typedef struct ExecStatus ExecStatus;
typedef struct ExecCommand ExecCommand;
typedef struct ExecContext ExecContext;
+typedef struct ExecSharedRuntime ExecSharedRuntime;
+typedef struct DynamicCreds DynamicCreds;
typedef struct ExecRuntime ExecRuntime;
typedef struct ExecParameters ExecParameters;
typedef struct Manager Manager;
#include "cpu-set-util.h"
#include "exec-util.h"
#include "fdset.h"
-#include "firewall-util.h"
#include "list.h"
#include "missing_resource.h"
#include "namespace.h"
#include "nsflags.h"
#include "numa-util.h"
+#include "open-file.h"
#include "path-util.h"
+#include "set.h"
#include "time-util.h"
#define EXEC_STDIN_DATA_MAX (64U*1024U*1024U)
* invocations of commands. Specifically, this allows sharing of /tmp and /var/tmp data as well as network namespaces
* between invocations of commands. This is a reference counted object, with one reference taken by each currently
* active command invocation that wants to share this runtime. */
-struct ExecRuntime {
+struct ExecSharedRuntime {
unsigned n_ref;
Manager *manager;
int ipcns_storage_socket[2];
};
+struct ExecRuntime {
+ ExecSharedRuntime *shared;
+ DynamicCreds *dynamic_creds;
+};
+
typedef enum ExecDirectoryType {
EXEC_DIRECTORY_RUNTIME = 0,
EXEC_DIRECTORY_STATE,
typedef struct ExecDirectoryItem {
char *path;
char **symlinks;
+ bool only_create;
} ExecDirectoryItem;
typedef struct ExecDirectory {
EXEC_CLEAN_CACHE = 1U << EXEC_DIRECTORY_CACHE,
EXEC_CLEAN_LOGS = 1U << EXEC_DIRECTORY_LOGS,
EXEC_CLEAN_CONFIGURATION = 1U << EXEC_DIRECTORY_CONFIGURATION,
+ EXEC_CLEAN_FDSTORE = 1U << _EXEC_DIRECTORY_TYPE_MAX,
EXEC_CLEAN_NONE = 0,
- EXEC_CLEAN_ALL = (1U << _EXEC_DIRECTORY_TYPE_MAX) - 1,
+ EXEC_CLEAN_ALL = (1U << (_EXEC_DIRECTORY_TYPE_MAX+1)) - 1,
_EXEC_CLEAN_MASK_INVALID = -EINVAL,
} ExecCleanMask;
char **read_write_paths, **read_only_paths, **inaccessible_paths, **exec_paths, **no_exec_paths;
char **exec_search_path;
- unsigned long mount_flags;
+ unsigned long mount_propagation_flag;
BindMount *bind_mounts;
size_t n_bind_mounts;
TemporaryFileSystem *temporary_filesystems;
struct iovec* log_extra_fields;
size_t n_log_extra_fields;
+ Set *log_filter_allowed_patterns;
+ Set *log_filter_denied_patterns;
usec_t log_ratelimit_interval_usec;
unsigned log_ratelimit_burst;
ProtectProc protect_proc; /* hidepid= */
ProcSubset proc_subset; /* subset= */
+ int private_mounts;
+ int memory_ksm;
bool private_tmp;
bool private_network;
bool private_devices;
bool private_users;
- bool private_mounts;
bool private_ipc;
bool protect_kernel_tunables;
bool protect_kernel_modules;
bool mount_apivfs;
bool dynamic_user;
- size_t n_dynamic_user_nft_set_contexts;
- NFTSetContext *dynamic_user_nft_set_context;
-
bool remove_ipc;
bool memory_deny_write_execute;
Hashmap *set_credentials; /* output id → ExecSetCredential */
Hashmap *load_credentials; /* output id → ExecLoadCredential */
+ Set *import_credentials;
+
+ ImagePolicy *root_image_policy, *mount_image_policy, *extension_image_policy;
};
static inline bool exec_context_restrict_namespaces_set(const ExecContext *c) {
int exec_fd;
const char *notify_socket;
+
+ LIST_HEAD(OpenFile, open_files);
};
#include "unit.h"
const ExecContext *context,
const ExecParameters *exec_params,
ExecRuntime *runtime,
- DynamicCreds *dynamic_creds,
+ const CGroupContext *cgroup_context,
pid_t *ret);
void exec_command_done_array(ExecCommand *c, size_t n);
int exec_context_destroy_runtime_directory(const ExecContext *c, const char *runtime_root);
int exec_context_destroy_credentials(const ExecContext *c, const char *runtime_root, const char *unit);
+int exec_context_destroy_mount_ns_dir(Unit *u);
const char* exec_context_fdname(const ExecContext *c, int fd_index);
bool exec_context_may_touch_console(const ExecContext *c);
bool exec_context_maintains_privileges(const ExecContext *c);
+bool exec_context_has_encrypted_credentials(ExecContext *c);
+bool exec_context_has_credentials(const ExecContext *context);
int exec_context_get_effective_ioprio(const ExecContext *c);
bool exec_context_get_effective_mount_apivfs(const ExecContext *c);
int exec_context_get_clean_directories(ExecContext *c, char **prefix, ExecCleanMask mask, char ***ret);
int exec_context_get_clean_mask(ExecContext *c, ExecCleanMask *ret);
+int exec_context_add_default_dependencies(Unit *u, const ExecContext *c);
void exec_status_start(ExecStatus *s, pid_t pid);
void exec_status_exit(ExecStatus *s, const ExecContext *context, pid_t pid, int code, int status);
void exec_status_dump(const ExecStatus *s, FILE *f, const char *prefix);
void exec_status_reset(ExecStatus *s);
-int exec_runtime_acquire(Manager *m, const ExecContext *c, const char *name, bool create, ExecRuntime **ret);
-ExecRuntime *exec_runtime_unref(ExecRuntime *r, bool destroy);
+int exec_shared_runtime_acquire(Manager *m, const ExecContext *c, const char *name, bool create, ExecSharedRuntime **ret);
+ExecSharedRuntime *exec_shared_runtime_destroy(ExecSharedRuntime *r);
+ExecSharedRuntime *exec_shared_runtime_unref(ExecSharedRuntime *r);
+DEFINE_TRIVIAL_CLEANUP_FUNC(ExecSharedRuntime*, exec_shared_runtime_unref);
+
+int exec_shared_runtime_serialize(const Manager *m, FILE *f, FDSet *fds);
+int exec_shared_runtime_deserialize_compat(Unit *u, const char *key, const char *value, FDSet *fds);
+int exec_shared_runtime_deserialize_one(Manager *m, const char *value, FDSet *fds);
+void exec_shared_runtime_vacuum(Manager *m);
-int exec_runtime_serialize(const Manager *m, FILE *f, FDSet *fds);
-int exec_runtime_deserialize_compat(Unit *u, const char *key, const char *value, FDSet *fds);
-int exec_runtime_deserialize_one(Manager *m, const char *value, FDSet *fds);
-void exec_runtime_vacuum(Manager *m);
+int exec_runtime_make(ExecSharedRuntime *shared, DynamicCreds *creds, ExecRuntime **ret);
+ExecRuntime* exec_runtime_free(ExecRuntime *rt);
+DEFINE_TRIVIAL_CLEANUP_FUNC(ExecRuntime*, exec_runtime_free);
+ExecRuntime* exec_runtime_destroy(ExecRuntime *rt);
void exec_params_clear(ExecParameters *p);
DEFINE_TRIVIAL_CLEANUP_FUNC(ExecLoadCredential*, exec_load_credential_free);
void exec_directory_done(ExecDirectory *d);
-int exec_directory_add(ExecDirectoryItem **d, size_t *n, const char *path, char **symlinks);
+int exec_directory_add(ExecDirectory *d, const char *path, const char *symlink);
+void exec_directory_sort(ExecDirectory *d);
+
+ExecCleanMask exec_clean_mask_from_string(const char *s);
extern const struct hash_ops exec_set_credential_hash_ops;
extern const struct hash_ops exec_load_credential_hash_ops;
ExecDirectoryType exec_resource_type_from_string(const char *s) _pure_;
bool exec_needs_mount_namespace(const ExecContext *context, const ExecParameters *params, const ExecRuntime *runtime);
-
-void exec_delete_dynamic_user_nft_set(const ExecContext *c, DynamicUser *d);
+bool exec_needs_network_namespace(const ExecContext *context);