]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/execute.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
cgroup: always keep access mode of 'tasks' and 'cgroup.procs' files in cgroup directo...
[thirdparty/systemd.git] / src / core / execute.c
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2
3 /***
4 This file is part of systemd.
5
6 Copyright 2010 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
17
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 ***/
21
22 #include <assert.h>
23 #include <dirent.h>
24 #include <errno.h>
25 #include <fcntl.h>
26 #include <unistd.h>
27 #include <string.h>
28 #include <signal.h>
29 #include <sys/socket.h>
30 #include <sys/un.h>
31 #include <sys/prctl.h>
32 #include <linux/sched.h>
33 #include <sys/types.h>
34 #include <sys/stat.h>
35 #include <grp.h>
36 #include <pwd.h>
37 #include <sys/mount.h>
38 #include <linux/fs.h>
39 #include <linux/oom.h>
40 #include <sys/poll.h>
41 #include <linux/seccomp-bpf.h>
42 #include <glob.h>
43 #include <libgen.h>
44
45 #ifdef HAVE_PAM
46 #include <security/pam_appl.h>
47 #endif
48
49 #include "execute.h"
50 #include "strv.h"
51 #include "macro.h"
52 #include "capability.h"
53 #include "util.h"
54 #include "log.h"
55 #include "sd-messages.h"
56 #include "ioprio.h"
57 #include "securebits.h"
58 #include "cgroup.h"
59 #include "namespace.h"
60 #include "tcpwrap.h"
61 #include "exit-status.h"
62 #include "missing.h"
63 #include "utmp-wtmp.h"
64 #include "def.h"
65 #include "loopback-setup.h"
66 #include "path-util.h"
67 #include "syscall-list.h"
68 #include "env-util.h"
69 #include "fileio.h"
70
71 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
72
73 /* This assumes there is a 'tty' group */
74 #define TTY_MODE 0620
75
76 static int shift_fds(int fds[], unsigned n_fds) {
77 int start, restart_from;
78
79 if (n_fds <= 0)
80 return 0;
81
82 /* Modifies the fds array! (sorts it) */
83
84 assert(fds);
85
86 start = 0;
87 for (;;) {
88 int i;
89
90 restart_from = -1;
91
92 for (i = start; i < (int) n_fds; i++) {
93 int nfd;
94
95 /* Already at right index? */
96 if (fds[i] == i+3)
97 continue;
98
99 if ((nfd = fcntl(fds[i], F_DUPFD, i+3)) < 0)
100 return -errno;
101
102 close_nointr_nofail(fds[i]);
103 fds[i] = nfd;
104
105 /* Hmm, the fd we wanted isn't free? Then
106 * let's remember that and try again from here*/
107 if (nfd != i+3 && restart_from < 0)
108 restart_from = i;
109 }
110
111 if (restart_from < 0)
112 break;
113
114 start = restart_from;
115 }
116
117 return 0;
118 }
119
120 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
121 unsigned i;
122 int r;
123
124 if (n_fds <= 0)
125 return 0;
126
127 assert(fds);
128
129 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
130
131 for (i = 0; i < n_fds; i++) {
132
133 if ((r = fd_nonblock(fds[i], nonblock)) < 0)
134 return r;
135
136 /* We unconditionally drop FD_CLOEXEC from the fds,
137 * since after all we want to pass these fds to our
138 * children */
139
140 if ((r = fd_cloexec(fds[i], false)) < 0)
141 return r;
142 }
143
144 return 0;
145 }
146
147 static const char *tty_path(const ExecContext *context) {
148 assert(context);
149
150 if (context->tty_path)
151 return context->tty_path;
152
153 return "/dev/console";
154 }
155
156 void exec_context_tty_reset(const ExecContext *context) {
157 assert(context);
158
159 if (context->tty_vhangup)
160 terminal_vhangup(tty_path(context));
161
162 if (context->tty_reset)
163 reset_terminal(tty_path(context));
164
165 if (context->tty_vt_disallocate && context->tty_path)
166 vt_disallocate(context->tty_path);
167 }
168
169 static bool is_terminal_output(ExecOutput o) {
170 return
171 o == EXEC_OUTPUT_TTY ||
172 o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
173 o == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
174 o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE;
175 }
176
177 void exec_context_serialize(const ExecContext *context, Unit *u, FILE *f) {
178 assert(context);
179 assert(u);
180 assert(f);
181
182 if (context->tmp_dir)
183 unit_serialize_item(u, f, "tmp-dir", context->tmp_dir);
184
185 if (context->var_tmp_dir)
186 unit_serialize_item(u, f, "var-tmp-dir", context->var_tmp_dir);
187 }
188
189 static int open_null_as(int flags, int nfd) {
190 int fd, r;
191
192 assert(nfd >= 0);
193
194 if ((fd = open("/dev/null", flags|O_NOCTTY)) < 0)
195 return -errno;
196
197 if (fd != nfd) {
198 r = dup2(fd, nfd) < 0 ? -errno : nfd;
199 close_nointr_nofail(fd);
200 } else
201 r = nfd;
202
203 return r;
204 }
205
206 static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd) {
207 int fd, r;
208 union sockaddr_union sa = {
209 .un.sun_family = AF_UNIX,
210 .un.sun_path = "/run/systemd/journal/stdout",
211 };
212
213 assert(context);
214 assert(output < _EXEC_OUTPUT_MAX);
215 assert(ident);
216 assert(nfd >= 0);
217
218 fd = socket(AF_UNIX, SOCK_STREAM, 0);
219 if (fd < 0)
220 return -errno;
221
222 r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path));
223 if (r < 0) {
224 close_nointr_nofail(fd);
225 return -errno;
226 }
227
228 if (shutdown(fd, SHUT_RD) < 0) {
229 close_nointr_nofail(fd);
230 return -errno;
231 }
232
233 dprintf(fd,
234 "%s\n"
235 "%s\n"
236 "%i\n"
237 "%i\n"
238 "%i\n"
239 "%i\n"
240 "%i\n",
241 context->syslog_identifier ? context->syslog_identifier : ident,
242 unit_id,
243 context->syslog_priority,
244 !!context->syslog_level_prefix,
245 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
246 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
247 is_terminal_output(output));
248
249 if (fd != nfd) {
250 r = dup2(fd, nfd) < 0 ? -errno : nfd;
251 close_nointr_nofail(fd);
252 } else
253 r = nfd;
254
255 return r;
256 }
257 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
258 int fd, r;
259
260 assert(path);
261 assert(nfd >= 0);
262
263 if ((fd = open_terminal(path, mode | O_NOCTTY)) < 0)
264 return fd;
265
266 if (fd != nfd) {
267 r = dup2(fd, nfd) < 0 ? -errno : nfd;
268 close_nointr_nofail(fd);
269 } else
270 r = nfd;
271
272 return r;
273 }
274
275 static bool is_terminal_input(ExecInput i) {
276 return
277 i == EXEC_INPUT_TTY ||
278 i == EXEC_INPUT_TTY_FORCE ||
279 i == EXEC_INPUT_TTY_FAIL;
280 }
281
282 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
283
284 if (is_terminal_input(std_input) && !apply_tty_stdin)
285 return EXEC_INPUT_NULL;
286
287 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
288 return EXEC_INPUT_NULL;
289
290 return std_input;
291 }
292
293 static int fixup_output(ExecOutput std_output, int socket_fd) {
294
295 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
296 return EXEC_OUTPUT_INHERIT;
297
298 return std_output;
299 }
300
301 static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty_stdin) {
302 ExecInput i;
303
304 assert(context);
305
306 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
307
308 switch (i) {
309
310 case EXEC_INPUT_NULL:
311 return open_null_as(O_RDONLY, STDIN_FILENO);
312
313 case EXEC_INPUT_TTY:
314 case EXEC_INPUT_TTY_FORCE:
315 case EXEC_INPUT_TTY_FAIL: {
316 int fd, r;
317
318 if ((fd = acquire_terminal(
319 tty_path(context),
320 i == EXEC_INPUT_TTY_FAIL,
321 i == EXEC_INPUT_TTY_FORCE,
322 false,
323 (usec_t) -1)) < 0)
324 return fd;
325
326 if (fd != STDIN_FILENO) {
327 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
328 close_nointr_nofail(fd);
329 } else
330 r = STDIN_FILENO;
331
332 return r;
333 }
334
335 case EXEC_INPUT_SOCKET:
336 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
337
338 default:
339 assert_not_reached("Unknown input type");
340 }
341 }
342
343 static int setup_output(const ExecContext *context, int fileno, int socket_fd, const char *ident, const char *unit_id, bool apply_tty_stdin) {
344 ExecOutput o;
345 ExecInput i;
346 int r;
347
348 assert(context);
349 assert(ident);
350
351 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
352 o = fixup_output(context->std_output, socket_fd);
353
354 if (fileno == STDERR_FILENO) {
355 ExecOutput e;
356 e = fixup_output(context->std_error, socket_fd);
357
358 /* This expects the input and output are already set up */
359
360 /* Don't change the stderr file descriptor if we inherit all
361 * the way and are not on a tty */
362 if (e == EXEC_OUTPUT_INHERIT &&
363 o == EXEC_OUTPUT_INHERIT &&
364 i == EXEC_INPUT_NULL &&
365 !is_terminal_input(context->std_input) &&
366 getppid () != 1)
367 return fileno;
368
369 /* Duplicate from stdout if possible */
370 if (e == o || e == EXEC_OUTPUT_INHERIT)
371 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
372
373 o = e;
374
375 } else if (o == EXEC_OUTPUT_INHERIT) {
376 /* If input got downgraded, inherit the original value */
377 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
378 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
379
380 /* If the input is connected to anything that's not a /dev/null, inherit that... */
381 if (i != EXEC_INPUT_NULL)
382 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
383
384 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
385 if (getppid() != 1)
386 return fileno;
387
388 /* We need to open /dev/null here anew, to get the right access mode. */
389 return open_null_as(O_WRONLY, fileno);
390 }
391
392 switch (o) {
393
394 case EXEC_OUTPUT_NULL:
395 return open_null_as(O_WRONLY, fileno);
396
397 case EXEC_OUTPUT_TTY:
398 if (is_terminal_input(i))
399 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
400
401 /* We don't reset the terminal if this is just about output */
402 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
403
404 case EXEC_OUTPUT_SYSLOG:
405 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
406 case EXEC_OUTPUT_KMSG:
407 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
408 case EXEC_OUTPUT_JOURNAL:
409 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
410 r = connect_logger_as(context, o, ident, unit_id, fileno);
411 if (r < 0) {
412 log_struct_unit(LOG_CRIT, unit_id,
413 "MESSAGE=Failed to connect std%s of %s to the journal socket: %s",
414 fileno == STDOUT_FILENO ? "out" : "err",
415 unit_id, strerror(-r),
416 "ERRNO=%d", -r,
417 NULL);
418 r = open_null_as(O_WRONLY, fileno);
419 }
420 return r;
421
422 case EXEC_OUTPUT_SOCKET:
423 assert(socket_fd >= 0);
424 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
425
426 default:
427 assert_not_reached("Unknown error type");
428 }
429 }
430
431 static int chown_terminal(int fd, uid_t uid) {
432 struct stat st;
433
434 assert(fd >= 0);
435
436 /* This might fail. What matters are the results. */
437 (void) fchown(fd, uid, -1);
438 (void) fchmod(fd, TTY_MODE);
439
440 if (fstat(fd, &st) < 0)
441 return -errno;
442
443 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
444 return -EPERM;
445
446 return 0;
447 }
448
449 static int setup_confirm_stdio(int *_saved_stdin,
450 int *_saved_stdout) {
451 int fd = -1, saved_stdin, saved_stdout = -1, r;
452
453 assert(_saved_stdin);
454 assert(_saved_stdout);
455
456 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
457 if (saved_stdin < 0)
458 return -errno;
459
460 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
461 if (saved_stdout < 0) {
462 r = errno;
463 goto fail;
464 }
465
466 fd = acquire_terminal(
467 "/dev/console",
468 false,
469 false,
470 false,
471 DEFAULT_CONFIRM_USEC);
472 if (fd < 0) {
473 r = fd;
474 goto fail;
475 }
476
477 r = chown_terminal(fd, getuid());
478 if (r < 0)
479 goto fail;
480
481 if (dup2(fd, STDIN_FILENO) < 0) {
482 r = -errno;
483 goto fail;
484 }
485
486 if (dup2(fd, STDOUT_FILENO) < 0) {
487 r = -errno;
488 goto fail;
489 }
490
491 if (fd >= 2)
492 close_nointr_nofail(fd);
493
494 *_saved_stdin = saved_stdin;
495 *_saved_stdout = saved_stdout;
496
497 return 0;
498
499 fail:
500 if (saved_stdout >= 0)
501 close_nointr_nofail(saved_stdout);
502
503 if (saved_stdin >= 0)
504 close_nointr_nofail(saved_stdin);
505
506 if (fd >= 0)
507 close_nointr_nofail(fd);
508
509 return r;
510 }
511
512 static int write_confirm_message(const char *format, ...) {
513 int fd;
514 va_list ap;
515
516 assert(format);
517
518 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
519 if (fd < 0)
520 return fd;
521
522 va_start(ap, format);
523 vdprintf(fd, format, ap);
524 va_end(ap);
525
526 close_nointr_nofail(fd);
527
528 return 0;
529 }
530
531 static int restore_confirm_stdio(int *saved_stdin,
532 int *saved_stdout) {
533
534 int r = 0;
535
536 assert(saved_stdin);
537 assert(saved_stdout);
538
539 release_terminal();
540
541 if (*saved_stdin >= 0)
542 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
543 r = -errno;
544
545 if (*saved_stdout >= 0)
546 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
547 r = -errno;
548
549 if (*saved_stdin >= 0)
550 close_nointr_nofail(*saved_stdin);
551
552 if (*saved_stdout >= 0)
553 close_nointr_nofail(*saved_stdout);
554
555 return r;
556 }
557
558 static int ask_for_confirmation(char *response, char **argv) {
559 int saved_stdout = -1, saved_stdin = -1, r;
560 char *line;
561
562 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
563 if (r < 0)
564 return r;
565
566 line = exec_command_line(argv);
567 if (!line)
568 return -ENOMEM;
569
570 r = ask(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
571 free(line);
572
573 restore_confirm_stdio(&saved_stdin, &saved_stdout);
574
575 return r;
576 }
577
578 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
579 bool keep_groups = false;
580 int r;
581
582 assert(context);
583
584 /* Lookup and set GID and supplementary group list. Here too
585 * we avoid NSS lookups for gid=0. */
586
587 if (context->group || username) {
588
589 if (context->group) {
590 const char *g = context->group;
591
592 if ((r = get_group_creds(&g, &gid)) < 0)
593 return r;
594 }
595
596 /* First step, initialize groups from /etc/groups */
597 if (username && gid != 0) {
598 if (initgroups(username, gid) < 0)
599 return -errno;
600
601 keep_groups = true;
602 }
603
604 /* Second step, set our gids */
605 if (setresgid(gid, gid, gid) < 0)
606 return -errno;
607 }
608
609 if (context->supplementary_groups) {
610 int ngroups_max, k;
611 gid_t *gids;
612 char **i;
613
614 /* Final step, initialize any manually set supplementary groups */
615 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
616
617 if (!(gids = new(gid_t, ngroups_max)))
618 return -ENOMEM;
619
620 if (keep_groups) {
621 if ((k = getgroups(ngroups_max, gids)) < 0) {
622 free(gids);
623 return -errno;
624 }
625 } else
626 k = 0;
627
628 STRV_FOREACH(i, context->supplementary_groups) {
629 const char *g;
630
631 if (k >= ngroups_max) {
632 free(gids);
633 return -E2BIG;
634 }
635
636 g = *i;
637 r = get_group_creds(&g, gids+k);
638 if (r < 0) {
639 free(gids);
640 return r;
641 }
642
643 k++;
644 }
645
646 if (setgroups(k, gids) < 0) {
647 free(gids);
648 return -errno;
649 }
650
651 free(gids);
652 }
653
654 return 0;
655 }
656
657 static int enforce_user(const ExecContext *context, uid_t uid) {
658 int r;
659 assert(context);
660
661 /* Sets (but doesn't lookup) the uid and make sure we keep the
662 * capabilities while doing so. */
663
664 if (context->capabilities) {
665 cap_t d;
666 static const cap_value_t bits[] = {
667 CAP_SETUID, /* Necessary so that we can run setresuid() below */
668 CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
669 };
670
671 /* First step: If we need to keep capabilities but
672 * drop privileges we need to make sure we keep our
673 * caps, while we drop privileges. */
674 if (uid != 0) {
675 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
676
677 if (prctl(PR_GET_SECUREBITS) != sb)
678 if (prctl(PR_SET_SECUREBITS, sb) < 0)
679 return -errno;
680 }
681
682 /* Second step: set the capabilities. This will reduce
683 * the capabilities to the minimum we need. */
684
685 if (!(d = cap_dup(context->capabilities)))
686 return -errno;
687
688 if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
689 cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0) {
690 r = -errno;
691 cap_free(d);
692 return r;
693 }
694
695 if (cap_set_proc(d) < 0) {
696 r = -errno;
697 cap_free(d);
698 return r;
699 }
700
701 cap_free(d);
702 }
703
704 /* Third step: actually set the uids */
705 if (setresuid(uid, uid, uid) < 0)
706 return -errno;
707
708 /* At this point we should have all necessary capabilities but
709 are otherwise a normal user. However, the caps might got
710 corrupted due to the setresuid() so we need clean them up
711 later. This is done outside of this call. */
712
713 return 0;
714 }
715
716 #ifdef HAVE_PAM
717
718 static int null_conv(
719 int num_msg,
720 const struct pam_message **msg,
721 struct pam_response **resp,
722 void *appdata_ptr) {
723
724 /* We don't support conversations */
725
726 return PAM_CONV_ERR;
727 }
728
729 static int setup_pam(
730 const char *name,
731 const char *user,
732 uid_t uid,
733 const char *tty,
734 char ***pam_env,
735 int fds[], unsigned n_fds) {
736
737 static const struct pam_conv conv = {
738 .conv = null_conv,
739 .appdata_ptr = NULL
740 };
741
742 pam_handle_t *handle = NULL;
743 sigset_t ss, old_ss;
744 int pam_code = PAM_SUCCESS;
745 int err;
746 char **e = NULL;
747 bool close_session = false;
748 pid_t pam_pid = 0, parent_pid;
749
750 assert(name);
751 assert(user);
752 assert(pam_env);
753
754 /* We set up PAM in the parent process, then fork. The child
755 * will then stay around until killed via PR_GET_PDEATHSIG or
756 * systemd via the cgroup logic. It will then remove the PAM
757 * session again. The parent process will exec() the actual
758 * daemon. We do things this way to ensure that the main PID
759 * of the daemon is the one we initially fork()ed. */
760
761 if ((pam_code = pam_start(name, user, &conv, &handle)) != PAM_SUCCESS) {
762 handle = NULL;
763 goto fail;
764 }
765
766 if (tty)
767 if ((pam_code = pam_set_item(handle, PAM_TTY, tty)) != PAM_SUCCESS)
768 goto fail;
769
770 if ((pam_code = pam_acct_mgmt(handle, PAM_SILENT)) != PAM_SUCCESS)
771 goto fail;
772
773 if ((pam_code = pam_open_session(handle, PAM_SILENT)) != PAM_SUCCESS)
774 goto fail;
775
776 close_session = true;
777
778 if ((!(e = pam_getenvlist(handle)))) {
779 pam_code = PAM_BUF_ERR;
780 goto fail;
781 }
782
783 /* Block SIGTERM, so that we know that it won't get lost in
784 * the child */
785 if (sigemptyset(&ss) < 0 ||
786 sigaddset(&ss, SIGTERM) < 0 ||
787 sigprocmask(SIG_BLOCK, &ss, &old_ss) < 0)
788 goto fail;
789
790 parent_pid = getpid();
791
792 if ((pam_pid = fork()) < 0)
793 goto fail;
794
795 if (pam_pid == 0) {
796 int sig;
797 int r = EXIT_PAM;
798
799 /* The child's job is to reset the PAM session on
800 * termination */
801
802 /* This string must fit in 10 chars (i.e. the length
803 * of "/sbin/init"), to look pretty in /bin/ps */
804 rename_process("(sd-pam)");
805
806 /* Make sure we don't keep open the passed fds in this
807 child. We assume that otherwise only those fds are
808 open here that have been opened by PAM. */
809 close_many(fds, n_fds);
810
811 /* Drop privileges - we don't need any to pam_close_session
812 * and this will make PR_SET_PDEATHSIG work in most cases.
813 * If this fails, ignore the error - but expect sd-pam threads
814 * to fail to exit normally */
815 if (setresuid(uid, uid, uid) < 0)
816 log_error("Error: Failed to setresuid() in sd-pam: %s", strerror(-r));
817
818 /* Wait until our parent died. This will only work if
819 * the above setresuid() succeeds, otherwise the kernel
820 * will not allow unprivileged parents kill their privileged
821 * children this way. We rely on the control groups kill logic
822 * to do the rest for us. */
823 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
824 goto child_finish;
825
826 /* Check if our parent process might already have
827 * died? */
828 if (getppid() == parent_pid) {
829 for (;;) {
830 if (sigwait(&ss, &sig) < 0) {
831 if (errno == EINTR)
832 continue;
833
834 goto child_finish;
835 }
836
837 assert(sig == SIGTERM);
838 break;
839 }
840 }
841
842 /* If our parent died we'll end the session */
843 if (getppid() != parent_pid)
844 if ((pam_code = pam_close_session(handle, PAM_DATA_SILENT)) != PAM_SUCCESS)
845 goto child_finish;
846
847 r = 0;
848
849 child_finish:
850 pam_end(handle, pam_code | PAM_DATA_SILENT);
851 _exit(r);
852 }
853
854 /* If the child was forked off successfully it will do all the
855 * cleanups, so forget about the handle here. */
856 handle = NULL;
857
858 /* Unblock SIGTERM again in the parent */
859 if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0)
860 goto fail;
861
862 /* We close the log explicitly here, since the PAM modules
863 * might have opened it, but we don't want this fd around. */
864 closelog();
865
866 *pam_env = e;
867 e = NULL;
868
869 return 0;
870
871 fail:
872 if (pam_code != PAM_SUCCESS)
873 err = -EPERM; /* PAM errors do not map to errno */
874 else
875 err = -errno;
876
877 if (handle) {
878 if (close_session)
879 pam_code = pam_close_session(handle, PAM_DATA_SILENT);
880
881 pam_end(handle, pam_code | PAM_DATA_SILENT);
882 }
883
884 strv_free(e);
885
886 closelog();
887
888 if (pam_pid > 1) {
889 kill(pam_pid, SIGTERM);
890 kill(pam_pid, SIGCONT);
891 }
892
893 return err;
894 }
895 #endif
896
897 static void rename_process_from_path(const char *path) {
898 char process_name[11];
899 const char *p;
900 size_t l;
901
902 /* This resulting string must fit in 10 chars (i.e. the length
903 * of "/sbin/init") to look pretty in /bin/ps */
904
905 p = path_get_file_name(path);
906 if (isempty(p)) {
907 rename_process("(...)");
908 return;
909 }
910
911 l = strlen(p);
912 if (l > 8) {
913 /* The end of the process name is usually more
914 * interesting, since the first bit might just be
915 * "systemd-" */
916 p = p + l - 8;
917 l = 8;
918 }
919
920 process_name[0] = '(';
921 memcpy(process_name+1, p, l);
922 process_name[1+l] = ')';
923 process_name[1+l+1] = 0;
924
925 rename_process(process_name);
926 }
927
928 static int apply_seccomp(uint32_t *syscall_filter) {
929 static const struct sock_filter header[] = {
930 VALIDATE_ARCHITECTURE,
931 EXAMINE_SYSCALL
932 };
933 static const struct sock_filter footer[] = {
934 _KILL_PROCESS
935 };
936
937 int i;
938 unsigned n;
939 struct sock_filter *f;
940 struct sock_fprog prog = {};
941
942 assert(syscall_filter);
943
944 /* First: count the syscalls to check for */
945 for (i = 0, n = 0; i < syscall_max(); i++)
946 if (syscall_filter[i >> 4] & (1 << (i & 31)))
947 n++;
948
949 /* Second: build the filter program from a header the syscall
950 * matches and the footer */
951 f = alloca(sizeof(struct sock_filter) * (ELEMENTSOF(header) + 2*n + ELEMENTSOF(footer)));
952 memcpy(f, header, sizeof(header));
953
954 for (i = 0, n = 0; i < syscall_max(); i++)
955 if (syscall_filter[i >> 4] & (1 << (i & 31))) {
956 struct sock_filter item[] = {
957 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, INDEX_TO_SYSCALL(i), 0, 1),
958 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
959 };
960
961 assert_cc(ELEMENTSOF(item) == 2);
962
963 f[ELEMENTSOF(header) + 2*n] = item[0];
964 f[ELEMENTSOF(header) + 2*n+1] = item[1];
965
966 n++;
967 }
968
969 memcpy(f + (ELEMENTSOF(header) + 2*n), footer, sizeof(footer));
970
971 /* Third: install the filter */
972 prog.len = ELEMENTSOF(header) + ELEMENTSOF(footer) + 2*n;
973 prog.filter = f;
974 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0)
975 return -errno;
976
977 return 0;
978 }
979
980 int exec_spawn(ExecCommand *command,
981 char **argv,
982 ExecContext *context,
983 int fds[], unsigned n_fds,
984 char **environment,
985 bool apply_permissions,
986 bool apply_chroot,
987 bool apply_tty_stdin,
988 bool confirm_spawn,
989 CGroupBonding *cgroup_bondings,
990 CGroupAttribute *cgroup_attributes,
991 const char *cgroup_suffix,
992 const char *unit_id,
993 int idle_pipe[2],
994 pid_t *ret) {
995
996 pid_t pid;
997 int r;
998 char *line;
999 int socket_fd;
1000 char _cleanup_strv_free_ **files_env = NULL;
1001
1002 assert(command);
1003 assert(context);
1004 assert(ret);
1005 assert(fds || n_fds <= 0);
1006
1007 if (context->std_input == EXEC_INPUT_SOCKET ||
1008 context->std_output == EXEC_OUTPUT_SOCKET ||
1009 context->std_error == EXEC_OUTPUT_SOCKET) {
1010
1011 if (n_fds != 1)
1012 return -EINVAL;
1013
1014 socket_fd = fds[0];
1015
1016 fds = NULL;
1017 n_fds = 0;
1018 } else
1019 socket_fd = -1;
1020
1021 r = exec_context_load_environment(context, &files_env);
1022 if (r < 0) {
1023 log_struct_unit(LOG_ERR,
1024 unit_id,
1025 "MESSAGE=Failed to load environment files: %s", strerror(-r),
1026 "ERRNO=%d", -r,
1027 NULL);
1028 return r;
1029 }
1030
1031 if (!argv)
1032 argv = command->argv;
1033
1034 line = exec_command_line(argv);
1035 if (!line)
1036 return log_oom();
1037
1038 log_struct_unit(LOG_DEBUG,
1039 unit_id,
1040 "MESSAGE=About to execute %s", line,
1041 NULL);
1042 free(line);
1043
1044 r = cgroup_bonding_realize_list(cgroup_bondings);
1045 if (r < 0)
1046 return r;
1047
1048 /* We must initialize the attributes in the parent, before we
1049 fork, because we really need them initialized before making
1050 the process a member of the group (which we do in both the
1051 child and the parent), and we cannot really apply them twice
1052 (due to 'append' style attributes) */
1053 cgroup_attribute_apply_list(cgroup_attributes, cgroup_bondings);
1054
1055 if (context->private_tmp && !context->tmp_dir && !context->var_tmp_dir) {
1056 r = setup_tmpdirs(&context->tmp_dir, &context->var_tmp_dir);
1057 if (r < 0)
1058 return r;
1059 }
1060
1061 pid = fork();
1062 if (pid < 0)
1063 return -errno;
1064
1065 if (pid == 0) {
1066 int i, err;
1067 sigset_t ss;
1068 const char *username = NULL, *home = NULL;
1069 uid_t uid = (uid_t) -1;
1070 gid_t gid = (gid_t) -1;
1071 char _cleanup_strv_free_ **our_env = NULL, **pam_env = NULL,
1072 **final_env = NULL, **final_argv = NULL;
1073 unsigned n_env = 0;
1074 bool set_access = false;
1075
1076 /* child */
1077
1078 rename_process_from_path(command->path);
1079
1080 /* We reset exactly these signals, since they are the
1081 * only ones we set to SIG_IGN in the main daemon. All
1082 * others we leave untouched because we set them to
1083 * SIG_DFL or a valid handler initially, both of which
1084 * will be demoted to SIG_DFL. */
1085 default_signals(SIGNALS_CRASH_HANDLER,
1086 SIGNALS_IGNORE, -1);
1087
1088 if (context->ignore_sigpipe)
1089 ignore_signals(SIGPIPE, -1);
1090
1091 assert_se(sigemptyset(&ss) == 0);
1092 if (sigprocmask(SIG_SETMASK, &ss, NULL) < 0) {
1093 err = -errno;
1094 r = EXIT_SIGNAL_MASK;
1095 goto fail_child;
1096 }
1097
1098 if (idle_pipe) {
1099 if (idle_pipe[1] >= 0)
1100 close_nointr_nofail(idle_pipe[1]);
1101 if (idle_pipe[0] >= 0) {
1102 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1103 close_nointr_nofail(idle_pipe[0]);
1104 }
1105 }
1106
1107 /* Close sockets very early to make sure we don't
1108 * block init reexecution because it cannot bind its
1109 * sockets */
1110 log_forget_fds();
1111 err = close_all_fds(socket_fd >= 0 ? &socket_fd : fds,
1112 socket_fd >= 0 ? 1 : n_fds);
1113 if (err < 0) {
1114 r = EXIT_FDS;
1115 goto fail_child;
1116 }
1117
1118 if (!context->same_pgrp)
1119 if (setsid() < 0) {
1120 err = -errno;
1121 r = EXIT_SETSID;
1122 goto fail_child;
1123 }
1124
1125 if (context->tcpwrap_name) {
1126 if (socket_fd >= 0)
1127 if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) {
1128 err = -EACCES;
1129 r = EXIT_TCPWRAP;
1130 goto fail_child;
1131 }
1132
1133 for (i = 0; i < (int) n_fds; i++) {
1134 if (!socket_tcpwrap(fds[i], context->tcpwrap_name)) {
1135 err = -EACCES;
1136 r = EXIT_TCPWRAP;
1137 goto fail_child;
1138 }
1139 }
1140 }
1141
1142 exec_context_tty_reset(context);
1143
1144 if (confirm_spawn) {
1145 char response;
1146
1147 err = ask_for_confirmation(&response, argv);
1148 if (err == -ETIMEDOUT)
1149 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
1150 else if (err < 0)
1151 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-err));
1152 else if (response == 's') {
1153 write_confirm_message("Skipping execution.\n");
1154 err = -ECANCELED;
1155 r = EXIT_CONFIRM;
1156 goto fail_child;
1157 } else if (response == 'n') {
1158 write_confirm_message("Failing execution.\n");
1159 err = r = 0;
1160 goto fail_child;
1161 }
1162 }
1163
1164 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1165 * must sure to drop O_NONBLOCK */
1166 if (socket_fd >= 0)
1167 fd_nonblock(socket_fd, false);
1168
1169 err = setup_input(context, socket_fd, apply_tty_stdin);
1170 if (err < 0) {
1171 r = EXIT_STDIN;
1172 goto fail_child;
1173 }
1174
1175 err = setup_output(context, STDOUT_FILENO, socket_fd, path_get_file_name(command->path), unit_id, apply_tty_stdin);
1176 if (err < 0) {
1177 r = EXIT_STDOUT;
1178 goto fail_child;
1179 }
1180
1181 err = setup_output(context, STDERR_FILENO, socket_fd, path_get_file_name(command->path), unit_id, apply_tty_stdin);
1182 if (err < 0) {
1183 r = EXIT_STDERR;
1184 goto fail_child;
1185 }
1186
1187 if (cgroup_bondings) {
1188 err = cgroup_bonding_install_list(cgroup_bondings, 0, cgroup_suffix);
1189 if (err < 0) {
1190 r = EXIT_CGROUP;
1191 goto fail_child;
1192 }
1193 }
1194
1195 if (context->oom_score_adjust_set) {
1196 char t[16];
1197
1198 snprintf(t, sizeof(t), "%i", context->oom_score_adjust);
1199 char_array_0(t);
1200
1201 if (write_string_file("/proc/self/oom_score_adj", t) < 0) {
1202 err = -errno;
1203 r = EXIT_OOM_ADJUST;
1204 goto fail_child;
1205 }
1206 }
1207
1208 if (context->nice_set)
1209 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
1210 err = -errno;
1211 r = EXIT_NICE;
1212 goto fail_child;
1213 }
1214
1215 if (context->cpu_sched_set) {
1216 struct sched_param param = {
1217 .sched_priority = context->cpu_sched_priority,
1218 };
1219
1220 r = sched_setscheduler(0,
1221 context->cpu_sched_policy |
1222 (context->cpu_sched_reset_on_fork ?
1223 SCHED_RESET_ON_FORK : 0),
1224 &param);
1225 if (r < 0) {
1226 err = -errno;
1227 r = EXIT_SETSCHEDULER;
1228 goto fail_child;
1229 }
1230 }
1231
1232 if (context->cpuset)
1233 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
1234 err = -errno;
1235 r = EXIT_CPUAFFINITY;
1236 goto fail_child;
1237 }
1238
1239 if (context->ioprio_set)
1240 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
1241 err = -errno;
1242 r = EXIT_IOPRIO;
1243 goto fail_child;
1244 }
1245
1246 if (context->timer_slack_nsec != (nsec_t) -1)
1247 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
1248 err = -errno;
1249 r = EXIT_TIMERSLACK;
1250 goto fail_child;
1251 }
1252
1253 if (context->utmp_id)
1254 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path);
1255
1256 if (context->user) {
1257 username = context->user;
1258 err = get_user_creds(&username, &uid, &gid, &home, NULL);
1259 if (err < 0) {
1260 r = EXIT_USER;
1261 goto fail_child;
1262 }
1263
1264 if (is_terminal_input(context->std_input)) {
1265 err = chown_terminal(STDIN_FILENO, uid);
1266 if (err < 0) {
1267 r = EXIT_STDIN;
1268 goto fail_child;
1269 }
1270 }
1271
1272 if (cgroup_bondings && context->control_group_modify) {
1273 err = cgroup_bonding_set_group_access_list(cgroup_bondings, 0755, uid, gid);
1274 if (err >= 0)
1275 err = cgroup_bonding_set_task_access_list(
1276 cgroup_bondings,
1277 0644,
1278 uid,
1279 gid,
1280 context->control_group_persistent);
1281 if (err < 0) {
1282 r = EXIT_CGROUP;
1283 goto fail_child;
1284 }
1285
1286 set_access = true;
1287 }
1288 }
1289
1290 if (cgroup_bondings && !set_access && context->control_group_persistent >= 0) {
1291 err = cgroup_bonding_set_task_access_list(
1292 cgroup_bondings,
1293 (mode_t) -1,
1294 (uid_t) -1,
1295 (uid_t) -1,
1296 context->control_group_persistent);
1297 if (err < 0) {
1298 r = EXIT_CGROUP;
1299 goto fail_child;
1300 }
1301 }
1302
1303 if (apply_permissions) {
1304 err = enforce_groups(context, username, gid);
1305 if (err < 0) {
1306 r = EXIT_GROUP;
1307 goto fail_child;
1308 }
1309 }
1310
1311 umask(context->umask);
1312
1313 #ifdef HAVE_PAM
1314 if (apply_permissions && context->pam_name && username) {
1315 err = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
1316 if (err < 0) {
1317 r = EXIT_PAM;
1318 goto fail_child;
1319 }
1320 }
1321 #endif
1322 if (context->private_network) {
1323 if (unshare(CLONE_NEWNET) < 0) {
1324 err = -errno;
1325 r = EXIT_NETWORK;
1326 goto fail_child;
1327 }
1328
1329 loopback_setup();
1330 }
1331
1332 if (strv_length(context->read_write_dirs) > 0 ||
1333 strv_length(context->read_only_dirs) > 0 ||
1334 strv_length(context->inaccessible_dirs) > 0 ||
1335 context->mount_flags != 0 ||
1336 context->private_tmp) {
1337 err = setup_namespace(context->read_write_dirs,
1338 context->read_only_dirs,
1339 context->inaccessible_dirs,
1340 context->tmp_dir,
1341 context->var_tmp_dir,
1342 context->private_tmp,
1343 context->mount_flags);
1344 if (err < 0) {
1345 r = EXIT_NAMESPACE;
1346 goto fail_child;
1347 }
1348 }
1349
1350 if (apply_chroot) {
1351 if (context->root_directory)
1352 if (chroot(context->root_directory) < 0) {
1353 err = -errno;
1354 r = EXIT_CHROOT;
1355 goto fail_child;
1356 }
1357
1358 if (chdir(context->working_directory ? context->working_directory : "/") < 0) {
1359 err = -errno;
1360 r = EXIT_CHDIR;
1361 goto fail_child;
1362 }
1363 } else {
1364 char _cleanup_free_ *d = NULL;
1365
1366 if (asprintf(&d, "%s/%s",
1367 context->root_directory ? context->root_directory : "",
1368 context->working_directory ? context->working_directory : "") < 0) {
1369 err = -ENOMEM;
1370 r = EXIT_MEMORY;
1371 goto fail_child;
1372 }
1373
1374 if (chdir(d) < 0) {
1375 err = -errno;
1376 r = EXIT_CHDIR;
1377 goto fail_child;
1378 }
1379 }
1380
1381 /* We repeat the fd closing here, to make sure that
1382 * nothing is leaked from the PAM modules */
1383 err = close_all_fds(fds, n_fds);
1384 if (err >= 0)
1385 err = shift_fds(fds, n_fds);
1386 if (err >= 0)
1387 err = flags_fds(fds, n_fds, context->non_blocking);
1388 if (err < 0) {
1389 r = EXIT_FDS;
1390 goto fail_child;
1391 }
1392
1393 if (apply_permissions) {
1394
1395 for (i = 0; i < RLIMIT_NLIMITS; i++) {
1396 if (!context->rlimit[i])
1397 continue;
1398
1399 if (setrlimit_closest(i, context->rlimit[i]) < 0) {
1400 err = -errno;
1401 r = EXIT_LIMITS;
1402 goto fail_child;
1403 }
1404 }
1405
1406 if (context->capability_bounding_set_drop) {
1407 err = capability_bounding_set_drop(context->capability_bounding_set_drop, false);
1408 if (err < 0) {
1409 r = EXIT_CAPABILITIES;
1410 goto fail_child;
1411 }
1412 }
1413
1414 if (context->user) {
1415 err = enforce_user(context, uid);
1416 if (err < 0) {
1417 r = EXIT_USER;
1418 goto fail_child;
1419 }
1420 }
1421
1422 /* PR_GET_SECUREBITS is not privileged, while
1423 * PR_SET_SECUREBITS is. So to suppress
1424 * potential EPERMs we'll try not to call
1425 * PR_SET_SECUREBITS unless necessary. */
1426 if (prctl(PR_GET_SECUREBITS) != context->secure_bits)
1427 if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
1428 err = -errno;
1429 r = EXIT_SECUREBITS;
1430 goto fail_child;
1431 }
1432
1433 if (context->capabilities)
1434 if (cap_set_proc(context->capabilities) < 0) {
1435 err = -errno;
1436 r = EXIT_CAPABILITIES;
1437 goto fail_child;
1438 }
1439
1440 if (context->no_new_privileges)
1441 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
1442 err = -errno;
1443 r = EXIT_NO_NEW_PRIVILEGES;
1444 goto fail_child;
1445 }
1446
1447 if (context->syscall_filter) {
1448 err = apply_seccomp(context->syscall_filter);
1449 if (err < 0) {
1450 r = EXIT_SECCOMP;
1451 goto fail_child;
1452 }
1453 }
1454 }
1455
1456 our_env = new0(char*, 7);
1457 if (!our_env) {
1458 err = -ENOMEM;
1459 r = EXIT_MEMORY;
1460 goto fail_child;
1461 }
1462
1463 if (n_fds > 0)
1464 if (asprintf(our_env + n_env++, "LISTEN_PID=%lu", (unsigned long) getpid()) < 0 ||
1465 asprintf(our_env + n_env++, "LISTEN_FDS=%u", n_fds) < 0) {
1466 err = -ENOMEM;
1467 r = EXIT_MEMORY;
1468 goto fail_child;
1469 }
1470
1471 if (home)
1472 if (asprintf(our_env + n_env++, "HOME=%s", home) < 0) {
1473 err = -ENOMEM;
1474 r = EXIT_MEMORY;
1475 goto fail_child;
1476 }
1477
1478 if (username)
1479 if (asprintf(our_env + n_env++, "LOGNAME=%s", username) < 0 ||
1480 asprintf(our_env + n_env++, "USER=%s", username) < 0) {
1481 err = -ENOMEM;
1482 r = EXIT_MEMORY;
1483 goto fail_child;
1484 }
1485
1486 if (is_terminal_input(context->std_input) ||
1487 context->std_output == EXEC_OUTPUT_TTY ||
1488 context->std_error == EXEC_OUTPUT_TTY)
1489 if (!(our_env[n_env++] = strdup(default_term_for_tty(tty_path(context))))) {
1490 err = -ENOMEM;
1491 r = EXIT_MEMORY;
1492 goto fail_child;
1493 }
1494
1495 assert(n_env <= 7);
1496
1497 final_env = strv_env_merge(5,
1498 environment,
1499 our_env,
1500 context->environment,
1501 files_env,
1502 pam_env,
1503 NULL);
1504 if (!final_env) {
1505 err = -ENOMEM;
1506 r = EXIT_MEMORY;
1507 goto fail_child;
1508 }
1509
1510 final_argv = replace_env_argv(argv, final_env);
1511 if (!final_argv) {
1512 err = -ENOMEM;
1513 r = EXIT_MEMORY;
1514 goto fail_child;
1515 }
1516
1517 final_env = strv_env_clean(final_env);
1518
1519 execve(command->path, final_argv, final_env);
1520 err = -errno;
1521 r = EXIT_EXEC;
1522
1523 fail_child:
1524 if (r != 0) {
1525 log_open();
1526 log_struct(LOG_ERR, MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
1527 "EXECUTABLE=%s", command->path,
1528 "MESSAGE=Failed at step %s spawning %s: %s",
1529 exit_status_to_string(r, EXIT_STATUS_SYSTEMD),
1530 command->path, strerror(-err),
1531 "ERRNO=%d", -err,
1532 NULL);
1533 log_close();
1534 }
1535
1536 _exit(r);
1537 }
1538
1539 log_struct_unit(LOG_DEBUG,
1540 unit_id,
1541 "MESSAGE=Forked %s as %lu",
1542 command->path, (unsigned long) pid,
1543 NULL);
1544
1545 /* We add the new process to the cgroup both in the child (so
1546 * that we can be sure that no user code is ever executed
1547 * outside of the cgroup) and in the parent (so that we can be
1548 * sure that when we kill the cgroup the process will be
1549 * killed too). */
1550 if (cgroup_bondings)
1551 cgroup_bonding_install_list(cgroup_bondings, pid, cgroup_suffix);
1552
1553 exec_status_start(&command->exec_status, pid);
1554
1555 *ret = pid;
1556 return 0;
1557 }
1558
1559 void exec_context_init(ExecContext *c) {
1560 assert(c);
1561
1562 c->umask = 0022;
1563 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
1564 c->cpu_sched_policy = SCHED_OTHER;
1565 c->syslog_priority = LOG_DAEMON|LOG_INFO;
1566 c->syslog_level_prefix = true;
1567 c->control_group_persistent = -1;
1568 c->ignore_sigpipe = true;
1569 c->timer_slack_nsec = (nsec_t) -1;
1570 }
1571
1572 void exec_context_tmp_dirs_done(ExecContext *c) {
1573 char* dirs[] = {c->tmp_dir ? c->tmp_dir : c->var_tmp_dir,
1574 c->tmp_dir ? c->var_tmp_dir : NULL,
1575 NULL};
1576 char **dirp;
1577
1578 for(dirp = dirs; *dirp; dirp++) {
1579 char *dir;
1580 int r;
1581
1582 r = rm_rf_dangerous(*dirp, false, true, false);
1583 dir = dirname(*dirp);
1584 if (r < 0)
1585 log_warning("Failed to remove content of temporary directory %s: %s",
1586 dir, strerror(-r));
1587 else {
1588 r = rmdir(dir);
1589 if (r < 0)
1590 log_warning("Failed to remove temporary directory %s: %s",
1591 dir, strerror(-r));
1592 }
1593
1594 free(*dirp);
1595 }
1596
1597 c->tmp_dir = c->var_tmp_dir = NULL;
1598 }
1599
1600 void exec_context_done(ExecContext *c, bool reloading_or_reexecuting) {
1601 unsigned l;
1602
1603 assert(c);
1604
1605 strv_free(c->environment);
1606 c->environment = NULL;
1607
1608 strv_free(c->environment_files);
1609 c->environment_files = NULL;
1610
1611 for (l = 0; l < ELEMENTSOF(c->rlimit); l++) {
1612 free(c->rlimit[l]);
1613 c->rlimit[l] = NULL;
1614 }
1615
1616 free(c->working_directory);
1617 c->working_directory = NULL;
1618 free(c->root_directory);
1619 c->root_directory = NULL;
1620
1621 free(c->tty_path);
1622 c->tty_path = NULL;
1623
1624 free(c->tcpwrap_name);
1625 c->tcpwrap_name = NULL;
1626
1627 free(c->syslog_identifier);
1628 c->syslog_identifier = NULL;
1629
1630 free(c->user);
1631 c->user = NULL;
1632
1633 free(c->group);
1634 c->group = NULL;
1635
1636 strv_free(c->supplementary_groups);
1637 c->supplementary_groups = NULL;
1638
1639 free(c->pam_name);
1640 c->pam_name = NULL;
1641
1642 if (c->capabilities) {
1643 cap_free(c->capabilities);
1644 c->capabilities = NULL;
1645 }
1646
1647 strv_free(c->read_only_dirs);
1648 c->read_only_dirs = NULL;
1649
1650 strv_free(c->read_write_dirs);
1651 c->read_write_dirs = NULL;
1652
1653 strv_free(c->inaccessible_dirs);
1654 c->inaccessible_dirs = NULL;
1655
1656 if (c->cpuset)
1657 CPU_FREE(c->cpuset);
1658
1659 free(c->utmp_id);
1660 c->utmp_id = NULL;
1661
1662 free(c->syscall_filter);
1663 c->syscall_filter = NULL;
1664
1665 if (!reloading_or_reexecuting)
1666 exec_context_tmp_dirs_done(c);
1667 }
1668
1669 void exec_command_done(ExecCommand *c) {
1670 assert(c);
1671
1672 free(c->path);
1673 c->path = NULL;
1674
1675 strv_free(c->argv);
1676 c->argv = NULL;
1677 }
1678
1679 void exec_command_done_array(ExecCommand *c, unsigned n) {
1680 unsigned i;
1681
1682 for (i = 0; i < n; i++)
1683 exec_command_done(c+i);
1684 }
1685
1686 void exec_command_free_list(ExecCommand *c) {
1687 ExecCommand *i;
1688
1689 while ((i = c)) {
1690 LIST_REMOVE(ExecCommand, command, c, i);
1691 exec_command_done(i);
1692 free(i);
1693 }
1694 }
1695
1696 void exec_command_free_array(ExecCommand **c, unsigned n) {
1697 unsigned i;
1698
1699 for (i = 0; i < n; i++) {
1700 exec_command_free_list(c[i]);
1701 c[i] = NULL;
1702 }
1703 }
1704
1705 int exec_context_load_environment(const ExecContext *c, char ***l) {
1706 char **i, **r = NULL;
1707
1708 assert(c);
1709 assert(l);
1710
1711 STRV_FOREACH(i, c->environment_files) {
1712 char *fn;
1713 int k;
1714 bool ignore = false;
1715 char **p;
1716 glob_t _cleanup_globfree_ pglob = {};
1717 int count, n;
1718
1719 fn = *i;
1720
1721 if (fn[0] == '-') {
1722 ignore = true;
1723 fn ++;
1724 }
1725
1726 if (!path_is_absolute(fn)) {
1727 if (ignore)
1728 continue;
1729
1730 strv_free(r);
1731 return -EINVAL;
1732 }
1733
1734 /* Filename supports globbing, take all matching files */
1735 errno = 0;
1736 if (glob(fn, 0, NULL, &pglob) != 0) {
1737 if (ignore)
1738 continue;
1739
1740 strv_free(r);
1741 return errno ? -errno : -EINVAL;
1742 }
1743 count = pglob.gl_pathc;
1744 if (count == 0) {
1745 if (ignore)
1746 continue;
1747
1748 strv_free(r);
1749 return -EINVAL;
1750 }
1751 for (n = 0; n < count; n++) {
1752 k = load_env_file(pglob.gl_pathv[n], NULL, &p);
1753 if (k < 0) {
1754 if (ignore)
1755 continue;
1756
1757 strv_free(r);
1758 return k;
1759 }
1760
1761 if (r == NULL)
1762 r = p;
1763 else {
1764 char **m;
1765
1766 m = strv_env_merge(2, r, p);
1767 strv_free(r);
1768 strv_free(p);
1769 if (!m)
1770 return -ENOMEM;
1771
1772 r = m;
1773 }
1774 }
1775 }
1776
1777 *l = r;
1778
1779 return 0;
1780 }
1781
1782 static bool tty_may_match_dev_console(const char *tty) {
1783 char *active = NULL, *console;
1784 bool b;
1785
1786 if (startswith(tty, "/dev/"))
1787 tty += 5;
1788
1789 /* trivial identity? */
1790 if (streq(tty, "console"))
1791 return true;
1792
1793 console = resolve_dev_console(&active);
1794 /* if we could not resolve, assume it may */
1795 if (!console)
1796 return true;
1797
1798 /* "tty0" means the active VC, so it may be the same sometimes */
1799 b = streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
1800 free(active);
1801
1802 return b;
1803 }
1804
1805 bool exec_context_may_touch_console(ExecContext *ec) {
1806 return (ec->tty_reset || ec->tty_vhangup || ec->tty_vt_disallocate ||
1807 is_terminal_input(ec->std_input) ||
1808 is_terminal_output(ec->std_output) ||
1809 is_terminal_output(ec->std_error)) &&
1810 tty_may_match_dev_console(tty_path(ec));
1811 }
1812
1813 static void strv_fprintf(FILE *f, char **l) {
1814 char **g;
1815
1816 assert(f);
1817
1818 STRV_FOREACH(g, l)
1819 fprintf(f, " %s", *g);
1820 }
1821
1822 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
1823 char ** e;
1824 unsigned i;
1825
1826 assert(c);
1827 assert(f);
1828
1829 if (!prefix)
1830 prefix = "";
1831
1832 fprintf(f,
1833 "%sUMask: %04o\n"
1834 "%sWorkingDirectory: %s\n"
1835 "%sRootDirectory: %s\n"
1836 "%sNonBlocking: %s\n"
1837 "%sPrivateTmp: %s\n"
1838 "%sControlGroupModify: %s\n"
1839 "%sControlGroupPersistent: %s\n"
1840 "%sPrivateNetwork: %s\n"
1841 "%sIgnoreSIGPIPE: %s\n",
1842 prefix, c->umask,
1843 prefix, c->working_directory ? c->working_directory : "/",
1844 prefix, c->root_directory ? c->root_directory : "/",
1845 prefix, yes_no(c->non_blocking),
1846 prefix, yes_no(c->private_tmp),
1847 prefix, yes_no(c->control_group_modify),
1848 prefix, yes_no(c->control_group_persistent),
1849 prefix, yes_no(c->private_network),
1850 prefix, yes_no(c->ignore_sigpipe));
1851
1852 STRV_FOREACH(e, c->environment)
1853 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
1854
1855 STRV_FOREACH(e, c->environment_files)
1856 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
1857
1858 if (c->tcpwrap_name)
1859 fprintf(f,
1860 "%sTCPWrapName: %s\n",
1861 prefix, c->tcpwrap_name);
1862
1863 if (c->nice_set)
1864 fprintf(f,
1865 "%sNice: %i\n",
1866 prefix, c->nice);
1867
1868 if (c->oom_score_adjust_set)
1869 fprintf(f,
1870 "%sOOMScoreAdjust: %i\n",
1871 prefix, c->oom_score_adjust);
1872
1873 for (i = 0; i < RLIM_NLIMITS; i++)
1874 if (c->rlimit[i])
1875 fprintf(f, "%s%s: %llu\n", prefix, rlimit_to_string(i), (unsigned long long) c->rlimit[i]->rlim_max);
1876
1877 if (c->ioprio_set) {
1878 char *class_str;
1879 int r;
1880
1881 r = ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
1882 if (r < 0)
1883 class_str = NULL;
1884 fprintf(f,
1885 "%sIOSchedulingClass: %s\n"
1886 "%sIOPriority: %i\n",
1887 prefix, strna(class_str),
1888 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
1889 free(class_str);
1890 }
1891
1892 if (c->cpu_sched_set) {
1893 char *policy_str;
1894 int r;
1895
1896 r = sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
1897 if (r < 0)
1898 policy_str = NULL;
1899 fprintf(f,
1900 "%sCPUSchedulingPolicy: %s\n"
1901 "%sCPUSchedulingPriority: %i\n"
1902 "%sCPUSchedulingResetOnFork: %s\n",
1903 prefix, strna(policy_str),
1904 prefix, c->cpu_sched_priority,
1905 prefix, yes_no(c->cpu_sched_reset_on_fork));
1906 free(policy_str);
1907 }
1908
1909 if (c->cpuset) {
1910 fprintf(f, "%sCPUAffinity:", prefix);
1911 for (i = 0; i < c->cpuset_ncpus; i++)
1912 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
1913 fprintf(f, " %i", i);
1914 fputs("\n", f);
1915 }
1916
1917 if (c->timer_slack_nsec != (nsec_t) -1)
1918 fprintf(f, "%sTimerSlackNSec: %lu\n", prefix, (unsigned long)c->timer_slack_nsec);
1919
1920 fprintf(f,
1921 "%sStandardInput: %s\n"
1922 "%sStandardOutput: %s\n"
1923 "%sStandardError: %s\n",
1924 prefix, exec_input_to_string(c->std_input),
1925 prefix, exec_output_to_string(c->std_output),
1926 prefix, exec_output_to_string(c->std_error));
1927
1928 if (c->tty_path)
1929 fprintf(f,
1930 "%sTTYPath: %s\n"
1931 "%sTTYReset: %s\n"
1932 "%sTTYVHangup: %s\n"
1933 "%sTTYVTDisallocate: %s\n",
1934 prefix, c->tty_path,
1935 prefix, yes_no(c->tty_reset),
1936 prefix, yes_no(c->tty_vhangup),
1937 prefix, yes_no(c->tty_vt_disallocate));
1938
1939 if (c->std_output == EXEC_OUTPUT_SYSLOG || c->std_output == EXEC_OUTPUT_KMSG || c->std_output == EXEC_OUTPUT_JOURNAL ||
1940 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE || c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE || c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
1941 c->std_error == EXEC_OUTPUT_SYSLOG || c->std_error == EXEC_OUTPUT_KMSG || c->std_error == EXEC_OUTPUT_JOURNAL ||
1942 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE || c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE || c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
1943 char *fac_str, *lvl_str;
1944 int r;
1945
1946 r = log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
1947 if (r < 0)
1948 fac_str = NULL;
1949
1950 r = log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
1951 if (r < 0)
1952 lvl_str = NULL;
1953
1954 fprintf(f,
1955 "%sSyslogFacility: %s\n"
1956 "%sSyslogLevel: %s\n",
1957 prefix, strna(fac_str),
1958 prefix, strna(lvl_str));
1959 free(lvl_str);
1960 free(fac_str);
1961 }
1962
1963 if (c->capabilities) {
1964 char *t;
1965 if ((t = cap_to_text(c->capabilities, NULL))) {
1966 fprintf(f, "%sCapabilities: %s\n",
1967 prefix, t);
1968 cap_free(t);
1969 }
1970 }
1971
1972 if (c->secure_bits)
1973 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
1974 prefix,
1975 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
1976 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
1977 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
1978 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
1979 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
1980 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
1981
1982 if (c->capability_bounding_set_drop) {
1983 unsigned long l;
1984 fprintf(f, "%sCapabilityBoundingSet:", prefix);
1985
1986 for (l = 0; l <= cap_last_cap(); l++)
1987 if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) {
1988 char *t;
1989
1990 if ((t = cap_to_name(l))) {
1991 fprintf(f, " %s", t);
1992 cap_free(t);
1993 }
1994 }
1995
1996 fputs("\n", f);
1997 }
1998
1999 if (c->user)
2000 fprintf(f, "%sUser: %s\n", prefix, c->user);
2001 if (c->group)
2002 fprintf(f, "%sGroup: %s\n", prefix, c->group);
2003
2004 if (strv_length(c->supplementary_groups) > 0) {
2005 fprintf(f, "%sSupplementaryGroups:", prefix);
2006 strv_fprintf(f, c->supplementary_groups);
2007 fputs("\n", f);
2008 }
2009
2010 if (c->pam_name)
2011 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
2012
2013 if (strv_length(c->read_write_dirs) > 0) {
2014 fprintf(f, "%sReadWriteDirs:", prefix);
2015 strv_fprintf(f, c->read_write_dirs);
2016 fputs("\n", f);
2017 }
2018
2019 if (strv_length(c->read_only_dirs) > 0) {
2020 fprintf(f, "%sReadOnlyDirs:", prefix);
2021 strv_fprintf(f, c->read_only_dirs);
2022 fputs("\n", f);
2023 }
2024
2025 if (strv_length(c->inaccessible_dirs) > 0) {
2026 fprintf(f, "%sInaccessibleDirs:", prefix);
2027 strv_fprintf(f, c->inaccessible_dirs);
2028 fputs("\n", f);
2029 }
2030
2031 if (c->utmp_id)
2032 fprintf(f,
2033 "%sUtmpIdentifier: %s\n",
2034 prefix, c->utmp_id);
2035 }
2036
2037 void exec_status_start(ExecStatus *s, pid_t pid) {
2038 assert(s);
2039
2040 zero(*s);
2041 s->pid = pid;
2042 dual_timestamp_get(&s->start_timestamp);
2043 }
2044
2045 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
2046 assert(s);
2047
2048 if (s->pid && s->pid != pid)
2049 zero(*s);
2050
2051 s->pid = pid;
2052 dual_timestamp_get(&s->exit_timestamp);
2053
2054 s->code = code;
2055 s->status = status;
2056
2057 if (context) {
2058 if (context->utmp_id)
2059 utmp_put_dead_process(context->utmp_id, pid, code, status);
2060
2061 exec_context_tty_reset(context);
2062 }
2063 }
2064
2065 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
2066 char buf[FORMAT_TIMESTAMP_MAX];
2067
2068 assert(s);
2069 assert(f);
2070
2071 if (!prefix)
2072 prefix = "";
2073
2074 if (s->pid <= 0)
2075 return;
2076
2077 fprintf(f,
2078 "%sPID: %lu\n",
2079 prefix, (unsigned long) s->pid);
2080
2081 if (s->start_timestamp.realtime > 0)
2082 fprintf(f,
2083 "%sStart Timestamp: %s\n",
2084 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
2085
2086 if (s->exit_timestamp.realtime > 0)
2087 fprintf(f,
2088 "%sExit Timestamp: %s\n"
2089 "%sExit Code: %s\n"
2090 "%sExit Status: %i\n",
2091 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
2092 prefix, sigchld_code_to_string(s->code),
2093 prefix, s->status);
2094 }
2095
2096 char *exec_command_line(char **argv) {
2097 size_t k;
2098 char *n, *p, **a;
2099 bool first = true;
2100
2101 assert(argv);
2102
2103 k = 1;
2104 STRV_FOREACH(a, argv)
2105 k += strlen(*a)+3;
2106
2107 if (!(n = new(char, k)))
2108 return NULL;
2109
2110 p = n;
2111 STRV_FOREACH(a, argv) {
2112
2113 if (!first)
2114 *(p++) = ' ';
2115 else
2116 first = false;
2117
2118 if (strpbrk(*a, WHITESPACE)) {
2119 *(p++) = '\'';
2120 p = stpcpy(p, *a);
2121 *(p++) = '\'';
2122 } else
2123 p = stpcpy(p, *a);
2124
2125 }
2126
2127 *p = 0;
2128
2129 /* FIXME: this doesn't really handle arguments that have
2130 * spaces and ticks in them */
2131
2132 return n;
2133 }
2134
2135 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
2136 char *p2;
2137 const char *prefix2;
2138
2139 char *cmd;
2140
2141 assert(c);
2142 assert(f);
2143
2144 if (!prefix)
2145 prefix = "";
2146 p2 = strappend(prefix, "\t");
2147 prefix2 = p2 ? p2 : prefix;
2148
2149 cmd = exec_command_line(c->argv);
2150
2151 fprintf(f,
2152 "%sCommand Line: %s\n",
2153 prefix, cmd ? cmd : strerror(ENOMEM));
2154
2155 free(cmd);
2156
2157 exec_status_dump(&c->exec_status, f, prefix2);
2158
2159 free(p2);
2160 }
2161
2162 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2163 assert(f);
2164
2165 if (!prefix)
2166 prefix = "";
2167
2168 LIST_FOREACH(command, c, c)
2169 exec_command_dump(c, f, prefix);
2170 }
2171
2172 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
2173 ExecCommand *end;
2174
2175 assert(l);
2176 assert(e);
2177
2178 if (*l) {
2179 /* It's kind of important, that we keep the order here */
2180 LIST_FIND_TAIL(ExecCommand, command, *l, end);
2181 LIST_INSERT_AFTER(ExecCommand, command, *l, end, e);
2182 } else
2183 *l = e;
2184 }
2185
2186 int exec_command_set(ExecCommand *c, const char *path, ...) {
2187 va_list ap;
2188 char **l, *p;
2189
2190 assert(c);
2191 assert(path);
2192
2193 va_start(ap, path);
2194 l = strv_new_ap(path, ap);
2195 va_end(ap);
2196
2197 if (!l)
2198 return -ENOMEM;
2199
2200 if (!(p = strdup(path))) {
2201 strv_free(l);
2202 return -ENOMEM;
2203 }
2204
2205 free(c->path);
2206 c->path = p;
2207
2208 strv_free(c->argv);
2209 c->argv = l;
2210
2211 return 0;
2212 }
2213
2214 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
2215 [EXEC_INPUT_NULL] = "null",
2216 [EXEC_INPUT_TTY] = "tty",
2217 [EXEC_INPUT_TTY_FORCE] = "tty-force",
2218 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
2219 [EXEC_INPUT_SOCKET] = "socket"
2220 };
2221
2222 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
2223
2224 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
2225 [EXEC_OUTPUT_INHERIT] = "inherit",
2226 [EXEC_OUTPUT_NULL] = "null",
2227 [EXEC_OUTPUT_TTY] = "tty",
2228 [EXEC_OUTPUT_SYSLOG] = "syslog",
2229 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
2230 [EXEC_OUTPUT_KMSG] = "kmsg",
2231 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
2232 [EXEC_OUTPUT_JOURNAL] = "journal",
2233 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
2234 [EXEC_OUTPUT_SOCKET] = "socket"
2235 };
2236
2237 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
Unnamed repository; edit this file 'description' to name the repository.