]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/execute.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
core: only apply NonBlocking= to fds passed via socket activation
[thirdparty/systemd.git] / src / core / execute.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <errno.h>
21 #include <fcntl.h>
22 #include <glob.h>
23 #include <grp.h>
24 #include <poll.h>
25 #include <signal.h>
26 #include <string.h>
27 #include <sys/capability.h>
28 #include <sys/eventfd.h>
29 #include <sys/mman.h>
30 #include <sys/personality.h>
31 #include <sys/prctl.h>
32 #include <sys/shm.h>
33 #include <sys/socket.h>
34 #include <sys/stat.h>
35 #include <sys/types.h>
36 #include <sys/un.h>
37 #include <unistd.h>
38 #include <utmpx.h>
39
40 #ifdef HAVE_PAM
41 #include <security/pam_appl.h>
42 #endif
43
44 #ifdef HAVE_SELINUX
45 #include <selinux/selinux.h>
46 #endif
47
48 #ifdef HAVE_SECCOMP
49 #include <seccomp.h>
50 #endif
51
52 #ifdef HAVE_APPARMOR
53 #include <sys/apparmor.h>
54 #endif
55
56 #include "sd-messages.h"
57
58 #include "af-list.h"
59 #include "alloc-util.h"
60 #ifdef HAVE_APPARMOR
61 #include "apparmor-util.h"
62 #endif
63 #include "async.h"
64 #include "barrier.h"
65 #include "cap-list.h"
66 #include "capability-util.h"
67 #include "def.h"
68 #include "env-util.h"
69 #include "errno-list.h"
70 #include "execute.h"
71 #include "exit-status.h"
72 #include "fd-util.h"
73 #include "fileio.h"
74 #include "format-util.h"
75 #include "fs-util.h"
76 #include "glob-util.h"
77 #include "io-util.h"
78 #include "ioprio.h"
79 #include "log.h"
80 #include "macro.h"
81 #include "missing.h"
82 #include "mkdir.h"
83 #include "namespace.h"
84 #include "parse-util.h"
85 #include "path-util.h"
86 #include "process-util.h"
87 #include "rlimit-util.h"
88 #include "rm-rf.h"
89 #ifdef HAVE_SECCOMP
90 #include "seccomp-util.h"
91 #endif
92 #include "securebits.h"
93 #include "selinux-util.h"
94 #include "signal-util.h"
95 #include "smack-util.h"
96 #include "special.h"
97 #include "string-table.h"
98 #include "string-util.h"
99 #include "strv.h"
100 #include "syslog-util.h"
101 #include "terminal-util.h"
102 #include "unit.h"
103 #include "user-util.h"
104 #include "util.h"
105 #include "utmp-wtmp.h"
106
107 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
108 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
109
110 /* This assumes there is a 'tty' group */
111 #define TTY_MODE 0620
112
113 #define SNDBUF_SIZE (8*1024*1024)
114
115 static int shift_fds(int fds[], unsigned n_fds) {
116 int start, restart_from;
117
118 if (n_fds <= 0)
119 return 0;
120
121 /* Modifies the fds array! (sorts it) */
122
123 assert(fds);
124
125 start = 0;
126 for (;;) {
127 int i;
128
129 restart_from = -1;
130
131 for (i = start; i < (int) n_fds; i++) {
132 int nfd;
133
134 /* Already at right index? */
135 if (fds[i] == i+3)
136 continue;
137
138 nfd = fcntl(fds[i], F_DUPFD, i + 3);
139 if (nfd < 0)
140 return -errno;
141
142 safe_close(fds[i]);
143 fds[i] = nfd;
144
145 /* Hmm, the fd we wanted isn't free? Then
146 * let's remember that and try again from here */
147 if (nfd != i+3 && restart_from < 0)
148 restart_from = i;
149 }
150
151 if (restart_from < 0)
152 break;
153
154 start = restart_from;
155 }
156
157 return 0;
158 }
159
160 static int flags_fds(const int fds[], unsigned n_fds, unsigned n_socket_fds, bool nonblock) {
161 unsigned i;
162 int r;
163
164 if (n_fds <= 0)
165 return 0;
166
167 assert(fds);
168
169 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags.
170 * O_NONBLOCK only applies to socket activation though. */
171
172 for (i = 0; i < n_fds; i++) {
173
174 if (i < n_socket_fds) {
175 r = fd_nonblock(fds[i], nonblock);
176 if (r < 0)
177 return r;
178 }
179
180 /* We unconditionally drop FD_CLOEXEC from the fds,
181 * since after all we want to pass these fds to our
182 * children */
183
184 r = fd_cloexec(fds[i], false);
185 if (r < 0)
186 return r;
187 }
188
189 return 0;
190 }
191
192 static const char *exec_context_tty_path(const ExecContext *context) {
193 assert(context);
194
195 if (context->stdio_as_fds)
196 return NULL;
197
198 if (context->tty_path)
199 return context->tty_path;
200
201 return "/dev/console";
202 }
203
204 static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
205 const char *path;
206
207 assert(context);
208
209 path = exec_context_tty_path(context);
210
211 if (context->tty_vhangup) {
212 if (p && p->stdin_fd >= 0)
213 (void) terminal_vhangup_fd(p->stdin_fd);
214 else if (path)
215 (void) terminal_vhangup(path);
216 }
217
218 if (context->tty_reset) {
219 if (p && p->stdin_fd >= 0)
220 (void) reset_terminal_fd(p->stdin_fd, true);
221 else if (path)
222 (void) reset_terminal(path);
223 }
224
225 if (context->tty_vt_disallocate && path)
226 (void) vt_disallocate(path);
227 }
228
229 static bool is_terminal_input(ExecInput i) {
230 return IN_SET(i,
231 EXEC_INPUT_TTY,
232 EXEC_INPUT_TTY_FORCE,
233 EXEC_INPUT_TTY_FAIL);
234 }
235
236 static bool is_terminal_output(ExecOutput o) {
237 return IN_SET(o,
238 EXEC_OUTPUT_TTY,
239 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
240 EXEC_OUTPUT_KMSG_AND_CONSOLE,
241 EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
242 }
243
244 static bool exec_context_needs_term(const ExecContext *c) {
245 assert(c);
246
247 /* Return true if the execution context suggests we should set $TERM to something useful. */
248
249 if (is_terminal_input(c->std_input))
250 return true;
251
252 if (is_terminal_output(c->std_output))
253 return true;
254
255 if (is_terminal_output(c->std_error))
256 return true;
257
258 return !!c->tty_path;
259 }
260
261 static int open_null_as(int flags, int nfd) {
262 int fd, r;
263
264 assert(nfd >= 0);
265
266 fd = open("/dev/null", flags|O_NOCTTY);
267 if (fd < 0)
268 return -errno;
269
270 if (fd != nfd) {
271 r = dup2(fd, nfd) < 0 ? -errno : nfd;
272 safe_close(fd);
273 } else
274 r = nfd;
275
276 return r;
277 }
278
279 static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
280 union sockaddr_union sa = {
281 .un.sun_family = AF_UNIX,
282 .un.sun_path = "/run/systemd/journal/stdout",
283 };
284 uid_t olduid = UID_INVALID;
285 gid_t oldgid = GID_INVALID;
286 int r;
287
288 if (gid != GID_INVALID) {
289 oldgid = getgid();
290
291 r = setegid(gid);
292 if (r < 0)
293 return -errno;
294 }
295
296 if (uid != UID_INVALID) {
297 olduid = getuid();
298
299 r = seteuid(uid);
300 if (r < 0) {
301 r = -errno;
302 goto restore_gid;
303 }
304 }
305
306 r = connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
307 if (r < 0)
308 r = -errno;
309
310 /* If we fail to restore the uid or gid, things will likely
311 fail later on. This should only happen if an LSM interferes. */
312
313 if (uid != UID_INVALID)
314 (void) seteuid(olduid);
315
316 restore_gid:
317 if (gid != GID_INVALID)
318 (void) setegid(oldgid);
319
320 return r;
321 }
322
323 static int connect_logger_as(
324 Unit *unit,
325 const ExecContext *context,
326 ExecOutput output,
327 const char *ident,
328 int nfd,
329 uid_t uid,
330 gid_t gid) {
331
332 int fd, r;
333
334 assert(context);
335 assert(output < _EXEC_OUTPUT_MAX);
336 assert(ident);
337 assert(nfd >= 0);
338
339 fd = socket(AF_UNIX, SOCK_STREAM, 0);
340 if (fd < 0)
341 return -errno;
342
343 r = connect_journal_socket(fd, uid, gid);
344 if (r < 0)
345 return r;
346
347 if (shutdown(fd, SHUT_RD) < 0) {
348 safe_close(fd);
349 return -errno;
350 }
351
352 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
353
354 dprintf(fd,
355 "%s\n"
356 "%s\n"
357 "%i\n"
358 "%i\n"
359 "%i\n"
360 "%i\n"
361 "%i\n",
362 context->syslog_identifier ? context->syslog_identifier : ident,
363 unit->id,
364 context->syslog_priority,
365 !!context->syslog_level_prefix,
366 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
367 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
368 is_terminal_output(output));
369
370 if (fd == nfd)
371 return nfd;
372
373 r = dup2(fd, nfd) < 0 ? -errno : nfd;
374 safe_close(fd);
375
376 return r;
377 }
378 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
379 int fd, r;
380
381 assert(path);
382 assert(nfd >= 0);
383
384 fd = open_terminal(path, mode | O_NOCTTY);
385 if (fd < 0)
386 return fd;
387
388 if (fd != nfd) {
389 r = dup2(fd, nfd) < 0 ? -errno : nfd;
390 safe_close(fd);
391 } else
392 r = nfd;
393
394 return r;
395 }
396
397 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
398
399 if (is_terminal_input(std_input) && !apply_tty_stdin)
400 return EXEC_INPUT_NULL;
401
402 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
403 return EXEC_INPUT_NULL;
404
405 return std_input;
406 }
407
408 static int fixup_output(ExecOutput std_output, int socket_fd) {
409
410 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
411 return EXEC_OUTPUT_INHERIT;
412
413 return std_output;
414 }
415
416 static int setup_input(
417 const ExecContext *context,
418 const ExecParameters *params,
419 int socket_fd,
420 int named_iofds[3]) {
421
422 ExecInput i;
423
424 assert(context);
425 assert(params);
426
427 if (params->stdin_fd >= 0) {
428 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
429 return -errno;
430
431 /* Try to make this the controlling tty, if it is a tty, and reset it */
432 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
433 (void) reset_terminal_fd(STDIN_FILENO, true);
434
435 return STDIN_FILENO;
436 }
437
438 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
439
440 switch (i) {
441
442 case EXEC_INPUT_NULL:
443 return open_null_as(O_RDONLY, STDIN_FILENO);
444
445 case EXEC_INPUT_TTY:
446 case EXEC_INPUT_TTY_FORCE:
447 case EXEC_INPUT_TTY_FAIL: {
448 int fd, r;
449
450 fd = acquire_terminal(exec_context_tty_path(context),
451 i == EXEC_INPUT_TTY_FAIL,
452 i == EXEC_INPUT_TTY_FORCE,
453 false,
454 USEC_INFINITY);
455 if (fd < 0)
456 return fd;
457
458 if (fd != STDIN_FILENO) {
459 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
460 safe_close(fd);
461 } else
462 r = STDIN_FILENO;
463
464 return r;
465 }
466
467 case EXEC_INPUT_SOCKET:
468 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
469
470 case EXEC_INPUT_NAMED_FD:
471 (void) fd_nonblock(named_iofds[STDIN_FILENO], false);
472 return dup2(named_iofds[STDIN_FILENO], STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
473
474 default:
475 assert_not_reached("Unknown input type");
476 }
477 }
478
479 static int setup_output(
480 Unit *unit,
481 const ExecContext *context,
482 const ExecParameters *params,
483 int fileno,
484 int socket_fd,
485 int named_iofds[3],
486 const char *ident,
487 uid_t uid,
488 gid_t gid,
489 dev_t *journal_stream_dev,
490 ino_t *journal_stream_ino) {
491
492 ExecOutput o;
493 ExecInput i;
494 int r;
495
496 assert(unit);
497 assert(context);
498 assert(params);
499 assert(ident);
500 assert(journal_stream_dev);
501 assert(journal_stream_ino);
502
503 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
504
505 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
506 return -errno;
507
508 return STDOUT_FILENO;
509 }
510
511 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
512 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
513 return -errno;
514
515 return STDERR_FILENO;
516 }
517
518 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
519 o = fixup_output(context->std_output, socket_fd);
520
521 if (fileno == STDERR_FILENO) {
522 ExecOutput e;
523 e = fixup_output(context->std_error, socket_fd);
524
525 /* This expects the input and output are already set up */
526
527 /* Don't change the stderr file descriptor if we inherit all
528 * the way and are not on a tty */
529 if (e == EXEC_OUTPUT_INHERIT &&
530 o == EXEC_OUTPUT_INHERIT &&
531 i == EXEC_INPUT_NULL &&
532 !is_terminal_input(context->std_input) &&
533 getppid () != 1)
534 return fileno;
535
536 /* Duplicate from stdout if possible */
537 if ((e == o && e != EXEC_OUTPUT_NAMED_FD) || e == EXEC_OUTPUT_INHERIT)
538 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
539
540 o = e;
541
542 } else if (o == EXEC_OUTPUT_INHERIT) {
543 /* If input got downgraded, inherit the original value */
544 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
545 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
546
547 /* If the input is connected to anything that's not a /dev/null, inherit that... */
548 if (i != EXEC_INPUT_NULL)
549 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
550
551 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
552 if (getppid() != 1)
553 return fileno;
554
555 /* We need to open /dev/null here anew, to get the right access mode. */
556 return open_null_as(O_WRONLY, fileno);
557 }
558
559 switch (o) {
560
561 case EXEC_OUTPUT_NULL:
562 return open_null_as(O_WRONLY, fileno);
563
564 case EXEC_OUTPUT_TTY:
565 if (is_terminal_input(i))
566 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
567
568 /* We don't reset the terminal if this is just about output */
569 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
570
571 case EXEC_OUTPUT_SYSLOG:
572 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
573 case EXEC_OUTPUT_KMSG:
574 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
575 case EXEC_OUTPUT_JOURNAL:
576 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
577 r = connect_logger_as(unit, context, o, ident, fileno, uid, gid);
578 if (r < 0) {
579 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
580 r = open_null_as(O_WRONLY, fileno);
581 } else {
582 struct stat st;
583
584 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
585 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
586 * services to detect whether they are connected to the journal or not. */
587
588 if (fstat(fileno, &st) >= 0) {
589 *journal_stream_dev = st.st_dev;
590 *journal_stream_ino = st.st_ino;
591 }
592 }
593 return r;
594
595 case EXEC_OUTPUT_SOCKET:
596 assert(socket_fd >= 0);
597 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
598
599 case EXEC_OUTPUT_NAMED_FD:
600 (void) fd_nonblock(named_iofds[fileno], false);
601 return dup2(named_iofds[fileno], fileno) < 0 ? -errno : fileno;
602
603 default:
604 assert_not_reached("Unknown error type");
605 }
606 }
607
608 static int chown_terminal(int fd, uid_t uid) {
609 struct stat st;
610
611 assert(fd >= 0);
612
613 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
614 if (isatty(fd) < 1)
615 return 0;
616
617 /* This might fail. What matters are the results. */
618 (void) fchown(fd, uid, -1);
619 (void) fchmod(fd, TTY_MODE);
620
621 if (fstat(fd, &st) < 0)
622 return -errno;
623
624 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
625 return -EPERM;
626
627 return 0;
628 }
629
630 static int setup_confirm_stdio(const char *vc, int *_saved_stdin, int *_saved_stdout) {
631 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
632 int r;
633
634 assert(_saved_stdin);
635 assert(_saved_stdout);
636
637 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
638 if (saved_stdin < 0)
639 return -errno;
640
641 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
642 if (saved_stdout < 0)
643 return -errno;
644
645 fd = acquire_terminal(vc, false, false, false, DEFAULT_CONFIRM_USEC);
646 if (fd < 0)
647 return fd;
648
649 r = chown_terminal(fd, getuid());
650 if (r < 0)
651 return r;
652
653 r = reset_terminal_fd(fd, true);
654 if (r < 0)
655 return r;
656
657 if (dup2(fd, STDIN_FILENO) < 0)
658 return -errno;
659
660 if (dup2(fd, STDOUT_FILENO) < 0)
661 return -errno;
662
663 if (fd >= 2)
664 safe_close(fd);
665 fd = -1;
666
667 *_saved_stdin = saved_stdin;
668 *_saved_stdout = saved_stdout;
669
670 saved_stdin = saved_stdout = -1;
671
672 return 0;
673 }
674
675 static void write_confirm_error_fd(int err, int fd, const Unit *u) {
676 assert(err < 0);
677
678 if (err == -ETIMEDOUT)
679 dprintf(fd, "Confirmation question timed out for %s, assuming positive response.\n", u->id);
680 else {
681 errno = -err;
682 dprintf(fd, "Couldn't ask confirmation for %s: %m, assuming positive response.\n", u->id);
683 }
684 }
685
686 static void write_confirm_error(int err, const char *vc, const Unit *u) {
687 _cleanup_close_ int fd = -1;
688
689 assert(vc);
690
691 fd = open_terminal(vc, O_WRONLY|O_NOCTTY|O_CLOEXEC);
692 if (fd < 0)
693 return;
694
695 write_confirm_error_fd(err, fd, u);
696 }
697
698 static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
699 int r = 0;
700
701 assert(saved_stdin);
702 assert(saved_stdout);
703
704 release_terminal();
705
706 if (*saved_stdin >= 0)
707 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
708 r = -errno;
709
710 if (*saved_stdout >= 0)
711 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
712 r = -errno;
713
714 *saved_stdin = safe_close(*saved_stdin);
715 *saved_stdout = safe_close(*saved_stdout);
716
717 return r;
718 }
719
720 enum {
721 CONFIRM_PRETEND_FAILURE = -1,
722 CONFIRM_PRETEND_SUCCESS = 0,
723 CONFIRM_EXECUTE = 1,
724 };
725
726 static int ask_for_confirmation(const char *vc, Unit *u, const char *cmdline) {
727 int saved_stdout = -1, saved_stdin = -1, r;
728 _cleanup_free_ char *e = NULL;
729 char c;
730
731 /* For any internal errors, assume a positive response. */
732 r = setup_confirm_stdio(vc, &saved_stdin, &saved_stdout);
733 if (r < 0) {
734 write_confirm_error(r, vc, u);
735 return CONFIRM_EXECUTE;
736 }
737
738 /* confirm_spawn might have been disabled while we were sleeping. */
739 if (manager_is_confirm_spawn_disabled(u->manager)) {
740 r = 1;
741 goto restore_stdio;
742 }
743
744 e = ellipsize(cmdline, 60, 100);
745 if (!e) {
746 log_oom();
747 r = CONFIRM_EXECUTE;
748 goto restore_stdio;
749 }
750
751 for (;;) {
752 r = ask_char(&c, "yfshiDjcn", "Execute %s? [y, f, s – h for help] ", e);
753 if (r < 0) {
754 write_confirm_error_fd(r, STDOUT_FILENO, u);
755 r = CONFIRM_EXECUTE;
756 goto restore_stdio;
757 }
758
759 switch (c) {
760 case 'c':
761 printf("Resuming normal execution.\n");
762 manager_disable_confirm_spawn();
763 r = 1;
764 break;
765 case 'D':
766 unit_dump(u, stdout, " ");
767 continue; /* ask again */
768 case 'f':
769 printf("Failing execution.\n");
770 r = CONFIRM_PRETEND_FAILURE;
771 break;
772 case 'h':
773 printf(" c - continue, proceed without asking anymore\n"
774 " D - dump, show the state of the unit\n"
775 " f - fail, don't execute the command and pretend it failed\n"
776 " h - help\n"
777 " i - info, show a short summary of the unit\n"
778 " j - jobs, show jobs that are in progress\n"
779 " s - skip, don't execute the command and pretend it succeeded\n"
780 " y - yes, execute the command\n");
781 continue; /* ask again */
782 case 'i':
783 printf(" Description: %s\n"
784 " Unit: %s\n"
785 " Command: %s\n",
786 u->id, u->description, cmdline);
787 continue; /* ask again */
788 case 'j':
789 manager_dump_jobs(u->manager, stdout, " ");
790 continue; /* ask again */
791 case 'n':
792 /* 'n' was removed in favor of 'f'. */
793 printf("Didn't understand 'n', did you mean 'f'?\n");
794 continue; /* ask again */
795 case 's':
796 printf("Skipping execution.\n");
797 r = CONFIRM_PRETEND_SUCCESS;
798 break;
799 case 'y':
800 r = CONFIRM_EXECUTE;
801 break;
802 default:
803 assert_not_reached("Unhandled choice");
804 }
805 break;
806 }
807
808 restore_stdio:
809 restore_confirm_stdio(&saved_stdin, &saved_stdout);
810 return r;
811 }
812
813 static int get_fixed_user(const ExecContext *c, const char **user,
814 uid_t *uid, gid_t *gid,
815 const char **home, const char **shell) {
816 int r;
817 const char *name;
818
819 assert(c);
820
821 if (!c->user)
822 return 0;
823
824 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
825 * (i.e. are "/" or "/bin/nologin"). */
826
827 name = c->user;
828 r = get_user_creds_clean(&name, uid, gid, home, shell);
829 if (r < 0)
830 return r;
831
832 *user = name;
833 return 0;
834 }
835
836 static int get_fixed_group(const ExecContext *c, const char **group, gid_t *gid) {
837 int r;
838 const char *name;
839
840 assert(c);
841
842 if (!c->group)
843 return 0;
844
845 name = c->group;
846 r = get_group_creds(&name, gid);
847 if (r < 0)
848 return r;
849
850 *group = name;
851 return 0;
852 }
853
854 static int get_supplementary_groups(const ExecContext *c, const char *user,
855 const char *group, gid_t gid,
856 gid_t **supplementary_gids, int *ngids) {
857 char **i;
858 int r, k = 0;
859 int ngroups_max;
860 bool keep_groups = false;
861 gid_t *groups = NULL;
862 _cleanup_free_ gid_t *l_gids = NULL;
863
864 assert(c);
865
866 /*
867 * If user is given, then lookup GID and supplementary groups list.
868 * We avoid NSS lookups for gid=0. Also we have to initialize groups
869 * here and as early as possible so we keep the list of supplementary
870 * groups of the caller.
871 */
872 if (user && gid_is_valid(gid) && gid != 0) {
873 /* First step, initialize groups from /etc/groups */
874 if (initgroups(user, gid) < 0)
875 return -errno;
876
877 keep_groups = true;
878 }
879
880 if (!c->supplementary_groups)
881 return 0;
882
883 /*
884 * If SupplementaryGroups= was passed then NGROUPS_MAX has to
885 * be positive, otherwise fail.
886 */
887 errno = 0;
888 ngroups_max = (int) sysconf(_SC_NGROUPS_MAX);
889 if (ngroups_max <= 0) {
890 if (errno > 0)
891 return -errno;
892 else
893 return -EOPNOTSUPP; /* For all other values */
894 }
895
896 l_gids = new(gid_t, ngroups_max);
897 if (!l_gids)
898 return -ENOMEM;
899
900 if (keep_groups) {
901 /*
902 * Lookup the list of groups that the user belongs to, we
903 * avoid NSS lookups here too for gid=0.
904 */
905 k = ngroups_max;
906 if (getgrouplist(user, gid, l_gids, &k) < 0)
907 return -EINVAL;
908 } else
909 k = 0;
910
911 STRV_FOREACH(i, c->supplementary_groups) {
912 const char *g;
913
914 if (k >= ngroups_max)
915 return -E2BIG;
916
917 g = *i;
918 r = get_group_creds(&g, l_gids+k);
919 if (r < 0)
920 return r;
921
922 k++;
923 }
924
925 /*
926 * Sets ngids to zero to drop all supplementary groups, happens
927 * when we are under root and SupplementaryGroups= is empty.
928 */
929 if (k == 0) {
930 *ngids = 0;
931 return 0;
932 }
933
934 /* Otherwise get the final list of supplementary groups */
935 groups = memdup(l_gids, sizeof(gid_t) * k);
936 if (!groups)
937 return -ENOMEM;
938
939 *supplementary_gids = groups;
940 *ngids = k;
941
942 groups = NULL;
943
944 return 0;
945 }
946
947 static int enforce_groups(const ExecContext *context, gid_t gid,
948 gid_t *supplementary_gids, int ngids) {
949 int r;
950
951 assert(context);
952
953 /* Handle SupplementaryGroups= even if it is empty */
954 if (context->supplementary_groups) {
955 r = maybe_setgroups(ngids, supplementary_gids);
956 if (r < 0)
957 return r;
958 }
959
960 if (gid_is_valid(gid)) {
961 /* Then set our gids */
962 if (setresgid(gid, gid, gid) < 0)
963 return -errno;
964 }
965
966 return 0;
967 }
968
969 static int enforce_user(const ExecContext *context, uid_t uid) {
970 assert(context);
971
972 if (!uid_is_valid(uid))
973 return 0;
974
975 /* Sets (but doesn't look up) the uid and make sure we keep the
976 * capabilities while doing so. */
977
978 if (context->capability_ambient_set != 0) {
979
980 /* First step: If we need to keep capabilities but
981 * drop privileges we need to make sure we keep our
982 * caps, while we drop privileges. */
983 if (uid != 0) {
984 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
985
986 if (prctl(PR_GET_SECUREBITS) != sb)
987 if (prctl(PR_SET_SECUREBITS, sb) < 0)
988 return -errno;
989 }
990 }
991
992 /* Second step: actually set the uids */
993 if (setresuid(uid, uid, uid) < 0)
994 return -errno;
995
996 /* At this point we should have all necessary capabilities but
997 are otherwise a normal user. However, the caps might got
998 corrupted due to the setresuid() so we need clean them up
999 later. This is done outside of this call. */
1000
1001 return 0;
1002 }
1003
1004 #ifdef HAVE_PAM
1005
1006 static int null_conv(
1007 int num_msg,
1008 const struct pam_message **msg,
1009 struct pam_response **resp,
1010 void *appdata_ptr) {
1011
1012 /* We don't support conversations */
1013
1014 return PAM_CONV_ERR;
1015 }
1016
1017 #endif
1018
1019 static int setup_pam(
1020 const char *name,
1021 const char *user,
1022 uid_t uid,
1023 gid_t gid,
1024 const char *tty,
1025 char ***env,
1026 int fds[], unsigned n_fds) {
1027
1028 #ifdef HAVE_PAM
1029
1030 static const struct pam_conv conv = {
1031 .conv = null_conv,
1032 .appdata_ptr = NULL
1033 };
1034
1035 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
1036 pam_handle_t *handle = NULL;
1037 sigset_t old_ss;
1038 int pam_code = PAM_SUCCESS, r;
1039 char **nv, **e = NULL;
1040 bool close_session = false;
1041 pid_t pam_pid = 0, parent_pid;
1042 int flags = 0;
1043
1044 assert(name);
1045 assert(user);
1046 assert(env);
1047
1048 /* We set up PAM in the parent process, then fork. The child
1049 * will then stay around until killed via PR_GET_PDEATHSIG or
1050 * systemd via the cgroup logic. It will then remove the PAM
1051 * session again. The parent process will exec() the actual
1052 * daemon. We do things this way to ensure that the main PID
1053 * of the daemon is the one we initially fork()ed. */
1054
1055 r = barrier_create(&barrier);
1056 if (r < 0)
1057 goto fail;
1058
1059 if (log_get_max_level() < LOG_DEBUG)
1060 flags |= PAM_SILENT;
1061
1062 pam_code = pam_start(name, user, &conv, &handle);
1063 if (pam_code != PAM_SUCCESS) {
1064 handle = NULL;
1065 goto fail;
1066 }
1067
1068 if (tty) {
1069 pam_code = pam_set_item(handle, PAM_TTY, tty);
1070 if (pam_code != PAM_SUCCESS)
1071 goto fail;
1072 }
1073
1074 STRV_FOREACH(nv, *env) {
1075 pam_code = pam_putenv(handle, *nv);
1076 if (pam_code != PAM_SUCCESS)
1077 goto fail;
1078 }
1079
1080 pam_code = pam_acct_mgmt(handle, flags);
1081 if (pam_code != PAM_SUCCESS)
1082 goto fail;
1083
1084 pam_code = pam_open_session(handle, flags);
1085 if (pam_code != PAM_SUCCESS)
1086 goto fail;
1087
1088 close_session = true;
1089
1090 e = pam_getenvlist(handle);
1091 if (!e) {
1092 pam_code = PAM_BUF_ERR;
1093 goto fail;
1094 }
1095
1096 /* Block SIGTERM, so that we know that it won't get lost in
1097 * the child */
1098
1099 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
1100
1101 parent_pid = getpid();
1102
1103 pam_pid = fork();
1104 if (pam_pid < 0) {
1105 r = -errno;
1106 goto fail;
1107 }
1108
1109 if (pam_pid == 0) {
1110 int sig, ret = EXIT_PAM;
1111
1112 /* The child's job is to reset the PAM session on
1113 * termination */
1114 barrier_set_role(&barrier, BARRIER_CHILD);
1115
1116 /* This string must fit in 10 chars (i.e. the length
1117 * of "/sbin/init"), to look pretty in /bin/ps */
1118 rename_process("(sd-pam)");
1119
1120 /* Make sure we don't keep open the passed fds in this
1121 child. We assume that otherwise only those fds are
1122 open here that have been opened by PAM. */
1123 close_many(fds, n_fds);
1124
1125 /* Drop privileges - we don't need any to pam_close_session
1126 * and this will make PR_SET_PDEATHSIG work in most cases.
1127 * If this fails, ignore the error - but expect sd-pam threads
1128 * to fail to exit normally */
1129
1130 r = maybe_setgroups(0, NULL);
1131 if (r < 0)
1132 log_warning_errno(r, "Failed to setgroups() in sd-pam: %m");
1133 if (setresgid(gid, gid, gid) < 0)
1134 log_warning_errno(errno, "Failed to setresgid() in sd-pam: %m");
1135 if (setresuid(uid, uid, uid) < 0)
1136 log_warning_errno(errno, "Failed to setresuid() in sd-pam: %m");
1137
1138 (void) ignore_signals(SIGPIPE, -1);
1139
1140 /* Wait until our parent died. This will only work if
1141 * the above setresuid() succeeds, otherwise the kernel
1142 * will not allow unprivileged parents kill their privileged
1143 * children this way. We rely on the control groups kill logic
1144 * to do the rest for us. */
1145 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
1146 goto child_finish;
1147
1148 /* Tell the parent that our setup is done. This is especially
1149 * important regarding dropping privileges. Otherwise, unit
1150 * setup might race against our setresuid(2) call.
1151 *
1152 * If the parent aborted, we'll detect this below, hence ignore
1153 * return failure here. */
1154 (void) barrier_place(&barrier);
1155
1156 /* Check if our parent process might already have died? */
1157 if (getppid() == parent_pid) {
1158 sigset_t ss;
1159
1160 assert_se(sigemptyset(&ss) >= 0);
1161 assert_se(sigaddset(&ss, SIGTERM) >= 0);
1162
1163 for (;;) {
1164 if (sigwait(&ss, &sig) < 0) {
1165 if (errno == EINTR)
1166 continue;
1167
1168 goto child_finish;
1169 }
1170
1171 assert(sig == SIGTERM);
1172 break;
1173 }
1174 }
1175
1176 /* If our parent died we'll end the session */
1177 if (getppid() != parent_pid) {
1178 pam_code = pam_close_session(handle, flags);
1179 if (pam_code != PAM_SUCCESS)
1180 goto child_finish;
1181 }
1182
1183 ret = 0;
1184
1185 child_finish:
1186 pam_end(handle, pam_code | flags);
1187 _exit(ret);
1188 }
1189
1190 barrier_set_role(&barrier, BARRIER_PARENT);
1191
1192 /* If the child was forked off successfully it will do all the
1193 * cleanups, so forget about the handle here. */
1194 handle = NULL;
1195
1196 /* Unblock SIGTERM again in the parent */
1197 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
1198
1199 /* We close the log explicitly here, since the PAM modules
1200 * might have opened it, but we don't want this fd around. */
1201 closelog();
1202
1203 /* Synchronously wait for the child to initialize. We don't care for
1204 * errors as we cannot recover. However, warn loudly if it happens. */
1205 if (!barrier_place_and_sync(&barrier))
1206 log_error("PAM initialization failed");
1207
1208 strv_free(*env);
1209 *env = e;
1210
1211 return 0;
1212
1213 fail:
1214 if (pam_code != PAM_SUCCESS) {
1215 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
1216 r = -EPERM; /* PAM errors do not map to errno */
1217 } else
1218 log_error_errno(r, "PAM failed: %m");
1219
1220 if (handle) {
1221 if (close_session)
1222 pam_code = pam_close_session(handle, flags);
1223
1224 pam_end(handle, pam_code | flags);
1225 }
1226
1227 strv_free(e);
1228 closelog();
1229
1230 return r;
1231 #else
1232 return 0;
1233 #endif
1234 }
1235
1236 static void rename_process_from_path(const char *path) {
1237 char process_name[11];
1238 const char *p;
1239 size_t l;
1240
1241 /* This resulting string must fit in 10 chars (i.e. the length
1242 * of "/sbin/init") to look pretty in /bin/ps */
1243
1244 p = basename(path);
1245 if (isempty(p)) {
1246 rename_process("(...)");
1247 return;
1248 }
1249
1250 l = strlen(p);
1251 if (l > 8) {
1252 /* The end of the process name is usually more
1253 * interesting, since the first bit might just be
1254 * "systemd-" */
1255 p = p + l - 8;
1256 l = 8;
1257 }
1258
1259 process_name[0] = '(';
1260 memcpy(process_name+1, p, l);
1261 process_name[1+l] = ')';
1262 process_name[1+l+1] = 0;
1263
1264 rename_process(process_name);
1265 }
1266
1267 static bool context_has_address_families(const ExecContext *c) {
1268 assert(c);
1269
1270 return c->address_families_whitelist ||
1271 !set_isempty(c->address_families);
1272 }
1273
1274 static bool context_has_syscall_filters(const ExecContext *c) {
1275 assert(c);
1276
1277 return c->syscall_whitelist ||
1278 !set_isempty(c->syscall_filter);
1279 }
1280
1281 static bool context_has_no_new_privileges(const ExecContext *c) {
1282 assert(c);
1283
1284 if (c->no_new_privileges)
1285 return true;
1286
1287 if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
1288 return false;
1289
1290 /* We need NNP if we have any form of seccomp and are unprivileged */
1291 return context_has_address_families(c) ||
1292 c->memory_deny_write_execute ||
1293 c->restrict_realtime ||
1294 exec_context_restrict_namespaces_set(c) ||
1295 c->protect_kernel_tunables ||
1296 c->protect_kernel_modules ||
1297 c->private_devices ||
1298 context_has_syscall_filters(c) ||
1299 !set_isempty(c->syscall_archs);
1300 }
1301
1302 #ifdef HAVE_SECCOMP
1303
1304 static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
1305
1306 if (is_seccomp_available())
1307 return false;
1308
1309 log_open();
1310 log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
1311 log_close();
1312 return true;
1313 }
1314
1315 static int apply_syscall_filter(const Unit* u, const ExecContext *c) {
1316 uint32_t negative_action, default_action, action;
1317
1318 assert(u);
1319 assert(c);
1320
1321 if (!context_has_syscall_filters(c))
1322 return 0;
1323
1324 if (skip_seccomp_unavailable(u, "SystemCallFilter="))
1325 return 0;
1326
1327 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
1328
1329 if (c->syscall_whitelist) {
1330 default_action = negative_action;
1331 action = SCMP_ACT_ALLOW;
1332 } else {
1333 default_action = SCMP_ACT_ALLOW;
1334 action = negative_action;
1335 }
1336
1337 return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_filter, action);
1338 }
1339
1340 static int apply_syscall_archs(const Unit *u, const ExecContext *c) {
1341 assert(u);
1342 assert(c);
1343
1344 if (set_isempty(c->syscall_archs))
1345 return 0;
1346
1347 if (skip_seccomp_unavailable(u, "SystemCallArchitectures="))
1348 return 0;
1349
1350 return seccomp_restrict_archs(c->syscall_archs);
1351 }
1352
1353 static int apply_address_families(const Unit* u, const ExecContext *c) {
1354 assert(u);
1355 assert(c);
1356
1357 if (!context_has_address_families(c))
1358 return 0;
1359
1360 if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
1361 return 0;
1362
1363 return seccomp_restrict_address_families(c->address_families, c->address_families_whitelist);
1364 }
1365
1366 static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c) {
1367 assert(u);
1368 assert(c);
1369
1370 if (!c->memory_deny_write_execute)
1371 return 0;
1372
1373 if (skip_seccomp_unavailable(u, "MemoryDenyWriteExecute="))
1374 return 0;
1375
1376 return seccomp_memory_deny_write_execute();
1377 }
1378
1379 static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
1380 assert(u);
1381 assert(c);
1382
1383 if (!c->restrict_realtime)
1384 return 0;
1385
1386 if (skip_seccomp_unavailable(u, "RestrictRealtime="))
1387 return 0;
1388
1389 return seccomp_restrict_realtime();
1390 }
1391
1392 static int apply_protect_sysctl(const Unit *u, const ExecContext *c) {
1393 assert(u);
1394 assert(c);
1395
1396 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1397 * let's protect even those systems where this is left on in the kernel. */
1398
1399 if (!c->protect_kernel_tunables)
1400 return 0;
1401
1402 if (skip_seccomp_unavailable(u, "ProtectKernelTunables="))
1403 return 0;
1404
1405 return seccomp_protect_sysctl();
1406 }
1407
1408 static int apply_protect_kernel_modules(const Unit *u, const ExecContext *c) {
1409 assert(u);
1410 assert(c);
1411
1412 /* Turn off module syscalls on ProtectKernelModules=yes */
1413
1414 if (!c->protect_kernel_modules)
1415 return 0;
1416
1417 if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
1418 return 0;
1419
1420 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM));
1421 }
1422
1423 static int apply_private_devices(const Unit *u, const ExecContext *c) {
1424 assert(u);
1425 assert(c);
1426
1427 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
1428
1429 if (!c->private_devices)
1430 return 0;
1431
1432 if (skip_seccomp_unavailable(u, "PrivateDevices="))
1433 return 0;
1434
1435 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
1436 }
1437
1438 static int apply_restrict_namespaces(Unit *u, const ExecContext *c) {
1439 assert(u);
1440 assert(c);
1441
1442 if (!exec_context_restrict_namespaces_set(c))
1443 return 0;
1444
1445 if (skip_seccomp_unavailable(u, "RestrictNamespaces="))
1446 return 0;
1447
1448 return seccomp_restrict_namespaces(c->restrict_namespaces);
1449 }
1450
1451 #endif
1452
1453 static void do_idle_pipe_dance(int idle_pipe[4]) {
1454 assert(idle_pipe);
1455
1456 idle_pipe[1] = safe_close(idle_pipe[1]);
1457 idle_pipe[2] = safe_close(idle_pipe[2]);
1458
1459 if (idle_pipe[0] >= 0) {
1460 int r;
1461
1462 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1463
1464 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
1465 ssize_t n;
1466
1467 /* Signal systemd that we are bored and want to continue. */
1468 n = write(idle_pipe[3], "x", 1);
1469 if (n > 0)
1470 /* Wait for systemd to react to the signal above. */
1471 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1472 }
1473
1474 idle_pipe[0] = safe_close(idle_pipe[0]);
1475
1476 }
1477
1478 idle_pipe[3] = safe_close(idle_pipe[3]);
1479 }
1480
1481 static int build_environment(
1482 Unit *u,
1483 const ExecContext *c,
1484 const ExecParameters *p,
1485 unsigned n_fds,
1486 const char *home,
1487 const char *username,
1488 const char *shell,
1489 dev_t journal_stream_dev,
1490 ino_t journal_stream_ino,
1491 char ***ret) {
1492
1493 _cleanup_strv_free_ char **our_env = NULL;
1494 unsigned n_env = 0;
1495 char *x;
1496
1497 assert(u);
1498 assert(c);
1499 assert(ret);
1500
1501 our_env = new0(char*, 14);
1502 if (!our_env)
1503 return -ENOMEM;
1504
1505 if (n_fds > 0) {
1506 _cleanup_free_ char *joined = NULL;
1507
1508 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1509 return -ENOMEM;
1510 our_env[n_env++] = x;
1511
1512 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1513 return -ENOMEM;
1514 our_env[n_env++] = x;
1515
1516 joined = strv_join(p->fd_names, ":");
1517 if (!joined)
1518 return -ENOMEM;
1519
1520 x = strjoin("LISTEN_FDNAMES=", joined);
1521 if (!x)
1522 return -ENOMEM;
1523 our_env[n_env++] = x;
1524 }
1525
1526 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
1527 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1528 return -ENOMEM;
1529 our_env[n_env++] = x;
1530
1531 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
1532 return -ENOMEM;
1533 our_env[n_env++] = x;
1534 }
1535
1536 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1537 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1538 * check the database directly. */
1539 if (unit_has_name(u, SPECIAL_DBUS_SERVICE)) {
1540 x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1541 if (!x)
1542 return -ENOMEM;
1543 our_env[n_env++] = x;
1544 }
1545
1546 if (home) {
1547 x = strappend("HOME=", home);
1548 if (!x)
1549 return -ENOMEM;
1550 our_env[n_env++] = x;
1551 }
1552
1553 if (username) {
1554 x = strappend("LOGNAME=", username);
1555 if (!x)
1556 return -ENOMEM;
1557 our_env[n_env++] = x;
1558
1559 x = strappend("USER=", username);
1560 if (!x)
1561 return -ENOMEM;
1562 our_env[n_env++] = x;
1563 }
1564
1565 if (shell) {
1566 x = strappend("SHELL=", shell);
1567 if (!x)
1568 return -ENOMEM;
1569 our_env[n_env++] = x;
1570 }
1571
1572 if (!sd_id128_is_null(u->invocation_id)) {
1573 if (asprintf(&x, "INVOCATION_ID=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(u->invocation_id)) < 0)
1574 return -ENOMEM;
1575
1576 our_env[n_env++] = x;
1577 }
1578
1579 if (exec_context_needs_term(c)) {
1580 const char *tty_path, *term = NULL;
1581
1582 tty_path = exec_context_tty_path(c);
1583
1584 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try to inherit
1585 * the $TERM set for PID 1. This is useful for containers so that the $TERM the container manager
1586 * passes to PID 1 ends up all the way in the console login shown. */
1587
1588 if (path_equal(tty_path, "/dev/console") && getppid() == 1)
1589 term = getenv("TERM");
1590 if (!term)
1591 term = default_term_for_tty(tty_path);
1592
1593 x = strappend("TERM=", term);
1594 if (!x)
1595 return -ENOMEM;
1596 our_env[n_env++] = x;
1597 }
1598
1599 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1600 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1601 return -ENOMEM;
1602
1603 our_env[n_env++] = x;
1604 }
1605
1606 our_env[n_env++] = NULL;
1607 assert(n_env <= 12);
1608
1609 *ret = our_env;
1610 our_env = NULL;
1611
1612 return 0;
1613 }
1614
1615 static int build_pass_environment(const ExecContext *c, char ***ret) {
1616 _cleanup_strv_free_ char **pass_env = NULL;
1617 size_t n_env = 0, n_bufsize = 0;
1618 char **i;
1619
1620 STRV_FOREACH(i, c->pass_environment) {
1621 _cleanup_free_ char *x = NULL;
1622 char *v;
1623
1624 v = getenv(*i);
1625 if (!v)
1626 continue;
1627 x = strjoin(*i, "=", v);
1628 if (!x)
1629 return -ENOMEM;
1630 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1631 return -ENOMEM;
1632 pass_env[n_env++] = x;
1633 pass_env[n_env] = NULL;
1634 x = NULL;
1635 }
1636
1637 *ret = pass_env;
1638 pass_env = NULL;
1639
1640 return 0;
1641 }
1642
1643 static bool exec_needs_mount_namespace(
1644 const ExecContext *context,
1645 const ExecParameters *params,
1646 ExecRuntime *runtime) {
1647
1648 assert(context);
1649 assert(params);
1650
1651 if (context->root_image)
1652 return true;
1653
1654 if (!strv_isempty(context->read_write_paths) ||
1655 !strv_isempty(context->read_only_paths) ||
1656 !strv_isempty(context->inaccessible_paths))
1657 return true;
1658
1659 if (context->n_bind_mounts > 0)
1660 return true;
1661
1662 if (context->mount_flags != 0)
1663 return true;
1664
1665 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1666 return true;
1667
1668 if (context->private_devices ||
1669 context->protect_system != PROTECT_SYSTEM_NO ||
1670 context->protect_home != PROTECT_HOME_NO ||
1671 context->protect_kernel_tunables ||
1672 context->protect_kernel_modules ||
1673 context->protect_control_groups)
1674 return true;
1675
1676 if (context->mount_apivfs && (context->root_image || context->root_directory))
1677 return true;
1678
1679 return false;
1680 }
1681
1682 static int setup_private_users(uid_t uid, gid_t gid) {
1683 _cleanup_free_ char *uid_map = NULL, *gid_map = NULL;
1684 _cleanup_close_pair_ int errno_pipe[2] = { -1, -1 };
1685 _cleanup_close_ int unshare_ready_fd = -1;
1686 _cleanup_(sigkill_waitp) pid_t pid = 0;
1687 uint64_t c = 1;
1688 siginfo_t si;
1689 ssize_t n;
1690 int r;
1691
1692 /* Set up a user namespace and map root to root, the selected UID/GID to itself, and everything else to
1693 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1694 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1695 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1696 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
1697 * continues execution normally. */
1698
1699 if (uid != 0 && uid_is_valid(uid)) {
1700 r = asprintf(&uid_map,
1701 "0 0 1\n" /* Map root → root */
1702 UID_FMT " " UID_FMT " 1\n", /* Map $UID → $UID */
1703 uid, uid);
1704 if (r < 0)
1705 return -ENOMEM;
1706 } else {
1707 uid_map = strdup("0 0 1\n"); /* The case where the above is the same */
1708 if (!uid_map)
1709 return -ENOMEM;
1710 }
1711
1712 if (gid != 0 && gid_is_valid(gid)) {
1713 r = asprintf(&gid_map,
1714 "0 0 1\n" /* Map root → root */
1715 GID_FMT " " GID_FMT " 1\n", /* Map $GID → $GID */
1716 gid, gid);
1717 if (r < 0)
1718 return -ENOMEM;
1719 } else {
1720 gid_map = strdup("0 0 1\n"); /* The case where the above is the same */
1721 if (!gid_map)
1722 return -ENOMEM;
1723 }
1724
1725 /* Create a communication channel so that the parent can tell the child when it finished creating the user
1726 * namespace. */
1727 unshare_ready_fd = eventfd(0, EFD_CLOEXEC);
1728 if (unshare_ready_fd < 0)
1729 return -errno;
1730
1731 /* Create a communication channel so that the child can tell the parent a proper error code in case it
1732 * failed. */
1733 if (pipe2(errno_pipe, O_CLOEXEC) < 0)
1734 return -errno;
1735
1736 pid = fork();
1737 if (pid < 0)
1738 return -errno;
1739
1740 if (pid == 0) {
1741 _cleanup_close_ int fd = -1;
1742 const char *a;
1743 pid_t ppid;
1744
1745 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
1746 * here, after the parent opened its own user namespace. */
1747
1748 ppid = getppid();
1749 errno_pipe[0] = safe_close(errno_pipe[0]);
1750
1751 /* Wait until the parent unshared the user namespace */
1752 if (read(unshare_ready_fd, &c, sizeof(c)) < 0) {
1753 r = -errno;
1754 goto child_fail;
1755 }
1756
1757 /* Disable the setgroups() system call in the child user namespace, for good. */
1758 a = procfs_file_alloca(ppid, "setgroups");
1759 fd = open(a, O_WRONLY|O_CLOEXEC);
1760 if (fd < 0) {
1761 if (errno != ENOENT) {
1762 r = -errno;
1763 goto child_fail;
1764 }
1765
1766 /* If the file is missing the kernel is too old, let's continue anyway. */
1767 } else {
1768 if (write(fd, "deny\n", 5) < 0) {
1769 r = -errno;
1770 goto child_fail;
1771 }
1772
1773 fd = safe_close(fd);
1774 }
1775
1776 /* First write the GID map */
1777 a = procfs_file_alloca(ppid, "gid_map");
1778 fd = open(a, O_WRONLY|O_CLOEXEC);
1779 if (fd < 0) {
1780 r = -errno;
1781 goto child_fail;
1782 }
1783 if (write(fd, gid_map, strlen(gid_map)) < 0) {
1784 r = -errno;
1785 goto child_fail;
1786 }
1787 fd = safe_close(fd);
1788
1789 /* The write the UID map */
1790 a = procfs_file_alloca(ppid, "uid_map");
1791 fd = open(a, O_WRONLY|O_CLOEXEC);
1792 if (fd < 0) {
1793 r = -errno;
1794 goto child_fail;
1795 }
1796 if (write(fd, uid_map, strlen(uid_map)) < 0) {
1797 r = -errno;
1798 goto child_fail;
1799 }
1800
1801 _exit(EXIT_SUCCESS);
1802
1803 child_fail:
1804 (void) write(errno_pipe[1], &r, sizeof(r));
1805 _exit(EXIT_FAILURE);
1806 }
1807
1808 errno_pipe[1] = safe_close(errno_pipe[1]);
1809
1810 if (unshare(CLONE_NEWUSER) < 0)
1811 return -errno;
1812
1813 /* Let the child know that the namespace is ready now */
1814 if (write(unshare_ready_fd, &c, sizeof(c)) < 0)
1815 return -errno;
1816
1817 /* Try to read an error code from the child */
1818 n = read(errno_pipe[0], &r, sizeof(r));
1819 if (n < 0)
1820 return -errno;
1821 if (n == sizeof(r)) { /* an error code was sent to us */
1822 if (r < 0)
1823 return r;
1824 return -EIO;
1825 }
1826 if (n != 0) /* on success we should have read 0 bytes */
1827 return -EIO;
1828
1829 r = wait_for_terminate(pid, &si);
1830 if (r < 0)
1831 return r;
1832 pid = 0;
1833
1834 /* If something strange happened with the child, let's consider this fatal, too */
1835 if (si.si_code != CLD_EXITED || si.si_status != 0)
1836 return -EIO;
1837
1838 return 0;
1839 }
1840
1841 static int setup_runtime_directory(
1842 const ExecContext *context,
1843 const ExecParameters *params,
1844 uid_t uid,
1845 gid_t gid) {
1846
1847 char **rt;
1848 int r;
1849
1850 assert(context);
1851 assert(params);
1852
1853 STRV_FOREACH(rt, context->runtime_directory) {
1854 _cleanup_free_ char *p;
1855
1856 p = strjoin(params->runtime_prefix, "/", *rt);
1857 if (!p)
1858 return -ENOMEM;
1859
1860 r = mkdir_p_label(p, context->runtime_directory_mode);
1861 if (r < 0)
1862 return r;
1863
1864 r = chmod_and_chown(p, context->runtime_directory_mode, uid, gid);
1865 if (r < 0)
1866 return r;
1867 }
1868
1869 return 0;
1870 }
1871
1872 static int setup_smack(
1873 const ExecContext *context,
1874 const ExecCommand *command) {
1875
1876 #ifdef HAVE_SMACK
1877 int r;
1878
1879 assert(context);
1880 assert(command);
1881
1882 if (!mac_smack_use())
1883 return 0;
1884
1885 if (context->smack_process_label) {
1886 r = mac_smack_apply_pid(0, context->smack_process_label);
1887 if (r < 0)
1888 return r;
1889 }
1890 #ifdef SMACK_DEFAULT_PROCESS_LABEL
1891 else {
1892 _cleanup_free_ char *exec_label = NULL;
1893
1894 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
1895 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP)
1896 return r;
1897
1898 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
1899 if (r < 0)
1900 return r;
1901 }
1902 #endif
1903 #endif
1904
1905 return 0;
1906 }
1907
1908 static int compile_read_write_paths(
1909 const ExecContext *context,
1910 const ExecParameters *params,
1911 char ***ret) {
1912
1913 _cleanup_strv_free_ char **l = NULL;
1914 char **rt;
1915
1916 /* Compile the list of writable paths. This is the combination of
1917 * the explicitly configured paths, plus all runtime directories. */
1918
1919 if (strv_isempty(context->read_write_paths) &&
1920 strv_isempty(context->runtime_directory)) {
1921 *ret = NULL; /* NOP if neither is set */
1922 return 0;
1923 }
1924
1925 l = strv_copy(context->read_write_paths);
1926 if (!l)
1927 return -ENOMEM;
1928
1929 STRV_FOREACH(rt, context->runtime_directory) {
1930 char *s;
1931
1932 s = strjoin(params->runtime_prefix, "/", *rt);
1933 if (!s)
1934 return -ENOMEM;
1935
1936 if (strv_consume(&l, s) < 0)
1937 return -ENOMEM;
1938 }
1939
1940 *ret = l;
1941 l = NULL;
1942
1943 return 0;
1944 }
1945
1946 static int apply_mount_namespace(
1947 Unit *u,
1948 ExecCommand *command,
1949 const ExecContext *context,
1950 const ExecParameters *params,
1951 ExecRuntime *runtime) {
1952
1953 _cleanup_strv_free_ char **rw = NULL;
1954 char *tmp = NULL, *var = NULL;
1955 const char *root_dir = NULL, *root_image = NULL;
1956 NameSpaceInfo ns_info = {
1957 .ignore_protect_paths = false,
1958 .private_dev = context->private_devices,
1959 .protect_control_groups = context->protect_control_groups,
1960 .protect_kernel_tunables = context->protect_kernel_tunables,
1961 .protect_kernel_modules = context->protect_kernel_modules,
1962 .mount_apivfs = context->mount_apivfs,
1963 };
1964 bool apply_restrictions;
1965 int r;
1966
1967 assert(context);
1968
1969 /* The runtime struct only contains the parent of the private /tmp,
1970 * which is non-accessible to world users. Inside of it there's a /tmp
1971 * that is sticky, and that's the one we want to use here. */
1972
1973 if (context->private_tmp && runtime) {
1974 if (runtime->tmp_dir)
1975 tmp = strjoina(runtime->tmp_dir, "/tmp");
1976 if (runtime->var_tmp_dir)
1977 var = strjoina(runtime->var_tmp_dir, "/tmp");
1978 }
1979
1980 r = compile_read_write_paths(context, params, &rw);
1981 if (r < 0)
1982 return r;
1983
1984 if (params->flags & EXEC_APPLY_CHROOT) {
1985 root_image = context->root_image;
1986
1987 if (!root_image)
1988 root_dir = context->root_directory;
1989 }
1990
1991 /*
1992 * If DynamicUser=no and RootDirectory= is set then lets pass a relaxed
1993 * sandbox info, otherwise enforce it, don't ignore protected paths and
1994 * fail if we are enable to apply the sandbox inside the mount namespace.
1995 */
1996 if (!context->dynamic_user && root_dir)
1997 ns_info.ignore_protect_paths = true;
1998
1999 apply_restrictions = (params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged;
2000
2001 r = setup_namespace(root_dir, root_image,
2002 &ns_info, rw,
2003 apply_restrictions ? context->read_only_paths : NULL,
2004 apply_restrictions ? context->inaccessible_paths : NULL,
2005 context->bind_mounts,
2006 context->n_bind_mounts,
2007 tmp,
2008 var,
2009 apply_restrictions ? context->protect_home : PROTECT_HOME_NO,
2010 apply_restrictions ? context->protect_system : PROTECT_SYSTEM_NO,
2011 context->mount_flags,
2012 DISSECT_IMAGE_DISCARD_ON_LOOP);
2013
2014 /* If we couldn't set up the namespace this is probably due to a
2015 * missing capability. In this case, silently proceeed. */
2016 if (IN_SET(r, -EPERM, -EACCES)) {
2017 log_open();
2018 log_unit_debug_errno(u, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
2019 log_close();
2020 r = 0;
2021 }
2022
2023 return r;
2024 }
2025
2026 static int apply_working_directory(
2027 const ExecContext *context,
2028 const ExecParameters *params,
2029 const char *home,
2030 const bool needs_mount_ns,
2031 int *exit_status) {
2032
2033 const char *d, *wd;
2034
2035 assert(context);
2036 assert(exit_status);
2037
2038 if (context->working_directory_home) {
2039
2040 if (!home) {
2041 *exit_status = EXIT_CHDIR;
2042 return -ENXIO;
2043 }
2044
2045 wd = home;
2046
2047 } else if (context->working_directory)
2048 wd = context->working_directory;
2049 else
2050 wd = "/";
2051
2052 if (params->flags & EXEC_APPLY_CHROOT) {
2053 if (!needs_mount_ns && context->root_directory)
2054 if (chroot(context->root_directory) < 0) {
2055 *exit_status = EXIT_CHROOT;
2056 return -errno;
2057 }
2058
2059 d = wd;
2060 } else
2061 d = prefix_roota(context->root_directory, wd);
2062
2063 if (chdir(d) < 0 && !context->working_directory_missing_ok) {
2064 *exit_status = EXIT_CHDIR;
2065 return -errno;
2066 }
2067
2068 return 0;
2069 }
2070
2071 static int setup_keyring(Unit *u, const ExecParameters *p, uid_t uid, gid_t gid) {
2072 key_serial_t keyring;
2073
2074 assert(u);
2075 assert(p);
2076
2077 /* Let's set up a new per-service "session" kernel keyring for each system service. This has the benefit that
2078 * each service runs with its own keyring shared among all processes of the service, but with no hook-up beyond
2079 * that scope, and in particular no link to the per-UID keyring. If we don't do this the keyring will be
2080 * automatically created on-demand and then linked to the per-UID keyring, by the kernel. The kernel's built-in
2081 * on-demand behaviour is very appropriate for login users, but probably not so much for system services, where
2082 * UIDs are not necessarily specific to a service but reused (at least in the case of UID 0). */
2083
2084 if (!(p->flags & EXEC_NEW_KEYRING))
2085 return 0;
2086
2087 keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0);
2088 if (keyring == -1) {
2089 if (errno == ENOSYS)
2090 log_debug_errno(errno, "Kernel keyring not supported, ignoring.");
2091 else if (IN_SET(errno, EACCES, EPERM))
2092 log_debug_errno(errno, "Kernel keyring access prohibited, ignoring.");
2093 else if (errno == EDQUOT)
2094 log_debug_errno(errno, "Out of kernel keyrings to allocate, ignoring.");
2095 else
2096 return log_error_errno(errno, "Setting up kernel keyring failed: %m");
2097
2098 return 0;
2099 }
2100
2101 /* Populate they keyring with the invocation ID by default. */
2102 if (!sd_id128_is_null(u->invocation_id)) {
2103 key_serial_t key;
2104
2105 key = add_key("user", "invocation_id", &u->invocation_id, sizeof(u->invocation_id), KEY_SPEC_SESSION_KEYRING);
2106 if (key == -1)
2107 log_debug_errno(errno, "Failed to add invocation ID to keyring, ignoring: %m");
2108 else {
2109 if (keyctl(KEYCTL_SETPERM, key,
2110 KEY_POS_VIEW|KEY_POS_READ|KEY_POS_SEARCH|
2111 KEY_USR_VIEW|KEY_USR_READ|KEY_USR_SEARCH, 0, 0) < 0)
2112 return log_error_errno(errno, "Failed to restrict invocation ID permission: %m");
2113 }
2114 }
2115
2116 /* And now, make the keyring owned by the service's user */
2117 if (uid_is_valid(uid) || gid_is_valid(gid))
2118 if (keyctl(KEYCTL_CHOWN, keyring, uid, gid, 0) < 0)
2119 return log_error_errno(errno, "Failed to change ownership of session keyring: %m");
2120
2121 return 0;
2122 }
2123
2124 static void append_socket_pair(int *array, unsigned *n, int pair[2]) {
2125 assert(array);
2126 assert(n);
2127
2128 if (!pair)
2129 return;
2130
2131 if (pair[0] >= 0)
2132 array[(*n)++] = pair[0];
2133 if (pair[1] >= 0)
2134 array[(*n)++] = pair[1];
2135 }
2136
2137 static int close_remaining_fds(
2138 const ExecParameters *params,
2139 ExecRuntime *runtime,
2140 DynamicCreds *dcreds,
2141 int user_lookup_fd,
2142 int socket_fd,
2143 int *fds, unsigned n_fds) {
2144
2145 unsigned n_dont_close = 0;
2146 int dont_close[n_fds + 12];
2147
2148 assert(params);
2149
2150 if (params->stdin_fd >= 0)
2151 dont_close[n_dont_close++] = params->stdin_fd;
2152 if (params->stdout_fd >= 0)
2153 dont_close[n_dont_close++] = params->stdout_fd;
2154 if (params->stderr_fd >= 0)
2155 dont_close[n_dont_close++] = params->stderr_fd;
2156
2157 if (socket_fd >= 0)
2158 dont_close[n_dont_close++] = socket_fd;
2159 if (n_fds > 0) {
2160 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
2161 n_dont_close += n_fds;
2162 }
2163
2164 if (runtime)
2165 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
2166
2167 if (dcreds) {
2168 if (dcreds->user)
2169 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
2170 if (dcreds->group)
2171 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
2172 }
2173
2174 if (user_lookup_fd >= 0)
2175 dont_close[n_dont_close++] = user_lookup_fd;
2176
2177 return close_all_fds(dont_close, n_dont_close);
2178 }
2179
2180 static int send_user_lookup(
2181 Unit *unit,
2182 int user_lookup_fd,
2183 uid_t uid,
2184 gid_t gid) {
2185
2186 assert(unit);
2187
2188 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
2189 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
2190 * specified. */
2191
2192 if (user_lookup_fd < 0)
2193 return 0;
2194
2195 if (!uid_is_valid(uid) && !gid_is_valid(gid))
2196 return 0;
2197
2198 if (writev(user_lookup_fd,
2199 (struct iovec[]) {
2200 { .iov_base = &uid, .iov_len = sizeof(uid) },
2201 { .iov_base = &gid, .iov_len = sizeof(gid) },
2202 { .iov_base = unit->id, .iov_len = strlen(unit->id) }}, 3) < 0)
2203 return -errno;
2204
2205 return 0;
2206 }
2207
2208 static int acquire_home(const ExecContext *c, uid_t uid, const char** home, char **buf) {
2209 int r;
2210
2211 assert(c);
2212 assert(home);
2213 assert(buf);
2214
2215 /* If WorkingDirectory=~ is set, try to acquire a usable home directory. */
2216
2217 if (*home)
2218 return 0;
2219
2220 if (!c->working_directory_home)
2221 return 0;
2222
2223 if (uid == 0) {
2224 /* Hardcode /root as home directory for UID 0 */
2225 *home = "/root";
2226 return 1;
2227 }
2228
2229 r = get_home_dir(buf);
2230 if (r < 0)
2231 return r;
2232
2233 *home = *buf;
2234 return 1;
2235 }
2236
2237 static int exec_child(
2238 Unit *unit,
2239 ExecCommand *command,
2240 const ExecContext *context,
2241 const ExecParameters *params,
2242 ExecRuntime *runtime,
2243 DynamicCreds *dcreds,
2244 char **argv,
2245 int socket_fd,
2246 int named_iofds[3],
2247 int *fds, unsigned n_fds,
2248 unsigned n_socket_fds,
2249 char **files_env,
2250 int user_lookup_fd,
2251 int *exit_status,
2252 char **error_message) {
2253
2254 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **final_argv = NULL;
2255 _cleanup_free_ char *mac_selinux_context_net = NULL, *home_buffer = NULL;
2256 _cleanup_free_ gid_t *supplementary_gids = NULL;
2257 const char *username = NULL, *groupname = NULL;
2258 const char *home = NULL, *shell = NULL;
2259 dev_t journal_stream_dev = 0;
2260 ino_t journal_stream_ino = 0;
2261 bool needs_mount_namespace;
2262 uid_t uid = UID_INVALID;
2263 gid_t gid = GID_INVALID;
2264 int i, r, ngids = 0;
2265
2266 assert(unit);
2267 assert(command);
2268 assert(context);
2269 assert(params);
2270 assert(exit_status);
2271 assert(error_message);
2272 /* We don't always set error_message, hence it must be initialized */
2273 assert(*error_message == NULL);
2274
2275 rename_process_from_path(command->path);
2276
2277 /* We reset exactly these signals, since they are the
2278 * only ones we set to SIG_IGN in the main daemon. All
2279 * others we leave untouched because we set them to
2280 * SIG_DFL or a valid handler initially, both of which
2281 * will be demoted to SIG_DFL. */
2282 (void) default_signals(SIGNALS_CRASH_HANDLER,
2283 SIGNALS_IGNORE, -1);
2284
2285 if (context->ignore_sigpipe)
2286 (void) ignore_signals(SIGPIPE, -1);
2287
2288 r = reset_signal_mask();
2289 if (r < 0) {
2290 *exit_status = EXIT_SIGNAL_MASK;
2291 *error_message = strdup("Failed to reset signal mask");
2292 /* If strdup fails, here and below, we will just print the generic error message. */
2293 return r;
2294 }
2295
2296 if (params->idle_pipe)
2297 do_idle_pipe_dance(params->idle_pipe);
2298
2299 /* Close sockets very early to make sure we don't
2300 * block init reexecution because it cannot bind its
2301 * sockets */
2302
2303 log_forget_fds();
2304
2305 r = close_remaining_fds(params, runtime, dcreds, user_lookup_fd, socket_fd, fds, n_fds);
2306 if (r < 0) {
2307 *exit_status = EXIT_FDS;
2308 *error_message = strdup("Failed to close remaining fds");
2309 return r;
2310 }
2311
2312 if (!context->same_pgrp)
2313 if (setsid() < 0) {
2314 *exit_status = EXIT_SETSID;
2315 return -errno;
2316 }
2317
2318 exec_context_tty_reset(context, params);
2319
2320 if (unit_shall_confirm_spawn(unit)) {
2321 const char *vc = params->confirm_spawn;
2322 _cleanup_free_ char *cmdline = NULL;
2323
2324 cmdline = exec_command_line(argv);
2325 if (!cmdline) {
2326 *exit_status = EXIT_CONFIRM;
2327 return -ENOMEM;
2328 }
2329
2330 r = ask_for_confirmation(vc, unit, cmdline);
2331 if (r != CONFIRM_EXECUTE) {
2332 if (r == CONFIRM_PRETEND_SUCCESS) {
2333 *exit_status = EXIT_SUCCESS;
2334 return 0;
2335 }
2336 *exit_status = EXIT_CONFIRM;
2337 *error_message = strdup("Execution cancelled");
2338 return -ECANCELED;
2339 }
2340 }
2341
2342 if (context->dynamic_user && dcreds) {
2343
2344 /* Make sure we bypass our own NSS module for any NSS checks */
2345 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
2346 *exit_status = EXIT_USER;
2347 *error_message = strdup("Failed to update environment");
2348 return -errno;
2349 }
2350
2351 r = dynamic_creds_realize(dcreds, &uid, &gid);
2352 if (r < 0) {
2353 *exit_status = EXIT_USER;
2354 *error_message = strdup("Failed to update dynamic user credentials");
2355 return r;
2356 }
2357
2358 if (!uid_is_valid(uid)) {
2359 *exit_status = EXIT_USER;
2360 (void) asprintf(error_message, "UID validation failed for \""UID_FMT"\"", uid);
2361 /* If asprintf fails, here and below, we will just print the generic error message. */
2362 return -ESRCH;
2363 }
2364
2365 if (!gid_is_valid(gid)) {
2366 *exit_status = EXIT_USER;
2367 (void) asprintf(error_message, "GID validation failed for \""GID_FMT"\"", gid);
2368 return -ESRCH;
2369 }
2370
2371 if (dcreds->user)
2372 username = dcreds->user->name;
2373
2374 } else {
2375 r = get_fixed_user(context, &username, &uid, &gid, &home, &shell);
2376 if (r < 0) {
2377 *exit_status = EXIT_USER;
2378 *error_message = strdup("Failed to determine user credentials");
2379 return r;
2380 }
2381
2382 r = get_fixed_group(context, &groupname, &gid);
2383 if (r < 0) {
2384 *exit_status = EXIT_GROUP;
2385 *error_message = strdup("Failed to determine group credentials");
2386 return r;
2387 }
2388 }
2389
2390 /* Initialize user supplementary groups and get SupplementaryGroups= ones */
2391 r = get_supplementary_groups(context, username, groupname, gid,
2392 &supplementary_gids, &ngids);
2393 if (r < 0) {
2394 *exit_status = EXIT_GROUP;
2395 *error_message = strdup("Failed to determine supplementary groups");
2396 return r;
2397 }
2398
2399 r = send_user_lookup(unit, user_lookup_fd, uid, gid);
2400 if (r < 0) {
2401 *exit_status = EXIT_USER;
2402 *error_message = strdup("Failed to send user credentials to PID1");
2403 return r;
2404 }
2405
2406 user_lookup_fd = safe_close(user_lookup_fd);
2407
2408 r = acquire_home(context, uid, &home, &home_buffer);
2409 if (r < 0) {
2410 *exit_status = EXIT_CHDIR;
2411 *error_message = strdup("Failed to determine $HOME for user");
2412 return r;
2413 }
2414
2415 /* If a socket is connected to STDIN/STDOUT/STDERR, we
2416 * must sure to drop O_NONBLOCK */
2417 if (socket_fd >= 0)
2418 (void) fd_nonblock(socket_fd, false);
2419
2420 r = setup_input(context, params, socket_fd, named_iofds);
2421 if (r < 0) {
2422 *exit_status = EXIT_STDIN;
2423 *error_message = strdup("Failed to set up stdin");
2424 return r;
2425 }
2426
2427 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
2428 if (r < 0) {
2429 *exit_status = EXIT_STDOUT;
2430 *error_message = strdup("Failed to set up stdout");
2431 return r;
2432 }
2433
2434 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
2435 if (r < 0) {
2436 *exit_status = EXIT_STDERR;
2437 *error_message = strdup("Failed to set up stderr");
2438 return r;
2439 }
2440
2441 if (params->cgroup_path) {
2442 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
2443 if (r < 0) {
2444 *exit_status = EXIT_CGROUP;
2445 (void) asprintf(error_message, "Failed to attach to cgroup %s", params->cgroup_path);
2446 return r;
2447 }
2448 }
2449
2450 if (context->oom_score_adjust_set) {
2451 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
2452
2453 /* When we can't make this change due to EPERM, then
2454 * let's silently skip over it. User namespaces
2455 * prohibit write access to this file, and we
2456 * shouldn't trip up over that. */
2457
2458 sprintf(t, "%i", context->oom_score_adjust);
2459 r = write_string_file("/proc/self/oom_score_adj", t, 0);
2460 if (r == -EPERM || r == -EACCES) {
2461 log_open();
2462 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
2463 log_close();
2464 } else if (r < 0) {
2465 *exit_status = EXIT_OOM_ADJUST;
2466 *error_message = strdup("Failed to write /proc/self/oom_score_adj");
2467 return -errno;
2468 }
2469 }
2470
2471 if (context->nice_set)
2472 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
2473 *exit_status = EXIT_NICE;
2474 return -errno;
2475 }
2476
2477 if (context->cpu_sched_set) {
2478 struct sched_param param = {
2479 .sched_priority = context->cpu_sched_priority,
2480 };
2481
2482 r = sched_setscheduler(0,
2483 context->cpu_sched_policy |
2484 (context->cpu_sched_reset_on_fork ?
2485 SCHED_RESET_ON_FORK : 0),
2486 &param);
2487 if (r < 0) {
2488 *exit_status = EXIT_SETSCHEDULER;
2489 return -errno;
2490 }
2491 }
2492
2493 if (context->cpuset)
2494 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
2495 *exit_status = EXIT_CPUAFFINITY;
2496 return -errno;
2497 }
2498
2499 if (context->ioprio_set)
2500 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
2501 *exit_status = EXIT_IOPRIO;
2502 return -errno;
2503 }
2504
2505 if (context->timer_slack_nsec != NSEC_INFINITY)
2506 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
2507 *exit_status = EXIT_TIMERSLACK;
2508 return -errno;
2509 }
2510
2511 if (context->personality != PERSONALITY_INVALID)
2512 if (personality(context->personality) < 0) {
2513 *exit_status = EXIT_PERSONALITY;
2514 return -errno;
2515 }
2516
2517 if (context->utmp_id)
2518 utmp_put_init_process(context->utmp_id, getpid(), getsid(0),
2519 context->tty_path,
2520 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
2521 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
2522 USER_PROCESS,
2523 username);
2524
2525 if (context->user) {
2526 r = chown_terminal(STDIN_FILENO, uid);
2527 if (r < 0) {
2528 *exit_status = EXIT_STDIN;
2529 return r;
2530 }
2531 }
2532
2533 /* If delegation is enabled we'll pass ownership of the cgroup
2534 * (but only in systemd's own controller hierarchy!) to the
2535 * user of the new process. */
2536 if (params->cgroup_path && context->user && params->cgroup_delegate) {
2537 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
2538 if (r < 0) {
2539 *exit_status = EXIT_CGROUP;
2540 return r;
2541 }
2542
2543
2544 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
2545 if (r < 0) {
2546 *exit_status = EXIT_CGROUP;
2547 return r;
2548 }
2549 }
2550
2551 if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
2552 r = setup_runtime_directory(context, params, uid, gid);
2553 if (r < 0) {
2554 *exit_status = EXIT_RUNTIME_DIRECTORY;
2555 return r;
2556 }
2557 }
2558
2559 r = build_environment(
2560 unit,
2561 context,
2562 params,
2563 n_fds,
2564 home,
2565 username,
2566 shell,
2567 journal_stream_dev,
2568 journal_stream_ino,
2569 &our_env);
2570 if (r < 0) {
2571 *exit_status = EXIT_MEMORY;
2572 return r;
2573 }
2574
2575 r = build_pass_environment(context, &pass_env);
2576 if (r < 0) {
2577 *exit_status = EXIT_MEMORY;
2578 return r;
2579 }
2580
2581 accum_env = strv_env_merge(5,
2582 params->environment,
2583 our_env,
2584 pass_env,
2585 context->environment,
2586 files_env,
2587 NULL);
2588 if (!accum_env) {
2589 *exit_status = EXIT_MEMORY;
2590 return -ENOMEM;
2591 }
2592 accum_env = strv_env_clean(accum_env);
2593
2594 (void) umask(context->umask);
2595
2596 r = setup_keyring(unit, params, uid, gid);
2597 if (r < 0) {
2598 *exit_status = EXIT_KEYRING;
2599 return r;
2600 }
2601
2602 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
2603 if (context->pam_name && username) {
2604 r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds);
2605 if (r < 0) {
2606 *exit_status = EXIT_PAM;
2607 return r;
2608 }
2609 }
2610 }
2611
2612 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
2613 r = setup_netns(runtime->netns_storage_socket);
2614 if (r < 0) {
2615 *exit_status = EXIT_NETWORK;
2616 return r;
2617 }
2618 }
2619
2620 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
2621 if (needs_mount_namespace) {
2622 r = apply_mount_namespace(unit, command, context, params, runtime);
2623 if (r < 0) {
2624 *exit_status = EXIT_NAMESPACE;
2625 return r;
2626 }
2627 }
2628
2629 /* Apply just after mount namespace setup */
2630 r = apply_working_directory(context, params, home, needs_mount_namespace, exit_status);
2631 if (r < 0)
2632 return r;
2633
2634 /* Drop groups as early as possbile */
2635 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
2636 r = enforce_groups(context, gid, supplementary_gids, ngids);
2637 if (r < 0) {
2638 *exit_status = EXIT_GROUP;
2639 return r;
2640 }
2641 }
2642
2643 #ifdef HAVE_SELINUX
2644 if ((params->flags & EXEC_APPLY_PERMISSIONS) &&
2645 mac_selinux_use() &&
2646 params->selinux_context_net &&
2647 socket_fd >= 0 &&
2648 !command->privileged) {
2649
2650 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
2651 if (r < 0) {
2652 *exit_status = EXIT_SELINUX_CONTEXT;
2653 return r;
2654 }
2655 }
2656 #endif
2657
2658 if ((params->flags & EXEC_APPLY_PERMISSIONS) && context->private_users) {
2659 r = setup_private_users(uid, gid);
2660 if (r < 0) {
2661 *exit_status = EXIT_USER;
2662 return r;
2663 }
2664 }
2665
2666 /* We repeat the fd closing here, to make sure that
2667 * nothing is leaked from the PAM modules. Note that
2668 * we are more aggressive this time since socket_fd
2669 * and the netns fds we don't need anymore. The custom
2670 * endpoint fd was needed to upload the policy and can
2671 * now be closed as well. */
2672 r = close_all_fds(fds, n_fds);
2673 if (r >= 0)
2674 r = shift_fds(fds, n_fds);
2675 if (r >= 0)
2676 r = flags_fds(fds, n_fds, n_socket_fds, context->non_blocking);
2677 if (r < 0) {
2678 *exit_status = EXIT_FDS;
2679 return r;
2680 }
2681
2682 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
2683
2684 int secure_bits = context->secure_bits;
2685
2686 for (i = 0; i < _RLIMIT_MAX; i++) {
2687
2688 if (!context->rlimit[i])
2689 continue;
2690
2691 r = setrlimit_closest(i, context->rlimit[i]);
2692 if (r < 0) {
2693 *exit_status = EXIT_LIMITS;
2694 return r;
2695 }
2696 }
2697
2698 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */
2699 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
2700 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
2701 *exit_status = EXIT_LIMITS;
2702 return -errno;
2703 }
2704 }
2705
2706 if (!cap_test_all(context->capability_bounding_set)) {
2707 r = capability_bounding_set_drop(context->capability_bounding_set, false);
2708 if (r < 0) {
2709 *exit_status = EXIT_CAPABILITIES;
2710 *error_message = strdup("Failed to drop capabilities");
2711 return r;
2712 }
2713 }
2714
2715 /* This is done before enforce_user, but ambient set
2716 * does not survive over setresuid() if keep_caps is not set. */
2717 if (context->capability_ambient_set != 0) {
2718 r = capability_ambient_set_apply(context->capability_ambient_set, true);
2719 if (r < 0) {
2720 *exit_status = EXIT_CAPABILITIES;
2721 *error_message = strdup("Failed to apply ambient capabilities (before UID change)");
2722 return r;
2723 }
2724 }
2725
2726 if (context->user) {
2727 r = enforce_user(context, uid);
2728 if (r < 0) {
2729 *exit_status = EXIT_USER;
2730 (void) asprintf(error_message, "Failed to change UID to "UID_FMT, uid);
2731 return r;
2732 }
2733 if (context->capability_ambient_set != 0) {
2734
2735 /* Fix the ambient capabilities after user change. */
2736 r = capability_ambient_set_apply(context->capability_ambient_set, false);
2737 if (r < 0) {
2738 *exit_status = EXIT_CAPABILITIES;
2739 *error_message = strdup("Failed to apply ambient capabilities (after UID change)");
2740 return r;
2741 }
2742
2743 /* If we were asked to change user and ambient capabilities
2744 * were requested, we had to add keep-caps to the securebits
2745 * so that we would maintain the inherited capability set
2746 * through the setresuid(). Make sure that the bit is added
2747 * also to the context secure_bits so that we don't try to
2748 * drop the bit away next. */
2749
2750 secure_bits |= 1<<SECURE_KEEP_CAPS;
2751 }
2752 }
2753
2754 /* Apply the MAC contexts late, but before seccomp syscall filtering, as those should really be last to
2755 * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
2756 * syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
2757 * are restricted. */
2758
2759 #ifdef HAVE_SELINUX
2760 if (mac_selinux_use()) {
2761 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
2762
2763 if (exec_context) {
2764 r = setexeccon(exec_context);
2765 if (r < 0) {
2766 *exit_status = EXIT_SELINUX_CONTEXT;
2767 (void) asprintf(error_message, "Failed to set SELinux context to %s", exec_context);
2768 return r;
2769 }
2770 }
2771 }
2772 #endif
2773
2774 r = setup_smack(context, command);
2775 if (r < 0) {
2776 *exit_status = EXIT_SMACK_PROCESS_LABEL;
2777 *error_message = strdup("Failed to set SMACK process label");
2778 return r;
2779 }
2780
2781 #ifdef HAVE_APPARMOR
2782 if (context->apparmor_profile && mac_apparmor_use()) {
2783 r = aa_change_onexec(context->apparmor_profile);
2784 if (r < 0 && !context->apparmor_profile_ignore) {
2785 *exit_status = EXIT_APPARMOR_PROFILE;
2786 (void) asprintf(error_message,
2787 "Failed to prepare AppArmor profile change to %s",
2788 context->apparmor_profile);
2789 return -errno;
2790 }
2791 }
2792 #endif
2793
2794 /* PR_GET_SECUREBITS is not privileged, while
2795 * PR_SET_SECUREBITS is. So to suppress
2796 * potential EPERMs we'll try not to call
2797 * PR_SET_SECUREBITS unless necessary. */
2798 if (prctl(PR_GET_SECUREBITS) != secure_bits)
2799 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
2800 *exit_status = EXIT_SECUREBITS;
2801 *error_message = strdup("Failed to set secure bits");
2802 return -errno;
2803 }
2804
2805 if (context_has_no_new_privileges(context))
2806 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
2807 *exit_status = EXIT_NO_NEW_PRIVILEGES;
2808 *error_message = strdup("Failed to disable new privileges");
2809 return -errno;
2810 }
2811
2812 #ifdef HAVE_SECCOMP
2813 r = apply_address_families(unit, context);
2814 if (r < 0) {
2815 *exit_status = EXIT_ADDRESS_FAMILIES;
2816 *error_message = strdup("Failed to restrict address families");
2817 return r;
2818 }
2819
2820 r = apply_memory_deny_write_execute(unit, context);
2821 if (r < 0) {
2822 *exit_status = EXIT_SECCOMP;
2823 *error_message = strdup("Failed to disable writing to executable memory");
2824 return r;
2825 }
2826
2827 r = apply_restrict_realtime(unit, context);
2828 if (r < 0) {
2829 *exit_status = EXIT_SECCOMP;
2830 *error_message = strdup("Failed to apply realtime restrictions");
2831 return r;
2832 }
2833
2834 r = apply_restrict_namespaces(unit, context);
2835 if (r < 0) {
2836 *exit_status = EXIT_SECCOMP;
2837 *error_message = strdup("Failed to apply namespace restrictions");
2838 return r;
2839 }
2840
2841 r = apply_protect_sysctl(unit, context);
2842 if (r < 0) {
2843 *exit_status = EXIT_SECCOMP;
2844 *error_message = strdup("Failed to apply sysctl restrictions");
2845 return r;
2846 }
2847
2848 r = apply_protect_kernel_modules(unit, context);
2849 if (r < 0) {
2850 *exit_status = EXIT_SECCOMP;
2851 *error_message = strdup("Failed to apply module loading restrictions");
2852 return r;
2853 }
2854
2855 r = apply_private_devices(unit, context);
2856 if (r < 0) {
2857 *exit_status = EXIT_SECCOMP;
2858 *error_message = strdup("Failed to set up private devices");
2859 return r;
2860 }
2861
2862 r = apply_syscall_archs(unit, context);
2863 if (r < 0) {
2864 *exit_status = EXIT_SECCOMP;
2865 *error_message = strdup("Failed to apply syscall architecture restrictions");
2866 return r;
2867 }
2868
2869 /* This really should remain the last step before the execve(), to make sure our own code is unaffected
2870 * by the filter as little as possible. */
2871 r = apply_syscall_filter(unit, context);
2872 if (r < 0) {
2873 *exit_status = EXIT_SECCOMP;
2874 *error_message = strdup("Failed to apply syscall filters");
2875 return r;
2876 }
2877 #endif
2878 }
2879
2880 final_argv = replace_env_argv(argv, accum_env);
2881 if (!final_argv) {
2882 *exit_status = EXIT_MEMORY;
2883 *error_message = strdup("Failed to prepare process arguments");
2884 return -ENOMEM;
2885 }
2886
2887 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
2888 _cleanup_free_ char *line;
2889
2890 line = exec_command_line(final_argv);
2891 if (line) {
2892 log_open();
2893 log_struct(LOG_DEBUG,
2894 "EXECUTABLE=%s", command->path,
2895 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
2896 LOG_UNIT_ID(unit),
2897 NULL);
2898 log_close();
2899 }
2900 }
2901
2902 execve(command->path, final_argv, accum_env);
2903 *exit_status = EXIT_EXEC;
2904 return -errno;
2905 }
2906
2907 int exec_spawn(Unit *unit,
2908 ExecCommand *command,
2909 const ExecContext *context,
2910 const ExecParameters *params,
2911 ExecRuntime *runtime,
2912 DynamicCreds *dcreds,
2913 pid_t *ret) {
2914
2915 _cleanup_strv_free_ char **files_env = NULL;
2916 int *fds = NULL;
2917 unsigned n_fds = 0, n_socket_fds = 0;
2918 _cleanup_free_ char *line = NULL;
2919 int socket_fd, r;
2920 int named_iofds[3] = { -1, -1, -1 };
2921 char **argv;
2922 pid_t pid;
2923
2924 assert(unit);
2925 assert(command);
2926 assert(context);
2927 assert(ret);
2928 assert(params);
2929 assert(params->fds || params->n_fds <= 0);
2930
2931 if (context->std_input == EXEC_INPUT_SOCKET ||
2932 context->std_output == EXEC_OUTPUT_SOCKET ||
2933 context->std_error == EXEC_OUTPUT_SOCKET) {
2934
2935 if (params->n_fds > 1) {
2936 log_unit_error(unit, "Got more than one socket.");
2937 return -EINVAL;
2938 }
2939
2940 if (params->n_fds == 0) {
2941 log_unit_error(unit, "Got no socket.");
2942 return -EINVAL;
2943 }
2944
2945 socket_fd = params->fds[0];
2946 } else {
2947 socket_fd = -1;
2948 fds = params->fds;
2949 n_fds = params->n_fds;
2950 n_socket_fds = params->n_socket_fds;
2951 }
2952
2953 r = exec_context_named_iofds(unit, context, params, named_iofds);
2954 if (r < 0)
2955 return log_unit_error_errno(unit, r, "Failed to load a named file descriptor: %m");
2956
2957 r = exec_context_load_environment(unit, context, &files_env);
2958 if (r < 0)
2959 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
2960
2961 argv = params->argv ?: command->argv;
2962 line = exec_command_line(argv);
2963 if (!line)
2964 return log_oom();
2965
2966 log_struct(LOG_DEBUG,
2967 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
2968 "EXECUTABLE=%s", command->path,
2969 LOG_UNIT_ID(unit),
2970 NULL);
2971 pid = fork();
2972 if (pid < 0)
2973 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
2974
2975 if (pid == 0) {
2976 int exit_status;
2977 _cleanup_free_ char *error_message = NULL;
2978
2979 r = exec_child(unit,
2980 command,
2981 context,
2982 params,
2983 runtime,
2984 dcreds,
2985 argv,
2986 socket_fd,
2987 named_iofds,
2988 fds, n_fds,
2989 n_socket_fds,
2990 files_env,
2991 unit->manager->user_lookup_fds[1],
2992 &exit_status,
2993 &error_message);
2994 if (r < 0) {
2995 log_open();
2996 if (error_message)
2997 log_struct_errno(LOG_ERR, r,
2998 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
2999 LOG_UNIT_ID(unit),
3000 LOG_UNIT_MESSAGE(unit, "%s: %m",
3001 error_message),
3002 "EXECUTABLE=%s", command->path,
3003 NULL);
3004 else if (r == -ENOENT && command->ignore)
3005 log_struct_errno(LOG_INFO, r,
3006 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
3007 LOG_UNIT_ID(unit),
3008 LOG_UNIT_MESSAGE(unit, "Skipped spawning %s: %m",
3009 command->path),
3010 "EXECUTABLE=%s", command->path,
3011 NULL);
3012 else
3013 log_struct_errno(LOG_ERR, r,
3014 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
3015 LOG_UNIT_ID(unit),
3016 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
3017 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
3018 command->path),
3019 "EXECUTABLE=%s", command->path,
3020 NULL);
3021 }
3022
3023 _exit(exit_status);
3024 }
3025
3026 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
3027
3028 /* We add the new process to the cgroup both in the child (so
3029 * that we can be sure that no user code is ever executed
3030 * outside of the cgroup) and in the parent (so that we can be
3031 * sure that when we kill the cgroup the process will be
3032 * killed too). */
3033 if (params->cgroup_path)
3034 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
3035
3036 exec_status_start(&command->exec_status, pid);
3037
3038 *ret = pid;
3039 return 0;
3040 }
3041
3042 void exec_context_init(ExecContext *c) {
3043 assert(c);
3044
3045 c->umask = 0022;
3046 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
3047 c->cpu_sched_policy = SCHED_OTHER;
3048 c->syslog_priority = LOG_DAEMON|LOG_INFO;
3049 c->syslog_level_prefix = true;
3050 c->ignore_sigpipe = true;
3051 c->timer_slack_nsec = NSEC_INFINITY;
3052 c->personality = PERSONALITY_INVALID;
3053 c->runtime_directory_mode = 0755;
3054 c->capability_bounding_set = CAP_ALL;
3055 c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
3056 }
3057
3058 void exec_context_done(ExecContext *c) {
3059 unsigned l;
3060
3061 assert(c);
3062
3063 c->environment = strv_free(c->environment);
3064 c->environment_files = strv_free(c->environment_files);
3065 c->pass_environment = strv_free(c->pass_environment);
3066
3067 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
3068 c->rlimit[l] = mfree(c->rlimit[l]);
3069
3070 for (l = 0; l < 3; l++)
3071 c->stdio_fdname[l] = mfree(c->stdio_fdname[l]);
3072
3073 c->working_directory = mfree(c->working_directory);
3074 c->root_directory = mfree(c->root_directory);
3075 c->root_image = mfree(c->root_image);
3076 c->tty_path = mfree(c->tty_path);
3077 c->syslog_identifier = mfree(c->syslog_identifier);
3078 c->user = mfree(c->user);
3079 c->group = mfree(c->group);
3080
3081 c->supplementary_groups = strv_free(c->supplementary_groups);
3082
3083 c->pam_name = mfree(c->pam_name);
3084
3085 c->read_only_paths = strv_free(c->read_only_paths);
3086 c->read_write_paths = strv_free(c->read_write_paths);
3087 c->inaccessible_paths = strv_free(c->inaccessible_paths);
3088
3089 bind_mount_free_many(c->bind_mounts, c->n_bind_mounts);
3090
3091 if (c->cpuset)
3092 CPU_FREE(c->cpuset);
3093
3094 c->utmp_id = mfree(c->utmp_id);
3095 c->selinux_context = mfree(c->selinux_context);
3096 c->apparmor_profile = mfree(c->apparmor_profile);
3097
3098 c->syscall_filter = set_free(c->syscall_filter);
3099 c->syscall_archs = set_free(c->syscall_archs);
3100 c->address_families = set_free(c->address_families);
3101
3102 c->runtime_directory = strv_free(c->runtime_directory);
3103 }
3104
3105 int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
3106 char **i;
3107
3108 assert(c);
3109
3110 if (!runtime_prefix)
3111 return 0;
3112
3113 STRV_FOREACH(i, c->runtime_directory) {
3114 _cleanup_free_ char *p;
3115
3116 p = strjoin(runtime_prefix, "/", *i);
3117 if (!p)
3118 return -ENOMEM;
3119
3120 /* We execute this synchronously, since we need to be
3121 * sure this is gone when we start the service
3122 * next. */
3123 (void) rm_rf(p, REMOVE_ROOT);
3124 }
3125
3126 return 0;
3127 }
3128
3129 void exec_command_done(ExecCommand *c) {
3130 assert(c);
3131
3132 c->path = mfree(c->path);
3133
3134 c->argv = strv_free(c->argv);
3135 }
3136
3137 void exec_command_done_array(ExecCommand *c, unsigned n) {
3138 unsigned i;
3139
3140 for (i = 0; i < n; i++)
3141 exec_command_done(c+i);
3142 }
3143
3144 ExecCommand* exec_command_free_list(ExecCommand *c) {
3145 ExecCommand *i;
3146
3147 while ((i = c)) {
3148 LIST_REMOVE(command, c, i);
3149 exec_command_done(i);
3150 free(i);
3151 }
3152
3153 return NULL;
3154 }
3155
3156 void exec_command_free_array(ExecCommand **c, unsigned n) {
3157 unsigned i;
3158
3159 for (i = 0; i < n; i++)
3160 c[i] = exec_command_free_list(c[i]);
3161 }
3162
3163 typedef struct InvalidEnvInfo {
3164 Unit *unit;
3165 const char *path;
3166 } InvalidEnvInfo;
3167
3168 static void invalid_env(const char *p, void *userdata) {
3169 InvalidEnvInfo *info = userdata;
3170
3171 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
3172 }
3173
3174 const char* exec_context_fdname(const ExecContext *c, int fd_index) {
3175 assert(c);
3176
3177 switch (fd_index) {
3178 case STDIN_FILENO:
3179 if (c->std_input != EXEC_INPUT_NAMED_FD)
3180 return NULL;
3181 return c->stdio_fdname[STDIN_FILENO] ?: "stdin";
3182 case STDOUT_FILENO:
3183 if (c->std_output != EXEC_OUTPUT_NAMED_FD)
3184 return NULL;
3185 return c->stdio_fdname[STDOUT_FILENO] ?: "stdout";
3186 case STDERR_FILENO:
3187 if (c->std_error != EXEC_OUTPUT_NAMED_FD)
3188 return NULL;
3189 return c->stdio_fdname[STDERR_FILENO] ?: "stderr";
3190 default:
3191 return NULL;
3192 }
3193 }
3194
3195 int exec_context_named_iofds(Unit *unit, const ExecContext *c, const ExecParameters *p, int named_iofds[3]) {
3196 unsigned i, targets;
3197 const char* stdio_fdname[3];
3198
3199 assert(c);
3200 assert(p);
3201
3202 targets = (c->std_input == EXEC_INPUT_NAMED_FD) +
3203 (c->std_output == EXEC_OUTPUT_NAMED_FD) +
3204 (c->std_error == EXEC_OUTPUT_NAMED_FD);
3205
3206 for (i = 0; i < 3; i++)
3207 stdio_fdname[i] = exec_context_fdname(c, i);
3208
3209 for (i = 0; i < p->n_fds && targets > 0; i++)
3210 if (named_iofds[STDIN_FILENO] < 0 &&
3211 c->std_input == EXEC_INPUT_NAMED_FD &&
3212 stdio_fdname[STDIN_FILENO] &&
3213 streq(p->fd_names[i], stdio_fdname[STDIN_FILENO])) {
3214
3215 named_iofds[STDIN_FILENO] = p->fds[i];
3216 targets--;
3217
3218 } else if (named_iofds[STDOUT_FILENO] < 0 &&
3219 c->std_output == EXEC_OUTPUT_NAMED_FD &&
3220 stdio_fdname[STDOUT_FILENO] &&
3221 streq(p->fd_names[i], stdio_fdname[STDOUT_FILENO])) {
3222
3223 named_iofds[STDOUT_FILENO] = p->fds[i];
3224 targets--;
3225
3226 } else if (named_iofds[STDERR_FILENO] < 0 &&
3227 c->std_error == EXEC_OUTPUT_NAMED_FD &&
3228 stdio_fdname[STDERR_FILENO] &&
3229 streq(p->fd_names[i], stdio_fdname[STDERR_FILENO])) {
3230
3231 named_iofds[STDERR_FILENO] = p->fds[i];
3232 targets--;
3233 }
3234
3235 return targets == 0 ? 0 : -ENOENT;
3236 }
3237
3238 int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
3239 char **i, **r = NULL;
3240
3241 assert(c);
3242 assert(l);
3243
3244 STRV_FOREACH(i, c->environment_files) {
3245 char *fn;
3246 int k, n;
3247 bool ignore = false;
3248 char **p;
3249 _cleanup_globfree_ glob_t pglob = {};
3250
3251 fn = *i;
3252
3253 if (fn[0] == '-') {
3254 ignore = true;
3255 fn++;
3256 }
3257
3258 if (!path_is_absolute(fn)) {
3259 if (ignore)
3260 continue;
3261
3262 strv_free(r);
3263 return -EINVAL;
3264 }
3265
3266 /* Filename supports globbing, take all matching files */
3267 k = safe_glob(fn, 0, &pglob);
3268 if (k < 0) {
3269 if (ignore)
3270 continue;
3271
3272 strv_free(r);
3273 return k;
3274 }
3275
3276 /* When we don't match anything, -ENOENT should be returned */
3277 assert(pglob.gl_pathc > 0);
3278
3279 for (n = 0; n < pglob.gl_pathc; n++) {
3280 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
3281 if (k < 0) {
3282 if (ignore)
3283 continue;
3284
3285 strv_free(r);
3286 return k;
3287 }
3288 /* Log invalid environment variables with filename */
3289 if (p) {
3290 InvalidEnvInfo info = {
3291 .unit = unit,
3292 .path = pglob.gl_pathv[n]
3293 };
3294
3295 p = strv_env_clean_with_callback(p, invalid_env, &info);
3296 }
3297
3298 if (r == NULL)
3299 r = p;
3300 else {
3301 char **m;
3302
3303 m = strv_env_merge(2, r, p);
3304 strv_free(r);
3305 strv_free(p);
3306 if (!m)
3307 return -ENOMEM;
3308
3309 r = m;
3310 }
3311 }
3312 }
3313
3314 *l = r;
3315
3316 return 0;
3317 }
3318
3319 static bool tty_may_match_dev_console(const char *tty) {
3320 _cleanup_free_ char *active = NULL;
3321 char *console;
3322
3323 if (!tty)
3324 return true;
3325
3326 if (startswith(tty, "/dev/"))
3327 tty += 5;
3328
3329 /* trivial identity? */
3330 if (streq(tty, "console"))
3331 return true;
3332
3333 console = resolve_dev_console(&active);
3334 /* if we could not resolve, assume it may */
3335 if (!console)
3336 return true;
3337
3338 /* "tty0" means the active VC, so it may be the same sometimes */
3339 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
3340 }
3341
3342 bool exec_context_may_touch_console(ExecContext *ec) {
3343
3344 return (ec->tty_reset ||
3345 ec->tty_vhangup ||
3346 ec->tty_vt_disallocate ||
3347 is_terminal_input(ec->std_input) ||
3348 is_terminal_output(ec->std_output) ||
3349 is_terminal_output(ec->std_error)) &&
3350 tty_may_match_dev_console(exec_context_tty_path(ec));
3351 }
3352
3353 static void strv_fprintf(FILE *f, char **l) {
3354 char **g;
3355
3356 assert(f);
3357
3358 STRV_FOREACH(g, l)
3359 fprintf(f, " %s", *g);
3360 }
3361
3362 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
3363 char **e, **d;
3364 unsigned i;
3365 int r;
3366
3367 assert(c);
3368 assert(f);
3369
3370 prefix = strempty(prefix);
3371
3372 fprintf(f,
3373 "%sUMask: %04o\n"
3374 "%sWorkingDirectory: %s\n"
3375 "%sRootDirectory: %s\n"
3376 "%sNonBlocking: %s\n"
3377 "%sPrivateTmp: %s\n"
3378 "%sPrivateDevices: %s\n"
3379 "%sProtectKernelTunables: %s\n"
3380 "%sProtectKernelModules: %s\n"
3381 "%sProtectControlGroups: %s\n"
3382 "%sPrivateNetwork: %s\n"
3383 "%sPrivateUsers: %s\n"
3384 "%sProtectHome: %s\n"
3385 "%sProtectSystem: %s\n"
3386 "%sMountAPIVFS: %s\n"
3387 "%sIgnoreSIGPIPE: %s\n"
3388 "%sMemoryDenyWriteExecute: %s\n"
3389 "%sRestrictRealtime: %s\n",
3390 prefix, c->umask,
3391 prefix, c->working_directory ? c->working_directory : "/",
3392 prefix, c->root_directory ? c->root_directory : "/",
3393 prefix, yes_no(c->non_blocking),
3394 prefix, yes_no(c->private_tmp),
3395 prefix, yes_no(c->private_devices),
3396 prefix, yes_no(c->protect_kernel_tunables),
3397 prefix, yes_no(c->protect_kernel_modules),
3398 prefix, yes_no(c->protect_control_groups),
3399 prefix, yes_no(c->private_network),
3400 prefix, yes_no(c->private_users),
3401 prefix, protect_home_to_string(c->protect_home),
3402 prefix, protect_system_to_string(c->protect_system),
3403 prefix, yes_no(c->mount_apivfs),
3404 prefix, yes_no(c->ignore_sigpipe),
3405 prefix, yes_no(c->memory_deny_write_execute),
3406 prefix, yes_no(c->restrict_realtime));
3407
3408 if (c->root_image)
3409 fprintf(f, "%sRootImage: %s\n", prefix, c->root_image);
3410
3411 STRV_FOREACH(e, c->environment)
3412 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
3413
3414 STRV_FOREACH(e, c->environment_files)
3415 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
3416
3417 STRV_FOREACH(e, c->pass_environment)
3418 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
3419
3420 fprintf(f, "%sRuntimeDirectoryMode: %04o\n", prefix, c->runtime_directory_mode);
3421
3422 STRV_FOREACH(d, c->runtime_directory)
3423 fprintf(f, "%sRuntimeDirectory: %s\n", prefix, *d);
3424
3425 if (c->nice_set)
3426 fprintf(f,
3427 "%sNice: %i\n",
3428 prefix, c->nice);
3429
3430 if (c->oom_score_adjust_set)
3431 fprintf(f,
3432 "%sOOMScoreAdjust: %i\n",
3433 prefix, c->oom_score_adjust);
3434
3435 for (i = 0; i < RLIM_NLIMITS; i++)
3436 if (c->rlimit[i]) {
3437 fprintf(f, "%s%s: " RLIM_FMT "\n",
3438 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
3439 fprintf(f, "%s%sSoft: " RLIM_FMT "\n",
3440 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
3441 }
3442
3443 if (c->ioprio_set) {
3444 _cleanup_free_ char *class_str = NULL;
3445
3446 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
3447 fprintf(f,
3448 "%sIOSchedulingClass: %s\n"
3449 "%sIOPriority: %i\n",
3450 prefix, strna(class_str),
3451 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
3452 }
3453
3454 if (c->cpu_sched_set) {
3455 _cleanup_free_ char *policy_str = NULL;
3456
3457 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
3458 fprintf(f,
3459 "%sCPUSchedulingPolicy: %s\n"
3460 "%sCPUSchedulingPriority: %i\n"
3461 "%sCPUSchedulingResetOnFork: %s\n",
3462 prefix, strna(policy_str),
3463 prefix, c->cpu_sched_priority,
3464 prefix, yes_no(c->cpu_sched_reset_on_fork));
3465 }
3466
3467 if (c->cpuset) {
3468 fprintf(f, "%sCPUAffinity:", prefix);
3469 for (i = 0; i < c->cpuset_ncpus; i++)
3470 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
3471 fprintf(f, " %u", i);
3472 fputs("\n", f);
3473 }
3474
3475 if (c->timer_slack_nsec != NSEC_INFINITY)
3476 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
3477
3478 fprintf(f,
3479 "%sStandardInput: %s\n"
3480 "%sStandardOutput: %s\n"
3481 "%sStandardError: %s\n",
3482 prefix, exec_input_to_string(c->std_input),
3483 prefix, exec_output_to_string(c->std_output),
3484 prefix, exec_output_to_string(c->std_error));
3485
3486 if (c->tty_path)
3487 fprintf(f,
3488 "%sTTYPath: %s\n"
3489 "%sTTYReset: %s\n"
3490 "%sTTYVHangup: %s\n"
3491 "%sTTYVTDisallocate: %s\n",
3492 prefix, c->tty_path,
3493 prefix, yes_no(c->tty_reset),
3494 prefix, yes_no(c->tty_vhangup),
3495 prefix, yes_no(c->tty_vt_disallocate));
3496
3497 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
3498 c->std_output == EXEC_OUTPUT_KMSG ||
3499 c->std_output == EXEC_OUTPUT_JOURNAL ||
3500 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3501 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3502 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
3503 c->std_error == EXEC_OUTPUT_SYSLOG ||
3504 c->std_error == EXEC_OUTPUT_KMSG ||
3505 c->std_error == EXEC_OUTPUT_JOURNAL ||
3506 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3507 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3508 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
3509
3510 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
3511
3512 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
3513 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
3514
3515 fprintf(f,
3516 "%sSyslogFacility: %s\n"
3517 "%sSyslogLevel: %s\n",
3518 prefix, strna(fac_str),
3519 prefix, strna(lvl_str));
3520 }
3521
3522 if (c->secure_bits)
3523 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
3524 prefix,
3525 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
3526 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
3527 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
3528 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
3529 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
3530 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
3531
3532 if (c->capability_bounding_set != CAP_ALL) {
3533 unsigned long l;
3534 fprintf(f, "%sCapabilityBoundingSet:", prefix);
3535
3536 for (l = 0; l <= cap_last_cap(); l++)
3537 if (c->capability_bounding_set & (UINT64_C(1) << l))
3538 fprintf(f, " %s", strna(capability_to_name(l)));
3539
3540 fputs("\n", f);
3541 }
3542
3543 if (c->capability_ambient_set != 0) {
3544 unsigned long l;
3545 fprintf(f, "%sAmbientCapabilities:", prefix);
3546
3547 for (l = 0; l <= cap_last_cap(); l++)
3548 if (c->capability_ambient_set & (UINT64_C(1) << l))
3549 fprintf(f, " %s", strna(capability_to_name(l)));
3550
3551 fputs("\n", f);
3552 }
3553
3554 if (c->user)
3555 fprintf(f, "%sUser: %s\n", prefix, c->user);
3556 if (c->group)
3557 fprintf(f, "%sGroup: %s\n", prefix, c->group);
3558
3559 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
3560
3561 if (strv_length(c->supplementary_groups) > 0) {
3562 fprintf(f, "%sSupplementaryGroups:", prefix);
3563 strv_fprintf(f, c->supplementary_groups);
3564 fputs("\n", f);
3565 }
3566
3567 if (c->pam_name)
3568 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
3569
3570 if (strv_length(c->read_write_paths) > 0) {
3571 fprintf(f, "%sReadWritePaths:", prefix);
3572 strv_fprintf(f, c->read_write_paths);
3573 fputs("\n", f);
3574 }
3575
3576 if (strv_length(c->read_only_paths) > 0) {
3577 fprintf(f, "%sReadOnlyPaths:", prefix);
3578 strv_fprintf(f, c->read_only_paths);
3579 fputs("\n", f);
3580 }
3581
3582 if (strv_length(c->inaccessible_paths) > 0) {
3583 fprintf(f, "%sInaccessiblePaths:", prefix);
3584 strv_fprintf(f, c->inaccessible_paths);
3585 fputs("\n", f);
3586 }
3587
3588 if (c->n_bind_mounts > 0)
3589 for (i = 0; i < c->n_bind_mounts; i++) {
3590 fprintf(f, "%s%s: %s:%s:%s\n", prefix,
3591 c->bind_mounts[i].read_only ? "BindReadOnlyPaths" : "BindPaths",
3592 c->bind_mounts[i].source,
3593 c->bind_mounts[i].destination,
3594 c->bind_mounts[i].recursive ? "rbind" : "norbind");
3595 }
3596
3597 if (c->utmp_id)
3598 fprintf(f,
3599 "%sUtmpIdentifier: %s\n",
3600 prefix, c->utmp_id);
3601
3602 if (c->selinux_context)
3603 fprintf(f,
3604 "%sSELinuxContext: %s%s\n",
3605 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
3606
3607 if (c->personality != PERSONALITY_INVALID)
3608 fprintf(f,
3609 "%sPersonality: %s\n",
3610 prefix, strna(personality_to_string(c->personality)));
3611
3612 if (c->syscall_filter) {
3613 #ifdef HAVE_SECCOMP
3614 Iterator j;
3615 void *id;
3616 bool first = true;
3617 #endif
3618
3619 fprintf(f,
3620 "%sSystemCallFilter: ",
3621 prefix);
3622
3623 if (!c->syscall_whitelist)
3624 fputc('~', f);
3625
3626 #ifdef HAVE_SECCOMP
3627 SET_FOREACH(id, c->syscall_filter, j) {
3628 _cleanup_free_ char *name = NULL;
3629
3630 if (first)
3631 first = false;
3632 else
3633 fputc(' ', f);
3634
3635 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
3636 fputs(strna(name), f);
3637 }
3638 #endif
3639
3640 fputc('\n', f);
3641 }
3642
3643 if (c->syscall_archs) {
3644 #ifdef HAVE_SECCOMP
3645 Iterator j;
3646 void *id;
3647 #endif
3648
3649 fprintf(f,
3650 "%sSystemCallArchitectures:",
3651 prefix);
3652
3653 #ifdef HAVE_SECCOMP
3654 SET_FOREACH(id, c->syscall_archs, j)
3655 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
3656 #endif
3657 fputc('\n', f);
3658 }
3659
3660 if (exec_context_restrict_namespaces_set(c)) {
3661 _cleanup_free_ char *s = NULL;
3662
3663 r = namespace_flag_to_string_many(c->restrict_namespaces, &s);
3664 if (r >= 0)
3665 fprintf(f, "%sRestrictNamespaces: %s\n",
3666 prefix, s);
3667 }
3668
3669 if (c->syscall_errno > 0)
3670 fprintf(f,
3671 "%sSystemCallErrorNumber: %s\n",
3672 prefix, strna(errno_to_name(c->syscall_errno)));
3673
3674 if (c->apparmor_profile)
3675 fprintf(f,
3676 "%sAppArmorProfile: %s%s\n",
3677 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
3678 }
3679
3680 bool exec_context_maintains_privileges(ExecContext *c) {
3681 assert(c);
3682
3683 /* Returns true if the process forked off would run under
3684 * an unchanged UID or as root. */
3685
3686 if (!c->user)
3687 return true;
3688
3689 if (streq(c->user, "root") || streq(c->user, "0"))
3690 return true;
3691
3692 return false;
3693 }
3694
3695 void exec_status_start(ExecStatus *s, pid_t pid) {
3696 assert(s);
3697
3698 zero(*s);
3699 s->pid = pid;
3700 dual_timestamp_get(&s->start_timestamp);
3701 }
3702
3703 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
3704 assert(s);
3705
3706 if (s->pid && s->pid != pid)
3707 zero(*s);
3708
3709 s->pid = pid;
3710 dual_timestamp_get(&s->exit_timestamp);
3711
3712 s->code = code;
3713 s->status = status;
3714
3715 if (context) {
3716 if (context->utmp_id)
3717 utmp_put_dead_process(context->utmp_id, pid, code, status);
3718
3719 exec_context_tty_reset(context, NULL);
3720 }
3721 }
3722
3723 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
3724 char buf[FORMAT_TIMESTAMP_MAX];
3725
3726 assert(s);
3727 assert(f);
3728
3729 if (s->pid <= 0)
3730 return;
3731
3732 prefix = strempty(prefix);
3733
3734 fprintf(f,
3735 "%sPID: "PID_FMT"\n",
3736 prefix, s->pid);
3737
3738 if (dual_timestamp_is_set(&s->start_timestamp))
3739 fprintf(f,
3740 "%sStart Timestamp: %s\n",
3741 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
3742
3743 if (dual_timestamp_is_set(&s->exit_timestamp))
3744 fprintf(f,
3745 "%sExit Timestamp: %s\n"
3746 "%sExit Code: %s\n"
3747 "%sExit Status: %i\n",
3748 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
3749 prefix, sigchld_code_to_string(s->code),
3750 prefix, s->status);
3751 }
3752
3753 char *exec_command_line(char **argv) {
3754 size_t k;
3755 char *n, *p, **a;
3756 bool first = true;
3757
3758 assert(argv);
3759
3760 k = 1;
3761 STRV_FOREACH(a, argv)
3762 k += strlen(*a)+3;
3763
3764 n = new(char, k);
3765 if (!n)
3766 return NULL;
3767
3768 p = n;
3769 STRV_FOREACH(a, argv) {
3770
3771 if (!first)
3772 *(p++) = ' ';
3773 else
3774 first = false;
3775
3776 if (strpbrk(*a, WHITESPACE)) {
3777 *(p++) = '\'';
3778 p = stpcpy(p, *a);
3779 *(p++) = '\'';
3780 } else
3781 p = stpcpy(p, *a);
3782
3783 }
3784
3785 *p = 0;
3786
3787 /* FIXME: this doesn't really handle arguments that have
3788 * spaces and ticks in them */
3789
3790 return n;
3791 }
3792
3793 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
3794 _cleanup_free_ char *cmd = NULL;
3795 const char *prefix2;
3796
3797 assert(c);
3798 assert(f);
3799
3800 prefix = strempty(prefix);
3801 prefix2 = strjoina(prefix, "\t");
3802
3803 cmd = exec_command_line(c->argv);
3804 fprintf(f,
3805 "%sCommand Line: %s\n",
3806 prefix, cmd ? cmd : strerror(ENOMEM));
3807
3808 exec_status_dump(&c->exec_status, f, prefix2);
3809 }
3810
3811 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
3812 assert(f);
3813
3814 prefix = strempty(prefix);
3815
3816 LIST_FOREACH(command, c, c)
3817 exec_command_dump(c, f, prefix);
3818 }
3819
3820 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
3821 ExecCommand *end;
3822
3823 assert(l);
3824 assert(e);
3825
3826 if (*l) {
3827 /* It's kind of important, that we keep the order here */
3828 LIST_FIND_TAIL(command, *l, end);
3829 LIST_INSERT_AFTER(command, *l, end, e);
3830 } else
3831 *l = e;
3832 }
3833
3834 int exec_command_set(ExecCommand *c, const char *path, ...) {
3835 va_list ap;
3836 char **l, *p;
3837
3838 assert(c);
3839 assert(path);
3840
3841 va_start(ap, path);
3842 l = strv_new_ap(path, ap);
3843 va_end(ap);
3844
3845 if (!l)
3846 return -ENOMEM;
3847
3848 p = strdup(path);
3849 if (!p) {
3850 strv_free(l);
3851 return -ENOMEM;
3852 }
3853
3854 free(c->path);
3855 c->path = p;
3856
3857 strv_free(c->argv);
3858 c->argv = l;
3859
3860 return 0;
3861 }
3862
3863 int exec_command_append(ExecCommand *c, const char *path, ...) {
3864 _cleanup_strv_free_ char **l = NULL;
3865 va_list ap;
3866 int r;
3867
3868 assert(c);
3869 assert(path);
3870
3871 va_start(ap, path);
3872 l = strv_new_ap(path, ap);
3873 va_end(ap);
3874
3875 if (!l)
3876 return -ENOMEM;
3877
3878 r = strv_extend_strv(&c->argv, l, false);
3879 if (r < 0)
3880 return r;
3881
3882 return 0;
3883 }
3884
3885
3886 static int exec_runtime_allocate(ExecRuntime **rt) {
3887
3888 if (*rt)
3889 return 0;
3890
3891 *rt = new0(ExecRuntime, 1);
3892 if (!*rt)
3893 return -ENOMEM;
3894
3895 (*rt)->n_ref = 1;
3896 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
3897
3898 return 0;
3899 }
3900
3901 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
3902 int r;
3903
3904 assert(rt);
3905 assert(c);
3906 assert(id);
3907
3908 if (*rt)
3909 return 1;
3910
3911 if (!c->private_network && !c->private_tmp)
3912 return 0;
3913
3914 r = exec_runtime_allocate(rt);
3915 if (r < 0)
3916 return r;
3917
3918 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
3919 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, (*rt)->netns_storage_socket) < 0)
3920 return -errno;
3921 }
3922
3923 if (c->private_tmp && !(*rt)->tmp_dir) {
3924 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
3925 if (r < 0)
3926 return r;
3927 }
3928
3929 return 1;
3930 }
3931
3932 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
3933 assert(r);
3934 assert(r->n_ref > 0);
3935
3936 r->n_ref++;
3937 return r;
3938 }
3939
3940 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
3941
3942 if (!r)
3943 return NULL;
3944
3945 assert(r->n_ref > 0);
3946
3947 r->n_ref--;
3948 if (r->n_ref > 0)
3949 return NULL;
3950
3951 free(r->tmp_dir);
3952 free(r->var_tmp_dir);
3953 safe_close_pair(r->netns_storage_socket);
3954 return mfree(r);
3955 }
3956
3957 int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
3958 assert(u);
3959 assert(f);
3960 assert(fds);
3961
3962 if (!rt)
3963 return 0;
3964
3965 if (rt->tmp_dir)
3966 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
3967
3968 if (rt->var_tmp_dir)
3969 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
3970
3971 if (rt->netns_storage_socket[0] >= 0) {
3972 int copy;
3973
3974 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
3975 if (copy < 0)
3976 return copy;
3977
3978 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
3979 }
3980
3981 if (rt->netns_storage_socket[1] >= 0) {
3982 int copy;
3983
3984 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
3985 if (copy < 0)
3986 return copy;
3987
3988 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
3989 }
3990
3991 return 0;
3992 }
3993
3994 int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
3995 int r;
3996
3997 assert(rt);
3998 assert(key);
3999 assert(value);
4000
4001 if (streq(key, "tmp-dir")) {
4002 char *copy;
4003
4004 r = exec_runtime_allocate(rt);
4005 if (r < 0)
4006 return log_oom();
4007
4008 copy = strdup(value);
4009 if (!copy)
4010 return log_oom();
4011
4012 free((*rt)->tmp_dir);
4013 (*rt)->tmp_dir = copy;
4014
4015 } else if (streq(key, "var-tmp-dir")) {
4016 char *copy;
4017
4018 r = exec_runtime_allocate(rt);
4019 if (r < 0)
4020 return log_oom();
4021
4022 copy = strdup(value);
4023 if (!copy)
4024 return log_oom();
4025
4026 free((*rt)->var_tmp_dir);
4027 (*rt)->var_tmp_dir = copy;
4028
4029 } else if (streq(key, "netns-socket-0")) {
4030 int fd;
4031
4032 r = exec_runtime_allocate(rt);
4033 if (r < 0)
4034 return log_oom();
4035
4036 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
4037 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
4038 else {
4039 safe_close((*rt)->netns_storage_socket[0]);
4040 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
4041 }
4042 } else if (streq(key, "netns-socket-1")) {
4043 int fd;
4044
4045 r = exec_runtime_allocate(rt);
4046 if (r < 0)
4047 return log_oom();
4048
4049 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
4050 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
4051 else {
4052 safe_close((*rt)->netns_storage_socket[1]);
4053 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
4054 }
4055 } else
4056 return 0;
4057
4058 return 1;
4059 }
4060
4061 static void *remove_tmpdir_thread(void *p) {
4062 _cleanup_free_ char *path = p;
4063
4064 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
4065 return NULL;
4066 }
4067
4068 void exec_runtime_destroy(ExecRuntime *rt) {
4069 int r;
4070
4071 if (!rt)
4072 return;
4073
4074 /* If there are multiple users of this, let's leave the stuff around */
4075 if (rt->n_ref > 1)
4076 return;
4077
4078 if (rt->tmp_dir) {
4079 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
4080
4081 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
4082 if (r < 0) {
4083 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
4084 free(rt->tmp_dir);
4085 }
4086
4087 rt->tmp_dir = NULL;
4088 }
4089
4090 if (rt->var_tmp_dir) {
4091 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
4092
4093 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
4094 if (r < 0) {
4095 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
4096 free(rt->var_tmp_dir);
4097 }
4098
4099 rt->var_tmp_dir = NULL;
4100 }
4101
4102 safe_close_pair(rt->netns_storage_socket);
4103 }
4104
4105 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
4106 [EXEC_INPUT_NULL] = "null",
4107 [EXEC_INPUT_TTY] = "tty",
4108 [EXEC_INPUT_TTY_FORCE] = "tty-force",
4109 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
4110 [EXEC_INPUT_SOCKET] = "socket",
4111 [EXEC_INPUT_NAMED_FD] = "fd",
4112 };
4113
4114 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
4115
4116 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
4117 [EXEC_OUTPUT_INHERIT] = "inherit",
4118 [EXEC_OUTPUT_NULL] = "null",
4119 [EXEC_OUTPUT_TTY] = "tty",
4120 [EXEC_OUTPUT_SYSLOG] = "syslog",
4121 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
4122 [EXEC_OUTPUT_KMSG] = "kmsg",
4123 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
4124 [EXEC_OUTPUT_JOURNAL] = "journal",
4125 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
4126 [EXEC_OUTPUT_SOCKET] = "socket",
4127 [EXEC_OUTPUT_NAMED_FD] = "fd",
4128 };
4129
4130 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
4131
4132 static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
4133 [EXEC_UTMP_INIT] = "init",
4134 [EXEC_UTMP_LOGIN] = "login",
4135 [EXEC_UTMP_USER] = "user",
4136 };
4137
4138 DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
Unnamed repository; edit this file 'description' to name the repository.