]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/execute.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
core: add a concept of "dynamic" user ids, that are allocated as long as a service...
[thirdparty/systemd.git] / src / core / execute.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <errno.h>
21 #include <fcntl.h>
22 #include <glob.h>
23 #include <grp.h>
24 #include <poll.h>
25 #include <signal.h>
26 #include <string.h>
27 #include <sys/capability.h>
28 #include <sys/mman.h>
29 #include <sys/personality.h>
30 #include <sys/prctl.h>
31 #include <sys/socket.h>
32 #include <sys/stat.h>
33 #include <sys/un.h>
34 #include <unistd.h>
35 #include <utmpx.h>
36
37 #ifdef HAVE_PAM
38 #include <security/pam_appl.h>
39 #endif
40
41 #ifdef HAVE_SELINUX
42 #include <selinux/selinux.h>
43 #endif
44
45 #ifdef HAVE_SECCOMP
46 #include <seccomp.h>
47 #endif
48
49 #ifdef HAVE_APPARMOR
50 #include <sys/apparmor.h>
51 #endif
52
53 #include "sd-messages.h"
54
55 #include "af-list.h"
56 #include "alloc-util.h"
57 #ifdef HAVE_APPARMOR
58 #include "apparmor-util.h"
59 #endif
60 #include "async.h"
61 #include "barrier.h"
62 #include "cap-list.h"
63 #include "capability-util.h"
64 #include "def.h"
65 #include "env-util.h"
66 #include "errno-list.h"
67 #include "execute.h"
68 #include "exit-status.h"
69 #include "fd-util.h"
70 #include "fileio.h"
71 #include "formats-util.h"
72 #include "fs-util.h"
73 #include "glob-util.h"
74 #include "io-util.h"
75 #include "ioprio.h"
76 #include "log.h"
77 #include "macro.h"
78 #include "missing.h"
79 #include "mkdir.h"
80 #include "namespace.h"
81 #include "parse-util.h"
82 #include "path-util.h"
83 #include "process-util.h"
84 #include "rlimit-util.h"
85 #include "rm-rf.h"
86 #ifdef HAVE_SECCOMP
87 #include "seccomp-util.h"
88 #endif
89 #include "securebits.h"
90 #include "selinux-util.h"
91 #include "signal-util.h"
92 #include "smack-util.h"
93 #include "string-table.h"
94 #include "string-util.h"
95 #include "strv.h"
96 #include "syslog-util.h"
97 #include "terminal-util.h"
98 #include "unit.h"
99 #include "user-util.h"
100 #include "util.h"
101 #include "utmp-wtmp.h"
102
103 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
104 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
105
106 /* This assumes there is a 'tty' group */
107 #define TTY_MODE 0620
108
109 #define SNDBUF_SIZE (8*1024*1024)
110
111 static int shift_fds(int fds[], unsigned n_fds) {
112 int start, restart_from;
113
114 if (n_fds <= 0)
115 return 0;
116
117 /* Modifies the fds array! (sorts it) */
118
119 assert(fds);
120
121 start = 0;
122 for (;;) {
123 int i;
124
125 restart_from = -1;
126
127 for (i = start; i < (int) n_fds; i++) {
128 int nfd;
129
130 /* Already at right index? */
131 if (fds[i] == i+3)
132 continue;
133
134 nfd = fcntl(fds[i], F_DUPFD, i + 3);
135 if (nfd < 0)
136 return -errno;
137
138 safe_close(fds[i]);
139 fds[i] = nfd;
140
141 /* Hmm, the fd we wanted isn't free? Then
142 * let's remember that and try again from here */
143 if (nfd != i+3 && restart_from < 0)
144 restart_from = i;
145 }
146
147 if (restart_from < 0)
148 break;
149
150 start = restart_from;
151 }
152
153 return 0;
154 }
155
156 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
157 unsigned i;
158 int r;
159
160 if (n_fds <= 0)
161 return 0;
162
163 assert(fds);
164
165 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
166
167 for (i = 0; i < n_fds; i++) {
168
169 r = fd_nonblock(fds[i], nonblock);
170 if (r < 0)
171 return r;
172
173 /* We unconditionally drop FD_CLOEXEC from the fds,
174 * since after all we want to pass these fds to our
175 * children */
176
177 r = fd_cloexec(fds[i], false);
178 if (r < 0)
179 return r;
180 }
181
182 return 0;
183 }
184
185 static const char *exec_context_tty_path(const ExecContext *context) {
186 assert(context);
187
188 if (context->stdio_as_fds)
189 return NULL;
190
191 if (context->tty_path)
192 return context->tty_path;
193
194 return "/dev/console";
195 }
196
197 static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
198 const char *path;
199
200 assert(context);
201
202 path = exec_context_tty_path(context);
203
204 if (context->tty_vhangup) {
205 if (p && p->stdin_fd >= 0)
206 (void) terminal_vhangup_fd(p->stdin_fd);
207 else if (path)
208 (void) terminal_vhangup(path);
209 }
210
211 if (context->tty_reset) {
212 if (p && p->stdin_fd >= 0)
213 (void) reset_terminal_fd(p->stdin_fd, true);
214 else if (path)
215 (void) reset_terminal(path);
216 }
217
218 if (context->tty_vt_disallocate && path)
219 (void) vt_disallocate(path);
220 }
221
222 static bool is_terminal_output(ExecOutput o) {
223 return
224 o == EXEC_OUTPUT_TTY ||
225 o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
226 o == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
227 o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE;
228 }
229
230 static int open_null_as(int flags, int nfd) {
231 int fd, r;
232
233 assert(nfd >= 0);
234
235 fd = open("/dev/null", flags|O_NOCTTY);
236 if (fd < 0)
237 return -errno;
238
239 if (fd != nfd) {
240 r = dup2(fd, nfd) < 0 ? -errno : nfd;
241 safe_close(fd);
242 } else
243 r = nfd;
244
245 return r;
246 }
247
248 static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
249 union sockaddr_union sa = {
250 .un.sun_family = AF_UNIX,
251 .un.sun_path = "/run/systemd/journal/stdout",
252 };
253 uid_t olduid = UID_INVALID;
254 gid_t oldgid = GID_INVALID;
255 int r;
256
257 if (gid != GID_INVALID) {
258 oldgid = getgid();
259
260 r = setegid(gid);
261 if (r < 0)
262 return -errno;
263 }
264
265 if (uid != UID_INVALID) {
266 olduid = getuid();
267
268 r = seteuid(uid);
269 if (r < 0) {
270 r = -errno;
271 goto restore_gid;
272 }
273 }
274
275 r = connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
276 if (r < 0)
277 r = -errno;
278
279 /* If we fail to restore the uid or gid, things will likely
280 fail later on. This should only happen if an LSM interferes. */
281
282 if (uid != UID_INVALID)
283 (void) seteuid(olduid);
284
285 restore_gid:
286 if (gid != GID_INVALID)
287 (void) setegid(oldgid);
288
289 return r;
290 }
291
292 static int connect_logger_as(
293 Unit *unit,
294 const ExecContext *context,
295 ExecOutput output,
296 const char *ident,
297 int nfd,
298 uid_t uid,
299 gid_t gid) {
300
301 int fd, r;
302
303 assert(context);
304 assert(output < _EXEC_OUTPUT_MAX);
305 assert(ident);
306 assert(nfd >= 0);
307
308 fd = socket(AF_UNIX, SOCK_STREAM, 0);
309 if (fd < 0)
310 return -errno;
311
312 r = connect_journal_socket(fd, uid, gid);
313 if (r < 0)
314 return r;
315
316 if (shutdown(fd, SHUT_RD) < 0) {
317 safe_close(fd);
318 return -errno;
319 }
320
321 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
322
323 dprintf(fd,
324 "%s\n"
325 "%s\n"
326 "%i\n"
327 "%i\n"
328 "%i\n"
329 "%i\n"
330 "%i\n",
331 context->syslog_identifier ? context->syslog_identifier : ident,
332 unit->id,
333 context->syslog_priority,
334 !!context->syslog_level_prefix,
335 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
336 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
337 is_terminal_output(output));
338
339 if (fd == nfd)
340 return nfd;
341
342 r = dup2(fd, nfd) < 0 ? -errno : nfd;
343 safe_close(fd);
344
345 return r;
346 }
347 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
348 int fd, r;
349
350 assert(path);
351 assert(nfd >= 0);
352
353 fd = open_terminal(path, mode | O_NOCTTY);
354 if (fd < 0)
355 return fd;
356
357 if (fd != nfd) {
358 r = dup2(fd, nfd) < 0 ? -errno : nfd;
359 safe_close(fd);
360 } else
361 r = nfd;
362
363 return r;
364 }
365
366 static bool is_terminal_input(ExecInput i) {
367 return
368 i == EXEC_INPUT_TTY ||
369 i == EXEC_INPUT_TTY_FORCE ||
370 i == EXEC_INPUT_TTY_FAIL;
371 }
372
373 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
374
375 if (is_terminal_input(std_input) && !apply_tty_stdin)
376 return EXEC_INPUT_NULL;
377
378 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
379 return EXEC_INPUT_NULL;
380
381 return std_input;
382 }
383
384 static int fixup_output(ExecOutput std_output, int socket_fd) {
385
386 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
387 return EXEC_OUTPUT_INHERIT;
388
389 return std_output;
390 }
391
392 static int setup_input(
393 const ExecContext *context,
394 const ExecParameters *params,
395 int socket_fd) {
396
397 ExecInput i;
398
399 assert(context);
400 assert(params);
401
402 if (params->stdin_fd >= 0) {
403 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
404 return -errno;
405
406 /* Try to make this the controlling tty, if it is a tty, and reset it */
407 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
408 (void) reset_terminal_fd(STDIN_FILENO, true);
409
410 return STDIN_FILENO;
411 }
412
413 i = fixup_input(context->std_input, socket_fd, params->apply_tty_stdin);
414
415 switch (i) {
416
417 case EXEC_INPUT_NULL:
418 return open_null_as(O_RDONLY, STDIN_FILENO);
419
420 case EXEC_INPUT_TTY:
421 case EXEC_INPUT_TTY_FORCE:
422 case EXEC_INPUT_TTY_FAIL: {
423 int fd, r;
424
425 fd = acquire_terminal(exec_context_tty_path(context),
426 i == EXEC_INPUT_TTY_FAIL,
427 i == EXEC_INPUT_TTY_FORCE,
428 false,
429 USEC_INFINITY);
430 if (fd < 0)
431 return fd;
432
433 if (fd != STDIN_FILENO) {
434 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
435 safe_close(fd);
436 } else
437 r = STDIN_FILENO;
438
439 return r;
440 }
441
442 case EXEC_INPUT_SOCKET:
443 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
444
445 default:
446 assert_not_reached("Unknown input type");
447 }
448 }
449
450 static int setup_output(
451 Unit *unit,
452 const ExecContext *context,
453 const ExecParameters *params,
454 int fileno,
455 int socket_fd,
456 const char *ident,
457 uid_t uid,
458 gid_t gid,
459 dev_t *journal_stream_dev,
460 ino_t *journal_stream_ino) {
461
462 ExecOutput o;
463 ExecInput i;
464 int r;
465
466 assert(unit);
467 assert(context);
468 assert(params);
469 assert(ident);
470 assert(journal_stream_dev);
471 assert(journal_stream_ino);
472
473 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
474
475 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
476 return -errno;
477
478 return STDOUT_FILENO;
479 }
480
481 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
482 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
483 return -errno;
484
485 return STDERR_FILENO;
486 }
487
488 i = fixup_input(context->std_input, socket_fd, params->apply_tty_stdin);
489 o = fixup_output(context->std_output, socket_fd);
490
491 if (fileno == STDERR_FILENO) {
492 ExecOutput e;
493 e = fixup_output(context->std_error, socket_fd);
494
495 /* This expects the input and output are already set up */
496
497 /* Don't change the stderr file descriptor if we inherit all
498 * the way and are not on a tty */
499 if (e == EXEC_OUTPUT_INHERIT &&
500 o == EXEC_OUTPUT_INHERIT &&
501 i == EXEC_INPUT_NULL &&
502 !is_terminal_input(context->std_input) &&
503 getppid () != 1)
504 return fileno;
505
506 /* Duplicate from stdout if possible */
507 if (e == o || e == EXEC_OUTPUT_INHERIT)
508 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
509
510 o = e;
511
512 } else if (o == EXEC_OUTPUT_INHERIT) {
513 /* If input got downgraded, inherit the original value */
514 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
515 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
516
517 /* If the input is connected to anything that's not a /dev/null, inherit that... */
518 if (i != EXEC_INPUT_NULL)
519 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
520
521 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
522 if (getppid() != 1)
523 return fileno;
524
525 /* We need to open /dev/null here anew, to get the right access mode. */
526 return open_null_as(O_WRONLY, fileno);
527 }
528
529 switch (o) {
530
531 case EXEC_OUTPUT_NULL:
532 return open_null_as(O_WRONLY, fileno);
533
534 case EXEC_OUTPUT_TTY:
535 if (is_terminal_input(i))
536 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
537
538 /* We don't reset the terminal if this is just about output */
539 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
540
541 case EXEC_OUTPUT_SYSLOG:
542 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
543 case EXEC_OUTPUT_KMSG:
544 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
545 case EXEC_OUTPUT_JOURNAL:
546 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
547 r = connect_logger_as(unit, context, o, ident, fileno, uid, gid);
548 if (r < 0) {
549 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
550 r = open_null_as(O_WRONLY, fileno);
551 } else {
552 struct stat st;
553
554 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
555 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
556 * services to detect whether they are connected to the journal or not. */
557
558 if (fstat(fileno, &st) >= 0) {
559 *journal_stream_dev = st.st_dev;
560 *journal_stream_ino = st.st_ino;
561 }
562 }
563 return r;
564
565 case EXEC_OUTPUT_SOCKET:
566 assert(socket_fd >= 0);
567 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
568
569 default:
570 assert_not_reached("Unknown error type");
571 }
572 }
573
574 static int chown_terminal(int fd, uid_t uid) {
575 struct stat st;
576
577 assert(fd >= 0);
578
579 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
580 if (isatty(fd) < 1)
581 return 0;
582
583 /* This might fail. What matters are the results. */
584 (void) fchown(fd, uid, -1);
585 (void) fchmod(fd, TTY_MODE);
586
587 if (fstat(fd, &st) < 0)
588 return -errno;
589
590 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
591 return -EPERM;
592
593 return 0;
594 }
595
596 static int setup_confirm_stdio(int *_saved_stdin, int *_saved_stdout) {
597 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
598 int r;
599
600 assert(_saved_stdin);
601 assert(_saved_stdout);
602
603 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
604 if (saved_stdin < 0)
605 return -errno;
606
607 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
608 if (saved_stdout < 0)
609 return -errno;
610
611 fd = acquire_terminal(
612 "/dev/console",
613 false,
614 false,
615 false,
616 DEFAULT_CONFIRM_USEC);
617 if (fd < 0)
618 return fd;
619
620 r = chown_terminal(fd, getuid());
621 if (r < 0)
622 return r;
623
624 r = reset_terminal_fd(fd, true);
625 if (r < 0)
626 return r;
627
628 if (dup2(fd, STDIN_FILENO) < 0)
629 return -errno;
630
631 if (dup2(fd, STDOUT_FILENO) < 0)
632 return -errno;
633
634 if (fd >= 2)
635 safe_close(fd);
636 fd = -1;
637
638 *_saved_stdin = saved_stdin;
639 *_saved_stdout = saved_stdout;
640
641 saved_stdin = saved_stdout = -1;
642
643 return 0;
644 }
645
646 _printf_(1, 2) static int write_confirm_message(const char *format, ...) {
647 _cleanup_close_ int fd = -1;
648 va_list ap;
649
650 assert(format);
651
652 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
653 if (fd < 0)
654 return fd;
655
656 va_start(ap, format);
657 vdprintf(fd, format, ap);
658 va_end(ap);
659
660 return 0;
661 }
662
663 static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
664 int r = 0;
665
666 assert(saved_stdin);
667 assert(saved_stdout);
668
669 release_terminal();
670
671 if (*saved_stdin >= 0)
672 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
673 r = -errno;
674
675 if (*saved_stdout >= 0)
676 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
677 r = -errno;
678
679 *saved_stdin = safe_close(*saved_stdin);
680 *saved_stdout = safe_close(*saved_stdout);
681
682 return r;
683 }
684
685 static int ask_for_confirmation(char *response, char **argv) {
686 int saved_stdout = -1, saved_stdin = -1, r;
687 _cleanup_free_ char *line = NULL;
688
689 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
690 if (r < 0)
691 return r;
692
693 line = exec_command_line(argv);
694 if (!line)
695 return -ENOMEM;
696
697 r = ask_char(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
698
699 restore_confirm_stdio(&saved_stdin, &saved_stdout);
700
701 return r;
702 }
703
704 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
705 bool keep_groups = false;
706 int r;
707
708 assert(context);
709
710 /* Lookup and set GID and supplementary group list. Here too
711 * we avoid NSS lookups for gid=0. */
712
713 if (context->group || username) {
714 /* First step, initialize groups from /etc/groups */
715 if (username && gid != 0) {
716 if (initgroups(username, gid) < 0)
717 return -errno;
718
719 keep_groups = true;
720 }
721
722 /* Second step, set our gids */
723 if (setresgid(gid, gid, gid) < 0)
724 return -errno;
725 }
726
727 if (context->supplementary_groups) {
728 int ngroups_max, k;
729 gid_t *gids;
730 char **i;
731
732 /* Final step, initialize any manually set supplementary groups */
733 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
734
735 if (!(gids = new(gid_t, ngroups_max)))
736 return -ENOMEM;
737
738 if (keep_groups) {
739 k = getgroups(ngroups_max, gids);
740 if (k < 0) {
741 free(gids);
742 return -errno;
743 }
744 } else
745 k = 0;
746
747 STRV_FOREACH(i, context->supplementary_groups) {
748 const char *g;
749
750 if (k >= ngroups_max) {
751 free(gids);
752 return -E2BIG;
753 }
754
755 g = *i;
756 r = get_group_creds(&g, gids+k);
757 if (r < 0) {
758 free(gids);
759 return r;
760 }
761
762 k++;
763 }
764
765 if (setgroups(k, gids) < 0) {
766 free(gids);
767 return -errno;
768 }
769
770 free(gids);
771 }
772
773 return 0;
774 }
775
776 static int enforce_user(const ExecContext *context, uid_t uid) {
777 assert(context);
778
779 /* Sets (but doesn't look up) the uid and make sure we keep the
780 * capabilities while doing so. */
781
782 if (context->capability_ambient_set != 0) {
783
784 /* First step: If we need to keep capabilities but
785 * drop privileges we need to make sure we keep our
786 * caps, while we drop privileges. */
787 if (uid != 0) {
788 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
789
790 if (prctl(PR_GET_SECUREBITS) != sb)
791 if (prctl(PR_SET_SECUREBITS, sb) < 0)
792 return -errno;
793 }
794 }
795
796 /* Second step: actually set the uids */
797 if (setresuid(uid, uid, uid) < 0)
798 return -errno;
799
800 /* At this point we should have all necessary capabilities but
801 are otherwise a normal user. However, the caps might got
802 corrupted due to the setresuid() so we need clean them up
803 later. This is done outside of this call. */
804
805 return 0;
806 }
807
808 #ifdef HAVE_PAM
809
810 static int null_conv(
811 int num_msg,
812 const struct pam_message **msg,
813 struct pam_response **resp,
814 void *appdata_ptr) {
815
816 /* We don't support conversations */
817
818 return PAM_CONV_ERR;
819 }
820
821 static int setup_pam(
822 const char *name,
823 const char *user,
824 uid_t uid,
825 const char *tty,
826 char ***env,
827 int fds[], unsigned n_fds) {
828
829 static const struct pam_conv conv = {
830 .conv = null_conv,
831 .appdata_ptr = NULL
832 };
833
834 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
835 pam_handle_t *handle = NULL;
836 sigset_t old_ss;
837 int pam_code = PAM_SUCCESS, r;
838 char **nv, **e = NULL;
839 bool close_session = false;
840 pid_t pam_pid = 0, parent_pid;
841 int flags = 0;
842
843 assert(name);
844 assert(user);
845 assert(env);
846
847 /* We set up PAM in the parent process, then fork. The child
848 * will then stay around until killed via PR_GET_PDEATHSIG or
849 * systemd via the cgroup logic. It will then remove the PAM
850 * session again. The parent process will exec() the actual
851 * daemon. We do things this way to ensure that the main PID
852 * of the daemon is the one we initially fork()ed. */
853
854 r = barrier_create(&barrier);
855 if (r < 0)
856 goto fail;
857
858 if (log_get_max_level() < LOG_DEBUG)
859 flags |= PAM_SILENT;
860
861 pam_code = pam_start(name, user, &conv, &handle);
862 if (pam_code != PAM_SUCCESS) {
863 handle = NULL;
864 goto fail;
865 }
866
867 if (tty) {
868 pam_code = pam_set_item(handle, PAM_TTY, tty);
869 if (pam_code != PAM_SUCCESS)
870 goto fail;
871 }
872
873 STRV_FOREACH(nv, *env) {
874 pam_code = pam_putenv(handle, *nv);
875 if (pam_code != PAM_SUCCESS)
876 goto fail;
877 }
878
879 pam_code = pam_acct_mgmt(handle, flags);
880 if (pam_code != PAM_SUCCESS)
881 goto fail;
882
883 pam_code = pam_open_session(handle, flags);
884 if (pam_code != PAM_SUCCESS)
885 goto fail;
886
887 close_session = true;
888
889 e = pam_getenvlist(handle);
890 if (!e) {
891 pam_code = PAM_BUF_ERR;
892 goto fail;
893 }
894
895 /* Block SIGTERM, so that we know that it won't get lost in
896 * the child */
897
898 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
899
900 parent_pid = getpid();
901
902 pam_pid = fork();
903 if (pam_pid < 0) {
904 r = -errno;
905 goto fail;
906 }
907
908 if (pam_pid == 0) {
909 int sig, ret = EXIT_PAM;
910
911 /* The child's job is to reset the PAM session on
912 * termination */
913 barrier_set_role(&barrier, BARRIER_CHILD);
914
915 /* This string must fit in 10 chars (i.e. the length
916 * of "/sbin/init"), to look pretty in /bin/ps */
917 rename_process("(sd-pam)");
918
919 /* Make sure we don't keep open the passed fds in this
920 child. We assume that otherwise only those fds are
921 open here that have been opened by PAM. */
922 close_many(fds, n_fds);
923
924 /* Drop privileges - we don't need any to pam_close_session
925 * and this will make PR_SET_PDEATHSIG work in most cases.
926 * If this fails, ignore the error - but expect sd-pam threads
927 * to fail to exit normally */
928 if (setresuid(uid, uid, uid) < 0)
929 log_error_errno(r, "Error: Failed to setresuid() in sd-pam: %m");
930
931 (void) ignore_signals(SIGPIPE, -1);
932
933 /* Wait until our parent died. This will only work if
934 * the above setresuid() succeeds, otherwise the kernel
935 * will not allow unprivileged parents kill their privileged
936 * children this way. We rely on the control groups kill logic
937 * to do the rest for us. */
938 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
939 goto child_finish;
940
941 /* Tell the parent that our setup is done. This is especially
942 * important regarding dropping privileges. Otherwise, unit
943 * setup might race against our setresuid(2) call. */
944 barrier_place(&barrier);
945
946 /* Check if our parent process might already have
947 * died? */
948 if (getppid() == parent_pid) {
949 sigset_t ss;
950
951 assert_se(sigemptyset(&ss) >= 0);
952 assert_se(sigaddset(&ss, SIGTERM) >= 0);
953
954 for (;;) {
955 if (sigwait(&ss, &sig) < 0) {
956 if (errno == EINTR)
957 continue;
958
959 goto child_finish;
960 }
961
962 assert(sig == SIGTERM);
963 break;
964 }
965 }
966
967 /* If our parent died we'll end the session */
968 if (getppid() != parent_pid) {
969 pam_code = pam_close_session(handle, flags);
970 if (pam_code != PAM_SUCCESS)
971 goto child_finish;
972 }
973
974 ret = 0;
975
976 child_finish:
977 pam_end(handle, pam_code | flags);
978 _exit(ret);
979 }
980
981 barrier_set_role(&barrier, BARRIER_PARENT);
982
983 /* If the child was forked off successfully it will do all the
984 * cleanups, so forget about the handle here. */
985 handle = NULL;
986
987 /* Unblock SIGTERM again in the parent */
988 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
989
990 /* We close the log explicitly here, since the PAM modules
991 * might have opened it, but we don't want this fd around. */
992 closelog();
993
994 /* Synchronously wait for the child to initialize. We don't care for
995 * errors as we cannot recover. However, warn loudly if it happens. */
996 if (!barrier_place_and_sync(&barrier))
997 log_error("PAM initialization failed");
998
999 strv_free(*env);
1000 *env = e;
1001
1002 return 0;
1003
1004 fail:
1005 if (pam_code != PAM_SUCCESS) {
1006 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
1007 r = -EPERM; /* PAM errors do not map to errno */
1008 } else
1009 log_error_errno(r, "PAM failed: %m");
1010
1011 if (handle) {
1012 if (close_session)
1013 pam_code = pam_close_session(handle, flags);
1014
1015 pam_end(handle, pam_code | flags);
1016 }
1017
1018 strv_free(e);
1019 closelog();
1020
1021 return r;
1022 }
1023 #endif
1024
1025 static void rename_process_from_path(const char *path) {
1026 char process_name[11];
1027 const char *p;
1028 size_t l;
1029
1030 /* This resulting string must fit in 10 chars (i.e. the length
1031 * of "/sbin/init") to look pretty in /bin/ps */
1032
1033 p = basename(path);
1034 if (isempty(p)) {
1035 rename_process("(...)");
1036 return;
1037 }
1038
1039 l = strlen(p);
1040 if (l > 8) {
1041 /* The end of the process name is usually more
1042 * interesting, since the first bit might just be
1043 * "systemd-" */
1044 p = p + l - 8;
1045 l = 8;
1046 }
1047
1048 process_name[0] = '(';
1049 memcpy(process_name+1, p, l);
1050 process_name[1+l] = ')';
1051 process_name[1+l+1] = 0;
1052
1053 rename_process(process_name);
1054 }
1055
1056 #ifdef HAVE_SECCOMP
1057
1058 static int apply_seccomp(const ExecContext *c) {
1059 uint32_t negative_action, action;
1060 scmp_filter_ctx *seccomp;
1061 Iterator i;
1062 void *id;
1063 int r;
1064
1065 assert(c);
1066
1067 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
1068
1069 seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW);
1070 if (!seccomp)
1071 return -ENOMEM;
1072
1073 if (c->syscall_archs) {
1074
1075 SET_FOREACH(id, c->syscall_archs, i) {
1076 r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
1077 if (r == -EEXIST)
1078 continue;
1079 if (r < 0)
1080 goto finish;
1081 }
1082
1083 } else {
1084 r = seccomp_add_secondary_archs(seccomp);
1085 if (r < 0)
1086 goto finish;
1087 }
1088
1089 action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
1090 SET_FOREACH(id, c->syscall_filter, i) {
1091 r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
1092 if (r < 0)
1093 goto finish;
1094 }
1095
1096 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1097 if (r < 0)
1098 goto finish;
1099
1100 r = seccomp_load(seccomp);
1101
1102 finish:
1103 seccomp_release(seccomp);
1104 return r;
1105 }
1106
1107 static int apply_address_families(const ExecContext *c) {
1108 scmp_filter_ctx *seccomp;
1109 Iterator i;
1110 int r;
1111
1112 assert(c);
1113
1114 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1115 if (!seccomp)
1116 return -ENOMEM;
1117
1118 r = seccomp_add_secondary_archs(seccomp);
1119 if (r < 0)
1120 goto finish;
1121
1122 if (c->address_families_whitelist) {
1123 int af, first = 0, last = 0;
1124 void *afp;
1125
1126 /* If this is a whitelist, we first block the address
1127 * families that are out of range and then everything
1128 * that is not in the set. First, we find the lowest
1129 * and highest address family in the set. */
1130
1131 SET_FOREACH(afp, c->address_families, i) {
1132 af = PTR_TO_INT(afp);
1133
1134 if (af <= 0 || af >= af_max())
1135 continue;
1136
1137 if (first == 0 || af < first)
1138 first = af;
1139
1140 if (last == 0 || af > last)
1141 last = af;
1142 }
1143
1144 assert((first == 0) == (last == 0));
1145
1146 if (first == 0) {
1147
1148 /* No entries in the valid range, block everything */
1149 r = seccomp_rule_add(
1150 seccomp,
1151 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1152 SCMP_SYS(socket),
1153 0);
1154 if (r < 0)
1155 goto finish;
1156
1157 } else {
1158
1159 /* Block everything below the first entry */
1160 r = seccomp_rule_add(
1161 seccomp,
1162 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1163 SCMP_SYS(socket),
1164 1,
1165 SCMP_A0(SCMP_CMP_LT, first));
1166 if (r < 0)
1167 goto finish;
1168
1169 /* Block everything above the last entry */
1170 r = seccomp_rule_add(
1171 seccomp,
1172 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1173 SCMP_SYS(socket),
1174 1,
1175 SCMP_A0(SCMP_CMP_GT, last));
1176 if (r < 0)
1177 goto finish;
1178
1179 /* Block everything between the first and last
1180 * entry */
1181 for (af = 1; af < af_max(); af++) {
1182
1183 if (set_contains(c->address_families, INT_TO_PTR(af)))
1184 continue;
1185
1186 r = seccomp_rule_add(
1187 seccomp,
1188 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1189 SCMP_SYS(socket),
1190 1,
1191 SCMP_A0(SCMP_CMP_EQ, af));
1192 if (r < 0)
1193 goto finish;
1194 }
1195 }
1196
1197 } else {
1198 void *af;
1199
1200 /* If this is a blacklist, then generate one rule for
1201 * each address family that are then combined in OR
1202 * checks. */
1203
1204 SET_FOREACH(af, c->address_families, i) {
1205
1206 r = seccomp_rule_add(
1207 seccomp,
1208 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1209 SCMP_SYS(socket),
1210 1,
1211 SCMP_A0(SCMP_CMP_EQ, PTR_TO_INT(af)));
1212 if (r < 0)
1213 goto finish;
1214 }
1215 }
1216
1217 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1218 if (r < 0)
1219 goto finish;
1220
1221 r = seccomp_load(seccomp);
1222
1223 finish:
1224 seccomp_release(seccomp);
1225 return r;
1226 }
1227
1228 static int apply_memory_deny_write_execute(const ExecContext *c) {
1229 scmp_filter_ctx *seccomp;
1230 int r;
1231
1232 assert(c);
1233
1234 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1235 if (!seccomp)
1236 return -ENOMEM;
1237
1238 r = seccomp_rule_add(
1239 seccomp,
1240 SCMP_ACT_ERRNO(EPERM),
1241 SCMP_SYS(mmap),
1242 1,
1243 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE));
1244 if (r < 0)
1245 goto finish;
1246
1247 r = seccomp_rule_add(
1248 seccomp,
1249 SCMP_ACT_ERRNO(EPERM),
1250 SCMP_SYS(mprotect),
1251 1,
1252 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC));
1253 if (r < 0)
1254 goto finish;
1255
1256 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1257 if (r < 0)
1258 goto finish;
1259
1260 r = seccomp_load(seccomp);
1261
1262 finish:
1263 seccomp_release(seccomp);
1264 return r;
1265 }
1266
1267 static int apply_restrict_realtime(const ExecContext *c) {
1268 static const int permitted_policies[] = {
1269 SCHED_OTHER,
1270 SCHED_BATCH,
1271 SCHED_IDLE,
1272 };
1273
1274 scmp_filter_ctx *seccomp;
1275 unsigned i;
1276 int r, p, max_policy = 0;
1277
1278 assert(c);
1279
1280 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1281 if (!seccomp)
1282 return -ENOMEM;
1283
1284 /* Determine the highest policy constant we want to allow */
1285 for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
1286 if (permitted_policies[i] > max_policy)
1287 max_policy = permitted_policies[i];
1288
1289 /* Go through all policies with lower values than that, and block them -- unless they appear in the
1290 * whitelist. */
1291 for (p = 0; p < max_policy; p++) {
1292 bool good = false;
1293
1294 /* Check if this is in the whitelist. */
1295 for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
1296 if (permitted_policies[i] == p) {
1297 good = true;
1298 break;
1299 }
1300
1301 if (good)
1302 continue;
1303
1304 /* Deny this policy */
1305 r = seccomp_rule_add(
1306 seccomp,
1307 SCMP_ACT_ERRNO(EPERM),
1308 SCMP_SYS(sched_setscheduler),
1309 1,
1310 SCMP_A1(SCMP_CMP_EQ, p));
1311 if (r < 0)
1312 goto finish;
1313 }
1314
1315 /* Blacklist all other policies, i.e. the ones with higher values. Note that all comparisons are unsigned here,
1316 * hence no need no check for < 0 values. */
1317 r = seccomp_rule_add(
1318 seccomp,
1319 SCMP_ACT_ERRNO(EPERM),
1320 SCMP_SYS(sched_setscheduler),
1321 1,
1322 SCMP_A1(SCMP_CMP_GT, max_policy));
1323 if (r < 0)
1324 goto finish;
1325
1326 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1327 if (r < 0)
1328 goto finish;
1329
1330 r = seccomp_load(seccomp);
1331
1332 finish:
1333 seccomp_release(seccomp);
1334 return r;
1335 }
1336
1337 #endif
1338
1339 static void do_idle_pipe_dance(int idle_pipe[4]) {
1340 assert(idle_pipe);
1341
1342
1343 idle_pipe[1] = safe_close(idle_pipe[1]);
1344 idle_pipe[2] = safe_close(idle_pipe[2]);
1345
1346 if (idle_pipe[0] >= 0) {
1347 int r;
1348
1349 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1350
1351 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
1352 ssize_t n;
1353
1354 /* Signal systemd that we are bored and want to continue. */
1355 n = write(idle_pipe[3], "x", 1);
1356 if (n > 0)
1357 /* Wait for systemd to react to the signal above. */
1358 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1359 }
1360
1361 idle_pipe[0] = safe_close(idle_pipe[0]);
1362
1363 }
1364
1365 idle_pipe[3] = safe_close(idle_pipe[3]);
1366 }
1367
1368 static int build_environment(
1369 const ExecContext *c,
1370 const ExecParameters *p,
1371 unsigned n_fds,
1372 const char *home,
1373 const char *username,
1374 const char *shell,
1375 dev_t journal_stream_dev,
1376 ino_t journal_stream_ino,
1377 char ***ret) {
1378
1379 _cleanup_strv_free_ char **our_env = NULL;
1380 unsigned n_env = 0;
1381 char *x;
1382
1383 assert(c);
1384 assert(ret);
1385
1386 our_env = new0(char*, 12);
1387 if (!our_env)
1388 return -ENOMEM;
1389
1390 if (n_fds > 0) {
1391 _cleanup_free_ char *joined = NULL;
1392
1393 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1394 return -ENOMEM;
1395 our_env[n_env++] = x;
1396
1397 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1398 return -ENOMEM;
1399 our_env[n_env++] = x;
1400
1401 joined = strv_join(p->fd_names, ":");
1402 if (!joined)
1403 return -ENOMEM;
1404
1405 x = strjoin("LISTEN_FDNAMES=", joined, NULL);
1406 if (!x)
1407 return -ENOMEM;
1408 our_env[n_env++] = x;
1409 }
1410
1411 if (p->watchdog_usec > 0) {
1412 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1413 return -ENOMEM;
1414 our_env[n_env++] = x;
1415
1416 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
1417 return -ENOMEM;
1418 our_env[n_env++] = x;
1419 }
1420
1421 if (home) {
1422 x = strappend("HOME=", home);
1423 if (!x)
1424 return -ENOMEM;
1425 our_env[n_env++] = x;
1426 }
1427
1428 if (username) {
1429 x = strappend("LOGNAME=", username);
1430 if (!x)
1431 return -ENOMEM;
1432 our_env[n_env++] = x;
1433
1434 x = strappend("USER=", username);
1435 if (!x)
1436 return -ENOMEM;
1437 our_env[n_env++] = x;
1438 }
1439
1440 if (shell) {
1441 x = strappend("SHELL=", shell);
1442 if (!x)
1443 return -ENOMEM;
1444 our_env[n_env++] = x;
1445 }
1446
1447 if (is_terminal_input(c->std_input) ||
1448 c->std_output == EXEC_OUTPUT_TTY ||
1449 c->std_error == EXEC_OUTPUT_TTY ||
1450 c->tty_path) {
1451
1452 x = strdup(default_term_for_tty(exec_context_tty_path(c)));
1453 if (!x)
1454 return -ENOMEM;
1455 our_env[n_env++] = x;
1456 }
1457
1458 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1459 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1460 return -ENOMEM;
1461
1462 our_env[n_env++] = x;
1463 }
1464
1465 our_env[n_env++] = NULL;
1466 assert(n_env <= 12);
1467
1468 *ret = our_env;
1469 our_env = NULL;
1470
1471 return 0;
1472 }
1473
1474 static int build_pass_environment(const ExecContext *c, char ***ret) {
1475 _cleanup_strv_free_ char **pass_env = NULL;
1476 size_t n_env = 0, n_bufsize = 0;
1477 char **i;
1478
1479 STRV_FOREACH(i, c->pass_environment) {
1480 _cleanup_free_ char *x = NULL;
1481 char *v;
1482
1483 v = getenv(*i);
1484 if (!v)
1485 continue;
1486 x = strjoin(*i, "=", v, NULL);
1487 if (!x)
1488 return -ENOMEM;
1489 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1490 return -ENOMEM;
1491 pass_env[n_env++] = x;
1492 pass_env[n_env] = NULL;
1493 x = NULL;
1494 }
1495
1496 *ret = pass_env;
1497 pass_env = NULL;
1498
1499 return 0;
1500 }
1501
1502 static bool exec_needs_mount_namespace(
1503 const ExecContext *context,
1504 const ExecParameters *params,
1505 ExecRuntime *runtime) {
1506
1507 assert(context);
1508 assert(params);
1509
1510 if (!strv_isempty(context->read_write_paths) ||
1511 !strv_isempty(context->read_only_paths) ||
1512 !strv_isempty(context->inaccessible_paths))
1513 return true;
1514
1515 if (context->mount_flags != 0)
1516 return true;
1517
1518 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1519 return true;
1520
1521 if (context->private_devices ||
1522 context->protect_system != PROTECT_SYSTEM_NO ||
1523 context->protect_home != PROTECT_HOME_NO)
1524 return true;
1525
1526 return false;
1527 }
1528
1529 static void append_socket_pair(int *array, unsigned *n, int pair[2]) {
1530 assert(array);
1531 assert(n);
1532
1533 if (!pair)
1534 return;
1535
1536 if (pair[0] >= 0)
1537 array[(*n)++] = pair[0];
1538 if (pair[1] >= 0)
1539 array[(*n)++] = pair[1];
1540 }
1541
1542 static int close_remaining_fds(
1543 const ExecParameters *params,
1544 ExecRuntime *runtime,
1545 DynamicCreds *dcreds,
1546 int socket_fd,
1547 int *fds, unsigned n_fds) {
1548
1549 unsigned n_dont_close = 0;
1550 int dont_close[n_fds + 11];
1551
1552 assert(params);
1553
1554 if (params->stdin_fd >= 0)
1555 dont_close[n_dont_close++] = params->stdin_fd;
1556 if (params->stdout_fd >= 0)
1557 dont_close[n_dont_close++] = params->stdout_fd;
1558 if (params->stderr_fd >= 0)
1559 dont_close[n_dont_close++] = params->stderr_fd;
1560
1561 if (socket_fd >= 0)
1562 dont_close[n_dont_close++] = socket_fd;
1563 if (n_fds > 0) {
1564 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
1565 n_dont_close += n_fds;
1566 }
1567
1568 if (runtime)
1569 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
1570
1571 if (dcreds) {
1572 if (dcreds->user)
1573 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
1574 if (dcreds->group)
1575 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
1576 }
1577
1578 return close_all_fds(dont_close, n_dont_close);
1579 }
1580
1581 static int exec_child(
1582 Unit *unit,
1583 ExecCommand *command,
1584 const ExecContext *context,
1585 const ExecParameters *params,
1586 ExecRuntime *runtime,
1587 DynamicCreds *dcreds,
1588 char **argv,
1589 int socket_fd,
1590 int *fds, unsigned n_fds,
1591 char **files_env,
1592 int *exit_status) {
1593
1594 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **final_argv = NULL;
1595 _cleanup_free_ char *mac_selinux_context_net = NULL;
1596 const char *username = NULL, *home = NULL, *shell = NULL, *wd;
1597 dev_t journal_stream_dev = 0;
1598 ino_t journal_stream_ino = 0;
1599 bool needs_mount_namespace;
1600 uid_t uid = UID_INVALID;
1601 gid_t gid = GID_INVALID;
1602 int i, r;
1603
1604 assert(unit);
1605 assert(command);
1606 assert(context);
1607 assert(params);
1608 assert(exit_status);
1609
1610 rename_process_from_path(command->path);
1611
1612 /* We reset exactly these signals, since they are the
1613 * only ones we set to SIG_IGN in the main daemon. All
1614 * others we leave untouched because we set them to
1615 * SIG_DFL or a valid handler initially, both of which
1616 * will be demoted to SIG_DFL. */
1617 (void) default_signals(SIGNALS_CRASH_HANDLER,
1618 SIGNALS_IGNORE, -1);
1619
1620 if (context->ignore_sigpipe)
1621 (void) ignore_signals(SIGPIPE, -1);
1622
1623 r = reset_signal_mask();
1624 if (r < 0) {
1625 *exit_status = EXIT_SIGNAL_MASK;
1626 return r;
1627 }
1628
1629 if (params->idle_pipe)
1630 do_idle_pipe_dance(params->idle_pipe);
1631
1632 /* Close sockets very early to make sure we don't
1633 * block init reexecution because it cannot bind its
1634 * sockets */
1635
1636 log_forget_fds();
1637
1638 r = close_remaining_fds(params, runtime, dcreds, socket_fd, fds, n_fds);
1639 if (r < 0) {
1640 *exit_status = EXIT_FDS;
1641 return r;
1642 }
1643
1644 if (!context->same_pgrp)
1645 if (setsid() < 0) {
1646 *exit_status = EXIT_SETSID;
1647 return -errno;
1648 }
1649
1650 exec_context_tty_reset(context, params);
1651
1652 if (params->confirm_spawn) {
1653 char response;
1654
1655 r = ask_for_confirmation(&response, argv);
1656 if (r == -ETIMEDOUT)
1657 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
1658 else if (r < 0)
1659 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-r));
1660 else if (response == 's') {
1661 write_confirm_message("Skipping execution.\n");
1662 *exit_status = EXIT_CONFIRM;
1663 return -ECANCELED;
1664 } else if (response == 'n') {
1665 write_confirm_message("Failing execution.\n");
1666 *exit_status = 0;
1667 return 0;
1668 }
1669 }
1670
1671 if (context->dynamic_user && dcreds) {
1672
1673 r = dynamic_creds_realize(dcreds, &uid, &gid);
1674 if (r < 0) {
1675 *exit_status = EXIT_USER;
1676 return r;
1677 }
1678
1679 if (uid == UID_INVALID || gid == GID_INVALID) {
1680 *exit_status = EXIT_USER;
1681 return -ESRCH;
1682 }
1683
1684 if (dcreds->user)
1685 username = dcreds->user->name;
1686
1687 } else {
1688 if (context->user) {
1689 username = context->user;
1690 r = get_user_creds(&username, &uid, &gid, &home, &shell);
1691 if (r < 0) {
1692 *exit_status = EXIT_USER;
1693 return r;
1694 }
1695 }
1696
1697 if (context->group) {
1698 const char *g = context->group;
1699
1700 r = get_group_creds(&g, &gid);
1701 if (r < 0) {
1702 *exit_status = EXIT_GROUP;
1703 return r;
1704 }
1705 }
1706 }
1707
1708 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1709 * must sure to drop O_NONBLOCK */
1710 if (socket_fd >= 0)
1711 (void) fd_nonblock(socket_fd, false);
1712
1713 r = setup_input(context, params, socket_fd);
1714 if (r < 0) {
1715 *exit_status = EXIT_STDIN;
1716 return r;
1717 }
1718
1719 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
1720 if (r < 0) {
1721 *exit_status = EXIT_STDOUT;
1722 return r;
1723 }
1724
1725 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
1726 if (r < 0) {
1727 *exit_status = EXIT_STDERR;
1728 return r;
1729 }
1730
1731 if (params->cgroup_path) {
1732 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
1733 if (r < 0) {
1734 *exit_status = EXIT_CGROUP;
1735 return r;
1736 }
1737 }
1738
1739 if (context->oom_score_adjust_set) {
1740 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
1741
1742 /* When we can't make this change due to EPERM, then
1743 * let's silently skip over it. User namespaces
1744 * prohibit write access to this file, and we
1745 * shouldn't trip up over that. */
1746
1747 sprintf(t, "%i", context->oom_score_adjust);
1748 r = write_string_file("/proc/self/oom_score_adj", t, 0);
1749 if (r == -EPERM || r == -EACCES) {
1750 log_open();
1751 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
1752 log_close();
1753 } else if (r < 0) {
1754 *exit_status = EXIT_OOM_ADJUST;
1755 return -errno;
1756 }
1757 }
1758
1759 if (context->nice_set)
1760 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
1761 *exit_status = EXIT_NICE;
1762 return -errno;
1763 }
1764
1765 if (context->cpu_sched_set) {
1766 struct sched_param param = {
1767 .sched_priority = context->cpu_sched_priority,
1768 };
1769
1770 r = sched_setscheduler(0,
1771 context->cpu_sched_policy |
1772 (context->cpu_sched_reset_on_fork ?
1773 SCHED_RESET_ON_FORK : 0),
1774 &param);
1775 if (r < 0) {
1776 *exit_status = EXIT_SETSCHEDULER;
1777 return -errno;
1778 }
1779 }
1780
1781 if (context->cpuset)
1782 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
1783 *exit_status = EXIT_CPUAFFINITY;
1784 return -errno;
1785 }
1786
1787 if (context->ioprio_set)
1788 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
1789 *exit_status = EXIT_IOPRIO;
1790 return -errno;
1791 }
1792
1793 if (context->timer_slack_nsec != NSEC_INFINITY)
1794 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
1795 *exit_status = EXIT_TIMERSLACK;
1796 return -errno;
1797 }
1798
1799 if (context->personality != PERSONALITY_INVALID)
1800 if (personality(context->personality) < 0) {
1801 *exit_status = EXIT_PERSONALITY;
1802 return -errno;
1803 }
1804
1805 if (context->utmp_id)
1806 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path,
1807 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
1808 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
1809 USER_PROCESS,
1810 username ? "root" : context->user);
1811
1812 if (context->user && is_terminal_input(context->std_input)) {
1813 r = chown_terminal(STDIN_FILENO, uid);
1814 if (r < 0) {
1815 *exit_status = EXIT_STDIN;
1816 return r;
1817 }
1818 }
1819
1820 /* If delegation is enabled we'll pass ownership of the cgroup
1821 * (but only in systemd's own controller hierarchy!) to the
1822 * user of the new process. */
1823 if (params->cgroup_path && context->user && params->cgroup_delegate) {
1824 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
1825 if (r < 0) {
1826 *exit_status = EXIT_CGROUP;
1827 return r;
1828 }
1829
1830
1831 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
1832 if (r < 0) {
1833 *exit_status = EXIT_CGROUP;
1834 return r;
1835 }
1836 }
1837
1838 if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
1839 char **rt;
1840
1841 STRV_FOREACH(rt, context->runtime_directory) {
1842 _cleanup_free_ char *p;
1843
1844 p = strjoin(params->runtime_prefix, "/", *rt, NULL);
1845 if (!p) {
1846 *exit_status = EXIT_RUNTIME_DIRECTORY;
1847 return -ENOMEM;
1848 }
1849
1850 r = mkdir_p_label(p, context->runtime_directory_mode);
1851 if (r < 0) {
1852 *exit_status = EXIT_RUNTIME_DIRECTORY;
1853 return r;
1854 }
1855
1856 r = chmod_and_chown(p, context->runtime_directory_mode, uid, gid);
1857 if (r < 0) {
1858 *exit_status = EXIT_RUNTIME_DIRECTORY;
1859 return r;
1860 }
1861 }
1862 }
1863
1864 r = build_environment(
1865 context,
1866 params,
1867 n_fds,
1868 home,
1869 username,
1870 shell,
1871 journal_stream_dev,
1872 journal_stream_ino,
1873 &our_env);
1874 if (r < 0) {
1875 *exit_status = EXIT_MEMORY;
1876 return r;
1877 }
1878
1879 r = build_pass_environment(context, &pass_env);
1880 if (r < 0) {
1881 *exit_status = EXIT_MEMORY;
1882 return r;
1883 }
1884
1885 accum_env = strv_env_merge(5,
1886 params->environment,
1887 our_env,
1888 pass_env,
1889 context->environment,
1890 files_env,
1891 NULL);
1892 if (!accum_env) {
1893 *exit_status = EXIT_MEMORY;
1894 return -ENOMEM;
1895 }
1896 accum_env = strv_env_clean(accum_env);
1897
1898 umask(context->umask);
1899
1900 if (params->apply_permissions && !command->privileged) {
1901 r = enforce_groups(context, username, gid);
1902 if (r < 0) {
1903 *exit_status = EXIT_GROUP;
1904 return r;
1905 }
1906 #ifdef HAVE_SMACK
1907 if (context->smack_process_label) {
1908 r = mac_smack_apply_pid(0, context->smack_process_label);
1909 if (r < 0) {
1910 *exit_status = EXIT_SMACK_PROCESS_LABEL;
1911 return r;
1912 }
1913 }
1914 #ifdef SMACK_DEFAULT_PROCESS_LABEL
1915 else {
1916 _cleanup_free_ char *exec_label = NULL;
1917
1918 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
1919 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) {
1920 *exit_status = EXIT_SMACK_PROCESS_LABEL;
1921 return r;
1922 }
1923
1924 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
1925 if (r < 0) {
1926 *exit_status = EXIT_SMACK_PROCESS_LABEL;
1927 return r;
1928 }
1929 }
1930 #endif
1931 #endif
1932 #ifdef HAVE_PAM
1933 if (context->pam_name && username) {
1934 r = setup_pam(context->pam_name, username, uid, context->tty_path, &accum_env, fds, n_fds);
1935 if (r < 0) {
1936 *exit_status = EXIT_PAM;
1937 return r;
1938 }
1939 }
1940 #endif
1941 }
1942
1943 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
1944 r = setup_netns(runtime->netns_storage_socket);
1945 if (r < 0) {
1946 *exit_status = EXIT_NETWORK;
1947 return r;
1948 }
1949 }
1950
1951 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
1952
1953 if (needs_mount_namespace) {
1954 char *tmp = NULL, *var = NULL;
1955
1956 /* The runtime struct only contains the parent
1957 * of the private /tmp, which is
1958 * non-accessible to world users. Inside of it
1959 * there's a /tmp that is sticky, and that's
1960 * the one we want to use here. */
1961
1962 if (context->private_tmp && runtime) {
1963 if (runtime->tmp_dir)
1964 tmp = strjoina(runtime->tmp_dir, "/tmp");
1965 if (runtime->var_tmp_dir)
1966 var = strjoina(runtime->var_tmp_dir, "/tmp");
1967 }
1968
1969 r = setup_namespace(
1970 params->apply_chroot ? context->root_directory : NULL,
1971 context->read_write_paths,
1972 context->read_only_paths,
1973 context->inaccessible_paths,
1974 tmp,
1975 var,
1976 context->private_devices,
1977 context->protect_home,
1978 context->protect_system,
1979 context->mount_flags);
1980
1981 /* If we couldn't set up the namespace this is
1982 * probably due to a missing capability. In this case,
1983 * silently proceeed. */
1984 if (r == -EPERM || r == -EACCES) {
1985 log_open();
1986 log_unit_debug_errno(unit, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
1987 log_close();
1988 } else if (r < 0) {
1989 *exit_status = EXIT_NAMESPACE;
1990 return r;
1991 }
1992 }
1993
1994 if (context->working_directory_home)
1995 wd = home;
1996 else if (context->working_directory)
1997 wd = context->working_directory;
1998 else
1999 wd = "/";
2000
2001 if (params->apply_chroot) {
2002 if (!needs_mount_namespace && context->root_directory)
2003 if (chroot(context->root_directory) < 0) {
2004 *exit_status = EXIT_CHROOT;
2005 return -errno;
2006 }
2007
2008 if (chdir(wd) < 0 &&
2009 !context->working_directory_missing_ok) {
2010 *exit_status = EXIT_CHDIR;
2011 return -errno;
2012 }
2013 } else {
2014 const char *d;
2015
2016 d = strjoina(strempty(context->root_directory), "/", strempty(wd));
2017 if (chdir(d) < 0 &&
2018 !context->working_directory_missing_ok) {
2019 *exit_status = EXIT_CHDIR;
2020 return -errno;
2021 }
2022 }
2023
2024 #ifdef HAVE_SELINUX
2025 if (params->apply_permissions && mac_selinux_use() && params->selinux_context_net && socket_fd >= 0 && !command->privileged) {
2026 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
2027 if (r < 0) {
2028 *exit_status = EXIT_SELINUX_CONTEXT;
2029 return r;
2030 }
2031 }
2032 #endif
2033
2034 /* We repeat the fd closing here, to make sure that
2035 * nothing is leaked from the PAM modules. Note that
2036 * we are more aggressive this time since socket_fd
2037 * and the netns fds we don't need anymore. The custom
2038 * endpoint fd was needed to upload the policy and can
2039 * now be closed as well. */
2040 r = close_all_fds(fds, n_fds);
2041 if (r >= 0)
2042 r = shift_fds(fds, n_fds);
2043 if (r >= 0)
2044 r = flags_fds(fds, n_fds, context->non_blocking);
2045 if (r < 0) {
2046 *exit_status = EXIT_FDS;
2047 return r;
2048 }
2049
2050 if (params->apply_permissions && !command->privileged) {
2051
2052 bool use_address_families = context->address_families_whitelist ||
2053 !set_isempty(context->address_families);
2054 bool use_syscall_filter = context->syscall_whitelist ||
2055 !set_isempty(context->syscall_filter) ||
2056 !set_isempty(context->syscall_archs);
2057 int secure_bits = context->secure_bits;
2058
2059 for (i = 0; i < _RLIMIT_MAX; i++) {
2060
2061 if (!context->rlimit[i])
2062 continue;
2063
2064 r = setrlimit_closest(i, context->rlimit[i]);
2065 if (r < 0) {
2066 *exit_status = EXIT_LIMITS;
2067 return r;
2068 }
2069 }
2070
2071 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */
2072 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
2073 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
2074 *exit_status = EXIT_LIMITS;
2075 return -errno;
2076 }
2077 }
2078
2079 if (!cap_test_all(context->capability_bounding_set)) {
2080 r = capability_bounding_set_drop(context->capability_bounding_set, false);
2081 if (r < 0) {
2082 *exit_status = EXIT_CAPABILITIES;
2083 return r;
2084 }
2085 }
2086
2087 /* This is done before enforce_user, but ambient set
2088 * does not survive over setresuid() if keep_caps is not set. */
2089 if (context->capability_ambient_set != 0) {
2090 r = capability_ambient_set_apply(context->capability_ambient_set, true);
2091 if (r < 0) {
2092 *exit_status = EXIT_CAPABILITIES;
2093 return r;
2094 }
2095 }
2096
2097 if (context->user) {
2098 r = enforce_user(context, uid);
2099 if (r < 0) {
2100 *exit_status = EXIT_USER;
2101 return r;
2102 }
2103 if (context->capability_ambient_set != 0) {
2104
2105 /* Fix the ambient capabilities after user change. */
2106 r = capability_ambient_set_apply(context->capability_ambient_set, false);
2107 if (r < 0) {
2108 *exit_status = EXIT_CAPABILITIES;
2109 return r;
2110 }
2111
2112 /* If we were asked to change user and ambient capabilities
2113 * were requested, we had to add keep-caps to the securebits
2114 * so that we would maintain the inherited capability set
2115 * through the setresuid(). Make sure that the bit is added
2116 * also to the context secure_bits so that we don't try to
2117 * drop the bit away next. */
2118
2119 secure_bits |= 1<<SECURE_KEEP_CAPS;
2120 }
2121 }
2122
2123 /* PR_GET_SECUREBITS is not privileged, while
2124 * PR_SET_SECUREBITS is. So to suppress
2125 * potential EPERMs we'll try not to call
2126 * PR_SET_SECUREBITS unless necessary. */
2127 if (prctl(PR_GET_SECUREBITS) != secure_bits)
2128 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
2129 *exit_status = EXIT_SECUREBITS;
2130 return -errno;
2131 }
2132
2133 if (context->no_new_privileges ||
2134 (!have_effective_cap(CAP_SYS_ADMIN) && (use_address_families || context->memory_deny_write_execute || context->restrict_realtime || use_syscall_filter)))
2135 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
2136 *exit_status = EXIT_NO_NEW_PRIVILEGES;
2137 return -errno;
2138 }
2139
2140 #ifdef HAVE_SECCOMP
2141 if (use_address_families) {
2142 r = apply_address_families(context);
2143 if (r < 0) {
2144 *exit_status = EXIT_ADDRESS_FAMILIES;
2145 return r;
2146 }
2147 }
2148
2149 if (context->memory_deny_write_execute) {
2150 r = apply_memory_deny_write_execute(context);
2151 if (r < 0) {
2152 *exit_status = EXIT_SECCOMP;
2153 return r;
2154 }
2155 }
2156
2157 if (context->restrict_realtime) {
2158 r = apply_restrict_realtime(context);
2159 if (r < 0) {
2160 *exit_status = EXIT_SECCOMP;
2161 return r;
2162 }
2163 }
2164
2165 if (use_syscall_filter) {
2166 r = apply_seccomp(context);
2167 if (r < 0) {
2168 *exit_status = EXIT_SECCOMP;
2169 return r;
2170 }
2171 }
2172 #endif
2173
2174 #ifdef HAVE_SELINUX
2175 if (mac_selinux_use()) {
2176 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
2177
2178 if (exec_context) {
2179 r = setexeccon(exec_context);
2180 if (r < 0) {
2181 *exit_status = EXIT_SELINUX_CONTEXT;
2182 return r;
2183 }
2184 }
2185 }
2186 #endif
2187
2188 #ifdef HAVE_APPARMOR
2189 if (context->apparmor_profile && mac_apparmor_use()) {
2190 r = aa_change_onexec(context->apparmor_profile);
2191 if (r < 0 && !context->apparmor_profile_ignore) {
2192 *exit_status = EXIT_APPARMOR_PROFILE;
2193 return -errno;
2194 }
2195 }
2196 #endif
2197 }
2198
2199 final_argv = replace_env_argv(argv, accum_env);
2200 if (!final_argv) {
2201 *exit_status = EXIT_MEMORY;
2202 return -ENOMEM;
2203 }
2204
2205 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
2206 _cleanup_free_ char *line;
2207
2208 line = exec_command_line(final_argv);
2209 if (line) {
2210 log_open();
2211 log_struct(LOG_DEBUG,
2212 LOG_UNIT_ID(unit),
2213 "EXECUTABLE=%s", command->path,
2214 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
2215 NULL);
2216 log_close();
2217 }
2218 }
2219
2220 execve(command->path, final_argv, accum_env);
2221 *exit_status = EXIT_EXEC;
2222 return -errno;
2223 }
2224
2225 int exec_spawn(Unit *unit,
2226 ExecCommand *command,
2227 const ExecContext *context,
2228 const ExecParameters *params,
2229 ExecRuntime *runtime,
2230 DynamicCreds *dcreds,
2231 pid_t *ret) {
2232
2233 _cleanup_strv_free_ char **files_env = NULL;
2234 int *fds = NULL; unsigned n_fds = 0;
2235 _cleanup_free_ char *line = NULL;
2236 int socket_fd, r;
2237 char **argv;
2238 pid_t pid;
2239
2240 assert(unit);
2241 assert(command);
2242 assert(context);
2243 assert(ret);
2244 assert(params);
2245 assert(params->fds || params->n_fds <= 0);
2246
2247 if (context->std_input == EXEC_INPUT_SOCKET ||
2248 context->std_output == EXEC_OUTPUT_SOCKET ||
2249 context->std_error == EXEC_OUTPUT_SOCKET) {
2250
2251 if (params->n_fds != 1) {
2252 log_unit_error(unit, "Got more than one socket.");
2253 return -EINVAL;
2254 }
2255
2256 socket_fd = params->fds[0];
2257 } else {
2258 socket_fd = -1;
2259 fds = params->fds;
2260 n_fds = params->n_fds;
2261 }
2262
2263 r = exec_context_load_environment(unit, context, &files_env);
2264 if (r < 0)
2265 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
2266
2267 argv = params->argv ?: command->argv;
2268 line = exec_command_line(argv);
2269 if (!line)
2270 return log_oom();
2271
2272 log_struct(LOG_DEBUG,
2273 LOG_UNIT_ID(unit),
2274 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
2275 "EXECUTABLE=%s", command->path,
2276 NULL);
2277 pid = fork();
2278 if (pid < 0)
2279 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
2280
2281 if (pid == 0) {
2282 int exit_status;
2283
2284 r = exec_child(unit,
2285 command,
2286 context,
2287 params,
2288 runtime,
2289 dcreds,
2290 argv,
2291 socket_fd,
2292 fds, n_fds,
2293 files_env,
2294 &exit_status);
2295 if (r < 0) {
2296 log_open();
2297 log_struct_errno(LOG_ERR, r,
2298 LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
2299 LOG_UNIT_ID(unit),
2300 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
2301 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
2302 command->path),
2303 "EXECUTABLE=%s", command->path,
2304 NULL);
2305 }
2306
2307 _exit(exit_status);
2308 }
2309
2310 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
2311
2312 /* We add the new process to the cgroup both in the child (so
2313 * that we can be sure that no user code is ever executed
2314 * outside of the cgroup) and in the parent (so that we can be
2315 * sure that when we kill the cgroup the process will be
2316 * killed too). */
2317 if (params->cgroup_path)
2318 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
2319
2320 exec_status_start(&command->exec_status, pid);
2321
2322 *ret = pid;
2323 return 0;
2324 }
2325
2326 void exec_context_init(ExecContext *c) {
2327 assert(c);
2328
2329 c->umask = 0022;
2330 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
2331 c->cpu_sched_policy = SCHED_OTHER;
2332 c->syslog_priority = LOG_DAEMON|LOG_INFO;
2333 c->syslog_level_prefix = true;
2334 c->ignore_sigpipe = true;
2335 c->timer_slack_nsec = NSEC_INFINITY;
2336 c->personality = PERSONALITY_INVALID;
2337 c->runtime_directory_mode = 0755;
2338 c->capability_bounding_set = CAP_ALL;
2339 }
2340
2341 void exec_context_done(ExecContext *c) {
2342 unsigned l;
2343
2344 assert(c);
2345
2346 c->environment = strv_free(c->environment);
2347 c->environment_files = strv_free(c->environment_files);
2348 c->pass_environment = strv_free(c->pass_environment);
2349
2350 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
2351 c->rlimit[l] = mfree(c->rlimit[l]);
2352
2353 c->working_directory = mfree(c->working_directory);
2354 c->root_directory = mfree(c->root_directory);
2355 c->tty_path = mfree(c->tty_path);
2356 c->syslog_identifier = mfree(c->syslog_identifier);
2357 c->user = mfree(c->user);
2358 c->group = mfree(c->group);
2359
2360 c->supplementary_groups = strv_free(c->supplementary_groups);
2361
2362 c->pam_name = mfree(c->pam_name);
2363
2364 c->read_only_paths = strv_free(c->read_only_paths);
2365 c->read_write_paths = strv_free(c->read_write_paths);
2366 c->inaccessible_paths = strv_free(c->inaccessible_paths);
2367
2368 if (c->cpuset)
2369 CPU_FREE(c->cpuset);
2370
2371 c->utmp_id = mfree(c->utmp_id);
2372 c->selinux_context = mfree(c->selinux_context);
2373 c->apparmor_profile = mfree(c->apparmor_profile);
2374
2375 c->syscall_filter = set_free(c->syscall_filter);
2376 c->syscall_archs = set_free(c->syscall_archs);
2377 c->address_families = set_free(c->address_families);
2378
2379 c->runtime_directory = strv_free(c->runtime_directory);
2380 }
2381
2382 int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
2383 char **i;
2384
2385 assert(c);
2386
2387 if (!runtime_prefix)
2388 return 0;
2389
2390 STRV_FOREACH(i, c->runtime_directory) {
2391 _cleanup_free_ char *p;
2392
2393 p = strjoin(runtime_prefix, "/", *i, NULL);
2394 if (!p)
2395 return -ENOMEM;
2396
2397 /* We execute this synchronously, since we need to be
2398 * sure this is gone when we start the service
2399 * next. */
2400 (void) rm_rf(p, REMOVE_ROOT);
2401 }
2402
2403 return 0;
2404 }
2405
2406 void exec_command_done(ExecCommand *c) {
2407 assert(c);
2408
2409 c->path = mfree(c->path);
2410
2411 c->argv = strv_free(c->argv);
2412 }
2413
2414 void exec_command_done_array(ExecCommand *c, unsigned n) {
2415 unsigned i;
2416
2417 for (i = 0; i < n; i++)
2418 exec_command_done(c+i);
2419 }
2420
2421 ExecCommand* exec_command_free_list(ExecCommand *c) {
2422 ExecCommand *i;
2423
2424 while ((i = c)) {
2425 LIST_REMOVE(command, c, i);
2426 exec_command_done(i);
2427 free(i);
2428 }
2429
2430 return NULL;
2431 }
2432
2433 void exec_command_free_array(ExecCommand **c, unsigned n) {
2434 unsigned i;
2435
2436 for (i = 0; i < n; i++)
2437 c[i] = exec_command_free_list(c[i]);
2438 }
2439
2440 typedef struct InvalidEnvInfo {
2441 Unit *unit;
2442 const char *path;
2443 } InvalidEnvInfo;
2444
2445 static void invalid_env(const char *p, void *userdata) {
2446 InvalidEnvInfo *info = userdata;
2447
2448 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
2449 }
2450
2451 int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
2452 char **i, **r = NULL;
2453
2454 assert(c);
2455 assert(l);
2456
2457 STRV_FOREACH(i, c->environment_files) {
2458 char *fn;
2459 int k;
2460 bool ignore = false;
2461 char **p;
2462 _cleanup_globfree_ glob_t pglob = {};
2463 int count, n;
2464
2465 fn = *i;
2466
2467 if (fn[0] == '-') {
2468 ignore = true;
2469 fn++;
2470 }
2471
2472 if (!path_is_absolute(fn)) {
2473 if (ignore)
2474 continue;
2475
2476 strv_free(r);
2477 return -EINVAL;
2478 }
2479
2480 /* Filename supports globbing, take all matching files */
2481 errno = 0;
2482 if (glob(fn, 0, NULL, &pglob) != 0) {
2483 if (ignore)
2484 continue;
2485
2486 strv_free(r);
2487 return errno > 0 ? -errno : -EINVAL;
2488 }
2489 count = pglob.gl_pathc;
2490 if (count == 0) {
2491 if (ignore)
2492 continue;
2493
2494 strv_free(r);
2495 return -EINVAL;
2496 }
2497 for (n = 0; n < count; n++) {
2498 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
2499 if (k < 0) {
2500 if (ignore)
2501 continue;
2502
2503 strv_free(r);
2504 return k;
2505 }
2506 /* Log invalid environment variables with filename */
2507 if (p) {
2508 InvalidEnvInfo info = {
2509 .unit = unit,
2510 .path = pglob.gl_pathv[n]
2511 };
2512
2513 p = strv_env_clean_with_callback(p, invalid_env, &info);
2514 }
2515
2516 if (r == NULL)
2517 r = p;
2518 else {
2519 char **m;
2520
2521 m = strv_env_merge(2, r, p);
2522 strv_free(r);
2523 strv_free(p);
2524 if (!m)
2525 return -ENOMEM;
2526
2527 r = m;
2528 }
2529 }
2530 }
2531
2532 *l = r;
2533
2534 return 0;
2535 }
2536
2537 static bool tty_may_match_dev_console(const char *tty) {
2538 _cleanup_free_ char *active = NULL;
2539 char *console;
2540
2541 if (!tty)
2542 return true;
2543
2544 if (startswith(tty, "/dev/"))
2545 tty += 5;
2546
2547 /* trivial identity? */
2548 if (streq(tty, "console"))
2549 return true;
2550
2551 console = resolve_dev_console(&active);
2552 /* if we could not resolve, assume it may */
2553 if (!console)
2554 return true;
2555
2556 /* "tty0" means the active VC, so it may be the same sometimes */
2557 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
2558 }
2559
2560 bool exec_context_may_touch_console(ExecContext *ec) {
2561
2562 return (ec->tty_reset ||
2563 ec->tty_vhangup ||
2564 ec->tty_vt_disallocate ||
2565 is_terminal_input(ec->std_input) ||
2566 is_terminal_output(ec->std_output) ||
2567 is_terminal_output(ec->std_error)) &&
2568 tty_may_match_dev_console(exec_context_tty_path(ec));
2569 }
2570
2571 static void strv_fprintf(FILE *f, char **l) {
2572 char **g;
2573
2574 assert(f);
2575
2576 STRV_FOREACH(g, l)
2577 fprintf(f, " %s", *g);
2578 }
2579
2580 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
2581 char **e, **d;
2582 unsigned i;
2583
2584 assert(c);
2585 assert(f);
2586
2587 prefix = strempty(prefix);
2588
2589 fprintf(f,
2590 "%sUMask: %04o\n"
2591 "%sWorkingDirectory: %s\n"
2592 "%sRootDirectory: %s\n"
2593 "%sNonBlocking: %s\n"
2594 "%sPrivateTmp: %s\n"
2595 "%sPrivateNetwork: %s\n"
2596 "%sPrivateDevices: %s\n"
2597 "%sProtectHome: %s\n"
2598 "%sProtectSystem: %s\n"
2599 "%sIgnoreSIGPIPE: %s\n"
2600 "%sMemoryDenyWriteExecute: %s\n"
2601 "%sRestrictRealtime: %s\n",
2602 prefix, c->umask,
2603 prefix, c->working_directory ? c->working_directory : "/",
2604 prefix, c->root_directory ? c->root_directory : "/",
2605 prefix, yes_no(c->non_blocking),
2606 prefix, yes_no(c->private_tmp),
2607 prefix, yes_no(c->private_network),
2608 prefix, yes_no(c->private_devices),
2609 prefix, protect_home_to_string(c->protect_home),
2610 prefix, protect_system_to_string(c->protect_system),
2611 prefix, yes_no(c->ignore_sigpipe),
2612 prefix, yes_no(c->memory_deny_write_execute),
2613 prefix, yes_no(c->restrict_realtime));
2614
2615 STRV_FOREACH(e, c->environment)
2616 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
2617
2618 STRV_FOREACH(e, c->environment_files)
2619 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
2620
2621 STRV_FOREACH(e, c->pass_environment)
2622 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
2623
2624 fprintf(f, "%sRuntimeDirectoryMode: %04o\n", prefix, c->runtime_directory_mode);
2625
2626 STRV_FOREACH(d, c->runtime_directory)
2627 fprintf(f, "%sRuntimeDirectory: %s\n", prefix, *d);
2628
2629 if (c->nice_set)
2630 fprintf(f,
2631 "%sNice: %i\n",
2632 prefix, c->nice);
2633
2634 if (c->oom_score_adjust_set)
2635 fprintf(f,
2636 "%sOOMScoreAdjust: %i\n",
2637 prefix, c->oom_score_adjust);
2638
2639 for (i = 0; i < RLIM_NLIMITS; i++)
2640 if (c->rlimit[i]) {
2641 fprintf(f, "%s%s: " RLIM_FMT "\n",
2642 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
2643 fprintf(f, "%s%sSoft: " RLIM_FMT "\n",
2644 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
2645 }
2646
2647 if (c->ioprio_set) {
2648 _cleanup_free_ char *class_str = NULL;
2649
2650 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
2651 fprintf(f,
2652 "%sIOSchedulingClass: %s\n"
2653 "%sIOPriority: %i\n",
2654 prefix, strna(class_str),
2655 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
2656 }
2657
2658 if (c->cpu_sched_set) {
2659 _cleanup_free_ char *policy_str = NULL;
2660
2661 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
2662 fprintf(f,
2663 "%sCPUSchedulingPolicy: %s\n"
2664 "%sCPUSchedulingPriority: %i\n"
2665 "%sCPUSchedulingResetOnFork: %s\n",
2666 prefix, strna(policy_str),
2667 prefix, c->cpu_sched_priority,
2668 prefix, yes_no(c->cpu_sched_reset_on_fork));
2669 }
2670
2671 if (c->cpuset) {
2672 fprintf(f, "%sCPUAffinity:", prefix);
2673 for (i = 0; i < c->cpuset_ncpus; i++)
2674 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
2675 fprintf(f, " %u", i);
2676 fputs("\n", f);
2677 }
2678
2679 if (c->timer_slack_nsec != NSEC_INFINITY)
2680 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
2681
2682 fprintf(f,
2683 "%sStandardInput: %s\n"
2684 "%sStandardOutput: %s\n"
2685 "%sStandardError: %s\n",
2686 prefix, exec_input_to_string(c->std_input),
2687 prefix, exec_output_to_string(c->std_output),
2688 prefix, exec_output_to_string(c->std_error));
2689
2690 if (c->tty_path)
2691 fprintf(f,
2692 "%sTTYPath: %s\n"
2693 "%sTTYReset: %s\n"
2694 "%sTTYVHangup: %s\n"
2695 "%sTTYVTDisallocate: %s\n",
2696 prefix, c->tty_path,
2697 prefix, yes_no(c->tty_reset),
2698 prefix, yes_no(c->tty_vhangup),
2699 prefix, yes_no(c->tty_vt_disallocate));
2700
2701 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
2702 c->std_output == EXEC_OUTPUT_KMSG ||
2703 c->std_output == EXEC_OUTPUT_JOURNAL ||
2704 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2705 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2706 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
2707 c->std_error == EXEC_OUTPUT_SYSLOG ||
2708 c->std_error == EXEC_OUTPUT_KMSG ||
2709 c->std_error == EXEC_OUTPUT_JOURNAL ||
2710 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2711 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2712 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
2713
2714 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
2715
2716 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
2717 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
2718
2719 fprintf(f,
2720 "%sSyslogFacility: %s\n"
2721 "%sSyslogLevel: %s\n",
2722 prefix, strna(fac_str),
2723 prefix, strna(lvl_str));
2724 }
2725
2726 if (c->secure_bits)
2727 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
2728 prefix,
2729 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
2730 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
2731 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
2732 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
2733 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
2734 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
2735
2736 if (c->capability_bounding_set != CAP_ALL) {
2737 unsigned long l;
2738 fprintf(f, "%sCapabilityBoundingSet:", prefix);
2739
2740 for (l = 0; l <= cap_last_cap(); l++)
2741 if (c->capability_bounding_set & (UINT64_C(1) << l))
2742 fprintf(f, " %s", strna(capability_to_name(l)));
2743
2744 fputs("\n", f);
2745 }
2746
2747 if (c->capability_ambient_set != 0) {
2748 unsigned long l;
2749 fprintf(f, "%sAmbientCapabilities:", prefix);
2750
2751 for (l = 0; l <= cap_last_cap(); l++)
2752 if (c->capability_ambient_set & (UINT64_C(1) << l))
2753 fprintf(f, " %s", strna(capability_to_name(l)));
2754
2755 fputs("\n", f);
2756 }
2757
2758 if (c->user)
2759 fprintf(f, "%sUser: %s\n", prefix, c->user);
2760 if (c->group)
2761 fprintf(f, "%sGroup: %s\n", prefix, c->group);
2762
2763 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
2764
2765 if (strv_length(c->supplementary_groups) > 0) {
2766 fprintf(f, "%sSupplementaryGroups:", prefix);
2767 strv_fprintf(f, c->supplementary_groups);
2768 fputs("\n", f);
2769 }
2770
2771 if (c->pam_name)
2772 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
2773
2774 if (strv_length(c->read_write_paths) > 0) {
2775 fprintf(f, "%sReadWritePaths:", prefix);
2776 strv_fprintf(f, c->read_write_paths);
2777 fputs("\n", f);
2778 }
2779
2780 if (strv_length(c->read_only_paths) > 0) {
2781 fprintf(f, "%sReadOnlyPaths:", prefix);
2782 strv_fprintf(f, c->read_only_paths);
2783 fputs("\n", f);
2784 }
2785
2786 if (strv_length(c->inaccessible_paths) > 0) {
2787 fprintf(f, "%sInaccessiblePaths:", prefix);
2788 strv_fprintf(f, c->inaccessible_paths);
2789 fputs("\n", f);
2790 }
2791
2792 if (c->utmp_id)
2793 fprintf(f,
2794 "%sUtmpIdentifier: %s\n",
2795 prefix, c->utmp_id);
2796
2797 if (c->selinux_context)
2798 fprintf(f,
2799 "%sSELinuxContext: %s%s\n",
2800 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
2801
2802 if (c->personality != PERSONALITY_INVALID)
2803 fprintf(f,
2804 "%sPersonality: %s\n",
2805 prefix, strna(personality_to_string(c->personality)));
2806
2807 if (c->syscall_filter) {
2808 #ifdef HAVE_SECCOMP
2809 Iterator j;
2810 void *id;
2811 bool first = true;
2812 #endif
2813
2814 fprintf(f,
2815 "%sSystemCallFilter: ",
2816 prefix);
2817
2818 if (!c->syscall_whitelist)
2819 fputc('~', f);
2820
2821 #ifdef HAVE_SECCOMP
2822 SET_FOREACH(id, c->syscall_filter, j) {
2823 _cleanup_free_ char *name = NULL;
2824
2825 if (first)
2826 first = false;
2827 else
2828 fputc(' ', f);
2829
2830 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
2831 fputs(strna(name), f);
2832 }
2833 #endif
2834
2835 fputc('\n', f);
2836 }
2837
2838 if (c->syscall_archs) {
2839 #ifdef HAVE_SECCOMP
2840 Iterator j;
2841 void *id;
2842 #endif
2843
2844 fprintf(f,
2845 "%sSystemCallArchitectures:",
2846 prefix);
2847
2848 #ifdef HAVE_SECCOMP
2849 SET_FOREACH(id, c->syscall_archs, j)
2850 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
2851 #endif
2852 fputc('\n', f);
2853 }
2854
2855 if (c->syscall_errno > 0)
2856 fprintf(f,
2857 "%sSystemCallErrorNumber: %s\n",
2858 prefix, strna(errno_to_name(c->syscall_errno)));
2859
2860 if (c->apparmor_profile)
2861 fprintf(f,
2862 "%sAppArmorProfile: %s%s\n",
2863 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
2864 }
2865
2866 bool exec_context_maintains_privileges(ExecContext *c) {
2867 assert(c);
2868
2869 /* Returns true if the process forked off would run under
2870 * an unchanged UID or as root. */
2871
2872 if (!c->user)
2873 return true;
2874
2875 if (streq(c->user, "root") || streq(c->user, "0"))
2876 return true;
2877
2878 return false;
2879 }
2880
2881 void exec_status_start(ExecStatus *s, pid_t pid) {
2882 assert(s);
2883
2884 zero(*s);
2885 s->pid = pid;
2886 dual_timestamp_get(&s->start_timestamp);
2887 }
2888
2889 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
2890 assert(s);
2891
2892 if (s->pid && s->pid != pid)
2893 zero(*s);
2894
2895 s->pid = pid;
2896 dual_timestamp_get(&s->exit_timestamp);
2897
2898 s->code = code;
2899 s->status = status;
2900
2901 if (context) {
2902 if (context->utmp_id)
2903 utmp_put_dead_process(context->utmp_id, pid, code, status);
2904
2905 exec_context_tty_reset(context, NULL);
2906 }
2907 }
2908
2909 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
2910 char buf[FORMAT_TIMESTAMP_MAX];
2911
2912 assert(s);
2913 assert(f);
2914
2915 if (s->pid <= 0)
2916 return;
2917
2918 prefix = strempty(prefix);
2919
2920 fprintf(f,
2921 "%sPID: "PID_FMT"\n",
2922 prefix, s->pid);
2923
2924 if (s->start_timestamp.realtime > 0)
2925 fprintf(f,
2926 "%sStart Timestamp: %s\n",
2927 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
2928
2929 if (s->exit_timestamp.realtime > 0)
2930 fprintf(f,
2931 "%sExit Timestamp: %s\n"
2932 "%sExit Code: %s\n"
2933 "%sExit Status: %i\n",
2934 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
2935 prefix, sigchld_code_to_string(s->code),
2936 prefix, s->status);
2937 }
2938
2939 char *exec_command_line(char **argv) {
2940 size_t k;
2941 char *n, *p, **a;
2942 bool first = true;
2943
2944 assert(argv);
2945
2946 k = 1;
2947 STRV_FOREACH(a, argv)
2948 k += strlen(*a)+3;
2949
2950 if (!(n = new(char, k)))
2951 return NULL;
2952
2953 p = n;
2954 STRV_FOREACH(a, argv) {
2955
2956 if (!first)
2957 *(p++) = ' ';
2958 else
2959 first = false;
2960
2961 if (strpbrk(*a, WHITESPACE)) {
2962 *(p++) = '\'';
2963 p = stpcpy(p, *a);
2964 *(p++) = '\'';
2965 } else
2966 p = stpcpy(p, *a);
2967
2968 }
2969
2970 *p = 0;
2971
2972 /* FIXME: this doesn't really handle arguments that have
2973 * spaces and ticks in them */
2974
2975 return n;
2976 }
2977
2978 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
2979 _cleanup_free_ char *cmd = NULL;
2980 const char *prefix2;
2981
2982 assert(c);
2983 assert(f);
2984
2985 prefix = strempty(prefix);
2986 prefix2 = strjoina(prefix, "\t");
2987
2988 cmd = exec_command_line(c->argv);
2989 fprintf(f,
2990 "%sCommand Line: %s\n",
2991 prefix, cmd ? cmd : strerror(ENOMEM));
2992
2993 exec_status_dump(&c->exec_status, f, prefix2);
2994 }
2995
2996 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2997 assert(f);
2998
2999 prefix = strempty(prefix);
3000
3001 LIST_FOREACH(command, c, c)
3002 exec_command_dump(c, f, prefix);
3003 }
3004
3005 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
3006 ExecCommand *end;
3007
3008 assert(l);
3009 assert(e);
3010
3011 if (*l) {
3012 /* It's kind of important, that we keep the order here */
3013 LIST_FIND_TAIL(command, *l, end);
3014 LIST_INSERT_AFTER(command, *l, end, e);
3015 } else
3016 *l = e;
3017 }
3018
3019 int exec_command_set(ExecCommand *c, const char *path, ...) {
3020 va_list ap;
3021 char **l, *p;
3022
3023 assert(c);
3024 assert(path);
3025
3026 va_start(ap, path);
3027 l = strv_new_ap(path, ap);
3028 va_end(ap);
3029
3030 if (!l)
3031 return -ENOMEM;
3032
3033 p = strdup(path);
3034 if (!p) {
3035 strv_free(l);
3036 return -ENOMEM;
3037 }
3038
3039 free(c->path);
3040 c->path = p;
3041
3042 strv_free(c->argv);
3043 c->argv = l;
3044
3045 return 0;
3046 }
3047
3048 int exec_command_append(ExecCommand *c, const char *path, ...) {
3049 _cleanup_strv_free_ char **l = NULL;
3050 va_list ap;
3051 int r;
3052
3053 assert(c);
3054 assert(path);
3055
3056 va_start(ap, path);
3057 l = strv_new_ap(path, ap);
3058 va_end(ap);
3059
3060 if (!l)
3061 return -ENOMEM;
3062
3063 r = strv_extend_strv(&c->argv, l, false);
3064 if (r < 0)
3065 return r;
3066
3067 return 0;
3068 }
3069
3070
3071 static int exec_runtime_allocate(ExecRuntime **rt) {
3072
3073 if (*rt)
3074 return 0;
3075
3076 *rt = new0(ExecRuntime, 1);
3077 if (!*rt)
3078 return -ENOMEM;
3079
3080 (*rt)->n_ref = 1;
3081 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
3082
3083 return 0;
3084 }
3085
3086 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
3087 int r;
3088
3089 assert(rt);
3090 assert(c);
3091 assert(id);
3092
3093 if (*rt)
3094 return 1;
3095
3096 if (!c->private_network && !c->private_tmp)
3097 return 0;
3098
3099 r = exec_runtime_allocate(rt);
3100 if (r < 0)
3101 return r;
3102
3103 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
3104 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, (*rt)->netns_storage_socket) < 0)
3105 return -errno;
3106 }
3107
3108 if (c->private_tmp && !(*rt)->tmp_dir) {
3109 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
3110 if (r < 0)
3111 return r;
3112 }
3113
3114 return 1;
3115 }
3116
3117 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
3118 assert(r);
3119 assert(r->n_ref > 0);
3120
3121 r->n_ref++;
3122 return r;
3123 }
3124
3125 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
3126
3127 if (!r)
3128 return NULL;
3129
3130 assert(r->n_ref > 0);
3131
3132 r->n_ref--;
3133 if (r->n_ref > 0)
3134 return NULL;
3135
3136 free(r->tmp_dir);
3137 free(r->var_tmp_dir);
3138 safe_close_pair(r->netns_storage_socket);
3139 free(r);
3140
3141 return NULL;
3142 }
3143
3144 int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
3145 assert(u);
3146 assert(f);
3147 assert(fds);
3148
3149 if (!rt)
3150 return 0;
3151
3152 if (rt->tmp_dir)
3153 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
3154
3155 if (rt->var_tmp_dir)
3156 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
3157
3158 if (rt->netns_storage_socket[0] >= 0) {
3159 int copy;
3160
3161 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
3162 if (copy < 0)
3163 return copy;
3164
3165 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
3166 }
3167
3168 if (rt->netns_storage_socket[1] >= 0) {
3169 int copy;
3170
3171 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
3172 if (copy < 0)
3173 return copy;
3174
3175 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
3176 }
3177
3178 return 0;
3179 }
3180
3181 int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
3182 int r;
3183
3184 assert(rt);
3185 assert(key);
3186 assert(value);
3187
3188 if (streq(key, "tmp-dir")) {
3189 char *copy;
3190
3191 r = exec_runtime_allocate(rt);
3192 if (r < 0)
3193 return log_oom();
3194
3195 copy = strdup(value);
3196 if (!copy)
3197 return log_oom();
3198
3199 free((*rt)->tmp_dir);
3200 (*rt)->tmp_dir = copy;
3201
3202 } else if (streq(key, "var-tmp-dir")) {
3203 char *copy;
3204
3205 r = exec_runtime_allocate(rt);
3206 if (r < 0)
3207 return log_oom();
3208
3209 copy = strdup(value);
3210 if (!copy)
3211 return log_oom();
3212
3213 free((*rt)->var_tmp_dir);
3214 (*rt)->var_tmp_dir = copy;
3215
3216 } else if (streq(key, "netns-socket-0")) {
3217 int fd;
3218
3219 r = exec_runtime_allocate(rt);
3220 if (r < 0)
3221 return log_oom();
3222
3223 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
3224 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
3225 else {
3226 safe_close((*rt)->netns_storage_socket[0]);
3227 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
3228 }
3229 } else if (streq(key, "netns-socket-1")) {
3230 int fd;
3231
3232 r = exec_runtime_allocate(rt);
3233 if (r < 0)
3234 return log_oom();
3235
3236 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
3237 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
3238 else {
3239 safe_close((*rt)->netns_storage_socket[1]);
3240 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
3241 }
3242 } else
3243 return 0;
3244
3245 return 1;
3246 }
3247
3248 static void *remove_tmpdir_thread(void *p) {
3249 _cleanup_free_ char *path = p;
3250
3251 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
3252 return NULL;
3253 }
3254
3255 void exec_runtime_destroy(ExecRuntime *rt) {
3256 int r;
3257
3258 if (!rt)
3259 return;
3260
3261 /* If there are multiple users of this, let's leave the stuff around */
3262 if (rt->n_ref > 1)
3263 return;
3264
3265 if (rt->tmp_dir) {
3266 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
3267
3268 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
3269 if (r < 0) {
3270 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
3271 free(rt->tmp_dir);
3272 }
3273
3274 rt->tmp_dir = NULL;
3275 }
3276
3277 if (rt->var_tmp_dir) {
3278 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
3279
3280 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
3281 if (r < 0) {
3282 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
3283 free(rt->var_tmp_dir);
3284 }
3285
3286 rt->var_tmp_dir = NULL;
3287 }
3288
3289 safe_close_pair(rt->netns_storage_socket);
3290 }
3291
3292 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
3293 [EXEC_INPUT_NULL] = "null",
3294 [EXEC_INPUT_TTY] = "tty",
3295 [EXEC_INPUT_TTY_FORCE] = "tty-force",
3296 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
3297 [EXEC_INPUT_SOCKET] = "socket"
3298 };
3299
3300 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
3301
3302 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
3303 [EXEC_OUTPUT_INHERIT] = "inherit",
3304 [EXEC_OUTPUT_NULL] = "null",
3305 [EXEC_OUTPUT_TTY] = "tty",
3306 [EXEC_OUTPUT_SYSLOG] = "syslog",
3307 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
3308 [EXEC_OUTPUT_KMSG] = "kmsg",
3309 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
3310 [EXEC_OUTPUT_JOURNAL] = "journal",
3311 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
3312 [EXEC_OUTPUT_SOCKET] = "socket"
3313 };
3314
3315 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
3316
3317 static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
3318 [EXEC_UTMP_INIT] = "init",
3319 [EXEC_UTMP_LOGIN] = "login",
3320 [EXEC_UTMP_USER] = "user",
3321 };
3322
3323 DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
Unnamed repository; edit this file 'description' to name the repository.