2 This file is part of systemd.
4 Copyright 2010 Lennart Poettering
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
27 #include <sys/capability.h>
29 #include <sys/personality.h>
30 #include <sys/prctl.h>
31 #include <sys/socket.h>
38 #include <security/pam_appl.h>
42 #include <selinux/selinux.h>
50 #include <sys/apparmor.h>
53 #include "sd-messages.h"
56 #include "alloc-util.h"
58 #include "apparmor-util.h"
63 #include "capability-util.h"
66 #include "errno-list.h"
68 #include "exit-status.h"
71 #include "formats-util.h"
73 #include "glob-util.h"
80 #include "namespace.h"
81 #include "parse-util.h"
82 #include "path-util.h"
83 #include "process-util.h"
84 #include "rlimit-util.h"
87 #include "seccomp-util.h"
89 #include "securebits.h"
90 #include "selinux-util.h"
91 #include "signal-util.h"
92 #include "smack-util.h"
93 #include "string-table.h"
94 #include "string-util.h"
96 #include "syslog-util.h"
97 #include "terminal-util.h"
99 #include "user-util.h"
101 #include "utmp-wtmp.h"
103 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
104 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
106 /* This assumes there is a 'tty' group */
107 #define TTY_MODE 0620
109 #define SNDBUF_SIZE (8*1024*1024)
111 static int shift_fds(int fds
[], unsigned n_fds
) {
112 int start
, restart_from
;
117 /* Modifies the fds array! (sorts it) */
127 for (i
= start
; i
< (int) n_fds
; i
++) {
130 /* Already at right index? */
134 nfd
= fcntl(fds
[i
], F_DUPFD
, i
+ 3);
141 /* Hmm, the fd we wanted isn't free? Then
142 * let's remember that and try again from here */
143 if (nfd
!= i
+3 && restart_from
< 0)
147 if (restart_from
< 0)
150 start
= restart_from
;
156 static int flags_fds(const int fds
[], unsigned n_fds
, bool nonblock
) {
165 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
167 for (i
= 0; i
< n_fds
; i
++) {
169 r
= fd_nonblock(fds
[i
], nonblock
);
173 /* We unconditionally drop FD_CLOEXEC from the fds,
174 * since after all we want to pass these fds to our
177 r
= fd_cloexec(fds
[i
], false);
185 static const char *exec_context_tty_path(const ExecContext
*context
) {
188 if (context
->stdio_as_fds
)
191 if (context
->tty_path
)
192 return context
->tty_path
;
194 return "/dev/console";
197 static void exec_context_tty_reset(const ExecContext
*context
, const ExecParameters
*p
) {
202 path
= exec_context_tty_path(context
);
204 if (context
->tty_vhangup
) {
205 if (p
&& p
->stdin_fd
>= 0)
206 (void) terminal_vhangup_fd(p
->stdin_fd
);
208 (void) terminal_vhangup(path
);
211 if (context
->tty_reset
) {
212 if (p
&& p
->stdin_fd
>= 0)
213 (void) reset_terminal_fd(p
->stdin_fd
, true);
215 (void) reset_terminal(path
);
218 if (context
->tty_vt_disallocate
&& path
)
219 (void) vt_disallocate(path
);
222 static bool is_terminal_output(ExecOutput o
) {
224 o
== EXEC_OUTPUT_TTY
||
225 o
== EXEC_OUTPUT_SYSLOG_AND_CONSOLE
||
226 o
== EXEC_OUTPUT_KMSG_AND_CONSOLE
||
227 o
== EXEC_OUTPUT_JOURNAL_AND_CONSOLE
;
230 static int open_null_as(int flags
, int nfd
) {
235 fd
= open("/dev/null", flags
|O_NOCTTY
);
240 r
= dup2(fd
, nfd
) < 0 ? -errno
: nfd
;
248 static int connect_journal_socket(int fd
, uid_t uid
, gid_t gid
) {
249 union sockaddr_union sa
= {
250 .un
.sun_family
= AF_UNIX
,
251 .un
.sun_path
= "/run/systemd/journal/stdout",
253 uid_t olduid
= UID_INVALID
;
254 gid_t oldgid
= GID_INVALID
;
257 if (gid
!= GID_INVALID
) {
265 if (uid
!= UID_INVALID
) {
275 r
= connect(fd
, &sa
.sa
, SOCKADDR_UN_LEN(sa
.un
));
279 /* If we fail to restore the uid or gid, things will likely
280 fail later on. This should only happen if an LSM interferes. */
282 if (uid
!= UID_INVALID
)
283 (void) seteuid(olduid
);
286 if (gid
!= GID_INVALID
)
287 (void) setegid(oldgid
);
292 static int connect_logger_as(const ExecContext
*context
, ExecOutput output
, const char *ident
, const char *unit_id
, int nfd
, uid_t uid
, gid_t gid
) {
296 assert(output
< _EXEC_OUTPUT_MAX
);
300 fd
= socket(AF_UNIX
, SOCK_STREAM
, 0);
304 r
= connect_journal_socket(fd
, uid
, gid
);
308 if (shutdown(fd
, SHUT_RD
) < 0) {
313 fd_inc_sndbuf(fd
, SNDBUF_SIZE
);
323 context
->syslog_identifier
? context
->syslog_identifier
: ident
,
325 context
->syslog_priority
,
326 !!context
->syslog_level_prefix
,
327 output
== EXEC_OUTPUT_SYSLOG
|| output
== EXEC_OUTPUT_SYSLOG_AND_CONSOLE
,
328 output
== EXEC_OUTPUT_KMSG
|| output
== EXEC_OUTPUT_KMSG_AND_CONSOLE
,
329 is_terminal_output(output
));
332 r
= dup2(fd
, nfd
) < 0 ? -errno
: nfd
;
339 static int open_terminal_as(const char *path
, mode_t mode
, int nfd
) {
345 fd
= open_terminal(path
, mode
| O_NOCTTY
);
350 r
= dup2(fd
, nfd
) < 0 ? -errno
: nfd
;
358 static bool is_terminal_input(ExecInput i
) {
360 i
== EXEC_INPUT_TTY
||
361 i
== EXEC_INPUT_TTY_FORCE
||
362 i
== EXEC_INPUT_TTY_FAIL
;
365 static int fixup_input(ExecInput std_input
, int socket_fd
, bool apply_tty_stdin
) {
367 if (is_terminal_input(std_input
) && !apply_tty_stdin
)
368 return EXEC_INPUT_NULL
;
370 if (std_input
== EXEC_INPUT_SOCKET
&& socket_fd
< 0)
371 return EXEC_INPUT_NULL
;
376 static int fixup_output(ExecOutput std_output
, int socket_fd
) {
378 if (std_output
== EXEC_OUTPUT_SOCKET
&& socket_fd
< 0)
379 return EXEC_OUTPUT_INHERIT
;
384 static int setup_input(
385 const ExecContext
*context
,
386 const ExecParameters
*params
,
394 if (params
->stdin_fd
>= 0) {
395 if (dup2(params
->stdin_fd
, STDIN_FILENO
) < 0)
398 /* Try to make this the controlling tty, if it is a tty, and reset it */
399 (void) ioctl(STDIN_FILENO
, TIOCSCTTY
, context
->std_input
== EXEC_INPUT_TTY_FORCE
);
400 (void) reset_terminal_fd(STDIN_FILENO
, true);
405 i
= fixup_input(context
->std_input
, socket_fd
, params
->apply_tty_stdin
);
409 case EXEC_INPUT_NULL
:
410 return open_null_as(O_RDONLY
, STDIN_FILENO
);
413 case EXEC_INPUT_TTY_FORCE
:
414 case EXEC_INPUT_TTY_FAIL
: {
417 fd
= acquire_terminal(exec_context_tty_path(context
),
418 i
== EXEC_INPUT_TTY_FAIL
,
419 i
== EXEC_INPUT_TTY_FORCE
,
425 if (fd
!= STDIN_FILENO
) {
426 r
= dup2(fd
, STDIN_FILENO
) < 0 ? -errno
: STDIN_FILENO
;
434 case EXEC_INPUT_SOCKET
:
435 return dup2(socket_fd
, STDIN_FILENO
) < 0 ? -errno
: STDIN_FILENO
;
438 assert_not_reached("Unknown input type");
442 static int setup_output(
444 const ExecContext
*context
,
445 const ExecParameters
*params
,
449 uid_t uid
, gid_t gid
) {
460 if (fileno
== STDOUT_FILENO
&& params
->stdout_fd
>= 0) {
462 if (dup2(params
->stdout_fd
, STDOUT_FILENO
) < 0)
465 return STDOUT_FILENO
;
468 if (fileno
== STDERR_FILENO
&& params
->stderr_fd
>= 0) {
469 if (dup2(params
->stderr_fd
, STDERR_FILENO
) < 0)
472 return STDERR_FILENO
;
475 i
= fixup_input(context
->std_input
, socket_fd
, params
->apply_tty_stdin
);
476 o
= fixup_output(context
->std_output
, socket_fd
);
478 if (fileno
== STDERR_FILENO
) {
480 e
= fixup_output(context
->std_error
, socket_fd
);
482 /* This expects the input and output are already set up */
484 /* Don't change the stderr file descriptor if we inherit all
485 * the way and are not on a tty */
486 if (e
== EXEC_OUTPUT_INHERIT
&&
487 o
== EXEC_OUTPUT_INHERIT
&&
488 i
== EXEC_INPUT_NULL
&&
489 !is_terminal_input(context
->std_input
) &&
493 /* Duplicate from stdout if possible */
494 if (e
== o
|| e
== EXEC_OUTPUT_INHERIT
)
495 return dup2(STDOUT_FILENO
, fileno
) < 0 ? -errno
: fileno
;
499 } else if (o
== EXEC_OUTPUT_INHERIT
) {
500 /* If input got downgraded, inherit the original value */
501 if (i
== EXEC_INPUT_NULL
&& is_terminal_input(context
->std_input
))
502 return open_terminal_as(exec_context_tty_path(context
), O_WRONLY
, fileno
);
504 /* If the input is connected to anything that's not a /dev/null, inherit that... */
505 if (i
!= EXEC_INPUT_NULL
)
506 return dup2(STDIN_FILENO
, fileno
) < 0 ? -errno
: fileno
;
508 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
512 /* We need to open /dev/null here anew, to get the right access mode. */
513 return open_null_as(O_WRONLY
, fileno
);
518 case EXEC_OUTPUT_NULL
:
519 return open_null_as(O_WRONLY
, fileno
);
521 case EXEC_OUTPUT_TTY
:
522 if (is_terminal_input(i
))
523 return dup2(STDIN_FILENO
, fileno
) < 0 ? -errno
: fileno
;
525 /* We don't reset the terminal if this is just about output */
526 return open_terminal_as(exec_context_tty_path(context
), O_WRONLY
, fileno
);
528 case EXEC_OUTPUT_SYSLOG
:
529 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE
:
530 case EXEC_OUTPUT_KMSG
:
531 case EXEC_OUTPUT_KMSG_AND_CONSOLE
:
532 case EXEC_OUTPUT_JOURNAL
:
533 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE
:
534 r
= connect_logger_as(context
, o
, ident
, unit
->id
, fileno
, uid
, gid
);
536 log_unit_error_errno(unit
, r
, "Failed to connect %s to the journal socket, ignoring: %m", fileno
== STDOUT_FILENO
? "stdout" : "stderr");
537 r
= open_null_as(O_WRONLY
, fileno
);
541 case EXEC_OUTPUT_SOCKET
:
542 assert(socket_fd
>= 0);
543 return dup2(socket_fd
, fileno
) < 0 ? -errno
: fileno
;
546 assert_not_reached("Unknown error type");
550 static int chown_terminal(int fd
, uid_t uid
) {
555 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
559 /* This might fail. What matters are the results. */
560 (void) fchown(fd
, uid
, -1);
561 (void) fchmod(fd
, TTY_MODE
);
563 if (fstat(fd
, &st
) < 0)
566 if (st
.st_uid
!= uid
|| (st
.st_mode
& 0777) != TTY_MODE
)
572 static int setup_confirm_stdio(int *_saved_stdin
, int *_saved_stdout
) {
573 _cleanup_close_
int fd
= -1, saved_stdin
= -1, saved_stdout
= -1;
576 assert(_saved_stdin
);
577 assert(_saved_stdout
);
579 saved_stdin
= fcntl(STDIN_FILENO
, F_DUPFD
, 3);
583 saved_stdout
= fcntl(STDOUT_FILENO
, F_DUPFD
, 3);
584 if (saved_stdout
< 0)
587 fd
= acquire_terminal(
592 DEFAULT_CONFIRM_USEC
);
596 r
= chown_terminal(fd
, getuid());
600 r
= reset_terminal_fd(fd
, true);
604 if (dup2(fd
, STDIN_FILENO
) < 0)
607 if (dup2(fd
, STDOUT_FILENO
) < 0)
614 *_saved_stdin
= saved_stdin
;
615 *_saved_stdout
= saved_stdout
;
617 saved_stdin
= saved_stdout
= -1;
622 _printf_(1, 2) static int write_confirm_message(const char *format
, ...) {
623 _cleanup_close_
int fd
= -1;
628 fd
= open_terminal("/dev/console", O_WRONLY
|O_NOCTTY
|O_CLOEXEC
);
632 va_start(ap
, format
);
633 vdprintf(fd
, format
, ap
);
639 static int restore_confirm_stdio(int *saved_stdin
, int *saved_stdout
) {
643 assert(saved_stdout
);
647 if (*saved_stdin
>= 0)
648 if (dup2(*saved_stdin
, STDIN_FILENO
) < 0)
651 if (*saved_stdout
>= 0)
652 if (dup2(*saved_stdout
, STDOUT_FILENO
) < 0)
655 *saved_stdin
= safe_close(*saved_stdin
);
656 *saved_stdout
= safe_close(*saved_stdout
);
661 static int ask_for_confirmation(char *response
, char **argv
) {
662 int saved_stdout
= -1, saved_stdin
= -1, r
;
663 _cleanup_free_
char *line
= NULL
;
665 r
= setup_confirm_stdio(&saved_stdin
, &saved_stdout
);
669 line
= exec_command_line(argv
);
673 r
= ask_char(response
, "yns", "Execute %s? [Yes, No, Skip] ", line
);
675 restore_confirm_stdio(&saved_stdin
, &saved_stdout
);
680 static int enforce_groups(const ExecContext
*context
, const char *username
, gid_t gid
) {
681 bool keep_groups
= false;
686 /* Lookup and set GID and supplementary group list. Here too
687 * we avoid NSS lookups for gid=0. */
689 if (context
->group
|| username
) {
690 /* First step, initialize groups from /etc/groups */
691 if (username
&& gid
!= 0) {
692 if (initgroups(username
, gid
) < 0)
698 /* Second step, set our gids */
699 if (setresgid(gid
, gid
, gid
) < 0)
703 if (context
->supplementary_groups
) {
708 /* Final step, initialize any manually set supplementary groups */
709 assert_se((ngroups_max
= (int) sysconf(_SC_NGROUPS_MAX
)) > 0);
711 if (!(gids
= new(gid_t
, ngroups_max
)))
715 k
= getgroups(ngroups_max
, gids
);
723 STRV_FOREACH(i
, context
->supplementary_groups
) {
726 if (k
>= ngroups_max
) {
732 r
= get_group_creds(&g
, gids
+k
);
741 if (setgroups(k
, gids
) < 0) {
752 static int enforce_user(const ExecContext
*context
, uid_t uid
) {
755 /* Sets (but doesn't look up) the uid and make sure we keep the
756 * capabilities while doing so. */
758 if (context
->capability_ambient_set
!= 0) {
760 /* First step: If we need to keep capabilities but
761 * drop privileges we need to make sure we keep our
762 * caps, while we drop privileges. */
764 int sb
= context
->secure_bits
| 1<<SECURE_KEEP_CAPS
;
766 if (prctl(PR_GET_SECUREBITS
) != sb
)
767 if (prctl(PR_SET_SECUREBITS
, sb
) < 0)
772 /* Second step: actually set the uids */
773 if (setresuid(uid
, uid
, uid
) < 0)
776 /* At this point we should have all necessary capabilities but
777 are otherwise a normal user. However, the caps might got
778 corrupted due to the setresuid() so we need clean them up
779 later. This is done outside of this call. */
786 static int null_conv(
788 const struct pam_message
**msg
,
789 struct pam_response
**resp
,
792 /* We don't support conversations */
797 static int setup_pam(
803 int fds
[], unsigned n_fds
) {
805 static const struct pam_conv conv
= {
810 _cleanup_(barrier_destroy
) Barrier barrier
= BARRIER_NULL
;
811 pam_handle_t
*handle
= NULL
;
813 int pam_code
= PAM_SUCCESS
, r
;
815 bool close_session
= false;
816 pid_t pam_pid
= 0, parent_pid
;
823 /* We set up PAM in the parent process, then fork. The child
824 * will then stay around until killed via PR_GET_PDEATHSIG or
825 * systemd via the cgroup logic. It will then remove the PAM
826 * session again. The parent process will exec() the actual
827 * daemon. We do things this way to ensure that the main PID
828 * of the daemon is the one we initially fork()ed. */
830 r
= barrier_create(&barrier
);
834 if (log_get_max_level() < LOG_DEBUG
)
837 pam_code
= pam_start(name
, user
, &conv
, &handle
);
838 if (pam_code
!= PAM_SUCCESS
) {
844 pam_code
= pam_set_item(handle
, PAM_TTY
, tty
);
845 if (pam_code
!= PAM_SUCCESS
)
849 STRV_FOREACH(e
, *env
) {
850 pam_code
= pam_putenv(handle
, *e
);
851 if (pam_code
!= PAM_SUCCESS
)
855 pam_code
= pam_acct_mgmt(handle
, flags
);
856 if (pam_code
!= PAM_SUCCESS
)
859 pam_code
= pam_open_session(handle
, flags
);
860 if (pam_code
!= PAM_SUCCESS
)
863 close_session
= true;
865 e
= pam_getenvlist(handle
);
867 pam_code
= PAM_BUF_ERR
;
871 /* Block SIGTERM, so that we know that it won't get lost in
874 assert_se(sigprocmask_many(SIG_BLOCK
, &old_ss
, SIGTERM
, -1) >= 0);
876 parent_pid
= getpid();
885 int sig
, ret
= EXIT_PAM
;
887 /* The child's job is to reset the PAM session on
889 barrier_set_role(&barrier
, BARRIER_CHILD
);
891 /* This string must fit in 10 chars (i.e. the length
892 * of "/sbin/init"), to look pretty in /bin/ps */
893 rename_process("(sd-pam)");
895 /* Make sure we don't keep open the passed fds in this
896 child. We assume that otherwise only those fds are
897 open here that have been opened by PAM. */
898 close_many(fds
, n_fds
);
900 /* Drop privileges - we don't need any to pam_close_session
901 * and this will make PR_SET_PDEATHSIG work in most cases.
902 * If this fails, ignore the error - but expect sd-pam threads
903 * to fail to exit normally */
904 if (setresuid(uid
, uid
, uid
) < 0)
905 log_error_errno(r
, "Error: Failed to setresuid() in sd-pam: %m");
907 (void) ignore_signals(SIGPIPE
, -1);
909 /* Wait until our parent died. This will only work if
910 * the above setresuid() succeeds, otherwise the kernel
911 * will not allow unprivileged parents kill their privileged
912 * children this way. We rely on the control groups kill logic
913 * to do the rest for us. */
914 if (prctl(PR_SET_PDEATHSIG
, SIGTERM
) < 0)
917 /* Tell the parent that our setup is done. This is especially
918 * important regarding dropping privileges. Otherwise, unit
919 * setup might race against our setresuid(2) call. */
920 barrier_place(&barrier
);
922 /* Check if our parent process might already have
924 if (getppid() == parent_pid
) {
927 assert_se(sigemptyset(&ss
) >= 0);
928 assert_se(sigaddset(&ss
, SIGTERM
) >= 0);
931 if (sigwait(&ss
, &sig
) < 0) {
938 assert(sig
== SIGTERM
);
943 /* If our parent died we'll end the session */
944 if (getppid() != parent_pid
) {
945 pam_code
= pam_close_session(handle
, flags
);
946 if (pam_code
!= PAM_SUCCESS
)
953 pam_end(handle
, pam_code
| flags
);
957 barrier_set_role(&barrier
, BARRIER_PARENT
);
959 /* If the child was forked off successfully it will do all the
960 * cleanups, so forget about the handle here. */
963 /* Unblock SIGTERM again in the parent */
964 assert_se(sigprocmask(SIG_SETMASK
, &old_ss
, NULL
) >= 0);
966 /* We close the log explicitly here, since the PAM modules
967 * might have opened it, but we don't want this fd around. */
970 /* Synchronously wait for the child to initialize. We don't care for
971 * errors as we cannot recover. However, warn loudly if it happens. */
972 if (!barrier_place_and_sync(&barrier
))
973 log_error("PAM initialization failed");
981 if (pam_code
!= PAM_SUCCESS
) {
982 log_error("PAM failed: %s", pam_strerror(handle
, pam_code
));
983 r
= -EPERM
; /* PAM errors do not map to errno */
985 log_error_errno(r
, "PAM failed: %m");
989 pam_code
= pam_close_session(handle
, flags
);
991 pam_end(handle
, pam_code
| flags
);
1001 static void rename_process_from_path(const char *path
) {
1002 char process_name
[11];
1006 /* This resulting string must fit in 10 chars (i.e. the length
1007 * of "/sbin/init") to look pretty in /bin/ps */
1011 rename_process("(...)");
1017 /* The end of the process name is usually more
1018 * interesting, since the first bit might just be
1024 process_name
[0] = '(';
1025 memcpy(process_name
+1, p
, l
);
1026 process_name
[1+l
] = ')';
1027 process_name
[1+l
+1] = 0;
1029 rename_process(process_name
);
1034 static int apply_seccomp(const ExecContext
*c
) {
1035 uint32_t negative_action
, action
;
1036 scmp_filter_ctx
*seccomp
;
1043 negative_action
= c
->syscall_errno
== 0 ? SCMP_ACT_KILL
: SCMP_ACT_ERRNO(c
->syscall_errno
);
1045 seccomp
= seccomp_init(c
->syscall_whitelist
? negative_action
: SCMP_ACT_ALLOW
);
1049 if (c
->syscall_archs
) {
1051 SET_FOREACH(id
, c
->syscall_archs
, i
) {
1052 r
= seccomp_arch_add(seccomp
, PTR_TO_UINT32(id
) - 1);
1060 r
= seccomp_add_secondary_archs(seccomp
);
1065 action
= c
->syscall_whitelist
? SCMP_ACT_ALLOW
: negative_action
;
1066 SET_FOREACH(id
, c
->syscall_filter
, i
) {
1067 r
= seccomp_rule_add(seccomp
, action
, PTR_TO_INT(id
) - 1, 0);
1072 r
= seccomp_attr_set(seccomp
, SCMP_FLTATR_CTL_NNP
, 0);
1076 r
= seccomp_load(seccomp
);
1079 seccomp_release(seccomp
);
1083 static int apply_address_families(const ExecContext
*c
) {
1084 scmp_filter_ctx
*seccomp
;
1090 seccomp
= seccomp_init(SCMP_ACT_ALLOW
);
1094 r
= seccomp_add_secondary_archs(seccomp
);
1098 if (c
->address_families_whitelist
) {
1099 int af
, first
= 0, last
= 0;
1102 /* If this is a whitelist, we first block the address
1103 * families that are out of range and then everything
1104 * that is not in the set. First, we find the lowest
1105 * and highest address family in the set. */
1107 SET_FOREACH(afp
, c
->address_families
, i
) {
1108 af
= PTR_TO_INT(afp
);
1110 if (af
<= 0 || af
>= af_max())
1113 if (first
== 0 || af
< first
)
1116 if (last
== 0 || af
> last
)
1120 assert((first
== 0) == (last
== 0));
1124 /* No entries in the valid range, block everything */
1125 r
= seccomp_rule_add(
1127 SCMP_ACT_ERRNO(EPROTONOSUPPORT
),
1135 /* Block everything below the first entry */
1136 r
= seccomp_rule_add(
1138 SCMP_ACT_ERRNO(EPROTONOSUPPORT
),
1141 SCMP_A0(SCMP_CMP_LT
, first
));
1145 /* Block everything above the last entry */
1146 r
= seccomp_rule_add(
1148 SCMP_ACT_ERRNO(EPROTONOSUPPORT
),
1151 SCMP_A0(SCMP_CMP_GT
, last
));
1155 /* Block everything between the first and last
1157 for (af
= 1; af
< af_max(); af
++) {
1159 if (set_contains(c
->address_families
, INT_TO_PTR(af
)))
1162 r
= seccomp_rule_add(
1164 SCMP_ACT_ERRNO(EPROTONOSUPPORT
),
1167 SCMP_A0(SCMP_CMP_EQ
, af
));
1176 /* If this is a blacklist, then generate one rule for
1177 * each address family that are then combined in OR
1180 SET_FOREACH(af
, c
->address_families
, i
) {
1182 r
= seccomp_rule_add(
1184 SCMP_ACT_ERRNO(EPROTONOSUPPORT
),
1187 SCMP_A0(SCMP_CMP_EQ
, PTR_TO_INT(af
)));
1193 r
= seccomp_attr_set(seccomp
, SCMP_FLTATR_CTL_NNP
, 0);
1197 r
= seccomp_load(seccomp
);
1200 seccomp_release(seccomp
);
1204 static int apply_memory_deny_write_execute(const ExecContext
*c
) {
1205 scmp_filter_ctx
*seccomp
;
1210 seccomp
= seccomp_init(SCMP_ACT_ALLOW
);
1214 r
= seccomp_rule_add(
1219 SCMP_A2(SCMP_CMP_MASKED_EQ
, PROT_EXEC
|PROT_WRITE
, PROT_EXEC
|PROT_WRITE
));
1223 r
= seccomp_rule_add(
1228 SCMP_A2(SCMP_CMP_MASKED_EQ
, PROT_EXEC
, PROT_EXEC
));
1232 r
= seccomp_attr_set(seccomp
, SCMP_FLTATR_CTL_NNP
, 0);
1236 r
= seccomp_load(seccomp
);
1239 seccomp_release(seccomp
);
1245 static void do_idle_pipe_dance(int idle_pipe
[4]) {
1249 idle_pipe
[1] = safe_close(idle_pipe
[1]);
1250 idle_pipe
[2] = safe_close(idle_pipe
[2]);
1252 if (idle_pipe
[0] >= 0) {
1255 r
= fd_wait_for_event(idle_pipe
[0], POLLHUP
, IDLE_TIMEOUT_USEC
);
1257 if (idle_pipe
[3] >= 0 && r
== 0 /* timeout */) {
1260 /* Signal systemd that we are bored and want to continue. */
1261 n
= write(idle_pipe
[3], "x", 1);
1263 /* Wait for systemd to react to the signal above. */
1264 fd_wait_for_event(idle_pipe
[0], POLLHUP
, IDLE_TIMEOUT2_USEC
);
1267 idle_pipe
[0] = safe_close(idle_pipe
[0]);
1271 idle_pipe
[3] = safe_close(idle_pipe
[3]);
1274 static int build_environment(
1275 const ExecContext
*c
,
1276 const ExecParameters
*p
,
1279 const char *username
,
1283 _cleanup_strv_free_
char **our_env
= NULL
;
1290 our_env
= new0(char*, 11);
1295 _cleanup_free_
char *joined
= NULL
;
1297 if (asprintf(&x
, "LISTEN_PID="PID_FMT
, getpid()) < 0)
1299 our_env
[n_env
++] = x
;
1301 if (asprintf(&x
, "LISTEN_FDS=%u", n_fds
) < 0)
1303 our_env
[n_env
++] = x
;
1305 joined
= strv_join(p
->fd_names
, ":");
1309 x
= strjoin("LISTEN_FDNAMES=", joined
, NULL
);
1312 our_env
[n_env
++] = x
;
1315 if (p
->watchdog_usec
> 0) {
1316 if (asprintf(&x
, "WATCHDOG_PID="PID_FMT
, getpid()) < 0)
1318 our_env
[n_env
++] = x
;
1320 if (asprintf(&x
, "WATCHDOG_USEC="USEC_FMT
, p
->watchdog_usec
) < 0)
1322 our_env
[n_env
++] = x
;
1326 x
= strappend("HOME=", home
);
1329 our_env
[n_env
++] = x
;
1333 x
= strappend("LOGNAME=", username
);
1336 our_env
[n_env
++] = x
;
1338 x
= strappend("USER=", username
);
1341 our_env
[n_env
++] = x
;
1345 x
= strappend("SHELL=", shell
);
1348 our_env
[n_env
++] = x
;
1351 if (is_terminal_input(c
->std_input
) ||
1352 c
->std_output
== EXEC_OUTPUT_TTY
||
1353 c
->std_error
== EXEC_OUTPUT_TTY
||
1356 x
= strdup(default_term_for_tty(exec_context_tty_path(c
)));
1359 our_env
[n_env
++] = x
;
1362 our_env
[n_env
++] = NULL
;
1363 assert(n_env
<= 11);
1371 static int build_pass_environment(const ExecContext
*c
, char ***ret
) {
1372 _cleanup_strv_free_
char **pass_env
= NULL
;
1373 size_t n_env
= 0, n_bufsize
= 0;
1376 STRV_FOREACH(i
, c
->pass_environment
) {
1377 _cleanup_free_
char *x
= NULL
;
1383 x
= strjoin(*i
, "=", v
, NULL
);
1386 if (!GREEDY_REALLOC(pass_env
, n_bufsize
, n_env
+ 2))
1388 pass_env
[n_env
++] = x
;
1389 pass_env
[n_env
] = NULL
;
1399 static bool exec_needs_mount_namespace(
1400 const ExecContext
*context
,
1401 const ExecParameters
*params
,
1402 ExecRuntime
*runtime
) {
1407 if (!strv_isempty(context
->read_write_dirs
) ||
1408 !strv_isempty(context
->read_only_dirs
) ||
1409 !strv_isempty(context
->inaccessible_dirs
))
1412 if (context
->mount_flags
!= 0)
1415 if (context
->private_tmp
&& runtime
&& (runtime
->tmp_dir
|| runtime
->var_tmp_dir
))
1418 if (context
->private_devices
||
1419 context
->protect_system
!= PROTECT_SYSTEM_NO
||
1420 context
->protect_home
!= PROTECT_HOME_NO
)
1426 static int close_remaining_fds(
1427 const ExecParameters
*params
,
1428 ExecRuntime
*runtime
,
1430 int *fds
, unsigned n_fds
) {
1432 unsigned n_dont_close
= 0;
1433 int dont_close
[n_fds
+ 7];
1437 if (params
->stdin_fd
>= 0)
1438 dont_close
[n_dont_close
++] = params
->stdin_fd
;
1439 if (params
->stdout_fd
>= 0)
1440 dont_close
[n_dont_close
++] = params
->stdout_fd
;
1441 if (params
->stderr_fd
>= 0)
1442 dont_close
[n_dont_close
++] = params
->stderr_fd
;
1445 dont_close
[n_dont_close
++] = socket_fd
;
1447 memcpy(dont_close
+ n_dont_close
, fds
, sizeof(int) * n_fds
);
1448 n_dont_close
+= n_fds
;
1452 if (runtime
->netns_storage_socket
[0] >= 0)
1453 dont_close
[n_dont_close
++] = runtime
->netns_storage_socket
[0];
1454 if (runtime
->netns_storage_socket
[1] >= 0)
1455 dont_close
[n_dont_close
++] = runtime
->netns_storage_socket
[1];
1458 return close_all_fds(dont_close
, n_dont_close
);
1461 static int exec_child(
1463 ExecCommand
*command
,
1464 const ExecContext
*context
,
1465 const ExecParameters
*params
,
1466 ExecRuntime
*runtime
,
1469 int *fds
, unsigned n_fds
,
1473 _cleanup_strv_free_
char **our_env
= NULL
, **pass_env
= NULL
, **accum_env
= NULL
, **final_argv
= NULL
;
1474 _cleanup_free_
char *mac_selinux_context_net
= NULL
;
1475 const char *username
= NULL
, *home
= NULL
, *shell
= NULL
, *wd
;
1476 uid_t uid
= UID_INVALID
;
1477 gid_t gid
= GID_INVALID
;
1479 bool needs_mount_namespace
;
1485 assert(exit_status
);
1487 rename_process_from_path(command
->path
);
1489 /* We reset exactly these signals, since they are the
1490 * only ones we set to SIG_IGN in the main daemon. All
1491 * others we leave untouched because we set them to
1492 * SIG_DFL or a valid handler initially, both of which
1493 * will be demoted to SIG_DFL. */
1494 (void) default_signals(SIGNALS_CRASH_HANDLER
,
1495 SIGNALS_IGNORE
, -1);
1497 if (context
->ignore_sigpipe
)
1498 (void) ignore_signals(SIGPIPE
, -1);
1500 r
= reset_signal_mask();
1502 *exit_status
= EXIT_SIGNAL_MASK
;
1506 if (params
->idle_pipe
)
1507 do_idle_pipe_dance(params
->idle_pipe
);
1509 /* Close sockets very early to make sure we don't
1510 * block init reexecution because it cannot bind its
1515 r
= close_remaining_fds(params
, runtime
, socket_fd
, fds
, n_fds
);
1517 *exit_status
= EXIT_FDS
;
1521 if (!context
->same_pgrp
)
1523 *exit_status
= EXIT_SETSID
;
1527 exec_context_tty_reset(context
, params
);
1529 if (params
->confirm_spawn
) {
1532 r
= ask_for_confirmation(&response
, argv
);
1533 if (r
== -ETIMEDOUT
)
1534 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
1536 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-r
));
1537 else if (response
== 's') {
1538 write_confirm_message("Skipping execution.\n");
1539 *exit_status
= EXIT_CONFIRM
;
1541 } else if (response
== 'n') {
1542 write_confirm_message("Failing execution.\n");
1548 if (context
->user
) {
1549 username
= context
->user
;
1550 r
= get_user_creds(&username
, &uid
, &gid
, &home
, &shell
);
1552 *exit_status
= EXIT_USER
;
1557 if (context
->group
) {
1558 const char *g
= context
->group
;
1560 r
= get_group_creds(&g
, &gid
);
1562 *exit_status
= EXIT_GROUP
;
1568 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1569 * must sure to drop O_NONBLOCK */
1571 (void) fd_nonblock(socket_fd
, false);
1573 r
= setup_input(context
, params
, socket_fd
);
1575 *exit_status
= EXIT_STDIN
;
1579 r
= setup_output(unit
, context
, params
, STDOUT_FILENO
, socket_fd
, basename(command
->path
), uid
, gid
);
1581 *exit_status
= EXIT_STDOUT
;
1585 r
= setup_output(unit
, context
, params
, STDERR_FILENO
, socket_fd
, basename(command
->path
), uid
, gid
);
1587 *exit_status
= EXIT_STDERR
;
1591 if (params
->cgroup_path
) {
1592 r
= cg_attach_everywhere(params
->cgroup_supported
, params
->cgroup_path
, 0, NULL
, NULL
);
1594 *exit_status
= EXIT_CGROUP
;
1599 if (context
->oom_score_adjust_set
) {
1600 char t
[DECIMAL_STR_MAX(context
->oom_score_adjust
)];
1602 /* When we can't make this change due to EPERM, then
1603 * let's silently skip over it. User namespaces
1604 * prohibit write access to this file, and we
1605 * shouldn't trip up over that. */
1607 sprintf(t
, "%i", context
->oom_score_adjust
);
1608 r
= write_string_file("/proc/self/oom_score_adj", t
, 0);
1609 if (r
== -EPERM
|| r
== -EACCES
) {
1611 log_unit_debug_errno(unit
, r
, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
1614 *exit_status
= EXIT_OOM_ADJUST
;
1619 if (context
->nice_set
)
1620 if (setpriority(PRIO_PROCESS
, 0, context
->nice
) < 0) {
1621 *exit_status
= EXIT_NICE
;
1625 if (context
->cpu_sched_set
) {
1626 struct sched_param param
= {
1627 .sched_priority
= context
->cpu_sched_priority
,
1630 r
= sched_setscheduler(0,
1631 context
->cpu_sched_policy
|
1632 (context
->cpu_sched_reset_on_fork
?
1633 SCHED_RESET_ON_FORK
: 0),
1636 *exit_status
= EXIT_SETSCHEDULER
;
1641 if (context
->cpuset
)
1642 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context
->cpuset_ncpus
), context
->cpuset
) < 0) {
1643 *exit_status
= EXIT_CPUAFFINITY
;
1647 if (context
->ioprio_set
)
1648 if (ioprio_set(IOPRIO_WHO_PROCESS
, 0, context
->ioprio
) < 0) {
1649 *exit_status
= EXIT_IOPRIO
;
1653 if (context
->timer_slack_nsec
!= NSEC_INFINITY
)
1654 if (prctl(PR_SET_TIMERSLACK
, context
->timer_slack_nsec
) < 0) {
1655 *exit_status
= EXIT_TIMERSLACK
;
1659 if (context
->personality
!= PERSONALITY_INVALID
)
1660 if (personality(context
->personality
) < 0) {
1661 *exit_status
= EXIT_PERSONALITY
;
1665 if (context
->utmp_id
)
1666 utmp_put_init_process(context
->utmp_id
, getpid(), getsid(0), context
->tty_path
,
1667 context
->utmp_mode
== EXEC_UTMP_INIT
? INIT_PROCESS
:
1668 context
->utmp_mode
== EXEC_UTMP_LOGIN
? LOGIN_PROCESS
:
1670 username
? "root" : context
->user
);
1672 if (context
->user
&& is_terminal_input(context
->std_input
)) {
1673 r
= chown_terminal(STDIN_FILENO
, uid
);
1675 *exit_status
= EXIT_STDIN
;
1680 /* If delegation is enabled we'll pass ownership of the cgroup
1681 * (but only in systemd's own controller hierarchy!) to the
1682 * user of the new process. */
1683 if (params
->cgroup_path
&& context
->user
&& params
->cgroup_delegate
) {
1684 r
= cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER
, params
->cgroup_path
, 0644, uid
, gid
);
1686 *exit_status
= EXIT_CGROUP
;
1691 r
= cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER
, params
->cgroup_path
, 0755, uid
, gid
);
1693 *exit_status
= EXIT_CGROUP
;
1698 if (!strv_isempty(context
->runtime_directory
) && params
->runtime_prefix
) {
1701 STRV_FOREACH(rt
, context
->runtime_directory
) {
1702 _cleanup_free_
char *p
;
1704 p
= strjoin(params
->runtime_prefix
, "/", *rt
, NULL
);
1706 *exit_status
= EXIT_RUNTIME_DIRECTORY
;
1710 r
= mkdir_p_label(p
, context
->runtime_directory_mode
);
1712 *exit_status
= EXIT_RUNTIME_DIRECTORY
;
1716 r
= chmod_and_chown(p
, context
->runtime_directory_mode
, uid
, gid
);
1718 *exit_status
= EXIT_RUNTIME_DIRECTORY
;
1724 r
= build_environment(context
, params
, n_fds
, home
, username
, shell
, &our_env
);
1726 *exit_status
= EXIT_MEMORY
;
1730 r
= build_pass_environment(context
, &pass_env
);
1732 *exit_status
= EXIT_MEMORY
;
1736 accum_env
= strv_env_merge(5,
1737 params
->environment
,
1740 context
->environment
,
1744 *exit_status
= EXIT_MEMORY
;
1748 umask(context
->umask
);
1750 if (params
->apply_permissions
&& !command
->privileged
) {
1751 r
= enforce_groups(context
, username
, gid
);
1753 *exit_status
= EXIT_GROUP
;
1757 if (context
->smack_process_label
) {
1758 r
= mac_smack_apply_pid(0, context
->smack_process_label
);
1760 *exit_status
= EXIT_SMACK_PROCESS_LABEL
;
1764 #ifdef SMACK_DEFAULT_PROCESS_LABEL
1766 _cleanup_free_
char *exec_label
= NULL
;
1768 r
= mac_smack_read(command
->path
, SMACK_ATTR_EXEC
, &exec_label
);
1769 if (r
< 0 && r
!= -ENODATA
&& r
!= -EOPNOTSUPP
) {
1770 *exit_status
= EXIT_SMACK_PROCESS_LABEL
;
1774 r
= mac_smack_apply_pid(0, exec_label
? : SMACK_DEFAULT_PROCESS_LABEL
);
1776 *exit_status
= EXIT_SMACK_PROCESS_LABEL
;
1783 if (context
->pam_name
&& username
) {
1784 r
= setup_pam(context
->pam_name
, username
, uid
, context
->tty_path
, &accum_env
, fds
, n_fds
);
1786 *exit_status
= EXIT_PAM
;
1793 if (context
->private_network
&& runtime
&& runtime
->netns_storage_socket
[0] >= 0) {
1794 r
= setup_netns(runtime
->netns_storage_socket
);
1796 *exit_status
= EXIT_NETWORK
;
1801 needs_mount_namespace
= exec_needs_mount_namespace(context
, params
, runtime
);
1803 if (needs_mount_namespace
) {
1804 char *tmp
= NULL
, *var
= NULL
;
1806 /* The runtime struct only contains the parent
1807 * of the private /tmp, which is
1808 * non-accessible to world users. Inside of it
1809 * there's a /tmp that is sticky, and that's
1810 * the one we want to use here. */
1812 if (context
->private_tmp
&& runtime
) {
1813 if (runtime
->tmp_dir
)
1814 tmp
= strjoina(runtime
->tmp_dir
, "/tmp");
1815 if (runtime
->var_tmp_dir
)
1816 var
= strjoina(runtime
->var_tmp_dir
, "/tmp");
1819 r
= setup_namespace(
1820 params
->apply_chroot
? context
->root_directory
: NULL
,
1821 context
->read_write_dirs
,
1822 context
->read_only_dirs
,
1823 context
->inaccessible_dirs
,
1826 context
->private_devices
,
1827 context
->protect_home
,
1828 context
->protect_system
,
1829 context
->mount_flags
);
1831 /* If we couldn't set up the namespace this is
1832 * probably due to a missing capability. In this case,
1833 * silently proceeed. */
1834 if (r
== -EPERM
|| r
== -EACCES
) {
1836 log_unit_debug_errno(unit
, r
, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
1839 *exit_status
= EXIT_NAMESPACE
;
1844 if (context
->working_directory_home
)
1846 else if (context
->working_directory
)
1847 wd
= context
->working_directory
;
1851 if (params
->apply_chroot
) {
1852 if (!needs_mount_namespace
&& context
->root_directory
)
1853 if (chroot(context
->root_directory
) < 0) {
1854 *exit_status
= EXIT_CHROOT
;
1858 if (chdir(wd
) < 0 &&
1859 !context
->working_directory_missing_ok
) {
1860 *exit_status
= EXIT_CHDIR
;
1866 d
= strjoina(strempty(context
->root_directory
), "/", strempty(wd
));
1868 !context
->working_directory_missing_ok
) {
1869 *exit_status
= EXIT_CHDIR
;
1875 if (params
->apply_permissions
&& mac_selinux_use() && params
->selinux_context_net
&& socket_fd
>= 0 && !command
->privileged
) {
1876 r
= mac_selinux_get_child_mls_label(socket_fd
, command
->path
, context
->selinux_context
, &mac_selinux_context_net
);
1878 *exit_status
= EXIT_SELINUX_CONTEXT
;
1884 /* We repeat the fd closing here, to make sure that
1885 * nothing is leaked from the PAM modules. Note that
1886 * we are more aggressive this time since socket_fd
1887 * and the netns fds we don't need anymore. The custom
1888 * endpoint fd was needed to upload the policy and can
1889 * now be closed as well. */
1890 r
= close_all_fds(fds
, n_fds
);
1892 r
= shift_fds(fds
, n_fds
);
1894 r
= flags_fds(fds
, n_fds
, context
->non_blocking
);
1896 *exit_status
= EXIT_FDS
;
1900 if (params
->apply_permissions
&& !command
->privileged
) {
1902 bool use_address_families
= context
->address_families_whitelist
||
1903 !set_isempty(context
->address_families
);
1904 bool use_syscall_filter
= context
->syscall_whitelist
||
1905 !set_isempty(context
->syscall_filter
) ||
1906 !set_isempty(context
->syscall_archs
);
1907 int secure_bits
= context
->secure_bits
;
1909 for (i
= 0; i
< _RLIMIT_MAX
; i
++) {
1910 if (!context
->rlimit
[i
])
1913 if (setrlimit_closest(i
, context
->rlimit
[i
]) < 0) {
1914 *exit_status
= EXIT_LIMITS
;
1919 if (!cap_test_all(context
->capability_bounding_set
)) {
1920 r
= capability_bounding_set_drop(context
->capability_bounding_set
, false);
1922 *exit_status
= EXIT_CAPABILITIES
;
1927 /* This is done before enforce_user, but ambient set
1928 * does not survive over setresuid() if keep_caps is not set. */
1929 if (context
->capability_ambient_set
!= 0) {
1930 r
= capability_ambient_set_apply(context
->capability_ambient_set
, true);
1932 *exit_status
= EXIT_CAPABILITIES
;
1937 if (context
->user
) {
1938 r
= enforce_user(context
, uid
);
1940 *exit_status
= EXIT_USER
;
1943 if (context
->capability_ambient_set
!= 0) {
1945 /* Fix the ambient capabilities after user change. */
1946 r
= capability_ambient_set_apply(context
->capability_ambient_set
, false);
1948 *exit_status
= EXIT_CAPABILITIES
;
1952 /* If we were asked to change user and ambient capabilities
1953 * were requested, we had to add keep-caps to the securebits
1954 * so that we would maintain the inherited capability set
1955 * through the setresuid(). Make sure that the bit is added
1956 * also to the context secure_bits so that we don't try to
1957 * drop the bit away next. */
1959 secure_bits
|= 1<<SECURE_KEEP_CAPS
;
1963 /* PR_GET_SECUREBITS is not privileged, while
1964 * PR_SET_SECUREBITS is. So to suppress
1965 * potential EPERMs we'll try not to call
1966 * PR_SET_SECUREBITS unless necessary. */
1967 if (prctl(PR_GET_SECUREBITS
) != secure_bits
)
1968 if (prctl(PR_SET_SECUREBITS
, secure_bits
) < 0) {
1969 *exit_status
= EXIT_SECUREBITS
;
1973 if (context
->no_new_privileges
||
1974 (!have_effective_cap(CAP_SYS_ADMIN
) && (use_address_families
|| use_syscall_filter
)))
1975 if (prctl(PR_SET_NO_NEW_PRIVS
, 1, 0, 0, 0) < 0) {
1976 *exit_status
= EXIT_NO_NEW_PRIVILEGES
;
1981 if (use_address_families
) {
1982 r
= apply_address_families(context
);
1984 *exit_status
= EXIT_ADDRESS_FAMILIES
;
1989 if (context
->memory_deny_write_execute
) {
1990 r
= apply_memory_deny_write_execute(context
);
1992 *exit_status
= EXIT_SECCOMP
;
1996 if (use_syscall_filter
) {
1997 r
= apply_seccomp(context
);
1999 *exit_status
= EXIT_SECCOMP
;
2006 if (mac_selinux_use()) {
2007 char *exec_context
= mac_selinux_context_net
?: context
->selinux_context
;
2010 r
= setexeccon(exec_context
);
2012 *exit_status
= EXIT_SELINUX_CONTEXT
;
2019 #ifdef HAVE_APPARMOR
2020 if (context
->apparmor_profile
&& mac_apparmor_use()) {
2021 r
= aa_change_onexec(context
->apparmor_profile
);
2022 if (r
< 0 && !context
->apparmor_profile_ignore
) {
2023 *exit_status
= EXIT_APPARMOR_PROFILE
;
2030 final_argv
= replace_env_argv(argv
, accum_env
);
2032 *exit_status
= EXIT_MEMORY
;
2036 accum_env
= strv_env_clean(accum_env
);
2038 if (_unlikely_(log_get_max_level() >= LOG_DEBUG
)) {
2039 _cleanup_free_
char *line
;
2041 line
= exec_command_line(final_argv
);
2044 log_struct(LOG_DEBUG
,
2046 "EXECUTABLE=%s", command
->path
,
2047 LOG_UNIT_MESSAGE(unit
, "Executing: %s", line
),
2053 execve(command
->path
, final_argv
, accum_env
);
2054 *exit_status
= EXIT_EXEC
;
2058 int exec_spawn(Unit
*unit
,
2059 ExecCommand
*command
,
2060 const ExecContext
*context
,
2061 const ExecParameters
*params
,
2062 ExecRuntime
*runtime
,
2065 _cleanup_strv_free_
char **files_env
= NULL
;
2066 int *fds
= NULL
; unsigned n_fds
= 0;
2067 _cleanup_free_
char *line
= NULL
;
2077 assert(params
->fds
|| params
->n_fds
<= 0);
2079 if (context
->std_input
== EXEC_INPUT_SOCKET
||
2080 context
->std_output
== EXEC_OUTPUT_SOCKET
||
2081 context
->std_error
== EXEC_OUTPUT_SOCKET
) {
2083 if (params
->n_fds
!= 1) {
2084 log_unit_error(unit
, "Got more than one socket.");
2088 socket_fd
= params
->fds
[0];
2092 n_fds
= params
->n_fds
;
2095 r
= exec_context_load_environment(unit
, context
, &files_env
);
2097 return log_unit_error_errno(unit
, r
, "Failed to load environment files: %m");
2099 argv
= params
->argv
?: command
->argv
;
2100 line
= exec_command_line(argv
);
2104 log_struct(LOG_DEBUG
,
2106 LOG_UNIT_MESSAGE(unit
, "About to execute: %s", line
),
2107 "EXECUTABLE=%s", command
->path
,
2111 return log_unit_error_errno(unit
, errno
, "Failed to fork: %m");
2116 r
= exec_child(unit
,
2128 log_struct_errno(LOG_ERR
, r
,
2129 LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED
),
2131 LOG_UNIT_MESSAGE(unit
, "Failed at step %s spawning %s: %m",
2132 exit_status_to_string(exit_status
, EXIT_STATUS_SYSTEMD
),
2134 "EXECUTABLE=%s", command
->path
,
2141 log_unit_debug(unit
, "Forked %s as "PID_FMT
, command
->path
, pid
);
2143 /* We add the new process to the cgroup both in the child (so
2144 * that we can be sure that no user code is ever executed
2145 * outside of the cgroup) and in the parent (so that we can be
2146 * sure that when we kill the cgroup the process will be
2148 if (params
->cgroup_path
)
2149 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER
, params
->cgroup_path
, pid
);
2151 exec_status_start(&command
->exec_status
, pid
);
2157 void exec_context_init(ExecContext
*c
) {
2161 c
->ioprio
= IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE
, 0);
2162 c
->cpu_sched_policy
= SCHED_OTHER
;
2163 c
->syslog_priority
= LOG_DAEMON
|LOG_INFO
;
2164 c
->syslog_level_prefix
= true;
2165 c
->ignore_sigpipe
= true;
2166 c
->timer_slack_nsec
= NSEC_INFINITY
;
2167 c
->personality
= PERSONALITY_INVALID
;
2168 c
->runtime_directory_mode
= 0755;
2169 c
->capability_bounding_set
= CAP_ALL
;
2172 void exec_context_done(ExecContext
*c
) {
2177 c
->environment
= strv_free(c
->environment
);
2178 c
->environment_files
= strv_free(c
->environment_files
);
2179 c
->pass_environment
= strv_free(c
->pass_environment
);
2181 for (l
= 0; l
< ELEMENTSOF(c
->rlimit
); l
++)
2182 c
->rlimit
[l
] = mfree(c
->rlimit
[l
]);
2184 c
->working_directory
= mfree(c
->working_directory
);
2185 c
->root_directory
= mfree(c
->root_directory
);
2186 c
->tty_path
= mfree(c
->tty_path
);
2187 c
->syslog_identifier
= mfree(c
->syslog_identifier
);
2188 c
->user
= mfree(c
->user
);
2189 c
->group
= mfree(c
->group
);
2191 c
->supplementary_groups
= strv_free(c
->supplementary_groups
);
2193 c
->pam_name
= mfree(c
->pam_name
);
2195 c
->read_only_dirs
= strv_free(c
->read_only_dirs
);
2196 c
->read_write_dirs
= strv_free(c
->read_write_dirs
);
2197 c
->inaccessible_dirs
= strv_free(c
->inaccessible_dirs
);
2200 CPU_FREE(c
->cpuset
);
2202 c
->utmp_id
= mfree(c
->utmp_id
);
2203 c
->selinux_context
= mfree(c
->selinux_context
);
2204 c
->apparmor_profile
= mfree(c
->apparmor_profile
);
2206 c
->syscall_filter
= set_free(c
->syscall_filter
);
2207 c
->syscall_archs
= set_free(c
->syscall_archs
);
2208 c
->address_families
= set_free(c
->address_families
);
2210 c
->runtime_directory
= strv_free(c
->runtime_directory
);
2213 int exec_context_destroy_runtime_directory(ExecContext
*c
, const char *runtime_prefix
) {
2218 if (!runtime_prefix
)
2221 STRV_FOREACH(i
, c
->runtime_directory
) {
2222 _cleanup_free_
char *p
;
2224 p
= strjoin(runtime_prefix
, "/", *i
, NULL
);
2228 /* We execute this synchronously, since we need to be
2229 * sure this is gone when we start the service
2231 (void) rm_rf(p
, REMOVE_ROOT
);
2237 void exec_command_done(ExecCommand
*c
) {
2240 c
->path
= mfree(c
->path
);
2242 c
->argv
= strv_free(c
->argv
);
2245 void exec_command_done_array(ExecCommand
*c
, unsigned n
) {
2248 for (i
= 0; i
< n
; i
++)
2249 exec_command_done(c
+i
);
2252 ExecCommand
* exec_command_free_list(ExecCommand
*c
) {
2256 LIST_REMOVE(command
, c
, i
);
2257 exec_command_done(i
);
2264 void exec_command_free_array(ExecCommand
**c
, unsigned n
) {
2267 for (i
= 0; i
< n
; i
++)
2268 c
[i
] = exec_command_free_list(c
[i
]);
2271 typedef struct InvalidEnvInfo
{
2276 static void invalid_env(const char *p
, void *userdata
) {
2277 InvalidEnvInfo
*info
= userdata
;
2279 log_unit_error(info
->unit
, "Ignoring invalid environment assignment '%s': %s", p
, info
->path
);
2282 int exec_context_load_environment(Unit
*unit
, const ExecContext
*c
, char ***l
) {
2283 char **i
, **r
= NULL
;
2288 STRV_FOREACH(i
, c
->environment_files
) {
2291 bool ignore
= false;
2293 _cleanup_globfree_ glob_t pglob
= {};
2303 if (!path_is_absolute(fn
)) {
2311 /* Filename supports globbing, take all matching files */
2313 if (glob(fn
, 0, NULL
, &pglob
) != 0) {
2318 return errno
> 0 ? -errno
: -EINVAL
;
2320 count
= pglob
.gl_pathc
;
2328 for (n
= 0; n
< count
; n
++) {
2329 k
= load_env_file(NULL
, pglob
.gl_pathv
[n
], NULL
, &p
);
2337 /* Log invalid environment variables with filename */
2339 InvalidEnvInfo info
= {
2341 .path
= pglob
.gl_pathv
[n
]
2344 p
= strv_env_clean_with_callback(p
, invalid_env
, &info
);
2352 m
= strv_env_merge(2, r
, p
);
2368 static bool tty_may_match_dev_console(const char *tty
) {
2369 _cleanup_free_
char *active
= NULL
;
2375 if (startswith(tty
, "/dev/"))
2378 /* trivial identity? */
2379 if (streq(tty
, "console"))
2382 console
= resolve_dev_console(&active
);
2383 /* if we could not resolve, assume it may */
2387 /* "tty0" means the active VC, so it may be the same sometimes */
2388 return streq(console
, tty
) || (streq(console
, "tty0") && tty_is_vc(tty
));
2391 bool exec_context_may_touch_console(ExecContext
*ec
) {
2393 return (ec
->tty_reset
||
2395 ec
->tty_vt_disallocate
||
2396 is_terminal_input(ec
->std_input
) ||
2397 is_terminal_output(ec
->std_output
) ||
2398 is_terminal_output(ec
->std_error
)) &&
2399 tty_may_match_dev_console(exec_context_tty_path(ec
));
2402 static void strv_fprintf(FILE *f
, char **l
) {
2408 fprintf(f
, " %s", *g
);
2411 void exec_context_dump(ExecContext
*c
, FILE* f
, const char *prefix
) {
2418 prefix
= strempty(prefix
);
2422 "%sWorkingDirectory: %s\n"
2423 "%sRootDirectory: %s\n"
2424 "%sNonBlocking: %s\n"
2425 "%sPrivateTmp: %s\n"
2426 "%sPrivateNetwork: %s\n"
2427 "%sPrivateDevices: %s\n"
2428 "%sProtectHome: %s\n"
2429 "%sProtectSystem: %s\n"
2430 "%sIgnoreSIGPIPE: %s\n"
2431 "%sMemoryDenyWriteExecute: %s\n",
2433 prefix
, c
->working_directory
? c
->working_directory
: "/",
2434 prefix
, c
->root_directory
? c
->root_directory
: "/",
2435 prefix
, yes_no(c
->non_blocking
),
2436 prefix
, yes_no(c
->private_tmp
),
2437 prefix
, yes_no(c
->private_network
),
2438 prefix
, yes_no(c
->private_devices
),
2439 prefix
, protect_home_to_string(c
->protect_home
),
2440 prefix
, protect_system_to_string(c
->protect_system
),
2441 prefix
, yes_no(c
->ignore_sigpipe
),
2442 prefix
, yes_no(c
->memory_deny_write_execute
));
2444 STRV_FOREACH(e
, c
->environment
)
2445 fprintf(f
, "%sEnvironment: %s\n", prefix
, *e
);
2447 STRV_FOREACH(e
, c
->environment_files
)
2448 fprintf(f
, "%sEnvironmentFile: %s\n", prefix
, *e
);
2450 STRV_FOREACH(e
, c
->pass_environment
)
2451 fprintf(f
, "%sPassEnvironment: %s\n", prefix
, *e
);
2453 fprintf(f
, "%sRuntimeDirectoryMode: %04o\n", prefix
, c
->runtime_directory_mode
);
2455 STRV_FOREACH(d
, c
->runtime_directory
)
2456 fprintf(f
, "%sRuntimeDirectory: %s\n", prefix
, *d
);
2463 if (c
->oom_score_adjust_set
)
2465 "%sOOMScoreAdjust: %i\n",
2466 prefix
, c
->oom_score_adjust
);
2468 for (i
= 0; i
< RLIM_NLIMITS
; i
++)
2470 fprintf(f
, "%s%s: " RLIM_FMT
"\n",
2471 prefix
, rlimit_to_string(i
), c
->rlimit
[i
]->rlim_max
);
2472 fprintf(f
, "%s%sSoft: " RLIM_FMT
"\n",
2473 prefix
, rlimit_to_string(i
), c
->rlimit
[i
]->rlim_cur
);
2476 if (c
->ioprio_set
) {
2477 _cleanup_free_
char *class_str
= NULL
;
2479 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c
->ioprio
), &class_str
);
2481 "%sIOSchedulingClass: %s\n"
2482 "%sIOPriority: %i\n",
2483 prefix
, strna(class_str
),
2484 prefix
, (int) IOPRIO_PRIO_DATA(c
->ioprio
));
2487 if (c
->cpu_sched_set
) {
2488 _cleanup_free_
char *policy_str
= NULL
;
2490 sched_policy_to_string_alloc(c
->cpu_sched_policy
, &policy_str
);
2492 "%sCPUSchedulingPolicy: %s\n"
2493 "%sCPUSchedulingPriority: %i\n"
2494 "%sCPUSchedulingResetOnFork: %s\n",
2495 prefix
, strna(policy_str
),
2496 prefix
, c
->cpu_sched_priority
,
2497 prefix
, yes_no(c
->cpu_sched_reset_on_fork
));
2501 fprintf(f
, "%sCPUAffinity:", prefix
);
2502 for (i
= 0; i
< c
->cpuset_ncpus
; i
++)
2503 if (CPU_ISSET_S(i
, CPU_ALLOC_SIZE(c
->cpuset_ncpus
), c
->cpuset
))
2504 fprintf(f
, " %u", i
);
2508 if (c
->timer_slack_nsec
!= NSEC_INFINITY
)
2509 fprintf(f
, "%sTimerSlackNSec: "NSEC_FMT
"\n", prefix
, c
->timer_slack_nsec
);
2512 "%sStandardInput: %s\n"
2513 "%sStandardOutput: %s\n"
2514 "%sStandardError: %s\n",
2515 prefix
, exec_input_to_string(c
->std_input
),
2516 prefix
, exec_output_to_string(c
->std_output
),
2517 prefix
, exec_output_to_string(c
->std_error
));
2523 "%sTTYVHangup: %s\n"
2524 "%sTTYVTDisallocate: %s\n",
2525 prefix
, c
->tty_path
,
2526 prefix
, yes_no(c
->tty_reset
),
2527 prefix
, yes_no(c
->tty_vhangup
),
2528 prefix
, yes_no(c
->tty_vt_disallocate
));
2530 if (c
->std_output
== EXEC_OUTPUT_SYSLOG
||
2531 c
->std_output
== EXEC_OUTPUT_KMSG
||
2532 c
->std_output
== EXEC_OUTPUT_JOURNAL
||
2533 c
->std_output
== EXEC_OUTPUT_SYSLOG_AND_CONSOLE
||
2534 c
->std_output
== EXEC_OUTPUT_KMSG_AND_CONSOLE
||
2535 c
->std_output
== EXEC_OUTPUT_JOURNAL_AND_CONSOLE
||
2536 c
->std_error
== EXEC_OUTPUT_SYSLOG
||
2537 c
->std_error
== EXEC_OUTPUT_KMSG
||
2538 c
->std_error
== EXEC_OUTPUT_JOURNAL
||
2539 c
->std_error
== EXEC_OUTPUT_SYSLOG_AND_CONSOLE
||
2540 c
->std_error
== EXEC_OUTPUT_KMSG_AND_CONSOLE
||
2541 c
->std_error
== EXEC_OUTPUT_JOURNAL_AND_CONSOLE
) {
2543 _cleanup_free_
char *fac_str
= NULL
, *lvl_str
= NULL
;
2545 log_facility_unshifted_to_string_alloc(c
->syslog_priority
>> 3, &fac_str
);
2546 log_level_to_string_alloc(LOG_PRI(c
->syslog_priority
), &lvl_str
);
2549 "%sSyslogFacility: %s\n"
2550 "%sSyslogLevel: %s\n",
2551 prefix
, strna(fac_str
),
2552 prefix
, strna(lvl_str
));
2556 fprintf(f
, "%sSecure Bits:%s%s%s%s%s%s\n",
2558 (c
->secure_bits
& 1<<SECURE_KEEP_CAPS
) ? " keep-caps" : "",
2559 (c
->secure_bits
& 1<<SECURE_KEEP_CAPS_LOCKED
) ? " keep-caps-locked" : "",
2560 (c
->secure_bits
& 1<<SECURE_NO_SETUID_FIXUP
) ? " no-setuid-fixup" : "",
2561 (c
->secure_bits
& 1<<SECURE_NO_SETUID_FIXUP_LOCKED
) ? " no-setuid-fixup-locked" : "",
2562 (c
->secure_bits
& 1<<SECURE_NOROOT
) ? " noroot" : "",
2563 (c
->secure_bits
& 1<<SECURE_NOROOT_LOCKED
) ? "noroot-locked" : "");
2565 if (c
->capability_bounding_set
!= CAP_ALL
) {
2567 fprintf(f
, "%sCapabilityBoundingSet:", prefix
);
2569 for (l
= 0; l
<= cap_last_cap(); l
++)
2570 if (c
->capability_bounding_set
& (UINT64_C(1) << l
))
2571 fprintf(f
, " %s", strna(capability_to_name(l
)));
2576 if (c
->capability_ambient_set
!= 0) {
2578 fprintf(f
, "%sAmbientCapabilities:", prefix
);
2580 for (l
= 0; l
<= cap_last_cap(); l
++)
2581 if (c
->capability_ambient_set
& (UINT64_C(1) << l
))
2582 fprintf(f
, " %s", strna(capability_to_name(l
)));
2588 fprintf(f
, "%sUser: %s\n", prefix
, c
->user
);
2590 fprintf(f
, "%sGroup: %s\n", prefix
, c
->group
);
2592 if (strv_length(c
->supplementary_groups
) > 0) {
2593 fprintf(f
, "%sSupplementaryGroups:", prefix
);
2594 strv_fprintf(f
, c
->supplementary_groups
);
2599 fprintf(f
, "%sPAMName: %s\n", prefix
, c
->pam_name
);
2601 if (strv_length(c
->read_write_dirs
) > 0) {
2602 fprintf(f
, "%sReadWriteDirs:", prefix
);
2603 strv_fprintf(f
, c
->read_write_dirs
);
2607 if (strv_length(c
->read_only_dirs
) > 0) {
2608 fprintf(f
, "%sReadOnlyDirs:", prefix
);
2609 strv_fprintf(f
, c
->read_only_dirs
);
2613 if (strv_length(c
->inaccessible_dirs
) > 0) {
2614 fprintf(f
, "%sInaccessibleDirs:", prefix
);
2615 strv_fprintf(f
, c
->inaccessible_dirs
);
2621 "%sUtmpIdentifier: %s\n",
2622 prefix
, c
->utmp_id
);
2624 if (c
->selinux_context
)
2626 "%sSELinuxContext: %s%s\n",
2627 prefix
, c
->selinux_context_ignore
? "-" : "", c
->selinux_context
);
2629 if (c
->personality
!= PERSONALITY_INVALID
)
2631 "%sPersonality: %s\n",
2632 prefix
, strna(personality_to_string(c
->personality
)));
2634 if (c
->syscall_filter
) {
2642 "%sSystemCallFilter: ",
2645 if (!c
->syscall_whitelist
)
2649 SET_FOREACH(id
, c
->syscall_filter
, j
) {
2650 _cleanup_free_
char *name
= NULL
;
2657 name
= seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE
, PTR_TO_INT(id
) - 1);
2658 fputs(strna(name
), f
);
2665 if (c
->syscall_archs
) {
2672 "%sSystemCallArchitectures:",
2676 SET_FOREACH(id
, c
->syscall_archs
, j
)
2677 fprintf(f
, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id
) - 1)));
2682 if (c
->syscall_errno
> 0)
2684 "%sSystemCallErrorNumber: %s\n",
2685 prefix
, strna(errno_to_name(c
->syscall_errno
)));
2687 if (c
->apparmor_profile
)
2689 "%sAppArmorProfile: %s%s\n",
2690 prefix
, c
->apparmor_profile_ignore
? "-" : "", c
->apparmor_profile
);
2693 bool exec_context_maintains_privileges(ExecContext
*c
) {
2696 /* Returns true if the process forked off would run run under
2697 * an unchanged UID or as root. */
2702 if (streq(c
->user
, "root") || streq(c
->user
, "0"))
2708 void exec_status_start(ExecStatus
*s
, pid_t pid
) {
2713 dual_timestamp_get(&s
->start_timestamp
);
2716 void exec_status_exit(ExecStatus
*s
, ExecContext
*context
, pid_t pid
, int code
, int status
) {
2719 if (s
->pid
&& s
->pid
!= pid
)
2723 dual_timestamp_get(&s
->exit_timestamp
);
2729 if (context
->utmp_id
)
2730 utmp_put_dead_process(context
->utmp_id
, pid
, code
, status
);
2732 exec_context_tty_reset(context
, NULL
);
2736 void exec_status_dump(ExecStatus
*s
, FILE *f
, const char *prefix
) {
2737 char buf
[FORMAT_TIMESTAMP_MAX
];
2745 prefix
= strempty(prefix
);
2748 "%sPID: "PID_FMT
"\n",
2751 if (s
->start_timestamp
.realtime
> 0)
2753 "%sStart Timestamp: %s\n",
2754 prefix
, format_timestamp(buf
, sizeof(buf
), s
->start_timestamp
.realtime
));
2756 if (s
->exit_timestamp
.realtime
> 0)
2758 "%sExit Timestamp: %s\n"
2760 "%sExit Status: %i\n",
2761 prefix
, format_timestamp(buf
, sizeof(buf
), s
->exit_timestamp
.realtime
),
2762 prefix
, sigchld_code_to_string(s
->code
),
2766 char *exec_command_line(char **argv
) {
2774 STRV_FOREACH(a
, argv
)
2777 if (!(n
= new(char, k
)))
2781 STRV_FOREACH(a
, argv
) {
2788 if (strpbrk(*a
, WHITESPACE
)) {
2799 /* FIXME: this doesn't really handle arguments that have
2800 * spaces and ticks in them */
2805 void exec_command_dump(ExecCommand
*c
, FILE *f
, const char *prefix
) {
2806 _cleanup_free_
char *cmd
= NULL
;
2807 const char *prefix2
;
2812 prefix
= strempty(prefix
);
2813 prefix2
= strjoina(prefix
, "\t");
2815 cmd
= exec_command_line(c
->argv
);
2817 "%sCommand Line: %s\n",
2818 prefix
, cmd
? cmd
: strerror(ENOMEM
));
2820 exec_status_dump(&c
->exec_status
, f
, prefix2
);
2823 void exec_command_dump_list(ExecCommand
*c
, FILE *f
, const char *prefix
) {
2826 prefix
= strempty(prefix
);
2828 LIST_FOREACH(command
, c
, c
)
2829 exec_command_dump(c
, f
, prefix
);
2832 void exec_command_append_list(ExecCommand
**l
, ExecCommand
*e
) {
2839 /* It's kind of important, that we keep the order here */
2840 LIST_FIND_TAIL(command
, *l
, end
);
2841 LIST_INSERT_AFTER(command
, *l
, end
, e
);
2846 int exec_command_set(ExecCommand
*c
, const char *path
, ...) {
2854 l
= strv_new_ap(path
, ap
);
2875 int exec_command_append(ExecCommand
*c
, const char *path
, ...) {
2876 _cleanup_strv_free_
char **l
= NULL
;
2884 l
= strv_new_ap(path
, ap
);
2890 r
= strv_extend_strv(&c
->argv
, l
, false);
2898 static int exec_runtime_allocate(ExecRuntime
**rt
) {
2903 *rt
= new0(ExecRuntime
, 1);
2908 (*rt
)->netns_storage_socket
[0] = (*rt
)->netns_storage_socket
[1] = -1;
2913 int exec_runtime_make(ExecRuntime
**rt
, ExecContext
*c
, const char *id
) {
2923 if (!c
->private_network
&& !c
->private_tmp
)
2926 r
= exec_runtime_allocate(rt
);
2930 if (c
->private_network
&& (*rt
)->netns_storage_socket
[0] < 0) {
2931 if (socketpair(AF_UNIX
, SOCK_DGRAM
, 0, (*rt
)->netns_storage_socket
) < 0)
2935 if (c
->private_tmp
&& !(*rt
)->tmp_dir
) {
2936 r
= setup_tmp_dirs(id
, &(*rt
)->tmp_dir
, &(*rt
)->var_tmp_dir
);
2944 ExecRuntime
*exec_runtime_ref(ExecRuntime
*r
) {
2946 assert(r
->n_ref
> 0);
2952 ExecRuntime
*exec_runtime_unref(ExecRuntime
*r
) {
2957 assert(r
->n_ref
> 0);
2964 free(r
->var_tmp_dir
);
2965 safe_close_pair(r
->netns_storage_socket
);
2971 int exec_runtime_serialize(Unit
*u
, ExecRuntime
*rt
, FILE *f
, FDSet
*fds
) {
2980 unit_serialize_item(u
, f
, "tmp-dir", rt
->tmp_dir
);
2982 if (rt
->var_tmp_dir
)
2983 unit_serialize_item(u
, f
, "var-tmp-dir", rt
->var_tmp_dir
);
2985 if (rt
->netns_storage_socket
[0] >= 0) {
2988 copy
= fdset_put_dup(fds
, rt
->netns_storage_socket
[0]);
2992 unit_serialize_item_format(u
, f
, "netns-socket-0", "%i", copy
);
2995 if (rt
->netns_storage_socket
[1] >= 0) {
2998 copy
= fdset_put_dup(fds
, rt
->netns_storage_socket
[1]);
3002 unit_serialize_item_format(u
, f
, "netns-socket-1", "%i", copy
);
3008 int exec_runtime_deserialize_item(Unit
*u
, ExecRuntime
**rt
, const char *key
, const char *value
, FDSet
*fds
) {
3015 if (streq(key
, "tmp-dir")) {
3018 r
= exec_runtime_allocate(rt
);
3022 copy
= strdup(value
);
3026 free((*rt
)->tmp_dir
);
3027 (*rt
)->tmp_dir
= copy
;
3029 } else if (streq(key
, "var-tmp-dir")) {
3032 r
= exec_runtime_allocate(rt
);
3036 copy
= strdup(value
);
3040 free((*rt
)->var_tmp_dir
);
3041 (*rt
)->var_tmp_dir
= copy
;
3043 } else if (streq(key
, "netns-socket-0")) {
3046 r
= exec_runtime_allocate(rt
);
3050 if (safe_atoi(value
, &fd
) < 0 || !fdset_contains(fds
, fd
))
3051 log_unit_debug(u
, "Failed to parse netns socket value: %s", value
);
3053 safe_close((*rt
)->netns_storage_socket
[0]);
3054 (*rt
)->netns_storage_socket
[0] = fdset_remove(fds
, fd
);
3056 } else if (streq(key
, "netns-socket-1")) {
3059 r
= exec_runtime_allocate(rt
);
3063 if (safe_atoi(value
, &fd
) < 0 || !fdset_contains(fds
, fd
))
3064 log_unit_debug(u
, "Failed to parse netns socket value: %s", value
);
3066 safe_close((*rt
)->netns_storage_socket
[1]);
3067 (*rt
)->netns_storage_socket
[1] = fdset_remove(fds
, fd
);
3075 static void *remove_tmpdir_thread(void *p
) {
3076 _cleanup_free_
char *path
= p
;
3078 (void) rm_rf(path
, REMOVE_ROOT
|REMOVE_PHYSICAL
);
3082 void exec_runtime_destroy(ExecRuntime
*rt
) {
3088 /* If there are multiple users of this, let's leave the stuff around */
3093 log_debug("Spawning thread to nuke %s", rt
->tmp_dir
);
3095 r
= asynchronous_job(remove_tmpdir_thread
, rt
->tmp_dir
);
3097 log_warning_errno(r
, "Failed to nuke %s: %m", rt
->tmp_dir
);
3104 if (rt
->var_tmp_dir
) {
3105 log_debug("Spawning thread to nuke %s", rt
->var_tmp_dir
);
3107 r
= asynchronous_job(remove_tmpdir_thread
, rt
->var_tmp_dir
);
3109 log_warning_errno(r
, "Failed to nuke %s: %m", rt
->var_tmp_dir
);
3110 free(rt
->var_tmp_dir
);
3113 rt
->var_tmp_dir
= NULL
;
3116 safe_close_pair(rt
->netns_storage_socket
);
3119 static const char* const exec_input_table
[_EXEC_INPUT_MAX
] = {
3120 [EXEC_INPUT_NULL
] = "null",
3121 [EXEC_INPUT_TTY
] = "tty",
3122 [EXEC_INPUT_TTY_FORCE
] = "tty-force",
3123 [EXEC_INPUT_TTY_FAIL
] = "tty-fail",
3124 [EXEC_INPUT_SOCKET
] = "socket"
3127 DEFINE_STRING_TABLE_LOOKUP(exec_input
, ExecInput
);
3129 static const char* const exec_output_table
[_EXEC_OUTPUT_MAX
] = {
3130 [EXEC_OUTPUT_INHERIT
] = "inherit",
3131 [EXEC_OUTPUT_NULL
] = "null",
3132 [EXEC_OUTPUT_TTY
] = "tty",
3133 [EXEC_OUTPUT_SYSLOG
] = "syslog",
3134 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE
] = "syslog+console",
3135 [EXEC_OUTPUT_KMSG
] = "kmsg",
3136 [EXEC_OUTPUT_KMSG_AND_CONSOLE
] = "kmsg+console",
3137 [EXEC_OUTPUT_JOURNAL
] = "journal",
3138 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE
] = "journal+console",
3139 [EXEC_OUTPUT_SOCKET
] = "socket"
3142 DEFINE_STRING_TABLE_LOOKUP(exec_output
, ExecOutput
);
3144 static const char* const exec_utmp_mode_table
[_EXEC_UTMP_MODE_MAX
] = {
3145 [EXEC_UTMP_INIT
] = "init",
3146 [EXEC_UTMP_LOGIN
] = "login",
3147 [EXEC_UTMP_USER
] = "user",
3150 DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode
, ExecUtmpMode
);