]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/core/execute.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
core: only apply NonBlocking= to fds passed via socket activation
[thirdparty/systemd.git] / src / core / execute.c
CommitLineData
a7334b09
LP		 1/***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
5430f7f2
LP		 7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
a7334b09
LP		 9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2 14 Lesser General Public License for more details.
a7334b09 15
5430f7f2 16 You should have received a copy of the GNU Lesser General Public License
a7334b09
LP		 17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18***/
19
034c6ed7
LP		 20#include <errno.h>
21#include <fcntl.h>
8dd4c05b
LP		 22#include <glob.h>
23#include <grp.h>
24#include <poll.h>
309bff19 25#include <signal.h>
8dd4c05b 26#include <string.h>
19c0b0b9 27#include <sys/capability.h>
d251207d 28#include <sys/eventfd.h>
f3e43635 29#include <sys/mman.h>
8dd4c05b 30#include <sys/personality.h>
94f04347 31#include <sys/prctl.h>
d2ffa389 32#include <sys/shm.h>
8dd4c05b 33#include <sys/socket.h>
451a074f 34#include <sys/stat.h>
d2ffa389 35#include <sys/types.h>
8dd4c05b
LP		 36#include <sys/un.h>
37#include <unistd.h>
023a4f67 38#include <utmpx.h>
5cb5a6ff 39
5b6319dc
LP		 40#ifdef HAVE_PAM
41#include <security/pam_appl.h>
42#endif
43
7b52a628
MS		 44#ifdef HAVE_SELINUX
45#include <selinux/selinux.h>
46#endif
47
17df7223
LP		 48#ifdef HAVE_SECCOMP
49#include <seccomp.h>
50#endif
51
eef65bf3
MS		 52#ifdef HAVE_APPARMOR
53#include <sys/apparmor.h>
54#endif
55
24882e06 56#include "sd-messages.h"
8dd4c05b
LP		 57
58#include "af-list.h"
b5efdb8a 59#include "alloc-util.h"
3ffd4af2
LP		 60#ifdef HAVE_APPARMOR
61#include "apparmor-util.h"
62#endif
8dd4c05b
LP		 63#include "async.h"
64#include "barrier.h"
8dd4c05b 65#include "cap-list.h"
430f0182 66#include "capability-util.h"
f6a6225e 67#include "def.h"
4d1a6904 68#include "env-util.h"
17df7223 69#include "errno-list.h"
3ffd4af2 70#include "execute.h"
8dd4c05b 71#include "exit-status.h"
3ffd4af2 72#include "fd-util.h"
8dd4c05b 73#include "fileio.h"
f97b34a6 74#include "format-util.h"
f4f15635 75#include "fs-util.h"
7d50b32a 76#include "glob-util.h"
c004493c 77#include "io-util.h"
8dd4c05b
LP		 78#include "ioprio.h"
79#include "log.h"
80#include "macro.h"
81#include "missing.h"
82#include "mkdir.h"
83#include "namespace.h"
6bedfcbb 84#include "parse-util.h"
8dd4c05b 85#include "path-util.h"
0b452006 86#include "process-util.h"
78f22b97 87#include "rlimit-util.h"
8dd4c05b 88#include "rm-rf.h"
3ffd4af2
LP		 89#ifdef HAVE_SECCOMP
90#include "seccomp-util.h"
91#endif
8dd4c05b
LP		 92#include "securebits.h"
93#include "selinux-util.h"
24882e06 94#include "signal-util.h"
8dd4c05b 95#include "smack-util.h"
fd63e712 96#include "special.h"
8b43440b 97#include "string-table.h"
07630cea 98#include "string-util.h"
8dd4c05b 99#include "strv.h"
7ccbd1ae 100#include "syslog-util.h"
8dd4c05b
LP		 101#include "terminal-util.h"
102#include "unit.h"
b1d4f8e1 103#include "user-util.h"
8dd4c05b
LP		 104#include "util.h"
105#include "utmp-wtmp.h"
5cb5a6ff 106
e056b01d 107#define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
31a7eb86 108#define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
e6a26745 109
02a51aba
LP		 110/* This assumes there is a 'tty' group */
111#define TTY_MODE 0620
112
531dca78
LP		 113#define SNDBUF_SIZE (8*1024*1024)
114
034c6ed7
LP		 115static int shift_fds(int fds[], unsigned n_fds) {
116 int start, restart_from;
117
118 if (n_fds <= 0)
119 return 0;
120
a0d40ac5
LP		 121 /* Modifies the fds array! (sorts it) */
122
034c6ed7
LP		 123 assert(fds);
124
125 start = 0;
126 for (;;) {
127 int i;
128
129 restart_from = -1;
130
131 for (i = start; i < (int) n_fds; i++) {
132 int nfd;
133
134 /* Already at right index? */
135 if (fds[i] == i+3)
136 continue;
137
3cc2aff1
LP		 138 nfd = fcntl(fds[i], F_DUPFD, i + 3);
139 if (nfd < 0)
034c6ed7
LP		 140 return -errno;
141
03e334a1 142 safe_close(fds[i]);
034c6ed7
LP		 143 fds[i] = nfd;
144
145 /* Hmm, the fd we wanted isn't free? Then
ee33e53a 146 * let's remember that and try again from here */
034c6ed7
LP		 147 if (nfd != i+3 && restart_from < 0)
148 restart_from = i;
149 }
150
151 if (restart_from < 0)
152 break;
153
154 start = restart_from;
155 }
156
157 return 0;
158}
159
9b141911 160static int flags_fds(const int fds[], unsigned n_fds, unsigned n_socket_fds, bool nonblock) {
47a71eed 161 unsigned i;
e2c76839 162 int r;
47a71eed
LP		 163
164 if (n_fds <= 0)
165 return 0;
166
167 assert(fds);
168
9b141911
FB		 169 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags.
170 * O_NONBLOCK only applies to socket activation though. */
47a71eed
LP		 171
172 for (i = 0; i < n_fds; i++) {
47a71eed 173
9b141911
FB		 174 if (i < n_socket_fds) {
175 r = fd_nonblock(fds[i], nonblock);
176 if (r < 0)
177 return r;
178 }
47a71eed 179
451a074f
LP		 180 /* We unconditionally drop FD_CLOEXEC from the fds,
181 * since after all we want to pass these fds to our
182 * children */
47a71eed 183
3cc2aff1
LP		 184 r = fd_cloexec(fds[i], false);
185 if (r < 0)
e2c76839 186 return r;
47a71eed
LP		 187 }
188
189 return 0;
190}
191
1e22b5cd 192static const char *exec_context_tty_path(const ExecContext *context) {
80876c20
LP		 193 assert(context);
194
1e22b5cd
LP		 195 if (context->stdio_as_fds)
196 return NULL;
197
80876c20
LP		 198 if (context->tty_path)
199 return context->tty_path;
200
201 return "/dev/console";
202}
203
1e22b5cd
LP		 204static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
205 const char *path;
206
6ea832a2
LP		 207 assert(context);
208
1e22b5cd 209 path = exec_context_tty_path(context);
6ea832a2 210
1e22b5cd
LP		 211 if (context->tty_vhangup) {
212 if (p && p->stdin_fd >= 0)
213 (void) terminal_vhangup_fd(p->stdin_fd);
214 else if (path)
215 (void) terminal_vhangup(path);
216 }
6ea832a2 217
1e22b5cd
LP		 218 if (context->tty_reset) {
219 if (p && p->stdin_fd >= 0)
220 (void) reset_terminal_fd(p->stdin_fd, true);
221 else if (path)
222 (void) reset_terminal(path);
223 }
224
225 if (context->tty_vt_disallocate && path)
226 (void) vt_disallocate(path);
6ea832a2
LP		 227}
228
6af760f3
LP		 229static bool is_terminal_input(ExecInput i) {
230 return IN_SET(i,
231 EXEC_INPUT_TTY,
232 EXEC_INPUT_TTY_FORCE,
233 EXEC_INPUT_TTY_FAIL);
234}
235
3a1286b6 236static bool is_terminal_output(ExecOutput o) {
6af760f3
LP		 237 return IN_SET(o,
238 EXEC_OUTPUT_TTY,
239 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
240 EXEC_OUTPUT_KMSG_AND_CONSOLE,
241 EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
242}
243
244static bool exec_context_needs_term(const ExecContext *c) {
245 assert(c);
246
247 /* Return true if the execution context suggests we should set $TERM to something useful. */
248
249 if (is_terminal_input(c->std_input))
250 return true;
251
252 if (is_terminal_output(c->std_output))
253 return true;
254
255 if (is_terminal_output(c->std_error))
256 return true;
257
258 return !!c->tty_path;
3a1286b6
MS		 259}
260
80876c20
LP		 261static int open_null_as(int flags, int nfd) {
262 int fd, r;
071830ff 263
80876c20 264 assert(nfd >= 0);
071830ff 265
613b411c
LP		 266 fd = open("/dev/null", flags|O_NOCTTY);
267 if (fd < 0)
071830ff
LP		 268 return -errno;
269
80876c20
LP		 270 if (fd != nfd) {
271 r = dup2(fd, nfd) < 0 ? -errno : nfd;
03e334a1 272 safe_close(fd);
80876c20
LP		 273 } else
274 r = nfd;
071830ff 275
80876c20 276 return r;
071830ff
LP		 277}
278
524daa8c 279static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
b92bea5d
ZJS		 280 union sockaddr_union sa = {
281 .un.sun_family = AF_UNIX,
282 .un.sun_path = "/run/systemd/journal/stdout",
283 };
524daa8c
ZJS		 284 uid_t olduid = UID_INVALID;
285 gid_t oldgid = GID_INVALID;
286 int r;
287
288 if (gid != GID_INVALID) {
289 oldgid = getgid();
290
291 r = setegid(gid);
292 if (r < 0)
293 return -errno;
294 }
295
296 if (uid != UID_INVALID) {
297 olduid = getuid();
298
299 r = seteuid(uid);
300 if (r < 0) {
301 r = -errno;
302 goto restore_gid;
303 }
304 }
305
fc2fffe7 306 r = connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
524daa8c
ZJS		 307 if (r < 0)
308 r = -errno;
309
310 /* If we fail to restore the uid or gid, things will likely
311 fail later on. This should only happen if an LSM interferes. */
312
313 if (uid != UID_INVALID)
314 (void) seteuid(olduid);
315
316 restore_gid:
317 if (gid != GID_INVALID)
318 (void) setegid(oldgid);
319
320 return r;
321}
322
fd1f9c89 323static int connect_logger_as(
7a1ab780 324 Unit *unit,
fd1f9c89
LP		 325 const ExecContext *context,
326 ExecOutput output,
327 const char *ident,
fd1f9c89
LP		 328 int nfd,
329 uid_t uid,
330 gid_t gid) {
331
524daa8c 332 int fd, r;
071830ff
LP		 333
334 assert(context);
80876c20
LP		 335 assert(output < _EXEC_OUTPUT_MAX);
336 assert(ident);
337 assert(nfd >= 0);
071830ff 338
54fe0cdb
LP		 339 fd = socket(AF_UNIX, SOCK_STREAM, 0);
340 if (fd < 0)
80876c20 341 return -errno;
071830ff 342
524daa8c
ZJS		 343 r = connect_journal_socket(fd, uid, gid);
344 if (r < 0)
345 return r;
071830ff 346
80876c20 347 if (shutdown(fd, SHUT_RD) < 0) {
03e334a1 348 safe_close(fd);
80876c20
LP		 349 return -errno;
350 }
071830ff 351
fd1f9c89 352 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
531dca78 353
80876c20 354 dprintf(fd,
62bca2c6 355 "%s\n"
80876c20
LP		 356 "%s\n"
357 "%i\n"
54fe0cdb
LP		 358 "%i\n"
359 "%i\n"
360 "%i\n"
4f4a1dbf 361 "%i\n",
4f4a1dbf 362 context->syslog_identifier ? context->syslog_identifier : ident,
7a1ab780 363 unit->id,
54fe0cdb
LP		 364 context->syslog_priority,
365 !!context->syslog_level_prefix,
366 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
367 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
3a1286b6 368 is_terminal_output(output));
80876c20 369
fd1f9c89
LP		 370 if (fd == nfd)
371 return nfd;
372
373 r = dup2(fd, nfd) < 0 ? -errno : nfd;
374 safe_close(fd);
071830ff 375
80876c20
LP		 376 return r;
377}
378static int open_terminal_as(const char *path, mode_t mode, int nfd) {
379 int fd, r;
071830ff 380
80876c20
LP		 381 assert(path);
382 assert(nfd >= 0);
071830ff 383
3cc2aff1
LP		 384 fd = open_terminal(path, mode | O_NOCTTY);
385 if (fd < 0)
80876c20 386 return fd;
071830ff 387
80876c20
LP		 388 if (fd != nfd) {
389 r = dup2(fd, nfd) < 0 ? -errno : nfd;
03e334a1 390 safe_close(fd);
80876c20
LP		 391 } else
392 r = nfd;
071830ff 393
80876c20
LP		 394 return r;
395}
071830ff 396
1e3ad081
LP		 397static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
398
399 if (is_terminal_input(std_input) && !apply_tty_stdin)
400 return EXEC_INPUT_NULL;
071830ff 401
03fd9c49 402 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 403 return EXEC_INPUT_NULL;
404
03fd9c49 405 return std_input;
4f2d528d
LP		 406}
407
03fd9c49 408static int fixup_output(ExecOutput std_output, int socket_fd) {
4f2d528d 409
03fd9c49 410 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 411 return EXEC_OUTPUT_INHERIT;
412
03fd9c49 413 return std_output;
4f2d528d
LP		 414}
415
a34ceba6
LP		 416static int setup_input(
417 const ExecContext *context,
418 const ExecParameters *params,
52c239d7
LB		 419 int socket_fd,
420 int named_iofds[3]) {
a34ceba6 421
4f2d528d
LP		 422 ExecInput i;
423
424 assert(context);
a34ceba6
LP		 425 assert(params);
426
427 if (params->stdin_fd >= 0) {
428 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
429 return -errno;
430
431 /* Try to make this the controlling tty, if it is a tty, and reset it */
432 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
433 (void) reset_terminal_fd(STDIN_FILENO, true);
434
435 return STDIN_FILENO;
436 }
4f2d528d 437
c39f1ce2 438 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
4f2d528d
LP		 439
440 switch (i) {
071830ff 441
80876c20
LP		 442 case EXEC_INPUT_NULL:
443 return open_null_as(O_RDONLY, STDIN_FILENO);
444
445 case EXEC_INPUT_TTY:
446 case EXEC_INPUT_TTY_FORCE:
447 case EXEC_INPUT_TTY_FAIL: {
448 int fd, r;
071830ff 449
1e22b5cd 450 fd = acquire_terminal(exec_context_tty_path(context),
970edce6
ZJS		 451 i == EXEC_INPUT_TTY_FAIL,
452 i == EXEC_INPUT_TTY_FORCE,
453 false,
3a43da28 454 USEC_INFINITY);
970edce6 455 if (fd < 0)
80876c20
LP		 456 return fd;
457
458 if (fd != STDIN_FILENO) {
459 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
03e334a1 460 safe_close(fd);
80876c20
LP		 461 } else
462 r = STDIN_FILENO;
463
464 return r;
465 }
466
4f2d528d
LP		 467 case EXEC_INPUT_SOCKET:
468 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
469
52c239d7
LB		 470 case EXEC_INPUT_NAMED_FD:
471 (void) fd_nonblock(named_iofds[STDIN_FILENO], false);
472 return dup2(named_iofds[STDIN_FILENO], STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
473
80876c20
LP		 474 default:
475 assert_not_reached("Unknown input type");
476 }
477}
478
a34ceba6
LP		 479static int setup_output(
480 Unit *unit,
481 const ExecContext *context,
482 const ExecParameters *params,
483 int fileno,
484 int socket_fd,
52c239d7 485 int named_iofds[3],
a34ceba6 486 const char *ident,
7bce046b
LP		 487 uid_t uid,
488 gid_t gid,
489 dev_t *journal_stream_dev,
490 ino_t *journal_stream_ino) {
a34ceba6 491
4f2d528d
LP		 492 ExecOutput o;
493 ExecInput i;
47c1d80d 494 int r;
4f2d528d 495
f2341e0a 496 assert(unit);
80876c20 497 assert(context);
a34ceba6 498 assert(params);
80876c20 499 assert(ident);
7bce046b
LP		 500 assert(journal_stream_dev);
501 assert(journal_stream_ino);
80876c20 502
a34ceba6
LP		 503 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
504
505 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
506 return -errno;
507
508 return STDOUT_FILENO;
509 }
510
511 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
512 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
513 return -errno;
514
515 return STDERR_FILENO;
516 }
517
c39f1ce2 518 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
03fd9c49 519 o = fixup_output(context->std_output, socket_fd);
4f2d528d 520
eb17e935
MS		 521 if (fileno == STDERR_FILENO) {
522 ExecOutput e;
523 e = fixup_output(context->std_error, socket_fd);
80876c20 524
eb17e935
MS		 525 /* This expects the input and output are already set up */
526
527 /* Don't change the stderr file descriptor if we inherit all
528 * the way and are not on a tty */
529 if (e == EXEC_OUTPUT_INHERIT &&
530 o == EXEC_OUTPUT_INHERIT &&
531 i == EXEC_INPUT_NULL &&
532 !is_terminal_input(context->std_input) &&
533 getppid () != 1)
534 return fileno;
535
536 /* Duplicate from stdout if possible */
52c239d7 537 if ((e == o && e != EXEC_OUTPUT_NAMED_FD) || e == EXEC_OUTPUT_INHERIT)
eb17e935 538 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 539
eb17e935 540 o = e;
80876c20 541
eb17e935 542 } else if (o == EXEC_OUTPUT_INHERIT) {
21d21ea4
LP		 543 /* If input got downgraded, inherit the original value */
544 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
1e22b5cd 545 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
21d21ea4 546
acb591e4 547 /* If the input is connected to anything that's not a /dev/null, inherit that... */
ff876e28 548 if (i != EXEC_INPUT_NULL)
eb17e935 549 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 550
acb591e4
LP		 551 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
552 if (getppid() != 1)
eb17e935 553 return fileno;
94f04347 554
eb17e935
MS		 555 /* We need to open /dev/null here anew, to get the right access mode. */
556 return open_null_as(O_WRONLY, fileno);
071830ff 557 }
94f04347 558
eb17e935 559 switch (o) {
80876c20
LP		 560
561 case EXEC_OUTPUT_NULL:
eb17e935 562 return open_null_as(O_WRONLY, fileno);
80876c20
LP		 563
564 case EXEC_OUTPUT_TTY:
4f2d528d 565 if (is_terminal_input(i))
eb17e935 566 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
80876c20
LP		 567
568 /* We don't reset the terminal if this is just about output */
1e22b5cd 569 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
80876c20
LP		 570
571 case EXEC_OUTPUT_SYSLOG:
28dbc1e8 572 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
9a6bca7a 573 case EXEC_OUTPUT_KMSG:
28dbc1e8 574 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
706343f4
LP		 575 case EXEC_OUTPUT_JOURNAL:
576 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
7a1ab780 577 r = connect_logger_as(unit, context, o, ident, fileno, uid, gid);
47c1d80d 578 if (r < 0) {
f2341e0a 579 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
eb17e935 580 r = open_null_as(O_WRONLY, fileno);
7bce046b
LP		 581 } else {
582 struct stat st;
583
584 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
585 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
586 * services to detect whether they are connected to the journal or not. */
587
588 if (fstat(fileno, &st) >= 0) {
589 *journal_stream_dev = st.st_dev;
590 *journal_stream_ino = st.st_ino;
591 }
47c1d80d
MS		 592 }
593 return r;
4f2d528d
LP		 594
595 case EXEC_OUTPUT_SOCKET:
596 assert(socket_fd >= 0);
eb17e935 597 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
94f04347 598
52c239d7
LB		 599 case EXEC_OUTPUT_NAMED_FD:
600 (void) fd_nonblock(named_iofds[fileno], false);
601 return dup2(named_iofds[fileno], fileno) < 0 ? -errno : fileno;
602
94f04347 603 default:
80876c20 604 assert_not_reached("Unknown error type");
94f04347 605 }
071830ff
LP		 606}
607
02a51aba
LP		 608static int chown_terminal(int fd, uid_t uid) {
609 struct stat st;
610
611 assert(fd >= 0);
02a51aba 612
1ff74fb6
LP		 613 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
614 if (isatty(fd) < 1)
615 return 0;
616
02a51aba 617 /* This might fail. What matters are the results. */
bab45044
LP		 618 (void) fchown(fd, uid, -1);
619 (void) fchmod(fd, TTY_MODE);
02a51aba
LP		 620
621 if (fstat(fd, &st) < 0)
622 return -errno;
623
d8b4e2e9 624 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
02a51aba
LP		 625 return -EPERM;
626
627 return 0;
628}
629
7d5ceb64 630static int setup_confirm_stdio(const char *vc, int *_saved_stdin, int *_saved_stdout) {
3d18b167
LP		 631 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
632 int r;
80876c20 633
80876c20
LP		 634 assert(_saved_stdin);
635 assert(_saved_stdout);
636
af6da548
LP		 637 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
638 if (saved_stdin < 0)
639 return -errno;
80876c20 640
af6da548 641 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
3d18b167
LP		 642 if (saved_stdout < 0)
643 return -errno;
80876c20 644
7d5ceb64 645 fd = acquire_terminal(vc, false, false, false, DEFAULT_CONFIRM_USEC);
3d18b167
LP		 646 if (fd < 0)
647 return fd;
80876c20 648
af6da548
LP		 649 r = chown_terminal(fd, getuid());
650 if (r < 0)
3d18b167 651 return r;
02a51aba 652
3d18b167
LP		 653 r = reset_terminal_fd(fd, true);
654 if (r < 0)
655 return r;
80876c20 656
3d18b167
LP		 657 if (dup2(fd, STDIN_FILENO) < 0)
658 return -errno;
659
660 if (dup2(fd, STDOUT_FILENO) < 0)
661 return -errno;
80876c20
LP		 662
663 if (fd >= 2)
03e334a1 664 safe_close(fd);
3d18b167 665 fd = -1;
80876c20
LP		 666
667 *_saved_stdin = saved_stdin;
668 *_saved_stdout = saved_stdout;
669
3d18b167 670 saved_stdin = saved_stdout = -1;
80876c20 671
3d18b167 672 return 0;
80876c20
LP		 673}
674
63d77c92 675static void write_confirm_error_fd(int err, int fd, const Unit *u) {
3b20f877
FB		 676 assert(err < 0);
677
678 if (err == -ETIMEDOUT)
63d77c92 679 dprintf(fd, "Confirmation question timed out for %s, assuming positive response.\n", u->id);
3b20f877
FB		 680 else {
681 errno = -err;
63d77c92 682 dprintf(fd, "Couldn't ask confirmation for %s: %m, assuming positive response.\n", u->id);
3b20f877
FB		 683 }
684}
685
63d77c92 686static void write_confirm_error(int err, const char *vc, const Unit *u) {
03e334a1 687 _cleanup_close_ int fd = -1;
80876c20 688
3b20f877 689 assert(vc);
80876c20 690
7d5ceb64 691 fd = open_terminal(vc, O_WRONLY|O_NOCTTY|O_CLOEXEC);
af6da548 692 if (fd < 0)
3b20f877 693 return;
80876c20 694
63d77c92 695 write_confirm_error_fd(err, fd, u);
af6da548 696}
80876c20 697
3d18b167 698static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
af6da548 699 int r = 0;
80876c20 700
af6da548
LP		 701 assert(saved_stdin);
702 assert(saved_stdout);
703
704 release_terminal();
705
706 if (*saved_stdin >= 0)
80876c20 707 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
af6da548 708 r = -errno;
80876c20 709
af6da548 710 if (*saved_stdout >= 0)
80876c20 711 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
af6da548 712 r = -errno;
80876c20 713
3d18b167
LP		 714 *saved_stdin = safe_close(*saved_stdin);
715 *saved_stdout = safe_close(*saved_stdout);
af6da548
LP		 716
717 return r;
718}
719
3b20f877
FB		 720enum {
721 CONFIRM_PRETEND_FAILURE = -1,
722 CONFIRM_PRETEND_SUCCESS = 0,
723 CONFIRM_EXECUTE = 1,
724};
725
eedf223a 726static int ask_for_confirmation(const char *vc, Unit *u, const char *cmdline) {
af6da548 727 int saved_stdout = -1, saved_stdin = -1, r;
2bcd3c26 728 _cleanup_free_ char *e = NULL;
3b20f877 729 char c;
af6da548 730
3b20f877 731 /* For any internal errors, assume a positive response. */
7d5ceb64 732 r = setup_confirm_stdio(vc, &saved_stdin, &saved_stdout);
3b20f877 733 if (r < 0) {
63d77c92 734 write_confirm_error(r, vc, u);
3b20f877
FB		 735 return CONFIRM_EXECUTE;
736 }
af6da548 737
b0eb2944
FB		 738 /* confirm_spawn might have been disabled while we were sleeping. */
739 if (manager_is_confirm_spawn_disabled(u->manager)) {
740 r = 1;
741 goto restore_stdio;
742 }
af6da548 743
2bcd3c26
FB		 744 e = ellipsize(cmdline, 60, 100);
745 if (!e) {
746 log_oom();
747 r = CONFIRM_EXECUTE;
748 goto restore_stdio;
749 }
af6da548 750
d172b175 751 for (;;) {
539622bd 752 r = ask_char(&c, "yfshiDjcn", "Execute %s? [y, f, s – h for help] ", e);
d172b175 753 if (r < 0) {
63d77c92 754 write_confirm_error_fd(r, STDOUT_FILENO, u);
d172b175
FB		 755 r = CONFIRM_EXECUTE;
756 goto restore_stdio;
757 }
af6da548 758
d172b175 759 switch (c) {
b0eb2944
FB		 760 case 'c':
761 printf("Resuming normal execution.\n");
762 manager_disable_confirm_spawn();
763 r = 1;
764 break;
dd6f9ac0
FB		 765 case 'D':
766 unit_dump(u, stdout, " ");
767 continue; /* ask again */
d172b175
FB		 768 case 'f':
769 printf("Failing execution.\n");
770 r = CONFIRM_PRETEND_FAILURE;
771 break;
772 case 'h':
b0eb2944
FB		 773 printf(" c - continue, proceed without asking anymore\n"
774 " D - dump, show the state of the unit\n"
dd6f9ac0 775 " f - fail, don't execute the command and pretend it failed\n"
d172b175 776 " h - help\n"
eedf223a 777 " i - info, show a short summary of the unit\n"
56fde33a 778 " j - jobs, show jobs that are in progress\n"
d172b175
FB		 779 " s - skip, don't execute the command and pretend it succeeded\n"
780 " y - yes, execute the command\n");
dd6f9ac0 781 continue; /* ask again */
eedf223a
FB		 782 case 'i':
783 printf(" Description: %s\n"
784 " Unit: %s\n"
785 " Command: %s\n",
786 u->id, u->description, cmdline);
787 continue; /* ask again */
56fde33a
FB		 788 case 'j':
789 manager_dump_jobs(u->manager, stdout, " ");
790 continue; /* ask again */
539622bd
FB		 791 case 'n':
792 /* 'n' was removed in favor of 'f'. */
793 printf("Didn't understand 'n', did you mean 'f'?\n");
794 continue; /* ask again */
d172b175
FB		 795 case 's':
796 printf("Skipping execution.\n");
797 r = CONFIRM_PRETEND_SUCCESS;
798 break;
799 case 'y':
800 r = CONFIRM_EXECUTE;
801 break;
802 default:
803 assert_not_reached("Unhandled choice");
804 }
3b20f877 805 break;
3b20f877 806 }
af6da548 807
3b20f877 808restore_stdio:
af6da548 809 restore_confirm_stdio(&saved_stdin, &saved_stdout);
af6da548 810 return r;
80876c20
LP		 811}
812
4d885bd3
DH		 813static int get_fixed_user(const ExecContext *c, const char **user,
814 uid_t *uid, gid_t *gid,
815 const char **home, const char **shell) {
81a2b7ce 816 int r;
4d885bd3 817 const char *name;
81a2b7ce 818
4d885bd3 819 assert(c);
81a2b7ce 820
23deef88
LP		 821 if (!c->user)
822 return 0;
823
4d885bd3
DH		 824 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
825 * (i.e. are "/" or "/bin/nologin"). */
81a2b7ce 826
23deef88 827 name = c->user;
4d885bd3
DH		 828 r = get_user_creds_clean(&name, uid, gid, home, shell);
829 if (r < 0)
830 return r;
81a2b7ce 831
4d885bd3
DH		 832 *user = name;
833 return 0;
834}
835
836static int get_fixed_group(const ExecContext *c, const char **group, gid_t *gid) {
837 int r;
838 const char *name;
839
840 assert(c);
841
842 if (!c->group)
843 return 0;
844
845 name = c->group;
846 r = get_group_creds(&name, gid);
847 if (r < 0)
848 return r;
849
850 *group = name;
851 return 0;
852}
853
cdc5d5c5
DH		 854static int get_supplementary_groups(const ExecContext *c, const char *user,
855 const char *group, gid_t gid,
856 gid_t **supplementary_gids, int *ngids) {
4d885bd3
DH		 857 char **i;
858 int r, k = 0;
859 int ngroups_max;
860 bool keep_groups = false;
861 gid_t *groups = NULL;
862 _cleanup_free_ gid_t *l_gids = NULL;
863
864 assert(c);
865
bbeea271
DH		 866 /*
867 * If user is given, then lookup GID and supplementary groups list.
868 * We avoid NSS lookups for gid=0. Also we have to initialize groups
cdc5d5c5
DH		 869 * here and as early as possible so we keep the list of supplementary
870 * groups of the caller.
bbeea271
DH		 871 */
872 if (user && gid_is_valid(gid) && gid != 0) {
873 /* First step, initialize groups from /etc/groups */
874 if (initgroups(user, gid) < 0)
875 return -errno;
876
877 keep_groups = true;
878 }
879
4d885bd3
DH		 880 if (!c->supplementary_groups)
881 return 0;
882
366ddd25
DH		 883 /*
884 * If SupplementaryGroups= was passed then NGROUPS_MAX has to
885 * be positive, otherwise fail.
886 */
887 errno = 0;
888 ngroups_max = (int) sysconf(_SC_NGROUPS_MAX);
889 if (ngroups_max <= 0) {
890 if (errno > 0)
891 return -errno;
892 else
893 return -EOPNOTSUPP; /* For all other values */
894 }
895
4d885bd3
DH		 896 l_gids = new(gid_t, ngroups_max);
897 if (!l_gids)
898 return -ENOMEM;
81a2b7ce 899
4d885bd3
DH		 900 if (keep_groups) {
901 /*
902 * Lookup the list of groups that the user belongs to, we
903 * avoid NSS lookups here too for gid=0.
904 */
905 k = ngroups_max;
906 if (getgrouplist(user, gid, l_gids, &k) < 0)
907 return -EINVAL;
908 } else
909 k = 0;
81a2b7ce 910
4d885bd3
DH		 911 STRV_FOREACH(i, c->supplementary_groups) {
912 const char *g;
81a2b7ce 913
4d885bd3
DH		 914 if (k >= ngroups_max)
915 return -E2BIG;
81a2b7ce 916
4d885bd3
DH		 917 g = *i;
918 r = get_group_creds(&g, l_gids+k);
919 if (r < 0)
920 return r;
81a2b7ce 921
4d885bd3
DH		 922 k++;
923 }
81a2b7ce 924
4d885bd3
DH		 925 /*
926 * Sets ngids to zero to drop all supplementary groups, happens
927 * when we are under root and SupplementaryGroups= is empty.
928 */
929 if (k == 0) {
930 *ngids = 0;
931 return 0;
932 }
81a2b7ce 933
4d885bd3
DH		 934 /* Otherwise get the final list of supplementary groups */
935 groups = memdup(l_gids, sizeof(gid_t) * k);
936 if (!groups)
937 return -ENOMEM;
938
939 *supplementary_gids = groups;
940 *ngids = k;
941
942 groups = NULL;
943
944 return 0;
945}
946
947static int enforce_groups(const ExecContext *context, gid_t gid,
948 gid_t *supplementary_gids, int ngids) {
949 int r;
950
951 assert(context);
952
953 /* Handle SupplementaryGroups= even if it is empty */
954 if (context->supplementary_groups) {
955 r = maybe_setgroups(ngids, supplementary_gids);
956 if (r < 0)
97f0e76f 957 return r;
4d885bd3 958 }
81a2b7ce 959
4d885bd3
DH		 960 if (gid_is_valid(gid)) {
961 /* Then set our gids */
962 if (setresgid(gid, gid, gid) < 0)
963 return -errno;
81a2b7ce
LP		 964 }
965
966 return 0;
967}
968
969static int enforce_user(const ExecContext *context, uid_t uid) {
81a2b7ce
LP		 970 assert(context);
971
4d885bd3
DH		 972 if (!uid_is_valid(uid))
973 return 0;
974
479050b3 975 /* Sets (but doesn't look up) the uid and make sure we keep the
81a2b7ce
LP		 976 * capabilities while doing so. */
977
479050b3 978 if (context->capability_ambient_set != 0) {
81a2b7ce
LP		 979
980 /* First step: If we need to keep capabilities but
981 * drop privileges we need to make sure we keep our
cbb21cca 982 * caps, while we drop privileges. */
693ced48 983 if (uid != 0) {
cbb21cca 984 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
693ced48
LP		 985
986 if (prctl(PR_GET_SECUREBITS) != sb)
987 if (prctl(PR_SET_SECUREBITS, sb) < 0)
988 return -errno;
989 }
81a2b7ce
LP		 990 }
991
479050b3 992 /* Second step: actually set the uids */
81a2b7ce
LP		 993 if (setresuid(uid, uid, uid) < 0)
994 return -errno;
995
996 /* At this point we should have all necessary capabilities but
997 are otherwise a normal user. However, the caps might got
998 corrupted due to the setresuid() so we need clean them up
999 later. This is done outside of this call. */
1000
1001 return 0;
1002}
1003
5b6319dc
LP		 1004#ifdef HAVE_PAM
1005
1006static int null_conv(
1007 int num_msg,
1008 const struct pam_message **msg,
1009 struct pam_response **resp,
1010 void *appdata_ptr) {
1011
1012 /* We don't support conversations */
1013
1014 return PAM_CONV_ERR;
1015}
1016
cefc33ae
LP		 1017#endif
1018
5b6319dc
LP		 1019static int setup_pam(
1020 const char *name,
1021 const char *user,
940c5210 1022 uid_t uid,
2d6fce8d 1023 gid_t gid,
5b6319dc 1024 const char *tty,
2065ca69 1025 char ***env,
5b6319dc
LP		 1026 int fds[], unsigned n_fds) {
1027
cefc33ae
LP		 1028#ifdef HAVE_PAM
1029
5b6319dc
LP		 1030 static const struct pam_conv conv = {
1031 .conv = null_conv,
1032 .appdata_ptr = NULL
1033 };
1034
2d7c6aa2 1035 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
5b6319dc 1036 pam_handle_t *handle = NULL;
d6e5f3ad 1037 sigset_t old_ss;
7bb70b6e 1038 int pam_code = PAM_SUCCESS, r;
84eada2f 1039 char **nv, **e = NULL;
5b6319dc
LP		 1040 bool close_session = false;
1041 pid_t pam_pid = 0, parent_pid;
970edce6 1042 int flags = 0;
5b6319dc
LP		 1043
1044 assert(name);
1045 assert(user);
2065ca69 1046 assert(env);
5b6319dc
LP		 1047
1048 /* We set up PAM in the parent process, then fork. The child
35b8ca3a 1049 * will then stay around until killed via PR_GET_PDEATHSIG or
5b6319dc
LP		 1050 * systemd via the cgroup logic. It will then remove the PAM
1051 * session again. The parent process will exec() the actual
1052 * daemon. We do things this way to ensure that the main PID
1053 * of the daemon is the one we initially fork()ed. */
1054
7bb70b6e
LP		 1055 r = barrier_create(&barrier);
1056 if (r < 0)
2d7c6aa2
DH		 1057 goto fail;
1058
553d2243 1059 if (log_get_max_level() < LOG_DEBUG)
970edce6
ZJS		 1060 flags |= PAM_SILENT;
1061
f546241b
ZJS		 1062 pam_code = pam_start(name, user, &conv, &handle);
1063 if (pam_code != PAM_SUCCESS) {
5b6319dc
LP		 1064 handle = NULL;
1065 goto fail;
1066 }
1067
f546241b
ZJS		 1068 if (tty) {
1069 pam_code = pam_set_item(handle, PAM_TTY, tty);
1070 if (pam_code != PAM_SUCCESS)
5b6319dc 1071 goto fail;
f546241b 1072 }
5b6319dc 1073
84eada2f
JW		 1074 STRV_FOREACH(nv, *env) {
1075 pam_code = pam_putenv(handle, *nv);
2065ca69
JW		 1076 if (pam_code != PAM_SUCCESS)
1077 goto fail;
1078 }
1079
970edce6 1080 pam_code = pam_acct_mgmt(handle, flags);
f546241b 1081 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 1082 goto fail;
1083
970edce6 1084 pam_code = pam_open_session(handle, flags);
f546241b 1085 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 1086 goto fail;
1087
1088 close_session = true;
1089
f546241b
ZJS		 1090 e = pam_getenvlist(handle);
1091 if (!e) {
5b6319dc
LP		 1092 pam_code = PAM_BUF_ERR;
1093 goto fail;
1094 }
1095
1096 /* Block SIGTERM, so that we know that it won't get lost in
1097 * the child */
ce30c8dc 1098
72c0a2c2 1099 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
5b6319dc
LP		 1100
1101 parent_pid = getpid();
1102
f546241b 1103 pam_pid = fork();
7bb70b6e
LP		 1104 if (pam_pid < 0) {
1105 r = -errno;
5b6319dc 1106 goto fail;
7bb70b6e 1107 }
5b6319dc
LP		 1108
1109 if (pam_pid == 0) {
7bb70b6e 1110 int sig, ret = EXIT_PAM;
5b6319dc
LP		 1111
1112 /* The child's job is to reset the PAM session on
1113 * termination */
2d7c6aa2 1114 barrier_set_role(&barrier, BARRIER_CHILD);
5b6319dc
LP		 1115
1116 /* This string must fit in 10 chars (i.e. the length
5d6b1584
LP		 1117 * of "/sbin/init"), to look pretty in /bin/ps */
1118 rename_process("(sd-pam)");
5b6319dc
LP		 1119
1120 /* Make sure we don't keep open the passed fds in this
1121 child. We assume that otherwise only those fds are
1122 open here that have been opened by PAM. */
1123 close_many(fds, n_fds);
1124
940c5210
AK		 1125 /* Drop privileges - we don't need any to pam_close_session
1126 * and this will make PR_SET_PDEATHSIG work in most cases.
1127 * If this fails, ignore the error - but expect sd-pam threads
1128 * to fail to exit normally */
2d6fce8d 1129
97f0e76f
LP		 1130 r = maybe_setgroups(0, NULL);
1131 if (r < 0)
1132 log_warning_errno(r, "Failed to setgroups() in sd-pam: %m");
2d6fce8d
LP		 1133 if (setresgid(gid, gid, gid) < 0)
1134 log_warning_errno(errno, "Failed to setresgid() in sd-pam: %m");
940c5210 1135 if (setresuid(uid, uid, uid) < 0)
2d6fce8d 1136 log_warning_errno(errno, "Failed to setresuid() in sd-pam: %m");
940c5210 1137
ce30c8dc
LP		 1138 (void) ignore_signals(SIGPIPE, -1);
1139
940c5210
AK		 1140 /* Wait until our parent died. This will only work if
1141 * the above setresuid() succeeds, otherwise the kernel
1142 * will not allow unprivileged parents kill their privileged
1143 * children this way. We rely on the control groups kill logic
5b6319dc
LP		 1144 * to do the rest for us. */
1145 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
1146 goto child_finish;
1147
2d7c6aa2
DH		 1148 /* Tell the parent that our setup is done. This is especially
1149 * important regarding dropping privileges. Otherwise, unit
643f4706
ZJS		 1150 * setup might race against our setresuid(2) call.
1151 *
1152 * If the parent aborted, we'll detect this below, hence ignore
1153 * return failure here. */
1154 (void) barrier_place(&barrier);
2d7c6aa2 1155
643f4706 1156 /* Check if our parent process might already have died? */
5b6319dc 1157 if (getppid() == parent_pid) {
d6e5f3ad
DM		 1158 sigset_t ss;
1159
1160 assert_se(sigemptyset(&ss) >= 0);
1161 assert_se(sigaddset(&ss, SIGTERM) >= 0);
1162
3dead8d9
LP		 1163 for (;;) {
1164 if (sigwait(&ss, &sig) < 0) {
1165 if (errno == EINTR)
1166 continue;
1167
1168 goto child_finish;
1169 }
5b6319dc 1170
3dead8d9
LP		 1171 assert(sig == SIGTERM);
1172 break;
1173 }
5b6319dc
LP		 1174 }
1175
3dead8d9 1176 /* If our parent died we'll end the session */
f546241b 1177 if (getppid() != parent_pid) {
970edce6 1178 pam_code = pam_close_session(handle, flags);
f546241b 1179 if (pam_code != PAM_SUCCESS)
5b6319dc 1180 goto child_finish;
f546241b 1181 }
5b6319dc 1182
7bb70b6e 1183 ret = 0;
5b6319dc
LP		 1184
1185 child_finish:
970edce6 1186 pam_end(handle, pam_code | flags);
7bb70b6e 1187 _exit(ret);
5b6319dc
LP		 1188 }
1189
2d7c6aa2
DH		 1190 barrier_set_role(&barrier, BARRIER_PARENT);
1191
5b6319dc
LP		 1192 /* If the child was forked off successfully it will do all the
1193 * cleanups, so forget about the handle here. */
1194 handle = NULL;
1195
3b8bddde 1196 /* Unblock SIGTERM again in the parent */
72c0a2c2 1197 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
5b6319dc
LP		 1198
1199 /* We close the log explicitly here, since the PAM modules
1200 * might have opened it, but we don't want this fd around. */
1201 closelog();
1202
2d7c6aa2
DH		 1203 /* Synchronously wait for the child to initialize. We don't care for
1204 * errors as we cannot recover. However, warn loudly if it happens. */
1205 if (!barrier_place_and_sync(&barrier))
1206 log_error("PAM initialization failed");
1207
2065ca69
JW		 1208 strv_free(*env);
1209 *env = e;
aa87e624 1210
5b6319dc
LP		 1211 return 0;
1212
1213fail:
970edce6
ZJS		 1214 if (pam_code != PAM_SUCCESS) {
1215 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
7bb70b6e
LP		 1216 r = -EPERM; /* PAM errors do not map to errno */
1217 } else
1218 log_error_errno(r, "PAM failed: %m");
9ba35398 1219
5b6319dc
LP		 1220 if (handle) {
1221 if (close_session)
970edce6 1222 pam_code = pam_close_session(handle, flags);
5b6319dc 1223
970edce6 1224 pam_end(handle, pam_code | flags);
5b6319dc
LP		 1225 }
1226
1227 strv_free(e);
5b6319dc
LP		 1228 closelog();
1229
7bb70b6e 1230 return r;
cefc33ae
LP		 1231#else
1232 return 0;
5b6319dc 1233#endif
cefc33ae 1234}
5b6319dc 1235
5d6b1584
LP		 1236static void rename_process_from_path(const char *path) {
1237 char process_name[11];
1238 const char *p;
1239 size_t l;
1240
1241 /* This resulting string must fit in 10 chars (i.e. the length
1242 * of "/sbin/init") to look pretty in /bin/ps */
1243
2b6bf07d 1244 p = basename(path);
5d6b1584
LP		 1245 if (isempty(p)) {
1246 rename_process("(...)");
1247 return;
1248 }
1249
1250 l = strlen(p);
1251 if (l > 8) {
1252 /* The end of the process name is usually more
1253 * interesting, since the first bit might just be
1254 * "systemd-" */
1255 p = p + l - 8;
1256 l = 8;
1257 }
1258
1259 process_name[0] = '(';
1260 memcpy(process_name+1, p, l);
1261 process_name[1+l] = ')';
1262 process_name[1+l+1] = 0;
1263
1264 rename_process(process_name);
1265}
1266
469830d1
LP		 1267static bool context_has_address_families(const ExecContext *c) {
1268 assert(c);
1269
1270 return c->address_families_whitelist ||
1271 !set_isempty(c->address_families);
1272}
1273
1274static bool context_has_syscall_filters(const ExecContext *c) {
1275 assert(c);
1276
1277 return c->syscall_whitelist ||
1278 !set_isempty(c->syscall_filter);
1279}
1280
1281static bool context_has_no_new_privileges(const ExecContext *c) {
1282 assert(c);
1283
1284 if (c->no_new_privileges)
1285 return true;
1286
1287 if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
1288 return false;
1289
1290 /* We need NNP if we have any form of seccomp and are unprivileged */
1291 return context_has_address_families(c) ||
1292 c->memory_deny_write_execute ||
1293 c->restrict_realtime ||
1294 exec_context_restrict_namespaces_set(c) ||
1295 c->protect_kernel_tunables ||
1296 c->protect_kernel_modules ||
1297 c->private_devices ||
1298 context_has_syscall_filters(c) ||
1299 !set_isempty(c->syscall_archs);
1300}
1301
c0467cf3 1302#ifdef HAVE_SECCOMP
17df7223 1303
83f12b27 1304static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
f673b62d
LP		 1305
1306 if (is_seccomp_available())
1307 return false;
1308
1309 log_open();
1310 log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
1311 log_close();
1312 return true;
83f12b27
FS		 1313}
1314
469830d1
LP		 1315static int apply_syscall_filter(const Unit* u, const ExecContext *c) {
1316 uint32_t negative_action, default_action, action;
8351ceae 1317
469830d1 1318 assert(u);
c0467cf3 1319 assert(c);
8351ceae 1320
469830d1 1321 if (!context_has_syscall_filters(c))
83f12b27
FS		 1322 return 0;
1323
469830d1
LP		 1324 if (skip_seccomp_unavailable(u, "SystemCallFilter="))
1325 return 0;
e9642be2 1326
469830d1 1327 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
e9642be2 1328
469830d1
LP		 1329 if (c->syscall_whitelist) {
1330 default_action = negative_action;
1331 action = SCMP_ACT_ALLOW;
7c66bae2 1332 } else {
469830d1
LP		 1333 default_action = SCMP_ACT_ALLOW;
1334 action = negative_action;
57183d11 1335 }
8351ceae 1336
469830d1 1337 return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_filter, action);
4298d0b5
LP		 1338}
1339
469830d1
LP		 1340static int apply_syscall_archs(const Unit *u, const ExecContext *c) {
1341 assert(u);
4298d0b5
LP		 1342 assert(c);
1343
469830d1 1344 if (set_isempty(c->syscall_archs))
83f12b27
FS		 1345 return 0;
1346
469830d1
LP		 1347 if (skip_seccomp_unavailable(u, "SystemCallArchitectures="))
1348 return 0;
4298d0b5 1349
469830d1
LP		 1350 return seccomp_restrict_archs(c->syscall_archs);
1351}
4298d0b5 1352
469830d1
LP		 1353static int apply_address_families(const Unit* u, const ExecContext *c) {
1354 assert(u);
1355 assert(c);
4298d0b5 1356
469830d1
LP		 1357 if (!context_has_address_families(c))
1358 return 0;
4298d0b5 1359
469830d1
LP		 1360 if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
1361 return 0;
4298d0b5 1362
469830d1 1363 return seccomp_restrict_address_families(c->address_families, c->address_families_whitelist);
8351ceae 1364}
4298d0b5 1365
83f12b27 1366static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c) {
469830d1 1367 assert(u);
f3e43635
TM		 1368 assert(c);
1369
469830d1 1370 if (!c->memory_deny_write_execute)
83f12b27
FS		 1371 return 0;
1372
469830d1
LP		 1373 if (skip_seccomp_unavailable(u, "MemoryDenyWriteExecute="))
1374 return 0;
f3e43635 1375
469830d1 1376 return seccomp_memory_deny_write_execute();
f3e43635
TM		 1377}
1378
83f12b27 1379static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
469830d1 1380 assert(u);
f4170c67
LP		 1381 assert(c);
1382
469830d1 1383 if (!c->restrict_realtime)
83f12b27
FS		 1384 return 0;
1385
469830d1
LP		 1386 if (skip_seccomp_unavailable(u, "RestrictRealtime="))
1387 return 0;
f4170c67 1388
469830d1 1389 return seccomp_restrict_realtime();
f4170c67
LP		 1390}
1391
59e856c7 1392static int apply_protect_sysctl(const Unit *u, const ExecContext *c) {
469830d1 1393 assert(u);
59eeb84b
LP		 1394 assert(c);
1395
1396 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1397 * let's protect even those systems where this is left on in the kernel. */
1398
469830d1 1399 if (!c->protect_kernel_tunables)
59eeb84b
LP		 1400 return 0;
1401
469830d1
LP		 1402 if (skip_seccomp_unavailable(u, "ProtectKernelTunables="))
1403 return 0;
59eeb84b 1404
469830d1 1405 return seccomp_protect_sysctl();
59eeb84b
LP		 1406}
1407
59e856c7 1408static int apply_protect_kernel_modules(const Unit *u, const ExecContext *c) {
469830d1 1409 assert(u);
502d704e
DH		 1410 assert(c);
1411
25a8d8a0 1412 /* Turn off module syscalls on ProtectKernelModules=yes */
502d704e 1413
469830d1
LP		 1414 if (!c->protect_kernel_modules)
1415 return 0;
1416
502d704e
DH		 1417 if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
1418 return 0;
1419
469830d1 1420 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM));
502d704e
DH		 1421}
1422
59e856c7 1423static int apply_private_devices(const Unit *u, const ExecContext *c) {
469830d1 1424 assert(u);
ba128bb8
LP		 1425 assert(c);
1426
8f81a5f6 1427 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
ba128bb8 1428
469830d1
LP		 1429 if (!c->private_devices)
1430 return 0;
1431
ba128bb8
LP		 1432 if (skip_seccomp_unavailable(u, "PrivateDevices="))
1433 return 0;
1434
469830d1 1435 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
ba128bb8
LP		 1436}
1437
add00535 1438static int apply_restrict_namespaces(Unit *u, const ExecContext *c) {
469830d1 1439 assert(u);
add00535
LP		 1440 assert(c);
1441
1442 if (!exec_context_restrict_namespaces_set(c))
1443 return 0;
1444
1445 if (skip_seccomp_unavailable(u, "RestrictNamespaces="))
1446 return 0;
1447
1448 return seccomp_restrict_namespaces(c->restrict_namespaces);
1449}
1450
c0467cf3 1451#endif
8351ceae 1452
31a7eb86
ZJS		 1453static void do_idle_pipe_dance(int idle_pipe[4]) {
1454 assert(idle_pipe);
1455
54eb2300
LP		 1456 idle_pipe[1] = safe_close(idle_pipe[1]);
1457 idle_pipe[2] = safe_close(idle_pipe[2]);
31a7eb86
ZJS		 1458
1459 if (idle_pipe[0] >= 0) {
1460 int r;
1461
1462 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1463
1464 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
c7cc737f
LP		 1465 ssize_t n;
1466
31a7eb86 1467 /* Signal systemd that we are bored and want to continue. */
c7cc737f
LP		 1468 n = write(idle_pipe[3], "x", 1);
1469 if (n > 0)
cd972d69
ZJS		 1470 /* Wait for systemd to react to the signal above. */
1471 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
31a7eb86
ZJS		 1472 }
1473
54eb2300 1474 idle_pipe[0] = safe_close(idle_pipe[0]);
31a7eb86
ZJS		 1475
1476 }
1477
54eb2300 1478 idle_pipe[3] = safe_close(idle_pipe[3]);
31a7eb86
ZJS		 1479}
1480
7cae38c4 1481static int build_environment(
fd63e712 1482 Unit *u,
9fa95f85 1483 const ExecContext *c,
1e22b5cd 1484 const ExecParameters *p,
7cae38c4
LP		 1485 unsigned n_fds,
1486 const char *home,
1487 const char *username,
1488 const char *shell,
7bce046b
LP		 1489 dev_t journal_stream_dev,
1490 ino_t journal_stream_ino,
7cae38c4
LP		 1491 char ***ret) {
1492
1493 _cleanup_strv_free_ char **our_env = NULL;
1494 unsigned n_env = 0;
1495 char *x;
1496
4b58153d 1497 assert(u);
7cae38c4
LP		 1498 assert(c);
1499 assert(ret);
1500
4b58153d 1501 our_env = new0(char*, 14);
7cae38c4
LP		 1502 if (!our_env)
1503 return -ENOMEM;
1504
1505 if (n_fds > 0) {
8dd4c05b
LP		 1506 _cleanup_free_ char *joined = NULL;
1507
ccd06097 1508 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
7cae38c4
LP		 1509 return -ENOMEM;
1510 our_env[n_env++] = x;
1511
1512 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1513 return -ENOMEM;
1514 our_env[n_env++] = x;
8dd4c05b 1515
1e22b5cd 1516 joined = strv_join(p->fd_names, ":");
8dd4c05b
LP		 1517 if (!joined)
1518 return -ENOMEM;
1519
605405c6 1520 x = strjoin("LISTEN_FDNAMES=", joined);
8dd4c05b
LP		 1521 if (!x)
1522 return -ENOMEM;
1523 our_env[n_env++] = x;
7cae38c4
LP		 1524 }
1525
b08af3b1 1526 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
ccd06097 1527 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
09812eb7
LP		 1528 return -ENOMEM;
1529 our_env[n_env++] = x;
1530
1e22b5cd 1531 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
09812eb7
LP		 1532 return -ENOMEM;
1533 our_env[n_env++] = x;
1534 }
1535
fd63e712
LP		 1536 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1537 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1538 * check the database directly. */
1539 if (unit_has_name(u, SPECIAL_DBUS_SERVICE)) {
1540 x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1541 if (!x)
1542 return -ENOMEM;
1543 our_env[n_env++] = x;
1544 }
1545
7cae38c4
LP		 1546 if (home) {
1547 x = strappend("HOME=", home);
1548 if (!x)
1549 return -ENOMEM;
1550 our_env[n_env++] = x;
1551 }
1552
1553 if (username) {
1554 x = strappend("LOGNAME=", username);
1555 if (!x)
1556 return -ENOMEM;
1557 our_env[n_env++] = x;
1558
1559 x = strappend("USER=", username);
1560 if (!x)
1561 return -ENOMEM;
1562 our_env[n_env++] = x;
1563 }
1564
1565 if (shell) {
1566 x = strappend("SHELL=", shell);
1567 if (!x)
1568 return -ENOMEM;
1569 our_env[n_env++] = x;
1570 }
1571
4b58153d
LP		 1572 if (!sd_id128_is_null(u->invocation_id)) {
1573 if (asprintf(&x, "INVOCATION_ID=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(u->invocation_id)) < 0)
1574 return -ENOMEM;
1575
1576 our_env[n_env++] = x;
1577 }
1578
6af760f3
LP		 1579 if (exec_context_needs_term(c)) {
1580 const char *tty_path, *term = NULL;
1581
1582 tty_path = exec_context_tty_path(c);
1583
1584 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try to inherit
1585 * the $TERM set for PID 1. This is useful for containers so that the $TERM the container manager
1586 * passes to PID 1 ends up all the way in the console login shown. */
1587
1588 if (path_equal(tty_path, "/dev/console") && getppid() == 1)
1589 term = getenv("TERM");
1590 if (!term)
1591 term = default_term_for_tty(tty_path);
7cae38c4 1592
6af760f3 1593 x = strappend("TERM=", term);
7cae38c4
LP		 1594 if (!x)
1595 return -ENOMEM;
1596 our_env[n_env++] = x;
1597 }
1598
7bce046b
LP		 1599 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1600 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1601 return -ENOMEM;
1602
1603 our_env[n_env++] = x;
1604 }
1605
7cae38c4 1606 our_env[n_env++] = NULL;
7bce046b 1607 assert(n_env <= 12);
7cae38c4
LP		 1608
1609 *ret = our_env;
1610 our_env = NULL;
1611
1612 return 0;
1613}
1614
b4c14404
FB		 1615static int build_pass_environment(const ExecContext *c, char ***ret) {
1616 _cleanup_strv_free_ char **pass_env = NULL;
1617 size_t n_env = 0, n_bufsize = 0;
1618 char **i;
1619
1620 STRV_FOREACH(i, c->pass_environment) {
1621 _cleanup_free_ char *x = NULL;
1622 char *v;
1623
1624 v = getenv(*i);
1625 if (!v)
1626 continue;
605405c6 1627 x = strjoin(*i, "=", v);
b4c14404
FB		 1628 if (!x)
1629 return -ENOMEM;
1630 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1631 return -ENOMEM;
1632 pass_env[n_env++] = x;
1633 pass_env[n_env] = NULL;
1634 x = NULL;
1635 }
1636
1637 *ret = pass_env;
1638 pass_env = NULL;
1639
1640 return 0;
1641}
1642
8b44a3d2
LP		 1643static bool exec_needs_mount_namespace(
1644 const ExecContext *context,
1645 const ExecParameters *params,
1646 ExecRuntime *runtime) {
1647
1648 assert(context);
1649 assert(params);
1650
915e6d16
LP		 1651 if (context->root_image)
1652 return true;
1653
2a624c36
AP		 1654 if (!strv_isempty(context->read_write_paths) ||
1655 !strv_isempty(context->read_only_paths) ||
1656 !strv_isempty(context->inaccessible_paths))
8b44a3d2
LP		 1657 return true;
1658
d2d6c096
LP		 1659 if (context->n_bind_mounts > 0)
1660 return true;
1661
8b44a3d2
LP		 1662 if (context->mount_flags != 0)
1663 return true;
1664
1665 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1666 return true;
1667
8b44a3d2
LP		 1668 if (context->private_devices ||
1669 context->protect_system != PROTECT_SYSTEM_NO ||
59eeb84b
LP		 1670 context->protect_home != PROTECT_HOME_NO ||
1671 context->protect_kernel_tunables ||
c575770b 1672 context->protect_kernel_modules ||
59eeb84b 1673 context->protect_control_groups)
8b44a3d2
LP		 1674 return true;
1675
9c988f93 1676 if (context->mount_apivfs && (context->root_image || context->root_directory))
5d997827
LP		 1677 return true;
1678
8b44a3d2
LP		 1679 return false;
1680}
1681
d251207d
LP		 1682static int setup_private_users(uid_t uid, gid_t gid) {
1683 _cleanup_free_ char *uid_map = NULL, *gid_map = NULL;
1684 _cleanup_close_pair_ int errno_pipe[2] = { -1, -1 };
1685 _cleanup_close_ int unshare_ready_fd = -1;
1686 _cleanup_(sigkill_waitp) pid_t pid = 0;
1687 uint64_t c = 1;
1688 siginfo_t si;
1689 ssize_t n;
1690 int r;
1691
1692 /* Set up a user namespace and map root to root, the selected UID/GID to itself, and everything else to
1693 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1694 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1695 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1696 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
1697 * continues execution normally. */
1698
587ab01b
ZJS		 1699 if (uid != 0 && uid_is_valid(uid)) {
1700 r = asprintf(&uid_map,
1701 "0 0 1\n" /* Map root → root */
1702 UID_FMT " " UID_FMT " 1\n", /* Map $UID → $UID */
1703 uid, uid);
1704 if (r < 0)
1705 return -ENOMEM;
1706 } else {
e0f3720e 1707 uid_map = strdup("0 0 1\n"); /* The case where the above is the same */
587ab01b
ZJS		 1708 if (!uid_map)
1709 return -ENOMEM;
1710 }
d251207d 1711
587ab01b
ZJS		 1712 if (gid != 0 && gid_is_valid(gid)) {
1713 r = asprintf(&gid_map,
1714 "0 0 1\n" /* Map root → root */
1715 GID_FMT " " GID_FMT " 1\n", /* Map $GID → $GID */
1716 gid, gid);
1717 if (r < 0)
1718 return -ENOMEM;
1719 } else {
d251207d 1720 gid_map = strdup("0 0 1\n"); /* The case where the above is the same */
587ab01b
ZJS		 1721 if (!gid_map)
1722 return -ENOMEM;
1723 }
d251207d
LP		 1724
1725 /* Create a communication channel so that the parent can tell the child when it finished creating the user
1726 * namespace. */
1727 unshare_ready_fd = eventfd(0, EFD_CLOEXEC);
1728 if (unshare_ready_fd < 0)
1729 return -errno;
1730
1731 /* Create a communication channel so that the child can tell the parent a proper error code in case it
1732 * failed. */
1733 if (pipe2(errno_pipe, O_CLOEXEC) < 0)
1734 return -errno;
1735
1736 pid = fork();
1737 if (pid < 0)
1738 return -errno;
1739
1740 if (pid == 0) {
1741 _cleanup_close_ int fd = -1;
1742 const char *a;
1743 pid_t ppid;
1744
1745 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
1746 * here, after the parent opened its own user namespace. */
1747
1748 ppid = getppid();
1749 errno_pipe[0] = safe_close(errno_pipe[0]);
1750
1751 /* Wait until the parent unshared the user namespace */
1752 if (read(unshare_ready_fd, &c, sizeof(c)) < 0) {
1753 r = -errno;
1754 goto child_fail;
1755 }
1756
1757 /* Disable the setgroups() system call in the child user namespace, for good. */
1758 a = procfs_file_alloca(ppid, "setgroups");
1759 fd = open(a, O_WRONLY|O_CLOEXEC);
1760 if (fd < 0) {
1761 if (errno != ENOENT) {
1762 r = -errno;
1763 goto child_fail;
1764 }
1765
1766 /* If the file is missing the kernel is too old, let's continue anyway. */
1767 } else {
1768 if (write(fd, "deny\n", 5) < 0) {
1769 r = -errno;
1770 goto child_fail;
1771 }
1772
1773 fd = safe_close(fd);
1774 }
1775
1776 /* First write the GID map */
1777 a = procfs_file_alloca(ppid, "gid_map");
1778 fd = open(a, O_WRONLY|O_CLOEXEC);
1779 if (fd < 0) {
1780 r = -errno;
1781 goto child_fail;
1782 }
1783 if (write(fd, gid_map, strlen(gid_map)) < 0) {
1784 r = -errno;
1785 goto child_fail;
1786 }
1787 fd = safe_close(fd);
1788
1789 /* The write the UID map */
1790 a = procfs_file_alloca(ppid, "uid_map");
1791 fd = open(a, O_WRONLY|O_CLOEXEC);
1792 if (fd < 0) {
1793 r = -errno;
1794 goto child_fail;
1795 }
1796 if (write(fd, uid_map, strlen(uid_map)) < 0) {
1797 r = -errno;
1798 goto child_fail;
1799 }
1800
1801 _exit(EXIT_SUCCESS);
1802
1803 child_fail:
1804 (void) write(errno_pipe[1], &r, sizeof(r));
1805 _exit(EXIT_FAILURE);
1806 }
1807
1808 errno_pipe[1] = safe_close(errno_pipe[1]);
1809
1810 if (unshare(CLONE_NEWUSER) < 0)
1811 return -errno;
1812
1813 /* Let the child know that the namespace is ready now */
1814 if (write(unshare_ready_fd, &c, sizeof(c)) < 0)
1815 return -errno;
1816
1817 /* Try to read an error code from the child */
1818 n = read(errno_pipe[0], &r, sizeof(r));
1819 if (n < 0)
1820 return -errno;
1821 if (n == sizeof(r)) { /* an error code was sent to us */
1822 if (r < 0)
1823 return r;
1824 return -EIO;
1825 }
1826 if (n != 0) /* on success we should have read 0 bytes */
1827 return -EIO;
1828
1829 r = wait_for_terminate(pid, &si);
1830 if (r < 0)
1831 return r;
1832 pid = 0;
1833
1834 /* If something strange happened with the child, let's consider this fatal, too */
1835 if (si.si_code != CLD_EXITED || si.si_status != 0)
1836 return -EIO;
1837
1838 return 0;
1839}
1840
07689d5d
LP		 1841static int setup_runtime_directory(
1842 const ExecContext *context,
1843 const ExecParameters *params,
1844 uid_t uid,
1845 gid_t gid) {
1846
1847 char **rt;
1848 int r;
1849
1850 assert(context);
1851 assert(params);
1852
1853 STRV_FOREACH(rt, context->runtime_directory) {
1854 _cleanup_free_ char *p;
1855
605405c6 1856 p = strjoin(params->runtime_prefix, "/", *rt);
07689d5d
LP		 1857 if (!p)
1858 return -ENOMEM;
1859
1860 r = mkdir_p_label(p, context->runtime_directory_mode);
1861 if (r < 0)
1862 return r;
1863
1864 r = chmod_and_chown(p, context->runtime_directory_mode, uid, gid);
1865 if (r < 0)
1866 return r;
1867 }
1868
1869 return 0;
1870}
1871
cefc33ae
LP		 1872static int setup_smack(
1873 const ExecContext *context,
1874 const ExecCommand *command) {
1875
1876#ifdef HAVE_SMACK
1877 int r;
1878
1879 assert(context);
1880 assert(command);
1881
1882 if (!mac_smack_use())
1883 return 0;
1884
1885 if (context->smack_process_label) {
1886 r = mac_smack_apply_pid(0, context->smack_process_label);
1887 if (r < 0)
1888 return r;
1889 }
1890#ifdef SMACK_DEFAULT_PROCESS_LABEL
1891 else {
1892 _cleanup_free_ char *exec_label = NULL;
1893
1894 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
1895 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP)
1896 return r;
1897
1898 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
1899 if (r < 0)
1900 return r;
1901 }
1902#endif
1903#endif
1904
1905 return 0;
1906}
1907
3fbe8dbe
LP		 1908static int compile_read_write_paths(
1909 const ExecContext *context,
1910 const ExecParameters *params,
1911 char ***ret) {
1912
1913 _cleanup_strv_free_ char **l = NULL;
1914 char **rt;
1915
06ec51d8
ZJS		 1916 /* Compile the list of writable paths. This is the combination of
1917 * the explicitly configured paths, plus all runtime directories. */
3fbe8dbe
LP		 1918
1919 if (strv_isempty(context->read_write_paths) &&
1920 strv_isempty(context->runtime_directory)) {
1921 *ret = NULL; /* NOP if neither is set */
1922 return 0;
1923 }
1924
1925 l = strv_copy(context->read_write_paths);
1926 if (!l)
1927 return -ENOMEM;
1928
1929 STRV_FOREACH(rt, context->runtime_directory) {
1930 char *s;
1931
605405c6 1932 s = strjoin(params->runtime_prefix, "/", *rt);
3fbe8dbe
LP		 1933 if (!s)
1934 return -ENOMEM;
1935
1936 if (strv_consume(&l, s) < 0)
1937 return -ENOMEM;
1938 }
1939
1940 *ret = l;
1941 l = NULL;
1942
1943 return 0;
1944}
1945
6818c54c
LP		 1946static int apply_mount_namespace(
1947 Unit *u,
1948 ExecCommand *command,
1949 const ExecContext *context,
1950 const ExecParameters *params,
1951 ExecRuntime *runtime) {
1952
06ec51d8 1953 _cleanup_strv_free_ char **rw = NULL;
93c6bb51 1954 char *tmp = NULL, *var = NULL;
915e6d16 1955 const char *root_dir = NULL, *root_image = NULL;
93c6bb51 1956 NameSpaceInfo ns_info = {
af964954 1957 .ignore_protect_paths = false,
93c6bb51
DH		 1958 .private_dev = context->private_devices,
1959 .protect_control_groups = context->protect_control_groups,
1960 .protect_kernel_tunables = context->protect_kernel_tunables,
1961 .protect_kernel_modules = context->protect_kernel_modules,
5d997827 1962 .mount_apivfs = context->mount_apivfs,
93c6bb51 1963 };
6818c54c
LP		 1964 bool apply_restrictions;
1965 int r;
93c6bb51 1966
2b3c1b9e
DH		 1967 assert(context);
1968
93c6bb51
DH		 1969 /* The runtime struct only contains the parent of the private /tmp,
1970 * which is non-accessible to world users. Inside of it there's a /tmp
1971 * that is sticky, and that's the one we want to use here. */
1972
1973 if (context->private_tmp && runtime) {
1974 if (runtime->tmp_dir)
1975 tmp = strjoina(runtime->tmp_dir, "/tmp");
1976 if (runtime->var_tmp_dir)
1977 var = strjoina(runtime->var_tmp_dir, "/tmp");
1978 }
1979
1980 r = compile_read_write_paths(context, params, &rw);
1981 if (r < 0)
1982 return r;
1983
915e6d16
LP		 1984 if (params->flags & EXEC_APPLY_CHROOT) {
1985 root_image = context->root_image;
1986
1987 if (!root_image)
1988 root_dir = context->root_directory;
1989 }
93c6bb51 1990
af964954
DH		 1991 /*
1992 * If DynamicUser=no and RootDirectory= is set then lets pass a relaxed
1993 * sandbox info, otherwise enforce it, don't ignore protected paths and
1994 * fail if we are enable to apply the sandbox inside the mount namespace.
1995 */
1996 if (!context->dynamic_user && root_dir)
1997 ns_info.ignore_protect_paths = true;
1998
6818c54c
LP		 1999 apply_restrictions = (params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged;
2000
915e6d16
LP		 2001 r = setup_namespace(root_dir, root_image,
2002 &ns_info, rw,
6818c54c
LP		 2003 apply_restrictions ? context->read_only_paths : NULL,
2004 apply_restrictions ? context->inaccessible_paths : NULL,
d2d6c096
LP		 2005 context->bind_mounts,
2006 context->n_bind_mounts,
93c6bb51
DH		 2007 tmp,
2008 var,
6818c54c
LP		 2009 apply_restrictions ? context->protect_home : PROTECT_HOME_NO,
2010 apply_restrictions ? context->protect_system : PROTECT_SYSTEM_NO,
915e6d16
LP		 2011 context->mount_flags,
2012 DISSECT_IMAGE_DISCARD_ON_LOOP);
93c6bb51
DH		 2013
2014 /* If we couldn't set up the namespace this is probably due to a
2015 * missing capability. In this case, silently proceeed. */
2016 if (IN_SET(r, -EPERM, -EACCES)) {
2017 log_open();
2018 log_unit_debug_errno(u, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
2019 log_close();
2020 r = 0;
2021 }
2022
2023 return r;
2024}
2025
915e6d16
LP		 2026static int apply_working_directory(
2027 const ExecContext *context,
2028 const ExecParameters *params,
2029 const char *home,
376fecf6
LP		 2030 const bool needs_mount_ns,
2031 int *exit_status) {
915e6d16 2032
6732edab 2033 const char *d, *wd;
2b3c1b9e
DH		 2034
2035 assert(context);
376fecf6 2036 assert(exit_status);
2b3c1b9e 2037
6732edab
LP		 2038 if (context->working_directory_home) {
2039
376fecf6
LP		 2040 if (!home) {
2041 *exit_status = EXIT_CHDIR;
6732edab 2042 return -ENXIO;
376fecf6 2043 }
6732edab 2044
2b3c1b9e 2045 wd = home;
6732edab
LP		 2046
2047 } else if (context->working_directory)
2b3c1b9e
DH		 2048 wd = context->working_directory;
2049 else
2050 wd = "/";
e7f1e7c6
DH		 2051
2052 if (params->flags & EXEC_APPLY_CHROOT) {
2053 if (!needs_mount_ns && context->root_directory)
376fecf6
LP		 2054 if (chroot(context->root_directory) < 0) {
2055 *exit_status = EXIT_CHROOT;
e7f1e7c6 2056 return -errno;
376fecf6 2057 }
e7f1e7c6 2058
2b3c1b9e
DH		 2059 d = wd;
2060 } else
3b0e5bb5 2061 d = prefix_roota(context->root_directory, wd);
e7f1e7c6 2062
376fecf6
LP		 2063 if (chdir(d) < 0 && !context->working_directory_missing_ok) {
2064 *exit_status = EXIT_CHDIR;
2b3c1b9e 2065 return -errno;
376fecf6 2066 }
e7f1e7c6
DH		 2067
2068 return 0;
2069}
2070
74dd6b51
LP		 2071static int setup_keyring(Unit *u, const ExecParameters *p, uid_t uid, gid_t gid) {
2072 key_serial_t keyring;
2073
2074 assert(u);
2075 assert(p);
2076
2077 /* Let's set up a new per-service "session" kernel keyring for each system service. This has the benefit that
2078 * each service runs with its own keyring shared among all processes of the service, but with no hook-up beyond
2079 * that scope, and in particular no link to the per-UID keyring. If we don't do this the keyring will be
2080 * automatically created on-demand and then linked to the per-UID keyring, by the kernel. The kernel's built-in
2081 * on-demand behaviour is very appropriate for login users, but probably not so much for system services, where
2082 * UIDs are not necessarily specific to a service but reused (at least in the case of UID 0). */
2083
2084 if (!(p->flags & EXEC_NEW_KEYRING))
2085 return 0;
2086
2087 keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0);
2088 if (keyring == -1) {
2089 if (errno == ENOSYS)
2090 log_debug_errno(errno, "Kernel keyring not supported, ignoring.");
2091 else if (IN_SET(errno, EACCES, EPERM))
2092 log_debug_errno(errno, "Kernel keyring access prohibited, ignoring.");
2093 else if (errno == EDQUOT)
2094 log_debug_errno(errno, "Out of kernel keyrings to allocate, ignoring.");
2095 else
2096 return log_error_errno(errno, "Setting up kernel keyring failed: %m");
2097
2098 return 0;
2099 }
2100
b3415f5d
LP		 2101 /* Populate they keyring with the invocation ID by default. */
2102 if (!sd_id128_is_null(u->invocation_id)) {
2103 key_serial_t key;
2104
2105 key = add_key("user", "invocation_id", &u->invocation_id, sizeof(u->invocation_id), KEY_SPEC_SESSION_KEYRING);
2106 if (key == -1)
2107 log_debug_errno(errno, "Failed to add invocation ID to keyring, ignoring: %m");
2108 else {
2109 if (keyctl(KEYCTL_SETPERM, key,
2110 KEY_POS_VIEW|KEY_POS_READ|KEY_POS_SEARCH|
2111 KEY_USR_VIEW|KEY_USR_READ|KEY_USR_SEARCH, 0, 0) < 0)
2112 return log_error_errno(errno, "Failed to restrict invocation ID permission: %m");
2113 }
2114 }
2115
74dd6b51
LP		 2116 /* And now, make the keyring owned by the service's user */
2117 if (uid_is_valid(uid) || gid_is_valid(gid))
2118 if (keyctl(KEYCTL_CHOWN, keyring, uid, gid, 0) < 0)
2119 return log_error_errno(errno, "Failed to change ownership of session keyring: %m");
2120
2121 return 0;
2122}
2123
29206d46
LP		 2124static void append_socket_pair(int *array, unsigned *n, int pair[2]) {
2125 assert(array);
2126 assert(n);
2127
2128 if (!pair)
2129 return;
2130
2131 if (pair[0] >= 0)
2132 array[(*n)++] = pair[0];
2133 if (pair[1] >= 0)
2134 array[(*n)++] = pair[1];
2135}
2136
a34ceba6
LP		 2137static int close_remaining_fds(
2138 const ExecParameters *params,
2139 ExecRuntime *runtime,
29206d46 2140 DynamicCreds *dcreds,
00d9ef85 2141 int user_lookup_fd,
a34ceba6
LP		 2142 int socket_fd,
2143 int *fds, unsigned n_fds) {
2144
2145 unsigned n_dont_close = 0;
00d9ef85 2146 int dont_close[n_fds + 12];
a34ceba6
LP		 2147
2148 assert(params);
2149
2150 if (params->stdin_fd >= 0)
2151 dont_close[n_dont_close++] = params->stdin_fd;
2152 if (params->stdout_fd >= 0)
2153 dont_close[n_dont_close++] = params->stdout_fd;
2154 if (params->stderr_fd >= 0)
2155 dont_close[n_dont_close++] = params->stderr_fd;
2156
2157 if (socket_fd >= 0)
2158 dont_close[n_dont_close++] = socket_fd;
2159 if (n_fds > 0) {
2160 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
2161 n_dont_close += n_fds;
2162 }
2163
29206d46
LP		 2164 if (runtime)
2165 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
2166
2167 if (dcreds) {
2168 if (dcreds->user)
2169 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
2170 if (dcreds->group)
2171 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
a34ceba6
LP		 2172 }
2173
00d9ef85
LP		 2174 if (user_lookup_fd >= 0)
2175 dont_close[n_dont_close++] = user_lookup_fd;
2176
a34ceba6
LP		 2177 return close_all_fds(dont_close, n_dont_close);
2178}
2179
00d9ef85
LP		 2180static int send_user_lookup(
2181 Unit *unit,
2182 int user_lookup_fd,
2183 uid_t uid,
2184 gid_t gid) {
2185
2186 assert(unit);
2187
2188 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
2189 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
2190 * specified. */
2191
2192 if (user_lookup_fd < 0)
2193 return 0;
2194
2195 if (!uid_is_valid(uid) && !gid_is_valid(gid))
2196 return 0;
2197
2198 if (writev(user_lookup_fd,
2199 (struct iovec[]) {
2200 { .iov_base = &uid, .iov_len = sizeof(uid) },
2201 { .iov_base = &gid, .iov_len = sizeof(gid) },
2202 { .iov_base = unit->id, .iov_len = strlen(unit->id) }}, 3) < 0)
2203 return -errno;
2204
2205 return 0;
2206}
2207
6732edab
LP		 2208static int acquire_home(const ExecContext *c, uid_t uid, const char** home, char **buf) {
2209 int r;
2210
2211 assert(c);
2212 assert(home);
2213 assert(buf);
2214
2215 /* If WorkingDirectory=~ is set, try to acquire a usable home directory. */
2216
2217 if (*home)
2218 return 0;
2219
2220 if (!c->working_directory_home)
2221 return 0;
2222
2223 if (uid == 0) {
2224 /* Hardcode /root as home directory for UID 0 */
2225 *home = "/root";
2226 return 1;
2227 }
2228
2229 r = get_home_dir(buf);
2230 if (r < 0)
2231 return r;
2232
2233 *home = *buf;
2234 return 1;
2235}
2236
ff0af2a1 2237static int exec_child(
f2341e0a 2238 Unit *unit,
ff0af2a1
LP		 2239 ExecCommand *command,
2240 const ExecContext *context,
2241 const ExecParameters *params,
2242 ExecRuntime *runtime,
29206d46 2243 DynamicCreds *dcreds,
ff0af2a1
LP		 2244 char **argv,
2245 int socket_fd,
52c239d7 2246 int named_iofds[3],
ff0af2a1 2247 int *fds, unsigned n_fds,
9b141911 2248 unsigned n_socket_fds,
ff0af2a1 2249 char **files_env,
00d9ef85 2250 int user_lookup_fd,
70dd455c
ZJS		 2251 int *exit_status,
2252 char **error_message) {
d35fbf6b 2253
2065ca69 2254 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **final_argv = NULL;
6732edab 2255 _cleanup_free_ char *mac_selinux_context_net = NULL, *home_buffer = NULL;
4d885bd3
DH		 2256 _cleanup_free_ gid_t *supplementary_gids = NULL;
2257 const char *username = NULL, *groupname = NULL;
2b3c1b9e 2258 const char *home = NULL, *shell = NULL;
7bce046b
LP		 2259 dev_t journal_stream_dev = 0;
2260 ino_t journal_stream_ino = 0;
2261 bool needs_mount_namespace;
fed1e721
LP		 2262 uid_t uid = UID_INVALID;
2263 gid_t gid = GID_INVALID;
4d885bd3 2264 int i, r, ngids = 0;
034c6ed7 2265
f2341e0a 2266 assert(unit);
5cb5a6ff
LP		 2267 assert(command);
2268 assert(context);
d35fbf6b 2269 assert(params);
ff0af2a1 2270 assert(exit_status);
70dd455c
ZJS		 2271 assert(error_message);
2272 /* We don't always set error_message, hence it must be initialized */
2273 assert(*error_message == NULL);
d35fbf6b
DM		 2274
2275 rename_process_from_path(command->path);
2276
2277 /* We reset exactly these signals, since they are the
2278 * only ones we set to SIG_IGN in the main daemon. All
2279 * others we leave untouched because we set them to
2280 * SIG_DFL or a valid handler initially, both of which
2281 * will be demoted to SIG_DFL. */
ce30c8dc
LP		 2282 (void) default_signals(SIGNALS_CRASH_HANDLER,
2283 SIGNALS_IGNORE, -1);
d35fbf6b
DM		 2284
2285 if (context->ignore_sigpipe)
ce30c8dc 2286 (void) ignore_signals(SIGPIPE, -1);
d35fbf6b 2287
ff0af2a1
LP		 2288 r = reset_signal_mask();
2289 if (r < 0) {
2290 *exit_status = EXIT_SIGNAL_MASK;
70dd455c
ZJS		 2291 *error_message = strdup("Failed to reset signal mask");
2292 /* If strdup fails, here and below, we will just print the generic error message. */
ff0af2a1 2293 return r;
d35fbf6b 2294 }
034c6ed7 2295
d35fbf6b
DM		 2296 if (params->idle_pipe)
2297 do_idle_pipe_dance(params->idle_pipe);
4f2d528d 2298
d35fbf6b
DM		 2299 /* Close sockets very early to make sure we don't
2300 * block init reexecution because it cannot bind its
2301 * sockets */
ff0af2a1 2302
d35fbf6b 2303 log_forget_fds();
4f2d528d 2304
00d9ef85 2305 r = close_remaining_fds(params, runtime, dcreds, user_lookup_fd, socket_fd, fds, n_fds);
ff0af2a1
LP		 2306 if (r < 0) {
2307 *exit_status = EXIT_FDS;
70dd455c 2308 *error_message = strdup("Failed to close remaining fds");
ff0af2a1 2309 return r;
8c7be95e
LP		 2310 }
2311
d35fbf6b
DM		 2312 if (!context->same_pgrp)
2313 if (setsid() < 0) {
ff0af2a1 2314 *exit_status = EXIT_SETSID;
d35fbf6b
DM		 2315 return -errno;
2316 }
9e2f7c11 2317
1e22b5cd 2318 exec_context_tty_reset(context, params);
d35fbf6b 2319
c891efaf 2320 if (unit_shall_confirm_spawn(unit)) {
7d5ceb64 2321 const char *vc = params->confirm_spawn;
3b20f877
FB		 2322 _cleanup_free_ char *cmdline = NULL;
2323
2324 cmdline = exec_command_line(argv);
2325 if (!cmdline) {
2326 *exit_status = EXIT_CONFIRM;
2327 return -ENOMEM;
2328 }
d35fbf6b 2329
eedf223a 2330 r = ask_for_confirmation(vc, unit, cmdline);
3b20f877
FB		 2331 if (r != CONFIRM_EXECUTE) {
2332 if (r == CONFIRM_PRETEND_SUCCESS) {
2333 *exit_status = EXIT_SUCCESS;
2334 return 0;
2335 }
ff0af2a1 2336 *exit_status = EXIT_CONFIRM;
70dd455c 2337 *error_message = strdup("Execution cancelled");
d35fbf6b 2338 return -ECANCELED;
d35fbf6b
DM		 2339 }
2340 }
1a63a750 2341
29206d46
LP		 2342 if (context->dynamic_user && dcreds) {
2343
409093fe
LP		 2344 /* Make sure we bypass our own NSS module for any NSS checks */
2345 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
2346 *exit_status = EXIT_USER;
70dd455c 2347 *error_message = strdup("Failed to update environment");
409093fe
LP		 2348 return -errno;
2349 }
2350
29206d46 2351 r = dynamic_creds_realize(dcreds, &uid, &gid);
ff0af2a1
LP		 2352 if (r < 0) {
2353 *exit_status = EXIT_USER;
70dd455c 2354 *error_message = strdup("Failed to update dynamic user credentials");
ff0af2a1 2355 return r;
524daa8c 2356 }
524daa8c 2357
70dd455c 2358 if (!uid_is_valid(uid)) {
29206d46 2359 *exit_status = EXIT_USER;
70dd455c
ZJS		 2360 (void) asprintf(error_message, "UID validation failed for \""UID_FMT"\"", uid);
2361 /* If asprintf fails, here and below, we will just print the generic error message. */
2362 return -ESRCH;
2363 }
2364
2365 if (!gid_is_valid(gid)) {
2366 *exit_status = EXIT_USER;
2367 (void) asprintf(error_message, "GID validation failed for \""GID_FMT"\"", gid);
29206d46
LP		 2368 return -ESRCH;
2369 }
5bc7452b 2370
29206d46
LP		 2371 if (dcreds->user)
2372 username = dcreds->user->name;
2373
2374 } else {
4d885bd3
DH		 2375 r = get_fixed_user(context, &username, &uid, &gid, &home, &shell);
2376 if (r < 0) {
2377 *exit_status = EXIT_USER;
70dd455c 2378 *error_message = strdup("Failed to determine user credentials");
4d885bd3 2379 return r;
5bc7452b 2380 }
5bc7452b 2381
4d885bd3
DH		 2382 r = get_fixed_group(context, &groupname, &gid);
2383 if (r < 0) {
2384 *exit_status = EXIT_GROUP;
70dd455c 2385 *error_message = strdup("Failed to determine group credentials");
4d885bd3
DH		 2386 return r;
2387 }
cdc5d5c5 2388 }
29206d46 2389
cdc5d5c5
DH		 2390 /* Initialize user supplementary groups and get SupplementaryGroups= ones */
2391 r = get_supplementary_groups(context, username, groupname, gid,
2392 &supplementary_gids, &ngids);
2393 if (r < 0) {
2394 *exit_status = EXIT_GROUP;
70dd455c 2395 *error_message = strdup("Failed to determine supplementary groups");
cdc5d5c5 2396 return r;
29206d46 2397 }
5bc7452b 2398
00d9ef85
LP		 2399 r = send_user_lookup(unit, user_lookup_fd, uid, gid);
2400 if (r < 0) {
2401 *exit_status = EXIT_USER;
70dd455c 2402 *error_message = strdup("Failed to send user credentials to PID1");
00d9ef85
LP		 2403 return r;
2404 }
2405
2406 user_lookup_fd = safe_close(user_lookup_fd);
2407
6732edab
LP		 2408 r = acquire_home(context, uid, &home, &home_buffer);
2409 if (r < 0) {
2410 *exit_status = EXIT_CHDIR;
2411 *error_message = strdup("Failed to determine $HOME for user");
2412 return r;
2413 }
2414
d35fbf6b
DM		 2415 /* If a socket is connected to STDIN/STDOUT/STDERR, we
2416 * must sure to drop O_NONBLOCK */
2417 if (socket_fd >= 0)
a34ceba6 2418 (void) fd_nonblock(socket_fd, false);
acbb0225 2419
52c239d7 2420 r = setup_input(context, params, socket_fd, named_iofds);
ff0af2a1
LP		 2421 if (r < 0) {
2422 *exit_status = EXIT_STDIN;
70dd455c 2423 *error_message = strdup("Failed to set up stdin");
ff0af2a1 2424 return r;
d35fbf6b 2425 }
034c6ed7 2426
52c239d7 2427 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 2428 if (r < 0) {
2429 *exit_status = EXIT_STDOUT;
70dd455c 2430 *error_message = strdup("Failed to set up stdout");
ff0af2a1 2431 return r;
d35fbf6b
DM		 2432 }
2433
52c239d7 2434 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 2435 if (r < 0) {
2436 *exit_status = EXIT_STDERR;
70dd455c 2437 *error_message = strdup("Failed to set up stderr");
ff0af2a1 2438 return r;
d35fbf6b
DM		 2439 }
2440
2441 if (params->cgroup_path) {
ff0af2a1
LP		 2442 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
2443 if (r < 0) {
2444 *exit_status = EXIT_CGROUP;
70dd455c 2445 (void) asprintf(error_message, "Failed to attach to cgroup %s", params->cgroup_path);
ff0af2a1 2446 return r;
309bff19 2447 }
d35fbf6b 2448 }
309bff19 2449
d35fbf6b 2450 if (context->oom_score_adjust_set) {
d5243d62 2451 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
f2b68789 2452
d5243d62
LP		 2453 /* When we can't make this change due to EPERM, then
2454 * let's silently skip over it. User namespaces
2455 * prohibit write access to this file, and we
2456 * shouldn't trip up over that. */
613b411c 2457
d5243d62 2458 sprintf(t, "%i", context->oom_score_adjust);
ad118bda 2459 r = write_string_file("/proc/self/oom_score_adj", t, 0);
6cb7fa17 2460 if (r == -EPERM || r == -EACCES) {
ff0af2a1 2461 log_open();
f2341e0a 2462 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
ff0af2a1
LP		 2463 log_close();
2464 } else if (r < 0) {
2465 *exit_status = EXIT_OOM_ADJUST;
70dd455c 2466 *error_message = strdup("Failed to write /proc/self/oom_score_adj");
d35fbf6b 2467 return -errno;
613b411c 2468 }
d35fbf6b
DM		 2469 }
2470
2471 if (context->nice_set)
2472 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
ff0af2a1 2473 *exit_status = EXIT_NICE;
d35fbf6b 2474 return -errno;
613b411c
LP		 2475 }
2476
d35fbf6b
DM		 2477 if (context->cpu_sched_set) {
2478 struct sched_param param = {
2479 .sched_priority = context->cpu_sched_priority,
2480 };
2481
ff0af2a1
LP		 2482 r = sched_setscheduler(0,
2483 context->cpu_sched_policy |
2484 (context->cpu_sched_reset_on_fork ?
2485 SCHED_RESET_ON_FORK : 0),
2486 &param);
2487 if (r < 0) {
2488 *exit_status = EXIT_SETSCHEDULER;
d35fbf6b 2489 return -errno;
fc9b2a84 2490 }
d35fbf6b 2491 }
fc9b2a84 2492
d35fbf6b
DM		 2493 if (context->cpuset)
2494 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
ff0af2a1 2495 *exit_status = EXIT_CPUAFFINITY;
d35fbf6b 2496 return -errno;
034c6ed7
LP		 2497 }
2498
d35fbf6b
DM		 2499 if (context->ioprio_set)
2500 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
ff0af2a1 2501 *exit_status = EXIT_IOPRIO;
d35fbf6b
DM		 2502 return -errno;
2503 }
da726a4d 2504
d35fbf6b
DM		 2505 if (context->timer_slack_nsec != NSEC_INFINITY)
2506 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
ff0af2a1 2507 *exit_status = EXIT_TIMERSLACK;
d35fbf6b 2508 return -errno;
4c2630eb 2509 }
9eba9da4 2510
050f7277 2511 if (context->personality != PERSONALITY_INVALID)
d35fbf6b 2512 if (personality(context->personality) < 0) {
ff0af2a1 2513 *exit_status = EXIT_PERSONALITY;
d35fbf6b 2514 return -errno;
4c2630eb 2515 }
94f04347 2516
d35fbf6b 2517 if (context->utmp_id)
6a93917d
ZJS		 2518 utmp_put_init_process(context->utmp_id, getpid(), getsid(0),
2519 context->tty_path,
023a4f67
LP		 2520 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
2521 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
2522 USER_PROCESS,
6a93917d 2523 username);
d35fbf6b 2524
e0d2adfd 2525 if (context->user) {
ff0af2a1
LP		 2526 r = chown_terminal(STDIN_FILENO, uid);
2527 if (r < 0) {
2528 *exit_status = EXIT_STDIN;
2529 return r;
071830ff 2530 }
d35fbf6b 2531 }
8e274523 2532
a931ad47
LP		 2533 /* If delegation is enabled we'll pass ownership of the cgroup
2534 * (but only in systemd's own controller hierarchy!) to the
2535 * user of the new process. */
2536 if (params->cgroup_path && context->user && params->cgroup_delegate) {
ff0af2a1
LP		 2537 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
2538 if (r < 0) {
2539 *exit_status = EXIT_CGROUP;
2540 return r;
d35fbf6b 2541 }
034c6ed7 2542
034c6ed7 2543
ff0af2a1
LP		 2544 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
2545 if (r < 0) {
2546 *exit_status = EXIT_CGROUP;
2547 return r;
034c6ed7 2548 }
d35fbf6b 2549 }
034c6ed7 2550
d35fbf6b 2551 if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
07689d5d
LP		 2552 r = setup_runtime_directory(context, params, uid, gid);
2553 if (r < 0) {
2554 *exit_status = EXIT_RUNTIME_DIRECTORY;
2555 return r;
d35fbf6b
DM		 2556 }
2557 }
94f04347 2558
7bce046b 2559 r = build_environment(
fd63e712 2560 unit,
7bce046b
LP		 2561 context,
2562 params,
2563 n_fds,
2564 home,
2565 username,
2566 shell,
2567 journal_stream_dev,
2568 journal_stream_ino,
2569 &our_env);
2065ca69
JW		 2570 if (r < 0) {
2571 *exit_status = EXIT_MEMORY;
2572 return r;
2573 }
2574
2575 r = build_pass_environment(context, &pass_env);
2576 if (r < 0) {
2577 *exit_status = EXIT_MEMORY;
2578 return r;
2579 }
2580
2581 accum_env = strv_env_merge(5,
2582 params->environment,
2583 our_env,
2584 pass_env,
2585 context->environment,
2586 files_env,
2587 NULL);
2588 if (!accum_env) {
2589 *exit_status = EXIT_MEMORY;
2590 return -ENOMEM;
2591 }
1280503b 2592 accum_env = strv_env_clean(accum_env);
2065ca69 2593
096424d1 2594 (void) umask(context->umask);
b213e1c1 2595
74dd6b51
LP		 2596 r = setup_keyring(unit, params, uid, gid);
2597 if (r < 0) {
2598 *exit_status = EXIT_KEYRING;
2599 return r;
2600 }
2601
c39f1ce2 2602 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
b213e1c1 2603 if (context->pam_name && username) {
2d6fce8d 2604 r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds);
b213e1c1
SW		 2605 if (r < 0) {
2606 *exit_status = EXIT_PAM;
2607 return r;
2608 }
d35fbf6b 2609 }
b213e1c1 2610 }
ac45f971 2611
d35fbf6b 2612 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
ff0af2a1
LP		 2613 r = setup_netns(runtime->netns_storage_socket);
2614 if (r < 0) {
2615 *exit_status = EXIT_NETWORK;
2616 return r;
d35fbf6b
DM		 2617 }
2618 }
169c1bda 2619
ee818b89 2620 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
ee818b89 2621 if (needs_mount_namespace) {
6818c54c 2622 r = apply_mount_namespace(unit, command, context, params, runtime);
3fbe8dbe
LP		 2623 if (r < 0) {
2624 *exit_status = EXIT_NAMESPACE;
2625 return r;
2626 }
d35fbf6b 2627 }
81a2b7ce 2628
50b3dfb9 2629 /* Apply just after mount namespace setup */
376fecf6
LP		 2630 r = apply_working_directory(context, params, home, needs_mount_namespace, exit_status);
2631 if (r < 0)
50b3dfb9 2632 return r;
50b3dfb9 2633
bbeea271 2634 /* Drop groups as early as possbile */
096424d1 2635 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
4d885bd3 2636 r = enforce_groups(context, gid, supplementary_gids, ngids);
096424d1
LP		 2637 if (r < 0) {
2638 *exit_status = EXIT_GROUP;
2639 return r;
2640 }
2641 }
2642
9008e1ac 2643#ifdef HAVE_SELINUX
c39f1ce2
LP		 2644 if ((params->flags & EXEC_APPLY_PERMISSIONS) &&
2645 mac_selinux_use() &&
2646 params->selinux_context_net &&
2647 socket_fd >= 0 &&
2648 !command->privileged) {
2649
ff0af2a1
LP		 2650 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
2651 if (r < 0) {
2652 *exit_status = EXIT_SELINUX_CONTEXT;
2653 return r;
9008e1ac
MS		 2654 }
2655 }
2656#endif
2657
d87a2ef7 2658 if ((params->flags & EXEC_APPLY_PERMISSIONS) && context->private_users) {
d251207d
LP		 2659 r = setup_private_users(uid, gid);
2660 if (r < 0) {
2661 *exit_status = EXIT_USER;
2662 return r;
2663 }
2664 }
2665
d35fbf6b
DM		 2666 /* We repeat the fd closing here, to make sure that
2667 * nothing is leaked from the PAM modules. Note that
2668 * we are more aggressive this time since socket_fd
e44da745
DM		 2669 * and the netns fds we don't need anymore. The custom
2670 * endpoint fd was needed to upload the policy and can
2671 * now be closed as well. */
ff0af2a1
LP		 2672 r = close_all_fds(fds, n_fds);
2673 if (r >= 0)
2674 r = shift_fds(fds, n_fds);
2675 if (r >= 0)
9b141911 2676 r = flags_fds(fds, n_fds, n_socket_fds, context->non_blocking);
ff0af2a1
LP		 2677 if (r < 0) {
2678 *exit_status = EXIT_FDS;
2679 return r;
d35fbf6b 2680 }
e66cf1a3 2681
c39f1ce2 2682 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
e66cf1a3 2683
755d4b67
IP		 2684 int secure_bits = context->secure_bits;
2685
d35fbf6b 2686 for (i = 0; i < _RLIMIT_MAX; i++) {
03857c43 2687
d35fbf6b
DM		 2688 if (!context->rlimit[i])
2689 continue;
2690
03857c43
LP		 2691 r = setrlimit_closest(i, context->rlimit[i]);
2692 if (r < 0) {
ff0af2a1 2693 *exit_status = EXIT_LIMITS;
03857c43 2694 return r;
e66cf1a3
LP		 2695 }
2696 }
2697
f4170c67
LP		 2698 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */
2699 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
2700 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
2701 *exit_status = EXIT_LIMITS;
2702 return -errno;
2703 }
2704 }
2705
a103496c
IP		 2706 if (!cap_test_all(context->capability_bounding_set)) {
2707 r = capability_bounding_set_drop(context->capability_bounding_set, false);
ff0af2a1
LP		 2708 if (r < 0) {
2709 *exit_status = EXIT_CAPABILITIES;
70dd455c 2710 *error_message = strdup("Failed to drop capabilities");
ff0af2a1 2711 return r;
3b8bddde 2712 }
4c2630eb 2713 }
3b8bddde 2714
755d4b67
IP		 2715 /* This is done before enforce_user, but ambient set
2716 * does not survive over setresuid() if keep_caps is not set. */
2717 if (context->capability_ambient_set != 0) {
2718 r = capability_ambient_set_apply(context->capability_ambient_set, true);
2719 if (r < 0) {
2720 *exit_status = EXIT_CAPABILITIES;
70dd455c 2721 *error_message = strdup("Failed to apply ambient capabilities (before UID change)");
755d4b67
IP		 2722 return r;
2723 }
755d4b67
IP		 2724 }
2725
d35fbf6b 2726 if (context->user) {
ff0af2a1
LP		 2727 r = enforce_user(context, uid);
2728 if (r < 0) {
2729 *exit_status = EXIT_USER;
70dd455c 2730 (void) asprintf(error_message, "Failed to change UID to "UID_FMT, uid);
ff0af2a1 2731 return r;
5b6319dc 2732 }
755d4b67
IP		 2733 if (context->capability_ambient_set != 0) {
2734
2735 /* Fix the ambient capabilities after user change. */
2736 r = capability_ambient_set_apply(context->capability_ambient_set, false);
2737 if (r < 0) {
2738 *exit_status = EXIT_CAPABILITIES;
70dd455c 2739 *error_message = strdup("Failed to apply ambient capabilities (after UID change)");
755d4b67
IP		 2740 return r;
2741 }
2742
2743 /* If we were asked to change user and ambient capabilities
2744 * were requested, we had to add keep-caps to the securebits
2745 * so that we would maintain the inherited capability set
2746 * through the setresuid(). Make sure that the bit is added
2747 * also to the context secure_bits so that we don't try to
2748 * drop the bit away next. */
2749
7f508f2c 2750 secure_bits |= 1<<SECURE_KEEP_CAPS;
755d4b67 2751 }
5b6319dc 2752 }
d35fbf6b 2753
5cd9cd35
LP		 2754 /* Apply the MAC contexts late, but before seccomp syscall filtering, as those should really be last to
2755 * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
2756 * syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
2757 * are restricted. */
2758
2759#ifdef HAVE_SELINUX
2760 if (mac_selinux_use()) {
2761 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
2762
2763 if (exec_context) {
2764 r = setexeccon(exec_context);
2765 if (r < 0) {
2766 *exit_status = EXIT_SELINUX_CONTEXT;
70dd455c 2767 (void) asprintf(error_message, "Failed to set SELinux context to %s", exec_context);
5cd9cd35
LP		 2768 return r;
2769 }
2770 }
2771 }
2772#endif
2773
2774 r = setup_smack(context, command);
2775 if (r < 0) {
2776 *exit_status = EXIT_SMACK_PROCESS_LABEL;
70dd455c 2777 *error_message = strdup("Failed to set SMACK process label");
5cd9cd35
LP		 2778 return r;
2779 }
2780
2781#ifdef HAVE_APPARMOR
2782 if (context->apparmor_profile && mac_apparmor_use()) {
2783 r = aa_change_onexec(context->apparmor_profile);
2784 if (r < 0 && !context->apparmor_profile_ignore) {
2785 *exit_status = EXIT_APPARMOR_PROFILE;
70dd455c
ZJS		 2786 (void) asprintf(error_message,
2787 "Failed to prepare AppArmor profile change to %s",
2788 context->apparmor_profile);
5cd9cd35
LP		 2789 return -errno;
2790 }
2791 }
2792#endif
2793
d35fbf6b
DM		 2794 /* PR_GET_SECUREBITS is not privileged, while
2795 * PR_SET_SECUREBITS is. So to suppress
2796 * potential EPERMs we'll try not to call
2797 * PR_SET_SECUREBITS unless necessary. */
755d4b67
IP		 2798 if (prctl(PR_GET_SECUREBITS) != secure_bits)
2799 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
ff0af2a1 2800 *exit_status = EXIT_SECUREBITS;
70dd455c 2801 *error_message = strdup("Failed to set secure bits");
d35fbf6b 2802 return -errno;
ff01d048 2803 }
5b6319dc 2804
59eeb84b 2805 if (context_has_no_new_privileges(context))
d35fbf6b 2806 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
ff0af2a1 2807 *exit_status = EXIT_NO_NEW_PRIVILEGES;
70dd455c 2808 *error_message = strdup("Failed to disable new privileges");
d35fbf6b
DM		 2809 return -errno;
2810 }
2811
2812#ifdef HAVE_SECCOMP
469830d1
LP		 2813 r = apply_address_families(unit, context);
2814 if (r < 0) {
2815 *exit_status = EXIT_ADDRESS_FAMILIES;
5b3637b4 2816 *error_message = strdup("Failed to restrict address families");
469830d1 2817 return r;
4c2630eb 2818 }
04aa0cb9 2819
469830d1
LP		 2820 r = apply_memory_deny_write_execute(unit, context);
2821 if (r < 0) {
2822 *exit_status = EXIT_SECCOMP;
5b3637b4 2823 *error_message = strdup("Failed to disable writing to executable memory");
469830d1 2824 return r;
f3e43635 2825 }
f4170c67 2826
469830d1
LP		 2827 r = apply_restrict_realtime(unit, context);
2828 if (r < 0) {
2829 *exit_status = EXIT_SECCOMP;
5b3637b4 2830 *error_message = strdup("Failed to apply realtime restrictions");
469830d1 2831 return r;
f4170c67
LP		 2832 }
2833
add00535
LP		 2834 r = apply_restrict_namespaces(unit, context);
2835 if (r < 0) {
2836 *exit_status = EXIT_SECCOMP;
70dd455c 2837 *error_message = strdup("Failed to apply namespace restrictions");
add00535
LP		 2838 return r;
2839 }
2840
469830d1
LP		 2841 r = apply_protect_sysctl(unit, context);
2842 if (r < 0) {
2843 *exit_status = EXIT_SECCOMP;
5b3637b4 2844 *error_message = strdup("Failed to apply sysctl restrictions");
469830d1 2845 return r;
502d704e
DH		 2846 }
2847
469830d1
LP		 2848 r = apply_protect_kernel_modules(unit, context);
2849 if (r < 0) {
2850 *exit_status = EXIT_SECCOMP;
5b3637b4 2851 *error_message = strdup("Failed to apply module loading restrictions");
469830d1 2852 return r;
59eeb84b
LP		 2853 }
2854
469830d1
LP		 2855 r = apply_private_devices(unit, context);
2856 if (r < 0) {
2857 *exit_status = EXIT_SECCOMP;
5b3637b4 2858 *error_message = strdup("Failed to set up private devices");
469830d1
LP		 2859 return r;
2860 }
2861
2862 r = apply_syscall_archs(unit, context);
2863 if (r < 0) {
2864 *exit_status = EXIT_SECCOMP;
5b3637b4 2865 *error_message = strdup("Failed to apply syscall architecture restrictions");
469830d1 2866 return r;
ba128bb8
LP		 2867 }
2868
5cd9cd35
LP		 2869 /* This really should remain the last step before the execve(), to make sure our own code is unaffected
2870 * by the filter as little as possible. */
469830d1
LP		 2871 r = apply_syscall_filter(unit, context);
2872 if (r < 0) {
2873 *exit_status = EXIT_SECCOMP;
5b3637b4 2874 *error_message = strdup("Failed to apply syscall filters");
469830d1 2875 return r;
d35fbf6b
DM		 2876 }
2877#endif
d35fbf6b 2878 }
034c6ed7 2879
2065ca69 2880 final_argv = replace_env_argv(argv, accum_env);
d35fbf6b 2881 if (!final_argv) {
ff0af2a1 2882 *exit_status = EXIT_MEMORY;
70dd455c 2883 *error_message = strdup("Failed to prepare process arguments");
d35fbf6b
DM		 2884 return -ENOMEM;
2885 }
034c6ed7 2886
553d2243 2887 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
d35fbf6b 2888 _cleanup_free_ char *line;
81a2b7ce 2889
d35fbf6b
DM		 2890 line = exec_command_line(final_argv);
2891 if (line) {
2892 log_open();
f2341e0a 2893 log_struct(LOG_DEBUG,
f2341e0a
LP		 2894 "EXECUTABLE=%s", command->path,
2895 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
ba360bb0 2896 LOG_UNIT_ID(unit),
f2341e0a 2897 NULL);
d35fbf6b
DM		 2898 log_close();
2899 }
2900 }
dd305ec9 2901
2065ca69 2902 execve(command->path, final_argv, accum_env);
ff0af2a1 2903 *exit_status = EXIT_EXEC;
d35fbf6b
DM		 2904 return -errno;
2905}
81a2b7ce 2906
f2341e0a
LP		 2907int exec_spawn(Unit *unit,
2908 ExecCommand *command,
d35fbf6b
DM		 2909 const ExecContext *context,
2910 const ExecParameters *params,
2911 ExecRuntime *runtime,
29206d46 2912 DynamicCreds *dcreds,
d35fbf6b 2913 pid_t *ret) {
8351ceae 2914
d35fbf6b 2915 _cleanup_strv_free_ char **files_env = NULL;
9b141911
FB		 2916 int *fds = NULL;
2917 unsigned n_fds = 0, n_socket_fds = 0;
ff0af2a1
LP		 2918 _cleanup_free_ char *line = NULL;
2919 int socket_fd, r;
52c239d7 2920 int named_iofds[3] = { -1, -1, -1 };
ff0af2a1 2921 char **argv;
d35fbf6b 2922 pid_t pid;
8351ceae 2923
f2341e0a 2924 assert(unit);
d35fbf6b
DM		 2925 assert(command);
2926 assert(context);
2927 assert(ret);
2928 assert(params);
2929 assert(params->fds || params->n_fds <= 0);
4298d0b5 2930
d35fbf6b
DM		 2931 if (context->std_input == EXEC_INPUT_SOCKET ||
2932 context->std_output == EXEC_OUTPUT_SOCKET ||
2933 context->std_error == EXEC_OUTPUT_SOCKET) {
17df7223 2934
488ab41c 2935 if (params->n_fds > 1) {
f2341e0a 2936 log_unit_error(unit, "Got more than one socket.");
d35fbf6b 2937 return -EINVAL;
ff0af2a1 2938 }
eef65bf3 2939
488ab41c
AA		 2940 if (params->n_fds == 0) {
2941 log_unit_error(unit, "Got no socket.");
2942 return -EINVAL;
2943 }
2944
d35fbf6b
DM		 2945 socket_fd = params->fds[0];
2946 } else {
2947 socket_fd = -1;
2948 fds = params->fds;
2949 n_fds = params->n_fds;
9b141911 2950 n_socket_fds = params->n_socket_fds;
d35fbf6b 2951 }
94f04347 2952
52c239d7
LB		 2953 r = exec_context_named_iofds(unit, context, params, named_iofds);
2954 if (r < 0)
2955 return log_unit_error_errno(unit, r, "Failed to load a named file descriptor: %m");
2956
f2341e0a 2957 r = exec_context_load_environment(unit, context, &files_env);
ff0af2a1 2958 if (r < 0)
f2341e0a 2959 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
034c6ed7 2960
d35fbf6b 2961 argv = params->argv ?: command->argv;
d35fbf6b
DM		 2962 line = exec_command_line(argv);
2963 if (!line)
2964 return log_oom();
fab56fc5 2965
f2341e0a 2966 log_struct(LOG_DEBUG,
f2341e0a
LP		 2967 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
2968 "EXECUTABLE=%s", command->path,
ba360bb0 2969 LOG_UNIT_ID(unit),
f2341e0a 2970 NULL);
d35fbf6b
DM		 2971 pid = fork();
2972 if (pid < 0)
74129a12 2973 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
d35fbf6b
DM		 2974
2975 if (pid == 0) {
ff0af2a1 2976 int exit_status;
70dd455c 2977 _cleanup_free_ char *error_message = NULL;
ff0af2a1 2978
f2341e0a
LP		 2979 r = exec_child(unit,
2980 command,
ff0af2a1
LP		 2981 context,
2982 params,
2983 runtime,
29206d46 2984 dcreds,
ff0af2a1
LP		 2985 argv,
2986 socket_fd,
52c239d7 2987 named_iofds,
ff0af2a1 2988 fds, n_fds,
9b141911 2989 n_socket_fds,
ff0af2a1 2990 files_env,
00d9ef85 2991 unit->manager->user_lookup_fds[1],
70dd455c
ZJS		 2992 &exit_status,
2993 &error_message);
ff0af2a1 2994 if (r < 0) {
4c2630eb 2995 log_open();
70dd455c
ZJS		 2996 if (error_message)
2997 log_struct_errno(LOG_ERR, r,
2b044526 2998 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
70dd455c
ZJS		 2999 LOG_UNIT_ID(unit),
3000 LOG_UNIT_MESSAGE(unit, "%s: %m",
3001 error_message),
3002 "EXECUTABLE=%s", command->path,
3003 NULL);
4d8b0f0f
YW		 3004 else if (r == -ENOENT && command->ignore)
3005 log_struct_errno(LOG_INFO, r,
3006 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
3007 LOG_UNIT_ID(unit),
3008 LOG_UNIT_MESSAGE(unit, "Skipped spawning %s: %m",
3009 command->path),
3010 "EXECUTABLE=%s", command->path,
3011 NULL);
70dd455c
ZJS		 3012 else
3013 log_struct_errno(LOG_ERR, r,
2b044526 3014 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
70dd455c
ZJS		 3015 LOG_UNIT_ID(unit),
3016 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
3017 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
3018 command->path),
3019 "EXECUTABLE=%s", command->path,
3020 NULL);
4c2630eb
MS		 3021 }
3022
ff0af2a1 3023 _exit(exit_status);
034c6ed7
LP		 3024 }
3025
f2341e0a 3026 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
23635a85 3027
80876c20
LP		 3028 /* We add the new process to the cgroup both in the child (so
3029 * that we can be sure that no user code is ever executed
3030 * outside of the cgroup) and in the parent (so that we can be
3031 * sure that when we kill the cgroup the process will be
3032 * killed too). */
d35fbf6b 3033 if (params->cgroup_path)
dd305ec9 3034 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
2da3263a 3035
b58b4116 3036 exec_status_start(&command->exec_status, pid);
9fb86720 3037
034c6ed7 3038 *ret = pid;
5cb5a6ff
LP		 3039 return 0;
3040}
3041
034c6ed7
LP		 3042void exec_context_init(ExecContext *c) {
3043 assert(c);
3044
4c12626c 3045 c->umask = 0022;
9eba9da4 3046 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
94f04347 3047 c->cpu_sched_policy = SCHED_OTHER;
071830ff 3048 c->syslog_priority = LOG_DAEMON|LOG_INFO;
74922904 3049 c->syslog_level_prefix = true;
353e12c2 3050 c->ignore_sigpipe = true;
3a43da28 3051 c->timer_slack_nsec = NSEC_INFINITY;
050f7277 3052 c->personality = PERSONALITY_INVALID;
e66cf1a3 3053 c->runtime_directory_mode = 0755;
a103496c 3054 c->capability_bounding_set = CAP_ALL;
add00535 3055 c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
034c6ed7
LP		 3056}
3057
613b411c 3058void exec_context_done(ExecContext *c) {
5cb5a6ff
LP		 3059 unsigned l;
3060
3061 assert(c);
3062
6796073e
LP		 3063 c->environment = strv_free(c->environment);
3064 c->environment_files = strv_free(c->environment_files);
b4c14404 3065 c->pass_environment = strv_free(c->pass_environment);
8c7be95e 3066
1f6b4113 3067 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
a1e58e8e 3068 c->rlimit[l] = mfree(c->rlimit[l]);
034c6ed7 3069
52c239d7
LB		 3070 for (l = 0; l < 3; l++)
3071 c->stdio_fdname[l] = mfree(c->stdio_fdname[l]);
3072
a1e58e8e
LP		 3073 c->working_directory = mfree(c->working_directory);
3074 c->root_directory = mfree(c->root_directory);
915e6d16 3075 c->root_image = mfree(c->root_image);
a1e58e8e
LP		 3076 c->tty_path = mfree(c->tty_path);
3077 c->syslog_identifier = mfree(c->syslog_identifier);
3078 c->user = mfree(c->user);
3079 c->group = mfree(c->group);
034c6ed7 3080
6796073e 3081 c->supplementary_groups = strv_free(c->supplementary_groups);
94f04347 3082
a1e58e8e 3083 c->pam_name = mfree(c->pam_name);
5b6319dc 3084
2a624c36
AP		 3085 c->read_only_paths = strv_free(c->read_only_paths);
3086 c->read_write_paths = strv_free(c->read_write_paths);
3087 c->inaccessible_paths = strv_free(c->inaccessible_paths);
82c121a4 3088
d2d6c096
LP		 3089 bind_mount_free_many(c->bind_mounts, c->n_bind_mounts);
3090
82c121a4
LP		 3091 if (c->cpuset)
3092 CPU_FREE(c->cpuset);
86a3475b 3093
a1e58e8e
LP		 3094 c->utmp_id = mfree(c->utmp_id);
3095 c->selinux_context = mfree(c->selinux_context);
3096 c->apparmor_profile = mfree(c->apparmor_profile);
eef65bf3 3097
525d3cc7
LP		 3098 c->syscall_filter = set_free(c->syscall_filter);
3099 c->syscall_archs = set_free(c->syscall_archs);
3100 c->address_families = set_free(c->address_families);
e66cf1a3 3101
6796073e 3102 c->runtime_directory = strv_free(c->runtime_directory);
e66cf1a3
LP		 3103}
3104
3105int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
3106 char **i;
3107
3108 assert(c);
3109
3110 if (!runtime_prefix)
3111 return 0;
3112
3113 STRV_FOREACH(i, c->runtime_directory) {
3114 _cleanup_free_ char *p;
3115
605405c6 3116 p = strjoin(runtime_prefix, "/", *i);
e66cf1a3
LP		 3117 if (!p)
3118 return -ENOMEM;
3119
3120 /* We execute this synchronously, since we need to be
3121 * sure this is gone when we start the service
3122 * next. */
c6878637 3123 (void) rm_rf(p, REMOVE_ROOT);
e66cf1a3
LP		 3124 }
3125
3126 return 0;
5cb5a6ff
LP		 3127}
3128
43d0fcbd
LP		 3129void exec_command_done(ExecCommand *c) {
3130 assert(c);
3131
a1e58e8e 3132 c->path = mfree(c->path);
43d0fcbd 3133
6796073e 3134 c->argv = strv_free(c->argv);
43d0fcbd
LP		 3135}
3136
3137void exec_command_done_array(ExecCommand *c, unsigned n) {
3138 unsigned i;
3139
3140 for (i = 0; i < n; i++)
3141 exec_command_done(c+i);
3142}
3143
f1acf85a 3144ExecCommand* exec_command_free_list(ExecCommand *c) {
5cb5a6ff
LP		 3145 ExecCommand *i;
3146
3147 while ((i = c)) {
71fda00f 3148 LIST_REMOVE(command, c, i);
43d0fcbd 3149 exec_command_done(i);
5cb5a6ff
LP		 3150 free(i);
3151 }
f1acf85a
ZJS		 3152
3153 return NULL;
5cb5a6ff
LP		 3154}
3155
034c6ed7
LP		 3156void exec_command_free_array(ExecCommand **c, unsigned n) {
3157 unsigned i;
3158
f1acf85a
ZJS		 3159 for (i = 0; i < n; i++)
3160 c[i] = exec_command_free_list(c[i]);
034c6ed7
LP		 3161}
3162
039f0e70 3163typedef struct InvalidEnvInfo {
f2341e0a 3164 Unit *unit;
039f0e70
LP		 3165 const char *path;
3166} InvalidEnvInfo;
3167
3168static void invalid_env(const char *p, void *userdata) {
3169 InvalidEnvInfo *info = userdata;
3170
f2341e0a 3171 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
039f0e70
LP		 3172}
3173
52c239d7
LB		 3174const char* exec_context_fdname(const ExecContext *c, int fd_index) {
3175 assert(c);
3176
3177 switch (fd_index) {
3178 case STDIN_FILENO:
3179 if (c->std_input != EXEC_INPUT_NAMED_FD)
3180 return NULL;
3181 return c->stdio_fdname[STDIN_FILENO] ?: "stdin";
3182 case STDOUT_FILENO:
3183 if (c->std_output != EXEC_OUTPUT_NAMED_FD)
3184 return NULL;
3185 return c->stdio_fdname[STDOUT_FILENO] ?: "stdout";
3186 case STDERR_FILENO:
3187 if (c->std_error != EXEC_OUTPUT_NAMED_FD)
3188 return NULL;
3189 return c->stdio_fdname[STDERR_FILENO] ?: "stderr";
3190 default:
3191 return NULL;
3192 }
3193}
3194
3195int exec_context_named_iofds(Unit *unit, const ExecContext *c, const ExecParameters *p, int named_iofds[3]) {
3196 unsigned i, targets;
56fbd561 3197 const char* stdio_fdname[3];
52c239d7
LB		 3198
3199 assert(c);
3200 assert(p);
3201
3202 targets = (c->std_input == EXEC_INPUT_NAMED_FD) +
3203 (c->std_output == EXEC_OUTPUT_NAMED_FD) +
3204 (c->std_error == EXEC_OUTPUT_NAMED_FD);
3205
3206 for (i = 0; i < 3; i++)
3207 stdio_fdname[i] = exec_context_fdname(c, i);
3208
3209 for (i = 0; i < p->n_fds && targets > 0; i++)
56fbd561
ZJS		 3210 if (named_iofds[STDIN_FILENO] < 0 &&
3211 c->std_input == EXEC_INPUT_NAMED_FD &&
3212 stdio_fdname[STDIN_FILENO] &&
3213 streq(p->fd_names[i], stdio_fdname[STDIN_FILENO])) {
3214
52c239d7
LB		 3215 named_iofds[STDIN_FILENO] = p->fds[i];
3216 targets--;
56fbd561
ZJS		 3217
3218 } else if (named_iofds[STDOUT_FILENO] < 0 &&
3219 c->std_output == EXEC_OUTPUT_NAMED_FD &&
3220 stdio_fdname[STDOUT_FILENO] &&
3221 streq(p->fd_names[i], stdio_fdname[STDOUT_FILENO])) {
3222
52c239d7
LB		 3223 named_iofds[STDOUT_FILENO] = p->fds[i];
3224 targets--;
56fbd561
ZJS		 3225
3226 } else if (named_iofds[STDERR_FILENO] < 0 &&
3227 c->std_error == EXEC_OUTPUT_NAMED_FD &&
3228 stdio_fdname[STDERR_FILENO] &&
3229 streq(p->fd_names[i], stdio_fdname[STDERR_FILENO])) {
3230
52c239d7
LB		 3231 named_iofds[STDERR_FILENO] = p->fds[i];
3232 targets--;
3233 }
3234
56fbd561 3235 return targets == 0 ? 0 : -ENOENT;
52c239d7
LB		 3236}
3237
f2341e0a 3238int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
8c7be95e
LP		 3239 char **i, **r = NULL;
3240
3241 assert(c);
3242 assert(l);
3243
3244 STRV_FOREACH(i, c->environment_files) {
3245 char *fn;
d8c92e8b 3246 int k, n;
8c7be95e
LP		 3247 bool ignore = false;
3248 char **p;
7fd1b19b 3249 _cleanup_globfree_ glob_t pglob = {};
8c7be95e
LP		 3250
3251 fn = *i;
3252
3253 if (fn[0] == '-') {
3254 ignore = true;
313cefa1 3255 fn++;
8c7be95e
LP		 3256 }
3257
3258 if (!path_is_absolute(fn)) {
8c7be95e
LP		 3259 if (ignore)
3260 continue;
3261
3262 strv_free(r);
3263 return -EINVAL;
3264 }
3265
2bef10ab 3266 /* Filename supports globbing, take all matching files */
d8c92e8b
ZJS		 3267 k = safe_glob(fn, 0, &pglob);
3268 if (k < 0) {
2bef10ab
PL		 3269 if (ignore)
3270 continue;
8c7be95e 3271
2bef10ab 3272 strv_free(r);
d8c92e8b 3273 return k;
2bef10ab 3274 }
8c7be95e 3275
d8c92e8b
ZJS		 3276 /* When we don't match anything, -ENOENT should be returned */
3277 assert(pglob.gl_pathc > 0);
3278
3279 for (n = 0; n < pglob.gl_pathc; n++) {
717603e3 3280 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
2bef10ab
PL		 3281 if (k < 0) {
3282 if (ignore)
3283 continue;
8c7be95e 3284
2bef10ab 3285 strv_free(r);
2bef10ab 3286 return k;
e9c1ea9d 3287 }
ebc05a09 3288 /* Log invalid environment variables with filename */
039f0e70
LP		 3289 if (p) {
3290 InvalidEnvInfo info = {
f2341e0a 3291 .unit = unit,
039f0e70
LP		 3292 .path = pglob.gl_pathv[n]
3293 };
3294
3295 p = strv_env_clean_with_callback(p, invalid_env, &info);
3296 }
8c7be95e 3297
2bef10ab
PL		 3298 if (r == NULL)
3299 r = p;
3300 else {
3301 char **m;
8c7be95e 3302
2bef10ab
PL		 3303 m = strv_env_merge(2, r, p);
3304 strv_free(r);
3305 strv_free(p);
c84a9488 3306 if (!m)
2bef10ab 3307 return -ENOMEM;
2bef10ab
PL		 3308
3309 r = m;
3310 }
8c7be95e
LP		 3311 }
3312 }
3313
3314 *l = r;
3315
3316 return 0;
3317}
3318
6ac8fdc9 3319static bool tty_may_match_dev_console(const char *tty) {
e1d75803 3320 _cleanup_free_ char *active = NULL;
7d6884b6 3321 char *console;
6ac8fdc9 3322
1e22b5cd
LP		 3323 if (!tty)
3324 return true;
3325
6ac8fdc9
MS		 3326 if (startswith(tty, "/dev/"))
3327 tty += 5;
3328
3329 /* trivial identity? */
3330 if (streq(tty, "console"))
3331 return true;
3332
3333 console = resolve_dev_console(&active);
3334 /* if we could not resolve, assume it may */
3335 if (!console)
3336 return true;
3337
3338 /* "tty0" means the active VC, so it may be the same sometimes */
e1d75803 3339 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
6ac8fdc9
MS		 3340}
3341
3342bool exec_context_may_touch_console(ExecContext *ec) {
1e22b5cd
LP		 3343
3344 return (ec->tty_reset ||
3345 ec->tty_vhangup ||
3346 ec->tty_vt_disallocate ||
6ac8fdc9
MS		 3347 is_terminal_input(ec->std_input) ||
3348 is_terminal_output(ec->std_output) ||
3349 is_terminal_output(ec->std_error)) &&
1e22b5cd 3350 tty_may_match_dev_console(exec_context_tty_path(ec));
6ac8fdc9
MS		 3351}
3352
15ae422b
LP		 3353static void strv_fprintf(FILE *f, char **l) {
3354 char **g;
3355
3356 assert(f);
3357
3358 STRV_FOREACH(g, l)
3359 fprintf(f, " %s", *g);
3360}
3361
5cb5a6ff 3362void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
c2bbd90b 3363 char **e, **d;
94f04347 3364 unsigned i;
add00535 3365 int r;
9eba9da4 3366
5cb5a6ff
LP		 3367 assert(c);
3368 assert(f);
3369
4ad49000 3370 prefix = strempty(prefix);
5cb5a6ff
LP		 3371
3372 fprintf(f,
94f04347
LP		 3373 "%sUMask: %04o\n"
3374 "%sWorkingDirectory: %s\n"
451a074f 3375 "%sRootDirectory: %s\n"
15ae422b 3376 "%sNonBlocking: %s\n"
64747e2d 3377 "%sPrivateTmp: %s\n"
7f112f50 3378 "%sPrivateDevices: %s\n"
59eeb84b 3379 "%sProtectKernelTunables: %s\n"
e66a2f65 3380 "%sProtectKernelModules: %s\n"
59eeb84b 3381 "%sProtectControlGroups: %s\n"
d251207d
LP		 3382 "%sPrivateNetwork: %s\n"
3383 "%sPrivateUsers: %s\n"
1b8689f9
LP		 3384 "%sProtectHome: %s\n"
3385 "%sProtectSystem: %s\n"
5d997827 3386 "%sMountAPIVFS: %s\n"
f3e43635 3387 "%sIgnoreSIGPIPE: %s\n"
f4170c67
LP		 3388 "%sMemoryDenyWriteExecute: %s\n"
3389 "%sRestrictRealtime: %s\n",
5cb5a6ff 3390 prefix, c->umask,
9eba9da4 3391 prefix, c->working_directory ? c->working_directory : "/",
451a074f 3392 prefix, c->root_directory ? c->root_directory : "/",
15ae422b 3393 prefix, yes_no(c->non_blocking),
64747e2d 3394 prefix, yes_no(c->private_tmp),
7f112f50 3395 prefix, yes_no(c->private_devices),
59eeb84b 3396 prefix, yes_no(c->protect_kernel_tunables),
e66a2f65 3397 prefix, yes_no(c->protect_kernel_modules),
59eeb84b 3398 prefix, yes_no(c->protect_control_groups),
d251207d
LP		 3399 prefix, yes_no(c->private_network),
3400 prefix, yes_no(c->private_users),
1b8689f9
LP		 3401 prefix, protect_home_to_string(c->protect_home),
3402 prefix, protect_system_to_string(c->protect_system),
5d997827 3403 prefix, yes_no(c->mount_apivfs),
f3e43635 3404 prefix, yes_no(c->ignore_sigpipe),
f4170c67
LP		 3405 prefix, yes_no(c->memory_deny_write_execute),
3406 prefix, yes_no(c->restrict_realtime));
fb33a393 3407
915e6d16
LP		 3408 if (c->root_image)
3409 fprintf(f, "%sRootImage: %s\n", prefix, c->root_image);
3410
8c7be95e
LP		 3411 STRV_FOREACH(e, c->environment)
3412 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
3413
3414 STRV_FOREACH(e, c->environment_files)
3415 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
94f04347 3416
b4c14404
FB		 3417 STRV_FOREACH(e, c->pass_environment)
3418 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
3419
c2bbd90b
EV		 3420 fprintf(f, "%sRuntimeDirectoryMode: %04o\n", prefix, c->runtime_directory_mode);
3421
3422 STRV_FOREACH(d, c->runtime_directory)
3423 fprintf(f, "%sRuntimeDirectory: %s\n", prefix, *d);
3424
fb33a393
LP		 3425 if (c->nice_set)
3426 fprintf(f,
3427 "%sNice: %i\n",
3428 prefix, c->nice);
3429
dd6c17b1 3430 if (c->oom_score_adjust_set)
fb33a393 3431 fprintf(f,
dd6c17b1
LP		 3432 "%sOOMScoreAdjust: %i\n",
3433 prefix, c->oom_score_adjust);
9eba9da4 3434
94f04347 3435 for (i = 0; i < RLIM_NLIMITS; i++)
3c11da9d
EV		 3436 if (c->rlimit[i]) {
3437 fprintf(f, "%s%s: " RLIM_FMT "\n",
3438 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
3439 fprintf(f, "%s%sSoft: " RLIM_FMT "\n",
3440 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
3441 }
94f04347 3442
f8b69d1d 3443 if (c->ioprio_set) {
1756a011 3444 _cleanup_free_ char *class_str = NULL;
f8b69d1d 3445
1756a011 3446 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
9eba9da4
LP		 3447 fprintf(f,
3448 "%sIOSchedulingClass: %s\n"
3449 "%sIOPriority: %i\n",
f8b69d1d 3450 prefix, strna(class_str),
9eba9da4 3451 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
f8b69d1d 3452 }
94f04347 3453
f8b69d1d 3454 if (c->cpu_sched_set) {
1756a011 3455 _cleanup_free_ char *policy_str = NULL;
f8b69d1d 3456
1756a011 3457 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
94f04347
LP		 3458 fprintf(f,
3459 "%sCPUSchedulingPolicy: %s\n"
38b48754
LP		 3460 "%sCPUSchedulingPriority: %i\n"
3461 "%sCPUSchedulingResetOnFork: %s\n",
f8b69d1d 3462 prefix, strna(policy_str),
38b48754
LP		 3463 prefix, c->cpu_sched_priority,
3464 prefix, yes_no(c->cpu_sched_reset_on_fork));
b929bf04 3465 }
94f04347 3466
82c121a4 3467 if (c->cpuset) {
94f04347 3468 fprintf(f, "%sCPUAffinity:", prefix);
82c121a4
LP		 3469 for (i = 0; i < c->cpuset_ncpus; i++)
3470 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
43a99a7a 3471 fprintf(f, " %u", i);
94f04347
LP		 3472 fputs("\n", f);
3473 }
3474
3a43da28 3475 if (c->timer_slack_nsec != NSEC_INFINITY)
ccd06097 3476 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
94f04347
LP		 3477
3478 fprintf(f,
80876c20
LP		 3479 "%sStandardInput: %s\n"
3480 "%sStandardOutput: %s\n"
3481 "%sStandardError: %s\n",
3482 prefix, exec_input_to_string(c->std_input),
3483 prefix, exec_output_to_string(c->std_output),
3484 prefix, exec_output_to_string(c->std_error));
3485
3486 if (c->tty_path)
3487 fprintf(f,
6ea832a2
LP		 3488 "%sTTYPath: %s\n"
3489 "%sTTYReset: %s\n"
3490 "%sTTYVHangup: %s\n"
3491 "%sTTYVTDisallocate: %s\n",
3492 prefix, c->tty_path,
3493 prefix, yes_no(c->tty_reset),
3494 prefix, yes_no(c->tty_vhangup),
3495 prefix, yes_no(c->tty_vt_disallocate));
94f04347 3496
5ce70e5b
ZJS		 3497 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
3498 c->std_output == EXEC_OUTPUT_KMSG ||
3499 c->std_output == EXEC_OUTPUT_JOURNAL ||
3500 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3501 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3502 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
3503 c->std_error == EXEC_OUTPUT_SYSLOG ||
3504 c->std_error == EXEC_OUTPUT_KMSG ||
3505 c->std_error == EXEC_OUTPUT_JOURNAL ||
3506 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3507 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3508 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
f8b69d1d 3509
5ce70e5b 3510 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
f8b69d1d 3511
5ce70e5b
ZJS		 3512 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
3513 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
f8b69d1d 3514
94f04347
LP		 3515 fprintf(f,
3516 "%sSyslogFacility: %s\n"
3517 "%sSyslogLevel: %s\n",
f8b69d1d
MS		 3518 prefix, strna(fac_str),
3519 prefix, strna(lvl_str));
f8b69d1d 3520 }
94f04347 3521
94f04347
LP		 3522 if (c->secure_bits)
3523 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
3524 prefix,
cbb21cca
ZJS		 3525 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
3526 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
3527 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
3528 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
3529 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
3530 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
94f04347 3531
a103496c 3532 if (c->capability_bounding_set != CAP_ALL) {
ae556c21 3533 unsigned long l;
260abb78 3534 fprintf(f, "%sCapabilityBoundingSet:", prefix);
94f04347 3535
64685e0c 3536 for (l = 0; l <= cap_last_cap(); l++)
a103496c 3537 if (c->capability_bounding_set & (UINT64_C(1) << l))
2822da4f 3538 fprintf(f, " %s", strna(capability_to_name(l)));
94f04347
LP		 3539
3540 fputs("\n", f);
755d4b67
IP		 3541 }
3542
3543 if (c->capability_ambient_set != 0) {
3544 unsigned long l;
3545 fprintf(f, "%sAmbientCapabilities:", prefix);
3546
3547 for (l = 0; l <= cap_last_cap(); l++)
3548 if (c->capability_ambient_set & (UINT64_C(1) << l))
3549 fprintf(f, " %s", strna(capability_to_name(l)));
3550
3551 fputs("\n", f);
94f04347
LP		 3552 }
3553
3554 if (c->user)
f2d3769a 3555 fprintf(f, "%sUser: %s\n", prefix, c->user);
94f04347 3556 if (c->group)
f2d3769a 3557 fprintf(f, "%sGroup: %s\n", prefix, c->group);
94f04347 3558
29206d46
LP		 3559 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
3560
15ae422b 3561 if (strv_length(c->supplementary_groups) > 0) {
94f04347 3562 fprintf(f, "%sSupplementaryGroups:", prefix);
15ae422b
LP		 3563 strv_fprintf(f, c->supplementary_groups);
3564 fputs("\n", f);
3565 }
94f04347 3566
5b6319dc 3567 if (c->pam_name)
f2d3769a 3568 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
5b6319dc 3569
2a624c36
AP		 3570 if (strv_length(c->read_write_paths) > 0) {
3571 fprintf(f, "%sReadWritePaths:", prefix);
3572 strv_fprintf(f, c->read_write_paths);
15ae422b
LP		 3573 fputs("\n", f);
3574 }
3575
2a624c36
AP		 3576 if (strv_length(c->read_only_paths) > 0) {
3577 fprintf(f, "%sReadOnlyPaths:", prefix);
3578 strv_fprintf(f, c->read_only_paths);
15ae422b
LP		 3579 fputs("\n", f);
3580 }
94f04347 3581
2a624c36
AP		 3582 if (strv_length(c->inaccessible_paths) > 0) {
3583 fprintf(f, "%sInaccessiblePaths:", prefix);
3584 strv_fprintf(f, c->inaccessible_paths);
94f04347
LP		 3585 fputs("\n", f);
3586 }
2e22afe9 3587
d2d6c096
LP		 3588 if (c->n_bind_mounts > 0)
3589 for (i = 0; i < c->n_bind_mounts; i++) {
3590 fprintf(f, "%s%s: %s:%s:%s\n", prefix,
3591 c->bind_mounts[i].read_only ? "BindReadOnlyPaths" : "BindPaths",
3592 c->bind_mounts[i].source,
3593 c->bind_mounts[i].destination,
3594 c->bind_mounts[i].recursive ? "rbind" : "norbind");
3595 }
3596
169c1bda
LP		 3597 if (c->utmp_id)
3598 fprintf(f,
3599 "%sUtmpIdentifier: %s\n",
3600 prefix, c->utmp_id);
7b52a628
MS		 3601
3602 if (c->selinux_context)
3603 fprintf(f,
5f8640fb
LP		 3604 "%sSELinuxContext: %s%s\n",
3605 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
17df7223 3606
050f7277 3607 if (c->personality != PERSONALITY_INVALID)
ac45f971
LP		 3608 fprintf(f,
3609 "%sPersonality: %s\n",
3610 prefix, strna(personality_to_string(c->personality)));
3611
17df7223 3612 if (c->syscall_filter) {
351a19b1 3613#ifdef HAVE_SECCOMP
17df7223
LP		 3614 Iterator j;
3615 void *id;
3616 bool first = true;
351a19b1 3617#endif
17df7223
LP		 3618
3619 fprintf(f,
57183d11 3620 "%sSystemCallFilter: ",
17df7223
LP		 3621 prefix);
3622
3623 if (!c->syscall_whitelist)
3624 fputc('~', f);
3625
351a19b1 3626#ifdef HAVE_SECCOMP
17df7223
LP		 3627 SET_FOREACH(id, c->syscall_filter, j) {
3628 _cleanup_free_ char *name = NULL;
3629
3630 if (first)
3631 first = false;
3632 else
3633 fputc(' ', f);
3634
57183d11 3635 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
17df7223
LP		 3636 fputs(strna(name), f);
3637 }
351a19b1 3638#endif
17df7223
LP		 3639
3640 fputc('\n', f);
3641 }
3642
57183d11
LP		 3643 if (c->syscall_archs) {
3644#ifdef HAVE_SECCOMP
3645 Iterator j;
3646 void *id;
3647#endif
3648
3649 fprintf(f,
3650 "%sSystemCallArchitectures:",
3651 prefix);
3652
3653#ifdef HAVE_SECCOMP
3654 SET_FOREACH(id, c->syscall_archs, j)
3655 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
3656#endif
3657 fputc('\n', f);
3658 }
3659
add00535
LP		 3660 if (exec_context_restrict_namespaces_set(c)) {
3661 _cleanup_free_ char *s = NULL;
3662
3663 r = namespace_flag_to_string_many(c->restrict_namespaces, &s);
3664 if (r >= 0)
3665 fprintf(f, "%sRestrictNamespaces: %s\n",
3666 prefix, s);
3667 }
3668
b3267152 3669 if (c->syscall_errno > 0)
17df7223
LP		 3670 fprintf(f,
3671 "%sSystemCallErrorNumber: %s\n",
3672 prefix, strna(errno_to_name(c->syscall_errno)));
eef65bf3
MS		 3673
3674 if (c->apparmor_profile)
3675 fprintf(f,
3676 "%sAppArmorProfile: %s%s\n",
3677 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
5cb5a6ff
LP		 3678}
3679
a931ad47
LP		 3680bool exec_context_maintains_privileges(ExecContext *c) {
3681 assert(c);
3682
61233823 3683 /* Returns true if the process forked off would run under
a931ad47
LP		 3684 * an unchanged UID or as root. */
3685
3686 if (!c->user)
3687 return true;
3688
3689 if (streq(c->user, "root") || streq(c->user, "0"))
3690 return true;
3691
3692 return false;
3693}
3694
b58b4116 3695void exec_status_start(ExecStatus *s, pid_t pid) {
034c6ed7 3696 assert(s);
5cb5a6ff 3697
b58b4116
LP		 3698 zero(*s);
3699 s->pid = pid;
3700 dual_timestamp_get(&s->start_timestamp);
3701}
3702
6ea832a2 3703void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
b58b4116
LP		 3704 assert(s);
3705
0b1f4ae6 3706 if (s->pid && s->pid != pid)
b58b4116
LP		 3707 zero(*s);
3708
034c6ed7 3709 s->pid = pid;
63983207 3710 dual_timestamp_get(&s->exit_timestamp);
9fb86720 3711
034c6ed7
LP		 3712 s->code = code;
3713 s->status = status;
169c1bda 3714
6ea832a2
LP		 3715 if (context) {
3716 if (context->utmp_id)
3717 utmp_put_dead_process(context->utmp_id, pid, code, status);
3718
1e22b5cd 3719 exec_context_tty_reset(context, NULL);
6ea832a2 3720 }
9fb86720
LP		 3721}
3722
3723void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
3724 char buf[FORMAT_TIMESTAMP_MAX];
3725
3726 assert(s);
3727 assert(f);
3728
9fb86720
LP		 3729 if (s->pid <= 0)
3730 return;
3731
4c940960
LP		 3732 prefix = strempty(prefix);
3733
9fb86720 3734 fprintf(f,
ccd06097
ZJS		 3735 "%sPID: "PID_FMT"\n",
3736 prefix, s->pid);
9fb86720 3737
af9d16e1 3738 if (dual_timestamp_is_set(&s->start_timestamp))
9fb86720
LP		 3739 fprintf(f,
3740 "%sStart Timestamp: %s\n",
63983207 3741 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
9fb86720 3742
af9d16e1 3743 if (dual_timestamp_is_set(&s->exit_timestamp))
9fb86720
LP		 3744 fprintf(f,
3745 "%sExit Timestamp: %s\n"
3746 "%sExit Code: %s\n"
3747 "%sExit Status: %i\n",
63983207 3748 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
9fb86720
LP		 3749 prefix, sigchld_code_to_string(s->code),
3750 prefix, s->status);
5cb5a6ff 3751}
44d8db9e 3752
9e2f7c11 3753char *exec_command_line(char **argv) {
44d8db9e
LP		 3754 size_t k;
3755 char *n, *p, **a;
3756 bool first = true;
3757
9e2f7c11 3758 assert(argv);
44d8db9e 3759
9164977d 3760 k = 1;
9e2f7c11 3761 STRV_FOREACH(a, argv)
44d8db9e
LP		 3762 k += strlen(*a)+3;
3763
5cd9cd35
LP		 3764 n = new(char, k);
3765 if (!n)
44d8db9e
LP		 3766 return NULL;
3767
3768 p = n;
9e2f7c11 3769 STRV_FOREACH(a, argv) {
44d8db9e
LP		 3770
3771 if (!first)
3772 *(p++) = ' ';
3773 else
3774 first = false;
3775
3776 if (strpbrk(*a, WHITESPACE)) {
3777 *(p++) = '\'';
3778 p = stpcpy(p, *a);
3779 *(p++) = '\'';
3780 } else
3781 p = stpcpy(p, *a);
3782
3783 }
3784
9164977d
LP		 3785 *p = 0;
3786
44d8db9e
LP		 3787 /* FIXME: this doesn't really handle arguments that have
3788 * spaces and ticks in them */
3789
3790 return n;
3791}
3792
3793void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
e1d75803 3794 _cleanup_free_ char *cmd = NULL;
4c940960 3795 const char *prefix2;
44d8db9e
LP		 3796
3797 assert(c);
3798 assert(f);
3799
4c940960 3800 prefix = strempty(prefix);
63c372cb 3801 prefix2 = strjoina(prefix, "\t");
44d8db9e 3802
9e2f7c11 3803 cmd = exec_command_line(c->argv);
44d8db9e
LP		 3804 fprintf(f,
3805 "%sCommand Line: %s\n",
3806 prefix, cmd ? cmd : strerror(ENOMEM));
3807
9fb86720 3808 exec_status_dump(&c->exec_status, f, prefix2);
44d8db9e
LP		 3809}
3810
3811void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
3812 assert(f);
3813
4c940960 3814 prefix = strempty(prefix);
44d8db9e
LP		 3815
3816 LIST_FOREACH(command, c, c)
3817 exec_command_dump(c, f, prefix);
3818}
94f04347 3819
a6a80b4f
LP		 3820void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
3821 ExecCommand *end;
3822
3823 assert(l);
3824 assert(e);
3825
3826 if (*l) {
35b8ca3a 3827 /* It's kind of important, that we keep the order here */
71fda00f
LP		 3828 LIST_FIND_TAIL(command, *l, end);
3829 LIST_INSERT_AFTER(command, *l, end, e);
a6a80b4f
LP		 3830 } else
3831 *l = e;
3832}
3833
26fd040d
LP		 3834int exec_command_set(ExecCommand *c, const char *path, ...) {
3835 va_list ap;
3836 char **l, *p;
3837
3838 assert(c);
3839 assert(path);
3840
3841 va_start(ap, path);
3842 l = strv_new_ap(path, ap);
3843 va_end(ap);
3844
3845 if (!l)
3846 return -ENOMEM;
3847
250a918d
LP		 3848 p = strdup(path);
3849 if (!p) {
26fd040d
LP		 3850 strv_free(l);
3851 return -ENOMEM;
3852 }
3853
3854 free(c->path);
3855 c->path = p;
3856
3857 strv_free(c->argv);
3858 c->argv = l;
3859
3860 return 0;
3861}
3862
86b23b07 3863int exec_command_append(ExecCommand *c, const char *path, ...) {
e63ff941 3864 _cleanup_strv_free_ char **l = NULL;
86b23b07 3865 va_list ap;
86b23b07
JS		 3866 int r;
3867
3868 assert(c);
3869 assert(path);
3870
3871 va_start(ap, path);
3872 l = strv_new_ap(path, ap);
3873 va_end(ap);
3874
3875 if (!l)
3876 return -ENOMEM;
3877
e287086b 3878 r = strv_extend_strv(&c->argv, l, false);
e63ff941 3879 if (r < 0)
86b23b07 3880 return r;
86b23b07
JS		 3881
3882 return 0;
3883}
3884
3885
613b411c
LP		 3886static int exec_runtime_allocate(ExecRuntime **rt) {
3887
3888 if (*rt)
3889 return 0;
3890
3891 *rt = new0(ExecRuntime, 1);
f146f5e1 3892 if (!*rt)
613b411c
LP		 3893 return -ENOMEM;
3894
3895 (*rt)->n_ref = 1;
3896 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
3897
3898 return 0;
3899}
3900
3901int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
3902 int r;
3903
3904 assert(rt);
3905 assert(c);
3906 assert(id);
3907
3908 if (*rt)
3909 return 1;
3910
3911 if (!c->private_network && !c->private_tmp)
3912 return 0;
3913
3914 r = exec_runtime_allocate(rt);
3915 if (r < 0)
3916 return r;
3917
3918 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
33df919d 3919 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, (*rt)->netns_storage_socket) < 0)
613b411c
LP		 3920 return -errno;
3921 }
3922
3923 if (c->private_tmp && !(*rt)->tmp_dir) {
3924 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
3925 if (r < 0)
3926 return r;
3927 }
3928
3929 return 1;
3930}
3931
3932ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
3933 assert(r);
3934 assert(r->n_ref > 0);
3935
3936 r->n_ref++;
3937 return r;
3938}
3939
3940ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
3941
3942 if (!r)
3943 return NULL;
3944
3945 assert(r->n_ref > 0);
3946
3947 r->n_ref--;
f2341e0a
LP		 3948 if (r->n_ref > 0)
3949 return NULL;
3950
3951 free(r->tmp_dir);
3952 free(r->var_tmp_dir);
3953 safe_close_pair(r->netns_storage_socket);
6b430fdb 3954 return mfree(r);
613b411c
LP		 3955}
3956
f2341e0a 3957int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
613b411c
LP		 3958 assert(u);
3959 assert(f);
3960 assert(fds);
3961
3962 if (!rt)
3963 return 0;
3964
3965 if (rt->tmp_dir)
3966 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
3967
3968 if (rt->var_tmp_dir)
3969 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
3970
3971 if (rt->netns_storage_socket[0] >= 0) {
3972 int copy;
3973
3974 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
3975 if (copy < 0)
3976 return copy;
3977
3978 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
3979 }
3980
3981 if (rt->netns_storage_socket[1] >= 0) {
3982 int copy;
3983
3984 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
3985 if (copy < 0)
3986 return copy;
3987
3988 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
3989 }
3990
3991 return 0;
3992}
3993
f2341e0a 3994int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
613b411c
LP		 3995 int r;
3996
3997 assert(rt);
3998 assert(key);
3999 assert(value);
4000
4001 if (streq(key, "tmp-dir")) {
4002 char *copy;
4003
4004 r = exec_runtime_allocate(rt);
4005 if (r < 0)
f2341e0a 4006 return log_oom();
613b411c
LP		 4007
4008 copy = strdup(value);
4009 if (!copy)
4010 return log_oom();
4011
4012 free((*rt)->tmp_dir);
4013 (*rt)->tmp_dir = copy;
4014
4015 } else if (streq(key, "var-tmp-dir")) {
4016 char *copy;
4017
4018 r = exec_runtime_allocate(rt);
4019 if (r < 0)
f2341e0a 4020 return log_oom();
613b411c
LP		 4021
4022 copy = strdup(value);
4023 if (!copy)
4024 return log_oom();
4025
4026 free((*rt)->var_tmp_dir);
4027 (*rt)->var_tmp_dir = copy;
4028
4029 } else if (streq(key, "netns-socket-0")) {
4030 int fd;
4031
4032 r = exec_runtime_allocate(rt);
4033 if (r < 0)
f2341e0a 4034 return log_oom();
613b411c
LP		 4035
4036 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
f2341e0a 4037 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
613b411c 4038 else {
03e334a1 4039 safe_close((*rt)->netns_storage_socket[0]);
613b411c
LP		 4040 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
4041 }
4042 } else if (streq(key, "netns-socket-1")) {
4043 int fd;
4044
4045 r = exec_runtime_allocate(rt);
4046 if (r < 0)
f2341e0a 4047 return log_oom();
613b411c
LP		 4048
4049 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
f2341e0a 4050 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
613b411c 4051 else {
03e334a1 4052 safe_close((*rt)->netns_storage_socket[1]);
613b411c
LP		 4053 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
4054 }
4055 } else
4056 return 0;
4057
4058 return 1;
4059}
4060
4061static void *remove_tmpdir_thread(void *p) {
4062 _cleanup_free_ char *path = p;
4063
c6878637 4064 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
613b411c
LP		 4065 return NULL;
4066}
4067
4068void exec_runtime_destroy(ExecRuntime *rt) {
98b47d54
LP		 4069 int r;
4070
613b411c
LP		 4071 if (!rt)
4072 return;
4073
4074 /* If there are multiple users of this, let's leave the stuff around */
4075 if (rt->n_ref > 1)
4076 return;
4077
4078 if (rt->tmp_dir) {
4079 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
98b47d54
LP		 4080
4081 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
4082 if (r < 0) {
da927ba9 4083 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
98b47d54
LP		 4084 free(rt->tmp_dir);
4085 }
4086
613b411c
LP		 4087 rt->tmp_dir = NULL;
4088 }
4089
4090 if (rt->var_tmp_dir) {
4091 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
98b47d54
LP		 4092
4093 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
4094 if (r < 0) {
da927ba9 4095 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
98b47d54
LP		 4096 free(rt->var_tmp_dir);
4097 }
4098
613b411c
LP		 4099 rt->var_tmp_dir = NULL;
4100 }
4101
3d94f76c 4102 safe_close_pair(rt->netns_storage_socket);
613b411c
LP		 4103}
4104
80876c20
LP		 4105static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
4106 [EXEC_INPUT_NULL] = "null",
4107 [EXEC_INPUT_TTY] = "tty",
4108 [EXEC_INPUT_TTY_FORCE] = "tty-force",
4f2d528d 4109 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
52c239d7
LB		 4110 [EXEC_INPUT_SOCKET] = "socket",
4111 [EXEC_INPUT_NAMED_FD] = "fd",
80876c20
LP		 4112};
4113
8a0867d6
LP		 4114DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
4115
94f04347 4116static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
80876c20 4117 [EXEC_OUTPUT_INHERIT] = "inherit",
94f04347 4118 [EXEC_OUTPUT_NULL] = "null",
80876c20 4119 [EXEC_OUTPUT_TTY] = "tty",
94f04347 4120 [EXEC_OUTPUT_SYSLOG] = "syslog",
28dbc1e8 4121 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
9a6bca7a 4122 [EXEC_OUTPUT_KMSG] = "kmsg",
28dbc1e8 4123 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
706343f4
LP		 4124 [EXEC_OUTPUT_JOURNAL] = "journal",
4125 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
52c239d7
LB		 4126 [EXEC_OUTPUT_SOCKET] = "socket",
4127 [EXEC_OUTPUT_NAMED_FD] = "fd",
94f04347
LP		 4128};
4129
4130DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
023a4f67
LP		 4131
4132static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
4133 [EXEC_UTMP_INIT] = "init",
4134 [EXEC_UTMP_LOGIN] = "login",
4135 [EXEC_UTMP_USER] = "user",
4136};
4137
4138DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
Unnamed repository; edit this file 'description' to name the repository.