]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/core/execute.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add parser and printer for coredump filter mask
[thirdparty/systemd.git] / src / core / execute.c
CommitLineData
53e1b683 1/* SPDX-License-Identifier: LGPL-2.1+ */
a7334b09 2
034c6ed7
LP		 3#include <errno.h>
4#include <fcntl.h>
8dd4c05b 5#include <poll.h>
d251207d 6#include <sys/eventfd.h>
f5947a5e 7#include <sys/ioctl.h>
f3e43635 8#include <sys/mman.h>
8dd4c05b 9#include <sys/personality.h>
94f04347 10#include <sys/prctl.h>
d2ffa389 11#include <sys/shm.h>
d2ffa389 12#include <sys/types.h>
8dd4c05b
LP		 13#include <sys/un.h>
14#include <unistd.h>
023a4f67 15#include <utmpx.h>
5cb5a6ff 16
349cc4a5 17#if HAVE_PAM
5b6319dc
LP		 18#include <security/pam_appl.h>
19#endif
20
349cc4a5 21#if HAVE_SELINUX
7b52a628
MS		 22#include <selinux/selinux.h>
23#endif
24
349cc4a5 25#if HAVE_SECCOMP
17df7223
LP		 26#include <seccomp.h>
27#endif
28
349cc4a5 29#if HAVE_APPARMOR
eef65bf3
MS		 30#include <sys/apparmor.h>
31#endif
32
24882e06 33#include "sd-messages.h"
8dd4c05b
LP		 34
35#include "af-list.h"
b5efdb8a 36#include "alloc-util.h"
349cc4a5 37#if HAVE_APPARMOR
3ffd4af2
LP		 38#include "apparmor-util.h"
39#endif
8dd4c05b
LP		 40#include "async.h"
41#include "barrier.h"
8dd4c05b 42#include "cap-list.h"
430f0182 43#include "capability-util.h"
a1164ae3 44#include "chown-recursive.h"
fdb3deca 45#include "cgroup-setup.h"
da681e1b 46#include "cpu-set-util.h"
f6a6225e 47#include "def.h"
686d13b9 48#include "env-file.h"
4d1a6904 49#include "env-util.h"
17df7223 50#include "errno-list.h"
3ffd4af2 51#include "execute.h"
8dd4c05b 52#include "exit-status.h"
3ffd4af2 53#include "fd-util.h"
f97b34a6 54#include "format-util.h"
f4f15635 55#include "fs-util.h"
7d50b32a 56#include "glob-util.h"
c004493c 57#include "io-util.h"
8dd4c05b 58#include "ioprio.h"
a1164ae3 59#include "label.h"
8dd4c05b
LP		 60#include "log.h"
61#include "macro.h"
e8a565cb 62#include "manager.h"
0a970718 63#include "memory-util.h"
f5947a5e 64#include "missing_fs.h"
8dd4c05b
LP		 65#include "mkdir.h"
66#include "namespace.h"
6bedfcbb 67#include "parse-util.h"
8dd4c05b 68#include "path-util.h"
0b452006 69#include "process-util.h"
78f22b97 70#include "rlimit-util.h"
8dd4c05b 71#include "rm-rf.h"
349cc4a5 72#if HAVE_SECCOMP
3ffd4af2
LP		 73#include "seccomp-util.h"
74#endif
07d46372 75#include "securebits-util.h"
8dd4c05b 76#include "selinux-util.h"
24882e06 77#include "signal-util.h"
8dd4c05b 78#include "smack-util.h"
57b7a260 79#include "socket-util.h"
fd63e712 80#include "special.h"
949befd3 81#include "stat-util.h"
8b43440b 82#include "string-table.h"
07630cea 83#include "string-util.h"
8dd4c05b 84#include "strv.h"
7ccbd1ae 85#include "syslog-util.h"
8dd4c05b 86#include "terminal-util.h"
566b7d23 87#include "umask-util.h"
8dd4c05b 88#include "unit.h"
b1d4f8e1 89#include "user-util.h"
8dd4c05b 90#include "utmp-wtmp.h"
5cb5a6ff 91
e056b01d 92#define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
31a7eb86 93#define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
e6a26745 94
531dca78
LP		 95#define SNDBUF_SIZE (8*1024*1024)
96
da6053d0 97static int shift_fds(int fds[], size_t n_fds) {
034c6ed7
LP		 98 int start, restart_from;
99
100 if (n_fds <= 0)
101 return 0;
102
a0d40ac5
LP		 103 /* Modifies the fds array! (sorts it) */
104
034c6ed7
LP		 105 assert(fds);
106
107 start = 0;
108 for (;;) {
109 int i;
110
111 restart_from = -1;
112
113 for (i = start; i < (int) n_fds; i++) {
114 int nfd;
115
116 /* Already at right index? */
117 if (fds[i] == i+3)
118 continue;
119
3cc2aff1
LP		 120 nfd = fcntl(fds[i], F_DUPFD, i + 3);
121 if (nfd < 0)
034c6ed7
LP		 122 return -errno;
123
03e334a1 124 safe_close(fds[i]);
034c6ed7
LP		 125 fds[i] = nfd;
126
127 /* Hmm, the fd we wanted isn't free? Then
ee33e53a 128 * let's remember that and try again from here */
034c6ed7
LP		 129 if (nfd != i+3 && restart_from < 0)
130 restart_from = i;
131 }
132
133 if (restart_from < 0)
134 break;
135
136 start = restart_from;
137 }
138
139 return 0;
140}
141
25b583d7 142static int flags_fds(const int fds[], size_t n_socket_fds, size_t n_storage_fds, bool nonblock) {
da6053d0 143 size_t i, n_fds;
e2c76839 144 int r;
47a71eed 145
25b583d7 146 n_fds = n_socket_fds + n_storage_fds;
47a71eed
LP		 147 if (n_fds <= 0)
148 return 0;
149
150 assert(fds);
151
9b141911
FB		 152 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags.
153 * O_NONBLOCK only applies to socket activation though. */
47a71eed
LP		 154
155 for (i = 0; i < n_fds; i++) {
47a71eed 156
9b141911
FB		 157 if (i < n_socket_fds) {
158 r = fd_nonblock(fds[i], nonblock);
159 if (r < 0)
160 return r;
161 }
47a71eed 162
451a074f
LP		 163 /* We unconditionally drop FD_CLOEXEC from the fds,
164 * since after all we want to pass these fds to our
165 * children */
47a71eed 166
3cc2aff1
LP		 167 r = fd_cloexec(fds[i], false);
168 if (r < 0)
e2c76839 169 return r;
47a71eed
LP		 170 }
171
172 return 0;
173}
174
1e22b5cd 175static const char *exec_context_tty_path(const ExecContext *context) {
80876c20
LP		 176 assert(context);
177
1e22b5cd
LP		 178 if (context->stdio_as_fds)
179 return NULL;
180
80876c20
LP		 181 if (context->tty_path)
182 return context->tty_path;
183
184 return "/dev/console";
185}
186
1e22b5cd
LP		 187static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
188 const char *path;
189
6ea832a2
LP		 190 assert(context);
191
1e22b5cd 192 path = exec_context_tty_path(context);
6ea832a2 193
1e22b5cd
LP		 194 if (context->tty_vhangup) {
195 if (p && p->stdin_fd >= 0)
196 (void) terminal_vhangup_fd(p->stdin_fd);
197 else if (path)
198 (void) terminal_vhangup(path);
199 }
6ea832a2 200
1e22b5cd
LP		 201 if (context->tty_reset) {
202 if (p && p->stdin_fd >= 0)
203 (void) reset_terminal_fd(p->stdin_fd, true);
204 else if (path)
205 (void) reset_terminal(path);
206 }
207
208 if (context->tty_vt_disallocate && path)
209 (void) vt_disallocate(path);
6ea832a2
LP		 210}
211
6af760f3
LP		 212static bool is_terminal_input(ExecInput i) {
213 return IN_SET(i,
214 EXEC_INPUT_TTY,
215 EXEC_INPUT_TTY_FORCE,
216 EXEC_INPUT_TTY_FAIL);
217}
218
3a1286b6 219static bool is_terminal_output(ExecOutput o) {
6af760f3
LP		 220 return IN_SET(o,
221 EXEC_OUTPUT_TTY,
222 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
223 EXEC_OUTPUT_KMSG_AND_CONSOLE,
224 EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
225}
226
aac8c0c3
LP		 227static bool is_syslog_output(ExecOutput o) {
228 return IN_SET(o,
229 EXEC_OUTPUT_SYSLOG,
230 EXEC_OUTPUT_SYSLOG_AND_CONSOLE);
231}
232
233static bool is_kmsg_output(ExecOutput o) {
234 return IN_SET(o,
235 EXEC_OUTPUT_KMSG,
236 EXEC_OUTPUT_KMSG_AND_CONSOLE);
237}
238
6af760f3
LP		 239static bool exec_context_needs_term(const ExecContext *c) {
240 assert(c);
241
242 /* Return true if the execution context suggests we should set $TERM to something useful. */
243
244 if (is_terminal_input(c->std_input))
245 return true;
246
247 if (is_terminal_output(c->std_output))
248 return true;
249
250 if (is_terminal_output(c->std_error))
251 return true;
252
253 return !!c->tty_path;
3a1286b6
MS		 254}
255
80876c20 256static int open_null_as(int flags, int nfd) {
046a82c1 257 int fd;
071830ff 258
80876c20 259 assert(nfd >= 0);
071830ff 260
613b411c
LP		 261 fd = open("/dev/null", flags|O_NOCTTY);
262 if (fd < 0)
071830ff
LP		 263 return -errno;
264
046a82c1 265 return move_fd(fd, nfd, false);
071830ff
LP		 266}
267
91dd5f7c
LP		 268static int connect_journal_socket(
269 int fd,
270 const char *log_namespace,
271 uid_t uid,
272 gid_t gid) {
273
f36a9d59
ZJS		 274 union sockaddr_union sa;
275 socklen_t sa_len;
524daa8c
ZJS		 276 uid_t olduid = UID_INVALID;
277 gid_t oldgid = GID_INVALID;
91dd5f7c 278 const char *j;
524daa8c
ZJS		 279 int r;
280
91dd5f7c
LP		 281 j = log_namespace ?
282 strjoina("/run/systemd/journal.", log_namespace, "/stdout") :
283 "/run/systemd/journal/stdout";
284 r = sockaddr_un_set_path(&sa.un, j);
285 if (r < 0)
286 return r;
f36a9d59 287 sa_len = r;
91dd5f7c 288
cad93f29 289 if (gid_is_valid(gid)) {
524daa8c
ZJS		 290 oldgid = getgid();
291
92a17af9 292 if (setegid(gid) < 0)
524daa8c
ZJS		 293 return -errno;
294 }
295
cad93f29 296 if (uid_is_valid(uid)) {
524daa8c
ZJS		 297 olduid = getuid();
298
92a17af9 299 if (seteuid(uid) < 0) {
524daa8c
ZJS		 300 r = -errno;
301 goto restore_gid;
302 }
303 }
304
f36a9d59 305 r = connect(fd, &sa.sa, sa_len) < 0 ? -errno : 0;
524daa8c
ZJS		 306
307 /* If we fail to restore the uid or gid, things will likely
308 fail later on. This should only happen if an LSM interferes. */
309
cad93f29 310 if (uid_is_valid(uid))
524daa8c
ZJS		 311 (void) seteuid(olduid);
312
313 restore_gid:
cad93f29 314 if (gid_is_valid(gid))
524daa8c
ZJS		 315 (void) setegid(oldgid);
316
317 return r;
318}
319
fd1f9c89 320static int connect_logger_as(
34cf6c43 321 const Unit *unit,
fd1f9c89 322 const ExecContext *context,
af635cf3 323 const ExecParameters *params,
fd1f9c89
LP		 324 ExecOutput output,
325 const char *ident,
fd1f9c89
LP		 326 int nfd,
327 uid_t uid,
328 gid_t gid) {
329
2ac1ff68
EV		 330 _cleanup_close_ int fd = -1;
331 int r;
071830ff
LP		 332
333 assert(context);
af635cf3 334 assert(params);
80876c20
LP		 335 assert(output < _EXEC_OUTPUT_MAX);
336 assert(ident);
337 assert(nfd >= 0);
071830ff 338
54fe0cdb
LP		 339 fd = socket(AF_UNIX, SOCK_STREAM, 0);
340 if (fd < 0)
80876c20 341 return -errno;
071830ff 342
91dd5f7c 343 r = connect_journal_socket(fd, context->log_namespace, uid, gid);
524daa8c
ZJS		 344 if (r < 0)
345 return r;
071830ff 346
2ac1ff68 347 if (shutdown(fd, SHUT_RD) < 0)
80876c20 348 return -errno;
071830ff 349
fd1f9c89 350 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
531dca78 351
2ac1ff68 352 if (dprintf(fd,
62bca2c6 353 "%s\n"
80876c20
LP		 354 "%s\n"
355 "%i\n"
54fe0cdb
LP		 356 "%i\n"
357 "%i\n"
358 "%i\n"
4f4a1dbf 359 "%i\n",
c867611e 360 context->syslog_identifier ?: ident,
af635cf3 361 params->flags & EXEC_PASS_LOG_UNIT ? unit->id : "",
54fe0cdb
LP		 362 context->syslog_priority,
363 !!context->syslog_level_prefix,
aac8c0c3
LP		 364 is_syslog_output(output),
365 is_kmsg_output(output),
2ac1ff68
EV		 366 is_terminal_output(output)) < 0)
367 return -errno;
80876c20 368
2ac1ff68 369 return move_fd(TAKE_FD(fd), nfd, false);
80876c20 370}
2ac1ff68 371
3a274a21 372static int open_terminal_as(const char *path, int flags, int nfd) {
046a82c1 373 int fd;
071830ff 374
80876c20
LP		 375 assert(path);
376 assert(nfd >= 0);
fd1f9c89 377
3a274a21 378 fd = open_terminal(path, flags | O_NOCTTY);
3cc2aff1 379 if (fd < 0)
80876c20 380 return fd;
071830ff 381
046a82c1 382 return move_fd(fd, nfd, false);
80876c20 383}
071830ff 384
2038c3f5 385static int acquire_path(const char *path, int flags, mode_t mode) {
86fca584
ZJS		 386 union sockaddr_union sa;
387 socklen_t sa_len;
15a3e96f 388 _cleanup_close_ int fd = -1;
86fca584 389 int r;
071830ff 390
80876c20 391 assert(path);
071830ff 392
2038c3f5
LP		 393 if (IN_SET(flags & O_ACCMODE, O_WRONLY, O_RDWR))
394 flags |= O_CREAT;
395
396 fd = open(path, flags|O_NOCTTY, mode);
397 if (fd >= 0)
15a3e96f 398 return TAKE_FD(fd);
071830ff 399
2038c3f5
LP		 400 if (errno != ENXIO) /* ENXIO is returned when we try to open() an AF_UNIX file system socket on Linux */
401 return -errno;
2038c3f5
LP		 402
403 /* So, it appears the specified path could be an AF_UNIX socket. Let's see if we can connect to it. */
404
86fca584
ZJS		 405 r = sockaddr_un_set_path(&sa.un, path);
406 if (r < 0)
407 return r == -EINVAL ? -ENXIO : r;
408 sa_len = r;
409
2038c3f5
LP		 410 fd = socket(AF_UNIX, SOCK_STREAM, 0);
411 if (fd < 0)
412 return -errno;
413
86fca584 414 if (connect(fd, &sa.sa, sa_len) < 0)
2038c3f5
LP		 415 return errno == EINVAL ? -ENXIO : -errno; /* Propagate initial error if we get EINVAL, i.e. we have
416 * indication that his wasn't an AF_UNIX socket after all */
071830ff 417
2038c3f5
LP		 418 if ((flags & O_ACCMODE) == O_RDONLY)
419 r = shutdown(fd, SHUT_WR);
420 else if ((flags & O_ACCMODE) == O_WRONLY)
421 r = shutdown(fd, SHUT_RD);
422 else
86fca584 423 r = 0;
15a3e96f 424 if (r < 0)
2038c3f5 425 return -errno;
2038c3f5 426
15a3e96f 427 return TAKE_FD(fd);
80876c20 428}
071830ff 429
08f3be7a
LP		 430static int fixup_input(
431 const ExecContext *context,
432 int socket_fd,
433 bool apply_tty_stdin) {
434
435 ExecInput std_input;
436
437 assert(context);
438
439 std_input = context->std_input;
1e3ad081
LP		 440
441 if (is_terminal_input(std_input) && !apply_tty_stdin)
442 return EXEC_INPUT_NULL;
071830ff 443
03fd9c49 444 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 445 return EXEC_INPUT_NULL;
446
08f3be7a
LP		 447 if (std_input == EXEC_INPUT_DATA && context->stdin_data_size == 0)
448 return EXEC_INPUT_NULL;
449
03fd9c49 450 return std_input;
4f2d528d
LP		 451}
452
03fd9c49 453static int fixup_output(ExecOutput std_output, int socket_fd) {
4f2d528d 454
03fd9c49 455 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 456 return EXEC_OUTPUT_INHERIT;
457
03fd9c49 458 return std_output;
4f2d528d
LP		 459}
460
a34ceba6
LP		 461static int setup_input(
462 const ExecContext *context,
463 const ExecParameters *params,
52c239d7 464 int socket_fd,
2caa38e9 465 const int named_iofds[static 3]) {
a34ceba6 466
4f2d528d
LP		 467 ExecInput i;
468
469 assert(context);
a34ceba6 470 assert(params);
2caa38e9 471 assert(named_iofds);
a34ceba6
LP		 472
473 if (params->stdin_fd >= 0) {
474 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
475 return -errno;
476
477 /* Try to make this the controlling tty, if it is a tty, and reset it */
1fb0682e
LP		 478 if (isatty(STDIN_FILENO)) {
479 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
480 (void) reset_terminal_fd(STDIN_FILENO, true);
481 }
a34ceba6
LP		 482
483 return STDIN_FILENO;
484 }
4f2d528d 485
08f3be7a 486 i = fixup_input(context, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
4f2d528d
LP		 487
488 switch (i) {
071830ff 489
80876c20
LP		 490 case EXEC_INPUT_NULL:
491 return open_null_as(O_RDONLY, STDIN_FILENO);
492
493 case EXEC_INPUT_TTY:
494 case EXEC_INPUT_TTY_FORCE:
495 case EXEC_INPUT_TTY_FAIL: {
046a82c1 496 int fd;
071830ff 497
1e22b5cd 498 fd = acquire_terminal(exec_context_tty_path(context),
8854d795
LP		 499 i == EXEC_INPUT_TTY_FAIL ? ACQUIRE_TERMINAL_TRY :
500 i == EXEC_INPUT_TTY_FORCE ? ACQUIRE_TERMINAL_FORCE :
501 ACQUIRE_TERMINAL_WAIT,
3a43da28 502 USEC_INFINITY);
970edce6 503 if (fd < 0)
80876c20
LP		 504 return fd;
505
046a82c1 506 return move_fd(fd, STDIN_FILENO, false);
80876c20
LP		 507 }
508
4f2d528d 509 case EXEC_INPUT_SOCKET:
e75a9ed1
LP		 510 assert(socket_fd >= 0);
511
4f2d528d
LP		 512 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
513
52c239d7 514 case EXEC_INPUT_NAMED_FD:
e75a9ed1
LP		 515 assert(named_iofds[STDIN_FILENO] >= 0);
516
52c239d7
LB		 517 (void) fd_nonblock(named_iofds[STDIN_FILENO], false);
518 return dup2(named_iofds[STDIN_FILENO], STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
519
08f3be7a
LP		 520 case EXEC_INPUT_DATA: {
521 int fd;
522
523 fd = acquire_data_fd(context->stdin_data, context->stdin_data_size, 0);
524 if (fd < 0)
525 return fd;
526
527 return move_fd(fd, STDIN_FILENO, false);
528 }
529
2038c3f5
LP		 530 case EXEC_INPUT_FILE: {
531 bool rw;
532 int fd;
533
534 assert(context->stdio_file[STDIN_FILENO]);
535
536 rw = (context->std_output == EXEC_OUTPUT_FILE && streq_ptr(context->stdio_file[STDIN_FILENO], context->stdio_file[STDOUT_FILENO])) ||
537 (context->std_error == EXEC_OUTPUT_FILE && streq_ptr(context->stdio_file[STDIN_FILENO], context->stdio_file[STDERR_FILENO]));
538
539 fd = acquire_path(context->stdio_file[STDIN_FILENO], rw ? O_RDWR : O_RDONLY, 0666 & ~context->umask);
540 if (fd < 0)
541 return fd;
542
543 return move_fd(fd, STDIN_FILENO, false);
544 }
545
80876c20
LP		 546 default:
547 assert_not_reached("Unknown input type");
548 }
549}
550
41fc585a
LP		 551static bool can_inherit_stderr_from_stdout(
552 const ExecContext *context,
553 ExecOutput o,
554 ExecOutput e) {
555
556 assert(context);
557
558 /* Returns true, if given the specified STDERR and STDOUT output we can directly dup() the stdout fd to the
559 * stderr fd */
560
561 if (e == EXEC_OUTPUT_INHERIT)
562 return true;
563 if (e != o)
564 return false;
565
566 if (e == EXEC_OUTPUT_NAMED_FD)
567 return streq_ptr(context->stdio_fdname[STDOUT_FILENO], context->stdio_fdname[STDERR_FILENO]);
568
569 if (IN_SET(e, EXEC_OUTPUT_FILE, EXEC_OUTPUT_FILE_APPEND))
570 return streq_ptr(context->stdio_file[STDOUT_FILENO], context->stdio_file[STDERR_FILENO]);
571
572 return true;
573}
574
a34ceba6 575static int setup_output(
34cf6c43 576 const Unit *unit,
a34ceba6
LP		 577 const ExecContext *context,
578 const ExecParameters *params,
579 int fileno,
580 int socket_fd,
2caa38e9 581 const int named_iofds[static 3],
a34ceba6 582 const char *ident,
7bce046b
LP		 583 uid_t uid,
584 gid_t gid,
585 dev_t *journal_stream_dev,
586 ino_t *journal_stream_ino) {
a34ceba6 587
4f2d528d
LP		 588 ExecOutput o;
589 ExecInput i;
47c1d80d 590 int r;
4f2d528d 591
f2341e0a 592 assert(unit);
80876c20 593 assert(context);
a34ceba6 594 assert(params);
80876c20 595 assert(ident);
7bce046b
LP		 596 assert(journal_stream_dev);
597 assert(journal_stream_ino);
80876c20 598
a34ceba6
LP		 599 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
600
601 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
602 return -errno;
603
604 return STDOUT_FILENO;
605 }
606
607 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
608 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
609 return -errno;
610
611 return STDERR_FILENO;
612 }
613
08f3be7a 614 i = fixup_input(context, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
03fd9c49 615 o = fixup_output(context->std_output, socket_fd);
4f2d528d 616
eb17e935
MS		 617 if (fileno == STDERR_FILENO) {
618 ExecOutput e;
619 e = fixup_output(context->std_error, socket_fd);
80876c20 620
eb17e935
MS		 621 /* This expects the input and output are already set up */
622
623 /* Don't change the stderr file descriptor if we inherit all
624 * the way and are not on a tty */
625 if (e == EXEC_OUTPUT_INHERIT &&
626 o == EXEC_OUTPUT_INHERIT &&
627 i == EXEC_INPUT_NULL &&
628 !is_terminal_input(context->std_input) &&
629 getppid () != 1)
630 return fileno;
631
632 /* Duplicate from stdout if possible */
41fc585a 633 if (can_inherit_stderr_from_stdout(context, o, e))
eb17e935 634 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 635
eb17e935 636 o = e;
80876c20 637
eb17e935 638 } else if (o == EXEC_OUTPUT_INHERIT) {
21d21ea4
LP		 639 /* If input got downgraded, inherit the original value */
640 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
1e22b5cd 641 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
21d21ea4 642
08f3be7a
LP		 643 /* If the input is connected to anything that's not a /dev/null or a data fd, inherit that... */
644 if (!IN_SET(i, EXEC_INPUT_NULL, EXEC_INPUT_DATA))
eb17e935 645 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 646
acb591e4
LP		 647 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
648 if (getppid() != 1)
eb17e935 649 return fileno;
94f04347 650
eb17e935
MS		 651 /* We need to open /dev/null here anew, to get the right access mode. */
652 return open_null_as(O_WRONLY, fileno);
071830ff 653 }
94f04347 654
eb17e935 655 switch (o) {
80876c20
LP		 656
657 case EXEC_OUTPUT_NULL:
eb17e935 658 return open_null_as(O_WRONLY, fileno);
80876c20
LP		 659
660 case EXEC_OUTPUT_TTY:
4f2d528d 661 if (is_terminal_input(i))
eb17e935 662 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
80876c20
LP		 663
664 /* We don't reset the terminal if this is just about output */
1e22b5cd 665 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
80876c20
LP		 666
667 case EXEC_OUTPUT_SYSLOG:
28dbc1e8 668 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
9a6bca7a 669 case EXEC_OUTPUT_KMSG:
28dbc1e8 670 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
706343f4
LP		 671 case EXEC_OUTPUT_JOURNAL:
672 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
af635cf3 673 r = connect_logger_as(unit, context, params, o, ident, fileno, uid, gid);
47c1d80d 674 if (r < 0) {
82677ae4 675 log_unit_warning_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
eb17e935 676 r = open_null_as(O_WRONLY, fileno);
7bce046b
LP		 677 } else {
678 struct stat st;
679
680 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
681 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
ab2116b1
LP		 682 * services to detect whether they are connected to the journal or not.
683 *
684 * If both stdout and stderr are connected to a stream then let's make sure to store the data
685 * about STDERR as that's usually the best way to do logging. */
7bce046b 686
ab2116b1
LP		 687 if (fstat(fileno, &st) >= 0 &&
688 (*journal_stream_ino == 0 || fileno == STDERR_FILENO)) {
7bce046b
LP		 689 *journal_stream_dev = st.st_dev;
690 *journal_stream_ino = st.st_ino;
691 }
47c1d80d
MS		 692 }
693 return r;
4f2d528d
LP		 694
695 case EXEC_OUTPUT_SOCKET:
696 assert(socket_fd >= 0);
e75a9ed1 697
eb17e935 698 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
94f04347 699
52c239d7 700 case EXEC_OUTPUT_NAMED_FD:
e75a9ed1
LP		 701 assert(named_iofds[fileno] >= 0);
702
52c239d7
LB		 703 (void) fd_nonblock(named_iofds[fileno], false);
704 return dup2(named_iofds[fileno], fileno) < 0 ? -errno : fileno;
705
566b7d23
ZD		 706 case EXEC_OUTPUT_FILE:
707 case EXEC_OUTPUT_FILE_APPEND: {
2038c3f5 708 bool rw;
566b7d23 709 int fd, flags;
2038c3f5
LP		 710
711 assert(context->stdio_file[fileno]);
712
713 rw = context->std_input == EXEC_INPUT_FILE &&
714 streq_ptr(context->stdio_file[fileno], context->stdio_file[STDIN_FILENO]);
715
716 if (rw)
717 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
718
566b7d23
ZD		 719 flags = O_WRONLY;
720 if (o == EXEC_OUTPUT_FILE_APPEND)
721 flags |= O_APPEND;
722
723 fd = acquire_path(context->stdio_file[fileno], flags, 0666 & ~context->umask);
2038c3f5
LP		 724 if (fd < 0)
725 return fd;
726
566b7d23 727 return move_fd(fd, fileno, 0);
2038c3f5
LP		 728 }
729
94f04347 730 default:
80876c20 731 assert_not_reached("Unknown error type");
94f04347 732 }
071830ff
LP		 733}
734
02a51aba 735static int chown_terminal(int fd, uid_t uid) {
4b3b5bc7 736 int r;
02a51aba
LP		 737
738 assert(fd >= 0);
02a51aba 739
1ff74fb6 740 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
4b3b5bc7
LP		 741 if (isatty(fd) < 1) {
742 if (IN_SET(errno, EINVAL, ENOTTY))
743 return 0; /* not a tty */
1ff74fb6 744
02a51aba 745 return -errno;
4b3b5bc7 746 }
02a51aba 747
4b3b5bc7
LP		 748 /* This might fail. What matters are the results. */
749 r = fchmod_and_chown(fd, TTY_MODE, uid, -1);
750 if (r < 0)
751 return r;
02a51aba 752
4b3b5bc7 753 return 1;
02a51aba
LP		 754}
755
7d5ceb64 756static int setup_confirm_stdio(const char *vc, int *_saved_stdin, int *_saved_stdout) {
3d18b167
LP		 757 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
758 int r;
80876c20 759
80876c20
LP		 760 assert(_saved_stdin);
761 assert(_saved_stdout);
762
af6da548
LP		 763 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
764 if (saved_stdin < 0)
765 return -errno;
80876c20 766
af6da548 767 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
3d18b167
LP		 768 if (saved_stdout < 0)
769 return -errno;
80876c20 770
8854d795 771 fd = acquire_terminal(vc, ACQUIRE_TERMINAL_WAIT, DEFAULT_CONFIRM_USEC);
3d18b167
LP		 772 if (fd < 0)
773 return fd;
80876c20 774
af6da548
LP		 775 r = chown_terminal(fd, getuid());
776 if (r < 0)
3d18b167 777 return r;
02a51aba 778
3d18b167
LP		 779 r = reset_terminal_fd(fd, true);
780 if (r < 0)
781 return r;
80876c20 782
2b33ab09 783 r = rearrange_stdio(fd, fd, STDERR_FILENO);
3d18b167 784 fd = -1;
2b33ab09
LP		 785 if (r < 0)
786 return r;
80876c20
LP		 787
788 *_saved_stdin = saved_stdin;
789 *_saved_stdout = saved_stdout;
790
3d18b167 791 saved_stdin = saved_stdout = -1;
80876c20 792
3d18b167 793 return 0;
80876c20
LP		 794}
795
63d77c92 796static void write_confirm_error_fd(int err, int fd, const Unit *u) {
3b20f877
FB		 797 assert(err < 0);
798
799 if (err == -ETIMEDOUT)
63d77c92 800 dprintf(fd, "Confirmation question timed out for %s, assuming positive response.\n", u->id);
3b20f877
FB		 801 else {
802 errno = -err;
63d77c92 803 dprintf(fd, "Couldn't ask confirmation for %s: %m, assuming positive response.\n", u->id);
3b20f877
FB		 804 }
805}
806
63d77c92 807static void write_confirm_error(int err, const char *vc, const Unit *u) {
03e334a1 808 _cleanup_close_ int fd = -1;
80876c20 809
3b20f877 810 assert(vc);
80876c20 811
7d5ceb64 812 fd = open_terminal(vc, O_WRONLY|O_NOCTTY|O_CLOEXEC);
af6da548 813 if (fd < 0)
3b20f877 814 return;
80876c20 815
63d77c92 816 write_confirm_error_fd(err, fd, u);
af6da548 817}
80876c20 818
3d18b167 819static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
af6da548 820 int r = 0;
80876c20 821
af6da548
LP		 822 assert(saved_stdin);
823 assert(saved_stdout);
824
825 release_terminal();
826
827 if (*saved_stdin >= 0)
80876c20 828 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
af6da548 829 r = -errno;
80876c20 830
af6da548 831 if (*saved_stdout >= 0)
80876c20 832 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
af6da548 833 r = -errno;
80876c20 834
3d18b167
LP		 835 *saved_stdin = safe_close(*saved_stdin);
836 *saved_stdout = safe_close(*saved_stdout);
af6da548
LP		 837
838 return r;
839}
840
3b20f877
FB		 841enum {
842 CONFIRM_PRETEND_FAILURE = -1,
843 CONFIRM_PRETEND_SUCCESS = 0,
844 CONFIRM_EXECUTE = 1,
845};
846
eedf223a 847static int ask_for_confirmation(const char *vc, Unit *u, const char *cmdline) {
af6da548 848 int saved_stdout = -1, saved_stdin = -1, r;
2bcd3c26 849 _cleanup_free_ char *e = NULL;
3b20f877 850 char c;
af6da548 851
3b20f877 852 /* For any internal errors, assume a positive response. */
7d5ceb64 853 r = setup_confirm_stdio(vc, &saved_stdin, &saved_stdout);
3b20f877 854 if (r < 0) {
63d77c92 855 write_confirm_error(r, vc, u);
3b20f877
FB		 856 return CONFIRM_EXECUTE;
857 }
af6da548 858
b0eb2944
FB		 859 /* confirm_spawn might have been disabled while we were sleeping. */
860 if (manager_is_confirm_spawn_disabled(u->manager)) {
861 r = 1;
862 goto restore_stdio;
863 }
af6da548 864
2bcd3c26
FB		 865 e = ellipsize(cmdline, 60, 100);
866 if (!e) {
867 log_oom();
868 r = CONFIRM_EXECUTE;
869 goto restore_stdio;
870 }
af6da548 871
d172b175 872 for (;;) {
539622bd 873 r = ask_char(&c, "yfshiDjcn", "Execute %s? [y, f, s – h for help] ", e);
d172b175 874 if (r < 0) {
63d77c92 875 write_confirm_error_fd(r, STDOUT_FILENO, u);
d172b175
FB		 876 r = CONFIRM_EXECUTE;
877 goto restore_stdio;
878 }
af6da548 879
d172b175 880 switch (c) {
b0eb2944
FB		 881 case 'c':
882 printf("Resuming normal execution.\n");
883 manager_disable_confirm_spawn();
884 r = 1;
885 break;
dd6f9ac0
FB		 886 case 'D':
887 unit_dump(u, stdout, " ");
888 continue; /* ask again */
d172b175
FB		 889 case 'f':
890 printf("Failing execution.\n");
891 r = CONFIRM_PRETEND_FAILURE;
892 break;
893 case 'h':
b0eb2944
FB		 894 printf(" c - continue, proceed without asking anymore\n"
895 " D - dump, show the state of the unit\n"
dd6f9ac0 896 " f - fail, don't execute the command and pretend it failed\n"
d172b175 897 " h - help\n"
eedf223a 898 " i - info, show a short summary of the unit\n"
56fde33a 899 " j - jobs, show jobs that are in progress\n"
d172b175
FB		 900 " s - skip, don't execute the command and pretend it succeeded\n"
901 " y - yes, execute the command\n");
dd6f9ac0 902 continue; /* ask again */
eedf223a
FB		 903 case 'i':
904 printf(" Description: %s\n"
905 " Unit: %s\n"
906 " Command: %s\n",
907 u->id, u->description, cmdline);
908 continue; /* ask again */
56fde33a
FB		 909 case 'j':
910 manager_dump_jobs(u->manager, stdout, " ");
911 continue; /* ask again */
539622bd
FB		 912 case 'n':
913 /* 'n' was removed in favor of 'f'. */
914 printf("Didn't understand 'n', did you mean 'f'?\n");
915 continue; /* ask again */
d172b175
FB		 916 case 's':
917 printf("Skipping execution.\n");
918 r = CONFIRM_PRETEND_SUCCESS;
919 break;
920 case 'y':
921 r = CONFIRM_EXECUTE;
922 break;
923 default:
924 assert_not_reached("Unhandled choice");
925 }
3b20f877 926 break;
3b20f877 927 }
af6da548 928
3b20f877 929restore_stdio:
af6da548 930 restore_confirm_stdio(&saved_stdin, &saved_stdout);
af6da548 931 return r;
80876c20
LP		 932}
933
4d885bd3
DH		 934static int get_fixed_user(const ExecContext *c, const char **user,
935 uid_t *uid, gid_t *gid,
936 const char **home, const char **shell) {
81a2b7ce 937 int r;
4d885bd3 938 const char *name;
81a2b7ce 939
4d885bd3 940 assert(c);
81a2b7ce 941
23deef88
LP		 942 if (!c->user)
943 return 0;
944
4d885bd3
DH		 945 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
946 * (i.e. are "/" or "/bin/nologin"). */
81a2b7ce 947
23deef88 948 name = c->user;
fafff8f1 949 r = get_user_creds(&name, uid, gid, home, shell, USER_CREDS_CLEAN);
4d885bd3
DH		 950 if (r < 0)
951 return r;
81a2b7ce 952
4d885bd3
DH		 953 *user = name;
954 return 0;
955}
956
957static int get_fixed_group(const ExecContext *c, const char **group, gid_t *gid) {
958 int r;
959 const char *name;
960
961 assert(c);
962
963 if (!c->group)
964 return 0;
965
966 name = c->group;
fafff8f1 967 r = get_group_creds(&name, gid, 0);
4d885bd3
DH		 968 if (r < 0)
969 return r;
970
971 *group = name;
972 return 0;
973}
974
cdc5d5c5
DH		 975static int get_supplementary_groups(const ExecContext *c, const char *user,
976 const char *group, gid_t gid,
977 gid_t **supplementary_gids, int *ngids) {
4d885bd3
DH		 978 char **i;
979 int r, k = 0;
980 int ngroups_max;
981 bool keep_groups = false;
982 gid_t *groups = NULL;
983 _cleanup_free_ gid_t *l_gids = NULL;
984
985 assert(c);
986
bbeea271
DH		 987 /*
988 * If user is given, then lookup GID and supplementary groups list.
989 * We avoid NSS lookups for gid=0. Also we have to initialize groups
cdc5d5c5
DH		 990 * here and as early as possible so we keep the list of supplementary
991 * groups of the caller.
bbeea271
DH		 992 */
993 if (user && gid_is_valid(gid) && gid != 0) {
994 /* First step, initialize groups from /etc/groups */
995 if (initgroups(user, gid) < 0)
996 return -errno;
997
998 keep_groups = true;
999 }
1000
ac6e8be6 1001 if (strv_isempty(c->supplementary_groups))
4d885bd3
DH		 1002 return 0;
1003
366ddd25
DH		 1004 /*
1005 * If SupplementaryGroups= was passed then NGROUPS_MAX has to
1006 * be positive, otherwise fail.
1007 */
1008 errno = 0;
1009 ngroups_max = (int) sysconf(_SC_NGROUPS_MAX);
66855de7
LP		 1010 if (ngroups_max <= 0)
1011 return errno_or_else(EOPNOTSUPP);
366ddd25 1012
4d885bd3
DH		 1013 l_gids = new(gid_t, ngroups_max);
1014 if (!l_gids)
1015 return -ENOMEM;
81a2b7ce 1016
4d885bd3
DH		 1017 if (keep_groups) {
1018 /*
1019 * Lookup the list of groups that the user belongs to, we
1020 * avoid NSS lookups here too for gid=0.
1021 */
1022 k = ngroups_max;
1023 if (getgrouplist(user, gid, l_gids, &k) < 0)
1024 return -EINVAL;
1025 } else
1026 k = 0;
81a2b7ce 1027
4d885bd3
DH		 1028 STRV_FOREACH(i, c->supplementary_groups) {
1029 const char *g;
81a2b7ce 1030
4d885bd3
DH		 1031 if (k >= ngroups_max)
1032 return -E2BIG;
81a2b7ce 1033
4d885bd3 1034 g = *i;
fafff8f1 1035 r = get_group_creds(&g, l_gids+k, 0);
4d885bd3
DH		 1036 if (r < 0)
1037 return r;
81a2b7ce 1038
4d885bd3
DH		 1039 k++;
1040 }
81a2b7ce 1041
4d885bd3
DH		 1042 /*
1043 * Sets ngids to zero to drop all supplementary groups, happens
1044 * when we are under root and SupplementaryGroups= is empty.
1045 */
1046 if (k == 0) {
1047 *ngids = 0;
1048 return 0;
1049 }
81a2b7ce 1050
4d885bd3
DH		 1051 /* Otherwise get the final list of supplementary groups */
1052 groups = memdup(l_gids, sizeof(gid_t) * k);
1053 if (!groups)
1054 return -ENOMEM;
1055
1056 *supplementary_gids = groups;
1057 *ngids = k;
1058
1059 groups = NULL;
1060
1061 return 0;
1062}
1063
34cf6c43 1064static int enforce_groups(gid_t gid, const gid_t *supplementary_gids, int ngids) {
4d885bd3
DH		 1065 int r;
1066
709dbeac
YW		 1067 /* Handle SupplementaryGroups= if it is not empty */
1068 if (ngids > 0) {
4d885bd3
DH		 1069 r = maybe_setgroups(ngids, supplementary_gids);
1070 if (r < 0)
97f0e76f 1071 return r;
4d885bd3 1072 }
81a2b7ce 1073
4d885bd3
DH		 1074 if (gid_is_valid(gid)) {
1075 /* Then set our gids */
1076 if (setresgid(gid, gid, gid) < 0)
1077 return -errno;
81a2b7ce
LP		 1078 }
1079
1080 return 0;
1081}
1082
1083static int enforce_user(const ExecContext *context, uid_t uid) {
81a2b7ce
LP		 1084 assert(context);
1085
4d885bd3
DH		 1086 if (!uid_is_valid(uid))
1087 return 0;
1088
479050b3 1089 /* Sets (but doesn't look up) the uid and make sure we keep the
81a2b7ce
LP		 1090 * capabilities while doing so. */
1091
479050b3 1092 if (context->capability_ambient_set != 0) {
81a2b7ce
LP		 1093
1094 /* First step: If we need to keep capabilities but
1095 * drop privileges we need to make sure we keep our
cbb21cca 1096 * caps, while we drop privileges. */
693ced48 1097 if (uid != 0) {
cbb21cca 1098 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
693ced48
LP		 1099
1100 if (prctl(PR_GET_SECUREBITS) != sb)
1101 if (prctl(PR_SET_SECUREBITS, sb) < 0)
1102 return -errno;
1103 }
81a2b7ce
LP		 1104 }
1105
479050b3 1106 /* Second step: actually set the uids */
81a2b7ce
LP		 1107 if (setresuid(uid, uid, uid) < 0)
1108 return -errno;
1109
1110 /* At this point we should have all necessary capabilities but
1111 are otherwise a normal user. However, the caps might got
1112 corrupted due to the setresuid() so we need clean them up
1113 later. This is done outside of this call. */
1114
1115 return 0;
1116}
1117
349cc4a5 1118#if HAVE_PAM
5b6319dc
LP		 1119
1120static int null_conv(
1121 int num_msg,
1122 const struct pam_message **msg,
1123 struct pam_response **resp,
1124 void *appdata_ptr) {
1125
1126 /* We don't support conversations */
1127
1128 return PAM_CONV_ERR;
1129}
1130
cefc33ae
LP		 1131#endif
1132
5b6319dc
LP		 1133static int setup_pam(
1134 const char *name,
1135 const char *user,
940c5210 1136 uid_t uid,
2d6fce8d 1137 gid_t gid,
5b6319dc 1138 const char *tty,
2065ca69 1139 char ***env,
5b8d1f6b 1140 const int fds[], size_t n_fds) {
5b6319dc 1141
349cc4a5 1142#if HAVE_PAM
cefc33ae 1143
5b6319dc
LP		 1144 static const struct pam_conv conv = {
1145 .conv = null_conv,
1146 .appdata_ptr = NULL
1147 };
1148
2d7c6aa2 1149 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
5b6319dc 1150 pam_handle_t *handle = NULL;
d6e5f3ad 1151 sigset_t old_ss;
7bb70b6e 1152 int pam_code = PAM_SUCCESS, r;
84eada2f 1153 char **nv, **e = NULL;
5b6319dc
LP		 1154 bool close_session = false;
1155 pid_t pam_pid = 0, parent_pid;
970edce6 1156 int flags = 0;
5b6319dc
LP		 1157
1158 assert(name);
1159 assert(user);
2065ca69 1160 assert(env);
5b6319dc
LP		 1161
1162 /* We set up PAM in the parent process, then fork. The child
35b8ca3a 1163 * will then stay around until killed via PR_GET_PDEATHSIG or
5b6319dc
LP		 1164 * systemd via the cgroup logic. It will then remove the PAM
1165 * session again. The parent process will exec() the actual
1166 * daemon. We do things this way to ensure that the main PID
1167 * of the daemon is the one we initially fork()ed. */
1168
7bb70b6e
LP		 1169 r = barrier_create(&barrier);
1170 if (r < 0)
2d7c6aa2
DH		 1171 goto fail;
1172
553d2243 1173 if (log_get_max_level() < LOG_DEBUG)
970edce6
ZJS		 1174 flags |= PAM_SILENT;
1175
f546241b
ZJS		 1176 pam_code = pam_start(name, user, &conv, &handle);
1177 if (pam_code != PAM_SUCCESS) {
5b6319dc
LP		 1178 handle = NULL;
1179 goto fail;
1180 }
1181
3cd24c1a
LP		 1182 if (!tty) {
1183 _cleanup_free_ char *q = NULL;
1184
1185 /* Hmm, so no TTY was explicitly passed, but an fd passed to us directly might be a TTY. Let's figure
1186 * out if that's the case, and read the TTY off it. */
1187
1188 if (getttyname_malloc(STDIN_FILENO, &q) >= 0)
1189 tty = strjoina("/dev/", q);
1190 }
1191
f546241b
ZJS		 1192 if (tty) {
1193 pam_code = pam_set_item(handle, PAM_TTY, tty);
1194 if (pam_code != PAM_SUCCESS)
5b6319dc 1195 goto fail;
f546241b 1196 }
5b6319dc 1197
84eada2f
JW		 1198 STRV_FOREACH(nv, *env) {
1199 pam_code = pam_putenv(handle, *nv);
2065ca69
JW		 1200 if (pam_code != PAM_SUCCESS)
1201 goto fail;
1202 }
1203
970edce6 1204 pam_code = pam_acct_mgmt(handle, flags);
f546241b 1205 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 1206 goto fail;
1207
3bb39ea9
DG		 1208 pam_code = pam_setcred(handle, PAM_ESTABLISH_CRED | flags);
1209 if (pam_code != PAM_SUCCESS)
46d7c6af 1210 log_debug("pam_setcred() failed, ignoring: %s", pam_strerror(handle, pam_code));
3bb39ea9 1211
970edce6 1212 pam_code = pam_open_session(handle, flags);
f546241b 1213 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 1214 goto fail;
1215
1216 close_session = true;
1217
f546241b
ZJS		 1218 e = pam_getenvlist(handle);
1219 if (!e) {
5b6319dc
LP		 1220 pam_code = PAM_BUF_ERR;
1221 goto fail;
1222 }
1223
1224 /* Block SIGTERM, so that we know that it won't get lost in
1225 * the child */
ce30c8dc 1226
72c0a2c2 1227 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
5b6319dc 1228
df0ff127 1229 parent_pid = getpid_cached();
5b6319dc 1230
4c253ed1
LP		 1231 r = safe_fork("(sd-pam)", 0, &pam_pid);
1232 if (r < 0)
5b6319dc 1233 goto fail;
4c253ed1 1234 if (r == 0) {
7bb70b6e 1235 int sig, ret = EXIT_PAM;
5b6319dc
LP		 1236
1237 /* The child's job is to reset the PAM session on
1238 * termination */
2d7c6aa2 1239 barrier_set_role(&barrier, BARRIER_CHILD);
5b6319dc 1240
4c253ed1
LP		 1241 /* Make sure we don't keep open the passed fds in this child. We assume that otherwise only those fds
1242 * are open here that have been opened by PAM. */
1243 (void) close_many(fds, n_fds);
5b6319dc 1244
940c5210
AK		 1245 /* Drop privileges - we don't need any to pam_close_session
1246 * and this will make PR_SET_PDEATHSIG work in most cases.
1247 * If this fails, ignore the error - but expect sd-pam threads
1248 * to fail to exit normally */
2d6fce8d 1249
97f0e76f
LP		 1250 r = maybe_setgroups(0, NULL);
1251 if (r < 0)
1252 log_warning_errno(r, "Failed to setgroups() in sd-pam: %m");
2d6fce8d
LP		 1253 if (setresgid(gid, gid, gid) < 0)
1254 log_warning_errno(errno, "Failed to setresgid() in sd-pam: %m");
940c5210 1255 if (setresuid(uid, uid, uid) < 0)
2d6fce8d 1256 log_warning_errno(errno, "Failed to setresuid() in sd-pam: %m");
940c5210 1257
ce30c8dc
LP		 1258 (void) ignore_signals(SIGPIPE, -1);
1259
940c5210
AK		 1260 /* Wait until our parent died. This will only work if
1261 * the above setresuid() succeeds, otherwise the kernel
1262 * will not allow unprivileged parents kill their privileged
1263 * children this way. We rely on the control groups kill logic
5b6319dc
LP		 1264 * to do the rest for us. */
1265 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
1266 goto child_finish;
1267
2d7c6aa2
DH		 1268 /* Tell the parent that our setup is done. This is especially
1269 * important regarding dropping privileges. Otherwise, unit
643f4706
ZJS		 1270 * setup might race against our setresuid(2) call.
1271 *
1272 * If the parent aborted, we'll detect this below, hence ignore
1273 * return failure here. */
1274 (void) barrier_place(&barrier);
2d7c6aa2 1275
643f4706 1276 /* Check if our parent process might already have died? */
5b6319dc 1277 if (getppid() == parent_pid) {
d6e5f3ad
DM		 1278 sigset_t ss;
1279
1280 assert_se(sigemptyset(&ss) >= 0);
1281 assert_se(sigaddset(&ss, SIGTERM) >= 0);
1282
3dead8d9
LP		 1283 for (;;) {
1284 if (sigwait(&ss, &sig) < 0) {
1285 if (errno == EINTR)
1286 continue;
1287
1288 goto child_finish;
1289 }
5b6319dc 1290
3dead8d9
LP		 1291 assert(sig == SIGTERM);
1292 break;
1293 }
5b6319dc
LP		 1294 }
1295
3bb39ea9
DG		 1296 pam_code = pam_setcred(handle, PAM_DELETE_CRED | flags);
1297 if (pam_code != PAM_SUCCESS)
1298 goto child_finish;
1299
3dead8d9 1300 /* If our parent died we'll end the session */
f546241b 1301 if (getppid() != parent_pid) {
970edce6 1302 pam_code = pam_close_session(handle, flags);
f546241b 1303 if (pam_code != PAM_SUCCESS)
5b6319dc 1304 goto child_finish;
f546241b 1305 }
5b6319dc 1306
7bb70b6e 1307 ret = 0;
5b6319dc
LP		 1308
1309 child_finish:
970edce6 1310 pam_end(handle, pam_code | flags);
7bb70b6e 1311 _exit(ret);
5b6319dc
LP		 1312 }
1313
2d7c6aa2
DH		 1314 barrier_set_role(&barrier, BARRIER_PARENT);
1315
5b6319dc
LP		 1316 /* If the child was forked off successfully it will do all the
1317 * cleanups, so forget about the handle here. */
1318 handle = NULL;
1319
3b8bddde 1320 /* Unblock SIGTERM again in the parent */
72c0a2c2 1321 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
5b6319dc
LP		 1322
1323 /* We close the log explicitly here, since the PAM modules
1324 * might have opened it, but we don't want this fd around. */
1325 closelog();
1326
2d7c6aa2
DH		 1327 /* Synchronously wait for the child to initialize. We don't care for
1328 * errors as we cannot recover. However, warn loudly if it happens. */
1329 if (!barrier_place_and_sync(&barrier))
1330 log_error("PAM initialization failed");
1331
130d3d22 1332 return strv_free_and_replace(*env, e);
5b6319dc
LP		 1333
1334fail:
970edce6
ZJS		 1335 if (pam_code != PAM_SUCCESS) {
1336 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
7bb70b6e
LP		 1337 r = -EPERM; /* PAM errors do not map to errno */
1338 } else
1339 log_error_errno(r, "PAM failed: %m");
9ba35398 1340
5b6319dc
LP		 1341 if (handle) {
1342 if (close_session)
970edce6 1343 pam_code = pam_close_session(handle, flags);
5b6319dc 1344
970edce6 1345 pam_end(handle, pam_code | flags);
5b6319dc
LP		 1346 }
1347
1348 strv_free(e);
5b6319dc
LP		 1349 closelog();
1350
7bb70b6e 1351 return r;
cefc33ae
LP		 1352#else
1353 return 0;
5b6319dc 1354#endif
cefc33ae 1355}
5b6319dc 1356
5d6b1584
LP		 1357static void rename_process_from_path(const char *path) {
1358 char process_name[11];
1359 const char *p;
1360 size_t l;
1361
1362 /* This resulting string must fit in 10 chars (i.e. the length
1363 * of "/sbin/init") to look pretty in /bin/ps */
1364
2b6bf07d 1365 p = basename(path);
5d6b1584
LP		 1366 if (isempty(p)) {
1367 rename_process("(...)");
1368 return;
1369 }
1370
1371 l = strlen(p);
1372 if (l > 8) {
1373 /* The end of the process name is usually more
1374 * interesting, since the first bit might just be
1375 * "systemd-" */
1376 p = p + l - 8;
1377 l = 8;
1378 }
1379
1380 process_name[0] = '(';
1381 memcpy(process_name+1, p, l);
1382 process_name[1+l] = ')';
1383 process_name[1+l+1] = 0;
1384
1385 rename_process(process_name);
1386}
1387
469830d1
LP		 1388static bool context_has_address_families(const ExecContext *c) {
1389 assert(c);
1390
1391 return c->address_families_whitelist ||
1392 !set_isempty(c->address_families);
1393}
1394
1395static bool context_has_syscall_filters(const ExecContext *c) {
1396 assert(c);
1397
1398 return c->syscall_whitelist ||
8cfa775f 1399 !hashmap_isempty(c->syscall_filter);
469830d1
LP		 1400}
1401
1402static bool context_has_no_new_privileges(const ExecContext *c) {
1403 assert(c);
1404
1405 if (c->no_new_privileges)
1406 return true;
1407
1408 if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
1409 return false;
1410
1411 /* We need NNP if we have any form of seccomp and are unprivileged */
1412 return context_has_address_families(c) ||
1413 c->memory_deny_write_execute ||
1414 c->restrict_realtime ||
f69567cb 1415 c->restrict_suid_sgid ||
469830d1 1416 exec_context_restrict_namespaces_set(c) ||
fc64760d 1417 c->protect_clock ||
469830d1
LP		 1418 c->protect_kernel_tunables ||
1419 c->protect_kernel_modules ||
84703040 1420 c->protect_kernel_logs ||
469830d1
LP		 1421 c->private_devices ||
1422 context_has_syscall_filters(c) ||
78e864e5 1423 !set_isempty(c->syscall_archs) ||
aecd5ac6
TM		 1424 c->lock_personality ||
1425 c->protect_hostname;
469830d1
LP		 1426}
1427
349cc4a5 1428#if HAVE_SECCOMP
17df7223 1429
83f12b27 1430static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
f673b62d
LP		 1431
1432 if (is_seccomp_available())
1433 return false;
1434
f673b62d 1435 log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
f673b62d 1436 return true;
83f12b27
FS		 1437}
1438
165a31c0 1439static int apply_syscall_filter(const Unit* u, const ExecContext *c, bool needs_ambient_hack) {
469830d1 1440 uint32_t negative_action, default_action, action;
165a31c0 1441 int r;
8351ceae 1442
469830d1 1443 assert(u);
c0467cf3 1444 assert(c);
8351ceae 1445
469830d1 1446 if (!context_has_syscall_filters(c))
83f12b27
FS		 1447 return 0;
1448
469830d1
LP		 1449 if (skip_seccomp_unavailable(u, "SystemCallFilter="))
1450 return 0;
e9642be2 1451
ccc16c78 1452 negative_action = c->syscall_errno == 0 ? scmp_act_kill_process() : SCMP_ACT_ERRNO(c->syscall_errno);
e9642be2 1453
469830d1
LP		 1454 if (c->syscall_whitelist) {
1455 default_action = negative_action;
1456 action = SCMP_ACT_ALLOW;
7c66bae2 1457 } else {
469830d1
LP		 1458 default_action = SCMP_ACT_ALLOW;
1459 action = negative_action;
57183d11 1460 }
8351ceae 1461
165a31c0
LP		 1462 if (needs_ambient_hack) {
1463 r = seccomp_filter_set_add(c->syscall_filter, c->syscall_whitelist, syscall_filter_sets + SYSCALL_FILTER_SET_SETUID);
1464 if (r < 0)
1465 return r;
1466 }
1467
b54f36c6 1468 return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_filter, action, false);
4298d0b5
LP		 1469}
1470
469830d1
LP		 1471static int apply_syscall_archs(const Unit *u, const ExecContext *c) {
1472 assert(u);
4298d0b5
LP		 1473 assert(c);
1474
469830d1 1475 if (set_isempty(c->syscall_archs))
83f12b27
FS		 1476 return 0;
1477
469830d1
LP		 1478 if (skip_seccomp_unavailable(u, "SystemCallArchitectures="))
1479 return 0;
4298d0b5 1480
469830d1
LP		 1481 return seccomp_restrict_archs(c->syscall_archs);
1482}
4298d0b5 1483
469830d1
LP		 1484static int apply_address_families(const Unit* u, const ExecContext *c) {
1485 assert(u);
1486 assert(c);
4298d0b5 1487
469830d1
LP		 1488 if (!context_has_address_families(c))
1489 return 0;
4298d0b5 1490
469830d1
LP		 1491 if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
1492 return 0;
4298d0b5 1493
469830d1 1494 return seccomp_restrict_address_families(c->address_families, c->address_families_whitelist);
8351ceae 1495}
4298d0b5 1496
83f12b27 1497static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c) {
469830d1 1498 assert(u);
f3e43635
TM		 1499 assert(c);
1500
469830d1 1501 if (!c->memory_deny_write_execute)
83f12b27
FS		 1502 return 0;
1503
469830d1
LP		 1504 if (skip_seccomp_unavailable(u, "MemoryDenyWriteExecute="))
1505 return 0;
f3e43635 1506
469830d1 1507 return seccomp_memory_deny_write_execute();
f3e43635
TM		 1508}
1509
83f12b27 1510static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
469830d1 1511 assert(u);
f4170c67
LP		 1512 assert(c);
1513
469830d1 1514 if (!c->restrict_realtime)
83f12b27
FS		 1515 return 0;
1516
469830d1
LP		 1517 if (skip_seccomp_unavailable(u, "RestrictRealtime="))
1518 return 0;
f4170c67 1519
469830d1 1520 return seccomp_restrict_realtime();
f4170c67
LP		 1521}
1522
f69567cb
LP		 1523static int apply_restrict_suid_sgid(const Unit* u, const ExecContext *c) {
1524 assert(u);
1525 assert(c);
1526
1527 if (!c->restrict_suid_sgid)
1528 return 0;
1529
1530 if (skip_seccomp_unavailable(u, "RestrictSUIDSGID="))
1531 return 0;
1532
1533 return seccomp_restrict_suid_sgid();
1534}
1535
59e856c7 1536static int apply_protect_sysctl(const Unit *u, const ExecContext *c) {
469830d1 1537 assert(u);
59eeb84b
LP		 1538 assert(c);
1539
1540 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1541 * let's protect even those systems where this is left on in the kernel. */
1542
469830d1 1543 if (!c->protect_kernel_tunables)
59eeb84b
LP		 1544 return 0;
1545
469830d1
LP		 1546 if (skip_seccomp_unavailable(u, "ProtectKernelTunables="))
1547 return 0;
59eeb84b 1548
469830d1 1549 return seccomp_protect_sysctl();
59eeb84b
LP		 1550}
1551
59e856c7 1552static int apply_protect_kernel_modules(const Unit *u, const ExecContext *c) {
469830d1 1553 assert(u);
502d704e
DH		 1554 assert(c);
1555
25a8d8a0 1556 /* Turn off module syscalls on ProtectKernelModules=yes */
502d704e 1557
469830d1
LP		 1558 if (!c->protect_kernel_modules)
1559 return 0;
1560
502d704e
DH		 1561 if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
1562 return 0;
1563
b54f36c6 1564 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM), false);
502d704e
DH		 1565}
1566
84703040
KK		 1567static int apply_protect_kernel_logs(const Unit *u, const ExecContext *c) {
1568 assert(u);
1569 assert(c);
1570
1571 if (!c->protect_kernel_logs)
1572 return 0;
1573
1574 if (skip_seccomp_unavailable(u, "ProtectKernelLogs="))
1575 return 0;
1576
1577 return seccomp_protect_syslog();
1578}
1579
fc64760d
KK		 1580static int apply_protect_clock(const Unit *u, const ExecContext *c) {
1581 assert(u);
1582 assert(c);
1583
1584 if (!c->protect_clock)
1585 return 0;
1586
1587 if (skip_seccomp_unavailable(u, "ProtectClock="))
1588 return 0;
1589
1590 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_CLOCK, SCMP_ACT_ERRNO(EPERM), false);
1591}
1592
59e856c7 1593static int apply_private_devices(const Unit *u, const ExecContext *c) {
469830d1 1594 assert(u);
ba128bb8
LP		 1595 assert(c);
1596
8f81a5f6 1597 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
ba128bb8 1598
469830d1
LP		 1599 if (!c->private_devices)
1600 return 0;
1601
ba128bb8
LP		 1602 if (skip_seccomp_unavailable(u, "PrivateDevices="))
1603 return 0;
1604
b54f36c6 1605 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM), false);
ba128bb8
LP		 1606}
1607
34cf6c43 1608static int apply_restrict_namespaces(const Unit *u, const ExecContext *c) {
469830d1 1609 assert(u);
add00535
LP		 1610 assert(c);
1611
1612 if (!exec_context_restrict_namespaces_set(c))
1613 return 0;
1614
1615 if (skip_seccomp_unavailable(u, "RestrictNamespaces="))
1616 return 0;
1617
1618 return seccomp_restrict_namespaces(c->restrict_namespaces);
1619}
1620
78e864e5 1621static int apply_lock_personality(const Unit* u, const ExecContext *c) {
e8132d63
LP		 1622 unsigned long personality;
1623 int r;
78e864e5
TM		 1624
1625 assert(u);
1626 assert(c);
1627
1628 if (!c->lock_personality)
1629 return 0;
1630
1631 if (skip_seccomp_unavailable(u, "LockPersonality="))
1632 return 0;
1633
e8132d63
LP		 1634 personality = c->personality;
1635
1636 /* If personality is not specified, use either PER_LINUX or PER_LINUX32 depending on what is currently set. */
1637 if (personality == PERSONALITY_INVALID) {
1638
1639 r = opinionated_personality(&personality);
1640 if (r < 0)
1641 return r;
1642 }
78e864e5
TM		 1643
1644 return seccomp_lock_personality(personality);
1645}
1646
c0467cf3 1647#endif
8351ceae 1648
3042bbeb 1649static void do_idle_pipe_dance(int idle_pipe[static 4]) {
31a7eb86
ZJS		 1650 assert(idle_pipe);
1651
54eb2300
LP		 1652 idle_pipe[1] = safe_close(idle_pipe[1]);
1653 idle_pipe[2] = safe_close(idle_pipe[2]);
31a7eb86
ZJS		 1654
1655 if (idle_pipe[0] >= 0) {
1656 int r;
1657
1658 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1659
1660 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
c7cc737f
LP		 1661 ssize_t n;
1662
31a7eb86 1663 /* Signal systemd that we are bored and want to continue. */
c7cc737f
LP		 1664 n = write(idle_pipe[3], "x", 1);
1665 if (n > 0)
cd972d69 1666 /* Wait for systemd to react to the signal above. */
54756dce 1667 (void) fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
31a7eb86
ZJS		 1668 }
1669
54eb2300 1670 idle_pipe[0] = safe_close(idle_pipe[0]);
31a7eb86
ZJS		 1671
1672 }
1673
54eb2300 1674 idle_pipe[3] = safe_close(idle_pipe[3]);
31a7eb86
ZJS		 1675}
1676
fb2042dd
YW		 1677static const char *exec_directory_env_name_to_string(ExecDirectoryType t);
1678
7cae38c4 1679static int build_environment(
34cf6c43 1680 const Unit *u,
9fa95f85 1681 const ExecContext *c,
1e22b5cd 1682 const ExecParameters *p,
da6053d0 1683 size_t n_fds,
7cae38c4
LP		 1684 const char *home,
1685 const char *username,
1686 const char *shell,
7bce046b
LP		 1687 dev_t journal_stream_dev,
1688 ino_t journal_stream_ino,
7cae38c4
LP		 1689 char ***ret) {
1690
1691 _cleanup_strv_free_ char **our_env = NULL;
fb2042dd 1692 ExecDirectoryType t;
da6053d0 1693 size_t n_env = 0;
7cae38c4
LP		 1694 char *x;
1695
4b58153d 1696 assert(u);
7cae38c4 1697 assert(c);
7c1cb6f1 1698 assert(p);
7cae38c4
LP		 1699 assert(ret);
1700
91dd5f7c 1701 our_env = new0(char*, 15 + _EXEC_DIRECTORY_TYPE_MAX);
7cae38c4
LP		 1702 if (!our_env)
1703 return -ENOMEM;
1704
1705 if (n_fds > 0) {
8dd4c05b
LP		 1706 _cleanup_free_ char *joined = NULL;
1707
df0ff127 1708 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid_cached()) < 0)
7cae38c4
LP		 1709 return -ENOMEM;
1710 our_env[n_env++] = x;
1711
da6053d0 1712 if (asprintf(&x, "LISTEN_FDS=%zu", n_fds) < 0)
7cae38c4
LP		 1713 return -ENOMEM;
1714 our_env[n_env++] = x;
8dd4c05b 1715
1e22b5cd 1716 joined = strv_join(p->fd_names, ":");
8dd4c05b
LP		 1717 if (!joined)
1718 return -ENOMEM;
1719
605405c6 1720 x = strjoin("LISTEN_FDNAMES=", joined);
8dd4c05b
LP		 1721 if (!x)
1722 return -ENOMEM;
1723 our_env[n_env++] = x;
7cae38c4
LP		 1724 }
1725
b08af3b1 1726 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
df0ff127 1727 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid_cached()) < 0)
09812eb7
LP		 1728 return -ENOMEM;
1729 our_env[n_env++] = x;
1730
1e22b5cd 1731 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
09812eb7
LP		 1732 return -ENOMEM;
1733 our_env[n_env++] = x;
1734 }
1735
fd63e712
LP		 1736 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1737 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1738 * check the database directly. */
ac647978 1739 if (p->flags & EXEC_NSS_BYPASS_BUS) {
fd63e712
LP		 1740 x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1741 if (!x)
1742 return -ENOMEM;
1743 our_env[n_env++] = x;
1744 }
1745
7cae38c4 1746 if (home) {
b910cc72 1747 x = strjoin("HOME=", home);
7cae38c4
LP		 1748 if (!x)
1749 return -ENOMEM;
7bbead1d
LP		 1750
1751 path_simplify(x + 5, true);
7cae38c4
LP		 1752 our_env[n_env++] = x;
1753 }
1754
1755 if (username) {
b910cc72 1756 x = strjoin("LOGNAME=", username);
7cae38c4
LP		 1757 if (!x)
1758 return -ENOMEM;
1759 our_env[n_env++] = x;
1760
b910cc72 1761 x = strjoin("USER=", username);
7cae38c4
LP		 1762 if (!x)
1763 return -ENOMEM;
1764 our_env[n_env++] = x;
1765 }
1766
1767 if (shell) {
b910cc72 1768 x = strjoin("SHELL=", shell);
7cae38c4
LP		 1769 if (!x)
1770 return -ENOMEM;
7bbead1d
LP		 1771
1772 path_simplify(x + 6, true);
7cae38c4
LP		 1773 our_env[n_env++] = x;
1774 }
1775
4b58153d
LP		 1776 if (!sd_id128_is_null(u->invocation_id)) {
1777 if (asprintf(&x, "INVOCATION_ID=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(u->invocation_id)) < 0)
1778 return -ENOMEM;
1779
1780 our_env[n_env++] = x;
1781 }
1782
6af760f3
LP		 1783 if (exec_context_needs_term(c)) {
1784 const char *tty_path, *term = NULL;
1785
1786 tty_path = exec_context_tty_path(c);
1787
1788 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try to inherit
1789 * the $TERM set for PID 1. This is useful for containers so that the $TERM the container manager
1790 * passes to PID 1 ends up all the way in the console login shown. */
1791
1792 if (path_equal(tty_path, "/dev/console") && getppid() == 1)
1793 term = getenv("TERM");
1794 if (!term)
1795 term = default_term_for_tty(tty_path);
7cae38c4 1796
b910cc72 1797 x = strjoin("TERM=", term);
7cae38c4
LP		 1798 if (!x)
1799 return -ENOMEM;
1800 our_env[n_env++] = x;
1801 }
1802
7bce046b
LP		 1803 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1804 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1805 return -ENOMEM;
1806
1807 our_env[n_env++] = x;
1808 }
1809
91dd5f7c
LP		 1810 if (c->log_namespace) {
1811 x = strjoin("LOG_NAMESPACE=", c->log_namespace);
1812 if (!x)
1813 return -ENOMEM;
1814
1815 our_env[n_env++] = x;
1816 }
1817
fb2042dd
YW		 1818 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
1819 _cleanup_free_ char *pre = NULL, *joined = NULL;
1820 const char *n;
1821
1822 if (!p->prefix[t])
1823 continue;
1824
1825 if (strv_isempty(c->directories[t].paths))
1826 continue;
1827
1828 n = exec_directory_env_name_to_string(t);
1829 if (!n)
1830 continue;
1831
1832 pre = strjoin(p->prefix[t], "/");
1833 if (!pre)
1834 return -ENOMEM;
1835
1836 joined = strv_join_prefix(c->directories[t].paths, ":", pre);
1837 if (!joined)
1838 return -ENOMEM;
1839
1840 x = strjoin(n, "=", joined);
1841 if (!x)
1842 return -ENOMEM;
1843
1844 our_env[n_env++] = x;
1845 }
1846
7cae38c4 1847 our_env[n_env++] = NULL;
fb2042dd 1848 assert(n_env <= 14 + _EXEC_DIRECTORY_TYPE_MAX);
7cae38c4 1849
ae2a15bc 1850 *ret = TAKE_PTR(our_env);
7cae38c4
LP		 1851
1852 return 0;
1853}
1854
b4c14404
FB		 1855static int build_pass_environment(const ExecContext *c, char ***ret) {
1856 _cleanup_strv_free_ char **pass_env = NULL;
1857 size_t n_env = 0, n_bufsize = 0;
1858 char **i;
1859
1860 STRV_FOREACH(i, c->pass_environment) {
1861 _cleanup_free_ char *x = NULL;
1862 char *v;
1863
1864 v = getenv(*i);
1865 if (!v)
1866 continue;
605405c6 1867 x = strjoin(*i, "=", v);
b4c14404
FB		 1868 if (!x)
1869 return -ENOMEM;
00819cc1 1870
b4c14404
FB		 1871 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1872 return -ENOMEM;
00819cc1 1873
1cc6c93a 1874 pass_env[n_env++] = TAKE_PTR(x);
b4c14404 1875 pass_env[n_env] = NULL;
b4c14404
FB		 1876 }
1877
ae2a15bc 1878 *ret = TAKE_PTR(pass_env);
b4c14404
FB		 1879
1880 return 0;
1881}
1882
8b44a3d2
LP		 1883static bool exec_needs_mount_namespace(
1884 const ExecContext *context,
1885 const ExecParameters *params,
4657abb5 1886 const ExecRuntime *runtime) {
8b44a3d2
LP		 1887
1888 assert(context);
1889 assert(params);
1890
915e6d16
LP		 1891 if (context->root_image)
1892 return true;
1893
2a624c36
AP		 1894 if (!strv_isempty(context->read_write_paths) ||
1895 !strv_isempty(context->read_only_paths) ||
1896 !strv_isempty(context->inaccessible_paths))
8b44a3d2
LP		 1897 return true;
1898
42b1d8e0 1899 if (context->n_bind_mounts > 0)
d2d6c096
LP		 1900 return true;
1901
2abd4e38
YW		 1902 if (context->n_temporary_filesystems > 0)
1903 return true;
1904
37ed15d7 1905 if (!IN_SET(context->mount_flags, 0, MS_SHARED))
8b44a3d2
LP		 1906 return true;
1907
1908 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1909 return true;
1910
8b44a3d2 1911 if (context->private_devices ||
228af36f 1912 context->private_mounts ||
8b44a3d2 1913 context->protect_system != PROTECT_SYSTEM_NO ||
59eeb84b
LP		 1914 context->protect_home != PROTECT_HOME_NO ||
1915 context->protect_kernel_tunables ||
c575770b 1916 context->protect_kernel_modules ||
94a7b275 1917 context->protect_kernel_logs ||
59eeb84b 1918 context->protect_control_groups)
8b44a3d2
LP		 1919 return true;
1920
37c56f89
YW		 1921 if (context->root_directory) {
1922 ExecDirectoryType t;
1923
1924 if (context->mount_apivfs)
1925 return true;
1926
1927 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
1928 if (!params->prefix[t])
1929 continue;
1930
1931 if (!strv_isempty(context->directories[t].paths))
1932 return true;
1933 }
1934 }
5d997827 1935
42b1d8e0 1936 if (context->dynamic_user &&
b43ee82f 1937 (!strv_isempty(context->directories[EXEC_DIRECTORY_STATE].paths) ||
42b1d8e0
YW		 1938 !strv_isempty(context->directories[EXEC_DIRECTORY_CACHE].paths) ||
1939 !strv_isempty(context->directories[EXEC_DIRECTORY_LOGS].paths)))
1940 return true;
1941
91dd5f7c
LP		 1942 if (context->log_namespace)
1943 return true;
1944
8b44a3d2
LP		 1945 return false;
1946}
1947
5749f855 1948static int setup_private_users(uid_t ouid, gid_t ogid, uid_t uid, gid_t gid) {
d251207d
LP		 1949 _cleanup_free_ char *uid_map = NULL, *gid_map = NULL;
1950 _cleanup_close_pair_ int errno_pipe[2] = { -1, -1 };
1951 _cleanup_close_ int unshare_ready_fd = -1;
1952 _cleanup_(sigkill_waitp) pid_t pid = 0;
1953 uint64_t c = 1;
d251207d
LP		 1954 ssize_t n;
1955 int r;
1956
5749f855
AZ		 1957 /* Set up a user namespace and map the original UID/GID (IDs from before any user or group changes, i.e.
1958 * the IDs from the user or system manager(s)) to itself, the selected UID/GID to itself, and everything else to
d251207d
LP		 1959 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1960 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1961 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1962 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
5749f855
AZ		 1963 * continues execution normally.
1964 * For unprivileged users (i.e. without capabilities), the root to root mapping is excluded. As such, it
1965 * does not need CAP_SETUID to write the single line mapping to itself. */
d251207d 1966
5749f855
AZ		 1967 /* Can only set up multiple mappings with CAP_SETUID. */
1968 if (have_effective_cap(CAP_SETUID) && uid != ouid && uid_is_valid(uid))
587ab01b 1969 r = asprintf(&uid_map,
5749f855 1970 UID_FMT " " UID_FMT " 1\n" /* Map $OUID → $OUID */
587ab01b 1971 UID_FMT " " UID_FMT " 1\n", /* Map $UID → $UID */
5749f855
AZ		 1972 ouid, ouid, uid, uid);
1973 else
1974 r = asprintf(&uid_map,
1975 UID_FMT " " UID_FMT " 1\n", /* Map $OUID → $OUID */
1976 ouid, ouid);
d251207d 1977
5749f855
AZ		 1978 if (r < 0)
1979 return -ENOMEM;
1980
1981 /* Can only set up multiple mappings with CAP_SETGID. */
1982 if (have_effective_cap(CAP_SETGID) && gid != ogid && gid_is_valid(gid))
587ab01b 1983 r = asprintf(&gid_map,
5749f855 1984 GID_FMT " " GID_FMT " 1\n" /* Map $OGID → $OGID */
587ab01b 1985 GID_FMT " " GID_FMT " 1\n", /* Map $GID → $GID */
5749f855
AZ		 1986 ogid, ogid, gid, gid);
1987 else
1988 r = asprintf(&gid_map,
1989 GID_FMT " " GID_FMT " 1\n", /* Map $OGID -> $OGID */
1990 ogid, ogid);
1991
1992 if (r < 0)
1993 return -ENOMEM;
d251207d
LP		 1994
1995 /* Create a communication channel so that the parent can tell the child when it finished creating the user
1996 * namespace. */
1997 unshare_ready_fd = eventfd(0, EFD_CLOEXEC);
1998 if (unshare_ready_fd < 0)
1999 return -errno;
2000
2001 /* Create a communication channel so that the child can tell the parent a proper error code in case it
2002 * failed. */
2003 if (pipe2(errno_pipe, O_CLOEXEC) < 0)
2004 return -errno;
2005
4c253ed1
LP		 2006 r = safe_fork("(sd-userns)", FORK_RESET_SIGNALS|FORK_DEATHSIG, &pid);
2007 if (r < 0)
2008 return r;
2009 if (r == 0) {
d251207d
LP		 2010 _cleanup_close_ int fd = -1;
2011 const char *a;
2012 pid_t ppid;
2013
2014 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
2015 * here, after the parent opened its own user namespace. */
2016
2017 ppid = getppid();
2018 errno_pipe[0] = safe_close(errno_pipe[0]);
2019
2020 /* Wait until the parent unshared the user namespace */
2021 if (read(unshare_ready_fd, &c, sizeof(c)) < 0) {
2022 r = -errno;
2023 goto child_fail;
2024 }
2025
2026 /* Disable the setgroups() system call in the child user namespace, for good. */
2027 a = procfs_file_alloca(ppid, "setgroups");
2028 fd = open(a, O_WRONLY|O_CLOEXEC);
2029 if (fd < 0) {
2030 if (errno != ENOENT) {
2031 r = -errno;
2032 goto child_fail;
2033 }
2034
2035 /* If the file is missing the kernel is too old, let's continue anyway. */
2036 } else {
2037 if (write(fd, "deny\n", 5) < 0) {
2038 r = -errno;
2039 goto child_fail;
2040 }
2041
2042 fd = safe_close(fd);
2043 }
2044
2045 /* First write the GID map */
2046 a = procfs_file_alloca(ppid, "gid_map");
2047 fd = open(a, O_WRONLY|O_CLOEXEC);
2048 if (fd < 0) {
2049 r = -errno;
2050 goto child_fail;
2051 }
2052 if (write(fd, gid_map, strlen(gid_map)) < 0) {
2053 r = -errno;
2054 goto child_fail;
2055 }
2056 fd = safe_close(fd);
2057
2058 /* The write the UID map */
2059 a = procfs_file_alloca(ppid, "uid_map");
2060 fd = open(a, O_WRONLY|O_CLOEXEC);
2061 if (fd < 0) {
2062 r = -errno;
2063 goto child_fail;
2064 }
2065 if (write(fd, uid_map, strlen(uid_map)) < 0) {
2066 r = -errno;
2067 goto child_fail;
2068 }
2069
2070 _exit(EXIT_SUCCESS);
2071
2072 child_fail:
2073 (void) write(errno_pipe[1], &r, sizeof(r));
2074 _exit(EXIT_FAILURE);
2075 }
2076
2077 errno_pipe[1] = safe_close(errno_pipe[1]);
2078
2079 if (unshare(CLONE_NEWUSER) < 0)
2080 return -errno;
2081
2082 /* Let the child know that the namespace is ready now */
2083 if (write(unshare_ready_fd, &c, sizeof(c)) < 0)
2084 return -errno;
2085
2086 /* Try to read an error code from the child */
2087 n = read(errno_pipe[0], &r, sizeof(r));
2088 if (n < 0)
2089 return -errno;
2090 if (n == sizeof(r)) { /* an error code was sent to us */
2091 if (r < 0)
2092 return r;
2093 return -EIO;
2094 }
2095 if (n != 0) /* on success we should have read 0 bytes */
2096 return -EIO;
2097
2e87a1fd
LP		 2098 r = wait_for_terminate_and_check("(sd-userns)", pid, 0);
2099 pid = 0;
d251207d
LP		 2100 if (r < 0)
2101 return r;
2e87a1fd 2102 if (r != EXIT_SUCCESS) /* If something strange happened with the child, let's consider this fatal, too */
d251207d
LP		 2103 return -EIO;
2104
2105 return 0;
2106}
2107
494d0247
YW		 2108static bool exec_directory_is_private(const ExecContext *context, ExecDirectoryType type) {
2109 if (!context->dynamic_user)
2110 return false;
2111
2112 if (type == EXEC_DIRECTORY_CONFIGURATION)
2113 return false;
2114
2115 if (type == EXEC_DIRECTORY_RUNTIME && context->runtime_directory_preserve_mode == EXEC_PRESERVE_NO)
2116 return false;
2117
2118 return true;
2119}
2120
3536f49e 2121static int setup_exec_directory(
07689d5d
LP		 2122 const ExecContext *context,
2123 const ExecParameters *params,
2124 uid_t uid,
3536f49e 2125 gid_t gid,
3536f49e
YW		 2126 ExecDirectoryType type,
2127 int *exit_status) {
07689d5d 2128
72fd1768 2129 static const int exit_status_table[_EXEC_DIRECTORY_TYPE_MAX] = {
3536f49e
YW		 2130 [EXEC_DIRECTORY_RUNTIME] = EXIT_RUNTIME_DIRECTORY,
2131 [EXEC_DIRECTORY_STATE] = EXIT_STATE_DIRECTORY,
2132 [EXEC_DIRECTORY_CACHE] = EXIT_CACHE_DIRECTORY,
2133 [EXEC_DIRECTORY_LOGS] = EXIT_LOGS_DIRECTORY,
2134 [EXEC_DIRECTORY_CONFIGURATION] = EXIT_CONFIGURATION_DIRECTORY,
2135 };
07689d5d
LP		 2136 char **rt;
2137 int r;
2138
2139 assert(context);
2140 assert(params);
72fd1768 2141 assert(type >= 0 && type < _EXEC_DIRECTORY_TYPE_MAX);
3536f49e 2142 assert(exit_status);
07689d5d 2143
3536f49e
YW		 2144 if (!params->prefix[type])
2145 return 0;
2146
8679efde 2147 if (params->flags & EXEC_CHOWN_DIRECTORIES) {
3536f49e
YW		 2148 if (!uid_is_valid(uid))
2149 uid = 0;
2150 if (!gid_is_valid(gid))
2151 gid = 0;
2152 }
2153
2154 STRV_FOREACH(rt, context->directories[type].paths) {
6c47cd7d 2155 _cleanup_free_ char *p = NULL, *pp = NULL;
07689d5d 2156
edbfeb12 2157 p = path_join(params->prefix[type], *rt);
3536f49e
YW		 2158 if (!p) {
2159 r = -ENOMEM;
2160 goto fail;
2161 }
07689d5d 2162
23a7448e
YW		 2163 r = mkdir_parents_label(p, 0755);
2164 if (r < 0)
3536f49e 2165 goto fail;
23a7448e 2166
494d0247 2167 if (exec_directory_is_private(context, type)) {
6c9c51e5 2168 _cleanup_free_ char *private_root = NULL;
6c47cd7d 2169
3f5b1508
LP		 2170 /* So, here's one extra complication when dealing with DynamicUser=1 units. In that
2171 * case we want to avoid leaving a directory around fully accessible that is owned by
2172 * a dynamic user whose UID is later on reused. To lock this down we use the same
2173 * trick used by container managers to prohibit host users to get access to files of
2174 * the same UID in containers: we place everything inside a directory that has an
2175 * access mode of 0700 and is owned root:root, so that it acts as security boundary
2176 * for unprivileged host code. We then use fs namespacing to make this directory
2177 * permeable for the service itself.
6c47cd7d 2178 *
3f5b1508
LP		 2179 * Specifically: for a service which wants a special directory "foo/" we first create
2180 * a directory "private/" with access mode 0700 owned by root:root. Then we place
2181 * "foo" inside of that directory (i.e. "private/foo/"), and make "foo" a symlink to
2182 * "private/foo". This way, privileged host users can access "foo/" as usual, but
2183 * unprivileged host users can't look into it. Inside of the namespace of the unit
2184 * "private/" is replaced by a more liberally accessible tmpfs, into which the host's
2185 * "private/foo/" is mounted under the same name, thus disabling the access boundary
2186 * for the service and making sure it only gets access to the dirs it needs but no
2187 * others. Tricky? Yes, absolutely, but it works!
6c47cd7d 2188 *
3f5b1508
LP		 2189 * Note that we don't do this for EXEC_DIRECTORY_CONFIGURATION as that's assumed not
2190 * to be owned by the service itself.
2191 *
2192 * Also, note that we don't do this for EXEC_DIRECTORY_RUNTIME as that's often used
2193 * for sharing files or sockets with other services. */
6c47cd7d 2194
edbfeb12 2195 private_root = path_join(params->prefix[type], "private");
6c47cd7d
LP		 2196 if (!private_root) {
2197 r = -ENOMEM;
2198 goto fail;
2199 }
2200
2201 /* First set up private root if it doesn't exist yet, with access mode 0700 and owned by root:root */
37c1d5e9 2202 r = mkdir_safe_label(private_root, 0700, 0, 0, MKDIR_WARN_MODE);
6c47cd7d
LP		 2203 if (r < 0)
2204 goto fail;
2205
edbfeb12 2206 pp = path_join(private_root, *rt);
6c47cd7d
LP		 2207 if (!pp) {
2208 r = -ENOMEM;
2209 goto fail;
2210 }
2211
2212 /* Create all directories between the configured directory and this private root, and mark them 0755 */
2213 r = mkdir_parents_label(pp, 0755);
2214 if (r < 0)
2215 goto fail;
2216
949befd3
LP		 2217 if (is_dir(p, false) > 0 &&
2218 (laccess(pp, F_OK) < 0 && errno == ENOENT)) {
2219
2220 /* Hmm, the private directory doesn't exist yet, but the normal one exists? If so, move
2221 * it over. Most likely the service has been upgraded from one that didn't use
2222 * DynamicUser=1, to one that does. */
2223
cf52c45d
LP		 2224 log_info("Found pre-existing public %s= directory %s, migrating to %s.\n"
2225 "Apparently, service previously had DynamicUser= turned off, and has now turned it on.",
2226 exec_directory_type_to_string(type), p, pp);
2227
949befd3
LP		 2228 if (rename(p, pp) < 0) {
2229 r = -errno;
2230 goto fail;
2231 }
2232 } else {
2233 /* Otherwise, create the actual directory for the service */
2234
2235 r = mkdir_label(pp, context->directories[type].mode);
2236 if (r < 0 && r != -EEXIST)
2237 goto fail;
2238 }
6c47cd7d 2239
6c47cd7d 2240 /* And link it up from the original place */
6c9c51e5 2241 r = symlink_idempotent(pp, p, true);
6c47cd7d
LP		 2242 if (r < 0)
2243 goto fail;
2244
6c47cd7d 2245 } else {
5c6d40d1
LP		 2246 _cleanup_free_ char *target = NULL;
2247
2248 if (type != EXEC_DIRECTORY_CONFIGURATION &&
2249 readlink_and_make_absolute(p, &target) >= 0) {
578dc69f 2250 _cleanup_free_ char *q = NULL, *q_resolved = NULL, *target_resolved = NULL;
5c6d40d1
LP		 2251
2252 /* This already exists and is a symlink? Interesting. Maybe it's one created
2193f17c
LP		 2253 * by DynamicUser=1 (see above)?
2254 *
2255 * We do this for all directory types except for ConfigurationDirectory=,
2256 * since they all support the private/ symlink logic at least in some
2257 * configurations, see above. */
5c6d40d1 2258
578dc69f
YW		 2259 r = chase_symlinks(target, NULL, 0, &target_resolved, NULL);
2260 if (r < 0)
2261 goto fail;
2262
5c6d40d1
LP		 2263 q = path_join(params->prefix[type], "private", *rt);
2264 if (!q) {
2265 r = -ENOMEM;
2266 goto fail;
2267 }
2268
578dc69f
YW		 2269 /* /var/lib or friends may be symlinks. So, let's chase them also. */
2270 r = chase_symlinks(q, NULL, CHASE_NONEXISTENT, &q_resolved, NULL);
2271 if (r < 0)
2272 goto fail;
2273
2274 if (path_equal(q_resolved, target_resolved)) {
5c6d40d1
LP		 2275
2276 /* Hmm, apparently DynamicUser= was once turned on for this service,
2277 * but is no longer. Let's move the directory back up. */
2278
cf52c45d
LP		 2279 log_info("Found pre-existing private %s= directory %s, migrating to %s.\n"
2280 "Apparently, service previously had DynamicUser= turned on, and has now turned it off.",
2281 exec_directory_type_to_string(type), q, p);
2282
5c6d40d1
LP		 2283 if (unlink(p) < 0) {
2284 r = -errno;
2285 goto fail;
2286 }
2287
2288 if (rename(q, p) < 0) {
2289 r = -errno;
2290 goto fail;
2291 }
2292 }
2293 }
2294
6c47cd7d 2295 r = mkdir_label(p, context->directories[type].mode);
d484580c 2296 if (r < 0) {
d484580c
LP		 2297 if (r != -EEXIST)
2298 goto fail;
2299
206e9864
LP		 2300 if (type == EXEC_DIRECTORY_CONFIGURATION) {
2301 struct stat st;
2302
2303 /* Don't change the owner/access mode of the configuration directory,
2304 * as in the common case it is not written to by a service, and shall
2305 * not be writable. */
2306
2307 if (stat(p, &st) < 0) {
2308 r = -errno;
2309 goto fail;
2310 }
2311
2312 /* Still complain if the access mode doesn't match */
2313 if (((st.st_mode ^ context->directories[type].mode) & 07777) != 0)
2314 log_warning("%s \'%s\' already exists but the mode is different. "
2315 "(File system: %o %sMode: %o)",
2316 exec_directory_type_to_string(type), *rt,
2317 st.st_mode & 07777, exec_directory_type_to_string(type), context->directories[type].mode & 07777);
2318
6cff72eb 2319 continue;
206e9864 2320 }
6cff72eb 2321 }
a1164ae3 2322 }
07689d5d 2323
206e9864 2324 /* Lock down the access mode (we use chmod_and_chown() to make this idempotent. We don't
5238e957 2325 * specify UID/GID here, so that path_chown_recursive() can optimize things depending on the
206e9864
LP		 2326 * current UID/GID ownership.) */
2327 r = chmod_and_chown(pp ?: p, context->directories[type].mode, UID_INVALID, GID_INVALID);
2328 if (r < 0)
2329 goto fail;
c71b2eb7 2330
607b358e
LP		 2331 /* Then, change the ownership of the whole tree, if necessary. When dynamic users are used we
2332 * drop the suid/sgid bits, since we really don't want SUID/SGID files for dynamic UID/GID
2333 * assignments to exist.*/
2334 r = path_chown_recursive(pp ?: p, uid, gid, context->dynamic_user ? 01777 : 07777);
07689d5d 2335 if (r < 0)
3536f49e 2336 goto fail;
07689d5d
LP		 2337 }
2338
2339 return 0;
3536f49e
YW		 2340
2341fail:
2342 *exit_status = exit_status_table[type];
3536f49e 2343 return r;
07689d5d
LP		 2344}
2345
92b423b9 2346#if ENABLE_SMACK
cefc33ae
LP		 2347static int setup_smack(
2348 const ExecContext *context,
2349 const ExecCommand *command) {
2350
cefc33ae
LP		 2351 int r;
2352
2353 assert(context);
2354 assert(command);
2355
cefc33ae
LP		 2356 if (context->smack_process_label) {
2357 r = mac_smack_apply_pid(0, context->smack_process_label);
2358 if (r < 0)
2359 return r;
2360 }
2361#ifdef SMACK_DEFAULT_PROCESS_LABEL
2362 else {
2363 _cleanup_free_ char *exec_label = NULL;
2364
2365 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
4c701096 2366 if (r < 0 && !IN_SET(r, -ENODATA, -EOPNOTSUPP))
cefc33ae
LP		 2367 return r;
2368
2369 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
2370 if (r < 0)
2371 return r;
2372 }
cefc33ae
LP		 2373#endif
2374
2375 return 0;
2376}
92b423b9 2377#endif
cefc33ae 2378
6c47cd7d
LP		 2379static int compile_bind_mounts(
2380 const ExecContext *context,
2381 const ExecParameters *params,
2382 BindMount **ret_bind_mounts,
da6053d0 2383 size_t *ret_n_bind_mounts,
6c47cd7d
LP		 2384 char ***ret_empty_directories) {
2385
2386 _cleanup_strv_free_ char **empty_directories = NULL;
2387 BindMount *bind_mounts;
da6053d0 2388 size_t n, h = 0, i;
6c47cd7d
LP		 2389 ExecDirectoryType t;
2390 int r;
2391
2392 assert(context);
2393 assert(params);
2394 assert(ret_bind_mounts);
2395 assert(ret_n_bind_mounts);
2396 assert(ret_empty_directories);
2397
2398 n = context->n_bind_mounts;
2399 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
2400 if (!params->prefix[t])
2401 continue;
2402
2403 n += strv_length(context->directories[t].paths);
2404 }
2405
2406 if (n <= 0) {
2407 *ret_bind_mounts = NULL;
2408 *ret_n_bind_mounts = 0;
2409 *ret_empty_directories = NULL;
2410 return 0;
2411 }
2412
2413 bind_mounts = new(BindMount, n);
2414 if (!bind_mounts)
2415 return -ENOMEM;
2416
a8cabc61 2417 for (i = 0; i < context->n_bind_mounts; i++) {
6c47cd7d
LP		 2418 BindMount *item = context->bind_mounts + i;
2419 char *s, *d;
2420
2421 s = strdup(item->source);
2422 if (!s) {
2423 r = -ENOMEM;
2424 goto finish;
2425 }
2426
2427 d = strdup(item->destination);
2428 if (!d) {
2429 free(s);
2430 r = -ENOMEM;
2431 goto finish;
2432 }
2433
2434 bind_mounts[h++] = (BindMount) {
2435 .source = s,
2436 .destination = d,
2437 .read_only = item->read_only,
2438 .recursive = item->recursive,
2439 .ignore_enoent = item->ignore_enoent,
2440 };
2441 }
2442
2443 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
2444 char **suffix;
2445
2446 if (!params->prefix[t])
2447 continue;
2448
2449 if (strv_isempty(context->directories[t].paths))
2450 continue;
2451
494d0247 2452 if (exec_directory_is_private(context, t) &&
5609f688 2453 !(context->root_directory || context->root_image)) {
6c47cd7d
LP		 2454 char *private_root;
2455
2456 /* So this is for a dynamic user, and we need to make sure the process can access its own
2457 * directory. For that we overmount the usually inaccessible "private" subdirectory with a
2458 * tmpfs that makes it accessible and is empty except for the submounts we do this for. */
2459
657ee2d8 2460 private_root = path_join(params->prefix[t], "private");
6c47cd7d
LP		 2461 if (!private_root) {
2462 r = -ENOMEM;
2463 goto finish;
2464 }
2465
2466 r = strv_consume(&empty_directories, private_root);
a635a7ae 2467 if (r < 0)
6c47cd7d 2468 goto finish;
6c47cd7d
LP		 2469 }
2470
2471 STRV_FOREACH(suffix, context->directories[t].paths) {
2472 char *s, *d;
2473
494d0247 2474 if (exec_directory_is_private(context, t))
657ee2d8 2475 s = path_join(params->prefix[t], "private", *suffix);
6c47cd7d 2476 else
657ee2d8 2477 s = path_join(params->prefix[t], *suffix);
6c47cd7d
LP		 2478 if (!s) {
2479 r = -ENOMEM;
2480 goto finish;
2481 }
2482
494d0247 2483 if (exec_directory_is_private(context, t) &&
5609f688
YW		 2484 (context->root_directory || context->root_image))
2485 /* When RootDirectory= or RootImage= are set, then the symbolic link to the private
2486 * directory is not created on the root directory. So, let's bind-mount the directory
2487 * on the 'non-private' place. */
657ee2d8 2488 d = path_join(params->prefix[t], *suffix);
5609f688
YW		 2489 else
2490 d = strdup(s);
6c47cd7d
LP		 2491 if (!d) {
2492 free(s);
2493 r = -ENOMEM;
2494 goto finish;
2495 }
2496
2497 bind_mounts[h++] = (BindMount) {
2498 .source = s,
2499 .destination = d,
2500 .read_only = false,
9ce4e4b0 2501 .nosuid = context->dynamic_user, /* don't allow suid/sgid when DynamicUser= is on */
6c47cd7d
LP		 2502 .recursive = true,
2503 .ignore_enoent = false,
2504 };
2505 }
2506 }
2507
2508 assert(h == n);
2509
2510 *ret_bind_mounts = bind_mounts;
2511 *ret_n_bind_mounts = n;
ae2a15bc 2512 *ret_empty_directories = TAKE_PTR(empty_directories);
6c47cd7d
LP		 2513
2514 return (int) n;
2515
2516finish:
2517 bind_mount_free_many(bind_mounts, h);
2518 return r;
2519}
2520
4e677599
LP		 2521static bool insist_on_sandboxing(
2522 const ExecContext *context,
2523 const char *root_dir,
2524 const char *root_image,
2525 const BindMount *bind_mounts,
2526 size_t n_bind_mounts) {
2527
2528 size_t i;
2529
2530 assert(context);
2531 assert(n_bind_mounts == 0 || bind_mounts);
2532
2533 /* Checks whether we need to insist on fs namespacing. i.e. whether we have settings configured that
2534 * would alter the view on the file system beyond making things read-only or invisble, i.e. would
2535 * rearrange stuff in a way we cannot ignore gracefully. */
2536
2537 if (context->n_temporary_filesystems > 0)
2538 return true;
2539
2540 if (root_dir || root_image)
2541 return true;
2542
2543 if (context->dynamic_user)
2544 return true;
2545
2546 /* If there are any bind mounts set that don't map back onto themselves, fs namespacing becomes
2547 * essential. */
2548 for (i = 0; i < n_bind_mounts; i++)
2549 if (!path_equal(bind_mounts[i].source, bind_mounts[i].destination))
2550 return true;
2551
91dd5f7c
LP		 2552 if (context->log_namespace)
2553 return true;
2554
4e677599
LP		 2555 return false;
2556}
2557
6818c54c 2558static int apply_mount_namespace(
34cf6c43
YW		 2559 const Unit *u,
2560 const ExecCommand *command,
6818c54c
LP		 2561 const ExecContext *context,
2562 const ExecParameters *params,
7cc5ef5f
ZJS		 2563 const ExecRuntime *runtime,
2564 char **error_path) {
6818c54c 2565
7bcef4ef 2566 _cleanup_strv_free_ char **empty_directories = NULL;
93c6bb51 2567 char *tmp = NULL, *var = NULL;
915e6d16 2568 const char *root_dir = NULL, *root_image = NULL;
228af36f 2569 NamespaceInfo ns_info;
165a31c0 2570 bool needs_sandboxing;
6c47cd7d 2571 BindMount *bind_mounts = NULL;
da6053d0 2572 size_t n_bind_mounts = 0;
6818c54c 2573 int r;
93c6bb51 2574
2b3c1b9e
DH		 2575 assert(context);
2576
915e6d16
LP		 2577 if (params->flags & EXEC_APPLY_CHROOT) {
2578 root_image = context->root_image;
2579
2580 if (!root_image)
2581 root_dir = context->root_directory;
2582 }
93c6bb51 2583
6c47cd7d
LP		 2584 r = compile_bind_mounts(context, params, &bind_mounts, &n_bind_mounts, &empty_directories);
2585 if (r < 0)
2586 return r;
2587
165a31c0 2588 needs_sandboxing = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & EXEC_COMMAND_FULLY_PRIVILEGED);
ecf63c91
NJ		 2589 if (needs_sandboxing) {
2590 /* The runtime struct only contains the parent of the private /tmp,
2591 * which is non-accessible to world users. Inside of it there's a /tmp
2592 * that is sticky, and that's the one we want to use here. */
2593
2594 if (context->private_tmp && runtime) {
2595 if (runtime->tmp_dir)
2596 tmp = strjoina(runtime->tmp_dir, "/tmp");
2597 if (runtime->var_tmp_dir)
2598 var = strjoina(runtime->var_tmp_dir, "/tmp");
2599 }
2600
b5a33299
YW		 2601 ns_info = (NamespaceInfo) {
2602 .ignore_protect_paths = false,
2603 .private_dev = context->private_devices,
2604 .protect_control_groups = context->protect_control_groups,
2605 .protect_kernel_tunables = context->protect_kernel_tunables,
2606 .protect_kernel_modules = context->protect_kernel_modules,
94a7b275 2607 .protect_kernel_logs = context->protect_kernel_logs,
aecd5ac6 2608 .protect_hostname = context->protect_hostname,
b5a33299 2609 .mount_apivfs = context->mount_apivfs,
228af36f 2610 .private_mounts = context->private_mounts,
b5a33299 2611 };
ecf63c91 2612 } else if (!context->dynamic_user && root_dir)
228af36f
LP		 2613 /*
2614 * If DynamicUser=no and RootDirectory= is set then lets pass a relaxed
2615 * sandbox info, otherwise enforce it, don't ignore protected paths and
2616 * fail if we are enable to apply the sandbox inside the mount namespace.
2617 */
2618 ns_info = (NamespaceInfo) {
2619 .ignore_protect_paths = true,
2620 };
2621 else
2622 ns_info = (NamespaceInfo) {};
b5a33299 2623
37ed15d7
FB		 2624 if (context->mount_flags == MS_SHARED)
2625 log_unit_debug(u, "shared mount propagation hidden by other fs namespacing unit settings: ignoring");
2626
915e6d16 2627 r = setup_namespace(root_dir, root_image,
7bcef4ef 2628 &ns_info, context->read_write_paths,
165a31c0
LP		 2629 needs_sandboxing ? context->read_only_paths : NULL,
2630 needs_sandboxing ? context->inaccessible_paths : NULL,
6c47cd7d
LP		 2631 empty_directories,
2632 bind_mounts,
2633 n_bind_mounts,
2abd4e38
YW		 2634 context->temporary_filesystems,
2635 context->n_temporary_filesystems,
93c6bb51
DH		 2636 tmp,
2637 var,
91dd5f7c 2638 context->log_namespace,
165a31c0
LP		 2639 needs_sandboxing ? context->protect_home : PROTECT_HOME_NO,
2640 needs_sandboxing ? context->protect_system : PROTECT_SYSTEM_NO,
915e6d16 2641 context->mount_flags,
8d251485 2642 DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK,
7cc5ef5f 2643 error_path);
93c6bb51 2644
1beab8b0 2645 /* If we couldn't set up the namespace this is probably due to a missing capability. setup_namespace() reports
5238e957 2646 * that with a special, recognizable error ENOANO. In this case, silently proceed, but only if exclusively
1beab8b0
LP		 2647 * sandboxing options were used, i.e. nothing such as RootDirectory= or BindMount= that would result in a
2648 * completely different execution environment. */
aca835ed 2649 if (r == -ENOANO) {
4e677599
LP		 2650 if (insist_on_sandboxing(
2651 context,
2652 root_dir, root_image,
2653 bind_mounts,
2654 n_bind_mounts)) {
2655 log_unit_debug(u, "Failed to set up namespace, and refusing to continue since the selected namespacing options alter mount environment non-trivially.\n"
2656 "Bind mounts: %zu, temporary filesystems: %zu, root directory: %s, root image: %s, dynamic user: %s",
2657 n_bind_mounts, context->n_temporary_filesystems, yes_no(root_dir), yes_no(root_image), yes_no(context->dynamic_user));
2658
2659 r = -EOPNOTSUPP;
2660 } else {
aca835ed 2661 log_unit_debug(u, "Failed to set up namespace, assuming containerized execution and ignoring.");
4e677599 2662 r = 0;
aca835ed 2663 }
93c6bb51
DH		 2664 }
2665
4e677599 2666 bind_mount_free_many(bind_mounts, n_bind_mounts);
93c6bb51
DH		 2667 return r;
2668}
2669
915e6d16
LP		 2670static int apply_working_directory(
2671 const ExecContext *context,
2672 const ExecParameters *params,
2673 const char *home,
376fecf6 2674 int *exit_status) {
915e6d16 2675
6732edab 2676 const char *d, *wd;
2b3c1b9e
DH		 2677
2678 assert(context);
376fecf6 2679 assert(exit_status);
2b3c1b9e 2680
6732edab
LP		 2681 if (context->working_directory_home) {
2682
376fecf6
LP		 2683 if (!home) {
2684 *exit_status = EXIT_CHDIR;
6732edab 2685 return -ENXIO;
376fecf6 2686 }
6732edab 2687
2b3c1b9e 2688 wd = home;
6732edab
LP		 2689
2690 } else if (context->working_directory)
2b3c1b9e
DH		 2691 wd = context->working_directory;
2692 else
2693 wd = "/";
e7f1e7c6 2694
fa97f630 2695 if (params->flags & EXEC_APPLY_CHROOT)
2b3c1b9e 2696 d = wd;
fa97f630 2697 else
3b0e5bb5 2698 d = prefix_roota(context->root_directory, wd);
e7f1e7c6 2699
376fecf6
LP		 2700 if (chdir(d) < 0 && !context->working_directory_missing_ok) {
2701 *exit_status = EXIT_CHDIR;
2b3c1b9e 2702 return -errno;
376fecf6 2703 }
e7f1e7c6
DH		 2704
2705 return 0;
2706}
2707
fa97f630
JB		 2708static int apply_root_directory(
2709 const ExecContext *context,
2710 const ExecParameters *params,
2711 const bool needs_mount_ns,
2712 int *exit_status) {
2713
2714 assert(context);
2715 assert(exit_status);
2716
2717 if (params->flags & EXEC_APPLY_CHROOT) {
2718 if (!needs_mount_ns && context->root_directory)
2719 if (chroot(context->root_directory) < 0) {
2720 *exit_status = EXIT_CHROOT;
2721 return -errno;
2722 }
2723 }
2724
2725 return 0;
2726}
2727
b1edf445 2728static int setup_keyring(
34cf6c43 2729 const Unit *u,
b1edf445
LP		 2730 const ExecContext *context,
2731 const ExecParameters *p,
2732 uid_t uid, gid_t gid) {
2733
74dd6b51 2734 key_serial_t keyring;
e64c2d0b
DJL		 2735 int r = 0;
2736 uid_t saved_uid;
2737 gid_t saved_gid;
74dd6b51
LP		 2738
2739 assert(u);
b1edf445 2740 assert(context);
74dd6b51
LP		 2741 assert(p);
2742
2743 /* Let's set up a new per-service "session" kernel keyring for each system service. This has the benefit that
2744 * each service runs with its own keyring shared among all processes of the service, but with no hook-up beyond
2745 * that scope, and in particular no link to the per-UID keyring. If we don't do this the keyring will be
2746 * automatically created on-demand and then linked to the per-UID keyring, by the kernel. The kernel's built-in
2747 * on-demand behaviour is very appropriate for login users, but probably not so much for system services, where
2748 * UIDs are not necessarily specific to a service but reused (at least in the case of UID 0). */
2749
b1edf445
LP		 2750 if (context->keyring_mode == EXEC_KEYRING_INHERIT)
2751 return 0;
2752
e64c2d0b
DJL		 2753 /* Acquiring a reference to the user keyring is nasty. We briefly change identity in order to get things set up
2754 * properly by the kernel. If we don't do that then we can't create it atomically, and that sucks for parallel
2755 * execution. This mimics what pam_keyinit does, too. Setting up session keyring, to be owned by the right user
2756 * & group is just as nasty as acquiring a reference to the user keyring. */
2757
2758 saved_uid = getuid();
2759 saved_gid = getgid();
2760
2761 if (gid_is_valid(gid) && gid != saved_gid) {
2762 if (setregid(gid, -1) < 0)
2763 return log_unit_error_errno(u, errno, "Failed to change GID for user keyring: %m");
2764 }
2765
2766 if (uid_is_valid(uid) && uid != saved_uid) {
2767 if (setreuid(uid, -1) < 0) {
2768 r = log_unit_error_errno(u, errno, "Failed to change UID for user keyring: %m");
2769 goto out;
2770 }
2771 }
2772
74dd6b51
LP		 2773 keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0);
2774 if (keyring == -1) {
2775 if (errno == ENOSYS)
8002fb97 2776 log_unit_debug_errno(u, errno, "Kernel keyring not supported, ignoring.");
74dd6b51 2777 else if (IN_SET(errno, EACCES, EPERM))
8002fb97 2778 log_unit_debug_errno(u, errno, "Kernel keyring access prohibited, ignoring.");
74dd6b51 2779 else if (errno == EDQUOT)
8002fb97 2780 log_unit_debug_errno(u, errno, "Out of kernel keyrings to allocate, ignoring.");
74dd6b51 2781 else
e64c2d0b 2782 r = log_unit_error_errno(u, errno, "Setting up kernel keyring failed: %m");
74dd6b51 2783
e64c2d0b 2784 goto out;
74dd6b51
LP		 2785 }
2786
e64c2d0b
DJL		 2787 /* When requested link the user keyring into the session keyring. */
2788 if (context->keyring_mode == EXEC_KEYRING_SHARED) {
2789
2790 if (keyctl(KEYCTL_LINK,
2791 KEY_SPEC_USER_KEYRING,
2792 KEY_SPEC_SESSION_KEYRING, 0, 0) < 0) {
2793 r = log_unit_error_errno(u, errno, "Failed to link user keyring into session keyring: %m");
2794 goto out;
2795 }
2796 }
2797
2798 /* Restore uid/gid back */
2799 if (uid_is_valid(uid) && uid != saved_uid) {
2800 if (setreuid(saved_uid, -1) < 0) {
2801 r = log_unit_error_errno(u, errno, "Failed to change UID back for user keyring: %m");
2802 goto out;
2803 }
2804 }
2805
2806 if (gid_is_valid(gid) && gid != saved_gid) {
2807 if (setregid(saved_gid, -1) < 0)
2808 return log_unit_error_errno(u, errno, "Failed to change GID back for user keyring: %m");
2809 }
2810
2811 /* Populate they keyring with the invocation ID by default, as original saved_uid. */
b3415f5d
LP		 2812 if (!sd_id128_is_null(u->invocation_id)) {
2813 key_serial_t key;
2814
2815 key = add_key("user", "invocation_id", &u->invocation_id, sizeof(u->invocation_id), KEY_SPEC_SESSION_KEYRING);
2816 if (key == -1)
8002fb97 2817 log_unit_debug_errno(u, errno, "Failed to add invocation ID to keyring, ignoring: %m");
b3415f5d
LP		 2818 else {
2819 if (keyctl(KEYCTL_SETPERM, key,
2820 KEY_POS_VIEW|KEY_POS_READ|KEY_POS_SEARCH|
2821 KEY_USR_VIEW|KEY_USR_READ|KEY_USR_SEARCH, 0, 0) < 0)
e64c2d0b 2822 r = log_unit_error_errno(u, errno, "Failed to restrict invocation ID permission: %m");
b3415f5d
LP		 2823 }
2824 }
2825
e64c2d0b
DJL		 2826out:
2827 /* Revert back uid & gid for the the last time, and exit */
2828 /* no extra logging, as only the first already reported error matters */
2829 if (getuid() != saved_uid)
2830 (void) setreuid(saved_uid, -1);
b1edf445 2831
e64c2d0b
DJL		 2832 if (getgid() != saved_gid)
2833 (void) setregid(saved_gid, -1);
b1edf445 2834
e64c2d0b 2835 return r;
74dd6b51
LP		 2836}
2837
3042bbeb 2838static void append_socket_pair(int *array, size_t *n, const int pair[static 2]) {
29206d46
LP		 2839 assert(array);
2840 assert(n);
2caa38e9 2841 assert(pair);
29206d46
LP		 2842
2843 if (pair[0] >= 0)
2844 array[(*n)++] = pair[0];
2845 if (pair[1] >= 0)
2846 array[(*n)++] = pair[1];
2847}
2848
a34ceba6
LP		 2849static int close_remaining_fds(
2850 const ExecParameters *params,
34cf6c43
YW		 2851 const ExecRuntime *runtime,
2852 const DynamicCreds *dcreds,
00d9ef85 2853 int user_lookup_fd,
a34ceba6 2854 int socket_fd,
5686391b 2855 int exec_fd,
5b8d1f6b 2856 const int *fds, size_t n_fds) {
a34ceba6 2857
da6053d0 2858 size_t n_dont_close = 0;
00d9ef85 2859 int dont_close[n_fds + 12];
a34ceba6
LP		 2860
2861 assert(params);
2862
2863 if (params->stdin_fd >= 0)
2864 dont_close[n_dont_close++] = params->stdin_fd;
2865 if (params->stdout_fd >= 0)
2866 dont_close[n_dont_close++] = params->stdout_fd;
2867 if (params->stderr_fd >= 0)
2868 dont_close[n_dont_close++] = params->stderr_fd;
2869
2870 if (socket_fd >= 0)
2871 dont_close[n_dont_close++] = socket_fd;
5686391b
LP		 2872 if (exec_fd >= 0)
2873 dont_close[n_dont_close++] = exec_fd;
a34ceba6
LP		 2874 if (n_fds > 0) {
2875 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
2876 n_dont_close += n_fds;
2877 }
2878
29206d46
LP		 2879 if (runtime)
2880 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
2881
2882 if (dcreds) {
2883 if (dcreds->user)
2884 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
2885 if (dcreds->group)
2886 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
a34ceba6
LP		 2887 }
2888
00d9ef85
LP		 2889 if (user_lookup_fd >= 0)
2890 dont_close[n_dont_close++] = user_lookup_fd;
2891
a34ceba6
LP		 2892 return close_all_fds(dont_close, n_dont_close);
2893}
2894
00d9ef85
LP		 2895static int send_user_lookup(
2896 Unit *unit,
2897 int user_lookup_fd,
2898 uid_t uid,
2899 gid_t gid) {
2900
2901 assert(unit);
2902
2903 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
2904 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
2905 * specified. */
2906
2907 if (user_lookup_fd < 0)
2908 return 0;
2909
2910 if (!uid_is_valid(uid) && !gid_is_valid(gid))
2911 return 0;
2912
2913 if (writev(user_lookup_fd,
2914 (struct iovec[]) {
e6a7ec4b
LP		 2915 IOVEC_INIT(&uid, sizeof(uid)),
2916 IOVEC_INIT(&gid, sizeof(gid)),
2917 IOVEC_INIT_STRING(unit->id) }, 3) < 0)
00d9ef85
LP		 2918 return -errno;
2919
2920 return 0;
2921}
2922
6732edab
LP		 2923static int acquire_home(const ExecContext *c, uid_t uid, const char** home, char **buf) {
2924 int r;
2925
2926 assert(c);
2927 assert(home);
2928 assert(buf);
2929
2930 /* If WorkingDirectory=~ is set, try to acquire a usable home directory. */
2931
2932 if (*home)
2933 return 0;
2934
2935 if (!c->working_directory_home)
2936 return 0;
2937
6732edab
LP		 2938 r = get_home_dir(buf);
2939 if (r < 0)
2940 return r;
2941
2942 *home = *buf;
2943 return 1;
2944}
2945
da50b85a
LP		 2946static int compile_suggested_paths(const ExecContext *c, const ExecParameters *p, char ***ret) {
2947 _cleanup_strv_free_ char ** list = NULL;
2948 ExecDirectoryType t;
2949 int r;
2950
2951 assert(c);
2952 assert(p);
2953 assert(ret);
2954
2955 assert(c->dynamic_user);
2956
2957 /* Compile a list of paths that it might make sense to read the owning UID from to use as initial candidate for
2958 * dynamic UID allocation, in order to save us from doing costly recursive chown()s of the special
2959 * directories. */
2960
2961 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
2962 char **i;
2963
2964 if (t == EXEC_DIRECTORY_CONFIGURATION)
2965 continue;
2966
2967 if (!p->prefix[t])
2968 continue;
2969
2970 STRV_FOREACH(i, c->directories[t].paths) {
2971 char *e;
2972
494d0247 2973 if (exec_directory_is_private(c, t))
657ee2d8 2974 e = path_join(p->prefix[t], "private", *i);
494d0247
YW		 2975 else
2976 e = path_join(p->prefix[t], *i);
da50b85a
LP		 2977 if (!e)
2978 return -ENOMEM;
2979
2980 r = strv_consume(&list, e);
2981 if (r < 0)
2982 return r;
2983 }
2984 }
2985
ae2a15bc 2986 *ret = TAKE_PTR(list);
da50b85a
LP		 2987
2988 return 0;
2989}
2990
34cf6c43
YW		 2991static char *exec_command_line(char **argv);
2992
78f93209
LP		 2993static int exec_parameters_get_cgroup_path(const ExecParameters *params, char **ret) {
2994 bool using_subcgroup;
2995 char *p;
2996
2997 assert(params);
2998 assert(ret);
2999
3000 if (!params->cgroup_path)
3001 return -EINVAL;
3002
3003 /* If we are called for a unit where cgroup delegation is on, and the payload created its own populated
3004 * subcgroup (which we expect it to do, after all it asked for delegation), then we cannot place the control
3005 * processes started after the main unit's process in the unit's main cgroup because it is now an inner one,
3006 * and inner cgroups may not contain processes. Hence, if delegation is on, and this is a control process,
3007 * let's use ".control" as subcgroup instead. Note that we do so only for ExecStartPost=, ExecReload=,
3008 * ExecStop=, ExecStopPost=, i.e. for the commands where the main process is already forked. For ExecStartPre=
3009 * this is not necessary, the cgroup is still empty. We distinguish these cases with the EXEC_CONTROL_CGROUP
3010 * flag, which is only passed for the former statements, not for the latter. */
3011
3012 using_subcgroup = FLAGS_SET(params->flags, EXEC_CONTROL_CGROUP|EXEC_CGROUP_DELEGATE|EXEC_IS_CONTROL);
3013 if (using_subcgroup)
657ee2d8 3014 p = path_join(params->cgroup_path, ".control");
78f93209
LP		 3015 else
3016 p = strdup(params->cgroup_path);
3017 if (!p)
3018 return -ENOMEM;
3019
3020 *ret = p;
3021 return using_subcgroup;
3022}
3023
e2b2fb7f
MS		 3024static int exec_context_cpu_affinity_from_numa(const ExecContext *c, CPUSet *ret) {
3025 _cleanup_(cpu_set_reset) CPUSet s = {};
3026 int r;
3027
3028 assert(c);
3029 assert(ret);
3030
3031 if (!c->numa_policy.nodes.set) {
3032 log_debug("Can't derive CPU affinity mask from NUMA mask because NUMA mask is not set, ignoring");
3033 return 0;
3034 }
3035
3036 r = numa_to_cpu_set(&c->numa_policy, &s);
3037 if (r < 0)
3038 return r;
3039
3040 cpu_set_reset(ret);
3041
3042 return cpu_set_add_all(ret, &s);
3043}
3044
3045bool exec_context_get_cpu_affinity_from_numa(const ExecContext *c) {
3046 assert(c);
3047
3048 return c->cpu_affinity_from_numa;
3049}
3050
ff0af2a1 3051static int exec_child(
f2341e0a 3052 Unit *unit,
34cf6c43 3053 const ExecCommand *command,
ff0af2a1
LP		 3054 const ExecContext *context,
3055 const ExecParameters *params,
3056 ExecRuntime *runtime,
29206d46 3057 DynamicCreds *dcreds,
ff0af2a1 3058 int socket_fd,
2caa38e9 3059 const int named_iofds[static 3],
4c47affc 3060 int *fds,
da6053d0 3061 size_t n_socket_fds,
25b583d7 3062 size_t n_storage_fds,
ff0af2a1 3063 char **files_env,
00d9ef85 3064 int user_lookup_fd,
12145637 3065 int *exit_status) {
d35fbf6b 3066
7ca69792 3067 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **replaced_argv = NULL;
5686391b 3068 int *fds_with_exec_fd, n_fds_with_exec_fd, r, ngids = 0, exec_fd = -1;
4d885bd3
DH		 3069 _cleanup_free_ gid_t *supplementary_gids = NULL;
3070 const char *username = NULL, *groupname = NULL;
5686391b 3071 _cleanup_free_ char *home_buffer = NULL;
2b3c1b9e 3072 const char *home = NULL, *shell = NULL;
7ca69792 3073 char **final_argv = NULL;
7bce046b
LP		 3074 dev_t journal_stream_dev = 0;
3075 ino_t journal_stream_ino = 0;
5749f855 3076 bool userns_set_up = false;
165a31c0
LP		 3077 bool needs_sandboxing, /* Do we need to set up full sandboxing? (i.e. all namespacing, all MAC stuff, caps, yadda yadda */
3078 needs_setuid, /* Do we need to do the actual setresuid()/setresgid() calls? */
3079 needs_mount_namespace, /* Do we need to set up a mount namespace for this kernel? */
3080 needs_ambient_hack; /* Do we need to apply the ambient capabilities hack? */
349cc4a5 3081#if HAVE_SELINUX
7f59dd35 3082 _cleanup_free_ char *mac_selinux_context_net = NULL;
43b1f709 3083 bool use_selinux = false;
ecfbc84f 3084#endif
f9fa32f0 3085#if ENABLE_SMACK
43b1f709 3086 bool use_smack = false;
ecfbc84f 3087#endif
349cc4a5 3088#if HAVE_APPARMOR
43b1f709 3089 bool use_apparmor = false;
ecfbc84f 3090#endif
5749f855
AZ		 3091 uid_t saved_uid = getuid();
3092 gid_t saved_gid = getgid();
fed1e721
LP		 3093 uid_t uid = UID_INVALID;
3094 gid_t gid = GID_INVALID;
da6053d0 3095 size_t n_fds;
3536f49e 3096 ExecDirectoryType dt;
165a31c0 3097 int secure_bits;
afb11bf1
DG		 3098 _cleanup_free_ gid_t *gids_after_pam = NULL;
3099 int ngids_after_pam = 0;
034c6ed7 3100
f2341e0a 3101 assert(unit);
5cb5a6ff
LP		 3102 assert(command);
3103 assert(context);
d35fbf6b 3104 assert(params);
ff0af2a1 3105 assert(exit_status);
d35fbf6b
DM		 3106
3107 rename_process_from_path(command->path);
3108
3109 /* We reset exactly these signals, since they are the
3110 * only ones we set to SIG_IGN in the main daemon. All
3111 * others we leave untouched because we set them to
3112 * SIG_DFL or a valid handler initially, both of which
3113 * will be demoted to SIG_DFL. */
ce30c8dc
LP		 3114 (void) default_signals(SIGNALS_CRASH_HANDLER,
3115 SIGNALS_IGNORE, -1);
d35fbf6b
DM		 3116
3117 if (context->ignore_sigpipe)
ce30c8dc 3118 (void) ignore_signals(SIGPIPE, -1);
d35fbf6b 3119
ff0af2a1
LP		 3120 r = reset_signal_mask();
3121 if (r < 0) {
3122 *exit_status = EXIT_SIGNAL_MASK;
12145637 3123 return log_unit_error_errno(unit, r, "Failed to set process signal mask: %m");
d35fbf6b 3124 }
034c6ed7 3125
d35fbf6b
DM		 3126 if (params->idle_pipe)
3127 do_idle_pipe_dance(params->idle_pipe);
4f2d528d 3128
2c027c62
LP		 3129 /* Close fds we don't need very early to make sure we don't block init reexecution because it cannot bind its
3130 * sockets. Among the fds we close are the logging fds, and we want to keep them closed, so that we don't have
3131 * any fds open we don't really want open during the transition. In order to make logging work, we switch the
3132 * log subsystem into open_when_needed mode, so that it reopens the logs on every single log call. */
ff0af2a1 3133
d35fbf6b 3134 log_forget_fds();
2c027c62 3135 log_set_open_when_needed(true);
4f2d528d 3136
40a80078
LP		 3137 /* In case anything used libc syslog(), close this here, too */
3138 closelog();
3139
5686391b
LP		 3140 n_fds = n_socket_fds + n_storage_fds;
3141 r = close_remaining_fds(params, runtime, dcreds, user_lookup_fd, socket_fd, params->exec_fd, fds, n_fds);
ff0af2a1
LP		 3142 if (r < 0) {
3143 *exit_status = EXIT_FDS;
12145637 3144 return log_unit_error_errno(unit, r, "Failed to close unwanted file descriptors: %m");
8c7be95e
LP		 3145 }
3146
d35fbf6b
DM		 3147 if (!context->same_pgrp)
3148 if (setsid() < 0) {
ff0af2a1 3149 *exit_status = EXIT_SETSID;
12145637 3150 return log_unit_error_errno(unit, errno, "Failed to create new process session: %m");
d35fbf6b 3151 }
9e2f7c11 3152
1e22b5cd 3153 exec_context_tty_reset(context, params);
d35fbf6b 3154
c891efaf 3155 if (unit_shall_confirm_spawn(unit)) {
7d5ceb64 3156 const char *vc = params->confirm_spawn;
3b20f877
FB		 3157 _cleanup_free_ char *cmdline = NULL;
3158
ee39ca20 3159 cmdline = exec_command_line(command->argv);
3b20f877 3160 if (!cmdline) {
0460aa5c 3161 *exit_status = EXIT_MEMORY;
12145637 3162 return log_oom();
3b20f877 3163 }
d35fbf6b 3164
eedf223a 3165 r = ask_for_confirmation(vc, unit, cmdline);
3b20f877
FB		 3166 if (r != CONFIRM_EXECUTE) {
3167 if (r == CONFIRM_PRETEND_SUCCESS) {
3168 *exit_status = EXIT_SUCCESS;
3169 return 0;
3170 }
ff0af2a1 3171 *exit_status = EXIT_CONFIRM;
12145637 3172 log_unit_error(unit, "Execution cancelled by the user");
d35fbf6b 3173 return -ECANCELED;
d35fbf6b
DM		 3174 }
3175 }
1a63a750 3176
d521916d
LP		 3177 /* We are about to invoke NSS and PAM modules. Let's tell them what we are doing here, maybe they care. This is
3178 * used by nss-resolve to disable itself when we are about to start systemd-resolved, to avoid deadlocks. Note
3179 * that these env vars do not survive the execve(), which means they really only apply to the PAM and NSS
3180 * invocations themselves. Also note that while we'll only invoke NSS modules involved in user management they
3181 * might internally call into other NSS modules that are involved in hostname resolution, we never know. */
3182 if (setenv("SYSTEMD_ACTIVATION_UNIT", unit->id, true) != 0 ||
3183 setenv("SYSTEMD_ACTIVATION_SCOPE", MANAGER_IS_SYSTEM(unit->manager) ? "system" : "user", true) != 0) {
3184 *exit_status = EXIT_MEMORY;
3185 return log_unit_error_errno(unit, errno, "Failed to update environment: %m");
3186 }
3187
29206d46 3188 if (context->dynamic_user && dcreds) {
da50b85a 3189 _cleanup_strv_free_ char **suggested_paths = NULL;
29206d46 3190
d521916d
LP		 3191 /* On top of that, make sure we bypass our own NSS module nss-systemd comprehensively for any NSS
3192 * checks, if DynamicUser=1 is used, as we shouldn't create a feedback loop with ourselves here.*/
409093fe
LP		 3193 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
3194 *exit_status = EXIT_USER;
12145637 3195 return log_unit_error_errno(unit, errno, "Failed to update environment: %m");
409093fe
LP		 3196 }
3197
da50b85a
LP		 3198 r = compile_suggested_paths(context, params, &suggested_paths);
3199 if (r < 0) {
3200 *exit_status = EXIT_MEMORY;
3201 return log_oom();
3202 }
3203
3204 r = dynamic_creds_realize(dcreds, suggested_paths, &uid, &gid);
ff0af2a1
LP		 3205 if (r < 0) {
3206 *exit_status = EXIT_USER;
e2b0cc34
YW		 3207 if (r == -EILSEQ) {
3208 log_unit_error(unit, "Failed to update dynamic user credentials: User or group with specified name already exists.");
3209 return -EOPNOTSUPP;
3210 }
12145637 3211 return log_unit_error_errno(unit, r, "Failed to update dynamic user credentials: %m");
524daa8c 3212 }
524daa8c 3213
70dd455c 3214 if (!uid_is_valid(uid)) {
29206d46 3215 *exit_status = EXIT_USER;
12145637 3216 log_unit_error(unit, "UID validation failed for \""UID_FMT"\"", uid);
70dd455c
ZJS		 3217 return -ESRCH;
3218 }
3219
3220 if (!gid_is_valid(gid)) {
3221 *exit_status = EXIT_USER;
12145637 3222 log_unit_error(unit, "GID validation failed for \""GID_FMT"\"", gid);
29206d46
LP		 3223 return -ESRCH;
3224 }
5bc7452b 3225
29206d46
LP		 3226 if (dcreds->user)
3227 username = dcreds->user->name;
3228
3229 } else {
4d885bd3
DH		 3230 r = get_fixed_user(context, &username, &uid, &gid, &home, &shell);
3231 if (r < 0) {
3232 *exit_status = EXIT_USER;
12145637 3233 return log_unit_error_errno(unit, r, "Failed to determine user credentials: %m");
5bc7452b 3234 }
5bc7452b 3235
4d885bd3
DH		 3236 r = get_fixed_group(context, &groupname, &gid);
3237 if (r < 0) {
3238 *exit_status = EXIT_GROUP;
12145637 3239 return log_unit_error_errno(unit, r, "Failed to determine group credentials: %m");
4d885bd3 3240 }
cdc5d5c5 3241 }
29206d46 3242
cdc5d5c5
DH		 3243 /* Initialize user supplementary groups and get SupplementaryGroups= ones */
3244 r = get_supplementary_groups(context, username, groupname, gid,
3245 &supplementary_gids, &ngids);
3246 if (r < 0) {
3247 *exit_status = EXIT_GROUP;
12145637 3248 return log_unit_error_errno(unit, r, "Failed to determine supplementary groups: %m");
29206d46 3249 }
5bc7452b 3250
00d9ef85
LP		 3251 r = send_user_lookup(unit, user_lookup_fd, uid, gid);
3252 if (r < 0) {
3253 *exit_status = EXIT_USER;
12145637 3254 return log_unit_error_errno(unit, r, "Failed to send user credentials to PID1: %m");
00d9ef85
LP		 3255 }
3256
3257 user_lookup_fd = safe_close(user_lookup_fd);
3258
6732edab
LP		 3259 r = acquire_home(context, uid, &home, &home_buffer);
3260 if (r < 0) {
3261 *exit_status = EXIT_CHDIR;
12145637 3262 return log_unit_error_errno(unit, r, "Failed to determine $HOME for user: %m");
6732edab
LP		 3263 }
3264
d35fbf6b
DM		 3265 /* If a socket is connected to STDIN/STDOUT/STDERR, we
3266 * must sure to drop O_NONBLOCK */
3267 if (socket_fd >= 0)
a34ceba6 3268 (void) fd_nonblock(socket_fd, false);
acbb0225 3269
4c70a4a7
MS		 3270 /* Journald will try to look-up our cgroup in order to populate _SYSTEMD_CGROUP and _SYSTEMD_UNIT fields.
3271 * Hence we need to migrate to the target cgroup from init.scope before connecting to journald */
3272 if (params->cgroup_path) {
3273 _cleanup_free_ char *p = NULL;
3274
3275 r = exec_parameters_get_cgroup_path(params, &p);
3276 if (r < 0) {
3277 *exit_status = EXIT_CGROUP;
3278 return log_unit_error_errno(unit, r, "Failed to acquire cgroup path: %m");
3279 }
3280
3281 r = cg_attach_everywhere(params->cgroup_supported, p, 0, NULL, NULL);
3282 if (r < 0) {
3283 *exit_status = EXIT_CGROUP;
3284 return log_unit_error_errno(unit, r, "Failed to attach to cgroup %s: %m", p);
3285 }
3286 }
3287
a8d08f39
LP		 3288 if (context->network_namespace_path && runtime && runtime->netns_storage_socket[0] >= 0) {
3289 r = open_netns_path(runtime->netns_storage_socket, context->network_namespace_path);
3290 if (r < 0) {
3291 *exit_status = EXIT_NETWORK;
3292 return log_unit_error_errno(unit, r, "Failed to open network namespace path %s: %m", context->network_namespace_path);
3293 }
3294 }
3295
52c239d7 3296 r = setup_input(context, params, socket_fd, named_iofds);
ff0af2a1
LP		 3297 if (r < 0) {
3298 *exit_status = EXIT_STDIN;
12145637 3299 return log_unit_error_errno(unit, r, "Failed to set up standard input: %m");
d35fbf6b 3300 }
034c6ed7 3301
52c239d7 3302 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 3303 if (r < 0) {
3304 *exit_status = EXIT_STDOUT;
12145637 3305 return log_unit_error_errno(unit, r, "Failed to set up standard output: %m");
d35fbf6b
DM		 3306 }
3307
52c239d7 3308 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 3309 if (r < 0) {
3310 *exit_status = EXIT_STDERR;
12145637 3311 return log_unit_error_errno(unit, r, "Failed to set up standard error output: %m");
d35fbf6b
DM		 3312 }
3313
d35fbf6b 3314 if (context->oom_score_adjust_set) {
9f8168eb
LP		 3315 /* When we can't make this change due to EPERM, then let's silently skip over it. User namespaces
3316 * prohibit write access to this file, and we shouldn't trip up over that. */
3317 r = set_oom_score_adjust(context->oom_score_adjust);
12145637 3318 if (IN_SET(r, -EPERM, -EACCES))
f2341e0a 3319 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
12145637 3320 else if (r < 0) {
ff0af2a1 3321 *exit_status = EXIT_OOM_ADJUST;
12145637 3322 return log_unit_error_errno(unit, r, "Failed to adjust OOM setting: %m");
613b411c 3323 }
d35fbf6b
DM		 3324 }
3325
39090201
DJL		 3326 if (context->nice_set) {
3327 r = setpriority_closest(context->nice);
3328 if (r < 0)
3329 return log_unit_error_errno(unit, r, "Failed to set up process scheduling priority (nice level): %m");
3330 }
613b411c 3331
d35fbf6b
DM		 3332 if (context->cpu_sched_set) {
3333 struct sched_param param = {
3334 .sched_priority = context->cpu_sched_priority,
3335 };
3336
ff0af2a1
LP		 3337 r = sched_setscheduler(0,
3338 context->cpu_sched_policy |
3339 (context->cpu_sched_reset_on_fork ?
3340 SCHED_RESET_ON_FORK : 0),
3341 &param);
3342 if (r < 0) {
3343 *exit_status = EXIT_SETSCHEDULER;
12145637 3344 return log_unit_error_errno(unit, errno, "Failed to set up CPU scheduling: %m");
fc9b2a84 3345 }
d35fbf6b 3346 }
fc9b2a84 3347
e2b2fb7f
MS		 3348 if (context->cpu_affinity_from_numa || context->cpu_set.set) {
3349 _cleanup_(cpu_set_reset) CPUSet converted_cpu_set = {};
3350 const CPUSet *cpu_set;
3351
3352 if (context->cpu_affinity_from_numa) {
3353 r = exec_context_cpu_affinity_from_numa(context, &converted_cpu_set);
3354 if (r < 0) {
3355 *exit_status = EXIT_CPUAFFINITY;
3356 return log_unit_error_errno(unit, r, "Failed to derive CPU affinity mask from NUMA mask: %m");
3357 }
3358
3359 cpu_set = &converted_cpu_set;
3360 } else
3361 cpu_set = &context->cpu_set;
3362
3363 if (sched_setaffinity(0, cpu_set->allocated, cpu_set->set) < 0) {
ff0af2a1 3364 *exit_status = EXIT_CPUAFFINITY;
12145637 3365 return log_unit_error_errno(unit, errno, "Failed to set up CPU affinity: %m");
034c6ed7 3366 }
e2b2fb7f 3367 }
034c6ed7 3368
b070c7c0
MS		 3369 if (mpol_is_valid(numa_policy_get_type(&context->numa_policy))) {
3370 r = apply_numa_policy(&context->numa_policy);
3371 if (r == -EOPNOTSUPP)
33fe9e3f 3372 log_unit_debug_errno(unit, r, "NUMA support not available, ignoring.");
b070c7c0
MS		 3373 else if (r < 0) {
3374 *exit_status = EXIT_NUMA_POLICY;
3375 return log_unit_error_errno(unit, r, "Failed to set NUMA memory policy: %m");
3376 }
3377 }
3378
d35fbf6b
DM		 3379 if (context->ioprio_set)
3380 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
ff0af2a1 3381 *exit_status = EXIT_IOPRIO;
12145637 3382 return log_unit_error_errno(unit, errno, "Failed to set up IO scheduling priority: %m");
d35fbf6b 3383 }
da726a4d 3384
d35fbf6b
DM		 3385 if (context->timer_slack_nsec != NSEC_INFINITY)
3386 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
ff0af2a1 3387 *exit_status = EXIT_TIMERSLACK;
12145637 3388 return log_unit_error_errno(unit, errno, "Failed to set up timer slack: %m");
4c2630eb 3389 }
9eba9da4 3390
21022b9d
LP		 3391 if (context->personality != PERSONALITY_INVALID) {
3392 r = safe_personality(context->personality);
3393 if (r < 0) {
ff0af2a1 3394 *exit_status = EXIT_PERSONALITY;
12145637 3395 return log_unit_error_errno(unit, r, "Failed to set up execution domain (personality): %m");
4c2630eb 3396 }
21022b9d 3397 }
94f04347 3398
d35fbf6b 3399 if (context->utmp_id)
df0ff127 3400 utmp_put_init_process(context->utmp_id, getpid_cached(), getsid(0),
6a93917d 3401 context->tty_path,
023a4f67
LP		 3402 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
3403 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
3404 USER_PROCESS,
6a93917d 3405 username);
d35fbf6b 3406
08f67696 3407 if (uid_is_valid(uid)) {
ff0af2a1
LP		 3408 r = chown_terminal(STDIN_FILENO, uid);
3409 if (r < 0) {
3410 *exit_status = EXIT_STDIN;
12145637 3411 return log_unit_error_errno(unit, r, "Failed to change ownership of terminal: %m");
071830ff 3412 }
d35fbf6b 3413 }
8e274523 3414
4e1dfa45 3415 /* If delegation is enabled we'll pass ownership of the cgroup to the user of the new process. On cgroup v1
62b9bb26 3416 * this is only about systemd's own hierarchy, i.e. not the controller hierarchies, simply because that's not
4e1dfa45 3417 * safe. On cgroup v2 there's only one hierarchy anyway, and delegation is safe there, hence in that case only
62b9bb26 3418 * touch a single hierarchy too. */
584b8688 3419 if (params->cgroup_path && context->user && (params->flags & EXEC_CGROUP_DELEGATE)) {
62b9bb26 3420 r = cg_set_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, uid, gid);
ff0af2a1
LP		 3421 if (r < 0) {
3422 *exit_status = EXIT_CGROUP;
12145637 3423 return log_unit_error_errno(unit, r, "Failed to adjust control group access: %m");
034c6ed7 3424 }
d35fbf6b 3425 }
034c6ed7 3426
72fd1768 3427 for (dt = 0; dt < _EXEC_DIRECTORY_TYPE_MAX; dt++) {
8679efde 3428 r = setup_exec_directory(context, params, uid, gid, dt, exit_status);
12145637
LP		 3429 if (r < 0)
3430 return log_unit_error_errno(unit, r, "Failed to set up special execution directory in %s: %m", params->prefix[dt]);
d35fbf6b 3431 }
94f04347 3432
7bce046b 3433 r = build_environment(
fd63e712 3434 unit,
7bce046b
LP		 3435 context,
3436 params,
3437 n_fds,
3438 home,
3439 username,
3440 shell,
3441 journal_stream_dev,
3442 journal_stream_ino,
3443 &our_env);
2065ca69
JW		 3444 if (r < 0) {
3445 *exit_status = EXIT_MEMORY;
12145637 3446 return log_oom();
2065ca69
JW		 3447 }
3448
3449 r = build_pass_environment(context, &pass_env);
3450 if (r < 0) {
3451 *exit_status = EXIT_MEMORY;
12145637 3452 return log_oom();
2065ca69
JW		 3453 }
3454
3455 accum_env = strv_env_merge(5,
3456 params->environment,
3457 our_env,
3458 pass_env,
3459 context->environment,
44e5d006 3460 files_env);
2065ca69
JW		 3461 if (!accum_env) {
3462 *exit_status = EXIT_MEMORY;
12145637 3463 return log_oom();
2065ca69 3464 }
1280503b 3465 accum_env = strv_env_clean(accum_env);
2065ca69 3466
096424d1 3467 (void) umask(context->umask);
b213e1c1 3468
b1edf445 3469 r = setup_keyring(unit, context, params, uid, gid);
74dd6b51
LP		 3470 if (r < 0) {
3471 *exit_status = EXIT_KEYRING;
12145637 3472 return log_unit_error_errno(unit, r, "Failed to set up kernel keyring: %m");
74dd6b51
LP		 3473 }
3474
165a31c0 3475 /* We need sandboxing if the caller asked us to apply it and the command isn't explicitly excepted from it */
1703fa41 3476 needs_sandboxing = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & EXEC_COMMAND_FULLY_PRIVILEGED);
7f18ef0a 3477
165a31c0
LP		 3478 /* We need the ambient capability hack, if the caller asked us to apply it and the command is marked for it, and the kernel doesn't actually support ambient caps */
3479 needs_ambient_hack = (params->flags & EXEC_APPLY_SANDBOXING) && (command->flags & EXEC_COMMAND_AMBIENT_MAGIC) && !ambient_capabilities_supported();
7f18ef0a 3480
165a31c0
LP		 3481 /* We need setresuid() if the caller asked us to apply sandboxing and the command isn't explicitly excepted from either whole sandboxing or just setresuid() itself, and the ambient hack is not desired */
3482 if (needs_ambient_hack)
3483 needs_setuid = false;
3484 else
3485 needs_setuid = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & (EXEC_COMMAND_FULLY_PRIVILEGED|EXEC_COMMAND_NO_SETUID));
3486
3487 if (needs_sandboxing) {
7f18ef0a
FK		 3488 /* MAC enablement checks need to be done before a new mount ns is created, as they rely on /sys being
3489 * present. The actual MAC context application will happen later, as late as possible, to avoid
3490 * impacting our own code paths. */
3491
349cc4a5 3492#if HAVE_SELINUX
43b1f709 3493 use_selinux = mac_selinux_use();
7f18ef0a 3494#endif
f9fa32f0 3495#if ENABLE_SMACK
43b1f709 3496 use_smack = mac_smack_use();
7f18ef0a 3497#endif
349cc4a5 3498#if HAVE_APPARMOR
43b1f709 3499 use_apparmor = mac_apparmor_use();
7f18ef0a 3500#endif
165a31c0 3501 }
7f18ef0a 3502
ce932d2d
LP		 3503 if (needs_sandboxing) {
3504 int which_failed;
3505
3506 /* Let's set the resource limits before we call into PAM, so that pam_limits wins over what
3507 * is set here. (See below.) */
3508
3509 r = setrlimit_closest_all((const struct rlimit* const *) context->rlimit, &which_failed);
3510 if (r < 0) {
3511 *exit_status = EXIT_LIMITS;
3512 return log_unit_error_errno(unit, r, "Failed to adjust resource limit RLIMIT_%s: %m", rlimit_to_string(which_failed));
3513 }
3514 }
3515
165a31c0 3516 if (needs_setuid) {
ce932d2d
LP		 3517
3518 /* Let's call into PAM after we set up our own idea of resource limits to that pam_limits
3519 * wins here. (See above.) */
3520
165a31c0
LP		 3521 if (context->pam_name && username) {
3522 r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds);
3523 if (r < 0) {
3524 *exit_status = EXIT_PAM;
12145637 3525 return log_unit_error_errno(unit, r, "Failed to set up PAM session: %m");
165a31c0 3526 }
afb11bf1
DG		 3527
3528 ngids_after_pam = getgroups_alloc(&gids_after_pam);
3529 if (ngids_after_pam < 0) {
3530 *exit_status = EXIT_MEMORY;
3531 return log_unit_error_errno(unit, ngids_after_pam, "Failed to obtain groups after setting up PAM: %m");
3532 }
165a31c0 3533 }
b213e1c1 3534 }
ac45f971 3535
5749f855
AZ		 3536 if (needs_sandboxing) {
3537#if HAVE_SELINUX
3538 if (use_selinux && params->selinux_context_net && socket_fd >= 0) {
3539 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
3540 if (r < 0) {
3541 *exit_status = EXIT_SELINUX_CONTEXT;
3542 return log_unit_error_errno(unit, r, "Failed to determine SELinux context: %m");
3543 }
3544 }
3545#endif
3546
3547 /* If we're unprivileged, set up the user namespace first to enable use of the other namespaces.
3548 * Users with CAP_SYS_ADMIN can set up user namespaces last because they will be able to
3549 * set up the all of the other namespaces (i.e. network, mount, UTS) without a user namespace. */
3550 if (context->private_users && !have_effective_cap(CAP_SYS_ADMIN)) {
3551 userns_set_up = true;
3552 r = setup_private_users(saved_uid, saved_gid, uid, gid);
3553 if (r < 0) {
3554 *exit_status = EXIT_USER;
3555 return log_unit_error_errno(unit, r, "Failed to set up user namespacing for unprivileged user: %m");
3556 }
3557 }
3558 }
3559
a8d08f39
LP		 3560 if ((context->private_network || context->network_namespace_path) && runtime && runtime->netns_storage_socket[0] >= 0) {
3561
6e2d7c4f
MS		 3562 if (ns_type_supported(NAMESPACE_NET)) {
3563 r = setup_netns(runtime->netns_storage_socket);
ee00d1e9
ZJS		 3564 if (r == -EPERM)
3565 log_unit_warning_errno(unit, r,
3566 "PrivateNetwork=yes is configured, but network namespace setup failed, ignoring: %m");
3567 else if (r < 0) {
6e2d7c4f
MS		 3568 *exit_status = EXIT_NETWORK;
3569 return log_unit_error_errno(unit, r, "Failed to set up network namespacing: %m");
3570 }
a8d08f39
LP		 3571 } else if (context->network_namespace_path) {
3572 *exit_status = EXIT_NETWORK;
ee00d1e9
ZJS		 3573 return log_unit_error_errno(unit, SYNTHETIC_ERRNO(EOPNOTSUPP),
3574 "NetworkNamespacePath= is not supported, refusing.");
6e2d7c4f
MS		 3575 } else
3576 log_unit_warning(unit, "PrivateNetwork=yes is configured, but the kernel does not support network namespaces, ignoring.");
d35fbf6b 3577 }
169c1bda 3578
ee818b89 3579 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
ee818b89 3580 if (needs_mount_namespace) {
7cc5ef5f
ZJS		 3581 _cleanup_free_ char *error_path = NULL;
3582
3583 r = apply_mount_namespace(unit, command, context, params, runtime, &error_path);
3fbe8dbe
LP		 3584 if (r < 0) {
3585 *exit_status = EXIT_NAMESPACE;
7cc5ef5f
ZJS		 3586 return log_unit_error_errno(unit, r, "Failed to set up mount namespacing%s%s: %m",
3587 error_path ? ": " : "", strempty(error_path));
3fbe8dbe 3588 }
d35fbf6b 3589 }
81a2b7ce 3590
aecd5ac6
TM		 3591 if (context->protect_hostname) {
3592 if (ns_type_supported(NAMESPACE_UTS)) {
3593 if (unshare(CLONE_NEWUTS) < 0) {
6d19b718
LP		 3594 if (!ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno)) {
3595 *exit_status = EXIT_NAMESPACE;
3596 return log_unit_error_errno(unit, errno, "Failed to set up UTS namespacing: %m");
3597 }
3598
3599 log_unit_warning(unit, "ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.");
aecd5ac6
TM		 3600 }
3601 } else
3602 log_unit_warning(unit, "ProtectHostname=yes is configured, but the kernel does not support UTS namespaces, ignoring namespace setup.");
3603#if HAVE_SECCOMP
3604 r = seccomp_protect_hostname();
3605 if (r < 0) {
3606 *exit_status = EXIT_SECCOMP;
3607 return log_unit_error_errno(unit, r, "Failed to apply hostname restrictions: %m");
3608 }
3609#endif
3610 }
3611
5749f855
AZ		 3612 /* Drop groups as early as possible.
3613 * This needs to be done after PrivateDevices=y setup as device nodes should be owned by the host's root.
3614 * For non-root in a userns, devices will be owned by the user/group before the group change, and nobody. */
165a31c0 3615 if (needs_setuid) {
afb11bf1
DG		 3616 _cleanup_free_ gid_t *gids_to_enforce = NULL;
3617 int ngids_to_enforce = 0;
3618
3619 ngids_to_enforce = merge_gid_lists(supplementary_gids,
3620 ngids,
3621 gids_after_pam,
3622 ngids_after_pam,
3623 &gids_to_enforce);
3624 if (ngids_to_enforce < 0) {
3625 *exit_status = EXIT_MEMORY;
3626 return log_unit_error_errno(unit,
3627 ngids_to_enforce,
3628 "Failed to merge group lists. Group membership might be incorrect: %m");
3629 }
3630
3631 r = enforce_groups(gid, gids_to_enforce, ngids_to_enforce);
096424d1
LP		 3632 if (r < 0) {
3633 *exit_status = EXIT_GROUP;
12145637 3634 return log_unit_error_errno(unit, r, "Changing group credentials failed: %m");
096424d1 3635 }
165a31c0 3636 }
096424d1 3637
5749f855
AZ		 3638 /* If the user namespace was not set up above, try to do it now.
3639 * It's preferred to set up the user namespace later (after all other namespaces) so as not to be
3640 * restricted by rules pertaining to combining user namspaces with other namespaces (e.g. in the
3641 * case of mount namespaces being less privileged when the mount point list is copied from a
3642 * different user namespace). */
9008e1ac 3643
5749f855
AZ		 3644 if (needs_sandboxing && context->private_users && !userns_set_up) {
3645 r = setup_private_users(saved_uid, saved_gid, uid, gid);
3646 if (r < 0) {
3647 *exit_status = EXIT_USER;
3648 return log_unit_error_errno(unit, r, "Failed to set up user namespacing: %m");
d251207d
LP		 3649 }
3650 }
3651
165a31c0 3652 /* We repeat the fd closing here, to make sure that nothing is leaked from the PAM modules. Note that we are
5686391b
LP		 3653 * more aggressive this time since socket_fd and the netns fds we don't need anymore. We do keep the exec_fd
3654 * however if we have it as we want to keep it open until the final execve(). */
3655
3656 if (params->exec_fd >= 0) {
3657 exec_fd = params->exec_fd;
3658
3659 if (exec_fd < 3 + (int) n_fds) {
3660 int moved_fd;
3661
3662 /* Let's move the exec fd far up, so that it's outside of the fd range we want to pass to the
3663 * process we are about to execute. */
3664
3665 moved_fd = fcntl(exec_fd, F_DUPFD_CLOEXEC, 3 + (int) n_fds);
3666 if (moved_fd < 0) {
3667 *exit_status = EXIT_FDS;
3668 return log_unit_error_errno(unit, errno, "Couldn't move exec fd up: %m");
3669 }
3670
3671 safe_close(exec_fd);
3672 exec_fd = moved_fd;
3673 } else {
3674 /* This fd should be FD_CLOEXEC already, but let's make sure. */
3675 r = fd_cloexec(exec_fd, true);
3676 if (r < 0) {
3677 *exit_status = EXIT_FDS;
3678 return log_unit_error_errno(unit, r, "Failed to make exec fd FD_CLOEXEC: %m");
3679 }
3680 }
3681
3682 fds_with_exec_fd = newa(int, n_fds + 1);
7e8d494b 3683 memcpy_safe(fds_with_exec_fd, fds, n_fds * sizeof(int));
5686391b
LP		 3684 fds_with_exec_fd[n_fds] = exec_fd;
3685 n_fds_with_exec_fd = n_fds + 1;
3686 } else {
3687 fds_with_exec_fd = fds;
3688 n_fds_with_exec_fd = n_fds;
3689 }
3690
3691 r = close_all_fds(fds_with_exec_fd, n_fds_with_exec_fd);
ff0af2a1
LP		 3692 if (r >= 0)
3693 r = shift_fds(fds, n_fds);
3694 if (r >= 0)
25b583d7 3695 r = flags_fds(fds, n_socket_fds, n_storage_fds, context->non_blocking);
ff0af2a1
LP		 3696 if (r < 0) {
3697 *exit_status = EXIT_FDS;
12145637 3698 return log_unit_error_errno(unit, r, "Failed to adjust passed file descriptors: %m");
d35fbf6b 3699 }
e66cf1a3 3700
5686391b
LP		 3701 /* At this point, the fds we want to pass to the program are all ready and set up, with O_CLOEXEC turned off
3702 * and at the right fd numbers. The are no other fds open, with one exception: the exec_fd if it is defined,
3703 * and it has O_CLOEXEC set, after all we want it to be closed by the execve(), so that our parent knows we
3704 * came this far. */
3705
165a31c0 3706 secure_bits = context->secure_bits;
e66cf1a3 3707
165a31c0
LP		 3708 if (needs_sandboxing) {
3709 uint64_t bset;
e66cf1a3 3710
ce932d2d
LP		 3711 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly
3712 * requested. (Note this is placed after the general resource limit initialization, see
3713 * above, in order to take precedence.) */
f4170c67
LP		 3714 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
3715 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
3716 *exit_status = EXIT_LIMITS;
12145637 3717 return log_unit_error_errno(unit, errno, "Failed to adjust RLIMIT_RTPRIO resource limit: %m");
f4170c67
LP		 3718 }
3719 }
3720
37ac2744
JB		 3721#if ENABLE_SMACK
3722 /* LSM Smack needs the capability CAP_MAC_ADMIN to change the current execution security context of the
3723 * process. This is the latest place before dropping capabilities. Other MAC context are set later. */
3724 if (use_smack) {
3725 r = setup_smack(context, command);
3726 if (r < 0) {
3727 *exit_status = EXIT_SMACK_PROCESS_LABEL;
3728 return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");
3729 }
3730 }
3731#endif
3732
165a31c0
LP		 3733 bset = context->capability_bounding_set;
3734 /* If the ambient caps hack is enabled (which means the kernel can't do them, and the user asked for
3735 * our magic fallback), then let's add some extra caps, so that the service can drop privs of its own,
3736 * instead of us doing that */
3737 if (needs_ambient_hack)
3738 bset |= (UINT64_C(1) << CAP_SETPCAP) |
3739 (UINT64_C(1) << CAP_SETUID) |
3740 (UINT64_C(1) << CAP_SETGID);
3741
3742 if (!cap_test_all(bset)) {
3743 r = capability_bounding_set_drop(bset, false);
ff0af2a1
LP		 3744 if (r < 0) {
3745 *exit_status = EXIT_CAPABILITIES;
12145637 3746 return log_unit_error_errno(unit, r, "Failed to drop capabilities: %m");
3b8bddde 3747 }
4c2630eb 3748 }
3b8bddde 3749
755d4b67
IP		 3750 /* This is done before enforce_user, but ambient set
3751 * does not survive over setresuid() if keep_caps is not set. */
943800f4 3752 if (!needs_ambient_hack) {
755d4b67
IP		 3753 r = capability_ambient_set_apply(context->capability_ambient_set, true);
3754 if (r < 0) {
3755 *exit_status = EXIT_CAPABILITIES;
12145637 3756 return log_unit_error_errno(unit, r, "Failed to apply ambient capabilities (before UID change): %m");
755d4b67 3757 }
755d4b67 3758 }
165a31c0 3759 }
755d4b67 3760
fa97f630
JB		 3761 /* chroot to root directory first, before we lose the ability to chroot */
3762 r = apply_root_directory(context, params, needs_mount_namespace, exit_status);
3763 if (r < 0)
3764 return log_unit_error_errno(unit, r, "Chrooting to the requested root directory failed: %m");
3765
165a31c0 3766 if (needs_setuid) {
08f67696 3767 if (uid_is_valid(uid)) {
ff0af2a1
LP		 3768 r = enforce_user(context, uid);
3769 if (r < 0) {
3770 *exit_status = EXIT_USER;
12145637 3771 return log_unit_error_errno(unit, r, "Failed to change UID to " UID_FMT ": %m", uid);
5b6319dc 3772 }
165a31c0
LP		 3773
3774 if (!needs_ambient_hack &&
3775 context->capability_ambient_set != 0) {
755d4b67
IP		 3776
3777 /* Fix the ambient capabilities after user change. */
3778 r = capability_ambient_set_apply(context->capability_ambient_set, false);
3779 if (r < 0) {
3780 *exit_status = EXIT_CAPABILITIES;
12145637 3781 return log_unit_error_errno(unit, r, "Failed to apply ambient capabilities (after UID change): %m");
755d4b67
IP		 3782 }
3783
3784 /* If we were asked to change user and ambient capabilities
3785 * were requested, we had to add keep-caps to the securebits
3786 * so that we would maintain the inherited capability set
3787 * through the setresuid(). Make sure that the bit is added
3788 * also to the context secure_bits so that we don't try to
3789 * drop the bit away next. */
3790
7f508f2c 3791 secure_bits |= 1<<SECURE_KEEP_CAPS;
755d4b67 3792 }
5b6319dc 3793 }
165a31c0 3794 }
d35fbf6b 3795
56ef8db9
JB		 3796 /* Apply working directory here, because the working directory might be on NFS and only the user running
3797 * this service might have the correct privilege to change to the working directory */
fa97f630 3798 r = apply_working_directory(context, params, home, exit_status);
56ef8db9
JB		 3799 if (r < 0)
3800 return log_unit_error_errno(unit, r, "Changing to the requested working directory failed: %m");
3801
165a31c0 3802 if (needs_sandboxing) {
37ac2744 3803 /* Apply other MAC contexts late, but before seccomp syscall filtering, as those should really be last to
5cd9cd35
LP		 3804 * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
3805 * syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
3806 * are restricted. */
3807
349cc4a5 3808#if HAVE_SELINUX
43b1f709 3809 if (use_selinux) {
5cd9cd35
LP		 3810 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
3811
3812 if (exec_context) {
3813 r = setexeccon(exec_context);
3814 if (r < 0) {
3815 *exit_status = EXIT_SELINUX_CONTEXT;
12145637 3816 return log_unit_error_errno(unit, r, "Failed to change SELinux context to %s: %m", exec_context);
5cd9cd35
LP		 3817 }
3818 }
3819 }
3820#endif
3821
349cc4a5 3822#if HAVE_APPARMOR
43b1f709 3823 if (use_apparmor && context->apparmor_profile) {
5cd9cd35
LP		 3824 r = aa_change_onexec(context->apparmor_profile);
3825 if (r < 0 && !context->apparmor_profile_ignore) {
3826 *exit_status = EXIT_APPARMOR_PROFILE;
12145637 3827 return log_unit_error_errno(unit, errno, "Failed to prepare AppArmor profile change to %s: %m", context->apparmor_profile);
5cd9cd35
LP		 3828 }
3829 }
3830#endif
3831
165a31c0
LP		 3832 /* PR_GET_SECUREBITS is not privileged, while PR_SET_SECUREBITS is. So to suppress potential EPERMs
3833 * we'll try not to call PR_SET_SECUREBITS unless necessary. */
755d4b67
IP		 3834 if (prctl(PR_GET_SECUREBITS) != secure_bits)
3835 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
ff0af2a1 3836 *exit_status = EXIT_SECUREBITS;
12145637 3837 return log_unit_error_errno(unit, errno, "Failed to set process secure bits: %m");
ff01d048 3838 }
5b6319dc 3839
59eeb84b 3840 if (context_has_no_new_privileges(context))
d35fbf6b 3841 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
ff0af2a1 3842 *exit_status = EXIT_NO_NEW_PRIVILEGES;
12145637 3843 return log_unit_error_errno(unit, errno, "Failed to disable new privileges: %m");
d35fbf6b
DM		 3844 }
3845
349cc4a5 3846#if HAVE_SECCOMP
469830d1
LP		 3847 r = apply_address_families(unit, context);
3848 if (r < 0) {
3849 *exit_status = EXIT_ADDRESS_FAMILIES;
12145637 3850 return log_unit_error_errno(unit, r, "Failed to restrict address families: %m");
4c2630eb 3851 }
04aa0cb9 3852
469830d1
LP		 3853 r = apply_memory_deny_write_execute(unit, context);
3854 if (r < 0) {
3855 *exit_status = EXIT_SECCOMP;
12145637 3856 return log_unit_error_errno(unit, r, "Failed to disable writing to executable memory: %m");
f3e43635 3857 }
f4170c67 3858
469830d1
LP		 3859 r = apply_restrict_realtime(unit, context);
3860 if (r < 0) {
3861 *exit_status = EXIT_SECCOMP;
12145637 3862 return log_unit_error_errno(unit, r, "Failed to apply realtime restrictions: %m");
f4170c67
LP		 3863 }
3864
f69567cb
LP		 3865 r = apply_restrict_suid_sgid(unit, context);
3866 if (r < 0) {
3867 *exit_status = EXIT_SECCOMP;
3868 return log_unit_error_errno(unit, r, "Failed to apply SUID/SGID restrictions: %m");
3869 }
3870
add00535
LP		 3871 r = apply_restrict_namespaces(unit, context);
3872 if (r < 0) {
3873 *exit_status = EXIT_SECCOMP;
12145637 3874 return log_unit_error_errno(unit, r, "Failed to apply namespace restrictions: %m");
add00535
LP		 3875 }
3876
469830d1
LP		 3877 r = apply_protect_sysctl(unit, context);
3878 if (r < 0) {
3879 *exit_status = EXIT_SECCOMP;
12145637 3880 return log_unit_error_errno(unit, r, "Failed to apply sysctl restrictions: %m");
502d704e
DH		 3881 }
3882
469830d1
LP		 3883 r = apply_protect_kernel_modules(unit, context);
3884 if (r < 0) {
3885 *exit_status = EXIT_SECCOMP;
12145637 3886 return log_unit_error_errno(unit, r, "Failed to apply module loading restrictions: %m");
59eeb84b
LP		 3887 }
3888
84703040
KK		 3889 r = apply_protect_kernel_logs(unit, context);
3890 if (r < 0) {
3891 *exit_status = EXIT_SECCOMP;
3892 return log_unit_error_errno(unit, r, "Failed to apply kernel log restrictions: %m");
3893 }
3894
fc64760d
KK		 3895 r = apply_protect_clock(unit, context);
3896 if (r < 0) {
3897 *exit_status = EXIT_SECCOMP;
3898 return log_unit_error_errno(unit, r, "Failed to apply clock restrictions: %m");
3899 }
3900
469830d1
LP		 3901 r = apply_private_devices(unit, context);
3902 if (r < 0) {
3903 *exit_status = EXIT_SECCOMP;
12145637 3904 return log_unit_error_errno(unit, r, "Failed to set up private devices: %m");
469830d1
LP		 3905 }
3906
3907 r = apply_syscall_archs(unit, context);
3908 if (r < 0) {
3909 *exit_status = EXIT_SECCOMP;
12145637 3910 return log_unit_error_errno(unit, r, "Failed to apply syscall architecture restrictions: %m");
ba128bb8
LP		 3911 }
3912
78e864e5
TM		 3913 r = apply_lock_personality(unit, context);
3914 if (r < 0) {
3915 *exit_status = EXIT_SECCOMP;
12145637 3916 return log_unit_error_errno(unit, r, "Failed to lock personalities: %m");
78e864e5
TM		 3917 }
3918
5cd9cd35
LP		 3919 /* This really should remain the last step before the execve(), to make sure our own code is unaffected
3920 * by the filter as little as possible. */
165a31c0 3921 r = apply_syscall_filter(unit, context, needs_ambient_hack);
469830d1
LP		 3922 if (r < 0) {
3923 *exit_status = EXIT_SECCOMP;
12145637 3924 return log_unit_error_errno(unit, r, "Failed to apply system call filters: %m");
d35fbf6b
DM		 3925 }
3926#endif
d35fbf6b 3927 }
034c6ed7 3928
00819cc1
LP		 3929 if (!strv_isempty(context->unset_environment)) {
3930 char **ee = NULL;
3931
3932 ee = strv_env_delete(accum_env, 1, context->unset_environment);
3933 if (!ee) {
3934 *exit_status = EXIT_MEMORY;
12145637 3935 return log_oom();
00819cc1
LP		 3936 }
3937
130d3d22 3938 strv_free_and_replace(accum_env, ee);
00819cc1
LP		 3939 }
3940
7ca69792
AZ		 3941 if (!FLAGS_SET(command->flags, EXEC_COMMAND_NO_ENV_EXPAND)) {
3942 replaced_argv = replace_env_argv(command->argv, accum_env);
3943 if (!replaced_argv) {
3944 *exit_status = EXIT_MEMORY;
3945 return log_oom();
3946 }
3947 final_argv = replaced_argv;
3948 } else
3949 final_argv = command->argv;
034c6ed7 3950
f1d34068 3951 if (DEBUG_LOGGING) {
d35fbf6b 3952 _cleanup_free_ char *line;
81a2b7ce 3953
d35fbf6b 3954 line = exec_command_line(final_argv);
a1230ff9 3955 if (line)
f2341e0a 3956 log_struct(LOG_DEBUG,
f2341e0a
LP		 3957 "EXECUTABLE=%s", command->path,
3958 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
ba360bb0 3959 LOG_UNIT_ID(unit),
a1230ff9 3960 LOG_UNIT_INVOCATION_ID(unit));
d35fbf6b 3961 }
dd305ec9 3962
5686391b
LP		 3963 if (exec_fd >= 0) {
3964 uint8_t hot = 1;
3965
3966 /* We have finished with all our initializations. Let's now let the manager know that. From this point
3967 * on, if the manager sees POLLHUP on the exec_fd, then execve() was successful. */
3968
3969 if (write(exec_fd, &hot, sizeof(hot)) < 0) {
3970 *exit_status = EXIT_EXEC;
3971 return log_unit_error_errno(unit, errno, "Failed to enable exec_fd: %m");
3972 }
3973 }
3974
2065ca69 3975 execve(command->path, final_argv, accum_env);
5686391b
LP		 3976 r = -errno;
3977
3978 if (exec_fd >= 0) {
3979 uint8_t hot = 0;
3980
3981 /* The execve() failed. This means the exec_fd is still open. Which means we need to tell the manager
3982 * that POLLHUP on it no longer means execve() succeeded. */
3983
3984 if (write(exec_fd, &hot, sizeof(hot)) < 0) {
3985 *exit_status = EXIT_EXEC;
3986 return log_unit_error_errno(unit, errno, "Failed to disable exec_fd: %m");
3987 }
3988 }
12145637 3989
5686391b
LP		 3990 if (r == -ENOENT && (command->flags & EXEC_COMMAND_IGNORE_FAILURE)) {
3991 log_struct_errno(LOG_INFO, r,
12145637
LP		 3992 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
3993 LOG_UNIT_ID(unit),
3994 LOG_UNIT_INVOCATION_ID(unit),
3995 LOG_UNIT_MESSAGE(unit, "Executable %s missing, skipping: %m",
3996 command->path),
a1230ff9 3997 "EXECUTABLE=%s", command->path);
12145637
LP		 3998 return 0;
3999 }
4000
ff0af2a1 4001 *exit_status = EXIT_EXEC;
5686391b 4002 return log_unit_error_errno(unit, r, "Failed to execute command: %m");
d35fbf6b 4003}
81a2b7ce 4004
34cf6c43 4005static int exec_context_load_environment(const Unit *unit, const ExecContext *c, char ***l);
2caa38e9 4006static int exec_context_named_iofds(const ExecContext *c, const ExecParameters *p, int named_iofds[static 3]);
34cf6c43 4007
f2341e0a
LP		 4008int exec_spawn(Unit *unit,
4009 ExecCommand *command,
d35fbf6b
DM		 4010 const ExecContext *context,
4011 const ExecParameters *params,
4012 ExecRuntime *runtime,
29206d46 4013 DynamicCreds *dcreds,
d35fbf6b 4014 pid_t *ret) {
8351ceae 4015
ee39ca20 4016 int socket_fd, r, named_iofds[3] = { -1, -1, -1 }, *fds = NULL;
78f93209 4017 _cleanup_free_ char *subcgroup_path = NULL;
d35fbf6b 4018 _cleanup_strv_free_ char **files_env = NULL;
da6053d0 4019 size_t n_storage_fds = 0, n_socket_fds = 0;
ff0af2a1 4020 _cleanup_free_ char *line = NULL;
d35fbf6b 4021 pid_t pid;
8351ceae 4022
f2341e0a 4023 assert(unit);
d35fbf6b
DM		 4024 assert(command);
4025 assert(context);
4026 assert(ret);
4027 assert(params);
25b583d7 4028 assert(params->fds || (params->n_socket_fds + params->n_storage_fds <= 0));
4298d0b5 4029
d35fbf6b
DM		 4030 if (context->std_input == EXEC_INPUT_SOCKET ||
4031 context->std_output == EXEC_OUTPUT_SOCKET ||
4032 context->std_error == EXEC_OUTPUT_SOCKET) {
17df7223 4033
4c47affc 4034 if (params->n_socket_fds > 1) {
f2341e0a 4035 log_unit_error(unit, "Got more than one socket.");
d35fbf6b 4036 return -EINVAL;
ff0af2a1 4037 }
eef65bf3 4038
4c47affc 4039 if (params->n_socket_fds == 0) {
488ab41c
AA		 4040 log_unit_error(unit, "Got no socket.");
4041 return -EINVAL;
4042 }
4043
d35fbf6b
DM		 4044 socket_fd = params->fds[0];
4045 } else {
4046 socket_fd = -1;
4047 fds = params->fds;
9b141911 4048 n_socket_fds = params->n_socket_fds;
25b583d7 4049 n_storage_fds = params->n_storage_fds;
d35fbf6b 4050 }
94f04347 4051
34cf6c43 4052 r = exec_context_named_iofds(context, params, named_iofds);
52c239d7
LB		 4053 if (r < 0)
4054 return log_unit_error_errno(unit, r, "Failed to load a named file descriptor: %m");
4055
f2341e0a 4056 r = exec_context_load_environment(unit, context, &files_env);
ff0af2a1 4057 if (r < 0)
f2341e0a 4058 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
034c6ed7 4059
ee39ca20 4060 line = exec_command_line(command->argv);
d35fbf6b
DM		 4061 if (!line)
4062 return log_oom();
fab56fc5 4063
f2341e0a 4064 log_struct(LOG_DEBUG,
f2341e0a
LP		 4065 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
4066 "EXECUTABLE=%s", command->path,
ba360bb0 4067 LOG_UNIT_ID(unit),
a1230ff9 4068 LOG_UNIT_INVOCATION_ID(unit));
12145637 4069
78f93209
LP		 4070 if (params->cgroup_path) {
4071 r = exec_parameters_get_cgroup_path(params, &subcgroup_path);
4072 if (r < 0)
4073 return log_unit_error_errno(unit, r, "Failed to acquire subcgroup path: %m");
4074 if (r > 0) { /* We are using a child cgroup */
4075 r = cg_create(SYSTEMD_CGROUP_CONTROLLER, subcgroup_path);
4076 if (r < 0)
4077 return log_unit_error_errno(unit, r, "Failed to create control group '%s': %m", subcgroup_path);
4078 }
4079 }
4080
d35fbf6b
DM		 4081 pid = fork();
4082 if (pid < 0)
74129a12 4083 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
d35fbf6b
DM		 4084
4085 if (pid == 0) {
12145637 4086 int exit_status = EXIT_SUCCESS;
ff0af2a1 4087
f2341e0a
LP		 4088 r = exec_child(unit,
4089 command,
ff0af2a1
LP		 4090 context,
4091 params,
4092 runtime,
29206d46 4093 dcreds,
ff0af2a1 4094 socket_fd,
52c239d7 4095 named_iofds,
4c47affc 4096 fds,
9b141911 4097 n_socket_fds,
25b583d7 4098 n_storage_fds,
ff0af2a1 4099 files_env,
00d9ef85 4100 unit->manager->user_lookup_fds[1],
12145637
LP		 4101 &exit_status);
4102
e1714f02
ZJS		 4103 if (r < 0) {
4104 const char *status =
4105 exit_status_to_string(exit_status,
e04ed6db 4106 EXIT_STATUS_LIBC | EXIT_STATUS_SYSTEMD);
e1714f02 4107
12145637
LP		 4108 log_struct_errno(LOG_ERR, r,
4109 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
4110 LOG_UNIT_ID(unit),
4111 LOG_UNIT_INVOCATION_ID(unit),
4112 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
e1714f02 4113 status, command->path),
a1230ff9 4114 "EXECUTABLE=%s", command->path);
e1714f02 4115 }
4c2630eb 4116
ff0af2a1 4117 _exit(exit_status);
034c6ed7
LP		 4118 }
4119
f2341e0a 4120 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
23635a85 4121
78f93209
LP		 4122 /* We add the new process to the cgroup both in the child (so that we can be sure that no user code is ever
4123 * executed outside of the cgroup) and in the parent (so that we can be sure that when we kill the cgroup the
4124 * process will be killed too). */
4125 if (subcgroup_path)
4126 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, subcgroup_path, pid);
2da3263a 4127
b58b4116 4128 exec_status_start(&command->exec_status, pid);
9fb86720 4129
034c6ed7 4130 *ret = pid;
5cb5a6ff
LP		 4131 return 0;
4132}
4133
034c6ed7 4134void exec_context_init(ExecContext *c) {
3536f49e
YW		 4135 ExecDirectoryType i;
4136
034c6ed7
LP		 4137 assert(c);
4138
4c12626c 4139 c->umask = 0022;
9eba9da4 4140 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
94f04347 4141 c->cpu_sched_policy = SCHED_OTHER;
071830ff 4142 c->syslog_priority = LOG_DAEMON|LOG_INFO;
74922904 4143 c->syslog_level_prefix = true;
353e12c2 4144 c->ignore_sigpipe = true;
3a43da28 4145 c->timer_slack_nsec = NSEC_INFINITY;
050f7277 4146 c->personality = PERSONALITY_INVALID;
72fd1768 4147 for (i = 0; i < _EXEC_DIRECTORY_TYPE_MAX; i++)
3536f49e 4148 c->directories[i].mode = 0755;
12213aed 4149 c->timeout_clean_usec = USEC_INFINITY;
a103496c 4150 c->capability_bounding_set = CAP_ALL;
aa9d574d
YW		 4151 assert_cc(NAMESPACE_FLAGS_INITIAL != NAMESPACE_FLAGS_ALL);
4152 c->restrict_namespaces = NAMESPACE_FLAGS_INITIAL;
d3070fbd 4153 c->log_level_max = -1;
b070c7c0 4154 numa_policy_reset(&c->numa_policy);
034c6ed7
LP		 4155}
4156
613b411c 4157void exec_context_done(ExecContext *c) {
3536f49e 4158 ExecDirectoryType i;
d3070fbd 4159 size_t l;
5cb5a6ff
LP		 4160
4161 assert(c);
4162
6796073e
LP		 4163 c->environment = strv_free(c->environment);
4164 c->environment_files = strv_free(c->environment_files);
b4c14404 4165 c->pass_environment = strv_free(c->pass_environment);
00819cc1 4166 c->unset_environment = strv_free(c->unset_environment);
8c7be95e 4167
31ce987c 4168 rlimit_free_all(c->rlimit);
034c6ed7 4169
2038c3f5 4170 for (l = 0; l < 3; l++) {
52c239d7 4171 c->stdio_fdname[l] = mfree(c->stdio_fdname[l]);
2038c3f5
LP		 4172 c->stdio_file[l] = mfree(c->stdio_file[l]);
4173 }
52c239d7 4174
a1e58e8e
LP		 4175 c->working_directory = mfree(c->working_directory);
4176 c->root_directory = mfree(c->root_directory);
915e6d16 4177 c->root_image = mfree(c->root_image);
a1e58e8e
LP		 4178 c->tty_path = mfree(c->tty_path);
4179 c->syslog_identifier = mfree(c->syslog_identifier);
4180 c->user = mfree(c->user);
4181 c->group = mfree(c->group);
034c6ed7 4182
6796073e 4183 c->supplementary_groups = strv_free(c->supplementary_groups);
94f04347 4184
a1e58e8e 4185 c->pam_name = mfree(c->pam_name);
5b6319dc 4186
2a624c36
AP		 4187 c->read_only_paths = strv_free(c->read_only_paths);
4188 c->read_write_paths = strv_free(c->read_write_paths);
4189 c->inaccessible_paths = strv_free(c->inaccessible_paths);
82c121a4 4190
d2d6c096 4191 bind_mount_free_many(c->bind_mounts, c->n_bind_mounts);
8e06d57c
YW		 4192 c->bind_mounts = NULL;
4193 c->n_bind_mounts = 0;
2abd4e38
YW		 4194 temporary_filesystem_free_many(c->temporary_filesystems, c->n_temporary_filesystems);
4195 c->temporary_filesystems = NULL;
4196 c->n_temporary_filesystems = 0;
d2d6c096 4197
0985c7c4 4198 cpu_set_reset(&c->cpu_set);
b070c7c0 4199 numa_policy_reset(&c->numa_policy);
86a3475b 4200
a1e58e8e
LP		 4201 c->utmp_id = mfree(c->utmp_id);
4202 c->selinux_context = mfree(c->selinux_context);
4203 c->apparmor_profile = mfree(c->apparmor_profile);
5b8e1b77 4204 c->smack_process_label = mfree(c->smack_process_label);
eef65bf3 4205
8cfa775f 4206 c->syscall_filter = hashmap_free(c->syscall_filter);
525d3cc7
LP		 4207 c->syscall_archs = set_free(c->syscall_archs);
4208 c->address_families = set_free(c->address_families);
e66cf1a3 4209
72fd1768 4210 for (i = 0; i < _EXEC_DIRECTORY_TYPE_MAX; i++)
3536f49e 4211 c->directories[i].paths = strv_free(c->directories[i].paths);
d3070fbd
LP		 4212
4213 c->log_level_max = -1;
4214
4215 exec_context_free_log_extra_fields(c);
08f3be7a 4216
5ac1530e
ZJS		 4217 c->log_ratelimit_interval_usec = 0;
4218 c->log_ratelimit_burst = 0;
90fc172e 4219
08f3be7a
LP		 4220 c->stdin_data = mfree(c->stdin_data);
4221 c->stdin_data_size = 0;
a8d08f39
LP		 4222
4223 c->network_namespace_path = mfree(c->network_namespace_path);
91dd5f7c
LP		 4224
4225 c->log_namespace = mfree(c->log_namespace);
e66cf1a3
LP		 4226}
4227
34cf6c43 4228int exec_context_destroy_runtime_directory(const ExecContext *c, const char *runtime_prefix) {
e66cf1a3
LP		 4229 char **i;
4230
4231 assert(c);
4232
4233 if (!runtime_prefix)
4234 return 0;
4235
3536f49e 4236 STRV_FOREACH(i, c->directories[EXEC_DIRECTORY_RUNTIME].paths) {
e66cf1a3
LP		 4237 _cleanup_free_ char *p;
4238
494d0247
YW		 4239 if (exec_directory_is_private(c, EXEC_DIRECTORY_RUNTIME))
4240 p = path_join(runtime_prefix, "private", *i);
4241 else
4242 p = path_join(runtime_prefix, *i);
e66cf1a3
LP		 4243 if (!p)
4244 return -ENOMEM;
4245
7bc4bf4a
LP		 4246 /* We execute this synchronously, since we need to be sure this is gone when we start the
4247 * service next. */
c6878637 4248 (void) rm_rf(p, REMOVE_ROOT);
e66cf1a3
LP		 4249 }
4250
4251 return 0;
5cb5a6ff
LP		 4252}
4253
34cf6c43 4254static void exec_command_done(ExecCommand *c) {
43d0fcbd
LP		 4255 assert(c);
4256
a1e58e8e 4257 c->path = mfree(c->path);
6796073e 4258 c->argv = strv_free(c->argv);
43d0fcbd
LP		 4259}
4260
da6053d0
LP		 4261void exec_command_done_array(ExecCommand *c, size_t n) {
4262 size_t i;
43d0fcbd
LP		 4263
4264 for (i = 0; i < n; i++)
4265 exec_command_done(c+i);
4266}
4267
f1acf85a 4268ExecCommand* exec_command_free_list(ExecCommand *c) {
5cb5a6ff
LP		 4269 ExecCommand *i;
4270
4271 while ((i = c)) {
71fda00f 4272 LIST_REMOVE(command, c, i);
43d0fcbd 4273 exec_command_done(i);
5cb5a6ff
LP		 4274 free(i);
4275 }
f1acf85a
ZJS		 4276
4277 return NULL;
5cb5a6ff
LP		 4278}
4279
da6053d0
LP		 4280void exec_command_free_array(ExecCommand **c, size_t n) {
4281 size_t i;
034c6ed7 4282
f1acf85a
ZJS		 4283 for (i = 0; i < n; i++)
4284 c[i] = exec_command_free_list(c[i]);
034c6ed7
LP		 4285}
4286
6a1d4d9f
LP		 4287void exec_command_reset_status_array(ExecCommand *c, size_t n) {
4288 size_t i;
4289
4290 for (i = 0; i < n; i++)
4291 exec_status_reset(&c[i].exec_status);
4292}
4293
4294void exec_command_reset_status_list_array(ExecCommand **c, size_t n) {
4295 size_t i;
4296
4297 for (i = 0; i < n; i++) {
4298 ExecCommand *z;
4299
4300 LIST_FOREACH(command, z, c[i])
4301 exec_status_reset(&z->exec_status);
4302 }
4303}
4304
039f0e70 4305typedef struct InvalidEnvInfo {
34cf6c43 4306 const Unit *unit;
039f0e70
LP		 4307 const char *path;
4308} InvalidEnvInfo;
4309
4310static void invalid_env(const char *p, void *userdata) {
4311 InvalidEnvInfo *info = userdata;
4312
f2341e0a 4313 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
039f0e70
LP		 4314}
4315
52c239d7
LB		 4316const char* exec_context_fdname(const ExecContext *c, int fd_index) {
4317 assert(c);
4318
4319 switch (fd_index) {
5073ff6b 4320
52c239d7
LB		 4321 case STDIN_FILENO:
4322 if (c->std_input != EXEC_INPUT_NAMED_FD)
4323 return NULL;
5073ff6b 4324
52c239d7 4325 return c->stdio_fdname[STDIN_FILENO] ?: "stdin";
5073ff6b 4326
52c239d7
LB		 4327 case STDOUT_FILENO:
4328 if (c->std_output != EXEC_OUTPUT_NAMED_FD)
4329 return NULL;
5073ff6b 4330
52c239d7 4331 return c->stdio_fdname[STDOUT_FILENO] ?: "stdout";
5073ff6b 4332
52c239d7
LB		 4333 case STDERR_FILENO:
4334 if (c->std_error != EXEC_OUTPUT_NAMED_FD)
4335 return NULL;
5073ff6b 4336
52c239d7 4337 return c->stdio_fdname[STDERR_FILENO] ?: "stderr";
5073ff6b 4338
52c239d7
LB		 4339 default:
4340 return NULL;
4341 }
4342}
4343
2caa38e9
LP		 4344static int exec_context_named_iofds(
4345 const ExecContext *c,
4346 const ExecParameters *p,
4347 int named_iofds[static 3]) {
4348
da6053d0 4349 size_t i, targets;
56fbd561 4350 const char* stdio_fdname[3];
da6053d0 4351 size_t n_fds;
52c239d7
LB		 4352
4353 assert(c);
4354 assert(p);
2caa38e9 4355 assert(named_iofds);
52c239d7
LB		 4356
4357 targets = (c->std_input == EXEC_INPUT_NAMED_FD) +
4358 (c->std_output == EXEC_OUTPUT_NAMED_FD) +
4359 (c->std_error == EXEC_OUTPUT_NAMED_FD);
4360
4361 for (i = 0; i < 3; i++)
4362 stdio_fdname[i] = exec_context_fdname(c, i);
4363
4c47affc
FB		 4364 n_fds = p->n_storage_fds + p->n_socket_fds;
4365
4366 for (i = 0; i < n_fds && targets > 0; i++)
56fbd561
ZJS		 4367 if (named_iofds[STDIN_FILENO] < 0 &&
4368 c->std_input == EXEC_INPUT_NAMED_FD &&
4369 stdio_fdname[STDIN_FILENO] &&
4370 streq(p->fd_names[i], stdio_fdname[STDIN_FILENO])) {
4371
52c239d7
LB		 4372 named_iofds[STDIN_FILENO] = p->fds[i];
4373 targets--;
56fbd561
ZJS		 4374
4375 } else if (named_iofds[STDOUT_FILENO] < 0 &&
4376 c->std_output == EXEC_OUTPUT_NAMED_FD &&
4377 stdio_fdname[STDOUT_FILENO] &&
4378 streq(p->fd_names[i], stdio_fdname[STDOUT_FILENO])) {
4379
52c239d7
LB		 4380 named_iofds[STDOUT_FILENO] = p->fds[i];
4381 targets--;
56fbd561
ZJS		 4382
4383 } else if (named_iofds[STDERR_FILENO] < 0 &&
4384 c->std_error == EXEC_OUTPUT_NAMED_FD &&
4385 stdio_fdname[STDERR_FILENO] &&
4386 streq(p->fd_names[i], stdio_fdname[STDERR_FILENO])) {
4387
52c239d7
LB		 4388 named_iofds[STDERR_FILENO] = p->fds[i];
4389 targets--;
4390 }
4391
56fbd561 4392 return targets == 0 ? 0 : -ENOENT;
52c239d7
LB		 4393}
4394
34cf6c43 4395static int exec_context_load_environment(const Unit *unit, const ExecContext *c, char ***l) {
8c7be95e
LP		 4396 char **i, **r = NULL;
4397
4398 assert(c);
4399 assert(l);
4400
4401 STRV_FOREACH(i, c->environment_files) {
4402 char *fn;
52511fae
ZJS		 4403 int k;
4404 unsigned n;
8c7be95e
LP		 4405 bool ignore = false;
4406 char **p;
7fd1b19b 4407 _cleanup_globfree_ glob_t pglob = {};
8c7be95e
LP		 4408
4409 fn = *i;
4410
4411 if (fn[0] == '-') {
4412 ignore = true;
313cefa1 4413 fn++;
8c7be95e
LP		 4414 }
4415
4416 if (!path_is_absolute(fn)) {
8c7be95e
LP		 4417 if (ignore)
4418 continue;
4419
4420 strv_free(r);
4421 return -EINVAL;
4422 }
4423
2bef10ab 4424 /* Filename supports globbing, take all matching files */
d8c92e8b
ZJS		 4425 k = safe_glob(fn, 0, &pglob);
4426 if (k < 0) {
2bef10ab
PL		 4427 if (ignore)
4428 continue;
8c7be95e 4429
2bef10ab 4430 strv_free(r);
d8c92e8b 4431 return k;
2bef10ab 4432 }
8c7be95e 4433
d8c92e8b
ZJS		 4434 /* When we don't match anything, -ENOENT should be returned */
4435 assert(pglob.gl_pathc > 0);
4436
4437 for (n = 0; n < pglob.gl_pathc; n++) {
aa8fbc74 4438 k = load_env_file(NULL, pglob.gl_pathv[n], &p);
2bef10ab
PL		 4439 if (k < 0) {
4440 if (ignore)
4441 continue;
8c7be95e 4442
2bef10ab 4443 strv_free(r);
2bef10ab 4444 return k;
e9c1ea9d 4445 }
ebc05a09 4446 /* Log invalid environment variables with filename */
039f0e70
LP		 4447 if (p) {
4448 InvalidEnvInfo info = {
f2341e0a 4449 .unit = unit,
039f0e70
LP		 4450 .path = pglob.gl_pathv[n]
4451 };
4452
4453 p = strv_env_clean_with_callback(p, invalid_env, &info);
4454 }
8c7be95e 4455
234519ae 4456 if (!r)
2bef10ab
PL		 4457 r = p;
4458 else {
4459 char **m;
8c7be95e 4460
2bef10ab
PL		 4461 m = strv_env_merge(2, r, p);
4462 strv_free(r);
4463 strv_free(p);
c84a9488 4464 if (!m)
2bef10ab 4465 return -ENOMEM;
2bef10ab
PL		 4466
4467 r = m;
4468 }
8c7be95e
LP		 4469 }
4470 }
4471
4472 *l = r;
4473
4474 return 0;
4475}
4476
6ac8fdc9 4477static bool tty_may_match_dev_console(const char *tty) {
7b912648 4478 _cleanup_free_ char *resolved = NULL;
6ac8fdc9 4479
1e22b5cd
LP		 4480 if (!tty)
4481 return true;
4482
a119ec7c 4483 tty = skip_dev_prefix(tty);
6ac8fdc9
MS		 4484
4485 /* trivial identity? */
4486 if (streq(tty, "console"))
4487 return true;
4488
7b912648
LP		 4489 if (resolve_dev_console(&resolved) < 0)
4490 return true; /* if we could not resolve, assume it may */
6ac8fdc9
MS		 4491
4492 /* "tty0" means the active VC, so it may be the same sometimes */
955f1c85 4493 return path_equal(resolved, tty) || (streq(resolved, "tty0") && tty_is_vc(tty));
6ac8fdc9
MS		 4494}
4495
6c0ae739
LP		 4496static bool exec_context_may_touch_tty(const ExecContext *ec) {
4497 assert(ec);
1e22b5cd 4498
6c0ae739 4499 return ec->tty_reset ||
1e22b5cd
LP		 4500 ec->tty_vhangup ||
4501 ec->tty_vt_disallocate ||
6ac8fdc9
MS		 4502 is_terminal_input(ec->std_input) ||
4503 is_terminal_output(ec->std_output) ||
6c0ae739
LP		 4504 is_terminal_output(ec->std_error);
4505}
4506
4507bool exec_context_may_touch_console(const ExecContext *ec) {
4508
4509 return exec_context_may_touch_tty(ec) &&
1e22b5cd 4510 tty_may_match_dev_console(exec_context_tty_path(ec));
6ac8fdc9
MS		 4511}
4512
15ae422b
LP		 4513static void strv_fprintf(FILE *f, char **l) {
4514 char **g;
4515
4516 assert(f);
4517
4518 STRV_FOREACH(g, l)
4519 fprintf(f, " %s", *g);
4520}
4521
34cf6c43 4522void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
12213aed 4523 char **e, **d, buf_clean[FORMAT_TIMESPAN_MAX];
d3070fbd 4524 ExecDirectoryType dt;
94f04347 4525 unsigned i;
add00535 4526 int r;
9eba9da4 4527
5cb5a6ff
LP		 4528 assert(c);
4529 assert(f);
4530
4ad49000 4531 prefix = strempty(prefix);
5cb5a6ff
LP		 4532
4533 fprintf(f,
94f04347
LP		 4534 "%sUMask: %04o\n"
4535 "%sWorkingDirectory: %s\n"
451a074f 4536 "%sRootDirectory: %s\n"
15ae422b 4537 "%sNonBlocking: %s\n"
64747e2d 4538 "%sPrivateTmp: %s\n"
7f112f50 4539 "%sPrivateDevices: %s\n"
59eeb84b 4540 "%sProtectKernelTunables: %s\n"
e66a2f65 4541 "%sProtectKernelModules: %s\n"
84703040 4542 "%sProtectKernelLogs: %s\n"
fc64760d 4543 "%sProtectClock: %s\n"
59eeb84b 4544 "%sProtectControlGroups: %s\n"
d251207d
LP		 4545 "%sPrivateNetwork: %s\n"
4546 "%sPrivateUsers: %s\n"
1b8689f9
LP		 4547 "%sProtectHome: %s\n"
4548 "%sProtectSystem: %s\n"
5d997827 4549 "%sMountAPIVFS: %s\n"
f3e43635 4550 "%sIgnoreSIGPIPE: %s\n"
f4170c67 4551 "%sMemoryDenyWriteExecute: %s\n"
b1edf445 4552 "%sRestrictRealtime: %s\n"
f69567cb 4553 "%sRestrictSUIDSGID: %s\n"
aecd5ac6
TM		 4554 "%sKeyringMode: %s\n"
4555 "%sProtectHostname: %s\n",
5cb5a6ff 4556 prefix, c->umask,
9eba9da4 4557 prefix, c->working_directory ? c->working_directory : "/",
451a074f 4558 prefix, c->root_directory ? c->root_directory : "/",
15ae422b 4559 prefix, yes_no(c->non_blocking),
64747e2d 4560 prefix, yes_no(c->private_tmp),
7f112f50 4561 prefix, yes_no(c->private_devices),
59eeb84b 4562 prefix, yes_no(c->protect_kernel_tunables),
e66a2f65 4563 prefix, yes_no(c->protect_kernel_modules),
84703040 4564 prefix, yes_no(c->protect_kernel_logs),
fc64760d 4565 prefix, yes_no(c->protect_clock),
59eeb84b 4566 prefix, yes_no(c->protect_control_groups),
d251207d
LP		 4567 prefix, yes_no(c->private_network),
4568 prefix, yes_no(c->private_users),
1b8689f9
LP		 4569 prefix, protect_home_to_string(c->protect_home),
4570 prefix, protect_system_to_string(c->protect_system),
5d997827 4571 prefix, yes_no(c->mount_apivfs),
f3e43635 4572 prefix, yes_no(c->ignore_sigpipe),
f4170c67 4573 prefix, yes_no(c->memory_deny_write_execute),
b1edf445 4574 prefix, yes_no(c->restrict_realtime),
f69567cb 4575 prefix, yes_no(c->restrict_suid_sgid),
aecd5ac6
TM		 4576 prefix, exec_keyring_mode_to_string(c->keyring_mode),
4577 prefix, yes_no(c->protect_hostname));
fb33a393 4578
915e6d16
LP		 4579 if (c->root_image)
4580 fprintf(f, "%sRootImage: %s\n", prefix, c->root_image);
4581
8c7be95e
LP		 4582 STRV_FOREACH(e, c->environment)
4583 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
4584
4585 STRV_FOREACH(e, c->environment_files)
4586 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
94f04347 4587
b4c14404
FB		 4588 STRV_FOREACH(e, c->pass_environment)
4589 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
4590
00819cc1
LP		 4591 STRV_FOREACH(e, c->unset_environment)
4592 fprintf(f, "%sUnsetEnvironment: %s\n", prefix, *e);
4593
53f47dfc
YW		 4594 fprintf(f, "%sRuntimeDirectoryPreserve: %s\n", prefix, exec_preserve_mode_to_string(c->runtime_directory_preserve_mode));
4595
72fd1768 4596 for (dt = 0; dt < _EXEC_DIRECTORY_TYPE_MAX; dt++) {
3536f49e
YW		 4597 fprintf(f, "%s%sMode: %04o\n", prefix, exec_directory_type_to_string(dt), c->directories[dt].mode);
4598
4599 STRV_FOREACH(d, c->directories[dt].paths)
4600 fprintf(f, "%s%s: %s\n", prefix, exec_directory_type_to_string(dt), *d);
4601 }
c2bbd90b 4602
12213aed
YW		 4603 fprintf(f,
4604 "%sTimeoutCleanSec: %s\n",
4605 prefix, format_timespan(buf_clean, sizeof(buf_clean), c->timeout_clean_usec, USEC_PER_SEC));
4606
fb33a393
LP		 4607 if (c->nice_set)
4608 fprintf(f,
4609 "%sNice: %i\n",
4610 prefix, c->nice);
4611
dd6c17b1 4612 if (c->oom_score_adjust_set)
fb33a393 4613 fprintf(f,
dd6c17b1
LP		 4614 "%sOOMScoreAdjust: %i\n",
4615 prefix, c->oom_score_adjust);
9eba9da4 4616
94f04347 4617 for (i = 0; i < RLIM_NLIMITS; i++)
3c11da9d 4618 if (c->rlimit[i]) {
4c3a2b84 4619 fprintf(f, "%sLimit%s: " RLIM_FMT "\n",
3c11da9d 4620 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
4c3a2b84 4621 fprintf(f, "%sLimit%sSoft: " RLIM_FMT "\n",
3c11da9d
EV		 4622 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
4623 }
94f04347 4624
f8b69d1d 4625 if (c->ioprio_set) {
1756a011 4626 _cleanup_free_ char *class_str = NULL;
f8b69d1d 4627
837df140
YW		 4628 r = ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
4629 if (r >= 0)
4630 fprintf(f, "%sIOSchedulingClass: %s\n", prefix, class_str);
4631
4632 fprintf(f, "%sIOPriority: %lu\n", prefix, IOPRIO_PRIO_DATA(c->ioprio));
f8b69d1d 4633 }
94f04347 4634
f8b69d1d 4635 if (c->cpu_sched_set) {
1756a011 4636 _cleanup_free_ char *policy_str = NULL;
f8b69d1d 4637
837df140
YW		 4638 r = sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
4639 if (r >= 0)
4640 fprintf(f, "%sCPUSchedulingPolicy: %s\n", prefix, policy_str);
4641
94f04347 4642 fprintf(f,
38b48754
LP		 4643 "%sCPUSchedulingPriority: %i\n"
4644 "%sCPUSchedulingResetOnFork: %s\n",
38b48754
LP		 4645 prefix, c->cpu_sched_priority,
4646 prefix, yes_no(c->cpu_sched_reset_on_fork));
b929bf04 4647 }
94f04347 4648
0985c7c4 4649 if (c->cpu_set.set) {
e7fca352
MS		 4650 _cleanup_free_ char *affinity = NULL;
4651
4652 affinity = cpu_set_to_range_string(&c->cpu_set);
4653 fprintf(f, "%sCPUAffinity: %s\n", prefix, affinity);
94f04347
LP		 4654 }
4655
b070c7c0
MS		 4656 if (mpol_is_valid(numa_policy_get_type(&c->numa_policy))) {
4657 _cleanup_free_ char *nodes = NULL;
4658
4659 nodes = cpu_set_to_range_string(&c->numa_policy.nodes);
4660 fprintf(f, "%sNUMAPolicy: %s\n", prefix, mpol_to_string(numa_policy_get_type(&c->numa_policy)));
4661 fprintf(f, "%sNUMAMask: %s\n", prefix, strnull(nodes));
4662 }
4663
3a43da28 4664 if (c->timer_slack_nsec != NSEC_INFINITY)
ccd06097 4665 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
94f04347
LP		 4666
4667 fprintf(f,
80876c20
LP		 4668 "%sStandardInput: %s\n"
4669 "%sStandardOutput: %s\n"
4670 "%sStandardError: %s\n",
4671 prefix, exec_input_to_string(c->std_input),
4672 prefix, exec_output_to_string(c->std_output),
4673 prefix, exec_output_to_string(c->std_error));
4674
befc4a80
LP		 4675 if (c->std_input == EXEC_INPUT_NAMED_FD)
4676 fprintf(f, "%sStandardInputFileDescriptorName: %s\n", prefix, c->stdio_fdname[STDIN_FILENO]);
4677 if (c->std_output == EXEC_OUTPUT_NAMED_FD)
4678 fprintf(f, "%sStandardOutputFileDescriptorName: %s\n", prefix, c->stdio_fdname[STDOUT_FILENO]);
4679 if (c->std_error == EXEC_OUTPUT_NAMED_FD)
4680 fprintf(f, "%sStandardErrorFileDescriptorName: %s\n", prefix, c->stdio_fdname[STDERR_FILENO]);
4681
4682 if (c->std_input == EXEC_INPUT_FILE)
4683 fprintf(f, "%sStandardInputFile: %s\n", prefix, c->stdio_file[STDIN_FILENO]);
4684 if (c->std_output == EXEC_OUTPUT_FILE)
4685 fprintf(f, "%sStandardOutputFile: %s\n", prefix, c->stdio_file[STDOUT_FILENO]);
566b7d23
ZD		 4686 if (c->std_output == EXEC_OUTPUT_FILE_APPEND)
4687 fprintf(f, "%sStandardOutputFileToAppend: %s\n", prefix, c->stdio_file[STDOUT_FILENO]);
befc4a80
LP		 4688 if (c->std_error == EXEC_OUTPUT_FILE)
4689 fprintf(f, "%sStandardErrorFile: %s\n", prefix, c->stdio_file[STDERR_FILENO]);
566b7d23
ZD		 4690 if (c->std_error == EXEC_OUTPUT_FILE_APPEND)
4691 fprintf(f, "%sStandardErrorFileToAppend: %s\n", prefix, c->stdio_file[STDERR_FILENO]);
befc4a80 4692
80876c20
LP		 4693 if (c->tty_path)
4694 fprintf(f,
6ea832a2
LP		 4695 "%sTTYPath: %s\n"
4696 "%sTTYReset: %s\n"
4697 "%sTTYVHangup: %s\n"
4698 "%sTTYVTDisallocate: %s\n",
4699 prefix, c->tty_path,
4700 prefix, yes_no(c->tty_reset),
4701 prefix, yes_no(c->tty_vhangup),
4702 prefix, yes_no(c->tty_vt_disallocate));
94f04347 4703
9f6444eb
LP		 4704 if (IN_SET(c->std_output,
4705 EXEC_OUTPUT_SYSLOG,
4706 EXEC_OUTPUT_KMSG,
4707 EXEC_OUTPUT_JOURNAL,
4708 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
4709 EXEC_OUTPUT_KMSG_AND_CONSOLE,
4710 EXEC_OUTPUT_JOURNAL_AND_CONSOLE) ||
4711 IN_SET(c->std_error,
4712 EXEC_OUTPUT_SYSLOG,
4713 EXEC_OUTPUT_KMSG,
4714 EXEC_OUTPUT_JOURNAL,
4715 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
4716 EXEC_OUTPUT_KMSG_AND_CONSOLE,
4717 EXEC_OUTPUT_JOURNAL_AND_CONSOLE)) {
f8b69d1d 4718
5ce70e5b 4719 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
f8b69d1d 4720
837df140
YW		 4721 r = log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
4722 if (r >= 0)
4723 fprintf(f, "%sSyslogFacility: %s\n", prefix, fac_str);
f8b69d1d 4724
837df140
YW		 4725 r = log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
4726 if (r >= 0)
4727 fprintf(f, "%sSyslogLevel: %s\n", prefix, lvl_str);
f8b69d1d 4728 }
94f04347 4729
d3070fbd
LP		 4730 if (c->log_level_max >= 0) {
4731 _cleanup_free_ char *t = NULL;
4732
4733 (void) log_level_to_string_alloc(c->log_level_max, &t);
4734
4735 fprintf(f, "%sLogLevelMax: %s\n", prefix, strna(t));
4736 }
4737
5ac1530e 4738 if (c->log_ratelimit_interval_usec > 0) {
90fc172e
AZ		 4739 char buf_timespan[FORMAT_TIMESPAN_MAX];
4740
4741 fprintf(f,
4742 "%sLogRateLimitIntervalSec: %s\n",
5ac1530e 4743 prefix, format_timespan(buf_timespan, sizeof(buf_timespan), c->log_ratelimit_interval_usec, USEC_PER_SEC));
90fc172e
AZ		 4744 }
4745
5ac1530e
ZJS		 4746 if (c->log_ratelimit_burst > 0)
4747 fprintf(f, "%sLogRateLimitBurst: %u\n", prefix, c->log_ratelimit_burst);
90fc172e 4748
d3070fbd
LP		 4749 if (c->n_log_extra_fields > 0) {
4750 size_t j;
4751
4752 for (j = 0; j < c->n_log_extra_fields; j++) {
4753 fprintf(f, "%sLogExtraFields: ", prefix);
4754 fwrite(c->log_extra_fields[j].iov_base,
4755 1, c->log_extra_fields[j].iov_len,
4756 f);
4757 fputc('\n', f);
4758 }
4759 }
4760
91dd5f7c
LP		 4761 if (c->log_namespace)
4762 fprintf(f, "%sLogNamespace: %s\n", prefix, c->log_namespace);
4763
07d46372
YW		 4764 if (c->secure_bits) {
4765 _cleanup_free_ char *str = NULL;
4766
4767 r = secure_bits_to_string_alloc(c->secure_bits, &str);
4768 if (r >= 0)
4769 fprintf(f, "%sSecure Bits: %s\n", prefix, str);
4770 }
94f04347 4771
a103496c 4772 if (c->capability_bounding_set != CAP_ALL) {
dd1f5bd0 4773 _cleanup_free_ char *str = NULL;
94f04347 4774
dd1f5bd0
YW		 4775 r = capability_set_to_string_alloc(c->capability_bounding_set, &str);
4776 if (r >= 0)
4777 fprintf(f, "%sCapabilityBoundingSet: %s\n", prefix, str);
755d4b67
IP		 4778 }
4779
4780 if (c->capability_ambient_set != 0) {
dd1f5bd0 4781 _cleanup_free_ char *str = NULL;
755d4b67 4782
dd1f5bd0
YW		 4783 r = capability_set_to_string_alloc(c->capability_ambient_set, &str);
4784 if (r >= 0)
4785 fprintf(f, "%sAmbientCapabilities: %s\n", prefix, str);
94f04347
LP		 4786 }
4787
4788 if (c->user)
f2d3769a 4789 fprintf(f, "%sUser: %s\n", prefix, c->user);
94f04347 4790 if (c->group)
f2d3769a 4791 fprintf(f, "%sGroup: %s\n", prefix, c->group);
94f04347 4792
29206d46
LP		 4793 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
4794
ac6e8be6 4795 if (!strv_isempty(c->supplementary_groups)) {
94f04347 4796 fprintf(f, "%sSupplementaryGroups:", prefix);
15ae422b
LP		 4797 strv_fprintf(f, c->supplementary_groups);
4798 fputs("\n", f);
4799 }
94f04347 4800
5b6319dc 4801 if (c->pam_name)
f2d3769a 4802 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
5b6319dc 4803
58629001 4804 if (!strv_isempty(c->read_write_paths)) {
2a624c36
AP		 4805 fprintf(f, "%sReadWritePaths:", prefix);
4806 strv_fprintf(f, c->read_write_paths);
15ae422b
LP		 4807 fputs("\n", f);
4808 }
4809
58629001 4810 if (!strv_isempty(c->read_only_paths)) {
2a624c36
AP		 4811 fprintf(f, "%sReadOnlyPaths:", prefix);
4812 strv_fprintf(f, c->read_only_paths);
15ae422b
LP		 4813 fputs("\n", f);
4814 }
94f04347 4815
58629001 4816 if (!strv_isempty(c->inaccessible_paths)) {
2a624c36
AP		 4817 fprintf(f, "%sInaccessiblePaths:", prefix);
4818 strv_fprintf(f, c->inaccessible_paths);
94f04347
LP		 4819 fputs("\n", f);
4820 }
2e22afe9 4821
d2d6c096 4822 if (c->n_bind_mounts > 0)
4ca763a9
YW		 4823 for (i = 0; i < c->n_bind_mounts; i++)
4824 fprintf(f, "%s%s: %s%s:%s:%s\n", prefix,
d2d6c096 4825 c->bind_mounts[i].read_only ? "BindReadOnlyPaths" : "BindPaths",
4ca763a9 4826 c->bind_mounts[i].ignore_enoent ? "-": "",
d2d6c096
LP		 4827 c->bind_mounts[i].source,
4828 c->bind_mounts[i].destination,
4829 c->bind_mounts[i].recursive ? "rbind" : "norbind");
d2d6c096 4830
2abd4e38
YW		 4831 if (c->n_temporary_filesystems > 0)
4832 for (i = 0; i < c->n_temporary_filesystems; i++) {
4833 TemporaryFileSystem *t = c->temporary_filesystems + i;
4834
4835 fprintf(f, "%sTemporaryFileSystem: %s%s%s\n", prefix,
4836 t->path,
4837 isempty(t->options) ? "" : ":",
4838 strempty(t->options));
4839 }
4840
169c1bda
LP		 4841 if (c->utmp_id)
4842 fprintf(f,
4843 "%sUtmpIdentifier: %s\n",
4844 prefix, c->utmp_id);
7b52a628
MS		 4845
4846 if (c->selinux_context)
4847 fprintf(f,
5f8640fb
LP		 4848 "%sSELinuxContext: %s%s\n",
4849 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
17df7223 4850
80c21aea
WC		 4851 if (c->apparmor_profile)
4852 fprintf(f,
4853 "%sAppArmorProfile: %s%s\n",
4854 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
4855
4856 if (c->smack_process_label)
4857 fprintf(f,
4858 "%sSmackProcessLabel: %s%s\n",
4859 prefix, c->smack_process_label_ignore ? "-" : "", c->smack_process_label);
4860
050f7277 4861 if (c->personality != PERSONALITY_INVALID)
ac45f971
LP		 4862 fprintf(f,
4863 "%sPersonality: %s\n",
4864 prefix, strna(personality_to_string(c->personality)));
4865
78e864e5
TM		 4866 fprintf(f,
4867 "%sLockPersonality: %s\n",
4868 prefix, yes_no(c->lock_personality));
4869
17df7223 4870 if (c->syscall_filter) {
349cc4a5 4871#if HAVE_SECCOMP
17df7223 4872 Iterator j;
8cfa775f 4873 void *id, *val;
17df7223 4874 bool first = true;
351a19b1 4875#endif
17df7223
LP		 4876
4877 fprintf(f,
57183d11 4878 "%sSystemCallFilter: ",
17df7223
LP		 4879 prefix);
4880
4881 if (!c->syscall_whitelist)
4882 fputc('~', f);
4883
349cc4a5 4884#if HAVE_SECCOMP
8cfa775f 4885 HASHMAP_FOREACH_KEY(val, id, c->syscall_filter, j) {
17df7223 4886 _cleanup_free_ char *name = NULL;
8cfa775f
YW		 4887 const char *errno_name = NULL;
4888 int num = PTR_TO_INT(val);
17df7223
LP		 4889
4890 if (first)
4891 first = false;
4892 else
4893 fputc(' ', f);
4894
57183d11 4895 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
17df7223 4896 fputs(strna(name), f);
8cfa775f
YW		 4897
4898 if (num >= 0) {
4899 errno_name = errno_to_name(num);
4900 if (errno_name)
4901 fprintf(f, ":%s", errno_name);
4902 else
4903 fprintf(f, ":%d", num);
4904 }
17df7223 4905 }
351a19b1 4906#endif
17df7223
LP		 4907
4908 fputc('\n', f);
4909 }
4910
57183d11 4911 if (c->syscall_archs) {
349cc4a5 4912#if HAVE_SECCOMP
57183d11
LP		 4913 Iterator j;
4914 void *id;
4915#endif
4916
4917 fprintf(f,
4918 "%sSystemCallArchitectures:",
4919 prefix);
4920
349cc4a5 4921#if HAVE_SECCOMP
57183d11
LP		 4922 SET_FOREACH(id, c->syscall_archs, j)
4923 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
4924#endif
4925 fputc('\n', f);
4926 }
4927
add00535
LP		 4928 if (exec_context_restrict_namespaces_set(c)) {
4929 _cleanup_free_ char *s = NULL;
4930
86c2a9f1 4931 r = namespace_flags_to_string(c->restrict_namespaces, &s);
add00535
LP		 4932 if (r >= 0)
4933 fprintf(f, "%sRestrictNamespaces: %s\n",
dd0395b5 4934 prefix, strna(s));
add00535
LP		 4935 }
4936
a8d08f39
LP		 4937 if (c->network_namespace_path)
4938 fprintf(f,
4939 "%sNetworkNamespacePath: %s\n",
4940 prefix, c->network_namespace_path);
4941
3df90f24
YW		 4942 if (c->syscall_errno > 0) {
4943 const char *errno_name;
4944
4945 fprintf(f, "%sSystemCallErrorNumber: ", prefix);
4946
4947 errno_name = errno_to_name(c->syscall_errno);
4948 if (errno_name)
4949 fprintf(f, "%s\n", errno_name);
4950 else
4951 fprintf(f, "%d\n", c->syscall_errno);
4952 }
5cb5a6ff
LP		 4953}
4954
34cf6c43 4955bool exec_context_maintains_privileges(const ExecContext *c) {
a931ad47
LP		 4956 assert(c);
4957
61233823 4958 /* Returns true if the process forked off would run under
a931ad47
LP		 4959 * an unchanged UID or as root. */
4960
4961 if (!c->user)
4962 return true;
4963
4964 if (streq(c->user, "root") || streq(c->user, "0"))
4965 return true;
4966
4967 return false;
4968}
4969
34cf6c43 4970int exec_context_get_effective_ioprio(const ExecContext *c) {
7f452159
LP		 4971 int p;
4972
4973 assert(c);
4974
4975 if (c->ioprio_set)
4976 return c->ioprio;
4977
4978 p = ioprio_get(IOPRIO_WHO_PROCESS, 0);
4979 if (p < 0)
4980 return IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 4);
4981
4982 return p;
4983}
4984
d3070fbd
LP		 4985void exec_context_free_log_extra_fields(ExecContext *c) {
4986 size_t l;
4987
4988 assert(c);
4989
4990 for (l = 0; l < c->n_log_extra_fields; l++)
4991 free(c->log_extra_fields[l].iov_base);
4992 c->log_extra_fields = mfree(c->log_extra_fields);
4993 c->n_log_extra_fields = 0;
4994}
4995
6f765baf
LP		 4996void exec_context_revert_tty(ExecContext *c) {
4997 int r;
4998
4999 assert(c);
5000
5001 /* First, reset the TTY (possibly kicking everybody else from the TTY) */
5002 exec_context_tty_reset(c, NULL);
5003
5004 /* And then undo what chown_terminal() did earlier. Note that we only do this if we have a path
5005 * configured. If the TTY was passed to us as file descriptor we assume the TTY is opened and managed
5006 * by whoever passed it to us and thus knows better when and how to chmod()/chown() it back. */
5007
5008 if (exec_context_may_touch_tty(c)) {
5009 const char *path;
5010
5011 path = exec_context_tty_path(c);
5012 if (path) {
5013 r = chmod_and_chown(path, TTY_MODE, 0, TTY_GID);
5014 if (r < 0 && r != -ENOENT)
5015 log_warning_errno(r, "Failed to reset TTY ownership/access mode of %s, ignoring: %m", path);
5016 }
5017 }
5018}
5019
4c2f5842
LP		 5020int exec_context_get_clean_directories(
5021 ExecContext *c,
5022 char **prefix,
5023 ExecCleanMask mask,
5024 char ***ret) {
5025
5026 _cleanup_strv_free_ char **l = NULL;
5027 ExecDirectoryType t;
5028 int r;
5029
5030 assert(c);
5031 assert(prefix);
5032 assert(ret);
5033
5034 for (t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
5035 char **i;
5036
5037 if (!FLAGS_SET(mask, 1U << t))
5038 continue;
5039
5040 if (!prefix[t])
5041 continue;
5042
5043 STRV_FOREACH(i, c->directories[t].paths) {
5044 char *j;
5045
5046 j = path_join(prefix[t], *i);
5047 if (!j)
5048 return -ENOMEM;
5049
5050 r = strv_consume(&l, j);
5051 if (r < 0)
5052 return r;
7f622a19
YW		 5053
5054 /* Also remove private directories unconditionally. */
5055 if (t != EXEC_DIRECTORY_CONFIGURATION) {
5056 j = path_join(prefix[t], "private", *i);
5057 if (!j)
5058 return -ENOMEM;
5059
5060 r = strv_consume(&l, j);
5061 if (r < 0)
5062 return r;
5063 }
4c2f5842
LP		 5064 }
5065 }
5066
5067 *ret = TAKE_PTR(l);
5068 return 0;
5069}
5070
5071int exec_context_get_clean_mask(ExecContext *c, ExecCleanMask *ret) {
5072 ExecCleanMask mask = 0;
5073
5074 assert(c);
5075 assert(ret);
5076
5077 for (ExecDirectoryType t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++)
5078 if (!strv_isempty(c->directories[t].paths))
5079 mask |= 1U << t;
5080
5081 *ret = mask;
5082 return 0;
5083}
5084
b58b4116 5085void exec_status_start(ExecStatus *s, pid_t pid) {
034c6ed7 5086 assert(s);
5cb5a6ff 5087
2ed26ed0
LP		 5088 *s = (ExecStatus) {
5089 .pid = pid,
5090 };
5091
b58b4116
LP		 5092 dual_timestamp_get(&s->start_timestamp);
5093}
5094
34cf6c43 5095void exec_status_exit(ExecStatus *s, const ExecContext *context, pid_t pid, int code, int status) {
b58b4116
LP		 5096 assert(s);
5097
2ed26ed0
LP		 5098 if (s->pid != pid) {
5099 *s = (ExecStatus) {
5100 .pid = pid,
5101 };
5102 }
b58b4116 5103
63983207 5104 dual_timestamp_get(&s->exit_timestamp);
9fb86720 5105
034c6ed7
LP		 5106 s->code = code;
5107 s->status = status;
169c1bda 5108
6f765baf
LP		 5109 if (context && context->utmp_id)
5110 (void) utmp_put_dead_process(context->utmp_id, pid, code, status);
9fb86720
LP		 5111}
5112
6a1d4d9f
LP		 5113void exec_status_reset(ExecStatus *s) {
5114 assert(s);
5115
5116 *s = (ExecStatus) {};
5117}
5118
34cf6c43 5119void exec_status_dump(const ExecStatus *s, FILE *f, const char *prefix) {
9fb86720
LP		 5120 char buf[FORMAT_TIMESTAMP_MAX];
5121
5122 assert(s);
5123 assert(f);
5124
9fb86720
LP		 5125 if (s->pid <= 0)
5126 return;
5127
4c940960
LP		 5128 prefix = strempty(prefix);
5129
9fb86720 5130 fprintf(f,
ccd06097
ZJS		 5131 "%sPID: "PID_FMT"\n",
5132 prefix, s->pid);
9fb86720 5133
af9d16e1 5134 if (dual_timestamp_is_set(&s->start_timestamp))
9fb86720
LP		 5135 fprintf(f,
5136 "%sStart Timestamp: %s\n",
63983207 5137 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
9fb86720 5138
af9d16e1 5139 if (dual_timestamp_is_set(&s->exit_timestamp))
9fb86720
LP		 5140 fprintf(f,
5141 "%sExit Timestamp: %s\n"
5142 "%sExit Code: %s\n"
5143 "%sExit Status: %i\n",
63983207 5144 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
9fb86720
LP		 5145 prefix, sigchld_code_to_string(s->code),
5146 prefix, s->status);
5cb5a6ff 5147}
44d8db9e 5148
34cf6c43 5149static char *exec_command_line(char **argv) {
44d8db9e
LP		 5150 size_t k;
5151 char *n, *p, **a;
5152 bool first = true;
5153
9e2f7c11 5154 assert(argv);
44d8db9e 5155
9164977d 5156 k = 1;
9e2f7c11 5157 STRV_FOREACH(a, argv)
44d8db9e
LP		 5158 k += strlen(*a)+3;
5159
5cd9cd35
LP		 5160 n = new(char, k);
5161 if (!n)
44d8db9e
LP		 5162 return NULL;
5163
5164 p = n;
9e2f7c11 5165 STRV_FOREACH(a, argv) {
44d8db9e
LP		 5166
5167 if (!first)
5168 *(p++) = ' ';
5169 else
5170 first = false;
5171
5172 if (strpbrk(*a, WHITESPACE)) {
5173 *(p++) = '\'';
5174 p = stpcpy(p, *a);
5175 *(p++) = '\'';
5176 } else
5177 p = stpcpy(p, *a);
5178
5179 }
5180
9164977d
LP		 5181 *p = 0;
5182
44d8db9e
LP		 5183 /* FIXME: this doesn't really handle arguments that have
5184 * spaces and ticks in them */
5185
5186 return n;
5187}
5188
34cf6c43 5189static void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
e1d75803 5190 _cleanup_free_ char *cmd = NULL;
4c940960 5191 const char *prefix2;
44d8db9e
LP		 5192
5193 assert(c);
5194 assert(f);
5195
4c940960 5196 prefix = strempty(prefix);
63c372cb 5197 prefix2 = strjoina(prefix, "\t");
44d8db9e 5198
9e2f7c11 5199 cmd = exec_command_line(c->argv);
44d8db9e
LP		 5200 fprintf(f,
5201 "%sCommand Line: %s\n",
4bbccb02 5202 prefix, cmd ? cmd : strerror_safe(ENOMEM));
44d8db9e 5203
9fb86720 5204 exec_status_dump(&c->exec_status, f, prefix2);
44d8db9e
LP		 5205}
5206
5207void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
5208 assert(f);
5209
4c940960 5210 prefix = strempty(prefix);
44d8db9e
LP		 5211
5212 LIST_FOREACH(command, c, c)
5213 exec_command_dump(c, f, prefix);
5214}
94f04347 5215
a6a80b4f
LP		 5216void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
5217 ExecCommand *end;
5218
5219 assert(l);
5220 assert(e);
5221
5222 if (*l) {
35b8ca3a 5223 /* It's kind of important, that we keep the order here */
71fda00f
LP		 5224 LIST_FIND_TAIL(command, *l, end);
5225 LIST_INSERT_AFTER(command, *l, end, e);
a6a80b4f
LP		 5226 } else
5227 *l = e;
5228}
5229
26fd040d
LP		 5230int exec_command_set(ExecCommand *c, const char *path, ...) {
5231 va_list ap;
5232 char **l, *p;
5233
5234 assert(c);
5235 assert(path);
5236
5237 va_start(ap, path);
5238 l = strv_new_ap(path, ap);
5239 va_end(ap);
5240
5241 if (!l)
5242 return -ENOMEM;
5243
250a918d
LP		 5244 p = strdup(path);
5245 if (!p) {
26fd040d
LP		 5246 strv_free(l);
5247 return -ENOMEM;
5248 }
5249
6897dfe8 5250 free_and_replace(c->path, p);
26fd040d 5251
130d3d22 5252 return strv_free_and_replace(c->argv, l);
26fd040d
LP		 5253}
5254
86b23b07 5255int exec_command_append(ExecCommand *c, const char *path, ...) {
e63ff941 5256 _cleanup_strv_free_ char **l = NULL;
86b23b07 5257 va_list ap;
86b23b07
JS		 5258 int r;
5259
5260 assert(c);
5261 assert(path);
5262
5263 va_start(ap, path);
5264 l = strv_new_ap(path, ap);
5265 va_end(ap);
5266
5267 if (!l)
5268 return -ENOMEM;
5269
e287086b 5270 r = strv_extend_strv(&c->argv, l, false);
e63ff941 5271 if (r < 0)
86b23b07 5272 return r;
86b23b07
JS		 5273
5274 return 0;
5275}
5276
e8a565cb
YW		 5277static void *remove_tmpdir_thread(void *p) {
5278 _cleanup_free_ char *path = p;
86b23b07 5279
e8a565cb
YW		 5280 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
5281 return NULL;
5282}
5283
5284static ExecRuntime* exec_runtime_free(ExecRuntime *rt, bool destroy) {
5285 int r;
5286
5287 if (!rt)
5288 return NULL;
5289
5290 if (rt->manager)
5291 (void) hashmap_remove(rt->manager->exec_runtime_by_id, rt->id);
5292
5293 /* When destroy is true, then rm_rf tmp_dir and var_tmp_dir. */
5294 if (destroy && rt->tmp_dir) {
5295 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
5296
5297 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
5298 if (r < 0) {
5299 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
5300 free(rt->tmp_dir);
5301 }
5302
5303 rt->tmp_dir = NULL;
5304 }
613b411c 5305
e8a565cb
YW		 5306 if (destroy && rt->var_tmp_dir) {
5307 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
5308
5309 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
5310 if (r < 0) {
5311 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
5312 free(rt->var_tmp_dir);
5313 }
5314
5315 rt->var_tmp_dir = NULL;
5316 }
5317
5318 rt->id = mfree(rt->id);
5319 rt->tmp_dir = mfree(rt->tmp_dir);
5320 rt->var_tmp_dir = mfree(rt->var_tmp_dir);
5321 safe_close_pair(rt->netns_storage_socket);
5322 return mfree(rt);
5323}
5324
5325static void exec_runtime_freep(ExecRuntime **rt) {
da6bc6ed 5326 (void) exec_runtime_free(*rt, false);
e8a565cb
YW		 5327}
5328
8e8009dc
LP		 5329static int exec_runtime_allocate(ExecRuntime **ret) {
5330 ExecRuntime *n;
613b411c 5331
8e8009dc 5332 assert(ret);
613b411c 5333
8e8009dc
LP		 5334 n = new(ExecRuntime, 1);
5335 if (!n)
613b411c
LP		 5336 return -ENOMEM;
5337
8e8009dc
LP		 5338 *n = (ExecRuntime) {
5339 .netns_storage_socket = { -1, -1 },
5340 };
5341
5342 *ret = n;
613b411c
LP		 5343 return 0;
5344}
5345
e8a565cb
YW		 5346static int exec_runtime_add(
5347 Manager *m,
5348 const char *id,
5349 const char *tmp_dir,
5350 const char *var_tmp_dir,
5351 const int netns_storage_socket[2],
5352 ExecRuntime **ret) {
5353
5354 _cleanup_(exec_runtime_freep) ExecRuntime *rt = NULL;
613b411c
LP		 5355 int r;
5356
e8a565cb 5357 assert(m);
613b411c
LP		 5358 assert(id);
5359
e8a565cb
YW		 5360 r = hashmap_ensure_allocated(&m->exec_runtime_by_id, &string_hash_ops);
5361 if (r < 0)
5362 return r;
613b411c 5363
e8a565cb 5364 r = exec_runtime_allocate(&rt);
613b411c
LP		 5365 if (r < 0)
5366 return r;
5367
e8a565cb
YW		 5368 rt->id = strdup(id);
5369 if (!rt->id)
5370 return -ENOMEM;
5371
5372 if (tmp_dir) {
5373 rt->tmp_dir = strdup(tmp_dir);
5374 if (!rt->tmp_dir)
5375 return -ENOMEM;
5376
5377 /* When tmp_dir is set, then we require var_tmp_dir is also set. */
5378 assert(var_tmp_dir);
5379 rt->var_tmp_dir = strdup(var_tmp_dir);
5380 if (!rt->var_tmp_dir)
5381 return -ENOMEM;
5382 }
5383
5384 if (netns_storage_socket) {
5385 rt->netns_storage_socket[0] = netns_storage_socket[0];
5386 rt->netns_storage_socket[1] = netns_storage_socket[1];
613b411c
LP		 5387 }
5388
e8a565cb
YW		 5389 r = hashmap_put(m->exec_runtime_by_id, rt->id, rt);
5390 if (r < 0)
5391 return r;
5392
5393 rt->manager = m;
5394
5395 if (ret)
5396 *ret = rt;
5397
5398 /* do not remove created ExecRuntime object when the operation succeeds. */
5399 rt = NULL;
5400 return 0;
5401}
5402
5403static int exec_runtime_make(Manager *m, const ExecContext *c, const char *id, ExecRuntime **ret) {
5404 _cleanup_free_ char *tmp_dir = NULL, *var_tmp_dir = NULL;
2fa3742d 5405 _cleanup_close_pair_ int netns_storage_socket[2] = { -1, -1 };
e8a565cb
YW		 5406 int r;
5407
5408 assert(m);
5409 assert(c);
5410 assert(id);
5411
5412 /* It is not necessary to create ExecRuntime object. */
a8d08f39 5413 if (!c->private_network && !c->private_tmp && !c->network_namespace_path)
e8a565cb
YW		 5414 return 0;
5415
efa2f3a1
TM		 5416 if (c->private_tmp &&
5417 !(prefixed_path_strv_contains(c->inaccessible_paths, "/tmp") &&
5418 (prefixed_path_strv_contains(c->inaccessible_paths, "/var/tmp") ||
5419 prefixed_path_strv_contains(c->inaccessible_paths, "/var")))) {
e8a565cb 5420 r = setup_tmp_dirs(id, &tmp_dir, &var_tmp_dir);
613b411c
LP		 5421 if (r < 0)
5422 return r;
5423 }
5424
a8d08f39 5425 if (c->private_network || c->network_namespace_path) {
e8a565cb
YW		 5426 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, netns_storage_socket) < 0)
5427 return -errno;
5428 }
5429
5430 r = exec_runtime_add(m, id, tmp_dir, var_tmp_dir, netns_storage_socket, ret);
5431 if (r < 0)
5432 return r;
5433
5434 /* Avoid cleanup */
2fa3742d 5435 netns_storage_socket[0] = netns_storage_socket[1] = -1;
613b411c
LP		 5436 return 1;
5437}
5438
e8a565cb
YW		 5439int exec_runtime_acquire(Manager *m, const ExecContext *c, const char *id, bool create, ExecRuntime **ret) {
5440 ExecRuntime *rt;
5441 int r;
613b411c 5442
e8a565cb
YW		 5443 assert(m);
5444 assert(id);
5445 assert(ret);
5446
5447 rt = hashmap_get(m->exec_runtime_by_id, id);
5448 if (rt)
5449 /* We already have a ExecRuntime object, let's increase the ref count and reuse it */
5450 goto ref;
5451
5452 if (!create)
5453 return 0;
5454
5455 /* If not found, then create a new object. */
5456 r = exec_runtime_make(m, c, id, &rt);
5457 if (r <= 0)
5458 /* When r == 0, it is not necessary to create ExecRuntime object. */
5459 return r;
613b411c 5460
e8a565cb
YW		 5461ref:
5462 /* increment reference counter. */
5463 rt->n_ref++;
5464 *ret = rt;
5465 return 1;
5466}
613b411c 5467
e8a565cb
YW		 5468ExecRuntime *exec_runtime_unref(ExecRuntime *rt, bool destroy) {
5469 if (!rt)
613b411c
LP		 5470 return NULL;
5471
e8a565cb 5472 assert(rt->n_ref > 0);
613b411c 5473
e8a565cb
YW		 5474 rt->n_ref--;
5475 if (rt->n_ref > 0)
f2341e0a
LP		 5476 return NULL;
5477
e8a565cb 5478 return exec_runtime_free(rt, destroy);
613b411c
LP		 5479}
5480
e8a565cb
YW		 5481int exec_runtime_serialize(const Manager *m, FILE *f, FDSet *fds) {
5482 ExecRuntime *rt;
5483 Iterator i;
5484
5485 assert(m);
613b411c
LP		 5486 assert(f);
5487 assert(fds);
5488
e8a565cb
YW		 5489 HASHMAP_FOREACH(rt, m->exec_runtime_by_id, i) {
5490 fprintf(f, "exec-runtime=%s", rt->id);
613b411c 5491
e8a565cb
YW		 5492 if (rt->tmp_dir)
5493 fprintf(f, " tmp-dir=%s", rt->tmp_dir);
613b411c 5494
e8a565cb
YW		 5495 if (rt->var_tmp_dir)
5496 fprintf(f, " var-tmp-dir=%s", rt->var_tmp_dir);
613b411c 5497
e8a565cb
YW		 5498 if (rt->netns_storage_socket[0] >= 0) {
5499 int copy;
613b411c 5500
e8a565cb
YW		 5501 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
5502 if (copy < 0)
5503 return copy;
613b411c 5504
e8a565cb
YW		 5505 fprintf(f, " netns-socket-0=%i", copy);
5506 }
613b411c 5507
e8a565cb
YW		 5508 if (rt->netns_storage_socket[1] >= 0) {
5509 int copy;
613b411c 5510
e8a565cb
YW		 5511 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
5512 if (copy < 0)
5513 return copy;
613b411c 5514
e8a565cb
YW		 5515 fprintf(f, " netns-socket-1=%i", copy);
5516 }
5517
5518 fputc('\n', f);
613b411c
LP		 5519 }
5520
5521 return 0;
5522}
5523
e8a565cb
YW		 5524int exec_runtime_deserialize_compat(Unit *u, const char *key, const char *value, FDSet *fds) {
5525 _cleanup_(exec_runtime_freep) ExecRuntime *rt_create = NULL;
5526 ExecRuntime *rt;
613b411c
LP		 5527 int r;
5528
e8a565cb
YW		 5529 /* This is for the migration from old (v237 or earlier) deserialization text.
5530 * Due to the bug #7790, this may not work with the units that use JoinsNamespaceOf=.
5531 * Even if the ExecRuntime object originally created by the other unit, we cannot judge
5532 * so or not from the serialized text, then we always creates a new object owned by this. */
5533
5534 assert(u);
613b411c
LP		 5535 assert(key);
5536 assert(value);
5537
e8a565cb
YW		 5538 /* Manager manages ExecRuntime objects by the unit id.
5539 * So, we omit the serialized text when the unit does not have id (yet?)... */
5540 if (isempty(u->id)) {
5541 log_unit_debug(u, "Invocation ID not found. Dropping runtime parameter.");
5542 return 0;
5543 }
613b411c 5544
e8a565cb
YW		 5545 r = hashmap_ensure_allocated(&u->manager->exec_runtime_by_id, &string_hash_ops);
5546 if (r < 0) {
5547 log_unit_debug_errno(u, r, "Failed to allocate storage for runtime parameter: %m");
5548 return 0;
5549 }
5550
5551 rt = hashmap_get(u->manager->exec_runtime_by_id, u->id);
5552 if (!rt) {
5553 r = exec_runtime_allocate(&rt_create);
613b411c 5554 if (r < 0)
f2341e0a 5555 return log_oom();
613b411c 5556
e8a565cb
YW		 5557 rt_create->id = strdup(u->id);
5558 if (!rt_create->id)
5559 return log_oom();
5560
5561 rt = rt_create;
5562 }
5563
5564 if (streq(key, "tmp-dir")) {
5565 char *copy;
5566
613b411c
LP		 5567 copy = strdup(value);
5568 if (!copy)
5569 return log_oom();
5570
e8a565cb 5571 free_and_replace(rt->tmp_dir, copy);
613b411c
LP		 5572
5573 } else if (streq(key, "var-tmp-dir")) {
5574 char *copy;
5575
613b411c
LP		 5576 copy = strdup(value);
5577 if (!copy)
5578 return log_oom();
5579
e8a565cb 5580 free_and_replace(rt->var_tmp_dir, copy);
613b411c
LP		 5581
5582 } else if (streq(key, "netns-socket-0")) {
5583 int fd;
5584
e8a565cb 5585 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd)) {
f2341e0a 5586 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
e8a565cb 5587 return 0;
613b411c 5588 }
e8a565cb
YW		 5589
5590 safe_close(rt->netns_storage_socket[0]);
5591 rt->netns_storage_socket[0] = fdset_remove(fds, fd);
5592
613b411c
LP		 5593 } else if (streq(key, "netns-socket-1")) {
5594 int fd;
5595
e8a565cb 5596 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd)) {
f2341e0a 5597 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
e8a565cb 5598 return 0;
613b411c 5599 }
e8a565cb
YW		 5600
5601 safe_close(rt->netns_storage_socket[1]);
5602 rt->netns_storage_socket[1] = fdset_remove(fds, fd);
613b411c
LP		 5603 } else
5604 return 0;
5605
e8a565cb
YW		 5606 /* If the object is newly created, then put it to the hashmap which manages ExecRuntime objects. */
5607 if (rt_create) {
5608 r = hashmap_put(u->manager->exec_runtime_by_id, rt_create->id, rt_create);
5609 if (r < 0) {
3fe91079 5610 log_unit_debug_errno(u, r, "Failed to put runtime parameter to manager's storage: %m");
e8a565cb
YW		 5611 return 0;
5612 }
613b411c 5613
e8a565cb 5614 rt_create->manager = u->manager;
613b411c 5615
e8a565cb
YW		 5616 /* Avoid cleanup */
5617 rt_create = NULL;
5618 }
98b47d54 5619
e8a565cb
YW		 5620 return 1;
5621}
613b411c 5622
e8a565cb
YW		 5623void exec_runtime_deserialize_one(Manager *m, const char *value, FDSet *fds) {
5624 char *id = NULL, *tmp_dir = NULL, *var_tmp_dir = NULL;
5625 int r, fd0 = -1, fd1 = -1;
5626 const char *p, *v = value;
5627 size_t n;
613b411c 5628
e8a565cb
YW		 5629 assert(m);
5630 assert(value);
5631 assert(fds);
98b47d54 5632
e8a565cb
YW		 5633 n = strcspn(v, " ");
5634 id = strndupa(v, n);
5635 if (v[n] != ' ')
5636 goto finalize;
5637 p = v + n + 1;
5638
5639 v = startswith(p, "tmp-dir=");
5640 if (v) {
5641 n = strcspn(v, " ");
5642 tmp_dir = strndupa(v, n);
5643 if (v[n] != ' ')
5644 goto finalize;
5645 p = v + n + 1;
5646 }
5647
5648 v = startswith(p, "var-tmp-dir=");
5649 if (v) {
5650 n = strcspn(v, " ");
5651 var_tmp_dir = strndupa(v, n);
5652 if (v[n] != ' ')
5653 goto finalize;
5654 p = v + n + 1;
5655 }
5656
5657 v = startswith(p, "netns-socket-0=");
5658 if (v) {
5659 char *buf;
5660
5661 n = strcspn(v, " ");
5662 buf = strndupa(v, n);
5663 if (safe_atoi(buf, &fd0) < 0 || !fdset_contains(fds, fd0)) {
5664 log_debug("Unable to process exec-runtime netns fd specification.");
5665 return;
98b47d54 5666 }
e8a565cb
YW		 5667 fd0 = fdset_remove(fds, fd0);
5668 if (v[n] != ' ')
5669 goto finalize;
5670 p = v + n + 1;
613b411c
LP		 5671 }
5672
e8a565cb
YW		 5673 v = startswith(p, "netns-socket-1=");
5674 if (v) {
5675 char *buf;
98b47d54 5676
e8a565cb
YW		 5677 n = strcspn(v, " ");
5678 buf = strndupa(v, n);
5679 if (safe_atoi(buf, &fd1) < 0 || !fdset_contains(fds, fd1)) {
5680 log_debug("Unable to process exec-runtime netns fd specification.");
5681 return;
98b47d54 5682 }
e8a565cb
YW		 5683 fd1 = fdset_remove(fds, fd1);
5684 }
98b47d54 5685
e8a565cb
YW		 5686finalize:
5687
5688 r = exec_runtime_add(m, id, tmp_dir, var_tmp_dir, (int[]) { fd0, fd1 }, NULL);
7d853ca6 5689 if (r < 0)
e8a565cb 5690 log_debug_errno(r, "Failed to add exec-runtime: %m");
e8a565cb 5691}
613b411c 5692
e8a565cb
YW		 5693void exec_runtime_vacuum(Manager *m) {
5694 ExecRuntime *rt;
5695 Iterator i;
5696
5697 assert(m);
5698
5699 /* Free unreferenced ExecRuntime objects. This is used after manager deserialization process. */
5700
5701 HASHMAP_FOREACH(rt, m->exec_runtime_by_id, i) {
5702 if (rt->n_ref > 0)
5703 continue;
5704
5705 (void) exec_runtime_free(rt, false);
5706 }
613b411c
LP		 5707}
5708
b9c04eaf
YW		 5709void exec_params_clear(ExecParameters *p) {
5710 if (!p)
5711 return;
5712
5713 strv_free(p->environment);
5714}
5715
80876c20
LP		 5716static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
5717 [EXEC_INPUT_NULL] = "null",
5718 [EXEC_INPUT_TTY] = "tty",
5719 [EXEC_INPUT_TTY_FORCE] = "tty-force",
4f2d528d 5720 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
52c239d7
LB		 5721 [EXEC_INPUT_SOCKET] = "socket",
5722 [EXEC_INPUT_NAMED_FD] = "fd",
08f3be7a 5723 [EXEC_INPUT_DATA] = "data",
2038c3f5 5724 [EXEC_INPUT_FILE] = "file",
80876c20
LP		 5725};
5726
8a0867d6
LP		 5727DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
5728
94f04347 5729static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
80876c20 5730 [EXEC_OUTPUT_INHERIT] = "inherit",
94f04347 5731 [EXEC_OUTPUT_NULL] = "null",
80876c20 5732 [EXEC_OUTPUT_TTY] = "tty",
94f04347 5733 [EXEC_OUTPUT_SYSLOG] = "syslog",
28dbc1e8 5734 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
9a6bca7a 5735 [EXEC_OUTPUT_KMSG] = "kmsg",
28dbc1e8 5736 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
706343f4
LP		 5737 [EXEC_OUTPUT_JOURNAL] = "journal",
5738 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
52c239d7
LB		 5739 [EXEC_OUTPUT_SOCKET] = "socket",
5740 [EXEC_OUTPUT_NAMED_FD] = "fd",
2038c3f5 5741 [EXEC_OUTPUT_FILE] = "file",
566b7d23 5742 [EXEC_OUTPUT_FILE_APPEND] = "append",
94f04347
LP		 5743};
5744
5745DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
023a4f67
LP		 5746
5747static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
5748 [EXEC_UTMP_INIT] = "init",
5749 [EXEC_UTMP_LOGIN] = "login",
5750 [EXEC_UTMP_USER] = "user",
5751};
5752
5753DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
53f47dfc
YW		 5754
5755static const char* const exec_preserve_mode_table[_EXEC_PRESERVE_MODE_MAX] = {
5756 [EXEC_PRESERVE_NO] = "no",
5757 [EXEC_PRESERVE_YES] = "yes",
5758 [EXEC_PRESERVE_RESTART] = "restart",
5759};
5760
5761DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(exec_preserve_mode, ExecPreserveMode, EXEC_PRESERVE_YES);
3536f49e 5762
6b7b2ed9 5763/* This table maps ExecDirectoryType to the setting it is configured with in the unit */
72fd1768 5764static const char* const exec_directory_type_table[_EXEC_DIRECTORY_TYPE_MAX] = {
3536f49e
YW		 5765 [EXEC_DIRECTORY_RUNTIME] = "RuntimeDirectory",
5766 [EXEC_DIRECTORY_STATE] = "StateDirectory",
5767 [EXEC_DIRECTORY_CACHE] = "CacheDirectory",
5768 [EXEC_DIRECTORY_LOGS] = "LogsDirectory",
5769 [EXEC_DIRECTORY_CONFIGURATION] = "ConfigurationDirectory",
5770};
5771
5772DEFINE_STRING_TABLE_LOOKUP(exec_directory_type, ExecDirectoryType);
b1edf445 5773
6b7b2ed9
LP		 5774/* And this table maps ExecDirectoryType too, but to a generic term identifying the type of resource. This
5775 * one is supposed to be generic enough to be used for unit types that don't use ExecContext and per-unit
5776 * directories, specifically .timer units with their timestamp touch file. */
5777static const char* const exec_resource_type_table[_EXEC_DIRECTORY_TYPE_MAX] = {
5778 [EXEC_DIRECTORY_RUNTIME] = "runtime",
5779 [EXEC_DIRECTORY_STATE] = "state",
5780 [EXEC_DIRECTORY_CACHE] = "cache",
5781 [EXEC_DIRECTORY_LOGS] = "logs",
5782 [EXEC_DIRECTORY_CONFIGURATION] = "configuration",
5783};
5784
5785DEFINE_STRING_TABLE_LOOKUP(exec_resource_type, ExecDirectoryType);
5786
5787/* And this table also maps ExecDirectoryType, to the environment variable we pass the selected directory to
5788 * the service payload in. */
fb2042dd
YW		 5789static const char* const exec_directory_env_name_table[_EXEC_DIRECTORY_TYPE_MAX] = {
5790 [EXEC_DIRECTORY_RUNTIME] = "RUNTIME_DIRECTORY",
5791 [EXEC_DIRECTORY_STATE] = "STATE_DIRECTORY",
5792 [EXEC_DIRECTORY_CACHE] = "CACHE_DIRECTORY",
5793 [EXEC_DIRECTORY_LOGS] = "LOGS_DIRECTORY",
5794 [EXEC_DIRECTORY_CONFIGURATION] = "CONFIGURATION_DIRECTORY",
5795};
5796
5797DEFINE_PRIVATE_STRING_TABLE_LOOKUP_TO_STRING(exec_directory_env_name, ExecDirectoryType);
5798
b1edf445
LP		 5799static const char* const exec_keyring_mode_table[_EXEC_KEYRING_MODE_MAX] = {
5800 [EXEC_KEYRING_INHERIT] = "inherit",
5801 [EXEC_KEYRING_PRIVATE] = "private",
5802 [EXEC_KEYRING_SHARED] = "shared",
5803};
5804
5805DEFINE_STRING_TABLE_LOOKUP(exec_keyring_mode, ExecKeyringMode);
Unnamed repository; edit this file 'description' to name the repository.