]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/core/execute.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
man: drop some left-over mentions of StandardOutput=syslog
[thirdparty/systemd.git] / src / core / execute.c
CommitLineData
53e1b683 1/* SPDX-License-Identifier: LGPL-2.1+ */
a7334b09 2
034c6ed7
LP		 3#include <errno.h>
4#include <fcntl.h>
8dd4c05b 5#include <poll.h>
d251207d 6#include <sys/eventfd.h>
f5947a5e 7#include <sys/ioctl.h>
f3e43635 8#include <sys/mman.h>
8dd4c05b 9#include <sys/personality.h>
94f04347 10#include <sys/prctl.h>
d2ffa389 11#include <sys/shm.h>
d2ffa389 12#include <sys/types.h>
8dd4c05b
LP		 13#include <sys/un.h>
14#include <unistd.h>
023a4f67 15#include <utmpx.h>
5cb5a6ff 16
349cc4a5 17#if HAVE_PAM
5b6319dc
LP		 18#include <security/pam_appl.h>
19#endif
20
349cc4a5 21#if HAVE_SELINUX
7b52a628
MS		 22#include <selinux/selinux.h>
23#endif
24
349cc4a5 25#if HAVE_SECCOMP
17df7223
LP		 26#include <seccomp.h>
27#endif
28
349cc4a5 29#if HAVE_APPARMOR
eef65bf3
MS		 30#include <sys/apparmor.h>
31#endif
32
24882e06 33#include "sd-messages.h"
8dd4c05b
LP		 34
35#include "af-list.h"
b5efdb8a 36#include "alloc-util.h"
349cc4a5 37#if HAVE_APPARMOR
3ffd4af2
LP		 38#include "apparmor-util.h"
39#endif
8dd4c05b
LP		 40#include "async.h"
41#include "barrier.h"
8dd4c05b 42#include "cap-list.h"
430f0182 43#include "capability-util.h"
a1164ae3 44#include "chown-recursive.h"
fdb3deca 45#include "cgroup-setup.h"
da681e1b 46#include "cpu-set-util.h"
f6a6225e 47#include "def.h"
686d13b9 48#include "env-file.h"
4d1a6904 49#include "env-util.h"
17df7223 50#include "errno-list.h"
3ffd4af2 51#include "execute.h"
8dd4c05b 52#include "exit-status.h"
3ffd4af2 53#include "fd-util.h"
f97b34a6 54#include "format-util.h"
f4f15635 55#include "fs-util.h"
7d50b32a 56#include "glob-util.h"
c004493c 57#include "io-util.h"
8dd4c05b 58#include "ioprio.h"
a1164ae3 59#include "label.h"
8dd4c05b
LP		 60#include "log.h"
61#include "macro.h"
e8a565cb 62#include "manager.h"
0a970718 63#include "memory-util.h"
f5947a5e 64#include "missing_fs.h"
8dd4c05b
LP		 65#include "mkdir.h"
66#include "namespace.h"
6bedfcbb 67#include "parse-util.h"
8dd4c05b 68#include "path-util.h"
0b452006 69#include "process-util.h"
78f22b97 70#include "rlimit-util.h"
8dd4c05b 71#include "rm-rf.h"
349cc4a5 72#if HAVE_SECCOMP
3ffd4af2
LP		 73#include "seccomp-util.h"
74#endif
07d46372 75#include "securebits-util.h"
8dd4c05b 76#include "selinux-util.h"
24882e06 77#include "signal-util.h"
8dd4c05b 78#include "smack-util.h"
57b7a260 79#include "socket-util.h"
fd63e712 80#include "special.h"
949befd3 81#include "stat-util.h"
8b43440b 82#include "string-table.h"
07630cea 83#include "string-util.h"
8dd4c05b 84#include "strv.h"
7ccbd1ae 85#include "syslog-util.h"
8dd4c05b 86#include "terminal-util.h"
566b7d23 87#include "umask-util.h"
8dd4c05b 88#include "unit.h"
b1d4f8e1 89#include "user-util.h"
8dd4c05b 90#include "utmp-wtmp.h"
5cb5a6ff 91
e056b01d 92#define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
31a7eb86 93#define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
e6a26745 94
531dca78
LP		 95#define SNDBUF_SIZE (8*1024*1024)
96
da6053d0 97static int shift_fds(int fds[], size_t n_fds) {
034c6ed7
LP		 98 int start, restart_from;
99
100 if (n_fds <= 0)
101 return 0;
102
a0d40ac5
LP		 103 /* Modifies the fds array! (sorts it) */
104
034c6ed7
LP		 105 assert(fds);
106
107 start = 0;
108 for (;;) {
109 int i;
110
111 restart_from = -1;
112
113 for (i = start; i < (int) n_fds; i++) {
114 int nfd;
115
116 /* Already at right index? */
117 if (fds[i] == i+3)
118 continue;
119
3cc2aff1
LP		 120 nfd = fcntl(fds[i], F_DUPFD, i + 3);
121 if (nfd < 0)
034c6ed7
LP		 122 return -errno;
123
03e334a1 124 safe_close(fds[i]);
034c6ed7
LP		 125 fds[i] = nfd;
126
127 /* Hmm, the fd we wanted isn't free? Then
ee33e53a 128 * let's remember that and try again from here */
034c6ed7
LP		 129 if (nfd != i+3 && restart_from < 0)
130 restart_from = i;
131 }
132
133 if (restart_from < 0)
134 break;
135
136 start = restart_from;
137 }
138
139 return 0;
140}
141
25b583d7 142static int flags_fds(const int fds[], size_t n_socket_fds, size_t n_storage_fds, bool nonblock) {
da6053d0 143 size_t i, n_fds;
e2c76839 144 int r;
47a71eed 145
25b583d7 146 n_fds = n_socket_fds + n_storage_fds;
47a71eed
LP		 147 if (n_fds <= 0)
148 return 0;
149
150 assert(fds);
151
9b141911
FB		 152 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags.
153 * O_NONBLOCK only applies to socket activation though. */
47a71eed
LP		 154
155 for (i = 0; i < n_fds; i++) {
47a71eed 156
9b141911
FB		 157 if (i < n_socket_fds) {
158 r = fd_nonblock(fds[i], nonblock);
159 if (r < 0)
160 return r;
161 }
47a71eed 162
451a074f
LP		 163 /* We unconditionally drop FD_CLOEXEC from the fds,
164 * since after all we want to pass these fds to our
165 * children */
47a71eed 166
3cc2aff1
LP		 167 r = fd_cloexec(fds[i], false);
168 if (r < 0)
e2c76839 169 return r;
47a71eed
LP		 170 }
171
172 return 0;
173}
174
1e22b5cd 175static const char *exec_context_tty_path(const ExecContext *context) {
80876c20
LP		 176 assert(context);
177
1e22b5cd
LP		 178 if (context->stdio_as_fds)
179 return NULL;
180
80876c20
LP		 181 if (context->tty_path)
182 return context->tty_path;
183
184 return "/dev/console";
185}
186
1e22b5cd
LP		 187static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
188 const char *path;
189
6ea832a2
LP		 190 assert(context);
191
1e22b5cd 192 path = exec_context_tty_path(context);
6ea832a2 193
1e22b5cd
LP		 194 if (context->tty_vhangup) {
195 if (p && p->stdin_fd >= 0)
196 (void) terminal_vhangup_fd(p->stdin_fd);
197 else if (path)
198 (void) terminal_vhangup(path);
199 }
6ea832a2 200
1e22b5cd
LP		 201 if (context->tty_reset) {
202 if (p && p->stdin_fd >= 0)
203 (void) reset_terminal_fd(p->stdin_fd, true);
204 else if (path)
205 (void) reset_terminal(path);
206 }
207
208 if (context->tty_vt_disallocate && path)
209 (void) vt_disallocate(path);
6ea832a2
LP		 210}
211
6af760f3
LP		 212static bool is_terminal_input(ExecInput i) {
213 return IN_SET(i,
214 EXEC_INPUT_TTY,
215 EXEC_INPUT_TTY_FORCE,
216 EXEC_INPUT_TTY_FAIL);
217}
218
3a1286b6 219static bool is_terminal_output(ExecOutput o) {
6af760f3
LP		 220 return IN_SET(o,
221 EXEC_OUTPUT_TTY,
222 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
223 EXEC_OUTPUT_KMSG_AND_CONSOLE,
224 EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
225}
226
aac8c0c3
LP		 227static bool is_syslog_output(ExecOutput o) {
228 return IN_SET(o,
229 EXEC_OUTPUT_SYSLOG,
230 EXEC_OUTPUT_SYSLOG_AND_CONSOLE);
231}
232
233static bool is_kmsg_output(ExecOutput o) {
234 return IN_SET(o,
235 EXEC_OUTPUT_KMSG,
236 EXEC_OUTPUT_KMSG_AND_CONSOLE);
237}
238
6af760f3
LP		 239static bool exec_context_needs_term(const ExecContext *c) {
240 assert(c);
241
242 /* Return true if the execution context suggests we should set $TERM to something useful. */
243
244 if (is_terminal_input(c->std_input))
245 return true;
246
247 if (is_terminal_output(c->std_output))
248 return true;
249
250 if (is_terminal_output(c->std_error))
251 return true;
252
253 return !!c->tty_path;
3a1286b6
MS		 254}
255
80876c20 256static int open_null_as(int flags, int nfd) {
046a82c1 257 int fd;
071830ff 258
80876c20 259 assert(nfd >= 0);
071830ff 260
613b411c
LP		 261 fd = open("/dev/null", flags|O_NOCTTY);
262 if (fd < 0)
071830ff
LP		 263 return -errno;
264
046a82c1 265 return move_fd(fd, nfd, false);
071830ff
LP		 266}
267
91dd5f7c
LP		 268static int connect_journal_socket(
269 int fd,
270 const char *log_namespace,
271 uid_t uid,
272 gid_t gid) {
273
f36a9d59
ZJS		 274 union sockaddr_union sa;
275 socklen_t sa_len;
524daa8c
ZJS		 276 uid_t olduid = UID_INVALID;
277 gid_t oldgid = GID_INVALID;
91dd5f7c 278 const char *j;
524daa8c
ZJS		 279 int r;
280
91dd5f7c
LP		 281 j = log_namespace ?
282 strjoina("/run/systemd/journal.", log_namespace, "/stdout") :
283 "/run/systemd/journal/stdout";
284 r = sockaddr_un_set_path(&sa.un, j);
285 if (r < 0)
286 return r;
f36a9d59 287 sa_len = r;
91dd5f7c 288
cad93f29 289 if (gid_is_valid(gid)) {
524daa8c
ZJS		 290 oldgid = getgid();
291
92a17af9 292 if (setegid(gid) < 0)
524daa8c
ZJS		 293 return -errno;
294 }
295
cad93f29 296 if (uid_is_valid(uid)) {
524daa8c
ZJS		 297 olduid = getuid();
298
92a17af9 299 if (seteuid(uid) < 0) {
524daa8c
ZJS		 300 r = -errno;
301 goto restore_gid;
302 }
303 }
304
f36a9d59 305 r = connect(fd, &sa.sa, sa_len) < 0 ? -errno : 0;
524daa8c
ZJS		 306
307 /* If we fail to restore the uid or gid, things will likely
308 fail later on. This should only happen if an LSM interferes. */
309
cad93f29 310 if (uid_is_valid(uid))
524daa8c
ZJS		 311 (void) seteuid(olduid);
312
313 restore_gid:
cad93f29 314 if (gid_is_valid(gid))
524daa8c
ZJS		 315 (void) setegid(oldgid);
316
317 return r;
318}
319
fd1f9c89 320static int connect_logger_as(
34cf6c43 321 const Unit *unit,
fd1f9c89 322 const ExecContext *context,
af635cf3 323 const ExecParameters *params,
fd1f9c89
LP		 324 ExecOutput output,
325 const char *ident,
fd1f9c89
LP		 326 int nfd,
327 uid_t uid,
328 gid_t gid) {
329
2ac1ff68
EV		 330 _cleanup_close_ int fd = -1;
331 int r;
071830ff
LP		 332
333 assert(context);
af635cf3 334 assert(params);
80876c20
LP		 335 assert(output < _EXEC_OUTPUT_MAX);
336 assert(ident);
337 assert(nfd >= 0);
071830ff 338
54fe0cdb
LP		 339 fd = socket(AF_UNIX, SOCK_STREAM, 0);
340 if (fd < 0)
80876c20 341 return -errno;
071830ff 342
91dd5f7c 343 r = connect_journal_socket(fd, context->log_namespace, uid, gid);
524daa8c
ZJS		 344 if (r < 0)
345 return r;
071830ff 346
2ac1ff68 347 if (shutdown(fd, SHUT_RD) < 0)
80876c20 348 return -errno;
071830ff 349
fd1f9c89 350 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
531dca78 351
2ac1ff68 352 if (dprintf(fd,
62bca2c6 353 "%s\n"
80876c20
LP		 354 "%s\n"
355 "%i\n"
54fe0cdb
LP		 356 "%i\n"
357 "%i\n"
358 "%i\n"
4f4a1dbf 359 "%i\n",
c867611e 360 context->syslog_identifier ?: ident,
af635cf3 361 params->flags & EXEC_PASS_LOG_UNIT ? unit->id : "",
54fe0cdb
LP		 362 context->syslog_priority,
363 !!context->syslog_level_prefix,
aac8c0c3
LP		 364 is_syslog_output(output),
365 is_kmsg_output(output),
2ac1ff68
EV		 366 is_terminal_output(output)) < 0)
367 return -errno;
80876c20 368
2ac1ff68 369 return move_fd(TAKE_FD(fd), nfd, false);
80876c20 370}
2ac1ff68 371
3a274a21 372static int open_terminal_as(const char *path, int flags, int nfd) {
046a82c1 373 int fd;
071830ff 374
80876c20
LP		 375 assert(path);
376 assert(nfd >= 0);
fd1f9c89 377
3a274a21 378 fd = open_terminal(path, flags | O_NOCTTY);
3cc2aff1 379 if (fd < 0)
80876c20 380 return fd;
071830ff 381
046a82c1 382 return move_fd(fd, nfd, false);
80876c20 383}
071830ff 384
2038c3f5 385static int acquire_path(const char *path, int flags, mode_t mode) {
86fca584
ZJS		 386 union sockaddr_union sa;
387 socklen_t sa_len;
15a3e96f 388 _cleanup_close_ int fd = -1;
86fca584 389 int r;
071830ff 390
80876c20 391 assert(path);
071830ff 392
2038c3f5
LP		 393 if (IN_SET(flags & O_ACCMODE, O_WRONLY, O_RDWR))
394 flags |= O_CREAT;
395
396 fd = open(path, flags|O_NOCTTY, mode);
397 if (fd >= 0)
15a3e96f 398 return TAKE_FD(fd);
071830ff 399
2038c3f5
LP		 400 if (errno != ENXIO) /* ENXIO is returned when we try to open() an AF_UNIX file system socket on Linux */
401 return -errno;
2038c3f5
LP		 402
403 /* So, it appears the specified path could be an AF_UNIX socket. Let's see if we can connect to it. */
404
86fca584
ZJS		 405 r = sockaddr_un_set_path(&sa.un, path);
406 if (r < 0)
407 return r == -EINVAL ? -ENXIO : r;
408 sa_len = r;
409
2038c3f5
LP		 410 fd = socket(AF_UNIX, SOCK_STREAM, 0);
411 if (fd < 0)
412 return -errno;
413
86fca584 414 if (connect(fd, &sa.sa, sa_len) < 0)
2038c3f5
LP		 415 return errno == EINVAL ? -ENXIO : -errno; /* Propagate initial error if we get EINVAL, i.e. we have
416 * indication that his wasn't an AF_UNIX socket after all */
071830ff 417
2038c3f5
LP		 418 if ((flags & O_ACCMODE) == O_RDONLY)
419 r = shutdown(fd, SHUT_WR);
420 else if ((flags & O_ACCMODE) == O_WRONLY)
421 r = shutdown(fd, SHUT_RD);
422 else
86fca584 423 r = 0;
15a3e96f 424 if (r < 0)
2038c3f5 425 return -errno;
2038c3f5 426
15a3e96f 427 return TAKE_FD(fd);
80876c20 428}
071830ff 429
08f3be7a
LP		 430static int fixup_input(
431 const ExecContext *context,
432 int socket_fd,
433 bool apply_tty_stdin) {
434
435 ExecInput std_input;
436
437 assert(context);
438
439 std_input = context->std_input;
1e3ad081
LP		 440
441 if (is_terminal_input(std_input) && !apply_tty_stdin)
442 return EXEC_INPUT_NULL;
071830ff 443
03fd9c49 444 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 445 return EXEC_INPUT_NULL;
446
08f3be7a
LP		 447 if (std_input == EXEC_INPUT_DATA && context->stdin_data_size == 0)
448 return EXEC_INPUT_NULL;
449
03fd9c49 450 return std_input;
4f2d528d
LP		 451}
452
03fd9c49 453static int fixup_output(ExecOutput std_output, int socket_fd) {
4f2d528d 454
03fd9c49 455 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 456 return EXEC_OUTPUT_INHERIT;
457
03fd9c49 458 return std_output;
4f2d528d
LP		 459}
460
a34ceba6
LP		 461static int setup_input(
462 const ExecContext *context,
463 const ExecParameters *params,
52c239d7 464 int socket_fd,
2caa38e9 465 const int named_iofds[static 3]) {
a34ceba6 466
4f2d528d
LP		 467 ExecInput i;
468
469 assert(context);
a34ceba6 470 assert(params);
2caa38e9 471 assert(named_iofds);
a34ceba6
LP		 472
473 if (params->stdin_fd >= 0) {
474 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
475 return -errno;
476
477 /* Try to make this the controlling tty, if it is a tty, and reset it */
1fb0682e
LP		 478 if (isatty(STDIN_FILENO)) {
479 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
480 (void) reset_terminal_fd(STDIN_FILENO, true);
481 }
a34ceba6
LP		 482
483 return STDIN_FILENO;
484 }
4f2d528d 485
08f3be7a 486 i = fixup_input(context, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
4f2d528d
LP		 487
488 switch (i) {
071830ff 489
80876c20
LP		 490 case EXEC_INPUT_NULL:
491 return open_null_as(O_RDONLY, STDIN_FILENO);
492
493 case EXEC_INPUT_TTY:
494 case EXEC_INPUT_TTY_FORCE:
495 case EXEC_INPUT_TTY_FAIL: {
046a82c1 496 int fd;
071830ff 497
1e22b5cd 498 fd = acquire_terminal(exec_context_tty_path(context),
8854d795
LP		 499 i == EXEC_INPUT_TTY_FAIL ? ACQUIRE_TERMINAL_TRY :
500 i == EXEC_INPUT_TTY_FORCE ? ACQUIRE_TERMINAL_FORCE :
501 ACQUIRE_TERMINAL_WAIT,
3a43da28 502 USEC_INFINITY);
970edce6 503 if (fd < 0)
80876c20
LP		 504 return fd;
505
046a82c1 506 return move_fd(fd, STDIN_FILENO, false);
80876c20
LP		 507 }
508
4f2d528d 509 case EXEC_INPUT_SOCKET:
e75a9ed1
LP		 510 assert(socket_fd >= 0);
511
4f2d528d
LP		 512 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
513
52c239d7 514 case EXEC_INPUT_NAMED_FD:
e75a9ed1
LP		 515 assert(named_iofds[STDIN_FILENO] >= 0);
516
52c239d7
LB		 517 (void) fd_nonblock(named_iofds[STDIN_FILENO], false);
518 return dup2(named_iofds[STDIN_FILENO], STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
519
08f3be7a
LP		 520 case EXEC_INPUT_DATA: {
521 int fd;
522
523 fd = acquire_data_fd(context->stdin_data, context->stdin_data_size, 0);
524 if (fd < 0)
525 return fd;
526
527 return move_fd(fd, STDIN_FILENO, false);
528 }
529
2038c3f5
LP		 530 case EXEC_INPUT_FILE: {
531 bool rw;
532 int fd;
533
534 assert(context->stdio_file[STDIN_FILENO]);
535
536 rw = (context->std_output == EXEC_OUTPUT_FILE && streq_ptr(context->stdio_file[STDIN_FILENO], context->stdio_file[STDOUT_FILENO])) ||
537 (context->std_error == EXEC_OUTPUT_FILE && streq_ptr(context->stdio_file[STDIN_FILENO], context->stdio_file[STDERR_FILENO]));
538
539 fd = acquire_path(context->stdio_file[STDIN_FILENO], rw ? O_RDWR : O_RDONLY, 0666 & ~context->umask);
540 if (fd < 0)
541 return fd;
542
543 return move_fd(fd, STDIN_FILENO, false);
544 }
545
80876c20
LP		 546 default:
547 assert_not_reached("Unknown input type");
548 }
549}
550
41fc585a
LP		 551static bool can_inherit_stderr_from_stdout(
552 const ExecContext *context,
553 ExecOutput o,
554 ExecOutput e) {
555
556 assert(context);
557
558 /* Returns true, if given the specified STDERR and STDOUT output we can directly dup() the stdout fd to the
559 * stderr fd */
560
561 if (e == EXEC_OUTPUT_INHERIT)
562 return true;
563 if (e != o)
564 return false;
565
566 if (e == EXEC_OUTPUT_NAMED_FD)
567 return streq_ptr(context->stdio_fdname[STDOUT_FILENO], context->stdio_fdname[STDERR_FILENO]);
568
569 if (IN_SET(e, EXEC_OUTPUT_FILE, EXEC_OUTPUT_FILE_APPEND))
570 return streq_ptr(context->stdio_file[STDOUT_FILENO], context->stdio_file[STDERR_FILENO]);
571
572 return true;
573}
574
a34ceba6 575static int setup_output(
34cf6c43 576 const Unit *unit,
a34ceba6
LP		 577 const ExecContext *context,
578 const ExecParameters *params,
579 int fileno,
580 int socket_fd,
2caa38e9 581 const int named_iofds[static 3],
a34ceba6 582 const char *ident,
7bce046b
LP		 583 uid_t uid,
584 gid_t gid,
585 dev_t *journal_stream_dev,
586 ino_t *journal_stream_ino) {
a34ceba6 587
4f2d528d
LP		 588 ExecOutput o;
589 ExecInput i;
47c1d80d 590 int r;
4f2d528d 591
f2341e0a 592 assert(unit);
80876c20 593 assert(context);
a34ceba6 594 assert(params);
80876c20 595 assert(ident);
7bce046b
LP		 596 assert(journal_stream_dev);
597 assert(journal_stream_ino);
80876c20 598
a34ceba6
LP		 599 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
600
601 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
602 return -errno;
603
604 return STDOUT_FILENO;
605 }
606
607 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
608 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
609 return -errno;
610
611 return STDERR_FILENO;
612 }
613
08f3be7a 614 i = fixup_input(context, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
03fd9c49 615 o = fixup_output(context->std_output, socket_fd);
4f2d528d 616
eb17e935
MS		 617 if (fileno == STDERR_FILENO) {
618 ExecOutput e;
619 e = fixup_output(context->std_error, socket_fd);
80876c20 620
eb17e935
MS		 621 /* This expects the input and output are already set up */
622
623 /* Don't change the stderr file descriptor if we inherit all
624 * the way and are not on a tty */
625 if (e == EXEC_OUTPUT_INHERIT &&
626 o == EXEC_OUTPUT_INHERIT &&
627 i == EXEC_INPUT_NULL &&
628 !is_terminal_input(context->std_input) &&
629 getppid () != 1)
630 return fileno;
631
632 /* Duplicate from stdout if possible */
41fc585a 633 if (can_inherit_stderr_from_stdout(context, o, e))
eb17e935 634 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 635
eb17e935 636 o = e;
80876c20 637
eb17e935 638 } else if (o == EXEC_OUTPUT_INHERIT) {
21d21ea4
LP		 639 /* If input got downgraded, inherit the original value */
640 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
1e22b5cd 641 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
21d21ea4 642
08f3be7a
LP		 643 /* If the input is connected to anything that's not a /dev/null or a data fd, inherit that... */
644 if (!IN_SET(i, EXEC_INPUT_NULL, EXEC_INPUT_DATA))
eb17e935 645 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 646
acb591e4
LP		 647 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
648 if (getppid() != 1)
eb17e935 649 return fileno;
94f04347 650
eb17e935
MS		 651 /* We need to open /dev/null here anew, to get the right access mode. */
652 return open_null_as(O_WRONLY, fileno);
071830ff 653 }
94f04347 654
eb17e935 655 switch (o) {
80876c20
LP		 656
657 case EXEC_OUTPUT_NULL:
eb17e935 658 return open_null_as(O_WRONLY, fileno);
80876c20
LP		 659
660 case EXEC_OUTPUT_TTY:
4f2d528d 661 if (is_terminal_input(i))
eb17e935 662 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
80876c20
LP		 663
664 /* We don't reset the terminal if this is just about output */
1e22b5cd 665 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
80876c20
LP		 666
667 case EXEC_OUTPUT_SYSLOG:
28dbc1e8 668 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
9a6bca7a 669 case EXEC_OUTPUT_KMSG:
28dbc1e8 670 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
706343f4
LP		 671 case EXEC_OUTPUT_JOURNAL:
672 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
af635cf3 673 r = connect_logger_as(unit, context, params, o, ident, fileno, uid, gid);
47c1d80d 674 if (r < 0) {
82677ae4 675 log_unit_warning_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
eb17e935 676 r = open_null_as(O_WRONLY, fileno);
7bce046b
LP		 677 } else {
678 struct stat st;
679
680 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
681 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
ab2116b1
LP		 682 * services to detect whether they are connected to the journal or not.
683 *
684 * If both stdout and stderr are connected to a stream then let's make sure to store the data
685 * about STDERR as that's usually the best way to do logging. */
7bce046b 686
ab2116b1
LP		 687 if (fstat(fileno, &st) >= 0 &&
688 (*journal_stream_ino == 0 || fileno == STDERR_FILENO)) {
7bce046b
LP		 689 *journal_stream_dev = st.st_dev;
690 *journal_stream_ino = st.st_ino;
691 }
47c1d80d
MS		 692 }
693 return r;
4f2d528d
LP		 694
695 case EXEC_OUTPUT_SOCKET:
696 assert(socket_fd >= 0);
e75a9ed1 697
eb17e935 698 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
94f04347 699
52c239d7 700 case EXEC_OUTPUT_NAMED_FD:
e75a9ed1
LP		 701 assert(named_iofds[fileno] >= 0);
702
52c239d7
LB		 703 (void) fd_nonblock(named_iofds[fileno], false);
704 return dup2(named_iofds[fileno], fileno) < 0 ? -errno : fileno;
705
566b7d23
ZD		 706 case EXEC_OUTPUT_FILE:
707 case EXEC_OUTPUT_FILE_APPEND: {
2038c3f5 708 bool rw;
566b7d23 709 int fd, flags;
2038c3f5
LP		 710
711 assert(context->stdio_file[fileno]);
712
713 rw = context->std_input == EXEC_INPUT_FILE &&
714 streq_ptr(context->stdio_file[fileno], context->stdio_file[STDIN_FILENO]);
715
716 if (rw)
717 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
718
566b7d23
ZD		 719 flags = O_WRONLY;
720 if (o == EXEC_OUTPUT_FILE_APPEND)
721 flags |= O_APPEND;
722
723 fd = acquire_path(context->stdio_file[fileno], flags, 0666 & ~context->umask);
2038c3f5
LP		 724 if (fd < 0)
725 return fd;
726
566b7d23 727 return move_fd(fd, fileno, 0);
2038c3f5
LP		 728 }
729
94f04347 730 default:
80876c20 731 assert_not_reached("Unknown error type");
94f04347 732 }
071830ff
LP		 733}
734
02a51aba 735static int chown_terminal(int fd, uid_t uid) {
4b3b5bc7 736 int r;
02a51aba
LP		 737
738 assert(fd >= 0);
02a51aba 739
1ff74fb6 740 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
4b3b5bc7
LP		 741 if (isatty(fd) < 1) {
742 if (IN_SET(errno, EINVAL, ENOTTY))
743 return 0; /* not a tty */
1ff74fb6 744
02a51aba 745 return -errno;
4b3b5bc7 746 }
02a51aba 747
4b3b5bc7
LP		 748 /* This might fail. What matters are the results. */
749 r = fchmod_and_chown(fd, TTY_MODE, uid, -1);
750 if (r < 0)
751 return r;
02a51aba 752
4b3b5bc7 753 return 1;
02a51aba
LP		 754}
755
7d5ceb64 756static int setup_confirm_stdio(const char *vc, int *_saved_stdin, int *_saved_stdout) {
3d18b167
LP		 757 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
758 int r;
80876c20 759
80876c20
LP		 760 assert(_saved_stdin);
761 assert(_saved_stdout);
762
af6da548
LP		 763 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
764 if (saved_stdin < 0)
765 return -errno;
80876c20 766
af6da548 767 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
3d18b167
LP		 768 if (saved_stdout < 0)
769 return -errno;
80876c20 770
8854d795 771 fd = acquire_terminal(vc, ACQUIRE_TERMINAL_WAIT, DEFAULT_CONFIRM_USEC);
3d18b167
LP		 772 if (fd < 0)
773 return fd;
80876c20 774
af6da548
LP		 775 r = chown_terminal(fd, getuid());
776 if (r < 0)
3d18b167 777 return r;
02a51aba 778
3d18b167
LP		 779 r = reset_terminal_fd(fd, true);
780 if (r < 0)
781 return r;
80876c20 782
2b33ab09 783 r = rearrange_stdio(fd, fd, STDERR_FILENO);
3d18b167 784 fd = -1;
2b33ab09
LP		 785 if (r < 0)
786 return r;
80876c20
LP		 787
788 *_saved_stdin = saved_stdin;
789 *_saved_stdout = saved_stdout;
790
3d18b167 791 saved_stdin = saved_stdout = -1;
80876c20 792
3d18b167 793 return 0;
80876c20
LP		 794}
795
63d77c92 796static void write_confirm_error_fd(int err, int fd, const Unit *u) {
3b20f877
FB		 797 assert(err < 0);
798
799 if (err == -ETIMEDOUT)
63d77c92 800 dprintf(fd, "Confirmation question timed out for %s, assuming positive response.\n", u->id);
3b20f877
FB		 801 else {
802 errno = -err;
63d77c92 803 dprintf(fd, "Couldn't ask confirmation for %s: %m, assuming positive response.\n", u->id);
3b20f877
FB		 804 }
805}
806
63d77c92 807static void write_confirm_error(int err, const char *vc, const Unit *u) {
03e334a1 808 _cleanup_close_ int fd = -1;
80876c20 809
3b20f877 810 assert(vc);
80876c20 811
7d5ceb64 812 fd = open_terminal(vc, O_WRONLY|O_NOCTTY|O_CLOEXEC);
af6da548 813 if (fd < 0)
3b20f877 814 return;
80876c20 815
63d77c92 816 write_confirm_error_fd(err, fd, u);
af6da548 817}
80876c20 818
3d18b167 819static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
af6da548 820 int r = 0;
80876c20 821
af6da548
LP		 822 assert(saved_stdin);
823 assert(saved_stdout);
824
825 release_terminal();
826
827 if (*saved_stdin >= 0)
80876c20 828 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
af6da548 829 r = -errno;
80876c20 830
af6da548 831 if (*saved_stdout >= 0)
80876c20 832 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
af6da548 833 r = -errno;
80876c20 834
3d18b167
LP		 835 *saved_stdin = safe_close(*saved_stdin);
836 *saved_stdout = safe_close(*saved_stdout);
af6da548
LP		 837
838 return r;
839}
840
3b20f877
FB		 841enum {
842 CONFIRM_PRETEND_FAILURE = -1,
843 CONFIRM_PRETEND_SUCCESS = 0,
844 CONFIRM_EXECUTE = 1,
845};
846
eedf223a 847static int ask_for_confirmation(const char *vc, Unit *u, const char *cmdline) {
af6da548 848 int saved_stdout = -1, saved_stdin = -1, r;
2bcd3c26 849 _cleanup_free_ char *e = NULL;
3b20f877 850 char c;
af6da548 851
3b20f877 852 /* For any internal errors, assume a positive response. */
7d5ceb64 853 r = setup_confirm_stdio(vc, &saved_stdin, &saved_stdout);
3b20f877 854 if (r < 0) {
63d77c92 855 write_confirm_error(r, vc, u);
3b20f877
FB		 856 return CONFIRM_EXECUTE;
857 }
af6da548 858
b0eb2944
FB		 859 /* confirm_spawn might have been disabled while we were sleeping. */
860 if (manager_is_confirm_spawn_disabled(u->manager)) {
861 r = 1;
862 goto restore_stdio;
863 }
af6da548 864
2bcd3c26
FB		 865 e = ellipsize(cmdline, 60, 100);
866 if (!e) {
867 log_oom();
868 r = CONFIRM_EXECUTE;
869 goto restore_stdio;
870 }
af6da548 871
d172b175 872 for (;;) {
539622bd 873 r = ask_char(&c, "yfshiDjcn", "Execute %s? [y, f, s – h for help] ", e);
d172b175 874 if (r < 0) {
63d77c92 875 write_confirm_error_fd(r, STDOUT_FILENO, u);
d172b175
FB		 876 r = CONFIRM_EXECUTE;
877 goto restore_stdio;
878 }
af6da548 879
d172b175 880 switch (c) {
b0eb2944
FB		 881 case 'c':
882 printf("Resuming normal execution.\n");
883 manager_disable_confirm_spawn();
884 r = 1;
885 break;
dd6f9ac0
FB		 886 case 'D':
887 unit_dump(u, stdout, " ");
888 continue; /* ask again */
d172b175
FB		 889 case 'f':
890 printf("Failing execution.\n");
891 r = CONFIRM_PRETEND_FAILURE;
892 break;
893 case 'h':
b0eb2944
FB		 894 printf(" c - continue, proceed without asking anymore\n"
895 " D - dump, show the state of the unit\n"
dd6f9ac0 896 " f - fail, don't execute the command and pretend it failed\n"
d172b175 897 " h - help\n"
eedf223a 898 " i - info, show a short summary of the unit\n"
56fde33a 899 " j - jobs, show jobs that are in progress\n"
d172b175
FB		 900 " s - skip, don't execute the command and pretend it succeeded\n"
901 " y - yes, execute the command\n");
dd6f9ac0 902 continue; /* ask again */
eedf223a
FB		 903 case 'i':
904 printf(" Description: %s\n"
905 " Unit: %s\n"
906 " Command: %s\n",
907 u->id, u->description, cmdline);
908 continue; /* ask again */
56fde33a
FB		 909 case 'j':
910 manager_dump_jobs(u->manager, stdout, " ");
911 continue; /* ask again */
539622bd
FB		 912 case 'n':
913 /* 'n' was removed in favor of 'f'. */
914 printf("Didn't understand 'n', did you mean 'f'?\n");
915 continue; /* ask again */
d172b175
FB		 916 case 's':
917 printf("Skipping execution.\n");
918 r = CONFIRM_PRETEND_SUCCESS;
919 break;
920 case 'y':
921 r = CONFIRM_EXECUTE;
922 break;
923 default:
924 assert_not_reached("Unhandled choice");
925 }
3b20f877 926 break;
3b20f877 927 }
af6da548 928
3b20f877 929restore_stdio:
af6da548 930 restore_confirm_stdio(&saved_stdin, &saved_stdout);
af6da548 931 return r;
80876c20
LP		 932}
933
4d885bd3
DH		 934static int get_fixed_user(const ExecContext *c, const char **user,
935 uid_t *uid, gid_t *gid,
936 const char **home, const char **shell) {
81a2b7ce 937 int r;
4d885bd3 938 const char *name;
81a2b7ce 939
4d885bd3 940 assert(c);
81a2b7ce 941
23deef88
LP		 942 if (!c->user)
943 return 0;
944
4d885bd3
DH		 945 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
946 * (i.e. are "/" or "/bin/nologin"). */
81a2b7ce 947
23deef88 948 name = c->user;
fafff8f1 949 r = get_user_creds(&name, uid, gid, home, shell, USER_CREDS_CLEAN);
4d885bd3
DH		 950 if (r < 0)
951 return r;
81a2b7ce 952
4d885bd3
DH		 953 *user = name;
954 return 0;
955}
956
957static int get_fixed_group(const ExecContext *c, const char **group, gid_t *gid) {
958 int r;
959 const char *name;
960
961 assert(c);
962
963 if (!c->group)
964 return 0;
965
966 name = c->group;
fafff8f1 967 r = get_group_creds(&name, gid, 0);
4d885bd3
DH		 968 if (r < 0)
969 return r;
970
971 *group = name;
972 return 0;
973}
974
cdc5d5c5
DH		 975static int get_supplementary_groups(const ExecContext *c, const char *user,
976 const char *group, gid_t gid,
977 gid_t **supplementary_gids, int *ngids) {
4d885bd3
DH		 978 char **i;
979 int r, k = 0;
980 int ngroups_max;
981 bool keep_groups = false;
982 gid_t *groups = NULL;
983 _cleanup_free_ gid_t *l_gids = NULL;
984
985 assert(c);
986
bbeea271
DH		 987 /*
988 * If user is given, then lookup GID and supplementary groups list.
989 * We avoid NSS lookups for gid=0. Also we have to initialize groups
cdc5d5c5
DH		 990 * here and as early as possible so we keep the list of supplementary
991 * groups of the caller.
bbeea271
DH		 992 */
993 if (user && gid_is_valid(gid) && gid != 0) {
994 /* First step, initialize groups from /etc/groups */
995 if (initgroups(user, gid) < 0)
996 return -errno;
997
998 keep_groups = true;
999 }
1000
ac6e8be6 1001 if (strv_isempty(c->supplementary_groups))
4d885bd3
DH		 1002 return 0;
1003
366ddd25
DH		 1004 /*
1005 * If SupplementaryGroups= was passed then NGROUPS_MAX has to
1006 * be positive, otherwise fail.
1007 */
1008 errno = 0;
1009 ngroups_max = (int) sysconf(_SC_NGROUPS_MAX);
66855de7
LP		 1010 if (ngroups_max <= 0)
1011 return errno_or_else(EOPNOTSUPP);
366ddd25 1012
4d885bd3
DH		 1013 l_gids = new(gid_t, ngroups_max);
1014 if (!l_gids)
1015 return -ENOMEM;
81a2b7ce 1016
4d885bd3
DH		 1017 if (keep_groups) {
1018 /*
1019 * Lookup the list of groups that the user belongs to, we
1020 * avoid NSS lookups here too for gid=0.
1021 */
1022 k = ngroups_max;
1023 if (getgrouplist(user, gid, l_gids, &k) < 0)
1024 return -EINVAL;
1025 } else
1026 k = 0;
81a2b7ce 1027
4d885bd3
DH		 1028 STRV_FOREACH(i, c->supplementary_groups) {
1029 const char *g;
81a2b7ce 1030
4d885bd3
DH		 1031 if (k >= ngroups_max)
1032 return -E2BIG;
81a2b7ce 1033
4d885bd3 1034 g = *i;
fafff8f1 1035 r = get_group_creds(&g, l_gids+k, 0);
4d885bd3
DH		 1036 if (r < 0)
1037 return r;
81a2b7ce 1038
4d885bd3
DH		 1039 k++;
1040 }
81a2b7ce 1041
4d885bd3
DH		 1042 /*
1043 * Sets ngids to zero to drop all supplementary groups, happens
1044 * when we are under root and SupplementaryGroups= is empty.
1045 */
1046 if (k == 0) {
1047 *ngids = 0;
1048 return 0;
1049 }
81a2b7ce 1050
4d885bd3
DH		 1051 /* Otherwise get the final list of supplementary groups */
1052 groups = memdup(l_gids, sizeof(gid_t) * k);
1053 if (!groups)
1054 return -ENOMEM;
1055
1056 *supplementary_gids = groups;
1057 *ngids = k;
1058
1059 groups = NULL;
1060
1061 return 0;
1062}
1063
34cf6c43 1064static int enforce_groups(gid_t gid, const gid_t *supplementary_gids, int ngids) {
4d885bd3
DH		 1065 int r;
1066
709dbeac
YW		 1067 /* Handle SupplementaryGroups= if it is not empty */
1068 if (ngids > 0) {
4d885bd3
DH		 1069 r = maybe_setgroups(ngids, supplementary_gids);
1070 if (r < 0)
97f0e76f 1071 return r;
4d885bd3 1072 }
81a2b7ce 1073
4d885bd3
DH		 1074 if (gid_is_valid(gid)) {
1075 /* Then set our gids */
1076 if (setresgid(gid, gid, gid) < 0)
1077 return -errno;
81a2b7ce
LP		 1078 }
1079
1080 return 0;
1081}
1082
1083static int enforce_user(const ExecContext *context, uid_t uid) {
81a2b7ce
LP		 1084 assert(context);
1085
4d885bd3
DH		 1086 if (!uid_is_valid(uid))
1087 return 0;
1088
479050b3 1089 /* Sets (but doesn't look up) the uid and make sure we keep the
81a2b7ce
LP		 1090 * capabilities while doing so. */
1091
479050b3 1092 if (context->capability_ambient_set != 0) {
81a2b7ce
LP		 1093
1094 /* First step: If we need to keep capabilities but
1095 * drop privileges we need to make sure we keep our
cbb21cca 1096 * caps, while we drop privileges. */
693ced48 1097 if (uid != 0) {
cbb21cca 1098 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
693ced48
LP		 1099
1100 if (prctl(PR_GET_SECUREBITS) != sb)
1101 if (prctl(PR_SET_SECUREBITS, sb) < 0)
1102 return -errno;
1103 }
81a2b7ce
LP		 1104 }
1105
479050b3 1106 /* Second step: actually set the uids */
81a2b7ce
LP		 1107 if (setresuid(uid, uid, uid) < 0)
1108 return -errno;
1109
1110 /* At this point we should have all necessary capabilities but
1111 are otherwise a normal user. However, the caps might got
1112 corrupted due to the setresuid() so we need clean them up
1113 later. This is done outside of this call. */
1114
1115 return 0;
1116}
1117
349cc4a5 1118#if HAVE_PAM
5b6319dc
LP		 1119
1120static int null_conv(
1121 int num_msg,
1122 const struct pam_message **msg,
1123 struct pam_response **resp,
1124 void *appdata_ptr) {
1125
1126 /* We don't support conversations */
1127
1128 return PAM_CONV_ERR;
1129}
1130
cefc33ae
LP		 1131#endif
1132
5b6319dc
LP		 1133static int setup_pam(
1134 const char *name,
1135 const char *user,
940c5210 1136 uid_t uid,
2d6fce8d 1137 gid_t gid,
5b6319dc 1138 const char *tty,
2065ca69 1139 char ***env,
5b8d1f6b 1140 const int fds[], size_t n_fds) {
5b6319dc 1141
349cc4a5 1142#if HAVE_PAM
cefc33ae 1143
5b6319dc
LP		 1144 static const struct pam_conv conv = {
1145 .conv = null_conv,
1146 .appdata_ptr = NULL
1147 };
1148
2d7c6aa2 1149 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
5b6319dc 1150 pam_handle_t *handle = NULL;
d6e5f3ad 1151 sigset_t old_ss;
7bb70b6e 1152 int pam_code = PAM_SUCCESS, r;
84eada2f 1153 char **nv, **e = NULL;
5b6319dc
LP		 1154 bool close_session = false;
1155 pid_t pam_pid = 0, parent_pid;
970edce6 1156 int flags = 0;
5b6319dc
LP		 1157
1158 assert(name);
1159 assert(user);
2065ca69 1160 assert(env);
5b6319dc
LP		 1161
1162 /* We set up PAM in the parent process, then fork. The child
35b8ca3a 1163 * will then stay around until killed via PR_GET_PDEATHSIG or
5b6319dc
LP		 1164 * systemd via the cgroup logic. It will then remove the PAM
1165 * session again. The parent process will exec() the actual
1166 * daemon. We do things this way to ensure that the main PID
1167 * of the daemon is the one we initially fork()ed. */
1168
7bb70b6e
LP		 1169 r = barrier_create(&barrier);
1170 if (r < 0)
2d7c6aa2
DH		 1171 goto fail;
1172
553d2243 1173 if (log_get_max_level() < LOG_DEBUG)
970edce6
ZJS		 1174 flags |= PAM_SILENT;
1175
f546241b
ZJS		 1176 pam_code = pam_start(name, user, &conv, &handle);
1177 if (pam_code != PAM_SUCCESS) {
5b6319dc
LP		 1178 handle = NULL;
1179 goto fail;
1180 }
1181
3cd24c1a
LP		 1182 if (!tty) {
1183 _cleanup_free_ char *q = NULL;
1184
1185 /* Hmm, so no TTY was explicitly passed, but an fd passed to us directly might be a TTY. Let's figure
1186 * out if that's the case, and read the TTY off it. */
1187
1188 if (getttyname_malloc(STDIN_FILENO, &q) >= 0)
1189 tty = strjoina("/dev/", q);
1190 }
1191
f546241b
ZJS		 1192 if (tty) {
1193 pam_code = pam_set_item(handle, PAM_TTY, tty);
1194 if (pam_code != PAM_SUCCESS)
5b6319dc 1195 goto fail;
f546241b 1196 }
5b6319dc 1197
84eada2f
JW		 1198 STRV_FOREACH(nv, *env) {
1199 pam_code = pam_putenv(handle, *nv);
2065ca69
JW		 1200 if (pam_code != PAM_SUCCESS)
1201 goto fail;
1202 }
1203
970edce6 1204 pam_code = pam_acct_mgmt(handle, flags);
f546241b 1205 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 1206 goto fail;
1207
3bb39ea9
DG		 1208 pam_code = pam_setcred(handle, PAM_ESTABLISH_CRED | flags);
1209 if (pam_code != PAM_SUCCESS)
46d7c6af 1210 log_debug("pam_setcred() failed, ignoring: %s", pam_strerror(handle, pam_code));
3bb39ea9 1211
970edce6 1212 pam_code = pam_open_session(handle, flags);
f546241b 1213 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 1214 goto fail;
1215
1216 close_session = true;
1217
f546241b
ZJS		 1218 e = pam_getenvlist(handle);
1219 if (!e) {
5b6319dc
LP		 1220 pam_code = PAM_BUF_ERR;
1221 goto fail;
1222 }
1223
1224 /* Block SIGTERM, so that we know that it won't get lost in
1225 * the child */
ce30c8dc 1226
72c0a2c2 1227 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
5b6319dc 1228
df0ff127 1229 parent_pid = getpid_cached();
5b6319dc 1230
4c253ed1
LP		 1231 r = safe_fork("(sd-pam)", 0, &pam_pid);
1232 if (r < 0)
5b6319dc 1233 goto fail;
4c253ed1 1234 if (r == 0) {
7bb70b6e 1235 int sig, ret = EXIT_PAM;
5b6319dc
LP		 1236
1237 /* The child's job is to reset the PAM session on
1238 * termination */
2d7c6aa2 1239 barrier_set_role(&barrier, BARRIER_CHILD);
5b6319dc 1240
4c253ed1
LP		 1241 /* Make sure we don't keep open the passed fds in this child. We assume that otherwise only those fds
1242 * are open here that have been opened by PAM. */
1243 (void) close_many(fds, n_fds);
5b6319dc 1244
940c5210
AK		 1245 /* Drop privileges - we don't need any to pam_close_session
1246 * and this will make PR_SET_PDEATHSIG work in most cases.
1247 * If this fails, ignore the error - but expect sd-pam threads
1248 * to fail to exit normally */
2d6fce8d 1249
97f0e76f
LP		 1250 r = maybe_setgroups(0, NULL);
1251 if (r < 0)
1252 log_warning_errno(r, "Failed to setgroups() in sd-pam: %m");
2d6fce8d
LP		 1253 if (setresgid(gid, gid, gid) < 0)
1254 log_warning_errno(errno, "Failed to setresgid() in sd-pam: %m");
940c5210 1255 if (setresuid(uid, uid, uid) < 0)
2d6fce8d 1256 log_warning_errno(errno, "Failed to setresuid() in sd-pam: %m");
940c5210 1257
ce30c8dc
LP		 1258 (void) ignore_signals(SIGPIPE, -1);
1259
940c5210
AK		 1260 /* Wait until our parent died. This will only work if
1261 * the above setresuid() succeeds, otherwise the kernel
1262 * will not allow unprivileged parents kill their privileged
1263 * children this way. We rely on the control groups kill logic
5b6319dc
LP		 1264 * to do the rest for us. */
1265 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
1266 goto child_finish;
1267
2d7c6aa2
DH		 1268 /* Tell the parent that our setup is done. This is especially
1269 * important regarding dropping privileges. Otherwise, unit
643f4706
ZJS		 1270 * setup might race against our setresuid(2) call.
1271 *
1272 * If the parent aborted, we'll detect this below, hence ignore
1273 * return failure here. */
1274 (void) barrier_place(&barrier);
2d7c6aa2 1275
643f4706 1276 /* Check if our parent process might already have died? */
5b6319dc 1277 if (getppid() == parent_pid) {
d6e5f3ad
DM		 1278 sigset_t ss;
1279
1280 assert_se(sigemptyset(&ss) >= 0);
1281 assert_se(sigaddset(&ss, SIGTERM) >= 0);
1282
3dead8d9
LP		 1283 for (;;) {
1284 if (sigwait(&ss, &sig) < 0) {
1285 if (errno == EINTR)
1286 continue;
1287
1288 goto child_finish;
1289 }
5b6319dc 1290
3dead8d9
LP		 1291 assert(sig == SIGTERM);
1292 break;
1293 }
5b6319dc
LP		 1294 }
1295
3bb39ea9
DG		 1296 pam_code = pam_setcred(handle, PAM_DELETE_CRED | flags);
1297 if (pam_code != PAM_SUCCESS)
1298 goto child_finish;
1299
3dead8d9 1300 /* If our parent died we'll end the session */
f546241b 1301 if (getppid() != parent_pid) {
970edce6 1302 pam_code = pam_close_session(handle, flags);
f546241b 1303 if (pam_code != PAM_SUCCESS)
5b6319dc 1304 goto child_finish;
f546241b 1305 }
5b6319dc 1306
7bb70b6e 1307 ret = 0;
5b6319dc
LP		 1308
1309 child_finish:
970edce6 1310 pam_end(handle, pam_code | flags);
7bb70b6e 1311 _exit(ret);
5b6319dc
LP		 1312 }
1313
2d7c6aa2
DH		 1314 barrier_set_role(&barrier, BARRIER_PARENT);
1315
5b6319dc
LP		 1316 /* If the child was forked off successfully it will do all the
1317 * cleanups, so forget about the handle here. */
1318 handle = NULL;
1319
3b8bddde 1320 /* Unblock SIGTERM again in the parent */
72c0a2c2 1321 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
5b6319dc
LP		 1322
1323 /* We close the log explicitly here, since the PAM modules
1324 * might have opened it, but we don't want this fd around. */
1325 closelog();
1326
2d7c6aa2
DH		 1327 /* Synchronously wait for the child to initialize. We don't care for
1328 * errors as we cannot recover. However, warn loudly if it happens. */
1329 if (!barrier_place_and_sync(&barrier))
1330 log_error("PAM initialization failed");
1331
130d3d22 1332 return strv_free_and_replace(*env, e);
5b6319dc
LP		 1333
1334fail:
970edce6
ZJS		 1335 if (pam_code != PAM_SUCCESS) {
1336 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
7bb70b6e
LP		 1337 r = -EPERM; /* PAM errors do not map to errno */
1338 } else
1339 log_error_errno(r, "PAM failed: %m");
9ba35398 1340
5b6319dc
LP		 1341 if (handle) {
1342 if (close_session)
970edce6 1343 pam_code = pam_close_session(handle, flags);
5b6319dc 1344
970edce6 1345 pam_end(handle, pam_code | flags);
5b6319dc
LP		 1346 }
1347
1348 strv_free(e);
5b6319dc
LP		 1349 closelog();
1350
7bb70b6e 1351 return r;
cefc33ae
LP		 1352#else
1353 return 0;
5b6319dc 1354#endif
cefc33ae 1355}
5b6319dc 1356
5d6b1584
LP		 1357static void rename_process_from_path(const char *path) {
1358 char process_name[11];
1359 const char *p;
1360 size_t l;
1361
1362 /* This resulting string must fit in 10 chars (i.e. the length
1363 * of "/sbin/init") to look pretty in /bin/ps */
1364
2b6bf07d 1365 p = basename(path);
5d6b1584
LP		 1366 if (isempty(p)) {
1367 rename_process("(...)");
1368 return;
1369 }
1370
1371 l = strlen(p);
1372 if (l > 8) {
1373 /* The end of the process name is usually more
1374 * interesting, since the first bit might just be
1375 * "systemd-" */
1376 p = p + l - 8;
1377 l = 8;
1378 }
1379
1380 process_name[0] = '(';
1381 memcpy(process_name+1, p, l);
1382 process_name[1+l] = ')';
1383 process_name[1+l+1] = 0;
1384
1385 rename_process(process_name);
1386}
1387
469830d1
LP		 1388static bool context_has_address_families(const ExecContext *c) {
1389 assert(c);
1390
1391 return c->address_families_whitelist ||
1392 !set_isempty(c->address_families);
1393}
1394
1395static bool context_has_syscall_filters(const ExecContext *c) {
1396 assert(c);
1397
1398 return c->syscall_whitelist ||
8cfa775f 1399 !hashmap_isempty(c->syscall_filter);
469830d1
LP		 1400}
1401
1402static bool context_has_no_new_privileges(const ExecContext *c) {
1403 assert(c);
1404
1405 if (c->no_new_privileges)
1406 return true;
1407
1408 if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
1409 return false;
1410
1411 /* We need NNP if we have any form of seccomp and are unprivileged */
1412 return context_has_address_families(c) ||
1413 c->memory_deny_write_execute ||
1414 c->restrict_realtime ||
f69567cb 1415 c->restrict_suid_sgid ||
469830d1 1416 exec_context_restrict_namespaces_set(c) ||
fc64760d 1417 c->protect_clock ||
469830d1
LP		 1418 c->protect_kernel_tunables ||
1419 c->protect_kernel_modules ||
84703040 1420 c->protect_kernel_logs ||
469830d1
LP		 1421 c->private_devices ||
1422 context_has_syscall_filters(c) ||
78e864e5 1423 !set_isempty(c->syscall_archs) ||
aecd5ac6
TM		 1424 c->lock_personality ||
1425 c->protect_hostname;
469830d1
LP		 1426}
1427
349cc4a5 1428#if HAVE_SECCOMP
17df7223 1429
83f12b27 1430static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
f673b62d
LP		 1431
1432 if (is_seccomp_available())
1433 return false;
1434
f673b62d 1435 log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
f673b62d 1436 return true;
83f12b27
FS		 1437}
1438
165a31c0 1439static int apply_syscall_filter(const Unit* u, const ExecContext *c, bool needs_ambient_hack) {
469830d1 1440 uint32_t negative_action, default_action, action;
165a31c0 1441 int r;
8351ceae 1442
469830d1 1443 assert(u);
c0467cf3 1444 assert(c);
8351ceae 1445
469830d1 1446 if (!context_has_syscall_filters(c))
83f12b27
FS		 1447 return 0;
1448
469830d1
LP		 1449 if (skip_seccomp_unavailable(u, "SystemCallFilter="))
1450 return 0;
e9642be2 1451
ccc16c78 1452 negative_action = c->syscall_errno == 0 ? scmp_act_kill_process() : SCMP_ACT_ERRNO(c->syscall_errno);
e9642be2 1453
469830d1
LP		 1454 if (c->syscall_whitelist) {
1455 default_action = negative_action;
1456 action = SCMP_ACT_ALLOW;
7c66bae2 1457 } else {
469830d1
LP		 1458 default_action = SCMP_ACT_ALLOW;
1459 action = negative_action;
57183d11 1460 }
8351ceae 1461
165a31c0
LP		 1462 if (needs_ambient_hack) {
1463 r = seccomp_filter_set_add(c->syscall_filter, c->syscall_whitelist, syscall_filter_sets + SYSCALL_FILTER_SET_SETUID);
1464 if (r < 0)
1465 return r;
1466 }
1467
b54f36c6 1468 return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_filter, action, false);
4298d0b5
LP		 1469}
1470
469830d1
LP		 1471static int apply_syscall_archs(const Unit *u, const ExecContext *c) {
1472 assert(u);
4298d0b5
LP		 1473 assert(c);
1474
469830d1 1475 if (set_isempty(c->syscall_archs))
83f12b27
FS		 1476 return 0;
1477
469830d1
LP		 1478 if (skip_seccomp_unavailable(u, "SystemCallArchitectures="))
1479 return 0;
4298d0b5 1480
469830d1
LP		 1481 return seccomp_restrict_archs(c->syscall_archs);
1482}
4298d0b5 1483
469830d1
LP		 1484static int apply_address_families(const Unit* u, const ExecContext *c) {
1485 assert(u);
1486 assert(c);
4298d0b5 1487
469830d1
LP		 1488 if (!context_has_address_families(c))
1489 return 0;
4298d0b5 1490
469830d1
LP		 1491 if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
1492 return 0;
4298d0b5 1493
469830d1 1494 return seccomp_restrict_address_families(c->address_families, c->address_families_whitelist);
8351ceae 1495}
4298d0b5 1496
83f12b27 1497static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c) {
469830d1 1498 assert(u);
f3e43635
TM		 1499 assert(c);
1500
469830d1 1501 if (!c->memory_deny_write_execute)
83f12b27
FS		 1502 return 0;
1503
469830d1
LP		 1504 if (skip_seccomp_unavailable(u, "MemoryDenyWriteExecute="))
1505 return 0;
f3e43635 1506
469830d1 1507 return seccomp_memory_deny_write_execute();
f3e43635
TM		 1508}
1509
83f12b27 1510static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
469830d1 1511 assert(u);
f4170c67
LP		 1512 assert(c);
1513
469830d1 1514 if (!c->restrict_realtime)
83f12b27
FS		 1515 return 0;
1516
469830d1
LP		 1517 if (skip_seccomp_unavailable(u, "RestrictRealtime="))
1518 return 0;
f4170c67 1519
469830d1 1520 return seccomp_restrict_realtime();
f4170c67
LP		 1521}
1522
f69567cb
LP		 1523static int apply_restrict_suid_sgid(const Unit* u, const ExecContext *c) {
1524 assert(u);
1525 assert(c);
1526
1527 if (!c->restrict_suid_sgid)
1528 return 0;
1529
1530 if (skip_seccomp_unavailable(u, "RestrictSUIDSGID="))
1531 return 0;
1532
1533 return seccomp_restrict_suid_sgid();
1534}
1535
59e856c7 1536static int apply_protect_sysctl(const Unit *u, const ExecContext *c) {
469830d1 1537 assert(u);
59eeb84b
LP		 1538 assert(c);
1539
1540 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1541 * let's protect even those systems where this is left on in the kernel. */
1542
469830d1 1543 if (!c->protect_kernel_tunables)
59eeb84b
LP		 1544 return 0;
1545
469830d1
LP		 1546 if (skip_seccomp_unavailable(u, "ProtectKernelTunables="))
1547 return 0;
59eeb84b 1548
469830d1 1549 return seccomp_protect_sysctl();
59eeb84b
LP		 1550}
1551
59e856c7 1552static int apply_protect_kernel_modules(const Unit *u, const ExecContext *c) {
469830d1 1553 assert(u);
502d704e
DH		 1554 assert(c);
1555
25a8d8a0 1556 /* Turn off module syscalls on ProtectKernelModules=yes */
502d704e 1557
469830d1
LP		 1558 if (!c->protect_kernel_modules)
1559 return 0;
1560
502d704e
DH		 1561 if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
1562 return 0;
1563
b54f36c6 1564 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM), false);
502d704e
DH		 1565}
1566
84703040
KK		 1567static int apply_protect_kernel_logs(const Unit *u, const ExecContext *c) {
1568 assert(u);
1569 assert(c);
1570
1571 if (!c->protect_kernel_logs)
1572 return 0;
1573
1574 if (skip_seccomp_unavailable(u, "ProtectKernelLogs="))
1575 return 0;
1576
1577 return seccomp_protect_syslog();
1578}
1579
daf8f72b 1580static int apply_protect_clock(const Unit *u, const ExecContext *c) {
fc64760d
KK		 1581 assert(u);
1582 assert(c);
1583
1584 if (!c->protect_clock)
1585 return 0;
1586
1587 if (skip_seccomp_unavailable(u, "ProtectClock="))
1588 return 0;
1589
1590 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_CLOCK, SCMP_ACT_ERRNO(EPERM), false);
1591}
1592
59e856c7 1593static int apply_private_devices(const Unit *u, const ExecContext *c) {
469830d1 1594 assert(u);
ba128bb8
LP		 1595 assert(c);
1596
8f81a5f6 1597 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
ba128bb8 1598
469830d1
LP		 1599 if (!c->private_devices)
1600 return 0;
1601
ba128bb8
LP		 1602 if (skip_seccomp_unavailable(u, "PrivateDevices="))
1603 return 0;
1604
b54f36c6 1605 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM), false);
ba128bb8
LP		 1606}
1607
34cf6c43 1608static int apply_restrict_namespaces(const Unit *u, const ExecContext *c) {
469830d1 1609 assert(u);
add00535
LP		 1610 assert(c);
1611
1612 if (!exec_context_restrict_namespaces_set(c))
1613 return 0;
1614
1615 if (skip_seccomp_unavailable(u, "RestrictNamespaces="))
1616 return 0;
1617
1618 return seccomp_restrict_namespaces(c->restrict_namespaces);
1619}
1620
78e864e5 1621static int apply_lock_personality(const Unit* u, const ExecContext *c) {
e8132d63
LP		 1622 unsigned long personality;
1623 int r;
78e864e5
TM		 1624
1625 assert(u);
1626 assert(c);
1627
1628 if (!c->lock_personality)
1629 return 0;
1630
1631 if (skip_seccomp_unavailable(u, "LockPersonality="))
1632 return 0;
1633
e8132d63
LP		 1634 personality = c->personality;
1635
1636 /* If personality is not specified, use either PER_LINUX or PER_LINUX32 depending on what is currently set. */
1637 if (personality == PERSONALITY_INVALID) {
1638
1639 r = opinionated_personality(&personality);
1640 if (r < 0)
1641 return r;
1642 }
78e864e5
TM		 1643
1644 return seccomp_lock_personality(personality);
1645}
1646
c0467cf3 1647#endif
8351ceae 1648
daf8f72b 1649static int apply_protect_hostname(const Unit *u, const ExecContext *c, int *ret_exit_status) {
daf8f72b
LP		 1650 assert(u);
1651 assert(c);
1652
1653 if (!c->protect_hostname)
1654 return 0;
1655
1656 if (ns_type_supported(NAMESPACE_UTS)) {
1657 if (unshare(CLONE_NEWUTS) < 0) {
1658 if (!ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno)) {
1659 *ret_exit_status = EXIT_NAMESPACE;
1660 return log_unit_error_errno(u, errno, "Failed to set up UTS namespacing: %m");
1661 }
1662
1663 log_unit_warning(u, "ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.");
1664 }
1665 } else
1666 log_unit_warning(u, "ProtectHostname=yes is configured, but the kernel does not support UTS namespaces, ignoring namespace setup.");
1667
1668#if HAVE_SECCOMP
8f3e342f
ZJS		 1669 int r;
1670
daf8f72b
LP		 1671 if (skip_seccomp_unavailable(u, "ProtectHostname="))
1672 return 0;
1673
1674 r = seccomp_protect_hostname();
1675 if (r < 0) {
1676 *ret_exit_status = EXIT_SECCOMP;
1677 return log_unit_error_errno(u, r, "Failed to apply hostname restrictions: %m");
1678 }
1679#endif
1680
1681 return 0;
1682}
1683
3042bbeb 1684static void do_idle_pipe_dance(int idle_pipe[static 4]) {
31a7eb86
ZJS		 1685 assert(idle_pipe);
1686
54eb2300
LP		 1687 idle_pipe[1] = safe_close(idle_pipe[1]);
1688 idle_pipe[2] = safe_close(idle_pipe[2]);
31a7eb86
ZJS		 1689
1690 if (idle_pipe[0] >= 0) {
1691 int r;
1692
1693 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1694
1695 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
c7cc737f
LP		 1696 ssize_t n;
1697
31a7eb86 1698 /* Signal systemd that we are bored and want to continue. */
c7cc737f
LP		 1699 n = write(idle_pipe[3], "x", 1);
1700 if (n > 0)
cd972d69 1701 /* Wait for systemd to react to the signal above. */
54756dce 1702 (void) fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
31a7eb86
ZJS		 1703 }
1704
54eb2300 1705 idle_pipe[0] = safe_close(idle_pipe[0]);
31a7eb86
ZJS		 1706
1707 }
1708
54eb2300 1709 idle_pipe[3] = safe_close(idle_pipe[3]);
31a7eb86
ZJS		 1710}
1711
fb2042dd
YW		 1712static const char *exec_directory_env_name_to_string(ExecDirectoryType t);
1713
7cae38c4 1714static int build_environment(
34cf6c43 1715 const Unit *u,
9fa95f85 1716 const ExecContext *c,
1e22b5cd 1717 const ExecParameters *p,
da6053d0 1718 size_t n_fds,
7cae38c4
LP		 1719 const char *home,
1720 const char *username,
1721 const char *shell,
7bce046b
LP		 1722 dev_t journal_stream_dev,
1723 ino_t journal_stream_ino,
7cae38c4
LP		 1724 char ***ret) {
1725
1726 _cleanup_strv_free_ char **our_env = NULL;
fb2042dd 1727 ExecDirectoryType t;
da6053d0 1728 size_t n_env = 0;
7cae38c4
LP		 1729 char *x;
1730
4b58153d 1731 assert(u);
7cae38c4 1732 assert(c);
7c1cb6f1 1733 assert(p);
7cae38c4
LP		 1734 assert(ret);
1735
91dd5f7c 1736 our_env = new0(char*, 15 + _EXEC_DIRECTORY_TYPE_MAX);
7cae38c4
LP		 1737 if (!our_env)
1738 return -ENOMEM;
1739
1740 if (n_fds > 0) {
8dd4c05b
LP		 1741 _cleanup_free_ char *joined = NULL;
1742
df0ff127 1743 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid_cached()) < 0)
7cae38c4
LP		 1744 return -ENOMEM;
1745 our_env[n_env++] = x;
1746
da6053d0 1747 if (asprintf(&x, "LISTEN_FDS=%zu", n_fds) < 0)
7cae38c4
LP		 1748 return -ENOMEM;
1749 our_env[n_env++] = x;
8dd4c05b 1750
1e22b5cd 1751 joined = strv_join(p->fd_names, ":");
8dd4c05b
LP		 1752 if (!joined)
1753 return -ENOMEM;
1754
605405c6 1755 x = strjoin("LISTEN_FDNAMES=", joined);
8dd4c05b
LP		 1756 if (!x)
1757 return -ENOMEM;
1758 our_env[n_env++] = x;
7cae38c4
LP		 1759 }
1760
b08af3b1 1761 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
df0ff127 1762 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid_cached()) < 0)
09812eb7
LP		 1763 return -ENOMEM;
1764 our_env[n_env++] = x;
1765
1e22b5cd 1766 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
09812eb7
LP		 1767 return -ENOMEM;
1768 our_env[n_env++] = x;
1769 }
1770
fd63e712
LP		 1771 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1772 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1773 * check the database directly. */
ac647978 1774 if (p->flags & EXEC_NSS_BYPASS_BUS) {
fd63e712
LP		 1775 x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1776 if (!x)
1777 return -ENOMEM;
1778 our_env[n_env++] = x;
1779 }
1780
7cae38c4 1781 if (home) {
b910cc72 1782 x = strjoin("HOME=", home);
7cae38c4
LP		 1783 if (!x)
1784 return -ENOMEM;
7bbead1d
LP		 1785
1786 path_simplify(x + 5, true);
7cae38c4
LP		 1787 our_env[n_env++] = x;
1788 }
1789
1790 if (username) {
b910cc72 1791 x = strjoin("LOGNAME=", username);
7cae38c4
LP		 1792 if (!x)
1793 return -ENOMEM;
1794 our_env[n_env++] = x;
1795
b910cc72 1796 x = strjoin("USER=", username);
7cae38c4
LP		 1797 if (!x)
1798 return -ENOMEM;
1799 our_env[n_env++] = x;
1800 }
1801
1802 if (shell) {
b910cc72 1803 x = strjoin("SHELL=", shell);
7cae38c4
LP		 1804 if (!x)
1805 return -ENOMEM;
7bbead1d
LP		 1806
1807 path_simplify(x + 6, true);
7cae38c4
LP		 1808 our_env[n_env++] = x;
1809 }
1810
4b58153d
LP		 1811 if (!sd_id128_is_null(u->invocation_id)) {
1812 if (asprintf(&x, "INVOCATION_ID=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(u->invocation_id)) < 0)
1813 return -ENOMEM;
1814
1815 our_env[n_env++] = x;
1816 }
1817
6af760f3
LP		 1818 if (exec_context_needs_term(c)) {
1819 const char *tty_path, *term = NULL;
1820
1821 tty_path = exec_context_tty_path(c);
1822
e8cf09b2
LP		 1823 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try
1824 * to inherit the $TERM set for PID 1. This is useful for containers so that the $TERM the
1825 * container manager passes to PID 1 ends up all the way in the console login shown. */
6af760f3 1826
e8cf09b2 1827 if (path_equal_ptr(tty_path, "/dev/console") && getppid() == 1)
6af760f3 1828 term = getenv("TERM");
e8cf09b2 1829
6af760f3
LP		 1830 if (!term)
1831 term = default_term_for_tty(tty_path);
7cae38c4 1832
b910cc72 1833 x = strjoin("TERM=", term);
7cae38c4
LP		 1834 if (!x)
1835 return -ENOMEM;
1836 our_env[n_env++] = x;
1837 }
1838
7bce046b
LP		 1839 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1840 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1841 return -ENOMEM;
1842
1843 our_env[n_env++] = x;
1844 }
1845
91dd5f7c
LP		 1846 if (c->log_namespace) {
1847 x = strjoin("LOG_NAMESPACE=", c->log_namespace);
1848 if (!x)
1849 return -ENOMEM;
1850
1851 our_env[n_env++] = x;
1852 }
1853
fb2042dd
YW		 1854 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
1855 _cleanup_free_ char *pre = NULL, *joined = NULL;
1856 const char *n;
1857
1858 if (!p->prefix[t])
1859 continue;
1860
1861 if (strv_isempty(c->directories[t].paths))
1862 continue;
1863
1864 n = exec_directory_env_name_to_string(t);
1865 if (!n)
1866 continue;
1867
1868 pre = strjoin(p->prefix[t], "/");
1869 if (!pre)
1870 return -ENOMEM;
1871
1872 joined = strv_join_prefix(c->directories[t].paths, ":", pre);
1873 if (!joined)
1874 return -ENOMEM;
1875
1876 x = strjoin(n, "=", joined);
1877 if (!x)
1878 return -ENOMEM;
1879
1880 our_env[n_env++] = x;
1881 }
1882
7cae38c4 1883 our_env[n_env++] = NULL;
fb2042dd 1884 assert(n_env <= 14 + _EXEC_DIRECTORY_TYPE_MAX);
7cae38c4 1885
ae2a15bc 1886 *ret = TAKE_PTR(our_env);
7cae38c4
LP		 1887
1888 return 0;
1889}
1890
b4c14404
FB		 1891static int build_pass_environment(const ExecContext *c, char ***ret) {
1892 _cleanup_strv_free_ char **pass_env = NULL;
1893 size_t n_env = 0, n_bufsize = 0;
1894 char **i;
1895
1896 STRV_FOREACH(i, c->pass_environment) {
1897 _cleanup_free_ char *x = NULL;
1898 char *v;
1899
1900 v = getenv(*i);
1901 if (!v)
1902 continue;
605405c6 1903 x = strjoin(*i, "=", v);
b4c14404
FB		 1904 if (!x)
1905 return -ENOMEM;
00819cc1 1906
b4c14404
FB		 1907 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1908 return -ENOMEM;
00819cc1 1909
1cc6c93a 1910 pass_env[n_env++] = TAKE_PTR(x);
b4c14404 1911 pass_env[n_env] = NULL;
b4c14404
FB		 1912 }
1913
ae2a15bc 1914 *ret = TAKE_PTR(pass_env);
b4c14404
FB		 1915
1916 return 0;
1917}
1918
8b44a3d2
LP		 1919static bool exec_needs_mount_namespace(
1920 const ExecContext *context,
1921 const ExecParameters *params,
4657abb5 1922 const ExecRuntime *runtime) {
8b44a3d2
LP		 1923
1924 assert(context);
1925 assert(params);
1926
915e6d16
LP		 1927 if (context->root_image)
1928 return true;
1929
2a624c36
AP		 1930 if (!strv_isempty(context->read_write_paths) ||
1931 !strv_isempty(context->read_only_paths) ||
1932 !strv_isempty(context->inaccessible_paths))
8b44a3d2
LP		 1933 return true;
1934
42b1d8e0 1935 if (context->n_bind_mounts > 0)
d2d6c096
LP		 1936 return true;
1937
2abd4e38
YW		 1938 if (context->n_temporary_filesystems > 0)
1939 return true;
1940
37ed15d7 1941 if (!IN_SET(context->mount_flags, 0, MS_SHARED))
8b44a3d2
LP		 1942 return true;
1943
1944 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1945 return true;
1946
8b44a3d2 1947 if (context->private_devices ||
228af36f 1948 context->private_mounts ||
8b44a3d2 1949 context->protect_system != PROTECT_SYSTEM_NO ||
59eeb84b
LP		 1950 context->protect_home != PROTECT_HOME_NO ||
1951 context->protect_kernel_tunables ||
c575770b 1952 context->protect_kernel_modules ||
94a7b275 1953 context->protect_kernel_logs ||
59eeb84b 1954 context->protect_control_groups)
8b44a3d2
LP		 1955 return true;
1956
37c56f89
YW		 1957 if (context->root_directory) {
1958 ExecDirectoryType t;
1959
1960 if (context->mount_apivfs)
1961 return true;
1962
1963 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
1964 if (!params->prefix[t])
1965 continue;
1966
1967 if (!strv_isempty(context->directories[t].paths))
1968 return true;
1969 }
1970 }
5d997827 1971
42b1d8e0 1972 if (context->dynamic_user &&
b43ee82f 1973 (!strv_isempty(context->directories[EXEC_DIRECTORY_STATE].paths) ||
42b1d8e0
YW		 1974 !strv_isempty(context->directories[EXEC_DIRECTORY_CACHE].paths) ||
1975 !strv_isempty(context->directories[EXEC_DIRECTORY_LOGS].paths)))
1976 return true;
1977
91dd5f7c
LP		 1978 if (context->log_namespace)
1979 return true;
1980
8b44a3d2
LP		 1981 return false;
1982}
1983
5749f855 1984static int setup_private_users(uid_t ouid, gid_t ogid, uid_t uid, gid_t gid) {
d251207d
LP		 1985 _cleanup_free_ char *uid_map = NULL, *gid_map = NULL;
1986 _cleanup_close_pair_ int errno_pipe[2] = { -1, -1 };
1987 _cleanup_close_ int unshare_ready_fd = -1;
1988 _cleanup_(sigkill_waitp) pid_t pid = 0;
1989 uint64_t c = 1;
d251207d
LP		 1990 ssize_t n;
1991 int r;
1992
5749f855
AZ		 1993 /* Set up a user namespace and map the original UID/GID (IDs from before any user or group changes, i.e.
1994 * the IDs from the user or system manager(s)) to itself, the selected UID/GID to itself, and everything else to
d251207d
LP		 1995 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1996 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1997 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1998 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
5749f855
AZ		 1999 * continues execution normally.
2000 * For unprivileged users (i.e. without capabilities), the root to root mapping is excluded. As such, it
2001 * does not need CAP_SETUID to write the single line mapping to itself. */
d251207d 2002
5749f855
AZ		 2003 /* Can only set up multiple mappings with CAP_SETUID. */
2004 if (have_effective_cap(CAP_SETUID) && uid != ouid && uid_is_valid(uid))
587ab01b 2005 r = asprintf(&uid_map,
5749f855 2006 UID_FMT " " UID_FMT " 1\n" /* Map $OUID → $OUID */
587ab01b 2007 UID_FMT " " UID_FMT " 1\n", /* Map $UID → $UID */
5749f855
AZ		 2008 ouid, ouid, uid, uid);
2009 else
2010 r = asprintf(&uid_map,
2011 UID_FMT " " UID_FMT " 1\n", /* Map $OUID → $OUID */
2012 ouid, ouid);
d251207d 2013
5749f855
AZ		 2014 if (r < 0)
2015 return -ENOMEM;
2016
2017 /* Can only set up multiple mappings with CAP_SETGID. */
2018 if (have_effective_cap(CAP_SETGID) && gid != ogid && gid_is_valid(gid))
587ab01b 2019 r = asprintf(&gid_map,
5749f855 2020 GID_FMT " " GID_FMT " 1\n" /* Map $OGID → $OGID */
587ab01b 2021 GID_FMT " " GID_FMT " 1\n", /* Map $GID → $GID */
5749f855
AZ		 2022 ogid, ogid, gid, gid);
2023 else
2024 r = asprintf(&gid_map,
2025 GID_FMT " " GID_FMT " 1\n", /* Map $OGID -> $OGID */
2026 ogid, ogid);
2027
2028 if (r < 0)
2029 return -ENOMEM;
d251207d
LP		 2030
2031 /* Create a communication channel so that the parent can tell the child when it finished creating the user
2032 * namespace. */
2033 unshare_ready_fd = eventfd(0, EFD_CLOEXEC);
2034 if (unshare_ready_fd < 0)
2035 return -errno;
2036
2037 /* Create a communication channel so that the child can tell the parent a proper error code in case it
2038 * failed. */
2039 if (pipe2(errno_pipe, O_CLOEXEC) < 0)
2040 return -errno;
2041
4c253ed1
LP		 2042 r = safe_fork("(sd-userns)", FORK_RESET_SIGNALS|FORK_DEATHSIG, &pid);
2043 if (r < 0)
2044 return r;
2045 if (r == 0) {
d251207d
LP		 2046 _cleanup_close_ int fd = -1;
2047 const char *a;
2048 pid_t ppid;
2049
2050 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
2051 * here, after the parent opened its own user namespace. */
2052
2053 ppid = getppid();
2054 errno_pipe[0] = safe_close(errno_pipe[0]);
2055
2056 /* Wait until the parent unshared the user namespace */
2057 if (read(unshare_ready_fd, &c, sizeof(c)) < 0) {
2058 r = -errno;
2059 goto child_fail;
2060 }
2061
2062 /* Disable the setgroups() system call in the child user namespace, for good. */
2063 a = procfs_file_alloca(ppid, "setgroups");
2064 fd = open(a, O_WRONLY|O_CLOEXEC);
2065 if (fd < 0) {
2066 if (errno != ENOENT) {
2067 r = -errno;
2068 goto child_fail;
2069 }
2070
2071 /* If the file is missing the kernel is too old, let's continue anyway. */
2072 } else {
2073 if (write(fd, "deny\n", 5) < 0) {
2074 r = -errno;
2075 goto child_fail;
2076 }
2077
2078 fd = safe_close(fd);
2079 }
2080
2081 /* First write the GID map */
2082 a = procfs_file_alloca(ppid, "gid_map");
2083 fd = open(a, O_WRONLY|O_CLOEXEC);
2084 if (fd < 0) {
2085 r = -errno;
2086 goto child_fail;
2087 }
2088 if (write(fd, gid_map, strlen(gid_map)) < 0) {
2089 r = -errno;
2090 goto child_fail;
2091 }
2092 fd = safe_close(fd);
2093
2094 /* The write the UID map */
2095 a = procfs_file_alloca(ppid, "uid_map");
2096 fd = open(a, O_WRONLY|O_CLOEXEC);
2097 if (fd < 0) {
2098 r = -errno;
2099 goto child_fail;
2100 }
2101 if (write(fd, uid_map, strlen(uid_map)) < 0) {
2102 r = -errno;
2103 goto child_fail;
2104 }
2105
2106 _exit(EXIT_SUCCESS);
2107
2108 child_fail:
2109 (void) write(errno_pipe[1], &r, sizeof(r));
2110 _exit(EXIT_FAILURE);
2111 }
2112
2113 errno_pipe[1] = safe_close(errno_pipe[1]);
2114
2115 if (unshare(CLONE_NEWUSER) < 0)
2116 return -errno;
2117
2118 /* Let the child know that the namespace is ready now */
2119 if (write(unshare_ready_fd, &c, sizeof(c)) < 0)
2120 return -errno;
2121
2122 /* Try to read an error code from the child */
2123 n = read(errno_pipe[0], &r, sizeof(r));
2124 if (n < 0)
2125 return -errno;
2126 if (n == sizeof(r)) { /* an error code was sent to us */
2127 if (r < 0)
2128 return r;
2129 return -EIO;
2130 }
2131 if (n != 0) /* on success we should have read 0 bytes */
2132 return -EIO;
2133
2e87a1fd
LP		 2134 r = wait_for_terminate_and_check("(sd-userns)", pid, 0);
2135 pid = 0;
d251207d
LP		 2136 if (r < 0)
2137 return r;
2e87a1fd 2138 if (r != EXIT_SUCCESS) /* If something strange happened with the child, let's consider this fatal, too */
d251207d
LP		 2139 return -EIO;
2140
2141 return 0;
2142}
2143
494d0247
YW		 2144static bool exec_directory_is_private(const ExecContext *context, ExecDirectoryType type) {
2145 if (!context->dynamic_user)
2146 return false;
2147
2148 if (type == EXEC_DIRECTORY_CONFIGURATION)
2149 return false;
2150
2151 if (type == EXEC_DIRECTORY_RUNTIME && context->runtime_directory_preserve_mode == EXEC_PRESERVE_NO)
2152 return false;
2153
2154 return true;
2155}
2156
3536f49e 2157static int setup_exec_directory(
07689d5d
LP		 2158 const ExecContext *context,
2159 const ExecParameters *params,
2160 uid_t uid,
3536f49e 2161 gid_t gid,
3536f49e
YW		 2162 ExecDirectoryType type,
2163 int *exit_status) {
07689d5d 2164
72fd1768 2165 static const int exit_status_table[_EXEC_DIRECTORY_TYPE_MAX] = {
3536f49e
YW		 2166 [EXEC_DIRECTORY_RUNTIME] = EXIT_RUNTIME_DIRECTORY,
2167 [EXEC_DIRECTORY_STATE] = EXIT_STATE_DIRECTORY,
2168 [EXEC_DIRECTORY_CACHE] = EXIT_CACHE_DIRECTORY,
2169 [EXEC_DIRECTORY_LOGS] = EXIT_LOGS_DIRECTORY,
2170 [EXEC_DIRECTORY_CONFIGURATION] = EXIT_CONFIGURATION_DIRECTORY,
2171 };
07689d5d
LP		 2172 char **rt;
2173 int r;
2174
2175 assert(context);
2176 assert(params);
72fd1768 2177 assert(type >= 0 && type < _EXEC_DIRECTORY_TYPE_MAX);
3536f49e 2178 assert(exit_status);
07689d5d 2179
3536f49e
YW		 2180 if (!params->prefix[type])
2181 return 0;
2182
8679efde 2183 if (params->flags & EXEC_CHOWN_DIRECTORIES) {
3536f49e
YW		 2184 if (!uid_is_valid(uid))
2185 uid = 0;
2186 if (!gid_is_valid(gid))
2187 gid = 0;
2188 }
2189
2190 STRV_FOREACH(rt, context->directories[type].paths) {
6c47cd7d 2191 _cleanup_free_ char *p = NULL, *pp = NULL;
07689d5d 2192
edbfeb12 2193 p = path_join(params->prefix[type], *rt);
3536f49e
YW		 2194 if (!p) {
2195 r = -ENOMEM;
2196 goto fail;
2197 }
07689d5d 2198
23a7448e
YW		 2199 r = mkdir_parents_label(p, 0755);
2200 if (r < 0)
3536f49e 2201 goto fail;
23a7448e 2202
494d0247 2203 if (exec_directory_is_private(context, type)) {
6c9c51e5 2204 _cleanup_free_ char *private_root = NULL;
6c47cd7d 2205
3f5b1508
LP		 2206 /* So, here's one extra complication when dealing with DynamicUser=1 units. In that
2207 * case we want to avoid leaving a directory around fully accessible that is owned by
2208 * a dynamic user whose UID is later on reused. To lock this down we use the same
2209 * trick used by container managers to prohibit host users to get access to files of
2210 * the same UID in containers: we place everything inside a directory that has an
2211 * access mode of 0700 and is owned root:root, so that it acts as security boundary
2212 * for unprivileged host code. We then use fs namespacing to make this directory
2213 * permeable for the service itself.
6c47cd7d 2214 *
3f5b1508
LP		 2215 * Specifically: for a service which wants a special directory "foo/" we first create
2216 * a directory "private/" with access mode 0700 owned by root:root. Then we place
2217 * "foo" inside of that directory (i.e. "private/foo/"), and make "foo" a symlink to
2218 * "private/foo". This way, privileged host users can access "foo/" as usual, but
2219 * unprivileged host users can't look into it. Inside of the namespace of the unit
2220 * "private/" is replaced by a more liberally accessible tmpfs, into which the host's
2221 * "private/foo/" is mounted under the same name, thus disabling the access boundary
2222 * for the service and making sure it only gets access to the dirs it needs but no
2223 * others. Tricky? Yes, absolutely, but it works!
6c47cd7d 2224 *
3f5b1508
LP		 2225 * Note that we don't do this for EXEC_DIRECTORY_CONFIGURATION as that's assumed not
2226 * to be owned by the service itself.
2227 *
2228 * Also, note that we don't do this for EXEC_DIRECTORY_RUNTIME as that's often used
2229 * for sharing files or sockets with other services. */
6c47cd7d 2230
edbfeb12 2231 private_root = path_join(params->prefix[type], "private");
6c47cd7d
LP		 2232 if (!private_root) {
2233 r = -ENOMEM;
2234 goto fail;
2235 }
2236
2237 /* First set up private root if it doesn't exist yet, with access mode 0700 and owned by root:root */
37c1d5e9 2238 r = mkdir_safe_label(private_root, 0700, 0, 0, MKDIR_WARN_MODE);
6c47cd7d
LP		 2239 if (r < 0)
2240 goto fail;
2241
edbfeb12 2242 pp = path_join(private_root, *rt);
6c47cd7d
LP		 2243 if (!pp) {
2244 r = -ENOMEM;
2245 goto fail;
2246 }
2247
2248 /* Create all directories between the configured directory and this private root, and mark them 0755 */
2249 r = mkdir_parents_label(pp, 0755);
2250 if (r < 0)
2251 goto fail;
2252
949befd3
LP		 2253 if (is_dir(p, false) > 0 &&
2254 (laccess(pp, F_OK) < 0 && errno == ENOENT)) {
2255
2256 /* Hmm, the private directory doesn't exist yet, but the normal one exists? If so, move
2257 * it over. Most likely the service has been upgraded from one that didn't use
2258 * DynamicUser=1, to one that does. */
2259
cf52c45d
LP		 2260 log_info("Found pre-existing public %s= directory %s, migrating to %s.\n"
2261 "Apparently, service previously had DynamicUser= turned off, and has now turned it on.",
2262 exec_directory_type_to_string(type), p, pp);
2263
949befd3
LP		 2264 if (rename(p, pp) < 0) {
2265 r = -errno;
2266 goto fail;
2267 }
2268 } else {
2269 /* Otherwise, create the actual directory for the service */
2270
2271 r = mkdir_label(pp, context->directories[type].mode);
2272 if (r < 0 && r != -EEXIST)
2273 goto fail;
2274 }
6c47cd7d 2275
6c47cd7d 2276 /* And link it up from the original place */
6c9c51e5 2277 r = symlink_idempotent(pp, p, true);
6c47cd7d
LP		 2278 if (r < 0)
2279 goto fail;
2280
6c47cd7d 2281 } else {
5c6d40d1
LP		 2282 _cleanup_free_ char *target = NULL;
2283
2284 if (type != EXEC_DIRECTORY_CONFIGURATION &&
2285 readlink_and_make_absolute(p, &target) >= 0) {
578dc69f 2286 _cleanup_free_ char *q = NULL, *q_resolved = NULL, *target_resolved = NULL;
5c6d40d1
LP		 2287
2288 /* This already exists and is a symlink? Interesting. Maybe it's one created
2193f17c
LP		 2289 * by DynamicUser=1 (see above)?
2290 *
2291 * We do this for all directory types except for ConfigurationDirectory=,
2292 * since they all support the private/ symlink logic at least in some
2293 * configurations, see above. */
5c6d40d1 2294
578dc69f
YW		 2295 r = chase_symlinks(target, NULL, 0, &target_resolved, NULL);
2296 if (r < 0)
2297 goto fail;
2298
5c6d40d1
LP		 2299 q = path_join(params->prefix[type], "private", *rt);
2300 if (!q) {
2301 r = -ENOMEM;
2302 goto fail;
2303 }
2304
578dc69f
YW		 2305 /* /var/lib or friends may be symlinks. So, let's chase them also. */
2306 r = chase_symlinks(q, NULL, CHASE_NONEXISTENT, &q_resolved, NULL);
2307 if (r < 0)
2308 goto fail;
2309
2310 if (path_equal(q_resolved, target_resolved)) {
5c6d40d1
LP		 2311
2312 /* Hmm, apparently DynamicUser= was once turned on for this service,
2313 * but is no longer. Let's move the directory back up. */
2314
cf52c45d
LP		 2315 log_info("Found pre-existing private %s= directory %s, migrating to %s.\n"
2316 "Apparently, service previously had DynamicUser= turned on, and has now turned it off.",
2317 exec_directory_type_to_string(type), q, p);
2318
5c6d40d1
LP		 2319 if (unlink(p) < 0) {
2320 r = -errno;
2321 goto fail;
2322 }
2323
2324 if (rename(q, p) < 0) {
2325 r = -errno;
2326 goto fail;
2327 }
2328 }
2329 }
2330
6c47cd7d 2331 r = mkdir_label(p, context->directories[type].mode);
d484580c 2332 if (r < 0) {
d484580c
LP		 2333 if (r != -EEXIST)
2334 goto fail;
2335
206e9864
LP		 2336 if (type == EXEC_DIRECTORY_CONFIGURATION) {
2337 struct stat st;
2338
2339 /* Don't change the owner/access mode of the configuration directory,
2340 * as in the common case it is not written to by a service, and shall
2341 * not be writable. */
2342
2343 if (stat(p, &st) < 0) {
2344 r = -errno;
2345 goto fail;
2346 }
2347
2348 /* Still complain if the access mode doesn't match */
2349 if (((st.st_mode ^ context->directories[type].mode) & 07777) != 0)
2350 log_warning("%s \'%s\' already exists but the mode is different. "
2351 "(File system: %o %sMode: %o)",
2352 exec_directory_type_to_string(type), *rt,
2353 st.st_mode & 07777, exec_directory_type_to_string(type), context->directories[type].mode & 07777);
2354
6cff72eb 2355 continue;
206e9864 2356 }
6cff72eb 2357 }
a1164ae3 2358 }
07689d5d 2359
206e9864 2360 /* Lock down the access mode (we use chmod_and_chown() to make this idempotent. We don't
5238e957 2361 * specify UID/GID here, so that path_chown_recursive() can optimize things depending on the
206e9864
LP		 2362 * current UID/GID ownership.) */
2363 r = chmod_and_chown(pp ?: p, context->directories[type].mode, UID_INVALID, GID_INVALID);
2364 if (r < 0)
2365 goto fail;
c71b2eb7 2366
607b358e
LP		 2367 /* Then, change the ownership of the whole tree, if necessary. When dynamic users are used we
2368 * drop the suid/sgid bits, since we really don't want SUID/SGID files for dynamic UID/GID
2369 * assignments to exist.*/
2370 r = path_chown_recursive(pp ?: p, uid, gid, context->dynamic_user ? 01777 : 07777);
07689d5d 2371 if (r < 0)
3536f49e 2372 goto fail;
07689d5d
LP		 2373 }
2374
2375 return 0;
3536f49e
YW		 2376
2377fail:
2378 *exit_status = exit_status_table[type];
3536f49e 2379 return r;
07689d5d
LP		 2380}
2381
92b423b9 2382#if ENABLE_SMACK
cefc33ae
LP		 2383static int setup_smack(
2384 const ExecContext *context,
2385 const ExecCommand *command) {
2386
cefc33ae
LP		 2387 int r;
2388
2389 assert(context);
2390 assert(command);
2391
cefc33ae
LP		 2392 if (context->smack_process_label) {
2393 r = mac_smack_apply_pid(0, context->smack_process_label);
2394 if (r < 0)
2395 return r;
2396 }
2397#ifdef SMACK_DEFAULT_PROCESS_LABEL
2398 else {
2399 _cleanup_free_ char *exec_label = NULL;
2400
2401 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
4c701096 2402 if (r < 0 && !IN_SET(r, -ENODATA, -EOPNOTSUPP))
cefc33ae
LP		 2403 return r;
2404
2405 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
2406 if (r < 0)
2407 return r;
2408 }
cefc33ae
LP		 2409#endif
2410
2411 return 0;
2412}
92b423b9 2413#endif
cefc33ae 2414
6c47cd7d
LP		 2415static int compile_bind_mounts(
2416 const ExecContext *context,
2417 const ExecParameters *params,
2418 BindMount **ret_bind_mounts,
da6053d0 2419 size_t *ret_n_bind_mounts,
6c47cd7d
LP		 2420 char ***ret_empty_directories) {
2421
2422 _cleanup_strv_free_ char **empty_directories = NULL;
2423 BindMount *bind_mounts;
da6053d0 2424 size_t n, h = 0, i;
6c47cd7d
LP		 2425 ExecDirectoryType t;
2426 int r;
2427
2428 assert(context);
2429 assert(params);
2430 assert(ret_bind_mounts);
2431 assert(ret_n_bind_mounts);
2432 assert(ret_empty_directories);
2433
2434 n = context->n_bind_mounts;
2435 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
2436 if (!params->prefix[t])
2437 continue;
2438
2439 n += strv_length(context->directories[t].paths);
2440 }
2441
2442 if (n <= 0) {
2443 *ret_bind_mounts = NULL;
2444 *ret_n_bind_mounts = 0;
2445 *ret_empty_directories = NULL;
2446 return 0;
2447 }
2448
2449 bind_mounts = new(BindMount, n);
2450 if (!bind_mounts)
2451 return -ENOMEM;
2452
a8cabc61 2453 for (i = 0; i < context->n_bind_mounts; i++) {
6c47cd7d
LP		 2454 BindMount *item = context->bind_mounts + i;
2455 char *s, *d;
2456
2457 s = strdup(item->source);
2458 if (!s) {
2459 r = -ENOMEM;
2460 goto finish;
2461 }
2462
2463 d = strdup(item->destination);
2464 if (!d) {
2465 free(s);
2466 r = -ENOMEM;
2467 goto finish;
2468 }
2469
2470 bind_mounts[h++] = (BindMount) {
2471 .source = s,
2472 .destination = d,
2473 .read_only = item->read_only,
2474 .recursive = item->recursive,
2475 .ignore_enoent = item->ignore_enoent,
2476 };
2477 }
2478
2479 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
2480 char **suffix;
2481
2482 if (!params->prefix[t])
2483 continue;
2484
2485 if (strv_isempty(context->directories[t].paths))
2486 continue;
2487
494d0247 2488 if (exec_directory_is_private(context, t) &&
5609f688 2489 !(context->root_directory || context->root_image)) {
6c47cd7d
LP		 2490 char *private_root;
2491
2492 /* So this is for a dynamic user, and we need to make sure the process can access its own
2493 * directory. For that we overmount the usually inaccessible "private" subdirectory with a
2494 * tmpfs that makes it accessible and is empty except for the submounts we do this for. */
2495
657ee2d8 2496 private_root = path_join(params->prefix[t], "private");
6c47cd7d
LP		 2497 if (!private_root) {
2498 r = -ENOMEM;
2499 goto finish;
2500 }
2501
2502 r = strv_consume(&empty_directories, private_root);
a635a7ae 2503 if (r < 0)
6c47cd7d 2504 goto finish;
6c47cd7d
LP		 2505 }
2506
2507 STRV_FOREACH(suffix, context->directories[t].paths) {
2508 char *s, *d;
2509
494d0247 2510 if (exec_directory_is_private(context, t))
657ee2d8 2511 s = path_join(params->prefix[t], "private", *suffix);
6c47cd7d 2512 else
657ee2d8 2513 s = path_join(params->prefix[t], *suffix);
6c47cd7d
LP		 2514 if (!s) {
2515 r = -ENOMEM;
2516 goto finish;
2517 }
2518
494d0247 2519 if (exec_directory_is_private(context, t) &&
5609f688
YW		 2520 (context->root_directory || context->root_image))
2521 /* When RootDirectory= or RootImage= are set, then the symbolic link to the private
2522 * directory is not created on the root directory. So, let's bind-mount the directory
2523 * on the 'non-private' place. */
657ee2d8 2524 d = path_join(params->prefix[t], *suffix);
5609f688
YW		 2525 else
2526 d = strdup(s);
6c47cd7d
LP		 2527 if (!d) {
2528 free(s);
2529 r = -ENOMEM;
2530 goto finish;
2531 }
2532
2533 bind_mounts[h++] = (BindMount) {
2534 .source = s,
2535 .destination = d,
2536 .read_only = false,
9ce4e4b0 2537 .nosuid = context->dynamic_user, /* don't allow suid/sgid when DynamicUser= is on */
6c47cd7d
LP		 2538 .recursive = true,
2539 .ignore_enoent = false,
2540 };
2541 }
2542 }
2543
2544 assert(h == n);
2545
2546 *ret_bind_mounts = bind_mounts;
2547 *ret_n_bind_mounts = n;
ae2a15bc 2548 *ret_empty_directories = TAKE_PTR(empty_directories);
6c47cd7d
LP		 2549
2550 return (int) n;
2551
2552finish:
2553 bind_mount_free_many(bind_mounts, h);
2554 return r;
2555}
2556
4e677599
LP		 2557static bool insist_on_sandboxing(
2558 const ExecContext *context,
2559 const char *root_dir,
2560 const char *root_image,
2561 const BindMount *bind_mounts,
2562 size_t n_bind_mounts) {
2563
2564 size_t i;
2565
2566 assert(context);
2567 assert(n_bind_mounts == 0 || bind_mounts);
2568
2569 /* Checks whether we need to insist on fs namespacing. i.e. whether we have settings configured that
86b52a39 2570 * would alter the view on the file system beyond making things read-only or invisible, i.e. would
4e677599
LP		 2571 * rearrange stuff in a way we cannot ignore gracefully. */
2572
2573 if (context->n_temporary_filesystems > 0)
2574 return true;
2575
2576 if (root_dir || root_image)
2577 return true;
2578
2579 if (context->dynamic_user)
2580 return true;
2581
2582 /* If there are any bind mounts set that don't map back onto themselves, fs namespacing becomes
2583 * essential. */
2584 for (i = 0; i < n_bind_mounts; i++)
2585 if (!path_equal(bind_mounts[i].source, bind_mounts[i].destination))
2586 return true;
2587
91dd5f7c
LP		 2588 if (context->log_namespace)
2589 return true;
2590
4e677599
LP		 2591 return false;
2592}
2593
6818c54c 2594static int apply_mount_namespace(
34cf6c43
YW		 2595 const Unit *u,
2596 const ExecCommand *command,
6818c54c
LP		 2597 const ExecContext *context,
2598 const ExecParameters *params,
7cc5ef5f
ZJS		 2599 const ExecRuntime *runtime,
2600 char **error_path) {
6818c54c 2601
7bcef4ef 2602 _cleanup_strv_free_ char **empty_directories = NULL;
93c6bb51 2603 char *tmp = NULL, *var = NULL;
915e6d16 2604 const char *root_dir = NULL, *root_image = NULL;
228af36f 2605 NamespaceInfo ns_info;
165a31c0 2606 bool needs_sandboxing;
6c47cd7d 2607 BindMount *bind_mounts = NULL;
da6053d0 2608 size_t n_bind_mounts = 0;
6818c54c 2609 int r;
93c6bb51 2610
2b3c1b9e
DH		 2611 assert(context);
2612
915e6d16
LP		 2613 if (params->flags & EXEC_APPLY_CHROOT) {
2614 root_image = context->root_image;
2615
2616 if (!root_image)
2617 root_dir = context->root_directory;
2618 }
93c6bb51 2619
6c47cd7d
LP		 2620 r = compile_bind_mounts(context, params, &bind_mounts, &n_bind_mounts, &empty_directories);
2621 if (r < 0)
2622 return r;
2623
165a31c0 2624 needs_sandboxing = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & EXEC_COMMAND_FULLY_PRIVILEGED);
ecf63c91
NJ		 2625 if (needs_sandboxing) {
2626 /* The runtime struct only contains the parent of the private /tmp,
2627 * which is non-accessible to world users. Inside of it there's a /tmp
2628 * that is sticky, and that's the one we want to use here. */
2629
2630 if (context->private_tmp && runtime) {
2631 if (runtime->tmp_dir)
2632 tmp = strjoina(runtime->tmp_dir, "/tmp");
2633 if (runtime->var_tmp_dir)
2634 var = strjoina(runtime->var_tmp_dir, "/tmp");
2635 }
2636
b5a33299
YW		 2637 ns_info = (NamespaceInfo) {
2638 .ignore_protect_paths = false,
2639 .private_dev = context->private_devices,
2640 .protect_control_groups = context->protect_control_groups,
2641 .protect_kernel_tunables = context->protect_kernel_tunables,
2642 .protect_kernel_modules = context->protect_kernel_modules,
94a7b275 2643 .protect_kernel_logs = context->protect_kernel_logs,
aecd5ac6 2644 .protect_hostname = context->protect_hostname,
b5a33299 2645 .mount_apivfs = context->mount_apivfs,
228af36f 2646 .private_mounts = context->private_mounts,
b5a33299 2647 };
ecf63c91 2648 } else if (!context->dynamic_user && root_dir)
228af36f
LP		 2649 /*
2650 * If DynamicUser=no and RootDirectory= is set then lets pass a relaxed
2651 * sandbox info, otherwise enforce it, don't ignore protected paths and
2652 * fail if we are enable to apply the sandbox inside the mount namespace.
2653 */
2654 ns_info = (NamespaceInfo) {
2655 .ignore_protect_paths = true,
2656 };
2657 else
2658 ns_info = (NamespaceInfo) {};
b5a33299 2659
37ed15d7
FB		 2660 if (context->mount_flags == MS_SHARED)
2661 log_unit_debug(u, "shared mount propagation hidden by other fs namespacing unit settings: ignoring");
2662
915e6d16 2663 r = setup_namespace(root_dir, root_image,
7bcef4ef 2664 &ns_info, context->read_write_paths,
165a31c0
LP		 2665 needs_sandboxing ? context->read_only_paths : NULL,
2666 needs_sandboxing ? context->inaccessible_paths : NULL,
6c47cd7d
LP		 2667 empty_directories,
2668 bind_mounts,
2669 n_bind_mounts,
2abd4e38
YW		 2670 context->temporary_filesystems,
2671 context->n_temporary_filesystems,
93c6bb51
DH		 2672 tmp,
2673 var,
91dd5f7c 2674 context->log_namespace,
165a31c0
LP		 2675 needs_sandboxing ? context->protect_home : PROTECT_HOME_NO,
2676 needs_sandboxing ? context->protect_system : PROTECT_SYSTEM_NO,
915e6d16 2677 context->mount_flags,
8d251485 2678 DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK,
7cc5ef5f 2679 error_path);
93c6bb51 2680
1beab8b0 2681 /* If we couldn't set up the namespace this is probably due to a missing capability. setup_namespace() reports
5238e957 2682 * that with a special, recognizable error ENOANO. In this case, silently proceed, but only if exclusively
1beab8b0
LP		 2683 * sandboxing options were used, i.e. nothing such as RootDirectory= or BindMount= that would result in a
2684 * completely different execution environment. */
aca835ed 2685 if (r == -ENOANO) {
4e677599
LP		 2686 if (insist_on_sandboxing(
2687 context,
2688 root_dir, root_image,
2689 bind_mounts,
2690 n_bind_mounts)) {
2691 log_unit_debug(u, "Failed to set up namespace, and refusing to continue since the selected namespacing options alter mount environment non-trivially.\n"
2692 "Bind mounts: %zu, temporary filesystems: %zu, root directory: %s, root image: %s, dynamic user: %s",
2693 n_bind_mounts, context->n_temporary_filesystems, yes_no(root_dir), yes_no(root_image), yes_no(context->dynamic_user));
2694
2695 r = -EOPNOTSUPP;
2696 } else {
aca835ed 2697 log_unit_debug(u, "Failed to set up namespace, assuming containerized execution and ignoring.");
4e677599 2698 r = 0;
aca835ed 2699 }
93c6bb51
DH		 2700 }
2701
4e677599 2702 bind_mount_free_many(bind_mounts, n_bind_mounts);
93c6bb51
DH		 2703 return r;
2704}
2705
915e6d16
LP		 2706static int apply_working_directory(
2707 const ExecContext *context,
2708 const ExecParameters *params,
2709 const char *home,
376fecf6 2710 int *exit_status) {
915e6d16 2711
6732edab 2712 const char *d, *wd;
2b3c1b9e
DH		 2713
2714 assert(context);
376fecf6 2715 assert(exit_status);
2b3c1b9e 2716
6732edab
LP		 2717 if (context->working_directory_home) {
2718
376fecf6
LP		 2719 if (!home) {
2720 *exit_status = EXIT_CHDIR;
6732edab 2721 return -ENXIO;
376fecf6 2722 }
6732edab 2723
2b3c1b9e 2724 wd = home;
6732edab
LP		 2725
2726 } else if (context->working_directory)
2b3c1b9e
DH		 2727 wd = context->working_directory;
2728 else
2729 wd = "/";
e7f1e7c6 2730
fa97f630 2731 if (params->flags & EXEC_APPLY_CHROOT)
2b3c1b9e 2732 d = wd;
fa97f630 2733 else
3b0e5bb5 2734 d = prefix_roota(context->root_directory, wd);
e7f1e7c6 2735
376fecf6
LP		 2736 if (chdir(d) < 0 && !context->working_directory_missing_ok) {
2737 *exit_status = EXIT_CHDIR;
2b3c1b9e 2738 return -errno;
376fecf6 2739 }
e7f1e7c6
DH		 2740
2741 return 0;
2742}
2743
fa97f630
JB		 2744static int apply_root_directory(
2745 const ExecContext *context,
2746 const ExecParameters *params,
2747 const bool needs_mount_ns,
2748 int *exit_status) {
2749
2750 assert(context);
2751 assert(exit_status);
2752
2753 if (params->flags & EXEC_APPLY_CHROOT) {
2754 if (!needs_mount_ns && context->root_directory)
2755 if (chroot(context->root_directory) < 0) {
2756 *exit_status = EXIT_CHROOT;
2757 return -errno;
2758 }
2759 }
2760
2761 return 0;
2762}
2763
b1edf445 2764static int setup_keyring(
34cf6c43 2765 const Unit *u,
b1edf445
LP		 2766 const ExecContext *context,
2767 const ExecParameters *p,
2768 uid_t uid, gid_t gid) {
2769
74dd6b51 2770 key_serial_t keyring;
e64c2d0b
DJL		 2771 int r = 0;
2772 uid_t saved_uid;
2773 gid_t saved_gid;
74dd6b51
LP		 2774
2775 assert(u);
b1edf445 2776 assert(context);
74dd6b51
LP		 2777 assert(p);
2778
2779 /* Let's set up a new per-service "session" kernel keyring for each system service. This has the benefit that
2780 * each service runs with its own keyring shared among all processes of the service, but with no hook-up beyond
2781 * that scope, and in particular no link to the per-UID keyring. If we don't do this the keyring will be
2782 * automatically created on-demand and then linked to the per-UID keyring, by the kernel. The kernel's built-in
2783 * on-demand behaviour is very appropriate for login users, but probably not so much for system services, where
2784 * UIDs are not necessarily specific to a service but reused (at least in the case of UID 0). */
2785
b1edf445
LP		 2786 if (context->keyring_mode == EXEC_KEYRING_INHERIT)
2787 return 0;
2788
e64c2d0b
DJL		 2789 /* Acquiring a reference to the user keyring is nasty. We briefly change identity in order to get things set up
2790 * properly by the kernel. If we don't do that then we can't create it atomically, and that sucks for parallel
2791 * execution. This mimics what pam_keyinit does, too. Setting up session keyring, to be owned by the right user
2792 * & group is just as nasty as acquiring a reference to the user keyring. */
2793
2794 saved_uid = getuid();
2795 saved_gid = getgid();
2796
2797 if (gid_is_valid(gid) && gid != saved_gid) {
2798 if (setregid(gid, -1) < 0)
2799 return log_unit_error_errno(u, errno, "Failed to change GID for user keyring: %m");
2800 }
2801
2802 if (uid_is_valid(uid) && uid != saved_uid) {
2803 if (setreuid(uid, -1) < 0) {
2804 r = log_unit_error_errno(u, errno, "Failed to change UID for user keyring: %m");
2805 goto out;
2806 }
2807 }
2808
74dd6b51
LP		 2809 keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0);
2810 if (keyring == -1) {
2811 if (errno == ENOSYS)
8002fb97 2812 log_unit_debug_errno(u, errno, "Kernel keyring not supported, ignoring.");
74dd6b51 2813 else if (IN_SET(errno, EACCES, EPERM))
8002fb97 2814 log_unit_debug_errno(u, errno, "Kernel keyring access prohibited, ignoring.");
74dd6b51 2815 else if (errno == EDQUOT)
8002fb97 2816 log_unit_debug_errno(u, errno, "Out of kernel keyrings to allocate, ignoring.");
74dd6b51 2817 else
e64c2d0b 2818 r = log_unit_error_errno(u, errno, "Setting up kernel keyring failed: %m");
74dd6b51 2819
e64c2d0b 2820 goto out;
74dd6b51
LP		 2821 }
2822
e64c2d0b
DJL		 2823 /* When requested link the user keyring into the session keyring. */
2824 if (context->keyring_mode == EXEC_KEYRING_SHARED) {
2825
2826 if (keyctl(KEYCTL_LINK,
2827 KEY_SPEC_USER_KEYRING,
2828 KEY_SPEC_SESSION_KEYRING, 0, 0) < 0) {
2829 r = log_unit_error_errno(u, errno, "Failed to link user keyring into session keyring: %m");
2830 goto out;
2831 }
2832 }
2833
2834 /* Restore uid/gid back */
2835 if (uid_is_valid(uid) && uid != saved_uid) {
2836 if (setreuid(saved_uid, -1) < 0) {
2837 r = log_unit_error_errno(u, errno, "Failed to change UID back for user keyring: %m");
2838 goto out;
2839 }
2840 }
2841
2842 if (gid_is_valid(gid) && gid != saved_gid) {
2843 if (setregid(saved_gid, -1) < 0)
2844 return log_unit_error_errno(u, errno, "Failed to change GID back for user keyring: %m");
2845 }
2846
2847 /* Populate they keyring with the invocation ID by default, as original saved_uid. */
b3415f5d
LP		 2848 if (!sd_id128_is_null(u->invocation_id)) {
2849 key_serial_t key;
2850
2851 key = add_key("user", "invocation_id", &u->invocation_id, sizeof(u->invocation_id), KEY_SPEC_SESSION_KEYRING);
2852 if (key == -1)
8002fb97 2853 log_unit_debug_errno(u, errno, "Failed to add invocation ID to keyring, ignoring: %m");
b3415f5d
LP		 2854 else {
2855 if (keyctl(KEYCTL_SETPERM, key,
2856 KEY_POS_VIEW|KEY_POS_READ|KEY_POS_SEARCH|
2857 KEY_USR_VIEW|KEY_USR_READ|KEY_USR_SEARCH, 0, 0) < 0)
e64c2d0b 2858 r = log_unit_error_errno(u, errno, "Failed to restrict invocation ID permission: %m");
b3415f5d
LP		 2859 }
2860 }
2861
e64c2d0b
DJL		 2862out:
2863 /* Revert back uid & gid for the the last time, and exit */
2864 /* no extra logging, as only the first already reported error matters */
2865 if (getuid() != saved_uid)
2866 (void) setreuid(saved_uid, -1);
b1edf445 2867
e64c2d0b
DJL		 2868 if (getgid() != saved_gid)
2869 (void) setregid(saved_gid, -1);
b1edf445 2870
e64c2d0b 2871 return r;
74dd6b51
LP		 2872}
2873
3042bbeb 2874static void append_socket_pair(int *array, size_t *n, const int pair[static 2]) {
29206d46
LP		 2875 assert(array);
2876 assert(n);
2caa38e9 2877 assert(pair);
29206d46
LP		 2878
2879 if (pair[0] >= 0)
2880 array[(*n)++] = pair[0];
2881 if (pair[1] >= 0)
2882 array[(*n)++] = pair[1];
2883}
2884
a34ceba6
LP		 2885static int close_remaining_fds(
2886 const ExecParameters *params,
34cf6c43
YW		 2887 const ExecRuntime *runtime,
2888 const DynamicCreds *dcreds,
00d9ef85 2889 int user_lookup_fd,
a34ceba6 2890 int socket_fd,
5686391b 2891 int exec_fd,
5b8d1f6b 2892 const int *fds, size_t n_fds) {
a34ceba6 2893
da6053d0 2894 size_t n_dont_close = 0;
00d9ef85 2895 int dont_close[n_fds + 12];
a34ceba6
LP		 2896
2897 assert(params);
2898
2899 if (params->stdin_fd >= 0)
2900 dont_close[n_dont_close++] = params->stdin_fd;
2901 if (params->stdout_fd >= 0)
2902 dont_close[n_dont_close++] = params->stdout_fd;
2903 if (params->stderr_fd >= 0)
2904 dont_close[n_dont_close++] = params->stderr_fd;
2905
2906 if (socket_fd >= 0)
2907 dont_close[n_dont_close++] = socket_fd;
5686391b
LP		 2908 if (exec_fd >= 0)
2909 dont_close[n_dont_close++] = exec_fd;
a34ceba6
LP		 2910 if (n_fds > 0) {
2911 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
2912 n_dont_close += n_fds;
2913 }
2914
29206d46
LP		 2915 if (runtime)
2916 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
2917
2918 if (dcreds) {
2919 if (dcreds->user)
2920 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
2921 if (dcreds->group)
2922 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
a34ceba6
LP		 2923 }
2924
00d9ef85
LP		 2925 if (user_lookup_fd >= 0)
2926 dont_close[n_dont_close++] = user_lookup_fd;
2927
a34ceba6
LP		 2928 return close_all_fds(dont_close, n_dont_close);
2929}
2930
00d9ef85
LP		 2931static int send_user_lookup(
2932 Unit *unit,
2933 int user_lookup_fd,
2934 uid_t uid,
2935 gid_t gid) {
2936
2937 assert(unit);
2938
2939 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
2940 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
2941 * specified. */
2942
2943 if (user_lookup_fd < 0)
2944 return 0;
2945
2946 if (!uid_is_valid(uid) && !gid_is_valid(gid))
2947 return 0;
2948
2949 if (writev(user_lookup_fd,
2950 (struct iovec[]) {
e6a7ec4b
LP		 2951 IOVEC_INIT(&uid, sizeof(uid)),
2952 IOVEC_INIT(&gid, sizeof(gid)),
2953 IOVEC_INIT_STRING(unit->id) }, 3) < 0)
00d9ef85
LP		 2954 return -errno;
2955
2956 return 0;
2957}
2958
6732edab
LP		 2959static int acquire_home(const ExecContext *c, uid_t uid, const char** home, char **buf) {
2960 int r;
2961
2962 assert(c);
2963 assert(home);
2964 assert(buf);
2965
2966 /* If WorkingDirectory=~ is set, try to acquire a usable home directory. */
2967
2968 if (*home)
2969 return 0;
2970
2971 if (!c->working_directory_home)
2972 return 0;
2973
6732edab
LP		 2974 r = get_home_dir(buf);
2975 if (r < 0)
2976 return r;
2977
2978 *home = *buf;
2979 return 1;
2980}
2981
da50b85a
LP		 2982static int compile_suggested_paths(const ExecContext *c, const ExecParameters *p, char ***ret) {
2983 _cleanup_strv_free_ char ** list = NULL;
2984 ExecDirectoryType t;
2985 int r;
2986
2987 assert(c);
2988 assert(p);
2989 assert(ret);
2990
2991 assert(c->dynamic_user);
2992
2993 /* Compile a list of paths that it might make sense to read the owning UID from to use as initial candidate for
2994 * dynamic UID allocation, in order to save us from doing costly recursive chown()s of the special
2995 * directories. */
2996
2997 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
2998 char **i;
2999
3000 if (t == EXEC_DIRECTORY_CONFIGURATION)
3001 continue;
3002
3003 if (!p->prefix[t])
3004 continue;
3005
3006 STRV_FOREACH(i, c->directories[t].paths) {
3007 char *e;
3008
494d0247 3009 if (exec_directory_is_private(c, t))
657ee2d8 3010 e = path_join(p->prefix[t], "private", *i);
494d0247
YW		 3011 else
3012 e = path_join(p->prefix[t], *i);
da50b85a
LP		 3013 if (!e)
3014 return -ENOMEM;
3015
3016 r = strv_consume(&list, e);
3017 if (r < 0)
3018 return r;
3019 }
3020 }
3021
ae2a15bc 3022 *ret = TAKE_PTR(list);
da50b85a
LP		 3023
3024 return 0;
3025}
3026
34cf6c43
YW		 3027static char *exec_command_line(char **argv);
3028
78f93209
LP		 3029static int exec_parameters_get_cgroup_path(const ExecParameters *params, char **ret) {
3030 bool using_subcgroup;
3031 char *p;
3032
3033 assert(params);
3034 assert(ret);
3035
3036 if (!params->cgroup_path)
3037 return -EINVAL;
3038
3039 /* If we are called for a unit where cgroup delegation is on, and the payload created its own populated
3040 * subcgroup (which we expect it to do, after all it asked for delegation), then we cannot place the control
3041 * processes started after the main unit's process in the unit's main cgroup because it is now an inner one,
3042 * and inner cgroups may not contain processes. Hence, if delegation is on, and this is a control process,
3043 * let's use ".control" as subcgroup instead. Note that we do so only for ExecStartPost=, ExecReload=,
3044 * ExecStop=, ExecStopPost=, i.e. for the commands where the main process is already forked. For ExecStartPre=
3045 * this is not necessary, the cgroup is still empty. We distinguish these cases with the EXEC_CONTROL_CGROUP
3046 * flag, which is only passed for the former statements, not for the latter. */
3047
3048 using_subcgroup = FLAGS_SET(params->flags, EXEC_CONTROL_CGROUP|EXEC_CGROUP_DELEGATE|EXEC_IS_CONTROL);
3049 if (using_subcgroup)
657ee2d8 3050 p = path_join(params->cgroup_path, ".control");
78f93209
LP		 3051 else
3052 p = strdup(params->cgroup_path);
3053 if (!p)
3054 return -ENOMEM;
3055
3056 *ret = p;
3057 return using_subcgroup;
3058}
3059
e2b2fb7f
MS		 3060static int exec_context_cpu_affinity_from_numa(const ExecContext *c, CPUSet *ret) {
3061 _cleanup_(cpu_set_reset) CPUSet s = {};
3062 int r;
3063
3064 assert(c);
3065 assert(ret);
3066
3067 if (!c->numa_policy.nodes.set) {
3068 log_debug("Can't derive CPU affinity mask from NUMA mask because NUMA mask is not set, ignoring");
3069 return 0;
3070 }
3071
3072 r = numa_to_cpu_set(&c->numa_policy, &s);
3073 if (r < 0)
3074 return r;
3075
3076 cpu_set_reset(ret);
3077
3078 return cpu_set_add_all(ret, &s);
3079}
3080
3081bool exec_context_get_cpu_affinity_from_numa(const ExecContext *c) {
3082 assert(c);
3083
3084 return c->cpu_affinity_from_numa;
3085}
3086
ff0af2a1 3087static int exec_child(
f2341e0a 3088 Unit *unit,
34cf6c43 3089 const ExecCommand *command,
ff0af2a1
LP		 3090 const ExecContext *context,
3091 const ExecParameters *params,
3092 ExecRuntime *runtime,
29206d46 3093 DynamicCreds *dcreds,
ff0af2a1 3094 int socket_fd,
2caa38e9 3095 const int named_iofds[static 3],
4c47affc 3096 int *fds,
da6053d0 3097 size_t n_socket_fds,
25b583d7 3098 size_t n_storage_fds,
ff0af2a1 3099 char **files_env,
00d9ef85 3100 int user_lookup_fd,
12145637 3101 int *exit_status) {
d35fbf6b 3102
7ca69792 3103 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **replaced_argv = NULL;
5686391b 3104 int *fds_with_exec_fd, n_fds_with_exec_fd, r, ngids = 0, exec_fd = -1;
4d885bd3
DH		 3105 _cleanup_free_ gid_t *supplementary_gids = NULL;
3106 const char *username = NULL, *groupname = NULL;
5686391b 3107 _cleanup_free_ char *home_buffer = NULL;
2b3c1b9e 3108 const char *home = NULL, *shell = NULL;
7ca69792 3109 char **final_argv = NULL;
7bce046b
LP		 3110 dev_t journal_stream_dev = 0;
3111 ino_t journal_stream_ino = 0;
5749f855 3112 bool userns_set_up = false;
165a31c0
LP		 3113 bool needs_sandboxing, /* Do we need to set up full sandboxing? (i.e. all namespacing, all MAC stuff, caps, yadda yadda */
3114 needs_setuid, /* Do we need to do the actual setresuid()/setresgid() calls? */
3115 needs_mount_namespace, /* Do we need to set up a mount namespace for this kernel? */
3116 needs_ambient_hack; /* Do we need to apply the ambient capabilities hack? */
349cc4a5 3117#if HAVE_SELINUX
7f59dd35 3118 _cleanup_free_ char *mac_selinux_context_net = NULL;
43b1f709 3119 bool use_selinux = false;
ecfbc84f 3120#endif
f9fa32f0 3121#if ENABLE_SMACK
43b1f709 3122 bool use_smack = false;
ecfbc84f 3123#endif
349cc4a5 3124#if HAVE_APPARMOR
43b1f709 3125 bool use_apparmor = false;
ecfbc84f 3126#endif
5749f855
AZ		 3127 uid_t saved_uid = getuid();
3128 gid_t saved_gid = getgid();
fed1e721
LP		 3129 uid_t uid = UID_INVALID;
3130 gid_t gid = GID_INVALID;
da6053d0 3131 size_t n_fds;
3536f49e 3132 ExecDirectoryType dt;
165a31c0 3133 int secure_bits;
afb11bf1
DG		 3134 _cleanup_free_ gid_t *gids_after_pam = NULL;
3135 int ngids_after_pam = 0;
034c6ed7 3136
f2341e0a 3137 assert(unit);
5cb5a6ff
LP		 3138 assert(command);
3139 assert(context);
d35fbf6b 3140 assert(params);
ff0af2a1 3141 assert(exit_status);
d35fbf6b
DM		 3142
3143 rename_process_from_path(command->path);
3144
3145 /* We reset exactly these signals, since they are the
3146 * only ones we set to SIG_IGN in the main daemon. All
3147 * others we leave untouched because we set them to
3148 * SIG_DFL or a valid handler initially, both of which
3149 * will be demoted to SIG_DFL. */
ce30c8dc
LP		 3150 (void) default_signals(SIGNALS_CRASH_HANDLER,
3151 SIGNALS_IGNORE, -1);
d35fbf6b
DM		 3152
3153 if (context->ignore_sigpipe)
ce30c8dc 3154 (void) ignore_signals(SIGPIPE, -1);
d35fbf6b 3155
ff0af2a1
LP		 3156 r = reset_signal_mask();
3157 if (r < 0) {
3158 *exit_status = EXIT_SIGNAL_MASK;
12145637 3159 return log_unit_error_errno(unit, r, "Failed to set process signal mask: %m");
d35fbf6b 3160 }
034c6ed7 3161
d35fbf6b
DM		 3162 if (params->idle_pipe)
3163 do_idle_pipe_dance(params->idle_pipe);
4f2d528d 3164
2c027c62
LP		 3165 /* Close fds we don't need very early to make sure we don't block init reexecution because it cannot bind its
3166 * sockets. Among the fds we close are the logging fds, and we want to keep them closed, so that we don't have
3167 * any fds open we don't really want open during the transition. In order to make logging work, we switch the
3168 * log subsystem into open_when_needed mode, so that it reopens the logs on every single log call. */
ff0af2a1 3169
d35fbf6b 3170 log_forget_fds();
2c027c62 3171 log_set_open_when_needed(true);
4f2d528d 3172
40a80078
LP		 3173 /* In case anything used libc syslog(), close this here, too */
3174 closelog();
3175
5686391b
LP		 3176 n_fds = n_socket_fds + n_storage_fds;
3177 r = close_remaining_fds(params, runtime, dcreds, user_lookup_fd, socket_fd, params->exec_fd, fds, n_fds);
ff0af2a1
LP		 3178 if (r < 0) {
3179 *exit_status = EXIT_FDS;
12145637 3180 return log_unit_error_errno(unit, r, "Failed to close unwanted file descriptors: %m");
8c7be95e
LP		 3181 }
3182
d35fbf6b
DM		 3183 if (!context->same_pgrp)
3184 if (setsid() < 0) {
ff0af2a1 3185 *exit_status = EXIT_SETSID;
12145637 3186 return log_unit_error_errno(unit, errno, "Failed to create new process session: %m");
d35fbf6b 3187 }
9e2f7c11 3188
1e22b5cd 3189 exec_context_tty_reset(context, params);
d35fbf6b 3190
c891efaf 3191 if (unit_shall_confirm_spawn(unit)) {
7d5ceb64 3192 const char *vc = params->confirm_spawn;
3b20f877
FB		 3193 _cleanup_free_ char *cmdline = NULL;
3194
ee39ca20 3195 cmdline = exec_command_line(command->argv);
3b20f877 3196 if (!cmdline) {
0460aa5c 3197 *exit_status = EXIT_MEMORY;
12145637 3198 return log_oom();
3b20f877 3199 }
d35fbf6b 3200
eedf223a 3201 r = ask_for_confirmation(vc, unit, cmdline);
3b20f877
FB		 3202 if (r != CONFIRM_EXECUTE) {
3203 if (r == CONFIRM_PRETEND_SUCCESS) {
3204 *exit_status = EXIT_SUCCESS;
3205 return 0;
3206 }
ff0af2a1 3207 *exit_status = EXIT_CONFIRM;
12145637 3208 log_unit_error(unit, "Execution cancelled by the user");
d35fbf6b 3209 return -ECANCELED;
d35fbf6b
DM		 3210 }
3211 }
1a63a750 3212
d521916d
LP		 3213 /* We are about to invoke NSS and PAM modules. Let's tell them what we are doing here, maybe they care. This is
3214 * used by nss-resolve to disable itself when we are about to start systemd-resolved, to avoid deadlocks. Note
3215 * that these env vars do not survive the execve(), which means they really only apply to the PAM and NSS
3216 * invocations themselves. Also note that while we'll only invoke NSS modules involved in user management they
3217 * might internally call into other NSS modules that are involved in hostname resolution, we never know. */
3218 if (setenv("SYSTEMD_ACTIVATION_UNIT", unit->id, true) != 0 ||
3219 setenv("SYSTEMD_ACTIVATION_SCOPE", MANAGER_IS_SYSTEM(unit->manager) ? "system" : "user", true) != 0) {
3220 *exit_status = EXIT_MEMORY;
3221 return log_unit_error_errno(unit, errno, "Failed to update environment: %m");
3222 }
3223
29206d46 3224 if (context->dynamic_user && dcreds) {
da50b85a 3225 _cleanup_strv_free_ char **suggested_paths = NULL;
29206d46 3226
d521916d
LP		 3227 /* On top of that, make sure we bypass our own NSS module nss-systemd comprehensively for any NSS
3228 * checks, if DynamicUser=1 is used, as we shouldn't create a feedback loop with ourselves here.*/
409093fe
LP		 3229 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
3230 *exit_status = EXIT_USER;
12145637 3231 return log_unit_error_errno(unit, errno, "Failed to update environment: %m");
409093fe
LP		 3232 }
3233
da50b85a
LP		 3234 r = compile_suggested_paths(context, params, &suggested_paths);
3235 if (r < 0) {
3236 *exit_status = EXIT_MEMORY;
3237 return log_oom();
3238 }
3239
3240 r = dynamic_creds_realize(dcreds, suggested_paths, &uid, &gid);
ff0af2a1
LP		 3241 if (r < 0) {
3242 *exit_status = EXIT_USER;
e2b0cc34
YW		 3243 if (r == -EILSEQ) {
3244 log_unit_error(unit, "Failed to update dynamic user credentials: User or group with specified name already exists.");
3245 return -EOPNOTSUPP;
3246 }
12145637 3247 return log_unit_error_errno(unit, r, "Failed to update dynamic user credentials: %m");
524daa8c 3248 }
524daa8c 3249
70dd455c 3250 if (!uid_is_valid(uid)) {
29206d46 3251 *exit_status = EXIT_USER;
12145637 3252 log_unit_error(unit, "UID validation failed for \""UID_FMT"\"", uid);
70dd455c
ZJS		 3253 return -ESRCH;
3254 }
3255
3256 if (!gid_is_valid(gid)) {
3257 *exit_status = EXIT_USER;
12145637 3258 log_unit_error(unit, "GID validation failed for \""GID_FMT"\"", gid);
29206d46
LP		 3259 return -ESRCH;
3260 }
5bc7452b 3261
29206d46
LP		 3262 if (dcreds->user)
3263 username = dcreds->user->name;
3264
3265 } else {
4d885bd3
DH		 3266 r = get_fixed_user(context, &username, &uid, &gid, &home, &shell);
3267 if (r < 0) {
3268 *exit_status = EXIT_USER;
12145637 3269 return log_unit_error_errno(unit, r, "Failed to determine user credentials: %m");
5bc7452b 3270 }
5bc7452b 3271
4d885bd3
DH		 3272 r = get_fixed_group(context, &groupname, &gid);
3273 if (r < 0) {
3274 *exit_status = EXIT_GROUP;
12145637 3275 return log_unit_error_errno(unit, r, "Failed to determine group credentials: %m");
4d885bd3 3276 }
cdc5d5c5 3277 }
29206d46 3278
cdc5d5c5
DH		 3279 /* Initialize user supplementary groups and get SupplementaryGroups= ones */
3280 r = get_supplementary_groups(context, username, groupname, gid,
3281 &supplementary_gids, &ngids);
3282 if (r < 0) {
3283 *exit_status = EXIT_GROUP;
12145637 3284 return log_unit_error_errno(unit, r, "Failed to determine supplementary groups: %m");
29206d46 3285 }
5bc7452b 3286
00d9ef85
LP		 3287 r = send_user_lookup(unit, user_lookup_fd, uid, gid);
3288 if (r < 0) {
3289 *exit_status = EXIT_USER;
12145637 3290 return log_unit_error_errno(unit, r, "Failed to send user credentials to PID1: %m");
00d9ef85
LP		 3291 }
3292
3293 user_lookup_fd = safe_close(user_lookup_fd);
3294
6732edab
LP		 3295 r = acquire_home(context, uid, &home, &home_buffer);
3296 if (r < 0) {
3297 *exit_status = EXIT_CHDIR;
12145637 3298 return log_unit_error_errno(unit, r, "Failed to determine $HOME for user: %m");
6732edab
LP		 3299 }
3300
d35fbf6b
DM		 3301 /* If a socket is connected to STDIN/STDOUT/STDERR, we
3302 * must sure to drop O_NONBLOCK */
3303 if (socket_fd >= 0)
a34ceba6 3304 (void) fd_nonblock(socket_fd, false);
acbb0225 3305
4c70a4a7
MS		 3306 /* Journald will try to look-up our cgroup in order to populate _SYSTEMD_CGROUP and _SYSTEMD_UNIT fields.
3307 * Hence we need to migrate to the target cgroup from init.scope before connecting to journald */
3308 if (params->cgroup_path) {
3309 _cleanup_free_ char *p = NULL;
3310
3311 r = exec_parameters_get_cgroup_path(params, &p);
3312 if (r < 0) {
3313 *exit_status = EXIT_CGROUP;
3314 return log_unit_error_errno(unit, r, "Failed to acquire cgroup path: %m");
3315 }
3316
3317 r = cg_attach_everywhere(params->cgroup_supported, p, 0, NULL, NULL);
3318 if (r < 0) {
3319 *exit_status = EXIT_CGROUP;
3320 return log_unit_error_errno(unit, r, "Failed to attach to cgroup %s: %m", p);
3321 }
3322 }
3323
a8d08f39
LP		 3324 if (context->network_namespace_path && runtime && runtime->netns_storage_socket[0] >= 0) {
3325 r = open_netns_path(runtime->netns_storage_socket, context->network_namespace_path);
3326 if (r < 0) {
3327 *exit_status = EXIT_NETWORK;
3328 return log_unit_error_errno(unit, r, "Failed to open network namespace path %s: %m", context->network_namespace_path);
3329 }
3330 }
3331
52c239d7 3332 r = setup_input(context, params, socket_fd, named_iofds);
ff0af2a1
LP		 3333 if (r < 0) {
3334 *exit_status = EXIT_STDIN;
12145637 3335 return log_unit_error_errno(unit, r, "Failed to set up standard input: %m");
d35fbf6b 3336 }
034c6ed7 3337
52c239d7 3338 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 3339 if (r < 0) {
3340 *exit_status = EXIT_STDOUT;
12145637 3341 return log_unit_error_errno(unit, r, "Failed to set up standard output: %m");
d35fbf6b
DM		 3342 }
3343
52c239d7 3344 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 3345 if (r < 0) {
3346 *exit_status = EXIT_STDERR;
12145637 3347 return log_unit_error_errno(unit, r, "Failed to set up standard error output: %m");
d35fbf6b
DM		 3348 }
3349
d35fbf6b 3350 if (context->oom_score_adjust_set) {
9f8168eb
LP		 3351 /* When we can't make this change due to EPERM, then let's silently skip over it. User namespaces
3352 * prohibit write access to this file, and we shouldn't trip up over that. */
3353 r = set_oom_score_adjust(context->oom_score_adjust);
12145637 3354 if (IN_SET(r, -EPERM, -EACCES))
f2341e0a 3355 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
12145637 3356 else if (r < 0) {
ff0af2a1 3357 *exit_status = EXIT_OOM_ADJUST;
12145637 3358 return log_unit_error_errno(unit, r, "Failed to adjust OOM setting: %m");
613b411c 3359 }
d35fbf6b
DM		 3360 }
3361
ad21e542
ZJS		 3362 if (context->coredump_filter_set) {
3363 r = set_coredump_filter(context->coredump_filter);
3364 if (ERRNO_IS_PRIVILEGE(r))
3365 log_unit_debug_errno(unit, r, "Failed to adjust coredump_filter, ignoring: %m");
3366 else if (r < 0)
3367 return log_unit_error_errno(unit, r, "Failed to adjust coredump_filter: %m");
3368 }
3369
39090201
DJL		 3370 if (context->nice_set) {
3371 r = setpriority_closest(context->nice);
3372 if (r < 0)
3373 return log_unit_error_errno(unit, r, "Failed to set up process scheduling priority (nice level): %m");
3374 }
613b411c 3375
d35fbf6b
DM		 3376 if (context->cpu_sched_set) {
3377 struct sched_param param = {
3378 .sched_priority = context->cpu_sched_priority,
3379 };
3380
ff0af2a1
LP		 3381 r = sched_setscheduler(0,
3382 context->cpu_sched_policy |
3383 (context->cpu_sched_reset_on_fork ?
3384 SCHED_RESET_ON_FORK : 0),
3385 &param);
3386 if (r < 0) {
3387 *exit_status = EXIT_SETSCHEDULER;
12145637 3388 return log_unit_error_errno(unit, errno, "Failed to set up CPU scheduling: %m");
fc9b2a84 3389 }
d35fbf6b 3390 }
fc9b2a84 3391
e2b2fb7f
MS		 3392 if (context->cpu_affinity_from_numa || context->cpu_set.set) {
3393 _cleanup_(cpu_set_reset) CPUSet converted_cpu_set = {};
3394 const CPUSet *cpu_set;
3395
3396 if (context->cpu_affinity_from_numa) {
3397 r = exec_context_cpu_affinity_from_numa(context, &converted_cpu_set);
3398 if (r < 0) {
3399 *exit_status = EXIT_CPUAFFINITY;
3400 return log_unit_error_errno(unit, r, "Failed to derive CPU affinity mask from NUMA mask: %m");
3401 }
3402
3403 cpu_set = &converted_cpu_set;
3404 } else
3405 cpu_set = &context->cpu_set;
3406
3407 if (sched_setaffinity(0, cpu_set->allocated, cpu_set->set) < 0) {
ff0af2a1 3408 *exit_status = EXIT_CPUAFFINITY;
12145637 3409 return log_unit_error_errno(unit, errno, "Failed to set up CPU affinity: %m");
034c6ed7 3410 }
e2b2fb7f 3411 }
034c6ed7 3412
b070c7c0
MS		 3413 if (mpol_is_valid(numa_policy_get_type(&context->numa_policy))) {
3414 r = apply_numa_policy(&context->numa_policy);
3415 if (r == -EOPNOTSUPP)
33fe9e3f 3416 log_unit_debug_errno(unit, r, "NUMA support not available, ignoring.");
b070c7c0
MS		 3417 else if (r < 0) {
3418 *exit_status = EXIT_NUMA_POLICY;
3419 return log_unit_error_errno(unit, r, "Failed to set NUMA memory policy: %m");
3420 }
3421 }
3422
d35fbf6b
DM		 3423 if (context->ioprio_set)
3424 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
ff0af2a1 3425 *exit_status = EXIT_IOPRIO;
12145637 3426 return log_unit_error_errno(unit, errno, "Failed to set up IO scheduling priority: %m");
d35fbf6b 3427 }
da726a4d 3428
d35fbf6b
DM		 3429 if (context->timer_slack_nsec != NSEC_INFINITY)
3430 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
ff0af2a1 3431 *exit_status = EXIT_TIMERSLACK;
12145637 3432 return log_unit_error_errno(unit, errno, "Failed to set up timer slack: %m");
4c2630eb 3433 }
9eba9da4 3434
21022b9d
LP		 3435 if (context->personality != PERSONALITY_INVALID) {
3436 r = safe_personality(context->personality);
3437 if (r < 0) {
ff0af2a1 3438 *exit_status = EXIT_PERSONALITY;
12145637 3439 return log_unit_error_errno(unit, r, "Failed to set up execution domain (personality): %m");
4c2630eb 3440 }
21022b9d 3441 }
94f04347 3442
d35fbf6b 3443 if (context->utmp_id)
df0ff127 3444 utmp_put_init_process(context->utmp_id, getpid_cached(), getsid(0),
6a93917d 3445 context->tty_path,
023a4f67
LP		 3446 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
3447 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
3448 USER_PROCESS,
6a93917d 3449 username);
d35fbf6b 3450
08f67696 3451 if (uid_is_valid(uid)) {
ff0af2a1
LP		 3452 r = chown_terminal(STDIN_FILENO, uid);
3453 if (r < 0) {
3454 *exit_status = EXIT_STDIN;
12145637 3455 return log_unit_error_errno(unit, r, "Failed to change ownership of terminal: %m");
071830ff 3456 }
d35fbf6b 3457 }
8e274523 3458
4e1dfa45 3459 /* If delegation is enabled we'll pass ownership of the cgroup to the user of the new process. On cgroup v1
62b9bb26 3460 * this is only about systemd's own hierarchy, i.e. not the controller hierarchies, simply because that's not
4e1dfa45 3461 * safe. On cgroup v2 there's only one hierarchy anyway, and delegation is safe there, hence in that case only
62b9bb26 3462 * touch a single hierarchy too. */
584b8688 3463 if (params->cgroup_path && context->user && (params->flags & EXEC_CGROUP_DELEGATE)) {
62b9bb26 3464 r = cg_set_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, uid, gid);
ff0af2a1
LP		 3465 if (r < 0) {
3466 *exit_status = EXIT_CGROUP;
12145637 3467 return log_unit_error_errno(unit, r, "Failed to adjust control group access: %m");
034c6ed7 3468 }
d35fbf6b 3469 }
034c6ed7 3470
72fd1768 3471 for (dt = 0; dt < _EXEC_DIRECTORY_TYPE_MAX; dt++) {
8679efde 3472 r = setup_exec_directory(context, params, uid, gid, dt, exit_status);
12145637
LP		 3473 if (r < 0)
3474 return log_unit_error_errno(unit, r, "Failed to set up special execution directory in %s: %m", params->prefix[dt]);
d35fbf6b 3475 }
94f04347 3476
7bce046b 3477 r = build_environment(
fd63e712 3478 unit,
7bce046b
LP		 3479 context,
3480 params,
3481 n_fds,
3482 home,
3483 username,
3484 shell,
3485 journal_stream_dev,
3486 journal_stream_ino,
3487 &our_env);
2065ca69
JW		 3488 if (r < 0) {
3489 *exit_status = EXIT_MEMORY;
12145637 3490 return log_oom();
2065ca69
JW		 3491 }
3492
3493 r = build_pass_environment(context, &pass_env);
3494 if (r < 0) {
3495 *exit_status = EXIT_MEMORY;
12145637 3496 return log_oom();
2065ca69
JW		 3497 }
3498
3499 accum_env = strv_env_merge(5,
3500 params->environment,
3501 our_env,
3502 pass_env,
3503 context->environment,
44e5d006 3504 files_env);
2065ca69
JW		 3505 if (!accum_env) {
3506 *exit_status = EXIT_MEMORY;
12145637 3507 return log_oom();
2065ca69 3508 }
1280503b 3509 accum_env = strv_env_clean(accum_env);
2065ca69 3510
096424d1 3511 (void) umask(context->umask);
b213e1c1 3512
b1edf445 3513 r = setup_keyring(unit, context, params, uid, gid);
74dd6b51
LP		 3514 if (r < 0) {
3515 *exit_status = EXIT_KEYRING;
12145637 3516 return log_unit_error_errno(unit, r, "Failed to set up kernel keyring: %m");
74dd6b51
LP		 3517 }
3518
165a31c0 3519 /* We need sandboxing if the caller asked us to apply it and the command isn't explicitly excepted from it */
1703fa41 3520 needs_sandboxing = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & EXEC_COMMAND_FULLY_PRIVILEGED);
7f18ef0a 3521
165a31c0
LP		 3522 /* We need the ambient capability hack, if the caller asked us to apply it and the command is marked for it, and the kernel doesn't actually support ambient caps */
3523 needs_ambient_hack = (params->flags & EXEC_APPLY_SANDBOXING) && (command->flags & EXEC_COMMAND_AMBIENT_MAGIC) && !ambient_capabilities_supported();
7f18ef0a 3524
165a31c0
LP		 3525 /* We need setresuid() if the caller asked us to apply sandboxing and the command isn't explicitly excepted from either whole sandboxing or just setresuid() itself, and the ambient hack is not desired */
3526 if (needs_ambient_hack)
3527 needs_setuid = false;
3528 else
3529 needs_setuid = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & (EXEC_COMMAND_FULLY_PRIVILEGED|EXEC_COMMAND_NO_SETUID));
3530
3531 if (needs_sandboxing) {
7f18ef0a
FK		 3532 /* MAC enablement checks need to be done before a new mount ns is created, as they rely on /sys being
3533 * present. The actual MAC context application will happen later, as late as possible, to avoid
3534 * impacting our own code paths. */
3535
349cc4a5 3536#if HAVE_SELINUX
43b1f709 3537 use_selinux = mac_selinux_use();
7f18ef0a 3538#endif
f9fa32f0 3539#if ENABLE_SMACK
43b1f709 3540 use_smack = mac_smack_use();
7f18ef0a 3541#endif
349cc4a5 3542#if HAVE_APPARMOR
43b1f709 3543 use_apparmor = mac_apparmor_use();
7f18ef0a 3544#endif
165a31c0 3545 }
7f18ef0a 3546
ce932d2d
LP		 3547 if (needs_sandboxing) {
3548 int which_failed;
3549
3550 /* Let's set the resource limits before we call into PAM, so that pam_limits wins over what
3551 * is set here. (See below.) */
3552
3553 r = setrlimit_closest_all((const struct rlimit* const *) context->rlimit, &which_failed);
3554 if (r < 0) {
3555 *exit_status = EXIT_LIMITS;
3556 return log_unit_error_errno(unit, r, "Failed to adjust resource limit RLIMIT_%s: %m", rlimit_to_string(which_failed));
3557 }
3558 }
3559
165a31c0 3560 if (needs_setuid) {
ce932d2d
LP		 3561
3562 /* Let's call into PAM after we set up our own idea of resource limits to that pam_limits
3563 * wins here. (See above.) */
3564
165a31c0
LP		 3565 if (context->pam_name && username) {
3566 r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds);
3567 if (r < 0) {
3568 *exit_status = EXIT_PAM;
12145637 3569 return log_unit_error_errno(unit, r, "Failed to set up PAM session: %m");
165a31c0 3570 }
afb11bf1
DG		 3571
3572 ngids_after_pam = getgroups_alloc(&gids_after_pam);
3573 if (ngids_after_pam < 0) {
3574 *exit_status = EXIT_MEMORY;
3575 return log_unit_error_errno(unit, ngids_after_pam, "Failed to obtain groups after setting up PAM: %m");
3576 }
165a31c0 3577 }
b213e1c1 3578 }
ac45f971 3579
5749f855
AZ		 3580 if (needs_sandboxing) {
3581#if HAVE_SELINUX
3582 if (use_selinux && params->selinux_context_net && socket_fd >= 0) {
3583 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
3584 if (r < 0) {
3585 *exit_status = EXIT_SELINUX_CONTEXT;
3586 return log_unit_error_errno(unit, r, "Failed to determine SELinux context: %m");
3587 }
3588 }
3589#endif
3590
3591 /* If we're unprivileged, set up the user namespace first to enable use of the other namespaces.
3592 * Users with CAP_SYS_ADMIN can set up user namespaces last because they will be able to
3593 * set up the all of the other namespaces (i.e. network, mount, UTS) without a user namespace. */
3594 if (context->private_users && !have_effective_cap(CAP_SYS_ADMIN)) {
3595 userns_set_up = true;
3596 r = setup_private_users(saved_uid, saved_gid, uid, gid);
3597 if (r < 0) {
3598 *exit_status = EXIT_USER;
3599 return log_unit_error_errno(unit, r, "Failed to set up user namespacing for unprivileged user: %m");
3600 }
3601 }
3602 }
3603
a8d08f39
LP		 3604 if ((context->private_network || context->network_namespace_path) && runtime && runtime->netns_storage_socket[0] >= 0) {
3605
6e2d7c4f
MS		 3606 if (ns_type_supported(NAMESPACE_NET)) {
3607 r = setup_netns(runtime->netns_storage_socket);
ee00d1e9
ZJS		 3608 if (r == -EPERM)
3609 log_unit_warning_errno(unit, r,
3610 "PrivateNetwork=yes is configured, but network namespace setup failed, ignoring: %m");
3611 else if (r < 0) {
6e2d7c4f
MS		 3612 *exit_status = EXIT_NETWORK;
3613 return log_unit_error_errno(unit, r, "Failed to set up network namespacing: %m");
3614 }
a8d08f39
LP		 3615 } else if (context->network_namespace_path) {
3616 *exit_status = EXIT_NETWORK;
ee00d1e9
ZJS		 3617 return log_unit_error_errno(unit, SYNTHETIC_ERRNO(EOPNOTSUPP),
3618 "NetworkNamespacePath= is not supported, refusing.");
6e2d7c4f
MS		 3619 } else
3620 log_unit_warning(unit, "PrivateNetwork=yes is configured, but the kernel does not support network namespaces, ignoring.");
d35fbf6b 3621 }
169c1bda 3622
ee818b89 3623 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
ee818b89 3624 if (needs_mount_namespace) {
7cc5ef5f
ZJS		 3625 _cleanup_free_ char *error_path = NULL;
3626
3627 r = apply_mount_namespace(unit, command, context, params, runtime, &error_path);
3fbe8dbe
LP		 3628 if (r < 0) {
3629 *exit_status = EXIT_NAMESPACE;
7cc5ef5f
ZJS		 3630 return log_unit_error_errno(unit, r, "Failed to set up mount namespacing%s%s: %m",
3631 error_path ? ": " : "", strempty(error_path));
3fbe8dbe 3632 }
d35fbf6b 3633 }
81a2b7ce 3634
daf8f72b
LP		 3635 if (needs_sandboxing) {
3636 r = apply_protect_hostname(unit, context, exit_status);
3637 if (r < 0)
3638 return r;
aecd5ac6
TM		 3639 }
3640
5749f855
AZ		 3641 /* Drop groups as early as possible.
3642 * This needs to be done after PrivateDevices=y setup as device nodes should be owned by the host's root.
3643 * For non-root in a userns, devices will be owned by the user/group before the group change, and nobody. */
165a31c0 3644 if (needs_setuid) {
afb11bf1
DG		 3645 _cleanup_free_ gid_t *gids_to_enforce = NULL;
3646 int ngids_to_enforce = 0;
3647
3648 ngids_to_enforce = merge_gid_lists(supplementary_gids,
3649 ngids,
3650 gids_after_pam,
3651 ngids_after_pam,
3652 &gids_to_enforce);
3653 if (ngids_to_enforce < 0) {
3654 *exit_status = EXIT_MEMORY;
3655 return log_unit_error_errno(unit,
3656 ngids_to_enforce,
3657 "Failed to merge group lists. Group membership might be incorrect: %m");
3658 }
3659
3660 r = enforce_groups(gid, gids_to_enforce, ngids_to_enforce);
096424d1
LP		 3661 if (r < 0) {
3662 *exit_status = EXIT_GROUP;
12145637 3663 return log_unit_error_errno(unit, r, "Changing group credentials failed: %m");
096424d1 3664 }
165a31c0 3665 }
096424d1 3666
5749f855
AZ		 3667 /* If the user namespace was not set up above, try to do it now.
3668 * It's preferred to set up the user namespace later (after all other namespaces) so as not to be
3669 * restricted by rules pertaining to combining user namspaces with other namespaces (e.g. in the
3670 * case of mount namespaces being less privileged when the mount point list is copied from a
3671 * different user namespace). */
9008e1ac 3672
5749f855
AZ		 3673 if (needs_sandboxing && context->private_users && !userns_set_up) {
3674 r = setup_private_users(saved_uid, saved_gid, uid, gid);
3675 if (r < 0) {
3676 *exit_status = EXIT_USER;
3677 return log_unit_error_errno(unit, r, "Failed to set up user namespacing: %m");
d251207d
LP		 3678 }
3679 }
3680
165a31c0 3681 /* We repeat the fd closing here, to make sure that nothing is leaked from the PAM modules. Note that we are
5686391b
LP		 3682 * more aggressive this time since socket_fd and the netns fds we don't need anymore. We do keep the exec_fd
3683 * however if we have it as we want to keep it open until the final execve(). */
3684
3685 if (params->exec_fd >= 0) {
3686 exec_fd = params->exec_fd;
3687
3688 if (exec_fd < 3 + (int) n_fds) {
3689 int moved_fd;
3690
3691 /* Let's move the exec fd far up, so that it's outside of the fd range we want to pass to the
3692 * process we are about to execute. */
3693
3694 moved_fd = fcntl(exec_fd, F_DUPFD_CLOEXEC, 3 + (int) n_fds);
3695 if (moved_fd < 0) {
3696 *exit_status = EXIT_FDS;
3697 return log_unit_error_errno(unit, errno, "Couldn't move exec fd up: %m");
3698 }
3699
3700 safe_close(exec_fd);
3701 exec_fd = moved_fd;
3702 } else {
3703 /* This fd should be FD_CLOEXEC already, but let's make sure. */
3704 r = fd_cloexec(exec_fd, true);
3705 if (r < 0) {
3706 *exit_status = EXIT_FDS;
3707 return log_unit_error_errno(unit, r, "Failed to make exec fd FD_CLOEXEC: %m");
3708 }
3709 }
3710
3711 fds_with_exec_fd = newa(int, n_fds + 1);
7e8d494b 3712 memcpy_safe(fds_with_exec_fd, fds, n_fds * sizeof(int));
5686391b
LP		 3713 fds_with_exec_fd[n_fds] = exec_fd;
3714 n_fds_with_exec_fd = n_fds + 1;
3715 } else {
3716 fds_with_exec_fd = fds;
3717 n_fds_with_exec_fd = n_fds;
3718 }
3719
3720 r = close_all_fds(fds_with_exec_fd, n_fds_with_exec_fd);
ff0af2a1
LP		 3721 if (r >= 0)
3722 r = shift_fds(fds, n_fds);
3723 if (r >= 0)
25b583d7 3724 r = flags_fds(fds, n_socket_fds, n_storage_fds, context->non_blocking);
ff0af2a1
LP		 3725 if (r < 0) {
3726 *exit_status = EXIT_FDS;
12145637 3727 return log_unit_error_errno(unit, r, "Failed to adjust passed file descriptors: %m");
d35fbf6b 3728 }
e66cf1a3 3729
5686391b
LP		 3730 /* At this point, the fds we want to pass to the program are all ready and set up, with O_CLOEXEC turned off
3731 * and at the right fd numbers. The are no other fds open, with one exception: the exec_fd if it is defined,
3732 * and it has O_CLOEXEC set, after all we want it to be closed by the execve(), so that our parent knows we
3733 * came this far. */
3734
165a31c0 3735 secure_bits = context->secure_bits;
e66cf1a3 3736
165a31c0
LP		 3737 if (needs_sandboxing) {
3738 uint64_t bset;
e66cf1a3 3739
ce932d2d
LP		 3740 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly
3741 * requested. (Note this is placed after the general resource limit initialization, see
3742 * above, in order to take precedence.) */
f4170c67
LP		 3743 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
3744 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
3745 *exit_status = EXIT_LIMITS;
12145637 3746 return log_unit_error_errno(unit, errno, "Failed to adjust RLIMIT_RTPRIO resource limit: %m");
f4170c67
LP		 3747 }
3748 }
3749
37ac2744
JB		 3750#if ENABLE_SMACK
3751 /* LSM Smack needs the capability CAP_MAC_ADMIN to change the current execution security context of the
3752 * process. This is the latest place before dropping capabilities. Other MAC context are set later. */
3753 if (use_smack) {
3754 r = setup_smack(context, command);
3755 if (r < 0) {
3756 *exit_status = EXIT_SMACK_PROCESS_LABEL;
3757 return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");
3758 }
3759 }
3760#endif
3761
165a31c0
LP		 3762 bset = context->capability_bounding_set;
3763 /* If the ambient caps hack is enabled (which means the kernel can't do them, and the user asked for
3764 * our magic fallback), then let's add some extra caps, so that the service can drop privs of its own,
3765 * instead of us doing that */
3766 if (needs_ambient_hack)
3767 bset |= (UINT64_C(1) << CAP_SETPCAP) |
3768 (UINT64_C(1) << CAP_SETUID) |
3769 (UINT64_C(1) << CAP_SETGID);
3770
3771 if (!cap_test_all(bset)) {
3772 r = capability_bounding_set_drop(bset, false);
ff0af2a1
LP		 3773 if (r < 0) {
3774 *exit_status = EXIT_CAPABILITIES;
12145637 3775 return log_unit_error_errno(unit, r, "Failed to drop capabilities: %m");
3b8bddde 3776 }
4c2630eb 3777 }
3b8bddde 3778
755d4b67
IP		 3779 /* This is done before enforce_user, but ambient set
3780 * does not survive over setresuid() if keep_caps is not set. */
943800f4 3781 if (!needs_ambient_hack) {
755d4b67
IP		 3782 r = capability_ambient_set_apply(context->capability_ambient_set, true);
3783 if (r < 0) {
3784 *exit_status = EXIT_CAPABILITIES;
12145637 3785 return log_unit_error_errno(unit, r, "Failed to apply ambient capabilities (before UID change): %m");
755d4b67 3786 }
755d4b67 3787 }
165a31c0 3788 }
755d4b67 3789
fa97f630
JB		 3790 /* chroot to root directory first, before we lose the ability to chroot */
3791 r = apply_root_directory(context, params, needs_mount_namespace, exit_status);
3792 if (r < 0)
3793 return log_unit_error_errno(unit, r, "Chrooting to the requested root directory failed: %m");
3794
165a31c0 3795 if (needs_setuid) {
08f67696 3796 if (uid_is_valid(uid)) {
ff0af2a1
LP		 3797 r = enforce_user(context, uid);
3798 if (r < 0) {
3799 *exit_status = EXIT_USER;
12145637 3800 return log_unit_error_errno(unit, r, "Failed to change UID to " UID_FMT ": %m", uid);
5b6319dc 3801 }
165a31c0
LP		 3802
3803 if (!needs_ambient_hack &&
3804 context->capability_ambient_set != 0) {
755d4b67
IP		 3805
3806 /* Fix the ambient capabilities after user change. */
3807 r = capability_ambient_set_apply(context->capability_ambient_set, false);
3808 if (r < 0) {
3809 *exit_status = EXIT_CAPABILITIES;
12145637 3810 return log_unit_error_errno(unit, r, "Failed to apply ambient capabilities (after UID change): %m");
755d4b67
IP		 3811 }
3812
3813 /* If we were asked to change user and ambient capabilities
3814 * were requested, we had to add keep-caps to the securebits
3815 * so that we would maintain the inherited capability set
3816 * through the setresuid(). Make sure that the bit is added
3817 * also to the context secure_bits so that we don't try to
3818 * drop the bit away next. */
3819
7f508f2c 3820 secure_bits |= 1<<SECURE_KEEP_CAPS;
755d4b67 3821 }
5b6319dc 3822 }
165a31c0 3823 }
d35fbf6b 3824
56ef8db9
JB		 3825 /* Apply working directory here, because the working directory might be on NFS and only the user running
3826 * this service might have the correct privilege to change to the working directory */
fa97f630 3827 r = apply_working_directory(context, params, home, exit_status);
56ef8db9
JB		 3828 if (r < 0)
3829 return log_unit_error_errno(unit, r, "Changing to the requested working directory failed: %m");
3830
165a31c0 3831 if (needs_sandboxing) {
37ac2744 3832 /* Apply other MAC contexts late, but before seccomp syscall filtering, as those should really be last to
5cd9cd35
LP		 3833 * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
3834 * syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
3835 * are restricted. */
3836
349cc4a5 3837#if HAVE_SELINUX
43b1f709 3838 if (use_selinux) {
5cd9cd35
LP		 3839 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
3840
3841 if (exec_context) {
3842 r = setexeccon(exec_context);
3843 if (r < 0) {
3844 *exit_status = EXIT_SELINUX_CONTEXT;
12145637 3845 return log_unit_error_errno(unit, r, "Failed to change SELinux context to %s: %m", exec_context);
5cd9cd35
LP		 3846 }
3847 }
3848 }
3849#endif
3850
349cc4a5 3851#if HAVE_APPARMOR
43b1f709 3852 if (use_apparmor && context->apparmor_profile) {
5cd9cd35
LP		 3853 r = aa_change_onexec(context->apparmor_profile);
3854 if (r < 0 && !context->apparmor_profile_ignore) {
3855 *exit_status = EXIT_APPARMOR_PROFILE;
12145637 3856 return log_unit_error_errno(unit, errno, "Failed to prepare AppArmor profile change to %s: %m", context->apparmor_profile);
5cd9cd35
LP		 3857 }
3858 }
3859#endif
3860
165a31c0
LP		 3861 /* PR_GET_SECUREBITS is not privileged, while PR_SET_SECUREBITS is. So to suppress potential EPERMs
3862 * we'll try not to call PR_SET_SECUREBITS unless necessary. */
755d4b67
IP		 3863 if (prctl(PR_GET_SECUREBITS) != secure_bits)
3864 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
ff0af2a1 3865 *exit_status = EXIT_SECUREBITS;
12145637 3866 return log_unit_error_errno(unit, errno, "Failed to set process secure bits: %m");
ff01d048 3867 }
5b6319dc 3868
59eeb84b 3869 if (context_has_no_new_privileges(context))
d35fbf6b 3870 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
ff0af2a1 3871 *exit_status = EXIT_NO_NEW_PRIVILEGES;
12145637 3872 return log_unit_error_errno(unit, errno, "Failed to disable new privileges: %m");
d35fbf6b
DM		 3873 }
3874
349cc4a5 3875#if HAVE_SECCOMP
469830d1
LP		 3876 r = apply_address_families(unit, context);
3877 if (r < 0) {
3878 *exit_status = EXIT_ADDRESS_FAMILIES;
12145637 3879 return log_unit_error_errno(unit, r, "Failed to restrict address families: %m");
4c2630eb 3880 }
04aa0cb9 3881
469830d1
LP		 3882 r = apply_memory_deny_write_execute(unit, context);
3883 if (r < 0) {
3884 *exit_status = EXIT_SECCOMP;
12145637 3885 return log_unit_error_errno(unit, r, "Failed to disable writing to executable memory: %m");
f3e43635 3886 }
f4170c67 3887
469830d1
LP		 3888 r = apply_restrict_realtime(unit, context);
3889 if (r < 0) {
3890 *exit_status = EXIT_SECCOMP;
12145637 3891 return log_unit_error_errno(unit, r, "Failed to apply realtime restrictions: %m");
f4170c67
LP		 3892 }
3893
f69567cb
LP		 3894 r = apply_restrict_suid_sgid(unit, context);
3895 if (r < 0) {
3896 *exit_status = EXIT_SECCOMP;
3897 return log_unit_error_errno(unit, r, "Failed to apply SUID/SGID restrictions: %m");
3898 }
3899
add00535
LP		 3900 r = apply_restrict_namespaces(unit, context);
3901 if (r < 0) {
3902 *exit_status = EXIT_SECCOMP;
12145637 3903 return log_unit_error_errno(unit, r, "Failed to apply namespace restrictions: %m");
add00535
LP		 3904 }
3905
469830d1
LP		 3906 r = apply_protect_sysctl(unit, context);
3907 if (r < 0) {
3908 *exit_status = EXIT_SECCOMP;
12145637 3909 return log_unit_error_errno(unit, r, "Failed to apply sysctl restrictions: %m");
502d704e
DH		 3910 }
3911
469830d1
LP		 3912 r = apply_protect_kernel_modules(unit, context);
3913 if (r < 0) {
3914 *exit_status = EXIT_SECCOMP;
12145637 3915 return log_unit_error_errno(unit, r, "Failed to apply module loading restrictions: %m");
59eeb84b
LP		 3916 }
3917
84703040
KK		 3918 r = apply_protect_kernel_logs(unit, context);
3919 if (r < 0) {
3920 *exit_status = EXIT_SECCOMP;
3921 return log_unit_error_errno(unit, r, "Failed to apply kernel log restrictions: %m");
3922 }
3923
fc64760d
KK		 3924 r = apply_protect_clock(unit, context);
3925 if (r < 0) {
3926 *exit_status = EXIT_SECCOMP;
3927 return log_unit_error_errno(unit, r, "Failed to apply clock restrictions: %m");
3928 }
3929
469830d1
LP		 3930 r = apply_private_devices(unit, context);
3931 if (r < 0) {
3932 *exit_status = EXIT_SECCOMP;
12145637 3933 return log_unit_error_errno(unit, r, "Failed to set up private devices: %m");
469830d1
LP		 3934 }
3935
3936 r = apply_syscall_archs(unit, context);
3937 if (r < 0) {
3938 *exit_status = EXIT_SECCOMP;
12145637 3939 return log_unit_error_errno(unit, r, "Failed to apply syscall architecture restrictions: %m");
ba128bb8
LP		 3940 }
3941
78e864e5
TM		 3942 r = apply_lock_personality(unit, context);
3943 if (r < 0) {
3944 *exit_status = EXIT_SECCOMP;
12145637 3945 return log_unit_error_errno(unit, r, "Failed to lock personalities: %m");
78e864e5
TM		 3946 }
3947
5cd9cd35
LP		 3948 /* This really should remain the last step before the execve(), to make sure our own code is unaffected
3949 * by the filter as little as possible. */
165a31c0 3950 r = apply_syscall_filter(unit, context, needs_ambient_hack);
469830d1
LP		 3951 if (r < 0) {
3952 *exit_status = EXIT_SECCOMP;
12145637 3953 return log_unit_error_errno(unit, r, "Failed to apply system call filters: %m");
d35fbf6b
DM		 3954 }
3955#endif
d35fbf6b 3956 }
034c6ed7 3957
00819cc1
LP		 3958 if (!strv_isempty(context->unset_environment)) {
3959 char **ee = NULL;
3960
3961 ee = strv_env_delete(accum_env, 1, context->unset_environment);
3962 if (!ee) {
3963 *exit_status = EXIT_MEMORY;
12145637 3964 return log_oom();
00819cc1
LP		 3965 }
3966
130d3d22 3967 strv_free_and_replace(accum_env, ee);
00819cc1
LP		 3968 }
3969
7ca69792
AZ		 3970 if (!FLAGS_SET(command->flags, EXEC_COMMAND_NO_ENV_EXPAND)) {
3971 replaced_argv = replace_env_argv(command->argv, accum_env);
3972 if (!replaced_argv) {
3973 *exit_status = EXIT_MEMORY;
3974 return log_oom();
3975 }
3976 final_argv = replaced_argv;
3977 } else
3978 final_argv = command->argv;
034c6ed7 3979
f1d34068 3980 if (DEBUG_LOGGING) {
d35fbf6b 3981 _cleanup_free_ char *line;
81a2b7ce 3982
d35fbf6b 3983 line = exec_command_line(final_argv);
a1230ff9 3984 if (line)
f2341e0a 3985 log_struct(LOG_DEBUG,
f2341e0a
LP		 3986 "EXECUTABLE=%s", command->path,
3987 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
ba360bb0 3988 LOG_UNIT_ID(unit),
a1230ff9 3989 LOG_UNIT_INVOCATION_ID(unit));
d35fbf6b 3990 }
dd305ec9 3991
5686391b
LP		 3992 if (exec_fd >= 0) {
3993 uint8_t hot = 1;
3994
3995 /* We have finished with all our initializations. Let's now let the manager know that. From this point
3996 * on, if the manager sees POLLHUP on the exec_fd, then execve() was successful. */
3997
3998 if (write(exec_fd, &hot, sizeof(hot)) < 0) {
3999 *exit_status = EXIT_EXEC;
4000 return log_unit_error_errno(unit, errno, "Failed to enable exec_fd: %m");
4001 }
4002 }
4003
2065ca69 4004 execve(command->path, final_argv, accum_env);
5686391b
LP		 4005 r = -errno;
4006
4007 if (exec_fd >= 0) {
4008 uint8_t hot = 0;
4009
4010 /* The execve() failed. This means the exec_fd is still open. Which means we need to tell the manager
4011 * that POLLHUP on it no longer means execve() succeeded. */
4012
4013 if (write(exec_fd, &hot, sizeof(hot)) < 0) {
4014 *exit_status = EXIT_EXEC;
4015 return log_unit_error_errno(unit, errno, "Failed to disable exec_fd: %m");
4016 }
4017 }
12145637 4018
5686391b
LP		 4019 if (r == -ENOENT && (command->flags & EXEC_COMMAND_IGNORE_FAILURE)) {
4020 log_struct_errno(LOG_INFO, r,
12145637
LP		 4021 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
4022 LOG_UNIT_ID(unit),
4023 LOG_UNIT_INVOCATION_ID(unit),
4024 LOG_UNIT_MESSAGE(unit, "Executable %s missing, skipping: %m",
4025 command->path),
a1230ff9 4026 "EXECUTABLE=%s", command->path);
12145637
LP		 4027 return 0;
4028 }
4029
ff0af2a1 4030 *exit_status = EXIT_EXEC;
5686391b 4031 return log_unit_error_errno(unit, r, "Failed to execute command: %m");
d35fbf6b 4032}
81a2b7ce 4033
34cf6c43 4034static int exec_context_load_environment(const Unit *unit, const ExecContext *c, char ***l);
2caa38e9 4035static int exec_context_named_iofds(const ExecContext *c, const ExecParameters *p, int named_iofds[static 3]);
34cf6c43 4036
f2341e0a
LP		 4037int exec_spawn(Unit *unit,
4038 ExecCommand *command,
d35fbf6b
DM		 4039 const ExecContext *context,
4040 const ExecParameters *params,
4041 ExecRuntime *runtime,
29206d46 4042 DynamicCreds *dcreds,
d35fbf6b 4043 pid_t *ret) {
8351ceae 4044
ee39ca20 4045 int socket_fd, r, named_iofds[3] = { -1, -1, -1 }, *fds = NULL;
78f93209 4046 _cleanup_free_ char *subcgroup_path = NULL;
d35fbf6b 4047 _cleanup_strv_free_ char **files_env = NULL;
da6053d0 4048 size_t n_storage_fds = 0, n_socket_fds = 0;
ff0af2a1 4049 _cleanup_free_ char *line = NULL;
d35fbf6b 4050 pid_t pid;
8351ceae 4051
f2341e0a 4052 assert(unit);
d35fbf6b
DM		 4053 assert(command);
4054 assert(context);
4055 assert(ret);
4056 assert(params);
25b583d7 4057 assert(params->fds || (params->n_socket_fds + params->n_storage_fds <= 0));
4298d0b5 4058
d35fbf6b
DM		 4059 if (context->std_input == EXEC_INPUT_SOCKET ||
4060 context->std_output == EXEC_OUTPUT_SOCKET ||
4061 context->std_error == EXEC_OUTPUT_SOCKET) {
17df7223 4062
4c47affc 4063 if (params->n_socket_fds > 1) {
f2341e0a 4064 log_unit_error(unit, "Got more than one socket.");
d35fbf6b 4065 return -EINVAL;
ff0af2a1 4066 }
eef65bf3 4067
4c47affc 4068 if (params->n_socket_fds == 0) {
488ab41c
AA		 4069 log_unit_error(unit, "Got no socket.");
4070 return -EINVAL;
4071 }
4072
d35fbf6b
DM		 4073 socket_fd = params->fds[0];
4074 } else {
4075 socket_fd = -1;
4076 fds = params->fds;
9b141911 4077 n_socket_fds = params->n_socket_fds;
25b583d7 4078 n_storage_fds = params->n_storage_fds;
d35fbf6b 4079 }
94f04347 4080
34cf6c43 4081 r = exec_context_named_iofds(context, params, named_iofds);
52c239d7
LB		 4082 if (r < 0)
4083 return log_unit_error_errno(unit, r, "Failed to load a named file descriptor: %m");
4084
f2341e0a 4085 r = exec_context_load_environment(unit, context, &files_env);
ff0af2a1 4086 if (r < 0)
f2341e0a 4087 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
034c6ed7 4088
ee39ca20 4089 line = exec_command_line(command->argv);
d35fbf6b
DM		 4090 if (!line)
4091 return log_oom();
fab56fc5 4092
f2341e0a 4093 log_struct(LOG_DEBUG,
f2341e0a
LP		 4094 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
4095 "EXECUTABLE=%s", command->path,
ba360bb0 4096 LOG_UNIT_ID(unit),
a1230ff9 4097 LOG_UNIT_INVOCATION_ID(unit));
12145637 4098
78f93209
LP		 4099 if (params->cgroup_path) {
4100 r = exec_parameters_get_cgroup_path(params, &subcgroup_path);
4101 if (r < 0)
4102 return log_unit_error_errno(unit, r, "Failed to acquire subcgroup path: %m");
4103 if (r > 0) { /* We are using a child cgroup */
4104 r = cg_create(SYSTEMD_CGROUP_CONTROLLER, subcgroup_path);
4105 if (r < 0)
4106 return log_unit_error_errno(unit, r, "Failed to create control group '%s': %m", subcgroup_path);
4107 }
4108 }
4109
d35fbf6b
DM		 4110 pid = fork();
4111 if (pid < 0)
74129a12 4112 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
d35fbf6b
DM		 4113
4114 if (pid == 0) {
12145637 4115 int exit_status = EXIT_SUCCESS;
ff0af2a1 4116
f2341e0a
LP		 4117 r = exec_child(unit,
4118 command,
ff0af2a1
LP		 4119 context,
4120 params,
4121 runtime,
29206d46 4122 dcreds,
ff0af2a1 4123 socket_fd,
52c239d7 4124 named_iofds,
4c47affc 4125 fds,
9b141911 4126 n_socket_fds,
25b583d7 4127 n_storage_fds,
ff0af2a1 4128 files_env,
00d9ef85 4129 unit->manager->user_lookup_fds[1],
12145637
LP		 4130 &exit_status);
4131
e1714f02
ZJS		 4132 if (r < 0) {
4133 const char *status =
4134 exit_status_to_string(exit_status,
e04ed6db 4135 EXIT_STATUS_LIBC | EXIT_STATUS_SYSTEMD);
e1714f02 4136
12145637
LP		 4137 log_struct_errno(LOG_ERR, r,
4138 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
4139 LOG_UNIT_ID(unit),
4140 LOG_UNIT_INVOCATION_ID(unit),
4141 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
e1714f02 4142 status, command->path),
a1230ff9 4143 "EXECUTABLE=%s", command->path);
e1714f02 4144 }
4c2630eb 4145
ff0af2a1 4146 _exit(exit_status);
034c6ed7
LP		 4147 }
4148
f2341e0a 4149 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
23635a85 4150
78f93209
LP		 4151 /* We add the new process to the cgroup both in the child (so that we can be sure that no user code is ever
4152 * executed outside of the cgroup) and in the parent (so that we can be sure that when we kill the cgroup the
4153 * process will be killed too). */
4154 if (subcgroup_path)
4155 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, subcgroup_path, pid);
2da3263a 4156
b58b4116 4157 exec_status_start(&command->exec_status, pid);
9fb86720 4158
034c6ed7 4159 *ret = pid;
5cb5a6ff
LP		 4160 return 0;
4161}
4162
034c6ed7 4163void exec_context_init(ExecContext *c) {
3536f49e
YW		 4164 ExecDirectoryType i;
4165
034c6ed7
LP		 4166 assert(c);
4167
4c12626c 4168 c->umask = 0022;
9eba9da4 4169 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
94f04347 4170 c->cpu_sched_policy = SCHED_OTHER;
071830ff 4171 c->syslog_priority = LOG_DAEMON|LOG_INFO;
74922904 4172 c->syslog_level_prefix = true;
353e12c2 4173 c->ignore_sigpipe = true;
3a43da28 4174 c->timer_slack_nsec = NSEC_INFINITY;
050f7277 4175 c->personality = PERSONALITY_INVALID;
72fd1768 4176 for (i = 0; i < _EXEC_DIRECTORY_TYPE_MAX; i++)
3536f49e 4177 c->directories[i].mode = 0755;
12213aed 4178 c->timeout_clean_usec = USEC_INFINITY;
a103496c 4179 c->capability_bounding_set = CAP_ALL;
aa9d574d
YW		 4180 assert_cc(NAMESPACE_FLAGS_INITIAL != NAMESPACE_FLAGS_ALL);
4181 c->restrict_namespaces = NAMESPACE_FLAGS_INITIAL;
d3070fbd 4182 c->log_level_max = -1;
b070c7c0 4183 numa_policy_reset(&c->numa_policy);
034c6ed7
LP		 4184}
4185
613b411c 4186void exec_context_done(ExecContext *c) {
3536f49e 4187 ExecDirectoryType i;
d3070fbd 4188 size_t l;
5cb5a6ff
LP		 4189
4190 assert(c);
4191
6796073e
LP		 4192 c->environment = strv_free(c->environment);
4193 c->environment_files = strv_free(c->environment_files);
b4c14404 4194 c->pass_environment = strv_free(c->pass_environment);
00819cc1 4195 c->unset_environment = strv_free(c->unset_environment);
8c7be95e 4196
31ce987c 4197 rlimit_free_all(c->rlimit);
034c6ed7 4198
2038c3f5 4199 for (l = 0; l < 3; l++) {
52c239d7 4200 c->stdio_fdname[l] = mfree(c->stdio_fdname[l]);
2038c3f5
LP		 4201 c->stdio_file[l] = mfree(c->stdio_file[l]);
4202 }
52c239d7 4203
a1e58e8e
LP		 4204 c->working_directory = mfree(c->working_directory);
4205 c->root_directory = mfree(c->root_directory);
915e6d16 4206 c->root_image = mfree(c->root_image);
a1e58e8e
LP		 4207 c->tty_path = mfree(c->tty_path);
4208 c->syslog_identifier = mfree(c->syslog_identifier);
4209 c->user = mfree(c->user);
4210 c->group = mfree(c->group);
034c6ed7 4211
6796073e 4212 c->supplementary_groups = strv_free(c->supplementary_groups);
94f04347 4213
a1e58e8e 4214 c->pam_name = mfree(c->pam_name);
5b6319dc 4215
2a624c36
AP		 4216 c->read_only_paths = strv_free(c->read_only_paths);
4217 c->read_write_paths = strv_free(c->read_write_paths);
4218 c->inaccessible_paths = strv_free(c->inaccessible_paths);
82c121a4 4219
d2d6c096 4220 bind_mount_free_many(c->bind_mounts, c->n_bind_mounts);
8e06d57c
YW		 4221 c->bind_mounts = NULL;
4222 c->n_bind_mounts = 0;
2abd4e38
YW		 4223 temporary_filesystem_free_many(c->temporary_filesystems, c->n_temporary_filesystems);
4224 c->temporary_filesystems = NULL;
4225 c->n_temporary_filesystems = 0;
d2d6c096 4226
0985c7c4 4227 cpu_set_reset(&c->cpu_set);
b070c7c0 4228 numa_policy_reset(&c->numa_policy);
86a3475b 4229
a1e58e8e
LP		 4230 c->utmp_id = mfree(c->utmp_id);
4231 c->selinux_context = mfree(c->selinux_context);
4232 c->apparmor_profile = mfree(c->apparmor_profile);
5b8e1b77 4233 c->smack_process_label = mfree(c->smack_process_label);
eef65bf3 4234
8cfa775f 4235 c->syscall_filter = hashmap_free(c->syscall_filter);
525d3cc7
LP		 4236 c->syscall_archs = set_free(c->syscall_archs);
4237 c->address_families = set_free(c->address_families);
e66cf1a3 4238
72fd1768 4239 for (i = 0; i < _EXEC_DIRECTORY_TYPE_MAX; i++)
3536f49e 4240 c->directories[i].paths = strv_free(c->directories[i].paths);
d3070fbd
LP		 4241
4242 c->log_level_max = -1;
4243
4244 exec_context_free_log_extra_fields(c);
08f3be7a 4245
5ac1530e
ZJS		 4246 c->log_ratelimit_interval_usec = 0;
4247 c->log_ratelimit_burst = 0;
90fc172e 4248
08f3be7a
LP		 4249 c->stdin_data = mfree(c->stdin_data);
4250 c->stdin_data_size = 0;
a8d08f39
LP		 4251
4252 c->network_namespace_path = mfree(c->network_namespace_path);
91dd5f7c
LP		 4253
4254 c->log_namespace = mfree(c->log_namespace);
e66cf1a3
LP		 4255}
4256
34cf6c43 4257int exec_context_destroy_runtime_directory(const ExecContext *c, const char *runtime_prefix) {
e66cf1a3
LP		 4258 char **i;
4259
4260 assert(c);
4261
4262 if (!runtime_prefix)
4263 return 0;
4264
3536f49e 4265 STRV_FOREACH(i, c->directories[EXEC_DIRECTORY_RUNTIME].paths) {
e66cf1a3
LP		 4266 _cleanup_free_ char *p;
4267
494d0247
YW		 4268 if (exec_directory_is_private(c, EXEC_DIRECTORY_RUNTIME))
4269 p = path_join(runtime_prefix, "private", *i);
4270 else
4271 p = path_join(runtime_prefix, *i);
e66cf1a3
LP		 4272 if (!p)
4273 return -ENOMEM;
4274
7bc4bf4a
LP		 4275 /* We execute this synchronously, since we need to be sure this is gone when we start the
4276 * service next. */
c6878637 4277 (void) rm_rf(p, REMOVE_ROOT);
e66cf1a3
LP		 4278 }
4279
4280 return 0;
5cb5a6ff
LP		 4281}
4282
34cf6c43 4283static void exec_command_done(ExecCommand *c) {
43d0fcbd
LP		 4284 assert(c);
4285
a1e58e8e 4286 c->path = mfree(c->path);
6796073e 4287 c->argv = strv_free(c->argv);
43d0fcbd
LP		 4288}
4289
da6053d0
LP		 4290void exec_command_done_array(ExecCommand *c, size_t n) {
4291 size_t i;
43d0fcbd
LP		 4292
4293 for (i = 0; i < n; i++)
4294 exec_command_done(c+i);
4295}
4296
f1acf85a 4297ExecCommand* exec_command_free_list(ExecCommand *c) {
5cb5a6ff
LP		 4298 ExecCommand *i;
4299
4300 while ((i = c)) {
71fda00f 4301 LIST_REMOVE(command, c, i);
43d0fcbd 4302 exec_command_done(i);
5cb5a6ff
LP		 4303 free(i);
4304 }
f1acf85a
ZJS		 4305
4306 return NULL;
5cb5a6ff
LP		 4307}
4308
da6053d0
LP		 4309void exec_command_free_array(ExecCommand **c, size_t n) {
4310 size_t i;
034c6ed7 4311
f1acf85a
ZJS		 4312 for (i = 0; i < n; i++)
4313 c[i] = exec_command_free_list(c[i]);
034c6ed7
LP		 4314}
4315
6a1d4d9f
LP		 4316void exec_command_reset_status_array(ExecCommand *c, size_t n) {
4317 size_t i;
4318
4319 for (i = 0; i < n; i++)
4320 exec_status_reset(&c[i].exec_status);
4321}
4322
4323void exec_command_reset_status_list_array(ExecCommand **c, size_t n) {
4324 size_t i;
4325
4326 for (i = 0; i < n; i++) {
4327 ExecCommand *z;
4328
4329 LIST_FOREACH(command, z, c[i])
4330 exec_status_reset(&z->exec_status);
4331 }
4332}
4333
039f0e70 4334typedef struct InvalidEnvInfo {
34cf6c43 4335 const Unit *unit;
039f0e70
LP		 4336 const char *path;
4337} InvalidEnvInfo;
4338
4339static void invalid_env(const char *p, void *userdata) {
4340 InvalidEnvInfo *info = userdata;
4341
f2341e0a 4342 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
039f0e70
LP		 4343}
4344
52c239d7
LB		 4345const char* exec_context_fdname(const ExecContext *c, int fd_index) {
4346 assert(c);
4347
4348 switch (fd_index) {
5073ff6b 4349
52c239d7
LB		 4350 case STDIN_FILENO:
4351 if (c->std_input != EXEC_INPUT_NAMED_FD)
4352 return NULL;
5073ff6b 4353
52c239d7 4354 return c->stdio_fdname[STDIN_FILENO] ?: "stdin";
5073ff6b 4355
52c239d7
LB		 4356 case STDOUT_FILENO:
4357 if (c->std_output != EXEC_OUTPUT_NAMED_FD)
4358 return NULL;
5073ff6b 4359
52c239d7 4360 return c->stdio_fdname[STDOUT_FILENO] ?: "stdout";
5073ff6b 4361
52c239d7
LB		 4362 case STDERR_FILENO:
4363 if (c->std_error != EXEC_OUTPUT_NAMED_FD)
4364 return NULL;
5073ff6b 4365
52c239d7 4366 return c->stdio_fdname[STDERR_FILENO] ?: "stderr";
5073ff6b 4367
52c239d7
LB		 4368 default:
4369 return NULL;
4370 }
4371}
4372
2caa38e9
LP		 4373static int exec_context_named_iofds(
4374 const ExecContext *c,
4375 const ExecParameters *p,
4376 int named_iofds[static 3]) {
4377
da6053d0 4378 size_t i, targets;
56fbd561 4379 const char* stdio_fdname[3];
da6053d0 4380 size_t n_fds;
52c239d7
LB		 4381
4382 assert(c);
4383 assert(p);
2caa38e9 4384 assert(named_iofds);
52c239d7
LB		 4385
4386 targets = (c->std_input == EXEC_INPUT_NAMED_FD) +
4387 (c->std_output == EXEC_OUTPUT_NAMED_FD) +
4388 (c->std_error == EXEC_OUTPUT_NAMED_FD);
4389
4390 for (i = 0; i < 3; i++)
4391 stdio_fdname[i] = exec_context_fdname(c, i);
4392
4c47affc
FB		 4393 n_fds = p->n_storage_fds + p->n_socket_fds;
4394
4395 for (i = 0; i < n_fds && targets > 0; i++)
56fbd561
ZJS		 4396 if (named_iofds[STDIN_FILENO] < 0 &&
4397 c->std_input == EXEC_INPUT_NAMED_FD &&
4398 stdio_fdname[STDIN_FILENO] &&
4399 streq(p->fd_names[i], stdio_fdname[STDIN_FILENO])) {
4400
52c239d7
LB		 4401 named_iofds[STDIN_FILENO] = p->fds[i];
4402 targets--;
56fbd561
ZJS		 4403
4404 } else if (named_iofds[STDOUT_FILENO] < 0 &&
4405 c->std_output == EXEC_OUTPUT_NAMED_FD &&
4406 stdio_fdname[STDOUT_FILENO] &&
4407 streq(p->fd_names[i], stdio_fdname[STDOUT_FILENO])) {
4408
52c239d7
LB		 4409 named_iofds[STDOUT_FILENO] = p->fds[i];
4410 targets--;
56fbd561
ZJS		 4411
4412 } else if (named_iofds[STDERR_FILENO] < 0 &&
4413 c->std_error == EXEC_OUTPUT_NAMED_FD &&
4414 stdio_fdname[STDERR_FILENO] &&
4415 streq(p->fd_names[i], stdio_fdname[STDERR_FILENO])) {
4416
52c239d7
LB		 4417 named_iofds[STDERR_FILENO] = p->fds[i];
4418 targets--;
4419 }
4420
56fbd561 4421 return targets == 0 ? 0 : -ENOENT;
52c239d7
LB		 4422}
4423
34cf6c43 4424static int exec_context_load_environment(const Unit *unit, const ExecContext *c, char ***l) {
8c7be95e
LP		 4425 char **i, **r = NULL;
4426
4427 assert(c);
4428 assert(l);
4429
4430 STRV_FOREACH(i, c->environment_files) {
4431 char *fn;
52511fae
ZJS		 4432 int k;
4433 unsigned n;
8c7be95e
LP		 4434 bool ignore = false;
4435 char **p;
7fd1b19b 4436 _cleanup_globfree_ glob_t pglob = {};
8c7be95e
LP		 4437
4438 fn = *i;
4439
4440 if (fn[0] == '-') {
4441 ignore = true;
313cefa1 4442 fn++;
8c7be95e
LP		 4443 }
4444
4445 if (!path_is_absolute(fn)) {
8c7be95e
LP		 4446 if (ignore)
4447 continue;
4448
4449 strv_free(r);
4450 return -EINVAL;
4451 }
4452
2bef10ab 4453 /* Filename supports globbing, take all matching files */
d8c92e8b
ZJS		 4454 k = safe_glob(fn, 0, &pglob);
4455 if (k < 0) {
2bef10ab
PL		 4456 if (ignore)
4457 continue;
8c7be95e 4458
2bef10ab 4459 strv_free(r);
d8c92e8b 4460 return k;
2bef10ab 4461 }
8c7be95e 4462
d8c92e8b
ZJS		 4463 /* When we don't match anything, -ENOENT should be returned */
4464 assert(pglob.gl_pathc > 0);
4465
4466 for (n = 0; n < pglob.gl_pathc; n++) {
aa8fbc74 4467 k = load_env_file(NULL, pglob.gl_pathv[n], &p);
2bef10ab
PL		 4468 if (k < 0) {
4469 if (ignore)
4470 continue;
8c7be95e 4471
2bef10ab 4472 strv_free(r);
2bef10ab 4473 return k;
e9c1ea9d 4474 }
ebc05a09 4475 /* Log invalid environment variables with filename */
039f0e70
LP		 4476 if (p) {
4477 InvalidEnvInfo info = {
f2341e0a 4478 .unit = unit,
039f0e70
LP		 4479 .path = pglob.gl_pathv[n]
4480 };
4481
4482 p = strv_env_clean_with_callback(p, invalid_env, &info);
4483 }
8c7be95e 4484
234519ae 4485 if (!r)
2bef10ab
PL		 4486 r = p;
4487 else {
4488 char **m;
8c7be95e 4489
2bef10ab
PL		 4490 m = strv_env_merge(2, r, p);
4491 strv_free(r);
4492 strv_free(p);
c84a9488 4493 if (!m)
2bef10ab 4494 return -ENOMEM;
2bef10ab
PL		 4495
4496 r = m;
4497 }
8c7be95e
LP		 4498 }
4499 }
4500
4501 *l = r;
4502
4503 return 0;
4504}
4505
6ac8fdc9 4506static bool tty_may_match_dev_console(const char *tty) {
7b912648 4507 _cleanup_free_ char *resolved = NULL;
6ac8fdc9 4508
1e22b5cd
LP		 4509 if (!tty)
4510 return true;
4511
a119ec7c 4512 tty = skip_dev_prefix(tty);
6ac8fdc9
MS		 4513
4514 /* trivial identity? */
4515 if (streq(tty, "console"))
4516 return true;
4517
7b912648
LP		 4518 if (resolve_dev_console(&resolved) < 0)
4519 return true; /* if we could not resolve, assume it may */
6ac8fdc9
MS		 4520
4521 /* "tty0" means the active VC, so it may be the same sometimes */
955f1c85 4522 return path_equal(resolved, tty) || (streq(resolved, "tty0") && tty_is_vc(tty));
6ac8fdc9
MS		 4523}
4524
6c0ae739
LP		 4525static bool exec_context_may_touch_tty(const ExecContext *ec) {
4526 assert(ec);
1e22b5cd 4527
6c0ae739 4528 return ec->tty_reset ||
1e22b5cd
LP		 4529 ec->tty_vhangup ||
4530 ec->tty_vt_disallocate ||
6ac8fdc9
MS		 4531 is_terminal_input(ec->std_input) ||
4532 is_terminal_output(ec->std_output) ||
6c0ae739
LP		 4533 is_terminal_output(ec->std_error);
4534}
4535
4536bool exec_context_may_touch_console(const ExecContext *ec) {
4537
4538 return exec_context_may_touch_tty(ec) &&
1e22b5cd 4539 tty_may_match_dev_console(exec_context_tty_path(ec));
6ac8fdc9
MS		 4540}
4541
15ae422b
LP		 4542static void strv_fprintf(FILE *f, char **l) {
4543 char **g;
4544
4545 assert(f);
4546
4547 STRV_FOREACH(g, l)
4548 fprintf(f, " %s", *g);
4549}
4550
34cf6c43 4551void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
12213aed 4552 char **e, **d, buf_clean[FORMAT_TIMESPAN_MAX];
d3070fbd 4553 ExecDirectoryType dt;
94f04347 4554 unsigned i;
add00535 4555 int r;
9eba9da4 4556
5cb5a6ff
LP		 4557 assert(c);
4558 assert(f);
4559
4ad49000 4560 prefix = strempty(prefix);
5cb5a6ff
LP		 4561
4562 fprintf(f,
94f04347
LP		 4563 "%sUMask: %04o\n"
4564 "%sWorkingDirectory: %s\n"
451a074f 4565 "%sRootDirectory: %s\n"
15ae422b 4566 "%sNonBlocking: %s\n"
64747e2d 4567 "%sPrivateTmp: %s\n"
7f112f50 4568 "%sPrivateDevices: %s\n"
59eeb84b 4569 "%sProtectKernelTunables: %s\n"
e66a2f65 4570 "%sProtectKernelModules: %s\n"
84703040 4571 "%sProtectKernelLogs: %s\n"
fc64760d 4572 "%sProtectClock: %s\n"
59eeb84b 4573 "%sProtectControlGroups: %s\n"
d251207d
LP		 4574 "%sPrivateNetwork: %s\n"
4575 "%sPrivateUsers: %s\n"
1b8689f9
LP		 4576 "%sProtectHome: %s\n"
4577 "%sProtectSystem: %s\n"
5d997827 4578 "%sMountAPIVFS: %s\n"
f3e43635 4579 "%sIgnoreSIGPIPE: %s\n"
f4170c67 4580 "%sMemoryDenyWriteExecute: %s\n"
b1edf445 4581 "%sRestrictRealtime: %s\n"
f69567cb 4582 "%sRestrictSUIDSGID: %s\n"
aecd5ac6
TM		 4583 "%sKeyringMode: %s\n"
4584 "%sProtectHostname: %s\n",
5cb5a6ff 4585 prefix, c->umask,
9eba9da4 4586 prefix, c->working_directory ? c->working_directory : "/",
451a074f 4587 prefix, c->root_directory ? c->root_directory : "/",
15ae422b 4588 prefix, yes_no(c->non_blocking),
64747e2d 4589 prefix, yes_no(c->private_tmp),
7f112f50 4590 prefix, yes_no(c->private_devices),
59eeb84b 4591 prefix, yes_no(c->protect_kernel_tunables),
e66a2f65 4592 prefix, yes_no(c->protect_kernel_modules),
84703040 4593 prefix, yes_no(c->protect_kernel_logs),
fc64760d 4594 prefix, yes_no(c->protect_clock),
59eeb84b 4595 prefix, yes_no(c->protect_control_groups),
d251207d
LP		 4596 prefix, yes_no(c->private_network),
4597 prefix, yes_no(c->private_users),
1b8689f9
LP		 4598 prefix, protect_home_to_string(c->protect_home),
4599 prefix, protect_system_to_string(c->protect_system),
5d997827 4600 prefix, yes_no(c->mount_apivfs),
f3e43635 4601 prefix, yes_no(c->ignore_sigpipe),
f4170c67 4602 prefix, yes_no(c->memory_deny_write_execute),
b1edf445 4603 prefix, yes_no(c->restrict_realtime),
f69567cb 4604 prefix, yes_no(c->restrict_suid_sgid),
aecd5ac6
TM		 4605 prefix, exec_keyring_mode_to_string(c->keyring_mode),
4606 prefix, yes_no(c->protect_hostname));
fb33a393 4607
915e6d16
LP		 4608 if (c->root_image)
4609 fprintf(f, "%sRootImage: %s\n", prefix, c->root_image);
4610
8c7be95e
LP		 4611 STRV_FOREACH(e, c->environment)
4612 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
4613
4614 STRV_FOREACH(e, c->environment_files)
4615 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
94f04347 4616
b4c14404
FB		 4617 STRV_FOREACH(e, c->pass_environment)
4618 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
4619
00819cc1
LP		 4620 STRV_FOREACH(e, c->unset_environment)
4621 fprintf(f, "%sUnsetEnvironment: %s\n", prefix, *e);
4622
53f47dfc
YW		 4623 fprintf(f, "%sRuntimeDirectoryPreserve: %s\n", prefix, exec_preserve_mode_to_string(c->runtime_directory_preserve_mode));
4624
72fd1768 4625 for (dt = 0; dt < _EXEC_DIRECTORY_TYPE_MAX; dt++) {
3536f49e
YW		 4626 fprintf(f, "%s%sMode: %04o\n", prefix, exec_directory_type_to_string(dt), c->directories[dt].mode);
4627
4628 STRV_FOREACH(d, c->directories[dt].paths)
4629 fprintf(f, "%s%s: %s\n", prefix, exec_directory_type_to_string(dt), *d);
4630 }
c2bbd90b 4631
12213aed
YW		 4632 fprintf(f,
4633 "%sTimeoutCleanSec: %s\n",
4634 prefix, format_timespan(buf_clean, sizeof(buf_clean), c->timeout_clean_usec, USEC_PER_SEC));
4635
fb33a393
LP		 4636 if (c->nice_set)
4637 fprintf(f,
4638 "%sNice: %i\n",
4639 prefix, c->nice);
4640
dd6c17b1 4641 if (c->oom_score_adjust_set)
fb33a393 4642 fprintf(f,
dd6c17b1
LP		 4643 "%sOOMScoreAdjust: %i\n",
4644 prefix, c->oom_score_adjust);
9eba9da4 4645
ad21e542
ZJS		 4646 if (c->coredump_filter_set)
4647 fprintf(f,
4648 "%sCoredumpFilter: 0x%"PRIx64"\n",
4649 prefix, c->coredump_filter);
4650
94f04347 4651 for (i = 0; i < RLIM_NLIMITS; i++)
3c11da9d 4652 if (c->rlimit[i]) {
4c3a2b84 4653 fprintf(f, "%sLimit%s: " RLIM_FMT "\n",
3c11da9d 4654 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
4c3a2b84 4655 fprintf(f, "%sLimit%sSoft: " RLIM_FMT "\n",
3c11da9d
EV		 4656 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
4657 }
94f04347 4658
f8b69d1d 4659 if (c->ioprio_set) {
1756a011 4660 _cleanup_free_ char *class_str = NULL;
f8b69d1d 4661
837df140
YW		 4662 r = ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
4663 if (r >= 0)
4664 fprintf(f, "%sIOSchedulingClass: %s\n", prefix, class_str);
4665
4666 fprintf(f, "%sIOPriority: %lu\n", prefix, IOPRIO_PRIO_DATA(c->ioprio));
f8b69d1d 4667 }
94f04347 4668
f8b69d1d 4669 if (c->cpu_sched_set) {
1756a011 4670 _cleanup_free_ char *policy_str = NULL;
f8b69d1d 4671
837df140
YW		 4672 r = sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
4673 if (r >= 0)
4674 fprintf(f, "%sCPUSchedulingPolicy: %s\n", prefix, policy_str);
4675
94f04347 4676 fprintf(f,
38b48754
LP		 4677 "%sCPUSchedulingPriority: %i\n"
4678 "%sCPUSchedulingResetOnFork: %s\n",
38b48754
LP		 4679 prefix, c->cpu_sched_priority,
4680 prefix, yes_no(c->cpu_sched_reset_on_fork));
b929bf04 4681 }
94f04347 4682
0985c7c4 4683 if (c->cpu_set.set) {
e7fca352
MS		 4684 _cleanup_free_ char *affinity = NULL;
4685
4686 affinity = cpu_set_to_range_string(&c->cpu_set);
4687 fprintf(f, "%sCPUAffinity: %s\n", prefix, affinity);
94f04347
LP		 4688 }
4689
b070c7c0
MS		 4690 if (mpol_is_valid(numa_policy_get_type(&c->numa_policy))) {
4691 _cleanup_free_ char *nodes = NULL;
4692
4693 nodes = cpu_set_to_range_string(&c->numa_policy.nodes);
4694 fprintf(f, "%sNUMAPolicy: %s\n", prefix, mpol_to_string(numa_policy_get_type(&c->numa_policy)));
4695 fprintf(f, "%sNUMAMask: %s\n", prefix, strnull(nodes));
4696 }
4697
3a43da28 4698 if (c->timer_slack_nsec != NSEC_INFINITY)
ccd06097 4699 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
94f04347
LP		 4700
4701 fprintf(f,
80876c20
LP		 4702 "%sStandardInput: %s\n"
4703 "%sStandardOutput: %s\n"
4704 "%sStandardError: %s\n",
4705 prefix, exec_input_to_string(c->std_input),
4706 prefix, exec_output_to_string(c->std_output),
4707 prefix, exec_output_to_string(c->std_error));
4708
befc4a80
LP		 4709 if (c->std_input == EXEC_INPUT_NAMED_FD)
4710 fprintf(f, "%sStandardInputFileDescriptorName: %s\n", prefix, c->stdio_fdname[STDIN_FILENO]);
4711 if (c->std_output == EXEC_OUTPUT_NAMED_FD)
4712 fprintf(f, "%sStandardOutputFileDescriptorName: %s\n", prefix, c->stdio_fdname[STDOUT_FILENO]);
4713 if (c->std_error == EXEC_OUTPUT_NAMED_FD)
4714 fprintf(f, "%sStandardErrorFileDescriptorName: %s\n", prefix, c->stdio_fdname[STDERR_FILENO]);
4715
4716 if (c->std_input == EXEC_INPUT_FILE)
4717 fprintf(f, "%sStandardInputFile: %s\n", prefix, c->stdio_file[STDIN_FILENO]);
4718 if (c->std_output == EXEC_OUTPUT_FILE)
4719 fprintf(f, "%sStandardOutputFile: %s\n", prefix, c->stdio_file[STDOUT_FILENO]);
566b7d23
ZD		 4720 if (c->std_output == EXEC_OUTPUT_FILE_APPEND)
4721 fprintf(f, "%sStandardOutputFileToAppend: %s\n", prefix, c->stdio_file[STDOUT_FILENO]);
befc4a80
LP		 4722 if (c->std_error == EXEC_OUTPUT_FILE)
4723 fprintf(f, "%sStandardErrorFile: %s\n", prefix, c->stdio_file[STDERR_FILENO]);
566b7d23
ZD		 4724 if (c->std_error == EXEC_OUTPUT_FILE_APPEND)
4725 fprintf(f, "%sStandardErrorFileToAppend: %s\n", prefix, c->stdio_file[STDERR_FILENO]);
befc4a80 4726
80876c20
LP		 4727 if (c->tty_path)
4728 fprintf(f,
6ea832a2
LP		 4729 "%sTTYPath: %s\n"
4730 "%sTTYReset: %s\n"
4731 "%sTTYVHangup: %s\n"
4732 "%sTTYVTDisallocate: %s\n",
4733 prefix, c->tty_path,
4734 prefix, yes_no(c->tty_reset),
4735 prefix, yes_no(c->tty_vhangup),
4736 prefix, yes_no(c->tty_vt_disallocate));
94f04347 4737
9f6444eb
LP		 4738 if (IN_SET(c->std_output,
4739 EXEC_OUTPUT_SYSLOG,
4740 EXEC_OUTPUT_KMSG,
4741 EXEC_OUTPUT_JOURNAL,
4742 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
4743 EXEC_OUTPUT_KMSG_AND_CONSOLE,
4744 EXEC_OUTPUT_JOURNAL_AND_CONSOLE) ||
4745 IN_SET(c->std_error,
4746 EXEC_OUTPUT_SYSLOG,
4747 EXEC_OUTPUT_KMSG,
4748 EXEC_OUTPUT_JOURNAL,
4749 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
4750 EXEC_OUTPUT_KMSG_AND_CONSOLE,
4751 EXEC_OUTPUT_JOURNAL_AND_CONSOLE)) {
f8b69d1d 4752
5ce70e5b 4753 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
f8b69d1d 4754
837df140
YW		 4755 r = log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
4756 if (r >= 0)
4757 fprintf(f, "%sSyslogFacility: %s\n", prefix, fac_str);
f8b69d1d 4758
837df140
YW		 4759 r = log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
4760 if (r >= 0)
4761 fprintf(f, "%sSyslogLevel: %s\n", prefix, lvl_str);
f8b69d1d 4762 }
94f04347 4763
d3070fbd
LP		 4764 if (c->log_level_max >= 0) {
4765 _cleanup_free_ char *t = NULL;
4766
4767 (void) log_level_to_string_alloc(c->log_level_max, &t);
4768
4769 fprintf(f, "%sLogLevelMax: %s\n", prefix, strna(t));
4770 }
4771
5ac1530e 4772 if (c->log_ratelimit_interval_usec > 0) {
90fc172e
AZ		 4773 char buf_timespan[FORMAT_TIMESPAN_MAX];
4774
4775 fprintf(f,
4776 "%sLogRateLimitIntervalSec: %s\n",
5ac1530e 4777 prefix, format_timespan(buf_timespan, sizeof(buf_timespan), c->log_ratelimit_interval_usec, USEC_PER_SEC));
90fc172e
AZ		 4778 }
4779
5ac1530e
ZJS		 4780 if (c->log_ratelimit_burst > 0)
4781 fprintf(f, "%sLogRateLimitBurst: %u\n", prefix, c->log_ratelimit_burst);
90fc172e 4782
d3070fbd
LP		 4783 if (c->n_log_extra_fields > 0) {
4784 size_t j;
4785
4786 for (j = 0; j < c->n_log_extra_fields; j++) {
4787 fprintf(f, "%sLogExtraFields: ", prefix);
4788 fwrite(c->log_extra_fields[j].iov_base,
4789 1, c->log_extra_fields[j].iov_len,
4790 f);
4791 fputc('\n', f);
4792 }
4793 }
4794
91dd5f7c
LP		 4795 if (c->log_namespace)
4796 fprintf(f, "%sLogNamespace: %s\n", prefix, c->log_namespace);
4797
07d46372
YW		 4798 if (c->secure_bits) {
4799 _cleanup_free_ char *str = NULL;
4800
4801 r = secure_bits_to_string_alloc(c->secure_bits, &str);
4802 if (r >= 0)
4803 fprintf(f, "%sSecure Bits: %s\n", prefix, str);
4804 }
94f04347 4805
a103496c 4806 if (c->capability_bounding_set != CAP_ALL) {
dd1f5bd0 4807 _cleanup_free_ char *str = NULL;
94f04347 4808
dd1f5bd0
YW		 4809 r = capability_set_to_string_alloc(c->capability_bounding_set, &str);
4810 if (r >= 0)
4811 fprintf(f, "%sCapabilityBoundingSet: %s\n", prefix, str);
755d4b67
IP		 4812 }
4813
4814 if (c->capability_ambient_set != 0) {
dd1f5bd0 4815 _cleanup_free_ char *str = NULL;
755d4b67 4816
dd1f5bd0
YW		 4817 r = capability_set_to_string_alloc(c->capability_ambient_set, &str);
4818 if (r >= 0)
4819 fprintf(f, "%sAmbientCapabilities: %s\n", prefix, str);
94f04347
LP		 4820 }
4821
4822 if (c->user)
f2d3769a 4823 fprintf(f, "%sUser: %s\n", prefix, c->user);
94f04347 4824 if (c->group)
f2d3769a 4825 fprintf(f, "%sGroup: %s\n", prefix, c->group);
94f04347 4826
29206d46
LP		 4827 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
4828
ac6e8be6 4829 if (!strv_isempty(c->supplementary_groups)) {
94f04347 4830 fprintf(f, "%sSupplementaryGroups:", prefix);
15ae422b
LP		 4831 strv_fprintf(f, c->supplementary_groups);
4832 fputs("\n", f);
4833 }
94f04347 4834
5b6319dc 4835 if (c->pam_name)
f2d3769a 4836 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
5b6319dc 4837
58629001 4838 if (!strv_isempty(c->read_write_paths)) {
2a624c36
AP		 4839 fprintf(f, "%sReadWritePaths:", prefix);
4840 strv_fprintf(f, c->read_write_paths);
15ae422b
LP		 4841 fputs("\n", f);
4842 }
4843
58629001 4844 if (!strv_isempty(c->read_only_paths)) {
2a624c36
AP		 4845 fprintf(f, "%sReadOnlyPaths:", prefix);
4846 strv_fprintf(f, c->read_only_paths);
15ae422b
LP		 4847 fputs("\n", f);
4848 }
94f04347 4849
58629001 4850 if (!strv_isempty(c->inaccessible_paths)) {
2a624c36
AP		 4851 fprintf(f, "%sInaccessiblePaths:", prefix);
4852 strv_fprintf(f, c->inaccessible_paths);
94f04347
LP		 4853 fputs("\n", f);
4854 }
2e22afe9 4855
d2d6c096 4856 if (c->n_bind_mounts > 0)
4ca763a9
YW		 4857 for (i = 0; i < c->n_bind_mounts; i++)
4858 fprintf(f, "%s%s: %s%s:%s:%s\n", prefix,
d2d6c096 4859 c->bind_mounts[i].read_only ? "BindReadOnlyPaths" : "BindPaths",
4ca763a9 4860 c->bind_mounts[i].ignore_enoent ? "-": "",
d2d6c096
LP		 4861 c->bind_mounts[i].source,
4862 c->bind_mounts[i].destination,
4863 c->bind_mounts[i].recursive ? "rbind" : "norbind");
d2d6c096 4864
2abd4e38
YW		 4865 if (c->n_temporary_filesystems > 0)
4866 for (i = 0; i < c->n_temporary_filesystems; i++) {
4867 TemporaryFileSystem *t = c->temporary_filesystems + i;
4868
4869 fprintf(f, "%sTemporaryFileSystem: %s%s%s\n", prefix,
4870 t->path,
4871 isempty(t->options) ? "" : ":",
4872 strempty(t->options));
4873 }
4874
169c1bda
LP		 4875 if (c->utmp_id)
4876 fprintf(f,
4877 "%sUtmpIdentifier: %s\n",
4878 prefix, c->utmp_id);
7b52a628
MS		 4879
4880 if (c->selinux_context)
4881 fprintf(f,
5f8640fb
LP		 4882 "%sSELinuxContext: %s%s\n",
4883 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
17df7223 4884
80c21aea
WC		 4885 if (c->apparmor_profile)
4886 fprintf(f,
4887 "%sAppArmorProfile: %s%s\n",
4888 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
4889
4890 if (c->smack_process_label)
4891 fprintf(f,
4892 "%sSmackProcessLabel: %s%s\n",
4893 prefix, c->smack_process_label_ignore ? "-" : "", c->smack_process_label);
4894
050f7277 4895 if (c->personality != PERSONALITY_INVALID)
ac45f971
LP		 4896 fprintf(f,
4897 "%sPersonality: %s\n",
4898 prefix, strna(personality_to_string(c->personality)));
4899
78e864e5
TM		 4900 fprintf(f,
4901 "%sLockPersonality: %s\n",
4902 prefix, yes_no(c->lock_personality));
4903
17df7223 4904 if (c->syscall_filter) {
349cc4a5 4905#if HAVE_SECCOMP
17df7223 4906 Iterator j;
8cfa775f 4907 void *id, *val;
17df7223 4908 bool first = true;
351a19b1 4909#endif
17df7223
LP		 4910
4911 fprintf(f,
57183d11 4912 "%sSystemCallFilter: ",
17df7223
LP		 4913 prefix);
4914
4915 if (!c->syscall_whitelist)
4916 fputc('~', f);
4917
349cc4a5 4918#if HAVE_SECCOMP
8cfa775f 4919 HASHMAP_FOREACH_KEY(val, id, c->syscall_filter, j) {
17df7223 4920 _cleanup_free_ char *name = NULL;
8cfa775f
YW		 4921 const char *errno_name = NULL;
4922 int num = PTR_TO_INT(val);
17df7223
LP		 4923
4924 if (first)
4925 first = false;
4926 else
4927 fputc(' ', f);
4928
57183d11 4929 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
17df7223 4930 fputs(strna(name), f);
8cfa775f
YW		 4931
4932 if (num >= 0) {
4933 errno_name = errno_to_name(num);
4934 if (errno_name)
4935 fprintf(f, ":%s", errno_name);
4936 else
4937 fprintf(f, ":%d", num);
4938 }
17df7223 4939 }
351a19b1 4940#endif
17df7223
LP		 4941
4942 fputc('\n', f);
4943 }
4944
57183d11 4945 if (c->syscall_archs) {
349cc4a5 4946#if HAVE_SECCOMP
57183d11
LP		 4947 Iterator j;
4948 void *id;
4949#endif
4950
4951 fprintf(f,
4952 "%sSystemCallArchitectures:",
4953 prefix);
4954
349cc4a5 4955#if HAVE_SECCOMP
57183d11
LP		 4956 SET_FOREACH(id, c->syscall_archs, j)
4957 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
4958#endif
4959 fputc('\n', f);
4960 }
4961
add00535
LP		 4962 if (exec_context_restrict_namespaces_set(c)) {
4963 _cleanup_free_ char *s = NULL;
4964
86c2a9f1 4965 r = namespace_flags_to_string(c->restrict_namespaces, &s);
add00535
LP		 4966 if (r >= 0)
4967 fprintf(f, "%sRestrictNamespaces: %s\n",
dd0395b5 4968 prefix, strna(s));
add00535
LP		 4969 }
4970
a8d08f39
LP		 4971 if (c->network_namespace_path)
4972 fprintf(f,
4973 "%sNetworkNamespacePath: %s\n",
4974 prefix, c->network_namespace_path);
4975
3df90f24
YW		 4976 if (c->syscall_errno > 0) {
4977 const char *errno_name;
4978
4979 fprintf(f, "%sSystemCallErrorNumber: ", prefix);
4980
4981 errno_name = errno_to_name(c->syscall_errno);
4982 if (errno_name)
4983 fprintf(f, "%s\n", errno_name);
4984 else
4985 fprintf(f, "%d\n", c->syscall_errno);
4986 }
5cb5a6ff
LP		 4987}
4988
34cf6c43 4989bool exec_context_maintains_privileges(const ExecContext *c) {
a931ad47
LP		 4990 assert(c);
4991
61233823 4992 /* Returns true if the process forked off would run under
a931ad47
LP		 4993 * an unchanged UID or as root. */
4994
4995 if (!c->user)
4996 return true;
4997
4998 if (streq(c->user, "root") || streq(c->user, "0"))
4999 return true;
5000
5001 return false;
5002}
5003
34cf6c43 5004int exec_context_get_effective_ioprio(const ExecContext *c) {
7f452159
LP		 5005 int p;
5006
5007 assert(c);
5008
5009 if (c->ioprio_set)
5010 return c->ioprio;
5011
5012 p = ioprio_get(IOPRIO_WHO_PROCESS, 0);
5013 if (p < 0)
5014 return IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 4);
5015
5016 return p;
5017}
5018
d3070fbd
LP		 5019void exec_context_free_log_extra_fields(ExecContext *c) {
5020 size_t l;
5021
5022 assert(c);
5023
5024 for (l = 0; l < c->n_log_extra_fields; l++)
5025 free(c->log_extra_fields[l].iov_base);
5026 c->log_extra_fields = mfree(c->log_extra_fields);
5027 c->n_log_extra_fields = 0;
5028}
5029
6f765baf
LP		 5030void exec_context_revert_tty(ExecContext *c) {
5031 int r;
5032
5033 assert(c);
5034
5035 /* First, reset the TTY (possibly kicking everybody else from the TTY) */
5036 exec_context_tty_reset(c, NULL);
5037
5038 /* And then undo what chown_terminal() did earlier. Note that we only do this if we have a path
5039 * configured. If the TTY was passed to us as file descriptor we assume the TTY is opened and managed
5040 * by whoever passed it to us and thus knows better when and how to chmod()/chown() it back. */
5041
5042 if (exec_context_may_touch_tty(c)) {
5043 const char *path;
5044
5045 path = exec_context_tty_path(c);
5046 if (path) {
5047 r = chmod_and_chown(path, TTY_MODE, 0, TTY_GID);
5048 if (r < 0 && r != -ENOENT)
5049 log_warning_errno(r, "Failed to reset TTY ownership/access mode of %s, ignoring: %m", path);
5050 }
5051 }
5052}
5053
4c2f5842
LP		 5054int exec_context_get_clean_directories(
5055 ExecContext *c,
5056 char **prefix,
5057 ExecCleanMask mask,
5058 char ***ret) {
5059
5060 _cleanup_strv_free_ char **l = NULL;
5061 ExecDirectoryType t;
5062 int r;
5063
5064 assert(c);
5065 assert(prefix);
5066 assert(ret);
5067
5068 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
5069 char **i;
5070
5071 if (!FLAGS_SET(mask, 1U << t))
5072 continue;
5073
5074 if (!prefix[t])
5075 continue;
5076
5077 STRV_FOREACH(i, c->directories[t].paths) {
5078 char *j;
5079
5080 j = path_join(prefix[t], *i);
5081 if (!j)
5082 return -ENOMEM;
5083
5084 r = strv_consume(&l, j);
5085 if (r < 0)
5086 return r;
7f622a19
YW		 5087
5088 /* Also remove private directories unconditionally. */
5089 if (t != EXEC_DIRECTORY_CONFIGURATION) {
5090 j = path_join(prefix[t], "private", *i);
5091 if (!j)
5092 return -ENOMEM;
5093
5094 r = strv_consume(&l, j);
5095 if (r < 0)
5096 return r;
5097 }
4c2f5842
LP		 5098 }
5099 }
5100
5101 *ret = TAKE_PTR(l);
5102 return 0;
5103}
5104
5105int exec_context_get_clean_mask(ExecContext *c, ExecCleanMask *ret) {
5106 ExecCleanMask mask = 0;
5107
5108 assert(c);
5109 assert(ret);
5110
5111 for (ExecDirectoryType t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++)
5112 if (!strv_isempty(c->directories[t].paths))
5113 mask |= 1U << t;
5114
5115 *ret = mask;
5116 return 0;
5117}
5118
b58b4116 5119void exec_status_start(ExecStatus *s, pid_t pid) {
034c6ed7 5120 assert(s);
5cb5a6ff 5121
2ed26ed0
LP		 5122 *s = (ExecStatus) {
5123 .pid = pid,
5124 };
5125
b58b4116
LP		 5126 dual_timestamp_get(&s->start_timestamp);
5127}
5128
34cf6c43 5129void exec_status_exit(ExecStatus *s, const ExecContext *context, pid_t pid, int code, int status) {
b58b4116
LP		 5130 assert(s);
5131
2ed26ed0
LP		 5132 if (s->pid != pid) {
5133 *s = (ExecStatus) {
5134 .pid = pid,
5135 };
5136 }
b58b4116 5137
63983207 5138 dual_timestamp_get(&s->exit_timestamp);
9fb86720 5139
034c6ed7
LP		 5140 s->code = code;
5141 s->status = status;
169c1bda 5142
6f765baf
LP		 5143 if (context && context->utmp_id)
5144 (void) utmp_put_dead_process(context->utmp_id, pid, code, status);
9fb86720
LP		 5145}
5146
6a1d4d9f
LP		 5147void exec_status_reset(ExecStatus *s) {
5148 assert(s);
5149
5150 *s = (ExecStatus) {};
5151}
5152
34cf6c43 5153void exec_status_dump(const ExecStatus *s, FILE *f, const char *prefix) {
9fb86720
LP		 5154 char buf[FORMAT_TIMESTAMP_MAX];
5155
5156 assert(s);
5157 assert(f);
5158
9fb86720
LP		 5159 if (s->pid <= 0)
5160 return;
5161
4c940960
LP		 5162 prefix = strempty(prefix);
5163
9fb86720 5164 fprintf(f,
ccd06097
ZJS		 5165 "%sPID: "PID_FMT"\n",
5166 prefix, s->pid);
9fb86720 5167
af9d16e1 5168 if (dual_timestamp_is_set(&s->start_timestamp))
9fb86720
LP		 5169 fprintf(f,
5170 "%sStart Timestamp: %s\n",
63983207 5171 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
9fb86720 5172
af9d16e1 5173 if (dual_timestamp_is_set(&s->exit_timestamp))
9fb86720
LP		 5174 fprintf(f,
5175 "%sExit Timestamp: %s\n"
5176 "%sExit Code: %s\n"
5177 "%sExit Status: %i\n",
63983207 5178 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
9fb86720
LP		 5179 prefix, sigchld_code_to_string(s->code),
5180 prefix, s->status);
5cb5a6ff 5181}
44d8db9e 5182
34cf6c43 5183static char *exec_command_line(char **argv) {
44d8db9e
LP		 5184 size_t k;
5185 char *n, *p, **a;
5186 bool first = true;
5187
9e2f7c11 5188 assert(argv);
44d8db9e 5189
9164977d 5190 k = 1;
9e2f7c11 5191 STRV_FOREACH(a, argv)
44d8db9e
LP		 5192 k += strlen(*a)+3;
5193
5cd9cd35
LP		 5194 n = new(char, k);
5195 if (!n)
44d8db9e
LP		 5196 return NULL;
5197
5198 p = n;
9e2f7c11 5199 STRV_FOREACH(a, argv) {
44d8db9e
LP		 5200
5201 if (!first)
5202 *(p++) = ' ';
5203 else
5204 first = false;
5205
5206 if (strpbrk(*a, WHITESPACE)) {
5207 *(p++) = '\'';
5208 p = stpcpy(p, *a);
5209 *(p++) = '\'';
5210 } else
5211 p = stpcpy(p, *a);
5212
5213 }
5214
9164977d
LP		 5215 *p = 0;
5216
44d8db9e
LP		 5217 /* FIXME: this doesn't really handle arguments that have
5218 * spaces and ticks in them */
5219
5220 return n;
5221}
5222
34cf6c43 5223static void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
e1d75803 5224 _cleanup_free_ char *cmd = NULL;
4c940960 5225 const char *prefix2;
44d8db9e
LP		 5226
5227 assert(c);
5228 assert(f);
5229
4c940960 5230 prefix = strempty(prefix);
63c372cb 5231 prefix2 = strjoina(prefix, "\t");
44d8db9e 5232
9e2f7c11 5233 cmd = exec_command_line(c->argv);
44d8db9e
LP		 5234 fprintf(f,
5235 "%sCommand Line: %s\n",
4bbccb02 5236 prefix, cmd ? cmd : strerror_safe(ENOMEM));
44d8db9e 5237
9fb86720 5238 exec_status_dump(&c->exec_status, f, prefix2);
44d8db9e
LP		 5239}
5240
5241void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
5242 assert(f);
5243
4c940960 5244 prefix = strempty(prefix);
44d8db9e
LP		 5245
5246 LIST_FOREACH(command, c, c)
5247 exec_command_dump(c, f, prefix);
5248}
94f04347 5249
a6a80b4f
LP		 5250void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
5251 ExecCommand *end;
5252
5253 assert(l);
5254 assert(e);
5255
5256 if (*l) {
35b8ca3a 5257 /* It's kind of important, that we keep the order here */
71fda00f
LP		 5258 LIST_FIND_TAIL(command, *l, end);
5259 LIST_INSERT_AFTER(command, *l, end, e);
a6a80b4f
LP		 5260 } else
5261 *l = e;
5262}
5263
26fd040d
LP		 5264int exec_command_set(ExecCommand *c, const char *path, ...) {
5265 va_list ap;
5266 char **l, *p;
5267
5268 assert(c);
5269 assert(path);
5270
5271 va_start(ap, path);
5272 l = strv_new_ap(path, ap);
5273 va_end(ap);
5274
5275 if (!l)
5276 return -ENOMEM;
5277
250a918d
LP		 5278 p = strdup(path);
5279 if (!p) {
26fd040d
LP		 5280 strv_free(l);
5281 return -ENOMEM;
5282 }
5283
6897dfe8 5284 free_and_replace(c->path, p);
26fd040d 5285
130d3d22 5286 return strv_free_and_replace(c->argv, l);
26fd040d
LP		 5287}
5288
86b23b07 5289int exec_command_append(ExecCommand *c, const char *path, ...) {
e63ff941 5290 _cleanup_strv_free_ char **l = NULL;
86b23b07 5291 va_list ap;
86b23b07
JS		 5292 int r;
5293
5294 assert(c);
5295 assert(path);
5296
5297 va_start(ap, path);
5298 l = strv_new_ap(path, ap);
5299 va_end(ap);
5300
5301 if (!l)
5302 return -ENOMEM;
5303
e287086b 5304 r = strv_extend_strv(&c->argv, l, false);
e63ff941 5305 if (r < 0)
86b23b07 5306 return r;
86b23b07
JS		 5307
5308 return 0;
5309}
5310
e8a565cb
YW		 5311static void *remove_tmpdir_thread(void *p) {
5312 _cleanup_free_ char *path = p;
86b23b07 5313
e8a565cb
YW		 5314 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
5315 return NULL;
5316}
5317
5318static ExecRuntime* exec_runtime_free(ExecRuntime *rt, bool destroy) {
5319 int r;
5320
5321 if (!rt)
5322 return NULL;
5323
5324 if (rt->manager)
5325 (void) hashmap_remove(rt->manager->exec_runtime_by_id, rt->id);
5326
5327 /* When destroy is true, then rm_rf tmp_dir and var_tmp_dir. */
5328 if (destroy && rt->tmp_dir) {
5329 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
5330
5331 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
5332 if (r < 0) {
5333 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
5334 free(rt->tmp_dir);
5335 }
5336
5337 rt->tmp_dir = NULL;
5338 }
613b411c 5339
e8a565cb
YW		 5340 if (destroy && rt->var_tmp_dir) {
5341 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
5342
5343 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
5344 if (r < 0) {
5345 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
5346 free(rt->var_tmp_dir);
5347 }
5348
5349 rt->var_tmp_dir = NULL;
5350 }
5351
5352 rt->id = mfree(rt->id);
5353 rt->tmp_dir = mfree(rt->tmp_dir);
5354 rt->var_tmp_dir = mfree(rt->var_tmp_dir);
5355 safe_close_pair(rt->netns_storage_socket);
5356 return mfree(rt);
5357}
5358
5359static void exec_runtime_freep(ExecRuntime **rt) {
da6bc6ed 5360 (void) exec_runtime_free(*rt, false);
e8a565cb
YW		 5361}
5362
8e8009dc
LP		 5363static int exec_runtime_allocate(ExecRuntime **ret) {
5364 ExecRuntime *n;
613b411c 5365
8e8009dc 5366 assert(ret);
613b411c 5367
8e8009dc
LP		 5368 n = new(ExecRuntime, 1);
5369 if (!n)
613b411c
LP		 5370 return -ENOMEM;
5371
8e8009dc
LP		 5372 *n = (ExecRuntime) {
5373 .netns_storage_socket = { -1, -1 },
5374 };
5375
5376 *ret = n;
613b411c
LP		 5377 return 0;
5378}
5379
e8a565cb
YW		 5380static int exec_runtime_add(
5381 Manager *m,
5382 const char *id,
5383 const char *tmp_dir,
5384 const char *var_tmp_dir,
5385 const int netns_storage_socket[2],
5386 ExecRuntime **ret) {
5387
5388 _cleanup_(exec_runtime_freep) ExecRuntime *rt = NULL;
613b411c
LP		 5389 int r;
5390
e8a565cb 5391 assert(m);
613b411c
LP		 5392 assert(id);
5393
e8a565cb
YW		 5394 r = hashmap_ensure_allocated(&m->exec_runtime_by_id, &string_hash_ops);
5395 if (r < 0)
5396 return r;
613b411c 5397
e8a565cb 5398 r = exec_runtime_allocate(&rt);
613b411c
LP		 5399 if (r < 0)
5400 return r;
5401
e8a565cb
YW		 5402 rt->id = strdup(id);
5403 if (!rt->id)
5404 return -ENOMEM;
5405
5406 if (tmp_dir) {
5407 rt->tmp_dir = strdup(tmp_dir);
5408 if (!rt->tmp_dir)
5409 return -ENOMEM;
5410
5411 /* When tmp_dir is set, then we require var_tmp_dir is also set. */
5412 assert(var_tmp_dir);
5413 rt->var_tmp_dir = strdup(var_tmp_dir);
5414 if (!rt->var_tmp_dir)
5415 return -ENOMEM;
5416 }
5417
5418 if (netns_storage_socket) {
5419 rt->netns_storage_socket[0] = netns_storage_socket[0];
5420 rt->netns_storage_socket[1] = netns_storage_socket[1];
613b411c
LP		 5421 }
5422
e8a565cb
YW		 5423 r = hashmap_put(m->exec_runtime_by_id, rt->id, rt);
5424 if (r < 0)
5425 return r;
5426
5427 rt->manager = m;
5428
5429 if (ret)
5430 *ret = rt;
5431
5432 /* do not remove created ExecRuntime object when the operation succeeds. */
5433 rt = NULL;
5434 return 0;
5435}
5436
5437static int exec_runtime_make(Manager *m, const ExecContext *c, const char *id, ExecRuntime **ret) {
5438 _cleanup_free_ char *tmp_dir = NULL, *var_tmp_dir = NULL;
2fa3742d 5439 _cleanup_close_pair_ int netns_storage_socket[2] = { -1, -1 };
e8a565cb
YW		 5440 int r;
5441
5442 assert(m);
5443 assert(c);
5444 assert(id);
5445
5446 /* It is not necessary to create ExecRuntime object. */
a8d08f39 5447 if (!c->private_network && !c->private_tmp && !c->network_namespace_path)
e8a565cb
YW		 5448 return 0;
5449
efa2f3a1
TM		 5450 if (c->private_tmp &&
5451 !(prefixed_path_strv_contains(c->inaccessible_paths, "/tmp") &&
5452 (prefixed_path_strv_contains(c->inaccessible_paths, "/var/tmp") ||
5453 prefixed_path_strv_contains(c->inaccessible_paths, "/var")))) {
e8a565cb 5454 r = setup_tmp_dirs(id, &tmp_dir, &var_tmp_dir);
613b411c
LP		 5455 if (r < 0)
5456 return r;
5457 }
5458
a8d08f39 5459 if (c->private_network || c->network_namespace_path) {
e8a565cb
YW		 5460 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, netns_storage_socket) < 0)
5461 return -errno;
5462 }
5463
5464 r = exec_runtime_add(m, id, tmp_dir, var_tmp_dir, netns_storage_socket, ret);
5465 if (r < 0)
5466 return r;
5467
5468 /* Avoid cleanup */
2fa3742d 5469 netns_storage_socket[0] = netns_storage_socket[1] = -1;
613b411c
LP		 5470 return 1;
5471}
5472
e8a565cb
YW		 5473int exec_runtime_acquire(Manager *m, const ExecContext *c, const char *id, bool create, ExecRuntime **ret) {
5474 ExecRuntime *rt;
5475 int r;
613b411c 5476
e8a565cb
YW		 5477 assert(m);
5478 assert(id);
5479 assert(ret);
5480
5481 rt = hashmap_get(m->exec_runtime_by_id, id);
5482 if (rt)
5483 /* We already have a ExecRuntime object, let's increase the ref count and reuse it */
5484 goto ref;
5485
5486 if (!create)
5487 return 0;
5488
5489 /* If not found, then create a new object. */
5490 r = exec_runtime_make(m, c, id, &rt);
5491 if (r <= 0)
5492 /* When r == 0, it is not necessary to create ExecRuntime object. */
5493 return r;
613b411c 5494
e8a565cb
YW		 5495ref:
5496 /* increment reference counter. */
5497 rt->n_ref++;
5498 *ret = rt;
5499 return 1;
5500}
613b411c 5501
e8a565cb
YW		 5502ExecRuntime *exec_runtime_unref(ExecRuntime *rt, bool destroy) {
5503 if (!rt)
613b411c
LP		 5504 return NULL;
5505
e8a565cb 5506 assert(rt->n_ref > 0);
613b411c 5507
e8a565cb
YW		 5508 rt->n_ref--;
5509 if (rt->n_ref > 0)
f2341e0a
LP		 5510 return NULL;
5511
e8a565cb 5512 return exec_runtime_free(rt, destroy);
613b411c
LP		 5513}
5514
e8a565cb
YW		 5515int exec_runtime_serialize(const Manager *m, FILE *f, FDSet *fds) {
5516 ExecRuntime *rt;
5517 Iterator i;
5518
5519 assert(m);
613b411c
LP		 5520 assert(f);
5521 assert(fds);
5522
e8a565cb
YW		 5523 HASHMAP_FOREACH(rt, m->exec_runtime_by_id, i) {
5524 fprintf(f, "exec-runtime=%s", rt->id);
613b411c 5525
e8a565cb
YW		 5526 if (rt->tmp_dir)
5527 fprintf(f, " tmp-dir=%s", rt->tmp_dir);
613b411c 5528
e8a565cb
YW		 5529 if (rt->var_tmp_dir)
5530 fprintf(f, " var-tmp-dir=%s", rt->var_tmp_dir);
613b411c 5531
e8a565cb
YW		 5532 if (rt->netns_storage_socket[0] >= 0) {
5533 int copy;
613b411c 5534
e8a565cb
YW		 5535 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
5536 if (copy < 0)
5537 return copy;
613b411c 5538
e8a565cb
YW		 5539 fprintf(f, " netns-socket-0=%i", copy);
5540 }
613b411c 5541
e8a565cb
YW		 5542 if (rt->netns_storage_socket[1] >= 0) {
5543 int copy;
613b411c 5544
e8a565cb
YW		 5545 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
5546 if (copy < 0)
5547 return copy;
613b411c 5548
e8a565cb
YW		 5549 fprintf(f, " netns-socket-1=%i", copy);
5550 }
5551
5552 fputc('\n', f);
613b411c
LP		 5553 }
5554
5555 return 0;
5556}
5557
e8a565cb
YW		 5558int exec_runtime_deserialize_compat(Unit *u, const char *key, const char *value, FDSet *fds) {
5559 _cleanup_(exec_runtime_freep) ExecRuntime *rt_create = NULL;
5560 ExecRuntime *rt;
613b411c
LP		 5561 int r;
5562
e8a565cb
YW		 5563 /* This is for the migration from old (v237 or earlier) deserialization text.
5564 * Due to the bug #7790, this may not work with the units that use JoinsNamespaceOf=.
5565 * Even if the ExecRuntime object originally created by the other unit, we cannot judge
5566 * so or not from the serialized text, then we always creates a new object owned by this. */
5567
5568 assert(u);
613b411c
LP		 5569 assert(key);
5570 assert(value);
5571
e8a565cb
YW		 5572 /* Manager manages ExecRuntime objects by the unit id.
5573 * So, we omit the serialized text when the unit does not have id (yet?)... */
5574 if (isempty(u->id)) {
5575 log_unit_debug(u, "Invocation ID not found. Dropping runtime parameter.");
5576 return 0;
5577 }
613b411c 5578
e8a565cb
YW		 5579 r = hashmap_ensure_allocated(&u->manager->exec_runtime_by_id, &string_hash_ops);
5580 if (r < 0) {
5581 log_unit_debug_errno(u, r, "Failed to allocate storage for runtime parameter: %m");
5582 return 0;
5583 }
5584
5585 rt = hashmap_get(u->manager->exec_runtime_by_id, u->id);
5586 if (!rt) {
5587 r = exec_runtime_allocate(&rt_create);
613b411c 5588 if (r < 0)
f2341e0a 5589 return log_oom();
613b411c 5590
e8a565cb
YW		 5591 rt_create->id = strdup(u->id);
5592 if (!rt_create->id)
5593 return log_oom();
5594
5595 rt = rt_create;
5596 }
5597
5598 if (streq(key, "tmp-dir")) {
5599 char *copy;
5600
613b411c
LP		 5601 copy = strdup(value);
5602 if (!copy)
5603 return log_oom();
5604
e8a565cb 5605 free_and_replace(rt->tmp_dir, copy);
613b411c
LP		 5606
5607 } else if (streq(key, "var-tmp-dir")) {
5608 char *copy;
5609
613b411c
LP		 5610 copy = strdup(value);
5611 if (!copy)
5612 return log_oom();
5613
e8a565cb 5614 free_and_replace(rt->var_tmp_dir, copy);
613b411c
LP		 5615
5616 } else if (streq(key, "netns-socket-0")) {
5617 int fd;
5618
e8a565cb 5619 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd)) {
f2341e0a 5620 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
e8a565cb 5621 return 0;
613b411c 5622 }
e8a565cb
YW		 5623
5624 safe_close(rt->netns_storage_socket[0]);
5625 rt->netns_storage_socket[0] = fdset_remove(fds, fd);
5626
613b411c
LP		 5627 } else if (streq(key, "netns-socket-1")) {
5628 int fd;
5629
e8a565cb 5630 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd)) {
f2341e0a 5631 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
e8a565cb 5632 return 0;
613b411c 5633 }
e8a565cb
YW		 5634
5635 safe_close(rt->netns_storage_socket[1]);
5636 rt->netns_storage_socket[1] = fdset_remove(fds, fd);
613b411c
LP		 5637 } else
5638 return 0;
5639
e8a565cb
YW		 5640 /* If the object is newly created, then put it to the hashmap which manages ExecRuntime objects. */
5641 if (rt_create) {
5642 r = hashmap_put(u->manager->exec_runtime_by_id, rt_create->id, rt_create);
5643 if (r < 0) {
3fe91079 5644 log_unit_debug_errno(u, r, "Failed to put runtime parameter to manager's storage: %m");
e8a565cb
YW		 5645 return 0;
5646 }
613b411c 5647
e8a565cb 5648 rt_create->manager = u->manager;
613b411c 5649
e8a565cb
YW		 5650 /* Avoid cleanup */
5651 rt_create = NULL;
5652 }
98b47d54 5653
e8a565cb
YW		 5654 return 1;
5655}
613b411c 5656
e8a565cb
YW		 5657void exec_runtime_deserialize_one(Manager *m, const char *value, FDSet *fds) {
5658 char *id = NULL, *tmp_dir = NULL, *var_tmp_dir = NULL;
5659 int r, fd0 = -1, fd1 = -1;
5660 const char *p, *v = value;
5661 size_t n;
613b411c 5662
e8a565cb
YW		 5663 assert(m);
5664 assert(value);
5665 assert(fds);
98b47d54 5666
e8a565cb
YW		 5667 n = strcspn(v, " ");
5668 id = strndupa(v, n);
5669 if (v[n] != ' ')
5670 goto finalize;
5671 p = v + n + 1;
5672
5673 v = startswith(p, "tmp-dir=");
5674 if (v) {
5675 n = strcspn(v, " ");
5676 tmp_dir = strndupa(v, n);
5677 if (v[n] != ' ')
5678 goto finalize;
5679 p = v + n + 1;
5680 }
5681
5682 v = startswith(p, "var-tmp-dir=");
5683 if (v) {
5684 n = strcspn(v, " ");
5685 var_tmp_dir = strndupa(v, n);
5686 if (v[n] != ' ')
5687 goto finalize;
5688 p = v + n + 1;
5689 }
5690
5691 v = startswith(p, "netns-socket-0=");
5692 if (v) {
5693 char *buf;
5694
5695 n = strcspn(v, " ");
5696 buf = strndupa(v, n);
5697 if (safe_atoi(buf, &fd0) < 0 || !fdset_contains(fds, fd0)) {
5698 log_debug("Unable to process exec-runtime netns fd specification.");
5699 return;
98b47d54 5700 }
e8a565cb
YW		 5701 fd0 = fdset_remove(fds, fd0);
5702 if (v[n] != ' ')
5703 goto finalize;
5704 p = v + n + 1;
613b411c
LP		 5705 }
5706
e8a565cb
YW		 5707 v = startswith(p, "netns-socket-1=");
5708 if (v) {
5709 char *buf;
98b47d54 5710
e8a565cb
YW		 5711 n = strcspn(v, " ");
5712 buf = strndupa(v, n);
5713 if (safe_atoi(buf, &fd1) < 0 || !fdset_contains(fds, fd1)) {
5714 log_debug("Unable to process exec-runtime netns fd specification.");
5715 return;
98b47d54 5716 }
e8a565cb
YW		 5717 fd1 = fdset_remove(fds, fd1);
5718 }
98b47d54 5719
e8a565cb
YW		 5720finalize:
5721
5722 r = exec_runtime_add(m, id, tmp_dir, var_tmp_dir, (int[]) { fd0, fd1 }, NULL);
7d853ca6 5723 if (r < 0)
e8a565cb 5724 log_debug_errno(r, "Failed to add exec-runtime: %m");
e8a565cb 5725}
613b411c 5726
e8a565cb
YW		 5727void exec_runtime_vacuum(Manager *m) {
5728 ExecRuntime *rt;
5729 Iterator i;
5730
5731 assert(m);
5732
5733 /* Free unreferenced ExecRuntime objects. This is used after manager deserialization process. */
5734
5735 HASHMAP_FOREACH(rt, m->exec_runtime_by_id, i) {
5736 if (rt->n_ref > 0)
5737 continue;
5738
5739 (void) exec_runtime_free(rt, false);
5740 }
613b411c
LP		 5741}
5742
b9c04eaf
YW		 5743void exec_params_clear(ExecParameters *p) {
5744 if (!p)
5745 return;
5746
5747 strv_free(p->environment);
5748}
5749
80876c20
LP		 5750static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
5751 [EXEC_INPUT_NULL] = "null",
5752 [EXEC_INPUT_TTY] = "tty",
5753 [EXEC_INPUT_TTY_FORCE] = "tty-force",
4f2d528d 5754 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
52c239d7
LB		 5755 [EXEC_INPUT_SOCKET] = "socket",
5756 [EXEC_INPUT_NAMED_FD] = "fd",
08f3be7a 5757 [EXEC_INPUT_DATA] = "data",
2038c3f5 5758 [EXEC_INPUT_FILE] = "file",
80876c20
LP		 5759};
5760
8a0867d6
LP		 5761DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
5762
94f04347 5763static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
80876c20 5764 [EXEC_OUTPUT_INHERIT] = "inherit",
94f04347 5765 [EXEC_OUTPUT_NULL] = "null",
80876c20 5766 [EXEC_OUTPUT_TTY] = "tty",
94f04347 5767 [EXEC_OUTPUT_SYSLOG] = "syslog",
28dbc1e8 5768 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
9a6bca7a 5769 [EXEC_OUTPUT_KMSG] = "kmsg",
28dbc1e8 5770 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
706343f4
LP		 5771 [EXEC_OUTPUT_JOURNAL] = "journal",
5772 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
52c239d7
LB		 5773 [EXEC_OUTPUT_SOCKET] = "socket",
5774 [EXEC_OUTPUT_NAMED_FD] = "fd",
2038c3f5 5775 [EXEC_OUTPUT_FILE] = "file",
566b7d23 5776 [EXEC_OUTPUT_FILE_APPEND] = "append",
94f04347
LP		 5777};
5778
5779DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
023a4f67
LP		 5780
5781static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
5782 [EXEC_UTMP_INIT] = "init",
5783 [EXEC_UTMP_LOGIN] = "login",
5784 [EXEC_UTMP_USER] = "user",
5785};
5786
5787DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
53f47dfc
YW		 5788
5789static const char* const exec_preserve_mode_table[_EXEC_PRESERVE_MODE_MAX] = {
5790 [EXEC_PRESERVE_NO] = "no",
5791 [EXEC_PRESERVE_YES] = "yes",
5792 [EXEC_PRESERVE_RESTART] = "restart",
5793};
5794
5795DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(exec_preserve_mode, ExecPreserveMode, EXEC_PRESERVE_YES);
3536f49e 5796
6b7b2ed9 5797/* This table maps ExecDirectoryType to the setting it is configured with in the unit */
72fd1768 5798static const char* const exec_directory_type_table[_EXEC_DIRECTORY_TYPE_MAX] = {
3536f49e
YW		 5799 [EXEC_DIRECTORY_RUNTIME] = "RuntimeDirectory",
5800 [EXEC_DIRECTORY_STATE] = "StateDirectory",
5801 [EXEC_DIRECTORY_CACHE] = "CacheDirectory",
5802 [EXEC_DIRECTORY_LOGS] = "LogsDirectory",
5803 [EXEC_DIRECTORY_CONFIGURATION] = "ConfigurationDirectory",
5804};
5805
5806DEFINE_STRING_TABLE_LOOKUP(exec_directory_type, ExecDirectoryType);
b1edf445 5807
6b7b2ed9
LP		 5808/* And this table maps ExecDirectoryType too, but to a generic term identifying the type of resource. This
5809 * one is supposed to be generic enough to be used for unit types that don't use ExecContext and per-unit
5810 * directories, specifically .timer units with their timestamp touch file. */
5811static const char* const exec_resource_type_table[_EXEC_DIRECTORY_TYPE_MAX] = {
5812 [EXEC_DIRECTORY_RUNTIME] = "runtime",
5813 [EXEC_DIRECTORY_STATE] = "state",
5814 [EXEC_DIRECTORY_CACHE] = "cache",
5815 [EXEC_DIRECTORY_LOGS] = "logs",
5816 [EXEC_DIRECTORY_CONFIGURATION] = "configuration",
5817};
5818
5819DEFINE_STRING_TABLE_LOOKUP(exec_resource_type, ExecDirectoryType);
5820
5821/* And this table also maps ExecDirectoryType, to the environment variable we pass the selected directory to
5822 * the service payload in. */
fb2042dd
YW		 5823static const char* const exec_directory_env_name_table[_EXEC_DIRECTORY_TYPE_MAX] = {
5824 [EXEC_DIRECTORY_RUNTIME] = "RUNTIME_DIRECTORY",
5825 [EXEC_DIRECTORY_STATE] = "STATE_DIRECTORY",
5826 [EXEC_DIRECTORY_CACHE] = "CACHE_DIRECTORY",
5827 [EXEC_DIRECTORY_LOGS] = "LOGS_DIRECTORY",
5828 [EXEC_DIRECTORY_CONFIGURATION] = "CONFIGURATION_DIRECTORY",
5829};
5830
5831DEFINE_PRIVATE_STRING_TABLE_LOOKUP_TO_STRING(exec_directory_env_name, ExecDirectoryType);
5832
b1edf445
LP		 5833static const char* const exec_keyring_mode_table[_EXEC_KEYRING_MODE_MAX] = {
5834 [EXEC_KEYRING_INHERIT] = "inherit",
5835 [EXEC_KEYRING_PRIVATE] = "private",
5836 [EXEC_KEYRING_SHARED] = "shared",
5837};
5838
5839DEFINE_STRING_TABLE_LOOKUP(exec_keyring_mode, ExecKeyringMode);
Unnamed repository; edit this file 'description' to name the repository.