]> git.ipfire.org Git - thirdparty/systemd.git/blob - execute.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
cgroup: add cgroupsification
[thirdparty/systemd.git] / execute.c
1 /*-*- Mode: C; c-basic-offset: 8 -*-*/
2
3 /***
4 This file is part of systemd.
5
6 Copyright 2010 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 ***/
21
22 #include <assert.h>
23 #include <dirent.h>
24 #include <errno.h>
25 #include <fcntl.h>
26 #include <unistd.h>
27 #include <string.h>
28 #include <signal.h>
29 #include <sys/socket.h>
30 #include <sys/un.h>
31 #include <sys/prctl.h>
32 #include <linux/sched.h>
33 #include <sys/types.h>
34 #include <sys/stat.h>
35 #include <grp.h>
36 #include <pwd.h>
37
38 #include "execute.h"
39 #include "strv.h"
40 #include "macro.h"
41 #include "util.h"
42 #include "log.h"
43 #include "ioprio.h"
44 #include "securebits.h"
45 #include "cgroup.h"
46
47 static int close_fds(int except[], unsigned n_except) {
48 DIR *d;
49 struct dirent *de;
50 int r = 0;
51
52 /* Modifies the fds array! (sorts it) */
53
54 if (!(d = opendir("/proc/self/fd")))
55 return -errno;
56
57 while ((de = readdir(d))) {
58 int fd;
59
60 if (de->d_name[0] == '.')
61 continue;
62
63 if ((r = safe_atoi(de->d_name, &fd)) < 0)
64 goto finish;
65
66 if (fd < 3)
67 continue;
68
69 if (fd == dirfd(d))
70 continue;
71
72 if (except) {
73 bool found;
74 unsigned i;
75
76 found = false;
77 for (i = 0; i < n_except; i++)
78 if (except[i] == fd) {
79 found = true;
80 break;
81 }
82
83 if (found)
84 continue;
85 }
86
87 if ((r = close_nointr(fd)) < 0)
88 goto finish;
89 }
90
91 finish:
92 closedir(d);
93 return r;
94 }
95
96 static int shift_fds(int fds[], unsigned n_fds) {
97 int start, restart_from;
98
99 if (n_fds <= 0)
100 return 0;
101
102 assert(fds);
103
104 start = 0;
105 for (;;) {
106 int i;
107
108 restart_from = -1;
109
110 for (i = start; i < (int) n_fds; i++) {
111 int nfd;
112
113 /* Already at right index? */
114 if (fds[i] == i+3)
115 continue;
116
117 if ((nfd = fcntl(fds[i], F_DUPFD, i+3)) < 0)
118 return -errno;
119
120 assert_se(close_nointr(fds[i]) == 0);
121 fds[i] = nfd;
122
123 /* Hmm, the fd we wanted isn't free? Then
124 * let's remember that and try again from here*/
125 if (nfd != i+3 && restart_from < 0)
126 restart_from = i;
127 }
128
129 if (restart_from < 0)
130 break;
131
132 start = restart_from;
133 }
134
135 return 0;
136 }
137
138 static int flags_fds(int fds[], unsigned n_fds, bool nonblock) {
139 unsigned i;
140
141 if (n_fds <= 0)
142 return 0;
143
144 assert(fds);
145
146 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
147
148 for (i = 0; i < n_fds; i++) {
149 int flags;
150
151 if ((flags = fcntl(fds[i], F_GETFL, 0)) < 0)
152 return -errno;
153
154 if (nonblock)
155 flags |= O_NONBLOCK;
156 else
157 flags &= ~O_NONBLOCK;
158
159 if (fcntl(fds[i], F_SETFL, flags) < 0)
160 return -errno;
161
162 /* We unconditionally drop FD_CLOEXEC from the fds,
163 * since after all we want to pass these fds to our
164 * children */
165 if ((flags = fcntl(fds[i], F_GETFD, 0)) < 0)
166 return -errno;
167
168 if (fcntl(fds[i], F_SETFD, flags &~FD_CLOEXEC) < 0)
169 return -errno;
170 }
171
172 return 0;
173 }
174
175 static int replace_null_fd(int fd, int flags) {
176 int nfd;
177 assert(fd >= 0);
178
179 close_nointr(fd);
180
181 if ((nfd = open("/dev/null", flags|O_NOCTTY)) < 0)
182 return -errno;
183
184 if (nfd != fd) {
185 close_nointr_nofail(nfd);
186 return -EIO;
187 }
188
189 return 0;
190 }
191
192 static int setup_output(const ExecContext *context, const char *ident) {
193 int r;
194
195 assert(context);
196
197 switch (context->output) {
198
199 case EXEC_OUTPUT_CONSOLE:
200 return 0;
201
202 case EXEC_OUTPUT_NULL:
203
204 if ((r = replace_null_fd(STDOUT_FILENO, O_WRONLY)) < 0 ||
205 (r = replace_null_fd(STDERR_FILENO, O_WRONLY)) < 0)
206 return r;
207
208 return 0;
209
210 case EXEC_OUTPUT_KERNEL:
211 case EXEC_OUTPUT_SYSLOG: {
212
213 int fd;
214 union {
215 struct sockaddr sa;
216 struct sockaddr_un un;
217 } sa;
218
219 close_nointr(STDOUT_FILENO);
220 close_nointr(STDERR_FILENO);
221
222 if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
223 return -errno;
224
225 if (fd != STDOUT_FILENO) {
226 close_nointr_nofail(fd);
227 return -EIO;
228 }
229
230 zero(sa);
231 sa.sa.sa_family = AF_UNIX;
232 strncpy(sa.un.sun_path+1, LOGGER_SOCKET, sizeof(sa.un.sun_path)-1);
233
234 if (connect(fd, &sa.sa, sizeof(sa)) < 0) {
235 close_nointr_nofail(fd);
236 return -errno;
237 }
238
239 if (shutdown(fd, SHUT_RD) < 0) {
240 close_nointr_nofail(fd);
241 return -errno;
242 }
243
244 if ((fd = dup(fd)) < 0) {
245 close_nointr_nofail(fd);
246 return -errno;
247 }
248
249 if (fd != STDERR_FILENO) {
250 close_nointr_nofail(fd);
251 return -EIO;
252 }
253
254 /* We speak a very simple protocol between log server
255 * and client: one line for the log destination (kmsg
256 * or syslog), followed by the priority field,
257 * followed by the process name. Since we replaced
258 * stdin/stderr we simple use stdio to write to
259 * it. Note that we use stderr, to minimize buffer
260 * flushing issues. */
261
262 fprintf(stderr,
263 "%s\n"
264 "%i\n"
265 "%s\n",
266 context->output == EXEC_OUTPUT_KERNEL ? "kmsg" : "syslog",
267 context->syslog_priority,
268 context->syslog_identifier ? context->syslog_identifier : ident);
269
270 return 0;
271 }
272
273 default:
274 assert_not_reached("Unknown output type");
275 }
276 }
277
278 static int setup_input(const ExecContext *context) {
279 int r;
280
281 assert(context);
282
283 switch (context->input) {
284
285 case EXEC_INPUT_CONSOLE:
286 return 0;
287
288 case EXEC_INPUT_NULL:
289 if ((r = replace_null_fd(STDIN_FILENO, O_RDONLY)) < 0)
290 return r;
291
292 return 0;
293
294 default:
295 assert_not_reached("Unknown input type");
296 }
297 }
298
299 static int get_group_creds(const char *groupname, gid_t *gid) {
300 struct group *g;
301 unsigned long lu;
302
303 assert(groupname);
304 assert(gid);
305
306 /* We enforce some special rules for gid=0: in order to avoid
307 * NSS lookups for root we hardcode its data. */
308
309 if (streq(groupname, "root") || streq(groupname, "0")) {
310 *gid = 0;
311 return 0;
312 }
313
314 if (safe_atolu(groupname, &lu) >= 0) {
315 errno = 0;
316 g = getgrgid((gid_t) lu);
317 } else {
318 errno = 0;
319 g = getgrnam(groupname);
320 }
321
322 if (!g)
323 return errno != 0 ? -errno : -ESRCH;
324
325 *gid = g->gr_gid;
326 return 0;
327 }
328
329 static int get_user_creds(const char **username, uid_t *uid, gid_t *gid, const char **home) {
330 struct passwd *p;
331 unsigned long lu;
332
333 assert(username);
334 assert(*username);
335 assert(uid);
336 assert(gid);
337 assert(home);
338
339 /* We enforce some special rules for uid=0: in order to avoid
340 * NSS lookups for root we hardcode its data. */
341
342 if (streq(*username, "root") || streq(*username, "0")) {
343 *username = "root";
344 *uid = 0;
345 *gid = 0;
346 *home = "/root";
347 return 0;
348 }
349
350 if (safe_atolu(*username, &lu) >= 0) {
351 errno = 0;
352 p = getpwuid((uid_t) lu);
353
354 /* If there are multiple users with the same id, make
355 * sure to leave $USER to the configured value instead
356 * of the first occurence in the database. However if
357 * the uid was configured by a numeric uid, then let's
358 * pick the real username from /etc/passwd. */
359 if (*username && p)
360 *username = p->pw_name;
361 } else {
362 errno = 0;
363 p = getpwnam(*username);
364 }
365
366 if (!p)
367 return errno != 0 ? -errno : -ESRCH;
368
369 *uid = p->pw_uid;
370 *gid = p->pw_gid;
371 *home = p->pw_dir;
372 return 0;
373 }
374
375 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
376 bool keep_groups = false;
377 int r;
378
379 assert(context);
380
381 /* Lookup and ser GID and supplementary group list. Here too
382 * we avoid NSS lookups for gid=0. */
383
384 if (context->group || username) {
385
386 if (context->group)
387 if ((r = get_group_creds(context->group, &gid)) < 0)
388 return r;
389
390 /* First step, initialize groups from /etc/groups */
391 if (username && gid != 0) {
392 if (initgroups(username, gid) < 0)
393 return -errno;
394
395 keep_groups = true;
396 }
397
398 /* Second step, set our gids */
399 if (setresgid(gid, gid, gid) < 0)
400 return -errno;
401 }
402
403 if (context->supplementary_groups) {
404 int ngroups_max, k;
405 gid_t *gids;
406 char **i;
407
408 /* Final step, initialize any manually set supplementary groups */
409 ngroups_max = (int) sysconf(_SC_NGROUPS_MAX);
410
411 if (!(gids = new(gid_t, ngroups_max)))
412 return -ENOMEM;
413
414 if (keep_groups) {
415 if ((k = getgroups(ngroups_max, gids)) < 0) {
416 free(gids);
417 return -errno;
418 }
419 } else
420 k = 0;
421
422 STRV_FOREACH(i, context->supplementary_groups) {
423
424 if (k >= ngroups_max) {
425 free(gids);
426 return -E2BIG;
427 }
428
429 if ((r = get_group_creds(*i, gids+k)) < 0) {
430 free(gids);
431 return r;
432 }
433
434 k++;
435 }
436
437 if (setgroups(k, gids) < 0) {
438 free(gids);
439 return -errno;
440 }
441
442 free(gids);
443 }
444
445 return 0;
446 }
447
448 static int enforce_user(const ExecContext *context, uid_t uid) {
449 int r;
450 assert(context);
451
452 /* Sets (but doesn't lookup) the uid and make sure we keep the
453 * capabilities while doing so. */
454
455 if (context->capabilities) {
456 cap_t d;
457 static const cap_value_t bits[] = {
458 CAP_SETUID, /* Necessary so that we can run setresuid() below */
459 CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
460 };
461
462 /* First step: If we need to keep capabilities but
463 * drop privileges we need to make sure we keep our
464 * caps, whiel we drop priviliges. */
465 if (uid != 0) {
466 int sb = context->secure_bits|SECURE_KEEP_CAPS;
467
468 if (prctl(PR_GET_SECUREBITS) != sb)
469 if (prctl(PR_SET_SECUREBITS, sb) < 0)
470 return -errno;
471 }
472
473 /* Second step: set the capabilites. This will reduce
474 * the capabilities to the minimum we need. */
475
476 if (!(d = cap_dup(context->capabilities)))
477 return -errno;
478
479 if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
480 cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0) {
481 r = -errno;
482 cap_free(d);
483 return r;
484 }
485
486 if (cap_set_proc(d) < 0) {
487 r = -errno;
488 cap_free(d);
489 return r;
490 }
491
492 cap_free(d);
493 }
494
495 /* Third step: actually set the uids */
496 if (setresuid(uid, uid, uid) < 0)
497 return -errno;
498
499 /* At this point we should have all necessary capabilities but
500 are otherwise a normal user. However, the caps might got
501 corrupted due to the setresuid() so we need clean them up
502 later. This is done outside of this call. */
503
504 return 0;
505 }
506
507 int exec_spawn(const ExecCommand *command,
508 const ExecContext *context,
509 int *fds, unsigned n_fds,
510 bool apply_permissions,
511 bool apply_chroot,
512 CGroupBonding *cgroup_bondings,
513 pid_t *ret) {
514
515 pid_t pid;
516 int r;
517
518 assert(command);
519 assert(context);
520 assert(ret);
521 assert(fds || n_fds <= 0);
522
523 log_debug("About to execute %s", command->path);
524
525 if (cgroup_bondings)
526 if ((r = cgroup_bonding_realize_list(cgroup_bondings)))
527 return r;
528
529 if ((pid = fork()) < 0)
530 return -errno;
531
532 if (pid == 0) {
533 int i;
534 sigset_t ss;
535 const char *username = NULL, *home = NULL;
536 uid_t uid = (uid_t) -1;
537 gid_t gid = (gid_t) -1;
538 char **our_env = NULL, **final_env = NULL;
539 unsigned n_env = 0;
540
541 /* child */
542
543 if (sigemptyset(&ss) < 0 ||
544 sigprocmask(SIG_SETMASK, &ss, NULL) < 0) {
545 r = EXIT_SIGNAL_MASK;
546 goto fail;
547 }
548
549 if (setpgid(0, 0) < 0) {
550 r = EXIT_PGID;
551 goto fail;
552 }
553
554 umask(context->umask);
555
556 if (setup_input(context) < 0) {
557 r = EXIT_INPUT;
558 goto fail;
559 }
560
561 if (setup_output(context, file_name_from_path(command->path)) < 0) {
562 r = EXIT_OUTPUT;
563 goto fail;
564 }
565
566 if (cgroup_bondings)
567 if ((r = cgroup_bonding_install_list(cgroup_bondings, 0)) < 0) {
568 r = EXIT_CGROUP;
569 goto fail;
570 }
571
572 if (context->oom_adjust_set) {
573 char t[16];
574
575 snprintf(t, sizeof(t), "%i", context->oom_adjust);
576 char_array_0(t);
577
578 if (write_one_line_file("/proc/self/oom_adj", t) < 0) {
579 r = EXIT_OOM_ADJUST;
580 goto fail;
581 }
582 }
583
584 if (context->nice_set)
585 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
586 r = EXIT_NICE;
587 goto fail;
588 }
589
590 if (context->cpu_sched_set) {
591 struct sched_param param;
592
593 zero(param);
594 param.sched_priority = context->cpu_sched_priority;
595
596 if (sched_setscheduler(0, context->cpu_sched_policy |
597 (context->cpu_sched_reset_on_fork ? SCHED_RESET_ON_FORK : 0), &param) < 0) {
598 r = EXIT_SETSCHEDULER;
599 goto fail;
600 }
601 }
602
603 if (context->cpu_affinity_set)
604 if (sched_setaffinity(0, sizeof(context->cpu_affinity), &context->cpu_affinity) < 0) {
605 r = EXIT_CPUAFFINITY;
606 goto fail;
607 }
608
609 if (context->ioprio_set)
610 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
611 r = EXIT_IOPRIO;
612 goto fail;
613 }
614
615 if (context->timer_slack_ns_set)
616 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_ns_set) < 0) {
617 r = EXIT_TIMERSLACK;
618 goto fail;
619 }
620
621 if (context->user) {
622 username = context->user;
623 if (get_user_creds(&username, &uid, &gid, &home) < 0) {
624 r = EXIT_USER;
625 goto fail;
626 }
627 }
628
629 if (apply_permissions)
630 if (enforce_groups(context, username, uid) < 0) {
631 r = EXIT_GROUP;
632 goto fail;
633 }
634
635 if (apply_chroot) {
636 if (context->root_directory)
637 if (chroot(context->root_directory) < 0) {
638 r = EXIT_CHROOT;
639 goto fail;
640 }
641
642 if (chdir(context->working_directory ? context->working_directory : "/") < 0) {
643 r = EXIT_CHDIR;
644 goto fail;
645 }
646 } else {
647
648 char *d;
649
650 if (asprintf(&d, "%s/%s",
651 context->root_directory ? context->root_directory : "",
652 context->working_directory ? context->working_directory : "") < 0) {
653 r = EXIT_MEMORY;
654 goto fail;
655 }
656
657 if (chdir(d) < 0) {
658 free(d);
659 r = EXIT_CHDIR;
660 goto fail;
661 }
662
663 free(d);
664 }
665
666 if (close_fds(fds, n_fds) < 0 ||
667 shift_fds(fds, n_fds) < 0 ||
668 flags_fds(fds, n_fds, context->non_blocking) < 0) {
669 r = EXIT_FDS;
670 goto fail;
671 }
672
673 if (apply_permissions) {
674
675 for (i = 0; i < RLIMIT_NLIMITS; i++) {
676 if (!context->rlimit[i])
677 continue;
678
679 if (setrlimit(i, context->rlimit[i]) < 0) {
680 r = EXIT_LIMITS;
681 goto fail;
682 }
683 }
684
685 if (context->user)
686 if (enforce_user(context, uid) < 0) {
687 r = EXIT_USER;
688 goto fail;
689 }
690
691 /* PR_GET_SECUREBITS is not priviliged, while
692 * PR_SET_SECUREBITS is. So to suppress
693 * potential EPERMs we'll try not to call
694 * PR_SET_SECUREBITS unless necessary. */
695 if (prctl(PR_GET_SECUREBITS) != context->secure_bits)
696 if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
697 r = EXIT_SECUREBITS;
698 goto fail;
699 }
700
701 if (context->capabilities)
702 if (cap_set_proc(context->capabilities) < 0) {
703 r = EXIT_CAPABILITIES;
704 goto fail;
705 }
706 }
707
708 if (!(our_env = new0(char*, 6))) {
709 r = EXIT_MEMORY;
710 goto fail;
711 }
712
713 if (n_fds > 0)
714 if (asprintf(our_env + n_env++, "LISTEN_PID=%llu", (unsigned long long) getpid()) < 0 ||
715 asprintf(our_env + n_env++, "LISTEN_FDS=%u", n_fds) < 0) {
716 r = EXIT_MEMORY;
717 goto fail;
718 }
719
720 if (home)
721 if (asprintf(our_env + n_env++, "HOME=%s", home) < 0) {
722 r = EXIT_MEMORY;
723 goto fail;
724 }
725
726 if (username)
727 if (asprintf(our_env + n_env++, "LOGNAME=%s", username) < 0 ||
728 asprintf(our_env + n_env++, "USER=%s", username) < 0) {
729 r = EXIT_MEMORY;
730 goto fail;
731 }
732
733 if (!(final_env = strv_env_merge(environ, our_env, context->environment, NULL))) {
734 r = EXIT_MEMORY;
735 goto fail;
736 }
737
738 execve(command->path, command->argv, final_env);
739 r = EXIT_EXEC;
740
741 fail:
742 strv_free(our_env);
743 strv_free(final_env);
744
745 _exit(r);
746 }
747
748
749 log_debug("Forked %s as %llu", command->path, (unsigned long long) pid);
750
751 *ret = pid;
752 return 0;
753 }
754
755 void exec_context_init(ExecContext *c) {
756 assert(c);
757
758 c->umask = 0002;
759 c->oom_adjust = 0;
760 c->oom_adjust_set = false;
761 c->nice = 0;
762 c->nice_set = false;
763 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
764 c->ioprio_set = false;
765 c->cpu_sched_policy = SCHED_OTHER;
766 c->cpu_sched_priority = 0;
767 c->cpu_sched_set = false;
768 CPU_ZERO(&c->cpu_affinity);
769 c->cpu_affinity_set = false;
770
771 c->input = 0;
772 c->output = 0;
773 c->syslog_priority = LOG_DAEMON|LOG_INFO;
774
775 c->secure_bits = 0;
776 c->capability_bounding_set_drop = 0;
777 }
778
779 void exec_context_done(ExecContext *c) {
780 unsigned l;
781
782 assert(c);
783
784 strv_free(c->environment);
785 c->environment = NULL;
786
787 for (l = 0; l < ELEMENTSOF(c->rlimit); l++) {
788 free(c->rlimit[l]);
789 c->rlimit[l] = NULL;
790 }
791
792 free(c->working_directory);
793 c->working_directory = NULL;
794 free(c->root_directory);
795 c->root_directory = NULL;
796
797 free(c->syslog_identifier);
798 c->syslog_identifier = NULL;
799
800 free(c->user);
801 c->user = NULL;
802
803 free(c->group);
804 c->group = NULL;
805
806 strv_free(c->supplementary_groups);
807 c->supplementary_groups = NULL;
808
809 if (c->capabilities) {
810 cap_free(c->capabilities);
811 c->capabilities = NULL;
812 }
813 }
814
815 void exec_command_free_list(ExecCommand *c) {
816 ExecCommand *i;
817
818 while ((i = c)) {
819 LIST_REMOVE(ExecCommand, command, c, i);
820
821 free(i->path);
822 strv_free(i->argv);
823 free(i);
824 }
825 }
826
827 void exec_command_free_array(ExecCommand **c, unsigned n) {
828 unsigned i;
829
830 for (i = 0; i < n; i++) {
831 exec_command_free_list(c[i]);
832 c[i] = NULL;
833 }
834 }
835
836 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
837 char ** e;
838 unsigned i;
839
840 assert(c);
841 assert(f);
842
843 if (!prefix)
844 prefix = "";
845
846 fprintf(f,
847 "%sUMask: %04o\n"
848 "%sWorkingDirectory: %s\n"
849 "%sRootDirectory: %s\n"
850 "%sNonBlocking: %s\n",
851 prefix, c->umask,
852 prefix, c->working_directory ? c->working_directory : "/",
853 prefix, c->root_directory ? c->root_directory : "/",
854 prefix, yes_no(c->non_blocking));
855
856 if (c->environment)
857 for (e = c->environment; *e; e++)
858 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
859
860 if (c->nice_set)
861 fprintf(f,
862 "%sNice: %i\n",
863 prefix, c->nice);
864
865 if (c->oom_adjust_set)
866 fprintf(f,
867 "%sOOMAdjust: %i\n",
868 prefix, c->oom_adjust);
869
870 for (i = 0; i < RLIM_NLIMITS; i++)
871 if (c->rlimit[i])
872 fprintf(f, "%s%s: %llu\n", prefix, rlimit_to_string(i), (unsigned long long) c->rlimit[i]->rlim_max);
873
874 if (c->ioprio_set)
875 fprintf(f,
876 "%sIOSchedulingClass: %s\n"
877 "%sIOPriority: %i\n",
878 prefix, ioprio_class_to_string(IOPRIO_PRIO_CLASS(c->ioprio)),
879 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
880
881 if (c->cpu_sched_set)
882 fprintf(f,
883 "%sCPUSchedulingPolicy: %s\n"
884 "%sCPUSchedulingPriority: %i\n"
885 "%sCPUSchedulingResetOnFork: %s\n",
886 prefix, sched_policy_to_string(c->cpu_sched_policy),
887 prefix, c->cpu_sched_priority,
888 prefix, yes_no(c->cpu_sched_reset_on_fork));
889
890 if (c->cpu_affinity_set) {
891 fprintf(f, "%sCPUAffinity:", prefix);
892 for (i = 0; i < CPU_SETSIZE; i++)
893 if (CPU_ISSET(i, &c->cpu_affinity))
894 fprintf(f, " %i", i);
895 fputs("\n", f);
896 }
897
898 if (c->timer_slack_ns_set)
899 fprintf(f, "%sTimerSlackNS: %lu\n", prefix, c->timer_slack_ns);
900
901 fprintf(f,
902 "%sInput: %s\n"
903 "%sOutput: %s\n",
904 prefix, exec_input_to_string(c->input),
905 prefix, exec_output_to_string(c->output));
906
907 if (c->output == EXEC_OUTPUT_SYSLOG || c->output == EXEC_OUTPUT_KERNEL)
908 fprintf(f,
909 "%sSyslogFacility: %s\n"
910 "%sSyslogLevel: %s\n",
911 prefix, log_facility_to_string(LOG_FAC(c->syslog_priority)),
912 prefix, log_level_to_string(LOG_PRI(c->syslog_priority)));
913
914 if (c->capabilities) {
915 char *t;
916 if ((t = cap_to_text(c->capabilities, NULL))) {
917 fprintf(f, "%sCapabilities: %s\n",
918 prefix, t);
919 cap_free(t);
920 }
921 }
922
923 if (c->secure_bits)
924 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
925 prefix,
926 (c->secure_bits & SECURE_KEEP_CAPS) ? " keep-caps" : "",
927 (c->secure_bits & SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
928 (c->secure_bits & SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
929 (c->secure_bits & SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
930 (c->secure_bits & SECURE_NOROOT) ? " noroot" : "",
931 (c->secure_bits & SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
932
933 if (c->capability_bounding_set_drop) {
934 fprintf(f, "%sCapabilityBoundingSetDrop:", prefix);
935
936 for (i = 0; i <= CAP_LAST_CAP; i++)
937 if (c->capability_bounding_set_drop & (1 << i)) {
938 char *t;
939
940 if ((t = cap_to_name(i))) {
941 fprintf(f, " %s", t);
942 free(t);
943 }
944 }
945
946 fputs("\n", f);
947 }
948
949 if (c->user)
950 fprintf(f, "%sUser: %s", prefix, c->user);
951 if (c->group)
952 fprintf(f, "%sGroup: %s", prefix, c->group);
953
954 if (c->supplementary_groups) {
955 char **g;
956
957 fprintf(f, "%sSupplementaryGroups:", prefix);
958
959 STRV_FOREACH(g, c->supplementary_groups)
960 fprintf(f, " %s", *g);
961
962 fputs("\n", f);
963 }
964 }
965
966 void exec_status_fill(ExecStatus *s, pid_t pid, int code, int status) {
967 assert(s);
968
969 s->pid = pid;
970 s->code = code;
971 s->status = status;
972 s->timestamp = now(CLOCK_REALTIME);
973 }
974
975 char *exec_command_line(ExecCommand *c) {
976 size_t k;
977 char *n, *p, **a;
978 bool first = true;
979
980 assert(c);
981 assert(c->argv);
982
983 k = 1;
984 STRV_FOREACH(a, c->argv)
985 k += strlen(*a)+3;
986
987 if (!(n = new(char, k)))
988 return NULL;
989
990 p = n;
991 STRV_FOREACH(a, c->argv) {
992
993 if (!first)
994 *(p++) = ' ';
995 else
996 first = false;
997
998 if (strpbrk(*a, WHITESPACE)) {
999 *(p++) = '\'';
1000 p = stpcpy(p, *a);
1001 *(p++) = '\'';
1002 } else
1003 p = stpcpy(p, *a);
1004
1005 }
1006
1007 *p = 0;
1008
1009 /* FIXME: this doesn't really handle arguments that have
1010 * spaces and ticks in them */
1011
1012 return n;
1013 }
1014
1015 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
1016 char *cmd;
1017
1018 assert(c);
1019 assert(f);
1020
1021 if (!prefix)
1022 prefix = "";
1023
1024 cmd = exec_command_line(c);
1025
1026 fprintf(f,
1027 "%sCommand Line: %s\n",
1028 prefix, cmd ? cmd : strerror(ENOMEM));
1029
1030 free(cmd);
1031 }
1032
1033 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
1034 assert(f);
1035
1036 if (!prefix)
1037 prefix = "";
1038
1039 LIST_FOREACH(command, c, c)
1040 exec_command_dump(c, f, prefix);
1041 }
1042
1043 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
1044 ExecCommand *end;
1045
1046 assert(l);
1047 assert(e);
1048
1049 if (*l) {
1050 /* It's kinda important that we keep the order here */
1051 LIST_FIND_TAIL(ExecCommand, command, *l, end);
1052 LIST_INSERT_AFTER(ExecCommand, command, *l, end, e);
1053 } else
1054 *l = e;
1055 }
1056
1057 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
1058 [EXEC_OUTPUT_CONSOLE] = "console",
1059 [EXEC_OUTPUT_NULL] = "null",
1060 [EXEC_OUTPUT_SYSLOG] = "syslog",
1061 [EXEC_OUTPUT_KERNEL] = "kernel"
1062 };
1063
1064 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
1065
1066 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
1067 [EXEC_INPUT_NULL] = "null",
1068 [EXEC_INPUT_CONSOLE] = "console"
1069 };
1070
1071 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
Unnamed repository; edit this file 'description' to name the repository.