]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/execute.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
core: grant user@.service instances write access to their own cgroup
[thirdparty/systemd.git] / src / core / execute.c
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2
3 /***
4 This file is part of systemd.
5
6 Copyright 2010 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
17
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 ***/
21
22 #include <assert.h>
23 #include <dirent.h>
24 #include <errno.h>
25 #include <fcntl.h>
26 #include <unistd.h>
27 #include <string.h>
28 #include <signal.h>
29 #include <sys/socket.h>
30 #include <sys/un.h>
31 #include <sys/prctl.h>
32 #include <linux/sched.h>
33 #include <sys/types.h>
34 #include <sys/stat.h>
35 #include <grp.h>
36 #include <pwd.h>
37 #include <sys/mount.h>
38 #include <linux/fs.h>
39 #include <linux/oom.h>
40 #include <sys/poll.h>
41 #include <linux/seccomp-bpf.h>
42 #include <glob.h>
43 #include <libgen.h>
44
45 #ifdef HAVE_PAM
46 #include <security/pam_appl.h>
47 #endif
48
49 #include "execute.h"
50 #include "strv.h"
51 #include "macro.h"
52 #include "capability.h"
53 #include "util.h"
54 #include "log.h"
55 #include "sd-messages.h"
56 #include "ioprio.h"
57 #include "securebits.h"
58 #include "namespace.h"
59 #include "tcpwrap.h"
60 #include "exit-status.h"
61 #include "missing.h"
62 #include "utmp-wtmp.h"
63 #include "def.h"
64 #include "loopback-setup.h"
65 #include "path-util.h"
66 #include "syscall-list.h"
67 #include "env-util.h"
68 #include "fileio.h"
69 #include "unit.h"
70
71 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
72
73 /* This assumes there is a 'tty' group */
74 #define TTY_MODE 0620
75
76 static int shift_fds(int fds[], unsigned n_fds) {
77 int start, restart_from;
78
79 if (n_fds <= 0)
80 return 0;
81
82 /* Modifies the fds array! (sorts it) */
83
84 assert(fds);
85
86 start = 0;
87 for (;;) {
88 int i;
89
90 restart_from = -1;
91
92 for (i = start; i < (int) n_fds; i++) {
93 int nfd;
94
95 /* Already at right index? */
96 if (fds[i] == i+3)
97 continue;
98
99 if ((nfd = fcntl(fds[i], F_DUPFD, i+3)) < 0)
100 return -errno;
101
102 close_nointr_nofail(fds[i]);
103 fds[i] = nfd;
104
105 /* Hmm, the fd we wanted isn't free? Then
106 * let's remember that and try again from here*/
107 if (nfd != i+3 && restart_from < 0)
108 restart_from = i;
109 }
110
111 if (restart_from < 0)
112 break;
113
114 start = restart_from;
115 }
116
117 return 0;
118 }
119
120 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
121 unsigned i;
122 int r;
123
124 if (n_fds <= 0)
125 return 0;
126
127 assert(fds);
128
129 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
130
131 for (i = 0; i < n_fds; i++) {
132
133 if ((r = fd_nonblock(fds[i], nonblock)) < 0)
134 return r;
135
136 /* We unconditionally drop FD_CLOEXEC from the fds,
137 * since after all we want to pass these fds to our
138 * children */
139
140 if ((r = fd_cloexec(fds[i], false)) < 0)
141 return r;
142 }
143
144 return 0;
145 }
146
147 _pure_ static const char *tty_path(const ExecContext *context) {
148 assert(context);
149
150 if (context->tty_path)
151 return context->tty_path;
152
153 return "/dev/console";
154 }
155
156 void exec_context_tty_reset(const ExecContext *context) {
157 assert(context);
158
159 if (context->tty_vhangup)
160 terminal_vhangup(tty_path(context));
161
162 if (context->tty_reset)
163 reset_terminal(tty_path(context));
164
165 if (context->tty_vt_disallocate && context->tty_path)
166 vt_disallocate(context->tty_path);
167 }
168
169 static bool is_terminal_output(ExecOutput o) {
170 return
171 o == EXEC_OUTPUT_TTY ||
172 o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
173 o == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
174 o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE;
175 }
176
177 void exec_context_serialize(const ExecContext *context, Unit *u, FILE *f) {
178 assert(context);
179 assert(u);
180 assert(f);
181
182 if (context->tmp_dir)
183 unit_serialize_item(u, f, "tmp-dir", context->tmp_dir);
184
185 if (context->var_tmp_dir)
186 unit_serialize_item(u, f, "var-tmp-dir", context->var_tmp_dir);
187 }
188
189 static int open_null_as(int flags, int nfd) {
190 int fd, r;
191
192 assert(nfd >= 0);
193
194 if ((fd = open("/dev/null", flags|O_NOCTTY)) < 0)
195 return -errno;
196
197 if (fd != nfd) {
198 r = dup2(fd, nfd) < 0 ? -errno : nfd;
199 close_nointr_nofail(fd);
200 } else
201 r = nfd;
202
203 return r;
204 }
205
206 static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd) {
207 int fd, r;
208 union sockaddr_union sa = {
209 .un.sun_family = AF_UNIX,
210 .un.sun_path = "/run/systemd/journal/stdout",
211 };
212
213 assert(context);
214 assert(output < _EXEC_OUTPUT_MAX);
215 assert(ident);
216 assert(nfd >= 0);
217
218 fd = socket(AF_UNIX, SOCK_STREAM, 0);
219 if (fd < 0)
220 return -errno;
221
222 r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path));
223 if (r < 0) {
224 close_nointr_nofail(fd);
225 return -errno;
226 }
227
228 if (shutdown(fd, SHUT_RD) < 0) {
229 close_nointr_nofail(fd);
230 return -errno;
231 }
232
233 dprintf(fd,
234 "%s\n"
235 "%s\n"
236 "%i\n"
237 "%i\n"
238 "%i\n"
239 "%i\n"
240 "%i\n",
241 context->syslog_identifier ? context->syslog_identifier : ident,
242 unit_id,
243 context->syslog_priority,
244 !!context->syslog_level_prefix,
245 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
246 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
247 is_terminal_output(output));
248
249 if (fd != nfd) {
250 r = dup2(fd, nfd) < 0 ? -errno : nfd;
251 close_nointr_nofail(fd);
252 } else
253 r = nfd;
254
255 return r;
256 }
257 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
258 int fd, r;
259
260 assert(path);
261 assert(nfd >= 0);
262
263 if ((fd = open_terminal(path, mode | O_NOCTTY)) < 0)
264 return fd;
265
266 if (fd != nfd) {
267 r = dup2(fd, nfd) < 0 ? -errno : nfd;
268 close_nointr_nofail(fd);
269 } else
270 r = nfd;
271
272 return r;
273 }
274
275 static bool is_terminal_input(ExecInput i) {
276 return
277 i == EXEC_INPUT_TTY ||
278 i == EXEC_INPUT_TTY_FORCE ||
279 i == EXEC_INPUT_TTY_FAIL;
280 }
281
282 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
283
284 if (is_terminal_input(std_input) && !apply_tty_stdin)
285 return EXEC_INPUT_NULL;
286
287 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
288 return EXEC_INPUT_NULL;
289
290 return std_input;
291 }
292
293 static int fixup_output(ExecOutput std_output, int socket_fd) {
294
295 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
296 return EXEC_OUTPUT_INHERIT;
297
298 return std_output;
299 }
300
301 static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty_stdin) {
302 ExecInput i;
303
304 assert(context);
305
306 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
307
308 switch (i) {
309
310 case EXEC_INPUT_NULL:
311 return open_null_as(O_RDONLY, STDIN_FILENO);
312
313 case EXEC_INPUT_TTY:
314 case EXEC_INPUT_TTY_FORCE:
315 case EXEC_INPUT_TTY_FAIL: {
316 int fd, r;
317
318 if ((fd = acquire_terminal(
319 tty_path(context),
320 i == EXEC_INPUT_TTY_FAIL,
321 i == EXEC_INPUT_TTY_FORCE,
322 false,
323 (usec_t) -1)) < 0)
324 return fd;
325
326 if (fd != STDIN_FILENO) {
327 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
328 close_nointr_nofail(fd);
329 } else
330 r = STDIN_FILENO;
331
332 return r;
333 }
334
335 case EXEC_INPUT_SOCKET:
336 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
337
338 default:
339 assert_not_reached("Unknown input type");
340 }
341 }
342
343 static int setup_output(const ExecContext *context, int fileno, int socket_fd, const char *ident, const char *unit_id, bool apply_tty_stdin) {
344 ExecOutput o;
345 ExecInput i;
346 int r;
347
348 assert(context);
349 assert(ident);
350
351 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
352 o = fixup_output(context->std_output, socket_fd);
353
354 if (fileno == STDERR_FILENO) {
355 ExecOutput e;
356 e = fixup_output(context->std_error, socket_fd);
357
358 /* This expects the input and output are already set up */
359
360 /* Don't change the stderr file descriptor if we inherit all
361 * the way and are not on a tty */
362 if (e == EXEC_OUTPUT_INHERIT &&
363 o == EXEC_OUTPUT_INHERIT &&
364 i == EXEC_INPUT_NULL &&
365 !is_terminal_input(context->std_input) &&
366 getppid () != 1)
367 return fileno;
368
369 /* Duplicate from stdout if possible */
370 if (e == o || e == EXEC_OUTPUT_INHERIT)
371 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
372
373 o = e;
374
375 } else if (o == EXEC_OUTPUT_INHERIT) {
376 /* If input got downgraded, inherit the original value */
377 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
378 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
379
380 /* If the input is connected to anything that's not a /dev/null, inherit that... */
381 if (i != EXEC_INPUT_NULL)
382 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
383
384 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
385 if (getppid() != 1)
386 return fileno;
387
388 /* We need to open /dev/null here anew, to get the right access mode. */
389 return open_null_as(O_WRONLY, fileno);
390 }
391
392 switch (o) {
393
394 case EXEC_OUTPUT_NULL:
395 return open_null_as(O_WRONLY, fileno);
396
397 case EXEC_OUTPUT_TTY:
398 if (is_terminal_input(i))
399 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
400
401 /* We don't reset the terminal if this is just about output */
402 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
403
404 case EXEC_OUTPUT_SYSLOG:
405 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
406 case EXEC_OUTPUT_KMSG:
407 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
408 case EXEC_OUTPUT_JOURNAL:
409 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
410 r = connect_logger_as(context, o, ident, unit_id, fileno);
411 if (r < 0) {
412 log_struct_unit(LOG_CRIT, unit_id,
413 "MESSAGE=Failed to connect std%s of %s to the journal socket: %s",
414 fileno == STDOUT_FILENO ? "out" : "err",
415 unit_id, strerror(-r),
416 "ERRNO=%d", -r,
417 NULL);
418 r = open_null_as(O_WRONLY, fileno);
419 }
420 return r;
421
422 case EXEC_OUTPUT_SOCKET:
423 assert(socket_fd >= 0);
424 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
425
426 default:
427 assert_not_reached("Unknown error type");
428 }
429 }
430
431 static int chown_terminal(int fd, uid_t uid) {
432 struct stat st;
433
434 assert(fd >= 0);
435
436 /* This might fail. What matters are the results. */
437 (void) fchown(fd, uid, -1);
438 (void) fchmod(fd, TTY_MODE);
439
440 if (fstat(fd, &st) < 0)
441 return -errno;
442
443 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
444 return -EPERM;
445
446 return 0;
447 }
448
449 static int setup_confirm_stdio(int *_saved_stdin,
450 int *_saved_stdout) {
451 int fd = -1, saved_stdin, saved_stdout = -1, r;
452
453 assert(_saved_stdin);
454 assert(_saved_stdout);
455
456 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
457 if (saved_stdin < 0)
458 return -errno;
459
460 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
461 if (saved_stdout < 0) {
462 r = errno;
463 goto fail;
464 }
465
466 fd = acquire_terminal(
467 "/dev/console",
468 false,
469 false,
470 false,
471 DEFAULT_CONFIRM_USEC);
472 if (fd < 0) {
473 r = fd;
474 goto fail;
475 }
476
477 r = chown_terminal(fd, getuid());
478 if (r < 0)
479 goto fail;
480
481 if (dup2(fd, STDIN_FILENO) < 0) {
482 r = -errno;
483 goto fail;
484 }
485
486 if (dup2(fd, STDOUT_FILENO) < 0) {
487 r = -errno;
488 goto fail;
489 }
490
491 if (fd >= 2)
492 close_nointr_nofail(fd);
493
494 *_saved_stdin = saved_stdin;
495 *_saved_stdout = saved_stdout;
496
497 return 0;
498
499 fail:
500 if (saved_stdout >= 0)
501 close_nointr_nofail(saved_stdout);
502
503 if (saved_stdin >= 0)
504 close_nointr_nofail(saved_stdin);
505
506 if (fd >= 0)
507 close_nointr_nofail(fd);
508
509 return r;
510 }
511
512 _printf_attr_(1, 2) static int write_confirm_message(const char *format, ...) {
513 int fd;
514 va_list ap;
515
516 assert(format);
517
518 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
519 if (fd < 0)
520 return fd;
521
522 va_start(ap, format);
523 vdprintf(fd, format, ap);
524 va_end(ap);
525
526 close_nointr_nofail(fd);
527
528 return 0;
529 }
530
531 static int restore_confirm_stdio(int *saved_stdin,
532 int *saved_stdout) {
533
534 int r = 0;
535
536 assert(saved_stdin);
537 assert(saved_stdout);
538
539 release_terminal();
540
541 if (*saved_stdin >= 0)
542 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
543 r = -errno;
544
545 if (*saved_stdout >= 0)
546 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
547 r = -errno;
548
549 if (*saved_stdin >= 0)
550 close_nointr_nofail(*saved_stdin);
551
552 if (*saved_stdout >= 0)
553 close_nointr_nofail(*saved_stdout);
554
555 return r;
556 }
557
558 static int ask_for_confirmation(char *response, char **argv) {
559 int saved_stdout = -1, saved_stdin = -1, r;
560 char *line;
561
562 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
563 if (r < 0)
564 return r;
565
566 line = exec_command_line(argv);
567 if (!line)
568 return -ENOMEM;
569
570 r = ask(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
571 free(line);
572
573 restore_confirm_stdio(&saved_stdin, &saved_stdout);
574
575 return r;
576 }
577
578 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
579 bool keep_groups = false;
580 int r;
581
582 assert(context);
583
584 /* Lookup and set GID and supplementary group list. Here too
585 * we avoid NSS lookups for gid=0. */
586
587 if (context->group || username) {
588
589 if (context->group) {
590 const char *g = context->group;
591
592 if ((r = get_group_creds(&g, &gid)) < 0)
593 return r;
594 }
595
596 /* First step, initialize groups from /etc/groups */
597 if (username && gid != 0) {
598 if (initgroups(username, gid) < 0)
599 return -errno;
600
601 keep_groups = true;
602 }
603
604 /* Second step, set our gids */
605 if (setresgid(gid, gid, gid) < 0)
606 return -errno;
607 }
608
609 if (context->supplementary_groups) {
610 int ngroups_max, k;
611 gid_t *gids;
612 char **i;
613
614 /* Final step, initialize any manually set supplementary groups */
615 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
616
617 if (!(gids = new(gid_t, ngroups_max)))
618 return -ENOMEM;
619
620 if (keep_groups) {
621 if ((k = getgroups(ngroups_max, gids)) < 0) {
622 free(gids);
623 return -errno;
624 }
625 } else
626 k = 0;
627
628 STRV_FOREACH(i, context->supplementary_groups) {
629 const char *g;
630
631 if (k >= ngroups_max) {
632 free(gids);
633 return -E2BIG;
634 }
635
636 g = *i;
637 r = get_group_creds(&g, gids+k);
638 if (r < 0) {
639 free(gids);
640 return r;
641 }
642
643 k++;
644 }
645
646 if (setgroups(k, gids) < 0) {
647 free(gids);
648 return -errno;
649 }
650
651 free(gids);
652 }
653
654 return 0;
655 }
656
657 static int enforce_user(const ExecContext *context, uid_t uid) {
658 int r;
659 assert(context);
660
661 /* Sets (but doesn't lookup) the uid and make sure we keep the
662 * capabilities while doing so. */
663
664 if (context->capabilities) {
665 cap_t d;
666 static const cap_value_t bits[] = {
667 CAP_SETUID, /* Necessary so that we can run setresuid() below */
668 CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
669 };
670
671 /* First step: If we need to keep capabilities but
672 * drop privileges we need to make sure we keep our
673 * caps, while we drop privileges. */
674 if (uid != 0) {
675 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
676
677 if (prctl(PR_GET_SECUREBITS) != sb)
678 if (prctl(PR_SET_SECUREBITS, sb) < 0)
679 return -errno;
680 }
681
682 /* Second step: set the capabilities. This will reduce
683 * the capabilities to the minimum we need. */
684
685 if (!(d = cap_dup(context->capabilities)))
686 return -errno;
687
688 if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
689 cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0) {
690 r = -errno;
691 cap_free(d);
692 return r;
693 }
694
695 if (cap_set_proc(d) < 0) {
696 r = -errno;
697 cap_free(d);
698 return r;
699 }
700
701 cap_free(d);
702 }
703
704 /* Third step: actually set the uids */
705 if (setresuid(uid, uid, uid) < 0)
706 return -errno;
707
708 /* At this point we should have all necessary capabilities but
709 are otherwise a normal user. However, the caps might got
710 corrupted due to the setresuid() so we need clean them up
711 later. This is done outside of this call. */
712
713 return 0;
714 }
715
716 #ifdef HAVE_PAM
717
718 static int null_conv(
719 int num_msg,
720 const struct pam_message **msg,
721 struct pam_response **resp,
722 void *appdata_ptr) {
723
724 /* We don't support conversations */
725
726 return PAM_CONV_ERR;
727 }
728
729 static int setup_pam(
730 const char *name,
731 const char *user,
732 uid_t uid,
733 const char *tty,
734 char ***pam_env,
735 int fds[], unsigned n_fds) {
736
737 static const struct pam_conv conv = {
738 .conv = null_conv,
739 .appdata_ptr = NULL
740 };
741
742 pam_handle_t *handle = NULL;
743 sigset_t ss, old_ss;
744 int pam_code = PAM_SUCCESS;
745 int err;
746 char **e = NULL;
747 bool close_session = false;
748 pid_t pam_pid = 0, parent_pid;
749
750 assert(name);
751 assert(user);
752 assert(pam_env);
753
754 /* We set up PAM in the parent process, then fork. The child
755 * will then stay around until killed via PR_GET_PDEATHSIG or
756 * systemd via the cgroup logic. It will then remove the PAM
757 * session again. The parent process will exec() the actual
758 * daemon. We do things this way to ensure that the main PID
759 * of the daemon is the one we initially fork()ed. */
760
761 if ((pam_code = pam_start(name, user, &conv, &handle)) != PAM_SUCCESS) {
762 handle = NULL;
763 goto fail;
764 }
765
766 if (tty)
767 if ((pam_code = pam_set_item(handle, PAM_TTY, tty)) != PAM_SUCCESS)
768 goto fail;
769
770 if ((pam_code = pam_acct_mgmt(handle, PAM_SILENT)) != PAM_SUCCESS)
771 goto fail;
772
773 if ((pam_code = pam_open_session(handle, PAM_SILENT)) != PAM_SUCCESS)
774 goto fail;
775
776 close_session = true;
777
778 if ((!(e = pam_getenvlist(handle)))) {
779 pam_code = PAM_BUF_ERR;
780 goto fail;
781 }
782
783 /* Block SIGTERM, so that we know that it won't get lost in
784 * the child */
785 if (sigemptyset(&ss) < 0 ||
786 sigaddset(&ss, SIGTERM) < 0 ||
787 sigprocmask(SIG_BLOCK, &ss, &old_ss) < 0)
788 goto fail;
789
790 parent_pid = getpid();
791
792 if ((pam_pid = fork()) < 0)
793 goto fail;
794
795 if (pam_pid == 0) {
796 int sig;
797 int r = EXIT_PAM;
798
799 /* The child's job is to reset the PAM session on
800 * termination */
801
802 /* This string must fit in 10 chars (i.e. the length
803 * of "/sbin/init"), to look pretty in /bin/ps */
804 rename_process("(sd-pam)");
805
806 /* Make sure we don't keep open the passed fds in this
807 child. We assume that otherwise only those fds are
808 open here that have been opened by PAM. */
809 close_many(fds, n_fds);
810
811 /* Drop privileges - we don't need any to pam_close_session
812 * and this will make PR_SET_PDEATHSIG work in most cases.
813 * If this fails, ignore the error - but expect sd-pam threads
814 * to fail to exit normally */
815 if (setresuid(uid, uid, uid) < 0)
816 log_error("Error: Failed to setresuid() in sd-pam: %s", strerror(-r));
817
818 /* Wait until our parent died. This will only work if
819 * the above setresuid() succeeds, otherwise the kernel
820 * will not allow unprivileged parents kill their privileged
821 * children this way. We rely on the control groups kill logic
822 * to do the rest for us. */
823 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
824 goto child_finish;
825
826 /* Check if our parent process might already have
827 * died? */
828 if (getppid() == parent_pid) {
829 for (;;) {
830 if (sigwait(&ss, &sig) < 0) {
831 if (errno == EINTR)
832 continue;
833
834 goto child_finish;
835 }
836
837 assert(sig == SIGTERM);
838 break;
839 }
840 }
841
842 /* If our parent died we'll end the session */
843 if (getppid() != parent_pid)
844 if ((pam_code = pam_close_session(handle, PAM_DATA_SILENT)) != PAM_SUCCESS)
845 goto child_finish;
846
847 r = 0;
848
849 child_finish:
850 pam_end(handle, pam_code | PAM_DATA_SILENT);
851 _exit(r);
852 }
853
854 /* If the child was forked off successfully it will do all the
855 * cleanups, so forget about the handle here. */
856 handle = NULL;
857
858 /* Unblock SIGTERM again in the parent */
859 if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0)
860 goto fail;
861
862 /* We close the log explicitly here, since the PAM modules
863 * might have opened it, but we don't want this fd around. */
864 closelog();
865
866 *pam_env = e;
867 e = NULL;
868
869 return 0;
870
871 fail:
872 if (pam_code != PAM_SUCCESS)
873 err = -EPERM; /* PAM errors do not map to errno */
874 else
875 err = -errno;
876
877 if (handle) {
878 if (close_session)
879 pam_code = pam_close_session(handle, PAM_DATA_SILENT);
880
881 pam_end(handle, pam_code | PAM_DATA_SILENT);
882 }
883
884 strv_free(e);
885
886 closelog();
887
888 if (pam_pid > 1) {
889 kill(pam_pid, SIGTERM);
890 kill(pam_pid, SIGCONT);
891 }
892
893 return err;
894 }
895 #endif
896
897 static void rename_process_from_path(const char *path) {
898 char process_name[11];
899 const char *p;
900 size_t l;
901
902 /* This resulting string must fit in 10 chars (i.e. the length
903 * of "/sbin/init") to look pretty in /bin/ps */
904
905 p = path_get_file_name(path);
906 if (isempty(p)) {
907 rename_process("(...)");
908 return;
909 }
910
911 l = strlen(p);
912 if (l > 8) {
913 /* The end of the process name is usually more
914 * interesting, since the first bit might just be
915 * "systemd-" */
916 p = p + l - 8;
917 l = 8;
918 }
919
920 process_name[0] = '(';
921 memcpy(process_name+1, p, l);
922 process_name[1+l] = ')';
923 process_name[1+l+1] = 0;
924
925 rename_process(process_name);
926 }
927
928 static int apply_seccomp(uint32_t *syscall_filter) {
929 static const struct sock_filter header[] = {
930 VALIDATE_ARCHITECTURE,
931 EXAMINE_SYSCALL
932 };
933 static const struct sock_filter footer[] = {
934 _KILL_PROCESS
935 };
936
937 int i;
938 unsigned n;
939 struct sock_filter *f;
940 struct sock_fprog prog = {};
941
942 assert(syscall_filter);
943
944 /* First: count the syscalls to check for */
945 for (i = 0, n = 0; i < syscall_max(); i++)
946 if (syscall_filter[i >> 4] & (1 << (i & 31)))
947 n++;
948
949 /* Second: build the filter program from a header the syscall
950 * matches and the footer */
951 f = alloca(sizeof(struct sock_filter) * (ELEMENTSOF(header) + 2*n + ELEMENTSOF(footer)));
952 memcpy(f, header, sizeof(header));
953
954 for (i = 0, n = 0; i < syscall_max(); i++)
955 if (syscall_filter[i >> 4] & (1 << (i & 31))) {
956 struct sock_filter item[] = {
957 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, INDEX_TO_SYSCALL(i), 0, 1),
958 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
959 };
960
961 assert_cc(ELEMENTSOF(item) == 2);
962
963 f[ELEMENTSOF(header) + 2*n] = item[0];
964 f[ELEMENTSOF(header) + 2*n+1] = item[1];
965
966 n++;
967 }
968
969 memcpy(f + (ELEMENTSOF(header) + 2*n), footer, sizeof(footer));
970
971 /* Third: install the filter */
972 prog.len = ELEMENTSOF(header) + ELEMENTSOF(footer) + 2*n;
973 prog.filter = f;
974 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0)
975 return -errno;
976
977 return 0;
978 }
979
980 int exec_spawn(ExecCommand *command,
981 char **argv,
982 ExecContext *context,
983 int fds[], unsigned n_fds,
984 char **environment,
985 bool apply_permissions,
986 bool apply_chroot,
987 bool apply_tty_stdin,
988 bool confirm_spawn,
989 CGroupControllerMask cgroup_mask,
990 const char *cgroup_path,
991 const char *unit_id,
992 int idle_pipe[2],
993 pid_t *ret) {
994
995 _cleanup_strv_free_ char **files_env = NULL;
996 int socket_fd;
997 char *line;
998 pid_t pid;
999 int r;
1000
1001 assert(command);
1002 assert(context);
1003 assert(ret);
1004 assert(fds || n_fds <= 0);
1005
1006 if (context->std_input == EXEC_INPUT_SOCKET ||
1007 context->std_output == EXEC_OUTPUT_SOCKET ||
1008 context->std_error == EXEC_OUTPUT_SOCKET) {
1009
1010 if (n_fds != 1)
1011 return -EINVAL;
1012
1013 socket_fd = fds[0];
1014
1015 fds = NULL;
1016 n_fds = 0;
1017 } else
1018 socket_fd = -1;
1019
1020 r = exec_context_load_environment(context, &files_env);
1021 if (r < 0) {
1022 log_struct_unit(LOG_ERR,
1023 unit_id,
1024 "MESSAGE=Failed to load environment files: %s", strerror(-r),
1025 "ERRNO=%d", -r,
1026 NULL);
1027 return r;
1028 }
1029
1030 if (!argv)
1031 argv = command->argv;
1032
1033 line = exec_command_line(argv);
1034 if (!line)
1035 return log_oom();
1036
1037 log_struct_unit(LOG_DEBUG,
1038 unit_id,
1039 "EXECUTABLE=%s", command->path,
1040 "MESSAGE=About to execute: %s", line,
1041 NULL);
1042 free(line);
1043
1044 if (context->private_tmp && !context->tmp_dir && !context->var_tmp_dir) {
1045 r = setup_tmpdirs(&context->tmp_dir, &context->var_tmp_dir);
1046 if (r < 0)
1047 return r;
1048 }
1049
1050 pid = fork();
1051 if (pid < 0)
1052 return -errno;
1053
1054 if (pid == 0) {
1055 int i, err;
1056 sigset_t ss;
1057 const char *username = NULL, *home = NULL;
1058 uid_t uid = (uid_t) -1;
1059 gid_t gid = (gid_t) -1;
1060 _cleanup_strv_free_ char **our_env = NULL, **pam_env = NULL,
1061 **final_env = NULL, **final_argv = NULL;
1062 unsigned n_env = 0;
1063
1064 /* child */
1065
1066 rename_process_from_path(command->path);
1067
1068 /* We reset exactly these signals, since they are the
1069 * only ones we set to SIG_IGN in the main daemon. All
1070 * others we leave untouched because we set them to
1071 * SIG_DFL or a valid handler initially, both of which
1072 * will be demoted to SIG_DFL. */
1073 default_signals(SIGNALS_CRASH_HANDLER,
1074 SIGNALS_IGNORE, -1);
1075
1076 if (context->ignore_sigpipe)
1077 ignore_signals(SIGPIPE, -1);
1078
1079 assert_se(sigemptyset(&ss) == 0);
1080 if (sigprocmask(SIG_SETMASK, &ss, NULL) < 0) {
1081 err = -errno;
1082 r = EXIT_SIGNAL_MASK;
1083 goto fail_child;
1084 }
1085
1086 if (idle_pipe) {
1087 if (idle_pipe[1] >= 0)
1088 close_nointr_nofail(idle_pipe[1]);
1089 if (idle_pipe[0] >= 0) {
1090 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1091 close_nointr_nofail(idle_pipe[0]);
1092 }
1093 }
1094
1095 /* Close sockets very early to make sure we don't
1096 * block init reexecution because it cannot bind its
1097 * sockets */
1098 log_forget_fds();
1099 err = close_all_fds(socket_fd >= 0 ? &socket_fd : fds,
1100 socket_fd >= 0 ? 1 : n_fds);
1101 if (err < 0) {
1102 r = EXIT_FDS;
1103 goto fail_child;
1104 }
1105
1106 if (!context->same_pgrp)
1107 if (setsid() < 0) {
1108 err = -errno;
1109 r = EXIT_SETSID;
1110 goto fail_child;
1111 }
1112
1113 if (context->tcpwrap_name) {
1114 if (socket_fd >= 0)
1115 if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) {
1116 err = -EACCES;
1117 r = EXIT_TCPWRAP;
1118 goto fail_child;
1119 }
1120
1121 for (i = 0; i < (int) n_fds; i++) {
1122 if (!socket_tcpwrap(fds[i], context->tcpwrap_name)) {
1123 err = -EACCES;
1124 r = EXIT_TCPWRAP;
1125 goto fail_child;
1126 }
1127 }
1128 }
1129
1130 exec_context_tty_reset(context);
1131
1132 if (confirm_spawn) {
1133 char response;
1134
1135 err = ask_for_confirmation(&response, argv);
1136 if (err == -ETIMEDOUT)
1137 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
1138 else if (err < 0)
1139 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-err));
1140 else if (response == 's') {
1141 write_confirm_message("Skipping execution.\n");
1142 err = -ECANCELED;
1143 r = EXIT_CONFIRM;
1144 goto fail_child;
1145 } else if (response == 'n') {
1146 write_confirm_message("Failing execution.\n");
1147 err = r = 0;
1148 goto fail_child;
1149 }
1150 }
1151
1152 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1153 * must sure to drop O_NONBLOCK */
1154 if (socket_fd >= 0)
1155 fd_nonblock(socket_fd, false);
1156
1157 err = setup_input(context, socket_fd, apply_tty_stdin);
1158 if (err < 0) {
1159 r = EXIT_STDIN;
1160 goto fail_child;
1161 }
1162
1163 err = setup_output(context, STDOUT_FILENO, socket_fd, path_get_file_name(command->path), unit_id, apply_tty_stdin);
1164 if (err < 0) {
1165 r = EXIT_STDOUT;
1166 goto fail_child;
1167 }
1168
1169 err = setup_output(context, STDERR_FILENO, socket_fd, path_get_file_name(command->path), unit_id, apply_tty_stdin);
1170 if (err < 0) {
1171 r = EXIT_STDERR;
1172 goto fail_child;
1173 }
1174
1175 if (cgroup_path) {
1176 err = cg_attach_with_mask(cgroup_mask, cgroup_path, 0);
1177 if (err < 0) {
1178 r = EXIT_CGROUP;
1179 goto fail_child;
1180 }
1181 }
1182
1183 if (context->oom_score_adjust_set) {
1184 char t[16];
1185
1186 snprintf(t, sizeof(t), "%i", context->oom_score_adjust);
1187 char_array_0(t);
1188
1189 if (write_string_file("/proc/self/oom_score_adj", t) < 0) {
1190 err = -errno;
1191 r = EXIT_OOM_ADJUST;
1192 goto fail_child;
1193 }
1194 }
1195
1196 if (context->nice_set)
1197 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
1198 err = -errno;
1199 r = EXIT_NICE;
1200 goto fail_child;
1201 }
1202
1203 if (context->cpu_sched_set) {
1204 struct sched_param param = {
1205 .sched_priority = context->cpu_sched_priority,
1206 };
1207
1208 r = sched_setscheduler(0,
1209 context->cpu_sched_policy |
1210 (context->cpu_sched_reset_on_fork ?
1211 SCHED_RESET_ON_FORK : 0),
1212 &param);
1213 if (r < 0) {
1214 err = -errno;
1215 r = EXIT_SETSCHEDULER;
1216 goto fail_child;
1217 }
1218 }
1219
1220 if (context->cpuset)
1221 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
1222 err = -errno;
1223 r = EXIT_CPUAFFINITY;
1224 goto fail_child;
1225 }
1226
1227 if (context->ioprio_set)
1228 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
1229 err = -errno;
1230 r = EXIT_IOPRIO;
1231 goto fail_child;
1232 }
1233
1234 if (context->timer_slack_nsec != (nsec_t) -1)
1235 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
1236 err = -errno;
1237 r = EXIT_TIMERSLACK;
1238 goto fail_child;
1239 }
1240
1241 if (context->utmp_id)
1242 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path);
1243
1244 if (context->user) {
1245 username = context->user;
1246 err = get_user_creds(&username, &uid, &gid, &home, NULL);
1247 if (err < 0) {
1248 r = EXIT_USER;
1249 goto fail_child;
1250 }
1251
1252 if (is_terminal_input(context->std_input)) {
1253 err = chown_terminal(STDIN_FILENO, uid);
1254 if (err < 0) {
1255 r = EXIT_STDIN;
1256 goto fail_child;
1257 }
1258 }
1259 }
1260
1261 #ifdef HAVE_PAM
1262 if (cgroup_path && context->user && context->pam_name) {
1263 err = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, 0644, uid, gid);
1264 if (err < 0) {
1265 r = EXIT_CGROUP;
1266 goto fail_child;
1267 }
1268
1269
1270 err = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, 0755, uid, gid);
1271 if (err < 0) {
1272 r = EXIT_CGROUP;
1273 goto fail_child;
1274 }
1275 }
1276 #endif
1277
1278 if (apply_permissions) {
1279 err = enforce_groups(context, username, gid);
1280 if (err < 0) {
1281 r = EXIT_GROUP;
1282 goto fail_child;
1283 }
1284 }
1285
1286 umask(context->umask);
1287
1288 #ifdef HAVE_PAM
1289 if (apply_permissions && context->pam_name && username) {
1290 err = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
1291 if (err < 0) {
1292 r = EXIT_PAM;
1293 goto fail_child;
1294 }
1295 }
1296 #endif
1297 if (context->private_network) {
1298 if (unshare(CLONE_NEWNET) < 0) {
1299 err = -errno;
1300 r = EXIT_NETWORK;
1301 goto fail_child;
1302 }
1303
1304 loopback_setup();
1305 }
1306
1307 if (strv_length(context->read_write_dirs) > 0 ||
1308 strv_length(context->read_only_dirs) > 0 ||
1309 strv_length(context->inaccessible_dirs) > 0 ||
1310 context->mount_flags != 0 ||
1311 context->private_tmp) {
1312 err = setup_namespace(context->read_write_dirs,
1313 context->read_only_dirs,
1314 context->inaccessible_dirs,
1315 context->tmp_dir,
1316 context->var_tmp_dir,
1317 context->private_tmp,
1318 context->mount_flags);
1319 if (err < 0) {
1320 r = EXIT_NAMESPACE;
1321 goto fail_child;
1322 }
1323 }
1324
1325 if (apply_chroot) {
1326 if (context->root_directory)
1327 if (chroot(context->root_directory) < 0) {
1328 err = -errno;
1329 r = EXIT_CHROOT;
1330 goto fail_child;
1331 }
1332
1333 if (chdir(context->working_directory ? context->working_directory : "/") < 0) {
1334 err = -errno;
1335 r = EXIT_CHDIR;
1336 goto fail_child;
1337 }
1338 } else {
1339 _cleanup_free_ char *d = NULL;
1340
1341 if (asprintf(&d, "%s/%s",
1342 context->root_directory ? context->root_directory : "",
1343 context->working_directory ? context->working_directory : "") < 0) {
1344 err = -ENOMEM;
1345 r = EXIT_MEMORY;
1346 goto fail_child;
1347 }
1348
1349 if (chdir(d) < 0) {
1350 err = -errno;
1351 r = EXIT_CHDIR;
1352 goto fail_child;
1353 }
1354 }
1355
1356 /* We repeat the fd closing here, to make sure that
1357 * nothing is leaked from the PAM modules */
1358 err = close_all_fds(fds, n_fds);
1359 if (err >= 0)
1360 err = shift_fds(fds, n_fds);
1361 if (err >= 0)
1362 err = flags_fds(fds, n_fds, context->non_blocking);
1363 if (err < 0) {
1364 r = EXIT_FDS;
1365 goto fail_child;
1366 }
1367
1368 if (apply_permissions) {
1369
1370 for (i = 0; i < RLIMIT_NLIMITS; i++) {
1371 if (!context->rlimit[i])
1372 continue;
1373
1374 if (setrlimit_closest(i, context->rlimit[i]) < 0) {
1375 err = -errno;
1376 r = EXIT_LIMITS;
1377 goto fail_child;
1378 }
1379 }
1380
1381 if (context->capability_bounding_set_drop) {
1382 err = capability_bounding_set_drop(context->capability_bounding_set_drop, false);
1383 if (err < 0) {
1384 r = EXIT_CAPABILITIES;
1385 goto fail_child;
1386 }
1387 }
1388
1389 if (context->user) {
1390 err = enforce_user(context, uid);
1391 if (err < 0) {
1392 r = EXIT_USER;
1393 goto fail_child;
1394 }
1395 }
1396
1397 /* PR_GET_SECUREBITS is not privileged, while
1398 * PR_SET_SECUREBITS is. So to suppress
1399 * potential EPERMs we'll try not to call
1400 * PR_SET_SECUREBITS unless necessary. */
1401 if (prctl(PR_GET_SECUREBITS) != context->secure_bits)
1402 if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
1403 err = -errno;
1404 r = EXIT_SECUREBITS;
1405 goto fail_child;
1406 }
1407
1408 if (context->capabilities)
1409 if (cap_set_proc(context->capabilities) < 0) {
1410 err = -errno;
1411 r = EXIT_CAPABILITIES;
1412 goto fail_child;
1413 }
1414
1415 if (context->no_new_privileges)
1416 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
1417 err = -errno;
1418 r = EXIT_NO_NEW_PRIVILEGES;
1419 goto fail_child;
1420 }
1421
1422 if (context->syscall_filter) {
1423 err = apply_seccomp(context->syscall_filter);
1424 if (err < 0) {
1425 r = EXIT_SECCOMP;
1426 goto fail_child;
1427 }
1428 }
1429 }
1430
1431 our_env = new0(char*, 7);
1432 if (!our_env) {
1433 err = -ENOMEM;
1434 r = EXIT_MEMORY;
1435 goto fail_child;
1436 }
1437
1438 if (n_fds > 0)
1439 if (asprintf(our_env + n_env++, "LISTEN_PID=%lu", (unsigned long) getpid()) < 0 ||
1440 asprintf(our_env + n_env++, "LISTEN_FDS=%u", n_fds) < 0) {
1441 err = -ENOMEM;
1442 r = EXIT_MEMORY;
1443 goto fail_child;
1444 }
1445
1446 if (home)
1447 if (asprintf(our_env + n_env++, "HOME=%s", home) < 0) {
1448 err = -ENOMEM;
1449 r = EXIT_MEMORY;
1450 goto fail_child;
1451 }
1452
1453 if (username)
1454 if (asprintf(our_env + n_env++, "LOGNAME=%s", username) < 0 ||
1455 asprintf(our_env + n_env++, "USER=%s", username) < 0) {
1456 err = -ENOMEM;
1457 r = EXIT_MEMORY;
1458 goto fail_child;
1459 }
1460
1461 if (is_terminal_input(context->std_input) ||
1462 context->std_output == EXEC_OUTPUT_TTY ||
1463 context->std_error == EXEC_OUTPUT_TTY)
1464 if (!(our_env[n_env++] = strdup(default_term_for_tty(tty_path(context))))) {
1465 err = -ENOMEM;
1466 r = EXIT_MEMORY;
1467 goto fail_child;
1468 }
1469
1470 assert(n_env <= 7);
1471
1472 final_env = strv_env_merge(5,
1473 environment,
1474 our_env,
1475 context->environment,
1476 files_env,
1477 pam_env,
1478 NULL);
1479 if (!final_env) {
1480 err = -ENOMEM;
1481 r = EXIT_MEMORY;
1482 goto fail_child;
1483 }
1484
1485 final_argv = replace_env_argv(argv, final_env);
1486 if (!final_argv) {
1487 err = -ENOMEM;
1488 r = EXIT_MEMORY;
1489 goto fail_child;
1490 }
1491
1492 final_env = strv_env_clean(final_env);
1493
1494 if (_unlikely_(log_get_max_level() >= LOG_PRI(LOG_DEBUG))) {
1495 line = exec_command_line(final_argv);
1496 if (line) {
1497 log_open();
1498 log_struct_unit(LOG_DEBUG,
1499 unit_id,
1500 "EXECUTABLE=%s", command->path,
1501 "MESSAGE=Executing: %s", line,
1502 NULL);
1503 log_close();
1504 free(line);
1505 line = NULL;
1506 }
1507 }
1508 execve(command->path, final_argv, final_env);
1509 err = -errno;
1510 r = EXIT_EXEC;
1511
1512 fail_child:
1513 if (r != 0) {
1514 log_open();
1515 log_struct(LOG_ERR, MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
1516 "EXECUTABLE=%s", command->path,
1517 "MESSAGE=Failed at step %s spawning %s: %s",
1518 exit_status_to_string(r, EXIT_STATUS_SYSTEMD),
1519 command->path, strerror(-err),
1520 "ERRNO=%d", -err,
1521 NULL);
1522 log_close();
1523 }
1524
1525 _exit(r);
1526 }
1527
1528 log_struct_unit(LOG_DEBUG,
1529 unit_id,
1530 "MESSAGE=Forked %s as %lu",
1531 command->path, (unsigned long) pid,
1532 NULL);
1533
1534 /* We add the new process to the cgroup both in the child (so
1535 * that we can be sure that no user code is ever executed
1536 * outside of the cgroup) and in the parent (so that we can be
1537 * sure that when we kill the cgroup the process will be
1538 * killed too). */
1539 if (cgroup_path)
1540 cg_attach(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, pid);
1541
1542 exec_status_start(&command->exec_status, pid);
1543
1544 *ret = pid;
1545 return 0;
1546 }
1547
1548 void exec_context_init(ExecContext *c) {
1549 assert(c);
1550
1551 c->umask = 0022;
1552 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
1553 c->cpu_sched_policy = SCHED_OTHER;
1554 c->syslog_priority = LOG_DAEMON|LOG_INFO;
1555 c->syslog_level_prefix = true;
1556 c->ignore_sigpipe = true;
1557 c->timer_slack_nsec = (nsec_t) -1;
1558 }
1559
1560 void exec_context_tmp_dirs_done(ExecContext *c) {
1561 char* dirs[] = {c->tmp_dir ? c->tmp_dir : c->var_tmp_dir,
1562 c->tmp_dir ? c->var_tmp_dir : NULL,
1563 NULL};
1564 char **dirp;
1565
1566 for(dirp = dirs; *dirp; dirp++) {
1567 char *dir;
1568 int r;
1569
1570 r = rm_rf_dangerous(*dirp, false, true, false);
1571 dir = dirname(*dirp);
1572 if (r < 0)
1573 log_warning("Failed to remove content of temporary directory %s: %s",
1574 dir, strerror(-r));
1575 else {
1576 r = rmdir(dir);
1577 if (r < 0)
1578 log_warning("Failed to remove temporary directory %s: %s",
1579 dir, strerror(-r));
1580 }
1581
1582 free(*dirp);
1583 }
1584
1585 c->tmp_dir = c->var_tmp_dir = NULL;
1586 }
1587
1588 void exec_context_done(ExecContext *c, bool reloading_or_reexecuting) {
1589 unsigned l;
1590
1591 assert(c);
1592
1593 strv_free(c->environment);
1594 c->environment = NULL;
1595
1596 strv_free(c->environment_files);
1597 c->environment_files = NULL;
1598
1599 for (l = 0; l < ELEMENTSOF(c->rlimit); l++) {
1600 free(c->rlimit[l]);
1601 c->rlimit[l] = NULL;
1602 }
1603
1604 free(c->working_directory);
1605 c->working_directory = NULL;
1606 free(c->root_directory);
1607 c->root_directory = NULL;
1608
1609 free(c->tty_path);
1610 c->tty_path = NULL;
1611
1612 free(c->tcpwrap_name);
1613 c->tcpwrap_name = NULL;
1614
1615 free(c->syslog_identifier);
1616 c->syslog_identifier = NULL;
1617
1618 free(c->user);
1619 c->user = NULL;
1620
1621 free(c->group);
1622 c->group = NULL;
1623
1624 strv_free(c->supplementary_groups);
1625 c->supplementary_groups = NULL;
1626
1627 free(c->pam_name);
1628 c->pam_name = NULL;
1629
1630 if (c->capabilities) {
1631 cap_free(c->capabilities);
1632 c->capabilities = NULL;
1633 }
1634
1635 strv_free(c->read_only_dirs);
1636 c->read_only_dirs = NULL;
1637
1638 strv_free(c->read_write_dirs);
1639 c->read_write_dirs = NULL;
1640
1641 strv_free(c->inaccessible_dirs);
1642 c->inaccessible_dirs = NULL;
1643
1644 if (c->cpuset)
1645 CPU_FREE(c->cpuset);
1646
1647 free(c->utmp_id);
1648 c->utmp_id = NULL;
1649
1650 free(c->syscall_filter);
1651 c->syscall_filter = NULL;
1652
1653 if (!reloading_or_reexecuting)
1654 exec_context_tmp_dirs_done(c);
1655 }
1656
1657 void exec_command_done(ExecCommand *c) {
1658 assert(c);
1659
1660 free(c->path);
1661 c->path = NULL;
1662
1663 strv_free(c->argv);
1664 c->argv = NULL;
1665 }
1666
1667 void exec_command_done_array(ExecCommand *c, unsigned n) {
1668 unsigned i;
1669
1670 for (i = 0; i < n; i++)
1671 exec_command_done(c+i);
1672 }
1673
1674 void exec_command_free_list(ExecCommand *c) {
1675 ExecCommand *i;
1676
1677 while ((i = c)) {
1678 LIST_REMOVE(ExecCommand, command, c, i);
1679 exec_command_done(i);
1680 free(i);
1681 }
1682 }
1683
1684 void exec_command_free_array(ExecCommand **c, unsigned n) {
1685 unsigned i;
1686
1687 for (i = 0; i < n; i++) {
1688 exec_command_free_list(c[i]);
1689 c[i] = NULL;
1690 }
1691 }
1692
1693 int exec_context_load_environment(const ExecContext *c, char ***l) {
1694 char **i, **r = NULL;
1695
1696 assert(c);
1697 assert(l);
1698
1699 STRV_FOREACH(i, c->environment_files) {
1700 char *fn;
1701 int k;
1702 bool ignore = false;
1703 char **p;
1704 _cleanup_globfree_ glob_t pglob = {};
1705 int count, n;
1706
1707 fn = *i;
1708
1709 if (fn[0] == '-') {
1710 ignore = true;
1711 fn ++;
1712 }
1713
1714 if (!path_is_absolute(fn)) {
1715 if (ignore)
1716 continue;
1717
1718 strv_free(r);
1719 return -EINVAL;
1720 }
1721
1722 /* Filename supports globbing, take all matching files */
1723 errno = 0;
1724 if (glob(fn, 0, NULL, &pglob) != 0) {
1725 if (ignore)
1726 continue;
1727
1728 strv_free(r);
1729 return errno ? -errno : -EINVAL;
1730 }
1731 count = pglob.gl_pathc;
1732 if (count == 0) {
1733 if (ignore)
1734 continue;
1735
1736 strv_free(r);
1737 return -EINVAL;
1738 }
1739 for (n = 0; n < count; n++) {
1740 k = load_env_file(pglob.gl_pathv[n], NULL, &p);
1741 if (k < 0) {
1742 if (ignore)
1743 continue;
1744
1745 strv_free(r);
1746 return k;
1747 }
1748 /* Log invalid environment variables with filename */
1749 if (p)
1750 p = strv_env_clean_log(p, pglob.gl_pathv[n]);
1751
1752 if (r == NULL)
1753 r = p;
1754 else {
1755 char **m;
1756
1757 m = strv_env_merge(2, r, p);
1758 strv_free(r);
1759 strv_free(p);
1760 if (!m)
1761 return -ENOMEM;
1762
1763 r = m;
1764 }
1765 }
1766 }
1767
1768 *l = r;
1769
1770 return 0;
1771 }
1772
1773 static bool tty_may_match_dev_console(const char *tty) {
1774 char *active = NULL, *console;
1775 bool b;
1776
1777 if (startswith(tty, "/dev/"))
1778 tty += 5;
1779
1780 /* trivial identity? */
1781 if (streq(tty, "console"))
1782 return true;
1783
1784 console = resolve_dev_console(&active);
1785 /* if we could not resolve, assume it may */
1786 if (!console)
1787 return true;
1788
1789 /* "tty0" means the active VC, so it may be the same sometimes */
1790 b = streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
1791 free(active);
1792
1793 return b;
1794 }
1795
1796 bool exec_context_may_touch_console(ExecContext *ec) {
1797 return (ec->tty_reset || ec->tty_vhangup || ec->tty_vt_disallocate ||
1798 is_terminal_input(ec->std_input) ||
1799 is_terminal_output(ec->std_output) ||
1800 is_terminal_output(ec->std_error)) &&
1801 tty_may_match_dev_console(tty_path(ec));
1802 }
1803
1804 static void strv_fprintf(FILE *f, char **l) {
1805 char **g;
1806
1807 assert(f);
1808
1809 STRV_FOREACH(g, l)
1810 fprintf(f, " %s", *g);
1811 }
1812
1813 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
1814 char **e;
1815 unsigned i;
1816
1817 assert(c);
1818 assert(f);
1819
1820 prefix = strempty(prefix);
1821
1822 fprintf(f,
1823 "%sUMask: %04o\n"
1824 "%sWorkingDirectory: %s\n"
1825 "%sRootDirectory: %s\n"
1826 "%sNonBlocking: %s\n"
1827 "%sPrivateTmp: %s\n"
1828 "%sPrivateNetwork: %s\n"
1829 "%sIgnoreSIGPIPE: %s\n",
1830 prefix, c->umask,
1831 prefix, c->working_directory ? c->working_directory : "/",
1832 prefix, c->root_directory ? c->root_directory : "/",
1833 prefix, yes_no(c->non_blocking),
1834 prefix, yes_no(c->private_tmp),
1835 prefix, yes_no(c->private_network),
1836 prefix, yes_no(c->ignore_sigpipe));
1837
1838 STRV_FOREACH(e, c->environment)
1839 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
1840
1841 STRV_FOREACH(e, c->environment_files)
1842 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
1843
1844 if (c->tcpwrap_name)
1845 fprintf(f,
1846 "%sTCPWrapName: %s\n",
1847 prefix, c->tcpwrap_name);
1848
1849 if (c->nice_set)
1850 fprintf(f,
1851 "%sNice: %i\n",
1852 prefix, c->nice);
1853
1854 if (c->oom_score_adjust_set)
1855 fprintf(f,
1856 "%sOOMScoreAdjust: %i\n",
1857 prefix, c->oom_score_adjust);
1858
1859 for (i = 0; i < RLIM_NLIMITS; i++)
1860 if (c->rlimit[i])
1861 fprintf(f, "%s%s: %llu\n", prefix, rlimit_to_string(i), (unsigned long long) c->rlimit[i]->rlim_max);
1862
1863 if (c->ioprio_set) {
1864 char *class_str;
1865 int r;
1866
1867 r = ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
1868 if (r < 0)
1869 class_str = NULL;
1870 fprintf(f,
1871 "%sIOSchedulingClass: %s\n"
1872 "%sIOPriority: %i\n",
1873 prefix, strna(class_str),
1874 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
1875 free(class_str);
1876 }
1877
1878 if (c->cpu_sched_set) {
1879 char *policy_str;
1880 int r;
1881
1882 r = sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
1883 if (r < 0)
1884 policy_str = NULL;
1885 fprintf(f,
1886 "%sCPUSchedulingPolicy: %s\n"
1887 "%sCPUSchedulingPriority: %i\n"
1888 "%sCPUSchedulingResetOnFork: %s\n",
1889 prefix, strna(policy_str),
1890 prefix, c->cpu_sched_priority,
1891 prefix, yes_no(c->cpu_sched_reset_on_fork));
1892 free(policy_str);
1893 }
1894
1895 if (c->cpuset) {
1896 fprintf(f, "%sCPUAffinity:", prefix);
1897 for (i = 0; i < c->cpuset_ncpus; i++)
1898 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
1899 fprintf(f, " %i", i);
1900 fputs("\n", f);
1901 }
1902
1903 if (c->timer_slack_nsec != (nsec_t) -1)
1904 fprintf(f, "%sTimerSlackNSec: %lu\n", prefix, (unsigned long)c->timer_slack_nsec);
1905
1906 fprintf(f,
1907 "%sStandardInput: %s\n"
1908 "%sStandardOutput: %s\n"
1909 "%sStandardError: %s\n",
1910 prefix, exec_input_to_string(c->std_input),
1911 prefix, exec_output_to_string(c->std_output),
1912 prefix, exec_output_to_string(c->std_error));
1913
1914 if (c->tty_path)
1915 fprintf(f,
1916 "%sTTYPath: %s\n"
1917 "%sTTYReset: %s\n"
1918 "%sTTYVHangup: %s\n"
1919 "%sTTYVTDisallocate: %s\n",
1920 prefix, c->tty_path,
1921 prefix, yes_no(c->tty_reset),
1922 prefix, yes_no(c->tty_vhangup),
1923 prefix, yes_no(c->tty_vt_disallocate));
1924
1925 if (c->std_output == EXEC_OUTPUT_SYSLOG || c->std_output == EXEC_OUTPUT_KMSG || c->std_output == EXEC_OUTPUT_JOURNAL ||
1926 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE || c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE || c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
1927 c->std_error == EXEC_OUTPUT_SYSLOG || c->std_error == EXEC_OUTPUT_KMSG || c->std_error == EXEC_OUTPUT_JOURNAL ||
1928 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE || c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE || c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
1929 char *fac_str, *lvl_str;
1930 int r;
1931
1932 r = log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
1933 if (r < 0)
1934 fac_str = NULL;
1935
1936 r = log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
1937 if (r < 0)
1938 lvl_str = NULL;
1939
1940 fprintf(f,
1941 "%sSyslogFacility: %s\n"
1942 "%sSyslogLevel: %s\n",
1943 prefix, strna(fac_str),
1944 prefix, strna(lvl_str));
1945 free(lvl_str);
1946 free(fac_str);
1947 }
1948
1949 if (c->capabilities) {
1950 char *t;
1951 if ((t = cap_to_text(c->capabilities, NULL))) {
1952 fprintf(f, "%sCapabilities: %s\n",
1953 prefix, t);
1954 cap_free(t);
1955 }
1956 }
1957
1958 if (c->secure_bits)
1959 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
1960 prefix,
1961 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
1962 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
1963 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
1964 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
1965 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
1966 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
1967
1968 if (c->capability_bounding_set_drop) {
1969 unsigned long l;
1970 fprintf(f, "%sCapabilityBoundingSet:", prefix);
1971
1972 for (l = 0; l <= cap_last_cap(); l++)
1973 if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) {
1974 char *t;
1975
1976 if ((t = cap_to_name(l))) {
1977 fprintf(f, " %s", t);
1978 cap_free(t);
1979 }
1980 }
1981
1982 fputs("\n", f);
1983 }
1984
1985 if (c->user)
1986 fprintf(f, "%sUser: %s\n", prefix, c->user);
1987 if (c->group)
1988 fprintf(f, "%sGroup: %s\n", prefix, c->group);
1989
1990 if (strv_length(c->supplementary_groups) > 0) {
1991 fprintf(f, "%sSupplementaryGroups:", prefix);
1992 strv_fprintf(f, c->supplementary_groups);
1993 fputs("\n", f);
1994 }
1995
1996 if (c->pam_name)
1997 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
1998
1999 if (strv_length(c->read_write_dirs) > 0) {
2000 fprintf(f, "%sReadWriteDirs:", prefix);
2001 strv_fprintf(f, c->read_write_dirs);
2002 fputs("\n", f);
2003 }
2004
2005 if (strv_length(c->read_only_dirs) > 0) {
2006 fprintf(f, "%sReadOnlyDirs:", prefix);
2007 strv_fprintf(f, c->read_only_dirs);
2008 fputs("\n", f);
2009 }
2010
2011 if (strv_length(c->inaccessible_dirs) > 0) {
2012 fprintf(f, "%sInaccessibleDirs:", prefix);
2013 strv_fprintf(f, c->inaccessible_dirs);
2014 fputs("\n", f);
2015 }
2016
2017 if (c->utmp_id)
2018 fprintf(f,
2019 "%sUtmpIdentifier: %s\n",
2020 prefix, c->utmp_id);
2021 }
2022
2023 void exec_status_start(ExecStatus *s, pid_t pid) {
2024 assert(s);
2025
2026 zero(*s);
2027 s->pid = pid;
2028 dual_timestamp_get(&s->start_timestamp);
2029 }
2030
2031 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
2032 assert(s);
2033
2034 if (s->pid && s->pid != pid)
2035 zero(*s);
2036
2037 s->pid = pid;
2038 dual_timestamp_get(&s->exit_timestamp);
2039
2040 s->code = code;
2041 s->status = status;
2042
2043 if (context) {
2044 if (context->utmp_id)
2045 utmp_put_dead_process(context->utmp_id, pid, code, status);
2046
2047 exec_context_tty_reset(context);
2048 }
2049 }
2050
2051 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
2052 char buf[FORMAT_TIMESTAMP_MAX];
2053
2054 assert(s);
2055 assert(f);
2056
2057 if (!prefix)
2058 prefix = "";
2059
2060 if (s->pid <= 0)
2061 return;
2062
2063 fprintf(f,
2064 "%sPID: %lu\n",
2065 prefix, (unsigned long) s->pid);
2066
2067 if (s->start_timestamp.realtime > 0)
2068 fprintf(f,
2069 "%sStart Timestamp: %s\n",
2070 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
2071
2072 if (s->exit_timestamp.realtime > 0)
2073 fprintf(f,
2074 "%sExit Timestamp: %s\n"
2075 "%sExit Code: %s\n"
2076 "%sExit Status: %i\n",
2077 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
2078 prefix, sigchld_code_to_string(s->code),
2079 prefix, s->status);
2080 }
2081
2082 char *exec_command_line(char **argv) {
2083 size_t k;
2084 char *n, *p, **a;
2085 bool first = true;
2086
2087 assert(argv);
2088
2089 k = 1;
2090 STRV_FOREACH(a, argv)
2091 k += strlen(*a)+3;
2092
2093 if (!(n = new(char, k)))
2094 return NULL;
2095
2096 p = n;
2097 STRV_FOREACH(a, argv) {
2098
2099 if (!first)
2100 *(p++) = ' ';
2101 else
2102 first = false;
2103
2104 if (strpbrk(*a, WHITESPACE)) {
2105 *(p++) = '\'';
2106 p = stpcpy(p, *a);
2107 *(p++) = '\'';
2108 } else
2109 p = stpcpy(p, *a);
2110
2111 }
2112
2113 *p = 0;
2114
2115 /* FIXME: this doesn't really handle arguments that have
2116 * spaces and ticks in them */
2117
2118 return n;
2119 }
2120
2121 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
2122 char *p2;
2123 const char *prefix2;
2124
2125 char *cmd;
2126
2127 assert(c);
2128 assert(f);
2129
2130 if (!prefix)
2131 prefix = "";
2132 p2 = strappend(prefix, "\t");
2133 prefix2 = p2 ? p2 : prefix;
2134
2135 cmd = exec_command_line(c->argv);
2136
2137 fprintf(f,
2138 "%sCommand Line: %s\n",
2139 prefix, cmd ? cmd : strerror(ENOMEM));
2140
2141 free(cmd);
2142
2143 exec_status_dump(&c->exec_status, f, prefix2);
2144
2145 free(p2);
2146 }
2147
2148 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2149 assert(f);
2150
2151 if (!prefix)
2152 prefix = "";
2153
2154 LIST_FOREACH(command, c, c)
2155 exec_command_dump(c, f, prefix);
2156 }
2157
2158 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
2159 ExecCommand *end;
2160
2161 assert(l);
2162 assert(e);
2163
2164 if (*l) {
2165 /* It's kind of important, that we keep the order here */
2166 LIST_FIND_TAIL(ExecCommand, command, *l, end);
2167 LIST_INSERT_AFTER(ExecCommand, command, *l, end, e);
2168 } else
2169 *l = e;
2170 }
2171
2172 int exec_command_set(ExecCommand *c, const char *path, ...) {
2173 va_list ap;
2174 char **l, *p;
2175
2176 assert(c);
2177 assert(path);
2178
2179 va_start(ap, path);
2180 l = strv_new_ap(path, ap);
2181 va_end(ap);
2182
2183 if (!l)
2184 return -ENOMEM;
2185
2186 if (!(p = strdup(path))) {
2187 strv_free(l);
2188 return -ENOMEM;
2189 }
2190
2191 free(c->path);
2192 c->path = p;
2193
2194 strv_free(c->argv);
2195 c->argv = l;
2196
2197 return 0;
2198 }
2199
2200 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
2201 [EXEC_INPUT_NULL] = "null",
2202 [EXEC_INPUT_TTY] = "tty",
2203 [EXEC_INPUT_TTY_FORCE] = "tty-force",
2204 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
2205 [EXEC_INPUT_SOCKET] = "socket"
2206 };
2207
2208 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
2209
2210 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
2211 [EXEC_OUTPUT_INHERIT] = "inherit",
2212 [EXEC_OUTPUT_NULL] = "null",
2213 [EXEC_OUTPUT_TTY] = "tty",
2214 [EXEC_OUTPUT_SYSLOG] = "syslog",
2215 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
2216 [EXEC_OUTPUT_KMSG] = "kmsg",
2217 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
2218 [EXEC_OUTPUT_JOURNAL] = "journal",
2219 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
2220 [EXEC_OUTPUT_SOCKET] = "socket"
2221 };
2222
2223 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
Unnamed repository; edit this file 'description' to name the repository.