]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/core/execute.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
µhttpd-util: use #pragma to silence warning about nonliteral pattern
[thirdparty/systemd.git] / src / core / execute.c
CommitLineData
a7334b09
LP		 1/***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
5430f7f2
LP		 7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
a7334b09
LP		 9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2 14 Lesser General Public License for more details.
a7334b09 15
5430f7f2 16 You should have received a copy of the GNU Lesser General Public License
a7334b09
LP		 17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18***/
19
034c6ed7
LP		 20#include <errno.h>
21#include <fcntl.h>
8dd4c05b
LP		 22#include <glob.h>
23#include <grp.h>
24#include <poll.h>
309bff19 25#include <signal.h>
8dd4c05b 26#include <string.h>
19c0b0b9 27#include <sys/capability.h>
d251207d 28#include <sys/eventfd.h>
f3e43635 29#include <sys/mman.h>
8dd4c05b 30#include <sys/personality.h>
94f04347 31#include <sys/prctl.h>
d2ffa389 32#include <sys/shm.h>
8dd4c05b 33#include <sys/socket.h>
451a074f 34#include <sys/stat.h>
d2ffa389 35#include <sys/types.h>
8dd4c05b
LP		 36#include <sys/un.h>
37#include <unistd.h>
023a4f67 38#include <utmpx.h>
5cb5a6ff 39
5b6319dc
LP		 40#ifdef HAVE_PAM
41#include <security/pam_appl.h>
42#endif
43
7b52a628
MS		 44#ifdef HAVE_SELINUX
45#include <selinux/selinux.h>
46#endif
47
17df7223
LP		 48#ifdef HAVE_SECCOMP
49#include <seccomp.h>
50#endif
51
eef65bf3
MS		 52#ifdef HAVE_APPARMOR
53#include <sys/apparmor.h>
54#endif
55
24882e06 56#include "sd-messages.h"
8dd4c05b
LP		 57
58#include "af-list.h"
b5efdb8a 59#include "alloc-util.h"
3ffd4af2
LP		 60#ifdef HAVE_APPARMOR
61#include "apparmor-util.h"
62#endif
8dd4c05b
LP		 63#include "async.h"
64#include "barrier.h"
8dd4c05b 65#include "cap-list.h"
430f0182 66#include "capability-util.h"
f6a6225e 67#include "def.h"
4d1a6904 68#include "env-util.h"
17df7223 69#include "errno-list.h"
3ffd4af2 70#include "execute.h"
8dd4c05b 71#include "exit-status.h"
3ffd4af2 72#include "fd-util.h"
8dd4c05b 73#include "fileio.h"
f97b34a6 74#include "format-util.h"
f4f15635 75#include "fs-util.h"
7d50b32a 76#include "glob-util.h"
c004493c 77#include "io-util.h"
8dd4c05b
LP		 78#include "ioprio.h"
79#include "log.h"
80#include "macro.h"
81#include "missing.h"
82#include "mkdir.h"
83#include "namespace.h"
6bedfcbb 84#include "parse-util.h"
8dd4c05b 85#include "path-util.h"
0b452006 86#include "process-util.h"
78f22b97 87#include "rlimit-util.h"
8dd4c05b 88#include "rm-rf.h"
3ffd4af2
LP		 89#ifdef HAVE_SECCOMP
90#include "seccomp-util.h"
91#endif
8dd4c05b
LP		 92#include "securebits.h"
93#include "selinux-util.h"
24882e06 94#include "signal-util.h"
8dd4c05b 95#include "smack-util.h"
fd63e712 96#include "special.h"
8b43440b 97#include "string-table.h"
07630cea 98#include "string-util.h"
8dd4c05b 99#include "strv.h"
7ccbd1ae 100#include "syslog-util.h"
8dd4c05b
LP		 101#include "terminal-util.h"
102#include "unit.h"
b1d4f8e1 103#include "user-util.h"
8dd4c05b
LP		 104#include "util.h"
105#include "utmp-wtmp.h"
5cb5a6ff 106
e056b01d 107#define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
31a7eb86 108#define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
e6a26745 109
02a51aba
LP		 110/* This assumes there is a 'tty' group */
111#define TTY_MODE 0620
112
531dca78
LP		 113#define SNDBUF_SIZE (8*1024*1024)
114
034c6ed7
LP		 115static int shift_fds(int fds[], unsigned n_fds) {
116 int start, restart_from;
117
118 if (n_fds <= 0)
119 return 0;
120
a0d40ac5
LP		 121 /* Modifies the fds array! (sorts it) */
122
034c6ed7
LP		 123 assert(fds);
124
125 start = 0;
126 for (;;) {
127 int i;
128
129 restart_from = -1;
130
131 for (i = start; i < (int) n_fds; i++) {
132 int nfd;
133
134 /* Already at right index? */
135 if (fds[i] == i+3)
136 continue;
137
3cc2aff1
LP		 138 nfd = fcntl(fds[i], F_DUPFD, i + 3);
139 if (nfd < 0)
034c6ed7
LP		 140 return -errno;
141
03e334a1 142 safe_close(fds[i]);
034c6ed7
LP		 143 fds[i] = nfd;
144
145 /* Hmm, the fd we wanted isn't free? Then
ee33e53a 146 * let's remember that and try again from here */
034c6ed7
LP		 147 if (nfd != i+3 && restart_from < 0)
148 restart_from = i;
149 }
150
151 if (restart_from < 0)
152 break;
153
154 start = restart_from;
155 }
156
157 return 0;
158}
159
c2748801 160static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
47a71eed 161 unsigned i;
e2c76839 162 int r;
47a71eed
LP		 163
164 if (n_fds <= 0)
165 return 0;
166
167 assert(fds);
168
451a074f 169 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
47a71eed
LP		 170
171 for (i = 0; i < n_fds; i++) {
47a71eed 172
3cc2aff1
LP		 173 r = fd_nonblock(fds[i], nonblock);
174 if (r < 0)
e2c76839 175 return r;
47a71eed 176
451a074f
LP		 177 /* We unconditionally drop FD_CLOEXEC from the fds,
178 * since after all we want to pass these fds to our
179 * children */
47a71eed 180
3cc2aff1
LP		 181 r = fd_cloexec(fds[i], false);
182 if (r < 0)
e2c76839 183 return r;
47a71eed
LP		 184 }
185
186 return 0;
187}
188
1e22b5cd 189static const char *exec_context_tty_path(const ExecContext *context) {
80876c20
LP		 190 assert(context);
191
1e22b5cd
LP		 192 if (context->stdio_as_fds)
193 return NULL;
194
80876c20
LP		 195 if (context->tty_path)
196 return context->tty_path;
197
198 return "/dev/console";
199}
200
1e22b5cd
LP		 201static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
202 const char *path;
203
6ea832a2
LP		 204 assert(context);
205
1e22b5cd 206 path = exec_context_tty_path(context);
6ea832a2 207
1e22b5cd
LP		 208 if (context->tty_vhangup) {
209 if (p && p->stdin_fd >= 0)
210 (void) terminal_vhangup_fd(p->stdin_fd);
211 else if (path)
212 (void) terminal_vhangup(path);
213 }
6ea832a2 214
1e22b5cd
LP		 215 if (context->tty_reset) {
216 if (p && p->stdin_fd >= 0)
217 (void) reset_terminal_fd(p->stdin_fd, true);
218 else if (path)
219 (void) reset_terminal(path);
220 }
221
222 if (context->tty_vt_disallocate && path)
223 (void) vt_disallocate(path);
6ea832a2
LP		 224}
225
6af760f3
LP		 226static bool is_terminal_input(ExecInput i) {
227 return IN_SET(i,
228 EXEC_INPUT_TTY,
229 EXEC_INPUT_TTY_FORCE,
230 EXEC_INPUT_TTY_FAIL);
231}
232
3a1286b6 233static bool is_terminal_output(ExecOutput o) {
6af760f3
LP		 234 return IN_SET(o,
235 EXEC_OUTPUT_TTY,
236 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
237 EXEC_OUTPUT_KMSG_AND_CONSOLE,
238 EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
239}
240
241static bool exec_context_needs_term(const ExecContext *c) {
242 assert(c);
243
244 /* Return true if the execution context suggests we should set $TERM to something useful. */
245
246 if (is_terminal_input(c->std_input))
247 return true;
248
249 if (is_terminal_output(c->std_output))
250 return true;
251
252 if (is_terminal_output(c->std_error))
253 return true;
254
255 return !!c->tty_path;
3a1286b6
MS		 256}
257
80876c20
LP		 258static int open_null_as(int flags, int nfd) {
259 int fd, r;
071830ff 260
80876c20 261 assert(nfd >= 0);
071830ff 262
613b411c
LP		 263 fd = open("/dev/null", flags|O_NOCTTY);
264 if (fd < 0)
071830ff
LP		 265 return -errno;
266
80876c20
LP		 267 if (fd != nfd) {
268 r = dup2(fd, nfd) < 0 ? -errno : nfd;
03e334a1 269 safe_close(fd);
80876c20
LP		 270 } else
271 r = nfd;
071830ff 272
80876c20 273 return r;
071830ff
LP		 274}
275
524daa8c 276static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
b92bea5d
ZJS		 277 union sockaddr_union sa = {
278 .un.sun_family = AF_UNIX,
279 .un.sun_path = "/run/systemd/journal/stdout",
280 };
524daa8c
ZJS		 281 uid_t olduid = UID_INVALID;
282 gid_t oldgid = GID_INVALID;
283 int r;
284
285 if (gid != GID_INVALID) {
286 oldgid = getgid();
287
288 r = setegid(gid);
289 if (r < 0)
290 return -errno;
291 }
292
293 if (uid != UID_INVALID) {
294 olduid = getuid();
295
296 r = seteuid(uid);
297 if (r < 0) {
298 r = -errno;
299 goto restore_gid;
300 }
301 }
302
fc2fffe7 303 r = connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
524daa8c
ZJS		 304 if (r < 0)
305 r = -errno;
306
307 /* If we fail to restore the uid or gid, things will likely
308 fail later on. This should only happen if an LSM interferes. */
309
310 if (uid != UID_INVALID)
311 (void) seteuid(olduid);
312
313 restore_gid:
314 if (gid != GID_INVALID)
315 (void) setegid(oldgid);
316
317 return r;
318}
319
fd1f9c89 320static int connect_logger_as(
7a1ab780 321 Unit *unit,
fd1f9c89
LP		 322 const ExecContext *context,
323 ExecOutput output,
324 const char *ident,
fd1f9c89
LP		 325 int nfd,
326 uid_t uid,
327 gid_t gid) {
328
524daa8c 329 int fd, r;
071830ff
LP		 330
331 assert(context);
80876c20
LP		 332 assert(output < _EXEC_OUTPUT_MAX);
333 assert(ident);
334 assert(nfd >= 0);
071830ff 335
54fe0cdb
LP		 336 fd = socket(AF_UNIX, SOCK_STREAM, 0);
337 if (fd < 0)
80876c20 338 return -errno;
071830ff 339
524daa8c
ZJS		 340 r = connect_journal_socket(fd, uid, gid);
341 if (r < 0)
342 return r;
071830ff 343
80876c20 344 if (shutdown(fd, SHUT_RD) < 0) {
03e334a1 345 safe_close(fd);
80876c20
LP		 346 return -errno;
347 }
071830ff 348
fd1f9c89 349 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
531dca78 350
80876c20 351 dprintf(fd,
62bca2c6 352 "%s\n"
80876c20
LP		 353 "%s\n"
354 "%i\n"
54fe0cdb
LP		 355 "%i\n"
356 "%i\n"
357 "%i\n"
4f4a1dbf 358 "%i\n",
4f4a1dbf 359 context->syslog_identifier ? context->syslog_identifier : ident,
7a1ab780 360 unit->id,
54fe0cdb
LP		 361 context->syslog_priority,
362 !!context->syslog_level_prefix,
363 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
364 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
3a1286b6 365 is_terminal_output(output));
80876c20 366
fd1f9c89
LP		 367 if (fd == nfd)
368 return nfd;
369
370 r = dup2(fd, nfd) < 0 ? -errno : nfd;
371 safe_close(fd);
071830ff 372
80876c20
LP		 373 return r;
374}
375static int open_terminal_as(const char *path, mode_t mode, int nfd) {
376 int fd, r;
071830ff 377
80876c20
LP		 378 assert(path);
379 assert(nfd >= 0);
071830ff 380
3cc2aff1
LP		 381 fd = open_terminal(path, mode | O_NOCTTY);
382 if (fd < 0)
80876c20 383 return fd;
071830ff 384
80876c20
LP		 385 if (fd != nfd) {
386 r = dup2(fd, nfd) < 0 ? -errno : nfd;
03e334a1 387 safe_close(fd);
80876c20
LP		 388 } else
389 r = nfd;
071830ff 390
80876c20
LP		 391 return r;
392}
071830ff 393
1e3ad081
LP		 394static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
395
396 if (is_terminal_input(std_input) && !apply_tty_stdin)
397 return EXEC_INPUT_NULL;
071830ff 398
03fd9c49 399 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 400 return EXEC_INPUT_NULL;
401
03fd9c49 402 return std_input;
4f2d528d
LP		 403}
404
03fd9c49 405static int fixup_output(ExecOutput std_output, int socket_fd) {
4f2d528d 406
03fd9c49 407 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 408 return EXEC_OUTPUT_INHERIT;
409
03fd9c49 410 return std_output;
4f2d528d
LP		 411}
412
a34ceba6
LP		 413static int setup_input(
414 const ExecContext *context,
415 const ExecParameters *params,
52c239d7
LB		 416 int socket_fd,
417 int named_iofds[3]) {
a34ceba6 418
4f2d528d
LP		 419 ExecInput i;
420
421 assert(context);
a34ceba6
LP		 422 assert(params);
423
424 if (params->stdin_fd >= 0) {
425 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
426 return -errno;
427
428 /* Try to make this the controlling tty, if it is a tty, and reset it */
429 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
430 (void) reset_terminal_fd(STDIN_FILENO, true);
431
432 return STDIN_FILENO;
433 }
4f2d528d 434
c39f1ce2 435 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
4f2d528d
LP		 436
437 switch (i) {
071830ff 438
80876c20
LP		 439 case EXEC_INPUT_NULL:
440 return open_null_as(O_RDONLY, STDIN_FILENO);
441
442 case EXEC_INPUT_TTY:
443 case EXEC_INPUT_TTY_FORCE:
444 case EXEC_INPUT_TTY_FAIL: {
445 int fd, r;
071830ff 446
1e22b5cd 447 fd = acquire_terminal(exec_context_tty_path(context),
970edce6
ZJS		 448 i == EXEC_INPUT_TTY_FAIL,
449 i == EXEC_INPUT_TTY_FORCE,
450 false,
3a43da28 451 USEC_INFINITY);
970edce6 452 if (fd < 0)
80876c20
LP		 453 return fd;
454
455 if (fd != STDIN_FILENO) {
456 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
03e334a1 457 safe_close(fd);
80876c20
LP		 458 } else
459 r = STDIN_FILENO;
460
461 return r;
462 }
463
4f2d528d
LP		 464 case EXEC_INPUT_SOCKET:
465 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
466
52c239d7
LB		 467 case EXEC_INPUT_NAMED_FD:
468 (void) fd_nonblock(named_iofds[STDIN_FILENO], false);
469 return dup2(named_iofds[STDIN_FILENO], STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
470
80876c20
LP		 471 default:
472 assert_not_reached("Unknown input type");
473 }
474}
475
a34ceba6
LP		 476static int setup_output(
477 Unit *unit,
478 const ExecContext *context,
479 const ExecParameters *params,
480 int fileno,
481 int socket_fd,
52c239d7 482 int named_iofds[3],
a34ceba6 483 const char *ident,
7bce046b
LP		 484 uid_t uid,
485 gid_t gid,
486 dev_t *journal_stream_dev,
487 ino_t *journal_stream_ino) {
a34ceba6 488
4f2d528d
LP		 489 ExecOutput o;
490 ExecInput i;
47c1d80d 491 int r;
4f2d528d 492
f2341e0a 493 assert(unit);
80876c20 494 assert(context);
a34ceba6 495 assert(params);
80876c20 496 assert(ident);
7bce046b
LP		 497 assert(journal_stream_dev);
498 assert(journal_stream_ino);
80876c20 499
a34ceba6
LP		 500 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
501
502 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
503 return -errno;
504
505 return STDOUT_FILENO;
506 }
507
508 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
509 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
510 return -errno;
511
512 return STDERR_FILENO;
513 }
514
c39f1ce2 515 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
03fd9c49 516 o = fixup_output(context->std_output, socket_fd);
4f2d528d 517
eb17e935
MS		 518 if (fileno == STDERR_FILENO) {
519 ExecOutput e;
520 e = fixup_output(context->std_error, socket_fd);
80876c20 521
eb17e935
MS		 522 /* This expects the input and output are already set up */
523
524 /* Don't change the stderr file descriptor if we inherit all
525 * the way and are not on a tty */
526 if (e == EXEC_OUTPUT_INHERIT &&
527 o == EXEC_OUTPUT_INHERIT &&
528 i == EXEC_INPUT_NULL &&
529 !is_terminal_input(context->std_input) &&
530 getppid () != 1)
531 return fileno;
532
533 /* Duplicate from stdout if possible */
52c239d7 534 if ((e == o && e != EXEC_OUTPUT_NAMED_FD) || e == EXEC_OUTPUT_INHERIT)
eb17e935 535 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 536
eb17e935 537 o = e;
80876c20 538
eb17e935 539 } else if (o == EXEC_OUTPUT_INHERIT) {
21d21ea4
LP		 540 /* If input got downgraded, inherit the original value */
541 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
1e22b5cd 542 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
21d21ea4 543
acb591e4 544 /* If the input is connected to anything that's not a /dev/null, inherit that... */
ff876e28 545 if (i != EXEC_INPUT_NULL)
eb17e935 546 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 547
acb591e4
LP		 548 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
549 if (getppid() != 1)
eb17e935 550 return fileno;
94f04347 551
eb17e935
MS		 552 /* We need to open /dev/null here anew, to get the right access mode. */
553 return open_null_as(O_WRONLY, fileno);
071830ff 554 }
94f04347 555
eb17e935 556 switch (o) {
80876c20
LP		 557
558 case EXEC_OUTPUT_NULL:
eb17e935 559 return open_null_as(O_WRONLY, fileno);
80876c20
LP		 560
561 case EXEC_OUTPUT_TTY:
4f2d528d 562 if (is_terminal_input(i))
eb17e935 563 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
80876c20
LP		 564
565 /* We don't reset the terminal if this is just about output */
1e22b5cd 566 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
80876c20
LP		 567
568 case EXEC_OUTPUT_SYSLOG:
28dbc1e8 569 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
9a6bca7a 570 case EXEC_OUTPUT_KMSG:
28dbc1e8 571 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
706343f4
LP		 572 case EXEC_OUTPUT_JOURNAL:
573 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
7a1ab780 574 r = connect_logger_as(unit, context, o, ident, fileno, uid, gid);
47c1d80d 575 if (r < 0) {
f2341e0a 576 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
eb17e935 577 r = open_null_as(O_WRONLY, fileno);
7bce046b
LP		 578 } else {
579 struct stat st;
580
581 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
582 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
583 * services to detect whether they are connected to the journal or not. */
584
585 if (fstat(fileno, &st) >= 0) {
586 *journal_stream_dev = st.st_dev;
587 *journal_stream_ino = st.st_ino;
588 }
47c1d80d
MS		 589 }
590 return r;
4f2d528d
LP		 591
592 case EXEC_OUTPUT_SOCKET:
593 assert(socket_fd >= 0);
eb17e935 594 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
94f04347 595
52c239d7
LB		 596 case EXEC_OUTPUT_NAMED_FD:
597 (void) fd_nonblock(named_iofds[fileno], false);
598 return dup2(named_iofds[fileno], fileno) < 0 ? -errno : fileno;
599
94f04347 600 default:
80876c20 601 assert_not_reached("Unknown error type");
94f04347 602 }
071830ff
LP		 603}
604
02a51aba
LP		 605static int chown_terminal(int fd, uid_t uid) {
606 struct stat st;
607
608 assert(fd >= 0);
02a51aba 609
1ff74fb6
LP		 610 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
611 if (isatty(fd) < 1)
612 return 0;
613
02a51aba 614 /* This might fail. What matters are the results. */
bab45044
LP		 615 (void) fchown(fd, uid, -1);
616 (void) fchmod(fd, TTY_MODE);
02a51aba
LP		 617
618 if (fstat(fd, &st) < 0)
619 return -errno;
620
d8b4e2e9 621 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
02a51aba
LP		 622 return -EPERM;
623
624 return 0;
625}
626
7d5ceb64 627static int setup_confirm_stdio(const char *vc, int *_saved_stdin, int *_saved_stdout) {
3d18b167
LP		 628 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
629 int r;
80876c20 630
80876c20
LP		 631 assert(_saved_stdin);
632 assert(_saved_stdout);
633
af6da548
LP		 634 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
635 if (saved_stdin < 0)
636 return -errno;
80876c20 637
af6da548 638 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
3d18b167
LP		 639 if (saved_stdout < 0)
640 return -errno;
80876c20 641
7d5ceb64 642 fd = acquire_terminal(vc, false, false, false, DEFAULT_CONFIRM_USEC);
3d18b167
LP		 643 if (fd < 0)
644 return fd;
80876c20 645
af6da548
LP		 646 r = chown_terminal(fd, getuid());
647 if (r < 0)
3d18b167 648 return r;
02a51aba 649
3d18b167
LP		 650 r = reset_terminal_fd(fd, true);
651 if (r < 0)
652 return r;
80876c20 653
3d18b167
LP		 654 if (dup2(fd, STDIN_FILENO) < 0)
655 return -errno;
656
657 if (dup2(fd, STDOUT_FILENO) < 0)
658 return -errno;
80876c20
LP		 659
660 if (fd >= 2)
03e334a1 661 safe_close(fd);
3d18b167 662 fd = -1;
80876c20
LP		 663
664 *_saved_stdin = saved_stdin;
665 *_saved_stdout = saved_stdout;
666
3d18b167 667 saved_stdin = saved_stdout = -1;
80876c20 668
3d18b167 669 return 0;
80876c20
LP		 670}
671
63d77c92 672static void write_confirm_error_fd(int err, int fd, const Unit *u) {
3b20f877
FB		 673 assert(err < 0);
674
675 if (err == -ETIMEDOUT)
63d77c92 676 dprintf(fd, "Confirmation question timed out for %s, assuming positive response.\n", u->id);
3b20f877
FB		 677 else {
678 errno = -err;
63d77c92 679 dprintf(fd, "Couldn't ask confirmation for %s: %m, assuming positive response.\n", u->id);
3b20f877
FB		 680 }
681}
682
63d77c92 683static void write_confirm_error(int err, const char *vc, const Unit *u) {
03e334a1 684 _cleanup_close_ int fd = -1;
80876c20 685
3b20f877 686 assert(vc);
80876c20 687
7d5ceb64 688 fd = open_terminal(vc, O_WRONLY|O_NOCTTY|O_CLOEXEC);
af6da548 689 if (fd < 0)
3b20f877 690 return;
80876c20 691
63d77c92 692 write_confirm_error_fd(err, fd, u);
af6da548 693}
80876c20 694
3d18b167 695static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
af6da548 696 int r = 0;
80876c20 697
af6da548
LP		 698 assert(saved_stdin);
699 assert(saved_stdout);
700
701 release_terminal();
702
703 if (*saved_stdin >= 0)
80876c20 704 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
af6da548 705 r = -errno;
80876c20 706
af6da548 707 if (*saved_stdout >= 0)
80876c20 708 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
af6da548 709 r = -errno;
80876c20 710
3d18b167
LP		 711 *saved_stdin = safe_close(*saved_stdin);
712 *saved_stdout = safe_close(*saved_stdout);
af6da548
LP		 713
714 return r;
715}
716
3b20f877
FB		 717enum {
718 CONFIRM_PRETEND_FAILURE = -1,
719 CONFIRM_PRETEND_SUCCESS = 0,
720 CONFIRM_EXECUTE = 1,
721};
722
eedf223a 723static int ask_for_confirmation(const char *vc, Unit *u, const char *cmdline) {
af6da548 724 int saved_stdout = -1, saved_stdin = -1, r;
2bcd3c26 725 _cleanup_free_ char *e = NULL;
3b20f877 726 char c;
af6da548 727
3b20f877 728 /* For any internal errors, assume a positive response. */
7d5ceb64 729 r = setup_confirm_stdio(vc, &saved_stdin, &saved_stdout);
3b20f877 730 if (r < 0) {
63d77c92 731 write_confirm_error(r, vc, u);
3b20f877
FB		 732 return CONFIRM_EXECUTE;
733 }
af6da548 734
b0eb2944
FB		 735 /* confirm_spawn might have been disabled while we were sleeping. */
736 if (manager_is_confirm_spawn_disabled(u->manager)) {
737 r = 1;
738 goto restore_stdio;
739 }
af6da548 740
2bcd3c26
FB		 741 e = ellipsize(cmdline, 60, 100);
742 if (!e) {
743 log_oom();
744 r = CONFIRM_EXECUTE;
745 goto restore_stdio;
746 }
af6da548 747
d172b175 748 for (;;) {
539622bd 749 r = ask_char(&c, "yfshiDjcn", "Execute %s? [y, f, s – h for help] ", e);
d172b175 750 if (r < 0) {
63d77c92 751 write_confirm_error_fd(r, STDOUT_FILENO, u);
d172b175
FB		 752 r = CONFIRM_EXECUTE;
753 goto restore_stdio;
754 }
af6da548 755
d172b175 756 switch (c) {
b0eb2944
FB		 757 case 'c':
758 printf("Resuming normal execution.\n");
759 manager_disable_confirm_spawn();
760 r = 1;
761 break;
dd6f9ac0
FB		 762 case 'D':
763 unit_dump(u, stdout, " ");
764 continue; /* ask again */
d172b175
FB		 765 case 'f':
766 printf("Failing execution.\n");
767 r = CONFIRM_PRETEND_FAILURE;
768 break;
769 case 'h':
b0eb2944
FB		 770 printf(" c - continue, proceed without asking anymore\n"
771 " D - dump, show the state of the unit\n"
dd6f9ac0 772 " f - fail, don't execute the command and pretend it failed\n"
d172b175 773 " h - help\n"
eedf223a 774 " i - info, show a short summary of the unit\n"
56fde33a 775 " j - jobs, show jobs that are in progress\n"
d172b175
FB		 776 " s - skip, don't execute the command and pretend it succeeded\n"
777 " y - yes, execute the command\n");
dd6f9ac0 778 continue; /* ask again */
eedf223a
FB		 779 case 'i':
780 printf(" Description: %s\n"
781 " Unit: %s\n"
782 " Command: %s\n",
783 u->id, u->description, cmdline);
784 continue; /* ask again */
56fde33a
FB		 785 case 'j':
786 manager_dump_jobs(u->manager, stdout, " ");
787 continue; /* ask again */
539622bd
FB		 788 case 'n':
789 /* 'n' was removed in favor of 'f'. */
790 printf("Didn't understand 'n', did you mean 'f'?\n");
791 continue; /* ask again */
d172b175
FB		 792 case 's':
793 printf("Skipping execution.\n");
794 r = CONFIRM_PRETEND_SUCCESS;
795 break;
796 case 'y':
797 r = CONFIRM_EXECUTE;
798 break;
799 default:
800 assert_not_reached("Unhandled choice");
801 }
3b20f877 802 break;
3b20f877 803 }
af6da548 804
3b20f877 805restore_stdio:
af6da548 806 restore_confirm_stdio(&saved_stdin, &saved_stdout);
af6da548 807 return r;
80876c20
LP		 808}
809
4d885bd3
DH		 810static int get_fixed_user(const ExecContext *c, const char **user,
811 uid_t *uid, gid_t *gid,
812 const char **home, const char **shell) {
81a2b7ce 813 int r;
4d885bd3 814 const char *name;
81a2b7ce 815
4d885bd3 816 assert(c);
81a2b7ce 817
23deef88
LP		 818 if (!c->user)
819 return 0;
820
4d885bd3
DH		 821 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
822 * (i.e. are "/" or "/bin/nologin"). */
81a2b7ce 823
23deef88 824 name = c->user;
4d885bd3
DH		 825 r = get_user_creds_clean(&name, uid, gid, home, shell);
826 if (r < 0)
827 return r;
81a2b7ce 828
4d885bd3
DH		 829 *user = name;
830 return 0;
831}
832
833static int get_fixed_group(const ExecContext *c, const char **group, gid_t *gid) {
834 int r;
835 const char *name;
836
837 assert(c);
838
839 if (!c->group)
840 return 0;
841
842 name = c->group;
843 r = get_group_creds(&name, gid);
844 if (r < 0)
845 return r;
846
847 *group = name;
848 return 0;
849}
850
cdc5d5c5
DH		 851static int get_supplementary_groups(const ExecContext *c, const char *user,
852 const char *group, gid_t gid,
853 gid_t **supplementary_gids, int *ngids) {
4d885bd3
DH		 854 char **i;
855 int r, k = 0;
856 int ngroups_max;
857 bool keep_groups = false;
858 gid_t *groups = NULL;
859 _cleanup_free_ gid_t *l_gids = NULL;
860
861 assert(c);
862
bbeea271
DH		 863 /*
864 * If user is given, then lookup GID and supplementary groups list.
865 * We avoid NSS lookups for gid=0. Also we have to initialize groups
cdc5d5c5
DH		 866 * here and as early as possible so we keep the list of supplementary
867 * groups of the caller.
bbeea271
DH		 868 */
869 if (user && gid_is_valid(gid) && gid != 0) {
870 /* First step, initialize groups from /etc/groups */
871 if (initgroups(user, gid) < 0)
872 return -errno;
873
874 keep_groups = true;
875 }
876
4d885bd3
DH		 877 if (!c->supplementary_groups)
878 return 0;
879
366ddd25
DH		 880 /*
881 * If SupplementaryGroups= was passed then NGROUPS_MAX has to
882 * be positive, otherwise fail.
883 */
884 errno = 0;
885 ngroups_max = (int) sysconf(_SC_NGROUPS_MAX);
886 if (ngroups_max <= 0) {
887 if (errno > 0)
888 return -errno;
889 else
890 return -EOPNOTSUPP; /* For all other values */
891 }
892
4d885bd3
DH		 893 l_gids = new(gid_t, ngroups_max);
894 if (!l_gids)
895 return -ENOMEM;
81a2b7ce 896
4d885bd3
DH		 897 if (keep_groups) {
898 /*
899 * Lookup the list of groups that the user belongs to, we
900 * avoid NSS lookups here too for gid=0.
901 */
902 k = ngroups_max;
903 if (getgrouplist(user, gid, l_gids, &k) < 0)
904 return -EINVAL;
905 } else
906 k = 0;
81a2b7ce 907
4d885bd3
DH		 908 STRV_FOREACH(i, c->supplementary_groups) {
909 const char *g;
81a2b7ce 910
4d885bd3
DH		 911 if (k >= ngroups_max)
912 return -E2BIG;
81a2b7ce 913
4d885bd3
DH		 914 g = *i;
915 r = get_group_creds(&g, l_gids+k);
916 if (r < 0)
917 return r;
81a2b7ce 918
4d885bd3
DH		 919 k++;
920 }
81a2b7ce 921
4d885bd3
DH		 922 /*
923 * Sets ngids to zero to drop all supplementary groups, happens
924 * when we are under root and SupplementaryGroups= is empty.
925 */
926 if (k == 0) {
927 *ngids = 0;
928 return 0;
929 }
81a2b7ce 930
4d885bd3
DH		 931 /* Otherwise get the final list of supplementary groups */
932 groups = memdup(l_gids, sizeof(gid_t) * k);
933 if (!groups)
934 return -ENOMEM;
935
936 *supplementary_gids = groups;
937 *ngids = k;
938
939 groups = NULL;
940
941 return 0;
942}
943
944static int enforce_groups(const ExecContext *context, gid_t gid,
945 gid_t *supplementary_gids, int ngids) {
946 int r;
947
948 assert(context);
949
950 /* Handle SupplementaryGroups= even if it is empty */
951 if (context->supplementary_groups) {
952 r = maybe_setgroups(ngids, supplementary_gids);
953 if (r < 0)
97f0e76f 954 return r;
4d885bd3 955 }
81a2b7ce 956
4d885bd3
DH		 957 if (gid_is_valid(gid)) {
958 /* Then set our gids */
959 if (setresgid(gid, gid, gid) < 0)
960 return -errno;
81a2b7ce
LP		 961 }
962
963 return 0;
964}
965
966static int enforce_user(const ExecContext *context, uid_t uid) {
81a2b7ce
LP		 967 assert(context);
968
4d885bd3
DH		 969 if (!uid_is_valid(uid))
970 return 0;
971
479050b3 972 /* Sets (but doesn't look up) the uid and make sure we keep the
81a2b7ce
LP		 973 * capabilities while doing so. */
974
479050b3 975 if (context->capability_ambient_set != 0) {
81a2b7ce
LP		 976
977 /* First step: If we need to keep capabilities but
978 * drop privileges we need to make sure we keep our
cbb21cca 979 * caps, while we drop privileges. */
693ced48 980 if (uid != 0) {
cbb21cca 981 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
693ced48
LP		 982
983 if (prctl(PR_GET_SECUREBITS) != sb)
984 if (prctl(PR_SET_SECUREBITS, sb) < 0)
985 return -errno;
986 }
81a2b7ce
LP		 987 }
988
479050b3 989 /* Second step: actually set the uids */
81a2b7ce
LP		 990 if (setresuid(uid, uid, uid) < 0)
991 return -errno;
992
993 /* At this point we should have all necessary capabilities but
994 are otherwise a normal user. However, the caps might got
995 corrupted due to the setresuid() so we need clean them up
996 later. This is done outside of this call. */
997
998 return 0;
999}
1000
5b6319dc
LP		 1001#ifdef HAVE_PAM
1002
1003static int null_conv(
1004 int num_msg,
1005 const struct pam_message **msg,
1006 struct pam_response **resp,
1007 void *appdata_ptr) {
1008
1009 /* We don't support conversations */
1010
1011 return PAM_CONV_ERR;
1012}
1013
cefc33ae
LP		 1014#endif
1015
5b6319dc
LP		 1016static int setup_pam(
1017 const char *name,
1018 const char *user,
940c5210 1019 uid_t uid,
2d6fce8d 1020 gid_t gid,
5b6319dc 1021 const char *tty,
2065ca69 1022 char ***env,
5b6319dc
LP		 1023 int fds[], unsigned n_fds) {
1024
cefc33ae
LP		 1025#ifdef HAVE_PAM
1026
5b6319dc
LP		 1027 static const struct pam_conv conv = {
1028 .conv = null_conv,
1029 .appdata_ptr = NULL
1030 };
1031
2d7c6aa2 1032 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
5b6319dc 1033 pam_handle_t *handle = NULL;
d6e5f3ad 1034 sigset_t old_ss;
7bb70b6e 1035 int pam_code = PAM_SUCCESS, r;
84eada2f 1036 char **nv, **e = NULL;
5b6319dc
LP		 1037 bool close_session = false;
1038 pid_t pam_pid = 0, parent_pid;
970edce6 1039 int flags = 0;
5b6319dc
LP		 1040
1041 assert(name);
1042 assert(user);
2065ca69 1043 assert(env);
5b6319dc
LP		 1044
1045 /* We set up PAM in the parent process, then fork. The child
35b8ca3a 1046 * will then stay around until killed via PR_GET_PDEATHSIG or
5b6319dc
LP		 1047 * systemd via the cgroup logic. It will then remove the PAM
1048 * session again. The parent process will exec() the actual
1049 * daemon. We do things this way to ensure that the main PID
1050 * of the daemon is the one we initially fork()ed. */
1051
7bb70b6e
LP		 1052 r = barrier_create(&barrier);
1053 if (r < 0)
2d7c6aa2
DH		 1054 goto fail;
1055
553d2243 1056 if (log_get_max_level() < LOG_DEBUG)
970edce6
ZJS		 1057 flags |= PAM_SILENT;
1058
f546241b
ZJS		 1059 pam_code = pam_start(name, user, &conv, &handle);
1060 if (pam_code != PAM_SUCCESS) {
5b6319dc
LP		 1061 handle = NULL;
1062 goto fail;
1063 }
1064
f546241b
ZJS		 1065 if (tty) {
1066 pam_code = pam_set_item(handle, PAM_TTY, tty);
1067 if (pam_code != PAM_SUCCESS)
5b6319dc 1068 goto fail;
f546241b 1069 }
5b6319dc 1070
84eada2f
JW		 1071 STRV_FOREACH(nv, *env) {
1072 pam_code = pam_putenv(handle, *nv);
2065ca69
JW		 1073 if (pam_code != PAM_SUCCESS)
1074 goto fail;
1075 }
1076
970edce6 1077 pam_code = pam_acct_mgmt(handle, flags);
f546241b 1078 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 1079 goto fail;
1080
970edce6 1081 pam_code = pam_open_session(handle, flags);
f546241b 1082 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 1083 goto fail;
1084
1085 close_session = true;
1086
f546241b
ZJS		 1087 e = pam_getenvlist(handle);
1088 if (!e) {
5b6319dc
LP		 1089 pam_code = PAM_BUF_ERR;
1090 goto fail;
1091 }
1092
1093 /* Block SIGTERM, so that we know that it won't get lost in
1094 * the child */
ce30c8dc 1095
72c0a2c2 1096 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
5b6319dc
LP		 1097
1098 parent_pid = getpid();
1099
f546241b 1100 pam_pid = fork();
7bb70b6e
LP		 1101 if (pam_pid < 0) {
1102 r = -errno;
5b6319dc 1103 goto fail;
7bb70b6e 1104 }
5b6319dc
LP		 1105
1106 if (pam_pid == 0) {
7bb70b6e 1107 int sig, ret = EXIT_PAM;
5b6319dc
LP		 1108
1109 /* The child's job is to reset the PAM session on
1110 * termination */
2d7c6aa2 1111 barrier_set_role(&barrier, BARRIER_CHILD);
5b6319dc
LP		 1112
1113 /* This string must fit in 10 chars (i.e. the length
5d6b1584
LP		 1114 * of "/sbin/init"), to look pretty in /bin/ps */
1115 rename_process("(sd-pam)");
5b6319dc
LP		 1116
1117 /* Make sure we don't keep open the passed fds in this
1118 child. We assume that otherwise only those fds are
1119 open here that have been opened by PAM. */
1120 close_many(fds, n_fds);
1121
940c5210
AK		 1122 /* Drop privileges - we don't need any to pam_close_session
1123 * and this will make PR_SET_PDEATHSIG work in most cases.
1124 * If this fails, ignore the error - but expect sd-pam threads
1125 * to fail to exit normally */
2d6fce8d 1126
97f0e76f
LP		 1127 r = maybe_setgroups(0, NULL);
1128 if (r < 0)
1129 log_warning_errno(r, "Failed to setgroups() in sd-pam: %m");
2d6fce8d
LP		 1130 if (setresgid(gid, gid, gid) < 0)
1131 log_warning_errno(errno, "Failed to setresgid() in sd-pam: %m");
940c5210 1132 if (setresuid(uid, uid, uid) < 0)
2d6fce8d 1133 log_warning_errno(errno, "Failed to setresuid() in sd-pam: %m");
940c5210 1134
ce30c8dc
LP		 1135 (void) ignore_signals(SIGPIPE, -1);
1136
940c5210
AK		 1137 /* Wait until our parent died. This will only work if
1138 * the above setresuid() succeeds, otherwise the kernel
1139 * will not allow unprivileged parents kill their privileged
1140 * children this way. We rely on the control groups kill logic
5b6319dc
LP		 1141 * to do the rest for us. */
1142 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
1143 goto child_finish;
1144
2d7c6aa2
DH		 1145 /* Tell the parent that our setup is done. This is especially
1146 * important regarding dropping privileges. Otherwise, unit
643f4706
ZJS		 1147 * setup might race against our setresuid(2) call.
1148 *
1149 * If the parent aborted, we'll detect this below, hence ignore
1150 * return failure here. */
1151 (void) barrier_place(&barrier);
2d7c6aa2 1152
643f4706 1153 /* Check if our parent process might already have died? */
5b6319dc 1154 if (getppid() == parent_pid) {
d6e5f3ad
DM		 1155 sigset_t ss;
1156
1157 assert_se(sigemptyset(&ss) >= 0);
1158 assert_se(sigaddset(&ss, SIGTERM) >= 0);
1159
3dead8d9
LP		 1160 for (;;) {
1161 if (sigwait(&ss, &sig) < 0) {
1162 if (errno == EINTR)
1163 continue;
1164
1165 goto child_finish;
1166 }
5b6319dc 1167
3dead8d9
LP		 1168 assert(sig == SIGTERM);
1169 break;
1170 }
5b6319dc
LP		 1171 }
1172
3dead8d9 1173 /* If our parent died we'll end the session */
f546241b 1174 if (getppid() != parent_pid) {
970edce6 1175 pam_code = pam_close_session(handle, flags);
f546241b 1176 if (pam_code != PAM_SUCCESS)
5b6319dc 1177 goto child_finish;
f546241b 1178 }
5b6319dc 1179
7bb70b6e 1180 ret = 0;
5b6319dc
LP		 1181
1182 child_finish:
970edce6 1183 pam_end(handle, pam_code | flags);
7bb70b6e 1184 _exit(ret);
5b6319dc
LP		 1185 }
1186
2d7c6aa2
DH		 1187 barrier_set_role(&barrier, BARRIER_PARENT);
1188
5b6319dc
LP		 1189 /* If the child was forked off successfully it will do all the
1190 * cleanups, so forget about the handle here. */
1191 handle = NULL;
1192
3b8bddde 1193 /* Unblock SIGTERM again in the parent */
72c0a2c2 1194 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
5b6319dc
LP		 1195
1196 /* We close the log explicitly here, since the PAM modules
1197 * might have opened it, but we don't want this fd around. */
1198 closelog();
1199
2d7c6aa2
DH		 1200 /* Synchronously wait for the child to initialize. We don't care for
1201 * errors as we cannot recover. However, warn loudly if it happens. */
1202 if (!barrier_place_and_sync(&barrier))
1203 log_error("PAM initialization failed");
1204
2065ca69
JW		 1205 strv_free(*env);
1206 *env = e;
aa87e624 1207
5b6319dc
LP		 1208 return 0;
1209
1210fail:
970edce6
ZJS		 1211 if (pam_code != PAM_SUCCESS) {
1212 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
7bb70b6e
LP		 1213 r = -EPERM; /* PAM errors do not map to errno */
1214 } else
1215 log_error_errno(r, "PAM failed: %m");
9ba35398 1216
5b6319dc
LP		 1217 if (handle) {
1218 if (close_session)
970edce6 1219 pam_code = pam_close_session(handle, flags);
5b6319dc 1220
970edce6 1221 pam_end(handle, pam_code | flags);
5b6319dc
LP		 1222 }
1223
1224 strv_free(e);
5b6319dc
LP		 1225 closelog();
1226
7bb70b6e 1227 return r;
cefc33ae
LP		 1228#else
1229 return 0;
5b6319dc 1230#endif
cefc33ae 1231}
5b6319dc 1232
5d6b1584
LP		 1233static void rename_process_from_path(const char *path) {
1234 char process_name[11];
1235 const char *p;
1236 size_t l;
1237
1238 /* This resulting string must fit in 10 chars (i.e. the length
1239 * of "/sbin/init") to look pretty in /bin/ps */
1240
2b6bf07d 1241 p = basename(path);
5d6b1584
LP		 1242 if (isempty(p)) {
1243 rename_process("(...)");
1244 return;
1245 }
1246
1247 l = strlen(p);
1248 if (l > 8) {
1249 /* The end of the process name is usually more
1250 * interesting, since the first bit might just be
1251 * "systemd-" */
1252 p = p + l - 8;
1253 l = 8;
1254 }
1255
1256 process_name[0] = '(';
1257 memcpy(process_name+1, p, l);
1258 process_name[1+l] = ')';
1259 process_name[1+l+1] = 0;
1260
1261 rename_process(process_name);
1262}
1263
469830d1
LP		 1264static bool context_has_address_families(const ExecContext *c) {
1265 assert(c);
1266
1267 return c->address_families_whitelist ||
1268 !set_isempty(c->address_families);
1269}
1270
1271static bool context_has_syscall_filters(const ExecContext *c) {
1272 assert(c);
1273
1274 return c->syscall_whitelist ||
1275 !set_isempty(c->syscall_filter);
1276}
1277
1278static bool context_has_no_new_privileges(const ExecContext *c) {
1279 assert(c);
1280
1281 if (c->no_new_privileges)
1282 return true;
1283
1284 if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
1285 return false;
1286
1287 /* We need NNP if we have any form of seccomp and are unprivileged */
1288 return context_has_address_families(c) ||
1289 c->memory_deny_write_execute ||
1290 c->restrict_realtime ||
1291 exec_context_restrict_namespaces_set(c) ||
1292 c->protect_kernel_tunables ||
1293 c->protect_kernel_modules ||
1294 c->private_devices ||
1295 context_has_syscall_filters(c) ||
1296 !set_isempty(c->syscall_archs);
1297}
1298
c0467cf3 1299#ifdef HAVE_SECCOMP
17df7223 1300
83f12b27 1301static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
f673b62d
LP		 1302
1303 if (is_seccomp_available())
1304 return false;
1305
1306 log_open();
1307 log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
1308 log_close();
1309 return true;
83f12b27
FS		 1310}
1311
469830d1
LP		 1312static int apply_syscall_filter(const Unit* u, const ExecContext *c) {
1313 uint32_t negative_action, default_action, action;
8351ceae 1314
469830d1 1315 assert(u);
c0467cf3 1316 assert(c);
8351ceae 1317
469830d1 1318 if (!context_has_syscall_filters(c))
83f12b27
FS		 1319 return 0;
1320
469830d1
LP		 1321 if (skip_seccomp_unavailable(u, "SystemCallFilter="))
1322 return 0;
e9642be2 1323
469830d1 1324 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
e9642be2 1325
469830d1
LP		 1326 if (c->syscall_whitelist) {
1327 default_action = negative_action;
1328 action = SCMP_ACT_ALLOW;
7c66bae2 1329 } else {
469830d1
LP		 1330 default_action = SCMP_ACT_ALLOW;
1331 action = negative_action;
57183d11 1332 }
8351ceae 1333
469830d1 1334 return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_filter, action);
4298d0b5
LP		 1335}
1336
469830d1
LP		 1337static int apply_syscall_archs(const Unit *u, const ExecContext *c) {
1338 assert(u);
4298d0b5
LP		 1339 assert(c);
1340
469830d1 1341 if (set_isempty(c->syscall_archs))
83f12b27
FS		 1342 return 0;
1343
469830d1
LP		 1344 if (skip_seccomp_unavailable(u, "SystemCallArchitectures="))
1345 return 0;
4298d0b5 1346
469830d1
LP		 1347 return seccomp_restrict_archs(c->syscall_archs);
1348}
4298d0b5 1349
469830d1
LP		 1350static int apply_address_families(const Unit* u, const ExecContext *c) {
1351 assert(u);
1352 assert(c);
4298d0b5 1353
469830d1
LP		 1354 if (!context_has_address_families(c))
1355 return 0;
4298d0b5 1356
469830d1
LP		 1357 if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
1358 return 0;
4298d0b5 1359
469830d1 1360 return seccomp_restrict_address_families(c->address_families, c->address_families_whitelist);
8351ceae 1361}
4298d0b5 1362
83f12b27 1363static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c) {
469830d1 1364 assert(u);
f3e43635
TM		 1365 assert(c);
1366
469830d1 1367 if (!c->memory_deny_write_execute)
83f12b27
FS		 1368 return 0;
1369
469830d1
LP		 1370 if (skip_seccomp_unavailable(u, "MemoryDenyWriteExecute="))
1371 return 0;
f3e43635 1372
469830d1 1373 return seccomp_memory_deny_write_execute();
f3e43635
TM		 1374}
1375
83f12b27 1376static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
469830d1 1377 assert(u);
f4170c67
LP		 1378 assert(c);
1379
469830d1 1380 if (!c->restrict_realtime)
83f12b27
FS		 1381 return 0;
1382
469830d1
LP		 1383 if (skip_seccomp_unavailable(u, "RestrictRealtime="))
1384 return 0;
f4170c67 1385
469830d1 1386 return seccomp_restrict_realtime();
f4170c67
LP		 1387}
1388
59e856c7 1389static int apply_protect_sysctl(const Unit *u, const ExecContext *c) {
469830d1 1390 assert(u);
59eeb84b
LP		 1391 assert(c);
1392
1393 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1394 * let's protect even those systems where this is left on in the kernel. */
1395
469830d1 1396 if (!c->protect_kernel_tunables)
59eeb84b
LP		 1397 return 0;
1398
469830d1
LP		 1399 if (skip_seccomp_unavailable(u, "ProtectKernelTunables="))
1400 return 0;
59eeb84b 1401
469830d1 1402 return seccomp_protect_sysctl();
59eeb84b
LP		 1403}
1404
59e856c7 1405static int apply_protect_kernel_modules(const Unit *u, const ExecContext *c) {
469830d1 1406 assert(u);
502d704e
DH		 1407 assert(c);
1408
25a8d8a0 1409 /* Turn off module syscalls on ProtectKernelModules=yes */
502d704e 1410
469830d1
LP		 1411 if (!c->protect_kernel_modules)
1412 return 0;
1413
502d704e
DH		 1414 if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
1415 return 0;
1416
469830d1 1417 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM));
502d704e
DH		 1418}
1419
59e856c7 1420static int apply_private_devices(const Unit *u, const ExecContext *c) {
469830d1 1421 assert(u);
ba128bb8
LP		 1422 assert(c);
1423
8f81a5f6 1424 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
ba128bb8 1425
469830d1
LP		 1426 if (!c->private_devices)
1427 return 0;
1428
ba128bb8
LP		 1429 if (skip_seccomp_unavailable(u, "PrivateDevices="))
1430 return 0;
1431
469830d1 1432 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
ba128bb8
LP		 1433}
1434
add00535 1435static int apply_restrict_namespaces(Unit *u, const ExecContext *c) {
469830d1 1436 assert(u);
add00535
LP		 1437 assert(c);
1438
1439 if (!exec_context_restrict_namespaces_set(c))
1440 return 0;
1441
1442 if (skip_seccomp_unavailable(u, "RestrictNamespaces="))
1443 return 0;
1444
1445 return seccomp_restrict_namespaces(c->restrict_namespaces);
1446}
1447
c0467cf3 1448#endif
8351ceae 1449
31a7eb86
ZJS		 1450static void do_idle_pipe_dance(int idle_pipe[4]) {
1451 assert(idle_pipe);
1452
54eb2300
LP		 1453 idle_pipe[1] = safe_close(idle_pipe[1]);
1454 idle_pipe[2] = safe_close(idle_pipe[2]);
31a7eb86
ZJS		 1455
1456 if (idle_pipe[0] >= 0) {
1457 int r;
1458
1459 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1460
1461 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
c7cc737f
LP		 1462 ssize_t n;
1463
31a7eb86 1464 /* Signal systemd that we are bored and want to continue. */
c7cc737f
LP		 1465 n = write(idle_pipe[3], "x", 1);
1466 if (n > 0)
cd972d69
ZJS		 1467 /* Wait for systemd to react to the signal above. */
1468 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
31a7eb86
ZJS		 1469 }
1470
54eb2300 1471 idle_pipe[0] = safe_close(idle_pipe[0]);
31a7eb86
ZJS		 1472
1473 }
1474
54eb2300 1475 idle_pipe[3] = safe_close(idle_pipe[3]);
31a7eb86
ZJS		 1476}
1477
7cae38c4 1478static int build_environment(
fd63e712 1479 Unit *u,
9fa95f85 1480 const ExecContext *c,
1e22b5cd 1481 const ExecParameters *p,
7cae38c4
LP		 1482 unsigned n_fds,
1483 const char *home,
1484 const char *username,
1485 const char *shell,
7bce046b
LP		 1486 dev_t journal_stream_dev,
1487 ino_t journal_stream_ino,
7cae38c4
LP		 1488 char ***ret) {
1489
1490 _cleanup_strv_free_ char **our_env = NULL;
1491 unsigned n_env = 0;
1492 char *x;
1493
4b58153d 1494 assert(u);
7cae38c4
LP		 1495 assert(c);
1496 assert(ret);
1497
4b58153d 1498 our_env = new0(char*, 14);
7cae38c4
LP		 1499 if (!our_env)
1500 return -ENOMEM;
1501
1502 if (n_fds > 0) {
8dd4c05b
LP		 1503 _cleanup_free_ char *joined = NULL;
1504
ccd06097 1505 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
7cae38c4
LP		 1506 return -ENOMEM;
1507 our_env[n_env++] = x;
1508
1509 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1510 return -ENOMEM;
1511 our_env[n_env++] = x;
8dd4c05b 1512
1e22b5cd 1513 joined = strv_join(p->fd_names, ":");
8dd4c05b
LP		 1514 if (!joined)
1515 return -ENOMEM;
1516
605405c6 1517 x = strjoin("LISTEN_FDNAMES=", joined);
8dd4c05b
LP		 1518 if (!x)
1519 return -ENOMEM;
1520 our_env[n_env++] = x;
7cae38c4
LP		 1521 }
1522
b08af3b1 1523 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
ccd06097 1524 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
09812eb7
LP		 1525 return -ENOMEM;
1526 our_env[n_env++] = x;
1527
1e22b5cd 1528 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
09812eb7
LP		 1529 return -ENOMEM;
1530 our_env[n_env++] = x;
1531 }
1532
fd63e712
LP		 1533 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1534 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1535 * check the database directly. */
1536 if (unit_has_name(u, SPECIAL_DBUS_SERVICE)) {
1537 x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1538 if (!x)
1539 return -ENOMEM;
1540 our_env[n_env++] = x;
1541 }
1542
7cae38c4
LP		 1543 if (home) {
1544 x = strappend("HOME=", home);
1545 if (!x)
1546 return -ENOMEM;
1547 our_env[n_env++] = x;
1548 }
1549
1550 if (username) {
1551 x = strappend("LOGNAME=", username);
1552 if (!x)
1553 return -ENOMEM;
1554 our_env[n_env++] = x;
1555
1556 x = strappend("USER=", username);
1557 if (!x)
1558 return -ENOMEM;
1559 our_env[n_env++] = x;
1560 }
1561
1562 if (shell) {
1563 x = strappend("SHELL=", shell);
1564 if (!x)
1565 return -ENOMEM;
1566 our_env[n_env++] = x;
1567 }
1568
4b58153d
LP		 1569 if (!sd_id128_is_null(u->invocation_id)) {
1570 if (asprintf(&x, "INVOCATION_ID=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(u->invocation_id)) < 0)
1571 return -ENOMEM;
1572
1573 our_env[n_env++] = x;
1574 }
1575
6af760f3
LP		 1576 if (exec_context_needs_term(c)) {
1577 const char *tty_path, *term = NULL;
1578
1579 tty_path = exec_context_tty_path(c);
1580
1581 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try to inherit
1582 * the $TERM set for PID 1. This is useful for containers so that the $TERM the container manager
1583 * passes to PID 1 ends up all the way in the console login shown. */
1584
1585 if (path_equal(tty_path, "/dev/console") && getppid() == 1)
1586 term = getenv("TERM");
1587 if (!term)
1588 term = default_term_for_tty(tty_path);
7cae38c4 1589
6af760f3 1590 x = strappend("TERM=", term);
7cae38c4
LP		 1591 if (!x)
1592 return -ENOMEM;
1593 our_env[n_env++] = x;
1594 }
1595
7bce046b
LP		 1596 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1597 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1598 return -ENOMEM;
1599
1600 our_env[n_env++] = x;
1601 }
1602
7cae38c4 1603 our_env[n_env++] = NULL;
7bce046b 1604 assert(n_env <= 12);
7cae38c4
LP		 1605
1606 *ret = our_env;
1607 our_env = NULL;
1608
1609 return 0;
1610}
1611
b4c14404
FB		 1612static int build_pass_environment(const ExecContext *c, char ***ret) {
1613 _cleanup_strv_free_ char **pass_env = NULL;
1614 size_t n_env = 0, n_bufsize = 0;
1615 char **i;
1616
1617 STRV_FOREACH(i, c->pass_environment) {
1618 _cleanup_free_ char *x = NULL;
1619 char *v;
1620
1621 v = getenv(*i);
1622 if (!v)
1623 continue;
605405c6 1624 x = strjoin(*i, "=", v);
b4c14404
FB		 1625 if (!x)
1626 return -ENOMEM;
1627 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1628 return -ENOMEM;
1629 pass_env[n_env++] = x;
1630 pass_env[n_env] = NULL;
1631 x = NULL;
1632 }
1633
1634 *ret = pass_env;
1635 pass_env = NULL;
1636
1637 return 0;
1638}
1639
8b44a3d2
LP		 1640static bool exec_needs_mount_namespace(
1641 const ExecContext *context,
1642 const ExecParameters *params,
1643 ExecRuntime *runtime) {
1644
1645 assert(context);
1646 assert(params);
1647
915e6d16
LP		 1648 if (context->root_image)
1649 return true;
1650
2a624c36
AP		 1651 if (!strv_isempty(context->read_write_paths) ||
1652 !strv_isempty(context->read_only_paths) ||
1653 !strv_isempty(context->inaccessible_paths))
8b44a3d2
LP		 1654 return true;
1655
d2d6c096
LP		 1656 if (context->n_bind_mounts > 0)
1657 return true;
1658
8b44a3d2
LP		 1659 if (context->mount_flags != 0)
1660 return true;
1661
1662 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1663 return true;
1664
8b44a3d2
LP		 1665 if (context->private_devices ||
1666 context->protect_system != PROTECT_SYSTEM_NO ||
59eeb84b
LP		 1667 context->protect_home != PROTECT_HOME_NO ||
1668 context->protect_kernel_tunables ||
c575770b 1669 context->protect_kernel_modules ||
59eeb84b 1670 context->protect_control_groups)
8b44a3d2
LP		 1671 return true;
1672
5d997827
LP		 1673 if (context->mount_apivfs)
1674 return true;
1675
8b44a3d2
LP		 1676 return false;
1677}
1678
d251207d
LP		 1679static int setup_private_users(uid_t uid, gid_t gid) {
1680 _cleanup_free_ char *uid_map = NULL, *gid_map = NULL;
1681 _cleanup_close_pair_ int errno_pipe[2] = { -1, -1 };
1682 _cleanup_close_ int unshare_ready_fd = -1;
1683 _cleanup_(sigkill_waitp) pid_t pid = 0;
1684 uint64_t c = 1;
1685 siginfo_t si;
1686 ssize_t n;
1687 int r;
1688
1689 /* Set up a user namespace and map root to root, the selected UID/GID to itself, and everything else to
1690 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1691 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1692 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1693 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
1694 * continues execution normally. */
1695
587ab01b
ZJS		 1696 if (uid != 0 && uid_is_valid(uid)) {
1697 r = asprintf(&uid_map,
1698 "0 0 1\n" /* Map root → root */
1699 UID_FMT " " UID_FMT " 1\n", /* Map $UID → $UID */
1700 uid, uid);
1701 if (r < 0)
1702 return -ENOMEM;
1703 } else {
e0f3720e 1704 uid_map = strdup("0 0 1\n"); /* The case where the above is the same */
587ab01b
ZJS		 1705 if (!uid_map)
1706 return -ENOMEM;
1707 }
d251207d 1708
587ab01b
ZJS		 1709 if (gid != 0 && gid_is_valid(gid)) {
1710 r = asprintf(&gid_map,
1711 "0 0 1\n" /* Map root → root */
1712 GID_FMT " " GID_FMT " 1\n", /* Map $GID → $GID */
1713 gid, gid);
1714 if (r < 0)
1715 return -ENOMEM;
1716 } else {
d251207d 1717 gid_map = strdup("0 0 1\n"); /* The case where the above is the same */
587ab01b
ZJS		 1718 if (!gid_map)
1719 return -ENOMEM;
1720 }
d251207d
LP		 1721
1722 /* Create a communication channel so that the parent can tell the child when it finished creating the user
1723 * namespace. */
1724 unshare_ready_fd = eventfd(0, EFD_CLOEXEC);
1725 if (unshare_ready_fd < 0)
1726 return -errno;
1727
1728 /* Create a communication channel so that the child can tell the parent a proper error code in case it
1729 * failed. */
1730 if (pipe2(errno_pipe, O_CLOEXEC) < 0)
1731 return -errno;
1732
1733 pid = fork();
1734 if (pid < 0)
1735 return -errno;
1736
1737 if (pid == 0) {
1738 _cleanup_close_ int fd = -1;
1739 const char *a;
1740 pid_t ppid;
1741
1742 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
1743 * here, after the parent opened its own user namespace. */
1744
1745 ppid = getppid();
1746 errno_pipe[0] = safe_close(errno_pipe[0]);
1747
1748 /* Wait until the parent unshared the user namespace */
1749 if (read(unshare_ready_fd, &c, sizeof(c)) < 0) {
1750 r = -errno;
1751 goto child_fail;
1752 }
1753
1754 /* Disable the setgroups() system call in the child user namespace, for good. */
1755 a = procfs_file_alloca(ppid, "setgroups");
1756 fd = open(a, O_WRONLY|O_CLOEXEC);
1757 if (fd < 0) {
1758 if (errno != ENOENT) {
1759 r = -errno;
1760 goto child_fail;
1761 }
1762
1763 /* If the file is missing the kernel is too old, let's continue anyway. */
1764 } else {
1765 if (write(fd, "deny\n", 5) < 0) {
1766 r = -errno;
1767 goto child_fail;
1768 }
1769
1770 fd = safe_close(fd);
1771 }
1772
1773 /* First write the GID map */
1774 a = procfs_file_alloca(ppid, "gid_map");
1775 fd = open(a, O_WRONLY|O_CLOEXEC);
1776 if (fd < 0) {
1777 r = -errno;
1778 goto child_fail;
1779 }
1780 if (write(fd, gid_map, strlen(gid_map)) < 0) {
1781 r = -errno;
1782 goto child_fail;
1783 }
1784 fd = safe_close(fd);
1785
1786 /* The write the UID map */
1787 a = procfs_file_alloca(ppid, "uid_map");
1788 fd = open(a, O_WRONLY|O_CLOEXEC);
1789 if (fd < 0) {
1790 r = -errno;
1791 goto child_fail;
1792 }
1793 if (write(fd, uid_map, strlen(uid_map)) < 0) {
1794 r = -errno;
1795 goto child_fail;
1796 }
1797
1798 _exit(EXIT_SUCCESS);
1799
1800 child_fail:
1801 (void) write(errno_pipe[1], &r, sizeof(r));
1802 _exit(EXIT_FAILURE);
1803 }
1804
1805 errno_pipe[1] = safe_close(errno_pipe[1]);
1806
1807 if (unshare(CLONE_NEWUSER) < 0)
1808 return -errno;
1809
1810 /* Let the child know that the namespace is ready now */
1811 if (write(unshare_ready_fd, &c, sizeof(c)) < 0)
1812 return -errno;
1813
1814 /* Try to read an error code from the child */
1815 n = read(errno_pipe[0], &r, sizeof(r));
1816 if (n < 0)
1817 return -errno;
1818 if (n == sizeof(r)) { /* an error code was sent to us */
1819 if (r < 0)
1820 return r;
1821 return -EIO;
1822 }
1823 if (n != 0) /* on success we should have read 0 bytes */
1824 return -EIO;
1825
1826 r = wait_for_terminate(pid, &si);
1827 if (r < 0)
1828 return r;
1829 pid = 0;
1830
1831 /* If something strange happened with the child, let's consider this fatal, too */
1832 if (si.si_code != CLD_EXITED || si.si_status != 0)
1833 return -EIO;
1834
1835 return 0;
1836}
1837
07689d5d
LP		 1838static int setup_runtime_directory(
1839 const ExecContext *context,
1840 const ExecParameters *params,
1841 uid_t uid,
1842 gid_t gid) {
1843
1844 char **rt;
1845 int r;
1846
1847 assert(context);
1848 assert(params);
1849
1850 STRV_FOREACH(rt, context->runtime_directory) {
1851 _cleanup_free_ char *p;
1852
605405c6 1853 p = strjoin(params->runtime_prefix, "/", *rt);
07689d5d
LP		 1854 if (!p)
1855 return -ENOMEM;
1856
1857 r = mkdir_p_label(p, context->runtime_directory_mode);
1858 if (r < 0)
1859 return r;
1860
1861 r = chmod_and_chown(p, context->runtime_directory_mode, uid, gid);
1862 if (r < 0)
1863 return r;
1864 }
1865
1866 return 0;
1867}
1868
cefc33ae
LP		 1869static int setup_smack(
1870 const ExecContext *context,
1871 const ExecCommand *command) {
1872
1873#ifdef HAVE_SMACK
1874 int r;
1875
1876 assert(context);
1877 assert(command);
1878
1879 if (!mac_smack_use())
1880 return 0;
1881
1882 if (context->smack_process_label) {
1883 r = mac_smack_apply_pid(0, context->smack_process_label);
1884 if (r < 0)
1885 return r;
1886 }
1887#ifdef SMACK_DEFAULT_PROCESS_LABEL
1888 else {
1889 _cleanup_free_ char *exec_label = NULL;
1890
1891 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
1892 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP)
1893 return r;
1894
1895 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
1896 if (r < 0)
1897 return r;
1898 }
1899#endif
1900#endif
1901
1902 return 0;
1903}
1904
3fbe8dbe
LP		 1905static int compile_read_write_paths(
1906 const ExecContext *context,
1907 const ExecParameters *params,
1908 char ***ret) {
1909
1910 _cleanup_strv_free_ char **l = NULL;
1911 char **rt;
1912
06ec51d8
ZJS		 1913 /* Compile the list of writable paths. This is the combination of
1914 * the explicitly configured paths, plus all runtime directories. */
3fbe8dbe
LP		 1915
1916 if (strv_isempty(context->read_write_paths) &&
1917 strv_isempty(context->runtime_directory)) {
1918 *ret = NULL; /* NOP if neither is set */
1919 return 0;
1920 }
1921
1922 l = strv_copy(context->read_write_paths);
1923 if (!l)
1924 return -ENOMEM;
1925
1926 STRV_FOREACH(rt, context->runtime_directory) {
1927 char *s;
1928
605405c6 1929 s = strjoin(params->runtime_prefix, "/", *rt);
3fbe8dbe
LP		 1930 if (!s)
1931 return -ENOMEM;
1932
1933 if (strv_consume(&l, s) < 0)
1934 return -ENOMEM;
1935 }
1936
1937 *ret = l;
1938 l = NULL;
1939
1940 return 0;
1941}
1942
6818c54c
LP		 1943static int apply_mount_namespace(
1944 Unit *u,
1945 ExecCommand *command,
1946 const ExecContext *context,
1947 const ExecParameters *params,
1948 ExecRuntime *runtime) {
1949
06ec51d8 1950 _cleanup_strv_free_ char **rw = NULL;
93c6bb51 1951 char *tmp = NULL, *var = NULL;
915e6d16 1952 const char *root_dir = NULL, *root_image = NULL;
93c6bb51 1953 NameSpaceInfo ns_info = {
af964954 1954 .ignore_protect_paths = false,
93c6bb51
DH		 1955 .private_dev = context->private_devices,
1956 .protect_control_groups = context->protect_control_groups,
1957 .protect_kernel_tunables = context->protect_kernel_tunables,
1958 .protect_kernel_modules = context->protect_kernel_modules,
5d997827 1959 .mount_apivfs = context->mount_apivfs,
93c6bb51 1960 };
6818c54c
LP		 1961 bool apply_restrictions;
1962 int r;
93c6bb51 1963
2b3c1b9e
DH		 1964 assert(context);
1965
93c6bb51
DH		 1966 /* The runtime struct only contains the parent of the private /tmp,
1967 * which is non-accessible to world users. Inside of it there's a /tmp
1968 * that is sticky, and that's the one we want to use here. */
1969
1970 if (context->private_tmp && runtime) {
1971 if (runtime->tmp_dir)
1972 tmp = strjoina(runtime->tmp_dir, "/tmp");
1973 if (runtime->var_tmp_dir)
1974 var = strjoina(runtime->var_tmp_dir, "/tmp");
1975 }
1976
1977 r = compile_read_write_paths(context, params, &rw);
1978 if (r < 0)
1979 return r;
1980
915e6d16
LP		 1981 if (params->flags & EXEC_APPLY_CHROOT) {
1982 root_image = context->root_image;
1983
1984 if (!root_image)
1985 root_dir = context->root_directory;
1986 }
93c6bb51 1987
af964954
DH		 1988 /*
1989 * If DynamicUser=no and RootDirectory= is set then lets pass a relaxed
1990 * sandbox info, otherwise enforce it, don't ignore protected paths and
1991 * fail if we are enable to apply the sandbox inside the mount namespace.
1992 */
1993 if (!context->dynamic_user && root_dir)
1994 ns_info.ignore_protect_paths = true;
1995
6818c54c
LP		 1996 apply_restrictions = (params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged;
1997
915e6d16
LP		 1998 r = setup_namespace(root_dir, root_image,
1999 &ns_info, rw,
6818c54c
LP		 2000 apply_restrictions ? context->read_only_paths : NULL,
2001 apply_restrictions ? context->inaccessible_paths : NULL,
d2d6c096
LP		 2002 context->bind_mounts,
2003 context->n_bind_mounts,
93c6bb51
DH		 2004 tmp,
2005 var,
6818c54c
LP		 2006 apply_restrictions ? context->protect_home : PROTECT_HOME_NO,
2007 apply_restrictions ? context->protect_system : PROTECT_SYSTEM_NO,
915e6d16
LP		 2008 context->mount_flags,
2009 DISSECT_IMAGE_DISCARD_ON_LOOP);
93c6bb51
DH		 2010
2011 /* If we couldn't set up the namespace this is probably due to a
2012 * missing capability. In this case, silently proceeed. */
2013 if (IN_SET(r, -EPERM, -EACCES)) {
2014 log_open();
2015 log_unit_debug_errno(u, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
2016 log_close();
2017 r = 0;
2018 }
2019
2020 return r;
2021}
2022
915e6d16
LP		 2023static int apply_working_directory(
2024 const ExecContext *context,
2025 const ExecParameters *params,
2026 const char *home,
376fecf6
LP		 2027 const bool needs_mount_ns,
2028 int *exit_status) {
915e6d16 2029
6732edab 2030 const char *d, *wd;
2b3c1b9e
DH		 2031
2032 assert(context);
376fecf6 2033 assert(exit_status);
2b3c1b9e 2034
6732edab
LP		 2035 if (context->working_directory_home) {
2036
376fecf6
LP		 2037 if (!home) {
2038 *exit_status = EXIT_CHDIR;
6732edab 2039 return -ENXIO;
376fecf6 2040 }
6732edab 2041
2b3c1b9e 2042 wd = home;
6732edab
LP		 2043
2044 } else if (context->working_directory)
2b3c1b9e
DH		 2045 wd = context->working_directory;
2046 else
2047 wd = "/";
e7f1e7c6
DH		 2048
2049 if (params->flags & EXEC_APPLY_CHROOT) {
2050 if (!needs_mount_ns && context->root_directory)
376fecf6
LP		 2051 if (chroot(context->root_directory) < 0) {
2052 *exit_status = EXIT_CHROOT;
e7f1e7c6 2053 return -errno;
376fecf6 2054 }
e7f1e7c6 2055
2b3c1b9e
DH		 2056 d = wd;
2057 } else
3b0e5bb5 2058 d = prefix_roota(context->root_directory, wd);
e7f1e7c6 2059
376fecf6
LP		 2060 if (chdir(d) < 0 && !context->working_directory_missing_ok) {
2061 *exit_status = EXIT_CHDIR;
2b3c1b9e 2062 return -errno;
376fecf6 2063 }
e7f1e7c6
DH		 2064
2065 return 0;
2066}
2067
74dd6b51
LP		 2068static int setup_keyring(Unit *u, const ExecParameters *p, uid_t uid, gid_t gid) {
2069 key_serial_t keyring;
2070
2071 assert(u);
2072 assert(p);
2073
2074 /* Let's set up a new per-service "session" kernel keyring for each system service. This has the benefit that
2075 * each service runs with its own keyring shared among all processes of the service, but with no hook-up beyond
2076 * that scope, and in particular no link to the per-UID keyring. If we don't do this the keyring will be
2077 * automatically created on-demand and then linked to the per-UID keyring, by the kernel. The kernel's built-in
2078 * on-demand behaviour is very appropriate for login users, but probably not so much for system services, where
2079 * UIDs are not necessarily specific to a service but reused (at least in the case of UID 0). */
2080
2081 if (!(p->flags & EXEC_NEW_KEYRING))
2082 return 0;
2083
2084 keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0);
2085 if (keyring == -1) {
2086 if (errno == ENOSYS)
2087 log_debug_errno(errno, "Kernel keyring not supported, ignoring.");
2088 else if (IN_SET(errno, EACCES, EPERM))
2089 log_debug_errno(errno, "Kernel keyring access prohibited, ignoring.");
2090 else if (errno == EDQUOT)
2091 log_debug_errno(errno, "Out of kernel keyrings to allocate, ignoring.");
2092 else
2093 return log_error_errno(errno, "Setting up kernel keyring failed: %m");
2094
2095 return 0;
2096 }
2097
b3415f5d
LP		 2098 /* Populate they keyring with the invocation ID by default. */
2099 if (!sd_id128_is_null(u->invocation_id)) {
2100 key_serial_t key;
2101
2102 key = add_key("user", "invocation_id", &u->invocation_id, sizeof(u->invocation_id), KEY_SPEC_SESSION_KEYRING);
2103 if (key == -1)
2104 log_debug_errno(errno, "Failed to add invocation ID to keyring, ignoring: %m");
2105 else {
2106 if (keyctl(KEYCTL_SETPERM, key,
2107 KEY_POS_VIEW|KEY_POS_READ|KEY_POS_SEARCH|
2108 KEY_USR_VIEW|KEY_USR_READ|KEY_USR_SEARCH, 0, 0) < 0)
2109 return log_error_errno(errno, "Failed to restrict invocation ID permission: %m");
2110 }
2111 }
2112
74dd6b51
LP		 2113 /* And now, make the keyring owned by the service's user */
2114 if (uid_is_valid(uid) || gid_is_valid(gid))
2115 if (keyctl(KEYCTL_CHOWN, keyring, uid, gid, 0) < 0)
2116 return log_error_errno(errno, "Failed to change ownership of session keyring: %m");
2117
2118 return 0;
2119}
2120
29206d46
LP		 2121static void append_socket_pair(int *array, unsigned *n, int pair[2]) {
2122 assert(array);
2123 assert(n);
2124
2125 if (!pair)
2126 return;
2127
2128 if (pair[0] >= 0)
2129 array[(*n)++] = pair[0];
2130 if (pair[1] >= 0)
2131 array[(*n)++] = pair[1];
2132}
2133
a34ceba6
LP		 2134static int close_remaining_fds(
2135 const ExecParameters *params,
2136 ExecRuntime *runtime,
29206d46 2137 DynamicCreds *dcreds,
00d9ef85 2138 int user_lookup_fd,
a34ceba6
LP		 2139 int socket_fd,
2140 int *fds, unsigned n_fds) {
2141
2142 unsigned n_dont_close = 0;
00d9ef85 2143 int dont_close[n_fds + 12];
a34ceba6
LP		 2144
2145 assert(params);
2146
2147 if (params->stdin_fd >= 0)
2148 dont_close[n_dont_close++] = params->stdin_fd;
2149 if (params->stdout_fd >= 0)
2150 dont_close[n_dont_close++] = params->stdout_fd;
2151 if (params->stderr_fd >= 0)
2152 dont_close[n_dont_close++] = params->stderr_fd;
2153
2154 if (socket_fd >= 0)
2155 dont_close[n_dont_close++] = socket_fd;
2156 if (n_fds > 0) {
2157 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
2158 n_dont_close += n_fds;
2159 }
2160
29206d46
LP		 2161 if (runtime)
2162 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
2163
2164 if (dcreds) {
2165 if (dcreds->user)
2166 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
2167 if (dcreds->group)
2168 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
a34ceba6
LP		 2169 }
2170
00d9ef85
LP		 2171 if (user_lookup_fd >= 0)
2172 dont_close[n_dont_close++] = user_lookup_fd;
2173
a34ceba6
LP		 2174 return close_all_fds(dont_close, n_dont_close);
2175}
2176
00d9ef85
LP		 2177static int send_user_lookup(
2178 Unit *unit,
2179 int user_lookup_fd,
2180 uid_t uid,
2181 gid_t gid) {
2182
2183 assert(unit);
2184
2185 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
2186 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
2187 * specified. */
2188
2189 if (user_lookup_fd < 0)
2190 return 0;
2191
2192 if (!uid_is_valid(uid) && !gid_is_valid(gid))
2193 return 0;
2194
2195 if (writev(user_lookup_fd,
2196 (struct iovec[]) {
2197 { .iov_base = &uid, .iov_len = sizeof(uid) },
2198 { .iov_base = &gid, .iov_len = sizeof(gid) },
2199 { .iov_base = unit->id, .iov_len = strlen(unit->id) }}, 3) < 0)
2200 return -errno;
2201
2202 return 0;
2203}
2204
6732edab
LP		 2205static int acquire_home(const ExecContext *c, uid_t uid, const char** home, char **buf) {
2206 int r;
2207
2208 assert(c);
2209 assert(home);
2210 assert(buf);
2211
2212 /* If WorkingDirectory=~ is set, try to acquire a usable home directory. */
2213
2214 if (*home)
2215 return 0;
2216
2217 if (!c->working_directory_home)
2218 return 0;
2219
2220 if (uid == 0) {
2221 /* Hardcode /root as home directory for UID 0 */
2222 *home = "/root";
2223 return 1;
2224 }
2225
2226 r = get_home_dir(buf);
2227 if (r < 0)
2228 return r;
2229
2230 *home = *buf;
2231 return 1;
2232}
2233
ff0af2a1 2234static int exec_child(
f2341e0a 2235 Unit *unit,
ff0af2a1
LP		 2236 ExecCommand *command,
2237 const ExecContext *context,
2238 const ExecParameters *params,
2239 ExecRuntime *runtime,
29206d46 2240 DynamicCreds *dcreds,
ff0af2a1
LP		 2241 char **argv,
2242 int socket_fd,
52c239d7 2243 int named_iofds[3],
ff0af2a1
LP		 2244 int *fds, unsigned n_fds,
2245 char **files_env,
00d9ef85 2246 int user_lookup_fd,
70dd455c
ZJS		 2247 int *exit_status,
2248 char **error_message) {
d35fbf6b 2249
2065ca69 2250 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **final_argv = NULL;
6732edab 2251 _cleanup_free_ char *mac_selinux_context_net = NULL, *home_buffer = NULL;
4d885bd3
DH		 2252 _cleanup_free_ gid_t *supplementary_gids = NULL;
2253 const char *username = NULL, *groupname = NULL;
2b3c1b9e 2254 const char *home = NULL, *shell = NULL;
7bce046b
LP		 2255 dev_t journal_stream_dev = 0;
2256 ino_t journal_stream_ino = 0;
2257 bool needs_mount_namespace;
fed1e721
LP		 2258 uid_t uid = UID_INVALID;
2259 gid_t gid = GID_INVALID;
4d885bd3 2260 int i, r, ngids = 0;
034c6ed7 2261
f2341e0a 2262 assert(unit);
5cb5a6ff
LP		 2263 assert(command);
2264 assert(context);
d35fbf6b 2265 assert(params);
ff0af2a1 2266 assert(exit_status);
70dd455c
ZJS		 2267 assert(error_message);
2268 /* We don't always set error_message, hence it must be initialized */
2269 assert(*error_message == NULL);
d35fbf6b
DM		 2270
2271 rename_process_from_path(command->path);
2272
2273 /* We reset exactly these signals, since they are the
2274 * only ones we set to SIG_IGN in the main daemon. All
2275 * others we leave untouched because we set them to
2276 * SIG_DFL or a valid handler initially, both of which
2277 * will be demoted to SIG_DFL. */
ce30c8dc
LP		 2278 (void) default_signals(SIGNALS_CRASH_HANDLER,
2279 SIGNALS_IGNORE, -1);
d35fbf6b
DM		 2280
2281 if (context->ignore_sigpipe)
ce30c8dc 2282 (void) ignore_signals(SIGPIPE, -1);
d35fbf6b 2283
ff0af2a1
LP		 2284 r = reset_signal_mask();
2285 if (r < 0) {
2286 *exit_status = EXIT_SIGNAL_MASK;
70dd455c
ZJS		 2287 *error_message = strdup("Failed to reset signal mask");
2288 /* If strdup fails, here and below, we will just print the generic error message. */
ff0af2a1 2289 return r;
d35fbf6b 2290 }
034c6ed7 2291
d35fbf6b
DM		 2292 if (params->idle_pipe)
2293 do_idle_pipe_dance(params->idle_pipe);
4f2d528d 2294
d35fbf6b
DM		 2295 /* Close sockets very early to make sure we don't
2296 * block init reexecution because it cannot bind its
2297 * sockets */
ff0af2a1 2298
d35fbf6b 2299 log_forget_fds();
4f2d528d 2300
00d9ef85 2301 r = close_remaining_fds(params, runtime, dcreds, user_lookup_fd, socket_fd, fds, n_fds);
ff0af2a1
LP		 2302 if (r < 0) {
2303 *exit_status = EXIT_FDS;
70dd455c 2304 *error_message = strdup("Failed to close remaining fds");
ff0af2a1 2305 return r;
8c7be95e
LP		 2306 }
2307
d35fbf6b
DM		 2308 if (!context->same_pgrp)
2309 if (setsid() < 0) {
ff0af2a1 2310 *exit_status = EXIT_SETSID;
d35fbf6b
DM		 2311 return -errno;
2312 }
9e2f7c11 2313
1e22b5cd 2314 exec_context_tty_reset(context, params);
d35fbf6b 2315
c891efaf 2316 if (unit_shall_confirm_spawn(unit)) {
7d5ceb64 2317 const char *vc = params->confirm_spawn;
3b20f877
FB		 2318 _cleanup_free_ char *cmdline = NULL;
2319
2320 cmdline = exec_command_line(argv);
2321 if (!cmdline) {
2322 *exit_status = EXIT_CONFIRM;
2323 return -ENOMEM;
2324 }
d35fbf6b 2325
eedf223a 2326 r = ask_for_confirmation(vc, unit, cmdline);
3b20f877
FB		 2327 if (r != CONFIRM_EXECUTE) {
2328 if (r == CONFIRM_PRETEND_SUCCESS) {
2329 *exit_status = EXIT_SUCCESS;
2330 return 0;
2331 }
ff0af2a1 2332 *exit_status = EXIT_CONFIRM;
70dd455c 2333 *error_message = strdup("Execution cancelled");
d35fbf6b 2334 return -ECANCELED;
d35fbf6b
DM		 2335 }
2336 }
1a63a750 2337
29206d46
LP		 2338 if (context->dynamic_user && dcreds) {
2339
409093fe
LP		 2340 /* Make sure we bypass our own NSS module for any NSS checks */
2341 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
2342 *exit_status = EXIT_USER;
70dd455c 2343 *error_message = strdup("Failed to update environment");
409093fe
LP		 2344 return -errno;
2345 }
2346
29206d46 2347 r = dynamic_creds_realize(dcreds, &uid, &gid);
ff0af2a1
LP		 2348 if (r < 0) {
2349 *exit_status = EXIT_USER;
70dd455c 2350 *error_message = strdup("Failed to update dynamic user credentials");
ff0af2a1 2351 return r;
524daa8c 2352 }
524daa8c 2353
70dd455c 2354 if (!uid_is_valid(uid)) {
29206d46 2355 *exit_status = EXIT_USER;
70dd455c
ZJS		 2356 (void) asprintf(error_message, "UID validation failed for \""UID_FMT"\"", uid);
2357 /* If asprintf fails, here and below, we will just print the generic error message. */
2358 return -ESRCH;
2359 }
2360
2361 if (!gid_is_valid(gid)) {
2362 *exit_status = EXIT_USER;
2363 (void) asprintf(error_message, "GID validation failed for \""GID_FMT"\"", gid);
29206d46
LP		 2364 return -ESRCH;
2365 }
5bc7452b 2366
29206d46
LP		 2367 if (dcreds->user)
2368 username = dcreds->user->name;
2369
2370 } else {
4d885bd3
DH		 2371 r = get_fixed_user(context, &username, &uid, &gid, &home, &shell);
2372 if (r < 0) {
2373 *exit_status = EXIT_USER;
70dd455c 2374 *error_message = strdup("Failed to determine user credentials");
4d885bd3 2375 return r;
5bc7452b 2376 }
5bc7452b 2377
4d885bd3
DH		 2378 r = get_fixed_group(context, &groupname, &gid);
2379 if (r < 0) {
2380 *exit_status = EXIT_GROUP;
70dd455c 2381 *error_message = strdup("Failed to determine group credentials");
4d885bd3
DH		 2382 return r;
2383 }
cdc5d5c5 2384 }
29206d46 2385
cdc5d5c5
DH		 2386 /* Initialize user supplementary groups and get SupplementaryGroups= ones */
2387 r = get_supplementary_groups(context, username, groupname, gid,
2388 &supplementary_gids, &ngids);
2389 if (r < 0) {
2390 *exit_status = EXIT_GROUP;
70dd455c 2391 *error_message = strdup("Failed to determine supplementary groups");
cdc5d5c5 2392 return r;
29206d46 2393 }
5bc7452b 2394
00d9ef85
LP		 2395 r = send_user_lookup(unit, user_lookup_fd, uid, gid);
2396 if (r < 0) {
2397 *exit_status = EXIT_USER;
70dd455c 2398 *error_message = strdup("Failed to send user credentials to PID1");
00d9ef85
LP		 2399 return r;
2400 }
2401
2402 user_lookup_fd = safe_close(user_lookup_fd);
2403
6732edab
LP		 2404 r = acquire_home(context, uid, &home, &home_buffer);
2405 if (r < 0) {
2406 *exit_status = EXIT_CHDIR;
2407 *error_message = strdup("Failed to determine $HOME for user");
2408 return r;
2409 }
2410
d35fbf6b
DM		 2411 /* If a socket is connected to STDIN/STDOUT/STDERR, we
2412 * must sure to drop O_NONBLOCK */
2413 if (socket_fd >= 0)
a34ceba6 2414 (void) fd_nonblock(socket_fd, false);
acbb0225 2415
52c239d7 2416 r = setup_input(context, params, socket_fd, named_iofds);
ff0af2a1
LP		 2417 if (r < 0) {
2418 *exit_status = EXIT_STDIN;
70dd455c 2419 *error_message = strdup("Failed to set up stdin");
ff0af2a1 2420 return r;
d35fbf6b 2421 }
034c6ed7 2422
52c239d7 2423 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 2424 if (r < 0) {
2425 *exit_status = EXIT_STDOUT;
70dd455c 2426 *error_message = strdup("Failed to set up stdout");
ff0af2a1 2427 return r;
d35fbf6b
DM		 2428 }
2429
52c239d7 2430 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 2431 if (r < 0) {
2432 *exit_status = EXIT_STDERR;
70dd455c 2433 *error_message = strdup("Failed to set up stderr");
ff0af2a1 2434 return r;
d35fbf6b
DM		 2435 }
2436
2437 if (params->cgroup_path) {
ff0af2a1
LP		 2438 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
2439 if (r < 0) {
2440 *exit_status = EXIT_CGROUP;
70dd455c 2441 (void) asprintf(error_message, "Failed to attach to cgroup %s", params->cgroup_path);
ff0af2a1 2442 return r;
309bff19 2443 }
d35fbf6b 2444 }
309bff19 2445
d35fbf6b 2446 if (context->oom_score_adjust_set) {
d5243d62 2447 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
f2b68789 2448
d5243d62
LP		 2449 /* When we can't make this change due to EPERM, then
2450 * let's silently skip over it. User namespaces
2451 * prohibit write access to this file, and we
2452 * shouldn't trip up over that. */
613b411c 2453
d5243d62 2454 sprintf(t, "%i", context->oom_score_adjust);
ad118bda 2455 r = write_string_file("/proc/self/oom_score_adj", t, 0);
6cb7fa17 2456 if (r == -EPERM || r == -EACCES) {
ff0af2a1 2457 log_open();
f2341e0a 2458 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
ff0af2a1
LP		 2459 log_close();
2460 } else if (r < 0) {
2461 *exit_status = EXIT_OOM_ADJUST;
70dd455c 2462 *error_message = strdup("Failed to write /proc/self/oom_score_adj");
d35fbf6b 2463 return -errno;
613b411c 2464 }
d35fbf6b
DM		 2465 }
2466
2467 if (context->nice_set)
2468 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
ff0af2a1 2469 *exit_status = EXIT_NICE;
d35fbf6b 2470 return -errno;
613b411c
LP		 2471 }
2472
d35fbf6b
DM		 2473 if (context->cpu_sched_set) {
2474 struct sched_param param = {
2475 .sched_priority = context->cpu_sched_priority,
2476 };
2477
ff0af2a1
LP		 2478 r = sched_setscheduler(0,
2479 context->cpu_sched_policy |
2480 (context->cpu_sched_reset_on_fork ?
2481 SCHED_RESET_ON_FORK : 0),
2482 &param);
2483 if (r < 0) {
2484 *exit_status = EXIT_SETSCHEDULER;
d35fbf6b 2485 return -errno;
fc9b2a84 2486 }
d35fbf6b 2487 }
fc9b2a84 2488
d35fbf6b
DM		 2489 if (context->cpuset)
2490 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
ff0af2a1 2491 *exit_status = EXIT_CPUAFFINITY;
d35fbf6b 2492 return -errno;
034c6ed7
LP		 2493 }
2494
d35fbf6b
DM		 2495 if (context->ioprio_set)
2496 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
ff0af2a1 2497 *exit_status = EXIT_IOPRIO;
d35fbf6b
DM		 2498 return -errno;
2499 }
da726a4d 2500
d35fbf6b
DM		 2501 if (context->timer_slack_nsec != NSEC_INFINITY)
2502 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
ff0af2a1 2503 *exit_status = EXIT_TIMERSLACK;
d35fbf6b 2504 return -errno;
4c2630eb 2505 }
9eba9da4 2506
050f7277 2507 if (context->personality != PERSONALITY_INVALID)
d35fbf6b 2508 if (personality(context->personality) < 0) {
ff0af2a1 2509 *exit_status = EXIT_PERSONALITY;
d35fbf6b 2510 return -errno;
4c2630eb 2511 }
94f04347 2512
d35fbf6b 2513 if (context->utmp_id)
6a93917d
ZJS		 2514 utmp_put_init_process(context->utmp_id, getpid(), getsid(0),
2515 context->tty_path,
023a4f67
LP		 2516 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
2517 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
2518 USER_PROCESS,
6a93917d 2519 username);
d35fbf6b 2520
e0d2adfd 2521 if (context->user) {
ff0af2a1
LP		 2522 r = chown_terminal(STDIN_FILENO, uid);
2523 if (r < 0) {
2524 *exit_status = EXIT_STDIN;
2525 return r;
071830ff 2526 }
d35fbf6b 2527 }
8e274523 2528
a931ad47
LP		 2529 /* If delegation is enabled we'll pass ownership of the cgroup
2530 * (but only in systemd's own controller hierarchy!) to the
2531 * user of the new process. */
2532 if (params->cgroup_path && context->user && params->cgroup_delegate) {
ff0af2a1
LP		 2533 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
2534 if (r < 0) {
2535 *exit_status = EXIT_CGROUP;
2536 return r;
d35fbf6b 2537 }
034c6ed7 2538
034c6ed7 2539
ff0af2a1
LP		 2540 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
2541 if (r < 0) {
2542 *exit_status = EXIT_CGROUP;
2543 return r;
034c6ed7 2544 }
d35fbf6b 2545 }
034c6ed7 2546
d35fbf6b 2547 if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
07689d5d
LP		 2548 r = setup_runtime_directory(context, params, uid, gid);
2549 if (r < 0) {
2550 *exit_status = EXIT_RUNTIME_DIRECTORY;
2551 return r;
d35fbf6b
DM		 2552 }
2553 }
94f04347 2554
7bce046b 2555 r = build_environment(
fd63e712 2556 unit,
7bce046b
LP		 2557 context,
2558 params,
2559 n_fds,
2560 home,
2561 username,
2562 shell,
2563 journal_stream_dev,
2564 journal_stream_ino,
2565 &our_env);
2065ca69
JW		 2566 if (r < 0) {
2567 *exit_status = EXIT_MEMORY;
2568 return r;
2569 }
2570
2571 r = build_pass_environment(context, &pass_env);
2572 if (r < 0) {
2573 *exit_status = EXIT_MEMORY;
2574 return r;
2575 }
2576
2577 accum_env = strv_env_merge(5,
2578 params->environment,
2579 our_env,
2580 pass_env,
2581 context->environment,
2582 files_env,
2583 NULL);
2584 if (!accum_env) {
2585 *exit_status = EXIT_MEMORY;
2586 return -ENOMEM;
2587 }
1280503b 2588 accum_env = strv_env_clean(accum_env);
2065ca69 2589
096424d1 2590 (void) umask(context->umask);
b213e1c1 2591
74dd6b51
LP		 2592 r = setup_keyring(unit, params, uid, gid);
2593 if (r < 0) {
2594 *exit_status = EXIT_KEYRING;
2595 return r;
2596 }
2597
c39f1ce2 2598 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
b213e1c1 2599 if (context->pam_name && username) {
2d6fce8d 2600 r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds);
b213e1c1
SW		 2601 if (r < 0) {
2602 *exit_status = EXIT_PAM;
2603 return r;
2604 }
d35fbf6b 2605 }
b213e1c1 2606 }
ac45f971 2607
d35fbf6b 2608 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
ff0af2a1
LP		 2609 r = setup_netns(runtime->netns_storage_socket);
2610 if (r < 0) {
2611 *exit_status = EXIT_NETWORK;
2612 return r;
d35fbf6b
DM		 2613 }
2614 }
169c1bda 2615
ee818b89 2616 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
ee818b89 2617 if (needs_mount_namespace) {
6818c54c 2618 r = apply_mount_namespace(unit, command, context, params, runtime);
3fbe8dbe
LP		 2619 if (r < 0) {
2620 *exit_status = EXIT_NAMESPACE;
2621 return r;
2622 }
d35fbf6b 2623 }
81a2b7ce 2624
50b3dfb9 2625 /* Apply just after mount namespace setup */
376fecf6
LP		 2626 r = apply_working_directory(context, params, home, needs_mount_namespace, exit_status);
2627 if (r < 0)
50b3dfb9 2628 return r;
50b3dfb9 2629
bbeea271 2630 /* Drop groups as early as possbile */
096424d1 2631 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
4d885bd3 2632 r = enforce_groups(context, gid, supplementary_gids, ngids);
096424d1
LP		 2633 if (r < 0) {
2634 *exit_status = EXIT_GROUP;
2635 return r;
2636 }
2637 }
2638
9008e1ac 2639#ifdef HAVE_SELINUX
c39f1ce2
LP		 2640 if ((params->flags & EXEC_APPLY_PERMISSIONS) &&
2641 mac_selinux_use() &&
2642 params->selinux_context_net &&
2643 socket_fd >= 0 &&
2644 !command->privileged) {
2645
ff0af2a1
LP		 2646 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
2647 if (r < 0) {
2648 *exit_status = EXIT_SELINUX_CONTEXT;
2649 return r;
9008e1ac
MS		 2650 }
2651 }
2652#endif
2653
d87a2ef7 2654 if ((params->flags & EXEC_APPLY_PERMISSIONS) && context->private_users) {
d251207d
LP		 2655 r = setup_private_users(uid, gid);
2656 if (r < 0) {
2657 *exit_status = EXIT_USER;
2658 return r;
2659 }
2660 }
2661
d35fbf6b
DM		 2662 /* We repeat the fd closing here, to make sure that
2663 * nothing is leaked from the PAM modules. Note that
2664 * we are more aggressive this time since socket_fd
e44da745
DM		 2665 * and the netns fds we don't need anymore. The custom
2666 * endpoint fd was needed to upload the policy and can
2667 * now be closed as well. */
ff0af2a1
LP		 2668 r = close_all_fds(fds, n_fds);
2669 if (r >= 0)
2670 r = shift_fds(fds, n_fds);
2671 if (r >= 0)
2672 r = flags_fds(fds, n_fds, context->non_blocking);
2673 if (r < 0) {
2674 *exit_status = EXIT_FDS;
2675 return r;
d35fbf6b 2676 }
e66cf1a3 2677
c39f1ce2 2678 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
e66cf1a3 2679
755d4b67
IP		 2680 int secure_bits = context->secure_bits;
2681
d35fbf6b 2682 for (i = 0; i < _RLIMIT_MAX; i++) {
03857c43 2683
d35fbf6b
DM		 2684 if (!context->rlimit[i])
2685 continue;
2686
03857c43
LP		 2687 r = setrlimit_closest(i, context->rlimit[i]);
2688 if (r < 0) {
ff0af2a1 2689 *exit_status = EXIT_LIMITS;
03857c43 2690 return r;
e66cf1a3
LP		 2691 }
2692 }
2693
f4170c67
LP		 2694 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */
2695 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
2696 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
2697 *exit_status = EXIT_LIMITS;
2698 return -errno;
2699 }
2700 }
2701
a103496c
IP		 2702 if (!cap_test_all(context->capability_bounding_set)) {
2703 r = capability_bounding_set_drop(context->capability_bounding_set, false);
ff0af2a1
LP		 2704 if (r < 0) {
2705 *exit_status = EXIT_CAPABILITIES;
70dd455c 2706 *error_message = strdup("Failed to drop capabilities");
ff0af2a1 2707 return r;
3b8bddde 2708 }
4c2630eb 2709 }
3b8bddde 2710
755d4b67
IP		 2711 /* This is done before enforce_user, but ambient set
2712 * does not survive over setresuid() if keep_caps is not set. */
2713 if (context->capability_ambient_set != 0) {
2714 r = capability_ambient_set_apply(context->capability_ambient_set, true);
2715 if (r < 0) {
2716 *exit_status = EXIT_CAPABILITIES;
70dd455c 2717 *error_message = strdup("Failed to apply ambient capabilities (before UID change)");
755d4b67
IP		 2718 return r;
2719 }
755d4b67
IP		 2720 }
2721
d35fbf6b 2722 if (context->user) {
ff0af2a1
LP		 2723 r = enforce_user(context, uid);
2724 if (r < 0) {
2725 *exit_status = EXIT_USER;
70dd455c 2726 (void) asprintf(error_message, "Failed to change UID to "UID_FMT, uid);
ff0af2a1 2727 return r;
5b6319dc 2728 }
755d4b67
IP		 2729 if (context->capability_ambient_set != 0) {
2730
2731 /* Fix the ambient capabilities after user change. */
2732 r = capability_ambient_set_apply(context->capability_ambient_set, false);
2733 if (r < 0) {
2734 *exit_status = EXIT_CAPABILITIES;
70dd455c 2735 *error_message = strdup("Failed to apply ambient capabilities (after UID change)");
755d4b67
IP		 2736 return r;
2737 }
2738
2739 /* If we were asked to change user and ambient capabilities
2740 * were requested, we had to add keep-caps to the securebits
2741 * so that we would maintain the inherited capability set
2742 * through the setresuid(). Make sure that the bit is added
2743 * also to the context secure_bits so that we don't try to
2744 * drop the bit away next. */
2745
7f508f2c 2746 secure_bits |= 1<<SECURE_KEEP_CAPS;
755d4b67 2747 }
5b6319dc 2748 }
d35fbf6b 2749
5cd9cd35
LP		 2750 /* Apply the MAC contexts late, but before seccomp syscall filtering, as those should really be last to
2751 * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
2752 * syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
2753 * are restricted. */
2754
2755#ifdef HAVE_SELINUX
2756 if (mac_selinux_use()) {
2757 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
2758
2759 if (exec_context) {
2760 r = setexeccon(exec_context);
2761 if (r < 0) {
2762 *exit_status = EXIT_SELINUX_CONTEXT;
70dd455c 2763 (void) asprintf(error_message, "Failed to set SELinux context to %s", exec_context);
5cd9cd35
LP		 2764 return r;
2765 }
2766 }
2767 }
2768#endif
2769
2770 r = setup_smack(context, command);
2771 if (r < 0) {
2772 *exit_status = EXIT_SMACK_PROCESS_LABEL;
70dd455c 2773 *error_message = strdup("Failed to set SMACK process label");
5cd9cd35
LP		 2774 return r;
2775 }
2776
2777#ifdef HAVE_APPARMOR
2778 if (context->apparmor_profile && mac_apparmor_use()) {
2779 r = aa_change_onexec(context->apparmor_profile);
2780 if (r < 0 && !context->apparmor_profile_ignore) {
2781 *exit_status = EXIT_APPARMOR_PROFILE;
70dd455c
ZJS		 2782 (void) asprintf(error_message,
2783 "Failed to prepare AppArmor profile change to %s",
2784 context->apparmor_profile);
5cd9cd35
LP		 2785 return -errno;
2786 }
2787 }
2788#endif
2789
d35fbf6b
DM		 2790 /* PR_GET_SECUREBITS is not privileged, while
2791 * PR_SET_SECUREBITS is. So to suppress
2792 * potential EPERMs we'll try not to call
2793 * PR_SET_SECUREBITS unless necessary. */
755d4b67
IP		 2794 if (prctl(PR_GET_SECUREBITS) != secure_bits)
2795 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
ff0af2a1 2796 *exit_status = EXIT_SECUREBITS;
70dd455c 2797 *error_message = strdup("Failed to set secure bits");
d35fbf6b 2798 return -errno;
ff01d048 2799 }
5b6319dc 2800
59eeb84b 2801 if (context_has_no_new_privileges(context))
d35fbf6b 2802 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
ff0af2a1 2803 *exit_status = EXIT_NO_NEW_PRIVILEGES;
70dd455c 2804 *error_message = strdup("Failed to disable new privileges");
d35fbf6b
DM		 2805 return -errno;
2806 }
2807
2808#ifdef HAVE_SECCOMP
469830d1
LP		 2809 r = apply_address_families(unit, context);
2810 if (r < 0) {
2811 *exit_status = EXIT_ADDRESS_FAMILIES;
5b3637b4 2812 *error_message = strdup("Failed to restrict address families");
469830d1 2813 return r;
4c2630eb 2814 }
04aa0cb9 2815
469830d1
LP		 2816 r = apply_memory_deny_write_execute(unit, context);
2817 if (r < 0) {
2818 *exit_status = EXIT_SECCOMP;
5b3637b4 2819 *error_message = strdup("Failed to disable writing to executable memory");
469830d1 2820 return r;
f3e43635 2821 }
f4170c67 2822
469830d1
LP		 2823 r = apply_restrict_realtime(unit, context);
2824 if (r < 0) {
2825 *exit_status = EXIT_SECCOMP;
5b3637b4 2826 *error_message = strdup("Failed to apply realtime restrictions");
469830d1 2827 return r;
f4170c67
LP		 2828 }
2829
add00535
LP		 2830 r = apply_restrict_namespaces(unit, context);
2831 if (r < 0) {
2832 *exit_status = EXIT_SECCOMP;
70dd455c 2833 *error_message = strdup("Failed to apply namespace restrictions");
add00535
LP		 2834 return r;
2835 }
2836
469830d1
LP		 2837 r = apply_protect_sysctl(unit, context);
2838 if (r < 0) {
2839 *exit_status = EXIT_SECCOMP;
5b3637b4 2840 *error_message = strdup("Failed to apply sysctl restrictions");
469830d1 2841 return r;
502d704e
DH		 2842 }
2843
469830d1
LP		 2844 r = apply_protect_kernel_modules(unit, context);
2845 if (r < 0) {
2846 *exit_status = EXIT_SECCOMP;
5b3637b4 2847 *error_message = strdup("Failed to apply module loading restrictions");
469830d1 2848 return r;
59eeb84b
LP		 2849 }
2850
469830d1
LP		 2851 r = apply_private_devices(unit, context);
2852 if (r < 0) {
2853 *exit_status = EXIT_SECCOMP;
5b3637b4 2854 *error_message = strdup("Failed to set up private devices");
469830d1
LP		 2855 return r;
2856 }
2857
2858 r = apply_syscall_archs(unit, context);
2859 if (r < 0) {
2860 *exit_status = EXIT_SECCOMP;
5b3637b4 2861 *error_message = strdup("Failed to apply syscall architecture restrictions");
469830d1 2862 return r;
ba128bb8
LP		 2863 }
2864
5cd9cd35
LP		 2865 /* This really should remain the last step before the execve(), to make sure our own code is unaffected
2866 * by the filter as little as possible. */
469830d1
LP		 2867 r = apply_syscall_filter(unit, context);
2868 if (r < 0) {
2869 *exit_status = EXIT_SECCOMP;
5b3637b4 2870 *error_message = strdup("Failed to apply syscall filters");
469830d1 2871 return r;
d35fbf6b
DM		 2872 }
2873#endif
d35fbf6b 2874 }
034c6ed7 2875
2065ca69 2876 final_argv = replace_env_argv(argv, accum_env);
d35fbf6b 2877 if (!final_argv) {
ff0af2a1 2878 *exit_status = EXIT_MEMORY;
70dd455c 2879 *error_message = strdup("Failed to prepare process arguments");
d35fbf6b
DM		 2880 return -ENOMEM;
2881 }
034c6ed7 2882
553d2243 2883 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
d35fbf6b 2884 _cleanup_free_ char *line;
81a2b7ce 2885
d35fbf6b
DM		 2886 line = exec_command_line(final_argv);
2887 if (line) {
2888 log_open();
f2341e0a
LP		 2889 log_struct(LOG_DEBUG,
2890 LOG_UNIT_ID(unit),
2891 "EXECUTABLE=%s", command->path,
2892 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
2893 NULL);
d35fbf6b
DM		 2894 log_close();
2895 }
2896 }
dd305ec9 2897
2065ca69 2898 execve(command->path, final_argv, accum_env);
ff0af2a1 2899 *exit_status = EXIT_EXEC;
d35fbf6b
DM		 2900 return -errno;
2901}
81a2b7ce 2902
f2341e0a
LP		 2903int exec_spawn(Unit *unit,
2904 ExecCommand *command,
d35fbf6b
DM		 2905 const ExecContext *context,
2906 const ExecParameters *params,
2907 ExecRuntime *runtime,
29206d46 2908 DynamicCreds *dcreds,
d35fbf6b 2909 pid_t *ret) {
8351ceae 2910
d35fbf6b
DM		 2911 _cleanup_strv_free_ char **files_env = NULL;
2912 int *fds = NULL; unsigned n_fds = 0;
ff0af2a1
LP		 2913 _cleanup_free_ char *line = NULL;
2914 int socket_fd, r;
52c239d7 2915 int named_iofds[3] = { -1, -1, -1 };
ff0af2a1 2916 char **argv;
d35fbf6b 2917 pid_t pid;
8351ceae 2918
f2341e0a 2919 assert(unit);
d35fbf6b
DM		 2920 assert(command);
2921 assert(context);
2922 assert(ret);
2923 assert(params);
2924 assert(params->fds || params->n_fds <= 0);
4298d0b5 2925
d35fbf6b
DM		 2926 if (context->std_input == EXEC_INPUT_SOCKET ||
2927 context->std_output == EXEC_OUTPUT_SOCKET ||
2928 context->std_error == EXEC_OUTPUT_SOCKET) {
17df7223 2929
ff0af2a1 2930 if (params->n_fds != 1) {
f2341e0a 2931 log_unit_error(unit, "Got more than one socket.");
d35fbf6b 2932 return -EINVAL;
ff0af2a1 2933 }
eef65bf3 2934
d35fbf6b
DM		 2935 socket_fd = params->fds[0];
2936 } else {
2937 socket_fd = -1;
2938 fds = params->fds;
2939 n_fds = params->n_fds;
2940 }
94f04347 2941
52c239d7
LB		 2942 r = exec_context_named_iofds(unit, context, params, named_iofds);
2943 if (r < 0)
2944 return log_unit_error_errno(unit, r, "Failed to load a named file descriptor: %m");
2945
f2341e0a 2946 r = exec_context_load_environment(unit, context, &files_env);
ff0af2a1 2947 if (r < 0)
f2341e0a 2948 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
034c6ed7 2949
d35fbf6b 2950 argv = params->argv ?: command->argv;
d35fbf6b
DM		 2951 line = exec_command_line(argv);
2952 if (!line)
2953 return log_oom();
fab56fc5 2954
f2341e0a
LP		 2955 log_struct(LOG_DEBUG,
2956 LOG_UNIT_ID(unit),
2957 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
2958 "EXECUTABLE=%s", command->path,
2959 NULL);
d35fbf6b
DM		 2960 pid = fork();
2961 if (pid < 0)
74129a12 2962 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
d35fbf6b
DM		 2963
2964 if (pid == 0) {
ff0af2a1 2965 int exit_status;
70dd455c 2966 _cleanup_free_ char *error_message = NULL;
ff0af2a1 2967
f2341e0a
LP		 2968 r = exec_child(unit,
2969 command,
ff0af2a1
LP		 2970 context,
2971 params,
2972 runtime,
29206d46 2973 dcreds,
ff0af2a1
LP		 2974 argv,
2975 socket_fd,
52c239d7 2976 named_iofds,
ff0af2a1
LP		 2977 fds, n_fds,
2978 files_env,
00d9ef85 2979 unit->manager->user_lookup_fds[1],
70dd455c
ZJS		 2980 &exit_status,
2981 &error_message);
ff0af2a1 2982 if (r < 0) {
4c2630eb 2983 log_open();
70dd455c
ZJS		 2984 if (error_message)
2985 log_struct_errno(LOG_ERR, r,
2b044526 2986 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
70dd455c
ZJS		 2987 LOG_UNIT_ID(unit),
2988 LOG_UNIT_MESSAGE(unit, "%s: %m",
2989 error_message),
2990 "EXECUTABLE=%s", command->path,
2991 NULL);
2992 else
2993 log_struct_errno(LOG_ERR, r,
2b044526 2994 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
70dd455c
ZJS		 2995 LOG_UNIT_ID(unit),
2996 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
2997 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
2998 command->path),
2999 "EXECUTABLE=%s", command->path,
3000 NULL);
4c2630eb
MS		 3001 }
3002
ff0af2a1 3003 _exit(exit_status);
034c6ed7
LP		 3004 }
3005
f2341e0a 3006 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
23635a85 3007
80876c20
LP		 3008 /* We add the new process to the cgroup both in the child (so
3009 * that we can be sure that no user code is ever executed
3010 * outside of the cgroup) and in the parent (so that we can be
3011 * sure that when we kill the cgroup the process will be
3012 * killed too). */
d35fbf6b 3013 if (params->cgroup_path)
dd305ec9 3014 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
2da3263a 3015
b58b4116 3016 exec_status_start(&command->exec_status, pid);
9fb86720 3017
034c6ed7 3018 *ret = pid;
5cb5a6ff
LP		 3019 return 0;
3020}
3021
034c6ed7
LP		 3022void exec_context_init(ExecContext *c) {
3023 assert(c);
3024
4c12626c 3025 c->umask = 0022;
9eba9da4 3026 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
94f04347 3027 c->cpu_sched_policy = SCHED_OTHER;
071830ff 3028 c->syslog_priority = LOG_DAEMON|LOG_INFO;
74922904 3029 c->syslog_level_prefix = true;
353e12c2 3030 c->ignore_sigpipe = true;
3a43da28 3031 c->timer_slack_nsec = NSEC_INFINITY;
050f7277 3032 c->personality = PERSONALITY_INVALID;
e66cf1a3 3033 c->runtime_directory_mode = 0755;
a103496c 3034 c->capability_bounding_set = CAP_ALL;
add00535 3035 c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
034c6ed7
LP		 3036}
3037
613b411c 3038void exec_context_done(ExecContext *c) {
5cb5a6ff
LP		 3039 unsigned l;
3040
3041 assert(c);
3042
6796073e
LP		 3043 c->environment = strv_free(c->environment);
3044 c->environment_files = strv_free(c->environment_files);
b4c14404 3045 c->pass_environment = strv_free(c->pass_environment);
8c7be95e 3046
1f6b4113 3047 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
a1e58e8e 3048 c->rlimit[l] = mfree(c->rlimit[l]);
034c6ed7 3049
52c239d7
LB		 3050 for (l = 0; l < 3; l++)
3051 c->stdio_fdname[l] = mfree(c->stdio_fdname[l]);
3052
a1e58e8e
LP		 3053 c->working_directory = mfree(c->working_directory);
3054 c->root_directory = mfree(c->root_directory);
915e6d16 3055 c->root_image = mfree(c->root_image);
a1e58e8e
LP		 3056 c->tty_path = mfree(c->tty_path);
3057 c->syslog_identifier = mfree(c->syslog_identifier);
3058 c->user = mfree(c->user);
3059 c->group = mfree(c->group);
034c6ed7 3060
6796073e 3061 c->supplementary_groups = strv_free(c->supplementary_groups);
94f04347 3062
a1e58e8e 3063 c->pam_name = mfree(c->pam_name);
5b6319dc 3064
2a624c36
AP		 3065 c->read_only_paths = strv_free(c->read_only_paths);
3066 c->read_write_paths = strv_free(c->read_write_paths);
3067 c->inaccessible_paths = strv_free(c->inaccessible_paths);
82c121a4 3068
d2d6c096
LP		 3069 bind_mount_free_many(c->bind_mounts, c->n_bind_mounts);
3070
82c121a4
LP		 3071 if (c->cpuset)
3072 CPU_FREE(c->cpuset);
86a3475b 3073
a1e58e8e
LP		 3074 c->utmp_id = mfree(c->utmp_id);
3075 c->selinux_context = mfree(c->selinux_context);
3076 c->apparmor_profile = mfree(c->apparmor_profile);
eef65bf3 3077
525d3cc7
LP		 3078 c->syscall_filter = set_free(c->syscall_filter);
3079 c->syscall_archs = set_free(c->syscall_archs);
3080 c->address_families = set_free(c->address_families);
e66cf1a3 3081
6796073e 3082 c->runtime_directory = strv_free(c->runtime_directory);
e66cf1a3
LP		 3083}
3084
3085int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
3086 char **i;
3087
3088 assert(c);
3089
3090 if (!runtime_prefix)
3091 return 0;
3092
3093 STRV_FOREACH(i, c->runtime_directory) {
3094 _cleanup_free_ char *p;
3095
605405c6 3096 p = strjoin(runtime_prefix, "/", *i);
e66cf1a3
LP		 3097 if (!p)
3098 return -ENOMEM;
3099
3100 /* We execute this synchronously, since we need to be
3101 * sure this is gone when we start the service
3102 * next. */
c6878637 3103 (void) rm_rf(p, REMOVE_ROOT);
e66cf1a3
LP		 3104 }
3105
3106 return 0;
5cb5a6ff
LP		 3107}
3108
43d0fcbd
LP		 3109void exec_command_done(ExecCommand *c) {
3110 assert(c);
3111
a1e58e8e 3112 c->path = mfree(c->path);
43d0fcbd 3113
6796073e 3114 c->argv = strv_free(c->argv);
43d0fcbd
LP		 3115}
3116
3117void exec_command_done_array(ExecCommand *c, unsigned n) {
3118 unsigned i;
3119
3120 for (i = 0; i < n; i++)
3121 exec_command_done(c+i);
3122}
3123
f1acf85a 3124ExecCommand* exec_command_free_list(ExecCommand *c) {
5cb5a6ff
LP		 3125 ExecCommand *i;
3126
3127 while ((i = c)) {
71fda00f 3128 LIST_REMOVE(command, c, i);
43d0fcbd 3129 exec_command_done(i);
5cb5a6ff
LP		 3130 free(i);
3131 }
f1acf85a
ZJS		 3132
3133 return NULL;
5cb5a6ff
LP		 3134}
3135
034c6ed7
LP		 3136void exec_command_free_array(ExecCommand **c, unsigned n) {
3137 unsigned i;
3138
f1acf85a
ZJS		 3139 for (i = 0; i < n; i++)
3140 c[i] = exec_command_free_list(c[i]);
034c6ed7
LP		 3141}
3142
039f0e70 3143typedef struct InvalidEnvInfo {
f2341e0a 3144 Unit *unit;
039f0e70
LP		 3145 const char *path;
3146} InvalidEnvInfo;
3147
3148static void invalid_env(const char *p, void *userdata) {
3149 InvalidEnvInfo *info = userdata;
3150
f2341e0a 3151 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
039f0e70
LP		 3152}
3153
52c239d7
LB		 3154const char* exec_context_fdname(const ExecContext *c, int fd_index) {
3155 assert(c);
3156
3157 switch (fd_index) {
3158 case STDIN_FILENO:
3159 if (c->std_input != EXEC_INPUT_NAMED_FD)
3160 return NULL;
3161 return c->stdio_fdname[STDIN_FILENO] ?: "stdin";
3162 case STDOUT_FILENO:
3163 if (c->std_output != EXEC_OUTPUT_NAMED_FD)
3164 return NULL;
3165 return c->stdio_fdname[STDOUT_FILENO] ?: "stdout";
3166 case STDERR_FILENO:
3167 if (c->std_error != EXEC_OUTPUT_NAMED_FD)
3168 return NULL;
3169 return c->stdio_fdname[STDERR_FILENO] ?: "stderr";
3170 default:
3171 return NULL;
3172 }
3173}
3174
3175int exec_context_named_iofds(Unit *unit, const ExecContext *c, const ExecParameters *p, int named_iofds[3]) {
3176 unsigned i, targets;
56fbd561 3177 const char* stdio_fdname[3];
52c239d7
LB		 3178
3179 assert(c);
3180 assert(p);
3181
3182 targets = (c->std_input == EXEC_INPUT_NAMED_FD) +
3183 (c->std_output == EXEC_OUTPUT_NAMED_FD) +
3184 (c->std_error == EXEC_OUTPUT_NAMED_FD);
3185
3186 for (i = 0; i < 3; i++)
3187 stdio_fdname[i] = exec_context_fdname(c, i);
3188
3189 for (i = 0; i < p->n_fds && targets > 0; i++)
56fbd561
ZJS		 3190 if (named_iofds[STDIN_FILENO] < 0 &&
3191 c->std_input == EXEC_INPUT_NAMED_FD &&
3192 stdio_fdname[STDIN_FILENO] &&
3193 streq(p->fd_names[i], stdio_fdname[STDIN_FILENO])) {
3194
52c239d7
LB		 3195 named_iofds[STDIN_FILENO] = p->fds[i];
3196 targets--;
56fbd561
ZJS		 3197
3198 } else if (named_iofds[STDOUT_FILENO] < 0 &&
3199 c->std_output == EXEC_OUTPUT_NAMED_FD &&
3200 stdio_fdname[STDOUT_FILENO] &&
3201 streq(p->fd_names[i], stdio_fdname[STDOUT_FILENO])) {
3202
52c239d7
LB		 3203 named_iofds[STDOUT_FILENO] = p->fds[i];
3204 targets--;
56fbd561
ZJS		 3205
3206 } else if (named_iofds[STDERR_FILENO] < 0 &&
3207 c->std_error == EXEC_OUTPUT_NAMED_FD &&
3208 stdio_fdname[STDERR_FILENO] &&
3209 streq(p->fd_names[i], stdio_fdname[STDERR_FILENO])) {
3210
52c239d7
LB		 3211 named_iofds[STDERR_FILENO] = p->fds[i];
3212 targets--;
3213 }
3214
56fbd561 3215 return targets == 0 ? 0 : -ENOENT;
52c239d7
LB		 3216}
3217
f2341e0a 3218int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
8c7be95e
LP		 3219 char **i, **r = NULL;
3220
3221 assert(c);
3222 assert(l);
3223
3224 STRV_FOREACH(i, c->environment_files) {
3225 char *fn;
3226 int k;
3227 bool ignore = false;
3228 char **p;
7fd1b19b 3229 _cleanup_globfree_ glob_t pglob = {};
2bef10ab 3230 int count, n;
8c7be95e
LP		 3231
3232 fn = *i;
3233
3234 if (fn[0] == '-') {
3235 ignore = true;
313cefa1 3236 fn++;
8c7be95e
LP		 3237 }
3238
3239 if (!path_is_absolute(fn)) {
8c7be95e
LP		 3240 if (ignore)
3241 continue;
3242
3243 strv_free(r);
3244 return -EINVAL;
3245 }
3246
2bef10ab 3247 /* Filename supports globbing, take all matching files */
2bef10ab
PL		 3248 errno = 0;
3249 if (glob(fn, 0, NULL, &pglob) != 0) {
2bef10ab
PL		 3250 if (ignore)
3251 continue;
8c7be95e 3252
2bef10ab 3253 strv_free(r);
f5e5c28f 3254 return errno > 0 ? -errno : -EINVAL;
2bef10ab
PL		 3255 }
3256 count = pglob.gl_pathc;
3257 if (count == 0) {
8c7be95e
LP		 3258 if (ignore)
3259 continue;
3260
3261 strv_free(r);
2bef10ab 3262 return -EINVAL;
8c7be95e 3263 }
2bef10ab 3264 for (n = 0; n < count; n++) {
717603e3 3265 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
2bef10ab
PL		 3266 if (k < 0) {
3267 if (ignore)
3268 continue;
8c7be95e 3269
2bef10ab 3270 strv_free(r);
2bef10ab 3271 return k;
e9c1ea9d 3272 }
ebc05a09 3273 /* Log invalid environment variables with filename */
039f0e70
LP		 3274 if (p) {
3275 InvalidEnvInfo info = {
f2341e0a 3276 .unit = unit,
039f0e70
LP		 3277 .path = pglob.gl_pathv[n]
3278 };
3279
3280 p = strv_env_clean_with_callback(p, invalid_env, &info);
3281 }
8c7be95e 3282
2bef10ab
PL		 3283 if (r == NULL)
3284 r = p;
3285 else {
3286 char **m;
8c7be95e 3287
2bef10ab
PL		 3288 m = strv_env_merge(2, r, p);
3289 strv_free(r);
3290 strv_free(p);
c84a9488 3291 if (!m)
2bef10ab 3292 return -ENOMEM;
2bef10ab
PL		 3293
3294 r = m;
3295 }
8c7be95e
LP		 3296 }
3297 }
3298
3299 *l = r;
3300
3301 return 0;
3302}
3303
6ac8fdc9 3304static bool tty_may_match_dev_console(const char *tty) {
e1d75803 3305 _cleanup_free_ char *active = NULL;
7d6884b6 3306 char *console;
6ac8fdc9 3307
1e22b5cd
LP		 3308 if (!tty)
3309 return true;
3310
6ac8fdc9
MS		 3311 if (startswith(tty, "/dev/"))
3312 tty += 5;
3313
3314 /* trivial identity? */
3315 if (streq(tty, "console"))
3316 return true;
3317
3318 console = resolve_dev_console(&active);
3319 /* if we could not resolve, assume it may */
3320 if (!console)
3321 return true;
3322
3323 /* "tty0" means the active VC, so it may be the same sometimes */
e1d75803 3324 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
6ac8fdc9
MS		 3325}
3326
3327bool exec_context_may_touch_console(ExecContext *ec) {
1e22b5cd
LP		 3328
3329 return (ec->tty_reset ||
3330 ec->tty_vhangup ||
3331 ec->tty_vt_disallocate ||
6ac8fdc9
MS		 3332 is_terminal_input(ec->std_input) ||
3333 is_terminal_output(ec->std_output) ||
3334 is_terminal_output(ec->std_error)) &&
1e22b5cd 3335 tty_may_match_dev_console(exec_context_tty_path(ec));
6ac8fdc9
MS		 3336}
3337
15ae422b
LP		 3338static void strv_fprintf(FILE *f, char **l) {
3339 char **g;
3340
3341 assert(f);
3342
3343 STRV_FOREACH(g, l)
3344 fprintf(f, " %s", *g);
3345}
3346
5cb5a6ff 3347void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
c2bbd90b 3348 char **e, **d;
94f04347 3349 unsigned i;
add00535 3350 int r;
9eba9da4 3351
5cb5a6ff
LP		 3352 assert(c);
3353 assert(f);
3354
4ad49000 3355 prefix = strempty(prefix);
5cb5a6ff
LP		 3356
3357 fprintf(f,
94f04347
LP		 3358 "%sUMask: %04o\n"
3359 "%sWorkingDirectory: %s\n"
451a074f 3360 "%sRootDirectory: %s\n"
15ae422b 3361 "%sNonBlocking: %s\n"
64747e2d 3362 "%sPrivateTmp: %s\n"
7f112f50 3363 "%sPrivateDevices: %s\n"
59eeb84b 3364 "%sProtectKernelTunables: %s\n"
e66a2f65 3365 "%sProtectKernelModules: %s\n"
59eeb84b 3366 "%sProtectControlGroups: %s\n"
d251207d
LP		 3367 "%sPrivateNetwork: %s\n"
3368 "%sPrivateUsers: %s\n"
1b8689f9
LP		 3369 "%sProtectHome: %s\n"
3370 "%sProtectSystem: %s\n"
5d997827 3371 "%sMountAPIVFS: %s\n"
f3e43635 3372 "%sIgnoreSIGPIPE: %s\n"
f4170c67
LP		 3373 "%sMemoryDenyWriteExecute: %s\n"
3374 "%sRestrictRealtime: %s\n",
5cb5a6ff 3375 prefix, c->umask,
9eba9da4 3376 prefix, c->working_directory ? c->working_directory : "/",
451a074f 3377 prefix, c->root_directory ? c->root_directory : "/",
15ae422b 3378 prefix, yes_no(c->non_blocking),
64747e2d 3379 prefix, yes_no(c->private_tmp),
7f112f50 3380 prefix, yes_no(c->private_devices),
59eeb84b 3381 prefix, yes_no(c->protect_kernel_tunables),
e66a2f65 3382 prefix, yes_no(c->protect_kernel_modules),
59eeb84b 3383 prefix, yes_no(c->protect_control_groups),
d251207d
LP		 3384 prefix, yes_no(c->private_network),
3385 prefix, yes_no(c->private_users),
1b8689f9
LP		 3386 prefix, protect_home_to_string(c->protect_home),
3387 prefix, protect_system_to_string(c->protect_system),
5d997827 3388 prefix, yes_no(c->mount_apivfs),
f3e43635 3389 prefix, yes_no(c->ignore_sigpipe),
f4170c67
LP		 3390 prefix, yes_no(c->memory_deny_write_execute),
3391 prefix, yes_no(c->restrict_realtime));
fb33a393 3392
915e6d16
LP		 3393 if (c->root_image)
3394 fprintf(f, "%sRootImage: %s\n", prefix, c->root_image);
3395
8c7be95e
LP		 3396 STRV_FOREACH(e, c->environment)
3397 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
3398
3399 STRV_FOREACH(e, c->environment_files)
3400 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
94f04347 3401
b4c14404
FB		 3402 STRV_FOREACH(e, c->pass_environment)
3403 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
3404
c2bbd90b
EV		 3405 fprintf(f, "%sRuntimeDirectoryMode: %04o\n", prefix, c->runtime_directory_mode);
3406
3407 STRV_FOREACH(d, c->runtime_directory)
3408 fprintf(f, "%sRuntimeDirectory: %s\n", prefix, *d);
3409
fb33a393
LP		 3410 if (c->nice_set)
3411 fprintf(f,
3412 "%sNice: %i\n",
3413 prefix, c->nice);
3414
dd6c17b1 3415 if (c->oom_score_adjust_set)
fb33a393 3416 fprintf(f,
dd6c17b1
LP		 3417 "%sOOMScoreAdjust: %i\n",
3418 prefix, c->oom_score_adjust);
9eba9da4 3419
94f04347 3420 for (i = 0; i < RLIM_NLIMITS; i++)
3c11da9d
EV		 3421 if (c->rlimit[i]) {
3422 fprintf(f, "%s%s: " RLIM_FMT "\n",
3423 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
3424 fprintf(f, "%s%sSoft: " RLIM_FMT "\n",
3425 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
3426 }
94f04347 3427
f8b69d1d 3428 if (c->ioprio_set) {
1756a011 3429 _cleanup_free_ char *class_str = NULL;
f8b69d1d 3430
1756a011 3431 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
9eba9da4
LP		 3432 fprintf(f,
3433 "%sIOSchedulingClass: %s\n"
3434 "%sIOPriority: %i\n",
f8b69d1d 3435 prefix, strna(class_str),
9eba9da4 3436 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
f8b69d1d 3437 }
94f04347 3438
f8b69d1d 3439 if (c->cpu_sched_set) {
1756a011 3440 _cleanup_free_ char *policy_str = NULL;
f8b69d1d 3441
1756a011 3442 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
94f04347
LP		 3443 fprintf(f,
3444 "%sCPUSchedulingPolicy: %s\n"
38b48754
LP		 3445 "%sCPUSchedulingPriority: %i\n"
3446 "%sCPUSchedulingResetOnFork: %s\n",
f8b69d1d 3447 prefix, strna(policy_str),
38b48754
LP		 3448 prefix, c->cpu_sched_priority,
3449 prefix, yes_no(c->cpu_sched_reset_on_fork));
b929bf04 3450 }
94f04347 3451
82c121a4 3452 if (c->cpuset) {
94f04347 3453 fprintf(f, "%sCPUAffinity:", prefix);
82c121a4
LP		 3454 for (i = 0; i < c->cpuset_ncpus; i++)
3455 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
43a99a7a 3456 fprintf(f, " %u", i);
94f04347
LP		 3457 fputs("\n", f);
3458 }
3459
3a43da28 3460 if (c->timer_slack_nsec != NSEC_INFINITY)
ccd06097 3461 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
94f04347
LP		 3462
3463 fprintf(f,
80876c20
LP		 3464 "%sStandardInput: %s\n"
3465 "%sStandardOutput: %s\n"
3466 "%sStandardError: %s\n",
3467 prefix, exec_input_to_string(c->std_input),
3468 prefix, exec_output_to_string(c->std_output),
3469 prefix, exec_output_to_string(c->std_error));
3470
3471 if (c->tty_path)
3472 fprintf(f,
6ea832a2
LP		 3473 "%sTTYPath: %s\n"
3474 "%sTTYReset: %s\n"
3475 "%sTTYVHangup: %s\n"
3476 "%sTTYVTDisallocate: %s\n",
3477 prefix, c->tty_path,
3478 prefix, yes_no(c->tty_reset),
3479 prefix, yes_no(c->tty_vhangup),
3480 prefix, yes_no(c->tty_vt_disallocate));
94f04347 3481
5ce70e5b
ZJS		 3482 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
3483 c->std_output == EXEC_OUTPUT_KMSG ||
3484 c->std_output == EXEC_OUTPUT_JOURNAL ||
3485 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3486 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3487 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
3488 c->std_error == EXEC_OUTPUT_SYSLOG ||
3489 c->std_error == EXEC_OUTPUT_KMSG ||
3490 c->std_error == EXEC_OUTPUT_JOURNAL ||
3491 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3492 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3493 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
f8b69d1d 3494
5ce70e5b 3495 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
f8b69d1d 3496
5ce70e5b
ZJS		 3497 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
3498 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
f8b69d1d 3499
94f04347
LP		 3500 fprintf(f,
3501 "%sSyslogFacility: %s\n"
3502 "%sSyslogLevel: %s\n",
f8b69d1d
MS		 3503 prefix, strna(fac_str),
3504 prefix, strna(lvl_str));
f8b69d1d 3505 }
94f04347 3506
94f04347
LP		 3507 if (c->secure_bits)
3508 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
3509 prefix,
cbb21cca
ZJS		 3510 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
3511 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
3512 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
3513 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
3514 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
3515 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
94f04347 3516
a103496c 3517 if (c->capability_bounding_set != CAP_ALL) {
ae556c21 3518 unsigned long l;
260abb78 3519 fprintf(f, "%sCapabilityBoundingSet:", prefix);
94f04347 3520
64685e0c 3521 for (l = 0; l <= cap_last_cap(); l++)
a103496c 3522 if (c->capability_bounding_set & (UINT64_C(1) << l))
2822da4f 3523 fprintf(f, " %s", strna(capability_to_name(l)));
94f04347
LP		 3524
3525 fputs("\n", f);
755d4b67
IP		 3526 }
3527
3528 if (c->capability_ambient_set != 0) {
3529 unsigned long l;
3530 fprintf(f, "%sAmbientCapabilities:", prefix);
3531
3532 for (l = 0; l <= cap_last_cap(); l++)
3533 if (c->capability_ambient_set & (UINT64_C(1) << l))
3534 fprintf(f, " %s", strna(capability_to_name(l)));
3535
3536 fputs("\n", f);
94f04347
LP		 3537 }
3538
3539 if (c->user)
f2d3769a 3540 fprintf(f, "%sUser: %s\n", prefix, c->user);
94f04347 3541 if (c->group)
f2d3769a 3542 fprintf(f, "%sGroup: %s\n", prefix, c->group);
94f04347 3543
29206d46
LP		 3544 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
3545
15ae422b 3546 if (strv_length(c->supplementary_groups) > 0) {
94f04347 3547 fprintf(f, "%sSupplementaryGroups:", prefix);
15ae422b
LP		 3548 strv_fprintf(f, c->supplementary_groups);
3549 fputs("\n", f);
3550 }
94f04347 3551
5b6319dc 3552 if (c->pam_name)
f2d3769a 3553 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
5b6319dc 3554
2a624c36
AP		 3555 if (strv_length(c->read_write_paths) > 0) {
3556 fprintf(f, "%sReadWritePaths:", prefix);
3557 strv_fprintf(f, c->read_write_paths);
15ae422b
LP		 3558 fputs("\n", f);
3559 }
3560
2a624c36
AP		 3561 if (strv_length(c->read_only_paths) > 0) {
3562 fprintf(f, "%sReadOnlyPaths:", prefix);
3563 strv_fprintf(f, c->read_only_paths);
15ae422b
LP		 3564 fputs("\n", f);
3565 }
94f04347 3566
2a624c36
AP		 3567 if (strv_length(c->inaccessible_paths) > 0) {
3568 fprintf(f, "%sInaccessiblePaths:", prefix);
3569 strv_fprintf(f, c->inaccessible_paths);
94f04347
LP		 3570 fputs("\n", f);
3571 }
2e22afe9 3572
d2d6c096
LP		 3573 if (c->n_bind_mounts > 0)
3574 for (i = 0; i < c->n_bind_mounts; i++) {
3575 fprintf(f, "%s%s: %s:%s:%s\n", prefix,
3576 c->bind_mounts[i].read_only ? "BindReadOnlyPaths" : "BindPaths",
3577 c->bind_mounts[i].source,
3578 c->bind_mounts[i].destination,
3579 c->bind_mounts[i].recursive ? "rbind" : "norbind");
3580 }
3581
169c1bda
LP		 3582 if (c->utmp_id)
3583 fprintf(f,
3584 "%sUtmpIdentifier: %s\n",
3585 prefix, c->utmp_id);
7b52a628
MS		 3586
3587 if (c->selinux_context)
3588 fprintf(f,
5f8640fb
LP		 3589 "%sSELinuxContext: %s%s\n",
3590 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
17df7223 3591
050f7277 3592 if (c->personality != PERSONALITY_INVALID)
ac45f971
LP		 3593 fprintf(f,
3594 "%sPersonality: %s\n",
3595 prefix, strna(personality_to_string(c->personality)));
3596
17df7223 3597 if (c->syscall_filter) {
351a19b1 3598#ifdef HAVE_SECCOMP
17df7223
LP		 3599 Iterator j;
3600 void *id;
3601 bool first = true;
351a19b1 3602#endif
17df7223
LP		 3603
3604 fprintf(f,
57183d11 3605 "%sSystemCallFilter: ",
17df7223
LP		 3606 prefix);
3607
3608 if (!c->syscall_whitelist)
3609 fputc('~', f);
3610
351a19b1 3611#ifdef HAVE_SECCOMP
17df7223
LP		 3612 SET_FOREACH(id, c->syscall_filter, j) {
3613 _cleanup_free_ char *name = NULL;
3614
3615 if (first)
3616 first = false;
3617 else
3618 fputc(' ', f);
3619
57183d11 3620 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
17df7223
LP		 3621 fputs(strna(name), f);
3622 }
351a19b1 3623#endif
17df7223
LP		 3624
3625 fputc('\n', f);
3626 }
3627
57183d11
LP		 3628 if (c->syscall_archs) {
3629#ifdef HAVE_SECCOMP
3630 Iterator j;
3631 void *id;
3632#endif
3633
3634 fprintf(f,
3635 "%sSystemCallArchitectures:",
3636 prefix);
3637
3638#ifdef HAVE_SECCOMP
3639 SET_FOREACH(id, c->syscall_archs, j)
3640 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
3641#endif
3642 fputc('\n', f);
3643 }
3644
add00535
LP		 3645 if (exec_context_restrict_namespaces_set(c)) {
3646 _cleanup_free_ char *s = NULL;
3647
3648 r = namespace_flag_to_string_many(c->restrict_namespaces, &s);
3649 if (r >= 0)
3650 fprintf(f, "%sRestrictNamespaces: %s\n",
3651 prefix, s);
3652 }
3653
b3267152 3654 if (c->syscall_errno > 0)
17df7223
LP		 3655 fprintf(f,
3656 "%sSystemCallErrorNumber: %s\n",
3657 prefix, strna(errno_to_name(c->syscall_errno)));
eef65bf3
MS		 3658
3659 if (c->apparmor_profile)
3660 fprintf(f,
3661 "%sAppArmorProfile: %s%s\n",
3662 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
5cb5a6ff
LP		 3663}
3664
a931ad47
LP		 3665bool exec_context_maintains_privileges(ExecContext *c) {
3666 assert(c);
3667
61233823 3668 /* Returns true if the process forked off would run under
a931ad47
LP		 3669 * an unchanged UID or as root. */
3670
3671 if (!c->user)
3672 return true;
3673
3674 if (streq(c->user, "root") || streq(c->user, "0"))
3675 return true;
3676
3677 return false;
3678}
3679
b58b4116 3680void exec_status_start(ExecStatus *s, pid_t pid) {
034c6ed7 3681 assert(s);
5cb5a6ff 3682
b58b4116
LP		 3683 zero(*s);
3684 s->pid = pid;
3685 dual_timestamp_get(&s->start_timestamp);
3686}
3687
6ea832a2 3688void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
b58b4116
LP		 3689 assert(s);
3690
0b1f4ae6 3691 if (s->pid && s->pid != pid)
b58b4116
LP		 3692 zero(*s);
3693
034c6ed7 3694 s->pid = pid;
63983207 3695 dual_timestamp_get(&s->exit_timestamp);
9fb86720 3696
034c6ed7
LP		 3697 s->code = code;
3698 s->status = status;
169c1bda 3699
6ea832a2
LP		 3700 if (context) {
3701 if (context->utmp_id)
3702 utmp_put_dead_process(context->utmp_id, pid, code, status);
3703
1e22b5cd 3704 exec_context_tty_reset(context, NULL);
6ea832a2 3705 }
9fb86720
LP		 3706}
3707
3708void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
3709 char buf[FORMAT_TIMESTAMP_MAX];
3710
3711 assert(s);
3712 assert(f);
3713
9fb86720
LP		 3714 if (s->pid <= 0)
3715 return;
3716
4c940960
LP		 3717 prefix = strempty(prefix);
3718
9fb86720 3719 fprintf(f,
ccd06097
ZJS		 3720 "%sPID: "PID_FMT"\n",
3721 prefix, s->pid);
9fb86720 3722
af9d16e1 3723 if (dual_timestamp_is_set(&s->start_timestamp))
9fb86720
LP		 3724 fprintf(f,
3725 "%sStart Timestamp: %s\n",
63983207 3726 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
9fb86720 3727
af9d16e1 3728 if (dual_timestamp_is_set(&s->exit_timestamp))
9fb86720
LP		 3729 fprintf(f,
3730 "%sExit Timestamp: %s\n"
3731 "%sExit Code: %s\n"
3732 "%sExit Status: %i\n",
63983207 3733 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
9fb86720
LP		 3734 prefix, sigchld_code_to_string(s->code),
3735 prefix, s->status);
5cb5a6ff 3736}
44d8db9e 3737
9e2f7c11 3738char *exec_command_line(char **argv) {
44d8db9e
LP		 3739 size_t k;
3740 char *n, *p, **a;
3741 bool first = true;
3742
9e2f7c11 3743 assert(argv);
44d8db9e 3744
9164977d 3745 k = 1;
9e2f7c11 3746 STRV_FOREACH(a, argv)
44d8db9e
LP		 3747 k += strlen(*a)+3;
3748
5cd9cd35
LP		 3749 n = new(char, k);
3750 if (!n)
44d8db9e
LP		 3751 return NULL;
3752
3753 p = n;
9e2f7c11 3754 STRV_FOREACH(a, argv) {
44d8db9e
LP		 3755
3756 if (!first)
3757 *(p++) = ' ';
3758 else
3759 first = false;
3760
3761 if (strpbrk(*a, WHITESPACE)) {
3762 *(p++) = '\'';
3763 p = stpcpy(p, *a);
3764 *(p++) = '\'';
3765 } else
3766 p = stpcpy(p, *a);
3767
3768 }
3769
9164977d
LP		 3770 *p = 0;
3771
44d8db9e
LP		 3772 /* FIXME: this doesn't really handle arguments that have
3773 * spaces and ticks in them */
3774
3775 return n;
3776}
3777
3778void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
e1d75803 3779 _cleanup_free_ char *cmd = NULL;
4c940960 3780 const char *prefix2;
44d8db9e
LP		 3781
3782 assert(c);
3783 assert(f);
3784
4c940960 3785 prefix = strempty(prefix);
63c372cb 3786 prefix2 = strjoina(prefix, "\t");
44d8db9e 3787
9e2f7c11 3788 cmd = exec_command_line(c->argv);
44d8db9e
LP		 3789 fprintf(f,
3790 "%sCommand Line: %s\n",
3791 prefix, cmd ? cmd : strerror(ENOMEM));
3792
9fb86720 3793 exec_status_dump(&c->exec_status, f, prefix2);
44d8db9e
LP		 3794}
3795
3796void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
3797 assert(f);
3798
4c940960 3799 prefix = strempty(prefix);
44d8db9e
LP		 3800
3801 LIST_FOREACH(command, c, c)
3802 exec_command_dump(c, f, prefix);
3803}
94f04347 3804
a6a80b4f
LP		 3805void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
3806 ExecCommand *end;
3807
3808 assert(l);
3809 assert(e);
3810
3811 if (*l) {
35b8ca3a 3812 /* It's kind of important, that we keep the order here */
71fda00f
LP		 3813 LIST_FIND_TAIL(command, *l, end);
3814 LIST_INSERT_AFTER(command, *l, end, e);
a6a80b4f
LP		 3815 } else
3816 *l = e;
3817}
3818
26fd040d
LP		 3819int exec_command_set(ExecCommand *c, const char *path, ...) {
3820 va_list ap;
3821 char **l, *p;
3822
3823 assert(c);
3824 assert(path);
3825
3826 va_start(ap, path);
3827 l = strv_new_ap(path, ap);
3828 va_end(ap);
3829
3830 if (!l)
3831 return -ENOMEM;
3832
250a918d
LP		 3833 p = strdup(path);
3834 if (!p) {
26fd040d
LP		 3835 strv_free(l);
3836 return -ENOMEM;
3837 }
3838
3839 free(c->path);
3840 c->path = p;
3841
3842 strv_free(c->argv);
3843 c->argv = l;
3844
3845 return 0;
3846}
3847
86b23b07 3848int exec_command_append(ExecCommand *c, const char *path, ...) {
e63ff941 3849 _cleanup_strv_free_ char **l = NULL;
86b23b07 3850 va_list ap;
86b23b07
JS		 3851 int r;
3852
3853 assert(c);
3854 assert(path);
3855
3856 va_start(ap, path);
3857 l = strv_new_ap(path, ap);
3858 va_end(ap);
3859
3860 if (!l)
3861 return -ENOMEM;
3862
e287086b 3863 r = strv_extend_strv(&c->argv, l, false);
e63ff941 3864 if (r < 0)
86b23b07 3865 return r;
86b23b07
JS		 3866
3867 return 0;
3868}
3869
3870
613b411c
LP		 3871static int exec_runtime_allocate(ExecRuntime **rt) {
3872
3873 if (*rt)
3874 return 0;
3875
3876 *rt = new0(ExecRuntime, 1);
f146f5e1 3877 if (!*rt)
613b411c
LP		 3878 return -ENOMEM;
3879
3880 (*rt)->n_ref = 1;
3881 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
3882
3883 return 0;
3884}
3885
3886int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
3887 int r;
3888
3889 assert(rt);
3890 assert(c);
3891 assert(id);
3892
3893 if (*rt)
3894 return 1;
3895
3896 if (!c->private_network && !c->private_tmp)
3897 return 0;
3898
3899 r = exec_runtime_allocate(rt);
3900 if (r < 0)
3901 return r;
3902
3903 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
33df919d 3904 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, (*rt)->netns_storage_socket) < 0)
613b411c
LP		 3905 return -errno;
3906 }
3907
3908 if (c->private_tmp && !(*rt)->tmp_dir) {
3909 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
3910 if (r < 0)
3911 return r;
3912 }
3913
3914 return 1;
3915}
3916
3917ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
3918 assert(r);
3919 assert(r->n_ref > 0);
3920
3921 r->n_ref++;
3922 return r;
3923}
3924
3925ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
3926
3927 if (!r)
3928 return NULL;
3929
3930 assert(r->n_ref > 0);
3931
3932 r->n_ref--;
f2341e0a
LP		 3933 if (r->n_ref > 0)
3934 return NULL;
3935
3936 free(r->tmp_dir);
3937 free(r->var_tmp_dir);
3938 safe_close_pair(r->netns_storage_socket);
6b430fdb 3939 return mfree(r);
613b411c
LP		 3940}
3941
f2341e0a 3942int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
613b411c
LP		 3943 assert(u);
3944 assert(f);
3945 assert(fds);
3946
3947 if (!rt)
3948 return 0;
3949
3950 if (rt->tmp_dir)
3951 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
3952
3953 if (rt->var_tmp_dir)
3954 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
3955
3956 if (rt->netns_storage_socket[0] >= 0) {
3957 int copy;
3958
3959 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
3960 if (copy < 0)
3961 return copy;
3962
3963 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
3964 }
3965
3966 if (rt->netns_storage_socket[1] >= 0) {
3967 int copy;
3968
3969 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
3970 if (copy < 0)
3971 return copy;
3972
3973 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
3974 }
3975
3976 return 0;
3977}
3978
f2341e0a 3979int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
613b411c
LP		 3980 int r;
3981
3982 assert(rt);
3983 assert(key);
3984 assert(value);
3985
3986 if (streq(key, "tmp-dir")) {
3987 char *copy;
3988
3989 r = exec_runtime_allocate(rt);
3990 if (r < 0)
f2341e0a 3991 return log_oom();
613b411c
LP		 3992
3993 copy = strdup(value);
3994 if (!copy)
3995 return log_oom();
3996
3997 free((*rt)->tmp_dir);
3998 (*rt)->tmp_dir = copy;
3999
4000 } else if (streq(key, "var-tmp-dir")) {
4001 char *copy;
4002
4003 r = exec_runtime_allocate(rt);
4004 if (r < 0)
f2341e0a 4005 return log_oom();
613b411c
LP		 4006
4007 copy = strdup(value);
4008 if (!copy)
4009 return log_oom();
4010
4011 free((*rt)->var_tmp_dir);
4012 (*rt)->var_tmp_dir = copy;
4013
4014 } else if (streq(key, "netns-socket-0")) {
4015 int fd;
4016
4017 r = exec_runtime_allocate(rt);
4018 if (r < 0)
f2341e0a 4019 return log_oom();
613b411c
LP		 4020
4021 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
f2341e0a 4022 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
613b411c 4023 else {
03e334a1 4024 safe_close((*rt)->netns_storage_socket[0]);
613b411c
LP		 4025 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
4026 }
4027 } else if (streq(key, "netns-socket-1")) {
4028 int fd;
4029
4030 r = exec_runtime_allocate(rt);
4031 if (r < 0)
f2341e0a 4032 return log_oom();
613b411c
LP		 4033
4034 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
f2341e0a 4035 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
613b411c 4036 else {
03e334a1 4037 safe_close((*rt)->netns_storage_socket[1]);
613b411c
LP		 4038 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
4039 }
4040 } else
4041 return 0;
4042
4043 return 1;
4044}
4045
4046static void *remove_tmpdir_thread(void *p) {
4047 _cleanup_free_ char *path = p;
4048
c6878637 4049 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
613b411c
LP		 4050 return NULL;
4051}
4052
4053void exec_runtime_destroy(ExecRuntime *rt) {
98b47d54
LP		 4054 int r;
4055
613b411c
LP		 4056 if (!rt)
4057 return;
4058
4059 /* If there are multiple users of this, let's leave the stuff around */
4060 if (rt->n_ref > 1)
4061 return;
4062
4063 if (rt->tmp_dir) {
4064 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
98b47d54
LP		 4065
4066 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
4067 if (r < 0) {
da927ba9 4068 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
98b47d54
LP		 4069 free(rt->tmp_dir);
4070 }
4071
613b411c
LP		 4072 rt->tmp_dir = NULL;
4073 }
4074
4075 if (rt->var_tmp_dir) {
4076 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
98b47d54
LP		 4077
4078 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
4079 if (r < 0) {
da927ba9 4080 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
98b47d54
LP		 4081 free(rt->var_tmp_dir);
4082 }
4083
613b411c
LP		 4084 rt->var_tmp_dir = NULL;
4085 }
4086
3d94f76c 4087 safe_close_pair(rt->netns_storage_socket);
613b411c
LP		 4088}
4089
80876c20
LP		 4090static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
4091 [EXEC_INPUT_NULL] = "null",
4092 [EXEC_INPUT_TTY] = "tty",
4093 [EXEC_INPUT_TTY_FORCE] = "tty-force",
4f2d528d 4094 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
52c239d7
LB		 4095 [EXEC_INPUT_SOCKET] = "socket",
4096 [EXEC_INPUT_NAMED_FD] = "fd",
80876c20
LP		 4097};
4098
8a0867d6
LP		 4099DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
4100
94f04347 4101static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
80876c20 4102 [EXEC_OUTPUT_INHERIT] = "inherit",
94f04347 4103 [EXEC_OUTPUT_NULL] = "null",
80876c20 4104 [EXEC_OUTPUT_TTY] = "tty",
94f04347 4105 [EXEC_OUTPUT_SYSLOG] = "syslog",
28dbc1e8 4106 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
9a6bca7a 4107 [EXEC_OUTPUT_KMSG] = "kmsg",
28dbc1e8 4108 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
706343f4
LP		 4109 [EXEC_OUTPUT_JOURNAL] = "journal",
4110 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
52c239d7
LB		 4111 [EXEC_OUTPUT_SOCKET] = "socket",
4112 [EXEC_OUTPUT_NAMED_FD] = "fd",
94f04347
LP		 4113};
4114
4115DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
023a4f67
LP		 4116
4117static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
4118 [EXEC_UTMP_INIT] = "init",
4119 [EXEC_UTMP_LOGIN] = "login",
4120 [EXEC_UTMP_USER] = "user",
4121};
4122
4123DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
Unnamed repository; edit this file 'description' to name the repository.