[thirdparty/systemd.git] / src / shared / exec-util.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#include "alloc-util.h"
#include "bitfield.h"
#include "conf-files.h"
#include "env-file.h"
#include "env-util.h"
#include "errno-util.h"
#include "escape.h"
#include "exec-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "hashmap.h"
#include "log.h"
#include "path-util.h"
#include "process-util.h"
#include "serialize.h"
#include "stat-util.h"
#include "string-table.h"
#include "string-util.h"
#include "strv.h"
#include "terminal-util.h"
#include "time-util.h"

#define EXIT_SKIP_REMAINING 77

/* Put this test here for a lack of better place */
assert_cc(EAGAIN == EWOULDBLOCK);

static int do_spawn(
                const char *path,
                char *argv[],
                int stdout_fd,
                bool set_systemd_exec_pid,
                pid_t *ret_pid) {

        int r;

        assert(path);
        assert(ret_pid);

        if (null_or_empty_path(path) > 0) {
                log_debug("%s is masked, skipping.", path);
                return 0;
        }

        pid_t pid;
        r = safe_fork_full(
                        "(exec-inner)",
                        (const int[]) { STDIN_FILENO, stdout_fd < 0 ? STDOUT_FILENO : stdout_fd, STDERR_FILENO },
                        /* except_fds= */ NULL, /* n_except_fds= */ 0,
                        FORK_DEATHSIG_SIGTERM|FORK_LOG|FORK_RLIMIT_NOFILE_SAFE|FORK_REARRANGE_STDIO|FORK_CLOSE_ALL_FDS,
                        &pid);
        if (r < 0)
                return r;
        if (r == 0) {
                char *_argv[2];

                if (set_systemd_exec_pid) {
                        r = setenv_systemd_exec_pid(false);
                        if (r < 0)
                                log_warning_errno(r, "Failed to set $SYSTEMD_EXEC_PID, ignoring: %m");
                }

                if (!argv) {
                        _argv[0] = (char*) path;
                        _argv[1] = NULL;
                        argv = _argv;
                } else
                        argv[0] = (char*) path;

                execv(path, argv);
                log_error_errno(errno, "Failed to execute %s: %m", path);
                _exit(EXIT_FAILURE);
        }

        *ret_pid = pid;
        return 1;
}

static int do_execute(
                char * const *paths,
                const char *root,
                usec_t timeout,
                gather_stdout_callback_t const callbacks[_STDOUT_CONSUME_MAX],
                void * const callback_args[_STDOUT_CONSUME_MAX],
                int output_fd,
                char *argv[],
                char *envp[],
                ExecDirFlags flags) {

        _cleanup_hashmap_free_ Hashmap *pids = NULL;
        bool parallel_execution;
        int r;

        /* We fork this all off from a child process so that we can somewhat cleanly make use of SIGALRM
         * to set a time limit.
         *
         * We attempt to perform parallel execution if configured by the user, however if `callbacks` is nonnull,
         * execution must be serial.
         */

        assert(!strv_isempty(paths));

        parallel_execution = FLAGS_SET(flags, EXEC_DIR_PARALLEL) && !callbacks;

        /* Abort execution of this process after the timeout. We simply rely on SIGALRM as
         * default action terminating the process, and turn on alarm(). */

        if (timeout != USEC_INFINITY)
                alarm(DIV_ROUND_UP(timeout, USEC_PER_SEC));

        STRV_FOREACH(e, envp)
                if (putenv(*e) != 0)
                        return log_error_errno(errno, "Failed to set environment variable: %m");

        STRV_FOREACH(path, paths) {
                _cleanup_free_ char *t = NULL;
                _cleanup_close_ int fd = -EBADF;
                pid_t pid;

                t = path_join(root, *path);
                if (!t)
                        return log_oom();

                if (callbacks) {
                        _cleanup_free_ char *bn = NULL;

                        r = path_extract_filename(*path, &bn);
                        if (r < 0)
                                return log_error_errno(r, "Failed to extract filename from path '%s': %m", *path);

                        fd = open_serialization_fd(bn);
                        if (fd < 0)
                                return log_error_errno(fd, "Failed to open serialization file: %m");
                }

                if (DEBUG_LOGGING) {
                        _cleanup_free_ char *s = NULL;

                        char **args = strv_skip(argv, 1);
                        if (args)
                                s = quote_command_line(args, SHELL_ESCAPE_EMPTY);

                        log_debug("About to execute %s%s%s", t, args ? " " : "", args ? strnull(s) : "");
                }

                if (FLAGS_SET(flags, EXEC_DIR_WARN_WORLD_WRITABLE)) {
                        struct stat st;

                        r = stat(t, &st);
                        if (r < 0)
                                log_warning_errno(errno, "Failed to stat '%s', ignoring: %m", t);
                        else if (S_ISREG(st.st_mode) && (st.st_mode & 0002))
                                log_warning("'%s' is marked world-writable, which is a security risk as it "
                                            "is executed with privileges. Please remove world writability "
                                            "permission bits. Proceeding anyway.", t);
                }

                r = do_spawn(t, argv, fd, FLAGS_SET(flags, EXEC_DIR_SET_SYSTEMD_EXEC_PID), &pid);
                if (r <= 0)
                        continue;

                if (parallel_execution) {
                        r = hashmap_ensure_put(&pids, &trivial_hash_ops_value_free, PID_TO_PTR(pid), t);
                        if (r < 0)
                                return log_oom();
                        t = NULL;
                } else {
                        bool skip_remaining = false;

                        r = wait_for_terminate_and_check(t, pid, WAIT_LOG_ABNORMAL);
                        if (r < 0)
                                return r;
                        if (r > 0) {
                                if (FLAGS_SET(flags, EXEC_DIR_SKIP_REMAINING) && r == EXIT_SKIP_REMAINING) {
                                        log_info("%s succeeded with exit status %i, not executing remaining executables.", *path, r);
                                        skip_remaining = true;
                                } else if (FLAGS_SET(flags, EXEC_DIR_IGNORE_ERRORS))
                                        log_warning("%s failed with exit status %i, ignoring.", *path, r);
                                else {
                                        log_error("%s failed with exit status %i.", *path, r);
                                        return r;
                                }
                        }

                        if (callbacks) {
                                r = finish_serialization_fd(fd);
                                if (r < 0)
                                        return log_error_errno(r, "Failed to finish serialization fd: %m");

                                r = callbacks[STDOUT_GENERATE](TAKE_FD(fd), callback_args[STDOUT_GENERATE]);
                                if (r < 0)
                                        return log_error_errno(r, "Failed to process output from %s: %m", *path);
                        }

                        if (skip_remaining)
                                break;
                }
        }

        if (callbacks) {
                r = callbacks[STDOUT_COLLECT](output_fd, callback_args[STDOUT_COLLECT]);
                if (r < 0)
                        return log_error_errno(r, "Callback two failed: %m");
        }

        while (!hashmap_isempty(pids)) {
                _cleanup_free_ char *t = NULL;
                pid_t pid;
                void *p;

                t = ASSERT_PTR(hashmap_steal_first_key_and_value(pids, &p));
                pid = PTR_TO_PID(p);
                assert(pid > 0);

                r = wait_for_terminate_and_check(t, pid, WAIT_LOG);
                if (r < 0)
                        return r;
                if (!FLAGS_SET(flags, EXEC_DIR_IGNORE_ERRORS) && r > 0)
                        return r;
        }

        return 0;
}

int execute_strv(
                const char *name,
                char * const *paths,
                const char *root,
                usec_t timeout,
                gather_stdout_callback_t const callbacks[_STDOUT_CONSUME_MAX],
                void * const callback_args[_STDOUT_CONSUME_MAX],
                char *argv[],
                char *envp[],
                ExecDirFlags flags) {

        _cleanup_close_ int fd = -EBADF;
        pid_t executor_pid;
        int r;

        assert(!FLAGS_SET(flags, EXEC_DIR_PARALLEL | EXEC_DIR_SKIP_REMAINING));

        if (strv_isempty(paths))
                return 0;

        if (callbacks) {
                assert(name);
                assert(callbacks[STDOUT_GENERATE]);
                assert(callbacks[STDOUT_COLLECT]);
                assert(callbacks[STDOUT_CONSUME]);
                assert(callback_args);

                fd = open_serialization_fd(name);
                if (fd < 0)
                        return log_error_errno(fd, "Failed to open serialization file: %m");
        }

        /* Executes all binaries in the directories serially or in parallel and waits for
         * them to finish. Optionally a timeout is applied. If a file with the same name
         * exists in more than one directory, the earliest one wins. */

        r = safe_fork("(sd-exec-strv)", FORK_RESET_SIGNALS|FORK_DEATHSIG_SIGTERM|FORK_LOG, &executor_pid);
        if (r < 0)
                return r;
        if (r == 0) {
                r = do_execute(paths, root, timeout, callbacks, callback_args, fd, argv, envp, flags);
                _exit(r < 0 ? EXIT_FAILURE : r);
        }

        r = wait_for_terminate_and_check("(sd-exec-strv)", executor_pid, 0);
        if (r < 0)
                return r;
        if (!FLAGS_SET(flags, EXEC_DIR_IGNORE_ERRORS) && r > 0)
                return r;

        if (!callbacks)
                return 0;

        r = finish_serialization_fd(fd);
        if (r < 0)
                return log_error_errno(r, "Failed to finish serialization fd: %m");

        r = callbacks[STDOUT_CONSUME](TAKE_FD(fd), callback_args[STDOUT_CONSUME]);
        if (r < 0)
                return log_error_errno(r, "Failed to parse returned data: %m");

        return 0;
}

int execute_directories(
                const char * const *directories,
                usec_t timeout,
                gather_stdout_callback_t const callbacks[_STDOUT_CONSUME_MAX],
                void * const callback_args[_STDOUT_CONSUME_MAX],
                char *argv[],
                char *envp[],
                ExecDirFlags flags) {

        _cleanup_strv_free_ char **paths = NULL;
        _cleanup_free_ char *name = NULL;
        int r;

        assert(!strv_isempty((char* const*) directories));

        r = conf_files_list_strv(
                        &paths,
                        /* suffix= */ NULL,
                        /* root= */ NULL,
                        CONF_FILES_EXECUTABLE|CONF_FILES_REGULAR|CONF_FILES_FILTER_MASKED,
                        directories);
        if (r < 0)
                return log_error_errno(r, "Failed to enumerate executables: %m");

        if (strv_isempty(paths)) {
                log_debug("No executables found.");
                return 0;
        }

        if (callbacks) {
                r = path_extract_filename(directories[0], &name);
                if (r < 0)
                        return log_error_errno(r, "Failed to extract file name from '%s': %m", directories[0]);
        }

        return execute_strv(name, paths, /* root = */ NULL, timeout, callbacks, callback_args, argv, envp, flags);
}

static int gather_environment_generate(int fd, void *arg) {
        char ***env = ASSERT_PTR(arg);
        _cleanup_fclose_ FILE *f = NULL;
        _cleanup_strv_free_ char **new = NULL;
        int r;

        /* Read a series of VAR=value assignments from fd, use them to update the list of variables in env.
         * Also update the exported environment.
         *
         * fd is always consumed, even on error.
         */

        assert(fd >= 0);

        f = fdopen(fd, "r");
        if (!f) {
                safe_close(fd);
                return -errno;
        }

        r = load_env_file_pairs(f, NULL, &new);
        if (r < 0)
                return r;

        STRV_FOREACH_PAIR(x, y, new) {
                if (!env_name_is_valid(*x)) {
                        log_warning("Invalid variable assignment \"%s=...\", ignoring.", *x);
                        continue;
                }

                r = strv_env_assign(env, *x, *y);
                if (r < 0)
                        return r;

                if (setenv(*x, *y, /* overwrite = */ true) < 0)
                        return -errno;
        }

        return 0;
}

static int gather_environment_collect(int fd, void *arg) {
        char ***env = ASSERT_PTR(arg);
        _cleanup_fclose_ FILE *f = NULL;
        int r;

        /* Write out a series of env=cescape(VAR=value) assignments to fd. */

        assert(fd >= 0);

        f = fdopen(fd, "w");
        if (!f) {
                safe_close(fd);
                return -errno;
        }

        r = serialize_strv(f, "env", *env);
        if (r < 0)
                return r;

        r = fflush_and_check(f);
        if (r < 0)
                return r;

        return 0;
}

static int gather_environment_consume(int fd, void *arg) {
        char ***env = ASSERT_PTR(arg);
        _cleanup_fclose_ FILE *f = NULL;
        int r, ret = 0;

        /* Read a series of env=cescape(VAR=value) assignments from fd into env. */

        assert(fd >= 0);

        f = fdopen(fd, "r");
        if (!f) {
                safe_close(fd);
                return -errno;
        }

        for (;;) {
                _cleanup_free_ char *line = NULL;
                const char *v;

                r = read_line(f, LONG_LINE_MAX, &line);
                if (r < 0)
                        return r;
                if (r == 0)
                        return ret;

                v = startswith(line, "env=");
                if (!v) {
                        RET_GATHER(ret, log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
                                                        "Serialization line unexpectedly didn't start with \"env=\", ignoring: %s",
                                                        line));
                        continue;
                }

                r = deserialize_environment(v, env);
                if (r < 0)
                        RET_GATHER(ret, log_debug_errno(r, "Failed to deserialize line \"%s\": %m", line));
        }
}

const gather_stdout_callback_t gather_environment[_STDOUT_CONSUME_MAX] = {
        gather_environment_generate,
        gather_environment_collect,
        gather_environment_consume,
};

int exec_command_flags_from_strv(char * const *ex_opts, ExecCommandFlags *ret) {
        ExecCommandFlags flags = 0;

        assert(ret);

        STRV_FOREACH(opt, ex_opts) {
                ExecCommandFlags fl = exec_command_flags_from_string(*opt);
                if (fl < 0)
                        return fl;

                flags |= fl;
        }

        *ret = flags;

        return 0;
}

int exec_command_flags_to_strv(ExecCommandFlags flags, char ***ret) {
        _cleanup_strv_free_ char **opts = NULL;
        int r;

        assert(flags >= 0);
        assert(ret);

        BIT_FOREACH(i, flags) {
                const char *s = exec_command_flags_to_string(1 << i);
                if (!s)
                        return -EINVAL;

                r = strv_extend(&opts, s);
                if (r < 0)
                        return r;
        }

        *ret = TAKE_PTR(opts);

        return 0;
}

static const char* const exec_command_strings[] = {
        "ignore-failure", /* EXEC_COMMAND_IGNORE_FAILURE */
        "privileged",     /* EXEC_COMMAND_FULLY_PRIVILEGED */
        "no-setuid",      /* EXEC_COMMAND_NO_SETUID */
        "no-env-expand",  /* EXEC_COMMAND_NO_ENV_EXPAND */
        "via-shell",      /* EXEC_COMMAND_VIA_SHELL */
};

assert_cc((1 << ELEMENTSOF(exec_command_strings)) - 1 == _EXEC_COMMAND_FLAGS_ALL);

const char* exec_command_flags_to_string(ExecCommandFlags i) {
        for (size_t idx = 0; idx < ELEMENTSOF(exec_command_strings); idx++)
                if (i == (1 << idx))
                        return exec_command_strings[idx];

        return NULL;
}

ExecCommandFlags exec_command_flags_from_string(const char *s) {
        ssize_t idx;

        if (streq(s, "ambient")) /* Compatibility with ambient hack, removed in v258, map to no bits set */
                return 0;

        idx = string_table_lookup_from_string(exec_command_strings, ELEMENTSOF(exec_command_strings), s);
        if (idx < 0)
                return _EXEC_COMMAND_FLAGS_INVALID;

        return 1 << idx;
}

int fexecve_or_execve(int executable_fd, const char *executable, char *const argv[], char *const envp[]) {
        /* Refuse invalid fds, regardless if fexecve() use is enabled or not */
        if (executable_fd < 0)
                return -EBADF;

        /* Block any attempts on exploiting Linux' liberal argv[] handling, i.e. CVE-2021-4034 and suchlike */
        if (isempty(executable) || strv_isempty(argv))
                return -EINVAL;

#if ENABLE_FEXECVE

        execveat(executable_fd, "", argv, envp, AT_EMPTY_PATH);

        if (IN_SET(errno, ENOSYS, ENOENT) || ERRNO_IS_PRIVILEGE(errno))
                /* Old kernel or a script or an overzealous seccomp filter? Let's fall back to execve().
                 *
                 * fexecve(3): "If fd refers to a script (i.e., it is an executable text file that names a
                 * script interpreter with a first line that begins with the characters #!) and the
                 * close-on-exec flag has been set for fd, then fexecve() fails with the error ENOENT. This
                 * error occurs because, by the time the script interpreter is executed, fd has already been
                 * closed because of the close-on-exec flag. Thus, the close-on-exec flag can't be set on fd
                 * if it refers to a script."
                 *
                 * Unfortunately, if we unset close-on-exec, the script will be executed just fine, but (at
                 * least in case of bash) the script name, $0, will be shown as /dev/fd/nnn, which breaks
                 * scripts which make use of $0. Thus, let's fall back to execve() in this case.
                 */
#endif
                execve(executable, argv, envp);
        return -errno;
}

int shall_fork_agent(void) {
        int r;

        /* Check if we have a controlling terminal. If not (ENXIO here), we aren't actually invoked
         * interactively on a terminal, hence fail. */
        r = get_ctty_devnr(0, NULL);
        if (r == -ENXIO)
                return false;
        if (r < 0)
                return r;

        if (!is_main_thread())
                return -EPERM;

        return true;
}

int _fork_agent(const char *name, char * const *argv, const int except[], size_t n_except, pid_t *ret_pid) {
        int r;

        assert(!strv_isempty(argv));

        /* Spawns a temporary TTY agent, making sure it goes away when we go away */

        r = safe_fork_full(name,
                           NULL,
                           (int*) except, /* safe_fork_full only changes except if you pass in FORK_PACK_FDS, which we don't */
                           n_except,
                           FORK_RESET_SIGNALS|FORK_DEATHSIG_SIGTERM|FORK_CLOSE_ALL_FDS|FORK_REOPEN_LOG|FORK_RLIMIT_NOFILE_SAFE,
                           ret_pid);
        if (r < 0)
                return r;
        if (r > 0)
                return 0;

        /* In the child: */

        bool stdin_is_tty = isatty_safe(STDIN_FILENO),
                stdout_is_tty = isatty_safe(STDOUT_FILENO),
                stderr_is_tty = isatty_safe(STDERR_FILENO);

        if (!stdin_is_tty || !stdout_is_tty || !stderr_is_tty) {
                int fd;

                /* Detach from stdin/stdout/stderr and reopen /dev/tty for them. This is important to ensure
                 * that when systemctl is started via popen() or a similar call that expects to read EOF we
                 * actually do generate EOF and not delay this indefinitely by keeping an unused copy of
                 * stdin around. */
                fd = open_terminal("/dev/tty", stdin_is_tty ? O_WRONLY : (stdout_is_tty && stderr_is_tty) ? O_RDONLY : O_RDWR);
                if (fd < 0) {
                        log_error_errno(fd, "Failed to open %s: %m", "/dev/tty");
                        _exit(EXIT_FAILURE);
                }

                if (!stdin_is_tty && dup2(fd, STDIN_FILENO) < 0) {
                        log_error_errno(errno, "Failed to dup2 /dev/tty to STDIN: %m");
                        _exit(EXIT_FAILURE);
                }

                if (!stdout_is_tty && dup2(fd, STDOUT_FILENO) < 0) {
                        log_error_errno(errno, "Failed to dup2 /dev/tty to STDOUT: %m");
                        _exit(EXIT_FAILURE);
                }

                if (!stderr_is_tty && dup2(fd, STDERR_FILENO) < 0) {
                        log_error_errno(errno, "Failed to dup2 /dev/tty to STDERR: %m");
                        _exit(EXIT_FAILURE);
                }

                fd = safe_close_above_stdio(fd);
        }

        /* Count arguments */
        execv(argv[0], argv);

        /* Let's treat missing agent binary as a graceful issue (in order to support splitting out the Polkit
         * or password agents into separate, optional distro packages), and not complain loudly. */
        log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_ERR, errno,
                       "Failed to execute %s: %m", argv[0]);
        _exit(EXIT_FAILURE);
}
Commit	Line	Data
	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
	2
	3	#include <stdio.h>
	4	#include <stdlib.h>
	5	#include <unistd.h>
	6
	7	#include "alloc-util.h"
	8	#include "bitfield.h"
	9	#include "conf-files.h"
	10	#include "env-file.h"
	11	#include "env-util.h"
	12	#include "errno-util.h"
	13	#include "escape.h"
	14	#include "exec-util.h"
	15	#include "fd-util.h"
	16	#include "fileio.h"
	17	#include "hashmap.h"
	18	#include "log.h"
	19	#include "path-util.h"
	20	#include "process-util.h"
	21	#include "serialize.h"
	22	#include "stat-util.h"
	23	#include "string-table.h"
	24	#include "string-util.h"
	25	#include "strv.h"
	26	#include "terminal-util.h"
	27	#include "time-util.h"
	28
	29	#define EXIT_SKIP_REMAINING 77
	30
	31	/* Put this test here for a lack of better place */
	32	assert_cc(EAGAIN == EWOULDBLOCK);
	33
	34	static int do_spawn(
	35	const char *path,
	36	char *argv[],
	37	int stdout_fd,
	38	bool set_systemd_exec_pid,
	39	pid_t *ret_pid) {
	40
	41	int r;
	42
	43	assert(path);
	44	assert(ret_pid);
	45
	46	if (null_or_empty_path(path) > 0) {
	47	log_debug("%s is masked, skipping.", path);
	48	return 0;
	49	}
	50
	51	pid_t pid;
	52	r = safe_fork_full(
	53	"(exec-inner)",
	54	(const int[]) { STDIN_FILENO, stdout_fd < 0 ? STDOUT_FILENO : stdout_fd, STDERR_FILENO },
	55	/* except_fds= / NULL, / n_except_fds= */ 0,
	56	FORK_DEATHSIG_SIGTERM\|FORK_LOG\|FORK_RLIMIT_NOFILE_SAFE\|FORK_REARRANGE_STDIO\|FORK_CLOSE_ALL_FDS,
	57	&pid);
	58	if (r < 0)
	59	return r;
	60	if (r == 0) {
	61	char *_argv[2];
	62
	63	if (set_systemd_exec_pid) {
	64	r = setenv_systemd_exec_pid(false);
	65	if (r < 0)
	66	log_warning_errno(r, "Failed to set $SYSTEMD_EXEC_PID, ignoring: %m");
	67	}
	68
	69	if (!argv) {
	70	_argv[0] = (char*) path;
	71	_argv[1] = NULL;
	72	argv = _argv;
	73	} else
	74	argv[0] = (char*) path;
	75
	76	execv(path, argv);
	77	log_error_errno(errno, "Failed to execute %s: %m", path);
	78	_exit(EXIT_FAILURE);
	79	}
	80
	81	*ret_pid = pid;
	82	return 1;
	83	}
	84
	85	static int do_execute(
	86	char * const *paths,
	87	const char *root,
	88	usec_t timeout,
	89	gather_stdout_callback_t const callbacks[_STDOUT_CONSUME_MAX],
	90	void * const callback_args[_STDOUT_CONSUME_MAX],
	91	int output_fd,
	92	char *argv[],
	93	char *envp[],
	94	ExecDirFlags flags) {
	95
	96	_cleanup_hashmap_free_ Hashmap *pids = NULL;
	97	bool parallel_execution;
	98	int r;
	99
	100	/* We fork this all off from a child process so that we can somewhat cleanly make use of SIGALRM
	101	* to set a time limit.
	102	*
	103	* We attempt to perform parallel execution if configured by the user, however if `callbacks` is nonnull,
	104	* execution must be serial.
	105	*/
	106
	107	assert(!strv_isempty(paths));
	108
	109	parallel_execution = FLAGS_SET(flags, EXEC_DIR_PARALLEL) && !callbacks;
	110
	111	/* Abort execution of this process after the timeout. We simply rely on SIGALRM as
	112	* default action terminating the process, and turn on alarm(). */
	113
	114	if (timeout != USEC_INFINITY)
	115	alarm(DIV_ROUND_UP(timeout, USEC_PER_SEC));
	116
	117	STRV_FOREACH(e, envp)
	118	if (putenv(*e) != 0)
	119	return log_error_errno(errno, "Failed to set environment variable: %m");
	120
	121	STRV_FOREACH(path, paths) {
	122	_cleanup_free_ char *t = NULL;
	123	_cleanup_close_ int fd = -EBADF;
	124	pid_t pid;
	125
	126	t = path_join(root, *path);
	127	if (!t)
	128	return log_oom();
	129
	130	if (callbacks) {
	131	_cleanup_free_ char *bn = NULL;
	132
	133	r = path_extract_filename(*path, &bn);
	134	if (r < 0)
	135	return log_error_errno(r, "Failed to extract filename from path '%s': %m", *path);
	136
	137	fd = open_serialization_fd(bn);
	138	if (fd < 0)
	139	return log_error_errno(fd, "Failed to open serialization file: %m");
	140	}
	141
	142	if (DEBUG_LOGGING) {
	143	_cleanup_free_ char *s = NULL;
	144
	145	char **args = strv_skip(argv, 1);
	146	if (args)
	147	s = quote_command_line(args, SHELL_ESCAPE_EMPTY);
	148
	149	log_debug("About to execute %s%s%s", t, args ? " " : "", args ? strnull(s) : "");
	150	}
	151
	152	if (FLAGS_SET(flags, EXEC_DIR_WARN_WORLD_WRITABLE)) {
	153	struct stat st;
	154
	155	r = stat(t, &st);
	156	if (r < 0)
	157	log_warning_errno(errno, "Failed to stat '%s', ignoring: %m", t);
	158	else if (S_ISREG(st.st_mode) && (st.st_mode & 0002))
	159	log_warning("'%s' is marked world-writable, which is a security risk as it "
	160	"is executed with privileges. Please remove world writability "
	161	"permission bits. Proceeding anyway.", t);
	162	}
	163
	164	r = do_spawn(t, argv, fd, FLAGS_SET(flags, EXEC_DIR_SET_SYSTEMD_EXEC_PID), &pid);
	165	if (r <= 0)
	166	continue;
	167
	168	if (parallel_execution) {
	169	r = hashmap_ensure_put(&pids, &trivial_hash_ops_value_free, PID_TO_PTR(pid), t);
	170	if (r < 0)
	171	return log_oom();
	172	t = NULL;
	173	} else {
	174	bool skip_remaining = false;
	175
	176	r = wait_for_terminate_and_check(t, pid, WAIT_LOG_ABNORMAL);
	177	if (r < 0)
	178	return r;
	179	if (r > 0) {
	180	if (FLAGS_SET(flags, EXEC_DIR_SKIP_REMAINING) && r == EXIT_SKIP_REMAINING) {
	181	log_info("%s succeeded with exit status %i, not executing remaining executables.", *path, r);
	182	skip_remaining = true;
	183	} else if (FLAGS_SET(flags, EXEC_DIR_IGNORE_ERRORS))
	184	log_warning("%s failed with exit status %i, ignoring.", *path, r);
	185	else {
	186	log_error("%s failed with exit status %i.", *path, r);
	187	return r;
	188	}
	189	}
	190
	191	if (callbacks) {
	192	r = finish_serialization_fd(fd);
	193	if (r < 0)
	194	return log_error_errno(r, "Failed to finish serialization fd: %m");
	195
	196	r = callbacks[STDOUT_GENERATE](TAKE_FD(fd), callback_args[STDOUT_GENERATE]);
	197	if (r < 0)
	198	return log_error_errno(r, "Failed to process output from %s: %m", *path);
	199	}
	200
	201	if (skip_remaining)
	202	break;
	203	}
	204	}
	205
	206	if (callbacks) {
	207	r = callbacks[STDOUT_COLLECT](output_fd, callback_args[STDOUT_COLLECT]);
	208	if (r < 0)
	209	return log_error_errno(r, "Callback two failed: %m");
	210	}
	211
	212	while (!hashmap_isempty(pids)) {
	213	_cleanup_free_ char *t = NULL;
	214	pid_t pid;
	215	void *p;
	216
	217	t = ASSERT_PTR(hashmap_steal_first_key_and_value(pids, &p));
	218	pid = PTR_TO_PID(p);
	219	assert(pid > 0);
	220
	221	r = wait_for_terminate_and_check(t, pid, WAIT_LOG);
	222	if (r < 0)
	223	return r;
	224	if (!FLAGS_SET(flags, EXEC_DIR_IGNORE_ERRORS) && r > 0)
	225	return r;
	226	}
	227
	228	return 0;
	229	}
	230
	231	int execute_strv(
	232	const char *name,
	233	char * const *paths,
	234	const char *root,
	235	usec_t timeout,
	236	gather_stdout_callback_t const callbacks[_STDOUT_CONSUME_MAX],
	237	void * const callback_args[_STDOUT_CONSUME_MAX],
	238	char *argv[],
	239	char *envp[],
	240	ExecDirFlags flags) {
	241
	242	_cleanup_close_ int fd = -EBADF;
	243	pid_t executor_pid;
	244	int r;
	245
	246	assert(!FLAGS_SET(flags, EXEC_DIR_PARALLEL \| EXEC_DIR_SKIP_REMAINING));
	247
	248	if (strv_isempty(paths))
	249	return 0;
	250
	251	if (callbacks) {
	252	assert(name);
	253	assert(callbacks[STDOUT_GENERATE]);
	254	assert(callbacks[STDOUT_COLLECT]);
	255	assert(callbacks[STDOUT_CONSUME]);
	256	assert(callback_args);
	257
	258	fd = open_serialization_fd(name);
	259	if (fd < 0)
	260	return log_error_errno(fd, "Failed to open serialization file: %m");
	261	}
	262
	263	/* Executes all binaries in the directories serially or in parallel and waits for
	264	* them to finish. Optionally a timeout is applied. If a file with the same name
	265	* exists in more than one directory, the earliest one wins. */
	266
	267	r = safe_fork("(sd-exec-strv)", FORK_RESET_SIGNALS\|FORK_DEATHSIG_SIGTERM\|FORK_LOG, &executor_pid);
	268	if (r < 0)
	269	return r;
	270	if (r == 0) {
	271	r = do_execute(paths, root, timeout, callbacks, callback_args, fd, argv, envp, flags);
	272	_exit(r < 0 ? EXIT_FAILURE : r);
	273	}
	274
	275	r = wait_for_terminate_and_check("(sd-exec-strv)", executor_pid, 0);
	276	if (r < 0)
	277	return r;
	278	if (!FLAGS_SET(flags, EXEC_DIR_IGNORE_ERRORS) && r > 0)
	279	return r;
	280
	281	if (!callbacks)
	282	return 0;
	283
	284	r = finish_serialization_fd(fd);
	285	if (r < 0)
	286	return log_error_errno(r, "Failed to finish serialization fd: %m");
	287
	288	r = callbacks[STDOUT_CONSUME](TAKE_FD(fd), callback_args[STDOUT_CONSUME]);
	289	if (r < 0)
	290	return log_error_errno(r, "Failed to parse returned data: %m");
	291
	292	return 0;
	293	}
	294
	295	int execute_directories(
	296	const char * const *directories,
	297	usec_t timeout,
	298	gather_stdout_callback_t const callbacks[_STDOUT_CONSUME_MAX],
	299	void * const callback_args[_STDOUT_CONSUME_MAX],
	300	char *argv[],
	301	char *envp[],
	302	ExecDirFlags flags) {
	303
	304	_cleanup_strv_free_ char **paths = NULL;
	305	_cleanup_free_ char *name = NULL;
	306	int r;
	307
	308	assert(!strv_isempty((char* const*) directories));
	309
	310	r = conf_files_list_strv(
	311	&paths,
	312	/* suffix= */ NULL,
	313	/* root= */ NULL,
	314	CONF_FILES_EXECUTABLE\|CONF_FILES_REGULAR\|CONF_FILES_FILTER_MASKED,
	315	directories);
	316	if (r < 0)
	317	return log_error_errno(r, "Failed to enumerate executables: %m");
	318
	319	if (strv_isempty(paths)) {
	320	log_debug("No executables found.");
	321	return 0;
	322	}
	323
	324	if (callbacks) {
	325	r = path_extract_filename(directories[0], &name);
	326	if (r < 0)
	327	return log_error_errno(r, "Failed to extract file name from '%s': %m", directories[0]);
	328	}
	329
	330	return execute_strv(name, paths, /* root = */ NULL, timeout, callbacks, callback_args, argv, envp, flags);
	331	}
	332
	333	static int gather_environment_generate(int fd, void *arg) {
	334	char ***env = ASSERT_PTR(arg);
	335	_cleanup_fclose_ FILE *f = NULL;
	336	_cleanup_strv_free_ char **new = NULL;
	337	int r;
	338
	339	/* Read a series of VAR=value assignments from fd, use them to update the list of variables in env.
	340	* Also update the exported environment.
	341	*
	342	* fd is always consumed, even on error.
	343	*/
	344
	345	assert(fd >= 0);
	346
	347	f = fdopen(fd, "r");
	348	if (!f) {
	349	safe_close(fd);
	350	return -errno;
	351	}
	352
	353	r = load_env_file_pairs(f, NULL, &new);
	354	if (r < 0)
	355	return r;
	356
	357	STRV_FOREACH_PAIR(x, y, new) {
	358	if (!env_name_is_valid(*x)) {
	359	log_warning("Invalid variable assignment \"%s=...\", ignoring.", *x);
	360	continue;
	361	}
	362
	363	r = strv_env_assign(env, x, y);
	364	if (r < 0)
	365	return r;
	366
	367	if (setenv(x, y, /* overwrite = */ true) < 0)
	368	return -errno;
	369	}
	370
	371	return 0;
	372	}
	373
	374	static int gather_environment_collect(int fd, void *arg) {
	375	char ***env = ASSERT_PTR(arg);
	376	_cleanup_fclose_ FILE *f = NULL;
	377	int r;
	378
	379	/* Write out a series of env=cescape(VAR=value) assignments to fd. */
	380
	381	assert(fd >= 0);
	382
	383	f = fdopen(fd, "w");
	384	if (!f) {
	385	safe_close(fd);
	386	return -errno;
	387	}
	388
	389	r = serialize_strv(f, "env", *env);
	390	if (r < 0)
	391	return r;
	392
	393	r = fflush_and_check(f);
	394	if (r < 0)
	395	return r;
	396
	397	return 0;
	398	}
	399
	400	static int gather_environment_consume(int fd, void *arg) {
	401	char ***env = ASSERT_PTR(arg);
	402	_cleanup_fclose_ FILE *f = NULL;
	403	int r, ret = 0;
	404
	405	/* Read a series of env=cescape(VAR=value) assignments from fd into env. */
	406
	407	assert(fd >= 0);
	408
	409	f = fdopen(fd, "r");
	410	if (!f) {
	411	safe_close(fd);
	412	return -errno;
	413	}
	414
	415	for (;;) {
	416	_cleanup_free_ char *line = NULL;
	417	const char *v;
	418
	419	r = read_line(f, LONG_LINE_MAX, &line);
	420	if (r < 0)
	421	return r;
	422	if (r == 0)
	423	return ret;
	424
	425	v = startswith(line, "env=");
	426	if (!v) {
	427	RET_GATHER(ret, log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
	428	"Serialization line unexpectedly didn't start with \"env=\", ignoring: %s",
	429	line));
	430	continue;
	431	}
	432
	433	r = deserialize_environment(v, env);
	434	if (r < 0)
	435	RET_GATHER(ret, log_debug_errno(r, "Failed to deserialize line \"%s\": %m", line));
	436	}
	437	}
	438
	439	const gather_stdout_callback_t gather_environment[_STDOUT_CONSUME_MAX] = {
	440	gather_environment_generate,
	441	gather_environment_collect,
	442	gather_environment_consume,
	443	};
	444
	445	int exec_command_flags_from_strv(char * const ex_opts, ExecCommandFlags ret) {
	446	ExecCommandFlags flags = 0;
	447
	448	assert(ret);
	449
	450	STRV_FOREACH(opt, ex_opts) {
	451	ExecCommandFlags fl = exec_command_flags_from_string(*opt);
	452	if (fl < 0)
	453	return fl;
	454
	455	flags \|= fl;
	456	}
	457
	458	*ret = flags;
	459
	460	return 0;
	461	}
	462
	463	int exec_command_flags_to_strv(ExecCommandFlags flags, char ***ret) {
	464	_cleanup_strv_free_ char **opts = NULL;
	465	int r;
	466
	467	assert(flags >= 0);
	468	assert(ret);
	469
	470	BIT_FOREACH(i, flags) {
	471	const char *s = exec_command_flags_to_string(1 << i);
	472	if (!s)
	473	return -EINVAL;
	474
	475	r = strv_extend(&opts, s);
	476	if (r < 0)
	477	return r;
	478	}
	479
	480	*ret = TAKE_PTR(opts);
	481
	482	return 0;
	483	}
	484
	485	static const char* const exec_command_strings[] = {
	486	"ignore-failure", /* EXEC_COMMAND_IGNORE_FAILURE */
	487	"privileged", /* EXEC_COMMAND_FULLY_PRIVILEGED */
	488	"no-setuid", /* EXEC_COMMAND_NO_SETUID */
	489	"no-env-expand", /* EXEC_COMMAND_NO_ENV_EXPAND */
	490	"via-shell", /* EXEC_COMMAND_VIA_SHELL */
	491	};
	492
	493	assert_cc((1 << ELEMENTSOF(exec_command_strings)) - 1 == _EXEC_COMMAND_FLAGS_ALL);
	494
	495	const char* exec_command_flags_to_string(ExecCommandFlags i) {
	496	for (size_t idx = 0; idx < ELEMENTSOF(exec_command_strings); idx++)
	497	if (i == (1 << idx))
	498	return exec_command_strings[idx];
	499
	500	return NULL;
	501	}
	502
	503	ExecCommandFlags exec_command_flags_from_string(const char *s) {
	504	ssize_t idx;
	505
	506	if (streq(s, "ambient")) /* Compatibility with ambient hack, removed in v258, map to no bits set */
	507	return 0;
	508
	509	idx = string_table_lookup_from_string(exec_command_strings, ELEMENTSOF(exec_command_strings), s);
	510	if (idx < 0)
	511	return _EXEC_COMMAND_FLAGS_INVALID;
	512
	513	return 1 << idx;
	514	}
	515
	516	int fexecve_or_execve(int executable_fd, const char executable, char const argv[], char *const envp[]) {
	517	/* Refuse invalid fds, regardless if fexecve() use is enabled or not */
	518	if (executable_fd < 0)
	519	return -EBADF;
	520
	521	/* Block any attempts on exploiting Linux' liberal argv[] handling, i.e. CVE-2021-4034 and suchlike */
	522	if (isempty(executable) \|\| strv_isempty(argv))
	523	return -EINVAL;
	524
	525	#if ENABLE_FEXECVE
	526
	527	execveat(executable_fd, "", argv, envp, AT_EMPTY_PATH);
	528
	529	if (IN_SET(errno, ENOSYS, ENOENT) \|\| ERRNO_IS_PRIVILEGE(errno))
	530	/* Old kernel or a script or an overzealous seccomp filter? Let's fall back to execve().
	531	*
	532	* fexecve(3): "If fd refers to a script (i.e., it is an executable text file that names a
	533	* script interpreter with a first line that begins with the characters #!) and the
	534	* close-on-exec flag has been set for fd, then fexecve() fails with the error ENOENT. This
	535	* error occurs because, by the time the script interpreter is executed, fd has already been
	536	* closed because of the close-on-exec flag. Thus, the close-on-exec flag can't be set on fd
	537	* if it refers to a script."
	538	*
	539	* Unfortunately, if we unset close-on-exec, the script will be executed just fine, but (at
	540	* least in case of bash) the script name, $0, will be shown as /dev/fd/nnn, which breaks
	541	* scripts which make use of $0. Thus, let's fall back to execve() in this case.
	542	*/
	543	#endif
	544	execve(executable, argv, envp);
	545	return -errno;
	546	}
	547
	548	int shall_fork_agent(void) {
	549	int r;
	550
	551	/* Check if we have a controlling terminal. If not (ENXIO here), we aren't actually invoked
	552	* interactively on a terminal, hence fail. */
	553	r = get_ctty_devnr(0, NULL);
	554	if (r == -ENXIO)
	555	return false;
	556	if (r < 0)
	557	return r;
	558
	559	if (!is_main_thread())
	560	return -EPERM;
	561
	562	return true;
	563	}
	564
	565	int _fork_agent(const char name, char const argv, const int except[], size_t n_except, pid_t ret_pid) {
	566	int r;
	567
	568	assert(!strv_isempty(argv));
	569
	570	/* Spawns a temporary TTY agent, making sure it goes away when we go away */
	571
	572	r = safe_fork_full(name,
	573	NULL,
	574	(int) except, / safe_fork_full only changes except if you pass in FORK_PACK_FDS, which we don't */
	575	n_except,
	576	FORK_RESET_SIGNALS\|FORK_DEATHSIG_SIGTERM\|FORK_CLOSE_ALL_FDS\|FORK_REOPEN_LOG\|FORK_RLIMIT_NOFILE_SAFE,
	577	ret_pid);
	578	if (r < 0)
	579	return r;
	580	if (r > 0)
	581	return 0;
	582
	583	/* In the child: */
	584
	585	bool stdin_is_tty = isatty_safe(STDIN_FILENO),
	586	stdout_is_tty = isatty_safe(STDOUT_FILENO),
	587	stderr_is_tty = isatty_safe(STDERR_FILENO);
	588
	589	if (!stdin_is_tty \|\| !stdout_is_tty \|\| !stderr_is_tty) {
	590	int fd;
	591
	592	/* Detach from stdin/stdout/stderr and reopen /dev/tty for them. This is important to ensure
	593	* that when systemctl is started via popen() or a similar call that expects to read EOF we
	594	* actually do generate EOF and not delay this indefinitely by keeping an unused copy of
	595	* stdin around. */
	596	fd = open_terminal("/dev/tty", stdin_is_tty ? O_WRONLY : (stdout_is_tty && stderr_is_tty) ? O_RDONLY : O_RDWR);
	597	if (fd < 0) {
	598	log_error_errno(fd, "Failed to open %s: %m", "/dev/tty");
	599	_exit(EXIT_FAILURE);
	600	}
	601
	602	if (!stdin_is_tty && dup2(fd, STDIN_FILENO) < 0) {
	603	log_error_errno(errno, "Failed to dup2 /dev/tty to STDIN: %m");
	604	_exit(EXIT_FAILURE);
	605	}
	606
	607	if (!stdout_is_tty && dup2(fd, STDOUT_FILENO) < 0) {
	608	log_error_errno(errno, "Failed to dup2 /dev/tty to STDOUT: %m");
	609	_exit(EXIT_FAILURE);
	610	}
	611
	612	if (!stderr_is_tty && dup2(fd, STDERR_FILENO) < 0) {
	613	log_error_errno(errno, "Failed to dup2 /dev/tty to STDERR: %m");
	614	_exit(EXIT_FAILURE);
	615	}
	616
	617	fd = safe_close_above_stdio(fd);
	618	}
	619
	620	/* Count arguments */
	621	execv(argv[0], argv);
	622
	623	/* Let's treat missing agent binary as a graceful issue (in order to support splitting out the Polkit
	624	* or password agents into separate, optional distro packages), and not complain loudly. */
	625	log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_ERR, errno,
	626	"Failed to execute %s: %m", argv[0]);
	627	_exit(EXIT_FAILURE);
	628	}