]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/core/execute.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
parse-util: introduce pid_is_valid()
[thirdparty/systemd.git] / src / core / execute.c
CommitLineData
a7334b09
LP		 1/***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
5430f7f2
LP		 7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
a7334b09
LP		 9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2 14 Lesser General Public License for more details.
a7334b09 15
5430f7f2 16 You should have received a copy of the GNU Lesser General Public License
a7334b09
LP		 17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18***/
19
034c6ed7
LP		 20#include <errno.h>
21#include <fcntl.h>
8dd4c05b
LP		 22#include <glob.h>
23#include <grp.h>
24#include <poll.h>
309bff19 25#include <signal.h>
8dd4c05b 26#include <string.h>
19c0b0b9 27#include <sys/capability.h>
d251207d 28#include <sys/eventfd.h>
f3e43635 29#include <sys/mman.h>
8dd4c05b 30#include <sys/personality.h>
94f04347 31#include <sys/prctl.h>
d2ffa389 32#include <sys/shm.h>
8dd4c05b 33#include <sys/socket.h>
451a074f 34#include <sys/stat.h>
d2ffa389 35#include <sys/types.h>
8dd4c05b
LP		 36#include <sys/un.h>
37#include <unistd.h>
023a4f67 38#include <utmpx.h>
5cb5a6ff 39
5b6319dc
LP		 40#ifdef HAVE_PAM
41#include <security/pam_appl.h>
42#endif
43
7b52a628
MS		 44#ifdef HAVE_SELINUX
45#include <selinux/selinux.h>
46#endif
47
17df7223
LP		 48#ifdef HAVE_SECCOMP
49#include <seccomp.h>
50#endif
51
eef65bf3
MS		 52#ifdef HAVE_APPARMOR
53#include <sys/apparmor.h>
54#endif
55
24882e06 56#include "sd-messages.h"
8dd4c05b
LP		 57
58#include "af-list.h"
b5efdb8a 59#include "alloc-util.h"
3ffd4af2
LP		 60#ifdef HAVE_APPARMOR
61#include "apparmor-util.h"
62#endif
8dd4c05b
LP		 63#include "async.h"
64#include "barrier.h"
8dd4c05b 65#include "cap-list.h"
430f0182 66#include "capability-util.h"
f6a6225e 67#include "def.h"
4d1a6904 68#include "env-util.h"
17df7223 69#include "errno-list.h"
3ffd4af2 70#include "execute.h"
8dd4c05b 71#include "exit-status.h"
3ffd4af2 72#include "fd-util.h"
8dd4c05b 73#include "fileio.h"
f97b34a6 74#include "format-util.h"
f4f15635 75#include "fs-util.h"
7d50b32a 76#include "glob-util.h"
c004493c 77#include "io-util.h"
8dd4c05b
LP		 78#include "ioprio.h"
79#include "log.h"
80#include "macro.h"
81#include "missing.h"
82#include "mkdir.h"
83#include "namespace.h"
6bedfcbb 84#include "parse-util.h"
8dd4c05b 85#include "path-util.h"
0b452006 86#include "process-util.h"
78f22b97 87#include "rlimit-util.h"
8dd4c05b 88#include "rm-rf.h"
3ffd4af2
LP		 89#ifdef HAVE_SECCOMP
90#include "seccomp-util.h"
91#endif
8dd4c05b
LP		 92#include "securebits.h"
93#include "selinux-util.h"
24882e06 94#include "signal-util.h"
8dd4c05b 95#include "smack-util.h"
fd63e712 96#include "special.h"
8b43440b 97#include "string-table.h"
07630cea 98#include "string-util.h"
8dd4c05b 99#include "strv.h"
7ccbd1ae 100#include "syslog-util.h"
8dd4c05b
LP		 101#include "terminal-util.h"
102#include "unit.h"
b1d4f8e1 103#include "user-util.h"
8dd4c05b
LP		 104#include "util.h"
105#include "utmp-wtmp.h"
5cb5a6ff 106
e056b01d 107#define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
31a7eb86 108#define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
e6a26745 109
02a51aba
LP		 110/* This assumes there is a 'tty' group */
111#define TTY_MODE 0620
112
531dca78
LP		 113#define SNDBUF_SIZE (8*1024*1024)
114
034c6ed7
LP		 115static int shift_fds(int fds[], unsigned n_fds) {
116 int start, restart_from;
117
118 if (n_fds <= 0)
119 return 0;
120
a0d40ac5
LP		 121 /* Modifies the fds array! (sorts it) */
122
034c6ed7
LP		 123 assert(fds);
124
125 start = 0;
126 for (;;) {
127 int i;
128
129 restart_from = -1;
130
131 for (i = start; i < (int) n_fds; i++) {
132 int nfd;
133
134 /* Already at right index? */
135 if (fds[i] == i+3)
136 continue;
137
3cc2aff1
LP		 138 nfd = fcntl(fds[i], F_DUPFD, i + 3);
139 if (nfd < 0)
034c6ed7
LP		 140 return -errno;
141
03e334a1 142 safe_close(fds[i]);
034c6ed7
LP		 143 fds[i] = nfd;
144
145 /* Hmm, the fd we wanted isn't free? Then
ee33e53a 146 * let's remember that and try again from here */
034c6ed7
LP		 147 if (nfd != i+3 && restart_from < 0)
148 restart_from = i;
149 }
150
151 if (restart_from < 0)
152 break;
153
154 start = restart_from;
155 }
156
157 return 0;
158}
159
4c47affc
FB		 160static int flags_fds(const int fds[], unsigned n_storage_fds, unsigned n_socket_fds, bool nonblock) {
161 unsigned i, n_fds;
e2c76839 162 int r;
47a71eed 163
4c47affc 164 n_fds = n_storage_fds + n_socket_fds;
47a71eed
LP		 165 if (n_fds <= 0)
166 return 0;
167
168 assert(fds);
169
9b141911
FB		 170 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags.
171 * O_NONBLOCK only applies to socket activation though. */
47a71eed
LP		 172
173 for (i = 0; i < n_fds; i++) {
47a71eed 174
9b141911
FB		 175 if (i < n_socket_fds) {
176 r = fd_nonblock(fds[i], nonblock);
177 if (r < 0)
178 return r;
179 }
47a71eed 180
451a074f
LP		 181 /* We unconditionally drop FD_CLOEXEC from the fds,
182 * since after all we want to pass these fds to our
183 * children */
47a71eed 184
3cc2aff1
LP		 185 r = fd_cloexec(fds[i], false);
186 if (r < 0)
e2c76839 187 return r;
47a71eed
LP		 188 }
189
190 return 0;
191}
192
1e22b5cd 193static const char *exec_context_tty_path(const ExecContext *context) {
80876c20
LP		 194 assert(context);
195
1e22b5cd
LP		 196 if (context->stdio_as_fds)
197 return NULL;
198
80876c20
LP		 199 if (context->tty_path)
200 return context->tty_path;
201
202 return "/dev/console";
203}
204
1e22b5cd
LP		 205static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
206 const char *path;
207
6ea832a2
LP		 208 assert(context);
209
1e22b5cd 210 path = exec_context_tty_path(context);
6ea832a2 211
1e22b5cd
LP		 212 if (context->tty_vhangup) {
213 if (p && p->stdin_fd >= 0)
214 (void) terminal_vhangup_fd(p->stdin_fd);
215 else if (path)
216 (void) terminal_vhangup(path);
217 }
6ea832a2 218
1e22b5cd
LP		 219 if (context->tty_reset) {
220 if (p && p->stdin_fd >= 0)
221 (void) reset_terminal_fd(p->stdin_fd, true);
222 else if (path)
223 (void) reset_terminal(path);
224 }
225
226 if (context->tty_vt_disallocate && path)
227 (void) vt_disallocate(path);
6ea832a2
LP		 228}
229
6af760f3
LP		 230static bool is_terminal_input(ExecInput i) {
231 return IN_SET(i,
232 EXEC_INPUT_TTY,
233 EXEC_INPUT_TTY_FORCE,
234 EXEC_INPUT_TTY_FAIL);
235}
236
3a1286b6 237static bool is_terminal_output(ExecOutput o) {
6af760f3
LP		 238 return IN_SET(o,
239 EXEC_OUTPUT_TTY,
240 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
241 EXEC_OUTPUT_KMSG_AND_CONSOLE,
242 EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
243}
244
245static bool exec_context_needs_term(const ExecContext *c) {
246 assert(c);
247
248 /* Return true if the execution context suggests we should set $TERM to something useful. */
249
250 if (is_terminal_input(c->std_input))
251 return true;
252
253 if (is_terminal_output(c->std_output))
254 return true;
255
256 if (is_terminal_output(c->std_error))
257 return true;
258
259 return !!c->tty_path;
3a1286b6
MS		 260}
261
80876c20
LP		 262static int open_null_as(int flags, int nfd) {
263 int fd, r;
071830ff 264
80876c20 265 assert(nfd >= 0);
071830ff 266
613b411c
LP		 267 fd = open("/dev/null", flags|O_NOCTTY);
268 if (fd < 0)
071830ff
LP		 269 return -errno;
270
80876c20
LP		 271 if (fd != nfd) {
272 r = dup2(fd, nfd) < 0 ? -errno : nfd;
03e334a1 273 safe_close(fd);
80876c20
LP		 274 } else
275 r = nfd;
071830ff 276
80876c20 277 return r;
071830ff
LP		 278}
279
524daa8c 280static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
b92bea5d
ZJS		 281 union sockaddr_union sa = {
282 .un.sun_family = AF_UNIX,
283 .un.sun_path = "/run/systemd/journal/stdout",
284 };
524daa8c
ZJS		 285 uid_t olduid = UID_INVALID;
286 gid_t oldgid = GID_INVALID;
287 int r;
288
cad93f29 289 if (gid_is_valid(gid)) {
524daa8c
ZJS		 290 oldgid = getgid();
291
292 r = setegid(gid);
293 if (r < 0)
294 return -errno;
295 }
296
cad93f29 297 if (uid_is_valid(uid)) {
524daa8c
ZJS		 298 olduid = getuid();
299
300 r = seteuid(uid);
301 if (r < 0) {
302 r = -errno;
303 goto restore_gid;
304 }
305 }
306
fc2fffe7 307 r = connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
524daa8c
ZJS		 308 if (r < 0)
309 r = -errno;
310
311 /* If we fail to restore the uid or gid, things will likely
312 fail later on. This should only happen if an LSM interferes. */
313
cad93f29 314 if (uid_is_valid(uid))
524daa8c
ZJS		 315 (void) seteuid(olduid);
316
317 restore_gid:
cad93f29 318 if (gid_is_valid(gid))
524daa8c
ZJS		 319 (void) setegid(oldgid);
320
321 return r;
322}
323
fd1f9c89 324static int connect_logger_as(
7a1ab780 325 Unit *unit,
fd1f9c89
LP		 326 const ExecContext *context,
327 ExecOutput output,
328 const char *ident,
fd1f9c89
LP		 329 int nfd,
330 uid_t uid,
331 gid_t gid) {
332
524daa8c 333 int fd, r;
071830ff
LP		 334
335 assert(context);
80876c20
LP		 336 assert(output < _EXEC_OUTPUT_MAX);
337 assert(ident);
338 assert(nfd >= 0);
071830ff 339
54fe0cdb
LP		 340 fd = socket(AF_UNIX, SOCK_STREAM, 0);
341 if (fd < 0)
80876c20 342 return -errno;
071830ff 343
524daa8c
ZJS		 344 r = connect_journal_socket(fd, uid, gid);
345 if (r < 0)
346 return r;
071830ff 347
80876c20 348 if (shutdown(fd, SHUT_RD) < 0) {
03e334a1 349 safe_close(fd);
80876c20
LP		 350 return -errno;
351 }
071830ff 352
fd1f9c89 353 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
531dca78 354
80876c20 355 dprintf(fd,
62bca2c6 356 "%s\n"
80876c20
LP		 357 "%s\n"
358 "%i\n"
54fe0cdb
LP		 359 "%i\n"
360 "%i\n"
361 "%i\n"
4f4a1dbf 362 "%i\n",
4f4a1dbf 363 context->syslog_identifier ? context->syslog_identifier : ident,
7a1ab780 364 unit->id,
54fe0cdb
LP		 365 context->syslog_priority,
366 !!context->syslog_level_prefix,
367 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
368 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
3a1286b6 369 is_terminal_output(output));
80876c20 370
fd1f9c89
LP		 371 if (fd == nfd)
372 return nfd;
373
374 r = dup2(fd, nfd) < 0 ? -errno : nfd;
375 safe_close(fd);
071830ff 376
80876c20
LP		 377 return r;
378}
379static int open_terminal_as(const char *path, mode_t mode, int nfd) {
380 int fd, r;
071830ff 381
80876c20
LP		 382 assert(path);
383 assert(nfd >= 0);
071830ff 384
3cc2aff1
LP		 385 fd = open_terminal(path, mode | O_NOCTTY);
386 if (fd < 0)
80876c20 387 return fd;
071830ff 388
80876c20
LP		 389 if (fd != nfd) {
390 r = dup2(fd, nfd) < 0 ? -errno : nfd;
03e334a1 391 safe_close(fd);
80876c20
LP		 392 } else
393 r = nfd;
071830ff 394
80876c20
LP		 395 return r;
396}
071830ff 397
1e3ad081
LP		 398static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
399
400 if (is_terminal_input(std_input) && !apply_tty_stdin)
401 return EXEC_INPUT_NULL;
071830ff 402
03fd9c49 403 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 404 return EXEC_INPUT_NULL;
405
03fd9c49 406 return std_input;
4f2d528d
LP		 407}
408
03fd9c49 409static int fixup_output(ExecOutput std_output, int socket_fd) {
4f2d528d 410
03fd9c49 411 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 412 return EXEC_OUTPUT_INHERIT;
413
03fd9c49 414 return std_output;
4f2d528d
LP		 415}
416
a34ceba6
LP		 417static int setup_input(
418 const ExecContext *context,
419 const ExecParameters *params,
52c239d7
LB		 420 int socket_fd,
421 int named_iofds[3]) {
a34ceba6 422
4f2d528d
LP		 423 ExecInput i;
424
425 assert(context);
a34ceba6
LP		 426 assert(params);
427
428 if (params->stdin_fd >= 0) {
429 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
430 return -errno;
431
432 /* Try to make this the controlling tty, if it is a tty, and reset it */
433 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
434 (void) reset_terminal_fd(STDIN_FILENO, true);
435
436 return STDIN_FILENO;
437 }
4f2d528d 438
c39f1ce2 439 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
4f2d528d
LP		 440
441 switch (i) {
071830ff 442
80876c20
LP		 443 case EXEC_INPUT_NULL:
444 return open_null_as(O_RDONLY, STDIN_FILENO);
445
446 case EXEC_INPUT_TTY:
447 case EXEC_INPUT_TTY_FORCE:
448 case EXEC_INPUT_TTY_FAIL: {
449 int fd, r;
071830ff 450
1e22b5cd 451 fd = acquire_terminal(exec_context_tty_path(context),
970edce6
ZJS		 452 i == EXEC_INPUT_TTY_FAIL,
453 i == EXEC_INPUT_TTY_FORCE,
454 false,
3a43da28 455 USEC_INFINITY);
970edce6 456 if (fd < 0)
80876c20
LP		 457 return fd;
458
459 if (fd != STDIN_FILENO) {
460 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
03e334a1 461 safe_close(fd);
80876c20
LP		 462 } else
463 r = STDIN_FILENO;
464
465 return r;
466 }
467
4f2d528d
LP		 468 case EXEC_INPUT_SOCKET:
469 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
470
52c239d7
LB		 471 case EXEC_INPUT_NAMED_FD:
472 (void) fd_nonblock(named_iofds[STDIN_FILENO], false);
473 return dup2(named_iofds[STDIN_FILENO], STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
474
80876c20
LP		 475 default:
476 assert_not_reached("Unknown input type");
477 }
478}
479
a34ceba6
LP		 480static int setup_output(
481 Unit *unit,
482 const ExecContext *context,
483 const ExecParameters *params,
484 int fileno,
485 int socket_fd,
52c239d7 486 int named_iofds[3],
a34ceba6 487 const char *ident,
7bce046b
LP		 488 uid_t uid,
489 gid_t gid,
490 dev_t *journal_stream_dev,
491 ino_t *journal_stream_ino) {
a34ceba6 492
4f2d528d
LP		 493 ExecOutput o;
494 ExecInput i;
47c1d80d 495 int r;
4f2d528d 496
f2341e0a 497 assert(unit);
80876c20 498 assert(context);
a34ceba6 499 assert(params);
80876c20 500 assert(ident);
7bce046b
LP		 501 assert(journal_stream_dev);
502 assert(journal_stream_ino);
80876c20 503
a34ceba6
LP		 504 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
505
506 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
507 return -errno;
508
509 return STDOUT_FILENO;
510 }
511
512 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
513 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
514 return -errno;
515
516 return STDERR_FILENO;
517 }
518
c39f1ce2 519 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
03fd9c49 520 o = fixup_output(context->std_output, socket_fd);
4f2d528d 521
eb17e935
MS		 522 if (fileno == STDERR_FILENO) {
523 ExecOutput e;
524 e = fixup_output(context->std_error, socket_fd);
80876c20 525
eb17e935
MS		 526 /* This expects the input and output are already set up */
527
528 /* Don't change the stderr file descriptor if we inherit all
529 * the way and are not on a tty */
530 if (e == EXEC_OUTPUT_INHERIT &&
531 o == EXEC_OUTPUT_INHERIT &&
532 i == EXEC_INPUT_NULL &&
533 !is_terminal_input(context->std_input) &&
534 getppid () != 1)
535 return fileno;
536
537 /* Duplicate from stdout if possible */
52c239d7 538 if ((e == o && e != EXEC_OUTPUT_NAMED_FD) || e == EXEC_OUTPUT_INHERIT)
eb17e935 539 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 540
eb17e935 541 o = e;
80876c20 542
eb17e935 543 } else if (o == EXEC_OUTPUT_INHERIT) {
21d21ea4
LP		 544 /* If input got downgraded, inherit the original value */
545 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
1e22b5cd 546 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
21d21ea4 547
acb591e4 548 /* If the input is connected to anything that's not a /dev/null, inherit that... */
ff876e28 549 if (i != EXEC_INPUT_NULL)
eb17e935 550 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 551
acb591e4
LP		 552 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
553 if (getppid() != 1)
eb17e935 554 return fileno;
94f04347 555
eb17e935
MS		 556 /* We need to open /dev/null here anew, to get the right access mode. */
557 return open_null_as(O_WRONLY, fileno);
071830ff 558 }
94f04347 559
eb17e935 560 switch (o) {
80876c20
LP		 561
562 case EXEC_OUTPUT_NULL:
eb17e935 563 return open_null_as(O_WRONLY, fileno);
80876c20
LP		 564
565 case EXEC_OUTPUT_TTY:
4f2d528d 566 if (is_terminal_input(i))
eb17e935 567 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
80876c20
LP		 568
569 /* We don't reset the terminal if this is just about output */
1e22b5cd 570 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
80876c20
LP		 571
572 case EXEC_OUTPUT_SYSLOG:
28dbc1e8 573 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
9a6bca7a 574 case EXEC_OUTPUT_KMSG:
28dbc1e8 575 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
706343f4
LP		 576 case EXEC_OUTPUT_JOURNAL:
577 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
7a1ab780 578 r = connect_logger_as(unit, context, o, ident, fileno, uid, gid);
47c1d80d 579 if (r < 0) {
f2341e0a 580 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
eb17e935 581 r = open_null_as(O_WRONLY, fileno);
7bce046b
LP		 582 } else {
583 struct stat st;
584
585 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
586 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
587 * services to detect whether they are connected to the journal or not. */
588
589 if (fstat(fileno, &st) >= 0) {
590 *journal_stream_dev = st.st_dev;
591 *journal_stream_ino = st.st_ino;
592 }
47c1d80d
MS		 593 }
594 return r;
4f2d528d
LP		 595
596 case EXEC_OUTPUT_SOCKET:
597 assert(socket_fd >= 0);
eb17e935 598 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
94f04347 599
52c239d7
LB		 600 case EXEC_OUTPUT_NAMED_FD:
601 (void) fd_nonblock(named_iofds[fileno], false);
602 return dup2(named_iofds[fileno], fileno) < 0 ? -errno : fileno;
603
94f04347 604 default:
80876c20 605 assert_not_reached("Unknown error type");
94f04347 606 }
071830ff
LP		 607}
608
02a51aba
LP		 609static int chown_terminal(int fd, uid_t uid) {
610 struct stat st;
611
612 assert(fd >= 0);
02a51aba 613
1ff74fb6
LP		 614 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
615 if (isatty(fd) < 1)
616 return 0;
617
02a51aba 618 /* This might fail. What matters are the results. */
bab45044
LP		 619 (void) fchown(fd, uid, -1);
620 (void) fchmod(fd, TTY_MODE);
02a51aba
LP		 621
622 if (fstat(fd, &st) < 0)
623 return -errno;
624
d8b4e2e9 625 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
02a51aba
LP		 626 return -EPERM;
627
628 return 0;
629}
630
7d5ceb64 631static int setup_confirm_stdio(const char *vc, int *_saved_stdin, int *_saved_stdout) {
3d18b167
LP		 632 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
633 int r;
80876c20 634
80876c20
LP		 635 assert(_saved_stdin);
636 assert(_saved_stdout);
637
af6da548
LP		 638 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
639 if (saved_stdin < 0)
640 return -errno;
80876c20 641
af6da548 642 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
3d18b167
LP		 643 if (saved_stdout < 0)
644 return -errno;
80876c20 645
7d5ceb64 646 fd = acquire_terminal(vc, false, false, false, DEFAULT_CONFIRM_USEC);
3d18b167
LP		 647 if (fd < 0)
648 return fd;
80876c20 649
af6da548
LP		 650 r = chown_terminal(fd, getuid());
651 if (r < 0)
3d18b167 652 return r;
02a51aba 653
3d18b167
LP		 654 r = reset_terminal_fd(fd, true);
655 if (r < 0)
656 return r;
80876c20 657
3d18b167
LP		 658 if (dup2(fd, STDIN_FILENO) < 0)
659 return -errno;
660
661 if (dup2(fd, STDOUT_FILENO) < 0)
662 return -errno;
80876c20
LP		 663
664 if (fd >= 2)
03e334a1 665 safe_close(fd);
3d18b167 666 fd = -1;
80876c20
LP		 667
668 *_saved_stdin = saved_stdin;
669 *_saved_stdout = saved_stdout;
670
3d18b167 671 saved_stdin = saved_stdout = -1;
80876c20 672
3d18b167 673 return 0;
80876c20
LP		 674}
675
63d77c92 676static void write_confirm_error_fd(int err, int fd, const Unit *u) {
3b20f877
FB		 677 assert(err < 0);
678
679 if (err == -ETIMEDOUT)
63d77c92 680 dprintf(fd, "Confirmation question timed out for %s, assuming positive response.\n", u->id);
3b20f877
FB		 681 else {
682 errno = -err;
63d77c92 683 dprintf(fd, "Couldn't ask confirmation for %s: %m, assuming positive response.\n", u->id);
3b20f877
FB		 684 }
685}
686
63d77c92 687static void write_confirm_error(int err, const char *vc, const Unit *u) {
03e334a1 688 _cleanup_close_ int fd = -1;
80876c20 689
3b20f877 690 assert(vc);
80876c20 691
7d5ceb64 692 fd = open_terminal(vc, O_WRONLY|O_NOCTTY|O_CLOEXEC);
af6da548 693 if (fd < 0)
3b20f877 694 return;
80876c20 695
63d77c92 696 write_confirm_error_fd(err, fd, u);
af6da548 697}
80876c20 698
3d18b167 699static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
af6da548 700 int r = 0;
80876c20 701
af6da548
LP		 702 assert(saved_stdin);
703 assert(saved_stdout);
704
705 release_terminal();
706
707 if (*saved_stdin >= 0)
80876c20 708 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
af6da548 709 r = -errno;
80876c20 710
af6da548 711 if (*saved_stdout >= 0)
80876c20 712 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
af6da548 713 r = -errno;
80876c20 714
3d18b167
LP		 715 *saved_stdin = safe_close(*saved_stdin);
716 *saved_stdout = safe_close(*saved_stdout);
af6da548
LP		 717
718 return r;
719}
720
3b20f877
FB		 721enum {
722 CONFIRM_PRETEND_FAILURE = -1,
723 CONFIRM_PRETEND_SUCCESS = 0,
724 CONFIRM_EXECUTE = 1,
725};
726
eedf223a 727static int ask_for_confirmation(const char *vc, Unit *u, const char *cmdline) {
af6da548 728 int saved_stdout = -1, saved_stdin = -1, r;
2bcd3c26 729 _cleanup_free_ char *e = NULL;
3b20f877 730 char c;
af6da548 731
3b20f877 732 /* For any internal errors, assume a positive response. */
7d5ceb64 733 r = setup_confirm_stdio(vc, &saved_stdin, &saved_stdout);
3b20f877 734 if (r < 0) {
63d77c92 735 write_confirm_error(r, vc, u);
3b20f877
FB		 736 return CONFIRM_EXECUTE;
737 }
af6da548 738
b0eb2944
FB		 739 /* confirm_spawn might have been disabled while we were sleeping. */
740 if (manager_is_confirm_spawn_disabled(u->manager)) {
741 r = 1;
742 goto restore_stdio;
743 }
af6da548 744
2bcd3c26
FB		 745 e = ellipsize(cmdline, 60, 100);
746 if (!e) {
747 log_oom();
748 r = CONFIRM_EXECUTE;
749 goto restore_stdio;
750 }
af6da548 751
d172b175 752 for (;;) {
539622bd 753 r = ask_char(&c, "yfshiDjcn", "Execute %s? [y, f, s – h for help] ", e);
d172b175 754 if (r < 0) {
63d77c92 755 write_confirm_error_fd(r, STDOUT_FILENO, u);
d172b175
FB		 756 r = CONFIRM_EXECUTE;
757 goto restore_stdio;
758 }
af6da548 759
d172b175 760 switch (c) {
b0eb2944
FB		 761 case 'c':
762 printf("Resuming normal execution.\n");
763 manager_disable_confirm_spawn();
764 r = 1;
765 break;
dd6f9ac0
FB		 766 case 'D':
767 unit_dump(u, stdout, " ");
768 continue; /* ask again */
d172b175
FB		 769 case 'f':
770 printf("Failing execution.\n");
771 r = CONFIRM_PRETEND_FAILURE;
772 break;
773 case 'h':
b0eb2944
FB		 774 printf(" c - continue, proceed without asking anymore\n"
775 " D - dump, show the state of the unit\n"
dd6f9ac0 776 " f - fail, don't execute the command and pretend it failed\n"
d172b175 777 " h - help\n"
eedf223a 778 " i - info, show a short summary of the unit\n"
56fde33a 779 " j - jobs, show jobs that are in progress\n"
d172b175
FB		 780 " s - skip, don't execute the command and pretend it succeeded\n"
781 " y - yes, execute the command\n");
dd6f9ac0 782 continue; /* ask again */
eedf223a
FB		 783 case 'i':
784 printf(" Description: %s\n"
785 " Unit: %s\n"
786 " Command: %s\n",
787 u->id, u->description, cmdline);
788 continue; /* ask again */
56fde33a
FB		 789 case 'j':
790 manager_dump_jobs(u->manager, stdout, " ");
791 continue; /* ask again */
539622bd
FB		 792 case 'n':
793 /* 'n' was removed in favor of 'f'. */
794 printf("Didn't understand 'n', did you mean 'f'?\n");
795 continue; /* ask again */
d172b175
FB		 796 case 's':
797 printf("Skipping execution.\n");
798 r = CONFIRM_PRETEND_SUCCESS;
799 break;
800 case 'y':
801 r = CONFIRM_EXECUTE;
802 break;
803 default:
804 assert_not_reached("Unhandled choice");
805 }
3b20f877 806 break;
3b20f877 807 }
af6da548 808
3b20f877 809restore_stdio:
af6da548 810 restore_confirm_stdio(&saved_stdin, &saved_stdout);
af6da548 811 return r;
80876c20
LP		 812}
813
4d885bd3
DH		 814static int get_fixed_user(const ExecContext *c, const char **user,
815 uid_t *uid, gid_t *gid,
816 const char **home, const char **shell) {
81a2b7ce 817 int r;
4d885bd3 818 const char *name;
81a2b7ce 819
4d885bd3 820 assert(c);
81a2b7ce 821
23deef88
LP		 822 if (!c->user)
823 return 0;
824
4d885bd3
DH		 825 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
826 * (i.e. are "/" or "/bin/nologin"). */
81a2b7ce 827
23deef88 828 name = c->user;
4d885bd3
DH		 829 r = get_user_creds_clean(&name, uid, gid, home, shell);
830 if (r < 0)
831 return r;
81a2b7ce 832
4d885bd3
DH		 833 *user = name;
834 return 0;
835}
836
837static int get_fixed_group(const ExecContext *c, const char **group, gid_t *gid) {
838 int r;
839 const char *name;
840
841 assert(c);
842
843 if (!c->group)
844 return 0;
845
846 name = c->group;
847 r = get_group_creds(&name, gid);
848 if (r < 0)
849 return r;
850
851 *group = name;
852 return 0;
853}
854
cdc5d5c5
DH		 855static int get_supplementary_groups(const ExecContext *c, const char *user,
856 const char *group, gid_t gid,
857 gid_t **supplementary_gids, int *ngids) {
4d885bd3
DH		 858 char **i;
859 int r, k = 0;
860 int ngroups_max;
861 bool keep_groups = false;
862 gid_t *groups = NULL;
863 _cleanup_free_ gid_t *l_gids = NULL;
864
865 assert(c);
866
bbeea271
DH		 867 /*
868 * If user is given, then lookup GID and supplementary groups list.
869 * We avoid NSS lookups for gid=0. Also we have to initialize groups
cdc5d5c5
DH		 870 * here and as early as possible so we keep the list of supplementary
871 * groups of the caller.
bbeea271
DH		 872 */
873 if (user && gid_is_valid(gid) && gid != 0) {
874 /* First step, initialize groups from /etc/groups */
875 if (initgroups(user, gid) < 0)
876 return -errno;
877
878 keep_groups = true;
879 }
880
4d885bd3
DH		 881 if (!c->supplementary_groups)
882 return 0;
883
366ddd25
DH		 884 /*
885 * If SupplementaryGroups= was passed then NGROUPS_MAX has to
886 * be positive, otherwise fail.
887 */
888 errno = 0;
889 ngroups_max = (int) sysconf(_SC_NGROUPS_MAX);
890 if (ngroups_max <= 0) {
891 if (errno > 0)
892 return -errno;
893 else
894 return -EOPNOTSUPP; /* For all other values */
895 }
896
4d885bd3
DH		 897 l_gids = new(gid_t, ngroups_max);
898 if (!l_gids)
899 return -ENOMEM;
81a2b7ce 900
4d885bd3
DH		 901 if (keep_groups) {
902 /*
903 * Lookup the list of groups that the user belongs to, we
904 * avoid NSS lookups here too for gid=0.
905 */
906 k = ngroups_max;
907 if (getgrouplist(user, gid, l_gids, &k) < 0)
908 return -EINVAL;
909 } else
910 k = 0;
81a2b7ce 911
4d885bd3
DH		 912 STRV_FOREACH(i, c->supplementary_groups) {
913 const char *g;
81a2b7ce 914
4d885bd3
DH		 915 if (k >= ngroups_max)
916 return -E2BIG;
81a2b7ce 917
4d885bd3
DH		 918 g = *i;
919 r = get_group_creds(&g, l_gids+k);
920 if (r < 0)
921 return r;
81a2b7ce 922
4d885bd3
DH		 923 k++;
924 }
81a2b7ce 925
4d885bd3
DH		 926 /*
927 * Sets ngids to zero to drop all supplementary groups, happens
928 * when we are under root and SupplementaryGroups= is empty.
929 */
930 if (k == 0) {
931 *ngids = 0;
932 return 0;
933 }
81a2b7ce 934
4d885bd3
DH		 935 /* Otherwise get the final list of supplementary groups */
936 groups = memdup(l_gids, sizeof(gid_t) * k);
937 if (!groups)
938 return -ENOMEM;
939
940 *supplementary_gids = groups;
941 *ngids = k;
942
943 groups = NULL;
944
945 return 0;
946}
947
948static int enforce_groups(const ExecContext *context, gid_t gid,
949 gid_t *supplementary_gids, int ngids) {
950 int r;
951
952 assert(context);
953
954 /* Handle SupplementaryGroups= even if it is empty */
955 if (context->supplementary_groups) {
956 r = maybe_setgroups(ngids, supplementary_gids);
957 if (r < 0)
97f0e76f 958 return r;
4d885bd3 959 }
81a2b7ce 960
4d885bd3
DH		 961 if (gid_is_valid(gid)) {
962 /* Then set our gids */
963 if (setresgid(gid, gid, gid) < 0)
964 return -errno;
81a2b7ce
LP		 965 }
966
967 return 0;
968}
969
970static int enforce_user(const ExecContext *context, uid_t uid) {
81a2b7ce
LP		 971 assert(context);
972
4d885bd3
DH		 973 if (!uid_is_valid(uid))
974 return 0;
975
479050b3 976 /* Sets (but doesn't look up) the uid and make sure we keep the
81a2b7ce
LP		 977 * capabilities while doing so. */
978
479050b3 979 if (context->capability_ambient_set != 0) {
81a2b7ce
LP		 980
981 /* First step: If we need to keep capabilities but
982 * drop privileges we need to make sure we keep our
cbb21cca 983 * caps, while we drop privileges. */
693ced48 984 if (uid != 0) {
cbb21cca 985 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
693ced48
LP		 986
987 if (prctl(PR_GET_SECUREBITS) != sb)
988 if (prctl(PR_SET_SECUREBITS, sb) < 0)
989 return -errno;
990 }
81a2b7ce
LP		 991 }
992
479050b3 993 /* Second step: actually set the uids */
81a2b7ce
LP		 994 if (setresuid(uid, uid, uid) < 0)
995 return -errno;
996
997 /* At this point we should have all necessary capabilities but
998 are otherwise a normal user. However, the caps might got
999 corrupted due to the setresuid() so we need clean them up
1000 later. This is done outside of this call. */
1001
1002 return 0;
1003}
1004
5b6319dc
LP		 1005#ifdef HAVE_PAM
1006
1007static int null_conv(
1008 int num_msg,
1009 const struct pam_message **msg,
1010 struct pam_response **resp,
1011 void *appdata_ptr) {
1012
1013 /* We don't support conversations */
1014
1015 return PAM_CONV_ERR;
1016}
1017
cefc33ae
LP		 1018#endif
1019
5b6319dc
LP		 1020static int setup_pam(
1021 const char *name,
1022 const char *user,
940c5210 1023 uid_t uid,
2d6fce8d 1024 gid_t gid,
5b6319dc 1025 const char *tty,
2065ca69 1026 char ***env,
5b6319dc
LP		 1027 int fds[], unsigned n_fds) {
1028
cefc33ae
LP		 1029#ifdef HAVE_PAM
1030
5b6319dc
LP		 1031 static const struct pam_conv conv = {
1032 .conv = null_conv,
1033 .appdata_ptr = NULL
1034 };
1035
2d7c6aa2 1036 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
5b6319dc 1037 pam_handle_t *handle = NULL;
d6e5f3ad 1038 sigset_t old_ss;
7bb70b6e 1039 int pam_code = PAM_SUCCESS, r;
84eada2f 1040 char **nv, **e = NULL;
5b6319dc
LP		 1041 bool close_session = false;
1042 pid_t pam_pid = 0, parent_pid;
970edce6 1043 int flags = 0;
5b6319dc
LP		 1044
1045 assert(name);
1046 assert(user);
2065ca69 1047 assert(env);
5b6319dc
LP		 1048
1049 /* We set up PAM in the parent process, then fork. The child
35b8ca3a 1050 * will then stay around until killed via PR_GET_PDEATHSIG or
5b6319dc
LP		 1051 * systemd via the cgroup logic. It will then remove the PAM
1052 * session again. The parent process will exec() the actual
1053 * daemon. We do things this way to ensure that the main PID
1054 * of the daemon is the one we initially fork()ed. */
1055
7bb70b6e
LP		 1056 r = barrier_create(&barrier);
1057 if (r < 0)
2d7c6aa2
DH		 1058 goto fail;
1059
553d2243 1060 if (log_get_max_level() < LOG_DEBUG)
970edce6
ZJS		 1061 flags |= PAM_SILENT;
1062
f546241b
ZJS		 1063 pam_code = pam_start(name, user, &conv, &handle);
1064 if (pam_code != PAM_SUCCESS) {
5b6319dc
LP		 1065 handle = NULL;
1066 goto fail;
1067 }
1068
f546241b
ZJS		 1069 if (tty) {
1070 pam_code = pam_set_item(handle, PAM_TTY, tty);
1071 if (pam_code != PAM_SUCCESS)
5b6319dc 1072 goto fail;
f546241b 1073 }
5b6319dc 1074
84eada2f
JW		 1075 STRV_FOREACH(nv, *env) {
1076 pam_code = pam_putenv(handle, *nv);
2065ca69
JW		 1077 if (pam_code != PAM_SUCCESS)
1078 goto fail;
1079 }
1080
970edce6 1081 pam_code = pam_acct_mgmt(handle, flags);
f546241b 1082 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 1083 goto fail;
1084
970edce6 1085 pam_code = pam_open_session(handle, flags);
f546241b 1086 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 1087 goto fail;
1088
1089 close_session = true;
1090
f546241b
ZJS		 1091 e = pam_getenvlist(handle);
1092 if (!e) {
5b6319dc
LP		 1093 pam_code = PAM_BUF_ERR;
1094 goto fail;
1095 }
1096
1097 /* Block SIGTERM, so that we know that it won't get lost in
1098 * the child */
ce30c8dc 1099
72c0a2c2 1100 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
5b6319dc 1101
df0ff127 1102 parent_pid = getpid_cached();
5b6319dc 1103
f546241b 1104 pam_pid = fork();
7bb70b6e
LP		 1105 if (pam_pid < 0) {
1106 r = -errno;
5b6319dc 1107 goto fail;
7bb70b6e 1108 }
5b6319dc
LP		 1109
1110 if (pam_pid == 0) {
7bb70b6e 1111 int sig, ret = EXIT_PAM;
5b6319dc
LP		 1112
1113 /* The child's job is to reset the PAM session on
1114 * termination */
2d7c6aa2 1115 barrier_set_role(&barrier, BARRIER_CHILD);
5b6319dc
LP		 1116
1117 /* This string must fit in 10 chars (i.e. the length
5d6b1584
LP		 1118 * of "/sbin/init"), to look pretty in /bin/ps */
1119 rename_process("(sd-pam)");
5b6319dc
LP		 1120
1121 /* Make sure we don't keep open the passed fds in this
1122 child. We assume that otherwise only those fds are
1123 open here that have been opened by PAM. */
1124 close_many(fds, n_fds);
1125
940c5210
AK		 1126 /* Drop privileges - we don't need any to pam_close_session
1127 * and this will make PR_SET_PDEATHSIG work in most cases.
1128 * If this fails, ignore the error - but expect sd-pam threads
1129 * to fail to exit normally */
2d6fce8d 1130
97f0e76f
LP		 1131 r = maybe_setgroups(0, NULL);
1132 if (r < 0)
1133 log_warning_errno(r, "Failed to setgroups() in sd-pam: %m");
2d6fce8d
LP		 1134 if (setresgid(gid, gid, gid) < 0)
1135 log_warning_errno(errno, "Failed to setresgid() in sd-pam: %m");
940c5210 1136 if (setresuid(uid, uid, uid) < 0)
2d6fce8d 1137 log_warning_errno(errno, "Failed to setresuid() in sd-pam: %m");
940c5210 1138
ce30c8dc
LP		 1139 (void) ignore_signals(SIGPIPE, -1);
1140
940c5210
AK		 1141 /* Wait until our parent died. This will only work if
1142 * the above setresuid() succeeds, otherwise the kernel
1143 * will not allow unprivileged parents kill their privileged
1144 * children this way. We rely on the control groups kill logic
5b6319dc
LP		 1145 * to do the rest for us. */
1146 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
1147 goto child_finish;
1148
2d7c6aa2
DH		 1149 /* Tell the parent that our setup is done. This is especially
1150 * important regarding dropping privileges. Otherwise, unit
643f4706
ZJS		 1151 * setup might race against our setresuid(2) call.
1152 *
1153 * If the parent aborted, we'll detect this below, hence ignore
1154 * return failure here. */
1155 (void) barrier_place(&barrier);
2d7c6aa2 1156
643f4706 1157 /* Check if our parent process might already have died? */
5b6319dc 1158 if (getppid() == parent_pid) {
d6e5f3ad
DM		 1159 sigset_t ss;
1160
1161 assert_se(sigemptyset(&ss) >= 0);
1162 assert_se(sigaddset(&ss, SIGTERM) >= 0);
1163
3dead8d9
LP		 1164 for (;;) {
1165 if (sigwait(&ss, &sig) < 0) {
1166 if (errno == EINTR)
1167 continue;
1168
1169 goto child_finish;
1170 }
5b6319dc 1171
3dead8d9
LP		 1172 assert(sig == SIGTERM);
1173 break;
1174 }
5b6319dc
LP		 1175 }
1176
3dead8d9 1177 /* If our parent died we'll end the session */
f546241b 1178 if (getppid() != parent_pid) {
970edce6 1179 pam_code = pam_close_session(handle, flags);
f546241b 1180 if (pam_code != PAM_SUCCESS)
5b6319dc 1181 goto child_finish;
f546241b 1182 }
5b6319dc 1183
7bb70b6e 1184 ret = 0;
5b6319dc
LP		 1185
1186 child_finish:
970edce6 1187 pam_end(handle, pam_code | flags);
7bb70b6e 1188 _exit(ret);
5b6319dc
LP		 1189 }
1190
2d7c6aa2
DH		 1191 barrier_set_role(&barrier, BARRIER_PARENT);
1192
5b6319dc
LP		 1193 /* If the child was forked off successfully it will do all the
1194 * cleanups, so forget about the handle here. */
1195 handle = NULL;
1196
3b8bddde 1197 /* Unblock SIGTERM again in the parent */
72c0a2c2 1198 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
5b6319dc
LP		 1199
1200 /* We close the log explicitly here, since the PAM modules
1201 * might have opened it, but we don't want this fd around. */
1202 closelog();
1203
2d7c6aa2
DH		 1204 /* Synchronously wait for the child to initialize. We don't care for
1205 * errors as we cannot recover. However, warn loudly if it happens. */
1206 if (!barrier_place_and_sync(&barrier))
1207 log_error("PAM initialization failed");
1208
2065ca69
JW		 1209 strv_free(*env);
1210 *env = e;
aa87e624 1211
5b6319dc
LP		 1212 return 0;
1213
1214fail:
970edce6
ZJS		 1215 if (pam_code != PAM_SUCCESS) {
1216 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
7bb70b6e
LP		 1217 r = -EPERM; /* PAM errors do not map to errno */
1218 } else
1219 log_error_errno(r, "PAM failed: %m");
9ba35398 1220
5b6319dc
LP		 1221 if (handle) {
1222 if (close_session)
970edce6 1223 pam_code = pam_close_session(handle, flags);
5b6319dc 1224
970edce6 1225 pam_end(handle, pam_code | flags);
5b6319dc
LP		 1226 }
1227
1228 strv_free(e);
5b6319dc
LP		 1229 closelog();
1230
7bb70b6e 1231 return r;
cefc33ae
LP		 1232#else
1233 return 0;
5b6319dc 1234#endif
cefc33ae 1235}
5b6319dc 1236
5d6b1584
LP		 1237static void rename_process_from_path(const char *path) {
1238 char process_name[11];
1239 const char *p;
1240 size_t l;
1241
1242 /* This resulting string must fit in 10 chars (i.e. the length
1243 * of "/sbin/init") to look pretty in /bin/ps */
1244
2b6bf07d 1245 p = basename(path);
5d6b1584
LP		 1246 if (isempty(p)) {
1247 rename_process("(...)");
1248 return;
1249 }
1250
1251 l = strlen(p);
1252 if (l > 8) {
1253 /* The end of the process name is usually more
1254 * interesting, since the first bit might just be
1255 * "systemd-" */
1256 p = p + l - 8;
1257 l = 8;
1258 }
1259
1260 process_name[0] = '(';
1261 memcpy(process_name+1, p, l);
1262 process_name[1+l] = ')';
1263 process_name[1+l+1] = 0;
1264
1265 rename_process(process_name);
1266}
1267
469830d1
LP		 1268static bool context_has_address_families(const ExecContext *c) {
1269 assert(c);
1270
1271 return c->address_families_whitelist ||
1272 !set_isempty(c->address_families);
1273}
1274
1275static bool context_has_syscall_filters(const ExecContext *c) {
1276 assert(c);
1277
1278 return c->syscall_whitelist ||
1279 !set_isempty(c->syscall_filter);
1280}
1281
1282static bool context_has_no_new_privileges(const ExecContext *c) {
1283 assert(c);
1284
1285 if (c->no_new_privileges)
1286 return true;
1287
1288 if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
1289 return false;
1290
1291 /* We need NNP if we have any form of seccomp and are unprivileged */
1292 return context_has_address_families(c) ||
1293 c->memory_deny_write_execute ||
1294 c->restrict_realtime ||
1295 exec_context_restrict_namespaces_set(c) ||
1296 c->protect_kernel_tunables ||
1297 c->protect_kernel_modules ||
1298 c->private_devices ||
1299 context_has_syscall_filters(c) ||
1300 !set_isempty(c->syscall_archs);
1301}
1302
c0467cf3 1303#ifdef HAVE_SECCOMP
17df7223 1304
83f12b27 1305static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
f673b62d
LP		 1306
1307 if (is_seccomp_available())
1308 return false;
1309
1310 log_open();
1311 log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
1312 log_close();
1313 return true;
83f12b27
FS		 1314}
1315
469830d1
LP		 1316static int apply_syscall_filter(const Unit* u, const ExecContext *c) {
1317 uint32_t negative_action, default_action, action;
8351ceae 1318
469830d1 1319 assert(u);
c0467cf3 1320 assert(c);
8351ceae 1321
469830d1 1322 if (!context_has_syscall_filters(c))
83f12b27
FS		 1323 return 0;
1324
469830d1
LP		 1325 if (skip_seccomp_unavailable(u, "SystemCallFilter="))
1326 return 0;
e9642be2 1327
469830d1 1328 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
e9642be2 1329
469830d1
LP		 1330 if (c->syscall_whitelist) {
1331 default_action = negative_action;
1332 action = SCMP_ACT_ALLOW;
7c66bae2 1333 } else {
469830d1
LP		 1334 default_action = SCMP_ACT_ALLOW;
1335 action = negative_action;
57183d11 1336 }
8351ceae 1337
469830d1 1338 return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_filter, action);
4298d0b5
LP		 1339}
1340
469830d1
LP		 1341static int apply_syscall_archs(const Unit *u, const ExecContext *c) {
1342 assert(u);
4298d0b5
LP		 1343 assert(c);
1344
469830d1 1345 if (set_isempty(c->syscall_archs))
83f12b27
FS		 1346 return 0;
1347
469830d1
LP		 1348 if (skip_seccomp_unavailable(u, "SystemCallArchitectures="))
1349 return 0;
4298d0b5 1350
469830d1
LP		 1351 return seccomp_restrict_archs(c->syscall_archs);
1352}
4298d0b5 1353
469830d1
LP		 1354static int apply_address_families(const Unit* u, const ExecContext *c) {
1355 assert(u);
1356 assert(c);
4298d0b5 1357
469830d1
LP		 1358 if (!context_has_address_families(c))
1359 return 0;
4298d0b5 1360
469830d1
LP		 1361 if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
1362 return 0;
4298d0b5 1363
469830d1 1364 return seccomp_restrict_address_families(c->address_families, c->address_families_whitelist);
8351ceae 1365}
4298d0b5 1366
83f12b27 1367static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c) {
469830d1 1368 assert(u);
f3e43635
TM		 1369 assert(c);
1370
469830d1 1371 if (!c->memory_deny_write_execute)
83f12b27
FS		 1372 return 0;
1373
469830d1
LP		 1374 if (skip_seccomp_unavailable(u, "MemoryDenyWriteExecute="))
1375 return 0;
f3e43635 1376
469830d1 1377 return seccomp_memory_deny_write_execute();
f3e43635
TM		 1378}
1379
83f12b27 1380static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
469830d1 1381 assert(u);
f4170c67
LP		 1382 assert(c);
1383
469830d1 1384 if (!c->restrict_realtime)
83f12b27
FS		 1385 return 0;
1386
469830d1
LP		 1387 if (skip_seccomp_unavailable(u, "RestrictRealtime="))
1388 return 0;
f4170c67 1389
469830d1 1390 return seccomp_restrict_realtime();
f4170c67
LP		 1391}
1392
59e856c7 1393static int apply_protect_sysctl(const Unit *u, const ExecContext *c) {
469830d1 1394 assert(u);
59eeb84b
LP		 1395 assert(c);
1396
1397 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1398 * let's protect even those systems where this is left on in the kernel. */
1399
469830d1 1400 if (!c->protect_kernel_tunables)
59eeb84b
LP		 1401 return 0;
1402
469830d1
LP		 1403 if (skip_seccomp_unavailable(u, "ProtectKernelTunables="))
1404 return 0;
59eeb84b 1405
469830d1 1406 return seccomp_protect_sysctl();
59eeb84b
LP		 1407}
1408
59e856c7 1409static int apply_protect_kernel_modules(const Unit *u, const ExecContext *c) {
469830d1 1410 assert(u);
502d704e
DH		 1411 assert(c);
1412
25a8d8a0 1413 /* Turn off module syscalls on ProtectKernelModules=yes */
502d704e 1414
469830d1
LP		 1415 if (!c->protect_kernel_modules)
1416 return 0;
1417
502d704e
DH		 1418 if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
1419 return 0;
1420
469830d1 1421 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM));
502d704e
DH		 1422}
1423
59e856c7 1424static int apply_private_devices(const Unit *u, const ExecContext *c) {
469830d1 1425 assert(u);
ba128bb8
LP		 1426 assert(c);
1427
8f81a5f6 1428 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
ba128bb8 1429
469830d1
LP		 1430 if (!c->private_devices)
1431 return 0;
1432
ba128bb8
LP		 1433 if (skip_seccomp_unavailable(u, "PrivateDevices="))
1434 return 0;
1435
469830d1 1436 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
ba128bb8
LP		 1437}
1438
add00535 1439static int apply_restrict_namespaces(Unit *u, const ExecContext *c) {
469830d1 1440 assert(u);
add00535
LP		 1441 assert(c);
1442
1443 if (!exec_context_restrict_namespaces_set(c))
1444 return 0;
1445
1446 if (skip_seccomp_unavailable(u, "RestrictNamespaces="))
1447 return 0;
1448
1449 return seccomp_restrict_namespaces(c->restrict_namespaces);
1450}
1451
c0467cf3 1452#endif
8351ceae 1453
31a7eb86
ZJS		 1454static void do_idle_pipe_dance(int idle_pipe[4]) {
1455 assert(idle_pipe);
1456
54eb2300
LP		 1457 idle_pipe[1] = safe_close(idle_pipe[1]);
1458 idle_pipe[2] = safe_close(idle_pipe[2]);
31a7eb86
ZJS		 1459
1460 if (idle_pipe[0] >= 0) {
1461 int r;
1462
1463 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1464
1465 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
c7cc737f
LP		 1466 ssize_t n;
1467
31a7eb86 1468 /* Signal systemd that we are bored and want to continue. */
c7cc737f
LP		 1469 n = write(idle_pipe[3], "x", 1);
1470 if (n > 0)
cd972d69
ZJS		 1471 /* Wait for systemd to react to the signal above. */
1472 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
31a7eb86
ZJS		 1473 }
1474
54eb2300 1475 idle_pipe[0] = safe_close(idle_pipe[0]);
31a7eb86
ZJS		 1476
1477 }
1478
54eb2300 1479 idle_pipe[3] = safe_close(idle_pipe[3]);
31a7eb86
ZJS		 1480}
1481
7cae38c4 1482static int build_environment(
fd63e712 1483 Unit *u,
9fa95f85 1484 const ExecContext *c,
1e22b5cd 1485 const ExecParameters *p,
7cae38c4
LP		 1486 unsigned n_fds,
1487 const char *home,
1488 const char *username,
1489 const char *shell,
7bce046b
LP		 1490 dev_t journal_stream_dev,
1491 ino_t journal_stream_ino,
7cae38c4
LP		 1492 char ***ret) {
1493
1494 _cleanup_strv_free_ char **our_env = NULL;
1495 unsigned n_env = 0;
1496 char *x;
1497
4b58153d 1498 assert(u);
7cae38c4
LP		 1499 assert(c);
1500 assert(ret);
1501
4b58153d 1502 our_env = new0(char*, 14);
7cae38c4
LP		 1503 if (!our_env)
1504 return -ENOMEM;
1505
1506 if (n_fds > 0) {
8dd4c05b
LP		 1507 _cleanup_free_ char *joined = NULL;
1508
df0ff127 1509 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid_cached()) < 0)
7cae38c4
LP		 1510 return -ENOMEM;
1511 our_env[n_env++] = x;
1512
1513 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1514 return -ENOMEM;
1515 our_env[n_env++] = x;
8dd4c05b 1516
1e22b5cd 1517 joined = strv_join(p->fd_names, ":");
8dd4c05b
LP		 1518 if (!joined)
1519 return -ENOMEM;
1520
605405c6 1521 x = strjoin("LISTEN_FDNAMES=", joined);
8dd4c05b
LP		 1522 if (!x)
1523 return -ENOMEM;
1524 our_env[n_env++] = x;
7cae38c4
LP		 1525 }
1526
b08af3b1 1527 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
df0ff127 1528 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid_cached()) < 0)
09812eb7
LP		 1529 return -ENOMEM;
1530 our_env[n_env++] = x;
1531
1e22b5cd 1532 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
09812eb7
LP		 1533 return -ENOMEM;
1534 our_env[n_env++] = x;
1535 }
1536
fd63e712
LP		 1537 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1538 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1539 * check the database directly. */
1540 if (unit_has_name(u, SPECIAL_DBUS_SERVICE)) {
1541 x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1542 if (!x)
1543 return -ENOMEM;
1544 our_env[n_env++] = x;
1545 }
1546
7cae38c4
LP		 1547 if (home) {
1548 x = strappend("HOME=", home);
1549 if (!x)
1550 return -ENOMEM;
1551 our_env[n_env++] = x;
1552 }
1553
1554 if (username) {
1555 x = strappend("LOGNAME=", username);
1556 if (!x)
1557 return -ENOMEM;
1558 our_env[n_env++] = x;
1559
1560 x = strappend("USER=", username);
1561 if (!x)
1562 return -ENOMEM;
1563 our_env[n_env++] = x;
1564 }
1565
1566 if (shell) {
1567 x = strappend("SHELL=", shell);
1568 if (!x)
1569 return -ENOMEM;
1570 our_env[n_env++] = x;
1571 }
1572
4b58153d
LP		 1573 if (!sd_id128_is_null(u->invocation_id)) {
1574 if (asprintf(&x, "INVOCATION_ID=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(u->invocation_id)) < 0)
1575 return -ENOMEM;
1576
1577 our_env[n_env++] = x;
1578 }
1579
6af760f3
LP		 1580 if (exec_context_needs_term(c)) {
1581 const char *tty_path, *term = NULL;
1582
1583 tty_path = exec_context_tty_path(c);
1584
1585 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try to inherit
1586 * the $TERM set for PID 1. This is useful for containers so that the $TERM the container manager
1587 * passes to PID 1 ends up all the way in the console login shown. */
1588
1589 if (path_equal(tty_path, "/dev/console") && getppid() == 1)
1590 term = getenv("TERM");
1591 if (!term)
1592 term = default_term_for_tty(tty_path);
7cae38c4 1593
6af760f3 1594 x = strappend("TERM=", term);
7cae38c4
LP		 1595 if (!x)
1596 return -ENOMEM;
1597 our_env[n_env++] = x;
1598 }
1599
7bce046b
LP		 1600 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1601 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1602 return -ENOMEM;
1603
1604 our_env[n_env++] = x;
1605 }
1606
7cae38c4 1607 our_env[n_env++] = NULL;
7bce046b 1608 assert(n_env <= 12);
7cae38c4
LP		 1609
1610 *ret = our_env;
1611 our_env = NULL;
1612
1613 return 0;
1614}
1615
b4c14404
FB		 1616static int build_pass_environment(const ExecContext *c, char ***ret) {
1617 _cleanup_strv_free_ char **pass_env = NULL;
1618 size_t n_env = 0, n_bufsize = 0;
1619 char **i;
1620
1621 STRV_FOREACH(i, c->pass_environment) {
1622 _cleanup_free_ char *x = NULL;
1623 char *v;
1624
1625 v = getenv(*i);
1626 if (!v)
1627 continue;
605405c6 1628 x = strjoin(*i, "=", v);
b4c14404
FB		 1629 if (!x)
1630 return -ENOMEM;
1631 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1632 return -ENOMEM;
1633 pass_env[n_env++] = x;
1634 pass_env[n_env] = NULL;
1635 x = NULL;
1636 }
1637
1638 *ret = pass_env;
1639 pass_env = NULL;
1640
1641 return 0;
1642}
1643
8b44a3d2
LP		 1644static bool exec_needs_mount_namespace(
1645 const ExecContext *context,
1646 const ExecParameters *params,
1647 ExecRuntime *runtime) {
1648
1649 assert(context);
1650 assert(params);
1651
915e6d16
LP		 1652 if (context->root_image)
1653 return true;
1654
2a624c36
AP		 1655 if (!strv_isempty(context->read_write_paths) ||
1656 !strv_isempty(context->read_only_paths) ||
1657 !strv_isempty(context->inaccessible_paths))
8b44a3d2
LP		 1658 return true;
1659
d2d6c096
LP		 1660 if (context->n_bind_mounts > 0)
1661 return true;
1662
8b44a3d2
LP		 1663 if (context->mount_flags != 0)
1664 return true;
1665
1666 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1667 return true;
1668
8b44a3d2
LP		 1669 if (context->private_devices ||
1670 context->protect_system != PROTECT_SYSTEM_NO ||
59eeb84b
LP		 1671 context->protect_home != PROTECT_HOME_NO ||
1672 context->protect_kernel_tunables ||
c575770b 1673 context->protect_kernel_modules ||
59eeb84b 1674 context->protect_control_groups)
8b44a3d2
LP		 1675 return true;
1676
9c988f93 1677 if (context->mount_apivfs && (context->root_image || context->root_directory))
5d997827
LP		 1678 return true;
1679
8b44a3d2
LP		 1680 return false;
1681}
1682
d251207d
LP		 1683static int setup_private_users(uid_t uid, gid_t gid) {
1684 _cleanup_free_ char *uid_map = NULL, *gid_map = NULL;
1685 _cleanup_close_pair_ int errno_pipe[2] = { -1, -1 };
1686 _cleanup_close_ int unshare_ready_fd = -1;
1687 _cleanup_(sigkill_waitp) pid_t pid = 0;
1688 uint64_t c = 1;
1689 siginfo_t si;
1690 ssize_t n;
1691 int r;
1692
1693 /* Set up a user namespace and map root to root, the selected UID/GID to itself, and everything else to
1694 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1695 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1696 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1697 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
1698 * continues execution normally. */
1699
587ab01b
ZJS		 1700 if (uid != 0 && uid_is_valid(uid)) {
1701 r = asprintf(&uid_map,
1702 "0 0 1\n" /* Map root → root */
1703 UID_FMT " " UID_FMT " 1\n", /* Map $UID → $UID */
1704 uid, uid);
1705 if (r < 0)
1706 return -ENOMEM;
1707 } else {
e0f3720e 1708 uid_map = strdup("0 0 1\n"); /* The case where the above is the same */
587ab01b
ZJS		 1709 if (!uid_map)
1710 return -ENOMEM;
1711 }
d251207d 1712
587ab01b
ZJS		 1713 if (gid != 0 && gid_is_valid(gid)) {
1714 r = asprintf(&gid_map,
1715 "0 0 1\n" /* Map root → root */
1716 GID_FMT " " GID_FMT " 1\n", /* Map $GID → $GID */
1717 gid, gid);
1718 if (r < 0)
1719 return -ENOMEM;
1720 } else {
d251207d 1721 gid_map = strdup("0 0 1\n"); /* The case where the above is the same */
587ab01b
ZJS		 1722 if (!gid_map)
1723 return -ENOMEM;
1724 }
d251207d
LP		 1725
1726 /* Create a communication channel so that the parent can tell the child when it finished creating the user
1727 * namespace. */
1728 unshare_ready_fd = eventfd(0, EFD_CLOEXEC);
1729 if (unshare_ready_fd < 0)
1730 return -errno;
1731
1732 /* Create a communication channel so that the child can tell the parent a proper error code in case it
1733 * failed. */
1734 if (pipe2(errno_pipe, O_CLOEXEC) < 0)
1735 return -errno;
1736
1737 pid = fork();
1738 if (pid < 0)
1739 return -errno;
1740
1741 if (pid == 0) {
1742 _cleanup_close_ int fd = -1;
1743 const char *a;
1744 pid_t ppid;
1745
1746 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
1747 * here, after the parent opened its own user namespace. */
1748
1749 ppid = getppid();
1750 errno_pipe[0] = safe_close(errno_pipe[0]);
1751
1752 /* Wait until the parent unshared the user namespace */
1753 if (read(unshare_ready_fd, &c, sizeof(c)) < 0) {
1754 r = -errno;
1755 goto child_fail;
1756 }
1757
1758 /* Disable the setgroups() system call in the child user namespace, for good. */
1759 a = procfs_file_alloca(ppid, "setgroups");
1760 fd = open(a, O_WRONLY|O_CLOEXEC);
1761 if (fd < 0) {
1762 if (errno != ENOENT) {
1763 r = -errno;
1764 goto child_fail;
1765 }
1766
1767 /* If the file is missing the kernel is too old, let's continue anyway. */
1768 } else {
1769 if (write(fd, "deny\n", 5) < 0) {
1770 r = -errno;
1771 goto child_fail;
1772 }
1773
1774 fd = safe_close(fd);
1775 }
1776
1777 /* First write the GID map */
1778 a = procfs_file_alloca(ppid, "gid_map");
1779 fd = open(a, O_WRONLY|O_CLOEXEC);
1780 if (fd < 0) {
1781 r = -errno;
1782 goto child_fail;
1783 }
1784 if (write(fd, gid_map, strlen(gid_map)) < 0) {
1785 r = -errno;
1786 goto child_fail;
1787 }
1788 fd = safe_close(fd);
1789
1790 /* The write the UID map */
1791 a = procfs_file_alloca(ppid, "uid_map");
1792 fd = open(a, O_WRONLY|O_CLOEXEC);
1793 if (fd < 0) {
1794 r = -errno;
1795 goto child_fail;
1796 }
1797 if (write(fd, uid_map, strlen(uid_map)) < 0) {
1798 r = -errno;
1799 goto child_fail;
1800 }
1801
1802 _exit(EXIT_SUCCESS);
1803
1804 child_fail:
1805 (void) write(errno_pipe[1], &r, sizeof(r));
1806 _exit(EXIT_FAILURE);
1807 }
1808
1809 errno_pipe[1] = safe_close(errno_pipe[1]);
1810
1811 if (unshare(CLONE_NEWUSER) < 0)
1812 return -errno;
1813
1814 /* Let the child know that the namespace is ready now */
1815 if (write(unshare_ready_fd, &c, sizeof(c)) < 0)
1816 return -errno;
1817
1818 /* Try to read an error code from the child */
1819 n = read(errno_pipe[0], &r, sizeof(r));
1820 if (n < 0)
1821 return -errno;
1822 if (n == sizeof(r)) { /* an error code was sent to us */
1823 if (r < 0)
1824 return r;
1825 return -EIO;
1826 }
1827 if (n != 0) /* on success we should have read 0 bytes */
1828 return -EIO;
1829
1830 r = wait_for_terminate(pid, &si);
1831 if (r < 0)
1832 return r;
1833 pid = 0;
1834
1835 /* If something strange happened with the child, let's consider this fatal, too */
1836 if (si.si_code != CLD_EXITED || si.si_status != 0)
1837 return -EIO;
1838
1839 return 0;
1840}
1841
3536f49e 1842static int setup_exec_directory(
07689d5d
LP		 1843 const ExecContext *context,
1844 const ExecParameters *params,
1845 uid_t uid,
3536f49e
YW		 1846 gid_t gid,
1847 bool manager_is_system,
1848 ExecDirectoryType type,
1849 int *exit_status) {
07689d5d 1850
3536f49e
YW		 1851 static const int exit_status_table[_EXEC_DIRECTORY_MAX] = {
1852 [EXEC_DIRECTORY_RUNTIME] = EXIT_RUNTIME_DIRECTORY,
1853 [EXEC_DIRECTORY_STATE] = EXIT_STATE_DIRECTORY,
1854 [EXEC_DIRECTORY_CACHE] = EXIT_CACHE_DIRECTORY,
1855 [EXEC_DIRECTORY_LOGS] = EXIT_LOGS_DIRECTORY,
1856 [EXEC_DIRECTORY_CONFIGURATION] = EXIT_CONFIGURATION_DIRECTORY,
1857 };
07689d5d
LP		 1858 char **rt;
1859 int r;
1860
1861 assert(context);
1862 assert(params);
3536f49e
YW		 1863 assert(type >= 0 && type < _EXEC_DIRECTORY_MAX);
1864 assert(exit_status);
07689d5d 1865
3536f49e
YW		 1866 if (!params->prefix[type])
1867 return 0;
1868
1869 if (manager_is_system) {
1870 if (!uid_is_valid(uid))
1871 uid = 0;
1872 if (!gid_is_valid(gid))
1873 gid = 0;
1874 }
1875
1876 STRV_FOREACH(rt, context->directories[type].paths) {
07689d5d
LP		 1877 _cleanup_free_ char *p;
1878
3536f49e
YW		 1879 p = strjoin(params->prefix[type], "/", *rt);
1880 if (!p) {
1881 r = -ENOMEM;
1882 goto fail;
1883 }
07689d5d 1884
23a7448e
YW		 1885 r = mkdir_parents_label(p, 0755);
1886 if (r < 0)
3536f49e 1887 goto fail;
23a7448e 1888
3536f49e 1889 r = mkdir_p_label(p, context->directories[type].mode);
07689d5d 1890 if (r < 0)
3536f49e 1891 goto fail;
07689d5d 1892
3536f49e 1893 r = chmod_and_chown(p, context->directories[type].mode, uid, gid);
07689d5d 1894 if (r < 0)
3536f49e 1895 goto fail;
07689d5d
LP		 1896 }
1897
1898 return 0;
3536f49e
YW		 1899
1900fail:
1901 *exit_status = exit_status_table[type];
1902
1903 return r;
07689d5d
LP		 1904}
1905
cefc33ae
LP		 1906static int setup_smack(
1907 const ExecContext *context,
1908 const ExecCommand *command) {
1909
1910#ifdef HAVE_SMACK
1911 int r;
1912
1913 assert(context);
1914 assert(command);
1915
1916 if (!mac_smack_use())
1917 return 0;
1918
1919 if (context->smack_process_label) {
1920 r = mac_smack_apply_pid(0, context->smack_process_label);
1921 if (r < 0)
1922 return r;
1923 }
1924#ifdef SMACK_DEFAULT_PROCESS_LABEL
1925 else {
1926 _cleanup_free_ char *exec_label = NULL;
1927
1928 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
1929 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP)
1930 return r;
1931
1932 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
1933 if (r < 0)
1934 return r;
1935 }
1936#endif
1937#endif
1938
1939 return 0;
1940}
1941
3fbe8dbe
LP		 1942static int compile_read_write_paths(
1943 const ExecContext *context,
1944 const ExecParameters *params,
1945 char ***ret) {
1946
1947 _cleanup_strv_free_ char **l = NULL;
1948 char **rt;
3536f49e 1949 ExecDirectoryType i;
3fbe8dbe 1950
06ec51d8
ZJS		 1951 /* Compile the list of writable paths. This is the combination of
1952 * the explicitly configured paths, plus all runtime directories. */
3fbe8dbe 1953
3536f49e
YW		 1954 if (strv_isempty(context->read_write_paths)) {
1955 for (i = 0; i < _EXEC_DIRECTORY_MAX; i++)
1956 if (!strv_isempty(context->directories[i].paths))
1957 break;
1958
1959 if (i == _EXEC_DIRECTORY_MAX) {
1960 *ret = NULL; /* NOP if neither is set */
1961 return 0;
1962 }
3fbe8dbe
LP		 1963 }
1964
1965 l = strv_copy(context->read_write_paths);
1966 if (!l)
1967 return -ENOMEM;
1968
3536f49e
YW		 1969 for (i = 0; i < _EXEC_DIRECTORY_MAX; i++) {
1970 if (!params->prefix[i])
1971 continue;
3fbe8dbe 1972
3536f49e
YW		 1973 STRV_FOREACH(rt, context->directories[i].paths) {
1974 char *s;
3fbe8dbe 1975
3536f49e
YW		 1976 s = strjoin(params->prefix[i], "/", *rt);
1977 if (!s)
1978 return -ENOMEM;
1979
1980 if (strv_consume(&l, s) < 0)
1981 return -ENOMEM;
1982 }
3fbe8dbe
LP		 1983 }
1984
1985 *ret = l;
1986 l = NULL;
1987
1988 return 0;
1989}
1990
6818c54c
LP		 1991static int apply_mount_namespace(
1992 Unit *u,
1993 ExecCommand *command,
1994 const ExecContext *context,
1995 const ExecParameters *params,
1996 ExecRuntime *runtime) {
1997
06ec51d8 1998 _cleanup_strv_free_ char **rw = NULL;
93c6bb51 1999 char *tmp = NULL, *var = NULL;
915e6d16 2000 const char *root_dir = NULL, *root_image = NULL;
93c6bb51 2001 NameSpaceInfo ns_info = {
af964954 2002 .ignore_protect_paths = false,
93c6bb51
DH		 2003 .private_dev = context->private_devices,
2004 .protect_control_groups = context->protect_control_groups,
2005 .protect_kernel_tunables = context->protect_kernel_tunables,
2006 .protect_kernel_modules = context->protect_kernel_modules,
5d997827 2007 .mount_apivfs = context->mount_apivfs,
93c6bb51 2008 };
6818c54c
LP		 2009 bool apply_restrictions;
2010 int r;
93c6bb51 2011
2b3c1b9e
DH		 2012 assert(context);
2013
93c6bb51
DH		 2014 /* The runtime struct only contains the parent of the private /tmp,
2015 * which is non-accessible to world users. Inside of it there's a /tmp
2016 * that is sticky, and that's the one we want to use here. */
2017
2018 if (context->private_tmp && runtime) {
2019 if (runtime->tmp_dir)
2020 tmp = strjoina(runtime->tmp_dir, "/tmp");
2021 if (runtime->var_tmp_dir)
2022 var = strjoina(runtime->var_tmp_dir, "/tmp");
2023 }
2024
2025 r = compile_read_write_paths(context, params, &rw);
2026 if (r < 0)
2027 return r;
2028
915e6d16
LP		 2029 if (params->flags & EXEC_APPLY_CHROOT) {
2030 root_image = context->root_image;
2031
2032 if (!root_image)
2033 root_dir = context->root_directory;
2034 }
93c6bb51 2035
af964954
DH		 2036 /*
2037 * If DynamicUser=no and RootDirectory= is set then lets pass a relaxed
2038 * sandbox info, otherwise enforce it, don't ignore protected paths and
2039 * fail if we are enable to apply the sandbox inside the mount namespace.
2040 */
2041 if (!context->dynamic_user && root_dir)
2042 ns_info.ignore_protect_paths = true;
2043
6818c54c
LP		 2044 apply_restrictions = (params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged;
2045
915e6d16
LP		 2046 r = setup_namespace(root_dir, root_image,
2047 &ns_info, rw,
6818c54c
LP		 2048 apply_restrictions ? context->read_only_paths : NULL,
2049 apply_restrictions ? context->inaccessible_paths : NULL,
d2d6c096
LP		 2050 context->bind_mounts,
2051 context->n_bind_mounts,
93c6bb51
DH		 2052 tmp,
2053 var,
6818c54c
LP		 2054 apply_restrictions ? context->protect_home : PROTECT_HOME_NO,
2055 apply_restrictions ? context->protect_system : PROTECT_SYSTEM_NO,
915e6d16
LP		 2056 context->mount_flags,
2057 DISSECT_IMAGE_DISCARD_ON_LOOP);
93c6bb51
DH		 2058
2059 /* If we couldn't set up the namespace this is probably due to a
2060 * missing capability. In this case, silently proceeed. */
2061 if (IN_SET(r, -EPERM, -EACCES)) {
2062 log_open();
2063 log_unit_debug_errno(u, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
2064 log_close();
2065 r = 0;
2066 }
2067
2068 return r;
2069}
2070
915e6d16
LP		 2071static int apply_working_directory(
2072 const ExecContext *context,
2073 const ExecParameters *params,
2074 const char *home,
376fecf6
LP		 2075 const bool needs_mount_ns,
2076 int *exit_status) {
915e6d16 2077
6732edab 2078 const char *d, *wd;
2b3c1b9e
DH		 2079
2080 assert(context);
376fecf6 2081 assert(exit_status);
2b3c1b9e 2082
6732edab
LP		 2083 if (context->working_directory_home) {
2084
376fecf6
LP		 2085 if (!home) {
2086 *exit_status = EXIT_CHDIR;
6732edab 2087 return -ENXIO;
376fecf6 2088 }
6732edab 2089
2b3c1b9e 2090 wd = home;
6732edab
LP		 2091
2092 } else if (context->working_directory)
2b3c1b9e
DH		 2093 wd = context->working_directory;
2094 else
2095 wd = "/";
e7f1e7c6
DH		 2096
2097 if (params->flags & EXEC_APPLY_CHROOT) {
2098 if (!needs_mount_ns && context->root_directory)
376fecf6
LP		 2099 if (chroot(context->root_directory) < 0) {
2100 *exit_status = EXIT_CHROOT;
e7f1e7c6 2101 return -errno;
376fecf6 2102 }
e7f1e7c6 2103
2b3c1b9e
DH		 2104 d = wd;
2105 } else
3b0e5bb5 2106 d = prefix_roota(context->root_directory, wd);
e7f1e7c6 2107
376fecf6
LP		 2108 if (chdir(d) < 0 && !context->working_directory_missing_ok) {
2109 *exit_status = EXIT_CHDIR;
2b3c1b9e 2110 return -errno;
376fecf6 2111 }
e7f1e7c6
DH		 2112
2113 return 0;
2114}
2115
74dd6b51
LP		 2116static int setup_keyring(Unit *u, const ExecParameters *p, uid_t uid, gid_t gid) {
2117 key_serial_t keyring;
2118
2119 assert(u);
2120 assert(p);
2121
2122 /* Let's set up a new per-service "session" kernel keyring for each system service. This has the benefit that
2123 * each service runs with its own keyring shared among all processes of the service, but with no hook-up beyond
2124 * that scope, and in particular no link to the per-UID keyring. If we don't do this the keyring will be
2125 * automatically created on-demand and then linked to the per-UID keyring, by the kernel. The kernel's built-in
2126 * on-demand behaviour is very appropriate for login users, but probably not so much for system services, where
2127 * UIDs are not necessarily specific to a service but reused (at least in the case of UID 0). */
2128
2129 if (!(p->flags & EXEC_NEW_KEYRING))
2130 return 0;
2131
2132 keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0);
2133 if (keyring == -1) {
2134 if (errno == ENOSYS)
2135 log_debug_errno(errno, "Kernel keyring not supported, ignoring.");
2136 else if (IN_SET(errno, EACCES, EPERM))
2137 log_debug_errno(errno, "Kernel keyring access prohibited, ignoring.");
2138 else if (errno == EDQUOT)
2139 log_debug_errno(errno, "Out of kernel keyrings to allocate, ignoring.");
2140 else
2141 return log_error_errno(errno, "Setting up kernel keyring failed: %m");
2142
2143 return 0;
2144 }
2145
b3415f5d
LP		 2146 /* Populate they keyring with the invocation ID by default. */
2147 if (!sd_id128_is_null(u->invocation_id)) {
2148 key_serial_t key;
2149
2150 key = add_key("user", "invocation_id", &u->invocation_id, sizeof(u->invocation_id), KEY_SPEC_SESSION_KEYRING);
2151 if (key == -1)
2152 log_debug_errno(errno, "Failed to add invocation ID to keyring, ignoring: %m");
2153 else {
2154 if (keyctl(KEYCTL_SETPERM, key,
2155 KEY_POS_VIEW|KEY_POS_READ|KEY_POS_SEARCH|
2156 KEY_USR_VIEW|KEY_USR_READ|KEY_USR_SEARCH, 0, 0) < 0)
2157 return log_error_errno(errno, "Failed to restrict invocation ID permission: %m");
2158 }
2159 }
2160
74dd6b51
LP		 2161 /* And now, make the keyring owned by the service's user */
2162 if (uid_is_valid(uid) || gid_is_valid(gid))
2163 if (keyctl(KEYCTL_CHOWN, keyring, uid, gid, 0) < 0)
2164 return log_error_errno(errno, "Failed to change ownership of session keyring: %m");
2165
2166 return 0;
2167}
2168
29206d46
LP		 2169static void append_socket_pair(int *array, unsigned *n, int pair[2]) {
2170 assert(array);
2171 assert(n);
2172
2173 if (!pair)
2174 return;
2175
2176 if (pair[0] >= 0)
2177 array[(*n)++] = pair[0];
2178 if (pair[1] >= 0)
2179 array[(*n)++] = pair[1];
2180}
2181
a34ceba6
LP		 2182static int close_remaining_fds(
2183 const ExecParameters *params,
2184 ExecRuntime *runtime,
29206d46 2185 DynamicCreds *dcreds,
00d9ef85 2186 int user_lookup_fd,
a34ceba6
LP		 2187 int socket_fd,
2188 int *fds, unsigned n_fds) {
2189
2190 unsigned n_dont_close = 0;
00d9ef85 2191 int dont_close[n_fds + 12];
a34ceba6
LP		 2192
2193 assert(params);
2194
2195 if (params->stdin_fd >= 0)
2196 dont_close[n_dont_close++] = params->stdin_fd;
2197 if (params->stdout_fd >= 0)
2198 dont_close[n_dont_close++] = params->stdout_fd;
2199 if (params->stderr_fd >= 0)
2200 dont_close[n_dont_close++] = params->stderr_fd;
2201
2202 if (socket_fd >= 0)
2203 dont_close[n_dont_close++] = socket_fd;
2204 if (n_fds > 0) {
2205 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
2206 n_dont_close += n_fds;
2207 }
2208
29206d46
LP		 2209 if (runtime)
2210 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
2211
2212 if (dcreds) {
2213 if (dcreds->user)
2214 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
2215 if (dcreds->group)
2216 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
a34ceba6
LP		 2217 }
2218
00d9ef85
LP		 2219 if (user_lookup_fd >= 0)
2220 dont_close[n_dont_close++] = user_lookup_fd;
2221
a34ceba6
LP		 2222 return close_all_fds(dont_close, n_dont_close);
2223}
2224
00d9ef85
LP		 2225static int send_user_lookup(
2226 Unit *unit,
2227 int user_lookup_fd,
2228 uid_t uid,
2229 gid_t gid) {
2230
2231 assert(unit);
2232
2233 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
2234 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
2235 * specified. */
2236
2237 if (user_lookup_fd < 0)
2238 return 0;
2239
2240 if (!uid_is_valid(uid) && !gid_is_valid(gid))
2241 return 0;
2242
2243 if (writev(user_lookup_fd,
2244 (struct iovec[]) {
2245 { .iov_base = &uid, .iov_len = sizeof(uid) },
2246 { .iov_base = &gid, .iov_len = sizeof(gid) },
2247 { .iov_base = unit->id, .iov_len = strlen(unit->id) }}, 3) < 0)
2248 return -errno;
2249
2250 return 0;
2251}
2252
6732edab
LP		 2253static int acquire_home(const ExecContext *c, uid_t uid, const char** home, char **buf) {
2254 int r;
2255
2256 assert(c);
2257 assert(home);
2258 assert(buf);
2259
2260 /* If WorkingDirectory=~ is set, try to acquire a usable home directory. */
2261
2262 if (*home)
2263 return 0;
2264
2265 if (!c->working_directory_home)
2266 return 0;
2267
2268 if (uid == 0) {
2269 /* Hardcode /root as home directory for UID 0 */
2270 *home = "/root";
2271 return 1;
2272 }
2273
2274 r = get_home_dir(buf);
2275 if (r < 0)
2276 return r;
2277
2278 *home = *buf;
2279 return 1;
2280}
2281
ff0af2a1 2282static int exec_child(
f2341e0a 2283 Unit *unit,
ff0af2a1
LP		 2284 ExecCommand *command,
2285 const ExecContext *context,
2286 const ExecParameters *params,
2287 ExecRuntime *runtime,
29206d46 2288 DynamicCreds *dcreds,
ff0af2a1
LP		 2289 char **argv,
2290 int socket_fd,
52c239d7 2291 int named_iofds[3],
4c47affc
FB		 2292 int *fds,
2293 unsigned n_storage_fds,
9b141911 2294 unsigned n_socket_fds,
ff0af2a1 2295 char **files_env,
00d9ef85 2296 int user_lookup_fd,
70dd455c
ZJS		 2297 int *exit_status,
2298 char **error_message) {
d35fbf6b 2299
2065ca69 2300 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **final_argv = NULL;
6732edab 2301 _cleanup_free_ char *mac_selinux_context_net = NULL, *home_buffer = NULL;
4d885bd3
DH		 2302 _cleanup_free_ gid_t *supplementary_gids = NULL;
2303 const char *username = NULL, *groupname = NULL;
2b3c1b9e 2304 const char *home = NULL, *shell = NULL;
7bce046b
LP		 2305 dev_t journal_stream_dev = 0;
2306 ino_t journal_stream_ino = 0;
2307 bool needs_mount_namespace;
fed1e721
LP		 2308 uid_t uid = UID_INVALID;
2309 gid_t gid = GID_INVALID;
4d885bd3 2310 int i, r, ngids = 0;
4c47affc 2311 unsigned n_fds;
3536f49e 2312 ExecDirectoryType dt;
034c6ed7 2313
f2341e0a 2314 assert(unit);
5cb5a6ff
LP		 2315 assert(command);
2316 assert(context);
d35fbf6b 2317 assert(params);
ff0af2a1 2318 assert(exit_status);
70dd455c
ZJS		 2319 assert(error_message);
2320 /* We don't always set error_message, hence it must be initialized */
2321 assert(*error_message == NULL);
d35fbf6b
DM		 2322
2323 rename_process_from_path(command->path);
2324
2325 /* We reset exactly these signals, since they are the
2326 * only ones we set to SIG_IGN in the main daemon. All
2327 * others we leave untouched because we set them to
2328 * SIG_DFL or a valid handler initially, both of which
2329 * will be demoted to SIG_DFL. */
ce30c8dc
LP		 2330 (void) default_signals(SIGNALS_CRASH_HANDLER,
2331 SIGNALS_IGNORE, -1);
d35fbf6b
DM		 2332
2333 if (context->ignore_sigpipe)
ce30c8dc 2334 (void) ignore_signals(SIGPIPE, -1);
d35fbf6b 2335
ff0af2a1
LP		 2336 r = reset_signal_mask();
2337 if (r < 0) {
2338 *exit_status = EXIT_SIGNAL_MASK;
70dd455c
ZJS		 2339 *error_message = strdup("Failed to reset signal mask");
2340 /* If strdup fails, here and below, we will just print the generic error message. */
ff0af2a1 2341 return r;
d35fbf6b 2342 }
034c6ed7 2343
d35fbf6b
DM		 2344 if (params->idle_pipe)
2345 do_idle_pipe_dance(params->idle_pipe);
4f2d528d 2346
d35fbf6b
DM		 2347 /* Close sockets very early to make sure we don't
2348 * block init reexecution because it cannot bind its
2349 * sockets */
ff0af2a1 2350
d35fbf6b 2351 log_forget_fds();
4f2d528d 2352
4c47affc 2353 n_fds = n_storage_fds + n_socket_fds;
00d9ef85 2354 r = close_remaining_fds(params, runtime, dcreds, user_lookup_fd, socket_fd, fds, n_fds);
ff0af2a1
LP		 2355 if (r < 0) {
2356 *exit_status = EXIT_FDS;
70dd455c 2357 *error_message = strdup("Failed to close remaining fds");
ff0af2a1 2358 return r;
8c7be95e
LP		 2359 }
2360
d35fbf6b
DM		 2361 if (!context->same_pgrp)
2362 if (setsid() < 0) {
ff0af2a1 2363 *exit_status = EXIT_SETSID;
d35fbf6b
DM		 2364 return -errno;
2365 }
9e2f7c11 2366
1e22b5cd 2367 exec_context_tty_reset(context, params);
d35fbf6b 2368
c891efaf 2369 if (unit_shall_confirm_spawn(unit)) {
7d5ceb64 2370 const char *vc = params->confirm_spawn;
3b20f877
FB		 2371 _cleanup_free_ char *cmdline = NULL;
2372
2373 cmdline = exec_command_line(argv);
2374 if (!cmdline) {
2375 *exit_status = EXIT_CONFIRM;
2376 return -ENOMEM;
2377 }
d35fbf6b 2378
eedf223a 2379 r = ask_for_confirmation(vc, unit, cmdline);
3b20f877
FB		 2380 if (r != CONFIRM_EXECUTE) {
2381 if (r == CONFIRM_PRETEND_SUCCESS) {
2382 *exit_status = EXIT_SUCCESS;
2383 return 0;
2384 }
ff0af2a1 2385 *exit_status = EXIT_CONFIRM;
70dd455c 2386 *error_message = strdup("Execution cancelled");
d35fbf6b 2387 return -ECANCELED;
d35fbf6b
DM		 2388 }
2389 }
1a63a750 2390
29206d46
LP		 2391 if (context->dynamic_user && dcreds) {
2392
409093fe
LP		 2393 /* Make sure we bypass our own NSS module for any NSS checks */
2394 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
2395 *exit_status = EXIT_USER;
70dd455c 2396 *error_message = strdup("Failed to update environment");
409093fe
LP		 2397 return -errno;
2398 }
2399
29206d46 2400 r = dynamic_creds_realize(dcreds, &uid, &gid);
ff0af2a1
LP		 2401 if (r < 0) {
2402 *exit_status = EXIT_USER;
70dd455c 2403 *error_message = strdup("Failed to update dynamic user credentials");
ff0af2a1 2404 return r;
524daa8c 2405 }
524daa8c 2406
70dd455c 2407 if (!uid_is_valid(uid)) {
29206d46 2408 *exit_status = EXIT_USER;
70dd455c
ZJS		 2409 (void) asprintf(error_message, "UID validation failed for \""UID_FMT"\"", uid);
2410 /* If asprintf fails, here and below, we will just print the generic error message. */
2411 return -ESRCH;
2412 }
2413
2414 if (!gid_is_valid(gid)) {
2415 *exit_status = EXIT_USER;
2416 (void) asprintf(error_message, "GID validation failed for \""GID_FMT"\"", gid);
29206d46
LP		 2417 return -ESRCH;
2418 }
5bc7452b 2419
29206d46
LP		 2420 if (dcreds->user)
2421 username = dcreds->user->name;
2422
2423 } else {
4d885bd3
DH		 2424 r = get_fixed_user(context, &username, &uid, &gid, &home, &shell);
2425 if (r < 0) {
2426 *exit_status = EXIT_USER;
70dd455c 2427 *error_message = strdup("Failed to determine user credentials");
4d885bd3 2428 return r;
5bc7452b 2429 }
5bc7452b 2430
4d885bd3
DH		 2431 r = get_fixed_group(context, &groupname, &gid);
2432 if (r < 0) {
2433 *exit_status = EXIT_GROUP;
70dd455c 2434 *error_message = strdup("Failed to determine group credentials");
4d885bd3
DH		 2435 return r;
2436 }
cdc5d5c5 2437 }
29206d46 2438
cdc5d5c5
DH		 2439 /* Initialize user supplementary groups and get SupplementaryGroups= ones */
2440 r = get_supplementary_groups(context, username, groupname, gid,
2441 &supplementary_gids, &ngids);
2442 if (r < 0) {
2443 *exit_status = EXIT_GROUP;
70dd455c 2444 *error_message = strdup("Failed to determine supplementary groups");
cdc5d5c5 2445 return r;
29206d46 2446 }
5bc7452b 2447
00d9ef85
LP		 2448 r = send_user_lookup(unit, user_lookup_fd, uid, gid);
2449 if (r < 0) {
2450 *exit_status = EXIT_USER;
70dd455c 2451 *error_message = strdup("Failed to send user credentials to PID1");
00d9ef85
LP		 2452 return r;
2453 }
2454
2455 user_lookup_fd = safe_close(user_lookup_fd);
2456
6732edab
LP		 2457 r = acquire_home(context, uid, &home, &home_buffer);
2458 if (r < 0) {
2459 *exit_status = EXIT_CHDIR;
2460 *error_message = strdup("Failed to determine $HOME for user");
2461 return r;
2462 }
2463
d35fbf6b
DM		 2464 /* If a socket is connected to STDIN/STDOUT/STDERR, we
2465 * must sure to drop O_NONBLOCK */
2466 if (socket_fd >= 0)
a34ceba6 2467 (void) fd_nonblock(socket_fd, false);
acbb0225 2468
52c239d7 2469 r = setup_input(context, params, socket_fd, named_iofds);
ff0af2a1
LP		 2470 if (r < 0) {
2471 *exit_status = EXIT_STDIN;
70dd455c 2472 *error_message = strdup("Failed to set up stdin");
ff0af2a1 2473 return r;
d35fbf6b 2474 }
034c6ed7 2475
52c239d7 2476 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 2477 if (r < 0) {
2478 *exit_status = EXIT_STDOUT;
70dd455c 2479 *error_message = strdup("Failed to set up stdout");
ff0af2a1 2480 return r;
d35fbf6b
DM		 2481 }
2482
52c239d7 2483 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 2484 if (r < 0) {
2485 *exit_status = EXIT_STDERR;
70dd455c 2486 *error_message = strdup("Failed to set up stderr");
ff0af2a1 2487 return r;
d35fbf6b
DM		 2488 }
2489
2490 if (params->cgroup_path) {
ff0af2a1
LP		 2491 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
2492 if (r < 0) {
2493 *exit_status = EXIT_CGROUP;
70dd455c 2494 (void) asprintf(error_message, "Failed to attach to cgroup %s", params->cgroup_path);
ff0af2a1 2495 return r;
309bff19 2496 }
d35fbf6b 2497 }
309bff19 2498
d35fbf6b 2499 if (context->oom_score_adjust_set) {
d5243d62 2500 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
f2b68789 2501
d5243d62
LP		 2502 /* When we can't make this change due to EPERM, then
2503 * let's silently skip over it. User namespaces
2504 * prohibit write access to this file, and we
2505 * shouldn't trip up over that. */
613b411c 2506
d5243d62 2507 sprintf(t, "%i", context->oom_score_adjust);
ad118bda 2508 r = write_string_file("/proc/self/oom_score_adj", t, 0);
6cb7fa17 2509 if (r == -EPERM || r == -EACCES) {
ff0af2a1 2510 log_open();
f2341e0a 2511 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
ff0af2a1
LP		 2512 log_close();
2513 } else if (r < 0) {
2514 *exit_status = EXIT_OOM_ADJUST;
70dd455c 2515 *error_message = strdup("Failed to write /proc/self/oom_score_adj");
d35fbf6b 2516 return -errno;
613b411c 2517 }
d35fbf6b
DM		 2518 }
2519
2520 if (context->nice_set)
2521 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
ff0af2a1 2522 *exit_status = EXIT_NICE;
d35fbf6b 2523 return -errno;
613b411c
LP		 2524 }
2525
d35fbf6b
DM		 2526 if (context->cpu_sched_set) {
2527 struct sched_param param = {
2528 .sched_priority = context->cpu_sched_priority,
2529 };
2530
ff0af2a1
LP		 2531 r = sched_setscheduler(0,
2532 context->cpu_sched_policy |
2533 (context->cpu_sched_reset_on_fork ?
2534 SCHED_RESET_ON_FORK : 0),
2535 &param);
2536 if (r < 0) {
2537 *exit_status = EXIT_SETSCHEDULER;
d35fbf6b 2538 return -errno;
fc9b2a84 2539 }
d35fbf6b 2540 }
fc9b2a84 2541
d35fbf6b
DM		 2542 if (context->cpuset)
2543 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
ff0af2a1 2544 *exit_status = EXIT_CPUAFFINITY;
d35fbf6b 2545 return -errno;
034c6ed7
LP		 2546 }
2547
d35fbf6b
DM		 2548 if (context->ioprio_set)
2549 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
ff0af2a1 2550 *exit_status = EXIT_IOPRIO;
d35fbf6b
DM		 2551 return -errno;
2552 }
da726a4d 2553
d35fbf6b
DM		 2554 if (context->timer_slack_nsec != NSEC_INFINITY)
2555 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
ff0af2a1 2556 *exit_status = EXIT_TIMERSLACK;
d35fbf6b 2557 return -errno;
4c2630eb 2558 }
9eba9da4 2559
050f7277 2560 if (context->personality != PERSONALITY_INVALID)
d35fbf6b 2561 if (personality(context->personality) < 0) {
ff0af2a1 2562 *exit_status = EXIT_PERSONALITY;
d35fbf6b 2563 return -errno;
4c2630eb 2564 }
94f04347 2565
d35fbf6b 2566 if (context->utmp_id)
df0ff127 2567 utmp_put_init_process(context->utmp_id, getpid_cached(), getsid(0),
6a93917d 2568 context->tty_path,
023a4f67
LP		 2569 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
2570 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
2571 USER_PROCESS,
6a93917d 2572 username);
d35fbf6b 2573
e0d2adfd 2574 if (context->user) {
ff0af2a1
LP		 2575 r = chown_terminal(STDIN_FILENO, uid);
2576 if (r < 0) {
2577 *exit_status = EXIT_STDIN;
2578 return r;
071830ff 2579 }
d35fbf6b 2580 }
8e274523 2581
a931ad47
LP		 2582 /* If delegation is enabled we'll pass ownership of the cgroup
2583 * (but only in systemd's own controller hierarchy!) to the
2584 * user of the new process. */
2585 if (params->cgroup_path && context->user && params->cgroup_delegate) {
ff0af2a1
LP		 2586 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
2587 if (r < 0) {
2588 *exit_status = EXIT_CGROUP;
2589 return r;
d35fbf6b 2590 }
034c6ed7 2591
034c6ed7 2592
ff0af2a1
LP		 2593 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
2594 if (r < 0) {
2595 *exit_status = EXIT_CGROUP;
2596 return r;
034c6ed7 2597 }
d35fbf6b 2598 }
034c6ed7 2599
3536f49e
YW		 2600 for (dt = 0; dt < _EXEC_DIRECTORY_MAX; dt++) {
2601 r = setup_exec_directory(context, params, uid, gid, MANAGER_IS_SYSTEM(unit->manager), dt, exit_status);
2602 if (r < 0)
07689d5d 2603 return r;
d35fbf6b 2604 }
94f04347 2605
7bce046b 2606 r = build_environment(
fd63e712 2607 unit,
7bce046b
LP		 2608 context,
2609 params,
2610 n_fds,
2611 home,
2612 username,
2613 shell,
2614 journal_stream_dev,
2615 journal_stream_ino,
2616 &our_env);
2065ca69
JW		 2617 if (r < 0) {
2618 *exit_status = EXIT_MEMORY;
2619 return r;
2620 }
2621
2622 r = build_pass_environment(context, &pass_env);
2623 if (r < 0) {
2624 *exit_status = EXIT_MEMORY;
2625 return r;
2626 }
2627
2628 accum_env = strv_env_merge(5,
2629 params->environment,
2630 our_env,
2631 pass_env,
2632 context->environment,
2633 files_env,
2634 NULL);
2635 if (!accum_env) {
2636 *exit_status = EXIT_MEMORY;
2637 return -ENOMEM;
2638 }
1280503b 2639 accum_env = strv_env_clean(accum_env);
2065ca69 2640
096424d1 2641 (void) umask(context->umask);
b213e1c1 2642
74dd6b51
LP		 2643 r = setup_keyring(unit, params, uid, gid);
2644 if (r < 0) {
2645 *exit_status = EXIT_KEYRING;
2646 return r;
2647 }
2648
c39f1ce2 2649 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
b213e1c1 2650 if (context->pam_name && username) {
2d6fce8d 2651 r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds);
b213e1c1
SW		 2652 if (r < 0) {
2653 *exit_status = EXIT_PAM;
2654 return r;
2655 }
d35fbf6b 2656 }
b213e1c1 2657 }
ac45f971 2658
d35fbf6b 2659 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
ff0af2a1
LP		 2660 r = setup_netns(runtime->netns_storage_socket);
2661 if (r < 0) {
2662 *exit_status = EXIT_NETWORK;
2663 return r;
d35fbf6b
DM		 2664 }
2665 }
169c1bda 2666
ee818b89 2667 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
ee818b89 2668 if (needs_mount_namespace) {
6818c54c 2669 r = apply_mount_namespace(unit, command, context, params, runtime);
3fbe8dbe
LP		 2670 if (r < 0) {
2671 *exit_status = EXIT_NAMESPACE;
2672 return r;
2673 }
d35fbf6b 2674 }
81a2b7ce 2675
50b3dfb9 2676 /* Apply just after mount namespace setup */
376fecf6
LP		 2677 r = apply_working_directory(context, params, home, needs_mount_namespace, exit_status);
2678 if (r < 0)
50b3dfb9 2679 return r;
50b3dfb9 2680
bbeea271 2681 /* Drop groups as early as possbile */
096424d1 2682 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
4d885bd3 2683 r = enforce_groups(context, gid, supplementary_gids, ngids);
096424d1
LP		 2684 if (r < 0) {
2685 *exit_status = EXIT_GROUP;
2686 return r;
2687 }
2688 }
2689
9008e1ac 2690#ifdef HAVE_SELINUX
c39f1ce2
LP		 2691 if ((params->flags & EXEC_APPLY_PERMISSIONS) &&
2692 mac_selinux_use() &&
2693 params->selinux_context_net &&
2694 socket_fd >= 0 &&
2695 !command->privileged) {
2696
ff0af2a1
LP		 2697 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
2698 if (r < 0) {
2699 *exit_status = EXIT_SELINUX_CONTEXT;
2700 return r;
9008e1ac
MS		 2701 }
2702 }
2703#endif
2704
d87a2ef7 2705 if ((params->flags & EXEC_APPLY_PERMISSIONS) && context->private_users) {
d251207d
LP		 2706 r = setup_private_users(uid, gid);
2707 if (r < 0) {
2708 *exit_status = EXIT_USER;
2709 return r;
2710 }
2711 }
2712
d35fbf6b
DM		 2713 /* We repeat the fd closing here, to make sure that
2714 * nothing is leaked from the PAM modules. Note that
2715 * we are more aggressive this time since socket_fd
e44da745
DM		 2716 * and the netns fds we don't need anymore. The custom
2717 * endpoint fd was needed to upload the policy and can
2718 * now be closed as well. */
ff0af2a1
LP		 2719 r = close_all_fds(fds, n_fds);
2720 if (r >= 0)
2721 r = shift_fds(fds, n_fds);
2722 if (r >= 0)
4c47affc 2723 r = flags_fds(fds, n_storage_fds, n_socket_fds, context->non_blocking);
ff0af2a1
LP		 2724 if (r < 0) {
2725 *exit_status = EXIT_FDS;
2726 return r;
d35fbf6b 2727 }
e66cf1a3 2728
c39f1ce2 2729 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
e66cf1a3 2730
755d4b67
IP		 2731 int secure_bits = context->secure_bits;
2732
d35fbf6b 2733 for (i = 0; i < _RLIMIT_MAX; i++) {
03857c43 2734
d35fbf6b
DM		 2735 if (!context->rlimit[i])
2736 continue;
2737
03857c43
LP		 2738 r = setrlimit_closest(i, context->rlimit[i]);
2739 if (r < 0) {
ff0af2a1 2740 *exit_status = EXIT_LIMITS;
03857c43 2741 return r;
e66cf1a3
LP		 2742 }
2743 }
2744
f4170c67
LP		 2745 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */
2746 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
2747 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
2748 *exit_status = EXIT_LIMITS;
2749 return -errno;
2750 }
2751 }
2752
a103496c
IP		 2753 if (!cap_test_all(context->capability_bounding_set)) {
2754 r = capability_bounding_set_drop(context->capability_bounding_set, false);
ff0af2a1
LP		 2755 if (r < 0) {
2756 *exit_status = EXIT_CAPABILITIES;
70dd455c 2757 *error_message = strdup("Failed to drop capabilities");
ff0af2a1 2758 return r;
3b8bddde 2759 }
4c2630eb 2760 }
3b8bddde 2761
755d4b67
IP		 2762 /* This is done before enforce_user, but ambient set
2763 * does not survive over setresuid() if keep_caps is not set. */
2764 if (context->capability_ambient_set != 0) {
2765 r = capability_ambient_set_apply(context->capability_ambient_set, true);
2766 if (r < 0) {
2767 *exit_status = EXIT_CAPABILITIES;
70dd455c 2768 *error_message = strdup("Failed to apply ambient capabilities (before UID change)");
755d4b67
IP		 2769 return r;
2770 }
755d4b67
IP		 2771 }
2772
d35fbf6b 2773 if (context->user) {
ff0af2a1
LP		 2774 r = enforce_user(context, uid);
2775 if (r < 0) {
2776 *exit_status = EXIT_USER;
70dd455c 2777 (void) asprintf(error_message, "Failed to change UID to "UID_FMT, uid);
ff0af2a1 2778 return r;
5b6319dc 2779 }
755d4b67
IP		 2780 if (context->capability_ambient_set != 0) {
2781
2782 /* Fix the ambient capabilities after user change. */
2783 r = capability_ambient_set_apply(context->capability_ambient_set, false);
2784 if (r < 0) {
2785 *exit_status = EXIT_CAPABILITIES;
70dd455c 2786 *error_message = strdup("Failed to apply ambient capabilities (after UID change)");
755d4b67
IP		 2787 return r;
2788 }
2789
2790 /* If we were asked to change user and ambient capabilities
2791 * were requested, we had to add keep-caps to the securebits
2792 * so that we would maintain the inherited capability set
2793 * through the setresuid(). Make sure that the bit is added
2794 * also to the context secure_bits so that we don't try to
2795 * drop the bit away next. */
2796
7f508f2c 2797 secure_bits |= 1<<SECURE_KEEP_CAPS;
755d4b67 2798 }
5b6319dc 2799 }
d35fbf6b 2800
5cd9cd35
LP		 2801 /* Apply the MAC contexts late, but before seccomp syscall filtering, as those should really be last to
2802 * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
2803 * syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
2804 * are restricted. */
2805
2806#ifdef HAVE_SELINUX
2807 if (mac_selinux_use()) {
2808 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
2809
2810 if (exec_context) {
2811 r = setexeccon(exec_context);
2812 if (r < 0) {
2813 *exit_status = EXIT_SELINUX_CONTEXT;
70dd455c 2814 (void) asprintf(error_message, "Failed to set SELinux context to %s", exec_context);
5cd9cd35
LP		 2815 return r;
2816 }
2817 }
2818 }
2819#endif
2820
2821 r = setup_smack(context, command);
2822 if (r < 0) {
2823 *exit_status = EXIT_SMACK_PROCESS_LABEL;
70dd455c 2824 *error_message = strdup("Failed to set SMACK process label");
5cd9cd35
LP		 2825 return r;
2826 }
2827
2828#ifdef HAVE_APPARMOR
2829 if (context->apparmor_profile && mac_apparmor_use()) {
2830 r = aa_change_onexec(context->apparmor_profile);
2831 if (r < 0 && !context->apparmor_profile_ignore) {
2832 *exit_status = EXIT_APPARMOR_PROFILE;
70dd455c
ZJS		 2833 (void) asprintf(error_message,
2834 "Failed to prepare AppArmor profile change to %s",
2835 context->apparmor_profile);
5cd9cd35
LP		 2836 return -errno;
2837 }
2838 }
2839#endif
2840
d35fbf6b
DM		 2841 /* PR_GET_SECUREBITS is not privileged, while
2842 * PR_SET_SECUREBITS is. So to suppress
2843 * potential EPERMs we'll try not to call
2844 * PR_SET_SECUREBITS unless necessary. */
755d4b67
IP		 2845 if (prctl(PR_GET_SECUREBITS) != secure_bits)
2846 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
ff0af2a1 2847 *exit_status = EXIT_SECUREBITS;
70dd455c 2848 *error_message = strdup("Failed to set secure bits");
d35fbf6b 2849 return -errno;
ff01d048 2850 }
5b6319dc 2851
59eeb84b 2852 if (context_has_no_new_privileges(context))
d35fbf6b 2853 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
ff0af2a1 2854 *exit_status = EXIT_NO_NEW_PRIVILEGES;
70dd455c 2855 *error_message = strdup("Failed to disable new privileges");
d35fbf6b
DM		 2856 return -errno;
2857 }
2858
2859#ifdef HAVE_SECCOMP
469830d1
LP		 2860 r = apply_address_families(unit, context);
2861 if (r < 0) {
2862 *exit_status = EXIT_ADDRESS_FAMILIES;
5b3637b4 2863 *error_message = strdup("Failed to restrict address families");
469830d1 2864 return r;
4c2630eb 2865 }
04aa0cb9 2866
469830d1
LP		 2867 r = apply_memory_deny_write_execute(unit, context);
2868 if (r < 0) {
2869 *exit_status = EXIT_SECCOMP;
5b3637b4 2870 *error_message = strdup("Failed to disable writing to executable memory");
469830d1 2871 return r;
f3e43635 2872 }
f4170c67 2873
469830d1
LP		 2874 r = apply_restrict_realtime(unit, context);
2875 if (r < 0) {
2876 *exit_status = EXIT_SECCOMP;
5b3637b4 2877 *error_message = strdup("Failed to apply realtime restrictions");
469830d1 2878 return r;
f4170c67
LP		 2879 }
2880
add00535
LP		 2881 r = apply_restrict_namespaces(unit, context);
2882 if (r < 0) {
2883 *exit_status = EXIT_SECCOMP;
70dd455c 2884 *error_message = strdup("Failed to apply namespace restrictions");
add00535
LP		 2885 return r;
2886 }
2887
469830d1
LP		 2888 r = apply_protect_sysctl(unit, context);
2889 if (r < 0) {
2890 *exit_status = EXIT_SECCOMP;
5b3637b4 2891 *error_message = strdup("Failed to apply sysctl restrictions");
469830d1 2892 return r;
502d704e
DH		 2893 }
2894
469830d1
LP		 2895 r = apply_protect_kernel_modules(unit, context);
2896 if (r < 0) {
2897 *exit_status = EXIT_SECCOMP;
5b3637b4 2898 *error_message = strdup("Failed to apply module loading restrictions");
469830d1 2899 return r;
59eeb84b
LP		 2900 }
2901
469830d1
LP		 2902 r = apply_private_devices(unit, context);
2903 if (r < 0) {
2904 *exit_status = EXIT_SECCOMP;
5b3637b4 2905 *error_message = strdup("Failed to set up private devices");
469830d1
LP		 2906 return r;
2907 }
2908
2909 r = apply_syscall_archs(unit, context);
2910 if (r < 0) {
2911 *exit_status = EXIT_SECCOMP;
5b3637b4 2912 *error_message = strdup("Failed to apply syscall architecture restrictions");
469830d1 2913 return r;
ba128bb8
LP		 2914 }
2915
5cd9cd35
LP		 2916 /* This really should remain the last step before the execve(), to make sure our own code is unaffected
2917 * by the filter as little as possible. */
469830d1
LP		 2918 r = apply_syscall_filter(unit, context);
2919 if (r < 0) {
2920 *exit_status = EXIT_SECCOMP;
5b3637b4 2921 *error_message = strdup("Failed to apply syscall filters");
469830d1 2922 return r;
d35fbf6b
DM		 2923 }
2924#endif
d35fbf6b 2925 }
034c6ed7 2926
2065ca69 2927 final_argv = replace_env_argv(argv, accum_env);
d35fbf6b 2928 if (!final_argv) {
ff0af2a1 2929 *exit_status = EXIT_MEMORY;
70dd455c 2930 *error_message = strdup("Failed to prepare process arguments");
d35fbf6b
DM		 2931 return -ENOMEM;
2932 }
034c6ed7 2933
553d2243 2934 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
d35fbf6b 2935 _cleanup_free_ char *line;
81a2b7ce 2936
d35fbf6b
DM		 2937 line = exec_command_line(final_argv);
2938 if (line) {
2939 log_open();
f2341e0a 2940 log_struct(LOG_DEBUG,
f2341e0a
LP		 2941 "EXECUTABLE=%s", command->path,
2942 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
ba360bb0 2943 LOG_UNIT_ID(unit),
f2341e0a 2944 NULL);
d35fbf6b
DM		 2945 log_close();
2946 }
2947 }
dd305ec9 2948
2065ca69 2949 execve(command->path, final_argv, accum_env);
ff0af2a1 2950 *exit_status = EXIT_EXEC;
d35fbf6b
DM		 2951 return -errno;
2952}
81a2b7ce 2953
f2341e0a
LP		 2954int exec_spawn(Unit *unit,
2955 ExecCommand *command,
d35fbf6b
DM		 2956 const ExecContext *context,
2957 const ExecParameters *params,
2958 ExecRuntime *runtime,
29206d46 2959 DynamicCreds *dcreds,
d35fbf6b 2960 pid_t *ret) {
8351ceae 2961
d35fbf6b 2962 _cleanup_strv_free_ char **files_env = NULL;
9b141911 2963 int *fds = NULL;
4c47affc 2964 unsigned n_storage_fds = 0, n_socket_fds = 0;
ff0af2a1
LP		 2965 _cleanup_free_ char *line = NULL;
2966 int socket_fd, r;
52c239d7 2967 int named_iofds[3] = { -1, -1, -1 };
ff0af2a1 2968 char **argv;
d35fbf6b 2969 pid_t pid;
8351ceae 2970
f2341e0a 2971 assert(unit);
d35fbf6b
DM		 2972 assert(command);
2973 assert(context);
2974 assert(ret);
2975 assert(params);
4c47affc 2976 assert(params->fds || (params->n_storage_fds + params->n_socket_fds <= 0));
4298d0b5 2977
d35fbf6b
DM		 2978 if (context->std_input == EXEC_INPUT_SOCKET ||
2979 context->std_output == EXEC_OUTPUT_SOCKET ||
2980 context->std_error == EXEC_OUTPUT_SOCKET) {
17df7223 2981
4c47affc 2982 if (params->n_socket_fds > 1) {
f2341e0a 2983 log_unit_error(unit, "Got more than one socket.");
d35fbf6b 2984 return -EINVAL;
ff0af2a1 2985 }
eef65bf3 2986
4c47affc 2987 if (params->n_socket_fds == 0) {
488ab41c
AA		 2988 log_unit_error(unit, "Got no socket.");
2989 return -EINVAL;
2990 }
2991
d35fbf6b
DM		 2992 socket_fd = params->fds[0];
2993 } else {
2994 socket_fd = -1;
2995 fds = params->fds;
4c47affc 2996 n_storage_fds = params->n_storage_fds;
9b141911 2997 n_socket_fds = params->n_socket_fds;
d35fbf6b 2998 }
94f04347 2999
52c239d7
LB		 3000 r = exec_context_named_iofds(unit, context, params, named_iofds);
3001 if (r < 0)
3002 return log_unit_error_errno(unit, r, "Failed to load a named file descriptor: %m");
3003
f2341e0a 3004 r = exec_context_load_environment(unit, context, &files_env);
ff0af2a1 3005 if (r < 0)
f2341e0a 3006 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
034c6ed7 3007
d35fbf6b 3008 argv = params->argv ?: command->argv;
d35fbf6b
DM		 3009 line = exec_command_line(argv);
3010 if (!line)
3011 return log_oom();
fab56fc5 3012
f2341e0a 3013 log_struct(LOG_DEBUG,
f2341e0a
LP		 3014 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
3015 "EXECUTABLE=%s", command->path,
ba360bb0 3016 LOG_UNIT_ID(unit),
f2341e0a 3017 NULL);
d35fbf6b
DM		 3018 pid = fork();
3019 if (pid < 0)
74129a12 3020 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
d35fbf6b
DM		 3021
3022 if (pid == 0) {
ff0af2a1 3023 int exit_status;
70dd455c 3024 _cleanup_free_ char *error_message = NULL;
ff0af2a1 3025
f2341e0a
LP		 3026 r = exec_child(unit,
3027 command,
ff0af2a1
LP		 3028 context,
3029 params,
3030 runtime,
29206d46 3031 dcreds,
ff0af2a1
LP		 3032 argv,
3033 socket_fd,
52c239d7 3034 named_iofds,
4c47affc
FB		 3035 fds,
3036 n_storage_fds,
9b141911 3037 n_socket_fds,
ff0af2a1 3038 files_env,
00d9ef85 3039 unit->manager->user_lookup_fds[1],
70dd455c
ZJS		 3040 &exit_status,
3041 &error_message);
ff0af2a1 3042 if (r < 0) {
4c2630eb 3043 log_open();
70dd455c
ZJS		 3044 if (error_message)
3045 log_struct_errno(LOG_ERR, r,
2b044526 3046 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
70dd455c
ZJS		 3047 LOG_UNIT_ID(unit),
3048 LOG_UNIT_MESSAGE(unit, "%s: %m",
3049 error_message),
3050 "EXECUTABLE=%s", command->path,
3051 NULL);
4d8b0f0f
YW		 3052 else if (r == -ENOENT && command->ignore)
3053 log_struct_errno(LOG_INFO, r,
3054 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
3055 LOG_UNIT_ID(unit),
3056 LOG_UNIT_MESSAGE(unit, "Skipped spawning %s: %m",
3057 command->path),
3058 "EXECUTABLE=%s", command->path,
3059 NULL);
70dd455c
ZJS		 3060 else
3061 log_struct_errno(LOG_ERR, r,
2b044526 3062 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
70dd455c
ZJS		 3063 LOG_UNIT_ID(unit),
3064 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
3065 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
3066 command->path),
3067 "EXECUTABLE=%s", command->path,
3068 NULL);
4c2630eb
MS		 3069 }
3070
ff0af2a1 3071 _exit(exit_status);
034c6ed7
LP		 3072 }
3073
f2341e0a 3074 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
23635a85 3075
80876c20
LP		 3076 /* We add the new process to the cgroup both in the child (so
3077 * that we can be sure that no user code is ever executed
3078 * outside of the cgroup) and in the parent (so that we can be
3079 * sure that when we kill the cgroup the process will be
3080 * killed too). */
d35fbf6b 3081 if (params->cgroup_path)
dd305ec9 3082 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
2da3263a 3083
b58b4116 3084 exec_status_start(&command->exec_status, pid);
9fb86720 3085
034c6ed7 3086 *ret = pid;
5cb5a6ff
LP		 3087 return 0;
3088}
3089
034c6ed7 3090void exec_context_init(ExecContext *c) {
3536f49e
YW		 3091 ExecDirectoryType i;
3092
034c6ed7
LP		 3093 assert(c);
3094
4c12626c 3095 c->umask = 0022;
9eba9da4 3096 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
94f04347 3097 c->cpu_sched_policy = SCHED_OTHER;
071830ff 3098 c->syslog_priority = LOG_DAEMON|LOG_INFO;
74922904 3099 c->syslog_level_prefix = true;
353e12c2 3100 c->ignore_sigpipe = true;
3a43da28 3101 c->timer_slack_nsec = NSEC_INFINITY;
050f7277 3102 c->personality = PERSONALITY_INVALID;
3536f49e
YW		 3103 for (i = 0; i < _EXEC_DIRECTORY_MAX; i++)
3104 c->directories[i].mode = 0755;
a103496c 3105 c->capability_bounding_set = CAP_ALL;
add00535 3106 c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
034c6ed7
LP		 3107}
3108
613b411c 3109void exec_context_done(ExecContext *c) {
5cb5a6ff 3110 unsigned l;
3536f49e 3111 ExecDirectoryType i;
5cb5a6ff
LP		 3112
3113 assert(c);
3114
6796073e
LP		 3115 c->environment = strv_free(c->environment);
3116 c->environment_files = strv_free(c->environment_files);
b4c14404 3117 c->pass_environment = strv_free(c->pass_environment);
8c7be95e 3118
1f6b4113 3119 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
a1e58e8e 3120 c->rlimit[l] = mfree(c->rlimit[l]);
034c6ed7 3121
52c239d7
LB		 3122 for (l = 0; l < 3; l++)
3123 c->stdio_fdname[l] = mfree(c->stdio_fdname[l]);
3124
a1e58e8e
LP		 3125 c->working_directory = mfree(c->working_directory);
3126 c->root_directory = mfree(c->root_directory);
915e6d16 3127 c->root_image = mfree(c->root_image);
a1e58e8e
LP		 3128 c->tty_path = mfree(c->tty_path);
3129 c->syslog_identifier = mfree(c->syslog_identifier);
3130 c->user = mfree(c->user);
3131 c->group = mfree(c->group);
034c6ed7 3132
6796073e 3133 c->supplementary_groups = strv_free(c->supplementary_groups);
94f04347 3134
a1e58e8e 3135 c->pam_name = mfree(c->pam_name);
5b6319dc 3136
2a624c36
AP		 3137 c->read_only_paths = strv_free(c->read_only_paths);
3138 c->read_write_paths = strv_free(c->read_write_paths);
3139 c->inaccessible_paths = strv_free(c->inaccessible_paths);
82c121a4 3140
d2d6c096
LP		 3141 bind_mount_free_many(c->bind_mounts, c->n_bind_mounts);
3142
82c121a4
LP		 3143 if (c->cpuset)
3144 CPU_FREE(c->cpuset);
86a3475b 3145
a1e58e8e
LP		 3146 c->utmp_id = mfree(c->utmp_id);
3147 c->selinux_context = mfree(c->selinux_context);
3148 c->apparmor_profile = mfree(c->apparmor_profile);
5b8e1b77 3149 c->smack_process_label = mfree(c->smack_process_label);
eef65bf3 3150
525d3cc7
LP		 3151 c->syscall_filter = set_free(c->syscall_filter);
3152 c->syscall_archs = set_free(c->syscall_archs);
3153 c->address_families = set_free(c->address_families);
e66cf1a3 3154
3536f49e
YW		 3155 for (i = 0; i < _EXEC_DIRECTORY_MAX; i++)
3156 c->directories[i].paths = strv_free(c->directories[i].paths);
e66cf1a3
LP		 3157}
3158
3159int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
3160 char **i;
3161
3162 assert(c);
3163
3164 if (!runtime_prefix)
3165 return 0;
3166
3536f49e 3167 STRV_FOREACH(i, c->directories[EXEC_DIRECTORY_RUNTIME].paths) {
e66cf1a3
LP		 3168 _cleanup_free_ char *p;
3169
605405c6 3170 p = strjoin(runtime_prefix, "/", *i);
e66cf1a3
LP		 3171 if (!p)
3172 return -ENOMEM;
3173
3174 /* We execute this synchronously, since we need to be
3175 * sure this is gone when we start the service
3176 * next. */
c6878637 3177 (void) rm_rf(p, REMOVE_ROOT);
e66cf1a3
LP		 3178 }
3179
3180 return 0;
5cb5a6ff
LP		 3181}
3182
43d0fcbd
LP		 3183void exec_command_done(ExecCommand *c) {
3184 assert(c);
3185
a1e58e8e 3186 c->path = mfree(c->path);
43d0fcbd 3187
6796073e 3188 c->argv = strv_free(c->argv);
43d0fcbd
LP		 3189}
3190
3191void exec_command_done_array(ExecCommand *c, unsigned n) {
3192 unsigned i;
3193
3194 for (i = 0; i < n; i++)
3195 exec_command_done(c+i);
3196}
3197
f1acf85a 3198ExecCommand* exec_command_free_list(ExecCommand *c) {
5cb5a6ff
LP		 3199 ExecCommand *i;
3200
3201 while ((i = c)) {
71fda00f 3202 LIST_REMOVE(command, c, i);
43d0fcbd 3203 exec_command_done(i);
5cb5a6ff
LP		 3204 free(i);
3205 }
f1acf85a
ZJS		 3206
3207 return NULL;
5cb5a6ff
LP		 3208}
3209
034c6ed7
LP		 3210void exec_command_free_array(ExecCommand **c, unsigned n) {
3211 unsigned i;
3212
f1acf85a
ZJS		 3213 for (i = 0; i < n; i++)
3214 c[i] = exec_command_free_list(c[i]);
034c6ed7
LP		 3215}
3216
039f0e70 3217typedef struct InvalidEnvInfo {
f2341e0a 3218 Unit *unit;
039f0e70
LP		 3219 const char *path;
3220} InvalidEnvInfo;
3221
3222static void invalid_env(const char *p, void *userdata) {
3223 InvalidEnvInfo *info = userdata;
3224
f2341e0a 3225 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
039f0e70
LP		 3226}
3227
52c239d7
LB		 3228const char* exec_context_fdname(const ExecContext *c, int fd_index) {
3229 assert(c);
3230
3231 switch (fd_index) {
3232 case STDIN_FILENO:
3233 if (c->std_input != EXEC_INPUT_NAMED_FD)
3234 return NULL;
3235 return c->stdio_fdname[STDIN_FILENO] ?: "stdin";
3236 case STDOUT_FILENO:
3237 if (c->std_output != EXEC_OUTPUT_NAMED_FD)
3238 return NULL;
3239 return c->stdio_fdname[STDOUT_FILENO] ?: "stdout";
3240 case STDERR_FILENO:
3241 if (c->std_error != EXEC_OUTPUT_NAMED_FD)
3242 return NULL;
3243 return c->stdio_fdname[STDERR_FILENO] ?: "stderr";
3244 default:
3245 return NULL;
3246 }
3247}
3248
3249int exec_context_named_iofds(Unit *unit, const ExecContext *c, const ExecParameters *p, int named_iofds[3]) {
3250 unsigned i, targets;
56fbd561 3251 const char* stdio_fdname[3];
4c47affc 3252 unsigned n_fds;
52c239d7
LB		 3253
3254 assert(c);
3255 assert(p);
3256
3257 targets = (c->std_input == EXEC_INPUT_NAMED_FD) +
3258 (c->std_output == EXEC_OUTPUT_NAMED_FD) +
3259 (c->std_error == EXEC_OUTPUT_NAMED_FD);
3260
3261 for (i = 0; i < 3; i++)
3262 stdio_fdname[i] = exec_context_fdname(c, i);
3263
4c47affc
FB		 3264 n_fds = p->n_storage_fds + p->n_socket_fds;
3265
3266 for (i = 0; i < n_fds && targets > 0; i++)
56fbd561
ZJS		 3267 if (named_iofds[STDIN_FILENO] < 0 &&
3268 c->std_input == EXEC_INPUT_NAMED_FD &&
3269 stdio_fdname[STDIN_FILENO] &&
3270 streq(p->fd_names[i], stdio_fdname[STDIN_FILENO])) {
3271
52c239d7
LB		 3272 named_iofds[STDIN_FILENO] = p->fds[i];
3273 targets--;
56fbd561
ZJS		 3274
3275 } else if (named_iofds[STDOUT_FILENO] < 0 &&
3276 c->std_output == EXEC_OUTPUT_NAMED_FD &&
3277 stdio_fdname[STDOUT_FILENO] &&
3278 streq(p->fd_names[i], stdio_fdname[STDOUT_FILENO])) {
3279
52c239d7
LB		 3280 named_iofds[STDOUT_FILENO] = p->fds[i];
3281 targets--;
56fbd561
ZJS		 3282
3283 } else if (named_iofds[STDERR_FILENO] < 0 &&
3284 c->std_error == EXEC_OUTPUT_NAMED_FD &&
3285 stdio_fdname[STDERR_FILENO] &&
3286 streq(p->fd_names[i], stdio_fdname[STDERR_FILENO])) {
3287
52c239d7
LB		 3288 named_iofds[STDERR_FILENO] = p->fds[i];
3289 targets--;
3290 }
3291
56fbd561 3292 return targets == 0 ? 0 : -ENOENT;
52c239d7
LB		 3293}
3294
f2341e0a 3295int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
8c7be95e
LP		 3296 char **i, **r = NULL;
3297
3298 assert(c);
3299 assert(l);
3300
3301 STRV_FOREACH(i, c->environment_files) {
3302 char *fn;
52511fae
ZJS		 3303 int k;
3304 unsigned n;
8c7be95e
LP		 3305 bool ignore = false;
3306 char **p;
7fd1b19b 3307 _cleanup_globfree_ glob_t pglob = {};
8c7be95e
LP		 3308
3309 fn = *i;
3310
3311 if (fn[0] == '-') {
3312 ignore = true;
313cefa1 3313 fn++;
8c7be95e
LP		 3314 }
3315
3316 if (!path_is_absolute(fn)) {
8c7be95e
LP		 3317 if (ignore)
3318 continue;
3319
3320 strv_free(r);
3321 return -EINVAL;
3322 }
3323
2bef10ab 3324 /* Filename supports globbing, take all matching files */
d8c92e8b
ZJS		 3325 k = safe_glob(fn, 0, &pglob);
3326 if (k < 0) {
2bef10ab
PL		 3327 if (ignore)
3328 continue;
8c7be95e 3329
2bef10ab 3330 strv_free(r);
d8c92e8b 3331 return k;
2bef10ab 3332 }
8c7be95e 3333
d8c92e8b
ZJS		 3334 /* When we don't match anything, -ENOENT should be returned */
3335 assert(pglob.gl_pathc > 0);
3336
3337 for (n = 0; n < pglob.gl_pathc; n++) {
717603e3 3338 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
2bef10ab
PL		 3339 if (k < 0) {
3340 if (ignore)
3341 continue;
8c7be95e 3342
2bef10ab 3343 strv_free(r);
2bef10ab 3344 return k;
e9c1ea9d 3345 }
ebc05a09 3346 /* Log invalid environment variables with filename */
039f0e70
LP		 3347 if (p) {
3348 InvalidEnvInfo info = {
f2341e0a 3349 .unit = unit,
039f0e70
LP		 3350 .path = pglob.gl_pathv[n]
3351 };
3352
3353 p = strv_env_clean_with_callback(p, invalid_env, &info);
3354 }
8c7be95e 3355
2bef10ab
PL		 3356 if (r == NULL)
3357 r = p;
3358 else {
3359 char **m;
8c7be95e 3360
2bef10ab
PL		 3361 m = strv_env_merge(2, r, p);
3362 strv_free(r);
3363 strv_free(p);
c84a9488 3364 if (!m)
2bef10ab 3365 return -ENOMEM;
2bef10ab
PL		 3366
3367 r = m;
3368 }
8c7be95e
LP		 3369 }
3370 }
3371
3372 *l = r;
3373
3374 return 0;
3375}
3376
6ac8fdc9 3377static bool tty_may_match_dev_console(const char *tty) {
e1d75803 3378 _cleanup_free_ char *active = NULL;
7d6884b6 3379 char *console;
6ac8fdc9 3380
1e22b5cd
LP		 3381 if (!tty)
3382 return true;
3383
6ac8fdc9
MS		 3384 if (startswith(tty, "/dev/"))
3385 tty += 5;
3386
3387 /* trivial identity? */
3388 if (streq(tty, "console"))
3389 return true;
3390
3391 console = resolve_dev_console(&active);
3392 /* if we could not resolve, assume it may */
3393 if (!console)
3394 return true;
3395
3396 /* "tty0" means the active VC, so it may be the same sometimes */
e1d75803 3397 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
6ac8fdc9
MS		 3398}
3399
3400bool exec_context_may_touch_console(ExecContext *ec) {
1e22b5cd
LP		 3401
3402 return (ec->tty_reset ||
3403 ec->tty_vhangup ||
3404 ec->tty_vt_disallocate ||
6ac8fdc9
MS		 3405 is_terminal_input(ec->std_input) ||
3406 is_terminal_output(ec->std_output) ||
3407 is_terminal_output(ec->std_error)) &&
1e22b5cd 3408 tty_may_match_dev_console(exec_context_tty_path(ec));
6ac8fdc9
MS		 3409}
3410
15ae422b
LP		 3411static void strv_fprintf(FILE *f, char **l) {
3412 char **g;
3413
3414 assert(f);
3415
3416 STRV_FOREACH(g, l)
3417 fprintf(f, " %s", *g);
3418}
3419
5cb5a6ff 3420void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
c2bbd90b 3421 char **e, **d;
94f04347 3422 unsigned i;
3536f49e 3423 ExecDirectoryType dt;
add00535 3424 int r;
9eba9da4 3425
5cb5a6ff
LP		 3426 assert(c);
3427 assert(f);
3428
4ad49000 3429 prefix = strempty(prefix);
5cb5a6ff
LP		 3430
3431 fprintf(f,
94f04347
LP		 3432 "%sUMask: %04o\n"
3433 "%sWorkingDirectory: %s\n"
451a074f 3434 "%sRootDirectory: %s\n"
15ae422b 3435 "%sNonBlocking: %s\n"
64747e2d 3436 "%sPrivateTmp: %s\n"
7f112f50 3437 "%sPrivateDevices: %s\n"
59eeb84b 3438 "%sProtectKernelTunables: %s\n"
e66a2f65 3439 "%sProtectKernelModules: %s\n"
59eeb84b 3440 "%sProtectControlGroups: %s\n"
d251207d
LP		 3441 "%sPrivateNetwork: %s\n"
3442 "%sPrivateUsers: %s\n"
1b8689f9
LP		 3443 "%sProtectHome: %s\n"
3444 "%sProtectSystem: %s\n"
5d997827 3445 "%sMountAPIVFS: %s\n"
f3e43635 3446 "%sIgnoreSIGPIPE: %s\n"
f4170c67
LP		 3447 "%sMemoryDenyWriteExecute: %s\n"
3448 "%sRestrictRealtime: %s\n",
5cb5a6ff 3449 prefix, c->umask,
9eba9da4 3450 prefix, c->working_directory ? c->working_directory : "/",
451a074f 3451 prefix, c->root_directory ? c->root_directory : "/",
15ae422b 3452 prefix, yes_no(c->non_blocking),
64747e2d 3453 prefix, yes_no(c->private_tmp),
7f112f50 3454 prefix, yes_no(c->private_devices),
59eeb84b 3455 prefix, yes_no(c->protect_kernel_tunables),
e66a2f65 3456 prefix, yes_no(c->protect_kernel_modules),
59eeb84b 3457 prefix, yes_no(c->protect_control_groups),
d251207d
LP		 3458 prefix, yes_no(c->private_network),
3459 prefix, yes_no(c->private_users),
1b8689f9
LP		 3460 prefix, protect_home_to_string(c->protect_home),
3461 prefix, protect_system_to_string(c->protect_system),
5d997827 3462 prefix, yes_no(c->mount_apivfs),
f3e43635 3463 prefix, yes_no(c->ignore_sigpipe),
f4170c67
LP		 3464 prefix, yes_no(c->memory_deny_write_execute),
3465 prefix, yes_no(c->restrict_realtime));
fb33a393 3466
915e6d16
LP		 3467 if (c->root_image)
3468 fprintf(f, "%sRootImage: %s\n", prefix, c->root_image);
3469
8c7be95e
LP		 3470 STRV_FOREACH(e, c->environment)
3471 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
3472
3473 STRV_FOREACH(e, c->environment_files)
3474 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
94f04347 3475
b4c14404
FB		 3476 STRV_FOREACH(e, c->pass_environment)
3477 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
3478
53f47dfc
YW		 3479 fprintf(f, "%sRuntimeDirectoryPreserve: %s\n", prefix, exec_preserve_mode_to_string(c->runtime_directory_preserve_mode));
3480
3536f49e
YW		 3481 for (dt = 0; dt < _EXEC_DIRECTORY_MAX; dt++) {
3482 fprintf(f, "%s%sMode: %04o\n", prefix, exec_directory_type_to_string(dt), c->directories[dt].mode);
3483
3484 STRV_FOREACH(d, c->directories[dt].paths)
3485 fprintf(f, "%s%s: %s\n", prefix, exec_directory_type_to_string(dt), *d);
3486 }
c2bbd90b 3487
fb33a393
LP		 3488 if (c->nice_set)
3489 fprintf(f,
3490 "%sNice: %i\n",
3491 prefix, c->nice);
3492
dd6c17b1 3493 if (c->oom_score_adjust_set)
fb33a393 3494 fprintf(f,
dd6c17b1
LP		 3495 "%sOOMScoreAdjust: %i\n",
3496 prefix, c->oom_score_adjust);
9eba9da4 3497
94f04347 3498 for (i = 0; i < RLIM_NLIMITS; i++)
3c11da9d
EV		 3499 if (c->rlimit[i]) {
3500 fprintf(f, "%s%s: " RLIM_FMT "\n",
3501 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
3502 fprintf(f, "%s%sSoft: " RLIM_FMT "\n",
3503 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
3504 }
94f04347 3505
f8b69d1d 3506 if (c->ioprio_set) {
1756a011 3507 _cleanup_free_ char *class_str = NULL;
f8b69d1d 3508
1756a011 3509 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
9eba9da4
LP		 3510 fprintf(f,
3511 "%sIOSchedulingClass: %s\n"
3512 "%sIOPriority: %i\n",
f8b69d1d 3513 prefix, strna(class_str),
9eba9da4 3514 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
f8b69d1d 3515 }
94f04347 3516
f8b69d1d 3517 if (c->cpu_sched_set) {
1756a011 3518 _cleanup_free_ char *policy_str = NULL;
f8b69d1d 3519
1756a011 3520 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
94f04347
LP		 3521 fprintf(f,
3522 "%sCPUSchedulingPolicy: %s\n"
38b48754
LP		 3523 "%sCPUSchedulingPriority: %i\n"
3524 "%sCPUSchedulingResetOnFork: %s\n",
f8b69d1d 3525 prefix, strna(policy_str),
38b48754
LP		 3526 prefix, c->cpu_sched_priority,
3527 prefix, yes_no(c->cpu_sched_reset_on_fork));
b929bf04 3528 }
94f04347 3529
82c121a4 3530 if (c->cpuset) {
94f04347 3531 fprintf(f, "%sCPUAffinity:", prefix);
82c121a4
LP		 3532 for (i = 0; i < c->cpuset_ncpus; i++)
3533 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
43a99a7a 3534 fprintf(f, " %u", i);
94f04347
LP		 3535 fputs("\n", f);
3536 }
3537
3a43da28 3538 if (c->timer_slack_nsec != NSEC_INFINITY)
ccd06097 3539 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
94f04347
LP		 3540
3541 fprintf(f,
80876c20
LP		 3542 "%sStandardInput: %s\n"
3543 "%sStandardOutput: %s\n"
3544 "%sStandardError: %s\n",
3545 prefix, exec_input_to_string(c->std_input),
3546 prefix, exec_output_to_string(c->std_output),
3547 prefix, exec_output_to_string(c->std_error));
3548
3549 if (c->tty_path)
3550 fprintf(f,
6ea832a2
LP		 3551 "%sTTYPath: %s\n"
3552 "%sTTYReset: %s\n"
3553 "%sTTYVHangup: %s\n"
3554 "%sTTYVTDisallocate: %s\n",
3555 prefix, c->tty_path,
3556 prefix, yes_no(c->tty_reset),
3557 prefix, yes_no(c->tty_vhangup),
3558 prefix, yes_no(c->tty_vt_disallocate));
94f04347 3559
5ce70e5b
ZJS		 3560 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
3561 c->std_output == EXEC_OUTPUT_KMSG ||
3562 c->std_output == EXEC_OUTPUT_JOURNAL ||
3563 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3564 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3565 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
3566 c->std_error == EXEC_OUTPUT_SYSLOG ||
3567 c->std_error == EXEC_OUTPUT_KMSG ||
3568 c->std_error == EXEC_OUTPUT_JOURNAL ||
3569 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3570 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3571 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
f8b69d1d 3572
5ce70e5b 3573 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
f8b69d1d 3574
5ce70e5b
ZJS		 3575 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
3576 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
f8b69d1d 3577
94f04347
LP		 3578 fprintf(f,
3579 "%sSyslogFacility: %s\n"
3580 "%sSyslogLevel: %s\n",
f8b69d1d
MS		 3581 prefix, strna(fac_str),
3582 prefix, strna(lvl_str));
f8b69d1d 3583 }
94f04347 3584
94f04347
LP		 3585 if (c->secure_bits)
3586 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
3587 prefix,
cbb21cca
ZJS		 3588 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
3589 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
3590 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
3591 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
3592 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
3593 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
94f04347 3594
a103496c 3595 if (c->capability_bounding_set != CAP_ALL) {
ae556c21 3596 unsigned long l;
260abb78 3597 fprintf(f, "%sCapabilityBoundingSet:", prefix);
94f04347 3598
64685e0c 3599 for (l = 0; l <= cap_last_cap(); l++)
a103496c 3600 if (c->capability_bounding_set & (UINT64_C(1) << l))
2822da4f 3601 fprintf(f, " %s", strna(capability_to_name(l)));
94f04347
LP		 3602
3603 fputs("\n", f);
755d4b67
IP		 3604 }
3605
3606 if (c->capability_ambient_set != 0) {
3607 unsigned long l;
3608 fprintf(f, "%sAmbientCapabilities:", prefix);
3609
3610 for (l = 0; l <= cap_last_cap(); l++)
3611 if (c->capability_ambient_set & (UINT64_C(1) << l))
3612 fprintf(f, " %s", strna(capability_to_name(l)));
3613
3614 fputs("\n", f);
94f04347
LP		 3615 }
3616
3617 if (c->user)
f2d3769a 3618 fprintf(f, "%sUser: %s\n", prefix, c->user);
94f04347 3619 if (c->group)
f2d3769a 3620 fprintf(f, "%sGroup: %s\n", prefix, c->group);
94f04347 3621
29206d46
LP		 3622 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
3623
15ae422b 3624 if (strv_length(c->supplementary_groups) > 0) {
94f04347 3625 fprintf(f, "%sSupplementaryGroups:", prefix);
15ae422b
LP		 3626 strv_fprintf(f, c->supplementary_groups);
3627 fputs("\n", f);
3628 }
94f04347 3629
5b6319dc 3630 if (c->pam_name)
f2d3769a 3631 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
5b6319dc 3632
2a624c36
AP		 3633 if (strv_length(c->read_write_paths) > 0) {
3634 fprintf(f, "%sReadWritePaths:", prefix);
3635 strv_fprintf(f, c->read_write_paths);
15ae422b
LP		 3636 fputs("\n", f);
3637 }
3638
2a624c36
AP		 3639 if (strv_length(c->read_only_paths) > 0) {
3640 fprintf(f, "%sReadOnlyPaths:", prefix);
3641 strv_fprintf(f, c->read_only_paths);
15ae422b
LP		 3642 fputs("\n", f);
3643 }
94f04347 3644
2a624c36
AP		 3645 if (strv_length(c->inaccessible_paths) > 0) {
3646 fprintf(f, "%sInaccessiblePaths:", prefix);
3647 strv_fprintf(f, c->inaccessible_paths);
94f04347
LP		 3648 fputs("\n", f);
3649 }
2e22afe9 3650
d2d6c096
LP		 3651 if (c->n_bind_mounts > 0)
3652 for (i = 0; i < c->n_bind_mounts; i++) {
3653 fprintf(f, "%s%s: %s:%s:%s\n", prefix,
3654 c->bind_mounts[i].read_only ? "BindReadOnlyPaths" : "BindPaths",
3655 c->bind_mounts[i].source,
3656 c->bind_mounts[i].destination,
3657 c->bind_mounts[i].recursive ? "rbind" : "norbind");
3658 }
3659
169c1bda
LP		 3660 if (c->utmp_id)
3661 fprintf(f,
3662 "%sUtmpIdentifier: %s\n",
3663 prefix, c->utmp_id);
7b52a628
MS		 3664
3665 if (c->selinux_context)
3666 fprintf(f,
5f8640fb
LP		 3667 "%sSELinuxContext: %s%s\n",
3668 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
17df7223 3669
80c21aea
WC		 3670 if (c->apparmor_profile)
3671 fprintf(f,
3672 "%sAppArmorProfile: %s%s\n",
3673 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
3674
3675 if (c->smack_process_label)
3676 fprintf(f,
3677 "%sSmackProcessLabel: %s%s\n",
3678 prefix, c->smack_process_label_ignore ? "-" : "", c->smack_process_label);
3679
050f7277 3680 if (c->personality != PERSONALITY_INVALID)
ac45f971
LP		 3681 fprintf(f,
3682 "%sPersonality: %s\n",
3683 prefix, strna(personality_to_string(c->personality)));
3684
17df7223 3685 if (c->syscall_filter) {
351a19b1 3686#ifdef HAVE_SECCOMP
17df7223
LP		 3687 Iterator j;
3688 void *id;
3689 bool first = true;
351a19b1 3690#endif
17df7223
LP		 3691
3692 fprintf(f,
57183d11 3693 "%sSystemCallFilter: ",
17df7223
LP		 3694 prefix);
3695
3696 if (!c->syscall_whitelist)
3697 fputc('~', f);
3698
351a19b1 3699#ifdef HAVE_SECCOMP
17df7223
LP		 3700 SET_FOREACH(id, c->syscall_filter, j) {
3701 _cleanup_free_ char *name = NULL;
3702
3703 if (first)
3704 first = false;
3705 else
3706 fputc(' ', f);
3707
57183d11 3708 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
17df7223
LP		 3709 fputs(strna(name), f);
3710 }
351a19b1 3711#endif
17df7223
LP		 3712
3713 fputc('\n', f);
3714 }
3715
57183d11
LP		 3716 if (c->syscall_archs) {
3717#ifdef HAVE_SECCOMP
3718 Iterator j;
3719 void *id;
3720#endif
3721
3722 fprintf(f,
3723 "%sSystemCallArchitectures:",
3724 prefix);
3725
3726#ifdef HAVE_SECCOMP
3727 SET_FOREACH(id, c->syscall_archs, j)
3728 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
3729#endif
3730 fputc('\n', f);
3731 }
3732
add00535
LP		 3733 if (exec_context_restrict_namespaces_set(c)) {
3734 _cleanup_free_ char *s = NULL;
3735
3736 r = namespace_flag_to_string_many(c->restrict_namespaces, &s);
3737 if (r >= 0)
3738 fprintf(f, "%sRestrictNamespaces: %s\n",
3739 prefix, s);
3740 }
3741
b3267152 3742 if (c->syscall_errno > 0)
17df7223
LP		 3743 fprintf(f,
3744 "%sSystemCallErrorNumber: %s\n",
3745 prefix, strna(errno_to_name(c->syscall_errno)));
eef65bf3
MS		 3746
3747 if (c->apparmor_profile)
3748 fprintf(f,
3749 "%sAppArmorProfile: %s%s\n",
3750 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
5cb5a6ff
LP		 3751}
3752
a931ad47
LP		 3753bool exec_context_maintains_privileges(ExecContext *c) {
3754 assert(c);
3755
61233823 3756 /* Returns true if the process forked off would run under
a931ad47
LP		 3757 * an unchanged UID or as root. */
3758
3759 if (!c->user)
3760 return true;
3761
3762 if (streq(c->user, "root") || streq(c->user, "0"))
3763 return true;
3764
3765 return false;
3766}
3767
7f452159
LP		 3768int exec_context_get_effective_ioprio(ExecContext *c) {
3769 int p;
3770
3771 assert(c);
3772
3773 if (c->ioprio_set)
3774 return c->ioprio;
3775
3776 p = ioprio_get(IOPRIO_WHO_PROCESS, 0);
3777 if (p < 0)
3778 return IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 4);
3779
3780 return p;
3781}
3782
b58b4116 3783void exec_status_start(ExecStatus *s, pid_t pid) {
034c6ed7 3784 assert(s);
5cb5a6ff 3785
b58b4116
LP		 3786 zero(*s);
3787 s->pid = pid;
3788 dual_timestamp_get(&s->start_timestamp);
3789}
3790
6ea832a2 3791void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
b58b4116
LP		 3792 assert(s);
3793
0b1f4ae6 3794 if (s->pid && s->pid != pid)
b58b4116
LP		 3795 zero(*s);
3796
034c6ed7 3797 s->pid = pid;
63983207 3798 dual_timestamp_get(&s->exit_timestamp);
9fb86720 3799
034c6ed7
LP		 3800 s->code = code;
3801 s->status = status;
169c1bda 3802
6ea832a2
LP		 3803 if (context) {
3804 if (context->utmp_id)
3805 utmp_put_dead_process(context->utmp_id, pid, code, status);
3806
1e22b5cd 3807 exec_context_tty_reset(context, NULL);
6ea832a2 3808 }
9fb86720
LP		 3809}
3810
3811void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
3812 char buf[FORMAT_TIMESTAMP_MAX];
3813
3814 assert(s);
3815 assert(f);
3816
9fb86720
LP		 3817 if (s->pid <= 0)
3818 return;
3819
4c940960
LP		 3820 prefix = strempty(prefix);
3821
9fb86720 3822 fprintf(f,
ccd06097
ZJS		 3823 "%sPID: "PID_FMT"\n",
3824 prefix, s->pid);
9fb86720 3825
af9d16e1 3826 if (dual_timestamp_is_set(&s->start_timestamp))
9fb86720
LP		 3827 fprintf(f,
3828 "%sStart Timestamp: %s\n",
63983207 3829 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
9fb86720 3830
af9d16e1 3831 if (dual_timestamp_is_set(&s->exit_timestamp))
9fb86720
LP		 3832 fprintf(f,
3833 "%sExit Timestamp: %s\n"
3834 "%sExit Code: %s\n"
3835 "%sExit Status: %i\n",
63983207 3836 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
9fb86720
LP		 3837 prefix, sigchld_code_to_string(s->code),
3838 prefix, s->status);
5cb5a6ff 3839}
44d8db9e 3840
9e2f7c11 3841char *exec_command_line(char **argv) {
44d8db9e
LP		 3842 size_t k;
3843 char *n, *p, **a;
3844 bool first = true;
3845
9e2f7c11 3846 assert(argv);
44d8db9e 3847
9164977d 3848 k = 1;
9e2f7c11 3849 STRV_FOREACH(a, argv)
44d8db9e
LP		 3850 k += strlen(*a)+3;
3851
5cd9cd35
LP		 3852 n = new(char, k);
3853 if (!n)
44d8db9e
LP		 3854 return NULL;
3855
3856 p = n;
9e2f7c11 3857 STRV_FOREACH(a, argv) {
44d8db9e
LP		 3858
3859 if (!first)
3860 *(p++) = ' ';
3861 else
3862 first = false;
3863
3864 if (strpbrk(*a, WHITESPACE)) {
3865 *(p++) = '\'';
3866 p = stpcpy(p, *a);
3867 *(p++) = '\'';
3868 } else
3869 p = stpcpy(p, *a);
3870
3871 }
3872
9164977d
LP		 3873 *p = 0;
3874
44d8db9e
LP		 3875 /* FIXME: this doesn't really handle arguments that have
3876 * spaces and ticks in them */
3877
3878 return n;
3879}
3880
3881void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
e1d75803 3882 _cleanup_free_ char *cmd = NULL;
4c940960 3883 const char *prefix2;
44d8db9e
LP		 3884
3885 assert(c);
3886 assert(f);
3887
4c940960 3888 prefix = strempty(prefix);
63c372cb 3889 prefix2 = strjoina(prefix, "\t");
44d8db9e 3890
9e2f7c11 3891 cmd = exec_command_line(c->argv);
44d8db9e
LP		 3892 fprintf(f,
3893 "%sCommand Line: %s\n",
3894 prefix, cmd ? cmd : strerror(ENOMEM));
3895
9fb86720 3896 exec_status_dump(&c->exec_status, f, prefix2);
44d8db9e
LP		 3897}
3898
3899void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
3900 assert(f);
3901
4c940960 3902 prefix = strempty(prefix);
44d8db9e
LP		 3903
3904 LIST_FOREACH(command, c, c)
3905 exec_command_dump(c, f, prefix);
3906}
94f04347 3907
a6a80b4f
LP		 3908void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
3909 ExecCommand *end;
3910
3911 assert(l);
3912 assert(e);
3913
3914 if (*l) {
35b8ca3a 3915 /* It's kind of important, that we keep the order here */
71fda00f
LP		 3916 LIST_FIND_TAIL(command, *l, end);
3917 LIST_INSERT_AFTER(command, *l, end, e);
a6a80b4f
LP		 3918 } else
3919 *l = e;
3920}
3921
26fd040d
LP		 3922int exec_command_set(ExecCommand *c, const char *path, ...) {
3923 va_list ap;
3924 char **l, *p;
3925
3926 assert(c);
3927 assert(path);
3928
3929 va_start(ap, path);
3930 l = strv_new_ap(path, ap);
3931 va_end(ap);
3932
3933 if (!l)
3934 return -ENOMEM;
3935
250a918d
LP		 3936 p = strdup(path);
3937 if (!p) {
26fd040d
LP		 3938 strv_free(l);
3939 return -ENOMEM;
3940 }
3941
3942 free(c->path);
3943 c->path = p;
3944
3945 strv_free(c->argv);
3946 c->argv = l;
3947
3948 return 0;
3949}
3950
86b23b07 3951int exec_command_append(ExecCommand *c, const char *path, ...) {
e63ff941 3952 _cleanup_strv_free_ char **l = NULL;
86b23b07 3953 va_list ap;
86b23b07
JS		 3954 int r;
3955
3956 assert(c);
3957 assert(path);
3958
3959 va_start(ap, path);
3960 l = strv_new_ap(path, ap);
3961 va_end(ap);
3962
3963 if (!l)
3964 return -ENOMEM;
3965
e287086b 3966 r = strv_extend_strv(&c->argv, l, false);
e63ff941 3967 if (r < 0)
86b23b07 3968 return r;
86b23b07
JS		 3969
3970 return 0;
3971}
3972
3973
613b411c
LP		 3974static int exec_runtime_allocate(ExecRuntime **rt) {
3975
3976 if (*rt)
3977 return 0;
3978
3979 *rt = new0(ExecRuntime, 1);
f146f5e1 3980 if (!*rt)
613b411c
LP		 3981 return -ENOMEM;
3982
3983 (*rt)->n_ref = 1;
3984 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
3985
3986 return 0;
3987}
3988
3989int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
3990 int r;
3991
3992 assert(rt);
3993 assert(c);
3994 assert(id);
3995
3996 if (*rt)
3997 return 1;
3998
3999 if (!c->private_network && !c->private_tmp)
4000 return 0;
4001
4002 r = exec_runtime_allocate(rt);
4003 if (r < 0)
4004 return r;
4005
4006 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
33df919d 4007 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, (*rt)->netns_storage_socket) < 0)
613b411c
LP		 4008 return -errno;
4009 }
4010
4011 if (c->private_tmp && !(*rt)->tmp_dir) {
4012 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
4013 if (r < 0)
4014 return r;
4015 }
4016
4017 return 1;
4018}
4019
4020ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
4021 assert(r);
4022 assert(r->n_ref > 0);
4023
4024 r->n_ref++;
4025 return r;
4026}
4027
4028ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
4029
4030 if (!r)
4031 return NULL;
4032
4033 assert(r->n_ref > 0);
4034
4035 r->n_ref--;
f2341e0a
LP		 4036 if (r->n_ref > 0)
4037 return NULL;
4038
4039 free(r->tmp_dir);
4040 free(r->var_tmp_dir);
4041 safe_close_pair(r->netns_storage_socket);
6b430fdb 4042 return mfree(r);
613b411c
LP		 4043}
4044
f2341e0a 4045int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
613b411c
LP		 4046 assert(u);
4047 assert(f);
4048 assert(fds);
4049
4050 if (!rt)
4051 return 0;
4052
4053 if (rt->tmp_dir)
4054 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
4055
4056 if (rt->var_tmp_dir)
4057 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
4058
4059 if (rt->netns_storage_socket[0] >= 0) {
4060 int copy;
4061
4062 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
4063 if (copy < 0)
4064 return copy;
4065
4066 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
4067 }
4068
4069 if (rt->netns_storage_socket[1] >= 0) {
4070 int copy;
4071
4072 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
4073 if (copy < 0)
4074 return copy;
4075
4076 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
4077 }
4078
4079 return 0;
4080}
4081
f2341e0a 4082int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
613b411c
LP		 4083 int r;
4084
4085 assert(rt);
4086 assert(key);
4087 assert(value);
4088
4089 if (streq(key, "tmp-dir")) {
4090 char *copy;
4091
4092 r = exec_runtime_allocate(rt);
4093 if (r < 0)
f2341e0a 4094 return log_oom();
613b411c
LP		 4095
4096 copy = strdup(value);
4097 if (!copy)
4098 return log_oom();
4099
4100 free((*rt)->tmp_dir);
4101 (*rt)->tmp_dir = copy;
4102
4103 } else if (streq(key, "var-tmp-dir")) {
4104 char *copy;
4105
4106 r = exec_runtime_allocate(rt);
4107 if (r < 0)
f2341e0a 4108 return log_oom();
613b411c
LP		 4109
4110 copy = strdup(value);
4111 if (!copy)
4112 return log_oom();
4113
4114 free((*rt)->var_tmp_dir);
4115 (*rt)->var_tmp_dir = copy;
4116
4117 } else if (streq(key, "netns-socket-0")) {
4118 int fd;
4119
4120 r = exec_runtime_allocate(rt);
4121 if (r < 0)
f2341e0a 4122 return log_oom();
613b411c
LP		 4123
4124 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
f2341e0a 4125 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
613b411c 4126 else {
03e334a1 4127 safe_close((*rt)->netns_storage_socket[0]);
613b411c
LP		 4128 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
4129 }
4130 } else if (streq(key, "netns-socket-1")) {
4131 int fd;
4132
4133 r = exec_runtime_allocate(rt);
4134 if (r < 0)
f2341e0a 4135 return log_oom();
613b411c
LP		 4136
4137 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
f2341e0a 4138 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
613b411c 4139 else {
03e334a1 4140 safe_close((*rt)->netns_storage_socket[1]);
613b411c
LP		 4141 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
4142 }
4143 } else
4144 return 0;
4145
4146 return 1;
4147}
4148
4149static void *remove_tmpdir_thread(void *p) {
4150 _cleanup_free_ char *path = p;
4151
c6878637 4152 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
613b411c
LP		 4153 return NULL;
4154}
4155
4156void exec_runtime_destroy(ExecRuntime *rt) {
98b47d54
LP		 4157 int r;
4158
613b411c
LP		 4159 if (!rt)
4160 return;
4161
4162 /* If there are multiple users of this, let's leave the stuff around */
4163 if (rt->n_ref > 1)
4164 return;
4165
4166 if (rt->tmp_dir) {
4167 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
98b47d54
LP		 4168
4169 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
4170 if (r < 0) {
da927ba9 4171 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
98b47d54
LP		 4172 free(rt->tmp_dir);
4173 }
4174
613b411c
LP		 4175 rt->tmp_dir = NULL;
4176 }
4177
4178 if (rt->var_tmp_dir) {
4179 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
98b47d54
LP		 4180
4181 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
4182 if (r < 0) {
da927ba9 4183 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
98b47d54
LP		 4184 free(rt->var_tmp_dir);
4185 }
4186
613b411c
LP		 4187 rt->var_tmp_dir = NULL;
4188 }
4189
3d94f76c 4190 safe_close_pair(rt->netns_storage_socket);
613b411c
LP		 4191}
4192
80876c20
LP		 4193static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
4194 [EXEC_INPUT_NULL] = "null",
4195 [EXEC_INPUT_TTY] = "tty",
4196 [EXEC_INPUT_TTY_FORCE] = "tty-force",
4f2d528d 4197 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
52c239d7
LB		 4198 [EXEC_INPUT_SOCKET] = "socket",
4199 [EXEC_INPUT_NAMED_FD] = "fd",
80876c20
LP		 4200};
4201
8a0867d6
LP		 4202DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
4203
94f04347 4204static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
80876c20 4205 [EXEC_OUTPUT_INHERIT] = "inherit",
94f04347 4206 [EXEC_OUTPUT_NULL] = "null",
80876c20 4207 [EXEC_OUTPUT_TTY] = "tty",
94f04347 4208 [EXEC_OUTPUT_SYSLOG] = "syslog",
28dbc1e8 4209 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
9a6bca7a 4210 [EXEC_OUTPUT_KMSG] = "kmsg",
28dbc1e8 4211 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
706343f4
LP		 4212 [EXEC_OUTPUT_JOURNAL] = "journal",
4213 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
52c239d7
LB		 4214 [EXEC_OUTPUT_SOCKET] = "socket",
4215 [EXEC_OUTPUT_NAMED_FD] = "fd",
94f04347
LP		 4216};
4217
4218DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
023a4f67
LP		 4219
4220static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
4221 [EXEC_UTMP_INIT] = "init",
4222 [EXEC_UTMP_LOGIN] = "login",
4223 [EXEC_UTMP_USER] = "user",
4224};
4225
4226DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
53f47dfc
YW		 4227
4228static const char* const exec_preserve_mode_table[_EXEC_PRESERVE_MODE_MAX] = {
4229 [EXEC_PRESERVE_NO] = "no",
4230 [EXEC_PRESERVE_YES] = "yes",
4231 [EXEC_PRESERVE_RESTART] = "restart",
4232};
4233
4234DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(exec_preserve_mode, ExecPreserveMode, EXEC_PRESERVE_YES);
3536f49e
YW		 4235
4236static const char* const exec_directory_type_table[_EXEC_DIRECTORY_MAX] = {
4237 [EXEC_DIRECTORY_RUNTIME] = "RuntimeDirectory",
4238 [EXEC_DIRECTORY_STATE] = "StateDirectory",
4239 [EXEC_DIRECTORY_CACHE] = "CacheDirectory",
4240 [EXEC_DIRECTORY_LOGS] = "LogsDirectory",
4241 [EXEC_DIRECTORY_CONFIGURATION] = "ConfigurationDirectory",
4242};
4243
4244DEFINE_STRING_TABLE_LOOKUP(exec_directory_type, ExecDirectoryType);
Unnamed repository; edit this file 'description' to name the repository.