]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/execute.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
core: lets apply working directory just after mount namespaces
[thirdparty/systemd.git] / src / core / execute.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <errno.h>
21 #include <fcntl.h>
22 #include <glob.h>
23 #include <grp.h>
24 #include <poll.h>
25 #include <signal.h>
26 #include <string.h>
27 #include <sys/capability.h>
28 #include <sys/eventfd.h>
29 #include <sys/mman.h>
30 #include <sys/personality.h>
31 #include <sys/prctl.h>
32 #include <sys/socket.h>
33 #include <sys/stat.h>
34 #include <sys/un.h>
35 #include <unistd.h>
36 #include <utmpx.h>
37
38 #ifdef HAVE_PAM
39 #include <security/pam_appl.h>
40 #endif
41
42 #ifdef HAVE_SELINUX
43 #include <selinux/selinux.h>
44 #endif
45
46 #ifdef HAVE_SECCOMP
47 #include <seccomp.h>
48 #endif
49
50 #ifdef HAVE_APPARMOR
51 #include <sys/apparmor.h>
52 #endif
53
54 #include "sd-messages.h"
55
56 #include "af-list.h"
57 #include "alloc-util.h"
58 #ifdef HAVE_APPARMOR
59 #include "apparmor-util.h"
60 #endif
61 #include "async.h"
62 #include "barrier.h"
63 #include "cap-list.h"
64 #include "capability-util.h"
65 #include "def.h"
66 #include "env-util.h"
67 #include "errno-list.h"
68 #include "execute.h"
69 #include "exit-status.h"
70 #include "fd-util.h"
71 #include "fileio.h"
72 #include "formats-util.h"
73 #include "fs-util.h"
74 #include "glob-util.h"
75 #include "io-util.h"
76 #include "ioprio.h"
77 #include "log.h"
78 #include "macro.h"
79 #include "missing.h"
80 #include "mkdir.h"
81 #include "namespace.h"
82 #include "parse-util.h"
83 #include "path-util.h"
84 #include "process-util.h"
85 #include "rlimit-util.h"
86 #include "rm-rf.h"
87 #ifdef HAVE_SECCOMP
88 #include "seccomp-util.h"
89 #endif
90 #include "securebits.h"
91 #include "selinux-util.h"
92 #include "signal-util.h"
93 #include "smack-util.h"
94 #include "special.h"
95 #include "string-table.h"
96 #include "string-util.h"
97 #include "strv.h"
98 #include "syslog-util.h"
99 #include "terminal-util.h"
100 #include "unit.h"
101 #include "user-util.h"
102 #include "util.h"
103 #include "utmp-wtmp.h"
104
105 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
106 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
107
108 /* This assumes there is a 'tty' group */
109 #define TTY_MODE 0620
110
111 #define SNDBUF_SIZE (8*1024*1024)
112
113 static int shift_fds(int fds[], unsigned n_fds) {
114 int start, restart_from;
115
116 if (n_fds <= 0)
117 return 0;
118
119 /* Modifies the fds array! (sorts it) */
120
121 assert(fds);
122
123 start = 0;
124 for (;;) {
125 int i;
126
127 restart_from = -1;
128
129 for (i = start; i < (int) n_fds; i++) {
130 int nfd;
131
132 /* Already at right index? */
133 if (fds[i] == i+3)
134 continue;
135
136 nfd = fcntl(fds[i], F_DUPFD, i + 3);
137 if (nfd < 0)
138 return -errno;
139
140 safe_close(fds[i]);
141 fds[i] = nfd;
142
143 /* Hmm, the fd we wanted isn't free? Then
144 * let's remember that and try again from here */
145 if (nfd != i+3 && restart_from < 0)
146 restart_from = i;
147 }
148
149 if (restart_from < 0)
150 break;
151
152 start = restart_from;
153 }
154
155 return 0;
156 }
157
158 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
159 unsigned i;
160 int r;
161
162 if (n_fds <= 0)
163 return 0;
164
165 assert(fds);
166
167 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
168
169 for (i = 0; i < n_fds; i++) {
170
171 r = fd_nonblock(fds[i], nonblock);
172 if (r < 0)
173 return r;
174
175 /* We unconditionally drop FD_CLOEXEC from the fds,
176 * since after all we want to pass these fds to our
177 * children */
178
179 r = fd_cloexec(fds[i], false);
180 if (r < 0)
181 return r;
182 }
183
184 return 0;
185 }
186
187 static const char *exec_context_tty_path(const ExecContext *context) {
188 assert(context);
189
190 if (context->stdio_as_fds)
191 return NULL;
192
193 if (context->tty_path)
194 return context->tty_path;
195
196 return "/dev/console";
197 }
198
199 static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
200 const char *path;
201
202 assert(context);
203
204 path = exec_context_tty_path(context);
205
206 if (context->tty_vhangup) {
207 if (p && p->stdin_fd >= 0)
208 (void) terminal_vhangup_fd(p->stdin_fd);
209 else if (path)
210 (void) terminal_vhangup(path);
211 }
212
213 if (context->tty_reset) {
214 if (p && p->stdin_fd >= 0)
215 (void) reset_terminal_fd(p->stdin_fd, true);
216 else if (path)
217 (void) reset_terminal(path);
218 }
219
220 if (context->tty_vt_disallocate && path)
221 (void) vt_disallocate(path);
222 }
223
224 static bool is_terminal_input(ExecInput i) {
225 return IN_SET(i,
226 EXEC_INPUT_TTY,
227 EXEC_INPUT_TTY_FORCE,
228 EXEC_INPUT_TTY_FAIL);
229 }
230
231 static bool is_terminal_output(ExecOutput o) {
232 return IN_SET(o,
233 EXEC_OUTPUT_TTY,
234 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
235 EXEC_OUTPUT_KMSG_AND_CONSOLE,
236 EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
237 }
238
239 static bool exec_context_needs_term(const ExecContext *c) {
240 assert(c);
241
242 /* Return true if the execution context suggests we should set $TERM to something useful. */
243
244 if (is_terminal_input(c->std_input))
245 return true;
246
247 if (is_terminal_output(c->std_output))
248 return true;
249
250 if (is_terminal_output(c->std_error))
251 return true;
252
253 return !!c->tty_path;
254 }
255
256 static int open_null_as(int flags, int nfd) {
257 int fd, r;
258
259 assert(nfd >= 0);
260
261 fd = open("/dev/null", flags|O_NOCTTY);
262 if (fd < 0)
263 return -errno;
264
265 if (fd != nfd) {
266 r = dup2(fd, nfd) < 0 ? -errno : nfd;
267 safe_close(fd);
268 } else
269 r = nfd;
270
271 return r;
272 }
273
274 static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
275 union sockaddr_union sa = {
276 .un.sun_family = AF_UNIX,
277 .un.sun_path = "/run/systemd/journal/stdout",
278 };
279 uid_t olduid = UID_INVALID;
280 gid_t oldgid = GID_INVALID;
281 int r;
282
283 if (gid != GID_INVALID) {
284 oldgid = getgid();
285
286 r = setegid(gid);
287 if (r < 0)
288 return -errno;
289 }
290
291 if (uid != UID_INVALID) {
292 olduid = getuid();
293
294 r = seteuid(uid);
295 if (r < 0) {
296 r = -errno;
297 goto restore_gid;
298 }
299 }
300
301 r = connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
302 if (r < 0)
303 r = -errno;
304
305 /* If we fail to restore the uid or gid, things will likely
306 fail later on. This should only happen if an LSM interferes. */
307
308 if (uid != UID_INVALID)
309 (void) seteuid(olduid);
310
311 restore_gid:
312 if (gid != GID_INVALID)
313 (void) setegid(oldgid);
314
315 return r;
316 }
317
318 static int connect_logger_as(
319 Unit *unit,
320 const ExecContext *context,
321 ExecOutput output,
322 const char *ident,
323 int nfd,
324 uid_t uid,
325 gid_t gid) {
326
327 int fd, r;
328
329 assert(context);
330 assert(output < _EXEC_OUTPUT_MAX);
331 assert(ident);
332 assert(nfd >= 0);
333
334 fd = socket(AF_UNIX, SOCK_STREAM, 0);
335 if (fd < 0)
336 return -errno;
337
338 r = connect_journal_socket(fd, uid, gid);
339 if (r < 0)
340 return r;
341
342 if (shutdown(fd, SHUT_RD) < 0) {
343 safe_close(fd);
344 return -errno;
345 }
346
347 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
348
349 dprintf(fd,
350 "%s\n"
351 "%s\n"
352 "%i\n"
353 "%i\n"
354 "%i\n"
355 "%i\n"
356 "%i\n",
357 context->syslog_identifier ? context->syslog_identifier : ident,
358 unit->id,
359 context->syslog_priority,
360 !!context->syslog_level_prefix,
361 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
362 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
363 is_terminal_output(output));
364
365 if (fd == nfd)
366 return nfd;
367
368 r = dup2(fd, nfd) < 0 ? -errno : nfd;
369 safe_close(fd);
370
371 return r;
372 }
373 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
374 int fd, r;
375
376 assert(path);
377 assert(nfd >= 0);
378
379 fd = open_terminal(path, mode | O_NOCTTY);
380 if (fd < 0)
381 return fd;
382
383 if (fd != nfd) {
384 r = dup2(fd, nfd) < 0 ? -errno : nfd;
385 safe_close(fd);
386 } else
387 r = nfd;
388
389 return r;
390 }
391
392 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
393
394 if (is_terminal_input(std_input) && !apply_tty_stdin)
395 return EXEC_INPUT_NULL;
396
397 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
398 return EXEC_INPUT_NULL;
399
400 return std_input;
401 }
402
403 static int fixup_output(ExecOutput std_output, int socket_fd) {
404
405 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
406 return EXEC_OUTPUT_INHERIT;
407
408 return std_output;
409 }
410
411 static int setup_input(
412 const ExecContext *context,
413 const ExecParameters *params,
414 int socket_fd,
415 int named_iofds[3]) {
416
417 ExecInput i;
418
419 assert(context);
420 assert(params);
421
422 if (params->stdin_fd >= 0) {
423 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
424 return -errno;
425
426 /* Try to make this the controlling tty, if it is a tty, and reset it */
427 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
428 (void) reset_terminal_fd(STDIN_FILENO, true);
429
430 return STDIN_FILENO;
431 }
432
433 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
434
435 switch (i) {
436
437 case EXEC_INPUT_NULL:
438 return open_null_as(O_RDONLY, STDIN_FILENO);
439
440 case EXEC_INPUT_TTY:
441 case EXEC_INPUT_TTY_FORCE:
442 case EXEC_INPUT_TTY_FAIL: {
443 int fd, r;
444
445 fd = acquire_terminal(exec_context_tty_path(context),
446 i == EXEC_INPUT_TTY_FAIL,
447 i == EXEC_INPUT_TTY_FORCE,
448 false,
449 USEC_INFINITY);
450 if (fd < 0)
451 return fd;
452
453 if (fd != STDIN_FILENO) {
454 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
455 safe_close(fd);
456 } else
457 r = STDIN_FILENO;
458
459 return r;
460 }
461
462 case EXEC_INPUT_SOCKET:
463 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
464
465 case EXEC_INPUT_NAMED_FD:
466 (void) fd_nonblock(named_iofds[STDIN_FILENO], false);
467 return dup2(named_iofds[STDIN_FILENO], STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
468
469 default:
470 assert_not_reached("Unknown input type");
471 }
472 }
473
474 static int setup_output(
475 Unit *unit,
476 const ExecContext *context,
477 const ExecParameters *params,
478 int fileno,
479 int socket_fd,
480 int named_iofds[3],
481 const char *ident,
482 uid_t uid,
483 gid_t gid,
484 dev_t *journal_stream_dev,
485 ino_t *journal_stream_ino) {
486
487 ExecOutput o;
488 ExecInput i;
489 int r;
490
491 assert(unit);
492 assert(context);
493 assert(params);
494 assert(ident);
495 assert(journal_stream_dev);
496 assert(journal_stream_ino);
497
498 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
499
500 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
501 return -errno;
502
503 return STDOUT_FILENO;
504 }
505
506 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
507 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
508 return -errno;
509
510 return STDERR_FILENO;
511 }
512
513 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
514 o = fixup_output(context->std_output, socket_fd);
515
516 if (fileno == STDERR_FILENO) {
517 ExecOutput e;
518 e = fixup_output(context->std_error, socket_fd);
519
520 /* This expects the input and output are already set up */
521
522 /* Don't change the stderr file descriptor if we inherit all
523 * the way and are not on a tty */
524 if (e == EXEC_OUTPUT_INHERIT &&
525 o == EXEC_OUTPUT_INHERIT &&
526 i == EXEC_INPUT_NULL &&
527 !is_terminal_input(context->std_input) &&
528 getppid () != 1)
529 return fileno;
530
531 /* Duplicate from stdout if possible */
532 if ((e == o && e != EXEC_OUTPUT_NAMED_FD) || e == EXEC_OUTPUT_INHERIT)
533 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
534
535 o = e;
536
537 } else if (o == EXEC_OUTPUT_INHERIT) {
538 /* If input got downgraded, inherit the original value */
539 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
540 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
541
542 /* If the input is connected to anything that's not a /dev/null, inherit that... */
543 if (i != EXEC_INPUT_NULL)
544 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
545
546 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
547 if (getppid() != 1)
548 return fileno;
549
550 /* We need to open /dev/null here anew, to get the right access mode. */
551 return open_null_as(O_WRONLY, fileno);
552 }
553
554 switch (o) {
555
556 case EXEC_OUTPUT_NULL:
557 return open_null_as(O_WRONLY, fileno);
558
559 case EXEC_OUTPUT_TTY:
560 if (is_terminal_input(i))
561 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
562
563 /* We don't reset the terminal if this is just about output */
564 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
565
566 case EXEC_OUTPUT_SYSLOG:
567 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
568 case EXEC_OUTPUT_KMSG:
569 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
570 case EXEC_OUTPUT_JOURNAL:
571 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
572 r = connect_logger_as(unit, context, o, ident, fileno, uid, gid);
573 if (r < 0) {
574 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
575 r = open_null_as(O_WRONLY, fileno);
576 } else {
577 struct stat st;
578
579 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
580 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
581 * services to detect whether they are connected to the journal or not. */
582
583 if (fstat(fileno, &st) >= 0) {
584 *journal_stream_dev = st.st_dev;
585 *journal_stream_ino = st.st_ino;
586 }
587 }
588 return r;
589
590 case EXEC_OUTPUT_SOCKET:
591 assert(socket_fd >= 0);
592 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
593
594 case EXEC_OUTPUT_NAMED_FD:
595 (void) fd_nonblock(named_iofds[fileno], false);
596 return dup2(named_iofds[fileno], fileno) < 0 ? -errno : fileno;
597
598 default:
599 assert_not_reached("Unknown error type");
600 }
601 }
602
603 static int chown_terminal(int fd, uid_t uid) {
604 struct stat st;
605
606 assert(fd >= 0);
607
608 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
609 if (isatty(fd) < 1)
610 return 0;
611
612 /* This might fail. What matters are the results. */
613 (void) fchown(fd, uid, -1);
614 (void) fchmod(fd, TTY_MODE);
615
616 if (fstat(fd, &st) < 0)
617 return -errno;
618
619 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
620 return -EPERM;
621
622 return 0;
623 }
624
625 static int setup_confirm_stdio(int *_saved_stdin, int *_saved_stdout) {
626 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
627 int r;
628
629 assert(_saved_stdin);
630 assert(_saved_stdout);
631
632 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
633 if (saved_stdin < 0)
634 return -errno;
635
636 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
637 if (saved_stdout < 0)
638 return -errno;
639
640 fd = acquire_terminal(
641 "/dev/console",
642 false,
643 false,
644 false,
645 DEFAULT_CONFIRM_USEC);
646 if (fd < 0)
647 return fd;
648
649 r = chown_terminal(fd, getuid());
650 if (r < 0)
651 return r;
652
653 r = reset_terminal_fd(fd, true);
654 if (r < 0)
655 return r;
656
657 if (dup2(fd, STDIN_FILENO) < 0)
658 return -errno;
659
660 if (dup2(fd, STDOUT_FILENO) < 0)
661 return -errno;
662
663 if (fd >= 2)
664 safe_close(fd);
665 fd = -1;
666
667 *_saved_stdin = saved_stdin;
668 *_saved_stdout = saved_stdout;
669
670 saved_stdin = saved_stdout = -1;
671
672 return 0;
673 }
674
675 _printf_(1, 2) static int write_confirm_message(const char *format, ...) {
676 _cleanup_close_ int fd = -1;
677 va_list ap;
678
679 assert(format);
680
681 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
682 if (fd < 0)
683 return fd;
684
685 va_start(ap, format);
686 vdprintf(fd, format, ap);
687 va_end(ap);
688
689 return 0;
690 }
691
692 static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
693 int r = 0;
694
695 assert(saved_stdin);
696 assert(saved_stdout);
697
698 release_terminal();
699
700 if (*saved_stdin >= 0)
701 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
702 r = -errno;
703
704 if (*saved_stdout >= 0)
705 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
706 r = -errno;
707
708 *saved_stdin = safe_close(*saved_stdin);
709 *saved_stdout = safe_close(*saved_stdout);
710
711 return r;
712 }
713
714 static int ask_for_confirmation(char *response, char **argv) {
715 int saved_stdout = -1, saved_stdin = -1, r;
716 _cleanup_free_ char *line = NULL;
717
718 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
719 if (r < 0)
720 return r;
721
722 line = exec_command_line(argv);
723 if (!line)
724 return -ENOMEM;
725
726 r = ask_char(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
727
728 restore_confirm_stdio(&saved_stdin, &saved_stdout);
729
730 return r;
731 }
732
733 static int get_fixed_user(const ExecContext *c, const char **user,
734 uid_t *uid, gid_t *gid,
735 const char **home, const char **shell) {
736 int r;
737 const char *name;
738
739 assert(c);
740
741 if (!c->user)
742 return 0;
743
744 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
745 * (i.e. are "/" or "/bin/nologin"). */
746
747 name = c->user;
748 r = get_user_creds_clean(&name, uid, gid, home, shell);
749 if (r < 0)
750 return r;
751
752 *user = name;
753 return 0;
754 }
755
756 static int get_fixed_group(const ExecContext *c, const char **group, gid_t *gid) {
757 int r;
758 const char *name;
759
760 assert(c);
761
762 if (!c->group)
763 return 0;
764
765 name = c->group;
766 r = get_group_creds(&name, gid);
767 if (r < 0)
768 return r;
769
770 *group = name;
771 return 0;
772 }
773
774 static int get_fixed_supplementary_groups(const ExecContext *c,
775 const char *user,
776 const char *group,
777 gid_t gid,
778 gid_t **supplementary_gids, int *ngids) {
779 char **i;
780 int r, k = 0;
781 int ngroups_max;
782 bool keep_groups = false;
783 gid_t *groups = NULL;
784 _cleanup_free_ gid_t *l_gids = NULL;
785
786 assert(c);
787
788 if (!c->supplementary_groups)
789 return 0;
790
791 /*
792 * If SupplementaryGroups= was passed then NGROUPS_MAX has to
793 * be positive, otherwise fail.
794 */
795 errno = 0;
796 ngroups_max = (int) sysconf(_SC_NGROUPS_MAX);
797 if (ngroups_max <= 0) {
798 if (errno > 0)
799 return -errno;
800 else
801 return -EOPNOTSUPP; /* For all other values */
802 }
803
804 /*
805 * If user is given, then lookup GID and supplementary group list.
806 * We avoid NSS lookups for gid=0.
807 */
808 if (user && gid_is_valid(gid) && gid != 0) {
809 /* First step, initialize groups from /etc/groups */
810 if (initgroups(user, gid) < 0)
811 return -errno;
812
813 keep_groups = true;
814 }
815
816 l_gids = new(gid_t, ngroups_max);
817 if (!l_gids)
818 return -ENOMEM;
819
820 if (keep_groups) {
821 /*
822 * Lookup the list of groups that the user belongs to, we
823 * avoid NSS lookups here too for gid=0.
824 */
825 k = ngroups_max;
826 if (getgrouplist(user, gid, l_gids, &k) < 0)
827 return -EINVAL;
828 } else
829 k = 0;
830
831 STRV_FOREACH(i, c->supplementary_groups) {
832 const char *g;
833
834 if (k >= ngroups_max)
835 return -E2BIG;
836
837 g = *i;
838 r = get_group_creds(&g, l_gids+k);
839 if (r < 0)
840 return r;
841
842 k++;
843 }
844
845 /*
846 * Sets ngids to zero to drop all supplementary groups, happens
847 * when we are under root and SupplementaryGroups= is empty.
848 */
849 if (k == 0) {
850 *ngids = 0;
851 return 0;
852 }
853
854 /* Otherwise get the final list of supplementary groups */
855 groups = memdup(l_gids, sizeof(gid_t) * k);
856 if (!groups)
857 return -ENOMEM;
858
859 *supplementary_gids = groups;
860 *ngids = k;
861
862 groups = NULL;
863
864 return 0;
865 }
866
867 static int enforce_groups(const ExecContext *context, gid_t gid,
868 gid_t *supplementary_gids, int ngids) {
869 int r;
870
871 assert(context);
872
873 /* Handle SupplementaryGroups= even if it is empty */
874 if (context->supplementary_groups) {
875 r = maybe_setgroups(ngids, supplementary_gids);
876 if (r < 0)
877 return r;
878 }
879
880 if (gid_is_valid(gid)) {
881 /* Then set our gids */
882 if (setresgid(gid, gid, gid) < 0)
883 return -errno;
884 }
885
886 return 0;
887 }
888
889 static int enforce_user(const ExecContext *context, uid_t uid) {
890 assert(context);
891
892 if (!uid_is_valid(uid))
893 return 0;
894
895 /* Sets (but doesn't look up) the uid and make sure we keep the
896 * capabilities while doing so. */
897
898 if (context->capability_ambient_set != 0) {
899
900 /* First step: If we need to keep capabilities but
901 * drop privileges we need to make sure we keep our
902 * caps, while we drop privileges. */
903 if (uid != 0) {
904 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
905
906 if (prctl(PR_GET_SECUREBITS) != sb)
907 if (prctl(PR_SET_SECUREBITS, sb) < 0)
908 return -errno;
909 }
910 }
911
912 /* Second step: actually set the uids */
913 if (setresuid(uid, uid, uid) < 0)
914 return -errno;
915
916 /* At this point we should have all necessary capabilities but
917 are otherwise a normal user. However, the caps might got
918 corrupted due to the setresuid() so we need clean them up
919 later. This is done outside of this call. */
920
921 return 0;
922 }
923
924 #ifdef HAVE_PAM
925
926 static int null_conv(
927 int num_msg,
928 const struct pam_message **msg,
929 struct pam_response **resp,
930 void *appdata_ptr) {
931
932 /* We don't support conversations */
933
934 return PAM_CONV_ERR;
935 }
936
937 #endif
938
939 static int setup_pam(
940 const char *name,
941 const char *user,
942 uid_t uid,
943 gid_t gid,
944 const char *tty,
945 char ***env,
946 int fds[], unsigned n_fds) {
947
948 #ifdef HAVE_PAM
949
950 static const struct pam_conv conv = {
951 .conv = null_conv,
952 .appdata_ptr = NULL
953 };
954
955 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
956 pam_handle_t *handle = NULL;
957 sigset_t old_ss;
958 int pam_code = PAM_SUCCESS, r;
959 char **nv, **e = NULL;
960 bool close_session = false;
961 pid_t pam_pid = 0, parent_pid;
962 int flags = 0;
963
964 assert(name);
965 assert(user);
966 assert(env);
967
968 /* We set up PAM in the parent process, then fork. The child
969 * will then stay around until killed via PR_GET_PDEATHSIG or
970 * systemd via the cgroup logic. It will then remove the PAM
971 * session again. The parent process will exec() the actual
972 * daemon. We do things this way to ensure that the main PID
973 * of the daemon is the one we initially fork()ed. */
974
975 r = barrier_create(&barrier);
976 if (r < 0)
977 goto fail;
978
979 if (log_get_max_level() < LOG_DEBUG)
980 flags |= PAM_SILENT;
981
982 pam_code = pam_start(name, user, &conv, &handle);
983 if (pam_code != PAM_SUCCESS) {
984 handle = NULL;
985 goto fail;
986 }
987
988 if (tty) {
989 pam_code = pam_set_item(handle, PAM_TTY, tty);
990 if (pam_code != PAM_SUCCESS)
991 goto fail;
992 }
993
994 STRV_FOREACH(nv, *env) {
995 pam_code = pam_putenv(handle, *nv);
996 if (pam_code != PAM_SUCCESS)
997 goto fail;
998 }
999
1000 pam_code = pam_acct_mgmt(handle, flags);
1001 if (pam_code != PAM_SUCCESS)
1002 goto fail;
1003
1004 pam_code = pam_open_session(handle, flags);
1005 if (pam_code != PAM_SUCCESS)
1006 goto fail;
1007
1008 close_session = true;
1009
1010 e = pam_getenvlist(handle);
1011 if (!e) {
1012 pam_code = PAM_BUF_ERR;
1013 goto fail;
1014 }
1015
1016 /* Block SIGTERM, so that we know that it won't get lost in
1017 * the child */
1018
1019 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
1020
1021 parent_pid = getpid();
1022
1023 pam_pid = fork();
1024 if (pam_pid < 0) {
1025 r = -errno;
1026 goto fail;
1027 }
1028
1029 if (pam_pid == 0) {
1030 int sig, ret = EXIT_PAM;
1031
1032 /* The child's job is to reset the PAM session on
1033 * termination */
1034 barrier_set_role(&barrier, BARRIER_CHILD);
1035
1036 /* This string must fit in 10 chars (i.e. the length
1037 * of "/sbin/init"), to look pretty in /bin/ps */
1038 rename_process("(sd-pam)");
1039
1040 /* Make sure we don't keep open the passed fds in this
1041 child. We assume that otherwise only those fds are
1042 open here that have been opened by PAM. */
1043 close_many(fds, n_fds);
1044
1045 /* Drop privileges - we don't need any to pam_close_session
1046 * and this will make PR_SET_PDEATHSIG work in most cases.
1047 * If this fails, ignore the error - but expect sd-pam threads
1048 * to fail to exit normally */
1049
1050 r = maybe_setgroups(0, NULL);
1051 if (r < 0)
1052 log_warning_errno(r, "Failed to setgroups() in sd-pam: %m");
1053 if (setresgid(gid, gid, gid) < 0)
1054 log_warning_errno(errno, "Failed to setresgid() in sd-pam: %m");
1055 if (setresuid(uid, uid, uid) < 0)
1056 log_warning_errno(errno, "Failed to setresuid() in sd-pam: %m");
1057
1058 (void) ignore_signals(SIGPIPE, -1);
1059
1060 /* Wait until our parent died. This will only work if
1061 * the above setresuid() succeeds, otherwise the kernel
1062 * will not allow unprivileged parents kill their privileged
1063 * children this way. We rely on the control groups kill logic
1064 * to do the rest for us. */
1065 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
1066 goto child_finish;
1067
1068 /* Tell the parent that our setup is done. This is especially
1069 * important regarding dropping privileges. Otherwise, unit
1070 * setup might race against our setresuid(2) call. */
1071 barrier_place(&barrier);
1072
1073 /* Check if our parent process might already have
1074 * died? */
1075 if (getppid() == parent_pid) {
1076 sigset_t ss;
1077
1078 assert_se(sigemptyset(&ss) >= 0);
1079 assert_se(sigaddset(&ss, SIGTERM) >= 0);
1080
1081 for (;;) {
1082 if (sigwait(&ss, &sig) < 0) {
1083 if (errno == EINTR)
1084 continue;
1085
1086 goto child_finish;
1087 }
1088
1089 assert(sig == SIGTERM);
1090 break;
1091 }
1092 }
1093
1094 /* If our parent died we'll end the session */
1095 if (getppid() != parent_pid) {
1096 pam_code = pam_close_session(handle, flags);
1097 if (pam_code != PAM_SUCCESS)
1098 goto child_finish;
1099 }
1100
1101 ret = 0;
1102
1103 child_finish:
1104 pam_end(handle, pam_code | flags);
1105 _exit(ret);
1106 }
1107
1108 barrier_set_role(&barrier, BARRIER_PARENT);
1109
1110 /* If the child was forked off successfully it will do all the
1111 * cleanups, so forget about the handle here. */
1112 handle = NULL;
1113
1114 /* Unblock SIGTERM again in the parent */
1115 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
1116
1117 /* We close the log explicitly here, since the PAM modules
1118 * might have opened it, but we don't want this fd around. */
1119 closelog();
1120
1121 /* Synchronously wait for the child to initialize. We don't care for
1122 * errors as we cannot recover. However, warn loudly if it happens. */
1123 if (!barrier_place_and_sync(&barrier))
1124 log_error("PAM initialization failed");
1125
1126 strv_free(*env);
1127 *env = e;
1128
1129 return 0;
1130
1131 fail:
1132 if (pam_code != PAM_SUCCESS) {
1133 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
1134 r = -EPERM; /* PAM errors do not map to errno */
1135 } else
1136 log_error_errno(r, "PAM failed: %m");
1137
1138 if (handle) {
1139 if (close_session)
1140 pam_code = pam_close_session(handle, flags);
1141
1142 pam_end(handle, pam_code | flags);
1143 }
1144
1145 strv_free(e);
1146 closelog();
1147
1148 return r;
1149 #else
1150 return 0;
1151 #endif
1152 }
1153
1154 static void rename_process_from_path(const char *path) {
1155 char process_name[11];
1156 const char *p;
1157 size_t l;
1158
1159 /* This resulting string must fit in 10 chars (i.e. the length
1160 * of "/sbin/init") to look pretty in /bin/ps */
1161
1162 p = basename(path);
1163 if (isempty(p)) {
1164 rename_process("(...)");
1165 return;
1166 }
1167
1168 l = strlen(p);
1169 if (l > 8) {
1170 /* The end of the process name is usually more
1171 * interesting, since the first bit might just be
1172 * "systemd-" */
1173 p = p + l - 8;
1174 l = 8;
1175 }
1176
1177 process_name[0] = '(';
1178 memcpy(process_name+1, p, l);
1179 process_name[1+l] = ')';
1180 process_name[1+l+1] = 0;
1181
1182 rename_process(process_name);
1183 }
1184
1185 #ifdef HAVE_SECCOMP
1186
1187 static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
1188
1189 if (is_seccomp_available())
1190 return false;
1191
1192 log_open();
1193 log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
1194 log_close();
1195 return true;
1196 }
1197
1198 static int apply_seccomp(const Unit* u, const ExecContext *c) {
1199 uint32_t negative_action, action;
1200 scmp_filter_ctx seccomp;
1201 Iterator i;
1202 void *id;
1203 int r;
1204
1205 assert(c);
1206
1207 if (skip_seccomp_unavailable(u, "syscall filtering"))
1208 return 0;
1209
1210 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
1211
1212 seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW);
1213 if (!seccomp)
1214 return -ENOMEM;
1215
1216 if (c->syscall_archs) {
1217
1218 SET_FOREACH(id, c->syscall_archs, i) {
1219 r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
1220 if (r == -EEXIST)
1221 continue;
1222 if (r < 0)
1223 goto finish;
1224 }
1225
1226 } else {
1227 r = seccomp_add_secondary_archs(seccomp);
1228 if (r < 0)
1229 goto finish;
1230 }
1231
1232 action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
1233 SET_FOREACH(id, c->syscall_filter, i) {
1234 r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
1235 if (r < 0)
1236 goto finish;
1237 }
1238
1239 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1240 if (r < 0)
1241 goto finish;
1242
1243 r = seccomp_load(seccomp);
1244
1245 finish:
1246 seccomp_release(seccomp);
1247 return r;
1248 }
1249
1250 static int apply_address_families(const Unit* u, const ExecContext *c) {
1251 scmp_filter_ctx seccomp;
1252 Iterator i;
1253 int r;
1254
1255 assert(c);
1256
1257 if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
1258 return 0;
1259
1260 r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
1261 if (r < 0)
1262 return r;
1263
1264 if (c->address_families_whitelist) {
1265 int af, first = 0, last = 0;
1266 void *afp;
1267
1268 /* If this is a whitelist, we first block the address
1269 * families that are out of range and then everything
1270 * that is not in the set. First, we find the lowest
1271 * and highest address family in the set. */
1272
1273 SET_FOREACH(afp, c->address_families, i) {
1274 af = PTR_TO_INT(afp);
1275
1276 if (af <= 0 || af >= af_max())
1277 continue;
1278
1279 if (first == 0 || af < first)
1280 first = af;
1281
1282 if (last == 0 || af > last)
1283 last = af;
1284 }
1285
1286 assert((first == 0) == (last == 0));
1287
1288 if (first == 0) {
1289
1290 /* No entries in the valid range, block everything */
1291 r = seccomp_rule_add(
1292 seccomp,
1293 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1294 SCMP_SYS(socket),
1295 0);
1296 if (r < 0)
1297 goto finish;
1298
1299 } else {
1300
1301 /* Block everything below the first entry */
1302 r = seccomp_rule_add(
1303 seccomp,
1304 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1305 SCMP_SYS(socket),
1306 1,
1307 SCMP_A0(SCMP_CMP_LT, first));
1308 if (r < 0)
1309 goto finish;
1310
1311 /* Block everything above the last entry */
1312 r = seccomp_rule_add(
1313 seccomp,
1314 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1315 SCMP_SYS(socket),
1316 1,
1317 SCMP_A0(SCMP_CMP_GT, last));
1318 if (r < 0)
1319 goto finish;
1320
1321 /* Block everything between the first and last
1322 * entry */
1323 for (af = 1; af < af_max(); af++) {
1324
1325 if (set_contains(c->address_families, INT_TO_PTR(af)))
1326 continue;
1327
1328 r = seccomp_rule_add(
1329 seccomp,
1330 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1331 SCMP_SYS(socket),
1332 1,
1333 SCMP_A0(SCMP_CMP_EQ, af));
1334 if (r < 0)
1335 goto finish;
1336 }
1337 }
1338
1339 } else {
1340 void *af;
1341
1342 /* If this is a blacklist, then generate one rule for
1343 * each address family that are then combined in OR
1344 * checks. */
1345
1346 SET_FOREACH(af, c->address_families, i) {
1347
1348 r = seccomp_rule_add(
1349 seccomp,
1350 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1351 SCMP_SYS(socket),
1352 1,
1353 SCMP_A0(SCMP_CMP_EQ, PTR_TO_INT(af)));
1354 if (r < 0)
1355 goto finish;
1356 }
1357 }
1358
1359 r = seccomp_load(seccomp);
1360
1361 finish:
1362 seccomp_release(seccomp);
1363 return r;
1364 }
1365
1366 static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c) {
1367 scmp_filter_ctx seccomp;
1368 int r;
1369
1370 assert(c);
1371
1372 if (skip_seccomp_unavailable(u, "MemoryDenyWriteExecute="))
1373 return 0;
1374
1375 r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
1376 if (r < 0)
1377 return r;
1378
1379 r = seccomp_rule_add(
1380 seccomp,
1381 SCMP_ACT_ERRNO(EPERM),
1382 SCMP_SYS(mmap),
1383 1,
1384 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE));
1385 if (r < 0)
1386 goto finish;
1387
1388 r = seccomp_rule_add(
1389 seccomp,
1390 SCMP_ACT_ERRNO(EPERM),
1391 SCMP_SYS(mprotect),
1392 1,
1393 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC));
1394 if (r < 0)
1395 goto finish;
1396
1397 r = seccomp_load(seccomp);
1398
1399 finish:
1400 seccomp_release(seccomp);
1401 return r;
1402 }
1403
1404 static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
1405 static const int permitted_policies[] = {
1406 SCHED_OTHER,
1407 SCHED_BATCH,
1408 SCHED_IDLE,
1409 };
1410
1411 scmp_filter_ctx seccomp;
1412 unsigned i;
1413 int r, p, max_policy = 0;
1414
1415 assert(c);
1416
1417 if (skip_seccomp_unavailable(u, "RestrictRealtime="))
1418 return 0;
1419
1420 r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
1421 if (r < 0)
1422 return r;
1423
1424 /* Determine the highest policy constant we want to allow */
1425 for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
1426 if (permitted_policies[i] > max_policy)
1427 max_policy = permitted_policies[i];
1428
1429 /* Go through all policies with lower values than that, and block them -- unless they appear in the
1430 * whitelist. */
1431 for (p = 0; p < max_policy; p++) {
1432 bool good = false;
1433
1434 /* Check if this is in the whitelist. */
1435 for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
1436 if (permitted_policies[i] == p) {
1437 good = true;
1438 break;
1439 }
1440
1441 if (good)
1442 continue;
1443
1444 /* Deny this policy */
1445 r = seccomp_rule_add(
1446 seccomp,
1447 SCMP_ACT_ERRNO(EPERM),
1448 SCMP_SYS(sched_setscheduler),
1449 1,
1450 SCMP_A1(SCMP_CMP_EQ, p));
1451 if (r < 0)
1452 goto finish;
1453 }
1454
1455 /* Blacklist all other policies, i.e. the ones with higher values. Note that all comparisons are unsigned here,
1456 * hence no need no check for < 0 values. */
1457 r = seccomp_rule_add(
1458 seccomp,
1459 SCMP_ACT_ERRNO(EPERM),
1460 SCMP_SYS(sched_setscheduler),
1461 1,
1462 SCMP_A1(SCMP_CMP_GT, max_policy));
1463 if (r < 0)
1464 goto finish;
1465
1466 r = seccomp_load(seccomp);
1467
1468 finish:
1469 seccomp_release(seccomp);
1470 return r;
1471 }
1472
1473 static int apply_protect_sysctl(Unit *u, const ExecContext *c) {
1474 scmp_filter_ctx seccomp;
1475 int r;
1476
1477 assert(c);
1478
1479 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1480 * let's protect even those systems where this is left on in the kernel. */
1481
1482 if (skip_seccomp_unavailable(u, "ProtectKernelTunables="))
1483 return 0;
1484
1485 r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
1486 if (r < 0)
1487 return r;
1488
1489 r = seccomp_rule_add(
1490 seccomp,
1491 SCMP_ACT_ERRNO(EPERM),
1492 SCMP_SYS(_sysctl),
1493 0);
1494 if (r < 0)
1495 goto finish;
1496
1497 r = seccomp_load(seccomp);
1498
1499 finish:
1500 seccomp_release(seccomp);
1501 return r;
1502 }
1503
1504 static int apply_protect_kernel_modules(Unit *u, const ExecContext *c) {
1505 assert(c);
1506
1507 /* Turn off module syscalls on ProtectKernelModules=yes */
1508
1509 if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
1510 return 0;
1511
1512 return seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM));
1513 }
1514
1515 static int apply_private_devices(Unit *u, const ExecContext *c) {
1516 assert(c);
1517
1518 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
1519
1520 if (skip_seccomp_unavailable(u, "PrivateDevices="))
1521 return 0;
1522
1523 return seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
1524 }
1525
1526 #endif
1527
1528 static void do_idle_pipe_dance(int idle_pipe[4]) {
1529 assert(idle_pipe);
1530
1531 idle_pipe[1] = safe_close(idle_pipe[1]);
1532 idle_pipe[2] = safe_close(idle_pipe[2]);
1533
1534 if (idle_pipe[0] >= 0) {
1535 int r;
1536
1537 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1538
1539 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
1540 ssize_t n;
1541
1542 /* Signal systemd that we are bored and want to continue. */
1543 n = write(idle_pipe[3], "x", 1);
1544 if (n > 0)
1545 /* Wait for systemd to react to the signal above. */
1546 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1547 }
1548
1549 idle_pipe[0] = safe_close(idle_pipe[0]);
1550
1551 }
1552
1553 idle_pipe[3] = safe_close(idle_pipe[3]);
1554 }
1555
1556 static int build_environment(
1557 Unit *u,
1558 const ExecContext *c,
1559 const ExecParameters *p,
1560 unsigned n_fds,
1561 const char *home,
1562 const char *username,
1563 const char *shell,
1564 dev_t journal_stream_dev,
1565 ino_t journal_stream_ino,
1566 char ***ret) {
1567
1568 _cleanup_strv_free_ char **our_env = NULL;
1569 unsigned n_env = 0;
1570 char *x;
1571
1572 assert(u);
1573 assert(c);
1574 assert(ret);
1575
1576 our_env = new0(char*, 14);
1577 if (!our_env)
1578 return -ENOMEM;
1579
1580 if (n_fds > 0) {
1581 _cleanup_free_ char *joined = NULL;
1582
1583 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1584 return -ENOMEM;
1585 our_env[n_env++] = x;
1586
1587 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1588 return -ENOMEM;
1589 our_env[n_env++] = x;
1590
1591 joined = strv_join(p->fd_names, ":");
1592 if (!joined)
1593 return -ENOMEM;
1594
1595 x = strjoin("LISTEN_FDNAMES=", joined, NULL);
1596 if (!x)
1597 return -ENOMEM;
1598 our_env[n_env++] = x;
1599 }
1600
1601 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
1602 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1603 return -ENOMEM;
1604 our_env[n_env++] = x;
1605
1606 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
1607 return -ENOMEM;
1608 our_env[n_env++] = x;
1609 }
1610
1611 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1612 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1613 * check the database directly. */
1614 if (unit_has_name(u, SPECIAL_DBUS_SERVICE)) {
1615 x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1616 if (!x)
1617 return -ENOMEM;
1618 our_env[n_env++] = x;
1619 }
1620
1621 if (home) {
1622 x = strappend("HOME=", home);
1623 if (!x)
1624 return -ENOMEM;
1625 our_env[n_env++] = x;
1626 }
1627
1628 if (username) {
1629 x = strappend("LOGNAME=", username);
1630 if (!x)
1631 return -ENOMEM;
1632 our_env[n_env++] = x;
1633
1634 x = strappend("USER=", username);
1635 if (!x)
1636 return -ENOMEM;
1637 our_env[n_env++] = x;
1638 }
1639
1640 if (shell) {
1641 x = strappend("SHELL=", shell);
1642 if (!x)
1643 return -ENOMEM;
1644 our_env[n_env++] = x;
1645 }
1646
1647 if (!sd_id128_is_null(u->invocation_id)) {
1648 if (asprintf(&x, "INVOCATION_ID=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(u->invocation_id)) < 0)
1649 return -ENOMEM;
1650
1651 our_env[n_env++] = x;
1652 }
1653
1654 if (exec_context_needs_term(c)) {
1655 const char *tty_path, *term = NULL;
1656
1657 tty_path = exec_context_tty_path(c);
1658
1659 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try to inherit
1660 * the $TERM set for PID 1. This is useful for containers so that the $TERM the container manager
1661 * passes to PID 1 ends up all the way in the console login shown. */
1662
1663 if (path_equal(tty_path, "/dev/console") && getppid() == 1)
1664 term = getenv("TERM");
1665 if (!term)
1666 term = default_term_for_tty(tty_path);
1667
1668 x = strappend("TERM=", term);
1669 if (!x)
1670 return -ENOMEM;
1671 our_env[n_env++] = x;
1672 }
1673
1674 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1675 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1676 return -ENOMEM;
1677
1678 our_env[n_env++] = x;
1679 }
1680
1681 our_env[n_env++] = NULL;
1682 assert(n_env <= 12);
1683
1684 *ret = our_env;
1685 our_env = NULL;
1686
1687 return 0;
1688 }
1689
1690 static int build_pass_environment(const ExecContext *c, char ***ret) {
1691 _cleanup_strv_free_ char **pass_env = NULL;
1692 size_t n_env = 0, n_bufsize = 0;
1693 char **i;
1694
1695 STRV_FOREACH(i, c->pass_environment) {
1696 _cleanup_free_ char *x = NULL;
1697 char *v;
1698
1699 v = getenv(*i);
1700 if (!v)
1701 continue;
1702 x = strjoin(*i, "=", v, NULL);
1703 if (!x)
1704 return -ENOMEM;
1705 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1706 return -ENOMEM;
1707 pass_env[n_env++] = x;
1708 pass_env[n_env] = NULL;
1709 x = NULL;
1710 }
1711
1712 *ret = pass_env;
1713 pass_env = NULL;
1714
1715 return 0;
1716 }
1717
1718 static bool exec_needs_mount_namespace(
1719 const ExecContext *context,
1720 const ExecParameters *params,
1721 ExecRuntime *runtime) {
1722
1723 assert(context);
1724 assert(params);
1725
1726 if (!strv_isempty(context->read_write_paths) ||
1727 !strv_isempty(context->read_only_paths) ||
1728 !strv_isempty(context->inaccessible_paths))
1729 return true;
1730
1731 if (context->mount_flags != 0)
1732 return true;
1733
1734 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1735 return true;
1736
1737 if (context->private_devices ||
1738 context->protect_system != PROTECT_SYSTEM_NO ||
1739 context->protect_home != PROTECT_HOME_NO ||
1740 context->protect_kernel_tunables ||
1741 context->protect_kernel_modules ||
1742 context->protect_control_groups)
1743 return true;
1744
1745 return false;
1746 }
1747
1748 static int setup_private_users(uid_t uid, gid_t gid) {
1749 _cleanup_free_ char *uid_map = NULL, *gid_map = NULL;
1750 _cleanup_close_pair_ int errno_pipe[2] = { -1, -1 };
1751 _cleanup_close_ int unshare_ready_fd = -1;
1752 _cleanup_(sigkill_waitp) pid_t pid = 0;
1753 uint64_t c = 1;
1754 siginfo_t si;
1755 ssize_t n;
1756 int r;
1757
1758 /* Set up a user namespace and map root to root, the selected UID/GID to itself, and everything else to
1759 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1760 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1761 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1762 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
1763 * continues execution normally. */
1764
1765 if (uid != 0 && uid_is_valid(uid))
1766 asprintf(&uid_map,
1767 "0 0 1\n" /* Map root → root */
1768 UID_FMT " " UID_FMT " 1\n", /* Map $UID → $UID */
1769 uid, uid);
1770 else
1771 uid_map = strdup("0 0 1\n"); /* The case where the above is the same */
1772 if (!uid_map)
1773 return -ENOMEM;
1774
1775 if (gid != 0 && gid_is_valid(gid))
1776 asprintf(&gid_map,
1777 "0 0 1\n" /* Map root → root */
1778 GID_FMT " " GID_FMT " 1\n", /* Map $GID → $GID */
1779 gid, gid);
1780 else
1781 gid_map = strdup("0 0 1\n"); /* The case where the above is the same */
1782 if (!gid_map)
1783 return -ENOMEM;
1784
1785 /* Create a communication channel so that the parent can tell the child when it finished creating the user
1786 * namespace. */
1787 unshare_ready_fd = eventfd(0, EFD_CLOEXEC);
1788 if (unshare_ready_fd < 0)
1789 return -errno;
1790
1791 /* Create a communication channel so that the child can tell the parent a proper error code in case it
1792 * failed. */
1793 if (pipe2(errno_pipe, O_CLOEXEC) < 0)
1794 return -errno;
1795
1796 pid = fork();
1797 if (pid < 0)
1798 return -errno;
1799
1800 if (pid == 0) {
1801 _cleanup_close_ int fd = -1;
1802 const char *a;
1803 pid_t ppid;
1804
1805 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
1806 * here, after the parent opened its own user namespace. */
1807
1808 ppid = getppid();
1809 errno_pipe[0] = safe_close(errno_pipe[0]);
1810
1811 /* Wait until the parent unshared the user namespace */
1812 if (read(unshare_ready_fd, &c, sizeof(c)) < 0) {
1813 r = -errno;
1814 goto child_fail;
1815 }
1816
1817 /* Disable the setgroups() system call in the child user namespace, for good. */
1818 a = procfs_file_alloca(ppid, "setgroups");
1819 fd = open(a, O_WRONLY|O_CLOEXEC);
1820 if (fd < 0) {
1821 if (errno != ENOENT) {
1822 r = -errno;
1823 goto child_fail;
1824 }
1825
1826 /* If the file is missing the kernel is too old, let's continue anyway. */
1827 } else {
1828 if (write(fd, "deny\n", 5) < 0) {
1829 r = -errno;
1830 goto child_fail;
1831 }
1832
1833 fd = safe_close(fd);
1834 }
1835
1836 /* First write the GID map */
1837 a = procfs_file_alloca(ppid, "gid_map");
1838 fd = open(a, O_WRONLY|O_CLOEXEC);
1839 if (fd < 0) {
1840 r = -errno;
1841 goto child_fail;
1842 }
1843 if (write(fd, gid_map, strlen(gid_map)) < 0) {
1844 r = -errno;
1845 goto child_fail;
1846 }
1847 fd = safe_close(fd);
1848
1849 /* The write the UID map */
1850 a = procfs_file_alloca(ppid, "uid_map");
1851 fd = open(a, O_WRONLY|O_CLOEXEC);
1852 if (fd < 0) {
1853 r = -errno;
1854 goto child_fail;
1855 }
1856 if (write(fd, uid_map, strlen(uid_map)) < 0) {
1857 r = -errno;
1858 goto child_fail;
1859 }
1860
1861 _exit(EXIT_SUCCESS);
1862
1863 child_fail:
1864 (void) write(errno_pipe[1], &r, sizeof(r));
1865 _exit(EXIT_FAILURE);
1866 }
1867
1868 errno_pipe[1] = safe_close(errno_pipe[1]);
1869
1870 if (unshare(CLONE_NEWUSER) < 0)
1871 return -errno;
1872
1873 /* Let the child know that the namespace is ready now */
1874 if (write(unshare_ready_fd, &c, sizeof(c)) < 0)
1875 return -errno;
1876
1877 /* Try to read an error code from the child */
1878 n = read(errno_pipe[0], &r, sizeof(r));
1879 if (n < 0)
1880 return -errno;
1881 if (n == sizeof(r)) { /* an error code was sent to us */
1882 if (r < 0)
1883 return r;
1884 return -EIO;
1885 }
1886 if (n != 0) /* on success we should have read 0 bytes */
1887 return -EIO;
1888
1889 r = wait_for_terminate(pid, &si);
1890 if (r < 0)
1891 return r;
1892 pid = 0;
1893
1894 /* If something strange happened with the child, let's consider this fatal, too */
1895 if (si.si_code != CLD_EXITED || si.si_status != 0)
1896 return -EIO;
1897
1898 return 0;
1899 }
1900
1901 static int setup_runtime_directory(
1902 const ExecContext *context,
1903 const ExecParameters *params,
1904 uid_t uid,
1905 gid_t gid) {
1906
1907 char **rt;
1908 int r;
1909
1910 assert(context);
1911 assert(params);
1912
1913 STRV_FOREACH(rt, context->runtime_directory) {
1914 _cleanup_free_ char *p;
1915
1916 p = strjoin(params->runtime_prefix, "/", *rt, NULL);
1917 if (!p)
1918 return -ENOMEM;
1919
1920 r = mkdir_p_label(p, context->runtime_directory_mode);
1921 if (r < 0)
1922 return r;
1923
1924 r = chmod_and_chown(p, context->runtime_directory_mode, uid, gid);
1925 if (r < 0)
1926 return r;
1927 }
1928
1929 return 0;
1930 }
1931
1932 static int setup_smack(
1933 const ExecContext *context,
1934 const ExecCommand *command) {
1935
1936 #ifdef HAVE_SMACK
1937 int r;
1938
1939 assert(context);
1940 assert(command);
1941
1942 if (!mac_smack_use())
1943 return 0;
1944
1945 if (context->smack_process_label) {
1946 r = mac_smack_apply_pid(0, context->smack_process_label);
1947 if (r < 0)
1948 return r;
1949 }
1950 #ifdef SMACK_DEFAULT_PROCESS_LABEL
1951 else {
1952 _cleanup_free_ char *exec_label = NULL;
1953
1954 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
1955 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP)
1956 return r;
1957
1958 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
1959 if (r < 0)
1960 return r;
1961 }
1962 #endif
1963 #endif
1964
1965 return 0;
1966 }
1967
1968 static int compile_read_write_paths(
1969 const ExecContext *context,
1970 const ExecParameters *params,
1971 char ***ret) {
1972
1973 _cleanup_strv_free_ char **l = NULL;
1974 char **rt;
1975
1976 /* Compile the list of writable paths. This is the combination of the explicitly configured paths, plus all
1977 * runtime directories. */
1978
1979 if (strv_isempty(context->read_write_paths) &&
1980 strv_isempty(context->runtime_directory)) {
1981 *ret = NULL; /* NOP if neither is set */
1982 return 0;
1983 }
1984
1985 l = strv_copy(context->read_write_paths);
1986 if (!l)
1987 return -ENOMEM;
1988
1989 STRV_FOREACH(rt, context->runtime_directory) {
1990 char *s;
1991
1992 s = strjoin(params->runtime_prefix, "/", *rt, NULL);
1993 if (!s)
1994 return -ENOMEM;
1995
1996 if (strv_consume(&l, s) < 0)
1997 return -ENOMEM;
1998 }
1999
2000 *ret = l;
2001 l = NULL;
2002
2003 return 0;
2004 }
2005
2006 static int apply_mount_namespace(Unit *u, const ExecContext *context,
2007 const ExecParameters *params,
2008 ExecRuntime *runtime) {
2009 int r;
2010 _cleanup_free_ char **rw = NULL;
2011 char *tmp = NULL, *var = NULL;
2012 const char *root_dir = NULL;
2013 NameSpaceInfo ns_info = {
2014 .private_dev = context->private_devices,
2015 .protect_control_groups = context->protect_control_groups,
2016 .protect_kernel_tunables = context->protect_kernel_tunables,
2017 .protect_kernel_modules = context->protect_kernel_modules,
2018 };
2019
2020 assert(context);
2021
2022 /* The runtime struct only contains the parent of the private /tmp,
2023 * which is non-accessible to world users. Inside of it there's a /tmp
2024 * that is sticky, and that's the one we want to use here. */
2025
2026 if (context->private_tmp && runtime) {
2027 if (runtime->tmp_dir)
2028 tmp = strjoina(runtime->tmp_dir, "/tmp");
2029 if (runtime->var_tmp_dir)
2030 var = strjoina(runtime->var_tmp_dir, "/tmp");
2031 }
2032
2033 r = compile_read_write_paths(context, params, &rw);
2034 if (r < 0)
2035 return r;
2036
2037 if (params->flags & EXEC_APPLY_CHROOT)
2038 root_dir = context->root_directory;
2039
2040 r = setup_namespace(root_dir, &ns_info, rw,
2041 context->read_only_paths,
2042 context->inaccessible_paths,
2043 tmp,
2044 var,
2045 context->protect_home,
2046 context->protect_system,
2047 context->mount_flags);
2048
2049 /* If we couldn't set up the namespace this is probably due to a
2050 * missing capability. In this case, silently proceeed. */
2051 if (IN_SET(r, -EPERM, -EACCES)) {
2052 log_open();
2053 log_unit_debug_errno(u, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
2054 log_close();
2055 r = 0;
2056 }
2057
2058 return r;
2059 }
2060
2061 static int apply_working_directory(const ExecContext *context,
2062 const ExecParameters *params,
2063 const char *home,
2064 const bool needs_mount_ns) {
2065 const char *d;
2066 const char *wd;
2067
2068 assert(context);
2069
2070 if (context->working_directory_home)
2071 wd = home;
2072 else if (context->working_directory)
2073 wd = context->working_directory;
2074 else
2075 wd = "/";
2076
2077 if (params->flags & EXEC_APPLY_CHROOT) {
2078 if (!needs_mount_ns && context->root_directory)
2079 if (chroot(context->root_directory) < 0)
2080 return -errno;
2081
2082 d = wd;
2083 } else
2084 d = strjoina(strempty(context->root_directory), "/", strempty(wd));
2085
2086 if (chdir(d) < 0 && !context->working_directory_missing_ok)
2087 return -errno;
2088
2089 return 0;
2090 }
2091
2092 static void append_socket_pair(int *array, unsigned *n, int pair[2]) {
2093 assert(array);
2094 assert(n);
2095
2096 if (!pair)
2097 return;
2098
2099 if (pair[0] >= 0)
2100 array[(*n)++] = pair[0];
2101 if (pair[1] >= 0)
2102 array[(*n)++] = pair[1];
2103 }
2104
2105 static int close_remaining_fds(
2106 const ExecParameters *params,
2107 ExecRuntime *runtime,
2108 DynamicCreds *dcreds,
2109 int user_lookup_fd,
2110 int socket_fd,
2111 int *fds, unsigned n_fds) {
2112
2113 unsigned n_dont_close = 0;
2114 int dont_close[n_fds + 12];
2115
2116 assert(params);
2117
2118 if (params->stdin_fd >= 0)
2119 dont_close[n_dont_close++] = params->stdin_fd;
2120 if (params->stdout_fd >= 0)
2121 dont_close[n_dont_close++] = params->stdout_fd;
2122 if (params->stderr_fd >= 0)
2123 dont_close[n_dont_close++] = params->stderr_fd;
2124
2125 if (socket_fd >= 0)
2126 dont_close[n_dont_close++] = socket_fd;
2127 if (n_fds > 0) {
2128 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
2129 n_dont_close += n_fds;
2130 }
2131
2132 if (runtime)
2133 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
2134
2135 if (dcreds) {
2136 if (dcreds->user)
2137 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
2138 if (dcreds->group)
2139 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
2140 }
2141
2142 if (user_lookup_fd >= 0)
2143 dont_close[n_dont_close++] = user_lookup_fd;
2144
2145 return close_all_fds(dont_close, n_dont_close);
2146 }
2147
2148 static bool context_has_address_families(const ExecContext *c) {
2149 assert(c);
2150
2151 return c->address_families_whitelist ||
2152 !set_isempty(c->address_families);
2153 }
2154
2155 static bool context_has_syscall_filters(const ExecContext *c) {
2156 assert(c);
2157
2158 return c->syscall_whitelist ||
2159 !set_isempty(c->syscall_filter) ||
2160 !set_isempty(c->syscall_archs);
2161 }
2162
2163 static bool context_has_no_new_privileges(const ExecContext *c) {
2164 assert(c);
2165
2166 if (c->no_new_privileges)
2167 return true;
2168
2169 if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
2170 return false;
2171
2172 return context_has_address_families(c) || /* we need NNP if we have any form of seccomp and are unprivileged */
2173 c->memory_deny_write_execute ||
2174 c->restrict_realtime ||
2175 c->protect_kernel_tunables ||
2176 c->protect_kernel_modules ||
2177 c->private_devices ||
2178 context_has_syscall_filters(c);
2179 }
2180
2181 static int send_user_lookup(
2182 Unit *unit,
2183 int user_lookup_fd,
2184 uid_t uid,
2185 gid_t gid) {
2186
2187 assert(unit);
2188
2189 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
2190 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
2191 * specified. */
2192
2193 if (user_lookup_fd < 0)
2194 return 0;
2195
2196 if (!uid_is_valid(uid) && !gid_is_valid(gid))
2197 return 0;
2198
2199 if (writev(user_lookup_fd,
2200 (struct iovec[]) {
2201 { .iov_base = &uid, .iov_len = sizeof(uid) },
2202 { .iov_base = &gid, .iov_len = sizeof(gid) },
2203 { .iov_base = unit->id, .iov_len = strlen(unit->id) }}, 3) < 0)
2204 return -errno;
2205
2206 return 0;
2207 }
2208
2209 static int exec_child(
2210 Unit *unit,
2211 ExecCommand *command,
2212 const ExecContext *context,
2213 const ExecParameters *params,
2214 ExecRuntime *runtime,
2215 DynamicCreds *dcreds,
2216 char **argv,
2217 int socket_fd,
2218 int named_iofds[3],
2219 int *fds, unsigned n_fds,
2220 char **files_env,
2221 int user_lookup_fd,
2222 int *exit_status) {
2223
2224 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **final_argv = NULL;
2225 _cleanup_free_ char *mac_selinux_context_net = NULL;
2226 _cleanup_free_ gid_t *supplementary_gids = NULL;
2227 const char *username = NULL, *groupname = NULL;
2228 const char *home = NULL, *shell = NULL;
2229 dev_t journal_stream_dev = 0;
2230 ino_t journal_stream_ino = 0;
2231 bool needs_mount_namespace;
2232 uid_t uid = UID_INVALID;
2233 gid_t gid = GID_INVALID;
2234 int i, r, ngids = 0;
2235
2236 assert(unit);
2237 assert(command);
2238 assert(context);
2239 assert(params);
2240 assert(exit_status);
2241
2242 rename_process_from_path(command->path);
2243
2244 /* We reset exactly these signals, since they are the
2245 * only ones we set to SIG_IGN in the main daemon. All
2246 * others we leave untouched because we set them to
2247 * SIG_DFL or a valid handler initially, both of which
2248 * will be demoted to SIG_DFL. */
2249 (void) default_signals(SIGNALS_CRASH_HANDLER,
2250 SIGNALS_IGNORE, -1);
2251
2252 if (context->ignore_sigpipe)
2253 (void) ignore_signals(SIGPIPE, -1);
2254
2255 r = reset_signal_mask();
2256 if (r < 0) {
2257 *exit_status = EXIT_SIGNAL_MASK;
2258 return r;
2259 }
2260
2261 if (params->idle_pipe)
2262 do_idle_pipe_dance(params->idle_pipe);
2263
2264 /* Close sockets very early to make sure we don't
2265 * block init reexecution because it cannot bind its
2266 * sockets */
2267
2268 log_forget_fds();
2269
2270 r = close_remaining_fds(params, runtime, dcreds, user_lookup_fd, socket_fd, fds, n_fds);
2271 if (r < 0) {
2272 *exit_status = EXIT_FDS;
2273 return r;
2274 }
2275
2276 if (!context->same_pgrp)
2277 if (setsid() < 0) {
2278 *exit_status = EXIT_SETSID;
2279 return -errno;
2280 }
2281
2282 exec_context_tty_reset(context, params);
2283
2284 if (params->flags & EXEC_CONFIRM_SPAWN) {
2285 char response;
2286
2287 r = ask_for_confirmation(&response, argv);
2288 if (r == -ETIMEDOUT)
2289 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
2290 else if (r < 0)
2291 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-r));
2292 else if (response == 's') {
2293 write_confirm_message("Skipping execution.\n");
2294 *exit_status = EXIT_CONFIRM;
2295 return -ECANCELED;
2296 } else if (response == 'n') {
2297 write_confirm_message("Failing execution.\n");
2298 *exit_status = 0;
2299 return 0;
2300 }
2301 }
2302
2303 if (context->dynamic_user && dcreds) {
2304
2305 /* Make sure we bypass our own NSS module for any NSS checks */
2306 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
2307 *exit_status = EXIT_USER;
2308 return -errno;
2309 }
2310
2311 r = dynamic_creds_realize(dcreds, &uid, &gid);
2312 if (r < 0) {
2313 *exit_status = EXIT_USER;
2314 return r;
2315 }
2316
2317 if (!uid_is_valid(uid) || !gid_is_valid(gid)) {
2318 *exit_status = EXIT_USER;
2319 return -ESRCH;
2320 }
2321
2322 if (dcreds->user)
2323 username = dcreds->user->name;
2324
2325 } else {
2326 r = get_fixed_user(context, &username, &uid, &gid, &home, &shell);
2327 if (r < 0) {
2328 *exit_status = EXIT_USER;
2329 return r;
2330 }
2331
2332 r = get_fixed_group(context, &groupname, &gid);
2333 if (r < 0) {
2334 *exit_status = EXIT_GROUP;
2335 return r;
2336 }
2337
2338 r = get_fixed_supplementary_groups(context, username, groupname,
2339 gid, &supplementary_gids, &ngids);
2340 if (r < 0) {
2341 *exit_status = EXIT_GROUP;
2342 return r;
2343 }
2344 }
2345
2346 r = send_user_lookup(unit, user_lookup_fd, uid, gid);
2347 if (r < 0) {
2348 *exit_status = EXIT_USER;
2349 return r;
2350 }
2351
2352 user_lookup_fd = safe_close(user_lookup_fd);
2353
2354 /* If a socket is connected to STDIN/STDOUT/STDERR, we
2355 * must sure to drop O_NONBLOCK */
2356 if (socket_fd >= 0)
2357 (void) fd_nonblock(socket_fd, false);
2358
2359 r = setup_input(context, params, socket_fd, named_iofds);
2360 if (r < 0) {
2361 *exit_status = EXIT_STDIN;
2362 return r;
2363 }
2364
2365 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
2366 if (r < 0) {
2367 *exit_status = EXIT_STDOUT;
2368 return r;
2369 }
2370
2371 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
2372 if (r < 0) {
2373 *exit_status = EXIT_STDERR;
2374 return r;
2375 }
2376
2377 if (params->cgroup_path) {
2378 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
2379 if (r < 0) {
2380 *exit_status = EXIT_CGROUP;
2381 return r;
2382 }
2383 }
2384
2385 if (context->oom_score_adjust_set) {
2386 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
2387
2388 /* When we can't make this change due to EPERM, then
2389 * let's silently skip over it. User namespaces
2390 * prohibit write access to this file, and we
2391 * shouldn't trip up over that. */
2392
2393 sprintf(t, "%i", context->oom_score_adjust);
2394 r = write_string_file("/proc/self/oom_score_adj", t, 0);
2395 if (r == -EPERM || r == -EACCES) {
2396 log_open();
2397 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
2398 log_close();
2399 } else if (r < 0) {
2400 *exit_status = EXIT_OOM_ADJUST;
2401 return -errno;
2402 }
2403 }
2404
2405 if (context->nice_set)
2406 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
2407 *exit_status = EXIT_NICE;
2408 return -errno;
2409 }
2410
2411 if (context->cpu_sched_set) {
2412 struct sched_param param = {
2413 .sched_priority = context->cpu_sched_priority,
2414 };
2415
2416 r = sched_setscheduler(0,
2417 context->cpu_sched_policy |
2418 (context->cpu_sched_reset_on_fork ?
2419 SCHED_RESET_ON_FORK : 0),
2420 &param);
2421 if (r < 0) {
2422 *exit_status = EXIT_SETSCHEDULER;
2423 return -errno;
2424 }
2425 }
2426
2427 if (context->cpuset)
2428 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
2429 *exit_status = EXIT_CPUAFFINITY;
2430 return -errno;
2431 }
2432
2433 if (context->ioprio_set)
2434 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
2435 *exit_status = EXIT_IOPRIO;
2436 return -errno;
2437 }
2438
2439 if (context->timer_slack_nsec != NSEC_INFINITY)
2440 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
2441 *exit_status = EXIT_TIMERSLACK;
2442 return -errno;
2443 }
2444
2445 if (context->personality != PERSONALITY_INVALID)
2446 if (personality(context->personality) < 0) {
2447 *exit_status = EXIT_PERSONALITY;
2448 return -errno;
2449 }
2450
2451 if (context->utmp_id)
2452 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path,
2453 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
2454 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
2455 USER_PROCESS,
2456 username ? "root" : context->user);
2457
2458 if (context->user) {
2459 r = chown_terminal(STDIN_FILENO, uid);
2460 if (r < 0) {
2461 *exit_status = EXIT_STDIN;
2462 return r;
2463 }
2464 }
2465
2466 /* If delegation is enabled we'll pass ownership of the cgroup
2467 * (but only in systemd's own controller hierarchy!) to the
2468 * user of the new process. */
2469 if (params->cgroup_path && context->user && params->cgroup_delegate) {
2470 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
2471 if (r < 0) {
2472 *exit_status = EXIT_CGROUP;
2473 return r;
2474 }
2475
2476
2477 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
2478 if (r < 0) {
2479 *exit_status = EXIT_CGROUP;
2480 return r;
2481 }
2482 }
2483
2484 if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
2485 r = setup_runtime_directory(context, params, uid, gid);
2486 if (r < 0) {
2487 *exit_status = EXIT_RUNTIME_DIRECTORY;
2488 return r;
2489 }
2490 }
2491
2492 r = build_environment(
2493 unit,
2494 context,
2495 params,
2496 n_fds,
2497 home,
2498 username,
2499 shell,
2500 journal_stream_dev,
2501 journal_stream_ino,
2502 &our_env);
2503 if (r < 0) {
2504 *exit_status = EXIT_MEMORY;
2505 return r;
2506 }
2507
2508 r = build_pass_environment(context, &pass_env);
2509 if (r < 0) {
2510 *exit_status = EXIT_MEMORY;
2511 return r;
2512 }
2513
2514 accum_env = strv_env_merge(5,
2515 params->environment,
2516 our_env,
2517 pass_env,
2518 context->environment,
2519 files_env,
2520 NULL);
2521 if (!accum_env) {
2522 *exit_status = EXIT_MEMORY;
2523 return -ENOMEM;
2524 }
2525 accum_env = strv_env_clean(accum_env);
2526
2527 (void) umask(context->umask);
2528
2529 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
2530 r = setup_smack(context, command);
2531 if (r < 0) {
2532 *exit_status = EXIT_SMACK_PROCESS_LABEL;
2533 return r;
2534 }
2535
2536 if (context->pam_name && username) {
2537 r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds);
2538 if (r < 0) {
2539 *exit_status = EXIT_PAM;
2540 return r;
2541 }
2542 }
2543 }
2544
2545 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
2546 r = setup_netns(runtime->netns_storage_socket);
2547 if (r < 0) {
2548 *exit_status = EXIT_NETWORK;
2549 return r;
2550 }
2551 }
2552
2553 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
2554 if (needs_mount_namespace) {
2555 r = apply_mount_namespace(unit, context, params, runtime);
2556 if (r < 0) {
2557 *exit_status = EXIT_NAMESPACE;
2558 return r;
2559 }
2560 }
2561
2562 /* Apply just after mount namespace setup */
2563 r = apply_working_directory(context, params, home, needs_mount_namespace);
2564 if (r < 0) {
2565 *exit_status = EXIT_CHROOT;
2566 return r;
2567 }
2568
2569 /* Drop group as early as possbile */
2570 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
2571 r = enforce_groups(context, gid, supplementary_gids, ngids);
2572 if (r < 0) {
2573 *exit_status = EXIT_GROUP;
2574 return r;
2575 }
2576 }
2577
2578 #ifdef HAVE_SELINUX
2579 if ((params->flags & EXEC_APPLY_PERMISSIONS) &&
2580 mac_selinux_use() &&
2581 params->selinux_context_net &&
2582 socket_fd >= 0 &&
2583 !command->privileged) {
2584
2585 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
2586 if (r < 0) {
2587 *exit_status = EXIT_SELINUX_CONTEXT;
2588 return r;
2589 }
2590 }
2591 #endif
2592
2593 if ((params->flags & EXEC_APPLY_PERMISSIONS) && context->private_users) {
2594 r = setup_private_users(uid, gid);
2595 if (r < 0) {
2596 *exit_status = EXIT_USER;
2597 return r;
2598 }
2599 }
2600
2601 /* We repeat the fd closing here, to make sure that
2602 * nothing is leaked from the PAM modules. Note that
2603 * we are more aggressive this time since socket_fd
2604 * and the netns fds we don't need anymore. The custom
2605 * endpoint fd was needed to upload the policy and can
2606 * now be closed as well. */
2607 r = close_all_fds(fds, n_fds);
2608 if (r >= 0)
2609 r = shift_fds(fds, n_fds);
2610 if (r >= 0)
2611 r = flags_fds(fds, n_fds, context->non_blocking);
2612 if (r < 0) {
2613 *exit_status = EXIT_FDS;
2614 return r;
2615 }
2616
2617 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
2618
2619 int secure_bits = context->secure_bits;
2620
2621 for (i = 0; i < _RLIMIT_MAX; i++) {
2622
2623 if (!context->rlimit[i])
2624 continue;
2625
2626 r = setrlimit_closest(i, context->rlimit[i]);
2627 if (r < 0) {
2628 *exit_status = EXIT_LIMITS;
2629 return r;
2630 }
2631 }
2632
2633 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */
2634 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
2635 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
2636 *exit_status = EXIT_LIMITS;
2637 return -errno;
2638 }
2639 }
2640
2641 if (!cap_test_all(context->capability_bounding_set)) {
2642 r = capability_bounding_set_drop(context->capability_bounding_set, false);
2643 if (r < 0) {
2644 *exit_status = EXIT_CAPABILITIES;
2645 return r;
2646 }
2647 }
2648
2649 /* This is done before enforce_user, but ambient set
2650 * does not survive over setresuid() if keep_caps is not set. */
2651 if (context->capability_ambient_set != 0) {
2652 r = capability_ambient_set_apply(context->capability_ambient_set, true);
2653 if (r < 0) {
2654 *exit_status = EXIT_CAPABILITIES;
2655 return r;
2656 }
2657 }
2658
2659 if (context->user) {
2660 r = enforce_user(context, uid);
2661 if (r < 0) {
2662 *exit_status = EXIT_USER;
2663 return r;
2664 }
2665 if (context->capability_ambient_set != 0) {
2666
2667 /* Fix the ambient capabilities after user change. */
2668 r = capability_ambient_set_apply(context->capability_ambient_set, false);
2669 if (r < 0) {
2670 *exit_status = EXIT_CAPABILITIES;
2671 return r;
2672 }
2673
2674 /* If we were asked to change user and ambient capabilities
2675 * were requested, we had to add keep-caps to the securebits
2676 * so that we would maintain the inherited capability set
2677 * through the setresuid(). Make sure that the bit is added
2678 * also to the context secure_bits so that we don't try to
2679 * drop the bit away next. */
2680
2681 secure_bits |= 1<<SECURE_KEEP_CAPS;
2682 }
2683 }
2684
2685 /* PR_GET_SECUREBITS is not privileged, while
2686 * PR_SET_SECUREBITS is. So to suppress
2687 * potential EPERMs we'll try not to call
2688 * PR_SET_SECUREBITS unless necessary. */
2689 if (prctl(PR_GET_SECUREBITS) != secure_bits)
2690 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
2691 *exit_status = EXIT_SECUREBITS;
2692 return -errno;
2693 }
2694
2695 if (context_has_no_new_privileges(context))
2696 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
2697 *exit_status = EXIT_NO_NEW_PRIVILEGES;
2698 return -errno;
2699 }
2700
2701 #ifdef HAVE_SECCOMP
2702 if (context_has_address_families(context)) {
2703 r = apply_address_families(unit, context);
2704 if (r < 0) {
2705 *exit_status = EXIT_ADDRESS_FAMILIES;
2706 return r;
2707 }
2708 }
2709
2710 if (context->memory_deny_write_execute) {
2711 r = apply_memory_deny_write_execute(unit, context);
2712 if (r < 0) {
2713 *exit_status = EXIT_SECCOMP;
2714 return r;
2715 }
2716 }
2717
2718 if (context->restrict_realtime) {
2719 r = apply_restrict_realtime(unit, context);
2720 if (r < 0) {
2721 *exit_status = EXIT_SECCOMP;
2722 return r;
2723 }
2724 }
2725
2726 if (context->protect_kernel_tunables) {
2727 r = apply_protect_sysctl(unit, context);
2728 if (r < 0) {
2729 *exit_status = EXIT_SECCOMP;
2730 return r;
2731 }
2732 }
2733
2734 if (context->protect_kernel_modules) {
2735 r = apply_protect_kernel_modules(unit, context);
2736 if (r < 0) {
2737 *exit_status = EXIT_SECCOMP;
2738 return r;
2739 }
2740 }
2741
2742 if (context->private_devices) {
2743 r = apply_private_devices(unit, context);
2744 if (r < 0) {
2745 *exit_status = EXIT_SECCOMP;
2746 return r;
2747 }
2748 }
2749
2750 if (context_has_syscall_filters(context)) {
2751 r = apply_seccomp(unit, context);
2752 if (r < 0) {
2753 *exit_status = EXIT_SECCOMP;
2754 return r;
2755 }
2756 }
2757 #endif
2758
2759 #ifdef HAVE_SELINUX
2760 if (mac_selinux_use()) {
2761 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
2762
2763 if (exec_context) {
2764 r = setexeccon(exec_context);
2765 if (r < 0) {
2766 *exit_status = EXIT_SELINUX_CONTEXT;
2767 return r;
2768 }
2769 }
2770 }
2771 #endif
2772
2773 #ifdef HAVE_APPARMOR
2774 if (context->apparmor_profile && mac_apparmor_use()) {
2775 r = aa_change_onexec(context->apparmor_profile);
2776 if (r < 0 && !context->apparmor_profile_ignore) {
2777 *exit_status = EXIT_APPARMOR_PROFILE;
2778 return -errno;
2779 }
2780 }
2781 #endif
2782 }
2783
2784 final_argv = replace_env_argv(argv, accum_env);
2785 if (!final_argv) {
2786 *exit_status = EXIT_MEMORY;
2787 return -ENOMEM;
2788 }
2789
2790 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
2791 _cleanup_free_ char *line;
2792
2793 line = exec_command_line(final_argv);
2794 if (line) {
2795 log_open();
2796 log_struct(LOG_DEBUG,
2797 LOG_UNIT_ID(unit),
2798 "EXECUTABLE=%s", command->path,
2799 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
2800 NULL);
2801 log_close();
2802 }
2803 }
2804
2805 execve(command->path, final_argv, accum_env);
2806 *exit_status = EXIT_EXEC;
2807 return -errno;
2808 }
2809
2810 int exec_spawn(Unit *unit,
2811 ExecCommand *command,
2812 const ExecContext *context,
2813 const ExecParameters *params,
2814 ExecRuntime *runtime,
2815 DynamicCreds *dcreds,
2816 pid_t *ret) {
2817
2818 _cleanup_strv_free_ char **files_env = NULL;
2819 int *fds = NULL; unsigned n_fds = 0;
2820 _cleanup_free_ char *line = NULL;
2821 int socket_fd, r;
2822 int named_iofds[3] = { -1, -1, -1 };
2823 char **argv;
2824 pid_t pid;
2825
2826 assert(unit);
2827 assert(command);
2828 assert(context);
2829 assert(ret);
2830 assert(params);
2831 assert(params->fds || params->n_fds <= 0);
2832
2833 if (context->std_input == EXEC_INPUT_SOCKET ||
2834 context->std_output == EXEC_OUTPUT_SOCKET ||
2835 context->std_error == EXEC_OUTPUT_SOCKET) {
2836
2837 if (params->n_fds != 1) {
2838 log_unit_error(unit, "Got more than one socket.");
2839 return -EINVAL;
2840 }
2841
2842 socket_fd = params->fds[0];
2843 } else {
2844 socket_fd = -1;
2845 fds = params->fds;
2846 n_fds = params->n_fds;
2847 }
2848
2849 r = exec_context_named_iofds(unit, context, params, named_iofds);
2850 if (r < 0)
2851 return log_unit_error_errno(unit, r, "Failed to load a named file descriptor: %m");
2852
2853 r = exec_context_load_environment(unit, context, &files_env);
2854 if (r < 0)
2855 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
2856
2857 argv = params->argv ?: command->argv;
2858 line = exec_command_line(argv);
2859 if (!line)
2860 return log_oom();
2861
2862 log_struct(LOG_DEBUG,
2863 LOG_UNIT_ID(unit),
2864 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
2865 "EXECUTABLE=%s", command->path,
2866 NULL);
2867 pid = fork();
2868 if (pid < 0)
2869 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
2870
2871 if (pid == 0) {
2872 int exit_status;
2873
2874 r = exec_child(unit,
2875 command,
2876 context,
2877 params,
2878 runtime,
2879 dcreds,
2880 argv,
2881 socket_fd,
2882 named_iofds,
2883 fds, n_fds,
2884 files_env,
2885 unit->manager->user_lookup_fds[1],
2886 &exit_status);
2887 if (r < 0) {
2888 log_open();
2889 log_struct_errno(LOG_ERR, r,
2890 LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
2891 LOG_UNIT_ID(unit),
2892 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
2893 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
2894 command->path),
2895 "EXECUTABLE=%s", command->path,
2896 NULL);
2897 }
2898
2899 _exit(exit_status);
2900 }
2901
2902 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
2903
2904 /* We add the new process to the cgroup both in the child (so
2905 * that we can be sure that no user code is ever executed
2906 * outside of the cgroup) and in the parent (so that we can be
2907 * sure that when we kill the cgroup the process will be
2908 * killed too). */
2909 if (params->cgroup_path)
2910 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
2911
2912 exec_status_start(&command->exec_status, pid);
2913
2914 *ret = pid;
2915 return 0;
2916 }
2917
2918 void exec_context_init(ExecContext *c) {
2919 assert(c);
2920
2921 c->umask = 0022;
2922 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
2923 c->cpu_sched_policy = SCHED_OTHER;
2924 c->syslog_priority = LOG_DAEMON|LOG_INFO;
2925 c->syslog_level_prefix = true;
2926 c->ignore_sigpipe = true;
2927 c->timer_slack_nsec = NSEC_INFINITY;
2928 c->personality = PERSONALITY_INVALID;
2929 c->runtime_directory_mode = 0755;
2930 c->capability_bounding_set = CAP_ALL;
2931 }
2932
2933 void exec_context_done(ExecContext *c) {
2934 unsigned l;
2935
2936 assert(c);
2937
2938 c->environment = strv_free(c->environment);
2939 c->environment_files = strv_free(c->environment_files);
2940 c->pass_environment = strv_free(c->pass_environment);
2941
2942 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
2943 c->rlimit[l] = mfree(c->rlimit[l]);
2944
2945 for (l = 0; l < 3; l++)
2946 c->stdio_fdname[l] = mfree(c->stdio_fdname[l]);
2947
2948 c->working_directory = mfree(c->working_directory);
2949 c->root_directory = mfree(c->root_directory);
2950 c->tty_path = mfree(c->tty_path);
2951 c->syslog_identifier = mfree(c->syslog_identifier);
2952 c->user = mfree(c->user);
2953 c->group = mfree(c->group);
2954
2955 c->supplementary_groups = strv_free(c->supplementary_groups);
2956
2957 c->pam_name = mfree(c->pam_name);
2958
2959 c->read_only_paths = strv_free(c->read_only_paths);
2960 c->read_write_paths = strv_free(c->read_write_paths);
2961 c->inaccessible_paths = strv_free(c->inaccessible_paths);
2962
2963 if (c->cpuset)
2964 CPU_FREE(c->cpuset);
2965
2966 c->utmp_id = mfree(c->utmp_id);
2967 c->selinux_context = mfree(c->selinux_context);
2968 c->apparmor_profile = mfree(c->apparmor_profile);
2969
2970 c->syscall_filter = set_free(c->syscall_filter);
2971 c->syscall_archs = set_free(c->syscall_archs);
2972 c->address_families = set_free(c->address_families);
2973
2974 c->runtime_directory = strv_free(c->runtime_directory);
2975 }
2976
2977 int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
2978 char **i;
2979
2980 assert(c);
2981
2982 if (!runtime_prefix)
2983 return 0;
2984
2985 STRV_FOREACH(i, c->runtime_directory) {
2986 _cleanup_free_ char *p;
2987
2988 p = strjoin(runtime_prefix, "/", *i, NULL);
2989 if (!p)
2990 return -ENOMEM;
2991
2992 /* We execute this synchronously, since we need to be
2993 * sure this is gone when we start the service
2994 * next. */
2995 (void) rm_rf(p, REMOVE_ROOT);
2996 }
2997
2998 return 0;
2999 }
3000
3001 void exec_command_done(ExecCommand *c) {
3002 assert(c);
3003
3004 c->path = mfree(c->path);
3005
3006 c->argv = strv_free(c->argv);
3007 }
3008
3009 void exec_command_done_array(ExecCommand *c, unsigned n) {
3010 unsigned i;
3011
3012 for (i = 0; i < n; i++)
3013 exec_command_done(c+i);
3014 }
3015
3016 ExecCommand* exec_command_free_list(ExecCommand *c) {
3017 ExecCommand *i;
3018
3019 while ((i = c)) {
3020 LIST_REMOVE(command, c, i);
3021 exec_command_done(i);
3022 free(i);
3023 }
3024
3025 return NULL;
3026 }
3027
3028 void exec_command_free_array(ExecCommand **c, unsigned n) {
3029 unsigned i;
3030
3031 for (i = 0; i < n; i++)
3032 c[i] = exec_command_free_list(c[i]);
3033 }
3034
3035 typedef struct InvalidEnvInfo {
3036 Unit *unit;
3037 const char *path;
3038 } InvalidEnvInfo;
3039
3040 static void invalid_env(const char *p, void *userdata) {
3041 InvalidEnvInfo *info = userdata;
3042
3043 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
3044 }
3045
3046 const char* exec_context_fdname(const ExecContext *c, int fd_index) {
3047 assert(c);
3048
3049 switch (fd_index) {
3050 case STDIN_FILENO:
3051 if (c->std_input != EXEC_INPUT_NAMED_FD)
3052 return NULL;
3053 return c->stdio_fdname[STDIN_FILENO] ?: "stdin";
3054 case STDOUT_FILENO:
3055 if (c->std_output != EXEC_OUTPUT_NAMED_FD)
3056 return NULL;
3057 return c->stdio_fdname[STDOUT_FILENO] ?: "stdout";
3058 case STDERR_FILENO:
3059 if (c->std_error != EXEC_OUTPUT_NAMED_FD)
3060 return NULL;
3061 return c->stdio_fdname[STDERR_FILENO] ?: "stderr";
3062 default:
3063 return NULL;
3064 }
3065 }
3066
3067 int exec_context_named_iofds(Unit *unit, const ExecContext *c, const ExecParameters *p, int named_iofds[3]) {
3068 unsigned i, targets;
3069 const char *stdio_fdname[3];
3070
3071 assert(c);
3072 assert(p);
3073
3074 targets = (c->std_input == EXEC_INPUT_NAMED_FD) +
3075 (c->std_output == EXEC_OUTPUT_NAMED_FD) +
3076 (c->std_error == EXEC_OUTPUT_NAMED_FD);
3077
3078 for (i = 0; i < 3; i++)
3079 stdio_fdname[i] = exec_context_fdname(c, i);
3080
3081 for (i = 0; i < p->n_fds && targets > 0; i++)
3082 if (named_iofds[STDIN_FILENO] < 0 && c->std_input == EXEC_INPUT_NAMED_FD && stdio_fdname[STDIN_FILENO] && streq(p->fd_names[i], stdio_fdname[STDIN_FILENO])) {
3083 named_iofds[STDIN_FILENO] = p->fds[i];
3084 targets--;
3085 } else if (named_iofds[STDOUT_FILENO] < 0 && c->std_output == EXEC_OUTPUT_NAMED_FD && stdio_fdname[STDOUT_FILENO] && streq(p->fd_names[i], stdio_fdname[STDOUT_FILENO])) {
3086 named_iofds[STDOUT_FILENO] = p->fds[i];
3087 targets--;
3088 } else if (named_iofds[STDERR_FILENO] < 0 && c->std_error == EXEC_OUTPUT_NAMED_FD && stdio_fdname[STDERR_FILENO] && streq(p->fd_names[i], stdio_fdname[STDERR_FILENO])) {
3089 named_iofds[STDERR_FILENO] = p->fds[i];
3090 targets--;
3091 }
3092
3093 return (targets == 0 ? 0 : -ENOENT);
3094 }
3095
3096 int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
3097 char **i, **r = NULL;
3098
3099 assert(c);
3100 assert(l);
3101
3102 STRV_FOREACH(i, c->environment_files) {
3103 char *fn;
3104 int k;
3105 bool ignore = false;
3106 char **p;
3107 _cleanup_globfree_ glob_t pglob = {};
3108 int count, n;
3109
3110 fn = *i;
3111
3112 if (fn[0] == '-') {
3113 ignore = true;
3114 fn++;
3115 }
3116
3117 if (!path_is_absolute(fn)) {
3118 if (ignore)
3119 continue;
3120
3121 strv_free(r);
3122 return -EINVAL;
3123 }
3124
3125 /* Filename supports globbing, take all matching files */
3126 errno = 0;
3127 if (glob(fn, 0, NULL, &pglob) != 0) {
3128 if (ignore)
3129 continue;
3130
3131 strv_free(r);
3132 return errno > 0 ? -errno : -EINVAL;
3133 }
3134 count = pglob.gl_pathc;
3135 if (count == 0) {
3136 if (ignore)
3137 continue;
3138
3139 strv_free(r);
3140 return -EINVAL;
3141 }
3142 for (n = 0; n < count; n++) {
3143 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
3144 if (k < 0) {
3145 if (ignore)
3146 continue;
3147
3148 strv_free(r);
3149 return k;
3150 }
3151 /* Log invalid environment variables with filename */
3152 if (p) {
3153 InvalidEnvInfo info = {
3154 .unit = unit,
3155 .path = pglob.gl_pathv[n]
3156 };
3157
3158 p = strv_env_clean_with_callback(p, invalid_env, &info);
3159 }
3160
3161 if (r == NULL)
3162 r = p;
3163 else {
3164 char **m;
3165
3166 m = strv_env_merge(2, r, p);
3167 strv_free(r);
3168 strv_free(p);
3169 if (!m)
3170 return -ENOMEM;
3171
3172 r = m;
3173 }
3174 }
3175 }
3176
3177 *l = r;
3178
3179 return 0;
3180 }
3181
3182 static bool tty_may_match_dev_console(const char *tty) {
3183 _cleanup_free_ char *active = NULL;
3184 char *console;
3185
3186 if (!tty)
3187 return true;
3188
3189 if (startswith(tty, "/dev/"))
3190 tty += 5;
3191
3192 /* trivial identity? */
3193 if (streq(tty, "console"))
3194 return true;
3195
3196 console = resolve_dev_console(&active);
3197 /* if we could not resolve, assume it may */
3198 if (!console)
3199 return true;
3200
3201 /* "tty0" means the active VC, so it may be the same sometimes */
3202 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
3203 }
3204
3205 bool exec_context_may_touch_console(ExecContext *ec) {
3206
3207 return (ec->tty_reset ||
3208 ec->tty_vhangup ||
3209 ec->tty_vt_disallocate ||
3210 is_terminal_input(ec->std_input) ||
3211 is_terminal_output(ec->std_output) ||
3212 is_terminal_output(ec->std_error)) &&
3213 tty_may_match_dev_console(exec_context_tty_path(ec));
3214 }
3215
3216 static void strv_fprintf(FILE *f, char **l) {
3217 char **g;
3218
3219 assert(f);
3220
3221 STRV_FOREACH(g, l)
3222 fprintf(f, " %s", *g);
3223 }
3224
3225 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
3226 char **e, **d;
3227 unsigned i;
3228
3229 assert(c);
3230 assert(f);
3231
3232 prefix = strempty(prefix);
3233
3234 fprintf(f,
3235 "%sUMask: %04o\n"
3236 "%sWorkingDirectory: %s\n"
3237 "%sRootDirectory: %s\n"
3238 "%sNonBlocking: %s\n"
3239 "%sPrivateTmp: %s\n"
3240 "%sPrivateDevices: %s\n"
3241 "%sProtectKernelTunables: %s\n"
3242 "%sProtectKernelModules: %s\n"
3243 "%sProtectControlGroups: %s\n"
3244 "%sPrivateNetwork: %s\n"
3245 "%sPrivateUsers: %s\n"
3246 "%sProtectHome: %s\n"
3247 "%sProtectSystem: %s\n"
3248 "%sIgnoreSIGPIPE: %s\n"
3249 "%sMemoryDenyWriteExecute: %s\n"
3250 "%sRestrictRealtime: %s\n",
3251 prefix, c->umask,
3252 prefix, c->working_directory ? c->working_directory : "/",
3253 prefix, c->root_directory ? c->root_directory : "/",
3254 prefix, yes_no(c->non_blocking),
3255 prefix, yes_no(c->private_tmp),
3256 prefix, yes_no(c->private_devices),
3257 prefix, yes_no(c->protect_kernel_tunables),
3258 prefix, yes_no(c->protect_kernel_modules),
3259 prefix, yes_no(c->protect_control_groups),
3260 prefix, yes_no(c->private_network),
3261 prefix, yes_no(c->private_users),
3262 prefix, protect_home_to_string(c->protect_home),
3263 prefix, protect_system_to_string(c->protect_system),
3264 prefix, yes_no(c->ignore_sigpipe),
3265 prefix, yes_no(c->memory_deny_write_execute),
3266 prefix, yes_no(c->restrict_realtime));
3267
3268 STRV_FOREACH(e, c->environment)
3269 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
3270
3271 STRV_FOREACH(e, c->environment_files)
3272 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
3273
3274 STRV_FOREACH(e, c->pass_environment)
3275 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
3276
3277 fprintf(f, "%sRuntimeDirectoryMode: %04o\n", prefix, c->runtime_directory_mode);
3278
3279 STRV_FOREACH(d, c->runtime_directory)
3280 fprintf(f, "%sRuntimeDirectory: %s\n", prefix, *d);
3281
3282 if (c->nice_set)
3283 fprintf(f,
3284 "%sNice: %i\n",
3285 prefix, c->nice);
3286
3287 if (c->oom_score_adjust_set)
3288 fprintf(f,
3289 "%sOOMScoreAdjust: %i\n",
3290 prefix, c->oom_score_adjust);
3291
3292 for (i = 0; i < RLIM_NLIMITS; i++)
3293 if (c->rlimit[i]) {
3294 fprintf(f, "%s%s: " RLIM_FMT "\n",
3295 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
3296 fprintf(f, "%s%sSoft: " RLIM_FMT "\n",
3297 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
3298 }
3299
3300 if (c->ioprio_set) {
3301 _cleanup_free_ char *class_str = NULL;
3302
3303 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
3304 fprintf(f,
3305 "%sIOSchedulingClass: %s\n"
3306 "%sIOPriority: %i\n",
3307 prefix, strna(class_str),
3308 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
3309 }
3310
3311 if (c->cpu_sched_set) {
3312 _cleanup_free_ char *policy_str = NULL;
3313
3314 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
3315 fprintf(f,
3316 "%sCPUSchedulingPolicy: %s\n"
3317 "%sCPUSchedulingPriority: %i\n"
3318 "%sCPUSchedulingResetOnFork: %s\n",
3319 prefix, strna(policy_str),
3320 prefix, c->cpu_sched_priority,
3321 prefix, yes_no(c->cpu_sched_reset_on_fork));
3322 }
3323
3324 if (c->cpuset) {
3325 fprintf(f, "%sCPUAffinity:", prefix);
3326 for (i = 0; i < c->cpuset_ncpus; i++)
3327 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
3328 fprintf(f, " %u", i);
3329 fputs("\n", f);
3330 }
3331
3332 if (c->timer_slack_nsec != NSEC_INFINITY)
3333 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
3334
3335 fprintf(f,
3336 "%sStandardInput: %s\n"
3337 "%sStandardOutput: %s\n"
3338 "%sStandardError: %s\n",
3339 prefix, exec_input_to_string(c->std_input),
3340 prefix, exec_output_to_string(c->std_output),
3341 prefix, exec_output_to_string(c->std_error));
3342
3343 if (c->tty_path)
3344 fprintf(f,
3345 "%sTTYPath: %s\n"
3346 "%sTTYReset: %s\n"
3347 "%sTTYVHangup: %s\n"
3348 "%sTTYVTDisallocate: %s\n",
3349 prefix, c->tty_path,
3350 prefix, yes_no(c->tty_reset),
3351 prefix, yes_no(c->tty_vhangup),
3352 prefix, yes_no(c->tty_vt_disallocate));
3353
3354 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
3355 c->std_output == EXEC_OUTPUT_KMSG ||
3356 c->std_output == EXEC_OUTPUT_JOURNAL ||
3357 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3358 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3359 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
3360 c->std_error == EXEC_OUTPUT_SYSLOG ||
3361 c->std_error == EXEC_OUTPUT_KMSG ||
3362 c->std_error == EXEC_OUTPUT_JOURNAL ||
3363 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3364 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3365 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
3366
3367 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
3368
3369 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
3370 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
3371
3372 fprintf(f,
3373 "%sSyslogFacility: %s\n"
3374 "%sSyslogLevel: %s\n",
3375 prefix, strna(fac_str),
3376 prefix, strna(lvl_str));
3377 }
3378
3379 if (c->secure_bits)
3380 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
3381 prefix,
3382 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
3383 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
3384 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
3385 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
3386 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
3387 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
3388
3389 if (c->capability_bounding_set != CAP_ALL) {
3390 unsigned long l;
3391 fprintf(f, "%sCapabilityBoundingSet:", prefix);
3392
3393 for (l = 0; l <= cap_last_cap(); l++)
3394 if (c->capability_bounding_set & (UINT64_C(1) << l))
3395 fprintf(f, " %s", strna(capability_to_name(l)));
3396
3397 fputs("\n", f);
3398 }
3399
3400 if (c->capability_ambient_set != 0) {
3401 unsigned long l;
3402 fprintf(f, "%sAmbientCapabilities:", prefix);
3403
3404 for (l = 0; l <= cap_last_cap(); l++)
3405 if (c->capability_ambient_set & (UINT64_C(1) << l))
3406 fprintf(f, " %s", strna(capability_to_name(l)));
3407
3408 fputs("\n", f);
3409 }
3410
3411 if (c->user)
3412 fprintf(f, "%sUser: %s\n", prefix, c->user);
3413 if (c->group)
3414 fprintf(f, "%sGroup: %s\n", prefix, c->group);
3415
3416 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
3417
3418 if (strv_length(c->supplementary_groups) > 0) {
3419 fprintf(f, "%sSupplementaryGroups:", prefix);
3420 strv_fprintf(f, c->supplementary_groups);
3421 fputs("\n", f);
3422 }
3423
3424 if (c->pam_name)
3425 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
3426
3427 if (strv_length(c->read_write_paths) > 0) {
3428 fprintf(f, "%sReadWritePaths:", prefix);
3429 strv_fprintf(f, c->read_write_paths);
3430 fputs("\n", f);
3431 }
3432
3433 if (strv_length(c->read_only_paths) > 0) {
3434 fprintf(f, "%sReadOnlyPaths:", prefix);
3435 strv_fprintf(f, c->read_only_paths);
3436 fputs("\n", f);
3437 }
3438
3439 if (strv_length(c->inaccessible_paths) > 0) {
3440 fprintf(f, "%sInaccessiblePaths:", prefix);
3441 strv_fprintf(f, c->inaccessible_paths);
3442 fputs("\n", f);
3443 }
3444
3445 if (c->utmp_id)
3446 fprintf(f,
3447 "%sUtmpIdentifier: %s\n",
3448 prefix, c->utmp_id);
3449
3450 if (c->selinux_context)
3451 fprintf(f,
3452 "%sSELinuxContext: %s%s\n",
3453 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
3454
3455 if (c->personality != PERSONALITY_INVALID)
3456 fprintf(f,
3457 "%sPersonality: %s\n",
3458 prefix, strna(personality_to_string(c->personality)));
3459
3460 if (c->syscall_filter) {
3461 #ifdef HAVE_SECCOMP
3462 Iterator j;
3463 void *id;
3464 bool first = true;
3465 #endif
3466
3467 fprintf(f,
3468 "%sSystemCallFilter: ",
3469 prefix);
3470
3471 if (!c->syscall_whitelist)
3472 fputc('~', f);
3473
3474 #ifdef HAVE_SECCOMP
3475 SET_FOREACH(id, c->syscall_filter, j) {
3476 _cleanup_free_ char *name = NULL;
3477
3478 if (first)
3479 first = false;
3480 else
3481 fputc(' ', f);
3482
3483 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
3484 fputs(strna(name), f);
3485 }
3486 #endif
3487
3488 fputc('\n', f);
3489 }
3490
3491 if (c->syscall_archs) {
3492 #ifdef HAVE_SECCOMP
3493 Iterator j;
3494 void *id;
3495 #endif
3496
3497 fprintf(f,
3498 "%sSystemCallArchitectures:",
3499 prefix);
3500
3501 #ifdef HAVE_SECCOMP
3502 SET_FOREACH(id, c->syscall_archs, j)
3503 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
3504 #endif
3505 fputc('\n', f);
3506 }
3507
3508 if (c->syscall_errno > 0)
3509 fprintf(f,
3510 "%sSystemCallErrorNumber: %s\n",
3511 prefix, strna(errno_to_name(c->syscall_errno)));
3512
3513 if (c->apparmor_profile)
3514 fprintf(f,
3515 "%sAppArmorProfile: %s%s\n",
3516 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
3517 }
3518
3519 bool exec_context_maintains_privileges(ExecContext *c) {
3520 assert(c);
3521
3522 /* Returns true if the process forked off would run under
3523 * an unchanged UID or as root. */
3524
3525 if (!c->user)
3526 return true;
3527
3528 if (streq(c->user, "root") || streq(c->user, "0"))
3529 return true;
3530
3531 return false;
3532 }
3533
3534 void exec_status_start(ExecStatus *s, pid_t pid) {
3535 assert(s);
3536
3537 zero(*s);
3538 s->pid = pid;
3539 dual_timestamp_get(&s->start_timestamp);
3540 }
3541
3542 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
3543 assert(s);
3544
3545 if (s->pid && s->pid != pid)
3546 zero(*s);
3547
3548 s->pid = pid;
3549 dual_timestamp_get(&s->exit_timestamp);
3550
3551 s->code = code;
3552 s->status = status;
3553
3554 if (context) {
3555 if (context->utmp_id)
3556 utmp_put_dead_process(context->utmp_id, pid, code, status);
3557
3558 exec_context_tty_reset(context, NULL);
3559 }
3560 }
3561
3562 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
3563 char buf[FORMAT_TIMESTAMP_MAX];
3564
3565 assert(s);
3566 assert(f);
3567
3568 if (s->pid <= 0)
3569 return;
3570
3571 prefix = strempty(prefix);
3572
3573 fprintf(f,
3574 "%sPID: "PID_FMT"\n",
3575 prefix, s->pid);
3576
3577 if (dual_timestamp_is_set(&s->start_timestamp))
3578 fprintf(f,
3579 "%sStart Timestamp: %s\n",
3580 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
3581
3582 if (dual_timestamp_is_set(&s->exit_timestamp))
3583 fprintf(f,
3584 "%sExit Timestamp: %s\n"
3585 "%sExit Code: %s\n"
3586 "%sExit Status: %i\n",
3587 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
3588 prefix, sigchld_code_to_string(s->code),
3589 prefix, s->status);
3590 }
3591
3592 char *exec_command_line(char **argv) {
3593 size_t k;
3594 char *n, *p, **a;
3595 bool first = true;
3596
3597 assert(argv);
3598
3599 k = 1;
3600 STRV_FOREACH(a, argv)
3601 k += strlen(*a)+3;
3602
3603 if (!(n = new(char, k)))
3604 return NULL;
3605
3606 p = n;
3607 STRV_FOREACH(a, argv) {
3608
3609 if (!first)
3610 *(p++) = ' ';
3611 else
3612 first = false;
3613
3614 if (strpbrk(*a, WHITESPACE)) {
3615 *(p++) = '\'';
3616 p = stpcpy(p, *a);
3617 *(p++) = '\'';
3618 } else
3619 p = stpcpy(p, *a);
3620
3621 }
3622
3623 *p = 0;
3624
3625 /* FIXME: this doesn't really handle arguments that have
3626 * spaces and ticks in them */
3627
3628 return n;
3629 }
3630
3631 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
3632 _cleanup_free_ char *cmd = NULL;
3633 const char *prefix2;
3634
3635 assert(c);
3636 assert(f);
3637
3638 prefix = strempty(prefix);
3639 prefix2 = strjoina(prefix, "\t");
3640
3641 cmd = exec_command_line(c->argv);
3642 fprintf(f,
3643 "%sCommand Line: %s\n",
3644 prefix, cmd ? cmd : strerror(ENOMEM));
3645
3646 exec_status_dump(&c->exec_status, f, prefix2);
3647 }
3648
3649 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
3650 assert(f);
3651
3652 prefix = strempty(prefix);
3653
3654 LIST_FOREACH(command, c, c)
3655 exec_command_dump(c, f, prefix);
3656 }
3657
3658 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
3659 ExecCommand *end;
3660
3661 assert(l);
3662 assert(e);
3663
3664 if (*l) {
3665 /* It's kind of important, that we keep the order here */
3666 LIST_FIND_TAIL(command, *l, end);
3667 LIST_INSERT_AFTER(command, *l, end, e);
3668 } else
3669 *l = e;
3670 }
3671
3672 int exec_command_set(ExecCommand *c, const char *path, ...) {
3673 va_list ap;
3674 char **l, *p;
3675
3676 assert(c);
3677 assert(path);
3678
3679 va_start(ap, path);
3680 l = strv_new_ap(path, ap);
3681 va_end(ap);
3682
3683 if (!l)
3684 return -ENOMEM;
3685
3686 p = strdup(path);
3687 if (!p) {
3688 strv_free(l);
3689 return -ENOMEM;
3690 }
3691
3692 free(c->path);
3693 c->path = p;
3694
3695 strv_free(c->argv);
3696 c->argv = l;
3697
3698 return 0;
3699 }
3700
3701 int exec_command_append(ExecCommand *c, const char *path, ...) {
3702 _cleanup_strv_free_ char **l = NULL;
3703 va_list ap;
3704 int r;
3705
3706 assert(c);
3707 assert(path);
3708
3709 va_start(ap, path);
3710 l = strv_new_ap(path, ap);
3711 va_end(ap);
3712
3713 if (!l)
3714 return -ENOMEM;
3715
3716 r = strv_extend_strv(&c->argv, l, false);
3717 if (r < 0)
3718 return r;
3719
3720 return 0;
3721 }
3722
3723
3724 static int exec_runtime_allocate(ExecRuntime **rt) {
3725
3726 if (*rt)
3727 return 0;
3728
3729 *rt = new0(ExecRuntime, 1);
3730 if (!*rt)
3731 return -ENOMEM;
3732
3733 (*rt)->n_ref = 1;
3734 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
3735
3736 return 0;
3737 }
3738
3739 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
3740 int r;
3741
3742 assert(rt);
3743 assert(c);
3744 assert(id);
3745
3746 if (*rt)
3747 return 1;
3748
3749 if (!c->private_network && !c->private_tmp)
3750 return 0;
3751
3752 r = exec_runtime_allocate(rt);
3753 if (r < 0)
3754 return r;
3755
3756 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
3757 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, (*rt)->netns_storage_socket) < 0)
3758 return -errno;
3759 }
3760
3761 if (c->private_tmp && !(*rt)->tmp_dir) {
3762 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
3763 if (r < 0)
3764 return r;
3765 }
3766
3767 return 1;
3768 }
3769
3770 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
3771 assert(r);
3772 assert(r->n_ref > 0);
3773
3774 r->n_ref++;
3775 return r;
3776 }
3777
3778 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
3779
3780 if (!r)
3781 return NULL;
3782
3783 assert(r->n_ref > 0);
3784
3785 r->n_ref--;
3786 if (r->n_ref > 0)
3787 return NULL;
3788
3789 free(r->tmp_dir);
3790 free(r->var_tmp_dir);
3791 safe_close_pair(r->netns_storage_socket);
3792 return mfree(r);
3793 }
3794
3795 int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
3796 assert(u);
3797 assert(f);
3798 assert(fds);
3799
3800 if (!rt)
3801 return 0;
3802
3803 if (rt->tmp_dir)
3804 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
3805
3806 if (rt->var_tmp_dir)
3807 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
3808
3809 if (rt->netns_storage_socket[0] >= 0) {
3810 int copy;
3811
3812 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
3813 if (copy < 0)
3814 return copy;
3815
3816 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
3817 }
3818
3819 if (rt->netns_storage_socket[1] >= 0) {
3820 int copy;
3821
3822 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
3823 if (copy < 0)
3824 return copy;
3825
3826 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
3827 }
3828
3829 return 0;
3830 }
3831
3832 int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
3833 int r;
3834
3835 assert(rt);
3836 assert(key);
3837 assert(value);
3838
3839 if (streq(key, "tmp-dir")) {
3840 char *copy;
3841
3842 r = exec_runtime_allocate(rt);
3843 if (r < 0)
3844 return log_oom();
3845
3846 copy = strdup(value);
3847 if (!copy)
3848 return log_oom();
3849
3850 free((*rt)->tmp_dir);
3851 (*rt)->tmp_dir = copy;
3852
3853 } else if (streq(key, "var-tmp-dir")) {
3854 char *copy;
3855
3856 r = exec_runtime_allocate(rt);
3857 if (r < 0)
3858 return log_oom();
3859
3860 copy = strdup(value);
3861 if (!copy)
3862 return log_oom();
3863
3864 free((*rt)->var_tmp_dir);
3865 (*rt)->var_tmp_dir = copy;
3866
3867 } else if (streq(key, "netns-socket-0")) {
3868 int fd;
3869
3870 r = exec_runtime_allocate(rt);
3871 if (r < 0)
3872 return log_oom();
3873
3874 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
3875 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
3876 else {
3877 safe_close((*rt)->netns_storage_socket[0]);
3878 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
3879 }
3880 } else if (streq(key, "netns-socket-1")) {
3881 int fd;
3882
3883 r = exec_runtime_allocate(rt);
3884 if (r < 0)
3885 return log_oom();
3886
3887 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
3888 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
3889 else {
3890 safe_close((*rt)->netns_storage_socket[1]);
3891 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
3892 }
3893 } else
3894 return 0;
3895
3896 return 1;
3897 }
3898
3899 static void *remove_tmpdir_thread(void *p) {
3900 _cleanup_free_ char *path = p;
3901
3902 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
3903 return NULL;
3904 }
3905
3906 void exec_runtime_destroy(ExecRuntime *rt) {
3907 int r;
3908
3909 if (!rt)
3910 return;
3911
3912 /* If there are multiple users of this, let's leave the stuff around */
3913 if (rt->n_ref > 1)
3914 return;
3915
3916 if (rt->tmp_dir) {
3917 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
3918
3919 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
3920 if (r < 0) {
3921 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
3922 free(rt->tmp_dir);
3923 }
3924
3925 rt->tmp_dir = NULL;
3926 }
3927
3928 if (rt->var_tmp_dir) {
3929 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
3930
3931 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
3932 if (r < 0) {
3933 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
3934 free(rt->var_tmp_dir);
3935 }
3936
3937 rt->var_tmp_dir = NULL;
3938 }
3939
3940 safe_close_pair(rt->netns_storage_socket);
3941 }
3942
3943 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
3944 [EXEC_INPUT_NULL] = "null",
3945 [EXEC_INPUT_TTY] = "tty",
3946 [EXEC_INPUT_TTY_FORCE] = "tty-force",
3947 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
3948 [EXEC_INPUT_SOCKET] = "socket",
3949 [EXEC_INPUT_NAMED_FD] = "fd",
3950 };
3951
3952 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
3953
3954 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
3955 [EXEC_OUTPUT_INHERIT] = "inherit",
3956 [EXEC_OUTPUT_NULL] = "null",
3957 [EXEC_OUTPUT_TTY] = "tty",
3958 [EXEC_OUTPUT_SYSLOG] = "syslog",
3959 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
3960 [EXEC_OUTPUT_KMSG] = "kmsg",
3961 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
3962 [EXEC_OUTPUT_JOURNAL] = "journal",
3963 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
3964 [EXEC_OUTPUT_SOCKET] = "socket",
3965 [EXEC_OUTPUT_NAMED_FD] = "fd",
3966 };
3967
3968 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
3969
3970 static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
3971 [EXEC_UTMP_INIT] = "init",
3972 [EXEC_UTMP_LOGIN] = "login",
3973 [EXEC_UTMP_USER] = "user",
3974 };
3975
3976 DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
Unnamed repository; edit this file 'description' to name the repository.