]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/execute.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
securebits-util: add secure_bits_{from_string,to_string_alloc}()
[thirdparty/systemd.git] / src / core / execute.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <errno.h>
21 #include <fcntl.h>
22 #include <glob.h>
23 #include <grp.h>
24 #include <poll.h>
25 #include <signal.h>
26 #include <string.h>
27 #include <sys/capability.h>
28 #include <sys/eventfd.h>
29 #include <sys/mman.h>
30 #include <sys/personality.h>
31 #include <sys/prctl.h>
32 #include <sys/shm.h>
33 #include <sys/socket.h>
34 #include <sys/stat.h>
35 #include <sys/types.h>
36 #include <sys/un.h>
37 #include <unistd.h>
38 #include <utmpx.h>
39
40 #ifdef HAVE_PAM
41 #include <security/pam_appl.h>
42 #endif
43
44 #ifdef HAVE_SELINUX
45 #include <selinux/selinux.h>
46 #endif
47
48 #ifdef HAVE_SECCOMP
49 #include <seccomp.h>
50 #endif
51
52 #ifdef HAVE_APPARMOR
53 #include <sys/apparmor.h>
54 #endif
55
56 #include "sd-messages.h"
57
58 #include "af-list.h"
59 #include "alloc-util.h"
60 #ifdef HAVE_APPARMOR
61 #include "apparmor-util.h"
62 #endif
63 #include "async.h"
64 #include "barrier.h"
65 #include "cap-list.h"
66 #include "capability-util.h"
67 #include "def.h"
68 #include "env-util.h"
69 #include "errno-list.h"
70 #include "execute.h"
71 #include "exit-status.h"
72 #include "fd-util.h"
73 #include "fileio.h"
74 #include "format-util.h"
75 #include "fs-util.h"
76 #include "glob-util.h"
77 #include "io-util.h"
78 #include "ioprio.h"
79 #include "log.h"
80 #include "macro.h"
81 #include "missing.h"
82 #include "mkdir.h"
83 #include "namespace.h"
84 #include "parse-util.h"
85 #include "path-util.h"
86 #include "process-util.h"
87 #include "rlimit-util.h"
88 #include "rm-rf.h"
89 #ifdef HAVE_SECCOMP
90 #include "seccomp-util.h"
91 #endif
92 #include "securebits.h"
93 #include "securebits-util.h"
94 #include "selinux-util.h"
95 #include "signal-util.h"
96 #include "smack-util.h"
97 #include "special.h"
98 #include "string-table.h"
99 #include "string-util.h"
100 #include "strv.h"
101 #include "syslog-util.h"
102 #include "terminal-util.h"
103 #include "unit.h"
104 #include "user-util.h"
105 #include "util.h"
106 #include "utmp-wtmp.h"
107
108 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
109 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
110
111 /* This assumes there is a 'tty' group */
112 #define TTY_MODE 0620
113
114 #define SNDBUF_SIZE (8*1024*1024)
115
116 static int shift_fds(int fds[], unsigned n_fds) {
117 int start, restart_from;
118
119 if (n_fds <= 0)
120 return 0;
121
122 /* Modifies the fds array! (sorts it) */
123
124 assert(fds);
125
126 start = 0;
127 for (;;) {
128 int i;
129
130 restart_from = -1;
131
132 for (i = start; i < (int) n_fds; i++) {
133 int nfd;
134
135 /* Already at right index? */
136 if (fds[i] == i+3)
137 continue;
138
139 nfd = fcntl(fds[i], F_DUPFD, i + 3);
140 if (nfd < 0)
141 return -errno;
142
143 safe_close(fds[i]);
144 fds[i] = nfd;
145
146 /* Hmm, the fd we wanted isn't free? Then
147 * let's remember that and try again from here */
148 if (nfd != i+3 && restart_from < 0)
149 restart_from = i;
150 }
151
152 if (restart_from < 0)
153 break;
154
155 start = restart_from;
156 }
157
158 return 0;
159 }
160
161 static int flags_fds(const int fds[], unsigned n_storage_fds, unsigned n_socket_fds, bool nonblock) {
162 unsigned i, n_fds;
163 int r;
164
165 n_fds = n_storage_fds + n_socket_fds;
166 if (n_fds <= 0)
167 return 0;
168
169 assert(fds);
170
171 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags.
172 * O_NONBLOCK only applies to socket activation though. */
173
174 for (i = 0; i < n_fds; i++) {
175
176 if (i < n_socket_fds) {
177 r = fd_nonblock(fds[i], nonblock);
178 if (r < 0)
179 return r;
180 }
181
182 /* We unconditionally drop FD_CLOEXEC from the fds,
183 * since after all we want to pass these fds to our
184 * children */
185
186 r = fd_cloexec(fds[i], false);
187 if (r < 0)
188 return r;
189 }
190
191 return 0;
192 }
193
194 static const char *exec_context_tty_path(const ExecContext *context) {
195 assert(context);
196
197 if (context->stdio_as_fds)
198 return NULL;
199
200 if (context->tty_path)
201 return context->tty_path;
202
203 return "/dev/console";
204 }
205
206 static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
207 const char *path;
208
209 assert(context);
210
211 path = exec_context_tty_path(context);
212
213 if (context->tty_vhangup) {
214 if (p && p->stdin_fd >= 0)
215 (void) terminal_vhangup_fd(p->stdin_fd);
216 else if (path)
217 (void) terminal_vhangup(path);
218 }
219
220 if (context->tty_reset) {
221 if (p && p->stdin_fd >= 0)
222 (void) reset_terminal_fd(p->stdin_fd, true);
223 else if (path)
224 (void) reset_terminal(path);
225 }
226
227 if (context->tty_vt_disallocate && path)
228 (void) vt_disallocate(path);
229 }
230
231 static bool is_terminal_input(ExecInput i) {
232 return IN_SET(i,
233 EXEC_INPUT_TTY,
234 EXEC_INPUT_TTY_FORCE,
235 EXEC_INPUT_TTY_FAIL);
236 }
237
238 static bool is_terminal_output(ExecOutput o) {
239 return IN_SET(o,
240 EXEC_OUTPUT_TTY,
241 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
242 EXEC_OUTPUT_KMSG_AND_CONSOLE,
243 EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
244 }
245
246 static bool exec_context_needs_term(const ExecContext *c) {
247 assert(c);
248
249 /* Return true if the execution context suggests we should set $TERM to something useful. */
250
251 if (is_terminal_input(c->std_input))
252 return true;
253
254 if (is_terminal_output(c->std_output))
255 return true;
256
257 if (is_terminal_output(c->std_error))
258 return true;
259
260 return !!c->tty_path;
261 }
262
263 static int open_null_as(int flags, int nfd) {
264 int fd, r;
265
266 assert(nfd >= 0);
267
268 fd = open("/dev/null", flags|O_NOCTTY);
269 if (fd < 0)
270 return -errno;
271
272 if (fd != nfd) {
273 r = dup2(fd, nfd) < 0 ? -errno : nfd;
274 safe_close(fd);
275 } else
276 r = nfd;
277
278 return r;
279 }
280
281 static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
282 static const union sockaddr_union sa = {
283 .un.sun_family = AF_UNIX,
284 .un.sun_path = "/run/systemd/journal/stdout",
285 };
286 uid_t olduid = UID_INVALID;
287 gid_t oldgid = GID_INVALID;
288 int r;
289
290 if (gid_is_valid(gid)) {
291 oldgid = getgid();
292
293 if (setegid(gid) < 0)
294 return -errno;
295 }
296
297 if (uid_is_valid(uid)) {
298 olduid = getuid();
299
300 if (seteuid(uid) < 0) {
301 r = -errno;
302 goto restore_gid;
303 }
304 }
305
306 r = connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un)) < 0 ? -errno : 0;
307
308 /* If we fail to restore the uid or gid, things will likely
309 fail later on. This should only happen if an LSM interferes. */
310
311 if (uid_is_valid(uid))
312 (void) seteuid(olduid);
313
314 restore_gid:
315 if (gid_is_valid(gid))
316 (void) setegid(oldgid);
317
318 return r;
319 }
320
321 static int connect_logger_as(
322 Unit *unit,
323 const ExecContext *context,
324 ExecOutput output,
325 const char *ident,
326 int nfd,
327 uid_t uid,
328 gid_t gid) {
329
330 int fd, r;
331
332 assert(context);
333 assert(output < _EXEC_OUTPUT_MAX);
334 assert(ident);
335 assert(nfd >= 0);
336
337 fd = socket(AF_UNIX, SOCK_STREAM, 0);
338 if (fd < 0)
339 return -errno;
340
341 r = connect_journal_socket(fd, uid, gid);
342 if (r < 0)
343 return r;
344
345 if (shutdown(fd, SHUT_RD) < 0) {
346 safe_close(fd);
347 return -errno;
348 }
349
350 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
351
352 dprintf(fd,
353 "%s\n"
354 "%s\n"
355 "%i\n"
356 "%i\n"
357 "%i\n"
358 "%i\n"
359 "%i\n",
360 context->syslog_identifier ?: ident,
361 MANAGER_IS_SYSTEM(unit->manager) ? unit->id : "",
362 context->syslog_priority,
363 !!context->syslog_level_prefix,
364 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
365 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
366 is_terminal_output(output));
367
368 if (fd == nfd)
369 return nfd;
370
371 r = dup2(fd, nfd) < 0 ? -errno : nfd;
372 safe_close(fd);
373
374 return r;
375 }
376 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
377 int fd, r;
378
379 assert(path);
380 assert(nfd >= 0);
381
382 fd = open_terminal(path, mode | O_NOCTTY);
383 if (fd < 0)
384 return fd;
385
386 if (fd != nfd) {
387 r = dup2(fd, nfd) < 0 ? -errno : nfd;
388 safe_close(fd);
389 } else
390 r = nfd;
391
392 return r;
393 }
394
395 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
396
397 if (is_terminal_input(std_input) && !apply_tty_stdin)
398 return EXEC_INPUT_NULL;
399
400 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
401 return EXEC_INPUT_NULL;
402
403 return std_input;
404 }
405
406 static int fixup_output(ExecOutput std_output, int socket_fd) {
407
408 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
409 return EXEC_OUTPUT_INHERIT;
410
411 return std_output;
412 }
413
414 static int setup_input(
415 const ExecContext *context,
416 const ExecParameters *params,
417 int socket_fd,
418 int named_iofds[3]) {
419
420 ExecInput i;
421
422 assert(context);
423 assert(params);
424
425 if (params->stdin_fd >= 0) {
426 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
427 return -errno;
428
429 /* Try to make this the controlling tty, if it is a tty, and reset it */
430 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
431 (void) reset_terminal_fd(STDIN_FILENO, true);
432
433 return STDIN_FILENO;
434 }
435
436 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
437
438 switch (i) {
439
440 case EXEC_INPUT_NULL:
441 return open_null_as(O_RDONLY, STDIN_FILENO);
442
443 case EXEC_INPUT_TTY:
444 case EXEC_INPUT_TTY_FORCE:
445 case EXEC_INPUT_TTY_FAIL: {
446 int fd, r;
447
448 fd = acquire_terminal(exec_context_tty_path(context),
449 i == EXEC_INPUT_TTY_FAIL,
450 i == EXEC_INPUT_TTY_FORCE,
451 false,
452 USEC_INFINITY);
453 if (fd < 0)
454 return fd;
455
456 if (fd != STDIN_FILENO) {
457 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
458 safe_close(fd);
459 } else
460 r = STDIN_FILENO;
461
462 return r;
463 }
464
465 case EXEC_INPUT_SOCKET:
466 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
467
468 case EXEC_INPUT_NAMED_FD:
469 (void) fd_nonblock(named_iofds[STDIN_FILENO], false);
470 return dup2(named_iofds[STDIN_FILENO], STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
471
472 default:
473 assert_not_reached("Unknown input type");
474 }
475 }
476
477 static int setup_output(
478 Unit *unit,
479 const ExecContext *context,
480 const ExecParameters *params,
481 int fileno,
482 int socket_fd,
483 int named_iofds[3],
484 const char *ident,
485 uid_t uid,
486 gid_t gid,
487 dev_t *journal_stream_dev,
488 ino_t *journal_stream_ino) {
489
490 ExecOutput o;
491 ExecInput i;
492 int r;
493
494 assert(unit);
495 assert(context);
496 assert(params);
497 assert(ident);
498 assert(journal_stream_dev);
499 assert(journal_stream_ino);
500
501 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
502
503 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
504 return -errno;
505
506 return STDOUT_FILENO;
507 }
508
509 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
510 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
511 return -errno;
512
513 return STDERR_FILENO;
514 }
515
516 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
517 o = fixup_output(context->std_output, socket_fd);
518
519 if (fileno == STDERR_FILENO) {
520 ExecOutput e;
521 e = fixup_output(context->std_error, socket_fd);
522
523 /* This expects the input and output are already set up */
524
525 /* Don't change the stderr file descriptor if we inherit all
526 * the way and are not on a tty */
527 if (e == EXEC_OUTPUT_INHERIT &&
528 o == EXEC_OUTPUT_INHERIT &&
529 i == EXEC_INPUT_NULL &&
530 !is_terminal_input(context->std_input) &&
531 getppid () != 1)
532 return fileno;
533
534 /* Duplicate from stdout if possible */
535 if ((e == o && e != EXEC_OUTPUT_NAMED_FD) || e == EXEC_OUTPUT_INHERIT)
536 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
537
538 o = e;
539
540 } else if (o == EXEC_OUTPUT_INHERIT) {
541 /* If input got downgraded, inherit the original value */
542 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
543 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
544
545 /* If the input is connected to anything that's not a /dev/null, inherit that... */
546 if (i != EXEC_INPUT_NULL)
547 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
548
549 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
550 if (getppid() != 1)
551 return fileno;
552
553 /* We need to open /dev/null here anew, to get the right access mode. */
554 return open_null_as(O_WRONLY, fileno);
555 }
556
557 switch (o) {
558
559 case EXEC_OUTPUT_NULL:
560 return open_null_as(O_WRONLY, fileno);
561
562 case EXEC_OUTPUT_TTY:
563 if (is_terminal_input(i))
564 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
565
566 /* We don't reset the terminal if this is just about output */
567 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
568
569 case EXEC_OUTPUT_SYSLOG:
570 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
571 case EXEC_OUTPUT_KMSG:
572 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
573 case EXEC_OUTPUT_JOURNAL:
574 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
575 r = connect_logger_as(unit, context, o, ident, fileno, uid, gid);
576 if (r < 0) {
577 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
578 r = open_null_as(O_WRONLY, fileno);
579 } else {
580 struct stat st;
581
582 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
583 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
584 * services to detect whether they are connected to the journal or not. */
585
586 if (fstat(fileno, &st) >= 0) {
587 *journal_stream_dev = st.st_dev;
588 *journal_stream_ino = st.st_ino;
589 }
590 }
591 return r;
592
593 case EXEC_OUTPUT_SOCKET:
594 assert(socket_fd >= 0);
595 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
596
597 case EXEC_OUTPUT_NAMED_FD:
598 (void) fd_nonblock(named_iofds[fileno], false);
599 return dup2(named_iofds[fileno], fileno) < 0 ? -errno : fileno;
600
601 default:
602 assert_not_reached("Unknown error type");
603 }
604 }
605
606 static int chown_terminal(int fd, uid_t uid) {
607 struct stat st;
608
609 assert(fd >= 0);
610
611 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
612 if (isatty(fd) < 1)
613 return 0;
614
615 /* This might fail. What matters are the results. */
616 (void) fchown(fd, uid, -1);
617 (void) fchmod(fd, TTY_MODE);
618
619 if (fstat(fd, &st) < 0)
620 return -errno;
621
622 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
623 return -EPERM;
624
625 return 0;
626 }
627
628 static int setup_confirm_stdio(const char *vc, int *_saved_stdin, int *_saved_stdout) {
629 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
630 int r;
631
632 assert(_saved_stdin);
633 assert(_saved_stdout);
634
635 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
636 if (saved_stdin < 0)
637 return -errno;
638
639 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
640 if (saved_stdout < 0)
641 return -errno;
642
643 fd = acquire_terminal(vc, false, false, false, DEFAULT_CONFIRM_USEC);
644 if (fd < 0)
645 return fd;
646
647 r = chown_terminal(fd, getuid());
648 if (r < 0)
649 return r;
650
651 r = reset_terminal_fd(fd, true);
652 if (r < 0)
653 return r;
654
655 if (dup2(fd, STDIN_FILENO) < 0)
656 return -errno;
657
658 if (dup2(fd, STDOUT_FILENO) < 0)
659 return -errno;
660
661 if (fd >= 2)
662 safe_close(fd);
663 fd = -1;
664
665 *_saved_stdin = saved_stdin;
666 *_saved_stdout = saved_stdout;
667
668 saved_stdin = saved_stdout = -1;
669
670 return 0;
671 }
672
673 static void write_confirm_error_fd(int err, int fd, const Unit *u) {
674 assert(err < 0);
675
676 if (err == -ETIMEDOUT)
677 dprintf(fd, "Confirmation question timed out for %s, assuming positive response.\n", u->id);
678 else {
679 errno = -err;
680 dprintf(fd, "Couldn't ask confirmation for %s: %m, assuming positive response.\n", u->id);
681 }
682 }
683
684 static void write_confirm_error(int err, const char *vc, const Unit *u) {
685 _cleanup_close_ int fd = -1;
686
687 assert(vc);
688
689 fd = open_terminal(vc, O_WRONLY|O_NOCTTY|O_CLOEXEC);
690 if (fd < 0)
691 return;
692
693 write_confirm_error_fd(err, fd, u);
694 }
695
696 static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
697 int r = 0;
698
699 assert(saved_stdin);
700 assert(saved_stdout);
701
702 release_terminal();
703
704 if (*saved_stdin >= 0)
705 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
706 r = -errno;
707
708 if (*saved_stdout >= 0)
709 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
710 r = -errno;
711
712 *saved_stdin = safe_close(*saved_stdin);
713 *saved_stdout = safe_close(*saved_stdout);
714
715 return r;
716 }
717
718 enum {
719 CONFIRM_PRETEND_FAILURE = -1,
720 CONFIRM_PRETEND_SUCCESS = 0,
721 CONFIRM_EXECUTE = 1,
722 };
723
724 static int ask_for_confirmation(const char *vc, Unit *u, const char *cmdline) {
725 int saved_stdout = -1, saved_stdin = -1, r;
726 _cleanup_free_ char *e = NULL;
727 char c;
728
729 /* For any internal errors, assume a positive response. */
730 r = setup_confirm_stdio(vc, &saved_stdin, &saved_stdout);
731 if (r < 0) {
732 write_confirm_error(r, vc, u);
733 return CONFIRM_EXECUTE;
734 }
735
736 /* confirm_spawn might have been disabled while we were sleeping. */
737 if (manager_is_confirm_spawn_disabled(u->manager)) {
738 r = 1;
739 goto restore_stdio;
740 }
741
742 e = ellipsize(cmdline, 60, 100);
743 if (!e) {
744 log_oom();
745 r = CONFIRM_EXECUTE;
746 goto restore_stdio;
747 }
748
749 for (;;) {
750 r = ask_char(&c, "yfshiDjcn", "Execute %s? [y, f, s – h for help] ", e);
751 if (r < 0) {
752 write_confirm_error_fd(r, STDOUT_FILENO, u);
753 r = CONFIRM_EXECUTE;
754 goto restore_stdio;
755 }
756
757 switch (c) {
758 case 'c':
759 printf("Resuming normal execution.\n");
760 manager_disable_confirm_spawn();
761 r = 1;
762 break;
763 case 'D':
764 unit_dump(u, stdout, " ");
765 continue; /* ask again */
766 case 'f':
767 printf("Failing execution.\n");
768 r = CONFIRM_PRETEND_FAILURE;
769 break;
770 case 'h':
771 printf(" c - continue, proceed without asking anymore\n"
772 " D - dump, show the state of the unit\n"
773 " f - fail, don't execute the command and pretend it failed\n"
774 " h - help\n"
775 " i - info, show a short summary of the unit\n"
776 " j - jobs, show jobs that are in progress\n"
777 " s - skip, don't execute the command and pretend it succeeded\n"
778 " y - yes, execute the command\n");
779 continue; /* ask again */
780 case 'i':
781 printf(" Description: %s\n"
782 " Unit: %s\n"
783 " Command: %s\n",
784 u->id, u->description, cmdline);
785 continue; /* ask again */
786 case 'j':
787 manager_dump_jobs(u->manager, stdout, " ");
788 continue; /* ask again */
789 case 'n':
790 /* 'n' was removed in favor of 'f'. */
791 printf("Didn't understand 'n', did you mean 'f'?\n");
792 continue; /* ask again */
793 case 's':
794 printf("Skipping execution.\n");
795 r = CONFIRM_PRETEND_SUCCESS;
796 break;
797 case 'y':
798 r = CONFIRM_EXECUTE;
799 break;
800 default:
801 assert_not_reached("Unhandled choice");
802 }
803 break;
804 }
805
806 restore_stdio:
807 restore_confirm_stdio(&saved_stdin, &saved_stdout);
808 return r;
809 }
810
811 static int get_fixed_user(const ExecContext *c, const char **user,
812 uid_t *uid, gid_t *gid,
813 const char **home, const char **shell) {
814 int r;
815 const char *name;
816
817 assert(c);
818
819 if (!c->user)
820 return 0;
821
822 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
823 * (i.e. are "/" or "/bin/nologin"). */
824
825 name = c->user;
826 r = get_user_creds_clean(&name, uid, gid, home, shell);
827 if (r < 0)
828 return r;
829
830 *user = name;
831 return 0;
832 }
833
834 static int get_fixed_group(const ExecContext *c, const char **group, gid_t *gid) {
835 int r;
836 const char *name;
837
838 assert(c);
839
840 if (!c->group)
841 return 0;
842
843 name = c->group;
844 r = get_group_creds(&name, gid);
845 if (r < 0)
846 return r;
847
848 *group = name;
849 return 0;
850 }
851
852 static int get_supplementary_groups(const ExecContext *c, const char *user,
853 const char *group, gid_t gid,
854 gid_t **supplementary_gids, int *ngids) {
855 char **i;
856 int r, k = 0;
857 int ngroups_max;
858 bool keep_groups = false;
859 gid_t *groups = NULL;
860 _cleanup_free_ gid_t *l_gids = NULL;
861
862 assert(c);
863
864 /*
865 * If user is given, then lookup GID and supplementary groups list.
866 * We avoid NSS lookups for gid=0. Also we have to initialize groups
867 * here and as early as possible so we keep the list of supplementary
868 * groups of the caller.
869 */
870 if (user && gid_is_valid(gid) && gid != 0) {
871 /* First step, initialize groups from /etc/groups */
872 if (initgroups(user, gid) < 0)
873 return -errno;
874
875 keep_groups = true;
876 }
877
878 if (!c->supplementary_groups)
879 return 0;
880
881 /*
882 * If SupplementaryGroups= was passed then NGROUPS_MAX has to
883 * be positive, otherwise fail.
884 */
885 errno = 0;
886 ngroups_max = (int) sysconf(_SC_NGROUPS_MAX);
887 if (ngroups_max <= 0) {
888 if (errno > 0)
889 return -errno;
890 else
891 return -EOPNOTSUPP; /* For all other values */
892 }
893
894 l_gids = new(gid_t, ngroups_max);
895 if (!l_gids)
896 return -ENOMEM;
897
898 if (keep_groups) {
899 /*
900 * Lookup the list of groups that the user belongs to, we
901 * avoid NSS lookups here too for gid=0.
902 */
903 k = ngroups_max;
904 if (getgrouplist(user, gid, l_gids, &k) < 0)
905 return -EINVAL;
906 } else
907 k = 0;
908
909 STRV_FOREACH(i, c->supplementary_groups) {
910 const char *g;
911
912 if (k >= ngroups_max)
913 return -E2BIG;
914
915 g = *i;
916 r = get_group_creds(&g, l_gids+k);
917 if (r < 0)
918 return r;
919
920 k++;
921 }
922
923 /*
924 * Sets ngids to zero to drop all supplementary groups, happens
925 * when we are under root and SupplementaryGroups= is empty.
926 */
927 if (k == 0) {
928 *ngids = 0;
929 return 0;
930 }
931
932 /* Otherwise get the final list of supplementary groups */
933 groups = memdup(l_gids, sizeof(gid_t) * k);
934 if (!groups)
935 return -ENOMEM;
936
937 *supplementary_gids = groups;
938 *ngids = k;
939
940 groups = NULL;
941
942 return 0;
943 }
944
945 static int enforce_groups(const ExecContext *context, gid_t gid,
946 gid_t *supplementary_gids, int ngids) {
947 int r;
948
949 assert(context);
950
951 /* Handle SupplementaryGroups= even if it is empty */
952 if (context->supplementary_groups) {
953 r = maybe_setgroups(ngids, supplementary_gids);
954 if (r < 0)
955 return r;
956 }
957
958 if (gid_is_valid(gid)) {
959 /* Then set our gids */
960 if (setresgid(gid, gid, gid) < 0)
961 return -errno;
962 }
963
964 return 0;
965 }
966
967 static int enforce_user(const ExecContext *context, uid_t uid) {
968 assert(context);
969
970 if (!uid_is_valid(uid))
971 return 0;
972
973 /* Sets (but doesn't look up) the uid and make sure we keep the
974 * capabilities while doing so. */
975
976 if (context->capability_ambient_set != 0) {
977
978 /* First step: If we need to keep capabilities but
979 * drop privileges we need to make sure we keep our
980 * caps, while we drop privileges. */
981 if (uid != 0) {
982 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
983
984 if (prctl(PR_GET_SECUREBITS) != sb)
985 if (prctl(PR_SET_SECUREBITS, sb) < 0)
986 return -errno;
987 }
988 }
989
990 /* Second step: actually set the uids */
991 if (setresuid(uid, uid, uid) < 0)
992 return -errno;
993
994 /* At this point we should have all necessary capabilities but
995 are otherwise a normal user. However, the caps might got
996 corrupted due to the setresuid() so we need clean them up
997 later. This is done outside of this call. */
998
999 return 0;
1000 }
1001
1002 #ifdef HAVE_PAM
1003
1004 static int null_conv(
1005 int num_msg,
1006 const struct pam_message **msg,
1007 struct pam_response **resp,
1008 void *appdata_ptr) {
1009
1010 /* We don't support conversations */
1011
1012 return PAM_CONV_ERR;
1013 }
1014
1015 #endif
1016
1017 static int setup_pam(
1018 const char *name,
1019 const char *user,
1020 uid_t uid,
1021 gid_t gid,
1022 const char *tty,
1023 char ***env,
1024 int fds[], unsigned n_fds) {
1025
1026 #ifdef HAVE_PAM
1027
1028 static const struct pam_conv conv = {
1029 .conv = null_conv,
1030 .appdata_ptr = NULL
1031 };
1032
1033 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
1034 pam_handle_t *handle = NULL;
1035 sigset_t old_ss;
1036 int pam_code = PAM_SUCCESS, r;
1037 char **nv, **e = NULL;
1038 bool close_session = false;
1039 pid_t pam_pid = 0, parent_pid;
1040 int flags = 0;
1041
1042 assert(name);
1043 assert(user);
1044 assert(env);
1045
1046 /* We set up PAM in the parent process, then fork. The child
1047 * will then stay around until killed via PR_GET_PDEATHSIG or
1048 * systemd via the cgroup logic. It will then remove the PAM
1049 * session again. The parent process will exec() the actual
1050 * daemon. We do things this way to ensure that the main PID
1051 * of the daemon is the one we initially fork()ed. */
1052
1053 r = barrier_create(&barrier);
1054 if (r < 0)
1055 goto fail;
1056
1057 if (log_get_max_level() < LOG_DEBUG)
1058 flags |= PAM_SILENT;
1059
1060 pam_code = pam_start(name, user, &conv, &handle);
1061 if (pam_code != PAM_SUCCESS) {
1062 handle = NULL;
1063 goto fail;
1064 }
1065
1066 if (tty) {
1067 pam_code = pam_set_item(handle, PAM_TTY, tty);
1068 if (pam_code != PAM_SUCCESS)
1069 goto fail;
1070 }
1071
1072 STRV_FOREACH(nv, *env) {
1073 pam_code = pam_putenv(handle, *nv);
1074 if (pam_code != PAM_SUCCESS)
1075 goto fail;
1076 }
1077
1078 pam_code = pam_acct_mgmt(handle, flags);
1079 if (pam_code != PAM_SUCCESS)
1080 goto fail;
1081
1082 pam_code = pam_open_session(handle, flags);
1083 if (pam_code != PAM_SUCCESS)
1084 goto fail;
1085
1086 close_session = true;
1087
1088 e = pam_getenvlist(handle);
1089 if (!e) {
1090 pam_code = PAM_BUF_ERR;
1091 goto fail;
1092 }
1093
1094 /* Block SIGTERM, so that we know that it won't get lost in
1095 * the child */
1096
1097 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
1098
1099 parent_pid = getpid_cached();
1100
1101 pam_pid = fork();
1102 if (pam_pid < 0) {
1103 r = -errno;
1104 goto fail;
1105 }
1106
1107 if (pam_pid == 0) {
1108 int sig, ret = EXIT_PAM;
1109
1110 /* The child's job is to reset the PAM session on
1111 * termination */
1112 barrier_set_role(&barrier, BARRIER_CHILD);
1113
1114 /* This string must fit in 10 chars (i.e. the length
1115 * of "/sbin/init"), to look pretty in /bin/ps */
1116 rename_process("(sd-pam)");
1117
1118 /* Make sure we don't keep open the passed fds in this
1119 child. We assume that otherwise only those fds are
1120 open here that have been opened by PAM. */
1121 close_many(fds, n_fds);
1122
1123 /* Drop privileges - we don't need any to pam_close_session
1124 * and this will make PR_SET_PDEATHSIG work in most cases.
1125 * If this fails, ignore the error - but expect sd-pam threads
1126 * to fail to exit normally */
1127
1128 r = maybe_setgroups(0, NULL);
1129 if (r < 0)
1130 log_warning_errno(r, "Failed to setgroups() in sd-pam: %m");
1131 if (setresgid(gid, gid, gid) < 0)
1132 log_warning_errno(errno, "Failed to setresgid() in sd-pam: %m");
1133 if (setresuid(uid, uid, uid) < 0)
1134 log_warning_errno(errno, "Failed to setresuid() in sd-pam: %m");
1135
1136 (void) ignore_signals(SIGPIPE, -1);
1137
1138 /* Wait until our parent died. This will only work if
1139 * the above setresuid() succeeds, otherwise the kernel
1140 * will not allow unprivileged parents kill their privileged
1141 * children this way. We rely on the control groups kill logic
1142 * to do the rest for us. */
1143 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
1144 goto child_finish;
1145
1146 /* Tell the parent that our setup is done. This is especially
1147 * important regarding dropping privileges. Otherwise, unit
1148 * setup might race against our setresuid(2) call.
1149 *
1150 * If the parent aborted, we'll detect this below, hence ignore
1151 * return failure here. */
1152 (void) barrier_place(&barrier);
1153
1154 /* Check if our parent process might already have died? */
1155 if (getppid() == parent_pid) {
1156 sigset_t ss;
1157
1158 assert_se(sigemptyset(&ss) >= 0);
1159 assert_se(sigaddset(&ss, SIGTERM) >= 0);
1160
1161 for (;;) {
1162 if (sigwait(&ss, &sig) < 0) {
1163 if (errno == EINTR)
1164 continue;
1165
1166 goto child_finish;
1167 }
1168
1169 assert(sig == SIGTERM);
1170 break;
1171 }
1172 }
1173
1174 /* If our parent died we'll end the session */
1175 if (getppid() != parent_pid) {
1176 pam_code = pam_close_session(handle, flags);
1177 if (pam_code != PAM_SUCCESS)
1178 goto child_finish;
1179 }
1180
1181 ret = 0;
1182
1183 child_finish:
1184 pam_end(handle, pam_code | flags);
1185 _exit(ret);
1186 }
1187
1188 barrier_set_role(&barrier, BARRIER_PARENT);
1189
1190 /* If the child was forked off successfully it will do all the
1191 * cleanups, so forget about the handle here. */
1192 handle = NULL;
1193
1194 /* Unblock SIGTERM again in the parent */
1195 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
1196
1197 /* We close the log explicitly here, since the PAM modules
1198 * might have opened it, but we don't want this fd around. */
1199 closelog();
1200
1201 /* Synchronously wait for the child to initialize. We don't care for
1202 * errors as we cannot recover. However, warn loudly if it happens. */
1203 if (!barrier_place_and_sync(&barrier))
1204 log_error("PAM initialization failed");
1205
1206 strv_free(*env);
1207 *env = e;
1208
1209 return 0;
1210
1211 fail:
1212 if (pam_code != PAM_SUCCESS) {
1213 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
1214 r = -EPERM; /* PAM errors do not map to errno */
1215 } else
1216 log_error_errno(r, "PAM failed: %m");
1217
1218 if (handle) {
1219 if (close_session)
1220 pam_code = pam_close_session(handle, flags);
1221
1222 pam_end(handle, pam_code | flags);
1223 }
1224
1225 strv_free(e);
1226 closelog();
1227
1228 return r;
1229 #else
1230 return 0;
1231 #endif
1232 }
1233
1234 static void rename_process_from_path(const char *path) {
1235 char process_name[11];
1236 const char *p;
1237 size_t l;
1238
1239 /* This resulting string must fit in 10 chars (i.e. the length
1240 * of "/sbin/init") to look pretty in /bin/ps */
1241
1242 p = basename(path);
1243 if (isempty(p)) {
1244 rename_process("(...)");
1245 return;
1246 }
1247
1248 l = strlen(p);
1249 if (l > 8) {
1250 /* The end of the process name is usually more
1251 * interesting, since the first bit might just be
1252 * "systemd-" */
1253 p = p + l - 8;
1254 l = 8;
1255 }
1256
1257 process_name[0] = '(';
1258 memcpy(process_name+1, p, l);
1259 process_name[1+l] = ')';
1260 process_name[1+l+1] = 0;
1261
1262 rename_process(process_name);
1263 }
1264
1265 static bool context_has_address_families(const ExecContext *c) {
1266 assert(c);
1267
1268 return c->address_families_whitelist ||
1269 !set_isempty(c->address_families);
1270 }
1271
1272 static bool context_has_syscall_filters(const ExecContext *c) {
1273 assert(c);
1274
1275 return c->syscall_whitelist ||
1276 !set_isempty(c->syscall_filter);
1277 }
1278
1279 static bool context_has_no_new_privileges(const ExecContext *c) {
1280 assert(c);
1281
1282 if (c->no_new_privileges)
1283 return true;
1284
1285 if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
1286 return false;
1287
1288 /* We need NNP if we have any form of seccomp and are unprivileged */
1289 return context_has_address_families(c) ||
1290 c->memory_deny_write_execute ||
1291 c->restrict_realtime ||
1292 exec_context_restrict_namespaces_set(c) ||
1293 c->protect_kernel_tunables ||
1294 c->protect_kernel_modules ||
1295 c->private_devices ||
1296 context_has_syscall_filters(c) ||
1297 !set_isempty(c->syscall_archs);
1298 }
1299
1300 #ifdef HAVE_SECCOMP
1301
1302 static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
1303
1304 if (is_seccomp_available())
1305 return false;
1306
1307 log_open();
1308 log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
1309 log_close();
1310 return true;
1311 }
1312
1313 static int apply_syscall_filter(const Unit* u, const ExecContext *c) {
1314 uint32_t negative_action, default_action, action;
1315
1316 assert(u);
1317 assert(c);
1318
1319 if (!context_has_syscall_filters(c))
1320 return 0;
1321
1322 if (skip_seccomp_unavailable(u, "SystemCallFilter="))
1323 return 0;
1324
1325 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
1326
1327 if (c->syscall_whitelist) {
1328 default_action = negative_action;
1329 action = SCMP_ACT_ALLOW;
1330 } else {
1331 default_action = SCMP_ACT_ALLOW;
1332 action = negative_action;
1333 }
1334
1335 return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_filter, action);
1336 }
1337
1338 static int apply_syscall_archs(const Unit *u, const ExecContext *c) {
1339 assert(u);
1340 assert(c);
1341
1342 if (set_isempty(c->syscall_archs))
1343 return 0;
1344
1345 if (skip_seccomp_unavailable(u, "SystemCallArchitectures="))
1346 return 0;
1347
1348 return seccomp_restrict_archs(c->syscall_archs);
1349 }
1350
1351 static int apply_address_families(const Unit* u, const ExecContext *c) {
1352 assert(u);
1353 assert(c);
1354
1355 if (!context_has_address_families(c))
1356 return 0;
1357
1358 if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
1359 return 0;
1360
1361 return seccomp_restrict_address_families(c->address_families, c->address_families_whitelist);
1362 }
1363
1364 static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c) {
1365 assert(u);
1366 assert(c);
1367
1368 if (!c->memory_deny_write_execute)
1369 return 0;
1370
1371 if (skip_seccomp_unavailable(u, "MemoryDenyWriteExecute="))
1372 return 0;
1373
1374 return seccomp_memory_deny_write_execute();
1375 }
1376
1377 static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
1378 assert(u);
1379 assert(c);
1380
1381 if (!c->restrict_realtime)
1382 return 0;
1383
1384 if (skip_seccomp_unavailable(u, "RestrictRealtime="))
1385 return 0;
1386
1387 return seccomp_restrict_realtime();
1388 }
1389
1390 static int apply_protect_sysctl(const Unit *u, const ExecContext *c) {
1391 assert(u);
1392 assert(c);
1393
1394 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1395 * let's protect even those systems where this is left on in the kernel. */
1396
1397 if (!c->protect_kernel_tunables)
1398 return 0;
1399
1400 if (skip_seccomp_unavailable(u, "ProtectKernelTunables="))
1401 return 0;
1402
1403 return seccomp_protect_sysctl();
1404 }
1405
1406 static int apply_protect_kernel_modules(const Unit *u, const ExecContext *c) {
1407 assert(u);
1408 assert(c);
1409
1410 /* Turn off module syscalls on ProtectKernelModules=yes */
1411
1412 if (!c->protect_kernel_modules)
1413 return 0;
1414
1415 if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
1416 return 0;
1417
1418 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM));
1419 }
1420
1421 static int apply_private_devices(const Unit *u, const ExecContext *c) {
1422 assert(u);
1423 assert(c);
1424
1425 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
1426
1427 if (!c->private_devices)
1428 return 0;
1429
1430 if (skip_seccomp_unavailable(u, "PrivateDevices="))
1431 return 0;
1432
1433 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
1434 }
1435
1436 static int apply_restrict_namespaces(Unit *u, const ExecContext *c) {
1437 assert(u);
1438 assert(c);
1439
1440 if (!exec_context_restrict_namespaces_set(c))
1441 return 0;
1442
1443 if (skip_seccomp_unavailable(u, "RestrictNamespaces="))
1444 return 0;
1445
1446 return seccomp_restrict_namespaces(c->restrict_namespaces);
1447 }
1448
1449 #endif
1450
1451 static void do_idle_pipe_dance(int idle_pipe[4]) {
1452 assert(idle_pipe);
1453
1454 idle_pipe[1] = safe_close(idle_pipe[1]);
1455 idle_pipe[2] = safe_close(idle_pipe[2]);
1456
1457 if (idle_pipe[0] >= 0) {
1458 int r;
1459
1460 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1461
1462 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
1463 ssize_t n;
1464
1465 /* Signal systemd that we are bored and want to continue. */
1466 n = write(idle_pipe[3], "x", 1);
1467 if (n > 0)
1468 /* Wait for systemd to react to the signal above. */
1469 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1470 }
1471
1472 idle_pipe[0] = safe_close(idle_pipe[0]);
1473
1474 }
1475
1476 idle_pipe[3] = safe_close(idle_pipe[3]);
1477 }
1478
1479 static int build_environment(
1480 Unit *u,
1481 const ExecContext *c,
1482 const ExecParameters *p,
1483 unsigned n_fds,
1484 const char *home,
1485 const char *username,
1486 const char *shell,
1487 dev_t journal_stream_dev,
1488 ino_t journal_stream_ino,
1489 char ***ret) {
1490
1491 _cleanup_strv_free_ char **our_env = NULL;
1492 unsigned n_env = 0;
1493 char *x;
1494
1495 assert(u);
1496 assert(c);
1497 assert(ret);
1498
1499 our_env = new0(char*, 14);
1500 if (!our_env)
1501 return -ENOMEM;
1502
1503 if (n_fds > 0) {
1504 _cleanup_free_ char *joined = NULL;
1505
1506 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid_cached()) < 0)
1507 return -ENOMEM;
1508 our_env[n_env++] = x;
1509
1510 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1511 return -ENOMEM;
1512 our_env[n_env++] = x;
1513
1514 joined = strv_join(p->fd_names, ":");
1515 if (!joined)
1516 return -ENOMEM;
1517
1518 x = strjoin("LISTEN_FDNAMES=", joined);
1519 if (!x)
1520 return -ENOMEM;
1521 our_env[n_env++] = x;
1522 }
1523
1524 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
1525 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid_cached()) < 0)
1526 return -ENOMEM;
1527 our_env[n_env++] = x;
1528
1529 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
1530 return -ENOMEM;
1531 our_env[n_env++] = x;
1532 }
1533
1534 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1535 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1536 * check the database directly. */
1537 if (unit_has_name(u, SPECIAL_DBUS_SERVICE)) {
1538 x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1539 if (!x)
1540 return -ENOMEM;
1541 our_env[n_env++] = x;
1542 }
1543
1544 if (home) {
1545 x = strappend("HOME=", home);
1546 if (!x)
1547 return -ENOMEM;
1548 our_env[n_env++] = x;
1549 }
1550
1551 if (username) {
1552 x = strappend("LOGNAME=", username);
1553 if (!x)
1554 return -ENOMEM;
1555 our_env[n_env++] = x;
1556
1557 x = strappend("USER=", username);
1558 if (!x)
1559 return -ENOMEM;
1560 our_env[n_env++] = x;
1561 }
1562
1563 if (shell) {
1564 x = strappend("SHELL=", shell);
1565 if (!x)
1566 return -ENOMEM;
1567 our_env[n_env++] = x;
1568 }
1569
1570 if (!sd_id128_is_null(u->invocation_id)) {
1571 if (asprintf(&x, "INVOCATION_ID=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(u->invocation_id)) < 0)
1572 return -ENOMEM;
1573
1574 our_env[n_env++] = x;
1575 }
1576
1577 if (exec_context_needs_term(c)) {
1578 const char *tty_path, *term = NULL;
1579
1580 tty_path = exec_context_tty_path(c);
1581
1582 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try to inherit
1583 * the $TERM set for PID 1. This is useful for containers so that the $TERM the container manager
1584 * passes to PID 1 ends up all the way in the console login shown. */
1585
1586 if (path_equal(tty_path, "/dev/console") && getppid() == 1)
1587 term = getenv("TERM");
1588 if (!term)
1589 term = default_term_for_tty(tty_path);
1590
1591 x = strappend("TERM=", term);
1592 if (!x)
1593 return -ENOMEM;
1594 our_env[n_env++] = x;
1595 }
1596
1597 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1598 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1599 return -ENOMEM;
1600
1601 our_env[n_env++] = x;
1602 }
1603
1604 our_env[n_env++] = NULL;
1605 assert(n_env <= 12);
1606
1607 *ret = our_env;
1608 our_env = NULL;
1609
1610 return 0;
1611 }
1612
1613 static int build_pass_environment(const ExecContext *c, char ***ret) {
1614 _cleanup_strv_free_ char **pass_env = NULL;
1615 size_t n_env = 0, n_bufsize = 0;
1616 char **i;
1617
1618 STRV_FOREACH(i, c->pass_environment) {
1619 _cleanup_free_ char *x = NULL;
1620 char *v;
1621
1622 v = getenv(*i);
1623 if (!v)
1624 continue;
1625 x = strjoin(*i, "=", v);
1626 if (!x)
1627 return -ENOMEM;
1628 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1629 return -ENOMEM;
1630 pass_env[n_env++] = x;
1631 pass_env[n_env] = NULL;
1632 x = NULL;
1633 }
1634
1635 *ret = pass_env;
1636 pass_env = NULL;
1637
1638 return 0;
1639 }
1640
1641 static bool exec_needs_mount_namespace(
1642 const ExecContext *context,
1643 const ExecParameters *params,
1644 ExecRuntime *runtime) {
1645
1646 assert(context);
1647 assert(params);
1648
1649 if (context->root_image)
1650 return true;
1651
1652 if (!strv_isempty(context->read_write_paths) ||
1653 !strv_isempty(context->read_only_paths) ||
1654 !strv_isempty(context->inaccessible_paths))
1655 return true;
1656
1657 if (context->n_bind_mounts > 0)
1658 return true;
1659
1660 if (context->mount_flags != 0)
1661 return true;
1662
1663 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1664 return true;
1665
1666 if (context->private_devices ||
1667 context->protect_system != PROTECT_SYSTEM_NO ||
1668 context->protect_home != PROTECT_HOME_NO ||
1669 context->protect_kernel_tunables ||
1670 context->protect_kernel_modules ||
1671 context->protect_control_groups)
1672 return true;
1673
1674 if (context->mount_apivfs && (context->root_image || context->root_directory))
1675 return true;
1676
1677 return false;
1678 }
1679
1680 static int setup_private_users(uid_t uid, gid_t gid) {
1681 _cleanup_free_ char *uid_map = NULL, *gid_map = NULL;
1682 _cleanup_close_pair_ int errno_pipe[2] = { -1, -1 };
1683 _cleanup_close_ int unshare_ready_fd = -1;
1684 _cleanup_(sigkill_waitp) pid_t pid = 0;
1685 uint64_t c = 1;
1686 siginfo_t si;
1687 ssize_t n;
1688 int r;
1689
1690 /* Set up a user namespace and map root to root, the selected UID/GID to itself, and everything else to
1691 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1692 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1693 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1694 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
1695 * continues execution normally. */
1696
1697 if (uid != 0 && uid_is_valid(uid)) {
1698 r = asprintf(&uid_map,
1699 "0 0 1\n" /* Map root → root */
1700 UID_FMT " " UID_FMT " 1\n", /* Map $UID → $UID */
1701 uid, uid);
1702 if (r < 0)
1703 return -ENOMEM;
1704 } else {
1705 uid_map = strdup("0 0 1\n"); /* The case where the above is the same */
1706 if (!uid_map)
1707 return -ENOMEM;
1708 }
1709
1710 if (gid != 0 && gid_is_valid(gid)) {
1711 r = asprintf(&gid_map,
1712 "0 0 1\n" /* Map root → root */
1713 GID_FMT " " GID_FMT " 1\n", /* Map $GID → $GID */
1714 gid, gid);
1715 if (r < 0)
1716 return -ENOMEM;
1717 } else {
1718 gid_map = strdup("0 0 1\n"); /* The case where the above is the same */
1719 if (!gid_map)
1720 return -ENOMEM;
1721 }
1722
1723 /* Create a communication channel so that the parent can tell the child when it finished creating the user
1724 * namespace. */
1725 unshare_ready_fd = eventfd(0, EFD_CLOEXEC);
1726 if (unshare_ready_fd < 0)
1727 return -errno;
1728
1729 /* Create a communication channel so that the child can tell the parent a proper error code in case it
1730 * failed. */
1731 if (pipe2(errno_pipe, O_CLOEXEC) < 0)
1732 return -errno;
1733
1734 pid = fork();
1735 if (pid < 0)
1736 return -errno;
1737
1738 if (pid == 0) {
1739 _cleanup_close_ int fd = -1;
1740 const char *a;
1741 pid_t ppid;
1742
1743 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
1744 * here, after the parent opened its own user namespace. */
1745
1746 ppid = getppid();
1747 errno_pipe[0] = safe_close(errno_pipe[0]);
1748
1749 /* Wait until the parent unshared the user namespace */
1750 if (read(unshare_ready_fd, &c, sizeof(c)) < 0) {
1751 r = -errno;
1752 goto child_fail;
1753 }
1754
1755 /* Disable the setgroups() system call in the child user namespace, for good. */
1756 a = procfs_file_alloca(ppid, "setgroups");
1757 fd = open(a, O_WRONLY|O_CLOEXEC);
1758 if (fd < 0) {
1759 if (errno != ENOENT) {
1760 r = -errno;
1761 goto child_fail;
1762 }
1763
1764 /* If the file is missing the kernel is too old, let's continue anyway. */
1765 } else {
1766 if (write(fd, "deny\n", 5) < 0) {
1767 r = -errno;
1768 goto child_fail;
1769 }
1770
1771 fd = safe_close(fd);
1772 }
1773
1774 /* First write the GID map */
1775 a = procfs_file_alloca(ppid, "gid_map");
1776 fd = open(a, O_WRONLY|O_CLOEXEC);
1777 if (fd < 0) {
1778 r = -errno;
1779 goto child_fail;
1780 }
1781 if (write(fd, gid_map, strlen(gid_map)) < 0) {
1782 r = -errno;
1783 goto child_fail;
1784 }
1785 fd = safe_close(fd);
1786
1787 /* The write the UID map */
1788 a = procfs_file_alloca(ppid, "uid_map");
1789 fd = open(a, O_WRONLY|O_CLOEXEC);
1790 if (fd < 0) {
1791 r = -errno;
1792 goto child_fail;
1793 }
1794 if (write(fd, uid_map, strlen(uid_map)) < 0) {
1795 r = -errno;
1796 goto child_fail;
1797 }
1798
1799 _exit(EXIT_SUCCESS);
1800
1801 child_fail:
1802 (void) write(errno_pipe[1], &r, sizeof(r));
1803 _exit(EXIT_FAILURE);
1804 }
1805
1806 errno_pipe[1] = safe_close(errno_pipe[1]);
1807
1808 if (unshare(CLONE_NEWUSER) < 0)
1809 return -errno;
1810
1811 /* Let the child know that the namespace is ready now */
1812 if (write(unshare_ready_fd, &c, sizeof(c)) < 0)
1813 return -errno;
1814
1815 /* Try to read an error code from the child */
1816 n = read(errno_pipe[0], &r, sizeof(r));
1817 if (n < 0)
1818 return -errno;
1819 if (n == sizeof(r)) { /* an error code was sent to us */
1820 if (r < 0)
1821 return r;
1822 return -EIO;
1823 }
1824 if (n != 0) /* on success we should have read 0 bytes */
1825 return -EIO;
1826
1827 r = wait_for_terminate(pid, &si);
1828 if (r < 0)
1829 return r;
1830 pid = 0;
1831
1832 /* If something strange happened with the child, let's consider this fatal, too */
1833 if (si.si_code != CLD_EXITED || si.si_status != 0)
1834 return -EIO;
1835
1836 return 0;
1837 }
1838
1839 static int setup_exec_directory(
1840 const ExecContext *context,
1841 const ExecParameters *params,
1842 uid_t uid,
1843 gid_t gid,
1844 bool manager_is_system,
1845 ExecDirectoryType type,
1846 int *exit_status) {
1847
1848 static const int exit_status_table[_EXEC_DIRECTORY_MAX] = {
1849 [EXEC_DIRECTORY_RUNTIME] = EXIT_RUNTIME_DIRECTORY,
1850 [EXEC_DIRECTORY_STATE] = EXIT_STATE_DIRECTORY,
1851 [EXEC_DIRECTORY_CACHE] = EXIT_CACHE_DIRECTORY,
1852 [EXEC_DIRECTORY_LOGS] = EXIT_LOGS_DIRECTORY,
1853 [EXEC_DIRECTORY_CONFIGURATION] = EXIT_CONFIGURATION_DIRECTORY,
1854 };
1855 char **rt;
1856 int r;
1857
1858 assert(context);
1859 assert(params);
1860 assert(type >= 0 && type < _EXEC_DIRECTORY_MAX);
1861 assert(exit_status);
1862
1863 if (!params->prefix[type])
1864 return 0;
1865
1866 if (manager_is_system) {
1867 if (!uid_is_valid(uid))
1868 uid = 0;
1869 if (!gid_is_valid(gid))
1870 gid = 0;
1871 }
1872
1873 STRV_FOREACH(rt, context->directories[type].paths) {
1874 _cleanup_free_ char *p;
1875
1876 p = strjoin(params->prefix[type], "/", *rt);
1877 if (!p) {
1878 r = -ENOMEM;
1879 goto fail;
1880 }
1881
1882 r = mkdir_parents_label(p, 0755);
1883 if (r < 0)
1884 goto fail;
1885
1886 r = mkdir_p_label(p, context->directories[type].mode);
1887 if (r < 0)
1888 goto fail;
1889
1890 r = chmod_and_chown(p, context->directories[type].mode, uid, gid);
1891 if (r < 0)
1892 goto fail;
1893 }
1894
1895 return 0;
1896
1897 fail:
1898 *exit_status = exit_status_table[type];
1899
1900 return r;
1901 }
1902
1903 static int setup_smack(
1904 const ExecContext *context,
1905 const ExecCommand *command) {
1906
1907 int r;
1908
1909 assert(context);
1910 assert(command);
1911
1912 if (context->smack_process_label) {
1913 r = mac_smack_apply_pid(0, context->smack_process_label);
1914 if (r < 0)
1915 return r;
1916 }
1917 #ifdef SMACK_DEFAULT_PROCESS_LABEL
1918 else {
1919 _cleanup_free_ char *exec_label = NULL;
1920
1921 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
1922 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP)
1923 return r;
1924
1925 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
1926 if (r < 0)
1927 return r;
1928 }
1929 #endif
1930
1931 return 0;
1932 }
1933
1934 static int compile_read_write_paths(
1935 const ExecContext *context,
1936 const ExecParameters *params,
1937 char ***ret) {
1938
1939 _cleanup_strv_free_ char **l = NULL;
1940 char **rt;
1941 ExecDirectoryType i;
1942
1943 /* Compile the list of writable paths. This is the combination of
1944 * the explicitly configured paths, plus all runtime directories. */
1945
1946 if (strv_isempty(context->read_write_paths)) {
1947 for (i = 0; i < _EXEC_DIRECTORY_MAX; i++)
1948 if (!strv_isempty(context->directories[i].paths))
1949 break;
1950
1951 if (i == _EXEC_DIRECTORY_MAX) {
1952 *ret = NULL; /* NOP if neither is set */
1953 return 0;
1954 }
1955 }
1956
1957 l = strv_copy(context->read_write_paths);
1958 if (!l)
1959 return -ENOMEM;
1960
1961 for (i = 0; i < _EXEC_DIRECTORY_MAX; i++) {
1962 if (!params->prefix[i])
1963 continue;
1964
1965 STRV_FOREACH(rt, context->directories[i].paths) {
1966 char *s;
1967
1968 s = strjoin(params->prefix[i], "/", *rt);
1969 if (!s)
1970 return -ENOMEM;
1971
1972 if (strv_consume(&l, s) < 0)
1973 return -ENOMEM;
1974 }
1975 }
1976
1977 *ret = l;
1978 l = NULL;
1979
1980 return 0;
1981 }
1982
1983 static int apply_mount_namespace(
1984 Unit *u,
1985 ExecCommand *command,
1986 const ExecContext *context,
1987 const ExecParameters *params,
1988 ExecRuntime *runtime) {
1989
1990 _cleanup_strv_free_ char **rw = NULL;
1991 char *tmp = NULL, *var = NULL;
1992 const char *root_dir = NULL, *root_image = NULL;
1993 NameSpaceInfo ns_info = {
1994 .ignore_protect_paths = false,
1995 .private_dev = context->private_devices,
1996 .protect_control_groups = context->protect_control_groups,
1997 .protect_kernel_tunables = context->protect_kernel_tunables,
1998 .protect_kernel_modules = context->protect_kernel_modules,
1999 .mount_apivfs = context->mount_apivfs,
2000 };
2001 bool apply_restrictions;
2002 int r;
2003
2004 assert(context);
2005
2006 /* The runtime struct only contains the parent of the private /tmp,
2007 * which is non-accessible to world users. Inside of it there's a /tmp
2008 * that is sticky, and that's the one we want to use here. */
2009
2010 if (context->private_tmp && runtime) {
2011 if (runtime->tmp_dir)
2012 tmp = strjoina(runtime->tmp_dir, "/tmp");
2013 if (runtime->var_tmp_dir)
2014 var = strjoina(runtime->var_tmp_dir, "/tmp");
2015 }
2016
2017 r = compile_read_write_paths(context, params, &rw);
2018 if (r < 0)
2019 return r;
2020
2021 if (params->flags & EXEC_APPLY_CHROOT) {
2022 root_image = context->root_image;
2023
2024 if (!root_image)
2025 root_dir = context->root_directory;
2026 }
2027
2028 /*
2029 * If DynamicUser=no and RootDirectory= is set then lets pass a relaxed
2030 * sandbox info, otherwise enforce it, don't ignore protected paths and
2031 * fail if we are enable to apply the sandbox inside the mount namespace.
2032 */
2033 if (!context->dynamic_user && root_dir)
2034 ns_info.ignore_protect_paths = true;
2035
2036 apply_restrictions = (params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged;
2037
2038 r = setup_namespace(root_dir, root_image,
2039 &ns_info, rw,
2040 apply_restrictions ? context->read_only_paths : NULL,
2041 apply_restrictions ? context->inaccessible_paths : NULL,
2042 context->bind_mounts,
2043 context->n_bind_mounts,
2044 tmp,
2045 var,
2046 apply_restrictions ? context->protect_home : PROTECT_HOME_NO,
2047 apply_restrictions ? context->protect_system : PROTECT_SYSTEM_NO,
2048 context->mount_flags,
2049 DISSECT_IMAGE_DISCARD_ON_LOOP);
2050
2051 /* If we couldn't set up the namespace this is probably due to a
2052 * missing capability. In this case, silently proceeed. */
2053 if (IN_SET(r, -EPERM, -EACCES)) {
2054 log_open();
2055 log_unit_debug_errno(u, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
2056 log_close();
2057 r = 0;
2058 }
2059
2060 return r;
2061 }
2062
2063 static int apply_working_directory(
2064 const ExecContext *context,
2065 const ExecParameters *params,
2066 const char *home,
2067 const bool needs_mount_ns,
2068 int *exit_status) {
2069
2070 const char *d, *wd;
2071
2072 assert(context);
2073 assert(exit_status);
2074
2075 if (context->working_directory_home) {
2076
2077 if (!home) {
2078 *exit_status = EXIT_CHDIR;
2079 return -ENXIO;
2080 }
2081
2082 wd = home;
2083
2084 } else if (context->working_directory)
2085 wd = context->working_directory;
2086 else
2087 wd = "/";
2088
2089 if (params->flags & EXEC_APPLY_CHROOT) {
2090 if (!needs_mount_ns && context->root_directory)
2091 if (chroot(context->root_directory) < 0) {
2092 *exit_status = EXIT_CHROOT;
2093 return -errno;
2094 }
2095
2096 d = wd;
2097 } else
2098 d = prefix_roota(context->root_directory, wd);
2099
2100 if (chdir(d) < 0 && !context->working_directory_missing_ok) {
2101 *exit_status = EXIT_CHDIR;
2102 return -errno;
2103 }
2104
2105 return 0;
2106 }
2107
2108 static int setup_keyring(Unit *u, const ExecParameters *p, uid_t uid, gid_t gid) {
2109 key_serial_t keyring;
2110
2111 assert(u);
2112 assert(p);
2113
2114 /* Let's set up a new per-service "session" kernel keyring for each system service. This has the benefit that
2115 * each service runs with its own keyring shared among all processes of the service, but with no hook-up beyond
2116 * that scope, and in particular no link to the per-UID keyring. If we don't do this the keyring will be
2117 * automatically created on-demand and then linked to the per-UID keyring, by the kernel. The kernel's built-in
2118 * on-demand behaviour is very appropriate for login users, but probably not so much for system services, where
2119 * UIDs are not necessarily specific to a service but reused (at least in the case of UID 0). */
2120
2121 if (!(p->flags & EXEC_NEW_KEYRING))
2122 return 0;
2123
2124 keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0);
2125 if (keyring == -1) {
2126 if (errno == ENOSYS)
2127 log_debug_errno(errno, "Kernel keyring not supported, ignoring.");
2128 else if (IN_SET(errno, EACCES, EPERM))
2129 log_debug_errno(errno, "Kernel keyring access prohibited, ignoring.");
2130 else if (errno == EDQUOT)
2131 log_debug_errno(errno, "Out of kernel keyrings to allocate, ignoring.");
2132 else
2133 return log_error_errno(errno, "Setting up kernel keyring failed: %m");
2134
2135 return 0;
2136 }
2137
2138 /* Populate they keyring with the invocation ID by default. */
2139 if (!sd_id128_is_null(u->invocation_id)) {
2140 key_serial_t key;
2141
2142 key = add_key("user", "invocation_id", &u->invocation_id, sizeof(u->invocation_id), KEY_SPEC_SESSION_KEYRING);
2143 if (key == -1)
2144 log_debug_errno(errno, "Failed to add invocation ID to keyring, ignoring: %m");
2145 else {
2146 if (keyctl(KEYCTL_SETPERM, key,
2147 KEY_POS_VIEW|KEY_POS_READ|KEY_POS_SEARCH|
2148 KEY_USR_VIEW|KEY_USR_READ|KEY_USR_SEARCH, 0, 0) < 0)
2149 return log_error_errno(errno, "Failed to restrict invocation ID permission: %m");
2150 }
2151 }
2152
2153 /* And now, make the keyring owned by the service's user */
2154 if (uid_is_valid(uid) || gid_is_valid(gid))
2155 if (keyctl(KEYCTL_CHOWN, keyring, uid, gid, 0) < 0)
2156 return log_error_errno(errno, "Failed to change ownership of session keyring: %m");
2157
2158 return 0;
2159 }
2160
2161 static void append_socket_pair(int *array, unsigned *n, int pair[2]) {
2162 assert(array);
2163 assert(n);
2164
2165 if (!pair)
2166 return;
2167
2168 if (pair[0] >= 0)
2169 array[(*n)++] = pair[0];
2170 if (pair[1] >= 0)
2171 array[(*n)++] = pair[1];
2172 }
2173
2174 static int close_remaining_fds(
2175 const ExecParameters *params,
2176 ExecRuntime *runtime,
2177 DynamicCreds *dcreds,
2178 int user_lookup_fd,
2179 int socket_fd,
2180 int *fds, unsigned n_fds) {
2181
2182 unsigned n_dont_close = 0;
2183 int dont_close[n_fds + 12];
2184
2185 assert(params);
2186
2187 if (params->stdin_fd >= 0)
2188 dont_close[n_dont_close++] = params->stdin_fd;
2189 if (params->stdout_fd >= 0)
2190 dont_close[n_dont_close++] = params->stdout_fd;
2191 if (params->stderr_fd >= 0)
2192 dont_close[n_dont_close++] = params->stderr_fd;
2193
2194 if (socket_fd >= 0)
2195 dont_close[n_dont_close++] = socket_fd;
2196 if (n_fds > 0) {
2197 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
2198 n_dont_close += n_fds;
2199 }
2200
2201 if (runtime)
2202 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
2203
2204 if (dcreds) {
2205 if (dcreds->user)
2206 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
2207 if (dcreds->group)
2208 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
2209 }
2210
2211 if (user_lookup_fd >= 0)
2212 dont_close[n_dont_close++] = user_lookup_fd;
2213
2214 return close_all_fds(dont_close, n_dont_close);
2215 }
2216
2217 static int send_user_lookup(
2218 Unit *unit,
2219 int user_lookup_fd,
2220 uid_t uid,
2221 gid_t gid) {
2222
2223 assert(unit);
2224
2225 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
2226 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
2227 * specified. */
2228
2229 if (user_lookup_fd < 0)
2230 return 0;
2231
2232 if (!uid_is_valid(uid) && !gid_is_valid(gid))
2233 return 0;
2234
2235 if (writev(user_lookup_fd,
2236 (struct iovec[]) {
2237 { .iov_base = &uid, .iov_len = sizeof(uid) },
2238 { .iov_base = &gid, .iov_len = sizeof(gid) },
2239 { .iov_base = unit->id, .iov_len = strlen(unit->id) }}, 3) < 0)
2240 return -errno;
2241
2242 return 0;
2243 }
2244
2245 static int acquire_home(const ExecContext *c, uid_t uid, const char** home, char **buf) {
2246 int r;
2247
2248 assert(c);
2249 assert(home);
2250 assert(buf);
2251
2252 /* If WorkingDirectory=~ is set, try to acquire a usable home directory. */
2253
2254 if (*home)
2255 return 0;
2256
2257 if (!c->working_directory_home)
2258 return 0;
2259
2260 if (uid == 0) {
2261 /* Hardcode /root as home directory for UID 0 */
2262 *home = "/root";
2263 return 1;
2264 }
2265
2266 r = get_home_dir(buf);
2267 if (r < 0)
2268 return r;
2269
2270 *home = *buf;
2271 return 1;
2272 }
2273
2274 static int exec_child(
2275 Unit *unit,
2276 ExecCommand *command,
2277 const ExecContext *context,
2278 const ExecParameters *params,
2279 ExecRuntime *runtime,
2280 DynamicCreds *dcreds,
2281 char **argv,
2282 int socket_fd,
2283 int named_iofds[3],
2284 int *fds,
2285 unsigned n_storage_fds,
2286 unsigned n_socket_fds,
2287 char **files_env,
2288 int user_lookup_fd,
2289 int *exit_status,
2290 char **error_message) {
2291
2292 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **final_argv = NULL;
2293 _cleanup_free_ char *mac_selinux_context_net = NULL, *home_buffer = NULL;
2294 _cleanup_free_ gid_t *supplementary_gids = NULL;
2295 const char *username = NULL, *groupname = NULL;
2296 const char *home = NULL, *shell = NULL;
2297 dev_t journal_stream_dev = 0;
2298 ino_t journal_stream_ino = 0;
2299 bool needs_exec_restrictions, needs_mount_namespace;
2300 #ifdef HAVE_SELINUX
2301 bool needs_selinux = false;
2302 #endif
2303 #ifdef HAVE_SMACK
2304 bool needs_smack = false;
2305 #endif
2306 #ifdef HAVE_APPARMOR
2307 bool needs_apparmor = false;
2308 #endif
2309 uid_t uid = UID_INVALID;
2310 gid_t gid = GID_INVALID;
2311 int i, r, ngids = 0;
2312 unsigned n_fds;
2313 ExecDirectoryType dt;
2314
2315 assert(unit);
2316 assert(command);
2317 assert(context);
2318 assert(params);
2319 assert(exit_status);
2320 assert(error_message);
2321 /* We don't always set error_message, hence it must be initialized */
2322 assert(*error_message == NULL);
2323
2324 rename_process_from_path(command->path);
2325
2326 /* We reset exactly these signals, since they are the
2327 * only ones we set to SIG_IGN in the main daemon. All
2328 * others we leave untouched because we set them to
2329 * SIG_DFL or a valid handler initially, both of which
2330 * will be demoted to SIG_DFL. */
2331 (void) default_signals(SIGNALS_CRASH_HANDLER,
2332 SIGNALS_IGNORE, -1);
2333
2334 if (context->ignore_sigpipe)
2335 (void) ignore_signals(SIGPIPE, -1);
2336
2337 r = reset_signal_mask();
2338 if (r < 0) {
2339 *exit_status = EXIT_SIGNAL_MASK;
2340 *error_message = strdup("Failed to reset signal mask");
2341 /* If strdup fails, here and below, we will just print the generic error message. */
2342 return r;
2343 }
2344
2345 if (params->idle_pipe)
2346 do_idle_pipe_dance(params->idle_pipe);
2347
2348 /* Close sockets very early to make sure we don't
2349 * block init reexecution because it cannot bind its
2350 * sockets */
2351
2352 log_forget_fds();
2353
2354 n_fds = n_storage_fds + n_socket_fds;
2355 r = close_remaining_fds(params, runtime, dcreds, user_lookup_fd, socket_fd, fds, n_fds);
2356 if (r < 0) {
2357 *exit_status = EXIT_FDS;
2358 *error_message = strdup("Failed to close remaining fds");
2359 return r;
2360 }
2361
2362 if (!context->same_pgrp)
2363 if (setsid() < 0) {
2364 *exit_status = EXIT_SETSID;
2365 return -errno;
2366 }
2367
2368 exec_context_tty_reset(context, params);
2369
2370 if (unit_shall_confirm_spawn(unit)) {
2371 const char *vc = params->confirm_spawn;
2372 _cleanup_free_ char *cmdline = NULL;
2373
2374 cmdline = exec_command_line(argv);
2375 if (!cmdline) {
2376 *exit_status = EXIT_CONFIRM;
2377 return -ENOMEM;
2378 }
2379
2380 r = ask_for_confirmation(vc, unit, cmdline);
2381 if (r != CONFIRM_EXECUTE) {
2382 if (r == CONFIRM_PRETEND_SUCCESS) {
2383 *exit_status = EXIT_SUCCESS;
2384 return 0;
2385 }
2386 *exit_status = EXIT_CONFIRM;
2387 *error_message = strdup("Execution cancelled");
2388 return -ECANCELED;
2389 }
2390 }
2391
2392 if (context->dynamic_user && dcreds) {
2393
2394 /* Make sure we bypass our own NSS module for any NSS checks */
2395 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
2396 *exit_status = EXIT_USER;
2397 *error_message = strdup("Failed to update environment");
2398 return -errno;
2399 }
2400
2401 r = dynamic_creds_realize(dcreds, &uid, &gid);
2402 if (r < 0) {
2403 *exit_status = EXIT_USER;
2404 *error_message = strdup("Failed to update dynamic user credentials");
2405 return r;
2406 }
2407
2408 if (!uid_is_valid(uid)) {
2409 *exit_status = EXIT_USER;
2410 (void) asprintf(error_message, "UID validation failed for \""UID_FMT"\"", uid);
2411 /* If asprintf fails, here and below, we will just print the generic error message. */
2412 return -ESRCH;
2413 }
2414
2415 if (!gid_is_valid(gid)) {
2416 *exit_status = EXIT_USER;
2417 (void) asprintf(error_message, "GID validation failed for \""GID_FMT"\"", gid);
2418 return -ESRCH;
2419 }
2420
2421 if (dcreds->user)
2422 username = dcreds->user->name;
2423
2424 } else {
2425 r = get_fixed_user(context, &username, &uid, &gid, &home, &shell);
2426 if (r < 0) {
2427 *exit_status = EXIT_USER;
2428 *error_message = strdup("Failed to determine user credentials");
2429 return r;
2430 }
2431
2432 r = get_fixed_group(context, &groupname, &gid);
2433 if (r < 0) {
2434 *exit_status = EXIT_GROUP;
2435 *error_message = strdup("Failed to determine group credentials");
2436 return r;
2437 }
2438 }
2439
2440 /* Initialize user supplementary groups and get SupplementaryGroups= ones */
2441 r = get_supplementary_groups(context, username, groupname, gid,
2442 &supplementary_gids, &ngids);
2443 if (r < 0) {
2444 *exit_status = EXIT_GROUP;
2445 *error_message = strdup("Failed to determine supplementary groups");
2446 return r;
2447 }
2448
2449 r = send_user_lookup(unit, user_lookup_fd, uid, gid);
2450 if (r < 0) {
2451 *exit_status = EXIT_USER;
2452 *error_message = strdup("Failed to send user credentials to PID1");
2453 return r;
2454 }
2455
2456 user_lookup_fd = safe_close(user_lookup_fd);
2457
2458 r = acquire_home(context, uid, &home, &home_buffer);
2459 if (r < 0) {
2460 *exit_status = EXIT_CHDIR;
2461 *error_message = strdup("Failed to determine $HOME for user");
2462 return r;
2463 }
2464
2465 /* If a socket is connected to STDIN/STDOUT/STDERR, we
2466 * must sure to drop O_NONBLOCK */
2467 if (socket_fd >= 0)
2468 (void) fd_nonblock(socket_fd, false);
2469
2470 r = setup_input(context, params, socket_fd, named_iofds);
2471 if (r < 0) {
2472 *exit_status = EXIT_STDIN;
2473 *error_message = strdup("Failed to set up stdin");
2474 return r;
2475 }
2476
2477 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
2478 if (r < 0) {
2479 *exit_status = EXIT_STDOUT;
2480 *error_message = strdup("Failed to set up stdout");
2481 return r;
2482 }
2483
2484 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
2485 if (r < 0) {
2486 *exit_status = EXIT_STDERR;
2487 *error_message = strdup("Failed to set up stderr");
2488 return r;
2489 }
2490
2491 if (params->cgroup_path) {
2492 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
2493 if (r < 0) {
2494 *exit_status = EXIT_CGROUP;
2495 (void) asprintf(error_message, "Failed to attach to cgroup %s", params->cgroup_path);
2496 return r;
2497 }
2498 }
2499
2500 if (context->oom_score_adjust_set) {
2501 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
2502
2503 /* When we can't make this change due to EPERM, then
2504 * let's silently skip over it. User namespaces
2505 * prohibit write access to this file, and we
2506 * shouldn't trip up over that. */
2507
2508 sprintf(t, "%i", context->oom_score_adjust);
2509 r = write_string_file("/proc/self/oom_score_adj", t, 0);
2510 if (r == -EPERM || r == -EACCES) {
2511 log_open();
2512 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
2513 log_close();
2514 } else if (r < 0) {
2515 *exit_status = EXIT_OOM_ADJUST;
2516 *error_message = strdup("Failed to write /proc/self/oom_score_adj");
2517 return -errno;
2518 }
2519 }
2520
2521 if (context->nice_set)
2522 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
2523 *exit_status = EXIT_NICE;
2524 return -errno;
2525 }
2526
2527 if (context->cpu_sched_set) {
2528 struct sched_param param = {
2529 .sched_priority = context->cpu_sched_priority,
2530 };
2531
2532 r = sched_setscheduler(0,
2533 context->cpu_sched_policy |
2534 (context->cpu_sched_reset_on_fork ?
2535 SCHED_RESET_ON_FORK : 0),
2536 &param);
2537 if (r < 0) {
2538 *exit_status = EXIT_SETSCHEDULER;
2539 return -errno;
2540 }
2541 }
2542
2543 if (context->cpuset)
2544 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
2545 *exit_status = EXIT_CPUAFFINITY;
2546 return -errno;
2547 }
2548
2549 if (context->ioprio_set)
2550 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
2551 *exit_status = EXIT_IOPRIO;
2552 return -errno;
2553 }
2554
2555 if (context->timer_slack_nsec != NSEC_INFINITY)
2556 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
2557 *exit_status = EXIT_TIMERSLACK;
2558 return -errno;
2559 }
2560
2561 if (context->personality != PERSONALITY_INVALID)
2562 if (personality(context->personality) < 0) {
2563 *exit_status = EXIT_PERSONALITY;
2564 return -errno;
2565 }
2566
2567 if (context->utmp_id)
2568 utmp_put_init_process(context->utmp_id, getpid_cached(), getsid(0),
2569 context->tty_path,
2570 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
2571 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
2572 USER_PROCESS,
2573 username);
2574
2575 if (context->user) {
2576 r = chown_terminal(STDIN_FILENO, uid);
2577 if (r < 0) {
2578 *exit_status = EXIT_STDIN;
2579 return r;
2580 }
2581 }
2582
2583 /* If delegation is enabled we'll pass ownership of the cgroup
2584 * (but only in systemd's own controller hierarchy!) to the
2585 * user of the new process. */
2586 if (params->cgroup_path && context->user && params->cgroup_delegate) {
2587 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
2588 if (r < 0) {
2589 *exit_status = EXIT_CGROUP;
2590 return r;
2591 }
2592
2593
2594 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
2595 if (r < 0) {
2596 *exit_status = EXIT_CGROUP;
2597 return r;
2598 }
2599 }
2600
2601 for (dt = 0; dt < _EXEC_DIRECTORY_MAX; dt++) {
2602 r = setup_exec_directory(context, params, uid, gid, MANAGER_IS_SYSTEM(unit->manager), dt, exit_status);
2603 if (r < 0)
2604 return r;
2605 }
2606
2607 r = build_environment(
2608 unit,
2609 context,
2610 params,
2611 n_fds,
2612 home,
2613 username,
2614 shell,
2615 journal_stream_dev,
2616 journal_stream_ino,
2617 &our_env);
2618 if (r < 0) {
2619 *exit_status = EXIT_MEMORY;
2620 return r;
2621 }
2622
2623 r = build_pass_environment(context, &pass_env);
2624 if (r < 0) {
2625 *exit_status = EXIT_MEMORY;
2626 return r;
2627 }
2628
2629 accum_env = strv_env_merge(5,
2630 params->environment,
2631 our_env,
2632 pass_env,
2633 context->environment,
2634 files_env,
2635 NULL);
2636 if (!accum_env) {
2637 *exit_status = EXIT_MEMORY;
2638 return -ENOMEM;
2639 }
2640 accum_env = strv_env_clean(accum_env);
2641
2642 (void) umask(context->umask);
2643
2644 r = setup_keyring(unit, params, uid, gid);
2645 if (r < 0) {
2646 *exit_status = EXIT_KEYRING;
2647 return r;
2648 }
2649
2650 needs_exec_restrictions = (params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged;
2651
2652 if (needs_exec_restrictions) {
2653 if (context->pam_name && username) {
2654 r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds);
2655 if (r < 0) {
2656 *exit_status = EXIT_PAM;
2657 return r;
2658 }
2659 }
2660
2661 /* MAC enablement checks need to be done before a new mount ns is created, as they rely on /sys being
2662 * present. The actual MAC context application will happen later, as late as possible, to avoid
2663 * impacting our own code paths. */
2664
2665 #ifdef HAVE_SELINUX
2666 needs_selinux = mac_selinux_use();
2667 #endif
2668
2669 #ifdef HAVE_SMACK
2670 needs_smack = mac_smack_use();
2671 #endif
2672
2673 #ifdef HAVE_APPARMOR
2674 needs_apparmor = context->apparmor_profile && mac_apparmor_use();
2675 #endif
2676
2677 }
2678
2679 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
2680 r = setup_netns(runtime->netns_storage_socket);
2681 if (r < 0) {
2682 *exit_status = EXIT_NETWORK;
2683 return r;
2684 }
2685 }
2686
2687 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
2688 if (needs_mount_namespace) {
2689 r = apply_mount_namespace(unit, command, context, params, runtime);
2690 if (r < 0) {
2691 *exit_status = EXIT_NAMESPACE;
2692 return r;
2693 }
2694 }
2695
2696 /* Apply just after mount namespace setup */
2697 r = apply_working_directory(context, params, home, needs_mount_namespace, exit_status);
2698 if (r < 0)
2699 return r;
2700
2701 /* Drop groups as early as possbile */
2702 if (needs_exec_restrictions) {
2703 r = enforce_groups(context, gid, supplementary_gids, ngids);
2704 if (r < 0) {
2705 *exit_status = EXIT_GROUP;
2706 return r;
2707 }
2708 }
2709
2710 #ifdef HAVE_SELINUX
2711 if (needs_exec_restrictions && needs_selinux && params->selinux_context_net && socket_fd >= 0) {
2712 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
2713 if (r < 0) {
2714 *exit_status = EXIT_SELINUX_CONTEXT;
2715 return r;
2716 }
2717 }
2718 #endif
2719
2720 if ((params->flags & EXEC_APPLY_PERMISSIONS) && context->private_users) {
2721 r = setup_private_users(uid, gid);
2722 if (r < 0) {
2723 *exit_status = EXIT_USER;
2724 return r;
2725 }
2726 }
2727
2728 /* We repeat the fd closing here, to make sure that
2729 * nothing is leaked from the PAM modules. Note that
2730 * we are more aggressive this time since socket_fd
2731 * and the netns fds we don't need anymore. The custom
2732 * endpoint fd was needed to upload the policy and can
2733 * now be closed as well. */
2734 r = close_all_fds(fds, n_fds);
2735 if (r >= 0)
2736 r = shift_fds(fds, n_fds);
2737 if (r >= 0)
2738 r = flags_fds(fds, n_storage_fds, n_socket_fds, context->non_blocking);
2739 if (r < 0) {
2740 *exit_status = EXIT_FDS;
2741 return r;
2742 }
2743
2744 if (needs_exec_restrictions) {
2745
2746 int secure_bits = context->secure_bits;
2747
2748 for (i = 0; i < _RLIMIT_MAX; i++) {
2749
2750 if (!context->rlimit[i])
2751 continue;
2752
2753 r = setrlimit_closest(i, context->rlimit[i]);
2754 if (r < 0) {
2755 *exit_status = EXIT_LIMITS;
2756 return r;
2757 }
2758 }
2759
2760 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */
2761 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
2762 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
2763 *exit_status = EXIT_LIMITS;
2764 return -errno;
2765 }
2766 }
2767
2768 if (!cap_test_all(context->capability_bounding_set)) {
2769 r = capability_bounding_set_drop(context->capability_bounding_set, false);
2770 if (r < 0) {
2771 *exit_status = EXIT_CAPABILITIES;
2772 *error_message = strdup("Failed to drop capabilities");
2773 return r;
2774 }
2775 }
2776
2777 /* This is done before enforce_user, but ambient set
2778 * does not survive over setresuid() if keep_caps is not set. */
2779 if (context->capability_ambient_set != 0) {
2780 r = capability_ambient_set_apply(context->capability_ambient_set, true);
2781 if (r < 0) {
2782 *exit_status = EXIT_CAPABILITIES;
2783 *error_message = strdup("Failed to apply ambient capabilities (before UID change)");
2784 return r;
2785 }
2786 }
2787
2788 if (context->user) {
2789 r = enforce_user(context, uid);
2790 if (r < 0) {
2791 *exit_status = EXIT_USER;
2792 (void) asprintf(error_message, "Failed to change UID to "UID_FMT, uid);
2793 return r;
2794 }
2795 if (context->capability_ambient_set != 0) {
2796
2797 /* Fix the ambient capabilities after user change. */
2798 r = capability_ambient_set_apply(context->capability_ambient_set, false);
2799 if (r < 0) {
2800 *exit_status = EXIT_CAPABILITIES;
2801 *error_message = strdup("Failed to apply ambient capabilities (after UID change)");
2802 return r;
2803 }
2804
2805 /* If we were asked to change user and ambient capabilities
2806 * were requested, we had to add keep-caps to the securebits
2807 * so that we would maintain the inherited capability set
2808 * through the setresuid(). Make sure that the bit is added
2809 * also to the context secure_bits so that we don't try to
2810 * drop the bit away next. */
2811
2812 secure_bits |= 1<<SECURE_KEEP_CAPS;
2813 }
2814 }
2815
2816 /* Apply the MAC contexts late, but before seccomp syscall filtering, as those should really be last to
2817 * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
2818 * syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
2819 * are restricted. */
2820
2821 #ifdef HAVE_SELINUX
2822 if (needs_selinux) {
2823 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
2824
2825 if (exec_context) {
2826 r = setexeccon(exec_context);
2827 if (r < 0) {
2828 *exit_status = EXIT_SELINUX_CONTEXT;
2829 (void) asprintf(error_message, "Failed to set SELinux context to %s", exec_context);
2830 return r;
2831 }
2832 }
2833 }
2834 #endif
2835
2836 #ifdef HAVE_SMACK
2837 if (needs_smack) {
2838 r = setup_smack(context, command);
2839 if (r < 0) {
2840 *exit_status = EXIT_SMACK_PROCESS_LABEL;
2841 *error_message = strdup("Failed to set SMACK process label");
2842 return r;
2843 }
2844 }
2845 #endif
2846
2847 #ifdef HAVE_APPARMOR
2848 if (needs_apparmor) {
2849 r = aa_change_onexec(context->apparmor_profile);
2850 if (r < 0 && !context->apparmor_profile_ignore) {
2851 *exit_status = EXIT_APPARMOR_PROFILE;
2852 (void) asprintf(error_message,
2853 "Failed to prepare AppArmor profile change to %s",
2854 context->apparmor_profile);
2855 return -errno;
2856 }
2857 }
2858 #endif
2859
2860 /* PR_GET_SECUREBITS is not privileged, while
2861 * PR_SET_SECUREBITS is. So to suppress
2862 * potential EPERMs we'll try not to call
2863 * PR_SET_SECUREBITS unless necessary. */
2864 if (prctl(PR_GET_SECUREBITS) != secure_bits)
2865 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
2866 *exit_status = EXIT_SECUREBITS;
2867 *error_message = strdup("Failed to set secure bits");
2868 return -errno;
2869 }
2870
2871 if (context_has_no_new_privileges(context))
2872 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
2873 *exit_status = EXIT_NO_NEW_PRIVILEGES;
2874 *error_message = strdup("Failed to disable new privileges");
2875 return -errno;
2876 }
2877
2878 #ifdef HAVE_SECCOMP
2879 r = apply_address_families(unit, context);
2880 if (r < 0) {
2881 *exit_status = EXIT_ADDRESS_FAMILIES;
2882 *error_message = strdup("Failed to restrict address families");
2883 return r;
2884 }
2885
2886 r = apply_memory_deny_write_execute(unit, context);
2887 if (r < 0) {
2888 *exit_status = EXIT_SECCOMP;
2889 *error_message = strdup("Failed to disable writing to executable memory");
2890 return r;
2891 }
2892
2893 r = apply_restrict_realtime(unit, context);
2894 if (r < 0) {
2895 *exit_status = EXIT_SECCOMP;
2896 *error_message = strdup("Failed to apply realtime restrictions");
2897 return r;
2898 }
2899
2900 r = apply_restrict_namespaces(unit, context);
2901 if (r < 0) {
2902 *exit_status = EXIT_SECCOMP;
2903 *error_message = strdup("Failed to apply namespace restrictions");
2904 return r;
2905 }
2906
2907 r = apply_protect_sysctl(unit, context);
2908 if (r < 0) {
2909 *exit_status = EXIT_SECCOMP;
2910 *error_message = strdup("Failed to apply sysctl restrictions");
2911 return r;
2912 }
2913
2914 r = apply_protect_kernel_modules(unit, context);
2915 if (r < 0) {
2916 *exit_status = EXIT_SECCOMP;
2917 *error_message = strdup("Failed to apply module loading restrictions");
2918 return r;
2919 }
2920
2921 r = apply_private_devices(unit, context);
2922 if (r < 0) {
2923 *exit_status = EXIT_SECCOMP;
2924 *error_message = strdup("Failed to set up private devices");
2925 return r;
2926 }
2927
2928 r = apply_syscall_archs(unit, context);
2929 if (r < 0) {
2930 *exit_status = EXIT_SECCOMP;
2931 *error_message = strdup("Failed to apply syscall architecture restrictions");
2932 return r;
2933 }
2934
2935 /* This really should remain the last step before the execve(), to make sure our own code is unaffected
2936 * by the filter as little as possible. */
2937 r = apply_syscall_filter(unit, context);
2938 if (r < 0) {
2939 *exit_status = EXIT_SECCOMP;
2940 *error_message = strdup("Failed to apply syscall filters");
2941 return r;
2942 }
2943 #endif
2944 }
2945
2946 final_argv = replace_env_argv(argv, accum_env);
2947 if (!final_argv) {
2948 *exit_status = EXIT_MEMORY;
2949 *error_message = strdup("Failed to prepare process arguments");
2950 return -ENOMEM;
2951 }
2952
2953 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
2954 _cleanup_free_ char *line;
2955
2956 line = exec_command_line(final_argv);
2957 if (line) {
2958 log_open();
2959 log_struct(LOG_DEBUG,
2960 "EXECUTABLE=%s", command->path,
2961 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
2962 LOG_UNIT_ID(unit),
2963 NULL);
2964 log_close();
2965 }
2966 }
2967
2968 execve(command->path, final_argv, accum_env);
2969 *exit_status = EXIT_EXEC;
2970 return -errno;
2971 }
2972
2973 int exec_spawn(Unit *unit,
2974 ExecCommand *command,
2975 const ExecContext *context,
2976 const ExecParameters *params,
2977 ExecRuntime *runtime,
2978 DynamicCreds *dcreds,
2979 pid_t *ret) {
2980
2981 _cleanup_strv_free_ char **files_env = NULL;
2982 int *fds = NULL;
2983 unsigned n_storage_fds = 0, n_socket_fds = 0;
2984 _cleanup_free_ char *line = NULL;
2985 int socket_fd, r;
2986 int named_iofds[3] = { -1, -1, -1 };
2987 char **argv;
2988 pid_t pid;
2989
2990 assert(unit);
2991 assert(command);
2992 assert(context);
2993 assert(ret);
2994 assert(params);
2995 assert(params->fds || (params->n_storage_fds + params->n_socket_fds <= 0));
2996
2997 if (context->std_input == EXEC_INPUT_SOCKET ||
2998 context->std_output == EXEC_OUTPUT_SOCKET ||
2999 context->std_error == EXEC_OUTPUT_SOCKET) {
3000
3001 if (params->n_socket_fds > 1) {
3002 log_unit_error(unit, "Got more than one socket.");
3003 return -EINVAL;
3004 }
3005
3006 if (params->n_socket_fds == 0) {
3007 log_unit_error(unit, "Got no socket.");
3008 return -EINVAL;
3009 }
3010
3011 socket_fd = params->fds[0];
3012 } else {
3013 socket_fd = -1;
3014 fds = params->fds;
3015 n_storage_fds = params->n_storage_fds;
3016 n_socket_fds = params->n_socket_fds;
3017 }
3018
3019 r = exec_context_named_iofds(unit, context, params, named_iofds);
3020 if (r < 0)
3021 return log_unit_error_errno(unit, r, "Failed to load a named file descriptor: %m");
3022
3023 r = exec_context_load_environment(unit, context, &files_env);
3024 if (r < 0)
3025 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
3026
3027 argv = params->argv ?: command->argv;
3028 line = exec_command_line(argv);
3029 if (!line)
3030 return log_oom();
3031
3032 log_struct(LOG_DEBUG,
3033 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
3034 "EXECUTABLE=%s", command->path,
3035 LOG_UNIT_ID(unit),
3036 NULL);
3037 pid = fork();
3038 if (pid < 0)
3039 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
3040
3041 if (pid == 0) {
3042 int exit_status;
3043 _cleanup_free_ char *error_message = NULL;
3044
3045 r = exec_child(unit,
3046 command,
3047 context,
3048 params,
3049 runtime,
3050 dcreds,
3051 argv,
3052 socket_fd,
3053 named_iofds,
3054 fds,
3055 n_storage_fds,
3056 n_socket_fds,
3057 files_env,
3058 unit->manager->user_lookup_fds[1],
3059 &exit_status,
3060 &error_message);
3061 if (r < 0) {
3062 log_open();
3063 if (error_message)
3064 log_struct_errno(LOG_ERR, r,
3065 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
3066 LOG_UNIT_ID(unit),
3067 LOG_UNIT_MESSAGE(unit, "%s: %m",
3068 error_message),
3069 "EXECUTABLE=%s", command->path,
3070 NULL);
3071 else if (r == -ENOENT && command->ignore)
3072 log_struct_errno(LOG_INFO, r,
3073 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
3074 LOG_UNIT_ID(unit),
3075 LOG_UNIT_MESSAGE(unit, "Skipped spawning %s: %m",
3076 command->path),
3077 "EXECUTABLE=%s", command->path,
3078 NULL);
3079 else
3080 log_struct_errno(LOG_ERR, r,
3081 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
3082 LOG_UNIT_ID(unit),
3083 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
3084 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
3085 command->path),
3086 "EXECUTABLE=%s", command->path,
3087 NULL);
3088 }
3089
3090 _exit(exit_status);
3091 }
3092
3093 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
3094
3095 /* We add the new process to the cgroup both in the child (so
3096 * that we can be sure that no user code is ever executed
3097 * outside of the cgroup) and in the parent (so that we can be
3098 * sure that when we kill the cgroup the process will be
3099 * killed too). */
3100 if (params->cgroup_path)
3101 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
3102
3103 exec_status_start(&command->exec_status, pid);
3104
3105 *ret = pid;
3106 return 0;
3107 }
3108
3109 void exec_context_init(ExecContext *c) {
3110 ExecDirectoryType i;
3111
3112 assert(c);
3113
3114 c->umask = 0022;
3115 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
3116 c->cpu_sched_policy = SCHED_OTHER;
3117 c->syslog_priority = LOG_DAEMON|LOG_INFO;
3118 c->syslog_level_prefix = true;
3119 c->ignore_sigpipe = true;
3120 c->timer_slack_nsec = NSEC_INFINITY;
3121 c->personality = PERSONALITY_INVALID;
3122 for (i = 0; i < _EXEC_DIRECTORY_MAX; i++)
3123 c->directories[i].mode = 0755;
3124 c->capability_bounding_set = CAP_ALL;
3125 c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
3126 }
3127
3128 void exec_context_done(ExecContext *c) {
3129 unsigned l;
3130 ExecDirectoryType i;
3131
3132 assert(c);
3133
3134 c->environment = strv_free(c->environment);
3135 c->environment_files = strv_free(c->environment_files);
3136 c->pass_environment = strv_free(c->pass_environment);
3137
3138 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
3139 c->rlimit[l] = mfree(c->rlimit[l]);
3140
3141 for (l = 0; l < 3; l++)
3142 c->stdio_fdname[l] = mfree(c->stdio_fdname[l]);
3143
3144 c->working_directory = mfree(c->working_directory);
3145 c->root_directory = mfree(c->root_directory);
3146 c->root_image = mfree(c->root_image);
3147 c->tty_path = mfree(c->tty_path);
3148 c->syslog_identifier = mfree(c->syslog_identifier);
3149 c->user = mfree(c->user);
3150 c->group = mfree(c->group);
3151
3152 c->supplementary_groups = strv_free(c->supplementary_groups);
3153
3154 c->pam_name = mfree(c->pam_name);
3155
3156 c->read_only_paths = strv_free(c->read_only_paths);
3157 c->read_write_paths = strv_free(c->read_write_paths);
3158 c->inaccessible_paths = strv_free(c->inaccessible_paths);
3159
3160 bind_mount_free_many(c->bind_mounts, c->n_bind_mounts);
3161
3162 if (c->cpuset)
3163 CPU_FREE(c->cpuset);
3164
3165 c->utmp_id = mfree(c->utmp_id);
3166 c->selinux_context = mfree(c->selinux_context);
3167 c->apparmor_profile = mfree(c->apparmor_profile);
3168 c->smack_process_label = mfree(c->smack_process_label);
3169
3170 c->syscall_filter = set_free(c->syscall_filter);
3171 c->syscall_archs = set_free(c->syscall_archs);
3172 c->address_families = set_free(c->address_families);
3173
3174 for (i = 0; i < _EXEC_DIRECTORY_MAX; i++)
3175 c->directories[i].paths = strv_free(c->directories[i].paths);
3176 }
3177
3178 int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
3179 char **i;
3180
3181 assert(c);
3182
3183 if (!runtime_prefix)
3184 return 0;
3185
3186 STRV_FOREACH(i, c->directories[EXEC_DIRECTORY_RUNTIME].paths) {
3187 _cleanup_free_ char *p;
3188
3189 p = strjoin(runtime_prefix, "/", *i);
3190 if (!p)
3191 return -ENOMEM;
3192
3193 /* We execute this synchronously, since we need to be
3194 * sure this is gone when we start the service
3195 * next. */
3196 (void) rm_rf(p, REMOVE_ROOT);
3197 }
3198
3199 return 0;
3200 }
3201
3202 void exec_command_done(ExecCommand *c) {
3203 assert(c);
3204
3205 c->path = mfree(c->path);
3206
3207 c->argv = strv_free(c->argv);
3208 }
3209
3210 void exec_command_done_array(ExecCommand *c, unsigned n) {
3211 unsigned i;
3212
3213 for (i = 0; i < n; i++)
3214 exec_command_done(c+i);
3215 }
3216
3217 ExecCommand* exec_command_free_list(ExecCommand *c) {
3218 ExecCommand *i;
3219
3220 while ((i = c)) {
3221 LIST_REMOVE(command, c, i);
3222 exec_command_done(i);
3223 free(i);
3224 }
3225
3226 return NULL;
3227 }
3228
3229 void exec_command_free_array(ExecCommand **c, unsigned n) {
3230 unsigned i;
3231
3232 for (i = 0; i < n; i++)
3233 c[i] = exec_command_free_list(c[i]);
3234 }
3235
3236 typedef struct InvalidEnvInfo {
3237 Unit *unit;
3238 const char *path;
3239 } InvalidEnvInfo;
3240
3241 static void invalid_env(const char *p, void *userdata) {
3242 InvalidEnvInfo *info = userdata;
3243
3244 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
3245 }
3246
3247 const char* exec_context_fdname(const ExecContext *c, int fd_index) {
3248 assert(c);
3249
3250 switch (fd_index) {
3251 case STDIN_FILENO:
3252 if (c->std_input != EXEC_INPUT_NAMED_FD)
3253 return NULL;
3254 return c->stdio_fdname[STDIN_FILENO] ?: "stdin";
3255 case STDOUT_FILENO:
3256 if (c->std_output != EXEC_OUTPUT_NAMED_FD)
3257 return NULL;
3258 return c->stdio_fdname[STDOUT_FILENO] ?: "stdout";
3259 case STDERR_FILENO:
3260 if (c->std_error != EXEC_OUTPUT_NAMED_FD)
3261 return NULL;
3262 return c->stdio_fdname[STDERR_FILENO] ?: "stderr";
3263 default:
3264 return NULL;
3265 }
3266 }
3267
3268 int exec_context_named_iofds(Unit *unit, const ExecContext *c, const ExecParameters *p, int named_iofds[3]) {
3269 unsigned i, targets;
3270 const char* stdio_fdname[3];
3271 unsigned n_fds;
3272
3273 assert(c);
3274 assert(p);
3275
3276 targets = (c->std_input == EXEC_INPUT_NAMED_FD) +
3277 (c->std_output == EXEC_OUTPUT_NAMED_FD) +
3278 (c->std_error == EXEC_OUTPUT_NAMED_FD);
3279
3280 for (i = 0; i < 3; i++)
3281 stdio_fdname[i] = exec_context_fdname(c, i);
3282
3283 n_fds = p->n_storage_fds + p->n_socket_fds;
3284
3285 for (i = 0; i < n_fds && targets > 0; i++)
3286 if (named_iofds[STDIN_FILENO] < 0 &&
3287 c->std_input == EXEC_INPUT_NAMED_FD &&
3288 stdio_fdname[STDIN_FILENO] &&
3289 streq(p->fd_names[i], stdio_fdname[STDIN_FILENO])) {
3290
3291 named_iofds[STDIN_FILENO] = p->fds[i];
3292 targets--;
3293
3294 } else if (named_iofds[STDOUT_FILENO] < 0 &&
3295 c->std_output == EXEC_OUTPUT_NAMED_FD &&
3296 stdio_fdname[STDOUT_FILENO] &&
3297 streq(p->fd_names[i], stdio_fdname[STDOUT_FILENO])) {
3298
3299 named_iofds[STDOUT_FILENO] = p->fds[i];
3300 targets--;
3301
3302 } else if (named_iofds[STDERR_FILENO] < 0 &&
3303 c->std_error == EXEC_OUTPUT_NAMED_FD &&
3304 stdio_fdname[STDERR_FILENO] &&
3305 streq(p->fd_names[i], stdio_fdname[STDERR_FILENO])) {
3306
3307 named_iofds[STDERR_FILENO] = p->fds[i];
3308 targets--;
3309 }
3310
3311 return targets == 0 ? 0 : -ENOENT;
3312 }
3313
3314 int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
3315 char **i, **r = NULL;
3316
3317 assert(c);
3318 assert(l);
3319
3320 STRV_FOREACH(i, c->environment_files) {
3321 char *fn;
3322 int k;
3323 unsigned n;
3324 bool ignore = false;
3325 char **p;
3326 _cleanup_globfree_ glob_t pglob = {};
3327
3328 fn = *i;
3329
3330 if (fn[0] == '-') {
3331 ignore = true;
3332 fn++;
3333 }
3334
3335 if (!path_is_absolute(fn)) {
3336 if (ignore)
3337 continue;
3338
3339 strv_free(r);
3340 return -EINVAL;
3341 }
3342
3343 /* Filename supports globbing, take all matching files */
3344 k = safe_glob(fn, 0, &pglob);
3345 if (k < 0) {
3346 if (ignore)
3347 continue;
3348
3349 strv_free(r);
3350 return k;
3351 }
3352
3353 /* When we don't match anything, -ENOENT should be returned */
3354 assert(pglob.gl_pathc > 0);
3355
3356 for (n = 0; n < pglob.gl_pathc; n++) {
3357 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
3358 if (k < 0) {
3359 if (ignore)
3360 continue;
3361
3362 strv_free(r);
3363 return k;
3364 }
3365 /* Log invalid environment variables with filename */
3366 if (p) {
3367 InvalidEnvInfo info = {
3368 .unit = unit,
3369 .path = pglob.gl_pathv[n]
3370 };
3371
3372 p = strv_env_clean_with_callback(p, invalid_env, &info);
3373 }
3374
3375 if (r == NULL)
3376 r = p;
3377 else {
3378 char **m;
3379
3380 m = strv_env_merge(2, r, p);
3381 strv_free(r);
3382 strv_free(p);
3383 if (!m)
3384 return -ENOMEM;
3385
3386 r = m;
3387 }
3388 }
3389 }
3390
3391 *l = r;
3392
3393 return 0;
3394 }
3395
3396 static bool tty_may_match_dev_console(const char *tty) {
3397 _cleanup_free_ char *active = NULL;
3398 char *console;
3399
3400 if (!tty)
3401 return true;
3402
3403 if (startswith(tty, "/dev/"))
3404 tty += 5;
3405
3406 /* trivial identity? */
3407 if (streq(tty, "console"))
3408 return true;
3409
3410 console = resolve_dev_console(&active);
3411 /* if we could not resolve, assume it may */
3412 if (!console)
3413 return true;
3414
3415 /* "tty0" means the active VC, so it may be the same sometimes */
3416 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
3417 }
3418
3419 bool exec_context_may_touch_console(ExecContext *ec) {
3420
3421 return (ec->tty_reset ||
3422 ec->tty_vhangup ||
3423 ec->tty_vt_disallocate ||
3424 is_terminal_input(ec->std_input) ||
3425 is_terminal_output(ec->std_output) ||
3426 is_terminal_output(ec->std_error)) &&
3427 tty_may_match_dev_console(exec_context_tty_path(ec));
3428 }
3429
3430 static void strv_fprintf(FILE *f, char **l) {
3431 char **g;
3432
3433 assert(f);
3434
3435 STRV_FOREACH(g, l)
3436 fprintf(f, " %s", *g);
3437 }
3438
3439 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
3440 char **e, **d;
3441 unsigned i;
3442 ExecDirectoryType dt;
3443 int r;
3444
3445 assert(c);
3446 assert(f);
3447
3448 prefix = strempty(prefix);
3449
3450 fprintf(f,
3451 "%sUMask: %04o\n"
3452 "%sWorkingDirectory: %s\n"
3453 "%sRootDirectory: %s\n"
3454 "%sNonBlocking: %s\n"
3455 "%sPrivateTmp: %s\n"
3456 "%sPrivateDevices: %s\n"
3457 "%sProtectKernelTunables: %s\n"
3458 "%sProtectKernelModules: %s\n"
3459 "%sProtectControlGroups: %s\n"
3460 "%sPrivateNetwork: %s\n"
3461 "%sPrivateUsers: %s\n"
3462 "%sProtectHome: %s\n"
3463 "%sProtectSystem: %s\n"
3464 "%sMountAPIVFS: %s\n"
3465 "%sIgnoreSIGPIPE: %s\n"
3466 "%sMemoryDenyWriteExecute: %s\n"
3467 "%sRestrictRealtime: %s\n",
3468 prefix, c->umask,
3469 prefix, c->working_directory ? c->working_directory : "/",
3470 prefix, c->root_directory ? c->root_directory : "/",
3471 prefix, yes_no(c->non_blocking),
3472 prefix, yes_no(c->private_tmp),
3473 prefix, yes_no(c->private_devices),
3474 prefix, yes_no(c->protect_kernel_tunables),
3475 prefix, yes_no(c->protect_kernel_modules),
3476 prefix, yes_no(c->protect_control_groups),
3477 prefix, yes_no(c->private_network),
3478 prefix, yes_no(c->private_users),
3479 prefix, protect_home_to_string(c->protect_home),
3480 prefix, protect_system_to_string(c->protect_system),
3481 prefix, yes_no(c->mount_apivfs),
3482 prefix, yes_no(c->ignore_sigpipe),
3483 prefix, yes_no(c->memory_deny_write_execute),
3484 prefix, yes_no(c->restrict_realtime));
3485
3486 if (c->root_image)
3487 fprintf(f, "%sRootImage: %s\n", prefix, c->root_image);
3488
3489 STRV_FOREACH(e, c->environment)
3490 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
3491
3492 STRV_FOREACH(e, c->environment_files)
3493 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
3494
3495 STRV_FOREACH(e, c->pass_environment)
3496 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
3497
3498 fprintf(f, "%sRuntimeDirectoryPreserve: %s\n", prefix, exec_preserve_mode_to_string(c->runtime_directory_preserve_mode));
3499
3500 for (dt = 0; dt < _EXEC_DIRECTORY_MAX; dt++) {
3501 fprintf(f, "%s%sMode: %04o\n", prefix, exec_directory_type_to_string(dt), c->directories[dt].mode);
3502
3503 STRV_FOREACH(d, c->directories[dt].paths)
3504 fprintf(f, "%s%s: %s\n", prefix, exec_directory_type_to_string(dt), *d);
3505 }
3506
3507 if (c->nice_set)
3508 fprintf(f,
3509 "%sNice: %i\n",
3510 prefix, c->nice);
3511
3512 if (c->oom_score_adjust_set)
3513 fprintf(f,
3514 "%sOOMScoreAdjust: %i\n",
3515 prefix, c->oom_score_adjust);
3516
3517 for (i = 0; i < RLIM_NLIMITS; i++)
3518 if (c->rlimit[i]) {
3519 fprintf(f, "%s%s: " RLIM_FMT "\n",
3520 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
3521 fprintf(f, "%s%sSoft: " RLIM_FMT "\n",
3522 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
3523 }
3524
3525 if (c->ioprio_set) {
3526 _cleanup_free_ char *class_str = NULL;
3527
3528 r = ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
3529 if (r >= 0)
3530 fprintf(f, "%sIOSchedulingClass: %s\n", prefix, class_str);
3531
3532 fprintf(f, "%sIOPriority: %lu\n", prefix, IOPRIO_PRIO_DATA(c->ioprio));
3533 }
3534
3535 if (c->cpu_sched_set) {
3536 _cleanup_free_ char *policy_str = NULL;
3537
3538 r = sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
3539 if (r >= 0)
3540 fprintf(f, "%sCPUSchedulingPolicy: %s\n", prefix, policy_str);
3541
3542 fprintf(f,
3543 "%sCPUSchedulingPriority: %i\n"
3544 "%sCPUSchedulingResetOnFork: %s\n",
3545 prefix, c->cpu_sched_priority,
3546 prefix, yes_no(c->cpu_sched_reset_on_fork));
3547 }
3548
3549 if (c->cpuset) {
3550 fprintf(f, "%sCPUAffinity:", prefix);
3551 for (i = 0; i < c->cpuset_ncpus; i++)
3552 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
3553 fprintf(f, " %u", i);
3554 fputs("\n", f);
3555 }
3556
3557 if (c->timer_slack_nsec != NSEC_INFINITY)
3558 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
3559
3560 fprintf(f,
3561 "%sStandardInput: %s\n"
3562 "%sStandardOutput: %s\n"
3563 "%sStandardError: %s\n",
3564 prefix, exec_input_to_string(c->std_input),
3565 prefix, exec_output_to_string(c->std_output),
3566 prefix, exec_output_to_string(c->std_error));
3567
3568 if (c->tty_path)
3569 fprintf(f,
3570 "%sTTYPath: %s\n"
3571 "%sTTYReset: %s\n"
3572 "%sTTYVHangup: %s\n"
3573 "%sTTYVTDisallocate: %s\n",
3574 prefix, c->tty_path,
3575 prefix, yes_no(c->tty_reset),
3576 prefix, yes_no(c->tty_vhangup),
3577 prefix, yes_no(c->tty_vt_disallocate));
3578
3579 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
3580 c->std_output == EXEC_OUTPUT_KMSG ||
3581 c->std_output == EXEC_OUTPUT_JOURNAL ||
3582 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3583 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3584 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
3585 c->std_error == EXEC_OUTPUT_SYSLOG ||
3586 c->std_error == EXEC_OUTPUT_KMSG ||
3587 c->std_error == EXEC_OUTPUT_JOURNAL ||
3588 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3589 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3590 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
3591
3592 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
3593
3594 r = log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
3595 if (r >= 0)
3596 fprintf(f, "%sSyslogFacility: %s\n", prefix, fac_str);
3597
3598 r = log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
3599 if (r >= 0)
3600 fprintf(f, "%sSyslogLevel: %s\n", prefix, lvl_str);
3601 }
3602
3603 if (c->secure_bits) {
3604 _cleanup_free_ char *str = NULL;
3605
3606 r = secure_bits_to_string_alloc(c->secure_bits, &str);
3607 if (r >= 0)
3608 fprintf(f, "%sSecure Bits: %s\n", prefix, str);
3609 }
3610
3611 if (c->capability_bounding_set != CAP_ALL) {
3612 _cleanup_free_ char *str = NULL;
3613
3614 r = capability_set_to_string_alloc(c->capability_bounding_set, &str);
3615 if (r >= 0)
3616 fprintf(f, "%sCapabilityBoundingSet: %s\n", prefix, str);
3617 }
3618
3619 if (c->capability_ambient_set != 0) {
3620 _cleanup_free_ char *str = NULL;
3621
3622 r = capability_set_to_string_alloc(c->capability_ambient_set, &str);
3623 if (r >= 0)
3624 fprintf(f, "%sAmbientCapabilities: %s\n", prefix, str);
3625 }
3626
3627 if (c->user)
3628 fprintf(f, "%sUser: %s\n", prefix, c->user);
3629 if (c->group)
3630 fprintf(f, "%sGroup: %s\n", prefix, c->group);
3631
3632 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
3633
3634 if (strv_length(c->supplementary_groups) > 0) {
3635 fprintf(f, "%sSupplementaryGroups:", prefix);
3636 strv_fprintf(f, c->supplementary_groups);
3637 fputs("\n", f);
3638 }
3639
3640 if (c->pam_name)
3641 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
3642
3643 if (strv_length(c->read_write_paths) > 0) {
3644 fprintf(f, "%sReadWritePaths:", prefix);
3645 strv_fprintf(f, c->read_write_paths);
3646 fputs("\n", f);
3647 }
3648
3649 if (strv_length(c->read_only_paths) > 0) {
3650 fprintf(f, "%sReadOnlyPaths:", prefix);
3651 strv_fprintf(f, c->read_only_paths);
3652 fputs("\n", f);
3653 }
3654
3655 if (strv_length(c->inaccessible_paths) > 0) {
3656 fprintf(f, "%sInaccessiblePaths:", prefix);
3657 strv_fprintf(f, c->inaccessible_paths);
3658 fputs("\n", f);
3659 }
3660
3661 if (c->n_bind_mounts > 0)
3662 for (i = 0; i < c->n_bind_mounts; i++) {
3663 fprintf(f, "%s%s: %s:%s:%s\n", prefix,
3664 c->bind_mounts[i].read_only ? "BindReadOnlyPaths" : "BindPaths",
3665 c->bind_mounts[i].source,
3666 c->bind_mounts[i].destination,
3667 c->bind_mounts[i].recursive ? "rbind" : "norbind");
3668 }
3669
3670 if (c->utmp_id)
3671 fprintf(f,
3672 "%sUtmpIdentifier: %s\n",
3673 prefix, c->utmp_id);
3674
3675 if (c->selinux_context)
3676 fprintf(f,
3677 "%sSELinuxContext: %s%s\n",
3678 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
3679
3680 if (c->apparmor_profile)
3681 fprintf(f,
3682 "%sAppArmorProfile: %s%s\n",
3683 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
3684
3685 if (c->smack_process_label)
3686 fprintf(f,
3687 "%sSmackProcessLabel: %s%s\n",
3688 prefix, c->smack_process_label_ignore ? "-" : "", c->smack_process_label);
3689
3690 if (c->personality != PERSONALITY_INVALID)
3691 fprintf(f,
3692 "%sPersonality: %s\n",
3693 prefix, strna(personality_to_string(c->personality)));
3694
3695 if (c->syscall_filter) {
3696 #ifdef HAVE_SECCOMP
3697 Iterator j;
3698 void *id;
3699 bool first = true;
3700 #endif
3701
3702 fprintf(f,
3703 "%sSystemCallFilter: ",
3704 prefix);
3705
3706 if (!c->syscall_whitelist)
3707 fputc('~', f);
3708
3709 #ifdef HAVE_SECCOMP
3710 SET_FOREACH(id, c->syscall_filter, j) {
3711 _cleanup_free_ char *name = NULL;
3712
3713 if (first)
3714 first = false;
3715 else
3716 fputc(' ', f);
3717
3718 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
3719 fputs(strna(name), f);
3720 }
3721 #endif
3722
3723 fputc('\n', f);
3724 }
3725
3726 if (c->syscall_archs) {
3727 #ifdef HAVE_SECCOMP
3728 Iterator j;
3729 void *id;
3730 #endif
3731
3732 fprintf(f,
3733 "%sSystemCallArchitectures:",
3734 prefix);
3735
3736 #ifdef HAVE_SECCOMP
3737 SET_FOREACH(id, c->syscall_archs, j)
3738 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
3739 #endif
3740 fputc('\n', f);
3741 }
3742
3743 if (exec_context_restrict_namespaces_set(c)) {
3744 _cleanup_free_ char *s = NULL;
3745
3746 r = namespace_flag_to_string_many(c->restrict_namespaces, &s);
3747 if (r >= 0)
3748 fprintf(f, "%sRestrictNamespaces: %s\n",
3749 prefix, s);
3750 }
3751
3752 if (c->syscall_errno > 0)
3753 fprintf(f,
3754 "%sSystemCallErrorNumber: %s\n",
3755 prefix, strna(errno_to_name(c->syscall_errno)));
3756
3757 if (c->apparmor_profile)
3758 fprintf(f,
3759 "%sAppArmorProfile: %s%s\n",
3760 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
3761 }
3762
3763 bool exec_context_maintains_privileges(ExecContext *c) {
3764 assert(c);
3765
3766 /* Returns true if the process forked off would run under
3767 * an unchanged UID or as root. */
3768
3769 if (!c->user)
3770 return true;
3771
3772 if (streq(c->user, "root") || streq(c->user, "0"))
3773 return true;
3774
3775 return false;
3776 }
3777
3778 int exec_context_get_effective_ioprio(ExecContext *c) {
3779 int p;
3780
3781 assert(c);
3782
3783 if (c->ioprio_set)
3784 return c->ioprio;
3785
3786 p = ioprio_get(IOPRIO_WHO_PROCESS, 0);
3787 if (p < 0)
3788 return IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 4);
3789
3790 return p;
3791 }
3792
3793 void exec_status_start(ExecStatus *s, pid_t pid) {
3794 assert(s);
3795
3796 zero(*s);
3797 s->pid = pid;
3798 dual_timestamp_get(&s->start_timestamp);
3799 }
3800
3801 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
3802 assert(s);
3803
3804 if (s->pid && s->pid != pid)
3805 zero(*s);
3806
3807 s->pid = pid;
3808 dual_timestamp_get(&s->exit_timestamp);
3809
3810 s->code = code;
3811 s->status = status;
3812
3813 if (context) {
3814 if (context->utmp_id)
3815 utmp_put_dead_process(context->utmp_id, pid, code, status);
3816
3817 exec_context_tty_reset(context, NULL);
3818 }
3819 }
3820
3821 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
3822 char buf[FORMAT_TIMESTAMP_MAX];
3823
3824 assert(s);
3825 assert(f);
3826
3827 if (s->pid <= 0)
3828 return;
3829
3830 prefix = strempty(prefix);
3831
3832 fprintf(f,
3833 "%sPID: "PID_FMT"\n",
3834 prefix, s->pid);
3835
3836 if (dual_timestamp_is_set(&s->start_timestamp))
3837 fprintf(f,
3838 "%sStart Timestamp: %s\n",
3839 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
3840
3841 if (dual_timestamp_is_set(&s->exit_timestamp))
3842 fprintf(f,
3843 "%sExit Timestamp: %s\n"
3844 "%sExit Code: %s\n"
3845 "%sExit Status: %i\n",
3846 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
3847 prefix, sigchld_code_to_string(s->code),
3848 prefix, s->status);
3849 }
3850
3851 char *exec_command_line(char **argv) {
3852 size_t k;
3853 char *n, *p, **a;
3854 bool first = true;
3855
3856 assert(argv);
3857
3858 k = 1;
3859 STRV_FOREACH(a, argv)
3860 k += strlen(*a)+3;
3861
3862 n = new(char, k);
3863 if (!n)
3864 return NULL;
3865
3866 p = n;
3867 STRV_FOREACH(a, argv) {
3868
3869 if (!first)
3870 *(p++) = ' ';
3871 else
3872 first = false;
3873
3874 if (strpbrk(*a, WHITESPACE)) {
3875 *(p++) = '\'';
3876 p = stpcpy(p, *a);
3877 *(p++) = '\'';
3878 } else
3879 p = stpcpy(p, *a);
3880
3881 }
3882
3883 *p = 0;
3884
3885 /* FIXME: this doesn't really handle arguments that have
3886 * spaces and ticks in them */
3887
3888 return n;
3889 }
3890
3891 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
3892 _cleanup_free_ char *cmd = NULL;
3893 const char *prefix2;
3894
3895 assert(c);
3896 assert(f);
3897
3898 prefix = strempty(prefix);
3899 prefix2 = strjoina(prefix, "\t");
3900
3901 cmd = exec_command_line(c->argv);
3902 fprintf(f,
3903 "%sCommand Line: %s\n",
3904 prefix, cmd ? cmd : strerror(ENOMEM));
3905
3906 exec_status_dump(&c->exec_status, f, prefix2);
3907 }
3908
3909 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
3910 assert(f);
3911
3912 prefix = strempty(prefix);
3913
3914 LIST_FOREACH(command, c, c)
3915 exec_command_dump(c, f, prefix);
3916 }
3917
3918 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
3919 ExecCommand *end;
3920
3921 assert(l);
3922 assert(e);
3923
3924 if (*l) {
3925 /* It's kind of important, that we keep the order here */
3926 LIST_FIND_TAIL(command, *l, end);
3927 LIST_INSERT_AFTER(command, *l, end, e);
3928 } else
3929 *l = e;
3930 }
3931
3932 int exec_command_set(ExecCommand *c, const char *path, ...) {
3933 va_list ap;
3934 char **l, *p;
3935
3936 assert(c);
3937 assert(path);
3938
3939 va_start(ap, path);
3940 l = strv_new_ap(path, ap);
3941 va_end(ap);
3942
3943 if (!l)
3944 return -ENOMEM;
3945
3946 p = strdup(path);
3947 if (!p) {
3948 strv_free(l);
3949 return -ENOMEM;
3950 }
3951
3952 free(c->path);
3953 c->path = p;
3954
3955 strv_free(c->argv);
3956 c->argv = l;
3957
3958 return 0;
3959 }
3960
3961 int exec_command_append(ExecCommand *c, const char *path, ...) {
3962 _cleanup_strv_free_ char **l = NULL;
3963 va_list ap;
3964 int r;
3965
3966 assert(c);
3967 assert(path);
3968
3969 va_start(ap, path);
3970 l = strv_new_ap(path, ap);
3971 va_end(ap);
3972
3973 if (!l)
3974 return -ENOMEM;
3975
3976 r = strv_extend_strv(&c->argv, l, false);
3977 if (r < 0)
3978 return r;
3979
3980 return 0;
3981 }
3982
3983
3984 static int exec_runtime_allocate(ExecRuntime **rt) {
3985
3986 if (*rt)
3987 return 0;
3988
3989 *rt = new0(ExecRuntime, 1);
3990 if (!*rt)
3991 return -ENOMEM;
3992
3993 (*rt)->n_ref = 1;
3994 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
3995
3996 return 0;
3997 }
3998
3999 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
4000 int r;
4001
4002 assert(rt);
4003 assert(c);
4004 assert(id);
4005
4006 if (*rt)
4007 return 1;
4008
4009 if (!c->private_network && !c->private_tmp)
4010 return 0;
4011
4012 r = exec_runtime_allocate(rt);
4013 if (r < 0)
4014 return r;
4015
4016 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
4017 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, (*rt)->netns_storage_socket) < 0)
4018 return -errno;
4019 }
4020
4021 if (c->private_tmp && !(*rt)->tmp_dir) {
4022 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
4023 if (r < 0)
4024 return r;
4025 }
4026
4027 return 1;
4028 }
4029
4030 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
4031 assert(r);
4032 assert(r->n_ref > 0);
4033
4034 r->n_ref++;
4035 return r;
4036 }
4037
4038 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
4039
4040 if (!r)
4041 return NULL;
4042
4043 assert(r->n_ref > 0);
4044
4045 r->n_ref--;
4046 if (r->n_ref > 0)
4047 return NULL;
4048
4049 free(r->tmp_dir);
4050 free(r->var_tmp_dir);
4051 safe_close_pair(r->netns_storage_socket);
4052 return mfree(r);
4053 }
4054
4055 int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
4056 assert(u);
4057 assert(f);
4058 assert(fds);
4059
4060 if (!rt)
4061 return 0;
4062
4063 if (rt->tmp_dir)
4064 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
4065
4066 if (rt->var_tmp_dir)
4067 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
4068
4069 if (rt->netns_storage_socket[0] >= 0) {
4070 int copy;
4071
4072 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
4073 if (copy < 0)
4074 return copy;
4075
4076 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
4077 }
4078
4079 if (rt->netns_storage_socket[1] >= 0) {
4080 int copy;
4081
4082 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
4083 if (copy < 0)
4084 return copy;
4085
4086 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
4087 }
4088
4089 return 0;
4090 }
4091
4092 int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
4093 int r;
4094
4095 assert(rt);
4096 assert(key);
4097 assert(value);
4098
4099 if (streq(key, "tmp-dir")) {
4100 char *copy;
4101
4102 r = exec_runtime_allocate(rt);
4103 if (r < 0)
4104 return log_oom();
4105
4106 copy = strdup(value);
4107 if (!copy)
4108 return log_oom();
4109
4110 free((*rt)->tmp_dir);
4111 (*rt)->tmp_dir = copy;
4112
4113 } else if (streq(key, "var-tmp-dir")) {
4114 char *copy;
4115
4116 r = exec_runtime_allocate(rt);
4117 if (r < 0)
4118 return log_oom();
4119
4120 copy = strdup(value);
4121 if (!copy)
4122 return log_oom();
4123
4124 free((*rt)->var_tmp_dir);
4125 (*rt)->var_tmp_dir = copy;
4126
4127 } else if (streq(key, "netns-socket-0")) {
4128 int fd;
4129
4130 r = exec_runtime_allocate(rt);
4131 if (r < 0)
4132 return log_oom();
4133
4134 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
4135 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
4136 else {
4137 safe_close((*rt)->netns_storage_socket[0]);
4138 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
4139 }
4140 } else if (streq(key, "netns-socket-1")) {
4141 int fd;
4142
4143 r = exec_runtime_allocate(rt);
4144 if (r < 0)
4145 return log_oom();
4146
4147 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
4148 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
4149 else {
4150 safe_close((*rt)->netns_storage_socket[1]);
4151 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
4152 }
4153 } else
4154 return 0;
4155
4156 return 1;
4157 }
4158
4159 static void *remove_tmpdir_thread(void *p) {
4160 _cleanup_free_ char *path = p;
4161
4162 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
4163 return NULL;
4164 }
4165
4166 void exec_runtime_destroy(ExecRuntime *rt) {
4167 int r;
4168
4169 if (!rt)
4170 return;
4171
4172 /* If there are multiple users of this, let's leave the stuff around */
4173 if (rt->n_ref > 1)
4174 return;
4175
4176 if (rt->tmp_dir) {
4177 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
4178
4179 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
4180 if (r < 0) {
4181 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
4182 free(rt->tmp_dir);
4183 }
4184
4185 rt->tmp_dir = NULL;
4186 }
4187
4188 if (rt->var_tmp_dir) {
4189 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
4190
4191 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
4192 if (r < 0) {
4193 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
4194 free(rt->var_tmp_dir);
4195 }
4196
4197 rt->var_tmp_dir = NULL;
4198 }
4199
4200 safe_close_pair(rt->netns_storage_socket);
4201 }
4202
4203 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
4204 [EXEC_INPUT_NULL] = "null",
4205 [EXEC_INPUT_TTY] = "tty",
4206 [EXEC_INPUT_TTY_FORCE] = "tty-force",
4207 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
4208 [EXEC_INPUT_SOCKET] = "socket",
4209 [EXEC_INPUT_NAMED_FD] = "fd",
4210 };
4211
4212 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
4213
4214 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
4215 [EXEC_OUTPUT_INHERIT] = "inherit",
4216 [EXEC_OUTPUT_NULL] = "null",
4217 [EXEC_OUTPUT_TTY] = "tty",
4218 [EXEC_OUTPUT_SYSLOG] = "syslog",
4219 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
4220 [EXEC_OUTPUT_KMSG] = "kmsg",
4221 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
4222 [EXEC_OUTPUT_JOURNAL] = "journal",
4223 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
4224 [EXEC_OUTPUT_SOCKET] = "socket",
4225 [EXEC_OUTPUT_NAMED_FD] = "fd",
4226 };
4227
4228 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
4229
4230 static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
4231 [EXEC_UTMP_INIT] = "init",
4232 [EXEC_UTMP_LOGIN] = "login",
4233 [EXEC_UTMP_USER] = "user",
4234 };
4235
4236 DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
4237
4238 static const char* const exec_preserve_mode_table[_EXEC_PRESERVE_MODE_MAX] = {
4239 [EXEC_PRESERVE_NO] = "no",
4240 [EXEC_PRESERVE_YES] = "yes",
4241 [EXEC_PRESERVE_RESTART] = "restart",
4242 };
4243
4244 DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(exec_preserve_mode, ExecPreserveMode, EXEC_PRESERVE_YES);
4245
4246 static const char* const exec_directory_type_table[_EXEC_DIRECTORY_MAX] = {
4247 [EXEC_DIRECTORY_RUNTIME] = "RuntimeDirectory",
4248 [EXEC_DIRECTORY_STATE] = "StateDirectory",
4249 [EXEC_DIRECTORY_CACHE] = "CacheDirectory",
4250 [EXEC_DIRECTORY_LOGS] = "LogsDirectory",
4251 [EXEC_DIRECTORY_CONFIGURATION] = "ConfigurationDirectory",
4252 };
4253
4254 DEFINE_STRING_TABLE_LOOKUP(exec_directory_type, ExecDirectoryType);
Unnamed repository; edit this file 'description' to name the repository.