]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/core/execute.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
core: move apply working directory code into its own apply_working_directory()
[thirdparty/systemd.git] / src / core / execute.c
CommitLineData
a7334b09
LP		 1/***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
5430f7f2
LP		 7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
a7334b09
LP		 9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2 14 Lesser General Public License for more details.
a7334b09 15
5430f7f2 16 You should have received a copy of the GNU Lesser General Public License
a7334b09
LP		 17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18***/
19
034c6ed7
LP		 20#include <errno.h>
21#include <fcntl.h>
8dd4c05b
LP		 22#include <glob.h>
23#include <grp.h>
24#include <poll.h>
309bff19 25#include <signal.h>
8dd4c05b 26#include <string.h>
19c0b0b9 27#include <sys/capability.h>
d251207d 28#include <sys/eventfd.h>
f3e43635 29#include <sys/mman.h>
8dd4c05b 30#include <sys/personality.h>
94f04347 31#include <sys/prctl.h>
8dd4c05b 32#include <sys/socket.h>
451a074f 33#include <sys/stat.h>
8dd4c05b
LP		 34#include <sys/un.h>
35#include <unistd.h>
023a4f67 36#include <utmpx.h>
5cb5a6ff 37
5b6319dc
LP		 38#ifdef HAVE_PAM
39#include <security/pam_appl.h>
40#endif
41
7b52a628
MS		 42#ifdef HAVE_SELINUX
43#include <selinux/selinux.h>
44#endif
45
17df7223
LP		 46#ifdef HAVE_SECCOMP
47#include <seccomp.h>
48#endif
49
eef65bf3
MS		 50#ifdef HAVE_APPARMOR
51#include <sys/apparmor.h>
52#endif
53
24882e06 54#include "sd-messages.h"
8dd4c05b
LP		 55
56#include "af-list.h"
b5efdb8a 57#include "alloc-util.h"
3ffd4af2
LP		 58#ifdef HAVE_APPARMOR
59#include "apparmor-util.h"
60#endif
8dd4c05b
LP		 61#include "async.h"
62#include "barrier.h"
8dd4c05b 63#include "cap-list.h"
430f0182 64#include "capability-util.h"
f6a6225e 65#include "def.h"
4d1a6904 66#include "env-util.h"
17df7223 67#include "errno-list.h"
3ffd4af2 68#include "execute.h"
8dd4c05b 69#include "exit-status.h"
3ffd4af2 70#include "fd-util.h"
8dd4c05b 71#include "fileio.h"
6482f626 72#include "formats-util.h"
f4f15635 73#include "fs-util.h"
7d50b32a 74#include "glob-util.h"
c004493c 75#include "io-util.h"
8dd4c05b
LP		 76#include "ioprio.h"
77#include "log.h"
78#include "macro.h"
79#include "missing.h"
80#include "mkdir.h"
81#include "namespace.h"
6bedfcbb 82#include "parse-util.h"
8dd4c05b 83#include "path-util.h"
0b452006 84#include "process-util.h"
78f22b97 85#include "rlimit-util.h"
8dd4c05b 86#include "rm-rf.h"
3ffd4af2
LP		 87#ifdef HAVE_SECCOMP
88#include "seccomp-util.h"
89#endif
8dd4c05b
LP		 90#include "securebits.h"
91#include "selinux-util.h"
24882e06 92#include "signal-util.h"
8dd4c05b 93#include "smack-util.h"
fd63e712 94#include "special.h"
8b43440b 95#include "string-table.h"
07630cea 96#include "string-util.h"
8dd4c05b 97#include "strv.h"
7ccbd1ae 98#include "syslog-util.h"
8dd4c05b
LP		 99#include "terminal-util.h"
100#include "unit.h"
b1d4f8e1 101#include "user-util.h"
8dd4c05b
LP		 102#include "util.h"
103#include "utmp-wtmp.h"
5cb5a6ff 104
e056b01d 105#define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
31a7eb86 106#define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
e6a26745 107
02a51aba
LP		 108/* This assumes there is a 'tty' group */
109#define TTY_MODE 0620
110
531dca78
LP		 111#define SNDBUF_SIZE (8*1024*1024)
112
034c6ed7
LP		 113static int shift_fds(int fds[], unsigned n_fds) {
114 int start, restart_from;
115
116 if (n_fds <= 0)
117 return 0;
118
a0d40ac5
LP		 119 /* Modifies the fds array! (sorts it) */
120
034c6ed7
LP		 121 assert(fds);
122
123 start = 0;
124 for (;;) {
125 int i;
126
127 restart_from = -1;
128
129 for (i = start; i < (int) n_fds; i++) {
130 int nfd;
131
132 /* Already at right index? */
133 if (fds[i] == i+3)
134 continue;
135
3cc2aff1
LP		 136 nfd = fcntl(fds[i], F_DUPFD, i + 3);
137 if (nfd < 0)
034c6ed7
LP		 138 return -errno;
139
03e334a1 140 safe_close(fds[i]);
034c6ed7
LP		 141 fds[i] = nfd;
142
143 /* Hmm, the fd we wanted isn't free? Then
ee33e53a 144 * let's remember that and try again from here */
034c6ed7
LP		 145 if (nfd != i+3 && restart_from < 0)
146 restart_from = i;
147 }
148
149 if (restart_from < 0)
150 break;
151
152 start = restart_from;
153 }
154
155 return 0;
156}
157
c2748801 158static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
47a71eed 159 unsigned i;
e2c76839 160 int r;
47a71eed
LP		 161
162 if (n_fds <= 0)
163 return 0;
164
165 assert(fds);
166
451a074f 167 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
47a71eed
LP		 168
169 for (i = 0; i < n_fds; i++) {
47a71eed 170
3cc2aff1
LP		 171 r = fd_nonblock(fds[i], nonblock);
172 if (r < 0)
e2c76839 173 return r;
47a71eed 174
451a074f
LP		 175 /* We unconditionally drop FD_CLOEXEC from the fds,
176 * since after all we want to pass these fds to our
177 * children */
47a71eed 178
3cc2aff1
LP		 179 r = fd_cloexec(fds[i], false);
180 if (r < 0)
e2c76839 181 return r;
47a71eed
LP		 182 }
183
184 return 0;
185}
186
1e22b5cd 187static const char *exec_context_tty_path(const ExecContext *context) {
80876c20
LP		 188 assert(context);
189
1e22b5cd
LP		 190 if (context->stdio_as_fds)
191 return NULL;
192
80876c20
LP		 193 if (context->tty_path)
194 return context->tty_path;
195
196 return "/dev/console";
197}
198
1e22b5cd
LP		 199static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
200 const char *path;
201
6ea832a2
LP		 202 assert(context);
203
1e22b5cd 204 path = exec_context_tty_path(context);
6ea832a2 205
1e22b5cd
LP		 206 if (context->tty_vhangup) {
207 if (p && p->stdin_fd >= 0)
208 (void) terminal_vhangup_fd(p->stdin_fd);
209 else if (path)
210 (void) terminal_vhangup(path);
211 }
6ea832a2 212
1e22b5cd
LP		 213 if (context->tty_reset) {
214 if (p && p->stdin_fd >= 0)
215 (void) reset_terminal_fd(p->stdin_fd, true);
216 else if (path)
217 (void) reset_terminal(path);
218 }
219
220 if (context->tty_vt_disallocate && path)
221 (void) vt_disallocate(path);
6ea832a2
LP		 222}
223
6af760f3
LP		 224static bool is_terminal_input(ExecInput i) {
225 return IN_SET(i,
226 EXEC_INPUT_TTY,
227 EXEC_INPUT_TTY_FORCE,
228 EXEC_INPUT_TTY_FAIL);
229}
230
3a1286b6 231static bool is_terminal_output(ExecOutput o) {
6af760f3
LP		 232 return IN_SET(o,
233 EXEC_OUTPUT_TTY,
234 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
235 EXEC_OUTPUT_KMSG_AND_CONSOLE,
236 EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
237}
238
239static bool exec_context_needs_term(const ExecContext *c) {
240 assert(c);
241
242 /* Return true if the execution context suggests we should set $TERM to something useful. */
243
244 if (is_terminal_input(c->std_input))
245 return true;
246
247 if (is_terminal_output(c->std_output))
248 return true;
249
250 if (is_terminal_output(c->std_error))
251 return true;
252
253 return !!c->tty_path;
3a1286b6
MS		 254}
255
80876c20
LP		 256static int open_null_as(int flags, int nfd) {
257 int fd, r;
071830ff 258
80876c20 259 assert(nfd >= 0);
071830ff 260
613b411c
LP		 261 fd = open("/dev/null", flags|O_NOCTTY);
262 if (fd < 0)
071830ff
LP		 263 return -errno;
264
80876c20
LP		 265 if (fd != nfd) {
266 r = dup2(fd, nfd) < 0 ? -errno : nfd;
03e334a1 267 safe_close(fd);
80876c20
LP		 268 } else
269 r = nfd;
071830ff 270
80876c20 271 return r;
071830ff
LP		 272}
273
524daa8c 274static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
b92bea5d
ZJS		 275 union sockaddr_union sa = {
276 .un.sun_family = AF_UNIX,
277 .un.sun_path = "/run/systemd/journal/stdout",
278 };
524daa8c
ZJS		 279 uid_t olduid = UID_INVALID;
280 gid_t oldgid = GID_INVALID;
281 int r;
282
283 if (gid != GID_INVALID) {
284 oldgid = getgid();
285
286 r = setegid(gid);
287 if (r < 0)
288 return -errno;
289 }
290
291 if (uid != UID_INVALID) {
292 olduid = getuid();
293
294 r = seteuid(uid);
295 if (r < 0) {
296 r = -errno;
297 goto restore_gid;
298 }
299 }
300
fc2fffe7 301 r = connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
524daa8c
ZJS		 302 if (r < 0)
303 r = -errno;
304
305 /* If we fail to restore the uid or gid, things will likely
306 fail later on. This should only happen if an LSM interferes. */
307
308 if (uid != UID_INVALID)
309 (void) seteuid(olduid);
310
311 restore_gid:
312 if (gid != GID_INVALID)
313 (void) setegid(oldgid);
314
315 return r;
316}
317
fd1f9c89 318static int connect_logger_as(
7a1ab780 319 Unit *unit,
fd1f9c89
LP		 320 const ExecContext *context,
321 ExecOutput output,
322 const char *ident,
fd1f9c89
LP		 323 int nfd,
324 uid_t uid,
325 gid_t gid) {
326
524daa8c 327 int fd, r;
071830ff
LP		 328
329 assert(context);
80876c20
LP		 330 assert(output < _EXEC_OUTPUT_MAX);
331 assert(ident);
332 assert(nfd >= 0);
071830ff 333
54fe0cdb
LP		 334 fd = socket(AF_UNIX, SOCK_STREAM, 0);
335 if (fd < 0)
80876c20 336 return -errno;
071830ff 337
524daa8c
ZJS		 338 r = connect_journal_socket(fd, uid, gid);
339 if (r < 0)
340 return r;
071830ff 341
80876c20 342 if (shutdown(fd, SHUT_RD) < 0) {
03e334a1 343 safe_close(fd);
80876c20
LP		 344 return -errno;
345 }
071830ff 346
fd1f9c89 347 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
531dca78 348
80876c20 349 dprintf(fd,
62bca2c6 350 "%s\n"
80876c20
LP		 351 "%s\n"
352 "%i\n"
54fe0cdb
LP		 353 "%i\n"
354 "%i\n"
355 "%i\n"
4f4a1dbf 356 "%i\n",
4f4a1dbf 357 context->syslog_identifier ? context->syslog_identifier : ident,
7a1ab780 358 unit->id,
54fe0cdb
LP		 359 context->syslog_priority,
360 !!context->syslog_level_prefix,
361 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
362 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
3a1286b6 363 is_terminal_output(output));
80876c20 364
fd1f9c89
LP		 365 if (fd == nfd)
366 return nfd;
367
368 r = dup2(fd, nfd) < 0 ? -errno : nfd;
369 safe_close(fd);
071830ff 370
80876c20
LP		 371 return r;
372}
373static int open_terminal_as(const char *path, mode_t mode, int nfd) {
374 int fd, r;
071830ff 375
80876c20
LP		 376 assert(path);
377 assert(nfd >= 0);
071830ff 378
3cc2aff1
LP		 379 fd = open_terminal(path, mode | O_NOCTTY);
380 if (fd < 0)
80876c20 381 return fd;
071830ff 382
80876c20
LP		 383 if (fd != nfd) {
384 r = dup2(fd, nfd) < 0 ? -errno : nfd;
03e334a1 385 safe_close(fd);
80876c20
LP		 386 } else
387 r = nfd;
071830ff 388
80876c20
LP		 389 return r;
390}
071830ff 391
1e3ad081
LP		 392static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
393
394 if (is_terminal_input(std_input) && !apply_tty_stdin)
395 return EXEC_INPUT_NULL;
071830ff 396
03fd9c49 397 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 398 return EXEC_INPUT_NULL;
399
03fd9c49 400 return std_input;
4f2d528d
LP		 401}
402
03fd9c49 403static int fixup_output(ExecOutput std_output, int socket_fd) {
4f2d528d 404
03fd9c49 405 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 406 return EXEC_OUTPUT_INHERIT;
407
03fd9c49 408 return std_output;
4f2d528d
LP		 409}
410
a34ceba6
LP		 411static int setup_input(
412 const ExecContext *context,
413 const ExecParameters *params,
52c239d7
LB		 414 int socket_fd,
415 int named_iofds[3]) {
a34ceba6 416
4f2d528d
LP		 417 ExecInput i;
418
419 assert(context);
a34ceba6
LP		 420 assert(params);
421
422 if (params->stdin_fd >= 0) {
423 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
424 return -errno;
425
426 /* Try to make this the controlling tty, if it is a tty, and reset it */
427 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
428 (void) reset_terminal_fd(STDIN_FILENO, true);
429
430 return STDIN_FILENO;
431 }
4f2d528d 432
c39f1ce2 433 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
4f2d528d
LP		 434
435 switch (i) {
071830ff 436
80876c20
LP		 437 case EXEC_INPUT_NULL:
438 return open_null_as(O_RDONLY, STDIN_FILENO);
439
440 case EXEC_INPUT_TTY:
441 case EXEC_INPUT_TTY_FORCE:
442 case EXEC_INPUT_TTY_FAIL: {
443 int fd, r;
071830ff 444
1e22b5cd 445 fd = acquire_terminal(exec_context_tty_path(context),
970edce6
ZJS		 446 i == EXEC_INPUT_TTY_FAIL,
447 i == EXEC_INPUT_TTY_FORCE,
448 false,
3a43da28 449 USEC_INFINITY);
970edce6 450 if (fd < 0)
80876c20
LP		 451 return fd;
452
453 if (fd != STDIN_FILENO) {
454 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
03e334a1 455 safe_close(fd);
80876c20
LP		 456 } else
457 r = STDIN_FILENO;
458
459 return r;
460 }
461
4f2d528d
LP		 462 case EXEC_INPUT_SOCKET:
463 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
464
52c239d7
LB		 465 case EXEC_INPUT_NAMED_FD:
466 (void) fd_nonblock(named_iofds[STDIN_FILENO], false);
467 return dup2(named_iofds[STDIN_FILENO], STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
468
80876c20
LP		 469 default:
470 assert_not_reached("Unknown input type");
471 }
472}
473
a34ceba6
LP		 474static int setup_output(
475 Unit *unit,
476 const ExecContext *context,
477 const ExecParameters *params,
478 int fileno,
479 int socket_fd,
52c239d7 480 int named_iofds[3],
a34ceba6 481 const char *ident,
7bce046b
LP		 482 uid_t uid,
483 gid_t gid,
484 dev_t *journal_stream_dev,
485 ino_t *journal_stream_ino) {
a34ceba6 486
4f2d528d
LP		 487 ExecOutput o;
488 ExecInput i;
47c1d80d 489 int r;
4f2d528d 490
f2341e0a 491 assert(unit);
80876c20 492 assert(context);
a34ceba6 493 assert(params);
80876c20 494 assert(ident);
7bce046b
LP		 495 assert(journal_stream_dev);
496 assert(journal_stream_ino);
80876c20 497
a34ceba6
LP		 498 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
499
500 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
501 return -errno;
502
503 return STDOUT_FILENO;
504 }
505
506 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
507 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
508 return -errno;
509
510 return STDERR_FILENO;
511 }
512
c39f1ce2 513 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
03fd9c49 514 o = fixup_output(context->std_output, socket_fd);
4f2d528d 515
eb17e935
MS		 516 if (fileno == STDERR_FILENO) {
517 ExecOutput e;
518 e = fixup_output(context->std_error, socket_fd);
80876c20 519
eb17e935
MS		 520 /* This expects the input and output are already set up */
521
522 /* Don't change the stderr file descriptor if we inherit all
523 * the way and are not on a tty */
524 if (e == EXEC_OUTPUT_INHERIT &&
525 o == EXEC_OUTPUT_INHERIT &&
526 i == EXEC_INPUT_NULL &&
527 !is_terminal_input(context->std_input) &&
528 getppid () != 1)
529 return fileno;
530
531 /* Duplicate from stdout if possible */
52c239d7 532 if ((e == o && e != EXEC_OUTPUT_NAMED_FD) || e == EXEC_OUTPUT_INHERIT)
eb17e935 533 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 534
eb17e935 535 o = e;
80876c20 536
eb17e935 537 } else if (o == EXEC_OUTPUT_INHERIT) {
21d21ea4
LP		 538 /* If input got downgraded, inherit the original value */
539 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
1e22b5cd 540 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
21d21ea4 541
acb591e4 542 /* If the input is connected to anything that's not a /dev/null, inherit that... */
ff876e28 543 if (i != EXEC_INPUT_NULL)
eb17e935 544 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 545
acb591e4
LP		 546 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
547 if (getppid() != 1)
eb17e935 548 return fileno;
94f04347 549
eb17e935
MS		 550 /* We need to open /dev/null here anew, to get the right access mode. */
551 return open_null_as(O_WRONLY, fileno);
071830ff 552 }
94f04347 553
eb17e935 554 switch (o) {
80876c20
LP		 555
556 case EXEC_OUTPUT_NULL:
eb17e935 557 return open_null_as(O_WRONLY, fileno);
80876c20
LP		 558
559 case EXEC_OUTPUT_TTY:
4f2d528d 560 if (is_terminal_input(i))
eb17e935 561 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
80876c20
LP		 562
563 /* We don't reset the terminal if this is just about output */
1e22b5cd 564 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
80876c20
LP		 565
566 case EXEC_OUTPUT_SYSLOG:
28dbc1e8 567 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
9a6bca7a 568 case EXEC_OUTPUT_KMSG:
28dbc1e8 569 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
706343f4
LP		 570 case EXEC_OUTPUT_JOURNAL:
571 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
7a1ab780 572 r = connect_logger_as(unit, context, o, ident, fileno, uid, gid);
47c1d80d 573 if (r < 0) {
f2341e0a 574 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
eb17e935 575 r = open_null_as(O_WRONLY, fileno);
7bce046b
LP		 576 } else {
577 struct stat st;
578
579 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
580 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
581 * services to detect whether they are connected to the journal or not. */
582
583 if (fstat(fileno, &st) >= 0) {
584 *journal_stream_dev = st.st_dev;
585 *journal_stream_ino = st.st_ino;
586 }
47c1d80d
MS		 587 }
588 return r;
4f2d528d
LP		 589
590 case EXEC_OUTPUT_SOCKET:
591 assert(socket_fd >= 0);
eb17e935 592 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
94f04347 593
52c239d7
LB		 594 case EXEC_OUTPUT_NAMED_FD:
595 (void) fd_nonblock(named_iofds[fileno], false);
596 return dup2(named_iofds[fileno], fileno) < 0 ? -errno : fileno;
597
94f04347 598 default:
80876c20 599 assert_not_reached("Unknown error type");
94f04347 600 }
071830ff
LP		 601}
602
02a51aba
LP		 603static int chown_terminal(int fd, uid_t uid) {
604 struct stat st;
605
606 assert(fd >= 0);
02a51aba 607
1ff74fb6
LP		 608 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
609 if (isatty(fd) < 1)
610 return 0;
611
02a51aba 612 /* This might fail. What matters are the results. */
bab45044
LP		 613 (void) fchown(fd, uid, -1);
614 (void) fchmod(fd, TTY_MODE);
02a51aba
LP		 615
616 if (fstat(fd, &st) < 0)
617 return -errno;
618
d8b4e2e9 619 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
02a51aba
LP		 620 return -EPERM;
621
622 return 0;
623}
624
3d18b167
LP		 625static int setup_confirm_stdio(int *_saved_stdin, int *_saved_stdout) {
626 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
627 int r;
80876c20 628
80876c20
LP		 629 assert(_saved_stdin);
630 assert(_saved_stdout);
631
af6da548
LP		 632 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
633 if (saved_stdin < 0)
634 return -errno;
80876c20 635
af6da548 636 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
3d18b167
LP		 637 if (saved_stdout < 0)
638 return -errno;
80876c20 639
af6da548
LP		 640 fd = acquire_terminal(
641 "/dev/console",
642 false,
643 false,
644 false,
645 DEFAULT_CONFIRM_USEC);
3d18b167
LP		 646 if (fd < 0)
647 return fd;
80876c20 648
af6da548
LP		 649 r = chown_terminal(fd, getuid());
650 if (r < 0)
3d18b167 651 return r;
02a51aba 652
3d18b167
LP		 653 r = reset_terminal_fd(fd, true);
654 if (r < 0)
655 return r;
80876c20 656
3d18b167
LP		 657 if (dup2(fd, STDIN_FILENO) < 0)
658 return -errno;
659
660 if (dup2(fd, STDOUT_FILENO) < 0)
661 return -errno;
80876c20
LP		 662
663 if (fd >= 2)
03e334a1 664 safe_close(fd);
3d18b167 665 fd = -1;
80876c20
LP		 666
667 *_saved_stdin = saved_stdin;
668 *_saved_stdout = saved_stdout;
669
3d18b167 670 saved_stdin = saved_stdout = -1;
80876c20 671
3d18b167 672 return 0;
80876c20
LP		 673}
674
44b601bc 675_printf_(1, 2) static int write_confirm_message(const char *format, ...) {
03e334a1 676 _cleanup_close_ int fd = -1;
af6da548 677 va_list ap;
80876c20 678
af6da548 679 assert(format);
80876c20 680
af6da548
LP		 681 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
682 if (fd < 0)
683 return fd;
80876c20 684
af6da548
LP		 685 va_start(ap, format);
686 vdprintf(fd, format, ap);
687 va_end(ap);
80876c20 688
af6da548
LP		 689 return 0;
690}
80876c20 691
3d18b167 692static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
af6da548 693 int r = 0;
80876c20 694
af6da548
LP		 695 assert(saved_stdin);
696 assert(saved_stdout);
697
698 release_terminal();
699
700 if (*saved_stdin >= 0)
80876c20 701 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
af6da548 702 r = -errno;
80876c20 703
af6da548 704 if (*saved_stdout >= 0)
80876c20 705 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
af6da548 706 r = -errno;
80876c20 707
3d18b167
LP		 708 *saved_stdin = safe_close(*saved_stdin);
709 *saved_stdout = safe_close(*saved_stdout);
af6da548
LP		 710
711 return r;
712}
713
714static int ask_for_confirmation(char *response, char **argv) {
715 int saved_stdout = -1, saved_stdin = -1, r;
e1d75803 716 _cleanup_free_ char *line = NULL;
af6da548
LP		 717
718 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
719 if (r < 0)
720 return r;
721
722 line = exec_command_line(argv);
723 if (!line)
724 return -ENOMEM;
725
418b9be5 726 r = ask_char(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
af6da548
LP		 727
728 restore_confirm_stdio(&saved_stdin, &saved_stdout);
729
730 return r;
80876c20
LP		 731}
732
4d885bd3
DH		 733static int get_fixed_user(const ExecContext *c, const char **user,
734 uid_t *uid, gid_t *gid,
735 const char **home, const char **shell) {
81a2b7ce 736 int r;
4d885bd3 737 const char *name;
81a2b7ce 738
4d885bd3 739 assert(c);
81a2b7ce 740
4d885bd3
DH		 741 if (!c->user)
742 return 0;
81a2b7ce 743
4d885bd3
DH		 744 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
745 * (i.e. are "/" or "/bin/nologin"). */
81a2b7ce 746
4d885bd3
DH		 747 name = c->user;
748 r = get_user_creds_clean(&name, uid, gid, home, shell);
749 if (r < 0)
750 return r;
81a2b7ce 751
4d885bd3
DH		 752 *user = name;
753 return 0;
754}
755
756static int get_fixed_group(const ExecContext *c, const char **group, gid_t *gid) {
757 int r;
758 const char *name;
759
760 assert(c);
761
762 if (!c->group)
763 return 0;
764
765 name = c->group;
766 r = get_group_creds(&name, gid);
767 if (r < 0)
768 return r;
769
770 *group = name;
771 return 0;
772}
773
774static int get_fixed_supplementary_groups(const ExecContext *c,
775 const char *user,
776 const char *group,
777 gid_t gid,
778 gid_t **supplementary_gids, int *ngids) {
779 char **i;
780 int r, k = 0;
781 int ngroups_max;
782 bool keep_groups = false;
783 gid_t *groups = NULL;
784 _cleanup_free_ gid_t *l_gids = NULL;
785
786 assert(c);
787
788 if (!c->supplementary_groups)
789 return 0;
790
366ddd25
DH		 791 /*
792 * If SupplementaryGroups= was passed then NGROUPS_MAX has to
793 * be positive, otherwise fail.
794 */
795 errno = 0;
796 ngroups_max = (int) sysconf(_SC_NGROUPS_MAX);
797 if (ngroups_max <= 0) {
798 if (errno > 0)
799 return -errno;
800 else
801 return -EOPNOTSUPP; /* For all other values */
802 }
803
4d885bd3
DH		 804 /*
805 * If user is given, then lookup GID and supplementary group list.
806 * We avoid NSS lookups for gid=0.
807 */
808 if (user && gid_is_valid(gid) && gid != 0) {
809 /* First step, initialize groups from /etc/groups */
810 if (initgroups(user, gid) < 0)
81a2b7ce 811 return -errno;
4d885bd3
DH		 812
813 keep_groups = true;
81a2b7ce
LP		 814 }
815
4d885bd3
DH		 816 l_gids = new(gid_t, ngroups_max);
817 if (!l_gids)
818 return -ENOMEM;
81a2b7ce 819
4d885bd3
DH		 820 if (keep_groups) {
821 /*
822 * Lookup the list of groups that the user belongs to, we
823 * avoid NSS lookups here too for gid=0.
824 */
825 k = ngroups_max;
826 if (getgrouplist(user, gid, l_gids, &k) < 0)
827 return -EINVAL;
828 } else
829 k = 0;
81a2b7ce 830
4d885bd3
DH		 831 STRV_FOREACH(i, c->supplementary_groups) {
832 const char *g;
81a2b7ce 833
4d885bd3
DH		 834 if (k >= ngroups_max)
835 return -E2BIG;
81a2b7ce 836
4d885bd3
DH		 837 g = *i;
838 r = get_group_creds(&g, l_gids+k);
839 if (r < 0)
840 return r;
81a2b7ce 841
4d885bd3
DH		 842 k++;
843 }
81a2b7ce 844
4d885bd3
DH		 845 /*
846 * Sets ngids to zero to drop all supplementary groups, happens
847 * when we are under root and SupplementaryGroups= is empty.
848 */
849 if (k == 0) {
850 *ngids = 0;
851 return 0;
852 }
81a2b7ce 853
4d885bd3
DH		 854 /* Otherwise get the final list of supplementary groups */
855 groups = memdup(l_gids, sizeof(gid_t) * k);
856 if (!groups)
857 return -ENOMEM;
858
859 *supplementary_gids = groups;
860 *ngids = k;
861
862 groups = NULL;
863
864 return 0;
865}
866
867static int enforce_groups(const ExecContext *context, gid_t gid,
868 gid_t *supplementary_gids, int ngids) {
869 int r;
870
871 assert(context);
872
873 /* Handle SupplementaryGroups= even if it is empty */
874 if (context->supplementary_groups) {
875 r = maybe_setgroups(ngids, supplementary_gids);
876 if (r < 0)
97f0e76f 877 return r;
4d885bd3 878 }
81a2b7ce 879
4d885bd3
DH		 880 if (gid_is_valid(gid)) {
881 /* Then set our gids */
882 if (setresgid(gid, gid, gid) < 0)
883 return -errno;
81a2b7ce
LP		 884 }
885
886 return 0;
887}
888
889static int enforce_user(const ExecContext *context, uid_t uid) {
81a2b7ce
LP		 890 assert(context);
891
4d885bd3
DH		 892 if (!uid_is_valid(uid))
893 return 0;
894
479050b3 895 /* Sets (but doesn't look up) the uid and make sure we keep the
81a2b7ce
LP		 896 * capabilities while doing so. */
897
479050b3 898 if (context->capability_ambient_set != 0) {
81a2b7ce
LP		 899
900 /* First step: If we need to keep capabilities but
901 * drop privileges we need to make sure we keep our
cbb21cca 902 * caps, while we drop privileges. */
693ced48 903 if (uid != 0) {
cbb21cca 904 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
693ced48
LP		 905
906 if (prctl(PR_GET_SECUREBITS) != sb)
907 if (prctl(PR_SET_SECUREBITS, sb) < 0)
908 return -errno;
909 }
81a2b7ce
LP		 910 }
911
479050b3 912 /* Second step: actually set the uids */
81a2b7ce
LP		 913 if (setresuid(uid, uid, uid) < 0)
914 return -errno;
915
916 /* At this point we should have all necessary capabilities but
917 are otherwise a normal user. However, the caps might got
918 corrupted due to the setresuid() so we need clean them up
919 later. This is done outside of this call. */
920
921 return 0;
922}
923
5b6319dc
LP		 924#ifdef HAVE_PAM
925
926static int null_conv(
927 int num_msg,
928 const struct pam_message **msg,
929 struct pam_response **resp,
930 void *appdata_ptr) {
931
932 /* We don't support conversations */
933
934 return PAM_CONV_ERR;
935}
936
cefc33ae
LP		 937#endif
938
5b6319dc
LP		 939static int setup_pam(
940 const char *name,
941 const char *user,
940c5210 942 uid_t uid,
2d6fce8d 943 gid_t gid,
5b6319dc 944 const char *tty,
2065ca69 945 char ***env,
5b6319dc
LP		 946 int fds[], unsigned n_fds) {
947
cefc33ae
LP		 948#ifdef HAVE_PAM
949
5b6319dc
LP		 950 static const struct pam_conv conv = {
951 .conv = null_conv,
952 .appdata_ptr = NULL
953 };
954
2d7c6aa2 955 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
5b6319dc 956 pam_handle_t *handle = NULL;
d6e5f3ad 957 sigset_t old_ss;
7bb70b6e 958 int pam_code = PAM_SUCCESS, r;
84eada2f 959 char **nv, **e = NULL;
5b6319dc
LP		 960 bool close_session = false;
961 pid_t pam_pid = 0, parent_pid;
970edce6 962 int flags = 0;
5b6319dc
LP		 963
964 assert(name);
965 assert(user);
2065ca69 966 assert(env);
5b6319dc
LP		 967
968 /* We set up PAM in the parent process, then fork. The child
35b8ca3a 969 * will then stay around until killed via PR_GET_PDEATHSIG or
5b6319dc
LP		 970 * systemd via the cgroup logic. It will then remove the PAM
971 * session again. The parent process will exec() the actual
972 * daemon. We do things this way to ensure that the main PID
973 * of the daemon is the one we initially fork()ed. */
974
7bb70b6e
LP		 975 r = barrier_create(&barrier);
976 if (r < 0)
2d7c6aa2
DH		 977 goto fail;
978
553d2243 979 if (log_get_max_level() < LOG_DEBUG)
970edce6
ZJS		 980 flags |= PAM_SILENT;
981
f546241b
ZJS		 982 pam_code = pam_start(name, user, &conv, &handle);
983 if (pam_code != PAM_SUCCESS) {
5b6319dc
LP		 984 handle = NULL;
985 goto fail;
986 }
987
f546241b
ZJS		 988 if (tty) {
989 pam_code = pam_set_item(handle, PAM_TTY, tty);
990 if (pam_code != PAM_SUCCESS)
5b6319dc 991 goto fail;
f546241b 992 }
5b6319dc 993
84eada2f
JW		 994 STRV_FOREACH(nv, *env) {
995 pam_code = pam_putenv(handle, *nv);
2065ca69
JW		 996 if (pam_code != PAM_SUCCESS)
997 goto fail;
998 }
999
970edce6 1000 pam_code = pam_acct_mgmt(handle, flags);
f546241b 1001 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 1002 goto fail;
1003
970edce6 1004 pam_code = pam_open_session(handle, flags);
f546241b 1005 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 1006 goto fail;
1007
1008 close_session = true;
1009
f546241b
ZJS		 1010 e = pam_getenvlist(handle);
1011 if (!e) {
5b6319dc
LP		 1012 pam_code = PAM_BUF_ERR;
1013 goto fail;
1014 }
1015
1016 /* Block SIGTERM, so that we know that it won't get lost in
1017 * the child */
ce30c8dc 1018
72c0a2c2 1019 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
5b6319dc
LP		 1020
1021 parent_pid = getpid();
1022
f546241b 1023 pam_pid = fork();
7bb70b6e
LP		 1024 if (pam_pid < 0) {
1025 r = -errno;
5b6319dc 1026 goto fail;
7bb70b6e 1027 }
5b6319dc
LP		 1028
1029 if (pam_pid == 0) {
7bb70b6e 1030 int sig, ret = EXIT_PAM;
5b6319dc
LP		 1031
1032 /* The child's job is to reset the PAM session on
1033 * termination */
2d7c6aa2 1034 barrier_set_role(&barrier, BARRIER_CHILD);
5b6319dc
LP		 1035
1036 /* This string must fit in 10 chars (i.e. the length
5d6b1584
LP		 1037 * of "/sbin/init"), to look pretty in /bin/ps */
1038 rename_process("(sd-pam)");
5b6319dc
LP		 1039
1040 /* Make sure we don't keep open the passed fds in this
1041 child. We assume that otherwise only those fds are
1042 open here that have been opened by PAM. */
1043 close_many(fds, n_fds);
1044
940c5210
AK		 1045 /* Drop privileges - we don't need any to pam_close_session
1046 * and this will make PR_SET_PDEATHSIG work in most cases.
1047 * If this fails, ignore the error - but expect sd-pam threads
1048 * to fail to exit normally */
2d6fce8d 1049
97f0e76f
LP		 1050 r = maybe_setgroups(0, NULL);
1051 if (r < 0)
1052 log_warning_errno(r, "Failed to setgroups() in sd-pam: %m");
2d6fce8d
LP		 1053 if (setresgid(gid, gid, gid) < 0)
1054 log_warning_errno(errno, "Failed to setresgid() in sd-pam: %m");
940c5210 1055 if (setresuid(uid, uid, uid) < 0)
2d6fce8d 1056 log_warning_errno(errno, "Failed to setresuid() in sd-pam: %m");
940c5210 1057
ce30c8dc
LP		 1058 (void) ignore_signals(SIGPIPE, -1);
1059
940c5210
AK		 1060 /* Wait until our parent died. This will only work if
1061 * the above setresuid() succeeds, otherwise the kernel
1062 * will not allow unprivileged parents kill their privileged
1063 * children this way. We rely on the control groups kill logic
5b6319dc
LP		 1064 * to do the rest for us. */
1065 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
1066 goto child_finish;
1067
2d7c6aa2
DH		 1068 /* Tell the parent that our setup is done. This is especially
1069 * important regarding dropping privileges. Otherwise, unit
1070 * setup might race against our setresuid(2) call. */
1071 barrier_place(&barrier);
1072
5b6319dc
LP		 1073 /* Check if our parent process might already have
1074 * died? */
1075 if (getppid() == parent_pid) {
d6e5f3ad
DM		 1076 sigset_t ss;
1077
1078 assert_se(sigemptyset(&ss) >= 0);
1079 assert_se(sigaddset(&ss, SIGTERM) >= 0);
1080
3dead8d9
LP		 1081 for (;;) {
1082 if (sigwait(&ss, &sig) < 0) {
1083 if (errno == EINTR)
1084 continue;
1085
1086 goto child_finish;
1087 }
5b6319dc 1088
3dead8d9
LP		 1089 assert(sig == SIGTERM);
1090 break;
1091 }
5b6319dc
LP		 1092 }
1093
3dead8d9 1094 /* If our parent died we'll end the session */
f546241b 1095 if (getppid() != parent_pid) {
970edce6 1096 pam_code = pam_close_session(handle, flags);
f546241b 1097 if (pam_code != PAM_SUCCESS)
5b6319dc 1098 goto child_finish;
f546241b 1099 }
5b6319dc 1100
7bb70b6e 1101 ret = 0;
5b6319dc
LP		 1102
1103 child_finish:
970edce6 1104 pam_end(handle, pam_code | flags);
7bb70b6e 1105 _exit(ret);
5b6319dc
LP		 1106 }
1107
2d7c6aa2
DH		 1108 barrier_set_role(&barrier, BARRIER_PARENT);
1109
5b6319dc
LP		 1110 /* If the child was forked off successfully it will do all the
1111 * cleanups, so forget about the handle here. */
1112 handle = NULL;
1113
3b8bddde 1114 /* Unblock SIGTERM again in the parent */
72c0a2c2 1115 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
5b6319dc
LP		 1116
1117 /* We close the log explicitly here, since the PAM modules
1118 * might have opened it, but we don't want this fd around. */
1119 closelog();
1120
2d7c6aa2
DH		 1121 /* Synchronously wait for the child to initialize. We don't care for
1122 * errors as we cannot recover. However, warn loudly if it happens. */
1123 if (!barrier_place_and_sync(&barrier))
1124 log_error("PAM initialization failed");
1125
2065ca69
JW		 1126 strv_free(*env);
1127 *env = e;
aa87e624 1128
5b6319dc
LP		 1129 return 0;
1130
1131fail:
970edce6
ZJS		 1132 if (pam_code != PAM_SUCCESS) {
1133 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
7bb70b6e
LP		 1134 r = -EPERM; /* PAM errors do not map to errno */
1135 } else
1136 log_error_errno(r, "PAM failed: %m");
9ba35398 1137
5b6319dc
LP		 1138 if (handle) {
1139 if (close_session)
970edce6 1140 pam_code = pam_close_session(handle, flags);
5b6319dc 1141
970edce6 1142 pam_end(handle, pam_code | flags);
5b6319dc
LP		 1143 }
1144
1145 strv_free(e);
5b6319dc
LP		 1146 closelog();
1147
7bb70b6e 1148 return r;
cefc33ae
LP		 1149#else
1150 return 0;
5b6319dc 1151#endif
cefc33ae 1152}
5b6319dc 1153
5d6b1584
LP		 1154static void rename_process_from_path(const char *path) {
1155 char process_name[11];
1156 const char *p;
1157 size_t l;
1158
1159 /* This resulting string must fit in 10 chars (i.e. the length
1160 * of "/sbin/init") to look pretty in /bin/ps */
1161
2b6bf07d 1162 p = basename(path);
5d6b1584
LP		 1163 if (isempty(p)) {
1164 rename_process("(...)");
1165 return;
1166 }
1167
1168 l = strlen(p);
1169 if (l > 8) {
1170 /* The end of the process name is usually more
1171 * interesting, since the first bit might just be
1172 * "systemd-" */
1173 p = p + l - 8;
1174 l = 8;
1175 }
1176
1177 process_name[0] = '(';
1178 memcpy(process_name+1, p, l);
1179 process_name[1+l] = ')';
1180 process_name[1+l+1] = 0;
1181
1182 rename_process(process_name);
1183}
1184
c0467cf3 1185#ifdef HAVE_SECCOMP
17df7223 1186
83f12b27 1187static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
f673b62d
LP		 1188
1189 if (is_seccomp_available())
1190 return false;
1191
1192 log_open();
1193 log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
1194 log_close();
1195 return true;
83f12b27
FS		 1196}
1197
1198static int apply_seccomp(const Unit* u, const ExecContext *c) {
17df7223 1199 uint32_t negative_action, action;
8d7b0c8f 1200 scmp_filter_ctx seccomp;
c0467cf3
RC		 1201 Iterator i;
1202 void *id;
17df7223 1203 int r;
8351ceae 1204
c0467cf3 1205 assert(c);
8351ceae 1206
83f12b27
FS		 1207 if (skip_seccomp_unavailable(u, "syscall filtering"))
1208 return 0;
1209
17df7223
LP		 1210 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
1211
1212 seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW);
1213 if (!seccomp)
1214 return -ENOMEM;
8351ceae 1215
e9642be2
LP		 1216 if (c->syscall_archs) {
1217
1218 SET_FOREACH(id, c->syscall_archs, i) {
1219 r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
1220 if (r == -EEXIST)
1221 continue;
7c66bae2
LP		 1222 if (r < 0)
1223 goto finish;
e9642be2 1224 }
e9642be2 1225
7c66bae2 1226 } else {
e9642be2 1227 r = seccomp_add_secondary_archs(seccomp);
7c66bae2
LP		 1228 if (r < 0)
1229 goto finish;
57183d11 1230 }
8351ceae 1231
57183d11 1232 action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
17df7223
LP		 1233 SET_FOREACH(id, c->syscall_filter, i) {
1234 r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
7c66bae2
LP		 1235 if (r < 0)
1236 goto finish;
c0467cf3 1237 }
8351ceae 1238
7c66bae2
LP		 1239 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1240 if (r < 0)
1241 goto finish;
1242
17df7223 1243 r = seccomp_load(seccomp);
7c66bae2
LP		 1244
1245finish:
17df7223 1246 seccomp_release(seccomp);
4298d0b5
LP		 1247 return r;
1248}
1249
83f12b27 1250static int apply_address_families(const Unit* u, const ExecContext *c) {
8d7b0c8f 1251 scmp_filter_ctx seccomp;
4298d0b5
LP		 1252 Iterator i;
1253 int r;
1254
1255 assert(c);
1256
83f12b27
FS		 1257 if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
1258 return 0;
1259
8d7b0c8f 1260 r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
4298d0b5 1261 if (r < 0)
8d7b0c8f 1262 return r;
4298d0b5
LP		 1263
1264 if (c->address_families_whitelist) {
1265 int af, first = 0, last = 0;
1266 void *afp;
1267
1268 /* If this is a whitelist, we first block the address
1269 * families that are out of range and then everything
1270 * that is not in the set. First, we find the lowest
1271 * and highest address family in the set. */
1272
1273 SET_FOREACH(afp, c->address_families, i) {
1274 af = PTR_TO_INT(afp);
17df7223 1275
4298d0b5
LP		 1276 if (af <= 0 || af >= af_max())
1277 continue;
1278
1279 if (first == 0 || af < first)
1280 first = af;
1281
1282 if (last == 0 || af > last)
1283 last = af;
1284 }
1285
1286 assert((first == 0) == (last == 0));
1287
1288 if (first == 0) {
1289
1290 /* No entries in the valid range, block everything */
1291 r = seccomp_rule_add(
1292 seccomp,
1293 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1294 SCMP_SYS(socket),
1295 0);
1296 if (r < 0)
1297 goto finish;
1298
1299 } else {
1300
1301 /* Block everything below the first entry */
1302 r = seccomp_rule_add(
1303 seccomp,
1304 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1305 SCMP_SYS(socket),
1306 1,
1307 SCMP_A0(SCMP_CMP_LT, first));
1308 if (r < 0)
1309 goto finish;
1310
1311 /* Block everything above the last entry */
1312 r = seccomp_rule_add(
1313 seccomp,
1314 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1315 SCMP_SYS(socket),
1316 1,
1317 SCMP_A0(SCMP_CMP_GT, last));
1318 if (r < 0)
1319 goto finish;
1320
1321 /* Block everything between the first and last
1322 * entry */
1323 for (af = 1; af < af_max(); af++) {
1324
1325 if (set_contains(c->address_families, INT_TO_PTR(af)))
1326 continue;
1327
1328 r = seccomp_rule_add(
1329 seccomp,
1330 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1331 SCMP_SYS(socket),
1332 1,
1333 SCMP_A0(SCMP_CMP_EQ, af));
1334 if (r < 0)
1335 goto finish;
1336 }
1337 }
1338
1339 } else {
1340 void *af;
1341
1342 /* If this is a blacklist, then generate one rule for
1343 * each address family that are then combined in OR
1344 * checks. */
1345
1346 SET_FOREACH(af, c->address_families, i) {
1347
1348 r = seccomp_rule_add(
1349 seccomp,
1350 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1351 SCMP_SYS(socket),
1352 1,
1353 SCMP_A0(SCMP_CMP_EQ, PTR_TO_INT(af)));
1354 if (r < 0)
1355 goto finish;
1356 }
1357 }
1358
4298d0b5
LP		 1359 r = seccomp_load(seccomp);
1360
1361finish:
1362 seccomp_release(seccomp);
17df7223 1363 return r;
8351ceae 1364}
4298d0b5 1365
83f12b27 1366static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c) {
8d7b0c8f 1367 scmp_filter_ctx seccomp;
f3e43635
TM		 1368 int r;
1369
1370 assert(c);
1371
83f12b27
FS		 1372 if (skip_seccomp_unavailable(u, "MemoryDenyWriteExecute="))
1373 return 0;
1374
8d7b0c8f 1375 r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
72246c2a 1376 if (r < 0)
8d7b0c8f 1377 return r;
72246c2a 1378
f3e43635
TM		 1379 r = seccomp_rule_add(
1380 seccomp,
abd84d4d 1381 SCMP_ACT_ERRNO(EPERM),
f3e43635
TM		 1382 SCMP_SYS(mmap),
1383 1,
1384 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE));
1385 if (r < 0)
1386 goto finish;
1387
1388 r = seccomp_rule_add(
1389 seccomp,
abd84d4d 1390 SCMP_ACT_ERRNO(EPERM),
f3e43635
TM		 1391 SCMP_SYS(mprotect),
1392 1,
1393 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC));
1394 if (r < 0)
1395 goto finish;
1396
f3e43635
TM		 1397 r = seccomp_load(seccomp);
1398
1399finish:
1400 seccomp_release(seccomp);
1401 return r;
1402}
1403
83f12b27 1404static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
f4170c67
LP		 1405 static const int permitted_policies[] = {
1406 SCHED_OTHER,
1407 SCHED_BATCH,
1408 SCHED_IDLE,
1409 };
1410
8d7b0c8f 1411 scmp_filter_ctx seccomp;
f4170c67
LP		 1412 unsigned i;
1413 int r, p, max_policy = 0;
1414
1415 assert(c);
1416
83f12b27
FS		 1417 if (skip_seccomp_unavailable(u, "RestrictRealtime="))
1418 return 0;
1419
8d7b0c8f 1420 r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
72246c2a 1421 if (r < 0)
8d7b0c8f 1422 return r;
72246c2a 1423
f4170c67
LP		 1424 /* Determine the highest policy constant we want to allow */
1425 for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
1426 if (permitted_policies[i] > max_policy)
1427 max_policy = permitted_policies[i];
1428
1429 /* Go through all policies with lower values than that, and block them -- unless they appear in the
1430 * whitelist. */
1431 for (p = 0; p < max_policy; p++) {
1432 bool good = false;
1433
1434 /* Check if this is in the whitelist. */
1435 for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
1436 if (permitted_policies[i] == p) {
1437 good = true;
1438 break;
1439 }
1440
1441 if (good)
1442 continue;
1443
1444 /* Deny this policy */
1445 r = seccomp_rule_add(
1446 seccomp,
1447 SCMP_ACT_ERRNO(EPERM),
1448 SCMP_SYS(sched_setscheduler),
1449 1,
1450 SCMP_A1(SCMP_CMP_EQ, p));
1451 if (r < 0)
1452 goto finish;
1453 }
1454
1455 /* Blacklist all other policies, i.e. the ones with higher values. Note that all comparisons are unsigned here,
1456 * hence no need no check for < 0 values. */
1457 r = seccomp_rule_add(
1458 seccomp,
1459 SCMP_ACT_ERRNO(EPERM),
1460 SCMP_SYS(sched_setscheduler),
1461 1,
1462 SCMP_A1(SCMP_CMP_GT, max_policy));
1463 if (r < 0)
1464 goto finish;
1465
f4170c67
LP		 1466 r = seccomp_load(seccomp);
1467
1468finish:
1469 seccomp_release(seccomp);
1470 return r;
1471}
1472
59eeb84b 1473static int apply_protect_sysctl(Unit *u, const ExecContext *c) {
8d7b0c8f 1474 scmp_filter_ctx seccomp;
59eeb84b
LP		 1475 int r;
1476
1477 assert(c);
1478
1479 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1480 * let's protect even those systems where this is left on in the kernel. */
1481
1482 if (skip_seccomp_unavailable(u, "ProtectKernelTunables="))
1483 return 0;
1484
8d7b0c8f 1485 r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
59eeb84b 1486 if (r < 0)
8d7b0c8f 1487 return r;
59eeb84b
LP		 1488
1489 r = seccomp_rule_add(
1490 seccomp,
1491 SCMP_ACT_ERRNO(EPERM),
1492 SCMP_SYS(_sysctl),
1493 0);
1494 if (r < 0)
1495 goto finish;
1496
59eeb84b
LP		 1497 r = seccomp_load(seccomp);
1498
1499finish:
1500 seccomp_release(seccomp);
1501 return r;
1502}
1503
502d704e 1504static int apply_protect_kernel_modules(Unit *u, const ExecContext *c) {
502d704e
DH		 1505 assert(c);
1506
25a8d8a0 1507 /* Turn off module syscalls on ProtectKernelModules=yes */
502d704e
DH		 1508
1509 if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
1510 return 0;
1511
a3be2849 1512 return seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM));
502d704e
DH		 1513}
1514
ba128bb8 1515static int apply_private_devices(Unit *u, const ExecContext *c) {
ba128bb8
LP		 1516 assert(c);
1517
8f81a5f6 1518 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
ba128bb8
LP		 1519
1520 if (skip_seccomp_unavailable(u, "PrivateDevices="))
1521 return 0;
1522
a3be2849 1523 return seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
ba128bb8
LP		 1524}
1525
c0467cf3 1526#endif
8351ceae 1527
31a7eb86
ZJS		 1528static void do_idle_pipe_dance(int idle_pipe[4]) {
1529 assert(idle_pipe);
1530
54eb2300
LP		 1531 idle_pipe[1] = safe_close(idle_pipe[1]);
1532 idle_pipe[2] = safe_close(idle_pipe[2]);
31a7eb86
ZJS		 1533
1534 if (idle_pipe[0] >= 0) {
1535 int r;
1536
1537 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1538
1539 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
c7cc737f
LP		 1540 ssize_t n;
1541
31a7eb86 1542 /* Signal systemd that we are bored and want to continue. */
c7cc737f
LP		 1543 n = write(idle_pipe[3], "x", 1);
1544 if (n > 0)
cd972d69
ZJS		 1545 /* Wait for systemd to react to the signal above. */
1546 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
31a7eb86
ZJS		 1547 }
1548
54eb2300 1549 idle_pipe[0] = safe_close(idle_pipe[0]);
31a7eb86
ZJS		 1550
1551 }
1552
54eb2300 1553 idle_pipe[3] = safe_close(idle_pipe[3]);
31a7eb86
ZJS		 1554}
1555
7cae38c4 1556static int build_environment(
fd63e712 1557 Unit *u,
9fa95f85 1558 const ExecContext *c,
1e22b5cd 1559 const ExecParameters *p,
7cae38c4
LP		 1560 unsigned n_fds,
1561 const char *home,
1562 const char *username,
1563 const char *shell,
7bce046b
LP		 1564 dev_t journal_stream_dev,
1565 ino_t journal_stream_ino,
7cae38c4
LP		 1566 char ***ret) {
1567
1568 _cleanup_strv_free_ char **our_env = NULL;
1569 unsigned n_env = 0;
1570 char *x;
1571
4b58153d 1572 assert(u);
7cae38c4
LP		 1573 assert(c);
1574 assert(ret);
1575
4b58153d 1576 our_env = new0(char*, 14);
7cae38c4
LP		 1577 if (!our_env)
1578 return -ENOMEM;
1579
1580 if (n_fds > 0) {
8dd4c05b
LP		 1581 _cleanup_free_ char *joined = NULL;
1582
ccd06097 1583 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
7cae38c4
LP		 1584 return -ENOMEM;
1585 our_env[n_env++] = x;
1586
1587 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1588 return -ENOMEM;
1589 our_env[n_env++] = x;
8dd4c05b 1590
1e22b5cd 1591 joined = strv_join(p->fd_names, ":");
8dd4c05b
LP		 1592 if (!joined)
1593 return -ENOMEM;
1594
1595 x = strjoin("LISTEN_FDNAMES=", joined, NULL);
1596 if (!x)
1597 return -ENOMEM;
1598 our_env[n_env++] = x;
7cae38c4
LP		 1599 }
1600
b08af3b1 1601 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
ccd06097 1602 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
09812eb7
LP		 1603 return -ENOMEM;
1604 our_env[n_env++] = x;
1605
1e22b5cd 1606 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
09812eb7
LP		 1607 return -ENOMEM;
1608 our_env[n_env++] = x;
1609 }
1610
fd63e712
LP		 1611 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1612 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1613 * check the database directly. */
1614 if (unit_has_name(u, SPECIAL_DBUS_SERVICE)) {
1615 x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1616 if (!x)
1617 return -ENOMEM;
1618 our_env[n_env++] = x;
1619 }
1620
7cae38c4
LP		 1621 if (home) {
1622 x = strappend("HOME=", home);
1623 if (!x)
1624 return -ENOMEM;
1625 our_env[n_env++] = x;
1626 }
1627
1628 if (username) {
1629 x = strappend("LOGNAME=", username);
1630 if (!x)
1631 return -ENOMEM;
1632 our_env[n_env++] = x;
1633
1634 x = strappend("USER=", username);
1635 if (!x)
1636 return -ENOMEM;
1637 our_env[n_env++] = x;
1638 }
1639
1640 if (shell) {
1641 x = strappend("SHELL=", shell);
1642 if (!x)
1643 return -ENOMEM;
1644 our_env[n_env++] = x;
1645 }
1646
4b58153d
LP		 1647 if (!sd_id128_is_null(u->invocation_id)) {
1648 if (asprintf(&x, "INVOCATION_ID=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(u->invocation_id)) < 0)
1649 return -ENOMEM;
1650
1651 our_env[n_env++] = x;
1652 }
1653
6af760f3
LP		 1654 if (exec_context_needs_term(c)) {
1655 const char *tty_path, *term = NULL;
1656
1657 tty_path = exec_context_tty_path(c);
1658
1659 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try to inherit
1660 * the $TERM set for PID 1. This is useful for containers so that the $TERM the container manager
1661 * passes to PID 1 ends up all the way in the console login shown. */
1662
1663 if (path_equal(tty_path, "/dev/console") && getppid() == 1)
1664 term = getenv("TERM");
1665 if (!term)
1666 term = default_term_for_tty(tty_path);
7cae38c4 1667
6af760f3 1668 x = strappend("TERM=", term);
7cae38c4
LP		 1669 if (!x)
1670 return -ENOMEM;
1671 our_env[n_env++] = x;
1672 }
1673
7bce046b
LP		 1674 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1675 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1676 return -ENOMEM;
1677
1678 our_env[n_env++] = x;
1679 }
1680
7cae38c4 1681 our_env[n_env++] = NULL;
7bce046b 1682 assert(n_env <= 12);
7cae38c4
LP		 1683
1684 *ret = our_env;
1685 our_env = NULL;
1686
1687 return 0;
1688}
1689
b4c14404
FB		 1690static int build_pass_environment(const ExecContext *c, char ***ret) {
1691 _cleanup_strv_free_ char **pass_env = NULL;
1692 size_t n_env = 0, n_bufsize = 0;
1693 char **i;
1694
1695 STRV_FOREACH(i, c->pass_environment) {
1696 _cleanup_free_ char *x = NULL;
1697 char *v;
1698
1699 v = getenv(*i);
1700 if (!v)
1701 continue;
1702 x = strjoin(*i, "=", v, NULL);
1703 if (!x)
1704 return -ENOMEM;
1705 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1706 return -ENOMEM;
1707 pass_env[n_env++] = x;
1708 pass_env[n_env] = NULL;
1709 x = NULL;
1710 }
1711
1712 *ret = pass_env;
1713 pass_env = NULL;
1714
1715 return 0;
1716}
1717
8b44a3d2
LP		 1718static bool exec_needs_mount_namespace(
1719 const ExecContext *context,
1720 const ExecParameters *params,
1721 ExecRuntime *runtime) {
1722
1723 assert(context);
1724 assert(params);
1725
2a624c36
AP		 1726 if (!strv_isempty(context->read_write_paths) ||
1727 !strv_isempty(context->read_only_paths) ||
1728 !strv_isempty(context->inaccessible_paths))
8b44a3d2
LP		 1729 return true;
1730
1731 if (context->mount_flags != 0)
1732 return true;
1733
1734 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1735 return true;
1736
8b44a3d2
LP		 1737 if (context->private_devices ||
1738 context->protect_system != PROTECT_SYSTEM_NO ||
59eeb84b
LP		 1739 context->protect_home != PROTECT_HOME_NO ||
1740 context->protect_kernel_tunables ||
c575770b 1741 context->protect_kernel_modules ||
59eeb84b 1742 context->protect_control_groups)
8b44a3d2
LP		 1743 return true;
1744
1745 return false;
1746}
1747
d251207d
LP		 1748static int setup_private_users(uid_t uid, gid_t gid) {
1749 _cleanup_free_ char *uid_map = NULL, *gid_map = NULL;
1750 _cleanup_close_pair_ int errno_pipe[2] = { -1, -1 };
1751 _cleanup_close_ int unshare_ready_fd = -1;
1752 _cleanup_(sigkill_waitp) pid_t pid = 0;
1753 uint64_t c = 1;
1754 siginfo_t si;
1755 ssize_t n;
1756 int r;
1757
1758 /* Set up a user namespace and map root to root, the selected UID/GID to itself, and everything else to
1759 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1760 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1761 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1762 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
1763 * continues execution normally. */
1764
1765 if (uid != 0 && uid_is_valid(uid))
1766 asprintf(&uid_map,
1767 "0 0 1\n" /* Map root → root */
1768 UID_FMT " " UID_FMT " 1\n", /* Map $UID → $UID */
e0f3720e 1769 uid, uid);
d251207d 1770 else
e0f3720e 1771 uid_map = strdup("0 0 1\n"); /* The case where the above is the same */
d251207d
LP		 1772 if (!uid_map)
1773 return -ENOMEM;
1774
1775 if (gid != 0 && gid_is_valid(gid))
1776 asprintf(&gid_map,
1777 "0 0 1\n" /* Map root → root */
1778 GID_FMT " " GID_FMT " 1\n", /* Map $GID → $GID */
1779 gid, gid);
1780 else
1781 gid_map = strdup("0 0 1\n"); /* The case where the above is the same */
1782 if (!gid_map)
1783 return -ENOMEM;
1784
1785 /* Create a communication channel so that the parent can tell the child when it finished creating the user
1786 * namespace. */
1787 unshare_ready_fd = eventfd(0, EFD_CLOEXEC);
1788 if (unshare_ready_fd < 0)
1789 return -errno;
1790
1791 /* Create a communication channel so that the child can tell the parent a proper error code in case it
1792 * failed. */
1793 if (pipe2(errno_pipe, O_CLOEXEC) < 0)
1794 return -errno;
1795
1796 pid = fork();
1797 if (pid < 0)
1798 return -errno;
1799
1800 if (pid == 0) {
1801 _cleanup_close_ int fd = -1;
1802 const char *a;
1803 pid_t ppid;
1804
1805 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
1806 * here, after the parent opened its own user namespace. */
1807
1808 ppid = getppid();
1809 errno_pipe[0] = safe_close(errno_pipe[0]);
1810
1811 /* Wait until the parent unshared the user namespace */
1812 if (read(unshare_ready_fd, &c, sizeof(c)) < 0) {
1813 r = -errno;
1814 goto child_fail;
1815 }
1816
1817 /* Disable the setgroups() system call in the child user namespace, for good. */
1818 a = procfs_file_alloca(ppid, "setgroups");
1819 fd = open(a, O_WRONLY|O_CLOEXEC);
1820 if (fd < 0) {
1821 if (errno != ENOENT) {
1822 r = -errno;
1823 goto child_fail;
1824 }
1825
1826 /* If the file is missing the kernel is too old, let's continue anyway. */
1827 } else {
1828 if (write(fd, "deny\n", 5) < 0) {
1829 r = -errno;
1830 goto child_fail;
1831 }
1832
1833 fd = safe_close(fd);
1834 }
1835
1836 /* First write the GID map */
1837 a = procfs_file_alloca(ppid, "gid_map");
1838 fd = open(a, O_WRONLY|O_CLOEXEC);
1839 if (fd < 0) {
1840 r = -errno;
1841 goto child_fail;
1842 }
1843 if (write(fd, gid_map, strlen(gid_map)) < 0) {
1844 r = -errno;
1845 goto child_fail;
1846 }
1847 fd = safe_close(fd);
1848
1849 /* The write the UID map */
1850 a = procfs_file_alloca(ppid, "uid_map");
1851 fd = open(a, O_WRONLY|O_CLOEXEC);
1852 if (fd < 0) {
1853 r = -errno;
1854 goto child_fail;
1855 }
1856 if (write(fd, uid_map, strlen(uid_map)) < 0) {
1857 r = -errno;
1858 goto child_fail;
1859 }
1860
1861 _exit(EXIT_SUCCESS);
1862
1863 child_fail:
1864 (void) write(errno_pipe[1], &r, sizeof(r));
1865 _exit(EXIT_FAILURE);
1866 }
1867
1868 errno_pipe[1] = safe_close(errno_pipe[1]);
1869
1870 if (unshare(CLONE_NEWUSER) < 0)
1871 return -errno;
1872
1873 /* Let the child know that the namespace is ready now */
1874 if (write(unshare_ready_fd, &c, sizeof(c)) < 0)
1875 return -errno;
1876
1877 /* Try to read an error code from the child */
1878 n = read(errno_pipe[0], &r, sizeof(r));
1879 if (n < 0)
1880 return -errno;
1881 if (n == sizeof(r)) { /* an error code was sent to us */
1882 if (r < 0)
1883 return r;
1884 return -EIO;
1885 }
1886 if (n != 0) /* on success we should have read 0 bytes */
1887 return -EIO;
1888
1889 r = wait_for_terminate(pid, &si);
1890 if (r < 0)
1891 return r;
1892 pid = 0;
1893
1894 /* If something strange happened with the child, let's consider this fatal, too */
1895 if (si.si_code != CLD_EXITED || si.si_status != 0)
1896 return -EIO;
1897
1898 return 0;
1899}
1900
07689d5d
LP		 1901static int setup_runtime_directory(
1902 const ExecContext *context,
1903 const ExecParameters *params,
1904 uid_t uid,
1905 gid_t gid) {
1906
1907 char **rt;
1908 int r;
1909
1910 assert(context);
1911 assert(params);
1912
1913 STRV_FOREACH(rt, context->runtime_directory) {
1914 _cleanup_free_ char *p;
1915
1916 p = strjoin(params->runtime_prefix, "/", *rt, NULL);
1917 if (!p)
1918 return -ENOMEM;
1919
1920 r = mkdir_p_label(p, context->runtime_directory_mode);
1921 if (r < 0)
1922 return r;
1923
1924 r = chmod_and_chown(p, context->runtime_directory_mode, uid, gid);
1925 if (r < 0)
1926 return r;
1927 }
1928
1929 return 0;
1930}
1931
cefc33ae
LP		 1932static int setup_smack(
1933 const ExecContext *context,
1934 const ExecCommand *command) {
1935
1936#ifdef HAVE_SMACK
1937 int r;
1938
1939 assert(context);
1940 assert(command);
1941
1942 if (!mac_smack_use())
1943 return 0;
1944
1945 if (context->smack_process_label) {
1946 r = mac_smack_apply_pid(0, context->smack_process_label);
1947 if (r < 0)
1948 return r;
1949 }
1950#ifdef SMACK_DEFAULT_PROCESS_LABEL
1951 else {
1952 _cleanup_free_ char *exec_label = NULL;
1953
1954 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
1955 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP)
1956 return r;
1957
1958 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
1959 if (r < 0)
1960 return r;
1961 }
1962#endif
1963#endif
1964
1965 return 0;
1966}
1967
3fbe8dbe
LP		 1968static int compile_read_write_paths(
1969 const ExecContext *context,
1970 const ExecParameters *params,
1971 char ***ret) {
1972
1973 _cleanup_strv_free_ char **l = NULL;
1974 char **rt;
1975
1976 /* Compile the list of writable paths. This is the combination of the explicitly configured paths, plus all
1977 * runtime directories. */
1978
1979 if (strv_isempty(context->read_write_paths) &&
1980 strv_isempty(context->runtime_directory)) {
1981 *ret = NULL; /* NOP if neither is set */
1982 return 0;
1983 }
1984
1985 l = strv_copy(context->read_write_paths);
1986 if (!l)
1987 return -ENOMEM;
1988
1989 STRV_FOREACH(rt, context->runtime_directory) {
1990 char *s;
1991
1992 s = strjoin(params->runtime_prefix, "/", *rt, NULL);
1993 if (!s)
1994 return -ENOMEM;
1995
1996 if (strv_consume(&l, s) < 0)
1997 return -ENOMEM;
1998 }
1999
2000 *ret = l;
2001 l = NULL;
2002
2003 return 0;
2004}
2005
93c6bb51
DH		 2006static int apply_mount_namespace(Unit *u, const ExecContext *context,
2007 const ExecParameters *params,
2008 ExecRuntime *runtime) {
2009 int r;
2010 _cleanup_free_ char **rw = NULL;
2011 char *tmp = NULL, *var = NULL;
2012 const char *root_dir = NULL;
2013 NameSpaceInfo ns_info = {
2014 .private_dev = context->private_devices,
2015 .protect_control_groups = context->protect_control_groups,
2016 .protect_kernel_tunables = context->protect_kernel_tunables,
2017 .protect_kernel_modules = context->protect_kernel_modules,
2018 };
2019
2020 /* The runtime struct only contains the parent of the private /tmp,
2021 * which is non-accessible to world users. Inside of it there's a /tmp
2022 * that is sticky, and that's the one we want to use here. */
2023
2024 if (context->private_tmp && runtime) {
2025 if (runtime->tmp_dir)
2026 tmp = strjoina(runtime->tmp_dir, "/tmp");
2027 if (runtime->var_tmp_dir)
2028 var = strjoina(runtime->var_tmp_dir, "/tmp");
2029 }
2030
2031 r = compile_read_write_paths(context, params, &rw);
2032 if (r < 0)
2033 return r;
2034
2035 if (params->flags & EXEC_APPLY_CHROOT)
2036 root_dir = context->root_directory;
2037
2038 r = setup_namespace(root_dir, &ns_info, rw,
2039 context->read_only_paths,
2040 context->inaccessible_paths,
2041 tmp,
2042 var,
2043 context->protect_home,
2044 context->protect_system,
2045 context->mount_flags);
2046
2047 /* If we couldn't set up the namespace this is probably due to a
2048 * missing capability. In this case, silently proceeed. */
2049 if (IN_SET(r, -EPERM, -EACCES)) {
2050 log_open();
2051 log_unit_debug_errno(u, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
2052 log_close();
2053 r = 0;
2054 }
2055
2056 return r;
2057}
2058
e7f1e7c6
DH		 2059static int apply_working_directory(const ExecContext *context,
2060 const ExecParameters *params,
2061 const char *working_directory,
2062 const bool needs_mount_ns) {
2063
2064 if (params->flags & EXEC_APPLY_CHROOT) {
2065 if (!needs_mount_ns && context->root_directory)
2066 if (chroot(context->root_directory) < 0)
2067 return -errno;
2068
2069 if (chdir(working_directory) < 0 &&
2070 !context->working_directory_missing_ok)
2071 return -errno;
2072
2073 } else {
2074 const char *d;
2075
2076 d = strjoina(strempty(context->root_directory), "/",
2077 strempty(working_directory));
2078 if (chdir(d) < 0 &&
2079 !context->working_directory_missing_ok)
2080 return -errno;
2081 }
2082
2083 return 0;
2084}
2085
29206d46
LP		 2086static void append_socket_pair(int *array, unsigned *n, int pair[2]) {
2087 assert(array);
2088 assert(n);
2089
2090 if (!pair)
2091 return;
2092
2093 if (pair[0] >= 0)
2094 array[(*n)++] = pair[0];
2095 if (pair[1] >= 0)
2096 array[(*n)++] = pair[1];
2097}
2098
a34ceba6
LP		 2099static int close_remaining_fds(
2100 const ExecParameters *params,
2101 ExecRuntime *runtime,
29206d46 2102 DynamicCreds *dcreds,
00d9ef85 2103 int user_lookup_fd,
a34ceba6
LP		 2104 int socket_fd,
2105 int *fds, unsigned n_fds) {
2106
2107 unsigned n_dont_close = 0;
00d9ef85 2108 int dont_close[n_fds + 12];
a34ceba6
LP		 2109
2110 assert(params);
2111
2112 if (params->stdin_fd >= 0)
2113 dont_close[n_dont_close++] = params->stdin_fd;
2114 if (params->stdout_fd >= 0)
2115 dont_close[n_dont_close++] = params->stdout_fd;
2116 if (params->stderr_fd >= 0)
2117 dont_close[n_dont_close++] = params->stderr_fd;
2118
2119 if (socket_fd >= 0)
2120 dont_close[n_dont_close++] = socket_fd;
2121 if (n_fds > 0) {
2122 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
2123 n_dont_close += n_fds;
2124 }
2125
29206d46
LP		 2126 if (runtime)
2127 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
2128
2129 if (dcreds) {
2130 if (dcreds->user)
2131 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
2132 if (dcreds->group)
2133 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
a34ceba6
LP		 2134 }
2135
00d9ef85
LP		 2136 if (user_lookup_fd >= 0)
2137 dont_close[n_dont_close++] = user_lookup_fd;
2138
a34ceba6
LP		 2139 return close_all_fds(dont_close, n_dont_close);
2140}
2141
59eeb84b
LP		 2142static bool context_has_address_families(const ExecContext *c) {
2143 assert(c);
2144
2145 return c->address_families_whitelist ||
2146 !set_isempty(c->address_families);
2147}
2148
2149static bool context_has_syscall_filters(const ExecContext *c) {
2150 assert(c);
2151
2152 return c->syscall_whitelist ||
2153 !set_isempty(c->syscall_filter) ||
2154 !set_isempty(c->syscall_archs);
2155}
2156
2157static bool context_has_no_new_privileges(const ExecContext *c) {
2158 assert(c);
2159
2160 if (c->no_new_privileges)
2161 return true;
2162
2163 if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
2164 return false;
2165
2166 return context_has_address_families(c) || /* we need NNP if we have any form of seccomp and are unprivileged */
2167 c->memory_deny_write_execute ||
2168 c->restrict_realtime ||
2169 c->protect_kernel_tunables ||
4084e8fc
DH		 2170 c->protect_kernel_modules ||
2171 c->private_devices ||
59eeb84b
LP		 2172 context_has_syscall_filters(c);
2173}
2174
00d9ef85
LP		 2175static int send_user_lookup(
2176 Unit *unit,
2177 int user_lookup_fd,
2178 uid_t uid,
2179 gid_t gid) {
2180
2181 assert(unit);
2182
2183 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
2184 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
2185 * specified. */
2186
2187 if (user_lookup_fd < 0)
2188 return 0;
2189
2190 if (!uid_is_valid(uid) && !gid_is_valid(gid))
2191 return 0;
2192
2193 if (writev(user_lookup_fd,
2194 (struct iovec[]) {
2195 { .iov_base = &uid, .iov_len = sizeof(uid) },
2196 { .iov_base = &gid, .iov_len = sizeof(gid) },
2197 { .iov_base = unit->id, .iov_len = strlen(unit->id) }}, 3) < 0)
2198 return -errno;
2199
2200 return 0;
2201}
2202
ff0af2a1 2203static int exec_child(
f2341e0a 2204 Unit *unit,
ff0af2a1
LP		 2205 ExecCommand *command,
2206 const ExecContext *context,
2207 const ExecParameters *params,
2208 ExecRuntime *runtime,
29206d46 2209 DynamicCreds *dcreds,
ff0af2a1
LP		 2210 char **argv,
2211 int socket_fd,
52c239d7 2212 int named_iofds[3],
ff0af2a1
LP		 2213 int *fds, unsigned n_fds,
2214 char **files_env,
00d9ef85 2215 int user_lookup_fd,
ff0af2a1 2216 int *exit_status) {
d35fbf6b 2217
2065ca69 2218 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **final_argv = NULL;
9008e1ac 2219 _cleanup_free_ char *mac_selinux_context_net = NULL;
4d885bd3
DH		 2220 _cleanup_free_ gid_t *supplementary_gids = NULL;
2221 const char *username = NULL, *groupname = NULL;
2222 const char *home = NULL, *shell = NULL, *wd;
7bce046b
LP		 2223 dev_t journal_stream_dev = 0;
2224 ino_t journal_stream_ino = 0;
2225 bool needs_mount_namespace;
fed1e721
LP		 2226 uid_t uid = UID_INVALID;
2227 gid_t gid = GID_INVALID;
4d885bd3 2228 int i, r, ngids = 0;
034c6ed7 2229
f2341e0a 2230 assert(unit);
5cb5a6ff
LP		 2231 assert(command);
2232 assert(context);
d35fbf6b 2233 assert(params);
ff0af2a1 2234 assert(exit_status);
d35fbf6b
DM		 2235
2236 rename_process_from_path(command->path);
2237
2238 /* We reset exactly these signals, since they are the
2239 * only ones we set to SIG_IGN in the main daemon. All
2240 * others we leave untouched because we set them to
2241 * SIG_DFL or a valid handler initially, both of which
2242 * will be demoted to SIG_DFL. */
ce30c8dc
LP		 2243 (void) default_signals(SIGNALS_CRASH_HANDLER,
2244 SIGNALS_IGNORE, -1);
d35fbf6b
DM		 2245
2246 if (context->ignore_sigpipe)
ce30c8dc 2247 (void) ignore_signals(SIGPIPE, -1);
d35fbf6b 2248
ff0af2a1
LP		 2249 r = reset_signal_mask();
2250 if (r < 0) {
2251 *exit_status = EXIT_SIGNAL_MASK;
2252 return r;
d35fbf6b 2253 }
034c6ed7 2254
d35fbf6b
DM		 2255 if (params->idle_pipe)
2256 do_idle_pipe_dance(params->idle_pipe);
4f2d528d 2257
d35fbf6b
DM		 2258 /* Close sockets very early to make sure we don't
2259 * block init reexecution because it cannot bind its
2260 * sockets */
ff0af2a1 2261
d35fbf6b 2262 log_forget_fds();
4f2d528d 2263
00d9ef85 2264 r = close_remaining_fds(params, runtime, dcreds, user_lookup_fd, socket_fd, fds, n_fds);
ff0af2a1
LP		 2265 if (r < 0) {
2266 *exit_status = EXIT_FDS;
2267 return r;
8c7be95e
LP		 2268 }
2269
d35fbf6b
DM		 2270 if (!context->same_pgrp)
2271 if (setsid() < 0) {
ff0af2a1 2272 *exit_status = EXIT_SETSID;
d35fbf6b
DM		 2273 return -errno;
2274 }
9e2f7c11 2275
1e22b5cd 2276 exec_context_tty_reset(context, params);
d35fbf6b 2277
c39f1ce2 2278 if (params->flags & EXEC_CONFIRM_SPAWN) {
d35fbf6b
DM		 2279 char response;
2280
ff0af2a1
LP		 2281 r = ask_for_confirmation(&response, argv);
2282 if (r == -ETIMEDOUT)
d35fbf6b 2283 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
ff0af2a1
LP		 2284 else if (r < 0)
2285 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-r));
d35fbf6b
DM		 2286 else if (response == 's') {
2287 write_confirm_message("Skipping execution.\n");
ff0af2a1 2288 *exit_status = EXIT_CONFIRM;
d35fbf6b
DM		 2289 return -ECANCELED;
2290 } else if (response == 'n') {
2291 write_confirm_message("Failing execution.\n");
ff0af2a1 2292 *exit_status = 0;
d35fbf6b
DM		 2293 return 0;
2294 }
2295 }
1a63a750 2296
29206d46
LP		 2297 if (context->dynamic_user && dcreds) {
2298
409093fe
LP		 2299 /* Make sure we bypass our own NSS module for any NSS checks */
2300 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
2301 *exit_status = EXIT_USER;
2302 return -errno;
2303 }
2304
29206d46 2305 r = dynamic_creds_realize(dcreds, &uid, &gid);
ff0af2a1
LP		 2306 if (r < 0) {
2307 *exit_status = EXIT_USER;
2308 return r;
524daa8c 2309 }
524daa8c 2310
92b25bca 2311 if (!uid_is_valid(uid) || !gid_is_valid(gid)) {
29206d46
LP		 2312 *exit_status = EXIT_USER;
2313 return -ESRCH;
2314 }
5bc7452b 2315
29206d46
LP		 2316 if (dcreds->user)
2317 username = dcreds->user->name;
2318
2319 } else {
4d885bd3
DH		 2320 r = get_fixed_user(context, &username, &uid, &gid, &home, &shell);
2321 if (r < 0) {
2322 *exit_status = EXIT_USER;
2323 return r;
5bc7452b 2324 }
5bc7452b 2325
4d885bd3
DH		 2326 r = get_fixed_group(context, &groupname, &gid);
2327 if (r < 0) {
2328 *exit_status = EXIT_GROUP;
2329 return r;
2330 }
29206d46 2331
4d885bd3
DH		 2332 r = get_fixed_supplementary_groups(context, username, groupname,
2333 gid, &supplementary_gids, &ngids);
2334 if (r < 0) {
2335 *exit_status = EXIT_GROUP;
2336 return r;
29206d46
LP		 2337 }
2338 }
5bc7452b 2339
00d9ef85
LP		 2340 r = send_user_lookup(unit, user_lookup_fd, uid, gid);
2341 if (r < 0) {
2342 *exit_status = EXIT_USER;
2343 return r;
2344 }
2345
2346 user_lookup_fd = safe_close(user_lookup_fd);
2347
d35fbf6b
DM		 2348 /* If a socket is connected to STDIN/STDOUT/STDERR, we
2349 * must sure to drop O_NONBLOCK */
2350 if (socket_fd >= 0)
a34ceba6 2351 (void) fd_nonblock(socket_fd, false);
acbb0225 2352
52c239d7 2353 r = setup_input(context, params, socket_fd, named_iofds);
ff0af2a1
LP		 2354 if (r < 0) {
2355 *exit_status = EXIT_STDIN;
2356 return r;
d35fbf6b 2357 }
034c6ed7 2358
52c239d7 2359 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 2360 if (r < 0) {
2361 *exit_status = EXIT_STDOUT;
2362 return r;
d35fbf6b
DM		 2363 }
2364
52c239d7 2365 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 2366 if (r < 0) {
2367 *exit_status = EXIT_STDERR;
2368 return r;
d35fbf6b
DM		 2369 }
2370
2371 if (params->cgroup_path) {
ff0af2a1
LP		 2372 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
2373 if (r < 0) {
2374 *exit_status = EXIT_CGROUP;
2375 return r;
309bff19 2376 }
d35fbf6b 2377 }
309bff19 2378
d35fbf6b 2379 if (context->oom_score_adjust_set) {
d5243d62 2380 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
f2b68789 2381
d5243d62
LP		 2382 /* When we can't make this change due to EPERM, then
2383 * let's silently skip over it. User namespaces
2384 * prohibit write access to this file, and we
2385 * shouldn't trip up over that. */
613b411c 2386
d5243d62 2387 sprintf(t, "%i", context->oom_score_adjust);
ad118bda 2388 r = write_string_file("/proc/self/oom_score_adj", t, 0);
6cb7fa17 2389 if (r == -EPERM || r == -EACCES) {
ff0af2a1 2390 log_open();
f2341e0a 2391 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
ff0af2a1
LP		 2392 log_close();
2393 } else if (r < 0) {
2394 *exit_status = EXIT_OOM_ADJUST;
d35fbf6b 2395 return -errno;
613b411c 2396 }
d35fbf6b
DM		 2397 }
2398
2399 if (context->nice_set)
2400 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
ff0af2a1 2401 *exit_status = EXIT_NICE;
d35fbf6b 2402 return -errno;
613b411c
LP		 2403 }
2404
d35fbf6b
DM		 2405 if (context->cpu_sched_set) {
2406 struct sched_param param = {
2407 .sched_priority = context->cpu_sched_priority,
2408 };
2409
ff0af2a1
LP		 2410 r = sched_setscheduler(0,
2411 context->cpu_sched_policy |
2412 (context->cpu_sched_reset_on_fork ?
2413 SCHED_RESET_ON_FORK : 0),
2414 &param);
2415 if (r < 0) {
2416 *exit_status = EXIT_SETSCHEDULER;
d35fbf6b 2417 return -errno;
fc9b2a84 2418 }
d35fbf6b 2419 }
fc9b2a84 2420
d35fbf6b
DM		 2421 if (context->cpuset)
2422 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
ff0af2a1 2423 *exit_status = EXIT_CPUAFFINITY;
d35fbf6b 2424 return -errno;
034c6ed7
LP		 2425 }
2426
d35fbf6b
DM		 2427 if (context->ioprio_set)
2428 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
ff0af2a1 2429 *exit_status = EXIT_IOPRIO;
d35fbf6b
DM		 2430 return -errno;
2431 }
da726a4d 2432
d35fbf6b
DM		 2433 if (context->timer_slack_nsec != NSEC_INFINITY)
2434 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
ff0af2a1 2435 *exit_status = EXIT_TIMERSLACK;
d35fbf6b 2436 return -errno;
4c2630eb 2437 }
9eba9da4 2438
050f7277 2439 if (context->personality != PERSONALITY_INVALID)
d35fbf6b 2440 if (personality(context->personality) < 0) {
ff0af2a1 2441 *exit_status = EXIT_PERSONALITY;
d35fbf6b 2442 return -errno;
4c2630eb 2443 }
94f04347 2444
d35fbf6b 2445 if (context->utmp_id)
023a4f67
LP		 2446 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path,
2447 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
2448 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
2449 USER_PROCESS,
2450 username ? "root" : context->user);
d35fbf6b 2451
e0d2adfd 2452 if (context->user) {
ff0af2a1
LP		 2453 r = chown_terminal(STDIN_FILENO, uid);
2454 if (r < 0) {
2455 *exit_status = EXIT_STDIN;
2456 return r;
071830ff 2457 }
d35fbf6b 2458 }
8e274523 2459
a931ad47
LP		 2460 /* If delegation is enabled we'll pass ownership of the cgroup
2461 * (but only in systemd's own controller hierarchy!) to the
2462 * user of the new process. */
2463 if (params->cgroup_path && context->user && params->cgroup_delegate) {
ff0af2a1
LP		 2464 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
2465 if (r < 0) {
2466 *exit_status = EXIT_CGROUP;
2467 return r;
d35fbf6b 2468 }
034c6ed7 2469
034c6ed7 2470
ff0af2a1
LP		 2471 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
2472 if (r < 0) {
2473 *exit_status = EXIT_CGROUP;
2474 return r;
034c6ed7 2475 }
d35fbf6b 2476 }
034c6ed7 2477
d35fbf6b 2478 if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
07689d5d
LP		 2479 r = setup_runtime_directory(context, params, uid, gid);
2480 if (r < 0) {
2481 *exit_status = EXIT_RUNTIME_DIRECTORY;
2482 return r;
d35fbf6b
DM		 2483 }
2484 }
94f04347 2485
7bce046b 2486 r = build_environment(
fd63e712 2487 unit,
7bce046b
LP		 2488 context,
2489 params,
2490 n_fds,
2491 home,
2492 username,
2493 shell,
2494 journal_stream_dev,
2495 journal_stream_ino,
2496 &our_env);
2065ca69
JW		 2497 if (r < 0) {
2498 *exit_status = EXIT_MEMORY;
2499 return r;
2500 }
2501
2502 r = build_pass_environment(context, &pass_env);
2503 if (r < 0) {
2504 *exit_status = EXIT_MEMORY;
2505 return r;
2506 }
2507
2508 accum_env = strv_env_merge(5,
2509 params->environment,
2510 our_env,
2511 pass_env,
2512 context->environment,
2513 files_env,
2514 NULL);
2515 if (!accum_env) {
2516 *exit_status = EXIT_MEMORY;
2517 return -ENOMEM;
2518 }
1280503b 2519 accum_env = strv_env_clean(accum_env);
2065ca69 2520
096424d1 2521 (void) umask(context->umask);
b213e1c1 2522
c39f1ce2 2523 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
cefc33ae
LP		 2524 r = setup_smack(context, command);
2525 if (r < 0) {
2526 *exit_status = EXIT_SMACK_PROCESS_LABEL;
2527 return r;
6bf6e43e 2528 }
6bf6e43e 2529
b213e1c1 2530 if (context->pam_name && username) {
2d6fce8d 2531 r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds);
b213e1c1
SW		 2532 if (r < 0) {
2533 *exit_status = EXIT_PAM;
2534 return r;
2535 }
d35fbf6b 2536 }
b213e1c1 2537 }
ac45f971 2538
d35fbf6b 2539 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
ff0af2a1
LP		 2540 r = setup_netns(runtime->netns_storage_socket);
2541 if (r < 0) {
2542 *exit_status = EXIT_NETWORK;
2543 return r;
d35fbf6b
DM		 2544 }
2545 }
169c1bda 2546
ee818b89 2547 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
ee818b89 2548 if (needs_mount_namespace) {
93c6bb51 2549 r = apply_mount_namespace(unit, context, params, runtime);
3fbe8dbe
LP		 2550 if (r < 0) {
2551 *exit_status = EXIT_NAMESPACE;
2552 return r;
2553 }
d35fbf6b 2554 }
81a2b7ce 2555
8b6903ad
DH		 2556 if (context->working_directory_home)
2557 wd = home;
2558 else if (context->working_directory)
2559 wd = context->working_directory;
2560 else
2561 wd = "/";
2562
4d885bd3 2563 /* Drop group as early as possbile */
096424d1 2564 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
4d885bd3 2565 r = enforce_groups(context, gid, supplementary_gids, ngids);
096424d1
LP		 2566 if (r < 0) {
2567 *exit_status = EXIT_GROUP;
2568 return r;
2569 }
2570 }
2571
e7f1e7c6
DH		 2572 r = apply_working_directory(context, params, wd, needs_mount_namespace);
2573 if (r < 0) {
2574 *exit_status = EXIT_CHROOT;
2575 return r;
d35fbf6b 2576 }
e66cf1a3 2577
9008e1ac 2578#ifdef HAVE_SELINUX
c39f1ce2
LP		 2579 if ((params->flags & EXEC_APPLY_PERMISSIONS) &&
2580 mac_selinux_use() &&
2581 params->selinux_context_net &&
2582 socket_fd >= 0 &&
2583 !command->privileged) {
2584
ff0af2a1
LP		 2585 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
2586 if (r < 0) {
2587 *exit_status = EXIT_SELINUX_CONTEXT;
2588 return r;
9008e1ac
MS		 2589 }
2590 }
2591#endif
2592
d87a2ef7 2593 if ((params->flags & EXEC_APPLY_PERMISSIONS) && context->private_users) {
d251207d
LP		 2594 r = setup_private_users(uid, gid);
2595 if (r < 0) {
2596 *exit_status = EXIT_USER;
2597 return r;
2598 }
2599 }
2600
d35fbf6b
DM		 2601 /* We repeat the fd closing here, to make sure that
2602 * nothing is leaked from the PAM modules. Note that
2603 * we are more aggressive this time since socket_fd
e44da745
DM		 2604 * and the netns fds we don't need anymore. The custom
2605 * endpoint fd was needed to upload the policy and can
2606 * now be closed as well. */
ff0af2a1
LP		 2607 r = close_all_fds(fds, n_fds);
2608 if (r >= 0)
2609 r = shift_fds(fds, n_fds);
2610 if (r >= 0)
2611 r = flags_fds(fds, n_fds, context->non_blocking);
2612 if (r < 0) {
2613 *exit_status = EXIT_FDS;
2614 return r;
d35fbf6b 2615 }
e66cf1a3 2616
c39f1ce2 2617 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
e66cf1a3 2618
755d4b67
IP		 2619 int secure_bits = context->secure_bits;
2620
d35fbf6b 2621 for (i = 0; i < _RLIMIT_MAX; i++) {
03857c43 2622
d35fbf6b
DM		 2623 if (!context->rlimit[i])
2624 continue;
2625
03857c43
LP		 2626 r = setrlimit_closest(i, context->rlimit[i]);
2627 if (r < 0) {
ff0af2a1 2628 *exit_status = EXIT_LIMITS;
03857c43 2629 return r;
e66cf1a3
LP		 2630 }
2631 }
2632
f4170c67
LP		 2633 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */
2634 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
2635 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
2636 *exit_status = EXIT_LIMITS;
2637 return -errno;
2638 }
2639 }
2640
a103496c
IP		 2641 if (!cap_test_all(context->capability_bounding_set)) {
2642 r = capability_bounding_set_drop(context->capability_bounding_set, false);
ff0af2a1
LP		 2643 if (r < 0) {
2644 *exit_status = EXIT_CAPABILITIES;
2645 return r;
3b8bddde 2646 }
4c2630eb 2647 }
3b8bddde 2648
755d4b67
IP		 2649 /* This is done before enforce_user, but ambient set
2650 * does not survive over setresuid() if keep_caps is not set. */
2651 if (context->capability_ambient_set != 0) {
2652 r = capability_ambient_set_apply(context->capability_ambient_set, true);
2653 if (r < 0) {
2654 *exit_status = EXIT_CAPABILITIES;
2655 return r;
2656 }
755d4b67
IP		 2657 }
2658
d35fbf6b 2659 if (context->user) {
ff0af2a1
LP		 2660 r = enforce_user(context, uid);
2661 if (r < 0) {
2662 *exit_status = EXIT_USER;
2663 return r;
5b6319dc 2664 }
755d4b67
IP		 2665 if (context->capability_ambient_set != 0) {
2666
2667 /* Fix the ambient capabilities after user change. */
2668 r = capability_ambient_set_apply(context->capability_ambient_set, false);
2669 if (r < 0) {
2670 *exit_status = EXIT_CAPABILITIES;
2671 return r;
2672 }
2673
2674 /* If we were asked to change user and ambient capabilities
2675 * were requested, we had to add keep-caps to the securebits
2676 * so that we would maintain the inherited capability set
2677 * through the setresuid(). Make sure that the bit is added
2678 * also to the context secure_bits so that we don't try to
2679 * drop the bit away next. */
2680
7f508f2c 2681 secure_bits |= 1<<SECURE_KEEP_CAPS;
755d4b67 2682 }
5b6319dc 2683 }
d35fbf6b
DM		 2684
2685 /* PR_GET_SECUREBITS is not privileged, while
2686 * PR_SET_SECUREBITS is. So to suppress
2687 * potential EPERMs we'll try not to call
2688 * PR_SET_SECUREBITS unless necessary. */
755d4b67
IP		 2689 if (prctl(PR_GET_SECUREBITS) != secure_bits)
2690 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
ff0af2a1 2691 *exit_status = EXIT_SECUREBITS;
d35fbf6b 2692 return -errno;
ff01d048 2693 }
5b6319dc 2694
59eeb84b 2695 if (context_has_no_new_privileges(context))
d35fbf6b 2696 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
ff0af2a1 2697 *exit_status = EXIT_NO_NEW_PRIVILEGES;
d35fbf6b
DM		 2698 return -errno;
2699 }
2700
2701#ifdef HAVE_SECCOMP
59eeb84b 2702 if (context_has_address_families(context)) {
83f12b27 2703 r = apply_address_families(unit, context);
ff0af2a1
LP		 2704 if (r < 0) {
2705 *exit_status = EXIT_ADDRESS_FAMILIES;
2706 return r;
4c2630eb
MS		 2707 }
2708 }
04aa0cb9 2709
f3e43635 2710 if (context->memory_deny_write_execute) {
83f12b27 2711 r = apply_memory_deny_write_execute(unit, context);
f3e43635
TM		 2712 if (r < 0) {
2713 *exit_status = EXIT_SECCOMP;
2714 return r;
2715 }
2716 }
f4170c67
LP		 2717
2718 if (context->restrict_realtime) {
83f12b27 2719 r = apply_restrict_realtime(unit, context);
f4170c67
LP		 2720 if (r < 0) {
2721 *exit_status = EXIT_SECCOMP;
2722 return r;
2723 }
2724 }
2725
59eeb84b
LP		 2726 if (context->protect_kernel_tunables) {
2727 r = apply_protect_sysctl(unit, context);
2728 if (r < 0) {
2729 *exit_status = EXIT_SECCOMP;
2730 return r;
502d704e
DH		 2731 }
2732 }
2733
2734 if (context->protect_kernel_modules) {
2735 r = apply_protect_kernel_modules(unit, context);
2736 if (r < 0) {
2737 *exit_status = EXIT_SECCOMP;
2738 return r;
59eeb84b
LP		 2739 }
2740 }
2741
ba128bb8
LP		 2742 if (context->private_devices) {
2743 r = apply_private_devices(unit, context);
2744 if (r < 0) {
2745 *exit_status = EXIT_SECCOMP;
2746 return r;
2747 }
2748 }
2749
59eeb84b 2750 if (context_has_syscall_filters(context)) {
83f12b27 2751 r = apply_seccomp(unit, context);
ff0af2a1
LP		 2752 if (r < 0) {
2753 *exit_status = EXIT_SECCOMP;
2754 return r;
81a2b7ce 2755 }
d35fbf6b
DM		 2756 }
2757#endif
81a2b7ce 2758
d35fbf6b 2759#ifdef HAVE_SELINUX
6baa7db0 2760 if (mac_selinux_use()) {
9008e1ac 2761 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
16115b0a 2762
9008e1ac 2763 if (exec_context) {
ff0af2a1
LP		 2764 r = setexeccon(exec_context);
2765 if (r < 0) {
2766 *exit_status = EXIT_SELINUX_CONTEXT;
2767 return r;
16115b0a 2768 }
81a2b7ce 2769 }
81a2b7ce 2770 }
d35fbf6b 2771#endif
81a2b7ce 2772
d35fbf6b 2773#ifdef HAVE_APPARMOR
6baa7db0 2774 if (context->apparmor_profile && mac_apparmor_use()) {
ff0af2a1
LP		 2775 r = aa_change_onexec(context->apparmor_profile);
2776 if (r < 0 && !context->apparmor_profile_ignore) {
2777 *exit_status = EXIT_APPARMOR_PROFILE;
5482192e 2778 return -errno;
d35fbf6b 2779 }
034c6ed7 2780 }
d35fbf6b
DM		 2781#endif
2782 }
034c6ed7 2783
2065ca69 2784 final_argv = replace_env_argv(argv, accum_env);
d35fbf6b 2785 if (!final_argv) {
ff0af2a1 2786 *exit_status = EXIT_MEMORY;
d35fbf6b
DM		 2787 return -ENOMEM;
2788 }
034c6ed7 2789
553d2243 2790 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
d35fbf6b 2791 _cleanup_free_ char *line;
81a2b7ce 2792
d35fbf6b
DM		 2793 line = exec_command_line(final_argv);
2794 if (line) {
2795 log_open();
f2341e0a
LP		 2796 log_struct(LOG_DEBUG,
2797 LOG_UNIT_ID(unit),
2798 "EXECUTABLE=%s", command->path,
2799 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
2800 NULL);
d35fbf6b
DM		 2801 log_close();
2802 }
2803 }
dd305ec9 2804
2065ca69 2805 execve(command->path, final_argv, accum_env);
ff0af2a1 2806 *exit_status = EXIT_EXEC;
d35fbf6b
DM		 2807 return -errno;
2808}
81a2b7ce 2809
f2341e0a
LP		 2810int exec_spawn(Unit *unit,
2811 ExecCommand *command,
d35fbf6b
DM		 2812 const ExecContext *context,
2813 const ExecParameters *params,
2814 ExecRuntime *runtime,
29206d46 2815 DynamicCreds *dcreds,
d35fbf6b 2816 pid_t *ret) {
8351ceae 2817
d35fbf6b
DM		 2818 _cleanup_strv_free_ char **files_env = NULL;
2819 int *fds = NULL; unsigned n_fds = 0;
ff0af2a1
LP		 2820 _cleanup_free_ char *line = NULL;
2821 int socket_fd, r;
52c239d7 2822 int named_iofds[3] = { -1, -1, -1 };
ff0af2a1 2823 char **argv;
d35fbf6b 2824 pid_t pid;
8351ceae 2825
f2341e0a 2826 assert(unit);
d35fbf6b
DM		 2827 assert(command);
2828 assert(context);
2829 assert(ret);
2830 assert(params);
2831 assert(params->fds || params->n_fds <= 0);
4298d0b5 2832
d35fbf6b
DM		 2833 if (context->std_input == EXEC_INPUT_SOCKET ||
2834 context->std_output == EXEC_OUTPUT_SOCKET ||
2835 context->std_error == EXEC_OUTPUT_SOCKET) {
17df7223 2836
ff0af2a1 2837 if (params->n_fds != 1) {
f2341e0a 2838 log_unit_error(unit, "Got more than one socket.");
d35fbf6b 2839 return -EINVAL;
ff0af2a1 2840 }
eef65bf3 2841
d35fbf6b
DM		 2842 socket_fd = params->fds[0];
2843 } else {
2844 socket_fd = -1;
2845 fds = params->fds;
2846 n_fds = params->n_fds;
2847 }
94f04347 2848
52c239d7
LB		 2849 r = exec_context_named_iofds(unit, context, params, named_iofds);
2850 if (r < 0)
2851 return log_unit_error_errno(unit, r, "Failed to load a named file descriptor: %m");
2852
f2341e0a 2853 r = exec_context_load_environment(unit, context, &files_env);
ff0af2a1 2854 if (r < 0)
f2341e0a 2855 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
034c6ed7 2856
d35fbf6b 2857 argv = params->argv ?: command->argv;
d35fbf6b
DM		 2858 line = exec_command_line(argv);
2859 if (!line)
2860 return log_oom();
fab56fc5 2861
f2341e0a
LP		 2862 log_struct(LOG_DEBUG,
2863 LOG_UNIT_ID(unit),
2864 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
2865 "EXECUTABLE=%s", command->path,
2866 NULL);
d35fbf6b
DM		 2867 pid = fork();
2868 if (pid < 0)
74129a12 2869 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
d35fbf6b
DM		 2870
2871 if (pid == 0) {
ff0af2a1
LP		 2872 int exit_status;
2873
f2341e0a
LP		 2874 r = exec_child(unit,
2875 command,
ff0af2a1
LP		 2876 context,
2877 params,
2878 runtime,
29206d46 2879 dcreds,
ff0af2a1
LP		 2880 argv,
2881 socket_fd,
52c239d7 2882 named_iofds,
ff0af2a1
LP		 2883 fds, n_fds,
2884 files_env,
00d9ef85 2885 unit->manager->user_lookup_fds[1],
ff0af2a1
LP		 2886 &exit_status);
2887 if (r < 0) {
4c2630eb 2888 log_open();
f2341e0a
LP		 2889 log_struct_errno(LOG_ERR, r,
2890 LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
2891 LOG_UNIT_ID(unit),
2892 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
2893 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
2894 command->path),
2895 "EXECUTABLE=%s", command->path,
2896 NULL);
4c2630eb
MS		 2897 }
2898
ff0af2a1 2899 _exit(exit_status);
034c6ed7
LP		 2900 }
2901
f2341e0a 2902 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
23635a85 2903
80876c20
LP		 2904 /* We add the new process to the cgroup both in the child (so
2905 * that we can be sure that no user code is ever executed
2906 * outside of the cgroup) and in the parent (so that we can be
2907 * sure that when we kill the cgroup the process will be
2908 * killed too). */
d35fbf6b 2909 if (params->cgroup_path)
dd305ec9 2910 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
2da3263a 2911
b58b4116 2912 exec_status_start(&command->exec_status, pid);
9fb86720 2913
034c6ed7 2914 *ret = pid;
5cb5a6ff
LP		 2915 return 0;
2916}
2917
034c6ed7
LP		 2918void exec_context_init(ExecContext *c) {
2919 assert(c);
2920
4c12626c 2921 c->umask = 0022;
9eba9da4 2922 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
94f04347 2923 c->cpu_sched_policy = SCHED_OTHER;
071830ff 2924 c->syslog_priority = LOG_DAEMON|LOG_INFO;
74922904 2925 c->syslog_level_prefix = true;
353e12c2 2926 c->ignore_sigpipe = true;
3a43da28 2927 c->timer_slack_nsec = NSEC_INFINITY;
050f7277 2928 c->personality = PERSONALITY_INVALID;
e66cf1a3 2929 c->runtime_directory_mode = 0755;
a103496c 2930 c->capability_bounding_set = CAP_ALL;
034c6ed7
LP		 2931}
2932
613b411c 2933void exec_context_done(ExecContext *c) {
5cb5a6ff
LP		 2934 unsigned l;
2935
2936 assert(c);
2937
6796073e
LP		 2938 c->environment = strv_free(c->environment);
2939 c->environment_files = strv_free(c->environment_files);
b4c14404 2940 c->pass_environment = strv_free(c->pass_environment);
8c7be95e 2941
1f6b4113 2942 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
a1e58e8e 2943 c->rlimit[l] = mfree(c->rlimit[l]);
034c6ed7 2944
52c239d7
LB		 2945 for (l = 0; l < 3; l++)
2946 c->stdio_fdname[l] = mfree(c->stdio_fdname[l]);
2947
a1e58e8e
LP		 2948 c->working_directory = mfree(c->working_directory);
2949 c->root_directory = mfree(c->root_directory);
2950 c->tty_path = mfree(c->tty_path);
2951 c->syslog_identifier = mfree(c->syslog_identifier);
2952 c->user = mfree(c->user);
2953 c->group = mfree(c->group);
034c6ed7 2954
6796073e 2955 c->supplementary_groups = strv_free(c->supplementary_groups);
94f04347 2956
a1e58e8e 2957 c->pam_name = mfree(c->pam_name);
5b6319dc 2958
2a624c36
AP		 2959 c->read_only_paths = strv_free(c->read_only_paths);
2960 c->read_write_paths = strv_free(c->read_write_paths);
2961 c->inaccessible_paths = strv_free(c->inaccessible_paths);
82c121a4
LP		 2962
2963 if (c->cpuset)
2964 CPU_FREE(c->cpuset);
86a3475b 2965
a1e58e8e
LP		 2966 c->utmp_id = mfree(c->utmp_id);
2967 c->selinux_context = mfree(c->selinux_context);
2968 c->apparmor_profile = mfree(c->apparmor_profile);
eef65bf3 2969
525d3cc7
LP		 2970 c->syscall_filter = set_free(c->syscall_filter);
2971 c->syscall_archs = set_free(c->syscall_archs);
2972 c->address_families = set_free(c->address_families);
e66cf1a3 2973
6796073e 2974 c->runtime_directory = strv_free(c->runtime_directory);
e66cf1a3
LP		 2975}
2976
2977int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
2978 char **i;
2979
2980 assert(c);
2981
2982 if (!runtime_prefix)
2983 return 0;
2984
2985 STRV_FOREACH(i, c->runtime_directory) {
2986 _cleanup_free_ char *p;
2987
2988 p = strjoin(runtime_prefix, "/", *i, NULL);
2989 if (!p)
2990 return -ENOMEM;
2991
2992 /* We execute this synchronously, since we need to be
2993 * sure this is gone when we start the service
2994 * next. */
c6878637 2995 (void) rm_rf(p, REMOVE_ROOT);
e66cf1a3
LP		 2996 }
2997
2998 return 0;
5cb5a6ff
LP		 2999}
3000
43d0fcbd
LP		 3001void exec_command_done(ExecCommand *c) {
3002 assert(c);
3003
a1e58e8e 3004 c->path = mfree(c->path);
43d0fcbd 3005
6796073e 3006 c->argv = strv_free(c->argv);
43d0fcbd
LP		 3007}
3008
3009void exec_command_done_array(ExecCommand *c, unsigned n) {
3010 unsigned i;
3011
3012 for (i = 0; i < n; i++)
3013 exec_command_done(c+i);
3014}
3015
f1acf85a 3016ExecCommand* exec_command_free_list(ExecCommand *c) {
5cb5a6ff
LP		 3017 ExecCommand *i;
3018
3019 while ((i = c)) {
71fda00f 3020 LIST_REMOVE(command, c, i);
43d0fcbd 3021 exec_command_done(i);
5cb5a6ff
LP		 3022 free(i);
3023 }
f1acf85a
ZJS		 3024
3025 return NULL;
5cb5a6ff
LP		 3026}
3027
034c6ed7
LP		 3028void exec_command_free_array(ExecCommand **c, unsigned n) {
3029 unsigned i;
3030
f1acf85a
ZJS		 3031 for (i = 0; i < n; i++)
3032 c[i] = exec_command_free_list(c[i]);
034c6ed7
LP		 3033}
3034
039f0e70 3035typedef struct InvalidEnvInfo {
f2341e0a 3036 Unit *unit;
039f0e70
LP		 3037 const char *path;
3038} InvalidEnvInfo;
3039
3040static void invalid_env(const char *p, void *userdata) {
3041 InvalidEnvInfo *info = userdata;
3042
f2341e0a 3043 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
039f0e70
LP		 3044}
3045
52c239d7
LB		 3046const char* exec_context_fdname(const ExecContext *c, int fd_index) {
3047 assert(c);
3048
3049 switch (fd_index) {
3050 case STDIN_FILENO:
3051 if (c->std_input != EXEC_INPUT_NAMED_FD)
3052 return NULL;
3053 return c->stdio_fdname[STDIN_FILENO] ?: "stdin";
3054 case STDOUT_FILENO:
3055 if (c->std_output != EXEC_OUTPUT_NAMED_FD)
3056 return NULL;
3057 return c->stdio_fdname[STDOUT_FILENO] ?: "stdout";
3058 case STDERR_FILENO:
3059 if (c->std_error != EXEC_OUTPUT_NAMED_FD)
3060 return NULL;
3061 return c->stdio_fdname[STDERR_FILENO] ?: "stderr";
3062 default:
3063 return NULL;
3064 }
3065}
3066
3067int exec_context_named_iofds(Unit *unit, const ExecContext *c, const ExecParameters *p, int named_iofds[3]) {
3068 unsigned i, targets;
3069 const char *stdio_fdname[3];
3070
3071 assert(c);
3072 assert(p);
3073
3074 targets = (c->std_input == EXEC_INPUT_NAMED_FD) +
3075 (c->std_output == EXEC_OUTPUT_NAMED_FD) +
3076 (c->std_error == EXEC_OUTPUT_NAMED_FD);
3077
3078 for (i = 0; i < 3; i++)
3079 stdio_fdname[i] = exec_context_fdname(c, i);
3080
3081 for (i = 0; i < p->n_fds && targets > 0; i++)
3082 if (named_iofds[STDIN_FILENO] < 0 && c->std_input == EXEC_INPUT_NAMED_FD && stdio_fdname[STDIN_FILENO] && streq(p->fd_names[i], stdio_fdname[STDIN_FILENO])) {
3083 named_iofds[STDIN_FILENO] = p->fds[i];
3084 targets--;
3085 } else if (named_iofds[STDOUT_FILENO] < 0 && c->std_output == EXEC_OUTPUT_NAMED_FD && stdio_fdname[STDOUT_FILENO] && streq(p->fd_names[i], stdio_fdname[STDOUT_FILENO])) {
3086 named_iofds[STDOUT_FILENO] = p->fds[i];
3087 targets--;
3088 } else if (named_iofds[STDERR_FILENO] < 0 && c->std_error == EXEC_OUTPUT_NAMED_FD && stdio_fdname[STDERR_FILENO] && streq(p->fd_names[i], stdio_fdname[STDERR_FILENO])) {
3089 named_iofds[STDERR_FILENO] = p->fds[i];
3090 targets--;
3091 }
3092
3093 return (targets == 0 ? 0 : -ENOENT);
3094}
3095
f2341e0a 3096int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
8c7be95e
LP		 3097 char **i, **r = NULL;
3098
3099 assert(c);
3100 assert(l);
3101
3102 STRV_FOREACH(i, c->environment_files) {
3103 char *fn;
3104 int k;
3105 bool ignore = false;
3106 char **p;
7fd1b19b 3107 _cleanup_globfree_ glob_t pglob = {};
2bef10ab 3108 int count, n;
8c7be95e
LP		 3109
3110 fn = *i;
3111
3112 if (fn[0] == '-') {
3113 ignore = true;
313cefa1 3114 fn++;
8c7be95e
LP		 3115 }
3116
3117 if (!path_is_absolute(fn)) {
8c7be95e
LP		 3118 if (ignore)
3119 continue;
3120
3121 strv_free(r);
3122 return -EINVAL;
3123 }
3124
2bef10ab 3125 /* Filename supports globbing, take all matching files */
2bef10ab
PL		 3126 errno = 0;
3127 if (glob(fn, 0, NULL, &pglob) != 0) {
2bef10ab
PL		 3128 if (ignore)
3129 continue;
8c7be95e 3130
2bef10ab 3131 strv_free(r);
f5e5c28f 3132 return errno > 0 ? -errno : -EINVAL;
2bef10ab
PL		 3133 }
3134 count = pglob.gl_pathc;
3135 if (count == 0) {
8c7be95e
LP		 3136 if (ignore)
3137 continue;
3138
3139 strv_free(r);
2bef10ab 3140 return -EINVAL;
8c7be95e 3141 }
2bef10ab 3142 for (n = 0; n < count; n++) {
717603e3 3143 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
2bef10ab
PL		 3144 if (k < 0) {
3145 if (ignore)
3146 continue;
8c7be95e 3147
2bef10ab 3148 strv_free(r);
2bef10ab 3149 return k;
e9c1ea9d 3150 }
ebc05a09 3151 /* Log invalid environment variables with filename */
039f0e70
LP		 3152 if (p) {
3153 InvalidEnvInfo info = {
f2341e0a 3154 .unit = unit,
039f0e70
LP		 3155 .path = pglob.gl_pathv[n]
3156 };
3157
3158 p = strv_env_clean_with_callback(p, invalid_env, &info);
3159 }
8c7be95e 3160
2bef10ab
PL		 3161 if (r == NULL)
3162 r = p;
3163 else {
3164 char **m;
8c7be95e 3165
2bef10ab
PL		 3166 m = strv_env_merge(2, r, p);
3167 strv_free(r);
3168 strv_free(p);
c84a9488 3169 if (!m)
2bef10ab 3170 return -ENOMEM;
2bef10ab
PL		 3171
3172 r = m;
3173 }
8c7be95e
LP		 3174 }
3175 }
3176
3177 *l = r;
3178
3179 return 0;
3180}
3181
6ac8fdc9 3182static bool tty_may_match_dev_console(const char *tty) {
e1d75803 3183 _cleanup_free_ char *active = NULL;
7d6884b6 3184 char *console;
6ac8fdc9 3185
1e22b5cd
LP		 3186 if (!tty)
3187 return true;
3188
6ac8fdc9
MS		 3189 if (startswith(tty, "/dev/"))
3190 tty += 5;
3191
3192 /* trivial identity? */
3193 if (streq(tty, "console"))
3194 return true;
3195
3196 console = resolve_dev_console(&active);
3197 /* if we could not resolve, assume it may */
3198 if (!console)
3199 return true;
3200
3201 /* "tty0" means the active VC, so it may be the same sometimes */
e1d75803 3202 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
6ac8fdc9
MS		 3203}
3204
3205bool exec_context_may_touch_console(ExecContext *ec) {
1e22b5cd
LP		 3206
3207 return (ec->tty_reset ||
3208 ec->tty_vhangup ||
3209 ec->tty_vt_disallocate ||
6ac8fdc9
MS		 3210 is_terminal_input(ec->std_input) ||
3211 is_terminal_output(ec->std_output) ||
3212 is_terminal_output(ec->std_error)) &&
1e22b5cd 3213 tty_may_match_dev_console(exec_context_tty_path(ec));
6ac8fdc9
MS		 3214}
3215
15ae422b
LP		 3216static void strv_fprintf(FILE *f, char **l) {
3217 char **g;
3218
3219 assert(f);
3220
3221 STRV_FOREACH(g, l)
3222 fprintf(f, " %s", *g);
3223}
3224
5cb5a6ff 3225void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
c2bbd90b 3226 char **e, **d;
94f04347 3227 unsigned i;
9eba9da4 3228
5cb5a6ff
LP		 3229 assert(c);
3230 assert(f);
3231
4ad49000 3232 prefix = strempty(prefix);
5cb5a6ff
LP		 3233
3234 fprintf(f,
94f04347
LP		 3235 "%sUMask: %04o\n"
3236 "%sWorkingDirectory: %s\n"
451a074f 3237 "%sRootDirectory: %s\n"
15ae422b 3238 "%sNonBlocking: %s\n"
64747e2d 3239 "%sPrivateTmp: %s\n"
7f112f50 3240 "%sPrivateDevices: %s\n"
59eeb84b 3241 "%sProtectKernelTunables: %s\n"
e66a2f65 3242 "%sProtectKernelModules: %s\n"
59eeb84b 3243 "%sProtectControlGroups: %s\n"
d251207d
LP		 3244 "%sPrivateNetwork: %s\n"
3245 "%sPrivateUsers: %s\n"
1b8689f9
LP		 3246 "%sProtectHome: %s\n"
3247 "%sProtectSystem: %s\n"
f3e43635 3248 "%sIgnoreSIGPIPE: %s\n"
f4170c67
LP		 3249 "%sMemoryDenyWriteExecute: %s\n"
3250 "%sRestrictRealtime: %s\n",
5cb5a6ff 3251 prefix, c->umask,
9eba9da4 3252 prefix, c->working_directory ? c->working_directory : "/",
451a074f 3253 prefix, c->root_directory ? c->root_directory : "/",
15ae422b 3254 prefix, yes_no(c->non_blocking),
64747e2d 3255 prefix, yes_no(c->private_tmp),
7f112f50 3256 prefix, yes_no(c->private_devices),
59eeb84b 3257 prefix, yes_no(c->protect_kernel_tunables),
e66a2f65 3258 prefix, yes_no(c->protect_kernel_modules),
59eeb84b 3259 prefix, yes_no(c->protect_control_groups),
d251207d
LP		 3260 prefix, yes_no(c->private_network),
3261 prefix, yes_no(c->private_users),
1b8689f9
LP		 3262 prefix, protect_home_to_string(c->protect_home),
3263 prefix, protect_system_to_string(c->protect_system),
f3e43635 3264 prefix, yes_no(c->ignore_sigpipe),
f4170c67
LP		 3265 prefix, yes_no(c->memory_deny_write_execute),
3266 prefix, yes_no(c->restrict_realtime));
fb33a393 3267
8c7be95e
LP		 3268 STRV_FOREACH(e, c->environment)
3269 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
3270
3271 STRV_FOREACH(e, c->environment_files)
3272 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
94f04347 3273
b4c14404
FB		 3274 STRV_FOREACH(e, c->pass_environment)
3275 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
3276
c2bbd90b
EV		 3277 fprintf(f, "%sRuntimeDirectoryMode: %04o\n", prefix, c->runtime_directory_mode);
3278
3279 STRV_FOREACH(d, c->runtime_directory)
3280 fprintf(f, "%sRuntimeDirectory: %s\n", prefix, *d);
3281
fb33a393
LP		 3282 if (c->nice_set)
3283 fprintf(f,
3284 "%sNice: %i\n",
3285 prefix, c->nice);
3286
dd6c17b1 3287 if (c->oom_score_adjust_set)
fb33a393 3288 fprintf(f,
dd6c17b1
LP		 3289 "%sOOMScoreAdjust: %i\n",
3290 prefix, c->oom_score_adjust);
9eba9da4 3291
94f04347 3292 for (i = 0; i < RLIM_NLIMITS; i++)
3c11da9d
EV		 3293 if (c->rlimit[i]) {
3294 fprintf(f, "%s%s: " RLIM_FMT "\n",
3295 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
3296 fprintf(f, "%s%sSoft: " RLIM_FMT "\n",
3297 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
3298 }
94f04347 3299
f8b69d1d 3300 if (c->ioprio_set) {
1756a011 3301 _cleanup_free_ char *class_str = NULL;
f8b69d1d 3302
1756a011 3303 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
9eba9da4
LP		 3304 fprintf(f,
3305 "%sIOSchedulingClass: %s\n"
3306 "%sIOPriority: %i\n",
f8b69d1d 3307 prefix, strna(class_str),
9eba9da4 3308 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
f8b69d1d 3309 }
94f04347 3310
f8b69d1d 3311 if (c->cpu_sched_set) {
1756a011 3312 _cleanup_free_ char *policy_str = NULL;
f8b69d1d 3313
1756a011 3314 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
94f04347
LP		 3315 fprintf(f,
3316 "%sCPUSchedulingPolicy: %s\n"
38b48754
LP		 3317 "%sCPUSchedulingPriority: %i\n"
3318 "%sCPUSchedulingResetOnFork: %s\n",
f8b69d1d 3319 prefix, strna(policy_str),
38b48754
LP		 3320 prefix, c->cpu_sched_priority,
3321 prefix, yes_no(c->cpu_sched_reset_on_fork));
b929bf04 3322 }
94f04347 3323
82c121a4 3324 if (c->cpuset) {
94f04347 3325 fprintf(f, "%sCPUAffinity:", prefix);
82c121a4
LP		 3326 for (i = 0; i < c->cpuset_ncpus; i++)
3327 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
43a99a7a 3328 fprintf(f, " %u", i);
94f04347
LP		 3329 fputs("\n", f);
3330 }
3331
3a43da28 3332 if (c->timer_slack_nsec != NSEC_INFINITY)
ccd06097 3333 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
94f04347
LP		 3334
3335 fprintf(f,
80876c20
LP		 3336 "%sStandardInput: %s\n"
3337 "%sStandardOutput: %s\n"
3338 "%sStandardError: %s\n",
3339 prefix, exec_input_to_string(c->std_input),
3340 prefix, exec_output_to_string(c->std_output),
3341 prefix, exec_output_to_string(c->std_error));
3342
3343 if (c->tty_path)
3344 fprintf(f,
6ea832a2
LP		 3345 "%sTTYPath: %s\n"
3346 "%sTTYReset: %s\n"
3347 "%sTTYVHangup: %s\n"
3348 "%sTTYVTDisallocate: %s\n",
3349 prefix, c->tty_path,
3350 prefix, yes_no(c->tty_reset),
3351 prefix, yes_no(c->tty_vhangup),
3352 prefix, yes_no(c->tty_vt_disallocate));
94f04347 3353
5ce70e5b
ZJS		 3354 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
3355 c->std_output == EXEC_OUTPUT_KMSG ||
3356 c->std_output == EXEC_OUTPUT_JOURNAL ||
3357 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3358 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3359 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
3360 c->std_error == EXEC_OUTPUT_SYSLOG ||
3361 c->std_error == EXEC_OUTPUT_KMSG ||
3362 c->std_error == EXEC_OUTPUT_JOURNAL ||
3363 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3364 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3365 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
f8b69d1d 3366
5ce70e5b 3367 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
f8b69d1d 3368
5ce70e5b
ZJS		 3369 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
3370 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
f8b69d1d 3371
94f04347
LP		 3372 fprintf(f,
3373 "%sSyslogFacility: %s\n"
3374 "%sSyslogLevel: %s\n",
f8b69d1d
MS		 3375 prefix, strna(fac_str),
3376 prefix, strna(lvl_str));
f8b69d1d 3377 }
94f04347 3378
94f04347
LP		 3379 if (c->secure_bits)
3380 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
3381 prefix,
cbb21cca
ZJS		 3382 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
3383 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
3384 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
3385 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
3386 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
3387 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
94f04347 3388
a103496c 3389 if (c->capability_bounding_set != CAP_ALL) {
ae556c21 3390 unsigned long l;
260abb78 3391 fprintf(f, "%sCapabilityBoundingSet:", prefix);
94f04347 3392
64685e0c 3393 for (l = 0; l <= cap_last_cap(); l++)
a103496c 3394 if (c->capability_bounding_set & (UINT64_C(1) << l))
2822da4f 3395 fprintf(f, " %s", strna(capability_to_name(l)));
94f04347
LP		 3396
3397 fputs("\n", f);
755d4b67
IP		 3398 }
3399
3400 if (c->capability_ambient_set != 0) {
3401 unsigned long l;
3402 fprintf(f, "%sAmbientCapabilities:", prefix);
3403
3404 for (l = 0; l <= cap_last_cap(); l++)
3405 if (c->capability_ambient_set & (UINT64_C(1) << l))
3406 fprintf(f, " %s", strna(capability_to_name(l)));
3407
3408 fputs("\n", f);
94f04347
LP		 3409 }
3410
3411 if (c->user)
f2d3769a 3412 fprintf(f, "%sUser: %s\n", prefix, c->user);
94f04347 3413 if (c->group)
f2d3769a 3414 fprintf(f, "%sGroup: %s\n", prefix, c->group);
94f04347 3415
29206d46
LP		 3416 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
3417
15ae422b 3418 if (strv_length(c->supplementary_groups) > 0) {
94f04347 3419 fprintf(f, "%sSupplementaryGroups:", prefix);
15ae422b
LP		 3420 strv_fprintf(f, c->supplementary_groups);
3421 fputs("\n", f);
3422 }
94f04347 3423
5b6319dc 3424 if (c->pam_name)
f2d3769a 3425 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
5b6319dc 3426
2a624c36
AP		 3427 if (strv_length(c->read_write_paths) > 0) {
3428 fprintf(f, "%sReadWritePaths:", prefix);
3429 strv_fprintf(f, c->read_write_paths);
15ae422b
LP		 3430 fputs("\n", f);
3431 }
3432
2a624c36
AP		 3433 if (strv_length(c->read_only_paths) > 0) {
3434 fprintf(f, "%sReadOnlyPaths:", prefix);
3435 strv_fprintf(f, c->read_only_paths);
15ae422b
LP		 3436 fputs("\n", f);
3437 }
94f04347 3438
2a624c36
AP		 3439 if (strv_length(c->inaccessible_paths) > 0) {
3440 fprintf(f, "%sInaccessiblePaths:", prefix);
3441 strv_fprintf(f, c->inaccessible_paths);
94f04347
LP		 3442 fputs("\n", f);
3443 }
2e22afe9 3444
169c1bda
LP		 3445 if (c->utmp_id)
3446 fprintf(f,
3447 "%sUtmpIdentifier: %s\n",
3448 prefix, c->utmp_id);
7b52a628
MS		 3449
3450 if (c->selinux_context)
3451 fprintf(f,
5f8640fb
LP		 3452 "%sSELinuxContext: %s%s\n",
3453 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
17df7223 3454
050f7277 3455 if (c->personality != PERSONALITY_INVALID)
ac45f971
LP		 3456 fprintf(f,
3457 "%sPersonality: %s\n",
3458 prefix, strna(personality_to_string(c->personality)));
3459
17df7223 3460 if (c->syscall_filter) {
351a19b1 3461#ifdef HAVE_SECCOMP
17df7223
LP		 3462 Iterator j;
3463 void *id;
3464 bool first = true;
351a19b1 3465#endif
17df7223
LP		 3466
3467 fprintf(f,
57183d11 3468 "%sSystemCallFilter: ",
17df7223
LP		 3469 prefix);
3470
3471 if (!c->syscall_whitelist)
3472 fputc('~', f);
3473
351a19b1 3474#ifdef HAVE_SECCOMP
17df7223
LP		 3475 SET_FOREACH(id, c->syscall_filter, j) {
3476 _cleanup_free_ char *name = NULL;
3477
3478 if (first)
3479 first = false;
3480 else
3481 fputc(' ', f);
3482
57183d11 3483 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
17df7223
LP		 3484 fputs(strna(name), f);
3485 }
351a19b1 3486#endif
17df7223
LP		 3487
3488 fputc('\n', f);
3489 }
3490
57183d11
LP		 3491 if (c->syscall_archs) {
3492#ifdef HAVE_SECCOMP
3493 Iterator j;
3494 void *id;
3495#endif
3496
3497 fprintf(f,
3498 "%sSystemCallArchitectures:",
3499 prefix);
3500
3501#ifdef HAVE_SECCOMP
3502 SET_FOREACH(id, c->syscall_archs, j)
3503 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
3504#endif
3505 fputc('\n', f);
3506 }
3507
b3267152 3508 if (c->syscall_errno > 0)
17df7223
LP		 3509 fprintf(f,
3510 "%sSystemCallErrorNumber: %s\n",
3511 prefix, strna(errno_to_name(c->syscall_errno)));
eef65bf3
MS		 3512
3513 if (c->apparmor_profile)
3514 fprintf(f,
3515 "%sAppArmorProfile: %s%s\n",
3516 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
5cb5a6ff
LP		 3517}
3518
a931ad47
LP		 3519bool exec_context_maintains_privileges(ExecContext *c) {
3520 assert(c);
3521
61233823 3522 /* Returns true if the process forked off would run under
a931ad47
LP		 3523 * an unchanged UID or as root. */
3524
3525 if (!c->user)
3526 return true;
3527
3528 if (streq(c->user, "root") || streq(c->user, "0"))
3529 return true;
3530
3531 return false;
3532}
3533
b58b4116 3534void exec_status_start(ExecStatus *s, pid_t pid) {
034c6ed7 3535 assert(s);
5cb5a6ff 3536
b58b4116
LP		 3537 zero(*s);
3538 s->pid = pid;
3539 dual_timestamp_get(&s->start_timestamp);
3540}
3541
6ea832a2 3542void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
b58b4116
LP		 3543 assert(s);
3544
0b1f4ae6 3545 if (s->pid && s->pid != pid)
b58b4116
LP		 3546 zero(*s);
3547
034c6ed7 3548 s->pid = pid;
63983207 3549 dual_timestamp_get(&s->exit_timestamp);
9fb86720 3550
034c6ed7
LP		 3551 s->code = code;
3552 s->status = status;
169c1bda 3553
6ea832a2
LP		 3554 if (context) {
3555 if (context->utmp_id)
3556 utmp_put_dead_process(context->utmp_id, pid, code, status);
3557
1e22b5cd 3558 exec_context_tty_reset(context, NULL);
6ea832a2 3559 }
9fb86720
LP		 3560}
3561
3562void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
3563 char buf[FORMAT_TIMESTAMP_MAX];
3564
3565 assert(s);
3566 assert(f);
3567
9fb86720
LP		 3568 if (s->pid <= 0)
3569 return;
3570
4c940960
LP		 3571 prefix = strempty(prefix);
3572
9fb86720 3573 fprintf(f,
ccd06097
ZJS		 3574 "%sPID: "PID_FMT"\n",
3575 prefix, s->pid);
9fb86720 3576
af9d16e1 3577 if (dual_timestamp_is_set(&s->start_timestamp))
9fb86720
LP		 3578 fprintf(f,
3579 "%sStart Timestamp: %s\n",
63983207 3580 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
9fb86720 3581
af9d16e1 3582 if (dual_timestamp_is_set(&s->exit_timestamp))
9fb86720
LP		 3583 fprintf(f,
3584 "%sExit Timestamp: %s\n"
3585 "%sExit Code: %s\n"
3586 "%sExit Status: %i\n",
63983207 3587 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
9fb86720
LP		 3588 prefix, sigchld_code_to_string(s->code),
3589 prefix, s->status);
5cb5a6ff 3590}
44d8db9e 3591
9e2f7c11 3592char *exec_command_line(char **argv) {
44d8db9e
LP		 3593 size_t k;
3594 char *n, *p, **a;
3595 bool first = true;
3596
9e2f7c11 3597 assert(argv);
44d8db9e 3598
9164977d 3599 k = 1;
9e2f7c11 3600 STRV_FOREACH(a, argv)
44d8db9e
LP		 3601 k += strlen(*a)+3;
3602
3603 if (!(n = new(char, k)))
3604 return NULL;
3605
3606 p = n;
9e2f7c11 3607 STRV_FOREACH(a, argv) {
44d8db9e
LP		 3608
3609 if (!first)
3610 *(p++) = ' ';
3611 else
3612 first = false;
3613
3614 if (strpbrk(*a, WHITESPACE)) {
3615 *(p++) = '\'';
3616 p = stpcpy(p, *a);
3617 *(p++) = '\'';
3618 } else
3619 p = stpcpy(p, *a);
3620
3621 }
3622
9164977d
LP		 3623 *p = 0;
3624
44d8db9e
LP		 3625 /* FIXME: this doesn't really handle arguments that have
3626 * spaces and ticks in them */
3627
3628 return n;
3629}
3630
3631void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
e1d75803 3632 _cleanup_free_ char *cmd = NULL;
4c940960 3633 const char *prefix2;
44d8db9e
LP		 3634
3635 assert(c);
3636 assert(f);
3637
4c940960 3638 prefix = strempty(prefix);
63c372cb 3639 prefix2 = strjoina(prefix, "\t");
44d8db9e 3640
9e2f7c11 3641 cmd = exec_command_line(c->argv);
44d8db9e
LP		 3642 fprintf(f,
3643 "%sCommand Line: %s\n",
3644 prefix, cmd ? cmd : strerror(ENOMEM));
3645
9fb86720 3646 exec_status_dump(&c->exec_status, f, prefix2);
44d8db9e
LP		 3647}
3648
3649void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
3650 assert(f);
3651
4c940960 3652 prefix = strempty(prefix);
44d8db9e
LP		 3653
3654 LIST_FOREACH(command, c, c)
3655 exec_command_dump(c, f, prefix);
3656}
94f04347 3657
a6a80b4f
LP		 3658void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
3659 ExecCommand *end;
3660
3661 assert(l);
3662 assert(e);
3663
3664 if (*l) {
35b8ca3a 3665 /* It's kind of important, that we keep the order here */
71fda00f
LP		 3666 LIST_FIND_TAIL(command, *l, end);
3667 LIST_INSERT_AFTER(command, *l, end, e);
a6a80b4f
LP		 3668 } else
3669 *l = e;
3670}
3671
26fd040d
LP		 3672int exec_command_set(ExecCommand *c, const char *path, ...) {
3673 va_list ap;
3674 char **l, *p;
3675
3676 assert(c);
3677 assert(path);
3678
3679 va_start(ap, path);
3680 l = strv_new_ap(path, ap);
3681 va_end(ap);
3682
3683 if (!l)
3684 return -ENOMEM;
3685
250a918d
LP		 3686 p = strdup(path);
3687 if (!p) {
26fd040d
LP		 3688 strv_free(l);
3689 return -ENOMEM;
3690 }
3691
3692 free(c->path);
3693 c->path = p;
3694
3695 strv_free(c->argv);
3696 c->argv = l;
3697
3698 return 0;
3699}
3700
86b23b07 3701int exec_command_append(ExecCommand *c, const char *path, ...) {
e63ff941 3702 _cleanup_strv_free_ char **l = NULL;
86b23b07 3703 va_list ap;
86b23b07
JS		 3704 int r;
3705
3706 assert(c);
3707 assert(path);
3708
3709 va_start(ap, path);
3710 l = strv_new_ap(path, ap);
3711 va_end(ap);
3712
3713 if (!l)
3714 return -ENOMEM;
3715
e287086b 3716 r = strv_extend_strv(&c->argv, l, false);
e63ff941 3717 if (r < 0)
86b23b07 3718 return r;
86b23b07
JS		 3719
3720 return 0;
3721}
3722
3723
613b411c
LP		 3724static int exec_runtime_allocate(ExecRuntime **rt) {
3725
3726 if (*rt)
3727 return 0;
3728
3729 *rt = new0(ExecRuntime, 1);
f146f5e1 3730 if (!*rt)
613b411c
LP		 3731 return -ENOMEM;
3732
3733 (*rt)->n_ref = 1;
3734 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
3735
3736 return 0;
3737}
3738
3739int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
3740 int r;
3741
3742 assert(rt);
3743 assert(c);
3744 assert(id);
3745
3746 if (*rt)
3747 return 1;
3748
3749 if (!c->private_network && !c->private_tmp)
3750 return 0;
3751
3752 r = exec_runtime_allocate(rt);
3753 if (r < 0)
3754 return r;
3755
3756 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
33df919d 3757 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, (*rt)->netns_storage_socket) < 0)
613b411c
LP		 3758 return -errno;
3759 }
3760
3761 if (c->private_tmp && !(*rt)->tmp_dir) {
3762 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
3763 if (r < 0)
3764 return r;
3765 }
3766
3767 return 1;
3768}
3769
3770ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
3771 assert(r);
3772 assert(r->n_ref > 0);
3773
3774 r->n_ref++;
3775 return r;
3776}
3777
3778ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
3779
3780 if (!r)
3781 return NULL;
3782
3783 assert(r->n_ref > 0);
3784
3785 r->n_ref--;
f2341e0a
LP		 3786 if (r->n_ref > 0)
3787 return NULL;
3788
3789 free(r->tmp_dir);
3790 free(r->var_tmp_dir);
3791 safe_close_pair(r->netns_storage_socket);
6b430fdb 3792 return mfree(r);
613b411c
LP		 3793}
3794
f2341e0a 3795int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
613b411c
LP		 3796 assert(u);
3797 assert(f);
3798 assert(fds);
3799
3800 if (!rt)
3801 return 0;
3802
3803 if (rt->tmp_dir)
3804 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
3805
3806 if (rt->var_tmp_dir)
3807 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
3808
3809 if (rt->netns_storage_socket[0] >= 0) {
3810 int copy;
3811
3812 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
3813 if (copy < 0)
3814 return copy;
3815
3816 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
3817 }
3818
3819 if (rt->netns_storage_socket[1] >= 0) {
3820 int copy;
3821
3822 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
3823 if (copy < 0)
3824 return copy;
3825
3826 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
3827 }
3828
3829 return 0;
3830}
3831
f2341e0a 3832int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
613b411c
LP		 3833 int r;
3834
3835 assert(rt);
3836 assert(key);
3837 assert(value);
3838
3839 if (streq(key, "tmp-dir")) {
3840 char *copy;
3841
3842 r = exec_runtime_allocate(rt);
3843 if (r < 0)
f2341e0a 3844 return log_oom();
613b411c
LP		 3845
3846 copy = strdup(value);
3847 if (!copy)
3848 return log_oom();
3849
3850 free((*rt)->tmp_dir);
3851 (*rt)->tmp_dir = copy;
3852
3853 } else if (streq(key, "var-tmp-dir")) {
3854 char *copy;
3855
3856 r = exec_runtime_allocate(rt);
3857 if (r < 0)
f2341e0a 3858 return log_oom();
613b411c
LP		 3859
3860 copy = strdup(value);
3861 if (!copy)
3862 return log_oom();
3863
3864 free((*rt)->var_tmp_dir);
3865 (*rt)->var_tmp_dir = copy;
3866
3867 } else if (streq(key, "netns-socket-0")) {
3868 int fd;
3869
3870 r = exec_runtime_allocate(rt);
3871 if (r < 0)
f2341e0a 3872 return log_oom();
613b411c
LP		 3873
3874 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
f2341e0a 3875 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
613b411c 3876 else {
03e334a1 3877 safe_close((*rt)->netns_storage_socket[0]);
613b411c
LP		 3878 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
3879 }
3880 } else if (streq(key, "netns-socket-1")) {
3881 int fd;
3882
3883 r = exec_runtime_allocate(rt);
3884 if (r < 0)
f2341e0a 3885 return log_oom();
613b411c
LP		 3886
3887 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
f2341e0a 3888 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
613b411c 3889 else {
03e334a1 3890 safe_close((*rt)->netns_storage_socket[1]);
613b411c
LP		 3891 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
3892 }
3893 } else
3894 return 0;
3895
3896 return 1;
3897}
3898
3899static void *remove_tmpdir_thread(void *p) {
3900 _cleanup_free_ char *path = p;
3901
c6878637 3902 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
613b411c
LP		 3903 return NULL;
3904}
3905
3906void exec_runtime_destroy(ExecRuntime *rt) {
98b47d54
LP		 3907 int r;
3908
613b411c
LP		 3909 if (!rt)
3910 return;
3911
3912 /* If there are multiple users of this, let's leave the stuff around */
3913 if (rt->n_ref > 1)
3914 return;
3915
3916 if (rt->tmp_dir) {
3917 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
98b47d54
LP		 3918
3919 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
3920 if (r < 0) {
da927ba9 3921 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
98b47d54
LP		 3922 free(rt->tmp_dir);
3923 }
3924
613b411c
LP		 3925 rt->tmp_dir = NULL;
3926 }
3927
3928 if (rt->var_tmp_dir) {
3929 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
98b47d54
LP		 3930
3931 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
3932 if (r < 0) {
da927ba9 3933 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
98b47d54
LP		 3934 free(rt->var_tmp_dir);
3935 }
3936
613b411c
LP		 3937 rt->var_tmp_dir = NULL;
3938 }
3939
3d94f76c 3940 safe_close_pair(rt->netns_storage_socket);
613b411c
LP		 3941}
3942
80876c20
LP		 3943static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
3944 [EXEC_INPUT_NULL] = "null",
3945 [EXEC_INPUT_TTY] = "tty",
3946 [EXEC_INPUT_TTY_FORCE] = "tty-force",
4f2d528d 3947 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
52c239d7
LB		 3948 [EXEC_INPUT_SOCKET] = "socket",
3949 [EXEC_INPUT_NAMED_FD] = "fd",
80876c20
LP		 3950};
3951
8a0867d6
LP		 3952DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
3953
94f04347 3954static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
80876c20 3955 [EXEC_OUTPUT_INHERIT] = "inherit",
94f04347 3956 [EXEC_OUTPUT_NULL] = "null",
80876c20 3957 [EXEC_OUTPUT_TTY] = "tty",
94f04347 3958 [EXEC_OUTPUT_SYSLOG] = "syslog",
28dbc1e8 3959 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
9a6bca7a 3960 [EXEC_OUTPUT_KMSG] = "kmsg",
28dbc1e8 3961 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
706343f4
LP		 3962 [EXEC_OUTPUT_JOURNAL] = "journal",
3963 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
52c239d7
LB		 3964 [EXEC_OUTPUT_SOCKET] = "socket",
3965 [EXEC_OUTPUT_NAMED_FD] = "fd",
94f04347
LP		 3966};
3967
3968DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
023a4f67
LP		 3969
3970static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
3971 [EXEC_UTMP_INIT] = "init",
3972 [EXEC_UTMP_LOGIN] = "login",
3973 [EXEC_UTMP_USER] = "user",
3974};
3975
3976DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
Unnamed repository; edit this file 'description' to name the repository.