]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/execute.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
core: rework the confirmation spawn prompt
[thirdparty/systemd.git] / src / core / execute.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <errno.h>
21 #include <fcntl.h>
22 #include <glob.h>
23 #include <grp.h>
24 #include <poll.h>
25 #include <signal.h>
26 #include <string.h>
27 #include <sys/capability.h>
28 #include <sys/eventfd.h>
29 #include <sys/mman.h>
30 #include <sys/personality.h>
31 #include <sys/prctl.h>
32 #include <sys/shm.h>
33 #include <sys/socket.h>
34 #include <sys/stat.h>
35 #include <sys/types.h>
36 #include <sys/un.h>
37 #include <unistd.h>
38 #include <utmpx.h>
39
40 #ifdef HAVE_PAM
41 #include <security/pam_appl.h>
42 #endif
43
44 #ifdef HAVE_SELINUX
45 #include <selinux/selinux.h>
46 #endif
47
48 #ifdef HAVE_SECCOMP
49 #include <seccomp.h>
50 #endif
51
52 #ifdef HAVE_APPARMOR
53 #include <sys/apparmor.h>
54 #endif
55
56 #include "sd-messages.h"
57
58 #include "af-list.h"
59 #include "alloc-util.h"
60 #ifdef HAVE_APPARMOR
61 #include "apparmor-util.h"
62 #endif
63 #include "async.h"
64 #include "barrier.h"
65 #include "cap-list.h"
66 #include "capability-util.h"
67 #include "def.h"
68 #include "env-util.h"
69 #include "errno-list.h"
70 #include "execute.h"
71 #include "exit-status.h"
72 #include "fd-util.h"
73 #include "fileio.h"
74 #include "format-util.h"
75 #include "fs-util.h"
76 #include "glob-util.h"
77 #include "io-util.h"
78 #include "ioprio.h"
79 #include "log.h"
80 #include "macro.h"
81 #include "missing.h"
82 #include "mkdir.h"
83 #include "namespace.h"
84 #include "parse-util.h"
85 #include "path-util.h"
86 #include "process-util.h"
87 #include "rlimit-util.h"
88 #include "rm-rf.h"
89 #ifdef HAVE_SECCOMP
90 #include "seccomp-util.h"
91 #endif
92 #include "securebits.h"
93 #include "selinux-util.h"
94 #include "signal-util.h"
95 #include "smack-util.h"
96 #include "special.h"
97 #include "string-table.h"
98 #include "string-util.h"
99 #include "strv.h"
100 #include "syslog-util.h"
101 #include "terminal-util.h"
102 #include "unit.h"
103 #include "user-util.h"
104 #include "util.h"
105 #include "utmp-wtmp.h"
106
107 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
108 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
109
110 /* This assumes there is a 'tty' group */
111 #define TTY_MODE 0620
112
113 #define SNDBUF_SIZE (8*1024*1024)
114
115 static int shift_fds(int fds[], unsigned n_fds) {
116 int start, restart_from;
117
118 if (n_fds <= 0)
119 return 0;
120
121 /* Modifies the fds array! (sorts it) */
122
123 assert(fds);
124
125 start = 0;
126 for (;;) {
127 int i;
128
129 restart_from = -1;
130
131 for (i = start; i < (int) n_fds; i++) {
132 int nfd;
133
134 /* Already at right index? */
135 if (fds[i] == i+3)
136 continue;
137
138 nfd = fcntl(fds[i], F_DUPFD, i + 3);
139 if (nfd < 0)
140 return -errno;
141
142 safe_close(fds[i]);
143 fds[i] = nfd;
144
145 /* Hmm, the fd we wanted isn't free? Then
146 * let's remember that and try again from here */
147 if (nfd != i+3 && restart_from < 0)
148 restart_from = i;
149 }
150
151 if (restart_from < 0)
152 break;
153
154 start = restart_from;
155 }
156
157 return 0;
158 }
159
160 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
161 unsigned i;
162 int r;
163
164 if (n_fds <= 0)
165 return 0;
166
167 assert(fds);
168
169 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
170
171 for (i = 0; i < n_fds; i++) {
172
173 r = fd_nonblock(fds[i], nonblock);
174 if (r < 0)
175 return r;
176
177 /* We unconditionally drop FD_CLOEXEC from the fds,
178 * since after all we want to pass these fds to our
179 * children */
180
181 r = fd_cloexec(fds[i], false);
182 if (r < 0)
183 return r;
184 }
185
186 return 0;
187 }
188
189 static const char *exec_context_tty_path(const ExecContext *context) {
190 assert(context);
191
192 if (context->stdio_as_fds)
193 return NULL;
194
195 if (context->tty_path)
196 return context->tty_path;
197
198 return "/dev/console";
199 }
200
201 static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
202 const char *path;
203
204 assert(context);
205
206 path = exec_context_tty_path(context);
207
208 if (context->tty_vhangup) {
209 if (p && p->stdin_fd >= 0)
210 (void) terminal_vhangup_fd(p->stdin_fd);
211 else if (path)
212 (void) terminal_vhangup(path);
213 }
214
215 if (context->tty_reset) {
216 if (p && p->stdin_fd >= 0)
217 (void) reset_terminal_fd(p->stdin_fd, true);
218 else if (path)
219 (void) reset_terminal(path);
220 }
221
222 if (context->tty_vt_disallocate && path)
223 (void) vt_disallocate(path);
224 }
225
226 static bool is_terminal_input(ExecInput i) {
227 return IN_SET(i,
228 EXEC_INPUT_TTY,
229 EXEC_INPUT_TTY_FORCE,
230 EXEC_INPUT_TTY_FAIL);
231 }
232
233 static bool is_terminal_output(ExecOutput o) {
234 return IN_SET(o,
235 EXEC_OUTPUT_TTY,
236 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
237 EXEC_OUTPUT_KMSG_AND_CONSOLE,
238 EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
239 }
240
241 static bool exec_context_needs_term(const ExecContext *c) {
242 assert(c);
243
244 /* Return true if the execution context suggests we should set $TERM to something useful. */
245
246 if (is_terminal_input(c->std_input))
247 return true;
248
249 if (is_terminal_output(c->std_output))
250 return true;
251
252 if (is_terminal_output(c->std_error))
253 return true;
254
255 return !!c->tty_path;
256 }
257
258 static int open_null_as(int flags, int nfd) {
259 int fd, r;
260
261 assert(nfd >= 0);
262
263 fd = open("/dev/null", flags|O_NOCTTY);
264 if (fd < 0)
265 return -errno;
266
267 if (fd != nfd) {
268 r = dup2(fd, nfd) < 0 ? -errno : nfd;
269 safe_close(fd);
270 } else
271 r = nfd;
272
273 return r;
274 }
275
276 static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
277 union sockaddr_union sa = {
278 .un.sun_family = AF_UNIX,
279 .un.sun_path = "/run/systemd/journal/stdout",
280 };
281 uid_t olduid = UID_INVALID;
282 gid_t oldgid = GID_INVALID;
283 int r;
284
285 if (gid != GID_INVALID) {
286 oldgid = getgid();
287
288 r = setegid(gid);
289 if (r < 0)
290 return -errno;
291 }
292
293 if (uid != UID_INVALID) {
294 olduid = getuid();
295
296 r = seteuid(uid);
297 if (r < 0) {
298 r = -errno;
299 goto restore_gid;
300 }
301 }
302
303 r = connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
304 if (r < 0)
305 r = -errno;
306
307 /* If we fail to restore the uid or gid, things will likely
308 fail later on. This should only happen if an LSM interferes. */
309
310 if (uid != UID_INVALID)
311 (void) seteuid(olduid);
312
313 restore_gid:
314 if (gid != GID_INVALID)
315 (void) setegid(oldgid);
316
317 return r;
318 }
319
320 static int connect_logger_as(
321 Unit *unit,
322 const ExecContext *context,
323 ExecOutput output,
324 const char *ident,
325 int nfd,
326 uid_t uid,
327 gid_t gid) {
328
329 int fd, r;
330
331 assert(context);
332 assert(output < _EXEC_OUTPUT_MAX);
333 assert(ident);
334 assert(nfd >= 0);
335
336 fd = socket(AF_UNIX, SOCK_STREAM, 0);
337 if (fd < 0)
338 return -errno;
339
340 r = connect_journal_socket(fd, uid, gid);
341 if (r < 0)
342 return r;
343
344 if (shutdown(fd, SHUT_RD) < 0) {
345 safe_close(fd);
346 return -errno;
347 }
348
349 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
350
351 dprintf(fd,
352 "%s\n"
353 "%s\n"
354 "%i\n"
355 "%i\n"
356 "%i\n"
357 "%i\n"
358 "%i\n",
359 context->syslog_identifier ? context->syslog_identifier : ident,
360 unit->id,
361 context->syslog_priority,
362 !!context->syslog_level_prefix,
363 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
364 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
365 is_terminal_output(output));
366
367 if (fd == nfd)
368 return nfd;
369
370 r = dup2(fd, nfd) < 0 ? -errno : nfd;
371 safe_close(fd);
372
373 return r;
374 }
375 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
376 int fd, r;
377
378 assert(path);
379 assert(nfd >= 0);
380
381 fd = open_terminal(path, mode | O_NOCTTY);
382 if (fd < 0)
383 return fd;
384
385 if (fd != nfd) {
386 r = dup2(fd, nfd) < 0 ? -errno : nfd;
387 safe_close(fd);
388 } else
389 r = nfd;
390
391 return r;
392 }
393
394 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
395
396 if (is_terminal_input(std_input) && !apply_tty_stdin)
397 return EXEC_INPUT_NULL;
398
399 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
400 return EXEC_INPUT_NULL;
401
402 return std_input;
403 }
404
405 static int fixup_output(ExecOutput std_output, int socket_fd) {
406
407 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
408 return EXEC_OUTPUT_INHERIT;
409
410 return std_output;
411 }
412
413 static int setup_input(
414 const ExecContext *context,
415 const ExecParameters *params,
416 int socket_fd,
417 int named_iofds[3]) {
418
419 ExecInput i;
420
421 assert(context);
422 assert(params);
423
424 if (params->stdin_fd >= 0) {
425 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
426 return -errno;
427
428 /* Try to make this the controlling tty, if it is a tty, and reset it */
429 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
430 (void) reset_terminal_fd(STDIN_FILENO, true);
431
432 return STDIN_FILENO;
433 }
434
435 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
436
437 switch (i) {
438
439 case EXEC_INPUT_NULL:
440 return open_null_as(O_RDONLY, STDIN_FILENO);
441
442 case EXEC_INPUT_TTY:
443 case EXEC_INPUT_TTY_FORCE:
444 case EXEC_INPUT_TTY_FAIL: {
445 int fd, r;
446
447 fd = acquire_terminal(exec_context_tty_path(context),
448 i == EXEC_INPUT_TTY_FAIL,
449 i == EXEC_INPUT_TTY_FORCE,
450 false,
451 USEC_INFINITY);
452 if (fd < 0)
453 return fd;
454
455 if (fd != STDIN_FILENO) {
456 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
457 safe_close(fd);
458 } else
459 r = STDIN_FILENO;
460
461 return r;
462 }
463
464 case EXEC_INPUT_SOCKET:
465 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
466
467 case EXEC_INPUT_NAMED_FD:
468 (void) fd_nonblock(named_iofds[STDIN_FILENO], false);
469 return dup2(named_iofds[STDIN_FILENO], STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
470
471 default:
472 assert_not_reached("Unknown input type");
473 }
474 }
475
476 static int setup_output(
477 Unit *unit,
478 const ExecContext *context,
479 const ExecParameters *params,
480 int fileno,
481 int socket_fd,
482 int named_iofds[3],
483 const char *ident,
484 uid_t uid,
485 gid_t gid,
486 dev_t *journal_stream_dev,
487 ino_t *journal_stream_ino) {
488
489 ExecOutput o;
490 ExecInput i;
491 int r;
492
493 assert(unit);
494 assert(context);
495 assert(params);
496 assert(ident);
497 assert(journal_stream_dev);
498 assert(journal_stream_ino);
499
500 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
501
502 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
503 return -errno;
504
505 return STDOUT_FILENO;
506 }
507
508 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
509 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
510 return -errno;
511
512 return STDERR_FILENO;
513 }
514
515 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
516 o = fixup_output(context->std_output, socket_fd);
517
518 if (fileno == STDERR_FILENO) {
519 ExecOutput e;
520 e = fixup_output(context->std_error, socket_fd);
521
522 /* This expects the input and output are already set up */
523
524 /* Don't change the stderr file descriptor if we inherit all
525 * the way and are not on a tty */
526 if (e == EXEC_OUTPUT_INHERIT &&
527 o == EXEC_OUTPUT_INHERIT &&
528 i == EXEC_INPUT_NULL &&
529 !is_terminal_input(context->std_input) &&
530 getppid () != 1)
531 return fileno;
532
533 /* Duplicate from stdout if possible */
534 if ((e == o && e != EXEC_OUTPUT_NAMED_FD) || e == EXEC_OUTPUT_INHERIT)
535 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
536
537 o = e;
538
539 } else if (o == EXEC_OUTPUT_INHERIT) {
540 /* If input got downgraded, inherit the original value */
541 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
542 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
543
544 /* If the input is connected to anything that's not a /dev/null, inherit that... */
545 if (i != EXEC_INPUT_NULL)
546 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
547
548 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
549 if (getppid() != 1)
550 return fileno;
551
552 /* We need to open /dev/null here anew, to get the right access mode. */
553 return open_null_as(O_WRONLY, fileno);
554 }
555
556 switch (o) {
557
558 case EXEC_OUTPUT_NULL:
559 return open_null_as(O_WRONLY, fileno);
560
561 case EXEC_OUTPUT_TTY:
562 if (is_terminal_input(i))
563 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
564
565 /* We don't reset the terminal if this is just about output */
566 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
567
568 case EXEC_OUTPUT_SYSLOG:
569 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
570 case EXEC_OUTPUT_KMSG:
571 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
572 case EXEC_OUTPUT_JOURNAL:
573 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
574 r = connect_logger_as(unit, context, o, ident, fileno, uid, gid);
575 if (r < 0) {
576 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
577 r = open_null_as(O_WRONLY, fileno);
578 } else {
579 struct stat st;
580
581 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
582 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
583 * services to detect whether they are connected to the journal or not. */
584
585 if (fstat(fileno, &st) >= 0) {
586 *journal_stream_dev = st.st_dev;
587 *journal_stream_ino = st.st_ino;
588 }
589 }
590 return r;
591
592 case EXEC_OUTPUT_SOCKET:
593 assert(socket_fd >= 0);
594 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
595
596 case EXEC_OUTPUT_NAMED_FD:
597 (void) fd_nonblock(named_iofds[fileno], false);
598 return dup2(named_iofds[fileno], fileno) < 0 ? -errno : fileno;
599
600 default:
601 assert_not_reached("Unknown error type");
602 }
603 }
604
605 static int chown_terminal(int fd, uid_t uid) {
606 struct stat st;
607
608 assert(fd >= 0);
609
610 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
611 if (isatty(fd) < 1)
612 return 0;
613
614 /* This might fail. What matters are the results. */
615 (void) fchown(fd, uid, -1);
616 (void) fchmod(fd, TTY_MODE);
617
618 if (fstat(fd, &st) < 0)
619 return -errno;
620
621 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
622 return -EPERM;
623
624 return 0;
625 }
626
627 static int setup_confirm_stdio(const char *vc, int *_saved_stdin, int *_saved_stdout) {
628 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
629 int r;
630
631 assert(_saved_stdin);
632 assert(_saved_stdout);
633
634 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
635 if (saved_stdin < 0)
636 return -errno;
637
638 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
639 if (saved_stdout < 0)
640 return -errno;
641
642 fd = acquire_terminal(vc, false, false, false, DEFAULT_CONFIRM_USEC);
643 if (fd < 0)
644 return fd;
645
646 r = chown_terminal(fd, getuid());
647 if (r < 0)
648 return r;
649
650 r = reset_terminal_fd(fd, true);
651 if (r < 0)
652 return r;
653
654 if (dup2(fd, STDIN_FILENO) < 0)
655 return -errno;
656
657 if (dup2(fd, STDOUT_FILENO) < 0)
658 return -errno;
659
660 if (fd >= 2)
661 safe_close(fd);
662 fd = -1;
663
664 *_saved_stdin = saved_stdin;
665 *_saved_stdout = saved_stdout;
666
667 saved_stdin = saved_stdout = -1;
668
669 return 0;
670 }
671
672 static void write_confirm_error_fd(int err, int fd) {
673 assert(err < 0);
674
675 if (err == -ETIMEDOUT)
676 dprintf(fd, "Confirmation question timed out, assuming positive response.\n");
677 else {
678 errno = -err;
679 dprintf(fd, "Couldn't ask confirmation: %m, assuming positive response.\n");
680 }
681 }
682
683 static void write_confirm_error(int err, const char *vc) {
684 _cleanup_close_ int fd = -1;
685
686 assert(vc);
687
688 fd = open_terminal(vc, O_WRONLY|O_NOCTTY|O_CLOEXEC);
689 if (fd < 0)
690 return;
691
692 write_confirm_error_fd(err, fd);
693 }
694
695 static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
696 int r = 0;
697
698 assert(saved_stdin);
699 assert(saved_stdout);
700
701 release_terminal();
702
703 if (*saved_stdin >= 0)
704 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
705 r = -errno;
706
707 if (*saved_stdout >= 0)
708 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
709 r = -errno;
710
711 *saved_stdin = safe_close(*saved_stdin);
712 *saved_stdout = safe_close(*saved_stdout);
713
714 return r;
715 }
716
717 enum {
718 CONFIRM_PRETEND_FAILURE = -1,
719 CONFIRM_PRETEND_SUCCESS = 0,
720 CONFIRM_EXECUTE = 1,
721 };
722
723 static int ask_for_confirmation(const char *vc, const char *cmdline) {
724 int saved_stdout = -1, saved_stdin = -1, r;
725 _cleanup_free_ char *e = NULL;
726 char c;
727
728 /* For any internal errors, assume a positive response. */
729 r = setup_confirm_stdio(vc, &saved_stdin, &saved_stdout);
730 if (r < 0) {
731 write_confirm_error(r, vc);
732 return CONFIRM_EXECUTE;
733 }
734
735 e = ellipsize(cmdline, 60, 100);
736 if (!e) {
737 log_oom();
738 r = CONFIRM_EXECUTE;
739 goto restore_stdio;
740 }
741
742 for (;;) {
743 r = ask_char(&c, "yfsh", "Execute %s? [y, f, s – h for help] ", e);
744 if (r < 0) {
745 write_confirm_error_fd(r, STDOUT_FILENO);
746 r = CONFIRM_EXECUTE;
747 goto restore_stdio;
748 }
749
750 switch (c) {
751 case 'f':
752 printf("Failing execution.\n");
753 r = CONFIRM_PRETEND_FAILURE;
754 break;
755 case 'h':
756 printf(" f - fail, don't execute the command and pretend it failed\n"
757 " h - help\n"
758 " s - skip, don't execute the command and pretend it succeeded\n"
759 " y - yes, execute the command\n");
760 continue;
761 case 's':
762 printf("Skipping execution.\n");
763 r = CONFIRM_PRETEND_SUCCESS;
764 break;
765 case 'y':
766 r = CONFIRM_EXECUTE;
767 break;
768 default:
769 assert_not_reached("Unhandled choice");
770 }
771 break;
772 }
773
774 restore_stdio:
775 restore_confirm_stdio(&saved_stdin, &saved_stdout);
776 return r;
777 }
778
779 static int get_fixed_user(const ExecContext *c, const char **user,
780 uid_t *uid, gid_t *gid,
781 const char **home, const char **shell) {
782 int r;
783 const char *name;
784
785 assert(c);
786
787 if (!c->user)
788 return 0;
789
790 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
791 * (i.e. are "/" or "/bin/nologin"). */
792
793 name = c->user;
794 r = get_user_creds_clean(&name, uid, gid, home, shell);
795 if (r < 0)
796 return r;
797
798 *user = name;
799 return 0;
800 }
801
802 static int get_fixed_group(const ExecContext *c, const char **group, gid_t *gid) {
803 int r;
804 const char *name;
805
806 assert(c);
807
808 if (!c->group)
809 return 0;
810
811 name = c->group;
812 r = get_group_creds(&name, gid);
813 if (r < 0)
814 return r;
815
816 *group = name;
817 return 0;
818 }
819
820 static int get_supplementary_groups(const ExecContext *c, const char *user,
821 const char *group, gid_t gid,
822 gid_t **supplementary_gids, int *ngids) {
823 char **i;
824 int r, k = 0;
825 int ngroups_max;
826 bool keep_groups = false;
827 gid_t *groups = NULL;
828 _cleanup_free_ gid_t *l_gids = NULL;
829
830 assert(c);
831
832 /*
833 * If user is given, then lookup GID and supplementary groups list.
834 * We avoid NSS lookups for gid=0. Also we have to initialize groups
835 * here and as early as possible so we keep the list of supplementary
836 * groups of the caller.
837 */
838 if (user && gid_is_valid(gid) && gid != 0) {
839 /* First step, initialize groups from /etc/groups */
840 if (initgroups(user, gid) < 0)
841 return -errno;
842
843 keep_groups = true;
844 }
845
846 if (!c->supplementary_groups)
847 return 0;
848
849 /*
850 * If SupplementaryGroups= was passed then NGROUPS_MAX has to
851 * be positive, otherwise fail.
852 */
853 errno = 0;
854 ngroups_max = (int) sysconf(_SC_NGROUPS_MAX);
855 if (ngroups_max <= 0) {
856 if (errno > 0)
857 return -errno;
858 else
859 return -EOPNOTSUPP; /* For all other values */
860 }
861
862 l_gids = new(gid_t, ngroups_max);
863 if (!l_gids)
864 return -ENOMEM;
865
866 if (keep_groups) {
867 /*
868 * Lookup the list of groups that the user belongs to, we
869 * avoid NSS lookups here too for gid=0.
870 */
871 k = ngroups_max;
872 if (getgrouplist(user, gid, l_gids, &k) < 0)
873 return -EINVAL;
874 } else
875 k = 0;
876
877 STRV_FOREACH(i, c->supplementary_groups) {
878 const char *g;
879
880 if (k >= ngroups_max)
881 return -E2BIG;
882
883 g = *i;
884 r = get_group_creds(&g, l_gids+k);
885 if (r < 0)
886 return r;
887
888 k++;
889 }
890
891 /*
892 * Sets ngids to zero to drop all supplementary groups, happens
893 * when we are under root and SupplementaryGroups= is empty.
894 */
895 if (k == 0) {
896 *ngids = 0;
897 return 0;
898 }
899
900 /* Otherwise get the final list of supplementary groups */
901 groups = memdup(l_gids, sizeof(gid_t) * k);
902 if (!groups)
903 return -ENOMEM;
904
905 *supplementary_gids = groups;
906 *ngids = k;
907
908 groups = NULL;
909
910 return 0;
911 }
912
913 static int enforce_groups(const ExecContext *context, gid_t gid,
914 gid_t *supplementary_gids, int ngids) {
915 int r;
916
917 assert(context);
918
919 /* Handle SupplementaryGroups= even if it is empty */
920 if (context->supplementary_groups) {
921 r = maybe_setgroups(ngids, supplementary_gids);
922 if (r < 0)
923 return r;
924 }
925
926 if (gid_is_valid(gid)) {
927 /* Then set our gids */
928 if (setresgid(gid, gid, gid) < 0)
929 return -errno;
930 }
931
932 return 0;
933 }
934
935 static int enforce_user(const ExecContext *context, uid_t uid) {
936 assert(context);
937
938 if (!uid_is_valid(uid))
939 return 0;
940
941 /* Sets (but doesn't look up) the uid and make sure we keep the
942 * capabilities while doing so. */
943
944 if (context->capability_ambient_set != 0) {
945
946 /* First step: If we need to keep capabilities but
947 * drop privileges we need to make sure we keep our
948 * caps, while we drop privileges. */
949 if (uid != 0) {
950 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
951
952 if (prctl(PR_GET_SECUREBITS) != sb)
953 if (prctl(PR_SET_SECUREBITS, sb) < 0)
954 return -errno;
955 }
956 }
957
958 /* Second step: actually set the uids */
959 if (setresuid(uid, uid, uid) < 0)
960 return -errno;
961
962 /* At this point we should have all necessary capabilities but
963 are otherwise a normal user. However, the caps might got
964 corrupted due to the setresuid() so we need clean them up
965 later. This is done outside of this call. */
966
967 return 0;
968 }
969
970 #ifdef HAVE_PAM
971
972 static int null_conv(
973 int num_msg,
974 const struct pam_message **msg,
975 struct pam_response **resp,
976 void *appdata_ptr) {
977
978 /* We don't support conversations */
979
980 return PAM_CONV_ERR;
981 }
982
983 #endif
984
985 static int setup_pam(
986 const char *name,
987 const char *user,
988 uid_t uid,
989 gid_t gid,
990 const char *tty,
991 char ***env,
992 int fds[], unsigned n_fds) {
993
994 #ifdef HAVE_PAM
995
996 static const struct pam_conv conv = {
997 .conv = null_conv,
998 .appdata_ptr = NULL
999 };
1000
1001 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
1002 pam_handle_t *handle = NULL;
1003 sigset_t old_ss;
1004 int pam_code = PAM_SUCCESS, r;
1005 char **nv, **e = NULL;
1006 bool close_session = false;
1007 pid_t pam_pid = 0, parent_pid;
1008 int flags = 0;
1009
1010 assert(name);
1011 assert(user);
1012 assert(env);
1013
1014 /* We set up PAM in the parent process, then fork. The child
1015 * will then stay around until killed via PR_GET_PDEATHSIG or
1016 * systemd via the cgroup logic. It will then remove the PAM
1017 * session again. The parent process will exec() the actual
1018 * daemon. We do things this way to ensure that the main PID
1019 * of the daemon is the one we initially fork()ed. */
1020
1021 r = barrier_create(&barrier);
1022 if (r < 0)
1023 goto fail;
1024
1025 if (log_get_max_level() < LOG_DEBUG)
1026 flags |= PAM_SILENT;
1027
1028 pam_code = pam_start(name, user, &conv, &handle);
1029 if (pam_code != PAM_SUCCESS) {
1030 handle = NULL;
1031 goto fail;
1032 }
1033
1034 if (tty) {
1035 pam_code = pam_set_item(handle, PAM_TTY, tty);
1036 if (pam_code != PAM_SUCCESS)
1037 goto fail;
1038 }
1039
1040 STRV_FOREACH(nv, *env) {
1041 pam_code = pam_putenv(handle, *nv);
1042 if (pam_code != PAM_SUCCESS)
1043 goto fail;
1044 }
1045
1046 pam_code = pam_acct_mgmt(handle, flags);
1047 if (pam_code != PAM_SUCCESS)
1048 goto fail;
1049
1050 pam_code = pam_open_session(handle, flags);
1051 if (pam_code != PAM_SUCCESS)
1052 goto fail;
1053
1054 close_session = true;
1055
1056 e = pam_getenvlist(handle);
1057 if (!e) {
1058 pam_code = PAM_BUF_ERR;
1059 goto fail;
1060 }
1061
1062 /* Block SIGTERM, so that we know that it won't get lost in
1063 * the child */
1064
1065 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
1066
1067 parent_pid = getpid();
1068
1069 pam_pid = fork();
1070 if (pam_pid < 0) {
1071 r = -errno;
1072 goto fail;
1073 }
1074
1075 if (pam_pid == 0) {
1076 int sig, ret = EXIT_PAM;
1077
1078 /* The child's job is to reset the PAM session on
1079 * termination */
1080 barrier_set_role(&barrier, BARRIER_CHILD);
1081
1082 /* This string must fit in 10 chars (i.e. the length
1083 * of "/sbin/init"), to look pretty in /bin/ps */
1084 rename_process("(sd-pam)");
1085
1086 /* Make sure we don't keep open the passed fds in this
1087 child. We assume that otherwise only those fds are
1088 open here that have been opened by PAM. */
1089 close_many(fds, n_fds);
1090
1091 /* Drop privileges - we don't need any to pam_close_session
1092 * and this will make PR_SET_PDEATHSIG work in most cases.
1093 * If this fails, ignore the error - but expect sd-pam threads
1094 * to fail to exit normally */
1095
1096 r = maybe_setgroups(0, NULL);
1097 if (r < 0)
1098 log_warning_errno(r, "Failed to setgroups() in sd-pam: %m");
1099 if (setresgid(gid, gid, gid) < 0)
1100 log_warning_errno(errno, "Failed to setresgid() in sd-pam: %m");
1101 if (setresuid(uid, uid, uid) < 0)
1102 log_warning_errno(errno, "Failed to setresuid() in sd-pam: %m");
1103
1104 (void) ignore_signals(SIGPIPE, -1);
1105
1106 /* Wait until our parent died. This will only work if
1107 * the above setresuid() succeeds, otherwise the kernel
1108 * will not allow unprivileged parents kill their privileged
1109 * children this way. We rely on the control groups kill logic
1110 * to do the rest for us. */
1111 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
1112 goto child_finish;
1113
1114 /* Tell the parent that our setup is done. This is especially
1115 * important regarding dropping privileges. Otherwise, unit
1116 * setup might race against our setresuid(2) call. */
1117 barrier_place(&barrier);
1118
1119 /* Check if our parent process might already have
1120 * died? */
1121 if (getppid() == parent_pid) {
1122 sigset_t ss;
1123
1124 assert_se(sigemptyset(&ss) >= 0);
1125 assert_se(sigaddset(&ss, SIGTERM) >= 0);
1126
1127 for (;;) {
1128 if (sigwait(&ss, &sig) < 0) {
1129 if (errno == EINTR)
1130 continue;
1131
1132 goto child_finish;
1133 }
1134
1135 assert(sig == SIGTERM);
1136 break;
1137 }
1138 }
1139
1140 /* If our parent died we'll end the session */
1141 if (getppid() != parent_pid) {
1142 pam_code = pam_close_session(handle, flags);
1143 if (pam_code != PAM_SUCCESS)
1144 goto child_finish;
1145 }
1146
1147 ret = 0;
1148
1149 child_finish:
1150 pam_end(handle, pam_code | flags);
1151 _exit(ret);
1152 }
1153
1154 barrier_set_role(&barrier, BARRIER_PARENT);
1155
1156 /* If the child was forked off successfully it will do all the
1157 * cleanups, so forget about the handle here. */
1158 handle = NULL;
1159
1160 /* Unblock SIGTERM again in the parent */
1161 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
1162
1163 /* We close the log explicitly here, since the PAM modules
1164 * might have opened it, but we don't want this fd around. */
1165 closelog();
1166
1167 /* Synchronously wait for the child to initialize. We don't care for
1168 * errors as we cannot recover. However, warn loudly if it happens. */
1169 if (!barrier_place_and_sync(&barrier))
1170 log_error("PAM initialization failed");
1171
1172 strv_free(*env);
1173 *env = e;
1174
1175 return 0;
1176
1177 fail:
1178 if (pam_code != PAM_SUCCESS) {
1179 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
1180 r = -EPERM; /* PAM errors do not map to errno */
1181 } else
1182 log_error_errno(r, "PAM failed: %m");
1183
1184 if (handle) {
1185 if (close_session)
1186 pam_code = pam_close_session(handle, flags);
1187
1188 pam_end(handle, pam_code | flags);
1189 }
1190
1191 strv_free(e);
1192 closelog();
1193
1194 return r;
1195 #else
1196 return 0;
1197 #endif
1198 }
1199
1200 static void rename_process_from_path(const char *path) {
1201 char process_name[11];
1202 const char *p;
1203 size_t l;
1204
1205 /* This resulting string must fit in 10 chars (i.e. the length
1206 * of "/sbin/init") to look pretty in /bin/ps */
1207
1208 p = basename(path);
1209 if (isempty(p)) {
1210 rename_process("(...)");
1211 return;
1212 }
1213
1214 l = strlen(p);
1215 if (l > 8) {
1216 /* The end of the process name is usually more
1217 * interesting, since the first bit might just be
1218 * "systemd-" */
1219 p = p + l - 8;
1220 l = 8;
1221 }
1222
1223 process_name[0] = '(';
1224 memcpy(process_name+1, p, l);
1225 process_name[1+l] = ')';
1226 process_name[1+l+1] = 0;
1227
1228 rename_process(process_name);
1229 }
1230
1231 #ifdef HAVE_SECCOMP
1232
1233 static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
1234
1235 if (is_seccomp_available())
1236 return false;
1237
1238 log_open();
1239 log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
1240 log_close();
1241 return true;
1242 }
1243
1244 static int apply_seccomp(const Unit* u, const ExecContext *c) {
1245 uint32_t negative_action, action;
1246 scmp_filter_ctx seccomp;
1247 Iterator i;
1248 void *id;
1249 int r;
1250
1251 assert(c);
1252
1253 if (skip_seccomp_unavailable(u, "syscall filtering"))
1254 return 0;
1255
1256 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
1257
1258 seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW);
1259 if (!seccomp)
1260 return -ENOMEM;
1261
1262 if (c->syscall_archs) {
1263
1264 SET_FOREACH(id, c->syscall_archs, i) {
1265 r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
1266 if (r == -EEXIST)
1267 continue;
1268 if (r < 0)
1269 goto finish;
1270 }
1271
1272 } else {
1273 r = seccomp_add_secondary_archs(seccomp);
1274 if (r < 0)
1275 goto finish;
1276 }
1277
1278 action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
1279 SET_FOREACH(id, c->syscall_filter, i) {
1280 r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
1281 if (r < 0)
1282 goto finish;
1283 }
1284
1285 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1286 if (r < 0)
1287 goto finish;
1288
1289 r = seccomp_load(seccomp);
1290
1291 finish:
1292 seccomp_release(seccomp);
1293 return r;
1294 }
1295
1296 static int apply_address_families(const Unit* u, const ExecContext *c) {
1297 scmp_filter_ctx seccomp;
1298 Iterator i;
1299 int r;
1300
1301 assert(c);
1302
1303 if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
1304 return 0;
1305
1306 r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
1307 if (r < 0)
1308 return r;
1309
1310 if (c->address_families_whitelist) {
1311 int af, first = 0, last = 0;
1312 void *afp;
1313
1314 /* If this is a whitelist, we first block the address
1315 * families that are out of range and then everything
1316 * that is not in the set. First, we find the lowest
1317 * and highest address family in the set. */
1318
1319 SET_FOREACH(afp, c->address_families, i) {
1320 af = PTR_TO_INT(afp);
1321
1322 if (af <= 0 || af >= af_max())
1323 continue;
1324
1325 if (first == 0 || af < first)
1326 first = af;
1327
1328 if (last == 0 || af > last)
1329 last = af;
1330 }
1331
1332 assert((first == 0) == (last == 0));
1333
1334 if (first == 0) {
1335
1336 /* No entries in the valid range, block everything */
1337 r = seccomp_rule_add(
1338 seccomp,
1339 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1340 SCMP_SYS(socket),
1341 0);
1342 if (r < 0)
1343 goto finish;
1344
1345 } else {
1346
1347 /* Block everything below the first entry */
1348 r = seccomp_rule_add(
1349 seccomp,
1350 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1351 SCMP_SYS(socket),
1352 1,
1353 SCMP_A0(SCMP_CMP_LT, first));
1354 if (r < 0)
1355 goto finish;
1356
1357 /* Block everything above the last entry */
1358 r = seccomp_rule_add(
1359 seccomp,
1360 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1361 SCMP_SYS(socket),
1362 1,
1363 SCMP_A0(SCMP_CMP_GT, last));
1364 if (r < 0)
1365 goto finish;
1366
1367 /* Block everything between the first and last
1368 * entry */
1369 for (af = 1; af < af_max(); af++) {
1370
1371 if (set_contains(c->address_families, INT_TO_PTR(af)))
1372 continue;
1373
1374 r = seccomp_rule_add(
1375 seccomp,
1376 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1377 SCMP_SYS(socket),
1378 1,
1379 SCMP_A0(SCMP_CMP_EQ, af));
1380 if (r < 0)
1381 goto finish;
1382 }
1383 }
1384
1385 } else {
1386 void *af;
1387
1388 /* If this is a blacklist, then generate one rule for
1389 * each address family that are then combined in OR
1390 * checks. */
1391
1392 SET_FOREACH(af, c->address_families, i) {
1393
1394 r = seccomp_rule_add(
1395 seccomp,
1396 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1397 SCMP_SYS(socket),
1398 1,
1399 SCMP_A0(SCMP_CMP_EQ, PTR_TO_INT(af)));
1400 if (r < 0)
1401 goto finish;
1402 }
1403 }
1404
1405 r = seccomp_load(seccomp);
1406
1407 finish:
1408 seccomp_release(seccomp);
1409 return r;
1410 }
1411
1412 static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c) {
1413 scmp_filter_ctx seccomp;
1414 int r;
1415
1416 assert(c);
1417
1418 if (skip_seccomp_unavailable(u, "MemoryDenyWriteExecute="))
1419 return 0;
1420
1421 r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
1422 if (r < 0)
1423 return r;
1424
1425 r = seccomp_rule_add(
1426 seccomp,
1427 SCMP_ACT_ERRNO(EPERM),
1428 SCMP_SYS(mmap),
1429 1,
1430 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE));
1431 if (r < 0)
1432 goto finish;
1433
1434 r = seccomp_rule_add(
1435 seccomp,
1436 SCMP_ACT_ERRNO(EPERM),
1437 SCMP_SYS(mprotect),
1438 1,
1439 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC));
1440 if (r < 0)
1441 goto finish;
1442
1443 r = seccomp_rule_add(
1444 seccomp,
1445 SCMP_ACT_ERRNO(EPERM),
1446 SCMP_SYS(shmat),
1447 1,
1448 SCMP_A2(SCMP_CMP_MASKED_EQ, SHM_EXEC, SHM_EXEC));
1449 if (r < 0)
1450 goto finish;
1451
1452 r = seccomp_load(seccomp);
1453
1454 finish:
1455 seccomp_release(seccomp);
1456 return r;
1457 }
1458
1459 static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
1460 static const int permitted_policies[] = {
1461 SCHED_OTHER,
1462 SCHED_BATCH,
1463 SCHED_IDLE,
1464 };
1465
1466 scmp_filter_ctx seccomp;
1467 unsigned i;
1468 int r, p, max_policy = 0;
1469
1470 assert(c);
1471
1472 if (skip_seccomp_unavailable(u, "RestrictRealtime="))
1473 return 0;
1474
1475 r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
1476 if (r < 0)
1477 return r;
1478
1479 /* Determine the highest policy constant we want to allow */
1480 for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
1481 if (permitted_policies[i] > max_policy)
1482 max_policy = permitted_policies[i];
1483
1484 /* Go through all policies with lower values than that, and block them -- unless they appear in the
1485 * whitelist. */
1486 for (p = 0; p < max_policy; p++) {
1487 bool good = false;
1488
1489 /* Check if this is in the whitelist. */
1490 for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
1491 if (permitted_policies[i] == p) {
1492 good = true;
1493 break;
1494 }
1495
1496 if (good)
1497 continue;
1498
1499 /* Deny this policy */
1500 r = seccomp_rule_add(
1501 seccomp,
1502 SCMP_ACT_ERRNO(EPERM),
1503 SCMP_SYS(sched_setscheduler),
1504 1,
1505 SCMP_A1(SCMP_CMP_EQ, p));
1506 if (r < 0)
1507 goto finish;
1508 }
1509
1510 /* Blacklist all other policies, i.e. the ones with higher values. Note that all comparisons are unsigned here,
1511 * hence no need no check for < 0 values. */
1512 r = seccomp_rule_add(
1513 seccomp,
1514 SCMP_ACT_ERRNO(EPERM),
1515 SCMP_SYS(sched_setscheduler),
1516 1,
1517 SCMP_A1(SCMP_CMP_GT, max_policy));
1518 if (r < 0)
1519 goto finish;
1520
1521 r = seccomp_load(seccomp);
1522
1523 finish:
1524 seccomp_release(seccomp);
1525 return r;
1526 }
1527
1528 static int apply_protect_sysctl(const Unit *u, const ExecContext *c) {
1529 scmp_filter_ctx seccomp;
1530 int r;
1531
1532 assert(c);
1533
1534 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1535 * let's protect even those systems where this is left on in the kernel. */
1536
1537 if (skip_seccomp_unavailable(u, "ProtectKernelTunables="))
1538 return 0;
1539
1540 r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
1541 if (r < 0)
1542 return r;
1543
1544 r = seccomp_rule_add(
1545 seccomp,
1546 SCMP_ACT_ERRNO(EPERM),
1547 SCMP_SYS(_sysctl),
1548 0);
1549 if (r < 0)
1550 goto finish;
1551
1552 r = seccomp_load(seccomp);
1553
1554 finish:
1555 seccomp_release(seccomp);
1556 return r;
1557 }
1558
1559 static int apply_protect_kernel_modules(const Unit *u, const ExecContext *c) {
1560 assert(c);
1561
1562 /* Turn off module syscalls on ProtectKernelModules=yes */
1563
1564 if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
1565 return 0;
1566
1567 return seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM));
1568 }
1569
1570 static int apply_private_devices(const Unit *u, const ExecContext *c) {
1571 assert(c);
1572
1573 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
1574
1575 if (skip_seccomp_unavailable(u, "PrivateDevices="))
1576 return 0;
1577
1578 return seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
1579 }
1580
1581 static int apply_restrict_namespaces(Unit *u, const ExecContext *c) {
1582 assert(c);
1583
1584 if (!exec_context_restrict_namespaces_set(c))
1585 return 0;
1586
1587 if (skip_seccomp_unavailable(u, "RestrictNamespaces="))
1588 return 0;
1589
1590 return seccomp_restrict_namespaces(c->restrict_namespaces);
1591 }
1592
1593 #endif
1594
1595 static void do_idle_pipe_dance(int idle_pipe[4]) {
1596 assert(idle_pipe);
1597
1598 idle_pipe[1] = safe_close(idle_pipe[1]);
1599 idle_pipe[2] = safe_close(idle_pipe[2]);
1600
1601 if (idle_pipe[0] >= 0) {
1602 int r;
1603
1604 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1605
1606 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
1607 ssize_t n;
1608
1609 /* Signal systemd that we are bored and want to continue. */
1610 n = write(idle_pipe[3], "x", 1);
1611 if (n > 0)
1612 /* Wait for systemd to react to the signal above. */
1613 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1614 }
1615
1616 idle_pipe[0] = safe_close(idle_pipe[0]);
1617
1618 }
1619
1620 idle_pipe[3] = safe_close(idle_pipe[3]);
1621 }
1622
1623 static int build_environment(
1624 Unit *u,
1625 const ExecContext *c,
1626 const ExecParameters *p,
1627 unsigned n_fds,
1628 const char *home,
1629 const char *username,
1630 const char *shell,
1631 dev_t journal_stream_dev,
1632 ino_t journal_stream_ino,
1633 char ***ret) {
1634
1635 _cleanup_strv_free_ char **our_env = NULL;
1636 unsigned n_env = 0;
1637 char *x;
1638
1639 assert(u);
1640 assert(c);
1641 assert(ret);
1642
1643 our_env = new0(char*, 14);
1644 if (!our_env)
1645 return -ENOMEM;
1646
1647 if (n_fds > 0) {
1648 _cleanup_free_ char *joined = NULL;
1649
1650 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1651 return -ENOMEM;
1652 our_env[n_env++] = x;
1653
1654 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1655 return -ENOMEM;
1656 our_env[n_env++] = x;
1657
1658 joined = strv_join(p->fd_names, ":");
1659 if (!joined)
1660 return -ENOMEM;
1661
1662 x = strjoin("LISTEN_FDNAMES=", joined);
1663 if (!x)
1664 return -ENOMEM;
1665 our_env[n_env++] = x;
1666 }
1667
1668 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
1669 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1670 return -ENOMEM;
1671 our_env[n_env++] = x;
1672
1673 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
1674 return -ENOMEM;
1675 our_env[n_env++] = x;
1676 }
1677
1678 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1679 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1680 * check the database directly. */
1681 if (unit_has_name(u, SPECIAL_DBUS_SERVICE)) {
1682 x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1683 if (!x)
1684 return -ENOMEM;
1685 our_env[n_env++] = x;
1686 }
1687
1688 if (home) {
1689 x = strappend("HOME=", home);
1690 if (!x)
1691 return -ENOMEM;
1692 our_env[n_env++] = x;
1693 }
1694
1695 if (username) {
1696 x = strappend("LOGNAME=", username);
1697 if (!x)
1698 return -ENOMEM;
1699 our_env[n_env++] = x;
1700
1701 x = strappend("USER=", username);
1702 if (!x)
1703 return -ENOMEM;
1704 our_env[n_env++] = x;
1705 }
1706
1707 if (shell) {
1708 x = strappend("SHELL=", shell);
1709 if (!x)
1710 return -ENOMEM;
1711 our_env[n_env++] = x;
1712 }
1713
1714 if (!sd_id128_is_null(u->invocation_id)) {
1715 if (asprintf(&x, "INVOCATION_ID=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(u->invocation_id)) < 0)
1716 return -ENOMEM;
1717
1718 our_env[n_env++] = x;
1719 }
1720
1721 if (exec_context_needs_term(c)) {
1722 const char *tty_path, *term = NULL;
1723
1724 tty_path = exec_context_tty_path(c);
1725
1726 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try to inherit
1727 * the $TERM set for PID 1. This is useful for containers so that the $TERM the container manager
1728 * passes to PID 1 ends up all the way in the console login shown. */
1729
1730 if (path_equal(tty_path, "/dev/console") && getppid() == 1)
1731 term = getenv("TERM");
1732 if (!term)
1733 term = default_term_for_tty(tty_path);
1734
1735 x = strappend("TERM=", term);
1736 if (!x)
1737 return -ENOMEM;
1738 our_env[n_env++] = x;
1739 }
1740
1741 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1742 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1743 return -ENOMEM;
1744
1745 our_env[n_env++] = x;
1746 }
1747
1748 our_env[n_env++] = NULL;
1749 assert(n_env <= 12);
1750
1751 *ret = our_env;
1752 our_env = NULL;
1753
1754 return 0;
1755 }
1756
1757 static int build_pass_environment(const ExecContext *c, char ***ret) {
1758 _cleanup_strv_free_ char **pass_env = NULL;
1759 size_t n_env = 0, n_bufsize = 0;
1760 char **i;
1761
1762 STRV_FOREACH(i, c->pass_environment) {
1763 _cleanup_free_ char *x = NULL;
1764 char *v;
1765
1766 v = getenv(*i);
1767 if (!v)
1768 continue;
1769 x = strjoin(*i, "=", v);
1770 if (!x)
1771 return -ENOMEM;
1772 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1773 return -ENOMEM;
1774 pass_env[n_env++] = x;
1775 pass_env[n_env] = NULL;
1776 x = NULL;
1777 }
1778
1779 *ret = pass_env;
1780 pass_env = NULL;
1781
1782 return 0;
1783 }
1784
1785 static bool exec_needs_mount_namespace(
1786 const ExecContext *context,
1787 const ExecParameters *params,
1788 ExecRuntime *runtime) {
1789
1790 assert(context);
1791 assert(params);
1792
1793 if (!strv_isempty(context->read_write_paths) ||
1794 !strv_isempty(context->read_only_paths) ||
1795 !strv_isempty(context->inaccessible_paths))
1796 return true;
1797
1798 if (context->mount_flags != 0)
1799 return true;
1800
1801 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1802 return true;
1803
1804 if (context->private_devices ||
1805 context->protect_system != PROTECT_SYSTEM_NO ||
1806 context->protect_home != PROTECT_HOME_NO ||
1807 context->protect_kernel_tunables ||
1808 context->protect_kernel_modules ||
1809 context->protect_control_groups)
1810 return true;
1811
1812 return false;
1813 }
1814
1815 static int setup_private_users(uid_t uid, gid_t gid) {
1816 _cleanup_free_ char *uid_map = NULL, *gid_map = NULL;
1817 _cleanup_close_pair_ int errno_pipe[2] = { -1, -1 };
1818 _cleanup_close_ int unshare_ready_fd = -1;
1819 _cleanup_(sigkill_waitp) pid_t pid = 0;
1820 uint64_t c = 1;
1821 siginfo_t si;
1822 ssize_t n;
1823 int r;
1824
1825 /* Set up a user namespace and map root to root, the selected UID/GID to itself, and everything else to
1826 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1827 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1828 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1829 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
1830 * continues execution normally. */
1831
1832 if (uid != 0 && uid_is_valid(uid))
1833 asprintf(&uid_map,
1834 "0 0 1\n" /* Map root → root */
1835 UID_FMT " " UID_FMT " 1\n", /* Map $UID → $UID */
1836 uid, uid);
1837 else
1838 uid_map = strdup("0 0 1\n"); /* The case where the above is the same */
1839 if (!uid_map)
1840 return -ENOMEM;
1841
1842 if (gid != 0 && gid_is_valid(gid))
1843 asprintf(&gid_map,
1844 "0 0 1\n" /* Map root → root */
1845 GID_FMT " " GID_FMT " 1\n", /* Map $GID → $GID */
1846 gid, gid);
1847 else
1848 gid_map = strdup("0 0 1\n"); /* The case where the above is the same */
1849 if (!gid_map)
1850 return -ENOMEM;
1851
1852 /* Create a communication channel so that the parent can tell the child when it finished creating the user
1853 * namespace. */
1854 unshare_ready_fd = eventfd(0, EFD_CLOEXEC);
1855 if (unshare_ready_fd < 0)
1856 return -errno;
1857
1858 /* Create a communication channel so that the child can tell the parent a proper error code in case it
1859 * failed. */
1860 if (pipe2(errno_pipe, O_CLOEXEC) < 0)
1861 return -errno;
1862
1863 pid = fork();
1864 if (pid < 0)
1865 return -errno;
1866
1867 if (pid == 0) {
1868 _cleanup_close_ int fd = -1;
1869 const char *a;
1870 pid_t ppid;
1871
1872 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
1873 * here, after the parent opened its own user namespace. */
1874
1875 ppid = getppid();
1876 errno_pipe[0] = safe_close(errno_pipe[0]);
1877
1878 /* Wait until the parent unshared the user namespace */
1879 if (read(unshare_ready_fd, &c, sizeof(c)) < 0) {
1880 r = -errno;
1881 goto child_fail;
1882 }
1883
1884 /* Disable the setgroups() system call in the child user namespace, for good. */
1885 a = procfs_file_alloca(ppid, "setgroups");
1886 fd = open(a, O_WRONLY|O_CLOEXEC);
1887 if (fd < 0) {
1888 if (errno != ENOENT) {
1889 r = -errno;
1890 goto child_fail;
1891 }
1892
1893 /* If the file is missing the kernel is too old, let's continue anyway. */
1894 } else {
1895 if (write(fd, "deny\n", 5) < 0) {
1896 r = -errno;
1897 goto child_fail;
1898 }
1899
1900 fd = safe_close(fd);
1901 }
1902
1903 /* First write the GID map */
1904 a = procfs_file_alloca(ppid, "gid_map");
1905 fd = open(a, O_WRONLY|O_CLOEXEC);
1906 if (fd < 0) {
1907 r = -errno;
1908 goto child_fail;
1909 }
1910 if (write(fd, gid_map, strlen(gid_map)) < 0) {
1911 r = -errno;
1912 goto child_fail;
1913 }
1914 fd = safe_close(fd);
1915
1916 /* The write the UID map */
1917 a = procfs_file_alloca(ppid, "uid_map");
1918 fd = open(a, O_WRONLY|O_CLOEXEC);
1919 if (fd < 0) {
1920 r = -errno;
1921 goto child_fail;
1922 }
1923 if (write(fd, uid_map, strlen(uid_map)) < 0) {
1924 r = -errno;
1925 goto child_fail;
1926 }
1927
1928 _exit(EXIT_SUCCESS);
1929
1930 child_fail:
1931 (void) write(errno_pipe[1], &r, sizeof(r));
1932 _exit(EXIT_FAILURE);
1933 }
1934
1935 errno_pipe[1] = safe_close(errno_pipe[1]);
1936
1937 if (unshare(CLONE_NEWUSER) < 0)
1938 return -errno;
1939
1940 /* Let the child know that the namespace is ready now */
1941 if (write(unshare_ready_fd, &c, sizeof(c)) < 0)
1942 return -errno;
1943
1944 /* Try to read an error code from the child */
1945 n = read(errno_pipe[0], &r, sizeof(r));
1946 if (n < 0)
1947 return -errno;
1948 if (n == sizeof(r)) { /* an error code was sent to us */
1949 if (r < 0)
1950 return r;
1951 return -EIO;
1952 }
1953 if (n != 0) /* on success we should have read 0 bytes */
1954 return -EIO;
1955
1956 r = wait_for_terminate(pid, &si);
1957 if (r < 0)
1958 return r;
1959 pid = 0;
1960
1961 /* If something strange happened with the child, let's consider this fatal, too */
1962 if (si.si_code != CLD_EXITED || si.si_status != 0)
1963 return -EIO;
1964
1965 return 0;
1966 }
1967
1968 static int setup_runtime_directory(
1969 const ExecContext *context,
1970 const ExecParameters *params,
1971 uid_t uid,
1972 gid_t gid) {
1973
1974 char **rt;
1975 int r;
1976
1977 assert(context);
1978 assert(params);
1979
1980 STRV_FOREACH(rt, context->runtime_directory) {
1981 _cleanup_free_ char *p;
1982
1983 p = strjoin(params->runtime_prefix, "/", *rt);
1984 if (!p)
1985 return -ENOMEM;
1986
1987 r = mkdir_p_label(p, context->runtime_directory_mode);
1988 if (r < 0)
1989 return r;
1990
1991 r = chmod_and_chown(p, context->runtime_directory_mode, uid, gid);
1992 if (r < 0)
1993 return r;
1994 }
1995
1996 return 0;
1997 }
1998
1999 static int setup_smack(
2000 const ExecContext *context,
2001 const ExecCommand *command) {
2002
2003 #ifdef HAVE_SMACK
2004 int r;
2005
2006 assert(context);
2007 assert(command);
2008
2009 if (!mac_smack_use())
2010 return 0;
2011
2012 if (context->smack_process_label) {
2013 r = mac_smack_apply_pid(0, context->smack_process_label);
2014 if (r < 0)
2015 return r;
2016 }
2017 #ifdef SMACK_DEFAULT_PROCESS_LABEL
2018 else {
2019 _cleanup_free_ char *exec_label = NULL;
2020
2021 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
2022 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP)
2023 return r;
2024
2025 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
2026 if (r < 0)
2027 return r;
2028 }
2029 #endif
2030 #endif
2031
2032 return 0;
2033 }
2034
2035 static int compile_read_write_paths(
2036 const ExecContext *context,
2037 const ExecParameters *params,
2038 char ***ret) {
2039
2040 _cleanup_strv_free_ char **l = NULL;
2041 char **rt;
2042
2043 /* Compile the list of writable paths. This is the combination of the explicitly configured paths, plus all
2044 * runtime directories. */
2045
2046 if (strv_isempty(context->read_write_paths) &&
2047 strv_isempty(context->runtime_directory)) {
2048 *ret = NULL; /* NOP if neither is set */
2049 return 0;
2050 }
2051
2052 l = strv_copy(context->read_write_paths);
2053 if (!l)
2054 return -ENOMEM;
2055
2056 STRV_FOREACH(rt, context->runtime_directory) {
2057 char *s;
2058
2059 s = strjoin(params->runtime_prefix, "/", *rt);
2060 if (!s)
2061 return -ENOMEM;
2062
2063 if (strv_consume(&l, s) < 0)
2064 return -ENOMEM;
2065 }
2066
2067 *ret = l;
2068 l = NULL;
2069
2070 return 0;
2071 }
2072
2073 static int apply_mount_namespace(Unit *u, const ExecContext *context,
2074 const ExecParameters *params,
2075 ExecRuntime *runtime) {
2076 int r;
2077 _cleanup_free_ char **rw = NULL;
2078 char *tmp = NULL, *var = NULL;
2079 const char *root_dir = NULL;
2080 NameSpaceInfo ns_info = {
2081 .ignore_protect_paths = false,
2082 .private_dev = context->private_devices,
2083 .protect_control_groups = context->protect_control_groups,
2084 .protect_kernel_tunables = context->protect_kernel_tunables,
2085 .protect_kernel_modules = context->protect_kernel_modules,
2086 };
2087
2088 assert(context);
2089
2090 /* The runtime struct only contains the parent of the private /tmp,
2091 * which is non-accessible to world users. Inside of it there's a /tmp
2092 * that is sticky, and that's the one we want to use here. */
2093
2094 if (context->private_tmp && runtime) {
2095 if (runtime->tmp_dir)
2096 tmp = strjoina(runtime->tmp_dir, "/tmp");
2097 if (runtime->var_tmp_dir)
2098 var = strjoina(runtime->var_tmp_dir, "/tmp");
2099 }
2100
2101 r = compile_read_write_paths(context, params, &rw);
2102 if (r < 0)
2103 return r;
2104
2105 if (params->flags & EXEC_APPLY_CHROOT)
2106 root_dir = context->root_directory;
2107
2108 /*
2109 * If DynamicUser=no and RootDirectory= is set then lets pass a relaxed
2110 * sandbox info, otherwise enforce it, don't ignore protected paths and
2111 * fail if we are enable to apply the sandbox inside the mount namespace.
2112 */
2113 if (!context->dynamic_user && root_dir)
2114 ns_info.ignore_protect_paths = true;
2115
2116 r = setup_namespace(root_dir, &ns_info, rw,
2117 context->read_only_paths,
2118 context->inaccessible_paths,
2119 tmp,
2120 var,
2121 context->protect_home,
2122 context->protect_system,
2123 context->mount_flags);
2124
2125 /* If we couldn't set up the namespace this is probably due to a
2126 * missing capability. In this case, silently proceeed. */
2127 if (IN_SET(r, -EPERM, -EACCES)) {
2128 log_open();
2129 log_unit_debug_errno(u, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
2130 log_close();
2131 r = 0;
2132 }
2133
2134 return r;
2135 }
2136
2137 static int apply_working_directory(const ExecContext *context,
2138 const ExecParameters *params,
2139 const char *home,
2140 const bool needs_mount_ns) {
2141 const char *d;
2142 const char *wd;
2143
2144 assert(context);
2145
2146 if (context->working_directory_home)
2147 wd = home;
2148 else if (context->working_directory)
2149 wd = context->working_directory;
2150 else
2151 wd = "/";
2152
2153 if (params->flags & EXEC_APPLY_CHROOT) {
2154 if (!needs_mount_ns && context->root_directory)
2155 if (chroot(context->root_directory) < 0)
2156 return -errno;
2157
2158 d = wd;
2159 } else
2160 d = strjoina(strempty(context->root_directory), "/", strempty(wd));
2161
2162 if (chdir(d) < 0 && !context->working_directory_missing_ok)
2163 return -errno;
2164
2165 return 0;
2166 }
2167
2168 static void append_socket_pair(int *array, unsigned *n, int pair[2]) {
2169 assert(array);
2170 assert(n);
2171
2172 if (!pair)
2173 return;
2174
2175 if (pair[0] >= 0)
2176 array[(*n)++] = pair[0];
2177 if (pair[1] >= 0)
2178 array[(*n)++] = pair[1];
2179 }
2180
2181 static int close_remaining_fds(
2182 const ExecParameters *params,
2183 ExecRuntime *runtime,
2184 DynamicCreds *dcreds,
2185 int user_lookup_fd,
2186 int socket_fd,
2187 int *fds, unsigned n_fds) {
2188
2189 unsigned n_dont_close = 0;
2190 int dont_close[n_fds + 12];
2191
2192 assert(params);
2193
2194 if (params->stdin_fd >= 0)
2195 dont_close[n_dont_close++] = params->stdin_fd;
2196 if (params->stdout_fd >= 0)
2197 dont_close[n_dont_close++] = params->stdout_fd;
2198 if (params->stderr_fd >= 0)
2199 dont_close[n_dont_close++] = params->stderr_fd;
2200
2201 if (socket_fd >= 0)
2202 dont_close[n_dont_close++] = socket_fd;
2203 if (n_fds > 0) {
2204 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
2205 n_dont_close += n_fds;
2206 }
2207
2208 if (runtime)
2209 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
2210
2211 if (dcreds) {
2212 if (dcreds->user)
2213 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
2214 if (dcreds->group)
2215 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
2216 }
2217
2218 if (user_lookup_fd >= 0)
2219 dont_close[n_dont_close++] = user_lookup_fd;
2220
2221 return close_all_fds(dont_close, n_dont_close);
2222 }
2223
2224 static bool context_has_address_families(const ExecContext *c) {
2225 assert(c);
2226
2227 return c->address_families_whitelist ||
2228 !set_isempty(c->address_families);
2229 }
2230
2231 static bool context_has_syscall_filters(const ExecContext *c) {
2232 assert(c);
2233
2234 return c->syscall_whitelist ||
2235 !set_isempty(c->syscall_filter) ||
2236 !set_isempty(c->syscall_archs);
2237 }
2238
2239 static bool context_has_no_new_privileges(const ExecContext *c) {
2240 assert(c);
2241
2242 if (c->no_new_privileges)
2243 return true;
2244
2245 if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
2246 return false;
2247
2248 return context_has_address_families(c) || /* we need NNP if we have any form of seccomp and are unprivileged */
2249 c->memory_deny_write_execute ||
2250 c->restrict_realtime ||
2251 exec_context_restrict_namespaces_set(c) ||
2252 c->protect_kernel_tunables ||
2253 c->protect_kernel_modules ||
2254 c->private_devices ||
2255 context_has_syscall_filters(c);
2256 }
2257
2258 static int send_user_lookup(
2259 Unit *unit,
2260 int user_lookup_fd,
2261 uid_t uid,
2262 gid_t gid) {
2263
2264 assert(unit);
2265
2266 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
2267 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
2268 * specified. */
2269
2270 if (user_lookup_fd < 0)
2271 return 0;
2272
2273 if (!uid_is_valid(uid) && !gid_is_valid(gid))
2274 return 0;
2275
2276 if (writev(user_lookup_fd,
2277 (struct iovec[]) {
2278 { .iov_base = &uid, .iov_len = sizeof(uid) },
2279 { .iov_base = &gid, .iov_len = sizeof(gid) },
2280 { .iov_base = unit->id, .iov_len = strlen(unit->id) }}, 3) < 0)
2281 return -errno;
2282
2283 return 0;
2284 }
2285
2286 static int exec_child(
2287 Unit *unit,
2288 ExecCommand *command,
2289 const ExecContext *context,
2290 const ExecParameters *params,
2291 ExecRuntime *runtime,
2292 DynamicCreds *dcreds,
2293 char **argv,
2294 int socket_fd,
2295 int named_iofds[3],
2296 int *fds, unsigned n_fds,
2297 char **files_env,
2298 int user_lookup_fd,
2299 int *exit_status) {
2300
2301 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **final_argv = NULL;
2302 _cleanup_free_ char *mac_selinux_context_net = NULL;
2303 _cleanup_free_ gid_t *supplementary_gids = NULL;
2304 const char *username = NULL, *groupname = NULL;
2305 const char *home = NULL, *shell = NULL;
2306 dev_t journal_stream_dev = 0;
2307 ino_t journal_stream_ino = 0;
2308 bool needs_mount_namespace;
2309 uid_t uid = UID_INVALID;
2310 gid_t gid = GID_INVALID;
2311 int i, r, ngids = 0;
2312
2313 assert(unit);
2314 assert(command);
2315 assert(context);
2316 assert(params);
2317 assert(exit_status);
2318
2319 rename_process_from_path(command->path);
2320
2321 /* We reset exactly these signals, since they are the
2322 * only ones we set to SIG_IGN in the main daemon. All
2323 * others we leave untouched because we set them to
2324 * SIG_DFL or a valid handler initially, both of which
2325 * will be demoted to SIG_DFL. */
2326 (void) default_signals(SIGNALS_CRASH_HANDLER,
2327 SIGNALS_IGNORE, -1);
2328
2329 if (context->ignore_sigpipe)
2330 (void) ignore_signals(SIGPIPE, -1);
2331
2332 r = reset_signal_mask();
2333 if (r < 0) {
2334 *exit_status = EXIT_SIGNAL_MASK;
2335 return r;
2336 }
2337
2338 if (params->idle_pipe)
2339 do_idle_pipe_dance(params->idle_pipe);
2340
2341 /* Close sockets very early to make sure we don't
2342 * block init reexecution because it cannot bind its
2343 * sockets */
2344
2345 log_forget_fds();
2346
2347 r = close_remaining_fds(params, runtime, dcreds, user_lookup_fd, socket_fd, fds, n_fds);
2348 if (r < 0) {
2349 *exit_status = EXIT_FDS;
2350 return r;
2351 }
2352
2353 if (!context->same_pgrp)
2354 if (setsid() < 0) {
2355 *exit_status = EXIT_SETSID;
2356 return -errno;
2357 }
2358
2359 exec_context_tty_reset(context, params);
2360
2361 if (params->confirm_spawn) {
2362 const char *vc = params->confirm_spawn;
2363 _cleanup_free_ char *cmdline = NULL;
2364
2365 cmdline = exec_command_line(argv);
2366 if (!cmdline) {
2367 *exit_status = EXIT_CONFIRM;
2368 return -ENOMEM;
2369 }
2370
2371 r = ask_for_confirmation(vc, cmdline);
2372 if (r != CONFIRM_EXECUTE) {
2373 if (r == CONFIRM_PRETEND_SUCCESS) {
2374 *exit_status = EXIT_SUCCESS;
2375 return 0;
2376 }
2377 *exit_status = EXIT_CONFIRM;
2378 return -ECANCELED;
2379 }
2380 }
2381
2382 if (context->dynamic_user && dcreds) {
2383
2384 /* Make sure we bypass our own NSS module for any NSS checks */
2385 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
2386 *exit_status = EXIT_USER;
2387 return -errno;
2388 }
2389
2390 r = dynamic_creds_realize(dcreds, &uid, &gid);
2391 if (r < 0) {
2392 *exit_status = EXIT_USER;
2393 return r;
2394 }
2395
2396 if (!uid_is_valid(uid) || !gid_is_valid(gid)) {
2397 *exit_status = EXIT_USER;
2398 return -ESRCH;
2399 }
2400
2401 if (dcreds->user)
2402 username = dcreds->user->name;
2403
2404 } else {
2405 r = get_fixed_user(context, &username, &uid, &gid, &home, &shell);
2406 if (r < 0) {
2407 *exit_status = EXIT_USER;
2408 return r;
2409 }
2410
2411 r = get_fixed_group(context, &groupname, &gid);
2412 if (r < 0) {
2413 *exit_status = EXIT_GROUP;
2414 return r;
2415 }
2416 }
2417
2418 /* Initialize user supplementary groups and get SupplementaryGroups= ones */
2419 r = get_supplementary_groups(context, username, groupname, gid,
2420 &supplementary_gids, &ngids);
2421 if (r < 0) {
2422 *exit_status = EXIT_GROUP;
2423 return r;
2424 }
2425
2426 r = send_user_lookup(unit, user_lookup_fd, uid, gid);
2427 if (r < 0) {
2428 *exit_status = EXIT_USER;
2429 return r;
2430 }
2431
2432 user_lookup_fd = safe_close(user_lookup_fd);
2433
2434 /* If a socket is connected to STDIN/STDOUT/STDERR, we
2435 * must sure to drop O_NONBLOCK */
2436 if (socket_fd >= 0)
2437 (void) fd_nonblock(socket_fd, false);
2438
2439 r = setup_input(context, params, socket_fd, named_iofds);
2440 if (r < 0) {
2441 *exit_status = EXIT_STDIN;
2442 return r;
2443 }
2444
2445 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
2446 if (r < 0) {
2447 *exit_status = EXIT_STDOUT;
2448 return r;
2449 }
2450
2451 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
2452 if (r < 0) {
2453 *exit_status = EXIT_STDERR;
2454 return r;
2455 }
2456
2457 if (params->cgroup_path) {
2458 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
2459 if (r < 0) {
2460 *exit_status = EXIT_CGROUP;
2461 return r;
2462 }
2463 }
2464
2465 if (context->oom_score_adjust_set) {
2466 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
2467
2468 /* When we can't make this change due to EPERM, then
2469 * let's silently skip over it. User namespaces
2470 * prohibit write access to this file, and we
2471 * shouldn't trip up over that. */
2472
2473 sprintf(t, "%i", context->oom_score_adjust);
2474 r = write_string_file("/proc/self/oom_score_adj", t, 0);
2475 if (r == -EPERM || r == -EACCES) {
2476 log_open();
2477 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
2478 log_close();
2479 } else if (r < 0) {
2480 *exit_status = EXIT_OOM_ADJUST;
2481 return -errno;
2482 }
2483 }
2484
2485 if (context->nice_set)
2486 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
2487 *exit_status = EXIT_NICE;
2488 return -errno;
2489 }
2490
2491 if (context->cpu_sched_set) {
2492 struct sched_param param = {
2493 .sched_priority = context->cpu_sched_priority,
2494 };
2495
2496 r = sched_setscheduler(0,
2497 context->cpu_sched_policy |
2498 (context->cpu_sched_reset_on_fork ?
2499 SCHED_RESET_ON_FORK : 0),
2500 &param);
2501 if (r < 0) {
2502 *exit_status = EXIT_SETSCHEDULER;
2503 return -errno;
2504 }
2505 }
2506
2507 if (context->cpuset)
2508 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
2509 *exit_status = EXIT_CPUAFFINITY;
2510 return -errno;
2511 }
2512
2513 if (context->ioprio_set)
2514 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
2515 *exit_status = EXIT_IOPRIO;
2516 return -errno;
2517 }
2518
2519 if (context->timer_slack_nsec != NSEC_INFINITY)
2520 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
2521 *exit_status = EXIT_TIMERSLACK;
2522 return -errno;
2523 }
2524
2525 if (context->personality != PERSONALITY_INVALID)
2526 if (personality(context->personality) < 0) {
2527 *exit_status = EXIT_PERSONALITY;
2528 return -errno;
2529 }
2530
2531 if (context->utmp_id)
2532 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path,
2533 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
2534 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
2535 USER_PROCESS,
2536 username ? "root" : context->user);
2537
2538 if (context->user) {
2539 r = chown_terminal(STDIN_FILENO, uid);
2540 if (r < 0) {
2541 *exit_status = EXIT_STDIN;
2542 return r;
2543 }
2544 }
2545
2546 /* If delegation is enabled we'll pass ownership of the cgroup
2547 * (but only in systemd's own controller hierarchy!) to the
2548 * user of the new process. */
2549 if (params->cgroup_path && context->user && params->cgroup_delegate) {
2550 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
2551 if (r < 0) {
2552 *exit_status = EXIT_CGROUP;
2553 return r;
2554 }
2555
2556
2557 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
2558 if (r < 0) {
2559 *exit_status = EXIT_CGROUP;
2560 return r;
2561 }
2562 }
2563
2564 if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
2565 r = setup_runtime_directory(context, params, uid, gid);
2566 if (r < 0) {
2567 *exit_status = EXIT_RUNTIME_DIRECTORY;
2568 return r;
2569 }
2570 }
2571
2572 r = build_environment(
2573 unit,
2574 context,
2575 params,
2576 n_fds,
2577 home,
2578 username,
2579 shell,
2580 journal_stream_dev,
2581 journal_stream_ino,
2582 &our_env);
2583 if (r < 0) {
2584 *exit_status = EXIT_MEMORY;
2585 return r;
2586 }
2587
2588 r = build_pass_environment(context, &pass_env);
2589 if (r < 0) {
2590 *exit_status = EXIT_MEMORY;
2591 return r;
2592 }
2593
2594 accum_env = strv_env_merge(5,
2595 params->environment,
2596 our_env,
2597 pass_env,
2598 context->environment,
2599 files_env,
2600 NULL);
2601 if (!accum_env) {
2602 *exit_status = EXIT_MEMORY;
2603 return -ENOMEM;
2604 }
2605 accum_env = strv_env_clean(accum_env);
2606
2607 (void) umask(context->umask);
2608
2609 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
2610 if (context->pam_name && username) {
2611 r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds);
2612 if (r < 0) {
2613 *exit_status = EXIT_PAM;
2614 return r;
2615 }
2616 }
2617 }
2618
2619 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
2620 r = setup_netns(runtime->netns_storage_socket);
2621 if (r < 0) {
2622 *exit_status = EXIT_NETWORK;
2623 return r;
2624 }
2625 }
2626
2627 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
2628 if (needs_mount_namespace) {
2629 r = apply_mount_namespace(unit, context, params, runtime);
2630 if (r < 0) {
2631 *exit_status = EXIT_NAMESPACE;
2632 return r;
2633 }
2634 }
2635
2636 /* Apply just after mount namespace setup */
2637 r = apply_working_directory(context, params, home, needs_mount_namespace);
2638 if (r < 0) {
2639 *exit_status = EXIT_CHROOT;
2640 return r;
2641 }
2642
2643 /* Drop groups as early as possbile */
2644 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
2645 r = enforce_groups(context, gid, supplementary_gids, ngids);
2646 if (r < 0) {
2647 *exit_status = EXIT_GROUP;
2648 return r;
2649 }
2650 }
2651
2652 #ifdef HAVE_SELINUX
2653 if ((params->flags & EXEC_APPLY_PERMISSIONS) &&
2654 mac_selinux_use() &&
2655 params->selinux_context_net &&
2656 socket_fd >= 0 &&
2657 !command->privileged) {
2658
2659 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
2660 if (r < 0) {
2661 *exit_status = EXIT_SELINUX_CONTEXT;
2662 return r;
2663 }
2664 }
2665 #endif
2666
2667 if ((params->flags & EXEC_APPLY_PERMISSIONS) && context->private_users) {
2668 r = setup_private_users(uid, gid);
2669 if (r < 0) {
2670 *exit_status = EXIT_USER;
2671 return r;
2672 }
2673 }
2674
2675 /* We repeat the fd closing here, to make sure that
2676 * nothing is leaked from the PAM modules. Note that
2677 * we are more aggressive this time since socket_fd
2678 * and the netns fds we don't need anymore. The custom
2679 * endpoint fd was needed to upload the policy and can
2680 * now be closed as well. */
2681 r = close_all_fds(fds, n_fds);
2682 if (r >= 0)
2683 r = shift_fds(fds, n_fds);
2684 if (r >= 0)
2685 r = flags_fds(fds, n_fds, context->non_blocking);
2686 if (r < 0) {
2687 *exit_status = EXIT_FDS;
2688 return r;
2689 }
2690
2691 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
2692
2693 int secure_bits = context->secure_bits;
2694
2695 for (i = 0; i < _RLIMIT_MAX; i++) {
2696
2697 if (!context->rlimit[i])
2698 continue;
2699
2700 r = setrlimit_closest(i, context->rlimit[i]);
2701 if (r < 0) {
2702 *exit_status = EXIT_LIMITS;
2703 return r;
2704 }
2705 }
2706
2707 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */
2708 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
2709 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
2710 *exit_status = EXIT_LIMITS;
2711 return -errno;
2712 }
2713 }
2714
2715 if (!cap_test_all(context->capability_bounding_set)) {
2716 r = capability_bounding_set_drop(context->capability_bounding_set, false);
2717 if (r < 0) {
2718 *exit_status = EXIT_CAPABILITIES;
2719 return r;
2720 }
2721 }
2722
2723 /* This is done before enforce_user, but ambient set
2724 * does not survive over setresuid() if keep_caps is not set. */
2725 if (context->capability_ambient_set != 0) {
2726 r = capability_ambient_set_apply(context->capability_ambient_set, true);
2727 if (r < 0) {
2728 *exit_status = EXIT_CAPABILITIES;
2729 return r;
2730 }
2731 }
2732
2733 if (context->user) {
2734 r = enforce_user(context, uid);
2735 if (r < 0) {
2736 *exit_status = EXIT_USER;
2737 return r;
2738 }
2739 if (context->capability_ambient_set != 0) {
2740
2741 /* Fix the ambient capabilities after user change. */
2742 r = capability_ambient_set_apply(context->capability_ambient_set, false);
2743 if (r < 0) {
2744 *exit_status = EXIT_CAPABILITIES;
2745 return r;
2746 }
2747
2748 /* If we were asked to change user and ambient capabilities
2749 * were requested, we had to add keep-caps to the securebits
2750 * so that we would maintain the inherited capability set
2751 * through the setresuid(). Make sure that the bit is added
2752 * also to the context secure_bits so that we don't try to
2753 * drop the bit away next. */
2754
2755 secure_bits |= 1<<SECURE_KEEP_CAPS;
2756 }
2757 }
2758
2759 /* Apply the MAC contexts late, but before seccomp syscall filtering, as those should really be last to
2760 * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
2761 * syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
2762 * are restricted. */
2763
2764 #ifdef HAVE_SELINUX
2765 if (mac_selinux_use()) {
2766 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
2767
2768 if (exec_context) {
2769 r = setexeccon(exec_context);
2770 if (r < 0) {
2771 *exit_status = EXIT_SELINUX_CONTEXT;
2772 return r;
2773 }
2774 }
2775 }
2776 #endif
2777
2778 r = setup_smack(context, command);
2779 if (r < 0) {
2780 *exit_status = EXIT_SMACK_PROCESS_LABEL;
2781 return r;
2782 }
2783
2784 #ifdef HAVE_APPARMOR
2785 if (context->apparmor_profile && mac_apparmor_use()) {
2786 r = aa_change_onexec(context->apparmor_profile);
2787 if (r < 0 && !context->apparmor_profile_ignore) {
2788 *exit_status = EXIT_APPARMOR_PROFILE;
2789 return -errno;
2790 }
2791 }
2792 #endif
2793
2794 /* PR_GET_SECUREBITS is not privileged, while
2795 * PR_SET_SECUREBITS is. So to suppress
2796 * potential EPERMs we'll try not to call
2797 * PR_SET_SECUREBITS unless necessary. */
2798 if (prctl(PR_GET_SECUREBITS) != secure_bits)
2799 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
2800 *exit_status = EXIT_SECUREBITS;
2801 return -errno;
2802 }
2803
2804 if (context_has_no_new_privileges(context))
2805 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
2806 *exit_status = EXIT_NO_NEW_PRIVILEGES;
2807 return -errno;
2808 }
2809
2810 #ifdef HAVE_SECCOMP
2811 if (context_has_address_families(context)) {
2812 r = apply_address_families(unit, context);
2813 if (r < 0) {
2814 *exit_status = EXIT_ADDRESS_FAMILIES;
2815 return r;
2816 }
2817 }
2818
2819 if (context->memory_deny_write_execute) {
2820 r = apply_memory_deny_write_execute(unit, context);
2821 if (r < 0) {
2822 *exit_status = EXIT_SECCOMP;
2823 return r;
2824 }
2825 }
2826
2827 if (context->restrict_realtime) {
2828 r = apply_restrict_realtime(unit, context);
2829 if (r < 0) {
2830 *exit_status = EXIT_SECCOMP;
2831 return r;
2832 }
2833 }
2834
2835 r = apply_restrict_namespaces(unit, context);
2836 if (r < 0) {
2837 *exit_status = EXIT_SECCOMP;
2838 return r;
2839 }
2840
2841 if (context->protect_kernel_tunables) {
2842 r = apply_protect_sysctl(unit, context);
2843 if (r < 0) {
2844 *exit_status = EXIT_SECCOMP;
2845 return r;
2846 }
2847 }
2848
2849 if (context->protect_kernel_modules) {
2850 r = apply_protect_kernel_modules(unit, context);
2851 if (r < 0) {
2852 *exit_status = EXIT_SECCOMP;
2853 return r;
2854 }
2855 }
2856
2857 if (context->private_devices) {
2858 r = apply_private_devices(unit, context);
2859 if (r < 0) {
2860 *exit_status = EXIT_SECCOMP;
2861 return r;
2862 }
2863 }
2864
2865 /* This really should remain the last step before the execve(), to make sure our own code is unaffected
2866 * by the filter as little as possible. */
2867 if (context_has_syscall_filters(context)) {
2868 r = apply_seccomp(unit, context);
2869 if (r < 0) {
2870 *exit_status = EXIT_SECCOMP;
2871 return r;
2872 }
2873 }
2874 #endif
2875 }
2876
2877 final_argv = replace_env_argv(argv, accum_env);
2878 if (!final_argv) {
2879 *exit_status = EXIT_MEMORY;
2880 return -ENOMEM;
2881 }
2882
2883 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
2884 _cleanup_free_ char *line;
2885
2886 line = exec_command_line(final_argv);
2887 if (line) {
2888 log_open();
2889 log_struct(LOG_DEBUG,
2890 LOG_UNIT_ID(unit),
2891 "EXECUTABLE=%s", command->path,
2892 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
2893 NULL);
2894 log_close();
2895 }
2896 }
2897
2898 execve(command->path, final_argv, accum_env);
2899 *exit_status = EXIT_EXEC;
2900 return -errno;
2901 }
2902
2903 int exec_spawn(Unit *unit,
2904 ExecCommand *command,
2905 const ExecContext *context,
2906 const ExecParameters *params,
2907 ExecRuntime *runtime,
2908 DynamicCreds *dcreds,
2909 pid_t *ret) {
2910
2911 _cleanup_strv_free_ char **files_env = NULL;
2912 int *fds = NULL; unsigned n_fds = 0;
2913 _cleanup_free_ char *line = NULL;
2914 int socket_fd, r;
2915 int named_iofds[3] = { -1, -1, -1 };
2916 char **argv;
2917 pid_t pid;
2918
2919 assert(unit);
2920 assert(command);
2921 assert(context);
2922 assert(ret);
2923 assert(params);
2924 assert(params->fds || params->n_fds <= 0);
2925
2926 if (context->std_input == EXEC_INPUT_SOCKET ||
2927 context->std_output == EXEC_OUTPUT_SOCKET ||
2928 context->std_error == EXEC_OUTPUT_SOCKET) {
2929
2930 if (params->n_fds != 1) {
2931 log_unit_error(unit, "Got more than one socket.");
2932 return -EINVAL;
2933 }
2934
2935 socket_fd = params->fds[0];
2936 } else {
2937 socket_fd = -1;
2938 fds = params->fds;
2939 n_fds = params->n_fds;
2940 }
2941
2942 r = exec_context_named_iofds(unit, context, params, named_iofds);
2943 if (r < 0)
2944 return log_unit_error_errno(unit, r, "Failed to load a named file descriptor: %m");
2945
2946 r = exec_context_load_environment(unit, context, &files_env);
2947 if (r < 0)
2948 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
2949
2950 argv = params->argv ?: command->argv;
2951 line = exec_command_line(argv);
2952 if (!line)
2953 return log_oom();
2954
2955 log_struct(LOG_DEBUG,
2956 LOG_UNIT_ID(unit),
2957 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
2958 "EXECUTABLE=%s", command->path,
2959 NULL);
2960 pid = fork();
2961 if (pid < 0)
2962 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
2963
2964 if (pid == 0) {
2965 int exit_status;
2966
2967 r = exec_child(unit,
2968 command,
2969 context,
2970 params,
2971 runtime,
2972 dcreds,
2973 argv,
2974 socket_fd,
2975 named_iofds,
2976 fds, n_fds,
2977 files_env,
2978 unit->manager->user_lookup_fds[1],
2979 &exit_status);
2980 if (r < 0) {
2981 log_open();
2982 log_struct_errno(LOG_ERR, r,
2983 LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
2984 LOG_UNIT_ID(unit),
2985 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
2986 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
2987 command->path),
2988 "EXECUTABLE=%s", command->path,
2989 NULL);
2990 }
2991
2992 _exit(exit_status);
2993 }
2994
2995 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
2996
2997 /* We add the new process to the cgroup both in the child (so
2998 * that we can be sure that no user code is ever executed
2999 * outside of the cgroup) and in the parent (so that we can be
3000 * sure that when we kill the cgroup the process will be
3001 * killed too). */
3002 if (params->cgroup_path)
3003 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
3004
3005 exec_status_start(&command->exec_status, pid);
3006
3007 *ret = pid;
3008 return 0;
3009 }
3010
3011 void exec_context_init(ExecContext *c) {
3012 assert(c);
3013
3014 c->umask = 0022;
3015 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
3016 c->cpu_sched_policy = SCHED_OTHER;
3017 c->syslog_priority = LOG_DAEMON|LOG_INFO;
3018 c->syslog_level_prefix = true;
3019 c->ignore_sigpipe = true;
3020 c->timer_slack_nsec = NSEC_INFINITY;
3021 c->personality = PERSONALITY_INVALID;
3022 c->runtime_directory_mode = 0755;
3023 c->capability_bounding_set = CAP_ALL;
3024 c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
3025 }
3026
3027 void exec_context_done(ExecContext *c) {
3028 unsigned l;
3029
3030 assert(c);
3031
3032 c->environment = strv_free(c->environment);
3033 c->environment_files = strv_free(c->environment_files);
3034 c->pass_environment = strv_free(c->pass_environment);
3035
3036 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
3037 c->rlimit[l] = mfree(c->rlimit[l]);
3038
3039 for (l = 0; l < 3; l++)
3040 c->stdio_fdname[l] = mfree(c->stdio_fdname[l]);
3041
3042 c->working_directory = mfree(c->working_directory);
3043 c->root_directory = mfree(c->root_directory);
3044 c->tty_path = mfree(c->tty_path);
3045 c->syslog_identifier = mfree(c->syslog_identifier);
3046 c->user = mfree(c->user);
3047 c->group = mfree(c->group);
3048
3049 c->supplementary_groups = strv_free(c->supplementary_groups);
3050
3051 c->pam_name = mfree(c->pam_name);
3052
3053 c->read_only_paths = strv_free(c->read_only_paths);
3054 c->read_write_paths = strv_free(c->read_write_paths);
3055 c->inaccessible_paths = strv_free(c->inaccessible_paths);
3056
3057 if (c->cpuset)
3058 CPU_FREE(c->cpuset);
3059
3060 c->utmp_id = mfree(c->utmp_id);
3061 c->selinux_context = mfree(c->selinux_context);
3062 c->apparmor_profile = mfree(c->apparmor_profile);
3063
3064 c->syscall_filter = set_free(c->syscall_filter);
3065 c->syscall_archs = set_free(c->syscall_archs);
3066 c->address_families = set_free(c->address_families);
3067
3068 c->runtime_directory = strv_free(c->runtime_directory);
3069 }
3070
3071 int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
3072 char **i;
3073
3074 assert(c);
3075
3076 if (!runtime_prefix)
3077 return 0;
3078
3079 STRV_FOREACH(i, c->runtime_directory) {
3080 _cleanup_free_ char *p;
3081
3082 p = strjoin(runtime_prefix, "/", *i);
3083 if (!p)
3084 return -ENOMEM;
3085
3086 /* We execute this synchronously, since we need to be
3087 * sure this is gone when we start the service
3088 * next. */
3089 (void) rm_rf(p, REMOVE_ROOT);
3090 }
3091
3092 return 0;
3093 }
3094
3095 void exec_command_done(ExecCommand *c) {
3096 assert(c);
3097
3098 c->path = mfree(c->path);
3099
3100 c->argv = strv_free(c->argv);
3101 }
3102
3103 void exec_command_done_array(ExecCommand *c, unsigned n) {
3104 unsigned i;
3105
3106 for (i = 0; i < n; i++)
3107 exec_command_done(c+i);
3108 }
3109
3110 ExecCommand* exec_command_free_list(ExecCommand *c) {
3111 ExecCommand *i;
3112
3113 while ((i = c)) {
3114 LIST_REMOVE(command, c, i);
3115 exec_command_done(i);
3116 free(i);
3117 }
3118
3119 return NULL;
3120 }
3121
3122 void exec_command_free_array(ExecCommand **c, unsigned n) {
3123 unsigned i;
3124
3125 for (i = 0; i < n; i++)
3126 c[i] = exec_command_free_list(c[i]);
3127 }
3128
3129 typedef struct InvalidEnvInfo {
3130 Unit *unit;
3131 const char *path;
3132 } InvalidEnvInfo;
3133
3134 static void invalid_env(const char *p, void *userdata) {
3135 InvalidEnvInfo *info = userdata;
3136
3137 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
3138 }
3139
3140 const char* exec_context_fdname(const ExecContext *c, int fd_index) {
3141 assert(c);
3142
3143 switch (fd_index) {
3144 case STDIN_FILENO:
3145 if (c->std_input != EXEC_INPUT_NAMED_FD)
3146 return NULL;
3147 return c->stdio_fdname[STDIN_FILENO] ?: "stdin";
3148 case STDOUT_FILENO:
3149 if (c->std_output != EXEC_OUTPUT_NAMED_FD)
3150 return NULL;
3151 return c->stdio_fdname[STDOUT_FILENO] ?: "stdout";
3152 case STDERR_FILENO:
3153 if (c->std_error != EXEC_OUTPUT_NAMED_FD)
3154 return NULL;
3155 return c->stdio_fdname[STDERR_FILENO] ?: "stderr";
3156 default:
3157 return NULL;
3158 }
3159 }
3160
3161 int exec_context_named_iofds(Unit *unit, const ExecContext *c, const ExecParameters *p, int named_iofds[3]) {
3162 unsigned i, targets;
3163 const char *stdio_fdname[3];
3164
3165 assert(c);
3166 assert(p);
3167
3168 targets = (c->std_input == EXEC_INPUT_NAMED_FD) +
3169 (c->std_output == EXEC_OUTPUT_NAMED_FD) +
3170 (c->std_error == EXEC_OUTPUT_NAMED_FD);
3171
3172 for (i = 0; i < 3; i++)
3173 stdio_fdname[i] = exec_context_fdname(c, i);
3174
3175 for (i = 0; i < p->n_fds && targets > 0; i++)
3176 if (named_iofds[STDIN_FILENO] < 0 && c->std_input == EXEC_INPUT_NAMED_FD && stdio_fdname[STDIN_FILENO] && streq(p->fd_names[i], stdio_fdname[STDIN_FILENO])) {
3177 named_iofds[STDIN_FILENO] = p->fds[i];
3178 targets--;
3179 } else if (named_iofds[STDOUT_FILENO] < 0 && c->std_output == EXEC_OUTPUT_NAMED_FD && stdio_fdname[STDOUT_FILENO] && streq(p->fd_names[i], stdio_fdname[STDOUT_FILENO])) {
3180 named_iofds[STDOUT_FILENO] = p->fds[i];
3181 targets--;
3182 } else if (named_iofds[STDERR_FILENO] < 0 && c->std_error == EXEC_OUTPUT_NAMED_FD && stdio_fdname[STDERR_FILENO] && streq(p->fd_names[i], stdio_fdname[STDERR_FILENO])) {
3183 named_iofds[STDERR_FILENO] = p->fds[i];
3184 targets--;
3185 }
3186
3187 return (targets == 0 ? 0 : -ENOENT);
3188 }
3189
3190 int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
3191 char **i, **r = NULL;
3192
3193 assert(c);
3194 assert(l);
3195
3196 STRV_FOREACH(i, c->environment_files) {
3197 char *fn;
3198 int k;
3199 bool ignore = false;
3200 char **p;
3201 _cleanup_globfree_ glob_t pglob = {};
3202 int count, n;
3203
3204 fn = *i;
3205
3206 if (fn[0] == '-') {
3207 ignore = true;
3208 fn++;
3209 }
3210
3211 if (!path_is_absolute(fn)) {
3212 if (ignore)
3213 continue;
3214
3215 strv_free(r);
3216 return -EINVAL;
3217 }
3218
3219 /* Filename supports globbing, take all matching files */
3220 errno = 0;
3221 if (glob(fn, 0, NULL, &pglob) != 0) {
3222 if (ignore)
3223 continue;
3224
3225 strv_free(r);
3226 return errno > 0 ? -errno : -EINVAL;
3227 }
3228 count = pglob.gl_pathc;
3229 if (count == 0) {
3230 if (ignore)
3231 continue;
3232
3233 strv_free(r);
3234 return -EINVAL;
3235 }
3236 for (n = 0; n < count; n++) {
3237 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
3238 if (k < 0) {
3239 if (ignore)
3240 continue;
3241
3242 strv_free(r);
3243 return k;
3244 }
3245 /* Log invalid environment variables with filename */
3246 if (p) {
3247 InvalidEnvInfo info = {
3248 .unit = unit,
3249 .path = pglob.gl_pathv[n]
3250 };
3251
3252 p = strv_env_clean_with_callback(p, invalid_env, &info);
3253 }
3254
3255 if (r == NULL)
3256 r = p;
3257 else {
3258 char **m;
3259
3260 m = strv_env_merge(2, r, p);
3261 strv_free(r);
3262 strv_free(p);
3263 if (!m)
3264 return -ENOMEM;
3265
3266 r = m;
3267 }
3268 }
3269 }
3270
3271 *l = r;
3272
3273 return 0;
3274 }
3275
3276 static bool tty_may_match_dev_console(const char *tty) {
3277 _cleanup_free_ char *active = NULL;
3278 char *console;
3279
3280 if (!tty)
3281 return true;
3282
3283 if (startswith(tty, "/dev/"))
3284 tty += 5;
3285
3286 /* trivial identity? */
3287 if (streq(tty, "console"))
3288 return true;
3289
3290 console = resolve_dev_console(&active);
3291 /* if we could not resolve, assume it may */
3292 if (!console)
3293 return true;
3294
3295 /* "tty0" means the active VC, so it may be the same sometimes */
3296 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
3297 }
3298
3299 bool exec_context_may_touch_console(ExecContext *ec) {
3300
3301 return (ec->tty_reset ||
3302 ec->tty_vhangup ||
3303 ec->tty_vt_disallocate ||
3304 is_terminal_input(ec->std_input) ||
3305 is_terminal_output(ec->std_output) ||
3306 is_terminal_output(ec->std_error)) &&
3307 tty_may_match_dev_console(exec_context_tty_path(ec));
3308 }
3309
3310 static void strv_fprintf(FILE *f, char **l) {
3311 char **g;
3312
3313 assert(f);
3314
3315 STRV_FOREACH(g, l)
3316 fprintf(f, " %s", *g);
3317 }
3318
3319 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
3320 char **e, **d;
3321 unsigned i;
3322 int r;
3323
3324 assert(c);
3325 assert(f);
3326
3327 prefix = strempty(prefix);
3328
3329 fprintf(f,
3330 "%sUMask: %04o\n"
3331 "%sWorkingDirectory: %s\n"
3332 "%sRootDirectory: %s\n"
3333 "%sNonBlocking: %s\n"
3334 "%sPrivateTmp: %s\n"
3335 "%sPrivateDevices: %s\n"
3336 "%sProtectKernelTunables: %s\n"
3337 "%sProtectKernelModules: %s\n"
3338 "%sProtectControlGroups: %s\n"
3339 "%sPrivateNetwork: %s\n"
3340 "%sPrivateUsers: %s\n"
3341 "%sProtectHome: %s\n"
3342 "%sProtectSystem: %s\n"
3343 "%sIgnoreSIGPIPE: %s\n"
3344 "%sMemoryDenyWriteExecute: %s\n"
3345 "%sRestrictRealtime: %s\n",
3346 prefix, c->umask,
3347 prefix, c->working_directory ? c->working_directory : "/",
3348 prefix, c->root_directory ? c->root_directory : "/",
3349 prefix, yes_no(c->non_blocking),
3350 prefix, yes_no(c->private_tmp),
3351 prefix, yes_no(c->private_devices),
3352 prefix, yes_no(c->protect_kernel_tunables),
3353 prefix, yes_no(c->protect_kernel_modules),
3354 prefix, yes_no(c->protect_control_groups),
3355 prefix, yes_no(c->private_network),
3356 prefix, yes_no(c->private_users),
3357 prefix, protect_home_to_string(c->protect_home),
3358 prefix, protect_system_to_string(c->protect_system),
3359 prefix, yes_no(c->ignore_sigpipe),
3360 prefix, yes_no(c->memory_deny_write_execute),
3361 prefix, yes_no(c->restrict_realtime));
3362
3363 STRV_FOREACH(e, c->environment)
3364 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
3365
3366 STRV_FOREACH(e, c->environment_files)
3367 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
3368
3369 STRV_FOREACH(e, c->pass_environment)
3370 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
3371
3372 fprintf(f, "%sRuntimeDirectoryMode: %04o\n", prefix, c->runtime_directory_mode);
3373
3374 STRV_FOREACH(d, c->runtime_directory)
3375 fprintf(f, "%sRuntimeDirectory: %s\n", prefix, *d);
3376
3377 if (c->nice_set)
3378 fprintf(f,
3379 "%sNice: %i\n",
3380 prefix, c->nice);
3381
3382 if (c->oom_score_adjust_set)
3383 fprintf(f,
3384 "%sOOMScoreAdjust: %i\n",
3385 prefix, c->oom_score_adjust);
3386
3387 for (i = 0; i < RLIM_NLIMITS; i++)
3388 if (c->rlimit[i]) {
3389 fprintf(f, "%s%s: " RLIM_FMT "\n",
3390 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
3391 fprintf(f, "%s%sSoft: " RLIM_FMT "\n",
3392 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
3393 }
3394
3395 if (c->ioprio_set) {
3396 _cleanup_free_ char *class_str = NULL;
3397
3398 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
3399 fprintf(f,
3400 "%sIOSchedulingClass: %s\n"
3401 "%sIOPriority: %i\n",
3402 prefix, strna(class_str),
3403 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
3404 }
3405
3406 if (c->cpu_sched_set) {
3407 _cleanup_free_ char *policy_str = NULL;
3408
3409 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
3410 fprintf(f,
3411 "%sCPUSchedulingPolicy: %s\n"
3412 "%sCPUSchedulingPriority: %i\n"
3413 "%sCPUSchedulingResetOnFork: %s\n",
3414 prefix, strna(policy_str),
3415 prefix, c->cpu_sched_priority,
3416 prefix, yes_no(c->cpu_sched_reset_on_fork));
3417 }
3418
3419 if (c->cpuset) {
3420 fprintf(f, "%sCPUAffinity:", prefix);
3421 for (i = 0; i < c->cpuset_ncpus; i++)
3422 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
3423 fprintf(f, " %u", i);
3424 fputs("\n", f);
3425 }
3426
3427 if (c->timer_slack_nsec != NSEC_INFINITY)
3428 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
3429
3430 fprintf(f,
3431 "%sStandardInput: %s\n"
3432 "%sStandardOutput: %s\n"
3433 "%sStandardError: %s\n",
3434 prefix, exec_input_to_string(c->std_input),
3435 prefix, exec_output_to_string(c->std_output),
3436 prefix, exec_output_to_string(c->std_error));
3437
3438 if (c->tty_path)
3439 fprintf(f,
3440 "%sTTYPath: %s\n"
3441 "%sTTYReset: %s\n"
3442 "%sTTYVHangup: %s\n"
3443 "%sTTYVTDisallocate: %s\n",
3444 prefix, c->tty_path,
3445 prefix, yes_no(c->tty_reset),
3446 prefix, yes_no(c->tty_vhangup),
3447 prefix, yes_no(c->tty_vt_disallocate));
3448
3449 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
3450 c->std_output == EXEC_OUTPUT_KMSG ||
3451 c->std_output == EXEC_OUTPUT_JOURNAL ||
3452 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3453 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3454 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
3455 c->std_error == EXEC_OUTPUT_SYSLOG ||
3456 c->std_error == EXEC_OUTPUT_KMSG ||
3457 c->std_error == EXEC_OUTPUT_JOURNAL ||
3458 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3459 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3460 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
3461
3462 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
3463
3464 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
3465 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
3466
3467 fprintf(f,
3468 "%sSyslogFacility: %s\n"
3469 "%sSyslogLevel: %s\n",
3470 prefix, strna(fac_str),
3471 prefix, strna(lvl_str));
3472 }
3473
3474 if (c->secure_bits)
3475 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
3476 prefix,
3477 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
3478 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
3479 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
3480 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
3481 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
3482 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
3483
3484 if (c->capability_bounding_set != CAP_ALL) {
3485 unsigned long l;
3486 fprintf(f, "%sCapabilityBoundingSet:", prefix);
3487
3488 for (l = 0; l <= cap_last_cap(); l++)
3489 if (c->capability_bounding_set & (UINT64_C(1) << l))
3490 fprintf(f, " %s", strna(capability_to_name(l)));
3491
3492 fputs("\n", f);
3493 }
3494
3495 if (c->capability_ambient_set != 0) {
3496 unsigned long l;
3497 fprintf(f, "%sAmbientCapabilities:", prefix);
3498
3499 for (l = 0; l <= cap_last_cap(); l++)
3500 if (c->capability_ambient_set & (UINT64_C(1) << l))
3501 fprintf(f, " %s", strna(capability_to_name(l)));
3502
3503 fputs("\n", f);
3504 }
3505
3506 if (c->user)
3507 fprintf(f, "%sUser: %s\n", prefix, c->user);
3508 if (c->group)
3509 fprintf(f, "%sGroup: %s\n", prefix, c->group);
3510
3511 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
3512
3513 if (strv_length(c->supplementary_groups) > 0) {
3514 fprintf(f, "%sSupplementaryGroups:", prefix);
3515 strv_fprintf(f, c->supplementary_groups);
3516 fputs("\n", f);
3517 }
3518
3519 if (c->pam_name)
3520 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
3521
3522 if (strv_length(c->read_write_paths) > 0) {
3523 fprintf(f, "%sReadWritePaths:", prefix);
3524 strv_fprintf(f, c->read_write_paths);
3525 fputs("\n", f);
3526 }
3527
3528 if (strv_length(c->read_only_paths) > 0) {
3529 fprintf(f, "%sReadOnlyPaths:", prefix);
3530 strv_fprintf(f, c->read_only_paths);
3531 fputs("\n", f);
3532 }
3533
3534 if (strv_length(c->inaccessible_paths) > 0) {
3535 fprintf(f, "%sInaccessiblePaths:", prefix);
3536 strv_fprintf(f, c->inaccessible_paths);
3537 fputs("\n", f);
3538 }
3539
3540 if (c->utmp_id)
3541 fprintf(f,
3542 "%sUtmpIdentifier: %s\n",
3543 prefix, c->utmp_id);
3544
3545 if (c->selinux_context)
3546 fprintf(f,
3547 "%sSELinuxContext: %s%s\n",
3548 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
3549
3550 if (c->personality != PERSONALITY_INVALID)
3551 fprintf(f,
3552 "%sPersonality: %s\n",
3553 prefix, strna(personality_to_string(c->personality)));
3554
3555 if (c->syscall_filter) {
3556 #ifdef HAVE_SECCOMP
3557 Iterator j;
3558 void *id;
3559 bool first = true;
3560 #endif
3561
3562 fprintf(f,
3563 "%sSystemCallFilter: ",
3564 prefix);
3565
3566 if (!c->syscall_whitelist)
3567 fputc('~', f);
3568
3569 #ifdef HAVE_SECCOMP
3570 SET_FOREACH(id, c->syscall_filter, j) {
3571 _cleanup_free_ char *name = NULL;
3572
3573 if (first)
3574 first = false;
3575 else
3576 fputc(' ', f);
3577
3578 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
3579 fputs(strna(name), f);
3580 }
3581 #endif
3582
3583 fputc('\n', f);
3584 }
3585
3586 if (c->syscall_archs) {
3587 #ifdef HAVE_SECCOMP
3588 Iterator j;
3589 void *id;
3590 #endif
3591
3592 fprintf(f,
3593 "%sSystemCallArchitectures:",
3594 prefix);
3595
3596 #ifdef HAVE_SECCOMP
3597 SET_FOREACH(id, c->syscall_archs, j)
3598 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
3599 #endif
3600 fputc('\n', f);
3601 }
3602
3603 if (exec_context_restrict_namespaces_set(c)) {
3604 _cleanup_free_ char *s = NULL;
3605
3606 r = namespace_flag_to_string_many(c->restrict_namespaces, &s);
3607 if (r >= 0)
3608 fprintf(f, "%sRestrictNamespaces: %s\n",
3609 prefix, s);
3610 }
3611
3612 if (c->syscall_errno > 0)
3613 fprintf(f,
3614 "%sSystemCallErrorNumber: %s\n",
3615 prefix, strna(errno_to_name(c->syscall_errno)));
3616
3617 if (c->apparmor_profile)
3618 fprintf(f,
3619 "%sAppArmorProfile: %s%s\n",
3620 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
3621 }
3622
3623 bool exec_context_maintains_privileges(ExecContext *c) {
3624 assert(c);
3625
3626 /* Returns true if the process forked off would run under
3627 * an unchanged UID or as root. */
3628
3629 if (!c->user)
3630 return true;
3631
3632 if (streq(c->user, "root") || streq(c->user, "0"))
3633 return true;
3634
3635 return false;
3636 }
3637
3638 void exec_status_start(ExecStatus *s, pid_t pid) {
3639 assert(s);
3640
3641 zero(*s);
3642 s->pid = pid;
3643 dual_timestamp_get(&s->start_timestamp);
3644 }
3645
3646 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
3647 assert(s);
3648
3649 if (s->pid && s->pid != pid)
3650 zero(*s);
3651
3652 s->pid = pid;
3653 dual_timestamp_get(&s->exit_timestamp);
3654
3655 s->code = code;
3656 s->status = status;
3657
3658 if (context) {
3659 if (context->utmp_id)
3660 utmp_put_dead_process(context->utmp_id, pid, code, status);
3661
3662 exec_context_tty_reset(context, NULL);
3663 }
3664 }
3665
3666 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
3667 char buf[FORMAT_TIMESTAMP_MAX];
3668
3669 assert(s);
3670 assert(f);
3671
3672 if (s->pid <= 0)
3673 return;
3674
3675 prefix = strempty(prefix);
3676
3677 fprintf(f,
3678 "%sPID: "PID_FMT"\n",
3679 prefix, s->pid);
3680
3681 if (dual_timestamp_is_set(&s->start_timestamp))
3682 fprintf(f,
3683 "%sStart Timestamp: %s\n",
3684 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
3685
3686 if (dual_timestamp_is_set(&s->exit_timestamp))
3687 fprintf(f,
3688 "%sExit Timestamp: %s\n"
3689 "%sExit Code: %s\n"
3690 "%sExit Status: %i\n",
3691 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
3692 prefix, sigchld_code_to_string(s->code),
3693 prefix, s->status);
3694 }
3695
3696 char *exec_command_line(char **argv) {
3697 size_t k;
3698 char *n, *p, **a;
3699 bool first = true;
3700
3701 assert(argv);
3702
3703 k = 1;
3704 STRV_FOREACH(a, argv)
3705 k += strlen(*a)+3;
3706
3707 n = new(char, k);
3708 if (!n)
3709 return NULL;
3710
3711 p = n;
3712 STRV_FOREACH(a, argv) {
3713
3714 if (!first)
3715 *(p++) = ' ';
3716 else
3717 first = false;
3718
3719 if (strpbrk(*a, WHITESPACE)) {
3720 *(p++) = '\'';
3721 p = stpcpy(p, *a);
3722 *(p++) = '\'';
3723 } else
3724 p = stpcpy(p, *a);
3725
3726 }
3727
3728 *p = 0;
3729
3730 /* FIXME: this doesn't really handle arguments that have
3731 * spaces and ticks in them */
3732
3733 return n;
3734 }
3735
3736 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
3737 _cleanup_free_ char *cmd = NULL;
3738 const char *prefix2;
3739
3740 assert(c);
3741 assert(f);
3742
3743 prefix = strempty(prefix);
3744 prefix2 = strjoina(prefix, "\t");
3745
3746 cmd = exec_command_line(c->argv);
3747 fprintf(f,
3748 "%sCommand Line: %s\n",
3749 prefix, cmd ? cmd : strerror(ENOMEM));
3750
3751 exec_status_dump(&c->exec_status, f, prefix2);
3752 }
3753
3754 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
3755 assert(f);
3756
3757 prefix = strempty(prefix);
3758
3759 LIST_FOREACH(command, c, c)
3760 exec_command_dump(c, f, prefix);
3761 }
3762
3763 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
3764 ExecCommand *end;
3765
3766 assert(l);
3767 assert(e);
3768
3769 if (*l) {
3770 /* It's kind of important, that we keep the order here */
3771 LIST_FIND_TAIL(command, *l, end);
3772 LIST_INSERT_AFTER(command, *l, end, e);
3773 } else
3774 *l = e;
3775 }
3776
3777 int exec_command_set(ExecCommand *c, const char *path, ...) {
3778 va_list ap;
3779 char **l, *p;
3780
3781 assert(c);
3782 assert(path);
3783
3784 va_start(ap, path);
3785 l = strv_new_ap(path, ap);
3786 va_end(ap);
3787
3788 if (!l)
3789 return -ENOMEM;
3790
3791 p = strdup(path);
3792 if (!p) {
3793 strv_free(l);
3794 return -ENOMEM;
3795 }
3796
3797 free(c->path);
3798 c->path = p;
3799
3800 strv_free(c->argv);
3801 c->argv = l;
3802
3803 return 0;
3804 }
3805
3806 int exec_command_append(ExecCommand *c, const char *path, ...) {
3807 _cleanup_strv_free_ char **l = NULL;
3808 va_list ap;
3809 int r;
3810
3811 assert(c);
3812 assert(path);
3813
3814 va_start(ap, path);
3815 l = strv_new_ap(path, ap);
3816 va_end(ap);
3817
3818 if (!l)
3819 return -ENOMEM;
3820
3821 r = strv_extend_strv(&c->argv, l, false);
3822 if (r < 0)
3823 return r;
3824
3825 return 0;
3826 }
3827
3828
3829 static int exec_runtime_allocate(ExecRuntime **rt) {
3830
3831 if (*rt)
3832 return 0;
3833
3834 *rt = new0(ExecRuntime, 1);
3835 if (!*rt)
3836 return -ENOMEM;
3837
3838 (*rt)->n_ref = 1;
3839 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
3840
3841 return 0;
3842 }
3843
3844 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
3845 int r;
3846
3847 assert(rt);
3848 assert(c);
3849 assert(id);
3850
3851 if (*rt)
3852 return 1;
3853
3854 if (!c->private_network && !c->private_tmp)
3855 return 0;
3856
3857 r = exec_runtime_allocate(rt);
3858 if (r < 0)
3859 return r;
3860
3861 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
3862 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, (*rt)->netns_storage_socket) < 0)
3863 return -errno;
3864 }
3865
3866 if (c->private_tmp && !(*rt)->tmp_dir) {
3867 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
3868 if (r < 0)
3869 return r;
3870 }
3871
3872 return 1;
3873 }
3874
3875 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
3876 assert(r);
3877 assert(r->n_ref > 0);
3878
3879 r->n_ref++;
3880 return r;
3881 }
3882
3883 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
3884
3885 if (!r)
3886 return NULL;
3887
3888 assert(r->n_ref > 0);
3889
3890 r->n_ref--;
3891 if (r->n_ref > 0)
3892 return NULL;
3893
3894 free(r->tmp_dir);
3895 free(r->var_tmp_dir);
3896 safe_close_pair(r->netns_storage_socket);
3897 return mfree(r);
3898 }
3899
3900 int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
3901 assert(u);
3902 assert(f);
3903 assert(fds);
3904
3905 if (!rt)
3906 return 0;
3907
3908 if (rt->tmp_dir)
3909 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
3910
3911 if (rt->var_tmp_dir)
3912 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
3913
3914 if (rt->netns_storage_socket[0] >= 0) {
3915 int copy;
3916
3917 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
3918 if (copy < 0)
3919 return copy;
3920
3921 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
3922 }
3923
3924 if (rt->netns_storage_socket[1] >= 0) {
3925 int copy;
3926
3927 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
3928 if (copy < 0)
3929 return copy;
3930
3931 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
3932 }
3933
3934 return 0;
3935 }
3936
3937 int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
3938 int r;
3939
3940 assert(rt);
3941 assert(key);
3942 assert(value);
3943
3944 if (streq(key, "tmp-dir")) {
3945 char *copy;
3946
3947 r = exec_runtime_allocate(rt);
3948 if (r < 0)
3949 return log_oom();
3950
3951 copy = strdup(value);
3952 if (!copy)
3953 return log_oom();
3954
3955 free((*rt)->tmp_dir);
3956 (*rt)->tmp_dir = copy;
3957
3958 } else if (streq(key, "var-tmp-dir")) {
3959 char *copy;
3960
3961 r = exec_runtime_allocate(rt);
3962 if (r < 0)
3963 return log_oom();
3964
3965 copy = strdup(value);
3966 if (!copy)
3967 return log_oom();
3968
3969 free((*rt)->var_tmp_dir);
3970 (*rt)->var_tmp_dir = copy;
3971
3972 } else if (streq(key, "netns-socket-0")) {
3973 int fd;
3974
3975 r = exec_runtime_allocate(rt);
3976 if (r < 0)
3977 return log_oom();
3978
3979 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
3980 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
3981 else {
3982 safe_close((*rt)->netns_storage_socket[0]);
3983 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
3984 }
3985 } else if (streq(key, "netns-socket-1")) {
3986 int fd;
3987
3988 r = exec_runtime_allocate(rt);
3989 if (r < 0)
3990 return log_oom();
3991
3992 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
3993 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
3994 else {
3995 safe_close((*rt)->netns_storage_socket[1]);
3996 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
3997 }
3998 } else
3999 return 0;
4000
4001 return 1;
4002 }
4003
4004 static void *remove_tmpdir_thread(void *p) {
4005 _cleanup_free_ char *path = p;
4006
4007 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
4008 return NULL;
4009 }
4010
4011 void exec_runtime_destroy(ExecRuntime *rt) {
4012 int r;
4013
4014 if (!rt)
4015 return;
4016
4017 /* If there are multiple users of this, let's leave the stuff around */
4018 if (rt->n_ref > 1)
4019 return;
4020
4021 if (rt->tmp_dir) {
4022 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
4023
4024 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
4025 if (r < 0) {
4026 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
4027 free(rt->tmp_dir);
4028 }
4029
4030 rt->tmp_dir = NULL;
4031 }
4032
4033 if (rt->var_tmp_dir) {
4034 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
4035
4036 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
4037 if (r < 0) {
4038 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
4039 free(rt->var_tmp_dir);
4040 }
4041
4042 rt->var_tmp_dir = NULL;
4043 }
4044
4045 safe_close_pair(rt->netns_storage_socket);
4046 }
4047
4048 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
4049 [EXEC_INPUT_NULL] = "null",
4050 [EXEC_INPUT_TTY] = "tty",
4051 [EXEC_INPUT_TTY_FORCE] = "tty-force",
4052 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
4053 [EXEC_INPUT_SOCKET] = "socket",
4054 [EXEC_INPUT_NAMED_FD] = "fd",
4055 };
4056
4057 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
4058
4059 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
4060 [EXEC_OUTPUT_INHERIT] = "inherit",
4061 [EXEC_OUTPUT_NULL] = "null",
4062 [EXEC_OUTPUT_TTY] = "tty",
4063 [EXEC_OUTPUT_SYSLOG] = "syslog",
4064 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
4065 [EXEC_OUTPUT_KMSG] = "kmsg",
4066 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
4067 [EXEC_OUTPUT_JOURNAL] = "journal",
4068 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
4069 [EXEC_OUTPUT_SOCKET] = "socket",
4070 [EXEC_OUTPUT_NAMED_FD] = "fd",
4071 };
4072
4073 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
4074
4075 static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
4076 [EXEC_UTMP_INIT] = "init",
4077 [EXEC_UTMP_LOGIN] = "login",
4078 [EXEC_UTMP_USER] = "user",
4079 };
4080
4081 DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
Unnamed repository; edit this file 'description' to name the repository.