]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/execute.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
core: allow setting WorkingDirectory= to the special value ~
[thirdparty/systemd.git] / src / core / execute.c
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2
3 /***
4 This file is part of systemd.
5
6 Copyright 2010 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
17
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 ***/
21
22 #include <errno.h>
23 #include <fcntl.h>
24 #include <unistd.h>
25 #include <string.h>
26 #include <signal.h>
27 #include <sys/socket.h>
28 #include <sys/un.h>
29 #include <sys/prctl.h>
30 #include <sys/stat.h>
31 #include <grp.h>
32 #include <poll.h>
33 #include <glob.h>
34 #include <utmpx.h>
35 #include <sys/personality.h>
36
37 #ifdef HAVE_PAM
38 #include <security/pam_appl.h>
39 #endif
40
41 #ifdef HAVE_SELINUX
42 #include <selinux/selinux.h>
43 #endif
44
45 #ifdef HAVE_SECCOMP
46 #include <seccomp.h>
47 #endif
48
49 #ifdef HAVE_APPARMOR
50 #include <sys/apparmor.h>
51 #endif
52
53 #include "barrier.h"
54 #include "sd-messages.h"
55 #include "rm-rf.h"
56 #include "strv.h"
57 #include "macro.h"
58 #include "capability.h"
59 #include "util.h"
60 #include "log.h"
61 #include "ioprio.h"
62 #include "securebits.h"
63 #include "namespace.h"
64 #include "exit-status.h"
65 #include "missing.h"
66 #include "utmp-wtmp.h"
67 #include "def.h"
68 #include "path-util.h"
69 #include "env-util.h"
70 #include "fileio.h"
71 #include "unit.h"
72 #include "async.h"
73 #include "selinux-util.h"
74 #include "errno-list.h"
75 #include "af-list.h"
76 #include "mkdir.h"
77 #include "smack-util.h"
78 #include "bus-endpoint.h"
79 #include "cap-list.h"
80 #include "formats-util.h"
81 #include "process-util.h"
82 #include "terminal-util.h"
83 #include "signal-util.h"
84
85 #ifdef HAVE_APPARMOR
86 #include "apparmor-util.h"
87 #endif
88
89 #ifdef HAVE_SECCOMP
90 #include "seccomp-util.h"
91 #endif
92
93 #include "execute.h"
94
95 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
96 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
97
98 /* This assumes there is a 'tty' group */
99 #define TTY_MODE 0620
100
101 #define SNDBUF_SIZE (8*1024*1024)
102
103 static int shift_fds(int fds[], unsigned n_fds) {
104 int start, restart_from;
105
106 if (n_fds <= 0)
107 return 0;
108
109 /* Modifies the fds array! (sorts it) */
110
111 assert(fds);
112
113 start = 0;
114 for (;;) {
115 int i;
116
117 restart_from = -1;
118
119 for (i = start; i < (int) n_fds; i++) {
120 int nfd;
121
122 /* Already at right index? */
123 if (fds[i] == i+3)
124 continue;
125
126 nfd = fcntl(fds[i], F_DUPFD, i + 3);
127 if (nfd < 0)
128 return -errno;
129
130 safe_close(fds[i]);
131 fds[i] = nfd;
132
133 /* Hmm, the fd we wanted isn't free? Then
134 * let's remember that and try again from here */
135 if (nfd != i+3 && restart_from < 0)
136 restart_from = i;
137 }
138
139 if (restart_from < 0)
140 break;
141
142 start = restart_from;
143 }
144
145 return 0;
146 }
147
148 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
149 unsigned i;
150 int r;
151
152 if (n_fds <= 0)
153 return 0;
154
155 assert(fds);
156
157 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
158
159 for (i = 0; i < n_fds; i++) {
160
161 r = fd_nonblock(fds[i], nonblock);
162 if (r < 0)
163 return r;
164
165 /* We unconditionally drop FD_CLOEXEC from the fds,
166 * since after all we want to pass these fds to our
167 * children */
168
169 r = fd_cloexec(fds[i], false);
170 if (r < 0)
171 return r;
172 }
173
174 return 0;
175 }
176
177 _pure_ static const char *tty_path(const ExecContext *context) {
178 assert(context);
179
180 if (context->tty_path)
181 return context->tty_path;
182
183 return "/dev/console";
184 }
185
186 static void exec_context_tty_reset(const ExecContext *context) {
187 assert(context);
188
189 if (context->tty_vhangup)
190 terminal_vhangup(tty_path(context));
191
192 if (context->tty_reset)
193 reset_terminal(tty_path(context));
194
195 if (context->tty_vt_disallocate && context->tty_path)
196 vt_disallocate(context->tty_path);
197 }
198
199 static bool is_terminal_output(ExecOutput o) {
200 return
201 o == EXEC_OUTPUT_TTY ||
202 o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
203 o == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
204 o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE;
205 }
206
207 static int open_null_as(int flags, int nfd) {
208 int fd, r;
209
210 assert(nfd >= 0);
211
212 fd = open("/dev/null", flags|O_NOCTTY);
213 if (fd < 0)
214 return -errno;
215
216 if (fd != nfd) {
217 r = dup2(fd, nfd) < 0 ? -errno : nfd;
218 safe_close(fd);
219 } else
220 r = nfd;
221
222 return r;
223 }
224
225 static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
226 union sockaddr_union sa = {
227 .un.sun_family = AF_UNIX,
228 .un.sun_path = "/run/systemd/journal/stdout",
229 };
230 uid_t olduid = UID_INVALID;
231 gid_t oldgid = GID_INVALID;
232 int r;
233
234 if (gid != GID_INVALID) {
235 oldgid = getgid();
236
237 r = setegid(gid);
238 if (r < 0)
239 return -errno;
240 }
241
242 if (uid != UID_INVALID) {
243 olduid = getuid();
244
245 r = seteuid(uid);
246 if (r < 0) {
247 r = -errno;
248 goto restore_gid;
249 }
250 }
251
252 r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path));
253 if (r < 0)
254 r = -errno;
255
256 /* If we fail to restore the uid or gid, things will likely
257 fail later on. This should only happen if an LSM interferes. */
258
259 if (uid != UID_INVALID)
260 (void) seteuid(olduid);
261
262 restore_gid:
263 if (gid != GID_INVALID)
264 (void) setegid(oldgid);
265
266 return r;
267 }
268
269 static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd, uid_t uid, gid_t gid) {
270 int fd, r;
271
272 assert(context);
273 assert(output < _EXEC_OUTPUT_MAX);
274 assert(ident);
275 assert(nfd >= 0);
276
277 fd = socket(AF_UNIX, SOCK_STREAM, 0);
278 if (fd < 0)
279 return -errno;
280
281 r = connect_journal_socket(fd, uid, gid);
282 if (r < 0)
283 return r;
284
285 if (shutdown(fd, SHUT_RD) < 0) {
286 safe_close(fd);
287 return -errno;
288 }
289
290 fd_inc_sndbuf(fd, SNDBUF_SIZE);
291
292 dprintf(fd,
293 "%s\n"
294 "%s\n"
295 "%i\n"
296 "%i\n"
297 "%i\n"
298 "%i\n"
299 "%i\n",
300 context->syslog_identifier ? context->syslog_identifier : ident,
301 unit_id,
302 context->syslog_priority,
303 !!context->syslog_level_prefix,
304 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
305 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
306 is_terminal_output(output));
307
308 if (fd != nfd) {
309 r = dup2(fd, nfd) < 0 ? -errno : nfd;
310 safe_close(fd);
311 } else
312 r = nfd;
313
314 return r;
315 }
316 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
317 int fd, r;
318
319 assert(path);
320 assert(nfd >= 0);
321
322 fd = open_terminal(path, mode | O_NOCTTY);
323 if (fd < 0)
324 return fd;
325
326 if (fd != nfd) {
327 r = dup2(fd, nfd) < 0 ? -errno : nfd;
328 safe_close(fd);
329 } else
330 r = nfd;
331
332 return r;
333 }
334
335 static bool is_terminal_input(ExecInput i) {
336 return
337 i == EXEC_INPUT_TTY ||
338 i == EXEC_INPUT_TTY_FORCE ||
339 i == EXEC_INPUT_TTY_FAIL;
340 }
341
342 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
343
344 if (is_terminal_input(std_input) && !apply_tty_stdin)
345 return EXEC_INPUT_NULL;
346
347 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
348 return EXEC_INPUT_NULL;
349
350 return std_input;
351 }
352
353 static int fixup_output(ExecOutput std_output, int socket_fd) {
354
355 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
356 return EXEC_OUTPUT_INHERIT;
357
358 return std_output;
359 }
360
361 static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty_stdin) {
362 ExecInput i;
363
364 assert(context);
365
366 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
367
368 switch (i) {
369
370 case EXEC_INPUT_NULL:
371 return open_null_as(O_RDONLY, STDIN_FILENO);
372
373 case EXEC_INPUT_TTY:
374 case EXEC_INPUT_TTY_FORCE:
375 case EXEC_INPUT_TTY_FAIL: {
376 int fd, r;
377
378 fd = acquire_terminal(tty_path(context),
379 i == EXEC_INPUT_TTY_FAIL,
380 i == EXEC_INPUT_TTY_FORCE,
381 false,
382 USEC_INFINITY);
383 if (fd < 0)
384 return fd;
385
386 if (fd != STDIN_FILENO) {
387 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
388 safe_close(fd);
389 } else
390 r = STDIN_FILENO;
391
392 return r;
393 }
394
395 case EXEC_INPUT_SOCKET:
396 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
397
398 default:
399 assert_not_reached("Unknown input type");
400 }
401 }
402
403 static int setup_output(Unit *unit, const ExecContext *context, int fileno, int socket_fd, const char *ident, bool apply_tty_stdin, uid_t uid, gid_t gid) {
404 ExecOutput o;
405 ExecInput i;
406 int r;
407
408 assert(unit);
409 assert(context);
410 assert(ident);
411
412 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
413 o = fixup_output(context->std_output, socket_fd);
414
415 if (fileno == STDERR_FILENO) {
416 ExecOutput e;
417 e = fixup_output(context->std_error, socket_fd);
418
419 /* This expects the input and output are already set up */
420
421 /* Don't change the stderr file descriptor if we inherit all
422 * the way and are not on a tty */
423 if (e == EXEC_OUTPUT_INHERIT &&
424 o == EXEC_OUTPUT_INHERIT &&
425 i == EXEC_INPUT_NULL &&
426 !is_terminal_input(context->std_input) &&
427 getppid () != 1)
428 return fileno;
429
430 /* Duplicate from stdout if possible */
431 if (e == o || e == EXEC_OUTPUT_INHERIT)
432 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
433
434 o = e;
435
436 } else if (o == EXEC_OUTPUT_INHERIT) {
437 /* If input got downgraded, inherit the original value */
438 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
439 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
440
441 /* If the input is connected to anything that's not a /dev/null, inherit that... */
442 if (i != EXEC_INPUT_NULL)
443 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
444
445 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
446 if (getppid() != 1)
447 return fileno;
448
449 /* We need to open /dev/null here anew, to get the right access mode. */
450 return open_null_as(O_WRONLY, fileno);
451 }
452
453 switch (o) {
454
455 case EXEC_OUTPUT_NULL:
456 return open_null_as(O_WRONLY, fileno);
457
458 case EXEC_OUTPUT_TTY:
459 if (is_terminal_input(i))
460 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
461
462 /* We don't reset the terminal if this is just about output */
463 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
464
465 case EXEC_OUTPUT_SYSLOG:
466 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
467 case EXEC_OUTPUT_KMSG:
468 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
469 case EXEC_OUTPUT_JOURNAL:
470 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
471 r = connect_logger_as(context, o, ident, unit->id, fileno, uid, gid);
472 if (r < 0) {
473 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
474 r = open_null_as(O_WRONLY, fileno);
475 }
476 return r;
477
478 case EXEC_OUTPUT_SOCKET:
479 assert(socket_fd >= 0);
480 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
481
482 default:
483 assert_not_reached("Unknown error type");
484 }
485 }
486
487 static int chown_terminal(int fd, uid_t uid) {
488 struct stat st;
489
490 assert(fd >= 0);
491
492 /* This might fail. What matters are the results. */
493 (void) fchown(fd, uid, -1);
494 (void) fchmod(fd, TTY_MODE);
495
496 if (fstat(fd, &st) < 0)
497 return -errno;
498
499 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
500 return -EPERM;
501
502 return 0;
503 }
504
505 static int setup_confirm_stdio(int *_saved_stdin,
506 int *_saved_stdout) {
507 int fd = -1, saved_stdin, saved_stdout = -1, r;
508
509 assert(_saved_stdin);
510 assert(_saved_stdout);
511
512 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
513 if (saved_stdin < 0)
514 return -errno;
515
516 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
517 if (saved_stdout < 0) {
518 r = errno;
519 goto fail;
520 }
521
522 fd = acquire_terminal(
523 "/dev/console",
524 false,
525 false,
526 false,
527 DEFAULT_CONFIRM_USEC);
528 if (fd < 0) {
529 r = fd;
530 goto fail;
531 }
532
533 r = chown_terminal(fd, getuid());
534 if (r < 0)
535 goto fail;
536
537 if (dup2(fd, STDIN_FILENO) < 0) {
538 r = -errno;
539 goto fail;
540 }
541
542 if (dup2(fd, STDOUT_FILENO) < 0) {
543 r = -errno;
544 goto fail;
545 }
546
547 if (fd >= 2)
548 safe_close(fd);
549
550 *_saved_stdin = saved_stdin;
551 *_saved_stdout = saved_stdout;
552
553 return 0;
554
555 fail:
556 safe_close(saved_stdout);
557 safe_close(saved_stdin);
558 safe_close(fd);
559
560 return r;
561 }
562
563 _printf_(1, 2) static int write_confirm_message(const char *format, ...) {
564 _cleanup_close_ int fd = -1;
565 va_list ap;
566
567 assert(format);
568
569 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
570 if (fd < 0)
571 return fd;
572
573 va_start(ap, format);
574 vdprintf(fd, format, ap);
575 va_end(ap);
576
577 return 0;
578 }
579
580 static int restore_confirm_stdio(int *saved_stdin,
581 int *saved_stdout) {
582
583 int r = 0;
584
585 assert(saved_stdin);
586 assert(saved_stdout);
587
588 release_terminal();
589
590 if (*saved_stdin >= 0)
591 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
592 r = -errno;
593
594 if (*saved_stdout >= 0)
595 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
596 r = -errno;
597
598 safe_close(*saved_stdin);
599 safe_close(*saved_stdout);
600
601 return r;
602 }
603
604 static int ask_for_confirmation(char *response, char **argv) {
605 int saved_stdout = -1, saved_stdin = -1, r;
606 _cleanup_free_ char *line = NULL;
607
608 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
609 if (r < 0)
610 return r;
611
612 line = exec_command_line(argv);
613 if (!line)
614 return -ENOMEM;
615
616 r = ask_char(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
617
618 restore_confirm_stdio(&saved_stdin, &saved_stdout);
619
620 return r;
621 }
622
623 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
624 bool keep_groups = false;
625 int r;
626
627 assert(context);
628
629 /* Lookup and set GID and supplementary group list. Here too
630 * we avoid NSS lookups for gid=0. */
631
632 if (context->group || username) {
633 /* First step, initialize groups from /etc/groups */
634 if (username && gid != 0) {
635 if (initgroups(username, gid) < 0)
636 return -errno;
637
638 keep_groups = true;
639 }
640
641 /* Second step, set our gids */
642 if (setresgid(gid, gid, gid) < 0)
643 return -errno;
644 }
645
646 if (context->supplementary_groups) {
647 int ngroups_max, k;
648 gid_t *gids;
649 char **i;
650
651 /* Final step, initialize any manually set supplementary groups */
652 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
653
654 if (!(gids = new(gid_t, ngroups_max)))
655 return -ENOMEM;
656
657 if (keep_groups) {
658 k = getgroups(ngroups_max, gids);
659 if (k < 0) {
660 free(gids);
661 return -errno;
662 }
663 } else
664 k = 0;
665
666 STRV_FOREACH(i, context->supplementary_groups) {
667 const char *g;
668
669 if (k >= ngroups_max) {
670 free(gids);
671 return -E2BIG;
672 }
673
674 g = *i;
675 r = get_group_creds(&g, gids+k);
676 if (r < 0) {
677 free(gids);
678 return r;
679 }
680
681 k++;
682 }
683
684 if (setgroups(k, gids) < 0) {
685 free(gids);
686 return -errno;
687 }
688
689 free(gids);
690 }
691
692 return 0;
693 }
694
695 static int enforce_user(const ExecContext *context, uid_t uid) {
696 assert(context);
697
698 /* Sets (but doesn't lookup) the uid and make sure we keep the
699 * capabilities while doing so. */
700
701 if (context->capabilities) {
702 _cleanup_cap_free_ cap_t d = NULL;
703 static const cap_value_t bits[] = {
704 CAP_SETUID, /* Necessary so that we can run setresuid() below */
705 CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
706 };
707
708 /* First step: If we need to keep capabilities but
709 * drop privileges we need to make sure we keep our
710 * caps, while we drop privileges. */
711 if (uid != 0) {
712 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
713
714 if (prctl(PR_GET_SECUREBITS) != sb)
715 if (prctl(PR_SET_SECUREBITS, sb) < 0)
716 return -errno;
717 }
718
719 /* Second step: set the capabilities. This will reduce
720 * the capabilities to the minimum we need. */
721
722 d = cap_dup(context->capabilities);
723 if (!d)
724 return -errno;
725
726 if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
727 cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0)
728 return -errno;
729
730 if (cap_set_proc(d) < 0)
731 return -errno;
732 }
733
734 /* Third step: actually set the uids */
735 if (setresuid(uid, uid, uid) < 0)
736 return -errno;
737
738 /* At this point we should have all necessary capabilities but
739 are otherwise a normal user. However, the caps might got
740 corrupted due to the setresuid() so we need clean them up
741 later. This is done outside of this call. */
742
743 return 0;
744 }
745
746 #ifdef HAVE_PAM
747
748 static int null_conv(
749 int num_msg,
750 const struct pam_message **msg,
751 struct pam_response **resp,
752 void *appdata_ptr) {
753
754 /* We don't support conversations */
755
756 return PAM_CONV_ERR;
757 }
758
759 static int setup_pam(
760 const char *name,
761 const char *user,
762 uid_t uid,
763 const char *tty,
764 char ***pam_env,
765 int fds[], unsigned n_fds) {
766
767 static const struct pam_conv conv = {
768 .conv = null_conv,
769 .appdata_ptr = NULL
770 };
771
772 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
773 pam_handle_t *handle = NULL;
774 sigset_t old_ss;
775 int pam_code = PAM_SUCCESS;
776 int err = 0;
777 char **e = NULL;
778 bool close_session = false;
779 pid_t pam_pid = 0, parent_pid;
780 int flags = 0;
781
782 assert(name);
783 assert(user);
784 assert(pam_env);
785
786 /* We set up PAM in the parent process, then fork. The child
787 * will then stay around until killed via PR_GET_PDEATHSIG or
788 * systemd via the cgroup logic. It will then remove the PAM
789 * session again. The parent process will exec() the actual
790 * daemon. We do things this way to ensure that the main PID
791 * of the daemon is the one we initially fork()ed. */
792
793 err = barrier_create(&barrier);
794 if (err < 0)
795 goto fail;
796
797 if (log_get_max_level() < LOG_DEBUG)
798 flags |= PAM_SILENT;
799
800 pam_code = pam_start(name, user, &conv, &handle);
801 if (pam_code != PAM_SUCCESS) {
802 handle = NULL;
803 goto fail;
804 }
805
806 if (tty) {
807 pam_code = pam_set_item(handle, PAM_TTY, tty);
808 if (pam_code != PAM_SUCCESS)
809 goto fail;
810 }
811
812 pam_code = pam_acct_mgmt(handle, flags);
813 if (pam_code != PAM_SUCCESS)
814 goto fail;
815
816 pam_code = pam_open_session(handle, flags);
817 if (pam_code != PAM_SUCCESS)
818 goto fail;
819
820 close_session = true;
821
822 e = pam_getenvlist(handle);
823 if (!e) {
824 pam_code = PAM_BUF_ERR;
825 goto fail;
826 }
827
828 /* Block SIGTERM, so that we know that it won't get lost in
829 * the child */
830
831 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
832
833 parent_pid = getpid();
834
835 pam_pid = fork();
836 if (pam_pid < 0)
837 goto fail;
838
839 if (pam_pid == 0) {
840 int sig;
841 int r = EXIT_PAM;
842
843 /* The child's job is to reset the PAM session on
844 * termination */
845 barrier_set_role(&barrier, BARRIER_CHILD);
846
847 /* This string must fit in 10 chars (i.e. the length
848 * of "/sbin/init"), to look pretty in /bin/ps */
849 rename_process("(sd-pam)");
850
851 /* Make sure we don't keep open the passed fds in this
852 child. We assume that otherwise only those fds are
853 open here that have been opened by PAM. */
854 close_many(fds, n_fds);
855
856 /* Drop privileges - we don't need any to pam_close_session
857 * and this will make PR_SET_PDEATHSIG work in most cases.
858 * If this fails, ignore the error - but expect sd-pam threads
859 * to fail to exit normally */
860 if (setresuid(uid, uid, uid) < 0)
861 log_error_errno(r, "Error: Failed to setresuid() in sd-pam: %m");
862
863 (void) ignore_signals(SIGPIPE, -1);
864
865 /* Wait until our parent died. This will only work if
866 * the above setresuid() succeeds, otherwise the kernel
867 * will not allow unprivileged parents kill their privileged
868 * children this way. We rely on the control groups kill logic
869 * to do the rest for us. */
870 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
871 goto child_finish;
872
873 /* Tell the parent that our setup is done. This is especially
874 * important regarding dropping privileges. Otherwise, unit
875 * setup might race against our setresuid(2) call. */
876 barrier_place(&barrier);
877
878 /* Check if our parent process might already have
879 * died? */
880 if (getppid() == parent_pid) {
881 sigset_t ss;
882
883 assert_se(sigemptyset(&ss) >= 0);
884 assert_se(sigaddset(&ss, SIGTERM) >= 0);
885
886 for (;;) {
887 if (sigwait(&ss, &sig) < 0) {
888 if (errno == EINTR)
889 continue;
890
891 goto child_finish;
892 }
893
894 assert(sig == SIGTERM);
895 break;
896 }
897 }
898
899 /* If our parent died we'll end the session */
900 if (getppid() != parent_pid) {
901 pam_code = pam_close_session(handle, flags);
902 if (pam_code != PAM_SUCCESS)
903 goto child_finish;
904 }
905
906 r = 0;
907
908 child_finish:
909 pam_end(handle, pam_code | flags);
910 _exit(r);
911 }
912
913 barrier_set_role(&barrier, BARRIER_PARENT);
914
915 /* If the child was forked off successfully it will do all the
916 * cleanups, so forget about the handle here. */
917 handle = NULL;
918
919 /* Unblock SIGTERM again in the parent */
920 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
921
922 /* We close the log explicitly here, since the PAM modules
923 * might have opened it, but we don't want this fd around. */
924 closelog();
925
926 /* Synchronously wait for the child to initialize. We don't care for
927 * errors as we cannot recover. However, warn loudly if it happens. */
928 if (!barrier_place_and_sync(&barrier))
929 log_error("PAM initialization failed");
930
931 *pam_env = e;
932 e = NULL;
933
934 return 0;
935
936 fail:
937 if (pam_code != PAM_SUCCESS) {
938 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
939 err = -EPERM; /* PAM errors do not map to errno */
940 } else {
941 err = log_error_errno(err < 0 ? err : errno, "PAM failed: %m");
942 }
943
944 if (handle) {
945 if (close_session)
946 pam_code = pam_close_session(handle, flags);
947
948 pam_end(handle, pam_code | flags);
949 }
950
951 strv_free(e);
952
953 closelog();
954
955 if (pam_pid > 1) {
956 kill(pam_pid, SIGTERM);
957 kill(pam_pid, SIGCONT);
958 }
959
960 return err;
961 }
962 #endif
963
964 static void rename_process_from_path(const char *path) {
965 char process_name[11];
966 const char *p;
967 size_t l;
968
969 /* This resulting string must fit in 10 chars (i.e. the length
970 * of "/sbin/init") to look pretty in /bin/ps */
971
972 p = basename(path);
973 if (isempty(p)) {
974 rename_process("(...)");
975 return;
976 }
977
978 l = strlen(p);
979 if (l > 8) {
980 /* The end of the process name is usually more
981 * interesting, since the first bit might just be
982 * "systemd-" */
983 p = p + l - 8;
984 l = 8;
985 }
986
987 process_name[0] = '(';
988 memcpy(process_name+1, p, l);
989 process_name[1+l] = ')';
990 process_name[1+l+1] = 0;
991
992 rename_process(process_name);
993 }
994
995 #ifdef HAVE_SECCOMP
996
997 static int apply_seccomp(const ExecContext *c) {
998 uint32_t negative_action, action;
999 scmp_filter_ctx *seccomp;
1000 Iterator i;
1001 void *id;
1002 int r;
1003
1004 assert(c);
1005
1006 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
1007
1008 seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW);
1009 if (!seccomp)
1010 return -ENOMEM;
1011
1012 if (c->syscall_archs) {
1013
1014 SET_FOREACH(id, c->syscall_archs, i) {
1015 r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
1016 if (r == -EEXIST)
1017 continue;
1018 if (r < 0)
1019 goto finish;
1020 }
1021
1022 } else {
1023 r = seccomp_add_secondary_archs(seccomp);
1024 if (r < 0)
1025 goto finish;
1026 }
1027
1028 action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
1029 SET_FOREACH(id, c->syscall_filter, i) {
1030 r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
1031 if (r < 0)
1032 goto finish;
1033 }
1034
1035 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1036 if (r < 0)
1037 goto finish;
1038
1039 r = seccomp_load(seccomp);
1040
1041 finish:
1042 seccomp_release(seccomp);
1043 return r;
1044 }
1045
1046 static int apply_address_families(const ExecContext *c) {
1047 scmp_filter_ctx *seccomp;
1048 Iterator i;
1049 int r;
1050
1051 assert(c);
1052
1053 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1054 if (!seccomp)
1055 return -ENOMEM;
1056
1057 r = seccomp_add_secondary_archs(seccomp);
1058 if (r < 0)
1059 goto finish;
1060
1061 if (c->address_families_whitelist) {
1062 int af, first = 0, last = 0;
1063 void *afp;
1064
1065 /* If this is a whitelist, we first block the address
1066 * families that are out of range and then everything
1067 * that is not in the set. First, we find the lowest
1068 * and highest address family in the set. */
1069
1070 SET_FOREACH(afp, c->address_families, i) {
1071 af = PTR_TO_INT(afp);
1072
1073 if (af <= 0 || af >= af_max())
1074 continue;
1075
1076 if (first == 0 || af < first)
1077 first = af;
1078
1079 if (last == 0 || af > last)
1080 last = af;
1081 }
1082
1083 assert((first == 0) == (last == 0));
1084
1085 if (first == 0) {
1086
1087 /* No entries in the valid range, block everything */
1088 r = seccomp_rule_add(
1089 seccomp,
1090 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1091 SCMP_SYS(socket),
1092 0);
1093 if (r < 0)
1094 goto finish;
1095
1096 } else {
1097
1098 /* Block everything below the first entry */
1099 r = seccomp_rule_add(
1100 seccomp,
1101 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1102 SCMP_SYS(socket),
1103 1,
1104 SCMP_A0(SCMP_CMP_LT, first));
1105 if (r < 0)
1106 goto finish;
1107
1108 /* Block everything above the last entry */
1109 r = seccomp_rule_add(
1110 seccomp,
1111 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1112 SCMP_SYS(socket),
1113 1,
1114 SCMP_A0(SCMP_CMP_GT, last));
1115 if (r < 0)
1116 goto finish;
1117
1118 /* Block everything between the first and last
1119 * entry */
1120 for (af = 1; af < af_max(); af++) {
1121
1122 if (set_contains(c->address_families, INT_TO_PTR(af)))
1123 continue;
1124
1125 r = seccomp_rule_add(
1126 seccomp,
1127 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1128 SCMP_SYS(socket),
1129 1,
1130 SCMP_A0(SCMP_CMP_EQ, af));
1131 if (r < 0)
1132 goto finish;
1133 }
1134 }
1135
1136 } else {
1137 void *af;
1138
1139 /* If this is a blacklist, then generate one rule for
1140 * each address family that are then combined in OR
1141 * checks. */
1142
1143 SET_FOREACH(af, c->address_families, i) {
1144
1145 r = seccomp_rule_add(
1146 seccomp,
1147 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1148 SCMP_SYS(socket),
1149 1,
1150 SCMP_A0(SCMP_CMP_EQ, PTR_TO_INT(af)));
1151 if (r < 0)
1152 goto finish;
1153 }
1154 }
1155
1156 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1157 if (r < 0)
1158 goto finish;
1159
1160 r = seccomp_load(seccomp);
1161
1162 finish:
1163 seccomp_release(seccomp);
1164 return r;
1165 }
1166
1167 #endif
1168
1169 static void do_idle_pipe_dance(int idle_pipe[4]) {
1170 assert(idle_pipe);
1171
1172
1173 idle_pipe[1] = safe_close(idle_pipe[1]);
1174 idle_pipe[2] = safe_close(idle_pipe[2]);
1175
1176 if (idle_pipe[0] >= 0) {
1177 int r;
1178
1179 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1180
1181 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
1182 ssize_t n;
1183
1184 /* Signal systemd that we are bored and want to continue. */
1185 n = write(idle_pipe[3], "x", 1);
1186 if (n > 0)
1187 /* Wait for systemd to react to the signal above. */
1188 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1189 }
1190
1191 idle_pipe[0] = safe_close(idle_pipe[0]);
1192
1193 }
1194
1195 idle_pipe[3] = safe_close(idle_pipe[3]);
1196 }
1197
1198 static int build_environment(
1199 const ExecContext *c,
1200 unsigned n_fds,
1201 usec_t watchdog_usec,
1202 const char *home,
1203 const char *username,
1204 const char *shell,
1205 char ***ret) {
1206
1207 _cleanup_strv_free_ char **our_env = NULL;
1208 unsigned n_env = 0;
1209 char *x;
1210
1211 assert(c);
1212 assert(ret);
1213
1214 our_env = new0(char*, 10);
1215 if (!our_env)
1216 return -ENOMEM;
1217
1218 if (n_fds > 0) {
1219 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1220 return -ENOMEM;
1221 our_env[n_env++] = x;
1222
1223 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1224 return -ENOMEM;
1225 our_env[n_env++] = x;
1226 }
1227
1228 if (watchdog_usec > 0) {
1229 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1230 return -ENOMEM;
1231 our_env[n_env++] = x;
1232
1233 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, watchdog_usec) < 0)
1234 return -ENOMEM;
1235 our_env[n_env++] = x;
1236 }
1237
1238 if (home) {
1239 x = strappend("HOME=", home);
1240 if (!x)
1241 return -ENOMEM;
1242 our_env[n_env++] = x;
1243 }
1244
1245 if (username) {
1246 x = strappend("LOGNAME=", username);
1247 if (!x)
1248 return -ENOMEM;
1249 our_env[n_env++] = x;
1250
1251 x = strappend("USER=", username);
1252 if (!x)
1253 return -ENOMEM;
1254 our_env[n_env++] = x;
1255 }
1256
1257 if (shell) {
1258 x = strappend("SHELL=", shell);
1259 if (!x)
1260 return -ENOMEM;
1261 our_env[n_env++] = x;
1262 }
1263
1264 if (is_terminal_input(c->std_input) ||
1265 c->std_output == EXEC_OUTPUT_TTY ||
1266 c->std_error == EXEC_OUTPUT_TTY ||
1267 c->tty_path) {
1268
1269 x = strdup(default_term_for_tty(tty_path(c)));
1270 if (!x)
1271 return -ENOMEM;
1272 our_env[n_env++] = x;
1273 }
1274
1275 our_env[n_env++] = NULL;
1276 assert(n_env <= 10);
1277
1278 *ret = our_env;
1279 our_env = NULL;
1280
1281 return 0;
1282 }
1283
1284 static bool exec_needs_mount_namespace(
1285 const ExecContext *context,
1286 const ExecParameters *params,
1287 ExecRuntime *runtime) {
1288
1289 assert(context);
1290 assert(params);
1291
1292 if (!strv_isempty(context->read_write_dirs) ||
1293 !strv_isempty(context->read_only_dirs) ||
1294 !strv_isempty(context->inaccessible_dirs))
1295 return true;
1296
1297 if (context->mount_flags != 0)
1298 return true;
1299
1300 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1301 return true;
1302
1303 if (params->bus_endpoint_path)
1304 return true;
1305
1306 if (context->private_devices ||
1307 context->protect_system != PROTECT_SYSTEM_NO ||
1308 context->protect_home != PROTECT_HOME_NO)
1309 return true;
1310
1311 return false;
1312 }
1313
1314 static int exec_child(
1315 Unit *unit,
1316 ExecCommand *command,
1317 const ExecContext *context,
1318 const ExecParameters *params,
1319 ExecRuntime *runtime,
1320 char **argv,
1321 int socket_fd,
1322 int *fds, unsigned n_fds,
1323 char **files_env,
1324 int *exit_status) {
1325
1326 _cleanup_strv_free_ char **our_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL;
1327 _cleanup_free_ char *mac_selinux_context_net = NULL;
1328 const char *username = NULL, *home = NULL, *shell = NULL, *wd;
1329 unsigned n_dont_close = 0;
1330 int dont_close[n_fds + 4];
1331 uid_t uid = UID_INVALID;
1332 gid_t gid = GID_INVALID;
1333 int i, r;
1334 bool needs_mount_namespace;
1335
1336 assert(unit);
1337 assert(command);
1338 assert(context);
1339 assert(params);
1340 assert(exit_status);
1341
1342 rename_process_from_path(command->path);
1343
1344 /* We reset exactly these signals, since they are the
1345 * only ones we set to SIG_IGN in the main daemon. All
1346 * others we leave untouched because we set them to
1347 * SIG_DFL or a valid handler initially, both of which
1348 * will be demoted to SIG_DFL. */
1349 (void) default_signals(SIGNALS_CRASH_HANDLER,
1350 SIGNALS_IGNORE, -1);
1351
1352 if (context->ignore_sigpipe)
1353 (void) ignore_signals(SIGPIPE, -1);
1354
1355 r = reset_signal_mask();
1356 if (r < 0) {
1357 *exit_status = EXIT_SIGNAL_MASK;
1358 return r;
1359 }
1360
1361 if (params->idle_pipe)
1362 do_idle_pipe_dance(params->idle_pipe);
1363
1364 /* Close sockets very early to make sure we don't
1365 * block init reexecution because it cannot bind its
1366 * sockets */
1367
1368 log_forget_fds();
1369
1370 if (socket_fd >= 0)
1371 dont_close[n_dont_close++] = socket_fd;
1372 if (n_fds > 0) {
1373 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
1374 n_dont_close += n_fds;
1375 }
1376 if (params->bus_endpoint_fd >= 0)
1377 dont_close[n_dont_close++] = params->bus_endpoint_fd;
1378 if (runtime) {
1379 if (runtime->netns_storage_socket[0] >= 0)
1380 dont_close[n_dont_close++] = runtime->netns_storage_socket[0];
1381 if (runtime->netns_storage_socket[1] >= 0)
1382 dont_close[n_dont_close++] = runtime->netns_storage_socket[1];
1383 }
1384
1385 r = close_all_fds(dont_close, n_dont_close);
1386 if (r < 0) {
1387 *exit_status = EXIT_FDS;
1388 return r;
1389 }
1390
1391 if (!context->same_pgrp)
1392 if (setsid() < 0) {
1393 *exit_status = EXIT_SETSID;
1394 return -errno;
1395 }
1396
1397 exec_context_tty_reset(context);
1398
1399 if (params->confirm_spawn) {
1400 char response;
1401
1402 r = ask_for_confirmation(&response, argv);
1403 if (r == -ETIMEDOUT)
1404 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
1405 else if (r < 0)
1406 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-r));
1407 else if (response == 's') {
1408 write_confirm_message("Skipping execution.\n");
1409 *exit_status = EXIT_CONFIRM;
1410 return -ECANCELED;
1411 } else if (response == 'n') {
1412 write_confirm_message("Failing execution.\n");
1413 *exit_status = 0;
1414 return 0;
1415 }
1416 }
1417
1418 if (context->user) {
1419 username = context->user;
1420 r = get_user_creds(&username, &uid, &gid, &home, &shell);
1421 if (r < 0) {
1422 *exit_status = EXIT_USER;
1423 return r;
1424 }
1425 }
1426
1427 if (context->group) {
1428 const char *g = context->group;
1429
1430 r = get_group_creds(&g, &gid);
1431 if (r < 0) {
1432 *exit_status = EXIT_GROUP;
1433 return r;
1434 }
1435 }
1436
1437
1438 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1439 * must sure to drop O_NONBLOCK */
1440 if (socket_fd >= 0)
1441 fd_nonblock(socket_fd, false);
1442
1443 r = setup_input(context, socket_fd, params->apply_tty_stdin);
1444 if (r < 0) {
1445 *exit_status = EXIT_STDIN;
1446 return r;
1447 }
1448
1449 r = setup_output(unit, context, STDOUT_FILENO, socket_fd, basename(command->path), params->apply_tty_stdin, uid, gid);
1450 if (r < 0) {
1451 *exit_status = EXIT_STDOUT;
1452 return r;
1453 }
1454
1455 r = setup_output(unit, context, STDERR_FILENO, socket_fd, basename(command->path), params->apply_tty_stdin, uid, gid);
1456 if (r < 0) {
1457 *exit_status = EXIT_STDERR;
1458 return r;
1459 }
1460
1461 if (params->cgroup_path) {
1462 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
1463 if (r < 0) {
1464 *exit_status = EXIT_CGROUP;
1465 return r;
1466 }
1467 }
1468
1469 if (context->oom_score_adjust_set) {
1470 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
1471
1472 /* When we can't make this change due to EPERM, then
1473 * let's silently skip over it. User namespaces
1474 * prohibit write access to this file, and we
1475 * shouldn't trip up over that. */
1476
1477 sprintf(t, "%i", context->oom_score_adjust);
1478 r = write_string_file("/proc/self/oom_score_adj", t, 0);
1479 if (r == -EPERM || r == -EACCES) {
1480 log_open();
1481 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
1482 log_close();
1483 } else if (r < 0) {
1484 *exit_status = EXIT_OOM_ADJUST;
1485 return -errno;
1486 }
1487 }
1488
1489 if (context->nice_set)
1490 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
1491 *exit_status = EXIT_NICE;
1492 return -errno;
1493 }
1494
1495 if (context->cpu_sched_set) {
1496 struct sched_param param = {
1497 .sched_priority = context->cpu_sched_priority,
1498 };
1499
1500 r = sched_setscheduler(0,
1501 context->cpu_sched_policy |
1502 (context->cpu_sched_reset_on_fork ?
1503 SCHED_RESET_ON_FORK : 0),
1504 &param);
1505 if (r < 0) {
1506 *exit_status = EXIT_SETSCHEDULER;
1507 return -errno;
1508 }
1509 }
1510
1511 if (context->cpuset)
1512 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
1513 *exit_status = EXIT_CPUAFFINITY;
1514 return -errno;
1515 }
1516
1517 if (context->ioprio_set)
1518 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
1519 *exit_status = EXIT_IOPRIO;
1520 return -errno;
1521 }
1522
1523 if (context->timer_slack_nsec != NSEC_INFINITY)
1524 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
1525 *exit_status = EXIT_TIMERSLACK;
1526 return -errno;
1527 }
1528
1529 if (context->personality != PERSONALITY_INVALID)
1530 if (personality(context->personality) < 0) {
1531 *exit_status = EXIT_PERSONALITY;
1532 return -errno;
1533 }
1534
1535 if (context->utmp_id)
1536 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path,
1537 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
1538 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
1539 USER_PROCESS,
1540 username ? "root" : context->user);
1541
1542 if (context->user && is_terminal_input(context->std_input)) {
1543 r = chown_terminal(STDIN_FILENO, uid);
1544 if (r < 0) {
1545 *exit_status = EXIT_STDIN;
1546 return r;
1547 }
1548 }
1549
1550 if (params->bus_endpoint_fd >= 0 && context->bus_endpoint) {
1551 uid_t ep_uid = (uid == UID_INVALID) ? 0 : uid;
1552
1553 r = bus_kernel_set_endpoint_policy(params->bus_endpoint_fd, ep_uid, context->bus_endpoint);
1554 if (r < 0) {
1555 *exit_status = EXIT_BUS_ENDPOINT;
1556 return r;
1557 }
1558 }
1559
1560 /* If delegation is enabled we'll pass ownership of the cgroup
1561 * (but only in systemd's own controller hierarchy!) to the
1562 * user of the new process. */
1563 if (params->cgroup_path && context->user && params->cgroup_delegate) {
1564 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
1565 if (r < 0) {
1566 *exit_status = EXIT_CGROUP;
1567 return r;
1568 }
1569
1570
1571 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
1572 if (r < 0) {
1573 *exit_status = EXIT_CGROUP;
1574 return r;
1575 }
1576 }
1577
1578 if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
1579 char **rt;
1580
1581 STRV_FOREACH(rt, context->runtime_directory) {
1582 _cleanup_free_ char *p;
1583
1584 p = strjoin(params->runtime_prefix, "/", *rt, NULL);
1585 if (!p) {
1586 *exit_status = EXIT_RUNTIME_DIRECTORY;
1587 return -ENOMEM;
1588 }
1589
1590 r = mkdir_p_label(p, context->runtime_directory_mode);
1591 if (r < 0) {
1592 *exit_status = EXIT_RUNTIME_DIRECTORY;
1593 return r;
1594 }
1595
1596 r = chmod_and_chown(p, context->runtime_directory_mode, uid, gid);
1597 if (r < 0) {
1598 *exit_status = EXIT_RUNTIME_DIRECTORY;
1599 return r;
1600 }
1601 }
1602 }
1603
1604 umask(context->umask);
1605
1606 if (params->apply_permissions) {
1607 r = enforce_groups(context, username, gid);
1608 if (r < 0) {
1609 *exit_status = EXIT_GROUP;
1610 return r;
1611 }
1612 #ifdef HAVE_SMACK
1613 if (context->smack_process_label) {
1614 r = mac_smack_apply_pid(0, context->smack_process_label);
1615 if (r < 0) {
1616 *exit_status = EXIT_SMACK_PROCESS_LABEL;
1617 return r;
1618 }
1619 }
1620 #ifdef SMACK_DEFAULT_PROCESS_LABEL
1621 else {
1622 _cleanup_free_ char *exec_label = NULL;
1623
1624 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
1625 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) {
1626 *exit_status = EXIT_SMACK_PROCESS_LABEL;
1627 return r;
1628 }
1629
1630 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
1631 if (r < 0) {
1632 *exit_status = EXIT_SMACK_PROCESS_LABEL;
1633 return r;
1634 }
1635 }
1636 #endif
1637 #endif
1638 #ifdef HAVE_PAM
1639 if (context->pam_name && username) {
1640 r = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
1641 if (r < 0) {
1642 *exit_status = EXIT_PAM;
1643 return r;
1644 }
1645 }
1646 #endif
1647 }
1648
1649 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
1650 r = setup_netns(runtime->netns_storage_socket);
1651 if (r < 0) {
1652 *exit_status = EXIT_NETWORK;
1653 return r;
1654 }
1655 }
1656
1657 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
1658
1659 if (needs_mount_namespace) {
1660 char *tmp = NULL, *var = NULL;
1661
1662 /* The runtime struct only contains the parent
1663 * of the private /tmp, which is
1664 * non-accessible to world users. Inside of it
1665 * there's a /tmp that is sticky, and that's
1666 * the one we want to use here. */
1667
1668 if (context->private_tmp && runtime) {
1669 if (runtime->tmp_dir)
1670 tmp = strjoina(runtime->tmp_dir, "/tmp");
1671 if (runtime->var_tmp_dir)
1672 var = strjoina(runtime->var_tmp_dir, "/tmp");
1673 }
1674
1675 r = setup_namespace(
1676 params->apply_chroot ? context->root_directory : NULL,
1677 context->read_write_dirs,
1678 context->read_only_dirs,
1679 context->inaccessible_dirs,
1680 tmp,
1681 var,
1682 params->bus_endpoint_path,
1683 context->private_devices,
1684 context->protect_home,
1685 context->protect_system,
1686 context->mount_flags);
1687
1688 /* If we couldn't set up the namespace this is
1689 * probably due to a missing capability. In this case,
1690 * silently proceeed. */
1691 if (r == -EPERM || r == -EACCES) {
1692 log_open();
1693 log_unit_debug_errno(unit, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
1694 log_close();
1695 } else if (r < 0) {
1696 *exit_status = EXIT_NAMESPACE;
1697 return r;
1698 }
1699 }
1700
1701 if (context->working_directory_home)
1702 wd = home;
1703 else if (context->working_directory)
1704 wd = context->working_directory;
1705 else
1706 wd = "/";
1707
1708 if (params->apply_chroot) {
1709 if (!needs_mount_namespace && context->root_directory)
1710 if (chroot(context->root_directory) < 0) {
1711 *exit_status = EXIT_CHROOT;
1712 return -errno;
1713 }
1714
1715 if (chdir(wd) < 0 &&
1716 !context->working_directory_missing_ok) {
1717 *exit_status = EXIT_CHDIR;
1718 return -errno;
1719 }
1720 } else {
1721 const char *d;
1722
1723 d = strjoina(strempty(context->root_directory), "/", strempty(wd));
1724 if (chdir(d) < 0 &&
1725 !context->working_directory_missing_ok) {
1726 *exit_status = EXIT_CHDIR;
1727 return -errno;
1728 }
1729 }
1730
1731 #ifdef HAVE_SELINUX
1732 if (params->apply_permissions && mac_selinux_use() && params->selinux_context_net && socket_fd >= 0) {
1733 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
1734 if (r < 0) {
1735 *exit_status = EXIT_SELINUX_CONTEXT;
1736 return r;
1737 }
1738 }
1739 #endif
1740
1741 /* We repeat the fd closing here, to make sure that
1742 * nothing is leaked from the PAM modules. Note that
1743 * we are more aggressive this time since socket_fd
1744 * and the netns fds we don't need anymore. The custom
1745 * endpoint fd was needed to upload the policy and can
1746 * now be closed as well. */
1747 r = close_all_fds(fds, n_fds);
1748 if (r >= 0)
1749 r = shift_fds(fds, n_fds);
1750 if (r >= 0)
1751 r = flags_fds(fds, n_fds, context->non_blocking);
1752 if (r < 0) {
1753 *exit_status = EXIT_FDS;
1754 return r;
1755 }
1756
1757 if (params->apply_permissions) {
1758
1759 for (i = 0; i < _RLIMIT_MAX; i++) {
1760 if (!context->rlimit[i])
1761 continue;
1762
1763 if (setrlimit_closest(i, context->rlimit[i]) < 0) {
1764 *exit_status = EXIT_LIMITS;
1765 return -errno;
1766 }
1767 }
1768
1769 if (context->capability_bounding_set_drop) {
1770 r = capability_bounding_set_drop(context->capability_bounding_set_drop, false);
1771 if (r < 0) {
1772 *exit_status = EXIT_CAPABILITIES;
1773 return r;
1774 }
1775 }
1776
1777 if (context->user) {
1778 r = enforce_user(context, uid);
1779 if (r < 0) {
1780 *exit_status = EXIT_USER;
1781 return r;
1782 }
1783 }
1784
1785 /* PR_GET_SECUREBITS is not privileged, while
1786 * PR_SET_SECUREBITS is. So to suppress
1787 * potential EPERMs we'll try not to call
1788 * PR_SET_SECUREBITS unless necessary. */
1789 if (prctl(PR_GET_SECUREBITS) != context->secure_bits)
1790 if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
1791 *exit_status = EXIT_SECUREBITS;
1792 return -errno;
1793 }
1794
1795 if (context->capabilities)
1796 if (cap_set_proc(context->capabilities) < 0) {
1797 *exit_status = EXIT_CAPABILITIES;
1798 return -errno;
1799 }
1800
1801 if (context->no_new_privileges)
1802 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
1803 *exit_status = EXIT_NO_NEW_PRIVILEGES;
1804 return -errno;
1805 }
1806
1807 #ifdef HAVE_SECCOMP
1808 if (context->address_families_whitelist ||
1809 !set_isempty(context->address_families)) {
1810 r = apply_address_families(context);
1811 if (r < 0) {
1812 *exit_status = EXIT_ADDRESS_FAMILIES;
1813 return r;
1814 }
1815 }
1816
1817 if (context->syscall_whitelist ||
1818 !set_isempty(context->syscall_filter) ||
1819 !set_isempty(context->syscall_archs)) {
1820 r = apply_seccomp(context);
1821 if (r < 0) {
1822 *exit_status = EXIT_SECCOMP;
1823 return r;
1824 }
1825 }
1826 #endif
1827
1828 #ifdef HAVE_SELINUX
1829 if (mac_selinux_use()) {
1830 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
1831
1832 if (exec_context) {
1833 r = setexeccon(exec_context);
1834 if (r < 0) {
1835 *exit_status = EXIT_SELINUX_CONTEXT;
1836 return r;
1837 }
1838 }
1839 }
1840 #endif
1841
1842 #ifdef HAVE_APPARMOR
1843 if (context->apparmor_profile && mac_apparmor_use()) {
1844 r = aa_change_onexec(context->apparmor_profile);
1845 if (r < 0 && !context->apparmor_profile_ignore) {
1846 *exit_status = EXIT_APPARMOR_PROFILE;
1847 return -errno;
1848 }
1849 }
1850 #endif
1851 }
1852
1853 r = build_environment(context, n_fds, params->watchdog_usec, home, username, shell, &our_env);
1854 if (r < 0) {
1855 *exit_status = EXIT_MEMORY;
1856 return r;
1857 }
1858
1859 final_env = strv_env_merge(5,
1860 params->environment,
1861 our_env,
1862 context->environment,
1863 files_env,
1864 pam_env,
1865 NULL);
1866 if (!final_env) {
1867 *exit_status = EXIT_MEMORY;
1868 return -ENOMEM;
1869 }
1870
1871 final_argv = replace_env_argv(argv, final_env);
1872 if (!final_argv) {
1873 *exit_status = EXIT_MEMORY;
1874 return -ENOMEM;
1875 }
1876
1877 final_env = strv_env_clean(final_env);
1878
1879 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
1880 _cleanup_free_ char *line;
1881
1882 line = exec_command_line(final_argv);
1883 if (line) {
1884 log_open();
1885 log_struct(LOG_DEBUG,
1886 LOG_UNIT_ID(unit),
1887 "EXECUTABLE=%s", command->path,
1888 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
1889 NULL);
1890 log_close();
1891 }
1892 }
1893
1894 execve(command->path, final_argv, final_env);
1895 *exit_status = EXIT_EXEC;
1896 return -errno;
1897 }
1898
1899 int exec_spawn(Unit *unit,
1900 ExecCommand *command,
1901 const ExecContext *context,
1902 const ExecParameters *params,
1903 ExecRuntime *runtime,
1904 pid_t *ret) {
1905
1906 _cleanup_strv_free_ char **files_env = NULL;
1907 int *fds = NULL; unsigned n_fds = 0;
1908 _cleanup_free_ char *line = NULL;
1909 int socket_fd, r;
1910 char **argv;
1911 pid_t pid;
1912
1913 assert(unit);
1914 assert(command);
1915 assert(context);
1916 assert(ret);
1917 assert(params);
1918 assert(params->fds || params->n_fds <= 0);
1919
1920 if (context->std_input == EXEC_INPUT_SOCKET ||
1921 context->std_output == EXEC_OUTPUT_SOCKET ||
1922 context->std_error == EXEC_OUTPUT_SOCKET) {
1923
1924 if (params->n_fds != 1) {
1925 log_unit_error(unit, "Got more than one socket.");
1926 return -EINVAL;
1927 }
1928
1929 socket_fd = params->fds[0];
1930 } else {
1931 socket_fd = -1;
1932 fds = params->fds;
1933 n_fds = params->n_fds;
1934 }
1935
1936 r = exec_context_load_environment(unit, context, &files_env);
1937 if (r < 0)
1938 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
1939
1940 argv = params->argv ?: command->argv;
1941 line = exec_command_line(argv);
1942 if (!line)
1943 return log_oom();
1944
1945 log_struct(LOG_DEBUG,
1946 LOG_UNIT_ID(unit),
1947 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
1948 "EXECUTABLE=%s", command->path,
1949 NULL);
1950 pid = fork();
1951 if (pid < 0)
1952 return log_unit_error_errno(unit, r, "Failed to fork: %m");
1953
1954 if (pid == 0) {
1955 int exit_status;
1956
1957 r = exec_child(unit,
1958 command,
1959 context,
1960 params,
1961 runtime,
1962 argv,
1963 socket_fd,
1964 fds, n_fds,
1965 files_env,
1966 &exit_status);
1967 if (r < 0) {
1968 log_open();
1969 log_struct_errno(LOG_ERR, r,
1970 LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
1971 LOG_UNIT_ID(unit),
1972 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
1973 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
1974 command->path),
1975 "EXECUTABLE=%s", command->path,
1976 NULL);
1977 }
1978
1979 _exit(exit_status);
1980 }
1981
1982 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
1983
1984 /* We add the new process to the cgroup both in the child (so
1985 * that we can be sure that no user code is ever executed
1986 * outside of the cgroup) and in the parent (so that we can be
1987 * sure that when we kill the cgroup the process will be
1988 * killed too). */
1989 if (params->cgroup_path)
1990 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
1991
1992 exec_status_start(&command->exec_status, pid);
1993
1994 *ret = pid;
1995 return 0;
1996 }
1997
1998 void exec_context_init(ExecContext *c) {
1999 assert(c);
2000
2001 c->umask = 0022;
2002 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
2003 c->cpu_sched_policy = SCHED_OTHER;
2004 c->syslog_priority = LOG_DAEMON|LOG_INFO;
2005 c->syslog_level_prefix = true;
2006 c->ignore_sigpipe = true;
2007 c->timer_slack_nsec = NSEC_INFINITY;
2008 c->personality = PERSONALITY_INVALID;
2009 c->runtime_directory_mode = 0755;
2010 }
2011
2012 void exec_context_done(ExecContext *c) {
2013 unsigned l;
2014
2015 assert(c);
2016
2017 c->environment = strv_free(c->environment);
2018 c->environment_files = strv_free(c->environment_files);
2019
2020 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
2021 c->rlimit[l] = mfree(c->rlimit[l]);
2022
2023 c->working_directory = mfree(c->working_directory);
2024 c->root_directory = mfree(c->root_directory);
2025 c->tty_path = mfree(c->tty_path);
2026 c->syslog_identifier = mfree(c->syslog_identifier);
2027 c->user = mfree(c->user);
2028 c->group = mfree(c->group);
2029
2030 c->supplementary_groups = strv_free(c->supplementary_groups);
2031
2032 c->pam_name = mfree(c->pam_name);
2033
2034 if (c->capabilities) {
2035 cap_free(c->capabilities);
2036 c->capabilities = NULL;
2037 }
2038
2039 c->read_only_dirs = strv_free(c->read_only_dirs);
2040 c->read_write_dirs = strv_free(c->read_write_dirs);
2041 c->inaccessible_dirs = strv_free(c->inaccessible_dirs);
2042
2043 if (c->cpuset)
2044 CPU_FREE(c->cpuset);
2045
2046 c->utmp_id = mfree(c->utmp_id);
2047 c->selinux_context = mfree(c->selinux_context);
2048 c->apparmor_profile = mfree(c->apparmor_profile);
2049
2050 c->syscall_filter = set_free(c->syscall_filter);
2051 c->syscall_archs = set_free(c->syscall_archs);
2052 c->address_families = set_free(c->address_families);
2053
2054 c->runtime_directory = strv_free(c->runtime_directory);
2055
2056 bus_endpoint_free(c->bus_endpoint);
2057 c->bus_endpoint = NULL;
2058 }
2059
2060 int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
2061 char **i;
2062
2063 assert(c);
2064
2065 if (!runtime_prefix)
2066 return 0;
2067
2068 STRV_FOREACH(i, c->runtime_directory) {
2069 _cleanup_free_ char *p;
2070
2071 p = strjoin(runtime_prefix, "/", *i, NULL);
2072 if (!p)
2073 return -ENOMEM;
2074
2075 /* We execute this synchronously, since we need to be
2076 * sure this is gone when we start the service
2077 * next. */
2078 (void) rm_rf(p, REMOVE_ROOT);
2079 }
2080
2081 return 0;
2082 }
2083
2084 void exec_command_done(ExecCommand *c) {
2085 assert(c);
2086
2087 c->path = mfree(c->path);
2088
2089 c->argv = strv_free(c->argv);
2090 }
2091
2092 void exec_command_done_array(ExecCommand *c, unsigned n) {
2093 unsigned i;
2094
2095 for (i = 0; i < n; i++)
2096 exec_command_done(c+i);
2097 }
2098
2099 ExecCommand* exec_command_free_list(ExecCommand *c) {
2100 ExecCommand *i;
2101
2102 while ((i = c)) {
2103 LIST_REMOVE(command, c, i);
2104 exec_command_done(i);
2105 free(i);
2106 }
2107
2108 return NULL;
2109 }
2110
2111 void exec_command_free_array(ExecCommand **c, unsigned n) {
2112 unsigned i;
2113
2114 for (i = 0; i < n; i++)
2115 c[i] = exec_command_free_list(c[i]);
2116 }
2117
2118 typedef struct InvalidEnvInfo {
2119 Unit *unit;
2120 const char *path;
2121 } InvalidEnvInfo;
2122
2123 static void invalid_env(const char *p, void *userdata) {
2124 InvalidEnvInfo *info = userdata;
2125
2126 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
2127 }
2128
2129 int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
2130 char **i, **r = NULL;
2131
2132 assert(c);
2133 assert(l);
2134
2135 STRV_FOREACH(i, c->environment_files) {
2136 char *fn;
2137 int k;
2138 bool ignore = false;
2139 char **p;
2140 _cleanup_globfree_ glob_t pglob = {};
2141 int count, n;
2142
2143 fn = *i;
2144
2145 if (fn[0] == '-') {
2146 ignore = true;
2147 fn ++;
2148 }
2149
2150 if (!path_is_absolute(fn)) {
2151 if (ignore)
2152 continue;
2153
2154 strv_free(r);
2155 return -EINVAL;
2156 }
2157
2158 /* Filename supports globbing, take all matching files */
2159 errno = 0;
2160 if (glob(fn, 0, NULL, &pglob) != 0) {
2161 if (ignore)
2162 continue;
2163
2164 strv_free(r);
2165 return errno ? -errno : -EINVAL;
2166 }
2167 count = pglob.gl_pathc;
2168 if (count == 0) {
2169 if (ignore)
2170 continue;
2171
2172 strv_free(r);
2173 return -EINVAL;
2174 }
2175 for (n = 0; n < count; n++) {
2176 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
2177 if (k < 0) {
2178 if (ignore)
2179 continue;
2180
2181 strv_free(r);
2182 return k;
2183 }
2184 /* Log invalid environment variables with filename */
2185 if (p) {
2186 InvalidEnvInfo info = {
2187 .unit = unit,
2188 .path = pglob.gl_pathv[n]
2189 };
2190
2191 p = strv_env_clean_with_callback(p, invalid_env, &info);
2192 }
2193
2194 if (r == NULL)
2195 r = p;
2196 else {
2197 char **m;
2198
2199 m = strv_env_merge(2, r, p);
2200 strv_free(r);
2201 strv_free(p);
2202 if (!m)
2203 return -ENOMEM;
2204
2205 r = m;
2206 }
2207 }
2208 }
2209
2210 *l = r;
2211
2212 return 0;
2213 }
2214
2215 static bool tty_may_match_dev_console(const char *tty) {
2216 _cleanup_free_ char *active = NULL;
2217 char *console;
2218
2219 if (startswith(tty, "/dev/"))
2220 tty += 5;
2221
2222 /* trivial identity? */
2223 if (streq(tty, "console"))
2224 return true;
2225
2226 console = resolve_dev_console(&active);
2227 /* if we could not resolve, assume it may */
2228 if (!console)
2229 return true;
2230
2231 /* "tty0" means the active VC, so it may be the same sometimes */
2232 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
2233 }
2234
2235 bool exec_context_may_touch_console(ExecContext *ec) {
2236 return (ec->tty_reset || ec->tty_vhangup || ec->tty_vt_disallocate ||
2237 is_terminal_input(ec->std_input) ||
2238 is_terminal_output(ec->std_output) ||
2239 is_terminal_output(ec->std_error)) &&
2240 tty_may_match_dev_console(tty_path(ec));
2241 }
2242
2243 static void strv_fprintf(FILE *f, char **l) {
2244 char **g;
2245
2246 assert(f);
2247
2248 STRV_FOREACH(g, l)
2249 fprintf(f, " %s", *g);
2250 }
2251
2252 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
2253 char **e;
2254 unsigned i;
2255
2256 assert(c);
2257 assert(f);
2258
2259 prefix = strempty(prefix);
2260
2261 fprintf(f,
2262 "%sUMask: %04o\n"
2263 "%sWorkingDirectory: %s\n"
2264 "%sRootDirectory: %s\n"
2265 "%sNonBlocking: %s\n"
2266 "%sPrivateTmp: %s\n"
2267 "%sPrivateNetwork: %s\n"
2268 "%sPrivateDevices: %s\n"
2269 "%sProtectHome: %s\n"
2270 "%sProtectSystem: %s\n"
2271 "%sIgnoreSIGPIPE: %s\n",
2272 prefix, c->umask,
2273 prefix, c->working_directory ? c->working_directory : "/",
2274 prefix, c->root_directory ? c->root_directory : "/",
2275 prefix, yes_no(c->non_blocking),
2276 prefix, yes_no(c->private_tmp),
2277 prefix, yes_no(c->private_network),
2278 prefix, yes_no(c->private_devices),
2279 prefix, protect_home_to_string(c->protect_home),
2280 prefix, protect_system_to_string(c->protect_system),
2281 prefix, yes_no(c->ignore_sigpipe));
2282
2283 STRV_FOREACH(e, c->environment)
2284 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
2285
2286 STRV_FOREACH(e, c->environment_files)
2287 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
2288
2289 if (c->nice_set)
2290 fprintf(f,
2291 "%sNice: %i\n",
2292 prefix, c->nice);
2293
2294 if (c->oom_score_adjust_set)
2295 fprintf(f,
2296 "%sOOMScoreAdjust: %i\n",
2297 prefix, c->oom_score_adjust);
2298
2299 for (i = 0; i < RLIM_NLIMITS; i++)
2300 if (c->rlimit[i])
2301 fprintf(f, "%s%s: "RLIM_FMT"\n",
2302 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
2303
2304 if (c->ioprio_set) {
2305 _cleanup_free_ char *class_str = NULL;
2306
2307 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
2308 fprintf(f,
2309 "%sIOSchedulingClass: %s\n"
2310 "%sIOPriority: %i\n",
2311 prefix, strna(class_str),
2312 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
2313 }
2314
2315 if (c->cpu_sched_set) {
2316 _cleanup_free_ char *policy_str = NULL;
2317
2318 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
2319 fprintf(f,
2320 "%sCPUSchedulingPolicy: %s\n"
2321 "%sCPUSchedulingPriority: %i\n"
2322 "%sCPUSchedulingResetOnFork: %s\n",
2323 prefix, strna(policy_str),
2324 prefix, c->cpu_sched_priority,
2325 prefix, yes_no(c->cpu_sched_reset_on_fork));
2326 }
2327
2328 if (c->cpuset) {
2329 fprintf(f, "%sCPUAffinity:", prefix);
2330 for (i = 0; i < c->cpuset_ncpus; i++)
2331 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
2332 fprintf(f, " %u", i);
2333 fputs("\n", f);
2334 }
2335
2336 if (c->timer_slack_nsec != NSEC_INFINITY)
2337 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
2338
2339 fprintf(f,
2340 "%sStandardInput: %s\n"
2341 "%sStandardOutput: %s\n"
2342 "%sStandardError: %s\n",
2343 prefix, exec_input_to_string(c->std_input),
2344 prefix, exec_output_to_string(c->std_output),
2345 prefix, exec_output_to_string(c->std_error));
2346
2347 if (c->tty_path)
2348 fprintf(f,
2349 "%sTTYPath: %s\n"
2350 "%sTTYReset: %s\n"
2351 "%sTTYVHangup: %s\n"
2352 "%sTTYVTDisallocate: %s\n",
2353 prefix, c->tty_path,
2354 prefix, yes_no(c->tty_reset),
2355 prefix, yes_no(c->tty_vhangup),
2356 prefix, yes_no(c->tty_vt_disallocate));
2357
2358 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
2359 c->std_output == EXEC_OUTPUT_KMSG ||
2360 c->std_output == EXEC_OUTPUT_JOURNAL ||
2361 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2362 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2363 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
2364 c->std_error == EXEC_OUTPUT_SYSLOG ||
2365 c->std_error == EXEC_OUTPUT_KMSG ||
2366 c->std_error == EXEC_OUTPUT_JOURNAL ||
2367 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2368 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2369 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
2370
2371 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
2372
2373 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
2374 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
2375
2376 fprintf(f,
2377 "%sSyslogFacility: %s\n"
2378 "%sSyslogLevel: %s\n",
2379 prefix, strna(fac_str),
2380 prefix, strna(lvl_str));
2381 }
2382
2383 if (c->capabilities) {
2384 _cleanup_cap_free_charp_ char *t;
2385
2386 t = cap_to_text(c->capabilities, NULL);
2387 if (t)
2388 fprintf(f, "%sCapabilities: %s\n", prefix, t);
2389 }
2390
2391 if (c->secure_bits)
2392 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
2393 prefix,
2394 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
2395 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
2396 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
2397 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
2398 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
2399 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
2400
2401 if (c->capability_bounding_set_drop) {
2402 unsigned long l;
2403 fprintf(f, "%sCapabilityBoundingSet:", prefix);
2404
2405 for (l = 0; l <= cap_last_cap(); l++)
2406 if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l)))
2407 fprintf(f, " %s", strna(capability_to_name(l)));
2408
2409 fputs("\n", f);
2410 }
2411
2412 if (c->user)
2413 fprintf(f, "%sUser: %s\n", prefix, c->user);
2414 if (c->group)
2415 fprintf(f, "%sGroup: %s\n", prefix, c->group);
2416
2417 if (strv_length(c->supplementary_groups) > 0) {
2418 fprintf(f, "%sSupplementaryGroups:", prefix);
2419 strv_fprintf(f, c->supplementary_groups);
2420 fputs("\n", f);
2421 }
2422
2423 if (c->pam_name)
2424 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
2425
2426 if (strv_length(c->read_write_dirs) > 0) {
2427 fprintf(f, "%sReadWriteDirs:", prefix);
2428 strv_fprintf(f, c->read_write_dirs);
2429 fputs("\n", f);
2430 }
2431
2432 if (strv_length(c->read_only_dirs) > 0) {
2433 fprintf(f, "%sReadOnlyDirs:", prefix);
2434 strv_fprintf(f, c->read_only_dirs);
2435 fputs("\n", f);
2436 }
2437
2438 if (strv_length(c->inaccessible_dirs) > 0) {
2439 fprintf(f, "%sInaccessibleDirs:", prefix);
2440 strv_fprintf(f, c->inaccessible_dirs);
2441 fputs("\n", f);
2442 }
2443
2444 if (c->utmp_id)
2445 fprintf(f,
2446 "%sUtmpIdentifier: %s\n",
2447 prefix, c->utmp_id);
2448
2449 if (c->selinux_context)
2450 fprintf(f,
2451 "%sSELinuxContext: %s%s\n",
2452 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
2453
2454 if (c->personality != PERSONALITY_INVALID)
2455 fprintf(f,
2456 "%sPersonality: %s\n",
2457 prefix, strna(personality_to_string(c->personality)));
2458
2459 if (c->syscall_filter) {
2460 #ifdef HAVE_SECCOMP
2461 Iterator j;
2462 void *id;
2463 bool first = true;
2464 #endif
2465
2466 fprintf(f,
2467 "%sSystemCallFilter: ",
2468 prefix);
2469
2470 if (!c->syscall_whitelist)
2471 fputc('~', f);
2472
2473 #ifdef HAVE_SECCOMP
2474 SET_FOREACH(id, c->syscall_filter, j) {
2475 _cleanup_free_ char *name = NULL;
2476
2477 if (first)
2478 first = false;
2479 else
2480 fputc(' ', f);
2481
2482 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
2483 fputs(strna(name), f);
2484 }
2485 #endif
2486
2487 fputc('\n', f);
2488 }
2489
2490 if (c->syscall_archs) {
2491 #ifdef HAVE_SECCOMP
2492 Iterator j;
2493 void *id;
2494 #endif
2495
2496 fprintf(f,
2497 "%sSystemCallArchitectures:",
2498 prefix);
2499
2500 #ifdef HAVE_SECCOMP
2501 SET_FOREACH(id, c->syscall_archs, j)
2502 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
2503 #endif
2504 fputc('\n', f);
2505 }
2506
2507 if (c->syscall_errno != 0)
2508 fprintf(f,
2509 "%sSystemCallErrorNumber: %s\n",
2510 prefix, strna(errno_to_name(c->syscall_errno)));
2511
2512 if (c->apparmor_profile)
2513 fprintf(f,
2514 "%sAppArmorProfile: %s%s\n",
2515 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
2516 }
2517
2518 bool exec_context_maintains_privileges(ExecContext *c) {
2519 assert(c);
2520
2521 /* Returns true if the process forked off would run run under
2522 * an unchanged UID or as root. */
2523
2524 if (!c->user)
2525 return true;
2526
2527 if (streq(c->user, "root") || streq(c->user, "0"))
2528 return true;
2529
2530 return false;
2531 }
2532
2533 void exec_status_start(ExecStatus *s, pid_t pid) {
2534 assert(s);
2535
2536 zero(*s);
2537 s->pid = pid;
2538 dual_timestamp_get(&s->start_timestamp);
2539 }
2540
2541 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
2542 assert(s);
2543
2544 if (s->pid && s->pid != pid)
2545 zero(*s);
2546
2547 s->pid = pid;
2548 dual_timestamp_get(&s->exit_timestamp);
2549
2550 s->code = code;
2551 s->status = status;
2552
2553 if (context) {
2554 if (context->utmp_id)
2555 utmp_put_dead_process(context->utmp_id, pid, code, status);
2556
2557 exec_context_tty_reset(context);
2558 }
2559 }
2560
2561 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
2562 char buf[FORMAT_TIMESTAMP_MAX];
2563
2564 assert(s);
2565 assert(f);
2566
2567 if (s->pid <= 0)
2568 return;
2569
2570 prefix = strempty(prefix);
2571
2572 fprintf(f,
2573 "%sPID: "PID_FMT"\n",
2574 prefix, s->pid);
2575
2576 if (s->start_timestamp.realtime > 0)
2577 fprintf(f,
2578 "%sStart Timestamp: %s\n",
2579 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
2580
2581 if (s->exit_timestamp.realtime > 0)
2582 fprintf(f,
2583 "%sExit Timestamp: %s\n"
2584 "%sExit Code: %s\n"
2585 "%sExit Status: %i\n",
2586 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
2587 prefix, sigchld_code_to_string(s->code),
2588 prefix, s->status);
2589 }
2590
2591 char *exec_command_line(char **argv) {
2592 size_t k;
2593 char *n, *p, **a;
2594 bool first = true;
2595
2596 assert(argv);
2597
2598 k = 1;
2599 STRV_FOREACH(a, argv)
2600 k += strlen(*a)+3;
2601
2602 if (!(n = new(char, k)))
2603 return NULL;
2604
2605 p = n;
2606 STRV_FOREACH(a, argv) {
2607
2608 if (!first)
2609 *(p++) = ' ';
2610 else
2611 first = false;
2612
2613 if (strpbrk(*a, WHITESPACE)) {
2614 *(p++) = '\'';
2615 p = stpcpy(p, *a);
2616 *(p++) = '\'';
2617 } else
2618 p = stpcpy(p, *a);
2619
2620 }
2621
2622 *p = 0;
2623
2624 /* FIXME: this doesn't really handle arguments that have
2625 * spaces and ticks in them */
2626
2627 return n;
2628 }
2629
2630 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
2631 _cleanup_free_ char *cmd = NULL;
2632 const char *prefix2;
2633
2634 assert(c);
2635 assert(f);
2636
2637 prefix = strempty(prefix);
2638 prefix2 = strjoina(prefix, "\t");
2639
2640 cmd = exec_command_line(c->argv);
2641 fprintf(f,
2642 "%sCommand Line: %s\n",
2643 prefix, cmd ? cmd : strerror(ENOMEM));
2644
2645 exec_status_dump(&c->exec_status, f, prefix2);
2646 }
2647
2648 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2649 assert(f);
2650
2651 prefix = strempty(prefix);
2652
2653 LIST_FOREACH(command, c, c)
2654 exec_command_dump(c, f, prefix);
2655 }
2656
2657 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
2658 ExecCommand *end;
2659
2660 assert(l);
2661 assert(e);
2662
2663 if (*l) {
2664 /* It's kind of important, that we keep the order here */
2665 LIST_FIND_TAIL(command, *l, end);
2666 LIST_INSERT_AFTER(command, *l, end, e);
2667 } else
2668 *l = e;
2669 }
2670
2671 int exec_command_set(ExecCommand *c, const char *path, ...) {
2672 va_list ap;
2673 char **l, *p;
2674
2675 assert(c);
2676 assert(path);
2677
2678 va_start(ap, path);
2679 l = strv_new_ap(path, ap);
2680 va_end(ap);
2681
2682 if (!l)
2683 return -ENOMEM;
2684
2685 p = strdup(path);
2686 if (!p) {
2687 strv_free(l);
2688 return -ENOMEM;
2689 }
2690
2691 free(c->path);
2692 c->path = p;
2693
2694 strv_free(c->argv);
2695 c->argv = l;
2696
2697 return 0;
2698 }
2699
2700 int exec_command_append(ExecCommand *c, const char *path, ...) {
2701 _cleanup_strv_free_ char **l = NULL;
2702 va_list ap;
2703 int r;
2704
2705 assert(c);
2706 assert(path);
2707
2708 va_start(ap, path);
2709 l = strv_new_ap(path, ap);
2710 va_end(ap);
2711
2712 if (!l)
2713 return -ENOMEM;
2714
2715 r = strv_extend_strv(&c->argv, l);
2716 if (r < 0)
2717 return r;
2718
2719 return 0;
2720 }
2721
2722
2723 static int exec_runtime_allocate(ExecRuntime **rt) {
2724
2725 if (*rt)
2726 return 0;
2727
2728 *rt = new0(ExecRuntime, 1);
2729 if (!*rt)
2730 return -ENOMEM;
2731
2732 (*rt)->n_ref = 1;
2733 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
2734
2735 return 0;
2736 }
2737
2738 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
2739 int r;
2740
2741 assert(rt);
2742 assert(c);
2743 assert(id);
2744
2745 if (*rt)
2746 return 1;
2747
2748 if (!c->private_network && !c->private_tmp)
2749 return 0;
2750
2751 r = exec_runtime_allocate(rt);
2752 if (r < 0)
2753 return r;
2754
2755 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
2756 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, (*rt)->netns_storage_socket) < 0)
2757 return -errno;
2758 }
2759
2760 if (c->private_tmp && !(*rt)->tmp_dir) {
2761 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
2762 if (r < 0)
2763 return r;
2764 }
2765
2766 return 1;
2767 }
2768
2769 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
2770 assert(r);
2771 assert(r->n_ref > 0);
2772
2773 r->n_ref++;
2774 return r;
2775 }
2776
2777 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
2778
2779 if (!r)
2780 return NULL;
2781
2782 assert(r->n_ref > 0);
2783
2784 r->n_ref--;
2785 if (r->n_ref > 0)
2786 return NULL;
2787
2788 free(r->tmp_dir);
2789 free(r->var_tmp_dir);
2790 safe_close_pair(r->netns_storage_socket);
2791 free(r);
2792
2793 return NULL;
2794 }
2795
2796 int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
2797 assert(u);
2798 assert(f);
2799 assert(fds);
2800
2801 if (!rt)
2802 return 0;
2803
2804 if (rt->tmp_dir)
2805 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
2806
2807 if (rt->var_tmp_dir)
2808 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
2809
2810 if (rt->netns_storage_socket[0] >= 0) {
2811 int copy;
2812
2813 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
2814 if (copy < 0)
2815 return copy;
2816
2817 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
2818 }
2819
2820 if (rt->netns_storage_socket[1] >= 0) {
2821 int copy;
2822
2823 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
2824 if (copy < 0)
2825 return copy;
2826
2827 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
2828 }
2829
2830 return 0;
2831 }
2832
2833 int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
2834 int r;
2835
2836 assert(rt);
2837 assert(key);
2838 assert(value);
2839
2840 if (streq(key, "tmp-dir")) {
2841 char *copy;
2842
2843 r = exec_runtime_allocate(rt);
2844 if (r < 0)
2845 return log_oom();
2846
2847 copy = strdup(value);
2848 if (!copy)
2849 return log_oom();
2850
2851 free((*rt)->tmp_dir);
2852 (*rt)->tmp_dir = copy;
2853
2854 } else if (streq(key, "var-tmp-dir")) {
2855 char *copy;
2856
2857 r = exec_runtime_allocate(rt);
2858 if (r < 0)
2859 return log_oom();
2860
2861 copy = strdup(value);
2862 if (!copy)
2863 return log_oom();
2864
2865 free((*rt)->var_tmp_dir);
2866 (*rt)->var_tmp_dir = copy;
2867
2868 } else if (streq(key, "netns-socket-0")) {
2869 int fd;
2870
2871 r = exec_runtime_allocate(rt);
2872 if (r < 0)
2873 return log_oom();
2874
2875 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2876 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
2877 else {
2878 safe_close((*rt)->netns_storage_socket[0]);
2879 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
2880 }
2881 } else if (streq(key, "netns-socket-1")) {
2882 int fd;
2883
2884 r = exec_runtime_allocate(rt);
2885 if (r < 0)
2886 return log_oom();
2887
2888 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2889 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
2890 else {
2891 safe_close((*rt)->netns_storage_socket[1]);
2892 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
2893 }
2894 } else
2895 return 0;
2896
2897 return 1;
2898 }
2899
2900 static void *remove_tmpdir_thread(void *p) {
2901 _cleanup_free_ char *path = p;
2902
2903 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
2904 return NULL;
2905 }
2906
2907 void exec_runtime_destroy(ExecRuntime *rt) {
2908 int r;
2909
2910 if (!rt)
2911 return;
2912
2913 /* If there are multiple users of this, let's leave the stuff around */
2914 if (rt->n_ref > 1)
2915 return;
2916
2917 if (rt->tmp_dir) {
2918 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
2919
2920 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
2921 if (r < 0) {
2922 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
2923 free(rt->tmp_dir);
2924 }
2925
2926 rt->tmp_dir = NULL;
2927 }
2928
2929 if (rt->var_tmp_dir) {
2930 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
2931
2932 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
2933 if (r < 0) {
2934 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
2935 free(rt->var_tmp_dir);
2936 }
2937
2938 rt->var_tmp_dir = NULL;
2939 }
2940
2941 safe_close_pair(rt->netns_storage_socket);
2942 }
2943
2944 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
2945 [EXEC_INPUT_NULL] = "null",
2946 [EXEC_INPUT_TTY] = "tty",
2947 [EXEC_INPUT_TTY_FORCE] = "tty-force",
2948 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
2949 [EXEC_INPUT_SOCKET] = "socket"
2950 };
2951
2952 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
2953
2954 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
2955 [EXEC_OUTPUT_INHERIT] = "inherit",
2956 [EXEC_OUTPUT_NULL] = "null",
2957 [EXEC_OUTPUT_TTY] = "tty",
2958 [EXEC_OUTPUT_SYSLOG] = "syslog",
2959 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
2960 [EXEC_OUTPUT_KMSG] = "kmsg",
2961 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
2962 [EXEC_OUTPUT_JOURNAL] = "journal",
2963 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
2964 [EXEC_OUTPUT_SOCKET] = "socket"
2965 };
2966
2967 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
2968
2969 static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
2970 [EXEC_UTMP_INIT] = "init",
2971 [EXEC_UTMP_LOGIN] = "login",
2972 [EXEC_UTMP_USER] = "user",
2973 };
2974
2975 DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
Unnamed repository; edit this file 'description' to name the repository.