2 This file is part of systemd.
4 Copyright 2010 Lennart Poettering
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
27 #include <sys/capability.h>
28 #include <sys/eventfd.h>
30 #include <sys/personality.h>
31 #include <sys/prctl.h>
32 #include <sys/socket.h>
39 #include <security/pam_appl.h>
43 #include <selinux/selinux.h>
51 #include <sys/apparmor.h>
54 #include "sd-messages.h"
57 #include "alloc-util.h"
59 #include "apparmor-util.h"
64 #include "capability-util.h"
67 #include "errno-list.h"
69 #include "exit-status.h"
72 #include "formats-util.h"
74 #include "glob-util.h"
81 #include "namespace.h"
82 #include "parse-util.h"
83 #include "path-util.h"
84 #include "process-util.h"
85 #include "rlimit-util.h"
88 #include "seccomp-util.h"
90 #include "securebits.h"
91 #include "selinux-util.h"
92 #include "signal-util.h"
93 #include "smack-util.h"
95 #include "string-table.h"
96 #include "string-util.h"
98 #include "syslog-util.h"
99 #include "terminal-util.h"
101 #include "user-util.h"
103 #include "utmp-wtmp.h"
105 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
106 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
108 /* This assumes there is a 'tty' group */
109 #define TTY_MODE 0620
111 #define SNDBUF_SIZE (8*1024*1024)
113 static int shift_fds(int fds
[], unsigned n_fds
) {
114 int start
, restart_from
;
119 /* Modifies the fds array! (sorts it) */
129 for (i
= start
; i
< (int) n_fds
; i
++) {
132 /* Already at right index? */
136 nfd
= fcntl(fds
[i
], F_DUPFD
, i
+ 3);
143 /* Hmm, the fd we wanted isn't free? Then
144 * let's remember that and try again from here */
145 if (nfd
!= i
+3 && restart_from
< 0)
149 if (restart_from
< 0)
152 start
= restart_from
;
158 static int flags_fds(const int fds
[], unsigned n_fds
, bool nonblock
) {
167 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
169 for (i
= 0; i
< n_fds
; i
++) {
171 r
= fd_nonblock(fds
[i
], nonblock
);
175 /* We unconditionally drop FD_CLOEXEC from the fds,
176 * since after all we want to pass these fds to our
179 r
= fd_cloexec(fds
[i
], false);
187 static const char *exec_context_tty_path(const ExecContext
*context
) {
190 if (context
->stdio_as_fds
)
193 if (context
->tty_path
)
194 return context
->tty_path
;
196 return "/dev/console";
199 static void exec_context_tty_reset(const ExecContext
*context
, const ExecParameters
*p
) {
204 path
= exec_context_tty_path(context
);
206 if (context
->tty_vhangup
) {
207 if (p
&& p
->stdin_fd
>= 0)
208 (void) terminal_vhangup_fd(p
->stdin_fd
);
210 (void) terminal_vhangup(path
);
213 if (context
->tty_reset
) {
214 if (p
&& p
->stdin_fd
>= 0)
215 (void) reset_terminal_fd(p
->stdin_fd
, true);
217 (void) reset_terminal(path
);
220 if (context
->tty_vt_disallocate
&& path
)
221 (void) vt_disallocate(path
);
224 static bool is_terminal_input(ExecInput i
) {
227 EXEC_INPUT_TTY_FORCE
,
228 EXEC_INPUT_TTY_FAIL
);
231 static bool is_terminal_output(ExecOutput o
) {
234 EXEC_OUTPUT_SYSLOG_AND_CONSOLE
,
235 EXEC_OUTPUT_KMSG_AND_CONSOLE
,
236 EXEC_OUTPUT_JOURNAL_AND_CONSOLE
);
239 static bool exec_context_needs_term(const ExecContext
*c
) {
242 /* Return true if the execution context suggests we should set $TERM to something useful. */
244 if (is_terminal_input(c
->std_input
))
247 if (is_terminal_output(c
->std_output
))
250 if (is_terminal_output(c
->std_error
))
253 return !!c
->tty_path
;
256 static int open_null_as(int flags
, int nfd
) {
261 fd
= open("/dev/null", flags
|O_NOCTTY
);
266 r
= dup2(fd
, nfd
) < 0 ? -errno
: nfd
;
274 static int connect_journal_socket(int fd
, uid_t uid
, gid_t gid
) {
275 union sockaddr_union sa
= {
276 .un
.sun_family
= AF_UNIX
,
277 .un
.sun_path
= "/run/systemd/journal/stdout",
279 uid_t olduid
= UID_INVALID
;
280 gid_t oldgid
= GID_INVALID
;
283 if (gid
!= GID_INVALID
) {
291 if (uid
!= UID_INVALID
) {
301 r
= connect(fd
, &sa
.sa
, SOCKADDR_UN_LEN(sa
.un
));
305 /* If we fail to restore the uid or gid, things will likely
306 fail later on. This should only happen if an LSM interferes. */
308 if (uid
!= UID_INVALID
)
309 (void) seteuid(olduid
);
312 if (gid
!= GID_INVALID
)
313 (void) setegid(oldgid
);
318 static int connect_logger_as(
320 const ExecContext
*context
,
330 assert(output
< _EXEC_OUTPUT_MAX
);
334 fd
= socket(AF_UNIX
, SOCK_STREAM
, 0);
338 r
= connect_journal_socket(fd
, uid
, gid
);
342 if (shutdown(fd
, SHUT_RD
) < 0) {
347 (void) fd_inc_sndbuf(fd
, SNDBUF_SIZE
);
357 context
->syslog_identifier
? context
->syslog_identifier
: ident
,
359 context
->syslog_priority
,
360 !!context
->syslog_level_prefix
,
361 output
== EXEC_OUTPUT_SYSLOG
|| output
== EXEC_OUTPUT_SYSLOG_AND_CONSOLE
,
362 output
== EXEC_OUTPUT_KMSG
|| output
== EXEC_OUTPUT_KMSG_AND_CONSOLE
,
363 is_terminal_output(output
));
368 r
= dup2(fd
, nfd
) < 0 ? -errno
: nfd
;
373 static int open_terminal_as(const char *path
, mode_t mode
, int nfd
) {
379 fd
= open_terminal(path
, mode
| O_NOCTTY
);
384 r
= dup2(fd
, nfd
) < 0 ? -errno
: nfd
;
392 static int fixup_input(ExecInput std_input
, int socket_fd
, bool apply_tty_stdin
) {
394 if (is_terminal_input(std_input
) && !apply_tty_stdin
)
395 return EXEC_INPUT_NULL
;
397 if (std_input
== EXEC_INPUT_SOCKET
&& socket_fd
< 0)
398 return EXEC_INPUT_NULL
;
403 static int fixup_output(ExecOutput std_output
, int socket_fd
) {
405 if (std_output
== EXEC_OUTPUT_SOCKET
&& socket_fd
< 0)
406 return EXEC_OUTPUT_INHERIT
;
411 static int setup_input(
412 const ExecContext
*context
,
413 const ExecParameters
*params
,
415 int named_iofds
[3]) {
422 if (params
->stdin_fd
>= 0) {
423 if (dup2(params
->stdin_fd
, STDIN_FILENO
) < 0)
426 /* Try to make this the controlling tty, if it is a tty, and reset it */
427 (void) ioctl(STDIN_FILENO
, TIOCSCTTY
, context
->std_input
== EXEC_INPUT_TTY_FORCE
);
428 (void) reset_terminal_fd(STDIN_FILENO
, true);
433 i
= fixup_input(context
->std_input
, socket_fd
, params
->flags
& EXEC_APPLY_TTY_STDIN
);
437 case EXEC_INPUT_NULL
:
438 return open_null_as(O_RDONLY
, STDIN_FILENO
);
441 case EXEC_INPUT_TTY_FORCE
:
442 case EXEC_INPUT_TTY_FAIL
: {
445 fd
= acquire_terminal(exec_context_tty_path(context
),
446 i
== EXEC_INPUT_TTY_FAIL
,
447 i
== EXEC_INPUT_TTY_FORCE
,
453 if (fd
!= STDIN_FILENO
) {
454 r
= dup2(fd
, STDIN_FILENO
) < 0 ? -errno
: STDIN_FILENO
;
462 case EXEC_INPUT_SOCKET
:
463 return dup2(socket_fd
, STDIN_FILENO
) < 0 ? -errno
: STDIN_FILENO
;
465 case EXEC_INPUT_NAMED_FD
:
466 (void) fd_nonblock(named_iofds
[STDIN_FILENO
], false);
467 return dup2(named_iofds
[STDIN_FILENO
], STDIN_FILENO
) < 0 ? -errno
: STDIN_FILENO
;
470 assert_not_reached("Unknown input type");
474 static int setup_output(
476 const ExecContext
*context
,
477 const ExecParameters
*params
,
484 dev_t
*journal_stream_dev
,
485 ino_t
*journal_stream_ino
) {
495 assert(journal_stream_dev
);
496 assert(journal_stream_ino
);
498 if (fileno
== STDOUT_FILENO
&& params
->stdout_fd
>= 0) {
500 if (dup2(params
->stdout_fd
, STDOUT_FILENO
) < 0)
503 return STDOUT_FILENO
;
506 if (fileno
== STDERR_FILENO
&& params
->stderr_fd
>= 0) {
507 if (dup2(params
->stderr_fd
, STDERR_FILENO
) < 0)
510 return STDERR_FILENO
;
513 i
= fixup_input(context
->std_input
, socket_fd
, params
->flags
& EXEC_APPLY_TTY_STDIN
);
514 o
= fixup_output(context
->std_output
, socket_fd
);
516 if (fileno
== STDERR_FILENO
) {
518 e
= fixup_output(context
->std_error
, socket_fd
);
520 /* This expects the input and output are already set up */
522 /* Don't change the stderr file descriptor if we inherit all
523 * the way and are not on a tty */
524 if (e
== EXEC_OUTPUT_INHERIT
&&
525 o
== EXEC_OUTPUT_INHERIT
&&
526 i
== EXEC_INPUT_NULL
&&
527 !is_terminal_input(context
->std_input
) &&
531 /* Duplicate from stdout if possible */
532 if ((e
== o
&& e
!= EXEC_OUTPUT_NAMED_FD
) || e
== EXEC_OUTPUT_INHERIT
)
533 return dup2(STDOUT_FILENO
, fileno
) < 0 ? -errno
: fileno
;
537 } else if (o
== EXEC_OUTPUT_INHERIT
) {
538 /* If input got downgraded, inherit the original value */
539 if (i
== EXEC_INPUT_NULL
&& is_terminal_input(context
->std_input
))
540 return open_terminal_as(exec_context_tty_path(context
), O_WRONLY
, fileno
);
542 /* If the input is connected to anything that's not a /dev/null, inherit that... */
543 if (i
!= EXEC_INPUT_NULL
)
544 return dup2(STDIN_FILENO
, fileno
) < 0 ? -errno
: fileno
;
546 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
550 /* We need to open /dev/null here anew, to get the right access mode. */
551 return open_null_as(O_WRONLY
, fileno
);
556 case EXEC_OUTPUT_NULL
:
557 return open_null_as(O_WRONLY
, fileno
);
559 case EXEC_OUTPUT_TTY
:
560 if (is_terminal_input(i
))
561 return dup2(STDIN_FILENO
, fileno
) < 0 ? -errno
: fileno
;
563 /* We don't reset the terminal if this is just about output */
564 return open_terminal_as(exec_context_tty_path(context
), O_WRONLY
, fileno
);
566 case EXEC_OUTPUT_SYSLOG
:
567 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE
:
568 case EXEC_OUTPUT_KMSG
:
569 case EXEC_OUTPUT_KMSG_AND_CONSOLE
:
570 case EXEC_OUTPUT_JOURNAL
:
571 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE
:
572 r
= connect_logger_as(unit
, context
, o
, ident
, fileno
, uid
, gid
);
574 log_unit_error_errno(unit
, r
, "Failed to connect %s to the journal socket, ignoring: %m", fileno
== STDOUT_FILENO
? "stdout" : "stderr");
575 r
= open_null_as(O_WRONLY
, fileno
);
579 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
580 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
581 * services to detect whether they are connected to the journal or not. */
583 if (fstat(fileno
, &st
) >= 0) {
584 *journal_stream_dev
= st
.st_dev
;
585 *journal_stream_ino
= st
.st_ino
;
590 case EXEC_OUTPUT_SOCKET
:
591 assert(socket_fd
>= 0);
592 return dup2(socket_fd
, fileno
) < 0 ? -errno
: fileno
;
594 case EXEC_OUTPUT_NAMED_FD
:
595 (void) fd_nonblock(named_iofds
[fileno
], false);
596 return dup2(named_iofds
[fileno
], fileno
) < 0 ? -errno
: fileno
;
599 assert_not_reached("Unknown error type");
603 static int chown_terminal(int fd
, uid_t uid
) {
608 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
612 /* This might fail. What matters are the results. */
613 (void) fchown(fd
, uid
, -1);
614 (void) fchmod(fd
, TTY_MODE
);
616 if (fstat(fd
, &st
) < 0)
619 if (st
.st_uid
!= uid
|| (st
.st_mode
& 0777) != TTY_MODE
)
625 static int setup_confirm_stdio(int *_saved_stdin
, int *_saved_stdout
) {
626 _cleanup_close_
int fd
= -1, saved_stdin
= -1, saved_stdout
= -1;
629 assert(_saved_stdin
);
630 assert(_saved_stdout
);
632 saved_stdin
= fcntl(STDIN_FILENO
, F_DUPFD
, 3);
636 saved_stdout
= fcntl(STDOUT_FILENO
, F_DUPFD
, 3);
637 if (saved_stdout
< 0)
640 fd
= acquire_terminal(
645 DEFAULT_CONFIRM_USEC
);
649 r
= chown_terminal(fd
, getuid());
653 r
= reset_terminal_fd(fd
, true);
657 if (dup2(fd
, STDIN_FILENO
) < 0)
660 if (dup2(fd
, STDOUT_FILENO
) < 0)
667 *_saved_stdin
= saved_stdin
;
668 *_saved_stdout
= saved_stdout
;
670 saved_stdin
= saved_stdout
= -1;
675 _printf_(1, 2) static int write_confirm_message(const char *format
, ...) {
676 _cleanup_close_
int fd
= -1;
681 fd
= open_terminal("/dev/console", O_WRONLY
|O_NOCTTY
|O_CLOEXEC
);
685 va_start(ap
, format
);
686 vdprintf(fd
, format
, ap
);
692 static int restore_confirm_stdio(int *saved_stdin
, int *saved_stdout
) {
696 assert(saved_stdout
);
700 if (*saved_stdin
>= 0)
701 if (dup2(*saved_stdin
, STDIN_FILENO
) < 0)
704 if (*saved_stdout
>= 0)
705 if (dup2(*saved_stdout
, STDOUT_FILENO
) < 0)
708 *saved_stdin
= safe_close(*saved_stdin
);
709 *saved_stdout
= safe_close(*saved_stdout
);
714 static int ask_for_confirmation(char *response
, char **argv
) {
715 int saved_stdout
= -1, saved_stdin
= -1, r
;
716 _cleanup_free_
char *line
= NULL
;
718 r
= setup_confirm_stdio(&saved_stdin
, &saved_stdout
);
722 line
= exec_command_line(argv
);
726 r
= ask_char(response
, "yns", "Execute %s? [Yes, No, Skip] ", line
);
728 restore_confirm_stdio(&saved_stdin
, &saved_stdout
);
733 static int get_fixed_user(const ExecContext
*c
, const char **user
,
734 uid_t
*uid
, gid_t
*gid
,
735 const char **home
, const char **shell
) {
744 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
745 * (i.e. are "/" or "/bin/nologin"). */
748 r
= get_user_creds_clean(&name
, uid
, gid
, home
, shell
);
756 static int get_fixed_group(const ExecContext
*c
, const char **group
, gid_t
*gid
) {
766 r
= get_group_creds(&name
, gid
);
774 static int get_fixed_supplementary_groups(const ExecContext
*c
,
778 gid_t
**supplementary_gids
, int *ngids
) {
782 bool keep_groups
= false;
783 gid_t
*groups
= NULL
;
784 _cleanup_free_ gid_t
*l_gids
= NULL
;
788 if (!c
->supplementary_groups
)
792 * If SupplementaryGroups= was passed then NGROUPS_MAX has to
793 * be positive, otherwise fail.
796 ngroups_max
= (int) sysconf(_SC_NGROUPS_MAX
);
797 if (ngroups_max
<= 0) {
801 return -EOPNOTSUPP
; /* For all other values */
805 * If user is given, then lookup GID and supplementary group list.
806 * We avoid NSS lookups for gid=0.
808 if (user
&& gid_is_valid(gid
) && gid
!= 0) {
809 /* First step, initialize groups from /etc/groups */
810 if (initgroups(user
, gid
) < 0)
816 l_gids
= new(gid_t
, ngroups_max
);
822 * Lookup the list of groups that the user belongs to, we
823 * avoid NSS lookups here too for gid=0.
826 if (getgrouplist(user
, gid
, l_gids
, &k
) < 0)
831 STRV_FOREACH(i
, c
->supplementary_groups
) {
834 if (k
>= ngroups_max
)
838 r
= get_group_creds(&g
, l_gids
+k
);
846 * Sets ngids to zero to drop all supplementary groups, happens
847 * when we are under root and SupplementaryGroups= is empty.
854 /* Otherwise get the final list of supplementary groups */
855 groups
= memdup(l_gids
, sizeof(gid_t
) * k
);
859 *supplementary_gids
= groups
;
867 static int enforce_groups(const ExecContext
*context
, gid_t gid
,
868 gid_t
*supplementary_gids
, int ngids
) {
873 /* Handle SupplementaryGroups= even if it is empty */
874 if (context
->supplementary_groups
) {
875 r
= maybe_setgroups(ngids
, supplementary_gids
);
880 if (gid_is_valid(gid
)) {
881 /* Then set our gids */
882 if (setresgid(gid
, gid
, gid
) < 0)
889 static int enforce_user(const ExecContext
*context
, uid_t uid
) {
892 if (!uid_is_valid(uid
))
895 /* Sets (but doesn't look up) the uid and make sure we keep the
896 * capabilities while doing so. */
898 if (context
->capability_ambient_set
!= 0) {
900 /* First step: If we need to keep capabilities but
901 * drop privileges we need to make sure we keep our
902 * caps, while we drop privileges. */
904 int sb
= context
->secure_bits
| 1<<SECURE_KEEP_CAPS
;
906 if (prctl(PR_GET_SECUREBITS
) != sb
)
907 if (prctl(PR_SET_SECUREBITS
, sb
) < 0)
912 /* Second step: actually set the uids */
913 if (setresuid(uid
, uid
, uid
) < 0)
916 /* At this point we should have all necessary capabilities but
917 are otherwise a normal user. However, the caps might got
918 corrupted due to the setresuid() so we need clean them up
919 later. This is done outside of this call. */
926 static int null_conv(
928 const struct pam_message
**msg
,
929 struct pam_response
**resp
,
932 /* We don't support conversations */
939 static int setup_pam(
946 int fds
[], unsigned n_fds
) {
950 static const struct pam_conv conv
= {
955 _cleanup_(barrier_destroy
) Barrier barrier
= BARRIER_NULL
;
956 pam_handle_t
*handle
= NULL
;
958 int pam_code
= PAM_SUCCESS
, r
;
959 char **nv
, **e
= NULL
;
960 bool close_session
= false;
961 pid_t pam_pid
= 0, parent_pid
;
968 /* We set up PAM in the parent process, then fork. The child
969 * will then stay around until killed via PR_GET_PDEATHSIG or
970 * systemd via the cgroup logic. It will then remove the PAM
971 * session again. The parent process will exec() the actual
972 * daemon. We do things this way to ensure that the main PID
973 * of the daemon is the one we initially fork()ed. */
975 r
= barrier_create(&barrier
);
979 if (log_get_max_level() < LOG_DEBUG
)
982 pam_code
= pam_start(name
, user
, &conv
, &handle
);
983 if (pam_code
!= PAM_SUCCESS
) {
989 pam_code
= pam_set_item(handle
, PAM_TTY
, tty
);
990 if (pam_code
!= PAM_SUCCESS
)
994 STRV_FOREACH(nv
, *env
) {
995 pam_code
= pam_putenv(handle
, *nv
);
996 if (pam_code
!= PAM_SUCCESS
)
1000 pam_code
= pam_acct_mgmt(handle
, flags
);
1001 if (pam_code
!= PAM_SUCCESS
)
1004 pam_code
= pam_open_session(handle
, flags
);
1005 if (pam_code
!= PAM_SUCCESS
)
1008 close_session
= true;
1010 e
= pam_getenvlist(handle
);
1012 pam_code
= PAM_BUF_ERR
;
1016 /* Block SIGTERM, so that we know that it won't get lost in
1019 assert_se(sigprocmask_many(SIG_BLOCK
, &old_ss
, SIGTERM
, -1) >= 0);
1021 parent_pid
= getpid();
1030 int sig
, ret
= EXIT_PAM
;
1032 /* The child's job is to reset the PAM session on
1034 barrier_set_role(&barrier
, BARRIER_CHILD
);
1036 /* This string must fit in 10 chars (i.e. the length
1037 * of "/sbin/init"), to look pretty in /bin/ps */
1038 rename_process("(sd-pam)");
1040 /* Make sure we don't keep open the passed fds in this
1041 child. We assume that otherwise only those fds are
1042 open here that have been opened by PAM. */
1043 close_many(fds
, n_fds
);
1045 /* Drop privileges - we don't need any to pam_close_session
1046 * and this will make PR_SET_PDEATHSIG work in most cases.
1047 * If this fails, ignore the error - but expect sd-pam threads
1048 * to fail to exit normally */
1050 r
= maybe_setgroups(0, NULL
);
1052 log_warning_errno(r
, "Failed to setgroups() in sd-pam: %m");
1053 if (setresgid(gid
, gid
, gid
) < 0)
1054 log_warning_errno(errno
, "Failed to setresgid() in sd-pam: %m");
1055 if (setresuid(uid
, uid
, uid
) < 0)
1056 log_warning_errno(errno
, "Failed to setresuid() in sd-pam: %m");
1058 (void) ignore_signals(SIGPIPE
, -1);
1060 /* Wait until our parent died. This will only work if
1061 * the above setresuid() succeeds, otherwise the kernel
1062 * will not allow unprivileged parents kill their privileged
1063 * children this way. We rely on the control groups kill logic
1064 * to do the rest for us. */
1065 if (prctl(PR_SET_PDEATHSIG
, SIGTERM
) < 0)
1068 /* Tell the parent that our setup is done. This is especially
1069 * important regarding dropping privileges. Otherwise, unit
1070 * setup might race against our setresuid(2) call. */
1071 barrier_place(&barrier
);
1073 /* Check if our parent process might already have
1075 if (getppid() == parent_pid
) {
1078 assert_se(sigemptyset(&ss
) >= 0);
1079 assert_se(sigaddset(&ss
, SIGTERM
) >= 0);
1082 if (sigwait(&ss
, &sig
) < 0) {
1089 assert(sig
== SIGTERM
);
1094 /* If our parent died we'll end the session */
1095 if (getppid() != parent_pid
) {
1096 pam_code
= pam_close_session(handle
, flags
);
1097 if (pam_code
!= PAM_SUCCESS
)
1104 pam_end(handle
, pam_code
| flags
);
1108 barrier_set_role(&barrier
, BARRIER_PARENT
);
1110 /* If the child was forked off successfully it will do all the
1111 * cleanups, so forget about the handle here. */
1114 /* Unblock SIGTERM again in the parent */
1115 assert_se(sigprocmask(SIG_SETMASK
, &old_ss
, NULL
) >= 0);
1117 /* We close the log explicitly here, since the PAM modules
1118 * might have opened it, but we don't want this fd around. */
1121 /* Synchronously wait for the child to initialize. We don't care for
1122 * errors as we cannot recover. However, warn loudly if it happens. */
1123 if (!barrier_place_and_sync(&barrier
))
1124 log_error("PAM initialization failed");
1132 if (pam_code
!= PAM_SUCCESS
) {
1133 log_error("PAM failed: %s", pam_strerror(handle
, pam_code
));
1134 r
= -EPERM
; /* PAM errors do not map to errno */
1136 log_error_errno(r
, "PAM failed: %m");
1140 pam_code
= pam_close_session(handle
, flags
);
1142 pam_end(handle
, pam_code
| flags
);
1154 static void rename_process_from_path(const char *path
) {
1155 char process_name
[11];
1159 /* This resulting string must fit in 10 chars (i.e. the length
1160 * of "/sbin/init") to look pretty in /bin/ps */
1164 rename_process("(...)");
1170 /* The end of the process name is usually more
1171 * interesting, since the first bit might just be
1177 process_name
[0] = '(';
1178 memcpy(process_name
+1, p
, l
);
1179 process_name
[1+l
] = ')';
1180 process_name
[1+l
+1] = 0;
1182 rename_process(process_name
);
1187 static bool skip_seccomp_unavailable(const Unit
* u
, const char* msg
) {
1188 if (!is_seccomp_available()) {
1190 log_unit_debug(u
, "SECCOMP features not detected in the kernel, skipping %s", msg
);
1197 static int apply_seccomp(const Unit
* u
, const ExecContext
*c
) {
1198 uint32_t negative_action
, action
;
1199 scmp_filter_ctx
*seccomp
;
1206 if (skip_seccomp_unavailable(u
, "syscall filtering"))
1209 negative_action
= c
->syscall_errno
== 0 ? SCMP_ACT_KILL
: SCMP_ACT_ERRNO(c
->syscall_errno
);
1211 seccomp
= seccomp_init(c
->syscall_whitelist
? negative_action
: SCMP_ACT_ALLOW
);
1215 if (c
->syscall_archs
) {
1217 SET_FOREACH(id
, c
->syscall_archs
, i
) {
1218 r
= seccomp_arch_add(seccomp
, PTR_TO_UINT32(id
) - 1);
1226 r
= seccomp_add_secondary_archs(seccomp
);
1231 action
= c
->syscall_whitelist
? SCMP_ACT_ALLOW
: negative_action
;
1232 SET_FOREACH(id
, c
->syscall_filter
, i
) {
1233 r
= seccomp_rule_add(seccomp
, action
, PTR_TO_INT(id
) - 1, 0);
1238 r
= seccomp_attr_set(seccomp
, SCMP_FLTATR_CTL_NNP
, 0);
1242 r
= seccomp_load(seccomp
);
1245 seccomp_release(seccomp
);
1249 static int apply_address_families(const Unit
* u
, const ExecContext
*c
) {
1250 scmp_filter_ctx
*seccomp
;
1256 if (skip_seccomp_unavailable(u
, "RestrictAddressFamilies="))
1259 seccomp
= seccomp_init(SCMP_ACT_ALLOW
);
1263 r
= seccomp_add_secondary_archs(seccomp
);
1267 if (c
->address_families_whitelist
) {
1268 int af
, first
= 0, last
= 0;
1271 /* If this is a whitelist, we first block the address
1272 * families that are out of range and then everything
1273 * that is not in the set. First, we find the lowest
1274 * and highest address family in the set. */
1276 SET_FOREACH(afp
, c
->address_families
, i
) {
1277 af
= PTR_TO_INT(afp
);
1279 if (af
<= 0 || af
>= af_max())
1282 if (first
== 0 || af
< first
)
1285 if (last
== 0 || af
> last
)
1289 assert((first
== 0) == (last
== 0));
1293 /* No entries in the valid range, block everything */
1294 r
= seccomp_rule_add(
1296 SCMP_ACT_ERRNO(EPROTONOSUPPORT
),
1304 /* Block everything below the first entry */
1305 r
= seccomp_rule_add(
1307 SCMP_ACT_ERRNO(EPROTONOSUPPORT
),
1310 SCMP_A0(SCMP_CMP_LT
, first
));
1314 /* Block everything above the last entry */
1315 r
= seccomp_rule_add(
1317 SCMP_ACT_ERRNO(EPROTONOSUPPORT
),
1320 SCMP_A0(SCMP_CMP_GT
, last
));
1324 /* Block everything between the first and last
1326 for (af
= 1; af
< af_max(); af
++) {
1328 if (set_contains(c
->address_families
, INT_TO_PTR(af
)))
1331 r
= seccomp_rule_add(
1333 SCMP_ACT_ERRNO(EPROTONOSUPPORT
),
1336 SCMP_A0(SCMP_CMP_EQ
, af
));
1345 /* If this is a blacklist, then generate one rule for
1346 * each address family that are then combined in OR
1349 SET_FOREACH(af
, c
->address_families
, i
) {
1351 r
= seccomp_rule_add(
1353 SCMP_ACT_ERRNO(EPROTONOSUPPORT
),
1356 SCMP_A0(SCMP_CMP_EQ
, PTR_TO_INT(af
)));
1362 r
= seccomp_attr_set(seccomp
, SCMP_FLTATR_CTL_NNP
, 0);
1366 r
= seccomp_load(seccomp
);
1369 seccomp_release(seccomp
);
1373 static int apply_memory_deny_write_execute(const Unit
* u
, const ExecContext
*c
) {
1374 scmp_filter_ctx
*seccomp
;
1379 if (skip_seccomp_unavailable(u
, "MemoryDenyWriteExecute="))
1382 seccomp
= seccomp_init(SCMP_ACT_ALLOW
);
1386 r
= seccomp_add_secondary_archs(seccomp
);
1390 r
= seccomp_rule_add(
1392 SCMP_ACT_ERRNO(EPERM
),
1395 SCMP_A2(SCMP_CMP_MASKED_EQ
, PROT_EXEC
|PROT_WRITE
, PROT_EXEC
|PROT_WRITE
));
1399 r
= seccomp_rule_add(
1401 SCMP_ACT_ERRNO(EPERM
),
1404 SCMP_A2(SCMP_CMP_MASKED_EQ
, PROT_EXEC
, PROT_EXEC
));
1408 r
= seccomp_attr_set(seccomp
, SCMP_FLTATR_CTL_NNP
, 0);
1412 r
= seccomp_load(seccomp
);
1415 seccomp_release(seccomp
);
1419 static int apply_restrict_realtime(const Unit
* u
, const ExecContext
*c
) {
1420 static const int permitted_policies
[] = {
1426 scmp_filter_ctx
*seccomp
;
1428 int r
, p
, max_policy
= 0;
1432 if (skip_seccomp_unavailable(u
, "RestrictRealtime="))
1435 seccomp
= seccomp_init(SCMP_ACT_ALLOW
);
1439 r
= seccomp_add_secondary_archs(seccomp
);
1443 /* Determine the highest policy constant we want to allow */
1444 for (i
= 0; i
< ELEMENTSOF(permitted_policies
); i
++)
1445 if (permitted_policies
[i
] > max_policy
)
1446 max_policy
= permitted_policies
[i
];
1448 /* Go through all policies with lower values than that, and block them -- unless they appear in the
1450 for (p
= 0; p
< max_policy
; p
++) {
1453 /* Check if this is in the whitelist. */
1454 for (i
= 0; i
< ELEMENTSOF(permitted_policies
); i
++)
1455 if (permitted_policies
[i
] == p
) {
1463 /* Deny this policy */
1464 r
= seccomp_rule_add(
1466 SCMP_ACT_ERRNO(EPERM
),
1467 SCMP_SYS(sched_setscheduler
),
1469 SCMP_A1(SCMP_CMP_EQ
, p
));
1474 /* Blacklist all other policies, i.e. the ones with higher values. Note that all comparisons are unsigned here,
1475 * hence no need no check for < 0 values. */
1476 r
= seccomp_rule_add(
1478 SCMP_ACT_ERRNO(EPERM
),
1479 SCMP_SYS(sched_setscheduler
),
1481 SCMP_A1(SCMP_CMP_GT
, max_policy
));
1485 r
= seccomp_attr_set(seccomp
, SCMP_FLTATR_CTL_NNP
, 0);
1489 r
= seccomp_load(seccomp
);
1492 seccomp_release(seccomp
);
1496 static int apply_protect_sysctl(Unit
*u
, const ExecContext
*c
) {
1497 scmp_filter_ctx
*seccomp
;
1502 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1503 * let's protect even those systems where this is left on in the kernel. */
1505 if (skip_seccomp_unavailable(u
, "ProtectKernelTunables="))
1508 seccomp
= seccomp_init(SCMP_ACT_ALLOW
);
1512 r
= seccomp_add_secondary_archs(seccomp
);
1516 r
= seccomp_rule_add(
1518 SCMP_ACT_ERRNO(EPERM
),
1524 r
= seccomp_attr_set(seccomp
, SCMP_FLTATR_CTL_NNP
, 0);
1528 r
= seccomp_load(seccomp
);
1531 seccomp_release(seccomp
);
1535 static int apply_protect_kernel_modules(Unit
*u
, const ExecContext
*c
) {
1536 static const int module_syscalls
[] = {
1537 SCMP_SYS(delete_module
),
1538 SCMP_SYS(finit_module
),
1539 SCMP_SYS(init_module
),
1542 scmp_filter_ctx
*seccomp
;
1548 /* Turn of module syscalls on ProtectKernelModules=yes */
1550 if (skip_seccomp_unavailable(u
, "ProtectKernelModules="))
1553 seccomp
= seccomp_init(SCMP_ACT_ALLOW
);
1557 r
= seccomp_add_secondary_archs(seccomp
);
1561 for (i
= 0; i
< ELEMENTSOF(module_syscalls
); i
++) {
1562 r
= seccomp_rule_add(seccomp
, SCMP_ACT_ERRNO(EPERM
),
1563 module_syscalls
[i
], 0);
1568 r
= seccomp_attr_set(seccomp
, SCMP_FLTATR_CTL_NNP
, 0);
1572 r
= seccomp_load(seccomp
);
1575 seccomp_release(seccomp
);
1579 static int apply_private_devices(Unit
*u
, const ExecContext
*c
) {
1580 const SystemCallFilterSet
*set
;
1581 scmp_filter_ctx
*seccomp
;
1583 bool syscalls_found
= false;
1588 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
1590 if (skip_seccomp_unavailable(u
, "PrivateDevices="))
1593 seccomp
= seccomp_init(SCMP_ACT_ALLOW
);
1597 r
= seccomp_add_secondary_archs(seccomp
);
1601 for (set
= syscall_filter_sets
; set
->set_name
; set
++)
1602 if (streq(set
->set_name
, "@raw-io")) {
1603 syscalls_found
= true;
1607 /* We should never fail here */
1608 if (!syscalls_found
) {
1613 NULSTR_FOREACH(sys
, set
->value
) {
1617 #ifndef __NR_s390_pci_mmio_read
1618 if (streq(sys
, "s390_pci_mmio_read"))
1621 #ifndef __NR_s390_pci_mmio_write
1622 if (streq(sys
, "s390_pci_mmio_write"))
1629 id
= seccomp_syscall_resolve_name(sys
);
1631 r
= seccomp_rule_add(
1633 SCMP_ACT_ERRNO(EPERM
),
1639 r
= seccomp_attr_set(seccomp
, SCMP_FLTATR_CTL_NNP
, 0);
1643 r
= seccomp_load(seccomp
);
1646 seccomp_release(seccomp
);
1652 static void do_idle_pipe_dance(int idle_pipe
[4]) {
1655 idle_pipe
[1] = safe_close(idle_pipe
[1]);
1656 idle_pipe
[2] = safe_close(idle_pipe
[2]);
1658 if (idle_pipe
[0] >= 0) {
1661 r
= fd_wait_for_event(idle_pipe
[0], POLLHUP
, IDLE_TIMEOUT_USEC
);
1663 if (idle_pipe
[3] >= 0 && r
== 0 /* timeout */) {
1666 /* Signal systemd that we are bored and want to continue. */
1667 n
= write(idle_pipe
[3], "x", 1);
1669 /* Wait for systemd to react to the signal above. */
1670 fd_wait_for_event(idle_pipe
[0], POLLHUP
, IDLE_TIMEOUT2_USEC
);
1673 idle_pipe
[0] = safe_close(idle_pipe
[0]);
1677 idle_pipe
[3] = safe_close(idle_pipe
[3]);
1680 static int build_environment(
1682 const ExecContext
*c
,
1683 const ExecParameters
*p
,
1686 const char *username
,
1688 dev_t journal_stream_dev
,
1689 ino_t journal_stream_ino
,
1692 _cleanup_strv_free_
char **our_env
= NULL
;
1700 our_env
= new0(char*, 14);
1705 _cleanup_free_
char *joined
= NULL
;
1707 if (asprintf(&x
, "LISTEN_PID="PID_FMT
, getpid()) < 0)
1709 our_env
[n_env
++] = x
;
1711 if (asprintf(&x
, "LISTEN_FDS=%u", n_fds
) < 0)
1713 our_env
[n_env
++] = x
;
1715 joined
= strv_join(p
->fd_names
, ":");
1719 x
= strjoin("LISTEN_FDNAMES=", joined
, NULL
);
1722 our_env
[n_env
++] = x
;
1725 if ((p
->flags
& EXEC_SET_WATCHDOG
) && p
->watchdog_usec
> 0) {
1726 if (asprintf(&x
, "WATCHDOG_PID="PID_FMT
, getpid()) < 0)
1728 our_env
[n_env
++] = x
;
1730 if (asprintf(&x
, "WATCHDOG_USEC="USEC_FMT
, p
->watchdog_usec
) < 0)
1732 our_env
[n_env
++] = x
;
1735 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1736 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1737 * check the database directly. */
1738 if (unit_has_name(u
, SPECIAL_DBUS_SERVICE
)) {
1739 x
= strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1742 our_env
[n_env
++] = x
;
1746 x
= strappend("HOME=", home
);
1749 our_env
[n_env
++] = x
;
1753 x
= strappend("LOGNAME=", username
);
1756 our_env
[n_env
++] = x
;
1758 x
= strappend("USER=", username
);
1761 our_env
[n_env
++] = x
;
1765 x
= strappend("SHELL=", shell
);
1768 our_env
[n_env
++] = x
;
1771 if (!sd_id128_is_null(u
->invocation_id
)) {
1772 if (asprintf(&x
, "INVOCATION_ID=" SD_ID128_FORMAT_STR
, SD_ID128_FORMAT_VAL(u
->invocation_id
)) < 0)
1775 our_env
[n_env
++] = x
;
1778 if (exec_context_needs_term(c
)) {
1779 const char *tty_path
, *term
= NULL
;
1781 tty_path
= exec_context_tty_path(c
);
1783 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try to inherit
1784 * the $TERM set for PID 1. This is useful for containers so that the $TERM the container manager
1785 * passes to PID 1 ends up all the way in the console login shown. */
1787 if (path_equal(tty_path
, "/dev/console") && getppid() == 1)
1788 term
= getenv("TERM");
1790 term
= default_term_for_tty(tty_path
);
1792 x
= strappend("TERM=", term
);
1795 our_env
[n_env
++] = x
;
1798 if (journal_stream_dev
!= 0 && journal_stream_ino
!= 0) {
1799 if (asprintf(&x
, "JOURNAL_STREAM=" DEV_FMT
":" INO_FMT
, journal_stream_dev
, journal_stream_ino
) < 0)
1802 our_env
[n_env
++] = x
;
1805 our_env
[n_env
++] = NULL
;
1806 assert(n_env
<= 12);
1814 static int build_pass_environment(const ExecContext
*c
, char ***ret
) {
1815 _cleanup_strv_free_
char **pass_env
= NULL
;
1816 size_t n_env
= 0, n_bufsize
= 0;
1819 STRV_FOREACH(i
, c
->pass_environment
) {
1820 _cleanup_free_
char *x
= NULL
;
1826 x
= strjoin(*i
, "=", v
, NULL
);
1829 if (!GREEDY_REALLOC(pass_env
, n_bufsize
, n_env
+ 2))
1831 pass_env
[n_env
++] = x
;
1832 pass_env
[n_env
] = NULL
;
1842 static bool exec_needs_mount_namespace(
1843 const ExecContext
*context
,
1844 const ExecParameters
*params
,
1845 ExecRuntime
*runtime
) {
1850 if (!strv_isempty(context
->read_write_paths
) ||
1851 !strv_isempty(context
->read_only_paths
) ||
1852 !strv_isempty(context
->inaccessible_paths
))
1855 if (context
->mount_flags
!= 0)
1858 if (context
->private_tmp
&& runtime
&& (runtime
->tmp_dir
|| runtime
->var_tmp_dir
))
1861 if (context
->private_devices
||
1862 context
->protect_system
!= PROTECT_SYSTEM_NO
||
1863 context
->protect_home
!= PROTECT_HOME_NO
||
1864 context
->protect_kernel_tunables
||
1865 context
->protect_kernel_modules
||
1866 context
->protect_control_groups
)
1872 static int setup_private_users(uid_t uid
, gid_t gid
) {
1873 _cleanup_free_
char *uid_map
= NULL
, *gid_map
= NULL
;
1874 _cleanup_close_pair_
int errno_pipe
[2] = { -1, -1 };
1875 _cleanup_close_
int unshare_ready_fd
= -1;
1876 _cleanup_(sigkill_waitp
) pid_t pid
= 0;
1882 /* Set up a user namespace and map root to root, the selected UID/GID to itself, and everything else to
1883 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1884 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1885 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1886 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
1887 * continues execution normally. */
1889 if (uid
!= 0 && uid_is_valid(uid
))
1891 "0 0 1\n" /* Map root → root */
1892 UID_FMT
" " UID_FMT
" 1\n", /* Map $UID → $UID */
1893 uid
, uid
); /* The case where the above is the same */
1895 uid_map
= strdup("0 0 1\n");
1899 if (gid
!= 0 && gid_is_valid(gid
))
1901 "0 0 1\n" /* Map root → root */
1902 GID_FMT
" " GID_FMT
" 1\n", /* Map $GID → $GID */
1905 gid_map
= strdup("0 0 1\n"); /* The case where the above is the same */
1909 /* Create a communication channel so that the parent can tell the child when it finished creating the user
1911 unshare_ready_fd
= eventfd(0, EFD_CLOEXEC
);
1912 if (unshare_ready_fd
< 0)
1915 /* Create a communication channel so that the child can tell the parent a proper error code in case it
1917 if (pipe2(errno_pipe
, O_CLOEXEC
) < 0)
1925 _cleanup_close_
int fd
= -1;
1929 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
1930 * here, after the parent opened its own user namespace. */
1933 errno_pipe
[0] = safe_close(errno_pipe
[0]);
1935 /* Wait until the parent unshared the user namespace */
1936 if (read(unshare_ready_fd
, &c
, sizeof(c
)) < 0) {
1941 /* Disable the setgroups() system call in the child user namespace, for good. */
1942 a
= procfs_file_alloca(ppid
, "setgroups");
1943 fd
= open(a
, O_WRONLY
|O_CLOEXEC
);
1945 if (errno
!= ENOENT
) {
1950 /* If the file is missing the kernel is too old, let's continue anyway. */
1952 if (write(fd
, "deny\n", 5) < 0) {
1957 fd
= safe_close(fd
);
1960 /* First write the GID map */
1961 a
= procfs_file_alloca(ppid
, "gid_map");
1962 fd
= open(a
, O_WRONLY
|O_CLOEXEC
);
1967 if (write(fd
, gid_map
, strlen(gid_map
)) < 0) {
1971 fd
= safe_close(fd
);
1973 /* The write the UID map */
1974 a
= procfs_file_alloca(ppid
, "uid_map");
1975 fd
= open(a
, O_WRONLY
|O_CLOEXEC
);
1980 if (write(fd
, uid_map
, strlen(uid_map
)) < 0) {
1985 _exit(EXIT_SUCCESS
);
1988 (void) write(errno_pipe
[1], &r
, sizeof(r
));
1989 _exit(EXIT_FAILURE
);
1992 errno_pipe
[1] = safe_close(errno_pipe
[1]);
1994 if (unshare(CLONE_NEWUSER
) < 0)
1997 /* Let the child know that the namespace is ready now */
1998 if (write(unshare_ready_fd
, &c
, sizeof(c
)) < 0)
2001 /* Try to read an error code from the child */
2002 n
= read(errno_pipe
[0], &r
, sizeof(r
));
2005 if (n
== sizeof(r
)) { /* an error code was sent to us */
2010 if (n
!= 0) /* on success we should have read 0 bytes */
2013 r
= wait_for_terminate(pid
, &si
);
2018 /* If something strange happened with the child, let's consider this fatal, too */
2019 if (si
.si_code
!= CLD_EXITED
|| si
.si_status
!= 0)
2025 static int setup_runtime_directory(
2026 const ExecContext
*context
,
2027 const ExecParameters
*params
,
2037 STRV_FOREACH(rt
, context
->runtime_directory
) {
2038 _cleanup_free_
char *p
;
2040 p
= strjoin(params
->runtime_prefix
, "/", *rt
, NULL
);
2044 r
= mkdir_p_label(p
, context
->runtime_directory_mode
);
2048 r
= chmod_and_chown(p
, context
->runtime_directory_mode
, uid
, gid
);
2056 static int setup_smack(
2057 const ExecContext
*context
,
2058 const ExecCommand
*command
) {
2066 if (!mac_smack_use())
2069 if (context
->smack_process_label
) {
2070 r
= mac_smack_apply_pid(0, context
->smack_process_label
);
2074 #ifdef SMACK_DEFAULT_PROCESS_LABEL
2076 _cleanup_free_
char *exec_label
= NULL
;
2078 r
= mac_smack_read(command
->path
, SMACK_ATTR_EXEC
, &exec_label
);
2079 if (r
< 0 && r
!= -ENODATA
&& r
!= -EOPNOTSUPP
)
2082 r
= mac_smack_apply_pid(0, exec_label
? : SMACK_DEFAULT_PROCESS_LABEL
);
2092 static int compile_read_write_paths(
2093 const ExecContext
*context
,
2094 const ExecParameters
*params
,
2097 _cleanup_strv_free_
char **l
= NULL
;
2100 /* Compile the list of writable paths. This is the combination of the explicitly configured paths, plus all
2101 * runtime directories. */
2103 if (strv_isempty(context
->read_write_paths
) &&
2104 strv_isempty(context
->runtime_directory
)) {
2105 *ret
= NULL
; /* NOP if neither is set */
2109 l
= strv_copy(context
->read_write_paths
);
2113 STRV_FOREACH(rt
, context
->runtime_directory
) {
2116 s
= strjoin(params
->runtime_prefix
, "/", *rt
, NULL
);
2120 if (strv_consume(&l
, s
) < 0)
2130 static void append_socket_pair(int *array
, unsigned *n
, int pair
[2]) {
2138 array
[(*n
)++] = pair
[0];
2140 array
[(*n
)++] = pair
[1];
2143 static int close_remaining_fds(
2144 const ExecParameters
*params
,
2145 ExecRuntime
*runtime
,
2146 DynamicCreds
*dcreds
,
2149 int *fds
, unsigned n_fds
) {
2151 unsigned n_dont_close
= 0;
2152 int dont_close
[n_fds
+ 12];
2156 if (params
->stdin_fd
>= 0)
2157 dont_close
[n_dont_close
++] = params
->stdin_fd
;
2158 if (params
->stdout_fd
>= 0)
2159 dont_close
[n_dont_close
++] = params
->stdout_fd
;
2160 if (params
->stderr_fd
>= 0)
2161 dont_close
[n_dont_close
++] = params
->stderr_fd
;
2164 dont_close
[n_dont_close
++] = socket_fd
;
2166 memcpy(dont_close
+ n_dont_close
, fds
, sizeof(int) * n_fds
);
2167 n_dont_close
+= n_fds
;
2171 append_socket_pair(dont_close
, &n_dont_close
, runtime
->netns_storage_socket
);
2175 append_socket_pair(dont_close
, &n_dont_close
, dcreds
->user
->storage_socket
);
2177 append_socket_pair(dont_close
, &n_dont_close
, dcreds
->group
->storage_socket
);
2180 if (user_lookup_fd
>= 0)
2181 dont_close
[n_dont_close
++] = user_lookup_fd
;
2183 return close_all_fds(dont_close
, n_dont_close
);
2186 static bool context_has_address_families(const ExecContext
*c
) {
2189 return c
->address_families_whitelist
||
2190 !set_isempty(c
->address_families
);
2193 static bool context_has_syscall_filters(const ExecContext
*c
) {
2196 return c
->syscall_whitelist
||
2197 !set_isempty(c
->syscall_filter
) ||
2198 !set_isempty(c
->syscall_archs
);
2201 static bool context_has_no_new_privileges(const ExecContext
*c
) {
2204 if (c
->no_new_privileges
)
2207 if (have_effective_cap(CAP_SYS_ADMIN
)) /* if we are privileged, we don't need NNP */
2210 return context_has_address_families(c
) || /* we need NNP if we have any form of seccomp and are unprivileged */
2211 c
->memory_deny_write_execute
||
2212 c
->restrict_realtime
||
2213 c
->protect_kernel_tunables
||
2214 c
->protect_kernel_modules
||
2215 c
->private_devices
||
2216 context_has_syscall_filters(c
);
2219 static int send_user_lookup(
2227 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
2228 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
2231 if (user_lookup_fd
< 0)
2234 if (!uid_is_valid(uid
) && !gid_is_valid(gid
))
2237 if (writev(user_lookup_fd
,
2239 { .iov_base
= &uid
, .iov_len
= sizeof(uid
) },
2240 { .iov_base
= &gid
, .iov_len
= sizeof(gid
) },
2241 { .iov_base
= unit
->id
, .iov_len
= strlen(unit
->id
) }}, 3) < 0)
2247 static int exec_child(
2249 ExecCommand
*command
,
2250 const ExecContext
*context
,
2251 const ExecParameters
*params
,
2252 ExecRuntime
*runtime
,
2253 DynamicCreds
*dcreds
,
2257 int *fds
, unsigned n_fds
,
2262 _cleanup_strv_free_
char **our_env
= NULL
, **pass_env
= NULL
, **accum_env
= NULL
, **final_argv
= NULL
;
2263 _cleanup_free_
char *mac_selinux_context_net
= NULL
;
2264 _cleanup_free_ gid_t
*supplementary_gids
= NULL
;
2265 const char *username
= NULL
, *groupname
= NULL
;
2266 const char *home
= NULL
, *shell
= NULL
, *wd
;
2267 dev_t journal_stream_dev
= 0;
2268 ino_t journal_stream_ino
= 0;
2269 bool needs_mount_namespace
;
2270 uid_t uid
= UID_INVALID
;
2271 gid_t gid
= GID_INVALID
;
2272 int i
, r
, ngids
= 0;
2278 assert(exit_status
);
2280 rename_process_from_path(command
->path
);
2282 /* We reset exactly these signals, since they are the
2283 * only ones we set to SIG_IGN in the main daemon. All
2284 * others we leave untouched because we set them to
2285 * SIG_DFL or a valid handler initially, both of which
2286 * will be demoted to SIG_DFL. */
2287 (void) default_signals(SIGNALS_CRASH_HANDLER
,
2288 SIGNALS_IGNORE
, -1);
2290 if (context
->ignore_sigpipe
)
2291 (void) ignore_signals(SIGPIPE
, -1);
2293 r
= reset_signal_mask();
2295 *exit_status
= EXIT_SIGNAL_MASK
;
2299 if (params
->idle_pipe
)
2300 do_idle_pipe_dance(params
->idle_pipe
);
2302 /* Close sockets very early to make sure we don't
2303 * block init reexecution because it cannot bind its
2308 r
= close_remaining_fds(params
, runtime
, dcreds
, user_lookup_fd
, socket_fd
, fds
, n_fds
);
2310 *exit_status
= EXIT_FDS
;
2314 if (!context
->same_pgrp
)
2316 *exit_status
= EXIT_SETSID
;
2320 exec_context_tty_reset(context
, params
);
2322 if (params
->flags
& EXEC_CONFIRM_SPAWN
) {
2325 r
= ask_for_confirmation(&response
, argv
);
2326 if (r
== -ETIMEDOUT
)
2327 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
2329 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-r
));
2330 else if (response
== 's') {
2331 write_confirm_message("Skipping execution.\n");
2332 *exit_status
= EXIT_CONFIRM
;
2334 } else if (response
== 'n') {
2335 write_confirm_message("Failing execution.\n");
2341 if (context
->dynamic_user
&& dcreds
) {
2343 /* Make sure we bypass our own NSS module for any NSS checks */
2344 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
2345 *exit_status
= EXIT_USER
;
2349 r
= dynamic_creds_realize(dcreds
, &uid
, &gid
);
2351 *exit_status
= EXIT_USER
;
2355 if (!uid_is_valid(uid
) || !gid_is_valid(gid
)) {
2356 *exit_status
= EXIT_USER
;
2361 username
= dcreds
->user
->name
;
2364 r
= get_fixed_user(context
, &username
, &uid
, &gid
, &home
, &shell
);
2366 *exit_status
= EXIT_USER
;
2370 r
= get_fixed_group(context
, &groupname
, &gid
);
2372 *exit_status
= EXIT_GROUP
;
2376 r
= get_fixed_supplementary_groups(context
, username
, groupname
,
2377 gid
, &supplementary_gids
, &ngids
);
2379 *exit_status
= EXIT_GROUP
;
2384 r
= send_user_lookup(unit
, user_lookup_fd
, uid
, gid
);
2386 *exit_status
= EXIT_USER
;
2390 user_lookup_fd
= safe_close(user_lookup_fd
);
2392 /* If a socket is connected to STDIN/STDOUT/STDERR, we
2393 * must sure to drop O_NONBLOCK */
2395 (void) fd_nonblock(socket_fd
, false);
2397 r
= setup_input(context
, params
, socket_fd
, named_iofds
);
2399 *exit_status
= EXIT_STDIN
;
2403 r
= setup_output(unit
, context
, params
, STDOUT_FILENO
, socket_fd
, named_iofds
, basename(command
->path
), uid
, gid
, &journal_stream_dev
, &journal_stream_ino
);
2405 *exit_status
= EXIT_STDOUT
;
2409 r
= setup_output(unit
, context
, params
, STDERR_FILENO
, socket_fd
, named_iofds
, basename(command
->path
), uid
, gid
, &journal_stream_dev
, &journal_stream_ino
);
2411 *exit_status
= EXIT_STDERR
;
2415 if (params
->cgroup_path
) {
2416 r
= cg_attach_everywhere(params
->cgroup_supported
, params
->cgroup_path
, 0, NULL
, NULL
);
2418 *exit_status
= EXIT_CGROUP
;
2423 if (context
->oom_score_adjust_set
) {
2424 char t
[DECIMAL_STR_MAX(context
->oom_score_adjust
)];
2426 /* When we can't make this change due to EPERM, then
2427 * let's silently skip over it. User namespaces
2428 * prohibit write access to this file, and we
2429 * shouldn't trip up over that. */
2431 sprintf(t
, "%i", context
->oom_score_adjust
);
2432 r
= write_string_file("/proc/self/oom_score_adj", t
, 0);
2433 if (r
== -EPERM
|| r
== -EACCES
) {
2435 log_unit_debug_errno(unit
, r
, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
2438 *exit_status
= EXIT_OOM_ADJUST
;
2443 if (context
->nice_set
)
2444 if (setpriority(PRIO_PROCESS
, 0, context
->nice
) < 0) {
2445 *exit_status
= EXIT_NICE
;
2449 if (context
->cpu_sched_set
) {
2450 struct sched_param param
= {
2451 .sched_priority
= context
->cpu_sched_priority
,
2454 r
= sched_setscheduler(0,
2455 context
->cpu_sched_policy
|
2456 (context
->cpu_sched_reset_on_fork
?
2457 SCHED_RESET_ON_FORK
: 0),
2460 *exit_status
= EXIT_SETSCHEDULER
;
2465 if (context
->cpuset
)
2466 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context
->cpuset_ncpus
), context
->cpuset
) < 0) {
2467 *exit_status
= EXIT_CPUAFFINITY
;
2471 if (context
->ioprio_set
)
2472 if (ioprio_set(IOPRIO_WHO_PROCESS
, 0, context
->ioprio
) < 0) {
2473 *exit_status
= EXIT_IOPRIO
;
2477 if (context
->timer_slack_nsec
!= NSEC_INFINITY
)
2478 if (prctl(PR_SET_TIMERSLACK
, context
->timer_slack_nsec
) < 0) {
2479 *exit_status
= EXIT_TIMERSLACK
;
2483 if (context
->personality
!= PERSONALITY_INVALID
)
2484 if (personality(context
->personality
) < 0) {
2485 *exit_status
= EXIT_PERSONALITY
;
2489 if (context
->utmp_id
)
2490 utmp_put_init_process(context
->utmp_id
, getpid(), getsid(0), context
->tty_path
,
2491 context
->utmp_mode
== EXEC_UTMP_INIT
? INIT_PROCESS
:
2492 context
->utmp_mode
== EXEC_UTMP_LOGIN
? LOGIN_PROCESS
:
2494 username
? "root" : context
->user
);
2496 if (context
->user
) {
2497 r
= chown_terminal(STDIN_FILENO
, uid
);
2499 *exit_status
= EXIT_STDIN
;
2504 /* If delegation is enabled we'll pass ownership of the cgroup
2505 * (but only in systemd's own controller hierarchy!) to the
2506 * user of the new process. */
2507 if (params
->cgroup_path
&& context
->user
&& params
->cgroup_delegate
) {
2508 r
= cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER
, params
->cgroup_path
, 0644, uid
, gid
);
2510 *exit_status
= EXIT_CGROUP
;
2515 r
= cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER
, params
->cgroup_path
, 0755, uid
, gid
);
2517 *exit_status
= EXIT_CGROUP
;
2522 if (!strv_isempty(context
->runtime_directory
) && params
->runtime_prefix
) {
2523 r
= setup_runtime_directory(context
, params
, uid
, gid
);
2525 *exit_status
= EXIT_RUNTIME_DIRECTORY
;
2530 r
= build_environment(
2542 *exit_status
= EXIT_MEMORY
;
2546 r
= build_pass_environment(context
, &pass_env
);
2548 *exit_status
= EXIT_MEMORY
;
2552 accum_env
= strv_env_merge(5,
2553 params
->environment
,
2556 context
->environment
,
2560 *exit_status
= EXIT_MEMORY
;
2563 accum_env
= strv_env_clean(accum_env
);
2565 (void) umask(context
->umask
);
2567 if ((params
->flags
& EXEC_APPLY_PERMISSIONS
) && !command
->privileged
) {
2568 r
= setup_smack(context
, command
);
2570 *exit_status
= EXIT_SMACK_PROCESS_LABEL
;
2574 if (context
->pam_name
&& username
) {
2575 r
= setup_pam(context
->pam_name
, username
, uid
, gid
, context
->tty_path
, &accum_env
, fds
, n_fds
);
2577 *exit_status
= EXIT_PAM
;
2583 if (context
->private_network
&& runtime
&& runtime
->netns_storage_socket
[0] >= 0) {
2584 r
= setup_netns(runtime
->netns_storage_socket
);
2586 *exit_status
= EXIT_NETWORK
;
2591 needs_mount_namespace
= exec_needs_mount_namespace(context
, params
, runtime
);
2592 if (needs_mount_namespace
) {
2593 _cleanup_free_
char **rw
= NULL
;
2594 char *tmp
= NULL
, *var
= NULL
;
2595 NameSpaceInfo ns_info
= {
2596 .private_dev
= context
->private_devices
,
2597 .protect_control_groups
= context
->protect_control_groups
,
2598 .protect_kernel_tunables
= context
->protect_kernel_tunables
,
2599 .protect_kernel_modules
= context
->protect_kernel_modules
,
2602 /* The runtime struct only contains the parent
2603 * of the private /tmp, which is
2604 * non-accessible to world users. Inside of it
2605 * there's a /tmp that is sticky, and that's
2606 * the one we want to use here. */
2608 if (context
->private_tmp
&& runtime
) {
2609 if (runtime
->tmp_dir
)
2610 tmp
= strjoina(runtime
->tmp_dir
, "/tmp");
2611 if (runtime
->var_tmp_dir
)
2612 var
= strjoina(runtime
->var_tmp_dir
, "/tmp");
2615 r
= compile_read_write_paths(context
, params
, &rw
);
2617 *exit_status
= EXIT_NAMESPACE
;
2621 r
= setup_namespace(
2622 (params
->flags
& EXEC_APPLY_CHROOT
) ? context
->root_directory
: NULL
,
2625 context
->read_only_paths
,
2626 context
->inaccessible_paths
,
2629 context
->protect_home
,
2630 context
->protect_system
,
2631 context
->mount_flags
);
2633 /* If we couldn't set up the namespace this is
2634 * probably due to a missing capability. In this case,
2635 * silently proceeed. */
2636 if (r
== -EPERM
|| r
== -EACCES
) {
2638 log_unit_debug_errno(unit
, r
, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
2641 *exit_status
= EXIT_NAMESPACE
;
2646 if (context
->working_directory_home
)
2648 else if (context
->working_directory
)
2649 wd
= context
->working_directory
;
2653 /* Drop group as early as possbile */
2654 if ((params
->flags
& EXEC_APPLY_PERMISSIONS
) && !command
->privileged
) {
2655 r
= enforce_groups(context
, gid
, supplementary_gids
, ngids
);
2657 *exit_status
= EXIT_GROUP
;
2662 if (params
->flags
& EXEC_APPLY_CHROOT
) {
2663 if (!needs_mount_namespace
&& context
->root_directory
)
2664 if (chroot(context
->root_directory
) < 0) {
2665 *exit_status
= EXIT_CHROOT
;
2669 if (chdir(wd
) < 0 &&
2670 !context
->working_directory_missing_ok
) {
2671 *exit_status
= EXIT_CHDIR
;
2677 d
= strjoina(strempty(context
->root_directory
), "/", strempty(wd
));
2679 !context
->working_directory_missing_ok
) {
2680 *exit_status
= EXIT_CHDIR
;
2686 if ((params
->flags
& EXEC_APPLY_PERMISSIONS
) &&
2687 mac_selinux_use() &&
2688 params
->selinux_context_net
&&
2690 !command
->privileged
) {
2692 r
= mac_selinux_get_child_mls_label(socket_fd
, command
->path
, context
->selinux_context
, &mac_selinux_context_net
);
2694 *exit_status
= EXIT_SELINUX_CONTEXT
;
2700 if ((params
->flags
& EXEC_APPLY_PERMISSIONS
) && context
->private_users
) {
2701 r
= setup_private_users(uid
, gid
);
2703 *exit_status
= EXIT_USER
;
2708 /* We repeat the fd closing here, to make sure that
2709 * nothing is leaked from the PAM modules. Note that
2710 * we are more aggressive this time since socket_fd
2711 * and the netns fds we don't need anymore. The custom
2712 * endpoint fd was needed to upload the policy and can
2713 * now be closed as well. */
2714 r
= close_all_fds(fds
, n_fds
);
2716 r
= shift_fds(fds
, n_fds
);
2718 r
= flags_fds(fds
, n_fds
, context
->non_blocking
);
2720 *exit_status
= EXIT_FDS
;
2724 if ((params
->flags
& EXEC_APPLY_PERMISSIONS
) && !command
->privileged
) {
2726 int secure_bits
= context
->secure_bits
;
2728 for (i
= 0; i
< _RLIMIT_MAX
; i
++) {
2730 if (!context
->rlimit
[i
])
2733 r
= setrlimit_closest(i
, context
->rlimit
[i
]);
2735 *exit_status
= EXIT_LIMITS
;
2740 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */
2741 if (context
->restrict_realtime
&& !context
->rlimit
[RLIMIT_RTPRIO
]) {
2742 if (setrlimit(RLIMIT_RTPRIO
, &RLIMIT_MAKE_CONST(0)) < 0) {
2743 *exit_status
= EXIT_LIMITS
;
2748 if (!cap_test_all(context
->capability_bounding_set
)) {
2749 r
= capability_bounding_set_drop(context
->capability_bounding_set
, false);
2751 *exit_status
= EXIT_CAPABILITIES
;
2756 /* This is done before enforce_user, but ambient set
2757 * does not survive over setresuid() if keep_caps is not set. */
2758 if (context
->capability_ambient_set
!= 0) {
2759 r
= capability_ambient_set_apply(context
->capability_ambient_set
, true);
2761 *exit_status
= EXIT_CAPABILITIES
;
2766 if (context
->user
) {
2767 r
= enforce_user(context
, uid
);
2769 *exit_status
= EXIT_USER
;
2772 if (context
->capability_ambient_set
!= 0) {
2774 /* Fix the ambient capabilities after user change. */
2775 r
= capability_ambient_set_apply(context
->capability_ambient_set
, false);
2777 *exit_status
= EXIT_CAPABILITIES
;
2781 /* If we were asked to change user and ambient capabilities
2782 * were requested, we had to add keep-caps to the securebits
2783 * so that we would maintain the inherited capability set
2784 * through the setresuid(). Make sure that the bit is added
2785 * also to the context secure_bits so that we don't try to
2786 * drop the bit away next. */
2788 secure_bits
|= 1<<SECURE_KEEP_CAPS
;
2792 /* PR_GET_SECUREBITS is not privileged, while
2793 * PR_SET_SECUREBITS is. So to suppress
2794 * potential EPERMs we'll try not to call
2795 * PR_SET_SECUREBITS unless necessary. */
2796 if (prctl(PR_GET_SECUREBITS
) != secure_bits
)
2797 if (prctl(PR_SET_SECUREBITS
, secure_bits
) < 0) {
2798 *exit_status
= EXIT_SECUREBITS
;
2802 if (context_has_no_new_privileges(context
))
2803 if (prctl(PR_SET_NO_NEW_PRIVS
, 1, 0, 0, 0) < 0) {
2804 *exit_status
= EXIT_NO_NEW_PRIVILEGES
;
2809 if (context_has_address_families(context
)) {
2810 r
= apply_address_families(unit
, context
);
2812 *exit_status
= EXIT_ADDRESS_FAMILIES
;
2817 if (context
->memory_deny_write_execute
) {
2818 r
= apply_memory_deny_write_execute(unit
, context
);
2820 *exit_status
= EXIT_SECCOMP
;
2825 if (context
->restrict_realtime
) {
2826 r
= apply_restrict_realtime(unit
, context
);
2828 *exit_status
= EXIT_SECCOMP
;
2833 if (context
->protect_kernel_tunables
) {
2834 r
= apply_protect_sysctl(unit
, context
);
2836 *exit_status
= EXIT_SECCOMP
;
2841 if (context
->protect_kernel_modules
) {
2842 r
= apply_protect_kernel_modules(unit
, context
);
2844 *exit_status
= EXIT_SECCOMP
;
2849 if (context
->private_devices
) {
2850 r
= apply_private_devices(unit
, context
);
2852 *exit_status
= EXIT_SECCOMP
;
2857 if (context_has_syscall_filters(context
)) {
2858 r
= apply_seccomp(unit
, context
);
2860 *exit_status
= EXIT_SECCOMP
;
2867 if (mac_selinux_use()) {
2868 char *exec_context
= mac_selinux_context_net
?: context
->selinux_context
;
2871 r
= setexeccon(exec_context
);
2873 *exit_status
= EXIT_SELINUX_CONTEXT
;
2880 #ifdef HAVE_APPARMOR
2881 if (context
->apparmor_profile
&& mac_apparmor_use()) {
2882 r
= aa_change_onexec(context
->apparmor_profile
);
2883 if (r
< 0 && !context
->apparmor_profile_ignore
) {
2884 *exit_status
= EXIT_APPARMOR_PROFILE
;
2891 final_argv
= replace_env_argv(argv
, accum_env
);
2893 *exit_status
= EXIT_MEMORY
;
2897 if (_unlikely_(log_get_max_level() >= LOG_DEBUG
)) {
2898 _cleanup_free_
char *line
;
2900 line
= exec_command_line(final_argv
);
2903 log_struct(LOG_DEBUG
,
2905 "EXECUTABLE=%s", command
->path
,
2906 LOG_UNIT_MESSAGE(unit
, "Executing: %s", line
),
2912 execve(command
->path
, final_argv
, accum_env
);
2913 *exit_status
= EXIT_EXEC
;
2917 int exec_spawn(Unit
*unit
,
2918 ExecCommand
*command
,
2919 const ExecContext
*context
,
2920 const ExecParameters
*params
,
2921 ExecRuntime
*runtime
,
2922 DynamicCreds
*dcreds
,
2925 _cleanup_strv_free_
char **files_env
= NULL
;
2926 int *fds
= NULL
; unsigned n_fds
= 0;
2927 _cleanup_free_
char *line
= NULL
;
2929 int named_iofds
[3] = { -1, -1, -1 };
2938 assert(params
->fds
|| params
->n_fds
<= 0);
2940 if (context
->std_input
== EXEC_INPUT_SOCKET
||
2941 context
->std_output
== EXEC_OUTPUT_SOCKET
||
2942 context
->std_error
== EXEC_OUTPUT_SOCKET
) {
2944 if (params
->n_fds
!= 1) {
2945 log_unit_error(unit
, "Got more than one socket.");
2949 socket_fd
= params
->fds
[0];
2953 n_fds
= params
->n_fds
;
2956 r
= exec_context_named_iofds(unit
, context
, params
, named_iofds
);
2958 return log_unit_error_errno(unit
, r
, "Failed to load a named file descriptor: %m");
2960 r
= exec_context_load_environment(unit
, context
, &files_env
);
2962 return log_unit_error_errno(unit
, r
, "Failed to load environment files: %m");
2964 argv
= params
->argv
?: command
->argv
;
2965 line
= exec_command_line(argv
);
2969 log_struct(LOG_DEBUG
,
2971 LOG_UNIT_MESSAGE(unit
, "About to execute: %s", line
),
2972 "EXECUTABLE=%s", command
->path
,
2976 return log_unit_error_errno(unit
, errno
, "Failed to fork: %m");
2981 r
= exec_child(unit
,
2992 unit
->manager
->user_lookup_fds
[1],
2996 log_struct_errno(LOG_ERR
, r
,
2997 LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED
),
2999 LOG_UNIT_MESSAGE(unit
, "Failed at step %s spawning %s: %m",
3000 exit_status_to_string(exit_status
, EXIT_STATUS_SYSTEMD
),
3002 "EXECUTABLE=%s", command
->path
,
3009 log_unit_debug(unit
, "Forked %s as "PID_FMT
, command
->path
, pid
);
3011 /* We add the new process to the cgroup both in the child (so
3012 * that we can be sure that no user code is ever executed
3013 * outside of the cgroup) and in the parent (so that we can be
3014 * sure that when we kill the cgroup the process will be
3016 if (params
->cgroup_path
)
3017 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER
, params
->cgroup_path
, pid
);
3019 exec_status_start(&command
->exec_status
, pid
);
3025 void exec_context_init(ExecContext
*c
) {
3029 c
->ioprio
= IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE
, 0);
3030 c
->cpu_sched_policy
= SCHED_OTHER
;
3031 c
->syslog_priority
= LOG_DAEMON
|LOG_INFO
;
3032 c
->syslog_level_prefix
= true;
3033 c
->ignore_sigpipe
= true;
3034 c
->timer_slack_nsec
= NSEC_INFINITY
;
3035 c
->personality
= PERSONALITY_INVALID
;
3036 c
->runtime_directory_mode
= 0755;
3037 c
->capability_bounding_set
= CAP_ALL
;
3040 void exec_context_done(ExecContext
*c
) {
3045 c
->environment
= strv_free(c
->environment
);
3046 c
->environment_files
= strv_free(c
->environment_files
);
3047 c
->pass_environment
= strv_free(c
->pass_environment
);
3049 for (l
= 0; l
< ELEMENTSOF(c
->rlimit
); l
++)
3050 c
->rlimit
[l
] = mfree(c
->rlimit
[l
]);
3052 for (l
= 0; l
< 3; l
++)
3053 c
->stdio_fdname
[l
] = mfree(c
->stdio_fdname
[l
]);
3055 c
->working_directory
= mfree(c
->working_directory
);
3056 c
->root_directory
= mfree(c
->root_directory
);
3057 c
->tty_path
= mfree(c
->tty_path
);
3058 c
->syslog_identifier
= mfree(c
->syslog_identifier
);
3059 c
->user
= mfree(c
->user
);
3060 c
->group
= mfree(c
->group
);
3062 c
->supplementary_groups
= strv_free(c
->supplementary_groups
);
3064 c
->pam_name
= mfree(c
->pam_name
);
3066 c
->read_only_paths
= strv_free(c
->read_only_paths
);
3067 c
->read_write_paths
= strv_free(c
->read_write_paths
);
3068 c
->inaccessible_paths
= strv_free(c
->inaccessible_paths
);
3071 CPU_FREE(c
->cpuset
);
3073 c
->utmp_id
= mfree(c
->utmp_id
);
3074 c
->selinux_context
= mfree(c
->selinux_context
);
3075 c
->apparmor_profile
= mfree(c
->apparmor_profile
);
3077 c
->syscall_filter
= set_free(c
->syscall_filter
);
3078 c
->syscall_archs
= set_free(c
->syscall_archs
);
3079 c
->address_families
= set_free(c
->address_families
);
3081 c
->runtime_directory
= strv_free(c
->runtime_directory
);
3084 int exec_context_destroy_runtime_directory(ExecContext
*c
, const char *runtime_prefix
) {
3089 if (!runtime_prefix
)
3092 STRV_FOREACH(i
, c
->runtime_directory
) {
3093 _cleanup_free_
char *p
;
3095 p
= strjoin(runtime_prefix
, "/", *i
, NULL
);
3099 /* We execute this synchronously, since we need to be
3100 * sure this is gone when we start the service
3102 (void) rm_rf(p
, REMOVE_ROOT
);
3108 void exec_command_done(ExecCommand
*c
) {
3111 c
->path
= mfree(c
->path
);
3113 c
->argv
= strv_free(c
->argv
);
3116 void exec_command_done_array(ExecCommand
*c
, unsigned n
) {
3119 for (i
= 0; i
< n
; i
++)
3120 exec_command_done(c
+i
);
3123 ExecCommand
* exec_command_free_list(ExecCommand
*c
) {
3127 LIST_REMOVE(command
, c
, i
);
3128 exec_command_done(i
);
3135 void exec_command_free_array(ExecCommand
**c
, unsigned n
) {
3138 for (i
= 0; i
< n
; i
++)
3139 c
[i
] = exec_command_free_list(c
[i
]);
3142 typedef struct InvalidEnvInfo
{
3147 static void invalid_env(const char *p
, void *userdata
) {
3148 InvalidEnvInfo
*info
= userdata
;
3150 log_unit_error(info
->unit
, "Ignoring invalid environment assignment '%s': %s", p
, info
->path
);
3153 const char* exec_context_fdname(const ExecContext
*c
, int fd_index
) {
3158 if (c
->std_input
!= EXEC_INPUT_NAMED_FD
)
3160 return c
->stdio_fdname
[STDIN_FILENO
] ?: "stdin";
3162 if (c
->std_output
!= EXEC_OUTPUT_NAMED_FD
)
3164 return c
->stdio_fdname
[STDOUT_FILENO
] ?: "stdout";
3166 if (c
->std_error
!= EXEC_OUTPUT_NAMED_FD
)
3168 return c
->stdio_fdname
[STDERR_FILENO
] ?: "stderr";
3174 int exec_context_named_iofds(Unit
*unit
, const ExecContext
*c
, const ExecParameters
*p
, int named_iofds
[3]) {
3175 unsigned i
, targets
;
3176 const char *stdio_fdname
[3];
3181 targets
= (c
->std_input
== EXEC_INPUT_NAMED_FD
) +
3182 (c
->std_output
== EXEC_OUTPUT_NAMED_FD
) +
3183 (c
->std_error
== EXEC_OUTPUT_NAMED_FD
);
3185 for (i
= 0; i
< 3; i
++)
3186 stdio_fdname
[i
] = exec_context_fdname(c
, i
);
3188 for (i
= 0; i
< p
->n_fds
&& targets
> 0; i
++)
3189 if (named_iofds
[STDIN_FILENO
] < 0 && c
->std_input
== EXEC_INPUT_NAMED_FD
&& stdio_fdname
[STDIN_FILENO
] && streq(p
->fd_names
[i
], stdio_fdname
[STDIN_FILENO
])) {
3190 named_iofds
[STDIN_FILENO
] = p
->fds
[i
];
3192 } else if (named_iofds
[STDOUT_FILENO
] < 0 && c
->std_output
== EXEC_OUTPUT_NAMED_FD
&& stdio_fdname
[STDOUT_FILENO
] && streq(p
->fd_names
[i
], stdio_fdname
[STDOUT_FILENO
])) {
3193 named_iofds
[STDOUT_FILENO
] = p
->fds
[i
];
3195 } else if (named_iofds
[STDERR_FILENO
] < 0 && c
->std_error
== EXEC_OUTPUT_NAMED_FD
&& stdio_fdname
[STDERR_FILENO
] && streq(p
->fd_names
[i
], stdio_fdname
[STDERR_FILENO
])) {
3196 named_iofds
[STDERR_FILENO
] = p
->fds
[i
];
3200 return (targets
== 0 ? 0 : -ENOENT
);
3203 int exec_context_load_environment(Unit
*unit
, const ExecContext
*c
, char ***l
) {
3204 char **i
, **r
= NULL
;
3209 STRV_FOREACH(i
, c
->environment_files
) {
3212 bool ignore
= false;
3214 _cleanup_globfree_ glob_t pglob
= {};
3224 if (!path_is_absolute(fn
)) {
3232 /* Filename supports globbing, take all matching files */
3234 if (glob(fn
, 0, NULL
, &pglob
) != 0) {
3239 return errno
> 0 ? -errno
: -EINVAL
;
3241 count
= pglob
.gl_pathc
;
3249 for (n
= 0; n
< count
; n
++) {
3250 k
= load_env_file(NULL
, pglob
.gl_pathv
[n
], NULL
, &p
);
3258 /* Log invalid environment variables with filename */
3260 InvalidEnvInfo info
= {
3262 .path
= pglob
.gl_pathv
[n
]
3265 p
= strv_env_clean_with_callback(p
, invalid_env
, &info
);
3273 m
= strv_env_merge(2, r
, p
);
3289 static bool tty_may_match_dev_console(const char *tty
) {
3290 _cleanup_free_
char *active
= NULL
;
3296 if (startswith(tty
, "/dev/"))
3299 /* trivial identity? */
3300 if (streq(tty
, "console"))
3303 console
= resolve_dev_console(&active
);
3304 /* if we could not resolve, assume it may */
3308 /* "tty0" means the active VC, so it may be the same sometimes */
3309 return streq(console
, tty
) || (streq(console
, "tty0") && tty_is_vc(tty
));
3312 bool exec_context_may_touch_console(ExecContext
*ec
) {
3314 return (ec
->tty_reset
||
3316 ec
->tty_vt_disallocate
||
3317 is_terminal_input(ec
->std_input
) ||
3318 is_terminal_output(ec
->std_output
) ||
3319 is_terminal_output(ec
->std_error
)) &&
3320 tty_may_match_dev_console(exec_context_tty_path(ec
));
3323 static void strv_fprintf(FILE *f
, char **l
) {
3329 fprintf(f
, " %s", *g
);
3332 void exec_context_dump(ExecContext
*c
, FILE* f
, const char *prefix
) {
3339 prefix
= strempty(prefix
);
3343 "%sWorkingDirectory: %s\n"
3344 "%sRootDirectory: %s\n"
3345 "%sNonBlocking: %s\n"
3346 "%sPrivateTmp: %s\n"
3347 "%sPrivateDevices: %s\n"
3348 "%sProtectKernelTunables: %s\n"
3349 "%sProtectKernelModules: %s\n"
3350 "%sProtectControlGroups: %s\n"
3351 "%sPrivateNetwork: %s\n"
3352 "%sPrivateUsers: %s\n"
3353 "%sProtectHome: %s\n"
3354 "%sProtectSystem: %s\n"
3355 "%sIgnoreSIGPIPE: %s\n"
3356 "%sMemoryDenyWriteExecute: %s\n"
3357 "%sRestrictRealtime: %s\n",
3359 prefix
, c
->working_directory
? c
->working_directory
: "/",
3360 prefix
, c
->root_directory
? c
->root_directory
: "/",
3361 prefix
, yes_no(c
->non_blocking
),
3362 prefix
, yes_no(c
->private_tmp
),
3363 prefix
, yes_no(c
->private_devices
),
3364 prefix
, yes_no(c
->protect_kernel_tunables
),
3365 prefix
, yes_no(c
->protect_kernel_modules
),
3366 prefix
, yes_no(c
->protect_control_groups
),
3367 prefix
, yes_no(c
->private_network
),
3368 prefix
, yes_no(c
->private_users
),
3369 prefix
, protect_home_to_string(c
->protect_home
),
3370 prefix
, protect_system_to_string(c
->protect_system
),
3371 prefix
, yes_no(c
->ignore_sigpipe
),
3372 prefix
, yes_no(c
->memory_deny_write_execute
),
3373 prefix
, yes_no(c
->restrict_realtime
));
3375 STRV_FOREACH(e
, c
->environment
)
3376 fprintf(f
, "%sEnvironment: %s\n", prefix
, *e
);
3378 STRV_FOREACH(e
, c
->environment_files
)
3379 fprintf(f
, "%sEnvironmentFile: %s\n", prefix
, *e
);
3381 STRV_FOREACH(e
, c
->pass_environment
)
3382 fprintf(f
, "%sPassEnvironment: %s\n", prefix
, *e
);
3384 fprintf(f
, "%sRuntimeDirectoryMode: %04o\n", prefix
, c
->runtime_directory_mode
);
3386 STRV_FOREACH(d
, c
->runtime_directory
)
3387 fprintf(f
, "%sRuntimeDirectory: %s\n", prefix
, *d
);
3394 if (c
->oom_score_adjust_set
)
3396 "%sOOMScoreAdjust: %i\n",
3397 prefix
, c
->oom_score_adjust
);
3399 for (i
= 0; i
< RLIM_NLIMITS
; i
++)
3401 fprintf(f
, "%s%s: " RLIM_FMT
"\n",
3402 prefix
, rlimit_to_string(i
), c
->rlimit
[i
]->rlim_max
);
3403 fprintf(f
, "%s%sSoft: " RLIM_FMT
"\n",
3404 prefix
, rlimit_to_string(i
), c
->rlimit
[i
]->rlim_cur
);
3407 if (c
->ioprio_set
) {
3408 _cleanup_free_
char *class_str
= NULL
;
3410 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c
->ioprio
), &class_str
);
3412 "%sIOSchedulingClass: %s\n"
3413 "%sIOPriority: %i\n",
3414 prefix
, strna(class_str
),
3415 prefix
, (int) IOPRIO_PRIO_DATA(c
->ioprio
));
3418 if (c
->cpu_sched_set
) {
3419 _cleanup_free_
char *policy_str
= NULL
;
3421 sched_policy_to_string_alloc(c
->cpu_sched_policy
, &policy_str
);
3423 "%sCPUSchedulingPolicy: %s\n"
3424 "%sCPUSchedulingPriority: %i\n"
3425 "%sCPUSchedulingResetOnFork: %s\n",
3426 prefix
, strna(policy_str
),
3427 prefix
, c
->cpu_sched_priority
,
3428 prefix
, yes_no(c
->cpu_sched_reset_on_fork
));
3432 fprintf(f
, "%sCPUAffinity:", prefix
);
3433 for (i
= 0; i
< c
->cpuset_ncpus
; i
++)
3434 if (CPU_ISSET_S(i
, CPU_ALLOC_SIZE(c
->cpuset_ncpus
), c
->cpuset
))
3435 fprintf(f
, " %u", i
);
3439 if (c
->timer_slack_nsec
!= NSEC_INFINITY
)
3440 fprintf(f
, "%sTimerSlackNSec: "NSEC_FMT
"\n", prefix
, c
->timer_slack_nsec
);
3443 "%sStandardInput: %s\n"
3444 "%sStandardOutput: %s\n"
3445 "%sStandardError: %s\n",
3446 prefix
, exec_input_to_string(c
->std_input
),
3447 prefix
, exec_output_to_string(c
->std_output
),
3448 prefix
, exec_output_to_string(c
->std_error
));
3454 "%sTTYVHangup: %s\n"
3455 "%sTTYVTDisallocate: %s\n",
3456 prefix
, c
->tty_path
,
3457 prefix
, yes_no(c
->tty_reset
),
3458 prefix
, yes_no(c
->tty_vhangup
),
3459 prefix
, yes_no(c
->tty_vt_disallocate
));
3461 if (c
->std_output
== EXEC_OUTPUT_SYSLOG
||
3462 c
->std_output
== EXEC_OUTPUT_KMSG
||
3463 c
->std_output
== EXEC_OUTPUT_JOURNAL
||
3464 c
->std_output
== EXEC_OUTPUT_SYSLOG_AND_CONSOLE
||
3465 c
->std_output
== EXEC_OUTPUT_KMSG_AND_CONSOLE
||
3466 c
->std_output
== EXEC_OUTPUT_JOURNAL_AND_CONSOLE
||
3467 c
->std_error
== EXEC_OUTPUT_SYSLOG
||
3468 c
->std_error
== EXEC_OUTPUT_KMSG
||
3469 c
->std_error
== EXEC_OUTPUT_JOURNAL
||
3470 c
->std_error
== EXEC_OUTPUT_SYSLOG_AND_CONSOLE
||
3471 c
->std_error
== EXEC_OUTPUT_KMSG_AND_CONSOLE
||
3472 c
->std_error
== EXEC_OUTPUT_JOURNAL_AND_CONSOLE
) {
3474 _cleanup_free_
char *fac_str
= NULL
, *lvl_str
= NULL
;
3476 log_facility_unshifted_to_string_alloc(c
->syslog_priority
>> 3, &fac_str
);
3477 log_level_to_string_alloc(LOG_PRI(c
->syslog_priority
), &lvl_str
);
3480 "%sSyslogFacility: %s\n"
3481 "%sSyslogLevel: %s\n",
3482 prefix
, strna(fac_str
),
3483 prefix
, strna(lvl_str
));
3487 fprintf(f
, "%sSecure Bits:%s%s%s%s%s%s\n",
3489 (c
->secure_bits
& 1<<SECURE_KEEP_CAPS
) ? " keep-caps" : "",
3490 (c
->secure_bits
& 1<<SECURE_KEEP_CAPS_LOCKED
) ? " keep-caps-locked" : "",
3491 (c
->secure_bits
& 1<<SECURE_NO_SETUID_FIXUP
) ? " no-setuid-fixup" : "",
3492 (c
->secure_bits
& 1<<SECURE_NO_SETUID_FIXUP_LOCKED
) ? " no-setuid-fixup-locked" : "",
3493 (c
->secure_bits
& 1<<SECURE_NOROOT
) ? " noroot" : "",
3494 (c
->secure_bits
& 1<<SECURE_NOROOT_LOCKED
) ? "noroot-locked" : "");
3496 if (c
->capability_bounding_set
!= CAP_ALL
) {
3498 fprintf(f
, "%sCapabilityBoundingSet:", prefix
);
3500 for (l
= 0; l
<= cap_last_cap(); l
++)
3501 if (c
->capability_bounding_set
& (UINT64_C(1) << l
))
3502 fprintf(f
, " %s", strna(capability_to_name(l
)));
3507 if (c
->capability_ambient_set
!= 0) {
3509 fprintf(f
, "%sAmbientCapabilities:", prefix
);
3511 for (l
= 0; l
<= cap_last_cap(); l
++)
3512 if (c
->capability_ambient_set
& (UINT64_C(1) << l
))
3513 fprintf(f
, " %s", strna(capability_to_name(l
)));
3519 fprintf(f
, "%sUser: %s\n", prefix
, c
->user
);
3521 fprintf(f
, "%sGroup: %s\n", prefix
, c
->group
);
3523 fprintf(f
, "%sDynamicUser: %s\n", prefix
, yes_no(c
->dynamic_user
));
3525 if (strv_length(c
->supplementary_groups
) > 0) {
3526 fprintf(f
, "%sSupplementaryGroups:", prefix
);
3527 strv_fprintf(f
, c
->supplementary_groups
);
3532 fprintf(f
, "%sPAMName: %s\n", prefix
, c
->pam_name
);
3534 if (strv_length(c
->read_write_paths
) > 0) {
3535 fprintf(f
, "%sReadWritePaths:", prefix
);
3536 strv_fprintf(f
, c
->read_write_paths
);
3540 if (strv_length(c
->read_only_paths
) > 0) {
3541 fprintf(f
, "%sReadOnlyPaths:", prefix
);
3542 strv_fprintf(f
, c
->read_only_paths
);
3546 if (strv_length(c
->inaccessible_paths
) > 0) {
3547 fprintf(f
, "%sInaccessiblePaths:", prefix
);
3548 strv_fprintf(f
, c
->inaccessible_paths
);
3554 "%sUtmpIdentifier: %s\n",
3555 prefix
, c
->utmp_id
);
3557 if (c
->selinux_context
)
3559 "%sSELinuxContext: %s%s\n",
3560 prefix
, c
->selinux_context_ignore
? "-" : "", c
->selinux_context
);
3562 if (c
->personality
!= PERSONALITY_INVALID
)
3564 "%sPersonality: %s\n",
3565 prefix
, strna(personality_to_string(c
->personality
)));
3567 if (c
->syscall_filter
) {
3575 "%sSystemCallFilter: ",
3578 if (!c
->syscall_whitelist
)
3582 SET_FOREACH(id
, c
->syscall_filter
, j
) {
3583 _cleanup_free_
char *name
= NULL
;
3590 name
= seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE
, PTR_TO_INT(id
) - 1);
3591 fputs(strna(name
), f
);
3598 if (c
->syscall_archs
) {
3605 "%sSystemCallArchitectures:",
3609 SET_FOREACH(id
, c
->syscall_archs
, j
)
3610 fprintf(f
, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id
) - 1)));
3615 if (c
->syscall_errno
> 0)
3617 "%sSystemCallErrorNumber: %s\n",
3618 prefix
, strna(errno_to_name(c
->syscall_errno
)));
3620 if (c
->apparmor_profile
)
3622 "%sAppArmorProfile: %s%s\n",
3623 prefix
, c
->apparmor_profile_ignore
? "-" : "", c
->apparmor_profile
);
3626 bool exec_context_maintains_privileges(ExecContext
*c
) {
3629 /* Returns true if the process forked off would run under
3630 * an unchanged UID or as root. */
3635 if (streq(c
->user
, "root") || streq(c
->user
, "0"))
3641 void exec_status_start(ExecStatus
*s
, pid_t pid
) {
3646 dual_timestamp_get(&s
->start_timestamp
);
3649 void exec_status_exit(ExecStatus
*s
, ExecContext
*context
, pid_t pid
, int code
, int status
) {
3652 if (s
->pid
&& s
->pid
!= pid
)
3656 dual_timestamp_get(&s
->exit_timestamp
);
3662 if (context
->utmp_id
)
3663 utmp_put_dead_process(context
->utmp_id
, pid
, code
, status
);
3665 exec_context_tty_reset(context
, NULL
);
3669 void exec_status_dump(ExecStatus
*s
, FILE *f
, const char *prefix
) {
3670 char buf
[FORMAT_TIMESTAMP_MAX
];
3678 prefix
= strempty(prefix
);
3681 "%sPID: "PID_FMT
"\n",
3684 if (dual_timestamp_is_set(&s
->start_timestamp
))
3686 "%sStart Timestamp: %s\n",
3687 prefix
, format_timestamp(buf
, sizeof(buf
), s
->start_timestamp
.realtime
));
3689 if (dual_timestamp_is_set(&s
->exit_timestamp
))
3691 "%sExit Timestamp: %s\n"
3693 "%sExit Status: %i\n",
3694 prefix
, format_timestamp(buf
, sizeof(buf
), s
->exit_timestamp
.realtime
),
3695 prefix
, sigchld_code_to_string(s
->code
),
3699 char *exec_command_line(char **argv
) {
3707 STRV_FOREACH(a
, argv
)
3710 if (!(n
= new(char, k
)))
3714 STRV_FOREACH(a
, argv
) {
3721 if (strpbrk(*a
, WHITESPACE
)) {
3732 /* FIXME: this doesn't really handle arguments that have
3733 * spaces and ticks in them */
3738 void exec_command_dump(ExecCommand
*c
, FILE *f
, const char *prefix
) {
3739 _cleanup_free_
char *cmd
= NULL
;
3740 const char *prefix2
;
3745 prefix
= strempty(prefix
);
3746 prefix2
= strjoina(prefix
, "\t");
3748 cmd
= exec_command_line(c
->argv
);
3750 "%sCommand Line: %s\n",
3751 prefix
, cmd
? cmd
: strerror(ENOMEM
));
3753 exec_status_dump(&c
->exec_status
, f
, prefix2
);
3756 void exec_command_dump_list(ExecCommand
*c
, FILE *f
, const char *prefix
) {
3759 prefix
= strempty(prefix
);
3761 LIST_FOREACH(command
, c
, c
)
3762 exec_command_dump(c
, f
, prefix
);
3765 void exec_command_append_list(ExecCommand
**l
, ExecCommand
*e
) {
3772 /* It's kind of important, that we keep the order here */
3773 LIST_FIND_TAIL(command
, *l
, end
);
3774 LIST_INSERT_AFTER(command
, *l
, end
, e
);
3779 int exec_command_set(ExecCommand
*c
, const char *path
, ...) {
3787 l
= strv_new_ap(path
, ap
);
3808 int exec_command_append(ExecCommand
*c
, const char *path
, ...) {
3809 _cleanup_strv_free_
char **l
= NULL
;
3817 l
= strv_new_ap(path
, ap
);
3823 r
= strv_extend_strv(&c
->argv
, l
, false);
3831 static int exec_runtime_allocate(ExecRuntime
**rt
) {
3836 *rt
= new0(ExecRuntime
, 1);
3841 (*rt
)->netns_storage_socket
[0] = (*rt
)->netns_storage_socket
[1] = -1;
3846 int exec_runtime_make(ExecRuntime
**rt
, ExecContext
*c
, const char *id
) {
3856 if (!c
->private_network
&& !c
->private_tmp
)
3859 r
= exec_runtime_allocate(rt
);
3863 if (c
->private_network
&& (*rt
)->netns_storage_socket
[0] < 0) {
3864 if (socketpair(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
, 0, (*rt
)->netns_storage_socket
) < 0)
3868 if (c
->private_tmp
&& !(*rt
)->tmp_dir
) {
3869 r
= setup_tmp_dirs(id
, &(*rt
)->tmp_dir
, &(*rt
)->var_tmp_dir
);
3877 ExecRuntime
*exec_runtime_ref(ExecRuntime
*r
) {
3879 assert(r
->n_ref
> 0);
3885 ExecRuntime
*exec_runtime_unref(ExecRuntime
*r
) {
3890 assert(r
->n_ref
> 0);
3897 free(r
->var_tmp_dir
);
3898 safe_close_pair(r
->netns_storage_socket
);
3902 int exec_runtime_serialize(Unit
*u
, ExecRuntime
*rt
, FILE *f
, FDSet
*fds
) {
3911 unit_serialize_item(u
, f
, "tmp-dir", rt
->tmp_dir
);
3913 if (rt
->var_tmp_dir
)
3914 unit_serialize_item(u
, f
, "var-tmp-dir", rt
->var_tmp_dir
);
3916 if (rt
->netns_storage_socket
[0] >= 0) {
3919 copy
= fdset_put_dup(fds
, rt
->netns_storage_socket
[0]);
3923 unit_serialize_item_format(u
, f
, "netns-socket-0", "%i", copy
);
3926 if (rt
->netns_storage_socket
[1] >= 0) {
3929 copy
= fdset_put_dup(fds
, rt
->netns_storage_socket
[1]);
3933 unit_serialize_item_format(u
, f
, "netns-socket-1", "%i", copy
);
3939 int exec_runtime_deserialize_item(Unit
*u
, ExecRuntime
**rt
, const char *key
, const char *value
, FDSet
*fds
) {
3946 if (streq(key
, "tmp-dir")) {
3949 r
= exec_runtime_allocate(rt
);
3953 copy
= strdup(value
);
3957 free((*rt
)->tmp_dir
);
3958 (*rt
)->tmp_dir
= copy
;
3960 } else if (streq(key
, "var-tmp-dir")) {
3963 r
= exec_runtime_allocate(rt
);
3967 copy
= strdup(value
);
3971 free((*rt
)->var_tmp_dir
);
3972 (*rt
)->var_tmp_dir
= copy
;
3974 } else if (streq(key
, "netns-socket-0")) {
3977 r
= exec_runtime_allocate(rt
);
3981 if (safe_atoi(value
, &fd
) < 0 || !fdset_contains(fds
, fd
))
3982 log_unit_debug(u
, "Failed to parse netns socket value: %s", value
);
3984 safe_close((*rt
)->netns_storage_socket
[0]);
3985 (*rt
)->netns_storage_socket
[0] = fdset_remove(fds
, fd
);
3987 } else if (streq(key
, "netns-socket-1")) {
3990 r
= exec_runtime_allocate(rt
);
3994 if (safe_atoi(value
, &fd
) < 0 || !fdset_contains(fds
, fd
))
3995 log_unit_debug(u
, "Failed to parse netns socket value: %s", value
);
3997 safe_close((*rt
)->netns_storage_socket
[1]);
3998 (*rt
)->netns_storage_socket
[1] = fdset_remove(fds
, fd
);
4006 static void *remove_tmpdir_thread(void *p
) {
4007 _cleanup_free_
char *path
= p
;
4009 (void) rm_rf(path
, REMOVE_ROOT
|REMOVE_PHYSICAL
);
4013 void exec_runtime_destroy(ExecRuntime
*rt
) {
4019 /* If there are multiple users of this, let's leave the stuff around */
4024 log_debug("Spawning thread to nuke %s", rt
->tmp_dir
);
4026 r
= asynchronous_job(remove_tmpdir_thread
, rt
->tmp_dir
);
4028 log_warning_errno(r
, "Failed to nuke %s: %m", rt
->tmp_dir
);
4035 if (rt
->var_tmp_dir
) {
4036 log_debug("Spawning thread to nuke %s", rt
->var_tmp_dir
);
4038 r
= asynchronous_job(remove_tmpdir_thread
, rt
->var_tmp_dir
);
4040 log_warning_errno(r
, "Failed to nuke %s: %m", rt
->var_tmp_dir
);
4041 free(rt
->var_tmp_dir
);
4044 rt
->var_tmp_dir
= NULL
;
4047 safe_close_pair(rt
->netns_storage_socket
);
4050 static const char* const exec_input_table
[_EXEC_INPUT_MAX
] = {
4051 [EXEC_INPUT_NULL
] = "null",
4052 [EXEC_INPUT_TTY
] = "tty",
4053 [EXEC_INPUT_TTY_FORCE
] = "tty-force",
4054 [EXEC_INPUT_TTY_FAIL
] = "tty-fail",
4055 [EXEC_INPUT_SOCKET
] = "socket",
4056 [EXEC_INPUT_NAMED_FD
] = "fd",
4059 DEFINE_STRING_TABLE_LOOKUP(exec_input
, ExecInput
);
4061 static const char* const exec_output_table
[_EXEC_OUTPUT_MAX
] = {
4062 [EXEC_OUTPUT_INHERIT
] = "inherit",
4063 [EXEC_OUTPUT_NULL
] = "null",
4064 [EXEC_OUTPUT_TTY
] = "tty",
4065 [EXEC_OUTPUT_SYSLOG
] = "syslog",
4066 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE
] = "syslog+console",
4067 [EXEC_OUTPUT_KMSG
] = "kmsg",
4068 [EXEC_OUTPUT_KMSG_AND_CONSOLE
] = "kmsg+console",
4069 [EXEC_OUTPUT_JOURNAL
] = "journal",
4070 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE
] = "journal+console",
4071 [EXEC_OUTPUT_SOCKET
] = "socket",
4072 [EXEC_OUTPUT_NAMED_FD
] = "fd",
4075 DEFINE_STRING_TABLE_LOOKUP(exec_output
, ExecOutput
);
4077 static const char* const exec_utmp_mode_table
[_EXEC_UTMP_MODE_MAX
] = {
4078 [EXEC_UTMP_INIT
] = "init",
4079 [EXEC_UTMP_LOGIN
] = "login",
4080 [EXEC_UTMP_USER
] = "user",
4083 DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode
, ExecUtmpMode
);