]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/execute.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
shared: rework env file reader
[thirdparty/systemd.git] / src / core / execute.c
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2
3 /***
4 This file is part of systemd.
5
6 Copyright 2010 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
17
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 ***/
21
22 #include <assert.h>
23 #include <dirent.h>
24 #include <errno.h>
25 #include <fcntl.h>
26 #include <unistd.h>
27 #include <string.h>
28 #include <signal.h>
29 #include <sys/socket.h>
30 #include <sys/un.h>
31 #include <sys/prctl.h>
32 #include <linux/sched.h>
33 #include <sys/types.h>
34 #include <sys/stat.h>
35 #include <grp.h>
36 #include <pwd.h>
37 #include <sys/mount.h>
38 #include <linux/fs.h>
39 #include <linux/oom.h>
40 #include <sys/poll.h>
41 #include <linux/seccomp-bpf.h>
42 #include <glob.h>
43 #include <libgen.h>
44
45 #ifdef HAVE_PAM
46 #include <security/pam_appl.h>
47 #endif
48
49 #include "execute.h"
50 #include "strv.h"
51 #include "macro.h"
52 #include "capability.h"
53 #include "util.h"
54 #include "log.h"
55 #include "sd-messages.h"
56 #include "ioprio.h"
57 #include "securebits.h"
58 #include "cgroup.h"
59 #include "namespace.h"
60 #include "tcpwrap.h"
61 #include "exit-status.h"
62 #include "missing.h"
63 #include "utmp-wtmp.h"
64 #include "def.h"
65 #include "loopback-setup.h"
66 #include "path-util.h"
67 #include "syscall-list.h"
68 #include "env-util.h"
69 #include "fileio.h"
70
71 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
72
73 /* This assumes there is a 'tty' group */
74 #define TTY_MODE 0620
75
76 static int shift_fds(int fds[], unsigned n_fds) {
77 int start, restart_from;
78
79 if (n_fds <= 0)
80 return 0;
81
82 /* Modifies the fds array! (sorts it) */
83
84 assert(fds);
85
86 start = 0;
87 for (;;) {
88 int i;
89
90 restart_from = -1;
91
92 for (i = start; i < (int) n_fds; i++) {
93 int nfd;
94
95 /* Already at right index? */
96 if (fds[i] == i+3)
97 continue;
98
99 if ((nfd = fcntl(fds[i], F_DUPFD, i+3)) < 0)
100 return -errno;
101
102 close_nointr_nofail(fds[i]);
103 fds[i] = nfd;
104
105 /* Hmm, the fd we wanted isn't free? Then
106 * let's remember that and try again from here*/
107 if (nfd != i+3 && restart_from < 0)
108 restart_from = i;
109 }
110
111 if (restart_from < 0)
112 break;
113
114 start = restart_from;
115 }
116
117 return 0;
118 }
119
120 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
121 unsigned i;
122 int r;
123
124 if (n_fds <= 0)
125 return 0;
126
127 assert(fds);
128
129 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
130
131 for (i = 0; i < n_fds; i++) {
132
133 if ((r = fd_nonblock(fds[i], nonblock)) < 0)
134 return r;
135
136 /* We unconditionally drop FD_CLOEXEC from the fds,
137 * since after all we want to pass these fds to our
138 * children */
139
140 if ((r = fd_cloexec(fds[i], false)) < 0)
141 return r;
142 }
143
144 return 0;
145 }
146
147 static const char *tty_path(const ExecContext *context) {
148 assert(context);
149
150 if (context->tty_path)
151 return context->tty_path;
152
153 return "/dev/console";
154 }
155
156 void exec_context_tty_reset(const ExecContext *context) {
157 assert(context);
158
159 if (context->tty_vhangup)
160 terminal_vhangup(tty_path(context));
161
162 if (context->tty_reset)
163 reset_terminal(tty_path(context));
164
165 if (context->tty_vt_disallocate && context->tty_path)
166 vt_disallocate(context->tty_path);
167 }
168
169 static bool is_terminal_output(ExecOutput o) {
170 return
171 o == EXEC_OUTPUT_TTY ||
172 o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
173 o == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
174 o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE;
175 }
176
177 void exec_context_serialize(const ExecContext *context, Unit *u, FILE *f) {
178 assert(context);
179 assert(u);
180 assert(f);
181
182 if (context->tmp_dir)
183 unit_serialize_item(u, f, "tmp-dir", context->tmp_dir);
184
185 if (context->var_tmp_dir)
186 unit_serialize_item(u, f, "var-tmp-dir", context->var_tmp_dir);
187 }
188
189 static int open_null_as(int flags, int nfd) {
190 int fd, r;
191
192 assert(nfd >= 0);
193
194 if ((fd = open("/dev/null", flags|O_NOCTTY)) < 0)
195 return -errno;
196
197 if (fd != nfd) {
198 r = dup2(fd, nfd) < 0 ? -errno : nfd;
199 close_nointr_nofail(fd);
200 } else
201 r = nfd;
202
203 return r;
204 }
205
206 static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd) {
207 int fd, r;
208 union sockaddr_union sa;
209
210 assert(context);
211 assert(output < _EXEC_OUTPUT_MAX);
212 assert(ident);
213 assert(nfd >= 0);
214
215 fd = socket(AF_UNIX, SOCK_STREAM, 0);
216 if (fd < 0)
217 return -errno;
218
219 zero(sa);
220 sa.un.sun_family = AF_UNIX;
221 strncpy(sa.un.sun_path, "/run/systemd/journal/stdout", sizeof(sa.un.sun_path));
222
223 r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path));
224 if (r < 0) {
225 close_nointr_nofail(fd);
226 return -errno;
227 }
228
229 if (shutdown(fd, SHUT_RD) < 0) {
230 close_nointr_nofail(fd);
231 return -errno;
232 }
233
234 dprintf(fd,
235 "%s\n"
236 "%s\n"
237 "%i\n"
238 "%i\n"
239 "%i\n"
240 "%i\n"
241 "%i\n",
242 context->syslog_identifier ? context->syslog_identifier : ident,
243 unit_id,
244 context->syslog_priority,
245 !!context->syslog_level_prefix,
246 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
247 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
248 is_terminal_output(output));
249
250 if (fd != nfd) {
251 r = dup2(fd, nfd) < 0 ? -errno : nfd;
252 close_nointr_nofail(fd);
253 } else
254 r = nfd;
255
256 return r;
257 }
258 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
259 int fd, r;
260
261 assert(path);
262 assert(nfd >= 0);
263
264 if ((fd = open_terminal(path, mode | O_NOCTTY)) < 0)
265 return fd;
266
267 if (fd != nfd) {
268 r = dup2(fd, nfd) < 0 ? -errno : nfd;
269 close_nointr_nofail(fd);
270 } else
271 r = nfd;
272
273 return r;
274 }
275
276 static bool is_terminal_input(ExecInput i) {
277 return
278 i == EXEC_INPUT_TTY ||
279 i == EXEC_INPUT_TTY_FORCE ||
280 i == EXEC_INPUT_TTY_FAIL;
281 }
282
283 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
284
285 if (is_terminal_input(std_input) && !apply_tty_stdin)
286 return EXEC_INPUT_NULL;
287
288 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
289 return EXEC_INPUT_NULL;
290
291 return std_input;
292 }
293
294 static int fixup_output(ExecOutput std_output, int socket_fd) {
295
296 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
297 return EXEC_OUTPUT_INHERIT;
298
299 return std_output;
300 }
301
302 static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty_stdin) {
303 ExecInput i;
304
305 assert(context);
306
307 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
308
309 switch (i) {
310
311 case EXEC_INPUT_NULL:
312 return open_null_as(O_RDONLY, STDIN_FILENO);
313
314 case EXEC_INPUT_TTY:
315 case EXEC_INPUT_TTY_FORCE:
316 case EXEC_INPUT_TTY_FAIL: {
317 int fd, r;
318
319 if ((fd = acquire_terminal(
320 tty_path(context),
321 i == EXEC_INPUT_TTY_FAIL,
322 i == EXEC_INPUT_TTY_FORCE,
323 false,
324 (usec_t) -1)) < 0)
325 return fd;
326
327 if (fd != STDIN_FILENO) {
328 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
329 close_nointr_nofail(fd);
330 } else
331 r = STDIN_FILENO;
332
333 return r;
334 }
335
336 case EXEC_INPUT_SOCKET:
337 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
338
339 default:
340 assert_not_reached("Unknown input type");
341 }
342 }
343
344 static int setup_output(const ExecContext *context, int fileno, int socket_fd, const char *ident, const char *unit_id, bool apply_tty_stdin) {
345 ExecOutput o;
346 ExecInput i;
347 int r;
348
349 assert(context);
350 assert(ident);
351
352 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
353 o = fixup_output(context->std_output, socket_fd);
354
355 if (fileno == STDERR_FILENO) {
356 ExecOutput e;
357 e = fixup_output(context->std_error, socket_fd);
358
359 /* This expects the input and output are already set up */
360
361 /* Don't change the stderr file descriptor if we inherit all
362 * the way and are not on a tty */
363 if (e == EXEC_OUTPUT_INHERIT &&
364 o == EXEC_OUTPUT_INHERIT &&
365 i == EXEC_INPUT_NULL &&
366 !is_terminal_input(context->std_input) &&
367 getppid () != 1)
368 return fileno;
369
370 /* Duplicate from stdout if possible */
371 if (e == o || e == EXEC_OUTPUT_INHERIT)
372 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
373
374 o = e;
375
376 } else if (o == EXEC_OUTPUT_INHERIT) {
377 /* If input got downgraded, inherit the original value */
378 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
379 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
380
381 /* If the input is connected to anything that's not a /dev/null, inherit that... */
382 if (i != EXEC_INPUT_NULL)
383 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
384
385 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
386 if (getppid() != 1)
387 return fileno;
388
389 /* We need to open /dev/null here anew, to get the right access mode. */
390 return open_null_as(O_WRONLY, fileno);
391 }
392
393 switch (o) {
394
395 case EXEC_OUTPUT_NULL:
396 return open_null_as(O_WRONLY, fileno);
397
398 case EXEC_OUTPUT_TTY:
399 if (is_terminal_input(i))
400 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
401
402 /* We don't reset the terminal if this is just about output */
403 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
404
405 case EXEC_OUTPUT_SYSLOG:
406 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
407 case EXEC_OUTPUT_KMSG:
408 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
409 case EXEC_OUTPUT_JOURNAL:
410 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
411 r = connect_logger_as(context, o, ident, unit_id, fileno);
412 if (r < 0) {
413 log_struct_unit(LOG_CRIT, unit_id,
414 "MESSAGE=Failed to connect std%s of %s to the journal socket: %s",
415 fileno == STDOUT_FILENO ? "out" : "err",
416 unit_id, strerror(-r),
417 "ERRNO=%d", -r,
418 NULL);
419 r = open_null_as(O_WRONLY, fileno);
420 }
421 return r;
422
423 case EXEC_OUTPUT_SOCKET:
424 assert(socket_fd >= 0);
425 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
426
427 default:
428 assert_not_reached("Unknown error type");
429 }
430 }
431
432 static int chown_terminal(int fd, uid_t uid) {
433 struct stat st;
434
435 assert(fd >= 0);
436
437 /* This might fail. What matters are the results. */
438 (void) fchown(fd, uid, -1);
439 (void) fchmod(fd, TTY_MODE);
440
441 if (fstat(fd, &st) < 0)
442 return -errno;
443
444 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
445 return -EPERM;
446
447 return 0;
448 }
449
450 static int setup_confirm_stdio(int *_saved_stdin,
451 int *_saved_stdout) {
452 int fd = -1, saved_stdin, saved_stdout = -1, r;
453
454 assert(_saved_stdin);
455 assert(_saved_stdout);
456
457 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
458 if (saved_stdin < 0)
459 return -errno;
460
461 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
462 if (saved_stdout < 0) {
463 r = errno;
464 goto fail;
465 }
466
467 fd = acquire_terminal(
468 "/dev/console",
469 false,
470 false,
471 false,
472 DEFAULT_CONFIRM_USEC);
473 if (fd < 0) {
474 r = fd;
475 goto fail;
476 }
477
478 r = chown_terminal(fd, getuid());
479 if (r < 0)
480 goto fail;
481
482 if (dup2(fd, STDIN_FILENO) < 0) {
483 r = -errno;
484 goto fail;
485 }
486
487 if (dup2(fd, STDOUT_FILENO) < 0) {
488 r = -errno;
489 goto fail;
490 }
491
492 if (fd >= 2)
493 close_nointr_nofail(fd);
494
495 *_saved_stdin = saved_stdin;
496 *_saved_stdout = saved_stdout;
497
498 return 0;
499
500 fail:
501 if (saved_stdout >= 0)
502 close_nointr_nofail(saved_stdout);
503
504 if (saved_stdin >= 0)
505 close_nointr_nofail(saved_stdin);
506
507 if (fd >= 0)
508 close_nointr_nofail(fd);
509
510 return r;
511 }
512
513 static int write_confirm_message(const char *format, ...) {
514 int fd;
515 va_list ap;
516
517 assert(format);
518
519 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
520 if (fd < 0)
521 return fd;
522
523 va_start(ap, format);
524 vdprintf(fd, format, ap);
525 va_end(ap);
526
527 close_nointr_nofail(fd);
528
529 return 0;
530 }
531
532 static int restore_confirm_stdio(int *saved_stdin,
533 int *saved_stdout) {
534
535 int r = 0;
536
537 assert(saved_stdin);
538 assert(saved_stdout);
539
540 release_terminal();
541
542 if (*saved_stdin >= 0)
543 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
544 r = -errno;
545
546 if (*saved_stdout >= 0)
547 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
548 r = -errno;
549
550 if (*saved_stdin >= 0)
551 close_nointr_nofail(*saved_stdin);
552
553 if (*saved_stdout >= 0)
554 close_nointr_nofail(*saved_stdout);
555
556 return r;
557 }
558
559 static int ask_for_confirmation(char *response, char **argv) {
560 int saved_stdout = -1, saved_stdin = -1, r;
561 char *line;
562
563 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
564 if (r < 0)
565 return r;
566
567 line = exec_command_line(argv);
568 if (!line)
569 return -ENOMEM;
570
571 r = ask(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
572 free(line);
573
574 restore_confirm_stdio(&saved_stdin, &saved_stdout);
575
576 return r;
577 }
578
579 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
580 bool keep_groups = false;
581 int r;
582
583 assert(context);
584
585 /* Lookup and set GID and supplementary group list. Here too
586 * we avoid NSS lookups for gid=0. */
587
588 if (context->group || username) {
589
590 if (context->group) {
591 const char *g = context->group;
592
593 if ((r = get_group_creds(&g, &gid)) < 0)
594 return r;
595 }
596
597 /* First step, initialize groups from /etc/groups */
598 if (username && gid != 0) {
599 if (initgroups(username, gid) < 0)
600 return -errno;
601
602 keep_groups = true;
603 }
604
605 /* Second step, set our gids */
606 if (setresgid(gid, gid, gid) < 0)
607 return -errno;
608 }
609
610 if (context->supplementary_groups) {
611 int ngroups_max, k;
612 gid_t *gids;
613 char **i;
614
615 /* Final step, initialize any manually set supplementary groups */
616 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
617
618 if (!(gids = new(gid_t, ngroups_max)))
619 return -ENOMEM;
620
621 if (keep_groups) {
622 if ((k = getgroups(ngroups_max, gids)) < 0) {
623 free(gids);
624 return -errno;
625 }
626 } else
627 k = 0;
628
629 STRV_FOREACH(i, context->supplementary_groups) {
630 const char *g;
631
632 if (k >= ngroups_max) {
633 free(gids);
634 return -E2BIG;
635 }
636
637 g = *i;
638 r = get_group_creds(&g, gids+k);
639 if (r < 0) {
640 free(gids);
641 return r;
642 }
643
644 k++;
645 }
646
647 if (setgroups(k, gids) < 0) {
648 free(gids);
649 return -errno;
650 }
651
652 free(gids);
653 }
654
655 return 0;
656 }
657
658 static int enforce_user(const ExecContext *context, uid_t uid) {
659 int r;
660 assert(context);
661
662 /* Sets (but doesn't lookup) the uid and make sure we keep the
663 * capabilities while doing so. */
664
665 if (context->capabilities) {
666 cap_t d;
667 static const cap_value_t bits[] = {
668 CAP_SETUID, /* Necessary so that we can run setresuid() below */
669 CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
670 };
671
672 /* First step: If we need to keep capabilities but
673 * drop privileges we need to make sure we keep our
674 * caps, while we drop privileges. */
675 if (uid != 0) {
676 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
677
678 if (prctl(PR_GET_SECUREBITS) != sb)
679 if (prctl(PR_SET_SECUREBITS, sb) < 0)
680 return -errno;
681 }
682
683 /* Second step: set the capabilities. This will reduce
684 * the capabilities to the minimum we need. */
685
686 if (!(d = cap_dup(context->capabilities)))
687 return -errno;
688
689 if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
690 cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0) {
691 r = -errno;
692 cap_free(d);
693 return r;
694 }
695
696 if (cap_set_proc(d) < 0) {
697 r = -errno;
698 cap_free(d);
699 return r;
700 }
701
702 cap_free(d);
703 }
704
705 /* Third step: actually set the uids */
706 if (setresuid(uid, uid, uid) < 0)
707 return -errno;
708
709 /* At this point we should have all necessary capabilities but
710 are otherwise a normal user. However, the caps might got
711 corrupted due to the setresuid() so we need clean them up
712 later. This is done outside of this call. */
713
714 return 0;
715 }
716
717 #ifdef HAVE_PAM
718
719 static int null_conv(
720 int num_msg,
721 const struct pam_message **msg,
722 struct pam_response **resp,
723 void *appdata_ptr) {
724
725 /* We don't support conversations */
726
727 return PAM_CONV_ERR;
728 }
729
730 static int setup_pam(
731 const char *name,
732 const char *user,
733 uid_t uid,
734 const char *tty,
735 char ***pam_env,
736 int fds[], unsigned n_fds) {
737
738 static const struct pam_conv conv = {
739 .conv = null_conv,
740 .appdata_ptr = NULL
741 };
742
743 pam_handle_t *handle = NULL;
744 sigset_t ss, old_ss;
745 int pam_code = PAM_SUCCESS;
746 int err;
747 char **e = NULL;
748 bool close_session = false;
749 pid_t pam_pid = 0, parent_pid;
750
751 assert(name);
752 assert(user);
753 assert(pam_env);
754
755 /* We set up PAM in the parent process, then fork. The child
756 * will then stay around until killed via PR_GET_PDEATHSIG or
757 * systemd via the cgroup logic. It will then remove the PAM
758 * session again. The parent process will exec() the actual
759 * daemon. We do things this way to ensure that the main PID
760 * of the daemon is the one we initially fork()ed. */
761
762 if ((pam_code = pam_start(name, user, &conv, &handle)) != PAM_SUCCESS) {
763 handle = NULL;
764 goto fail;
765 }
766
767 if (tty)
768 if ((pam_code = pam_set_item(handle, PAM_TTY, tty)) != PAM_SUCCESS)
769 goto fail;
770
771 if ((pam_code = pam_acct_mgmt(handle, PAM_SILENT)) != PAM_SUCCESS)
772 goto fail;
773
774 if ((pam_code = pam_open_session(handle, PAM_SILENT)) != PAM_SUCCESS)
775 goto fail;
776
777 close_session = true;
778
779 if ((!(e = pam_getenvlist(handle)))) {
780 pam_code = PAM_BUF_ERR;
781 goto fail;
782 }
783
784 /* Block SIGTERM, so that we know that it won't get lost in
785 * the child */
786 if (sigemptyset(&ss) < 0 ||
787 sigaddset(&ss, SIGTERM) < 0 ||
788 sigprocmask(SIG_BLOCK, &ss, &old_ss) < 0)
789 goto fail;
790
791 parent_pid = getpid();
792
793 if ((pam_pid = fork()) < 0)
794 goto fail;
795
796 if (pam_pid == 0) {
797 int sig;
798 int r = EXIT_PAM;
799
800 /* The child's job is to reset the PAM session on
801 * termination */
802
803 /* This string must fit in 10 chars (i.e. the length
804 * of "/sbin/init"), to look pretty in /bin/ps */
805 rename_process("(sd-pam)");
806
807 /* Make sure we don't keep open the passed fds in this
808 child. We assume that otherwise only those fds are
809 open here that have been opened by PAM. */
810 close_many(fds, n_fds);
811
812 /* Drop privileges - we don't need any to pam_close_session
813 * and this will make PR_SET_PDEATHSIG work in most cases.
814 * If this fails, ignore the error - but expect sd-pam threads
815 * to fail to exit normally */
816 if (setresuid(uid, uid, uid) < 0)
817 log_error("Error: Failed to setresuid() in sd-pam: %s", strerror(-r));
818
819 /* Wait until our parent died. This will only work if
820 * the above setresuid() succeeds, otherwise the kernel
821 * will not allow unprivileged parents kill their privileged
822 * children this way. We rely on the control groups kill logic
823 * to do the rest for us. */
824 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
825 goto child_finish;
826
827 /* Check if our parent process might already have
828 * died? */
829 if (getppid() == parent_pid) {
830 for (;;) {
831 if (sigwait(&ss, &sig) < 0) {
832 if (errno == EINTR)
833 continue;
834
835 goto child_finish;
836 }
837
838 assert(sig == SIGTERM);
839 break;
840 }
841 }
842
843 /* If our parent died we'll end the session */
844 if (getppid() != parent_pid)
845 if ((pam_code = pam_close_session(handle, PAM_DATA_SILENT)) != PAM_SUCCESS)
846 goto child_finish;
847
848 r = 0;
849
850 child_finish:
851 pam_end(handle, pam_code | PAM_DATA_SILENT);
852 _exit(r);
853 }
854
855 /* If the child was forked off successfully it will do all the
856 * cleanups, so forget about the handle here. */
857 handle = NULL;
858
859 /* Unblock SIGTERM again in the parent */
860 if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0)
861 goto fail;
862
863 /* We close the log explicitly here, since the PAM modules
864 * might have opened it, but we don't want this fd around. */
865 closelog();
866
867 *pam_env = e;
868 e = NULL;
869
870 return 0;
871
872 fail:
873 if (pam_code != PAM_SUCCESS)
874 err = -EPERM; /* PAM errors do not map to errno */
875 else
876 err = -errno;
877
878 if (handle) {
879 if (close_session)
880 pam_code = pam_close_session(handle, PAM_DATA_SILENT);
881
882 pam_end(handle, pam_code | PAM_DATA_SILENT);
883 }
884
885 strv_free(e);
886
887 closelog();
888
889 if (pam_pid > 1) {
890 kill(pam_pid, SIGTERM);
891 kill(pam_pid, SIGCONT);
892 }
893
894 return err;
895 }
896 #endif
897
898 static void rename_process_from_path(const char *path) {
899 char process_name[11];
900 const char *p;
901 size_t l;
902
903 /* This resulting string must fit in 10 chars (i.e. the length
904 * of "/sbin/init") to look pretty in /bin/ps */
905
906 p = path_get_file_name(path);
907 if (isempty(p)) {
908 rename_process("(...)");
909 return;
910 }
911
912 l = strlen(p);
913 if (l > 8) {
914 /* The end of the process name is usually more
915 * interesting, since the first bit might just be
916 * "systemd-" */
917 p = p + l - 8;
918 l = 8;
919 }
920
921 process_name[0] = '(';
922 memcpy(process_name+1, p, l);
923 process_name[1+l] = ')';
924 process_name[1+l+1] = 0;
925
926 rename_process(process_name);
927 }
928
929 static int apply_seccomp(uint32_t *syscall_filter) {
930 static const struct sock_filter header[] = {
931 VALIDATE_ARCHITECTURE,
932 EXAMINE_SYSCALL
933 };
934 static const struct sock_filter footer[] = {
935 _KILL_PROCESS
936 };
937
938 int i;
939 unsigned n;
940 struct sock_filter *f;
941 struct sock_fprog prog;
942
943 assert(syscall_filter);
944
945 /* First: count the syscalls to check for */
946 for (i = 0, n = 0; i < syscall_max(); i++)
947 if (syscall_filter[i >> 4] & (1 << (i & 31)))
948 n++;
949
950 /* Second: build the filter program from a header the syscall
951 * matches and the footer */
952 f = alloca(sizeof(struct sock_filter) * (ELEMENTSOF(header) + 2*n + ELEMENTSOF(footer)));
953 memcpy(f, header, sizeof(header));
954
955 for (i = 0, n = 0; i < syscall_max(); i++)
956 if (syscall_filter[i >> 4] & (1 << (i & 31))) {
957 struct sock_filter item[] = {
958 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, INDEX_TO_SYSCALL(i), 0, 1),
959 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
960 };
961
962 assert_cc(ELEMENTSOF(item) == 2);
963
964 f[ELEMENTSOF(header) + 2*n] = item[0];
965 f[ELEMENTSOF(header) + 2*n+1] = item[1];
966
967 n++;
968 }
969
970 memcpy(f + (ELEMENTSOF(header) + 2*n), footer, sizeof(footer));
971
972 /* Third: install the filter */
973 zero(prog);
974 prog.len = ELEMENTSOF(header) + ELEMENTSOF(footer) + 2*n;
975 prog.filter = f;
976 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0)
977 return -errno;
978
979 return 0;
980 }
981
982 int exec_spawn(ExecCommand *command,
983 char **argv,
984 ExecContext *context,
985 int fds[], unsigned n_fds,
986 char **environment,
987 bool apply_permissions,
988 bool apply_chroot,
989 bool apply_tty_stdin,
990 bool confirm_spawn,
991 CGroupBonding *cgroup_bondings,
992 CGroupAttribute *cgroup_attributes,
993 const char *cgroup_suffix,
994 const char *unit_id,
995 int idle_pipe[2],
996 pid_t *ret) {
997
998 pid_t pid;
999 int r;
1000 char *line;
1001 int socket_fd;
1002 char _cleanup_strv_free_ **files_env = NULL;
1003
1004 assert(command);
1005 assert(context);
1006 assert(ret);
1007 assert(fds || n_fds <= 0);
1008
1009 if (context->std_input == EXEC_INPUT_SOCKET ||
1010 context->std_output == EXEC_OUTPUT_SOCKET ||
1011 context->std_error == EXEC_OUTPUT_SOCKET) {
1012
1013 if (n_fds != 1)
1014 return -EINVAL;
1015
1016 socket_fd = fds[0];
1017
1018 fds = NULL;
1019 n_fds = 0;
1020 } else
1021 socket_fd = -1;
1022
1023 r = exec_context_load_environment(context, &files_env);
1024 if (r < 0) {
1025 log_struct_unit(LOG_ERR,
1026 unit_id,
1027 "MESSAGE=Failed to load environment files: %s", strerror(-r),
1028 "ERRNO=%d", -r,
1029 NULL);
1030 return r;
1031 }
1032
1033 if (!argv)
1034 argv = command->argv;
1035
1036 line = exec_command_line(argv);
1037 if (!line)
1038 return log_oom();
1039
1040 log_struct_unit(LOG_DEBUG,
1041 unit_id,
1042 "MESSAGE=About to execute %s", line,
1043 NULL);
1044 free(line);
1045
1046 r = cgroup_bonding_realize_list(cgroup_bondings);
1047 if (r < 0)
1048 return r;
1049
1050 cgroup_attribute_apply_list(cgroup_attributes, cgroup_bondings);
1051
1052 if (context->private_tmp && !context->tmp_dir && !context->var_tmp_dir) {
1053 r = setup_tmpdirs(&context->tmp_dir, &context->var_tmp_dir);
1054 if (r < 0)
1055 return r;
1056 }
1057
1058 pid = fork();
1059 if (pid < 0)
1060 return -errno;
1061
1062 if (pid == 0) {
1063 int i, err;
1064 sigset_t ss;
1065 const char *username = NULL, *home = NULL;
1066 uid_t uid = (uid_t) -1;
1067 gid_t gid = (gid_t) -1;
1068 char _cleanup_strv_free_ **our_env = NULL, **pam_env = NULL,
1069 **final_env = NULL, **final_argv = NULL;
1070 unsigned n_env = 0;
1071 bool set_access = false;
1072
1073 /* child */
1074
1075 rename_process_from_path(command->path);
1076
1077 /* We reset exactly these signals, since they are the
1078 * only ones we set to SIG_IGN in the main daemon. All
1079 * others we leave untouched because we set them to
1080 * SIG_DFL or a valid handler initially, both of which
1081 * will be demoted to SIG_DFL. */
1082 default_signals(SIGNALS_CRASH_HANDLER,
1083 SIGNALS_IGNORE, -1);
1084
1085 if (context->ignore_sigpipe)
1086 ignore_signals(SIGPIPE, -1);
1087
1088 assert_se(sigemptyset(&ss) == 0);
1089 if (sigprocmask(SIG_SETMASK, &ss, NULL) < 0) {
1090 err = -errno;
1091 r = EXIT_SIGNAL_MASK;
1092 goto fail_child;
1093 }
1094
1095 if (idle_pipe) {
1096 if (idle_pipe[1] >= 0)
1097 close_nointr_nofail(idle_pipe[1]);
1098 if (idle_pipe[0] >= 0) {
1099 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1100 close_nointr_nofail(idle_pipe[0]);
1101 }
1102 }
1103
1104 /* Close sockets very early to make sure we don't
1105 * block init reexecution because it cannot bind its
1106 * sockets */
1107 log_forget_fds();
1108 err = close_all_fds(socket_fd >= 0 ? &socket_fd : fds,
1109 socket_fd >= 0 ? 1 : n_fds);
1110 if (err < 0) {
1111 r = EXIT_FDS;
1112 goto fail_child;
1113 }
1114
1115 if (!context->same_pgrp)
1116 if (setsid() < 0) {
1117 err = -errno;
1118 r = EXIT_SETSID;
1119 goto fail_child;
1120 }
1121
1122 if (context->tcpwrap_name) {
1123 if (socket_fd >= 0)
1124 if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) {
1125 err = -EACCES;
1126 r = EXIT_TCPWRAP;
1127 goto fail_child;
1128 }
1129
1130 for (i = 0; i < (int) n_fds; i++) {
1131 if (!socket_tcpwrap(fds[i], context->tcpwrap_name)) {
1132 err = -EACCES;
1133 r = EXIT_TCPWRAP;
1134 goto fail_child;
1135 }
1136 }
1137 }
1138
1139 exec_context_tty_reset(context);
1140
1141 if (confirm_spawn) {
1142 char response;
1143
1144 err = ask_for_confirmation(&response, argv);
1145 if (err == -ETIMEDOUT)
1146 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
1147 else if (err < 0)
1148 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-err));
1149 else if (response == 's') {
1150 write_confirm_message("Skipping execution.\n");
1151 err = -ECANCELED;
1152 r = EXIT_CONFIRM;
1153 goto fail_child;
1154 } else if (response == 'n') {
1155 write_confirm_message("Failing execution.\n");
1156 err = r = 0;
1157 goto fail_child;
1158 }
1159 }
1160
1161 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1162 * must sure to drop O_NONBLOCK */
1163 if (socket_fd >= 0)
1164 fd_nonblock(socket_fd, false);
1165
1166 err = setup_input(context, socket_fd, apply_tty_stdin);
1167 if (err < 0) {
1168 r = EXIT_STDIN;
1169 goto fail_child;
1170 }
1171
1172 err = setup_output(context, STDOUT_FILENO, socket_fd, path_get_file_name(command->path), unit_id, apply_tty_stdin);
1173 if (err < 0) {
1174 r = EXIT_STDOUT;
1175 goto fail_child;
1176 }
1177
1178 err = setup_output(context, STDERR_FILENO, socket_fd, path_get_file_name(command->path), unit_id, apply_tty_stdin);
1179 if (err < 0) {
1180 r = EXIT_STDERR;
1181 goto fail_child;
1182 }
1183
1184 if (cgroup_bondings) {
1185 err = cgroup_bonding_install_list(cgroup_bondings, 0, cgroup_suffix);
1186 if (err < 0) {
1187 r = EXIT_CGROUP;
1188 goto fail_child;
1189 }
1190 }
1191
1192 if (context->oom_score_adjust_set) {
1193 char t[16];
1194
1195 snprintf(t, sizeof(t), "%i", context->oom_score_adjust);
1196 char_array_0(t);
1197
1198 if (write_string_file("/proc/self/oom_score_adj", t) < 0) {
1199 err = -errno;
1200 r = EXIT_OOM_ADJUST;
1201 goto fail_child;
1202 }
1203 }
1204
1205 if (context->nice_set)
1206 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
1207 err = -errno;
1208 r = EXIT_NICE;
1209 goto fail_child;
1210 }
1211
1212 if (context->cpu_sched_set) {
1213 struct sched_param param;
1214
1215 zero(param);
1216 param.sched_priority = context->cpu_sched_priority;
1217
1218 r = sched_setscheduler(0,
1219 context->cpu_sched_policy |
1220 (context->cpu_sched_reset_on_fork ?
1221 SCHED_RESET_ON_FORK : 0),
1222 &param);
1223 if (r < 0) {
1224 err = -errno;
1225 r = EXIT_SETSCHEDULER;
1226 goto fail_child;
1227 }
1228 }
1229
1230 if (context->cpuset)
1231 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
1232 err = -errno;
1233 r = EXIT_CPUAFFINITY;
1234 goto fail_child;
1235 }
1236
1237 if (context->ioprio_set)
1238 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
1239 err = -errno;
1240 r = EXIT_IOPRIO;
1241 goto fail_child;
1242 }
1243
1244 if (context->timer_slack_nsec != (nsec_t) -1)
1245 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
1246 err = -errno;
1247 r = EXIT_TIMERSLACK;
1248 goto fail_child;
1249 }
1250
1251 if (context->utmp_id)
1252 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path);
1253
1254 if (context->user) {
1255 username = context->user;
1256 err = get_user_creds(&username, &uid, &gid, &home, NULL);
1257 if (err < 0) {
1258 r = EXIT_USER;
1259 goto fail_child;
1260 }
1261
1262 if (is_terminal_input(context->std_input)) {
1263 err = chown_terminal(STDIN_FILENO, uid);
1264 if (err < 0) {
1265 r = EXIT_STDIN;
1266 goto fail_child;
1267 }
1268 }
1269
1270 if (cgroup_bondings && context->control_group_modify) {
1271 err = cgroup_bonding_set_group_access_list(cgroup_bondings, 0755, uid, gid);
1272 if (err >= 0)
1273 err = cgroup_bonding_set_task_access_list(cgroup_bondings, 0644, uid, gid, context->control_group_persistent);
1274 if (err < 0) {
1275 r = EXIT_CGROUP;
1276 goto fail_child;
1277 }
1278
1279 set_access = true;
1280 }
1281 }
1282
1283 if (cgroup_bondings && !set_access && context->control_group_persistent >= 0) {
1284 err = cgroup_bonding_set_task_access_list(cgroup_bondings, (mode_t) -1, (uid_t) -1, (uid_t) -1, context->control_group_persistent);
1285 if (err < 0) {
1286 r = EXIT_CGROUP;
1287 goto fail_child;
1288 }
1289 }
1290
1291 if (apply_permissions) {
1292 err = enforce_groups(context, username, gid);
1293 if (err < 0) {
1294 r = EXIT_GROUP;
1295 goto fail_child;
1296 }
1297 }
1298
1299 umask(context->umask);
1300
1301 #ifdef HAVE_PAM
1302 if (apply_permissions && context->pam_name && username) {
1303 err = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
1304 if (err < 0) {
1305 r = EXIT_PAM;
1306 goto fail_child;
1307 }
1308 }
1309 #endif
1310 if (context->private_network) {
1311 if (unshare(CLONE_NEWNET) < 0) {
1312 err = -errno;
1313 r = EXIT_NETWORK;
1314 goto fail_child;
1315 }
1316
1317 loopback_setup();
1318 }
1319
1320 if (strv_length(context->read_write_dirs) > 0 ||
1321 strv_length(context->read_only_dirs) > 0 ||
1322 strv_length(context->inaccessible_dirs) > 0 ||
1323 context->mount_flags != 0 ||
1324 context->private_tmp) {
1325 err = setup_namespace(context->read_write_dirs,
1326 context->read_only_dirs,
1327 context->inaccessible_dirs,
1328 context->tmp_dir,
1329 context->var_tmp_dir,
1330 context->private_tmp,
1331 context->mount_flags);
1332 if (err < 0) {
1333 r = EXIT_NAMESPACE;
1334 goto fail_child;
1335 }
1336 }
1337
1338 if (apply_chroot) {
1339 if (context->root_directory)
1340 if (chroot(context->root_directory) < 0) {
1341 err = -errno;
1342 r = EXIT_CHROOT;
1343 goto fail_child;
1344 }
1345
1346 if (chdir(context->working_directory ? context->working_directory : "/") < 0) {
1347 err = -errno;
1348 r = EXIT_CHDIR;
1349 goto fail_child;
1350 }
1351 } else {
1352 char _cleanup_free_ *d = NULL;
1353
1354 if (asprintf(&d, "%s/%s",
1355 context->root_directory ? context->root_directory : "",
1356 context->working_directory ? context->working_directory : "") < 0) {
1357 err = -ENOMEM;
1358 r = EXIT_MEMORY;
1359 goto fail_child;
1360 }
1361
1362 if (chdir(d) < 0) {
1363 err = -errno;
1364 r = EXIT_CHDIR;
1365 goto fail_child;
1366 }
1367 }
1368
1369 /* We repeat the fd closing here, to make sure that
1370 * nothing is leaked from the PAM modules */
1371 err = close_all_fds(fds, n_fds);
1372 if (err >= 0)
1373 err = shift_fds(fds, n_fds);
1374 if (err >= 0)
1375 err = flags_fds(fds, n_fds, context->non_blocking);
1376 if (err < 0) {
1377 r = EXIT_FDS;
1378 goto fail_child;
1379 }
1380
1381 if (apply_permissions) {
1382
1383 for (i = 0; i < RLIMIT_NLIMITS; i++) {
1384 if (!context->rlimit[i])
1385 continue;
1386
1387 if (setrlimit_closest(i, context->rlimit[i]) < 0) {
1388 err = -errno;
1389 r = EXIT_LIMITS;
1390 goto fail_child;
1391 }
1392 }
1393
1394 if (context->capability_bounding_set_drop) {
1395 err = capability_bounding_set_drop(context->capability_bounding_set_drop, false);
1396 if (err < 0) {
1397 r = EXIT_CAPABILITIES;
1398 goto fail_child;
1399 }
1400 }
1401
1402 if (context->user) {
1403 err = enforce_user(context, uid);
1404 if (err < 0) {
1405 r = EXIT_USER;
1406 goto fail_child;
1407 }
1408 }
1409
1410 /* PR_GET_SECUREBITS is not privileged, while
1411 * PR_SET_SECUREBITS is. So to suppress
1412 * potential EPERMs we'll try not to call
1413 * PR_SET_SECUREBITS unless necessary. */
1414 if (prctl(PR_GET_SECUREBITS) != context->secure_bits)
1415 if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
1416 err = -errno;
1417 r = EXIT_SECUREBITS;
1418 goto fail_child;
1419 }
1420
1421 if (context->capabilities)
1422 if (cap_set_proc(context->capabilities) < 0) {
1423 err = -errno;
1424 r = EXIT_CAPABILITIES;
1425 goto fail_child;
1426 }
1427
1428 if (context->no_new_privileges)
1429 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
1430 err = -errno;
1431 r = EXIT_NO_NEW_PRIVILEGES;
1432 goto fail_child;
1433 }
1434
1435 if (context->syscall_filter) {
1436 err = apply_seccomp(context->syscall_filter);
1437 if (err < 0) {
1438 r = EXIT_SECCOMP;
1439 goto fail_child;
1440 }
1441 }
1442 }
1443
1444 our_env = new0(char*, 7);
1445 if (!our_env) {
1446 err = -ENOMEM;
1447 r = EXIT_MEMORY;
1448 goto fail_child;
1449 }
1450
1451 if (n_fds > 0)
1452 if (asprintf(our_env + n_env++, "LISTEN_PID=%lu", (unsigned long) getpid()) < 0 ||
1453 asprintf(our_env + n_env++, "LISTEN_FDS=%u", n_fds) < 0) {
1454 err = -ENOMEM;
1455 r = EXIT_MEMORY;
1456 goto fail_child;
1457 }
1458
1459 if (home)
1460 if (asprintf(our_env + n_env++, "HOME=%s", home) < 0) {
1461 err = -ENOMEM;
1462 r = EXIT_MEMORY;
1463 goto fail_child;
1464 }
1465
1466 if (username)
1467 if (asprintf(our_env + n_env++, "LOGNAME=%s", username) < 0 ||
1468 asprintf(our_env + n_env++, "USER=%s", username) < 0) {
1469 err = -ENOMEM;
1470 r = EXIT_MEMORY;
1471 goto fail_child;
1472 }
1473
1474 if (is_terminal_input(context->std_input) ||
1475 context->std_output == EXEC_OUTPUT_TTY ||
1476 context->std_error == EXEC_OUTPUT_TTY)
1477 if (!(our_env[n_env++] = strdup(default_term_for_tty(tty_path(context))))) {
1478 err = -ENOMEM;
1479 r = EXIT_MEMORY;
1480 goto fail_child;
1481 }
1482
1483 assert(n_env <= 7);
1484
1485 final_env = strv_env_merge(5,
1486 environment,
1487 our_env,
1488 context->environment,
1489 files_env,
1490 pam_env,
1491 NULL);
1492 if (!final_env) {
1493 err = -ENOMEM;
1494 r = EXIT_MEMORY;
1495 goto fail_child;
1496 }
1497
1498 final_argv = replace_env_argv(argv, final_env);
1499 if (!final_argv) {
1500 err = -ENOMEM;
1501 r = EXIT_MEMORY;
1502 goto fail_child;
1503 }
1504
1505 final_env = strv_env_clean(final_env);
1506
1507 execve(command->path, final_argv, final_env);
1508 err = -errno;
1509 r = EXIT_EXEC;
1510
1511 fail_child:
1512 if (r != 0) {
1513 log_open();
1514 log_struct(LOG_ERR, MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
1515 "EXECUTABLE=%s", command->path,
1516 "MESSAGE=Failed at step %s spawning %s: %s",
1517 exit_status_to_string(r, EXIT_STATUS_SYSTEMD),
1518 command->path, strerror(-err),
1519 "ERRNO=%d", -err,
1520 NULL);
1521 log_close();
1522 }
1523
1524 _exit(r);
1525 }
1526
1527 log_struct_unit(LOG_DEBUG,
1528 unit_id,
1529 "MESSAGE=Forked %s as %lu",
1530 command->path, (unsigned long) pid,
1531 NULL);
1532
1533 /* We add the new process to the cgroup both in the child (so
1534 * that we can be sure that no user code is ever executed
1535 * outside of the cgroup) and in the parent (so that we can be
1536 * sure that when we kill the cgroup the process will be
1537 * killed too). */
1538 if (cgroup_bondings)
1539 cgroup_bonding_install_list(cgroup_bondings, pid, cgroup_suffix);
1540
1541 exec_status_start(&command->exec_status, pid);
1542
1543 *ret = pid;
1544 return 0;
1545 }
1546
1547 void exec_context_init(ExecContext *c) {
1548 assert(c);
1549
1550 c->umask = 0022;
1551 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
1552 c->cpu_sched_policy = SCHED_OTHER;
1553 c->syslog_priority = LOG_DAEMON|LOG_INFO;
1554 c->syslog_level_prefix = true;
1555 c->control_group_persistent = -1;
1556 c->ignore_sigpipe = true;
1557 c->timer_slack_nsec = (nsec_t) -1;
1558 }
1559
1560 void exec_context_tmp_dirs_done(ExecContext *c) {
1561 char* dirs[] = {c->tmp_dir ? c->tmp_dir : c->var_tmp_dir,
1562 c->tmp_dir ? c->var_tmp_dir : NULL,
1563 NULL};
1564 char **dirp;
1565
1566 for(dirp = dirs; *dirp; dirp++) {
1567 char *dir;
1568 int r;
1569
1570 r = rm_rf_dangerous(*dirp, false, true, false);
1571 dir = dirname(*dirp);
1572 if (r < 0)
1573 log_warning("Failed to remove content of temporary directory %s: %s",
1574 dir, strerror(-r));
1575 else {
1576 r = rmdir(dir);
1577 if (r < 0)
1578 log_warning("Failed to remove temporary directory %s: %s",
1579 dir, strerror(-r));
1580 }
1581
1582 free(*dirp);
1583 }
1584
1585 c->tmp_dir = c->var_tmp_dir = NULL;
1586 }
1587
1588 void exec_context_done(ExecContext *c, bool reloading_or_reexecuting) {
1589 unsigned l;
1590
1591 assert(c);
1592
1593 strv_free(c->environment);
1594 c->environment = NULL;
1595
1596 strv_free(c->environment_files);
1597 c->environment_files = NULL;
1598
1599 for (l = 0; l < ELEMENTSOF(c->rlimit); l++) {
1600 free(c->rlimit[l]);
1601 c->rlimit[l] = NULL;
1602 }
1603
1604 free(c->working_directory);
1605 c->working_directory = NULL;
1606 free(c->root_directory);
1607 c->root_directory = NULL;
1608
1609 free(c->tty_path);
1610 c->tty_path = NULL;
1611
1612 free(c->tcpwrap_name);
1613 c->tcpwrap_name = NULL;
1614
1615 free(c->syslog_identifier);
1616 c->syslog_identifier = NULL;
1617
1618 free(c->user);
1619 c->user = NULL;
1620
1621 free(c->group);
1622 c->group = NULL;
1623
1624 strv_free(c->supplementary_groups);
1625 c->supplementary_groups = NULL;
1626
1627 free(c->pam_name);
1628 c->pam_name = NULL;
1629
1630 if (c->capabilities) {
1631 cap_free(c->capabilities);
1632 c->capabilities = NULL;
1633 }
1634
1635 strv_free(c->read_only_dirs);
1636 c->read_only_dirs = NULL;
1637
1638 strv_free(c->read_write_dirs);
1639 c->read_write_dirs = NULL;
1640
1641 strv_free(c->inaccessible_dirs);
1642 c->inaccessible_dirs = NULL;
1643
1644 if (c->cpuset)
1645 CPU_FREE(c->cpuset);
1646
1647 free(c->utmp_id);
1648 c->utmp_id = NULL;
1649
1650 free(c->syscall_filter);
1651 c->syscall_filter = NULL;
1652
1653 if (!reloading_or_reexecuting)
1654 exec_context_tmp_dirs_done(c);
1655 }
1656
1657 void exec_command_done(ExecCommand *c) {
1658 assert(c);
1659
1660 free(c->path);
1661 c->path = NULL;
1662
1663 strv_free(c->argv);
1664 c->argv = NULL;
1665 }
1666
1667 void exec_command_done_array(ExecCommand *c, unsigned n) {
1668 unsigned i;
1669
1670 for (i = 0; i < n; i++)
1671 exec_command_done(c+i);
1672 }
1673
1674 void exec_command_free_list(ExecCommand *c) {
1675 ExecCommand *i;
1676
1677 while ((i = c)) {
1678 LIST_REMOVE(ExecCommand, command, c, i);
1679 exec_command_done(i);
1680 free(i);
1681 }
1682 }
1683
1684 void exec_command_free_array(ExecCommand **c, unsigned n) {
1685 unsigned i;
1686
1687 for (i = 0; i < n; i++) {
1688 exec_command_free_list(c[i]);
1689 c[i] = NULL;
1690 }
1691 }
1692
1693 int exec_context_load_environment(const ExecContext *c, char ***l) {
1694 char **i, **r = NULL;
1695
1696 assert(c);
1697 assert(l);
1698
1699 STRV_FOREACH(i, c->environment_files) {
1700 char *fn;
1701 int k;
1702 bool ignore = false;
1703 char **p;
1704 glob_t pglob;
1705 int count, n;
1706
1707 fn = *i;
1708
1709 if (fn[0] == '-') {
1710 ignore = true;
1711 fn ++;
1712 }
1713
1714 if (!path_is_absolute(fn)) {
1715
1716 if (ignore)
1717 continue;
1718
1719 strv_free(r);
1720 return -EINVAL;
1721 }
1722
1723 /* Filename supports globbing, take all matching files */
1724 zero(pglob);
1725 errno = 0;
1726 if (glob(fn, 0, NULL, &pglob) != 0) {
1727 globfree(&pglob);
1728 if (ignore)
1729 continue;
1730
1731 strv_free(r);
1732 return errno ? -errno : -EINVAL;
1733 }
1734 count = pglob.gl_pathc;
1735 if (count == 0) {
1736 globfree(&pglob);
1737 if (ignore)
1738 continue;
1739
1740 strv_free(r);
1741 return -EINVAL;
1742 }
1743 for (n = 0; n < count; n++) {
1744 k = load_env_file(pglob.gl_pathv[n], NULL, &p);
1745 if (k < 0) {
1746 if (ignore)
1747 continue;
1748
1749 strv_free(r);
1750 globfree(&pglob);
1751 return k;
1752 }
1753
1754 if (r == NULL)
1755 r = p;
1756 else {
1757 char **m;
1758
1759 m = strv_env_merge(2, r, p);
1760 strv_free(r);
1761 strv_free(p);
1762
1763 if (!m) {
1764 globfree(&pglob);
1765 return -ENOMEM;
1766 }
1767
1768 r = m;
1769 }
1770 }
1771 globfree(&pglob);
1772 }
1773
1774 *l = r;
1775
1776 return 0;
1777 }
1778
1779 static bool tty_may_match_dev_console(const char *tty) {
1780 char *active = NULL, *console;
1781 bool b;
1782
1783 if (startswith(tty, "/dev/"))
1784 tty += 5;
1785
1786 /* trivial identity? */
1787 if (streq(tty, "console"))
1788 return true;
1789
1790 console = resolve_dev_console(&active);
1791 /* if we could not resolve, assume it may */
1792 if (!console)
1793 return true;
1794
1795 /* "tty0" means the active VC, so it may be the same sometimes */
1796 b = streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
1797 free(active);
1798
1799 return b;
1800 }
1801
1802 bool exec_context_may_touch_console(ExecContext *ec) {
1803 return (ec->tty_reset || ec->tty_vhangup || ec->tty_vt_disallocate ||
1804 is_terminal_input(ec->std_input) ||
1805 is_terminal_output(ec->std_output) ||
1806 is_terminal_output(ec->std_error)) &&
1807 tty_may_match_dev_console(tty_path(ec));
1808 }
1809
1810 static void strv_fprintf(FILE *f, char **l) {
1811 char **g;
1812
1813 assert(f);
1814
1815 STRV_FOREACH(g, l)
1816 fprintf(f, " %s", *g);
1817 }
1818
1819 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
1820 char ** e;
1821 unsigned i;
1822
1823 assert(c);
1824 assert(f);
1825
1826 if (!prefix)
1827 prefix = "";
1828
1829 fprintf(f,
1830 "%sUMask: %04o\n"
1831 "%sWorkingDirectory: %s\n"
1832 "%sRootDirectory: %s\n"
1833 "%sNonBlocking: %s\n"
1834 "%sPrivateTmp: %s\n"
1835 "%sControlGroupModify: %s\n"
1836 "%sControlGroupPersistent: %s\n"
1837 "%sPrivateNetwork: %s\n"
1838 "%sIgnoreSIGPIPE: %s\n",
1839 prefix, c->umask,
1840 prefix, c->working_directory ? c->working_directory : "/",
1841 prefix, c->root_directory ? c->root_directory : "/",
1842 prefix, yes_no(c->non_blocking),
1843 prefix, yes_no(c->private_tmp),
1844 prefix, yes_no(c->control_group_modify),
1845 prefix, yes_no(c->control_group_persistent),
1846 prefix, yes_no(c->private_network),
1847 prefix, yes_no(c->ignore_sigpipe));
1848
1849 STRV_FOREACH(e, c->environment)
1850 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
1851
1852 STRV_FOREACH(e, c->environment_files)
1853 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
1854
1855 if (c->tcpwrap_name)
1856 fprintf(f,
1857 "%sTCPWrapName: %s\n",
1858 prefix, c->tcpwrap_name);
1859
1860 if (c->nice_set)
1861 fprintf(f,
1862 "%sNice: %i\n",
1863 prefix, c->nice);
1864
1865 if (c->oom_score_adjust_set)
1866 fprintf(f,
1867 "%sOOMScoreAdjust: %i\n",
1868 prefix, c->oom_score_adjust);
1869
1870 for (i = 0; i < RLIM_NLIMITS; i++)
1871 if (c->rlimit[i])
1872 fprintf(f, "%s%s: %llu\n", prefix, rlimit_to_string(i), (unsigned long long) c->rlimit[i]->rlim_max);
1873
1874 if (c->ioprio_set) {
1875 char *class_str;
1876 int r;
1877
1878 r = ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
1879 if (r < 0)
1880 class_str = NULL;
1881 fprintf(f,
1882 "%sIOSchedulingClass: %s\n"
1883 "%sIOPriority: %i\n",
1884 prefix, strna(class_str),
1885 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
1886 free(class_str);
1887 }
1888
1889 if (c->cpu_sched_set) {
1890 char *policy_str;
1891 int r;
1892
1893 r = sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
1894 if (r < 0)
1895 policy_str = NULL;
1896 fprintf(f,
1897 "%sCPUSchedulingPolicy: %s\n"
1898 "%sCPUSchedulingPriority: %i\n"
1899 "%sCPUSchedulingResetOnFork: %s\n",
1900 prefix, strna(policy_str),
1901 prefix, c->cpu_sched_priority,
1902 prefix, yes_no(c->cpu_sched_reset_on_fork));
1903 free(policy_str);
1904 }
1905
1906 if (c->cpuset) {
1907 fprintf(f, "%sCPUAffinity:", prefix);
1908 for (i = 0; i < c->cpuset_ncpus; i++)
1909 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
1910 fprintf(f, " %i", i);
1911 fputs("\n", f);
1912 }
1913
1914 if (c->timer_slack_nsec != (nsec_t) -1)
1915 fprintf(f, "%sTimerSlackNSec: %lu\n", prefix, (unsigned long)c->timer_slack_nsec);
1916
1917 fprintf(f,
1918 "%sStandardInput: %s\n"
1919 "%sStandardOutput: %s\n"
1920 "%sStandardError: %s\n",
1921 prefix, exec_input_to_string(c->std_input),
1922 prefix, exec_output_to_string(c->std_output),
1923 prefix, exec_output_to_string(c->std_error));
1924
1925 if (c->tty_path)
1926 fprintf(f,
1927 "%sTTYPath: %s\n"
1928 "%sTTYReset: %s\n"
1929 "%sTTYVHangup: %s\n"
1930 "%sTTYVTDisallocate: %s\n",
1931 prefix, c->tty_path,
1932 prefix, yes_no(c->tty_reset),
1933 prefix, yes_no(c->tty_vhangup),
1934 prefix, yes_no(c->tty_vt_disallocate));
1935
1936 if (c->std_output == EXEC_OUTPUT_SYSLOG || c->std_output == EXEC_OUTPUT_KMSG || c->std_output == EXEC_OUTPUT_JOURNAL ||
1937 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE || c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE || c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
1938 c->std_error == EXEC_OUTPUT_SYSLOG || c->std_error == EXEC_OUTPUT_KMSG || c->std_error == EXEC_OUTPUT_JOURNAL ||
1939 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE || c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE || c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
1940 char *fac_str, *lvl_str;
1941 int r;
1942
1943 r = log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
1944 if (r < 0)
1945 fac_str = NULL;
1946
1947 r = log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
1948 if (r < 0)
1949 lvl_str = NULL;
1950
1951 fprintf(f,
1952 "%sSyslogFacility: %s\n"
1953 "%sSyslogLevel: %s\n",
1954 prefix, strna(fac_str),
1955 prefix, strna(lvl_str));
1956 free(lvl_str);
1957 free(fac_str);
1958 }
1959
1960 if (c->capabilities) {
1961 char *t;
1962 if ((t = cap_to_text(c->capabilities, NULL))) {
1963 fprintf(f, "%sCapabilities: %s\n",
1964 prefix, t);
1965 cap_free(t);
1966 }
1967 }
1968
1969 if (c->secure_bits)
1970 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
1971 prefix,
1972 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
1973 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
1974 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
1975 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
1976 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
1977 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
1978
1979 if (c->capability_bounding_set_drop) {
1980 unsigned long l;
1981 fprintf(f, "%sCapabilityBoundingSet:", prefix);
1982
1983 for (l = 0; l <= cap_last_cap(); l++)
1984 if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) {
1985 char *t;
1986
1987 if ((t = cap_to_name(l))) {
1988 fprintf(f, " %s", t);
1989 cap_free(t);
1990 }
1991 }
1992
1993 fputs("\n", f);
1994 }
1995
1996 if (c->user)
1997 fprintf(f, "%sUser: %s\n", prefix, c->user);
1998 if (c->group)
1999 fprintf(f, "%sGroup: %s\n", prefix, c->group);
2000
2001 if (strv_length(c->supplementary_groups) > 0) {
2002 fprintf(f, "%sSupplementaryGroups:", prefix);
2003 strv_fprintf(f, c->supplementary_groups);
2004 fputs("\n", f);
2005 }
2006
2007 if (c->pam_name)
2008 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
2009
2010 if (strv_length(c->read_write_dirs) > 0) {
2011 fprintf(f, "%sReadWriteDirs:", prefix);
2012 strv_fprintf(f, c->read_write_dirs);
2013 fputs("\n", f);
2014 }
2015
2016 if (strv_length(c->read_only_dirs) > 0) {
2017 fprintf(f, "%sReadOnlyDirs:", prefix);
2018 strv_fprintf(f, c->read_only_dirs);
2019 fputs("\n", f);
2020 }
2021
2022 if (strv_length(c->inaccessible_dirs) > 0) {
2023 fprintf(f, "%sInaccessibleDirs:", prefix);
2024 strv_fprintf(f, c->inaccessible_dirs);
2025 fputs("\n", f);
2026 }
2027
2028 if (c->utmp_id)
2029 fprintf(f,
2030 "%sUtmpIdentifier: %s\n",
2031 prefix, c->utmp_id);
2032 }
2033
2034 void exec_status_start(ExecStatus *s, pid_t pid) {
2035 assert(s);
2036
2037 zero(*s);
2038 s->pid = pid;
2039 dual_timestamp_get(&s->start_timestamp);
2040 }
2041
2042 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
2043 assert(s);
2044
2045 if (s->pid && s->pid != pid)
2046 zero(*s);
2047
2048 s->pid = pid;
2049 dual_timestamp_get(&s->exit_timestamp);
2050
2051 s->code = code;
2052 s->status = status;
2053
2054 if (context) {
2055 if (context->utmp_id)
2056 utmp_put_dead_process(context->utmp_id, pid, code, status);
2057
2058 exec_context_tty_reset(context);
2059 }
2060 }
2061
2062 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
2063 char buf[FORMAT_TIMESTAMP_MAX];
2064
2065 assert(s);
2066 assert(f);
2067
2068 if (!prefix)
2069 prefix = "";
2070
2071 if (s->pid <= 0)
2072 return;
2073
2074 fprintf(f,
2075 "%sPID: %lu\n",
2076 prefix, (unsigned long) s->pid);
2077
2078 if (s->start_timestamp.realtime > 0)
2079 fprintf(f,
2080 "%sStart Timestamp: %s\n",
2081 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
2082
2083 if (s->exit_timestamp.realtime > 0)
2084 fprintf(f,
2085 "%sExit Timestamp: %s\n"
2086 "%sExit Code: %s\n"
2087 "%sExit Status: %i\n",
2088 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
2089 prefix, sigchld_code_to_string(s->code),
2090 prefix, s->status);
2091 }
2092
2093 char *exec_command_line(char **argv) {
2094 size_t k;
2095 char *n, *p, **a;
2096 bool first = true;
2097
2098 assert(argv);
2099
2100 k = 1;
2101 STRV_FOREACH(a, argv)
2102 k += strlen(*a)+3;
2103
2104 if (!(n = new(char, k)))
2105 return NULL;
2106
2107 p = n;
2108 STRV_FOREACH(a, argv) {
2109
2110 if (!first)
2111 *(p++) = ' ';
2112 else
2113 first = false;
2114
2115 if (strpbrk(*a, WHITESPACE)) {
2116 *(p++) = '\'';
2117 p = stpcpy(p, *a);
2118 *(p++) = '\'';
2119 } else
2120 p = stpcpy(p, *a);
2121
2122 }
2123
2124 *p = 0;
2125
2126 /* FIXME: this doesn't really handle arguments that have
2127 * spaces and ticks in them */
2128
2129 return n;
2130 }
2131
2132 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
2133 char *p2;
2134 const char *prefix2;
2135
2136 char *cmd;
2137
2138 assert(c);
2139 assert(f);
2140
2141 if (!prefix)
2142 prefix = "";
2143 p2 = strappend(prefix, "\t");
2144 prefix2 = p2 ? p2 : prefix;
2145
2146 cmd = exec_command_line(c->argv);
2147
2148 fprintf(f,
2149 "%sCommand Line: %s\n",
2150 prefix, cmd ? cmd : strerror(ENOMEM));
2151
2152 free(cmd);
2153
2154 exec_status_dump(&c->exec_status, f, prefix2);
2155
2156 free(p2);
2157 }
2158
2159 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2160 assert(f);
2161
2162 if (!prefix)
2163 prefix = "";
2164
2165 LIST_FOREACH(command, c, c)
2166 exec_command_dump(c, f, prefix);
2167 }
2168
2169 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
2170 ExecCommand *end;
2171
2172 assert(l);
2173 assert(e);
2174
2175 if (*l) {
2176 /* It's kind of important, that we keep the order here */
2177 LIST_FIND_TAIL(ExecCommand, command, *l, end);
2178 LIST_INSERT_AFTER(ExecCommand, command, *l, end, e);
2179 } else
2180 *l = e;
2181 }
2182
2183 int exec_command_set(ExecCommand *c, const char *path, ...) {
2184 va_list ap;
2185 char **l, *p;
2186
2187 assert(c);
2188 assert(path);
2189
2190 va_start(ap, path);
2191 l = strv_new_ap(path, ap);
2192 va_end(ap);
2193
2194 if (!l)
2195 return -ENOMEM;
2196
2197 if (!(p = strdup(path))) {
2198 strv_free(l);
2199 return -ENOMEM;
2200 }
2201
2202 free(c->path);
2203 c->path = p;
2204
2205 strv_free(c->argv);
2206 c->argv = l;
2207
2208 return 0;
2209 }
2210
2211 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
2212 [EXEC_INPUT_NULL] = "null",
2213 [EXEC_INPUT_TTY] = "tty",
2214 [EXEC_INPUT_TTY_FORCE] = "tty-force",
2215 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
2216 [EXEC_INPUT_SOCKET] = "socket"
2217 };
2218
2219 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
2220
2221 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
2222 [EXEC_OUTPUT_INHERIT] = "inherit",
2223 [EXEC_OUTPUT_NULL] = "null",
2224 [EXEC_OUTPUT_TTY] = "tty",
2225 [EXEC_OUTPUT_SYSLOG] = "syslog",
2226 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
2227 [EXEC_OUTPUT_KMSG] = "kmsg",
2228 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
2229 [EXEC_OUTPUT_JOURNAL] = "journal",
2230 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
2231 [EXEC_OUTPUT_SOCKET] = "socket"
2232 };
2233
2234 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
Unnamed repository; edit this file 'description' to name the repository.