]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/core/execute.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
resolve: remove unsed counter (#4349)
[thirdparty/systemd.git] / src / core / execute.c
CommitLineData
a7334b09
LP		 1/***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
5430f7f2
LP		 7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
a7334b09
LP		 9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2 14 Lesser General Public License for more details.
a7334b09 15
5430f7f2 16 You should have received a copy of the GNU Lesser General Public License
a7334b09
LP		 17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18***/
19
034c6ed7
LP		 20#include <errno.h>
21#include <fcntl.h>
8dd4c05b
LP		 22#include <glob.h>
23#include <grp.h>
24#include <poll.h>
309bff19 25#include <signal.h>
8dd4c05b 26#include <string.h>
19c0b0b9 27#include <sys/capability.h>
d251207d 28#include <sys/eventfd.h>
f3e43635 29#include <sys/mman.h>
8dd4c05b 30#include <sys/personality.h>
94f04347 31#include <sys/prctl.h>
8dd4c05b 32#include <sys/socket.h>
451a074f 33#include <sys/stat.h>
8dd4c05b
LP		 34#include <sys/un.h>
35#include <unistd.h>
023a4f67 36#include <utmpx.h>
5cb5a6ff 37
5b6319dc
LP		 38#ifdef HAVE_PAM
39#include <security/pam_appl.h>
40#endif
41
7b52a628
MS		 42#ifdef HAVE_SELINUX
43#include <selinux/selinux.h>
44#endif
45
17df7223
LP		 46#ifdef HAVE_SECCOMP
47#include <seccomp.h>
48#endif
49
eef65bf3
MS		 50#ifdef HAVE_APPARMOR
51#include <sys/apparmor.h>
52#endif
53
24882e06 54#include "sd-messages.h"
8dd4c05b
LP		 55
56#include "af-list.h"
b5efdb8a 57#include "alloc-util.h"
3ffd4af2
LP		 58#ifdef HAVE_APPARMOR
59#include "apparmor-util.h"
60#endif
8dd4c05b
LP		 61#include "async.h"
62#include "barrier.h"
8dd4c05b 63#include "cap-list.h"
430f0182 64#include "capability-util.h"
f6a6225e 65#include "def.h"
4d1a6904 66#include "env-util.h"
17df7223 67#include "errno-list.h"
3ffd4af2 68#include "execute.h"
8dd4c05b 69#include "exit-status.h"
3ffd4af2 70#include "fd-util.h"
8dd4c05b 71#include "fileio.h"
6482f626 72#include "formats-util.h"
f4f15635 73#include "fs-util.h"
7d50b32a 74#include "glob-util.h"
c004493c 75#include "io-util.h"
8dd4c05b
LP		 76#include "ioprio.h"
77#include "log.h"
78#include "macro.h"
79#include "missing.h"
80#include "mkdir.h"
81#include "namespace.h"
6bedfcbb 82#include "parse-util.h"
8dd4c05b 83#include "path-util.h"
0b452006 84#include "process-util.h"
78f22b97 85#include "rlimit-util.h"
8dd4c05b 86#include "rm-rf.h"
3ffd4af2
LP		 87#ifdef HAVE_SECCOMP
88#include "seccomp-util.h"
89#endif
8dd4c05b
LP		 90#include "securebits.h"
91#include "selinux-util.h"
24882e06 92#include "signal-util.h"
8dd4c05b 93#include "smack-util.h"
fd63e712 94#include "special.h"
8b43440b 95#include "string-table.h"
07630cea 96#include "string-util.h"
8dd4c05b 97#include "strv.h"
7ccbd1ae 98#include "syslog-util.h"
8dd4c05b
LP		 99#include "terminal-util.h"
100#include "unit.h"
b1d4f8e1 101#include "user-util.h"
8dd4c05b
LP		 102#include "util.h"
103#include "utmp-wtmp.h"
5cb5a6ff 104
e056b01d 105#define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
31a7eb86 106#define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
e6a26745 107
02a51aba
LP		 108/* This assumes there is a 'tty' group */
109#define TTY_MODE 0620
110
531dca78
LP		 111#define SNDBUF_SIZE (8*1024*1024)
112
034c6ed7
LP		 113static int shift_fds(int fds[], unsigned n_fds) {
114 int start, restart_from;
115
116 if (n_fds <= 0)
117 return 0;
118
a0d40ac5
LP		 119 /* Modifies the fds array! (sorts it) */
120
034c6ed7
LP		 121 assert(fds);
122
123 start = 0;
124 for (;;) {
125 int i;
126
127 restart_from = -1;
128
129 for (i = start; i < (int) n_fds; i++) {
130 int nfd;
131
132 /* Already at right index? */
133 if (fds[i] == i+3)
134 continue;
135
3cc2aff1
LP		 136 nfd = fcntl(fds[i], F_DUPFD, i + 3);
137 if (nfd < 0)
034c6ed7
LP		 138 return -errno;
139
03e334a1 140 safe_close(fds[i]);
034c6ed7
LP		 141 fds[i] = nfd;
142
143 /* Hmm, the fd we wanted isn't free? Then
ee33e53a 144 * let's remember that and try again from here */
034c6ed7
LP		 145 if (nfd != i+3 && restart_from < 0)
146 restart_from = i;
147 }
148
149 if (restart_from < 0)
150 break;
151
152 start = restart_from;
153 }
154
155 return 0;
156}
157
c2748801 158static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
47a71eed 159 unsigned i;
e2c76839 160 int r;
47a71eed
LP		 161
162 if (n_fds <= 0)
163 return 0;
164
165 assert(fds);
166
451a074f 167 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
47a71eed
LP		 168
169 for (i = 0; i < n_fds; i++) {
47a71eed 170
3cc2aff1
LP		 171 r = fd_nonblock(fds[i], nonblock);
172 if (r < 0)
e2c76839 173 return r;
47a71eed 174
451a074f
LP		 175 /* We unconditionally drop FD_CLOEXEC from the fds,
176 * since after all we want to pass these fds to our
177 * children */
47a71eed 178
3cc2aff1
LP		 179 r = fd_cloexec(fds[i], false);
180 if (r < 0)
e2c76839 181 return r;
47a71eed
LP		 182 }
183
184 return 0;
185}
186
1e22b5cd 187static const char *exec_context_tty_path(const ExecContext *context) {
80876c20
LP		 188 assert(context);
189
1e22b5cd
LP		 190 if (context->stdio_as_fds)
191 return NULL;
192
80876c20
LP		 193 if (context->tty_path)
194 return context->tty_path;
195
196 return "/dev/console";
197}
198
1e22b5cd
LP		 199static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
200 const char *path;
201
6ea832a2
LP		 202 assert(context);
203
1e22b5cd 204 path = exec_context_tty_path(context);
6ea832a2 205
1e22b5cd
LP		 206 if (context->tty_vhangup) {
207 if (p && p->stdin_fd >= 0)
208 (void) terminal_vhangup_fd(p->stdin_fd);
209 else if (path)
210 (void) terminal_vhangup(path);
211 }
6ea832a2 212
1e22b5cd
LP		 213 if (context->tty_reset) {
214 if (p && p->stdin_fd >= 0)
215 (void) reset_terminal_fd(p->stdin_fd, true);
216 else if (path)
217 (void) reset_terminal(path);
218 }
219
220 if (context->tty_vt_disallocate && path)
221 (void) vt_disallocate(path);
6ea832a2
LP		 222}
223
6af760f3
LP		 224static bool is_terminal_input(ExecInput i) {
225 return IN_SET(i,
226 EXEC_INPUT_TTY,
227 EXEC_INPUT_TTY_FORCE,
228 EXEC_INPUT_TTY_FAIL);
229}
230
3a1286b6 231static bool is_terminal_output(ExecOutput o) {
6af760f3
LP		 232 return IN_SET(o,
233 EXEC_OUTPUT_TTY,
234 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
235 EXEC_OUTPUT_KMSG_AND_CONSOLE,
236 EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
237}
238
239static bool exec_context_needs_term(const ExecContext *c) {
240 assert(c);
241
242 /* Return true if the execution context suggests we should set $TERM to something useful. */
243
244 if (is_terminal_input(c->std_input))
245 return true;
246
247 if (is_terminal_output(c->std_output))
248 return true;
249
250 if (is_terminal_output(c->std_error))
251 return true;
252
253 return !!c->tty_path;
3a1286b6
MS		 254}
255
80876c20
LP		 256static int open_null_as(int flags, int nfd) {
257 int fd, r;
071830ff 258
80876c20 259 assert(nfd >= 0);
071830ff 260
613b411c
LP		 261 fd = open("/dev/null", flags|O_NOCTTY);
262 if (fd < 0)
071830ff
LP		 263 return -errno;
264
80876c20
LP		 265 if (fd != nfd) {
266 r = dup2(fd, nfd) < 0 ? -errno : nfd;
03e334a1 267 safe_close(fd);
80876c20
LP		 268 } else
269 r = nfd;
071830ff 270
80876c20 271 return r;
071830ff
LP		 272}
273
524daa8c 274static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
b92bea5d
ZJS		 275 union sockaddr_union sa = {
276 .un.sun_family = AF_UNIX,
277 .un.sun_path = "/run/systemd/journal/stdout",
278 };
524daa8c
ZJS		 279 uid_t olduid = UID_INVALID;
280 gid_t oldgid = GID_INVALID;
281 int r;
282
283 if (gid != GID_INVALID) {
284 oldgid = getgid();
285
286 r = setegid(gid);
287 if (r < 0)
288 return -errno;
289 }
290
291 if (uid != UID_INVALID) {
292 olduid = getuid();
293
294 r = seteuid(uid);
295 if (r < 0) {
296 r = -errno;
297 goto restore_gid;
298 }
299 }
300
fc2fffe7 301 r = connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
524daa8c
ZJS		 302 if (r < 0)
303 r = -errno;
304
305 /* If we fail to restore the uid or gid, things will likely
306 fail later on. This should only happen if an LSM interferes. */
307
308 if (uid != UID_INVALID)
309 (void) seteuid(olduid);
310
311 restore_gid:
312 if (gid != GID_INVALID)
313 (void) setegid(oldgid);
314
315 return r;
316}
317
fd1f9c89 318static int connect_logger_as(
7a1ab780 319 Unit *unit,
fd1f9c89
LP		 320 const ExecContext *context,
321 ExecOutput output,
322 const char *ident,
fd1f9c89
LP		 323 int nfd,
324 uid_t uid,
325 gid_t gid) {
326
524daa8c 327 int fd, r;
071830ff
LP		 328
329 assert(context);
80876c20
LP		 330 assert(output < _EXEC_OUTPUT_MAX);
331 assert(ident);
332 assert(nfd >= 0);
071830ff 333
54fe0cdb
LP		 334 fd = socket(AF_UNIX, SOCK_STREAM, 0);
335 if (fd < 0)
80876c20 336 return -errno;
071830ff 337
524daa8c
ZJS		 338 r = connect_journal_socket(fd, uid, gid);
339 if (r < 0)
340 return r;
071830ff 341
80876c20 342 if (shutdown(fd, SHUT_RD) < 0) {
03e334a1 343 safe_close(fd);
80876c20
LP		 344 return -errno;
345 }
071830ff 346
fd1f9c89 347 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
531dca78 348
80876c20 349 dprintf(fd,
62bca2c6 350 "%s\n"
80876c20
LP		 351 "%s\n"
352 "%i\n"
54fe0cdb
LP		 353 "%i\n"
354 "%i\n"
355 "%i\n"
4f4a1dbf 356 "%i\n",
4f4a1dbf 357 context->syslog_identifier ? context->syslog_identifier : ident,
7a1ab780 358 unit->id,
54fe0cdb
LP		 359 context->syslog_priority,
360 !!context->syslog_level_prefix,
361 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
362 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
3a1286b6 363 is_terminal_output(output));
80876c20 364
fd1f9c89
LP		 365 if (fd == nfd)
366 return nfd;
367
368 r = dup2(fd, nfd) < 0 ? -errno : nfd;
369 safe_close(fd);
071830ff 370
80876c20
LP		 371 return r;
372}
373static int open_terminal_as(const char *path, mode_t mode, int nfd) {
374 int fd, r;
071830ff 375
80876c20
LP		 376 assert(path);
377 assert(nfd >= 0);
071830ff 378
3cc2aff1
LP		 379 fd = open_terminal(path, mode | O_NOCTTY);
380 if (fd < 0)
80876c20 381 return fd;
071830ff 382
80876c20
LP		 383 if (fd != nfd) {
384 r = dup2(fd, nfd) < 0 ? -errno : nfd;
03e334a1 385 safe_close(fd);
80876c20
LP		 386 } else
387 r = nfd;
071830ff 388
80876c20
LP		 389 return r;
390}
071830ff 391
1e3ad081
LP		 392static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
393
394 if (is_terminal_input(std_input) && !apply_tty_stdin)
395 return EXEC_INPUT_NULL;
071830ff 396
03fd9c49 397 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 398 return EXEC_INPUT_NULL;
399
03fd9c49 400 return std_input;
4f2d528d
LP		 401}
402
03fd9c49 403static int fixup_output(ExecOutput std_output, int socket_fd) {
4f2d528d 404
03fd9c49 405 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
4f2d528d
LP		 406 return EXEC_OUTPUT_INHERIT;
407
03fd9c49 408 return std_output;
4f2d528d
LP		 409}
410
a34ceba6
LP		 411static int setup_input(
412 const ExecContext *context,
413 const ExecParameters *params,
414 int socket_fd) {
415
4f2d528d
LP		 416 ExecInput i;
417
418 assert(context);
a34ceba6
LP		 419 assert(params);
420
421 if (params->stdin_fd >= 0) {
422 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
423 return -errno;
424
425 /* Try to make this the controlling tty, if it is a tty, and reset it */
426 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
427 (void) reset_terminal_fd(STDIN_FILENO, true);
428
429 return STDIN_FILENO;
430 }
4f2d528d 431
c39f1ce2 432 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
4f2d528d
LP		 433
434 switch (i) {
071830ff 435
80876c20
LP		 436 case EXEC_INPUT_NULL:
437 return open_null_as(O_RDONLY, STDIN_FILENO);
438
439 case EXEC_INPUT_TTY:
440 case EXEC_INPUT_TTY_FORCE:
441 case EXEC_INPUT_TTY_FAIL: {
442 int fd, r;
071830ff 443
1e22b5cd 444 fd = acquire_terminal(exec_context_tty_path(context),
970edce6
ZJS		 445 i == EXEC_INPUT_TTY_FAIL,
446 i == EXEC_INPUT_TTY_FORCE,
447 false,
3a43da28 448 USEC_INFINITY);
970edce6 449 if (fd < 0)
80876c20
LP		 450 return fd;
451
452 if (fd != STDIN_FILENO) {
453 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
03e334a1 454 safe_close(fd);
80876c20
LP		 455 } else
456 r = STDIN_FILENO;
457
458 return r;
459 }
460
4f2d528d
LP		 461 case EXEC_INPUT_SOCKET:
462 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
463
80876c20
LP		 464 default:
465 assert_not_reached("Unknown input type");
466 }
467}
468
a34ceba6
LP		 469static int setup_output(
470 Unit *unit,
471 const ExecContext *context,
472 const ExecParameters *params,
473 int fileno,
474 int socket_fd,
475 const char *ident,
7bce046b
LP		 476 uid_t uid,
477 gid_t gid,
478 dev_t *journal_stream_dev,
479 ino_t *journal_stream_ino) {
a34ceba6 480
4f2d528d
LP		 481 ExecOutput o;
482 ExecInput i;
47c1d80d 483 int r;
4f2d528d 484
f2341e0a 485 assert(unit);
80876c20 486 assert(context);
a34ceba6 487 assert(params);
80876c20 488 assert(ident);
7bce046b
LP		 489 assert(journal_stream_dev);
490 assert(journal_stream_ino);
80876c20 491
a34ceba6
LP		 492 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
493
494 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
495 return -errno;
496
497 return STDOUT_FILENO;
498 }
499
500 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
501 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
502 return -errno;
503
504 return STDERR_FILENO;
505 }
506
c39f1ce2 507 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
03fd9c49 508 o = fixup_output(context->std_output, socket_fd);
4f2d528d 509
eb17e935
MS		 510 if (fileno == STDERR_FILENO) {
511 ExecOutput e;
512 e = fixup_output(context->std_error, socket_fd);
80876c20 513
eb17e935
MS		 514 /* This expects the input and output are already set up */
515
516 /* Don't change the stderr file descriptor if we inherit all
517 * the way and are not on a tty */
518 if (e == EXEC_OUTPUT_INHERIT &&
519 o == EXEC_OUTPUT_INHERIT &&
520 i == EXEC_INPUT_NULL &&
521 !is_terminal_input(context->std_input) &&
522 getppid () != 1)
523 return fileno;
524
525 /* Duplicate from stdout if possible */
526 if (e == o || e == EXEC_OUTPUT_INHERIT)
527 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 528
eb17e935 529 o = e;
80876c20 530
eb17e935 531 } else if (o == EXEC_OUTPUT_INHERIT) {
21d21ea4
LP		 532 /* If input got downgraded, inherit the original value */
533 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
1e22b5cd 534 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
21d21ea4 535
acb591e4 536 /* If the input is connected to anything that's not a /dev/null, inherit that... */
ff876e28 537 if (i != EXEC_INPUT_NULL)
eb17e935 538 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
071830ff 539
acb591e4
LP		 540 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
541 if (getppid() != 1)
eb17e935 542 return fileno;
94f04347 543
eb17e935
MS		 544 /* We need to open /dev/null here anew, to get the right access mode. */
545 return open_null_as(O_WRONLY, fileno);
071830ff 546 }
94f04347 547
eb17e935 548 switch (o) {
80876c20
LP		 549
550 case EXEC_OUTPUT_NULL:
eb17e935 551 return open_null_as(O_WRONLY, fileno);
80876c20
LP		 552
553 case EXEC_OUTPUT_TTY:
4f2d528d 554 if (is_terminal_input(i))
eb17e935 555 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
80876c20
LP		 556
557 /* We don't reset the terminal if this is just about output */
1e22b5cd 558 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
80876c20
LP		 559
560 case EXEC_OUTPUT_SYSLOG:
28dbc1e8 561 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
9a6bca7a 562 case EXEC_OUTPUT_KMSG:
28dbc1e8 563 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
706343f4
LP		 564 case EXEC_OUTPUT_JOURNAL:
565 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
7a1ab780 566 r = connect_logger_as(unit, context, o, ident, fileno, uid, gid);
47c1d80d 567 if (r < 0) {
f2341e0a 568 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
eb17e935 569 r = open_null_as(O_WRONLY, fileno);
7bce046b
LP		 570 } else {
571 struct stat st;
572
573 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
574 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
575 * services to detect whether they are connected to the journal or not. */
576
577 if (fstat(fileno, &st) >= 0) {
578 *journal_stream_dev = st.st_dev;
579 *journal_stream_ino = st.st_ino;
580 }
47c1d80d
MS		 581 }
582 return r;
4f2d528d
LP		 583
584 case EXEC_OUTPUT_SOCKET:
585 assert(socket_fd >= 0);
eb17e935 586 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
94f04347
LP		 587
588 default:
80876c20 589 assert_not_reached("Unknown error type");
94f04347 590 }
071830ff
LP		 591}
592
02a51aba
LP		 593static int chown_terminal(int fd, uid_t uid) {
594 struct stat st;
595
596 assert(fd >= 0);
02a51aba 597
1ff74fb6
LP		 598 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
599 if (isatty(fd) < 1)
600 return 0;
601
02a51aba 602 /* This might fail. What matters are the results. */
bab45044
LP		 603 (void) fchown(fd, uid, -1);
604 (void) fchmod(fd, TTY_MODE);
02a51aba
LP		 605
606 if (fstat(fd, &st) < 0)
607 return -errno;
608
d8b4e2e9 609 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
02a51aba
LP		 610 return -EPERM;
611
612 return 0;
613}
614
3d18b167
LP		 615static int setup_confirm_stdio(int *_saved_stdin, int *_saved_stdout) {
616 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
617 int r;
80876c20 618
80876c20
LP		 619 assert(_saved_stdin);
620 assert(_saved_stdout);
621
af6da548
LP		 622 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
623 if (saved_stdin < 0)
624 return -errno;
80876c20 625
af6da548 626 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
3d18b167
LP		 627 if (saved_stdout < 0)
628 return -errno;
80876c20 629
af6da548
LP		 630 fd = acquire_terminal(
631 "/dev/console",
632 false,
633 false,
634 false,
635 DEFAULT_CONFIRM_USEC);
3d18b167
LP		 636 if (fd < 0)
637 return fd;
80876c20 638
af6da548
LP		 639 r = chown_terminal(fd, getuid());
640 if (r < 0)
3d18b167 641 return r;
02a51aba 642
3d18b167
LP		 643 r = reset_terminal_fd(fd, true);
644 if (r < 0)
645 return r;
80876c20 646
3d18b167
LP		 647 if (dup2(fd, STDIN_FILENO) < 0)
648 return -errno;
649
650 if (dup2(fd, STDOUT_FILENO) < 0)
651 return -errno;
80876c20
LP		 652
653 if (fd >= 2)
03e334a1 654 safe_close(fd);
3d18b167 655 fd = -1;
80876c20
LP		 656
657 *_saved_stdin = saved_stdin;
658 *_saved_stdout = saved_stdout;
659
3d18b167 660 saved_stdin = saved_stdout = -1;
80876c20 661
3d18b167 662 return 0;
80876c20
LP		 663}
664
44b601bc 665_printf_(1, 2) static int write_confirm_message(const char *format, ...) {
03e334a1 666 _cleanup_close_ int fd = -1;
af6da548 667 va_list ap;
80876c20 668
af6da548 669 assert(format);
80876c20 670
af6da548
LP		 671 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
672 if (fd < 0)
673 return fd;
80876c20 674
af6da548
LP		 675 va_start(ap, format);
676 vdprintf(fd, format, ap);
677 va_end(ap);
80876c20 678
af6da548
LP		 679 return 0;
680}
80876c20 681
3d18b167 682static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
af6da548 683 int r = 0;
80876c20 684
af6da548
LP		 685 assert(saved_stdin);
686 assert(saved_stdout);
687
688 release_terminal();
689
690 if (*saved_stdin >= 0)
80876c20 691 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
af6da548 692 r = -errno;
80876c20 693
af6da548 694 if (*saved_stdout >= 0)
80876c20 695 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
af6da548 696 r = -errno;
80876c20 697
3d18b167
LP		 698 *saved_stdin = safe_close(*saved_stdin);
699 *saved_stdout = safe_close(*saved_stdout);
af6da548
LP		 700
701 return r;
702}
703
704static int ask_for_confirmation(char *response, char **argv) {
705 int saved_stdout = -1, saved_stdin = -1, r;
e1d75803 706 _cleanup_free_ char *line = NULL;
af6da548
LP		 707
708 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
709 if (r < 0)
710 return r;
711
712 line = exec_command_line(argv);
713 if (!line)
714 return -ENOMEM;
715
418b9be5 716 r = ask_char(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
af6da548
LP		 717
718 restore_confirm_stdio(&saved_stdin, &saved_stdout);
719
720 return r;
80876c20
LP		 721}
722
81a2b7ce
LP		 723static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
724 bool keep_groups = false;
725 int r;
726
727 assert(context);
728
35b8ca3a 729 /* Lookup and set GID and supplementary group list. Here too
81a2b7ce
LP		 730 * we avoid NSS lookups for gid=0. */
731
732 if (context->group || username) {
81a2b7ce
LP		 733 /* First step, initialize groups from /etc/groups */
734 if (username && gid != 0) {
735 if (initgroups(username, gid) < 0)
736 return -errno;
737
738 keep_groups = true;
739 }
740
741 /* Second step, set our gids */
742 if (setresgid(gid, gid, gid) < 0)
743 return -errno;
744 }
745
746 if (context->supplementary_groups) {
747 int ngroups_max, k;
748 gid_t *gids;
749 char **i;
750
751 /* Final step, initialize any manually set supplementary groups */
da19d5c1 752 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
81a2b7ce
LP		 753
754 if (!(gids = new(gid_t, ngroups_max)))
755 return -ENOMEM;
756
757 if (keep_groups) {
3cc2aff1
LP		 758 k = getgroups(ngroups_max, gids);
759 if (k < 0) {
81a2b7ce
LP		 760 free(gids);
761 return -errno;
762 }
763 } else
764 k = 0;
765
766 STRV_FOREACH(i, context->supplementary_groups) {
4b67834e 767 const char *g;
81a2b7ce
LP		 768
769 if (k >= ngroups_max) {
770 free(gids);
771 return -E2BIG;
772 }
773
4b67834e
LP		 774 g = *i;
775 r = get_group_creds(&g, gids+k);
776 if (r < 0) {
81a2b7ce
LP		 777 free(gids);
778 return r;
779 }
780
781 k++;
782 }
783
97f0e76f
LP		 784 r = maybe_setgroups(k, gids);
785 if (r < 0) {
81a2b7ce 786 free(gids);
97f0e76f 787 return r;
81a2b7ce
LP		 788 }
789
790 free(gids);
791 }
792
793 return 0;
794}
795
796static int enforce_user(const ExecContext *context, uid_t uid) {
81a2b7ce
LP		 797 assert(context);
798
479050b3 799 /* Sets (but doesn't look up) the uid and make sure we keep the
81a2b7ce
LP		 800 * capabilities while doing so. */
801
479050b3 802 if (context->capability_ambient_set != 0) {
81a2b7ce
LP		 803
804 /* First step: If we need to keep capabilities but
805 * drop privileges we need to make sure we keep our
cbb21cca 806 * caps, while we drop privileges. */
693ced48 807 if (uid != 0) {
cbb21cca 808 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
693ced48
LP		 809
810 if (prctl(PR_GET_SECUREBITS) != sb)
811 if (prctl(PR_SET_SECUREBITS, sb) < 0)
812 return -errno;
813 }
81a2b7ce
LP		 814 }
815
479050b3 816 /* Second step: actually set the uids */
81a2b7ce
LP		 817 if (setresuid(uid, uid, uid) < 0)
818 return -errno;
819
820 /* At this point we should have all necessary capabilities but
821 are otherwise a normal user. However, the caps might got
822 corrupted due to the setresuid() so we need clean them up
823 later. This is done outside of this call. */
824
825 return 0;
826}
827
5b6319dc
LP		 828#ifdef HAVE_PAM
829
830static int null_conv(
831 int num_msg,
832 const struct pam_message **msg,
833 struct pam_response **resp,
834 void *appdata_ptr) {
835
836 /* We don't support conversations */
837
838 return PAM_CONV_ERR;
839}
840
cefc33ae
LP		 841#endif
842
5b6319dc
LP		 843static int setup_pam(
844 const char *name,
845 const char *user,
940c5210 846 uid_t uid,
2d6fce8d 847 gid_t gid,
5b6319dc 848 const char *tty,
2065ca69 849 char ***env,
5b6319dc
LP		 850 int fds[], unsigned n_fds) {
851
cefc33ae
LP		 852#ifdef HAVE_PAM
853
5b6319dc
LP		 854 static const struct pam_conv conv = {
855 .conv = null_conv,
856 .appdata_ptr = NULL
857 };
858
2d7c6aa2 859 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
5b6319dc 860 pam_handle_t *handle = NULL;
d6e5f3ad 861 sigset_t old_ss;
7bb70b6e 862 int pam_code = PAM_SUCCESS, r;
84eada2f 863 char **nv, **e = NULL;
5b6319dc
LP		 864 bool close_session = false;
865 pid_t pam_pid = 0, parent_pid;
970edce6 866 int flags = 0;
5b6319dc
LP		 867
868 assert(name);
869 assert(user);
2065ca69 870 assert(env);
5b6319dc
LP		 871
872 /* We set up PAM in the parent process, then fork. The child
35b8ca3a 873 * will then stay around until killed via PR_GET_PDEATHSIG or
5b6319dc
LP		 874 * systemd via the cgroup logic. It will then remove the PAM
875 * session again. The parent process will exec() the actual
876 * daemon. We do things this way to ensure that the main PID
877 * of the daemon is the one we initially fork()ed. */
878
7bb70b6e
LP		 879 r = barrier_create(&barrier);
880 if (r < 0)
2d7c6aa2
DH		 881 goto fail;
882
553d2243 883 if (log_get_max_level() < LOG_DEBUG)
970edce6
ZJS		 884 flags |= PAM_SILENT;
885
f546241b
ZJS		 886 pam_code = pam_start(name, user, &conv, &handle);
887 if (pam_code != PAM_SUCCESS) {
5b6319dc
LP		 888 handle = NULL;
889 goto fail;
890 }
891
f546241b
ZJS		 892 if (tty) {
893 pam_code = pam_set_item(handle, PAM_TTY, tty);
894 if (pam_code != PAM_SUCCESS)
5b6319dc 895 goto fail;
f546241b 896 }
5b6319dc 897
84eada2f
JW		 898 STRV_FOREACH(nv, *env) {
899 pam_code = pam_putenv(handle, *nv);
2065ca69
JW		 900 if (pam_code != PAM_SUCCESS)
901 goto fail;
902 }
903
970edce6 904 pam_code = pam_acct_mgmt(handle, flags);
f546241b 905 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 906 goto fail;
907
970edce6 908 pam_code = pam_open_session(handle, flags);
f546241b 909 if (pam_code != PAM_SUCCESS)
5b6319dc
LP		 910 goto fail;
911
912 close_session = true;
913
f546241b
ZJS		 914 e = pam_getenvlist(handle);
915 if (!e) {
5b6319dc
LP		 916 pam_code = PAM_BUF_ERR;
917 goto fail;
918 }
919
920 /* Block SIGTERM, so that we know that it won't get lost in
921 * the child */
ce30c8dc 922
72c0a2c2 923 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
5b6319dc
LP		 924
925 parent_pid = getpid();
926
f546241b 927 pam_pid = fork();
7bb70b6e
LP		 928 if (pam_pid < 0) {
929 r = -errno;
5b6319dc 930 goto fail;
7bb70b6e 931 }
5b6319dc
LP		 932
933 if (pam_pid == 0) {
7bb70b6e 934 int sig, ret = EXIT_PAM;
5b6319dc
LP		 935
936 /* The child's job is to reset the PAM session on
937 * termination */
2d7c6aa2 938 barrier_set_role(&barrier, BARRIER_CHILD);
5b6319dc
LP		 939
940 /* This string must fit in 10 chars (i.e. the length
5d6b1584
LP		 941 * of "/sbin/init"), to look pretty in /bin/ps */
942 rename_process("(sd-pam)");
5b6319dc
LP		 943
944 /* Make sure we don't keep open the passed fds in this
945 child. We assume that otherwise only those fds are
946 open here that have been opened by PAM. */
947 close_many(fds, n_fds);
948
940c5210
AK		 949 /* Drop privileges - we don't need any to pam_close_session
950 * and this will make PR_SET_PDEATHSIG work in most cases.
951 * If this fails, ignore the error - but expect sd-pam threads
952 * to fail to exit normally */
2d6fce8d 953
97f0e76f
LP		 954 r = maybe_setgroups(0, NULL);
955 if (r < 0)
956 log_warning_errno(r, "Failed to setgroups() in sd-pam: %m");
2d6fce8d
LP		 957 if (setresgid(gid, gid, gid) < 0)
958 log_warning_errno(errno, "Failed to setresgid() in sd-pam: %m");
940c5210 959 if (setresuid(uid, uid, uid) < 0)
2d6fce8d 960 log_warning_errno(errno, "Failed to setresuid() in sd-pam: %m");
940c5210 961
ce30c8dc
LP		 962 (void) ignore_signals(SIGPIPE, -1);
963
940c5210
AK		 964 /* Wait until our parent died. This will only work if
965 * the above setresuid() succeeds, otherwise the kernel
966 * will not allow unprivileged parents kill their privileged
967 * children this way. We rely on the control groups kill logic
5b6319dc
LP		 968 * to do the rest for us. */
969 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
970 goto child_finish;
971
2d7c6aa2
DH		 972 /* Tell the parent that our setup is done. This is especially
973 * important regarding dropping privileges. Otherwise, unit
974 * setup might race against our setresuid(2) call. */
975 barrier_place(&barrier);
976
5b6319dc
LP		 977 /* Check if our parent process might already have
978 * died? */
979 if (getppid() == parent_pid) {
d6e5f3ad
DM		 980 sigset_t ss;
981
982 assert_se(sigemptyset(&ss) >= 0);
983 assert_se(sigaddset(&ss, SIGTERM) >= 0);
984
3dead8d9
LP		 985 for (;;) {
986 if (sigwait(&ss, &sig) < 0) {
987 if (errno == EINTR)
988 continue;
989
990 goto child_finish;
991 }
5b6319dc 992
3dead8d9
LP		 993 assert(sig == SIGTERM);
994 break;
995 }
5b6319dc
LP		 996 }
997
3dead8d9 998 /* If our parent died we'll end the session */
f546241b 999 if (getppid() != parent_pid) {
970edce6 1000 pam_code = pam_close_session(handle, flags);
f546241b 1001 if (pam_code != PAM_SUCCESS)
5b6319dc 1002 goto child_finish;
f546241b 1003 }
5b6319dc 1004
7bb70b6e 1005 ret = 0;
5b6319dc
LP		 1006
1007 child_finish:
970edce6 1008 pam_end(handle, pam_code | flags);
7bb70b6e 1009 _exit(ret);
5b6319dc
LP		 1010 }
1011
2d7c6aa2
DH		 1012 barrier_set_role(&barrier, BARRIER_PARENT);
1013
5b6319dc
LP		 1014 /* If the child was forked off successfully it will do all the
1015 * cleanups, so forget about the handle here. */
1016 handle = NULL;
1017
3b8bddde 1018 /* Unblock SIGTERM again in the parent */
72c0a2c2 1019 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
5b6319dc
LP		 1020
1021 /* We close the log explicitly here, since the PAM modules
1022 * might have opened it, but we don't want this fd around. */
1023 closelog();
1024
2d7c6aa2
DH		 1025 /* Synchronously wait for the child to initialize. We don't care for
1026 * errors as we cannot recover. However, warn loudly if it happens. */
1027 if (!barrier_place_and_sync(&barrier))
1028 log_error("PAM initialization failed");
1029
2065ca69
JW		 1030 strv_free(*env);
1031 *env = e;
aa87e624 1032
5b6319dc
LP		 1033 return 0;
1034
1035fail:
970edce6
ZJS		 1036 if (pam_code != PAM_SUCCESS) {
1037 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
7bb70b6e
LP		 1038 r = -EPERM; /* PAM errors do not map to errno */
1039 } else
1040 log_error_errno(r, "PAM failed: %m");
9ba35398 1041
5b6319dc
LP		 1042 if (handle) {
1043 if (close_session)
970edce6 1044 pam_code = pam_close_session(handle, flags);
5b6319dc 1045
970edce6 1046 pam_end(handle, pam_code | flags);
5b6319dc
LP		 1047 }
1048
1049 strv_free(e);
5b6319dc
LP		 1050 closelog();
1051
7bb70b6e 1052 return r;
cefc33ae
LP		 1053#else
1054 return 0;
5b6319dc 1055#endif
cefc33ae 1056}
5b6319dc 1057
5d6b1584
LP		 1058static void rename_process_from_path(const char *path) {
1059 char process_name[11];
1060 const char *p;
1061 size_t l;
1062
1063 /* This resulting string must fit in 10 chars (i.e. the length
1064 * of "/sbin/init") to look pretty in /bin/ps */
1065
2b6bf07d 1066 p = basename(path);
5d6b1584
LP		 1067 if (isempty(p)) {
1068 rename_process("(...)");
1069 return;
1070 }
1071
1072 l = strlen(p);
1073 if (l > 8) {
1074 /* The end of the process name is usually more
1075 * interesting, since the first bit might just be
1076 * "systemd-" */
1077 p = p + l - 8;
1078 l = 8;
1079 }
1080
1081 process_name[0] = '(';
1082 memcpy(process_name+1, p, l);
1083 process_name[1+l] = ')';
1084 process_name[1+l+1] = 0;
1085
1086 rename_process(process_name);
1087}
1088
c0467cf3 1089#ifdef HAVE_SECCOMP
17df7223 1090
83f12b27
FS		 1091static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
1092 if (!is_seccomp_available()) {
1093 log_open();
d347d902 1094 log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
83f12b27
FS		 1095 log_close();
1096 return true;
1097 }
1098 return false;
1099}
1100
1101static int apply_seccomp(const Unit* u, const ExecContext *c) {
17df7223
LP		 1102 uint32_t negative_action, action;
1103 scmp_filter_ctx *seccomp;
c0467cf3
RC		 1104 Iterator i;
1105 void *id;
17df7223 1106 int r;
8351ceae 1107
c0467cf3 1108 assert(c);
8351ceae 1109
83f12b27
FS		 1110 if (skip_seccomp_unavailable(u, "syscall filtering"))
1111 return 0;
1112
17df7223
LP		 1113 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
1114
1115 seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW);
1116 if (!seccomp)
1117 return -ENOMEM;
8351ceae 1118
e9642be2
LP		 1119 if (c->syscall_archs) {
1120
1121 SET_FOREACH(id, c->syscall_archs, i) {
1122 r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
1123 if (r == -EEXIST)
1124 continue;
7c66bae2
LP		 1125 if (r < 0)
1126 goto finish;
e9642be2 1127 }
e9642be2 1128
7c66bae2 1129 } else {
e9642be2 1130 r = seccomp_add_secondary_archs(seccomp);
7c66bae2
LP		 1131 if (r < 0)
1132 goto finish;
57183d11 1133 }
8351ceae 1134
57183d11 1135 action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
17df7223
LP		 1136 SET_FOREACH(id, c->syscall_filter, i) {
1137 r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
7c66bae2
LP		 1138 if (r < 0)
1139 goto finish;
c0467cf3 1140 }
8351ceae 1141
7c66bae2
LP		 1142 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1143 if (r < 0)
1144 goto finish;
1145
17df7223 1146 r = seccomp_load(seccomp);
7c66bae2
LP		 1147
1148finish:
17df7223 1149 seccomp_release(seccomp);
4298d0b5
LP		 1150 return r;
1151}
1152
83f12b27 1153static int apply_address_families(const Unit* u, const ExecContext *c) {
4298d0b5
LP		 1154 scmp_filter_ctx *seccomp;
1155 Iterator i;
1156 int r;
1157
1158 assert(c);
1159
83f12b27
FS		 1160 if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
1161 return 0;
1162
4298d0b5
LP		 1163 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1164 if (!seccomp)
1165 return -ENOMEM;
1166
1167 r = seccomp_add_secondary_archs(seccomp);
1168 if (r < 0)
1169 goto finish;
1170
1171 if (c->address_families_whitelist) {
1172 int af, first = 0, last = 0;
1173 void *afp;
1174
1175 /* If this is a whitelist, we first block the address
1176 * families that are out of range and then everything
1177 * that is not in the set. First, we find the lowest
1178 * and highest address family in the set. */
1179
1180 SET_FOREACH(afp, c->address_families, i) {
1181 af = PTR_TO_INT(afp);
17df7223 1182
4298d0b5
LP		 1183 if (af <= 0 || af >= af_max())
1184 continue;
1185
1186 if (first == 0 || af < first)
1187 first = af;
1188
1189 if (last == 0 || af > last)
1190 last = af;
1191 }
1192
1193 assert((first == 0) == (last == 0));
1194
1195 if (first == 0) {
1196
1197 /* No entries in the valid range, block everything */
1198 r = seccomp_rule_add(
1199 seccomp,
1200 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1201 SCMP_SYS(socket),
1202 0);
1203 if (r < 0)
1204 goto finish;
1205
1206 } else {
1207
1208 /* Block everything below the first entry */
1209 r = seccomp_rule_add(
1210 seccomp,
1211 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1212 SCMP_SYS(socket),
1213 1,
1214 SCMP_A0(SCMP_CMP_LT, first));
1215 if (r < 0)
1216 goto finish;
1217
1218 /* Block everything above the last entry */
1219 r = seccomp_rule_add(
1220 seccomp,
1221 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1222 SCMP_SYS(socket),
1223 1,
1224 SCMP_A0(SCMP_CMP_GT, last));
1225 if (r < 0)
1226 goto finish;
1227
1228 /* Block everything between the first and last
1229 * entry */
1230 for (af = 1; af < af_max(); af++) {
1231
1232 if (set_contains(c->address_families, INT_TO_PTR(af)))
1233 continue;
1234
1235 r = seccomp_rule_add(
1236 seccomp,
1237 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1238 SCMP_SYS(socket),
1239 1,
1240 SCMP_A0(SCMP_CMP_EQ, af));
1241 if (r < 0)
1242 goto finish;
1243 }
1244 }
1245
1246 } else {
1247 void *af;
1248
1249 /* If this is a blacklist, then generate one rule for
1250 * each address family that are then combined in OR
1251 * checks. */
1252
1253 SET_FOREACH(af, c->address_families, i) {
1254
1255 r = seccomp_rule_add(
1256 seccomp,
1257 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1258 SCMP_SYS(socket),
1259 1,
1260 SCMP_A0(SCMP_CMP_EQ, PTR_TO_INT(af)));
1261 if (r < 0)
1262 goto finish;
1263 }
1264 }
1265
1266 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1267 if (r < 0)
1268 goto finish;
1269
1270 r = seccomp_load(seccomp);
1271
1272finish:
1273 seccomp_release(seccomp);
17df7223 1274 return r;
8351ceae 1275}
4298d0b5 1276
83f12b27 1277static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c) {
f3e43635
TM		 1278 scmp_filter_ctx *seccomp;
1279 int r;
1280
1281 assert(c);
1282
83f12b27
FS		 1283 if (skip_seccomp_unavailable(u, "MemoryDenyWriteExecute="))
1284 return 0;
1285
f3e43635
TM		 1286 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1287 if (!seccomp)
1288 return -ENOMEM;
1289
72246c2a
LP		 1290 r = seccomp_add_secondary_archs(seccomp);
1291 if (r < 0)
1292 goto finish;
1293
f3e43635
TM		 1294 r = seccomp_rule_add(
1295 seccomp,
abd84d4d 1296 SCMP_ACT_ERRNO(EPERM),
f3e43635
TM		 1297 SCMP_SYS(mmap),
1298 1,
1299 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE));
1300 if (r < 0)
1301 goto finish;
1302
1303 r = seccomp_rule_add(
1304 seccomp,
abd84d4d 1305 SCMP_ACT_ERRNO(EPERM),
f3e43635
TM		 1306 SCMP_SYS(mprotect),
1307 1,
1308 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC));
1309 if (r < 0)
1310 goto finish;
1311
1312 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1313 if (r < 0)
1314 goto finish;
1315
1316 r = seccomp_load(seccomp);
1317
1318finish:
1319 seccomp_release(seccomp);
1320 return r;
1321}
1322
83f12b27 1323static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
f4170c67
LP		 1324 static const int permitted_policies[] = {
1325 SCHED_OTHER,
1326 SCHED_BATCH,
1327 SCHED_IDLE,
1328 };
1329
1330 scmp_filter_ctx *seccomp;
1331 unsigned i;
1332 int r, p, max_policy = 0;
1333
1334 assert(c);
1335
83f12b27
FS		 1336 if (skip_seccomp_unavailable(u, "RestrictRealtime="))
1337 return 0;
1338
f4170c67
LP		 1339 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1340 if (!seccomp)
1341 return -ENOMEM;
1342
72246c2a
LP		 1343 r = seccomp_add_secondary_archs(seccomp);
1344 if (r < 0)
1345 goto finish;
1346
f4170c67
LP		 1347 /* Determine the highest policy constant we want to allow */
1348 for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
1349 if (permitted_policies[i] > max_policy)
1350 max_policy = permitted_policies[i];
1351
1352 /* Go through all policies with lower values than that, and block them -- unless they appear in the
1353 * whitelist. */
1354 for (p = 0; p < max_policy; p++) {
1355 bool good = false;
1356
1357 /* Check if this is in the whitelist. */
1358 for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
1359 if (permitted_policies[i] == p) {
1360 good = true;
1361 break;
1362 }
1363
1364 if (good)
1365 continue;
1366
1367 /* Deny this policy */
1368 r = seccomp_rule_add(
1369 seccomp,
1370 SCMP_ACT_ERRNO(EPERM),
1371 SCMP_SYS(sched_setscheduler),
1372 1,
1373 SCMP_A1(SCMP_CMP_EQ, p));
1374 if (r < 0)
1375 goto finish;
1376 }
1377
1378 /* Blacklist all other policies, i.e. the ones with higher values. Note that all comparisons are unsigned here,
1379 * hence no need no check for < 0 values. */
1380 r = seccomp_rule_add(
1381 seccomp,
1382 SCMP_ACT_ERRNO(EPERM),
1383 SCMP_SYS(sched_setscheduler),
1384 1,
1385 SCMP_A1(SCMP_CMP_GT, max_policy));
1386 if (r < 0)
1387 goto finish;
1388
1389 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1390 if (r < 0)
1391 goto finish;
1392
1393 r = seccomp_load(seccomp);
1394
1395finish:
1396 seccomp_release(seccomp);
1397 return r;
1398}
1399
59eeb84b
LP		 1400static int apply_protect_sysctl(Unit *u, const ExecContext *c) {
1401 scmp_filter_ctx *seccomp;
1402 int r;
1403
1404 assert(c);
1405
1406 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1407 * let's protect even those systems where this is left on in the kernel. */
1408
1409 if (skip_seccomp_unavailable(u, "ProtectKernelTunables="))
1410 return 0;
1411
1412 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1413 if (!seccomp)
1414 return -ENOMEM;
1415
1416 r = seccomp_add_secondary_archs(seccomp);
1417 if (r < 0)
1418 goto finish;
1419
1420 r = seccomp_rule_add(
1421 seccomp,
1422 SCMP_ACT_ERRNO(EPERM),
1423 SCMP_SYS(_sysctl),
1424 0);
1425 if (r < 0)
1426 goto finish;
1427
1428 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1429 if (r < 0)
1430 goto finish;
1431
1432 r = seccomp_load(seccomp);
1433
1434finish:
1435 seccomp_release(seccomp);
1436 return r;
1437}
1438
ba128bb8 1439static int apply_private_devices(Unit *u, const ExecContext *c) {
8f81a5f6 1440 const SystemCallFilterSet *set;
ba128bb8 1441 scmp_filter_ctx *seccomp;
8f81a5f6
DH		 1442 const char *sys;
1443 bool syscalls_found = false;
ba128bb8
LP		 1444 int r;
1445
1446 assert(c);
1447
8f81a5f6 1448 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
ba128bb8
LP		 1449
1450 if (skip_seccomp_unavailable(u, "PrivateDevices="))
1451 return 0;
1452
1453 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1454 if (!seccomp)
1455 return -ENOMEM;
1456
1457 r = seccomp_add_secondary_archs(seccomp);
1458 if (r < 0)
1459 goto finish;
1460
8f81a5f6
DH		 1461 for (set = syscall_filter_sets; set->set_name; set++)
1462 if (streq(set->set_name, "@raw-io")) {
1463 syscalls_found = true;
1464 break;
1465 }
1466
1467 /* We should never fail here */
1468 if (!syscalls_found) {
1469 r = -EOPNOTSUPP;
1470 goto finish;
1471 }
1472
1473 NULSTR_FOREACH(sys, set->value) {
1474 int id;
1475 bool add = true;
1476
1477#ifndef __NR_s390_pci_mmio_read
1478 if (streq(sys, "s390_pci_mmio_read"))
1479 add = false;
1480#endif
1481#ifndef __NR_s390_pci_mmio_write
1482 if (streq(sys, "s390_pci_mmio_write"))
1483 add = false;
1484#endif
1485
1486 if (!add)
1487 continue;
1488
1489 id = seccomp_syscall_resolve_name(sys);
1490
ba128bb8
LP		 1491 r = seccomp_rule_add(
1492 seccomp,
1493 SCMP_ACT_ERRNO(EPERM),
8f81a5f6 1494 id, 0);
ba128bb8
LP		 1495 if (r < 0)
1496 goto finish;
1497 }
1498
1499 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1500 if (r < 0)
1501 goto finish;
1502
1503 r = seccomp_load(seccomp);
1504
1505finish:
1506 seccomp_release(seccomp);
1507 return r;
1508}
1509
c0467cf3 1510#endif
8351ceae 1511
31a7eb86
ZJS		 1512static void do_idle_pipe_dance(int idle_pipe[4]) {
1513 assert(idle_pipe);
1514
54eb2300
LP		 1515 idle_pipe[1] = safe_close(idle_pipe[1]);
1516 idle_pipe[2] = safe_close(idle_pipe[2]);
31a7eb86
ZJS		 1517
1518 if (idle_pipe[0] >= 0) {
1519 int r;
1520
1521 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1522
1523 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
c7cc737f
LP		 1524 ssize_t n;
1525
31a7eb86 1526 /* Signal systemd that we are bored and want to continue. */
c7cc737f
LP		 1527 n = write(idle_pipe[3], "x", 1);
1528 if (n > 0)
cd972d69
ZJS		 1529 /* Wait for systemd to react to the signal above. */
1530 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
31a7eb86
ZJS		 1531 }
1532
54eb2300 1533 idle_pipe[0] = safe_close(idle_pipe[0]);
31a7eb86
ZJS		 1534
1535 }
1536
54eb2300 1537 idle_pipe[3] = safe_close(idle_pipe[3]);
31a7eb86
ZJS		 1538}
1539
7cae38c4 1540static int build_environment(
fd63e712 1541 Unit *u,
9fa95f85 1542 const ExecContext *c,
1e22b5cd 1543 const ExecParameters *p,
7cae38c4
LP		 1544 unsigned n_fds,
1545 const char *home,
1546 const char *username,
1547 const char *shell,
7bce046b
LP		 1548 dev_t journal_stream_dev,
1549 ino_t journal_stream_ino,
7cae38c4
LP		 1550 char ***ret) {
1551
1552 _cleanup_strv_free_ char **our_env = NULL;
1553 unsigned n_env = 0;
1554 char *x;
1555
4b58153d 1556 assert(u);
7cae38c4
LP		 1557 assert(c);
1558 assert(ret);
1559
4b58153d 1560 our_env = new0(char*, 14);
7cae38c4
LP		 1561 if (!our_env)
1562 return -ENOMEM;
1563
1564 if (n_fds > 0) {
8dd4c05b
LP		 1565 _cleanup_free_ char *joined = NULL;
1566
ccd06097 1567 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
7cae38c4
LP		 1568 return -ENOMEM;
1569 our_env[n_env++] = x;
1570
1571 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1572 return -ENOMEM;
1573 our_env[n_env++] = x;
8dd4c05b 1574
1e22b5cd 1575 joined = strv_join(p->fd_names, ":");
8dd4c05b
LP		 1576 if (!joined)
1577 return -ENOMEM;
1578
1579 x = strjoin("LISTEN_FDNAMES=", joined, NULL);
1580 if (!x)
1581 return -ENOMEM;
1582 our_env[n_env++] = x;
7cae38c4
LP		 1583 }
1584
b08af3b1 1585 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
ccd06097 1586 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
09812eb7
LP		 1587 return -ENOMEM;
1588 our_env[n_env++] = x;
1589
1e22b5cd 1590 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
09812eb7
LP		 1591 return -ENOMEM;
1592 our_env[n_env++] = x;
1593 }
1594
fd63e712
LP		 1595 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1596 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1597 * check the database directly. */
1598 if (unit_has_name(u, SPECIAL_DBUS_SERVICE)) {
1599 x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1600 if (!x)
1601 return -ENOMEM;
1602 our_env[n_env++] = x;
1603 }
1604
7cae38c4
LP		 1605 if (home) {
1606 x = strappend("HOME=", home);
1607 if (!x)
1608 return -ENOMEM;
1609 our_env[n_env++] = x;
1610 }
1611
1612 if (username) {
1613 x = strappend("LOGNAME=", username);
1614 if (!x)
1615 return -ENOMEM;
1616 our_env[n_env++] = x;
1617
1618 x = strappend("USER=", username);
1619 if (!x)
1620 return -ENOMEM;
1621 our_env[n_env++] = x;
1622 }
1623
1624 if (shell) {
1625 x = strappend("SHELL=", shell);
1626 if (!x)
1627 return -ENOMEM;
1628 our_env[n_env++] = x;
1629 }
1630
4b58153d
LP		 1631 if (!sd_id128_is_null(u->invocation_id)) {
1632 if (asprintf(&x, "INVOCATION_ID=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(u->invocation_id)) < 0)
1633 return -ENOMEM;
1634
1635 our_env[n_env++] = x;
1636 }
1637
6af760f3
LP		 1638 if (exec_context_needs_term(c)) {
1639 const char *tty_path, *term = NULL;
1640
1641 tty_path = exec_context_tty_path(c);
1642
1643 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try to inherit
1644 * the $TERM set for PID 1. This is useful for containers so that the $TERM the container manager
1645 * passes to PID 1 ends up all the way in the console login shown. */
1646
1647 if (path_equal(tty_path, "/dev/console") && getppid() == 1)
1648 term = getenv("TERM");
1649 if (!term)
1650 term = default_term_for_tty(tty_path);
7cae38c4 1651
6af760f3 1652 x = strappend("TERM=", term);
7cae38c4
LP		 1653 if (!x)
1654 return -ENOMEM;
1655 our_env[n_env++] = x;
1656 }
1657
7bce046b
LP		 1658 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1659 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1660 return -ENOMEM;
1661
1662 our_env[n_env++] = x;
1663 }
1664
7cae38c4 1665 our_env[n_env++] = NULL;
7bce046b 1666 assert(n_env <= 12);
7cae38c4
LP		 1667
1668 *ret = our_env;
1669 our_env = NULL;
1670
1671 return 0;
1672}
1673
b4c14404
FB		 1674static int build_pass_environment(const ExecContext *c, char ***ret) {
1675 _cleanup_strv_free_ char **pass_env = NULL;
1676 size_t n_env = 0, n_bufsize = 0;
1677 char **i;
1678
1679 STRV_FOREACH(i, c->pass_environment) {
1680 _cleanup_free_ char *x = NULL;
1681 char *v;
1682
1683 v = getenv(*i);
1684 if (!v)
1685 continue;
1686 x = strjoin(*i, "=", v, NULL);
1687 if (!x)
1688 return -ENOMEM;
1689 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1690 return -ENOMEM;
1691 pass_env[n_env++] = x;
1692 pass_env[n_env] = NULL;
1693 x = NULL;
1694 }
1695
1696 *ret = pass_env;
1697 pass_env = NULL;
1698
1699 return 0;
1700}
1701
8b44a3d2
LP		 1702static bool exec_needs_mount_namespace(
1703 const ExecContext *context,
1704 const ExecParameters *params,
1705 ExecRuntime *runtime) {
1706
1707 assert(context);
1708 assert(params);
1709
2a624c36
AP		 1710 if (!strv_isempty(context->read_write_paths) ||
1711 !strv_isempty(context->read_only_paths) ||
1712 !strv_isempty(context->inaccessible_paths))
8b44a3d2
LP		 1713 return true;
1714
1715 if (context->mount_flags != 0)
1716 return true;
1717
1718 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1719 return true;
1720
8b44a3d2
LP		 1721 if (context->private_devices ||
1722 context->protect_system != PROTECT_SYSTEM_NO ||
59eeb84b
LP		 1723 context->protect_home != PROTECT_HOME_NO ||
1724 context->protect_kernel_tunables ||
1725 context->protect_control_groups)
8b44a3d2
LP		 1726 return true;
1727
1728 return false;
1729}
1730
d251207d
LP		 1731static int setup_private_users(uid_t uid, gid_t gid) {
1732 _cleanup_free_ char *uid_map = NULL, *gid_map = NULL;
1733 _cleanup_close_pair_ int errno_pipe[2] = { -1, -1 };
1734 _cleanup_close_ int unshare_ready_fd = -1;
1735 _cleanup_(sigkill_waitp) pid_t pid = 0;
1736 uint64_t c = 1;
1737 siginfo_t si;
1738 ssize_t n;
1739 int r;
1740
1741 /* Set up a user namespace and map root to root, the selected UID/GID to itself, and everything else to
1742 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1743 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1744 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1745 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
1746 * continues execution normally. */
1747
1748 if (uid != 0 && uid_is_valid(uid))
1749 asprintf(&uid_map,
1750 "0 0 1\n" /* Map root → root */
1751 UID_FMT " " UID_FMT " 1\n", /* Map $UID → $UID */
1752 uid, uid); /* The case where the above is the same */
1753 else
1754 uid_map = strdup("0 0 1\n");
1755 if (!uid_map)
1756 return -ENOMEM;
1757
1758 if (gid != 0 && gid_is_valid(gid))
1759 asprintf(&gid_map,
1760 "0 0 1\n" /* Map root → root */
1761 GID_FMT " " GID_FMT " 1\n", /* Map $GID → $GID */
1762 gid, gid);
1763 else
1764 gid_map = strdup("0 0 1\n"); /* The case where the above is the same */
1765 if (!gid_map)
1766 return -ENOMEM;
1767
1768 /* Create a communication channel so that the parent can tell the child when it finished creating the user
1769 * namespace. */
1770 unshare_ready_fd = eventfd(0, EFD_CLOEXEC);
1771 if (unshare_ready_fd < 0)
1772 return -errno;
1773
1774 /* Create a communication channel so that the child can tell the parent a proper error code in case it
1775 * failed. */
1776 if (pipe2(errno_pipe, O_CLOEXEC) < 0)
1777 return -errno;
1778
1779 pid = fork();
1780 if (pid < 0)
1781 return -errno;
1782
1783 if (pid == 0) {
1784 _cleanup_close_ int fd = -1;
1785 const char *a;
1786 pid_t ppid;
1787
1788 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
1789 * here, after the parent opened its own user namespace. */
1790
1791 ppid = getppid();
1792 errno_pipe[0] = safe_close(errno_pipe[0]);
1793
1794 /* Wait until the parent unshared the user namespace */
1795 if (read(unshare_ready_fd, &c, sizeof(c)) < 0) {
1796 r = -errno;
1797 goto child_fail;
1798 }
1799
1800 /* Disable the setgroups() system call in the child user namespace, for good. */
1801 a = procfs_file_alloca(ppid, "setgroups");
1802 fd = open(a, O_WRONLY|O_CLOEXEC);
1803 if (fd < 0) {
1804 if (errno != ENOENT) {
1805 r = -errno;
1806 goto child_fail;
1807 }
1808
1809 /* If the file is missing the kernel is too old, let's continue anyway. */
1810 } else {
1811 if (write(fd, "deny\n", 5) < 0) {
1812 r = -errno;
1813 goto child_fail;
1814 }
1815
1816 fd = safe_close(fd);
1817 }
1818
1819 /* First write the GID map */
1820 a = procfs_file_alloca(ppid, "gid_map");
1821 fd = open(a, O_WRONLY|O_CLOEXEC);
1822 if (fd < 0) {
1823 r = -errno;
1824 goto child_fail;
1825 }
1826 if (write(fd, gid_map, strlen(gid_map)) < 0) {
1827 r = -errno;
1828 goto child_fail;
1829 }
1830 fd = safe_close(fd);
1831
1832 /* The write the UID map */
1833 a = procfs_file_alloca(ppid, "uid_map");
1834 fd = open(a, O_WRONLY|O_CLOEXEC);
1835 if (fd < 0) {
1836 r = -errno;
1837 goto child_fail;
1838 }
1839 if (write(fd, uid_map, strlen(uid_map)) < 0) {
1840 r = -errno;
1841 goto child_fail;
1842 }
1843
1844 _exit(EXIT_SUCCESS);
1845
1846 child_fail:
1847 (void) write(errno_pipe[1], &r, sizeof(r));
1848 _exit(EXIT_FAILURE);
1849 }
1850
1851 errno_pipe[1] = safe_close(errno_pipe[1]);
1852
1853 if (unshare(CLONE_NEWUSER) < 0)
1854 return -errno;
1855
1856 /* Let the child know that the namespace is ready now */
1857 if (write(unshare_ready_fd, &c, sizeof(c)) < 0)
1858 return -errno;
1859
1860 /* Try to read an error code from the child */
1861 n = read(errno_pipe[0], &r, sizeof(r));
1862 if (n < 0)
1863 return -errno;
1864 if (n == sizeof(r)) { /* an error code was sent to us */
1865 if (r < 0)
1866 return r;
1867 return -EIO;
1868 }
1869 if (n != 0) /* on success we should have read 0 bytes */
1870 return -EIO;
1871
1872 r = wait_for_terminate(pid, &si);
1873 if (r < 0)
1874 return r;
1875 pid = 0;
1876
1877 /* If something strange happened with the child, let's consider this fatal, too */
1878 if (si.si_code != CLD_EXITED || si.si_status != 0)
1879 return -EIO;
1880
1881 return 0;
1882}
1883
07689d5d
LP		 1884static int setup_runtime_directory(
1885 const ExecContext *context,
1886 const ExecParameters *params,
1887 uid_t uid,
1888 gid_t gid) {
1889
1890 char **rt;
1891 int r;
1892
1893 assert(context);
1894 assert(params);
1895
1896 STRV_FOREACH(rt, context->runtime_directory) {
1897 _cleanup_free_ char *p;
1898
1899 p = strjoin(params->runtime_prefix, "/", *rt, NULL);
1900 if (!p)
1901 return -ENOMEM;
1902
1903 r = mkdir_p_label(p, context->runtime_directory_mode);
1904 if (r < 0)
1905 return r;
1906
1907 r = chmod_and_chown(p, context->runtime_directory_mode, uid, gid);
1908 if (r < 0)
1909 return r;
1910 }
1911
1912 return 0;
1913}
1914
cefc33ae
LP		 1915static int setup_smack(
1916 const ExecContext *context,
1917 const ExecCommand *command) {
1918
1919#ifdef HAVE_SMACK
1920 int r;
1921
1922 assert(context);
1923 assert(command);
1924
1925 if (!mac_smack_use())
1926 return 0;
1927
1928 if (context->smack_process_label) {
1929 r = mac_smack_apply_pid(0, context->smack_process_label);
1930 if (r < 0)
1931 return r;
1932 }
1933#ifdef SMACK_DEFAULT_PROCESS_LABEL
1934 else {
1935 _cleanup_free_ char *exec_label = NULL;
1936
1937 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
1938 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP)
1939 return r;
1940
1941 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
1942 if (r < 0)
1943 return r;
1944 }
1945#endif
1946#endif
1947
1948 return 0;
1949}
1950
3fbe8dbe
LP		 1951static int compile_read_write_paths(
1952 const ExecContext *context,
1953 const ExecParameters *params,
1954 char ***ret) {
1955
1956 _cleanup_strv_free_ char **l = NULL;
1957 char **rt;
1958
1959 /* Compile the list of writable paths. This is the combination of the explicitly configured paths, plus all
1960 * runtime directories. */
1961
1962 if (strv_isempty(context->read_write_paths) &&
1963 strv_isempty(context->runtime_directory)) {
1964 *ret = NULL; /* NOP if neither is set */
1965 return 0;
1966 }
1967
1968 l = strv_copy(context->read_write_paths);
1969 if (!l)
1970 return -ENOMEM;
1971
1972 STRV_FOREACH(rt, context->runtime_directory) {
1973 char *s;
1974
1975 s = strjoin(params->runtime_prefix, "/", *rt, NULL);
1976 if (!s)
1977 return -ENOMEM;
1978
1979 if (strv_consume(&l, s) < 0)
1980 return -ENOMEM;
1981 }
1982
1983 *ret = l;
1984 l = NULL;
1985
1986 return 0;
1987}
1988
29206d46
LP		 1989static void append_socket_pair(int *array, unsigned *n, int pair[2]) {
1990 assert(array);
1991 assert(n);
1992
1993 if (!pair)
1994 return;
1995
1996 if (pair[0] >= 0)
1997 array[(*n)++] = pair[0];
1998 if (pair[1] >= 0)
1999 array[(*n)++] = pair[1];
2000}
2001
a34ceba6
LP		 2002static int close_remaining_fds(
2003 const ExecParameters *params,
2004 ExecRuntime *runtime,
29206d46 2005 DynamicCreds *dcreds,
00d9ef85 2006 int user_lookup_fd,
a34ceba6
LP		 2007 int socket_fd,
2008 int *fds, unsigned n_fds) {
2009
2010 unsigned n_dont_close = 0;
00d9ef85 2011 int dont_close[n_fds + 12];
a34ceba6
LP		 2012
2013 assert(params);
2014
2015 if (params->stdin_fd >= 0)
2016 dont_close[n_dont_close++] = params->stdin_fd;
2017 if (params->stdout_fd >= 0)
2018 dont_close[n_dont_close++] = params->stdout_fd;
2019 if (params->stderr_fd >= 0)
2020 dont_close[n_dont_close++] = params->stderr_fd;
2021
2022 if (socket_fd >= 0)
2023 dont_close[n_dont_close++] = socket_fd;
2024 if (n_fds > 0) {
2025 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
2026 n_dont_close += n_fds;
2027 }
2028
29206d46
LP		 2029 if (runtime)
2030 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
2031
2032 if (dcreds) {
2033 if (dcreds->user)
2034 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
2035 if (dcreds->group)
2036 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
a34ceba6
LP		 2037 }
2038
00d9ef85
LP		 2039 if (user_lookup_fd >= 0)
2040 dont_close[n_dont_close++] = user_lookup_fd;
2041
a34ceba6
LP		 2042 return close_all_fds(dont_close, n_dont_close);
2043}
2044
59eeb84b
LP		 2045static bool context_has_address_families(const ExecContext *c) {
2046 assert(c);
2047
2048 return c->address_families_whitelist ||
2049 !set_isempty(c->address_families);
2050}
2051
2052static bool context_has_syscall_filters(const ExecContext *c) {
2053 assert(c);
2054
2055 return c->syscall_whitelist ||
2056 !set_isempty(c->syscall_filter) ||
2057 !set_isempty(c->syscall_archs);
2058}
2059
2060static bool context_has_no_new_privileges(const ExecContext *c) {
2061 assert(c);
2062
2063 if (c->no_new_privileges)
2064 return true;
2065
2066 if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
2067 return false;
2068
2069 return context_has_address_families(c) || /* we need NNP if we have any form of seccomp and are unprivileged */
2070 c->memory_deny_write_execute ||
2071 c->restrict_realtime ||
2072 c->protect_kernel_tunables ||
2073 context_has_syscall_filters(c);
2074}
2075
00d9ef85
LP		 2076static int send_user_lookup(
2077 Unit *unit,
2078 int user_lookup_fd,
2079 uid_t uid,
2080 gid_t gid) {
2081
2082 assert(unit);
2083
2084 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
2085 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
2086 * specified. */
2087
2088 if (user_lookup_fd < 0)
2089 return 0;
2090
2091 if (!uid_is_valid(uid) && !gid_is_valid(gid))
2092 return 0;
2093
2094 if (writev(user_lookup_fd,
2095 (struct iovec[]) {
2096 { .iov_base = &uid, .iov_len = sizeof(uid) },
2097 { .iov_base = &gid, .iov_len = sizeof(gid) },
2098 { .iov_base = unit->id, .iov_len = strlen(unit->id) }}, 3) < 0)
2099 return -errno;
2100
2101 return 0;
2102}
2103
ff0af2a1 2104static int exec_child(
f2341e0a 2105 Unit *unit,
ff0af2a1
LP		 2106 ExecCommand *command,
2107 const ExecContext *context,
2108 const ExecParameters *params,
2109 ExecRuntime *runtime,
29206d46 2110 DynamicCreds *dcreds,
ff0af2a1
LP		 2111 char **argv,
2112 int socket_fd,
2113 int *fds, unsigned n_fds,
2114 char **files_env,
00d9ef85 2115 int user_lookup_fd,
ff0af2a1 2116 int *exit_status) {
d35fbf6b 2117
2065ca69 2118 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **final_argv = NULL;
9008e1ac 2119 _cleanup_free_ char *mac_selinux_context_net = NULL;
5f5d8eab 2120 const char *username = NULL, *home = NULL, *shell = NULL, *wd;
7bce046b
LP		 2121 dev_t journal_stream_dev = 0;
2122 ino_t journal_stream_ino = 0;
2123 bool needs_mount_namespace;
fed1e721
LP		 2124 uid_t uid = UID_INVALID;
2125 gid_t gid = GID_INVALID;
ff0af2a1 2126 int i, r;
034c6ed7 2127
f2341e0a 2128 assert(unit);
5cb5a6ff
LP		 2129 assert(command);
2130 assert(context);
d35fbf6b 2131 assert(params);
ff0af2a1 2132 assert(exit_status);
d35fbf6b
DM		 2133
2134 rename_process_from_path(command->path);
2135
2136 /* We reset exactly these signals, since they are the
2137 * only ones we set to SIG_IGN in the main daemon. All
2138 * others we leave untouched because we set them to
2139 * SIG_DFL or a valid handler initially, both of which
2140 * will be demoted to SIG_DFL. */
ce30c8dc
LP		 2141 (void) default_signals(SIGNALS_CRASH_HANDLER,
2142 SIGNALS_IGNORE, -1);
d35fbf6b
DM		 2143
2144 if (context->ignore_sigpipe)
ce30c8dc 2145 (void) ignore_signals(SIGPIPE, -1);
d35fbf6b 2146
ff0af2a1
LP		 2147 r = reset_signal_mask();
2148 if (r < 0) {
2149 *exit_status = EXIT_SIGNAL_MASK;
2150 return r;
d35fbf6b 2151 }
034c6ed7 2152
d35fbf6b
DM		 2153 if (params->idle_pipe)
2154 do_idle_pipe_dance(params->idle_pipe);
4f2d528d 2155
d35fbf6b
DM		 2156 /* Close sockets very early to make sure we don't
2157 * block init reexecution because it cannot bind its
2158 * sockets */
ff0af2a1 2159
d35fbf6b 2160 log_forget_fds();
4f2d528d 2161
00d9ef85 2162 r = close_remaining_fds(params, runtime, dcreds, user_lookup_fd, socket_fd, fds, n_fds);
ff0af2a1
LP		 2163 if (r < 0) {
2164 *exit_status = EXIT_FDS;
2165 return r;
8c7be95e
LP		 2166 }
2167
d35fbf6b
DM		 2168 if (!context->same_pgrp)
2169 if (setsid() < 0) {
ff0af2a1 2170 *exit_status = EXIT_SETSID;
d35fbf6b
DM		 2171 return -errno;
2172 }
9e2f7c11 2173
1e22b5cd 2174 exec_context_tty_reset(context, params);
d35fbf6b 2175
c39f1ce2 2176 if (params->flags & EXEC_CONFIRM_SPAWN) {
d35fbf6b
DM		 2177 char response;
2178
ff0af2a1
LP		 2179 r = ask_for_confirmation(&response, argv);
2180 if (r == -ETIMEDOUT)
d35fbf6b 2181 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
ff0af2a1
LP		 2182 else if (r < 0)
2183 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-r));
d35fbf6b
DM		 2184 else if (response == 's') {
2185 write_confirm_message("Skipping execution.\n");
ff0af2a1 2186 *exit_status = EXIT_CONFIRM;
d35fbf6b
DM		 2187 return -ECANCELED;
2188 } else if (response == 'n') {
2189 write_confirm_message("Failing execution.\n");
ff0af2a1 2190 *exit_status = 0;
d35fbf6b
DM		 2191 return 0;
2192 }
2193 }
1a63a750 2194
29206d46
LP		 2195 if (context->dynamic_user && dcreds) {
2196
409093fe
LP		 2197 /* Make sure we bypass our own NSS module for any NSS checks */
2198 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
2199 *exit_status = EXIT_USER;
2200 return -errno;
2201 }
2202
29206d46 2203 r = dynamic_creds_realize(dcreds, &uid, &gid);
ff0af2a1
LP		 2204 if (r < 0) {
2205 *exit_status = EXIT_USER;
2206 return r;
524daa8c 2207 }
524daa8c 2208
92b25bca 2209 if (!uid_is_valid(uid) || !gid_is_valid(gid)) {
29206d46
LP		 2210 *exit_status = EXIT_USER;
2211 return -ESRCH;
2212 }
5bc7452b 2213
29206d46
LP		 2214 if (dcreds->user)
2215 username = dcreds->user->name;
2216
2217 } else {
2218 if (context->user) {
2219 username = context->user;
be39ccf3 2220 r = get_user_creds_clean(&username, &uid, &gid, &home, &shell);
29206d46
LP		 2221 if (r < 0) {
2222 *exit_status = EXIT_USER;
2223 return r;
2224 }
70493828 2225
629ff674 2226 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
be39ccf3 2227 * (i.e. are "/" or "/bin/nologin"). */
5bc7452b 2228 }
5bc7452b 2229
29206d46
LP		 2230 if (context->group) {
2231 const char *g = context->group;
2232
2233 r = get_group_creds(&g, &gid);
2234 if (r < 0) {
2235 *exit_status = EXIT_GROUP;
2236 return r;
2237 }
2238 }
2239 }
5bc7452b 2240
00d9ef85
LP		 2241 r = send_user_lookup(unit, user_lookup_fd, uid, gid);
2242 if (r < 0) {
2243 *exit_status = EXIT_USER;
2244 return r;
2245 }
2246
2247 user_lookup_fd = safe_close(user_lookup_fd);
2248
d35fbf6b
DM		 2249 /* If a socket is connected to STDIN/STDOUT/STDERR, we
2250 * must sure to drop O_NONBLOCK */
2251 if (socket_fd >= 0)
a34ceba6 2252 (void) fd_nonblock(socket_fd, false);
acbb0225 2253
a34ceba6 2254 r = setup_input(context, params, socket_fd);
ff0af2a1
LP		 2255 if (r < 0) {
2256 *exit_status = EXIT_STDIN;
2257 return r;
d35fbf6b 2258 }
034c6ed7 2259
7bce046b 2260 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 2261 if (r < 0) {
2262 *exit_status = EXIT_STDOUT;
2263 return r;
d35fbf6b
DM		 2264 }
2265
7bce046b 2266 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
ff0af2a1
LP		 2267 if (r < 0) {
2268 *exit_status = EXIT_STDERR;
2269 return r;
d35fbf6b
DM		 2270 }
2271
2272 if (params->cgroup_path) {
ff0af2a1
LP		 2273 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
2274 if (r < 0) {
2275 *exit_status = EXIT_CGROUP;
2276 return r;
309bff19 2277 }
d35fbf6b 2278 }
309bff19 2279
d35fbf6b 2280 if (context->oom_score_adjust_set) {
d5243d62 2281 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
f2b68789 2282
d5243d62
LP		 2283 /* When we can't make this change due to EPERM, then
2284 * let's silently skip over it. User namespaces
2285 * prohibit write access to this file, and we
2286 * shouldn't trip up over that. */
613b411c 2287
d5243d62 2288 sprintf(t, "%i", context->oom_score_adjust);
ad118bda 2289 r = write_string_file("/proc/self/oom_score_adj", t, 0);
6cb7fa17 2290 if (r == -EPERM || r == -EACCES) {
ff0af2a1 2291 log_open();
f2341e0a 2292 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
ff0af2a1
LP		 2293 log_close();
2294 } else if (r < 0) {
2295 *exit_status = EXIT_OOM_ADJUST;
d35fbf6b 2296 return -errno;
613b411c 2297 }
d35fbf6b
DM		 2298 }
2299
2300 if (context->nice_set)
2301 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
ff0af2a1 2302 *exit_status = EXIT_NICE;
d35fbf6b 2303 return -errno;
613b411c
LP		 2304 }
2305
d35fbf6b
DM		 2306 if (context->cpu_sched_set) {
2307 struct sched_param param = {
2308 .sched_priority = context->cpu_sched_priority,
2309 };
2310
ff0af2a1
LP		 2311 r = sched_setscheduler(0,
2312 context->cpu_sched_policy |
2313 (context->cpu_sched_reset_on_fork ?
2314 SCHED_RESET_ON_FORK : 0),
2315 &param);
2316 if (r < 0) {
2317 *exit_status = EXIT_SETSCHEDULER;
d35fbf6b 2318 return -errno;
fc9b2a84 2319 }
d35fbf6b 2320 }
fc9b2a84 2321
d35fbf6b
DM		 2322 if (context->cpuset)
2323 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
ff0af2a1 2324 *exit_status = EXIT_CPUAFFINITY;
d35fbf6b 2325 return -errno;
034c6ed7
LP		 2326 }
2327
d35fbf6b
DM		 2328 if (context->ioprio_set)
2329 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
ff0af2a1 2330 *exit_status = EXIT_IOPRIO;
d35fbf6b
DM		 2331 return -errno;
2332 }
da726a4d 2333
d35fbf6b
DM		 2334 if (context->timer_slack_nsec != NSEC_INFINITY)
2335 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
ff0af2a1 2336 *exit_status = EXIT_TIMERSLACK;
d35fbf6b 2337 return -errno;
4c2630eb 2338 }
9eba9da4 2339
050f7277 2340 if (context->personality != PERSONALITY_INVALID)
d35fbf6b 2341 if (personality(context->personality) < 0) {
ff0af2a1 2342 *exit_status = EXIT_PERSONALITY;
d35fbf6b 2343 return -errno;
4c2630eb 2344 }
94f04347 2345
d35fbf6b 2346 if (context->utmp_id)
023a4f67
LP		 2347 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path,
2348 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
2349 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
2350 USER_PROCESS,
2351 username ? "root" : context->user);
d35fbf6b 2352
524daa8c 2353 if (context->user && is_terminal_input(context->std_input)) {
ff0af2a1
LP		 2354 r = chown_terminal(STDIN_FILENO, uid);
2355 if (r < 0) {
2356 *exit_status = EXIT_STDIN;
2357 return r;
071830ff 2358 }
d35fbf6b 2359 }
8e274523 2360
a931ad47
LP		 2361 /* If delegation is enabled we'll pass ownership of the cgroup
2362 * (but only in systemd's own controller hierarchy!) to the
2363 * user of the new process. */
2364 if (params->cgroup_path && context->user && params->cgroup_delegate) {
ff0af2a1
LP		 2365 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
2366 if (r < 0) {
2367 *exit_status = EXIT_CGROUP;
2368 return r;
d35fbf6b 2369 }
034c6ed7 2370
034c6ed7 2371
ff0af2a1
LP		 2372 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
2373 if (r < 0) {
2374 *exit_status = EXIT_CGROUP;
2375 return r;
034c6ed7 2376 }
d35fbf6b 2377 }
034c6ed7 2378
d35fbf6b 2379 if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
07689d5d
LP		 2380 r = setup_runtime_directory(context, params, uid, gid);
2381 if (r < 0) {
2382 *exit_status = EXIT_RUNTIME_DIRECTORY;
2383 return r;
d35fbf6b
DM		 2384 }
2385 }
94f04347 2386
7bce046b 2387 r = build_environment(
fd63e712 2388 unit,
7bce046b
LP		 2389 context,
2390 params,
2391 n_fds,
2392 home,
2393 username,
2394 shell,
2395 journal_stream_dev,
2396 journal_stream_ino,
2397 &our_env);
2065ca69
JW		 2398 if (r < 0) {
2399 *exit_status = EXIT_MEMORY;
2400 return r;
2401 }
2402
2403 r = build_pass_environment(context, &pass_env);
2404 if (r < 0) {
2405 *exit_status = EXIT_MEMORY;
2406 return r;
2407 }
2408
2409 accum_env = strv_env_merge(5,
2410 params->environment,
2411 our_env,
2412 pass_env,
2413 context->environment,
2414 files_env,
2415 NULL);
2416 if (!accum_env) {
2417 *exit_status = EXIT_MEMORY;
2418 return -ENOMEM;
2419 }
1280503b 2420 accum_env = strv_env_clean(accum_env);
2065ca69 2421
096424d1 2422 (void) umask(context->umask);
b213e1c1 2423
c39f1ce2 2424 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
cefc33ae
LP		 2425 r = setup_smack(context, command);
2426 if (r < 0) {
2427 *exit_status = EXIT_SMACK_PROCESS_LABEL;
2428 return r;
6bf6e43e 2429 }
6bf6e43e 2430
b213e1c1 2431 if (context->pam_name && username) {
2d6fce8d 2432 r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds);
b213e1c1
SW		 2433 if (r < 0) {
2434 *exit_status = EXIT_PAM;
2435 return r;
2436 }
d35fbf6b 2437 }
b213e1c1 2438 }
ac45f971 2439
d35fbf6b 2440 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
ff0af2a1
LP		 2441 r = setup_netns(runtime->netns_storage_socket);
2442 if (r < 0) {
2443 *exit_status = EXIT_NETWORK;
2444 return r;
d35fbf6b
DM		 2445 }
2446 }
169c1bda 2447
ee818b89 2448 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
ee818b89 2449 if (needs_mount_namespace) {
3fbe8dbe 2450 _cleanup_free_ char **rw = NULL;
d35fbf6b
DM		 2451 char *tmp = NULL, *var = NULL;
2452
2453 /* The runtime struct only contains the parent
2454 * of the private /tmp, which is
2455 * non-accessible to world users. Inside of it
2456 * there's a /tmp that is sticky, and that's
2457 * the one we want to use here. */
2458
2459 if (context->private_tmp && runtime) {
2460 if (runtime->tmp_dir)
63c372cb 2461 tmp = strjoina(runtime->tmp_dir, "/tmp");
d35fbf6b 2462 if (runtime->var_tmp_dir)
63c372cb 2463 var = strjoina(runtime->var_tmp_dir, "/tmp");
d35fbf6b 2464 }
d8b4e2e9 2465
3fbe8dbe
LP		 2466 r = compile_read_write_paths(context, params, &rw);
2467 if (r < 0) {
2468 *exit_status = EXIT_NAMESPACE;
2469 return r;
2470 }
2471
ff0af2a1 2472 r = setup_namespace(
c39f1ce2 2473 (params->flags & EXEC_APPLY_CHROOT) ? context->root_directory : NULL,
3fbe8dbe 2474 rw,
2a624c36
AP		 2475 context->read_only_paths,
2476 context->inaccessible_paths,
d35fbf6b
DM		 2477 tmp,
2478 var,
2479 context->private_devices,
59eeb84b
LP		 2480 context->protect_kernel_tunables,
2481 context->protect_control_groups,
d35fbf6b
DM		 2482 context->protect_home,
2483 context->protect_system,
2484 context->mount_flags);
0015ebf3 2485
ff0af2a1
LP		 2486 /* If we couldn't set up the namespace this is
2487 * probably due to a missing capability. In this case,
2488 * silently proceeed. */
2489 if (r == -EPERM || r == -EACCES) {
2490 log_open();
f2341e0a 2491 log_unit_debug_errno(unit, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
ff0af2a1
LP		 2492 log_close();
2493 } else if (r < 0) {
2494 *exit_status = EXIT_NAMESPACE;
2495 return r;
81a2b7ce 2496 }
d35fbf6b 2497 }
81a2b7ce 2498
096424d1
LP		 2499 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
2500 r = enforce_groups(context, username, gid);
2501 if (r < 0) {
2502 *exit_status = EXIT_GROUP;
2503 return r;
2504 }
2505 }
2506
5f5d8eab
LP		 2507 if (context->working_directory_home)
2508 wd = home;
2509 else if (context->working_directory)
2510 wd = context->working_directory;
2511 else
2512 wd = "/";
2513
c39f1ce2 2514 if (params->flags & EXEC_APPLY_CHROOT) {
ee818b89 2515 if (!needs_mount_namespace && context->root_directory)
d35fbf6b 2516 if (chroot(context->root_directory) < 0) {
ff0af2a1 2517 *exit_status = EXIT_CHROOT;
d35fbf6b 2518 return -errno;
8aa75193
LP		 2519 }
2520
5f5d8eab 2521 if (chdir(wd) < 0 &&
4c08c824 2522 !context->working_directory_missing_ok) {
ff0af2a1 2523 *exit_status = EXIT_CHDIR;
d35fbf6b
DM		 2524 return -errno;
2525 }
2526 } else {
5f5d8eab 2527 const char *d;
8aa75193 2528
5f5d8eab 2529 d = strjoina(strempty(context->root_directory), "/", strempty(wd));
cf1d0302
LP		 2530 if (chdir(d) < 0 &&
2531 !context->working_directory_missing_ok) {
ff0af2a1 2532 *exit_status = EXIT_CHDIR;
d35fbf6b
DM		 2533 return -errno;
2534 }
2535 }
e66cf1a3 2536
9008e1ac 2537#ifdef HAVE_SELINUX
c39f1ce2
LP		 2538 if ((params->flags & EXEC_APPLY_PERMISSIONS) &&
2539 mac_selinux_use() &&
2540 params->selinux_context_net &&
2541 socket_fd >= 0 &&
2542 !command->privileged) {
2543
ff0af2a1
LP		 2544 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
2545 if (r < 0) {
2546 *exit_status = EXIT_SELINUX_CONTEXT;
2547 return r;
9008e1ac
MS		 2548 }
2549 }
2550#endif
2551
d87a2ef7 2552 if ((params->flags & EXEC_APPLY_PERMISSIONS) && context->private_users) {
d251207d
LP		 2553 r = setup_private_users(uid, gid);
2554 if (r < 0) {
2555 *exit_status = EXIT_USER;
2556 return r;
2557 }
2558 }
2559
d35fbf6b
DM		 2560 /* We repeat the fd closing here, to make sure that
2561 * nothing is leaked from the PAM modules. Note that
2562 * we are more aggressive this time since socket_fd
e44da745
DM		 2563 * and the netns fds we don't need anymore. The custom
2564 * endpoint fd was needed to upload the policy and can
2565 * now be closed as well. */
ff0af2a1
LP		 2566 r = close_all_fds(fds, n_fds);
2567 if (r >= 0)
2568 r = shift_fds(fds, n_fds);
2569 if (r >= 0)
2570 r = flags_fds(fds, n_fds, context->non_blocking);
2571 if (r < 0) {
2572 *exit_status = EXIT_FDS;
2573 return r;
d35fbf6b 2574 }
e66cf1a3 2575
c39f1ce2 2576 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
e66cf1a3 2577
755d4b67
IP		 2578 int secure_bits = context->secure_bits;
2579
d35fbf6b 2580 for (i = 0; i < _RLIMIT_MAX; i++) {
03857c43 2581
d35fbf6b
DM		 2582 if (!context->rlimit[i])
2583 continue;
2584
03857c43
LP		 2585 r = setrlimit_closest(i, context->rlimit[i]);
2586 if (r < 0) {
ff0af2a1 2587 *exit_status = EXIT_LIMITS;
03857c43 2588 return r;
e66cf1a3
LP		 2589 }
2590 }
2591
f4170c67
LP		 2592 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */
2593 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
2594 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
2595 *exit_status = EXIT_LIMITS;
2596 return -errno;
2597 }
2598 }
2599
a103496c
IP		 2600 if (!cap_test_all(context->capability_bounding_set)) {
2601 r = capability_bounding_set_drop(context->capability_bounding_set, false);
ff0af2a1
LP		 2602 if (r < 0) {
2603 *exit_status = EXIT_CAPABILITIES;
2604 return r;
3b8bddde 2605 }
4c2630eb 2606 }
3b8bddde 2607
755d4b67
IP		 2608 /* This is done before enforce_user, but ambient set
2609 * does not survive over setresuid() if keep_caps is not set. */
2610 if (context->capability_ambient_set != 0) {
2611 r = capability_ambient_set_apply(context->capability_ambient_set, true);
2612 if (r < 0) {
2613 *exit_status = EXIT_CAPABILITIES;
2614 return r;
2615 }
755d4b67
IP		 2616 }
2617
d35fbf6b 2618 if (context->user) {
ff0af2a1
LP		 2619 r = enforce_user(context, uid);
2620 if (r < 0) {
2621 *exit_status = EXIT_USER;
2622 return r;
5b6319dc 2623 }
755d4b67
IP		 2624 if (context->capability_ambient_set != 0) {
2625
2626 /* Fix the ambient capabilities after user change. */
2627 r = capability_ambient_set_apply(context->capability_ambient_set, false);
2628 if (r < 0) {
2629 *exit_status = EXIT_CAPABILITIES;
2630 return r;
2631 }
2632
2633 /* If we were asked to change user and ambient capabilities
2634 * were requested, we had to add keep-caps to the securebits
2635 * so that we would maintain the inherited capability set
2636 * through the setresuid(). Make sure that the bit is added
2637 * also to the context secure_bits so that we don't try to
2638 * drop the bit away next. */
2639
7f508f2c 2640 secure_bits |= 1<<SECURE_KEEP_CAPS;
755d4b67 2641 }
5b6319dc 2642 }
d35fbf6b
DM		 2643
2644 /* PR_GET_SECUREBITS is not privileged, while
2645 * PR_SET_SECUREBITS is. So to suppress
2646 * potential EPERMs we'll try not to call
2647 * PR_SET_SECUREBITS unless necessary. */
755d4b67
IP		 2648 if (prctl(PR_GET_SECUREBITS) != secure_bits)
2649 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
ff0af2a1 2650 *exit_status = EXIT_SECUREBITS;
d35fbf6b 2651 return -errno;
ff01d048 2652 }
5b6319dc 2653
59eeb84b 2654 if (context_has_no_new_privileges(context))
d35fbf6b 2655 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
ff0af2a1 2656 *exit_status = EXIT_NO_NEW_PRIVILEGES;
d35fbf6b
DM		 2657 return -errno;
2658 }
2659
2660#ifdef HAVE_SECCOMP
59eeb84b 2661 if (context_has_address_families(context)) {
83f12b27 2662 r = apply_address_families(unit, context);
ff0af2a1
LP		 2663 if (r < 0) {
2664 *exit_status = EXIT_ADDRESS_FAMILIES;
2665 return r;
4c2630eb
MS		 2666 }
2667 }
04aa0cb9 2668
f3e43635 2669 if (context->memory_deny_write_execute) {
83f12b27 2670 r = apply_memory_deny_write_execute(unit, context);
f3e43635
TM		 2671 if (r < 0) {
2672 *exit_status = EXIT_SECCOMP;
2673 return r;
2674 }
2675 }
f4170c67
LP		 2676
2677 if (context->restrict_realtime) {
83f12b27 2678 r = apply_restrict_realtime(unit, context);
f4170c67
LP		 2679 if (r < 0) {
2680 *exit_status = EXIT_SECCOMP;
2681 return r;
2682 }
2683 }
2684
59eeb84b
LP		 2685 if (context->protect_kernel_tunables) {
2686 r = apply_protect_sysctl(unit, context);
2687 if (r < 0) {
2688 *exit_status = EXIT_SECCOMP;
2689 return r;
2690 }
2691 }
2692
ba128bb8
LP		 2693 if (context->private_devices) {
2694 r = apply_private_devices(unit, context);
2695 if (r < 0) {
2696 *exit_status = EXIT_SECCOMP;
2697 return r;
2698 }
2699 }
2700
59eeb84b 2701 if (context_has_syscall_filters(context)) {
83f12b27 2702 r = apply_seccomp(unit, context);
ff0af2a1
LP		 2703 if (r < 0) {
2704 *exit_status = EXIT_SECCOMP;
2705 return r;
81a2b7ce 2706 }
d35fbf6b
DM		 2707 }
2708#endif
81a2b7ce 2709
d35fbf6b 2710#ifdef HAVE_SELINUX
6baa7db0 2711 if (mac_selinux_use()) {
9008e1ac 2712 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
16115b0a 2713
9008e1ac 2714 if (exec_context) {
ff0af2a1
LP		 2715 r = setexeccon(exec_context);
2716 if (r < 0) {
2717 *exit_status = EXIT_SELINUX_CONTEXT;
2718 return r;
16115b0a 2719 }
81a2b7ce 2720 }
81a2b7ce 2721 }
d35fbf6b 2722#endif
81a2b7ce 2723
d35fbf6b 2724#ifdef HAVE_APPARMOR
6baa7db0 2725 if (context->apparmor_profile && mac_apparmor_use()) {
ff0af2a1
LP		 2726 r = aa_change_onexec(context->apparmor_profile);
2727 if (r < 0 && !context->apparmor_profile_ignore) {
2728 *exit_status = EXIT_APPARMOR_PROFILE;
5482192e 2729 return -errno;
d35fbf6b 2730 }
034c6ed7 2731 }
d35fbf6b
DM		 2732#endif
2733 }
034c6ed7 2734
2065ca69 2735 final_argv = replace_env_argv(argv, accum_env);
d35fbf6b 2736 if (!final_argv) {
ff0af2a1 2737 *exit_status = EXIT_MEMORY;
d35fbf6b
DM		 2738 return -ENOMEM;
2739 }
034c6ed7 2740
553d2243 2741 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
d35fbf6b 2742 _cleanup_free_ char *line;
81a2b7ce 2743
d35fbf6b
DM		 2744 line = exec_command_line(final_argv);
2745 if (line) {
2746 log_open();
f2341e0a
LP		 2747 log_struct(LOG_DEBUG,
2748 LOG_UNIT_ID(unit),
2749 "EXECUTABLE=%s", command->path,
2750 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
2751 NULL);
d35fbf6b
DM		 2752 log_close();
2753 }
2754 }
dd305ec9 2755
2065ca69 2756 execve(command->path, final_argv, accum_env);
ff0af2a1 2757 *exit_status = EXIT_EXEC;
d35fbf6b
DM		 2758 return -errno;
2759}
81a2b7ce 2760
f2341e0a
LP		 2761int exec_spawn(Unit *unit,
2762 ExecCommand *command,
d35fbf6b
DM		 2763 const ExecContext *context,
2764 const ExecParameters *params,
2765 ExecRuntime *runtime,
29206d46 2766 DynamicCreds *dcreds,
d35fbf6b 2767 pid_t *ret) {
8351ceae 2768
d35fbf6b
DM		 2769 _cleanup_strv_free_ char **files_env = NULL;
2770 int *fds = NULL; unsigned n_fds = 0;
ff0af2a1
LP		 2771 _cleanup_free_ char *line = NULL;
2772 int socket_fd, r;
2773 char **argv;
d35fbf6b 2774 pid_t pid;
8351ceae 2775
f2341e0a 2776 assert(unit);
d35fbf6b
DM		 2777 assert(command);
2778 assert(context);
2779 assert(ret);
2780 assert(params);
2781 assert(params->fds || params->n_fds <= 0);
4298d0b5 2782
d35fbf6b
DM		 2783 if (context->std_input == EXEC_INPUT_SOCKET ||
2784 context->std_output == EXEC_OUTPUT_SOCKET ||
2785 context->std_error == EXEC_OUTPUT_SOCKET) {
17df7223 2786
ff0af2a1 2787 if (params->n_fds != 1) {
f2341e0a 2788 log_unit_error(unit, "Got more than one socket.");
d35fbf6b 2789 return -EINVAL;
ff0af2a1 2790 }
eef65bf3 2791
d35fbf6b
DM		 2792 socket_fd = params->fds[0];
2793 } else {
2794 socket_fd = -1;
2795 fds = params->fds;
2796 n_fds = params->n_fds;
2797 }
94f04347 2798
f2341e0a 2799 r = exec_context_load_environment(unit, context, &files_env);
ff0af2a1 2800 if (r < 0)
f2341e0a 2801 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
034c6ed7 2802
d35fbf6b 2803 argv = params->argv ?: command->argv;
d35fbf6b
DM		 2804 line = exec_command_line(argv);
2805 if (!line)
2806 return log_oom();
fab56fc5 2807
f2341e0a
LP		 2808 log_struct(LOG_DEBUG,
2809 LOG_UNIT_ID(unit),
2810 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
2811 "EXECUTABLE=%s", command->path,
2812 NULL);
d35fbf6b
DM		 2813 pid = fork();
2814 if (pid < 0)
74129a12 2815 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
d35fbf6b
DM		 2816
2817 if (pid == 0) {
ff0af2a1
LP		 2818 int exit_status;
2819
f2341e0a
LP		 2820 r = exec_child(unit,
2821 command,
ff0af2a1
LP		 2822 context,
2823 params,
2824 runtime,
29206d46 2825 dcreds,
ff0af2a1
LP		 2826 argv,
2827 socket_fd,
2828 fds, n_fds,
2829 files_env,
00d9ef85 2830 unit->manager->user_lookup_fds[1],
ff0af2a1
LP		 2831 &exit_status);
2832 if (r < 0) {
4c2630eb 2833 log_open();
f2341e0a
LP		 2834 log_struct_errno(LOG_ERR, r,
2835 LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
2836 LOG_UNIT_ID(unit),
2837 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
2838 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
2839 command->path),
2840 "EXECUTABLE=%s", command->path,
2841 NULL);
4c2630eb
MS		 2842 }
2843
ff0af2a1 2844 _exit(exit_status);
034c6ed7
LP		 2845 }
2846
f2341e0a 2847 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
23635a85 2848
80876c20
LP		 2849 /* We add the new process to the cgroup both in the child (so
2850 * that we can be sure that no user code is ever executed
2851 * outside of the cgroup) and in the parent (so that we can be
2852 * sure that when we kill the cgroup the process will be
2853 * killed too). */
d35fbf6b 2854 if (params->cgroup_path)
dd305ec9 2855 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
2da3263a 2856
b58b4116 2857 exec_status_start(&command->exec_status, pid);
9fb86720 2858
034c6ed7 2859 *ret = pid;
5cb5a6ff
LP		 2860 return 0;
2861}
2862
034c6ed7
LP		 2863void exec_context_init(ExecContext *c) {
2864 assert(c);
2865
4c12626c 2866 c->umask = 0022;
9eba9da4 2867 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
94f04347 2868 c->cpu_sched_policy = SCHED_OTHER;
071830ff 2869 c->syslog_priority = LOG_DAEMON|LOG_INFO;
74922904 2870 c->syslog_level_prefix = true;
353e12c2 2871 c->ignore_sigpipe = true;
3a43da28 2872 c->timer_slack_nsec = NSEC_INFINITY;
050f7277 2873 c->personality = PERSONALITY_INVALID;
e66cf1a3 2874 c->runtime_directory_mode = 0755;
a103496c 2875 c->capability_bounding_set = CAP_ALL;
034c6ed7
LP		 2876}
2877
613b411c 2878void exec_context_done(ExecContext *c) {
5cb5a6ff
LP		 2879 unsigned l;
2880
2881 assert(c);
2882
6796073e
LP		 2883 c->environment = strv_free(c->environment);
2884 c->environment_files = strv_free(c->environment_files);
b4c14404 2885 c->pass_environment = strv_free(c->pass_environment);
8c7be95e 2886
1f6b4113 2887 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
a1e58e8e 2888 c->rlimit[l] = mfree(c->rlimit[l]);
034c6ed7 2889
a1e58e8e
LP		 2890 c->working_directory = mfree(c->working_directory);
2891 c->root_directory = mfree(c->root_directory);
2892 c->tty_path = mfree(c->tty_path);
2893 c->syslog_identifier = mfree(c->syslog_identifier);
2894 c->user = mfree(c->user);
2895 c->group = mfree(c->group);
034c6ed7 2896
6796073e 2897 c->supplementary_groups = strv_free(c->supplementary_groups);
94f04347 2898
a1e58e8e 2899 c->pam_name = mfree(c->pam_name);
5b6319dc 2900
2a624c36
AP		 2901 c->read_only_paths = strv_free(c->read_only_paths);
2902 c->read_write_paths = strv_free(c->read_write_paths);
2903 c->inaccessible_paths = strv_free(c->inaccessible_paths);
82c121a4
LP		 2904
2905 if (c->cpuset)
2906 CPU_FREE(c->cpuset);
86a3475b 2907
a1e58e8e
LP		 2908 c->utmp_id = mfree(c->utmp_id);
2909 c->selinux_context = mfree(c->selinux_context);
2910 c->apparmor_profile = mfree(c->apparmor_profile);
eef65bf3 2911
525d3cc7
LP		 2912 c->syscall_filter = set_free(c->syscall_filter);
2913 c->syscall_archs = set_free(c->syscall_archs);
2914 c->address_families = set_free(c->address_families);
e66cf1a3 2915
6796073e 2916 c->runtime_directory = strv_free(c->runtime_directory);
e66cf1a3
LP		 2917}
2918
2919int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
2920 char **i;
2921
2922 assert(c);
2923
2924 if (!runtime_prefix)
2925 return 0;
2926
2927 STRV_FOREACH(i, c->runtime_directory) {
2928 _cleanup_free_ char *p;
2929
2930 p = strjoin(runtime_prefix, "/", *i, NULL);
2931 if (!p)
2932 return -ENOMEM;
2933
2934 /* We execute this synchronously, since we need to be
2935 * sure this is gone when we start the service
2936 * next. */
c6878637 2937 (void) rm_rf(p, REMOVE_ROOT);
e66cf1a3
LP		 2938 }
2939
2940 return 0;
5cb5a6ff
LP		 2941}
2942
43d0fcbd
LP		 2943void exec_command_done(ExecCommand *c) {
2944 assert(c);
2945
a1e58e8e 2946 c->path = mfree(c->path);
43d0fcbd 2947
6796073e 2948 c->argv = strv_free(c->argv);
43d0fcbd
LP		 2949}
2950
2951void exec_command_done_array(ExecCommand *c, unsigned n) {
2952 unsigned i;
2953
2954 for (i = 0; i < n; i++)
2955 exec_command_done(c+i);
2956}
2957
f1acf85a 2958ExecCommand* exec_command_free_list(ExecCommand *c) {
5cb5a6ff
LP		 2959 ExecCommand *i;
2960
2961 while ((i = c)) {
71fda00f 2962 LIST_REMOVE(command, c, i);
43d0fcbd 2963 exec_command_done(i);
5cb5a6ff
LP		 2964 free(i);
2965 }
f1acf85a
ZJS		 2966
2967 return NULL;
5cb5a6ff
LP		 2968}
2969
034c6ed7
LP		 2970void exec_command_free_array(ExecCommand **c, unsigned n) {
2971 unsigned i;
2972
f1acf85a
ZJS		 2973 for (i = 0; i < n; i++)
2974 c[i] = exec_command_free_list(c[i]);
034c6ed7
LP		 2975}
2976
039f0e70 2977typedef struct InvalidEnvInfo {
f2341e0a 2978 Unit *unit;
039f0e70
LP		 2979 const char *path;
2980} InvalidEnvInfo;
2981
2982static void invalid_env(const char *p, void *userdata) {
2983 InvalidEnvInfo *info = userdata;
2984
f2341e0a 2985 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
039f0e70
LP		 2986}
2987
f2341e0a 2988int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
8c7be95e
LP		 2989 char **i, **r = NULL;
2990
2991 assert(c);
2992 assert(l);
2993
2994 STRV_FOREACH(i, c->environment_files) {
2995 char *fn;
2996 int k;
2997 bool ignore = false;
2998 char **p;
7fd1b19b 2999 _cleanup_globfree_ glob_t pglob = {};
2bef10ab 3000 int count, n;
8c7be95e
LP		 3001
3002 fn = *i;
3003
3004 if (fn[0] == '-') {
3005 ignore = true;
313cefa1 3006 fn++;
8c7be95e
LP		 3007 }
3008
3009 if (!path_is_absolute(fn)) {
8c7be95e
LP		 3010 if (ignore)
3011 continue;
3012
3013 strv_free(r);
3014 return -EINVAL;
3015 }
3016
2bef10ab 3017 /* Filename supports globbing, take all matching files */
2bef10ab
PL		 3018 errno = 0;
3019 if (glob(fn, 0, NULL, &pglob) != 0) {
2bef10ab
PL		 3020 if (ignore)
3021 continue;
8c7be95e 3022
2bef10ab 3023 strv_free(r);
f5e5c28f 3024 return errno > 0 ? -errno : -EINVAL;
2bef10ab
PL		 3025 }
3026 count = pglob.gl_pathc;
3027 if (count == 0) {
8c7be95e
LP		 3028 if (ignore)
3029 continue;
3030
3031 strv_free(r);
2bef10ab 3032 return -EINVAL;
8c7be95e 3033 }
2bef10ab 3034 for (n = 0; n < count; n++) {
717603e3 3035 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
2bef10ab
PL		 3036 if (k < 0) {
3037 if (ignore)
3038 continue;
8c7be95e 3039
2bef10ab 3040 strv_free(r);
2bef10ab 3041 return k;
e9c1ea9d 3042 }
ebc05a09 3043 /* Log invalid environment variables with filename */
039f0e70
LP		 3044 if (p) {
3045 InvalidEnvInfo info = {
f2341e0a 3046 .unit = unit,
039f0e70
LP		 3047 .path = pglob.gl_pathv[n]
3048 };
3049
3050 p = strv_env_clean_with_callback(p, invalid_env, &info);
3051 }
8c7be95e 3052
2bef10ab
PL		 3053 if (r == NULL)
3054 r = p;
3055 else {
3056 char **m;
8c7be95e 3057
2bef10ab
PL		 3058 m = strv_env_merge(2, r, p);
3059 strv_free(r);
3060 strv_free(p);
c84a9488 3061 if (!m)
2bef10ab 3062 return -ENOMEM;
2bef10ab
PL		 3063
3064 r = m;
3065 }
8c7be95e
LP		 3066 }
3067 }
3068
3069 *l = r;
3070
3071 return 0;
3072}
3073
6ac8fdc9 3074static bool tty_may_match_dev_console(const char *tty) {
e1d75803 3075 _cleanup_free_ char *active = NULL;
7d6884b6 3076 char *console;
6ac8fdc9 3077
1e22b5cd
LP		 3078 if (!tty)
3079 return true;
3080
6ac8fdc9
MS		 3081 if (startswith(tty, "/dev/"))
3082 tty += 5;
3083
3084 /* trivial identity? */
3085 if (streq(tty, "console"))
3086 return true;
3087
3088 console = resolve_dev_console(&active);
3089 /* if we could not resolve, assume it may */
3090 if (!console)
3091 return true;
3092
3093 /* "tty0" means the active VC, so it may be the same sometimes */
e1d75803 3094 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
6ac8fdc9
MS		 3095}
3096
3097bool exec_context_may_touch_console(ExecContext *ec) {
1e22b5cd
LP		 3098
3099 return (ec->tty_reset ||
3100 ec->tty_vhangup ||
3101 ec->tty_vt_disallocate ||
6ac8fdc9
MS		 3102 is_terminal_input(ec->std_input) ||
3103 is_terminal_output(ec->std_output) ||
3104 is_terminal_output(ec->std_error)) &&
1e22b5cd 3105 tty_may_match_dev_console(exec_context_tty_path(ec));
6ac8fdc9
MS		 3106}
3107
15ae422b
LP		 3108static void strv_fprintf(FILE *f, char **l) {
3109 char **g;
3110
3111 assert(f);
3112
3113 STRV_FOREACH(g, l)
3114 fprintf(f, " %s", *g);
3115}
3116
5cb5a6ff 3117void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
c2bbd90b 3118 char **e, **d;
94f04347 3119 unsigned i;
9eba9da4 3120
5cb5a6ff
LP		 3121 assert(c);
3122 assert(f);
3123
4ad49000 3124 prefix = strempty(prefix);
5cb5a6ff
LP		 3125
3126 fprintf(f,
94f04347
LP		 3127 "%sUMask: %04o\n"
3128 "%sWorkingDirectory: %s\n"
451a074f 3129 "%sRootDirectory: %s\n"
15ae422b 3130 "%sNonBlocking: %s\n"
64747e2d 3131 "%sPrivateTmp: %s\n"
7f112f50 3132 "%sPrivateDevices: %s\n"
59eeb84b
LP		 3133 "%sProtectKernelTunables: %s\n"
3134 "%sProtectControlGroups: %s\n"
d251207d
LP		 3135 "%sPrivateNetwork: %s\n"
3136 "%sPrivateUsers: %s\n"
1b8689f9
LP		 3137 "%sProtectHome: %s\n"
3138 "%sProtectSystem: %s\n"
f3e43635 3139 "%sIgnoreSIGPIPE: %s\n"
f4170c67
LP		 3140 "%sMemoryDenyWriteExecute: %s\n"
3141 "%sRestrictRealtime: %s\n",
5cb5a6ff 3142 prefix, c->umask,
9eba9da4 3143 prefix, c->working_directory ? c->working_directory : "/",
451a074f 3144 prefix, c->root_directory ? c->root_directory : "/",
15ae422b 3145 prefix, yes_no(c->non_blocking),
64747e2d 3146 prefix, yes_no(c->private_tmp),
7f112f50 3147 prefix, yes_no(c->private_devices),
59eeb84b
LP		 3148 prefix, yes_no(c->protect_kernel_tunables),
3149 prefix, yes_no(c->protect_control_groups),
d251207d
LP		 3150 prefix, yes_no(c->private_network),
3151 prefix, yes_no(c->private_users),
1b8689f9
LP		 3152 prefix, protect_home_to_string(c->protect_home),
3153 prefix, protect_system_to_string(c->protect_system),
f3e43635 3154 prefix, yes_no(c->ignore_sigpipe),
f4170c67
LP		 3155 prefix, yes_no(c->memory_deny_write_execute),
3156 prefix, yes_no(c->restrict_realtime));
fb33a393 3157
8c7be95e
LP		 3158 STRV_FOREACH(e, c->environment)
3159 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
3160
3161 STRV_FOREACH(e, c->environment_files)
3162 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
94f04347 3163
b4c14404
FB		 3164 STRV_FOREACH(e, c->pass_environment)
3165 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
3166
c2bbd90b
EV		 3167 fprintf(f, "%sRuntimeDirectoryMode: %04o\n", prefix, c->runtime_directory_mode);
3168
3169 STRV_FOREACH(d, c->runtime_directory)
3170 fprintf(f, "%sRuntimeDirectory: %s\n", prefix, *d);
3171
fb33a393
LP		 3172 if (c->nice_set)
3173 fprintf(f,
3174 "%sNice: %i\n",
3175 prefix, c->nice);
3176
dd6c17b1 3177 if (c->oom_score_adjust_set)
fb33a393 3178 fprintf(f,
dd6c17b1
LP		 3179 "%sOOMScoreAdjust: %i\n",
3180 prefix, c->oom_score_adjust);
9eba9da4 3181
94f04347 3182 for (i = 0; i < RLIM_NLIMITS; i++)
3c11da9d
EV		 3183 if (c->rlimit[i]) {
3184 fprintf(f, "%s%s: " RLIM_FMT "\n",
3185 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
3186 fprintf(f, "%s%sSoft: " RLIM_FMT "\n",
3187 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
3188 }
94f04347 3189
f8b69d1d 3190 if (c->ioprio_set) {
1756a011 3191 _cleanup_free_ char *class_str = NULL;
f8b69d1d 3192
1756a011 3193 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
9eba9da4
LP		 3194 fprintf(f,
3195 "%sIOSchedulingClass: %s\n"
3196 "%sIOPriority: %i\n",
f8b69d1d 3197 prefix, strna(class_str),
9eba9da4 3198 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
f8b69d1d 3199 }
94f04347 3200
f8b69d1d 3201 if (c->cpu_sched_set) {
1756a011 3202 _cleanup_free_ char *policy_str = NULL;
f8b69d1d 3203
1756a011 3204 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
94f04347
LP		 3205 fprintf(f,
3206 "%sCPUSchedulingPolicy: %s\n"
38b48754
LP		 3207 "%sCPUSchedulingPriority: %i\n"
3208 "%sCPUSchedulingResetOnFork: %s\n",
f8b69d1d 3209 prefix, strna(policy_str),
38b48754
LP		 3210 prefix, c->cpu_sched_priority,
3211 prefix, yes_no(c->cpu_sched_reset_on_fork));
b929bf04 3212 }
94f04347 3213
82c121a4 3214 if (c->cpuset) {
94f04347 3215 fprintf(f, "%sCPUAffinity:", prefix);
82c121a4
LP		 3216 for (i = 0; i < c->cpuset_ncpus; i++)
3217 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
43a99a7a 3218 fprintf(f, " %u", i);
94f04347
LP		 3219 fputs("\n", f);
3220 }
3221
3a43da28 3222 if (c->timer_slack_nsec != NSEC_INFINITY)
ccd06097 3223 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
94f04347
LP		 3224
3225 fprintf(f,
80876c20
LP		 3226 "%sStandardInput: %s\n"
3227 "%sStandardOutput: %s\n"
3228 "%sStandardError: %s\n",
3229 prefix, exec_input_to_string(c->std_input),
3230 prefix, exec_output_to_string(c->std_output),
3231 prefix, exec_output_to_string(c->std_error));
3232
3233 if (c->tty_path)
3234 fprintf(f,
6ea832a2
LP		 3235 "%sTTYPath: %s\n"
3236 "%sTTYReset: %s\n"
3237 "%sTTYVHangup: %s\n"
3238 "%sTTYVTDisallocate: %s\n",
3239 prefix, c->tty_path,
3240 prefix, yes_no(c->tty_reset),
3241 prefix, yes_no(c->tty_vhangup),
3242 prefix, yes_no(c->tty_vt_disallocate));
94f04347 3243
5ce70e5b
ZJS		 3244 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
3245 c->std_output == EXEC_OUTPUT_KMSG ||
3246 c->std_output == EXEC_OUTPUT_JOURNAL ||
3247 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3248 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3249 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
3250 c->std_error == EXEC_OUTPUT_SYSLOG ||
3251 c->std_error == EXEC_OUTPUT_KMSG ||
3252 c->std_error == EXEC_OUTPUT_JOURNAL ||
3253 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3254 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3255 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
f8b69d1d 3256
5ce70e5b 3257 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
f8b69d1d 3258
5ce70e5b
ZJS		 3259 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
3260 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
f8b69d1d 3261
94f04347
LP		 3262 fprintf(f,
3263 "%sSyslogFacility: %s\n"
3264 "%sSyslogLevel: %s\n",
f8b69d1d
MS		 3265 prefix, strna(fac_str),
3266 prefix, strna(lvl_str));
f8b69d1d 3267 }
94f04347 3268
94f04347
LP		 3269 if (c->secure_bits)
3270 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
3271 prefix,
cbb21cca
ZJS		 3272 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
3273 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
3274 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
3275 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
3276 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
3277 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
94f04347 3278
a103496c 3279 if (c->capability_bounding_set != CAP_ALL) {
ae556c21 3280 unsigned long l;
260abb78 3281 fprintf(f, "%sCapabilityBoundingSet:", prefix);
94f04347 3282
64685e0c 3283 for (l = 0; l <= cap_last_cap(); l++)
a103496c 3284 if (c->capability_bounding_set & (UINT64_C(1) << l))
2822da4f 3285 fprintf(f, " %s", strna(capability_to_name(l)));
94f04347
LP		 3286
3287 fputs("\n", f);
755d4b67
IP		 3288 }
3289
3290 if (c->capability_ambient_set != 0) {
3291 unsigned long l;
3292 fprintf(f, "%sAmbientCapabilities:", prefix);
3293
3294 for (l = 0; l <= cap_last_cap(); l++)
3295 if (c->capability_ambient_set & (UINT64_C(1) << l))
3296 fprintf(f, " %s", strna(capability_to_name(l)));
3297
3298 fputs("\n", f);
94f04347
LP		 3299 }
3300
3301 if (c->user)
f2d3769a 3302 fprintf(f, "%sUser: %s\n", prefix, c->user);
94f04347 3303 if (c->group)
f2d3769a 3304 fprintf(f, "%sGroup: %s\n", prefix, c->group);
94f04347 3305
29206d46
LP		 3306 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
3307
15ae422b 3308 if (strv_length(c->supplementary_groups) > 0) {
94f04347 3309 fprintf(f, "%sSupplementaryGroups:", prefix);
15ae422b
LP		 3310 strv_fprintf(f, c->supplementary_groups);
3311 fputs("\n", f);
3312 }
94f04347 3313
5b6319dc 3314 if (c->pam_name)
f2d3769a 3315 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
5b6319dc 3316
2a624c36
AP		 3317 if (strv_length(c->read_write_paths) > 0) {
3318 fprintf(f, "%sReadWritePaths:", prefix);
3319 strv_fprintf(f, c->read_write_paths);
15ae422b
LP		 3320 fputs("\n", f);
3321 }
3322
2a624c36
AP		 3323 if (strv_length(c->read_only_paths) > 0) {
3324 fprintf(f, "%sReadOnlyPaths:", prefix);
3325 strv_fprintf(f, c->read_only_paths);
15ae422b
LP		 3326 fputs("\n", f);
3327 }
94f04347 3328
2a624c36
AP		 3329 if (strv_length(c->inaccessible_paths) > 0) {
3330 fprintf(f, "%sInaccessiblePaths:", prefix);
3331 strv_fprintf(f, c->inaccessible_paths);
94f04347
LP		 3332 fputs("\n", f);
3333 }
2e22afe9 3334
169c1bda
LP		 3335 if (c->utmp_id)
3336 fprintf(f,
3337 "%sUtmpIdentifier: %s\n",
3338 prefix, c->utmp_id);
7b52a628
MS		 3339
3340 if (c->selinux_context)
3341 fprintf(f,
5f8640fb
LP		 3342 "%sSELinuxContext: %s%s\n",
3343 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
17df7223 3344
050f7277 3345 if (c->personality != PERSONALITY_INVALID)
ac45f971
LP		 3346 fprintf(f,
3347 "%sPersonality: %s\n",
3348 prefix, strna(personality_to_string(c->personality)));
3349
17df7223 3350 if (c->syscall_filter) {
351a19b1 3351#ifdef HAVE_SECCOMP
17df7223
LP		 3352 Iterator j;
3353 void *id;
3354 bool first = true;
351a19b1 3355#endif
17df7223
LP		 3356
3357 fprintf(f,
57183d11 3358 "%sSystemCallFilter: ",
17df7223
LP		 3359 prefix);
3360
3361 if (!c->syscall_whitelist)
3362 fputc('~', f);
3363
351a19b1 3364#ifdef HAVE_SECCOMP
17df7223
LP		 3365 SET_FOREACH(id, c->syscall_filter, j) {
3366 _cleanup_free_ char *name = NULL;
3367
3368 if (first)
3369 first = false;
3370 else
3371 fputc(' ', f);
3372
57183d11 3373 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
17df7223
LP		 3374 fputs(strna(name), f);
3375 }
351a19b1 3376#endif
17df7223
LP		 3377
3378 fputc('\n', f);
3379 }
3380
57183d11
LP		 3381 if (c->syscall_archs) {
3382#ifdef HAVE_SECCOMP
3383 Iterator j;
3384 void *id;
3385#endif
3386
3387 fprintf(f,
3388 "%sSystemCallArchitectures:",
3389 prefix);
3390
3391#ifdef HAVE_SECCOMP
3392 SET_FOREACH(id, c->syscall_archs, j)
3393 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
3394#endif
3395 fputc('\n', f);
3396 }
3397
b3267152 3398 if (c->syscall_errno > 0)
17df7223
LP		 3399 fprintf(f,
3400 "%sSystemCallErrorNumber: %s\n",
3401 prefix, strna(errno_to_name(c->syscall_errno)));
eef65bf3
MS		 3402
3403 if (c->apparmor_profile)
3404 fprintf(f,
3405 "%sAppArmorProfile: %s%s\n",
3406 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
5cb5a6ff
LP		 3407}
3408
a931ad47
LP		 3409bool exec_context_maintains_privileges(ExecContext *c) {
3410 assert(c);
3411
61233823 3412 /* Returns true if the process forked off would run under
a931ad47
LP		 3413 * an unchanged UID or as root. */
3414
3415 if (!c->user)
3416 return true;
3417
3418 if (streq(c->user, "root") || streq(c->user, "0"))
3419 return true;
3420
3421 return false;
3422}
3423
b58b4116 3424void exec_status_start(ExecStatus *s, pid_t pid) {
034c6ed7 3425 assert(s);
5cb5a6ff 3426
b58b4116
LP		 3427 zero(*s);
3428 s->pid = pid;
3429 dual_timestamp_get(&s->start_timestamp);
3430}
3431
6ea832a2 3432void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
b58b4116
LP		 3433 assert(s);
3434
0b1f4ae6 3435 if (s->pid && s->pid != pid)
b58b4116
LP		 3436 zero(*s);
3437
034c6ed7 3438 s->pid = pid;
63983207 3439 dual_timestamp_get(&s->exit_timestamp);
9fb86720 3440
034c6ed7
LP		 3441 s->code = code;
3442 s->status = status;
169c1bda 3443
6ea832a2
LP		 3444 if (context) {
3445 if (context->utmp_id)
3446 utmp_put_dead_process(context->utmp_id, pid, code, status);
3447
1e22b5cd 3448 exec_context_tty_reset(context, NULL);
6ea832a2 3449 }
9fb86720
LP		 3450}
3451
3452void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
3453 char buf[FORMAT_TIMESTAMP_MAX];
3454
3455 assert(s);
3456 assert(f);
3457
9fb86720
LP		 3458 if (s->pid <= 0)
3459 return;
3460
4c940960
LP		 3461 prefix = strempty(prefix);
3462
9fb86720 3463 fprintf(f,
ccd06097
ZJS		 3464 "%sPID: "PID_FMT"\n",
3465 prefix, s->pid);
9fb86720 3466
af9d16e1 3467 if (dual_timestamp_is_set(&s->start_timestamp))
9fb86720
LP		 3468 fprintf(f,
3469 "%sStart Timestamp: %s\n",
63983207 3470 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
9fb86720 3471
af9d16e1 3472 if (dual_timestamp_is_set(&s->exit_timestamp))
9fb86720
LP		 3473 fprintf(f,
3474 "%sExit Timestamp: %s\n"
3475 "%sExit Code: %s\n"
3476 "%sExit Status: %i\n",
63983207 3477 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
9fb86720
LP		 3478 prefix, sigchld_code_to_string(s->code),
3479 prefix, s->status);
5cb5a6ff 3480}
44d8db9e 3481
9e2f7c11 3482char *exec_command_line(char **argv) {
44d8db9e
LP		 3483 size_t k;
3484 char *n, *p, **a;
3485 bool first = true;
3486
9e2f7c11 3487 assert(argv);
44d8db9e 3488
9164977d 3489 k = 1;
9e2f7c11 3490 STRV_FOREACH(a, argv)
44d8db9e
LP		 3491 k += strlen(*a)+3;
3492
3493 if (!(n = new(char, k)))
3494 return NULL;
3495
3496 p = n;
9e2f7c11 3497 STRV_FOREACH(a, argv) {
44d8db9e
LP		 3498
3499 if (!first)
3500 *(p++) = ' ';
3501 else
3502 first = false;
3503
3504 if (strpbrk(*a, WHITESPACE)) {
3505 *(p++) = '\'';
3506 p = stpcpy(p, *a);
3507 *(p++) = '\'';
3508 } else
3509 p = stpcpy(p, *a);
3510
3511 }
3512
9164977d
LP		 3513 *p = 0;
3514
44d8db9e
LP		 3515 /* FIXME: this doesn't really handle arguments that have
3516 * spaces and ticks in them */
3517
3518 return n;
3519}
3520
3521void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
e1d75803 3522 _cleanup_free_ char *cmd = NULL;
4c940960 3523 const char *prefix2;
44d8db9e
LP		 3524
3525 assert(c);
3526 assert(f);
3527
4c940960 3528 prefix = strempty(prefix);
63c372cb 3529 prefix2 = strjoina(prefix, "\t");
44d8db9e 3530
9e2f7c11 3531 cmd = exec_command_line(c->argv);
44d8db9e
LP		 3532 fprintf(f,
3533 "%sCommand Line: %s\n",
3534 prefix, cmd ? cmd : strerror(ENOMEM));
3535
9fb86720 3536 exec_status_dump(&c->exec_status, f, prefix2);
44d8db9e
LP		 3537}
3538
3539void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
3540 assert(f);
3541
4c940960 3542 prefix = strempty(prefix);
44d8db9e
LP		 3543
3544 LIST_FOREACH(command, c, c)
3545 exec_command_dump(c, f, prefix);
3546}
94f04347 3547
a6a80b4f
LP		 3548void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
3549 ExecCommand *end;
3550
3551 assert(l);
3552 assert(e);
3553
3554 if (*l) {
35b8ca3a 3555 /* It's kind of important, that we keep the order here */
71fda00f
LP		 3556 LIST_FIND_TAIL(command, *l, end);
3557 LIST_INSERT_AFTER(command, *l, end, e);
a6a80b4f
LP		 3558 } else
3559 *l = e;
3560}
3561
26fd040d
LP		 3562int exec_command_set(ExecCommand *c, const char *path, ...) {
3563 va_list ap;
3564 char **l, *p;
3565
3566 assert(c);
3567 assert(path);
3568
3569 va_start(ap, path);
3570 l = strv_new_ap(path, ap);
3571 va_end(ap);
3572
3573 if (!l)
3574 return -ENOMEM;
3575
250a918d
LP		 3576 p = strdup(path);
3577 if (!p) {
26fd040d
LP		 3578 strv_free(l);
3579 return -ENOMEM;
3580 }
3581
3582 free(c->path);
3583 c->path = p;
3584
3585 strv_free(c->argv);
3586 c->argv = l;
3587
3588 return 0;
3589}
3590
86b23b07 3591int exec_command_append(ExecCommand *c, const char *path, ...) {
e63ff941 3592 _cleanup_strv_free_ char **l = NULL;
86b23b07 3593 va_list ap;
86b23b07
JS		 3594 int r;
3595
3596 assert(c);
3597 assert(path);
3598
3599 va_start(ap, path);
3600 l = strv_new_ap(path, ap);
3601 va_end(ap);
3602
3603 if (!l)
3604 return -ENOMEM;
3605
e287086b 3606 r = strv_extend_strv(&c->argv, l, false);
e63ff941 3607 if (r < 0)
86b23b07 3608 return r;
86b23b07
JS		 3609
3610 return 0;
3611}
3612
3613
613b411c
LP		 3614static int exec_runtime_allocate(ExecRuntime **rt) {
3615
3616 if (*rt)
3617 return 0;
3618
3619 *rt = new0(ExecRuntime, 1);
f146f5e1 3620 if (!*rt)
613b411c
LP		 3621 return -ENOMEM;
3622
3623 (*rt)->n_ref = 1;
3624 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
3625
3626 return 0;
3627}
3628
3629int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
3630 int r;
3631
3632 assert(rt);
3633 assert(c);
3634 assert(id);
3635
3636 if (*rt)
3637 return 1;
3638
3639 if (!c->private_network && !c->private_tmp)
3640 return 0;
3641
3642 r = exec_runtime_allocate(rt);
3643 if (r < 0)
3644 return r;
3645
3646 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
33df919d 3647 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, (*rt)->netns_storage_socket) < 0)
613b411c
LP		 3648 return -errno;
3649 }
3650
3651 if (c->private_tmp && !(*rt)->tmp_dir) {
3652 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
3653 if (r < 0)
3654 return r;
3655 }
3656
3657 return 1;
3658}
3659
3660ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
3661 assert(r);
3662 assert(r->n_ref > 0);
3663
3664 r->n_ref++;
3665 return r;
3666}
3667
3668ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
3669
3670 if (!r)
3671 return NULL;
3672
3673 assert(r->n_ref > 0);
3674
3675 r->n_ref--;
f2341e0a
LP		 3676 if (r->n_ref > 0)
3677 return NULL;
3678
3679 free(r->tmp_dir);
3680 free(r->var_tmp_dir);
3681 safe_close_pair(r->netns_storage_socket);
3682 free(r);
613b411c
LP		 3683
3684 return NULL;
3685}
3686
f2341e0a 3687int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
613b411c
LP		 3688 assert(u);
3689 assert(f);
3690 assert(fds);
3691
3692 if (!rt)
3693 return 0;
3694
3695 if (rt->tmp_dir)
3696 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
3697
3698 if (rt->var_tmp_dir)
3699 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
3700
3701 if (rt->netns_storage_socket[0] >= 0) {
3702 int copy;
3703
3704 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
3705 if (copy < 0)
3706 return copy;
3707
3708 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
3709 }
3710
3711 if (rt->netns_storage_socket[1] >= 0) {
3712 int copy;
3713
3714 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
3715 if (copy < 0)
3716 return copy;
3717
3718 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
3719 }
3720
3721 return 0;
3722}
3723
f2341e0a 3724int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
613b411c
LP		 3725 int r;
3726
3727 assert(rt);
3728 assert(key);
3729 assert(value);
3730
3731 if (streq(key, "tmp-dir")) {
3732 char *copy;
3733
3734 r = exec_runtime_allocate(rt);
3735 if (r < 0)
f2341e0a 3736 return log_oom();
613b411c
LP		 3737
3738 copy = strdup(value);
3739 if (!copy)
3740 return log_oom();
3741
3742 free((*rt)->tmp_dir);
3743 (*rt)->tmp_dir = copy;
3744
3745 } else if (streq(key, "var-tmp-dir")) {
3746 char *copy;
3747
3748 r = exec_runtime_allocate(rt);
3749 if (r < 0)
f2341e0a 3750 return log_oom();
613b411c
LP		 3751
3752 copy = strdup(value);
3753 if (!copy)
3754 return log_oom();
3755
3756 free((*rt)->var_tmp_dir);
3757 (*rt)->var_tmp_dir = copy;
3758
3759 } else if (streq(key, "netns-socket-0")) {
3760 int fd;
3761
3762 r = exec_runtime_allocate(rt);
3763 if (r < 0)
f2341e0a 3764 return log_oom();
613b411c
LP		 3765
3766 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
f2341e0a 3767 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
613b411c 3768 else {
03e334a1 3769 safe_close((*rt)->netns_storage_socket[0]);
613b411c
LP		 3770 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
3771 }
3772 } else if (streq(key, "netns-socket-1")) {
3773 int fd;
3774
3775 r = exec_runtime_allocate(rt);
3776 if (r < 0)
f2341e0a 3777 return log_oom();
613b411c
LP		 3778
3779 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
f2341e0a 3780 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
613b411c 3781 else {
03e334a1 3782 safe_close((*rt)->netns_storage_socket[1]);
613b411c
LP		 3783 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
3784 }
3785 } else
3786 return 0;
3787
3788 return 1;
3789}
3790
3791static void *remove_tmpdir_thread(void *p) {
3792 _cleanup_free_ char *path = p;
3793
c6878637 3794 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
613b411c
LP		 3795 return NULL;
3796}
3797
3798void exec_runtime_destroy(ExecRuntime *rt) {
98b47d54
LP		 3799 int r;
3800
613b411c
LP		 3801 if (!rt)
3802 return;
3803
3804 /* If there are multiple users of this, let's leave the stuff around */
3805 if (rt->n_ref > 1)
3806 return;
3807
3808 if (rt->tmp_dir) {
3809 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
98b47d54
LP		 3810
3811 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
3812 if (r < 0) {
da927ba9 3813 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
98b47d54
LP		 3814 free(rt->tmp_dir);
3815 }
3816
613b411c
LP		 3817 rt->tmp_dir = NULL;
3818 }
3819
3820 if (rt->var_tmp_dir) {
3821 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
98b47d54
LP		 3822
3823 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
3824 if (r < 0) {
da927ba9 3825 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
98b47d54
LP		 3826 free(rt->var_tmp_dir);
3827 }
3828
613b411c
LP		 3829 rt->var_tmp_dir = NULL;
3830 }
3831
3d94f76c 3832 safe_close_pair(rt->netns_storage_socket);
613b411c
LP		 3833}
3834
80876c20
LP		 3835static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
3836 [EXEC_INPUT_NULL] = "null",
3837 [EXEC_INPUT_TTY] = "tty",
3838 [EXEC_INPUT_TTY_FORCE] = "tty-force",
4f2d528d
LP		 3839 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
3840 [EXEC_INPUT_SOCKET] = "socket"
80876c20
LP		 3841};
3842
8a0867d6
LP		 3843DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
3844
94f04347 3845static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
80876c20 3846 [EXEC_OUTPUT_INHERIT] = "inherit",
94f04347 3847 [EXEC_OUTPUT_NULL] = "null",
80876c20 3848 [EXEC_OUTPUT_TTY] = "tty",
94f04347 3849 [EXEC_OUTPUT_SYSLOG] = "syslog",
28dbc1e8 3850 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
9a6bca7a 3851 [EXEC_OUTPUT_KMSG] = "kmsg",
28dbc1e8 3852 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
706343f4
LP		 3853 [EXEC_OUTPUT_JOURNAL] = "journal",
3854 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
4f2d528d 3855 [EXEC_OUTPUT_SOCKET] = "socket"
94f04347
LP		 3856};
3857
3858DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
023a4f67
LP		 3859
3860static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
3861 [EXEC_UTMP_INIT] = "init",
3862 [EXEC_UTMP_LOGIN] = "login",
3863 [EXEC_UTMP_USER] = "user",
3864};
3865
3866DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
Unnamed repository; edit this file 'description' to name the repository.