]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/execute.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
doc,core: Read{Write,Only}Paths= and InaccessiblePaths=
[thirdparty/systemd.git] / src / core / execute.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <errno.h>
21 #include <fcntl.h>
22 #include <glob.h>
23 #include <grp.h>
24 #include <poll.h>
25 #include <signal.h>
26 #include <string.h>
27 #include <sys/capability.h>
28 #include <sys/mman.h>
29 #include <sys/personality.h>
30 #include <sys/prctl.h>
31 #include <sys/socket.h>
32 #include <sys/stat.h>
33 #include <sys/un.h>
34 #include <unistd.h>
35 #include <utmpx.h>
36
37 #ifdef HAVE_PAM
38 #include <security/pam_appl.h>
39 #endif
40
41 #ifdef HAVE_SELINUX
42 #include <selinux/selinux.h>
43 #endif
44
45 #ifdef HAVE_SECCOMP
46 #include <seccomp.h>
47 #endif
48
49 #ifdef HAVE_APPARMOR
50 #include <sys/apparmor.h>
51 #endif
52
53 #include "sd-messages.h"
54
55 #include "af-list.h"
56 #include "alloc-util.h"
57 #ifdef HAVE_APPARMOR
58 #include "apparmor-util.h"
59 #endif
60 #include "async.h"
61 #include "barrier.h"
62 #include "cap-list.h"
63 #include "capability-util.h"
64 #include "def.h"
65 #include "env-util.h"
66 #include "errno-list.h"
67 #include "execute.h"
68 #include "exit-status.h"
69 #include "fd-util.h"
70 #include "fileio.h"
71 #include "formats-util.h"
72 #include "fs-util.h"
73 #include "glob-util.h"
74 #include "io-util.h"
75 #include "ioprio.h"
76 #include "log.h"
77 #include "macro.h"
78 #include "missing.h"
79 #include "mkdir.h"
80 #include "namespace.h"
81 #include "parse-util.h"
82 #include "path-util.h"
83 #include "process-util.h"
84 #include "rlimit-util.h"
85 #include "rm-rf.h"
86 #ifdef HAVE_SECCOMP
87 #include "seccomp-util.h"
88 #endif
89 #include "securebits.h"
90 #include "selinux-util.h"
91 #include "signal-util.h"
92 #include "smack-util.h"
93 #include "string-table.h"
94 #include "string-util.h"
95 #include "strv.h"
96 #include "syslog-util.h"
97 #include "terminal-util.h"
98 #include "unit.h"
99 #include "user-util.h"
100 #include "util.h"
101 #include "utmp-wtmp.h"
102
103 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
104 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
105
106 /* This assumes there is a 'tty' group */
107 #define TTY_MODE 0620
108
109 #define SNDBUF_SIZE (8*1024*1024)
110
111 static int shift_fds(int fds[], unsigned n_fds) {
112 int start, restart_from;
113
114 if (n_fds <= 0)
115 return 0;
116
117 /* Modifies the fds array! (sorts it) */
118
119 assert(fds);
120
121 start = 0;
122 for (;;) {
123 int i;
124
125 restart_from = -1;
126
127 for (i = start; i < (int) n_fds; i++) {
128 int nfd;
129
130 /* Already at right index? */
131 if (fds[i] == i+3)
132 continue;
133
134 nfd = fcntl(fds[i], F_DUPFD, i + 3);
135 if (nfd < 0)
136 return -errno;
137
138 safe_close(fds[i]);
139 fds[i] = nfd;
140
141 /* Hmm, the fd we wanted isn't free? Then
142 * let's remember that and try again from here */
143 if (nfd != i+3 && restart_from < 0)
144 restart_from = i;
145 }
146
147 if (restart_from < 0)
148 break;
149
150 start = restart_from;
151 }
152
153 return 0;
154 }
155
156 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
157 unsigned i;
158 int r;
159
160 if (n_fds <= 0)
161 return 0;
162
163 assert(fds);
164
165 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
166
167 for (i = 0; i < n_fds; i++) {
168
169 r = fd_nonblock(fds[i], nonblock);
170 if (r < 0)
171 return r;
172
173 /* We unconditionally drop FD_CLOEXEC from the fds,
174 * since after all we want to pass these fds to our
175 * children */
176
177 r = fd_cloexec(fds[i], false);
178 if (r < 0)
179 return r;
180 }
181
182 return 0;
183 }
184
185 static const char *exec_context_tty_path(const ExecContext *context) {
186 assert(context);
187
188 if (context->stdio_as_fds)
189 return NULL;
190
191 if (context->tty_path)
192 return context->tty_path;
193
194 return "/dev/console";
195 }
196
197 static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
198 const char *path;
199
200 assert(context);
201
202 path = exec_context_tty_path(context);
203
204 if (context->tty_vhangup) {
205 if (p && p->stdin_fd >= 0)
206 (void) terminal_vhangup_fd(p->stdin_fd);
207 else if (path)
208 (void) terminal_vhangup(path);
209 }
210
211 if (context->tty_reset) {
212 if (p && p->stdin_fd >= 0)
213 (void) reset_terminal_fd(p->stdin_fd, true);
214 else if (path)
215 (void) reset_terminal(path);
216 }
217
218 if (context->tty_vt_disallocate && path)
219 (void) vt_disallocate(path);
220 }
221
222 static bool is_terminal_output(ExecOutput o) {
223 return
224 o == EXEC_OUTPUT_TTY ||
225 o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
226 o == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
227 o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE;
228 }
229
230 static int open_null_as(int flags, int nfd) {
231 int fd, r;
232
233 assert(nfd >= 0);
234
235 fd = open("/dev/null", flags|O_NOCTTY);
236 if (fd < 0)
237 return -errno;
238
239 if (fd != nfd) {
240 r = dup2(fd, nfd) < 0 ? -errno : nfd;
241 safe_close(fd);
242 } else
243 r = nfd;
244
245 return r;
246 }
247
248 static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
249 union sockaddr_union sa = {
250 .un.sun_family = AF_UNIX,
251 .un.sun_path = "/run/systemd/journal/stdout",
252 };
253 uid_t olduid = UID_INVALID;
254 gid_t oldgid = GID_INVALID;
255 int r;
256
257 if (gid != GID_INVALID) {
258 oldgid = getgid();
259
260 r = setegid(gid);
261 if (r < 0)
262 return -errno;
263 }
264
265 if (uid != UID_INVALID) {
266 olduid = getuid();
267
268 r = seteuid(uid);
269 if (r < 0) {
270 r = -errno;
271 goto restore_gid;
272 }
273 }
274
275 r = connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
276 if (r < 0)
277 r = -errno;
278
279 /* If we fail to restore the uid or gid, things will likely
280 fail later on. This should only happen if an LSM interferes. */
281
282 if (uid != UID_INVALID)
283 (void) seteuid(olduid);
284
285 restore_gid:
286 if (gid != GID_INVALID)
287 (void) setegid(oldgid);
288
289 return r;
290 }
291
292 static int connect_logger_as(
293 const ExecContext *context,
294 ExecOutput output,
295 const char *ident,
296 const char *unit_id,
297 int nfd,
298 uid_t uid,
299 gid_t gid) {
300
301 int fd, r;
302
303 assert(context);
304 assert(output < _EXEC_OUTPUT_MAX);
305 assert(ident);
306 assert(nfd >= 0);
307
308 fd = socket(AF_UNIX, SOCK_STREAM, 0);
309 if (fd < 0)
310 return -errno;
311
312 r = connect_journal_socket(fd, uid, gid);
313 if (r < 0)
314 return r;
315
316 if (shutdown(fd, SHUT_RD) < 0) {
317 safe_close(fd);
318 return -errno;
319 }
320
321 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
322
323 dprintf(fd,
324 "%s\n"
325 "%s\n"
326 "%i\n"
327 "%i\n"
328 "%i\n"
329 "%i\n"
330 "%i\n",
331 context->syslog_identifier ? context->syslog_identifier : ident,
332 unit_id,
333 context->syslog_priority,
334 !!context->syslog_level_prefix,
335 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
336 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
337 is_terminal_output(output));
338
339 if (fd == nfd)
340 return nfd;
341
342 r = dup2(fd, nfd) < 0 ? -errno : nfd;
343 safe_close(fd);
344
345 return r;
346 }
347 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
348 int fd, r;
349
350 assert(path);
351 assert(nfd >= 0);
352
353 fd = open_terminal(path, mode | O_NOCTTY);
354 if (fd < 0)
355 return fd;
356
357 if (fd != nfd) {
358 r = dup2(fd, nfd) < 0 ? -errno : nfd;
359 safe_close(fd);
360 } else
361 r = nfd;
362
363 return r;
364 }
365
366 static bool is_terminal_input(ExecInput i) {
367 return
368 i == EXEC_INPUT_TTY ||
369 i == EXEC_INPUT_TTY_FORCE ||
370 i == EXEC_INPUT_TTY_FAIL;
371 }
372
373 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
374
375 if (is_terminal_input(std_input) && !apply_tty_stdin)
376 return EXEC_INPUT_NULL;
377
378 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
379 return EXEC_INPUT_NULL;
380
381 return std_input;
382 }
383
384 static int fixup_output(ExecOutput std_output, int socket_fd) {
385
386 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
387 return EXEC_OUTPUT_INHERIT;
388
389 return std_output;
390 }
391
392 static int setup_input(
393 const ExecContext *context,
394 const ExecParameters *params,
395 int socket_fd) {
396
397 ExecInput i;
398
399 assert(context);
400 assert(params);
401
402 if (params->stdin_fd >= 0) {
403 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
404 return -errno;
405
406 /* Try to make this the controlling tty, if it is a tty, and reset it */
407 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
408 (void) reset_terminal_fd(STDIN_FILENO, true);
409
410 return STDIN_FILENO;
411 }
412
413 i = fixup_input(context->std_input, socket_fd, params->apply_tty_stdin);
414
415 switch (i) {
416
417 case EXEC_INPUT_NULL:
418 return open_null_as(O_RDONLY, STDIN_FILENO);
419
420 case EXEC_INPUT_TTY:
421 case EXEC_INPUT_TTY_FORCE:
422 case EXEC_INPUT_TTY_FAIL: {
423 int fd, r;
424
425 fd = acquire_terminal(exec_context_tty_path(context),
426 i == EXEC_INPUT_TTY_FAIL,
427 i == EXEC_INPUT_TTY_FORCE,
428 false,
429 USEC_INFINITY);
430 if (fd < 0)
431 return fd;
432
433 if (fd != STDIN_FILENO) {
434 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
435 safe_close(fd);
436 } else
437 r = STDIN_FILENO;
438
439 return r;
440 }
441
442 case EXEC_INPUT_SOCKET:
443 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
444
445 default:
446 assert_not_reached("Unknown input type");
447 }
448 }
449
450 static int setup_output(
451 Unit *unit,
452 const ExecContext *context,
453 const ExecParameters *params,
454 int fileno,
455 int socket_fd,
456 const char *ident,
457 uid_t uid,
458 gid_t gid,
459 dev_t *journal_stream_dev,
460 ino_t *journal_stream_ino) {
461
462 ExecOutput o;
463 ExecInput i;
464 int r;
465
466 assert(unit);
467 assert(context);
468 assert(params);
469 assert(ident);
470 assert(journal_stream_dev);
471 assert(journal_stream_ino);
472
473 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
474
475 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
476 return -errno;
477
478 return STDOUT_FILENO;
479 }
480
481 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
482 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
483 return -errno;
484
485 return STDERR_FILENO;
486 }
487
488 i = fixup_input(context->std_input, socket_fd, params->apply_tty_stdin);
489 o = fixup_output(context->std_output, socket_fd);
490
491 if (fileno == STDERR_FILENO) {
492 ExecOutput e;
493 e = fixup_output(context->std_error, socket_fd);
494
495 /* This expects the input and output are already set up */
496
497 /* Don't change the stderr file descriptor if we inherit all
498 * the way and are not on a tty */
499 if (e == EXEC_OUTPUT_INHERIT &&
500 o == EXEC_OUTPUT_INHERIT &&
501 i == EXEC_INPUT_NULL &&
502 !is_terminal_input(context->std_input) &&
503 getppid () != 1)
504 return fileno;
505
506 /* Duplicate from stdout if possible */
507 if (e == o || e == EXEC_OUTPUT_INHERIT)
508 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
509
510 o = e;
511
512 } else if (o == EXEC_OUTPUT_INHERIT) {
513 /* If input got downgraded, inherit the original value */
514 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
515 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
516
517 /* If the input is connected to anything that's not a /dev/null, inherit that... */
518 if (i != EXEC_INPUT_NULL)
519 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
520
521 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
522 if (getppid() != 1)
523 return fileno;
524
525 /* We need to open /dev/null here anew, to get the right access mode. */
526 return open_null_as(O_WRONLY, fileno);
527 }
528
529 switch (o) {
530
531 case EXEC_OUTPUT_NULL:
532 return open_null_as(O_WRONLY, fileno);
533
534 case EXEC_OUTPUT_TTY:
535 if (is_terminal_input(i))
536 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
537
538 /* We don't reset the terminal if this is just about output */
539 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
540
541 case EXEC_OUTPUT_SYSLOG:
542 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
543 case EXEC_OUTPUT_KMSG:
544 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
545 case EXEC_OUTPUT_JOURNAL:
546 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
547 r = connect_logger_as(context, o, ident, unit->id, fileno, uid, gid);
548 if (r < 0) {
549 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
550 r = open_null_as(O_WRONLY, fileno);
551 } else {
552 struct stat st;
553
554 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
555 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
556 * services to detect whether they are connected to the journal or not. */
557
558 if (fstat(fileno, &st) >= 0) {
559 *journal_stream_dev = st.st_dev;
560 *journal_stream_ino = st.st_ino;
561 }
562 }
563 return r;
564
565 case EXEC_OUTPUT_SOCKET:
566 assert(socket_fd >= 0);
567 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
568
569 default:
570 assert_not_reached("Unknown error type");
571 }
572 }
573
574 static int chown_terminal(int fd, uid_t uid) {
575 struct stat st;
576
577 assert(fd >= 0);
578
579 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
580 if (isatty(fd) < 1)
581 return 0;
582
583 /* This might fail. What matters are the results. */
584 (void) fchown(fd, uid, -1);
585 (void) fchmod(fd, TTY_MODE);
586
587 if (fstat(fd, &st) < 0)
588 return -errno;
589
590 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
591 return -EPERM;
592
593 return 0;
594 }
595
596 static int setup_confirm_stdio(int *_saved_stdin, int *_saved_stdout) {
597 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
598 int r;
599
600 assert(_saved_stdin);
601 assert(_saved_stdout);
602
603 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
604 if (saved_stdin < 0)
605 return -errno;
606
607 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
608 if (saved_stdout < 0)
609 return -errno;
610
611 fd = acquire_terminal(
612 "/dev/console",
613 false,
614 false,
615 false,
616 DEFAULT_CONFIRM_USEC);
617 if (fd < 0)
618 return fd;
619
620 r = chown_terminal(fd, getuid());
621 if (r < 0)
622 return r;
623
624 r = reset_terminal_fd(fd, true);
625 if (r < 0)
626 return r;
627
628 if (dup2(fd, STDIN_FILENO) < 0)
629 return -errno;
630
631 if (dup2(fd, STDOUT_FILENO) < 0)
632 return -errno;
633
634 if (fd >= 2)
635 safe_close(fd);
636 fd = -1;
637
638 *_saved_stdin = saved_stdin;
639 *_saved_stdout = saved_stdout;
640
641 saved_stdin = saved_stdout = -1;
642
643 return 0;
644 }
645
646 _printf_(1, 2) static int write_confirm_message(const char *format, ...) {
647 _cleanup_close_ int fd = -1;
648 va_list ap;
649
650 assert(format);
651
652 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
653 if (fd < 0)
654 return fd;
655
656 va_start(ap, format);
657 vdprintf(fd, format, ap);
658 va_end(ap);
659
660 return 0;
661 }
662
663 static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
664 int r = 0;
665
666 assert(saved_stdin);
667 assert(saved_stdout);
668
669 release_terminal();
670
671 if (*saved_stdin >= 0)
672 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
673 r = -errno;
674
675 if (*saved_stdout >= 0)
676 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
677 r = -errno;
678
679 *saved_stdin = safe_close(*saved_stdin);
680 *saved_stdout = safe_close(*saved_stdout);
681
682 return r;
683 }
684
685 static int ask_for_confirmation(char *response, char **argv) {
686 int saved_stdout = -1, saved_stdin = -1, r;
687 _cleanup_free_ char *line = NULL;
688
689 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
690 if (r < 0)
691 return r;
692
693 line = exec_command_line(argv);
694 if (!line)
695 return -ENOMEM;
696
697 r = ask_char(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
698
699 restore_confirm_stdio(&saved_stdin, &saved_stdout);
700
701 return r;
702 }
703
704 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
705 bool keep_groups = false;
706 int r;
707
708 assert(context);
709
710 /* Lookup and set GID and supplementary group list. Here too
711 * we avoid NSS lookups for gid=0. */
712
713 if (context->group || username) {
714 /* First step, initialize groups from /etc/groups */
715 if (username && gid != 0) {
716 if (initgroups(username, gid) < 0)
717 return -errno;
718
719 keep_groups = true;
720 }
721
722 /* Second step, set our gids */
723 if (setresgid(gid, gid, gid) < 0)
724 return -errno;
725 }
726
727 if (context->supplementary_groups) {
728 int ngroups_max, k;
729 gid_t *gids;
730 char **i;
731
732 /* Final step, initialize any manually set supplementary groups */
733 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
734
735 if (!(gids = new(gid_t, ngroups_max)))
736 return -ENOMEM;
737
738 if (keep_groups) {
739 k = getgroups(ngroups_max, gids);
740 if (k < 0) {
741 free(gids);
742 return -errno;
743 }
744 } else
745 k = 0;
746
747 STRV_FOREACH(i, context->supplementary_groups) {
748 const char *g;
749
750 if (k >= ngroups_max) {
751 free(gids);
752 return -E2BIG;
753 }
754
755 g = *i;
756 r = get_group_creds(&g, gids+k);
757 if (r < 0) {
758 free(gids);
759 return r;
760 }
761
762 k++;
763 }
764
765 if (setgroups(k, gids) < 0) {
766 free(gids);
767 return -errno;
768 }
769
770 free(gids);
771 }
772
773 return 0;
774 }
775
776 static int enforce_user(const ExecContext *context, uid_t uid) {
777 assert(context);
778
779 /* Sets (but doesn't look up) the uid and make sure we keep the
780 * capabilities while doing so. */
781
782 if (context->capability_ambient_set != 0) {
783
784 /* First step: If we need to keep capabilities but
785 * drop privileges we need to make sure we keep our
786 * caps, while we drop privileges. */
787 if (uid != 0) {
788 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
789
790 if (prctl(PR_GET_SECUREBITS) != sb)
791 if (prctl(PR_SET_SECUREBITS, sb) < 0)
792 return -errno;
793 }
794 }
795
796 /* Second step: actually set the uids */
797 if (setresuid(uid, uid, uid) < 0)
798 return -errno;
799
800 /* At this point we should have all necessary capabilities but
801 are otherwise a normal user. However, the caps might got
802 corrupted due to the setresuid() so we need clean them up
803 later. This is done outside of this call. */
804
805 return 0;
806 }
807
808 #ifdef HAVE_PAM
809
810 static int null_conv(
811 int num_msg,
812 const struct pam_message **msg,
813 struct pam_response **resp,
814 void *appdata_ptr) {
815
816 /* We don't support conversations */
817
818 return PAM_CONV_ERR;
819 }
820
821 static int setup_pam(
822 const char *name,
823 const char *user,
824 uid_t uid,
825 const char *tty,
826 char ***env,
827 int fds[], unsigned n_fds) {
828
829 static const struct pam_conv conv = {
830 .conv = null_conv,
831 .appdata_ptr = NULL
832 };
833
834 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
835 pam_handle_t *handle = NULL;
836 sigset_t old_ss;
837 int pam_code = PAM_SUCCESS, r;
838 char **nv, **e = NULL;
839 bool close_session = false;
840 pid_t pam_pid = 0, parent_pid;
841 int flags = 0;
842
843 assert(name);
844 assert(user);
845 assert(env);
846
847 /* We set up PAM in the parent process, then fork. The child
848 * will then stay around until killed via PR_GET_PDEATHSIG or
849 * systemd via the cgroup logic. It will then remove the PAM
850 * session again. The parent process will exec() the actual
851 * daemon. We do things this way to ensure that the main PID
852 * of the daemon is the one we initially fork()ed. */
853
854 r = barrier_create(&barrier);
855 if (r < 0)
856 goto fail;
857
858 if (log_get_max_level() < LOG_DEBUG)
859 flags |= PAM_SILENT;
860
861 pam_code = pam_start(name, user, &conv, &handle);
862 if (pam_code != PAM_SUCCESS) {
863 handle = NULL;
864 goto fail;
865 }
866
867 if (tty) {
868 pam_code = pam_set_item(handle, PAM_TTY, tty);
869 if (pam_code != PAM_SUCCESS)
870 goto fail;
871 }
872
873 STRV_FOREACH(nv, *env) {
874 pam_code = pam_putenv(handle, *nv);
875 if (pam_code != PAM_SUCCESS)
876 goto fail;
877 }
878
879 pam_code = pam_acct_mgmt(handle, flags);
880 if (pam_code != PAM_SUCCESS)
881 goto fail;
882
883 pam_code = pam_open_session(handle, flags);
884 if (pam_code != PAM_SUCCESS)
885 goto fail;
886
887 close_session = true;
888
889 e = pam_getenvlist(handle);
890 if (!e) {
891 pam_code = PAM_BUF_ERR;
892 goto fail;
893 }
894
895 /* Block SIGTERM, so that we know that it won't get lost in
896 * the child */
897
898 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
899
900 parent_pid = getpid();
901
902 pam_pid = fork();
903 if (pam_pid < 0) {
904 r = -errno;
905 goto fail;
906 }
907
908 if (pam_pid == 0) {
909 int sig, ret = EXIT_PAM;
910
911 /* The child's job is to reset the PAM session on
912 * termination */
913 barrier_set_role(&barrier, BARRIER_CHILD);
914
915 /* This string must fit in 10 chars (i.e. the length
916 * of "/sbin/init"), to look pretty in /bin/ps */
917 rename_process("(sd-pam)");
918
919 /* Make sure we don't keep open the passed fds in this
920 child. We assume that otherwise only those fds are
921 open here that have been opened by PAM. */
922 close_many(fds, n_fds);
923
924 /* Drop privileges - we don't need any to pam_close_session
925 * and this will make PR_SET_PDEATHSIG work in most cases.
926 * If this fails, ignore the error - but expect sd-pam threads
927 * to fail to exit normally */
928 if (setresuid(uid, uid, uid) < 0)
929 log_error_errno(r, "Error: Failed to setresuid() in sd-pam: %m");
930
931 (void) ignore_signals(SIGPIPE, -1);
932
933 /* Wait until our parent died. This will only work if
934 * the above setresuid() succeeds, otherwise the kernel
935 * will not allow unprivileged parents kill their privileged
936 * children this way. We rely on the control groups kill logic
937 * to do the rest for us. */
938 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
939 goto child_finish;
940
941 /* Tell the parent that our setup is done. This is especially
942 * important regarding dropping privileges. Otherwise, unit
943 * setup might race against our setresuid(2) call. */
944 barrier_place(&barrier);
945
946 /* Check if our parent process might already have
947 * died? */
948 if (getppid() == parent_pid) {
949 sigset_t ss;
950
951 assert_se(sigemptyset(&ss) >= 0);
952 assert_se(sigaddset(&ss, SIGTERM) >= 0);
953
954 for (;;) {
955 if (sigwait(&ss, &sig) < 0) {
956 if (errno == EINTR)
957 continue;
958
959 goto child_finish;
960 }
961
962 assert(sig == SIGTERM);
963 break;
964 }
965 }
966
967 /* If our parent died we'll end the session */
968 if (getppid() != parent_pid) {
969 pam_code = pam_close_session(handle, flags);
970 if (pam_code != PAM_SUCCESS)
971 goto child_finish;
972 }
973
974 ret = 0;
975
976 child_finish:
977 pam_end(handle, pam_code | flags);
978 _exit(ret);
979 }
980
981 barrier_set_role(&barrier, BARRIER_PARENT);
982
983 /* If the child was forked off successfully it will do all the
984 * cleanups, so forget about the handle here. */
985 handle = NULL;
986
987 /* Unblock SIGTERM again in the parent */
988 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
989
990 /* We close the log explicitly here, since the PAM modules
991 * might have opened it, but we don't want this fd around. */
992 closelog();
993
994 /* Synchronously wait for the child to initialize. We don't care for
995 * errors as we cannot recover. However, warn loudly if it happens. */
996 if (!barrier_place_and_sync(&barrier))
997 log_error("PAM initialization failed");
998
999 strv_free(*env);
1000 *env = e;
1001
1002 return 0;
1003
1004 fail:
1005 if (pam_code != PAM_SUCCESS) {
1006 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
1007 r = -EPERM; /* PAM errors do not map to errno */
1008 } else
1009 log_error_errno(r, "PAM failed: %m");
1010
1011 if (handle) {
1012 if (close_session)
1013 pam_code = pam_close_session(handle, flags);
1014
1015 pam_end(handle, pam_code | flags);
1016 }
1017
1018 strv_free(e);
1019 closelog();
1020
1021 return r;
1022 }
1023 #endif
1024
1025 static void rename_process_from_path(const char *path) {
1026 char process_name[11];
1027 const char *p;
1028 size_t l;
1029
1030 /* This resulting string must fit in 10 chars (i.e. the length
1031 * of "/sbin/init") to look pretty in /bin/ps */
1032
1033 p = basename(path);
1034 if (isempty(p)) {
1035 rename_process("(...)");
1036 return;
1037 }
1038
1039 l = strlen(p);
1040 if (l > 8) {
1041 /* The end of the process name is usually more
1042 * interesting, since the first bit might just be
1043 * "systemd-" */
1044 p = p + l - 8;
1045 l = 8;
1046 }
1047
1048 process_name[0] = '(';
1049 memcpy(process_name+1, p, l);
1050 process_name[1+l] = ')';
1051 process_name[1+l+1] = 0;
1052
1053 rename_process(process_name);
1054 }
1055
1056 #ifdef HAVE_SECCOMP
1057
1058 static int apply_seccomp(const ExecContext *c) {
1059 uint32_t negative_action, action;
1060 scmp_filter_ctx *seccomp;
1061 Iterator i;
1062 void *id;
1063 int r;
1064
1065 assert(c);
1066
1067 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
1068
1069 seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW);
1070 if (!seccomp)
1071 return -ENOMEM;
1072
1073 if (c->syscall_archs) {
1074
1075 SET_FOREACH(id, c->syscall_archs, i) {
1076 r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
1077 if (r == -EEXIST)
1078 continue;
1079 if (r < 0)
1080 goto finish;
1081 }
1082
1083 } else {
1084 r = seccomp_add_secondary_archs(seccomp);
1085 if (r < 0)
1086 goto finish;
1087 }
1088
1089 action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
1090 SET_FOREACH(id, c->syscall_filter, i) {
1091 r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
1092 if (r < 0)
1093 goto finish;
1094 }
1095
1096 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1097 if (r < 0)
1098 goto finish;
1099
1100 r = seccomp_load(seccomp);
1101
1102 finish:
1103 seccomp_release(seccomp);
1104 return r;
1105 }
1106
1107 static int apply_address_families(const ExecContext *c) {
1108 scmp_filter_ctx *seccomp;
1109 Iterator i;
1110 int r;
1111
1112 assert(c);
1113
1114 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1115 if (!seccomp)
1116 return -ENOMEM;
1117
1118 r = seccomp_add_secondary_archs(seccomp);
1119 if (r < 0)
1120 goto finish;
1121
1122 if (c->address_families_whitelist) {
1123 int af, first = 0, last = 0;
1124 void *afp;
1125
1126 /* If this is a whitelist, we first block the address
1127 * families that are out of range and then everything
1128 * that is not in the set. First, we find the lowest
1129 * and highest address family in the set. */
1130
1131 SET_FOREACH(afp, c->address_families, i) {
1132 af = PTR_TO_INT(afp);
1133
1134 if (af <= 0 || af >= af_max())
1135 continue;
1136
1137 if (first == 0 || af < first)
1138 first = af;
1139
1140 if (last == 0 || af > last)
1141 last = af;
1142 }
1143
1144 assert((first == 0) == (last == 0));
1145
1146 if (first == 0) {
1147
1148 /* No entries in the valid range, block everything */
1149 r = seccomp_rule_add(
1150 seccomp,
1151 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1152 SCMP_SYS(socket),
1153 0);
1154 if (r < 0)
1155 goto finish;
1156
1157 } else {
1158
1159 /* Block everything below the first entry */
1160 r = seccomp_rule_add(
1161 seccomp,
1162 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1163 SCMP_SYS(socket),
1164 1,
1165 SCMP_A0(SCMP_CMP_LT, first));
1166 if (r < 0)
1167 goto finish;
1168
1169 /* Block everything above the last entry */
1170 r = seccomp_rule_add(
1171 seccomp,
1172 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1173 SCMP_SYS(socket),
1174 1,
1175 SCMP_A0(SCMP_CMP_GT, last));
1176 if (r < 0)
1177 goto finish;
1178
1179 /* Block everything between the first and last
1180 * entry */
1181 for (af = 1; af < af_max(); af++) {
1182
1183 if (set_contains(c->address_families, INT_TO_PTR(af)))
1184 continue;
1185
1186 r = seccomp_rule_add(
1187 seccomp,
1188 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1189 SCMP_SYS(socket),
1190 1,
1191 SCMP_A0(SCMP_CMP_EQ, af));
1192 if (r < 0)
1193 goto finish;
1194 }
1195 }
1196
1197 } else {
1198 void *af;
1199
1200 /* If this is a blacklist, then generate one rule for
1201 * each address family that are then combined in OR
1202 * checks. */
1203
1204 SET_FOREACH(af, c->address_families, i) {
1205
1206 r = seccomp_rule_add(
1207 seccomp,
1208 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1209 SCMP_SYS(socket),
1210 1,
1211 SCMP_A0(SCMP_CMP_EQ, PTR_TO_INT(af)));
1212 if (r < 0)
1213 goto finish;
1214 }
1215 }
1216
1217 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1218 if (r < 0)
1219 goto finish;
1220
1221 r = seccomp_load(seccomp);
1222
1223 finish:
1224 seccomp_release(seccomp);
1225 return r;
1226 }
1227
1228 static int apply_memory_deny_write_execute(const ExecContext *c) {
1229 scmp_filter_ctx *seccomp;
1230 int r;
1231
1232 assert(c);
1233
1234 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1235 if (!seccomp)
1236 return -ENOMEM;
1237
1238 r = seccomp_rule_add(
1239 seccomp,
1240 SCMP_ACT_ERRNO(EPERM),
1241 SCMP_SYS(mmap),
1242 1,
1243 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE));
1244 if (r < 0)
1245 goto finish;
1246
1247 r = seccomp_rule_add(
1248 seccomp,
1249 SCMP_ACT_ERRNO(EPERM),
1250 SCMP_SYS(mprotect),
1251 1,
1252 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC));
1253 if (r < 0)
1254 goto finish;
1255
1256 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1257 if (r < 0)
1258 goto finish;
1259
1260 r = seccomp_load(seccomp);
1261
1262 finish:
1263 seccomp_release(seccomp);
1264 return r;
1265 }
1266
1267 static int apply_restrict_realtime(const ExecContext *c) {
1268 static const int permitted_policies[] = {
1269 SCHED_OTHER,
1270 SCHED_BATCH,
1271 SCHED_IDLE,
1272 };
1273
1274 scmp_filter_ctx *seccomp;
1275 unsigned i;
1276 int r, p, max_policy = 0;
1277
1278 assert(c);
1279
1280 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1281 if (!seccomp)
1282 return -ENOMEM;
1283
1284 /* Determine the highest policy constant we want to allow */
1285 for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
1286 if (permitted_policies[i] > max_policy)
1287 max_policy = permitted_policies[i];
1288
1289 /* Go through all policies with lower values than that, and block them -- unless they appear in the
1290 * whitelist. */
1291 for (p = 0; p < max_policy; p++) {
1292 bool good = false;
1293
1294 /* Check if this is in the whitelist. */
1295 for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
1296 if (permitted_policies[i] == p) {
1297 good = true;
1298 break;
1299 }
1300
1301 if (good)
1302 continue;
1303
1304 /* Deny this policy */
1305 r = seccomp_rule_add(
1306 seccomp,
1307 SCMP_ACT_ERRNO(EPERM),
1308 SCMP_SYS(sched_setscheduler),
1309 1,
1310 SCMP_A1(SCMP_CMP_EQ, p));
1311 if (r < 0)
1312 goto finish;
1313 }
1314
1315 /* Blacklist all other policies, i.e. the ones with higher values. Note that all comparisons are unsigned here,
1316 * hence no need no check for < 0 values. */
1317 r = seccomp_rule_add(
1318 seccomp,
1319 SCMP_ACT_ERRNO(EPERM),
1320 SCMP_SYS(sched_setscheduler),
1321 1,
1322 SCMP_A1(SCMP_CMP_GT, max_policy));
1323 if (r < 0)
1324 goto finish;
1325
1326 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1327 if (r < 0)
1328 goto finish;
1329
1330 r = seccomp_load(seccomp);
1331
1332 finish:
1333 seccomp_release(seccomp);
1334 return r;
1335 }
1336
1337 #endif
1338
1339 static void do_idle_pipe_dance(int idle_pipe[4]) {
1340 assert(idle_pipe);
1341
1342
1343 idle_pipe[1] = safe_close(idle_pipe[1]);
1344 idle_pipe[2] = safe_close(idle_pipe[2]);
1345
1346 if (idle_pipe[0] >= 0) {
1347 int r;
1348
1349 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1350
1351 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
1352 ssize_t n;
1353
1354 /* Signal systemd that we are bored and want to continue. */
1355 n = write(idle_pipe[3], "x", 1);
1356 if (n > 0)
1357 /* Wait for systemd to react to the signal above. */
1358 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1359 }
1360
1361 idle_pipe[0] = safe_close(idle_pipe[0]);
1362
1363 }
1364
1365 idle_pipe[3] = safe_close(idle_pipe[3]);
1366 }
1367
1368 static int build_environment(
1369 const ExecContext *c,
1370 const ExecParameters *p,
1371 unsigned n_fds,
1372 const char *home,
1373 const char *username,
1374 const char *shell,
1375 dev_t journal_stream_dev,
1376 ino_t journal_stream_ino,
1377 char ***ret) {
1378
1379 _cleanup_strv_free_ char **our_env = NULL;
1380 unsigned n_env = 0;
1381 char *x;
1382
1383 assert(c);
1384 assert(ret);
1385
1386 our_env = new0(char*, 12);
1387 if (!our_env)
1388 return -ENOMEM;
1389
1390 if (n_fds > 0) {
1391 _cleanup_free_ char *joined = NULL;
1392
1393 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1394 return -ENOMEM;
1395 our_env[n_env++] = x;
1396
1397 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1398 return -ENOMEM;
1399 our_env[n_env++] = x;
1400
1401 joined = strv_join(p->fd_names, ":");
1402 if (!joined)
1403 return -ENOMEM;
1404
1405 x = strjoin("LISTEN_FDNAMES=", joined, NULL);
1406 if (!x)
1407 return -ENOMEM;
1408 our_env[n_env++] = x;
1409 }
1410
1411 if (p->watchdog_usec > 0) {
1412 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1413 return -ENOMEM;
1414 our_env[n_env++] = x;
1415
1416 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
1417 return -ENOMEM;
1418 our_env[n_env++] = x;
1419 }
1420
1421 if (home) {
1422 x = strappend("HOME=", home);
1423 if (!x)
1424 return -ENOMEM;
1425 our_env[n_env++] = x;
1426 }
1427
1428 if (username) {
1429 x = strappend("LOGNAME=", username);
1430 if (!x)
1431 return -ENOMEM;
1432 our_env[n_env++] = x;
1433
1434 x = strappend("USER=", username);
1435 if (!x)
1436 return -ENOMEM;
1437 our_env[n_env++] = x;
1438 }
1439
1440 if (shell) {
1441 x = strappend("SHELL=", shell);
1442 if (!x)
1443 return -ENOMEM;
1444 our_env[n_env++] = x;
1445 }
1446
1447 if (is_terminal_input(c->std_input) ||
1448 c->std_output == EXEC_OUTPUT_TTY ||
1449 c->std_error == EXEC_OUTPUT_TTY ||
1450 c->tty_path) {
1451
1452 x = strdup(default_term_for_tty(exec_context_tty_path(c)));
1453 if (!x)
1454 return -ENOMEM;
1455 our_env[n_env++] = x;
1456 }
1457
1458 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1459 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1460 return -ENOMEM;
1461
1462 our_env[n_env++] = x;
1463 }
1464
1465 our_env[n_env++] = NULL;
1466 assert(n_env <= 12);
1467
1468 *ret = our_env;
1469 our_env = NULL;
1470
1471 return 0;
1472 }
1473
1474 static int build_pass_environment(const ExecContext *c, char ***ret) {
1475 _cleanup_strv_free_ char **pass_env = NULL;
1476 size_t n_env = 0, n_bufsize = 0;
1477 char **i;
1478
1479 STRV_FOREACH(i, c->pass_environment) {
1480 _cleanup_free_ char *x = NULL;
1481 char *v;
1482
1483 v = getenv(*i);
1484 if (!v)
1485 continue;
1486 x = strjoin(*i, "=", v, NULL);
1487 if (!x)
1488 return -ENOMEM;
1489 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1490 return -ENOMEM;
1491 pass_env[n_env++] = x;
1492 pass_env[n_env] = NULL;
1493 x = NULL;
1494 }
1495
1496 *ret = pass_env;
1497 pass_env = NULL;
1498
1499 return 0;
1500 }
1501
1502 static bool exec_needs_mount_namespace(
1503 const ExecContext *context,
1504 const ExecParameters *params,
1505 ExecRuntime *runtime) {
1506
1507 assert(context);
1508 assert(params);
1509
1510 if (!strv_isempty(context->read_write_paths) ||
1511 !strv_isempty(context->read_only_paths) ||
1512 !strv_isempty(context->inaccessible_paths))
1513 return true;
1514
1515 if (context->mount_flags != 0)
1516 return true;
1517
1518 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1519 return true;
1520
1521 if (context->private_devices ||
1522 context->protect_system != PROTECT_SYSTEM_NO ||
1523 context->protect_home != PROTECT_HOME_NO)
1524 return true;
1525
1526 return false;
1527 }
1528
1529 static int close_remaining_fds(
1530 const ExecParameters *params,
1531 ExecRuntime *runtime,
1532 int socket_fd,
1533 int *fds, unsigned n_fds) {
1534
1535 unsigned n_dont_close = 0;
1536 int dont_close[n_fds + 7];
1537
1538 assert(params);
1539
1540 if (params->stdin_fd >= 0)
1541 dont_close[n_dont_close++] = params->stdin_fd;
1542 if (params->stdout_fd >= 0)
1543 dont_close[n_dont_close++] = params->stdout_fd;
1544 if (params->stderr_fd >= 0)
1545 dont_close[n_dont_close++] = params->stderr_fd;
1546
1547 if (socket_fd >= 0)
1548 dont_close[n_dont_close++] = socket_fd;
1549 if (n_fds > 0) {
1550 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
1551 n_dont_close += n_fds;
1552 }
1553
1554 if (runtime) {
1555 if (runtime->netns_storage_socket[0] >= 0)
1556 dont_close[n_dont_close++] = runtime->netns_storage_socket[0];
1557 if (runtime->netns_storage_socket[1] >= 0)
1558 dont_close[n_dont_close++] = runtime->netns_storage_socket[1];
1559 }
1560
1561 return close_all_fds(dont_close, n_dont_close);
1562 }
1563
1564 static int exec_child(
1565 Unit *unit,
1566 ExecCommand *command,
1567 const ExecContext *context,
1568 const ExecParameters *params,
1569 ExecRuntime *runtime,
1570 char **argv,
1571 int socket_fd,
1572 int *fds, unsigned n_fds,
1573 char **files_env,
1574 int *exit_status) {
1575
1576 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **final_argv = NULL;
1577 _cleanup_free_ char *mac_selinux_context_net = NULL;
1578 const char *username = NULL, *home = NULL, *shell = NULL, *wd;
1579 dev_t journal_stream_dev = 0;
1580 ino_t journal_stream_ino = 0;
1581 bool needs_mount_namespace;
1582 uid_t uid = UID_INVALID;
1583 gid_t gid = GID_INVALID;
1584 int i, r;
1585
1586 assert(unit);
1587 assert(command);
1588 assert(context);
1589 assert(params);
1590 assert(exit_status);
1591
1592 rename_process_from_path(command->path);
1593
1594 /* We reset exactly these signals, since they are the
1595 * only ones we set to SIG_IGN in the main daemon. All
1596 * others we leave untouched because we set them to
1597 * SIG_DFL or a valid handler initially, both of which
1598 * will be demoted to SIG_DFL. */
1599 (void) default_signals(SIGNALS_CRASH_HANDLER,
1600 SIGNALS_IGNORE, -1);
1601
1602 if (context->ignore_sigpipe)
1603 (void) ignore_signals(SIGPIPE, -1);
1604
1605 r = reset_signal_mask();
1606 if (r < 0) {
1607 *exit_status = EXIT_SIGNAL_MASK;
1608 return r;
1609 }
1610
1611 if (params->idle_pipe)
1612 do_idle_pipe_dance(params->idle_pipe);
1613
1614 /* Close sockets very early to make sure we don't
1615 * block init reexecution because it cannot bind its
1616 * sockets */
1617
1618 log_forget_fds();
1619
1620 r = close_remaining_fds(params, runtime, socket_fd, fds, n_fds);
1621 if (r < 0) {
1622 *exit_status = EXIT_FDS;
1623 return r;
1624 }
1625
1626 if (!context->same_pgrp)
1627 if (setsid() < 0) {
1628 *exit_status = EXIT_SETSID;
1629 return -errno;
1630 }
1631
1632 exec_context_tty_reset(context, params);
1633
1634 if (params->confirm_spawn) {
1635 char response;
1636
1637 r = ask_for_confirmation(&response, argv);
1638 if (r == -ETIMEDOUT)
1639 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
1640 else if (r < 0)
1641 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-r));
1642 else if (response == 's') {
1643 write_confirm_message("Skipping execution.\n");
1644 *exit_status = EXIT_CONFIRM;
1645 return -ECANCELED;
1646 } else if (response == 'n') {
1647 write_confirm_message("Failing execution.\n");
1648 *exit_status = 0;
1649 return 0;
1650 }
1651 }
1652
1653 if (context->user) {
1654 username = context->user;
1655 r = get_user_creds(&username, &uid, &gid, &home, &shell);
1656 if (r < 0) {
1657 *exit_status = EXIT_USER;
1658 return r;
1659 }
1660 }
1661
1662 if (context->group) {
1663 const char *g = context->group;
1664
1665 r = get_group_creds(&g, &gid);
1666 if (r < 0) {
1667 *exit_status = EXIT_GROUP;
1668 return r;
1669 }
1670 }
1671
1672
1673 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1674 * must sure to drop O_NONBLOCK */
1675 if (socket_fd >= 0)
1676 (void) fd_nonblock(socket_fd, false);
1677
1678 r = setup_input(context, params, socket_fd);
1679 if (r < 0) {
1680 *exit_status = EXIT_STDIN;
1681 return r;
1682 }
1683
1684 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
1685 if (r < 0) {
1686 *exit_status = EXIT_STDOUT;
1687 return r;
1688 }
1689
1690 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
1691 if (r < 0) {
1692 *exit_status = EXIT_STDERR;
1693 return r;
1694 }
1695
1696 if (params->cgroup_path) {
1697 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
1698 if (r < 0) {
1699 *exit_status = EXIT_CGROUP;
1700 return r;
1701 }
1702 }
1703
1704 if (context->oom_score_adjust_set) {
1705 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
1706
1707 /* When we can't make this change due to EPERM, then
1708 * let's silently skip over it. User namespaces
1709 * prohibit write access to this file, and we
1710 * shouldn't trip up over that. */
1711
1712 sprintf(t, "%i", context->oom_score_adjust);
1713 r = write_string_file("/proc/self/oom_score_adj", t, 0);
1714 if (r == -EPERM || r == -EACCES) {
1715 log_open();
1716 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
1717 log_close();
1718 } else if (r < 0) {
1719 *exit_status = EXIT_OOM_ADJUST;
1720 return -errno;
1721 }
1722 }
1723
1724 if (context->nice_set)
1725 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
1726 *exit_status = EXIT_NICE;
1727 return -errno;
1728 }
1729
1730 if (context->cpu_sched_set) {
1731 struct sched_param param = {
1732 .sched_priority = context->cpu_sched_priority,
1733 };
1734
1735 r = sched_setscheduler(0,
1736 context->cpu_sched_policy |
1737 (context->cpu_sched_reset_on_fork ?
1738 SCHED_RESET_ON_FORK : 0),
1739 &param);
1740 if (r < 0) {
1741 *exit_status = EXIT_SETSCHEDULER;
1742 return -errno;
1743 }
1744 }
1745
1746 if (context->cpuset)
1747 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
1748 *exit_status = EXIT_CPUAFFINITY;
1749 return -errno;
1750 }
1751
1752 if (context->ioprio_set)
1753 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
1754 *exit_status = EXIT_IOPRIO;
1755 return -errno;
1756 }
1757
1758 if (context->timer_slack_nsec != NSEC_INFINITY)
1759 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
1760 *exit_status = EXIT_TIMERSLACK;
1761 return -errno;
1762 }
1763
1764 if (context->personality != PERSONALITY_INVALID)
1765 if (personality(context->personality) < 0) {
1766 *exit_status = EXIT_PERSONALITY;
1767 return -errno;
1768 }
1769
1770 if (context->utmp_id)
1771 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path,
1772 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
1773 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
1774 USER_PROCESS,
1775 username ? "root" : context->user);
1776
1777 if (context->user && is_terminal_input(context->std_input)) {
1778 r = chown_terminal(STDIN_FILENO, uid);
1779 if (r < 0) {
1780 *exit_status = EXIT_STDIN;
1781 return r;
1782 }
1783 }
1784
1785 /* If delegation is enabled we'll pass ownership of the cgroup
1786 * (but only in systemd's own controller hierarchy!) to the
1787 * user of the new process. */
1788 if (params->cgroup_path && context->user && params->cgroup_delegate) {
1789 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
1790 if (r < 0) {
1791 *exit_status = EXIT_CGROUP;
1792 return r;
1793 }
1794
1795
1796 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
1797 if (r < 0) {
1798 *exit_status = EXIT_CGROUP;
1799 return r;
1800 }
1801 }
1802
1803 if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
1804 char **rt;
1805
1806 STRV_FOREACH(rt, context->runtime_directory) {
1807 _cleanup_free_ char *p;
1808
1809 p = strjoin(params->runtime_prefix, "/", *rt, NULL);
1810 if (!p) {
1811 *exit_status = EXIT_RUNTIME_DIRECTORY;
1812 return -ENOMEM;
1813 }
1814
1815 r = mkdir_p_label(p, context->runtime_directory_mode);
1816 if (r < 0) {
1817 *exit_status = EXIT_RUNTIME_DIRECTORY;
1818 return r;
1819 }
1820
1821 r = chmod_and_chown(p, context->runtime_directory_mode, uid, gid);
1822 if (r < 0) {
1823 *exit_status = EXIT_RUNTIME_DIRECTORY;
1824 return r;
1825 }
1826 }
1827 }
1828
1829 r = build_environment(
1830 context,
1831 params,
1832 n_fds,
1833 home,
1834 username,
1835 shell,
1836 journal_stream_dev,
1837 journal_stream_ino,
1838 &our_env);
1839 if (r < 0) {
1840 *exit_status = EXIT_MEMORY;
1841 return r;
1842 }
1843
1844 r = build_pass_environment(context, &pass_env);
1845 if (r < 0) {
1846 *exit_status = EXIT_MEMORY;
1847 return r;
1848 }
1849
1850 accum_env = strv_env_merge(5,
1851 params->environment,
1852 our_env,
1853 pass_env,
1854 context->environment,
1855 files_env,
1856 NULL);
1857 if (!accum_env) {
1858 *exit_status = EXIT_MEMORY;
1859 return -ENOMEM;
1860 }
1861 accum_env = strv_env_clean(accum_env);
1862
1863 umask(context->umask);
1864
1865 if (params->apply_permissions && !command->privileged) {
1866 r = enforce_groups(context, username, gid);
1867 if (r < 0) {
1868 *exit_status = EXIT_GROUP;
1869 return r;
1870 }
1871 #ifdef HAVE_SMACK
1872 if (context->smack_process_label) {
1873 r = mac_smack_apply_pid(0, context->smack_process_label);
1874 if (r < 0) {
1875 *exit_status = EXIT_SMACK_PROCESS_LABEL;
1876 return r;
1877 }
1878 }
1879 #ifdef SMACK_DEFAULT_PROCESS_LABEL
1880 else {
1881 _cleanup_free_ char *exec_label = NULL;
1882
1883 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
1884 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) {
1885 *exit_status = EXIT_SMACK_PROCESS_LABEL;
1886 return r;
1887 }
1888
1889 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
1890 if (r < 0) {
1891 *exit_status = EXIT_SMACK_PROCESS_LABEL;
1892 return r;
1893 }
1894 }
1895 #endif
1896 #endif
1897 #ifdef HAVE_PAM
1898 if (context->pam_name && username) {
1899 r = setup_pam(context->pam_name, username, uid, context->tty_path, &accum_env, fds, n_fds);
1900 if (r < 0) {
1901 *exit_status = EXIT_PAM;
1902 return r;
1903 }
1904 }
1905 #endif
1906 }
1907
1908 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
1909 r = setup_netns(runtime->netns_storage_socket);
1910 if (r < 0) {
1911 *exit_status = EXIT_NETWORK;
1912 return r;
1913 }
1914 }
1915
1916 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
1917
1918 if (needs_mount_namespace) {
1919 char *tmp = NULL, *var = NULL;
1920
1921 /* The runtime struct only contains the parent
1922 * of the private /tmp, which is
1923 * non-accessible to world users. Inside of it
1924 * there's a /tmp that is sticky, and that's
1925 * the one we want to use here. */
1926
1927 if (context->private_tmp && runtime) {
1928 if (runtime->tmp_dir)
1929 tmp = strjoina(runtime->tmp_dir, "/tmp");
1930 if (runtime->var_tmp_dir)
1931 var = strjoina(runtime->var_tmp_dir, "/tmp");
1932 }
1933
1934 r = setup_namespace(
1935 params->apply_chroot ? context->root_directory : NULL,
1936 context->read_write_paths,
1937 context->read_only_paths,
1938 context->inaccessible_paths,
1939 tmp,
1940 var,
1941 context->private_devices,
1942 context->protect_home,
1943 context->protect_system,
1944 context->mount_flags);
1945
1946 /* If we couldn't set up the namespace this is
1947 * probably due to a missing capability. In this case,
1948 * silently proceeed. */
1949 if (r == -EPERM || r == -EACCES) {
1950 log_open();
1951 log_unit_debug_errno(unit, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
1952 log_close();
1953 } else if (r < 0) {
1954 *exit_status = EXIT_NAMESPACE;
1955 return r;
1956 }
1957 }
1958
1959 if (context->working_directory_home)
1960 wd = home;
1961 else if (context->working_directory)
1962 wd = context->working_directory;
1963 else
1964 wd = "/";
1965
1966 if (params->apply_chroot) {
1967 if (!needs_mount_namespace && context->root_directory)
1968 if (chroot(context->root_directory) < 0) {
1969 *exit_status = EXIT_CHROOT;
1970 return -errno;
1971 }
1972
1973 if (chdir(wd) < 0 &&
1974 !context->working_directory_missing_ok) {
1975 *exit_status = EXIT_CHDIR;
1976 return -errno;
1977 }
1978 } else {
1979 const char *d;
1980
1981 d = strjoina(strempty(context->root_directory), "/", strempty(wd));
1982 if (chdir(d) < 0 &&
1983 !context->working_directory_missing_ok) {
1984 *exit_status = EXIT_CHDIR;
1985 return -errno;
1986 }
1987 }
1988
1989 #ifdef HAVE_SELINUX
1990 if (params->apply_permissions && mac_selinux_use() && params->selinux_context_net && socket_fd >= 0 && !command->privileged) {
1991 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
1992 if (r < 0) {
1993 *exit_status = EXIT_SELINUX_CONTEXT;
1994 return r;
1995 }
1996 }
1997 #endif
1998
1999 /* We repeat the fd closing here, to make sure that
2000 * nothing is leaked from the PAM modules. Note that
2001 * we are more aggressive this time since socket_fd
2002 * and the netns fds we don't need anymore. The custom
2003 * endpoint fd was needed to upload the policy and can
2004 * now be closed as well. */
2005 r = close_all_fds(fds, n_fds);
2006 if (r >= 0)
2007 r = shift_fds(fds, n_fds);
2008 if (r >= 0)
2009 r = flags_fds(fds, n_fds, context->non_blocking);
2010 if (r < 0) {
2011 *exit_status = EXIT_FDS;
2012 return r;
2013 }
2014
2015 if (params->apply_permissions && !command->privileged) {
2016
2017 bool use_address_families = context->address_families_whitelist ||
2018 !set_isempty(context->address_families);
2019 bool use_syscall_filter = context->syscall_whitelist ||
2020 !set_isempty(context->syscall_filter) ||
2021 !set_isempty(context->syscall_archs);
2022 int secure_bits = context->secure_bits;
2023
2024 for (i = 0; i < _RLIMIT_MAX; i++) {
2025
2026 if (!context->rlimit[i])
2027 continue;
2028
2029 r = setrlimit_closest(i, context->rlimit[i]);
2030 if (r < 0) {
2031 *exit_status = EXIT_LIMITS;
2032 return r;
2033 }
2034 }
2035
2036 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */
2037 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
2038 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
2039 *exit_status = EXIT_LIMITS;
2040 return -errno;
2041 }
2042 }
2043
2044 if (!cap_test_all(context->capability_bounding_set)) {
2045 r = capability_bounding_set_drop(context->capability_bounding_set, false);
2046 if (r < 0) {
2047 *exit_status = EXIT_CAPABILITIES;
2048 return r;
2049 }
2050 }
2051
2052 /* This is done before enforce_user, but ambient set
2053 * does not survive over setresuid() if keep_caps is not set. */
2054 if (context->capability_ambient_set != 0) {
2055 r = capability_ambient_set_apply(context->capability_ambient_set, true);
2056 if (r < 0) {
2057 *exit_status = EXIT_CAPABILITIES;
2058 return r;
2059 }
2060 }
2061
2062 if (context->user) {
2063 r = enforce_user(context, uid);
2064 if (r < 0) {
2065 *exit_status = EXIT_USER;
2066 return r;
2067 }
2068 if (context->capability_ambient_set != 0) {
2069
2070 /* Fix the ambient capabilities after user change. */
2071 r = capability_ambient_set_apply(context->capability_ambient_set, false);
2072 if (r < 0) {
2073 *exit_status = EXIT_CAPABILITIES;
2074 return r;
2075 }
2076
2077 /* If we were asked to change user and ambient capabilities
2078 * were requested, we had to add keep-caps to the securebits
2079 * so that we would maintain the inherited capability set
2080 * through the setresuid(). Make sure that the bit is added
2081 * also to the context secure_bits so that we don't try to
2082 * drop the bit away next. */
2083
2084 secure_bits |= 1<<SECURE_KEEP_CAPS;
2085 }
2086 }
2087
2088 /* PR_GET_SECUREBITS is not privileged, while
2089 * PR_SET_SECUREBITS is. So to suppress
2090 * potential EPERMs we'll try not to call
2091 * PR_SET_SECUREBITS unless necessary. */
2092 if (prctl(PR_GET_SECUREBITS) != secure_bits)
2093 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
2094 *exit_status = EXIT_SECUREBITS;
2095 return -errno;
2096 }
2097
2098 if (context->no_new_privileges ||
2099 (!have_effective_cap(CAP_SYS_ADMIN) && (use_address_families || context->memory_deny_write_execute || context->restrict_realtime || use_syscall_filter)))
2100 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
2101 *exit_status = EXIT_NO_NEW_PRIVILEGES;
2102 return -errno;
2103 }
2104
2105 #ifdef HAVE_SECCOMP
2106 if (use_address_families) {
2107 r = apply_address_families(context);
2108 if (r < 0) {
2109 *exit_status = EXIT_ADDRESS_FAMILIES;
2110 return r;
2111 }
2112 }
2113
2114 if (context->memory_deny_write_execute) {
2115 r = apply_memory_deny_write_execute(context);
2116 if (r < 0) {
2117 *exit_status = EXIT_SECCOMP;
2118 return r;
2119 }
2120 }
2121
2122 if (context->restrict_realtime) {
2123 r = apply_restrict_realtime(context);
2124 if (r < 0) {
2125 *exit_status = EXIT_SECCOMP;
2126 return r;
2127 }
2128 }
2129
2130 if (use_syscall_filter) {
2131 r = apply_seccomp(context);
2132 if (r < 0) {
2133 *exit_status = EXIT_SECCOMP;
2134 return r;
2135 }
2136 }
2137 #endif
2138
2139 #ifdef HAVE_SELINUX
2140 if (mac_selinux_use()) {
2141 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
2142
2143 if (exec_context) {
2144 r = setexeccon(exec_context);
2145 if (r < 0) {
2146 *exit_status = EXIT_SELINUX_CONTEXT;
2147 return r;
2148 }
2149 }
2150 }
2151 #endif
2152
2153 #ifdef HAVE_APPARMOR
2154 if (context->apparmor_profile && mac_apparmor_use()) {
2155 r = aa_change_onexec(context->apparmor_profile);
2156 if (r < 0 && !context->apparmor_profile_ignore) {
2157 *exit_status = EXIT_APPARMOR_PROFILE;
2158 return -errno;
2159 }
2160 }
2161 #endif
2162 }
2163
2164 final_argv = replace_env_argv(argv, accum_env);
2165 if (!final_argv) {
2166 *exit_status = EXIT_MEMORY;
2167 return -ENOMEM;
2168 }
2169
2170 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
2171 _cleanup_free_ char *line;
2172
2173 line = exec_command_line(final_argv);
2174 if (line) {
2175 log_open();
2176 log_struct(LOG_DEBUG,
2177 LOG_UNIT_ID(unit),
2178 "EXECUTABLE=%s", command->path,
2179 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
2180 NULL);
2181 log_close();
2182 }
2183 }
2184
2185 execve(command->path, final_argv, accum_env);
2186 *exit_status = EXIT_EXEC;
2187 return -errno;
2188 }
2189
2190 int exec_spawn(Unit *unit,
2191 ExecCommand *command,
2192 const ExecContext *context,
2193 const ExecParameters *params,
2194 ExecRuntime *runtime,
2195 pid_t *ret) {
2196
2197 _cleanup_strv_free_ char **files_env = NULL;
2198 int *fds = NULL; unsigned n_fds = 0;
2199 _cleanup_free_ char *line = NULL;
2200 int socket_fd, r;
2201 char **argv;
2202 pid_t pid;
2203
2204 assert(unit);
2205 assert(command);
2206 assert(context);
2207 assert(ret);
2208 assert(params);
2209 assert(params->fds || params->n_fds <= 0);
2210
2211 if (context->std_input == EXEC_INPUT_SOCKET ||
2212 context->std_output == EXEC_OUTPUT_SOCKET ||
2213 context->std_error == EXEC_OUTPUT_SOCKET) {
2214
2215 if (params->n_fds != 1) {
2216 log_unit_error(unit, "Got more than one socket.");
2217 return -EINVAL;
2218 }
2219
2220 socket_fd = params->fds[0];
2221 } else {
2222 socket_fd = -1;
2223 fds = params->fds;
2224 n_fds = params->n_fds;
2225 }
2226
2227 r = exec_context_load_environment(unit, context, &files_env);
2228 if (r < 0)
2229 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
2230
2231 argv = params->argv ?: command->argv;
2232 line = exec_command_line(argv);
2233 if (!line)
2234 return log_oom();
2235
2236 log_struct(LOG_DEBUG,
2237 LOG_UNIT_ID(unit),
2238 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
2239 "EXECUTABLE=%s", command->path,
2240 NULL);
2241 pid = fork();
2242 if (pid < 0)
2243 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
2244
2245 if (pid == 0) {
2246 int exit_status;
2247
2248 r = exec_child(unit,
2249 command,
2250 context,
2251 params,
2252 runtime,
2253 argv,
2254 socket_fd,
2255 fds, n_fds,
2256 files_env,
2257 &exit_status);
2258 if (r < 0) {
2259 log_open();
2260 log_struct_errno(LOG_ERR, r,
2261 LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
2262 LOG_UNIT_ID(unit),
2263 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
2264 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
2265 command->path),
2266 "EXECUTABLE=%s", command->path,
2267 NULL);
2268 }
2269
2270 _exit(exit_status);
2271 }
2272
2273 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
2274
2275 /* We add the new process to the cgroup both in the child (so
2276 * that we can be sure that no user code is ever executed
2277 * outside of the cgroup) and in the parent (so that we can be
2278 * sure that when we kill the cgroup the process will be
2279 * killed too). */
2280 if (params->cgroup_path)
2281 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
2282
2283 exec_status_start(&command->exec_status, pid);
2284
2285 *ret = pid;
2286 return 0;
2287 }
2288
2289 void exec_context_init(ExecContext *c) {
2290 assert(c);
2291
2292 c->umask = 0022;
2293 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
2294 c->cpu_sched_policy = SCHED_OTHER;
2295 c->syslog_priority = LOG_DAEMON|LOG_INFO;
2296 c->syslog_level_prefix = true;
2297 c->ignore_sigpipe = true;
2298 c->timer_slack_nsec = NSEC_INFINITY;
2299 c->personality = PERSONALITY_INVALID;
2300 c->runtime_directory_mode = 0755;
2301 c->capability_bounding_set = CAP_ALL;
2302 }
2303
2304 void exec_context_done(ExecContext *c) {
2305 unsigned l;
2306
2307 assert(c);
2308
2309 c->environment = strv_free(c->environment);
2310 c->environment_files = strv_free(c->environment_files);
2311 c->pass_environment = strv_free(c->pass_environment);
2312
2313 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
2314 c->rlimit[l] = mfree(c->rlimit[l]);
2315
2316 c->working_directory = mfree(c->working_directory);
2317 c->root_directory = mfree(c->root_directory);
2318 c->tty_path = mfree(c->tty_path);
2319 c->syslog_identifier = mfree(c->syslog_identifier);
2320 c->user = mfree(c->user);
2321 c->group = mfree(c->group);
2322
2323 c->supplementary_groups = strv_free(c->supplementary_groups);
2324
2325 c->pam_name = mfree(c->pam_name);
2326
2327 c->read_only_paths = strv_free(c->read_only_paths);
2328 c->read_write_paths = strv_free(c->read_write_paths);
2329 c->inaccessible_paths = strv_free(c->inaccessible_paths);
2330
2331 if (c->cpuset)
2332 CPU_FREE(c->cpuset);
2333
2334 c->utmp_id = mfree(c->utmp_id);
2335 c->selinux_context = mfree(c->selinux_context);
2336 c->apparmor_profile = mfree(c->apparmor_profile);
2337
2338 c->syscall_filter = set_free(c->syscall_filter);
2339 c->syscall_archs = set_free(c->syscall_archs);
2340 c->address_families = set_free(c->address_families);
2341
2342 c->runtime_directory = strv_free(c->runtime_directory);
2343 }
2344
2345 int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
2346 char **i;
2347
2348 assert(c);
2349
2350 if (!runtime_prefix)
2351 return 0;
2352
2353 STRV_FOREACH(i, c->runtime_directory) {
2354 _cleanup_free_ char *p;
2355
2356 p = strjoin(runtime_prefix, "/", *i, NULL);
2357 if (!p)
2358 return -ENOMEM;
2359
2360 /* We execute this synchronously, since we need to be
2361 * sure this is gone when we start the service
2362 * next. */
2363 (void) rm_rf(p, REMOVE_ROOT);
2364 }
2365
2366 return 0;
2367 }
2368
2369 void exec_command_done(ExecCommand *c) {
2370 assert(c);
2371
2372 c->path = mfree(c->path);
2373
2374 c->argv = strv_free(c->argv);
2375 }
2376
2377 void exec_command_done_array(ExecCommand *c, unsigned n) {
2378 unsigned i;
2379
2380 for (i = 0; i < n; i++)
2381 exec_command_done(c+i);
2382 }
2383
2384 ExecCommand* exec_command_free_list(ExecCommand *c) {
2385 ExecCommand *i;
2386
2387 while ((i = c)) {
2388 LIST_REMOVE(command, c, i);
2389 exec_command_done(i);
2390 free(i);
2391 }
2392
2393 return NULL;
2394 }
2395
2396 void exec_command_free_array(ExecCommand **c, unsigned n) {
2397 unsigned i;
2398
2399 for (i = 0; i < n; i++)
2400 c[i] = exec_command_free_list(c[i]);
2401 }
2402
2403 typedef struct InvalidEnvInfo {
2404 Unit *unit;
2405 const char *path;
2406 } InvalidEnvInfo;
2407
2408 static void invalid_env(const char *p, void *userdata) {
2409 InvalidEnvInfo *info = userdata;
2410
2411 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
2412 }
2413
2414 int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
2415 char **i, **r = NULL;
2416
2417 assert(c);
2418 assert(l);
2419
2420 STRV_FOREACH(i, c->environment_files) {
2421 char *fn;
2422 int k;
2423 bool ignore = false;
2424 char **p;
2425 _cleanup_globfree_ glob_t pglob = {};
2426 int count, n;
2427
2428 fn = *i;
2429
2430 if (fn[0] == '-') {
2431 ignore = true;
2432 fn++;
2433 }
2434
2435 if (!path_is_absolute(fn)) {
2436 if (ignore)
2437 continue;
2438
2439 strv_free(r);
2440 return -EINVAL;
2441 }
2442
2443 /* Filename supports globbing, take all matching files */
2444 errno = 0;
2445 if (glob(fn, 0, NULL, &pglob) != 0) {
2446 if (ignore)
2447 continue;
2448
2449 strv_free(r);
2450 return errno > 0 ? -errno : -EINVAL;
2451 }
2452 count = pglob.gl_pathc;
2453 if (count == 0) {
2454 if (ignore)
2455 continue;
2456
2457 strv_free(r);
2458 return -EINVAL;
2459 }
2460 for (n = 0; n < count; n++) {
2461 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
2462 if (k < 0) {
2463 if (ignore)
2464 continue;
2465
2466 strv_free(r);
2467 return k;
2468 }
2469 /* Log invalid environment variables with filename */
2470 if (p) {
2471 InvalidEnvInfo info = {
2472 .unit = unit,
2473 .path = pglob.gl_pathv[n]
2474 };
2475
2476 p = strv_env_clean_with_callback(p, invalid_env, &info);
2477 }
2478
2479 if (r == NULL)
2480 r = p;
2481 else {
2482 char **m;
2483
2484 m = strv_env_merge(2, r, p);
2485 strv_free(r);
2486 strv_free(p);
2487 if (!m)
2488 return -ENOMEM;
2489
2490 r = m;
2491 }
2492 }
2493 }
2494
2495 *l = r;
2496
2497 return 0;
2498 }
2499
2500 static bool tty_may_match_dev_console(const char *tty) {
2501 _cleanup_free_ char *active = NULL;
2502 char *console;
2503
2504 if (!tty)
2505 return true;
2506
2507 if (startswith(tty, "/dev/"))
2508 tty += 5;
2509
2510 /* trivial identity? */
2511 if (streq(tty, "console"))
2512 return true;
2513
2514 console = resolve_dev_console(&active);
2515 /* if we could not resolve, assume it may */
2516 if (!console)
2517 return true;
2518
2519 /* "tty0" means the active VC, so it may be the same sometimes */
2520 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
2521 }
2522
2523 bool exec_context_may_touch_console(ExecContext *ec) {
2524
2525 return (ec->tty_reset ||
2526 ec->tty_vhangup ||
2527 ec->tty_vt_disallocate ||
2528 is_terminal_input(ec->std_input) ||
2529 is_terminal_output(ec->std_output) ||
2530 is_terminal_output(ec->std_error)) &&
2531 tty_may_match_dev_console(exec_context_tty_path(ec));
2532 }
2533
2534 static void strv_fprintf(FILE *f, char **l) {
2535 char **g;
2536
2537 assert(f);
2538
2539 STRV_FOREACH(g, l)
2540 fprintf(f, " %s", *g);
2541 }
2542
2543 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
2544 char **e, **d;
2545 unsigned i;
2546
2547 assert(c);
2548 assert(f);
2549
2550 prefix = strempty(prefix);
2551
2552 fprintf(f,
2553 "%sUMask: %04o\n"
2554 "%sWorkingDirectory: %s\n"
2555 "%sRootDirectory: %s\n"
2556 "%sNonBlocking: %s\n"
2557 "%sPrivateTmp: %s\n"
2558 "%sPrivateNetwork: %s\n"
2559 "%sPrivateDevices: %s\n"
2560 "%sProtectHome: %s\n"
2561 "%sProtectSystem: %s\n"
2562 "%sIgnoreSIGPIPE: %s\n"
2563 "%sMemoryDenyWriteExecute: %s\n"
2564 "%sRestrictRealtime: %s\n",
2565 prefix, c->umask,
2566 prefix, c->working_directory ? c->working_directory : "/",
2567 prefix, c->root_directory ? c->root_directory : "/",
2568 prefix, yes_no(c->non_blocking),
2569 prefix, yes_no(c->private_tmp),
2570 prefix, yes_no(c->private_network),
2571 prefix, yes_no(c->private_devices),
2572 prefix, protect_home_to_string(c->protect_home),
2573 prefix, protect_system_to_string(c->protect_system),
2574 prefix, yes_no(c->ignore_sigpipe),
2575 prefix, yes_no(c->memory_deny_write_execute),
2576 prefix, yes_no(c->restrict_realtime));
2577
2578 STRV_FOREACH(e, c->environment)
2579 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
2580
2581 STRV_FOREACH(e, c->environment_files)
2582 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
2583
2584 STRV_FOREACH(e, c->pass_environment)
2585 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
2586
2587 fprintf(f, "%sRuntimeDirectoryMode: %04o\n", prefix, c->runtime_directory_mode);
2588
2589 STRV_FOREACH(d, c->runtime_directory)
2590 fprintf(f, "%sRuntimeDirectory: %s\n", prefix, *d);
2591
2592 if (c->nice_set)
2593 fprintf(f,
2594 "%sNice: %i\n",
2595 prefix, c->nice);
2596
2597 if (c->oom_score_adjust_set)
2598 fprintf(f,
2599 "%sOOMScoreAdjust: %i\n",
2600 prefix, c->oom_score_adjust);
2601
2602 for (i = 0; i < RLIM_NLIMITS; i++)
2603 if (c->rlimit[i]) {
2604 fprintf(f, "%s%s: " RLIM_FMT "\n",
2605 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
2606 fprintf(f, "%s%sSoft: " RLIM_FMT "\n",
2607 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
2608 }
2609
2610 if (c->ioprio_set) {
2611 _cleanup_free_ char *class_str = NULL;
2612
2613 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
2614 fprintf(f,
2615 "%sIOSchedulingClass: %s\n"
2616 "%sIOPriority: %i\n",
2617 prefix, strna(class_str),
2618 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
2619 }
2620
2621 if (c->cpu_sched_set) {
2622 _cleanup_free_ char *policy_str = NULL;
2623
2624 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
2625 fprintf(f,
2626 "%sCPUSchedulingPolicy: %s\n"
2627 "%sCPUSchedulingPriority: %i\n"
2628 "%sCPUSchedulingResetOnFork: %s\n",
2629 prefix, strna(policy_str),
2630 prefix, c->cpu_sched_priority,
2631 prefix, yes_no(c->cpu_sched_reset_on_fork));
2632 }
2633
2634 if (c->cpuset) {
2635 fprintf(f, "%sCPUAffinity:", prefix);
2636 for (i = 0; i < c->cpuset_ncpus; i++)
2637 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
2638 fprintf(f, " %u", i);
2639 fputs("\n", f);
2640 }
2641
2642 if (c->timer_slack_nsec != NSEC_INFINITY)
2643 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
2644
2645 fprintf(f,
2646 "%sStandardInput: %s\n"
2647 "%sStandardOutput: %s\n"
2648 "%sStandardError: %s\n",
2649 prefix, exec_input_to_string(c->std_input),
2650 prefix, exec_output_to_string(c->std_output),
2651 prefix, exec_output_to_string(c->std_error));
2652
2653 if (c->tty_path)
2654 fprintf(f,
2655 "%sTTYPath: %s\n"
2656 "%sTTYReset: %s\n"
2657 "%sTTYVHangup: %s\n"
2658 "%sTTYVTDisallocate: %s\n",
2659 prefix, c->tty_path,
2660 prefix, yes_no(c->tty_reset),
2661 prefix, yes_no(c->tty_vhangup),
2662 prefix, yes_no(c->tty_vt_disallocate));
2663
2664 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
2665 c->std_output == EXEC_OUTPUT_KMSG ||
2666 c->std_output == EXEC_OUTPUT_JOURNAL ||
2667 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2668 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2669 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
2670 c->std_error == EXEC_OUTPUT_SYSLOG ||
2671 c->std_error == EXEC_OUTPUT_KMSG ||
2672 c->std_error == EXEC_OUTPUT_JOURNAL ||
2673 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2674 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2675 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
2676
2677 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
2678
2679 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
2680 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
2681
2682 fprintf(f,
2683 "%sSyslogFacility: %s\n"
2684 "%sSyslogLevel: %s\n",
2685 prefix, strna(fac_str),
2686 prefix, strna(lvl_str));
2687 }
2688
2689 if (c->secure_bits)
2690 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
2691 prefix,
2692 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
2693 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
2694 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
2695 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
2696 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
2697 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
2698
2699 if (c->capability_bounding_set != CAP_ALL) {
2700 unsigned long l;
2701 fprintf(f, "%sCapabilityBoundingSet:", prefix);
2702
2703 for (l = 0; l <= cap_last_cap(); l++)
2704 if (c->capability_bounding_set & (UINT64_C(1) << l))
2705 fprintf(f, " %s", strna(capability_to_name(l)));
2706
2707 fputs("\n", f);
2708 }
2709
2710 if (c->capability_ambient_set != 0) {
2711 unsigned long l;
2712 fprintf(f, "%sAmbientCapabilities:", prefix);
2713
2714 for (l = 0; l <= cap_last_cap(); l++)
2715 if (c->capability_ambient_set & (UINT64_C(1) << l))
2716 fprintf(f, " %s", strna(capability_to_name(l)));
2717
2718 fputs("\n", f);
2719 }
2720
2721 if (c->user)
2722 fprintf(f, "%sUser: %s\n", prefix, c->user);
2723 if (c->group)
2724 fprintf(f, "%sGroup: %s\n", prefix, c->group);
2725
2726 if (strv_length(c->supplementary_groups) > 0) {
2727 fprintf(f, "%sSupplementaryGroups:", prefix);
2728 strv_fprintf(f, c->supplementary_groups);
2729 fputs("\n", f);
2730 }
2731
2732 if (c->pam_name)
2733 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
2734
2735 if (strv_length(c->read_write_paths) > 0) {
2736 fprintf(f, "%sReadWritePaths:", prefix);
2737 strv_fprintf(f, c->read_write_paths);
2738 fputs("\n", f);
2739 }
2740
2741 if (strv_length(c->read_only_paths) > 0) {
2742 fprintf(f, "%sReadOnlyPaths:", prefix);
2743 strv_fprintf(f, c->read_only_paths);
2744 fputs("\n", f);
2745 }
2746
2747 if (strv_length(c->inaccessible_paths) > 0) {
2748 fprintf(f, "%sInaccessiblePaths:", prefix);
2749 strv_fprintf(f, c->inaccessible_paths);
2750 fputs("\n", f);
2751 }
2752
2753 if (c->utmp_id)
2754 fprintf(f,
2755 "%sUtmpIdentifier: %s\n",
2756 prefix, c->utmp_id);
2757
2758 if (c->selinux_context)
2759 fprintf(f,
2760 "%sSELinuxContext: %s%s\n",
2761 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
2762
2763 if (c->personality != PERSONALITY_INVALID)
2764 fprintf(f,
2765 "%sPersonality: %s\n",
2766 prefix, strna(personality_to_string(c->personality)));
2767
2768 if (c->syscall_filter) {
2769 #ifdef HAVE_SECCOMP
2770 Iterator j;
2771 void *id;
2772 bool first = true;
2773 #endif
2774
2775 fprintf(f,
2776 "%sSystemCallFilter: ",
2777 prefix);
2778
2779 if (!c->syscall_whitelist)
2780 fputc('~', f);
2781
2782 #ifdef HAVE_SECCOMP
2783 SET_FOREACH(id, c->syscall_filter, j) {
2784 _cleanup_free_ char *name = NULL;
2785
2786 if (first)
2787 first = false;
2788 else
2789 fputc(' ', f);
2790
2791 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
2792 fputs(strna(name), f);
2793 }
2794 #endif
2795
2796 fputc('\n', f);
2797 }
2798
2799 if (c->syscall_archs) {
2800 #ifdef HAVE_SECCOMP
2801 Iterator j;
2802 void *id;
2803 #endif
2804
2805 fprintf(f,
2806 "%sSystemCallArchitectures:",
2807 prefix);
2808
2809 #ifdef HAVE_SECCOMP
2810 SET_FOREACH(id, c->syscall_archs, j)
2811 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
2812 #endif
2813 fputc('\n', f);
2814 }
2815
2816 if (c->syscall_errno > 0)
2817 fprintf(f,
2818 "%sSystemCallErrorNumber: %s\n",
2819 prefix, strna(errno_to_name(c->syscall_errno)));
2820
2821 if (c->apparmor_profile)
2822 fprintf(f,
2823 "%sAppArmorProfile: %s%s\n",
2824 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
2825 }
2826
2827 bool exec_context_maintains_privileges(ExecContext *c) {
2828 assert(c);
2829
2830 /* Returns true if the process forked off would run under
2831 * an unchanged UID or as root. */
2832
2833 if (!c->user)
2834 return true;
2835
2836 if (streq(c->user, "root") || streq(c->user, "0"))
2837 return true;
2838
2839 return false;
2840 }
2841
2842 void exec_status_start(ExecStatus *s, pid_t pid) {
2843 assert(s);
2844
2845 zero(*s);
2846 s->pid = pid;
2847 dual_timestamp_get(&s->start_timestamp);
2848 }
2849
2850 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
2851 assert(s);
2852
2853 if (s->pid && s->pid != pid)
2854 zero(*s);
2855
2856 s->pid = pid;
2857 dual_timestamp_get(&s->exit_timestamp);
2858
2859 s->code = code;
2860 s->status = status;
2861
2862 if (context) {
2863 if (context->utmp_id)
2864 utmp_put_dead_process(context->utmp_id, pid, code, status);
2865
2866 exec_context_tty_reset(context, NULL);
2867 }
2868 }
2869
2870 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
2871 char buf[FORMAT_TIMESTAMP_MAX];
2872
2873 assert(s);
2874 assert(f);
2875
2876 if (s->pid <= 0)
2877 return;
2878
2879 prefix = strempty(prefix);
2880
2881 fprintf(f,
2882 "%sPID: "PID_FMT"\n",
2883 prefix, s->pid);
2884
2885 if (s->start_timestamp.realtime > 0)
2886 fprintf(f,
2887 "%sStart Timestamp: %s\n",
2888 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
2889
2890 if (s->exit_timestamp.realtime > 0)
2891 fprintf(f,
2892 "%sExit Timestamp: %s\n"
2893 "%sExit Code: %s\n"
2894 "%sExit Status: %i\n",
2895 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
2896 prefix, sigchld_code_to_string(s->code),
2897 prefix, s->status);
2898 }
2899
2900 char *exec_command_line(char **argv) {
2901 size_t k;
2902 char *n, *p, **a;
2903 bool first = true;
2904
2905 assert(argv);
2906
2907 k = 1;
2908 STRV_FOREACH(a, argv)
2909 k += strlen(*a)+3;
2910
2911 if (!(n = new(char, k)))
2912 return NULL;
2913
2914 p = n;
2915 STRV_FOREACH(a, argv) {
2916
2917 if (!first)
2918 *(p++) = ' ';
2919 else
2920 first = false;
2921
2922 if (strpbrk(*a, WHITESPACE)) {
2923 *(p++) = '\'';
2924 p = stpcpy(p, *a);
2925 *(p++) = '\'';
2926 } else
2927 p = stpcpy(p, *a);
2928
2929 }
2930
2931 *p = 0;
2932
2933 /* FIXME: this doesn't really handle arguments that have
2934 * spaces and ticks in them */
2935
2936 return n;
2937 }
2938
2939 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
2940 _cleanup_free_ char *cmd = NULL;
2941 const char *prefix2;
2942
2943 assert(c);
2944 assert(f);
2945
2946 prefix = strempty(prefix);
2947 prefix2 = strjoina(prefix, "\t");
2948
2949 cmd = exec_command_line(c->argv);
2950 fprintf(f,
2951 "%sCommand Line: %s\n",
2952 prefix, cmd ? cmd : strerror(ENOMEM));
2953
2954 exec_status_dump(&c->exec_status, f, prefix2);
2955 }
2956
2957 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2958 assert(f);
2959
2960 prefix = strempty(prefix);
2961
2962 LIST_FOREACH(command, c, c)
2963 exec_command_dump(c, f, prefix);
2964 }
2965
2966 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
2967 ExecCommand *end;
2968
2969 assert(l);
2970 assert(e);
2971
2972 if (*l) {
2973 /* It's kind of important, that we keep the order here */
2974 LIST_FIND_TAIL(command, *l, end);
2975 LIST_INSERT_AFTER(command, *l, end, e);
2976 } else
2977 *l = e;
2978 }
2979
2980 int exec_command_set(ExecCommand *c, const char *path, ...) {
2981 va_list ap;
2982 char **l, *p;
2983
2984 assert(c);
2985 assert(path);
2986
2987 va_start(ap, path);
2988 l = strv_new_ap(path, ap);
2989 va_end(ap);
2990
2991 if (!l)
2992 return -ENOMEM;
2993
2994 p = strdup(path);
2995 if (!p) {
2996 strv_free(l);
2997 return -ENOMEM;
2998 }
2999
3000 free(c->path);
3001 c->path = p;
3002
3003 strv_free(c->argv);
3004 c->argv = l;
3005
3006 return 0;
3007 }
3008
3009 int exec_command_append(ExecCommand *c, const char *path, ...) {
3010 _cleanup_strv_free_ char **l = NULL;
3011 va_list ap;
3012 int r;
3013
3014 assert(c);
3015 assert(path);
3016
3017 va_start(ap, path);
3018 l = strv_new_ap(path, ap);
3019 va_end(ap);
3020
3021 if (!l)
3022 return -ENOMEM;
3023
3024 r = strv_extend_strv(&c->argv, l, false);
3025 if (r < 0)
3026 return r;
3027
3028 return 0;
3029 }
3030
3031
3032 static int exec_runtime_allocate(ExecRuntime **rt) {
3033
3034 if (*rt)
3035 return 0;
3036
3037 *rt = new0(ExecRuntime, 1);
3038 if (!*rt)
3039 return -ENOMEM;
3040
3041 (*rt)->n_ref = 1;
3042 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
3043
3044 return 0;
3045 }
3046
3047 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
3048 int r;
3049
3050 assert(rt);
3051 assert(c);
3052 assert(id);
3053
3054 if (*rt)
3055 return 1;
3056
3057 if (!c->private_network && !c->private_tmp)
3058 return 0;
3059
3060 r = exec_runtime_allocate(rt);
3061 if (r < 0)
3062 return r;
3063
3064 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
3065 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, (*rt)->netns_storage_socket) < 0)
3066 return -errno;
3067 }
3068
3069 if (c->private_tmp && !(*rt)->tmp_dir) {
3070 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
3071 if (r < 0)
3072 return r;
3073 }
3074
3075 return 1;
3076 }
3077
3078 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
3079 assert(r);
3080 assert(r->n_ref > 0);
3081
3082 r->n_ref++;
3083 return r;
3084 }
3085
3086 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
3087
3088 if (!r)
3089 return NULL;
3090
3091 assert(r->n_ref > 0);
3092
3093 r->n_ref--;
3094 if (r->n_ref > 0)
3095 return NULL;
3096
3097 free(r->tmp_dir);
3098 free(r->var_tmp_dir);
3099 safe_close_pair(r->netns_storage_socket);
3100 free(r);
3101
3102 return NULL;
3103 }
3104
3105 int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
3106 assert(u);
3107 assert(f);
3108 assert(fds);
3109
3110 if (!rt)
3111 return 0;
3112
3113 if (rt->tmp_dir)
3114 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
3115
3116 if (rt->var_tmp_dir)
3117 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
3118
3119 if (rt->netns_storage_socket[0] >= 0) {
3120 int copy;
3121
3122 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
3123 if (copy < 0)
3124 return copy;
3125
3126 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
3127 }
3128
3129 if (rt->netns_storage_socket[1] >= 0) {
3130 int copy;
3131
3132 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
3133 if (copy < 0)
3134 return copy;
3135
3136 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
3137 }
3138
3139 return 0;
3140 }
3141
3142 int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
3143 int r;
3144
3145 assert(rt);
3146 assert(key);
3147 assert(value);
3148
3149 if (streq(key, "tmp-dir")) {
3150 char *copy;
3151
3152 r = exec_runtime_allocate(rt);
3153 if (r < 0)
3154 return log_oom();
3155
3156 copy = strdup(value);
3157 if (!copy)
3158 return log_oom();
3159
3160 free((*rt)->tmp_dir);
3161 (*rt)->tmp_dir = copy;
3162
3163 } else if (streq(key, "var-tmp-dir")) {
3164 char *copy;
3165
3166 r = exec_runtime_allocate(rt);
3167 if (r < 0)
3168 return log_oom();
3169
3170 copy = strdup(value);
3171 if (!copy)
3172 return log_oom();
3173
3174 free((*rt)->var_tmp_dir);
3175 (*rt)->var_tmp_dir = copy;
3176
3177 } else if (streq(key, "netns-socket-0")) {
3178 int fd;
3179
3180 r = exec_runtime_allocate(rt);
3181 if (r < 0)
3182 return log_oom();
3183
3184 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
3185 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
3186 else {
3187 safe_close((*rt)->netns_storage_socket[0]);
3188 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
3189 }
3190 } else if (streq(key, "netns-socket-1")) {
3191 int fd;
3192
3193 r = exec_runtime_allocate(rt);
3194 if (r < 0)
3195 return log_oom();
3196
3197 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
3198 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
3199 else {
3200 safe_close((*rt)->netns_storage_socket[1]);
3201 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
3202 }
3203 } else
3204 return 0;
3205
3206 return 1;
3207 }
3208
3209 static void *remove_tmpdir_thread(void *p) {
3210 _cleanup_free_ char *path = p;
3211
3212 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
3213 return NULL;
3214 }
3215
3216 void exec_runtime_destroy(ExecRuntime *rt) {
3217 int r;
3218
3219 if (!rt)
3220 return;
3221
3222 /* If there are multiple users of this, let's leave the stuff around */
3223 if (rt->n_ref > 1)
3224 return;
3225
3226 if (rt->tmp_dir) {
3227 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
3228
3229 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
3230 if (r < 0) {
3231 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
3232 free(rt->tmp_dir);
3233 }
3234
3235 rt->tmp_dir = NULL;
3236 }
3237
3238 if (rt->var_tmp_dir) {
3239 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
3240
3241 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
3242 if (r < 0) {
3243 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
3244 free(rt->var_tmp_dir);
3245 }
3246
3247 rt->var_tmp_dir = NULL;
3248 }
3249
3250 safe_close_pair(rt->netns_storage_socket);
3251 }
3252
3253 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
3254 [EXEC_INPUT_NULL] = "null",
3255 [EXEC_INPUT_TTY] = "tty",
3256 [EXEC_INPUT_TTY_FORCE] = "tty-force",
3257 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
3258 [EXEC_INPUT_SOCKET] = "socket"
3259 };
3260
3261 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
3262
3263 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
3264 [EXEC_OUTPUT_INHERIT] = "inherit",
3265 [EXEC_OUTPUT_NULL] = "null",
3266 [EXEC_OUTPUT_TTY] = "tty",
3267 [EXEC_OUTPUT_SYSLOG] = "syslog",
3268 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
3269 [EXEC_OUTPUT_KMSG] = "kmsg",
3270 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
3271 [EXEC_OUTPUT_JOURNAL] = "journal",
3272 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
3273 [EXEC_OUTPUT_SOCKET] = "socket"
3274 };
3275
3276 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
3277
3278 static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
3279 [EXEC_UTMP_INIT] = "init",
3280 [EXEC_UTMP_LOGIN] = "login",
3281 [EXEC_UTMP_USER] = "user",
3282 };
3283
3284 DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
Unnamed repository; edit this file 'description' to name the repository.