]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/execute.c
projects / thirdparty / systemd.git / blob
? search:


b9de2617a9cb6f77645667de2495351553a8b728
[thirdparty/systemd.git] / src / core / execute.c
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2
3 /***
4 This file is part of systemd.
5
6 Copyright 2010 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
17
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 ***/
21
22 #include <errno.h>
23 #include <fcntl.h>
24 #include <glob.h>
25 #include <grp.h>
26 #include <poll.h>
27 #include <signal.h>
28 #include <string.h>
29 #include <sys/personality.h>
30 #include <sys/prctl.h>
31 #include <sys/socket.h>
32 #include <sys/stat.h>
33 #include <sys/un.h>
34 #include <unistd.h>
35 #include <utmpx.h>
36
37 #ifdef HAVE_PAM
38 #include <security/pam_appl.h>
39 #endif
40
41 #ifdef HAVE_SELINUX
42 #include <selinux/selinux.h>
43 #endif
44
45 #ifdef HAVE_SECCOMP
46 #include <seccomp.h>
47 #endif
48
49 #ifdef HAVE_APPARMOR
50 #include <sys/apparmor.h>
51 #endif
52
53 #include "sd-messages.h"
54
55 #include "af-list.h"
56 #include "alloc-util.h"
57 #ifdef HAVE_APPARMOR
58 #include "apparmor-util.h"
59 #endif
60 #include "async.h"
61 #include "barrier.h"
62 #include "bus-endpoint.h"
63 #include "cap-list.h"
64 #include "capability-util.h"
65 #include "def.h"
66 #include "env-util.h"
67 #include "errno-list.h"
68 #include "execute.h"
69 #include "exit-status.h"
70 #include "fd-util.h"
71 #include "fileio.h"
72 #include "formats-util.h"
73 #include "fs-util.h"
74 #include "glob-util.h"
75 #include "io-util.h"
76 #include "ioprio.h"
77 #include "log.h"
78 #include "macro.h"
79 #include "missing.h"
80 #include "mkdir.h"
81 #include "namespace.h"
82 #include "parse-util.h"
83 #include "path-util.h"
84 #include "process-util.h"
85 #include "rlimit-util.h"
86 #include "rm-rf.h"
87 #ifdef HAVE_SECCOMP
88 #include "seccomp-util.h"
89 #endif
90 #include "securebits.h"
91 #include "selinux-util.h"
92 #include "signal-util.h"
93 #include "smack-util.h"
94 #include "string-table.h"
95 #include "string-util.h"
96 #include "strv.h"
97 #include "syslog-util.h"
98 #include "terminal-util.h"
99 #include "unit.h"
100 #include "user-util.h"
101 #include "util.h"
102 #include "utmp-wtmp.h"
103
104 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
105 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
106
107 /* This assumes there is a 'tty' group */
108 #define TTY_MODE 0620
109
110 #define SNDBUF_SIZE (8*1024*1024)
111
112 static int shift_fds(int fds[], unsigned n_fds) {
113 int start, restart_from;
114
115 if (n_fds <= 0)
116 return 0;
117
118 /* Modifies the fds array! (sorts it) */
119
120 assert(fds);
121
122 start = 0;
123 for (;;) {
124 int i;
125
126 restart_from = -1;
127
128 for (i = start; i < (int) n_fds; i++) {
129 int nfd;
130
131 /* Already at right index? */
132 if (fds[i] == i+3)
133 continue;
134
135 nfd = fcntl(fds[i], F_DUPFD, i + 3);
136 if (nfd < 0)
137 return -errno;
138
139 safe_close(fds[i]);
140 fds[i] = nfd;
141
142 /* Hmm, the fd we wanted isn't free? Then
143 * let's remember that and try again from here */
144 if (nfd != i+3 && restart_from < 0)
145 restart_from = i;
146 }
147
148 if (restart_from < 0)
149 break;
150
151 start = restart_from;
152 }
153
154 return 0;
155 }
156
157 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
158 unsigned i;
159 int r;
160
161 if (n_fds <= 0)
162 return 0;
163
164 assert(fds);
165
166 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
167
168 for (i = 0; i < n_fds; i++) {
169
170 r = fd_nonblock(fds[i], nonblock);
171 if (r < 0)
172 return r;
173
174 /* We unconditionally drop FD_CLOEXEC from the fds,
175 * since after all we want to pass these fds to our
176 * children */
177
178 r = fd_cloexec(fds[i], false);
179 if (r < 0)
180 return r;
181 }
182
183 return 0;
184 }
185
186 _pure_ static const char *tty_path(const ExecContext *context) {
187 assert(context);
188
189 if (context->tty_path)
190 return context->tty_path;
191
192 return "/dev/console";
193 }
194
195 static void exec_context_tty_reset(const ExecContext *context) {
196 assert(context);
197
198 if (context->tty_vhangup)
199 terminal_vhangup(tty_path(context));
200
201 if (context->tty_reset)
202 reset_terminal(tty_path(context));
203
204 if (context->tty_vt_disallocate && context->tty_path)
205 vt_disallocate(context->tty_path);
206 }
207
208 static bool is_terminal_output(ExecOutput o) {
209 return
210 o == EXEC_OUTPUT_TTY ||
211 o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
212 o == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
213 o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE;
214 }
215
216 static int open_null_as(int flags, int nfd) {
217 int fd, r;
218
219 assert(nfd >= 0);
220
221 fd = open("/dev/null", flags|O_NOCTTY);
222 if (fd < 0)
223 return -errno;
224
225 if (fd != nfd) {
226 r = dup2(fd, nfd) < 0 ? -errno : nfd;
227 safe_close(fd);
228 } else
229 r = nfd;
230
231 return r;
232 }
233
234 static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
235 union sockaddr_union sa = {
236 .un.sun_family = AF_UNIX,
237 .un.sun_path = "/run/systemd/journal/stdout",
238 };
239 uid_t olduid = UID_INVALID;
240 gid_t oldgid = GID_INVALID;
241 int r;
242
243 if (gid != GID_INVALID) {
244 oldgid = getgid();
245
246 r = setegid(gid);
247 if (r < 0)
248 return -errno;
249 }
250
251 if (uid != UID_INVALID) {
252 olduid = getuid();
253
254 r = seteuid(uid);
255 if (r < 0) {
256 r = -errno;
257 goto restore_gid;
258 }
259 }
260
261 r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path));
262 if (r < 0)
263 r = -errno;
264
265 /* If we fail to restore the uid or gid, things will likely
266 fail later on. This should only happen if an LSM interferes. */
267
268 if (uid != UID_INVALID)
269 (void) seteuid(olduid);
270
271 restore_gid:
272 if (gid != GID_INVALID)
273 (void) setegid(oldgid);
274
275 return r;
276 }
277
278 static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd, uid_t uid, gid_t gid) {
279 int fd, r;
280
281 assert(context);
282 assert(output < _EXEC_OUTPUT_MAX);
283 assert(ident);
284 assert(nfd >= 0);
285
286 fd = socket(AF_UNIX, SOCK_STREAM, 0);
287 if (fd < 0)
288 return -errno;
289
290 r = connect_journal_socket(fd, uid, gid);
291 if (r < 0)
292 return r;
293
294 if (shutdown(fd, SHUT_RD) < 0) {
295 safe_close(fd);
296 return -errno;
297 }
298
299 fd_inc_sndbuf(fd, SNDBUF_SIZE);
300
301 dprintf(fd,
302 "%s\n"
303 "%s\n"
304 "%i\n"
305 "%i\n"
306 "%i\n"
307 "%i\n"
308 "%i\n",
309 context->syslog_identifier ? context->syslog_identifier : ident,
310 unit_id,
311 context->syslog_priority,
312 !!context->syslog_level_prefix,
313 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
314 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
315 is_terminal_output(output));
316
317 if (fd != nfd) {
318 r = dup2(fd, nfd) < 0 ? -errno : nfd;
319 safe_close(fd);
320 } else
321 r = nfd;
322
323 return r;
324 }
325 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
326 int fd, r;
327
328 assert(path);
329 assert(nfd >= 0);
330
331 fd = open_terminal(path, mode | O_NOCTTY);
332 if (fd < 0)
333 return fd;
334
335 if (fd != nfd) {
336 r = dup2(fd, nfd) < 0 ? -errno : nfd;
337 safe_close(fd);
338 } else
339 r = nfd;
340
341 return r;
342 }
343
344 static bool is_terminal_input(ExecInput i) {
345 return
346 i == EXEC_INPUT_TTY ||
347 i == EXEC_INPUT_TTY_FORCE ||
348 i == EXEC_INPUT_TTY_FAIL;
349 }
350
351 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
352
353 if (is_terminal_input(std_input) && !apply_tty_stdin)
354 return EXEC_INPUT_NULL;
355
356 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
357 return EXEC_INPUT_NULL;
358
359 return std_input;
360 }
361
362 static int fixup_output(ExecOutput std_output, int socket_fd) {
363
364 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
365 return EXEC_OUTPUT_INHERIT;
366
367 return std_output;
368 }
369
370 static int setup_input(
371 const ExecContext *context,
372 const ExecParameters *params,
373 int socket_fd) {
374
375 ExecInput i;
376
377 assert(context);
378 assert(params);
379
380 if (params->stdin_fd >= 0) {
381 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
382 return -errno;
383
384 /* Try to make this the controlling tty, if it is a tty, and reset it */
385 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
386 (void) reset_terminal_fd(STDIN_FILENO, true);
387
388 return STDIN_FILENO;
389 }
390
391 i = fixup_input(context->std_input, socket_fd, params->apply_tty_stdin);
392
393 switch (i) {
394
395 case EXEC_INPUT_NULL:
396 return open_null_as(O_RDONLY, STDIN_FILENO);
397
398 case EXEC_INPUT_TTY:
399 case EXEC_INPUT_TTY_FORCE:
400 case EXEC_INPUT_TTY_FAIL: {
401 int fd, r;
402
403 fd = acquire_terminal(tty_path(context),
404 i == EXEC_INPUT_TTY_FAIL,
405 i == EXEC_INPUT_TTY_FORCE,
406 false,
407 USEC_INFINITY);
408 if (fd < 0)
409 return fd;
410
411 if (fd != STDIN_FILENO) {
412 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
413 safe_close(fd);
414 } else
415 r = STDIN_FILENO;
416
417 return r;
418 }
419
420 case EXEC_INPUT_SOCKET:
421 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
422
423 default:
424 assert_not_reached("Unknown input type");
425 }
426 }
427
428 static int setup_output(
429 Unit *unit,
430 const ExecContext *context,
431 const ExecParameters *params,
432 int fileno,
433 int socket_fd,
434 const char *ident,
435 uid_t uid, gid_t gid) {
436
437 ExecOutput o;
438 ExecInput i;
439 int r;
440
441 assert(unit);
442 assert(context);
443 assert(params);
444 assert(ident);
445
446 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
447
448 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
449 return -errno;
450
451 return STDOUT_FILENO;
452 }
453
454 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
455 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
456 return -errno;
457
458 return STDERR_FILENO;
459 }
460
461 i = fixup_input(context->std_input, socket_fd, params->apply_tty_stdin);
462 o = fixup_output(context->std_output, socket_fd);
463
464 if (fileno == STDERR_FILENO) {
465 ExecOutput e;
466 e = fixup_output(context->std_error, socket_fd);
467
468 /* This expects the input and output are already set up */
469
470 /* Don't change the stderr file descriptor if we inherit all
471 * the way and are not on a tty */
472 if (e == EXEC_OUTPUT_INHERIT &&
473 o == EXEC_OUTPUT_INHERIT &&
474 i == EXEC_INPUT_NULL &&
475 !is_terminal_input(context->std_input) &&
476 getppid () != 1)
477 return fileno;
478
479 /* Duplicate from stdout if possible */
480 if (e == o || e == EXEC_OUTPUT_INHERIT)
481 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
482
483 o = e;
484
485 } else if (o == EXEC_OUTPUT_INHERIT) {
486 /* If input got downgraded, inherit the original value */
487 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
488 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
489
490 /* If the input is connected to anything that's not a /dev/null, inherit that... */
491 if (i != EXEC_INPUT_NULL)
492 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
493
494 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
495 if (getppid() != 1)
496 return fileno;
497
498 /* We need to open /dev/null here anew, to get the right access mode. */
499 return open_null_as(O_WRONLY, fileno);
500 }
501
502 switch (o) {
503
504 case EXEC_OUTPUT_NULL:
505 return open_null_as(O_WRONLY, fileno);
506
507 case EXEC_OUTPUT_TTY:
508 if (is_terminal_input(i))
509 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
510
511 /* We don't reset the terminal if this is just about output */
512 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
513
514 case EXEC_OUTPUT_SYSLOG:
515 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
516 case EXEC_OUTPUT_KMSG:
517 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
518 case EXEC_OUTPUT_JOURNAL:
519 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
520 r = connect_logger_as(context, o, ident, unit->id, fileno, uid, gid);
521 if (r < 0) {
522 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
523 r = open_null_as(O_WRONLY, fileno);
524 }
525 return r;
526
527 case EXEC_OUTPUT_SOCKET:
528 assert(socket_fd >= 0);
529 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
530
531 default:
532 assert_not_reached("Unknown error type");
533 }
534 }
535
536 static int chown_terminal(int fd, uid_t uid) {
537 struct stat st;
538
539 assert(fd >= 0);
540
541 /* This might fail. What matters are the results. */
542 (void) fchown(fd, uid, -1);
543 (void) fchmod(fd, TTY_MODE);
544
545 if (fstat(fd, &st) < 0)
546 return -errno;
547
548 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
549 return -EPERM;
550
551 return 0;
552 }
553
554 static int setup_confirm_stdio(int *_saved_stdin, int *_saved_stdout) {
555 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
556 int r;
557
558 assert(_saved_stdin);
559 assert(_saved_stdout);
560
561 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
562 if (saved_stdin < 0)
563 return -errno;
564
565 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
566 if (saved_stdout < 0)
567 return -errno;
568
569 fd = acquire_terminal(
570 "/dev/console",
571 false,
572 false,
573 false,
574 DEFAULT_CONFIRM_USEC);
575 if (fd < 0)
576 return fd;
577
578 r = chown_terminal(fd, getuid());
579 if (r < 0)
580 return r;
581
582 r = reset_terminal_fd(fd, true);
583 if (r < 0)
584 return r;
585
586 if (dup2(fd, STDIN_FILENO) < 0)
587 return -errno;
588
589 if (dup2(fd, STDOUT_FILENO) < 0)
590 return -errno;
591
592 if (fd >= 2)
593 safe_close(fd);
594 fd = -1;
595
596 *_saved_stdin = saved_stdin;
597 *_saved_stdout = saved_stdout;
598
599 saved_stdin = saved_stdout = -1;
600
601 return 0;
602 }
603
604 _printf_(1, 2) static int write_confirm_message(const char *format, ...) {
605 _cleanup_close_ int fd = -1;
606 va_list ap;
607
608 assert(format);
609
610 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
611 if (fd < 0)
612 return fd;
613
614 va_start(ap, format);
615 vdprintf(fd, format, ap);
616 va_end(ap);
617
618 return 0;
619 }
620
621 static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
622 int r = 0;
623
624 assert(saved_stdin);
625 assert(saved_stdout);
626
627 release_terminal();
628
629 if (*saved_stdin >= 0)
630 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
631 r = -errno;
632
633 if (*saved_stdout >= 0)
634 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
635 r = -errno;
636
637 *saved_stdin = safe_close(*saved_stdin);
638 *saved_stdout = safe_close(*saved_stdout);
639
640 return r;
641 }
642
643 static int ask_for_confirmation(char *response, char **argv) {
644 int saved_stdout = -1, saved_stdin = -1, r;
645 _cleanup_free_ char *line = NULL;
646
647 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
648 if (r < 0)
649 return r;
650
651 line = exec_command_line(argv);
652 if (!line)
653 return -ENOMEM;
654
655 r = ask_char(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
656
657 restore_confirm_stdio(&saved_stdin, &saved_stdout);
658
659 return r;
660 }
661
662 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
663 bool keep_groups = false;
664 int r;
665
666 assert(context);
667
668 /* Lookup and set GID and supplementary group list. Here too
669 * we avoid NSS lookups for gid=0. */
670
671 if (context->group || username) {
672 /* First step, initialize groups from /etc/groups */
673 if (username && gid != 0) {
674 if (initgroups(username, gid) < 0)
675 return -errno;
676
677 keep_groups = true;
678 }
679
680 /* Second step, set our gids */
681 if (setresgid(gid, gid, gid) < 0)
682 return -errno;
683 }
684
685 if (context->supplementary_groups) {
686 int ngroups_max, k;
687 gid_t *gids;
688 char **i;
689
690 /* Final step, initialize any manually set supplementary groups */
691 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
692
693 if (!(gids = new(gid_t, ngroups_max)))
694 return -ENOMEM;
695
696 if (keep_groups) {
697 k = getgroups(ngroups_max, gids);
698 if (k < 0) {
699 free(gids);
700 return -errno;
701 }
702 } else
703 k = 0;
704
705 STRV_FOREACH(i, context->supplementary_groups) {
706 const char *g;
707
708 if (k >= ngroups_max) {
709 free(gids);
710 return -E2BIG;
711 }
712
713 g = *i;
714 r = get_group_creds(&g, gids+k);
715 if (r < 0) {
716 free(gids);
717 return r;
718 }
719
720 k++;
721 }
722
723 if (setgroups(k, gids) < 0) {
724 free(gids);
725 return -errno;
726 }
727
728 free(gids);
729 }
730
731 return 0;
732 }
733
734 static int enforce_user(const ExecContext *context, uid_t uid) {
735 assert(context);
736
737 /* Sets (but doesn't lookup) the uid and make sure we keep the
738 * capabilities while doing so. */
739
740 if (context->capabilities || context->capability_ambient_set != 0) {
741
742 /* First step: If we need to keep capabilities but
743 * drop privileges we need to make sure we keep our
744 * caps, while we drop privileges. */
745 if (uid != 0) {
746 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
747
748 if (prctl(PR_GET_SECUREBITS) != sb)
749 if (prctl(PR_SET_SECUREBITS, sb) < 0)
750 return -errno;
751 }
752
753 /* Second step: set the capabilities. This will reduce
754 * the capabilities to the minimum we need. */
755
756 if (context->capabilities) {
757 _cleanup_cap_free_ cap_t d = NULL;
758 static const cap_value_t bits[] = {
759 CAP_SETUID, /* Necessary so that we can run setresuid() below */
760 CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
761 };
762
763 d = cap_dup(context->capabilities);
764 if (!d)
765 return -errno;
766
767 if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
768 cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0)
769 return -errno;
770
771 if (cap_set_proc(d) < 0)
772 return -errno;
773 }
774 }
775
776 /* Third step: actually set the uids */
777 if (setresuid(uid, uid, uid) < 0)
778 return -errno;
779
780 /* At this point we should have all necessary capabilities but
781 are otherwise a normal user. However, the caps might got
782 corrupted due to the setresuid() so we need clean them up
783 later. This is done outside of this call. */
784
785 return 0;
786 }
787
788 #ifdef HAVE_PAM
789
790 static int null_conv(
791 int num_msg,
792 const struct pam_message **msg,
793 struct pam_response **resp,
794 void *appdata_ptr) {
795
796 /* We don't support conversations */
797
798 return PAM_CONV_ERR;
799 }
800
801 static int setup_pam(
802 const char *name,
803 const char *user,
804 uid_t uid,
805 const char *tty,
806 char ***pam_env,
807 int fds[], unsigned n_fds) {
808
809 static const struct pam_conv conv = {
810 .conv = null_conv,
811 .appdata_ptr = NULL
812 };
813
814 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
815 pam_handle_t *handle = NULL;
816 sigset_t old_ss;
817 int pam_code = PAM_SUCCESS, r;
818 char **e = NULL;
819 bool close_session = false;
820 pid_t pam_pid = 0, parent_pid;
821 int flags = 0;
822
823 assert(name);
824 assert(user);
825 assert(pam_env);
826
827 /* We set up PAM in the parent process, then fork. The child
828 * will then stay around until killed via PR_GET_PDEATHSIG or
829 * systemd via the cgroup logic. It will then remove the PAM
830 * session again. The parent process will exec() the actual
831 * daemon. We do things this way to ensure that the main PID
832 * of the daemon is the one we initially fork()ed. */
833
834 r = barrier_create(&barrier);
835 if (r < 0)
836 goto fail;
837
838 if (log_get_max_level() < LOG_DEBUG)
839 flags |= PAM_SILENT;
840
841 pam_code = pam_start(name, user, &conv, &handle);
842 if (pam_code != PAM_SUCCESS) {
843 handle = NULL;
844 goto fail;
845 }
846
847 if (tty) {
848 pam_code = pam_set_item(handle, PAM_TTY, tty);
849 if (pam_code != PAM_SUCCESS)
850 goto fail;
851 }
852
853 pam_code = pam_acct_mgmt(handle, flags);
854 if (pam_code != PAM_SUCCESS)
855 goto fail;
856
857 pam_code = pam_open_session(handle, flags);
858 if (pam_code != PAM_SUCCESS)
859 goto fail;
860
861 close_session = true;
862
863 e = pam_getenvlist(handle);
864 if (!e) {
865 pam_code = PAM_BUF_ERR;
866 goto fail;
867 }
868
869 /* Block SIGTERM, so that we know that it won't get lost in
870 * the child */
871
872 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
873
874 parent_pid = getpid();
875
876 pam_pid = fork();
877 if (pam_pid < 0) {
878 r = -errno;
879 goto fail;
880 }
881
882 if (pam_pid == 0) {
883 int sig, ret = EXIT_PAM;
884
885 /* The child's job is to reset the PAM session on
886 * termination */
887 barrier_set_role(&barrier, BARRIER_CHILD);
888
889 /* This string must fit in 10 chars (i.e. the length
890 * of "/sbin/init"), to look pretty in /bin/ps */
891 rename_process("(sd-pam)");
892
893 /* Make sure we don't keep open the passed fds in this
894 child. We assume that otherwise only those fds are
895 open here that have been opened by PAM. */
896 close_many(fds, n_fds);
897
898 /* Drop privileges - we don't need any to pam_close_session
899 * and this will make PR_SET_PDEATHSIG work in most cases.
900 * If this fails, ignore the error - but expect sd-pam threads
901 * to fail to exit normally */
902 if (setresuid(uid, uid, uid) < 0)
903 log_error_errno(r, "Error: Failed to setresuid() in sd-pam: %m");
904
905 (void) ignore_signals(SIGPIPE, -1);
906
907 /* Wait until our parent died. This will only work if
908 * the above setresuid() succeeds, otherwise the kernel
909 * will not allow unprivileged parents kill their privileged
910 * children this way. We rely on the control groups kill logic
911 * to do the rest for us. */
912 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
913 goto child_finish;
914
915 /* Tell the parent that our setup is done. This is especially
916 * important regarding dropping privileges. Otherwise, unit
917 * setup might race against our setresuid(2) call. */
918 barrier_place(&barrier);
919
920 /* Check if our parent process might already have
921 * died? */
922 if (getppid() == parent_pid) {
923 sigset_t ss;
924
925 assert_se(sigemptyset(&ss) >= 0);
926 assert_se(sigaddset(&ss, SIGTERM) >= 0);
927
928 for (;;) {
929 if (sigwait(&ss, &sig) < 0) {
930 if (errno == EINTR)
931 continue;
932
933 goto child_finish;
934 }
935
936 assert(sig == SIGTERM);
937 break;
938 }
939 }
940
941 /* If our parent died we'll end the session */
942 if (getppid() != parent_pid) {
943 pam_code = pam_close_session(handle, flags);
944 if (pam_code != PAM_SUCCESS)
945 goto child_finish;
946 }
947
948 ret = 0;
949
950 child_finish:
951 pam_end(handle, pam_code | flags);
952 _exit(ret);
953 }
954
955 barrier_set_role(&barrier, BARRIER_PARENT);
956
957 /* If the child was forked off successfully it will do all the
958 * cleanups, so forget about the handle here. */
959 handle = NULL;
960
961 /* Unblock SIGTERM again in the parent */
962 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
963
964 /* We close the log explicitly here, since the PAM modules
965 * might have opened it, but we don't want this fd around. */
966 closelog();
967
968 /* Synchronously wait for the child to initialize. We don't care for
969 * errors as we cannot recover. However, warn loudly if it happens. */
970 if (!barrier_place_and_sync(&barrier))
971 log_error("PAM initialization failed");
972
973 *pam_env = e;
974 e = NULL;
975
976 return 0;
977
978 fail:
979 if (pam_code != PAM_SUCCESS) {
980 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
981 r = -EPERM; /* PAM errors do not map to errno */
982 } else
983 log_error_errno(r, "PAM failed: %m");
984
985 if (handle) {
986 if (close_session)
987 pam_code = pam_close_session(handle, flags);
988
989 pam_end(handle, pam_code | flags);
990 }
991
992 strv_free(e);
993 closelog();
994
995 return r;
996 }
997 #endif
998
999 static void rename_process_from_path(const char *path) {
1000 char process_name[11];
1001 const char *p;
1002 size_t l;
1003
1004 /* This resulting string must fit in 10 chars (i.e. the length
1005 * of "/sbin/init") to look pretty in /bin/ps */
1006
1007 p = basename(path);
1008 if (isempty(p)) {
1009 rename_process("(...)");
1010 return;
1011 }
1012
1013 l = strlen(p);
1014 if (l > 8) {
1015 /* The end of the process name is usually more
1016 * interesting, since the first bit might just be
1017 * "systemd-" */
1018 p = p + l - 8;
1019 l = 8;
1020 }
1021
1022 process_name[0] = '(';
1023 memcpy(process_name+1, p, l);
1024 process_name[1+l] = ')';
1025 process_name[1+l+1] = 0;
1026
1027 rename_process(process_name);
1028 }
1029
1030 #ifdef HAVE_SECCOMP
1031
1032 static int apply_seccomp(const ExecContext *c) {
1033 uint32_t negative_action, action;
1034 scmp_filter_ctx *seccomp;
1035 Iterator i;
1036 void *id;
1037 int r;
1038
1039 assert(c);
1040
1041 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
1042
1043 seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW);
1044 if (!seccomp)
1045 return -ENOMEM;
1046
1047 if (c->syscall_archs) {
1048
1049 SET_FOREACH(id, c->syscall_archs, i) {
1050 r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
1051 if (r == -EEXIST)
1052 continue;
1053 if (r < 0)
1054 goto finish;
1055 }
1056
1057 } else {
1058 r = seccomp_add_secondary_archs(seccomp);
1059 if (r < 0)
1060 goto finish;
1061 }
1062
1063 action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
1064 SET_FOREACH(id, c->syscall_filter, i) {
1065 r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
1066 if (r < 0)
1067 goto finish;
1068 }
1069
1070 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1071 if (r < 0)
1072 goto finish;
1073
1074 r = seccomp_load(seccomp);
1075
1076 finish:
1077 seccomp_release(seccomp);
1078 return r;
1079 }
1080
1081 static int apply_address_families(const ExecContext *c) {
1082 scmp_filter_ctx *seccomp;
1083 Iterator i;
1084 int r;
1085
1086 assert(c);
1087
1088 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1089 if (!seccomp)
1090 return -ENOMEM;
1091
1092 r = seccomp_add_secondary_archs(seccomp);
1093 if (r < 0)
1094 goto finish;
1095
1096 if (c->address_families_whitelist) {
1097 int af, first = 0, last = 0;
1098 void *afp;
1099
1100 /* If this is a whitelist, we first block the address
1101 * families that are out of range and then everything
1102 * that is not in the set. First, we find the lowest
1103 * and highest address family in the set. */
1104
1105 SET_FOREACH(afp, c->address_families, i) {
1106 af = PTR_TO_INT(afp);
1107
1108 if (af <= 0 || af >= af_max())
1109 continue;
1110
1111 if (first == 0 || af < first)
1112 first = af;
1113
1114 if (last == 0 || af > last)
1115 last = af;
1116 }
1117
1118 assert((first == 0) == (last == 0));
1119
1120 if (first == 0) {
1121
1122 /* No entries in the valid range, block everything */
1123 r = seccomp_rule_add(
1124 seccomp,
1125 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1126 SCMP_SYS(socket),
1127 0);
1128 if (r < 0)
1129 goto finish;
1130
1131 } else {
1132
1133 /* Block everything below the first entry */
1134 r = seccomp_rule_add(
1135 seccomp,
1136 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1137 SCMP_SYS(socket),
1138 1,
1139 SCMP_A0(SCMP_CMP_LT, first));
1140 if (r < 0)
1141 goto finish;
1142
1143 /* Block everything above the last entry */
1144 r = seccomp_rule_add(
1145 seccomp,
1146 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1147 SCMP_SYS(socket),
1148 1,
1149 SCMP_A0(SCMP_CMP_GT, last));
1150 if (r < 0)
1151 goto finish;
1152
1153 /* Block everything between the first and last
1154 * entry */
1155 for (af = 1; af < af_max(); af++) {
1156
1157 if (set_contains(c->address_families, INT_TO_PTR(af)))
1158 continue;
1159
1160 r = seccomp_rule_add(
1161 seccomp,
1162 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1163 SCMP_SYS(socket),
1164 1,
1165 SCMP_A0(SCMP_CMP_EQ, af));
1166 if (r < 0)
1167 goto finish;
1168 }
1169 }
1170
1171 } else {
1172 void *af;
1173
1174 /* If this is a blacklist, then generate one rule for
1175 * each address family that are then combined in OR
1176 * checks. */
1177
1178 SET_FOREACH(af, c->address_families, i) {
1179
1180 r = seccomp_rule_add(
1181 seccomp,
1182 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1183 SCMP_SYS(socket),
1184 1,
1185 SCMP_A0(SCMP_CMP_EQ, PTR_TO_INT(af)));
1186 if (r < 0)
1187 goto finish;
1188 }
1189 }
1190
1191 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1192 if (r < 0)
1193 goto finish;
1194
1195 r = seccomp_load(seccomp);
1196
1197 finish:
1198 seccomp_release(seccomp);
1199 return r;
1200 }
1201
1202 #endif
1203
1204 static void do_idle_pipe_dance(int idle_pipe[4]) {
1205 assert(idle_pipe);
1206
1207
1208 idle_pipe[1] = safe_close(idle_pipe[1]);
1209 idle_pipe[2] = safe_close(idle_pipe[2]);
1210
1211 if (idle_pipe[0] >= 0) {
1212 int r;
1213
1214 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1215
1216 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
1217 ssize_t n;
1218
1219 /* Signal systemd that we are bored and want to continue. */
1220 n = write(idle_pipe[3], "x", 1);
1221 if (n > 0)
1222 /* Wait for systemd to react to the signal above. */
1223 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1224 }
1225
1226 idle_pipe[0] = safe_close(idle_pipe[0]);
1227
1228 }
1229
1230 idle_pipe[3] = safe_close(idle_pipe[3]);
1231 }
1232
1233 static int build_environment(
1234 const ExecContext *c,
1235 unsigned n_fds,
1236 char ** fd_names,
1237 usec_t watchdog_usec,
1238 const char *home,
1239 const char *username,
1240 const char *shell,
1241 char ***ret) {
1242
1243 _cleanup_strv_free_ char **our_env = NULL;
1244 unsigned n_env = 0;
1245 char *x;
1246
1247 assert(c);
1248 assert(ret);
1249
1250 our_env = new0(char*, 11);
1251 if (!our_env)
1252 return -ENOMEM;
1253
1254 if (n_fds > 0) {
1255 _cleanup_free_ char *joined = NULL;
1256
1257 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1258 return -ENOMEM;
1259 our_env[n_env++] = x;
1260
1261 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1262 return -ENOMEM;
1263 our_env[n_env++] = x;
1264
1265 joined = strv_join(fd_names, ":");
1266 if (!joined)
1267 return -ENOMEM;
1268
1269 x = strjoin("LISTEN_FDNAMES=", joined, NULL);
1270 if (!x)
1271 return -ENOMEM;
1272 our_env[n_env++] = x;
1273 }
1274
1275 if (watchdog_usec > 0) {
1276 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1277 return -ENOMEM;
1278 our_env[n_env++] = x;
1279
1280 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, watchdog_usec) < 0)
1281 return -ENOMEM;
1282 our_env[n_env++] = x;
1283 }
1284
1285 if (home) {
1286 x = strappend("HOME=", home);
1287 if (!x)
1288 return -ENOMEM;
1289 our_env[n_env++] = x;
1290 }
1291
1292 if (username) {
1293 x = strappend("LOGNAME=", username);
1294 if (!x)
1295 return -ENOMEM;
1296 our_env[n_env++] = x;
1297
1298 x = strappend("USER=", username);
1299 if (!x)
1300 return -ENOMEM;
1301 our_env[n_env++] = x;
1302 }
1303
1304 if (shell) {
1305 x = strappend("SHELL=", shell);
1306 if (!x)
1307 return -ENOMEM;
1308 our_env[n_env++] = x;
1309 }
1310
1311 if (is_terminal_input(c->std_input) ||
1312 c->std_output == EXEC_OUTPUT_TTY ||
1313 c->std_error == EXEC_OUTPUT_TTY ||
1314 c->tty_path) {
1315
1316 x = strdup(default_term_for_tty(tty_path(c)));
1317 if (!x)
1318 return -ENOMEM;
1319 our_env[n_env++] = x;
1320 }
1321
1322 our_env[n_env++] = NULL;
1323 assert(n_env <= 11);
1324
1325 *ret = our_env;
1326 our_env = NULL;
1327
1328 return 0;
1329 }
1330
1331 static int build_pass_environment(const ExecContext *c, char ***ret) {
1332 _cleanup_strv_free_ char **pass_env = NULL;
1333 size_t n_env = 0, n_bufsize = 0;
1334 char **i;
1335
1336 STRV_FOREACH(i, c->pass_environment) {
1337 _cleanup_free_ char *x = NULL;
1338 char *v;
1339
1340 v = getenv(*i);
1341 if (!v)
1342 continue;
1343 x = strjoin(*i, "=", v, NULL);
1344 if (!x)
1345 return -ENOMEM;
1346 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1347 return -ENOMEM;
1348 pass_env[n_env++] = x;
1349 pass_env[n_env] = NULL;
1350 x = NULL;
1351 }
1352
1353 *ret = pass_env;
1354 pass_env = NULL;
1355
1356 return 0;
1357 }
1358
1359 static bool exec_needs_mount_namespace(
1360 const ExecContext *context,
1361 const ExecParameters *params,
1362 ExecRuntime *runtime) {
1363
1364 assert(context);
1365 assert(params);
1366
1367 if (!strv_isempty(context->read_write_dirs) ||
1368 !strv_isempty(context->read_only_dirs) ||
1369 !strv_isempty(context->inaccessible_dirs))
1370 return true;
1371
1372 if (context->mount_flags != 0)
1373 return true;
1374
1375 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1376 return true;
1377
1378 if (params->bus_endpoint_path)
1379 return true;
1380
1381 if (context->private_devices ||
1382 context->protect_system != PROTECT_SYSTEM_NO ||
1383 context->protect_home != PROTECT_HOME_NO)
1384 return true;
1385
1386 return false;
1387 }
1388
1389 static int close_remaining_fds(
1390 const ExecParameters *params,
1391 ExecRuntime *runtime,
1392 int socket_fd,
1393 int *fds, unsigned n_fds) {
1394
1395 unsigned n_dont_close = 0;
1396 int dont_close[n_fds + 7];
1397
1398 assert(params);
1399
1400 if (params->stdin_fd >= 0)
1401 dont_close[n_dont_close++] = params->stdin_fd;
1402 if (params->stdout_fd >= 0)
1403 dont_close[n_dont_close++] = params->stdout_fd;
1404 if (params->stderr_fd >= 0)
1405 dont_close[n_dont_close++] = params->stderr_fd;
1406
1407 if (socket_fd >= 0)
1408 dont_close[n_dont_close++] = socket_fd;
1409 if (n_fds > 0) {
1410 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
1411 n_dont_close += n_fds;
1412 }
1413
1414 if (params->bus_endpoint_fd >= 0)
1415 dont_close[n_dont_close++] = params->bus_endpoint_fd;
1416
1417 if (runtime) {
1418 if (runtime->netns_storage_socket[0] >= 0)
1419 dont_close[n_dont_close++] = runtime->netns_storage_socket[0];
1420 if (runtime->netns_storage_socket[1] >= 0)
1421 dont_close[n_dont_close++] = runtime->netns_storage_socket[1];
1422 }
1423
1424 return close_all_fds(dont_close, n_dont_close);
1425 }
1426
1427 static int exec_child(
1428 Unit *unit,
1429 ExecCommand *command,
1430 const ExecContext *context,
1431 const ExecParameters *params,
1432 ExecRuntime *runtime,
1433 char **argv,
1434 int socket_fd,
1435 int *fds, unsigned n_fds,
1436 char **files_env,
1437 int *exit_status) {
1438
1439 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL;
1440 _cleanup_free_ char *mac_selinux_context_net = NULL;
1441 const char *username = NULL, *home = NULL, *shell = NULL, *wd;
1442 uid_t uid = UID_INVALID;
1443 gid_t gid = GID_INVALID;
1444 int i, r;
1445 bool needs_mount_namespace;
1446
1447 assert(unit);
1448 assert(command);
1449 assert(context);
1450 assert(params);
1451 assert(exit_status);
1452
1453 rename_process_from_path(command->path);
1454
1455 /* We reset exactly these signals, since they are the
1456 * only ones we set to SIG_IGN in the main daemon. All
1457 * others we leave untouched because we set them to
1458 * SIG_DFL or a valid handler initially, both of which
1459 * will be demoted to SIG_DFL. */
1460 (void) default_signals(SIGNALS_CRASH_HANDLER,
1461 SIGNALS_IGNORE, -1);
1462
1463 if (context->ignore_sigpipe)
1464 (void) ignore_signals(SIGPIPE, -1);
1465
1466 r = reset_signal_mask();
1467 if (r < 0) {
1468 *exit_status = EXIT_SIGNAL_MASK;
1469 return r;
1470 }
1471
1472 if (params->idle_pipe)
1473 do_idle_pipe_dance(params->idle_pipe);
1474
1475 /* Close sockets very early to make sure we don't
1476 * block init reexecution because it cannot bind its
1477 * sockets */
1478
1479 log_forget_fds();
1480
1481 r = close_remaining_fds(params, runtime, socket_fd, fds, n_fds);
1482 if (r < 0) {
1483 *exit_status = EXIT_FDS;
1484 return r;
1485 }
1486
1487 if (!context->same_pgrp)
1488 if (setsid() < 0) {
1489 *exit_status = EXIT_SETSID;
1490 return -errno;
1491 }
1492
1493 exec_context_tty_reset(context);
1494
1495 if (params->confirm_spawn) {
1496 char response;
1497
1498 r = ask_for_confirmation(&response, argv);
1499 if (r == -ETIMEDOUT)
1500 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
1501 else if (r < 0)
1502 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-r));
1503 else if (response == 's') {
1504 write_confirm_message("Skipping execution.\n");
1505 *exit_status = EXIT_CONFIRM;
1506 return -ECANCELED;
1507 } else if (response == 'n') {
1508 write_confirm_message("Failing execution.\n");
1509 *exit_status = 0;
1510 return 0;
1511 }
1512 }
1513
1514 if (context->user) {
1515 username = context->user;
1516 r = get_user_creds(&username, &uid, &gid, &home, &shell);
1517 if (r < 0) {
1518 *exit_status = EXIT_USER;
1519 return r;
1520 }
1521 }
1522
1523 if (context->group) {
1524 const char *g = context->group;
1525
1526 r = get_group_creds(&g, &gid);
1527 if (r < 0) {
1528 *exit_status = EXIT_GROUP;
1529 return r;
1530 }
1531 }
1532
1533
1534 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1535 * must sure to drop O_NONBLOCK */
1536 if (socket_fd >= 0)
1537 (void) fd_nonblock(socket_fd, false);
1538
1539 r = setup_input(context, params, socket_fd);
1540 if (r < 0) {
1541 *exit_status = EXIT_STDIN;
1542 return r;
1543 }
1544
1545 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, basename(command->path), uid, gid);
1546 if (r < 0) {
1547 *exit_status = EXIT_STDOUT;
1548 return r;
1549 }
1550
1551 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, basename(command->path), uid, gid);
1552 if (r < 0) {
1553 *exit_status = EXIT_STDERR;
1554 return r;
1555 }
1556
1557 if (params->cgroup_path) {
1558 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
1559 if (r < 0) {
1560 *exit_status = EXIT_CGROUP;
1561 return r;
1562 }
1563 }
1564
1565 if (context->oom_score_adjust_set) {
1566 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
1567
1568 /* When we can't make this change due to EPERM, then
1569 * let's silently skip over it. User namespaces
1570 * prohibit write access to this file, and we
1571 * shouldn't trip up over that. */
1572
1573 sprintf(t, "%i", context->oom_score_adjust);
1574 r = write_string_file("/proc/self/oom_score_adj", t, 0);
1575 if (r == -EPERM || r == -EACCES) {
1576 log_open();
1577 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
1578 log_close();
1579 } else if (r < 0) {
1580 *exit_status = EXIT_OOM_ADJUST;
1581 return -errno;
1582 }
1583 }
1584
1585 if (context->nice_set)
1586 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
1587 *exit_status = EXIT_NICE;
1588 return -errno;
1589 }
1590
1591 if (context->cpu_sched_set) {
1592 struct sched_param param = {
1593 .sched_priority = context->cpu_sched_priority,
1594 };
1595
1596 r = sched_setscheduler(0,
1597 context->cpu_sched_policy |
1598 (context->cpu_sched_reset_on_fork ?
1599 SCHED_RESET_ON_FORK : 0),
1600 &param);
1601 if (r < 0) {
1602 *exit_status = EXIT_SETSCHEDULER;
1603 return -errno;
1604 }
1605 }
1606
1607 if (context->cpuset)
1608 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
1609 *exit_status = EXIT_CPUAFFINITY;
1610 return -errno;
1611 }
1612
1613 if (context->ioprio_set)
1614 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
1615 *exit_status = EXIT_IOPRIO;
1616 return -errno;
1617 }
1618
1619 if (context->timer_slack_nsec != NSEC_INFINITY)
1620 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
1621 *exit_status = EXIT_TIMERSLACK;
1622 return -errno;
1623 }
1624
1625 if (context->personality != PERSONALITY_INVALID)
1626 if (personality(context->personality) < 0) {
1627 *exit_status = EXIT_PERSONALITY;
1628 return -errno;
1629 }
1630
1631 if (context->utmp_id)
1632 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path,
1633 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
1634 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
1635 USER_PROCESS,
1636 username ? "root" : context->user);
1637
1638 if (context->user && is_terminal_input(context->std_input)) {
1639 r = chown_terminal(STDIN_FILENO, uid);
1640 if (r < 0) {
1641 *exit_status = EXIT_STDIN;
1642 return r;
1643 }
1644 }
1645
1646 if (params->bus_endpoint_fd >= 0 && context->bus_endpoint) {
1647 uid_t ep_uid = (uid == UID_INVALID) ? 0 : uid;
1648
1649 r = bus_kernel_set_endpoint_policy(params->bus_endpoint_fd, ep_uid, context->bus_endpoint);
1650 if (r < 0) {
1651 *exit_status = EXIT_BUS_ENDPOINT;
1652 return r;
1653 }
1654 }
1655
1656 /* If delegation is enabled we'll pass ownership of the cgroup
1657 * (but only in systemd's own controller hierarchy!) to the
1658 * user of the new process. */
1659 if (params->cgroup_path && context->user && params->cgroup_delegate) {
1660 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
1661 if (r < 0) {
1662 *exit_status = EXIT_CGROUP;
1663 return r;
1664 }
1665
1666
1667 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
1668 if (r < 0) {
1669 *exit_status = EXIT_CGROUP;
1670 return r;
1671 }
1672 }
1673
1674 if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
1675 char **rt;
1676
1677 STRV_FOREACH(rt, context->runtime_directory) {
1678 _cleanup_free_ char *p;
1679
1680 p = strjoin(params->runtime_prefix, "/", *rt, NULL);
1681 if (!p) {
1682 *exit_status = EXIT_RUNTIME_DIRECTORY;
1683 return -ENOMEM;
1684 }
1685
1686 r = mkdir_p_label(p, context->runtime_directory_mode);
1687 if (r < 0) {
1688 *exit_status = EXIT_RUNTIME_DIRECTORY;
1689 return r;
1690 }
1691
1692 r = chmod_and_chown(p, context->runtime_directory_mode, uid, gid);
1693 if (r < 0) {
1694 *exit_status = EXIT_RUNTIME_DIRECTORY;
1695 return r;
1696 }
1697 }
1698 }
1699
1700 umask(context->umask);
1701
1702 if (params->apply_permissions) {
1703 r = enforce_groups(context, username, gid);
1704 if (r < 0) {
1705 *exit_status = EXIT_GROUP;
1706 return r;
1707 }
1708 #ifdef HAVE_SMACK
1709 if (context->smack_process_label) {
1710 r = mac_smack_apply_pid(0, context->smack_process_label);
1711 if (r < 0) {
1712 *exit_status = EXIT_SMACK_PROCESS_LABEL;
1713 return r;
1714 }
1715 }
1716 #ifdef SMACK_DEFAULT_PROCESS_LABEL
1717 else {
1718 _cleanup_free_ char *exec_label = NULL;
1719
1720 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
1721 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) {
1722 *exit_status = EXIT_SMACK_PROCESS_LABEL;
1723 return r;
1724 }
1725
1726 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
1727 if (r < 0) {
1728 *exit_status = EXIT_SMACK_PROCESS_LABEL;
1729 return r;
1730 }
1731 }
1732 #endif
1733 #endif
1734 #ifdef HAVE_PAM
1735 if (context->pam_name && username) {
1736 r = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
1737 if (r < 0) {
1738 *exit_status = EXIT_PAM;
1739 return r;
1740 }
1741 }
1742 #endif
1743 }
1744
1745 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
1746 r = setup_netns(runtime->netns_storage_socket);
1747 if (r < 0) {
1748 *exit_status = EXIT_NETWORK;
1749 return r;
1750 }
1751 }
1752
1753 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
1754
1755 if (needs_mount_namespace) {
1756 char *tmp = NULL, *var = NULL;
1757
1758 /* The runtime struct only contains the parent
1759 * of the private /tmp, which is
1760 * non-accessible to world users. Inside of it
1761 * there's a /tmp that is sticky, and that's
1762 * the one we want to use here. */
1763
1764 if (context->private_tmp && runtime) {
1765 if (runtime->tmp_dir)
1766 tmp = strjoina(runtime->tmp_dir, "/tmp");
1767 if (runtime->var_tmp_dir)
1768 var = strjoina(runtime->var_tmp_dir, "/tmp");
1769 }
1770
1771 r = setup_namespace(
1772 params->apply_chroot ? context->root_directory : NULL,
1773 context->read_write_dirs,
1774 context->read_only_dirs,
1775 context->inaccessible_dirs,
1776 tmp,
1777 var,
1778 params->bus_endpoint_path,
1779 context->private_devices,
1780 context->protect_home,
1781 context->protect_system,
1782 context->mount_flags);
1783
1784 /* If we couldn't set up the namespace this is
1785 * probably due to a missing capability. In this case,
1786 * silently proceeed. */
1787 if (r == -EPERM || r == -EACCES) {
1788 log_open();
1789 log_unit_debug_errno(unit, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
1790 log_close();
1791 } else if (r < 0) {
1792 *exit_status = EXIT_NAMESPACE;
1793 return r;
1794 }
1795 }
1796
1797 if (context->working_directory_home)
1798 wd = home;
1799 else if (context->working_directory)
1800 wd = context->working_directory;
1801 else
1802 wd = "/";
1803
1804 if (params->apply_chroot) {
1805 if (!needs_mount_namespace && context->root_directory)
1806 if (chroot(context->root_directory) < 0) {
1807 *exit_status = EXIT_CHROOT;
1808 return -errno;
1809 }
1810
1811 if (chdir(wd) < 0 &&
1812 !context->working_directory_missing_ok) {
1813 *exit_status = EXIT_CHDIR;
1814 return -errno;
1815 }
1816 } else {
1817 const char *d;
1818
1819 d = strjoina(strempty(context->root_directory), "/", strempty(wd));
1820 if (chdir(d) < 0 &&
1821 !context->working_directory_missing_ok) {
1822 *exit_status = EXIT_CHDIR;
1823 return -errno;
1824 }
1825 }
1826
1827 #ifdef HAVE_SELINUX
1828 if (params->apply_permissions && mac_selinux_use() && params->selinux_context_net && socket_fd >= 0) {
1829 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
1830 if (r < 0) {
1831 *exit_status = EXIT_SELINUX_CONTEXT;
1832 return r;
1833 }
1834 }
1835 #endif
1836
1837 /* We repeat the fd closing here, to make sure that
1838 * nothing is leaked from the PAM modules. Note that
1839 * we are more aggressive this time since socket_fd
1840 * and the netns fds we don't need anymore. The custom
1841 * endpoint fd was needed to upload the policy and can
1842 * now be closed as well. */
1843 r = close_all_fds(fds, n_fds);
1844 if (r >= 0)
1845 r = shift_fds(fds, n_fds);
1846 if (r >= 0)
1847 r = flags_fds(fds, n_fds, context->non_blocking);
1848 if (r < 0) {
1849 *exit_status = EXIT_FDS;
1850 return r;
1851 }
1852
1853 if (params->apply_permissions) {
1854
1855 int secure_bits = context->secure_bits;
1856
1857 for (i = 0; i < _RLIMIT_MAX; i++) {
1858 if (!context->rlimit[i])
1859 continue;
1860
1861 if (setrlimit_closest(i, context->rlimit[i]) < 0) {
1862 *exit_status = EXIT_LIMITS;
1863 return -errno;
1864 }
1865 }
1866
1867 if (!cap_test_all(context->capability_bounding_set)) {
1868 r = capability_bounding_set_drop(context->capability_bounding_set, false);
1869 if (r < 0) {
1870 *exit_status = EXIT_CAPABILITIES;
1871 return r;
1872 }
1873 }
1874
1875 /* This is done before enforce_user, but ambient set
1876 * does not survive over setresuid() if keep_caps is not set. */
1877 if (context->capability_ambient_set != 0) {
1878 r = capability_ambient_set_apply(context->capability_ambient_set, true);
1879 if (r < 0) {
1880 *exit_status = EXIT_CAPABILITIES;
1881 return r;
1882 }
1883
1884 if (context->capabilities) {
1885
1886 /* The capabilities in ambient set need to be also in the inherited
1887 * set. If they aren't, trying to get them will fail. Add the ambient
1888 * set inherited capabilities to the capability set in the context.
1889 * This is needed because if capabilities are set (using "Capabilities="
1890 * keyword), they will override whatever we set now. */
1891
1892 r = capability_update_inherited_set(context->capabilities, context->capability_ambient_set);
1893 if (r < 0) {
1894 *exit_status = EXIT_CAPABILITIES;
1895 return r;
1896 }
1897 }
1898 }
1899
1900 if (context->user) {
1901 r = enforce_user(context, uid);
1902 if (r < 0) {
1903 *exit_status = EXIT_USER;
1904 return r;
1905 }
1906 if (context->capability_ambient_set != 0) {
1907
1908 /* Fix the ambient capabilities after user change. */
1909 r = capability_ambient_set_apply(context->capability_ambient_set, false);
1910 if (r < 0) {
1911 *exit_status = EXIT_CAPABILITIES;
1912 return r;
1913 }
1914
1915 /* If we were asked to change user and ambient capabilities
1916 * were requested, we had to add keep-caps to the securebits
1917 * so that we would maintain the inherited capability set
1918 * through the setresuid(). Make sure that the bit is added
1919 * also to the context secure_bits so that we don't try to
1920 * drop the bit away next. */
1921
1922 secure_bits |= 1<<SECURE_KEEP_CAPS;
1923 }
1924 }
1925
1926 /* PR_GET_SECUREBITS is not privileged, while
1927 * PR_SET_SECUREBITS is. So to suppress
1928 * potential EPERMs we'll try not to call
1929 * PR_SET_SECUREBITS unless necessary. */
1930 if (prctl(PR_GET_SECUREBITS) != secure_bits)
1931 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
1932 *exit_status = EXIT_SECUREBITS;
1933 return -errno;
1934 }
1935
1936 if (context->capabilities)
1937 if (cap_set_proc(context->capabilities) < 0) {
1938 *exit_status = EXIT_CAPABILITIES;
1939 return -errno;
1940 }
1941
1942 if (context->no_new_privileges)
1943 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
1944 *exit_status = EXIT_NO_NEW_PRIVILEGES;
1945 return -errno;
1946 }
1947
1948 #ifdef HAVE_SECCOMP
1949 if (context->address_families_whitelist ||
1950 !set_isempty(context->address_families)) {
1951 r = apply_address_families(context);
1952 if (r < 0) {
1953 *exit_status = EXIT_ADDRESS_FAMILIES;
1954 return r;
1955 }
1956 }
1957
1958 if (context->syscall_whitelist ||
1959 !set_isempty(context->syscall_filter) ||
1960 !set_isempty(context->syscall_archs)) {
1961 r = apply_seccomp(context);
1962 if (r < 0) {
1963 *exit_status = EXIT_SECCOMP;
1964 return r;
1965 }
1966 }
1967 #endif
1968
1969 #ifdef HAVE_SELINUX
1970 if (mac_selinux_use()) {
1971 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
1972
1973 if (exec_context) {
1974 r = setexeccon(exec_context);
1975 if (r < 0) {
1976 *exit_status = EXIT_SELINUX_CONTEXT;
1977 return r;
1978 }
1979 }
1980 }
1981 #endif
1982
1983 #ifdef HAVE_APPARMOR
1984 if (context->apparmor_profile && mac_apparmor_use()) {
1985 r = aa_change_onexec(context->apparmor_profile);
1986 if (r < 0 && !context->apparmor_profile_ignore) {
1987 *exit_status = EXIT_APPARMOR_PROFILE;
1988 return -errno;
1989 }
1990 }
1991 #endif
1992 }
1993
1994 r = build_environment(context, n_fds, params->fd_names, params->watchdog_usec, home, username, shell, &our_env);
1995 if (r < 0) {
1996 *exit_status = EXIT_MEMORY;
1997 return r;
1998 }
1999
2000 r = build_pass_environment(context, &pass_env);
2001 if (r < 0) {
2002 *exit_status = EXIT_MEMORY;
2003 return r;
2004 }
2005
2006 final_env = strv_env_merge(6,
2007 params->environment,
2008 our_env,
2009 pass_env,
2010 context->environment,
2011 files_env,
2012 pam_env,
2013 NULL);
2014 if (!final_env) {
2015 *exit_status = EXIT_MEMORY;
2016 return -ENOMEM;
2017 }
2018
2019 final_argv = replace_env_argv(argv, final_env);
2020 if (!final_argv) {
2021 *exit_status = EXIT_MEMORY;
2022 return -ENOMEM;
2023 }
2024
2025 final_env = strv_env_clean(final_env);
2026
2027 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
2028 _cleanup_free_ char *line;
2029
2030 line = exec_command_line(final_argv);
2031 if (line) {
2032 log_open();
2033 log_struct(LOG_DEBUG,
2034 LOG_UNIT_ID(unit),
2035 "EXECUTABLE=%s", command->path,
2036 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
2037 NULL);
2038 log_close();
2039 }
2040 }
2041
2042 execve(command->path, final_argv, final_env);
2043 *exit_status = EXIT_EXEC;
2044 return -errno;
2045 }
2046
2047 int exec_spawn(Unit *unit,
2048 ExecCommand *command,
2049 const ExecContext *context,
2050 const ExecParameters *params,
2051 ExecRuntime *runtime,
2052 pid_t *ret) {
2053
2054 _cleanup_strv_free_ char **files_env = NULL;
2055 int *fds = NULL; unsigned n_fds = 0;
2056 _cleanup_free_ char *line = NULL;
2057 int socket_fd, r;
2058 char **argv;
2059 pid_t pid;
2060
2061 assert(unit);
2062 assert(command);
2063 assert(context);
2064 assert(ret);
2065 assert(params);
2066 assert(params->fds || params->n_fds <= 0);
2067
2068 if (context->std_input == EXEC_INPUT_SOCKET ||
2069 context->std_output == EXEC_OUTPUT_SOCKET ||
2070 context->std_error == EXEC_OUTPUT_SOCKET) {
2071
2072 if (params->n_fds != 1) {
2073 log_unit_error(unit, "Got more than one socket.");
2074 return -EINVAL;
2075 }
2076
2077 socket_fd = params->fds[0];
2078 } else {
2079 socket_fd = -1;
2080 fds = params->fds;
2081 n_fds = params->n_fds;
2082 }
2083
2084 r = exec_context_load_environment(unit, context, &files_env);
2085 if (r < 0)
2086 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
2087
2088 argv = params->argv ?: command->argv;
2089 line = exec_command_line(argv);
2090 if (!line)
2091 return log_oom();
2092
2093 log_struct(LOG_DEBUG,
2094 LOG_UNIT_ID(unit),
2095 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
2096 "EXECUTABLE=%s", command->path,
2097 NULL);
2098 pid = fork();
2099 if (pid < 0)
2100 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
2101
2102 if (pid == 0) {
2103 int exit_status;
2104
2105 r = exec_child(unit,
2106 command,
2107 context,
2108 params,
2109 runtime,
2110 argv,
2111 socket_fd,
2112 fds, n_fds,
2113 files_env,
2114 &exit_status);
2115 if (r < 0) {
2116 log_open();
2117 log_struct_errno(LOG_ERR, r,
2118 LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
2119 LOG_UNIT_ID(unit),
2120 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
2121 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
2122 command->path),
2123 "EXECUTABLE=%s", command->path,
2124 NULL);
2125 }
2126
2127 _exit(exit_status);
2128 }
2129
2130 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
2131
2132 /* We add the new process to the cgroup both in the child (so
2133 * that we can be sure that no user code is ever executed
2134 * outside of the cgroup) and in the parent (so that we can be
2135 * sure that when we kill the cgroup the process will be
2136 * killed too). */
2137 if (params->cgroup_path)
2138 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
2139
2140 exec_status_start(&command->exec_status, pid);
2141
2142 *ret = pid;
2143 return 0;
2144 }
2145
2146 void exec_context_init(ExecContext *c) {
2147 assert(c);
2148
2149 c->umask = 0022;
2150 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
2151 c->cpu_sched_policy = SCHED_OTHER;
2152 c->syslog_priority = LOG_DAEMON|LOG_INFO;
2153 c->syslog_level_prefix = true;
2154 c->ignore_sigpipe = true;
2155 c->timer_slack_nsec = NSEC_INFINITY;
2156 c->personality = PERSONALITY_INVALID;
2157 c->runtime_directory_mode = 0755;
2158 c->capability_bounding_set = CAP_ALL;
2159 }
2160
2161 void exec_context_done(ExecContext *c) {
2162 unsigned l;
2163
2164 assert(c);
2165
2166 c->environment = strv_free(c->environment);
2167 c->environment_files = strv_free(c->environment_files);
2168 c->pass_environment = strv_free(c->pass_environment);
2169
2170 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
2171 c->rlimit[l] = mfree(c->rlimit[l]);
2172
2173 c->working_directory = mfree(c->working_directory);
2174 c->root_directory = mfree(c->root_directory);
2175 c->tty_path = mfree(c->tty_path);
2176 c->syslog_identifier = mfree(c->syslog_identifier);
2177 c->user = mfree(c->user);
2178 c->group = mfree(c->group);
2179
2180 c->supplementary_groups = strv_free(c->supplementary_groups);
2181
2182 c->pam_name = mfree(c->pam_name);
2183
2184 if (c->capabilities) {
2185 cap_free(c->capabilities);
2186 c->capabilities = NULL;
2187 }
2188
2189 c->read_only_dirs = strv_free(c->read_only_dirs);
2190 c->read_write_dirs = strv_free(c->read_write_dirs);
2191 c->inaccessible_dirs = strv_free(c->inaccessible_dirs);
2192
2193 if (c->cpuset)
2194 CPU_FREE(c->cpuset);
2195
2196 c->utmp_id = mfree(c->utmp_id);
2197 c->selinux_context = mfree(c->selinux_context);
2198 c->apparmor_profile = mfree(c->apparmor_profile);
2199
2200 c->syscall_filter = set_free(c->syscall_filter);
2201 c->syscall_archs = set_free(c->syscall_archs);
2202 c->address_families = set_free(c->address_families);
2203
2204 c->runtime_directory = strv_free(c->runtime_directory);
2205
2206 bus_endpoint_free(c->bus_endpoint);
2207 c->bus_endpoint = NULL;
2208 }
2209
2210 int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
2211 char **i;
2212
2213 assert(c);
2214
2215 if (!runtime_prefix)
2216 return 0;
2217
2218 STRV_FOREACH(i, c->runtime_directory) {
2219 _cleanup_free_ char *p;
2220
2221 p = strjoin(runtime_prefix, "/", *i, NULL);
2222 if (!p)
2223 return -ENOMEM;
2224
2225 /* We execute this synchronously, since we need to be
2226 * sure this is gone when we start the service
2227 * next. */
2228 (void) rm_rf(p, REMOVE_ROOT);
2229 }
2230
2231 return 0;
2232 }
2233
2234 void exec_command_done(ExecCommand *c) {
2235 assert(c);
2236
2237 c->path = mfree(c->path);
2238
2239 c->argv = strv_free(c->argv);
2240 }
2241
2242 void exec_command_done_array(ExecCommand *c, unsigned n) {
2243 unsigned i;
2244
2245 for (i = 0; i < n; i++)
2246 exec_command_done(c+i);
2247 }
2248
2249 ExecCommand* exec_command_free_list(ExecCommand *c) {
2250 ExecCommand *i;
2251
2252 while ((i = c)) {
2253 LIST_REMOVE(command, c, i);
2254 exec_command_done(i);
2255 free(i);
2256 }
2257
2258 return NULL;
2259 }
2260
2261 void exec_command_free_array(ExecCommand **c, unsigned n) {
2262 unsigned i;
2263
2264 for (i = 0; i < n; i++)
2265 c[i] = exec_command_free_list(c[i]);
2266 }
2267
2268 typedef struct InvalidEnvInfo {
2269 Unit *unit;
2270 const char *path;
2271 } InvalidEnvInfo;
2272
2273 static void invalid_env(const char *p, void *userdata) {
2274 InvalidEnvInfo *info = userdata;
2275
2276 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
2277 }
2278
2279 int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
2280 char **i, **r = NULL;
2281
2282 assert(c);
2283 assert(l);
2284
2285 STRV_FOREACH(i, c->environment_files) {
2286 char *fn;
2287 int k;
2288 bool ignore = false;
2289 char **p;
2290 _cleanup_globfree_ glob_t pglob = {};
2291 int count, n;
2292
2293 fn = *i;
2294
2295 if (fn[0] == '-') {
2296 ignore = true;
2297 fn ++;
2298 }
2299
2300 if (!path_is_absolute(fn)) {
2301 if (ignore)
2302 continue;
2303
2304 strv_free(r);
2305 return -EINVAL;
2306 }
2307
2308 /* Filename supports globbing, take all matching files */
2309 errno = 0;
2310 if (glob(fn, 0, NULL, &pglob) != 0) {
2311 if (ignore)
2312 continue;
2313
2314 strv_free(r);
2315 return errno > 0 ? -errno : -EINVAL;
2316 }
2317 count = pglob.gl_pathc;
2318 if (count == 0) {
2319 if (ignore)
2320 continue;
2321
2322 strv_free(r);
2323 return -EINVAL;
2324 }
2325 for (n = 0; n < count; n++) {
2326 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
2327 if (k < 0) {
2328 if (ignore)
2329 continue;
2330
2331 strv_free(r);
2332 return k;
2333 }
2334 /* Log invalid environment variables with filename */
2335 if (p) {
2336 InvalidEnvInfo info = {
2337 .unit = unit,
2338 .path = pglob.gl_pathv[n]
2339 };
2340
2341 p = strv_env_clean_with_callback(p, invalid_env, &info);
2342 }
2343
2344 if (r == NULL)
2345 r = p;
2346 else {
2347 char **m;
2348
2349 m = strv_env_merge(2, r, p);
2350 strv_free(r);
2351 strv_free(p);
2352 if (!m)
2353 return -ENOMEM;
2354
2355 r = m;
2356 }
2357 }
2358 }
2359
2360 *l = r;
2361
2362 return 0;
2363 }
2364
2365 static bool tty_may_match_dev_console(const char *tty) {
2366 _cleanup_free_ char *active = NULL;
2367 char *console;
2368
2369 if (startswith(tty, "/dev/"))
2370 tty += 5;
2371
2372 /* trivial identity? */
2373 if (streq(tty, "console"))
2374 return true;
2375
2376 console = resolve_dev_console(&active);
2377 /* if we could not resolve, assume it may */
2378 if (!console)
2379 return true;
2380
2381 /* "tty0" means the active VC, so it may be the same sometimes */
2382 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
2383 }
2384
2385 bool exec_context_may_touch_console(ExecContext *ec) {
2386 return (ec->tty_reset || ec->tty_vhangup || ec->tty_vt_disallocate ||
2387 is_terminal_input(ec->std_input) ||
2388 is_terminal_output(ec->std_output) ||
2389 is_terminal_output(ec->std_error)) &&
2390 tty_may_match_dev_console(tty_path(ec));
2391 }
2392
2393 static void strv_fprintf(FILE *f, char **l) {
2394 char **g;
2395
2396 assert(f);
2397
2398 STRV_FOREACH(g, l)
2399 fprintf(f, " %s", *g);
2400 }
2401
2402 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
2403 char **e, **d;
2404 unsigned i;
2405
2406 assert(c);
2407 assert(f);
2408
2409 prefix = strempty(prefix);
2410
2411 fprintf(f,
2412 "%sUMask: %04o\n"
2413 "%sWorkingDirectory: %s\n"
2414 "%sRootDirectory: %s\n"
2415 "%sNonBlocking: %s\n"
2416 "%sPrivateTmp: %s\n"
2417 "%sPrivateNetwork: %s\n"
2418 "%sPrivateDevices: %s\n"
2419 "%sProtectHome: %s\n"
2420 "%sProtectSystem: %s\n"
2421 "%sIgnoreSIGPIPE: %s\n",
2422 prefix, c->umask,
2423 prefix, c->working_directory ? c->working_directory : "/",
2424 prefix, c->root_directory ? c->root_directory : "/",
2425 prefix, yes_no(c->non_blocking),
2426 prefix, yes_no(c->private_tmp),
2427 prefix, yes_no(c->private_network),
2428 prefix, yes_no(c->private_devices),
2429 prefix, protect_home_to_string(c->protect_home),
2430 prefix, protect_system_to_string(c->protect_system),
2431 prefix, yes_no(c->ignore_sigpipe));
2432
2433 STRV_FOREACH(e, c->environment)
2434 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
2435
2436 STRV_FOREACH(e, c->environment_files)
2437 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
2438
2439 STRV_FOREACH(e, c->pass_environment)
2440 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
2441
2442 fprintf(f, "%sRuntimeDirectoryMode: %04o\n", prefix, c->runtime_directory_mode);
2443
2444 STRV_FOREACH(d, c->runtime_directory)
2445 fprintf(f, "%sRuntimeDirectory: %s\n", prefix, *d);
2446
2447 if (c->nice_set)
2448 fprintf(f,
2449 "%sNice: %i\n",
2450 prefix, c->nice);
2451
2452 if (c->oom_score_adjust_set)
2453 fprintf(f,
2454 "%sOOMScoreAdjust: %i\n",
2455 prefix, c->oom_score_adjust);
2456
2457 for (i = 0; i < RLIM_NLIMITS; i++)
2458 if (c->rlimit[i]) {
2459 fprintf(f, "%s%s: " RLIM_FMT "\n",
2460 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
2461 fprintf(f, "%s%sSoft: " RLIM_FMT "\n",
2462 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
2463 }
2464
2465 if (c->ioprio_set) {
2466 _cleanup_free_ char *class_str = NULL;
2467
2468 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
2469 fprintf(f,
2470 "%sIOSchedulingClass: %s\n"
2471 "%sIOPriority: %i\n",
2472 prefix, strna(class_str),
2473 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
2474 }
2475
2476 if (c->cpu_sched_set) {
2477 _cleanup_free_ char *policy_str = NULL;
2478
2479 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
2480 fprintf(f,
2481 "%sCPUSchedulingPolicy: %s\n"
2482 "%sCPUSchedulingPriority: %i\n"
2483 "%sCPUSchedulingResetOnFork: %s\n",
2484 prefix, strna(policy_str),
2485 prefix, c->cpu_sched_priority,
2486 prefix, yes_no(c->cpu_sched_reset_on_fork));
2487 }
2488
2489 if (c->cpuset) {
2490 fprintf(f, "%sCPUAffinity:", prefix);
2491 for (i = 0; i < c->cpuset_ncpus; i++)
2492 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
2493 fprintf(f, " %u", i);
2494 fputs("\n", f);
2495 }
2496
2497 if (c->timer_slack_nsec != NSEC_INFINITY)
2498 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
2499
2500 fprintf(f,
2501 "%sStandardInput: %s\n"
2502 "%sStandardOutput: %s\n"
2503 "%sStandardError: %s\n",
2504 prefix, exec_input_to_string(c->std_input),
2505 prefix, exec_output_to_string(c->std_output),
2506 prefix, exec_output_to_string(c->std_error));
2507
2508 if (c->tty_path)
2509 fprintf(f,
2510 "%sTTYPath: %s\n"
2511 "%sTTYReset: %s\n"
2512 "%sTTYVHangup: %s\n"
2513 "%sTTYVTDisallocate: %s\n",
2514 prefix, c->tty_path,
2515 prefix, yes_no(c->tty_reset),
2516 prefix, yes_no(c->tty_vhangup),
2517 prefix, yes_no(c->tty_vt_disallocate));
2518
2519 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
2520 c->std_output == EXEC_OUTPUT_KMSG ||
2521 c->std_output == EXEC_OUTPUT_JOURNAL ||
2522 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2523 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2524 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
2525 c->std_error == EXEC_OUTPUT_SYSLOG ||
2526 c->std_error == EXEC_OUTPUT_KMSG ||
2527 c->std_error == EXEC_OUTPUT_JOURNAL ||
2528 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2529 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2530 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
2531
2532 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
2533
2534 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
2535 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
2536
2537 fprintf(f,
2538 "%sSyslogFacility: %s\n"
2539 "%sSyslogLevel: %s\n",
2540 prefix, strna(fac_str),
2541 prefix, strna(lvl_str));
2542 }
2543
2544 if (c->capabilities) {
2545 _cleanup_cap_free_charp_ char *t;
2546
2547 t = cap_to_text(c->capabilities, NULL);
2548 if (t)
2549 fprintf(f, "%sCapabilities: %s\n", prefix, t);
2550 }
2551
2552 if (c->secure_bits)
2553 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
2554 prefix,
2555 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
2556 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
2557 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
2558 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
2559 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
2560 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
2561
2562 if (c->capability_bounding_set != CAP_ALL) {
2563 unsigned long l;
2564 fprintf(f, "%sCapabilityBoundingSet:", prefix);
2565
2566 for (l = 0; l <= cap_last_cap(); l++)
2567 if (c->capability_bounding_set & (UINT64_C(1) << l))
2568 fprintf(f, " %s", strna(capability_to_name(l)));
2569
2570 fputs("\n", f);
2571 }
2572
2573 if (c->capability_ambient_set != 0) {
2574 unsigned long l;
2575 fprintf(f, "%sAmbientCapabilities:", prefix);
2576
2577 for (l = 0; l <= cap_last_cap(); l++)
2578 if (c->capability_ambient_set & (UINT64_C(1) << l))
2579 fprintf(f, " %s", strna(capability_to_name(l)));
2580
2581 fputs("\n", f);
2582 }
2583
2584 if (c->user)
2585 fprintf(f, "%sUser: %s\n", prefix, c->user);
2586 if (c->group)
2587 fprintf(f, "%sGroup: %s\n", prefix, c->group);
2588
2589 if (strv_length(c->supplementary_groups) > 0) {
2590 fprintf(f, "%sSupplementaryGroups:", prefix);
2591 strv_fprintf(f, c->supplementary_groups);
2592 fputs("\n", f);
2593 }
2594
2595 if (c->pam_name)
2596 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
2597
2598 if (strv_length(c->read_write_dirs) > 0) {
2599 fprintf(f, "%sReadWriteDirs:", prefix);
2600 strv_fprintf(f, c->read_write_dirs);
2601 fputs("\n", f);
2602 }
2603
2604 if (strv_length(c->read_only_dirs) > 0) {
2605 fprintf(f, "%sReadOnlyDirs:", prefix);
2606 strv_fprintf(f, c->read_only_dirs);
2607 fputs("\n", f);
2608 }
2609
2610 if (strv_length(c->inaccessible_dirs) > 0) {
2611 fprintf(f, "%sInaccessibleDirs:", prefix);
2612 strv_fprintf(f, c->inaccessible_dirs);
2613 fputs("\n", f);
2614 }
2615
2616 if (c->utmp_id)
2617 fprintf(f,
2618 "%sUtmpIdentifier: %s\n",
2619 prefix, c->utmp_id);
2620
2621 if (c->selinux_context)
2622 fprintf(f,
2623 "%sSELinuxContext: %s%s\n",
2624 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
2625
2626 if (c->personality != PERSONALITY_INVALID)
2627 fprintf(f,
2628 "%sPersonality: %s\n",
2629 prefix, strna(personality_to_string(c->personality)));
2630
2631 if (c->syscall_filter) {
2632 #ifdef HAVE_SECCOMP
2633 Iterator j;
2634 void *id;
2635 bool first = true;
2636 #endif
2637
2638 fprintf(f,
2639 "%sSystemCallFilter: ",
2640 prefix);
2641
2642 if (!c->syscall_whitelist)
2643 fputc('~', f);
2644
2645 #ifdef HAVE_SECCOMP
2646 SET_FOREACH(id, c->syscall_filter, j) {
2647 _cleanup_free_ char *name = NULL;
2648
2649 if (first)
2650 first = false;
2651 else
2652 fputc(' ', f);
2653
2654 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
2655 fputs(strna(name), f);
2656 }
2657 #endif
2658
2659 fputc('\n', f);
2660 }
2661
2662 if (c->syscall_archs) {
2663 #ifdef HAVE_SECCOMP
2664 Iterator j;
2665 void *id;
2666 #endif
2667
2668 fprintf(f,
2669 "%sSystemCallArchitectures:",
2670 prefix);
2671
2672 #ifdef HAVE_SECCOMP
2673 SET_FOREACH(id, c->syscall_archs, j)
2674 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
2675 #endif
2676 fputc('\n', f);
2677 }
2678
2679 if (c->syscall_errno > 0)
2680 fprintf(f,
2681 "%sSystemCallErrorNumber: %s\n",
2682 prefix, strna(errno_to_name(c->syscall_errno)));
2683
2684 if (c->apparmor_profile)
2685 fprintf(f,
2686 "%sAppArmorProfile: %s%s\n",
2687 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
2688 }
2689
2690 bool exec_context_maintains_privileges(ExecContext *c) {
2691 assert(c);
2692
2693 /* Returns true if the process forked off would run run under
2694 * an unchanged UID or as root. */
2695
2696 if (!c->user)
2697 return true;
2698
2699 if (streq(c->user, "root") || streq(c->user, "0"))
2700 return true;
2701
2702 return false;
2703 }
2704
2705 void exec_status_start(ExecStatus *s, pid_t pid) {
2706 assert(s);
2707
2708 zero(*s);
2709 s->pid = pid;
2710 dual_timestamp_get(&s->start_timestamp);
2711 }
2712
2713 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
2714 assert(s);
2715
2716 if (s->pid && s->pid != pid)
2717 zero(*s);
2718
2719 s->pid = pid;
2720 dual_timestamp_get(&s->exit_timestamp);
2721
2722 s->code = code;
2723 s->status = status;
2724
2725 if (context) {
2726 if (context->utmp_id)
2727 utmp_put_dead_process(context->utmp_id, pid, code, status);
2728
2729 exec_context_tty_reset(context);
2730 }
2731 }
2732
2733 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
2734 char buf[FORMAT_TIMESTAMP_MAX];
2735
2736 assert(s);
2737 assert(f);
2738
2739 if (s->pid <= 0)
2740 return;
2741
2742 prefix = strempty(prefix);
2743
2744 fprintf(f,
2745 "%sPID: "PID_FMT"\n",
2746 prefix, s->pid);
2747
2748 if (s->start_timestamp.realtime > 0)
2749 fprintf(f,
2750 "%sStart Timestamp: %s\n",
2751 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
2752
2753 if (s->exit_timestamp.realtime > 0)
2754 fprintf(f,
2755 "%sExit Timestamp: %s\n"
2756 "%sExit Code: %s\n"
2757 "%sExit Status: %i\n",
2758 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
2759 prefix, sigchld_code_to_string(s->code),
2760 prefix, s->status);
2761 }
2762
2763 char *exec_command_line(char **argv) {
2764 size_t k;
2765 char *n, *p, **a;
2766 bool first = true;
2767
2768 assert(argv);
2769
2770 k = 1;
2771 STRV_FOREACH(a, argv)
2772 k += strlen(*a)+3;
2773
2774 if (!(n = new(char, k)))
2775 return NULL;
2776
2777 p = n;
2778 STRV_FOREACH(a, argv) {
2779
2780 if (!first)
2781 *(p++) = ' ';
2782 else
2783 first = false;
2784
2785 if (strpbrk(*a, WHITESPACE)) {
2786 *(p++) = '\'';
2787 p = stpcpy(p, *a);
2788 *(p++) = '\'';
2789 } else
2790 p = stpcpy(p, *a);
2791
2792 }
2793
2794 *p = 0;
2795
2796 /* FIXME: this doesn't really handle arguments that have
2797 * spaces and ticks in them */
2798
2799 return n;
2800 }
2801
2802 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
2803 _cleanup_free_ char *cmd = NULL;
2804 const char *prefix2;
2805
2806 assert(c);
2807 assert(f);
2808
2809 prefix = strempty(prefix);
2810 prefix2 = strjoina(prefix, "\t");
2811
2812 cmd = exec_command_line(c->argv);
2813 fprintf(f,
2814 "%sCommand Line: %s\n",
2815 prefix, cmd ? cmd : strerror(ENOMEM));
2816
2817 exec_status_dump(&c->exec_status, f, prefix2);
2818 }
2819
2820 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2821 assert(f);
2822
2823 prefix = strempty(prefix);
2824
2825 LIST_FOREACH(command, c, c)
2826 exec_command_dump(c, f, prefix);
2827 }
2828
2829 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
2830 ExecCommand *end;
2831
2832 assert(l);
2833 assert(e);
2834
2835 if (*l) {
2836 /* It's kind of important, that we keep the order here */
2837 LIST_FIND_TAIL(command, *l, end);
2838 LIST_INSERT_AFTER(command, *l, end, e);
2839 } else
2840 *l = e;
2841 }
2842
2843 int exec_command_set(ExecCommand *c, const char *path, ...) {
2844 va_list ap;
2845 char **l, *p;
2846
2847 assert(c);
2848 assert(path);
2849
2850 va_start(ap, path);
2851 l = strv_new_ap(path, ap);
2852 va_end(ap);
2853
2854 if (!l)
2855 return -ENOMEM;
2856
2857 p = strdup(path);
2858 if (!p) {
2859 strv_free(l);
2860 return -ENOMEM;
2861 }
2862
2863 free(c->path);
2864 c->path = p;
2865
2866 strv_free(c->argv);
2867 c->argv = l;
2868
2869 return 0;
2870 }
2871
2872 int exec_command_append(ExecCommand *c, const char *path, ...) {
2873 _cleanup_strv_free_ char **l = NULL;
2874 va_list ap;
2875 int r;
2876
2877 assert(c);
2878 assert(path);
2879
2880 va_start(ap, path);
2881 l = strv_new_ap(path, ap);
2882 va_end(ap);
2883
2884 if (!l)
2885 return -ENOMEM;
2886
2887 r = strv_extend_strv(&c->argv, l, false);
2888 if (r < 0)
2889 return r;
2890
2891 return 0;
2892 }
2893
2894
2895 static int exec_runtime_allocate(ExecRuntime **rt) {
2896
2897 if (*rt)
2898 return 0;
2899
2900 *rt = new0(ExecRuntime, 1);
2901 if (!*rt)
2902 return -ENOMEM;
2903
2904 (*rt)->n_ref = 1;
2905 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
2906
2907 return 0;
2908 }
2909
2910 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
2911 int r;
2912
2913 assert(rt);
2914 assert(c);
2915 assert(id);
2916
2917 if (*rt)
2918 return 1;
2919
2920 if (!c->private_network && !c->private_tmp)
2921 return 0;
2922
2923 r = exec_runtime_allocate(rt);
2924 if (r < 0)
2925 return r;
2926
2927 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
2928 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, (*rt)->netns_storage_socket) < 0)
2929 return -errno;
2930 }
2931
2932 if (c->private_tmp && !(*rt)->tmp_dir) {
2933 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
2934 if (r < 0)
2935 return r;
2936 }
2937
2938 return 1;
2939 }
2940
2941 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
2942 assert(r);
2943 assert(r->n_ref > 0);
2944
2945 r->n_ref++;
2946 return r;
2947 }
2948
2949 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
2950
2951 if (!r)
2952 return NULL;
2953
2954 assert(r->n_ref > 0);
2955
2956 r->n_ref--;
2957 if (r->n_ref > 0)
2958 return NULL;
2959
2960 free(r->tmp_dir);
2961 free(r->var_tmp_dir);
2962 safe_close_pair(r->netns_storage_socket);
2963 free(r);
2964
2965 return NULL;
2966 }
2967
2968 int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
2969 assert(u);
2970 assert(f);
2971 assert(fds);
2972
2973 if (!rt)
2974 return 0;
2975
2976 if (rt->tmp_dir)
2977 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
2978
2979 if (rt->var_tmp_dir)
2980 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
2981
2982 if (rt->netns_storage_socket[0] >= 0) {
2983 int copy;
2984
2985 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
2986 if (copy < 0)
2987 return copy;
2988
2989 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
2990 }
2991
2992 if (rt->netns_storage_socket[1] >= 0) {
2993 int copy;
2994
2995 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
2996 if (copy < 0)
2997 return copy;
2998
2999 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
3000 }
3001
3002 return 0;
3003 }
3004
3005 int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
3006 int r;
3007
3008 assert(rt);
3009 assert(key);
3010 assert(value);
3011
3012 if (streq(key, "tmp-dir")) {
3013 char *copy;
3014
3015 r = exec_runtime_allocate(rt);
3016 if (r < 0)
3017 return log_oom();
3018
3019 copy = strdup(value);
3020 if (!copy)
3021 return log_oom();
3022
3023 free((*rt)->tmp_dir);
3024 (*rt)->tmp_dir = copy;
3025
3026 } else if (streq(key, "var-tmp-dir")) {
3027 char *copy;
3028
3029 r = exec_runtime_allocate(rt);
3030 if (r < 0)
3031 return log_oom();
3032
3033 copy = strdup(value);
3034 if (!copy)
3035 return log_oom();
3036
3037 free((*rt)->var_tmp_dir);
3038 (*rt)->var_tmp_dir = copy;
3039
3040 } else if (streq(key, "netns-socket-0")) {
3041 int fd;
3042
3043 r = exec_runtime_allocate(rt);
3044 if (r < 0)
3045 return log_oom();
3046
3047 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
3048 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
3049 else {
3050 safe_close((*rt)->netns_storage_socket[0]);
3051 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
3052 }
3053 } else if (streq(key, "netns-socket-1")) {
3054 int fd;
3055
3056 r = exec_runtime_allocate(rt);
3057 if (r < 0)
3058 return log_oom();
3059
3060 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
3061 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
3062 else {
3063 safe_close((*rt)->netns_storage_socket[1]);
3064 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
3065 }
3066 } else
3067 return 0;
3068
3069 return 1;
3070 }
3071
3072 static void *remove_tmpdir_thread(void *p) {
3073 _cleanup_free_ char *path = p;
3074
3075 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
3076 return NULL;
3077 }
3078
3079 void exec_runtime_destroy(ExecRuntime *rt) {
3080 int r;
3081
3082 if (!rt)
3083 return;
3084
3085 /* If there are multiple users of this, let's leave the stuff around */
3086 if (rt->n_ref > 1)
3087 return;
3088
3089 if (rt->tmp_dir) {
3090 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
3091
3092 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
3093 if (r < 0) {
3094 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
3095 free(rt->tmp_dir);
3096 }
3097
3098 rt->tmp_dir = NULL;
3099 }
3100
3101 if (rt->var_tmp_dir) {
3102 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
3103
3104 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
3105 if (r < 0) {
3106 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
3107 free(rt->var_tmp_dir);
3108 }
3109
3110 rt->var_tmp_dir = NULL;
3111 }
3112
3113 safe_close_pair(rt->netns_storage_socket);
3114 }
3115
3116 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
3117 [EXEC_INPUT_NULL] = "null",
3118 [EXEC_INPUT_TTY] = "tty",
3119 [EXEC_INPUT_TTY_FORCE] = "tty-force",
3120 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
3121 [EXEC_INPUT_SOCKET] = "socket"
3122 };
3123
3124 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
3125
3126 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
3127 [EXEC_OUTPUT_INHERIT] = "inherit",
3128 [EXEC_OUTPUT_NULL] = "null",
3129 [EXEC_OUTPUT_TTY] = "tty",
3130 [EXEC_OUTPUT_SYSLOG] = "syslog",
3131 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
3132 [EXEC_OUTPUT_KMSG] = "kmsg",
3133 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
3134 [EXEC_OUTPUT_JOURNAL] = "journal",
3135 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
3136 [EXEC_OUTPUT_SOCKET] = "socket"
3137 };
3138
3139 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
3140
3141 static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
3142 [EXEC_UTMP_INIT] = "init",
3143 [EXEC_UTMP_LOGIN] = "login",
3144 [EXEC_UTMP_USER] = "user",
3145 };
3146
3147 DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
Unnamed repository; edit this file 'description' to name the repository.