]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/execute.c
projects / thirdparty / systemd.git / blob
? search:


10f73ee9b5798efcab43ac9a244fdc9b51e5da80
[thirdparty/systemd.git] / src / core / execute.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <errno.h>
21 #include <fcntl.h>
22 #include <glob.h>
23 #include <grp.h>
24 #include <poll.h>
25 #include <signal.h>
26 #include <string.h>
27 #include <sys/capability.h>
28 #include <sys/eventfd.h>
29 #include <sys/mman.h>
30 #include <sys/personality.h>
31 #include <sys/prctl.h>
32 #include <sys/shm.h>
33 #include <sys/socket.h>
34 #include <sys/stat.h>
35 #include <sys/types.h>
36 #include <sys/un.h>
37 #include <unistd.h>
38 #include <utmpx.h>
39
40 #ifdef HAVE_PAM
41 #include <security/pam_appl.h>
42 #endif
43
44 #ifdef HAVE_SELINUX
45 #include <selinux/selinux.h>
46 #endif
47
48 #ifdef HAVE_SECCOMP
49 #include <seccomp.h>
50 #endif
51
52 #ifdef HAVE_APPARMOR
53 #include <sys/apparmor.h>
54 #endif
55
56 #include "sd-messages.h"
57
58 #include "af-list.h"
59 #include "alloc-util.h"
60 #ifdef HAVE_APPARMOR
61 #include "apparmor-util.h"
62 #endif
63 #include "async.h"
64 #include "barrier.h"
65 #include "cap-list.h"
66 #include "capability-util.h"
67 #include "def.h"
68 #include "env-util.h"
69 #include "errno-list.h"
70 #include "execute.h"
71 #include "exit-status.h"
72 #include "fd-util.h"
73 #include "fileio.h"
74 #include "format-util.h"
75 #include "fs-util.h"
76 #include "glob-util.h"
77 #include "io-util.h"
78 #include "ioprio.h"
79 #include "log.h"
80 #include "macro.h"
81 #include "missing.h"
82 #include "mkdir.h"
83 #include "namespace.h"
84 #include "parse-util.h"
85 #include "path-util.h"
86 #include "process-util.h"
87 #include "rlimit-util.h"
88 #include "rm-rf.h"
89 #ifdef HAVE_SECCOMP
90 #include "seccomp-util.h"
91 #endif
92 #include "securebits.h"
93 #include "selinux-util.h"
94 #include "signal-util.h"
95 #include "smack-util.h"
96 #include "special.h"
97 #include "string-table.h"
98 #include "string-util.h"
99 #include "strv.h"
100 #include "syslog-util.h"
101 #include "terminal-util.h"
102 #include "unit.h"
103 #include "user-util.h"
104 #include "util.h"
105 #include "utmp-wtmp.h"
106
107 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
108 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
109
110 /* This assumes there is a 'tty' group */
111 #define TTY_MODE 0620
112
113 #define SNDBUF_SIZE (8*1024*1024)
114
115 static int shift_fds(int fds[], unsigned n_fds) {
116 int start, restart_from;
117
118 if (n_fds <= 0)
119 return 0;
120
121 /* Modifies the fds array! (sorts it) */
122
123 assert(fds);
124
125 start = 0;
126 for (;;) {
127 int i;
128
129 restart_from = -1;
130
131 for (i = start; i < (int) n_fds; i++) {
132 int nfd;
133
134 /* Already at right index? */
135 if (fds[i] == i+3)
136 continue;
137
138 nfd = fcntl(fds[i], F_DUPFD, i + 3);
139 if (nfd < 0)
140 return -errno;
141
142 safe_close(fds[i]);
143 fds[i] = nfd;
144
145 /* Hmm, the fd we wanted isn't free? Then
146 * let's remember that and try again from here */
147 if (nfd != i+3 && restart_from < 0)
148 restart_from = i;
149 }
150
151 if (restart_from < 0)
152 break;
153
154 start = restart_from;
155 }
156
157 return 0;
158 }
159
160 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
161 unsigned i;
162 int r;
163
164 if (n_fds <= 0)
165 return 0;
166
167 assert(fds);
168
169 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
170
171 for (i = 0; i < n_fds; i++) {
172
173 r = fd_nonblock(fds[i], nonblock);
174 if (r < 0)
175 return r;
176
177 /* We unconditionally drop FD_CLOEXEC from the fds,
178 * since after all we want to pass these fds to our
179 * children */
180
181 r = fd_cloexec(fds[i], false);
182 if (r < 0)
183 return r;
184 }
185
186 return 0;
187 }
188
189 static const char *exec_context_tty_path(const ExecContext *context) {
190 assert(context);
191
192 if (context->stdio_as_fds)
193 return NULL;
194
195 if (context->tty_path)
196 return context->tty_path;
197
198 return "/dev/console";
199 }
200
201 static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
202 const char *path;
203
204 assert(context);
205
206 path = exec_context_tty_path(context);
207
208 if (context->tty_vhangup) {
209 if (p && p->stdin_fd >= 0)
210 (void) terminal_vhangup_fd(p->stdin_fd);
211 else if (path)
212 (void) terminal_vhangup(path);
213 }
214
215 if (context->tty_reset) {
216 if (p && p->stdin_fd >= 0)
217 (void) reset_terminal_fd(p->stdin_fd, true);
218 else if (path)
219 (void) reset_terminal(path);
220 }
221
222 if (context->tty_vt_disallocate && path)
223 (void) vt_disallocate(path);
224 }
225
226 static bool is_terminal_input(ExecInput i) {
227 return IN_SET(i,
228 EXEC_INPUT_TTY,
229 EXEC_INPUT_TTY_FORCE,
230 EXEC_INPUT_TTY_FAIL);
231 }
232
233 static bool is_terminal_output(ExecOutput o) {
234 return IN_SET(o,
235 EXEC_OUTPUT_TTY,
236 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
237 EXEC_OUTPUT_KMSG_AND_CONSOLE,
238 EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
239 }
240
241 static bool exec_context_needs_term(const ExecContext *c) {
242 assert(c);
243
244 /* Return true if the execution context suggests we should set $TERM to something useful. */
245
246 if (is_terminal_input(c->std_input))
247 return true;
248
249 if (is_terminal_output(c->std_output))
250 return true;
251
252 if (is_terminal_output(c->std_error))
253 return true;
254
255 return !!c->tty_path;
256 }
257
258 static int open_null_as(int flags, int nfd) {
259 int fd, r;
260
261 assert(nfd >= 0);
262
263 fd = open("/dev/null", flags|O_NOCTTY);
264 if (fd < 0)
265 return -errno;
266
267 if (fd != nfd) {
268 r = dup2(fd, nfd) < 0 ? -errno : nfd;
269 safe_close(fd);
270 } else
271 r = nfd;
272
273 return r;
274 }
275
276 static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
277 union sockaddr_union sa = {
278 .un.sun_family = AF_UNIX,
279 .un.sun_path = "/run/systemd/journal/stdout",
280 };
281 uid_t olduid = UID_INVALID;
282 gid_t oldgid = GID_INVALID;
283 int r;
284
285 if (gid != GID_INVALID) {
286 oldgid = getgid();
287
288 r = setegid(gid);
289 if (r < 0)
290 return -errno;
291 }
292
293 if (uid != UID_INVALID) {
294 olduid = getuid();
295
296 r = seteuid(uid);
297 if (r < 0) {
298 r = -errno;
299 goto restore_gid;
300 }
301 }
302
303 r = connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
304 if (r < 0)
305 r = -errno;
306
307 /* If we fail to restore the uid or gid, things will likely
308 fail later on. This should only happen if an LSM interferes. */
309
310 if (uid != UID_INVALID)
311 (void) seteuid(olduid);
312
313 restore_gid:
314 if (gid != GID_INVALID)
315 (void) setegid(oldgid);
316
317 return r;
318 }
319
320 static int connect_logger_as(
321 Unit *unit,
322 const ExecContext *context,
323 ExecOutput output,
324 const char *ident,
325 int nfd,
326 uid_t uid,
327 gid_t gid) {
328
329 int fd, r;
330
331 assert(context);
332 assert(output < _EXEC_OUTPUT_MAX);
333 assert(ident);
334 assert(nfd >= 0);
335
336 fd = socket(AF_UNIX, SOCK_STREAM, 0);
337 if (fd < 0)
338 return -errno;
339
340 r = connect_journal_socket(fd, uid, gid);
341 if (r < 0)
342 return r;
343
344 if (shutdown(fd, SHUT_RD) < 0) {
345 safe_close(fd);
346 return -errno;
347 }
348
349 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
350
351 dprintf(fd,
352 "%s\n"
353 "%s\n"
354 "%i\n"
355 "%i\n"
356 "%i\n"
357 "%i\n"
358 "%i\n",
359 context->syslog_identifier ? context->syslog_identifier : ident,
360 unit->id,
361 context->syslog_priority,
362 !!context->syslog_level_prefix,
363 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
364 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
365 is_terminal_output(output));
366
367 if (fd == nfd)
368 return nfd;
369
370 r = dup2(fd, nfd) < 0 ? -errno : nfd;
371 safe_close(fd);
372
373 return r;
374 }
375 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
376 int fd, r;
377
378 assert(path);
379 assert(nfd >= 0);
380
381 fd = open_terminal(path, mode | O_NOCTTY);
382 if (fd < 0)
383 return fd;
384
385 if (fd != nfd) {
386 r = dup2(fd, nfd) < 0 ? -errno : nfd;
387 safe_close(fd);
388 } else
389 r = nfd;
390
391 return r;
392 }
393
394 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
395
396 if (is_terminal_input(std_input) && !apply_tty_stdin)
397 return EXEC_INPUT_NULL;
398
399 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
400 return EXEC_INPUT_NULL;
401
402 return std_input;
403 }
404
405 static int fixup_output(ExecOutput std_output, int socket_fd) {
406
407 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
408 return EXEC_OUTPUT_INHERIT;
409
410 return std_output;
411 }
412
413 static int setup_input(
414 const ExecContext *context,
415 const ExecParameters *params,
416 int socket_fd,
417 int named_iofds[3]) {
418
419 ExecInput i;
420
421 assert(context);
422 assert(params);
423
424 if (params->stdin_fd >= 0) {
425 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
426 return -errno;
427
428 /* Try to make this the controlling tty, if it is a tty, and reset it */
429 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
430 (void) reset_terminal_fd(STDIN_FILENO, true);
431
432 return STDIN_FILENO;
433 }
434
435 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
436
437 switch (i) {
438
439 case EXEC_INPUT_NULL:
440 return open_null_as(O_RDONLY, STDIN_FILENO);
441
442 case EXEC_INPUT_TTY:
443 case EXEC_INPUT_TTY_FORCE:
444 case EXEC_INPUT_TTY_FAIL: {
445 int fd, r;
446
447 fd = acquire_terminal(exec_context_tty_path(context),
448 i == EXEC_INPUT_TTY_FAIL,
449 i == EXEC_INPUT_TTY_FORCE,
450 false,
451 USEC_INFINITY);
452 if (fd < 0)
453 return fd;
454
455 if (fd != STDIN_FILENO) {
456 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
457 safe_close(fd);
458 } else
459 r = STDIN_FILENO;
460
461 return r;
462 }
463
464 case EXEC_INPUT_SOCKET:
465 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
466
467 case EXEC_INPUT_NAMED_FD:
468 (void) fd_nonblock(named_iofds[STDIN_FILENO], false);
469 return dup2(named_iofds[STDIN_FILENO], STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
470
471 default:
472 assert_not_reached("Unknown input type");
473 }
474 }
475
476 static int setup_output(
477 Unit *unit,
478 const ExecContext *context,
479 const ExecParameters *params,
480 int fileno,
481 int socket_fd,
482 int named_iofds[3],
483 const char *ident,
484 uid_t uid,
485 gid_t gid,
486 dev_t *journal_stream_dev,
487 ino_t *journal_stream_ino) {
488
489 ExecOutput o;
490 ExecInput i;
491 int r;
492
493 assert(unit);
494 assert(context);
495 assert(params);
496 assert(ident);
497 assert(journal_stream_dev);
498 assert(journal_stream_ino);
499
500 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
501
502 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
503 return -errno;
504
505 return STDOUT_FILENO;
506 }
507
508 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
509 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
510 return -errno;
511
512 return STDERR_FILENO;
513 }
514
515 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
516 o = fixup_output(context->std_output, socket_fd);
517
518 if (fileno == STDERR_FILENO) {
519 ExecOutput e;
520 e = fixup_output(context->std_error, socket_fd);
521
522 /* This expects the input and output are already set up */
523
524 /* Don't change the stderr file descriptor if we inherit all
525 * the way and are not on a tty */
526 if (e == EXEC_OUTPUT_INHERIT &&
527 o == EXEC_OUTPUT_INHERIT &&
528 i == EXEC_INPUT_NULL &&
529 !is_terminal_input(context->std_input) &&
530 getppid () != 1)
531 return fileno;
532
533 /* Duplicate from stdout if possible */
534 if ((e == o && e != EXEC_OUTPUT_NAMED_FD) || e == EXEC_OUTPUT_INHERIT)
535 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
536
537 o = e;
538
539 } else if (o == EXEC_OUTPUT_INHERIT) {
540 /* If input got downgraded, inherit the original value */
541 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
542 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
543
544 /* If the input is connected to anything that's not a /dev/null, inherit that... */
545 if (i != EXEC_INPUT_NULL)
546 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
547
548 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
549 if (getppid() != 1)
550 return fileno;
551
552 /* We need to open /dev/null here anew, to get the right access mode. */
553 return open_null_as(O_WRONLY, fileno);
554 }
555
556 switch (o) {
557
558 case EXEC_OUTPUT_NULL:
559 return open_null_as(O_WRONLY, fileno);
560
561 case EXEC_OUTPUT_TTY:
562 if (is_terminal_input(i))
563 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
564
565 /* We don't reset the terminal if this is just about output */
566 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
567
568 case EXEC_OUTPUT_SYSLOG:
569 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
570 case EXEC_OUTPUT_KMSG:
571 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
572 case EXEC_OUTPUT_JOURNAL:
573 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
574 r = connect_logger_as(unit, context, o, ident, fileno, uid, gid);
575 if (r < 0) {
576 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
577 r = open_null_as(O_WRONLY, fileno);
578 } else {
579 struct stat st;
580
581 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
582 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
583 * services to detect whether they are connected to the journal or not. */
584
585 if (fstat(fileno, &st) >= 0) {
586 *journal_stream_dev = st.st_dev;
587 *journal_stream_ino = st.st_ino;
588 }
589 }
590 return r;
591
592 case EXEC_OUTPUT_SOCKET:
593 assert(socket_fd >= 0);
594 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
595
596 case EXEC_OUTPUT_NAMED_FD:
597 (void) fd_nonblock(named_iofds[fileno], false);
598 return dup2(named_iofds[fileno], fileno) < 0 ? -errno : fileno;
599
600 default:
601 assert_not_reached("Unknown error type");
602 }
603 }
604
605 static int chown_terminal(int fd, uid_t uid) {
606 struct stat st;
607
608 assert(fd >= 0);
609
610 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
611 if (isatty(fd) < 1)
612 return 0;
613
614 /* This might fail. What matters are the results. */
615 (void) fchown(fd, uid, -1);
616 (void) fchmod(fd, TTY_MODE);
617
618 if (fstat(fd, &st) < 0)
619 return -errno;
620
621 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
622 return -EPERM;
623
624 return 0;
625 }
626
627 static int setup_confirm_stdio(const char *vc, int *_saved_stdin, int *_saved_stdout) {
628 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
629 int r;
630
631 assert(_saved_stdin);
632 assert(_saved_stdout);
633
634 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
635 if (saved_stdin < 0)
636 return -errno;
637
638 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
639 if (saved_stdout < 0)
640 return -errno;
641
642 fd = acquire_terminal(vc, false, false, false, DEFAULT_CONFIRM_USEC);
643 if (fd < 0)
644 return fd;
645
646 r = chown_terminal(fd, getuid());
647 if (r < 0)
648 return r;
649
650 r = reset_terminal_fd(fd, true);
651 if (r < 0)
652 return r;
653
654 if (dup2(fd, STDIN_FILENO) < 0)
655 return -errno;
656
657 if (dup2(fd, STDOUT_FILENO) < 0)
658 return -errno;
659
660 if (fd >= 2)
661 safe_close(fd);
662 fd = -1;
663
664 *_saved_stdin = saved_stdin;
665 *_saved_stdout = saved_stdout;
666
667 saved_stdin = saved_stdout = -1;
668
669 return 0;
670 }
671
672 static void write_confirm_error_fd(int err, int fd) {
673 assert(err < 0);
674
675 if (err == -ETIMEDOUT)
676 dprintf(fd, "Confirmation question timed out, assuming positive response.\n");
677 else {
678 errno = -err;
679 dprintf(fd, "Couldn't ask confirmation: %m, assuming positive response.\n");
680 }
681 }
682
683 static void write_confirm_error(int err, const char *vc) {
684 _cleanup_close_ int fd = -1;
685
686 assert(vc);
687
688 fd = open_terminal(vc, O_WRONLY|O_NOCTTY|O_CLOEXEC);
689 if (fd < 0)
690 return;
691
692 write_confirm_error_fd(err, fd);
693 }
694
695 static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
696 int r = 0;
697
698 assert(saved_stdin);
699 assert(saved_stdout);
700
701 release_terminal();
702
703 if (*saved_stdin >= 0)
704 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
705 r = -errno;
706
707 if (*saved_stdout >= 0)
708 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
709 r = -errno;
710
711 *saved_stdin = safe_close(*saved_stdin);
712 *saved_stdout = safe_close(*saved_stdout);
713
714 return r;
715 }
716
717 enum {
718 CONFIRM_PRETEND_FAILURE = -1,
719 CONFIRM_PRETEND_SUCCESS = 0,
720 CONFIRM_EXECUTE = 1,
721 };
722
723 static int ask_for_confirmation(const char *vc, Unit *u, const char *cmdline) {
724 int saved_stdout = -1, saved_stdin = -1, r;
725 _cleanup_free_ char *e = NULL;
726 char c;
727
728 /* For any internal errors, assume a positive response. */
729 r = setup_confirm_stdio(vc, &saved_stdin, &saved_stdout);
730 if (r < 0) {
731 write_confirm_error(r, vc);
732 return CONFIRM_EXECUTE;
733 }
734
735 /* confirm_spawn might have been disabled while we were sleeping. */
736 if (manager_is_confirm_spawn_disabled(u->manager)) {
737 r = 1;
738 goto restore_stdio;
739 }
740
741 e = ellipsize(cmdline, 60, 100);
742 if (!e) {
743 log_oom();
744 r = CONFIRM_EXECUTE;
745 goto restore_stdio;
746 }
747
748 for (;;) {
749 r = ask_char(&c, "yfshiDjc", "Execute %s? [y, f, s – h for help] ", e);
750 if (r < 0) {
751 write_confirm_error_fd(r, STDOUT_FILENO);
752 r = CONFIRM_EXECUTE;
753 goto restore_stdio;
754 }
755
756 switch (c) {
757 case 'c':
758 printf("Resuming normal execution.\n");
759 manager_disable_confirm_spawn();
760 r = 1;
761 break;
762 case 'D':
763 unit_dump(u, stdout, " ");
764 continue; /* ask again */
765 case 'f':
766 printf("Failing execution.\n");
767 r = CONFIRM_PRETEND_FAILURE;
768 break;
769 case 'h':
770 printf(" c - continue, proceed without asking anymore\n"
771 " D - dump, show the state of the unit\n"
772 " f - fail, don't execute the command and pretend it failed\n"
773 " h - help\n"
774 " i - info, show a short summary of the unit\n"
775 " j - jobs, show jobs that are in progress\n"
776 " s - skip, don't execute the command and pretend it succeeded\n"
777 " y - yes, execute the command\n");
778 continue; /* ask again */
779 case 'i':
780 printf(" Description: %s\n"
781 " Unit: %s\n"
782 " Command: %s\n",
783 u->id, u->description, cmdline);
784 continue; /* ask again */
785 case 'j':
786 manager_dump_jobs(u->manager, stdout, " ");
787 continue; /* ask again */
788 case 's':
789 printf("Skipping execution.\n");
790 r = CONFIRM_PRETEND_SUCCESS;
791 break;
792 case 'y':
793 r = CONFIRM_EXECUTE;
794 break;
795 default:
796 assert_not_reached("Unhandled choice");
797 }
798 break;
799 }
800
801 restore_stdio:
802 restore_confirm_stdio(&saved_stdin, &saved_stdout);
803 return r;
804 }
805
806 static int get_fixed_user(const ExecContext *c, const char **user,
807 uid_t *uid, gid_t *gid,
808 const char **home, const char **shell) {
809 int r;
810 const char *name;
811
812 assert(c);
813
814 if (!c->user)
815 return 0;
816
817 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
818 * (i.e. are "/" or "/bin/nologin"). */
819
820 name = c->user;
821 r = get_user_creds_clean(&name, uid, gid, home, shell);
822 if (r < 0)
823 return r;
824
825 *user = name;
826 return 0;
827 }
828
829 static int get_fixed_group(const ExecContext *c, const char **group, gid_t *gid) {
830 int r;
831 const char *name;
832
833 assert(c);
834
835 if (!c->group)
836 return 0;
837
838 name = c->group;
839 r = get_group_creds(&name, gid);
840 if (r < 0)
841 return r;
842
843 *group = name;
844 return 0;
845 }
846
847 static int get_supplementary_groups(const ExecContext *c, const char *user,
848 const char *group, gid_t gid,
849 gid_t **supplementary_gids, int *ngids) {
850 char **i;
851 int r, k = 0;
852 int ngroups_max;
853 bool keep_groups = false;
854 gid_t *groups = NULL;
855 _cleanup_free_ gid_t *l_gids = NULL;
856
857 assert(c);
858
859 /*
860 * If user is given, then lookup GID and supplementary groups list.
861 * We avoid NSS lookups for gid=0. Also we have to initialize groups
862 * here and as early as possible so we keep the list of supplementary
863 * groups of the caller.
864 */
865 if (user && gid_is_valid(gid) && gid != 0) {
866 /* First step, initialize groups from /etc/groups */
867 if (initgroups(user, gid) < 0)
868 return -errno;
869
870 keep_groups = true;
871 }
872
873 if (!c->supplementary_groups)
874 return 0;
875
876 /*
877 * If SupplementaryGroups= was passed then NGROUPS_MAX has to
878 * be positive, otherwise fail.
879 */
880 errno = 0;
881 ngroups_max = (int) sysconf(_SC_NGROUPS_MAX);
882 if (ngroups_max <= 0) {
883 if (errno > 0)
884 return -errno;
885 else
886 return -EOPNOTSUPP; /* For all other values */
887 }
888
889 l_gids = new(gid_t, ngroups_max);
890 if (!l_gids)
891 return -ENOMEM;
892
893 if (keep_groups) {
894 /*
895 * Lookup the list of groups that the user belongs to, we
896 * avoid NSS lookups here too for gid=0.
897 */
898 k = ngroups_max;
899 if (getgrouplist(user, gid, l_gids, &k) < 0)
900 return -EINVAL;
901 } else
902 k = 0;
903
904 STRV_FOREACH(i, c->supplementary_groups) {
905 const char *g;
906
907 if (k >= ngroups_max)
908 return -E2BIG;
909
910 g = *i;
911 r = get_group_creds(&g, l_gids+k);
912 if (r < 0)
913 return r;
914
915 k++;
916 }
917
918 /*
919 * Sets ngids to zero to drop all supplementary groups, happens
920 * when we are under root and SupplementaryGroups= is empty.
921 */
922 if (k == 0) {
923 *ngids = 0;
924 return 0;
925 }
926
927 /* Otherwise get the final list of supplementary groups */
928 groups = memdup(l_gids, sizeof(gid_t) * k);
929 if (!groups)
930 return -ENOMEM;
931
932 *supplementary_gids = groups;
933 *ngids = k;
934
935 groups = NULL;
936
937 return 0;
938 }
939
940 static int enforce_groups(const ExecContext *context, gid_t gid,
941 gid_t *supplementary_gids, int ngids) {
942 int r;
943
944 assert(context);
945
946 /* Handle SupplementaryGroups= even if it is empty */
947 if (context->supplementary_groups) {
948 r = maybe_setgroups(ngids, supplementary_gids);
949 if (r < 0)
950 return r;
951 }
952
953 if (gid_is_valid(gid)) {
954 /* Then set our gids */
955 if (setresgid(gid, gid, gid) < 0)
956 return -errno;
957 }
958
959 return 0;
960 }
961
962 static int enforce_user(const ExecContext *context, uid_t uid) {
963 assert(context);
964
965 if (!uid_is_valid(uid))
966 return 0;
967
968 /* Sets (but doesn't look up) the uid and make sure we keep the
969 * capabilities while doing so. */
970
971 if (context->capability_ambient_set != 0) {
972
973 /* First step: If we need to keep capabilities but
974 * drop privileges we need to make sure we keep our
975 * caps, while we drop privileges. */
976 if (uid != 0) {
977 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
978
979 if (prctl(PR_GET_SECUREBITS) != sb)
980 if (prctl(PR_SET_SECUREBITS, sb) < 0)
981 return -errno;
982 }
983 }
984
985 /* Second step: actually set the uids */
986 if (setresuid(uid, uid, uid) < 0)
987 return -errno;
988
989 /* At this point we should have all necessary capabilities but
990 are otherwise a normal user. However, the caps might got
991 corrupted due to the setresuid() so we need clean them up
992 later. This is done outside of this call. */
993
994 return 0;
995 }
996
997 #ifdef HAVE_PAM
998
999 static int null_conv(
1000 int num_msg,
1001 const struct pam_message **msg,
1002 struct pam_response **resp,
1003 void *appdata_ptr) {
1004
1005 /* We don't support conversations */
1006
1007 return PAM_CONV_ERR;
1008 }
1009
1010 #endif
1011
1012 static int setup_pam(
1013 const char *name,
1014 const char *user,
1015 uid_t uid,
1016 gid_t gid,
1017 const char *tty,
1018 char ***env,
1019 int fds[], unsigned n_fds) {
1020
1021 #ifdef HAVE_PAM
1022
1023 static const struct pam_conv conv = {
1024 .conv = null_conv,
1025 .appdata_ptr = NULL
1026 };
1027
1028 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
1029 pam_handle_t *handle = NULL;
1030 sigset_t old_ss;
1031 int pam_code = PAM_SUCCESS, r;
1032 char **nv, **e = NULL;
1033 bool close_session = false;
1034 pid_t pam_pid = 0, parent_pid;
1035 int flags = 0;
1036
1037 assert(name);
1038 assert(user);
1039 assert(env);
1040
1041 /* We set up PAM in the parent process, then fork. The child
1042 * will then stay around until killed via PR_GET_PDEATHSIG or
1043 * systemd via the cgroup logic. It will then remove the PAM
1044 * session again. The parent process will exec() the actual
1045 * daemon. We do things this way to ensure that the main PID
1046 * of the daemon is the one we initially fork()ed. */
1047
1048 r = barrier_create(&barrier);
1049 if (r < 0)
1050 goto fail;
1051
1052 if (log_get_max_level() < LOG_DEBUG)
1053 flags |= PAM_SILENT;
1054
1055 pam_code = pam_start(name, user, &conv, &handle);
1056 if (pam_code != PAM_SUCCESS) {
1057 handle = NULL;
1058 goto fail;
1059 }
1060
1061 if (tty) {
1062 pam_code = pam_set_item(handle, PAM_TTY, tty);
1063 if (pam_code != PAM_SUCCESS)
1064 goto fail;
1065 }
1066
1067 STRV_FOREACH(nv, *env) {
1068 pam_code = pam_putenv(handle, *nv);
1069 if (pam_code != PAM_SUCCESS)
1070 goto fail;
1071 }
1072
1073 pam_code = pam_acct_mgmt(handle, flags);
1074 if (pam_code != PAM_SUCCESS)
1075 goto fail;
1076
1077 pam_code = pam_open_session(handle, flags);
1078 if (pam_code != PAM_SUCCESS)
1079 goto fail;
1080
1081 close_session = true;
1082
1083 e = pam_getenvlist(handle);
1084 if (!e) {
1085 pam_code = PAM_BUF_ERR;
1086 goto fail;
1087 }
1088
1089 /* Block SIGTERM, so that we know that it won't get lost in
1090 * the child */
1091
1092 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
1093
1094 parent_pid = getpid();
1095
1096 pam_pid = fork();
1097 if (pam_pid < 0) {
1098 r = -errno;
1099 goto fail;
1100 }
1101
1102 if (pam_pid == 0) {
1103 int sig, ret = EXIT_PAM;
1104
1105 /* The child's job is to reset the PAM session on
1106 * termination */
1107 barrier_set_role(&barrier, BARRIER_CHILD);
1108
1109 /* This string must fit in 10 chars (i.e. the length
1110 * of "/sbin/init"), to look pretty in /bin/ps */
1111 rename_process("(sd-pam)");
1112
1113 /* Make sure we don't keep open the passed fds in this
1114 child. We assume that otherwise only those fds are
1115 open here that have been opened by PAM. */
1116 close_many(fds, n_fds);
1117
1118 /* Drop privileges - we don't need any to pam_close_session
1119 * and this will make PR_SET_PDEATHSIG work in most cases.
1120 * If this fails, ignore the error - but expect sd-pam threads
1121 * to fail to exit normally */
1122
1123 r = maybe_setgroups(0, NULL);
1124 if (r < 0)
1125 log_warning_errno(r, "Failed to setgroups() in sd-pam: %m");
1126 if (setresgid(gid, gid, gid) < 0)
1127 log_warning_errno(errno, "Failed to setresgid() in sd-pam: %m");
1128 if (setresuid(uid, uid, uid) < 0)
1129 log_warning_errno(errno, "Failed to setresuid() in sd-pam: %m");
1130
1131 (void) ignore_signals(SIGPIPE, -1);
1132
1133 /* Wait until our parent died. This will only work if
1134 * the above setresuid() succeeds, otherwise the kernel
1135 * will not allow unprivileged parents kill their privileged
1136 * children this way. We rely on the control groups kill logic
1137 * to do the rest for us. */
1138 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
1139 goto child_finish;
1140
1141 /* Tell the parent that our setup is done. This is especially
1142 * important regarding dropping privileges. Otherwise, unit
1143 * setup might race against our setresuid(2) call. */
1144 barrier_place(&barrier);
1145
1146 /* Check if our parent process might already have
1147 * died? */
1148 if (getppid() == parent_pid) {
1149 sigset_t ss;
1150
1151 assert_se(sigemptyset(&ss) >= 0);
1152 assert_se(sigaddset(&ss, SIGTERM) >= 0);
1153
1154 for (;;) {
1155 if (sigwait(&ss, &sig) < 0) {
1156 if (errno == EINTR)
1157 continue;
1158
1159 goto child_finish;
1160 }
1161
1162 assert(sig == SIGTERM);
1163 break;
1164 }
1165 }
1166
1167 /* If our parent died we'll end the session */
1168 if (getppid() != parent_pid) {
1169 pam_code = pam_close_session(handle, flags);
1170 if (pam_code != PAM_SUCCESS)
1171 goto child_finish;
1172 }
1173
1174 ret = 0;
1175
1176 child_finish:
1177 pam_end(handle, pam_code | flags);
1178 _exit(ret);
1179 }
1180
1181 barrier_set_role(&barrier, BARRIER_PARENT);
1182
1183 /* If the child was forked off successfully it will do all the
1184 * cleanups, so forget about the handle here. */
1185 handle = NULL;
1186
1187 /* Unblock SIGTERM again in the parent */
1188 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
1189
1190 /* We close the log explicitly here, since the PAM modules
1191 * might have opened it, but we don't want this fd around. */
1192 closelog();
1193
1194 /* Synchronously wait for the child to initialize. We don't care for
1195 * errors as we cannot recover. However, warn loudly if it happens. */
1196 if (!barrier_place_and_sync(&barrier))
1197 log_error("PAM initialization failed");
1198
1199 strv_free(*env);
1200 *env = e;
1201
1202 return 0;
1203
1204 fail:
1205 if (pam_code != PAM_SUCCESS) {
1206 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
1207 r = -EPERM; /* PAM errors do not map to errno */
1208 } else
1209 log_error_errno(r, "PAM failed: %m");
1210
1211 if (handle) {
1212 if (close_session)
1213 pam_code = pam_close_session(handle, flags);
1214
1215 pam_end(handle, pam_code | flags);
1216 }
1217
1218 strv_free(e);
1219 closelog();
1220
1221 return r;
1222 #else
1223 return 0;
1224 #endif
1225 }
1226
1227 static void rename_process_from_path(const char *path) {
1228 char process_name[11];
1229 const char *p;
1230 size_t l;
1231
1232 /* This resulting string must fit in 10 chars (i.e. the length
1233 * of "/sbin/init") to look pretty in /bin/ps */
1234
1235 p = basename(path);
1236 if (isempty(p)) {
1237 rename_process("(...)");
1238 return;
1239 }
1240
1241 l = strlen(p);
1242 if (l > 8) {
1243 /* The end of the process name is usually more
1244 * interesting, since the first bit might just be
1245 * "systemd-" */
1246 p = p + l - 8;
1247 l = 8;
1248 }
1249
1250 process_name[0] = '(';
1251 memcpy(process_name+1, p, l);
1252 process_name[1+l] = ')';
1253 process_name[1+l+1] = 0;
1254
1255 rename_process(process_name);
1256 }
1257
1258 #ifdef HAVE_SECCOMP
1259
1260 static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
1261
1262 if (is_seccomp_available())
1263 return false;
1264
1265 log_open();
1266 log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
1267 log_close();
1268 return true;
1269 }
1270
1271 static int apply_seccomp(const Unit* u, const ExecContext *c) {
1272 uint32_t negative_action, action;
1273 scmp_filter_ctx seccomp;
1274 Iterator i;
1275 void *id;
1276 int r;
1277
1278 assert(c);
1279
1280 if (skip_seccomp_unavailable(u, "syscall filtering"))
1281 return 0;
1282
1283 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
1284
1285 seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW);
1286 if (!seccomp)
1287 return -ENOMEM;
1288
1289 if (c->syscall_archs) {
1290
1291 SET_FOREACH(id, c->syscall_archs, i) {
1292 r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
1293 if (r == -EEXIST)
1294 continue;
1295 if (r < 0)
1296 goto finish;
1297 }
1298
1299 } else {
1300 r = seccomp_add_secondary_archs(seccomp);
1301 if (r < 0)
1302 goto finish;
1303 }
1304
1305 action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
1306 SET_FOREACH(id, c->syscall_filter, i) {
1307 r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
1308 if (r < 0)
1309 goto finish;
1310 }
1311
1312 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1313 if (r < 0)
1314 goto finish;
1315
1316 r = seccomp_load(seccomp);
1317
1318 finish:
1319 seccomp_release(seccomp);
1320 return r;
1321 }
1322
1323 static int apply_address_families(const Unit* u, const ExecContext *c) {
1324 scmp_filter_ctx seccomp;
1325 Iterator i;
1326 int r;
1327
1328 assert(c);
1329
1330 if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
1331 return 0;
1332
1333 r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
1334 if (r < 0)
1335 return r;
1336
1337 if (c->address_families_whitelist) {
1338 int af, first = 0, last = 0;
1339 void *afp;
1340
1341 /* If this is a whitelist, we first block the address
1342 * families that are out of range and then everything
1343 * that is not in the set. First, we find the lowest
1344 * and highest address family in the set. */
1345
1346 SET_FOREACH(afp, c->address_families, i) {
1347 af = PTR_TO_INT(afp);
1348
1349 if (af <= 0 || af >= af_max())
1350 continue;
1351
1352 if (first == 0 || af < first)
1353 first = af;
1354
1355 if (last == 0 || af > last)
1356 last = af;
1357 }
1358
1359 assert((first == 0) == (last == 0));
1360
1361 if (first == 0) {
1362
1363 /* No entries in the valid range, block everything */
1364 r = seccomp_rule_add(
1365 seccomp,
1366 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1367 SCMP_SYS(socket),
1368 0);
1369 if (r < 0)
1370 goto finish;
1371
1372 } else {
1373
1374 /* Block everything below the first entry */
1375 r = seccomp_rule_add(
1376 seccomp,
1377 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1378 SCMP_SYS(socket),
1379 1,
1380 SCMP_A0(SCMP_CMP_LT, first));
1381 if (r < 0)
1382 goto finish;
1383
1384 /* Block everything above the last entry */
1385 r = seccomp_rule_add(
1386 seccomp,
1387 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1388 SCMP_SYS(socket),
1389 1,
1390 SCMP_A0(SCMP_CMP_GT, last));
1391 if (r < 0)
1392 goto finish;
1393
1394 /* Block everything between the first and last
1395 * entry */
1396 for (af = 1; af < af_max(); af++) {
1397
1398 if (set_contains(c->address_families, INT_TO_PTR(af)))
1399 continue;
1400
1401 r = seccomp_rule_add(
1402 seccomp,
1403 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1404 SCMP_SYS(socket),
1405 1,
1406 SCMP_A0(SCMP_CMP_EQ, af));
1407 if (r < 0)
1408 goto finish;
1409 }
1410 }
1411
1412 } else {
1413 void *af;
1414
1415 /* If this is a blacklist, then generate one rule for
1416 * each address family that are then combined in OR
1417 * checks. */
1418
1419 SET_FOREACH(af, c->address_families, i) {
1420
1421 r = seccomp_rule_add(
1422 seccomp,
1423 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1424 SCMP_SYS(socket),
1425 1,
1426 SCMP_A0(SCMP_CMP_EQ, PTR_TO_INT(af)));
1427 if (r < 0)
1428 goto finish;
1429 }
1430 }
1431
1432 r = seccomp_load(seccomp);
1433
1434 finish:
1435 seccomp_release(seccomp);
1436 return r;
1437 }
1438
1439 static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c) {
1440 scmp_filter_ctx seccomp;
1441 int r;
1442
1443 assert(c);
1444
1445 if (skip_seccomp_unavailable(u, "MemoryDenyWriteExecute="))
1446 return 0;
1447
1448 r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
1449 if (r < 0)
1450 return r;
1451
1452 r = seccomp_rule_add(
1453 seccomp,
1454 SCMP_ACT_ERRNO(EPERM),
1455 SCMP_SYS(mmap),
1456 1,
1457 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE));
1458 if (r < 0)
1459 goto finish;
1460
1461 r = seccomp_rule_add(
1462 seccomp,
1463 SCMP_ACT_ERRNO(EPERM),
1464 SCMP_SYS(mprotect),
1465 1,
1466 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC));
1467 if (r < 0)
1468 goto finish;
1469
1470 r = seccomp_rule_add(
1471 seccomp,
1472 SCMP_ACT_ERRNO(EPERM),
1473 SCMP_SYS(shmat),
1474 1,
1475 SCMP_A2(SCMP_CMP_MASKED_EQ, SHM_EXEC, SHM_EXEC));
1476 if (r < 0)
1477 goto finish;
1478
1479 r = seccomp_load(seccomp);
1480
1481 finish:
1482 seccomp_release(seccomp);
1483 return r;
1484 }
1485
1486 static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
1487 static const int permitted_policies[] = {
1488 SCHED_OTHER,
1489 SCHED_BATCH,
1490 SCHED_IDLE,
1491 };
1492
1493 scmp_filter_ctx seccomp;
1494 unsigned i;
1495 int r, p, max_policy = 0;
1496
1497 assert(c);
1498
1499 if (skip_seccomp_unavailable(u, "RestrictRealtime="))
1500 return 0;
1501
1502 r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
1503 if (r < 0)
1504 return r;
1505
1506 /* Determine the highest policy constant we want to allow */
1507 for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
1508 if (permitted_policies[i] > max_policy)
1509 max_policy = permitted_policies[i];
1510
1511 /* Go through all policies with lower values than that, and block them -- unless they appear in the
1512 * whitelist. */
1513 for (p = 0; p < max_policy; p++) {
1514 bool good = false;
1515
1516 /* Check if this is in the whitelist. */
1517 for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
1518 if (permitted_policies[i] == p) {
1519 good = true;
1520 break;
1521 }
1522
1523 if (good)
1524 continue;
1525
1526 /* Deny this policy */
1527 r = seccomp_rule_add(
1528 seccomp,
1529 SCMP_ACT_ERRNO(EPERM),
1530 SCMP_SYS(sched_setscheduler),
1531 1,
1532 SCMP_A1(SCMP_CMP_EQ, p));
1533 if (r < 0)
1534 goto finish;
1535 }
1536
1537 /* Blacklist all other policies, i.e. the ones with higher values. Note that all comparisons are unsigned here,
1538 * hence no need no check for < 0 values. */
1539 r = seccomp_rule_add(
1540 seccomp,
1541 SCMP_ACT_ERRNO(EPERM),
1542 SCMP_SYS(sched_setscheduler),
1543 1,
1544 SCMP_A1(SCMP_CMP_GT, max_policy));
1545 if (r < 0)
1546 goto finish;
1547
1548 r = seccomp_load(seccomp);
1549
1550 finish:
1551 seccomp_release(seccomp);
1552 return r;
1553 }
1554
1555 static int apply_protect_sysctl(const Unit *u, const ExecContext *c) {
1556 scmp_filter_ctx seccomp;
1557 int r;
1558
1559 assert(c);
1560
1561 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1562 * let's protect even those systems where this is left on in the kernel. */
1563
1564 if (skip_seccomp_unavailable(u, "ProtectKernelTunables="))
1565 return 0;
1566
1567 r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
1568 if (r < 0)
1569 return r;
1570
1571 r = seccomp_rule_add(
1572 seccomp,
1573 SCMP_ACT_ERRNO(EPERM),
1574 SCMP_SYS(_sysctl),
1575 0);
1576 if (r < 0)
1577 goto finish;
1578
1579 r = seccomp_load(seccomp);
1580
1581 finish:
1582 seccomp_release(seccomp);
1583 return r;
1584 }
1585
1586 static int apply_protect_kernel_modules(const Unit *u, const ExecContext *c) {
1587 assert(c);
1588
1589 /* Turn off module syscalls on ProtectKernelModules=yes */
1590
1591 if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
1592 return 0;
1593
1594 return seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM));
1595 }
1596
1597 static int apply_private_devices(const Unit *u, const ExecContext *c) {
1598 assert(c);
1599
1600 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
1601
1602 if (skip_seccomp_unavailable(u, "PrivateDevices="))
1603 return 0;
1604
1605 return seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
1606 }
1607
1608 static int apply_restrict_namespaces(Unit *u, const ExecContext *c) {
1609 assert(c);
1610
1611 if (!exec_context_restrict_namespaces_set(c))
1612 return 0;
1613
1614 if (skip_seccomp_unavailable(u, "RestrictNamespaces="))
1615 return 0;
1616
1617 return seccomp_restrict_namespaces(c->restrict_namespaces);
1618 }
1619
1620 #endif
1621
1622 static void do_idle_pipe_dance(int idle_pipe[4]) {
1623 assert(idle_pipe);
1624
1625 idle_pipe[1] = safe_close(idle_pipe[1]);
1626 idle_pipe[2] = safe_close(idle_pipe[2]);
1627
1628 if (idle_pipe[0] >= 0) {
1629 int r;
1630
1631 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1632
1633 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
1634 ssize_t n;
1635
1636 /* Signal systemd that we are bored and want to continue. */
1637 n = write(idle_pipe[3], "x", 1);
1638 if (n > 0)
1639 /* Wait for systemd to react to the signal above. */
1640 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1641 }
1642
1643 idle_pipe[0] = safe_close(idle_pipe[0]);
1644
1645 }
1646
1647 idle_pipe[3] = safe_close(idle_pipe[3]);
1648 }
1649
1650 static int build_environment(
1651 Unit *u,
1652 const ExecContext *c,
1653 const ExecParameters *p,
1654 unsigned n_fds,
1655 const char *home,
1656 const char *username,
1657 const char *shell,
1658 dev_t journal_stream_dev,
1659 ino_t journal_stream_ino,
1660 char ***ret) {
1661
1662 _cleanup_strv_free_ char **our_env = NULL;
1663 unsigned n_env = 0;
1664 char *x;
1665
1666 assert(u);
1667 assert(c);
1668 assert(ret);
1669
1670 our_env = new0(char*, 14);
1671 if (!our_env)
1672 return -ENOMEM;
1673
1674 if (n_fds > 0) {
1675 _cleanup_free_ char *joined = NULL;
1676
1677 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1678 return -ENOMEM;
1679 our_env[n_env++] = x;
1680
1681 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1682 return -ENOMEM;
1683 our_env[n_env++] = x;
1684
1685 joined = strv_join(p->fd_names, ":");
1686 if (!joined)
1687 return -ENOMEM;
1688
1689 x = strjoin("LISTEN_FDNAMES=", joined);
1690 if (!x)
1691 return -ENOMEM;
1692 our_env[n_env++] = x;
1693 }
1694
1695 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
1696 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1697 return -ENOMEM;
1698 our_env[n_env++] = x;
1699
1700 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
1701 return -ENOMEM;
1702 our_env[n_env++] = x;
1703 }
1704
1705 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1706 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1707 * check the database directly. */
1708 if (unit_has_name(u, SPECIAL_DBUS_SERVICE)) {
1709 x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1710 if (!x)
1711 return -ENOMEM;
1712 our_env[n_env++] = x;
1713 }
1714
1715 if (home) {
1716 x = strappend("HOME=", home);
1717 if (!x)
1718 return -ENOMEM;
1719 our_env[n_env++] = x;
1720 }
1721
1722 if (username) {
1723 x = strappend("LOGNAME=", username);
1724 if (!x)
1725 return -ENOMEM;
1726 our_env[n_env++] = x;
1727
1728 x = strappend("USER=", username);
1729 if (!x)
1730 return -ENOMEM;
1731 our_env[n_env++] = x;
1732 }
1733
1734 if (shell) {
1735 x = strappend("SHELL=", shell);
1736 if (!x)
1737 return -ENOMEM;
1738 our_env[n_env++] = x;
1739 }
1740
1741 if (!sd_id128_is_null(u->invocation_id)) {
1742 if (asprintf(&x, "INVOCATION_ID=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(u->invocation_id)) < 0)
1743 return -ENOMEM;
1744
1745 our_env[n_env++] = x;
1746 }
1747
1748 if (exec_context_needs_term(c)) {
1749 const char *tty_path, *term = NULL;
1750
1751 tty_path = exec_context_tty_path(c);
1752
1753 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try to inherit
1754 * the $TERM set for PID 1. This is useful for containers so that the $TERM the container manager
1755 * passes to PID 1 ends up all the way in the console login shown. */
1756
1757 if (path_equal(tty_path, "/dev/console") && getppid() == 1)
1758 term = getenv("TERM");
1759 if (!term)
1760 term = default_term_for_tty(tty_path);
1761
1762 x = strappend("TERM=", term);
1763 if (!x)
1764 return -ENOMEM;
1765 our_env[n_env++] = x;
1766 }
1767
1768 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1769 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1770 return -ENOMEM;
1771
1772 our_env[n_env++] = x;
1773 }
1774
1775 our_env[n_env++] = NULL;
1776 assert(n_env <= 12);
1777
1778 *ret = our_env;
1779 our_env = NULL;
1780
1781 return 0;
1782 }
1783
1784 static int build_pass_environment(const ExecContext *c, char ***ret) {
1785 _cleanup_strv_free_ char **pass_env = NULL;
1786 size_t n_env = 0, n_bufsize = 0;
1787 char **i;
1788
1789 STRV_FOREACH(i, c->pass_environment) {
1790 _cleanup_free_ char *x = NULL;
1791 char *v;
1792
1793 v = getenv(*i);
1794 if (!v)
1795 continue;
1796 x = strjoin(*i, "=", v);
1797 if (!x)
1798 return -ENOMEM;
1799 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1800 return -ENOMEM;
1801 pass_env[n_env++] = x;
1802 pass_env[n_env] = NULL;
1803 x = NULL;
1804 }
1805
1806 *ret = pass_env;
1807 pass_env = NULL;
1808
1809 return 0;
1810 }
1811
1812 static bool exec_needs_mount_namespace(
1813 const ExecContext *context,
1814 const ExecParameters *params,
1815 ExecRuntime *runtime) {
1816
1817 assert(context);
1818 assert(params);
1819
1820 if (!strv_isempty(context->read_write_paths) ||
1821 !strv_isempty(context->read_only_paths) ||
1822 !strv_isempty(context->inaccessible_paths))
1823 return true;
1824
1825 if (context->mount_flags != 0)
1826 return true;
1827
1828 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1829 return true;
1830
1831 if (context->private_devices ||
1832 context->protect_system != PROTECT_SYSTEM_NO ||
1833 context->protect_home != PROTECT_HOME_NO ||
1834 context->protect_kernel_tunables ||
1835 context->protect_kernel_modules ||
1836 context->protect_control_groups)
1837 return true;
1838
1839 return false;
1840 }
1841
1842 static int setup_private_users(uid_t uid, gid_t gid) {
1843 _cleanup_free_ char *uid_map = NULL, *gid_map = NULL;
1844 _cleanup_close_pair_ int errno_pipe[2] = { -1, -1 };
1845 _cleanup_close_ int unshare_ready_fd = -1;
1846 _cleanup_(sigkill_waitp) pid_t pid = 0;
1847 uint64_t c = 1;
1848 siginfo_t si;
1849 ssize_t n;
1850 int r;
1851
1852 /* Set up a user namespace and map root to root, the selected UID/GID to itself, and everything else to
1853 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1854 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1855 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1856 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
1857 * continues execution normally. */
1858
1859 if (uid != 0 && uid_is_valid(uid))
1860 asprintf(&uid_map,
1861 "0 0 1\n" /* Map root → root */
1862 UID_FMT " " UID_FMT " 1\n", /* Map $UID → $UID */
1863 uid, uid);
1864 else
1865 uid_map = strdup("0 0 1\n"); /* The case where the above is the same */
1866 if (!uid_map)
1867 return -ENOMEM;
1868
1869 if (gid != 0 && gid_is_valid(gid))
1870 asprintf(&gid_map,
1871 "0 0 1\n" /* Map root → root */
1872 GID_FMT " " GID_FMT " 1\n", /* Map $GID → $GID */
1873 gid, gid);
1874 else
1875 gid_map = strdup("0 0 1\n"); /* The case where the above is the same */
1876 if (!gid_map)
1877 return -ENOMEM;
1878
1879 /* Create a communication channel so that the parent can tell the child when it finished creating the user
1880 * namespace. */
1881 unshare_ready_fd = eventfd(0, EFD_CLOEXEC);
1882 if (unshare_ready_fd < 0)
1883 return -errno;
1884
1885 /* Create a communication channel so that the child can tell the parent a proper error code in case it
1886 * failed. */
1887 if (pipe2(errno_pipe, O_CLOEXEC) < 0)
1888 return -errno;
1889
1890 pid = fork();
1891 if (pid < 0)
1892 return -errno;
1893
1894 if (pid == 0) {
1895 _cleanup_close_ int fd = -1;
1896 const char *a;
1897 pid_t ppid;
1898
1899 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
1900 * here, after the parent opened its own user namespace. */
1901
1902 ppid = getppid();
1903 errno_pipe[0] = safe_close(errno_pipe[0]);
1904
1905 /* Wait until the parent unshared the user namespace */
1906 if (read(unshare_ready_fd, &c, sizeof(c)) < 0) {
1907 r = -errno;
1908 goto child_fail;
1909 }
1910
1911 /* Disable the setgroups() system call in the child user namespace, for good. */
1912 a = procfs_file_alloca(ppid, "setgroups");
1913 fd = open(a, O_WRONLY|O_CLOEXEC);
1914 if (fd < 0) {
1915 if (errno != ENOENT) {
1916 r = -errno;
1917 goto child_fail;
1918 }
1919
1920 /* If the file is missing the kernel is too old, let's continue anyway. */
1921 } else {
1922 if (write(fd, "deny\n", 5) < 0) {
1923 r = -errno;
1924 goto child_fail;
1925 }
1926
1927 fd = safe_close(fd);
1928 }
1929
1930 /* First write the GID map */
1931 a = procfs_file_alloca(ppid, "gid_map");
1932 fd = open(a, O_WRONLY|O_CLOEXEC);
1933 if (fd < 0) {
1934 r = -errno;
1935 goto child_fail;
1936 }
1937 if (write(fd, gid_map, strlen(gid_map)) < 0) {
1938 r = -errno;
1939 goto child_fail;
1940 }
1941 fd = safe_close(fd);
1942
1943 /* The write the UID map */
1944 a = procfs_file_alloca(ppid, "uid_map");
1945 fd = open(a, O_WRONLY|O_CLOEXEC);
1946 if (fd < 0) {
1947 r = -errno;
1948 goto child_fail;
1949 }
1950 if (write(fd, uid_map, strlen(uid_map)) < 0) {
1951 r = -errno;
1952 goto child_fail;
1953 }
1954
1955 _exit(EXIT_SUCCESS);
1956
1957 child_fail:
1958 (void) write(errno_pipe[1], &r, sizeof(r));
1959 _exit(EXIT_FAILURE);
1960 }
1961
1962 errno_pipe[1] = safe_close(errno_pipe[1]);
1963
1964 if (unshare(CLONE_NEWUSER) < 0)
1965 return -errno;
1966
1967 /* Let the child know that the namespace is ready now */
1968 if (write(unshare_ready_fd, &c, sizeof(c)) < 0)
1969 return -errno;
1970
1971 /* Try to read an error code from the child */
1972 n = read(errno_pipe[0], &r, sizeof(r));
1973 if (n < 0)
1974 return -errno;
1975 if (n == sizeof(r)) { /* an error code was sent to us */
1976 if (r < 0)
1977 return r;
1978 return -EIO;
1979 }
1980 if (n != 0) /* on success we should have read 0 bytes */
1981 return -EIO;
1982
1983 r = wait_for_terminate(pid, &si);
1984 if (r < 0)
1985 return r;
1986 pid = 0;
1987
1988 /* If something strange happened with the child, let's consider this fatal, too */
1989 if (si.si_code != CLD_EXITED || si.si_status != 0)
1990 return -EIO;
1991
1992 return 0;
1993 }
1994
1995 static int setup_runtime_directory(
1996 const ExecContext *context,
1997 const ExecParameters *params,
1998 uid_t uid,
1999 gid_t gid) {
2000
2001 char **rt;
2002 int r;
2003
2004 assert(context);
2005 assert(params);
2006
2007 STRV_FOREACH(rt, context->runtime_directory) {
2008 _cleanup_free_ char *p;
2009
2010 p = strjoin(params->runtime_prefix, "/", *rt);
2011 if (!p)
2012 return -ENOMEM;
2013
2014 r = mkdir_p_label(p, context->runtime_directory_mode);
2015 if (r < 0)
2016 return r;
2017
2018 r = chmod_and_chown(p, context->runtime_directory_mode, uid, gid);
2019 if (r < 0)
2020 return r;
2021 }
2022
2023 return 0;
2024 }
2025
2026 static int setup_smack(
2027 const ExecContext *context,
2028 const ExecCommand *command) {
2029
2030 #ifdef HAVE_SMACK
2031 int r;
2032
2033 assert(context);
2034 assert(command);
2035
2036 if (!mac_smack_use())
2037 return 0;
2038
2039 if (context->smack_process_label) {
2040 r = mac_smack_apply_pid(0, context->smack_process_label);
2041 if (r < 0)
2042 return r;
2043 }
2044 #ifdef SMACK_DEFAULT_PROCESS_LABEL
2045 else {
2046 _cleanup_free_ char *exec_label = NULL;
2047
2048 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
2049 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP)
2050 return r;
2051
2052 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
2053 if (r < 0)
2054 return r;
2055 }
2056 #endif
2057 #endif
2058
2059 return 0;
2060 }
2061
2062 static int compile_read_write_paths(
2063 const ExecContext *context,
2064 const ExecParameters *params,
2065 char ***ret) {
2066
2067 _cleanup_strv_free_ char **l = NULL;
2068 char **rt;
2069
2070 /* Compile the list of writable paths. This is the combination of the explicitly configured paths, plus all
2071 * runtime directories. */
2072
2073 if (strv_isempty(context->read_write_paths) &&
2074 strv_isempty(context->runtime_directory)) {
2075 *ret = NULL; /* NOP if neither is set */
2076 return 0;
2077 }
2078
2079 l = strv_copy(context->read_write_paths);
2080 if (!l)
2081 return -ENOMEM;
2082
2083 STRV_FOREACH(rt, context->runtime_directory) {
2084 char *s;
2085
2086 s = strjoin(params->runtime_prefix, "/", *rt);
2087 if (!s)
2088 return -ENOMEM;
2089
2090 if (strv_consume(&l, s) < 0)
2091 return -ENOMEM;
2092 }
2093
2094 *ret = l;
2095 l = NULL;
2096
2097 return 0;
2098 }
2099
2100 static int apply_mount_namespace(Unit *u, const ExecContext *context,
2101 const ExecParameters *params,
2102 ExecRuntime *runtime) {
2103 int r;
2104 _cleanup_free_ char **rw = NULL;
2105 char *tmp = NULL, *var = NULL;
2106 const char *root_dir = NULL;
2107 NameSpaceInfo ns_info = {
2108 .ignore_protect_paths = false,
2109 .private_dev = context->private_devices,
2110 .protect_control_groups = context->protect_control_groups,
2111 .protect_kernel_tunables = context->protect_kernel_tunables,
2112 .protect_kernel_modules = context->protect_kernel_modules,
2113 };
2114
2115 assert(context);
2116
2117 /* The runtime struct only contains the parent of the private /tmp,
2118 * which is non-accessible to world users. Inside of it there's a /tmp
2119 * that is sticky, and that's the one we want to use here. */
2120
2121 if (context->private_tmp && runtime) {
2122 if (runtime->tmp_dir)
2123 tmp = strjoina(runtime->tmp_dir, "/tmp");
2124 if (runtime->var_tmp_dir)
2125 var = strjoina(runtime->var_tmp_dir, "/tmp");
2126 }
2127
2128 r = compile_read_write_paths(context, params, &rw);
2129 if (r < 0)
2130 return r;
2131
2132 if (params->flags & EXEC_APPLY_CHROOT)
2133 root_dir = context->root_directory;
2134
2135 /*
2136 * If DynamicUser=no and RootDirectory= is set then lets pass a relaxed
2137 * sandbox info, otherwise enforce it, don't ignore protected paths and
2138 * fail if we are enable to apply the sandbox inside the mount namespace.
2139 */
2140 if (!context->dynamic_user && root_dir)
2141 ns_info.ignore_protect_paths = true;
2142
2143 r = setup_namespace(root_dir, &ns_info, rw,
2144 context->read_only_paths,
2145 context->inaccessible_paths,
2146 tmp,
2147 var,
2148 context->protect_home,
2149 context->protect_system,
2150 context->mount_flags);
2151
2152 /* If we couldn't set up the namespace this is probably due to a
2153 * missing capability. In this case, silently proceeed. */
2154 if (IN_SET(r, -EPERM, -EACCES)) {
2155 log_open();
2156 log_unit_debug_errno(u, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
2157 log_close();
2158 r = 0;
2159 }
2160
2161 return r;
2162 }
2163
2164 static int apply_working_directory(const ExecContext *context,
2165 const ExecParameters *params,
2166 const char *home,
2167 const bool needs_mount_ns) {
2168 const char *d;
2169 const char *wd;
2170
2171 assert(context);
2172
2173 if (context->working_directory_home)
2174 wd = home;
2175 else if (context->working_directory)
2176 wd = context->working_directory;
2177 else
2178 wd = "/";
2179
2180 if (params->flags & EXEC_APPLY_CHROOT) {
2181 if (!needs_mount_ns && context->root_directory)
2182 if (chroot(context->root_directory) < 0)
2183 return -errno;
2184
2185 d = wd;
2186 } else
2187 d = strjoina(strempty(context->root_directory), "/", strempty(wd));
2188
2189 if (chdir(d) < 0 && !context->working_directory_missing_ok)
2190 return -errno;
2191
2192 return 0;
2193 }
2194
2195 static void append_socket_pair(int *array, unsigned *n, int pair[2]) {
2196 assert(array);
2197 assert(n);
2198
2199 if (!pair)
2200 return;
2201
2202 if (pair[0] >= 0)
2203 array[(*n)++] = pair[0];
2204 if (pair[1] >= 0)
2205 array[(*n)++] = pair[1];
2206 }
2207
2208 static int close_remaining_fds(
2209 const ExecParameters *params,
2210 ExecRuntime *runtime,
2211 DynamicCreds *dcreds,
2212 int user_lookup_fd,
2213 int socket_fd,
2214 int *fds, unsigned n_fds) {
2215
2216 unsigned n_dont_close = 0;
2217 int dont_close[n_fds + 12];
2218
2219 assert(params);
2220
2221 if (params->stdin_fd >= 0)
2222 dont_close[n_dont_close++] = params->stdin_fd;
2223 if (params->stdout_fd >= 0)
2224 dont_close[n_dont_close++] = params->stdout_fd;
2225 if (params->stderr_fd >= 0)
2226 dont_close[n_dont_close++] = params->stderr_fd;
2227
2228 if (socket_fd >= 0)
2229 dont_close[n_dont_close++] = socket_fd;
2230 if (n_fds > 0) {
2231 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
2232 n_dont_close += n_fds;
2233 }
2234
2235 if (runtime)
2236 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
2237
2238 if (dcreds) {
2239 if (dcreds->user)
2240 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
2241 if (dcreds->group)
2242 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
2243 }
2244
2245 if (user_lookup_fd >= 0)
2246 dont_close[n_dont_close++] = user_lookup_fd;
2247
2248 return close_all_fds(dont_close, n_dont_close);
2249 }
2250
2251 static bool context_has_address_families(const ExecContext *c) {
2252 assert(c);
2253
2254 return c->address_families_whitelist ||
2255 !set_isempty(c->address_families);
2256 }
2257
2258 static bool context_has_syscall_filters(const ExecContext *c) {
2259 assert(c);
2260
2261 return c->syscall_whitelist ||
2262 !set_isempty(c->syscall_filter) ||
2263 !set_isempty(c->syscall_archs);
2264 }
2265
2266 static bool context_has_no_new_privileges(const ExecContext *c) {
2267 assert(c);
2268
2269 if (c->no_new_privileges)
2270 return true;
2271
2272 if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
2273 return false;
2274
2275 return context_has_address_families(c) || /* we need NNP if we have any form of seccomp and are unprivileged */
2276 c->memory_deny_write_execute ||
2277 c->restrict_realtime ||
2278 exec_context_restrict_namespaces_set(c) ||
2279 c->protect_kernel_tunables ||
2280 c->protect_kernel_modules ||
2281 c->private_devices ||
2282 context_has_syscall_filters(c);
2283 }
2284
2285 static int send_user_lookup(
2286 Unit *unit,
2287 int user_lookup_fd,
2288 uid_t uid,
2289 gid_t gid) {
2290
2291 assert(unit);
2292
2293 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
2294 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
2295 * specified. */
2296
2297 if (user_lookup_fd < 0)
2298 return 0;
2299
2300 if (!uid_is_valid(uid) && !gid_is_valid(gid))
2301 return 0;
2302
2303 if (writev(user_lookup_fd,
2304 (struct iovec[]) {
2305 { .iov_base = &uid, .iov_len = sizeof(uid) },
2306 { .iov_base = &gid, .iov_len = sizeof(gid) },
2307 { .iov_base = unit->id, .iov_len = strlen(unit->id) }}, 3) < 0)
2308 return -errno;
2309
2310 return 0;
2311 }
2312
2313 static int exec_child(
2314 Unit *unit,
2315 ExecCommand *command,
2316 const ExecContext *context,
2317 const ExecParameters *params,
2318 ExecRuntime *runtime,
2319 DynamicCreds *dcreds,
2320 char **argv,
2321 int socket_fd,
2322 int named_iofds[3],
2323 int *fds, unsigned n_fds,
2324 char **files_env,
2325 int user_lookup_fd,
2326 int *exit_status) {
2327
2328 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **final_argv = NULL;
2329 _cleanup_free_ char *mac_selinux_context_net = NULL;
2330 _cleanup_free_ gid_t *supplementary_gids = NULL;
2331 const char *username = NULL, *groupname = NULL;
2332 const char *home = NULL, *shell = NULL;
2333 dev_t journal_stream_dev = 0;
2334 ino_t journal_stream_ino = 0;
2335 bool needs_mount_namespace;
2336 uid_t uid = UID_INVALID;
2337 gid_t gid = GID_INVALID;
2338 int i, r, ngids = 0;
2339
2340 assert(unit);
2341 assert(command);
2342 assert(context);
2343 assert(params);
2344 assert(exit_status);
2345
2346 rename_process_from_path(command->path);
2347
2348 /* We reset exactly these signals, since they are the
2349 * only ones we set to SIG_IGN in the main daemon. All
2350 * others we leave untouched because we set them to
2351 * SIG_DFL or a valid handler initially, both of which
2352 * will be demoted to SIG_DFL. */
2353 (void) default_signals(SIGNALS_CRASH_HANDLER,
2354 SIGNALS_IGNORE, -1);
2355
2356 if (context->ignore_sigpipe)
2357 (void) ignore_signals(SIGPIPE, -1);
2358
2359 r = reset_signal_mask();
2360 if (r < 0) {
2361 *exit_status = EXIT_SIGNAL_MASK;
2362 return r;
2363 }
2364
2365 if (params->idle_pipe)
2366 do_idle_pipe_dance(params->idle_pipe);
2367
2368 /* Close sockets very early to make sure we don't
2369 * block init reexecution because it cannot bind its
2370 * sockets */
2371
2372 log_forget_fds();
2373
2374 r = close_remaining_fds(params, runtime, dcreds, user_lookup_fd, socket_fd, fds, n_fds);
2375 if (r < 0) {
2376 *exit_status = EXIT_FDS;
2377 return r;
2378 }
2379
2380 if (!context->same_pgrp)
2381 if (setsid() < 0) {
2382 *exit_status = EXIT_SETSID;
2383 return -errno;
2384 }
2385
2386 exec_context_tty_reset(context, params);
2387
2388 if (!manager_is_confirm_spawn_disabled(unit->manager)) {
2389 const char *vc = params->confirm_spawn;
2390 _cleanup_free_ char *cmdline = NULL;
2391
2392 cmdline = exec_command_line(argv);
2393 if (!cmdline) {
2394 *exit_status = EXIT_CONFIRM;
2395 return -ENOMEM;
2396 }
2397
2398 r = ask_for_confirmation(vc, unit, cmdline);
2399 if (r != CONFIRM_EXECUTE) {
2400 if (r == CONFIRM_PRETEND_SUCCESS) {
2401 *exit_status = EXIT_SUCCESS;
2402 return 0;
2403 }
2404 *exit_status = EXIT_CONFIRM;
2405 return -ECANCELED;
2406 }
2407 }
2408
2409 if (context->dynamic_user && dcreds) {
2410
2411 /* Make sure we bypass our own NSS module for any NSS checks */
2412 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
2413 *exit_status = EXIT_USER;
2414 return -errno;
2415 }
2416
2417 r = dynamic_creds_realize(dcreds, &uid, &gid);
2418 if (r < 0) {
2419 *exit_status = EXIT_USER;
2420 return r;
2421 }
2422
2423 if (!uid_is_valid(uid) || !gid_is_valid(gid)) {
2424 *exit_status = EXIT_USER;
2425 return -ESRCH;
2426 }
2427
2428 if (dcreds->user)
2429 username = dcreds->user->name;
2430
2431 } else {
2432 r = get_fixed_user(context, &username, &uid, &gid, &home, &shell);
2433 if (r < 0) {
2434 *exit_status = EXIT_USER;
2435 return r;
2436 }
2437
2438 r = get_fixed_group(context, &groupname, &gid);
2439 if (r < 0) {
2440 *exit_status = EXIT_GROUP;
2441 return r;
2442 }
2443 }
2444
2445 /* Initialize user supplementary groups and get SupplementaryGroups= ones */
2446 r = get_supplementary_groups(context, username, groupname, gid,
2447 &supplementary_gids, &ngids);
2448 if (r < 0) {
2449 *exit_status = EXIT_GROUP;
2450 return r;
2451 }
2452
2453 r = send_user_lookup(unit, user_lookup_fd, uid, gid);
2454 if (r < 0) {
2455 *exit_status = EXIT_USER;
2456 return r;
2457 }
2458
2459 user_lookup_fd = safe_close(user_lookup_fd);
2460
2461 /* If a socket is connected to STDIN/STDOUT/STDERR, we
2462 * must sure to drop O_NONBLOCK */
2463 if (socket_fd >= 0)
2464 (void) fd_nonblock(socket_fd, false);
2465
2466 r = setup_input(context, params, socket_fd, named_iofds);
2467 if (r < 0) {
2468 *exit_status = EXIT_STDIN;
2469 return r;
2470 }
2471
2472 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
2473 if (r < 0) {
2474 *exit_status = EXIT_STDOUT;
2475 return r;
2476 }
2477
2478 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
2479 if (r < 0) {
2480 *exit_status = EXIT_STDERR;
2481 return r;
2482 }
2483
2484 if (params->cgroup_path) {
2485 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
2486 if (r < 0) {
2487 *exit_status = EXIT_CGROUP;
2488 return r;
2489 }
2490 }
2491
2492 if (context->oom_score_adjust_set) {
2493 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
2494
2495 /* When we can't make this change due to EPERM, then
2496 * let's silently skip over it. User namespaces
2497 * prohibit write access to this file, and we
2498 * shouldn't trip up over that. */
2499
2500 sprintf(t, "%i", context->oom_score_adjust);
2501 r = write_string_file("/proc/self/oom_score_adj", t, 0);
2502 if (r == -EPERM || r == -EACCES) {
2503 log_open();
2504 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
2505 log_close();
2506 } else if (r < 0) {
2507 *exit_status = EXIT_OOM_ADJUST;
2508 return -errno;
2509 }
2510 }
2511
2512 if (context->nice_set)
2513 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
2514 *exit_status = EXIT_NICE;
2515 return -errno;
2516 }
2517
2518 if (context->cpu_sched_set) {
2519 struct sched_param param = {
2520 .sched_priority = context->cpu_sched_priority,
2521 };
2522
2523 r = sched_setscheduler(0,
2524 context->cpu_sched_policy |
2525 (context->cpu_sched_reset_on_fork ?
2526 SCHED_RESET_ON_FORK : 0),
2527 &param);
2528 if (r < 0) {
2529 *exit_status = EXIT_SETSCHEDULER;
2530 return -errno;
2531 }
2532 }
2533
2534 if (context->cpuset)
2535 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
2536 *exit_status = EXIT_CPUAFFINITY;
2537 return -errno;
2538 }
2539
2540 if (context->ioprio_set)
2541 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
2542 *exit_status = EXIT_IOPRIO;
2543 return -errno;
2544 }
2545
2546 if (context->timer_slack_nsec != NSEC_INFINITY)
2547 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
2548 *exit_status = EXIT_TIMERSLACK;
2549 return -errno;
2550 }
2551
2552 if (context->personality != PERSONALITY_INVALID)
2553 if (personality(context->personality) < 0) {
2554 *exit_status = EXIT_PERSONALITY;
2555 return -errno;
2556 }
2557
2558 if (context->utmp_id)
2559 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path,
2560 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
2561 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
2562 USER_PROCESS,
2563 username ? "root" : context->user);
2564
2565 if (context->user) {
2566 r = chown_terminal(STDIN_FILENO, uid);
2567 if (r < 0) {
2568 *exit_status = EXIT_STDIN;
2569 return r;
2570 }
2571 }
2572
2573 /* If delegation is enabled we'll pass ownership of the cgroup
2574 * (but only in systemd's own controller hierarchy!) to the
2575 * user of the new process. */
2576 if (params->cgroup_path && context->user && params->cgroup_delegate) {
2577 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
2578 if (r < 0) {
2579 *exit_status = EXIT_CGROUP;
2580 return r;
2581 }
2582
2583
2584 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
2585 if (r < 0) {
2586 *exit_status = EXIT_CGROUP;
2587 return r;
2588 }
2589 }
2590
2591 if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
2592 r = setup_runtime_directory(context, params, uid, gid);
2593 if (r < 0) {
2594 *exit_status = EXIT_RUNTIME_DIRECTORY;
2595 return r;
2596 }
2597 }
2598
2599 r = build_environment(
2600 unit,
2601 context,
2602 params,
2603 n_fds,
2604 home,
2605 username,
2606 shell,
2607 journal_stream_dev,
2608 journal_stream_ino,
2609 &our_env);
2610 if (r < 0) {
2611 *exit_status = EXIT_MEMORY;
2612 return r;
2613 }
2614
2615 r = build_pass_environment(context, &pass_env);
2616 if (r < 0) {
2617 *exit_status = EXIT_MEMORY;
2618 return r;
2619 }
2620
2621 accum_env = strv_env_merge(5,
2622 params->environment,
2623 our_env,
2624 pass_env,
2625 context->environment,
2626 files_env,
2627 NULL);
2628 if (!accum_env) {
2629 *exit_status = EXIT_MEMORY;
2630 return -ENOMEM;
2631 }
2632 accum_env = strv_env_clean(accum_env);
2633
2634 (void) umask(context->umask);
2635
2636 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
2637 if (context->pam_name && username) {
2638 r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds);
2639 if (r < 0) {
2640 *exit_status = EXIT_PAM;
2641 return r;
2642 }
2643 }
2644 }
2645
2646 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
2647 r = setup_netns(runtime->netns_storage_socket);
2648 if (r < 0) {
2649 *exit_status = EXIT_NETWORK;
2650 return r;
2651 }
2652 }
2653
2654 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
2655 if (needs_mount_namespace) {
2656 r = apply_mount_namespace(unit, context, params, runtime);
2657 if (r < 0) {
2658 *exit_status = EXIT_NAMESPACE;
2659 return r;
2660 }
2661 }
2662
2663 /* Apply just after mount namespace setup */
2664 r = apply_working_directory(context, params, home, needs_mount_namespace);
2665 if (r < 0) {
2666 *exit_status = EXIT_CHROOT;
2667 return r;
2668 }
2669
2670 /* Drop groups as early as possbile */
2671 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
2672 r = enforce_groups(context, gid, supplementary_gids, ngids);
2673 if (r < 0) {
2674 *exit_status = EXIT_GROUP;
2675 return r;
2676 }
2677 }
2678
2679 #ifdef HAVE_SELINUX
2680 if ((params->flags & EXEC_APPLY_PERMISSIONS) &&
2681 mac_selinux_use() &&
2682 params->selinux_context_net &&
2683 socket_fd >= 0 &&
2684 !command->privileged) {
2685
2686 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
2687 if (r < 0) {
2688 *exit_status = EXIT_SELINUX_CONTEXT;
2689 return r;
2690 }
2691 }
2692 #endif
2693
2694 if ((params->flags & EXEC_APPLY_PERMISSIONS) && context->private_users) {
2695 r = setup_private_users(uid, gid);
2696 if (r < 0) {
2697 *exit_status = EXIT_USER;
2698 return r;
2699 }
2700 }
2701
2702 /* We repeat the fd closing here, to make sure that
2703 * nothing is leaked from the PAM modules. Note that
2704 * we are more aggressive this time since socket_fd
2705 * and the netns fds we don't need anymore. The custom
2706 * endpoint fd was needed to upload the policy and can
2707 * now be closed as well. */
2708 r = close_all_fds(fds, n_fds);
2709 if (r >= 0)
2710 r = shift_fds(fds, n_fds);
2711 if (r >= 0)
2712 r = flags_fds(fds, n_fds, context->non_blocking);
2713 if (r < 0) {
2714 *exit_status = EXIT_FDS;
2715 return r;
2716 }
2717
2718 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
2719
2720 int secure_bits = context->secure_bits;
2721
2722 for (i = 0; i < _RLIMIT_MAX; i++) {
2723
2724 if (!context->rlimit[i])
2725 continue;
2726
2727 r = setrlimit_closest(i, context->rlimit[i]);
2728 if (r < 0) {
2729 *exit_status = EXIT_LIMITS;
2730 return r;
2731 }
2732 }
2733
2734 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */
2735 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
2736 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
2737 *exit_status = EXIT_LIMITS;
2738 return -errno;
2739 }
2740 }
2741
2742 if (!cap_test_all(context->capability_bounding_set)) {
2743 r = capability_bounding_set_drop(context->capability_bounding_set, false);
2744 if (r < 0) {
2745 *exit_status = EXIT_CAPABILITIES;
2746 return r;
2747 }
2748 }
2749
2750 /* This is done before enforce_user, but ambient set
2751 * does not survive over setresuid() if keep_caps is not set. */
2752 if (context->capability_ambient_set != 0) {
2753 r = capability_ambient_set_apply(context->capability_ambient_set, true);
2754 if (r < 0) {
2755 *exit_status = EXIT_CAPABILITIES;
2756 return r;
2757 }
2758 }
2759
2760 if (context->user) {
2761 r = enforce_user(context, uid);
2762 if (r < 0) {
2763 *exit_status = EXIT_USER;
2764 return r;
2765 }
2766 if (context->capability_ambient_set != 0) {
2767
2768 /* Fix the ambient capabilities after user change. */
2769 r = capability_ambient_set_apply(context->capability_ambient_set, false);
2770 if (r < 0) {
2771 *exit_status = EXIT_CAPABILITIES;
2772 return r;
2773 }
2774
2775 /* If we were asked to change user and ambient capabilities
2776 * were requested, we had to add keep-caps to the securebits
2777 * so that we would maintain the inherited capability set
2778 * through the setresuid(). Make sure that the bit is added
2779 * also to the context secure_bits so that we don't try to
2780 * drop the bit away next. */
2781
2782 secure_bits |= 1<<SECURE_KEEP_CAPS;
2783 }
2784 }
2785
2786 /* Apply the MAC contexts late, but before seccomp syscall filtering, as those should really be last to
2787 * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
2788 * syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
2789 * are restricted. */
2790
2791 #ifdef HAVE_SELINUX
2792 if (mac_selinux_use()) {
2793 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
2794
2795 if (exec_context) {
2796 r = setexeccon(exec_context);
2797 if (r < 0) {
2798 *exit_status = EXIT_SELINUX_CONTEXT;
2799 return r;
2800 }
2801 }
2802 }
2803 #endif
2804
2805 r = setup_smack(context, command);
2806 if (r < 0) {
2807 *exit_status = EXIT_SMACK_PROCESS_LABEL;
2808 return r;
2809 }
2810
2811 #ifdef HAVE_APPARMOR
2812 if (context->apparmor_profile && mac_apparmor_use()) {
2813 r = aa_change_onexec(context->apparmor_profile);
2814 if (r < 0 && !context->apparmor_profile_ignore) {
2815 *exit_status = EXIT_APPARMOR_PROFILE;
2816 return -errno;
2817 }
2818 }
2819 #endif
2820
2821 /* PR_GET_SECUREBITS is not privileged, while
2822 * PR_SET_SECUREBITS is. So to suppress
2823 * potential EPERMs we'll try not to call
2824 * PR_SET_SECUREBITS unless necessary. */
2825 if (prctl(PR_GET_SECUREBITS) != secure_bits)
2826 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
2827 *exit_status = EXIT_SECUREBITS;
2828 return -errno;
2829 }
2830
2831 if (context_has_no_new_privileges(context))
2832 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
2833 *exit_status = EXIT_NO_NEW_PRIVILEGES;
2834 return -errno;
2835 }
2836
2837 #ifdef HAVE_SECCOMP
2838 if (context_has_address_families(context)) {
2839 r = apply_address_families(unit, context);
2840 if (r < 0) {
2841 *exit_status = EXIT_ADDRESS_FAMILIES;
2842 return r;
2843 }
2844 }
2845
2846 if (context->memory_deny_write_execute) {
2847 r = apply_memory_deny_write_execute(unit, context);
2848 if (r < 0) {
2849 *exit_status = EXIT_SECCOMP;
2850 return r;
2851 }
2852 }
2853
2854 if (context->restrict_realtime) {
2855 r = apply_restrict_realtime(unit, context);
2856 if (r < 0) {
2857 *exit_status = EXIT_SECCOMP;
2858 return r;
2859 }
2860 }
2861
2862 r = apply_restrict_namespaces(unit, context);
2863 if (r < 0) {
2864 *exit_status = EXIT_SECCOMP;
2865 return r;
2866 }
2867
2868 if (context->protect_kernel_tunables) {
2869 r = apply_protect_sysctl(unit, context);
2870 if (r < 0) {
2871 *exit_status = EXIT_SECCOMP;
2872 return r;
2873 }
2874 }
2875
2876 if (context->protect_kernel_modules) {
2877 r = apply_protect_kernel_modules(unit, context);
2878 if (r < 0) {
2879 *exit_status = EXIT_SECCOMP;
2880 return r;
2881 }
2882 }
2883
2884 if (context->private_devices) {
2885 r = apply_private_devices(unit, context);
2886 if (r < 0) {
2887 *exit_status = EXIT_SECCOMP;
2888 return r;
2889 }
2890 }
2891
2892 /* This really should remain the last step before the execve(), to make sure our own code is unaffected
2893 * by the filter as little as possible. */
2894 if (context_has_syscall_filters(context)) {
2895 r = apply_seccomp(unit, context);
2896 if (r < 0) {
2897 *exit_status = EXIT_SECCOMP;
2898 return r;
2899 }
2900 }
2901 #endif
2902 }
2903
2904 final_argv = replace_env_argv(argv, accum_env);
2905 if (!final_argv) {
2906 *exit_status = EXIT_MEMORY;
2907 return -ENOMEM;
2908 }
2909
2910 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
2911 _cleanup_free_ char *line;
2912
2913 line = exec_command_line(final_argv);
2914 if (line) {
2915 log_open();
2916 log_struct(LOG_DEBUG,
2917 LOG_UNIT_ID(unit),
2918 "EXECUTABLE=%s", command->path,
2919 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
2920 NULL);
2921 log_close();
2922 }
2923 }
2924
2925 execve(command->path, final_argv, accum_env);
2926 *exit_status = EXIT_EXEC;
2927 return -errno;
2928 }
2929
2930 int exec_spawn(Unit *unit,
2931 ExecCommand *command,
2932 const ExecContext *context,
2933 const ExecParameters *params,
2934 ExecRuntime *runtime,
2935 DynamicCreds *dcreds,
2936 pid_t *ret) {
2937
2938 _cleanup_strv_free_ char **files_env = NULL;
2939 int *fds = NULL; unsigned n_fds = 0;
2940 _cleanup_free_ char *line = NULL;
2941 int socket_fd, r;
2942 int named_iofds[3] = { -1, -1, -1 };
2943 char **argv;
2944 pid_t pid;
2945
2946 assert(unit);
2947 assert(command);
2948 assert(context);
2949 assert(ret);
2950 assert(params);
2951 assert(params->fds || params->n_fds <= 0);
2952
2953 if (context->std_input == EXEC_INPUT_SOCKET ||
2954 context->std_output == EXEC_OUTPUT_SOCKET ||
2955 context->std_error == EXEC_OUTPUT_SOCKET) {
2956
2957 if (params->n_fds != 1) {
2958 log_unit_error(unit, "Got more than one socket.");
2959 return -EINVAL;
2960 }
2961
2962 socket_fd = params->fds[0];
2963 } else {
2964 socket_fd = -1;
2965 fds = params->fds;
2966 n_fds = params->n_fds;
2967 }
2968
2969 r = exec_context_named_iofds(unit, context, params, named_iofds);
2970 if (r < 0)
2971 return log_unit_error_errno(unit, r, "Failed to load a named file descriptor: %m");
2972
2973 r = exec_context_load_environment(unit, context, &files_env);
2974 if (r < 0)
2975 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
2976
2977 argv = params->argv ?: command->argv;
2978 line = exec_command_line(argv);
2979 if (!line)
2980 return log_oom();
2981
2982 log_struct(LOG_DEBUG,
2983 LOG_UNIT_ID(unit),
2984 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
2985 "EXECUTABLE=%s", command->path,
2986 NULL);
2987 pid = fork();
2988 if (pid < 0)
2989 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
2990
2991 if (pid == 0) {
2992 int exit_status;
2993
2994 r = exec_child(unit,
2995 command,
2996 context,
2997 params,
2998 runtime,
2999 dcreds,
3000 argv,
3001 socket_fd,
3002 named_iofds,
3003 fds, n_fds,
3004 files_env,
3005 unit->manager->user_lookup_fds[1],
3006 &exit_status);
3007 if (r < 0) {
3008 log_open();
3009 log_struct_errno(LOG_ERR, r,
3010 LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
3011 LOG_UNIT_ID(unit),
3012 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
3013 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
3014 command->path),
3015 "EXECUTABLE=%s", command->path,
3016 NULL);
3017 }
3018
3019 _exit(exit_status);
3020 }
3021
3022 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
3023
3024 /* We add the new process to the cgroup both in the child (so
3025 * that we can be sure that no user code is ever executed
3026 * outside of the cgroup) and in the parent (so that we can be
3027 * sure that when we kill the cgroup the process will be
3028 * killed too). */
3029 if (params->cgroup_path)
3030 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
3031
3032 exec_status_start(&command->exec_status, pid);
3033
3034 *ret = pid;
3035 return 0;
3036 }
3037
3038 void exec_context_init(ExecContext *c) {
3039 assert(c);
3040
3041 c->umask = 0022;
3042 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
3043 c->cpu_sched_policy = SCHED_OTHER;
3044 c->syslog_priority = LOG_DAEMON|LOG_INFO;
3045 c->syslog_level_prefix = true;
3046 c->ignore_sigpipe = true;
3047 c->timer_slack_nsec = NSEC_INFINITY;
3048 c->personality = PERSONALITY_INVALID;
3049 c->runtime_directory_mode = 0755;
3050 c->capability_bounding_set = CAP_ALL;
3051 c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
3052 }
3053
3054 void exec_context_done(ExecContext *c) {
3055 unsigned l;
3056
3057 assert(c);
3058
3059 c->environment = strv_free(c->environment);
3060 c->environment_files = strv_free(c->environment_files);
3061 c->pass_environment = strv_free(c->pass_environment);
3062
3063 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
3064 c->rlimit[l] = mfree(c->rlimit[l]);
3065
3066 for (l = 0; l < 3; l++)
3067 c->stdio_fdname[l] = mfree(c->stdio_fdname[l]);
3068
3069 c->working_directory = mfree(c->working_directory);
3070 c->root_directory = mfree(c->root_directory);
3071 c->tty_path = mfree(c->tty_path);
3072 c->syslog_identifier = mfree(c->syslog_identifier);
3073 c->user = mfree(c->user);
3074 c->group = mfree(c->group);
3075
3076 c->supplementary_groups = strv_free(c->supplementary_groups);
3077
3078 c->pam_name = mfree(c->pam_name);
3079
3080 c->read_only_paths = strv_free(c->read_only_paths);
3081 c->read_write_paths = strv_free(c->read_write_paths);
3082 c->inaccessible_paths = strv_free(c->inaccessible_paths);
3083
3084 if (c->cpuset)
3085 CPU_FREE(c->cpuset);
3086
3087 c->utmp_id = mfree(c->utmp_id);
3088 c->selinux_context = mfree(c->selinux_context);
3089 c->apparmor_profile = mfree(c->apparmor_profile);
3090
3091 c->syscall_filter = set_free(c->syscall_filter);
3092 c->syscall_archs = set_free(c->syscall_archs);
3093 c->address_families = set_free(c->address_families);
3094
3095 c->runtime_directory = strv_free(c->runtime_directory);
3096 }
3097
3098 int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
3099 char **i;
3100
3101 assert(c);
3102
3103 if (!runtime_prefix)
3104 return 0;
3105
3106 STRV_FOREACH(i, c->runtime_directory) {
3107 _cleanup_free_ char *p;
3108
3109 p = strjoin(runtime_prefix, "/", *i);
3110 if (!p)
3111 return -ENOMEM;
3112
3113 /* We execute this synchronously, since we need to be
3114 * sure this is gone when we start the service
3115 * next. */
3116 (void) rm_rf(p, REMOVE_ROOT);
3117 }
3118
3119 return 0;
3120 }
3121
3122 void exec_command_done(ExecCommand *c) {
3123 assert(c);
3124
3125 c->path = mfree(c->path);
3126
3127 c->argv = strv_free(c->argv);
3128 }
3129
3130 void exec_command_done_array(ExecCommand *c, unsigned n) {
3131 unsigned i;
3132
3133 for (i = 0; i < n; i++)
3134 exec_command_done(c+i);
3135 }
3136
3137 ExecCommand* exec_command_free_list(ExecCommand *c) {
3138 ExecCommand *i;
3139
3140 while ((i = c)) {
3141 LIST_REMOVE(command, c, i);
3142 exec_command_done(i);
3143 free(i);
3144 }
3145
3146 return NULL;
3147 }
3148
3149 void exec_command_free_array(ExecCommand **c, unsigned n) {
3150 unsigned i;
3151
3152 for (i = 0; i < n; i++)
3153 c[i] = exec_command_free_list(c[i]);
3154 }
3155
3156 typedef struct InvalidEnvInfo {
3157 Unit *unit;
3158 const char *path;
3159 } InvalidEnvInfo;
3160
3161 static void invalid_env(const char *p, void *userdata) {
3162 InvalidEnvInfo *info = userdata;
3163
3164 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
3165 }
3166
3167 const char* exec_context_fdname(const ExecContext *c, int fd_index) {
3168 assert(c);
3169
3170 switch (fd_index) {
3171 case STDIN_FILENO:
3172 if (c->std_input != EXEC_INPUT_NAMED_FD)
3173 return NULL;
3174 return c->stdio_fdname[STDIN_FILENO] ?: "stdin";
3175 case STDOUT_FILENO:
3176 if (c->std_output != EXEC_OUTPUT_NAMED_FD)
3177 return NULL;
3178 return c->stdio_fdname[STDOUT_FILENO] ?: "stdout";
3179 case STDERR_FILENO:
3180 if (c->std_error != EXEC_OUTPUT_NAMED_FD)
3181 return NULL;
3182 return c->stdio_fdname[STDERR_FILENO] ?: "stderr";
3183 default:
3184 return NULL;
3185 }
3186 }
3187
3188 int exec_context_named_iofds(Unit *unit, const ExecContext *c, const ExecParameters *p, int named_iofds[3]) {
3189 unsigned i, targets;
3190 const char *stdio_fdname[3];
3191
3192 assert(c);
3193 assert(p);
3194
3195 targets = (c->std_input == EXEC_INPUT_NAMED_FD) +
3196 (c->std_output == EXEC_OUTPUT_NAMED_FD) +
3197 (c->std_error == EXEC_OUTPUT_NAMED_FD);
3198
3199 for (i = 0; i < 3; i++)
3200 stdio_fdname[i] = exec_context_fdname(c, i);
3201
3202 for (i = 0; i < p->n_fds && targets > 0; i++)
3203 if (named_iofds[STDIN_FILENO] < 0 && c->std_input == EXEC_INPUT_NAMED_FD && stdio_fdname[STDIN_FILENO] && streq(p->fd_names[i], stdio_fdname[STDIN_FILENO])) {
3204 named_iofds[STDIN_FILENO] = p->fds[i];
3205 targets--;
3206 } else if (named_iofds[STDOUT_FILENO] < 0 && c->std_output == EXEC_OUTPUT_NAMED_FD && stdio_fdname[STDOUT_FILENO] && streq(p->fd_names[i], stdio_fdname[STDOUT_FILENO])) {
3207 named_iofds[STDOUT_FILENO] = p->fds[i];
3208 targets--;
3209 } else if (named_iofds[STDERR_FILENO] < 0 && c->std_error == EXEC_OUTPUT_NAMED_FD && stdio_fdname[STDERR_FILENO] && streq(p->fd_names[i], stdio_fdname[STDERR_FILENO])) {
3210 named_iofds[STDERR_FILENO] = p->fds[i];
3211 targets--;
3212 }
3213
3214 return (targets == 0 ? 0 : -ENOENT);
3215 }
3216
3217 int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
3218 char **i, **r = NULL;
3219
3220 assert(c);
3221 assert(l);
3222
3223 STRV_FOREACH(i, c->environment_files) {
3224 char *fn;
3225 int k;
3226 bool ignore = false;
3227 char **p;
3228 _cleanup_globfree_ glob_t pglob = {};
3229 int count, n;
3230
3231 fn = *i;
3232
3233 if (fn[0] == '-') {
3234 ignore = true;
3235 fn++;
3236 }
3237
3238 if (!path_is_absolute(fn)) {
3239 if (ignore)
3240 continue;
3241
3242 strv_free(r);
3243 return -EINVAL;
3244 }
3245
3246 /* Filename supports globbing, take all matching files */
3247 errno = 0;
3248 if (glob(fn, 0, NULL, &pglob) != 0) {
3249 if (ignore)
3250 continue;
3251
3252 strv_free(r);
3253 return errno > 0 ? -errno : -EINVAL;
3254 }
3255 count = pglob.gl_pathc;
3256 if (count == 0) {
3257 if (ignore)
3258 continue;
3259
3260 strv_free(r);
3261 return -EINVAL;
3262 }
3263 for (n = 0; n < count; n++) {
3264 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
3265 if (k < 0) {
3266 if (ignore)
3267 continue;
3268
3269 strv_free(r);
3270 return k;
3271 }
3272 /* Log invalid environment variables with filename */
3273 if (p) {
3274 InvalidEnvInfo info = {
3275 .unit = unit,
3276 .path = pglob.gl_pathv[n]
3277 };
3278
3279 p = strv_env_clean_with_callback(p, invalid_env, &info);
3280 }
3281
3282 if (r == NULL)
3283 r = p;
3284 else {
3285 char **m;
3286
3287 m = strv_env_merge(2, r, p);
3288 strv_free(r);
3289 strv_free(p);
3290 if (!m)
3291 return -ENOMEM;
3292
3293 r = m;
3294 }
3295 }
3296 }
3297
3298 *l = r;
3299
3300 return 0;
3301 }
3302
3303 static bool tty_may_match_dev_console(const char *tty) {
3304 _cleanup_free_ char *active = NULL;
3305 char *console;
3306
3307 if (!tty)
3308 return true;
3309
3310 if (startswith(tty, "/dev/"))
3311 tty += 5;
3312
3313 /* trivial identity? */
3314 if (streq(tty, "console"))
3315 return true;
3316
3317 console = resolve_dev_console(&active);
3318 /* if we could not resolve, assume it may */
3319 if (!console)
3320 return true;
3321
3322 /* "tty0" means the active VC, so it may be the same sometimes */
3323 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
3324 }
3325
3326 bool exec_context_may_touch_console(ExecContext *ec) {
3327
3328 return (ec->tty_reset ||
3329 ec->tty_vhangup ||
3330 ec->tty_vt_disallocate ||
3331 is_terminal_input(ec->std_input) ||
3332 is_terminal_output(ec->std_output) ||
3333 is_terminal_output(ec->std_error)) &&
3334 tty_may_match_dev_console(exec_context_tty_path(ec));
3335 }
3336
3337 static void strv_fprintf(FILE *f, char **l) {
3338 char **g;
3339
3340 assert(f);
3341
3342 STRV_FOREACH(g, l)
3343 fprintf(f, " %s", *g);
3344 }
3345
3346 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
3347 char **e, **d;
3348 unsigned i;
3349 int r;
3350
3351 assert(c);
3352 assert(f);
3353
3354 prefix = strempty(prefix);
3355
3356 fprintf(f,
3357 "%sUMask: %04o\n"
3358 "%sWorkingDirectory: %s\n"
3359 "%sRootDirectory: %s\n"
3360 "%sNonBlocking: %s\n"
3361 "%sPrivateTmp: %s\n"
3362 "%sPrivateDevices: %s\n"
3363 "%sProtectKernelTunables: %s\n"
3364 "%sProtectKernelModules: %s\n"
3365 "%sProtectControlGroups: %s\n"
3366 "%sPrivateNetwork: %s\n"
3367 "%sPrivateUsers: %s\n"
3368 "%sProtectHome: %s\n"
3369 "%sProtectSystem: %s\n"
3370 "%sIgnoreSIGPIPE: %s\n"
3371 "%sMemoryDenyWriteExecute: %s\n"
3372 "%sRestrictRealtime: %s\n",
3373 prefix, c->umask,
3374 prefix, c->working_directory ? c->working_directory : "/",
3375 prefix, c->root_directory ? c->root_directory : "/",
3376 prefix, yes_no(c->non_blocking),
3377 prefix, yes_no(c->private_tmp),
3378 prefix, yes_no(c->private_devices),
3379 prefix, yes_no(c->protect_kernel_tunables),
3380 prefix, yes_no(c->protect_kernel_modules),
3381 prefix, yes_no(c->protect_control_groups),
3382 prefix, yes_no(c->private_network),
3383 prefix, yes_no(c->private_users),
3384 prefix, protect_home_to_string(c->protect_home),
3385 prefix, protect_system_to_string(c->protect_system),
3386 prefix, yes_no(c->ignore_sigpipe),
3387 prefix, yes_no(c->memory_deny_write_execute),
3388 prefix, yes_no(c->restrict_realtime));
3389
3390 STRV_FOREACH(e, c->environment)
3391 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
3392
3393 STRV_FOREACH(e, c->environment_files)
3394 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
3395
3396 STRV_FOREACH(e, c->pass_environment)
3397 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
3398
3399 fprintf(f, "%sRuntimeDirectoryMode: %04o\n", prefix, c->runtime_directory_mode);
3400
3401 STRV_FOREACH(d, c->runtime_directory)
3402 fprintf(f, "%sRuntimeDirectory: %s\n", prefix, *d);
3403
3404 if (c->nice_set)
3405 fprintf(f,
3406 "%sNice: %i\n",
3407 prefix, c->nice);
3408
3409 if (c->oom_score_adjust_set)
3410 fprintf(f,
3411 "%sOOMScoreAdjust: %i\n",
3412 prefix, c->oom_score_adjust);
3413
3414 for (i = 0; i < RLIM_NLIMITS; i++)
3415 if (c->rlimit[i]) {
3416 fprintf(f, "%s%s: " RLIM_FMT "\n",
3417 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
3418 fprintf(f, "%s%sSoft: " RLIM_FMT "\n",
3419 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
3420 }
3421
3422 if (c->ioprio_set) {
3423 _cleanup_free_ char *class_str = NULL;
3424
3425 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
3426 fprintf(f,
3427 "%sIOSchedulingClass: %s\n"
3428 "%sIOPriority: %i\n",
3429 prefix, strna(class_str),
3430 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
3431 }
3432
3433 if (c->cpu_sched_set) {
3434 _cleanup_free_ char *policy_str = NULL;
3435
3436 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
3437 fprintf(f,
3438 "%sCPUSchedulingPolicy: %s\n"
3439 "%sCPUSchedulingPriority: %i\n"
3440 "%sCPUSchedulingResetOnFork: %s\n",
3441 prefix, strna(policy_str),
3442 prefix, c->cpu_sched_priority,
3443 prefix, yes_no(c->cpu_sched_reset_on_fork));
3444 }
3445
3446 if (c->cpuset) {
3447 fprintf(f, "%sCPUAffinity:", prefix);
3448 for (i = 0; i < c->cpuset_ncpus; i++)
3449 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
3450 fprintf(f, " %u", i);
3451 fputs("\n", f);
3452 }
3453
3454 if (c->timer_slack_nsec != NSEC_INFINITY)
3455 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
3456
3457 fprintf(f,
3458 "%sStandardInput: %s\n"
3459 "%sStandardOutput: %s\n"
3460 "%sStandardError: %s\n",
3461 prefix, exec_input_to_string(c->std_input),
3462 prefix, exec_output_to_string(c->std_output),
3463 prefix, exec_output_to_string(c->std_error));
3464
3465 if (c->tty_path)
3466 fprintf(f,
3467 "%sTTYPath: %s\n"
3468 "%sTTYReset: %s\n"
3469 "%sTTYVHangup: %s\n"
3470 "%sTTYVTDisallocate: %s\n",
3471 prefix, c->tty_path,
3472 prefix, yes_no(c->tty_reset),
3473 prefix, yes_no(c->tty_vhangup),
3474 prefix, yes_no(c->tty_vt_disallocate));
3475
3476 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
3477 c->std_output == EXEC_OUTPUT_KMSG ||
3478 c->std_output == EXEC_OUTPUT_JOURNAL ||
3479 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3480 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3481 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
3482 c->std_error == EXEC_OUTPUT_SYSLOG ||
3483 c->std_error == EXEC_OUTPUT_KMSG ||
3484 c->std_error == EXEC_OUTPUT_JOURNAL ||
3485 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3486 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3487 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
3488
3489 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
3490
3491 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
3492 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
3493
3494 fprintf(f,
3495 "%sSyslogFacility: %s\n"
3496 "%sSyslogLevel: %s\n",
3497 prefix, strna(fac_str),
3498 prefix, strna(lvl_str));
3499 }
3500
3501 if (c->secure_bits)
3502 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
3503 prefix,
3504 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
3505 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
3506 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
3507 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
3508 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
3509 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
3510
3511 if (c->capability_bounding_set != CAP_ALL) {
3512 unsigned long l;
3513 fprintf(f, "%sCapabilityBoundingSet:", prefix);
3514
3515 for (l = 0; l <= cap_last_cap(); l++)
3516 if (c->capability_bounding_set & (UINT64_C(1) << l))
3517 fprintf(f, " %s", strna(capability_to_name(l)));
3518
3519 fputs("\n", f);
3520 }
3521
3522 if (c->capability_ambient_set != 0) {
3523 unsigned long l;
3524 fprintf(f, "%sAmbientCapabilities:", prefix);
3525
3526 for (l = 0; l <= cap_last_cap(); l++)
3527 if (c->capability_ambient_set & (UINT64_C(1) << l))
3528 fprintf(f, " %s", strna(capability_to_name(l)));
3529
3530 fputs("\n", f);
3531 }
3532
3533 if (c->user)
3534 fprintf(f, "%sUser: %s\n", prefix, c->user);
3535 if (c->group)
3536 fprintf(f, "%sGroup: %s\n", prefix, c->group);
3537
3538 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
3539
3540 if (strv_length(c->supplementary_groups) > 0) {
3541 fprintf(f, "%sSupplementaryGroups:", prefix);
3542 strv_fprintf(f, c->supplementary_groups);
3543 fputs("\n", f);
3544 }
3545
3546 if (c->pam_name)
3547 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
3548
3549 if (strv_length(c->read_write_paths) > 0) {
3550 fprintf(f, "%sReadWritePaths:", prefix);
3551 strv_fprintf(f, c->read_write_paths);
3552 fputs("\n", f);
3553 }
3554
3555 if (strv_length(c->read_only_paths) > 0) {
3556 fprintf(f, "%sReadOnlyPaths:", prefix);
3557 strv_fprintf(f, c->read_only_paths);
3558 fputs("\n", f);
3559 }
3560
3561 if (strv_length(c->inaccessible_paths) > 0) {
3562 fprintf(f, "%sInaccessiblePaths:", prefix);
3563 strv_fprintf(f, c->inaccessible_paths);
3564 fputs("\n", f);
3565 }
3566
3567 if (c->utmp_id)
3568 fprintf(f,
3569 "%sUtmpIdentifier: %s\n",
3570 prefix, c->utmp_id);
3571
3572 if (c->selinux_context)
3573 fprintf(f,
3574 "%sSELinuxContext: %s%s\n",
3575 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
3576
3577 if (c->personality != PERSONALITY_INVALID)
3578 fprintf(f,
3579 "%sPersonality: %s\n",
3580 prefix, strna(personality_to_string(c->personality)));
3581
3582 if (c->syscall_filter) {
3583 #ifdef HAVE_SECCOMP
3584 Iterator j;
3585 void *id;
3586 bool first = true;
3587 #endif
3588
3589 fprintf(f,
3590 "%sSystemCallFilter: ",
3591 prefix);
3592
3593 if (!c->syscall_whitelist)
3594 fputc('~', f);
3595
3596 #ifdef HAVE_SECCOMP
3597 SET_FOREACH(id, c->syscall_filter, j) {
3598 _cleanup_free_ char *name = NULL;
3599
3600 if (first)
3601 first = false;
3602 else
3603 fputc(' ', f);
3604
3605 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
3606 fputs(strna(name), f);
3607 }
3608 #endif
3609
3610 fputc('\n', f);
3611 }
3612
3613 if (c->syscall_archs) {
3614 #ifdef HAVE_SECCOMP
3615 Iterator j;
3616 void *id;
3617 #endif
3618
3619 fprintf(f,
3620 "%sSystemCallArchitectures:",
3621 prefix);
3622
3623 #ifdef HAVE_SECCOMP
3624 SET_FOREACH(id, c->syscall_archs, j)
3625 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
3626 #endif
3627 fputc('\n', f);
3628 }
3629
3630 if (exec_context_restrict_namespaces_set(c)) {
3631 _cleanup_free_ char *s = NULL;
3632
3633 r = namespace_flag_to_string_many(c->restrict_namespaces, &s);
3634 if (r >= 0)
3635 fprintf(f, "%sRestrictNamespaces: %s\n",
3636 prefix, s);
3637 }
3638
3639 if (c->syscall_errno > 0)
3640 fprintf(f,
3641 "%sSystemCallErrorNumber: %s\n",
3642 prefix, strna(errno_to_name(c->syscall_errno)));
3643
3644 if (c->apparmor_profile)
3645 fprintf(f,
3646 "%sAppArmorProfile: %s%s\n",
3647 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
3648 }
3649
3650 bool exec_context_maintains_privileges(ExecContext *c) {
3651 assert(c);
3652
3653 /* Returns true if the process forked off would run under
3654 * an unchanged UID or as root. */
3655
3656 if (!c->user)
3657 return true;
3658
3659 if (streq(c->user, "root") || streq(c->user, "0"))
3660 return true;
3661
3662 return false;
3663 }
3664
3665 void exec_status_start(ExecStatus *s, pid_t pid) {
3666 assert(s);
3667
3668 zero(*s);
3669 s->pid = pid;
3670 dual_timestamp_get(&s->start_timestamp);
3671 }
3672
3673 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
3674 assert(s);
3675
3676 if (s->pid && s->pid != pid)
3677 zero(*s);
3678
3679 s->pid = pid;
3680 dual_timestamp_get(&s->exit_timestamp);
3681
3682 s->code = code;
3683 s->status = status;
3684
3685 if (context) {
3686 if (context->utmp_id)
3687 utmp_put_dead_process(context->utmp_id, pid, code, status);
3688
3689 exec_context_tty_reset(context, NULL);
3690 }
3691 }
3692
3693 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
3694 char buf[FORMAT_TIMESTAMP_MAX];
3695
3696 assert(s);
3697 assert(f);
3698
3699 if (s->pid <= 0)
3700 return;
3701
3702 prefix = strempty(prefix);
3703
3704 fprintf(f,
3705 "%sPID: "PID_FMT"\n",
3706 prefix, s->pid);
3707
3708 if (dual_timestamp_is_set(&s->start_timestamp))
3709 fprintf(f,
3710 "%sStart Timestamp: %s\n",
3711 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
3712
3713 if (dual_timestamp_is_set(&s->exit_timestamp))
3714 fprintf(f,
3715 "%sExit Timestamp: %s\n"
3716 "%sExit Code: %s\n"
3717 "%sExit Status: %i\n",
3718 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
3719 prefix, sigchld_code_to_string(s->code),
3720 prefix, s->status);
3721 }
3722
3723 char *exec_command_line(char **argv) {
3724 size_t k;
3725 char *n, *p, **a;
3726 bool first = true;
3727
3728 assert(argv);
3729
3730 k = 1;
3731 STRV_FOREACH(a, argv)
3732 k += strlen(*a)+3;
3733
3734 n = new(char, k);
3735 if (!n)
3736 return NULL;
3737
3738 p = n;
3739 STRV_FOREACH(a, argv) {
3740
3741 if (!first)
3742 *(p++) = ' ';
3743 else
3744 first = false;
3745
3746 if (strpbrk(*a, WHITESPACE)) {
3747 *(p++) = '\'';
3748 p = stpcpy(p, *a);
3749 *(p++) = '\'';
3750 } else
3751 p = stpcpy(p, *a);
3752
3753 }
3754
3755 *p = 0;
3756
3757 /* FIXME: this doesn't really handle arguments that have
3758 * spaces and ticks in them */
3759
3760 return n;
3761 }
3762
3763 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
3764 _cleanup_free_ char *cmd = NULL;
3765 const char *prefix2;
3766
3767 assert(c);
3768 assert(f);
3769
3770 prefix = strempty(prefix);
3771 prefix2 = strjoina(prefix, "\t");
3772
3773 cmd = exec_command_line(c->argv);
3774 fprintf(f,
3775 "%sCommand Line: %s\n",
3776 prefix, cmd ? cmd : strerror(ENOMEM));
3777
3778 exec_status_dump(&c->exec_status, f, prefix2);
3779 }
3780
3781 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
3782 assert(f);
3783
3784 prefix = strempty(prefix);
3785
3786 LIST_FOREACH(command, c, c)
3787 exec_command_dump(c, f, prefix);
3788 }
3789
3790 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
3791 ExecCommand *end;
3792
3793 assert(l);
3794 assert(e);
3795
3796 if (*l) {
3797 /* It's kind of important, that we keep the order here */
3798 LIST_FIND_TAIL(command, *l, end);
3799 LIST_INSERT_AFTER(command, *l, end, e);
3800 } else
3801 *l = e;
3802 }
3803
3804 int exec_command_set(ExecCommand *c, const char *path, ...) {
3805 va_list ap;
3806 char **l, *p;
3807
3808 assert(c);
3809 assert(path);
3810
3811 va_start(ap, path);
3812 l = strv_new_ap(path, ap);
3813 va_end(ap);
3814
3815 if (!l)
3816 return -ENOMEM;
3817
3818 p = strdup(path);
3819 if (!p) {
3820 strv_free(l);
3821 return -ENOMEM;
3822 }
3823
3824 free(c->path);
3825 c->path = p;
3826
3827 strv_free(c->argv);
3828 c->argv = l;
3829
3830 return 0;
3831 }
3832
3833 int exec_command_append(ExecCommand *c, const char *path, ...) {
3834 _cleanup_strv_free_ char **l = NULL;
3835 va_list ap;
3836 int r;
3837
3838 assert(c);
3839 assert(path);
3840
3841 va_start(ap, path);
3842 l = strv_new_ap(path, ap);
3843 va_end(ap);
3844
3845 if (!l)
3846 return -ENOMEM;
3847
3848 r = strv_extend_strv(&c->argv, l, false);
3849 if (r < 0)
3850 return r;
3851
3852 return 0;
3853 }
3854
3855
3856 static int exec_runtime_allocate(ExecRuntime **rt) {
3857
3858 if (*rt)
3859 return 0;
3860
3861 *rt = new0(ExecRuntime, 1);
3862 if (!*rt)
3863 return -ENOMEM;
3864
3865 (*rt)->n_ref = 1;
3866 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
3867
3868 return 0;
3869 }
3870
3871 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
3872 int r;
3873
3874 assert(rt);
3875 assert(c);
3876 assert(id);
3877
3878 if (*rt)
3879 return 1;
3880
3881 if (!c->private_network && !c->private_tmp)
3882 return 0;
3883
3884 r = exec_runtime_allocate(rt);
3885 if (r < 0)
3886 return r;
3887
3888 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
3889 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, (*rt)->netns_storage_socket) < 0)
3890 return -errno;
3891 }
3892
3893 if (c->private_tmp && !(*rt)->tmp_dir) {
3894 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
3895 if (r < 0)
3896 return r;
3897 }
3898
3899 return 1;
3900 }
3901
3902 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
3903 assert(r);
3904 assert(r->n_ref > 0);
3905
3906 r->n_ref++;
3907 return r;
3908 }
3909
3910 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
3911
3912 if (!r)
3913 return NULL;
3914
3915 assert(r->n_ref > 0);
3916
3917 r->n_ref--;
3918 if (r->n_ref > 0)
3919 return NULL;
3920
3921 free(r->tmp_dir);
3922 free(r->var_tmp_dir);
3923 safe_close_pair(r->netns_storage_socket);
3924 return mfree(r);
3925 }
3926
3927 int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
3928 assert(u);
3929 assert(f);
3930 assert(fds);
3931
3932 if (!rt)
3933 return 0;
3934
3935 if (rt->tmp_dir)
3936 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
3937
3938 if (rt->var_tmp_dir)
3939 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
3940
3941 if (rt->netns_storage_socket[0] >= 0) {
3942 int copy;
3943
3944 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
3945 if (copy < 0)
3946 return copy;
3947
3948 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
3949 }
3950
3951 if (rt->netns_storage_socket[1] >= 0) {
3952 int copy;
3953
3954 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
3955 if (copy < 0)
3956 return copy;
3957
3958 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
3959 }
3960
3961 return 0;
3962 }
3963
3964 int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
3965 int r;
3966
3967 assert(rt);
3968 assert(key);
3969 assert(value);
3970
3971 if (streq(key, "tmp-dir")) {
3972 char *copy;
3973
3974 r = exec_runtime_allocate(rt);
3975 if (r < 0)
3976 return log_oom();
3977
3978 copy = strdup(value);
3979 if (!copy)
3980 return log_oom();
3981
3982 free((*rt)->tmp_dir);
3983 (*rt)->tmp_dir = copy;
3984
3985 } else if (streq(key, "var-tmp-dir")) {
3986 char *copy;
3987
3988 r = exec_runtime_allocate(rt);
3989 if (r < 0)
3990 return log_oom();
3991
3992 copy = strdup(value);
3993 if (!copy)
3994 return log_oom();
3995
3996 free((*rt)->var_tmp_dir);
3997 (*rt)->var_tmp_dir = copy;
3998
3999 } else if (streq(key, "netns-socket-0")) {
4000 int fd;
4001
4002 r = exec_runtime_allocate(rt);
4003 if (r < 0)
4004 return log_oom();
4005
4006 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
4007 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
4008 else {
4009 safe_close((*rt)->netns_storage_socket[0]);
4010 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
4011 }
4012 } else if (streq(key, "netns-socket-1")) {
4013 int fd;
4014
4015 r = exec_runtime_allocate(rt);
4016 if (r < 0)
4017 return log_oom();
4018
4019 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
4020 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
4021 else {
4022 safe_close((*rt)->netns_storage_socket[1]);
4023 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
4024 }
4025 } else
4026 return 0;
4027
4028 return 1;
4029 }
4030
4031 static void *remove_tmpdir_thread(void *p) {
4032 _cleanup_free_ char *path = p;
4033
4034 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
4035 return NULL;
4036 }
4037
4038 void exec_runtime_destroy(ExecRuntime *rt) {
4039 int r;
4040
4041 if (!rt)
4042 return;
4043
4044 /* If there are multiple users of this, let's leave the stuff around */
4045 if (rt->n_ref > 1)
4046 return;
4047
4048 if (rt->tmp_dir) {
4049 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
4050
4051 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
4052 if (r < 0) {
4053 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
4054 free(rt->tmp_dir);
4055 }
4056
4057 rt->tmp_dir = NULL;
4058 }
4059
4060 if (rt->var_tmp_dir) {
4061 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
4062
4063 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
4064 if (r < 0) {
4065 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
4066 free(rt->var_tmp_dir);
4067 }
4068
4069 rt->var_tmp_dir = NULL;
4070 }
4071
4072 safe_close_pair(rt->netns_storage_socket);
4073 }
4074
4075 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
4076 [EXEC_INPUT_NULL] = "null",
4077 [EXEC_INPUT_TTY] = "tty",
4078 [EXEC_INPUT_TTY_FORCE] = "tty-force",
4079 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
4080 [EXEC_INPUT_SOCKET] = "socket",
4081 [EXEC_INPUT_NAMED_FD] = "fd",
4082 };
4083
4084 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
4085
4086 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
4087 [EXEC_OUTPUT_INHERIT] = "inherit",
4088 [EXEC_OUTPUT_NULL] = "null",
4089 [EXEC_OUTPUT_TTY] = "tty",
4090 [EXEC_OUTPUT_SYSLOG] = "syslog",
4091 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
4092 [EXEC_OUTPUT_KMSG] = "kmsg",
4093 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
4094 [EXEC_OUTPUT_JOURNAL] = "journal",
4095 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
4096 [EXEC_OUTPUT_SOCKET] = "socket",
4097 [EXEC_OUTPUT_NAMED_FD] = "fd",
4098 };
4099
4100 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
4101
4102 static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
4103 [EXEC_UTMP_INIT] = "init",
4104 [EXEC_UTMP_LOGIN] = "login",
4105 [EXEC_UTMP_USER] = "user",
4106 };
4107
4108 DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
Unnamed repository; edit this file 'description' to name the repository.