#include "af-list.h"
#include "mkdir.h"
#include "apparmor-util.h"
+#include "smack-util.h"
#include "bus-kernel.h"
+#include "label.h"
#ifdef HAVE_SECCOMP
#include "seccomp-util.h"
#ifdef HAVE_SECCOMP
-static int apply_seccomp(ExecContext *c) {
+static int apply_seccomp(const ExecContext *c) {
uint32_t negative_action, action;
scmp_filter_ctx *seccomp;
Iterator i;
return r;
}
-static int apply_address_families(ExecContext *c) {
+static int apply_address_families(const ExecContext *c) {
scmp_filter_ctx *seccomp;
Iterator i;
int r;
}
#endif
-#ifdef HAVE_PAM
- if (params->cgroup_path && context->user && context->pam_name) {
+ /* If delegation is enabled we'll pass ownership of the cgroup
+ * (but only in systemd's own controller hierarchy!) to the
+ * user of the new process. */
+ if (params->cgroup_path && context->user && params->cgroup_delegate) {
err = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
if (err < 0) {
*error = EXIT_CGROUP;
return err;
}
}
-#endif
if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
char **rt;
context->protect_home,
context->protect_system,
context->mount_flags);
- if (err < 0) {
+
+ if (err == -EPERM)
+ log_warning_unit(params->unit_id, "Failed to set up file system namespace due to lack of privileges. Execution sandbox will not be in effect: %s", strerror(-err));
+ else if (err < 0) {
*error = EXIT_NAMESPACE;
return err;
}
}
}
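Review bot: The new `-EPERM` branch turns a namespace-setup failure caused by missing privileges into a warning and lets the service run anyway, so whatever the namespace call above the hunk enforces (the `protect_home`/`protect_system`/`mount_flags` arguments are visible at L39-L41) is silently not applied for that unit instead of failing it. Since that sandbox is a security boundary for some units, the fail-open should be spelled out next to the check, e.g. `/* Lack of privileges (e.g. no CAP_SYS_ADMIN) downgrades the namespace sandbox to best-effort: the service keeps running unsandboxed, and only this warning records it. */`. Note that only `-EPERM` is downgraded; any other error still terminates with `EXIT_NAMESPACE`, which is worth stating in the same comment. The enclosing function starts and ends outside the hunk.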
+#ifdef HAVE_SMACK
+ if (context->smack_process_label) {
+ err = mac_smack_apply_pid(0, context->smack_process_label);
+ if (err < 0) {
+ *error = EXIT_SMACK_PROCESS_LABEL;
+ return err;
+ }
+ }
+#endif
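Review bot: Unlike the SELinux and AppArmor branches further down, the new SMACK block has neither a runtime "is the LSM active" guard nor an `_ignore` option, so if `mac_smack_apply_pid()` does not itself no-op on a kernel without SMACK, a unit carrying `smack_process_label` presumably fails hard with `EXIT_SMACK_PROCESS_LABEL` — worth confirming against smack-util.c and documenting here either way. The ordering also deserves a comment, since the label is written before `enforce_user()` at L62-L63 while the process still has its full capability set, which is presumably required to relabel itself: `/* Apply the SMACK label before dropping privileges; changing our own label needs the manager's capabilities. */`. The enclosing function starts and ends outside the hunk.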
+
if (context->user) {
err = enforce_user(context, uid);
if (err < 0) {
#endif
#ifdef HAVE_SELINUX
- if (context->selinux_context && use_selinux()) {
- err = setexeccon(context->selinux_context);
- if (err < 0 && !context->selinux_context_ignore) {
- *error = EXIT_SELINUX_CONTEXT;
- return err;
+ if (mac_selinux_use()) {
+ if (context->selinux_context) {
+ err = setexeccon(context->selinux_context);
+ if (err < 0 && !context->selinux_context_ignore) {
+ *error = EXIT_SELINUX_CONTEXT;
+ return err;
+ }
+ }
+
+ if (params->selinux_context_net && socket_fd >= 0) {
+ _cleanup_free_ char *label = NULL;
+
+ err = mac_selinux_get_child_mls_label(socket_fd, command->path, &label);
+ if (err < 0) {
+ *error = EXIT_SELINUX_CONTEXT;
+ return err;
+ }
+
+ err = setexeccon(label);
+ if (err < 0) {
+ *error = EXIT_SELINUX_CONTEXT;
+ return err;
+ }
}
}
#endif
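Review bot: `setexeccon()` is a libselinux call that returns -1 and sets errno, but the error paths at L75-L77 and L91-L93 propagate `err` itself, i.e. -1, which the caller will read as `-EPERM` whatever the real cause; the AppArmor hunk below fixes exactly this pattern with `return -errno;` at L105, and both SELinux paths should do the same, e.g. `if (err < 0) { *error = EXIT_SELINUX_CONTEXT; return -errno; }` (the `mac_selinux_get_child_mls_label()` path at L84-L88 is fine if that helper returns a negative errno, which the hunk does not show). Separately, when both `context->selinux_context` and `params->selinux_context_net` are set, the second `setexeccon(label)` silently replaces the explicitly configured context and is not covered by `selinux_context_ignore`; if that precedence is intended, a one-line comment above L81 should say so. The enclosing function starts and ends outside the hunk.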
#ifdef HAVE_APPARMOR
- if (context->apparmor_profile && use_apparmor()) {
+ if (context->apparmor_profile && mac_apparmor_use()) {
err = aa_change_onexec(context->apparmor_profile);
if (err < 0 && !context->apparmor_profile_ignore) {
*error = EXIT_APPARMOR_PROFILE;
- return err;
+ return -errno;
}
}
#endif
n_fds = params->n_fds;
}
- err = exec_context_load_environment(context, &files_env);
+ err = exec_context_load_environment(context, params->unit_id, &files_env);
if (err < 0) {
log_struct_unit(LOG_ERR,
params->unit_id,
}
}
-int exec_context_load_environment(const ExecContext *c, char ***l) {
+int exec_context_load_environment(const ExecContext *c, const char *unit_id, char ***l) {
char **i, **r = NULL;
assert(c);
}
/* Log invalid environment variables with filename */
if (p)
- p = strv_env_clean_log(p, pglob.gl_pathv[n]);
+ p = strv_env_clean_log(p, unit_id, pglob.gl_pathv[n]);
if (r == NULL)
r = p;
prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
}
+bool exec_context_maintains_privileges(ExecContext *c) {
+ assert(c);
+
+ /* Returns true if the process forked off would run run under
+ * an unchanged UID or as root. */
+
+ if (!c->user)
+ return true;
+
+ if (streq(c->user, "root") || streq(c->user, "0"))
+ return true;
+
+ return false;
+}
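Review bot: `exec_context_maintains_privileges()` only reads `c->user`, so it should take `const ExecContext *c` like the signatures this same commit const-ifies at L11 and L18: `bool exec_context_maintains_privileges(const ExecContext *c) {`. The root detection is purely textual — only the literal strings `"root"` and `"0"` are recognized — so a differently spelled user that resolves to UID 0 at exec time would be reported as dropping privileges; callers making security decisions on this result should know that limitation, and the comment also has a doubled word (`run run`). I would replace the comment with `/* Returns true if the process forked off would run under an unchanged UID or as root. Only the literal names "root" and "0" are recognized; other names resolving to UID 0 are not. */`.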
+
void exec_status_start(ExecStatus *s, pid_t pid) {
assert(s);
return 0;
}
+int exec_command_append(ExecCommand *c, const char *path, ...) {
+ _cleanup_strv_free_ char **l = NULL;
+ va_list ap;
+ int r;
+
+ assert(c);
+ assert(path);
+
+ va_start(ap, path);
+ l = strv_new_ap(path, ap);
+ va_end(ap);
+
+ if (!l)
+ return -ENOMEM;
+
+ r = strv_extend_strv(&c->argv, l);
+ if (r < 0)
+ return r;
+
+ return 0;
+}
+
+
static int exec_runtime_allocate(ExecRuntime **rt) {
if (*rt)