1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 #pragma once
3
4 /***
5 This file is part of systemd.
6
7 Copyright 2010 Lennart Poettering
8
9 systemd is free software; you can redistribute it and/or modify it
10 under the terms of the GNU Lesser General Public License as published by
11 the Free Software Foundation; either version 2.1 of the License, or
12 (at your option) any later version.
13
14 systemd is distributed in the hope that it will be useful, but
15 WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 Lesser General Public License for more details.
18
19 You should have received a copy of the GNU Lesser General Public License
20 along with systemd; If not, see <http://www.gnu.org/licenses/>.
21 ***/
22
/* Forward declarations of the structures defined further down in this header. They sit ahead of the
 * #include lines, presumably so that the headers pulled in below (and unit.h / dynamic-user.h at the
 * end of this file) can already refer to these types -- confirm before reordering. */
typedef struct ExecStatus ExecStatus;
typedef struct ExecCommand ExecCommand;
typedef struct ExecContext ExecContext;
typedef struct ExecRuntime ExecRuntime;
typedef struct ExecParameters ExecParameters;
28
29 #include <sched.h>
30 #include <stdbool.h>
31 #include <stdio.h>
32 #include <sys/capability.h>
33
34 #include "cgroup-util.h"
35 #include "fdset.h"
36 #include "list.h"
37 #include "missing.h"
38 #include "namespace.h"
39 #include "nsflags.h"
40
/* 64 * 1024 * 1024 bytes (64 MiB), computed in unsigned arithmetic. Going by the name this is the upper
 * bound for ExecContext.stdin_data_size; the check that enforces it is not in this header -- verify that
 * every writer of stdin_data applies it before growing the buffer. */
#define EXEC_STDIN_DATA_MAX (64U*1024U*1024U)
42
/* utmp handling mode of a unit's processes; stored in ExecContext.utmp_mode. */
typedef enum ExecUtmpMode {
        EXEC_UTMP_INIT = 0,
        EXEC_UTMP_LOGIN,
        EXEC_UTMP_USER,

        _EXEC_UTMP_MODE_MAX,          /* count of the valid modes above, not a mode itself */
        _EXEC_UTMP_MODE_INVALID = -1  /* sentinel outside the valid range */
} ExecUtmpMode;
50
/* Source of a process's standard input; stored in ExecContext.std_input. The numeric values follow
 * declaration order, so new sources must be added directly before _EXEC_INPUT_MAX. */
typedef enum ExecInput {
        EXEC_INPUT_NULL = 0,
        EXEC_INPUT_TTY,
        EXEC_INPUT_TTY_FORCE,
        EXEC_INPUT_TTY_FAIL,
        EXEC_INPUT_SOCKET,
        EXEC_INPUT_NAMED_FD,
        EXEC_INPUT_DATA,
        EXEC_INPUT_FILE,

        _EXEC_INPUT_MAX,          /* count of the valid sources above */
        _EXEC_INPUT_INVALID = -1  /* sentinel outside the valid range */
} ExecInput;
63
/* Destination of a process's standard output or standard error; used for both ExecContext.std_output
 * and ExecContext.std_error. The numeric values follow declaration order. */
typedef enum ExecOutput {
        EXEC_OUTPUT_INHERIT = 0,
        EXEC_OUTPUT_NULL,
        EXEC_OUTPUT_TTY,
        EXEC_OUTPUT_SYSLOG,
        EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
        EXEC_OUTPUT_KMSG,
        EXEC_OUTPUT_KMSG_AND_CONSOLE,
        EXEC_OUTPUT_JOURNAL,
        EXEC_OUTPUT_JOURNAL_AND_CONSOLE,
        EXEC_OUTPUT_SOCKET,
        EXEC_OUTPUT_NAMED_FD,
        EXEC_OUTPUT_FILE,

        _EXEC_OUTPUT_MAX,          /* count of the valid destinations above */
        _EXEC_OUTPUT_INVALID = -1  /* sentinel outside the valid range */
} ExecOutput;
80
/* Preservation policy stored in ExecContext.runtime_directory_preserve_mode. */
typedef enum ExecPreserveMode {
        EXEC_PRESERVE_NO = 0,
        EXEC_PRESERVE_YES,
        EXEC_PRESERVE_RESTART,

        _EXEC_PRESERVE_MODE_MAX,          /* count of the valid modes above */
        _EXEC_PRESERVE_MODE_INVALID = -1  /* sentinel outside the valid range */
} ExecPreserveMode;
88
/* Kernel keyring handling mode stored in ExecContext.keyring_mode. What INHERIT/PRIVATE/SHARED do to
 * the spawned process's keyring is implemented outside this header. */
typedef enum ExecKeyringMode {
        EXEC_KEYRING_INHERIT = 0,
        EXEC_KEYRING_PRIVATE,
        EXEC_KEYRING_SHARED,

        _EXEC_KEYRING_MODE_MAX,           /* count of the valid modes above */
        _EXEC_KEYRING_MODE_INVALID = -1,  /* sentinel outside the valid range */
} ExecKeyringMode;
96
/* Start/exit record of one process: two timestamps, the PID and the exit information. Embedded in
 * ExecCommand as exec_status and updated through exec_status_start()/exec_status_exit(). */
struct ExecStatus {
        dual_timestamp start_timestamp;
        dual_timestamp exit_timestamp;
        pid_t pid;
        int code;     /* as in siginfo_t::si_code */
        int status;   /* as in siginfo_t::si_status */
};
104
/* Per-command bit flags stored in ExecCommand.flags; each flag occupies exactly one bit so they can be
 * OR-ed together. Judging by the names, FULLY_PRIVILEGED, NO_SETUID and AMBIENT_MAGIC alter how
 * credentials are applied to that single command -- their effect is implemented outside this header,
 * so any new code path that sets them deserves a privilege review. */
typedef enum ExecCommandFlags {
        EXEC_COMMAND_IGNORE_FAILURE   = 1U << 0,
        EXEC_COMMAND_FULLY_PRIVILEGED = 1U << 1,
        EXEC_COMMAND_NO_SETUID        = 1U << 2,
        EXEC_COMMAND_AMBIENT_MAGIC    = 1U << 3,
} ExecCommandFlags;
111
/* One command to execute: the binary path, its argument vector, the ExecStatus recorded for it and its
 * ExecCommandFlags. The LIST_FIELDS member links several commands into a list. */
struct ExecCommand {
        char *path;
        char **argv;
        ExecStatus exec_status;
        ExecCommandFlags flags;   /* bitwise OR of EXEC_COMMAND_* values */
        LIST_FIELDS(ExecCommand, command); /* useful for chaining commands */
};
119
/* Runtime state that is handled through exec_runtime_ref()/exec_runtime_unref() and can be written out
 * and read back with exec_runtime_serialize()/exec_runtime_deserialize_item(). */
struct ExecRuntime {
        int n_ref;   /* presumably the reference count maintained by exec_runtime_ref()/_unref() */

        /* Directory paths; presumably the private /tmp and /var/tmp locations used when
         * ExecContext.private_tmp is set -- confirm against exec_runtime_make(). */
        char *tmp_dir;
        char *var_tmp_dir;

        /* An AF_UNIX socket pair, that contains a datagram containing a file descriptor referring to the network
         * namespace. */
        int netns_storage_socket[2];
};
130
/* Kinds of per-unit directories. The values start at 0 and are contiguous because they index
 * ExecContext.directories[], which is sized by _EXEC_DIRECTORY_TYPE_MAX. */
typedef enum ExecDirectoryType {
        EXEC_DIRECTORY_RUNTIME = 0,
        EXEC_DIRECTORY_STATE,
        EXEC_DIRECTORY_CACHE,
        EXEC_DIRECTORY_LOGS,
        EXEC_DIRECTORY_CONFIGURATION,
        _EXEC_DIRECTORY_TYPE_MAX,           /* count of the valid types above; array dimension */
        _EXEC_DIRECTORY_TYPE_INVALID = -1,  /* sentinel; must never be used as an array index */
} ExecDirectoryType;
140
/* Settings for one ExecDirectoryType slot of ExecContext.directories[]: a list of paths plus one mode
 * value shared by all of them. */
typedef struct ExecDirectory {
        char **paths;
        mode_t mode;   /* presumably the permission bits applied when the paths are created -- confirm */
} ExecDirectory;
145
/* Execution settings for a unit's processes: environment, resource limits, scheduling, stdio wiring,
 * credentials, MAC labels, mount and namespace sandboxing, capabilities, logging and syscall /
 * address-family filters. Set up and torn down through exec_context_init()/exec_context_done().
 * This header only declares the fields; how and when each one is enforced is implemented elsewhere. */
struct ExecContext {
        /* Environment */
        char **environment;
        char **environment_files;
        char **pass_environment;
        char **unset_environment;

        struct rlimit *rlimit[_RLIMIT_MAX];   /* one pointer slot per resource limit */
        char *working_directory, *root_directory, *root_image;
        bool working_directory_missing_ok;
        bool working_directory_home;

        /* Process attributes and scheduling; see the *_set bits at the end of the structure */
        mode_t umask;
        int oom_score_adjust;
        int nice;
        int ioprio;
        int cpu_sched_policy;
        int cpu_sched_priority;

        cpu_set_t *cpuset;
        unsigned cpuset_ncpus;

        /* Standard input/output/error wiring */
        ExecInput std_input;
        ExecOutput std_output;
        ExecOutput std_error;
        char *stdio_fdname[3];   /* three slots; presumably indexed stdin/stdout/stderr -- confirm */
        char *stdio_file[3];     /* three slots; presumably indexed stdin/stdout/stderr -- confirm */

        /* Raw buffer and its length in bytes. Presumably limited by EXEC_STDIN_DATA_MAX; the limit is
         * not enforced in this header -- verify at every site that appends to the buffer. */
        void *stdin_data;
        size_t stdin_data_size;

        nsec_t timer_slack_nsec;

        bool stdio_as_fds;

        char *tty_path;

        bool tty_reset;
        bool tty_vhangup;
        bool tty_vt_disallocate;

        bool ignore_sigpipe;

        /* Since resolving these names might involve socket
         * connections and we don't want to deadlock ourselves these
         * names are resolved on execution only and in the child
         * process. */
        char *user;
        char *group;
        char **supplementary_groups;

        char *pam_name;

        char *utmp_id;
        ExecUtmpMode utmp_mode;

        /* MAC labels. NOTE(review): each *_ignore flag presumably makes a failure to apply the label
         * non-fatal, which would let the process run unconfined -- confirm in the spawn path. */
        bool selinux_context_ignore;
        char *selinux_context;

        bool apparmor_profile_ignore;
        char *apparmor_profile;

        bool smack_process_label_ignore;
        char *smack_process_label;

        ExecKeyringMode keyring_mode;

        /* File system view */
        char **read_write_paths, **read_only_paths, **inaccessible_paths;
        unsigned long mount_flags;
        BindMount *bind_mounts;
        unsigned n_bind_mounts;   /* presumably the number of entries in bind_mounts */

        /* Capability sets as 64-bit masks; presumably one bit per capability number */
        uint64_t capability_bounding_set;
        uint64_t capability_ambient_set;
        int secure_bits;

        /* Logging */
        int syslog_priority;
        char *syslog_identifier;
        bool syslog_level_prefix;

        int log_level_max;

        struct iovec* log_extra_fields;
        size_t n_log_extra_fields;   /* presumably the number of entries in log_extra_fields */

        /* Sandboxing switches. NOTE(review): whether a switch is actually applied presumably also
         * depends on ExecParameters.flags (e.g. EXEC_APPLY_SANDBOXING) -- verify in the spawn path. */
        bool cpu_sched_reset_on_fork;
        bool non_blocking;
        bool private_tmp;
        bool private_network;
        bool private_devices;
        bool private_users;
        ProtectSystem protect_system;
        ProtectHome protect_home;
        bool protect_kernel_tunables;
        bool protect_kernel_modules;
        bool protect_control_groups;
        bool mount_apivfs;

        bool no_new_privileges;

        bool dynamic_user;
        bool remove_ipc;

        /* This is not exposed to the user but available
         * internally. We need it to make sure that whenever we spawn
         * /usr/bin/mount it is run in the same process group as us so
         * that the autofs logic detects that it belongs to us and we
         * don't enter a trigger loop. */
        bool same_pgrp;

        unsigned long personality;
        bool lock_personality;

        unsigned long restrict_namespaces; /* The CLONE_NEWxyz flags permitted to the unit's processes */

        /* System call filter. syscall_whitelist presumably selects whether syscall_filter lists the
         * permitted calls (true) or the denied ones (false) -- confirm in the seccomp setup code. */
        Hashmap *syscall_filter;
        Set *syscall_archs;
        int syscall_errno;
        bool syscall_whitelist:1;

        /* Socket address family filter; address_families_whitelist presumably has the same polarity
         * meaning as syscall_whitelist -- confirm. */
        Set *address_families;
        bool address_families_whitelist:1;

        ExecPreserveMode runtime_directory_preserve_mode;
        ExecDirectory directories[_EXEC_DIRECTORY_TYPE_MAX];   /* indexed by ExecDirectoryType */

        bool memory_deny_write_execute;
        bool restrict_realtime;

        /* One-bit markers; presumably record that the matching value above was set explicitly */
        bool oom_score_adjust_set:1;
        bool nice_set:1;
        bool ioprio_set:1;
        bool cpu_sched_set:1;
};
279
/* Reports whether the context restricts namespaces at all: true as soon as at least one of the
 * namespace types covered by NAMESPACE_FLAGS_ALL is missing from the permitted mask
 * c->restrict_namespaces, false when every one of them is still permitted. c must not be NULL. */
static inline bool exec_context_restrict_namespaces_set(const ExecContext *c) {
        unsigned long permitted;

        assert(c);

        /* Bits outside NAMESPACE_FLAGS_ALL are masked off so that they cannot influence the result. */
        permitted = c->restrict_namespaces & NAMESPACE_FLAGS_ALL;

        return permitted != NAMESPACE_FLAGS_ALL;
}
285
/* Per-invocation bit flags carried in ExecParameters.flags; each flag occupies exactly one bit
 * (1U << n) so they can be OR-ed together. Judging by the names, EXEC_APPLY_SANDBOXING and
 * EXEC_APPLY_CHROOT gate security-relevant setup, so a caller that leaves them out presumably spawns
 * with fewer restrictions than the ExecContext describes -- confirm in the implementation. */
typedef enum ExecFlags {
        EXEC_APPLY_SANDBOXING  = 1U << 0,
        EXEC_APPLY_CHROOT      = 1U << 1,
        EXEC_APPLY_TTY_STDIN   = 1U << 2,
        EXEC_NEW_KEYRING       = 1U << 3,
        EXEC_PASS_LOG_UNIT     = 1U << 4, /* Whether to pass the unit name to the service's journal stream connection */
        EXEC_CHOWN_DIRECTORIES = 1U << 5, /* chown() the runtime/state/cache/log directories to the user we run as, under all conditions */
        EXEC_NSS_BYPASS_BUS    = 1U << 6, /* Set the SYSTEMD_NSS_BYPASS_BUS environment variable, to disable nss-systemd for dbus */
        EXEC_CGROUP_DELEGATE   = 1U << 7,

        /* The following are not used by execute.c, but by consumers internally */
        EXEC_PASS_FDS          = 1U << 8,
        EXEC_IS_CONTROL        = 1U << 9,
        EXEC_SETENV_RESULT     = 1U << 10,
        EXEC_SET_WATCHDOG      = 1U << 11,
} ExecFlags;
302
/* Per-invocation parameters passed to exec_spawn() alongside the ExecContext: argument vector,
 * extra environment, file descriptors to hand over, ExecFlags and cgroup information. */
struct ExecParameters {
        char **argv;
        char **environment;

        /* File descriptors and their names. Presumably parallel arrays whose length is
         * n_storage_fds + n_socket_fds -- confirm before indexing. */
        int *fds;
        char **fd_names;
        unsigned n_storage_fds;
        unsigned n_socket_fds;

        ExecFlags flags;   /* bitwise OR of EXEC_* values from ExecFlags */
        bool selinux_context_net:1;

        CGroupMask cgroup_supported;
        const char *cgroup_path;   /* const: not owned by this structure as far as the type shows */

        char **prefix;

        const char *confirm_spawn;

        usec_t watchdog_usec;

        int *idle_pipe;

        /* Explicit descriptors for the three standard streams */
        int stdin_fd;
        int stdout_fd;
        int stderr_fd;
};
330
331 #include "unit.h"
332 #include "dynamic-user.h"
333
/* Spawns `command` for `unit` with the settings from `context` and `exec_params`. Going by the
 * signature, the PID of the new process is handed back through `ret` and the int result reports
 * success or failure -- TODO confirm the error convention against the implementation. `context` and
 * `exec_params` are const and are not modified through these pointers. */
int exec_spawn(Unit *unit,
               ExecCommand *command,
               const ExecContext *context,
               const ExecParameters *exec_params,
               ExecRuntime *runtime,
               DynamicCreds *dynamic_creds,
               pid_t *ret);
341
/* Release helpers for a single ExecCommand and for an array of n of them. */
void exec_command_done(ExecCommand *c);
void exec_command_done_array(ExecCommand *c, unsigned n);

/* Free a linked list of commands / an array of n list heads. The list variant returns ExecCommand*,
 * presumably NULL so that callers can reset their pointer in the same statement -- confirm. */
ExecCommand* exec_command_free_list(ExecCommand *c);
void exec_command_free_array(ExecCommand **c, unsigned n);

/* Builds one string from an argument vector; presumably newly allocated and owned by the caller. */
char *exec_command_line(char **argv);

/* Write a description of one command / a list of commands to f, each line starting with prefix. */
void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix);
void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix);
void exec_command_append_list(ExecCommand **l, ExecCommand *e);
/* Variadic: the terminator convention for the argument list is not visible in this header, presumably
 * a NULL-terminated list of strings. A call without the terminator would read past its arguments, so
 * confirm the convention before adding callers. */
int exec_command_set(ExecCommand *c, const char *path, ...);
int exec_command_append(ExecCommand *c, const char *path, ...);
355
/* Lifecycle and debugging helpers for ExecContext. */
void exec_context_init(ExecContext *c);
void exec_context_done(ExecContext *c);
void exec_context_dump(ExecContext *c, FILE* f, const char *prefix);

/* Takes the context and a runtime root path; NOTE(review): this presumably removes directories below
 * runtime_root, so the caller must pass a trusted root -- confirm in the implementation. */
int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_root);

/* Result is passed back through l (char ***); presumably the merged environment read from
 * c->environment_files -- confirm. */
int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l);
/* Fills the three-element named_iofds array; presumably one descriptor per standard stream. */
int exec_context_named_iofds(Unit *unit, const ExecContext *c, const ExecParameters *p, int named_iofds[3]);
/* fd_index presumably must be in the range 0..2, matching the size of ExecContext.stdio_fdname[]. */
const char* exec_context_fdname(const ExecContext *c, int fd_index);

/* Boolean queries on a context; what exactly counts as "touching the console" or "maintaining
 * privileges" is defined by the implementation, not by this header. */
bool exec_context_may_touch_console(ExecContext *c);
bool exec_context_maintains_privileges(ExecContext *c);

int exec_context_get_effective_ioprio(ExecContext *c);

void exec_context_free_log_extra_fields(ExecContext *c);
372
/* ExecStatus bookkeeping: record the start of process pid, record its exit (code/status carry the same
 * meaning as the ExecStatus fields of those names), and write a description to f. */
void exec_status_start(ExecStatus *s, pid_t pid);
void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status);
void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix);
376
/* Creates an ExecRuntime for context c and returns it through rt; ref/unref presumably adjust
 * ExecRuntime.n_ref and return the pointer (or NULL) for convenient assignment -- confirm. */
int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id);
ExecRuntime *exec_runtime_ref(ExecRuntime *r);
ExecRuntime *exec_runtime_unref(ExecRuntime *r);

/* Serialization to a stream plus an FDSet, and item-wise deserialization from key/value strings.
 * NOTE(review): key and value are read back from serialized state; any descriptor number parsed from
 * value should presumably be checked against fds before use -- verify in the implementation. */
int exec_runtime_serialize(Unit *unit, ExecRuntime *rt, FILE *f, FDSet *fds);
int exec_runtime_deserialize_item(Unit *unit, ExecRuntime **rt, const char *key, const char *value, FDSet *fds);

void exec_runtime_destroy(ExecRuntime *rt);
385
/* String conversion pairs, one per enum declared above. _const_ and _pure_ are attribute macros
 * defined elsewhere in the tree. The *_from_string() functions presumably return the matching
 * _..._INVALID (-1) value for an unrecognised string, and *_to_string() presumably returns NULL for an
 * out-of-range value -- callers should check for both before using the result. */
const char* exec_output_to_string(ExecOutput i) _const_;
ExecOutput exec_output_from_string(const char *s) _pure_;

const char* exec_input_to_string(ExecInput i) _const_;
ExecInput exec_input_from_string(const char *s) _pure_;

const char* exec_utmp_mode_to_string(ExecUtmpMode i) _const_;
ExecUtmpMode exec_utmp_mode_from_string(const char *s) _pure_;

const char* exec_preserve_mode_to_string(ExecPreserveMode i) _const_;
ExecPreserveMode exec_preserve_mode_from_string(const char *s) _pure_;

const char* exec_keyring_mode_to_string(ExecKeyringMode i) _const_;
ExecKeyringMode exec_keyring_mode_from_string(const char *s) _pure_;

const char* exec_directory_type_to_string(ExecDirectoryType i) _const_;
ExecDirectoryType exec_directory_type_from_string(const char *s) _pure_;