]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/execute.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #2412 from fbuihuu/device-fixes
[thirdparty/systemd.git] / src / core / execute.c
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2
3 /***
4 This file is part of systemd.
5
6 Copyright 2010 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
17
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 ***/
21
22 #include <errno.h>
23 #include <fcntl.h>
24 #include <glob.h>
25 #include <grp.h>
26 #include <poll.h>
27 #include <signal.h>
28 #include <string.h>
29 #include <sys/personality.h>
30 #include <sys/prctl.h>
31 #include <sys/socket.h>
32 #include <sys/stat.h>
33 #include <sys/un.h>
34 #include <unistd.h>
35 #include <utmpx.h>
36
37 #ifdef HAVE_PAM
38 #include <security/pam_appl.h>
39 #endif
40
41 #ifdef HAVE_SELINUX
42 #include <selinux/selinux.h>
43 #endif
44
45 #ifdef HAVE_SECCOMP
46 #include <seccomp.h>
47 #endif
48
49 #ifdef HAVE_APPARMOR
50 #include <sys/apparmor.h>
51 #endif
52
53 #include "sd-messages.h"
54
55 #include "af-list.h"
56 #include "alloc-util.h"
57 #ifdef HAVE_APPARMOR
58 #include "apparmor-util.h"
59 #endif
60 #include "async.h"
61 #include "barrier.h"
62 #include "bus-endpoint.h"
63 #include "cap-list.h"
64 #include "capability-util.h"
65 #include "def.h"
66 #include "env-util.h"
67 #include "errno-list.h"
68 #include "execute.h"
69 #include "exit-status.h"
70 #include "fd-util.h"
71 #include "fileio.h"
72 #include "formats-util.h"
73 #include "fs-util.h"
74 #include "glob-util.h"
75 #include "io-util.h"
76 #include "ioprio.h"
77 #include "log.h"
78 #include "macro.h"
79 #include "missing.h"
80 #include "mkdir.h"
81 #include "namespace.h"
82 #include "parse-util.h"
83 #include "path-util.h"
84 #include "process-util.h"
85 #include "rlimit-util.h"
86 #include "rm-rf.h"
87 #ifdef HAVE_SECCOMP
88 #include "seccomp-util.h"
89 #endif
90 #include "securebits.h"
91 #include "selinux-util.h"
92 #include "signal-util.h"
93 #include "smack-util.h"
94 #include "string-table.h"
95 #include "string-util.h"
96 #include "strv.h"
97 #include "syslog-util.h"
98 #include "terminal-util.h"
99 #include "unit.h"
100 #include "user-util.h"
101 #include "util.h"
102 #include "utmp-wtmp.h"
103
104 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
105 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
106
107 /* This assumes there is a 'tty' group */
108 #define TTY_MODE 0620
109
110 #define SNDBUF_SIZE (8*1024*1024)
111
112 static int shift_fds(int fds[], unsigned n_fds) {
113 int start, restart_from;
114
115 if (n_fds <= 0)
116 return 0;
117
118 /* Modifies the fds array! (sorts it) */
119
120 assert(fds);
121
122 start = 0;
123 for (;;) {
124 int i;
125
126 restart_from = -1;
127
128 for (i = start; i < (int) n_fds; i++) {
129 int nfd;
130
131 /* Already at right index? */
132 if (fds[i] == i+3)
133 continue;
134
135 nfd = fcntl(fds[i], F_DUPFD, i + 3);
136 if (nfd < 0)
137 return -errno;
138
139 safe_close(fds[i]);
140 fds[i] = nfd;
141
142 /* Hmm, the fd we wanted isn't free? Then
143 * let's remember that and try again from here */
144 if (nfd != i+3 && restart_from < 0)
145 restart_from = i;
146 }
147
148 if (restart_from < 0)
149 break;
150
151 start = restart_from;
152 }
153
154 return 0;
155 }
156
157 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
158 unsigned i;
159 int r;
160
161 if (n_fds <= 0)
162 return 0;
163
164 assert(fds);
165
166 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
167
168 for (i = 0; i < n_fds; i++) {
169
170 r = fd_nonblock(fds[i], nonblock);
171 if (r < 0)
172 return r;
173
174 /* We unconditionally drop FD_CLOEXEC from the fds,
175 * since after all we want to pass these fds to our
176 * children */
177
178 r = fd_cloexec(fds[i], false);
179 if (r < 0)
180 return r;
181 }
182
183 return 0;
184 }
185
186 _pure_ static const char *tty_path(const ExecContext *context) {
187 assert(context);
188
189 if (context->tty_path)
190 return context->tty_path;
191
192 return "/dev/console";
193 }
194
195 static void exec_context_tty_reset(const ExecContext *context) {
196 assert(context);
197
198 if (context->tty_vhangup)
199 terminal_vhangup(tty_path(context));
200
201 if (context->tty_reset)
202 reset_terminal(tty_path(context));
203
204 if (context->tty_vt_disallocate && context->tty_path)
205 vt_disallocate(context->tty_path);
206 }
207
208 static bool is_terminal_output(ExecOutput o) {
209 return
210 o == EXEC_OUTPUT_TTY ||
211 o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
212 o == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
213 o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE;
214 }
215
216 static int open_null_as(int flags, int nfd) {
217 int fd, r;
218
219 assert(nfd >= 0);
220
221 fd = open("/dev/null", flags|O_NOCTTY);
222 if (fd < 0)
223 return -errno;
224
225 if (fd != nfd) {
226 r = dup2(fd, nfd) < 0 ? -errno : nfd;
227 safe_close(fd);
228 } else
229 r = nfd;
230
231 return r;
232 }
233
234 static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
235 union sockaddr_union sa = {
236 .un.sun_family = AF_UNIX,
237 .un.sun_path = "/run/systemd/journal/stdout",
238 };
239 uid_t olduid = UID_INVALID;
240 gid_t oldgid = GID_INVALID;
241 int r;
242
243 if (gid != GID_INVALID) {
244 oldgid = getgid();
245
246 r = setegid(gid);
247 if (r < 0)
248 return -errno;
249 }
250
251 if (uid != UID_INVALID) {
252 olduid = getuid();
253
254 r = seteuid(uid);
255 if (r < 0) {
256 r = -errno;
257 goto restore_gid;
258 }
259 }
260
261 r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path));
262 if (r < 0)
263 r = -errno;
264
265 /* If we fail to restore the uid or gid, things will likely
266 fail later on. This should only happen if an LSM interferes. */
267
268 if (uid != UID_INVALID)
269 (void) seteuid(olduid);
270
271 restore_gid:
272 if (gid != GID_INVALID)
273 (void) setegid(oldgid);
274
275 return r;
276 }
277
278 static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd, uid_t uid, gid_t gid) {
279 int fd, r;
280
281 assert(context);
282 assert(output < _EXEC_OUTPUT_MAX);
283 assert(ident);
284 assert(nfd >= 0);
285
286 fd = socket(AF_UNIX, SOCK_STREAM, 0);
287 if (fd < 0)
288 return -errno;
289
290 r = connect_journal_socket(fd, uid, gid);
291 if (r < 0)
292 return r;
293
294 if (shutdown(fd, SHUT_RD) < 0) {
295 safe_close(fd);
296 return -errno;
297 }
298
299 fd_inc_sndbuf(fd, SNDBUF_SIZE);
300
301 dprintf(fd,
302 "%s\n"
303 "%s\n"
304 "%i\n"
305 "%i\n"
306 "%i\n"
307 "%i\n"
308 "%i\n",
309 context->syslog_identifier ? context->syslog_identifier : ident,
310 unit_id,
311 context->syslog_priority,
312 !!context->syslog_level_prefix,
313 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
314 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
315 is_terminal_output(output));
316
317 if (fd != nfd) {
318 r = dup2(fd, nfd) < 0 ? -errno : nfd;
319 safe_close(fd);
320 } else
321 r = nfd;
322
323 return r;
324 }
325 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
326 int fd, r;
327
328 assert(path);
329 assert(nfd >= 0);
330
331 fd = open_terminal(path, mode | O_NOCTTY);
332 if (fd < 0)
333 return fd;
334
335 if (fd != nfd) {
336 r = dup2(fd, nfd) < 0 ? -errno : nfd;
337 safe_close(fd);
338 } else
339 r = nfd;
340
341 return r;
342 }
343
344 static bool is_terminal_input(ExecInput i) {
345 return
346 i == EXEC_INPUT_TTY ||
347 i == EXEC_INPUT_TTY_FORCE ||
348 i == EXEC_INPUT_TTY_FAIL;
349 }
350
351 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
352
353 if (is_terminal_input(std_input) && !apply_tty_stdin)
354 return EXEC_INPUT_NULL;
355
356 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
357 return EXEC_INPUT_NULL;
358
359 return std_input;
360 }
361
362 static int fixup_output(ExecOutput std_output, int socket_fd) {
363
364 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
365 return EXEC_OUTPUT_INHERIT;
366
367 return std_output;
368 }
369
370 static int setup_input(
371 const ExecContext *context,
372 const ExecParameters *params,
373 int socket_fd) {
374
375 ExecInput i;
376
377 assert(context);
378 assert(params);
379
380 if (params->stdin_fd >= 0) {
381 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
382 return -errno;
383
384 /* Try to make this the controlling tty, if it is a tty, and reset it */
385 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
386 (void) reset_terminal_fd(STDIN_FILENO, true);
387
388 return STDIN_FILENO;
389 }
390
391 i = fixup_input(context->std_input, socket_fd, params->apply_tty_stdin);
392
393 switch (i) {
394
395 case EXEC_INPUT_NULL:
396 return open_null_as(O_RDONLY, STDIN_FILENO);
397
398 case EXEC_INPUT_TTY:
399 case EXEC_INPUT_TTY_FORCE:
400 case EXEC_INPUT_TTY_FAIL: {
401 int fd, r;
402
403 fd = acquire_terminal(tty_path(context),
404 i == EXEC_INPUT_TTY_FAIL,
405 i == EXEC_INPUT_TTY_FORCE,
406 false,
407 USEC_INFINITY);
408 if (fd < 0)
409 return fd;
410
411 if (fd != STDIN_FILENO) {
412 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
413 safe_close(fd);
414 } else
415 r = STDIN_FILENO;
416
417 return r;
418 }
419
420 case EXEC_INPUT_SOCKET:
421 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
422
423 default:
424 assert_not_reached("Unknown input type");
425 }
426 }
427
428 static int setup_output(
429 Unit *unit,
430 const ExecContext *context,
431 const ExecParameters *params,
432 int fileno,
433 int socket_fd,
434 const char *ident,
435 uid_t uid, gid_t gid) {
436
437 ExecOutput o;
438 ExecInput i;
439 int r;
440
441 assert(unit);
442 assert(context);
443 assert(params);
444 assert(ident);
445
446 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
447
448 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
449 return -errno;
450
451 return STDOUT_FILENO;
452 }
453
454 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
455 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
456 return -errno;
457
458 return STDERR_FILENO;
459 }
460
461 i = fixup_input(context->std_input, socket_fd, params->apply_tty_stdin);
462 o = fixup_output(context->std_output, socket_fd);
463
464 if (fileno == STDERR_FILENO) {
465 ExecOutput e;
466 e = fixup_output(context->std_error, socket_fd);
467
468 /* This expects the input and output are already set up */
469
470 /* Don't change the stderr file descriptor if we inherit all
471 * the way and are not on a tty */
472 if (e == EXEC_OUTPUT_INHERIT &&
473 o == EXEC_OUTPUT_INHERIT &&
474 i == EXEC_INPUT_NULL &&
475 !is_terminal_input(context->std_input) &&
476 getppid () != 1)
477 return fileno;
478
479 /* Duplicate from stdout if possible */
480 if (e == o || e == EXEC_OUTPUT_INHERIT)
481 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
482
483 o = e;
484
485 } else if (o == EXEC_OUTPUT_INHERIT) {
486 /* If input got downgraded, inherit the original value */
487 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
488 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
489
490 /* If the input is connected to anything that's not a /dev/null, inherit that... */
491 if (i != EXEC_INPUT_NULL)
492 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
493
494 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
495 if (getppid() != 1)
496 return fileno;
497
498 /* We need to open /dev/null here anew, to get the right access mode. */
499 return open_null_as(O_WRONLY, fileno);
500 }
501
502 switch (o) {
503
504 case EXEC_OUTPUT_NULL:
505 return open_null_as(O_WRONLY, fileno);
506
507 case EXEC_OUTPUT_TTY:
508 if (is_terminal_input(i))
509 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
510
511 /* We don't reset the terminal if this is just about output */
512 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
513
514 case EXEC_OUTPUT_SYSLOG:
515 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
516 case EXEC_OUTPUT_KMSG:
517 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
518 case EXEC_OUTPUT_JOURNAL:
519 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
520 r = connect_logger_as(context, o, ident, unit->id, fileno, uid, gid);
521 if (r < 0) {
522 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
523 r = open_null_as(O_WRONLY, fileno);
524 }
525 return r;
526
527 case EXEC_OUTPUT_SOCKET:
528 assert(socket_fd >= 0);
529 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
530
531 default:
532 assert_not_reached("Unknown error type");
533 }
534 }
535
536 static int chown_terminal(int fd, uid_t uid) {
537 struct stat st;
538
539 assert(fd >= 0);
540
541 /* This might fail. What matters are the results. */
542 (void) fchown(fd, uid, -1);
543 (void) fchmod(fd, TTY_MODE);
544
545 if (fstat(fd, &st) < 0)
546 return -errno;
547
548 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
549 return -EPERM;
550
551 return 0;
552 }
553
554 static int setup_confirm_stdio(int *_saved_stdin, int *_saved_stdout) {
555 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
556 int r;
557
558 assert(_saved_stdin);
559 assert(_saved_stdout);
560
561 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
562 if (saved_stdin < 0)
563 return -errno;
564
565 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
566 if (saved_stdout < 0)
567 return -errno;
568
569 fd = acquire_terminal(
570 "/dev/console",
571 false,
572 false,
573 false,
574 DEFAULT_CONFIRM_USEC);
575 if (fd < 0)
576 return fd;
577
578 r = chown_terminal(fd, getuid());
579 if (r < 0)
580 return r;
581
582 r = reset_terminal_fd(fd, true);
583 if (r < 0)
584 return r;
585
586 if (dup2(fd, STDIN_FILENO) < 0)
587 return -errno;
588
589 if (dup2(fd, STDOUT_FILENO) < 0)
590 return -errno;
591
592 if (fd >= 2)
593 safe_close(fd);
594 fd = -1;
595
596 *_saved_stdin = saved_stdin;
597 *_saved_stdout = saved_stdout;
598
599 saved_stdin = saved_stdout = -1;
600
601 return 0;
602 }
603
604 _printf_(1, 2) static int write_confirm_message(const char *format, ...) {
605 _cleanup_close_ int fd = -1;
606 va_list ap;
607
608 assert(format);
609
610 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
611 if (fd < 0)
612 return fd;
613
614 va_start(ap, format);
615 vdprintf(fd, format, ap);
616 va_end(ap);
617
618 return 0;
619 }
620
621 static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
622 int r = 0;
623
624 assert(saved_stdin);
625 assert(saved_stdout);
626
627 release_terminal();
628
629 if (*saved_stdin >= 0)
630 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
631 r = -errno;
632
633 if (*saved_stdout >= 0)
634 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
635 r = -errno;
636
637 *saved_stdin = safe_close(*saved_stdin);
638 *saved_stdout = safe_close(*saved_stdout);
639
640 return r;
641 }
642
643 static int ask_for_confirmation(char *response, char **argv) {
644 int saved_stdout = -1, saved_stdin = -1, r;
645 _cleanup_free_ char *line = NULL;
646
647 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
648 if (r < 0)
649 return r;
650
651 line = exec_command_line(argv);
652 if (!line)
653 return -ENOMEM;
654
655 r = ask_char(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
656
657 restore_confirm_stdio(&saved_stdin, &saved_stdout);
658
659 return r;
660 }
661
662 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
663 bool keep_groups = false;
664 int r;
665
666 assert(context);
667
668 /* Lookup and set GID and supplementary group list. Here too
669 * we avoid NSS lookups for gid=0. */
670
671 if (context->group || username) {
672 /* First step, initialize groups from /etc/groups */
673 if (username && gid != 0) {
674 if (initgroups(username, gid) < 0)
675 return -errno;
676
677 keep_groups = true;
678 }
679
680 /* Second step, set our gids */
681 if (setresgid(gid, gid, gid) < 0)
682 return -errno;
683 }
684
685 if (context->supplementary_groups) {
686 int ngroups_max, k;
687 gid_t *gids;
688 char **i;
689
690 /* Final step, initialize any manually set supplementary groups */
691 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
692
693 if (!(gids = new(gid_t, ngroups_max)))
694 return -ENOMEM;
695
696 if (keep_groups) {
697 k = getgroups(ngroups_max, gids);
698 if (k < 0) {
699 free(gids);
700 return -errno;
701 }
702 } else
703 k = 0;
704
705 STRV_FOREACH(i, context->supplementary_groups) {
706 const char *g;
707
708 if (k >= ngroups_max) {
709 free(gids);
710 return -E2BIG;
711 }
712
713 g = *i;
714 r = get_group_creds(&g, gids+k);
715 if (r < 0) {
716 free(gids);
717 return r;
718 }
719
720 k++;
721 }
722
723 if (setgroups(k, gids) < 0) {
724 free(gids);
725 return -errno;
726 }
727
728 free(gids);
729 }
730
731 return 0;
732 }
733
734 static int enforce_user(const ExecContext *context, uid_t uid) {
735 assert(context);
736
737 /* Sets (but doesn't lookup) the uid and make sure we keep the
738 * capabilities while doing so. */
739
740 if (context->capabilities || context->capability_ambient_set != 0) {
741
742 /* First step: If we need to keep capabilities but
743 * drop privileges we need to make sure we keep our
744 * caps, while we drop privileges. */
745 if (uid != 0) {
746 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
747
748 if (prctl(PR_GET_SECUREBITS) != sb)
749 if (prctl(PR_SET_SECUREBITS, sb) < 0)
750 return -errno;
751 }
752
753 /* Second step: set the capabilities. This will reduce
754 * the capabilities to the minimum we need. */
755
756 if (context->capabilities) {
757 _cleanup_cap_free_ cap_t d = NULL;
758 static const cap_value_t bits[] = {
759 CAP_SETUID, /* Necessary so that we can run setresuid() below */
760 CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
761 };
762
763 d = cap_dup(context->capabilities);
764 if (!d)
765 return -errno;
766
767 if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
768 cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0)
769 return -errno;
770
771 if (cap_set_proc(d) < 0)
772 return -errno;
773 }
774 }
775
776 /* Third step: actually set the uids */
777 if (setresuid(uid, uid, uid) < 0)
778 return -errno;
779
780 /* At this point we should have all necessary capabilities but
781 are otherwise a normal user. However, the caps might got
782 corrupted due to the setresuid() so we need clean them up
783 later. This is done outside of this call. */
784
785 return 0;
786 }
787
788 #ifdef HAVE_PAM
789
790 static int null_conv(
791 int num_msg,
792 const struct pam_message **msg,
793 struct pam_response **resp,
794 void *appdata_ptr) {
795
796 /* We don't support conversations */
797
798 return PAM_CONV_ERR;
799 }
800
801 static int setup_pam(
802 const char *name,
803 const char *user,
804 uid_t uid,
805 const char *tty,
806 char ***pam_env,
807 int fds[], unsigned n_fds) {
808
809 static const struct pam_conv conv = {
810 .conv = null_conv,
811 .appdata_ptr = NULL
812 };
813
814 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
815 pam_handle_t *handle = NULL;
816 sigset_t old_ss;
817 int pam_code = PAM_SUCCESS;
818 int err = 0;
819 char **e = NULL;
820 bool close_session = false;
821 pid_t pam_pid = 0, parent_pid;
822 int flags = 0;
823
824 assert(name);
825 assert(user);
826 assert(pam_env);
827
828 /* We set up PAM in the parent process, then fork. The child
829 * will then stay around until killed via PR_GET_PDEATHSIG or
830 * systemd via the cgroup logic. It will then remove the PAM
831 * session again. The parent process will exec() the actual
832 * daemon. We do things this way to ensure that the main PID
833 * of the daemon is the one we initially fork()ed. */
834
835 err = barrier_create(&barrier);
836 if (err < 0)
837 goto fail;
838
839 if (log_get_max_level() < LOG_DEBUG)
840 flags |= PAM_SILENT;
841
842 pam_code = pam_start(name, user, &conv, &handle);
843 if (pam_code != PAM_SUCCESS) {
844 handle = NULL;
845 goto fail;
846 }
847
848 if (tty) {
849 pam_code = pam_set_item(handle, PAM_TTY, tty);
850 if (pam_code != PAM_SUCCESS)
851 goto fail;
852 }
853
854 pam_code = pam_acct_mgmt(handle, flags);
855 if (pam_code != PAM_SUCCESS)
856 goto fail;
857
858 pam_code = pam_open_session(handle, flags);
859 if (pam_code != PAM_SUCCESS)
860 goto fail;
861
862 close_session = true;
863
864 e = pam_getenvlist(handle);
865 if (!e) {
866 pam_code = PAM_BUF_ERR;
867 goto fail;
868 }
869
870 /* Block SIGTERM, so that we know that it won't get lost in
871 * the child */
872
873 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
874
875 parent_pid = getpid();
876
877 pam_pid = fork();
878 if (pam_pid < 0)
879 goto fail;
880
881 if (pam_pid == 0) {
882 int sig;
883 int r = EXIT_PAM;
884
885 /* The child's job is to reset the PAM session on
886 * termination */
887 barrier_set_role(&barrier, BARRIER_CHILD);
888
889 /* This string must fit in 10 chars (i.e. the length
890 * of "/sbin/init"), to look pretty in /bin/ps */
891 rename_process("(sd-pam)");
892
893 /* Make sure we don't keep open the passed fds in this
894 child. We assume that otherwise only those fds are
895 open here that have been opened by PAM. */
896 close_many(fds, n_fds);
897
898 /* Drop privileges - we don't need any to pam_close_session
899 * and this will make PR_SET_PDEATHSIG work in most cases.
900 * If this fails, ignore the error - but expect sd-pam threads
901 * to fail to exit normally */
902 if (setresuid(uid, uid, uid) < 0)
903 log_error_errno(r, "Error: Failed to setresuid() in sd-pam: %m");
904
905 (void) ignore_signals(SIGPIPE, -1);
906
907 /* Wait until our parent died. This will only work if
908 * the above setresuid() succeeds, otherwise the kernel
909 * will not allow unprivileged parents kill their privileged
910 * children this way. We rely on the control groups kill logic
911 * to do the rest for us. */
912 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
913 goto child_finish;
914
915 /* Tell the parent that our setup is done. This is especially
916 * important regarding dropping privileges. Otherwise, unit
917 * setup might race against our setresuid(2) call. */
918 barrier_place(&barrier);
919
920 /* Check if our parent process might already have
921 * died? */
922 if (getppid() == parent_pid) {
923 sigset_t ss;
924
925 assert_se(sigemptyset(&ss) >= 0);
926 assert_se(sigaddset(&ss, SIGTERM) >= 0);
927
928 for (;;) {
929 if (sigwait(&ss, &sig) < 0) {
930 if (errno == EINTR)
931 continue;
932
933 goto child_finish;
934 }
935
936 assert(sig == SIGTERM);
937 break;
938 }
939 }
940
941 /* If our parent died we'll end the session */
942 if (getppid() != parent_pid) {
943 pam_code = pam_close_session(handle, flags);
944 if (pam_code != PAM_SUCCESS)
945 goto child_finish;
946 }
947
948 r = 0;
949
950 child_finish:
951 pam_end(handle, pam_code | flags);
952 _exit(r);
953 }
954
955 barrier_set_role(&barrier, BARRIER_PARENT);
956
957 /* If the child was forked off successfully it will do all the
958 * cleanups, so forget about the handle here. */
959 handle = NULL;
960
961 /* Unblock SIGTERM again in the parent */
962 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
963
964 /* We close the log explicitly here, since the PAM modules
965 * might have opened it, but we don't want this fd around. */
966 closelog();
967
968 /* Synchronously wait for the child to initialize. We don't care for
969 * errors as we cannot recover. However, warn loudly if it happens. */
970 if (!barrier_place_and_sync(&barrier))
971 log_error("PAM initialization failed");
972
973 *pam_env = e;
974 e = NULL;
975
976 return 0;
977
978 fail:
979 if (pam_code != PAM_SUCCESS) {
980 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
981 err = -EPERM; /* PAM errors do not map to errno */
982 } else {
983 err = log_error_errno(err < 0 ? err : errno, "PAM failed: %m");
984 }
985
986 if (handle) {
987 if (close_session)
988 pam_code = pam_close_session(handle, flags);
989
990 pam_end(handle, pam_code | flags);
991 }
992
993 strv_free(e);
994 closelog();
995
996 return err;
997 }
998 #endif
999
1000 static void rename_process_from_path(const char *path) {
1001 char process_name[11];
1002 const char *p;
1003 size_t l;
1004
1005 /* This resulting string must fit in 10 chars (i.e. the length
1006 * of "/sbin/init") to look pretty in /bin/ps */
1007
1008 p = basename(path);
1009 if (isempty(p)) {
1010 rename_process("(...)");
1011 return;
1012 }
1013
1014 l = strlen(p);
1015 if (l > 8) {
1016 /* The end of the process name is usually more
1017 * interesting, since the first bit might just be
1018 * "systemd-" */
1019 p = p + l - 8;
1020 l = 8;
1021 }
1022
1023 process_name[0] = '(';
1024 memcpy(process_name+1, p, l);
1025 process_name[1+l] = ')';
1026 process_name[1+l+1] = 0;
1027
1028 rename_process(process_name);
1029 }
1030
1031 #ifdef HAVE_SECCOMP
1032
1033 static int apply_seccomp(const ExecContext *c) {
1034 uint32_t negative_action, action;
1035 scmp_filter_ctx *seccomp;
1036 Iterator i;
1037 void *id;
1038 int r;
1039
1040 assert(c);
1041
1042 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
1043
1044 seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW);
1045 if (!seccomp)
1046 return -ENOMEM;
1047
1048 if (c->syscall_archs) {
1049
1050 SET_FOREACH(id, c->syscall_archs, i) {
1051 r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
1052 if (r == -EEXIST)
1053 continue;
1054 if (r < 0)
1055 goto finish;
1056 }
1057
1058 } else {
1059 r = seccomp_add_secondary_archs(seccomp);
1060 if (r < 0)
1061 goto finish;
1062 }
1063
1064 action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
1065 SET_FOREACH(id, c->syscall_filter, i) {
1066 r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
1067 if (r < 0)
1068 goto finish;
1069 }
1070
1071 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1072 if (r < 0)
1073 goto finish;
1074
1075 r = seccomp_load(seccomp);
1076
1077 finish:
1078 seccomp_release(seccomp);
1079 return r;
1080 }
1081
1082 static int apply_address_families(const ExecContext *c) {
1083 scmp_filter_ctx *seccomp;
1084 Iterator i;
1085 int r;
1086
1087 assert(c);
1088
1089 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1090 if (!seccomp)
1091 return -ENOMEM;
1092
1093 r = seccomp_add_secondary_archs(seccomp);
1094 if (r < 0)
1095 goto finish;
1096
1097 if (c->address_families_whitelist) {
1098 int af, first = 0, last = 0;
1099 void *afp;
1100
1101 /* If this is a whitelist, we first block the address
1102 * families that are out of range and then everything
1103 * that is not in the set. First, we find the lowest
1104 * and highest address family in the set. */
1105
1106 SET_FOREACH(afp, c->address_families, i) {
1107 af = PTR_TO_INT(afp);
1108
1109 if (af <= 0 || af >= af_max())
1110 continue;
1111
1112 if (first == 0 || af < first)
1113 first = af;
1114
1115 if (last == 0 || af > last)
1116 last = af;
1117 }
1118
1119 assert((first == 0) == (last == 0));
1120
1121 if (first == 0) {
1122
1123 /* No entries in the valid range, block everything */
1124 r = seccomp_rule_add(
1125 seccomp,
1126 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1127 SCMP_SYS(socket),
1128 0);
1129 if (r < 0)
1130 goto finish;
1131
1132 } else {
1133
1134 /* Block everything below the first entry */
1135 r = seccomp_rule_add(
1136 seccomp,
1137 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1138 SCMP_SYS(socket),
1139 1,
1140 SCMP_A0(SCMP_CMP_LT, first));
1141 if (r < 0)
1142 goto finish;
1143
1144 /* Block everything above the last entry */
1145 r = seccomp_rule_add(
1146 seccomp,
1147 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1148 SCMP_SYS(socket),
1149 1,
1150 SCMP_A0(SCMP_CMP_GT, last));
1151 if (r < 0)
1152 goto finish;
1153
1154 /* Block everything between the first and last
1155 * entry */
1156 for (af = 1; af < af_max(); af++) {
1157
1158 if (set_contains(c->address_families, INT_TO_PTR(af)))
1159 continue;
1160
1161 r = seccomp_rule_add(
1162 seccomp,
1163 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1164 SCMP_SYS(socket),
1165 1,
1166 SCMP_A0(SCMP_CMP_EQ, af));
1167 if (r < 0)
1168 goto finish;
1169 }
1170 }
1171
1172 } else {
1173 void *af;
1174
1175 /* If this is a blacklist, then generate one rule for
1176 * each address family that are then combined in OR
1177 * checks. */
1178
1179 SET_FOREACH(af, c->address_families, i) {
1180
1181 r = seccomp_rule_add(
1182 seccomp,
1183 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1184 SCMP_SYS(socket),
1185 1,
1186 SCMP_A0(SCMP_CMP_EQ, PTR_TO_INT(af)));
1187 if (r < 0)
1188 goto finish;
1189 }
1190 }
1191
1192 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1193 if (r < 0)
1194 goto finish;
1195
1196 r = seccomp_load(seccomp);
1197
1198 finish:
1199 seccomp_release(seccomp);
1200 return r;
1201 }
1202
1203 #endif
1204
1205 static void do_idle_pipe_dance(int idle_pipe[4]) {
1206 assert(idle_pipe);
1207
1208
1209 idle_pipe[1] = safe_close(idle_pipe[1]);
1210 idle_pipe[2] = safe_close(idle_pipe[2]);
1211
1212 if (idle_pipe[0] >= 0) {
1213 int r;
1214
1215 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1216
1217 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
1218 ssize_t n;
1219
1220 /* Signal systemd that we are bored and want to continue. */
1221 n = write(idle_pipe[3], "x", 1);
1222 if (n > 0)
1223 /* Wait for systemd to react to the signal above. */
1224 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1225 }
1226
1227 idle_pipe[0] = safe_close(idle_pipe[0]);
1228
1229 }
1230
1231 idle_pipe[3] = safe_close(idle_pipe[3]);
1232 }
1233
1234 static int build_environment(
1235 const ExecContext *c,
1236 unsigned n_fds,
1237 char ** fd_names,
1238 usec_t watchdog_usec,
1239 const char *home,
1240 const char *username,
1241 const char *shell,
1242 char ***ret) {
1243
1244 _cleanup_strv_free_ char **our_env = NULL;
1245 unsigned n_env = 0;
1246 char *x;
1247
1248 assert(c);
1249 assert(ret);
1250
1251 our_env = new0(char*, 11);
1252 if (!our_env)
1253 return -ENOMEM;
1254
1255 if (n_fds > 0) {
1256 _cleanup_free_ char *joined = NULL;
1257
1258 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1259 return -ENOMEM;
1260 our_env[n_env++] = x;
1261
1262 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1263 return -ENOMEM;
1264 our_env[n_env++] = x;
1265
1266 joined = strv_join(fd_names, ":");
1267 if (!joined)
1268 return -ENOMEM;
1269
1270 x = strjoin("LISTEN_FDNAMES=", joined, NULL);
1271 if (!x)
1272 return -ENOMEM;
1273 our_env[n_env++] = x;
1274 }
1275
1276 if (watchdog_usec > 0) {
1277 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1278 return -ENOMEM;
1279 our_env[n_env++] = x;
1280
1281 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, watchdog_usec) < 0)
1282 return -ENOMEM;
1283 our_env[n_env++] = x;
1284 }
1285
1286 if (home) {
1287 x = strappend("HOME=", home);
1288 if (!x)
1289 return -ENOMEM;
1290 our_env[n_env++] = x;
1291 }
1292
1293 if (username) {
1294 x = strappend("LOGNAME=", username);
1295 if (!x)
1296 return -ENOMEM;
1297 our_env[n_env++] = x;
1298
1299 x = strappend("USER=", username);
1300 if (!x)
1301 return -ENOMEM;
1302 our_env[n_env++] = x;
1303 }
1304
1305 if (shell) {
1306 x = strappend("SHELL=", shell);
1307 if (!x)
1308 return -ENOMEM;
1309 our_env[n_env++] = x;
1310 }
1311
1312 if (is_terminal_input(c->std_input) ||
1313 c->std_output == EXEC_OUTPUT_TTY ||
1314 c->std_error == EXEC_OUTPUT_TTY ||
1315 c->tty_path) {
1316
1317 x = strdup(default_term_for_tty(tty_path(c)));
1318 if (!x)
1319 return -ENOMEM;
1320 our_env[n_env++] = x;
1321 }
1322
1323 our_env[n_env++] = NULL;
1324 assert(n_env <= 11);
1325
1326 *ret = our_env;
1327 our_env = NULL;
1328
1329 return 0;
1330 }
1331
1332 static int build_pass_environment(const ExecContext *c, char ***ret) {
1333 _cleanup_strv_free_ char **pass_env = NULL;
1334 size_t n_env = 0, n_bufsize = 0;
1335 char **i;
1336
1337 STRV_FOREACH(i, c->pass_environment) {
1338 _cleanup_free_ char *x = NULL;
1339 char *v;
1340
1341 v = getenv(*i);
1342 if (!v)
1343 continue;
1344 x = strjoin(*i, "=", v, NULL);
1345 if (!x)
1346 return -ENOMEM;
1347 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1348 return -ENOMEM;
1349 pass_env[n_env++] = x;
1350 pass_env[n_env] = NULL;
1351 x = NULL;
1352 }
1353
1354 *ret = pass_env;
1355 pass_env = NULL;
1356
1357 return 0;
1358 }
1359
1360 static bool exec_needs_mount_namespace(
1361 const ExecContext *context,
1362 const ExecParameters *params,
1363 ExecRuntime *runtime) {
1364
1365 assert(context);
1366 assert(params);
1367
1368 if (!strv_isempty(context->read_write_dirs) ||
1369 !strv_isempty(context->read_only_dirs) ||
1370 !strv_isempty(context->inaccessible_dirs))
1371 return true;
1372
1373 if (context->mount_flags != 0)
1374 return true;
1375
1376 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1377 return true;
1378
1379 if (params->bus_endpoint_path)
1380 return true;
1381
1382 if (context->private_devices ||
1383 context->protect_system != PROTECT_SYSTEM_NO ||
1384 context->protect_home != PROTECT_HOME_NO)
1385 return true;
1386
1387 return false;
1388 }
1389
1390 static int close_remaining_fds(
1391 const ExecParameters *params,
1392 ExecRuntime *runtime,
1393 int socket_fd,
1394 int *fds, unsigned n_fds) {
1395
1396 unsigned n_dont_close = 0;
1397 int dont_close[n_fds + 7];
1398
1399 assert(params);
1400
1401 if (params->stdin_fd >= 0)
1402 dont_close[n_dont_close++] = params->stdin_fd;
1403 if (params->stdout_fd >= 0)
1404 dont_close[n_dont_close++] = params->stdout_fd;
1405 if (params->stderr_fd >= 0)
1406 dont_close[n_dont_close++] = params->stderr_fd;
1407
1408 if (socket_fd >= 0)
1409 dont_close[n_dont_close++] = socket_fd;
1410 if (n_fds > 0) {
1411 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
1412 n_dont_close += n_fds;
1413 }
1414
1415 if (params->bus_endpoint_fd >= 0)
1416 dont_close[n_dont_close++] = params->bus_endpoint_fd;
1417
1418 if (runtime) {
1419 if (runtime->netns_storage_socket[0] >= 0)
1420 dont_close[n_dont_close++] = runtime->netns_storage_socket[0];
1421 if (runtime->netns_storage_socket[1] >= 0)
1422 dont_close[n_dont_close++] = runtime->netns_storage_socket[1];
1423 }
1424
1425 return close_all_fds(dont_close, n_dont_close);
1426 }
1427
1428 static int exec_child(
1429 Unit *unit,
1430 ExecCommand *command,
1431 const ExecContext *context,
1432 const ExecParameters *params,
1433 ExecRuntime *runtime,
1434 char **argv,
1435 int socket_fd,
1436 int *fds, unsigned n_fds,
1437 char **files_env,
1438 int *exit_status) {
1439
1440 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL;
1441 _cleanup_free_ char *mac_selinux_context_net = NULL;
1442 const char *username = NULL, *home = NULL, *shell = NULL, *wd;
1443 uid_t uid = UID_INVALID;
1444 gid_t gid = GID_INVALID;
1445 int i, r;
1446 bool needs_mount_namespace;
1447
1448 assert(unit);
1449 assert(command);
1450 assert(context);
1451 assert(params);
1452 assert(exit_status);
1453
1454 rename_process_from_path(command->path);
1455
1456 /* We reset exactly these signals, since they are the
1457 * only ones we set to SIG_IGN in the main daemon. All
1458 * others we leave untouched because we set them to
1459 * SIG_DFL or a valid handler initially, both of which
1460 * will be demoted to SIG_DFL. */
1461 (void) default_signals(SIGNALS_CRASH_HANDLER,
1462 SIGNALS_IGNORE, -1);
1463
1464 if (context->ignore_sigpipe)
1465 (void) ignore_signals(SIGPIPE, -1);
1466
1467 r = reset_signal_mask();
1468 if (r < 0) {
1469 *exit_status = EXIT_SIGNAL_MASK;
1470 return r;
1471 }
1472
1473 if (params->idle_pipe)
1474 do_idle_pipe_dance(params->idle_pipe);
1475
1476 /* Close sockets very early to make sure we don't
1477 * block init reexecution because it cannot bind its
1478 * sockets */
1479
1480 log_forget_fds();
1481
1482 r = close_remaining_fds(params, runtime, socket_fd, fds, n_fds);
1483 if (r < 0) {
1484 *exit_status = EXIT_FDS;
1485 return r;
1486 }
1487
1488 if (!context->same_pgrp)
1489 if (setsid() < 0) {
1490 *exit_status = EXIT_SETSID;
1491 return -errno;
1492 }
1493
1494 exec_context_tty_reset(context);
1495
1496 if (params->confirm_spawn) {
1497 char response;
1498
1499 r = ask_for_confirmation(&response, argv);
1500 if (r == -ETIMEDOUT)
1501 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
1502 else if (r < 0)
1503 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-r));
1504 else if (response == 's') {
1505 write_confirm_message("Skipping execution.\n");
1506 *exit_status = EXIT_CONFIRM;
1507 return -ECANCELED;
1508 } else if (response == 'n') {
1509 write_confirm_message("Failing execution.\n");
1510 *exit_status = 0;
1511 return 0;
1512 }
1513 }
1514
1515 if (context->user) {
1516 username = context->user;
1517 r = get_user_creds(&username, &uid, &gid, &home, &shell);
1518 if (r < 0) {
1519 *exit_status = EXIT_USER;
1520 return r;
1521 }
1522 }
1523
1524 if (context->group) {
1525 const char *g = context->group;
1526
1527 r = get_group_creds(&g, &gid);
1528 if (r < 0) {
1529 *exit_status = EXIT_GROUP;
1530 return r;
1531 }
1532 }
1533
1534
1535 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1536 * must sure to drop O_NONBLOCK */
1537 if (socket_fd >= 0)
1538 (void) fd_nonblock(socket_fd, false);
1539
1540 r = setup_input(context, params, socket_fd);
1541 if (r < 0) {
1542 *exit_status = EXIT_STDIN;
1543 return r;
1544 }
1545
1546 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, basename(command->path), uid, gid);
1547 if (r < 0) {
1548 *exit_status = EXIT_STDOUT;
1549 return r;
1550 }
1551
1552 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, basename(command->path), uid, gid);
1553 if (r < 0) {
1554 *exit_status = EXIT_STDERR;
1555 return r;
1556 }
1557
1558 if (params->cgroup_path) {
1559 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
1560 if (r < 0) {
1561 *exit_status = EXIT_CGROUP;
1562 return r;
1563 }
1564 }
1565
1566 if (context->oom_score_adjust_set) {
1567 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
1568
1569 /* When we can't make this change due to EPERM, then
1570 * let's silently skip over it. User namespaces
1571 * prohibit write access to this file, and we
1572 * shouldn't trip up over that. */
1573
1574 sprintf(t, "%i", context->oom_score_adjust);
1575 r = write_string_file("/proc/self/oom_score_adj", t, 0);
1576 if (r == -EPERM || r == -EACCES) {
1577 log_open();
1578 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
1579 log_close();
1580 } else if (r < 0) {
1581 *exit_status = EXIT_OOM_ADJUST;
1582 return -errno;
1583 }
1584 }
1585
1586 if (context->nice_set)
1587 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
1588 *exit_status = EXIT_NICE;
1589 return -errno;
1590 }
1591
1592 if (context->cpu_sched_set) {
1593 struct sched_param param = {
1594 .sched_priority = context->cpu_sched_priority,
1595 };
1596
1597 r = sched_setscheduler(0,
1598 context->cpu_sched_policy |
1599 (context->cpu_sched_reset_on_fork ?
1600 SCHED_RESET_ON_FORK : 0),
1601 &param);
1602 if (r < 0) {
1603 *exit_status = EXIT_SETSCHEDULER;
1604 return -errno;
1605 }
1606 }
1607
1608 if (context->cpuset)
1609 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
1610 *exit_status = EXIT_CPUAFFINITY;
1611 return -errno;
1612 }
1613
1614 if (context->ioprio_set)
1615 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
1616 *exit_status = EXIT_IOPRIO;
1617 return -errno;
1618 }
1619
1620 if (context->timer_slack_nsec != NSEC_INFINITY)
1621 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
1622 *exit_status = EXIT_TIMERSLACK;
1623 return -errno;
1624 }
1625
1626 if (context->personality != PERSONALITY_INVALID)
1627 if (personality(context->personality) < 0) {
1628 *exit_status = EXIT_PERSONALITY;
1629 return -errno;
1630 }
1631
1632 if (context->utmp_id)
1633 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path,
1634 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
1635 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
1636 USER_PROCESS,
1637 username ? "root" : context->user);
1638
1639 if (context->user && is_terminal_input(context->std_input)) {
1640 r = chown_terminal(STDIN_FILENO, uid);
1641 if (r < 0) {
1642 *exit_status = EXIT_STDIN;
1643 return r;
1644 }
1645 }
1646
1647 if (params->bus_endpoint_fd >= 0 && context->bus_endpoint) {
1648 uid_t ep_uid = (uid == UID_INVALID) ? 0 : uid;
1649
1650 r = bus_kernel_set_endpoint_policy(params->bus_endpoint_fd, ep_uid, context->bus_endpoint);
1651 if (r < 0) {
1652 *exit_status = EXIT_BUS_ENDPOINT;
1653 return r;
1654 }
1655 }
1656
1657 /* If delegation is enabled we'll pass ownership of the cgroup
1658 * (but only in systemd's own controller hierarchy!) to the
1659 * user of the new process. */
1660 if (params->cgroup_path && context->user && params->cgroup_delegate) {
1661 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
1662 if (r < 0) {
1663 *exit_status = EXIT_CGROUP;
1664 return r;
1665 }
1666
1667
1668 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
1669 if (r < 0) {
1670 *exit_status = EXIT_CGROUP;
1671 return r;
1672 }
1673 }
1674
1675 if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
1676 char **rt;
1677
1678 STRV_FOREACH(rt, context->runtime_directory) {
1679 _cleanup_free_ char *p;
1680
1681 p = strjoin(params->runtime_prefix, "/", *rt, NULL);
1682 if (!p) {
1683 *exit_status = EXIT_RUNTIME_DIRECTORY;
1684 return -ENOMEM;
1685 }
1686
1687 r = mkdir_p_label(p, context->runtime_directory_mode);
1688 if (r < 0) {
1689 *exit_status = EXIT_RUNTIME_DIRECTORY;
1690 return r;
1691 }
1692
1693 r = chmod_and_chown(p, context->runtime_directory_mode, uid, gid);
1694 if (r < 0) {
1695 *exit_status = EXIT_RUNTIME_DIRECTORY;
1696 return r;
1697 }
1698 }
1699 }
1700
1701 umask(context->umask);
1702
1703 if (params->apply_permissions) {
1704 r = enforce_groups(context, username, gid);
1705 if (r < 0) {
1706 *exit_status = EXIT_GROUP;
1707 return r;
1708 }
1709 #ifdef HAVE_SMACK
1710 if (context->smack_process_label) {
1711 r = mac_smack_apply_pid(0, context->smack_process_label);
1712 if (r < 0) {
1713 *exit_status = EXIT_SMACK_PROCESS_LABEL;
1714 return r;
1715 }
1716 }
1717 #ifdef SMACK_DEFAULT_PROCESS_LABEL
1718 else {
1719 _cleanup_free_ char *exec_label = NULL;
1720
1721 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
1722 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) {
1723 *exit_status = EXIT_SMACK_PROCESS_LABEL;
1724 return r;
1725 }
1726
1727 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
1728 if (r < 0) {
1729 *exit_status = EXIT_SMACK_PROCESS_LABEL;
1730 return r;
1731 }
1732 }
1733 #endif
1734 #endif
1735 #ifdef HAVE_PAM
1736 if (context->pam_name && username) {
1737 r = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
1738 if (r < 0) {
1739 *exit_status = EXIT_PAM;
1740 return r;
1741 }
1742 }
1743 #endif
1744 }
1745
1746 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
1747 r = setup_netns(runtime->netns_storage_socket);
1748 if (r < 0) {
1749 *exit_status = EXIT_NETWORK;
1750 return r;
1751 }
1752 }
1753
1754 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
1755
1756 if (needs_mount_namespace) {
1757 char *tmp = NULL, *var = NULL;
1758
1759 /* The runtime struct only contains the parent
1760 * of the private /tmp, which is
1761 * non-accessible to world users. Inside of it
1762 * there's a /tmp that is sticky, and that's
1763 * the one we want to use here. */
1764
1765 if (context->private_tmp && runtime) {
1766 if (runtime->tmp_dir)
1767 tmp = strjoina(runtime->tmp_dir, "/tmp");
1768 if (runtime->var_tmp_dir)
1769 var = strjoina(runtime->var_tmp_dir, "/tmp");
1770 }
1771
1772 r = setup_namespace(
1773 params->apply_chroot ? context->root_directory : NULL,
1774 context->read_write_dirs,
1775 context->read_only_dirs,
1776 context->inaccessible_dirs,
1777 tmp,
1778 var,
1779 params->bus_endpoint_path,
1780 context->private_devices,
1781 context->protect_home,
1782 context->protect_system,
1783 context->mount_flags);
1784
1785 /* If we couldn't set up the namespace this is
1786 * probably due to a missing capability. In this case,
1787 * silently proceeed. */
1788 if (r == -EPERM || r == -EACCES) {
1789 log_open();
1790 log_unit_debug_errno(unit, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
1791 log_close();
1792 } else if (r < 0) {
1793 *exit_status = EXIT_NAMESPACE;
1794 return r;
1795 }
1796 }
1797
1798 if (context->working_directory_home)
1799 wd = home;
1800 else if (context->working_directory)
1801 wd = context->working_directory;
1802 else
1803 wd = "/";
1804
1805 if (params->apply_chroot) {
1806 if (!needs_mount_namespace && context->root_directory)
1807 if (chroot(context->root_directory) < 0) {
1808 *exit_status = EXIT_CHROOT;
1809 return -errno;
1810 }
1811
1812 if (chdir(wd) < 0 &&
1813 !context->working_directory_missing_ok) {
1814 *exit_status = EXIT_CHDIR;
1815 return -errno;
1816 }
1817 } else {
1818 const char *d;
1819
1820 d = strjoina(strempty(context->root_directory), "/", strempty(wd));
1821 if (chdir(d) < 0 &&
1822 !context->working_directory_missing_ok) {
1823 *exit_status = EXIT_CHDIR;
1824 return -errno;
1825 }
1826 }
1827
1828 #ifdef HAVE_SELINUX
1829 if (params->apply_permissions && mac_selinux_use() && params->selinux_context_net && socket_fd >= 0) {
1830 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
1831 if (r < 0) {
1832 *exit_status = EXIT_SELINUX_CONTEXT;
1833 return r;
1834 }
1835 }
1836 #endif
1837
1838 /* We repeat the fd closing here, to make sure that
1839 * nothing is leaked from the PAM modules. Note that
1840 * we are more aggressive this time since socket_fd
1841 * and the netns fds we don't need anymore. The custom
1842 * endpoint fd was needed to upload the policy and can
1843 * now be closed as well. */
1844 r = close_all_fds(fds, n_fds);
1845 if (r >= 0)
1846 r = shift_fds(fds, n_fds);
1847 if (r >= 0)
1848 r = flags_fds(fds, n_fds, context->non_blocking);
1849 if (r < 0) {
1850 *exit_status = EXIT_FDS;
1851 return r;
1852 }
1853
1854 if (params->apply_permissions) {
1855
1856 int secure_bits = context->secure_bits;
1857
1858 for (i = 0; i < _RLIMIT_MAX; i++) {
1859 if (!context->rlimit[i])
1860 continue;
1861
1862 if (setrlimit_closest(i, context->rlimit[i]) < 0) {
1863 *exit_status = EXIT_LIMITS;
1864 return -errno;
1865 }
1866 }
1867
1868 if (!cap_test_all(context->capability_bounding_set)) {
1869 r = capability_bounding_set_drop(context->capability_bounding_set, false);
1870 if (r < 0) {
1871 *exit_status = EXIT_CAPABILITIES;
1872 return r;
1873 }
1874 }
1875
1876 /* This is done before enforce_user, but ambient set
1877 * does not survive over setresuid() if keep_caps is not set. */
1878 if (context->capability_ambient_set != 0) {
1879 r = capability_ambient_set_apply(context->capability_ambient_set, true);
1880 if (r < 0) {
1881 *exit_status = EXIT_CAPABILITIES;
1882 return r;
1883 }
1884
1885 if (context->capabilities) {
1886
1887 /* The capabilities in ambient set need to be also in the inherited
1888 * set. If they aren't, trying to get them will fail. Add the ambient
1889 * set inherited capabilities to the capability set in the context.
1890 * This is needed because if capabilities are set (using "Capabilities="
1891 * keyword), they will override whatever we set now. */
1892
1893 r = capability_update_inherited_set(context->capabilities, context->capability_ambient_set);
1894 if (r < 0) {
1895 *exit_status = EXIT_CAPABILITIES;
1896 return r;
1897 }
1898 }
1899 }
1900
1901 if (context->user) {
1902 r = enforce_user(context, uid);
1903 if (r < 0) {
1904 *exit_status = EXIT_USER;
1905 return r;
1906 }
1907 if (context->capability_ambient_set != 0) {
1908
1909 /* Fix the ambient capabilities after user change. */
1910 r = capability_ambient_set_apply(context->capability_ambient_set, false);
1911 if (r < 0) {
1912 *exit_status = EXIT_CAPABILITIES;
1913 return r;
1914 }
1915
1916 /* If we were asked to change user and ambient capabilities
1917 * were requested, we had to add keep-caps to the securebits
1918 * so that we would maintain the inherited capability set
1919 * through the setresuid(). Make sure that the bit is added
1920 * also to the context secure_bits so that we don't try to
1921 * drop the bit away next. */
1922
1923 secure_bits |= 1<<SECURE_KEEP_CAPS;
1924 }
1925 }
1926
1927 /* PR_GET_SECUREBITS is not privileged, while
1928 * PR_SET_SECUREBITS is. So to suppress
1929 * potential EPERMs we'll try not to call
1930 * PR_SET_SECUREBITS unless necessary. */
1931 if (prctl(PR_GET_SECUREBITS) != secure_bits)
1932 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
1933 *exit_status = EXIT_SECUREBITS;
1934 return -errno;
1935 }
1936
1937 if (context->capabilities)
1938 if (cap_set_proc(context->capabilities) < 0) {
1939 *exit_status = EXIT_CAPABILITIES;
1940 return -errno;
1941 }
1942
1943 if (context->no_new_privileges)
1944 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
1945 *exit_status = EXIT_NO_NEW_PRIVILEGES;
1946 return -errno;
1947 }
1948
1949 #ifdef HAVE_SECCOMP
1950 if (context->address_families_whitelist ||
1951 !set_isempty(context->address_families)) {
1952 r = apply_address_families(context);
1953 if (r < 0) {
1954 *exit_status = EXIT_ADDRESS_FAMILIES;
1955 return r;
1956 }
1957 }
1958
1959 if (context->syscall_whitelist ||
1960 !set_isempty(context->syscall_filter) ||
1961 !set_isempty(context->syscall_archs)) {
1962 r = apply_seccomp(context);
1963 if (r < 0) {
1964 *exit_status = EXIT_SECCOMP;
1965 return r;
1966 }
1967 }
1968 #endif
1969
1970 #ifdef HAVE_SELINUX
1971 if (mac_selinux_use()) {
1972 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
1973
1974 if (exec_context) {
1975 r = setexeccon(exec_context);
1976 if (r < 0) {
1977 *exit_status = EXIT_SELINUX_CONTEXT;
1978 return r;
1979 }
1980 }
1981 }
1982 #endif
1983
1984 #ifdef HAVE_APPARMOR
1985 if (context->apparmor_profile && mac_apparmor_use()) {
1986 r = aa_change_onexec(context->apparmor_profile);
1987 if (r < 0 && !context->apparmor_profile_ignore) {
1988 *exit_status = EXIT_APPARMOR_PROFILE;
1989 return -errno;
1990 }
1991 }
1992 #endif
1993 }
1994
1995 r = build_environment(context, n_fds, params->fd_names, params->watchdog_usec, home, username, shell, &our_env);
1996 if (r < 0) {
1997 *exit_status = EXIT_MEMORY;
1998 return r;
1999 }
2000
2001 r = build_pass_environment(context, &pass_env);
2002 if (r < 0) {
2003 *exit_status = EXIT_MEMORY;
2004 return r;
2005 }
2006
2007 final_env = strv_env_merge(6,
2008 params->environment,
2009 our_env,
2010 pass_env,
2011 context->environment,
2012 files_env,
2013 pam_env,
2014 NULL);
2015 if (!final_env) {
2016 *exit_status = EXIT_MEMORY;
2017 return -ENOMEM;
2018 }
2019
2020 final_argv = replace_env_argv(argv, final_env);
2021 if (!final_argv) {
2022 *exit_status = EXIT_MEMORY;
2023 return -ENOMEM;
2024 }
2025
2026 final_env = strv_env_clean(final_env);
2027
2028 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
2029 _cleanup_free_ char *line;
2030
2031 line = exec_command_line(final_argv);
2032 if (line) {
2033 log_open();
2034 log_struct(LOG_DEBUG,
2035 LOG_UNIT_ID(unit),
2036 "EXECUTABLE=%s", command->path,
2037 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
2038 NULL);
2039 log_close();
2040 }
2041 }
2042
2043 execve(command->path, final_argv, final_env);
2044 *exit_status = EXIT_EXEC;
2045 return -errno;
2046 }
2047
2048 int exec_spawn(Unit *unit,
2049 ExecCommand *command,
2050 const ExecContext *context,
2051 const ExecParameters *params,
2052 ExecRuntime *runtime,
2053 pid_t *ret) {
2054
2055 _cleanup_strv_free_ char **files_env = NULL;
2056 int *fds = NULL; unsigned n_fds = 0;
2057 _cleanup_free_ char *line = NULL;
2058 int socket_fd, r;
2059 char **argv;
2060 pid_t pid;
2061
2062 assert(unit);
2063 assert(command);
2064 assert(context);
2065 assert(ret);
2066 assert(params);
2067 assert(params->fds || params->n_fds <= 0);
2068
2069 if (context->std_input == EXEC_INPUT_SOCKET ||
2070 context->std_output == EXEC_OUTPUT_SOCKET ||
2071 context->std_error == EXEC_OUTPUT_SOCKET) {
2072
2073 if (params->n_fds != 1) {
2074 log_unit_error(unit, "Got more than one socket.");
2075 return -EINVAL;
2076 }
2077
2078 socket_fd = params->fds[0];
2079 } else {
2080 socket_fd = -1;
2081 fds = params->fds;
2082 n_fds = params->n_fds;
2083 }
2084
2085 r = exec_context_load_environment(unit, context, &files_env);
2086 if (r < 0)
2087 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
2088
2089 argv = params->argv ?: command->argv;
2090 line = exec_command_line(argv);
2091 if (!line)
2092 return log_oom();
2093
2094 log_struct(LOG_DEBUG,
2095 LOG_UNIT_ID(unit),
2096 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
2097 "EXECUTABLE=%s", command->path,
2098 NULL);
2099 pid = fork();
2100 if (pid < 0)
2101 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
2102
2103 if (pid == 0) {
2104 int exit_status;
2105
2106 r = exec_child(unit,
2107 command,
2108 context,
2109 params,
2110 runtime,
2111 argv,
2112 socket_fd,
2113 fds, n_fds,
2114 files_env,
2115 &exit_status);
2116 if (r < 0) {
2117 log_open();
2118 log_struct_errno(LOG_ERR, r,
2119 LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
2120 LOG_UNIT_ID(unit),
2121 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
2122 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
2123 command->path),
2124 "EXECUTABLE=%s", command->path,
2125 NULL);
2126 }
2127
2128 _exit(exit_status);
2129 }
2130
2131 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
2132
2133 /* We add the new process to the cgroup both in the child (so
2134 * that we can be sure that no user code is ever executed
2135 * outside of the cgroup) and in the parent (so that we can be
2136 * sure that when we kill the cgroup the process will be
2137 * killed too). */
2138 if (params->cgroup_path)
2139 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
2140
2141 exec_status_start(&command->exec_status, pid);
2142
2143 *ret = pid;
2144 return 0;
2145 }
2146
2147 void exec_context_init(ExecContext *c) {
2148 assert(c);
2149
2150 c->umask = 0022;
2151 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
2152 c->cpu_sched_policy = SCHED_OTHER;
2153 c->syslog_priority = LOG_DAEMON|LOG_INFO;
2154 c->syslog_level_prefix = true;
2155 c->ignore_sigpipe = true;
2156 c->timer_slack_nsec = NSEC_INFINITY;
2157 c->personality = PERSONALITY_INVALID;
2158 c->runtime_directory_mode = 0755;
2159 c->capability_bounding_set = CAP_ALL;
2160 }
2161
2162 void exec_context_done(ExecContext *c) {
2163 unsigned l;
2164
2165 assert(c);
2166
2167 c->environment = strv_free(c->environment);
2168 c->environment_files = strv_free(c->environment_files);
2169 c->pass_environment = strv_free(c->pass_environment);
2170
2171 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
2172 c->rlimit[l] = mfree(c->rlimit[l]);
2173
2174 c->working_directory = mfree(c->working_directory);
2175 c->root_directory = mfree(c->root_directory);
2176 c->tty_path = mfree(c->tty_path);
2177 c->syslog_identifier = mfree(c->syslog_identifier);
2178 c->user = mfree(c->user);
2179 c->group = mfree(c->group);
2180
2181 c->supplementary_groups = strv_free(c->supplementary_groups);
2182
2183 c->pam_name = mfree(c->pam_name);
2184
2185 if (c->capabilities) {
2186 cap_free(c->capabilities);
2187 c->capabilities = NULL;
2188 }
2189
2190 c->read_only_dirs = strv_free(c->read_only_dirs);
2191 c->read_write_dirs = strv_free(c->read_write_dirs);
2192 c->inaccessible_dirs = strv_free(c->inaccessible_dirs);
2193
2194 if (c->cpuset)
2195 CPU_FREE(c->cpuset);
2196
2197 c->utmp_id = mfree(c->utmp_id);
2198 c->selinux_context = mfree(c->selinux_context);
2199 c->apparmor_profile = mfree(c->apparmor_profile);
2200
2201 c->syscall_filter = set_free(c->syscall_filter);
2202 c->syscall_archs = set_free(c->syscall_archs);
2203 c->address_families = set_free(c->address_families);
2204
2205 c->runtime_directory = strv_free(c->runtime_directory);
2206
2207 bus_endpoint_free(c->bus_endpoint);
2208 c->bus_endpoint = NULL;
2209 }
2210
2211 int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
2212 char **i;
2213
2214 assert(c);
2215
2216 if (!runtime_prefix)
2217 return 0;
2218
2219 STRV_FOREACH(i, c->runtime_directory) {
2220 _cleanup_free_ char *p;
2221
2222 p = strjoin(runtime_prefix, "/", *i, NULL);
2223 if (!p)
2224 return -ENOMEM;
2225
2226 /* We execute this synchronously, since we need to be
2227 * sure this is gone when we start the service
2228 * next. */
2229 (void) rm_rf(p, REMOVE_ROOT);
2230 }
2231
2232 return 0;
2233 }
2234
2235 void exec_command_done(ExecCommand *c) {
2236 assert(c);
2237
2238 c->path = mfree(c->path);
2239
2240 c->argv = strv_free(c->argv);
2241 }
2242
2243 void exec_command_done_array(ExecCommand *c, unsigned n) {
2244 unsigned i;
2245
2246 for (i = 0; i < n; i++)
2247 exec_command_done(c+i);
2248 }
2249
2250 ExecCommand* exec_command_free_list(ExecCommand *c) {
2251 ExecCommand *i;
2252
2253 while ((i = c)) {
2254 LIST_REMOVE(command, c, i);
2255 exec_command_done(i);
2256 free(i);
2257 }
2258
2259 return NULL;
2260 }
2261
2262 void exec_command_free_array(ExecCommand **c, unsigned n) {
2263 unsigned i;
2264
2265 for (i = 0; i < n; i++)
2266 c[i] = exec_command_free_list(c[i]);
2267 }
2268
2269 typedef struct InvalidEnvInfo {
2270 Unit *unit;
2271 const char *path;
2272 } InvalidEnvInfo;
2273
2274 static void invalid_env(const char *p, void *userdata) {
2275 InvalidEnvInfo *info = userdata;
2276
2277 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
2278 }
2279
2280 int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
2281 char **i, **r = NULL;
2282
2283 assert(c);
2284 assert(l);
2285
2286 STRV_FOREACH(i, c->environment_files) {
2287 char *fn;
2288 int k;
2289 bool ignore = false;
2290 char **p;
2291 _cleanup_globfree_ glob_t pglob = {};
2292 int count, n;
2293
2294 fn = *i;
2295
2296 if (fn[0] == '-') {
2297 ignore = true;
2298 fn ++;
2299 }
2300
2301 if (!path_is_absolute(fn)) {
2302 if (ignore)
2303 continue;
2304
2305 strv_free(r);
2306 return -EINVAL;
2307 }
2308
2309 /* Filename supports globbing, take all matching files */
2310 errno = 0;
2311 if (glob(fn, 0, NULL, &pglob) != 0) {
2312 if (ignore)
2313 continue;
2314
2315 strv_free(r);
2316 return errno > 0 ? -errno : -EINVAL;
2317 }
2318 count = pglob.gl_pathc;
2319 if (count == 0) {
2320 if (ignore)
2321 continue;
2322
2323 strv_free(r);
2324 return -EINVAL;
2325 }
2326 for (n = 0; n < count; n++) {
2327 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
2328 if (k < 0) {
2329 if (ignore)
2330 continue;
2331
2332 strv_free(r);
2333 return k;
2334 }
2335 /* Log invalid environment variables with filename */
2336 if (p) {
2337 InvalidEnvInfo info = {
2338 .unit = unit,
2339 .path = pglob.gl_pathv[n]
2340 };
2341
2342 p = strv_env_clean_with_callback(p, invalid_env, &info);
2343 }
2344
2345 if (r == NULL)
2346 r = p;
2347 else {
2348 char **m;
2349
2350 m = strv_env_merge(2, r, p);
2351 strv_free(r);
2352 strv_free(p);
2353 if (!m)
2354 return -ENOMEM;
2355
2356 r = m;
2357 }
2358 }
2359 }
2360
2361 *l = r;
2362
2363 return 0;
2364 }
2365
2366 static bool tty_may_match_dev_console(const char *tty) {
2367 _cleanup_free_ char *active = NULL;
2368 char *console;
2369
2370 if (startswith(tty, "/dev/"))
2371 tty += 5;
2372
2373 /* trivial identity? */
2374 if (streq(tty, "console"))
2375 return true;
2376
2377 console = resolve_dev_console(&active);
2378 /* if we could not resolve, assume it may */
2379 if (!console)
2380 return true;
2381
2382 /* "tty0" means the active VC, so it may be the same sometimes */
2383 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
2384 }
2385
2386 bool exec_context_may_touch_console(ExecContext *ec) {
2387 return (ec->tty_reset || ec->tty_vhangup || ec->tty_vt_disallocate ||
2388 is_terminal_input(ec->std_input) ||
2389 is_terminal_output(ec->std_output) ||
2390 is_terminal_output(ec->std_error)) &&
2391 tty_may_match_dev_console(tty_path(ec));
2392 }
2393
2394 static void strv_fprintf(FILE *f, char **l) {
2395 char **g;
2396
2397 assert(f);
2398
2399 STRV_FOREACH(g, l)
2400 fprintf(f, " %s", *g);
2401 }
2402
2403 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
2404 char **e, **d;
2405 unsigned i;
2406
2407 assert(c);
2408 assert(f);
2409
2410 prefix = strempty(prefix);
2411
2412 fprintf(f,
2413 "%sUMask: %04o\n"
2414 "%sWorkingDirectory: %s\n"
2415 "%sRootDirectory: %s\n"
2416 "%sNonBlocking: %s\n"
2417 "%sPrivateTmp: %s\n"
2418 "%sPrivateNetwork: %s\n"
2419 "%sPrivateDevices: %s\n"
2420 "%sProtectHome: %s\n"
2421 "%sProtectSystem: %s\n"
2422 "%sIgnoreSIGPIPE: %s\n",
2423 prefix, c->umask,
2424 prefix, c->working_directory ? c->working_directory : "/",
2425 prefix, c->root_directory ? c->root_directory : "/",
2426 prefix, yes_no(c->non_blocking),
2427 prefix, yes_no(c->private_tmp),
2428 prefix, yes_no(c->private_network),
2429 prefix, yes_no(c->private_devices),
2430 prefix, protect_home_to_string(c->protect_home),
2431 prefix, protect_system_to_string(c->protect_system),
2432 prefix, yes_no(c->ignore_sigpipe));
2433
2434 STRV_FOREACH(e, c->environment)
2435 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
2436
2437 STRV_FOREACH(e, c->environment_files)
2438 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
2439
2440 STRV_FOREACH(e, c->pass_environment)
2441 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
2442
2443 fprintf(f, "%sRuntimeDirectoryMode: %04o\n", prefix, c->runtime_directory_mode);
2444
2445 STRV_FOREACH(d, c->runtime_directory)
2446 fprintf(f, "%sRuntimeDirectory: %s\n", prefix, *d);
2447
2448 if (c->nice_set)
2449 fprintf(f,
2450 "%sNice: %i\n",
2451 prefix, c->nice);
2452
2453 if (c->oom_score_adjust_set)
2454 fprintf(f,
2455 "%sOOMScoreAdjust: %i\n",
2456 prefix, c->oom_score_adjust);
2457
2458 for (i = 0; i < RLIM_NLIMITS; i++)
2459 if (c->rlimit[i]) {
2460 fprintf(f, "%s%s: " RLIM_FMT "\n",
2461 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
2462 fprintf(f, "%s%sSoft: " RLIM_FMT "\n",
2463 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
2464 }
2465
2466 if (c->ioprio_set) {
2467 _cleanup_free_ char *class_str = NULL;
2468
2469 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
2470 fprintf(f,
2471 "%sIOSchedulingClass: %s\n"
2472 "%sIOPriority: %i\n",
2473 prefix, strna(class_str),
2474 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
2475 }
2476
2477 if (c->cpu_sched_set) {
2478 _cleanup_free_ char *policy_str = NULL;
2479
2480 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
2481 fprintf(f,
2482 "%sCPUSchedulingPolicy: %s\n"
2483 "%sCPUSchedulingPriority: %i\n"
2484 "%sCPUSchedulingResetOnFork: %s\n",
2485 prefix, strna(policy_str),
2486 prefix, c->cpu_sched_priority,
2487 prefix, yes_no(c->cpu_sched_reset_on_fork));
2488 }
2489
2490 if (c->cpuset) {
2491 fprintf(f, "%sCPUAffinity:", prefix);
2492 for (i = 0; i < c->cpuset_ncpus; i++)
2493 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
2494 fprintf(f, " %u", i);
2495 fputs("\n", f);
2496 }
2497
2498 if (c->timer_slack_nsec != NSEC_INFINITY)
2499 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
2500
2501 fprintf(f,
2502 "%sStandardInput: %s\n"
2503 "%sStandardOutput: %s\n"
2504 "%sStandardError: %s\n",
2505 prefix, exec_input_to_string(c->std_input),
2506 prefix, exec_output_to_string(c->std_output),
2507 prefix, exec_output_to_string(c->std_error));
2508
2509 if (c->tty_path)
2510 fprintf(f,
2511 "%sTTYPath: %s\n"
2512 "%sTTYReset: %s\n"
2513 "%sTTYVHangup: %s\n"
2514 "%sTTYVTDisallocate: %s\n",
2515 prefix, c->tty_path,
2516 prefix, yes_no(c->tty_reset),
2517 prefix, yes_no(c->tty_vhangup),
2518 prefix, yes_no(c->tty_vt_disallocate));
2519
2520 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
2521 c->std_output == EXEC_OUTPUT_KMSG ||
2522 c->std_output == EXEC_OUTPUT_JOURNAL ||
2523 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2524 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2525 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
2526 c->std_error == EXEC_OUTPUT_SYSLOG ||
2527 c->std_error == EXEC_OUTPUT_KMSG ||
2528 c->std_error == EXEC_OUTPUT_JOURNAL ||
2529 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2530 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2531 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
2532
2533 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
2534
2535 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
2536 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
2537
2538 fprintf(f,
2539 "%sSyslogFacility: %s\n"
2540 "%sSyslogLevel: %s\n",
2541 prefix, strna(fac_str),
2542 prefix, strna(lvl_str));
2543 }
2544
2545 if (c->capabilities) {
2546 _cleanup_cap_free_charp_ char *t;
2547
2548 t = cap_to_text(c->capabilities, NULL);
2549 if (t)
2550 fprintf(f, "%sCapabilities: %s\n", prefix, t);
2551 }
2552
2553 if (c->secure_bits)
2554 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
2555 prefix,
2556 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
2557 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
2558 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
2559 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
2560 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
2561 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
2562
2563 if (c->capability_bounding_set != CAP_ALL) {
2564 unsigned long l;
2565 fprintf(f, "%sCapabilityBoundingSet:", prefix);
2566
2567 for (l = 0; l <= cap_last_cap(); l++)
2568 if (c->capability_bounding_set & (UINT64_C(1) << l))
2569 fprintf(f, " %s", strna(capability_to_name(l)));
2570
2571 fputs("\n", f);
2572 }
2573
2574 if (c->capability_ambient_set != 0) {
2575 unsigned long l;
2576 fprintf(f, "%sAmbientCapabilities:", prefix);
2577
2578 for (l = 0; l <= cap_last_cap(); l++)
2579 if (c->capability_ambient_set & (UINT64_C(1) << l))
2580 fprintf(f, " %s", strna(capability_to_name(l)));
2581
2582 fputs("\n", f);
2583 }
2584
2585 if (c->user)
2586 fprintf(f, "%sUser: %s\n", prefix, c->user);
2587 if (c->group)
2588 fprintf(f, "%sGroup: %s\n", prefix, c->group);
2589
2590 if (strv_length(c->supplementary_groups) > 0) {
2591 fprintf(f, "%sSupplementaryGroups:", prefix);
2592 strv_fprintf(f, c->supplementary_groups);
2593 fputs("\n", f);
2594 }
2595
2596 if (c->pam_name)
2597 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
2598
2599 if (strv_length(c->read_write_dirs) > 0) {
2600 fprintf(f, "%sReadWriteDirs:", prefix);
2601 strv_fprintf(f, c->read_write_dirs);
2602 fputs("\n", f);
2603 }
2604
2605 if (strv_length(c->read_only_dirs) > 0) {
2606 fprintf(f, "%sReadOnlyDirs:", prefix);
2607 strv_fprintf(f, c->read_only_dirs);
2608 fputs("\n", f);
2609 }
2610
2611 if (strv_length(c->inaccessible_dirs) > 0) {
2612 fprintf(f, "%sInaccessibleDirs:", prefix);
2613 strv_fprintf(f, c->inaccessible_dirs);
2614 fputs("\n", f);
2615 }
2616
2617 if (c->utmp_id)
2618 fprintf(f,
2619 "%sUtmpIdentifier: %s\n",
2620 prefix, c->utmp_id);
2621
2622 if (c->selinux_context)
2623 fprintf(f,
2624 "%sSELinuxContext: %s%s\n",
2625 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
2626
2627 if (c->personality != PERSONALITY_INVALID)
2628 fprintf(f,
2629 "%sPersonality: %s\n",
2630 prefix, strna(personality_to_string(c->personality)));
2631
2632 if (c->syscall_filter) {
2633 #ifdef HAVE_SECCOMP
2634 Iterator j;
2635 void *id;
2636 bool first = true;
2637 #endif
2638
2639 fprintf(f,
2640 "%sSystemCallFilter: ",
2641 prefix);
2642
2643 if (!c->syscall_whitelist)
2644 fputc('~', f);
2645
2646 #ifdef HAVE_SECCOMP
2647 SET_FOREACH(id, c->syscall_filter, j) {
2648 _cleanup_free_ char *name = NULL;
2649
2650 if (first)
2651 first = false;
2652 else
2653 fputc(' ', f);
2654
2655 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
2656 fputs(strna(name), f);
2657 }
2658 #endif
2659
2660 fputc('\n', f);
2661 }
2662
2663 if (c->syscall_archs) {
2664 #ifdef HAVE_SECCOMP
2665 Iterator j;
2666 void *id;
2667 #endif
2668
2669 fprintf(f,
2670 "%sSystemCallArchitectures:",
2671 prefix);
2672
2673 #ifdef HAVE_SECCOMP
2674 SET_FOREACH(id, c->syscall_archs, j)
2675 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
2676 #endif
2677 fputc('\n', f);
2678 }
2679
2680 if (c->syscall_errno > 0)
2681 fprintf(f,
2682 "%sSystemCallErrorNumber: %s\n",
2683 prefix, strna(errno_to_name(c->syscall_errno)));
2684
2685 if (c->apparmor_profile)
2686 fprintf(f,
2687 "%sAppArmorProfile: %s%s\n",
2688 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
2689 }
2690
2691 bool exec_context_maintains_privileges(ExecContext *c) {
2692 assert(c);
2693
2694 /* Returns true if the process forked off would run run under
2695 * an unchanged UID or as root. */
2696
2697 if (!c->user)
2698 return true;
2699
2700 if (streq(c->user, "root") || streq(c->user, "0"))
2701 return true;
2702
2703 return false;
2704 }
2705
2706 void exec_status_start(ExecStatus *s, pid_t pid) {
2707 assert(s);
2708
2709 zero(*s);
2710 s->pid = pid;
2711 dual_timestamp_get(&s->start_timestamp);
2712 }
2713
2714 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
2715 assert(s);
2716
2717 if (s->pid && s->pid != pid)
2718 zero(*s);
2719
2720 s->pid = pid;
2721 dual_timestamp_get(&s->exit_timestamp);
2722
2723 s->code = code;
2724 s->status = status;
2725
2726 if (context) {
2727 if (context->utmp_id)
2728 utmp_put_dead_process(context->utmp_id, pid, code, status);
2729
2730 exec_context_tty_reset(context);
2731 }
2732 }
2733
2734 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
2735 char buf[FORMAT_TIMESTAMP_MAX];
2736
2737 assert(s);
2738 assert(f);
2739
2740 if (s->pid <= 0)
2741 return;
2742
2743 prefix = strempty(prefix);
2744
2745 fprintf(f,
2746 "%sPID: "PID_FMT"\n",
2747 prefix, s->pid);
2748
2749 if (s->start_timestamp.realtime > 0)
2750 fprintf(f,
2751 "%sStart Timestamp: %s\n",
2752 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
2753
2754 if (s->exit_timestamp.realtime > 0)
2755 fprintf(f,
2756 "%sExit Timestamp: %s\n"
2757 "%sExit Code: %s\n"
2758 "%sExit Status: %i\n",
2759 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
2760 prefix, sigchld_code_to_string(s->code),
2761 prefix, s->status);
2762 }
2763
2764 char *exec_command_line(char **argv) {
2765 size_t k;
2766 char *n, *p, **a;
2767 bool first = true;
2768
2769 assert(argv);
2770
2771 k = 1;
2772 STRV_FOREACH(a, argv)
2773 k += strlen(*a)+3;
2774
2775 if (!(n = new(char, k)))
2776 return NULL;
2777
2778 p = n;
2779 STRV_FOREACH(a, argv) {
2780
2781 if (!first)
2782 *(p++) = ' ';
2783 else
2784 first = false;
2785
2786 if (strpbrk(*a, WHITESPACE)) {
2787 *(p++) = '\'';
2788 p = stpcpy(p, *a);
2789 *(p++) = '\'';
2790 } else
2791 p = stpcpy(p, *a);
2792
2793 }
2794
2795 *p = 0;
2796
2797 /* FIXME: this doesn't really handle arguments that have
2798 * spaces and ticks in them */
2799
2800 return n;
2801 }
2802
2803 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
2804 _cleanup_free_ char *cmd = NULL;
2805 const char *prefix2;
2806
2807 assert(c);
2808 assert(f);
2809
2810 prefix = strempty(prefix);
2811 prefix2 = strjoina(prefix, "\t");
2812
2813 cmd = exec_command_line(c->argv);
2814 fprintf(f,
2815 "%sCommand Line: %s\n",
2816 prefix, cmd ? cmd : strerror(ENOMEM));
2817
2818 exec_status_dump(&c->exec_status, f, prefix2);
2819 }
2820
2821 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2822 assert(f);
2823
2824 prefix = strempty(prefix);
2825
2826 LIST_FOREACH(command, c, c)
2827 exec_command_dump(c, f, prefix);
2828 }
2829
2830 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
2831 ExecCommand *end;
2832
2833 assert(l);
2834 assert(e);
2835
2836 if (*l) {
2837 /* It's kind of important, that we keep the order here */
2838 LIST_FIND_TAIL(command, *l, end);
2839 LIST_INSERT_AFTER(command, *l, end, e);
2840 } else
2841 *l = e;
2842 }
2843
2844 int exec_command_set(ExecCommand *c, const char *path, ...) {
2845 va_list ap;
2846 char **l, *p;
2847
2848 assert(c);
2849 assert(path);
2850
2851 va_start(ap, path);
2852 l = strv_new_ap(path, ap);
2853 va_end(ap);
2854
2855 if (!l)
2856 return -ENOMEM;
2857
2858 p = strdup(path);
2859 if (!p) {
2860 strv_free(l);
2861 return -ENOMEM;
2862 }
2863
2864 free(c->path);
2865 c->path = p;
2866
2867 strv_free(c->argv);
2868 c->argv = l;
2869
2870 return 0;
2871 }
2872
2873 int exec_command_append(ExecCommand *c, const char *path, ...) {
2874 _cleanup_strv_free_ char **l = NULL;
2875 va_list ap;
2876 int r;
2877
2878 assert(c);
2879 assert(path);
2880
2881 va_start(ap, path);
2882 l = strv_new_ap(path, ap);
2883 va_end(ap);
2884
2885 if (!l)
2886 return -ENOMEM;
2887
2888 r = strv_extend_strv(&c->argv, l, false);
2889 if (r < 0)
2890 return r;
2891
2892 return 0;
2893 }
2894
2895
2896 static int exec_runtime_allocate(ExecRuntime **rt) {
2897
2898 if (*rt)
2899 return 0;
2900
2901 *rt = new0(ExecRuntime, 1);
2902 if (!*rt)
2903 return -ENOMEM;
2904
2905 (*rt)->n_ref = 1;
2906 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
2907
2908 return 0;
2909 }
2910
2911 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
2912 int r;
2913
2914 assert(rt);
2915 assert(c);
2916 assert(id);
2917
2918 if (*rt)
2919 return 1;
2920
2921 if (!c->private_network && !c->private_tmp)
2922 return 0;
2923
2924 r = exec_runtime_allocate(rt);
2925 if (r < 0)
2926 return r;
2927
2928 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
2929 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, (*rt)->netns_storage_socket) < 0)
2930 return -errno;
2931 }
2932
2933 if (c->private_tmp && !(*rt)->tmp_dir) {
2934 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
2935 if (r < 0)
2936 return r;
2937 }
2938
2939 return 1;
2940 }
2941
2942 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
2943 assert(r);
2944 assert(r->n_ref > 0);
2945
2946 r->n_ref++;
2947 return r;
2948 }
2949
2950 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
2951
2952 if (!r)
2953 return NULL;
2954
2955 assert(r->n_ref > 0);
2956
2957 r->n_ref--;
2958 if (r->n_ref > 0)
2959 return NULL;
2960
2961 free(r->tmp_dir);
2962 free(r->var_tmp_dir);
2963 safe_close_pair(r->netns_storage_socket);
2964 free(r);
2965
2966 return NULL;
2967 }
2968
2969 int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
2970 assert(u);
2971 assert(f);
2972 assert(fds);
2973
2974 if (!rt)
2975 return 0;
2976
2977 if (rt->tmp_dir)
2978 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
2979
2980 if (rt->var_tmp_dir)
2981 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
2982
2983 if (rt->netns_storage_socket[0] >= 0) {
2984 int copy;
2985
2986 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
2987 if (copy < 0)
2988 return copy;
2989
2990 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
2991 }
2992
2993 if (rt->netns_storage_socket[1] >= 0) {
2994 int copy;
2995
2996 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
2997 if (copy < 0)
2998 return copy;
2999
3000 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
3001 }
3002
3003 return 0;
3004 }
3005
3006 int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
3007 int r;
3008
3009 assert(rt);
3010 assert(key);
3011 assert(value);
3012
3013 if (streq(key, "tmp-dir")) {
3014 char *copy;
3015
3016 r = exec_runtime_allocate(rt);
3017 if (r < 0)
3018 return log_oom();
3019
3020 copy = strdup(value);
3021 if (!copy)
3022 return log_oom();
3023
3024 free((*rt)->tmp_dir);
3025 (*rt)->tmp_dir = copy;
3026
3027 } else if (streq(key, "var-tmp-dir")) {
3028 char *copy;
3029
3030 r = exec_runtime_allocate(rt);
3031 if (r < 0)
3032 return log_oom();
3033
3034 copy = strdup(value);
3035 if (!copy)
3036 return log_oom();
3037
3038 free((*rt)->var_tmp_dir);
3039 (*rt)->var_tmp_dir = copy;
3040
3041 } else if (streq(key, "netns-socket-0")) {
3042 int fd;
3043
3044 r = exec_runtime_allocate(rt);
3045 if (r < 0)
3046 return log_oom();
3047
3048 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
3049 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
3050 else {
3051 safe_close((*rt)->netns_storage_socket[0]);
3052 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
3053 }
3054 } else if (streq(key, "netns-socket-1")) {
3055 int fd;
3056
3057 r = exec_runtime_allocate(rt);
3058 if (r < 0)
3059 return log_oom();
3060
3061 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
3062 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
3063 else {
3064 safe_close((*rt)->netns_storage_socket[1]);
3065 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
3066 }
3067 } else
3068 return 0;
3069
3070 return 1;
3071 }
3072
3073 static void *remove_tmpdir_thread(void *p) {
3074 _cleanup_free_ char *path = p;
3075
3076 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
3077 return NULL;
3078 }
3079
3080 void exec_runtime_destroy(ExecRuntime *rt) {
3081 int r;
3082
3083 if (!rt)
3084 return;
3085
3086 /* If there are multiple users of this, let's leave the stuff around */
3087 if (rt->n_ref > 1)
3088 return;
3089
3090 if (rt->tmp_dir) {
3091 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
3092
3093 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
3094 if (r < 0) {
3095 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
3096 free(rt->tmp_dir);
3097 }
3098
3099 rt->tmp_dir = NULL;
3100 }
3101
3102 if (rt->var_tmp_dir) {
3103 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
3104
3105 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
3106 if (r < 0) {
3107 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
3108 free(rt->var_tmp_dir);
3109 }
3110
3111 rt->var_tmp_dir = NULL;
3112 }
3113
3114 safe_close_pair(rt->netns_storage_socket);
3115 }
3116
3117 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
3118 [EXEC_INPUT_NULL] = "null",
3119 [EXEC_INPUT_TTY] = "tty",
3120 [EXEC_INPUT_TTY_FORCE] = "tty-force",
3121 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
3122 [EXEC_INPUT_SOCKET] = "socket"
3123 };
3124
3125 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
3126
3127 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
3128 [EXEC_OUTPUT_INHERIT] = "inherit",
3129 [EXEC_OUTPUT_NULL] = "null",
3130 [EXEC_OUTPUT_TTY] = "tty",
3131 [EXEC_OUTPUT_SYSLOG] = "syslog",
3132 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
3133 [EXEC_OUTPUT_KMSG] = "kmsg",
3134 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
3135 [EXEC_OUTPUT_JOURNAL] = "journal",
3136 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
3137 [EXEC_OUTPUT_SOCKET] = "socket"
3138 };
3139
3140 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
3141
3142 static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
3143 [EXEC_UTMP_INIT] = "init",
3144 [EXEC_UTMP_LOGIN] = "login",
3145 [EXEC_UTMP_USER] = "user",
3146 };
3147
3148 DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
Unnamed repository; edit this file 'description' to name the repository.