From: Daan De Meyer Date: Mon, 7 Apr 2025 19:54:53 +0000 (+0200) Subject: execute: Get rid of custom logging macros X-Git-Tag: v258-rc1~753^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=44d50ba88ee791777d8a13d5458827657d60e76f;p=thirdparty%2Fsystemd.git execute: Get rid of custom logging macros We already have LOG_CONTEXT_PUSH_EXEC() which with two additions does exactly the same as the custom logging macros, so let's get rid of the custom logging macros and use LOG_CONTEXT_PUSH_EXEC() instead. --- diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c index fcbd62744be..d0c69d98ecf 100644 --- a/src/core/exec-invoke.c +++ b/src/core/exec-invoke.c @@ -569,11 +569,8 @@ static int setup_output( case EXEC_OUTPUT_JOURNAL_AND_CONSOLE: r = connect_logger_as(context, params, o, ident, fileno, uid, gid); if (r < 0) { - log_exec_warning_errno(context, - params, - r, - "Failed to connect %s to the journal socket, ignoring: %m", - fileno == STDOUT_FILENO ? "stdout" : "stderr"); + log_warning_errno(r, "Failed to connect %s to the journal socket, ignoring: %m", + fileno == STDOUT_FILENO ? "stdout" : "stderr"); r = open_null_as(O_WRONLY, fileno); } else { struct stat st; @@ -1106,11 +1103,11 @@ static int ask_password_conv( _cleanup_free_ char *creds_dir = NULL; r = exec_context_get_credential_directory(data->context, data->params, data->params->unit_id, &creds_dir); if (r < 0) - return log_exec_error_errno(data->context, data->params, r, "Failed to determine credentials directory: %m"); + return log_error_errno(r, "Failed to determine credentials directory: %m"); if (creds_dir) { if (setenv("CREDENTIALS_DIRECTORY", creds_dir, /* overwrite= */ true) < 0) - return log_exec_error_errno(data->context, data->params, r, "Failed to set $CREDENTIALS_DIRECTORY: %m"); + return log_error_errno(r, "Failed to set $CREDENTIALS_DIRECTORY: %m"); } else (void) unsetenv("CREDENTIALS_DIRECTORY"); @@ -1137,7 +1134,7 @@ static int ask_password_conv( (mi->msg_style == PAM_PROMPT_ECHO_ON ? ASK_PASSWORD_ECHO : 0), &acquired); if (r < 0) { - log_exec_error_errno(data->context, data->params, r, "Failed to query for password: %m"); + log_error_errno(r, "Failed to query for password: %m"); return PAM_CONV_ERR; } @@ -1150,11 +1147,11 @@ static int ask_password_conv( } case PAM_ERROR_MSG: - log_exec_error(data->context, data->params, "PAM: %s", mi->msg); + log_error("PAM: %s", mi->msg); break; case PAM_TEXT_INFO: - log_exec_info(data->context, data->params, "PAM: %s", mi->msg); + log_info("PAM: %s", mi->msg); break; default: @@ -1518,15 +1515,13 @@ static bool seccomp_allows_drop_privileges(const ExecContext *c) { return !(have_capget || have_capset || have_prctl); } -static bool skip_seccomp_unavailable(const ExecContext *c, const ExecParameters *p, const char *msg) { - assert(c); - assert(p); +static bool skip_seccomp_unavailable(const char *msg) { assert(msg); if (is_seccomp_available()) return false; - log_exec_debug(c, p, "SECCOMP features not detected in the kernel, skipping %s", msg); + log_debug("SECCOMP features not detected in the kernel, skipping %s", msg); return true; } @@ -1540,7 +1535,7 @@ static int apply_syscall_filter(const ExecContext *c, const ExecParameters *p) { if (!context_has_syscall_filters(c)) return 0; - if (skip_seccomp_unavailable(c, p, "SystemCallFilter=")) + if (skip_seccomp_unavailable("SystemCallFilter=")) return 0; negative_action = c->syscall_errno == SECCOMP_ERROR_NUMBER_KILL ? scmp_act_kill_process() : SCMP_ACT_ERRNO(c->syscall_errno); @@ -1575,7 +1570,7 @@ static int apply_syscall_log(const ExecContext *c, const ExecParameters *p) { return 0; #ifdef SCMP_ACT_LOG - if (skip_seccomp_unavailable(c, p, "SystemCallLog=")) + if (skip_seccomp_unavailable("SystemCallLog=")) return 0; if (c->syscall_log_allow_list) { @@ -1591,7 +1586,7 @@ static int apply_syscall_log(const ExecContext *c, const ExecParameters *p) { return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_log, action, false); #else /* old libseccomp */ - log_exec_debug(c, p, "SECCOMP feature SCMP_ACT_LOG not available, skipping SystemCallLog="); + log_debug( "SECCOMP feature SCMP_ACT_LOG not available, skipping SystemCallLog="); return 0; #endif } @@ -1603,7 +1598,7 @@ static int apply_syscall_archs(const ExecContext *c, const ExecParameters *p) { if (set_isempty(c->syscall_archs)) return 0; - if (skip_seccomp_unavailable(c, p, "SystemCallArchitectures=")) + if (skip_seccomp_unavailable("SystemCallArchitectures=")) return 0; return seccomp_restrict_archs(c->syscall_archs); @@ -1616,7 +1611,7 @@ static int apply_address_families(const ExecContext *c, const ExecParameters *p) if (!context_has_address_families(c)) return 0; - if (skip_seccomp_unavailable(c, p, "RestrictAddressFamilies=")) + if (skip_seccomp_unavailable("RestrictAddressFamilies=")) return 0; return seccomp_restrict_address_families(c->address_families, c->address_families_allow_list); @@ -1634,18 +1629,15 @@ static int apply_memory_deny_write_execute(const ExecContext *c, const ExecParam /* use prctl() if kernel supports it (6.3) */ r = prctl(PR_SET_MDWE, PR_MDWE_REFUSE_EXEC_GAIN, 0, 0, 0); if (r == 0) { - log_exec_debug(c, p, "Enabled MemoryDenyWriteExecute= with PR_SET_MDWE"); + log_debug("Enabled MemoryDenyWriteExecute= with PR_SET_MDWE"); return 0; } if (r < 0 && errno != EINVAL) - return log_exec_debug_errno(c, - p, - errno, - "Failed to enable MemoryDenyWriteExecute= with PR_SET_MDWE: %m"); + return log_debug_errno(errno, "Failed to enable MemoryDenyWriteExecute= with PR_SET_MDWE: %m"); /* else use seccomp */ - log_exec_debug(c, p, "Kernel doesn't support PR_SET_MDWE: falling back to seccomp"); + log_debug("Kernel doesn't support PR_SET_MDWE: falling back to seccomp"); - if (skip_seccomp_unavailable(c, p, "MemoryDenyWriteExecute=")) + if (skip_seccomp_unavailable("MemoryDenyWriteExecute=")) return 0; return seccomp_memory_deny_write_execute(); @@ -1658,7 +1650,7 @@ static int apply_restrict_realtime(const ExecContext *c, const ExecParameters *p if (!c->restrict_realtime) return 0; - if (skip_seccomp_unavailable(c, p, "RestrictRealtime=")) + if (skip_seccomp_unavailable("RestrictRealtime=")) return 0; return seccomp_restrict_realtime(); @@ -1671,7 +1663,7 @@ static int apply_restrict_suid_sgid(const ExecContext *c, const ExecParameters * if (!c->restrict_suid_sgid) return 0; - if (skip_seccomp_unavailable(c, p, "RestrictSUIDSGID=")) + if (skip_seccomp_unavailable("RestrictSUIDSGID=")) return 0; return seccomp_restrict_suid_sgid(); @@ -1687,7 +1679,7 @@ static int apply_protect_sysctl(const ExecContext *c, const ExecParameters *p) { if (!c->protect_kernel_tunables) return 0; - if (skip_seccomp_unavailable(c, p, "ProtectKernelTunables=")) + if (skip_seccomp_unavailable("ProtectKernelTunables=")) return 0; return seccomp_protect_sysctl(); @@ -1702,7 +1694,7 @@ static int apply_protect_kernel_modules(const ExecContext *c, const ExecParamete if (!c->protect_kernel_modules) return 0; - if (skip_seccomp_unavailable(c, p, "ProtectKernelModules=")) + if (skip_seccomp_unavailable("ProtectKernelModules=")) return 0; return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM), false); @@ -1715,7 +1707,7 @@ static int apply_protect_kernel_logs(const ExecContext *c, const ExecParameters if (!c->protect_kernel_logs) return 0; - if (skip_seccomp_unavailable(c, p, "ProtectKernelLogs=")) + if (skip_seccomp_unavailable("ProtectKernelLogs=")) return 0; return seccomp_protect_syslog(); @@ -1728,7 +1720,7 @@ static int apply_protect_clock(const ExecContext *c, const ExecParameters *p) { if (!c->protect_clock) return 0; - if (skip_seccomp_unavailable(c, p, "ProtectClock=")) + if (skip_seccomp_unavailable("ProtectClock=")) return 0; return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_CLOCK, SCMP_ACT_ERRNO(EPERM), false); @@ -1743,7 +1735,7 @@ static int apply_private_devices(const ExecContext *c, const ExecParameters *p) if (!c->private_devices) return 0; - if (skip_seccomp_unavailable(c, p, "PrivateDevices=")) + if (skip_seccomp_unavailable("PrivateDevices=")) return 0; return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM), false); @@ -1756,7 +1748,7 @@ static int apply_restrict_namespaces(const ExecContext *c, const ExecParameters if (!exec_context_restrict_namespaces_set(c)) return 0; - if (skip_seccomp_unavailable(c, p, "RestrictNamespaces=")) + if (skip_seccomp_unavailable("RestrictNamespaces=")) return 0; return seccomp_restrict_namespaces(c->restrict_namespaces); @@ -1772,7 +1764,7 @@ static int apply_lock_personality(const ExecContext *c, const ExecParameters *p) if (!c->lock_personality) return 0; - if (skip_seccomp_unavailable(c, p, "LockPersonality=")) + if (skip_seccomp_unavailable("LockPersonality=")) return 0; personality = c->personality; @@ -1802,7 +1794,7 @@ static int apply_restrict_filesystems(const ExecContext *c, const ExecParameters if (p->bpf_restrict_fs_map_fd < 0) { /* LSM BPF is unsupported or lsm_bpf_setup failed */ - log_exec_debug(c, p, "LSM BPF not supported, skipping RestrictFileSystems="); + log_debug("LSM BPF not supported, skipping RestrictFileSystems="); return 0; } @@ -1829,34 +1821,32 @@ static int apply_protect_hostname(const ExecContext *c, const ExecParameters *p, if (unshare(CLONE_NEWUTS) < 0) { if (!ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno)) { *ret_exit_status = EXIT_NAMESPACE; - return log_exec_error_errno(c, p, errno, "Failed to set up UTS namespacing: %m"); + return log_error_errno(errno, "Failed to set up UTS namespacing: %m"); } - log_exec_warning(c, p, - "ProtectHostname=%s is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.", - protect_hostname_to_string(c->protect_hostname)); + log_warning("ProtectHostname=%s is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.", + protect_hostname_to_string(c->protect_hostname)); } else if (c->private_hostname) { r = sethostname_idempotent(c->private_hostname); if (r < 0) { *ret_exit_status = EXIT_NAMESPACE; - return log_exec_error_errno(c, p, r, "Failed to set private hostname '%s': %m", c->private_hostname); + return log_error_errno(r, "Failed to set private hostname '%s': %m", c->private_hostname); } } } else - log_exec_warning(c, p, - "ProtectHostname=%s is configured, but the kernel does not support UTS namespaces, ignoring namespace setup.", - protect_hostname_to_string(c->protect_hostname)); + log_warning("ProtectHostname=%s is configured, but the kernel does not support UTS namespaces, ignoring namespace setup.", + protect_hostname_to_string(c->protect_hostname)); #if HAVE_SECCOMP if (c->protect_hostname == PROTECT_HOSTNAME_YES) { - if (skip_seccomp_unavailable(c, p, "ProtectHostname=")) + if (skip_seccomp_unavailable("ProtectHostname=")) return 0; r = seccomp_protect_hostname(); if (r < 0) { *ret_exit_status = EXIT_SECCOMP; - return log_exec_error_errno(c, p, r, "Failed to apply hostname restrictions: %m"); + return log_error_errno(r, "Failed to apply hostname restrictions: %m"); } } #endif @@ -1985,10 +1975,7 @@ static int build_environment( r = get_fixed_user("root", /* prefer_nss = */ false, &username, NULL, NULL, &home, &shell); if (r < 0) - return log_exec_debug_errno(c, - p, - r, - "Failed to determine user credentials for root: %m"); + return log_debug_errno(r, "Failed to determine user credentials for root: %m"); } bool set_user_login_env = exec_context_get_set_login_environment(c); @@ -2059,11 +2046,7 @@ static int build_environment( r = proc_cmdline_get_key(key, 0, &cmdline); if (r < 0) - log_exec_debug_errno(c, - p, - r, - "Failed to read %s from kernel cmdline, ignoring: %m", - key); + log_debug_errno(r, "Failed to read %s from kernel cmdline, ignoring: %m", key); else if (r > 0) term = cmdline; } @@ -2435,15 +2418,12 @@ static int setup_private_users(PrivateUsers private_users, uid_t ouid, gid_t ogi return 1; } -static int can_mount_proc(const ExecContext *c, const ExecParameters *p) { +static int can_mount_proc(void) { _cleanup_close_pair_ int errno_pipe[2] = EBADF_PAIR; _cleanup_(sigkill_waitp) pid_t pid = 0; ssize_t n; int r; - assert(c); - assert(p); - /* If running via unprivileged user manager and /proc/ is masked (e.g. /proc/kmsg is over-mounted with tmpfs * like systemd-nspawn does), then mounting /proc/ will fail with EPERM. This is due to a kernel restriction * where unprivileged user namespaces cannot mount a less restrictive instance of /proc. */ @@ -2451,14 +2431,14 @@ static int can_mount_proc(const ExecContext *c, const ExecParameters *p) { /* Create a communication channel so that the child can tell the parent a proper error code in case it * failed. */ if (pipe2(errno_pipe, O_CLOEXEC) < 0) - return log_exec_debug_errno(c, p, errno, "Failed to create pipe for communicating with child process (sd-proc-check): %m"); + return log_debug_errno(errno, "Failed to create pipe for communicating with child process (sd-proc-check): %m"); /* Fork a child process into its own mount and PID namespace. Note safe_fork() already remounts / as SLAVE * with FORK_MOUNTNS_SLAVE. */ r = safe_fork("(sd-proc-check)", FORK_RESET_SIGNALS|FORK_DEATHSIG_SIGKILL|FORK_NEW_MOUNTNS|FORK_MOUNTNS_SLAVE|FORK_NEW_PIDNS, &pid); if (r < 0) - return log_exec_debug_errno(c, p, r, "Failed to fork child process (sd-proc-check): %m"); + return log_debug_errno(r, "Failed to fork child process (sd-proc-check): %m"); if (r == 0) { errno_pipe[0] = safe_close(errno_pipe[0]); @@ -2478,7 +2458,7 @@ static int can_mount_proc(const ExecContext *c, const ExecParameters *p) { /* Try to read an error code from the child */ n = read(errno_pipe[0], &r, sizeof(r)); if (n < 0) - return log_exec_debug_errno(c, p, errno, "Failed to read errno from pipe with child process (sd-proc-check): %m"); + return log_debug_errno(errno, "Failed to read errno from pipe with child process (sd-proc-check): %m"); if (n == sizeof(r)) { /* an error code was sent to us */ /* This is the expected case where proc cannot be mounted due to permissions. */ if (ERRNO_IS_NEG_PRIVILEGE(r)) @@ -2493,9 +2473,9 @@ static int can_mount_proc(const ExecContext *c, const ExecParameters *p) { r = wait_for_terminate_and_check("(sd-proc-check)", TAKE_PID(pid), 0 /* flags= */); if (r < 0) - return log_exec_debug_errno(c, p, r, "Failed to wait for (sd-proc-check) child process to terminate: %m"); + return log_debug_errno(r, "Failed to wait for (sd-proc-check) child process to terminate: %m"); if (r != EXIT_SUCCESS) /* If something strange happened with the child, let's consider this fatal, too */ - return log_exec_debug_errno(c, p, SYNTHETIC_ERRNO(EIO), "Child process (sd-proc-check) exited with unexpected exit status '%d'.", r); + return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Child process (sd-proc-check) exited with unexpected exit status '%d'.", r); return 1; } @@ -2518,12 +2498,12 @@ static int setup_private_pids(const ExecContext *c, ExecParameters *p) { /* Create a communication channel so that the parent can tell the child a proper error code in case it * failed to send child pidref to the manager. */ if (pipe2(errno_pipe, O_CLOEXEC) < 0) - return log_exec_debug_errno(c, p, errno, "Failed to create pipe for communicating with parent process: %m"); + return log_debug_errno(errno, "Failed to create pipe for communicating with parent process: %m"); /* Set FORK_DETACH to immediately re-parent the child process to the invoking manager process. */ r = pidref_safe_fork("(sd-pidns-child)", FORK_NEW_PIDNS|FORK_DETACH, &pidref); if (r < 0) - return log_exec_debug_errno(c, p, r, "Failed to fork child into new pid namespace: %m"); + return log_debug_errno(r, "Failed to fork child into new pid namespace: %m"); if (r > 0) { errno_pipe[0] = safe_close(errno_pipe[0]); @@ -2550,11 +2530,11 @@ static int setup_private_pids(const ExecContext *c, ExecParameters *p) { * receive an errno even on success. */ n = read(errno_pipe[0], &r, sizeof(r)); if (n < 0) - return log_exec_debug_errno(c, p, errno, "Failed to read errno from pipe with parent process: %m"); + return log_debug_errno(errno, "Failed to read errno from pipe with parent process: %m"); if (n != sizeof(r)) - return log_exec_debug_errno(c, p, SYNTHETIC_ERRNO(EIO), "Failed to read enough bytes from pipe with parent process"); + return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to read enough bytes from pipe with parent process"); if (r < 0) - return log_exec_debug_errno(c, p, r, "Failed to send child pidref to manager: %m"); + return log_debug_errno(r, "Failed to send child pidref to manager: %m"); /* NOTE! This function returns in the child process only. */ return r; @@ -2681,13 +2661,13 @@ static int setup_exec_directory( if (r < 0) goto fail; - log_exec_notice(context, params, "Unit state directory %s missing but matching configuration directory %s exists, assuming update from systemd 253 or older, creating compatibility symlink.", p, q); + log_notice("Unit state directory %s missing but matching configuration directory %s exists, assuming update from systemd 253 or older, creating compatibility symlink.", p, q); continue; } else if (r != -ENOENT) - log_exec_warning_errno(context, params, r, "Unable to detect whether unit configuration directory '%s' exists, assuming not: %m", q); + log_warning_errno(r, "Unable to detect whether unit configuration directory '%s' exists, assuming not: %m", q); } else if (r < 0) - log_exec_warning_errno(context, params, r, "Unable to detect whether unit state directory '%s' is missing, assuming it is: %m", p); + log_warning_errno(r, "Unable to detect whether unit state directory '%s' is missing, assuming it is: %m", p); } if (exec_directory_is_private(context, type)) { @@ -2744,11 +2724,9 @@ static int setup_exec_directory( * it over. Most likely the service has been upgraded from one that didn't use * DynamicUser=1, to one that does. */ - log_exec_info(context, - params, - "Found pre-existing public %s= directory %s, migrating to %s.\n" - "Apparently, service previously had DynamicUser= turned off, and has now turned it on.", - exec_directory_type_to_string(type), p, pp); + log_info("Found pre-existing public %s= directory %s, migrating to %s.\n" + "Apparently, service previously had DynamicUser= turned off, and has now turned it on.", + exec_directory_type_to_string(type), p, pp); r = RET_NERRNO(rename(p, pp)); if (r < 0) @@ -2814,11 +2792,9 @@ static int setup_exec_directory( /* Hmm, apparently DynamicUser= was once turned on for this service, * but is no longer. Let's move the directory back up. */ - log_exec_info(context, - params, - "Found pre-existing private %s= directory %s, migrating to %s.\n" - "Apparently, service previously had DynamicUser= turned on, and has now turned it off.", - exec_directory_type_to_string(type), q, p); + log_info("Found pre-existing private %s= directory %s, migrating to %s.\n" + "Apparently, service previously had DynamicUser= turned on, and has now turned it off.", + exec_directory_type_to_string(type), q, p); r = RET_NERRNO(unlink(p)); if (r < 0) @@ -2848,12 +2824,10 @@ static int setup_exec_directory( /* Still complain if the access mode doesn't match */ if (((st.st_mode ^ context->directories[type].mode) & 07777) != 0) - log_exec_warning(context, - params, - "%s \'%s\' already exists but the mode is different. " - "(File system: %o %sMode: %o)", - exec_directory_type_to_string(type), i->path, - st.st_mode & 07777, exec_directory_type_to_string(type), context->directories[type].mode & 07777); + log_warning("%s \'%s\' already exists but the mode is different. " + "(File system: %o %sMode: %o)", + exec_directory_type_to_string(type), i->path, + st.st_mode & 07777, exec_directory_type_to_string(type), context->directories[type].mode & 07777); continue; } @@ -3370,7 +3344,7 @@ static int pick_versions( if (!result.path) { *reterr_path = strdup(context->root_image); - return log_exec_debug_errno(context, params, SYNTHETIC_ERRNO(ENOENT), "No matching entry in .v/ directory %s found.", context->root_image); + return log_debug_errno(SYNTHETIC_ERRNO(ENOENT), "No matching entry in .v/ directory %s found.", context->root_image); } *ret_root_image = TAKE_PTR(result.path); @@ -3394,7 +3368,7 @@ static int pick_versions( if (!result.path) { *reterr_path = strdup(context->root_directory); - return log_exec_debug_errno(context, params, SYNTHETIC_ERRNO(ENOENT), "No matching entry in .v/ directory %s found.", context->root_directory); + return log_debug_errno(SYNTHETIC_ERRNO(ENOENT), "No matching entry in .v/ directory %s found.", context->root_directory); } *ret_root_image = NULL; @@ -3499,9 +3473,7 @@ static int apply_mount_namespace( return r; if (context->mount_propagation_flag == MS_SHARED) - log_exec_debug(context, - params, - "shared mount propagation hidden by other fs namespacing unit settings: ignoring"); + log_debug("shared mount propagation hidden by other fs namespacing unit settings: ignoring"); r = exec_context_get_credential_directory(context, params, params->unit_id, &creds_path); if (r < 0) @@ -3641,19 +3613,17 @@ static int apply_mount_namespace( root_dir, root_image, bind_mounts, n_bind_mounts)) - return log_exec_debug_errno(context, - params, - SYNTHETIC_ERRNO(EOPNOTSUPP), - "Failed to set up namespace, and refusing to continue since " - "the selected namespacing options alter mount environment non-trivially.\n" - "Bind mounts: %zu, temporary filesystems: %zu, root directory: %s, root image: %s, dynamic user: %s", - n_bind_mounts, - context->n_temporary_filesystems, - yes_no(root_dir), - yes_no(root_image), - yes_no(context->dynamic_user)); - - log_exec_debug(context, params, "Failed to set up namespace, assuming containerized execution and ignoring."); + return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), + "Failed to set up namespace, and refusing to continue since " + "the selected namespacing options alter mount environment non-trivially.\n" + "Bind mounts: %zu, temporary filesystems: %zu, root directory: %s, root image: %s, dynamic user: %s", + n_bind_mounts, + context->n_temporary_filesystems, + yes_no(root_dir), + yes_no(root_image), + yes_no(context->dynamic_user)); + + log_debug("Failed to set up namespace, assuming containerized execution and ignoring."); return 0; } @@ -3759,18 +3729,12 @@ static int setup_keyring( if (gid_is_valid(gid) && gid != saved_gid) { if (setregid(gid, -1) < 0) - return log_exec_error_errno(context, - p, - errno, - "Failed to change GID for user keyring: %m"); + return log_error_errno(errno, "Failed to change GID for user keyring: %m"); } if (uid_is_valid(uid) && uid != saved_uid) { if (setreuid(uid, -1) < 0) { - r = log_exec_error_errno(context, - p, - errno, - "Failed to change UID for user keyring: %m"); + r = log_error_errno(errno, "Failed to change UID for user keyring: %m"); goto out; } } @@ -3778,25 +3742,13 @@ static int setup_keyring( keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0); if (keyring == -1) { if (errno == ENOSYS) - log_exec_debug_errno(context, - p, - errno, - "Kernel keyring not supported, ignoring."); + log_debug_errno(errno, "Kernel keyring not supported, ignoring."); else if (ERRNO_IS_PRIVILEGE(errno)) - log_exec_debug_errno(context, - p, - errno, - "Kernel keyring access prohibited, ignoring."); + log_debug_errno(errno, "Kernel keyring access prohibited, ignoring."); else if (errno == EDQUOT) - log_exec_debug_errno(context, - p, - errno, - "Out of kernel keyrings to allocate, ignoring."); + log_debug_errno(errno, "Out of kernel keyrings to allocate, ignoring."); else - r = log_exec_error_errno(context, - p, - errno, - "Setting up kernel keyring failed: %m"); + r = log_error_errno(errno, "Setting up kernel keyring failed: %m"); goto out; } @@ -3807,10 +3759,7 @@ static int setup_keyring( if (keyctl(KEYCTL_LINK, KEY_SPEC_USER_KEYRING, KEY_SPEC_SESSION_KEYRING, 0, 0) < 0) { - r = log_exec_error_errno(context, - p, - errno, - "Failed to link user keyring into session keyring: %m"); + r = log_error_errno(errno, "Failed to link user keyring into session keyring: %m"); goto out; } } @@ -3818,20 +3767,14 @@ static int setup_keyring( /* Restore uid/gid back */ if (uid_is_valid(uid) && uid != saved_uid) { if (setreuid(saved_uid, -1) < 0) { - r = log_exec_error_errno(context, - p, - errno, - "Failed to change UID back for user keyring: %m"); + r = log_error_errno(errno, "Failed to change UID back for user keyring: %m"); goto out; } } if (gid_is_valid(gid) && gid != saved_gid) { if (setregid(saved_gid, -1) < 0) - return log_exec_error_errno(context, - p, - errno, - "Failed to change GID back for user keyring: %m"); + return log_error_errno(errno, "Failed to change GID back for user keyring: %m"); } /* Populate they keyring with the invocation ID by default, as original saved_uid. */ @@ -3844,18 +3787,12 @@ static int setup_keyring( sizeof(p->invocation_id), KEY_SPEC_SESSION_KEYRING); if (key == -1) - log_exec_debug_errno(context, - p, - errno, - "Failed to add invocation ID to keyring, ignoring: %m"); + log_debug_errno(errno, "Failed to add invocation ID to keyring, ignoring: %m"); else { if (keyctl(KEYCTL_SETPERM, key, KEY_POS_VIEW|KEY_POS_READ|KEY_POS_SEARCH| KEY_USR_VIEW|KEY_USR_READ|KEY_USR_SEARCH, 0, 0) < 0) - r = log_exec_error_errno(context, - p, - errno, - "Failed to restrict invocation ID permission: %m"); + r = log_error_errno(errno, "Failed to restrict invocation ID permission: %m"); } } @@ -4081,7 +4018,7 @@ static int add_shifted_fd(int *fds, size_t fds_size, size_t *n_fds, int *fd) { return 1; } -static int connect_unix_harder(const ExecContext *c, const ExecParameters *p, const OpenFile *of, int ofd) { +static int connect_unix_harder(const OpenFile *of, int ofd) { static const int socket_types[] = { SOCK_DGRAM, SOCK_STREAM, SOCK_SEQPACKET }; union sockaddr_union addr = { @@ -4090,14 +4027,12 @@ static int connect_unix_harder(const ExecContext *c, const ExecParameters *p, co socklen_t sa_len; int r; - assert(c); - assert(p); assert(of); assert(ofd >= 0); r = sockaddr_un_set_path(&addr.un, FORMAT_PROC_FD_PATH(ofd)); if (r < 0) - return log_exec_debug_errno(c, p, r, "Failed to set sockaddr for '%s': %m", of->path); + return log_debug_errno(r, "Failed to set sockaddr for '%s': %m", of->path); sa_len = r; FOREACH_ELEMENT(i, socket_types) { @@ -4105,50 +4040,40 @@ static int connect_unix_harder(const ExecContext *c, const ExecParameters *p, co fd = socket(AF_UNIX, *i|SOCK_CLOEXEC, 0); if (fd < 0) - return log_exec_debug_errno(c, p, - errno, "Failed to create socket for '%s': %m", - of->path); + return log_debug_errno(errno, "Failed to create socket for '%s': %m", of->path); r = RET_NERRNO(connect(fd, &addr.sa, sa_len)); if (r >= 0) return TAKE_FD(fd); if (r != -EPROTOTYPE) - return log_exec_debug_errno(c, p, - r, "Failed to connect to socket for '%s': %m", - of->path); + return log_debug_errno(r, "Failed to connect to socket for '%s': %m", of->path); } - return log_exec_debug_errno(c, p, - SYNTHETIC_ERRNO(EPROTOTYPE), "No suitable socket type to connect to socket '%s'.", - of->path); + return log_debug_errno(SYNTHETIC_ERRNO(EPROTOTYPE), "No suitable socket type to connect to socket '%s'.", of->path); } -static int get_open_file_fd(const ExecContext *c, const ExecParameters *p, const OpenFile *of) { +static int get_open_file_fd(const OpenFile *of) { _cleanup_close_ int fd = -EBADF, ofd = -EBADF; struct stat st; - assert(c); - assert(p); assert(of); ofd = open(of->path, O_PATH | O_CLOEXEC); if (ofd < 0) - return log_exec_debug_errno(c, p, errno, "Failed to open '%s' as O_PATH: %m", of->path); + return log_debug_errno(errno, "Failed to open '%s' as O_PATH: %m", of->path); if (fstat(ofd, &st) < 0) - return log_exec_debug_errno(c, p, errno, "Failed to stat '%s': %m", of->path); + return log_debug_errno( errno, "Failed to stat '%s': %m", of->path); if (S_ISSOCK(st.st_mode)) { - fd = connect_unix_harder(c, p, of, ofd); + fd = connect_unix_harder(of, ofd); if (fd < 0) return fd; if (FLAGS_SET(of->flags, OPENFILE_READ_ONLY) && shutdown(fd, SHUT_WR) < 0) - return log_exec_debug_errno(c, p, - errno, "Failed to shutdown send for socket '%s': %m", - of->path); + return log_debug_errno(errno, "Failed to shutdown send for socket '%s': %m", of->path); - log_exec_debug(c, p, "Opened socket '%s' as fd %d.", of->path, fd); + log_debug("Opened socket '%s' as fd %d.", of->path, fd); } else { int flags = FLAGS_SET(of->flags, OPENFILE_READ_ONLY) ? O_RDONLY : O_RDWR; if (FLAGS_SET(of->flags, OPENFILE_APPEND)) @@ -4158,36 +4083,32 @@ static int get_open_file_fd(const ExecContext *c, const ExecParameters *p, const fd = fd_reopen(ofd, flags|O_NOCTTY|O_CLOEXEC); if (fd < 0) - return log_exec_debug_errno(c, p, fd, "Failed to reopen file '%s': %m", of->path); + return log_debug_errno(fd, "Failed to reopen file '%s': %m", of->path); - log_exec_debug(c, p, "Opened file '%s' as fd %d.", of->path, fd); + log_debug("Opened file '%s' as fd %d.", of->path, fd); } return TAKE_FD(fd); } -static int collect_open_file_fds(const ExecContext *c, ExecParameters *p, size_t *n_fds) { - assert(c); +static int collect_open_file_fds(ExecParameters *p, size_t *n_fds) { assert(p); assert(n_fds); LIST_FOREACH(open_files, of, p->open_files) { _cleanup_close_ int fd = -EBADF; - fd = get_open_file_fd(c, p, of); + fd = get_open_file_fd(of); if (fd < 0) { if (FLAGS_SET(of->flags, OPENFILE_GRACEFUL)) { - log_exec_full_errno(c, p, - fd == -ENOENT || ERRNO_IS_NEG_PRIVILEGE(fd) ? LOG_DEBUG : LOG_WARNING, - fd, - "Failed to get OpenFile= file descriptor for '%s', ignoring: %m", - of->path); + log_full_errno(fd == -ENOENT || ERRNO_IS_NEG_PRIVILEGE(fd) ? LOG_DEBUG : LOG_WARNING, + fd, + "Failed to get OpenFile= file descriptor for '%s', ignoring: %m", + of->path); continue; } - return log_exec_error_errno(c, p, fd, - "Failed to get OpenFile= file descriptor for '%s': %m", - of->path); + return log_error_errno(fd, "Failed to get OpenFile= file descriptor for '%s': %m", of->path); } if (!GREEDY_REALLOC(p->fds, *n_fds + 1)) @@ -4219,10 +4140,10 @@ static void log_command_line( _cleanup_free_ char *cmdline = quote_command_line(argv, SHELL_ESCAPE_EMPTY); - log_exec_struct(context, params, LOG_DEBUG, - LOG_ITEM("EXECUTABLE=%s", executable), - LOG_EXEC_MESSAGE(params, "%s: %s", msg, strnull(cmdline)), - LOG_EXEC_INVOCATION_ID(params)); + log_struct(LOG_DEBUG, + LOG_ITEM("EXECUTABLE=%s", executable), + LOG_EXEC_MESSAGE(params, "%s: %s", msg, strnull(cmdline)), + LOG_EXEC_INVOCATION_ID(params)); } static bool exec_context_needs_cap_sys_admin(const ExecContext *context) { @@ -4347,19 +4268,17 @@ static int setup_delegated_namespaces( if (namespace_type_supported(NAMESPACE_NET) && have_effective_cap(CAP_NET_ADMIN) > 0) { r = setup_shareable_ns(runtime->shared->netns_storage_socket, CLONE_NEWNET); if (ERRNO_IS_NEG_PRIVILEGE(r)) - log_exec_notice_errno(context, params, r, - "PrivateNetwork=yes is configured, but network namespace setup not permitted, proceeding without: %m"); + log_notice_errno(r, "PrivateNetwork=yes is configured, but network namespace setup not permitted, proceeding without: %m"); else if (r < 0) { *reterr_exit_status = EXIT_NETWORK; - return log_exec_error_errno(context, params, r, "Failed to set up network namespacing: %m"); + return log_error_errno(r, "Failed to set up network namespacing: %m"); } else - log_exec_debug(context, params, "Set up %snetwork namespace", delegate ? "delegated " : ""); + log_debug("Set up %snetwork namespace", delegate ? "delegated " : ""); } else if (context->network_namespace_path) { *reterr_exit_status = EXIT_NETWORK; - return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(EOPNOTSUPP), - "NetworkNamespacePath= is not supported, refusing."); + return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "NetworkNamespacePath= is not supported, refusing."); } else - log_exec_notice(context, params, "PrivateNetwork=yes is configured, but the kernel does not support or we lack privileges for network namespace, proceeding without."); + log_notice("PrivateNetwork=yes is configured, but the kernel does not support or we lack privileges for network namespace, proceeding without."); } if (exec_needs_ipc_namespace(context) && @@ -4369,29 +4288,27 @@ static int setup_delegated_namespaces( if (namespace_type_supported(NAMESPACE_IPC)) { r = setup_shareable_ns(runtime->shared->ipcns_storage_socket, CLONE_NEWIPC); if (ERRNO_IS_NEG_PRIVILEGE(r)) - log_exec_warning_errno(context, params, r, - "PrivateIPC=yes is configured, but IPC namespace setup failed, ignoring: %m"); + log_warning_errno(r, "PrivateIPC=yes is configured, but IPC namespace setup failed, ignoring: %m"); else if (r < 0) { *reterr_exit_status = EXIT_NAMESPACE; - return log_exec_error_errno(context, params, r, "Failed to set up IPC namespacing: %m"); + return log_error_errno(r, "Failed to set up IPC namespacing: %m"); } else - log_exec_debug(context, params, "Set up %sIPC namespace", delegate ? "delegated " : ""); + log_debug("Set up %sIPC namespace", delegate ? "delegated " : ""); } else if (context->ipc_namespace_path) { *reterr_exit_status = EXIT_NAMESPACE; - return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(EOPNOTSUPP), - "IPCNamespacePath= is not supported, refusing."); + return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "IPCNamespacePath= is not supported, refusing."); } else - log_exec_warning(context, params, "PrivateIPC=yes is configured, but the kernel does not support IPC namespaces, ignoring."); + log_warning("PrivateIPC=yes is configured, but the kernel does not support IPC namespaces, ignoring."); } if (needs_sandboxing && exec_needs_cgroup_namespace(context) && exec_namespace_is_delegated(context, params, have_cap_sys_admin, CLONE_NEWCGROUP) == delegate) { if (unshare(CLONE_NEWCGROUP) < 0) { *reterr_exit_status = EXIT_NAMESPACE; - return log_exec_error_errno(context, params, errno, "Failed to set up cgroup namespacing: %m"); + return log_error_errno(errno, "Failed to set up cgroup namespacing: %m"); } - log_exec_debug(context, params, "Set up %scgroup namespace", delegate ? "delegated " : ""); + log_debug("Set up %scgroup namespace", delegate ? "delegated " : ""); } /* Unshare a new PID namespace before setting up mounts to ensure /proc/ is mounted with only processes in PID namespace visible. @@ -4400,7 +4317,7 @@ static int setup_delegated_namespaces( exec_namespace_is_delegated(context, params, have_cap_sys_admin, CLONE_NEWPID) == delegate) { if (params->pidref_transport_fd < 0) { *reterr_exit_status = EXIT_NAMESPACE; - return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(ENOTCONN), "PidRef socket is not set up: %m"); + return log_error_errno(SYNTHETIC_ERRNO(ENOTCONN), "PidRef socket is not set up: %m"); } /* If we had CAP_SYS_ADMIN prior to joining the user namespace, then we are privileged and don't need @@ -4410,25 +4327,25 @@ static int setup_delegated_namespaces( * system without CAP_SYS_ADMIN, then we can have CAP_SYS_ADMIN in the current user namespace but not * once we unshare a mount namespace. */ if (!have_cap_sys_admin || delegate) { - r = can_mount_proc(context, params); + r = can_mount_proc(); if (r < 0) { *reterr_exit_status = EXIT_NAMESPACE; - return log_exec_error_errno(context, params, r, "Failed to detect if /proc/ can be remounted: %m"); + return log_error_errno(r, "Failed to detect if /proc/ can be remounted: %m"); } if (r == 0) { *reterr_exit_status = EXIT_NAMESPACE; - return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(EPERM), - "PrivatePIDs=yes is configured, but /proc/ cannot be re-mounted due to lack of privileges, refusing."); + return log_error_errno(SYNTHETIC_ERRNO(EPERM), + "PrivatePIDs=yes is configured, but /proc/ cannot be re-mounted due to lack of privileges, refusing."); } } r = setup_private_pids(context, params); if (r < 0) { *reterr_exit_status = EXIT_NAMESPACE; - return log_exec_error_errno(context, params, r, "Failed to set up pid namespace: %m"); + return log_error_errno(r, "Failed to set up pid namespace: %m"); } - log_exec_debug(context, params, "Set up %spid namespace", delegate ? "delegated " : ""); + log_debug("Set up %spid namespace", delegate ? "delegated " : ""); } /* If PrivatePIDs= yes is configured, we're now running as pid 1 in a pid namespace! */ @@ -4448,11 +4365,11 @@ static int setup_delegated_namespaces( gid); if (r < 0) { *reterr_exit_status = EXIT_NAMESPACE; - return log_exec_error_errno(context, params, r, "Failed to set up mount namespacing%s%s: %m", - error_path ? ": " : "", strempty(error_path)); + return log_error_errno(r, "Failed to set up mount namespacing%s%s: %m", + error_path ? ": " : "", strempty(error_path)); } - log_exec_debug(context, params, "Set up %smount namespace", delegate ? "delegated " : ""); + log_debug("Set up %smount namespace", delegate ? "delegated " : ""); } if (needs_sandboxing && @@ -4461,7 +4378,7 @@ static int setup_delegated_namespaces( if (r < 0) return r; if (r > 0) - log_exec_debug(context, params, "Set up %sUTS namespace", delegate ? "delegated " : ""); + log_debug("Set up %sUTS namespace", delegate ? "delegated " : ""); } return 0; @@ -4574,7 +4491,7 @@ static int exec_fd_mark_hot( if (write(p->exec_fd, &x, sizeof(x)) < 0) { if (reterr_exit_status) *reterr_exit_status = EXIT_EXEC; - return log_exec_error_errno(c, p, errno, "Failed to mark exec_fd as %s: %m", hot ? "hot" : "cold"); + return log_error_errno(errno, "Failed to mark exec_fd as %s: %m", hot ? "hot" : "cold"); } return 1; @@ -4597,7 +4514,7 @@ static int send_handoff_timestamp( if (write(p->handoff_timestamp_fd, (const usec_t[2]) { dt.realtime, dt.monotonic }, sizeof(usec_t) * 2) < 0) { if (reterr_exit_status) *reterr_exit_status = EXIT_EXEC; - return log_exec_error_errno(c, p, errno, "Failed to send handoff timestamp: %m"); + return log_error_errno(errno, "Failed to send handoff timestamp: %m"); } return 1; @@ -4632,7 +4549,7 @@ static void prepare_terminal( * exec_context_apply_tty_size() below might interfere */ lock_fd = lock_dev_console(); if (lock_fd < 0) - log_exec_debug_errno(context, p, lock_fd, "Failed to lock /dev/console, ignoring: %m"); + log_debug_errno(lock_fd, "Failed to lock /dev/console, ignoring: %m"); /* We explicitly control whether to send ansi sequences or not here, since we want to consult * the env vars explicitly configured in the ExecContext, rather than our own environment @@ -4700,34 +4617,23 @@ int exec_invoke( assert(cgroup_context); assert(exit_status); - /* This should be mostly redundant, as the log level is also passed as an argument of the executor, - * and is already applied earlier. Just for safety. */ - if (params->debug_invocation) - log_set_max_level(LOG_PRI(LOG_DEBUG)); - else if (context->log_level_max >= 0) - log_set_max_level(context->log_level_max); + LOG_CONTEXT_PUSH_EXEC(context, params); /* Explicitly test for CVE-2021-4034 inspired invocations */ if (!command->path || strv_isempty(command->argv)) { *exit_status = EXIT_EXEC; - return log_exec_error_errno( - context, - params, - SYNTHETIC_ERRNO(EINVAL), - "Invalid command line arguments."); + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid command line arguments."); } - LOG_CONTEXT_PUSH_EXEC(context, params); - if (context->std_input == EXEC_INPUT_SOCKET || context->std_output == EXEC_OUTPUT_SOCKET || context->std_error == EXEC_OUTPUT_SOCKET) { if (params->n_socket_fds > 1) - return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(EINVAL), "Got more than one socket."); + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Got more than one socket."); if (params->n_socket_fds == 0) - return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(EINVAL), "Got no socket."); + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Got no socket."); socket_fd = params->fds[0]; n_storage_fds = n_socket_fds = n_extra_fds = 0; @@ -4740,7 +4646,7 @@ int exec_invoke( r = exec_context_named_iofds(context, params, named_iofds); if (r < 0) - return log_exec_error_errno(context, params, r, "Failed to load a named file descriptor: %m"); + return log_error_errno(r, "Failed to load a named file descriptor: %m"); rename_process_from_path(command->path); @@ -4756,7 +4662,7 @@ int exec_invoke( r = reset_signal_mask(); if (r < 0) { *exit_status = EXIT_SIGNAL_MASK; - return log_exec_error_errno(context, params, r, "Failed to set process signal mask: %m"); + return log_error_errno(r, "Failed to set process signal mask: %m"); } if (params->idle_pipe) @@ -4774,10 +4680,10 @@ int exec_invoke( /* In case anything used libc syslog(), close this here, too */ closelog(); - r = collect_open_file_fds(context, params, &n_fds); + r = collect_open_file_fds(params, &n_fds); if (r < 0) { *exit_status = EXIT_FDS; - return log_exec_error_errno(context, params, r, "Failed to get OpenFile= file descriptors: %m"); + return log_error_errno(r, "Failed to get OpenFile= file descriptors: %m"); } int keep_fds[n_fds + 4]; @@ -4787,33 +4693,33 @@ int exec_invoke( r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, ¶ms->exec_fd); if (r < 0) { *exit_status = EXIT_FDS; - return log_exec_error_errno(context, params, r, "Failed to collect shifted fd: %m"); + return log_error_errno(r, "Failed to collect shifted fd: %m"); } r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, ¶ms->handoff_timestamp_fd); if (r < 0) { *exit_status = EXIT_FDS; - return log_exec_error_errno(context, params, r, "Failed to collect shifted fd: %m"); + return log_error_errno(r, "Failed to collect shifted fd: %m"); } #if HAVE_LIBBPF r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, ¶ms->bpf_restrict_fs_map_fd); if (r < 0) { *exit_status = EXIT_FDS; - return log_exec_error_errno(context, params, r, "Failed to collect shifted fd: %m"); + return log_error_errno(r, "Failed to collect shifted fd: %m"); } #endif r = close_remaining_fds(params, runtime, socket_fd, keep_fds, n_keep_fds); if (r < 0) { *exit_status = EXIT_FDS; - return log_exec_error_errno(context, params, r, "Failed to close unwanted file descriptors: %m"); + return log_error_errno(r, "Failed to close unwanted file descriptors: %m"); } if (!context->same_pgrp && setsid() < 0) { *exit_status = EXIT_SETSID; - return log_exec_error_errno(context, params, errno, "Failed to create new process session: %m"); + return log_error_errno(errno, "Failed to create new process session: %m"); } /* Now, reset the TTY associated to this service "destructively" (i.e. possibly even hang up or @@ -4842,8 +4748,7 @@ int exec_invoke( } *exit_status = EXIT_CONFIRM; - return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(ECANCELED), - "Execution cancelled by the user."); + return log_error_errno(SYNTHETIC_ERRNO(ECANCELED), "Execution cancelled by the user."); } } @@ -4855,7 +4760,7 @@ int exec_invoke( if (setenv("SYSTEMD_ACTIVATION_UNIT", params->unit_id, true) != 0 || setenv("SYSTEMD_ACTIVATION_SCOPE", runtime_scope_to_string(params->runtime_scope), true) != 0) { *exit_status = EXIT_MEMORY; - return log_exec_error_errno(context, params, errno, "Failed to update environment: %m"); + return log_error_errno(errno, "Failed to update environment: %m"); } if (context->dynamic_user && runtime->dynamic_creds) { @@ -4865,7 +4770,7 @@ int exec_invoke( * checks, if DynamicUser=1 is used, as we shouldn't create a feedback loop with ourselves here. */ if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) { *exit_status = EXIT_USER; - return log_exec_error_errno(context, params, errno, "Failed to update environment: %m"); + return log_error_errno(errno, "Failed to update environment: %m"); } r = compile_suggested_paths(context, params, &suggested_paths); @@ -4878,19 +4783,19 @@ int exec_invoke( if (r < 0) { *exit_status = EXIT_USER; if (r == -EILSEQ) - return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(EOPNOTSUPP), - "Failed to update dynamic user credentials: User or group with specified name already exists."); - return log_exec_error_errno(context, params, r, "Failed to update dynamic user credentials: %m"); + return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), + "Failed to update dynamic user credentials: User or group with specified name already exists."); + return log_error_errno(r, "Failed to update dynamic user credentials: %m"); } if (!uid_is_valid(uid)) { *exit_status = EXIT_USER; - return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(ESRCH), "UID validation failed for \""UID_FMT"\".", uid); + return log_error_errno(SYNTHETIC_ERRNO(ESRCH), "UID validation failed for \""UID_FMT"\".", uid); } if (!gid_is_valid(gid)) { *exit_status = EXIT_USER; - return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(ESRCH), "GID validation failed for \""GID_FMT"\".", gid); + return log_error_errno(SYNTHETIC_ERRNO(ESRCH), "GID validation failed for \""GID_FMT"\".", gid); } if (runtime->dynamic_creds->user) @@ -4906,7 +4811,7 @@ int exec_invoke( own_user = getusername_malloc(); if (!own_user) { *exit_status = EXIT_USER; - return log_exec_error_errno(context, params, r, "Failed to determine my own user ID: %m"); + return log_error_errno(r, "Failed to determine my own user ID: %m"); } u = own_user; } else @@ -4923,7 +4828,7 @@ int exec_invoke( &username, &uid, &gid, &pwent_home, &shell); if (r < 0) { *exit_status = EXIT_USER; - return log_exec_error_errno(context, params, r, "Failed to determine user credentials: %m"); + return log_error_errno(r, "Failed to determine user credentials: %m"); } } @@ -4931,7 +4836,7 @@ int exec_invoke( r = get_fixed_group(context->group, &groupname, &gid); if (r < 0) { *exit_status = EXIT_GROUP; - return log_exec_error_errno(context, params, r, "Failed to determine group credentials: %m"); + return log_error_errno(r, "Failed to determine group credentials: %m"); } } } @@ -4940,13 +4845,13 @@ int exec_invoke( ngids = get_supplementary_groups(context, username, gid, &gids); if (ngids < 0) { *exit_status = EXIT_GROUP; - return log_exec_error_errno(context, params, ngids, "Failed to determine supplementary groups: %m"); + return log_error_errno(ngids, "Failed to determine supplementary groups: %m"); } r = send_user_lookup(params->unit_id, params->user_lookup_fd, uid, gid); if (r < 0) { *exit_status = EXIT_USER; - return log_exec_error_errno(context, params, r, "Failed to send user credentials to PID1: %m"); + return log_error_errno(r, "Failed to send user credentials to PID1: %m"); } params->user_lookup_fd = safe_close(params->user_lookup_fd); @@ -4954,7 +4859,7 @@ int exec_invoke( r = acquire_home(context, &pwent_home, &home_buffer); if (r < 0) { *exit_status = EXIT_CHDIR; - return log_exec_error_errno(context, params, r, "Failed to determine $HOME for the invoking user: %m"); + return log_error_errno(r, "Failed to determine $HOME for the invoking user: %m"); } /* If a socket is connected to STDIN/STDOUT/STDERR, we must drop O_NONBLOCK */ @@ -4969,20 +4874,20 @@ int exec_invoke( r = exec_params_get_cgroup_path(params, cgroup_context, &p); if (r < 0) { *exit_status = EXIT_CGROUP; - return log_exec_error_errno(context, params, r, "Failed to acquire cgroup path: %m"); + return log_error_errno(r, "Failed to acquire cgroup path: %m"); } r = cg_attach(p, 0); if (r == -EUCLEAN) { *exit_status = EXIT_CGROUP; - return log_exec_error_errno(context, params, r, - "Failed to attach process to cgroup '%s', " - "because the cgroup or one of its parents or " - "siblings is in the threaded mode.", p); + return log_error_errno(r, + "Failed to attach process to cgroup '%s', " + "because the cgroup or one of its parents or " + "siblings is in the threaded mode.", p); } if (r < 0) { *exit_status = EXIT_CGROUP; - return log_exec_error_errno(context, params, r, "Failed to attach to cgroup %s: %m", p); + return log_error_errno(r, "Failed to attach to cgroup %s: %m", p); } } @@ -4990,7 +4895,7 @@ int exec_invoke( r = open_shareable_ns_path(runtime->shared->netns_storage_socket, context->network_namespace_path, CLONE_NEWNET); if (r < 0) { *exit_status = EXIT_NETWORK; - return log_exec_error_errno(context, params, r, "Failed to open network namespace path %s: %m", context->network_namespace_path); + return log_error_errno(r, "Failed to open network namespace path %s: %m", context->network_namespace_path); } } @@ -4998,33 +4903,33 @@ int exec_invoke( r = open_shareable_ns_path(runtime->shared->ipcns_storage_socket, context->ipc_namespace_path, CLONE_NEWIPC); if (r < 0) { *exit_status = EXIT_NAMESPACE; - return log_exec_error_errno(context, params, r, "Failed to open IPC namespace path %s: %m", context->ipc_namespace_path); + return log_error_errno(r, "Failed to open IPC namespace path %s: %m", context->ipc_namespace_path); } } r = setup_input(context, params, socket_fd, named_iofds); if (r < 0) { *exit_status = EXIT_STDIN; - return log_exec_error_errno(context, params, r, "Failed to set up standard input: %m"); + return log_error_errno(r, "Failed to set up standard input: %m"); } _cleanup_free_ char *fname = NULL; r = path_extract_filename(command->path, &fname); if (r < 0) { *exit_status = EXIT_STDOUT; - return log_exec_error_errno(context, params, r, "Failed to extract filename from path %s: %m", command->path); + return log_error_errno(r, "Failed to extract filename from path %s: %m", command->path); } r = setup_output(context, params, STDOUT_FILENO, socket_fd, named_iofds, fname, uid, gid, &journal_stream_dev, &journal_stream_ino); if (r < 0) { *exit_status = EXIT_STDOUT; - return log_exec_error_errno(context, params, r, "Failed to set up standard output: %m"); + return log_error_errno(r, "Failed to set up standard output: %m"); } r = setup_output(context, params, STDERR_FILENO, socket_fd, named_iofds, fname, uid, gid, &journal_stream_dev, &journal_stream_ino); if (r < 0) { *exit_status = EXIT_STDERR; - return log_exec_error_errno(context, params, r, "Failed to set up standard error output: %m"); + return log_error_errno(r, "Failed to set up standard error output: %m"); } /* Now that stdin/stdout are definiely opened, properly initialize it with our desired @@ -5038,21 +4943,20 @@ int exec_invoke( * namespaces prohibit write access to this file, and we shouldn't trip up over that. */ r = set_oom_score_adjust(context->oom_score_adjust); if (ERRNO_IS_NEG_PRIVILEGE(r)) - log_exec_debug_errno(context, params, r, - "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m"); + log_debug_errno(r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m"); else if (r < 0) { *exit_status = EXIT_OOM_ADJUST; - return log_exec_error_errno(context, params, r, "Failed to adjust OOM setting: %m"); + return log_error_errno(r, "Failed to adjust OOM setting: %m"); } } if (context->coredump_filter_set) { r = set_coredump_filter(context->coredump_filter); if (ERRNO_IS_NEG_PRIVILEGE(r)) - log_exec_debug_errno(context, params, r, "Failed to adjust coredump_filter, ignoring: %m"); + log_debug_errno(r, "Failed to adjust coredump_filter, ignoring: %m"); else if (r < 0) { *exit_status = EXIT_LIMITS; - return log_exec_error_errno(context, params, r, "Failed to adjust coredump_filter: %m"); + return log_error_errno(r, "Failed to adjust coredump_filter: %m"); } } @@ -5067,7 +4971,7 @@ int exec_invoke( r = sched_setattr(/* pid= */ 0, &attr, /* flags= */ 0); if (r < 0) { *exit_status = EXIT_SETSCHEDULER; - return log_exec_error_errno(context, params, errno, "Failed to set up CPU scheduling: %m"); + return log_error_errno(errno, "Failed to set up CPU scheduling: %m"); } } @@ -5082,7 +4986,7 @@ int exec_invoke( r = setpriority_closest(context->nice); if (r < 0) { *exit_status = EXIT_NICE; - return log_exec_error_errno(context, params, r, "Failed to set up process scheduling priority (nice level): %m"); + return log_error_errno(r, "Failed to set up process scheduling priority (nice level): %m"); } } @@ -5094,7 +4998,7 @@ int exec_invoke( r = exec_context_cpu_affinity_from_numa(context, &converted_cpu_set); if (r < 0) { *exit_status = EXIT_CPUAFFINITY; - return log_exec_error_errno(context, params, r, "Failed to derive CPU affinity mask from NUMA mask: %m"); + return log_error_errno(r, "Failed to derive CPU affinity mask from NUMA mask: %m"); } cpu_set = &converted_cpu_set; @@ -5103,50 +5007,47 @@ int exec_invoke( if (sched_setaffinity(0, cpu_set->allocated, cpu_set->set) < 0) { *exit_status = EXIT_CPUAFFINITY; - return log_exec_error_errno(context, params, errno, "Failed to set up CPU affinity: %m"); + return log_error_errno(errno, "Failed to set up CPU affinity: %m"); } } if (mpol_is_valid(numa_policy_get_type(&context->numa_policy))) { r = apply_numa_policy(&context->numa_policy); if (ERRNO_IS_NEG_NOT_SUPPORTED(r)) - log_exec_debug_errno(context, params, r, "NUMA support not available, ignoring."); + log_debug_errno(r, "NUMA support not available, ignoring."); else if (r < 0) { *exit_status = EXIT_NUMA_POLICY; - return log_exec_error_errno(context, params, r, "Failed to set NUMA memory policy: %m"); + return log_error_errno(r, "Failed to set NUMA memory policy: %m"); } } if (context->ioprio_set) if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) { *exit_status = EXIT_IOPRIO; - return log_exec_error_errno(context, params, errno, "Failed to set up IO scheduling priority: %m"); + return log_error_errno(errno, "Failed to set up IO scheduling priority: %m"); } if (context->timer_slack_nsec != NSEC_INFINITY) if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) { *exit_status = EXIT_TIMERSLACK; - return log_exec_error_errno(context, params, errno, "Failed to set up timer slack: %m"); + return log_error_errno(errno, "Failed to set up timer slack: %m"); } if (context->personality != PERSONALITY_INVALID) { r = safe_personality(context->personality); if (r < 0) { *exit_status = EXIT_PERSONALITY; - return log_exec_error_errno(context, params, r, "Failed to set up execution domain (personality): %m"); + return log_error_errno(r, "Failed to set up execution domain (personality): %m"); } } if (context->memory_ksm >= 0) if (prctl(PR_SET_MEMORY_MERGE, context->memory_ksm, 0, 0, 0) < 0) { if (ERRNO_IS_NOT_SUPPORTED(errno)) - log_exec_debug_errno(context, - params, - errno, - "KSM support not available, ignoring."); + log_debug_errno(errno, "KSM support not available, ignoring."); else { *exit_status = EXIT_KSM; - return log_exec_error_errno(context, params, errno, "Failed to set KSM: %m"); + return log_error_errno(errno, "Failed to set KSM: %m"); } } @@ -5178,7 +5079,7 @@ int exec_invoke( r = chown_terminal(STDIN_FILENO, uid); if (r < 0) { *exit_status = EXIT_STDIN; - return log_exec_error_errno(context, params, r, "Failed to change ownership of terminal: %m"); + return log_error_errno(r, "Failed to change ownership of terminal: %m"); } } @@ -5198,19 +5099,19 @@ int exec_invoke( r = cg_set_access(params->cgroup_path, uid, gid); if (r < 0) { *exit_status = EXIT_CGROUP; - return log_exec_error_errno(context, params, r, "Failed to adjust control group access: %m"); + return log_error_errno(r, "Failed to adjust control group access: %m"); } r = exec_params_get_cgroup_path(params, cgroup_context, &p); if (r < 0) { *exit_status = EXIT_CGROUP; - return log_exec_error_errno(context, params, r, "Failed to acquire cgroup path: %m"); + return log_error_errno(r, "Failed to acquire cgroup path: %m"); } if (r > 0) { r = cg_set_access_recursive(p, uid, gid); if (r < 0) { *exit_status = EXIT_CGROUP; - return log_exec_error_errno(context, params, r, "Failed to adjust control subgroup access: %m"); + return log_error_errno(r, "Failed to adjust control subgroup access: %m"); } } } @@ -5225,8 +5126,8 @@ int exec_invoke( r = chmod_and_chown(memory_pressure_path, 0644, uid, gid); if (r < 0) { - log_exec_full_errno(context, params, r == -ENOENT || ERRNO_IS_PRIVILEGE(r) ? LOG_DEBUG : LOG_WARNING, r, - "Failed to adjust ownership of '%s', ignoring: %m", memory_pressure_path); + log_full_errno(r == -ENOENT || ERRNO_IS_PRIVILEGE(r) ? LOG_DEBUG : LOG_WARNING, r, + "Failed to adjust ownership of '%s', ignoring: %m", memory_pressure_path); memory_pressure_path = mfree(memory_pressure_path); } /* First we use the current cgroup path to chmod and chown the memory pressure path, then pass the path relative @@ -5256,13 +5157,13 @@ int exec_invoke( for (ExecDirectoryType dt = 0; dt < _EXEC_DIRECTORY_TYPE_MAX; dt++) { r = setup_exec_directory(context, params, uid, gid, dt, needs_mount_namespace, exit_status); if (r < 0) - return log_exec_error_errno(context, params, r, "Failed to set up special execution directory in %s: %m", params->prefix[dt]); + return log_error_errno(r, "Failed to set up special execution directory in %s: %m", params->prefix[dt]); } r = exec_setup_credentials(context, params, params->unit_id, uid, gid); if (r < 0) { *exit_status = EXIT_CREDENTIALS; - return log_exec_error_errno(context, params, r, "Failed to set up credentials: %m"); + return log_error_errno(r, "Failed to set up credentials: %m"); } r = build_environment( @@ -5325,7 +5226,7 @@ int exec_invoke( r = setup_keyring(context, params, uid, gid); if (r < 0) { *exit_status = EXIT_KEYRING; - return log_exec_error_errno(context, params, r, "Failed to set up kernel keyring: %m"); + return log_error_errno(r, "Failed to set up kernel keyring: %m"); } /* We need setresuid() if the caller asked us to apply sandboxing and the command isn't explicitly @@ -5367,7 +5268,7 @@ int exec_invoke( r = setrlimit_closest_all((const struct rlimit* const *) context->rlimit, &which_failed); if (r < 0) { *exit_status = EXIT_LIMITS; - return log_exec_error_errno(context, params, r, "Failed to adjust resource limit RLIMIT_%s: %m", rlimit_to_string(which_failed)); + return log_error_errno(r, "Failed to adjust resource limit RLIMIT_%s: %m", rlimit_to_string(which_failed)); } } @@ -5379,7 +5280,7 @@ int exec_invoke( r = setup_pam(context, params, username, uid, gid, &accum_env, params->fds, n_fds, params->exec_fd); if (r < 0) { *exit_status = EXIT_PAM; - return log_exec_error_errno(context, params, r, "Failed to set up PAM session: %m"); + return log_error_errno(r, "Failed to set up PAM session: %m"); } /* PAM modules might have set some ambient caps. Query them here and merge them into @@ -5388,7 +5289,7 @@ int exec_invoke( r = capability_get_ambient(&ambient_after_pam); if (r < 0) { *exit_status = EXIT_CAPABILITIES; - return log_exec_error_errno(context, params, r, "Failed to query ambient caps: %m"); + return log_error_errno(r, "Failed to query ambient caps: %m"); } capability_ambient_set |= ambient_after_pam; @@ -5396,7 +5297,7 @@ int exec_invoke( ngids_after_pam = getgroups_alloc(&gids_after_pam); if (ngids_after_pam < 0) { *exit_status = EXIT_GROUP; - return log_exec_error_errno(context, params, ngids_after_pam, "Failed to obtain groups after setting up PAM: %m"); + return log_error_errno(ngids_after_pam, "Failed to obtain groups after setting up PAM: %m"); } } @@ -5415,10 +5316,10 @@ int exec_invoke( * the actual requested operations fail (or silently continue). */ if (r < 0 && context->private_users != PRIVATE_USERS_NO) { *exit_status = EXIT_USER; - return log_exec_error_errno(context, params, r, "Failed to set up user namespacing for unprivileged user: %m"); + return log_error_errno(r, "Failed to set up user namespacing for unprivileged user: %m"); } if (r < 0) - log_exec_info_errno(context, params, r, "Failed to set up user namespacing for unprivileged user, ignoring: %m"); + log_info_errno(r, "Failed to set up user namespacing for unprivileged user, ignoring: %m"); else { assert(r > 0); userns_set_up = true; @@ -5456,15 +5357,13 @@ int exec_invoke( &gids_to_enforce); if (ngids_to_enforce < 0) { *exit_status = EXIT_GROUP; - return log_exec_error_errno(context, params, - ngids_to_enforce, - "Failed to merge group lists. Group membership might be incorrect: %m"); + return log_error_errno(ngids_to_enforce, "Failed to merge group lists. Group membership might be incorrect: %m"); } r = enforce_groups(gid, gids_to_enforce, ngids_to_enforce); if (r < 0) { *exit_status = EXIT_GROUP; - return log_exec_error_errno(context, params, r, "Changing group credentials failed: %m"); + return log_error_errno(r, "Changing group credentials failed: %m"); } } @@ -5481,7 +5380,7 @@ int exec_invoke( /* allow_setgroups= */ pu == PRIVATE_USERS_FULL); if (r < 0) { *exit_status = EXIT_USER; - return log_exec_error_errno(context, params, r, "Failed to set up user namespacing: %m"); + return log_error_errno(r, "Failed to set up user namespacing: %m"); } if (r > 0) log_debug("Set up privileged user namespace"); @@ -5511,12 +5410,12 @@ int exec_invoke( r = find_executable_full(command->path, /* root= */ NULL, context->exec_search_path, false, &executable, &executable_fd); if (r < 0) { *exit_status = EXIT_EXEC; - log_exec_struct_errno(context, params, LOG_NOTICE, r, - LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED_STR), - LOG_EXEC_MESSAGE(params, - "Unable to locate executable '%s': %m", - command->path), - LOG_ITEM("EXECUTABLE=%s", command->path)); + log_struct_errno(LOG_NOTICE, r, + LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED_STR), + LOG_EXEC_MESSAGE(params, + "Unable to locate executable '%s': %m", + command->path), + LOG_ITEM("EXECUTABLE=%s", command->path)); /* If the error will be ignored by manager, tune down the log level here. Missing executable * is very much expected in this case. */ return r != -ENOMEM && FLAGS_SET(command->flags, EXEC_COMMAND_IGNORE_FAILURE) ? 1 : r; @@ -5525,7 +5424,7 @@ int exec_invoke( r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, &executable_fd); if (r < 0) { *exit_status = EXIT_FDS; - return log_exec_error_errno(context, params, r, "Failed to collect shifted fd: %m"); + return log_error_errno(r, "Failed to collect shifted fd: %m"); } #if HAVE_SELINUX @@ -5544,15 +5443,9 @@ int exec_invoke( if (r < 0) { if (!context->selinux_context_ignore) { *exit_status = EXIT_SELINUX_CONTEXT; - return log_exec_error_errno(context, - params, - r, - "Failed to determine SELinux context: %m"); + return log_error_errno(r, "Failed to determine SELinux context: %m"); } - log_exec_debug_errno(context, - params, - r, - "Failed to determine SELinux context, ignoring: %m"); + log_debug_errno(r, "Failed to determine SELinux context, ignoring: %m"); } } } @@ -5574,7 +5467,7 @@ int exec_invoke( r = flag_fds(params->fds, n_socket_fds, n_fds, context->non_blocking); if (r < 0) { *exit_status = EXIT_FDS; - return log_exec_error_errno(context, params, r, "Failed to adjust passed file descriptors: %m"); + return log_error_errno(r, "Failed to adjust passed file descriptors: %m"); } /* At this point, the fds we want to pass to the program are all ready and set up, with O_CLOEXEC turned off @@ -5593,7 +5486,7 @@ int exec_invoke( if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) { if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) { *exit_status = EXIT_LIMITS; - return log_exec_error_errno(context, params, errno, "Failed to adjust RLIMIT_RTPRIO resource limit: %m"); + return log_error_errno(errno, "Failed to adjust RLIMIT_RTPRIO resource limit: %m"); } } @@ -5604,7 +5497,7 @@ int exec_invoke( r = setup_smack(context, params, executable_fd); if (r < 0 && !context->smack_process_label_ignore) { *exit_status = EXIT_SMACK_PROCESS_LABEL; - return log_exec_error_errno(context, params, r, "Failed to set SMACK process label: %m"); + return log_error_errno(r, "Failed to set SMACK process label: %m"); } } #endif @@ -5622,7 +5515,7 @@ int exec_invoke( if (prctl(PR_SET_KEEPCAPS, 1) < 0) { *exit_status = EXIT_USER; - return log_exec_error_errno(context, params, errno, "Failed to enable keep capabilities flag: %m"); + return log_error_errno(errno, "Failed to enable keep capabilities flag: %m"); } /* Save the current bounding set so we can restore it after applying the seccomp @@ -5637,7 +5530,7 @@ int exec_invoke( r = capability_bounding_set_drop(bset, /* right_now= */ false); if (r < 0) { *exit_status = EXIT_CAPABILITIES; - return log_exec_error_errno(context, params, r, "Failed to drop capabilities: %m"); + return log_error_errno(r, "Failed to drop capabilities: %m"); } } @@ -5656,7 +5549,7 @@ int exec_invoke( r = capability_ambient_set_apply(capability_ambient_set, /* also_inherit= */ true); if (r < 0) { *exit_status = EXIT_CAPABILITIES; - return log_exec_error_errno(context, params, r, "Failed to apply ambient capabilities (before UID change): %m"); + return log_error_errno(r, "Failed to apply ambient capabilities (before UID change): %m"); } } } @@ -5664,14 +5557,14 @@ int exec_invoke( /* chroot to root directory first, before we lose the ability to chroot */ r = apply_root_directory(context, params, runtime, needs_mount_namespace, exit_status); if (r < 0) - return log_exec_error_errno(context, params, r, "Chrooting to the requested root directory failed: %m"); + return log_error_errno(r, "Chrooting to the requested root directory failed: %m"); if (needs_setuid) { if (uid_is_valid(uid)) { r = enforce_user(context, uid, capability_ambient_set); if (r < 0) { *exit_status = EXIT_USER; - return log_exec_error_errno(context, params, r, "Failed to change UID to " UID_FMT ": %m", uid); + return log_error_errno(r, "Failed to change UID to " UID_FMT ": %m", uid); } if (keep_seccomp_privileges) { @@ -5679,20 +5572,20 @@ int exec_invoke( r = drop_capability(CAP_SETUID); if (r < 0) { *exit_status = EXIT_USER; - return log_exec_error_errno(context, params, r, "Failed to drop CAP_SETUID: %m"); + return log_error_errno(r, "Failed to drop CAP_SETUID: %m"); } } r = keep_capability(CAP_SYS_ADMIN); if (r < 0) { *exit_status = EXIT_USER; - return log_exec_error_errno(context, params, r, "Failed to keep CAP_SYS_ADMIN: %m"); + return log_error_errno(r, "Failed to keep CAP_SYS_ADMIN: %m"); } r = keep_capability(CAP_SETPCAP); if (r < 0) { *exit_status = EXIT_USER; - return log_exec_error_errno(context, params, r, "Failed to keep CAP_SETPCAP: %m"); + return log_error_errno(r, "Failed to keep CAP_SETPCAP: %m"); } } @@ -5702,7 +5595,7 @@ int exec_invoke( r = capability_ambient_set_apply(capability_ambient_set, /* also_inherit= */ false); if (r < 0) { *exit_status = EXIT_CAPABILITIES; - return log_exec_error_errno(context, params, r, "Failed to apply ambient capabilities (after UID change): %m"); + return log_error_errno(r, "Failed to apply ambient capabilities (after UID change): %m"); } } } @@ -5715,7 +5608,7 @@ int exec_invoke( r = apply_working_directory(context, params, runtime, pwent_home, accum_env); if (r < 0) { *exit_status = EXIT_CHDIR; - return log_exec_error_errno(context, params, r, "Changing to the requested working directory failed: %m"); + return log_error_errno(r, "Changing to the requested working directory failed: %m"); } if (needs_sandboxing) { @@ -5733,13 +5626,9 @@ int exec_invoke( if (r < 0) { if (!context->selinux_context_ignore) { *exit_status = EXIT_SELINUX_CONTEXT; - return log_exec_error_errno(context, params, r, "Failed to change SELinux context to %s: %m", exec_context); + return log_error_errno(r, "Failed to change SELinux context to %s: %m", exec_context); } - log_exec_debug_errno(context, - params, - r, - "Failed to change SELinux context to %s, ignoring: %m", - exec_context); + log_debug_errno(r, "Failed to change SELinux context to %s, ignoring: %m", exec_context); } } } @@ -5750,11 +5639,8 @@ int exec_invoke( r = ASSERT_PTR(sym_aa_change_onexec)(context->apparmor_profile); if (r < 0 && !context->apparmor_profile_ignore) { *exit_status = EXIT_APPARMOR_PROFILE; - return log_exec_error_errno(context, - params, - errno, - "Failed to prepare AppArmor profile change to %s: %m", - context->apparmor_profile); + return log_error_errno(errno, "Failed to prepare AppArmor profile change to %s: %m", + context->apparmor_profile); } } #endif @@ -5777,97 +5663,97 @@ int exec_invoke( r = capability_gain_cap_setpcap(/* ret_before_caps = */ NULL); if (r < 0) { *exit_status = EXIT_CAPABILITIES; - return log_exec_error_errno(context, params, r, "Failed to gain CAP_SETPCAP for setting secure bits"); + return log_error_errno(r, "Failed to gain CAP_SETPCAP for setting secure bits"); } if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) { *exit_status = EXIT_SECUREBITS; - return log_exec_error_errno(context, params, errno, "Failed to set process secure bits: %m"); + return log_error_errno(errno, "Failed to set process secure bits: %m"); } } if (context_has_no_new_privileges(context)) if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { *exit_status = EXIT_NO_NEW_PRIVILEGES; - return log_exec_error_errno(context, params, errno, "Failed to disable new privileges: %m"); + return log_error_errno(errno, "Failed to disable new privileges: %m"); } #if HAVE_SECCOMP r = apply_address_families(context, params); if (r < 0) { *exit_status = EXIT_ADDRESS_FAMILIES; - return log_exec_error_errno(context, params, r, "Failed to restrict address families: %m"); + return log_error_errno(r, "Failed to restrict address families: %m"); } r = apply_memory_deny_write_execute(context, params); if (r < 0) { *exit_status = EXIT_SECCOMP; - return log_exec_error_errno(context, params, r, "Failed to disable writing to executable memory: %m"); + return log_error_errno(r, "Failed to disable writing to executable memory: %m"); } r = apply_restrict_realtime(context, params); if (r < 0) { *exit_status = EXIT_SECCOMP; - return log_exec_error_errno(context, params, r, "Failed to apply realtime restrictions: %m"); + return log_error_errno(r, "Failed to apply realtime restrictions: %m"); } r = apply_restrict_suid_sgid(context, params); if (r < 0) { *exit_status = EXIT_SECCOMP; - return log_exec_error_errno(context, params, r, "Failed to apply SUID/SGID restrictions: %m"); + return log_error_errno(r, "Failed to apply SUID/SGID restrictions: %m"); } r = apply_restrict_namespaces(context, params); if (r < 0) { *exit_status = EXIT_SECCOMP; - return log_exec_error_errno(context, params, r, "Failed to apply namespace restrictions: %m"); + return log_error_errno(r, "Failed to apply namespace restrictions: %m"); } r = apply_protect_sysctl(context, params); if (r < 0) { *exit_status = EXIT_SECCOMP; - return log_exec_error_errno(context, params, r, "Failed to apply sysctl restrictions: %m"); + return log_error_errno(r, "Failed to apply sysctl restrictions: %m"); } r = apply_protect_kernel_modules(context, params); if (r < 0) { *exit_status = EXIT_SECCOMP; - return log_exec_error_errno(context, params, r, "Failed to apply module loading restrictions: %m"); + return log_error_errno(r, "Failed to apply module loading restrictions: %m"); } r = apply_protect_kernel_logs(context, params); if (r < 0) { *exit_status = EXIT_SECCOMP; - return log_exec_error_errno(context, params, r, "Failed to apply kernel log restrictions: %m"); + return log_error_errno(r, "Failed to apply kernel log restrictions: %m"); } r = apply_protect_clock(context, params); if (r < 0) { *exit_status = EXIT_SECCOMP; - return log_exec_error_errno(context, params, r, "Failed to apply clock restrictions: %m"); + return log_error_errno(r, "Failed to apply clock restrictions: %m"); } r = apply_private_devices(context, params); if (r < 0) { *exit_status = EXIT_SECCOMP; - return log_exec_error_errno(context, params, r, "Failed to set up private devices: %m"); + return log_error_errno(r, "Failed to set up private devices: %m"); } r = apply_syscall_archs(context, params); if (r < 0) { *exit_status = EXIT_SECCOMP; - return log_exec_error_errno(context, params, r, "Failed to apply syscall architecture restrictions: %m"); + return log_error_errno(r, "Failed to apply syscall architecture restrictions: %m"); } r = apply_lock_personality(context, params); if (r < 0) { *exit_status = EXIT_SECCOMP; - return log_exec_error_errno(context, params, r, "Failed to lock personalities: %m"); + return log_error_errno(r, "Failed to lock personalities: %m"); } r = apply_syscall_log(context, params); if (r < 0) { *exit_status = EXIT_SECCOMP; - return log_exec_error_errno(context, params, r, "Failed to apply system call log filters: %m"); + return log_error_errno(r, "Failed to apply system call log filters: %m"); } #endif @@ -5875,7 +5761,7 @@ int exec_invoke( r = apply_restrict_filesystems(context, params); if (r < 0) { *exit_status = EXIT_BPF; - return log_exec_error_errno(context, params, r, "Failed to restrict filesystems: %m"); + return log_error_errno(r, "Failed to restrict filesystems: %m"); } #endif @@ -5885,7 +5771,7 @@ int exec_invoke( r = apply_syscall_filter(context, params); if (r < 0) { *exit_status = EXIT_SECCOMP; - return log_exec_error_errno(context, params, r, "Failed to apply system call filters: %m"); + return log_error_errno(r, "Failed to apply system call filters: %m"); } if (keep_seccomp_privileges) { @@ -5895,7 +5781,7 @@ int exec_invoke( r = capability_bounding_set_drop(saved_bset, /* right_now= */ false); if (r < 0) { *exit_status = EXIT_CAPABILITIES; - return log_exec_error_errno(context, params, r, "Failed to drop bset capabilities: %m"); + return log_error_errno(r, "Failed to drop bset capabilities: %m"); } } @@ -5905,7 +5791,7 @@ int exec_invoke( r = drop_capability(CAP_SYS_ADMIN); if (r < 0) { *exit_status = EXIT_USER; - return log_exec_error_errno(context, params, r, "Failed to drop CAP_SYS_ADMIN: %m"); + return log_error_errno(r, "Failed to drop CAP_SYS_ADMIN: %m"); } } @@ -5915,13 +5801,13 @@ int exec_invoke( r = drop_capability(CAP_SETPCAP); if (r < 0) { *exit_status = EXIT_USER; - return log_exec_error_errno(context, params, r, "Failed to drop CAP_SETPCAP: %m"); + return log_error_errno(r, "Failed to drop CAP_SETPCAP: %m"); } } if (prctl(PR_SET_KEEPCAPS, 0) < 0) { *exit_status = EXIT_USER; - return log_exec_error_errno(context, params, errno, "Failed to drop keep capabilities flag: %m"); + return log_error_errno(errno, "Failed to drop keep capabilities flag: %m"); } } #endif @@ -5946,27 +5832,18 @@ int exec_invoke( r = replace_env_argv(command->argv, accum_env, &replaced_argv, &unset_variables, &bad_variables); if (r < 0) { *exit_status = EXIT_MEMORY; - return log_exec_error_errno(context, - params, - r, - "Failed to replace environment variables: %m"); + return log_error_errno(r, "Failed to replace environment variables: %m"); } final_argv = replaced_argv; if (!strv_isempty(unset_variables)) { _cleanup_free_ char *ju = strv_join(unset_variables, ", "); - log_exec_warning(context, - params, - "Referenced but unset environment variable evaluates to an empty string: %s", - strna(ju)); + log_warning("Referenced but unset environment variable evaluates to an empty string: %s", strna(ju)); } if (!strv_isempty(bad_variables)) { _cleanup_free_ char *jb = strv_join(bad_variables, ", "); - log_exec_warning(context, - params, - "Invalid environment variable name evaluates to an empty string: %s", - strna(jb)); + log_warning("Invalid environment variable name evaluates to an empty string: %s", strna(jb)); } } else final_argv = command->argv; @@ -5998,5 +5875,5 @@ int exec_invoke( (void) exec_fd_mark_hot(context, params, /* hot= */ false, /* reterr_exit_status= */ NULL); *exit_status = EXIT_EXEC; - return log_exec_error_errno(context, params, r, "Failed to execute %s: %m", executable); + return log_error_errno(r, "Failed to execute %s: %m", executable); } diff --git a/src/core/execute.h b/src/core/execute.h index 9b449012b23..c8e78bee24c 100644 --- a/src/core/execute.h +++ b/src/core/execute.h @@ -14,6 +14,7 @@ #include "exec-util.h" #include "fdset.h" #include "list.h" +#include "log.h" #include "log-context.h" #include "namespace.h" #include "nsflags.h" @@ -640,6 +641,16 @@ bool exec_is_cgroup_mount_read_only(const ExecContext *context); const char* exec_get_private_notify_socket_path(const ExecContext *context, const ExecParameters *params, bool needs_sandboxing); +static inline int exec_log_level_max(const ExecContext *context, const ExecParameters *params) { + assert(context); + assert(params); + + if (params->debug_invocation) + return LOG_DEBUG; + + return context->log_level_max < 0 ? log_get_max_level() : context->log_level_max; +} + /* These logging macros do the same logging as those in unit.h, but using ExecContext and ExecParameters * instead of the unit object, so that it can be used in the sd-executor context (where the unit object is * not available). */ @@ -649,77 +660,19 @@ const char* exec_get_private_notify_socket_path(const ExecContext *context, cons #define LOG_EXEC_INVOCATION_ID_FIELD(ep) \ ((ep)->runtime_scope == RUNTIME_SCOPE_USER ? "USER_INVOCATION_ID=" : "INVOCATION_ID=") -#define log_exec_full_errno_zerook(ec, ep, level, error, ...) \ - ({ \ - const ExecContext *_c = (ec); \ - const ExecParameters *_p = (ep); \ - const int _l = (level); \ - bool _do_log = _p->debug_invocation || \ - _c->log_level_max < 0 || \ - _c->log_level_max >= LOG_PRI(_l); \ - LOG_CONTEXT_PUSH_IOV(_c->log_extra_fields, \ - _c->n_log_extra_fields); \ - !_do_log ? -ERRNO_VALUE(error) : \ - log_object_internal(_l, error, \ - PROJECT_FILE, __LINE__, __func__, \ - LOG_EXEC_ID_FIELD(_p), \ - _p->unit_id, \ - LOG_EXEC_INVOCATION_ID_FIELD(_p), \ - _p->invocation_id_string, \ - ##__VA_ARGS__); \ - }) - -#define log_exec_full_errno(ec, ep, level, error, ...) \ - ({ \ - int _error = (error); \ - ASSERT_NON_ZERO(_error); \ - log_exec_full_errno_zerook(ec, ep, level, _error, ##__VA_ARGS__); \ - }) - -#define log_exec_full(ec, ep, level, ...) (void) log_exec_full_errno_zerook(ec, ep, level, 0, __VA_ARGS__) - -#define log_exec_debug(ec, ep, ...) log_exec_full(ec, ep, LOG_DEBUG, __VA_ARGS__) -#define log_exec_info(ec, ep, ...) log_exec_full(ec, ep, LOG_INFO, __VA_ARGS__) -#define log_exec_notice(ec, ep, ...) log_exec_full(ec, ep, LOG_NOTICE, __VA_ARGS__) -#define log_exec_warning(ec, ep, ...) log_exec_full(ec, ep, LOG_WARNING, __VA_ARGS__) -#define log_exec_error(ec, ep, ...) log_exec_full(ec, ep, LOG_ERR, __VA_ARGS__) - -#define log_exec_debug_errno(ec, ep, error, ...) log_exec_full_errno(ec, ep, LOG_DEBUG, error, __VA_ARGS__) -#define log_exec_info_errno(ec, ep, error, ...) log_exec_full_errno(ec, ep, LOG_INFO, error, __VA_ARGS__) -#define log_exec_notice_errno(ec, ep, error, ...) log_exec_full_errno(ec, ep, LOG_NOTICE, error, __VA_ARGS__) -#define log_exec_warning_errno(ec, ep, error, ...) log_exec_full_errno(ec, ep, LOG_WARNING, error, __VA_ARGS__) -#define log_exec_error_errno(ec, ep, error, ...) log_exec_full_errno(ec, ep, LOG_ERR, error, __VA_ARGS__) - /* Like LOG_MESSAGE(), but with the unit name prefixed. */ #define LOG_EXEC_MESSAGE(ep, fmt, ...) LOG_MESSAGE("%s: " fmt, (ep)->unit_id, ##__VA_ARGS__) #define LOG_EXEC_ID(ep) LOG_ITEM("%s%s", LOG_EXEC_ID_FIELD(ep), (ep)->unit_id) #define LOG_EXEC_INVOCATION_ID(ep) LOG_ITEM("%s%s", LOG_EXEC_INVOCATION_ID_FIELD(ep), (ep)->invocation_id_string) -#define log_exec_struct_errno(ec, ep, level, error, ...) \ - ({ \ - const ExecContext *_c = (ec); \ - const ExecParameters *_p = (ep); \ - const int _l = (level); \ - bool _do_log = _p->debug_invocation || \ - _c->log_level_max < 0 || \ - _c->log_level_max >= LOG_PRI(_l); \ - LOG_CONTEXT_PUSH_IOV(_c->log_extra_fields, \ - _c->n_log_extra_fields); \ - !_do_log ? -ERRNO_VALUE(error) : \ - log_struct_errno(_l, error, \ - LOG_EXEC_ID(_p), \ - LOG_EXEC_INVOCATION_ID(_p), \ - __VA_ARGS__); \ - }) - -#define log_exec_struct(ec, ep, level, ...) log_exec_struct_errno(ec, ep, level, 0, __VA_ARGS__) - #define _LOG_CONTEXT_PUSH_EXEC(ec, ep, p, c) \ const ExecContext *c = (ec); \ const ExecParameters *p = (ep); \ LOG_CONTEXT_PUSH_KEY_VALUE(LOG_EXEC_ID_FIELD(p), p->unit_id); \ LOG_CONTEXT_PUSH_KEY_VALUE(LOG_EXEC_INVOCATION_ID_FIELD(p), p->invocation_id_string); \ - LOG_CONTEXT_PUSH_IOV(c->log_extra_fields, c->n_log_extra_fields) + LOG_CONTEXT_PUSH_IOV(c->log_extra_fields, c->n_log_extra_fields) \ + LOG_CONTEXT_SET_LOG_LEVEL(exec_log_level_max(c, p)) \ + LOG_SET_PREFIX(p->unit_id); #define LOG_CONTEXT_PUSH_EXEC(ec, ep) \ _LOG_CONTEXT_PUSH_EXEC(ec, ep, UNIQ_T(p, UNIQ), UNIQ_T(c, UNIQ)) diff --git a/src/core/executor.c b/src/core/executor.c index daee9ea955a..823466595ea 100644 --- a/src/core/executor.c +++ b/src/core/executor.c @@ -240,6 +240,8 @@ static int run(int argc, char *argv[]) { if (r < 0) return log_error_errno(r, "Failed to deserialize: %m"); + LOG_CONTEXT_PUSH_EXEC(&context, ¶ms); + arg_serialization = safe_fclose(arg_serialization); fdset = fdset_free(fdset); @@ -253,11 +255,11 @@ static int run(int argc, char *argv[]) { const char *status = ASSERT_PTR( exit_status_to_string(exit_status, EXIT_STATUS_LIBC | EXIT_STATUS_SYSTEMD)); - log_exec_struct_errno(&context, ¶ms, LOG_ERR, r, - LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED_STR), - LOG_EXEC_MESSAGE(¶ms, "Failed at step %s spawning %s: %m", - status, command.path), - LOG_ITEM("EXECUTABLE=%s", command.path)); + log_struct_errno(LOG_ERR, r, + LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED_STR), + LOG_EXEC_MESSAGE(¶ms, "Failed at step %s spawning %s: %m", + status, command.path), + LOG_ITEM("EXECUTABLE=%s", command.path)); } else /* r == 0: 'skip' is chosen in the confirm spawn prompt * r > 0: expected/ignored failure, do not log at error level */