]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/execute.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
core: store the invocation ID in the per-service keyring
[thirdparty/systemd.git] / src / core / execute.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <errno.h>
21 #include <fcntl.h>
22 #include <glob.h>
23 #include <grp.h>
24 #include <poll.h>
25 #include <signal.h>
26 #include <string.h>
27 #include <sys/capability.h>
28 #include <sys/eventfd.h>
29 #include <sys/mman.h>
30 #include <sys/personality.h>
31 #include <sys/prctl.h>
32 #include <sys/shm.h>
33 #include <sys/socket.h>
34 #include <sys/stat.h>
35 #include <sys/types.h>
36 #include <sys/un.h>
37 #include <unistd.h>
38 #include <utmpx.h>
39
40 #ifdef HAVE_PAM
41 #include <security/pam_appl.h>
42 #endif
43
44 #ifdef HAVE_SELINUX
45 #include <selinux/selinux.h>
46 #endif
47
48 #ifdef HAVE_SECCOMP
49 #include <seccomp.h>
50 #endif
51
52 #ifdef HAVE_APPARMOR
53 #include <sys/apparmor.h>
54 #endif
55
56 #include "sd-messages.h"
57
58 #include "af-list.h"
59 #include "alloc-util.h"
60 #ifdef HAVE_APPARMOR
61 #include "apparmor-util.h"
62 #endif
63 #include "async.h"
64 #include "barrier.h"
65 #include "cap-list.h"
66 #include "capability-util.h"
67 #include "def.h"
68 #include "env-util.h"
69 #include "errno-list.h"
70 #include "execute.h"
71 #include "exit-status.h"
72 #include "fd-util.h"
73 #include "fileio.h"
74 #include "format-util.h"
75 #include "fs-util.h"
76 #include "glob-util.h"
77 #include "io-util.h"
78 #include "ioprio.h"
79 #include "log.h"
80 #include "macro.h"
81 #include "missing.h"
82 #include "mkdir.h"
83 #include "namespace.h"
84 #include "parse-util.h"
85 #include "path-util.h"
86 #include "process-util.h"
87 #include "rlimit-util.h"
88 #include "rm-rf.h"
89 #ifdef HAVE_SECCOMP
90 #include "seccomp-util.h"
91 #endif
92 #include "securebits.h"
93 #include "selinux-util.h"
94 #include "signal-util.h"
95 #include "smack-util.h"
96 #include "special.h"
97 #include "string-table.h"
98 #include "string-util.h"
99 #include "strv.h"
100 #include "syslog-util.h"
101 #include "terminal-util.h"
102 #include "unit.h"
103 #include "user-util.h"
104 #include "util.h"
105 #include "utmp-wtmp.h"
106
107 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
108 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
109
110 /* This assumes there is a 'tty' group */
111 #define TTY_MODE 0620
112
113 #define SNDBUF_SIZE (8*1024*1024)
114
115 static int shift_fds(int fds[], unsigned n_fds) {
116 int start, restart_from;
117
118 if (n_fds <= 0)
119 return 0;
120
121 /* Modifies the fds array! (sorts it) */
122
123 assert(fds);
124
125 start = 0;
126 for (;;) {
127 int i;
128
129 restart_from = -1;
130
131 for (i = start; i < (int) n_fds; i++) {
132 int nfd;
133
134 /* Already at right index? */
135 if (fds[i] == i+3)
136 continue;
137
138 nfd = fcntl(fds[i], F_DUPFD, i + 3);
139 if (nfd < 0)
140 return -errno;
141
142 safe_close(fds[i]);
143 fds[i] = nfd;
144
145 /* Hmm, the fd we wanted isn't free? Then
146 * let's remember that and try again from here */
147 if (nfd != i+3 && restart_from < 0)
148 restart_from = i;
149 }
150
151 if (restart_from < 0)
152 break;
153
154 start = restart_from;
155 }
156
157 return 0;
158 }
159
160 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
161 unsigned i;
162 int r;
163
164 if (n_fds <= 0)
165 return 0;
166
167 assert(fds);
168
169 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
170
171 for (i = 0; i < n_fds; i++) {
172
173 r = fd_nonblock(fds[i], nonblock);
174 if (r < 0)
175 return r;
176
177 /* We unconditionally drop FD_CLOEXEC from the fds,
178 * since after all we want to pass these fds to our
179 * children */
180
181 r = fd_cloexec(fds[i], false);
182 if (r < 0)
183 return r;
184 }
185
186 return 0;
187 }
188
189 static const char *exec_context_tty_path(const ExecContext *context) {
190 assert(context);
191
192 if (context->stdio_as_fds)
193 return NULL;
194
195 if (context->tty_path)
196 return context->tty_path;
197
198 return "/dev/console";
199 }
200
201 static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
202 const char *path;
203
204 assert(context);
205
206 path = exec_context_tty_path(context);
207
208 if (context->tty_vhangup) {
209 if (p && p->stdin_fd >= 0)
210 (void) terminal_vhangup_fd(p->stdin_fd);
211 else if (path)
212 (void) terminal_vhangup(path);
213 }
214
215 if (context->tty_reset) {
216 if (p && p->stdin_fd >= 0)
217 (void) reset_terminal_fd(p->stdin_fd, true);
218 else if (path)
219 (void) reset_terminal(path);
220 }
221
222 if (context->tty_vt_disallocate && path)
223 (void) vt_disallocate(path);
224 }
225
226 static bool is_terminal_input(ExecInput i) {
227 return IN_SET(i,
228 EXEC_INPUT_TTY,
229 EXEC_INPUT_TTY_FORCE,
230 EXEC_INPUT_TTY_FAIL);
231 }
232
233 static bool is_terminal_output(ExecOutput o) {
234 return IN_SET(o,
235 EXEC_OUTPUT_TTY,
236 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
237 EXEC_OUTPUT_KMSG_AND_CONSOLE,
238 EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
239 }
240
241 static bool exec_context_needs_term(const ExecContext *c) {
242 assert(c);
243
244 /* Return true if the execution context suggests we should set $TERM to something useful. */
245
246 if (is_terminal_input(c->std_input))
247 return true;
248
249 if (is_terminal_output(c->std_output))
250 return true;
251
252 if (is_terminal_output(c->std_error))
253 return true;
254
255 return !!c->tty_path;
256 }
257
258 static int open_null_as(int flags, int nfd) {
259 int fd, r;
260
261 assert(nfd >= 0);
262
263 fd = open("/dev/null", flags|O_NOCTTY);
264 if (fd < 0)
265 return -errno;
266
267 if (fd != nfd) {
268 r = dup2(fd, nfd) < 0 ? -errno : nfd;
269 safe_close(fd);
270 } else
271 r = nfd;
272
273 return r;
274 }
275
276 static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
277 union sockaddr_union sa = {
278 .un.sun_family = AF_UNIX,
279 .un.sun_path = "/run/systemd/journal/stdout",
280 };
281 uid_t olduid = UID_INVALID;
282 gid_t oldgid = GID_INVALID;
283 int r;
284
285 if (gid != GID_INVALID) {
286 oldgid = getgid();
287
288 r = setegid(gid);
289 if (r < 0)
290 return -errno;
291 }
292
293 if (uid != UID_INVALID) {
294 olduid = getuid();
295
296 r = seteuid(uid);
297 if (r < 0) {
298 r = -errno;
299 goto restore_gid;
300 }
301 }
302
303 r = connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
304 if (r < 0)
305 r = -errno;
306
307 /* If we fail to restore the uid or gid, things will likely
308 fail later on. This should only happen if an LSM interferes. */
309
310 if (uid != UID_INVALID)
311 (void) seteuid(olduid);
312
313 restore_gid:
314 if (gid != GID_INVALID)
315 (void) setegid(oldgid);
316
317 return r;
318 }
319
320 static int connect_logger_as(
321 Unit *unit,
322 const ExecContext *context,
323 ExecOutput output,
324 const char *ident,
325 int nfd,
326 uid_t uid,
327 gid_t gid) {
328
329 int fd, r;
330
331 assert(context);
332 assert(output < _EXEC_OUTPUT_MAX);
333 assert(ident);
334 assert(nfd >= 0);
335
336 fd = socket(AF_UNIX, SOCK_STREAM, 0);
337 if (fd < 0)
338 return -errno;
339
340 r = connect_journal_socket(fd, uid, gid);
341 if (r < 0)
342 return r;
343
344 if (shutdown(fd, SHUT_RD) < 0) {
345 safe_close(fd);
346 return -errno;
347 }
348
349 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
350
351 dprintf(fd,
352 "%s\n"
353 "%s\n"
354 "%i\n"
355 "%i\n"
356 "%i\n"
357 "%i\n"
358 "%i\n",
359 context->syslog_identifier ? context->syslog_identifier : ident,
360 unit->id,
361 context->syslog_priority,
362 !!context->syslog_level_prefix,
363 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
364 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
365 is_terminal_output(output));
366
367 if (fd == nfd)
368 return nfd;
369
370 r = dup2(fd, nfd) < 0 ? -errno : nfd;
371 safe_close(fd);
372
373 return r;
374 }
375 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
376 int fd, r;
377
378 assert(path);
379 assert(nfd >= 0);
380
381 fd = open_terminal(path, mode | O_NOCTTY);
382 if (fd < 0)
383 return fd;
384
385 if (fd != nfd) {
386 r = dup2(fd, nfd) < 0 ? -errno : nfd;
387 safe_close(fd);
388 } else
389 r = nfd;
390
391 return r;
392 }
393
394 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
395
396 if (is_terminal_input(std_input) && !apply_tty_stdin)
397 return EXEC_INPUT_NULL;
398
399 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
400 return EXEC_INPUT_NULL;
401
402 return std_input;
403 }
404
405 static int fixup_output(ExecOutput std_output, int socket_fd) {
406
407 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
408 return EXEC_OUTPUT_INHERIT;
409
410 return std_output;
411 }
412
413 static int setup_input(
414 const ExecContext *context,
415 const ExecParameters *params,
416 int socket_fd,
417 int named_iofds[3]) {
418
419 ExecInput i;
420
421 assert(context);
422 assert(params);
423
424 if (params->stdin_fd >= 0) {
425 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
426 return -errno;
427
428 /* Try to make this the controlling tty, if it is a tty, and reset it */
429 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
430 (void) reset_terminal_fd(STDIN_FILENO, true);
431
432 return STDIN_FILENO;
433 }
434
435 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
436
437 switch (i) {
438
439 case EXEC_INPUT_NULL:
440 return open_null_as(O_RDONLY, STDIN_FILENO);
441
442 case EXEC_INPUT_TTY:
443 case EXEC_INPUT_TTY_FORCE:
444 case EXEC_INPUT_TTY_FAIL: {
445 int fd, r;
446
447 fd = acquire_terminal(exec_context_tty_path(context),
448 i == EXEC_INPUT_TTY_FAIL,
449 i == EXEC_INPUT_TTY_FORCE,
450 false,
451 USEC_INFINITY);
452 if (fd < 0)
453 return fd;
454
455 if (fd != STDIN_FILENO) {
456 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
457 safe_close(fd);
458 } else
459 r = STDIN_FILENO;
460
461 return r;
462 }
463
464 case EXEC_INPUT_SOCKET:
465 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
466
467 case EXEC_INPUT_NAMED_FD:
468 (void) fd_nonblock(named_iofds[STDIN_FILENO], false);
469 return dup2(named_iofds[STDIN_FILENO], STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
470
471 default:
472 assert_not_reached("Unknown input type");
473 }
474 }
475
476 static int setup_output(
477 Unit *unit,
478 const ExecContext *context,
479 const ExecParameters *params,
480 int fileno,
481 int socket_fd,
482 int named_iofds[3],
483 const char *ident,
484 uid_t uid,
485 gid_t gid,
486 dev_t *journal_stream_dev,
487 ino_t *journal_stream_ino) {
488
489 ExecOutput o;
490 ExecInput i;
491 int r;
492
493 assert(unit);
494 assert(context);
495 assert(params);
496 assert(ident);
497 assert(journal_stream_dev);
498 assert(journal_stream_ino);
499
500 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
501
502 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
503 return -errno;
504
505 return STDOUT_FILENO;
506 }
507
508 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
509 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
510 return -errno;
511
512 return STDERR_FILENO;
513 }
514
515 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
516 o = fixup_output(context->std_output, socket_fd);
517
518 if (fileno == STDERR_FILENO) {
519 ExecOutput e;
520 e = fixup_output(context->std_error, socket_fd);
521
522 /* This expects the input and output are already set up */
523
524 /* Don't change the stderr file descriptor if we inherit all
525 * the way and are not on a tty */
526 if (e == EXEC_OUTPUT_INHERIT &&
527 o == EXEC_OUTPUT_INHERIT &&
528 i == EXEC_INPUT_NULL &&
529 !is_terminal_input(context->std_input) &&
530 getppid () != 1)
531 return fileno;
532
533 /* Duplicate from stdout if possible */
534 if ((e == o && e != EXEC_OUTPUT_NAMED_FD) || e == EXEC_OUTPUT_INHERIT)
535 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
536
537 o = e;
538
539 } else if (o == EXEC_OUTPUT_INHERIT) {
540 /* If input got downgraded, inherit the original value */
541 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
542 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
543
544 /* If the input is connected to anything that's not a /dev/null, inherit that... */
545 if (i != EXEC_INPUT_NULL)
546 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
547
548 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
549 if (getppid() != 1)
550 return fileno;
551
552 /* We need to open /dev/null here anew, to get the right access mode. */
553 return open_null_as(O_WRONLY, fileno);
554 }
555
556 switch (o) {
557
558 case EXEC_OUTPUT_NULL:
559 return open_null_as(O_WRONLY, fileno);
560
561 case EXEC_OUTPUT_TTY:
562 if (is_terminal_input(i))
563 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
564
565 /* We don't reset the terminal if this is just about output */
566 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
567
568 case EXEC_OUTPUT_SYSLOG:
569 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
570 case EXEC_OUTPUT_KMSG:
571 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
572 case EXEC_OUTPUT_JOURNAL:
573 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
574 r = connect_logger_as(unit, context, o, ident, fileno, uid, gid);
575 if (r < 0) {
576 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
577 r = open_null_as(O_WRONLY, fileno);
578 } else {
579 struct stat st;
580
581 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
582 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
583 * services to detect whether they are connected to the journal or not. */
584
585 if (fstat(fileno, &st) >= 0) {
586 *journal_stream_dev = st.st_dev;
587 *journal_stream_ino = st.st_ino;
588 }
589 }
590 return r;
591
592 case EXEC_OUTPUT_SOCKET:
593 assert(socket_fd >= 0);
594 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
595
596 case EXEC_OUTPUT_NAMED_FD:
597 (void) fd_nonblock(named_iofds[fileno], false);
598 return dup2(named_iofds[fileno], fileno) < 0 ? -errno : fileno;
599
600 default:
601 assert_not_reached("Unknown error type");
602 }
603 }
604
605 static int chown_terminal(int fd, uid_t uid) {
606 struct stat st;
607
608 assert(fd >= 0);
609
610 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
611 if (isatty(fd) < 1)
612 return 0;
613
614 /* This might fail. What matters are the results. */
615 (void) fchown(fd, uid, -1);
616 (void) fchmod(fd, TTY_MODE);
617
618 if (fstat(fd, &st) < 0)
619 return -errno;
620
621 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
622 return -EPERM;
623
624 return 0;
625 }
626
627 static int setup_confirm_stdio(const char *vc, int *_saved_stdin, int *_saved_stdout) {
628 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
629 int r;
630
631 assert(_saved_stdin);
632 assert(_saved_stdout);
633
634 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
635 if (saved_stdin < 0)
636 return -errno;
637
638 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
639 if (saved_stdout < 0)
640 return -errno;
641
642 fd = acquire_terminal(vc, false, false, false, DEFAULT_CONFIRM_USEC);
643 if (fd < 0)
644 return fd;
645
646 r = chown_terminal(fd, getuid());
647 if (r < 0)
648 return r;
649
650 r = reset_terminal_fd(fd, true);
651 if (r < 0)
652 return r;
653
654 if (dup2(fd, STDIN_FILENO) < 0)
655 return -errno;
656
657 if (dup2(fd, STDOUT_FILENO) < 0)
658 return -errno;
659
660 if (fd >= 2)
661 safe_close(fd);
662 fd = -1;
663
664 *_saved_stdin = saved_stdin;
665 *_saved_stdout = saved_stdout;
666
667 saved_stdin = saved_stdout = -1;
668
669 return 0;
670 }
671
672 static void write_confirm_error_fd(int err, int fd, const Unit *u) {
673 assert(err < 0);
674
675 if (err == -ETIMEDOUT)
676 dprintf(fd, "Confirmation question timed out for %s, assuming positive response.\n", u->id);
677 else {
678 errno = -err;
679 dprintf(fd, "Couldn't ask confirmation for %s: %m, assuming positive response.\n", u->id);
680 }
681 }
682
683 static void write_confirm_error(int err, const char *vc, const Unit *u) {
684 _cleanup_close_ int fd = -1;
685
686 assert(vc);
687
688 fd = open_terminal(vc, O_WRONLY|O_NOCTTY|O_CLOEXEC);
689 if (fd < 0)
690 return;
691
692 write_confirm_error_fd(err, fd, u);
693 }
694
695 static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
696 int r = 0;
697
698 assert(saved_stdin);
699 assert(saved_stdout);
700
701 release_terminal();
702
703 if (*saved_stdin >= 0)
704 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
705 r = -errno;
706
707 if (*saved_stdout >= 0)
708 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
709 r = -errno;
710
711 *saved_stdin = safe_close(*saved_stdin);
712 *saved_stdout = safe_close(*saved_stdout);
713
714 return r;
715 }
716
717 enum {
718 CONFIRM_PRETEND_FAILURE = -1,
719 CONFIRM_PRETEND_SUCCESS = 0,
720 CONFIRM_EXECUTE = 1,
721 };
722
723 static int ask_for_confirmation(const char *vc, Unit *u, const char *cmdline) {
724 int saved_stdout = -1, saved_stdin = -1, r;
725 _cleanup_free_ char *e = NULL;
726 char c;
727
728 /* For any internal errors, assume a positive response. */
729 r = setup_confirm_stdio(vc, &saved_stdin, &saved_stdout);
730 if (r < 0) {
731 write_confirm_error(r, vc, u);
732 return CONFIRM_EXECUTE;
733 }
734
735 /* confirm_spawn might have been disabled while we were sleeping. */
736 if (manager_is_confirm_spawn_disabled(u->manager)) {
737 r = 1;
738 goto restore_stdio;
739 }
740
741 e = ellipsize(cmdline, 60, 100);
742 if (!e) {
743 log_oom();
744 r = CONFIRM_EXECUTE;
745 goto restore_stdio;
746 }
747
748 for (;;) {
749 r = ask_char(&c, "yfshiDjcn", "Execute %s? [y, f, s – h for help] ", e);
750 if (r < 0) {
751 write_confirm_error_fd(r, STDOUT_FILENO, u);
752 r = CONFIRM_EXECUTE;
753 goto restore_stdio;
754 }
755
756 switch (c) {
757 case 'c':
758 printf("Resuming normal execution.\n");
759 manager_disable_confirm_spawn();
760 r = 1;
761 break;
762 case 'D':
763 unit_dump(u, stdout, " ");
764 continue; /* ask again */
765 case 'f':
766 printf("Failing execution.\n");
767 r = CONFIRM_PRETEND_FAILURE;
768 break;
769 case 'h':
770 printf(" c - continue, proceed without asking anymore\n"
771 " D - dump, show the state of the unit\n"
772 " f - fail, don't execute the command and pretend it failed\n"
773 " h - help\n"
774 " i - info, show a short summary of the unit\n"
775 " j - jobs, show jobs that are in progress\n"
776 " s - skip, don't execute the command and pretend it succeeded\n"
777 " y - yes, execute the command\n");
778 continue; /* ask again */
779 case 'i':
780 printf(" Description: %s\n"
781 " Unit: %s\n"
782 " Command: %s\n",
783 u->id, u->description, cmdline);
784 continue; /* ask again */
785 case 'j':
786 manager_dump_jobs(u->manager, stdout, " ");
787 continue; /* ask again */
788 case 'n':
789 /* 'n' was removed in favor of 'f'. */
790 printf("Didn't understand 'n', did you mean 'f'?\n");
791 continue; /* ask again */
792 case 's':
793 printf("Skipping execution.\n");
794 r = CONFIRM_PRETEND_SUCCESS;
795 break;
796 case 'y':
797 r = CONFIRM_EXECUTE;
798 break;
799 default:
800 assert_not_reached("Unhandled choice");
801 }
802 break;
803 }
804
805 restore_stdio:
806 restore_confirm_stdio(&saved_stdin, &saved_stdout);
807 return r;
808 }
809
810 static int get_fixed_user(const ExecContext *c, const char **user,
811 uid_t *uid, gid_t *gid,
812 const char **home, const char **shell) {
813 int r;
814 const char *name;
815
816 assert(c);
817
818 if (!c->user)
819 return 0;
820
821 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
822 * (i.e. are "/" or "/bin/nologin"). */
823
824 name = c->user;
825 r = get_user_creds_clean(&name, uid, gid, home, shell);
826 if (r < 0)
827 return r;
828
829 *user = name;
830 return 0;
831 }
832
833 static int get_fixed_group(const ExecContext *c, const char **group, gid_t *gid) {
834 int r;
835 const char *name;
836
837 assert(c);
838
839 if (!c->group)
840 return 0;
841
842 name = c->group;
843 r = get_group_creds(&name, gid);
844 if (r < 0)
845 return r;
846
847 *group = name;
848 return 0;
849 }
850
851 static int get_supplementary_groups(const ExecContext *c, const char *user,
852 const char *group, gid_t gid,
853 gid_t **supplementary_gids, int *ngids) {
854 char **i;
855 int r, k = 0;
856 int ngroups_max;
857 bool keep_groups = false;
858 gid_t *groups = NULL;
859 _cleanup_free_ gid_t *l_gids = NULL;
860
861 assert(c);
862
863 /*
864 * If user is given, then lookup GID and supplementary groups list.
865 * We avoid NSS lookups for gid=0. Also we have to initialize groups
866 * here and as early as possible so we keep the list of supplementary
867 * groups of the caller.
868 */
869 if (user && gid_is_valid(gid) && gid != 0) {
870 /* First step, initialize groups from /etc/groups */
871 if (initgroups(user, gid) < 0)
872 return -errno;
873
874 keep_groups = true;
875 }
876
877 if (!c->supplementary_groups)
878 return 0;
879
880 /*
881 * If SupplementaryGroups= was passed then NGROUPS_MAX has to
882 * be positive, otherwise fail.
883 */
884 errno = 0;
885 ngroups_max = (int) sysconf(_SC_NGROUPS_MAX);
886 if (ngroups_max <= 0) {
887 if (errno > 0)
888 return -errno;
889 else
890 return -EOPNOTSUPP; /* For all other values */
891 }
892
893 l_gids = new(gid_t, ngroups_max);
894 if (!l_gids)
895 return -ENOMEM;
896
897 if (keep_groups) {
898 /*
899 * Lookup the list of groups that the user belongs to, we
900 * avoid NSS lookups here too for gid=0.
901 */
902 k = ngroups_max;
903 if (getgrouplist(user, gid, l_gids, &k) < 0)
904 return -EINVAL;
905 } else
906 k = 0;
907
908 STRV_FOREACH(i, c->supplementary_groups) {
909 const char *g;
910
911 if (k >= ngroups_max)
912 return -E2BIG;
913
914 g = *i;
915 r = get_group_creds(&g, l_gids+k);
916 if (r < 0)
917 return r;
918
919 k++;
920 }
921
922 /*
923 * Sets ngids to zero to drop all supplementary groups, happens
924 * when we are under root and SupplementaryGroups= is empty.
925 */
926 if (k == 0) {
927 *ngids = 0;
928 return 0;
929 }
930
931 /* Otherwise get the final list of supplementary groups */
932 groups = memdup(l_gids, sizeof(gid_t) * k);
933 if (!groups)
934 return -ENOMEM;
935
936 *supplementary_gids = groups;
937 *ngids = k;
938
939 groups = NULL;
940
941 return 0;
942 }
943
944 static int enforce_groups(const ExecContext *context, gid_t gid,
945 gid_t *supplementary_gids, int ngids) {
946 int r;
947
948 assert(context);
949
950 /* Handle SupplementaryGroups= even if it is empty */
951 if (context->supplementary_groups) {
952 r = maybe_setgroups(ngids, supplementary_gids);
953 if (r < 0)
954 return r;
955 }
956
957 if (gid_is_valid(gid)) {
958 /* Then set our gids */
959 if (setresgid(gid, gid, gid) < 0)
960 return -errno;
961 }
962
963 return 0;
964 }
965
966 static int enforce_user(const ExecContext *context, uid_t uid) {
967 assert(context);
968
969 if (!uid_is_valid(uid))
970 return 0;
971
972 /* Sets (but doesn't look up) the uid and make sure we keep the
973 * capabilities while doing so. */
974
975 if (context->capability_ambient_set != 0) {
976
977 /* First step: If we need to keep capabilities but
978 * drop privileges we need to make sure we keep our
979 * caps, while we drop privileges. */
980 if (uid != 0) {
981 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
982
983 if (prctl(PR_GET_SECUREBITS) != sb)
984 if (prctl(PR_SET_SECUREBITS, sb) < 0)
985 return -errno;
986 }
987 }
988
989 /* Second step: actually set the uids */
990 if (setresuid(uid, uid, uid) < 0)
991 return -errno;
992
993 /* At this point we should have all necessary capabilities but
994 are otherwise a normal user. However, the caps might got
995 corrupted due to the setresuid() so we need clean them up
996 later. This is done outside of this call. */
997
998 return 0;
999 }
1000
1001 #ifdef HAVE_PAM
1002
1003 static int null_conv(
1004 int num_msg,
1005 const struct pam_message **msg,
1006 struct pam_response **resp,
1007 void *appdata_ptr) {
1008
1009 /* We don't support conversations */
1010
1011 return PAM_CONV_ERR;
1012 }
1013
1014 #endif
1015
1016 static int setup_pam(
1017 const char *name,
1018 const char *user,
1019 uid_t uid,
1020 gid_t gid,
1021 const char *tty,
1022 char ***env,
1023 int fds[], unsigned n_fds) {
1024
1025 #ifdef HAVE_PAM
1026
1027 static const struct pam_conv conv = {
1028 .conv = null_conv,
1029 .appdata_ptr = NULL
1030 };
1031
1032 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
1033 pam_handle_t *handle = NULL;
1034 sigset_t old_ss;
1035 int pam_code = PAM_SUCCESS, r;
1036 char **nv, **e = NULL;
1037 bool close_session = false;
1038 pid_t pam_pid = 0, parent_pid;
1039 int flags = 0;
1040
1041 assert(name);
1042 assert(user);
1043 assert(env);
1044
1045 /* We set up PAM in the parent process, then fork. The child
1046 * will then stay around until killed via PR_GET_PDEATHSIG or
1047 * systemd via the cgroup logic. It will then remove the PAM
1048 * session again. The parent process will exec() the actual
1049 * daemon. We do things this way to ensure that the main PID
1050 * of the daemon is the one we initially fork()ed. */
1051
1052 r = barrier_create(&barrier);
1053 if (r < 0)
1054 goto fail;
1055
1056 if (log_get_max_level() < LOG_DEBUG)
1057 flags |= PAM_SILENT;
1058
1059 pam_code = pam_start(name, user, &conv, &handle);
1060 if (pam_code != PAM_SUCCESS) {
1061 handle = NULL;
1062 goto fail;
1063 }
1064
1065 if (tty) {
1066 pam_code = pam_set_item(handle, PAM_TTY, tty);
1067 if (pam_code != PAM_SUCCESS)
1068 goto fail;
1069 }
1070
1071 STRV_FOREACH(nv, *env) {
1072 pam_code = pam_putenv(handle, *nv);
1073 if (pam_code != PAM_SUCCESS)
1074 goto fail;
1075 }
1076
1077 pam_code = pam_acct_mgmt(handle, flags);
1078 if (pam_code != PAM_SUCCESS)
1079 goto fail;
1080
1081 pam_code = pam_open_session(handle, flags);
1082 if (pam_code != PAM_SUCCESS)
1083 goto fail;
1084
1085 close_session = true;
1086
1087 e = pam_getenvlist(handle);
1088 if (!e) {
1089 pam_code = PAM_BUF_ERR;
1090 goto fail;
1091 }
1092
1093 /* Block SIGTERM, so that we know that it won't get lost in
1094 * the child */
1095
1096 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
1097
1098 parent_pid = getpid();
1099
1100 pam_pid = fork();
1101 if (pam_pid < 0) {
1102 r = -errno;
1103 goto fail;
1104 }
1105
1106 if (pam_pid == 0) {
1107 int sig, ret = EXIT_PAM;
1108
1109 /* The child's job is to reset the PAM session on
1110 * termination */
1111 barrier_set_role(&barrier, BARRIER_CHILD);
1112
1113 /* This string must fit in 10 chars (i.e. the length
1114 * of "/sbin/init"), to look pretty in /bin/ps */
1115 rename_process("(sd-pam)");
1116
1117 /* Make sure we don't keep open the passed fds in this
1118 child. We assume that otherwise only those fds are
1119 open here that have been opened by PAM. */
1120 close_many(fds, n_fds);
1121
1122 /* Drop privileges - we don't need any to pam_close_session
1123 * and this will make PR_SET_PDEATHSIG work in most cases.
1124 * If this fails, ignore the error - but expect sd-pam threads
1125 * to fail to exit normally */
1126
1127 r = maybe_setgroups(0, NULL);
1128 if (r < 0)
1129 log_warning_errno(r, "Failed to setgroups() in sd-pam: %m");
1130 if (setresgid(gid, gid, gid) < 0)
1131 log_warning_errno(errno, "Failed to setresgid() in sd-pam: %m");
1132 if (setresuid(uid, uid, uid) < 0)
1133 log_warning_errno(errno, "Failed to setresuid() in sd-pam: %m");
1134
1135 (void) ignore_signals(SIGPIPE, -1);
1136
1137 /* Wait until our parent died. This will only work if
1138 * the above setresuid() succeeds, otherwise the kernel
1139 * will not allow unprivileged parents kill their privileged
1140 * children this way. We rely on the control groups kill logic
1141 * to do the rest for us. */
1142 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
1143 goto child_finish;
1144
1145 /* Tell the parent that our setup is done. This is especially
1146 * important regarding dropping privileges. Otherwise, unit
1147 * setup might race against our setresuid(2) call. */
1148 barrier_place(&barrier);
1149
1150 /* Check if our parent process might already have
1151 * died? */
1152 if (getppid() == parent_pid) {
1153 sigset_t ss;
1154
1155 assert_se(sigemptyset(&ss) >= 0);
1156 assert_se(sigaddset(&ss, SIGTERM) >= 0);
1157
1158 for (;;) {
1159 if (sigwait(&ss, &sig) < 0) {
1160 if (errno == EINTR)
1161 continue;
1162
1163 goto child_finish;
1164 }
1165
1166 assert(sig == SIGTERM);
1167 break;
1168 }
1169 }
1170
1171 /* If our parent died we'll end the session */
1172 if (getppid() != parent_pid) {
1173 pam_code = pam_close_session(handle, flags);
1174 if (pam_code != PAM_SUCCESS)
1175 goto child_finish;
1176 }
1177
1178 ret = 0;
1179
1180 child_finish:
1181 pam_end(handle, pam_code | flags);
1182 _exit(ret);
1183 }
1184
1185 barrier_set_role(&barrier, BARRIER_PARENT);
1186
1187 /* If the child was forked off successfully it will do all the
1188 * cleanups, so forget about the handle here. */
1189 handle = NULL;
1190
1191 /* Unblock SIGTERM again in the parent */
1192 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
1193
1194 /* We close the log explicitly here, since the PAM modules
1195 * might have opened it, but we don't want this fd around. */
1196 closelog();
1197
1198 /* Synchronously wait for the child to initialize. We don't care for
1199 * errors as we cannot recover. However, warn loudly if it happens. */
1200 if (!barrier_place_and_sync(&barrier))
1201 log_error("PAM initialization failed");
1202
1203 strv_free(*env);
1204 *env = e;
1205
1206 return 0;
1207
1208 fail:
1209 if (pam_code != PAM_SUCCESS) {
1210 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
1211 r = -EPERM; /* PAM errors do not map to errno */
1212 } else
1213 log_error_errno(r, "PAM failed: %m");
1214
1215 if (handle) {
1216 if (close_session)
1217 pam_code = pam_close_session(handle, flags);
1218
1219 pam_end(handle, pam_code | flags);
1220 }
1221
1222 strv_free(e);
1223 closelog();
1224
1225 return r;
1226 #else
1227 return 0;
1228 #endif
1229 }
1230
1231 static void rename_process_from_path(const char *path) {
1232 char process_name[11];
1233 const char *p;
1234 size_t l;
1235
1236 /* This resulting string must fit in 10 chars (i.e. the length
1237 * of "/sbin/init") to look pretty in /bin/ps */
1238
1239 p = basename(path);
1240 if (isempty(p)) {
1241 rename_process("(...)");
1242 return;
1243 }
1244
1245 l = strlen(p);
1246 if (l > 8) {
1247 /* The end of the process name is usually more
1248 * interesting, since the first bit might just be
1249 * "systemd-" */
1250 p = p + l - 8;
1251 l = 8;
1252 }
1253
1254 process_name[0] = '(';
1255 memcpy(process_name+1, p, l);
1256 process_name[1+l] = ')';
1257 process_name[1+l+1] = 0;
1258
1259 rename_process(process_name);
1260 }
1261
1262 #ifdef HAVE_SECCOMP
1263
1264 static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
1265
1266 if (is_seccomp_available())
1267 return false;
1268
1269 log_open();
1270 log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
1271 log_close();
1272 return true;
1273 }
1274
1275 static int apply_seccomp(const Unit* u, const ExecContext *c) {
1276 uint32_t negative_action, action;
1277 scmp_filter_ctx seccomp;
1278 Iterator i;
1279 void *id;
1280 int r;
1281
1282 assert(c);
1283
1284 if (skip_seccomp_unavailable(u, "syscall filtering"))
1285 return 0;
1286
1287 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
1288
1289 seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW);
1290 if (!seccomp)
1291 return -ENOMEM;
1292
1293 if (c->syscall_archs) {
1294
1295 SET_FOREACH(id, c->syscall_archs, i) {
1296 r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
1297 if (r == -EEXIST)
1298 continue;
1299 if (r < 0)
1300 goto finish;
1301 }
1302
1303 } else {
1304 r = seccomp_add_secondary_archs(seccomp);
1305 if (r < 0)
1306 goto finish;
1307 }
1308
1309 action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
1310 SET_FOREACH(id, c->syscall_filter, i) {
1311 r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
1312 if (r < 0)
1313 goto finish;
1314 }
1315
1316 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1317 if (r < 0)
1318 goto finish;
1319
1320 r = seccomp_load(seccomp);
1321
1322 finish:
1323 seccomp_release(seccomp);
1324 return r;
1325 }
1326
1327 static int apply_address_families(const Unit* u, const ExecContext *c) {
1328 scmp_filter_ctx seccomp;
1329 Iterator i;
1330 int r;
1331
1332 assert(c);
1333
1334 if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
1335 return 0;
1336
1337 r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
1338 if (r < 0)
1339 return r;
1340
1341 if (c->address_families_whitelist) {
1342 int af, first = 0, last = 0;
1343 void *afp;
1344
1345 /* If this is a whitelist, we first block the address
1346 * families that are out of range and then everything
1347 * that is not in the set. First, we find the lowest
1348 * and highest address family in the set. */
1349
1350 SET_FOREACH(afp, c->address_families, i) {
1351 af = PTR_TO_INT(afp);
1352
1353 if (af <= 0 || af >= af_max())
1354 continue;
1355
1356 if (first == 0 || af < first)
1357 first = af;
1358
1359 if (last == 0 || af > last)
1360 last = af;
1361 }
1362
1363 assert((first == 0) == (last == 0));
1364
1365 if (first == 0) {
1366
1367 /* No entries in the valid range, block everything */
1368 r = seccomp_rule_add(
1369 seccomp,
1370 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1371 SCMP_SYS(socket),
1372 0);
1373 if (r < 0)
1374 goto finish;
1375
1376 } else {
1377
1378 /* Block everything below the first entry */
1379 r = seccomp_rule_add(
1380 seccomp,
1381 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1382 SCMP_SYS(socket),
1383 1,
1384 SCMP_A0(SCMP_CMP_LT, first));
1385 if (r < 0)
1386 goto finish;
1387
1388 /* Block everything above the last entry */
1389 r = seccomp_rule_add(
1390 seccomp,
1391 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1392 SCMP_SYS(socket),
1393 1,
1394 SCMP_A0(SCMP_CMP_GT, last));
1395 if (r < 0)
1396 goto finish;
1397
1398 /* Block everything between the first and last
1399 * entry */
1400 for (af = 1; af < af_max(); af++) {
1401
1402 if (set_contains(c->address_families, INT_TO_PTR(af)))
1403 continue;
1404
1405 r = seccomp_rule_add(
1406 seccomp,
1407 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1408 SCMP_SYS(socket),
1409 1,
1410 SCMP_A0(SCMP_CMP_EQ, af));
1411 if (r < 0)
1412 goto finish;
1413 }
1414 }
1415
1416 } else {
1417 void *af;
1418
1419 /* If this is a blacklist, then generate one rule for
1420 * each address family that are then combined in OR
1421 * checks. */
1422
1423 SET_FOREACH(af, c->address_families, i) {
1424
1425 r = seccomp_rule_add(
1426 seccomp,
1427 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1428 SCMP_SYS(socket),
1429 1,
1430 SCMP_A0(SCMP_CMP_EQ, PTR_TO_INT(af)));
1431 if (r < 0)
1432 goto finish;
1433 }
1434 }
1435
1436 r = seccomp_load(seccomp);
1437
1438 finish:
1439 seccomp_release(seccomp);
1440 return r;
1441 }
1442
1443 static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c) {
1444 scmp_filter_ctx seccomp;
1445 int r;
1446
1447 assert(c);
1448
1449 if (skip_seccomp_unavailable(u, "MemoryDenyWriteExecute="))
1450 return 0;
1451
1452 r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
1453 if (r < 0)
1454 return r;
1455
1456 r = seccomp_rule_add(
1457 seccomp,
1458 SCMP_ACT_ERRNO(EPERM),
1459 SCMP_SYS(mmap),
1460 1,
1461 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE));
1462 if (r < 0)
1463 goto finish;
1464
1465 r = seccomp_rule_add(
1466 seccomp,
1467 SCMP_ACT_ERRNO(EPERM),
1468 SCMP_SYS(mprotect),
1469 1,
1470 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC));
1471 if (r < 0)
1472 goto finish;
1473
1474 r = seccomp_rule_add(
1475 seccomp,
1476 SCMP_ACT_ERRNO(EPERM),
1477 SCMP_SYS(shmat),
1478 1,
1479 SCMP_A2(SCMP_CMP_MASKED_EQ, SHM_EXEC, SHM_EXEC));
1480 if (r < 0)
1481 goto finish;
1482
1483 r = seccomp_load(seccomp);
1484
1485 finish:
1486 seccomp_release(seccomp);
1487 return r;
1488 }
1489
1490 static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
1491 static const int permitted_policies[] = {
1492 SCHED_OTHER,
1493 SCHED_BATCH,
1494 SCHED_IDLE,
1495 };
1496
1497 scmp_filter_ctx seccomp;
1498 unsigned i;
1499 int r, p, max_policy = 0;
1500
1501 assert(c);
1502
1503 if (skip_seccomp_unavailable(u, "RestrictRealtime="))
1504 return 0;
1505
1506 r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
1507 if (r < 0)
1508 return r;
1509
1510 /* Determine the highest policy constant we want to allow */
1511 for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
1512 if (permitted_policies[i] > max_policy)
1513 max_policy = permitted_policies[i];
1514
1515 /* Go through all policies with lower values than that, and block them -- unless they appear in the
1516 * whitelist. */
1517 for (p = 0; p < max_policy; p++) {
1518 bool good = false;
1519
1520 /* Check if this is in the whitelist. */
1521 for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
1522 if (permitted_policies[i] == p) {
1523 good = true;
1524 break;
1525 }
1526
1527 if (good)
1528 continue;
1529
1530 /* Deny this policy */
1531 r = seccomp_rule_add(
1532 seccomp,
1533 SCMP_ACT_ERRNO(EPERM),
1534 SCMP_SYS(sched_setscheduler),
1535 1,
1536 SCMP_A1(SCMP_CMP_EQ, p));
1537 if (r < 0)
1538 goto finish;
1539 }
1540
1541 /* Blacklist all other policies, i.e. the ones with higher values. Note that all comparisons are unsigned here,
1542 * hence no need no check for < 0 values. */
1543 r = seccomp_rule_add(
1544 seccomp,
1545 SCMP_ACT_ERRNO(EPERM),
1546 SCMP_SYS(sched_setscheduler),
1547 1,
1548 SCMP_A1(SCMP_CMP_GT, max_policy));
1549 if (r < 0)
1550 goto finish;
1551
1552 r = seccomp_load(seccomp);
1553
1554 finish:
1555 seccomp_release(seccomp);
1556 return r;
1557 }
1558
1559 static int apply_protect_sysctl(const Unit *u, const ExecContext *c) {
1560 scmp_filter_ctx seccomp;
1561 int r;
1562
1563 assert(c);
1564
1565 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1566 * let's protect even those systems where this is left on in the kernel. */
1567
1568 if (skip_seccomp_unavailable(u, "ProtectKernelTunables="))
1569 return 0;
1570
1571 r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
1572 if (r < 0)
1573 return r;
1574
1575 r = seccomp_rule_add(
1576 seccomp,
1577 SCMP_ACT_ERRNO(EPERM),
1578 SCMP_SYS(_sysctl),
1579 0);
1580 if (r < 0)
1581 goto finish;
1582
1583 r = seccomp_load(seccomp);
1584
1585 finish:
1586 seccomp_release(seccomp);
1587 return r;
1588 }
1589
1590 static int apply_protect_kernel_modules(const Unit *u, const ExecContext *c) {
1591 assert(c);
1592
1593 /* Turn off module syscalls on ProtectKernelModules=yes */
1594
1595 if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
1596 return 0;
1597
1598 return seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM));
1599 }
1600
1601 static int apply_private_devices(const Unit *u, const ExecContext *c) {
1602 assert(c);
1603
1604 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
1605
1606 if (skip_seccomp_unavailable(u, "PrivateDevices="))
1607 return 0;
1608
1609 return seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
1610 }
1611
1612 static int apply_restrict_namespaces(Unit *u, const ExecContext *c) {
1613 assert(c);
1614
1615 if (!exec_context_restrict_namespaces_set(c))
1616 return 0;
1617
1618 if (skip_seccomp_unavailable(u, "RestrictNamespaces="))
1619 return 0;
1620
1621 return seccomp_restrict_namespaces(c->restrict_namespaces);
1622 }
1623
1624 #endif
1625
1626 static void do_idle_pipe_dance(int idle_pipe[4]) {
1627 assert(idle_pipe);
1628
1629 idle_pipe[1] = safe_close(idle_pipe[1]);
1630 idle_pipe[2] = safe_close(idle_pipe[2]);
1631
1632 if (idle_pipe[0] >= 0) {
1633 int r;
1634
1635 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1636
1637 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
1638 ssize_t n;
1639
1640 /* Signal systemd that we are bored and want to continue. */
1641 n = write(idle_pipe[3], "x", 1);
1642 if (n > 0)
1643 /* Wait for systemd to react to the signal above. */
1644 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1645 }
1646
1647 idle_pipe[0] = safe_close(idle_pipe[0]);
1648
1649 }
1650
1651 idle_pipe[3] = safe_close(idle_pipe[3]);
1652 }
1653
1654 static int build_environment(
1655 Unit *u,
1656 const ExecContext *c,
1657 const ExecParameters *p,
1658 unsigned n_fds,
1659 const char *home,
1660 const char *username,
1661 const char *shell,
1662 dev_t journal_stream_dev,
1663 ino_t journal_stream_ino,
1664 char ***ret) {
1665
1666 _cleanup_strv_free_ char **our_env = NULL;
1667 unsigned n_env = 0;
1668 char *x;
1669
1670 assert(u);
1671 assert(c);
1672 assert(ret);
1673
1674 our_env = new0(char*, 14);
1675 if (!our_env)
1676 return -ENOMEM;
1677
1678 if (n_fds > 0) {
1679 _cleanup_free_ char *joined = NULL;
1680
1681 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1682 return -ENOMEM;
1683 our_env[n_env++] = x;
1684
1685 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1686 return -ENOMEM;
1687 our_env[n_env++] = x;
1688
1689 joined = strv_join(p->fd_names, ":");
1690 if (!joined)
1691 return -ENOMEM;
1692
1693 x = strjoin("LISTEN_FDNAMES=", joined);
1694 if (!x)
1695 return -ENOMEM;
1696 our_env[n_env++] = x;
1697 }
1698
1699 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
1700 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1701 return -ENOMEM;
1702 our_env[n_env++] = x;
1703
1704 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
1705 return -ENOMEM;
1706 our_env[n_env++] = x;
1707 }
1708
1709 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1710 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1711 * check the database directly. */
1712 if (unit_has_name(u, SPECIAL_DBUS_SERVICE)) {
1713 x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1714 if (!x)
1715 return -ENOMEM;
1716 our_env[n_env++] = x;
1717 }
1718
1719 if (home) {
1720 x = strappend("HOME=", home);
1721 if (!x)
1722 return -ENOMEM;
1723 our_env[n_env++] = x;
1724 }
1725
1726 if (username) {
1727 x = strappend("LOGNAME=", username);
1728 if (!x)
1729 return -ENOMEM;
1730 our_env[n_env++] = x;
1731
1732 x = strappend("USER=", username);
1733 if (!x)
1734 return -ENOMEM;
1735 our_env[n_env++] = x;
1736 }
1737
1738 if (shell) {
1739 x = strappend("SHELL=", shell);
1740 if (!x)
1741 return -ENOMEM;
1742 our_env[n_env++] = x;
1743 }
1744
1745 if (!sd_id128_is_null(u->invocation_id)) {
1746 if (asprintf(&x, "INVOCATION_ID=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(u->invocation_id)) < 0)
1747 return -ENOMEM;
1748
1749 our_env[n_env++] = x;
1750 }
1751
1752 if (exec_context_needs_term(c)) {
1753 const char *tty_path, *term = NULL;
1754
1755 tty_path = exec_context_tty_path(c);
1756
1757 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try to inherit
1758 * the $TERM set for PID 1. This is useful for containers so that the $TERM the container manager
1759 * passes to PID 1 ends up all the way in the console login shown. */
1760
1761 if (path_equal(tty_path, "/dev/console") && getppid() == 1)
1762 term = getenv("TERM");
1763 if (!term)
1764 term = default_term_for_tty(tty_path);
1765
1766 x = strappend("TERM=", term);
1767 if (!x)
1768 return -ENOMEM;
1769 our_env[n_env++] = x;
1770 }
1771
1772 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1773 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1774 return -ENOMEM;
1775
1776 our_env[n_env++] = x;
1777 }
1778
1779 our_env[n_env++] = NULL;
1780 assert(n_env <= 12);
1781
1782 *ret = our_env;
1783 our_env = NULL;
1784
1785 return 0;
1786 }
1787
1788 static int build_pass_environment(const ExecContext *c, char ***ret) {
1789 _cleanup_strv_free_ char **pass_env = NULL;
1790 size_t n_env = 0, n_bufsize = 0;
1791 char **i;
1792
1793 STRV_FOREACH(i, c->pass_environment) {
1794 _cleanup_free_ char *x = NULL;
1795 char *v;
1796
1797 v = getenv(*i);
1798 if (!v)
1799 continue;
1800 x = strjoin(*i, "=", v);
1801 if (!x)
1802 return -ENOMEM;
1803 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1804 return -ENOMEM;
1805 pass_env[n_env++] = x;
1806 pass_env[n_env] = NULL;
1807 x = NULL;
1808 }
1809
1810 *ret = pass_env;
1811 pass_env = NULL;
1812
1813 return 0;
1814 }
1815
1816 static bool exec_needs_mount_namespace(
1817 const ExecContext *context,
1818 const ExecParameters *params,
1819 ExecRuntime *runtime) {
1820
1821 assert(context);
1822 assert(params);
1823
1824 if (!strv_isempty(context->read_write_paths) ||
1825 !strv_isempty(context->read_only_paths) ||
1826 !strv_isempty(context->inaccessible_paths))
1827 return true;
1828
1829 if (context->mount_flags != 0)
1830 return true;
1831
1832 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1833 return true;
1834
1835 if (context->private_devices ||
1836 context->protect_system != PROTECT_SYSTEM_NO ||
1837 context->protect_home != PROTECT_HOME_NO ||
1838 context->protect_kernel_tunables ||
1839 context->protect_kernel_modules ||
1840 context->protect_control_groups)
1841 return true;
1842
1843 return false;
1844 }
1845
1846 static int setup_private_users(uid_t uid, gid_t gid) {
1847 _cleanup_free_ char *uid_map = NULL, *gid_map = NULL;
1848 _cleanup_close_pair_ int errno_pipe[2] = { -1, -1 };
1849 _cleanup_close_ int unshare_ready_fd = -1;
1850 _cleanup_(sigkill_waitp) pid_t pid = 0;
1851 uint64_t c = 1;
1852 siginfo_t si;
1853 ssize_t n;
1854 int r;
1855
1856 /* Set up a user namespace and map root to root, the selected UID/GID to itself, and everything else to
1857 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1858 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1859 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1860 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
1861 * continues execution normally. */
1862
1863 if (uid != 0 && uid_is_valid(uid))
1864 asprintf(&uid_map,
1865 "0 0 1\n" /* Map root → root */
1866 UID_FMT " " UID_FMT " 1\n", /* Map $UID → $UID */
1867 uid, uid);
1868 else
1869 uid_map = strdup("0 0 1\n"); /* The case where the above is the same */
1870 if (!uid_map)
1871 return -ENOMEM;
1872
1873 if (gid != 0 && gid_is_valid(gid))
1874 asprintf(&gid_map,
1875 "0 0 1\n" /* Map root → root */
1876 GID_FMT " " GID_FMT " 1\n", /* Map $GID → $GID */
1877 gid, gid);
1878 else
1879 gid_map = strdup("0 0 1\n"); /* The case where the above is the same */
1880 if (!gid_map)
1881 return -ENOMEM;
1882
1883 /* Create a communication channel so that the parent can tell the child when it finished creating the user
1884 * namespace. */
1885 unshare_ready_fd = eventfd(0, EFD_CLOEXEC);
1886 if (unshare_ready_fd < 0)
1887 return -errno;
1888
1889 /* Create a communication channel so that the child can tell the parent a proper error code in case it
1890 * failed. */
1891 if (pipe2(errno_pipe, O_CLOEXEC) < 0)
1892 return -errno;
1893
1894 pid = fork();
1895 if (pid < 0)
1896 return -errno;
1897
1898 if (pid == 0) {
1899 _cleanup_close_ int fd = -1;
1900 const char *a;
1901 pid_t ppid;
1902
1903 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
1904 * here, after the parent opened its own user namespace. */
1905
1906 ppid = getppid();
1907 errno_pipe[0] = safe_close(errno_pipe[0]);
1908
1909 /* Wait until the parent unshared the user namespace */
1910 if (read(unshare_ready_fd, &c, sizeof(c)) < 0) {
1911 r = -errno;
1912 goto child_fail;
1913 }
1914
1915 /* Disable the setgroups() system call in the child user namespace, for good. */
1916 a = procfs_file_alloca(ppid, "setgroups");
1917 fd = open(a, O_WRONLY|O_CLOEXEC);
1918 if (fd < 0) {
1919 if (errno != ENOENT) {
1920 r = -errno;
1921 goto child_fail;
1922 }
1923
1924 /* If the file is missing the kernel is too old, let's continue anyway. */
1925 } else {
1926 if (write(fd, "deny\n", 5) < 0) {
1927 r = -errno;
1928 goto child_fail;
1929 }
1930
1931 fd = safe_close(fd);
1932 }
1933
1934 /* First write the GID map */
1935 a = procfs_file_alloca(ppid, "gid_map");
1936 fd = open(a, O_WRONLY|O_CLOEXEC);
1937 if (fd < 0) {
1938 r = -errno;
1939 goto child_fail;
1940 }
1941 if (write(fd, gid_map, strlen(gid_map)) < 0) {
1942 r = -errno;
1943 goto child_fail;
1944 }
1945 fd = safe_close(fd);
1946
1947 /* The write the UID map */
1948 a = procfs_file_alloca(ppid, "uid_map");
1949 fd = open(a, O_WRONLY|O_CLOEXEC);
1950 if (fd < 0) {
1951 r = -errno;
1952 goto child_fail;
1953 }
1954 if (write(fd, uid_map, strlen(uid_map)) < 0) {
1955 r = -errno;
1956 goto child_fail;
1957 }
1958
1959 _exit(EXIT_SUCCESS);
1960
1961 child_fail:
1962 (void) write(errno_pipe[1], &r, sizeof(r));
1963 _exit(EXIT_FAILURE);
1964 }
1965
1966 errno_pipe[1] = safe_close(errno_pipe[1]);
1967
1968 if (unshare(CLONE_NEWUSER) < 0)
1969 return -errno;
1970
1971 /* Let the child know that the namespace is ready now */
1972 if (write(unshare_ready_fd, &c, sizeof(c)) < 0)
1973 return -errno;
1974
1975 /* Try to read an error code from the child */
1976 n = read(errno_pipe[0], &r, sizeof(r));
1977 if (n < 0)
1978 return -errno;
1979 if (n == sizeof(r)) { /* an error code was sent to us */
1980 if (r < 0)
1981 return r;
1982 return -EIO;
1983 }
1984 if (n != 0) /* on success we should have read 0 bytes */
1985 return -EIO;
1986
1987 r = wait_for_terminate(pid, &si);
1988 if (r < 0)
1989 return r;
1990 pid = 0;
1991
1992 /* If something strange happened with the child, let's consider this fatal, too */
1993 if (si.si_code != CLD_EXITED || si.si_status != 0)
1994 return -EIO;
1995
1996 return 0;
1997 }
1998
1999 static int setup_runtime_directory(
2000 const ExecContext *context,
2001 const ExecParameters *params,
2002 uid_t uid,
2003 gid_t gid) {
2004
2005 char **rt;
2006 int r;
2007
2008 assert(context);
2009 assert(params);
2010
2011 STRV_FOREACH(rt, context->runtime_directory) {
2012 _cleanup_free_ char *p;
2013
2014 p = strjoin(params->runtime_prefix, "/", *rt);
2015 if (!p)
2016 return -ENOMEM;
2017
2018 r = mkdir_p_label(p, context->runtime_directory_mode);
2019 if (r < 0)
2020 return r;
2021
2022 r = chmod_and_chown(p, context->runtime_directory_mode, uid, gid);
2023 if (r < 0)
2024 return r;
2025 }
2026
2027 return 0;
2028 }
2029
2030 static int setup_smack(
2031 const ExecContext *context,
2032 const ExecCommand *command) {
2033
2034 #ifdef HAVE_SMACK
2035 int r;
2036
2037 assert(context);
2038 assert(command);
2039
2040 if (!mac_smack_use())
2041 return 0;
2042
2043 if (context->smack_process_label) {
2044 r = mac_smack_apply_pid(0, context->smack_process_label);
2045 if (r < 0)
2046 return r;
2047 }
2048 #ifdef SMACK_DEFAULT_PROCESS_LABEL
2049 else {
2050 _cleanup_free_ char *exec_label = NULL;
2051
2052 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
2053 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP)
2054 return r;
2055
2056 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
2057 if (r < 0)
2058 return r;
2059 }
2060 #endif
2061 #endif
2062
2063 return 0;
2064 }
2065
2066 static int compile_read_write_paths(
2067 const ExecContext *context,
2068 const ExecParameters *params,
2069 char ***ret) {
2070
2071 _cleanup_strv_free_ char **l = NULL;
2072 char **rt;
2073
2074 /* Compile the list of writable paths. This is the combination of the explicitly configured paths, plus all
2075 * runtime directories. */
2076
2077 if (strv_isempty(context->read_write_paths) &&
2078 strv_isempty(context->runtime_directory)) {
2079 *ret = NULL; /* NOP if neither is set */
2080 return 0;
2081 }
2082
2083 l = strv_copy(context->read_write_paths);
2084 if (!l)
2085 return -ENOMEM;
2086
2087 STRV_FOREACH(rt, context->runtime_directory) {
2088 char *s;
2089
2090 s = strjoin(params->runtime_prefix, "/", *rt);
2091 if (!s)
2092 return -ENOMEM;
2093
2094 if (strv_consume(&l, s) < 0)
2095 return -ENOMEM;
2096 }
2097
2098 *ret = l;
2099 l = NULL;
2100
2101 return 0;
2102 }
2103
2104 static int apply_mount_namespace(Unit *u, const ExecContext *context,
2105 const ExecParameters *params,
2106 ExecRuntime *runtime) {
2107 int r;
2108 _cleanup_free_ char **rw = NULL;
2109 char *tmp = NULL, *var = NULL;
2110 const char *root_dir = NULL;
2111 NameSpaceInfo ns_info = {
2112 .ignore_protect_paths = false,
2113 .private_dev = context->private_devices,
2114 .protect_control_groups = context->protect_control_groups,
2115 .protect_kernel_tunables = context->protect_kernel_tunables,
2116 .protect_kernel_modules = context->protect_kernel_modules,
2117 };
2118
2119 assert(context);
2120
2121 /* The runtime struct only contains the parent of the private /tmp,
2122 * which is non-accessible to world users. Inside of it there's a /tmp
2123 * that is sticky, and that's the one we want to use here. */
2124
2125 if (context->private_tmp && runtime) {
2126 if (runtime->tmp_dir)
2127 tmp = strjoina(runtime->tmp_dir, "/tmp");
2128 if (runtime->var_tmp_dir)
2129 var = strjoina(runtime->var_tmp_dir, "/tmp");
2130 }
2131
2132 r = compile_read_write_paths(context, params, &rw);
2133 if (r < 0)
2134 return r;
2135
2136 if (params->flags & EXEC_APPLY_CHROOT)
2137 root_dir = context->root_directory;
2138
2139 /*
2140 * If DynamicUser=no and RootDirectory= is set then lets pass a relaxed
2141 * sandbox info, otherwise enforce it, don't ignore protected paths and
2142 * fail if we are enable to apply the sandbox inside the mount namespace.
2143 */
2144 if (!context->dynamic_user && root_dir)
2145 ns_info.ignore_protect_paths = true;
2146
2147 r = setup_namespace(root_dir, &ns_info, rw,
2148 context->read_only_paths,
2149 context->inaccessible_paths,
2150 tmp,
2151 var,
2152 context->protect_home,
2153 context->protect_system,
2154 context->mount_flags);
2155
2156 /* If we couldn't set up the namespace this is probably due to a
2157 * missing capability. In this case, silently proceeed. */
2158 if (IN_SET(r, -EPERM, -EACCES)) {
2159 log_open();
2160 log_unit_debug_errno(u, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
2161 log_close();
2162 r = 0;
2163 }
2164
2165 return r;
2166 }
2167
2168 static int apply_working_directory(const ExecContext *context,
2169 const ExecParameters *params,
2170 const char *home,
2171 const bool needs_mount_ns) {
2172 const char *d;
2173 const char *wd;
2174
2175 assert(context);
2176
2177 if (context->working_directory_home)
2178 wd = home;
2179 else if (context->working_directory)
2180 wd = context->working_directory;
2181 else
2182 wd = "/";
2183
2184 if (params->flags & EXEC_APPLY_CHROOT) {
2185 if (!needs_mount_ns && context->root_directory)
2186 if (chroot(context->root_directory) < 0)
2187 return -errno;
2188
2189 d = wd;
2190 } else
2191 d = strjoina(strempty(context->root_directory), "/", strempty(wd));
2192
2193 if (chdir(d) < 0 && !context->working_directory_missing_ok)
2194 return -errno;
2195
2196 return 0;
2197 }
2198
2199 static int setup_keyring(Unit *u, const ExecParameters *p, uid_t uid, gid_t gid) {
2200 key_serial_t keyring;
2201
2202 assert(u);
2203 assert(p);
2204
2205 /* Let's set up a new per-service "session" kernel keyring for each system service. This has the benefit that
2206 * each service runs with its own keyring shared among all processes of the service, but with no hook-up beyond
2207 * that scope, and in particular no link to the per-UID keyring. If we don't do this the keyring will be
2208 * automatically created on-demand and then linked to the per-UID keyring, by the kernel. The kernel's built-in
2209 * on-demand behaviour is very appropriate for login users, but probably not so much for system services, where
2210 * UIDs are not necessarily specific to a service but reused (at least in the case of UID 0). */
2211
2212 if (!(p->flags & EXEC_NEW_KEYRING))
2213 return 0;
2214
2215 keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0);
2216 if (keyring == -1) {
2217 if (errno == ENOSYS)
2218 log_debug_errno(errno, "Kernel keyring not supported, ignoring.");
2219 else if (IN_SET(errno, EACCES, EPERM))
2220 log_debug_errno(errno, "Kernel keyring access prohibited, ignoring.");
2221 else if (errno == EDQUOT)
2222 log_debug_errno(errno, "Out of kernel keyrings to allocate, ignoring.");
2223 else
2224 return log_error_errno(errno, "Setting up kernel keyring failed: %m");
2225
2226 return 0;
2227 }
2228
2229 /* Populate they keyring with the invocation ID by default. */
2230 if (!sd_id128_is_null(u->invocation_id)) {
2231 key_serial_t key;
2232
2233 key = add_key("user", "invocation_id", &u->invocation_id, sizeof(u->invocation_id), KEY_SPEC_SESSION_KEYRING);
2234 if (key == -1)
2235 log_debug_errno(errno, "Failed to add invocation ID to keyring, ignoring: %m");
2236 else {
2237 if (keyctl(KEYCTL_SETPERM, key,
2238 KEY_POS_VIEW|KEY_POS_READ|KEY_POS_SEARCH|
2239 KEY_USR_VIEW|KEY_USR_READ|KEY_USR_SEARCH, 0, 0) < 0)
2240 return log_error_errno(errno, "Failed to restrict invocation ID permission: %m");
2241 }
2242 }
2243
2244 /* And now, make the keyring owned by the service's user */
2245 if (uid_is_valid(uid) || gid_is_valid(gid))
2246 if (keyctl(KEYCTL_CHOWN, keyring, uid, gid, 0) < 0)
2247 return log_error_errno(errno, "Failed to change ownership of session keyring: %m");
2248
2249 return 0;
2250 }
2251
2252 static void append_socket_pair(int *array, unsigned *n, int pair[2]) {
2253 assert(array);
2254 assert(n);
2255
2256 if (!pair)
2257 return;
2258
2259 if (pair[0] >= 0)
2260 array[(*n)++] = pair[0];
2261 if (pair[1] >= 0)
2262 array[(*n)++] = pair[1];
2263 }
2264
2265 static int close_remaining_fds(
2266 const ExecParameters *params,
2267 ExecRuntime *runtime,
2268 DynamicCreds *dcreds,
2269 int user_lookup_fd,
2270 int socket_fd,
2271 int *fds, unsigned n_fds) {
2272
2273 unsigned n_dont_close = 0;
2274 int dont_close[n_fds + 12];
2275
2276 assert(params);
2277
2278 if (params->stdin_fd >= 0)
2279 dont_close[n_dont_close++] = params->stdin_fd;
2280 if (params->stdout_fd >= 0)
2281 dont_close[n_dont_close++] = params->stdout_fd;
2282 if (params->stderr_fd >= 0)
2283 dont_close[n_dont_close++] = params->stderr_fd;
2284
2285 if (socket_fd >= 0)
2286 dont_close[n_dont_close++] = socket_fd;
2287 if (n_fds > 0) {
2288 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
2289 n_dont_close += n_fds;
2290 }
2291
2292 if (runtime)
2293 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
2294
2295 if (dcreds) {
2296 if (dcreds->user)
2297 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
2298 if (dcreds->group)
2299 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
2300 }
2301
2302 if (user_lookup_fd >= 0)
2303 dont_close[n_dont_close++] = user_lookup_fd;
2304
2305 return close_all_fds(dont_close, n_dont_close);
2306 }
2307
2308 static bool context_has_address_families(const ExecContext *c) {
2309 assert(c);
2310
2311 return c->address_families_whitelist ||
2312 !set_isempty(c->address_families);
2313 }
2314
2315 static bool context_has_syscall_filters(const ExecContext *c) {
2316 assert(c);
2317
2318 return c->syscall_whitelist ||
2319 !set_isempty(c->syscall_filter) ||
2320 !set_isempty(c->syscall_archs);
2321 }
2322
2323 static bool context_has_no_new_privileges(const ExecContext *c) {
2324 assert(c);
2325
2326 if (c->no_new_privileges)
2327 return true;
2328
2329 if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
2330 return false;
2331
2332 /* We need NNP if we have any form of seccomp and are unprivileged */
2333 return context_has_address_families(c) ||
2334 c->memory_deny_write_execute ||
2335 c->restrict_realtime ||
2336 exec_context_restrict_namespaces_set(c) ||
2337 c->protect_kernel_tunables ||
2338 c->protect_kernel_modules ||
2339 c->private_devices ||
2340 context_has_syscall_filters(c);
2341 }
2342
2343 static int send_user_lookup(
2344 Unit *unit,
2345 int user_lookup_fd,
2346 uid_t uid,
2347 gid_t gid) {
2348
2349 assert(unit);
2350
2351 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
2352 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
2353 * specified. */
2354
2355 if (user_lookup_fd < 0)
2356 return 0;
2357
2358 if (!uid_is_valid(uid) && !gid_is_valid(gid))
2359 return 0;
2360
2361 if (writev(user_lookup_fd,
2362 (struct iovec[]) {
2363 { .iov_base = &uid, .iov_len = sizeof(uid) },
2364 { .iov_base = &gid, .iov_len = sizeof(gid) },
2365 { .iov_base = unit->id, .iov_len = strlen(unit->id) }}, 3) < 0)
2366 return -errno;
2367
2368 return 0;
2369 }
2370
2371 static int exec_child(
2372 Unit *unit,
2373 ExecCommand *command,
2374 const ExecContext *context,
2375 const ExecParameters *params,
2376 ExecRuntime *runtime,
2377 DynamicCreds *dcreds,
2378 char **argv,
2379 int socket_fd,
2380 int named_iofds[3],
2381 int *fds, unsigned n_fds,
2382 char **files_env,
2383 int user_lookup_fd,
2384 int *exit_status) {
2385
2386 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **final_argv = NULL;
2387 _cleanup_free_ char *mac_selinux_context_net = NULL;
2388 _cleanup_free_ gid_t *supplementary_gids = NULL;
2389 const char *username = NULL, *groupname = NULL;
2390 const char *home = NULL, *shell = NULL;
2391 dev_t journal_stream_dev = 0;
2392 ino_t journal_stream_ino = 0;
2393 bool needs_mount_namespace;
2394 uid_t uid = UID_INVALID;
2395 gid_t gid = GID_INVALID;
2396 int i, r, ngids = 0;
2397
2398 assert(unit);
2399 assert(command);
2400 assert(context);
2401 assert(params);
2402 assert(exit_status);
2403
2404 rename_process_from_path(command->path);
2405
2406 /* We reset exactly these signals, since they are the
2407 * only ones we set to SIG_IGN in the main daemon. All
2408 * others we leave untouched because we set them to
2409 * SIG_DFL or a valid handler initially, both of which
2410 * will be demoted to SIG_DFL. */
2411 (void) default_signals(SIGNALS_CRASH_HANDLER,
2412 SIGNALS_IGNORE, -1);
2413
2414 if (context->ignore_sigpipe)
2415 (void) ignore_signals(SIGPIPE, -1);
2416
2417 r = reset_signal_mask();
2418 if (r < 0) {
2419 *exit_status = EXIT_SIGNAL_MASK;
2420 return r;
2421 }
2422
2423 if (params->idle_pipe)
2424 do_idle_pipe_dance(params->idle_pipe);
2425
2426 /* Close sockets very early to make sure we don't
2427 * block init reexecution because it cannot bind its
2428 * sockets */
2429
2430 log_forget_fds();
2431
2432 r = close_remaining_fds(params, runtime, dcreds, user_lookup_fd, socket_fd, fds, n_fds);
2433 if (r < 0) {
2434 *exit_status = EXIT_FDS;
2435 return r;
2436 }
2437
2438 if (!context->same_pgrp)
2439 if (setsid() < 0) {
2440 *exit_status = EXIT_SETSID;
2441 return -errno;
2442 }
2443
2444 exec_context_tty_reset(context, params);
2445
2446 if (unit_shall_confirm_spawn(unit)) {
2447 const char *vc = params->confirm_spawn;
2448 _cleanup_free_ char *cmdline = NULL;
2449
2450 cmdline = exec_command_line(argv);
2451 if (!cmdline) {
2452 *exit_status = EXIT_CONFIRM;
2453 return -ENOMEM;
2454 }
2455
2456 r = ask_for_confirmation(vc, unit, cmdline);
2457 if (r != CONFIRM_EXECUTE) {
2458 if (r == CONFIRM_PRETEND_SUCCESS) {
2459 *exit_status = EXIT_SUCCESS;
2460 return 0;
2461 }
2462 *exit_status = EXIT_CONFIRM;
2463 return -ECANCELED;
2464 }
2465 }
2466
2467 if (context->dynamic_user && dcreds) {
2468
2469 /* Make sure we bypass our own NSS module for any NSS checks */
2470 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
2471 *exit_status = EXIT_USER;
2472 return -errno;
2473 }
2474
2475 r = dynamic_creds_realize(dcreds, &uid, &gid);
2476 if (r < 0) {
2477 *exit_status = EXIT_USER;
2478 return r;
2479 }
2480
2481 if (!uid_is_valid(uid) || !gid_is_valid(gid)) {
2482 *exit_status = EXIT_USER;
2483 return -ESRCH;
2484 }
2485
2486 if (dcreds->user)
2487 username = dcreds->user->name;
2488
2489 } else {
2490 r = get_fixed_user(context, &username, &uid, &gid, &home, &shell);
2491 if (r < 0) {
2492 *exit_status = EXIT_USER;
2493 return r;
2494 }
2495
2496 r = get_fixed_group(context, &groupname, &gid);
2497 if (r < 0) {
2498 *exit_status = EXIT_GROUP;
2499 return r;
2500 }
2501 }
2502
2503 /* Initialize user supplementary groups and get SupplementaryGroups= ones */
2504 r = get_supplementary_groups(context, username, groupname, gid,
2505 &supplementary_gids, &ngids);
2506 if (r < 0) {
2507 *exit_status = EXIT_GROUP;
2508 return r;
2509 }
2510
2511 r = send_user_lookup(unit, user_lookup_fd, uid, gid);
2512 if (r < 0) {
2513 *exit_status = EXIT_USER;
2514 return r;
2515 }
2516
2517 user_lookup_fd = safe_close(user_lookup_fd);
2518
2519 /* If a socket is connected to STDIN/STDOUT/STDERR, we
2520 * must sure to drop O_NONBLOCK */
2521 if (socket_fd >= 0)
2522 (void) fd_nonblock(socket_fd, false);
2523
2524 r = setup_input(context, params, socket_fd, named_iofds);
2525 if (r < 0) {
2526 *exit_status = EXIT_STDIN;
2527 return r;
2528 }
2529
2530 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
2531 if (r < 0) {
2532 *exit_status = EXIT_STDOUT;
2533 return r;
2534 }
2535
2536 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
2537 if (r < 0) {
2538 *exit_status = EXIT_STDERR;
2539 return r;
2540 }
2541
2542 if (params->cgroup_path) {
2543 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
2544 if (r < 0) {
2545 *exit_status = EXIT_CGROUP;
2546 return r;
2547 }
2548 }
2549
2550 if (context->oom_score_adjust_set) {
2551 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
2552
2553 /* When we can't make this change due to EPERM, then
2554 * let's silently skip over it. User namespaces
2555 * prohibit write access to this file, and we
2556 * shouldn't trip up over that. */
2557
2558 sprintf(t, "%i", context->oom_score_adjust);
2559 r = write_string_file("/proc/self/oom_score_adj", t, 0);
2560 if (r == -EPERM || r == -EACCES) {
2561 log_open();
2562 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
2563 log_close();
2564 } else if (r < 0) {
2565 *exit_status = EXIT_OOM_ADJUST;
2566 return -errno;
2567 }
2568 }
2569
2570 if (context->nice_set)
2571 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
2572 *exit_status = EXIT_NICE;
2573 return -errno;
2574 }
2575
2576 if (context->cpu_sched_set) {
2577 struct sched_param param = {
2578 .sched_priority = context->cpu_sched_priority,
2579 };
2580
2581 r = sched_setscheduler(0,
2582 context->cpu_sched_policy |
2583 (context->cpu_sched_reset_on_fork ?
2584 SCHED_RESET_ON_FORK : 0),
2585 &param);
2586 if (r < 0) {
2587 *exit_status = EXIT_SETSCHEDULER;
2588 return -errno;
2589 }
2590 }
2591
2592 if (context->cpuset)
2593 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
2594 *exit_status = EXIT_CPUAFFINITY;
2595 return -errno;
2596 }
2597
2598 if (context->ioprio_set)
2599 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
2600 *exit_status = EXIT_IOPRIO;
2601 return -errno;
2602 }
2603
2604 if (context->timer_slack_nsec != NSEC_INFINITY)
2605 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
2606 *exit_status = EXIT_TIMERSLACK;
2607 return -errno;
2608 }
2609
2610 if (context->personality != PERSONALITY_INVALID)
2611 if (personality(context->personality) < 0) {
2612 *exit_status = EXIT_PERSONALITY;
2613 return -errno;
2614 }
2615
2616 if (context->utmp_id)
2617 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path,
2618 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
2619 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
2620 USER_PROCESS,
2621 username ? "root" : context->user);
2622
2623 if (context->user) {
2624 r = chown_terminal(STDIN_FILENO, uid);
2625 if (r < 0) {
2626 *exit_status = EXIT_STDIN;
2627 return r;
2628 }
2629 }
2630
2631 /* If delegation is enabled we'll pass ownership of the cgroup
2632 * (but only in systemd's own controller hierarchy!) to the
2633 * user of the new process. */
2634 if (params->cgroup_path && context->user && params->cgroup_delegate) {
2635 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
2636 if (r < 0) {
2637 *exit_status = EXIT_CGROUP;
2638 return r;
2639 }
2640
2641
2642 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
2643 if (r < 0) {
2644 *exit_status = EXIT_CGROUP;
2645 return r;
2646 }
2647 }
2648
2649 if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
2650 r = setup_runtime_directory(context, params, uid, gid);
2651 if (r < 0) {
2652 *exit_status = EXIT_RUNTIME_DIRECTORY;
2653 return r;
2654 }
2655 }
2656
2657 r = build_environment(
2658 unit,
2659 context,
2660 params,
2661 n_fds,
2662 home,
2663 username,
2664 shell,
2665 journal_stream_dev,
2666 journal_stream_ino,
2667 &our_env);
2668 if (r < 0) {
2669 *exit_status = EXIT_MEMORY;
2670 return r;
2671 }
2672
2673 r = build_pass_environment(context, &pass_env);
2674 if (r < 0) {
2675 *exit_status = EXIT_MEMORY;
2676 return r;
2677 }
2678
2679 accum_env = strv_env_merge(5,
2680 params->environment,
2681 our_env,
2682 pass_env,
2683 context->environment,
2684 files_env,
2685 NULL);
2686 if (!accum_env) {
2687 *exit_status = EXIT_MEMORY;
2688 return -ENOMEM;
2689 }
2690 accum_env = strv_env_clean(accum_env);
2691
2692 (void) umask(context->umask);
2693
2694 r = setup_keyring(unit, params, uid, gid);
2695 if (r < 0) {
2696 *exit_status = EXIT_KEYRING;
2697 return r;
2698 }
2699
2700 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
2701 if (context->pam_name && username) {
2702 r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds);
2703 if (r < 0) {
2704 *exit_status = EXIT_PAM;
2705 return r;
2706 }
2707 }
2708 }
2709
2710 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
2711 r = setup_netns(runtime->netns_storage_socket);
2712 if (r < 0) {
2713 *exit_status = EXIT_NETWORK;
2714 return r;
2715 }
2716 }
2717
2718 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
2719 if (needs_mount_namespace) {
2720 r = apply_mount_namespace(unit, context, params, runtime);
2721 if (r < 0) {
2722 *exit_status = EXIT_NAMESPACE;
2723 return r;
2724 }
2725 }
2726
2727 /* Apply just after mount namespace setup */
2728 r = apply_working_directory(context, params, home, needs_mount_namespace);
2729 if (r < 0) {
2730 *exit_status = EXIT_CHROOT;
2731 return r;
2732 }
2733
2734 /* Drop groups as early as possbile */
2735 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
2736 r = enforce_groups(context, gid, supplementary_gids, ngids);
2737 if (r < 0) {
2738 *exit_status = EXIT_GROUP;
2739 return r;
2740 }
2741 }
2742
2743 #ifdef HAVE_SELINUX
2744 if ((params->flags & EXEC_APPLY_PERMISSIONS) &&
2745 mac_selinux_use() &&
2746 params->selinux_context_net &&
2747 socket_fd >= 0 &&
2748 !command->privileged) {
2749
2750 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
2751 if (r < 0) {
2752 *exit_status = EXIT_SELINUX_CONTEXT;
2753 return r;
2754 }
2755 }
2756 #endif
2757
2758 if ((params->flags & EXEC_APPLY_PERMISSIONS) && context->private_users) {
2759 r = setup_private_users(uid, gid);
2760 if (r < 0) {
2761 *exit_status = EXIT_USER;
2762 return r;
2763 }
2764 }
2765
2766 /* We repeat the fd closing here, to make sure that
2767 * nothing is leaked from the PAM modules. Note that
2768 * we are more aggressive this time since socket_fd
2769 * and the netns fds we don't need anymore. The custom
2770 * endpoint fd was needed to upload the policy and can
2771 * now be closed as well. */
2772 r = close_all_fds(fds, n_fds);
2773 if (r >= 0)
2774 r = shift_fds(fds, n_fds);
2775 if (r >= 0)
2776 r = flags_fds(fds, n_fds, context->non_blocking);
2777 if (r < 0) {
2778 *exit_status = EXIT_FDS;
2779 return r;
2780 }
2781
2782 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
2783
2784 int secure_bits = context->secure_bits;
2785
2786 for (i = 0; i < _RLIMIT_MAX; i++) {
2787
2788 if (!context->rlimit[i])
2789 continue;
2790
2791 r = setrlimit_closest(i, context->rlimit[i]);
2792 if (r < 0) {
2793 *exit_status = EXIT_LIMITS;
2794 return r;
2795 }
2796 }
2797
2798 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */
2799 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
2800 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
2801 *exit_status = EXIT_LIMITS;
2802 return -errno;
2803 }
2804 }
2805
2806 if (!cap_test_all(context->capability_bounding_set)) {
2807 r = capability_bounding_set_drop(context->capability_bounding_set, false);
2808 if (r < 0) {
2809 *exit_status = EXIT_CAPABILITIES;
2810 return r;
2811 }
2812 }
2813
2814 /* This is done before enforce_user, but ambient set
2815 * does not survive over setresuid() if keep_caps is not set. */
2816 if (context->capability_ambient_set != 0) {
2817 r = capability_ambient_set_apply(context->capability_ambient_set, true);
2818 if (r < 0) {
2819 *exit_status = EXIT_CAPABILITIES;
2820 return r;
2821 }
2822 }
2823
2824 if (context->user) {
2825 r = enforce_user(context, uid);
2826 if (r < 0) {
2827 *exit_status = EXIT_USER;
2828 return r;
2829 }
2830 if (context->capability_ambient_set != 0) {
2831
2832 /* Fix the ambient capabilities after user change. */
2833 r = capability_ambient_set_apply(context->capability_ambient_set, false);
2834 if (r < 0) {
2835 *exit_status = EXIT_CAPABILITIES;
2836 return r;
2837 }
2838
2839 /* If we were asked to change user and ambient capabilities
2840 * were requested, we had to add keep-caps to the securebits
2841 * so that we would maintain the inherited capability set
2842 * through the setresuid(). Make sure that the bit is added
2843 * also to the context secure_bits so that we don't try to
2844 * drop the bit away next. */
2845
2846 secure_bits |= 1<<SECURE_KEEP_CAPS;
2847 }
2848 }
2849
2850 /* Apply the MAC contexts late, but before seccomp syscall filtering, as those should really be last to
2851 * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
2852 * syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
2853 * are restricted. */
2854
2855 #ifdef HAVE_SELINUX
2856 if (mac_selinux_use()) {
2857 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
2858
2859 if (exec_context) {
2860 r = setexeccon(exec_context);
2861 if (r < 0) {
2862 *exit_status = EXIT_SELINUX_CONTEXT;
2863 return r;
2864 }
2865 }
2866 }
2867 #endif
2868
2869 r = setup_smack(context, command);
2870 if (r < 0) {
2871 *exit_status = EXIT_SMACK_PROCESS_LABEL;
2872 return r;
2873 }
2874
2875 #ifdef HAVE_APPARMOR
2876 if (context->apparmor_profile && mac_apparmor_use()) {
2877 r = aa_change_onexec(context->apparmor_profile);
2878 if (r < 0 && !context->apparmor_profile_ignore) {
2879 *exit_status = EXIT_APPARMOR_PROFILE;
2880 return -errno;
2881 }
2882 }
2883 #endif
2884
2885 /* PR_GET_SECUREBITS is not privileged, while
2886 * PR_SET_SECUREBITS is. So to suppress
2887 * potential EPERMs we'll try not to call
2888 * PR_SET_SECUREBITS unless necessary. */
2889 if (prctl(PR_GET_SECUREBITS) != secure_bits)
2890 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
2891 *exit_status = EXIT_SECUREBITS;
2892 return -errno;
2893 }
2894
2895 if (context_has_no_new_privileges(context))
2896 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
2897 *exit_status = EXIT_NO_NEW_PRIVILEGES;
2898 return -errno;
2899 }
2900
2901 #ifdef HAVE_SECCOMP
2902 if (context_has_address_families(context)) {
2903 r = apply_address_families(unit, context);
2904 if (r < 0) {
2905 *exit_status = EXIT_ADDRESS_FAMILIES;
2906 return r;
2907 }
2908 }
2909
2910 if (context->memory_deny_write_execute) {
2911 r = apply_memory_deny_write_execute(unit, context);
2912 if (r < 0) {
2913 *exit_status = EXIT_SECCOMP;
2914 return r;
2915 }
2916 }
2917
2918 if (context->restrict_realtime) {
2919 r = apply_restrict_realtime(unit, context);
2920 if (r < 0) {
2921 *exit_status = EXIT_SECCOMP;
2922 return r;
2923 }
2924 }
2925
2926 r = apply_restrict_namespaces(unit, context);
2927 if (r < 0) {
2928 *exit_status = EXIT_SECCOMP;
2929 return r;
2930 }
2931
2932 if (context->protect_kernel_tunables) {
2933 r = apply_protect_sysctl(unit, context);
2934 if (r < 0) {
2935 *exit_status = EXIT_SECCOMP;
2936 return r;
2937 }
2938 }
2939
2940 if (context->protect_kernel_modules) {
2941 r = apply_protect_kernel_modules(unit, context);
2942 if (r < 0) {
2943 *exit_status = EXIT_SECCOMP;
2944 return r;
2945 }
2946 }
2947
2948 if (context->private_devices) {
2949 r = apply_private_devices(unit, context);
2950 if (r < 0) {
2951 *exit_status = EXIT_SECCOMP;
2952 return r;
2953 }
2954 }
2955
2956 /* This really should remain the last step before the execve(), to make sure our own code is unaffected
2957 * by the filter as little as possible. */
2958 if (context_has_syscall_filters(context)) {
2959 r = apply_seccomp(unit, context);
2960 if (r < 0) {
2961 *exit_status = EXIT_SECCOMP;
2962 return r;
2963 }
2964 }
2965 #endif
2966 }
2967
2968 final_argv = replace_env_argv(argv, accum_env);
2969 if (!final_argv) {
2970 *exit_status = EXIT_MEMORY;
2971 return -ENOMEM;
2972 }
2973
2974 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
2975 _cleanup_free_ char *line;
2976
2977 line = exec_command_line(final_argv);
2978 if (line) {
2979 log_open();
2980 log_struct(LOG_DEBUG,
2981 LOG_UNIT_ID(unit),
2982 "EXECUTABLE=%s", command->path,
2983 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
2984 NULL);
2985 log_close();
2986 }
2987 }
2988
2989 execve(command->path, final_argv, accum_env);
2990 *exit_status = EXIT_EXEC;
2991 return -errno;
2992 }
2993
2994 int exec_spawn(Unit *unit,
2995 ExecCommand *command,
2996 const ExecContext *context,
2997 const ExecParameters *params,
2998 ExecRuntime *runtime,
2999 DynamicCreds *dcreds,
3000 pid_t *ret) {
3001
3002 _cleanup_strv_free_ char **files_env = NULL;
3003 int *fds = NULL; unsigned n_fds = 0;
3004 _cleanup_free_ char *line = NULL;
3005 int socket_fd, r;
3006 int named_iofds[3] = { -1, -1, -1 };
3007 char **argv;
3008 pid_t pid;
3009
3010 assert(unit);
3011 assert(command);
3012 assert(context);
3013 assert(ret);
3014 assert(params);
3015 assert(params->fds || params->n_fds <= 0);
3016
3017 if (context->std_input == EXEC_INPUT_SOCKET ||
3018 context->std_output == EXEC_OUTPUT_SOCKET ||
3019 context->std_error == EXEC_OUTPUT_SOCKET) {
3020
3021 if (params->n_fds != 1) {
3022 log_unit_error(unit, "Got more than one socket.");
3023 return -EINVAL;
3024 }
3025
3026 socket_fd = params->fds[0];
3027 } else {
3028 socket_fd = -1;
3029 fds = params->fds;
3030 n_fds = params->n_fds;
3031 }
3032
3033 r = exec_context_named_iofds(unit, context, params, named_iofds);
3034 if (r < 0)
3035 return log_unit_error_errno(unit, r, "Failed to load a named file descriptor: %m");
3036
3037 r = exec_context_load_environment(unit, context, &files_env);
3038 if (r < 0)
3039 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
3040
3041 argv = params->argv ?: command->argv;
3042 line = exec_command_line(argv);
3043 if (!line)
3044 return log_oom();
3045
3046 log_struct(LOG_DEBUG,
3047 LOG_UNIT_ID(unit),
3048 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
3049 "EXECUTABLE=%s", command->path,
3050 NULL);
3051 pid = fork();
3052 if (pid < 0)
3053 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
3054
3055 if (pid == 0) {
3056 int exit_status;
3057
3058 r = exec_child(unit,
3059 command,
3060 context,
3061 params,
3062 runtime,
3063 dcreds,
3064 argv,
3065 socket_fd,
3066 named_iofds,
3067 fds, n_fds,
3068 files_env,
3069 unit->manager->user_lookup_fds[1],
3070 &exit_status);
3071 if (r < 0) {
3072 log_open();
3073 log_struct_errno(LOG_ERR, r,
3074 LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
3075 LOG_UNIT_ID(unit),
3076 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
3077 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
3078 command->path),
3079 "EXECUTABLE=%s", command->path,
3080 NULL);
3081 }
3082
3083 _exit(exit_status);
3084 }
3085
3086 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
3087
3088 /* We add the new process to the cgroup both in the child (so
3089 * that we can be sure that no user code is ever executed
3090 * outside of the cgroup) and in the parent (so that we can be
3091 * sure that when we kill the cgroup the process will be
3092 * killed too). */
3093 if (params->cgroup_path)
3094 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
3095
3096 exec_status_start(&command->exec_status, pid);
3097
3098 *ret = pid;
3099 return 0;
3100 }
3101
3102 void exec_context_init(ExecContext *c) {
3103 assert(c);
3104
3105 c->umask = 0022;
3106 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
3107 c->cpu_sched_policy = SCHED_OTHER;
3108 c->syslog_priority = LOG_DAEMON|LOG_INFO;
3109 c->syslog_level_prefix = true;
3110 c->ignore_sigpipe = true;
3111 c->timer_slack_nsec = NSEC_INFINITY;
3112 c->personality = PERSONALITY_INVALID;
3113 c->runtime_directory_mode = 0755;
3114 c->capability_bounding_set = CAP_ALL;
3115 c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
3116 }
3117
3118 void exec_context_done(ExecContext *c) {
3119 unsigned l;
3120
3121 assert(c);
3122
3123 c->environment = strv_free(c->environment);
3124 c->environment_files = strv_free(c->environment_files);
3125 c->pass_environment = strv_free(c->pass_environment);
3126
3127 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
3128 c->rlimit[l] = mfree(c->rlimit[l]);
3129
3130 for (l = 0; l < 3; l++)
3131 c->stdio_fdname[l] = mfree(c->stdio_fdname[l]);
3132
3133 c->working_directory = mfree(c->working_directory);
3134 c->root_directory = mfree(c->root_directory);
3135 c->tty_path = mfree(c->tty_path);
3136 c->syslog_identifier = mfree(c->syslog_identifier);
3137 c->user = mfree(c->user);
3138 c->group = mfree(c->group);
3139
3140 c->supplementary_groups = strv_free(c->supplementary_groups);
3141
3142 c->pam_name = mfree(c->pam_name);
3143
3144 c->read_only_paths = strv_free(c->read_only_paths);
3145 c->read_write_paths = strv_free(c->read_write_paths);
3146 c->inaccessible_paths = strv_free(c->inaccessible_paths);
3147
3148 if (c->cpuset)
3149 CPU_FREE(c->cpuset);
3150
3151 c->utmp_id = mfree(c->utmp_id);
3152 c->selinux_context = mfree(c->selinux_context);
3153 c->apparmor_profile = mfree(c->apparmor_profile);
3154
3155 c->syscall_filter = set_free(c->syscall_filter);
3156 c->syscall_archs = set_free(c->syscall_archs);
3157 c->address_families = set_free(c->address_families);
3158
3159 c->runtime_directory = strv_free(c->runtime_directory);
3160 }
3161
3162 int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
3163 char **i;
3164
3165 assert(c);
3166
3167 if (!runtime_prefix)
3168 return 0;
3169
3170 STRV_FOREACH(i, c->runtime_directory) {
3171 _cleanup_free_ char *p;
3172
3173 p = strjoin(runtime_prefix, "/", *i);
3174 if (!p)
3175 return -ENOMEM;
3176
3177 /* We execute this synchronously, since we need to be
3178 * sure this is gone when we start the service
3179 * next. */
3180 (void) rm_rf(p, REMOVE_ROOT);
3181 }
3182
3183 return 0;
3184 }
3185
3186 void exec_command_done(ExecCommand *c) {
3187 assert(c);
3188
3189 c->path = mfree(c->path);
3190
3191 c->argv = strv_free(c->argv);
3192 }
3193
3194 void exec_command_done_array(ExecCommand *c, unsigned n) {
3195 unsigned i;
3196
3197 for (i = 0; i < n; i++)
3198 exec_command_done(c+i);
3199 }
3200
3201 ExecCommand* exec_command_free_list(ExecCommand *c) {
3202 ExecCommand *i;
3203
3204 while ((i = c)) {
3205 LIST_REMOVE(command, c, i);
3206 exec_command_done(i);
3207 free(i);
3208 }
3209
3210 return NULL;
3211 }
3212
3213 void exec_command_free_array(ExecCommand **c, unsigned n) {
3214 unsigned i;
3215
3216 for (i = 0; i < n; i++)
3217 c[i] = exec_command_free_list(c[i]);
3218 }
3219
3220 typedef struct InvalidEnvInfo {
3221 Unit *unit;
3222 const char *path;
3223 } InvalidEnvInfo;
3224
3225 static void invalid_env(const char *p, void *userdata) {
3226 InvalidEnvInfo *info = userdata;
3227
3228 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
3229 }
3230
3231 const char* exec_context_fdname(const ExecContext *c, int fd_index) {
3232 assert(c);
3233
3234 switch (fd_index) {
3235 case STDIN_FILENO:
3236 if (c->std_input != EXEC_INPUT_NAMED_FD)
3237 return NULL;
3238 return c->stdio_fdname[STDIN_FILENO] ?: "stdin";
3239 case STDOUT_FILENO:
3240 if (c->std_output != EXEC_OUTPUT_NAMED_FD)
3241 return NULL;
3242 return c->stdio_fdname[STDOUT_FILENO] ?: "stdout";
3243 case STDERR_FILENO:
3244 if (c->std_error != EXEC_OUTPUT_NAMED_FD)
3245 return NULL;
3246 return c->stdio_fdname[STDERR_FILENO] ?: "stderr";
3247 default:
3248 return NULL;
3249 }
3250 }
3251
3252 int exec_context_named_iofds(Unit *unit, const ExecContext *c, const ExecParameters *p, int named_iofds[3]) {
3253 unsigned i, targets;
3254 const char *stdio_fdname[3];
3255
3256 assert(c);
3257 assert(p);
3258
3259 targets = (c->std_input == EXEC_INPUT_NAMED_FD) +
3260 (c->std_output == EXEC_OUTPUT_NAMED_FD) +
3261 (c->std_error == EXEC_OUTPUT_NAMED_FD);
3262
3263 for (i = 0; i < 3; i++)
3264 stdio_fdname[i] = exec_context_fdname(c, i);
3265
3266 for (i = 0; i < p->n_fds && targets > 0; i++)
3267 if (named_iofds[STDIN_FILENO] < 0 && c->std_input == EXEC_INPUT_NAMED_FD && stdio_fdname[STDIN_FILENO] && streq(p->fd_names[i], stdio_fdname[STDIN_FILENO])) {
3268 named_iofds[STDIN_FILENO] = p->fds[i];
3269 targets--;
3270 } else if (named_iofds[STDOUT_FILENO] < 0 && c->std_output == EXEC_OUTPUT_NAMED_FD && stdio_fdname[STDOUT_FILENO] && streq(p->fd_names[i], stdio_fdname[STDOUT_FILENO])) {
3271 named_iofds[STDOUT_FILENO] = p->fds[i];
3272 targets--;
3273 } else if (named_iofds[STDERR_FILENO] < 0 && c->std_error == EXEC_OUTPUT_NAMED_FD && stdio_fdname[STDERR_FILENO] && streq(p->fd_names[i], stdio_fdname[STDERR_FILENO])) {
3274 named_iofds[STDERR_FILENO] = p->fds[i];
3275 targets--;
3276 }
3277
3278 return (targets == 0 ? 0 : -ENOENT);
3279 }
3280
3281 int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
3282 char **i, **r = NULL;
3283
3284 assert(c);
3285 assert(l);
3286
3287 STRV_FOREACH(i, c->environment_files) {
3288 char *fn;
3289 int k;
3290 bool ignore = false;
3291 char **p;
3292 _cleanup_globfree_ glob_t pglob = {};
3293 int count, n;
3294
3295 fn = *i;
3296
3297 if (fn[0] == '-') {
3298 ignore = true;
3299 fn++;
3300 }
3301
3302 if (!path_is_absolute(fn)) {
3303 if (ignore)
3304 continue;
3305
3306 strv_free(r);
3307 return -EINVAL;
3308 }
3309
3310 /* Filename supports globbing, take all matching files */
3311 errno = 0;
3312 if (glob(fn, 0, NULL, &pglob) != 0) {
3313 if (ignore)
3314 continue;
3315
3316 strv_free(r);
3317 return errno > 0 ? -errno : -EINVAL;
3318 }
3319 count = pglob.gl_pathc;
3320 if (count == 0) {
3321 if (ignore)
3322 continue;
3323
3324 strv_free(r);
3325 return -EINVAL;
3326 }
3327 for (n = 0; n < count; n++) {
3328 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
3329 if (k < 0) {
3330 if (ignore)
3331 continue;
3332
3333 strv_free(r);
3334 return k;
3335 }
3336 /* Log invalid environment variables with filename */
3337 if (p) {
3338 InvalidEnvInfo info = {
3339 .unit = unit,
3340 .path = pglob.gl_pathv[n]
3341 };
3342
3343 p = strv_env_clean_with_callback(p, invalid_env, &info);
3344 }
3345
3346 if (r == NULL)
3347 r = p;
3348 else {
3349 char **m;
3350
3351 m = strv_env_merge(2, r, p);
3352 strv_free(r);
3353 strv_free(p);
3354 if (!m)
3355 return -ENOMEM;
3356
3357 r = m;
3358 }
3359 }
3360 }
3361
3362 *l = r;
3363
3364 return 0;
3365 }
3366
3367 static bool tty_may_match_dev_console(const char *tty) {
3368 _cleanup_free_ char *active = NULL;
3369 char *console;
3370
3371 if (!tty)
3372 return true;
3373
3374 if (startswith(tty, "/dev/"))
3375 tty += 5;
3376
3377 /* trivial identity? */
3378 if (streq(tty, "console"))
3379 return true;
3380
3381 console = resolve_dev_console(&active);
3382 /* if we could not resolve, assume it may */
3383 if (!console)
3384 return true;
3385
3386 /* "tty0" means the active VC, so it may be the same sometimes */
3387 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
3388 }
3389
3390 bool exec_context_may_touch_console(ExecContext *ec) {
3391
3392 return (ec->tty_reset ||
3393 ec->tty_vhangup ||
3394 ec->tty_vt_disallocate ||
3395 is_terminal_input(ec->std_input) ||
3396 is_terminal_output(ec->std_output) ||
3397 is_terminal_output(ec->std_error)) &&
3398 tty_may_match_dev_console(exec_context_tty_path(ec));
3399 }
3400
3401 static void strv_fprintf(FILE *f, char **l) {
3402 char **g;
3403
3404 assert(f);
3405
3406 STRV_FOREACH(g, l)
3407 fprintf(f, " %s", *g);
3408 }
3409
3410 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
3411 char **e, **d;
3412 unsigned i;
3413 int r;
3414
3415 assert(c);
3416 assert(f);
3417
3418 prefix = strempty(prefix);
3419
3420 fprintf(f,
3421 "%sUMask: %04o\n"
3422 "%sWorkingDirectory: %s\n"
3423 "%sRootDirectory: %s\n"
3424 "%sNonBlocking: %s\n"
3425 "%sPrivateTmp: %s\n"
3426 "%sPrivateDevices: %s\n"
3427 "%sProtectKernelTunables: %s\n"
3428 "%sProtectKernelModules: %s\n"
3429 "%sProtectControlGroups: %s\n"
3430 "%sPrivateNetwork: %s\n"
3431 "%sPrivateUsers: %s\n"
3432 "%sProtectHome: %s\n"
3433 "%sProtectSystem: %s\n"
3434 "%sIgnoreSIGPIPE: %s\n"
3435 "%sMemoryDenyWriteExecute: %s\n"
3436 "%sRestrictRealtime: %s\n",
3437 prefix, c->umask,
3438 prefix, c->working_directory ? c->working_directory : "/",
3439 prefix, c->root_directory ? c->root_directory : "/",
3440 prefix, yes_no(c->non_blocking),
3441 prefix, yes_no(c->private_tmp),
3442 prefix, yes_no(c->private_devices),
3443 prefix, yes_no(c->protect_kernel_tunables),
3444 prefix, yes_no(c->protect_kernel_modules),
3445 prefix, yes_no(c->protect_control_groups),
3446 prefix, yes_no(c->private_network),
3447 prefix, yes_no(c->private_users),
3448 prefix, protect_home_to_string(c->protect_home),
3449 prefix, protect_system_to_string(c->protect_system),
3450 prefix, yes_no(c->ignore_sigpipe),
3451 prefix, yes_no(c->memory_deny_write_execute),
3452 prefix, yes_no(c->restrict_realtime));
3453
3454 STRV_FOREACH(e, c->environment)
3455 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
3456
3457 STRV_FOREACH(e, c->environment_files)
3458 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
3459
3460 STRV_FOREACH(e, c->pass_environment)
3461 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
3462
3463 fprintf(f, "%sRuntimeDirectoryMode: %04o\n", prefix, c->runtime_directory_mode);
3464
3465 STRV_FOREACH(d, c->runtime_directory)
3466 fprintf(f, "%sRuntimeDirectory: %s\n", prefix, *d);
3467
3468 if (c->nice_set)
3469 fprintf(f,
3470 "%sNice: %i\n",
3471 prefix, c->nice);
3472
3473 if (c->oom_score_adjust_set)
3474 fprintf(f,
3475 "%sOOMScoreAdjust: %i\n",
3476 prefix, c->oom_score_adjust);
3477
3478 for (i = 0; i < RLIM_NLIMITS; i++)
3479 if (c->rlimit[i]) {
3480 fprintf(f, "%s%s: " RLIM_FMT "\n",
3481 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
3482 fprintf(f, "%s%sSoft: " RLIM_FMT "\n",
3483 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
3484 }
3485
3486 if (c->ioprio_set) {
3487 _cleanup_free_ char *class_str = NULL;
3488
3489 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
3490 fprintf(f,
3491 "%sIOSchedulingClass: %s\n"
3492 "%sIOPriority: %i\n",
3493 prefix, strna(class_str),
3494 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
3495 }
3496
3497 if (c->cpu_sched_set) {
3498 _cleanup_free_ char *policy_str = NULL;
3499
3500 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
3501 fprintf(f,
3502 "%sCPUSchedulingPolicy: %s\n"
3503 "%sCPUSchedulingPriority: %i\n"
3504 "%sCPUSchedulingResetOnFork: %s\n",
3505 prefix, strna(policy_str),
3506 prefix, c->cpu_sched_priority,
3507 prefix, yes_no(c->cpu_sched_reset_on_fork));
3508 }
3509
3510 if (c->cpuset) {
3511 fprintf(f, "%sCPUAffinity:", prefix);
3512 for (i = 0; i < c->cpuset_ncpus; i++)
3513 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
3514 fprintf(f, " %u", i);
3515 fputs("\n", f);
3516 }
3517
3518 if (c->timer_slack_nsec != NSEC_INFINITY)
3519 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
3520
3521 fprintf(f,
3522 "%sStandardInput: %s\n"
3523 "%sStandardOutput: %s\n"
3524 "%sStandardError: %s\n",
3525 prefix, exec_input_to_string(c->std_input),
3526 prefix, exec_output_to_string(c->std_output),
3527 prefix, exec_output_to_string(c->std_error));
3528
3529 if (c->tty_path)
3530 fprintf(f,
3531 "%sTTYPath: %s\n"
3532 "%sTTYReset: %s\n"
3533 "%sTTYVHangup: %s\n"
3534 "%sTTYVTDisallocate: %s\n",
3535 prefix, c->tty_path,
3536 prefix, yes_no(c->tty_reset),
3537 prefix, yes_no(c->tty_vhangup),
3538 prefix, yes_no(c->tty_vt_disallocate));
3539
3540 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
3541 c->std_output == EXEC_OUTPUT_KMSG ||
3542 c->std_output == EXEC_OUTPUT_JOURNAL ||
3543 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3544 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3545 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
3546 c->std_error == EXEC_OUTPUT_SYSLOG ||
3547 c->std_error == EXEC_OUTPUT_KMSG ||
3548 c->std_error == EXEC_OUTPUT_JOURNAL ||
3549 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3550 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3551 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
3552
3553 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
3554
3555 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
3556 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
3557
3558 fprintf(f,
3559 "%sSyslogFacility: %s\n"
3560 "%sSyslogLevel: %s\n",
3561 prefix, strna(fac_str),
3562 prefix, strna(lvl_str));
3563 }
3564
3565 if (c->secure_bits)
3566 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
3567 prefix,
3568 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
3569 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
3570 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
3571 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
3572 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
3573 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
3574
3575 if (c->capability_bounding_set != CAP_ALL) {
3576 unsigned long l;
3577 fprintf(f, "%sCapabilityBoundingSet:", prefix);
3578
3579 for (l = 0; l <= cap_last_cap(); l++)
3580 if (c->capability_bounding_set & (UINT64_C(1) << l))
3581 fprintf(f, " %s", strna(capability_to_name(l)));
3582
3583 fputs("\n", f);
3584 }
3585
3586 if (c->capability_ambient_set != 0) {
3587 unsigned long l;
3588 fprintf(f, "%sAmbientCapabilities:", prefix);
3589
3590 for (l = 0; l <= cap_last_cap(); l++)
3591 if (c->capability_ambient_set & (UINT64_C(1) << l))
3592 fprintf(f, " %s", strna(capability_to_name(l)));
3593
3594 fputs("\n", f);
3595 }
3596
3597 if (c->user)
3598 fprintf(f, "%sUser: %s\n", prefix, c->user);
3599 if (c->group)
3600 fprintf(f, "%sGroup: %s\n", prefix, c->group);
3601
3602 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
3603
3604 if (strv_length(c->supplementary_groups) > 0) {
3605 fprintf(f, "%sSupplementaryGroups:", prefix);
3606 strv_fprintf(f, c->supplementary_groups);
3607 fputs("\n", f);
3608 }
3609
3610 if (c->pam_name)
3611 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
3612
3613 if (strv_length(c->read_write_paths) > 0) {
3614 fprintf(f, "%sReadWritePaths:", prefix);
3615 strv_fprintf(f, c->read_write_paths);
3616 fputs("\n", f);
3617 }
3618
3619 if (strv_length(c->read_only_paths) > 0) {
3620 fprintf(f, "%sReadOnlyPaths:", prefix);
3621 strv_fprintf(f, c->read_only_paths);
3622 fputs("\n", f);
3623 }
3624
3625 if (strv_length(c->inaccessible_paths) > 0) {
3626 fprintf(f, "%sInaccessiblePaths:", prefix);
3627 strv_fprintf(f, c->inaccessible_paths);
3628 fputs("\n", f);
3629 }
3630
3631 if (c->utmp_id)
3632 fprintf(f,
3633 "%sUtmpIdentifier: %s\n",
3634 prefix, c->utmp_id);
3635
3636 if (c->selinux_context)
3637 fprintf(f,
3638 "%sSELinuxContext: %s%s\n",
3639 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
3640
3641 if (c->personality != PERSONALITY_INVALID)
3642 fprintf(f,
3643 "%sPersonality: %s\n",
3644 prefix, strna(personality_to_string(c->personality)));
3645
3646 if (c->syscall_filter) {
3647 #ifdef HAVE_SECCOMP
3648 Iterator j;
3649 void *id;
3650 bool first = true;
3651 #endif
3652
3653 fprintf(f,
3654 "%sSystemCallFilter: ",
3655 prefix);
3656
3657 if (!c->syscall_whitelist)
3658 fputc('~', f);
3659
3660 #ifdef HAVE_SECCOMP
3661 SET_FOREACH(id, c->syscall_filter, j) {
3662 _cleanup_free_ char *name = NULL;
3663
3664 if (first)
3665 first = false;
3666 else
3667 fputc(' ', f);
3668
3669 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
3670 fputs(strna(name), f);
3671 }
3672 #endif
3673
3674 fputc('\n', f);
3675 }
3676
3677 if (c->syscall_archs) {
3678 #ifdef HAVE_SECCOMP
3679 Iterator j;
3680 void *id;
3681 #endif
3682
3683 fprintf(f,
3684 "%sSystemCallArchitectures:",
3685 prefix);
3686
3687 #ifdef HAVE_SECCOMP
3688 SET_FOREACH(id, c->syscall_archs, j)
3689 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
3690 #endif
3691 fputc('\n', f);
3692 }
3693
3694 if (exec_context_restrict_namespaces_set(c)) {
3695 _cleanup_free_ char *s = NULL;
3696
3697 r = namespace_flag_to_string_many(c->restrict_namespaces, &s);
3698 if (r >= 0)
3699 fprintf(f, "%sRestrictNamespaces: %s\n",
3700 prefix, s);
3701 }
3702
3703 if (c->syscall_errno > 0)
3704 fprintf(f,
3705 "%sSystemCallErrorNumber: %s\n",
3706 prefix, strna(errno_to_name(c->syscall_errno)));
3707
3708 if (c->apparmor_profile)
3709 fprintf(f,
3710 "%sAppArmorProfile: %s%s\n",
3711 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
3712 }
3713
3714 bool exec_context_maintains_privileges(ExecContext *c) {
3715 assert(c);
3716
3717 /* Returns true if the process forked off would run under
3718 * an unchanged UID or as root. */
3719
3720 if (!c->user)
3721 return true;
3722
3723 if (streq(c->user, "root") || streq(c->user, "0"))
3724 return true;
3725
3726 return false;
3727 }
3728
3729 void exec_status_start(ExecStatus *s, pid_t pid) {
3730 assert(s);
3731
3732 zero(*s);
3733 s->pid = pid;
3734 dual_timestamp_get(&s->start_timestamp);
3735 }
3736
3737 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
3738 assert(s);
3739
3740 if (s->pid && s->pid != pid)
3741 zero(*s);
3742
3743 s->pid = pid;
3744 dual_timestamp_get(&s->exit_timestamp);
3745
3746 s->code = code;
3747 s->status = status;
3748
3749 if (context) {
3750 if (context->utmp_id)
3751 utmp_put_dead_process(context->utmp_id, pid, code, status);
3752
3753 exec_context_tty_reset(context, NULL);
3754 }
3755 }
3756
3757 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
3758 char buf[FORMAT_TIMESTAMP_MAX];
3759
3760 assert(s);
3761 assert(f);
3762
3763 if (s->pid <= 0)
3764 return;
3765
3766 prefix = strempty(prefix);
3767
3768 fprintf(f,
3769 "%sPID: "PID_FMT"\n",
3770 prefix, s->pid);
3771
3772 if (dual_timestamp_is_set(&s->start_timestamp))
3773 fprintf(f,
3774 "%sStart Timestamp: %s\n",
3775 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
3776
3777 if (dual_timestamp_is_set(&s->exit_timestamp))
3778 fprintf(f,
3779 "%sExit Timestamp: %s\n"
3780 "%sExit Code: %s\n"
3781 "%sExit Status: %i\n",
3782 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
3783 prefix, sigchld_code_to_string(s->code),
3784 prefix, s->status);
3785 }
3786
3787 char *exec_command_line(char **argv) {
3788 size_t k;
3789 char *n, *p, **a;
3790 bool first = true;
3791
3792 assert(argv);
3793
3794 k = 1;
3795 STRV_FOREACH(a, argv)
3796 k += strlen(*a)+3;
3797
3798 n = new(char, k);
3799 if (!n)
3800 return NULL;
3801
3802 p = n;
3803 STRV_FOREACH(a, argv) {
3804
3805 if (!first)
3806 *(p++) = ' ';
3807 else
3808 first = false;
3809
3810 if (strpbrk(*a, WHITESPACE)) {
3811 *(p++) = '\'';
3812 p = stpcpy(p, *a);
3813 *(p++) = '\'';
3814 } else
3815 p = stpcpy(p, *a);
3816
3817 }
3818
3819 *p = 0;
3820
3821 /* FIXME: this doesn't really handle arguments that have
3822 * spaces and ticks in them */
3823
3824 return n;
3825 }
3826
3827 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
3828 _cleanup_free_ char *cmd = NULL;
3829 const char *prefix2;
3830
3831 assert(c);
3832 assert(f);
3833
3834 prefix = strempty(prefix);
3835 prefix2 = strjoina(prefix, "\t");
3836
3837 cmd = exec_command_line(c->argv);
3838 fprintf(f,
3839 "%sCommand Line: %s\n",
3840 prefix, cmd ? cmd : strerror(ENOMEM));
3841
3842 exec_status_dump(&c->exec_status, f, prefix2);
3843 }
3844
3845 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
3846 assert(f);
3847
3848 prefix = strempty(prefix);
3849
3850 LIST_FOREACH(command, c, c)
3851 exec_command_dump(c, f, prefix);
3852 }
3853
3854 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
3855 ExecCommand *end;
3856
3857 assert(l);
3858 assert(e);
3859
3860 if (*l) {
3861 /* It's kind of important, that we keep the order here */
3862 LIST_FIND_TAIL(command, *l, end);
3863 LIST_INSERT_AFTER(command, *l, end, e);
3864 } else
3865 *l = e;
3866 }
3867
3868 int exec_command_set(ExecCommand *c, const char *path, ...) {
3869 va_list ap;
3870 char **l, *p;
3871
3872 assert(c);
3873 assert(path);
3874
3875 va_start(ap, path);
3876 l = strv_new_ap(path, ap);
3877 va_end(ap);
3878
3879 if (!l)
3880 return -ENOMEM;
3881
3882 p = strdup(path);
3883 if (!p) {
3884 strv_free(l);
3885 return -ENOMEM;
3886 }
3887
3888 free(c->path);
3889 c->path = p;
3890
3891 strv_free(c->argv);
3892 c->argv = l;
3893
3894 return 0;
3895 }
3896
3897 int exec_command_append(ExecCommand *c, const char *path, ...) {
3898 _cleanup_strv_free_ char **l = NULL;
3899 va_list ap;
3900 int r;
3901
3902 assert(c);
3903 assert(path);
3904
3905 va_start(ap, path);
3906 l = strv_new_ap(path, ap);
3907 va_end(ap);
3908
3909 if (!l)
3910 return -ENOMEM;
3911
3912 r = strv_extend_strv(&c->argv, l, false);
3913 if (r < 0)
3914 return r;
3915
3916 return 0;
3917 }
3918
3919
3920 static int exec_runtime_allocate(ExecRuntime **rt) {
3921
3922 if (*rt)
3923 return 0;
3924
3925 *rt = new0(ExecRuntime, 1);
3926 if (!*rt)
3927 return -ENOMEM;
3928
3929 (*rt)->n_ref = 1;
3930 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
3931
3932 return 0;
3933 }
3934
3935 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
3936 int r;
3937
3938 assert(rt);
3939 assert(c);
3940 assert(id);
3941
3942 if (*rt)
3943 return 1;
3944
3945 if (!c->private_network && !c->private_tmp)
3946 return 0;
3947
3948 r = exec_runtime_allocate(rt);
3949 if (r < 0)
3950 return r;
3951
3952 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
3953 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, (*rt)->netns_storage_socket) < 0)
3954 return -errno;
3955 }
3956
3957 if (c->private_tmp && !(*rt)->tmp_dir) {
3958 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
3959 if (r < 0)
3960 return r;
3961 }
3962
3963 return 1;
3964 }
3965
3966 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
3967 assert(r);
3968 assert(r->n_ref > 0);
3969
3970 r->n_ref++;
3971 return r;
3972 }
3973
3974 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
3975
3976 if (!r)
3977 return NULL;
3978
3979 assert(r->n_ref > 0);
3980
3981 r->n_ref--;
3982 if (r->n_ref > 0)
3983 return NULL;
3984
3985 free(r->tmp_dir);
3986 free(r->var_tmp_dir);
3987 safe_close_pair(r->netns_storage_socket);
3988 return mfree(r);
3989 }
3990
3991 int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
3992 assert(u);
3993 assert(f);
3994 assert(fds);
3995
3996 if (!rt)
3997 return 0;
3998
3999 if (rt->tmp_dir)
4000 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
4001
4002 if (rt->var_tmp_dir)
4003 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
4004
4005 if (rt->netns_storage_socket[0] >= 0) {
4006 int copy;
4007
4008 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
4009 if (copy < 0)
4010 return copy;
4011
4012 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
4013 }
4014
4015 if (rt->netns_storage_socket[1] >= 0) {
4016 int copy;
4017
4018 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
4019 if (copy < 0)
4020 return copy;
4021
4022 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
4023 }
4024
4025 return 0;
4026 }
4027
4028 int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
4029 int r;
4030
4031 assert(rt);
4032 assert(key);
4033 assert(value);
4034
4035 if (streq(key, "tmp-dir")) {
4036 char *copy;
4037
4038 r = exec_runtime_allocate(rt);
4039 if (r < 0)
4040 return log_oom();
4041
4042 copy = strdup(value);
4043 if (!copy)
4044 return log_oom();
4045
4046 free((*rt)->tmp_dir);
4047 (*rt)->tmp_dir = copy;
4048
4049 } else if (streq(key, "var-tmp-dir")) {
4050 char *copy;
4051
4052 r = exec_runtime_allocate(rt);
4053 if (r < 0)
4054 return log_oom();
4055
4056 copy = strdup(value);
4057 if (!copy)
4058 return log_oom();
4059
4060 free((*rt)->var_tmp_dir);
4061 (*rt)->var_tmp_dir = copy;
4062
4063 } else if (streq(key, "netns-socket-0")) {
4064 int fd;
4065
4066 r = exec_runtime_allocate(rt);
4067 if (r < 0)
4068 return log_oom();
4069
4070 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
4071 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
4072 else {
4073 safe_close((*rt)->netns_storage_socket[0]);
4074 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
4075 }
4076 } else if (streq(key, "netns-socket-1")) {
4077 int fd;
4078
4079 r = exec_runtime_allocate(rt);
4080 if (r < 0)
4081 return log_oom();
4082
4083 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
4084 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
4085 else {
4086 safe_close((*rt)->netns_storage_socket[1]);
4087 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
4088 }
4089 } else
4090 return 0;
4091
4092 return 1;
4093 }
4094
4095 static void *remove_tmpdir_thread(void *p) {
4096 _cleanup_free_ char *path = p;
4097
4098 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
4099 return NULL;
4100 }
4101
4102 void exec_runtime_destroy(ExecRuntime *rt) {
4103 int r;
4104
4105 if (!rt)
4106 return;
4107
4108 /* If there are multiple users of this, let's leave the stuff around */
4109 if (rt->n_ref > 1)
4110 return;
4111
4112 if (rt->tmp_dir) {
4113 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
4114
4115 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
4116 if (r < 0) {
4117 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
4118 free(rt->tmp_dir);
4119 }
4120
4121 rt->tmp_dir = NULL;
4122 }
4123
4124 if (rt->var_tmp_dir) {
4125 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
4126
4127 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
4128 if (r < 0) {
4129 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
4130 free(rt->var_tmp_dir);
4131 }
4132
4133 rt->var_tmp_dir = NULL;
4134 }
4135
4136 safe_close_pair(rt->netns_storage_socket);
4137 }
4138
4139 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
4140 [EXEC_INPUT_NULL] = "null",
4141 [EXEC_INPUT_TTY] = "tty",
4142 [EXEC_INPUT_TTY_FORCE] = "tty-force",
4143 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
4144 [EXEC_INPUT_SOCKET] = "socket",
4145 [EXEC_INPUT_NAMED_FD] = "fd",
4146 };
4147
4148 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
4149
4150 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
4151 [EXEC_OUTPUT_INHERIT] = "inherit",
4152 [EXEC_OUTPUT_NULL] = "null",
4153 [EXEC_OUTPUT_TTY] = "tty",
4154 [EXEC_OUTPUT_SYSLOG] = "syslog",
4155 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
4156 [EXEC_OUTPUT_KMSG] = "kmsg",
4157 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
4158 [EXEC_OUTPUT_JOURNAL] = "journal",
4159 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
4160 [EXEC_OUTPUT_SOCKET] = "socket",
4161 [EXEC_OUTPUT_NAMED_FD] = "fd",
4162 };
4163
4164 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
4165
4166 static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
4167 [EXEC_UTMP_INIT] = "init",
4168 [EXEC_UTMP_LOGIN] = "login",
4169 [EXEC_UTMP_USER] = "user",
4170 };
4171
4172 DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
Unnamed repository; edit this file 'description' to name the repository.