_policy);
86a3475b 3974
a1e58e8e
LP		 3975 c->utmp_id = mfree(c->utmp_id);
3976 c->selinux_context = mfree(c->selinux_context);
3977 c->apparmor_profile = mfree(c->apparmor_profile);
5b8e1b77 3978 c->smack_process_label = mfree(c->smack_process_label);
eef65bf3 3979
8cfa775f 3980 c->syscall_filter = hashmap_free(c->syscall_filter);
525d3cc7
LP		 3981 c->syscall_archs = set_free(c->syscall_archs);
3982 c->address_families = set_free(c->address_families);
e66cf1a3 3983
72fd1768 3984 for (i = 0; i < _EXEC_DIRECTORY_TYPE_MAX; i++)
3536f49e 3985 c->directories[i].paths = strv_free(c->directories[i].paths);
d3070fbd
LP		 3986
3987 c->log_level_max = -1;
3988
3989 exec_context_free_log_extra_fields(c);
08f3be7a 3990
90fc172e
AZ		 3991 c->log_rate_limit_interval_usec = 0;
3992 c->log_rate_limit_burst = 0;
3993
08f3be7a
LP		 3994 c->stdin_data = mfree(c->stdin_data);
3995 c->stdin_data_size = 0;
a8d08f39
LP		 3996
3997 c->network_namespace_path = mfree(c->network_namespace_path);
e66cf1a3
LP		 3998}
3999
34cf6c43 4000int exec_context_destroy_runtime_directory(const ExecContext *c, const char *runtime_prefix) {
e66cf1a3
LP		 4001 char **i;
4002
4003 assert(c);
4004
4005 if (!runtime_prefix)
4006 return 0;
4007
3536f49e 4008 STRV_FOREACH(i, c->directories[EXEC_DIRECTORY_RUNTIME].paths) {
e66cf1a3
LP		 4009 _cleanup_free_ char *p;
4010
7bc4bf4a 4011 p = path_join(runtime_prefix, *i);
e66cf1a3
LP		 4012 if (!p)
4013 return -ENOMEM;
4014
7bc4bf4a
LP		 4015 /* We execute this synchronously, since we need to be sure this is gone when we start the
4016 * service next. */
c6878637 4017 (void) rm_rf(p, REMOVE_ROOT);
e66cf1a3
LP		 4018 }
4019
4020 return 0;
5cb5a6ff
LP		 4021}
4022
34cf6c43 4023static void exec_command_done(ExecCommand *c) {
43d0fcbd
LP		 4024 assert(c);
4025
a1e58e8e 4026 c->path = mfree(c->path);
6796073e 4027 c->argv = strv_free(c->argv);
43d0fcbd
LP		 4028}
4029
da6053d0
LP		 4030void exec_command_done_array(ExecCommand *c, size_t n) {
4031 size_t i;
43d0fcbd
LP		 4032
4033 for (i = 0; i < n; i++)
4034 exec_command_done(c+i);
4035}
4036
f1acf85a 4037ExecCommand* exec_command_free_list(ExecCommand *c) {
5cb5a6ff
LP		 4038 ExecCommand *i;
4039
4040 while ((i = c)) {
71fda00f 4041 LIST_REMOVE(command, c, i);
43d0fcbd 4042 exec_command_done(i);
5cb5a6ff
LP		 4043 free(i);
4044 }
f1acf85a
ZJS		 4045
4046 return NULL;
5cb5a6ff
LP		 4047}
4048
da6053d0
LP		 4049void exec_command_free_array(ExecCommand **c, size_t n) {
4050 size_t i;
034c6ed7 4051
f1acf85a
ZJS		 4052 for (i = 0; i < n; i++)
4053 c[i] = exec_command_free_list(c[i]);
034c6ed7
LP		 4054}
4055
6a1d4d9f
LP		 4056void exec_command_reset_status_array(ExecCommand *c, size_t n) {
4057 size_t i;
4058
4059 for (i = 0; i < n; i++)
4060 exec_status_reset(&c[i].exec_status);
4061}
4062
4063void exec_command_reset_status_list_array(ExecCommand **c, size_t n) {
4064 size_t i;
4065
4066 for (i = 0; i < n; i++) {
4067 ExecCommand *z;
4068
4069 LIST_FOREACH(command, z, c[i])
4070 exec_status_reset(&z->exec_status);
4071 }
4072}
4073
039f0e70 4074typedef struct InvalidEnvInfo {
34cf6c43 4075 const Unit *unit;
039f0e70
LP		 4076 const char *path;
4077} InvalidEnvInfo;
4078
4079static void invalid_env(const char *p, void *userdata) {
4080 InvalidEnvInfo *info = userdata;
4081
f2341e0a 4082 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
039f0e70
LP		 4083}
4084
52c239d7
LB		 4085const char* exec_context_fdname(const ExecContext *c, int fd_index) {
4086 assert(c);
4087
4088 switch (fd_index) {
5073ff6b 4089
52c239d7
LB		 4090 case STDIN_FILENO:
4091 if (c->std_input != EXEC_INPUT_NAMED_FD)
4092 return NULL;
5073ff6b 4093
52c239d7 4094 return c->stdio_fdname[STDIN_FILENO] ?: "stdin";
5073ff6b 4095
52c239d7
LB		 4096 case STDOUT_FILENO:
4097 if (c->std_output != EXEC_OUTPUT_NAMED_FD)
4098 return NULL;
5073ff6b 4099
52c239d7 4100 return c->stdio_fdname[STDOUT_FILENO] ?: "stdout";
5073ff6b 4101
52c239d7
LB		 4102 case STDERR_FILENO:
4103 if (c->std_error != EXEC_OUTPUT_NAMED_FD)
4104 return NULL;
5073ff6b 4105
52c239d7 4106 return c->stdio_fdname[STDERR_FILENO] ?: "stderr";
5073ff6b 4107
52c239d7
LB		 4108 default:
4109 return NULL;
4110 }
4111}
4112
3042bbeb 4113static int exec_context_named_iofds(const ExecContext *c, const ExecParameters *p, int named_iofds[static 3]) {
da6053d0 4114 size_t i, targets;
56fbd561 4115 const char* stdio_fdname[3];
da6053d0 4116 size_t n_fds;
52c239d7
LB		 4117
4118 assert(c);
4119 assert(p);
4120
4121 targets = (c->std_input == EXEC_INPUT_NAMED_FD) +
4122 (c->std_output == EXEC_OUTPUT_NAMED_FD) +
4123 (c->std_error == EXEC_OUTPUT_NAMED_FD);
4124
4125 for (i = 0; i < 3; i++)
4126 stdio_fdname[i] = exec_context_fdname(c, i);
4127
4c47affc
FB		 4128 n_fds = p->n_storage_fds + p->n_socket_fds;
4129
4130 for (i = 0; i < n_fds && targets > 0; i++)
56fbd561
ZJS		 4131 if (named_iofds[STDIN_FILENO] < 0 &&
4132 c->std_input == EXEC_INPUT_NAMED_FD &&
4133 stdio_fdname[STDIN_FILENO] &&
4134 streq(p->fd_names[i], stdio_fdname[STDIN_FILENO])) {
4135
52c239d7
LB		 4136 named_iofds[STDIN_FILENO] = p->fds[i];
4137 targets--;
56fbd561
ZJS		 4138
4139 } else if (named_iofds[STDOUT_FILENO] < 0 &&
4140 c->std_output == EXEC_OUTPUT_NAMED_FD &&
4141 stdio_fdname[STDOUT_FILENO] &&
4142 streq(p->fd_names[i], stdio_fdname[STDOUT_FILENO])) {
4143
52c239d7
LB		 4144 named_iofds[STDOUT_FILENO] = p->fds[i];
4145 targets--;
56fbd561
ZJS		 4146
4147 } else if (named_iofds[STDERR_FILENO] < 0 &&
4148 c->std_error == EXEC_OUTPUT_NAMED_FD &&
4149 stdio_fdname[STDERR_FILENO] &&
4150 streq(p->fd_names[i], stdio_fdname[STDERR_FILENO])) {
4151
52c239d7
LB		 4152 named_iofds[STDERR_FILENO] = p->fds[i];
4153 targets--;
4154 }
4155
56fbd561 4156 return targets == 0 ? 0 : -ENOENT;
52c239d7
LB		 4157}
4158
34cf6c43 4159static int exec_context_load_environment(const Unit *unit, const ExecContext *c, char ***l) {
8c7be95e
LP		 4160 char **i, **r = NULL;
4161
4162 assert(c);
4163 assert(l);
4164
4165 STRV_FOREACH(i, c->environment_files) {
4166 char *fn;
52511fae
ZJS		 4167 int k;
4168 unsigned n;
8c7be95e
LP		 4169 bool ignore = false;
4170 char **p;
7fd1b19b 4171 _cleanup_globfree_ glob_t pglob = {};
8c7be95e
LP		 4172
4173 fn = *i;
4174
4175 if (fn[0] == '-') {
4176 ignore = true;
313cefa1 4177 fn++;
8c7be95e
LP		 4178 }
4179
4180 if (!path_is_absolute(fn)) {
8c7be95e
LP		 4181 if (ignore)
4182 continue;
4183
4184 strv_free(r);
4185 return -EINVAL;
4186 }
4187
2bef10ab 4188 /* Filename supports globbing, take all matching files */
d8c92e8b
ZJS		 4189 k = safe_glob(fn, 0, &pglob);
4190 if (k < 0) {
2bef10ab
PL		 4191 if (ignore)
4192 continue;
8c7be95e 4193
2bef10ab 4194 strv_free(r);
d8c92e8b 4195 return k;
2bef10ab 4196 }
8c7be95e 4197
d8c92e8b
ZJS		 4198 /* When we don't match anything, -ENOENT should be returned */
4199 assert(pglob.gl_pathc > 0);
4200
4201 for (n = 0; n < pglob.gl_pathc; n++) {
aa8fbc74 4202 k = load_env_file(NULL, pglob.gl_pathv[n], &p);
2bef10ab
PL		 4203 if (k < 0) {
4204 if (ignore)
4205 continue;
8c7be95e 4206
2bef10ab 4207 strv_free(r);
2bef10ab 4208 return k;
e9c1ea9d 4209 }
ebc05a09 4210 /* Log invalid environment variables with filename */
039f0e70
LP		 4211 if (p) {
4212 InvalidEnvInfo info = {
f2341e0a 4213 .unit = unit,
039f0e70
LP		 4214 .path = pglob.gl_pathv[n]
4215 };
4216
4217 p = strv_env_clean_with_callback(p, invalid_env, &info);
4218 }
8c7be95e 4219
234519ae 4220 if (!r)
2bef10ab
PL		 4221 r = p;
4222 else {
4223 char **m;
8c7be95e 4224
2bef10ab
PL		 4225 m = strv_env_merge(2, r, p);
4226 strv_free(r);
4227 strv_free(p);
c84a9488 4228 if (!m)
2bef10ab 4229 return -ENOMEM;
2bef10ab
PL		 4230
4231 r = m;
4232 }
8c7be95e
LP		 4233 }
4234 }
4235
4236 *l = r;
4237
4238 return 0;
4239}
4240
6ac8fdc9 4241static bool tty_may_match_dev_console(const char *tty) {
7b912648 4242 _cleanup_free_ char *resolved = NULL;
6ac8fdc9 4243
1e22b5cd
LP		 4244 if (!tty)
4245 return true;
4246
a119ec7c 4247 tty = skip_dev_prefix(tty);
6ac8fdc9
MS		 4248
4249 /* trivial identity? */
4250 if (streq(tty, "console"))
4251 return true;
4252
7b912648
LP		 4253 if (resolve_dev_console(&resolved) < 0)
4254 return true; /* if we could not resolve, assume it may */
6ac8fdc9
MS		 4255
4256 /* "tty0" means the active VC, so it may be the same sometimes */
955f1c85 4257 return path_equal(resolved, tty) || (streq(resolved, "tty0") && tty_is_vc(tty));
6ac8fdc9
MS		 4258}
4259
6c0ae739
LP		 4260static bool exec_context_may_touch_tty(const ExecContext *ec) {
4261 assert(ec);
1e22b5cd 4262
6c0ae739 4263 return ec->tty_reset ||
1e22b5cd
LP		 4264 ec->tty_vhangup ||
4265 ec->tty_vt_disallocate ||
6ac8fdc9
MS		 4266 is_terminal_input(ec->std_input) ||
4267 is_terminal_output(ec->std_output) ||
6c0ae739
LP		 4268 is_terminal_output(ec->std_error);
4269}
4270
4271bool exec_context_may_touch_console(const ExecContext *ec) {
4272
4273 return exec_context_may_touch_tty(ec) &&
1e22b5cd 4274 tty_may_match_dev_console(exec_context_tty_path(ec));
6ac8fdc9
MS		 4275}
4276
15ae422b
LP		 4277static void strv_fprintf(FILE *f, char **l) {
4278 char **g;
4279
4280 assert(f);
4281
4282 STRV_FOREACH(g, l)
4283 fprintf(f, " %s", *g);
4284}
4285
34cf6c43 4286void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
d3070fbd 4287 ExecDirectoryType dt;
c2bbd90b 4288 char **e, **d;
94f04347 4289 unsigned i;
add00535 4290 int r;
9eba9da4 4291
5cb5a6ff
LP		 4292 assert(c);
4293 assert(f);
4294
4ad49000 4295 prefix = strempty(prefix);
5cb5a6ff
LP		 4296
4297 fprintf(f,
94f04347
LP		 4298 "%sUMask: %04o\n"
4299 "%sWorkingDirectory: %s\n"
451a074f 4300 "%sRootDirectory: %s\n"
15ae422b 4301 "%sNonBlocking: %s\n"
64747e2d 4302 "%sPrivateTmp: %s\n"
7f112f50 4303 "%sPrivateDevices: %s\n"
59eeb84b 4304 "%sProtectKernelTunables: %s\n"
e66a2f65 4305 "%sProtectKernelModules: %s\n"
59eeb84b 4306 "%sProtectControlGroups: %s\n"
d251207d
LP		 4307 "%sPrivateNetwork: %s\n"
4308 "%sPrivateUsers: %s\n"
1b8689f9
LP		 4309 "%sProtectHome: %s\n"
4310 "%sProtectSystem: %s\n"
5d997827 4311 "%sMountAPIVFS: %s\n"
f3e43635 4312 "%sIgnoreSIGPIPE: %s\n"
f4170c67 4313 "%sMemoryDenyWriteExecute: %s\n"
b1edf445 4314 "%sRestrictRealtime: %s\n"
f69567cb 4315 "%sRestrictSUIDSGID: %s\n"
aecd5ac6
TM		 4316 "%sKeyringMode: %s\n"
4317 "%sProtectHostname: %s\n",
5cb5a6ff 4318 prefix, c->umask,
9eba9da4 4319 prefix, c->working_directory ? c->working_directory : "/",
451a074f 4320 prefix, c->root_directory ? c->root_directory : "/",
15ae422b 4321 prefix, yes_no(c->non_blocking),
64747e2d 4322 prefix, yes_no(c->private_tmp),
7f112f50 4323 prefix, yes_no(c->private_devices),
59eeb84b 4324 prefix, yes_no(c->protect_kernel_tunables),
e66a2f65 4325 prefix, yes_no(c->protect_kernel_modules),
59eeb84b 4326 prefix, yes_no(c->protect_control_groups),
d251207d
LP		 4327 prefix, yes_no(c->private_network),
4328 prefix, yes_no(c->private_users),
1b8689f9
LP		 4329 prefix, protect_home_to_string(c->protect_home),
4330 prefix, protect_system_to_string(c->protect_system),
5d997827 4331 prefix, yes_no(c->mount_apivfs),
f3e43635 4332 prefix, yes_no(c->ignore_sigpipe),
f4170c67 4333 prefix, yes_no(c->memory_deny_write_execute),
b1edf445 4334 prefix, yes_no(c->restrict_realtime),
f69567cb 4335 prefix, yes_no(c->restrict_suid_sgid),
aecd5ac6
TM		 4336 prefix, exec_keyring_mode_to_string(c->keyring_mode),
4337 prefix, yes_no(c->protect_hostname));
fb33a393 4338
915e6d16
LP		 4339 if (c->root_image)
4340 fprintf(f, "%sRootImage: %s\n", prefix, c->root_image);
4341
8c7be95e
LP		 4342 STRV_FOREACH(e, c->environment)
4343 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
4344
4345 STRV_FOREACH(e, c->environment_files)
4346 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
94f04347 4347
b4c14404
FB		 4348 STRV_FOREACH(e, c->pass_environment)
4349 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
4350
00819cc1
LP		 4351 STRV_FOREACH(e, c->unset_environment)
4352 fprintf(f, "%sUnsetEnvironment: %s\n", prefix, *e);
4353
53f47dfc
YW		 4354 fprintf(f, "%sRuntimeDirectoryPreserve: %s\n", prefix, exec_preserve_mode_to_string(c->runtime_directory_preserve_mode));
4355
72fd1768 4356 for (dt = 0; dt < _EXEC_DIRECTORY_TYPE_MAX; dt++) {
3536f49e
YW		 4357 fprintf(f, "%s%sMode: %04o\n", prefix, exec_directory_type_to_string(dt), c->directories[dt].mode);
4358
4359 STRV_FOREACH(d, c->directories[dt].paths)
4360 fprintf(f, "%s%s: %s\n", prefix, exec_directory_type_to_string(dt), *d);
4361 }
c2bbd90b 4362
fb33a393
LP		 4363 if (c->nice_set)
4364 fprintf(f,
4365 "%sNice: %i\n",
4366 prefix, c->nice);
4367
dd6c17b1 4368 if (c->oom_score_adjust_set)
fb33a393 4369 fprintf(f,
dd6c17b1
LP		 4370 "%sOOMScoreAdjust: %i\n",
4371 prefix, c->oom_score_adjust);
9eba9da4 4372
94f04347 4373 for (i = 0; i < RLIM_NLIMITS; i++)
3c11da9d 4374 if (c->rlimit[i]) {
4c3a2b84 4375 fprintf(f, "%sLimit%s: " RLIM_FMT "\n",
3c11da9d 4376 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
4c3a2b84 4377 fprintf(f, "%sLimit%sSoft: " RLIM_FMT "\n",
3c11da9d
EV		 4378 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
4379 }
94f04347 4380
f8b69d1d 4381 if (c->ioprio_set) {
1756a011 4382 _cleanup_free_ char *class_str = NULL;
f8b69d1d 4383
837df140
YW		 4384 r = ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
4385 if (r >= 0)
4386 fprintf(f, "%sIOSchedulingClass: %s\n", prefix, class_str);
4387
4388 fprintf(f, "%sIOPriority: %lu\n", prefix, IOPRIO_PRIO_DATA(c->ioprio));
f8b69d1d 4389 }
94f04347 4390
f8b69d1d 4391 if (c->cpu_sched_set) {
1756a011 4392 _cleanup_free_ char *policy_str = NULL;
f8b69d1d 4393
837df140
YW		 4394 r = sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
4395 if (r >= 0)
4396 fprintf(f, "%sCPUSchedulingPolicy: %s\n", prefix, policy_str);
4397
94f04347 4398 fprintf(f,
38b48754
LP		 4399 "%sCPUSchedulingPriority: %i\n"
4400 "%sCPUSchedulingResetOnFork: %s\n",
38b48754
LP		 4401 prefix, c->cpu_sched_priority,
4402 prefix, yes_no(c->cpu_sched_reset_on_fork));
b929bf04 4403 }
94f04347 4404
0985c7c4 4405 if (c->cpu_set.set) {
e7fca352
MS		 4406 _cleanup_free_ char *affinity = NULL;
4407
4408 affinity = cpu_set_to_range_string(&c->cpu_set);
4409 fprintf(f, "%sCPUAffinity: %s\n", prefix, affinity);
94f04347
LP		 4410 }
4411
b070c7c0
MS		 4412 if (mpol_is_valid(numa_policy_get_type(&c->numa_policy))) {
4413 _cleanup_free_ char *nodes = NULL;
4414
4415 nodes = cpu_set_to_range_string(&c->numa_policy.nodes);
4416 fprintf(f, "%sNUMAPolicy: %s\n", prefix, mpol_to_string(numa_policy_get_type(&c->numa_policy)));
4417 fprintf(f, "%sNUMAMask: %s\n", prefix, strnull(nodes));
4418 }
4419
3a43da28 4420 if (c->timer_slack_nsec != NSEC_INFINITY)
ccd06097 4421 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
94f04347
LP		 4422
4423 fprintf(f,
80876c20
LP		 4424 "%sStandardInput: %s\n"
4425 "%sStandardOutput: %s\n"
4426 "%sStandardError: %s\n",
4427 prefix, exec_input_to_string(c->std_input),
4428 prefix, exec_output_to_string(c->std_output),
4429 prefix, exec_output_to_string(c->std_error));
4430
befc4a80
LP		 4431 if (c->std_input == EXEC_INPUT_NAMED_FD)
4432 fprintf(f, "%sStandardInputFileDescriptorName: %s\n", prefix, c->stdio_fdname[STDIN_FILENO]);
4433 if (c->std_output == EXEC_OUTPUT_NAMED_FD)
4434 fprintf(f, "%sStandardOutputFileDescriptorName: %s\n", prefix, c->stdio_fdname[STDOUT_FILENO]);
4435 if (c->std_error == EXEC_OUTPUT_NAMED_FD)
4436 fprintf(f, "%sStandardErrorFileDescriptorName: %s\n", prefix, c->stdio_fdname[STDERR_FILENO]);
4437
4438 if (c->std_input == EXEC_INPUT_FILE)
4439 fprintf(f, "%sStandardInputFile: %s\n", prefix, c->stdio_file[STDIN_FILENO]);
4440 if (c->std_output == EXEC_OUTPUT_FILE)
4441 fprintf(f, "%sStandardOutputFile: %s\n", prefix, c->stdio_file[STDOUT_FILENO]);
566b7d23
ZD		 4442 if (c->std_output == EXEC_OUTPUT_FILE_APPEND)
4443 fprintf(f, "%sStandardOutputFileToAppend: %s\n", prefix, c->stdio_file[STDOUT_FILENO]);
befc4a80
LP		 4444 if (c->std_error == EXEC_OUTPUT_FILE)
4445 fprintf(f, "%sStandardErrorFile: %s\n", prefix, c->stdio_file[STDERR_FILENO]);
566b7d23
ZD		 4446 if (c->std_error == EXEC_OUTPUT_FILE_APPEND)
4447 fprintf(f, "%sStandardErrorFileToAppend: %s\n", prefix, c->stdio_file[STDERR_FILENO]);
befc4a80 4448
80876c20
LP		 4449 if (c->tty_path)
4450 fprintf(f,
6ea832a2
LP		 4451 "%sTTYPath: %s\n"
4452 "%sTTYReset: %s\n"
4453 "%sTTYVHangup: %s\n"
4454 "%sTTYVTDisallocate: %s\n",
4455 prefix, c->tty_path,
4456 prefix, yes_no(c->tty_reset),
4457 prefix, yes_no(c->tty_vhangup),
4458 prefix, yes_no(c->tty_vt_disallocate));
94f04347 4459
9f6444eb
LP		 4460 if (IN_SET(c->std_output,
4461 EXEC_OUTPUT_SYSLOG,
4462 EXEC_OUTPUT_KMSG,
4463 EXEC_OUTPUT_JOURNAL,
4464 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
4465 EXEC_OUTPUT_KMSG_AND_CONSOLE,
4466 EXEC_OUTPUT_JOURNAL_AND_CONSOLE) ||
4467 IN_SET(c->std_error,
4468 EXEC_OUTPUT_SYSLOG,
4469 EXEC_OUTPUT_KMSG,
4470 EXEC_OUTPUT_JOURNAL,
4471 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
4472 EXEC_OUTPUT_KMSG_AND_CONSOLE,
4473 EXEC_OUTPUT_JOURNAL_AND_CONSOLE)) {
f8b69d1d 4474
5ce70e5b 4475 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
f8b69d1d 4476
837df140
YW		 4477 r = log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
4478 if (r >= 0)
4479 fprintf(f, "%sSyslogFacility: %s\n", prefix, fac_str);
f8b69d1d 4480
837df140
YW		 4481 r = log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
4482 if (r >= 0)
4483 fprintf(f, "%sSyslogLevel: %s\n", prefix, lvl_str);
f8b69d1d 4484 }
94f04347 4485
d3070fbd
LP		 4486 if (c->log_level_max >= 0) {
4487 _cleanup_free_ char *t = NULL;
4488
4489 (void) log_level_to_string_alloc(c->log_level_max, &t);
4490
4491 fprintf(f, "%sLogLevelMax: %s\n", prefix, strna(t));
4492 }
4493
90fc172e
AZ		 4494 if (c->log_rate_limit_interval_usec > 0) {
4495 char buf_timespan[FORMAT_TIMESPAN_MAX];
4496
4497 fprintf(f,
4498 "%sLogRateLimitIntervalSec: %s\n",
4499 prefix, format_timespan(buf_timespan, sizeof(buf_timespan), c->log_rate_limit_interval_usec, USEC_PER_SEC));
4500 }
4501
4502 if (c->log_rate_limit_burst > 0)
4503 fprintf(f, "%sLogRateLimitBurst: %u\n", prefix, c->log_rate_limit_burst);
4504
d3070fbd
LP		 4505 if (c->n_log_extra_fields > 0) {
4506 size_t j;
4507
4508 for (j = 0; j < c->n_log_extra_fields; j++) {
4509 fprintf(f, "%sLogExtraFields: ", prefix);
4510 fwrite(c->log_extra_fields[j].iov_base,
4511 1, c->log_extra_fields[j].iov_len,
4512 f);
4513 fputc('\n', f);
4514 }
4515 }
4516
07d46372
YW		 4517 if (c->secure_bits) {
4518 _cleanup_free_ char *str = NULL;
4519
4520 r = secure_bits_to_string_alloc(c->secure_bits, &str);
4521 if (r >= 0)
4522 fprintf(f, "%sSecure Bits: %s\n", prefix, str);
4523 }
94f04347 4524
a103496c 4525 if (c->capability_bounding_set != CAP_ALL) {
dd1f5bd0 4526 _cleanup_free_ char *str = NULL;
94f04347 4527
dd1f5bd0
YW		 4528 r = capability_set_to_string_alloc(c->capability_bounding_set, &str);
4529 if (r >= 0)
4530 fprintf(f, "%sCapabilityBoundingSet: %s\n", prefix, str);
755d4b67
IP		 4531 }
4532
4533 if (c->capability_ambient_set != 0) {
dd1f5bd0 4534 _cleanup_free_ char *str = NULL;
755d4b67 4535
dd1f5bd0
YW		 4536 r = capability_set_to_string_alloc(c->capability_ambient_set, &str);
4537 if (r >= 0)
4538 fprintf(f, "%sAmbientCapabilities: %s\n", prefix, str);
94f04347
LP		 4539 }
4540
4541 if (c->user)
f2d3769a 4542 fprintf(f, "%sUser: %s\n", prefix, c->user);
94f04347 4543 if (c->group)
f2d3769a 4544 fprintf(f, "%sGroup: %s\n", prefix, c->group);
94f04347 4545
29206d46
LP		 4546 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
4547
ac6e8be6 4548 if (!strv_isempty(c->supplementary_groups)) {
94f04347 4549 fprintf(f, "%sSupplementaryGroups:", prefix);
15ae422b
LP		 4550 strv_fprintf(f, c->supplementary_groups);
4551 fputs("\n", f);
4552 }
94f04347 4553
5b6319dc 4554 if (c->pam_name)
f2d3769a 4555 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
5b6319dc 4556
58629001 4557 if (!strv_isempty(c->read_write_paths)) {
2a624c36
AP		 4558 fprintf(f, "%sReadWritePaths:", prefix);
4559 strv_fprintf(f, c->read_write_paths);
15ae422b
LP		 4560 fputs("\n", f);
4561 }
4562
58629001 4563 if (!strv_isempty(c->read_only_paths)) {
2a624c36
AP		 4564 fprintf(f, "%sReadOnlyPaths:", prefix);
4565 strv_fprintf(f, c->read_only_paths);
15ae422b
LP		 4566 fputs("\n", f);
4567 }
94f04347 4568
58629001 4569 if (!strv_isempty(c->inaccessible_paths)) {
2a624c36
AP		 4570 fprintf(f, "%sInaccessiblePaths:", prefix);
4571 strv_fprintf(f, c->inaccessible_paths);
94f04347
LP		 4572 fputs("\n", f);
4573 }
2e22afe9 4574
d2d6c096 4575 if (c->n_bind_mounts > 0)
4ca763a9
YW		 4576 for (i = 0; i < c->n_bind_mounts; i++)
4577 fprintf(f, "%s%s: %s%s:%s:%s\n", prefix,
d2d6c096 4578 c->bind_mounts[i].read_only ? "BindReadOnlyPaths" : "BindPaths",
4ca763a9 4579 c->bind_mounts[i].ignore_enoent ? "-": "",
d2d6c096
LP		 4580 c->bind_mounts[i].source,
4581 c->bind_mounts[i].destination,
4582 c->bind_mounts[i].recursive ? "rbind" : "norbind");
d2d6c096 4583
2abd4e38
YW		 4584 if (c->n_temporary_filesystems > 0)
4585 for (i = 0; i < c->n_temporary_filesystems; i++) {
4586 TemporaryFileSystem *t = c->temporary_filesystems + i;
4587
4588 fprintf(f, "%sTemporaryFileSystem: %s%s%s\n", prefix,
4589 t->path,
4590 isempty(t->options) ? "" : ":",
4591 strempty(t->options));
4592 }
4593
169c1bda
LP		 4594 if (c->utmp_id)
4595 fprintf(f,
4596 "%sUtmpIdentifier: %s\n",
4597 prefix, c->utmp_id);
7b52a628
MS		 4598
4599 if (c->selinux_context)
4600 fprintf(f,
5f8640fb
LP		 4601 "%sSELinuxContext: %s%s\n",
4602 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
17df7223 4603
80c21aea
WC		 4604 if (c->apparmor_profile)
4605 fprintf(f,
4606 "%sAppArmorProfile: %s%s\n",
4607 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
4608
4609 if (c->smack_process_label)
4610 fprintf(f,
4611 "%sSmackProcessLabel: %s%s\n",
4612 prefix, c->smack_process_label_ignore ? "-" : "", c->smack_process_label);
4613
050f7277 4614 if (c->personality != PERSONALITY_INVALID)
ac45f971
LP		 4615 fprintf(f,
4616 "%sPersonality: %s\n",
4617 prefix, strna(personality_to_string(c->personality)));
4618
78e864e5
TM		 4619 fprintf(f,
4620 "%sLockPersonality: %s\n",
4621 prefix, yes_no(c->lock_personality));
4622
17df7223 4623 if (c->syscall_filter) {
349cc4a5 4624#if HAVE_SECCOMP
17df7223 4625 Iterator j;
8cfa775f 4626 void *id, *val;
17df7223 4627 bool first = true;
351a19b1 4628#endif
17df7223
LP		 4629
4630 fprintf(f,
57183d11 4631 "%sSystemCallFilter: ",
17df7223
LP		 4632 prefix);
4633
4634 if (!c->syscall_whitelist)
4635 fputc('~', f);
4636
349cc4a5 4637#if HAVE_SECCOMP
8cfa775f 4638 HASHMAP_FOREACH_KEY(val, id, c->syscall_filter, j) {
17df7223 4639 _cleanup_free_ char *name = NULL;
8cfa775f
YW		 4640 const char *errno_name = NULL;
4641 int num = PTR_TO_INT(val);
17df7223
LP		 4642
4643 if (first)
4644 first = false;
4645 else
4646 fputc(' ', f);
4647
57183d11 4648 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
17df7223 4649 fputs(strna(name), f);
8cfa775f
YW		 4650
4651 if (num >= 0) {
4652 errno_name = errno_to_name(num);
4653 if (errno_name)
4654 fprintf(f, ":%s", errno_name);
4655 else
4656 fprintf(f, ":%d", num);
4657 }
17df7223 4658 }
351a19b1 4659#endif
17df7223
LP		 4660
4661 fputc('\n', f);
4662 }
4663
57183d11 4664 if (c->syscall_archs) {
349cc4a5 4665#if HAVE_SECCOMP
57183d11
LP		 4666 Iterator j;
4667 void *id;
4668#endif
4669
4670 fprintf(f,
4671 "%sSystemCallArchitectures:",
4672 prefix);
4673
349cc4a5 4674#if HAVE_SECCOMP
57183d11
LP		 4675 SET_FOREACH(id, c->syscall_archs, j)
4676 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
4677#endif
4678 fputc('\n', f);
4679 }
4680
add00535
LP		 4681 if (exec_context_restrict_namespaces_set(c)) {
4682 _cleanup_free_ char *s = NULL;
4683
86c2a9f1 4684 r = namespace_flags_to_string(c->restrict_namespaces, &s);
add00535
LP		 4685 if (r >= 0)
4686 fprintf(f, "%sRestrictNamespaces: %s\n",
4687 prefix, s);
4688 }
4689
a8d08f39
LP		 4690 if (c->network_namespace_path)
4691 fprintf(f,
4692 "%sNetworkNamespacePath: %s\n",
4693 prefix, c->network_namespace_path);
4694
3df90f24
YW		 4695 if (c->syscall_errno > 0) {
4696 const char *errno_name;
4697
4698 fprintf(f, "%sSystemCallErrorNumber: ", prefix);
4699
4700 errno_name = errno_to_name(c->syscall_errno);
4701 if (errno_name)
4702 fprintf(f, "%s\n", errno_name);
4703 else
4704 fprintf(f, "%d\n", c->syscall_errno);
4705 }
5cb5a6ff
LP		 4706}
4707
34cf6c43 4708bool exec_context_maintains_privileges(const ExecContext *c) {
a931ad47
LP		 4709 assert(c);
4710
61233823 4711 /* Returns true if the process forked off would run under
a931ad47
LP		 4712 * an unchanged UID or as root. */
4713
4714 if (!c->user)
4715 return true;
4716
4717 if (streq(c->user, "root") || streq(c->user, "0"))
4718 return true;
4719
4720 return false;
4721}
4722
34cf6c43 4723int exec_context_get_effective_ioprio(const ExecContext *c) {
7f452159
LP		 4724 int p;
4725
4726 assert(c);
4727
4728 if (c->ioprio_set)
4729 return c->ioprio;
4730
4731 p = ioprio_get(IOPRIO_WHO_PROCESS, 0);
4732 if (p < 0)
4733 return IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 4);
4734
4735 return p;
4736}
4737
d3070fbd
LP		 4738void exec_context_free_log_extra_fields(ExecContext *c) {
4739 size_t l;
4740
4741 assert(c);
4742
4743 for (l = 0; l < c->n_log_extra_fields; l++)
4744 free(c->log_extra_fields[l].iov_base);
4745 c->log_extra_fields = mfree(c->log_extra_fields);
4746 c->n_log_extra_fields = 0;
4747}
4748
6f765baf
LP		 4749void exec_context_revert_tty(ExecContext *c) {
4750 int r;
4751
4752 assert(c);
4753
4754 /* First, reset the TTY (possibly kicking everybody else from the TTY) */
4755 exec_context_tty_reset(c, NULL);
4756
4757 /* And then undo what chown_terminal() did earlier. Note that we only do this if we have a path
4758 * configured. If the TTY was passed to us as file descriptor we assume the TTY is opened and managed
4759 * by whoever passed it to us and thus knows better when and how to chmod()/chown() it back. */
4760
4761 if (exec_context_may_touch_tty(c)) {
4762 const char *path;
4763
4764 path = exec_context_tty_path(c);
4765 if (path) {
4766 r = chmod_and_chown(path, TTY_MODE, 0, TTY_GID);
4767 if (r < 0 && r != -ENOENT)
4768 log_warning_errno(r, "Failed to reset TTY ownership/access mode of %s, ignoring: %m", path);
4769 }
4770 }
4771}
4772
4c2f5842
LP		 4773int exec_context_get_clean_directories(
4774 ExecContext *c,
4775 char **prefix,
4776 ExecCleanMask mask,
4777 char ***ret) {
4778
4779 _cleanup_strv_free_ char **l = NULL;
4780 ExecDirectoryType t;
4781 int r;
4782
4783 assert(c);
4784 assert(prefix);
4785 assert(ret);
4786
4787 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
4788 char **i;
4789
4790 if (!FLAGS_SET(mask, 1U << t))
4791 continue;
4792
4793 if (!prefix[t])
4794 continue;
4795
4796 STRV_FOREACH(i, c->directories[t].paths) {
4797 char *j;
4798
4799 j = path_join(prefix[t], *i);
4800 if (!j)
4801 return -ENOMEM;
4802
4803 r = strv_consume(&l, j);
4804 if (r < 0)
4805 return r;
4806 }
4807 }
4808
4809 *ret = TAKE_PTR(l);
4810 return 0;
4811}
4812
4813int exec_context_get_clean_mask(ExecContext *c, ExecCleanMask *ret) {
4814 ExecCleanMask mask = 0;
4815
4816 assert(c);
4817 assert(ret);
4818
4819 for (ExecDirectoryType t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++)
4820 if (!strv_isempty(c->directories[t].paths))
4821 mask |= 1U << t;
4822
4823 *ret = mask;
4824 return 0;
4825}
4826
b58b4116 4827void exec_status_start(ExecStatus *s, pid_t pid) {
034c6ed7 4828 assert(s);
5cb5a6ff 4829
2ed26ed0
LP		 4830 *s = (ExecStatus) {
4831 .pid = pid,
4832 };
4833
b58b4116
LP		 4834 dual_timestamp_get(&s->start_timestamp);
4835}
4836
34cf6c43 4837void exec_status_exit(ExecStatus *s, const ExecContext *context, pid_t pid, int code, int status) {
b58b4116
LP		 4838 assert(s);
4839
2ed26ed0
LP		 4840 if (s->pid != pid) {
4841 *s = (ExecStatus) {
4842 .pid = pid,
4843 };
4844 }
b58b4116 4845
63983207 4846 dual_timestamp_get(&s->exit_timestamp);
9fb86720 4847
034c6ed7
LP		 4848 s->code = code;
4849 s->status = status;
169c1bda 4850
6f765baf
LP		 4851 if (context && context->utmp_id)
4852 (void) utmp_put_dead_process(context->utmp_id, pid, code, status);
9fb86720
LP		 4853}
4854
6a1d4d9f
LP		 4855void exec_status_reset(ExecStatus *s) {
4856 assert(s);
4857
4858 *s = (ExecStatus) {};
4859}
4860
34cf6c43 4861void exec_status_dump(const ExecStatus *s, FILE *f, const char *prefix) {
9fb86720
LP		 4862 char buf[FORMAT_TIMESTAMP_MAX];
4863
4864 assert(s);
4865 assert(f);
4866
9fb86720
LP		 4867 if (s->pid <= 0)
4868 return;
4869
4c940960
LP		 4870 prefix = strempty(prefix);
4871
9fb86720 4872 fprintf(f,
ccd06097
ZJS		 4873 "%sPID: "PID_FMT"\n",
4874 prefix, s->pid);
9fb86720 4875
af9d16e1 4876 if (dual_timestamp_is_set(&s->start_timestamp))
9fb86720
LP		 4877 fprintf(f,
4878 "%sStart Timestamp: %s\n",
63983207 4879 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
9fb86720 4880
af9d16e1 4881 if (dual_timestamp_is_set(&s->exit_timestamp))
9fb86720
LP		 4882 fprintf(f,
4883 "%sExit Timestamp: %s\n"
4884 "%sExit Code: %s\n"
4885 "%sExit Status: %i\n",
63983207 4886 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
9fb86720
LP		 4887 prefix, sigchld_code_to_string(s->code),
4888 prefix, s->status);
5cb5a6ff 4889}
44d8db9e 4890
34cf6c43 4891static char *exec_command_line(char **argv) {
44d8db9e
LP		 4892 size_t k;
4893 char *n, *p, **a;
4894 bool first = true;
4895
9e2f7c11 4896 assert(argv);
44d8db9e 4897
9164977d 4898 k = 1;
9e2f7c11 4899 STRV_FOREACH(a, argv)
44d8db9e
LP		 4900 k += strlen(*a)+3;
4901
5cd9cd35
LP		 4902 n = new(char, k);
4903 if (!n)
44d8db9e
LP		 4904 return NULL;
4905
4906 p = n;
9e2f7c11 4907 STRV_FOREACH(a, argv) {
44d8db9e
LP		 4908
4909 if (!first)
4910 *(p++) = ' ';
4911 else
4912 first = false;
4913
4914 if (strpbrk(*a, WHITESPACE)) {
4915 *(p++) = '\'';
4916 p = stpcpy(p, *a);
4917 *(p++) = '\'';
4918 } else
4919 p = stpcpy(p, *a);
4920
4921 }
4922
9164977d
LP		 4923 *p = 0;
4924
44d8db9e
LP		 4925 /* FIXME: this doesn't really handle arguments that have
4926 * spaces and ticks in them */
4927
4928 return n;
4929}
4930
34cf6c43 4931static void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
e1d75803 4932 _cleanup_free_ char *cmd = NULL;
4c940960 4933 const char *prefix2;
44d8db9e
LP		 4934
4935 assert(c);
4936 assert(f);
4937
4c940960 4938 prefix = strempty(prefix);
63c372cb 4939 prefix2 = strjoina(prefix, "\t");
44d8db9e 4940
9e2f7c11 4941 cmd = exec_command_line(c->argv);
44d8db9e
LP		 4942 fprintf(f,
4943 "%sCommand Line: %s\n",
4bbccb02 4944 prefix, cmd ? cmd : strerror_safe(ENOMEM));
44d8db9e 4945
9fb86720 4946 exec_status_dump(&c->exec_status, f, prefix2);
44d8db9e
LP		 4947}
4948
4949void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
4950 assert(f);
4951
4c940960 4952 prefix = strempty(prefix);
44d8db9e
LP		 4953
4954 LIST_FOREACH(command, c, c)
4955 exec_command_dump(c, f, prefix);
4956}
94f04347 4957
a6a80b4f
LP		 4958void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
4959 ExecCommand *end;
4960
4961 assert(l);
4962 assert(e);
4963
4964 if (*l) {
35b8ca3a 4965 /* It's kind of important, that we keep the order here */
71fda00f
LP		 4966 LIST_FIND_TAIL(command, *l, end);
4967 LIST_INSERT_AFTER(command, *l, end, e);
a6a80b4f
LP		 4968 } else
4969 *l = e;
4970}
4971
26fd040d
LP		 4972int exec_command_set(ExecCommand *c, const char *path, ...) {
4973 va_list ap;
4974 char **l, *p;
4975
4976 assert(c);
4977 assert(path);
4978
4979 va_start(ap, path);
4980 l = strv_new_ap(path, ap);
4981 va_end(ap);
4982
4983 if (!l)
4984 return -ENOMEM;
4985
250a918d
LP		 4986 p = strdup(path);
4987 if (!p) {
26fd040d
LP		 4988 strv_free(l);
4989 return -ENOMEM;
4990 }
4991
6897dfe8 4992 free_and_replace(c->path, p);
26fd040d 4993
130d3d22 4994 return strv_free_and_replace(c->argv, l);
26fd040d
LP		 4995}
4996
86b23b07 4997int exec_command_append(ExecCommand *c, const char *path, ...) {
e63ff941 4998 _cleanup_strv_free_ char **l = NULL;
86b23b07 4999 va_list ap;
86b23b07
JS		 5000 int r;
5001
5002 assert(c);
5003 assert(path);
5004
5005 va_start(ap, path);
5006 l = strv_new_ap(path, ap);
5007 va_end(ap);
5008
5009 if (!l)
5010 return -ENOMEM;
5011
e287086b 5012 r = strv_extend_strv(&c->argv, l, false);
e63ff941 5013 if (r < 0)
86b23b07 5014 return r;
86b23b07
JS		 5015
5016 return 0;
5017}
5018
e8a565cb
YW		 5019static void *remove_tmpdir_thread(void *p) {
5020 _cleanup_free_ char *path = p;
86b23b07 5021
e8a565cb
YW		 5022 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
5023 return NULL;
5024}
5025
5026static ExecRuntime* exec_runtime_free(ExecRuntime *rt, bool destroy) {
5027 int r;
5028
5029 if (!rt)
5030 return NULL;
5031
5032 if (rt->manager)
5033 (void) hashmap_remove(rt->manager->exec_runtime_by_id, rt->id);
5034
5035 /* When destroy is true, then rm_rf tmp_dir and var_tmp_dir. */
5036 if (destroy && rt->tmp_dir) {
5037 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
5038
5039 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
5040 if (r < 0) {
5041 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
5042 free(rt->tmp_dir);
5043 }
5044
5045 rt->tmp_dir = NULL;
5046 }
613b411c 5047
e8a565cb
YW		 5048 if (destroy && rt->var_tmp_dir) {
5049 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
5050
5051 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
5052 if (r < 0) {
5053 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
5054 free(rt->var_tmp_dir);
5055 }
5056
5057 rt->var_tmp_dir = NULL;
5058 }
5059
5060 rt->id = mfree(rt->id);
5061 rt->tmp_dir = mfree(rt->tmp_dir);
5062 rt->var_tmp_dir = mfree(rt->var_tmp_dir);
5063 safe_close_pair(rt->netns_storage_socket);
5064 return mfree(rt);
5065}
5066
5067static void exec_runtime_freep(ExecRuntime **rt) {
da6bc6ed 5068 (void) exec_runtime_free(*rt, false);
e8a565cb
YW		 5069}
5070
8e8009dc
LP		 5071static int exec_runtime_allocate(ExecRuntime **ret) {
5072 ExecRuntime *n;
613b411c 5073
8e8009dc 5074 assert(ret);
613b411c 5075
8e8009dc
LP		 5076 n = new(ExecRuntime, 1);
5077 if (!n)
613b411c
LP		 5078 return -ENOMEM;
5079
8e8009dc
LP		 5080 *n = (ExecRuntime) {
5081 .netns_storage_socket = { -1, -1 },
5082 };
5083
5084 *ret = n;
613b411c
LP		 5085 return 0;
5086}
5087
e8a565cb
YW		 5088static int exec_runtime_add(
5089 Manager *m,
5090 const char *id,
5091 const char *tmp_dir,
5092 const char *var_tmp_dir,
5093 const int netns_storage_socket[2],
5094 ExecRuntime **ret) {
5095
5096 _cleanup_(exec_runtime_freep) ExecRuntime *rt = NULL;
613b411c
LP		 5097 int r;
5098
e8a565cb 5099 assert(m);
613b411c
LP		 5100 assert(id);
5101
e8a565cb
YW		 5102 r = hashmap_ensure_allocated(&m->exec_runtime_by_id, &string_hash_ops);
5103 if (r < 0)
5104 return r;
613b411c 5105
e8a565cb 5106 r = exec_runtime_allocate(&rt);
613b411c
LP		 5107 if (r < 0)
5108 return r;
5109
e8a565cb
YW		 5110 rt->id = strdup(id);
5111 if (!rt->id)
5112 return -ENOMEM;
5113
5114 if (tmp_dir) {
5115 rt->tmp_dir = strdup(tmp_dir);
5116 if (!rt->tmp_dir)
5117 return -ENOMEM;
5118
5119 /* When tmp_dir is set, then we require var_tmp_dir is also set. */
5120 assert(var_tmp_dir);
5121 rt->var_tmp_dir = strdup(var_tmp_dir);
5122 if (!rt->var_tmp_dir)
5123 return -ENOMEM;
5124 }
5125
5126 if (netns_storage_socket) {
5127 rt->netns_storage_socket[0] = netns_storage_socket[0];
5128 rt->netns_storage_socket[1] = netns_storage_socket[1];
613b411c
LP		 5129 }
5130
e8a565cb
YW		 5131 r = hashmap_put(m->exec_runtime_by_id, rt->id, rt);
5132 if (r < 0)
5133 return r;
5134
5135 rt->manager = m;
5136
5137 if (ret)
5138 *ret = rt;
5139
5140 /* do not remove created ExecRuntime object when the operation succeeds. */
5141 rt = NULL;
5142 return 0;
5143}
5144
5145static int exec_runtime_make(Manager *m, const ExecContext *c, const char *id, ExecRuntime **ret) {
5146 _cleanup_free_ char *tmp_dir = NULL, *var_tmp_dir = NULL;
2fa3742d 5147 _cleanup_close_pair_ int netns_storage_socket[2] = { -1, -1 };
e8a565cb
YW		 5148 int r;
5149
5150 assert(m);
5151 assert(c);
5152 assert(id);
5153
5154 /* It is not necessary to create ExecRuntime object. */
a8d08f39 5155 if (!c->private_network && !c->private_tmp && !c->network_namespace_path)
e8a565cb
YW		 5156 return 0;
5157
5158 if (c->private_tmp) {
5159 r = setup_tmp_dirs(id, &tmp_dir, &var_tmp_dir);
613b411c
LP		 5160 if (r < 0)
5161 return r;
5162 }
5163
a8d08f39 5164 if (c->private_network || c->network_namespace_path) {
e8a565cb
YW		 5165 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, netns_storage_socket) < 0)
5166 return -errno;
5167 }
5168
5169 r = exec_runtime_add(m, id, tmp_dir, var_tmp_dir, netns_storage_socket, ret);
5170 if (r < 0)
5171 return r;
5172
5173 /* Avoid cleanup */
2fa3742d 5174 netns_storage_socket[0] = netns_storage_socket[1] = -1;
613b411c
LP		 5175 return 1;
5176}
5177
e8a565cb
YW		 5178int exec_runtime_acquire(Manager *m, const ExecContext *c, const char *id, bool create, ExecRuntime **ret) {
5179 ExecRuntime *rt;
5180 int r;
613b411c 5181
e8a565cb
YW		 5182 assert(m);
5183 assert(id);
5184 assert(ret);
5185
5186 rt = hashmap_get(m->exec_runtime_by_id, id);
5187 if (rt)
5188 /* We already have a ExecRuntime object, let's increase the ref count and reuse it */
5189 goto ref;
5190
5191 if (!create)
5192 return 0;
5193
5194 /* If not found, then create a new object. */
5195 r = exec_runtime_make(m, c, id, &rt);
5196 if (r <= 0)
5197 /* When r == 0, it is not necessary to create ExecRuntime object. */
5198 return r;
613b411c 5199
e8a565cb
YW		 5200ref:
5201 /* increment reference counter. */
5202 rt->n_ref++;
5203 *ret = rt;
5204 return 1;
5205}
613b411c 5206
e8a565cb
YW		 5207ExecRuntime *exec_runtime_unref(ExecRuntime *rt, bool destroy) {
5208 if (!rt)
613b411c
LP		 5209 return NULL;
5210
e8a565cb 5211 assert(rt->n_ref > 0);
613b411c 5212
e8a565cb
YW		 5213 rt->n_ref--;
5214 if (rt->n_ref > 0)
f2341e0a
LP		 5215 return NULL;
5216
e8a565cb 5217 return exec_runtime_free(rt, destroy);
613b411c
LP		 5218}
5219
e8a565cb
YW		 5220int exec_runtime_serialize(const Manager *m, FILE *f, FDSet *fds) {
5221 ExecRuntime *rt;
5222 Iterator i;
5223
5224 assert(m);
613b411c
LP		 5225 assert(f);
5226 assert(fds);
5227
e8a565cb
YW		 5228 HASHMAP_FOREACH(rt, m->exec_runtime_by_id, i) {
5229 fprintf(f, "exec-runtime=%s", rt->id);
613b411c 5230
e8a565cb
YW		 5231 if (rt->tmp_dir)
5232 fprintf(f, " tmp-dir=%s", rt->tmp_dir);
613b411c 5233
e8a565cb
YW		 5234 if (rt->var_tmp_dir)
5235 fprintf(f, " var-tmp-dir=%s", rt->var_tmp_dir);
613b411c 5236
e8a565cb
YW		 5237 if (rt->netns_storage_socket[0] >= 0) {
5238 int copy;
613b411c 5239
e8a565cb
YW		 5240 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
5241 if (copy < 0)
5242 return copy;
613b411c 5243
e8a565cb
YW		 5244 fprintf(f, " netns-socket-0=%i", copy);
5245 }
613b411c 5246
e8a565cb
YW		 5247 if (rt->netns_storage_socket[1] >= 0) {
5248 int copy;
613b411c 5249
e8a565cb
YW		 5250 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
5251 if (copy < 0)
5252 return copy;
613b411c 5253
e8a565cb
YW		 5254 fprintf(f, " netns-socket-1=%i", copy);
5255 }
5256
5257 fputc('\n', f);
613b411c
LP		 5258 }
5259
5260 return 0;
5261}
5262
e8a565cb
YW		 5263int exec_runtime_deserialize_compat(Unit *u, const char *key, const char *value, FDSet *fds) {
5264 _cleanup_(exec_runtime_freep) ExecRuntime *rt_create = NULL;
5265 ExecRuntime *rt;
613b411c
LP		 5266 int r;
5267
e8a565cb
YW		 5268 /* This is for the migration from old (v237 or earlier) deserialization text.
5269 * Due to the bug #7790, this may not work with the units that use JoinsNamespaceOf=.
5270 * Even if the ExecRuntime object originally created by the other unit, we cannot judge
5271 * so or not from the serialized text, then we always creates a new object owned by this. */
5272
5273 assert(u);
613b411c
LP		 5274 assert(key);
5275 assert(value);
5276
e8a565cb
YW		 5277 /* Manager manages ExecRuntime objects by the unit id.
5278 * So, we omit the serialized text when the unit does not have id (yet?)... */
5279 if (isempty(u->id)) {
5280 log_unit_debug(u, "Invocation ID not found. Dropping runtime parameter.");
5281 return 0;
5282 }
613b411c 5283
e8a565cb
YW		 5284 r = hashmap_ensure_allocated(&u->manager->exec_runtime_by_id, &string_hash_ops);
5285 if (r < 0) {
5286 log_unit_debug_errno(u, r, "Failed to allocate storage for runtime parameter: %m");
5287 return 0;
5288 }
5289
5290 rt = hashmap_get(u->manager->exec_runtime_by_id, u->id);
5291 if (!rt) {
5292 r = exec_runtime_allocate(&rt_create);
613b411c 5293 if (r < 0)
f2341e0a 5294 return log_oom();
613b411c 5295
e8a565cb
YW		 5296 rt_create->id = strdup(u->id);
5297 if (!rt_create->id)
5298 return log_oom();
5299
5300 rt = rt_create;
5301 }
5302
5303 if (streq(key, "tmp-dir")) {
5304 char *copy;
5305
613b411c
LP		 5306 copy = strdup(value);
5307 if (!copy)
5308 return log_oom();
5309
e8a565cb 5310 free_and_replace(rt->tmp_dir, copy);
613b411c
LP		 5311
5312 } else if (streq(key, "var-tmp-dir")) {
5313 char *copy;
5314
613b411c
LP		 5315 copy = strdup(value);
5316 if (!copy)
5317 return log_oom();
5318
e8a565cb 5319 free_and_replace(rt->var_tmp_dir, copy);
613b411c
LP		 5320
5321 } else if (streq(key, "netns-socket-0")) {
5322 int fd;
5323
e8a565cb 5324 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd)) {
f2341e0a 5325 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
e8a565cb 5326 return 0;
613b411c 5327 }
e8a565cb
YW		 5328
5329 safe_close(rt->netns_storage_socket[0]);
5330 rt->netns_storage_socket[0] = fdset_remove(fds, fd);
5331
613b411c
LP		 5332 } else if (streq(key, "netns-socket-1")) {
5333 int fd;
5334
e8a565cb 5335 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd)) {
f2341e0a 5336 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
e8a565cb 5337 return 0;
613b411c 5338 }
e8a565cb
YW		 5339
5340 safe_close(rt->netns_storage_socket[1]);
5341 rt->netns_storage_socket[1] = fdset_remove(fds, fd);
613b411c
LP		 5342 } else
5343 return 0;
5344
e8a565cb
YW		 5345 /* If the object is newly created, then put it to the hashmap which manages ExecRuntime objects. */
5346 if (rt_create) {
5347 r = hashmap_put(u->manager->exec_runtime_by_id, rt_create->id, rt_create);
5348 if (r < 0) {
3fe91079 5349 log_unit_debug_errno(u, r, "Failed to put runtime parameter to manager's storage: %m");
e8a565cb
YW		 5350 return 0;
5351 }
613b411c 5352
e8a565cb 5353 rt_create->manager = u->manager;
613b411c 5354
e8a565cb
YW		 5355 /* Avoid cleanup */
5356 rt_create = NULL;
5357 }
98b47d54 5358
e8a565cb
YW		 5359 return 1;
5360}
613b411c 5361
e8a565cb
YW		 5362void exec_runtime_deserialize_one(Manager *m, const char *value, FDSet *fds) {
5363 char *id = NULL, *tmp_dir = NULL, *var_tmp_dir = NULL;
5364 int r, fd0 = -1, fd1 = -1;
5365 const char *p, *v = value;
5366 size_t n;
613b411c 5367
e8a565cb
YW		 5368 assert(m);
5369 assert(value);
5370 assert(fds);
98b47d54 5371
e8a565cb
YW		 5372 n = strcspn(v, " ");
5373 id = strndupa(v, n);
5374 if (v[n] != ' ')
5375 goto finalize;
5376 p = v + n + 1;
5377
5378 v = startswith(p, "tmp-dir=");
5379 if (v) {
5380 n = strcspn(v, " ");
5381 tmp_dir = strndupa(v, n);
5382 if (v[n] != ' ')
5383 goto finalize;
5384 p = v + n + 1;
5385 }
5386
5387 v = startswith(p, "var-tmp-dir=");
5388 if (v) {
5389 n = strcspn(v, " ");
5390 var_tmp_dir = strndupa(v, n);
5391 if (v[n] != ' ')
5392 goto finalize;
5393 p = v + n + 1;
5394 }
5395
5396 v = startswith(p, "netns-socket-0=");
5397 if (v) {
5398 char *buf;
5399
5400 n = strcspn(v, " ");
5401 buf = strndupa(v, n);
5402 if (safe_atoi(buf, &fd0) < 0 || !fdset_contains(fds, fd0)) {
5403 log_debug("Unable to process exec-runtime netns fd specification.");
5404 return;
98b47d54 5405 }
e8a565cb
YW		 5406 fd0 = fdset_remove(fds, fd0);
5407 if (v[n] != ' ')
5408 goto finalize;
5409 p = v + n + 1;
613b411c
LP		 5410 }
5411
e8a565cb
YW		 5412 v = startswith(p, "netns-socket-1=");
5413 if (v) {
5414 char *buf;
98b47d54 5415
e8a565cb
YW		 5416 n = strcspn(v, " ");
5417 buf = strndupa(v, n);
5418 if (safe_atoi(buf, &fd1) < 0 || !fdset_contains(fds, fd1)) {
5419 log_debug("Unable to process exec-runtime netns fd specification.");
5420 return;
98b47d54 5421 }
e8a565cb
YW		 5422 fd1 = fdset_remove(fds, fd1);
5423 }
98b47d54 5424
e8a565cb
YW		 5425finalize:
5426
5427 r = exec_runtime_add(m, id, tmp_dir, var_tmp_dir, (int[]) { fd0, fd1 }, NULL);
7d853ca6 5428 if (r < 0)
e8a565cb 5429 log_debug_errno(r, "Failed to add exec-runtime: %m");
e8a565cb 5430}
613b411c 5431
e8a565cb
YW		 5432void exec_runtime_vacuum(Manager *m) {
5433 ExecRuntime *rt;
5434 Iterator i;
5435
5436 assert(m);
5437
5438 /* Free unreferenced ExecRuntime objects. This is used after manager deserialization process. */
5439
5440 HASHMAP_FOREACH(rt, m->exec_runtime_by_id, i) {
5441 if (rt->n_ref > 0)
5442 continue;
5443
5444 (void) exec_runtime_free(rt, false);
5445 }
613b411c
LP		 5446}
5447
b9c04eaf
YW		 5448void exec_params_clear(ExecParameters *p) {
5449 if (!p)
5450 return;
5451
5452 strv_free(p->environment);
5453}
5454
80876c20
LP		 5455static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
5456 [EXEC_INPUT_NULL] = "null",
5457 [EXEC_INPUT_TTY] = "tty",
5458 [EXEC_INPUT_TTY_FORCE] = "tty-force",
4f2d528d 5459 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
52c239d7
LB		 5460 [EXEC_INPUT_SOCKET] = "socket",
5461 [EXEC_INPUT_NAMED_FD] = "fd",
08f3be7a 5462 [EXEC_INPUT_DATA] = "data",
2038c3f5 5463 [EXEC_INPUT_FILE] = "file",
80876c20
LP		 5464};
5465
8a0867d6
LP		 5466DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
5467
94f04347 5468static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
80876c20 5469 [EXEC_OUTPUT_INHERIT] = "inherit",
94f04347 5470 [EXEC_OUTPUT_NULL] = "null",
80876c20 5471 [EXEC_OUTPUT_TTY] = "tty",
94f04347 5472 [EXEC_OUTPUT_SYSLOG] = "syslog",
28dbc1e8 5473 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
9a6bca7a 5474 [EXEC_OUTPUT_KMSG] = "kmsg",
28dbc1e8 5475 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
706343f4
LP		 5476 [EXEC_OUTPUT_JOURNAL] = "journal",
5477 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
52c239d7
LB		 5478 [EXEC_OUTPUT_SOCKET] = "socket",
5479 [EXEC_OUTPUT_NAMED_FD] = "fd",
2038c3f5 5480 [EXEC_OUTPUT_FILE] = "file",
566b7d23 5481 [EXEC_OUTPUT_FILE_APPEND] = "append",
94f04347
LP		 5482};
5483
5484DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
023a4f67
LP		 5485
5486static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
5487 [EXEC_UTMP_INIT] = "init",
5488 [EXEC_UTMP_LOGIN] = "login",
5489 [EXEC_UTMP_USER] = "user",
5490};
5491
5492DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
53f47dfc
YW		 5493
5494static const char* const exec_preserve_mode_table[_EXEC_PRESERVE_MODE_MAX] = {
5495 [EXEC_PRESERVE_NO] = "no",
5496 [EXEC_PRESERVE_YES] = "yes",
5497 [EXEC_PRESERVE_RESTART] = "restart",
5498};
5499
5500DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(exec_preserve_mode, ExecPreserveMode, EXEC_PRESERVE_YES);
3536f49e 5501
6b7b2ed9 5502/* This table maps ExecDirectoryType to the setting it is configured with in the unit */
72fd1768 5503static const char* const exec_directory_type_table[_EXEC_DIRECTORY_TYPE_MAX] = {
3536f49e
YW		 5504 [EXEC_DIRECTORY_RUNTIME] = "RuntimeDirectory",
5505 [EXEC_DIRECTORY_STATE] = "StateDirectory",
5506 [EXEC_DIRECTORY_CACHE] = "CacheDirectory",
5507 [EXEC_DIRECTORY_LOGS] = "LogsDirectory",
5508 [EXEC_DIRECTORY_CONFIGURATION] = "ConfigurationDirectory",
5509};
5510
5511DEFINE_STRING_TABLE_LOOKUP(exec_directory_type, ExecDirectoryType);
b1edf445 5512
6b7b2ed9
LP		 5513/* And this table maps ExecDirectoryType too, but to a generic term identifying the type of resource. This
5514 * one is supposed to be generic enough to be used for unit types that don't use ExecContext and per-unit
5515 * directories, specifically .timer units with their timestamp touch file. */
5516static const char* const exec_resource_type_table[_EXEC_DIRECTORY_TYPE_MAX] = {
5517 [EXEC_DIRECTORY_RUNTIME] = "runtime",
5518 [EXEC_DIRECTORY_STATE] = "state",
5519 [EXEC_DIRECTORY_CACHE] = "cache",
5520 [EXEC_DIRECTORY_LOGS] = "logs",
5521 [EXEC_DIRECTORY_CONFIGURATION] = "configuration",
5522};
5523
5524DEFINE_STRING_TABLE_LOOKUP(exec_resource_type, ExecDirectoryType);
5525
5526/* And this table also maps ExecDirectoryType, to the environment variable we pass the selected directory to
5527 * the service payload in. */
fb2042dd
YW		 5528static const char* const exec_directory_env_name_table[_EXEC_DIRECTORY_TYPE_MAX] = {
5529 [EXEC_DIRECTORY_RUNTIME] = "RUNTIME_DIRECTORY",
5530 [EXEC_DIRECTORY_STATE] = "STATE_DIRECTORY",
5531 [EXEC_DIRECTORY_CACHE] = "CACHE_DIRECTORY",
5532 [EXEC_DIRECTORY_LOGS] = "LOGS_DIRECTORY",
5533 [EXEC_DIRECTORY_CONFIGURATION] = "CONFIGURATION_DIRECTORY",
5534};
5535
5536DEFINE_PRIVATE_STRING_TABLE_LOOKUP_TO_STRING(exec_directory_env_name, ExecDirectoryType);
5537
b1edf445
LP		 5538static const char* const exec_keyring_mode_table[_EXEC_KEYRING_MODE_MAX] = {
5539 [EXEC_KEYRING_INHERIT] = "inherit",
5540 [EXEC_KEYRING_PRIVATE] = "private",
5541 [EXEC_KEYRING_SHARED] = "shared",
5542};
5543
5544DEFINE_STRING_TABLE_LOOKUP(exec_keyring_mode, ExecKeyringMode);
Unnamed repository; edit this file 'description' to name the repository.