]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/execute.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tree-wide: use mfree more
[thirdparty/systemd.git] / src / core / execute.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <errno.h>
21 #include <fcntl.h>
22 #include <glob.h>
23 #include <grp.h>
24 #include <poll.h>
25 #include <signal.h>
26 #include <string.h>
27 #include <sys/capability.h>
28 #include <sys/eventfd.h>
29 #include <sys/mman.h>
30 #include <sys/personality.h>
31 #include <sys/prctl.h>
32 #include <sys/socket.h>
33 #include <sys/stat.h>
34 #include <sys/un.h>
35 #include <unistd.h>
36 #include <utmpx.h>
37
38 #ifdef HAVE_PAM
39 #include <security/pam_appl.h>
40 #endif
41
42 #ifdef HAVE_SELINUX
43 #include <selinux/selinux.h>
44 #endif
45
46 #ifdef HAVE_SECCOMP
47 #include <seccomp.h>
48 #endif
49
50 #ifdef HAVE_APPARMOR
51 #include <sys/apparmor.h>
52 #endif
53
54 #include "sd-messages.h"
55
56 #include "af-list.h"
57 #include "alloc-util.h"
58 #ifdef HAVE_APPARMOR
59 #include "apparmor-util.h"
60 #endif
61 #include "async.h"
62 #include "barrier.h"
63 #include "cap-list.h"
64 #include "capability-util.h"
65 #include "def.h"
66 #include "env-util.h"
67 #include "errno-list.h"
68 #include "execute.h"
69 #include "exit-status.h"
70 #include "fd-util.h"
71 #include "fileio.h"
72 #include "formats-util.h"
73 #include "fs-util.h"
74 #include "glob-util.h"
75 #include "io-util.h"
76 #include "ioprio.h"
77 #include "log.h"
78 #include "macro.h"
79 #include "missing.h"
80 #include "mkdir.h"
81 #include "namespace.h"
82 #include "parse-util.h"
83 #include "path-util.h"
84 #include "process-util.h"
85 #include "rlimit-util.h"
86 #include "rm-rf.h"
87 #ifdef HAVE_SECCOMP
88 #include "seccomp-util.h"
89 #endif
90 #include "securebits.h"
91 #include "selinux-util.h"
92 #include "signal-util.h"
93 #include "smack-util.h"
94 #include "special.h"
95 #include "string-table.h"
96 #include "string-util.h"
97 #include "strv.h"
98 #include "syslog-util.h"
99 #include "terminal-util.h"
100 #include "unit.h"
101 #include "user-util.h"
102 #include "util.h"
103 #include "utmp-wtmp.h"
104
105 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
106 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
107
108 /* This assumes there is a 'tty' group */
109 #define TTY_MODE 0620
110
111 #define SNDBUF_SIZE (8*1024*1024)
112
113 static int shift_fds(int fds[], unsigned n_fds) {
114 int start, restart_from;
115
116 if (n_fds <= 0)
117 return 0;
118
119 /* Modifies the fds array! (sorts it) */
120
121 assert(fds);
122
123 start = 0;
124 for (;;) {
125 int i;
126
127 restart_from = -1;
128
129 for (i = start; i < (int) n_fds; i++) {
130 int nfd;
131
132 /* Already at right index? */
133 if (fds[i] == i+3)
134 continue;
135
136 nfd = fcntl(fds[i], F_DUPFD, i + 3);
137 if (nfd < 0)
138 return -errno;
139
140 safe_close(fds[i]);
141 fds[i] = nfd;
142
143 /* Hmm, the fd we wanted isn't free? Then
144 * let's remember that and try again from here */
145 if (nfd != i+3 && restart_from < 0)
146 restart_from = i;
147 }
148
149 if (restart_from < 0)
150 break;
151
152 start = restart_from;
153 }
154
155 return 0;
156 }
157
158 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
159 unsigned i;
160 int r;
161
162 if (n_fds <= 0)
163 return 0;
164
165 assert(fds);
166
167 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
168
169 for (i = 0; i < n_fds; i++) {
170
171 r = fd_nonblock(fds[i], nonblock);
172 if (r < 0)
173 return r;
174
175 /* We unconditionally drop FD_CLOEXEC from the fds,
176 * since after all we want to pass these fds to our
177 * children */
178
179 r = fd_cloexec(fds[i], false);
180 if (r < 0)
181 return r;
182 }
183
184 return 0;
185 }
186
187 static const char *exec_context_tty_path(const ExecContext *context) {
188 assert(context);
189
190 if (context->stdio_as_fds)
191 return NULL;
192
193 if (context->tty_path)
194 return context->tty_path;
195
196 return "/dev/console";
197 }
198
199 static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
200 const char *path;
201
202 assert(context);
203
204 path = exec_context_tty_path(context);
205
206 if (context->tty_vhangup) {
207 if (p && p->stdin_fd >= 0)
208 (void) terminal_vhangup_fd(p->stdin_fd);
209 else if (path)
210 (void) terminal_vhangup(path);
211 }
212
213 if (context->tty_reset) {
214 if (p && p->stdin_fd >= 0)
215 (void) reset_terminal_fd(p->stdin_fd, true);
216 else if (path)
217 (void) reset_terminal(path);
218 }
219
220 if (context->tty_vt_disallocate && path)
221 (void) vt_disallocate(path);
222 }
223
224 static bool is_terminal_input(ExecInput i) {
225 return IN_SET(i,
226 EXEC_INPUT_TTY,
227 EXEC_INPUT_TTY_FORCE,
228 EXEC_INPUT_TTY_FAIL);
229 }
230
231 static bool is_terminal_output(ExecOutput o) {
232 return IN_SET(o,
233 EXEC_OUTPUT_TTY,
234 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
235 EXEC_OUTPUT_KMSG_AND_CONSOLE,
236 EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
237 }
238
239 static bool exec_context_needs_term(const ExecContext *c) {
240 assert(c);
241
242 /* Return true if the execution context suggests we should set $TERM to something useful. */
243
244 if (is_terminal_input(c->std_input))
245 return true;
246
247 if (is_terminal_output(c->std_output))
248 return true;
249
250 if (is_terminal_output(c->std_error))
251 return true;
252
253 return !!c->tty_path;
254 }
255
256 static int open_null_as(int flags, int nfd) {
257 int fd, r;
258
259 assert(nfd >= 0);
260
261 fd = open("/dev/null", flags|O_NOCTTY);
262 if (fd < 0)
263 return -errno;
264
265 if (fd != nfd) {
266 r = dup2(fd, nfd) < 0 ? -errno : nfd;
267 safe_close(fd);
268 } else
269 r = nfd;
270
271 return r;
272 }
273
274 static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
275 union sockaddr_union sa = {
276 .un.sun_family = AF_UNIX,
277 .un.sun_path = "/run/systemd/journal/stdout",
278 };
279 uid_t olduid = UID_INVALID;
280 gid_t oldgid = GID_INVALID;
281 int r;
282
283 if (gid != GID_INVALID) {
284 oldgid = getgid();
285
286 r = setegid(gid);
287 if (r < 0)
288 return -errno;
289 }
290
291 if (uid != UID_INVALID) {
292 olduid = getuid();
293
294 r = seteuid(uid);
295 if (r < 0) {
296 r = -errno;
297 goto restore_gid;
298 }
299 }
300
301 r = connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
302 if (r < 0)
303 r = -errno;
304
305 /* If we fail to restore the uid or gid, things will likely
306 fail later on. This should only happen if an LSM interferes. */
307
308 if (uid != UID_INVALID)
309 (void) seteuid(olduid);
310
311 restore_gid:
312 if (gid != GID_INVALID)
313 (void) setegid(oldgid);
314
315 return r;
316 }
317
318 static int connect_logger_as(
319 Unit *unit,
320 const ExecContext *context,
321 ExecOutput output,
322 const char *ident,
323 int nfd,
324 uid_t uid,
325 gid_t gid) {
326
327 int fd, r;
328
329 assert(context);
330 assert(output < _EXEC_OUTPUT_MAX);
331 assert(ident);
332 assert(nfd >= 0);
333
334 fd = socket(AF_UNIX, SOCK_STREAM, 0);
335 if (fd < 0)
336 return -errno;
337
338 r = connect_journal_socket(fd, uid, gid);
339 if (r < 0)
340 return r;
341
342 if (shutdown(fd, SHUT_RD) < 0) {
343 safe_close(fd);
344 return -errno;
345 }
346
347 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
348
349 dprintf(fd,
350 "%s\n"
351 "%s\n"
352 "%i\n"
353 "%i\n"
354 "%i\n"
355 "%i\n"
356 "%i\n",
357 context->syslog_identifier ? context->syslog_identifier : ident,
358 unit->id,
359 context->syslog_priority,
360 !!context->syslog_level_prefix,
361 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
362 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
363 is_terminal_output(output));
364
365 if (fd == nfd)
366 return nfd;
367
368 r = dup2(fd, nfd) < 0 ? -errno : nfd;
369 safe_close(fd);
370
371 return r;
372 }
373 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
374 int fd, r;
375
376 assert(path);
377 assert(nfd >= 0);
378
379 fd = open_terminal(path, mode | O_NOCTTY);
380 if (fd < 0)
381 return fd;
382
383 if (fd != nfd) {
384 r = dup2(fd, nfd) < 0 ? -errno : nfd;
385 safe_close(fd);
386 } else
387 r = nfd;
388
389 return r;
390 }
391
392 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
393
394 if (is_terminal_input(std_input) && !apply_tty_stdin)
395 return EXEC_INPUT_NULL;
396
397 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
398 return EXEC_INPUT_NULL;
399
400 return std_input;
401 }
402
403 static int fixup_output(ExecOutput std_output, int socket_fd) {
404
405 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
406 return EXEC_OUTPUT_INHERIT;
407
408 return std_output;
409 }
410
411 static int setup_input(
412 const ExecContext *context,
413 const ExecParameters *params,
414 int socket_fd) {
415
416 ExecInput i;
417
418 assert(context);
419 assert(params);
420
421 if (params->stdin_fd >= 0) {
422 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
423 return -errno;
424
425 /* Try to make this the controlling tty, if it is a tty, and reset it */
426 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
427 (void) reset_terminal_fd(STDIN_FILENO, true);
428
429 return STDIN_FILENO;
430 }
431
432 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
433
434 switch (i) {
435
436 case EXEC_INPUT_NULL:
437 return open_null_as(O_RDONLY, STDIN_FILENO);
438
439 case EXEC_INPUT_TTY:
440 case EXEC_INPUT_TTY_FORCE:
441 case EXEC_INPUT_TTY_FAIL: {
442 int fd, r;
443
444 fd = acquire_terminal(exec_context_tty_path(context),
445 i == EXEC_INPUT_TTY_FAIL,
446 i == EXEC_INPUT_TTY_FORCE,
447 false,
448 USEC_INFINITY);
449 if (fd < 0)
450 return fd;
451
452 if (fd != STDIN_FILENO) {
453 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
454 safe_close(fd);
455 } else
456 r = STDIN_FILENO;
457
458 return r;
459 }
460
461 case EXEC_INPUT_SOCKET:
462 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
463
464 default:
465 assert_not_reached("Unknown input type");
466 }
467 }
468
469 static int setup_output(
470 Unit *unit,
471 const ExecContext *context,
472 const ExecParameters *params,
473 int fileno,
474 int socket_fd,
475 const char *ident,
476 uid_t uid,
477 gid_t gid,
478 dev_t *journal_stream_dev,
479 ino_t *journal_stream_ino) {
480
481 ExecOutput o;
482 ExecInput i;
483 int r;
484
485 assert(unit);
486 assert(context);
487 assert(params);
488 assert(ident);
489 assert(journal_stream_dev);
490 assert(journal_stream_ino);
491
492 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
493
494 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
495 return -errno;
496
497 return STDOUT_FILENO;
498 }
499
500 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
501 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
502 return -errno;
503
504 return STDERR_FILENO;
505 }
506
507 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
508 o = fixup_output(context->std_output, socket_fd);
509
510 if (fileno == STDERR_FILENO) {
511 ExecOutput e;
512 e = fixup_output(context->std_error, socket_fd);
513
514 /* This expects the input and output are already set up */
515
516 /* Don't change the stderr file descriptor if we inherit all
517 * the way and are not on a tty */
518 if (e == EXEC_OUTPUT_INHERIT &&
519 o == EXEC_OUTPUT_INHERIT &&
520 i == EXEC_INPUT_NULL &&
521 !is_terminal_input(context->std_input) &&
522 getppid () != 1)
523 return fileno;
524
525 /* Duplicate from stdout if possible */
526 if (e == o || e == EXEC_OUTPUT_INHERIT)
527 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
528
529 o = e;
530
531 } else if (o == EXEC_OUTPUT_INHERIT) {
532 /* If input got downgraded, inherit the original value */
533 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
534 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
535
536 /* If the input is connected to anything that's not a /dev/null, inherit that... */
537 if (i != EXEC_INPUT_NULL)
538 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
539
540 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
541 if (getppid() != 1)
542 return fileno;
543
544 /* We need to open /dev/null here anew, to get the right access mode. */
545 return open_null_as(O_WRONLY, fileno);
546 }
547
548 switch (o) {
549
550 case EXEC_OUTPUT_NULL:
551 return open_null_as(O_WRONLY, fileno);
552
553 case EXEC_OUTPUT_TTY:
554 if (is_terminal_input(i))
555 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
556
557 /* We don't reset the terminal if this is just about output */
558 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
559
560 case EXEC_OUTPUT_SYSLOG:
561 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
562 case EXEC_OUTPUT_KMSG:
563 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
564 case EXEC_OUTPUT_JOURNAL:
565 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
566 r = connect_logger_as(unit, context, o, ident, fileno, uid, gid);
567 if (r < 0) {
568 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
569 r = open_null_as(O_WRONLY, fileno);
570 } else {
571 struct stat st;
572
573 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
574 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
575 * services to detect whether they are connected to the journal or not. */
576
577 if (fstat(fileno, &st) >= 0) {
578 *journal_stream_dev = st.st_dev;
579 *journal_stream_ino = st.st_ino;
580 }
581 }
582 return r;
583
584 case EXEC_OUTPUT_SOCKET:
585 assert(socket_fd >= 0);
586 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
587
588 default:
589 assert_not_reached("Unknown error type");
590 }
591 }
592
593 static int chown_terminal(int fd, uid_t uid) {
594 struct stat st;
595
596 assert(fd >= 0);
597
598 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
599 if (isatty(fd) < 1)
600 return 0;
601
602 /* This might fail. What matters are the results. */
603 (void) fchown(fd, uid, -1);
604 (void) fchmod(fd, TTY_MODE);
605
606 if (fstat(fd, &st) < 0)
607 return -errno;
608
609 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
610 return -EPERM;
611
612 return 0;
613 }
614
615 static int setup_confirm_stdio(int *_saved_stdin, int *_saved_stdout) {
616 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
617 int r;
618
619 assert(_saved_stdin);
620 assert(_saved_stdout);
621
622 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
623 if (saved_stdin < 0)
624 return -errno;
625
626 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
627 if (saved_stdout < 0)
628 return -errno;
629
630 fd = acquire_terminal(
631 "/dev/console",
632 false,
633 false,
634 false,
635 DEFAULT_CONFIRM_USEC);
636 if (fd < 0)
637 return fd;
638
639 r = chown_terminal(fd, getuid());
640 if (r < 0)
641 return r;
642
643 r = reset_terminal_fd(fd, true);
644 if (r < 0)
645 return r;
646
647 if (dup2(fd, STDIN_FILENO) < 0)
648 return -errno;
649
650 if (dup2(fd, STDOUT_FILENO) < 0)
651 return -errno;
652
653 if (fd >= 2)
654 safe_close(fd);
655 fd = -1;
656
657 *_saved_stdin = saved_stdin;
658 *_saved_stdout = saved_stdout;
659
660 saved_stdin = saved_stdout = -1;
661
662 return 0;
663 }
664
665 _printf_(1, 2) static int write_confirm_message(const char *format, ...) {
666 _cleanup_close_ int fd = -1;
667 va_list ap;
668
669 assert(format);
670
671 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
672 if (fd < 0)
673 return fd;
674
675 va_start(ap, format);
676 vdprintf(fd, format, ap);
677 va_end(ap);
678
679 return 0;
680 }
681
682 static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
683 int r = 0;
684
685 assert(saved_stdin);
686 assert(saved_stdout);
687
688 release_terminal();
689
690 if (*saved_stdin >= 0)
691 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
692 r = -errno;
693
694 if (*saved_stdout >= 0)
695 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
696 r = -errno;
697
698 *saved_stdin = safe_close(*saved_stdin);
699 *saved_stdout = safe_close(*saved_stdout);
700
701 return r;
702 }
703
704 static int ask_for_confirmation(char *response, char **argv) {
705 int saved_stdout = -1, saved_stdin = -1, r;
706 _cleanup_free_ char *line = NULL;
707
708 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
709 if (r < 0)
710 return r;
711
712 line = exec_command_line(argv);
713 if (!line)
714 return -ENOMEM;
715
716 r = ask_char(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
717
718 restore_confirm_stdio(&saved_stdin, &saved_stdout);
719
720 return r;
721 }
722
723 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
724 bool keep_groups = false;
725 int r;
726
727 assert(context);
728
729 /* Lookup and set GID and supplementary group list. Here too
730 * we avoid NSS lookups for gid=0. */
731
732 if (context->group || username) {
733 /* First step, initialize groups from /etc/groups */
734 if (username && gid != 0) {
735 if (initgroups(username, gid) < 0)
736 return -errno;
737
738 keep_groups = true;
739 }
740
741 /* Second step, set our gids */
742 if (setresgid(gid, gid, gid) < 0)
743 return -errno;
744 }
745
746 if (context->supplementary_groups) {
747 int ngroups_max, k;
748 gid_t *gids;
749 char **i;
750
751 /* Final step, initialize any manually set supplementary groups */
752 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
753
754 if (!(gids = new(gid_t, ngroups_max)))
755 return -ENOMEM;
756
757 if (keep_groups) {
758 k = getgroups(ngroups_max, gids);
759 if (k < 0) {
760 free(gids);
761 return -errno;
762 }
763 } else
764 k = 0;
765
766 STRV_FOREACH(i, context->supplementary_groups) {
767 const char *g;
768
769 if (k >= ngroups_max) {
770 free(gids);
771 return -E2BIG;
772 }
773
774 g = *i;
775 r = get_group_creds(&g, gids+k);
776 if (r < 0) {
777 free(gids);
778 return r;
779 }
780
781 k++;
782 }
783
784 r = maybe_setgroups(k, gids);
785 if (r < 0) {
786 free(gids);
787 return r;
788 }
789
790 free(gids);
791 }
792
793 return 0;
794 }
795
796 static int enforce_user(const ExecContext *context, uid_t uid) {
797 assert(context);
798
799 /* Sets (but doesn't look up) the uid and make sure we keep the
800 * capabilities while doing so. */
801
802 if (context->capability_ambient_set != 0) {
803
804 /* First step: If we need to keep capabilities but
805 * drop privileges we need to make sure we keep our
806 * caps, while we drop privileges. */
807 if (uid != 0) {
808 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
809
810 if (prctl(PR_GET_SECUREBITS) != sb)
811 if (prctl(PR_SET_SECUREBITS, sb) < 0)
812 return -errno;
813 }
814 }
815
816 /* Second step: actually set the uids */
817 if (setresuid(uid, uid, uid) < 0)
818 return -errno;
819
820 /* At this point we should have all necessary capabilities but
821 are otherwise a normal user. However, the caps might got
822 corrupted due to the setresuid() so we need clean them up
823 later. This is done outside of this call. */
824
825 return 0;
826 }
827
828 #ifdef HAVE_PAM
829
830 static int null_conv(
831 int num_msg,
832 const struct pam_message **msg,
833 struct pam_response **resp,
834 void *appdata_ptr) {
835
836 /* We don't support conversations */
837
838 return PAM_CONV_ERR;
839 }
840
841 #endif
842
843 static int setup_pam(
844 const char *name,
845 const char *user,
846 uid_t uid,
847 gid_t gid,
848 const char *tty,
849 char ***env,
850 int fds[], unsigned n_fds) {
851
852 #ifdef HAVE_PAM
853
854 static const struct pam_conv conv = {
855 .conv = null_conv,
856 .appdata_ptr = NULL
857 };
858
859 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
860 pam_handle_t *handle = NULL;
861 sigset_t old_ss;
862 int pam_code = PAM_SUCCESS, r;
863 char **nv, **e = NULL;
864 bool close_session = false;
865 pid_t pam_pid = 0, parent_pid;
866 int flags = 0;
867
868 assert(name);
869 assert(user);
870 assert(env);
871
872 /* We set up PAM in the parent process, then fork. The child
873 * will then stay around until killed via PR_GET_PDEATHSIG or
874 * systemd via the cgroup logic. It will then remove the PAM
875 * session again. The parent process will exec() the actual
876 * daemon. We do things this way to ensure that the main PID
877 * of the daemon is the one we initially fork()ed. */
878
879 r = barrier_create(&barrier);
880 if (r < 0)
881 goto fail;
882
883 if (log_get_max_level() < LOG_DEBUG)
884 flags |= PAM_SILENT;
885
886 pam_code = pam_start(name, user, &conv, &handle);
887 if (pam_code != PAM_SUCCESS) {
888 handle = NULL;
889 goto fail;
890 }
891
892 if (tty) {
893 pam_code = pam_set_item(handle, PAM_TTY, tty);
894 if (pam_code != PAM_SUCCESS)
895 goto fail;
896 }
897
898 STRV_FOREACH(nv, *env) {
899 pam_code = pam_putenv(handle, *nv);
900 if (pam_code != PAM_SUCCESS)
901 goto fail;
902 }
903
904 pam_code = pam_acct_mgmt(handle, flags);
905 if (pam_code != PAM_SUCCESS)
906 goto fail;
907
908 pam_code = pam_open_session(handle, flags);
909 if (pam_code != PAM_SUCCESS)
910 goto fail;
911
912 close_session = true;
913
914 e = pam_getenvlist(handle);
915 if (!e) {
916 pam_code = PAM_BUF_ERR;
917 goto fail;
918 }
919
920 /* Block SIGTERM, so that we know that it won't get lost in
921 * the child */
922
923 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
924
925 parent_pid = getpid();
926
927 pam_pid = fork();
928 if (pam_pid < 0) {
929 r = -errno;
930 goto fail;
931 }
932
933 if (pam_pid == 0) {
934 int sig, ret = EXIT_PAM;
935
936 /* The child's job is to reset the PAM session on
937 * termination */
938 barrier_set_role(&barrier, BARRIER_CHILD);
939
940 /* This string must fit in 10 chars (i.e. the length
941 * of "/sbin/init"), to look pretty in /bin/ps */
942 rename_process("(sd-pam)");
943
944 /* Make sure we don't keep open the passed fds in this
945 child. We assume that otherwise only those fds are
946 open here that have been opened by PAM. */
947 close_many(fds, n_fds);
948
949 /* Drop privileges - we don't need any to pam_close_session
950 * and this will make PR_SET_PDEATHSIG work in most cases.
951 * If this fails, ignore the error - but expect sd-pam threads
952 * to fail to exit normally */
953
954 r = maybe_setgroups(0, NULL);
955 if (r < 0)
956 log_warning_errno(r, "Failed to setgroups() in sd-pam: %m");
957 if (setresgid(gid, gid, gid) < 0)
958 log_warning_errno(errno, "Failed to setresgid() in sd-pam: %m");
959 if (setresuid(uid, uid, uid) < 0)
960 log_warning_errno(errno, "Failed to setresuid() in sd-pam: %m");
961
962 (void) ignore_signals(SIGPIPE, -1);
963
964 /* Wait until our parent died. This will only work if
965 * the above setresuid() succeeds, otherwise the kernel
966 * will not allow unprivileged parents kill their privileged
967 * children this way. We rely on the control groups kill logic
968 * to do the rest for us. */
969 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
970 goto child_finish;
971
972 /* Tell the parent that our setup is done. This is especially
973 * important regarding dropping privileges. Otherwise, unit
974 * setup might race against our setresuid(2) call. */
975 barrier_place(&barrier);
976
977 /* Check if our parent process might already have
978 * died? */
979 if (getppid() == parent_pid) {
980 sigset_t ss;
981
982 assert_se(sigemptyset(&ss) >= 0);
983 assert_se(sigaddset(&ss, SIGTERM) >= 0);
984
985 for (;;) {
986 if (sigwait(&ss, &sig) < 0) {
987 if (errno == EINTR)
988 continue;
989
990 goto child_finish;
991 }
992
993 assert(sig == SIGTERM);
994 break;
995 }
996 }
997
998 /* If our parent died we'll end the session */
999 if (getppid() != parent_pid) {
1000 pam_code = pam_close_session(handle, flags);
1001 if (pam_code != PAM_SUCCESS)
1002 goto child_finish;
1003 }
1004
1005 ret = 0;
1006
1007 child_finish:
1008 pam_end(handle, pam_code | flags);
1009 _exit(ret);
1010 }
1011
1012 barrier_set_role(&barrier, BARRIER_PARENT);
1013
1014 /* If the child was forked off successfully it will do all the
1015 * cleanups, so forget about the handle here. */
1016 handle = NULL;
1017
1018 /* Unblock SIGTERM again in the parent */
1019 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
1020
1021 /* We close the log explicitly here, since the PAM modules
1022 * might have opened it, but we don't want this fd around. */
1023 closelog();
1024
1025 /* Synchronously wait for the child to initialize. We don't care for
1026 * errors as we cannot recover. However, warn loudly if it happens. */
1027 if (!barrier_place_and_sync(&barrier))
1028 log_error("PAM initialization failed");
1029
1030 strv_free(*env);
1031 *env = e;
1032
1033 return 0;
1034
1035 fail:
1036 if (pam_code != PAM_SUCCESS) {
1037 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
1038 r = -EPERM; /* PAM errors do not map to errno */
1039 } else
1040 log_error_errno(r, "PAM failed: %m");
1041
1042 if (handle) {
1043 if (close_session)
1044 pam_code = pam_close_session(handle, flags);
1045
1046 pam_end(handle, pam_code | flags);
1047 }
1048
1049 strv_free(e);
1050 closelog();
1051
1052 return r;
1053 #else
1054 return 0;
1055 #endif
1056 }
1057
1058 static void rename_process_from_path(const char *path) {
1059 char process_name[11];
1060 const char *p;
1061 size_t l;
1062
1063 /* This resulting string must fit in 10 chars (i.e. the length
1064 * of "/sbin/init") to look pretty in /bin/ps */
1065
1066 p = basename(path);
1067 if (isempty(p)) {
1068 rename_process("(...)");
1069 return;
1070 }
1071
1072 l = strlen(p);
1073 if (l > 8) {
1074 /* The end of the process name is usually more
1075 * interesting, since the first bit might just be
1076 * "systemd-" */
1077 p = p + l - 8;
1078 l = 8;
1079 }
1080
1081 process_name[0] = '(';
1082 memcpy(process_name+1, p, l);
1083 process_name[1+l] = ')';
1084 process_name[1+l+1] = 0;
1085
1086 rename_process(process_name);
1087 }
1088
1089 #ifdef HAVE_SECCOMP
1090
1091 static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
1092 if (!is_seccomp_available()) {
1093 log_open();
1094 log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
1095 log_close();
1096 return true;
1097 }
1098 return false;
1099 }
1100
1101 static int apply_seccomp(const Unit* u, const ExecContext *c) {
1102 uint32_t negative_action, action;
1103 scmp_filter_ctx *seccomp;
1104 Iterator i;
1105 void *id;
1106 int r;
1107
1108 assert(c);
1109
1110 if (skip_seccomp_unavailable(u, "syscall filtering"))
1111 return 0;
1112
1113 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
1114
1115 seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW);
1116 if (!seccomp)
1117 return -ENOMEM;
1118
1119 if (c->syscall_archs) {
1120
1121 SET_FOREACH(id, c->syscall_archs, i) {
1122 r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
1123 if (r == -EEXIST)
1124 continue;
1125 if (r < 0)
1126 goto finish;
1127 }
1128
1129 } else {
1130 r = seccomp_add_secondary_archs(seccomp);
1131 if (r < 0)
1132 goto finish;
1133 }
1134
1135 action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
1136 SET_FOREACH(id, c->syscall_filter, i) {
1137 r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
1138 if (r < 0)
1139 goto finish;
1140 }
1141
1142 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1143 if (r < 0)
1144 goto finish;
1145
1146 r = seccomp_load(seccomp);
1147
1148 finish:
1149 seccomp_release(seccomp);
1150 return r;
1151 }
1152
1153 static int apply_address_families(const Unit* u, const ExecContext *c) {
1154 scmp_filter_ctx *seccomp;
1155 Iterator i;
1156 int r;
1157
1158 assert(c);
1159
1160 if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
1161 return 0;
1162
1163 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1164 if (!seccomp)
1165 return -ENOMEM;
1166
1167 r = seccomp_add_secondary_archs(seccomp);
1168 if (r < 0)
1169 goto finish;
1170
1171 if (c->address_families_whitelist) {
1172 int af, first = 0, last = 0;
1173 void *afp;
1174
1175 /* If this is a whitelist, we first block the address
1176 * families that are out of range and then everything
1177 * that is not in the set. First, we find the lowest
1178 * and highest address family in the set. */
1179
1180 SET_FOREACH(afp, c->address_families, i) {
1181 af = PTR_TO_INT(afp);
1182
1183 if (af <= 0 || af >= af_max())
1184 continue;
1185
1186 if (first == 0 || af < first)
1187 first = af;
1188
1189 if (last == 0 || af > last)
1190 last = af;
1191 }
1192
1193 assert((first == 0) == (last == 0));
1194
1195 if (first == 0) {
1196
1197 /* No entries in the valid range, block everything */
1198 r = seccomp_rule_add(
1199 seccomp,
1200 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1201 SCMP_SYS(socket),
1202 0);
1203 if (r < 0)
1204 goto finish;
1205
1206 } else {
1207
1208 /* Block everything below the first entry */
1209 r = seccomp_rule_add(
1210 seccomp,
1211 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1212 SCMP_SYS(socket),
1213 1,
1214 SCMP_A0(SCMP_CMP_LT, first));
1215 if (r < 0)
1216 goto finish;
1217
1218 /* Block everything above the last entry */
1219 r = seccomp_rule_add(
1220 seccomp,
1221 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1222 SCMP_SYS(socket),
1223 1,
1224 SCMP_A0(SCMP_CMP_GT, last));
1225 if (r < 0)
1226 goto finish;
1227
1228 /* Block everything between the first and last
1229 * entry */
1230 for (af = 1; af < af_max(); af++) {
1231
1232 if (set_contains(c->address_families, INT_TO_PTR(af)))
1233 continue;
1234
1235 r = seccomp_rule_add(
1236 seccomp,
1237 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1238 SCMP_SYS(socket),
1239 1,
1240 SCMP_A0(SCMP_CMP_EQ, af));
1241 if (r < 0)
1242 goto finish;
1243 }
1244 }
1245
1246 } else {
1247 void *af;
1248
1249 /* If this is a blacklist, then generate one rule for
1250 * each address family that are then combined in OR
1251 * checks. */
1252
1253 SET_FOREACH(af, c->address_families, i) {
1254
1255 r = seccomp_rule_add(
1256 seccomp,
1257 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1258 SCMP_SYS(socket),
1259 1,
1260 SCMP_A0(SCMP_CMP_EQ, PTR_TO_INT(af)));
1261 if (r < 0)
1262 goto finish;
1263 }
1264 }
1265
1266 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1267 if (r < 0)
1268 goto finish;
1269
1270 r = seccomp_load(seccomp);
1271
1272 finish:
1273 seccomp_release(seccomp);
1274 return r;
1275 }
1276
1277 static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c) {
1278 scmp_filter_ctx *seccomp;
1279 int r;
1280
1281 assert(c);
1282
1283 if (skip_seccomp_unavailable(u, "MemoryDenyWriteExecute="))
1284 return 0;
1285
1286 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1287 if (!seccomp)
1288 return -ENOMEM;
1289
1290 r = seccomp_add_secondary_archs(seccomp);
1291 if (r < 0)
1292 goto finish;
1293
1294 r = seccomp_rule_add(
1295 seccomp,
1296 SCMP_ACT_ERRNO(EPERM),
1297 SCMP_SYS(mmap),
1298 1,
1299 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE));
1300 if (r < 0)
1301 goto finish;
1302
1303 r = seccomp_rule_add(
1304 seccomp,
1305 SCMP_ACT_ERRNO(EPERM),
1306 SCMP_SYS(mprotect),
1307 1,
1308 SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC));
1309 if (r < 0)
1310 goto finish;
1311
1312 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1313 if (r < 0)
1314 goto finish;
1315
1316 r = seccomp_load(seccomp);
1317
1318 finish:
1319 seccomp_release(seccomp);
1320 return r;
1321 }
1322
1323 static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
1324 static const int permitted_policies[] = {
1325 SCHED_OTHER,
1326 SCHED_BATCH,
1327 SCHED_IDLE,
1328 };
1329
1330 scmp_filter_ctx *seccomp;
1331 unsigned i;
1332 int r, p, max_policy = 0;
1333
1334 assert(c);
1335
1336 if (skip_seccomp_unavailable(u, "RestrictRealtime="))
1337 return 0;
1338
1339 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1340 if (!seccomp)
1341 return -ENOMEM;
1342
1343 r = seccomp_add_secondary_archs(seccomp);
1344 if (r < 0)
1345 goto finish;
1346
1347 /* Determine the highest policy constant we want to allow */
1348 for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
1349 if (permitted_policies[i] > max_policy)
1350 max_policy = permitted_policies[i];
1351
1352 /* Go through all policies with lower values than that, and block them -- unless they appear in the
1353 * whitelist. */
1354 for (p = 0; p < max_policy; p++) {
1355 bool good = false;
1356
1357 /* Check if this is in the whitelist. */
1358 for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
1359 if (permitted_policies[i] == p) {
1360 good = true;
1361 break;
1362 }
1363
1364 if (good)
1365 continue;
1366
1367 /* Deny this policy */
1368 r = seccomp_rule_add(
1369 seccomp,
1370 SCMP_ACT_ERRNO(EPERM),
1371 SCMP_SYS(sched_setscheduler),
1372 1,
1373 SCMP_A1(SCMP_CMP_EQ, p));
1374 if (r < 0)
1375 goto finish;
1376 }
1377
1378 /* Blacklist all other policies, i.e. the ones with higher values. Note that all comparisons are unsigned here,
1379 * hence no need no check for < 0 values. */
1380 r = seccomp_rule_add(
1381 seccomp,
1382 SCMP_ACT_ERRNO(EPERM),
1383 SCMP_SYS(sched_setscheduler),
1384 1,
1385 SCMP_A1(SCMP_CMP_GT, max_policy));
1386 if (r < 0)
1387 goto finish;
1388
1389 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1390 if (r < 0)
1391 goto finish;
1392
1393 r = seccomp_load(seccomp);
1394
1395 finish:
1396 seccomp_release(seccomp);
1397 return r;
1398 }
1399
1400 static int apply_protect_sysctl(Unit *u, const ExecContext *c) {
1401 scmp_filter_ctx *seccomp;
1402 int r;
1403
1404 assert(c);
1405
1406 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1407 * let's protect even those systems where this is left on in the kernel. */
1408
1409 if (skip_seccomp_unavailable(u, "ProtectKernelTunables="))
1410 return 0;
1411
1412 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1413 if (!seccomp)
1414 return -ENOMEM;
1415
1416 r = seccomp_add_secondary_archs(seccomp);
1417 if (r < 0)
1418 goto finish;
1419
1420 r = seccomp_rule_add(
1421 seccomp,
1422 SCMP_ACT_ERRNO(EPERM),
1423 SCMP_SYS(_sysctl),
1424 0);
1425 if (r < 0)
1426 goto finish;
1427
1428 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1429 if (r < 0)
1430 goto finish;
1431
1432 r = seccomp_load(seccomp);
1433
1434 finish:
1435 seccomp_release(seccomp);
1436 return r;
1437 }
1438
1439 static int apply_protect_kernel_modules(Unit *u, const ExecContext *c) {
1440 static const int module_syscalls[] = {
1441 SCMP_SYS(delete_module),
1442 SCMP_SYS(finit_module),
1443 SCMP_SYS(init_module),
1444 };
1445
1446 scmp_filter_ctx *seccomp;
1447 unsigned i;
1448 int r;
1449
1450 assert(c);
1451
1452 /* Turn of module syscalls on ProtectKernelModules=yes */
1453
1454 if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
1455 return 0;
1456
1457 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1458 if (!seccomp)
1459 return -ENOMEM;
1460
1461 r = seccomp_add_secondary_archs(seccomp);
1462 if (r < 0)
1463 goto finish;
1464
1465 for (i = 0; i < ELEMENTSOF(module_syscalls); i++) {
1466 r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM),
1467 module_syscalls[i], 0);
1468 if (r < 0)
1469 goto finish;
1470 }
1471
1472 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1473 if (r < 0)
1474 goto finish;
1475
1476 r = seccomp_load(seccomp);
1477
1478 finish:
1479 seccomp_release(seccomp);
1480 return r;
1481 }
1482
1483 static int apply_private_devices(Unit *u, const ExecContext *c) {
1484 const SystemCallFilterSet *set;
1485 scmp_filter_ctx *seccomp;
1486 const char *sys;
1487 bool syscalls_found = false;
1488 int r;
1489
1490 assert(c);
1491
1492 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
1493
1494 if (skip_seccomp_unavailable(u, "PrivateDevices="))
1495 return 0;
1496
1497 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1498 if (!seccomp)
1499 return -ENOMEM;
1500
1501 r = seccomp_add_secondary_archs(seccomp);
1502 if (r < 0)
1503 goto finish;
1504
1505 for (set = syscall_filter_sets; set->set_name; set++)
1506 if (streq(set->set_name, "@raw-io")) {
1507 syscalls_found = true;
1508 break;
1509 }
1510
1511 /* We should never fail here */
1512 if (!syscalls_found) {
1513 r = -EOPNOTSUPP;
1514 goto finish;
1515 }
1516
1517 NULSTR_FOREACH(sys, set->value) {
1518 int id;
1519 bool add = true;
1520
1521 #ifndef __NR_s390_pci_mmio_read
1522 if (streq(sys, "s390_pci_mmio_read"))
1523 add = false;
1524 #endif
1525 #ifndef __NR_s390_pci_mmio_write
1526 if (streq(sys, "s390_pci_mmio_write"))
1527 add = false;
1528 #endif
1529
1530 if (!add)
1531 continue;
1532
1533 id = seccomp_syscall_resolve_name(sys);
1534
1535 r = seccomp_rule_add(
1536 seccomp,
1537 SCMP_ACT_ERRNO(EPERM),
1538 id, 0);
1539 if (r < 0)
1540 goto finish;
1541 }
1542
1543 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1544 if (r < 0)
1545 goto finish;
1546
1547 r = seccomp_load(seccomp);
1548
1549 finish:
1550 seccomp_release(seccomp);
1551 return r;
1552 }
1553
1554 #endif
1555
1556 static void do_idle_pipe_dance(int idle_pipe[4]) {
1557 assert(idle_pipe);
1558
1559 idle_pipe[1] = safe_close(idle_pipe[1]);
1560 idle_pipe[2] = safe_close(idle_pipe[2]);
1561
1562 if (idle_pipe[0] >= 0) {
1563 int r;
1564
1565 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1566
1567 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
1568 ssize_t n;
1569
1570 /* Signal systemd that we are bored and want to continue. */
1571 n = write(idle_pipe[3], "x", 1);
1572 if (n > 0)
1573 /* Wait for systemd to react to the signal above. */
1574 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1575 }
1576
1577 idle_pipe[0] = safe_close(idle_pipe[0]);
1578
1579 }
1580
1581 idle_pipe[3] = safe_close(idle_pipe[3]);
1582 }
1583
1584 static int build_environment(
1585 Unit *u,
1586 const ExecContext *c,
1587 const ExecParameters *p,
1588 unsigned n_fds,
1589 const char *home,
1590 const char *username,
1591 const char *shell,
1592 dev_t journal_stream_dev,
1593 ino_t journal_stream_ino,
1594 char ***ret) {
1595
1596 _cleanup_strv_free_ char **our_env = NULL;
1597 unsigned n_env = 0;
1598 char *x;
1599
1600 assert(u);
1601 assert(c);
1602 assert(ret);
1603
1604 our_env = new0(char*, 14);
1605 if (!our_env)
1606 return -ENOMEM;
1607
1608 if (n_fds > 0) {
1609 _cleanup_free_ char *joined = NULL;
1610
1611 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1612 return -ENOMEM;
1613 our_env[n_env++] = x;
1614
1615 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1616 return -ENOMEM;
1617 our_env[n_env++] = x;
1618
1619 joined = strv_join(p->fd_names, ":");
1620 if (!joined)
1621 return -ENOMEM;
1622
1623 x = strjoin("LISTEN_FDNAMES=", joined, NULL);
1624 if (!x)
1625 return -ENOMEM;
1626 our_env[n_env++] = x;
1627 }
1628
1629 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
1630 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1631 return -ENOMEM;
1632 our_env[n_env++] = x;
1633
1634 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
1635 return -ENOMEM;
1636 our_env[n_env++] = x;
1637 }
1638
1639 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1640 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1641 * check the database directly. */
1642 if (unit_has_name(u, SPECIAL_DBUS_SERVICE)) {
1643 x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1644 if (!x)
1645 return -ENOMEM;
1646 our_env[n_env++] = x;
1647 }
1648
1649 if (home) {
1650 x = strappend("HOME=", home);
1651 if (!x)
1652 return -ENOMEM;
1653 our_env[n_env++] = x;
1654 }
1655
1656 if (username) {
1657 x = strappend("LOGNAME=", username);
1658 if (!x)
1659 return -ENOMEM;
1660 our_env[n_env++] = x;
1661
1662 x = strappend("USER=", username);
1663 if (!x)
1664 return -ENOMEM;
1665 our_env[n_env++] = x;
1666 }
1667
1668 if (shell) {
1669 x = strappend("SHELL=", shell);
1670 if (!x)
1671 return -ENOMEM;
1672 our_env[n_env++] = x;
1673 }
1674
1675 if (!sd_id128_is_null(u->invocation_id)) {
1676 if (asprintf(&x, "INVOCATION_ID=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(u->invocation_id)) < 0)
1677 return -ENOMEM;
1678
1679 our_env[n_env++] = x;
1680 }
1681
1682 if (exec_context_needs_term(c)) {
1683 const char *tty_path, *term = NULL;
1684
1685 tty_path = exec_context_tty_path(c);
1686
1687 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try to inherit
1688 * the $TERM set for PID 1. This is useful for containers so that the $TERM the container manager
1689 * passes to PID 1 ends up all the way in the console login shown. */
1690
1691 if (path_equal(tty_path, "/dev/console") && getppid() == 1)
1692 term = getenv("TERM");
1693 if (!term)
1694 term = default_term_for_tty(tty_path);
1695
1696 x = strappend("TERM=", term);
1697 if (!x)
1698 return -ENOMEM;
1699 our_env[n_env++] = x;
1700 }
1701
1702 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1703 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1704 return -ENOMEM;
1705
1706 our_env[n_env++] = x;
1707 }
1708
1709 our_env[n_env++] = NULL;
1710 assert(n_env <= 12);
1711
1712 *ret = our_env;
1713 our_env = NULL;
1714
1715 return 0;
1716 }
1717
1718 static int build_pass_environment(const ExecContext *c, char ***ret) {
1719 _cleanup_strv_free_ char **pass_env = NULL;
1720 size_t n_env = 0, n_bufsize = 0;
1721 char **i;
1722
1723 STRV_FOREACH(i, c->pass_environment) {
1724 _cleanup_free_ char *x = NULL;
1725 char *v;
1726
1727 v = getenv(*i);
1728 if (!v)
1729 continue;
1730 x = strjoin(*i, "=", v, NULL);
1731 if (!x)
1732 return -ENOMEM;
1733 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1734 return -ENOMEM;
1735 pass_env[n_env++] = x;
1736 pass_env[n_env] = NULL;
1737 x = NULL;
1738 }
1739
1740 *ret = pass_env;
1741 pass_env = NULL;
1742
1743 return 0;
1744 }
1745
1746 static bool exec_needs_mount_namespace(
1747 const ExecContext *context,
1748 const ExecParameters *params,
1749 ExecRuntime *runtime) {
1750
1751 assert(context);
1752 assert(params);
1753
1754 if (!strv_isempty(context->read_write_paths) ||
1755 !strv_isempty(context->read_only_paths) ||
1756 !strv_isempty(context->inaccessible_paths))
1757 return true;
1758
1759 if (context->mount_flags != 0)
1760 return true;
1761
1762 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1763 return true;
1764
1765 if (context->private_devices ||
1766 context->protect_system != PROTECT_SYSTEM_NO ||
1767 context->protect_home != PROTECT_HOME_NO ||
1768 context->protect_kernel_tunables ||
1769 context->protect_kernel_modules ||
1770 context->protect_control_groups)
1771 return true;
1772
1773 return false;
1774 }
1775
1776 static int setup_private_users(uid_t uid, gid_t gid) {
1777 _cleanup_free_ char *uid_map = NULL, *gid_map = NULL;
1778 _cleanup_close_pair_ int errno_pipe[2] = { -1, -1 };
1779 _cleanup_close_ int unshare_ready_fd = -1;
1780 _cleanup_(sigkill_waitp) pid_t pid = 0;
1781 uint64_t c = 1;
1782 siginfo_t si;
1783 ssize_t n;
1784 int r;
1785
1786 /* Set up a user namespace and map root to root, the selected UID/GID to itself, and everything else to
1787 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1788 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1789 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1790 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
1791 * continues execution normally. */
1792
1793 if (uid != 0 && uid_is_valid(uid))
1794 asprintf(&uid_map,
1795 "0 0 1\n" /* Map root → root */
1796 UID_FMT " " UID_FMT " 1\n", /* Map $UID → $UID */
1797 uid, uid); /* The case where the above is the same */
1798 else
1799 uid_map = strdup("0 0 1\n");
1800 if (!uid_map)
1801 return -ENOMEM;
1802
1803 if (gid != 0 && gid_is_valid(gid))
1804 asprintf(&gid_map,
1805 "0 0 1\n" /* Map root → root */
1806 GID_FMT " " GID_FMT " 1\n", /* Map $GID → $GID */
1807 gid, gid);
1808 else
1809 gid_map = strdup("0 0 1\n"); /* The case where the above is the same */
1810 if (!gid_map)
1811 return -ENOMEM;
1812
1813 /* Create a communication channel so that the parent can tell the child when it finished creating the user
1814 * namespace. */
1815 unshare_ready_fd = eventfd(0, EFD_CLOEXEC);
1816 if (unshare_ready_fd < 0)
1817 return -errno;
1818
1819 /* Create a communication channel so that the child can tell the parent a proper error code in case it
1820 * failed. */
1821 if (pipe2(errno_pipe, O_CLOEXEC) < 0)
1822 return -errno;
1823
1824 pid = fork();
1825 if (pid < 0)
1826 return -errno;
1827
1828 if (pid == 0) {
1829 _cleanup_close_ int fd = -1;
1830 const char *a;
1831 pid_t ppid;
1832
1833 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
1834 * here, after the parent opened its own user namespace. */
1835
1836 ppid = getppid();
1837 errno_pipe[0] = safe_close(errno_pipe[0]);
1838
1839 /* Wait until the parent unshared the user namespace */
1840 if (read(unshare_ready_fd, &c, sizeof(c)) < 0) {
1841 r = -errno;
1842 goto child_fail;
1843 }
1844
1845 /* Disable the setgroups() system call in the child user namespace, for good. */
1846 a = procfs_file_alloca(ppid, "setgroups");
1847 fd = open(a, O_WRONLY|O_CLOEXEC);
1848 if (fd < 0) {
1849 if (errno != ENOENT) {
1850 r = -errno;
1851 goto child_fail;
1852 }
1853
1854 /* If the file is missing the kernel is too old, let's continue anyway. */
1855 } else {
1856 if (write(fd, "deny\n", 5) < 0) {
1857 r = -errno;
1858 goto child_fail;
1859 }
1860
1861 fd = safe_close(fd);
1862 }
1863
1864 /* First write the GID map */
1865 a = procfs_file_alloca(ppid, "gid_map");
1866 fd = open(a, O_WRONLY|O_CLOEXEC);
1867 if (fd < 0) {
1868 r = -errno;
1869 goto child_fail;
1870 }
1871 if (write(fd, gid_map, strlen(gid_map)) < 0) {
1872 r = -errno;
1873 goto child_fail;
1874 }
1875 fd = safe_close(fd);
1876
1877 /* The write the UID map */
1878 a = procfs_file_alloca(ppid, "uid_map");
1879 fd = open(a, O_WRONLY|O_CLOEXEC);
1880 if (fd < 0) {
1881 r = -errno;
1882 goto child_fail;
1883 }
1884 if (write(fd, uid_map, strlen(uid_map)) < 0) {
1885 r = -errno;
1886 goto child_fail;
1887 }
1888
1889 _exit(EXIT_SUCCESS);
1890
1891 child_fail:
1892 (void) write(errno_pipe[1], &r, sizeof(r));
1893 _exit(EXIT_FAILURE);
1894 }
1895
1896 errno_pipe[1] = safe_close(errno_pipe[1]);
1897
1898 if (unshare(CLONE_NEWUSER) < 0)
1899 return -errno;
1900
1901 /* Let the child know that the namespace is ready now */
1902 if (write(unshare_ready_fd, &c, sizeof(c)) < 0)
1903 return -errno;
1904
1905 /* Try to read an error code from the child */
1906 n = read(errno_pipe[0], &r, sizeof(r));
1907 if (n < 0)
1908 return -errno;
1909 if (n == sizeof(r)) { /* an error code was sent to us */
1910 if (r < 0)
1911 return r;
1912 return -EIO;
1913 }
1914 if (n != 0) /* on success we should have read 0 bytes */
1915 return -EIO;
1916
1917 r = wait_for_terminate(pid, &si);
1918 if (r < 0)
1919 return r;
1920 pid = 0;
1921
1922 /* If something strange happened with the child, let's consider this fatal, too */
1923 if (si.si_code != CLD_EXITED || si.si_status != 0)
1924 return -EIO;
1925
1926 return 0;
1927 }
1928
1929 static int setup_runtime_directory(
1930 const ExecContext *context,
1931 const ExecParameters *params,
1932 uid_t uid,
1933 gid_t gid) {
1934
1935 char **rt;
1936 int r;
1937
1938 assert(context);
1939 assert(params);
1940
1941 STRV_FOREACH(rt, context->runtime_directory) {
1942 _cleanup_free_ char *p;
1943
1944 p = strjoin(params->runtime_prefix, "/", *rt, NULL);
1945 if (!p)
1946 return -ENOMEM;
1947
1948 r = mkdir_p_label(p, context->runtime_directory_mode);
1949 if (r < 0)
1950 return r;
1951
1952 r = chmod_and_chown(p, context->runtime_directory_mode, uid, gid);
1953 if (r < 0)
1954 return r;
1955 }
1956
1957 return 0;
1958 }
1959
1960 static int setup_smack(
1961 const ExecContext *context,
1962 const ExecCommand *command) {
1963
1964 #ifdef HAVE_SMACK
1965 int r;
1966
1967 assert(context);
1968 assert(command);
1969
1970 if (!mac_smack_use())
1971 return 0;
1972
1973 if (context->smack_process_label) {
1974 r = mac_smack_apply_pid(0, context->smack_process_label);
1975 if (r < 0)
1976 return r;
1977 }
1978 #ifdef SMACK_DEFAULT_PROCESS_LABEL
1979 else {
1980 _cleanup_free_ char *exec_label = NULL;
1981
1982 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
1983 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP)
1984 return r;
1985
1986 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
1987 if (r < 0)
1988 return r;
1989 }
1990 #endif
1991 #endif
1992
1993 return 0;
1994 }
1995
1996 static int compile_read_write_paths(
1997 const ExecContext *context,
1998 const ExecParameters *params,
1999 char ***ret) {
2000
2001 _cleanup_strv_free_ char **l = NULL;
2002 char **rt;
2003
2004 /* Compile the list of writable paths. This is the combination of the explicitly configured paths, plus all
2005 * runtime directories. */
2006
2007 if (strv_isempty(context->read_write_paths) &&
2008 strv_isempty(context->runtime_directory)) {
2009 *ret = NULL; /* NOP if neither is set */
2010 return 0;
2011 }
2012
2013 l = strv_copy(context->read_write_paths);
2014 if (!l)
2015 return -ENOMEM;
2016
2017 STRV_FOREACH(rt, context->runtime_directory) {
2018 char *s;
2019
2020 s = strjoin(params->runtime_prefix, "/", *rt, NULL);
2021 if (!s)
2022 return -ENOMEM;
2023
2024 if (strv_consume(&l, s) < 0)
2025 return -ENOMEM;
2026 }
2027
2028 *ret = l;
2029 l = NULL;
2030
2031 return 0;
2032 }
2033
2034 static void append_socket_pair(int *array, unsigned *n, int pair[2]) {
2035 assert(array);
2036 assert(n);
2037
2038 if (!pair)
2039 return;
2040
2041 if (pair[0] >= 0)
2042 array[(*n)++] = pair[0];
2043 if (pair[1] >= 0)
2044 array[(*n)++] = pair[1];
2045 }
2046
2047 static int close_remaining_fds(
2048 const ExecParameters *params,
2049 ExecRuntime *runtime,
2050 DynamicCreds *dcreds,
2051 int user_lookup_fd,
2052 int socket_fd,
2053 int *fds, unsigned n_fds) {
2054
2055 unsigned n_dont_close = 0;
2056 int dont_close[n_fds + 12];
2057
2058 assert(params);
2059
2060 if (params->stdin_fd >= 0)
2061 dont_close[n_dont_close++] = params->stdin_fd;
2062 if (params->stdout_fd >= 0)
2063 dont_close[n_dont_close++] = params->stdout_fd;
2064 if (params->stderr_fd >= 0)
2065 dont_close[n_dont_close++] = params->stderr_fd;
2066
2067 if (socket_fd >= 0)
2068 dont_close[n_dont_close++] = socket_fd;
2069 if (n_fds > 0) {
2070 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
2071 n_dont_close += n_fds;
2072 }
2073
2074 if (runtime)
2075 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
2076
2077 if (dcreds) {
2078 if (dcreds->user)
2079 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
2080 if (dcreds->group)
2081 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
2082 }
2083
2084 if (user_lookup_fd >= 0)
2085 dont_close[n_dont_close++] = user_lookup_fd;
2086
2087 return close_all_fds(dont_close, n_dont_close);
2088 }
2089
2090 static bool context_has_address_families(const ExecContext *c) {
2091 assert(c);
2092
2093 return c->address_families_whitelist ||
2094 !set_isempty(c->address_families);
2095 }
2096
2097 static bool context_has_syscall_filters(const ExecContext *c) {
2098 assert(c);
2099
2100 return c->syscall_whitelist ||
2101 !set_isempty(c->syscall_filter) ||
2102 !set_isempty(c->syscall_archs);
2103 }
2104
2105 static bool context_has_no_new_privileges(const ExecContext *c) {
2106 assert(c);
2107
2108 if (c->no_new_privileges)
2109 return true;
2110
2111 if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
2112 return false;
2113
2114 return context_has_address_families(c) || /* we need NNP if we have any form of seccomp and are unprivileged */
2115 c->memory_deny_write_execute ||
2116 c->restrict_realtime ||
2117 c->protect_kernel_tunables ||
2118 c->protect_kernel_modules ||
2119 c->private_devices ||
2120 context_has_syscall_filters(c);
2121 }
2122
2123 static int send_user_lookup(
2124 Unit *unit,
2125 int user_lookup_fd,
2126 uid_t uid,
2127 gid_t gid) {
2128
2129 assert(unit);
2130
2131 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
2132 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
2133 * specified. */
2134
2135 if (user_lookup_fd < 0)
2136 return 0;
2137
2138 if (!uid_is_valid(uid) && !gid_is_valid(gid))
2139 return 0;
2140
2141 if (writev(user_lookup_fd,
2142 (struct iovec[]) {
2143 { .iov_base = &uid, .iov_len = sizeof(uid) },
2144 { .iov_base = &gid, .iov_len = sizeof(gid) },
2145 { .iov_base = unit->id, .iov_len = strlen(unit->id) }}, 3) < 0)
2146 return -errno;
2147
2148 return 0;
2149 }
2150
2151 static int exec_child(
2152 Unit *unit,
2153 ExecCommand *command,
2154 const ExecContext *context,
2155 const ExecParameters *params,
2156 ExecRuntime *runtime,
2157 DynamicCreds *dcreds,
2158 char **argv,
2159 int socket_fd,
2160 int *fds, unsigned n_fds,
2161 char **files_env,
2162 int user_lookup_fd,
2163 int *exit_status) {
2164
2165 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **final_argv = NULL;
2166 _cleanup_free_ char *mac_selinux_context_net = NULL;
2167 const char *username = NULL, *home = NULL, *shell = NULL, *wd;
2168 dev_t journal_stream_dev = 0;
2169 ino_t journal_stream_ino = 0;
2170 bool needs_mount_namespace;
2171 uid_t uid = UID_INVALID;
2172 gid_t gid = GID_INVALID;
2173 int i, r;
2174
2175 assert(unit);
2176 assert(command);
2177 assert(context);
2178 assert(params);
2179 assert(exit_status);
2180
2181 rename_process_from_path(command->path);
2182
2183 /* We reset exactly these signals, since they are the
2184 * only ones we set to SIG_IGN in the main daemon. All
2185 * others we leave untouched because we set them to
2186 * SIG_DFL or a valid handler initially, both of which
2187 * will be demoted to SIG_DFL. */
2188 (void) default_signals(SIGNALS_CRASH_HANDLER,
2189 SIGNALS_IGNORE, -1);
2190
2191 if (context->ignore_sigpipe)
2192 (void) ignore_signals(SIGPIPE, -1);
2193
2194 r = reset_signal_mask();
2195 if (r < 0) {
2196 *exit_status = EXIT_SIGNAL_MASK;
2197 return r;
2198 }
2199
2200 if (params->idle_pipe)
2201 do_idle_pipe_dance(params->idle_pipe);
2202
2203 /* Close sockets very early to make sure we don't
2204 * block init reexecution because it cannot bind its
2205 * sockets */
2206
2207 log_forget_fds();
2208
2209 r = close_remaining_fds(params, runtime, dcreds, user_lookup_fd, socket_fd, fds, n_fds);
2210 if (r < 0) {
2211 *exit_status = EXIT_FDS;
2212 return r;
2213 }
2214
2215 if (!context->same_pgrp)
2216 if (setsid() < 0) {
2217 *exit_status = EXIT_SETSID;
2218 return -errno;
2219 }
2220
2221 exec_context_tty_reset(context, params);
2222
2223 if (params->flags & EXEC_CONFIRM_SPAWN) {
2224 char response;
2225
2226 r = ask_for_confirmation(&response, argv);
2227 if (r == -ETIMEDOUT)
2228 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
2229 else if (r < 0)
2230 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-r));
2231 else if (response == 's') {
2232 write_confirm_message("Skipping execution.\n");
2233 *exit_status = EXIT_CONFIRM;
2234 return -ECANCELED;
2235 } else if (response == 'n') {
2236 write_confirm_message("Failing execution.\n");
2237 *exit_status = 0;
2238 return 0;
2239 }
2240 }
2241
2242 if (context->dynamic_user && dcreds) {
2243
2244 /* Make sure we bypass our own NSS module for any NSS checks */
2245 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
2246 *exit_status = EXIT_USER;
2247 return -errno;
2248 }
2249
2250 r = dynamic_creds_realize(dcreds, &uid, &gid);
2251 if (r < 0) {
2252 *exit_status = EXIT_USER;
2253 return r;
2254 }
2255
2256 if (!uid_is_valid(uid) || !gid_is_valid(gid)) {
2257 *exit_status = EXIT_USER;
2258 return -ESRCH;
2259 }
2260
2261 if (dcreds->user)
2262 username = dcreds->user->name;
2263
2264 } else {
2265 if (context->user) {
2266 username = context->user;
2267 r = get_user_creds_clean(&username, &uid, &gid, &home, &shell);
2268 if (r < 0) {
2269 *exit_status = EXIT_USER;
2270 return r;
2271 }
2272
2273 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
2274 * (i.e. are "/" or "/bin/nologin"). */
2275 }
2276
2277 if (context->group) {
2278 const char *g = context->group;
2279
2280 r = get_group_creds(&g, &gid);
2281 if (r < 0) {
2282 *exit_status = EXIT_GROUP;
2283 return r;
2284 }
2285 }
2286 }
2287
2288 r = send_user_lookup(unit, user_lookup_fd, uid, gid);
2289 if (r < 0) {
2290 *exit_status = EXIT_USER;
2291 return r;
2292 }
2293
2294 user_lookup_fd = safe_close(user_lookup_fd);
2295
2296 /* If a socket is connected to STDIN/STDOUT/STDERR, we
2297 * must sure to drop O_NONBLOCK */
2298 if (socket_fd >= 0)
2299 (void) fd_nonblock(socket_fd, false);
2300
2301 r = setup_input(context, params, socket_fd);
2302 if (r < 0) {
2303 *exit_status = EXIT_STDIN;
2304 return r;
2305 }
2306
2307 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
2308 if (r < 0) {
2309 *exit_status = EXIT_STDOUT;
2310 return r;
2311 }
2312
2313 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
2314 if (r < 0) {
2315 *exit_status = EXIT_STDERR;
2316 return r;
2317 }
2318
2319 if (params->cgroup_path) {
2320 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
2321 if (r < 0) {
2322 *exit_status = EXIT_CGROUP;
2323 return r;
2324 }
2325 }
2326
2327 if (context->oom_score_adjust_set) {
2328 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
2329
2330 /* When we can't make this change due to EPERM, then
2331 * let's silently skip over it. User namespaces
2332 * prohibit write access to this file, and we
2333 * shouldn't trip up over that. */
2334
2335 sprintf(t, "%i", context->oom_score_adjust);
2336 r = write_string_file("/proc/self/oom_score_adj", t, 0);
2337 if (r == -EPERM || r == -EACCES) {
2338 log_open();
2339 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
2340 log_close();
2341 } else if (r < 0) {
2342 *exit_status = EXIT_OOM_ADJUST;
2343 return -errno;
2344 }
2345 }
2346
2347 if (context->nice_set)
2348 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
2349 *exit_status = EXIT_NICE;
2350 return -errno;
2351 }
2352
2353 if (context->cpu_sched_set) {
2354 struct sched_param param = {
2355 .sched_priority = context->cpu_sched_priority,
2356 };
2357
2358 r = sched_setscheduler(0,
2359 context->cpu_sched_policy |
2360 (context->cpu_sched_reset_on_fork ?
2361 SCHED_RESET_ON_FORK : 0),
2362 &param);
2363 if (r < 0) {
2364 *exit_status = EXIT_SETSCHEDULER;
2365 return -errno;
2366 }
2367 }
2368
2369 if (context->cpuset)
2370 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
2371 *exit_status = EXIT_CPUAFFINITY;
2372 return -errno;
2373 }
2374
2375 if (context->ioprio_set)
2376 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
2377 *exit_status = EXIT_IOPRIO;
2378 return -errno;
2379 }
2380
2381 if (context->timer_slack_nsec != NSEC_INFINITY)
2382 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
2383 *exit_status = EXIT_TIMERSLACK;
2384 return -errno;
2385 }
2386
2387 if (context->personality != PERSONALITY_INVALID)
2388 if (personality(context->personality) < 0) {
2389 *exit_status = EXIT_PERSONALITY;
2390 return -errno;
2391 }
2392
2393 if (context->utmp_id)
2394 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path,
2395 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
2396 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
2397 USER_PROCESS,
2398 username ? "root" : context->user);
2399
2400 if (context->user) {
2401 r = chown_terminal(STDIN_FILENO, uid);
2402 if (r < 0) {
2403 *exit_status = EXIT_STDIN;
2404 return r;
2405 }
2406 }
2407
2408 /* If delegation is enabled we'll pass ownership of the cgroup
2409 * (but only in systemd's own controller hierarchy!) to the
2410 * user of the new process. */
2411 if (params->cgroup_path && context->user && params->cgroup_delegate) {
2412 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
2413 if (r < 0) {
2414 *exit_status = EXIT_CGROUP;
2415 return r;
2416 }
2417
2418
2419 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
2420 if (r < 0) {
2421 *exit_status = EXIT_CGROUP;
2422 return r;
2423 }
2424 }
2425
2426 if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
2427 r = setup_runtime_directory(context, params, uid, gid);
2428 if (r < 0) {
2429 *exit_status = EXIT_RUNTIME_DIRECTORY;
2430 return r;
2431 }
2432 }
2433
2434 r = build_environment(
2435 unit,
2436 context,
2437 params,
2438 n_fds,
2439 home,
2440 username,
2441 shell,
2442 journal_stream_dev,
2443 journal_stream_ino,
2444 &our_env);
2445 if (r < 0) {
2446 *exit_status = EXIT_MEMORY;
2447 return r;
2448 }
2449
2450 r = build_pass_environment(context, &pass_env);
2451 if (r < 0) {
2452 *exit_status = EXIT_MEMORY;
2453 return r;
2454 }
2455
2456 accum_env = strv_env_merge(5,
2457 params->environment,
2458 our_env,
2459 pass_env,
2460 context->environment,
2461 files_env,
2462 NULL);
2463 if (!accum_env) {
2464 *exit_status = EXIT_MEMORY;
2465 return -ENOMEM;
2466 }
2467 accum_env = strv_env_clean(accum_env);
2468
2469 (void) umask(context->umask);
2470
2471 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
2472 r = setup_smack(context, command);
2473 if (r < 0) {
2474 *exit_status = EXIT_SMACK_PROCESS_LABEL;
2475 return r;
2476 }
2477
2478 if (context->pam_name && username) {
2479 r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds);
2480 if (r < 0) {
2481 *exit_status = EXIT_PAM;
2482 return r;
2483 }
2484 }
2485 }
2486
2487 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
2488 r = setup_netns(runtime->netns_storage_socket);
2489 if (r < 0) {
2490 *exit_status = EXIT_NETWORK;
2491 return r;
2492 }
2493 }
2494
2495 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
2496 if (needs_mount_namespace) {
2497 _cleanup_free_ char **rw = NULL;
2498 char *tmp = NULL, *var = NULL;
2499 NameSpaceInfo ns_info = {
2500 .private_dev = context->private_devices,
2501 .protect_control_groups = context->protect_control_groups,
2502 .protect_kernel_tunables = context->protect_kernel_tunables,
2503 .protect_kernel_modules = context->protect_kernel_modules,
2504 };
2505
2506 /* The runtime struct only contains the parent
2507 * of the private /tmp, which is
2508 * non-accessible to world users. Inside of it
2509 * there's a /tmp that is sticky, and that's
2510 * the one we want to use here. */
2511
2512 if (context->private_tmp && runtime) {
2513 if (runtime->tmp_dir)
2514 tmp = strjoina(runtime->tmp_dir, "/tmp");
2515 if (runtime->var_tmp_dir)
2516 var = strjoina(runtime->var_tmp_dir, "/tmp");
2517 }
2518
2519 r = compile_read_write_paths(context, params, &rw);
2520 if (r < 0) {
2521 *exit_status = EXIT_NAMESPACE;
2522 return r;
2523 }
2524
2525 r = setup_namespace(
2526 (params->flags & EXEC_APPLY_CHROOT) ? context->root_directory : NULL,
2527 &ns_info,
2528 rw,
2529 context->read_only_paths,
2530 context->inaccessible_paths,
2531 tmp,
2532 var,
2533 context->protect_home,
2534 context->protect_system,
2535 context->mount_flags);
2536
2537 /* If we couldn't set up the namespace this is
2538 * probably due to a missing capability. In this case,
2539 * silently proceeed. */
2540 if (r == -EPERM || r == -EACCES) {
2541 log_open();
2542 log_unit_debug_errno(unit, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
2543 log_close();
2544 } else if (r < 0) {
2545 *exit_status = EXIT_NAMESPACE;
2546 return r;
2547 }
2548 }
2549
2550 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
2551 r = enforce_groups(context, username, gid);
2552 if (r < 0) {
2553 *exit_status = EXIT_GROUP;
2554 return r;
2555 }
2556 }
2557
2558 if (context->working_directory_home)
2559 wd = home;
2560 else if (context->working_directory)
2561 wd = context->working_directory;
2562 else
2563 wd = "/";
2564
2565 if (params->flags & EXEC_APPLY_CHROOT) {
2566 if (!needs_mount_namespace && context->root_directory)
2567 if (chroot(context->root_directory) < 0) {
2568 *exit_status = EXIT_CHROOT;
2569 return -errno;
2570 }
2571
2572 if (chdir(wd) < 0 &&
2573 !context->working_directory_missing_ok) {
2574 *exit_status = EXIT_CHDIR;
2575 return -errno;
2576 }
2577 } else {
2578 const char *d;
2579
2580 d = strjoina(strempty(context->root_directory), "/", strempty(wd));
2581 if (chdir(d) < 0 &&
2582 !context->working_directory_missing_ok) {
2583 *exit_status = EXIT_CHDIR;
2584 return -errno;
2585 }
2586 }
2587
2588 #ifdef HAVE_SELINUX
2589 if ((params->flags & EXEC_APPLY_PERMISSIONS) &&
2590 mac_selinux_use() &&
2591 params->selinux_context_net &&
2592 socket_fd >= 0 &&
2593 !command->privileged) {
2594
2595 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
2596 if (r < 0) {
2597 *exit_status = EXIT_SELINUX_CONTEXT;
2598 return r;
2599 }
2600 }
2601 #endif
2602
2603 if ((params->flags & EXEC_APPLY_PERMISSIONS) && context->private_users) {
2604 r = setup_private_users(uid, gid);
2605 if (r < 0) {
2606 *exit_status = EXIT_USER;
2607 return r;
2608 }
2609 }
2610
2611 /* We repeat the fd closing here, to make sure that
2612 * nothing is leaked from the PAM modules. Note that
2613 * we are more aggressive this time since socket_fd
2614 * and the netns fds we don't need anymore. The custom
2615 * endpoint fd was needed to upload the policy and can
2616 * now be closed as well. */
2617 r = close_all_fds(fds, n_fds);
2618 if (r >= 0)
2619 r = shift_fds(fds, n_fds);
2620 if (r >= 0)
2621 r = flags_fds(fds, n_fds, context->non_blocking);
2622 if (r < 0) {
2623 *exit_status = EXIT_FDS;
2624 return r;
2625 }
2626
2627 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
2628
2629 int secure_bits = context->secure_bits;
2630
2631 for (i = 0; i < _RLIMIT_MAX; i++) {
2632
2633 if (!context->rlimit[i])
2634 continue;
2635
2636 r = setrlimit_closest(i, context->rlimit[i]);
2637 if (r < 0) {
2638 *exit_status = EXIT_LIMITS;
2639 return r;
2640 }
2641 }
2642
2643 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */
2644 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
2645 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
2646 *exit_status = EXIT_LIMITS;
2647 return -errno;
2648 }
2649 }
2650
2651 if (!cap_test_all(context->capability_bounding_set)) {
2652 r = capability_bounding_set_drop(context->capability_bounding_set, false);
2653 if (r < 0) {
2654 *exit_status = EXIT_CAPABILITIES;
2655 return r;
2656 }
2657 }
2658
2659 /* This is done before enforce_user, but ambient set
2660 * does not survive over setresuid() if keep_caps is not set. */
2661 if (context->capability_ambient_set != 0) {
2662 r = capability_ambient_set_apply(context->capability_ambient_set, true);
2663 if (r < 0) {
2664 *exit_status = EXIT_CAPABILITIES;
2665 return r;
2666 }
2667 }
2668
2669 if (context->user) {
2670 r = enforce_user(context, uid);
2671 if (r < 0) {
2672 *exit_status = EXIT_USER;
2673 return r;
2674 }
2675 if (context->capability_ambient_set != 0) {
2676
2677 /* Fix the ambient capabilities after user change. */
2678 r = capability_ambient_set_apply(context->capability_ambient_set, false);
2679 if (r < 0) {
2680 *exit_status = EXIT_CAPABILITIES;
2681 return r;
2682 }
2683
2684 /* If we were asked to change user and ambient capabilities
2685 * were requested, we had to add keep-caps to the securebits
2686 * so that we would maintain the inherited capability set
2687 * through the setresuid(). Make sure that the bit is added
2688 * also to the context secure_bits so that we don't try to
2689 * drop the bit away next. */
2690
2691 secure_bits |= 1<<SECURE_KEEP_CAPS;
2692 }
2693 }
2694
2695 /* PR_GET_SECUREBITS is not privileged, while
2696 * PR_SET_SECUREBITS is. So to suppress
2697 * potential EPERMs we'll try not to call
2698 * PR_SET_SECUREBITS unless necessary. */
2699 if (prctl(PR_GET_SECUREBITS) != secure_bits)
2700 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
2701 *exit_status = EXIT_SECUREBITS;
2702 return -errno;
2703 }
2704
2705 if (context_has_no_new_privileges(context))
2706 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
2707 *exit_status = EXIT_NO_NEW_PRIVILEGES;
2708 return -errno;
2709 }
2710
2711 #ifdef HAVE_SECCOMP
2712 if (context_has_address_families(context)) {
2713 r = apply_address_families(unit, context);
2714 if (r < 0) {
2715 *exit_status = EXIT_ADDRESS_FAMILIES;
2716 return r;
2717 }
2718 }
2719
2720 if (context->memory_deny_write_execute) {
2721 r = apply_memory_deny_write_execute(unit, context);
2722 if (r < 0) {
2723 *exit_status = EXIT_SECCOMP;
2724 return r;
2725 }
2726 }
2727
2728 if (context->restrict_realtime) {
2729 r = apply_restrict_realtime(unit, context);
2730 if (r < 0) {
2731 *exit_status = EXIT_SECCOMP;
2732 return r;
2733 }
2734 }
2735
2736 if (context->protect_kernel_tunables) {
2737 r = apply_protect_sysctl(unit, context);
2738 if (r < 0) {
2739 *exit_status = EXIT_SECCOMP;
2740 return r;
2741 }
2742 }
2743
2744 if (context->protect_kernel_modules) {
2745 r = apply_protect_kernel_modules(unit, context);
2746 if (r < 0) {
2747 *exit_status = EXIT_SECCOMP;
2748 return r;
2749 }
2750 }
2751
2752 if (context->private_devices) {
2753 r = apply_private_devices(unit, context);
2754 if (r < 0) {
2755 *exit_status = EXIT_SECCOMP;
2756 return r;
2757 }
2758 }
2759
2760 if (context_has_syscall_filters(context)) {
2761 r = apply_seccomp(unit, context);
2762 if (r < 0) {
2763 *exit_status = EXIT_SECCOMP;
2764 return r;
2765 }
2766 }
2767 #endif
2768
2769 #ifdef HAVE_SELINUX
2770 if (mac_selinux_use()) {
2771 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
2772
2773 if (exec_context) {
2774 r = setexeccon(exec_context);
2775 if (r < 0) {
2776 *exit_status = EXIT_SELINUX_CONTEXT;
2777 return r;
2778 }
2779 }
2780 }
2781 #endif
2782
2783 #ifdef HAVE_APPARMOR
2784 if (context->apparmor_profile && mac_apparmor_use()) {
2785 r = aa_change_onexec(context->apparmor_profile);
2786 if (r < 0 && !context->apparmor_profile_ignore) {
2787 *exit_status = EXIT_APPARMOR_PROFILE;
2788 return -errno;
2789 }
2790 }
2791 #endif
2792 }
2793
2794 final_argv = replace_env_argv(argv, accum_env);
2795 if (!final_argv) {
2796 *exit_status = EXIT_MEMORY;
2797 return -ENOMEM;
2798 }
2799
2800 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
2801 _cleanup_free_ char *line;
2802
2803 line = exec_command_line(final_argv);
2804 if (line) {
2805 log_open();
2806 log_struct(LOG_DEBUG,
2807 LOG_UNIT_ID(unit),
2808 "EXECUTABLE=%s", command->path,
2809 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
2810 NULL);
2811 log_close();
2812 }
2813 }
2814
2815 execve(command->path, final_argv, accum_env);
2816 *exit_status = EXIT_EXEC;
2817 return -errno;
2818 }
2819
2820 int exec_spawn(Unit *unit,
2821 ExecCommand *command,
2822 const ExecContext *context,
2823 const ExecParameters *params,
2824 ExecRuntime *runtime,
2825 DynamicCreds *dcreds,
2826 pid_t *ret) {
2827
2828 _cleanup_strv_free_ char **files_env = NULL;
2829 int *fds = NULL; unsigned n_fds = 0;
2830 _cleanup_free_ char *line = NULL;
2831 int socket_fd, r;
2832 char **argv;
2833 pid_t pid;
2834
2835 assert(unit);
2836 assert(command);
2837 assert(context);
2838 assert(ret);
2839 assert(params);
2840 assert(params->fds || params->n_fds <= 0);
2841
2842 if (context->std_input == EXEC_INPUT_SOCKET ||
2843 context->std_output == EXEC_OUTPUT_SOCKET ||
2844 context->std_error == EXEC_OUTPUT_SOCKET) {
2845
2846 if (params->n_fds != 1) {
2847 log_unit_error(unit, "Got more than one socket.");
2848 return -EINVAL;
2849 }
2850
2851 socket_fd = params->fds[0];
2852 } else {
2853 socket_fd = -1;
2854 fds = params->fds;
2855 n_fds = params->n_fds;
2856 }
2857
2858 r = exec_context_load_environment(unit, context, &files_env);
2859 if (r < 0)
2860 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
2861
2862 argv = params->argv ?: command->argv;
2863 line = exec_command_line(argv);
2864 if (!line)
2865 return log_oom();
2866
2867 log_struct(LOG_DEBUG,
2868 LOG_UNIT_ID(unit),
2869 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
2870 "EXECUTABLE=%s", command->path,
2871 NULL);
2872 pid = fork();
2873 if (pid < 0)
2874 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
2875
2876 if (pid == 0) {
2877 int exit_status;
2878
2879 r = exec_child(unit,
2880 command,
2881 context,
2882 params,
2883 runtime,
2884 dcreds,
2885 argv,
2886 socket_fd,
2887 fds, n_fds,
2888 files_env,
2889 unit->manager->user_lookup_fds[1],
2890 &exit_status);
2891 if (r < 0) {
2892 log_open();
2893 log_struct_errno(LOG_ERR, r,
2894 LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
2895 LOG_UNIT_ID(unit),
2896 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
2897 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
2898 command->path),
2899 "EXECUTABLE=%s", command->path,
2900 NULL);
2901 }
2902
2903 _exit(exit_status);
2904 }
2905
2906 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
2907
2908 /* We add the new process to the cgroup both in the child (so
2909 * that we can be sure that no user code is ever executed
2910 * outside of the cgroup) and in the parent (so that we can be
2911 * sure that when we kill the cgroup the process will be
2912 * killed too). */
2913 if (params->cgroup_path)
2914 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
2915
2916 exec_status_start(&command->exec_status, pid);
2917
2918 *ret = pid;
2919 return 0;
2920 }
2921
2922 void exec_context_init(ExecContext *c) {
2923 assert(c);
2924
2925 c->umask = 0022;
2926 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
2927 c->cpu_sched_policy = SCHED_OTHER;
2928 c->syslog_priority = LOG_DAEMON|LOG_INFO;
2929 c->syslog_level_prefix = true;
2930 c->ignore_sigpipe = true;
2931 c->timer_slack_nsec = NSEC_INFINITY;
2932 c->personality = PERSONALITY_INVALID;
2933 c->runtime_directory_mode = 0755;
2934 c->capability_bounding_set = CAP_ALL;
2935 }
2936
2937 void exec_context_done(ExecContext *c) {
2938 unsigned l;
2939
2940 assert(c);
2941
2942 c->environment = strv_free(c->environment);
2943 c->environment_files = strv_free(c->environment_files);
2944 c->pass_environment = strv_free(c->pass_environment);
2945
2946 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
2947 c->rlimit[l] = mfree(c->rlimit[l]);
2948
2949 c->working_directory = mfree(c->working_directory);
2950 c->root_directory = mfree(c->root_directory);
2951 c->tty_path = mfree(c->tty_path);
2952 c->syslog_identifier = mfree(c->syslog_identifier);
2953 c->user = mfree(c->user);
2954 c->group = mfree(c->group);
2955
2956 c->supplementary_groups = strv_free(c->supplementary_groups);
2957
2958 c->pam_name = mfree(c->pam_name);
2959
2960 c->read_only_paths = strv_free(c->read_only_paths);
2961 c->read_write_paths = strv_free(c->read_write_paths);
2962 c->inaccessible_paths = strv_free(c->inaccessible_paths);
2963
2964 if (c->cpuset)
2965 CPU_FREE(c->cpuset);
2966
2967 c->utmp_id = mfree(c->utmp_id);
2968 c->selinux_context = mfree(c->selinux_context);
2969 c->apparmor_profile = mfree(c->apparmor_profile);
2970
2971 c->syscall_filter = set_free(c->syscall_filter);
2972 c->syscall_archs = set_free(c->syscall_archs);
2973 c->address_families = set_free(c->address_families);
2974
2975 c->runtime_directory = strv_free(c->runtime_directory);
2976 }
2977
2978 int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
2979 char **i;
2980
2981 assert(c);
2982
2983 if (!runtime_prefix)
2984 return 0;
2985
2986 STRV_FOREACH(i, c->runtime_directory) {
2987 _cleanup_free_ char *p;
2988
2989 p = strjoin(runtime_prefix, "/", *i, NULL);
2990 if (!p)
2991 return -ENOMEM;
2992
2993 /* We execute this synchronously, since we need to be
2994 * sure this is gone when we start the service
2995 * next. */
2996 (void) rm_rf(p, REMOVE_ROOT);
2997 }
2998
2999 return 0;
3000 }
3001
3002 void exec_command_done(ExecCommand *c) {
3003 assert(c);
3004
3005 c->path = mfree(c->path);
3006
3007 c->argv = strv_free(c->argv);
3008 }
3009
3010 void exec_command_done_array(ExecCommand *c, unsigned n) {
3011 unsigned i;
3012
3013 for (i = 0; i < n; i++)
3014 exec_command_done(c+i);
3015 }
3016
3017 ExecCommand* exec_command_free_list(ExecCommand *c) {
3018 ExecCommand *i;
3019
3020 while ((i = c)) {
3021 LIST_REMOVE(command, c, i);
3022 exec_command_done(i);
3023 free(i);
3024 }
3025
3026 return NULL;
3027 }
3028
3029 void exec_command_free_array(ExecCommand **c, unsigned n) {
3030 unsigned i;
3031
3032 for (i = 0; i < n; i++)
3033 c[i] = exec_command_free_list(c[i]);
3034 }
3035
3036 typedef struct InvalidEnvInfo {
3037 Unit *unit;
3038 const char *path;
3039 } InvalidEnvInfo;
3040
3041 static void invalid_env(const char *p, void *userdata) {
3042 InvalidEnvInfo *info = userdata;
3043
3044 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
3045 }
3046
3047 int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
3048 char **i, **r = NULL;
3049
3050 assert(c);
3051 assert(l);
3052
3053 STRV_FOREACH(i, c->environment_files) {
3054 char *fn;
3055 int k;
3056 bool ignore = false;
3057 char **p;
3058 _cleanup_globfree_ glob_t pglob = {};
3059 int count, n;
3060
3061 fn = *i;
3062
3063 if (fn[0] == '-') {
3064 ignore = true;
3065 fn++;
3066 }
3067
3068 if (!path_is_absolute(fn)) {
3069 if (ignore)
3070 continue;
3071
3072 strv_free(r);
3073 return -EINVAL;
3074 }
3075
3076 /* Filename supports globbing, take all matching files */
3077 errno = 0;
3078 if (glob(fn, 0, NULL, &pglob) != 0) {
3079 if (ignore)
3080 continue;
3081
3082 strv_free(r);
3083 return errno > 0 ? -errno : -EINVAL;
3084 }
3085 count = pglob.gl_pathc;
3086 if (count == 0) {
3087 if (ignore)
3088 continue;
3089
3090 strv_free(r);
3091 return -EINVAL;
3092 }
3093 for (n = 0; n < count; n++) {
3094 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
3095 if (k < 0) {
3096 if (ignore)
3097 continue;
3098
3099 strv_free(r);
3100 return k;
3101 }
3102 /* Log invalid environment variables with filename */
3103 if (p) {
3104 InvalidEnvInfo info = {
3105 .unit = unit,
3106 .path = pglob.gl_pathv[n]
3107 };
3108
3109 p = strv_env_clean_with_callback(p, invalid_env, &info);
3110 }
3111
3112 if (r == NULL)
3113 r = p;
3114 else {
3115 char **m;
3116
3117 m = strv_env_merge(2, r, p);
3118 strv_free(r);
3119 strv_free(p);
3120 if (!m)
3121 return -ENOMEM;
3122
3123 r = m;
3124 }
3125 }
3126 }
3127
3128 *l = r;
3129
3130 return 0;
3131 }
3132
3133 static bool tty_may_match_dev_console(const char *tty) {
3134 _cleanup_free_ char *active = NULL;
3135 char *console;
3136
3137 if (!tty)
3138 return true;
3139
3140 if (startswith(tty, "/dev/"))
3141 tty += 5;
3142
3143 /* trivial identity? */
3144 if (streq(tty, "console"))
3145 return true;
3146
3147 console = resolve_dev_console(&active);
3148 /* if we could not resolve, assume it may */
3149 if (!console)
3150 return true;
3151
3152 /* "tty0" means the active VC, so it may be the same sometimes */
3153 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
3154 }
3155
3156 bool exec_context_may_touch_console(ExecContext *ec) {
3157
3158 return (ec->tty_reset ||
3159 ec->tty_vhangup ||
3160 ec->tty_vt_disallocate ||
3161 is_terminal_input(ec->std_input) ||
3162 is_terminal_output(ec->std_output) ||
3163 is_terminal_output(ec->std_error)) &&
3164 tty_may_match_dev_console(exec_context_tty_path(ec));
3165 }
3166
3167 static void strv_fprintf(FILE *f, char **l) {
3168 char **g;
3169
3170 assert(f);
3171
3172 STRV_FOREACH(g, l)
3173 fprintf(f, " %s", *g);
3174 }
3175
3176 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
3177 char **e, **d;
3178 unsigned i;
3179
3180 assert(c);
3181 assert(f);
3182
3183 prefix = strempty(prefix);
3184
3185 fprintf(f,
3186 "%sUMask: %04o\n"
3187 "%sWorkingDirectory: %s\n"
3188 "%sRootDirectory: %s\n"
3189 "%sNonBlocking: %s\n"
3190 "%sPrivateTmp: %s\n"
3191 "%sPrivateDevices: %s\n"
3192 "%sProtectKernelTunables: %s\n"
3193 "%sProtectKernelModules: %s\n"
3194 "%sProtectControlGroups: %s\n"
3195 "%sPrivateNetwork: %s\n"
3196 "%sPrivateUsers: %s\n"
3197 "%sProtectHome: %s\n"
3198 "%sProtectSystem: %s\n"
3199 "%sIgnoreSIGPIPE: %s\n"
3200 "%sMemoryDenyWriteExecute: %s\n"
3201 "%sRestrictRealtime: %s\n",
3202 prefix, c->umask,
3203 prefix, c->working_directory ? c->working_directory : "/",
3204 prefix, c->root_directory ? c->root_directory : "/",
3205 prefix, yes_no(c->non_blocking),
3206 prefix, yes_no(c->private_tmp),
3207 prefix, yes_no(c->private_devices),
3208 prefix, yes_no(c->protect_kernel_tunables),
3209 prefix, yes_no(c->protect_kernel_modules),
3210 prefix, yes_no(c->protect_control_groups),
3211 prefix, yes_no(c->private_network),
3212 prefix, yes_no(c->private_users),
3213 prefix, protect_home_to_string(c->protect_home),
3214 prefix, protect_system_to_string(c->protect_system),
3215 prefix, yes_no(c->ignore_sigpipe),
3216 prefix, yes_no(c->memory_deny_write_execute),
3217 prefix, yes_no(c->restrict_realtime));
3218
3219 STRV_FOREACH(e, c->environment)
3220 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
3221
3222 STRV_FOREACH(e, c->environment_files)
3223 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
3224
3225 STRV_FOREACH(e, c->pass_environment)
3226 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
3227
3228 fprintf(f, "%sRuntimeDirectoryMode: %04o\n", prefix, c->runtime_directory_mode);
3229
3230 STRV_FOREACH(d, c->runtime_directory)
3231 fprintf(f, "%sRuntimeDirectory: %s\n", prefix, *d);
3232
3233 if (c->nice_set)
3234 fprintf(f,
3235 "%sNice: %i\n",
3236 prefix, c->nice);
3237
3238 if (c->oom_score_adjust_set)
3239 fprintf(f,
3240 "%sOOMScoreAdjust: %i\n",
3241 prefix, c->oom_score_adjust);
3242
3243 for (i = 0; i < RLIM_NLIMITS; i++)
3244 if (c->rlimit[i]) {
3245 fprintf(f, "%s%s: " RLIM_FMT "\n",
3246 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
3247 fprintf(f, "%s%sSoft: " RLIM_FMT "\n",
3248 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
3249 }
3250
3251 if (c->ioprio_set) {
3252 _cleanup_free_ char *class_str = NULL;
3253
3254 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
3255 fprintf(f,
3256 "%sIOSchedulingClass: %s\n"
3257 "%sIOPriority: %i\n",
3258 prefix, strna(class_str),
3259 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
3260 }
3261
3262 if (c->cpu_sched_set) {
3263 _cleanup_free_ char *policy_str = NULL;
3264
3265 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
3266 fprintf(f,
3267 "%sCPUSchedulingPolicy: %s\n"
3268 "%sCPUSchedulingPriority: %i\n"
3269 "%sCPUSchedulingResetOnFork: %s\n",
3270 prefix, strna(policy_str),
3271 prefix, c->cpu_sched_priority,
3272 prefix, yes_no(c->cpu_sched_reset_on_fork));
3273 }
3274
3275 if (c->cpuset) {
3276 fprintf(f, "%sCPUAffinity:", prefix);
3277 for (i = 0; i < c->cpuset_ncpus; i++)
3278 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
3279 fprintf(f, " %u", i);
3280 fputs("\n", f);
3281 }
3282
3283 if (c->timer_slack_nsec != NSEC_INFINITY)
3284 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
3285
3286 fprintf(f,
3287 "%sStandardInput: %s\n"
3288 "%sStandardOutput: %s\n"
3289 "%sStandardError: %s\n",
3290 prefix, exec_input_to_string(c->std_input),
3291 prefix, exec_output_to_string(c->std_output),
3292 prefix, exec_output_to_string(c->std_error));
3293
3294 if (c->tty_path)
3295 fprintf(f,
3296 "%sTTYPath: %s\n"
3297 "%sTTYReset: %s\n"
3298 "%sTTYVHangup: %s\n"
3299 "%sTTYVTDisallocate: %s\n",
3300 prefix, c->tty_path,
3301 prefix, yes_no(c->tty_reset),
3302 prefix, yes_no(c->tty_vhangup),
3303 prefix, yes_no(c->tty_vt_disallocate));
3304
3305 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
3306 c->std_output == EXEC_OUTPUT_KMSG ||
3307 c->std_output == EXEC_OUTPUT_JOURNAL ||
3308 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3309 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3310 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
3311 c->std_error == EXEC_OUTPUT_SYSLOG ||
3312 c->std_error == EXEC_OUTPUT_KMSG ||
3313 c->std_error == EXEC_OUTPUT_JOURNAL ||
3314 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3315 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3316 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
3317
3318 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
3319
3320 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
3321 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
3322
3323 fprintf(f,
3324 "%sSyslogFacility: %s\n"
3325 "%sSyslogLevel: %s\n",
3326 prefix, strna(fac_str),
3327 prefix, strna(lvl_str));
3328 }
3329
3330 if (c->secure_bits)
3331 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
3332 prefix,
3333 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
3334 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
3335 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
3336 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
3337 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
3338 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
3339
3340 if (c->capability_bounding_set != CAP_ALL) {
3341 unsigned long l;
3342 fprintf(f, "%sCapabilityBoundingSet:", prefix);
3343
3344 for (l = 0; l <= cap_last_cap(); l++)
3345 if (c->capability_bounding_set & (UINT64_C(1) << l))
3346 fprintf(f, " %s", strna(capability_to_name(l)));
3347
3348 fputs("\n", f);
3349 }
3350
3351 if (c->capability_ambient_set != 0) {
3352 unsigned long l;
3353 fprintf(f, "%sAmbientCapabilities:", prefix);
3354
3355 for (l = 0; l <= cap_last_cap(); l++)
3356 if (c->capability_ambient_set & (UINT64_C(1) << l))
3357 fprintf(f, " %s", strna(capability_to_name(l)));
3358
3359 fputs("\n", f);
3360 }
3361
3362 if (c->user)
3363 fprintf(f, "%sUser: %s\n", prefix, c->user);
3364 if (c->group)
3365 fprintf(f, "%sGroup: %s\n", prefix, c->group);
3366
3367 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
3368
3369 if (strv_length(c->supplementary_groups) > 0) {
3370 fprintf(f, "%sSupplementaryGroups:", prefix);
3371 strv_fprintf(f, c->supplementary_groups);
3372 fputs("\n", f);
3373 }
3374
3375 if (c->pam_name)
3376 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
3377
3378 if (strv_length(c->read_write_paths) > 0) {
3379 fprintf(f, "%sReadWritePaths:", prefix);
3380 strv_fprintf(f, c->read_write_paths);
3381 fputs("\n", f);
3382 }
3383
3384 if (strv_length(c->read_only_paths) > 0) {
3385 fprintf(f, "%sReadOnlyPaths:", prefix);
3386 strv_fprintf(f, c->read_only_paths);
3387 fputs("\n", f);
3388 }
3389
3390 if (strv_length(c->inaccessible_paths) > 0) {
3391 fprintf(f, "%sInaccessiblePaths:", prefix);
3392 strv_fprintf(f, c->inaccessible_paths);
3393 fputs("\n", f);
3394 }
3395
3396 if (c->utmp_id)
3397 fprintf(f,
3398 "%sUtmpIdentifier: %s\n",
3399 prefix, c->utmp_id);
3400
3401 if (c->selinux_context)
3402 fprintf(f,
3403 "%sSELinuxContext: %s%s\n",
3404 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
3405
3406 if (c->personality != PERSONALITY_INVALID)
3407 fprintf(f,
3408 "%sPersonality: %s\n",
3409 prefix, strna(personality_to_string(c->personality)));
3410
3411 if (c->syscall_filter) {
3412 #ifdef HAVE_SECCOMP
3413 Iterator j;
3414 void *id;
3415 bool first = true;
3416 #endif
3417
3418 fprintf(f,
3419 "%sSystemCallFilter: ",
3420 prefix);
3421
3422 if (!c->syscall_whitelist)
3423 fputc('~', f);
3424
3425 #ifdef HAVE_SECCOMP
3426 SET_FOREACH(id, c->syscall_filter, j) {
3427 _cleanup_free_ char *name = NULL;
3428
3429 if (first)
3430 first = false;
3431 else
3432 fputc(' ', f);
3433
3434 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
3435 fputs(strna(name), f);
3436 }
3437 #endif
3438
3439 fputc('\n', f);
3440 }
3441
3442 if (c->syscall_archs) {
3443 #ifdef HAVE_SECCOMP
3444 Iterator j;
3445 void *id;
3446 #endif
3447
3448 fprintf(f,
3449 "%sSystemCallArchitectures:",
3450 prefix);
3451
3452 #ifdef HAVE_SECCOMP
3453 SET_FOREACH(id, c->syscall_archs, j)
3454 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
3455 #endif
3456 fputc('\n', f);
3457 }
3458
3459 if (c->syscall_errno > 0)
3460 fprintf(f,
3461 "%sSystemCallErrorNumber: %s\n",
3462 prefix, strna(errno_to_name(c->syscall_errno)));
3463
3464 if (c->apparmor_profile)
3465 fprintf(f,
3466 "%sAppArmorProfile: %s%s\n",
3467 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
3468 }
3469
3470 bool exec_context_maintains_privileges(ExecContext *c) {
3471 assert(c);
3472
3473 /* Returns true if the process forked off would run under
3474 * an unchanged UID or as root. */
3475
3476 if (!c->user)
3477 return true;
3478
3479 if (streq(c->user, "root") || streq(c->user, "0"))
3480 return true;
3481
3482 return false;
3483 }
3484
3485 void exec_status_start(ExecStatus *s, pid_t pid) {
3486 assert(s);
3487
3488 zero(*s);
3489 s->pid = pid;
3490 dual_timestamp_get(&s->start_timestamp);
3491 }
3492
3493 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
3494 assert(s);
3495
3496 if (s->pid && s->pid != pid)
3497 zero(*s);
3498
3499 s->pid = pid;
3500 dual_timestamp_get(&s->exit_timestamp);
3501
3502 s->code = code;
3503 s->status = status;
3504
3505 if (context) {
3506 if (context->utmp_id)
3507 utmp_put_dead_process(context->utmp_id, pid, code, status);
3508
3509 exec_context_tty_reset(context, NULL);
3510 }
3511 }
3512
3513 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
3514 char buf[FORMAT_TIMESTAMP_MAX];
3515
3516 assert(s);
3517 assert(f);
3518
3519 if (s->pid <= 0)
3520 return;
3521
3522 prefix = strempty(prefix);
3523
3524 fprintf(f,
3525 "%sPID: "PID_FMT"\n",
3526 prefix, s->pid);
3527
3528 if (dual_timestamp_is_set(&s->start_timestamp))
3529 fprintf(f,
3530 "%sStart Timestamp: %s\n",
3531 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
3532
3533 if (dual_timestamp_is_set(&s->exit_timestamp))
3534 fprintf(f,
3535 "%sExit Timestamp: %s\n"
3536 "%sExit Code: %s\n"
3537 "%sExit Status: %i\n",
3538 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
3539 prefix, sigchld_code_to_string(s->code),
3540 prefix, s->status);
3541 }
3542
3543 char *exec_command_line(char **argv) {
3544 size_t k;
3545 char *n, *p, **a;
3546 bool first = true;
3547
3548 assert(argv);
3549
3550 k = 1;
3551 STRV_FOREACH(a, argv)
3552 k += strlen(*a)+3;
3553
3554 if (!(n = new(char, k)))
3555 return NULL;
3556
3557 p = n;
3558 STRV_FOREACH(a, argv) {
3559
3560 if (!first)
3561 *(p++) = ' ';
3562 else
3563 first = false;
3564
3565 if (strpbrk(*a, WHITESPACE)) {
3566 *(p++) = '\'';
3567 p = stpcpy(p, *a);
3568 *(p++) = '\'';
3569 } else
3570 p = stpcpy(p, *a);
3571
3572 }
3573
3574 *p = 0;
3575
3576 /* FIXME: this doesn't really handle arguments that have
3577 * spaces and ticks in them */
3578
3579 return n;
3580 }
3581
3582 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
3583 _cleanup_free_ char *cmd = NULL;
3584 const char *prefix2;
3585
3586 assert(c);
3587 assert(f);
3588
3589 prefix = strempty(prefix);
3590 prefix2 = strjoina(prefix, "\t");
3591
3592 cmd = exec_command_line(c->argv);
3593 fprintf(f,
3594 "%sCommand Line: %s\n",
3595 prefix, cmd ? cmd : strerror(ENOMEM));
3596
3597 exec_status_dump(&c->exec_status, f, prefix2);
3598 }
3599
3600 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
3601 assert(f);
3602
3603 prefix = strempty(prefix);
3604
3605 LIST_FOREACH(command, c, c)
3606 exec_command_dump(c, f, prefix);
3607 }
3608
3609 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
3610 ExecCommand *end;
3611
3612 assert(l);
3613 assert(e);
3614
3615 if (*l) {
3616 /* It's kind of important, that we keep the order here */
3617 LIST_FIND_TAIL(command, *l, end);
3618 LIST_INSERT_AFTER(command, *l, end, e);
3619 } else
3620 *l = e;
3621 }
3622
3623 int exec_command_set(ExecCommand *c, const char *path, ...) {
3624 va_list ap;
3625 char **l, *p;
3626
3627 assert(c);
3628 assert(path);
3629
3630 va_start(ap, path);
3631 l = strv_new_ap(path, ap);
3632 va_end(ap);
3633
3634 if (!l)
3635 return -ENOMEM;
3636
3637 p = strdup(path);
3638 if (!p) {
3639 strv_free(l);
3640 return -ENOMEM;
3641 }
3642
3643 free(c->path);
3644 c->path = p;
3645
3646 strv_free(c->argv);
3647 c->argv = l;
3648
3649 return 0;
3650 }
3651
3652 int exec_command_append(ExecCommand *c, const char *path, ...) {
3653 _cleanup_strv_free_ char **l = NULL;
3654 va_list ap;
3655 int r;
3656
3657 assert(c);
3658 assert(path);
3659
3660 va_start(ap, path);
3661 l = strv_new_ap(path, ap);
3662 va_end(ap);
3663
3664 if (!l)
3665 return -ENOMEM;
3666
3667 r = strv_extend_strv(&c->argv, l, false);
3668 if (r < 0)
3669 return r;
3670
3671 return 0;
3672 }
3673
3674
3675 static int exec_runtime_allocate(ExecRuntime **rt) {
3676
3677 if (*rt)
3678 return 0;
3679
3680 *rt = new0(ExecRuntime, 1);
3681 if (!*rt)
3682 return -ENOMEM;
3683
3684 (*rt)->n_ref = 1;
3685 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
3686
3687 return 0;
3688 }
3689
3690 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
3691 int r;
3692
3693 assert(rt);
3694 assert(c);
3695 assert(id);
3696
3697 if (*rt)
3698 return 1;
3699
3700 if (!c->private_network && !c->private_tmp)
3701 return 0;
3702
3703 r = exec_runtime_allocate(rt);
3704 if (r < 0)
3705 return r;
3706
3707 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
3708 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, (*rt)->netns_storage_socket) < 0)
3709 return -errno;
3710 }
3711
3712 if (c->private_tmp && !(*rt)->tmp_dir) {
3713 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
3714 if (r < 0)
3715 return r;
3716 }
3717
3718 return 1;
3719 }
3720
3721 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
3722 assert(r);
3723 assert(r->n_ref > 0);
3724
3725 r->n_ref++;
3726 return r;
3727 }
3728
3729 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
3730
3731 if (!r)
3732 return NULL;
3733
3734 assert(r->n_ref > 0);
3735
3736 r->n_ref--;
3737 if (r->n_ref > 0)
3738 return NULL;
3739
3740 free(r->tmp_dir);
3741 free(r->var_tmp_dir);
3742 safe_close_pair(r->netns_storage_socket);
3743 return mfree(r);
3744 }
3745
3746 int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
3747 assert(u);
3748 assert(f);
3749 assert(fds);
3750
3751 if (!rt)
3752 return 0;
3753
3754 if (rt->tmp_dir)
3755 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
3756
3757 if (rt->var_tmp_dir)
3758 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
3759
3760 if (rt->netns_storage_socket[0] >= 0) {
3761 int copy;
3762
3763 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
3764 if (copy < 0)
3765 return copy;
3766
3767 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
3768 }
3769
3770 if (rt->netns_storage_socket[1] >= 0) {
3771 int copy;
3772
3773 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
3774 if (copy < 0)
3775 return copy;
3776
3777 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
3778 }
3779
3780 return 0;
3781 }
3782
3783 int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
3784 int r;
3785
3786 assert(rt);
3787 assert(key);
3788 assert(value);
3789
3790 if (streq(key, "tmp-dir")) {
3791 char *copy;
3792
3793 r = exec_runtime_allocate(rt);
3794 if (r < 0)
3795 return log_oom();
3796
3797 copy = strdup(value);
3798 if (!copy)
3799 return log_oom();
3800
3801 free((*rt)->tmp_dir);
3802 (*rt)->tmp_dir = copy;
3803
3804 } else if (streq(key, "var-tmp-dir")) {
3805 char *copy;
3806
3807 r = exec_runtime_allocate(rt);
3808 if (r < 0)
3809 return log_oom();
3810
3811 copy = strdup(value);
3812 if (!copy)
3813 return log_oom();
3814
3815 free((*rt)->var_tmp_dir);
3816 (*rt)->var_tmp_dir = copy;
3817
3818 } else if (streq(key, "netns-socket-0")) {
3819 int fd;
3820
3821 r = exec_runtime_allocate(rt);
3822 if (r < 0)
3823 return log_oom();
3824
3825 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
3826 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
3827 else {
3828 safe_close((*rt)->netns_storage_socket[0]);
3829 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
3830 }
3831 } else if (streq(key, "netns-socket-1")) {
3832 int fd;
3833
3834 r = exec_runtime_allocate(rt);
3835 if (r < 0)
3836 return log_oom();
3837
3838 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
3839 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
3840 else {
3841 safe_close((*rt)->netns_storage_socket[1]);
3842 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
3843 }
3844 } else
3845 return 0;
3846
3847 return 1;
3848 }
3849
3850 static void *remove_tmpdir_thread(void *p) {
3851 _cleanup_free_ char *path = p;
3852
3853 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
3854 return NULL;
3855 }
3856
3857 void exec_runtime_destroy(ExecRuntime *rt) {
3858 int r;
3859
3860 if (!rt)
3861 return;
3862
3863 /* If there are multiple users of this, let's leave the stuff around */
3864 if (rt->n_ref > 1)
3865 return;
3866
3867 if (rt->tmp_dir) {
3868 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
3869
3870 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
3871 if (r < 0) {
3872 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
3873 free(rt->tmp_dir);
3874 }
3875
3876 rt->tmp_dir = NULL;
3877 }
3878
3879 if (rt->var_tmp_dir) {
3880 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
3881
3882 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
3883 if (r < 0) {
3884 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
3885 free(rt->var_tmp_dir);
3886 }
3887
3888 rt->var_tmp_dir = NULL;
3889 }
3890
3891 safe_close_pair(rt->netns_storage_socket);
3892 }
3893
3894 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
3895 [EXEC_INPUT_NULL] = "null",
3896 [EXEC_INPUT_TTY] = "tty",
3897 [EXEC_INPUT_TTY_FORCE] = "tty-force",
3898 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
3899 [EXEC_INPUT_SOCKET] = "socket"
3900 };
3901
3902 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
3903
3904 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
3905 [EXEC_OUTPUT_INHERIT] = "inherit",
3906 [EXEC_OUTPUT_NULL] = "null",
3907 [EXEC_OUTPUT_TTY] = "tty",
3908 [EXEC_OUTPUT_SYSLOG] = "syslog",
3909 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
3910 [EXEC_OUTPUT_KMSG] = "kmsg",
3911 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
3912 [EXEC_OUTPUT_JOURNAL] = "journal",
3913 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
3914 [EXEC_OUTPUT_SOCKET] = "socket"
3915 };
3916
3917 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
3918
3919 static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
3920 [EXEC_UTMP_INIT] = "init",
3921 [EXEC_UTMP_LOGIN] = "login",
3922 [EXEC_UTMP_USER] = "user",
3923 };
3924
3925 DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
Unnamed repository; edit this file 'description' to name the repository.