]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/core/execute.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
execute: add one more ExecFlags flag, for controlling unconditional directory chowning
[thirdparty/systemd.git] / src / core / execute.c
CommitLineData
a7334b09
LP		 1/***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
5430f7f2
LP		 7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
a7334b09
LP		 9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2 14 Lesser General Public License for more details.
a7334b09 15
5430f7f2 16 You should have received a copy of the GNU Lesser General Public License
a7334b09
LP		 17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18***/
19
034c6ed7
LP		 20#include <errno.h>
21#include <fcntl.h>
8dd4c05b
LP		 22#include <glob.h>
23#include <grp.h>
24#include <poll.h>
309bff19 25#include <signal.h>
8dd4c05b 26#include <string.h>
19c0b0b9 27#include <sys/capability.h>
d251207d 28#include <sys/eventfd.h>
f3e43635 29#include <sys/mman.h>
8dd4c05b 30#include <sys/personality.h>
94f04347 31#include <sys/prctl.h>
d2ffa389 32#include <sys/shm.h>
8dd4c05b 33#include <sys/socket.h>
451a074f 34#include <sys/stat.h>
d2ffa389 35#include <sys/types.h>
8dd4c05b
LP		 36#include <sys/un.h>
37#include <unistd.h>
023a4f67 38#include <utmpx.h>
5cb5a6ff 39
5b6319dc
LP		 40#ifdef HAVE_PAM
41#include <security/pam_appl.h>
42#endif
43
7b52a628
MS		 44#ifdef HAVE_SELINUX
45#include <selinux/selinux.h>
46#endif
47
17df7223
LP		 48#ifdef HAVE_SECCOMP
49#include <seccomp.h>
50#endif
51
eef65bf3
MS		 52#ifdef HAVE_APPARMOR
53#include <sys/apparmor.h>
54#endif
55
24882e06 56#include "sd-messages.h"
8dd4c05b
LP		 57
58#include "af-list.h"
b5efdb8a 59#include "alloc-util.h"
3ffd4af2
LP		 60#ifdef HAVE_APPARMOR
61#include "apparmor-util.h"
62#endif
8dd4c05b
LP		 63#include "async.h"
64#include "barrier.h"
8dd4c05b 65#include "cap-list.h"
430f0182 66#include "capability-util.h"
f6a6225e 67#include "def.h"
4d1a6904 68#include "env-util.h"
17df7223 69#include "errno-list.h"
3ffd4af2 70#include "execute.h"
8dd4c05b 71#include "exit-status.h"
3ffd4af2 72#include "fd-util.h"
8dd4c05b 73#include "fileio.h"
f97b34a6 74#include "format-util.h"
f4f15635 75#include "fs-util.h"
7d50b32a 76#include "glob-util.h"
c004493c 77#include "io-util.h"
8dd4c05b
LP		 78#include "ioprio.h"
79#include "log.h"
80#include "macro.h"
81#include "missing.h"
82#include "mkdir.h"
83#include "namespace.h"
6bedfcbb 84#include "parse-util.h"
8dd4c05b 85#include "path-util.h"
0b452006 86#include "process-util.h"
78f22b97 87#include "rlimit-util.h"
8dd4c05b 88#include "rm-rf.h"
3ffd4af2
LP		 89#ifdef HAVE_SECCOMP
90#include "seccomp-util.h"
91#endif
8dd4c05b 92#include "securebits.h"
07d46372 93#include "securebits-util.h"
8dd4c05b 94#include "selinux-util.h"
24882e06 95#include "signal-util.h"
8dd4c05b 96#include "smack-util.h"
fd63e712 97#include "special.h"
8b43440b 98#include "string-table.h"
07630cea 99#include "string-util.h"
8dd4c05b 100#include "strv.h"
7ccbd1ae 101#include "syslog-util.h"
8dd4c05b
LP		 102#include "terminal-util.h"
103#include "unit.h"
b1d4f8e1 104#include "user-util.h"
8dd4c05b
LP		 105#include "util.h"
106#include "utmp-wtmp.h"
5cb5a6ff 107
e056b01d 108#define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
31a7eb86 109#define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
e6a26745 110
02a51aba
LP		 111/* This assumes there is a 'tty' group */
112#define TTY_MODE 0620
113
531dca78
LP		 114#define SNDBUF_SIZE (8*1024*1024)
115
034c6ed7
LP		 116static int shift_fds(int fds[], unsigned n_fds) {
117 int start, restart_from;
118
119 if (n_fds <= 0)
120 return 0;
121
a0d40ac5
LP		 122 /* Modifies the fds array! (sorts it) */
123
034c6ed7
LP		 124 assert(fds);
125
126 start = 0;
127 for (;;) {
128 int i;
129
130 restart_from = -1;
131
132 for (i = start; i < (int) n_fds; i++) {
133 int nfd;
134
135 /* Already at right index? */
136 if (fds[i] == i+3)
137 continue;
138
3cc2aff1
LP		 139 nfd = fcntl(fds[i], F_DUPFD, i + 3);
140 if (nfd < 0)
034c6ed7
LP		 141 return -errno;
142
03e334a1 143 safe_close(fds[i]);
034c6ed7
LP		 144 fds[i] = nfd;
145
146 /* Hmm, the fd we wanted isn't free? Then
ee33e53a 147 * let's remember that and try again from here */
034c6ed7
LP		 148 if (nfd != i+3 && restart_from < 0)
149 restart_from = i;
150 }
151
152 if (restart_from < 0)
153 break;
154
155 start = restart_from;
156 }
157
158 return 0;
159}
160
4c47affc
FB		 161static int flags_fds(const int fds[], unsigned n_storage_fds, unsigned n_socket_fds, bool nonblock) {
162 unsigned i, n_fds;
e2c76839 163 int r;
47a71eed 164
4c47affc 165 n_fds = n_storage_fds + n_socket_fds;
47a71eed
LP		 166 if (n_fds <= 0)
167 return 0;
168
169 assert(fds);
170
9b141911
FB		 171 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags.
172 * O_NONBLOCK only applies to socket activation though. */
47a71eed
LP		 173
174 for (i = 0; i < n_fds; i++) {
47a71eed 175
9b141911
FB		 176 if (i < n_socket_fds) {
177 r = fd_nonblock(fds[i], nonblock);
178 if (r < 0)
179 return r;
180 }
47a71eed 181
451a074f
LP		 182 /* We unconditionally drop FD_CLOEXEC from the fds,
183 * since after all we want to pass these fds to our
184 * children */
47a71eed 185
3cc2aff1
LP		 186 r = fd_cloexec(fds[i], false);
187 if (r < 0)
e2c76839 188 return r;
47a71eed
LP		 189 }
190
191 return 0;
192}
193
1e22b5cd 194static const char *exec_context_tty_path(const ExecContext *context) {
80876c20
LP		 195 assert(context);
196
1e22b5cd
LP		 197 if (context->stdio_as_fds)
198 return NULL;
199
80876c20
LP		 200 if (context->tty_path)
201 return context->tty_path;
202
203 return "/dev/console";
204}
205
1e22b5cd
LP		 206static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
207 const char *path;
208
6ea832a2
LP		 209 assert(context);
210
1e22b5cd 211 path = exec_context_tty_path(context);
6ea832a2 212
1e22b5cd
LP		 213 if (context->tty_vhangup) {
214 if (p && p->stdin_fd >= 0)
215 (void) terminal_vhangup_fd(p->stdin_fd);
216 else if (path)
217 (void) terminal_vhangup(path);
218 }
6ea832a2 219
1e22b5cd
LP		 220 if (context->tty_reset) {
221 if (p && p->stdin_fd >= 0)
222 (void) reset_terminal_fd(p->stdin_fd, true);
223 else if (path)
224 (void) reset_terminal(path);
225 }
226
227 if (context->tty_vt_disallocate && path)
228 (void) vt_disallocate(path);
6ea832a2
LP		 229}
230
6af760f3
LP		 231static bool is_terminal_input(ExecInput i) {
232 return IN_SET(i,
233 EXEC_INPUT_TTY,
234 EXEC_INPUT_TTY_FORCE,
235 EXEC_INPUT_TTY_FAIL);
236}
237
3a1286b6 238static bool is_terminal_output(ExecOutput o) {
6af760f3
LP		 239 return IN_SET(o,
240 EXEC_OUTPUT_TTY,
241 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
242 EXEC_OUTPUT_KMSG_AND_CONSOLE,
243 EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
244}
245
246static bool exec_context_needs_term(const ExecContext *c) {
247 assert(c);
248
249 /* Return true if the execution context suggests we should set $TERM to something useful. */
250
251 if (is_terminal_input(c->std_input))
252 return true;
253
254 if (is_terminal_output(c->std_output))
255 return true;
256
257 if (is_terminal_output(c->std_error))
258 return true;
259
260 return !!c->tty_path;
3a1286b6
MS		 261}
262
80876c20
LP		 263static int open_null_as(int flags, int nfd) {
264 int fd, r;
071830ff 265
80876c20 266 assert(nfd >= 0);
071830ff 267
613b411c
LP		 268 fd = open("/dev/null", flags|O_NOCTTY);
269 if (fd < 0)
071830ff
LP		 270 return -errno;
271
80876c20
LP		 272 if (fd != nfd) {
273 r = dup2(fd, nfd) < 0 ? -errno : nfd;
03e334a1 274 safe_close(fd);
80876c20
LP		 275 } else
276 r = nfd;
071830ff 277
80876c20 278 return r;
071830ff
LP		 279}
280
524daa8c 281static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
92a17af9 282 static const union sockaddr_union sa = {
b92bea5d
ZJS		 283 .un.sun_family = AF_UNIX,
284 .un.sun_path = "/run/systemd/journal/stdout",
285 };
524daa8c
ZJS		 286 uid_t olduid = UID_INVALID;
287 gid_t oldgid = GID_INVALID;
288 int r;
289
cad93f29 290 if (gid_is_valid(gid)) {
524daa8c
ZJS		 291 oldgid = getgid();
292
92a17af9 293 if (setegid(gid) < 0)
524daa8c
ZJS		 294 return -errno;
295 }
296
cad93f29 297 if (uid_is_valid(uid)) {
524daa8c
ZJS		 298 olduid = getuid();
299
92a17af9 300 if (seteuid(uid) < 0) {
524daa8c
ZJS		 301 r = -errno;
302 goto restore_gid;
303 }
304 }
305
92a17af9 306 r = connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un)) < 0 ? -errno : 0;
524daa8c
ZJS		 307
308 /* If we fail to restore the uid or gid, things will likely
309 fail later on. This should only happen if an LSM interferes. */
310
cad93f29 311 if (uid_is_valid(uid))
524daa8c
ZJS		 312 (void) seteuid(olduid);
313
314 restore_gid:
cad93f29 315 if (gid_is_valid(gid))
524daa8c
ZJS		 316 (void) setegid(oldgid);
317
318 return r;
319}
320
fd1f9c89 321static int connect_logger_as(
7a1ab780 322 Unit *unit,
fd1f9c89 323 const ExecContext *context,
af635cf3 324 const ExecParameters *params,
fd1f9c89
LP		 325 ExecOutput output,
326 const char *ident,
fd1f9c89
LP		 327 int nfd,
328 uid_t uid,
329 gid_t gid) {
330
524daa8c 331 int fd, r;
071830ff
LP		 332
333 assert(context);
af635cf3 334 assert(params);
80876c20
LP		 335 assert(output < _EXEC_OUTPUT_MAX);
336 assert(ident);
337 assert(nfd >= 0);
071830ff 338
54fe0cdb
LP		 339 fd = socket(AF_UNIX, SOCK_STREAM, 0);
340 if (fd < 0)
80876c20 341 return -errno;
071830ff 342
524daa8c
ZJS		 343 r = connect_journal_socket(fd, uid, gid);
344 if (r < 0)
345 return r;
071830ff 346
80876c20 347 if (shutdown(fd, SHUT_RD) < 0) {
03e334a1 348 safe_close(fd);
80876c20
LP		 349 return -errno;
350 }
071830ff 351
fd1f9c89 352 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
531dca78 353
80876c20 354 dprintf(fd,
62bca2c6 355 "%s\n"
80876c20
LP		 356 "%s\n"
357 "%i\n"
54fe0cdb
LP		 358 "%i\n"
359 "%i\n"
360 "%i\n"
4f4a1dbf 361 "%i\n",
c867611e 362 context->syslog_identifier ?: ident,
af635cf3 363 params->flags & EXEC_PASS_LOG_UNIT ? unit->id : "",
54fe0cdb
LP		 364 context->syslog_priority,
365 !!context->syslog_level_prefix,
366 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
367 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
3a1286b6 368 is_terminal_output(output));
80876c20 369
fd1f9c89
LP		 370 if (fd == nfd)
371 return nfd;
372
373 r = dup2(fd, nfd) < 0 ? -errno : nfd;
374 safe_close(fd);
071830ff 375
80876c20
LP		 376 return r;
377}
378static int open_terminal_as(const char *path, mode_t mode, int nfd) {
379 int fd, r;
071830ff 380
80876c20
LP		 381 assert(path);
382 assert(nfd >= 0);
071830ff 383
3cc2aff1
LP		 384 fd = open_terminal(path, mode | O_NOCTTY);
385 if (fd < 0)
80876c20 386 return fd;
071830ff 387
80876c20
LP		 388 if (fd != nfd) {
389 r = dup2(fd, nfd) < 0 ? -errno : nfd;
03e334a1 390 safe_close(fd);
80876c20
LP		 391 } else
392 r = nfd;
071830ff 393
80876c20
LP		 394 return r;
395}
071830ff 396
1e3ad081
LP		 397static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
398
399 if (is_terminal_input(std_input) && !apply_tty_stdin)
400 return EXEC_INPUT_NULL;
071830ff 401
03fd9c49 402 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 403 return EXEC_INPUT_NULL;
404
03fd9c49 405 return std_input;
4f2d528d
LP		 406}
407
03fd9c49 408static int fixup_output(ExecOutput std_output, int socket_fd) {
4f2d528d 409
03fd9c49 410 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 411 return EXEC_OUTPUT_INHERIT;
412
03fd9c49 413 return std_output;
4f2d528d
LP		 414}
415
a34ceba6
LP		 416static int setup_input(
417 const ExecContext *context,
418 const ExecParameters *params,
52c239d7
LB		 419 int socket_fd,
420 int named_iofds[3]) {
a34ceba6 421
4f2d528d
LP		 422 ExecInput i;
423
424 assert(context);
a34ceba6
LP		 425 assert(params);
426
427 if (params->stdin_fd >= 0) {
428 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
429 return -errno;
430
431 /* Try to make this the controlling tty, if it is a tty, and reset it */
432 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
433 (void) reset_terminal_fd(STDIN_FILENO, true);
434
435 return STDIN_FILENO;
436 }
4f2d528d 437
c39f1ce2 438 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
4f2d528d
LP		 439
440 switch (i) {
071830ff 441
80876c20
LP		 442 case EXEC_INPUT_NULL:
443 return open_null_as(O_RDONLY, STDIN_FILENO);
444
445 case EXEC_INPUT_TTY:
446 case EXEC_INPUT_TTY_FORCE:
447 case EXEC_INPUT_TTY_FAIL: {
448 int fd, r;
071830ff 449
1e22b5cd 450 fd = acquire_terminal(exec_context_tty_path(context),
970edce6
ZJS		 451 i == EXEC_INPUT_TTY_FAIL,
452 i == EXEC_INPUT_TTY_FORCE,
453 false,
3a43da28 454 USEC_INFINITY);
970edce6 455 if (fd < 0)
80876c20
LP		 456 return fd;
457
458 if (fd != STDIN_FILENO) {
459 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
03e334a1 460 safe_close(fd);
80876c20
LP		 461 } else
462 r = STDIN_FILENO;
463
464 return r;
465 }
466
4f2d528d
LP		 467 case EXEC_INPUT_SOCKET:
468 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
469
52c239d7
LB		 470 case EXEC_INPUT_NAMED_FD:
471 (void) fd_nonblock(named_iofds[STDIN_FILENO], false);
472 return dup2(named_iofds[STDIN_FILENO], STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
473
80876c20
LP		 474 default:
475 assert_not_reached("Unknown input type");
476 }
477}
478
a34ceba6
LP		 479static int setup_output(
480 Unit *unit,
481 const ExecContext *context,
482 const ExecParameters *params,
483 int fileno,
484 int socket_fd,
52c239d7 485 int named_iofds[3],
a34ceba6 486 const char *ident,
7bce046b
LP		 487 uid_t uid,
488 gid_t gid,
489 dev_t *journal_stream_dev,
490 ino_t *journal_stream_ino) {
a34ceba6 491
4f2d528d
LP		 492 ExecOutput o;
493 ExecInput i;
47c1d80d 494 int r;
4f2d528d 495
f2341e0a 496 assert(unit);
80876c20 497 assert(context);
a34ceba6 498 assert(params);
80876c20 499 assert(ident);
7bce046b
LP		 500 assert(journal_stream_dev);
501 assert(journal_stream_ino);
80876c20 502
a34ceba6
LP		 503 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
504
505 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
506 return -errno;
507
508 return STDOUT_FILENO;
509 }
510
511 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
512 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
513 return -errno;
514
515 return STDERR_FILENO;
516 }
517
c39f1ce2 518 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
03fd9c49 519 o = fixup_output(context->std_output, socket_fd);
4f2d528d 520
eb17e935
MS		 521 if (fileno == STDERR_FILENO) {
522 ExecOutput e;
523 e = fixup_output(context->std_error, socket_fd);
80876c20 524
eb17e935
MS		 525 /* This expects the input and output are already set up */
526
527 /* Don't change the stderr file descriptor if we inherit all
528 * the way and are not on a tty */
529 if (e == EXEC_OUTPUT_INHERIT &&
530 o == EXEC_OUTPUT_INHERIT &&
531 i == EXEC_INPUT_NULL &&
532 !is_terminal_input(context->std_input) &&
533 getppid () != 1)
534 return fileno;
535
536 /* Duplicate from stdout if possible */
52c239d7 537 if ((e == o && e != EXEC_OUTPUT_NAMED_FD) || e == EXEC_OUTPUT_INHERIT)
eb17e935 538 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 539
eb17e935 540 o = e;
80876c20 541
eb17e935 542 } else if (o == EXEC_OUTPUT_INHERIT) {
21d21ea4
LP		 543 /* If input got downgraded, inherit the original value */
544 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
1e22b5cd 545 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
21d21ea4 546
acb591e4 547 /* If the input is connected to anything that's not a /dev/null, inherit that... */
ff876e28 548 if (i != EXEC_INPUT_NULL)
eb17e935 549 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 550
acb591e4
LP		 551 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
552 if (getppid() != 1)
eb17e935 553 return fileno;
94f04347 554
eb17e935
MS		 555 /* We need to open /dev/null here anew, to get the right access mode. */
556 return open_null_as(O_WRONLY, fileno);
071830ff 557 }
94f04347 558
eb17e935 559 switch (o) {
80876c20
LP		 560
561 case EXEC_OUTPUT_NULL:
eb17e935 562 return open_null_as(O_WRONLY, fileno);
80876c20
LP		 563
564 case EXEC_OUTPUT_TTY:
4f2d528d 565 if (is_terminal_input(i))
eb17e935 566 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
80876c20
LP		 567
568 /* We don't reset the terminal if this is just about output */
1e22b5cd 569 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
80876c20
LP		 570
571 case EXEC_OUTPUT_SYSLOG:
28dbc1e8 572 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
9a6bca7a 573 case EXEC_OUTPUT_KMSG:
28dbc1e8 574 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
706343f4
LP		 575 case EXEC_OUTPUT_JOURNAL:
576 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
af635cf3 577 r = connect_logger_as(unit, context, params, o, ident, fileno, uid, gid);
47c1d80d 578 if (r < 0) {
f2341e0a 579 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
eb17e935 580 r = open_null_as(O_WRONLY, fileno);
7bce046b
LP		 581 } else {
582 struct stat st;
583
584 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
585 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
586 * services to detect whether they are connected to the journal or not. */
587
588 if (fstat(fileno, &st) >= 0) {
589 *journal_stream_dev = st.st_dev;
590 *journal_stream_ino = st.st_ino;
591 }
47c1d80d
MS		 592 }
593 return r;
4f2d528d
LP		 594
595 case EXEC_OUTPUT_SOCKET:
596 assert(socket_fd >= 0);
eb17e935 597 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
94f04347 598
52c239d7
LB		 599 case EXEC_OUTPUT_NAMED_FD:
600 (void) fd_nonblock(named_iofds[fileno], false);
601 return dup2(named_iofds[fileno], fileno) < 0 ? -errno : fileno;
602
94f04347 603 default:
80876c20 604 assert_not_reached("Unknown error type");
94f04347 605 }
071830ff
LP		 606}
607
02a51aba
LP		 608static int chown_terminal(int fd, uid_t uid) {
609 struct stat st;
610
611 assert(fd >= 0);
02a51aba 612
1ff74fb6
LP		 613 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
614 if (isatty(fd) < 1)
615 return 0;
616
02a51aba 617 /* This might fail. What matters are the results. */
bab45044
LP		 618 (void) fchown(fd, uid, -1);
619 (void) fchmod(fd, TTY_MODE);
02a51aba
LP		 620
621 if (fstat(fd, &st) < 0)
622 return -errno;
623
d8b4e2e9 624 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
02a51aba
LP		 625 return -EPERM;
626
627 return 0;
628}
629
7d5ceb64 630static int setup_confirm_stdio(const char *vc, int *_saved_stdin, int *_saved_stdout) {
3d18b167
LP		 631 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
632 int r;
80876c20 633
80876c20
LP		 634 assert(_saved_stdin);
635 assert(_saved_stdout);
636
af6da548
LP		 637 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
638 if (saved_stdin < 0)
639 return -errno;
80876c20 640
af6da548 641 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
3d18b167
LP		 642 if (saved_stdout < 0)
643 return -errno;
80876c20 644
7d5ceb64 645 fd = acquire_terminal(vc, false, false, false, DEFAULT_CONFIRM_USEC);
3d18b167
LP		 646 if (fd < 0)
647 return fd;
80876c20 648
af6da548
LP		 649 r = chown_terminal(fd, getuid());
650 if (r < 0)
3d18b167 651 return r;
02a51aba 652
3d18b167
LP		 653 r = reset_terminal_fd(fd, true);
654 if (r < 0)
655 return r;
80876c20 656
3d18b167
LP		 657 if (dup2(fd, STDIN_FILENO) < 0)
658 return -errno;
659
660 if (dup2(fd, STDOUT_FILENO) < 0)
661 return -errno;
80876c20
LP		 662
663 if (fd >= 2)
03e334a1 664 safe_close(fd);
3d18b167 665 fd = -1;
80876c20
LP		 666
667 *_saved_stdin = saved_stdin;
668 *_saved_stdout = saved_stdout;
669
3d18b167 670 saved_stdin = saved_stdout = -1;
80876c20 671
3d18b167 672 return 0;
80876c20
LP		 673}
674
63d77c92 675static void write_confirm_error_fd(int err, int fd, const Unit *u) {
3b20f877
FB		 676 assert(err < 0);
677
678 if (err == -ETIMEDOUT)
63d77c92 679 dprintf(fd, "Confirmation question timed out for %s, assuming positive response.\n", u->id);
3b20f877
FB		 680 else {
681 errno = -err;
63d77c92 682 dprintf(fd, "Couldn't ask confirmation for %s: %m, assuming positive response.\n", u->id);
3b20f877
FB		 683 }
684}
685
63d77c92 686static void write_confirm_error(int err, const char *vc, const Unit *u) {
03e334a1 687 _cleanup_close_ int fd = -1;
80876c20 688
3b20f877 689 assert(vc);
80876c20 690
7d5ceb64 691 fd = open_terminal(vc, O_WRONLY|O_NOCTTY|O_CLOEXEC);
af6da548 692 if (fd < 0)
3b20f877 693 return;
80876c20 694
63d77c92 695 write_confirm_error_fd(err, fd, u);
af6da548 696}
80876c20 697
3d18b167 698static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
af6da548 699 int r = 0;
80876c20 700
af6da548
LP		 701 assert(saved_stdin);
702 assert(saved_stdout);
703
704 release_terminal();
705
706 if (*saved_stdin >= 0)
80876c20 707 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
af6da548 708 r = -errno;
80876c20 709
af6da548 710 if (*saved_stdout >= 0)
80876c20 711 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
af6da548 712 r = -errno;
80876c20 713
3d18b167
LP		 714 *saved_stdin = safe_close(*saved_stdin);
715 *saved_stdout = safe_close(*saved_stdout);
af6da548
LP		 716
717 return r;
718}
719
3b20f877
FB		 720enum {
721 CONFIRM_PRETEND_FAILURE = -1,
722 CONFIRM_PRETEND_SUCCESS = 0,
723 CONFIRM_EXECUTE = 1,
724};
725
eedf223a 726static int ask_for_confirmation(const char *vc, Unit *u, const char *cmdline) {
af6da548 727 int saved_stdout = -1, saved_stdin = -1, r;
2bcd3c26 728 _cleanup_free_ char *e = NULL;
3b20f877 729 char c;
af6da548 730
3b20f877 731 /* For any internal errors, assume a positive response. */
7d5ceb64 732 r = setup_confirm_stdio(vc, &saved_stdin, &saved_stdout);
3b20f877 733 if (r < 0) {
63d77c92 734 write_confirm_error(r, vc, u);
3b20f877
FB		 735 return CONFIRM_EXECUTE;
736 }
af6da548 737
b0eb2944
FB		 738 /* confirm_spawn might have been disabled while we were sleeping. */
739 if (manager_is_confirm_spawn_disabled(u->manager)) {
740 r = 1;
741 goto restore_stdio;
742 }
af6da548 743
2bcd3c26
FB		 744 e = ellipsize(cmdline, 60, 100);
745 if (!e) {
746 log_oom();
747 r = CONFIRM_EXECUTE;
748 goto restore_stdio;
749 }
af6da548 750
d172b175 751 for (;;) {
539622bd 752 r = ask_char(&c, "yfshiDjcn", "Execute %s? [y, f, s – h for help] ", e);
d172b175 753 if (r < 0) {
63d77c92 754 write_confirm_error_fd(r, STDOUT_FILENO, u);
d172b175
FB		 755 r = CONFIRM_EXECUTE;
756 goto restore_stdio;
757 }
af6da548 758
d172b175 759 switch (c) {
b0eb2944
FB		 760 case 'c':
761 printf("Resuming normal execution.\n");
762 manager_disable_confirm_spawn();
763 r = 1;
764 break;
dd6f9ac0
FB		 765 case 'D':
766 unit_dump(u, stdout, " ");
767 continue; /* ask again */
d172b175
FB		 768 case 'f':
769 printf("Failing execution.\n");
770 r = CONFIRM_PRETEND_FAILURE;
771 break;
772 case 'h':
b0eb2944
FB		 773 printf(" c - continue, proceed without asking anymore\n"
774 " D - dump, show the state of the unit\n"
dd6f9ac0 775 " f - fail, don't execute the command and pretend it failed\n"
d172b175 776 " h - help\n"
eedf223a 777 " i - info, show a short summary of the unit\n"
56fde33a 778 " j - jobs, show jobs that are in progress\n"
d172b175
FB		 779 " s - skip, don't execute the command and pretend it succeeded\n"
780 " y - yes, execute the command\n");
dd6f9ac0 781 continue; /* ask again */
eedf223a
FB		 782 case 'i':
783 printf(" Description: %s\n"
784 " Unit: %s\n"
785 " Command: %s\n",
786 u->id, u->description, cmdline);
787 continue; /* ask again */
56fde33a
FB		 788 case 'j':
789 manager_dump_jobs(u->manager, stdout, " ");
790 continue; /* ask again */
539622bd
FB		 791 case 'n':
792 /* 'n' was removed in favor of 'f'. */
793 printf("Didn't understand 'n', did you mean 'f'?\n");
794 continue; /* ask again */
d172b175
FB		 795 case 's':
796 printf("Skipping execution.\n");
797 r = CONFIRM_PRETEND_SUCCESS;
798 break;
799 case 'y':
800 r = CONFIRM_EXECUTE;
801 break;
802 default:
803 assert_not_reached("Unhandled choice");
804 }
3b20f877 805 break;
3b20f877 806 }
af6da548 807
3b20f877 808restore_stdio:
af6da548 809 restore_confirm_stdio(&saved_stdin, &saved_stdout);
af6da548 810 return r;
80876c20
LP		 811}
812
4d885bd3
DH		 813static int get_fixed_user(const ExecContext *c, const char **user,
814 uid_t *uid, gid_t *gid,
815 const char **home, const char **shell) {
81a2b7ce 816 int r;
4d885bd3 817 const char *name;
81a2b7ce 818
4d885bd3 819 assert(c);
81a2b7ce 820
23deef88
LP		 821 if (!c->user)
822 return 0;
823
4d885bd3
DH		 824 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
825 * (i.e. are "/" or "/bin/nologin"). */
81a2b7ce 826
23deef88 827 name = c->user;
4d885bd3
DH		 828 r = get_user_creds_clean(&name, uid, gid, home, shell);
829 if (r < 0)
830 return r;
81a2b7ce 831
4d885bd3
DH		 832 *user = name;
833 return 0;
834}
835
836static int get_fixed_group(const ExecContext *c, const char **group, gid_t *gid) {
837 int r;
838 const char *name;
839
840 assert(c);
841
842 if (!c->group)
843 return 0;
844
845 name = c->group;
846 r = get_group_creds(&name, gid);
847 if (r < 0)
848 return r;
849
850 *group = name;
851 return 0;
852}
853
cdc5d5c5
DH		 854static int get_supplementary_groups(const ExecContext *c, const char *user,
855 const char *group, gid_t gid,
856 gid_t **supplementary_gids, int *ngids) {
4d885bd3
DH		 857 char **i;
858 int r, k = 0;
859 int ngroups_max;
860 bool keep_groups = false;
861 gid_t *groups = NULL;
862 _cleanup_free_ gid_t *l_gids = NULL;
863
864 assert(c);
865
bbeea271
DH		 866 /*
867 * If user is given, then lookup GID and supplementary groups list.
868 * We avoid NSS lookups for gid=0. Also we have to initialize groups
cdc5d5c5
DH		 869 * here and as early as possible so we keep the list of supplementary
870 * groups of the caller.
bbeea271
DH		 871 */
872 if (user && gid_is_valid(gid) && gid != 0) {
873 /* First step, initialize groups from /etc/groups */
874 if (initgroups(user, gid) < 0)
875 return -errno;
876
877 keep_groups = true;
878 }
879
4d885bd3
DH		 880 if (!c->supplementary_groups)
881 return 0;
882
366ddd25
DH		 883 /*
884 * If SupplementaryGroups= was passed then NGROUPS_MAX has to
885 * be positive, otherwise fail.
886 */
887 errno = 0;
888 ngroups_max = (int) sysconf(_SC_NGROUPS_MAX);
889 if (ngroups_max <= 0) {
890 if (errno > 0)
891 return -errno;
892 else
893 return -EOPNOTSUPP; /* For all other values */
894 }
895
4d885bd3
DH		 896 l_gids = new(gid_t, ngroups_max);
897 if (!l_gids)
898 return -ENOMEM;
81a2b7ce 899
4d885bd3
DH		 900 if (keep_groups) {
901 /*
902 * Lookup the list of groups that the user belongs to, we
903 * avoid NSS lookups here too for gid=0.
904 */
905 k = ngroups_max;
906 if (getgrouplist(user, gid, l_gids, &k) < 0)
907 return -EINVAL;
908 } else
909 k = 0;
81a2b7ce 910
4d885bd3
DH		 911 STRV_FOREACH(i, c->supplementary_groups) {
912 const char *g;
81a2b7ce 913
4d885bd3
DH		 914 if (k >= ngroups_max)
915 return -E2BIG;
81a2b7ce 916
4d885bd3
DH		 917 g = *i;
918 r = get_group_creds(&g, l_gids+k);
919 if (r < 0)
920 return r;
81a2b7ce 921
4d885bd3
DH		 922 k++;
923 }
81a2b7ce 924
4d885bd3
DH		 925 /*
926 * Sets ngids to zero to drop all supplementary groups, happens
927 * when we are under root and SupplementaryGroups= is empty.
928 */
929 if (k == 0) {
930 *ngids = 0;
931 return 0;
932 }
81a2b7ce 933
4d885bd3
DH		 934 /* Otherwise get the final list of supplementary groups */
935 groups = memdup(l_gids, sizeof(gid_t) * k);
936 if (!groups)
937 return -ENOMEM;
938
939 *supplementary_gids = groups;
940 *ngids = k;
941
942 groups = NULL;
943
944 return 0;
945}
946
947static int enforce_groups(const ExecContext *context, gid_t gid,
948 gid_t *supplementary_gids, int ngids) {
949 int r;
950
951 assert(context);
952
953 /* Handle SupplementaryGroups= even if it is empty */
954 if (context->supplementary_groups) {
955 r = maybe_setgroups(ngids, supplementary_gids);
956 if (r < 0)
97f0e76f 957 return r;
4d885bd3 958 }
81a2b7ce 959
4d885bd3
DH		 960 if (gid_is_valid(gid)) {
961 /* Then set our gids */
962 if (setresgid(gid, gid, gid) < 0)
963 return -errno;
81a2b7ce
LP		 964 }
965
966 return 0;
967}
968
969static int enforce_user(const ExecContext *context, uid_t uid) {
81a2b7ce
LP		 970 assert(context);
971
4d885bd3
DH		 972 if (!uid_is_valid(uid))
973 return 0;
974
479050b3 975 /* Sets (but doesn't look up) the uid and make sure we keep the
81a2b7ce
LP		 976 * capabilities while doing so. */
977
479050b3 978 if (context->capability_ambient_set != 0) {
81a2b7ce
LP		 979
980 /* First step: If we need to keep capabilities but
981 * drop privileges we need to make sure we keep our
cbb21cca 982 * caps, while we drop privileges. */
693ced48 983 if (uid != 0) {
cbb21cca 984 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
693ced48
LP		 985
986 if (prctl(PR_GET_SECUREBITS) != sb)
987 if (prctl(PR_SET_SECUREBITS, sb) < 0)
988 return -errno;
989 }
81a2b7ce
LP		 990 }
991
479050b3 992 /* Second step: actually set the uids */
81a2b7ce
LP		 993 if (setresuid(uid, uid, uid) < 0)
994 return -errno;
995
996 /* At this point we should have all necessary capabilities but
997 are otherwise a normal user. However, the caps might got
998 corrupted due to the setresuid() so we need clean them up
999 later. This is done outside of this call. */
1000
1001 return 0;
1002}
1003
5b6319dc
LP		 1004#ifdef HAVE_PAM
1005
1006static int null_conv(
1007 int num_msg,
1008 const struct pam_message **msg,
1009 struct pam_response **resp,
1010 void *appdata_ptr) {
1011
1012 /* We don't support conversations */
1013
1014 return PAM_CONV_ERR;
1015}
1016
cefc33ae
LP		 1017#endif
1018
5b6319dc
LP		 1019static int setup_pam(
1020 const char *name,
1021 const char *user,
940c5210 1022 uid_t uid,
2d6fce8d 1023 gid_t gid,
5b6319dc 1024 const char *tty,
2065ca69 1025 char ***env,
5b6319dc
LP		 1026 int fds[], unsigned n_fds) {
1027
cefc33ae
LP		 1028#ifdef HAVE_PAM
1029
5b6319dc
LP		 1030 static const struct pam_conv conv = {
1031 .conv = null_conv,
1032 .appdata_ptr = NULL
1033 };
1034
2d7c6aa2 1035 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
5b6319dc 1036 pam_handle_t *handle = NULL;
d6e5f3ad 1037 sigset_t old_ss;
7bb70b6e 1038 int pam_code = PAM_SUCCESS, r;
84eada2f 1039 char **nv, **e = NULL;
5b6319dc
LP		 1040 bool close_session = false;
1041 pid_t pam_pid = 0, parent_pid;
970edce6 1042 int flags = 0;
5b6319dc
LP		 1043
1044 assert(name);
1045 assert(user);
2065ca69 1046 assert(env);
5b6319dc
LP		 1047
1048 /* We set up PAM in the parent process, then fork. The child
35b8ca3a 1049 * will then stay around until killed via PR_GET_PDEATHSIG or
5b6319dc
LP		 1050 * systemd via the cgroup logic. It will then remove the PAM
1051 * session again. The parent process will exec() the actual
1052 * daemon. We do things this way to ensure that the main PID
1053 * of the daemon is the one we initially fork()ed. */
1054
7bb70b6e
LP		 1055 r = barrier_create(&barrier);
1056 if (r < 0)
2d7c6aa2
DH		 1057 goto fail;
1058
553d2243 1059 if (log_get_max_level() < LOG_DEBUG)
970edce6
ZJS		 1060 flags |= PAM_SILENT;
1061
f546241b
ZJS		 1062 pam_code = pam_start(name, user, &conv, &handle);
1063 if (pam_code != PAM_SUCCESS) {
5b6319dc
LP		 1064 handle = NULL;
1065 goto fail;
1066 }
1067
f546241b
ZJS		 1068 if (tty) {
1069 pam_code = pam_set_item(handle, PAM_TTY, tty);
1070 if (pam_code != PAM_SUCCESS)
5b6319dc 1071 goto fail;
f546241b 1072 }
5b6319dc 1073
84eada2f
JW		 1074 STRV_FOREACH(nv, *env) {
1075 pam_code = pam_putenv(handle, *nv);
2065ca69
JW		 1076 if (pam_code != PAM_SUCCESS)
1077 goto fail;
1078 }
1079
970edce6 1080 pam_code = pam_acct_mgmt(handle, flags);
f546241b 1081 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 1082 goto fail;
1083
970edce6 1084 pam_code = pam_open_session(handle, flags);
f546241b 1085 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 1086 goto fail;
1087
1088 close_session = true;
1089
f546241b
ZJS		 1090 e = pam_getenvlist(handle);
1091 if (!e) {
5b6319dc
LP		 1092 pam_code = PAM_BUF_ERR;
1093 goto fail;
1094 }
1095
1096 /* Block SIGTERM, so that we know that it won't get lost in
1097 * the child */
ce30c8dc 1098
72c0a2c2 1099 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
5b6319dc 1100
df0ff127 1101 parent_pid = getpid_cached();
5b6319dc 1102
f546241b 1103 pam_pid = fork();
7bb70b6e
LP		 1104 if (pam_pid < 0) {
1105 r = -errno;
5b6319dc 1106 goto fail;
7bb70b6e 1107 }
5b6319dc
LP		 1108
1109 if (pam_pid == 0) {
7bb70b6e 1110 int sig, ret = EXIT_PAM;
5b6319dc
LP		 1111
1112 /* The child's job is to reset the PAM session on
1113 * termination */
2d7c6aa2 1114 barrier_set_role(&barrier, BARRIER_CHILD);
5b6319dc
LP		 1115
1116 /* This string must fit in 10 chars (i.e. the length
5d6b1584
LP		 1117 * of "/sbin/init"), to look pretty in /bin/ps */
1118 rename_process("(sd-pam)");
5b6319dc
LP		 1119
1120 /* Make sure we don't keep open the passed fds in this
1121 child. We assume that otherwise only those fds are
1122 open here that have been opened by PAM. */
1123 close_many(fds, n_fds);
1124
940c5210
AK		 1125 /* Drop privileges - we don't need any to pam_close_session
1126 * and this will make PR_SET_PDEATHSIG work in most cases.
1127 * If this fails, ignore the error - but expect sd-pam threads
1128 * to fail to exit normally */
2d6fce8d 1129
97f0e76f
LP		 1130 r = maybe_setgroups(0, NULL);
1131 if (r < 0)
1132 log_warning_errno(r, "Failed to setgroups() in sd-pam: %m");
2d6fce8d
LP		 1133 if (setresgid(gid, gid, gid) < 0)
1134 log_warning_errno(errno, "Failed to setresgid() in sd-pam: %m");
940c5210 1135 if (setresuid(uid, uid, uid) < 0)
2d6fce8d 1136 log_warning_errno(errno, "Failed to setresuid() in sd-pam: %m");
940c5210 1137
ce30c8dc
LP		 1138 (void) ignore_signals(SIGPIPE, -1);
1139
940c5210
AK		 1140 /* Wait until our parent died. This will only work if
1141 * the above setresuid() succeeds, otherwise the kernel
1142 * will not allow unprivileged parents kill their privileged
1143 * children this way. We rely on the control groups kill logic
5b6319dc
LP		 1144 * to do the rest for us. */
1145 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
1146 goto child_finish;
1147
2d7c6aa2
DH		 1148 /* Tell the parent that our setup is done. This is especially
1149 * important regarding dropping privileges. Otherwise, unit
643f4706
ZJS		 1150 * setup might race against our setresuid(2) call.
1151 *
1152 * If the parent aborted, we'll detect this below, hence ignore
1153 * return failure here. */
1154 (void) barrier_place(&barrier);
2d7c6aa2 1155
643f4706 1156 /* Check if our parent process might already have died? */
5b6319dc 1157 if (getppid() == parent_pid) {
d6e5f3ad
DM		 1158 sigset_t ss;
1159
1160 assert_se(sigemptyset(&ss) >= 0);
1161 assert_se(sigaddset(&ss, SIGTERM) >= 0);
1162
3dead8d9
LP		 1163 for (;;) {
1164 if (sigwait(&ss, &sig) < 0) {
1165 if (errno == EINTR)
1166 continue;
1167
1168 goto child_finish;
1169 }
5b6319dc 1170
3dead8d9
LP		 1171 assert(sig == SIGTERM);
1172 break;
1173 }
5b6319dc
LP		 1174 }
1175
3dead8d9 1176 /* If our parent died we'll end the session */
f546241b 1177 if (getppid() != parent_pid) {
970edce6 1178 pam_code = pam_close_session(handle, flags);
f546241b 1179 if (pam_code != PAM_SUCCESS)
5b6319dc 1180 goto child_finish;
f546241b 1181 }
5b6319dc 1182
7bb70b6e 1183 ret = 0;
5b6319dc
LP		 1184
1185 child_finish:
970edce6 1186 pam_end(handle, pam_code | flags);
7bb70b6e 1187 _exit(ret);
5b6319dc
LP		 1188 }
1189
2d7c6aa2
DH		 1190 barrier_set_role(&barrier, BARRIER_PARENT);
1191
5b6319dc
LP		 1192 /* If the child was forked off successfully it will do all the
1193 * cleanups, so forget about the handle here. */
1194 handle = NULL;
1195
3b8bddde 1196 /* Unblock SIGTERM again in the parent */
72c0a2c2 1197 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
5b6319dc
LP		 1198
1199 /* We close the log explicitly here, since the PAM modules
1200 * might have opened it, but we don't want this fd around. */
1201 closelog();
1202
2d7c6aa2
DH		 1203 /* Synchronously wait for the child to initialize. We don't care for
1204 * errors as we cannot recover. However, warn loudly if it happens. */
1205 if (!barrier_place_and_sync(&barrier))
1206 log_error("PAM initialization failed");
1207
2065ca69
JW		 1208 strv_free(*env);
1209 *env = e;
aa87e624 1210
5b6319dc
LP		 1211 return 0;
1212
1213fail:
970edce6
ZJS		 1214 if (pam_code != PAM_SUCCESS) {
1215 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
7bb70b6e
LP		 1216 r = -EPERM; /* PAM errors do not map to errno */
1217 } else
1218 log_error_errno(r, "PAM failed: %m");
9ba35398 1219
5b6319dc
LP		 1220 if (handle) {
1221 if (close_session)
970edce6 1222 pam_code = pam_close_session(handle, flags);
5b6319dc 1223
970edce6 1224 pam_end(handle, pam_code | flags);
5b6319dc
LP		 1225 }
1226
1227 strv_free(e);
5b6319dc
LP		 1228 closelog();
1229
7bb70b6e 1230 return r;
cefc33ae
LP		 1231#else
1232 return 0;
5b6319dc 1233#endif
cefc33ae 1234}
5b6319dc 1235
5d6b1584
LP		 1236static void rename_process_from_path(const char *path) {
1237 char process_name[11];
1238 const char *p;
1239 size_t l;
1240
1241 /* This resulting string must fit in 10 chars (i.e. the length
1242 * of "/sbin/init") to look pretty in /bin/ps */
1243
2b6bf07d 1244 p = basename(path);
5d6b1584
LP		 1245 if (isempty(p)) {
1246 rename_process("(...)");
1247 return;
1248 }
1249
1250 l = strlen(p);
1251 if (l > 8) {
1252 /* The end of the process name is usually more
1253 * interesting, since the first bit might just be
1254 * "systemd-" */
1255 p = p + l - 8;
1256 l = 8;
1257 }
1258
1259 process_name[0] = '(';
1260 memcpy(process_name+1, p, l);
1261 process_name[1+l] = ')';
1262 process_name[1+l+1] = 0;
1263
1264 rename_process(process_name);
1265}
1266
469830d1
LP		 1267static bool context_has_address_families(const ExecContext *c) {
1268 assert(c);
1269
1270 return c->address_families_whitelist ||
1271 !set_isempty(c->address_families);
1272}
1273
1274static bool context_has_syscall_filters(const ExecContext *c) {
1275 assert(c);
1276
1277 return c->syscall_whitelist ||
1278 !set_isempty(c->syscall_filter);
1279}
1280
1281static bool context_has_no_new_privileges(const ExecContext *c) {
1282 assert(c);
1283
1284 if (c->no_new_privileges)
1285 return true;
1286
1287 if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
1288 return false;
1289
1290 /* We need NNP if we have any form of seccomp and are unprivileged */
1291 return context_has_address_families(c) ||
1292 c->memory_deny_write_execute ||
1293 c->restrict_realtime ||
1294 exec_context_restrict_namespaces_set(c) ||
1295 c->protect_kernel_tunables ||
1296 c->protect_kernel_modules ||
1297 c->private_devices ||
1298 context_has_syscall_filters(c) ||
1299 !set_isempty(c->syscall_archs);
1300}
1301
c0467cf3 1302#ifdef HAVE_SECCOMP
17df7223 1303
83f12b27 1304static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
f673b62d
LP		 1305
1306 if (is_seccomp_available())
1307 return false;
1308
1309 log_open();
1310 log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
1311 log_close();
1312 return true;
83f12b27
FS		 1313}
1314
469830d1
LP		 1315static int apply_syscall_filter(const Unit* u, const ExecContext *c) {
1316 uint32_t negative_action, default_action, action;
8351ceae 1317
469830d1 1318 assert(u);
c0467cf3 1319 assert(c);
8351ceae 1320
469830d1 1321 if (!context_has_syscall_filters(c))
83f12b27
FS		 1322 return 0;
1323
469830d1
LP		 1324 if (skip_seccomp_unavailable(u, "SystemCallFilter="))
1325 return 0;
e9642be2 1326
469830d1 1327 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
e9642be2 1328
469830d1
LP		 1329 if (c->syscall_whitelist) {
1330 default_action = negative_action;
1331 action = SCMP_ACT_ALLOW;
7c66bae2 1332 } else {
469830d1
LP		 1333 default_action = SCMP_ACT_ALLOW;
1334 action = negative_action;
57183d11 1335 }
8351ceae 1336
469830d1 1337 return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_filter, action);
4298d0b5
LP		 1338}
1339
469830d1
LP		 1340static int apply_syscall_archs(const Unit *u, const ExecContext *c) {
1341 assert(u);
4298d0b5
LP		 1342 assert(c);
1343
469830d1 1344 if (set_isempty(c->syscall_archs))
83f12b27
FS		 1345 return 0;
1346
469830d1
LP		 1347 if (skip_seccomp_unavailable(u, "SystemCallArchitectures="))
1348 return 0;
4298d0b5 1349
469830d1
LP		 1350 return seccomp_restrict_archs(c->syscall_archs);
1351}
4298d0b5 1352
469830d1
LP		 1353static int apply_address_families(const Unit* u, const ExecContext *c) {
1354 assert(u);
1355 assert(c);
4298d0b5 1356
469830d1
LP		 1357 if (!context_has_address_families(c))
1358 return 0;
4298d0b5 1359
469830d1
LP		 1360 if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
1361 return 0;
4298d0b5 1362
469830d1 1363 return seccomp_restrict_address_families(c->address_families, c->address_families_whitelist);
8351ceae 1364}
4298d0b5 1365
83f12b27 1366static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c) {
469830d1 1367 assert(u);
f3e43635
TM		 1368 assert(c);
1369
469830d1 1370 if (!c->memory_deny_write_execute)
83f12b27
FS		 1371 return 0;
1372
469830d1
LP		 1373 if (skip_seccomp_unavailable(u, "MemoryDenyWriteExecute="))
1374 return 0;
f3e43635 1375
469830d1 1376 return seccomp_memory_deny_write_execute();
f3e43635
TM		 1377}
1378
83f12b27 1379static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
469830d1 1380 assert(u);
f4170c67
LP		 1381 assert(c);
1382
469830d1 1383 if (!c->restrict_realtime)
83f12b27
FS		 1384 return 0;
1385
469830d1
LP		 1386 if (skip_seccomp_unavailable(u, "RestrictRealtime="))
1387 return 0;
f4170c67 1388
469830d1 1389 return seccomp_restrict_realtime();
f4170c67
LP		 1390}
1391
59e856c7 1392static int apply_protect_sysctl(const Unit *u, const ExecContext *c) {
469830d1 1393 assert(u);
59eeb84b
LP		 1394 assert(c);
1395
1396 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1397 * let's protect even those systems where this is left on in the kernel. */
1398
469830d1 1399 if (!c->protect_kernel_tunables)
59eeb84b
LP		 1400 return 0;
1401
469830d1
LP		 1402 if (skip_seccomp_unavailable(u, "ProtectKernelTunables="))
1403 return 0;
59eeb84b 1404
469830d1 1405 return seccomp_protect_sysctl();
59eeb84b
LP		 1406}
1407
59e856c7 1408static int apply_protect_kernel_modules(const Unit *u, const ExecContext *c) {
469830d1 1409 assert(u);
502d704e
DH		 1410 assert(c);
1411
25a8d8a0 1412 /* Turn off module syscalls on ProtectKernelModules=yes */
502d704e 1413
469830d1
LP		 1414 if (!c->protect_kernel_modules)
1415 return 0;
1416
502d704e
DH		 1417 if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
1418 return 0;
1419
469830d1 1420 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM));
502d704e
DH		 1421}
1422
59e856c7 1423static int apply_private_devices(const Unit *u, const ExecContext *c) {
469830d1 1424 assert(u);
ba128bb8
LP		 1425 assert(c);
1426
8f81a5f6 1427 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
ba128bb8 1428
469830d1
LP		 1429 if (!c->private_devices)
1430 return 0;
1431
ba128bb8
LP		 1432 if (skip_seccomp_unavailable(u, "PrivateDevices="))
1433 return 0;
1434
469830d1 1435 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
ba128bb8
LP		 1436}
1437
add00535 1438static int apply_restrict_namespaces(Unit *u, const ExecContext *c) {
469830d1 1439 assert(u);
add00535
LP		 1440 assert(c);
1441
1442 if (!exec_context_restrict_namespaces_set(c))
1443 return 0;
1444
1445 if (skip_seccomp_unavailable(u, "RestrictNamespaces="))
1446 return 0;
1447
1448 return seccomp_restrict_namespaces(c->restrict_namespaces);
1449}
1450
c0467cf3 1451#endif
8351ceae 1452
31a7eb86
ZJS		 1453static void do_idle_pipe_dance(int idle_pipe[4]) {
1454 assert(idle_pipe);
1455
54eb2300
LP		 1456 idle_pipe[1] = safe_close(idle_pipe[1]);
1457 idle_pipe[2] = safe_close(idle_pipe[2]);
31a7eb86
ZJS		 1458
1459 if (idle_pipe[0] >= 0) {
1460 int r;
1461
1462 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1463
1464 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
c7cc737f
LP		 1465 ssize_t n;
1466
31a7eb86 1467 /* Signal systemd that we are bored and want to continue. */
c7cc737f
LP		 1468 n = write(idle_pipe[3], "x", 1);
1469 if (n > 0)
cd972d69
ZJS		 1470 /* Wait for systemd to react to the signal above. */
1471 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
31a7eb86
ZJS		 1472 }
1473
54eb2300 1474 idle_pipe[0] = safe_close(idle_pipe[0]);
31a7eb86
ZJS		 1475
1476 }
1477
54eb2300 1478 idle_pipe[3] = safe_close(idle_pipe[3]);
31a7eb86
ZJS		 1479}
1480
7cae38c4 1481static int build_environment(
fd63e712 1482 Unit *u,
9fa95f85 1483 const ExecContext *c,
1e22b5cd 1484 const ExecParameters *p,
7cae38c4
LP		 1485 unsigned n_fds,
1486 const char *home,
1487 const char *username,
1488 const char *shell,
7bce046b
LP		 1489 dev_t journal_stream_dev,
1490 ino_t journal_stream_ino,
7cae38c4
LP		 1491 char ***ret) {
1492
1493 _cleanup_strv_free_ char **our_env = NULL;
1494 unsigned n_env = 0;
1495 char *x;
1496
4b58153d 1497 assert(u);
7cae38c4
LP		 1498 assert(c);
1499 assert(ret);
1500
4b58153d 1501 our_env = new0(char*, 14);
7cae38c4
LP		 1502 if (!our_env)
1503 return -ENOMEM;
1504
1505 if (n_fds > 0) {
8dd4c05b
LP		 1506 _cleanup_free_ char *joined = NULL;
1507
df0ff127 1508 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid_cached()) < 0)
7cae38c4
LP		 1509 return -ENOMEM;
1510 our_env[n_env++] = x;
1511
1512 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1513 return -ENOMEM;
1514 our_env[n_env++] = x;
8dd4c05b 1515
1e22b5cd 1516 joined = strv_join(p->fd_names, ":");
8dd4c05b
LP		 1517 if (!joined)
1518 return -ENOMEM;
1519
605405c6 1520 x = strjoin("LISTEN_FDNAMES=", joined);
8dd4c05b
LP		 1521 if (!x)
1522 return -ENOMEM;
1523 our_env[n_env++] = x;
7cae38c4
LP		 1524 }
1525
b08af3b1 1526 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
df0ff127 1527 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid_cached()) < 0)
09812eb7
LP		 1528 return -ENOMEM;
1529 our_env[n_env++] = x;
1530
1e22b5cd 1531 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
09812eb7
LP		 1532 return -ENOMEM;
1533 our_env[n_env++] = x;
1534 }
1535
fd63e712
LP		 1536 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1537 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1538 * check the database directly. */
1539 if (unit_has_name(u, SPECIAL_DBUS_SERVICE)) {
1540 x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1541 if (!x)
1542 return -ENOMEM;
1543 our_env[n_env++] = x;
1544 }
1545
7cae38c4
LP		 1546 if (home) {
1547 x = strappend("HOME=", home);
1548 if (!x)
1549 return -ENOMEM;
1550 our_env[n_env++] = x;
1551 }
1552
1553 if (username) {
1554 x = strappend("LOGNAME=", username);
1555 if (!x)
1556 return -ENOMEM;
1557 our_env[n_env++] = x;
1558
1559 x = strappend("USER=", username);
1560 if (!x)
1561 return -ENOMEM;
1562 our_env[n_env++] = x;
1563 }
1564
1565 if (shell) {
1566 x = strappend("SHELL=", shell);
1567 if (!x)
1568 return -ENOMEM;
1569 our_env[n_env++] = x;
1570 }
1571
4b58153d
LP		 1572 if (!sd_id128_is_null(u->invocation_id)) {
1573 if (asprintf(&x, "INVOCATION_ID=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(u->invocation_id)) < 0)
1574 return -ENOMEM;
1575
1576 our_env[n_env++] = x;
1577 }
1578
6af760f3
LP		 1579 if (exec_context_needs_term(c)) {
1580 const char *tty_path, *term = NULL;
1581
1582 tty_path = exec_context_tty_path(c);
1583
1584 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try to inherit
1585 * the $TERM set for PID 1. This is useful for containers so that the $TERM the container manager
1586 * passes to PID 1 ends up all the way in the console login shown. */
1587
1588 if (path_equal(tty_path, "/dev/console") && getppid() == 1)
1589 term = getenv("TERM");
1590 if (!term)
1591 term = default_term_for_tty(tty_path);
7cae38c4 1592
6af760f3 1593 x = strappend("TERM=", term);
7cae38c4
LP		 1594 if (!x)
1595 return -ENOMEM;
1596 our_env[n_env++] = x;
1597 }
1598
7bce046b
LP		 1599 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1600 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1601 return -ENOMEM;
1602
1603 our_env[n_env++] = x;
1604 }
1605
7cae38c4 1606 our_env[n_env++] = NULL;
7bce046b 1607 assert(n_env <= 12);
7cae38c4
LP		 1608
1609 *ret = our_env;
1610 our_env = NULL;
1611
1612 return 0;
1613}
1614
b4c14404
FB		 1615static int build_pass_environment(const ExecContext *c, char ***ret) {
1616 _cleanup_strv_free_ char **pass_env = NULL;
1617 size_t n_env = 0, n_bufsize = 0;
1618 char **i;
1619
1620 STRV_FOREACH(i, c->pass_environment) {
1621 _cleanup_free_ char *x = NULL;
1622 char *v;
1623
1624 v = getenv(*i);
1625 if (!v)
1626 continue;
605405c6 1627 x = strjoin(*i, "=", v);
b4c14404
FB		 1628 if (!x)
1629 return -ENOMEM;
1630 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1631 return -ENOMEM;
1632 pass_env[n_env++] = x;
1633 pass_env[n_env] = NULL;
1634 x = NULL;
1635 }
1636
1637 *ret = pass_env;
1638 pass_env = NULL;
1639
1640 return 0;
1641}
1642
8b44a3d2
LP		 1643static bool exec_needs_mount_namespace(
1644 const ExecContext *context,
1645 const ExecParameters *params,
1646 ExecRuntime *runtime) {
1647
1648 assert(context);
1649 assert(params);
1650
915e6d16
LP		 1651 if (context->root_image)
1652 return true;
1653
2a624c36
AP		 1654 if (!strv_isempty(context->read_write_paths) ||
1655 !strv_isempty(context->read_only_paths) ||
1656 !strv_isempty(context->inaccessible_paths))
8b44a3d2
LP		 1657 return true;
1658
d2d6c096
LP		 1659 if (context->n_bind_mounts > 0)
1660 return true;
1661
8b44a3d2
LP		 1662 if (context->mount_flags != 0)
1663 return true;
1664
1665 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1666 return true;
1667
8b44a3d2
LP		 1668 if (context->private_devices ||
1669 context->protect_system != PROTECT_SYSTEM_NO ||
59eeb84b
LP		 1670 context->protect_home != PROTECT_HOME_NO ||
1671 context->protect_kernel_tunables ||
c575770b 1672 context->protect_kernel_modules ||
59eeb84b 1673 context->protect_control_groups)
8b44a3d2
LP		 1674 return true;
1675
9c988f93 1676 if (context->mount_apivfs && (context->root_image || context->root_directory))
5d997827
LP		 1677 return true;
1678
8b44a3d2
LP		 1679 return false;
1680}
1681
d251207d
LP		 1682static int setup_private_users(uid_t uid, gid_t gid) {
1683 _cleanup_free_ char *uid_map = NULL, *gid_map = NULL;
1684 _cleanup_close_pair_ int errno_pipe[2] = { -1, -1 };
1685 _cleanup_close_ int unshare_ready_fd = -1;
1686 _cleanup_(sigkill_waitp) pid_t pid = 0;
1687 uint64_t c = 1;
1688 siginfo_t si;
1689 ssize_t n;
1690 int r;
1691
1692 /* Set up a user namespace and map root to root, the selected UID/GID to itself, and everything else to
1693 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1694 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1695 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1696 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
1697 * continues execution normally. */
1698
587ab01b
ZJS		 1699 if (uid != 0 && uid_is_valid(uid)) {
1700 r = asprintf(&uid_map,
1701 "0 0 1\n" /* Map root → root */
1702 UID_FMT " " UID_FMT " 1\n", /* Map $UID → $UID */
1703 uid, uid);
1704 if (r < 0)
1705 return -ENOMEM;
1706 } else {
e0f3720e 1707 uid_map = strdup("0 0 1\n"); /* The case where the above is the same */
587ab01b
ZJS		 1708 if (!uid_map)
1709 return -ENOMEM;
1710 }
d251207d 1711
587ab01b
ZJS		 1712 if (gid != 0 && gid_is_valid(gid)) {
1713 r = asprintf(&gid_map,
1714 "0 0 1\n" /* Map root → root */
1715 GID_FMT " " GID_FMT " 1\n", /* Map $GID → $GID */
1716 gid, gid);
1717 if (r < 0)
1718 return -ENOMEM;
1719 } else {
d251207d 1720 gid_map = strdup("0 0 1\n"); /* The case where the above is the same */
587ab01b
ZJS		 1721 if (!gid_map)
1722 return -ENOMEM;
1723 }
d251207d
LP		 1724
1725 /* Create a communication channel so that the parent can tell the child when it finished creating the user
1726 * namespace. */
1727 unshare_ready_fd = eventfd(0, EFD_CLOEXEC);
1728 if (unshare_ready_fd < 0)
1729 return -errno;
1730
1731 /* Create a communication channel so that the child can tell the parent a proper error code in case it
1732 * failed. */
1733 if (pipe2(errno_pipe, O_CLOEXEC) < 0)
1734 return -errno;
1735
1736 pid = fork();
1737 if (pid < 0)
1738 return -errno;
1739
1740 if (pid == 0) {
1741 _cleanup_close_ int fd = -1;
1742 const char *a;
1743 pid_t ppid;
1744
1745 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
1746 * here, after the parent opened its own user namespace. */
1747
1748 ppid = getppid();
1749 errno_pipe[0] = safe_close(errno_pipe[0]);
1750
1751 /* Wait until the parent unshared the user namespace */
1752 if (read(unshare_ready_fd, &c, sizeof(c)) < 0) {
1753 r = -errno;
1754 goto child_fail;
1755 }
1756
1757 /* Disable the setgroups() system call in the child user namespace, for good. */
1758 a = procfs_file_alloca(ppid, "setgroups");
1759 fd = open(a, O_WRONLY|O_CLOEXEC);
1760 if (fd < 0) {
1761 if (errno != ENOENT) {
1762 r = -errno;
1763 goto child_fail;
1764 }
1765
1766 /* If the file is missing the kernel is too old, let's continue anyway. */
1767 } else {
1768 if (write(fd, "deny\n", 5) < 0) {
1769 r = -errno;
1770 goto child_fail;
1771 }
1772
1773 fd = safe_close(fd);
1774 }
1775
1776 /* First write the GID map */
1777 a = procfs_file_alloca(ppid, "gid_map");
1778 fd = open(a, O_WRONLY|O_CLOEXEC);
1779 if (fd < 0) {
1780 r = -errno;
1781 goto child_fail;
1782 }
1783 if (write(fd, gid_map, strlen(gid_map)) < 0) {
1784 r = -errno;
1785 goto child_fail;
1786 }
1787 fd = safe_close(fd);
1788
1789 /* The write the UID map */
1790 a = procfs_file_alloca(ppid, "uid_map");
1791 fd = open(a, O_WRONLY|O_CLOEXEC);
1792 if (fd < 0) {
1793 r = -errno;
1794 goto child_fail;
1795 }
1796 if (write(fd, uid_map, strlen(uid_map)) < 0) {
1797 r = -errno;
1798 goto child_fail;
1799 }
1800
1801 _exit(EXIT_SUCCESS);
1802
1803 child_fail:
1804 (void) write(errno_pipe[1], &r, sizeof(r));
1805 _exit(EXIT_FAILURE);
1806 }
1807
1808 errno_pipe[1] = safe_close(errno_pipe[1]);
1809
1810 if (unshare(CLONE_NEWUSER) < 0)
1811 return -errno;
1812
1813 /* Let the child know that the namespace is ready now */
1814 if (write(unshare_ready_fd, &c, sizeof(c)) < 0)
1815 return -errno;
1816
1817 /* Try to read an error code from the child */
1818 n = read(errno_pipe[0], &r, sizeof(r));
1819 if (n < 0)
1820 return -errno;
1821 if (n == sizeof(r)) { /* an error code was sent to us */
1822 if (r < 0)
1823 return r;
1824 return -EIO;
1825 }
1826 if (n != 0) /* on success we should have read 0 bytes */
1827 return -EIO;
1828
1829 r = wait_for_terminate(pid, &si);
1830 if (r < 0)
1831 return r;
1832 pid = 0;
1833
1834 /* If something strange happened with the child, let's consider this fatal, too */
1835 if (si.si_code != CLD_EXITED || si.si_status != 0)
1836 return -EIO;
1837
1838 return 0;
1839}
1840
3536f49e 1841static int setup_exec_directory(
07689d5d
LP		 1842 const ExecContext *context,
1843 const ExecParameters *params,
1844 uid_t uid,
3536f49e 1845 gid_t gid,
3536f49e
YW		 1846 ExecDirectoryType type,
1847 int *exit_status) {
07689d5d 1848
3536f49e
YW		 1849 static const int exit_status_table[_EXEC_DIRECTORY_MAX] = {
1850 [EXEC_DIRECTORY_RUNTIME] = EXIT_RUNTIME_DIRECTORY,
1851 [EXEC_DIRECTORY_STATE] = EXIT_STATE_DIRECTORY,
1852 [EXEC_DIRECTORY_CACHE] = EXIT_CACHE_DIRECTORY,
1853 [EXEC_DIRECTORY_LOGS] = EXIT_LOGS_DIRECTORY,
1854 [EXEC_DIRECTORY_CONFIGURATION] = EXIT_CONFIGURATION_DIRECTORY,
1855 };
07689d5d
LP		 1856 char **rt;
1857 int r;
1858
1859 assert(context);
1860 assert(params);
3536f49e
YW		 1861 assert(type >= 0 && type < _EXEC_DIRECTORY_MAX);
1862 assert(exit_status);
07689d5d 1863
3536f49e
YW		 1864 if (!params->prefix[type])
1865 return 0;
1866
8679efde 1867 if (params->flags & EXEC_CHOWN_DIRECTORIES) {
3536f49e
YW		 1868 if (!uid_is_valid(uid))
1869 uid = 0;
1870 if (!gid_is_valid(gid))
1871 gid = 0;
1872 }
1873
1874 STRV_FOREACH(rt, context->directories[type].paths) {
07689d5d
LP		 1875 _cleanup_free_ char *p;
1876
3536f49e
YW		 1877 p = strjoin(params->prefix[type], "/", *rt);
1878 if (!p) {
1879 r = -ENOMEM;
1880 goto fail;
1881 }
07689d5d 1882
23a7448e
YW		 1883 r = mkdir_parents_label(p, 0755);
1884 if (r < 0)
3536f49e 1885 goto fail;
23a7448e 1886
3536f49e 1887 r = mkdir_p_label(p, context->directories[type].mode);
07689d5d 1888 if (r < 0)
3536f49e 1889 goto fail;
07689d5d 1890
3536f49e 1891 r = chmod_and_chown(p, context->directories[type].mode, uid, gid);
07689d5d 1892 if (r < 0)
3536f49e 1893 goto fail;
07689d5d
LP		 1894 }
1895
1896 return 0;
3536f49e
YW		 1897
1898fail:
1899 *exit_status = exit_status_table[type];
1900
1901 return r;
07689d5d
LP		 1902}
1903
cefc33ae
LP		 1904static int setup_smack(
1905 const ExecContext *context,
1906 const ExecCommand *command) {
1907
cefc33ae
LP		 1908 int r;
1909
1910 assert(context);
1911 assert(command);
1912
cefc33ae
LP		 1913 if (context->smack_process_label) {
1914 r = mac_smack_apply_pid(0, context->smack_process_label);
1915 if (r < 0)
1916 return r;
1917 }
1918#ifdef SMACK_DEFAULT_PROCESS_LABEL
1919 else {
1920 _cleanup_free_ char *exec_label = NULL;
1921
1922 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
1923 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP)
1924 return r;
1925
1926 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
1927 if (r < 0)
1928 return r;
1929 }
cefc33ae
LP		 1930#endif
1931
1932 return 0;
1933}
1934
3fbe8dbe
LP		 1935static int compile_read_write_paths(
1936 const ExecContext *context,
1937 const ExecParameters *params,
1938 char ***ret) {
1939
1940 _cleanup_strv_free_ char **l = NULL;
1941 char **rt;
3536f49e 1942 ExecDirectoryType i;
3fbe8dbe 1943
06ec51d8
ZJS		 1944 /* Compile the list of writable paths. This is the combination of
1945 * the explicitly configured paths, plus all runtime directories. */
3fbe8dbe 1946
3536f49e
YW		 1947 if (strv_isempty(context->read_write_paths)) {
1948 for (i = 0; i < _EXEC_DIRECTORY_MAX; i++)
1949 if (!strv_isempty(context->directories[i].paths))
1950 break;
1951
1952 if (i == _EXEC_DIRECTORY_MAX) {
1953 *ret = NULL; /* NOP if neither is set */
1954 return 0;
1955 }
3fbe8dbe
LP		 1956 }
1957
1958 l = strv_copy(context->read_write_paths);
1959 if (!l)
1960 return -ENOMEM;
1961
3536f49e
YW		 1962 for (i = 0; i < _EXEC_DIRECTORY_MAX; i++) {
1963 if (!params->prefix[i])
1964 continue;
3fbe8dbe 1965
3536f49e
YW		 1966 STRV_FOREACH(rt, context->directories[i].paths) {
1967 char *s;
3fbe8dbe 1968
3536f49e
YW		 1969 s = strjoin(params->prefix[i], "/", *rt);
1970 if (!s)
1971 return -ENOMEM;
1972
1973 if (strv_consume(&l, s) < 0)
1974 return -ENOMEM;
1975 }
3fbe8dbe
LP		 1976 }
1977
1978 *ret = l;
1979 l = NULL;
1980
1981 return 0;
1982}
1983
6818c54c
LP		 1984static int apply_mount_namespace(
1985 Unit *u,
1986 ExecCommand *command,
1987 const ExecContext *context,
1988 const ExecParameters *params,
1989 ExecRuntime *runtime) {
1990
06ec51d8 1991 _cleanup_strv_free_ char **rw = NULL;
93c6bb51 1992 char *tmp = NULL, *var = NULL;
915e6d16 1993 const char *root_dir = NULL, *root_image = NULL;
93c6bb51 1994 NameSpaceInfo ns_info = {
af964954 1995 .ignore_protect_paths = false,
93c6bb51
DH		 1996 .private_dev = context->private_devices,
1997 .protect_control_groups = context->protect_control_groups,
1998 .protect_kernel_tunables = context->protect_kernel_tunables,
1999 .protect_kernel_modules = context->protect_kernel_modules,
5d997827 2000 .mount_apivfs = context->mount_apivfs,
93c6bb51 2001 };
6818c54c
LP		 2002 bool apply_restrictions;
2003 int r;
93c6bb51 2004
2b3c1b9e
DH		 2005 assert(context);
2006
93c6bb51
DH		 2007 /* The runtime struct only contains the parent of the private /tmp,
2008 * which is non-accessible to world users. Inside of it there's a /tmp
2009 * that is sticky, and that's the one we want to use here. */
2010
2011 if (context->private_tmp && runtime) {
2012 if (runtime->tmp_dir)
2013 tmp = strjoina(runtime->tmp_dir, "/tmp");
2014 if (runtime->var_tmp_dir)
2015 var = strjoina(runtime->var_tmp_dir, "/tmp");
2016 }
2017
2018 r = compile_read_write_paths(context, params, &rw);
2019 if (r < 0)
2020 return r;
2021
915e6d16
LP		 2022 if (params->flags & EXEC_APPLY_CHROOT) {
2023 root_image = context->root_image;
2024
2025 if (!root_image)
2026 root_dir = context->root_directory;
2027 }
93c6bb51 2028
af964954
DH		 2029 /*
2030 * If DynamicUser=no and RootDirectory= is set then lets pass a relaxed
2031 * sandbox info, otherwise enforce it, don't ignore protected paths and
2032 * fail if we are enable to apply the sandbox inside the mount namespace.
2033 */
2034 if (!context->dynamic_user && root_dir)
2035 ns_info.ignore_protect_paths = true;
2036
3ed0cd26 2037 apply_restrictions = (params->flags & EXEC_APPLY_PERMISSIONS) && !(command->flags & EXEC_COMMAND_FULLY_PRIVILEGED);
6818c54c 2038
915e6d16
LP		 2039 r = setup_namespace(root_dir, root_image,
2040 &ns_info, rw,
6818c54c
LP		 2041 apply_restrictions ? context->read_only_paths : NULL,
2042 apply_restrictions ? context->inaccessible_paths : NULL,
d2d6c096
LP		 2043 context->bind_mounts,
2044 context->n_bind_mounts,
93c6bb51
DH		 2045 tmp,
2046 var,
6818c54c
LP		 2047 apply_restrictions ? context->protect_home : PROTECT_HOME_NO,
2048 apply_restrictions ? context->protect_system : PROTECT_SYSTEM_NO,
915e6d16
LP		 2049 context->mount_flags,
2050 DISSECT_IMAGE_DISCARD_ON_LOOP);
93c6bb51
DH		 2051
2052 /* If we couldn't set up the namespace this is probably due to a
2053 * missing capability. In this case, silently proceeed. */
2054 if (IN_SET(r, -EPERM, -EACCES)) {
2055 log_open();
2056 log_unit_debug_errno(u, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
2057 log_close();
2058 r = 0;
2059 }
2060
2061 return r;
2062}
2063
915e6d16
LP		 2064static int apply_working_directory(
2065 const ExecContext *context,
2066 const ExecParameters *params,
2067 const char *home,
376fecf6
LP		 2068 const bool needs_mount_ns,
2069 int *exit_status) {
915e6d16 2070
6732edab 2071 const char *d, *wd;
2b3c1b9e
DH		 2072
2073 assert(context);
376fecf6 2074 assert(exit_status);
2b3c1b9e 2075
6732edab
LP		 2076 if (context->working_directory_home) {
2077
376fecf6
LP		 2078 if (!home) {
2079 *exit_status = EXIT_CHDIR;
6732edab 2080 return -ENXIO;
376fecf6 2081 }
6732edab 2082
2b3c1b9e 2083 wd = home;
6732edab
LP		 2084
2085 } else if (context->working_directory)
2b3c1b9e
DH		 2086 wd = context->working_directory;
2087 else
2088 wd = "/";
e7f1e7c6
DH		 2089
2090 if (params->flags & EXEC_APPLY_CHROOT) {
2091 if (!needs_mount_ns && context->root_directory)
376fecf6
LP		 2092 if (chroot(context->root_directory) < 0) {
2093 *exit_status = EXIT_CHROOT;
e7f1e7c6 2094 return -errno;
376fecf6 2095 }
e7f1e7c6 2096
2b3c1b9e
DH		 2097 d = wd;
2098 } else
3b0e5bb5 2099 d = prefix_roota(context->root_directory, wd);
e7f1e7c6 2100
376fecf6
LP		 2101 if (chdir(d) < 0 && !context->working_directory_missing_ok) {
2102 *exit_status = EXIT_CHDIR;
2b3c1b9e 2103 return -errno;
376fecf6 2104 }
e7f1e7c6
DH		 2105
2106 return 0;
2107}
2108
74dd6b51
LP		 2109static int setup_keyring(Unit *u, const ExecParameters *p, uid_t uid, gid_t gid) {
2110 key_serial_t keyring;
2111
2112 assert(u);
2113 assert(p);
2114
2115 /* Let's set up a new per-service "session" kernel keyring for each system service. This has the benefit that
2116 * each service runs with its own keyring shared among all processes of the service, but with no hook-up beyond
2117 * that scope, and in particular no link to the per-UID keyring. If we don't do this the keyring will be
2118 * automatically created on-demand and then linked to the per-UID keyring, by the kernel. The kernel's built-in
2119 * on-demand behaviour is very appropriate for login users, but probably not so much for system services, where
2120 * UIDs are not necessarily specific to a service but reused (at least in the case of UID 0). */
2121
2122 if (!(p->flags & EXEC_NEW_KEYRING))
2123 return 0;
2124
2125 keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0);
2126 if (keyring == -1) {
2127 if (errno == ENOSYS)
2128 log_debug_errno(errno, "Kernel keyring not supported, ignoring.");
2129 else if (IN_SET(errno, EACCES, EPERM))
2130 log_debug_errno(errno, "Kernel keyring access prohibited, ignoring.");
2131 else if (errno == EDQUOT)
2132 log_debug_errno(errno, "Out of kernel keyrings to allocate, ignoring.");
2133 else
2134 return log_error_errno(errno, "Setting up kernel keyring failed: %m");
2135
2136 return 0;
2137 }
2138
b3415f5d
LP		 2139 /* Populate they keyring with the invocation ID by default. */
2140 if (!sd_id128_is_null(u->invocation_id)) {
2141 key_serial_t key;
2142
2143 key = add_key("user", "invocation_id", &u->invocation_id, sizeof(u->invocation_id), KEY_SPEC_SESSION_KEYRING);
2144 if (key == -1)
2145 log_debug_errno(errno, "Failed to add invocation ID to keyring, ignoring: %m");
2146 else {
2147 if (keyctl(KEYCTL_SETPERM, key,
2148 KEY_POS_VIEW|KEY_POS_READ|KEY_POS_SEARCH|
2149 KEY_USR_VIEW|KEY_USR_READ|KEY_USR_SEARCH, 0, 0) < 0)
2150 return log_error_errno(errno, "Failed to restrict invocation ID permission: %m");
2151 }
2152 }
2153
74dd6b51
LP		 2154 /* And now, make the keyring owned by the service's user */
2155 if (uid_is_valid(uid) || gid_is_valid(gid))
2156 if (keyctl(KEYCTL_CHOWN, keyring, uid, gid, 0) < 0)
2157 return log_error_errno(errno, "Failed to change ownership of session keyring: %m");
2158
2159 return 0;
2160}
2161
29206d46
LP		 2162static void append_socket_pair(int *array, unsigned *n, int pair[2]) {
2163 assert(array);
2164 assert(n);
2165
2166 if (!pair)
2167 return;
2168
2169 if (pair[0] >= 0)
2170 array[(*n)++] = pair[0];
2171 if (pair[1] >= 0)
2172 array[(*n)++] = pair[1];
2173}
2174
a34ceba6
LP		 2175static int close_remaining_fds(
2176 const ExecParameters *params,
2177 ExecRuntime *runtime,
29206d46 2178 DynamicCreds *dcreds,
00d9ef85 2179 int user_lookup_fd,
a34ceba6
LP		 2180 int socket_fd,
2181 int *fds, unsigned n_fds) {
2182
2183 unsigned n_dont_close = 0;
00d9ef85 2184 int dont_close[n_fds + 12];
a34ceba6
LP		 2185
2186 assert(params);
2187
2188 if (params->stdin_fd >= 0)
2189 dont_close[n_dont_close++] = params->stdin_fd;
2190 if (params->stdout_fd >= 0)
2191 dont_close[n_dont_close++] = params->stdout_fd;
2192 if (params->stderr_fd >= 0)
2193 dont_close[n_dont_close++] = params->stderr_fd;
2194
2195 if (socket_fd >= 0)
2196 dont_close[n_dont_close++] = socket_fd;
2197 if (n_fds > 0) {
2198 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
2199 n_dont_close += n_fds;
2200 }
2201
29206d46
LP		 2202 if (runtime)
2203 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
2204
2205 if (dcreds) {
2206 if (dcreds->user)
2207 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
2208 if (dcreds->group)
2209 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
a34ceba6
LP		 2210 }
2211
00d9ef85
LP		 2212 if (user_lookup_fd >= 0)
2213 dont_close[n_dont_close++] = user_lookup_fd;
2214
a34ceba6
LP		 2215 return close_all_fds(dont_close, n_dont_close);
2216}
2217
00d9ef85
LP		 2218static int send_user_lookup(
2219 Unit *unit,
2220 int user_lookup_fd,
2221 uid_t uid,
2222 gid_t gid) {
2223
2224 assert(unit);
2225
2226 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
2227 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
2228 * specified. */
2229
2230 if (user_lookup_fd < 0)
2231 return 0;
2232
2233 if (!uid_is_valid(uid) && !gid_is_valid(gid))
2234 return 0;
2235
2236 if (writev(user_lookup_fd,
2237 (struct iovec[]) {
2238 { .iov_base = &uid, .iov_len = sizeof(uid) },
2239 { .iov_base = &gid, .iov_len = sizeof(gid) },
2240 { .iov_base = unit->id, .iov_len = strlen(unit->id) }}, 3) < 0)
2241 return -errno;
2242
2243 return 0;
2244}
2245
6732edab
LP		 2246static int acquire_home(const ExecContext *c, uid_t uid, const char** home, char **buf) {
2247 int r;
2248
2249 assert(c);
2250 assert(home);
2251 assert(buf);
2252
2253 /* If WorkingDirectory=~ is set, try to acquire a usable home directory. */
2254
2255 if (*home)
2256 return 0;
2257
2258 if (!c->working_directory_home)
2259 return 0;
2260
2261 if (uid == 0) {
2262 /* Hardcode /root as home directory for UID 0 */
2263 *home = "/root";
2264 return 1;
2265 }
2266
2267 r = get_home_dir(buf);
2268 if (r < 0)
2269 return r;
2270
2271 *home = *buf;
2272 return 1;
2273}
2274
ff0af2a1 2275static int exec_child(
f2341e0a 2276 Unit *unit,
ff0af2a1
LP		 2277 ExecCommand *command,
2278 const ExecContext *context,
2279 const ExecParameters *params,
2280 ExecRuntime *runtime,
29206d46 2281 DynamicCreds *dcreds,
ff0af2a1
LP		 2282 char **argv,
2283 int socket_fd,
52c239d7 2284 int named_iofds[3],
4c47affc
FB		 2285 int *fds,
2286 unsigned n_storage_fds,
9b141911 2287 unsigned n_socket_fds,
ff0af2a1 2288 char **files_env,
00d9ef85 2289 int user_lookup_fd,
70dd455c
ZJS		 2290 int *exit_status,
2291 char **error_message) {
d35fbf6b 2292
2065ca69 2293 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **final_argv = NULL;
6732edab 2294 _cleanup_free_ char *mac_selinux_context_net = NULL, *home_buffer = NULL;
4d885bd3
DH		 2295 _cleanup_free_ gid_t *supplementary_gids = NULL;
2296 const char *username = NULL, *groupname = NULL;
2b3c1b9e 2297 const char *home = NULL, *shell = NULL;
7bce046b
LP		 2298 dev_t journal_stream_dev = 0;
2299 ino_t journal_stream_ino = 0;
ecfbc84f
YW		 2300 bool needs_exec_restrictions, needs_mount_namespace;
2301#ifdef HAVE_SELINUX
2302 bool needs_selinux = false;
2303#endif
2304#ifdef HAVE_SMACK
2305 bool needs_smack = false;
2306#endif
2307#ifdef HAVE_APPARMOR
2308 bool needs_apparmor = false;
2309#endif
fed1e721
LP		 2310 uid_t uid = UID_INVALID;
2311 gid_t gid = GID_INVALID;
4d885bd3 2312 int i, r, ngids = 0;
4c47affc 2313 unsigned n_fds;
3536f49e 2314 ExecDirectoryType dt;
034c6ed7 2315
f2341e0a 2316 assert(unit);
5cb5a6ff
LP		 2317 assert(command);
2318 assert(context);
d35fbf6b 2319 assert(params);
ff0af2a1 2320 assert(exit_status);
70dd455c
ZJS		 2321 assert(error_message);
2322 /* We don't always set error_message, hence it must be initialized */
2323 assert(*error_message == NULL);
d35fbf6b
DM		 2324
2325 rename_process_from_path(command->path);
2326
2327 /* We reset exactly these signals, since they are the
2328 * only ones we set to SIG_IGN in the main daemon. All
2329 * others we leave untouched because we set them to
2330 * SIG_DFL or a valid handler initially, both of which
2331 * will be demoted to SIG_DFL. */
ce30c8dc
LP		 2332 (void) default_signals(SIGNALS_CRASH_HANDLER,
2333 SIGNALS_IGNORE, -1);
d35fbf6b
DM		 2334
2335 if (context->ignore_sigpipe)
ce30c8dc 2336 (void) ignore_signals(SIGPIPE, -1);
d35fbf6b 2337
ff0af2a1
LP		 2338 r = reset_signal_mask();
2339 if (r < 0) {
2340 *exit_status = EXIT_SIGNAL_MASK;
70dd455c
ZJS		 2341 *error_message = strdup("Failed to reset signal mask");
2342 /* If strdup fails, here and below, we will just print the generic error message. */
ff0af2a1 2343 return r;
d35fbf6b 2344 }
034c6ed7 2345
d35fbf6b
DM		 2346 if (params->idle_pipe)
2347 do_idle_pipe_dance(params->idle_pipe);
4f2d528d 2348
d35fbf6b
DM		 2349 /* Close sockets very early to make sure we don't
2350 * block init reexecution because it cannot bind its
2351 * sockets */
ff0af2a1 2352
d35fbf6b 2353 log_forget_fds();
4f2d528d 2354
4c47affc 2355 n_fds = n_storage_fds + n_socket_fds;
00d9ef85 2356 r = close_remaining_fds(params, runtime, dcreds, user_lookup_fd, socket_fd, fds, n_fds);
ff0af2a1
LP		 2357 if (r < 0) {
2358 *exit_status = EXIT_FDS;
70dd455c 2359 *error_message = strdup("Failed to close remaining fds");
ff0af2a1 2360 return r;
8c7be95e
LP		 2361 }
2362
d35fbf6b
DM		 2363 if (!context->same_pgrp)
2364 if (setsid() < 0) {
ff0af2a1 2365 *exit_status = EXIT_SETSID;
d35fbf6b
DM		 2366 return -errno;
2367 }
9e2f7c11 2368
1e22b5cd 2369 exec_context_tty_reset(context, params);
d35fbf6b 2370
c891efaf 2371 if (unit_shall_confirm_spawn(unit)) {
7d5ceb64 2372 const char *vc = params->confirm_spawn;
3b20f877
FB		 2373 _cleanup_free_ char *cmdline = NULL;
2374
2375 cmdline = exec_command_line(argv);
2376 if (!cmdline) {
2377 *exit_status = EXIT_CONFIRM;
2378 return -ENOMEM;
2379 }
d35fbf6b 2380
eedf223a 2381 r = ask_for_confirmation(vc, unit, cmdline);
3b20f877
FB		 2382 if (r != CONFIRM_EXECUTE) {
2383 if (r == CONFIRM_PRETEND_SUCCESS) {
2384 *exit_status = EXIT_SUCCESS;
2385 return 0;
2386 }
ff0af2a1 2387 *exit_status = EXIT_CONFIRM;
70dd455c 2388 *error_message = strdup("Execution cancelled");
d35fbf6b 2389 return -ECANCELED;
d35fbf6b
DM		 2390 }
2391 }
1a63a750 2392
29206d46
LP		 2393 if (context->dynamic_user && dcreds) {
2394
409093fe
LP		 2395 /* Make sure we bypass our own NSS module for any NSS checks */
2396 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
2397 *exit_status = EXIT_USER;
70dd455c 2398 *error_message = strdup("Failed to update environment");
409093fe
LP		 2399 return -errno;
2400 }
2401
29206d46 2402 r = dynamic_creds_realize(dcreds, &uid, &gid);
ff0af2a1
LP		 2403 if (r < 0) {
2404 *exit_status = EXIT_USER;
70dd455c 2405 *error_message = strdup("Failed to update dynamic user credentials");
ff0af2a1 2406 return r;
524daa8c 2407 }
524daa8c 2408
70dd455c 2409 if (!uid_is_valid(uid)) {
29206d46 2410 *exit_status = EXIT_USER;
70dd455c
ZJS		 2411 (void) asprintf(error_message, "UID validation failed for \""UID_FMT"\"", uid);
2412 /* If asprintf fails, here and below, we will just print the generic error message. */
2413 return -ESRCH;
2414 }
2415
2416 if (!gid_is_valid(gid)) {
2417 *exit_status = EXIT_USER;
2418 (void) asprintf(error_message, "GID validation failed for \""GID_FMT"\"", gid);
29206d46
LP		 2419 return -ESRCH;
2420 }
5bc7452b 2421
29206d46
LP		 2422 if (dcreds->user)
2423 username = dcreds->user->name;
2424
2425 } else {
4d885bd3
DH		 2426 r = get_fixed_user(context, &username, &uid, &gid, &home, &shell);
2427 if (r < 0) {
2428 *exit_status = EXIT_USER;
70dd455c 2429 *error_message = strdup("Failed to determine user credentials");
4d885bd3 2430 return r;
5bc7452b 2431 }
5bc7452b 2432
4d885bd3
DH		 2433 r = get_fixed_group(context, &groupname, &gid);
2434 if (r < 0) {
2435 *exit_status = EXIT_GROUP;
70dd455c 2436 *error_message = strdup("Failed to determine group credentials");
4d885bd3
DH		 2437 return r;
2438 }
cdc5d5c5 2439 }
29206d46 2440
cdc5d5c5
DH		 2441 /* Initialize user supplementary groups and get SupplementaryGroups= ones */
2442 r = get_supplementary_groups(context, username, groupname, gid,
2443 &supplementary_gids, &ngids);
2444 if (r < 0) {
2445 *exit_status = EXIT_GROUP;
70dd455c 2446 *error_message = strdup("Failed to determine supplementary groups");
cdc5d5c5 2447 return r;
29206d46 2448 }
5bc7452b 2449
00d9ef85
LP		 2450 r = send_user_lookup(unit, user_lookup_fd, uid, gid);
2451 if (r < 0) {
2452 *exit_status = EXIT_USER;
70dd455c 2453 *error_message = strdup("Failed to send user credentials to PID1");
00d9ef85
LP		 2454 return r;
2455 }
2456
2457 user_lookup_fd = safe_close(user_lookup_fd);
2458
6732edab
LP		 2459 r = acquire_home(context, uid, &home, &home_buffer);
2460 if (r < 0) {
2461 *exit_status = EXIT_CHDIR;
2462 *error_message = strdup("Failed to determine $HOME for user");
2463 return r;
2464 }
2465
d35fbf6b
DM		 2466 /* If a socket is connected to STDIN/STDOUT/STDERR, we
2467 * must sure to drop O_NONBLOCK */
2468 if (socket_fd >= 0)
a34ceba6 2469 (void) fd_nonblock(socket_fd, false);
acbb0225 2470
52c239d7 2471 r = setup_input(context, params, socket_fd, named_iofds);
ff0af2a1
LP		 2472 if (r < 0) {
2473 *exit_status = EXIT_STDIN;
70dd455c 2474 *error_message = strdup("Failed to set up stdin");
ff0af2a1 2475 return r;
d35fbf6b 2476 }
034c6ed7 2477
52c239d7 2478 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 2479 if (r < 0) {
2480 *exit_status = EXIT_STDOUT;
70dd455c 2481 *error_message = strdup("Failed to set up stdout");
ff0af2a1 2482 return r;
d35fbf6b
DM		 2483 }
2484
52c239d7 2485 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 2486 if (r < 0) {
2487 *exit_status = EXIT_STDERR;
70dd455c 2488 *error_message = strdup("Failed to set up stderr");
ff0af2a1 2489 return r;
d35fbf6b
DM		 2490 }
2491
2492 if (params->cgroup_path) {
ff0af2a1
LP		 2493 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
2494 if (r < 0) {
2495 *exit_status = EXIT_CGROUP;
70dd455c 2496 (void) asprintf(error_message, "Failed to attach to cgroup %s", params->cgroup_path);
ff0af2a1 2497 return r;
309bff19 2498 }
d35fbf6b 2499 }
309bff19 2500
d35fbf6b 2501 if (context->oom_score_adjust_set) {
d5243d62 2502 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
f2b68789 2503
d5243d62
LP		 2504 /* When we can't make this change due to EPERM, then
2505 * let's silently skip over it. User namespaces
2506 * prohibit write access to this file, and we
2507 * shouldn't trip up over that. */
613b411c 2508
d5243d62 2509 sprintf(t, "%i", context->oom_score_adjust);
ad118bda 2510 r = write_string_file("/proc/self/oom_score_adj", t, 0);
6cb7fa17 2511 if (r == -EPERM || r == -EACCES) {
ff0af2a1 2512 log_open();
f2341e0a 2513 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
ff0af2a1
LP		 2514 log_close();
2515 } else if (r < 0) {
2516 *exit_status = EXIT_OOM_ADJUST;
70dd455c 2517 *error_message = strdup("Failed to write /proc/self/oom_score_adj");
d35fbf6b 2518 return -errno;
613b411c 2519 }
d35fbf6b
DM		 2520 }
2521
2522 if (context->nice_set)
2523 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
ff0af2a1 2524 *exit_status = EXIT_NICE;
d35fbf6b 2525 return -errno;
613b411c
LP		 2526 }
2527
d35fbf6b
DM		 2528 if (context->cpu_sched_set) {
2529 struct sched_param param = {
2530 .sched_priority = context->cpu_sched_priority,
2531 };
2532
ff0af2a1
LP		 2533 r = sched_setscheduler(0,
2534 context->cpu_sched_policy |
2535 (context->cpu_sched_reset_on_fork ?
2536 SCHED_RESET_ON_FORK : 0),
2537 &param);
2538 if (r < 0) {
2539 *exit_status = EXIT_SETSCHEDULER;
d35fbf6b 2540 return -errno;
fc9b2a84 2541 }
d35fbf6b 2542 }
fc9b2a84 2543
d35fbf6b
DM		 2544 if (context->cpuset)
2545 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
ff0af2a1 2546 *exit_status = EXIT_CPUAFFINITY;
d35fbf6b 2547 return -errno;
034c6ed7
LP		 2548 }
2549
d35fbf6b
DM		 2550 if (context->ioprio_set)
2551 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
ff0af2a1 2552 *exit_status = EXIT_IOPRIO;
d35fbf6b
DM		 2553 return -errno;
2554 }
da726a4d 2555
d35fbf6b
DM		 2556 if (context->timer_slack_nsec != NSEC_INFINITY)
2557 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
ff0af2a1 2558 *exit_status = EXIT_TIMERSLACK;
d35fbf6b 2559 return -errno;
4c2630eb 2560 }
9eba9da4 2561
050f7277 2562 if (context->personality != PERSONALITY_INVALID)
d35fbf6b 2563 if (personality(context->personality) < 0) {
ff0af2a1 2564 *exit_status = EXIT_PERSONALITY;
d35fbf6b 2565 return -errno;
4c2630eb 2566 }
94f04347 2567
d35fbf6b 2568 if (context->utmp_id)
df0ff127 2569 utmp_put_init_process(context->utmp_id, getpid_cached(), getsid(0),
6a93917d 2570 context->tty_path,
023a4f67
LP		 2571 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
2572 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
2573 USER_PROCESS,
6a93917d 2574 username);
d35fbf6b 2575
e0d2adfd 2576 if (context->user) {
ff0af2a1
LP		 2577 r = chown_terminal(STDIN_FILENO, uid);
2578 if (r < 0) {
2579 *exit_status = EXIT_STDIN;
2580 return r;
071830ff 2581 }
d35fbf6b 2582 }
8e274523 2583
a931ad47
LP		 2584 /* If delegation is enabled we'll pass ownership of the cgroup
2585 * (but only in systemd's own controller hierarchy!) to the
2586 * user of the new process. */
2587 if (params->cgroup_path && context->user && params->cgroup_delegate) {
ff0af2a1
LP		 2588 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
2589 if (r < 0) {
2590 *exit_status = EXIT_CGROUP;
2591 return r;
d35fbf6b 2592 }
034c6ed7 2593
034c6ed7 2594
ff0af2a1
LP		 2595 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
2596 if (r < 0) {
2597 *exit_status = EXIT_CGROUP;
2598 return r;
034c6ed7 2599 }
d35fbf6b 2600 }
034c6ed7 2601
3536f49e 2602 for (dt = 0; dt < _EXEC_DIRECTORY_MAX; dt++) {
8679efde 2603 r = setup_exec_directory(context, params, uid, gid, dt, exit_status);
3536f49e 2604 if (r < 0)
07689d5d 2605 return r;
d35fbf6b 2606 }
94f04347 2607
7bce046b 2608 r = build_environment(
fd63e712 2609 unit,
7bce046b
LP		 2610 context,
2611 params,
2612 n_fds,
2613 home,
2614 username,
2615 shell,
2616 journal_stream_dev,
2617 journal_stream_ino,
2618 &our_env);
2065ca69
JW		 2619 if (r < 0) {
2620 *exit_status = EXIT_MEMORY;
2621 return r;
2622 }
2623
2624 r = build_pass_environment(context, &pass_env);
2625 if (r < 0) {
2626 *exit_status = EXIT_MEMORY;
2627 return r;
2628 }
2629
2630 accum_env = strv_env_merge(5,
2631 params->environment,
2632 our_env,
2633 pass_env,
2634 context->environment,
2635 files_env,
2636 NULL);
2637 if (!accum_env) {
2638 *exit_status = EXIT_MEMORY;
2639 return -ENOMEM;
2640 }
1280503b 2641 accum_env = strv_env_clean(accum_env);
2065ca69 2642
096424d1 2643 (void) umask(context->umask);
b213e1c1 2644
74dd6b51
LP		 2645 r = setup_keyring(unit, params, uid, gid);
2646 if (r < 0) {
2647 *exit_status = EXIT_KEYRING;
2648 return r;
2649 }
2650
3ed0cd26 2651 needs_exec_restrictions = (params->flags & EXEC_APPLY_PERMISSIONS) && !(command->flags & EXEC_COMMAND_FULLY_PRIVILEGED);
7f18ef0a
FK		 2652
2653 if (needs_exec_restrictions) {
b213e1c1 2654 if (context->pam_name && username) {
2d6fce8d 2655 r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds);
b213e1c1
SW		 2656 if (r < 0) {
2657 *exit_status = EXIT_PAM;
2658 return r;
2659 }
d35fbf6b 2660 }
7f18ef0a
FK		 2661
2662 /* MAC enablement checks need to be done before a new mount ns is created, as they rely on /sys being
2663 * present. The actual MAC context application will happen later, as late as possible, to avoid
2664 * impacting our own code paths. */
2665
2666#ifdef HAVE_SELINUX
2667 needs_selinux = mac_selinux_use();
2668#endif
2669
2670#ifdef HAVE_SMACK
2671 needs_smack = mac_smack_use();
2672#endif
2673
2674#ifdef HAVE_APPARMOR
2675 needs_apparmor = context->apparmor_profile && mac_apparmor_use();
2676#endif
2677
b213e1c1 2678 }
ac45f971 2679
d35fbf6b 2680 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
ff0af2a1
LP		 2681 r = setup_netns(runtime->netns_storage_socket);
2682 if (r < 0) {
2683 *exit_status = EXIT_NETWORK;
2684 return r;
d35fbf6b
DM		 2685 }
2686 }
169c1bda 2687
ee818b89 2688 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
ee818b89 2689 if (needs_mount_namespace) {
6818c54c 2690 r = apply_mount_namespace(unit, command, context, params, runtime);
3fbe8dbe
LP		 2691 if (r < 0) {
2692 *exit_status = EXIT_NAMESPACE;
2693 return r;
2694 }
d35fbf6b 2695 }
81a2b7ce 2696
50b3dfb9 2697 /* Apply just after mount namespace setup */
376fecf6
LP		 2698 r = apply_working_directory(context, params, home, needs_mount_namespace, exit_status);
2699 if (r < 0)
50b3dfb9 2700 return r;
50b3dfb9 2701
bbeea271 2702 /* Drop groups as early as possbile */
7f18ef0a 2703 if (needs_exec_restrictions) {
4d885bd3 2704 r = enforce_groups(context, gid, supplementary_gids, ngids);
096424d1
LP		 2705 if (r < 0) {
2706 *exit_status = EXIT_GROUP;
2707 return r;
2708 }
2709 }
2710
9008e1ac 2711#ifdef HAVE_SELINUX
7f18ef0a 2712 if (needs_exec_restrictions && needs_selinux && params->selinux_context_net && socket_fd >= 0) {
ff0af2a1
LP		 2713 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
2714 if (r < 0) {
2715 *exit_status = EXIT_SELINUX_CONTEXT;
2716 return r;
9008e1ac
MS		 2717 }
2718 }
2719#endif
2720
d87a2ef7 2721 if ((params->flags & EXEC_APPLY_PERMISSIONS) && context->private_users) {
d251207d
LP		 2722 r = setup_private_users(uid, gid);
2723 if (r < 0) {
2724 *exit_status = EXIT_USER;
2725 return r;
2726 }
2727 }
2728
d35fbf6b
DM		 2729 /* We repeat the fd closing here, to make sure that
2730 * nothing is leaked from the PAM modules. Note that
2731 * we are more aggressive this time since socket_fd
e44da745
DM		 2732 * and the netns fds we don't need anymore. The custom
2733 * endpoint fd was needed to upload the policy and can
2734 * now be closed as well. */
ff0af2a1
LP		 2735 r = close_all_fds(fds, n_fds);
2736 if (r >= 0)
2737 r = shift_fds(fds, n_fds);
2738 if (r >= 0)
4c47affc 2739 r = flags_fds(fds, n_storage_fds, n_socket_fds, context->non_blocking);
ff0af2a1
LP		 2740 if (r < 0) {
2741 *exit_status = EXIT_FDS;
2742 return r;
d35fbf6b 2743 }
e66cf1a3 2744
7f18ef0a 2745 if (needs_exec_restrictions) {
e66cf1a3 2746
755d4b67
IP		 2747 int secure_bits = context->secure_bits;
2748
d35fbf6b 2749 for (i = 0; i < _RLIMIT_MAX; i++) {
03857c43 2750
d35fbf6b
DM		 2751 if (!context->rlimit[i])
2752 continue;
2753
03857c43
LP		 2754 r = setrlimit_closest(i, context->rlimit[i]);
2755 if (r < 0) {
ff0af2a1 2756 *exit_status = EXIT_LIMITS;
03857c43 2757 return r;
e66cf1a3
LP		 2758 }
2759 }
2760
f4170c67
LP		 2761 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */
2762 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
2763 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
2764 *exit_status = EXIT_LIMITS;
2765 return -errno;
2766 }
2767 }
2768
a103496c
IP		 2769 if (!cap_test_all(context->capability_bounding_set)) {
2770 r = capability_bounding_set_drop(context->capability_bounding_set, false);
ff0af2a1
LP		 2771 if (r < 0) {
2772 *exit_status = EXIT_CAPABILITIES;
70dd455c 2773 *error_message = strdup("Failed to drop capabilities");
ff0af2a1 2774 return r;
3b8bddde 2775 }
4c2630eb 2776 }
3b8bddde 2777
755d4b67
IP		 2778 /* This is done before enforce_user, but ambient set
2779 * does not survive over setresuid() if keep_caps is not set. */
2780 if (context->capability_ambient_set != 0) {
2781 r = capability_ambient_set_apply(context->capability_ambient_set, true);
2782 if (r < 0) {
2783 *exit_status = EXIT_CAPABILITIES;
70dd455c 2784 *error_message = strdup("Failed to apply ambient capabilities (before UID change)");
755d4b67
IP		 2785 return r;
2786 }
755d4b67
IP		 2787 }
2788
d35fbf6b 2789 if (context->user) {
ff0af2a1
LP		 2790 r = enforce_user(context, uid);
2791 if (r < 0) {
2792 *exit_status = EXIT_USER;
70dd455c 2793 (void) asprintf(error_message, "Failed to change UID to "UID_FMT, uid);
ff0af2a1 2794 return r;
5b6319dc 2795 }
755d4b67
IP		 2796 if (context->capability_ambient_set != 0) {
2797
2798 /* Fix the ambient capabilities after user change. */
2799 r = capability_ambient_set_apply(context->capability_ambient_set, false);
2800 if (r < 0) {
2801 *exit_status = EXIT_CAPABILITIES;
70dd455c 2802 *error_message = strdup("Failed to apply ambient capabilities (after UID change)");
755d4b67
IP		 2803 return r;
2804 }
2805
2806 /* If we were asked to change user and ambient capabilities
2807 * were requested, we had to add keep-caps to the securebits
2808 * so that we would maintain the inherited capability set
2809 * through the setresuid(). Make sure that the bit is added
2810 * also to the context secure_bits so that we don't try to
2811 * drop the bit away next. */
2812
7f508f2c 2813 secure_bits |= 1<<SECURE_KEEP_CAPS;
755d4b67 2814 }
5b6319dc 2815 }
d35fbf6b 2816
5cd9cd35
LP		 2817 /* Apply the MAC contexts late, but before seccomp syscall filtering, as those should really be last to
2818 * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
2819 * syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
2820 * are restricted. */
2821
2822#ifdef HAVE_SELINUX
7f18ef0a 2823 if (needs_selinux) {
5cd9cd35
LP		 2824 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
2825
2826 if (exec_context) {
2827 r = setexeccon(exec_context);
2828 if (r < 0) {
2829 *exit_status = EXIT_SELINUX_CONTEXT;
70dd455c 2830 (void) asprintf(error_message, "Failed to set SELinux context to %s", exec_context);
5cd9cd35
LP		 2831 return r;
2832 }
2833 }
2834 }
2835#endif
2836
7f18ef0a
FK		 2837#ifdef HAVE_SMACK
2838 if (needs_smack) {
2839 r = setup_smack(context, command);
2840 if (r < 0) {
2841 *exit_status = EXIT_SMACK_PROCESS_LABEL;
2842 *error_message = strdup("Failed to set SMACK process label");
2843 return r;
2844 }
5cd9cd35 2845 }
7f18ef0a 2846#endif
5cd9cd35
LP		 2847
2848#ifdef HAVE_APPARMOR
7f18ef0a 2849 if (needs_apparmor) {
5cd9cd35
LP		 2850 r = aa_change_onexec(context->apparmor_profile);
2851 if (r < 0 && !context->apparmor_profile_ignore) {
2852 *exit_status = EXIT_APPARMOR_PROFILE;
70dd455c
ZJS		 2853 (void) asprintf(error_message,
2854 "Failed to prepare AppArmor profile change to %s",
2855 context->apparmor_profile);
5cd9cd35
LP		 2856 return -errno;
2857 }
2858 }
2859#endif
2860
d35fbf6b
DM		 2861 /* PR_GET_SECUREBITS is not privileged, while
2862 * PR_SET_SECUREBITS is. So to suppress
2863 * potential EPERMs we'll try not to call
2864 * PR_SET_SECUREBITS unless necessary. */
755d4b67
IP		 2865 if (prctl(PR_GET_SECUREBITS) != secure_bits)
2866 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
ff0af2a1 2867 *exit_status = EXIT_SECUREBITS;
70dd455c 2868 *error_message = strdup("Failed to set secure bits");
d35fbf6b 2869 return -errno;
ff01d048 2870 }
5b6319dc 2871
59eeb84b 2872 if (context_has_no_new_privileges(context))
d35fbf6b 2873 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
ff0af2a1 2874 *exit_status = EXIT_NO_NEW_PRIVILEGES;
70dd455c 2875 *error_message = strdup("Failed to disable new privileges");
d35fbf6b
DM		 2876 return -errno;
2877 }
2878
2879#ifdef HAVE_SECCOMP
469830d1
LP		 2880 r = apply_address_families(unit, context);
2881 if (r < 0) {
2882 *exit_status = EXIT_ADDRESS_FAMILIES;
5b3637b4 2883 *error_message = strdup("Failed to restrict address families");
469830d1 2884 return r;
4c2630eb 2885 }
04aa0cb9 2886
469830d1
LP		 2887 r = apply_memory_deny_write_execute(unit, context);
2888 if (r < 0) {
2889 *exit_status = EXIT_SECCOMP;
5b3637b4 2890 *error_message = strdup("Failed to disable writing to executable memory");
469830d1 2891 return r;
f3e43635 2892 }
f4170c67 2893
469830d1
LP		 2894 r = apply_restrict_realtime(unit, context);
2895 if (r < 0) {
2896 *exit_status = EXIT_SECCOMP;
5b3637b4 2897 *error_message = strdup("Failed to apply realtime restrictions");
469830d1 2898 return r;
f4170c67
LP		 2899 }
2900
add00535
LP		 2901 r = apply_restrict_namespaces(unit, context);
2902 if (r < 0) {
2903 *exit_status = EXIT_SECCOMP;
70dd455c 2904 *error_message = strdup("Failed to apply namespace restrictions");
add00535
LP		 2905 return r;
2906 }
2907
469830d1
LP		 2908 r = apply_protect_sysctl(unit, context);
2909 if (r < 0) {
2910 *exit_status = EXIT_SECCOMP;
5b3637b4 2911 *error_message = strdup("Failed to apply sysctl restrictions");
469830d1 2912 return r;
502d704e
DH		 2913 }
2914
469830d1
LP		 2915 r = apply_protect_kernel_modules(unit, context);
2916 if (r < 0) {
2917 *exit_status = EXIT_SECCOMP;
5b3637b4 2918 *error_message = strdup("Failed to apply module loading restrictions");
469830d1 2919 return r;
59eeb84b
LP		 2920 }
2921
469830d1
LP		 2922 r = apply_private_devices(unit, context);
2923 if (r < 0) {
2924 *exit_status = EXIT_SECCOMP;
5b3637b4 2925 *error_message = strdup("Failed to set up private devices");
469830d1
LP		 2926 return r;
2927 }
2928
2929 r = apply_syscall_archs(unit, context);
2930 if (r < 0) {
2931 *exit_status = EXIT_SECCOMP;
5b3637b4 2932 *error_message = strdup("Failed to apply syscall architecture restrictions");
469830d1 2933 return r;
ba128bb8
LP		 2934 }
2935
5cd9cd35
LP		 2936 /* This really should remain the last step before the execve(), to make sure our own code is unaffected
2937 * by the filter as little as possible. */
469830d1
LP		 2938 r = apply_syscall_filter(unit, context);
2939 if (r < 0) {
2940 *exit_status = EXIT_SECCOMP;
5b3637b4 2941 *error_message = strdup("Failed to apply syscall filters");
469830d1 2942 return r;
d35fbf6b
DM		 2943 }
2944#endif
d35fbf6b 2945 }
034c6ed7 2946
2065ca69 2947 final_argv = replace_env_argv(argv, accum_env);
d35fbf6b 2948 if (!final_argv) {
ff0af2a1 2949 *exit_status = EXIT_MEMORY;
70dd455c 2950 *error_message = strdup("Failed to prepare process arguments");
d35fbf6b
DM		 2951 return -ENOMEM;
2952 }
034c6ed7 2953
553d2243 2954 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
d35fbf6b 2955 _cleanup_free_ char *line;
81a2b7ce 2956
d35fbf6b
DM		 2957 line = exec_command_line(final_argv);
2958 if (line) {
2959 log_open();
f2341e0a 2960 log_struct(LOG_DEBUG,
f2341e0a
LP		 2961 "EXECUTABLE=%s", command->path,
2962 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
ba360bb0 2963 LOG_UNIT_ID(unit),
f2341e0a 2964 NULL);
d35fbf6b
DM		 2965 log_close();
2966 }
2967 }
dd305ec9 2968
2065ca69 2969 execve(command->path, final_argv, accum_env);
ff0af2a1 2970 *exit_status = EXIT_EXEC;
d35fbf6b
DM		 2971 return -errno;
2972}
81a2b7ce 2973
f2341e0a
LP		 2974int exec_spawn(Unit *unit,
2975 ExecCommand *command,
d35fbf6b
DM		 2976 const ExecContext *context,
2977 const ExecParameters *params,
2978 ExecRuntime *runtime,
29206d46 2979 DynamicCreds *dcreds,
d35fbf6b 2980 pid_t *ret) {
8351ceae 2981
d35fbf6b 2982 _cleanup_strv_free_ char **files_env = NULL;
9b141911 2983 int *fds = NULL;
4c47affc 2984 unsigned n_storage_fds = 0, n_socket_fds = 0;
ff0af2a1
LP		 2985 _cleanup_free_ char *line = NULL;
2986 int socket_fd, r;
52c239d7 2987 int named_iofds[3] = { -1, -1, -1 };
ff0af2a1 2988 char **argv;
d35fbf6b 2989 pid_t pid;
8351ceae 2990
f2341e0a 2991 assert(unit);
d35fbf6b
DM		 2992 assert(command);
2993 assert(context);
2994 assert(ret);
2995 assert(params);
4c47affc 2996 assert(params->fds || (params->n_storage_fds + params->n_socket_fds <= 0));
4298d0b5 2997
d35fbf6b
DM		 2998 if (context->std_input == EXEC_INPUT_SOCKET ||
2999 context->std_output == EXEC_OUTPUT_SOCKET ||
3000 context->std_error == EXEC_OUTPUT_SOCKET) {
17df7223 3001
4c47affc 3002 if (params->n_socket_fds > 1) {
f2341e0a 3003 log_unit_error(unit, "Got more than one socket.");
d35fbf6b 3004 return -EINVAL;
ff0af2a1 3005 }
eef65bf3 3006
4c47affc 3007 if (params->n_socket_fds == 0) {
488ab41c
AA		 3008 log_unit_error(unit, "Got no socket.");
3009 return -EINVAL;
3010 }
3011
d35fbf6b
DM		 3012 socket_fd = params->fds[0];
3013 } else {
3014 socket_fd = -1;
3015 fds = params->fds;
4c47affc 3016 n_storage_fds = params->n_storage_fds;
9b141911 3017 n_socket_fds = params->n_socket_fds;
d35fbf6b 3018 }
94f04347 3019
52c239d7
LB		 3020 r = exec_context_named_iofds(unit, context, params, named_iofds);
3021 if (r < 0)
3022 return log_unit_error_errno(unit, r, "Failed to load a named file descriptor: %m");
3023
f2341e0a 3024 r = exec_context_load_environment(unit, context, &files_env);
ff0af2a1 3025 if (r < 0)
f2341e0a 3026 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
034c6ed7 3027
d35fbf6b 3028 argv = params->argv ?: command->argv;
d35fbf6b
DM		 3029 line = exec_command_line(argv);
3030 if (!line)
3031 return log_oom();
fab56fc5 3032
f2341e0a 3033 log_struct(LOG_DEBUG,
f2341e0a
LP		 3034 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
3035 "EXECUTABLE=%s", command->path,
ba360bb0 3036 LOG_UNIT_ID(unit),
f2341e0a 3037 NULL);
d35fbf6b
DM		 3038 pid = fork();
3039 if (pid < 0)
74129a12 3040 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
d35fbf6b
DM		 3041
3042 if (pid == 0) {
ff0af2a1 3043 int exit_status;
70dd455c 3044 _cleanup_free_ char *error_message = NULL;
ff0af2a1 3045
f2341e0a
LP		 3046 r = exec_child(unit,
3047 command,
ff0af2a1
LP		 3048 context,
3049 params,
3050 runtime,
29206d46 3051 dcreds,
ff0af2a1
LP		 3052 argv,
3053 socket_fd,
52c239d7 3054 named_iofds,
4c47affc
FB		 3055 fds,
3056 n_storage_fds,
9b141911 3057 n_socket_fds,
ff0af2a1 3058 files_env,
00d9ef85 3059 unit->manager->user_lookup_fds[1],
70dd455c
ZJS		 3060 &exit_status,
3061 &error_message);
ff0af2a1 3062 if (r < 0) {
4c2630eb 3063 log_open();
70dd455c
ZJS		 3064 if (error_message)
3065 log_struct_errno(LOG_ERR, r,
2b044526 3066 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
70dd455c
ZJS		 3067 LOG_UNIT_ID(unit),
3068 LOG_UNIT_MESSAGE(unit, "%s: %m",
3069 error_message),
3070 "EXECUTABLE=%s", command->path,
3071 NULL);
3ed0cd26 3072 else if (r == -ENOENT && (command->flags & EXEC_COMMAND_IGNORE_FAILURE))
4d8b0f0f
YW		 3073 log_struct_errno(LOG_INFO, r,
3074 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
3075 LOG_UNIT_ID(unit),
3076 LOG_UNIT_MESSAGE(unit, "Skipped spawning %s: %m",
3077 command->path),
3078 "EXECUTABLE=%s", command->path,
3079 NULL);
70dd455c
ZJS		 3080 else
3081 log_struct_errno(LOG_ERR, r,
2b044526 3082 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
70dd455c
ZJS		 3083 LOG_UNIT_ID(unit),
3084 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
3085 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
3086 command->path),
3087 "EXECUTABLE=%s", command->path,
3088 NULL);
4c2630eb
MS		 3089 }
3090
ff0af2a1 3091 _exit(exit_status);
034c6ed7
LP		 3092 }
3093
f2341e0a 3094 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
23635a85 3095
80876c20
LP		 3096 /* We add the new process to the cgroup both in the child (so
3097 * that we can be sure that no user code is ever executed
3098 * outside of the cgroup) and in the parent (so that we can be
3099 * sure that when we kill the cgroup the process will be
3100 * killed too). */
d35fbf6b 3101 if (params->cgroup_path)
dd305ec9 3102 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
2da3263a 3103
b58b4116 3104 exec_status_start(&command->exec_status, pid);
9fb86720 3105
034c6ed7 3106 *ret = pid;
5cb5a6ff
LP		 3107 return 0;
3108}
3109
034c6ed7 3110void exec_context_init(ExecContext *c) {
3536f49e
YW		 3111 ExecDirectoryType i;
3112
034c6ed7
LP		 3113 assert(c);
3114
4c12626c 3115 c->umask = 0022;
9eba9da4 3116 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
94f04347 3117 c->cpu_sched_policy = SCHED_OTHER;
071830ff 3118 c->syslog_priority = LOG_DAEMON|LOG_INFO;
74922904 3119 c->syslog_level_prefix = true;
353e12c2 3120 c->ignore_sigpipe = true;
3a43da28 3121 c->timer_slack_nsec = NSEC_INFINITY;
050f7277 3122 c->personality = PERSONALITY_INVALID;
3536f49e
YW		 3123 for (i = 0; i < _EXEC_DIRECTORY_MAX; i++)
3124 c->directories[i].mode = 0755;
a103496c 3125 c->capability_bounding_set = CAP_ALL;
add00535 3126 c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
034c6ed7
LP		 3127}
3128
613b411c 3129void exec_context_done(ExecContext *c) {
5cb5a6ff 3130 unsigned l;
3536f49e 3131 ExecDirectoryType i;
5cb5a6ff
LP		 3132
3133 assert(c);
3134
6796073e
LP		 3135 c->environment = strv_free(c->environment);
3136 c->environment_files = strv_free(c->environment_files);
b4c14404 3137 c->pass_environment = strv_free(c->pass_environment);
8c7be95e 3138
1f6b4113 3139 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
a1e58e8e 3140 c->rlimit[l] = mfree(c->rlimit[l]);
034c6ed7 3141
52c239d7
LB		 3142 for (l = 0; l < 3; l++)
3143 c->stdio_fdname[l] = mfree(c->stdio_fdname[l]);
3144
a1e58e8e
LP		 3145 c->working_directory = mfree(c->working_directory);
3146 c->root_directory = mfree(c->root_directory);
915e6d16 3147 c->root_image = mfree(c->root_image);
a1e58e8e
LP		 3148 c->tty_path = mfree(c->tty_path);
3149 c->syslog_identifier = mfree(c->syslog_identifier);
3150 c->user = mfree(c->user);
3151 c->group = mfree(c->group);
034c6ed7 3152
6796073e 3153 c->supplementary_groups = strv_free(c->supplementary_groups);
94f04347 3154
a1e58e8e 3155 c->pam_name = mfree(c->pam_name);
5b6319dc 3156
2a624c36
AP		 3157 c->read_only_paths = strv_free(c->read_only_paths);
3158 c->read_write_paths = strv_free(c->read_write_paths);
3159 c->inaccessible_paths = strv_free(c->inaccessible_paths);
82c121a4 3160
d2d6c096
LP		 3161 bind_mount_free_many(c->bind_mounts, c->n_bind_mounts);
3162
82c121a4
LP		 3163 if (c->cpuset)
3164 CPU_FREE(c->cpuset);
86a3475b 3165
a1e58e8e
LP		 3166 c->utmp_id = mfree(c->utmp_id);
3167 c->selinux_context = mfree(c->selinux_context);
3168 c->apparmor_profile = mfree(c->apparmor_profile);
5b8e1b77 3169 c->smack_process_label = mfree(c->smack_process_label);
eef65bf3 3170
525d3cc7
LP		 3171 c->syscall_filter = set_free(c->syscall_filter);
3172 c->syscall_archs = set_free(c->syscall_archs);
3173 c->address_families = set_free(c->address_families);
e66cf1a3 3174
3536f49e
YW		 3175 for (i = 0; i < _EXEC_DIRECTORY_MAX; i++)
3176 c->directories[i].paths = strv_free(c->directories[i].paths);
e66cf1a3
LP		 3177}
3178
3179int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
3180 char **i;
3181
3182 assert(c);
3183
3184 if (!runtime_prefix)
3185 return 0;
3186
3536f49e 3187 STRV_FOREACH(i, c->directories[EXEC_DIRECTORY_RUNTIME].paths) {
e66cf1a3
LP		 3188 _cleanup_free_ char *p;
3189
605405c6 3190 p = strjoin(runtime_prefix, "/", *i);
e66cf1a3
LP		 3191 if (!p)
3192 return -ENOMEM;
3193
3194 /* We execute this synchronously, since we need to be
3195 * sure this is gone when we start the service
3196 * next. */
c6878637 3197 (void) rm_rf(p, REMOVE_ROOT);
e66cf1a3
LP		 3198 }
3199
3200 return 0;
5cb5a6ff
LP		 3201}
3202
43d0fcbd
LP		 3203void exec_command_done(ExecCommand *c) {
3204 assert(c);
3205
a1e58e8e 3206 c->path = mfree(c->path);
43d0fcbd 3207
6796073e 3208 c->argv = strv_free(c->argv);
43d0fcbd
LP		 3209}
3210
3211void exec_command_done_array(ExecCommand *c, unsigned n) {
3212 unsigned i;
3213
3214 for (i = 0; i < n; i++)
3215 exec_command_done(c+i);
3216}
3217
f1acf85a 3218ExecCommand* exec_command_free_list(ExecCommand *c) {
5cb5a6ff
LP		 3219 ExecCommand *i;
3220
3221 while ((i = c)) {
71fda00f 3222 LIST_REMOVE(command, c, i);
43d0fcbd 3223 exec_command_done(i);
5cb5a6ff
LP		 3224 free(i);
3225 }
f1acf85a
ZJS		 3226
3227 return NULL;
5cb5a6ff
LP		 3228}
3229
034c6ed7
LP		 3230void exec_command_free_array(ExecCommand **c, unsigned n) {
3231 unsigned i;
3232
f1acf85a
ZJS		 3233 for (i = 0; i < n; i++)
3234 c[i] = exec_command_free_list(c[i]);
034c6ed7
LP		 3235}
3236
039f0e70 3237typedef struct InvalidEnvInfo {
f2341e0a 3238 Unit *unit;
039f0e70
LP		 3239 const char *path;
3240} InvalidEnvInfo;
3241
3242static void invalid_env(const char *p, void *userdata) {
3243 InvalidEnvInfo *info = userdata;
3244
f2341e0a 3245 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
039f0e70
LP		 3246}
3247
52c239d7
LB		 3248const char* exec_context_fdname(const ExecContext *c, int fd_index) {
3249 assert(c);
3250
3251 switch (fd_index) {
3252 case STDIN_FILENO:
3253 if (c->std_input != EXEC_INPUT_NAMED_FD)
3254 return NULL;
3255 return c->stdio_fdname[STDIN_FILENO] ?: "stdin";
3256 case STDOUT_FILENO:
3257 if (c->std_output != EXEC_OUTPUT_NAMED_FD)
3258 return NULL;
3259 return c->stdio_fdname[STDOUT_FILENO] ?: "stdout";
3260 case STDERR_FILENO:
3261 if (c->std_error != EXEC_OUTPUT_NAMED_FD)
3262 return NULL;
3263 return c->stdio_fdname[STDERR_FILENO] ?: "stderr";
3264 default:
3265 return NULL;
3266 }
3267}
3268
3269int exec_context_named_iofds(Unit *unit, const ExecContext *c, const ExecParameters *p, int named_iofds[3]) {
3270 unsigned i, targets;
56fbd561 3271 const char* stdio_fdname[3];
4c47affc 3272 unsigned n_fds;
52c239d7
LB		 3273
3274 assert(c);
3275 assert(p);
3276
3277 targets = (c->std_input == EXEC_INPUT_NAMED_FD) +
3278 (c->std_output == EXEC_OUTPUT_NAMED_FD) +
3279 (c->std_error == EXEC_OUTPUT_NAMED_FD);
3280
3281 for (i = 0; i < 3; i++)
3282 stdio_fdname[i] = exec_context_fdname(c, i);
3283
4c47affc
FB		 3284 n_fds = p->n_storage_fds + p->n_socket_fds;
3285
3286 for (i = 0; i < n_fds && targets > 0; i++)
56fbd561
ZJS		 3287 if (named_iofds[STDIN_FILENO] < 0 &&
3288 c->std_input == EXEC_INPUT_NAMED_FD &&
3289 stdio_fdname[STDIN_FILENO] &&
3290 streq(p->fd_names[i], stdio_fdname[STDIN_FILENO])) {
3291
52c239d7
LB		 3292 named_iofds[STDIN_FILENO] = p->fds[i];
3293 targets--;
56fbd561
ZJS		 3294
3295 } else if (named_iofds[STDOUT_FILENO] < 0 &&
3296 c->std_output == EXEC_OUTPUT_NAMED_FD &&
3297 stdio_fdname[STDOUT_FILENO] &&
3298 streq(p->fd_names[i], stdio_fdname[STDOUT_FILENO])) {
3299
52c239d7
LB		 3300 named_iofds[STDOUT_FILENO] = p->fds[i];
3301 targets--;
56fbd561
ZJS		 3302
3303 } else if (named_iofds[STDERR_FILENO] < 0 &&
3304 c->std_error == EXEC_OUTPUT_NAMED_FD &&
3305 stdio_fdname[STDERR_FILENO] &&
3306 streq(p->fd_names[i], stdio_fdname[STDERR_FILENO])) {
3307
52c239d7
LB		 3308 named_iofds[STDERR_FILENO] = p->fds[i];
3309 targets--;
3310 }
3311
56fbd561 3312 return targets == 0 ? 0 : -ENOENT;
52c239d7
LB		 3313}
3314
f2341e0a 3315int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
8c7be95e
LP		 3316 char **i, **r = NULL;
3317
3318 assert(c);
3319 assert(l);
3320
3321 STRV_FOREACH(i, c->environment_files) {
3322 char *fn;
52511fae
ZJS		 3323 int k;
3324 unsigned n;
8c7be95e
LP		 3325 bool ignore = false;
3326 char **p;
7fd1b19b 3327 _cleanup_globfree_ glob_t pglob = {};
8c7be95e
LP		 3328
3329 fn = *i;
3330
3331 if (fn[0] == '-') {
3332 ignore = true;
313cefa1 3333 fn++;
8c7be95e
LP		 3334 }
3335
3336 if (!path_is_absolute(fn)) {
8c7be95e
LP		 3337 if (ignore)
3338 continue;
3339
3340 strv_free(r);
3341 return -EINVAL;
3342 }
3343
2bef10ab 3344 /* Filename supports globbing, take all matching files */
d8c92e8b
ZJS		 3345 k = safe_glob(fn, 0, &pglob);
3346 if (k < 0) {
2bef10ab
PL		 3347 if (ignore)
3348 continue;
8c7be95e 3349
2bef10ab 3350 strv_free(r);
d8c92e8b 3351 return k;
2bef10ab 3352 }
8c7be95e 3353
d8c92e8b
ZJS		 3354 /* When we don't match anything, -ENOENT should be returned */
3355 assert(pglob.gl_pathc > 0);
3356
3357 for (n = 0; n < pglob.gl_pathc; n++) {
717603e3 3358 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
2bef10ab
PL		 3359 if (k < 0) {
3360 if (ignore)
3361 continue;
8c7be95e 3362
2bef10ab 3363 strv_free(r);
2bef10ab 3364 return k;
e9c1ea9d 3365 }
ebc05a09 3366 /* Log invalid environment variables with filename */
039f0e70
LP		 3367 if (p) {
3368 InvalidEnvInfo info = {
f2341e0a 3369 .unit = unit,
039f0e70
LP		 3370 .path = pglob.gl_pathv[n]
3371 };
3372
3373 p = strv_env_clean_with_callback(p, invalid_env, &info);
3374 }
8c7be95e 3375
2bef10ab
PL		 3376 if (r == NULL)
3377 r = p;
3378 else {
3379 char **m;
8c7be95e 3380
2bef10ab
PL		 3381 m = strv_env_merge(2, r, p);
3382 strv_free(r);
3383 strv_free(p);
c84a9488 3384 if (!m)
2bef10ab 3385 return -ENOMEM;
2bef10ab
PL		 3386
3387 r = m;
3388 }
8c7be95e
LP		 3389 }
3390 }
3391
3392 *l = r;
3393
3394 return 0;
3395}
3396
6ac8fdc9 3397static bool tty_may_match_dev_console(const char *tty) {
e1d75803 3398 _cleanup_free_ char *active = NULL;
7d6884b6 3399 char *console;
6ac8fdc9 3400
1e22b5cd
LP		 3401 if (!tty)
3402 return true;
3403
6ac8fdc9
MS		 3404 if (startswith(tty, "/dev/"))
3405 tty += 5;
3406
3407 /* trivial identity? */
3408 if (streq(tty, "console"))
3409 return true;
3410
3411 console = resolve_dev_console(&active);
3412 /* if we could not resolve, assume it may */
3413 if (!console)
3414 return true;
3415
3416 /* "tty0" means the active VC, so it may be the same sometimes */
e1d75803 3417 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
6ac8fdc9
MS		 3418}
3419
3420bool exec_context_may_touch_console(ExecContext *ec) {
1e22b5cd
LP		 3421
3422 return (ec->tty_reset ||
3423 ec->tty_vhangup ||
3424 ec->tty_vt_disallocate ||
6ac8fdc9
MS		 3425 is_terminal_input(ec->std_input) ||
3426 is_terminal_output(ec->std_output) ||
3427 is_terminal_output(ec->std_error)) &&
1e22b5cd 3428 tty_may_match_dev_console(exec_context_tty_path(ec));
6ac8fdc9
MS		 3429}
3430
15ae422b
LP		 3431static void strv_fprintf(FILE *f, char **l) {
3432 char **g;
3433
3434 assert(f);
3435
3436 STRV_FOREACH(g, l)
3437 fprintf(f, " %s", *g);
3438}
3439
5cb5a6ff 3440void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
c2bbd90b 3441 char **e, **d;
94f04347 3442 unsigned i;
3536f49e 3443 ExecDirectoryType dt;
add00535 3444 int r;
9eba9da4 3445
5cb5a6ff
LP		 3446 assert(c);
3447 assert(f);
3448
4ad49000 3449 prefix = strempty(prefix);
5cb5a6ff
LP		 3450
3451 fprintf(f,
94f04347
LP		 3452 "%sUMask: %04o\n"
3453 "%sWorkingDirectory: %s\n"
451a074f 3454 "%sRootDirectory: %s\n"
15ae422b 3455 "%sNonBlocking: %s\n"
64747e2d 3456 "%sPrivateTmp: %s\n"
7f112f50 3457 "%sPrivateDevices: %s\n"
59eeb84b 3458 "%sProtectKernelTunables: %s\n"
e66a2f65 3459 "%sProtectKernelModules: %s\n"
59eeb84b 3460 "%sProtectControlGroups: %s\n"
d251207d
LP		 3461 "%sPrivateNetwork: %s\n"
3462 "%sPrivateUsers: %s\n"
1b8689f9
LP		 3463 "%sProtectHome: %s\n"
3464 "%sProtectSystem: %s\n"
5d997827 3465 "%sMountAPIVFS: %s\n"
f3e43635 3466 "%sIgnoreSIGPIPE: %s\n"
f4170c67
LP		 3467 "%sMemoryDenyWriteExecute: %s\n"
3468 "%sRestrictRealtime: %s\n",
5cb5a6ff 3469 prefix, c->umask,
9eba9da4 3470 prefix, c->working_directory ? c->working_directory : "/",
451a074f 3471 prefix, c->root_directory ? c->root_directory : "/",
15ae422b 3472 prefix, yes_no(c->non_blocking),
64747e2d 3473 prefix, yes_no(c->private_tmp),
7f112f50 3474 prefix, yes_no(c->private_devices),
59eeb84b 3475 prefix, yes_no(c->protect_kernel_tunables),
e66a2f65 3476 prefix, yes_no(c->protect_kernel_modules),
59eeb84b 3477 prefix, yes_no(c->protect_control_groups),
d251207d
LP		 3478 prefix, yes_no(c->private_network),
3479 prefix, yes_no(c->private_users),
1b8689f9
LP		 3480 prefix, protect_home_to_string(c->protect_home),
3481 prefix, protect_system_to_string(c->protect_system),
5d997827 3482 prefix, yes_no(c->mount_apivfs),
f3e43635 3483 prefix, yes_no(c->ignore_sigpipe),
f4170c67
LP		 3484 prefix, yes_no(c->memory_deny_write_execute),
3485 prefix, yes_no(c->restrict_realtime));
fb33a393 3486
915e6d16
LP		 3487 if (c->root_image)
3488 fprintf(f, "%sRootImage: %s\n", prefix, c->root_image);
3489
8c7be95e
LP		 3490 STRV_FOREACH(e, c->environment)
3491 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
3492
3493 STRV_FOREACH(e, c->environment_files)
3494 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
94f04347 3495
b4c14404
FB		 3496 STRV_FOREACH(e, c->pass_environment)
3497 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
3498
53f47dfc
YW		 3499 fprintf(f, "%sRuntimeDirectoryPreserve: %s\n", prefix, exec_preserve_mode_to_string(c->runtime_directory_preserve_mode));
3500
3536f49e
YW		 3501 for (dt = 0; dt < _EXEC_DIRECTORY_MAX; dt++) {
3502 fprintf(f, "%s%sMode: %04o\n", prefix, exec_directory_type_to_string(dt), c->directories[dt].mode);
3503
3504 STRV_FOREACH(d, c->directories[dt].paths)
3505 fprintf(f, "%s%s: %s\n", prefix, exec_directory_type_to_string(dt), *d);
3506 }
c2bbd90b 3507
fb33a393
LP		 3508 if (c->nice_set)
3509 fprintf(f,
3510 "%sNice: %i\n",
3511 prefix, c->nice);
3512
dd6c17b1 3513 if (c->oom_score_adjust_set)
fb33a393 3514 fprintf(f,
dd6c17b1
LP		 3515 "%sOOMScoreAdjust: %i\n",
3516 prefix, c->oom_score_adjust);
9eba9da4 3517
94f04347 3518 for (i = 0; i < RLIM_NLIMITS; i++)
3c11da9d
EV		 3519 if (c->rlimit[i]) {
3520 fprintf(f, "%s%s: " RLIM_FMT "\n",
3521 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
3522 fprintf(f, "%s%sSoft: " RLIM_FMT "\n",
3523 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
3524 }
94f04347 3525
f8b69d1d 3526 if (c->ioprio_set) {
1756a011 3527 _cleanup_free_ char *class_str = NULL;
f8b69d1d 3528
837df140
YW		 3529 r = ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
3530 if (r >= 0)
3531 fprintf(f, "%sIOSchedulingClass: %s\n", prefix, class_str);
3532
3533 fprintf(f, "%sIOPriority: %lu\n", prefix, IOPRIO_PRIO_DATA(c->ioprio));
f8b69d1d 3534 }
94f04347 3535
f8b69d1d 3536 if (c->cpu_sched_set) {
1756a011 3537 _cleanup_free_ char *policy_str = NULL;
f8b69d1d 3538
837df140
YW		 3539 r = sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
3540 if (r >= 0)
3541 fprintf(f, "%sCPUSchedulingPolicy: %s\n", prefix, policy_str);
3542
94f04347 3543 fprintf(f,
38b48754
LP		 3544 "%sCPUSchedulingPriority: %i\n"
3545 "%sCPUSchedulingResetOnFork: %s\n",
38b48754
LP		 3546 prefix, c->cpu_sched_priority,
3547 prefix, yes_no(c->cpu_sched_reset_on_fork));
b929bf04 3548 }
94f04347 3549
82c121a4 3550 if (c->cpuset) {
94f04347 3551 fprintf(f, "%sCPUAffinity:", prefix);
82c121a4
LP		 3552 for (i = 0; i < c->cpuset_ncpus; i++)
3553 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
43a99a7a 3554 fprintf(f, " %u", i);
94f04347
LP		 3555 fputs("\n", f);
3556 }
3557
3a43da28 3558 if (c->timer_slack_nsec != NSEC_INFINITY)
ccd06097 3559 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
94f04347
LP		 3560
3561 fprintf(f,
80876c20
LP		 3562 "%sStandardInput: %s\n"
3563 "%sStandardOutput: %s\n"
3564 "%sStandardError: %s\n",
3565 prefix, exec_input_to_string(c->std_input),
3566 prefix, exec_output_to_string(c->std_output),
3567 prefix, exec_output_to_string(c->std_error));
3568
3569 if (c->tty_path)
3570 fprintf(f,
6ea832a2
LP		 3571 "%sTTYPath: %s\n"
3572 "%sTTYReset: %s\n"
3573 "%sTTYVHangup: %s\n"
3574 "%sTTYVTDisallocate: %s\n",
3575 prefix, c->tty_path,
3576 prefix, yes_no(c->tty_reset),
3577 prefix, yes_no(c->tty_vhangup),
3578 prefix, yes_no(c->tty_vt_disallocate));
94f04347 3579
5ce70e5b
ZJS		 3580 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
3581 c->std_output == EXEC_OUTPUT_KMSG ||
3582 c->std_output == EXEC_OUTPUT_JOURNAL ||
3583 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3584 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3585 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
3586 c->std_error == EXEC_OUTPUT_SYSLOG ||
3587 c->std_error == EXEC_OUTPUT_KMSG ||
3588 c->std_error == EXEC_OUTPUT_JOURNAL ||
3589 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3590 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3591 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
f8b69d1d 3592
5ce70e5b 3593 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
f8b69d1d 3594
837df140
YW		 3595 r = log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
3596 if (r >= 0)
3597 fprintf(f, "%sSyslogFacility: %s\n", prefix, fac_str);
f8b69d1d 3598
837df140
YW		 3599 r = log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
3600 if (r >= 0)
3601 fprintf(f, "%sSyslogLevel: %s\n", prefix, lvl_str);
f8b69d1d 3602 }
94f04347 3603
07d46372
YW		 3604 if (c->secure_bits) {
3605 _cleanup_free_ char *str = NULL;
3606
3607 r = secure_bits_to_string_alloc(c->secure_bits, &str);
3608 if (r >= 0)
3609 fprintf(f, "%sSecure Bits: %s\n", prefix, str);
3610 }
94f04347 3611
a103496c 3612 if (c->capability_bounding_set != CAP_ALL) {
dd1f5bd0 3613 _cleanup_free_ char *str = NULL;
94f04347 3614
dd1f5bd0
YW		 3615 r = capability_set_to_string_alloc(c->capability_bounding_set, &str);
3616 if (r >= 0)
3617 fprintf(f, "%sCapabilityBoundingSet: %s\n", prefix, str);
755d4b67
IP		 3618 }
3619
3620 if (c->capability_ambient_set != 0) {
dd1f5bd0 3621 _cleanup_free_ char *str = NULL;
755d4b67 3622
dd1f5bd0
YW		 3623 r = capability_set_to_string_alloc(c->capability_ambient_set, &str);
3624 if (r >= 0)
3625 fprintf(f, "%sAmbientCapabilities: %s\n", prefix, str);
94f04347
LP		 3626 }
3627
3628 if (c->user)
f2d3769a 3629 fprintf(f, "%sUser: %s\n", prefix, c->user);
94f04347 3630 if (c->group)
f2d3769a 3631 fprintf(f, "%sGroup: %s\n", prefix, c->group);
94f04347 3632
29206d46
LP		 3633 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
3634
15ae422b 3635 if (strv_length(c->supplementary_groups) > 0) {
94f04347 3636 fprintf(f, "%sSupplementaryGroups:", prefix);
15ae422b
LP		 3637 strv_fprintf(f, c->supplementary_groups);
3638 fputs("\n", f);
3639 }
94f04347 3640
5b6319dc 3641 if (c->pam_name)
f2d3769a 3642 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
5b6319dc 3643
2a624c36
AP		 3644 if (strv_length(c->read_write_paths) > 0) {
3645 fprintf(f, "%sReadWritePaths:", prefix);
3646 strv_fprintf(f, c->read_write_paths);
15ae422b
LP		 3647 fputs("\n", f);
3648 }
3649
2a624c36
AP		 3650 if (strv_length(c->read_only_paths) > 0) {
3651 fprintf(f, "%sReadOnlyPaths:", prefix);
3652 strv_fprintf(f, c->read_only_paths);
15ae422b
LP		 3653 fputs("\n", f);
3654 }
94f04347 3655
2a624c36
AP		 3656 if (strv_length(c->inaccessible_paths) > 0) {
3657 fprintf(f, "%sInaccessiblePaths:", prefix);
3658 strv_fprintf(f, c->inaccessible_paths);
94f04347
LP		 3659 fputs("\n", f);
3660 }
2e22afe9 3661
d2d6c096
LP		 3662 if (c->n_bind_mounts > 0)
3663 for (i = 0; i < c->n_bind_mounts; i++) {
3664 fprintf(f, "%s%s: %s:%s:%s\n", prefix,
3665 c->bind_mounts[i].read_only ? "BindReadOnlyPaths" : "BindPaths",
3666 c->bind_mounts[i].source,
3667 c->bind_mounts[i].destination,
3668 c->bind_mounts[i].recursive ? "rbind" : "norbind");
3669 }
3670
169c1bda
LP		 3671 if (c->utmp_id)
3672 fprintf(f,
3673 "%sUtmpIdentifier: %s\n",
3674 prefix, c->utmp_id);
7b52a628
MS		 3675
3676 if (c->selinux_context)
3677 fprintf(f,
5f8640fb
LP		 3678 "%sSELinuxContext: %s%s\n",
3679 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
17df7223 3680
80c21aea
WC		 3681 if (c->apparmor_profile)
3682 fprintf(f,
3683 "%sAppArmorProfile: %s%s\n",
3684 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
3685
3686 if (c->smack_process_label)
3687 fprintf(f,
3688 "%sSmackProcessLabel: %s%s\n",
3689 prefix, c->smack_process_label_ignore ? "-" : "", c->smack_process_label);
3690
050f7277 3691 if (c->personality != PERSONALITY_INVALID)
ac45f971
LP		 3692 fprintf(f,
3693 "%sPersonality: %s\n",
3694 prefix, strna(personality_to_string(c->personality)));
3695
17df7223 3696 if (c->syscall_filter) {
351a19b1 3697#ifdef HAVE_SECCOMP
17df7223
LP		 3698 Iterator j;
3699 void *id;
3700 bool first = true;
351a19b1 3701#endif
17df7223
LP		 3702
3703 fprintf(f,
57183d11 3704 "%sSystemCallFilter: ",
17df7223
LP		 3705 prefix);
3706
3707 if (!c->syscall_whitelist)
3708 fputc('~', f);
3709
351a19b1 3710#ifdef HAVE_SECCOMP
17df7223
LP		 3711 SET_FOREACH(id, c->syscall_filter, j) {
3712 _cleanup_free_ char *name = NULL;
3713
3714 if (first)
3715 first = false;
3716 else
3717 fputc(' ', f);
3718
57183d11 3719 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
17df7223
LP		 3720 fputs(strna(name), f);
3721 }
351a19b1 3722#endif
17df7223
LP		 3723
3724 fputc('\n', f);
3725 }
3726
57183d11
LP		 3727 if (c->syscall_archs) {
3728#ifdef HAVE_SECCOMP
3729 Iterator j;
3730 void *id;
3731#endif
3732
3733 fprintf(f,
3734 "%sSystemCallArchitectures:",
3735 prefix);
3736
3737#ifdef HAVE_SECCOMP
3738 SET_FOREACH(id, c->syscall_archs, j)
3739 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
3740#endif
3741 fputc('\n', f);
3742 }
3743
add00535
LP		 3744 if (exec_context_restrict_namespaces_set(c)) {
3745 _cleanup_free_ char *s = NULL;
3746
3747 r = namespace_flag_to_string_many(c->restrict_namespaces, &s);
3748 if (r >= 0)
3749 fprintf(f, "%sRestrictNamespaces: %s\n",
3750 prefix, s);
3751 }
3752
b3267152 3753 if (c->syscall_errno > 0)
17df7223
LP		 3754 fprintf(f,
3755 "%sSystemCallErrorNumber: %s\n",
3756 prefix, strna(errno_to_name(c->syscall_errno)));
eef65bf3
MS		 3757
3758 if (c->apparmor_profile)
3759 fprintf(f,
3760 "%sAppArmorProfile: %s%s\n",
3761 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
5cb5a6ff
LP		 3762}
3763
a931ad47
LP		 3764bool exec_context_maintains_privileges(ExecContext *c) {
3765 assert(c);
3766
61233823 3767 /* Returns true if the process forked off would run under
a931ad47
LP		 3768 * an unchanged UID or as root. */
3769
3770 if (!c->user)
3771 return true;
3772
3773 if (streq(c->user, "root") || streq(c->user, "0"))
3774 return true;
3775
3776 return false;
3777}
3778
7f452159
LP		 3779int exec_context_get_effective_ioprio(ExecContext *c) {
3780 int p;
3781
3782 assert(c);
3783
3784 if (c->ioprio_set)
3785 return c->ioprio;
3786
3787 p = ioprio_get(IOPRIO_WHO_PROCESS, 0);
3788 if (p < 0)
3789 return IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 4);
3790
3791 return p;
3792}
3793
b58b4116 3794void exec_status_start(ExecStatus *s, pid_t pid) {
034c6ed7 3795 assert(s);
5cb5a6ff 3796
b58b4116
LP		 3797 zero(*s);
3798 s->pid = pid;
3799 dual_timestamp_get(&s->start_timestamp);
3800}
3801
6ea832a2 3802void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
b58b4116
LP		 3803 assert(s);
3804
0b1f4ae6 3805 if (s->pid && s->pid != pid)
b58b4116
LP		 3806 zero(*s);
3807
034c6ed7 3808 s->pid = pid;
63983207 3809 dual_timestamp_get(&s->exit_timestamp);
9fb86720 3810
034c6ed7
LP		 3811 s->code = code;
3812 s->status = status;
169c1bda 3813
6ea832a2
LP		 3814 if (context) {
3815 if (context->utmp_id)
3816 utmp_put_dead_process(context->utmp_id, pid, code, status);
3817
1e22b5cd 3818 exec_context_tty_reset(context, NULL);
6ea832a2 3819 }
9fb86720
LP		 3820}
3821
3822void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
3823 char buf[FORMAT_TIMESTAMP_MAX];
3824
3825 assert(s);
3826 assert(f);
3827
9fb86720
LP		 3828 if (s->pid <= 0)
3829 return;
3830
4c940960
LP		 3831 prefix = strempty(prefix);
3832
9fb86720 3833 fprintf(f,
ccd06097
ZJS		 3834 "%sPID: "PID_FMT"\n",
3835 prefix, s->pid);
9fb86720 3836
af9d16e1 3837 if (dual_timestamp_is_set(&s->start_timestamp))
9fb86720
LP		 3838 fprintf(f,
3839 "%sStart Timestamp: %s\n",
63983207 3840 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
9fb86720 3841
af9d16e1 3842 if (dual_timestamp_is_set(&s->exit_timestamp))
9fb86720
LP		 3843 fprintf(f,
3844 "%sExit Timestamp: %s\n"
3845 "%sExit Code: %s\n"
3846 "%sExit Status: %i\n",
63983207 3847 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
9fb86720
LP		 3848 prefix, sigchld_code_to_string(s->code),
3849 prefix, s->status);
5cb5a6ff 3850}
44d8db9e 3851
9e2f7c11 3852char *exec_command_line(char **argv) {
44d8db9e
LP		 3853 size_t k;
3854 char *n, *p, **a;
3855 bool first = true;
3856
9e2f7c11 3857 assert(argv);
44d8db9e 3858
9164977d 3859 k = 1;
9e2f7c11 3860 STRV_FOREACH(a, argv)
44d8db9e
LP		 3861 k += strlen(*a)+3;
3862
5cd9cd35
LP		 3863 n = new(char, k);
3864 if (!n)
44d8db9e
LP		 3865 return NULL;
3866
3867 p = n;
9e2f7c11 3868 STRV_FOREACH(a, argv) {
44d8db9e
LP		 3869
3870 if (!first)
3871 *(p++) = ' ';
3872 else
3873 first = false;
3874
3875 if (strpbrk(*a, WHITESPACE)) {
3876 *(p++) = '\'';
3877 p = stpcpy(p, *a);
3878 *(p++) = '\'';
3879 } else
3880 p = stpcpy(p, *a);
3881
3882 }
3883
9164977d
LP		 3884 *p = 0;
3885
44d8db9e
LP		 3886 /* FIXME: this doesn't really handle arguments that have
3887 * spaces and ticks in them */
3888
3889 return n;
3890}
3891
3892void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
e1d75803 3893 _cleanup_free_ char *cmd = NULL;
4c940960 3894 const char *prefix2;
44d8db9e
LP		 3895
3896 assert(c);
3897 assert(f);
3898
4c940960 3899 prefix = strempty(prefix);
63c372cb 3900 prefix2 = strjoina(prefix, "\t");
44d8db9e 3901
9e2f7c11 3902 cmd = exec_command_line(c->argv);
44d8db9e
LP		 3903 fprintf(f,
3904 "%sCommand Line: %s\n",
3905 prefix, cmd ? cmd : strerror(ENOMEM));
3906
9fb86720 3907 exec_status_dump(&c->exec_status, f, prefix2);
44d8db9e
LP		 3908}
3909
3910void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
3911 assert(f);
3912
4c940960 3913 prefix = strempty(prefix);
44d8db9e
LP		 3914
3915 LIST_FOREACH(command, c, c)
3916 exec_command_dump(c, f, prefix);
3917}
94f04347 3918
a6a80b4f
LP		 3919void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
3920 ExecCommand *end;
3921
3922 assert(l);
3923 assert(e);
3924
3925 if (*l) {
35b8ca3a 3926 /* It's kind of important, that we keep the order here */
71fda00f
LP		 3927 LIST_FIND_TAIL(command, *l, end);
3928 LIST_INSERT_AFTER(command, *l, end, e);
a6a80b4f
LP		 3929 } else
3930 *l = e;
3931}
3932
26fd040d
LP		 3933int exec_command_set(ExecCommand *c, const char *path, ...) {
3934 va_list ap;
3935 char **l, *p;
3936
3937 assert(c);
3938 assert(path);
3939
3940 va_start(ap, path);
3941 l = strv_new_ap(path, ap);
3942 va_end(ap);
3943
3944 if (!l)
3945 return -ENOMEM;
3946
250a918d
LP		 3947 p = strdup(path);
3948 if (!p) {
26fd040d
LP		 3949 strv_free(l);
3950 return -ENOMEM;
3951 }
3952
3953 free(c->path);
3954 c->path = p;
3955
3956 strv_free(c->argv);
3957 c->argv = l;
3958
3959 return 0;
3960}
3961
86b23b07 3962int exec_command_append(ExecCommand *c, const char *path, ...) {
e63ff941 3963 _cleanup_strv_free_ char **l = NULL;
86b23b07 3964 va_list ap;
86b23b07
JS		 3965 int r;
3966
3967 assert(c);
3968 assert(path);
3969
3970 va_start(ap, path);
3971 l = strv_new_ap(path, ap);
3972 va_end(ap);
3973
3974 if (!l)
3975 return -ENOMEM;
3976
e287086b 3977 r = strv_extend_strv(&c->argv, l, false);
e63ff941 3978 if (r < 0)
86b23b07 3979 return r;
86b23b07
JS		 3980
3981 return 0;
3982}
3983
3984
613b411c
LP		 3985static int exec_runtime_allocate(ExecRuntime **rt) {
3986
3987 if (*rt)
3988 return 0;
3989
3990 *rt = new0(ExecRuntime, 1);
f146f5e1 3991 if (!*rt)
613b411c
LP		 3992 return -ENOMEM;
3993
3994 (*rt)->n_ref = 1;
3995 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
3996
3997 return 0;
3998}
3999
4000int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
4001 int r;
4002
4003 assert(rt);
4004 assert(c);
4005 assert(id);
4006
4007 if (*rt)
4008 return 1;
4009
4010 if (!c->private_network && !c->private_tmp)
4011 return 0;
4012
4013 r = exec_runtime_allocate(rt);
4014 if (r < 0)
4015 return r;
4016
4017 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
33df919d 4018 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, (*rt)->netns_storage_socket) < 0)
613b411c
LP		 4019 return -errno;
4020 }
4021
4022 if (c->private_tmp && !(*rt)->tmp_dir) {
4023 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
4024 if (r < 0)
4025 return r;
4026 }
4027
4028 return 1;
4029}
4030
4031ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
4032 assert(r);
4033 assert(r->n_ref > 0);
4034
4035 r->n_ref++;
4036 return r;
4037}
4038
4039ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
4040
4041 if (!r)
4042 return NULL;
4043
4044 assert(r->n_ref > 0);
4045
4046 r->n_ref--;
f2341e0a
LP		 4047 if (r->n_ref > 0)
4048 return NULL;
4049
4050 free(r->tmp_dir);
4051 free(r->var_tmp_dir);
4052 safe_close_pair(r->netns_storage_socket);
6b430fdb 4053 return mfree(r);
613b411c
LP		 4054}
4055
f2341e0a 4056int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
613b411c
LP		 4057 assert(u);
4058 assert(f);
4059 assert(fds);
4060
4061 if (!rt)
4062 return 0;
4063
4064 if (rt->tmp_dir)
4065 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
4066
4067 if (rt->var_tmp_dir)
4068 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
4069
4070 if (rt->netns_storage_socket[0] >= 0) {
4071 int copy;
4072
4073 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
4074 if (copy < 0)
4075 return copy;
4076
4077 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
4078 }
4079
4080 if (rt->netns_storage_socket[1] >= 0) {
4081 int copy;
4082
4083 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
4084 if (copy < 0)
4085 return copy;
4086
4087 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
4088 }
4089
4090 return 0;
4091}
4092
f2341e0a 4093int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
613b411c
LP		 4094 int r;
4095
4096 assert(rt);
4097 assert(key);
4098 assert(value);
4099
4100 if (streq(key, "tmp-dir")) {
4101 char *copy;
4102
4103 r = exec_runtime_allocate(rt);
4104 if (r < 0)
f2341e0a 4105 return log_oom();
613b411c
LP		 4106
4107 copy = strdup(value);
4108 if (!copy)
4109 return log_oom();
4110
4111 free((*rt)->tmp_dir);
4112 (*rt)->tmp_dir = copy;
4113
4114 } else if (streq(key, "var-tmp-dir")) {
4115 char *copy;
4116
4117 r = exec_runtime_allocate(rt);
4118 if (r < 0)
f2341e0a 4119 return log_oom();
613b411c
LP		 4120
4121 copy = strdup(value);
4122 if (!copy)
4123 return log_oom();
4124
4125 free((*rt)->var_tmp_dir);
4126 (*rt)->var_tmp_dir = copy;
4127
4128 } else if (streq(key, "netns-socket-0")) {
4129 int fd;
4130
4131 r = exec_runtime_allocate(rt);
4132 if (r < 0)
f2341e0a 4133 return log_oom();
613b411c
LP		 4134
4135 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
f2341e0a 4136 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
613b411c 4137 else {
03e334a1 4138 safe_close((*rt)->netns_storage_socket[0]);
613b411c
LP		 4139 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
4140 }
4141 } else if (streq(key, "netns-socket-1")) {
4142 int fd;
4143
4144 r = exec_runtime_allocate(rt);
4145 if (r < 0)
f2341e0a 4146 return log_oom();
613b411c
LP		 4147
4148 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
f2341e0a 4149 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
613b411c 4150 else {
03e334a1 4151 safe_close((*rt)->netns_storage_socket[1]);
613b411c
LP		 4152 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
4153 }
4154 } else
4155 return 0;
4156
4157 return 1;
4158}
4159
4160static void *remove_tmpdir_thread(void *p) {
4161 _cleanup_free_ char *path = p;
4162
c6878637 4163 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
613b411c
LP		 4164 return NULL;
4165}
4166
4167void exec_runtime_destroy(ExecRuntime *rt) {
98b47d54
LP		 4168 int r;
4169
613b411c
LP		 4170 if (!rt)
4171 return;
4172
4173 /* If there are multiple users of this, let's leave the stuff around */
4174 if (rt->n_ref > 1)
4175 return;
4176
4177 if (rt->tmp_dir) {
4178 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
98b47d54
LP		 4179
4180 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
4181 if (r < 0) {
da927ba9 4182 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
98b47d54
LP		 4183 free(rt->tmp_dir);
4184 }
4185
613b411c
LP		 4186 rt->tmp_dir = NULL;
4187 }
4188
4189 if (rt->var_tmp_dir) {
4190 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
98b47d54
LP		 4191
4192 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
4193 if (r < 0) {
da927ba9 4194 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
98b47d54
LP		 4195 free(rt->var_tmp_dir);
4196 }
4197
613b411c
LP		 4198 rt->var_tmp_dir = NULL;
4199 }
4200
3d94f76c 4201 safe_close_pair(rt->netns_storage_socket);
613b411c
LP		 4202}
4203
80876c20
LP		 4204static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
4205 [EXEC_INPUT_NULL] = "null",
4206 [EXEC_INPUT_TTY] = "tty",
4207 [EXEC_INPUT_TTY_FORCE] = "tty-force",
4f2d528d 4208 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
52c239d7
LB		 4209 [EXEC_INPUT_SOCKET] = "socket",
4210 [EXEC_INPUT_NAMED_FD] = "fd",
80876c20
LP		 4211};
4212
8a0867d6
LP		 4213DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
4214
94f04347 4215static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
80876c20 4216 [EXEC_OUTPUT_INHERIT] = "inherit",
94f04347 4217 [EXEC_OUTPUT_NULL] = "null",
80876c20 4218 [EXEC_OUTPUT_TTY] = "tty",
94f04347 4219 [EXEC_OUTPUT_SYSLOG] = "syslog",
28dbc1e8 4220 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
9a6bca7a 4221 [EXEC_OUTPUT_KMSG] = "kmsg",
28dbc1e8 4222 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
706343f4
LP		 4223 [EXEC_OUTPUT_JOURNAL] = "journal",
4224 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
52c239d7
LB		 4225 [EXEC_OUTPUT_SOCKET] = "socket",
4226 [EXEC_OUTPUT_NAMED_FD] = "fd",
94f04347
LP		 4227};
4228
4229DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
023a4f67
LP		 4230
4231static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
4232 [EXEC_UTMP_INIT] = "init",
4233 [EXEC_UTMP_LOGIN] = "login",
4234 [EXEC_UTMP_USER] = "user",
4235};
4236
4237DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
53f47dfc
YW		 4238
4239static const char* const exec_preserve_mode_table[_EXEC_PRESERVE_MODE_MAX] = {
4240 [EXEC_PRESERVE_NO] = "no",
4241 [EXEC_PRESERVE_YES] = "yes",
4242 [EXEC_PRESERVE_RESTART] = "restart",
4243};
4244
4245DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(exec_preserve_mode, ExecPreserveMode, EXEC_PRESERVE_YES);
3536f49e
YW		 4246
4247static const char* const exec_directory_type_table[_EXEC_DIRECTORY_MAX] = {
4248 [EXEC_DIRECTORY_RUNTIME] = "RuntimeDirectory",
4249 [EXEC_DIRECTORY_STATE] = "StateDirectory",
4250 [EXEC_DIRECTORY_CACHE] = "CacheDirectory",
4251 [EXEC_DIRECTORY_LOGS] = "LogsDirectory",
4252 [EXEC_DIRECTORY_CONFIGURATION] = "ConfigurationDirectory",
4253};
4254
4255DEFINE_STRING_TABLE_LOOKUP(exec_directory_type, ExecDirectoryType);
Unnamed repository; edit this file 'description' to name the repository.