]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/execute.c
projects / thirdparty / systemd.git / blob
? search:


26cde24f150de8e337bba53e01d4c2c1ed8a2ddb
[thirdparty/systemd.git] / src / core / execute.c
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2
3 /***
4 This file is part of systemd.
5
6 Copyright 2010 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
17
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 ***/
21
22 #include <assert.h>
23 #include <dirent.h>
24 #include <errno.h>
25 #include <fcntl.h>
26 #include <unistd.h>
27 #include <string.h>
28 #include <signal.h>
29 #include <sys/socket.h>
30 #include <sys/un.h>
31 #include <sys/prctl.h>
32 #include <linux/sched.h>
33 #include <sys/types.h>
34 #include <sys/stat.h>
35 #include <grp.h>
36 #include <pwd.h>
37 #include <sys/mount.h>
38 #include <linux/fs.h>
39 #include <linux/oom.h>
40 #include <sys/poll.h>
41 #include <linux/seccomp-bpf.h>
42 #include <glob.h>
43 #include <libgen.h>
44
45 #ifdef HAVE_PAM
46 #include <security/pam_appl.h>
47 #endif
48
49 #include "execute.h"
50 #include "strv.h"
51 #include "macro.h"
52 #include "capability.h"
53 #include "util.h"
54 #include "log.h"
55 #include "sd-messages.h"
56 #include "ioprio.h"
57 #include "securebits.h"
58 #include "cgroup.h"
59 #include "namespace.h"
60 #include "tcpwrap.h"
61 #include "exit-status.h"
62 #include "missing.h"
63 #include "utmp-wtmp.h"
64 #include "def.h"
65 #include "loopback-setup.h"
66 #include "path-util.h"
67 #include "syscall-list.h"
68 #include "env-util.h"
69 #include "fileio.h"
70
71 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
72
73 /* This assumes there is a 'tty' group */
74 #define TTY_MODE 0620
75
76 static int shift_fds(int fds[], unsigned n_fds) {
77 int start, restart_from;
78
79 if (n_fds <= 0)
80 return 0;
81
82 /* Modifies the fds array! (sorts it) */
83
84 assert(fds);
85
86 start = 0;
87 for (;;) {
88 int i;
89
90 restart_from = -1;
91
92 for (i = start; i < (int) n_fds; i++) {
93 int nfd;
94
95 /* Already at right index? */
96 if (fds[i] == i+3)
97 continue;
98
99 if ((nfd = fcntl(fds[i], F_DUPFD, i+3)) < 0)
100 return -errno;
101
102 close_nointr_nofail(fds[i]);
103 fds[i] = nfd;
104
105 /* Hmm, the fd we wanted isn't free? Then
106 * let's remember that and try again from here*/
107 if (nfd != i+3 && restart_from < 0)
108 restart_from = i;
109 }
110
111 if (restart_from < 0)
112 break;
113
114 start = restart_from;
115 }
116
117 return 0;
118 }
119
120 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
121 unsigned i;
122 int r;
123
124 if (n_fds <= 0)
125 return 0;
126
127 assert(fds);
128
129 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
130
131 for (i = 0; i < n_fds; i++) {
132
133 if ((r = fd_nonblock(fds[i], nonblock)) < 0)
134 return r;
135
136 /* We unconditionally drop FD_CLOEXEC from the fds,
137 * since after all we want to pass these fds to our
138 * children */
139
140 if ((r = fd_cloexec(fds[i], false)) < 0)
141 return r;
142 }
143
144 return 0;
145 }
146
147 static const char *tty_path(const ExecContext *context) {
148 assert(context);
149
150 if (context->tty_path)
151 return context->tty_path;
152
153 return "/dev/console";
154 }
155
156 void exec_context_tty_reset(const ExecContext *context) {
157 assert(context);
158
159 if (context->tty_vhangup)
160 terminal_vhangup(tty_path(context));
161
162 if (context->tty_reset)
163 reset_terminal(tty_path(context));
164
165 if (context->tty_vt_disallocate && context->tty_path)
166 vt_disallocate(context->tty_path);
167 }
168
169 static bool is_terminal_output(ExecOutput o) {
170 return
171 o == EXEC_OUTPUT_TTY ||
172 o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
173 o == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
174 o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE;
175 }
176
177 void exec_context_serialize(const ExecContext *context, Unit *u, FILE *f) {
178 assert(context);
179 assert(u);
180 assert(f);
181
182 if (context->tmp_dir)
183 unit_serialize_item(u, f, "tmp-dir", context->tmp_dir);
184
185 if (context->var_tmp_dir)
186 unit_serialize_item(u, f, "var-tmp-dir", context->var_tmp_dir);
187 }
188
189 static int open_null_as(int flags, int nfd) {
190 int fd, r;
191
192 assert(nfd >= 0);
193
194 if ((fd = open("/dev/null", flags|O_NOCTTY)) < 0)
195 return -errno;
196
197 if (fd != nfd) {
198 r = dup2(fd, nfd) < 0 ? -errno : nfd;
199 close_nointr_nofail(fd);
200 } else
201 r = nfd;
202
203 return r;
204 }
205
206 static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd) {
207 int fd, r;
208 union sockaddr_union sa = {
209 .un.sun_family = AF_UNIX,
210 .un.sun_path = "/run/systemd/journal/stdout",
211 };
212
213 assert(context);
214 assert(output < _EXEC_OUTPUT_MAX);
215 assert(ident);
216 assert(nfd >= 0);
217
218 fd = socket(AF_UNIX, SOCK_STREAM, 0);
219 if (fd < 0)
220 return -errno;
221
222 r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path));
223 if (r < 0) {
224 close_nointr_nofail(fd);
225 return -errno;
226 }
227
228 if (shutdown(fd, SHUT_RD) < 0) {
229 close_nointr_nofail(fd);
230 return -errno;
231 }
232
233 dprintf(fd,
234 "%s\n"
235 "%s\n"
236 "%i\n"
237 "%i\n"
238 "%i\n"
239 "%i\n"
240 "%i\n",
241 context->syslog_identifier ? context->syslog_identifier : ident,
242 unit_id,
243 context->syslog_priority,
244 !!context->syslog_level_prefix,
245 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
246 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
247 is_terminal_output(output));
248
249 if (fd != nfd) {
250 r = dup2(fd, nfd) < 0 ? -errno : nfd;
251 close_nointr_nofail(fd);
252 } else
253 r = nfd;
254
255 return r;
256 }
257 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
258 int fd, r;
259
260 assert(path);
261 assert(nfd >= 0);
262
263 if ((fd = open_terminal(path, mode | O_NOCTTY)) < 0)
264 return fd;
265
266 if (fd != nfd) {
267 r = dup2(fd, nfd) < 0 ? -errno : nfd;
268 close_nointr_nofail(fd);
269 } else
270 r = nfd;
271
272 return r;
273 }
274
275 static bool is_terminal_input(ExecInput i) {
276 return
277 i == EXEC_INPUT_TTY ||
278 i == EXEC_INPUT_TTY_FORCE ||
279 i == EXEC_INPUT_TTY_FAIL;
280 }
281
282 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
283
284 if (is_terminal_input(std_input) && !apply_tty_stdin)
285 return EXEC_INPUT_NULL;
286
287 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
288 return EXEC_INPUT_NULL;
289
290 return std_input;
291 }
292
293 static int fixup_output(ExecOutput std_output, int socket_fd) {
294
295 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
296 return EXEC_OUTPUT_INHERIT;
297
298 return std_output;
299 }
300
301 static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty_stdin) {
302 ExecInput i;
303
304 assert(context);
305
306 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
307
308 switch (i) {
309
310 case EXEC_INPUT_NULL:
311 return open_null_as(O_RDONLY, STDIN_FILENO);
312
313 case EXEC_INPUT_TTY:
314 case EXEC_INPUT_TTY_FORCE:
315 case EXEC_INPUT_TTY_FAIL: {
316 int fd, r;
317
318 if ((fd = acquire_terminal(
319 tty_path(context),
320 i == EXEC_INPUT_TTY_FAIL,
321 i == EXEC_INPUT_TTY_FORCE,
322 false,
323 (usec_t) -1)) < 0)
324 return fd;
325
326 if (fd != STDIN_FILENO) {
327 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
328 close_nointr_nofail(fd);
329 } else
330 r = STDIN_FILENO;
331
332 return r;
333 }
334
335 case EXEC_INPUT_SOCKET:
336 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
337
338 default:
339 assert_not_reached("Unknown input type");
340 }
341 }
342
343 static int setup_output(const ExecContext *context, int fileno, int socket_fd, const char *ident, const char *unit_id, bool apply_tty_stdin) {
344 ExecOutput o;
345 ExecInput i;
346 int r;
347
348 assert(context);
349 assert(ident);
350
351 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
352 o = fixup_output(context->std_output, socket_fd);
353
354 if (fileno == STDERR_FILENO) {
355 ExecOutput e;
356 e = fixup_output(context->std_error, socket_fd);
357
358 /* This expects the input and output are already set up */
359
360 /* Don't change the stderr file descriptor if we inherit all
361 * the way and are not on a tty */
362 if (e == EXEC_OUTPUT_INHERIT &&
363 o == EXEC_OUTPUT_INHERIT &&
364 i == EXEC_INPUT_NULL &&
365 !is_terminal_input(context->std_input) &&
366 getppid () != 1)
367 return fileno;
368
369 /* Duplicate from stdout if possible */
370 if (e == o || e == EXEC_OUTPUT_INHERIT)
371 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
372
373 o = e;
374
375 } else if (o == EXEC_OUTPUT_INHERIT) {
376 /* If input got downgraded, inherit the original value */
377 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
378 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
379
380 /* If the input is connected to anything that's not a /dev/null, inherit that... */
381 if (i != EXEC_INPUT_NULL)
382 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
383
384 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
385 if (getppid() != 1)
386 return fileno;
387
388 /* We need to open /dev/null here anew, to get the right access mode. */
389 return open_null_as(O_WRONLY, fileno);
390 }
391
392 switch (o) {
393
394 case EXEC_OUTPUT_NULL:
395 return open_null_as(O_WRONLY, fileno);
396
397 case EXEC_OUTPUT_TTY:
398 if (is_terminal_input(i))
399 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
400
401 /* We don't reset the terminal if this is just about output */
402 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
403
404 case EXEC_OUTPUT_SYSLOG:
405 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
406 case EXEC_OUTPUT_KMSG:
407 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
408 case EXEC_OUTPUT_JOURNAL:
409 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
410 r = connect_logger_as(context, o, ident, unit_id, fileno);
411 if (r < 0) {
412 log_struct_unit(LOG_CRIT, unit_id,
413 "MESSAGE=Failed to connect std%s of %s to the journal socket: %s",
414 fileno == STDOUT_FILENO ? "out" : "err",
415 unit_id, strerror(-r),
416 "ERRNO=%d", -r,
417 NULL);
418 r = open_null_as(O_WRONLY, fileno);
419 }
420 return r;
421
422 case EXEC_OUTPUT_SOCKET:
423 assert(socket_fd >= 0);
424 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
425
426 default:
427 assert_not_reached("Unknown error type");
428 }
429 }
430
431 static int chown_terminal(int fd, uid_t uid) {
432 struct stat st;
433
434 assert(fd >= 0);
435
436 /* This might fail. What matters are the results. */
437 (void) fchown(fd, uid, -1);
438 (void) fchmod(fd, TTY_MODE);
439
440 if (fstat(fd, &st) < 0)
441 return -errno;
442
443 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
444 return -EPERM;
445
446 return 0;
447 }
448
449 static int setup_confirm_stdio(int *_saved_stdin,
450 int *_saved_stdout) {
451 int fd = -1, saved_stdin, saved_stdout = -1, r;
452
453 assert(_saved_stdin);
454 assert(_saved_stdout);
455
456 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
457 if (saved_stdin < 0)
458 return -errno;
459
460 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
461 if (saved_stdout < 0) {
462 r = errno;
463 goto fail;
464 }
465
466 fd = acquire_terminal(
467 "/dev/console",
468 false,
469 false,
470 false,
471 DEFAULT_CONFIRM_USEC);
472 if (fd < 0) {
473 r = fd;
474 goto fail;
475 }
476
477 r = chown_terminal(fd, getuid());
478 if (r < 0)
479 goto fail;
480
481 if (dup2(fd, STDIN_FILENO) < 0) {
482 r = -errno;
483 goto fail;
484 }
485
486 if (dup2(fd, STDOUT_FILENO) < 0) {
487 r = -errno;
488 goto fail;
489 }
490
491 if (fd >= 2)
492 close_nointr_nofail(fd);
493
494 *_saved_stdin = saved_stdin;
495 *_saved_stdout = saved_stdout;
496
497 return 0;
498
499 fail:
500 if (saved_stdout >= 0)
501 close_nointr_nofail(saved_stdout);
502
503 if (saved_stdin >= 0)
504 close_nointr_nofail(saved_stdin);
505
506 if (fd >= 0)
507 close_nointr_nofail(fd);
508
509 return r;
510 }
511
512 static int write_confirm_message(const char *format, ...) {
513 int fd;
514 va_list ap;
515
516 assert(format);
517
518 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
519 if (fd < 0)
520 return fd;
521
522 va_start(ap, format);
523 vdprintf(fd, format, ap);
524 va_end(ap);
525
526 close_nointr_nofail(fd);
527
528 return 0;
529 }
530
531 static int restore_confirm_stdio(int *saved_stdin,
532 int *saved_stdout) {
533
534 int r = 0;
535
536 assert(saved_stdin);
537 assert(saved_stdout);
538
539 release_terminal();
540
541 if (*saved_stdin >= 0)
542 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
543 r = -errno;
544
545 if (*saved_stdout >= 0)
546 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
547 r = -errno;
548
549 if (*saved_stdin >= 0)
550 close_nointr_nofail(*saved_stdin);
551
552 if (*saved_stdout >= 0)
553 close_nointr_nofail(*saved_stdout);
554
555 return r;
556 }
557
558 static int ask_for_confirmation(char *response, char **argv) {
559 int saved_stdout = -1, saved_stdin = -1, r;
560 char *line;
561
562 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
563 if (r < 0)
564 return r;
565
566 line = exec_command_line(argv);
567 if (!line)
568 return -ENOMEM;
569
570 r = ask(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
571 free(line);
572
573 restore_confirm_stdio(&saved_stdin, &saved_stdout);
574
575 return r;
576 }
577
578 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
579 bool keep_groups = false;
580 int r;
581
582 assert(context);
583
584 /* Lookup and set GID and supplementary group list. Here too
585 * we avoid NSS lookups for gid=0. */
586
587 if (context->group || username) {
588
589 if (context->group) {
590 const char *g = context->group;
591
592 if ((r = get_group_creds(&g, &gid)) < 0)
593 return r;
594 }
595
596 /* First step, initialize groups from /etc/groups */
597 if (username && gid != 0) {
598 if (initgroups(username, gid) < 0)
599 return -errno;
600
601 keep_groups = true;
602 }
603
604 /* Second step, set our gids */
605 if (setresgid(gid, gid, gid) < 0)
606 return -errno;
607 }
608
609 if (context->supplementary_groups) {
610 int ngroups_max, k;
611 gid_t *gids;
612 char **i;
613
614 /* Final step, initialize any manually set supplementary groups */
615 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
616
617 if (!(gids = new(gid_t, ngroups_max)))
618 return -ENOMEM;
619
620 if (keep_groups) {
621 if ((k = getgroups(ngroups_max, gids)) < 0) {
622 free(gids);
623 return -errno;
624 }
625 } else
626 k = 0;
627
628 STRV_FOREACH(i, context->supplementary_groups) {
629 const char *g;
630
631 if (k >= ngroups_max) {
632 free(gids);
633 return -E2BIG;
634 }
635
636 g = *i;
637 r = get_group_creds(&g, gids+k);
638 if (r < 0) {
639 free(gids);
640 return r;
641 }
642
643 k++;
644 }
645
646 if (setgroups(k, gids) < 0) {
647 free(gids);
648 return -errno;
649 }
650
651 free(gids);
652 }
653
654 return 0;
655 }
656
657 static int enforce_user(const ExecContext *context, uid_t uid) {
658 int r;
659 assert(context);
660
661 /* Sets (but doesn't lookup) the uid and make sure we keep the
662 * capabilities while doing so. */
663
664 if (context->capabilities) {
665 cap_t d;
666 static const cap_value_t bits[] = {
667 CAP_SETUID, /* Necessary so that we can run setresuid() below */
668 CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
669 };
670
671 /* First step: If we need to keep capabilities but
672 * drop privileges we need to make sure we keep our
673 * caps, while we drop privileges. */
674 if (uid != 0) {
675 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
676
677 if (prctl(PR_GET_SECUREBITS) != sb)
678 if (prctl(PR_SET_SECUREBITS, sb) < 0)
679 return -errno;
680 }
681
682 /* Second step: set the capabilities. This will reduce
683 * the capabilities to the minimum we need. */
684
685 if (!(d = cap_dup(context->capabilities)))
686 return -errno;
687
688 if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
689 cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0) {
690 r = -errno;
691 cap_free(d);
692 return r;
693 }
694
695 if (cap_set_proc(d) < 0) {
696 r = -errno;
697 cap_free(d);
698 return r;
699 }
700
701 cap_free(d);
702 }
703
704 /* Third step: actually set the uids */
705 if (setresuid(uid, uid, uid) < 0)
706 return -errno;
707
708 /* At this point we should have all necessary capabilities but
709 are otherwise a normal user. However, the caps might got
710 corrupted due to the setresuid() so we need clean them up
711 later. This is done outside of this call. */
712
713 return 0;
714 }
715
716 #ifdef HAVE_PAM
717
718 static int null_conv(
719 int num_msg,
720 const struct pam_message **msg,
721 struct pam_response **resp,
722 void *appdata_ptr) {
723
724 /* We don't support conversations */
725
726 return PAM_CONV_ERR;
727 }
728
729 static int setup_pam(
730 const char *name,
731 const char *user,
732 uid_t uid,
733 const char *tty,
734 char ***pam_env,
735 int fds[], unsigned n_fds) {
736
737 static const struct pam_conv conv = {
738 .conv = null_conv,
739 .appdata_ptr = NULL
740 };
741
742 pam_handle_t *handle = NULL;
743 sigset_t ss, old_ss;
744 int pam_code = PAM_SUCCESS;
745 int err;
746 char **e = NULL;
747 bool close_session = false;
748 pid_t pam_pid = 0, parent_pid;
749
750 assert(name);
751 assert(user);
752 assert(pam_env);
753
754 /* We set up PAM in the parent process, then fork. The child
755 * will then stay around until killed via PR_GET_PDEATHSIG or
756 * systemd via the cgroup logic. It will then remove the PAM
757 * session again. The parent process will exec() the actual
758 * daemon. We do things this way to ensure that the main PID
759 * of the daemon is the one we initially fork()ed. */
760
761 if ((pam_code = pam_start(name, user, &conv, &handle)) != PAM_SUCCESS) {
762 handle = NULL;
763 goto fail;
764 }
765
766 if (tty)
767 if ((pam_code = pam_set_item(handle, PAM_TTY, tty)) != PAM_SUCCESS)
768 goto fail;
769
770 if ((pam_code = pam_acct_mgmt(handle, PAM_SILENT)) != PAM_SUCCESS)
771 goto fail;
772
773 if ((pam_code = pam_open_session(handle, PAM_SILENT)) != PAM_SUCCESS)
774 goto fail;
775
776 close_session = true;
777
778 if ((!(e = pam_getenvlist(handle)))) {
779 pam_code = PAM_BUF_ERR;
780 goto fail;
781 }
782
783 /* Block SIGTERM, so that we know that it won't get lost in
784 * the child */
785 if (sigemptyset(&ss) < 0 ||
786 sigaddset(&ss, SIGTERM) < 0 ||
787 sigprocmask(SIG_BLOCK, &ss, &old_ss) < 0)
788 goto fail;
789
790 parent_pid = getpid();
791
792 if ((pam_pid = fork()) < 0)
793 goto fail;
794
795 if (pam_pid == 0) {
796 int sig;
797 int r = EXIT_PAM;
798
799 /* The child's job is to reset the PAM session on
800 * termination */
801
802 /* This string must fit in 10 chars (i.e. the length
803 * of "/sbin/init"), to look pretty in /bin/ps */
804 rename_process("(sd-pam)");
805
806 /* Make sure we don't keep open the passed fds in this
807 child. We assume that otherwise only those fds are
808 open here that have been opened by PAM. */
809 close_many(fds, n_fds);
810
811 /* Drop privileges - we don't need any to pam_close_session
812 * and this will make PR_SET_PDEATHSIG work in most cases.
813 * If this fails, ignore the error - but expect sd-pam threads
814 * to fail to exit normally */
815 if (setresuid(uid, uid, uid) < 0)
816 log_error("Error: Failed to setresuid() in sd-pam: %s", strerror(-r));
817
818 /* Wait until our parent died. This will only work if
819 * the above setresuid() succeeds, otherwise the kernel
820 * will not allow unprivileged parents kill their privileged
821 * children this way. We rely on the control groups kill logic
822 * to do the rest for us. */
823 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
824 goto child_finish;
825
826 /* Check if our parent process might already have
827 * died? */
828 if (getppid() == parent_pid) {
829 for (;;) {
830 if (sigwait(&ss, &sig) < 0) {
831 if (errno == EINTR)
832 continue;
833
834 goto child_finish;
835 }
836
837 assert(sig == SIGTERM);
838 break;
839 }
840 }
841
842 /* If our parent died we'll end the session */
843 if (getppid() != parent_pid)
844 if ((pam_code = pam_close_session(handle, PAM_DATA_SILENT)) != PAM_SUCCESS)
845 goto child_finish;
846
847 r = 0;
848
849 child_finish:
850 pam_end(handle, pam_code | PAM_DATA_SILENT);
851 _exit(r);
852 }
853
854 /* If the child was forked off successfully it will do all the
855 * cleanups, so forget about the handle here. */
856 handle = NULL;
857
858 /* Unblock SIGTERM again in the parent */
859 if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0)
860 goto fail;
861
862 /* We close the log explicitly here, since the PAM modules
863 * might have opened it, but we don't want this fd around. */
864 closelog();
865
866 *pam_env = e;
867 e = NULL;
868
869 return 0;
870
871 fail:
872 if (pam_code != PAM_SUCCESS)
873 err = -EPERM; /* PAM errors do not map to errno */
874 else
875 err = -errno;
876
877 if (handle) {
878 if (close_session)
879 pam_code = pam_close_session(handle, PAM_DATA_SILENT);
880
881 pam_end(handle, pam_code | PAM_DATA_SILENT);
882 }
883
884 strv_free(e);
885
886 closelog();
887
888 if (pam_pid > 1) {
889 kill(pam_pid, SIGTERM);
890 kill(pam_pid, SIGCONT);
891 }
892
893 return err;
894 }
895 #endif
896
897 static void rename_process_from_path(const char *path) {
898 char process_name[11];
899 const char *p;
900 size_t l;
901
902 /* This resulting string must fit in 10 chars (i.e. the length
903 * of "/sbin/init") to look pretty in /bin/ps */
904
905 p = path_get_file_name(path);
906 if (isempty(p)) {
907 rename_process("(...)");
908 return;
909 }
910
911 l = strlen(p);
912 if (l > 8) {
913 /* The end of the process name is usually more
914 * interesting, since the first bit might just be
915 * "systemd-" */
916 p = p + l - 8;
917 l = 8;
918 }
919
920 process_name[0] = '(';
921 memcpy(process_name+1, p, l);
922 process_name[1+l] = ')';
923 process_name[1+l+1] = 0;
924
925 rename_process(process_name);
926 }
927
928 static int apply_seccomp(uint32_t *syscall_filter) {
929 static const struct sock_filter header[] = {
930 VALIDATE_ARCHITECTURE,
931 EXAMINE_SYSCALL
932 };
933 static const struct sock_filter footer[] = {
934 _KILL_PROCESS
935 };
936
937 int i;
938 unsigned n;
939 struct sock_filter *f;
940 struct sock_fprog prog = {};
941
942 assert(syscall_filter);
943
944 /* First: count the syscalls to check for */
945 for (i = 0, n = 0; i < syscall_max(); i++)
946 if (syscall_filter[i >> 4] & (1 << (i & 31)))
947 n++;
948
949 /* Second: build the filter program from a header the syscall
950 * matches and the footer */
951 f = alloca(sizeof(struct sock_filter) * (ELEMENTSOF(header) + 2*n + ELEMENTSOF(footer)));
952 memcpy(f, header, sizeof(header));
953
954 for (i = 0, n = 0; i < syscall_max(); i++)
955 if (syscall_filter[i >> 4] & (1 << (i & 31))) {
956 struct sock_filter item[] = {
957 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, INDEX_TO_SYSCALL(i), 0, 1),
958 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
959 };
960
961 assert_cc(ELEMENTSOF(item) == 2);
962
963 f[ELEMENTSOF(header) + 2*n] = item[0];
964 f[ELEMENTSOF(header) + 2*n+1] = item[1];
965
966 n++;
967 }
968
969 memcpy(f + (ELEMENTSOF(header) + 2*n), footer, sizeof(footer));
970
971 /* Third: install the filter */
972 prog.len = ELEMENTSOF(header) + ELEMENTSOF(footer) + 2*n;
973 prog.filter = f;
974 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0)
975 return -errno;
976
977 return 0;
978 }
979
980 int exec_spawn(ExecCommand *command,
981 char **argv,
982 ExecContext *context,
983 int fds[], unsigned n_fds,
984 char **environment,
985 bool apply_permissions,
986 bool apply_chroot,
987 bool apply_tty_stdin,
988 bool confirm_spawn,
989 CGroupBonding *cgroup_bondings,
990 CGroupAttribute *cgroup_attributes,
991 const char *cgroup_suffix,
992 const char *unit_id,
993 int idle_pipe[2],
994 pid_t *ret) {
995
996 pid_t pid;
997 int r;
998 char *line;
999 int socket_fd;
1000 char _cleanup_strv_free_ **files_env = NULL;
1001
1002 assert(command);
1003 assert(context);
1004 assert(ret);
1005 assert(fds || n_fds <= 0);
1006
1007 if (context->std_input == EXEC_INPUT_SOCKET ||
1008 context->std_output == EXEC_OUTPUT_SOCKET ||
1009 context->std_error == EXEC_OUTPUT_SOCKET) {
1010
1011 if (n_fds != 1)
1012 return -EINVAL;
1013
1014 socket_fd = fds[0];
1015
1016 fds = NULL;
1017 n_fds = 0;
1018 } else
1019 socket_fd = -1;
1020
1021 r = exec_context_load_environment(context, &files_env);
1022 if (r < 0) {
1023 log_struct_unit(LOG_ERR,
1024 unit_id,
1025 "MESSAGE=Failed to load environment files: %s", strerror(-r),
1026 "ERRNO=%d", -r,
1027 NULL);
1028 return r;
1029 }
1030
1031 if (!argv)
1032 argv = command->argv;
1033
1034 line = exec_command_line(argv);
1035 if (!line)
1036 return log_oom();
1037
1038 log_struct_unit(LOG_DEBUG,
1039 unit_id,
1040 "EXECUTABLE=%s", command->path,
1041 "MESSAGE=About to execute: %s", line,
1042 NULL);
1043 free(line);
1044
1045 r = cgroup_bonding_realize_list(cgroup_bondings);
1046 if (r < 0)
1047 return r;
1048
1049 /* We must initialize the attributes in the parent, before we
1050 fork, because we really need them initialized before making
1051 the process a member of the group (which we do in both the
1052 child and the parent), and we cannot really apply them twice
1053 (due to 'append' style attributes) */
1054 cgroup_attribute_apply_list(cgroup_attributes, cgroup_bondings);
1055
1056 if (context->private_tmp && !context->tmp_dir && !context->var_tmp_dir) {
1057 r = setup_tmpdirs(&context->tmp_dir, &context->var_tmp_dir);
1058 if (r < 0)
1059 return r;
1060 }
1061
1062 pid = fork();
1063 if (pid < 0)
1064 return -errno;
1065
1066 if (pid == 0) {
1067 int i, err;
1068 sigset_t ss;
1069 const char *username = NULL, *home = NULL;
1070 uid_t uid = (uid_t) -1;
1071 gid_t gid = (gid_t) -1;
1072 char _cleanup_strv_free_ **our_env = NULL, **pam_env = NULL,
1073 **final_env = NULL, **final_argv = NULL;
1074 unsigned n_env = 0;
1075 bool set_access = false;
1076
1077 /* child */
1078
1079 rename_process_from_path(command->path);
1080
1081 /* We reset exactly these signals, since they are the
1082 * only ones we set to SIG_IGN in the main daemon. All
1083 * others we leave untouched because we set them to
1084 * SIG_DFL or a valid handler initially, both of which
1085 * will be demoted to SIG_DFL. */
1086 default_signals(SIGNALS_CRASH_HANDLER,
1087 SIGNALS_IGNORE, -1);
1088
1089 if (context->ignore_sigpipe)
1090 ignore_signals(SIGPIPE, -1);
1091
1092 assert_se(sigemptyset(&ss) == 0);
1093 if (sigprocmask(SIG_SETMASK, &ss, NULL) < 0) {
1094 err = -errno;
1095 r = EXIT_SIGNAL_MASK;
1096 goto fail_child;
1097 }
1098
1099 if (idle_pipe) {
1100 if (idle_pipe[1] >= 0)
1101 close_nointr_nofail(idle_pipe[1]);
1102 if (idle_pipe[0] >= 0) {
1103 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1104 close_nointr_nofail(idle_pipe[0]);
1105 }
1106 }
1107
1108 /* Close sockets very early to make sure we don't
1109 * block init reexecution because it cannot bind its
1110 * sockets */
1111 log_forget_fds();
1112 err = close_all_fds(socket_fd >= 0 ? &socket_fd : fds,
1113 socket_fd >= 0 ? 1 : n_fds);
1114 if (err < 0) {
1115 r = EXIT_FDS;
1116 goto fail_child;
1117 }
1118
1119 if (!context->same_pgrp)
1120 if (setsid() < 0) {
1121 err = -errno;
1122 r = EXIT_SETSID;
1123 goto fail_child;
1124 }
1125
1126 if (context->tcpwrap_name) {
1127 if (socket_fd >= 0)
1128 if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) {
1129 err = -EACCES;
1130 r = EXIT_TCPWRAP;
1131 goto fail_child;
1132 }
1133
1134 for (i = 0; i < (int) n_fds; i++) {
1135 if (!socket_tcpwrap(fds[i], context->tcpwrap_name)) {
1136 err = -EACCES;
1137 r = EXIT_TCPWRAP;
1138 goto fail_child;
1139 }
1140 }
1141 }
1142
1143 exec_context_tty_reset(context);
1144
1145 if (confirm_spawn) {
1146 char response;
1147
1148 err = ask_for_confirmation(&response, argv);
1149 if (err == -ETIMEDOUT)
1150 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
1151 else if (err < 0)
1152 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-err));
1153 else if (response == 's') {
1154 write_confirm_message("Skipping execution.\n");
1155 err = -ECANCELED;
1156 r = EXIT_CONFIRM;
1157 goto fail_child;
1158 } else if (response == 'n') {
1159 write_confirm_message("Failing execution.\n");
1160 err = r = 0;
1161 goto fail_child;
1162 }
1163 }
1164
1165 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1166 * must sure to drop O_NONBLOCK */
1167 if (socket_fd >= 0)
1168 fd_nonblock(socket_fd, false);
1169
1170 err = setup_input(context, socket_fd, apply_tty_stdin);
1171 if (err < 0) {
1172 r = EXIT_STDIN;
1173 goto fail_child;
1174 }
1175
1176 err = setup_output(context, STDOUT_FILENO, socket_fd, path_get_file_name(command->path), unit_id, apply_tty_stdin);
1177 if (err < 0) {
1178 r = EXIT_STDOUT;
1179 goto fail_child;
1180 }
1181
1182 err = setup_output(context, STDERR_FILENO, socket_fd, path_get_file_name(command->path), unit_id, apply_tty_stdin);
1183 if (err < 0) {
1184 r = EXIT_STDERR;
1185 goto fail_child;
1186 }
1187
1188 if (cgroup_bondings) {
1189 err = cgroup_bonding_install_list(cgroup_bondings, 0, cgroup_suffix);
1190 if (err < 0) {
1191 r = EXIT_CGROUP;
1192 goto fail_child;
1193 }
1194 }
1195
1196 if (context->oom_score_adjust_set) {
1197 char t[16];
1198
1199 snprintf(t, sizeof(t), "%i", context->oom_score_adjust);
1200 char_array_0(t);
1201
1202 if (write_string_file("/proc/self/oom_score_adj", t) < 0) {
1203 err = -errno;
1204 r = EXIT_OOM_ADJUST;
1205 goto fail_child;
1206 }
1207 }
1208
1209 if (context->nice_set)
1210 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
1211 err = -errno;
1212 r = EXIT_NICE;
1213 goto fail_child;
1214 }
1215
1216 if (context->cpu_sched_set) {
1217 struct sched_param param = {
1218 .sched_priority = context->cpu_sched_priority,
1219 };
1220
1221 r = sched_setscheduler(0,
1222 context->cpu_sched_policy |
1223 (context->cpu_sched_reset_on_fork ?
1224 SCHED_RESET_ON_FORK : 0),
1225 &param);
1226 if (r < 0) {
1227 err = -errno;
1228 r = EXIT_SETSCHEDULER;
1229 goto fail_child;
1230 }
1231 }
1232
1233 if (context->cpuset)
1234 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
1235 err = -errno;
1236 r = EXIT_CPUAFFINITY;
1237 goto fail_child;
1238 }
1239
1240 if (context->ioprio_set)
1241 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
1242 err = -errno;
1243 r = EXIT_IOPRIO;
1244 goto fail_child;
1245 }
1246
1247 if (context->timer_slack_nsec != (nsec_t) -1)
1248 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
1249 err = -errno;
1250 r = EXIT_TIMERSLACK;
1251 goto fail_child;
1252 }
1253
1254 if (context->utmp_id)
1255 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path);
1256
1257 if (context->user) {
1258 username = context->user;
1259 err = get_user_creds(&username, &uid, &gid, &home, NULL);
1260 if (err < 0) {
1261 r = EXIT_USER;
1262 goto fail_child;
1263 }
1264
1265 if (is_terminal_input(context->std_input)) {
1266 err = chown_terminal(STDIN_FILENO, uid);
1267 if (err < 0) {
1268 r = EXIT_STDIN;
1269 goto fail_child;
1270 }
1271 }
1272
1273 if (cgroup_bondings && context->control_group_modify) {
1274 err = cgroup_bonding_set_group_access_list(cgroup_bondings, 0755, uid, gid);
1275 if (err >= 0)
1276 err = cgroup_bonding_set_task_access_list(
1277 cgroup_bondings,
1278 0644,
1279 uid,
1280 gid,
1281 context->control_group_persistent);
1282 if (err < 0) {
1283 r = EXIT_CGROUP;
1284 goto fail_child;
1285 }
1286
1287 set_access = true;
1288 }
1289 }
1290
1291 if (cgroup_bondings && !set_access && context->control_group_persistent >= 0) {
1292 err = cgroup_bonding_set_task_access_list(
1293 cgroup_bondings,
1294 (mode_t) -1,
1295 (uid_t) -1,
1296 (uid_t) -1,
1297 context->control_group_persistent);
1298 if (err < 0) {
1299 r = EXIT_CGROUP;
1300 goto fail_child;
1301 }
1302 }
1303
1304 if (apply_permissions) {
1305 err = enforce_groups(context, username, gid);
1306 if (err < 0) {
1307 r = EXIT_GROUP;
1308 goto fail_child;
1309 }
1310 }
1311
1312 umask(context->umask);
1313
1314 #ifdef HAVE_PAM
1315 if (apply_permissions && context->pam_name && username) {
1316 err = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
1317 if (err < 0) {
1318 r = EXIT_PAM;
1319 goto fail_child;
1320 }
1321 }
1322 #endif
1323 if (context->private_network) {
1324 if (unshare(CLONE_NEWNET) < 0) {
1325 err = -errno;
1326 r = EXIT_NETWORK;
1327 goto fail_child;
1328 }
1329
1330 loopback_setup();
1331 }
1332
1333 if (strv_length(context->read_write_dirs) > 0 ||
1334 strv_length(context->read_only_dirs) > 0 ||
1335 strv_length(context->inaccessible_dirs) > 0 ||
1336 context->mount_flags != 0 ||
1337 context->private_tmp) {
1338 err = setup_namespace(context->read_write_dirs,
1339 context->read_only_dirs,
1340 context->inaccessible_dirs,
1341 context->tmp_dir,
1342 context->var_tmp_dir,
1343 context->private_tmp,
1344 context->mount_flags);
1345 if (err < 0) {
1346 r = EXIT_NAMESPACE;
1347 goto fail_child;
1348 }
1349 }
1350
1351 if (apply_chroot) {
1352 if (context->root_directory)
1353 if (chroot(context->root_directory) < 0) {
1354 err = -errno;
1355 r = EXIT_CHROOT;
1356 goto fail_child;
1357 }
1358
1359 if (chdir(context->working_directory ? context->working_directory : "/") < 0) {
1360 err = -errno;
1361 r = EXIT_CHDIR;
1362 goto fail_child;
1363 }
1364 } else {
1365 char _cleanup_free_ *d = NULL;
1366
1367 if (asprintf(&d, "%s/%s",
1368 context->root_directory ? context->root_directory : "",
1369 context->working_directory ? context->working_directory : "") < 0) {
1370 err = -ENOMEM;
1371 r = EXIT_MEMORY;
1372 goto fail_child;
1373 }
1374
1375 if (chdir(d) < 0) {
1376 err = -errno;
1377 r = EXIT_CHDIR;
1378 goto fail_child;
1379 }
1380 }
1381
1382 /* We repeat the fd closing here, to make sure that
1383 * nothing is leaked from the PAM modules */
1384 err = close_all_fds(fds, n_fds);
1385 if (err >= 0)
1386 err = shift_fds(fds, n_fds);
1387 if (err >= 0)
1388 err = flags_fds(fds, n_fds, context->non_blocking);
1389 if (err < 0) {
1390 r = EXIT_FDS;
1391 goto fail_child;
1392 }
1393
1394 if (apply_permissions) {
1395
1396 for (i = 0; i < RLIMIT_NLIMITS; i++) {
1397 if (!context->rlimit[i])
1398 continue;
1399
1400 if (setrlimit_closest(i, context->rlimit[i]) < 0) {
1401 err = -errno;
1402 r = EXIT_LIMITS;
1403 goto fail_child;
1404 }
1405 }
1406
1407 if (context->capability_bounding_set_drop) {
1408 err = capability_bounding_set_drop(context->capability_bounding_set_drop, false);
1409 if (err < 0) {
1410 r = EXIT_CAPABILITIES;
1411 goto fail_child;
1412 }
1413 }
1414
1415 if (context->user) {
1416 err = enforce_user(context, uid);
1417 if (err < 0) {
1418 r = EXIT_USER;
1419 goto fail_child;
1420 }
1421 }
1422
1423 /* PR_GET_SECUREBITS is not privileged, while
1424 * PR_SET_SECUREBITS is. So to suppress
1425 * potential EPERMs we'll try not to call
1426 * PR_SET_SECUREBITS unless necessary. */
1427 if (prctl(PR_GET_SECUREBITS) != context->secure_bits)
1428 if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
1429 err = -errno;
1430 r = EXIT_SECUREBITS;
1431 goto fail_child;
1432 }
1433
1434 if (context->capabilities)
1435 if (cap_set_proc(context->capabilities) < 0) {
1436 err = -errno;
1437 r = EXIT_CAPABILITIES;
1438 goto fail_child;
1439 }
1440
1441 if (context->no_new_privileges)
1442 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
1443 err = -errno;
1444 r = EXIT_NO_NEW_PRIVILEGES;
1445 goto fail_child;
1446 }
1447
1448 if (context->syscall_filter) {
1449 err = apply_seccomp(context->syscall_filter);
1450 if (err < 0) {
1451 r = EXIT_SECCOMP;
1452 goto fail_child;
1453 }
1454 }
1455 }
1456
1457 our_env = new0(char*, 7);
1458 if (!our_env) {
1459 err = -ENOMEM;
1460 r = EXIT_MEMORY;
1461 goto fail_child;
1462 }
1463
1464 if (n_fds > 0)
1465 if (asprintf(our_env + n_env++, "LISTEN_PID=%lu", (unsigned long) getpid()) < 0 ||
1466 asprintf(our_env + n_env++, "LISTEN_FDS=%u", n_fds) < 0) {
1467 err = -ENOMEM;
1468 r = EXIT_MEMORY;
1469 goto fail_child;
1470 }
1471
1472 if (home)
1473 if (asprintf(our_env + n_env++, "HOME=%s", home) < 0) {
1474 err = -ENOMEM;
1475 r = EXIT_MEMORY;
1476 goto fail_child;
1477 }
1478
1479 if (username)
1480 if (asprintf(our_env + n_env++, "LOGNAME=%s", username) < 0 ||
1481 asprintf(our_env + n_env++, "USER=%s", username) < 0) {
1482 err = -ENOMEM;
1483 r = EXIT_MEMORY;
1484 goto fail_child;
1485 }
1486
1487 if (is_terminal_input(context->std_input) ||
1488 context->std_output == EXEC_OUTPUT_TTY ||
1489 context->std_error == EXEC_OUTPUT_TTY)
1490 if (!(our_env[n_env++] = strdup(default_term_for_tty(tty_path(context))))) {
1491 err = -ENOMEM;
1492 r = EXIT_MEMORY;
1493 goto fail_child;
1494 }
1495
1496 assert(n_env <= 7);
1497
1498 final_env = strv_env_merge(5,
1499 environment,
1500 our_env,
1501 context->environment,
1502 files_env,
1503 pam_env,
1504 NULL);
1505 if (!final_env) {
1506 err = -ENOMEM;
1507 r = EXIT_MEMORY;
1508 goto fail_child;
1509 }
1510
1511 final_argv = replace_env_argv(argv, final_env);
1512 if (!final_argv) {
1513 err = -ENOMEM;
1514 r = EXIT_MEMORY;
1515 goto fail_child;
1516 }
1517
1518 final_env = strv_env_clean(final_env);
1519
1520 if (_unlikely_(log_get_max_level() >= LOG_PRI(LOG_DEBUG))) {
1521 line = exec_command_line(final_argv);
1522 if (line) {
1523 log_open();
1524 log_struct_unit(LOG_DEBUG,
1525 unit_id,
1526 "EXECUTABLE=%s", command->path,
1527 "MESSAGE=Executing: %s", line,
1528 NULL);
1529 log_close();
1530 free(line);
1531 line = NULL;
1532 }
1533 }
1534 execve(command->path, final_argv, final_env);
1535 err = -errno;
1536 r = EXIT_EXEC;
1537
1538 fail_child:
1539 if (r != 0) {
1540 log_open();
1541 log_struct(LOG_ERR, MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
1542 "EXECUTABLE=%s", command->path,
1543 "MESSAGE=Failed at step %s spawning %s: %s",
1544 exit_status_to_string(r, EXIT_STATUS_SYSTEMD),
1545 command->path, strerror(-err),
1546 "ERRNO=%d", -err,
1547 NULL);
1548 log_close();
1549 }
1550
1551 _exit(r);
1552 }
1553
1554 log_struct_unit(LOG_DEBUG,
1555 unit_id,
1556 "MESSAGE=Forked %s as %lu",
1557 command->path, (unsigned long) pid,
1558 NULL);
1559
1560 /* We add the new process to the cgroup both in the child (so
1561 * that we can be sure that no user code is ever executed
1562 * outside of the cgroup) and in the parent (so that we can be
1563 * sure that when we kill the cgroup the process will be
1564 * killed too). */
1565 cgroup_bonding_install_list(cgroup_bondings, pid, cgroup_suffix);
1566
1567 exec_status_start(&command->exec_status, pid);
1568
1569 *ret = pid;
1570 return 0;
1571 }
1572
1573 void exec_context_init(ExecContext *c) {
1574 assert(c);
1575
1576 c->umask = 0022;
1577 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
1578 c->cpu_sched_policy = SCHED_OTHER;
1579 c->syslog_priority = LOG_DAEMON|LOG_INFO;
1580 c->syslog_level_prefix = true;
1581 c->control_group_persistent = -1;
1582 c->ignore_sigpipe = true;
1583 c->timer_slack_nsec = (nsec_t) -1;
1584 }
1585
1586 void exec_context_tmp_dirs_done(ExecContext *c) {
1587 char* dirs[] = {c->tmp_dir ? c->tmp_dir : c->var_tmp_dir,
1588 c->tmp_dir ? c->var_tmp_dir : NULL,
1589 NULL};
1590 char **dirp;
1591
1592 for(dirp = dirs; *dirp; dirp++) {
1593 char *dir;
1594 int r;
1595
1596 r = rm_rf_dangerous(*dirp, false, true, false);
1597 dir = dirname(*dirp);
1598 if (r < 0)
1599 log_warning("Failed to remove content of temporary directory %s: %s",
1600 dir, strerror(-r));
1601 else {
1602 r = rmdir(dir);
1603 if (r < 0)
1604 log_warning("Failed to remove temporary directory %s: %s",
1605 dir, strerror(-r));
1606 }
1607
1608 free(*dirp);
1609 }
1610
1611 c->tmp_dir = c->var_tmp_dir = NULL;
1612 }
1613
1614 void exec_context_done(ExecContext *c, bool reloading_or_reexecuting) {
1615 unsigned l;
1616
1617 assert(c);
1618
1619 strv_free(c->environment);
1620 c->environment = NULL;
1621
1622 strv_free(c->environment_files);
1623 c->environment_files = NULL;
1624
1625 for (l = 0; l < ELEMENTSOF(c->rlimit); l++) {
1626 free(c->rlimit[l]);
1627 c->rlimit[l] = NULL;
1628 }
1629
1630 free(c->working_directory);
1631 c->working_directory = NULL;
1632 free(c->root_directory);
1633 c->root_directory = NULL;
1634
1635 free(c->tty_path);
1636 c->tty_path = NULL;
1637
1638 free(c->tcpwrap_name);
1639 c->tcpwrap_name = NULL;
1640
1641 free(c->syslog_identifier);
1642 c->syslog_identifier = NULL;
1643
1644 free(c->user);
1645 c->user = NULL;
1646
1647 free(c->group);
1648 c->group = NULL;
1649
1650 strv_free(c->supplementary_groups);
1651 c->supplementary_groups = NULL;
1652
1653 free(c->pam_name);
1654 c->pam_name = NULL;
1655
1656 if (c->capabilities) {
1657 cap_free(c->capabilities);
1658 c->capabilities = NULL;
1659 }
1660
1661 strv_free(c->read_only_dirs);
1662 c->read_only_dirs = NULL;
1663
1664 strv_free(c->read_write_dirs);
1665 c->read_write_dirs = NULL;
1666
1667 strv_free(c->inaccessible_dirs);
1668 c->inaccessible_dirs = NULL;
1669
1670 if (c->cpuset)
1671 CPU_FREE(c->cpuset);
1672
1673 free(c->utmp_id);
1674 c->utmp_id = NULL;
1675
1676 free(c->syscall_filter);
1677 c->syscall_filter = NULL;
1678
1679 if (!reloading_or_reexecuting)
1680 exec_context_tmp_dirs_done(c);
1681 }
1682
1683 void exec_command_done(ExecCommand *c) {
1684 assert(c);
1685
1686 free(c->path);
1687 c->path = NULL;
1688
1689 strv_free(c->argv);
1690 c->argv = NULL;
1691 }
1692
1693 void exec_command_done_array(ExecCommand *c, unsigned n) {
1694 unsigned i;
1695
1696 for (i = 0; i < n; i++)
1697 exec_command_done(c+i);
1698 }
1699
1700 void exec_command_free_list(ExecCommand *c) {
1701 ExecCommand *i;
1702
1703 while ((i = c)) {
1704 LIST_REMOVE(ExecCommand, command, c, i);
1705 exec_command_done(i);
1706 free(i);
1707 }
1708 }
1709
1710 void exec_command_free_array(ExecCommand **c, unsigned n) {
1711 unsigned i;
1712
1713 for (i = 0; i < n; i++) {
1714 exec_command_free_list(c[i]);
1715 c[i] = NULL;
1716 }
1717 }
1718
1719 int exec_context_load_environment(const ExecContext *c, char ***l) {
1720 char **i, **r = NULL;
1721
1722 assert(c);
1723 assert(l);
1724
1725 STRV_FOREACH(i, c->environment_files) {
1726 char *fn;
1727 int k;
1728 bool ignore = false;
1729 char **p;
1730 glob_t _cleanup_globfree_ pglob = {};
1731 int count, n;
1732
1733 fn = *i;
1734
1735 if (fn[0] == '-') {
1736 ignore = true;
1737 fn ++;
1738 }
1739
1740 if (!path_is_absolute(fn)) {
1741 if (ignore)
1742 continue;
1743
1744 strv_free(r);
1745 return -EINVAL;
1746 }
1747
1748 /* Filename supports globbing, take all matching files */
1749 errno = 0;
1750 if (glob(fn, 0, NULL, &pglob) != 0) {
1751 if (ignore)
1752 continue;
1753
1754 strv_free(r);
1755 return errno ? -errno : -EINVAL;
1756 }
1757 count = pglob.gl_pathc;
1758 if (count == 0) {
1759 if (ignore)
1760 continue;
1761
1762 strv_free(r);
1763 return -EINVAL;
1764 }
1765 for (n = 0; n < count; n++) {
1766 k = load_env_file(pglob.gl_pathv[n], NULL, &p);
1767 if (k < 0) {
1768 if (ignore)
1769 continue;
1770
1771 strv_free(r);
1772 return k;
1773 }
1774 /* Log invalid environment variables with filename */
1775 if (p)
1776 p = strv_env_clean_log(p, pglob.gl_pathv[n]);
1777
1778 if (r == NULL)
1779 r = p;
1780 else {
1781 char **m;
1782
1783 m = strv_env_merge(2, r, p);
1784 strv_free(r);
1785 strv_free(p);
1786 if (!m)
1787 return -ENOMEM;
1788
1789 r = m;
1790 }
1791 }
1792 }
1793
1794 *l = r;
1795
1796 return 0;
1797 }
1798
1799 static bool tty_may_match_dev_console(const char *tty) {
1800 char *active = NULL, *console;
1801 bool b;
1802
1803 if (startswith(tty, "/dev/"))
1804 tty += 5;
1805
1806 /* trivial identity? */
1807 if (streq(tty, "console"))
1808 return true;
1809
1810 console = resolve_dev_console(&active);
1811 /* if we could not resolve, assume it may */
1812 if (!console)
1813 return true;
1814
1815 /* "tty0" means the active VC, so it may be the same sometimes */
1816 b = streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
1817 free(active);
1818
1819 return b;
1820 }
1821
1822 bool exec_context_may_touch_console(ExecContext *ec) {
1823 return (ec->tty_reset || ec->tty_vhangup || ec->tty_vt_disallocate ||
1824 is_terminal_input(ec->std_input) ||
1825 is_terminal_output(ec->std_output) ||
1826 is_terminal_output(ec->std_error)) &&
1827 tty_may_match_dev_console(tty_path(ec));
1828 }
1829
1830 static void strv_fprintf(FILE *f, char **l) {
1831 char **g;
1832
1833 assert(f);
1834
1835 STRV_FOREACH(g, l)
1836 fprintf(f, " %s", *g);
1837 }
1838
1839 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
1840 char ** e;
1841 unsigned i;
1842
1843 assert(c);
1844 assert(f);
1845
1846 if (!prefix)
1847 prefix = "";
1848
1849 fprintf(f,
1850 "%sUMask: %04o\n"
1851 "%sWorkingDirectory: %s\n"
1852 "%sRootDirectory: %s\n"
1853 "%sNonBlocking: %s\n"
1854 "%sPrivateTmp: %s\n"
1855 "%sControlGroupModify: %s\n"
1856 "%sControlGroupPersistent: %s\n"
1857 "%sPrivateNetwork: %s\n"
1858 "%sIgnoreSIGPIPE: %s\n",
1859 prefix, c->umask,
1860 prefix, c->working_directory ? c->working_directory : "/",
1861 prefix, c->root_directory ? c->root_directory : "/",
1862 prefix, yes_no(c->non_blocking),
1863 prefix, yes_no(c->private_tmp),
1864 prefix, yes_no(c->control_group_modify),
1865 prefix, yes_no(c->control_group_persistent),
1866 prefix, yes_no(c->private_network),
1867 prefix, yes_no(c->ignore_sigpipe));
1868
1869 STRV_FOREACH(e, c->environment)
1870 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
1871
1872 STRV_FOREACH(e, c->environment_files)
1873 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
1874
1875 if (c->tcpwrap_name)
1876 fprintf(f,
1877 "%sTCPWrapName: %s\n",
1878 prefix, c->tcpwrap_name);
1879
1880 if (c->nice_set)
1881 fprintf(f,
1882 "%sNice: %i\n",
1883 prefix, c->nice);
1884
1885 if (c->oom_score_adjust_set)
1886 fprintf(f,
1887 "%sOOMScoreAdjust: %i\n",
1888 prefix, c->oom_score_adjust);
1889
1890 for (i = 0; i < RLIM_NLIMITS; i++)
1891 if (c->rlimit[i])
1892 fprintf(f, "%s%s: %llu\n", prefix, rlimit_to_string(i), (unsigned long long) c->rlimit[i]->rlim_max);
1893
1894 if (c->ioprio_set) {
1895 char *class_str;
1896 int r;
1897
1898 r = ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
1899 if (r < 0)
1900 class_str = NULL;
1901 fprintf(f,
1902 "%sIOSchedulingClass: %s\n"
1903 "%sIOPriority: %i\n",
1904 prefix, strna(class_str),
1905 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
1906 free(class_str);
1907 }
1908
1909 if (c->cpu_sched_set) {
1910 char *policy_str;
1911 int r;
1912
1913 r = sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
1914 if (r < 0)
1915 policy_str = NULL;
1916 fprintf(f,
1917 "%sCPUSchedulingPolicy: %s\n"
1918 "%sCPUSchedulingPriority: %i\n"
1919 "%sCPUSchedulingResetOnFork: %s\n",
1920 prefix, strna(policy_str),
1921 prefix, c->cpu_sched_priority,
1922 prefix, yes_no(c->cpu_sched_reset_on_fork));
1923 free(policy_str);
1924 }
1925
1926 if (c->cpuset) {
1927 fprintf(f, "%sCPUAffinity:", prefix);
1928 for (i = 0; i < c->cpuset_ncpus; i++)
1929 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
1930 fprintf(f, " %i", i);
1931 fputs("\n", f);
1932 }
1933
1934 if (c->timer_slack_nsec != (nsec_t) -1)
1935 fprintf(f, "%sTimerSlackNSec: %lu\n", prefix, (unsigned long)c->timer_slack_nsec);
1936
1937 fprintf(f,
1938 "%sStandardInput: %s\n"
1939 "%sStandardOutput: %s\n"
1940 "%sStandardError: %s\n",
1941 prefix, exec_input_to_string(c->std_input),
1942 prefix, exec_output_to_string(c->std_output),
1943 prefix, exec_output_to_string(c->std_error));
1944
1945 if (c->tty_path)
1946 fprintf(f,
1947 "%sTTYPath: %s\n"
1948 "%sTTYReset: %s\n"
1949 "%sTTYVHangup: %s\n"
1950 "%sTTYVTDisallocate: %s\n",
1951 prefix, c->tty_path,
1952 prefix, yes_no(c->tty_reset),
1953 prefix, yes_no(c->tty_vhangup),
1954 prefix, yes_no(c->tty_vt_disallocate));
1955
1956 if (c->std_output == EXEC_OUTPUT_SYSLOG || c->std_output == EXEC_OUTPUT_KMSG || c->std_output == EXEC_OUTPUT_JOURNAL ||
1957 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE || c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE || c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
1958 c->std_error == EXEC_OUTPUT_SYSLOG || c->std_error == EXEC_OUTPUT_KMSG || c->std_error == EXEC_OUTPUT_JOURNAL ||
1959 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE || c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE || c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
1960 char *fac_str, *lvl_str;
1961 int r;
1962
1963 r = log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
1964 if (r < 0)
1965 fac_str = NULL;
1966
1967 r = log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
1968 if (r < 0)
1969 lvl_str = NULL;
1970
1971 fprintf(f,
1972 "%sSyslogFacility: %s\n"
1973 "%sSyslogLevel: %s\n",
1974 prefix, strna(fac_str),
1975 prefix, strna(lvl_str));
1976 free(lvl_str);
1977 free(fac_str);
1978 }
1979
1980 if (c->capabilities) {
1981 char *t;
1982 if ((t = cap_to_text(c->capabilities, NULL))) {
1983 fprintf(f, "%sCapabilities: %s\n",
1984 prefix, t);
1985 cap_free(t);
1986 }
1987 }
1988
1989 if (c->secure_bits)
1990 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
1991 prefix,
1992 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
1993 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
1994 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
1995 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
1996 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
1997 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
1998
1999 if (c->capability_bounding_set_drop) {
2000 unsigned long l;
2001 fprintf(f, "%sCapabilityBoundingSet:", prefix);
2002
2003 for (l = 0; l <= cap_last_cap(); l++)
2004 if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) {
2005 char *t;
2006
2007 if ((t = cap_to_name(l))) {
2008 fprintf(f, " %s", t);
2009 cap_free(t);
2010 }
2011 }
2012
2013 fputs("\n", f);
2014 }
2015
2016 if (c->user)
2017 fprintf(f, "%sUser: %s\n", prefix, c->user);
2018 if (c->group)
2019 fprintf(f, "%sGroup: %s\n", prefix, c->group);
2020
2021 if (strv_length(c->supplementary_groups) > 0) {
2022 fprintf(f, "%sSupplementaryGroups:", prefix);
2023 strv_fprintf(f, c->supplementary_groups);
2024 fputs("\n", f);
2025 }
2026
2027 if (c->pam_name)
2028 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
2029
2030 if (strv_length(c->read_write_dirs) > 0) {
2031 fprintf(f, "%sReadWriteDirs:", prefix);
2032 strv_fprintf(f, c->read_write_dirs);
2033 fputs("\n", f);
2034 }
2035
2036 if (strv_length(c->read_only_dirs) > 0) {
2037 fprintf(f, "%sReadOnlyDirs:", prefix);
2038 strv_fprintf(f, c->read_only_dirs);
2039 fputs("\n", f);
2040 }
2041
2042 if (strv_length(c->inaccessible_dirs) > 0) {
2043 fprintf(f, "%sInaccessibleDirs:", prefix);
2044 strv_fprintf(f, c->inaccessible_dirs);
2045 fputs("\n", f);
2046 }
2047
2048 if (c->utmp_id)
2049 fprintf(f,
2050 "%sUtmpIdentifier: %s\n",
2051 prefix, c->utmp_id);
2052 }
2053
2054 void exec_status_start(ExecStatus *s, pid_t pid) {
2055 assert(s);
2056
2057 zero(*s);
2058 s->pid = pid;
2059 dual_timestamp_get(&s->start_timestamp);
2060 }
2061
2062 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
2063 assert(s);
2064
2065 if (s->pid && s->pid != pid)
2066 zero(*s);
2067
2068 s->pid = pid;
2069 dual_timestamp_get(&s->exit_timestamp);
2070
2071 s->code = code;
2072 s->status = status;
2073
2074 if (context) {
2075 if (context->utmp_id)
2076 utmp_put_dead_process(context->utmp_id, pid, code, status);
2077
2078 exec_context_tty_reset(context);
2079 }
2080 }
2081
2082 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
2083 char buf[FORMAT_TIMESTAMP_MAX];
2084
2085 assert(s);
2086 assert(f);
2087
2088 if (!prefix)
2089 prefix = "";
2090
2091 if (s->pid <= 0)
2092 return;
2093
2094 fprintf(f,
2095 "%sPID: %lu\n",
2096 prefix, (unsigned long) s->pid);
2097
2098 if (s->start_timestamp.realtime > 0)
2099 fprintf(f,
2100 "%sStart Timestamp: %s\n",
2101 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
2102
2103 if (s->exit_timestamp.realtime > 0)
2104 fprintf(f,
2105 "%sExit Timestamp: %s\n"
2106 "%sExit Code: %s\n"
2107 "%sExit Status: %i\n",
2108 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
2109 prefix, sigchld_code_to_string(s->code),
2110 prefix, s->status);
2111 }
2112
2113 char *exec_command_line(char **argv) {
2114 size_t k;
2115 char *n, *p, **a;
2116 bool first = true;
2117
2118 assert(argv);
2119
2120 k = 1;
2121 STRV_FOREACH(a, argv)
2122 k += strlen(*a)+3;
2123
2124 if (!(n = new(char, k)))
2125 return NULL;
2126
2127 p = n;
2128 STRV_FOREACH(a, argv) {
2129
2130 if (!first)
2131 *(p++) = ' ';
2132 else
2133 first = false;
2134
2135 if (strpbrk(*a, WHITESPACE)) {
2136 *(p++) = '\'';
2137 p = stpcpy(p, *a);
2138 *(p++) = '\'';
2139 } else
2140 p = stpcpy(p, *a);
2141
2142 }
2143
2144 *p = 0;
2145
2146 /* FIXME: this doesn't really handle arguments that have
2147 * spaces and ticks in them */
2148
2149 return n;
2150 }
2151
2152 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
2153 char *p2;
2154 const char *prefix2;
2155
2156 char *cmd;
2157
2158 assert(c);
2159 assert(f);
2160
2161 if (!prefix)
2162 prefix = "";
2163 p2 = strappend(prefix, "\t");
2164 prefix2 = p2 ? p2 : prefix;
2165
2166 cmd = exec_command_line(c->argv);
2167
2168 fprintf(f,
2169 "%sCommand Line: %s\n",
2170 prefix, cmd ? cmd : strerror(ENOMEM));
2171
2172 free(cmd);
2173
2174 exec_status_dump(&c->exec_status, f, prefix2);
2175
2176 free(p2);
2177 }
2178
2179 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2180 assert(f);
2181
2182 if (!prefix)
2183 prefix = "";
2184
2185 LIST_FOREACH(command, c, c)
2186 exec_command_dump(c, f, prefix);
2187 }
2188
2189 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
2190 ExecCommand *end;
2191
2192 assert(l);
2193 assert(e);
2194
2195 if (*l) {
2196 /* It's kind of important, that we keep the order here */
2197 LIST_FIND_TAIL(ExecCommand, command, *l, end);
2198 LIST_INSERT_AFTER(ExecCommand, command, *l, end, e);
2199 } else
2200 *l = e;
2201 }
2202
2203 int exec_command_set(ExecCommand *c, const char *path, ...) {
2204 va_list ap;
2205 char **l, *p;
2206
2207 assert(c);
2208 assert(path);
2209
2210 va_start(ap, path);
2211 l = strv_new_ap(path, ap);
2212 va_end(ap);
2213
2214 if (!l)
2215 return -ENOMEM;
2216
2217 if (!(p = strdup(path))) {
2218 strv_free(l);
2219 return -ENOMEM;
2220 }
2221
2222 free(c->path);
2223 c->path = p;
2224
2225 strv_free(c->argv);
2226 c->argv = l;
2227
2228 return 0;
2229 }
2230
2231 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
2232 [EXEC_INPUT_NULL] = "null",
2233 [EXEC_INPUT_TTY] = "tty",
2234 [EXEC_INPUT_TTY_FORCE] = "tty-force",
2235 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
2236 [EXEC_INPUT_SOCKET] = "socket"
2237 };
2238
2239 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
2240
2241 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
2242 [EXEC_OUTPUT_INHERIT] = "inherit",
2243 [EXEC_OUTPUT_NULL] = "null",
2244 [EXEC_OUTPUT_TTY] = "tty",
2245 [EXEC_OUTPUT_SYSLOG] = "syslog",
2246 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
2247 [EXEC_OUTPUT_KMSG] = "kmsg",
2248 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
2249 [EXEC_OUTPUT_JOURNAL] = "journal",
2250 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
2251 [EXEC_OUTPUT_SOCKET] = "socket"
2252 };
2253
2254 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
Unnamed repository; edit this file 'description' to name the repository.