]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/core/execute.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
core: add RemoveIPC= setting
[thirdparty/systemd.git] / src / core / execute.c
CommitLineData
a7334b09
LP		 1/***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
5430f7f2
LP		 7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
a7334b09
LP		 9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2 14 Lesser General Public License for more details.
a7334b09 15
5430f7f2 16 You should have received a copy of the GNU Lesser General Public License
a7334b09
LP		 17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18***/
19
034c6ed7
LP		 20#include <errno.h>
21#include <fcntl.h>
8dd4c05b
LP		 22#include <glob.h>
23#include <grp.h>
24#include <poll.h>
309bff19 25#include <signal.h>
8dd4c05b 26#include <string.h>
19c0b0b9 27#include <sys/capability.h>
d251207d 28#include <sys/eventfd.h>
f3e43635 29#include <sys/mman.h>
8dd4c05b 30#include <sys/personality.h>
94f04347 31#include <sys/prctl.h>
8dd4c05b 32#include <sys/socket.h>
451a074f 33#include <sys/stat.h>
8dd4c05b
LP		 34#include <sys/un.h>
35#include <unistd.h>
023a4f67 36#include <utmpx.h>
5cb5a6ff 37
5b6319dc
LP		 38#ifdef HAVE_PAM
39#include <security/pam_appl.h>
40#endif
41
7b52a628
MS		 42#ifdef HAVE_SELINUX
43#include <selinux/selinux.h>
44#endif
45
17df7223
LP		 46#ifdef HAVE_SECCOMP
47#include <seccomp.h>
48#endif
49
eef65bf3
MS		 50#ifdef HAVE_APPARMOR
51#include <sys/apparmor.h>
52#endif
53
24882e06 54#include "sd-messages.h"
8dd4c05b
LP		 55
56#include "af-list.h"
b5efdb8a 57#include "alloc-util.h"
3ffd4af2
LP		 58#ifdef HAVE_APPARMOR
59#include "apparmor-util.h"
60#endif
8dd4c05b
LP		 61#include "async.h"
62#include "barrier.h"
8dd4c05b 63#include "cap-list.h"
430f0182 64#include "capability-util.h"
f6a6225e 65#include "def.h"
4d1a6904 66#include "env-util.h"
17df7223 67#include "errno-list.h"
3ffd4af2 68#include "execute.h"
8dd4c05b 69#include "exit-status.h"
3ffd4af2 70#include "fd-util.h"
8dd4c05b 71#include "fileio.h"
6482f626 72#include "formats-util.h"
f4f15635 73#include "fs-util.h"
7d50b32a 74#include "glob-util.h"
c004493c 75#include "io-util.h"
8dd4c05b
LP		 76#include "ioprio.h"
77#include "log.h"
78#include "macro.h"
79#include "missing.h"
80#include "mkdir.h"
81#include "namespace.h"
6bedfcbb 82#include "parse-util.h"
8dd4c05b 83#include "path-util.h"
0b452006 84#include "process-util.h"
78f22b97 85#include "rlimit-util.h"
8dd4c05b 86#include "rm-rf.h"
3ffd4af2
LP		 87#ifdef HAVE_SECCOMP
88#include "seccomp-util.h"
89#endif
8dd4c05b
LP		 90#include "securebits.h"
91#include "selinux-util.h"
24882e06 92#include "signal-util.h"
8dd4c05b 93#include "smack-util.h"
8b43440b 94#include "string-table.h"
07630cea 95#include "string-util.h"
8dd4c05b 96#include "strv.h"
7ccbd1ae 97#include "syslog-util.h"
8dd4c05b
LP		 98#include "terminal-util.h"
99#include "unit.h"
b1d4f8e1 100#include "user-util.h"
8dd4c05b
LP		 101#include "util.h"
102#include "utmp-wtmp.h"
5cb5a6ff 103
e056b01d 104#define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
31a7eb86 105#define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
e6a26745 106
02a51aba
LP		 107/* This assumes there is a 'tty' group */
108#define TTY_MODE 0620
109
531dca78
LP		 110#define SNDBUF_SIZE (8*1024*1024)
111
034c6ed7
LP		 112static int shift_fds(int fds[], unsigned n_fds) {
113 int start, restart_from;
114
115 if (n_fds <= 0)
116 return 0;
117
a0d40ac5
LP		 118 /* Modifies the fds array! (sorts it) */
119
034c6ed7
LP		 120 assert(fds);
121
122 start = 0;
123 for (;;) {
124 int i;
125
126 restart_from = -1;
127
128 for (i = start; i < (int) n_fds; i++) {
129 int nfd;
130
131 /* Already at right index? */
132 if (fds[i] == i+3)
133 continue;
134
3cc2aff1
LP		 135 nfd = fcntl(fds[i], F_DUPFD, i + 3);
136 if (nfd < 0)
034c6ed7
LP		 137 return -errno;
138
03e334a1 139 safe_close(fds[i]);
034c6ed7
LP		 140 fds[i] = nfd;
141
142 /* Hmm, the fd we wanted isn't free? Then
ee33e53a 143 * let's remember that and try again from here */
034c6ed7
LP		 144 if (nfd != i+3 && restart_from < 0)
145 restart_from = i;
146 }
147
148 if (restart_from < 0)
149 break;
150
151 start = restart_from;
152 }
153
154 return 0;
155}
156
c2748801 157static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
47a71eed 158 unsigned i;
e2c76839 159 int r;
47a71eed
LP		 160
161 if (n_fds <= 0)
162 return 0;
163
164 assert(fds);
165
451a074f 166 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
47a71eed
LP		 167
168 for (i = 0; i < n_fds; i++) {
47a71eed 169
3cc2aff1
LP		 170 r = fd_nonblock(fds[i], nonblock);
171 if (r < 0)
e2c76839 172 return r;
47a71eed 173
451a074f
LP		 174 /* We unconditionally drop FD_CLOEXEC from the fds,
175 * since after all we want to pass these fds to our
176 * children */
47a71eed 177
3cc2aff1
LP		 178 r = fd_cloexec(fds[i], false);
179 if (r < 0)
e2c76839 180 return r;
47a71eed
LP		 181 }
182
183 return 0;
184}
185
1e22b5cd 186static const char *exec_context_tty_path(const ExecContext *context) {
80876c20
LP		 187 assert(context);
188
1e22b5cd
LP		 189 if (context->stdio_as_fds)
190 return NULL;
191
80876c20
LP		 192 if (context->tty_path)
193 return context->tty_path;
194
195 return "/dev/console";
196}
197
1e22b5cd
LP		 198static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
199 const char *path;
200
6ea832a2
LP		 201 assert(context);
202
1e22b5cd 203 path = exec_context_tty_path(context);
6ea832a2 204
1e22b5cd
LP		 205 if (context->tty_vhangup) {
206 if (p && p->stdin_fd >= 0)
207 (void) terminal_vhangup_fd(p->stdin_fd);
208 else if (path)
209 (void) terminal_vhangup(path);
210 }
6ea832a2 211
1e22b5cd
LP		 212 if (context->tty_reset) {
213 if (p && p->stdin_fd >= 0)
214 (void) reset_terminal_fd(p->stdin_fd, true);
215 else if (path)
216 (void) reset_terminal(path);
217 }
218
219 if (context->tty_vt_disallocate && path)
220 (void) vt_disallocate(path);
6ea832a2
LP		 221}
222
6af760f3
LP		 223static bool is_terminal_input(ExecInput i) {
224 return IN_SET(i,
225 EXEC_INPUT_TTY,
226 EXEC_INPUT_TTY_FORCE,
227 EXEC_INPUT_TTY_FAIL);
228}
229
3a1286b6 230static bool is_terminal_output(ExecOutput o) {
6af760f3
LP		 231 return IN_SET(o,
232 EXEC_OUTPUT_TTY,
233 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
234 EXEC_OUTPUT_KMSG_AND_CONSOLE,
235 EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
236}
237
238static bool exec_context_needs_term(const ExecContext *c) {
239 assert(c);
240
241 /* Return true if the execution context suggests we should set $TERM to something useful. */
242
243 if (is_terminal_input(c->std_input))
244 return true;
245
246 if (is_terminal_output(c->std_output))
247 return true;
248
249 if (is_terminal_output(c->std_error))
250 return true;
251
252 return !!c->tty_path;
3a1286b6
MS		 253}
254
80876c20
LP		 255static int open_null_as(int flags, int nfd) {
256 int fd, r;
071830ff 257
80876c20 258 assert(nfd >= 0);
071830ff 259
613b411c
LP		 260 fd = open("/dev/null", flags|O_NOCTTY);
261 if (fd < 0)
071830ff
LP		 262 return -errno;
263
80876c20
LP		 264 if (fd != nfd) {
265 r = dup2(fd, nfd) < 0 ? -errno : nfd;
03e334a1 266 safe_close(fd);
80876c20
LP		 267 } else
268 r = nfd;
071830ff 269
80876c20 270 return r;
071830ff
LP		 271}
272
524daa8c 273static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
b92bea5d
ZJS		 274 union sockaddr_union sa = {
275 .un.sun_family = AF_UNIX,
276 .un.sun_path = "/run/systemd/journal/stdout",
277 };
524daa8c
ZJS		 278 uid_t olduid = UID_INVALID;
279 gid_t oldgid = GID_INVALID;
280 int r;
281
282 if (gid != GID_INVALID) {
283 oldgid = getgid();
284
285 r = setegid(gid);
286 if (r < 0)
287 return -errno;
288 }
289
290 if (uid != UID_INVALID) {
291 olduid = getuid();
292
293 r = seteuid(uid);
294 if (r < 0) {
295 r = -errno;
296 goto restore_gid;
297 }
298 }
299
fc2fffe7 300 r = connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
524daa8c
ZJS		 301 if (r < 0)
302 r = -errno;
303
304 /* If we fail to restore the uid or gid, things will likely
305 fail later on. This should only happen if an LSM interferes. */
306
307 if (uid != UID_INVALID)
308 (void) seteuid(olduid);
309
310 restore_gid:
311 if (gid != GID_INVALID)
312 (void) setegid(oldgid);
313
314 return r;
315}
316
fd1f9c89 317static int connect_logger_as(
7a1ab780 318 Unit *unit,
fd1f9c89
LP		 319 const ExecContext *context,
320 ExecOutput output,
321 const char *ident,
fd1f9c89
LP		 322 int nfd,
323 uid_t uid,
324 gid_t gid) {
325
524daa8c 326 int fd, r;
071830ff
LP		 327
328 assert(context);
80876c20
LP		 329 assert(output < _EXEC_OUTPUT_MAX);
330 assert(ident);
331 assert(nfd >= 0);
071830ff 332
54fe0cdb
LP		 333 fd = socket(AF_UNIX, SOCK_STREAM, 0);
334 if (fd < 0)
80876c20 335 return -errno;
071830ff 336
524daa8c
ZJS		 337 r = connect_journal_socket(fd, uid, gid);
338 if (r < 0)
339 return r;
071830ff 340
80876c20 341 if (shutdown(fd, SHUT_RD) < 0) {
03e334a1 342 safe_close(fd);
80876c20
LP		 343 return -errno;
344 }
071830ff 345
fd1f9c89 346 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
531dca78 347
80876c20 348 dprintf(fd,
62bca2c6 349 "%s\n"
80876c20
LP		 350 "%s\n"
351 "%i\n"
54fe0cdb
LP		 352 "%i\n"
353 "%i\n"
354 "%i\n"
4f4a1dbf 355 "%i\n",
4f4a1dbf 356 context->syslog_identifier ? context->syslog_identifier : ident,
7a1ab780 357 unit->id,
54fe0cdb
LP		 358 context->syslog_priority,
359 !!context->syslog_level_prefix,
360 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
361 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
3a1286b6 362 is_terminal_output(output));
80876c20 363
fd1f9c89
LP		 364 if (fd == nfd)
365 return nfd;
366
367 r = dup2(fd, nfd) < 0 ? -errno : nfd;
368 safe_close(fd);
071830ff 369
80876c20
LP		 370 return r;
371}
372static int open_terminal_as(const char *path, mode_t mode, int nfd) {
373 int fd, r;
071830ff 374
80876c20
LP		 375 assert(path);
376 assert(nfd >= 0);
071830ff 377
3cc2aff1
LP		 378 fd = open_terminal(path, mode | O_NOCTTY);
379 if (fd < 0)
80876c20 380 return fd;
071830ff 381
80876c20
LP		 382 if (fd != nfd) {
383 r = dup2(fd, nfd) < 0 ? -errno : nfd;
03e334a1 384 safe_close(fd);
80876c20
LP		 385 } else
386 r = nfd;
071830ff 387
80876c20
LP		 388 return r;
389}
071830ff 390
1e3ad081
LP		 391static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
392
393 if (is_terminal_input(std_input) && !apply_tty_stdin)
394 return EXEC_INPUT_NULL;
071830ff 395
03fd9c49 396 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 397 return EXEC_INPUT_NULL;
398
03fd9c49 399 return std_input;
4f2d528d
LP		 400}
401
03fd9c49 402static int fixup_output(ExecOutput std_output, int socket_fd) {
4f2d528d 403
03fd9c49 404 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 405 return EXEC_OUTPUT_INHERIT;
406
03fd9c49 407 return std_output;
4f2d528d
LP		 408}
409
a34ceba6
LP		 410static int setup_input(
411 const ExecContext *context,
412 const ExecParameters *params,
413 int socket_fd) {
414
4f2d528d
LP		 415 ExecInput i;
416
417 assert(context);
a34ceba6
LP		 418 assert(params);
419
420 if (params->stdin_fd >= 0) {
421 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
422 return -errno;
423
424 /* Try to make this the controlling tty, if it is a tty, and reset it */
425 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
426 (void) reset_terminal_fd(STDIN_FILENO, true);
427
428 return STDIN_FILENO;
429 }
4f2d528d 430
c39f1ce2 431 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
4f2d528d
LP		 432
433 switch (i) {
071830ff 434
80876c20
LP		 435 case EXEC_INPUT_NULL:
436 return open_null_as(O_RDONLY, STDIN_FILENO);
437
438 case EXEC_INPUT_TTY:
439 case EXEC_INPUT_TTY_FORCE:
440 case EXEC_INPUT_TTY_FAIL: {
441 int fd, r;
071830ff 442
1e22b5cd 443 fd = acquire_terminal(exec_context_tty_path(context),
970edce6
ZJS		 444 i == EXEC_INPUT_TTY_FAIL,
445 i == EXEC_INPUT_TTY_FORCE,
446 false,
3a43da28 447 USEC_INFINITY);
970edce6 448 if (fd < 0)
80876c20
LP		 449 return fd;
450
451 if (fd != STDIN_FILENO) {
452 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
03e334a1 453 safe_close(fd);
80876c20
LP		 454 } else
455 r = STDIN_FILENO;
456
457 return r;
458 }
459
4f2d528d
LP		 460 case EXEC_INPUT_SOCKET:
461 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
462
80876c20
LP		 463 default:
464 assert_not_reached("Unknown input type");
465 }
466}
467
a34ceba6
LP		 468static int setup_output(
469 Unit *unit,
470 const ExecContext *context,
471 const ExecParameters *params,
472 int fileno,
473 int socket_fd,
474 const char *ident,
7bce046b
LP		 475 uid_t uid,
476 gid_t gid,
477 dev_t *journal_stream_dev,
478 ino_t *journal_stream_ino) {
a34ceba6 479
4f2d528d
LP		 480 ExecOutput o;
481 ExecInput i;
47c1d80d 482 int r;
4f2d528d 483
f2341e0a 484 assert(unit);
80876c20 485 assert(context);
a34ceba6 486 assert(params);
80876c20 487 assert(ident);
7bce046b
LP		 488 assert(journal_stream_dev);
489 assert(journal_stream_ino);
80876c20 490
a34ceba6
LP		 491 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
492
493 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
494 return -errno;
495
496 return STDOUT_FILENO;
497 }
498
499 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
500 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
501 return -errno;
502
503 return STDERR_FILENO;
504 }
505
c39f1ce2 506 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
03fd9c49 507 o = fixup_output(context->std_output, socket_fd);
4f2d528d 508
eb17e935
MS		 509 if (fileno == STDERR_FILENO) {
510 ExecOutput e;
511 e = fixup_output(context->std_error, socket_fd);
80876c20 512
eb17e935
MS		 513 /* This expects the input and output are already set up */
514
515 /* Don't change the stderr file descriptor if we inherit all
516 * the way and are not on a tty */
517 if (e == EXEC_OUTPUT_INHERIT &&
518 o == EXEC_OUTPUT_INHERIT &&
519 i == EXEC_INPUT_NULL &&
520 !is_terminal_input(context->std_input) &&
521 getppid () != 1)
522 return fileno;
523
524 /* Duplicate from stdout if possible */
525 if (e == o || e == EXEC_OUTPUT_INHERIT)
526 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 527
eb17e935 528 o = e;
80876c20 529
eb17e935 530 } else if (o == EXEC_OUTPUT_INHERIT) {
21d21ea4
LP		 531 /* If input got downgraded, inherit the original value */
532 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
1e22b5cd 533 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
21d21ea4 534
acb591e4 535 /* If the input is connected to anything that's not a /dev/null, inherit that... */
ff876e28 536 if (i != EXEC_INPUT_NULL)
eb17e935 537 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 538
acb591e4
LP		 539 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
540 if (getppid() != 1)
eb17e935 541 return fileno;
94f04347 542
eb17e935
MS		 543 /* We need to open /dev/null here anew, to get the right access mode. */
544 return open_null_as(O_WRONLY, fileno);
071830ff 545 }
94f04347 546
eb17e935 547 switch (o) {
80876c20
LP		 548
549 case EXEC_OUTPUT_NULL:
eb17e935 550 return open_null_as(O_WRONLY, fileno);
80876c20
LP		 551
552 case EXEC_OUTPUT_TTY:
4f2d528d 553 if (is_terminal_input(i))
eb17e935 554 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
80876c20
LP		 555
556 /* We don't reset the terminal if this is just about output */
1e22b5cd 557 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
80876c20
LP		 558
559 case EXEC_OUTPUT_SYSLOG:
28dbc1e8 560 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
9a6bca7a 561 case EXEC_OUTPUT_KMSG:
28dbc1e8 562 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
706343f4
LP		 563 case EXEC_OUTPUT_JOURNAL:
564 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
7a1ab780 565 r = connect_logger_as(unit, context, o, ident, fileno, uid, gid);
47c1d80d 566 if (r < 0) {
f2341e0a 567 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
eb17e935 568 r = open_null_as(O_WRONLY, fileno);
7bce046b
LP		 569 } else {
570 struct stat st;
571
572 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
573 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
574 * services to detect whether they are connected to the journal or not. */
575
576 if (fstat(fileno, &st) >= 0) {
577 *journal_stream_dev = st.st_dev;
578 *journal_stream_ino = st.st_ino;
579 }
47c1d80d
MS		 580 }
581 return r;
4f2d528d
LP		 582
583 case EXEC_OUTPUT_SOCKET:
584 assert(socket_fd >= 0);
eb17e935 585 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
94f04347
LP		 586
587 default:
80876c20 588 assert_not_reached("Unknown error type");
94f04347 589 }
071830ff
LP		 590}
591
02a51aba
LP		 592static int chown_terminal(int fd, uid_t uid) {
593 struct stat st;
594
595 assert(fd >= 0);
02a51aba 596
1ff74fb6
LP		 597 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
598 if (isatty(fd) < 1)
599 return 0;
600
02a51aba 601 /* This might fail. What matters are the results. */
bab45044
LP		 602 (void) fchown(fd, uid, -1);
603 (void) fchmod(fd, TTY_MODE);
02a51aba
LP		 604
605 if (fstat(fd, &st) < 0)
606 return -errno;
607
d8b4e2e9 608 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
02a51aba
LP		 609 return -EPERM;
610
611 return 0;
612}
613
3d18b167
LP		 614static int setup_confirm_stdio(int *_saved_stdin, int *_saved_stdout) {
615 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
616 int r;
80876c20 617
80876c20
LP		 618 assert(_saved_stdin);
619 assert(_saved_stdout);
620
af6da548
LP		 621 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
622 if (saved_stdin < 0)
623 return -errno;
80876c20 624
af6da548 625 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
3d18b167
LP		 626 if (saved_stdout < 0)
627 return -errno;
80876c20 628
af6da548
LP		 629 fd = acquire_terminal(
630 "/dev/console",
631 false,
632 false,
633 false,
634 DEFAULT_CONFIRM_USEC);
3d18b167
LP		 635 if (fd < 0)
636 return fd;
80876c20 637
af6da548
LP		 638 r = chown_terminal(fd, getuid());
639 if (r < 0)
3d18b167 640 return r;
02a51aba 641
3d18b167
LP		 642 r = reset_terminal_fd(fd, true);
643 if (r < 0)
644 return r;
80876c20 645
3d18b167
LP		 646 if (dup2(fd, STDIN_FILENO) < 0)
647 return -errno;
648
649 if (dup2(fd, STDOUT_FILENO) < 0)
650 return -errno;
80876c20
LP		 651
652 if (fd >= 2)
03e334a1 653 safe_close(fd);
3d18b167 654 fd = -1;
80876c20
LP		 655
656 *_saved_stdin = saved_stdin;
657 *_saved_stdout = saved_stdout;
658
3d18b167 659 saved_stdin = saved_stdout = -1;
80876c20 660
3d18b167 661 return 0;
80876c20
LP		 662}
663
44b601bc 664_printf_(1, 2) static int write_confirm_message(const char *format, ...) {
03e334a1 665 _cleanup_close_ int fd = -1;
af6da548 666 va_list ap;
80876c20 667
af6da548 668 assert(format);
80876c20 669
af6da548
LP		 670 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
671 if (fd < 0)
672 return fd;
80876c20 673
af6da548
LP		 674 va_start(ap, format);
675 vdprintf(fd, format, ap);
676 va_end(ap);
80876c20 677
af6da548
LP		 678 return 0;
679}
80876c20 680
3d18b167 681static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
af6da548 682 int r = 0;
80876c20 683
af6da548
LP		 684 assert(saved_stdin);
685 assert(saved_stdout);
686
687 release_terminal();
688
689 if (*saved_stdin >= 0)
80876c20 690 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
af6da548 691 r = -errno;
80876c20 692
af6da548 693 if (*saved_stdout >= 0)
80876c20 694 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
af6da548 695 r = -errno;
80876c20 696
3d18b167
LP		 697 *saved_stdin = safe_close(*saved_stdin);
698 *saved_stdout = safe_close(*saved_stdout);
af6da548
LP		 699
700 return r;
701}
702
703static int ask_for_confirmation(char *response, char **argv) {
704 int saved_stdout = -1, saved_stdin = -1, r;
e1d75803 705 _cleanup_free_ char *line = NULL;
af6da548
LP		 706
707 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
708 if (r < 0)
709 return r;
710
711 line = exec_command_line(argv);
712 if (!line)
713 return -ENOMEM;
714
418b9be5 715 r = ask_char(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
af6da548
LP		 716
717 restore_confirm_stdio(&saved_stdin, &saved_stdout);
718
719 return r;
80876c20
LP		 720}
721
81a2b7ce
LP		 722static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
723 bool keep_groups = false;
724 int r;
725
726 assert(context);
727
35b8ca3a 728 /* Lookup and set GID and supplementary group list. Here too
81a2b7ce
LP		 729 * we avoid NSS lookups for gid=0. */
730
731 if (context->group || username) {
81a2b7ce
LP		 732 /* First step, initialize groups from /etc/groups */
733 if (username && gid != 0) {
734 if (initgroups(username, gid) < 0)
735 return -errno;
736
737 keep_groups = true;
738 }
739
740 /* Second step, set our gids */
741 if (setresgid(gid, gid, gid) < 0)
742 return -errno;
743 }
744
745 if (context->supplementary_groups) {
746 int ngroups_max, k;
747 gid_t *gids;
748 char **i;
749
750 /* Final step, initialize any manually set supplementary groups */
da19d5c1 751 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
81a2b7ce
LP		 752
753 if (!(gids = new(gid_t, ngroups_max)))
754 return -ENOMEM;
755
756 if (keep_groups) {
3cc2aff1
LP		 757 k = getgroups(ngroups_max, gids);
758 if (k < 0) {
81a2b7ce
LP		 759 free(gids);
760 return -errno;
761 }
762 } else
763 k = 0;
764
765 STRV_FOREACH(i, context->supplementary_groups) {
4b67834e 766 const char *g;
81a2b7ce
LP		 767
768 if (k >= ngroups_max) {
769 free(gids);
770 return -E2BIG;
771 }
772
4b67834e
LP		 773 g = *i;
774 r = get_group_creds(&g, gids+k);
775 if (r < 0) {
81a2b7ce
LP		 776 free(gids);
777 return r;
778 }
779
780 k++;
781 }
782
783 if (setgroups(k, gids) < 0) {
784 free(gids);
785 return -errno;
786 }
787
788 free(gids);
789 }
790
791 return 0;
792}
793
794static int enforce_user(const ExecContext *context, uid_t uid) {
81a2b7ce
LP		 795 assert(context);
796
479050b3 797 /* Sets (but doesn't look up) the uid and make sure we keep the
81a2b7ce
LP		 798 * capabilities while doing so. */
799
479050b3 800 if (context->capability_ambient_set != 0) {
81a2b7ce
LP		 801
802 /* First step: If we need to keep capabilities but
803 * drop privileges we need to make sure we keep our
cbb21cca 804 * caps, while we drop privileges. */
693ced48 805 if (uid != 0) {
cbb21cca 806 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
693ced48
LP		 807
808 if (prctl(PR_GET_SECUREBITS) != sb)
809 if (prctl(PR_SET_SECUREBITS, sb) < 0)
810 return -errno;
811 }
81a2b7ce
LP		 812 }
813
479050b3 814 /* Second step: actually set the uids */
81a2b7ce
LP		 815 if (setresuid(uid, uid, uid) < 0)
816 return -errno;
817
818 /* At this point we should have all necessary capabilities but
819 are otherwise a normal user. However, the caps might got
820 corrupted due to the setresuid() so we need clean them up
821 later. This is done outside of this call. */
822
823 return 0;
824}
825
5b6319dc
LP		 826#ifdef HAVE_PAM
827
828static int null_conv(
829 int num_msg,
830 const struct pam_message **msg,
831 struct pam_response **resp,
832 void *appdata_ptr) {
833
834 /* We don't support conversations */
835
836 return PAM_CONV_ERR;
837}
838
839static int setup_pam(
840 const char *name,
841 const char *user,
940c5210 842 uid_t uid,
5b6319dc 843 const char *tty,
2065ca69 844 char ***env,
5b6319dc
LP		 845 int fds[], unsigned n_fds) {
846
847 static const struct pam_conv conv = {
848 .conv = null_conv,
849 .appdata_ptr = NULL
850 };
851
2d7c6aa2 852 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
5b6319dc 853 pam_handle_t *handle = NULL;
d6e5f3ad 854 sigset_t old_ss;
7bb70b6e 855 int pam_code = PAM_SUCCESS, r;
84eada2f 856 char **nv, **e = NULL;
5b6319dc
LP		 857 bool close_session = false;
858 pid_t pam_pid = 0, parent_pid;
970edce6 859 int flags = 0;
5b6319dc
LP		 860
861 assert(name);
862 assert(user);
2065ca69 863 assert(env);
5b6319dc
LP		 864
865 /* We set up PAM in the parent process, then fork. The child
35b8ca3a 866 * will then stay around until killed via PR_GET_PDEATHSIG or
5b6319dc
LP		 867 * systemd via the cgroup logic. It will then remove the PAM
868 * session again. The parent process will exec() the actual
869 * daemon. We do things this way to ensure that the main PID
870 * of the daemon is the one we initially fork()ed. */
871
7bb70b6e
LP		 872 r = barrier_create(&barrier);
873 if (r < 0)
2d7c6aa2
DH		 874 goto fail;
875
553d2243 876 if (log_get_max_level() < LOG_DEBUG)
970edce6
ZJS		 877 flags |= PAM_SILENT;
878
f546241b
ZJS		 879 pam_code = pam_start(name, user, &conv, &handle);
880 if (pam_code != PAM_SUCCESS) {
5b6319dc
LP		 881 handle = NULL;
882 goto fail;
883 }
884
f546241b
ZJS		 885 if (tty) {
886 pam_code = pam_set_item(handle, PAM_TTY, tty);
887 if (pam_code != PAM_SUCCESS)
5b6319dc 888 goto fail;
f546241b 889 }
5b6319dc 890
84eada2f
JW		 891 STRV_FOREACH(nv, *env) {
892 pam_code = pam_putenv(handle, *nv);
2065ca69
JW		 893 if (pam_code != PAM_SUCCESS)
894 goto fail;
895 }
896
970edce6 897 pam_code = pam_acct_mgmt(handle, flags);
f546241b 898 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 899 goto fail;
900
970edce6 901 pam_code = pam_open_session(handle, flags);
f546241b 902 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 903 goto fail;
904
905 close_session = true;
906
f546241b
ZJS		 907 e = pam_getenvlist(handle);
908 if (!e) {
5b6319dc
LP		 909 pam_code = PAM_BUF_ERR;
910 goto fail;
911 }
912
913 /* Block SIGTERM, so that we know that it won't get lost in
914 * the child */
ce30c8dc 915
72c0a2c2 916 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
5b6319dc
LP		 917
918 parent_pid = getpid();
919
f546241b 920 pam_pid = fork();
7bb70b6e
LP		 921 if (pam_pid < 0) {
922 r = -errno;
5b6319dc 923 goto fail;
7bb70b6e 924 }
5b6319dc
LP		 925
926 if (pam_pid == 0) {
7bb70b6e 927 int sig, ret = EXIT_PAM;
5b6319dc
LP		 928
929 /* The child's job is to reset the PAM session on
930 * termination */
2d7c6aa2 931 barrier_set_role(&barrier, BARRIER_CHILD);
5b6319dc
LP		 932
933 /* This string must fit in 10 chars (i.e. the length
5d6b1584
LP		 934 * of "/sbin/init"), to look pretty in /bin/ps */
935 rename_process("(sd-pam)");
5b6319dc
LP		 936
937 /* Make sure we don't keep open the passed fds in this
938 child. We assume that otherwise only those fds are
939 open here that have been opened by PAM. */
940 close_many(fds, n_fds);
941
940c5210
AK		 942 /* Drop privileges - we don't need any to pam_close_session
943 * and this will make PR_SET_PDEATHSIG work in most cases.
944 * If this fails, ignore the error - but expect sd-pam threads
945 * to fail to exit normally */
946 if (setresuid(uid, uid, uid) < 0)
da927ba9 947 log_error_errno(r, "Error: Failed to setresuid() in sd-pam: %m");
940c5210 948
ce30c8dc
LP		 949 (void) ignore_signals(SIGPIPE, -1);
950
940c5210
AK		 951 /* Wait until our parent died. This will only work if
952 * the above setresuid() succeeds, otherwise the kernel
953 * will not allow unprivileged parents kill their privileged
954 * children this way. We rely on the control groups kill logic
5b6319dc
LP		 955 * to do the rest for us. */
956 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
957 goto child_finish;
958
2d7c6aa2
DH		 959 /* Tell the parent that our setup is done. This is especially
960 * important regarding dropping privileges. Otherwise, unit
961 * setup might race against our setresuid(2) call. */
962 barrier_place(&barrier);
963
5b6319dc
LP		 964 /* Check if our parent process might already have
965 * died? */
966 if (getppid() == parent_pid) {
d6e5f3ad
DM		 967 sigset_t ss;
968
969 assert_se(sigemptyset(&ss) >= 0);
970 assert_se(sigaddset(&ss, SIGTERM) >= 0);
971
3dead8d9
LP		 972 for (;;) {
973 if (sigwait(&ss, &sig) < 0) {
974 if (errno == EINTR)
975 continue;
976
977 goto child_finish;
978 }
5b6319dc 979
3dead8d9
LP		 980 assert(sig == SIGTERM);
981 break;
982 }
5b6319dc
LP		 983 }
984
3dead8d9 985 /* If our parent died we'll end the session */
f546241b 986 if (getppid() != parent_pid) {
970edce6 987 pam_code = pam_close_session(handle, flags);
f546241b 988 if (pam_code != PAM_SUCCESS)
5b6319dc 989 goto child_finish;
f546241b 990 }
5b6319dc 991
7bb70b6e 992 ret = 0;
5b6319dc
LP		 993
994 child_finish:
970edce6 995 pam_end(handle, pam_code | flags);
7bb70b6e 996 _exit(ret);
5b6319dc
LP		 997 }
998
2d7c6aa2
DH		 999 barrier_set_role(&barrier, BARRIER_PARENT);
1000
5b6319dc
LP		 1001 /* If the child was forked off successfully it will do all the
1002 * cleanups, so forget about the handle here. */
1003 handle = NULL;
1004
3b8bddde 1005 /* Unblock SIGTERM again in the parent */
72c0a2c2 1006 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
5b6319dc
LP		 1007
1008 /* We close the log explicitly here, since the PAM modules
1009 * might have opened it, but we don't want this fd around. */
1010 closelog();
1011
2d7c6aa2
DH		 1012 /* Synchronously wait for the child to initialize. We don't care for
1013 * errors as we cannot recover. However, warn loudly if it happens. */
1014 if (!barrier_place_and_sync(&barrier))
1015 log_error("PAM initialization failed");
1016
2065ca69
JW		 1017 strv_free(*env);
1018 *env = e;
aa87e624 1019
5b6319dc
LP		 1020 return 0;
1021
1022fail:
970edce6
ZJS		 1023 if (pam_code != PAM_SUCCESS) {
1024 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
7bb70b6e
LP		 1025 r = -EPERM; /* PAM errors do not map to errno */
1026 } else
1027 log_error_errno(r, "PAM failed: %m");
9ba35398 1028
5b6319dc
LP		 1029 if (handle) {
1030 if (close_session)
970edce6 1031 pam_code = pam_close_session(handle, flags);
5b6319dc 1032
970edce6 1033 pam_end(handle, pam_code | flags);
5b6319dc
LP		 1034 }
1035
1036 strv_free(e);
5b6319dc
LP		 1037 closelog();
1038
7bb70b6e 1039 return r;
5b6319dc
LP		 1040}
1041#endif
1042
5d6b1584
LP		 1043static void rename_process_from_path(const char *path) {
1044 char process_name[11];
1045 const char *p;
1046 size_t l;
1047
1048 /* This resulting string must fit in 10 chars (i.e. the length
1049 * of "/sbin/init") to look pretty in /bin/ps */
1050
2b6bf07d 1051 p = basename(path);
5d6b1584
LP		 1052 if (isempty(p)) {
1053 rename_process("(...)");
1054 return;
1055 }
1056
1057 l = strlen(p);
1058 if (l > 8) {
1059 /* The end of the process name is usually more
1060 * interesting, since the first bit might just be
1061 * "systemd-" */
1062 p = p + l - 8;
1063 l = 8;
1064 }
1065
1066 process_name[0] = '(';
1067 memcpy(process_name+1, p, l);
1068 process_name[1+l] = ')';
1069 process_name[1+l+1] = 0;
1070
1071 rename_process(process_name);
1072}
1073
c0467cf3 1074#ifdef HAVE_SECCOMP
17df7223 1075
822a5960 1076static int apply_seccomp(const ExecContext *c) {
17df7223
LP		 1077 uint32_t negative_action, action;
1078 scmp_filter_ctx *seccomp;
c0467cf3
RC		 1079 Iterator i;
1080 void *id;
17df7223 1081 int r;
8351ceae 1082
c0467cf3 1083 assert(c);
8351ceae 1084
17df7223
LP		 1085 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
1086
1087 seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW);
1088 if (!seccomp)
1089 return -ENOMEM;
8351ceae 1090
e9642be2
LP		 1091 if (c->syscall_archs) {
1092
1093 SET_FOREACH(id, c->syscall_archs, i) {
1094 r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
1095 if (r == -EEXIST)
1096 continue;
7c66bae2
LP		 1097 if (r < 0)
1098 goto finish;
e9642be2 1099 }
e9642be2 1100
7c66bae2 1101 } else {
e9642be2 1102 r = seccomp_add_secondary_archs(seccomp);
7c66bae2
LP		 1103 if (r < 0)
1104 goto finish;
57183d11 1105 }
8351ceae 1106
57183d11 1107 action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
17df7223
LP		 1108 SET_FOREACH(id, c->syscall_filter, i) {
1109 r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
7c66bae2
LP		 1110 if (r < 0)
1111 goto finish;
c0467cf3 1112 }
8351ceae 1113
7c66bae2
LP		 1114 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1115 if (r < 0)
1116 goto finish;
1117
17df7223 1118 r = seccomp_load(seccomp);
7c66bae2
LP		 1119
1120finish:
17df7223 1121 seccomp_release(seccomp);
4298d0b5
LP		 1122 return r;
1123}
1124
822a5960 1125static int apply_address_families(const ExecContext *c) {
4298d0b5
LP		 1126 scmp_filter_ctx *seccomp;
1127 Iterator i;
1128 int r;
1129
1130 assert(c);
1131
1132 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1133 if (!seccomp)
1134 return -ENOMEM;
1135
1136 r = seccomp_add_secondary_archs(seccomp);
1137 if (r < 0)
1138 goto finish;
1139
1140 if (c->address_families_whitelist) {
1141 int af, first = 0, last = 0;
1142 void *afp;
1143
1144 /* If this is a whitelist, we first block the address
1145 * families that are out of range and then everything
1146 * that is not in the set. First, we find the lowest
1147 * and highest address family in the set. */
1148
1149 SET_FOREACH(afp, c->address_families, i) {
1150 af = PTR_TO_INT(afp);
17df7223 1151
4298d0b5
LP		 1152 if (af <= 0 || af >= af_max())
1153 continue;
1154
1155 if (first == 0 || af < first)
1156 first = af;
1157
1158 if (last == 0 || af > last)
1159 last = af;
1160 }
1161
1162 assert((first == 0) == (last == 0));
1163
1164 if (first == 0) {
1165
1166 /* No entries in the valid range, block everything */
1167 r = seccomp_rule_add(
1168 seccomp,
1169 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1170 SCMP_SYS(socket),
1171 0);
1172 if (r < 0)
1173 goto finish;
1174
1175 } else {
1176
1177 /* Block everything below the first entry */
1178 r = seccomp_rule_add(
1179 seccomp,
1180 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1181 SCMP_SYS(socket),
1182 1,
1183 SCMP_A0(SCMP_CMP_LT, first));
1184 if (r < 0)
1185 goto finish;
1186
1187 /* Block everything above the last entry */
1188 r = seccomp_rule_add(
1189 seccomp,
1190 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1191 SCMP_SYS(socket),
1192 1,
1193 SCMP_A0(SCMP_CMP_GT, last));
1194 if (r < 0)
1195 goto finish;
1196
1197 /* Block everything between the first and last
1198 * entry */
1199 for (af = 1; af < af_max(); af++) {
1200
1201 if (set_contains(c->address_families, INT_TO_PTR(af)))
1202 continue;
1203
1204 r = seccomp_rule_add(
1205 seccomp,
1206 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1207 SCMP_SYS(socket),
1208 1,
1209 SCMP_A0(SCMP_CMP_EQ, af));
1210 if (r < 0)
1211 goto finish;
1212 }
1213 }
1214
1215 } else {
1216 void *af;
1217
1218 /* If this is a blacklist, then generate one rule for
1219 * each address family that are then combined in OR
1220 * checks. */
1221
1222 SET_FOREACH(af, c->address_families, i) {
1223
1224 r = seccomp_rule_add(
1225 seccomp,
1226 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1227 SCMP_SYS(socket),
1228 1,
1229 SCMP_A0(SCMP_CMP_EQ, PTR_TO_INT(af)));
1230 if (r < 0)
1231 goto finish;
1232 }
1233 }
1234
1235 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1236 if (r < 0)
1237 goto finish;
1238
1239 r = seccomp_load(seccomp);
1240
1241finish:
1242 seccomp_release(seccomp);
17df7223 1243 return r;
8351ceae 1244}
4298d0b5 1245
f3e43635
TM		 1246static int apply_memory_deny_write_execute(const ExecContext *c) {
1247 scmp_filter_ctx *seccomp;
1248 int r;
1249
1250 assert(c);
1251
1252 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1253 if (!seccomp)
1254 return -ENOMEM;
1255
1256 r = seccomp_rule_add(
1257 seccomp,
abd84d4d 1258 SCMP_ACT_ERRNO(EPERM),
f3e43635
TM		 1259 SCMP_SYS(mmap),
1260 1,
1261 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE));
1262 if (r < 0)
1263 goto finish;
1264
1265 r = seccomp_rule_add(
1266 seccomp,
abd84d4d 1267 SCMP_ACT_ERRNO(EPERM),
f3e43635
TM		 1268 SCMP_SYS(mprotect),
1269 1,
1270 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC));
1271 if (r < 0)
1272 goto finish;
1273
1274 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1275 if (r < 0)
1276 goto finish;
1277
1278 r = seccomp_load(seccomp);
1279
1280finish:
1281 seccomp_release(seccomp);
1282 return r;
1283}
1284
f4170c67
LP		 1285static int apply_restrict_realtime(const ExecContext *c) {
1286 static const int permitted_policies[] = {
1287 SCHED_OTHER,
1288 SCHED_BATCH,
1289 SCHED_IDLE,
1290 };
1291
1292 scmp_filter_ctx *seccomp;
1293 unsigned i;
1294 int r, p, max_policy = 0;
1295
1296 assert(c);
1297
1298 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1299 if (!seccomp)
1300 return -ENOMEM;
1301
1302 /* Determine the highest policy constant we want to allow */
1303 for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
1304 if (permitted_policies[i] > max_policy)
1305 max_policy = permitted_policies[i];
1306
1307 /* Go through all policies with lower values than that, and block them -- unless they appear in the
1308 * whitelist. */
1309 for (p = 0; p < max_policy; p++) {
1310 bool good = false;
1311
1312 /* Check if this is in the whitelist. */
1313 for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
1314 if (permitted_policies[i] == p) {
1315 good = true;
1316 break;
1317 }
1318
1319 if (good)
1320 continue;
1321
1322 /* Deny this policy */
1323 r = seccomp_rule_add(
1324 seccomp,
1325 SCMP_ACT_ERRNO(EPERM),
1326 SCMP_SYS(sched_setscheduler),
1327 1,
1328 SCMP_A1(SCMP_CMP_EQ, p));
1329 if (r < 0)
1330 goto finish;
1331 }
1332
1333 /* Blacklist all other policies, i.e. the ones with higher values. Note that all comparisons are unsigned here,
1334 * hence no need no check for < 0 values. */
1335 r = seccomp_rule_add(
1336 seccomp,
1337 SCMP_ACT_ERRNO(EPERM),
1338 SCMP_SYS(sched_setscheduler),
1339 1,
1340 SCMP_A1(SCMP_CMP_GT, max_policy));
1341 if (r < 0)
1342 goto finish;
1343
1344 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1345 if (r < 0)
1346 goto finish;
1347
1348 r = seccomp_load(seccomp);
1349
1350finish:
1351 seccomp_release(seccomp);
1352 return r;
1353}
1354
c0467cf3 1355#endif
8351ceae 1356
31a7eb86
ZJS		 1357static void do_idle_pipe_dance(int idle_pipe[4]) {
1358 assert(idle_pipe);
1359
03e334a1 1360
54eb2300
LP		 1361 idle_pipe[1] = safe_close(idle_pipe[1]);
1362 idle_pipe[2] = safe_close(idle_pipe[2]);
31a7eb86
ZJS		 1363
1364 if (idle_pipe[0] >= 0) {
1365 int r;
1366
1367 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1368
1369 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
c7cc737f
LP		 1370 ssize_t n;
1371
31a7eb86 1372 /* Signal systemd that we are bored and want to continue. */
c7cc737f
LP		 1373 n = write(idle_pipe[3], "x", 1);
1374 if (n > 0)
cd972d69
ZJS		 1375 /* Wait for systemd to react to the signal above. */
1376 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
31a7eb86
ZJS		 1377 }
1378
54eb2300 1379 idle_pipe[0] = safe_close(idle_pipe[0]);
31a7eb86
ZJS		 1380
1381 }
1382
54eb2300 1383 idle_pipe[3] = safe_close(idle_pipe[3]);
31a7eb86
ZJS		 1384}
1385
7cae38c4 1386static int build_environment(
9fa95f85 1387 const ExecContext *c,
1e22b5cd 1388 const ExecParameters *p,
7cae38c4
LP		 1389 unsigned n_fds,
1390 const char *home,
1391 const char *username,
1392 const char *shell,
7bce046b
LP		 1393 dev_t journal_stream_dev,
1394 ino_t journal_stream_ino,
7cae38c4
LP		 1395 char ***ret) {
1396
1397 _cleanup_strv_free_ char **our_env = NULL;
1398 unsigned n_env = 0;
1399 char *x;
1400
1401 assert(c);
1402 assert(ret);
1403
7bce046b 1404 our_env = new0(char*, 12);
7cae38c4
LP		 1405 if (!our_env)
1406 return -ENOMEM;
1407
1408 if (n_fds > 0) {
8dd4c05b
LP		 1409 _cleanup_free_ char *joined = NULL;
1410
ccd06097 1411 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
7cae38c4
LP		 1412 return -ENOMEM;
1413 our_env[n_env++] = x;
1414
1415 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1416 return -ENOMEM;
1417 our_env[n_env++] = x;
8dd4c05b 1418
1e22b5cd 1419 joined = strv_join(p->fd_names, ":");
8dd4c05b
LP		 1420 if (!joined)
1421 return -ENOMEM;
1422
1423 x = strjoin("LISTEN_FDNAMES=", joined, NULL);
1424 if (!x)
1425 return -ENOMEM;
1426 our_env[n_env++] = x;
7cae38c4
LP		 1427 }
1428
b08af3b1 1429 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
ccd06097 1430 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
09812eb7
LP		 1431 return -ENOMEM;
1432 our_env[n_env++] = x;
1433
1e22b5cd 1434 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
09812eb7
LP		 1435 return -ENOMEM;
1436 our_env[n_env++] = x;
1437 }
1438
7cae38c4
LP		 1439 if (home) {
1440 x = strappend("HOME=", home);
1441 if (!x)
1442 return -ENOMEM;
1443 our_env[n_env++] = x;
1444 }
1445
1446 if (username) {
1447 x = strappend("LOGNAME=", username);
1448 if (!x)
1449 return -ENOMEM;
1450 our_env[n_env++] = x;
1451
1452 x = strappend("USER=", username);
1453 if (!x)
1454 return -ENOMEM;
1455 our_env[n_env++] = x;
1456 }
1457
1458 if (shell) {
1459 x = strappend("SHELL=", shell);
1460 if (!x)
1461 return -ENOMEM;
1462 our_env[n_env++] = x;
1463 }
1464
6af760f3
LP		 1465 if (exec_context_needs_term(c)) {
1466 const char *tty_path, *term = NULL;
1467
1468 tty_path = exec_context_tty_path(c);
1469
1470 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try to inherit
1471 * the $TERM set for PID 1. This is useful for containers so that the $TERM the container manager
1472 * passes to PID 1 ends up all the way in the console login shown. */
1473
1474 if (path_equal(tty_path, "/dev/console") && getppid() == 1)
1475 term = getenv("TERM");
1476 if (!term)
1477 term = default_term_for_tty(tty_path);
7cae38c4 1478
6af760f3 1479 x = strappend("TERM=", term);
7cae38c4
LP		 1480 if (!x)
1481 return -ENOMEM;
1482 our_env[n_env++] = x;
1483 }
1484
7bce046b
LP		 1485 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1486 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1487 return -ENOMEM;
1488
1489 our_env[n_env++] = x;
1490 }
1491
7cae38c4 1492 our_env[n_env++] = NULL;
7bce046b 1493 assert(n_env <= 12);
7cae38c4
LP		 1494
1495 *ret = our_env;
1496 our_env = NULL;
1497
1498 return 0;
1499}
1500
b4c14404
FB		 1501static int build_pass_environment(const ExecContext *c, char ***ret) {
1502 _cleanup_strv_free_ char **pass_env = NULL;
1503 size_t n_env = 0, n_bufsize = 0;
1504 char **i;
1505
1506 STRV_FOREACH(i, c->pass_environment) {
1507 _cleanup_free_ char *x = NULL;
1508 char *v;
1509
1510 v = getenv(*i);
1511 if (!v)
1512 continue;
1513 x = strjoin(*i, "=", v, NULL);
1514 if (!x)
1515 return -ENOMEM;
1516 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1517 return -ENOMEM;
1518 pass_env[n_env++] = x;
1519 pass_env[n_env] = NULL;
1520 x = NULL;
1521 }
1522
1523 *ret = pass_env;
1524 pass_env = NULL;
1525
1526 return 0;
1527}
1528
8b44a3d2
LP		 1529static bool exec_needs_mount_namespace(
1530 const ExecContext *context,
1531 const ExecParameters *params,
1532 ExecRuntime *runtime) {
1533
1534 assert(context);
1535 assert(params);
1536
2a624c36
AP		 1537 if (!strv_isempty(context->read_write_paths) ||
1538 !strv_isempty(context->read_only_paths) ||
1539 !strv_isempty(context->inaccessible_paths))
8b44a3d2
LP		 1540 return true;
1541
1542 if (context->mount_flags != 0)
1543 return true;
1544
1545 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1546 return true;
1547
8b44a3d2
LP		 1548 if (context->private_devices ||
1549 context->protect_system != PROTECT_SYSTEM_NO ||
1550 context->protect_home != PROTECT_HOME_NO)
1551 return true;
1552
1553 return false;
1554}
1555
d251207d
LP		 1556static int setup_private_users(uid_t uid, gid_t gid) {
1557 _cleanup_free_ char *uid_map = NULL, *gid_map = NULL;
1558 _cleanup_close_pair_ int errno_pipe[2] = { -1, -1 };
1559 _cleanup_close_ int unshare_ready_fd = -1;
1560 _cleanup_(sigkill_waitp) pid_t pid = 0;
1561 uint64_t c = 1;
1562 siginfo_t si;
1563 ssize_t n;
1564 int r;
1565
1566 /* Set up a user namespace and map root to root, the selected UID/GID to itself, and everything else to
1567 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1568 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1569 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1570 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
1571 * continues execution normally. */
1572
1573 if (uid != 0 && uid_is_valid(uid))
1574 asprintf(&uid_map,
1575 "0 0 1\n" /* Map root → root */
1576 UID_FMT " " UID_FMT " 1\n", /* Map $UID → $UID */
1577 uid, uid); /* The case where the above is the same */
1578 else
1579 uid_map = strdup("0 0 1\n");
1580 if (!uid_map)
1581 return -ENOMEM;
1582
1583 if (gid != 0 && gid_is_valid(gid))
1584 asprintf(&gid_map,
1585 "0 0 1\n" /* Map root → root */
1586 GID_FMT " " GID_FMT " 1\n", /* Map $GID → $GID */
1587 gid, gid);
1588 else
1589 gid_map = strdup("0 0 1\n"); /* The case where the above is the same */
1590 if (!gid_map)
1591 return -ENOMEM;
1592
1593 /* Create a communication channel so that the parent can tell the child when it finished creating the user
1594 * namespace. */
1595 unshare_ready_fd = eventfd(0, EFD_CLOEXEC);
1596 if (unshare_ready_fd < 0)
1597 return -errno;
1598
1599 /* Create a communication channel so that the child can tell the parent a proper error code in case it
1600 * failed. */
1601 if (pipe2(errno_pipe, O_CLOEXEC) < 0)
1602 return -errno;
1603
1604 pid = fork();
1605 if (pid < 0)
1606 return -errno;
1607
1608 if (pid == 0) {
1609 _cleanup_close_ int fd = -1;
1610 const char *a;
1611 pid_t ppid;
1612
1613 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
1614 * here, after the parent opened its own user namespace. */
1615
1616 ppid = getppid();
1617 errno_pipe[0] = safe_close(errno_pipe[0]);
1618
1619 /* Wait until the parent unshared the user namespace */
1620 if (read(unshare_ready_fd, &c, sizeof(c)) < 0) {
1621 r = -errno;
1622 goto child_fail;
1623 }
1624
1625 /* Disable the setgroups() system call in the child user namespace, for good. */
1626 a = procfs_file_alloca(ppid, "setgroups");
1627 fd = open(a, O_WRONLY|O_CLOEXEC);
1628 if (fd < 0) {
1629 if (errno != ENOENT) {
1630 r = -errno;
1631 goto child_fail;
1632 }
1633
1634 /* If the file is missing the kernel is too old, let's continue anyway. */
1635 } else {
1636 if (write(fd, "deny\n", 5) < 0) {
1637 r = -errno;
1638 goto child_fail;
1639 }
1640
1641 fd = safe_close(fd);
1642 }
1643
1644 /* First write the GID map */
1645 a = procfs_file_alloca(ppid, "gid_map");
1646 fd = open(a, O_WRONLY|O_CLOEXEC);
1647 if (fd < 0) {
1648 r = -errno;
1649 goto child_fail;
1650 }
1651 if (write(fd, gid_map, strlen(gid_map)) < 0) {
1652 r = -errno;
1653 goto child_fail;
1654 }
1655 fd = safe_close(fd);
1656
1657 /* The write the UID map */
1658 a = procfs_file_alloca(ppid, "uid_map");
1659 fd = open(a, O_WRONLY|O_CLOEXEC);
1660 if (fd < 0) {
1661 r = -errno;
1662 goto child_fail;
1663 }
1664 if (write(fd, uid_map, strlen(uid_map)) < 0) {
1665 r = -errno;
1666 goto child_fail;
1667 }
1668
1669 _exit(EXIT_SUCCESS);
1670
1671 child_fail:
1672 (void) write(errno_pipe[1], &r, sizeof(r));
1673 _exit(EXIT_FAILURE);
1674 }
1675
1676 errno_pipe[1] = safe_close(errno_pipe[1]);
1677
1678 if (unshare(CLONE_NEWUSER) < 0)
1679 return -errno;
1680
1681 /* Let the child know that the namespace is ready now */
1682 if (write(unshare_ready_fd, &c, sizeof(c)) < 0)
1683 return -errno;
1684
1685 /* Try to read an error code from the child */
1686 n = read(errno_pipe[0], &r, sizeof(r));
1687 if (n < 0)
1688 return -errno;
1689 if (n == sizeof(r)) { /* an error code was sent to us */
1690 if (r < 0)
1691 return r;
1692 return -EIO;
1693 }
1694 if (n != 0) /* on success we should have read 0 bytes */
1695 return -EIO;
1696
1697 r = wait_for_terminate(pid, &si);
1698 if (r < 0)
1699 return r;
1700 pid = 0;
1701
1702 /* If something strange happened with the child, let's consider this fatal, too */
1703 if (si.si_code != CLD_EXITED || si.si_status != 0)
1704 return -EIO;
1705
1706 return 0;
1707}
1708
29206d46
LP		 1709static void append_socket_pair(int *array, unsigned *n, int pair[2]) {
1710 assert(array);
1711 assert(n);
1712
1713 if (!pair)
1714 return;
1715
1716 if (pair[0] >= 0)
1717 array[(*n)++] = pair[0];
1718 if (pair[1] >= 0)
1719 array[(*n)++] = pair[1];
1720}
1721
a34ceba6
LP		 1722static int close_remaining_fds(
1723 const ExecParameters *params,
1724 ExecRuntime *runtime,
29206d46 1725 DynamicCreds *dcreds,
00d9ef85 1726 int user_lookup_fd,
a34ceba6
LP		 1727 int socket_fd,
1728 int *fds, unsigned n_fds) {
1729
1730 unsigned n_dont_close = 0;
00d9ef85 1731 int dont_close[n_fds + 12];
a34ceba6
LP		 1732
1733 assert(params);
1734
1735 if (params->stdin_fd >= 0)
1736 dont_close[n_dont_close++] = params->stdin_fd;
1737 if (params->stdout_fd >= 0)
1738 dont_close[n_dont_close++] = params->stdout_fd;
1739 if (params->stderr_fd >= 0)
1740 dont_close[n_dont_close++] = params->stderr_fd;
1741
1742 if (socket_fd >= 0)
1743 dont_close[n_dont_close++] = socket_fd;
1744 if (n_fds > 0) {
1745 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
1746 n_dont_close += n_fds;
1747 }
1748
29206d46
LP		 1749 if (runtime)
1750 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
1751
1752 if (dcreds) {
1753 if (dcreds->user)
1754 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
1755 if (dcreds->group)
1756 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
a34ceba6
LP		 1757 }
1758
00d9ef85
LP		 1759 if (user_lookup_fd >= 0)
1760 dont_close[n_dont_close++] = user_lookup_fd;
1761
a34ceba6
LP		 1762 return close_all_fds(dont_close, n_dont_close);
1763}
1764
00d9ef85
LP		 1765static int send_user_lookup(
1766 Unit *unit,
1767 int user_lookup_fd,
1768 uid_t uid,
1769 gid_t gid) {
1770
1771 assert(unit);
1772
1773 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
1774 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
1775 * specified. */
1776
1777 if (user_lookup_fd < 0)
1778 return 0;
1779
1780 if (!uid_is_valid(uid) && !gid_is_valid(gid))
1781 return 0;
1782
1783 if (writev(user_lookup_fd,
1784 (struct iovec[]) {
1785 { .iov_base = &uid, .iov_len = sizeof(uid) },
1786 { .iov_base = &gid, .iov_len = sizeof(gid) },
1787 { .iov_base = unit->id, .iov_len = strlen(unit->id) }}, 3) < 0)
1788 return -errno;
1789
1790 return 0;
1791}
1792
ff0af2a1 1793static int exec_child(
f2341e0a 1794 Unit *unit,
ff0af2a1
LP		 1795 ExecCommand *command,
1796 const ExecContext *context,
1797 const ExecParameters *params,
1798 ExecRuntime *runtime,
29206d46 1799 DynamicCreds *dcreds,
ff0af2a1
LP		 1800 char **argv,
1801 int socket_fd,
1802 int *fds, unsigned n_fds,
1803 char **files_env,
00d9ef85 1804 int user_lookup_fd,
ff0af2a1 1805 int *exit_status) {
d35fbf6b 1806
2065ca69 1807 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **final_argv = NULL;
9008e1ac 1808 _cleanup_free_ char *mac_selinux_context_net = NULL;
5f5d8eab 1809 const char *username = NULL, *home = NULL, *shell = NULL, *wd;
7bce046b
LP		 1810 dev_t journal_stream_dev = 0;
1811 ino_t journal_stream_ino = 0;
1812 bool needs_mount_namespace;
fed1e721
LP		 1813 uid_t uid = UID_INVALID;
1814 gid_t gid = GID_INVALID;
ff0af2a1 1815 int i, r;
034c6ed7 1816
f2341e0a 1817 assert(unit);
5cb5a6ff
LP		 1818 assert(command);
1819 assert(context);
d35fbf6b 1820 assert(params);
ff0af2a1 1821 assert(exit_status);
d35fbf6b
DM		 1822
1823 rename_process_from_path(command->path);
1824
1825 /* We reset exactly these signals, since they are the
1826 * only ones we set to SIG_IGN in the main daemon. All
1827 * others we leave untouched because we set them to
1828 * SIG_DFL or a valid handler initially, both of which
1829 * will be demoted to SIG_DFL. */
ce30c8dc
LP		 1830 (void) default_signals(SIGNALS_CRASH_HANDLER,
1831 SIGNALS_IGNORE, -1);
d35fbf6b
DM		 1832
1833 if (context->ignore_sigpipe)
ce30c8dc 1834 (void) ignore_signals(SIGPIPE, -1);
d35fbf6b 1835
ff0af2a1
LP		 1836 r = reset_signal_mask();
1837 if (r < 0) {
1838 *exit_status = EXIT_SIGNAL_MASK;
1839 return r;
d35fbf6b 1840 }
034c6ed7 1841
d35fbf6b
DM		 1842 if (params->idle_pipe)
1843 do_idle_pipe_dance(params->idle_pipe);
4f2d528d 1844
d35fbf6b
DM		 1845 /* Close sockets very early to make sure we don't
1846 * block init reexecution because it cannot bind its
1847 * sockets */
ff0af2a1 1848
d35fbf6b 1849 log_forget_fds();
4f2d528d 1850
00d9ef85 1851 r = close_remaining_fds(params, runtime, dcreds, user_lookup_fd, socket_fd, fds, n_fds);
ff0af2a1
LP		 1852 if (r < 0) {
1853 *exit_status = EXIT_FDS;
1854 return r;
8c7be95e
LP		 1855 }
1856
d35fbf6b
DM		 1857 if (!context->same_pgrp)
1858 if (setsid() < 0) {
ff0af2a1 1859 *exit_status = EXIT_SETSID;
d35fbf6b
DM		 1860 return -errno;
1861 }
9e2f7c11 1862
1e22b5cd 1863 exec_context_tty_reset(context, params);
d35fbf6b 1864
c39f1ce2 1865 if (params->flags & EXEC_CONFIRM_SPAWN) {
d35fbf6b
DM		 1866 char response;
1867
ff0af2a1
LP		 1868 r = ask_for_confirmation(&response, argv);
1869 if (r == -ETIMEDOUT)
d35fbf6b 1870 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
ff0af2a1
LP		 1871 else if (r < 0)
1872 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-r));
d35fbf6b
DM		 1873 else if (response == 's') {
1874 write_confirm_message("Skipping execution.\n");
ff0af2a1 1875 *exit_status = EXIT_CONFIRM;
d35fbf6b
DM		 1876 return -ECANCELED;
1877 } else if (response == 'n') {
1878 write_confirm_message("Failing execution.\n");
ff0af2a1 1879 *exit_status = 0;
d35fbf6b
DM		 1880 return 0;
1881 }
1882 }
1a63a750 1883
29206d46
LP		 1884 if (context->dynamic_user && dcreds) {
1885
409093fe
LP		 1886 /* Make sure we bypass our own NSS module for any NSS checks */
1887 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
1888 *exit_status = EXIT_USER;
1889 return -errno;
1890 }
1891
29206d46 1892 r = dynamic_creds_realize(dcreds, &uid, &gid);
ff0af2a1
LP		 1893 if (r < 0) {
1894 *exit_status = EXIT_USER;
1895 return r;
524daa8c 1896 }
524daa8c 1897
92b25bca 1898 if (!uid_is_valid(uid) || !gid_is_valid(gid)) {
29206d46
LP		 1899 *exit_status = EXIT_USER;
1900 return -ESRCH;
1901 }
5bc7452b 1902
29206d46
LP		 1903 if (dcreds->user)
1904 username = dcreds->user->name;
1905
1906 } else {
1907 if (context->user) {
1908 username = context->user;
1909 r = get_user_creds(&username, &uid, &gid, &home, &shell);
1910 if (r < 0) {
1911 *exit_status = EXIT_USER;
1912 return r;
1913 }
70493828
LP		 1914
1915 /* Don't set $HOME or $SHELL if they are are not particularly enlightening anyway. */
1916 if (isempty(home) || path_equal(home, "/"))
1917 home = NULL;
1918
1919 if (isempty(shell) || PATH_IN_SET(shell,
1920 "/bin/nologin",
1921 "/sbin/nologin",
1922 "/usr/bin/nologin",
1923 "/usr/sbin/nologin"))
1924 shell = NULL;
5bc7452b 1925 }
5bc7452b 1926
29206d46
LP		 1927 if (context->group) {
1928 const char *g = context->group;
1929
1930 r = get_group_creds(&g, &gid);
1931 if (r < 0) {
1932 *exit_status = EXIT_GROUP;
1933 return r;
1934 }
1935 }
1936 }
5bc7452b 1937
00d9ef85
LP		 1938 r = send_user_lookup(unit, user_lookup_fd, uid, gid);
1939 if (r < 0) {
1940 *exit_status = EXIT_USER;
1941 return r;
1942 }
1943
1944 user_lookup_fd = safe_close(user_lookup_fd);
1945
d35fbf6b
DM		 1946 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1947 * must sure to drop O_NONBLOCK */
1948 if (socket_fd >= 0)
a34ceba6 1949 (void) fd_nonblock(socket_fd, false);
acbb0225 1950
a34ceba6 1951 r = setup_input(context, params, socket_fd);
ff0af2a1
LP		 1952 if (r < 0) {
1953 *exit_status = EXIT_STDIN;
1954 return r;
d35fbf6b 1955 }
034c6ed7 1956
7bce046b 1957 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 1958 if (r < 0) {
1959 *exit_status = EXIT_STDOUT;
1960 return r;
d35fbf6b
DM		 1961 }
1962
7bce046b 1963 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 1964 if (r < 0) {
1965 *exit_status = EXIT_STDERR;
1966 return r;
d35fbf6b
DM		 1967 }
1968
1969 if (params->cgroup_path) {
ff0af2a1
LP		 1970 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
1971 if (r < 0) {
1972 *exit_status = EXIT_CGROUP;
1973 return r;
309bff19 1974 }
d35fbf6b 1975 }
309bff19 1976
d35fbf6b 1977 if (context->oom_score_adjust_set) {
d5243d62 1978 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
f2b68789 1979
d5243d62
LP		 1980 /* When we can't make this change due to EPERM, then
1981 * let's silently skip over it. User namespaces
1982 * prohibit write access to this file, and we
1983 * shouldn't trip up over that. */
613b411c 1984
d5243d62 1985 sprintf(t, "%i", context->oom_score_adjust);
ad118bda 1986 r = write_string_file("/proc/self/oom_score_adj", t, 0);
6cb7fa17 1987 if (r == -EPERM || r == -EACCES) {
ff0af2a1 1988 log_open();
f2341e0a 1989 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
ff0af2a1
LP		 1990 log_close();
1991 } else if (r < 0) {
1992 *exit_status = EXIT_OOM_ADJUST;
d35fbf6b 1993 return -errno;
613b411c 1994 }
d35fbf6b
DM		 1995 }
1996
1997 if (context->nice_set)
1998 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
ff0af2a1 1999 *exit_status = EXIT_NICE;
d35fbf6b 2000 return -errno;
613b411c
LP		 2001 }
2002
d35fbf6b
DM		 2003 if (context->cpu_sched_set) {
2004 struct sched_param param = {
2005 .sched_priority = context->cpu_sched_priority,
2006 };
2007
ff0af2a1
LP		 2008 r = sched_setscheduler(0,
2009 context->cpu_sched_policy |
2010 (context->cpu_sched_reset_on_fork ?
2011 SCHED_RESET_ON_FORK : 0),
2012 &param);
2013 if (r < 0) {
2014 *exit_status = EXIT_SETSCHEDULER;
d35fbf6b 2015 return -errno;
fc9b2a84 2016 }
d35fbf6b 2017 }
fc9b2a84 2018
d35fbf6b
DM		 2019 if (context->cpuset)
2020 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
ff0af2a1 2021 *exit_status = EXIT_CPUAFFINITY;
d35fbf6b 2022 return -errno;
034c6ed7
LP		 2023 }
2024
d35fbf6b
DM		 2025 if (context->ioprio_set)
2026 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
ff0af2a1 2027 *exit_status = EXIT_IOPRIO;
d35fbf6b
DM		 2028 return -errno;
2029 }
da726a4d 2030
d35fbf6b
DM		 2031 if (context->timer_slack_nsec != NSEC_INFINITY)
2032 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
ff0af2a1 2033 *exit_status = EXIT_TIMERSLACK;
d35fbf6b 2034 return -errno;
4c2630eb 2035 }
9eba9da4 2036
050f7277 2037 if (context->personality != PERSONALITY_INVALID)
d35fbf6b 2038 if (personality(context->personality) < 0) {
ff0af2a1 2039 *exit_status = EXIT_PERSONALITY;
d35fbf6b 2040 return -errno;
4c2630eb 2041 }
94f04347 2042
d35fbf6b 2043 if (context->utmp_id)
023a4f67
LP		 2044 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path,
2045 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
2046 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
2047 USER_PROCESS,
2048 username ? "root" : context->user);
d35fbf6b 2049
524daa8c 2050 if (context->user && is_terminal_input(context->std_input)) {
ff0af2a1
LP		 2051 r = chown_terminal(STDIN_FILENO, uid);
2052 if (r < 0) {
2053 *exit_status = EXIT_STDIN;
2054 return r;
071830ff 2055 }
d35fbf6b 2056 }
8e274523 2057
a931ad47
LP		 2058 /* If delegation is enabled we'll pass ownership of the cgroup
2059 * (but only in systemd's own controller hierarchy!) to the
2060 * user of the new process. */
2061 if (params->cgroup_path && context->user && params->cgroup_delegate) {
ff0af2a1
LP		 2062 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
2063 if (r < 0) {
2064 *exit_status = EXIT_CGROUP;
2065 return r;
d35fbf6b 2066 }
034c6ed7 2067
034c6ed7 2068
ff0af2a1
LP		 2069 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
2070 if (r < 0) {
2071 *exit_status = EXIT_CGROUP;
2072 return r;
034c6ed7 2073 }
d35fbf6b 2074 }
034c6ed7 2075
d35fbf6b
DM		 2076 if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
2077 char **rt;
fb33a393 2078
d35fbf6b
DM		 2079 STRV_FOREACH(rt, context->runtime_directory) {
2080 _cleanup_free_ char *p;
94f04347 2081
d35fbf6b
DM		 2082 p = strjoin(params->runtime_prefix, "/", *rt, NULL);
2083 if (!p) {
ff0af2a1 2084 *exit_status = EXIT_RUNTIME_DIRECTORY;
d35fbf6b 2085 return -ENOMEM;
94f04347 2086 }
94f04347 2087
6bfe5c28
LP		 2088 r = mkdir_p_label(p, context->runtime_directory_mode);
2089 if (r < 0) {
2090 *exit_status = EXIT_RUNTIME_DIRECTORY;
2091 return r;
2092 }
2093
2094 r = chmod_and_chown(p, context->runtime_directory_mode, uid, gid);
ff0af2a1
LP		 2095 if (r < 0) {
2096 *exit_status = EXIT_RUNTIME_DIRECTORY;
2097 return r;
94f04347 2098 }
d35fbf6b
DM		 2099 }
2100 }
94f04347 2101
7bce046b
LP		 2102 r = build_environment(
2103 context,
2104 params,
2105 n_fds,
2106 home,
2107 username,
2108 shell,
2109 journal_stream_dev,
2110 journal_stream_ino,
2111 &our_env);
2065ca69
JW		 2112 if (r < 0) {
2113 *exit_status = EXIT_MEMORY;
2114 return r;
2115 }
2116
2117 r = build_pass_environment(context, &pass_env);
2118 if (r < 0) {
2119 *exit_status = EXIT_MEMORY;
2120 return r;
2121 }
2122
2123 accum_env = strv_env_merge(5,
2124 params->environment,
2125 our_env,
2126 pass_env,
2127 context->environment,
2128 files_env,
2129 NULL);
2130 if (!accum_env) {
2131 *exit_status = EXIT_MEMORY;
2132 return -ENOMEM;
2133 }
1280503b 2134 accum_env = strv_env_clean(accum_env);
2065ca69 2135
b213e1c1
SW		 2136 umask(context->umask);
2137
c39f1ce2 2138 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
ff0af2a1
LP		 2139 r = enforce_groups(context, username, gid);
2140 if (r < 0) {
2141 *exit_status = EXIT_GROUP;
2142 return r;
d35fbf6b 2143 }
6bf6e43e 2144#ifdef HAVE_SMACK
6bf6e43e
SW		 2145 if (context->smack_process_label) {
2146 r = mac_smack_apply_pid(0, context->smack_process_label);
2147 if (r < 0) {
2148 *exit_status = EXIT_SMACK_PROCESS_LABEL;
2149 return r;
2150 }
2151 }
2152#ifdef SMACK_DEFAULT_PROCESS_LABEL
2153 else {
2154 _cleanup_free_ char *exec_label = NULL;
2155
2156 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
2157 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) {
2158 *exit_status = EXIT_SMACK_PROCESS_LABEL;
2159 return r;
2160 }
2161
2162 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
2163 if (r < 0) {
2164 *exit_status = EXIT_SMACK_PROCESS_LABEL;
2165 return r;
2166 }
2167 }
6bf6e43e
SW		 2168#endif
2169#endif
d35fbf6b 2170#ifdef HAVE_PAM
b213e1c1 2171 if (context->pam_name && username) {
2065ca69 2172 r = setup_pam(context->pam_name, username, uid, context->tty_path, &accum_env, fds, n_fds);
b213e1c1
SW		 2173 if (r < 0) {
2174 *exit_status = EXIT_PAM;
2175 return r;
2176 }
d35fbf6b 2177 }
d35fbf6b 2178#endif
b213e1c1 2179 }
ac45f971 2180
d35fbf6b 2181 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
ff0af2a1
LP		 2182 r = setup_netns(runtime->netns_storage_socket);
2183 if (r < 0) {
2184 *exit_status = EXIT_NETWORK;
2185 return r;
d35fbf6b
DM		 2186 }
2187 }
169c1bda 2188
ee818b89
AC		 2189 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
2190
2191 if (needs_mount_namespace) {
d35fbf6b
DM		 2192 char *tmp = NULL, *var = NULL;
2193
2194 /* The runtime struct only contains the parent
2195 * of the private /tmp, which is
2196 * non-accessible to world users. Inside of it
2197 * there's a /tmp that is sticky, and that's
2198 * the one we want to use here. */
2199
2200 if (context->private_tmp && runtime) {
2201 if (runtime->tmp_dir)
63c372cb 2202 tmp = strjoina(runtime->tmp_dir, "/tmp");
d35fbf6b 2203 if (runtime->var_tmp_dir)
63c372cb 2204 var = strjoina(runtime->var_tmp_dir, "/tmp");
d35fbf6b 2205 }
d8b4e2e9 2206
ff0af2a1 2207 r = setup_namespace(
c39f1ce2 2208 (params->flags & EXEC_APPLY_CHROOT) ? context->root_directory : NULL,
2a624c36
AP		 2209 context->read_write_paths,
2210 context->read_only_paths,
2211 context->inaccessible_paths,
d35fbf6b
DM		 2212 tmp,
2213 var,
2214 context->private_devices,
2215 context->protect_home,
2216 context->protect_system,
2217 context->mount_flags);
0015ebf3 2218
ff0af2a1
LP		 2219 /* If we couldn't set up the namespace this is
2220 * probably due to a missing capability. In this case,
2221 * silently proceeed. */
2222 if (r == -EPERM || r == -EACCES) {
2223 log_open();
f2341e0a 2224 log_unit_debug_errno(unit, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
ff0af2a1
LP		 2225 log_close();
2226 } else if (r < 0) {
2227 *exit_status = EXIT_NAMESPACE;
2228 return r;
81a2b7ce 2229 }
d35fbf6b 2230 }
81a2b7ce 2231
5f5d8eab
LP		 2232 if (context->working_directory_home)
2233 wd = home;
2234 else if (context->working_directory)
2235 wd = context->working_directory;
2236 else
2237 wd = "/";
2238
c39f1ce2 2239 if (params->flags & EXEC_APPLY_CHROOT) {
ee818b89 2240 if (!needs_mount_namespace && context->root_directory)
d35fbf6b 2241 if (chroot(context->root_directory) < 0) {
ff0af2a1 2242 *exit_status = EXIT_CHROOT;
d35fbf6b 2243 return -errno;
8aa75193
LP		 2244 }
2245
5f5d8eab 2246 if (chdir(wd) < 0 &&
4c08c824 2247 !context->working_directory_missing_ok) {
ff0af2a1 2248 *exit_status = EXIT_CHDIR;
d35fbf6b
DM		 2249 return -errno;
2250 }
2251 } else {
5f5d8eab 2252 const char *d;
8aa75193 2253
5f5d8eab 2254 d = strjoina(strempty(context->root_directory), "/", strempty(wd));
cf1d0302
LP		 2255 if (chdir(d) < 0 &&
2256 !context->working_directory_missing_ok) {
ff0af2a1 2257 *exit_status = EXIT_CHDIR;
d35fbf6b
DM		 2258 return -errno;
2259 }
2260 }
e66cf1a3 2261
9008e1ac 2262#ifdef HAVE_SELINUX
c39f1ce2
LP		 2263 if ((params->flags & EXEC_APPLY_PERMISSIONS) &&
2264 mac_selinux_use() &&
2265 params->selinux_context_net &&
2266 socket_fd >= 0 &&
2267 !command->privileged) {
2268
ff0af2a1
LP		 2269 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
2270 if (r < 0) {
2271 *exit_status = EXIT_SELINUX_CONTEXT;
2272 return r;
9008e1ac
MS		 2273 }
2274 }
2275#endif
2276
d87a2ef7 2277 if ((params->flags & EXEC_APPLY_PERMISSIONS) && context->private_users) {
d251207d
LP		 2278 r = setup_private_users(uid, gid);
2279 if (r < 0) {
2280 *exit_status = EXIT_USER;
2281 return r;
2282 }
2283 }
2284
d35fbf6b
DM		 2285 /* We repeat the fd closing here, to make sure that
2286 * nothing is leaked from the PAM modules. Note that
2287 * we are more aggressive this time since socket_fd
e44da745
DM		 2288 * and the netns fds we don't need anymore. The custom
2289 * endpoint fd was needed to upload the policy and can
2290 * now be closed as well. */
ff0af2a1
LP		 2291 r = close_all_fds(fds, n_fds);
2292 if (r >= 0)
2293 r = shift_fds(fds, n_fds);
2294 if (r >= 0)
2295 r = flags_fds(fds, n_fds, context->non_blocking);
2296 if (r < 0) {
2297 *exit_status = EXIT_FDS;
2298 return r;
d35fbf6b 2299 }
e66cf1a3 2300
c39f1ce2 2301 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
e66cf1a3 2302
19c0b0b9
RC		 2303 bool use_address_families = context->address_families_whitelist ||
2304 !set_isempty(context->address_families);
2305 bool use_syscall_filter = context->syscall_whitelist ||
2306 !set_isempty(context->syscall_filter) ||
2307 !set_isempty(context->syscall_archs);
755d4b67
IP		 2308 int secure_bits = context->secure_bits;
2309
d35fbf6b 2310 for (i = 0; i < _RLIMIT_MAX; i++) {
03857c43 2311
d35fbf6b
DM		 2312 if (!context->rlimit[i])
2313 continue;
2314
03857c43
LP		 2315 r = setrlimit_closest(i, context->rlimit[i]);
2316 if (r < 0) {
ff0af2a1 2317 *exit_status = EXIT_LIMITS;
03857c43 2318 return r;
e66cf1a3
LP		 2319 }
2320 }
2321
f4170c67
LP		 2322 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */
2323 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
2324 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
2325 *exit_status = EXIT_LIMITS;
2326 return -errno;
2327 }
2328 }
2329
a103496c
IP		 2330 if (!cap_test_all(context->capability_bounding_set)) {
2331 r = capability_bounding_set_drop(context->capability_bounding_set, false);
ff0af2a1
LP		 2332 if (r < 0) {
2333 *exit_status = EXIT_CAPABILITIES;
2334 return r;
3b8bddde 2335 }
4c2630eb 2336 }
3b8bddde 2337
755d4b67
IP		 2338 /* This is done before enforce_user, but ambient set
2339 * does not survive over setresuid() if keep_caps is not set. */
2340 if (context->capability_ambient_set != 0) {
2341 r = capability_ambient_set_apply(context->capability_ambient_set, true);
2342 if (r < 0) {
2343 *exit_status = EXIT_CAPABILITIES;
2344 return r;
2345 }
755d4b67
IP		 2346 }
2347
d35fbf6b 2348 if (context->user) {
ff0af2a1
LP		 2349 r = enforce_user(context, uid);
2350 if (r < 0) {
2351 *exit_status = EXIT_USER;
2352 return r;
5b6319dc 2353 }
755d4b67
IP		 2354 if (context->capability_ambient_set != 0) {
2355
2356 /* Fix the ambient capabilities after user change. */
2357 r = capability_ambient_set_apply(context->capability_ambient_set, false);
2358 if (r < 0) {
2359 *exit_status = EXIT_CAPABILITIES;
2360 return r;
2361 }
2362
2363 /* If we were asked to change user and ambient capabilities
2364 * were requested, we had to add keep-caps to the securebits
2365 * so that we would maintain the inherited capability set
2366 * through the setresuid(). Make sure that the bit is added
2367 * also to the context secure_bits so that we don't try to
2368 * drop the bit away next. */
2369
7f508f2c 2370 secure_bits |= 1<<SECURE_KEEP_CAPS;
755d4b67 2371 }
5b6319dc 2372 }
d35fbf6b
DM		 2373
2374 /* PR_GET_SECUREBITS is not privileged, while
2375 * PR_SET_SECUREBITS is. So to suppress
2376 * potential EPERMs we'll try not to call
2377 * PR_SET_SECUREBITS unless necessary. */
755d4b67
IP		 2378 if (prctl(PR_GET_SECUREBITS) != secure_bits)
2379 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
ff0af2a1 2380 *exit_status = EXIT_SECUREBITS;
d35fbf6b 2381 return -errno;
ff01d048 2382 }
5b6319dc 2383
19c0b0b9 2384 if (context->no_new_privileges ||
f4170c67 2385 (!have_effective_cap(CAP_SYS_ADMIN) && (use_address_families || context->memory_deny_write_execute || context->restrict_realtime || use_syscall_filter)))
d35fbf6b 2386 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
ff0af2a1 2387 *exit_status = EXIT_NO_NEW_PRIVILEGES;
d35fbf6b
DM		 2388 return -errno;
2389 }
2390
2391#ifdef HAVE_SECCOMP
19c0b0b9 2392 if (use_address_families) {
ff0af2a1
LP		 2393 r = apply_address_families(context);
2394 if (r < 0) {
2395 *exit_status = EXIT_ADDRESS_FAMILIES;
2396 return r;
4c2630eb
MS		 2397 }
2398 }
04aa0cb9 2399
f3e43635
TM		 2400 if (context->memory_deny_write_execute) {
2401 r = apply_memory_deny_write_execute(context);
2402 if (r < 0) {
2403 *exit_status = EXIT_SECCOMP;
2404 return r;
2405 }
2406 }
f4170c67
LP		 2407
2408 if (context->restrict_realtime) {
2409 r = apply_restrict_realtime(context);
2410 if (r < 0) {
2411 *exit_status = EXIT_SECCOMP;
2412 return r;
2413 }
2414 }
2415
19c0b0b9 2416 if (use_syscall_filter) {
ff0af2a1
LP		 2417 r = apply_seccomp(context);
2418 if (r < 0) {
2419 *exit_status = EXIT_SECCOMP;
2420 return r;
81a2b7ce 2421 }
d35fbf6b
DM		 2422 }
2423#endif
81a2b7ce 2424
d35fbf6b 2425#ifdef HAVE_SELINUX
6baa7db0 2426 if (mac_selinux_use()) {
9008e1ac 2427 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
16115b0a 2428
9008e1ac 2429 if (exec_context) {
ff0af2a1
LP		 2430 r = setexeccon(exec_context);
2431 if (r < 0) {
2432 *exit_status = EXIT_SELINUX_CONTEXT;
2433 return r;
16115b0a 2434 }
81a2b7ce 2435 }
81a2b7ce 2436 }
d35fbf6b 2437#endif
81a2b7ce 2438
d35fbf6b 2439#ifdef HAVE_APPARMOR
6baa7db0 2440 if (context->apparmor_profile && mac_apparmor_use()) {
ff0af2a1
LP		 2441 r = aa_change_onexec(context->apparmor_profile);
2442 if (r < 0 && !context->apparmor_profile_ignore) {
2443 *exit_status = EXIT_APPARMOR_PROFILE;
5482192e 2444 return -errno;
d35fbf6b 2445 }
034c6ed7 2446 }
d35fbf6b
DM		 2447#endif
2448 }
034c6ed7 2449
2065ca69 2450 final_argv = replace_env_argv(argv, accum_env);
d35fbf6b 2451 if (!final_argv) {
ff0af2a1 2452 *exit_status = EXIT_MEMORY;
d35fbf6b
DM		 2453 return -ENOMEM;
2454 }
034c6ed7 2455
553d2243 2456 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
d35fbf6b 2457 _cleanup_free_ char *line;
81a2b7ce 2458
d35fbf6b
DM		 2459 line = exec_command_line(final_argv);
2460 if (line) {
2461 log_open();
f2341e0a
LP		 2462 log_struct(LOG_DEBUG,
2463 LOG_UNIT_ID(unit),
2464 "EXECUTABLE=%s", command->path,
2465 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
2466 NULL);
d35fbf6b
DM		 2467 log_close();
2468 }
2469 }
dd305ec9 2470
2065ca69 2471 execve(command->path, final_argv, accum_env);
ff0af2a1 2472 *exit_status = EXIT_EXEC;
d35fbf6b
DM		 2473 return -errno;
2474}
81a2b7ce 2475
f2341e0a
LP		 2476int exec_spawn(Unit *unit,
2477 ExecCommand *command,
d35fbf6b
DM		 2478 const ExecContext *context,
2479 const ExecParameters *params,
2480 ExecRuntime *runtime,
29206d46 2481 DynamicCreds *dcreds,
d35fbf6b 2482 pid_t *ret) {
8351ceae 2483
d35fbf6b
DM		 2484 _cleanup_strv_free_ char **files_env = NULL;
2485 int *fds = NULL; unsigned n_fds = 0;
ff0af2a1
LP		 2486 _cleanup_free_ char *line = NULL;
2487 int socket_fd, r;
2488 char **argv;
d35fbf6b 2489 pid_t pid;
8351ceae 2490
f2341e0a 2491 assert(unit);
d35fbf6b
DM		 2492 assert(command);
2493 assert(context);
2494 assert(ret);
2495 assert(params);
2496 assert(params->fds || params->n_fds <= 0);
4298d0b5 2497
d35fbf6b
DM		 2498 if (context->std_input == EXEC_INPUT_SOCKET ||
2499 context->std_output == EXEC_OUTPUT_SOCKET ||
2500 context->std_error == EXEC_OUTPUT_SOCKET) {
17df7223 2501
ff0af2a1 2502 if (params->n_fds != 1) {
f2341e0a 2503 log_unit_error(unit, "Got more than one socket.");
d35fbf6b 2504 return -EINVAL;
ff0af2a1 2505 }
eef65bf3 2506
d35fbf6b
DM		 2507 socket_fd = params->fds[0];
2508 } else {
2509 socket_fd = -1;
2510 fds = params->fds;
2511 n_fds = params->n_fds;
2512 }
94f04347 2513
f2341e0a 2514 r = exec_context_load_environment(unit, context, &files_env);
ff0af2a1 2515 if (r < 0)
f2341e0a 2516 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
034c6ed7 2517
d35fbf6b 2518 argv = params->argv ?: command->argv;
d35fbf6b
DM		 2519 line = exec_command_line(argv);
2520 if (!line)
2521 return log_oom();
fab56fc5 2522
f2341e0a
LP		 2523 log_struct(LOG_DEBUG,
2524 LOG_UNIT_ID(unit),
2525 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
2526 "EXECUTABLE=%s", command->path,
2527 NULL);
d35fbf6b
DM		 2528 pid = fork();
2529 if (pid < 0)
74129a12 2530 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
d35fbf6b
DM		 2531
2532 if (pid == 0) {
ff0af2a1
LP		 2533 int exit_status;
2534
f2341e0a
LP		 2535 r = exec_child(unit,
2536 command,
ff0af2a1
LP		 2537 context,
2538 params,
2539 runtime,
29206d46 2540 dcreds,
ff0af2a1
LP		 2541 argv,
2542 socket_fd,
2543 fds, n_fds,
2544 files_env,
00d9ef85 2545 unit->manager->user_lookup_fds[1],
ff0af2a1
LP		 2546 &exit_status);
2547 if (r < 0) {
4c2630eb 2548 log_open();
f2341e0a
LP		 2549 log_struct_errno(LOG_ERR, r,
2550 LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
2551 LOG_UNIT_ID(unit),
2552 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
2553 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
2554 command->path),
2555 "EXECUTABLE=%s", command->path,
2556 NULL);
4c2630eb
MS		 2557 }
2558
ff0af2a1 2559 _exit(exit_status);
034c6ed7
LP		 2560 }
2561
f2341e0a 2562 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
23635a85 2563
80876c20
LP		 2564 /* We add the new process to the cgroup both in the child (so
2565 * that we can be sure that no user code is ever executed
2566 * outside of the cgroup) and in the parent (so that we can be
2567 * sure that when we kill the cgroup the process will be
2568 * killed too). */
d35fbf6b 2569 if (params->cgroup_path)
dd305ec9 2570 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
2da3263a 2571
b58b4116 2572 exec_status_start(&command->exec_status, pid);
9fb86720 2573
034c6ed7 2574 *ret = pid;
5cb5a6ff
LP		 2575 return 0;
2576}
2577
034c6ed7
LP		 2578void exec_context_init(ExecContext *c) {
2579 assert(c);
2580
4c12626c 2581 c->umask = 0022;
9eba9da4 2582 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
94f04347 2583 c->cpu_sched_policy = SCHED_OTHER;
071830ff 2584 c->syslog_priority = LOG_DAEMON|LOG_INFO;
74922904 2585 c->syslog_level_prefix = true;
353e12c2 2586 c->ignore_sigpipe = true;
3a43da28 2587 c->timer_slack_nsec = NSEC_INFINITY;
050f7277 2588 c->personality = PERSONALITY_INVALID;
e66cf1a3 2589 c->runtime_directory_mode = 0755;
a103496c 2590 c->capability_bounding_set = CAP_ALL;
034c6ed7
LP		 2591}
2592
613b411c 2593void exec_context_done(ExecContext *c) {
5cb5a6ff
LP		 2594 unsigned l;
2595
2596 assert(c);
2597
6796073e
LP		 2598 c->environment = strv_free(c->environment);
2599 c->environment_files = strv_free(c->environment_files);
b4c14404 2600 c->pass_environment = strv_free(c->pass_environment);
8c7be95e 2601
1f6b4113 2602 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
a1e58e8e 2603 c->rlimit[l] = mfree(c->rlimit[l]);
034c6ed7 2604
a1e58e8e
LP		 2605 c->working_directory = mfree(c->working_directory);
2606 c->root_directory = mfree(c->root_directory);
2607 c->tty_path = mfree(c->tty_path);
2608 c->syslog_identifier = mfree(c->syslog_identifier);
2609 c->user = mfree(c->user);
2610 c->group = mfree(c->group);
034c6ed7 2611
6796073e 2612 c->supplementary_groups = strv_free(c->supplementary_groups);
94f04347 2613
a1e58e8e 2614 c->pam_name = mfree(c->pam_name);
5b6319dc 2615
2a624c36
AP		 2616 c->read_only_paths = strv_free(c->read_only_paths);
2617 c->read_write_paths = strv_free(c->read_write_paths);
2618 c->inaccessible_paths = strv_free(c->inaccessible_paths);
82c121a4
LP		 2619
2620 if (c->cpuset)
2621 CPU_FREE(c->cpuset);
86a3475b 2622
a1e58e8e
LP		 2623 c->utmp_id = mfree(c->utmp_id);
2624 c->selinux_context = mfree(c->selinux_context);
2625 c->apparmor_profile = mfree(c->apparmor_profile);
eef65bf3 2626
525d3cc7
LP		 2627 c->syscall_filter = set_free(c->syscall_filter);
2628 c->syscall_archs = set_free(c->syscall_archs);
2629 c->address_families = set_free(c->address_families);
e66cf1a3 2630
6796073e 2631 c->runtime_directory = strv_free(c->runtime_directory);
e66cf1a3
LP		 2632}
2633
2634int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
2635 char **i;
2636
2637 assert(c);
2638
2639 if (!runtime_prefix)
2640 return 0;
2641
2642 STRV_FOREACH(i, c->runtime_directory) {
2643 _cleanup_free_ char *p;
2644
2645 p = strjoin(runtime_prefix, "/", *i, NULL);
2646 if (!p)
2647 return -ENOMEM;
2648
2649 /* We execute this synchronously, since we need to be
2650 * sure this is gone when we start the service
2651 * next. */
c6878637 2652 (void) rm_rf(p, REMOVE_ROOT);
e66cf1a3
LP		 2653 }
2654
2655 return 0;
5cb5a6ff
LP		 2656}
2657
43d0fcbd
LP		 2658void exec_command_done(ExecCommand *c) {
2659 assert(c);
2660
a1e58e8e 2661 c->path = mfree(c->path);
43d0fcbd 2662
6796073e 2663 c->argv = strv_free(c->argv);
43d0fcbd
LP		 2664}
2665
2666void exec_command_done_array(ExecCommand *c, unsigned n) {
2667 unsigned i;
2668
2669 for (i = 0; i < n; i++)
2670 exec_command_done(c+i);
2671}
2672
f1acf85a 2673ExecCommand* exec_command_free_list(ExecCommand *c) {
5cb5a6ff
LP		 2674 ExecCommand *i;
2675
2676 while ((i = c)) {
71fda00f 2677 LIST_REMOVE(command, c, i);
43d0fcbd 2678 exec_command_done(i);
5cb5a6ff
LP		 2679 free(i);
2680 }
f1acf85a
ZJS		 2681
2682 return NULL;
5cb5a6ff
LP		 2683}
2684
034c6ed7
LP		 2685void exec_command_free_array(ExecCommand **c, unsigned n) {
2686 unsigned i;
2687
f1acf85a
ZJS		 2688 for (i = 0; i < n; i++)
2689 c[i] = exec_command_free_list(c[i]);
034c6ed7
LP		 2690}
2691
039f0e70 2692typedef struct InvalidEnvInfo {
f2341e0a 2693 Unit *unit;
039f0e70
LP		 2694 const char *path;
2695} InvalidEnvInfo;
2696
2697static void invalid_env(const char *p, void *userdata) {
2698 InvalidEnvInfo *info = userdata;
2699
f2341e0a 2700 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
039f0e70
LP		 2701}
2702
f2341e0a 2703int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
8c7be95e
LP		 2704 char **i, **r = NULL;
2705
2706 assert(c);
2707 assert(l);
2708
2709 STRV_FOREACH(i, c->environment_files) {
2710 char *fn;
2711 int k;
2712 bool ignore = false;
2713 char **p;
7fd1b19b 2714 _cleanup_globfree_ glob_t pglob = {};
2bef10ab 2715 int count, n;
8c7be95e
LP		 2716
2717 fn = *i;
2718
2719 if (fn[0] == '-') {
2720 ignore = true;
313cefa1 2721 fn++;
8c7be95e
LP		 2722 }
2723
2724 if (!path_is_absolute(fn)) {
8c7be95e
LP		 2725 if (ignore)
2726 continue;
2727
2728 strv_free(r);
2729 return -EINVAL;
2730 }
2731
2bef10ab 2732 /* Filename supports globbing, take all matching files */
2bef10ab
PL		 2733 errno = 0;
2734 if (glob(fn, 0, NULL, &pglob) != 0) {
2bef10ab
PL		 2735 if (ignore)
2736 continue;
8c7be95e 2737
2bef10ab 2738 strv_free(r);
f5e5c28f 2739 return errno > 0 ? -errno : -EINVAL;
2bef10ab
PL		 2740 }
2741 count = pglob.gl_pathc;
2742 if (count == 0) {
8c7be95e
LP		 2743 if (ignore)
2744 continue;
2745
2746 strv_free(r);
2bef10ab 2747 return -EINVAL;
8c7be95e 2748 }
2bef10ab 2749 for (n = 0; n < count; n++) {
717603e3 2750 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
2bef10ab
PL		 2751 if (k < 0) {
2752 if (ignore)
2753 continue;
8c7be95e 2754
2bef10ab 2755 strv_free(r);
2bef10ab 2756 return k;
e9c1ea9d 2757 }
ebc05a09 2758 /* Log invalid environment variables with filename */
039f0e70
LP		 2759 if (p) {
2760 InvalidEnvInfo info = {
f2341e0a 2761 .unit = unit,
039f0e70
LP		 2762 .path = pglob.gl_pathv[n]
2763 };
2764
2765 p = strv_env_clean_with_callback(p, invalid_env, &info);
2766 }
8c7be95e 2767
2bef10ab
PL		 2768 if (r == NULL)
2769 r = p;
2770 else {
2771 char **m;
8c7be95e 2772
2bef10ab
PL		 2773 m = strv_env_merge(2, r, p);
2774 strv_free(r);
2775 strv_free(p);
c84a9488 2776 if (!m)
2bef10ab 2777 return -ENOMEM;
2bef10ab
PL		 2778
2779 r = m;
2780 }
8c7be95e
LP		 2781 }
2782 }
2783
2784 *l = r;
2785
2786 return 0;
2787}
2788
6ac8fdc9 2789static bool tty_may_match_dev_console(const char *tty) {
e1d75803 2790 _cleanup_free_ char *active = NULL;
7d6884b6 2791 char *console;
6ac8fdc9 2792
1e22b5cd
LP		 2793 if (!tty)
2794 return true;
2795
6ac8fdc9
MS		 2796 if (startswith(tty, "/dev/"))
2797 tty += 5;
2798
2799 /* trivial identity? */
2800 if (streq(tty, "console"))
2801 return true;
2802
2803 console = resolve_dev_console(&active);
2804 /* if we could not resolve, assume it may */
2805 if (!console)
2806 return true;
2807
2808 /* "tty0" means the active VC, so it may be the same sometimes */
e1d75803 2809 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
6ac8fdc9
MS		 2810}
2811
2812bool exec_context_may_touch_console(ExecContext *ec) {
1e22b5cd
LP		 2813
2814 return (ec->tty_reset ||
2815 ec->tty_vhangup ||
2816 ec->tty_vt_disallocate ||
6ac8fdc9
MS		 2817 is_terminal_input(ec->std_input) ||
2818 is_terminal_output(ec->std_output) ||
2819 is_terminal_output(ec->std_error)) &&
1e22b5cd 2820 tty_may_match_dev_console(exec_context_tty_path(ec));
6ac8fdc9
MS		 2821}
2822
15ae422b
LP		 2823static void strv_fprintf(FILE *f, char **l) {
2824 char **g;
2825
2826 assert(f);
2827
2828 STRV_FOREACH(g, l)
2829 fprintf(f, " %s", *g);
2830}
2831
5cb5a6ff 2832void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
c2bbd90b 2833 char **e, **d;
94f04347 2834 unsigned i;
9eba9da4 2835
5cb5a6ff
LP		 2836 assert(c);
2837 assert(f);
2838
4ad49000 2839 prefix = strempty(prefix);
5cb5a6ff
LP		 2840
2841 fprintf(f,
94f04347
LP		 2842 "%sUMask: %04o\n"
2843 "%sWorkingDirectory: %s\n"
451a074f 2844 "%sRootDirectory: %s\n"
15ae422b 2845 "%sNonBlocking: %s\n"
64747e2d 2846 "%sPrivateTmp: %s\n"
7f112f50 2847 "%sPrivateDevices: %s\n"
d251207d
LP		 2848 "%sPrivateNetwork: %s\n"
2849 "%sPrivateUsers: %s\n"
1b8689f9
LP		 2850 "%sProtectHome: %s\n"
2851 "%sProtectSystem: %s\n"
f3e43635 2852 "%sIgnoreSIGPIPE: %s\n"
f4170c67
LP		 2853 "%sMemoryDenyWriteExecute: %s\n"
2854 "%sRestrictRealtime: %s\n",
5cb5a6ff 2855 prefix, c->umask,
9eba9da4 2856 prefix, c->working_directory ? c->working_directory : "/",
451a074f 2857 prefix, c->root_directory ? c->root_directory : "/",
15ae422b 2858 prefix, yes_no(c->non_blocking),
64747e2d 2859 prefix, yes_no(c->private_tmp),
7f112f50 2860 prefix, yes_no(c->private_devices),
d251207d
LP		 2861 prefix, yes_no(c->private_network),
2862 prefix, yes_no(c->private_users),
1b8689f9
LP		 2863 prefix, protect_home_to_string(c->protect_home),
2864 prefix, protect_system_to_string(c->protect_system),
f3e43635 2865 prefix, yes_no(c->ignore_sigpipe),
f4170c67
LP		 2866 prefix, yes_no(c->memory_deny_write_execute),
2867 prefix, yes_no(c->restrict_realtime));
fb33a393 2868
8c7be95e
LP		 2869 STRV_FOREACH(e, c->environment)
2870 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
2871
2872 STRV_FOREACH(e, c->environment_files)
2873 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
94f04347 2874
b4c14404
FB		 2875 STRV_FOREACH(e, c->pass_environment)
2876 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
2877
c2bbd90b
EV		 2878 fprintf(f, "%sRuntimeDirectoryMode: %04o\n", prefix, c->runtime_directory_mode);
2879
2880 STRV_FOREACH(d, c->runtime_directory)
2881 fprintf(f, "%sRuntimeDirectory: %s\n", prefix, *d);
2882
fb33a393
LP		 2883 if (c->nice_set)
2884 fprintf(f,
2885 "%sNice: %i\n",
2886 prefix, c->nice);
2887
dd6c17b1 2888 if (c->oom_score_adjust_set)
fb33a393 2889 fprintf(f,
dd6c17b1
LP		 2890 "%sOOMScoreAdjust: %i\n",
2891 prefix, c->oom_score_adjust);
9eba9da4 2892
94f04347 2893 for (i = 0; i < RLIM_NLIMITS; i++)
3c11da9d
EV		 2894 if (c->rlimit[i]) {
2895 fprintf(f, "%s%s: " RLIM_FMT "\n",
2896 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
2897 fprintf(f, "%s%sSoft: " RLIM_FMT "\n",
2898 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
2899 }
94f04347 2900
f8b69d1d 2901 if (c->ioprio_set) {
1756a011 2902 _cleanup_free_ char *class_str = NULL;
f8b69d1d 2903
1756a011 2904 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
9eba9da4
LP		 2905 fprintf(f,
2906 "%sIOSchedulingClass: %s\n"
2907 "%sIOPriority: %i\n",
f8b69d1d 2908 prefix, strna(class_str),
9eba9da4 2909 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
f8b69d1d 2910 }
94f04347 2911
f8b69d1d 2912 if (c->cpu_sched_set) {
1756a011 2913 _cleanup_free_ char *policy_str = NULL;
f8b69d1d 2914
1756a011 2915 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
94f04347
LP		 2916 fprintf(f,
2917 "%sCPUSchedulingPolicy: %s\n"
38b48754
LP		 2918 "%sCPUSchedulingPriority: %i\n"
2919 "%sCPUSchedulingResetOnFork: %s\n",
f8b69d1d 2920 prefix, strna(policy_str),
38b48754
LP		 2921 prefix, c->cpu_sched_priority,
2922 prefix, yes_no(c->cpu_sched_reset_on_fork));
b929bf04 2923 }
94f04347 2924
82c121a4 2925 if (c->cpuset) {
94f04347 2926 fprintf(f, "%sCPUAffinity:", prefix);
82c121a4
LP		 2927 for (i = 0; i < c->cpuset_ncpus; i++)
2928 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
43a99a7a 2929 fprintf(f, " %u", i);
94f04347
LP		 2930 fputs("\n", f);
2931 }
2932
3a43da28 2933 if (c->timer_slack_nsec != NSEC_INFINITY)
ccd06097 2934 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
94f04347
LP		 2935
2936 fprintf(f,
80876c20
LP		 2937 "%sStandardInput: %s\n"
2938 "%sStandardOutput: %s\n"
2939 "%sStandardError: %s\n",
2940 prefix, exec_input_to_string(c->std_input),
2941 prefix, exec_output_to_string(c->std_output),
2942 prefix, exec_output_to_string(c->std_error));
2943
2944 if (c->tty_path)
2945 fprintf(f,
6ea832a2
LP		 2946 "%sTTYPath: %s\n"
2947 "%sTTYReset: %s\n"
2948 "%sTTYVHangup: %s\n"
2949 "%sTTYVTDisallocate: %s\n",
2950 prefix, c->tty_path,
2951 prefix, yes_no(c->tty_reset),
2952 prefix, yes_no(c->tty_vhangup),
2953 prefix, yes_no(c->tty_vt_disallocate));
94f04347 2954
5ce70e5b
ZJS		 2955 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
2956 c->std_output == EXEC_OUTPUT_KMSG ||
2957 c->std_output == EXEC_OUTPUT_JOURNAL ||
2958 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2959 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2960 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
2961 c->std_error == EXEC_OUTPUT_SYSLOG ||
2962 c->std_error == EXEC_OUTPUT_KMSG ||
2963 c->std_error == EXEC_OUTPUT_JOURNAL ||
2964 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2965 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2966 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
f8b69d1d 2967
5ce70e5b 2968 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
f8b69d1d 2969
5ce70e5b
ZJS		 2970 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
2971 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
f8b69d1d 2972
94f04347
LP		 2973 fprintf(f,
2974 "%sSyslogFacility: %s\n"
2975 "%sSyslogLevel: %s\n",
f8b69d1d
MS		 2976 prefix, strna(fac_str),
2977 prefix, strna(lvl_str));
f8b69d1d 2978 }
94f04347 2979
94f04347
LP		 2980 if (c->secure_bits)
2981 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
2982 prefix,
cbb21cca
ZJS		 2983 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
2984 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
2985 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
2986 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
2987 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
2988 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
94f04347 2989
a103496c 2990 if (c->capability_bounding_set != CAP_ALL) {
ae556c21 2991 unsigned long l;
260abb78 2992 fprintf(f, "%sCapabilityBoundingSet:", prefix);
94f04347 2993
64685e0c 2994 for (l = 0; l <= cap_last_cap(); l++)
a103496c 2995 if (c->capability_bounding_set & (UINT64_C(1) << l))
2822da4f 2996 fprintf(f, " %s", strna(capability_to_name(l)));
94f04347
LP		 2997
2998 fputs("\n", f);
755d4b67
IP		 2999 }
3000
3001 if (c->capability_ambient_set != 0) {
3002 unsigned long l;
3003 fprintf(f, "%sAmbientCapabilities:", prefix);
3004
3005 for (l = 0; l <= cap_last_cap(); l++)
3006 if (c->capability_ambient_set & (UINT64_C(1) << l))
3007 fprintf(f, " %s", strna(capability_to_name(l)));
3008
3009 fputs("\n", f);
94f04347
LP		 3010 }
3011
3012 if (c->user)
f2d3769a 3013 fprintf(f, "%sUser: %s\n", prefix, c->user);
94f04347 3014 if (c->group)
f2d3769a 3015 fprintf(f, "%sGroup: %s\n", prefix, c->group);
94f04347 3016
29206d46
LP		 3017 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
3018
15ae422b 3019 if (strv_length(c->supplementary_groups) > 0) {
94f04347 3020 fprintf(f, "%sSupplementaryGroups:", prefix);
15ae422b
LP		 3021 strv_fprintf(f, c->supplementary_groups);
3022 fputs("\n", f);
3023 }
94f04347 3024
5b6319dc 3025 if (c->pam_name)
f2d3769a 3026 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
5b6319dc 3027
2a624c36
AP		 3028 if (strv_length(c->read_write_paths) > 0) {
3029 fprintf(f, "%sReadWritePaths:", prefix);
3030 strv_fprintf(f, c->read_write_paths);
15ae422b
LP		 3031 fputs("\n", f);
3032 }
3033
2a624c36
AP		 3034 if (strv_length(c->read_only_paths) > 0) {
3035 fprintf(f, "%sReadOnlyPaths:", prefix);
3036 strv_fprintf(f, c->read_only_paths);
15ae422b
LP		 3037 fputs("\n", f);
3038 }
94f04347 3039
2a624c36
AP		 3040 if (strv_length(c->inaccessible_paths) > 0) {
3041 fprintf(f, "%sInaccessiblePaths:", prefix);
3042 strv_fprintf(f, c->inaccessible_paths);
94f04347
LP		 3043 fputs("\n", f);
3044 }
2e22afe9 3045
169c1bda
LP		 3046 if (c->utmp_id)
3047 fprintf(f,
3048 "%sUtmpIdentifier: %s\n",
3049 prefix, c->utmp_id);
7b52a628
MS		 3050
3051 if (c->selinux_context)
3052 fprintf(f,
5f8640fb
LP		 3053 "%sSELinuxContext: %s%s\n",
3054 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
17df7223 3055
050f7277 3056 if (c->personality != PERSONALITY_INVALID)
ac45f971
LP		 3057 fprintf(f,
3058 "%sPersonality: %s\n",
3059 prefix, strna(personality_to_string(c->personality)));
3060
17df7223 3061 if (c->syscall_filter) {
351a19b1 3062#ifdef HAVE_SECCOMP
17df7223
LP		 3063 Iterator j;
3064 void *id;
3065 bool first = true;
351a19b1 3066#endif
17df7223
LP		 3067
3068 fprintf(f,
57183d11 3069 "%sSystemCallFilter: ",
17df7223
LP		 3070 prefix);
3071
3072 if (!c->syscall_whitelist)
3073 fputc('~', f);
3074
351a19b1 3075#ifdef HAVE_SECCOMP
17df7223
LP		 3076 SET_FOREACH(id, c->syscall_filter, j) {
3077 _cleanup_free_ char *name = NULL;
3078
3079 if (first)
3080 first = false;
3081 else
3082 fputc(' ', f);
3083
57183d11 3084 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
17df7223
LP		 3085 fputs(strna(name), f);
3086 }
351a19b1 3087#endif
17df7223
LP		 3088
3089 fputc('\n', f);
3090 }
3091
57183d11
LP		 3092 if (c->syscall_archs) {
3093#ifdef HAVE_SECCOMP
3094 Iterator j;
3095 void *id;
3096#endif
3097
3098 fprintf(f,
3099 "%sSystemCallArchitectures:",
3100 prefix);
3101
3102#ifdef HAVE_SECCOMP
3103 SET_FOREACH(id, c->syscall_archs, j)
3104 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
3105#endif
3106 fputc('\n', f);
3107 }
3108
b3267152 3109 if (c->syscall_errno > 0)
17df7223
LP		 3110 fprintf(f,
3111 "%sSystemCallErrorNumber: %s\n",
3112 prefix, strna(errno_to_name(c->syscall_errno)));
eef65bf3
MS		 3113
3114 if (c->apparmor_profile)
3115 fprintf(f,
3116 "%sAppArmorProfile: %s%s\n",
3117 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
5cb5a6ff
LP		 3118}
3119
a931ad47
LP		 3120bool exec_context_maintains_privileges(ExecContext *c) {
3121 assert(c);
3122
61233823 3123 /* Returns true if the process forked off would run under
a931ad47
LP		 3124 * an unchanged UID or as root. */
3125
3126 if (!c->user)
3127 return true;
3128
3129 if (streq(c->user, "root") || streq(c->user, "0"))
3130 return true;
3131
3132 return false;
3133}
3134
b58b4116 3135void exec_status_start(ExecStatus *s, pid_t pid) {
034c6ed7 3136 assert(s);
5cb5a6ff 3137
b58b4116
LP		 3138 zero(*s);
3139 s->pid = pid;
3140 dual_timestamp_get(&s->start_timestamp);
3141}
3142
6ea832a2 3143void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
b58b4116
LP		 3144 assert(s);
3145
0b1f4ae6 3146 if (s->pid && s->pid != pid)
b58b4116
LP		 3147 zero(*s);
3148
034c6ed7 3149 s->pid = pid;
63983207 3150 dual_timestamp_get(&s->exit_timestamp);
9fb86720 3151
034c6ed7
LP		 3152 s->code = code;
3153 s->status = status;
169c1bda 3154
6ea832a2
LP		 3155 if (context) {
3156 if (context->utmp_id)
3157 utmp_put_dead_process(context->utmp_id, pid, code, status);
3158
1e22b5cd 3159 exec_context_tty_reset(context, NULL);
6ea832a2 3160 }
9fb86720
LP		 3161}
3162
3163void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
3164 char buf[FORMAT_TIMESTAMP_MAX];
3165
3166 assert(s);
3167 assert(f);
3168
9fb86720
LP		 3169 if (s->pid <= 0)
3170 return;
3171
4c940960
LP		 3172 prefix = strempty(prefix);
3173
9fb86720 3174 fprintf(f,
ccd06097
ZJS		 3175 "%sPID: "PID_FMT"\n",
3176 prefix, s->pid);
9fb86720 3177
af9d16e1 3178 if (dual_timestamp_is_set(&s->start_timestamp))
9fb86720
LP		 3179 fprintf(f,
3180 "%sStart Timestamp: %s\n",
63983207 3181 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
9fb86720 3182
af9d16e1 3183 if (dual_timestamp_is_set(&s->exit_timestamp))
9fb86720
LP		 3184 fprintf(f,
3185 "%sExit Timestamp: %s\n"
3186 "%sExit Code: %s\n"
3187 "%sExit Status: %i\n",
63983207 3188 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
9fb86720
LP		 3189 prefix, sigchld_code_to_string(s->code),
3190 prefix, s->status);
5cb5a6ff 3191}
44d8db9e 3192
9e2f7c11 3193char *exec_command_line(char **argv) {
44d8db9e
LP		 3194 size_t k;
3195 char *n, *p, **a;
3196 bool first = true;
3197
9e2f7c11 3198 assert(argv);
44d8db9e 3199
9164977d 3200 k = 1;
9e2f7c11 3201 STRV_FOREACH(a, argv)
44d8db9e
LP		 3202 k += strlen(*a)+3;
3203
3204 if (!(n = new(char, k)))
3205 return NULL;
3206
3207 p = n;
9e2f7c11 3208 STRV_FOREACH(a, argv) {
44d8db9e
LP		 3209
3210 if (!first)
3211 *(p++) = ' ';
3212 else
3213 first = false;
3214
3215 if (strpbrk(*a, WHITESPACE)) {
3216 *(p++) = '\'';
3217 p = stpcpy(p, *a);
3218 *(p++) = '\'';
3219 } else
3220 p = stpcpy(p, *a);
3221
3222 }
3223
9164977d
LP		 3224 *p = 0;
3225
44d8db9e
LP		 3226 /* FIXME: this doesn't really handle arguments that have
3227 * spaces and ticks in them */
3228
3229 return n;
3230}
3231
3232void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
e1d75803 3233 _cleanup_free_ char *cmd = NULL;
4c940960 3234 const char *prefix2;
44d8db9e
LP		 3235
3236 assert(c);
3237 assert(f);
3238
4c940960 3239 prefix = strempty(prefix);
63c372cb 3240 prefix2 = strjoina(prefix, "\t");
44d8db9e 3241
9e2f7c11 3242 cmd = exec_command_line(c->argv);
44d8db9e
LP		 3243 fprintf(f,
3244 "%sCommand Line: %s\n",
3245 prefix, cmd ? cmd : strerror(ENOMEM));
3246
9fb86720 3247 exec_status_dump(&c->exec_status, f, prefix2);
44d8db9e
LP		 3248}
3249
3250void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
3251 assert(f);
3252
4c940960 3253 prefix = strempty(prefix);
44d8db9e
LP		 3254
3255 LIST_FOREACH(command, c, c)
3256 exec_command_dump(c, f, prefix);
3257}
94f04347 3258
a6a80b4f
LP		 3259void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
3260 ExecCommand *end;
3261
3262 assert(l);
3263 assert(e);
3264
3265 if (*l) {
35b8ca3a 3266 /* It's kind of important, that we keep the order here */
71fda00f
LP		 3267 LIST_FIND_TAIL(command, *l, end);
3268 LIST_INSERT_AFTER(command, *l, end, e);
a6a80b4f
LP		 3269 } else
3270 *l = e;
3271}
3272
26fd040d
LP		 3273int exec_command_set(ExecCommand *c, const char *path, ...) {
3274 va_list ap;
3275 char **l, *p;
3276
3277 assert(c);
3278 assert(path);
3279
3280 va_start(ap, path);
3281 l = strv_new_ap(path, ap);
3282 va_end(ap);
3283
3284 if (!l)
3285 return -ENOMEM;
3286
250a918d
LP		 3287 p = strdup(path);
3288 if (!p) {
26fd040d
LP		 3289 strv_free(l);
3290 return -ENOMEM;
3291 }
3292
3293 free(c->path);
3294 c->path = p;
3295
3296 strv_free(c->argv);
3297 c->argv = l;
3298
3299 return 0;
3300}
3301
86b23b07 3302int exec_command_append(ExecCommand *c, const char *path, ...) {
e63ff941 3303 _cleanup_strv_free_ char **l = NULL;
86b23b07 3304 va_list ap;
86b23b07
JS		 3305 int r;
3306
3307 assert(c);
3308 assert(path);
3309
3310 va_start(ap, path);
3311 l = strv_new_ap(path, ap);
3312 va_end(ap);
3313
3314 if (!l)
3315 return -ENOMEM;
3316
e287086b 3317 r = strv_extend_strv(&c->argv, l, false);
e63ff941 3318 if (r < 0)
86b23b07 3319 return r;
86b23b07
JS		 3320
3321 return 0;
3322}
3323
3324
613b411c
LP		 3325static int exec_runtime_allocate(ExecRuntime **rt) {
3326
3327 if (*rt)
3328 return 0;
3329
3330 *rt = new0(ExecRuntime, 1);
f146f5e1 3331 if (!*rt)
613b411c
LP		 3332 return -ENOMEM;
3333
3334 (*rt)->n_ref = 1;
3335 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
3336
3337 return 0;
3338}
3339
3340int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
3341 int r;
3342
3343 assert(rt);
3344 assert(c);
3345 assert(id);
3346
3347 if (*rt)
3348 return 1;
3349
3350 if (!c->private_network && !c->private_tmp)
3351 return 0;
3352
3353 r = exec_runtime_allocate(rt);
3354 if (r < 0)
3355 return r;
3356
3357 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
33df919d 3358 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, (*rt)->netns_storage_socket) < 0)
613b411c
LP		 3359 return -errno;
3360 }
3361
3362 if (c->private_tmp && !(*rt)->tmp_dir) {
3363 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
3364 if (r < 0)
3365 return r;
3366 }
3367
3368 return 1;
3369}
3370
3371ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
3372 assert(r);
3373 assert(r->n_ref > 0);
3374
3375 r->n_ref++;
3376 return r;
3377}
3378
3379ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
3380
3381 if (!r)
3382 return NULL;
3383
3384 assert(r->n_ref > 0);
3385
3386 r->n_ref--;
f2341e0a
LP		 3387 if (r->n_ref > 0)
3388 return NULL;
3389
3390 free(r->tmp_dir);
3391 free(r->var_tmp_dir);
3392 safe_close_pair(r->netns_storage_socket);
3393 free(r);
613b411c
LP		 3394
3395 return NULL;
3396}
3397
f2341e0a 3398int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
613b411c
LP		 3399 assert(u);
3400 assert(f);
3401 assert(fds);
3402
3403 if (!rt)
3404 return 0;
3405
3406 if (rt->tmp_dir)
3407 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
3408
3409 if (rt->var_tmp_dir)
3410 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
3411
3412 if (rt->netns_storage_socket[0] >= 0) {
3413 int copy;
3414
3415 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
3416 if (copy < 0)
3417 return copy;
3418
3419 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
3420 }
3421
3422 if (rt->netns_storage_socket[1] >= 0) {
3423 int copy;
3424
3425 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
3426 if (copy < 0)
3427 return copy;
3428
3429 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
3430 }
3431
3432 return 0;
3433}
3434
f2341e0a 3435int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
613b411c
LP		 3436 int r;
3437
3438 assert(rt);
3439 assert(key);
3440 assert(value);
3441
3442 if (streq(key, "tmp-dir")) {
3443 char *copy;
3444
3445 r = exec_runtime_allocate(rt);
3446 if (r < 0)
f2341e0a 3447 return log_oom();
613b411c
LP		 3448
3449 copy = strdup(value);
3450 if (!copy)
3451 return log_oom();
3452
3453 free((*rt)->tmp_dir);
3454 (*rt)->tmp_dir = copy;
3455
3456 } else if (streq(key, "var-tmp-dir")) {
3457 char *copy;
3458
3459 r = exec_runtime_allocate(rt);
3460 if (r < 0)
f2341e0a 3461 return log_oom();
613b411c
LP		 3462
3463 copy = strdup(value);
3464 if (!copy)
3465 return log_oom();
3466
3467 free((*rt)->var_tmp_dir);
3468 (*rt)->var_tmp_dir = copy;
3469
3470 } else if (streq(key, "netns-socket-0")) {
3471 int fd;
3472
3473 r = exec_runtime_allocate(rt);
3474 if (r < 0)
f2341e0a 3475 return log_oom();
613b411c
LP		 3476
3477 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
f2341e0a 3478 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
613b411c 3479 else {
03e334a1 3480 safe_close((*rt)->netns_storage_socket[0]);
613b411c
LP		 3481 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
3482 }
3483 } else if (streq(key, "netns-socket-1")) {
3484 int fd;
3485
3486 r = exec_runtime_allocate(rt);
3487 if (r < 0)
f2341e0a 3488 return log_oom();
613b411c
LP		 3489
3490 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
f2341e0a 3491 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
613b411c 3492 else {
03e334a1 3493 safe_close((*rt)->netns_storage_socket[1]);
613b411c
LP		 3494 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
3495 }
3496 } else
3497 return 0;
3498
3499 return 1;
3500}
3501
3502static void *remove_tmpdir_thread(void *p) {
3503 _cleanup_free_ char *path = p;
3504
c6878637 3505 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
613b411c
LP		 3506 return NULL;
3507}
3508
3509void exec_runtime_destroy(ExecRuntime *rt) {
98b47d54
LP		 3510 int r;
3511
613b411c
LP		 3512 if (!rt)
3513 return;
3514
3515 /* If there are multiple users of this, let's leave the stuff around */
3516 if (rt->n_ref > 1)
3517 return;
3518
3519 if (rt->tmp_dir) {
3520 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
98b47d54
LP		 3521
3522 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
3523 if (r < 0) {
da927ba9 3524 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
98b47d54
LP		 3525 free(rt->tmp_dir);
3526 }
3527
613b411c
LP		 3528 rt->tmp_dir = NULL;
3529 }
3530
3531 if (rt->var_tmp_dir) {
3532 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
98b47d54
LP		 3533
3534 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
3535 if (r < 0) {
da927ba9 3536 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
98b47d54
LP		 3537 free(rt->var_tmp_dir);
3538 }
3539
613b411c
LP		 3540 rt->var_tmp_dir = NULL;
3541 }
3542
3d94f76c 3543 safe_close_pair(rt->netns_storage_socket);
613b411c
LP		 3544}
3545
80876c20
LP		 3546static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
3547 [EXEC_INPUT_NULL] = "null",
3548 [EXEC_INPUT_TTY] = "tty",
3549 [EXEC_INPUT_TTY_FORCE] = "tty-force",
4f2d528d
LP		 3550 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
3551 [EXEC_INPUT_SOCKET] = "socket"
80876c20
LP		 3552};
3553
8a0867d6
LP		 3554DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
3555
94f04347 3556static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
80876c20 3557 [EXEC_OUTPUT_INHERIT] = "inherit",
94f04347 3558 [EXEC_OUTPUT_NULL] = "null",
80876c20 3559 [EXEC_OUTPUT_TTY] = "tty",
94f04347 3560 [EXEC_OUTPUT_SYSLOG] = "syslog",
28dbc1e8 3561 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
9a6bca7a 3562 [EXEC_OUTPUT_KMSG] = "kmsg",
28dbc1e8 3563 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
706343f4
LP		 3564 [EXEC_OUTPUT_JOURNAL] = "journal",
3565 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
4f2d528d 3566 [EXEC_OUTPUT_SOCKET] = "socket"
94f04347
LP		 3567};
3568
3569DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
023a4f67
LP		 3570
3571static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
3572 [EXEC_UTMP_INIT] = "init",
3573 [EXEC_UTMP_LOGIN] = "login",
3574 [EXEC_UTMP_USER] = "user",
3575};
3576
3577DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
Unnamed repository; edit this file 'description' to name the repository.