]>
Commit | Line | Data |
---|---|---|
5cb5a6ff LP |
1 | /*-*- Mode: C; c-basic-offset: 8 -*-*/ |
2 | ||
a7334b09 LP |
3 | /*** |
4 | This file is part of systemd. | |
5 | ||
6 | Copyright 2010 Lennart Poettering | |
7 | ||
8 | systemd is free software; you can redistribute it and/or modify it | |
9 | under the terms of the GNU General Public License as published by | |
10 | the Free Software Foundation; either version 2 of the License, or | |
11 | (at your option) any later version. | |
12 | ||
13 | systemd is distributed in the hope that it will be useful, but | |
14 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
16 | General Public License for more details. | |
17 | ||
18 | You should have received a copy of the GNU General Public License | |
19 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
20 | ***/ | |
21 | ||
5cb5a6ff | 22 | #include <assert.h> |
034c6ed7 LP |
23 | #include <dirent.h> |
24 | #include <errno.h> | |
25 | #include <fcntl.h> | |
26 | #include <unistd.h> | |
44d8db9e | 27 | #include <string.h> |
309bff19 | 28 | #include <signal.h> |
071830ff LP |
29 | #include <sys/socket.h> |
30 | #include <sys/un.h> | |
94f04347 | 31 | #include <sys/prctl.h> |
66ee3769 | 32 | #include <linux/sched.h> |
451a074f LP |
33 | #include <sys/types.h> |
34 | #include <sys/stat.h> | |
81a2b7ce LP |
35 | #include <grp.h> |
36 | #include <pwd.h> | |
5cb5a6ff LP |
37 | |
38 | #include "execute.h" | |
39 | #include "strv.h" | |
40 | #include "macro.h" | |
41 | #include "util.h" | |
acbb0225 | 42 | #include "log.h" |
9eba9da4 | 43 | #include "ioprio.h" |
94f04347 | 44 | #include "securebits.h" |
8e274523 | 45 | #include "cgroup.h" |
5cb5a6ff | 46 | |
034c6ed7 LP |
47 | static int shift_fds(int fds[], unsigned n_fds) { |
48 | int start, restart_from; | |
49 | ||
50 | if (n_fds <= 0) | |
51 | return 0; | |
52 | ||
a0d40ac5 LP |
53 | /* Modifies the fds array! (sorts it) */ |
54 | ||
034c6ed7 LP |
55 | assert(fds); |
56 | ||
57 | start = 0; | |
58 | for (;;) { | |
59 | int i; | |
60 | ||
61 | restart_from = -1; | |
62 | ||
63 | for (i = start; i < (int) n_fds; i++) { | |
64 | int nfd; | |
65 | ||
66 | /* Already at right index? */ | |
67 | if (fds[i] == i+3) | |
68 | continue; | |
69 | ||
70 | if ((nfd = fcntl(fds[i], F_DUPFD, i+3)) < 0) | |
71 | return -errno; | |
72 | ||
2da3263a | 73 | assert_se(close_nointr(fds[i]) == 0); |
034c6ed7 LP |
74 | fds[i] = nfd; |
75 | ||
76 | /* Hmm, the fd we wanted isn't free? Then | |
77 | * let's remember that and try again from here*/ | |
78 | if (nfd != i+3 && restart_from < 0) | |
79 | restart_from = i; | |
80 | } | |
81 | ||
82 | if (restart_from < 0) | |
83 | break; | |
84 | ||
85 | start = restart_from; | |
86 | } | |
87 | ||
88 | return 0; | |
89 | } | |
90 | ||
451a074f | 91 | static int flags_fds(int fds[], unsigned n_fds, bool nonblock) { |
47a71eed | 92 | unsigned i; |
e2c76839 | 93 | int r; |
47a71eed LP |
94 | |
95 | if (n_fds <= 0) | |
96 | return 0; | |
97 | ||
98 | assert(fds); | |
99 | ||
451a074f | 100 | /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */ |
47a71eed LP |
101 | |
102 | for (i = 0; i < n_fds; i++) { | |
47a71eed | 103 | |
e2c76839 LP |
104 | if ((r = fd_nonblock(fds[i], nonblock)) < 0) |
105 | return r; | |
47a71eed | 106 | |
451a074f LP |
107 | /* We unconditionally drop FD_CLOEXEC from the fds, |
108 | * since after all we want to pass these fds to our | |
109 | * children */ | |
47a71eed | 110 | |
e2c76839 LP |
111 | if ((r = fd_cloexec(fds[i], false)) < 0) |
112 | return r; | |
47a71eed LP |
113 | } |
114 | ||
115 | return 0; | |
116 | } | |
117 | ||
071830ff LP |
118 | static int replace_null_fd(int fd, int flags) { |
119 | int nfd; | |
120 | assert(fd >= 0); | |
121 | ||
122 | close_nointr(fd); | |
123 | ||
124 | if ((nfd = open("/dev/null", flags|O_NOCTTY)) < 0) | |
125 | return -errno; | |
126 | ||
127 | if (nfd != fd) { | |
128 | close_nointr_nofail(nfd); | |
129 | return -EIO; | |
130 | } | |
131 | ||
132 | return 0; | |
133 | } | |
134 | ||
135 | static int setup_output(const ExecContext *context, const char *ident) { | |
136 | int r; | |
137 | ||
138 | assert(context); | |
139 | ||
140 | switch (context->output) { | |
141 | ||
94f04347 | 142 | case EXEC_OUTPUT_CONSOLE: |
071830ff LP |
143 | return 0; |
144 | ||
94f04347 | 145 | case EXEC_OUTPUT_NULL: |
071830ff | 146 | |
94f04347 | 147 | if ((r = replace_null_fd(STDOUT_FILENO, O_WRONLY)) < 0 || |
071830ff LP |
148 | (r = replace_null_fd(STDERR_FILENO, O_WRONLY)) < 0) |
149 | return r; | |
150 | ||
151 | return 0; | |
152 | ||
94f04347 LP |
153 | case EXEC_OUTPUT_KERNEL: |
154 | case EXEC_OUTPUT_SYSLOG: { | |
071830ff LP |
155 | |
156 | int fd; | |
157 | union { | |
158 | struct sockaddr sa; | |
159 | struct sockaddr_un un; | |
160 | } sa; | |
161 | ||
071830ff LP |
162 | close_nointr(STDOUT_FILENO); |
163 | close_nointr(STDERR_FILENO); | |
164 | ||
165 | if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) | |
166 | return -errno; | |
167 | ||
168 | if (fd != STDOUT_FILENO) { | |
169 | close_nointr_nofail(fd); | |
170 | return -EIO; | |
171 | } | |
172 | ||
173 | zero(sa); | |
174 | sa.sa.sa_family = AF_UNIX; | |
175 | strncpy(sa.un.sun_path+1, LOGGER_SOCKET, sizeof(sa.un.sun_path)-1); | |
176 | ||
177 | if (connect(fd, &sa.sa, sizeof(sa)) < 0) { | |
178 | close_nointr_nofail(fd); | |
179 | return -errno; | |
180 | } | |
181 | ||
182 | if (shutdown(fd, SHUT_RD) < 0) { | |
183 | close_nointr_nofail(fd); | |
184 | return -errno; | |
185 | } | |
186 | ||
187 | if ((fd = dup(fd)) < 0) { | |
188 | close_nointr_nofail(fd); | |
189 | return -errno; | |
190 | } | |
191 | ||
192 | if (fd != STDERR_FILENO) { | |
193 | close_nointr_nofail(fd); | |
194 | return -EIO; | |
195 | } | |
196 | ||
197 | /* We speak a very simple protocol between log server | |
198 | * and client: one line for the log destination (kmsg | |
199 | * or syslog), followed by the priority field, | |
200 | * followed by the process name. Since we replaced | |
201 | * stdin/stderr we simple use stdio to write to | |
202 | * it. Note that we use stderr, to minimize buffer | |
203 | * flushing issues. */ | |
204 | ||
205 | fprintf(stderr, | |
206 | "%s\n" | |
207 | "%i\n" | |
208 | "%s\n", | |
94f04347 | 209 | context->output == EXEC_OUTPUT_KERNEL ? "kmsg" : "syslog", |
071830ff LP |
210 | context->syslog_priority, |
211 | context->syslog_identifier ? context->syslog_identifier : ident); | |
212 | ||
213 | return 0; | |
214 | } | |
94f04347 LP |
215 | |
216 | default: | |
217 | assert_not_reached("Unknown output type"); | |
071830ff | 218 | } |
94f04347 LP |
219 | } |
220 | ||
47be870b | 221 | static int setup_input(const ExecContext *context) { |
94f04347 LP |
222 | int r; |
223 | ||
224 | assert(context); | |
071830ff | 225 | |
94f04347 LP |
226 | switch (context->input) { |
227 | ||
228 | case EXEC_INPUT_CONSOLE: | |
229 | return 0; | |
230 | ||
231 | case EXEC_INPUT_NULL: | |
232 | if ((r = replace_null_fd(STDIN_FILENO, O_RDONLY)) < 0) | |
233 | return r; | |
234 | ||
235 | return 0; | |
236 | ||
237 | default: | |
238 | assert_not_reached("Unknown input type"); | |
239 | } | |
071830ff LP |
240 | } |
241 | ||
81a2b7ce LP |
242 | static int get_group_creds(const char *groupname, gid_t *gid) { |
243 | struct group *g; | |
244 | unsigned long lu; | |
245 | ||
246 | assert(groupname); | |
247 | assert(gid); | |
248 | ||
249 | /* We enforce some special rules for gid=0: in order to avoid | |
250 | * NSS lookups for root we hardcode its data. */ | |
251 | ||
252 | if (streq(groupname, "root") || streq(groupname, "0")) { | |
253 | *gid = 0; | |
254 | return 0; | |
255 | } | |
256 | ||
257 | if (safe_atolu(groupname, &lu) >= 0) { | |
258 | errno = 0; | |
259 | g = getgrgid((gid_t) lu); | |
260 | } else { | |
261 | errno = 0; | |
262 | g = getgrnam(groupname); | |
263 | } | |
264 | ||
265 | if (!g) | |
266 | return errno != 0 ? -errno : -ESRCH; | |
267 | ||
268 | *gid = g->gr_gid; | |
269 | return 0; | |
270 | } | |
271 | ||
272 | static int get_user_creds(const char **username, uid_t *uid, gid_t *gid, const char **home) { | |
273 | struct passwd *p; | |
274 | unsigned long lu; | |
275 | ||
276 | assert(username); | |
277 | assert(*username); | |
278 | assert(uid); | |
279 | assert(gid); | |
280 | assert(home); | |
281 | ||
282 | /* We enforce some special rules for uid=0: in order to avoid | |
283 | * NSS lookups for root we hardcode its data. */ | |
284 | ||
285 | if (streq(*username, "root") || streq(*username, "0")) { | |
286 | *username = "root"; | |
287 | *uid = 0; | |
288 | *gid = 0; | |
289 | *home = "/root"; | |
290 | return 0; | |
291 | } | |
292 | ||
293 | if (safe_atolu(*username, &lu) >= 0) { | |
294 | errno = 0; | |
295 | p = getpwuid((uid_t) lu); | |
296 | ||
297 | /* If there are multiple users with the same id, make | |
298 | * sure to leave $USER to the configured value instead | |
299 | * of the first occurence in the database. However if | |
300 | * the uid was configured by a numeric uid, then let's | |
301 | * pick the real username from /etc/passwd. */ | |
302 | if (*username && p) | |
303 | *username = p->pw_name; | |
304 | } else { | |
305 | errno = 0; | |
306 | p = getpwnam(*username); | |
307 | } | |
308 | ||
309 | if (!p) | |
310 | return errno != 0 ? -errno : -ESRCH; | |
311 | ||
312 | *uid = p->pw_uid; | |
313 | *gid = p->pw_gid; | |
314 | *home = p->pw_dir; | |
315 | return 0; | |
316 | } | |
317 | ||
318 | static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) { | |
319 | bool keep_groups = false; | |
320 | int r; | |
321 | ||
322 | assert(context); | |
323 | ||
324 | /* Lookup and ser GID and supplementary group list. Here too | |
325 | * we avoid NSS lookups for gid=0. */ | |
326 | ||
327 | if (context->group || username) { | |
328 | ||
329 | if (context->group) | |
330 | if ((r = get_group_creds(context->group, &gid)) < 0) | |
331 | return r; | |
332 | ||
333 | /* First step, initialize groups from /etc/groups */ | |
334 | if (username && gid != 0) { | |
335 | if (initgroups(username, gid) < 0) | |
336 | return -errno; | |
337 | ||
338 | keep_groups = true; | |
339 | } | |
340 | ||
341 | /* Second step, set our gids */ | |
342 | if (setresgid(gid, gid, gid) < 0) | |
343 | return -errno; | |
344 | } | |
345 | ||
346 | if (context->supplementary_groups) { | |
347 | int ngroups_max, k; | |
348 | gid_t *gids; | |
349 | char **i; | |
350 | ||
351 | /* Final step, initialize any manually set supplementary groups */ | |
352 | ngroups_max = (int) sysconf(_SC_NGROUPS_MAX); | |
353 | ||
354 | if (!(gids = new(gid_t, ngroups_max))) | |
355 | return -ENOMEM; | |
356 | ||
357 | if (keep_groups) { | |
358 | if ((k = getgroups(ngroups_max, gids)) < 0) { | |
359 | free(gids); | |
360 | return -errno; | |
361 | } | |
362 | } else | |
363 | k = 0; | |
364 | ||
365 | STRV_FOREACH(i, context->supplementary_groups) { | |
366 | ||
367 | if (k >= ngroups_max) { | |
368 | free(gids); | |
369 | return -E2BIG; | |
370 | } | |
371 | ||
372 | if ((r = get_group_creds(*i, gids+k)) < 0) { | |
373 | free(gids); | |
374 | return r; | |
375 | } | |
376 | ||
377 | k++; | |
378 | } | |
379 | ||
380 | if (setgroups(k, gids) < 0) { | |
381 | free(gids); | |
382 | return -errno; | |
383 | } | |
384 | ||
385 | free(gids); | |
386 | } | |
387 | ||
388 | return 0; | |
389 | } | |
390 | ||
391 | static int enforce_user(const ExecContext *context, uid_t uid) { | |
392 | int r; | |
393 | assert(context); | |
394 | ||
395 | /* Sets (but doesn't lookup) the uid and make sure we keep the | |
396 | * capabilities while doing so. */ | |
397 | ||
398 | if (context->capabilities) { | |
399 | cap_t d; | |
400 | static const cap_value_t bits[] = { | |
401 | CAP_SETUID, /* Necessary so that we can run setresuid() below */ | |
402 | CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */ | |
403 | }; | |
404 | ||
405 | /* First step: If we need to keep capabilities but | |
406 | * drop privileges we need to make sure we keep our | |
407 | * caps, whiel we drop priviliges. */ | |
693ced48 LP |
408 | if (uid != 0) { |
409 | int sb = context->secure_bits|SECURE_KEEP_CAPS; | |
410 | ||
411 | if (prctl(PR_GET_SECUREBITS) != sb) | |
412 | if (prctl(PR_SET_SECUREBITS, sb) < 0) | |
413 | return -errno; | |
414 | } | |
81a2b7ce LP |
415 | |
416 | /* Second step: set the capabilites. This will reduce | |
417 | * the capabilities to the minimum we need. */ | |
418 | ||
419 | if (!(d = cap_dup(context->capabilities))) | |
420 | return -errno; | |
421 | ||
422 | if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 || | |
423 | cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0) { | |
424 | r = -errno; | |
425 | cap_free(d); | |
426 | return r; | |
427 | } | |
428 | ||
429 | if (cap_set_proc(d) < 0) { | |
430 | r = -errno; | |
431 | cap_free(d); | |
432 | return r; | |
433 | } | |
434 | ||
435 | cap_free(d); | |
436 | } | |
437 | ||
438 | /* Third step: actually set the uids */ | |
439 | if (setresuid(uid, uid, uid) < 0) | |
440 | return -errno; | |
441 | ||
442 | /* At this point we should have all necessary capabilities but | |
443 | are otherwise a normal user. However, the caps might got | |
444 | corrupted due to the setresuid() so we need clean them up | |
445 | later. This is done outside of this call. */ | |
446 | ||
447 | return 0; | |
448 | } | |
449 | ||
450 | int exec_spawn(const ExecCommand *command, | |
451 | const ExecContext *context, | |
452 | int *fds, unsigned n_fds, | |
453 | bool apply_permissions, | |
454 | bool apply_chroot, | |
8e274523 | 455 | CGroupBonding *cgroup_bondings, |
81a2b7ce LP |
456 | pid_t *ret) { |
457 | ||
034c6ed7 | 458 | pid_t pid; |
8e274523 | 459 | int r; |
034c6ed7 | 460 | |
5cb5a6ff LP |
461 | assert(command); |
462 | assert(context); | |
463 | assert(ret); | |
034c6ed7 LP |
464 | assert(fds || n_fds <= 0); |
465 | ||
81a2b7ce | 466 | log_debug("About to execute %s", command->path); |
acbb0225 | 467 | |
8e274523 LP |
468 | if (cgroup_bondings) |
469 | if ((r = cgroup_bonding_realize_list(cgroup_bondings))) | |
470 | return r; | |
471 | ||
034c6ed7 LP |
472 | if ((pid = fork()) < 0) |
473 | return -errno; | |
474 | ||
475 | if (pid == 0) { | |
8e274523 | 476 | int i; |
309bff19 | 477 | sigset_t ss; |
81a2b7ce LP |
478 | const char *username = NULL, *home = NULL; |
479 | uid_t uid = (uid_t) -1; | |
480 | gid_t gid = (gid_t) -1; | |
481 | char **our_env = NULL, **final_env = NULL; | |
482 | unsigned n_env = 0; | |
309bff19 | 483 | |
034c6ed7 | 484 | /* child */ |
5cb5a6ff | 485 | |
309bff19 LP |
486 | if (sigemptyset(&ss) < 0 || |
487 | sigprocmask(SIG_SETMASK, &ss, NULL) < 0) { | |
488 | r = EXIT_SIGNAL_MASK; | |
489 | goto fail; | |
490 | } | |
491 | ||
ee2b4894 LP |
492 | if (context->new_session) { |
493 | if (setsid() < 0) { | |
494 | r = EXIT_SETSID; | |
495 | goto fail; | |
496 | } | |
497 | } else { | |
498 | if (setpgid(0, 0) < 0) { | |
499 | r = EXIT_PGID; | |
500 | goto fail; | |
501 | } | |
034c6ed7 LP |
502 | } |
503 | ||
9eba9da4 LP |
504 | umask(context->umask); |
505 | ||
94f04347 LP |
506 | if (setup_input(context) < 0) { |
507 | r = EXIT_INPUT; | |
508 | goto fail; | |
509 | } | |
510 | ||
071830ff LP |
511 | if (setup_output(context, file_name_from_path(command->path)) < 0) { |
512 | r = EXIT_OUTPUT; | |
513 | goto fail; | |
514 | } | |
515 | ||
8e274523 LP |
516 | if (cgroup_bondings) |
517 | if ((r = cgroup_bonding_install_list(cgroup_bondings, 0)) < 0) { | |
518 | r = EXIT_CGROUP; | |
519 | goto fail; | |
520 | } | |
521 | ||
fb33a393 LP |
522 | if (context->oom_adjust_set) { |
523 | char t[16]; | |
034c6ed7 | 524 | |
fb33a393 LP |
525 | snprintf(t, sizeof(t), "%i", context->oom_adjust); |
526 | char_array_0(t); | |
034c6ed7 | 527 | |
fb33a393 LP |
528 | if (write_one_line_file("/proc/self/oom_adj", t) < 0) { |
529 | r = EXIT_OOM_ADJUST; | |
530 | goto fail; | |
531 | } | |
034c6ed7 LP |
532 | } |
533 | ||
fb33a393 LP |
534 | if (context->nice_set) |
535 | if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) { | |
536 | r = EXIT_NICE; | |
537 | goto fail; | |
538 | } | |
539 | ||
94f04347 LP |
540 | if (context->cpu_sched_set) { |
541 | struct sched_param param; | |
542 | ||
543 | zero(param); | |
544 | param.sched_priority = context->cpu_sched_priority; | |
545 | ||
38b48754 LP |
546 | if (sched_setscheduler(0, context->cpu_sched_policy | |
547 | (context->cpu_sched_reset_on_fork ? SCHED_RESET_ON_FORK : 0), ¶m) < 0) { | |
94f04347 LP |
548 | r = EXIT_SETSCHEDULER; |
549 | goto fail; | |
550 | } | |
551 | } | |
552 | ||
553 | if (context->cpu_affinity_set) | |
554 | if (sched_setaffinity(0, sizeof(context->cpu_affinity), &context->cpu_affinity) < 0) { | |
555 | r = EXIT_CPUAFFINITY; | |
556 | goto fail; | |
557 | } | |
558 | ||
9eba9da4 LP |
559 | if (context->ioprio_set) |
560 | if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) { | |
561 | r = EXIT_IOPRIO; | |
562 | goto fail; | |
563 | } | |
564 | ||
94f04347 LP |
565 | if (context->timer_slack_ns_set) |
566 | if (prctl(PR_SET_TIMERSLACK, context->timer_slack_ns_set) < 0) { | |
567 | r = EXIT_TIMERSLACK; | |
568 | goto fail; | |
569 | } | |
570 | ||
81a2b7ce LP |
571 | if (context->user) { |
572 | username = context->user; | |
573 | if (get_user_creds(&username, &uid, &gid, &home) < 0) { | |
574 | r = EXIT_USER; | |
575 | goto fail; | |
576 | } | |
577 | } | |
578 | ||
579 | if (apply_permissions) | |
580 | if (enforce_groups(context, username, uid) < 0) { | |
581 | r = EXIT_GROUP; | |
582 | goto fail; | |
583 | } | |
584 | ||
585 | if (apply_chroot) { | |
586 | if (context->root_directory) | |
587 | if (chroot(context->root_directory) < 0) { | |
588 | r = EXIT_CHROOT; | |
589 | goto fail; | |
590 | } | |
591 | ||
592 | if (chdir(context->working_directory ? context->working_directory : "/") < 0) { | |
593 | r = EXIT_CHDIR; | |
594 | goto fail; | |
595 | } | |
596 | } else { | |
597 | ||
598 | char *d; | |
599 | ||
600 | if (asprintf(&d, "%s/%s", | |
601 | context->root_directory ? context->root_directory : "", | |
602 | context->working_directory ? context->working_directory : "") < 0) { | |
603 | r = EXIT_MEMORY; | |
604 | goto fail; | |
605 | } | |
606 | ||
607 | if (chdir(d) < 0) { | |
608 | free(d); | |
609 | r = EXIT_CHDIR; | |
610 | goto fail; | |
611 | } | |
612 | ||
613 | free(d); | |
614 | } | |
615 | ||
a0d40ac5 | 616 | if (close_all_fds(fds, n_fds) < 0 || |
47a71eed | 617 | shift_fds(fds, n_fds) < 0 || |
451a074f | 618 | flags_fds(fds, n_fds, context->non_blocking) < 0) { |
034c6ed7 LP |
619 | r = EXIT_FDS; |
620 | goto fail; | |
621 | } | |
622 | ||
81a2b7ce | 623 | if (apply_permissions) { |
034c6ed7 | 624 | |
81a2b7ce LP |
625 | for (i = 0; i < RLIMIT_NLIMITS; i++) { |
626 | if (!context->rlimit[i]) | |
627 | continue; | |
628 | ||
629 | if (setrlimit(i, context->rlimit[i]) < 0) { | |
630 | r = EXIT_LIMITS; | |
631 | goto fail; | |
632 | } | |
034c6ed7 | 633 | } |
034c6ed7 | 634 | |
81a2b7ce LP |
635 | if (context->user) |
636 | if (enforce_user(context, uid) < 0) { | |
637 | r = EXIT_USER; | |
638 | goto fail; | |
639 | } | |
640 | ||
693ced48 LP |
641 | /* PR_GET_SECUREBITS is not priviliged, while |
642 | * PR_SET_SECUREBITS is. So to suppress | |
643 | * potential EPERMs we'll try not to call | |
644 | * PR_SET_SECUREBITS unless necessary. */ | |
645 | if (prctl(PR_GET_SECUREBITS) != context->secure_bits) | |
646 | if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) { | |
647 | r = EXIT_SECUREBITS; | |
648 | goto fail; | |
649 | } | |
81a2b7ce LP |
650 | |
651 | if (context->capabilities) | |
652 | if (cap_set_proc(context->capabilities) < 0) { | |
653 | r = EXIT_CAPABILITIES; | |
654 | goto fail; | |
655 | } | |
94f04347 LP |
656 | } |
657 | ||
81a2b7ce LP |
658 | if (!(our_env = new0(char*, 6))) { |
659 | r = EXIT_MEMORY; | |
660 | goto fail; | |
661 | } | |
034c6ed7 | 662 | |
81a2b7ce LP |
663 | if (n_fds > 0) |
664 | if (asprintf(our_env + n_env++, "LISTEN_PID=%llu", (unsigned long long) getpid()) < 0 || | |
665 | asprintf(our_env + n_env++, "LISTEN_FDS=%u", n_fds) < 0) { | |
666 | r = EXIT_MEMORY; | |
667 | goto fail; | |
668 | } | |
034c6ed7 | 669 | |
81a2b7ce LP |
670 | if (home) |
671 | if (asprintf(our_env + n_env++, "HOME=%s", home) < 0) { | |
672 | r = EXIT_MEMORY; | |
673 | goto fail; | |
674 | } | |
034c6ed7 | 675 | |
81a2b7ce LP |
676 | if (username) |
677 | if (asprintf(our_env + n_env++, "LOGNAME=%s", username) < 0 || | |
678 | asprintf(our_env + n_env++, "USER=%s", username) < 0) { | |
679 | r = EXIT_MEMORY; | |
680 | goto fail; | |
681 | } | |
034c6ed7 | 682 | |
81a2b7ce LP |
683 | if (!(final_env = strv_env_merge(environ, our_env, context->environment, NULL))) { |
684 | r = EXIT_MEMORY; | |
685 | goto fail; | |
686 | } | |
034c6ed7 | 687 | |
81a2b7ce | 688 | execve(command->path, command->argv, final_env); |
034c6ed7 LP |
689 | r = EXIT_EXEC; |
690 | ||
691 | fail: | |
81a2b7ce LP |
692 | strv_free(our_env); |
693 | strv_free(final_env); | |
694 | ||
034c6ed7 LP |
695 | _exit(r); |
696 | } | |
697 | ||
2da3263a | 698 | |
81a2b7ce | 699 | log_debug("Forked %s as %llu", command->path, (unsigned long long) pid); |
2da3263a | 700 | |
034c6ed7 | 701 | *ret = pid; |
5cb5a6ff LP |
702 | return 0; |
703 | } | |
704 | ||
034c6ed7 LP |
705 | void exec_context_init(ExecContext *c) { |
706 | assert(c); | |
707 | ||
708 | c->umask = 0002; | |
034c6ed7 | 709 | c->oom_adjust = 0; |
9eba9da4 | 710 | c->oom_adjust_set = false; |
034c6ed7 | 711 | c->nice = 0; |
9eba9da4 LP |
712 | c->nice_set = false; |
713 | c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0); | |
714 | c->ioprio_set = false; | |
94f04347 LP |
715 | c->cpu_sched_policy = SCHED_OTHER; |
716 | c->cpu_sched_priority = 0; | |
717 | c->cpu_sched_set = false; | |
718 | CPU_ZERO(&c->cpu_affinity); | |
719 | c->cpu_affinity_set = false; | |
ee2b4894 LP |
720 | c->timer_slack_ns = 0; |
721 | c->timer_slack_ns_set = false; | |
722 | ||
723 | c->cpu_sched_reset_on_fork = false; | |
724 | c->non_blocking = false; | |
725 | c->new_session = false; | |
071830ff | 726 | |
94f04347 | 727 | c->input = 0; |
071830ff LP |
728 | c->output = 0; |
729 | c->syslog_priority = LOG_DAEMON|LOG_INFO; | |
94f04347 LP |
730 | |
731 | c->secure_bits = 0; | |
732 | c->capability_bounding_set_drop = 0; | |
034c6ed7 LP |
733 | } |
734 | ||
735 | void exec_context_done(ExecContext *c) { | |
5cb5a6ff LP |
736 | unsigned l; |
737 | ||
738 | assert(c); | |
739 | ||
740 | strv_free(c->environment); | |
034c6ed7 | 741 | c->environment = NULL; |
5cb5a6ff | 742 | |
034c6ed7 | 743 | for (l = 0; l < ELEMENTSOF(c->rlimit); l++) { |
5cb5a6ff | 744 | free(c->rlimit[l]); |
034c6ed7 LP |
745 | c->rlimit[l] = NULL; |
746 | } | |
747 | ||
9eba9da4 LP |
748 | free(c->working_directory); |
749 | c->working_directory = NULL; | |
750 | free(c->root_directory); | |
751 | c->root_directory = NULL; | |
5cb5a6ff | 752 | |
071830ff LP |
753 | free(c->syslog_identifier); |
754 | c->syslog_identifier = NULL; | |
755 | ||
5cb5a6ff | 756 | free(c->user); |
034c6ed7 LP |
757 | c->user = NULL; |
758 | ||
5cb5a6ff | 759 | free(c->group); |
034c6ed7 LP |
760 | c->group = NULL; |
761 | ||
762 | strv_free(c->supplementary_groups); | |
763 | c->supplementary_groups = NULL; | |
94f04347 LP |
764 | |
765 | if (c->capabilities) { | |
766 | cap_free(c->capabilities); | |
767 | c->capabilities = NULL; | |
768 | } | |
5cb5a6ff LP |
769 | } |
770 | ||
771 | void exec_command_free_list(ExecCommand *c) { | |
772 | ExecCommand *i; | |
773 | ||
774 | while ((i = c)) { | |
034c6ed7 | 775 | LIST_REMOVE(ExecCommand, command, c, i); |
5cb5a6ff LP |
776 | |
777 | free(i->path); | |
44d8db9e | 778 | strv_free(i->argv); |
5cb5a6ff LP |
779 | free(i); |
780 | } | |
781 | } | |
782 | ||
034c6ed7 LP |
783 | void exec_command_free_array(ExecCommand **c, unsigned n) { |
784 | unsigned i; | |
785 | ||
786 | for (i = 0; i < n; i++) { | |
787 | exec_command_free_list(c[i]); | |
788 | c[i] = NULL; | |
789 | } | |
790 | } | |
791 | ||
5cb5a6ff | 792 | void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { |
94f04347 LP |
793 | char ** e; |
794 | unsigned i; | |
9eba9da4 | 795 | |
5cb5a6ff LP |
796 | assert(c); |
797 | assert(f); | |
798 | ||
799 | if (!prefix) | |
800 | prefix = ""; | |
801 | ||
802 | fprintf(f, | |
94f04347 LP |
803 | "%sUMask: %04o\n" |
804 | "%sWorkingDirectory: %s\n" | |
451a074f | 805 | "%sRootDirectory: %s\n" |
ee2b4894 LP |
806 | "%sNonBlocking: %s\n" |
807 | "%sNewSession: %s\n", | |
5cb5a6ff | 808 | prefix, c->umask, |
9eba9da4 | 809 | prefix, c->working_directory ? c->working_directory : "/", |
451a074f | 810 | prefix, c->root_directory ? c->root_directory : "/", |
ee2b4894 LP |
811 | prefix, yes_no(c->non_blocking), |
812 | prefix, yes_no(c->new_session)); | |
fb33a393 | 813 | |
94f04347 LP |
814 | if (c->environment) |
815 | for (e = c->environment; *e; e++) | |
816 | fprintf(f, "%sEnvironment: %s\n", prefix, *e); | |
817 | ||
fb33a393 LP |
818 | if (c->nice_set) |
819 | fprintf(f, | |
820 | "%sNice: %i\n", | |
821 | prefix, c->nice); | |
822 | ||
823 | if (c->oom_adjust_set) | |
824 | fprintf(f, | |
825 | "%sOOMAdjust: %i\n", | |
826 | prefix, c->oom_adjust); | |
9eba9da4 | 827 | |
94f04347 LP |
828 | for (i = 0; i < RLIM_NLIMITS; i++) |
829 | if (c->rlimit[i]) | |
ea430986 | 830 | fprintf(f, "%s%s: %llu\n", prefix, rlimit_to_string(i), (unsigned long long) c->rlimit[i]->rlim_max); |
94f04347 | 831 | |
9eba9da4 LP |
832 | if (c->ioprio_set) |
833 | fprintf(f, | |
834 | "%sIOSchedulingClass: %s\n" | |
835 | "%sIOPriority: %i\n", | |
94f04347 | 836 | prefix, ioprio_class_to_string(IOPRIO_PRIO_CLASS(c->ioprio)), |
9eba9da4 | 837 | prefix, (int) IOPRIO_PRIO_DATA(c->ioprio)); |
94f04347 LP |
838 | |
839 | if (c->cpu_sched_set) | |
840 | fprintf(f, | |
841 | "%sCPUSchedulingPolicy: %s\n" | |
38b48754 LP |
842 | "%sCPUSchedulingPriority: %i\n" |
843 | "%sCPUSchedulingResetOnFork: %s\n", | |
94f04347 | 844 | prefix, sched_policy_to_string(c->cpu_sched_policy), |
38b48754 LP |
845 | prefix, c->cpu_sched_priority, |
846 | prefix, yes_no(c->cpu_sched_reset_on_fork)); | |
94f04347 LP |
847 | |
848 | if (c->cpu_affinity_set) { | |
849 | fprintf(f, "%sCPUAffinity:", prefix); | |
850 | for (i = 0; i < CPU_SETSIZE; i++) | |
851 | if (CPU_ISSET(i, &c->cpu_affinity)) | |
852 | fprintf(f, " %i", i); | |
853 | fputs("\n", f); | |
854 | } | |
855 | ||
856 | if (c->timer_slack_ns_set) | |
857 | fprintf(f, "%sTimerSlackNS: %lu\n", prefix, c->timer_slack_ns); | |
858 | ||
859 | fprintf(f, | |
860 | "%sInput: %s\n" | |
861 | "%sOutput: %s\n", | |
862 | prefix, exec_input_to_string(c->input), | |
863 | prefix, exec_output_to_string(c->output)); | |
864 | ||
865 | if (c->output == EXEC_OUTPUT_SYSLOG || c->output == EXEC_OUTPUT_KERNEL) | |
866 | fprintf(f, | |
867 | "%sSyslogFacility: %s\n" | |
868 | "%sSyslogLevel: %s\n", | |
869 | prefix, log_facility_to_string(LOG_FAC(c->syslog_priority)), | |
870 | prefix, log_level_to_string(LOG_PRI(c->syslog_priority))); | |
871 | ||
872 | if (c->capabilities) { | |
873 | char *t; | |
874 | if ((t = cap_to_text(c->capabilities, NULL))) { | |
875 | fprintf(f, "%sCapabilities: %s\n", | |
876 | prefix, t); | |
877 | cap_free(t); | |
878 | } | |
879 | } | |
880 | ||
881 | if (c->secure_bits) | |
882 | fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n", | |
883 | prefix, | |
884 | (c->secure_bits & SECURE_KEEP_CAPS) ? " keep-caps" : "", | |
885 | (c->secure_bits & SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "", | |
886 | (c->secure_bits & SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "", | |
887 | (c->secure_bits & SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "", | |
888 | (c->secure_bits & SECURE_NOROOT) ? " noroot" : "", | |
889 | (c->secure_bits & SECURE_NOROOT_LOCKED) ? "noroot-locked" : ""); | |
890 | ||
891 | if (c->capability_bounding_set_drop) { | |
892 | fprintf(f, "%sCapabilityBoundingSetDrop:", prefix); | |
893 | ||
894 | for (i = 0; i <= CAP_LAST_CAP; i++) | |
895 | if (c->capability_bounding_set_drop & (1 << i)) { | |
896 | char *t; | |
897 | ||
898 | if ((t = cap_to_name(i))) { | |
899 | fprintf(f, " %s", t); | |
900 | free(t); | |
901 | } | |
902 | } | |
903 | ||
904 | fputs("\n", f); | |
905 | } | |
906 | ||
907 | if (c->user) | |
908 | fprintf(f, "%sUser: %s", prefix, c->user); | |
909 | if (c->group) | |
910 | fprintf(f, "%sGroup: %s", prefix, c->group); | |
911 | ||
912 | if (c->supplementary_groups) { | |
913 | char **g; | |
914 | ||
915 | fprintf(f, "%sSupplementaryGroups:", prefix); | |
916 | ||
917 | STRV_FOREACH(g, c->supplementary_groups) | |
918 | fprintf(f, " %s", *g); | |
919 | ||
920 | fputs("\n", f); | |
921 | } | |
5cb5a6ff LP |
922 | } |
923 | ||
034c6ed7 LP |
924 | void exec_status_fill(ExecStatus *s, pid_t pid, int code, int status) { |
925 | assert(s); | |
5cb5a6ff | 926 | |
034c6ed7 LP |
927 | s->pid = pid; |
928 | s->code = code; | |
929 | s->status = status; | |
930 | s->timestamp = now(CLOCK_REALTIME); | |
5cb5a6ff | 931 | } |
44d8db9e LP |
932 | |
933 | char *exec_command_line(ExecCommand *c) { | |
934 | size_t k; | |
935 | char *n, *p, **a; | |
936 | bool first = true; | |
937 | ||
938 | assert(c); | |
939 | assert(c->argv); | |
940 | ||
9164977d | 941 | k = 1; |
44d8db9e LP |
942 | STRV_FOREACH(a, c->argv) |
943 | k += strlen(*a)+3; | |
944 | ||
945 | if (!(n = new(char, k))) | |
946 | return NULL; | |
947 | ||
948 | p = n; | |
949 | STRV_FOREACH(a, c->argv) { | |
950 | ||
951 | if (!first) | |
952 | *(p++) = ' '; | |
953 | else | |
954 | first = false; | |
955 | ||
956 | if (strpbrk(*a, WHITESPACE)) { | |
957 | *(p++) = '\''; | |
958 | p = stpcpy(p, *a); | |
959 | *(p++) = '\''; | |
960 | } else | |
961 | p = stpcpy(p, *a); | |
962 | ||
963 | } | |
964 | ||
9164977d LP |
965 | *p = 0; |
966 | ||
44d8db9e LP |
967 | /* FIXME: this doesn't really handle arguments that have |
968 | * spaces and ticks in them */ | |
969 | ||
970 | return n; | |
971 | } | |
972 | ||
973 | void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) { | |
974 | char *cmd; | |
975 | ||
976 | assert(c); | |
977 | assert(f); | |
978 | ||
979 | if (!prefix) | |
980 | prefix = ""; | |
981 | ||
982 | cmd = exec_command_line(c); | |
983 | ||
984 | fprintf(f, | |
985 | "%sCommand Line: %s\n", | |
986 | prefix, cmd ? cmd : strerror(ENOMEM)); | |
987 | ||
988 | free(cmd); | |
989 | } | |
990 | ||
991 | void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) { | |
992 | assert(f); | |
993 | ||
994 | if (!prefix) | |
995 | prefix = ""; | |
996 | ||
997 | LIST_FOREACH(command, c, c) | |
998 | exec_command_dump(c, f, prefix); | |
999 | } | |
94f04347 | 1000 | |
a6a80b4f LP |
1001 | void exec_command_append_list(ExecCommand **l, ExecCommand *e) { |
1002 | ExecCommand *end; | |
1003 | ||
1004 | assert(l); | |
1005 | assert(e); | |
1006 | ||
1007 | if (*l) { | |
1008 | /* It's kinda important that we keep the order here */ | |
1009 | LIST_FIND_TAIL(ExecCommand, command, *l, end); | |
1010 | LIST_INSERT_AFTER(ExecCommand, command, *l, end, e); | |
1011 | } else | |
1012 | *l = e; | |
1013 | } | |
1014 | ||
94f04347 LP |
1015 | static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = { |
1016 | [EXEC_OUTPUT_CONSOLE] = "console", | |
1017 | [EXEC_OUTPUT_NULL] = "null", | |
1018 | [EXEC_OUTPUT_SYSLOG] = "syslog", | |
1019 | [EXEC_OUTPUT_KERNEL] = "kernel" | |
1020 | }; | |
1021 | ||
1022 | DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput); | |
1023 | ||
1024 | static const char* const exec_input_table[_EXEC_INPUT_MAX] = { | |
1025 | [EXEC_INPUT_NULL] = "null", | |
1026 | [EXEC_INPUT_CONSOLE] = "console" | |
1027 | }; | |
1028 | ||
1029 | DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput); |