]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/execute.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
core: add RootImage= setting for using a specific image file as root directory for...
[thirdparty/systemd.git] / src / core / execute.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <errno.h>
21 #include <fcntl.h>
22 #include <glob.h>
23 #include <grp.h>
24 #include <poll.h>
25 #include <signal.h>
26 #include <string.h>
27 #include <sys/capability.h>
28 #include <sys/eventfd.h>
29 #include <sys/mman.h>
30 #include <sys/personality.h>
31 #include <sys/prctl.h>
32 #include <sys/shm.h>
33 #include <sys/socket.h>
34 #include <sys/stat.h>
35 #include <sys/types.h>
36 #include <sys/un.h>
37 #include <unistd.h>
38 #include <utmpx.h>
39
40 #ifdef HAVE_PAM
41 #include <security/pam_appl.h>
42 #endif
43
44 #ifdef HAVE_SELINUX
45 #include <selinux/selinux.h>
46 #endif
47
48 #ifdef HAVE_SECCOMP
49 #include <seccomp.h>
50 #endif
51
52 #ifdef HAVE_APPARMOR
53 #include <sys/apparmor.h>
54 #endif
55
56 #include "sd-messages.h"
57
58 #include "af-list.h"
59 #include "alloc-util.h"
60 #ifdef HAVE_APPARMOR
61 #include "apparmor-util.h"
62 #endif
63 #include "async.h"
64 #include "barrier.h"
65 #include "cap-list.h"
66 #include "capability-util.h"
67 #include "def.h"
68 #include "env-util.h"
69 #include "errno-list.h"
70 #include "execute.h"
71 #include "exit-status.h"
72 #include "fd-util.h"
73 #include "fileio.h"
74 #include "format-util.h"
75 #include "fs-util.h"
76 #include "glob-util.h"
77 #include "io-util.h"
78 #include "ioprio.h"
79 #include "log.h"
80 #include "macro.h"
81 #include "missing.h"
82 #include "mkdir.h"
83 #include "namespace.h"
84 #include "parse-util.h"
85 #include "path-util.h"
86 #include "process-util.h"
87 #include "rlimit-util.h"
88 #include "rm-rf.h"
89 #ifdef HAVE_SECCOMP
90 #include "seccomp-util.h"
91 #endif
92 #include "securebits.h"
93 #include "selinux-util.h"
94 #include "signal-util.h"
95 #include "smack-util.h"
96 #include "special.h"
97 #include "string-table.h"
98 #include "string-util.h"
99 #include "strv.h"
100 #include "syslog-util.h"
101 #include "terminal-util.h"
102 #include "unit.h"
103 #include "user-util.h"
104 #include "util.h"
105 #include "utmp-wtmp.h"
106
107 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
108 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
109
110 /* This assumes there is a 'tty' group */
111 #define TTY_MODE 0620
112
113 #define SNDBUF_SIZE (8*1024*1024)
114
115 static int shift_fds(int fds[], unsigned n_fds) {
116 int start, restart_from;
117
118 if (n_fds <= 0)
119 return 0;
120
121 /* Modifies the fds array! (sorts it) */
122
123 assert(fds);
124
125 start = 0;
126 for (;;) {
127 int i;
128
129 restart_from = -1;
130
131 for (i = start; i < (int) n_fds; i++) {
132 int nfd;
133
134 /* Already at right index? */
135 if (fds[i] == i+3)
136 continue;
137
138 nfd = fcntl(fds[i], F_DUPFD, i + 3);
139 if (nfd < 0)
140 return -errno;
141
142 safe_close(fds[i]);
143 fds[i] = nfd;
144
145 /* Hmm, the fd we wanted isn't free? Then
146 * let's remember that and try again from here */
147 if (nfd != i+3 && restart_from < 0)
148 restart_from = i;
149 }
150
151 if (restart_from < 0)
152 break;
153
154 start = restart_from;
155 }
156
157 return 0;
158 }
159
160 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
161 unsigned i;
162 int r;
163
164 if (n_fds <= 0)
165 return 0;
166
167 assert(fds);
168
169 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
170
171 for (i = 0; i < n_fds; i++) {
172
173 r = fd_nonblock(fds[i], nonblock);
174 if (r < 0)
175 return r;
176
177 /* We unconditionally drop FD_CLOEXEC from the fds,
178 * since after all we want to pass these fds to our
179 * children */
180
181 r = fd_cloexec(fds[i], false);
182 if (r < 0)
183 return r;
184 }
185
186 return 0;
187 }
188
189 static const char *exec_context_tty_path(const ExecContext *context) {
190 assert(context);
191
192 if (context->stdio_as_fds)
193 return NULL;
194
195 if (context->tty_path)
196 return context->tty_path;
197
198 return "/dev/console";
199 }
200
201 static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
202 const char *path;
203
204 assert(context);
205
206 path = exec_context_tty_path(context);
207
208 if (context->tty_vhangup) {
209 if (p && p->stdin_fd >= 0)
210 (void) terminal_vhangup_fd(p->stdin_fd);
211 else if (path)
212 (void) terminal_vhangup(path);
213 }
214
215 if (context->tty_reset) {
216 if (p && p->stdin_fd >= 0)
217 (void) reset_terminal_fd(p->stdin_fd, true);
218 else if (path)
219 (void) reset_terminal(path);
220 }
221
222 if (context->tty_vt_disallocate && path)
223 (void) vt_disallocate(path);
224 }
225
226 static bool is_terminal_input(ExecInput i) {
227 return IN_SET(i,
228 EXEC_INPUT_TTY,
229 EXEC_INPUT_TTY_FORCE,
230 EXEC_INPUT_TTY_FAIL);
231 }
232
233 static bool is_terminal_output(ExecOutput o) {
234 return IN_SET(o,
235 EXEC_OUTPUT_TTY,
236 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
237 EXEC_OUTPUT_KMSG_AND_CONSOLE,
238 EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
239 }
240
241 static bool exec_context_needs_term(const ExecContext *c) {
242 assert(c);
243
244 /* Return true if the execution context suggests we should set $TERM to something useful. */
245
246 if (is_terminal_input(c->std_input))
247 return true;
248
249 if (is_terminal_output(c->std_output))
250 return true;
251
252 if (is_terminal_output(c->std_error))
253 return true;
254
255 return !!c->tty_path;
256 }
257
258 static int open_null_as(int flags, int nfd) {
259 int fd, r;
260
261 assert(nfd >= 0);
262
263 fd = open("/dev/null", flags|O_NOCTTY);
264 if (fd < 0)
265 return -errno;
266
267 if (fd != nfd) {
268 r = dup2(fd, nfd) < 0 ? -errno : nfd;
269 safe_close(fd);
270 } else
271 r = nfd;
272
273 return r;
274 }
275
276 static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
277 union sockaddr_union sa = {
278 .un.sun_family = AF_UNIX,
279 .un.sun_path = "/run/systemd/journal/stdout",
280 };
281 uid_t olduid = UID_INVALID;
282 gid_t oldgid = GID_INVALID;
283 int r;
284
285 if (gid != GID_INVALID) {
286 oldgid = getgid();
287
288 r = setegid(gid);
289 if (r < 0)
290 return -errno;
291 }
292
293 if (uid != UID_INVALID) {
294 olduid = getuid();
295
296 r = seteuid(uid);
297 if (r < 0) {
298 r = -errno;
299 goto restore_gid;
300 }
301 }
302
303 r = connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
304 if (r < 0)
305 r = -errno;
306
307 /* If we fail to restore the uid or gid, things will likely
308 fail later on. This should only happen if an LSM interferes. */
309
310 if (uid != UID_INVALID)
311 (void) seteuid(olduid);
312
313 restore_gid:
314 if (gid != GID_INVALID)
315 (void) setegid(oldgid);
316
317 return r;
318 }
319
320 static int connect_logger_as(
321 Unit *unit,
322 const ExecContext *context,
323 ExecOutput output,
324 const char *ident,
325 int nfd,
326 uid_t uid,
327 gid_t gid) {
328
329 int fd, r;
330
331 assert(context);
332 assert(output < _EXEC_OUTPUT_MAX);
333 assert(ident);
334 assert(nfd >= 0);
335
336 fd = socket(AF_UNIX, SOCK_STREAM, 0);
337 if (fd < 0)
338 return -errno;
339
340 r = connect_journal_socket(fd, uid, gid);
341 if (r < 0)
342 return r;
343
344 if (shutdown(fd, SHUT_RD) < 0) {
345 safe_close(fd);
346 return -errno;
347 }
348
349 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
350
351 dprintf(fd,
352 "%s\n"
353 "%s\n"
354 "%i\n"
355 "%i\n"
356 "%i\n"
357 "%i\n"
358 "%i\n",
359 context->syslog_identifier ? context->syslog_identifier : ident,
360 unit->id,
361 context->syslog_priority,
362 !!context->syslog_level_prefix,
363 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
364 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
365 is_terminal_output(output));
366
367 if (fd == nfd)
368 return nfd;
369
370 r = dup2(fd, nfd) < 0 ? -errno : nfd;
371 safe_close(fd);
372
373 return r;
374 }
375 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
376 int fd, r;
377
378 assert(path);
379 assert(nfd >= 0);
380
381 fd = open_terminal(path, mode | O_NOCTTY);
382 if (fd < 0)
383 return fd;
384
385 if (fd != nfd) {
386 r = dup2(fd, nfd) < 0 ? -errno : nfd;
387 safe_close(fd);
388 } else
389 r = nfd;
390
391 return r;
392 }
393
394 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
395
396 if (is_terminal_input(std_input) && !apply_tty_stdin)
397 return EXEC_INPUT_NULL;
398
399 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
400 return EXEC_INPUT_NULL;
401
402 return std_input;
403 }
404
405 static int fixup_output(ExecOutput std_output, int socket_fd) {
406
407 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
408 return EXEC_OUTPUT_INHERIT;
409
410 return std_output;
411 }
412
413 static int setup_input(
414 const ExecContext *context,
415 const ExecParameters *params,
416 int socket_fd,
417 int named_iofds[3]) {
418
419 ExecInput i;
420
421 assert(context);
422 assert(params);
423
424 if (params->stdin_fd >= 0) {
425 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
426 return -errno;
427
428 /* Try to make this the controlling tty, if it is a tty, and reset it */
429 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
430 (void) reset_terminal_fd(STDIN_FILENO, true);
431
432 return STDIN_FILENO;
433 }
434
435 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
436
437 switch (i) {
438
439 case EXEC_INPUT_NULL:
440 return open_null_as(O_RDONLY, STDIN_FILENO);
441
442 case EXEC_INPUT_TTY:
443 case EXEC_INPUT_TTY_FORCE:
444 case EXEC_INPUT_TTY_FAIL: {
445 int fd, r;
446
447 fd = acquire_terminal(exec_context_tty_path(context),
448 i == EXEC_INPUT_TTY_FAIL,
449 i == EXEC_INPUT_TTY_FORCE,
450 false,
451 USEC_INFINITY);
452 if (fd < 0)
453 return fd;
454
455 if (fd != STDIN_FILENO) {
456 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
457 safe_close(fd);
458 } else
459 r = STDIN_FILENO;
460
461 return r;
462 }
463
464 case EXEC_INPUT_SOCKET:
465 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
466
467 case EXEC_INPUT_NAMED_FD:
468 (void) fd_nonblock(named_iofds[STDIN_FILENO], false);
469 return dup2(named_iofds[STDIN_FILENO], STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
470
471 default:
472 assert_not_reached("Unknown input type");
473 }
474 }
475
476 static int setup_output(
477 Unit *unit,
478 const ExecContext *context,
479 const ExecParameters *params,
480 int fileno,
481 int socket_fd,
482 int named_iofds[3],
483 const char *ident,
484 uid_t uid,
485 gid_t gid,
486 dev_t *journal_stream_dev,
487 ino_t *journal_stream_ino) {
488
489 ExecOutput o;
490 ExecInput i;
491 int r;
492
493 assert(unit);
494 assert(context);
495 assert(params);
496 assert(ident);
497 assert(journal_stream_dev);
498 assert(journal_stream_ino);
499
500 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
501
502 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
503 return -errno;
504
505 return STDOUT_FILENO;
506 }
507
508 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
509 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
510 return -errno;
511
512 return STDERR_FILENO;
513 }
514
515 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
516 o = fixup_output(context->std_output, socket_fd);
517
518 if (fileno == STDERR_FILENO) {
519 ExecOutput e;
520 e = fixup_output(context->std_error, socket_fd);
521
522 /* This expects the input and output are already set up */
523
524 /* Don't change the stderr file descriptor if we inherit all
525 * the way and are not on a tty */
526 if (e == EXEC_OUTPUT_INHERIT &&
527 o == EXEC_OUTPUT_INHERIT &&
528 i == EXEC_INPUT_NULL &&
529 !is_terminal_input(context->std_input) &&
530 getppid () != 1)
531 return fileno;
532
533 /* Duplicate from stdout if possible */
534 if ((e == o && e != EXEC_OUTPUT_NAMED_FD) || e == EXEC_OUTPUT_INHERIT)
535 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
536
537 o = e;
538
539 } else if (o == EXEC_OUTPUT_INHERIT) {
540 /* If input got downgraded, inherit the original value */
541 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
542 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
543
544 /* If the input is connected to anything that's not a /dev/null, inherit that... */
545 if (i != EXEC_INPUT_NULL)
546 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
547
548 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
549 if (getppid() != 1)
550 return fileno;
551
552 /* We need to open /dev/null here anew, to get the right access mode. */
553 return open_null_as(O_WRONLY, fileno);
554 }
555
556 switch (o) {
557
558 case EXEC_OUTPUT_NULL:
559 return open_null_as(O_WRONLY, fileno);
560
561 case EXEC_OUTPUT_TTY:
562 if (is_terminal_input(i))
563 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
564
565 /* We don't reset the terminal if this is just about output */
566 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
567
568 case EXEC_OUTPUT_SYSLOG:
569 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
570 case EXEC_OUTPUT_KMSG:
571 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
572 case EXEC_OUTPUT_JOURNAL:
573 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
574 r = connect_logger_as(unit, context, o, ident, fileno, uid, gid);
575 if (r < 0) {
576 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
577 r = open_null_as(O_WRONLY, fileno);
578 } else {
579 struct stat st;
580
581 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
582 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
583 * services to detect whether they are connected to the journal or not. */
584
585 if (fstat(fileno, &st) >= 0) {
586 *journal_stream_dev = st.st_dev;
587 *journal_stream_ino = st.st_ino;
588 }
589 }
590 return r;
591
592 case EXEC_OUTPUT_SOCKET:
593 assert(socket_fd >= 0);
594 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
595
596 case EXEC_OUTPUT_NAMED_FD:
597 (void) fd_nonblock(named_iofds[fileno], false);
598 return dup2(named_iofds[fileno], fileno) < 0 ? -errno : fileno;
599
600 default:
601 assert_not_reached("Unknown error type");
602 }
603 }
604
605 static int chown_terminal(int fd, uid_t uid) {
606 struct stat st;
607
608 assert(fd >= 0);
609
610 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
611 if (isatty(fd) < 1)
612 return 0;
613
614 /* This might fail. What matters are the results. */
615 (void) fchown(fd, uid, -1);
616 (void) fchmod(fd, TTY_MODE);
617
618 if (fstat(fd, &st) < 0)
619 return -errno;
620
621 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
622 return -EPERM;
623
624 return 0;
625 }
626
627 static int setup_confirm_stdio(const char *vc, int *_saved_stdin, int *_saved_stdout) {
628 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
629 int r;
630
631 assert(_saved_stdin);
632 assert(_saved_stdout);
633
634 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
635 if (saved_stdin < 0)
636 return -errno;
637
638 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
639 if (saved_stdout < 0)
640 return -errno;
641
642 fd = acquire_terminal(vc, false, false, false, DEFAULT_CONFIRM_USEC);
643 if (fd < 0)
644 return fd;
645
646 r = chown_terminal(fd, getuid());
647 if (r < 0)
648 return r;
649
650 r = reset_terminal_fd(fd, true);
651 if (r < 0)
652 return r;
653
654 if (dup2(fd, STDIN_FILENO) < 0)
655 return -errno;
656
657 if (dup2(fd, STDOUT_FILENO) < 0)
658 return -errno;
659
660 if (fd >= 2)
661 safe_close(fd);
662 fd = -1;
663
664 *_saved_stdin = saved_stdin;
665 *_saved_stdout = saved_stdout;
666
667 saved_stdin = saved_stdout = -1;
668
669 return 0;
670 }
671
672 static void write_confirm_error_fd(int err, int fd, const Unit *u) {
673 assert(err < 0);
674
675 if (err == -ETIMEDOUT)
676 dprintf(fd, "Confirmation question timed out for %s, assuming positive response.\n", u->id);
677 else {
678 errno = -err;
679 dprintf(fd, "Couldn't ask confirmation for %s: %m, assuming positive response.\n", u->id);
680 }
681 }
682
683 static void write_confirm_error(int err, const char *vc, const Unit *u) {
684 _cleanup_close_ int fd = -1;
685
686 assert(vc);
687
688 fd = open_terminal(vc, O_WRONLY|O_NOCTTY|O_CLOEXEC);
689 if (fd < 0)
690 return;
691
692 write_confirm_error_fd(err, fd, u);
693 }
694
695 static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
696 int r = 0;
697
698 assert(saved_stdin);
699 assert(saved_stdout);
700
701 release_terminal();
702
703 if (*saved_stdin >= 0)
704 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
705 r = -errno;
706
707 if (*saved_stdout >= 0)
708 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
709 r = -errno;
710
711 *saved_stdin = safe_close(*saved_stdin);
712 *saved_stdout = safe_close(*saved_stdout);
713
714 return r;
715 }
716
717 enum {
718 CONFIRM_PRETEND_FAILURE = -1,
719 CONFIRM_PRETEND_SUCCESS = 0,
720 CONFIRM_EXECUTE = 1,
721 };
722
723 static int ask_for_confirmation(const char *vc, Unit *u, const char *cmdline) {
724 int saved_stdout = -1, saved_stdin = -1, r;
725 _cleanup_free_ char *e = NULL;
726 char c;
727
728 /* For any internal errors, assume a positive response. */
729 r = setup_confirm_stdio(vc, &saved_stdin, &saved_stdout);
730 if (r < 0) {
731 write_confirm_error(r, vc, u);
732 return CONFIRM_EXECUTE;
733 }
734
735 /* confirm_spawn might have been disabled while we were sleeping. */
736 if (manager_is_confirm_spawn_disabled(u->manager)) {
737 r = 1;
738 goto restore_stdio;
739 }
740
741 e = ellipsize(cmdline, 60, 100);
742 if (!e) {
743 log_oom();
744 r = CONFIRM_EXECUTE;
745 goto restore_stdio;
746 }
747
748 for (;;) {
749 r = ask_char(&c, "yfshiDjcn", "Execute %s? [y, f, s – h for help] ", e);
750 if (r < 0) {
751 write_confirm_error_fd(r, STDOUT_FILENO, u);
752 r = CONFIRM_EXECUTE;
753 goto restore_stdio;
754 }
755
756 switch (c) {
757 case 'c':
758 printf("Resuming normal execution.\n");
759 manager_disable_confirm_spawn();
760 r = 1;
761 break;
762 case 'D':
763 unit_dump(u, stdout, " ");
764 continue; /* ask again */
765 case 'f':
766 printf("Failing execution.\n");
767 r = CONFIRM_PRETEND_FAILURE;
768 break;
769 case 'h':
770 printf(" c - continue, proceed without asking anymore\n"
771 " D - dump, show the state of the unit\n"
772 " f - fail, don't execute the command and pretend it failed\n"
773 " h - help\n"
774 " i - info, show a short summary of the unit\n"
775 " j - jobs, show jobs that are in progress\n"
776 " s - skip, don't execute the command and pretend it succeeded\n"
777 " y - yes, execute the command\n");
778 continue; /* ask again */
779 case 'i':
780 printf(" Description: %s\n"
781 " Unit: %s\n"
782 " Command: %s\n",
783 u->id, u->description, cmdline);
784 continue; /* ask again */
785 case 'j':
786 manager_dump_jobs(u->manager, stdout, " ");
787 continue; /* ask again */
788 case 'n':
789 /* 'n' was removed in favor of 'f'. */
790 printf("Didn't understand 'n', did you mean 'f'?\n");
791 continue; /* ask again */
792 case 's':
793 printf("Skipping execution.\n");
794 r = CONFIRM_PRETEND_SUCCESS;
795 break;
796 case 'y':
797 r = CONFIRM_EXECUTE;
798 break;
799 default:
800 assert_not_reached("Unhandled choice");
801 }
802 break;
803 }
804
805 restore_stdio:
806 restore_confirm_stdio(&saved_stdin, &saved_stdout);
807 return r;
808 }
809
810 static int get_fixed_user(const ExecContext *c, const char **user,
811 uid_t *uid, gid_t *gid,
812 const char **home, const char **shell) {
813 int r;
814 const char *name;
815
816 assert(c);
817
818 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
819 * (i.e. are "/" or "/bin/nologin"). */
820
821 name = c->user ?: "root";
822 r = get_user_creds_clean(&name, uid, gid, home, shell);
823 if (r < 0)
824 return r;
825
826 *user = name;
827 return 0;
828 }
829
830 static int get_fixed_group(const ExecContext *c, const char **group, gid_t *gid) {
831 int r;
832 const char *name;
833
834 assert(c);
835
836 if (!c->group)
837 return 0;
838
839 name = c->group;
840 r = get_group_creds(&name, gid);
841 if (r < 0)
842 return r;
843
844 *group = name;
845 return 0;
846 }
847
848 static int get_supplementary_groups(const ExecContext *c, const char *user,
849 const char *group, gid_t gid,
850 gid_t **supplementary_gids, int *ngids) {
851 char **i;
852 int r, k = 0;
853 int ngroups_max;
854 bool keep_groups = false;
855 gid_t *groups = NULL;
856 _cleanup_free_ gid_t *l_gids = NULL;
857
858 assert(c);
859
860 /*
861 * If user is given, then lookup GID and supplementary groups list.
862 * We avoid NSS lookups for gid=0. Also we have to initialize groups
863 * here and as early as possible so we keep the list of supplementary
864 * groups of the caller.
865 */
866 if (user && gid_is_valid(gid) && gid != 0) {
867 /* First step, initialize groups from /etc/groups */
868 if (initgroups(user, gid) < 0)
869 return -errno;
870
871 keep_groups = true;
872 }
873
874 if (!c->supplementary_groups)
875 return 0;
876
877 /*
878 * If SupplementaryGroups= was passed then NGROUPS_MAX has to
879 * be positive, otherwise fail.
880 */
881 errno = 0;
882 ngroups_max = (int) sysconf(_SC_NGROUPS_MAX);
883 if (ngroups_max <= 0) {
884 if (errno > 0)
885 return -errno;
886 else
887 return -EOPNOTSUPP; /* For all other values */
888 }
889
890 l_gids = new(gid_t, ngroups_max);
891 if (!l_gids)
892 return -ENOMEM;
893
894 if (keep_groups) {
895 /*
896 * Lookup the list of groups that the user belongs to, we
897 * avoid NSS lookups here too for gid=0.
898 */
899 k = ngroups_max;
900 if (getgrouplist(user, gid, l_gids, &k) < 0)
901 return -EINVAL;
902 } else
903 k = 0;
904
905 STRV_FOREACH(i, c->supplementary_groups) {
906 const char *g;
907
908 if (k >= ngroups_max)
909 return -E2BIG;
910
911 g = *i;
912 r = get_group_creds(&g, l_gids+k);
913 if (r < 0)
914 return r;
915
916 k++;
917 }
918
919 /*
920 * Sets ngids to zero to drop all supplementary groups, happens
921 * when we are under root and SupplementaryGroups= is empty.
922 */
923 if (k == 0) {
924 *ngids = 0;
925 return 0;
926 }
927
928 /* Otherwise get the final list of supplementary groups */
929 groups = memdup(l_gids, sizeof(gid_t) * k);
930 if (!groups)
931 return -ENOMEM;
932
933 *supplementary_gids = groups;
934 *ngids = k;
935
936 groups = NULL;
937
938 return 0;
939 }
940
941 static int enforce_groups(const ExecContext *context, gid_t gid,
942 gid_t *supplementary_gids, int ngids) {
943 int r;
944
945 assert(context);
946
947 /* Handle SupplementaryGroups= even if it is empty */
948 if (context->supplementary_groups) {
949 r = maybe_setgroups(ngids, supplementary_gids);
950 if (r < 0)
951 return r;
952 }
953
954 if (gid_is_valid(gid)) {
955 /* Then set our gids */
956 if (setresgid(gid, gid, gid) < 0)
957 return -errno;
958 }
959
960 return 0;
961 }
962
963 static int enforce_user(const ExecContext *context, uid_t uid) {
964 assert(context);
965
966 if (!uid_is_valid(uid))
967 return 0;
968
969 /* Sets (but doesn't look up) the uid and make sure we keep the
970 * capabilities while doing so. */
971
972 if (context->capability_ambient_set != 0) {
973
974 /* First step: If we need to keep capabilities but
975 * drop privileges we need to make sure we keep our
976 * caps, while we drop privileges. */
977 if (uid != 0) {
978 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
979
980 if (prctl(PR_GET_SECUREBITS) != sb)
981 if (prctl(PR_SET_SECUREBITS, sb) < 0)
982 return -errno;
983 }
984 }
985
986 /* Second step: actually set the uids */
987 if (setresuid(uid, uid, uid) < 0)
988 return -errno;
989
990 /* At this point we should have all necessary capabilities but
991 are otherwise a normal user. However, the caps might got
992 corrupted due to the setresuid() so we need clean them up
993 later. This is done outside of this call. */
994
995 return 0;
996 }
997
998 #ifdef HAVE_PAM
999
1000 static int null_conv(
1001 int num_msg,
1002 const struct pam_message **msg,
1003 struct pam_response **resp,
1004 void *appdata_ptr) {
1005
1006 /* We don't support conversations */
1007
1008 return PAM_CONV_ERR;
1009 }
1010
1011 #endif
1012
1013 static int setup_pam(
1014 const char *name,
1015 const char *user,
1016 uid_t uid,
1017 gid_t gid,
1018 const char *tty,
1019 char ***env,
1020 int fds[], unsigned n_fds) {
1021
1022 #ifdef HAVE_PAM
1023
1024 static const struct pam_conv conv = {
1025 .conv = null_conv,
1026 .appdata_ptr = NULL
1027 };
1028
1029 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
1030 pam_handle_t *handle = NULL;
1031 sigset_t old_ss;
1032 int pam_code = PAM_SUCCESS, r;
1033 char **nv, **e = NULL;
1034 bool close_session = false;
1035 pid_t pam_pid = 0, parent_pid;
1036 int flags = 0;
1037
1038 assert(name);
1039 assert(user);
1040 assert(env);
1041
1042 /* We set up PAM in the parent process, then fork. The child
1043 * will then stay around until killed via PR_GET_PDEATHSIG or
1044 * systemd via the cgroup logic. It will then remove the PAM
1045 * session again. The parent process will exec() the actual
1046 * daemon. We do things this way to ensure that the main PID
1047 * of the daemon is the one we initially fork()ed. */
1048
1049 r = barrier_create(&barrier);
1050 if (r < 0)
1051 goto fail;
1052
1053 if (log_get_max_level() < LOG_DEBUG)
1054 flags |= PAM_SILENT;
1055
1056 pam_code = pam_start(name, user, &conv, &handle);
1057 if (pam_code != PAM_SUCCESS) {
1058 handle = NULL;
1059 goto fail;
1060 }
1061
1062 if (tty) {
1063 pam_code = pam_set_item(handle, PAM_TTY, tty);
1064 if (pam_code != PAM_SUCCESS)
1065 goto fail;
1066 }
1067
1068 STRV_FOREACH(nv, *env) {
1069 pam_code = pam_putenv(handle, *nv);
1070 if (pam_code != PAM_SUCCESS)
1071 goto fail;
1072 }
1073
1074 pam_code = pam_acct_mgmt(handle, flags);
1075 if (pam_code != PAM_SUCCESS)
1076 goto fail;
1077
1078 pam_code = pam_open_session(handle, flags);
1079 if (pam_code != PAM_SUCCESS)
1080 goto fail;
1081
1082 close_session = true;
1083
1084 e = pam_getenvlist(handle);
1085 if (!e) {
1086 pam_code = PAM_BUF_ERR;
1087 goto fail;
1088 }
1089
1090 /* Block SIGTERM, so that we know that it won't get lost in
1091 * the child */
1092
1093 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
1094
1095 parent_pid = getpid();
1096
1097 pam_pid = fork();
1098 if (pam_pid < 0) {
1099 r = -errno;
1100 goto fail;
1101 }
1102
1103 if (pam_pid == 0) {
1104 int sig, ret = EXIT_PAM;
1105
1106 /* The child's job is to reset the PAM session on
1107 * termination */
1108 barrier_set_role(&barrier, BARRIER_CHILD);
1109
1110 /* This string must fit in 10 chars (i.e. the length
1111 * of "/sbin/init"), to look pretty in /bin/ps */
1112 rename_process("(sd-pam)");
1113
1114 /* Make sure we don't keep open the passed fds in this
1115 child. We assume that otherwise only those fds are
1116 open here that have been opened by PAM. */
1117 close_many(fds, n_fds);
1118
1119 /* Drop privileges - we don't need any to pam_close_session
1120 * and this will make PR_SET_PDEATHSIG work in most cases.
1121 * If this fails, ignore the error - but expect sd-pam threads
1122 * to fail to exit normally */
1123
1124 r = maybe_setgroups(0, NULL);
1125 if (r < 0)
1126 log_warning_errno(r, "Failed to setgroups() in sd-pam: %m");
1127 if (setresgid(gid, gid, gid) < 0)
1128 log_warning_errno(errno, "Failed to setresgid() in sd-pam: %m");
1129 if (setresuid(uid, uid, uid) < 0)
1130 log_warning_errno(errno, "Failed to setresuid() in sd-pam: %m");
1131
1132 (void) ignore_signals(SIGPIPE, -1);
1133
1134 /* Wait until our parent died. This will only work if
1135 * the above setresuid() succeeds, otherwise the kernel
1136 * will not allow unprivileged parents kill their privileged
1137 * children this way. We rely on the control groups kill logic
1138 * to do the rest for us. */
1139 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
1140 goto child_finish;
1141
1142 /* Tell the parent that our setup is done. This is especially
1143 * important regarding dropping privileges. Otherwise, unit
1144 * setup might race against our setresuid(2) call. */
1145 barrier_place(&barrier);
1146
1147 /* Check if our parent process might already have
1148 * died? */
1149 if (getppid() == parent_pid) {
1150 sigset_t ss;
1151
1152 assert_se(sigemptyset(&ss) >= 0);
1153 assert_se(sigaddset(&ss, SIGTERM) >= 0);
1154
1155 for (;;) {
1156 if (sigwait(&ss, &sig) < 0) {
1157 if (errno == EINTR)
1158 continue;
1159
1160 goto child_finish;
1161 }
1162
1163 assert(sig == SIGTERM);
1164 break;
1165 }
1166 }
1167
1168 /* If our parent died we'll end the session */
1169 if (getppid() != parent_pid) {
1170 pam_code = pam_close_session(handle, flags);
1171 if (pam_code != PAM_SUCCESS)
1172 goto child_finish;
1173 }
1174
1175 ret = 0;
1176
1177 child_finish:
1178 pam_end(handle, pam_code | flags);
1179 _exit(ret);
1180 }
1181
1182 barrier_set_role(&barrier, BARRIER_PARENT);
1183
1184 /* If the child was forked off successfully it will do all the
1185 * cleanups, so forget about the handle here. */
1186 handle = NULL;
1187
1188 /* Unblock SIGTERM again in the parent */
1189 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
1190
1191 /* We close the log explicitly here, since the PAM modules
1192 * might have opened it, but we don't want this fd around. */
1193 closelog();
1194
1195 /* Synchronously wait for the child to initialize. We don't care for
1196 * errors as we cannot recover. However, warn loudly if it happens. */
1197 if (!barrier_place_and_sync(&barrier))
1198 log_error("PAM initialization failed");
1199
1200 strv_free(*env);
1201 *env = e;
1202
1203 return 0;
1204
1205 fail:
1206 if (pam_code != PAM_SUCCESS) {
1207 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
1208 r = -EPERM; /* PAM errors do not map to errno */
1209 } else
1210 log_error_errno(r, "PAM failed: %m");
1211
1212 if (handle) {
1213 if (close_session)
1214 pam_code = pam_close_session(handle, flags);
1215
1216 pam_end(handle, pam_code | flags);
1217 }
1218
1219 strv_free(e);
1220 closelog();
1221
1222 return r;
1223 #else
1224 return 0;
1225 #endif
1226 }
1227
1228 static void rename_process_from_path(const char *path) {
1229 char process_name[11];
1230 const char *p;
1231 size_t l;
1232
1233 /* This resulting string must fit in 10 chars (i.e. the length
1234 * of "/sbin/init") to look pretty in /bin/ps */
1235
1236 p = basename(path);
1237 if (isempty(p)) {
1238 rename_process("(...)");
1239 return;
1240 }
1241
1242 l = strlen(p);
1243 if (l > 8) {
1244 /* The end of the process name is usually more
1245 * interesting, since the first bit might just be
1246 * "systemd-" */
1247 p = p + l - 8;
1248 l = 8;
1249 }
1250
1251 process_name[0] = '(';
1252 memcpy(process_name+1, p, l);
1253 process_name[1+l] = ')';
1254 process_name[1+l+1] = 0;
1255
1256 rename_process(process_name);
1257 }
1258
1259 static bool context_has_address_families(const ExecContext *c) {
1260 assert(c);
1261
1262 return c->address_families_whitelist ||
1263 !set_isempty(c->address_families);
1264 }
1265
1266 static bool context_has_syscall_filters(const ExecContext *c) {
1267 assert(c);
1268
1269 return c->syscall_whitelist ||
1270 !set_isempty(c->syscall_filter);
1271 }
1272
1273 static bool context_has_no_new_privileges(const ExecContext *c) {
1274 assert(c);
1275
1276 if (c->no_new_privileges)
1277 return true;
1278
1279 if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
1280 return false;
1281
1282 /* We need NNP if we have any form of seccomp and are unprivileged */
1283 return context_has_address_families(c) ||
1284 c->memory_deny_write_execute ||
1285 c->restrict_realtime ||
1286 exec_context_restrict_namespaces_set(c) ||
1287 c->protect_kernel_tunables ||
1288 c->protect_kernel_modules ||
1289 c->private_devices ||
1290 context_has_syscall_filters(c) ||
1291 !set_isempty(c->syscall_archs);
1292 }
1293
1294 #ifdef HAVE_SECCOMP
1295
1296 static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
1297
1298 if (is_seccomp_available())
1299 return false;
1300
1301 log_open();
1302 log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
1303 log_close();
1304 return true;
1305 }
1306
1307 static int apply_syscall_filter(const Unit* u, const ExecContext *c) {
1308 uint32_t negative_action, default_action, action;
1309
1310 assert(u);
1311 assert(c);
1312
1313 if (!context_has_syscall_filters(c))
1314 return 0;
1315
1316 if (skip_seccomp_unavailable(u, "SystemCallFilter="))
1317 return 0;
1318
1319 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
1320
1321 if (c->syscall_whitelist) {
1322 default_action = negative_action;
1323 action = SCMP_ACT_ALLOW;
1324 } else {
1325 default_action = SCMP_ACT_ALLOW;
1326 action = negative_action;
1327 }
1328
1329 return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_filter, action);
1330 }
1331
1332 static int apply_syscall_archs(const Unit *u, const ExecContext *c) {
1333 assert(u);
1334 assert(c);
1335
1336 if (set_isempty(c->syscall_archs))
1337 return 0;
1338
1339 if (skip_seccomp_unavailable(u, "SystemCallArchitectures="))
1340 return 0;
1341
1342 return seccomp_restrict_archs(c->syscall_archs);
1343 }
1344
1345 static int apply_address_families(const Unit* u, const ExecContext *c) {
1346 assert(u);
1347 assert(c);
1348
1349 if (!context_has_address_families(c))
1350 return 0;
1351
1352 if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
1353 return 0;
1354
1355 return seccomp_restrict_address_families(c->address_families, c->address_families_whitelist);
1356 }
1357
1358 static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c) {
1359 assert(u);
1360 assert(c);
1361
1362 if (!c->memory_deny_write_execute)
1363 return 0;
1364
1365 if (skip_seccomp_unavailable(u, "MemoryDenyWriteExecute="))
1366 return 0;
1367
1368 return seccomp_memory_deny_write_execute();
1369 }
1370
1371 static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
1372 assert(u);
1373 assert(c);
1374
1375 if (!c->restrict_realtime)
1376 return 0;
1377
1378 if (skip_seccomp_unavailable(u, "RestrictRealtime="))
1379 return 0;
1380
1381 return seccomp_restrict_realtime();
1382 }
1383
1384 static int apply_protect_sysctl(const Unit *u, const ExecContext *c) {
1385 assert(u);
1386 assert(c);
1387
1388 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1389 * let's protect even those systems where this is left on in the kernel. */
1390
1391 if (!c->protect_kernel_tunables)
1392 return 0;
1393
1394 if (skip_seccomp_unavailable(u, "ProtectKernelTunables="))
1395 return 0;
1396
1397 return seccomp_protect_sysctl();
1398 }
1399
1400 static int apply_protect_kernel_modules(const Unit *u, const ExecContext *c) {
1401 assert(u);
1402 assert(c);
1403
1404 /* Turn off module syscalls on ProtectKernelModules=yes */
1405
1406 if (!c->protect_kernel_modules)
1407 return 0;
1408
1409 if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
1410 return 0;
1411
1412 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM));
1413 }
1414
1415 static int apply_private_devices(const Unit *u, const ExecContext *c) {
1416 assert(u);
1417 assert(c);
1418
1419 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
1420
1421 if (!c->private_devices)
1422 return 0;
1423
1424 if (skip_seccomp_unavailable(u, "PrivateDevices="))
1425 return 0;
1426
1427 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
1428 }
1429
1430 static int apply_restrict_namespaces(Unit *u, const ExecContext *c) {
1431 assert(u);
1432 assert(c);
1433
1434 if (!exec_context_restrict_namespaces_set(c))
1435 return 0;
1436
1437 if (skip_seccomp_unavailable(u, "RestrictNamespaces="))
1438 return 0;
1439
1440 return seccomp_restrict_namespaces(c->restrict_namespaces);
1441 }
1442
1443 #endif
1444
1445 static void do_idle_pipe_dance(int idle_pipe[4]) {
1446 assert(idle_pipe);
1447
1448 idle_pipe[1] = safe_close(idle_pipe[1]);
1449 idle_pipe[2] = safe_close(idle_pipe[2]);
1450
1451 if (idle_pipe[0] >= 0) {
1452 int r;
1453
1454 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1455
1456 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
1457 ssize_t n;
1458
1459 /* Signal systemd that we are bored and want to continue. */
1460 n = write(idle_pipe[3], "x", 1);
1461 if (n > 0)
1462 /* Wait for systemd to react to the signal above. */
1463 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1464 }
1465
1466 idle_pipe[0] = safe_close(idle_pipe[0]);
1467
1468 }
1469
1470 idle_pipe[3] = safe_close(idle_pipe[3]);
1471 }
1472
1473 static int build_environment(
1474 Unit *u,
1475 const ExecContext *c,
1476 const ExecParameters *p,
1477 unsigned n_fds,
1478 const char *home,
1479 const char *username,
1480 const char *shell,
1481 dev_t journal_stream_dev,
1482 ino_t journal_stream_ino,
1483 char ***ret) {
1484
1485 _cleanup_strv_free_ char **our_env = NULL;
1486 unsigned n_env = 0;
1487 char *x;
1488
1489 assert(u);
1490 assert(c);
1491 assert(ret);
1492
1493 our_env = new0(char*, 14);
1494 if (!our_env)
1495 return -ENOMEM;
1496
1497 if (n_fds > 0) {
1498 _cleanup_free_ char *joined = NULL;
1499
1500 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1501 return -ENOMEM;
1502 our_env[n_env++] = x;
1503
1504 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1505 return -ENOMEM;
1506 our_env[n_env++] = x;
1507
1508 joined = strv_join(p->fd_names, ":");
1509 if (!joined)
1510 return -ENOMEM;
1511
1512 x = strjoin("LISTEN_FDNAMES=", joined);
1513 if (!x)
1514 return -ENOMEM;
1515 our_env[n_env++] = x;
1516 }
1517
1518 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
1519 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1520 return -ENOMEM;
1521 our_env[n_env++] = x;
1522
1523 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
1524 return -ENOMEM;
1525 our_env[n_env++] = x;
1526 }
1527
1528 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1529 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1530 * check the database directly. */
1531 if (unit_has_name(u, SPECIAL_DBUS_SERVICE)) {
1532 x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1533 if (!x)
1534 return -ENOMEM;
1535 our_env[n_env++] = x;
1536 }
1537
1538 if (home) {
1539 x = strappend("HOME=", home);
1540 if (!x)
1541 return -ENOMEM;
1542 our_env[n_env++] = x;
1543 }
1544
1545 if (username) {
1546 x = strappend("LOGNAME=", username);
1547 if (!x)
1548 return -ENOMEM;
1549 our_env[n_env++] = x;
1550
1551 x = strappend("USER=", username);
1552 if (!x)
1553 return -ENOMEM;
1554 our_env[n_env++] = x;
1555 }
1556
1557 if (shell) {
1558 x = strappend("SHELL=", shell);
1559 if (!x)
1560 return -ENOMEM;
1561 our_env[n_env++] = x;
1562 }
1563
1564 if (!sd_id128_is_null(u->invocation_id)) {
1565 if (asprintf(&x, "INVOCATION_ID=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(u->invocation_id)) < 0)
1566 return -ENOMEM;
1567
1568 our_env[n_env++] = x;
1569 }
1570
1571 if (exec_context_needs_term(c)) {
1572 const char *tty_path, *term = NULL;
1573
1574 tty_path = exec_context_tty_path(c);
1575
1576 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try to inherit
1577 * the $TERM set for PID 1. This is useful for containers so that the $TERM the container manager
1578 * passes to PID 1 ends up all the way in the console login shown. */
1579
1580 if (path_equal(tty_path, "/dev/console") && getppid() == 1)
1581 term = getenv("TERM");
1582 if (!term)
1583 term = default_term_for_tty(tty_path);
1584
1585 x = strappend("TERM=", term);
1586 if (!x)
1587 return -ENOMEM;
1588 our_env[n_env++] = x;
1589 }
1590
1591 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1592 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1593 return -ENOMEM;
1594
1595 our_env[n_env++] = x;
1596 }
1597
1598 our_env[n_env++] = NULL;
1599 assert(n_env <= 12);
1600
1601 *ret = our_env;
1602 our_env = NULL;
1603
1604 return 0;
1605 }
1606
1607 static int build_pass_environment(const ExecContext *c, char ***ret) {
1608 _cleanup_strv_free_ char **pass_env = NULL;
1609 size_t n_env = 0, n_bufsize = 0;
1610 char **i;
1611
1612 STRV_FOREACH(i, c->pass_environment) {
1613 _cleanup_free_ char *x = NULL;
1614 char *v;
1615
1616 v = getenv(*i);
1617 if (!v)
1618 continue;
1619 x = strjoin(*i, "=", v);
1620 if (!x)
1621 return -ENOMEM;
1622 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1623 return -ENOMEM;
1624 pass_env[n_env++] = x;
1625 pass_env[n_env] = NULL;
1626 x = NULL;
1627 }
1628
1629 *ret = pass_env;
1630 pass_env = NULL;
1631
1632 return 0;
1633 }
1634
1635 static bool exec_needs_mount_namespace(
1636 const ExecContext *context,
1637 const ExecParameters *params,
1638 ExecRuntime *runtime) {
1639
1640 assert(context);
1641 assert(params);
1642
1643 if (context->root_image)
1644 return true;
1645
1646 if (!strv_isempty(context->read_write_paths) ||
1647 !strv_isempty(context->read_only_paths) ||
1648 !strv_isempty(context->inaccessible_paths))
1649 return true;
1650
1651 if (context->n_bind_mounts > 0)
1652 return true;
1653
1654 if (context->mount_flags != 0)
1655 return true;
1656
1657 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1658 return true;
1659
1660 if (context->private_devices ||
1661 context->protect_system != PROTECT_SYSTEM_NO ||
1662 context->protect_home != PROTECT_HOME_NO ||
1663 context->protect_kernel_tunables ||
1664 context->protect_kernel_modules ||
1665 context->protect_control_groups)
1666 return true;
1667
1668 if (context->mount_apivfs)
1669 return true;
1670
1671 return false;
1672 }
1673
1674 static int setup_private_users(uid_t uid, gid_t gid) {
1675 _cleanup_free_ char *uid_map = NULL, *gid_map = NULL;
1676 _cleanup_close_pair_ int errno_pipe[2] = { -1, -1 };
1677 _cleanup_close_ int unshare_ready_fd = -1;
1678 _cleanup_(sigkill_waitp) pid_t pid = 0;
1679 uint64_t c = 1;
1680 siginfo_t si;
1681 ssize_t n;
1682 int r;
1683
1684 /* Set up a user namespace and map root to root, the selected UID/GID to itself, and everything else to
1685 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1686 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1687 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1688 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
1689 * continues execution normally. */
1690
1691 if (uid != 0 && uid_is_valid(uid)) {
1692 r = asprintf(&uid_map,
1693 "0 0 1\n" /* Map root → root */
1694 UID_FMT " " UID_FMT " 1\n", /* Map $UID → $UID */
1695 uid, uid);
1696 if (r < 0)
1697 return -ENOMEM;
1698 } else {
1699 uid_map = strdup("0 0 1\n"); /* The case where the above is the same */
1700 if (!uid_map)
1701 return -ENOMEM;
1702 }
1703
1704 if (gid != 0 && gid_is_valid(gid)) {
1705 r = asprintf(&gid_map,
1706 "0 0 1\n" /* Map root → root */
1707 GID_FMT " " GID_FMT " 1\n", /* Map $GID → $GID */
1708 gid, gid);
1709 if (r < 0)
1710 return -ENOMEM;
1711 } else {
1712 gid_map = strdup("0 0 1\n"); /* The case where the above is the same */
1713 if (!gid_map)
1714 return -ENOMEM;
1715 }
1716
1717 /* Create a communication channel so that the parent can tell the child when it finished creating the user
1718 * namespace. */
1719 unshare_ready_fd = eventfd(0, EFD_CLOEXEC);
1720 if (unshare_ready_fd < 0)
1721 return -errno;
1722
1723 /* Create a communication channel so that the child can tell the parent a proper error code in case it
1724 * failed. */
1725 if (pipe2(errno_pipe, O_CLOEXEC) < 0)
1726 return -errno;
1727
1728 pid = fork();
1729 if (pid < 0)
1730 return -errno;
1731
1732 if (pid == 0) {
1733 _cleanup_close_ int fd = -1;
1734 const char *a;
1735 pid_t ppid;
1736
1737 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
1738 * here, after the parent opened its own user namespace. */
1739
1740 ppid = getppid();
1741 errno_pipe[0] = safe_close(errno_pipe[0]);
1742
1743 /* Wait until the parent unshared the user namespace */
1744 if (read(unshare_ready_fd, &c, sizeof(c)) < 0) {
1745 r = -errno;
1746 goto child_fail;
1747 }
1748
1749 /* Disable the setgroups() system call in the child user namespace, for good. */
1750 a = procfs_file_alloca(ppid, "setgroups");
1751 fd = open(a, O_WRONLY|O_CLOEXEC);
1752 if (fd < 0) {
1753 if (errno != ENOENT) {
1754 r = -errno;
1755 goto child_fail;
1756 }
1757
1758 /* If the file is missing the kernel is too old, let's continue anyway. */
1759 } else {
1760 if (write(fd, "deny\n", 5) < 0) {
1761 r = -errno;
1762 goto child_fail;
1763 }
1764
1765 fd = safe_close(fd);
1766 }
1767
1768 /* First write the GID map */
1769 a = procfs_file_alloca(ppid, "gid_map");
1770 fd = open(a, O_WRONLY|O_CLOEXEC);
1771 if (fd < 0) {
1772 r = -errno;
1773 goto child_fail;
1774 }
1775 if (write(fd, gid_map, strlen(gid_map)) < 0) {
1776 r = -errno;
1777 goto child_fail;
1778 }
1779 fd = safe_close(fd);
1780
1781 /* The write the UID map */
1782 a = procfs_file_alloca(ppid, "uid_map");
1783 fd = open(a, O_WRONLY|O_CLOEXEC);
1784 if (fd < 0) {
1785 r = -errno;
1786 goto child_fail;
1787 }
1788 if (write(fd, uid_map, strlen(uid_map)) < 0) {
1789 r = -errno;
1790 goto child_fail;
1791 }
1792
1793 _exit(EXIT_SUCCESS);
1794
1795 child_fail:
1796 (void) write(errno_pipe[1], &r, sizeof(r));
1797 _exit(EXIT_FAILURE);
1798 }
1799
1800 errno_pipe[1] = safe_close(errno_pipe[1]);
1801
1802 if (unshare(CLONE_NEWUSER) < 0)
1803 return -errno;
1804
1805 /* Let the child know that the namespace is ready now */
1806 if (write(unshare_ready_fd, &c, sizeof(c)) < 0)
1807 return -errno;
1808
1809 /* Try to read an error code from the child */
1810 n = read(errno_pipe[0], &r, sizeof(r));
1811 if (n < 0)
1812 return -errno;
1813 if (n == sizeof(r)) { /* an error code was sent to us */
1814 if (r < 0)
1815 return r;
1816 return -EIO;
1817 }
1818 if (n != 0) /* on success we should have read 0 bytes */
1819 return -EIO;
1820
1821 r = wait_for_terminate(pid, &si);
1822 if (r < 0)
1823 return r;
1824 pid = 0;
1825
1826 /* If something strange happened with the child, let's consider this fatal, too */
1827 if (si.si_code != CLD_EXITED || si.si_status != 0)
1828 return -EIO;
1829
1830 return 0;
1831 }
1832
1833 static int setup_runtime_directory(
1834 const ExecContext *context,
1835 const ExecParameters *params,
1836 uid_t uid,
1837 gid_t gid) {
1838
1839 char **rt;
1840 int r;
1841
1842 assert(context);
1843 assert(params);
1844
1845 STRV_FOREACH(rt, context->runtime_directory) {
1846 _cleanup_free_ char *p;
1847
1848 p = strjoin(params->runtime_prefix, "/", *rt);
1849 if (!p)
1850 return -ENOMEM;
1851
1852 r = mkdir_p_label(p, context->runtime_directory_mode);
1853 if (r < 0)
1854 return r;
1855
1856 r = chmod_and_chown(p, context->runtime_directory_mode, uid, gid);
1857 if (r < 0)
1858 return r;
1859 }
1860
1861 return 0;
1862 }
1863
1864 static int setup_smack(
1865 const ExecContext *context,
1866 const ExecCommand *command) {
1867
1868 #ifdef HAVE_SMACK
1869 int r;
1870
1871 assert(context);
1872 assert(command);
1873
1874 if (!mac_smack_use())
1875 return 0;
1876
1877 if (context->smack_process_label) {
1878 r = mac_smack_apply_pid(0, context->smack_process_label);
1879 if (r < 0)
1880 return r;
1881 }
1882 #ifdef SMACK_DEFAULT_PROCESS_LABEL
1883 else {
1884 _cleanup_free_ char *exec_label = NULL;
1885
1886 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
1887 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP)
1888 return r;
1889
1890 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
1891 if (r < 0)
1892 return r;
1893 }
1894 #endif
1895 #endif
1896
1897 return 0;
1898 }
1899
1900 static int compile_read_write_paths(
1901 const ExecContext *context,
1902 const ExecParameters *params,
1903 char ***ret) {
1904
1905 _cleanup_strv_free_ char **l = NULL;
1906 char **rt;
1907
1908 /* Compile the list of writable paths. This is the combination of
1909 * the explicitly configured paths, plus all runtime directories. */
1910
1911 if (strv_isempty(context->read_write_paths) &&
1912 strv_isempty(context->runtime_directory)) {
1913 *ret = NULL; /* NOP if neither is set */
1914 return 0;
1915 }
1916
1917 l = strv_copy(context->read_write_paths);
1918 if (!l)
1919 return -ENOMEM;
1920
1921 STRV_FOREACH(rt, context->runtime_directory) {
1922 char *s;
1923
1924 s = strjoin(params->runtime_prefix, "/", *rt);
1925 if (!s)
1926 return -ENOMEM;
1927
1928 if (strv_consume(&l, s) < 0)
1929 return -ENOMEM;
1930 }
1931
1932 *ret = l;
1933 l = NULL;
1934
1935 return 0;
1936 }
1937
1938 static int apply_mount_namespace(Unit *u, const ExecContext *context,
1939 const ExecParameters *params,
1940 ExecRuntime *runtime) {
1941 int r;
1942 _cleanup_strv_free_ char **rw = NULL;
1943 char *tmp = NULL, *var = NULL;
1944 const char *root_dir = NULL, *root_image = NULL;
1945 NameSpaceInfo ns_info = {
1946 .ignore_protect_paths = false,
1947 .private_dev = context->private_devices,
1948 .protect_control_groups = context->protect_control_groups,
1949 .protect_kernel_tunables = context->protect_kernel_tunables,
1950 .protect_kernel_modules = context->protect_kernel_modules,
1951 .mount_apivfs = context->mount_apivfs,
1952 };
1953
1954 assert(context);
1955
1956 /* The runtime struct only contains the parent of the private /tmp,
1957 * which is non-accessible to world users. Inside of it there's a /tmp
1958 * that is sticky, and that's the one we want to use here. */
1959
1960 if (context->private_tmp && runtime) {
1961 if (runtime->tmp_dir)
1962 tmp = strjoina(runtime->tmp_dir, "/tmp");
1963 if (runtime->var_tmp_dir)
1964 var = strjoina(runtime->var_tmp_dir, "/tmp");
1965 }
1966
1967 r = compile_read_write_paths(context, params, &rw);
1968 if (r < 0)
1969 return r;
1970
1971 if (params->flags & EXEC_APPLY_CHROOT) {
1972 root_image = context->root_image;
1973
1974 if (!root_image)
1975 root_dir = context->root_directory;
1976 }
1977
1978 /*
1979 * If DynamicUser=no and RootDirectory= is set then lets pass a relaxed
1980 * sandbox info, otherwise enforce it, don't ignore protected paths and
1981 * fail if we are enable to apply the sandbox inside the mount namespace.
1982 */
1983 if (!context->dynamic_user && root_dir)
1984 ns_info.ignore_protect_paths = true;
1985
1986 r = setup_namespace(root_dir, root_image,
1987 &ns_info, rw,
1988 context->read_only_paths,
1989 context->inaccessible_paths,
1990 context->bind_mounts,
1991 context->n_bind_mounts,
1992 tmp,
1993 var,
1994 context->protect_home,
1995 context->protect_system,
1996 context->mount_flags,
1997 DISSECT_IMAGE_DISCARD_ON_LOOP);
1998
1999 /* If we couldn't set up the namespace this is probably due to a
2000 * missing capability. In this case, silently proceeed. */
2001 if (IN_SET(r, -EPERM, -EACCES)) {
2002 log_open();
2003 log_unit_debug_errno(u, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
2004 log_close();
2005 r = 0;
2006 }
2007
2008 return r;
2009 }
2010
2011 static int apply_working_directory(
2012 const ExecContext *context,
2013 const ExecParameters *params,
2014 const char *home,
2015 const bool needs_mount_ns) {
2016
2017 const char *d;
2018 const char *wd;
2019
2020 assert(context);
2021
2022 if (context->working_directory_home)
2023 wd = home;
2024 else if (context->working_directory)
2025 wd = context->working_directory;
2026 else
2027 wd = "/";
2028
2029 if (params->flags & EXEC_APPLY_CHROOT) {
2030 if (!needs_mount_ns && context->root_directory)
2031 if (chroot(context->root_directory) < 0)
2032 return -errno;
2033
2034 d = wd;
2035 } else
2036 d = strjoina(strempty(context->root_directory), "/", strempty(wd));
2037
2038 if (chdir(d) < 0 && !context->working_directory_missing_ok)
2039 return -errno;
2040
2041 return 0;
2042 }
2043
2044 static int setup_keyring(Unit *u, const ExecParameters *p, uid_t uid, gid_t gid) {
2045 key_serial_t keyring;
2046
2047 assert(u);
2048 assert(p);
2049
2050 /* Let's set up a new per-service "session" kernel keyring for each system service. This has the benefit that
2051 * each service runs with its own keyring shared among all processes of the service, but with no hook-up beyond
2052 * that scope, and in particular no link to the per-UID keyring. If we don't do this the keyring will be
2053 * automatically created on-demand and then linked to the per-UID keyring, by the kernel. The kernel's built-in
2054 * on-demand behaviour is very appropriate for login users, but probably not so much for system services, where
2055 * UIDs are not necessarily specific to a service but reused (at least in the case of UID 0). */
2056
2057 if (!(p->flags & EXEC_NEW_KEYRING))
2058 return 0;
2059
2060 keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0);
2061 if (keyring == -1) {
2062 if (errno == ENOSYS)
2063 log_debug_errno(errno, "Kernel keyring not supported, ignoring.");
2064 else if (IN_SET(errno, EACCES, EPERM))
2065 log_debug_errno(errno, "Kernel keyring access prohibited, ignoring.");
2066 else if (errno == EDQUOT)
2067 log_debug_errno(errno, "Out of kernel keyrings to allocate, ignoring.");
2068 else
2069 return log_error_errno(errno, "Setting up kernel keyring failed: %m");
2070
2071 return 0;
2072 }
2073
2074 /* Populate they keyring with the invocation ID by default. */
2075 if (!sd_id128_is_null(u->invocation_id)) {
2076 key_serial_t key;
2077
2078 key = add_key("user", "invocation_id", &u->invocation_id, sizeof(u->invocation_id), KEY_SPEC_SESSION_KEYRING);
2079 if (key == -1)
2080 log_debug_errno(errno, "Failed to add invocation ID to keyring, ignoring: %m");
2081 else {
2082 if (keyctl(KEYCTL_SETPERM, key,
2083 KEY_POS_VIEW|KEY_POS_READ|KEY_POS_SEARCH|
2084 KEY_USR_VIEW|KEY_USR_READ|KEY_USR_SEARCH, 0, 0) < 0)
2085 return log_error_errno(errno, "Failed to restrict invocation ID permission: %m");
2086 }
2087 }
2088
2089 /* And now, make the keyring owned by the service's user */
2090 if (uid_is_valid(uid) || gid_is_valid(gid))
2091 if (keyctl(KEYCTL_CHOWN, keyring, uid, gid, 0) < 0)
2092 return log_error_errno(errno, "Failed to change ownership of session keyring: %m");
2093
2094 return 0;
2095 }
2096
2097 static void append_socket_pair(int *array, unsigned *n, int pair[2]) {
2098 assert(array);
2099 assert(n);
2100
2101 if (!pair)
2102 return;
2103
2104 if (pair[0] >= 0)
2105 array[(*n)++] = pair[0];
2106 if (pair[1] >= 0)
2107 array[(*n)++] = pair[1];
2108 }
2109
2110 static int close_remaining_fds(
2111 const ExecParameters *params,
2112 ExecRuntime *runtime,
2113 DynamicCreds *dcreds,
2114 int user_lookup_fd,
2115 int socket_fd,
2116 int *fds, unsigned n_fds) {
2117
2118 unsigned n_dont_close = 0;
2119 int dont_close[n_fds + 12];
2120
2121 assert(params);
2122
2123 if (params->stdin_fd >= 0)
2124 dont_close[n_dont_close++] = params->stdin_fd;
2125 if (params->stdout_fd >= 0)
2126 dont_close[n_dont_close++] = params->stdout_fd;
2127 if (params->stderr_fd >= 0)
2128 dont_close[n_dont_close++] = params->stderr_fd;
2129
2130 if (socket_fd >= 0)
2131 dont_close[n_dont_close++] = socket_fd;
2132 if (n_fds > 0) {
2133 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
2134 n_dont_close += n_fds;
2135 }
2136
2137 if (runtime)
2138 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
2139
2140 if (dcreds) {
2141 if (dcreds->user)
2142 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
2143 if (dcreds->group)
2144 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
2145 }
2146
2147 if (user_lookup_fd >= 0)
2148 dont_close[n_dont_close++] = user_lookup_fd;
2149
2150 return close_all_fds(dont_close, n_dont_close);
2151 }
2152
2153 static int send_user_lookup(
2154 Unit *unit,
2155 int user_lookup_fd,
2156 uid_t uid,
2157 gid_t gid) {
2158
2159 assert(unit);
2160
2161 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
2162 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
2163 * specified. */
2164
2165 if (user_lookup_fd < 0)
2166 return 0;
2167
2168 if (!uid_is_valid(uid) && !gid_is_valid(gid))
2169 return 0;
2170
2171 if (writev(user_lookup_fd,
2172 (struct iovec[]) {
2173 { .iov_base = &uid, .iov_len = sizeof(uid) },
2174 { .iov_base = &gid, .iov_len = sizeof(gid) },
2175 { .iov_base = unit->id, .iov_len = strlen(unit->id) }}, 3) < 0)
2176 return -errno;
2177
2178 return 0;
2179 }
2180
2181 static int exec_child(
2182 Unit *unit,
2183 ExecCommand *command,
2184 const ExecContext *context,
2185 const ExecParameters *params,
2186 ExecRuntime *runtime,
2187 DynamicCreds *dcreds,
2188 char **argv,
2189 int socket_fd,
2190 int named_iofds[3],
2191 int *fds, unsigned n_fds,
2192 char **files_env,
2193 int user_lookup_fd,
2194 int *exit_status,
2195 char **error_message) {
2196
2197 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **final_argv = NULL;
2198 _cleanup_free_ char *mac_selinux_context_net = NULL;
2199 _cleanup_free_ gid_t *supplementary_gids = NULL;
2200 const char *username = NULL, *groupname = NULL;
2201 const char *home = NULL, *shell = NULL;
2202 dev_t journal_stream_dev = 0;
2203 ino_t journal_stream_ino = 0;
2204 bool needs_mount_namespace;
2205 uid_t uid = UID_INVALID;
2206 gid_t gid = GID_INVALID;
2207 int i, r, ngids = 0;
2208
2209 assert(unit);
2210 assert(command);
2211 assert(context);
2212 assert(params);
2213 assert(exit_status);
2214 assert(error_message);
2215 /* We don't always set error_message, hence it must be initialized */
2216 assert(*error_message == NULL);
2217
2218 rename_process_from_path(command->path);
2219
2220 /* We reset exactly these signals, since they are the
2221 * only ones we set to SIG_IGN in the main daemon. All
2222 * others we leave untouched because we set them to
2223 * SIG_DFL or a valid handler initially, both of which
2224 * will be demoted to SIG_DFL. */
2225 (void) default_signals(SIGNALS_CRASH_HANDLER,
2226 SIGNALS_IGNORE, -1);
2227
2228 if (context->ignore_sigpipe)
2229 (void) ignore_signals(SIGPIPE, -1);
2230
2231 r = reset_signal_mask();
2232 if (r < 0) {
2233 *exit_status = EXIT_SIGNAL_MASK;
2234 *error_message = strdup("Failed to reset signal mask");
2235 /* If strdup fails, here and below, we will just print the generic error message. */
2236 return r;
2237 }
2238
2239 if (params->idle_pipe)
2240 do_idle_pipe_dance(params->idle_pipe);
2241
2242 /* Close sockets very early to make sure we don't
2243 * block init reexecution because it cannot bind its
2244 * sockets */
2245
2246 log_forget_fds();
2247
2248 r = close_remaining_fds(params, runtime, dcreds, user_lookup_fd, socket_fd, fds, n_fds);
2249 if (r < 0) {
2250 *exit_status = EXIT_FDS;
2251 *error_message = strdup("Failed to close remaining fds");
2252 return r;
2253 }
2254
2255 if (!context->same_pgrp)
2256 if (setsid() < 0) {
2257 *exit_status = EXIT_SETSID;
2258 return -errno;
2259 }
2260
2261 exec_context_tty_reset(context, params);
2262
2263 if (unit_shall_confirm_spawn(unit)) {
2264 const char *vc = params->confirm_spawn;
2265 _cleanup_free_ char *cmdline = NULL;
2266
2267 cmdline = exec_command_line(argv);
2268 if (!cmdline) {
2269 *exit_status = EXIT_CONFIRM;
2270 return -ENOMEM;
2271 }
2272
2273 r = ask_for_confirmation(vc, unit, cmdline);
2274 if (r != CONFIRM_EXECUTE) {
2275 if (r == CONFIRM_PRETEND_SUCCESS) {
2276 *exit_status = EXIT_SUCCESS;
2277 return 0;
2278 }
2279 *exit_status = EXIT_CONFIRM;
2280 *error_message = strdup("Execution cancelled");
2281 return -ECANCELED;
2282 }
2283 }
2284
2285 if (context->dynamic_user && dcreds) {
2286
2287 /* Make sure we bypass our own NSS module for any NSS checks */
2288 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
2289 *exit_status = EXIT_USER;
2290 *error_message = strdup("Failed to update environment");
2291 return -errno;
2292 }
2293
2294 r = dynamic_creds_realize(dcreds, &uid, &gid);
2295 if (r < 0) {
2296 *exit_status = EXIT_USER;
2297 *error_message = strdup("Failed to update dynamic user credentials");
2298 return r;
2299 }
2300
2301 if (!uid_is_valid(uid)) {
2302 *exit_status = EXIT_USER;
2303 (void) asprintf(error_message, "UID validation failed for \""UID_FMT"\"", uid);
2304 /* If asprintf fails, here and below, we will just print the generic error message. */
2305 return -ESRCH;
2306 }
2307
2308 if (!gid_is_valid(gid)) {
2309 *exit_status = EXIT_USER;
2310 (void) asprintf(error_message, "GID validation failed for \""GID_FMT"\"", gid);
2311 return -ESRCH;
2312 }
2313
2314 if (dcreds->user)
2315 username = dcreds->user->name;
2316
2317 } else {
2318 r = get_fixed_user(context, &username, &uid, &gid, &home, &shell);
2319 if (r < 0) {
2320 *exit_status = EXIT_USER;
2321 *error_message = strdup("Failed to determine user credentials");
2322 return r;
2323 }
2324
2325 r = get_fixed_group(context, &groupname, &gid);
2326 if (r < 0) {
2327 *exit_status = EXIT_GROUP;
2328 *error_message = strdup("Failed to determine group credentials");
2329 return r;
2330 }
2331 }
2332
2333 /* Initialize user supplementary groups and get SupplementaryGroups= ones */
2334 r = get_supplementary_groups(context, username, groupname, gid,
2335 &supplementary_gids, &ngids);
2336 if (r < 0) {
2337 *exit_status = EXIT_GROUP;
2338 *error_message = strdup("Failed to determine supplementary groups");
2339 return r;
2340 }
2341
2342 r = send_user_lookup(unit, user_lookup_fd, uid, gid);
2343 if (r < 0) {
2344 *exit_status = EXIT_USER;
2345 *error_message = strdup("Failed to send user credentials to PID1");
2346 return r;
2347 }
2348
2349 user_lookup_fd = safe_close(user_lookup_fd);
2350
2351 /* If a socket is connected to STDIN/STDOUT/STDERR, we
2352 * must sure to drop O_NONBLOCK */
2353 if (socket_fd >= 0)
2354 (void) fd_nonblock(socket_fd, false);
2355
2356 r = setup_input(context, params, socket_fd, named_iofds);
2357 if (r < 0) {
2358 *exit_status = EXIT_STDIN;
2359 *error_message = strdup("Failed to set up stdin");
2360 return r;
2361 }
2362
2363 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
2364 if (r < 0) {
2365 *exit_status = EXIT_STDOUT;
2366 *error_message = strdup("Failed to set up stdout");
2367 return r;
2368 }
2369
2370 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
2371 if (r < 0) {
2372 *exit_status = EXIT_STDERR;
2373 *error_message = strdup("Failed to set up stderr");
2374 return r;
2375 }
2376
2377 if (params->cgroup_path) {
2378 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
2379 if (r < 0) {
2380 *exit_status = EXIT_CGROUP;
2381 (void) asprintf(error_message, "Failed to attach to cgroup %s", params->cgroup_path);
2382 return r;
2383 }
2384 }
2385
2386 if (context->oom_score_adjust_set) {
2387 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
2388
2389 /* When we can't make this change due to EPERM, then
2390 * let's silently skip over it. User namespaces
2391 * prohibit write access to this file, and we
2392 * shouldn't trip up over that. */
2393
2394 sprintf(t, "%i", context->oom_score_adjust);
2395 r = write_string_file("/proc/self/oom_score_adj", t, 0);
2396 if (r == -EPERM || r == -EACCES) {
2397 log_open();
2398 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
2399 log_close();
2400 } else if (r < 0) {
2401 *exit_status = EXIT_OOM_ADJUST;
2402 *error_message = strdup("Failed to write /proc/self/oom_score_adj");
2403 return -errno;
2404 }
2405 }
2406
2407 if (context->nice_set)
2408 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
2409 *exit_status = EXIT_NICE;
2410 return -errno;
2411 }
2412
2413 if (context->cpu_sched_set) {
2414 struct sched_param param = {
2415 .sched_priority = context->cpu_sched_priority,
2416 };
2417
2418 r = sched_setscheduler(0,
2419 context->cpu_sched_policy |
2420 (context->cpu_sched_reset_on_fork ?
2421 SCHED_RESET_ON_FORK : 0),
2422 &param);
2423 if (r < 0) {
2424 *exit_status = EXIT_SETSCHEDULER;
2425 return -errno;
2426 }
2427 }
2428
2429 if (context->cpuset)
2430 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
2431 *exit_status = EXIT_CPUAFFINITY;
2432 return -errno;
2433 }
2434
2435 if (context->ioprio_set)
2436 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
2437 *exit_status = EXIT_IOPRIO;
2438 return -errno;
2439 }
2440
2441 if (context->timer_slack_nsec != NSEC_INFINITY)
2442 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
2443 *exit_status = EXIT_TIMERSLACK;
2444 return -errno;
2445 }
2446
2447 if (context->personality != PERSONALITY_INVALID)
2448 if (personality(context->personality) < 0) {
2449 *exit_status = EXIT_PERSONALITY;
2450 return -errno;
2451 }
2452
2453 if (context->utmp_id)
2454 utmp_put_init_process(context->utmp_id, getpid(), getsid(0),
2455 context->tty_path,
2456 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
2457 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
2458 USER_PROCESS,
2459 username);
2460
2461 if (context->user) {
2462 r = chown_terminal(STDIN_FILENO, uid);
2463 if (r < 0) {
2464 *exit_status = EXIT_STDIN;
2465 return r;
2466 }
2467 }
2468
2469 /* If delegation is enabled we'll pass ownership of the cgroup
2470 * (but only in systemd's own controller hierarchy!) to the
2471 * user of the new process. */
2472 if (params->cgroup_path && context->user && params->cgroup_delegate) {
2473 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
2474 if (r < 0) {
2475 *exit_status = EXIT_CGROUP;
2476 return r;
2477 }
2478
2479
2480 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
2481 if (r < 0) {
2482 *exit_status = EXIT_CGROUP;
2483 return r;
2484 }
2485 }
2486
2487 if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
2488 r = setup_runtime_directory(context, params, uid, gid);
2489 if (r < 0) {
2490 *exit_status = EXIT_RUNTIME_DIRECTORY;
2491 return r;
2492 }
2493 }
2494
2495 r = build_environment(
2496 unit,
2497 context,
2498 params,
2499 n_fds,
2500 home,
2501 username,
2502 shell,
2503 journal_stream_dev,
2504 journal_stream_ino,
2505 &our_env);
2506 if (r < 0) {
2507 *exit_status = EXIT_MEMORY;
2508 return r;
2509 }
2510
2511 r = build_pass_environment(context, &pass_env);
2512 if (r < 0) {
2513 *exit_status = EXIT_MEMORY;
2514 return r;
2515 }
2516
2517 accum_env = strv_env_merge(5,
2518 params->environment,
2519 our_env,
2520 pass_env,
2521 context->environment,
2522 files_env,
2523 NULL);
2524 if (!accum_env) {
2525 *exit_status = EXIT_MEMORY;
2526 return -ENOMEM;
2527 }
2528 accum_env = strv_env_clean(accum_env);
2529
2530 (void) umask(context->umask);
2531
2532 r = setup_keyring(unit, params, uid, gid);
2533 if (r < 0) {
2534 *exit_status = EXIT_KEYRING;
2535 return r;
2536 }
2537
2538 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
2539 if (context->pam_name && username) {
2540 r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds);
2541 if (r < 0) {
2542 *exit_status = EXIT_PAM;
2543 return r;
2544 }
2545 }
2546 }
2547
2548 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
2549 r = setup_netns(runtime->netns_storage_socket);
2550 if (r < 0) {
2551 *exit_status = EXIT_NETWORK;
2552 return r;
2553 }
2554 }
2555
2556 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
2557 if (needs_mount_namespace) {
2558 r = apply_mount_namespace(unit, context, params, runtime);
2559 if (r < 0) {
2560 *exit_status = EXIT_NAMESPACE;
2561 return r;
2562 }
2563 }
2564
2565 /* Apply just after mount namespace setup */
2566 r = apply_working_directory(context, params, home, needs_mount_namespace);
2567 if (r < 0) {
2568 *exit_status = EXIT_CHROOT;
2569 return r;
2570 }
2571
2572 /* Drop groups as early as possbile */
2573 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
2574 r = enforce_groups(context, gid, supplementary_gids, ngids);
2575 if (r < 0) {
2576 *exit_status = EXIT_GROUP;
2577 return r;
2578 }
2579 }
2580
2581 #ifdef HAVE_SELINUX
2582 if ((params->flags & EXEC_APPLY_PERMISSIONS) &&
2583 mac_selinux_use() &&
2584 params->selinux_context_net &&
2585 socket_fd >= 0 &&
2586 !command->privileged) {
2587
2588 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
2589 if (r < 0) {
2590 *exit_status = EXIT_SELINUX_CONTEXT;
2591 return r;
2592 }
2593 }
2594 #endif
2595
2596 if ((params->flags & EXEC_APPLY_PERMISSIONS) && context->private_users) {
2597 r = setup_private_users(uid, gid);
2598 if (r < 0) {
2599 *exit_status = EXIT_USER;
2600 return r;
2601 }
2602 }
2603
2604 /* We repeat the fd closing here, to make sure that
2605 * nothing is leaked from the PAM modules. Note that
2606 * we are more aggressive this time since socket_fd
2607 * and the netns fds we don't need anymore. The custom
2608 * endpoint fd was needed to upload the policy and can
2609 * now be closed as well. */
2610 r = close_all_fds(fds, n_fds);
2611 if (r >= 0)
2612 r = shift_fds(fds, n_fds);
2613 if (r >= 0)
2614 r = flags_fds(fds, n_fds, context->non_blocking);
2615 if (r < 0) {
2616 *exit_status = EXIT_FDS;
2617 return r;
2618 }
2619
2620 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
2621
2622 int secure_bits = context->secure_bits;
2623
2624 for (i = 0; i < _RLIMIT_MAX; i++) {
2625
2626 if (!context->rlimit[i])
2627 continue;
2628
2629 r = setrlimit_closest(i, context->rlimit[i]);
2630 if (r < 0) {
2631 *exit_status = EXIT_LIMITS;
2632 return r;
2633 }
2634 }
2635
2636 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */
2637 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
2638 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
2639 *exit_status = EXIT_LIMITS;
2640 return -errno;
2641 }
2642 }
2643
2644 if (!cap_test_all(context->capability_bounding_set)) {
2645 r = capability_bounding_set_drop(context->capability_bounding_set, false);
2646 if (r < 0) {
2647 *exit_status = EXIT_CAPABILITIES;
2648 *error_message = strdup("Failed to drop capabilities");
2649 return r;
2650 }
2651 }
2652
2653 /* This is done before enforce_user, but ambient set
2654 * does not survive over setresuid() if keep_caps is not set. */
2655 if (context->capability_ambient_set != 0) {
2656 r = capability_ambient_set_apply(context->capability_ambient_set, true);
2657 if (r < 0) {
2658 *exit_status = EXIT_CAPABILITIES;
2659 *error_message = strdup("Failed to apply ambient capabilities (before UID change)");
2660 return r;
2661 }
2662 }
2663
2664 if (context->user) {
2665 r = enforce_user(context, uid);
2666 if (r < 0) {
2667 *exit_status = EXIT_USER;
2668 (void) asprintf(error_message, "Failed to change UID to "UID_FMT, uid);
2669 return r;
2670 }
2671 if (context->capability_ambient_set != 0) {
2672
2673 /* Fix the ambient capabilities after user change. */
2674 r = capability_ambient_set_apply(context->capability_ambient_set, false);
2675 if (r < 0) {
2676 *exit_status = EXIT_CAPABILITIES;
2677 *error_message = strdup("Failed to apply ambient capabilities (after UID change)");
2678 return r;
2679 }
2680
2681 /* If we were asked to change user and ambient capabilities
2682 * were requested, we had to add keep-caps to the securebits
2683 * so that we would maintain the inherited capability set
2684 * through the setresuid(). Make sure that the bit is added
2685 * also to the context secure_bits so that we don't try to
2686 * drop the bit away next. */
2687
2688 secure_bits |= 1<<SECURE_KEEP_CAPS;
2689 }
2690 }
2691
2692 /* Apply the MAC contexts late, but before seccomp syscall filtering, as those should really be last to
2693 * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
2694 * syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
2695 * are restricted. */
2696
2697 #ifdef HAVE_SELINUX
2698 if (mac_selinux_use()) {
2699 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
2700
2701 if (exec_context) {
2702 r = setexeccon(exec_context);
2703 if (r < 0) {
2704 *exit_status = EXIT_SELINUX_CONTEXT;
2705 (void) asprintf(error_message, "Failed to set SELinux context to %s", exec_context);
2706 return r;
2707 }
2708 }
2709 }
2710 #endif
2711
2712 r = setup_smack(context, command);
2713 if (r < 0) {
2714 *exit_status = EXIT_SMACK_PROCESS_LABEL;
2715 *error_message = strdup("Failed to set SMACK process label");
2716 return r;
2717 }
2718
2719 #ifdef HAVE_APPARMOR
2720 if (context->apparmor_profile && mac_apparmor_use()) {
2721 r = aa_change_onexec(context->apparmor_profile);
2722 if (r < 0 && !context->apparmor_profile_ignore) {
2723 *exit_status = EXIT_APPARMOR_PROFILE;
2724 (void) asprintf(error_message,
2725 "Failed to prepare AppArmor profile change to %s",
2726 context->apparmor_profile);
2727 return -errno;
2728 }
2729 }
2730 #endif
2731
2732 /* PR_GET_SECUREBITS is not privileged, while
2733 * PR_SET_SECUREBITS is. So to suppress
2734 * potential EPERMs we'll try not to call
2735 * PR_SET_SECUREBITS unless necessary. */
2736 if (prctl(PR_GET_SECUREBITS) != secure_bits)
2737 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
2738 *exit_status = EXIT_SECUREBITS;
2739 *error_message = strdup("Failed to set secure bits");
2740 return -errno;
2741 }
2742
2743 if (context_has_no_new_privileges(context))
2744 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
2745 *exit_status = EXIT_NO_NEW_PRIVILEGES;
2746 *error_message = strdup("Failed to disable new privileges");
2747 return -errno;
2748 }
2749
2750 #ifdef HAVE_SECCOMP
2751 r = apply_address_families(unit, context);
2752 if (r < 0) {
2753 *exit_status = EXIT_ADDRESS_FAMILIES;
2754 *error_message = strdup("Failed to restrict address families");
2755 return r;
2756 }
2757
2758 r = apply_memory_deny_write_execute(unit, context);
2759 if (r < 0) {
2760 *exit_status = EXIT_SECCOMP;
2761 *error_message = strdup("Failed to disable writing to executable memory");
2762 return r;
2763 }
2764
2765 r = apply_restrict_realtime(unit, context);
2766 if (r < 0) {
2767 *exit_status = EXIT_SECCOMP;
2768 *error_message = strdup("Failed to apply realtime restrictions");
2769 return r;
2770 }
2771
2772 r = apply_restrict_namespaces(unit, context);
2773 if (r < 0) {
2774 *exit_status = EXIT_SECCOMP;
2775 *error_message = strdup("Failed to apply namespace restrictions");
2776 return r;
2777 }
2778
2779 r = apply_protect_sysctl(unit, context);
2780 if (r < 0) {
2781 *exit_status = EXIT_SECCOMP;
2782 *error_message = strdup("Failed to apply sysctl restrictions");
2783 return r;
2784 }
2785
2786 r = apply_protect_kernel_modules(unit, context);
2787 if (r < 0) {
2788 *exit_status = EXIT_SECCOMP;
2789 *error_message = strdup("Failed to apply module loading restrictions");
2790 return r;
2791 }
2792
2793 r = apply_private_devices(unit, context);
2794 if (r < 0) {
2795 *exit_status = EXIT_SECCOMP;
2796 *error_message = strdup("Failed to set up private devices");
2797 return r;
2798 }
2799
2800 r = apply_syscall_archs(unit, context);
2801 if (r < 0) {
2802 *exit_status = EXIT_SECCOMP;
2803 *error_message = strdup("Failed to apply syscall architecture restrictions");
2804 return r;
2805 }
2806
2807 /* This really should remain the last step before the execve(), to make sure our own code is unaffected
2808 * by the filter as little as possible. */
2809 r = apply_syscall_filter(unit, context);
2810 if (r < 0) {
2811 *exit_status = EXIT_SECCOMP;
2812 *error_message = strdup("Failed to apply syscall filters");
2813 return r;
2814 }
2815 #endif
2816 }
2817
2818 final_argv = replace_env_argv(argv, accum_env);
2819 if (!final_argv) {
2820 *exit_status = EXIT_MEMORY;
2821 *error_message = strdup("Failed to prepare process arguments");
2822 return -ENOMEM;
2823 }
2824
2825 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
2826 _cleanup_free_ char *line;
2827
2828 line = exec_command_line(final_argv);
2829 if (line) {
2830 log_open();
2831 log_struct(LOG_DEBUG,
2832 LOG_UNIT_ID(unit),
2833 "EXECUTABLE=%s", command->path,
2834 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
2835 NULL);
2836 log_close();
2837 }
2838 }
2839
2840 execve(command->path, final_argv, accum_env);
2841 *exit_status = EXIT_EXEC;
2842 return -errno;
2843 }
2844
2845 int exec_spawn(Unit *unit,
2846 ExecCommand *command,
2847 const ExecContext *context,
2848 const ExecParameters *params,
2849 ExecRuntime *runtime,
2850 DynamicCreds *dcreds,
2851 pid_t *ret) {
2852
2853 _cleanup_strv_free_ char **files_env = NULL;
2854 int *fds = NULL; unsigned n_fds = 0;
2855 _cleanup_free_ char *line = NULL;
2856 int socket_fd, r;
2857 int named_iofds[3] = { -1, -1, -1 };
2858 char **argv;
2859 pid_t pid;
2860
2861 assert(unit);
2862 assert(command);
2863 assert(context);
2864 assert(ret);
2865 assert(params);
2866 assert(params->fds || params->n_fds <= 0);
2867
2868 if (context->std_input == EXEC_INPUT_SOCKET ||
2869 context->std_output == EXEC_OUTPUT_SOCKET ||
2870 context->std_error == EXEC_OUTPUT_SOCKET) {
2871
2872 if (params->n_fds != 1) {
2873 log_unit_error(unit, "Got more than one socket.");
2874 return -EINVAL;
2875 }
2876
2877 socket_fd = params->fds[0];
2878 } else {
2879 socket_fd = -1;
2880 fds = params->fds;
2881 n_fds = params->n_fds;
2882 }
2883
2884 r = exec_context_named_iofds(unit, context, params, named_iofds);
2885 if (r < 0)
2886 return log_unit_error_errno(unit, r, "Failed to load a named file descriptor: %m");
2887
2888 r = exec_context_load_environment(unit, context, &files_env);
2889 if (r < 0)
2890 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
2891
2892 argv = params->argv ?: command->argv;
2893 line = exec_command_line(argv);
2894 if (!line)
2895 return log_oom();
2896
2897 log_struct(LOG_DEBUG,
2898 LOG_UNIT_ID(unit),
2899 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
2900 "EXECUTABLE=%s", command->path,
2901 NULL);
2902 pid = fork();
2903 if (pid < 0)
2904 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
2905
2906 if (pid == 0) {
2907 int exit_status;
2908 _cleanup_free_ char *error_message = NULL;
2909
2910 r = exec_child(unit,
2911 command,
2912 context,
2913 params,
2914 runtime,
2915 dcreds,
2916 argv,
2917 socket_fd,
2918 named_iofds,
2919 fds, n_fds,
2920 files_env,
2921 unit->manager->user_lookup_fds[1],
2922 &exit_status,
2923 &error_message);
2924 if (r < 0) {
2925 log_open();
2926 if (error_message)
2927 log_struct_errno(LOG_ERR, r,
2928 LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
2929 LOG_UNIT_ID(unit),
2930 LOG_UNIT_MESSAGE(unit, "%s: %m",
2931 error_message),
2932 "EXECUTABLE=%s", command->path,
2933 NULL);
2934 else
2935 log_struct_errno(LOG_ERR, r,
2936 LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
2937 LOG_UNIT_ID(unit),
2938 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
2939 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
2940 command->path),
2941 "EXECUTABLE=%s", command->path,
2942 NULL);
2943 }
2944
2945 _exit(exit_status);
2946 }
2947
2948 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
2949
2950 /* We add the new process to the cgroup both in the child (so
2951 * that we can be sure that no user code is ever executed
2952 * outside of the cgroup) and in the parent (so that we can be
2953 * sure that when we kill the cgroup the process will be
2954 * killed too). */
2955 if (params->cgroup_path)
2956 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
2957
2958 exec_status_start(&command->exec_status, pid);
2959
2960 *ret = pid;
2961 return 0;
2962 }
2963
2964 void exec_context_init(ExecContext *c) {
2965 assert(c);
2966
2967 c->umask = 0022;
2968 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
2969 c->cpu_sched_policy = SCHED_OTHER;
2970 c->syslog_priority = LOG_DAEMON|LOG_INFO;
2971 c->syslog_level_prefix = true;
2972 c->ignore_sigpipe = true;
2973 c->timer_slack_nsec = NSEC_INFINITY;
2974 c->personality = PERSONALITY_INVALID;
2975 c->runtime_directory_mode = 0755;
2976 c->capability_bounding_set = CAP_ALL;
2977 c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
2978 }
2979
2980 void exec_context_done(ExecContext *c) {
2981 unsigned l;
2982
2983 assert(c);
2984
2985 c->environment = strv_free(c->environment);
2986 c->environment_files = strv_free(c->environment_files);
2987 c->pass_environment = strv_free(c->pass_environment);
2988
2989 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
2990 c->rlimit[l] = mfree(c->rlimit[l]);
2991
2992 for (l = 0; l < 3; l++)
2993 c->stdio_fdname[l] = mfree(c->stdio_fdname[l]);
2994
2995 c->working_directory = mfree(c->working_directory);
2996 c->root_directory = mfree(c->root_directory);
2997 c->root_image = mfree(c->root_image);
2998 c->tty_path = mfree(c->tty_path);
2999 c->syslog_identifier = mfree(c->syslog_identifier);
3000 c->user = mfree(c->user);
3001 c->group = mfree(c->group);
3002
3003 c->supplementary_groups = strv_free(c->supplementary_groups);
3004
3005 c->pam_name = mfree(c->pam_name);
3006
3007 c->read_only_paths = strv_free(c->read_only_paths);
3008 c->read_write_paths = strv_free(c->read_write_paths);
3009 c->inaccessible_paths = strv_free(c->inaccessible_paths);
3010
3011 bind_mount_free_many(c->bind_mounts, c->n_bind_mounts);
3012
3013 if (c->cpuset)
3014 CPU_FREE(c->cpuset);
3015
3016 c->utmp_id = mfree(c->utmp_id);
3017 c->selinux_context = mfree(c->selinux_context);
3018 c->apparmor_profile = mfree(c->apparmor_profile);
3019
3020 c->syscall_filter = set_free(c->syscall_filter);
3021 c->syscall_archs = set_free(c->syscall_archs);
3022 c->address_families = set_free(c->address_families);
3023
3024 c->runtime_directory = strv_free(c->runtime_directory);
3025 }
3026
3027 int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
3028 char **i;
3029
3030 assert(c);
3031
3032 if (!runtime_prefix)
3033 return 0;
3034
3035 STRV_FOREACH(i, c->runtime_directory) {
3036 _cleanup_free_ char *p;
3037
3038 p = strjoin(runtime_prefix, "/", *i);
3039 if (!p)
3040 return -ENOMEM;
3041
3042 /* We execute this synchronously, since we need to be
3043 * sure this is gone when we start the service
3044 * next. */
3045 (void) rm_rf(p, REMOVE_ROOT);
3046 }
3047
3048 return 0;
3049 }
3050
3051 void exec_command_done(ExecCommand *c) {
3052 assert(c);
3053
3054 c->path = mfree(c->path);
3055
3056 c->argv = strv_free(c->argv);
3057 }
3058
3059 void exec_command_done_array(ExecCommand *c, unsigned n) {
3060 unsigned i;
3061
3062 for (i = 0; i < n; i++)
3063 exec_command_done(c+i);
3064 }
3065
3066 ExecCommand* exec_command_free_list(ExecCommand *c) {
3067 ExecCommand *i;
3068
3069 while ((i = c)) {
3070 LIST_REMOVE(command, c, i);
3071 exec_command_done(i);
3072 free(i);
3073 }
3074
3075 return NULL;
3076 }
3077
3078 void exec_command_free_array(ExecCommand **c, unsigned n) {
3079 unsigned i;
3080
3081 for (i = 0; i < n; i++)
3082 c[i] = exec_command_free_list(c[i]);
3083 }
3084
3085 typedef struct InvalidEnvInfo {
3086 Unit *unit;
3087 const char *path;
3088 } InvalidEnvInfo;
3089
3090 static void invalid_env(const char *p, void *userdata) {
3091 InvalidEnvInfo *info = userdata;
3092
3093 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
3094 }
3095
3096 const char* exec_context_fdname(const ExecContext *c, int fd_index) {
3097 assert(c);
3098
3099 switch (fd_index) {
3100 case STDIN_FILENO:
3101 if (c->std_input != EXEC_INPUT_NAMED_FD)
3102 return NULL;
3103 return c->stdio_fdname[STDIN_FILENO] ?: "stdin";
3104 case STDOUT_FILENO:
3105 if (c->std_output != EXEC_OUTPUT_NAMED_FD)
3106 return NULL;
3107 return c->stdio_fdname[STDOUT_FILENO] ?: "stdout";
3108 case STDERR_FILENO:
3109 if (c->std_error != EXEC_OUTPUT_NAMED_FD)
3110 return NULL;
3111 return c->stdio_fdname[STDERR_FILENO] ?: "stderr";
3112 default:
3113 return NULL;
3114 }
3115 }
3116
3117 int exec_context_named_iofds(Unit *unit, const ExecContext *c, const ExecParameters *p, int named_iofds[3]) {
3118 unsigned i, targets;
3119 const char* stdio_fdname[3];
3120
3121 assert(c);
3122 assert(p);
3123
3124 targets = (c->std_input == EXEC_INPUT_NAMED_FD) +
3125 (c->std_output == EXEC_OUTPUT_NAMED_FD) +
3126 (c->std_error == EXEC_OUTPUT_NAMED_FD);
3127
3128 for (i = 0; i < 3; i++)
3129 stdio_fdname[i] = exec_context_fdname(c, i);
3130
3131 for (i = 0; i < p->n_fds && targets > 0; i++)
3132 if (named_iofds[STDIN_FILENO] < 0 &&
3133 c->std_input == EXEC_INPUT_NAMED_FD &&
3134 stdio_fdname[STDIN_FILENO] &&
3135 streq(p->fd_names[i], stdio_fdname[STDIN_FILENO])) {
3136
3137 named_iofds[STDIN_FILENO] = p->fds[i];
3138 targets--;
3139
3140 } else if (named_iofds[STDOUT_FILENO] < 0 &&
3141 c->std_output == EXEC_OUTPUT_NAMED_FD &&
3142 stdio_fdname[STDOUT_FILENO] &&
3143 streq(p->fd_names[i], stdio_fdname[STDOUT_FILENO])) {
3144
3145 named_iofds[STDOUT_FILENO] = p->fds[i];
3146 targets--;
3147
3148 } else if (named_iofds[STDERR_FILENO] < 0 &&
3149 c->std_error == EXEC_OUTPUT_NAMED_FD &&
3150 stdio_fdname[STDERR_FILENO] &&
3151 streq(p->fd_names[i], stdio_fdname[STDERR_FILENO])) {
3152
3153 named_iofds[STDERR_FILENO] = p->fds[i];
3154 targets--;
3155 }
3156
3157 return targets == 0 ? 0 : -ENOENT;
3158 }
3159
3160 int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
3161 char **i, **r = NULL;
3162
3163 assert(c);
3164 assert(l);
3165
3166 STRV_FOREACH(i, c->environment_files) {
3167 char *fn;
3168 int k;
3169 bool ignore = false;
3170 char **p;
3171 _cleanup_globfree_ glob_t pglob = {};
3172 int count, n;
3173
3174 fn = *i;
3175
3176 if (fn[0] == '-') {
3177 ignore = true;
3178 fn++;
3179 }
3180
3181 if (!path_is_absolute(fn)) {
3182 if (ignore)
3183 continue;
3184
3185 strv_free(r);
3186 return -EINVAL;
3187 }
3188
3189 /* Filename supports globbing, take all matching files */
3190 errno = 0;
3191 if (glob(fn, 0, NULL, &pglob) != 0) {
3192 if (ignore)
3193 continue;
3194
3195 strv_free(r);
3196 return errno > 0 ? -errno : -EINVAL;
3197 }
3198 count = pglob.gl_pathc;
3199 if (count == 0) {
3200 if (ignore)
3201 continue;
3202
3203 strv_free(r);
3204 return -EINVAL;
3205 }
3206 for (n = 0; n < count; n++) {
3207 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
3208 if (k < 0) {
3209 if (ignore)
3210 continue;
3211
3212 strv_free(r);
3213 return k;
3214 }
3215 /* Log invalid environment variables with filename */
3216 if (p) {
3217 InvalidEnvInfo info = {
3218 .unit = unit,
3219 .path = pglob.gl_pathv[n]
3220 };
3221
3222 p = strv_env_clean_with_callback(p, invalid_env, &info);
3223 }
3224
3225 if (r == NULL)
3226 r = p;
3227 else {
3228 char **m;
3229
3230 m = strv_env_merge(2, r, p);
3231 strv_free(r);
3232 strv_free(p);
3233 if (!m)
3234 return -ENOMEM;
3235
3236 r = m;
3237 }
3238 }
3239 }
3240
3241 *l = r;
3242
3243 return 0;
3244 }
3245
3246 static bool tty_may_match_dev_console(const char *tty) {
3247 _cleanup_free_ char *active = NULL;
3248 char *console;
3249
3250 if (!tty)
3251 return true;
3252
3253 if (startswith(tty, "/dev/"))
3254 tty += 5;
3255
3256 /* trivial identity? */
3257 if (streq(tty, "console"))
3258 return true;
3259
3260 console = resolve_dev_console(&active);
3261 /* if we could not resolve, assume it may */
3262 if (!console)
3263 return true;
3264
3265 /* "tty0" means the active VC, so it may be the same sometimes */
3266 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
3267 }
3268
3269 bool exec_context_may_touch_console(ExecContext *ec) {
3270
3271 return (ec->tty_reset ||
3272 ec->tty_vhangup ||
3273 ec->tty_vt_disallocate ||
3274 is_terminal_input(ec->std_input) ||
3275 is_terminal_output(ec->std_output) ||
3276 is_terminal_output(ec->std_error)) &&
3277 tty_may_match_dev_console(exec_context_tty_path(ec));
3278 }
3279
3280 static void strv_fprintf(FILE *f, char **l) {
3281 char **g;
3282
3283 assert(f);
3284
3285 STRV_FOREACH(g, l)
3286 fprintf(f, " %s", *g);
3287 }
3288
3289 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
3290 char **e, **d;
3291 unsigned i;
3292 int r;
3293
3294 assert(c);
3295 assert(f);
3296
3297 prefix = strempty(prefix);
3298
3299 fprintf(f,
3300 "%sUMask: %04o\n"
3301 "%sWorkingDirectory: %s\n"
3302 "%sRootDirectory: %s\n"
3303 "%sNonBlocking: %s\n"
3304 "%sPrivateTmp: %s\n"
3305 "%sPrivateDevices: %s\n"
3306 "%sProtectKernelTunables: %s\n"
3307 "%sProtectKernelModules: %s\n"
3308 "%sProtectControlGroups: %s\n"
3309 "%sPrivateNetwork: %s\n"
3310 "%sPrivateUsers: %s\n"
3311 "%sProtectHome: %s\n"
3312 "%sProtectSystem: %s\n"
3313 "%sMountAPIVFS: %s\n"
3314 "%sIgnoreSIGPIPE: %s\n"
3315 "%sMemoryDenyWriteExecute: %s\n"
3316 "%sRestrictRealtime: %s\n",
3317 prefix, c->umask,
3318 prefix, c->working_directory ? c->working_directory : "/",
3319 prefix, c->root_directory ? c->root_directory : "/",
3320 prefix, yes_no(c->non_blocking),
3321 prefix, yes_no(c->private_tmp),
3322 prefix, yes_no(c->private_devices),
3323 prefix, yes_no(c->protect_kernel_tunables),
3324 prefix, yes_no(c->protect_kernel_modules),
3325 prefix, yes_no(c->protect_control_groups),
3326 prefix, yes_no(c->private_network),
3327 prefix, yes_no(c->private_users),
3328 prefix, protect_home_to_string(c->protect_home),
3329 prefix, protect_system_to_string(c->protect_system),
3330 prefix, yes_no(c->mount_apivfs),
3331 prefix, yes_no(c->ignore_sigpipe),
3332 prefix, yes_no(c->memory_deny_write_execute),
3333 prefix, yes_no(c->restrict_realtime));
3334
3335 if (c->root_image)
3336 fprintf(f, "%sRootImage: %s\n", prefix, c->root_image);
3337
3338 STRV_FOREACH(e, c->environment)
3339 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
3340
3341 STRV_FOREACH(e, c->environment_files)
3342 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
3343
3344 STRV_FOREACH(e, c->pass_environment)
3345 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
3346
3347 fprintf(f, "%sRuntimeDirectoryMode: %04o\n", prefix, c->runtime_directory_mode);
3348
3349 STRV_FOREACH(d, c->runtime_directory)
3350 fprintf(f, "%sRuntimeDirectory: %s\n", prefix, *d);
3351
3352 if (c->nice_set)
3353 fprintf(f,
3354 "%sNice: %i\n",
3355 prefix, c->nice);
3356
3357 if (c->oom_score_adjust_set)
3358 fprintf(f,
3359 "%sOOMScoreAdjust: %i\n",
3360 prefix, c->oom_score_adjust);
3361
3362 for (i = 0; i < RLIM_NLIMITS; i++)
3363 if (c->rlimit[i]) {
3364 fprintf(f, "%s%s: " RLIM_FMT "\n",
3365 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
3366 fprintf(f, "%s%sSoft: " RLIM_FMT "\n",
3367 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
3368 }
3369
3370 if (c->ioprio_set) {
3371 _cleanup_free_ char *class_str = NULL;
3372
3373 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
3374 fprintf(f,
3375 "%sIOSchedulingClass: %s\n"
3376 "%sIOPriority: %i\n",
3377 prefix, strna(class_str),
3378 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
3379 }
3380
3381 if (c->cpu_sched_set) {
3382 _cleanup_free_ char *policy_str = NULL;
3383
3384 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
3385 fprintf(f,
3386 "%sCPUSchedulingPolicy: %s\n"
3387 "%sCPUSchedulingPriority: %i\n"
3388 "%sCPUSchedulingResetOnFork: %s\n",
3389 prefix, strna(policy_str),
3390 prefix, c->cpu_sched_priority,
3391 prefix, yes_no(c->cpu_sched_reset_on_fork));
3392 }
3393
3394 if (c->cpuset) {
3395 fprintf(f, "%sCPUAffinity:", prefix);
3396 for (i = 0; i < c->cpuset_ncpus; i++)
3397 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
3398 fprintf(f, " %u", i);
3399 fputs("\n", f);
3400 }
3401
3402 if (c->timer_slack_nsec != NSEC_INFINITY)
3403 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
3404
3405 fprintf(f,
3406 "%sStandardInput: %s\n"
3407 "%sStandardOutput: %s\n"
3408 "%sStandardError: %s\n",
3409 prefix, exec_input_to_string(c->std_input),
3410 prefix, exec_output_to_string(c->std_output),
3411 prefix, exec_output_to_string(c->std_error));
3412
3413 if (c->tty_path)
3414 fprintf(f,
3415 "%sTTYPath: %s\n"
3416 "%sTTYReset: %s\n"
3417 "%sTTYVHangup: %s\n"
3418 "%sTTYVTDisallocate: %s\n",
3419 prefix, c->tty_path,
3420 prefix, yes_no(c->tty_reset),
3421 prefix, yes_no(c->tty_vhangup),
3422 prefix, yes_no(c->tty_vt_disallocate));
3423
3424 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
3425 c->std_output == EXEC_OUTPUT_KMSG ||
3426 c->std_output == EXEC_OUTPUT_JOURNAL ||
3427 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3428 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3429 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
3430 c->std_error == EXEC_OUTPUT_SYSLOG ||
3431 c->std_error == EXEC_OUTPUT_KMSG ||
3432 c->std_error == EXEC_OUTPUT_JOURNAL ||
3433 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3434 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3435 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
3436
3437 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
3438
3439 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
3440 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
3441
3442 fprintf(f,
3443 "%sSyslogFacility: %s\n"
3444 "%sSyslogLevel: %s\n",
3445 prefix, strna(fac_str),
3446 prefix, strna(lvl_str));
3447 }
3448
3449 if (c->secure_bits)
3450 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
3451 prefix,
3452 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
3453 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
3454 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
3455 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
3456 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
3457 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
3458
3459 if (c->capability_bounding_set != CAP_ALL) {
3460 unsigned long l;
3461 fprintf(f, "%sCapabilityBoundingSet:", prefix);
3462
3463 for (l = 0; l <= cap_last_cap(); l++)
3464 if (c->capability_bounding_set & (UINT64_C(1) << l))
3465 fprintf(f, " %s", strna(capability_to_name(l)));
3466
3467 fputs("\n", f);
3468 }
3469
3470 if (c->capability_ambient_set != 0) {
3471 unsigned long l;
3472 fprintf(f, "%sAmbientCapabilities:", prefix);
3473
3474 for (l = 0; l <= cap_last_cap(); l++)
3475 if (c->capability_ambient_set & (UINT64_C(1) << l))
3476 fprintf(f, " %s", strna(capability_to_name(l)));
3477
3478 fputs("\n", f);
3479 }
3480
3481 if (c->user)
3482 fprintf(f, "%sUser: %s\n", prefix, c->user);
3483 if (c->group)
3484 fprintf(f, "%sGroup: %s\n", prefix, c->group);
3485
3486 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
3487
3488 if (strv_length(c->supplementary_groups) > 0) {
3489 fprintf(f, "%sSupplementaryGroups:", prefix);
3490 strv_fprintf(f, c->supplementary_groups);
3491 fputs("\n", f);
3492 }
3493
3494 if (c->pam_name)
3495 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
3496
3497 if (strv_length(c->read_write_paths) > 0) {
3498 fprintf(f, "%sReadWritePaths:", prefix);
3499 strv_fprintf(f, c->read_write_paths);
3500 fputs("\n", f);
3501 }
3502
3503 if (strv_length(c->read_only_paths) > 0) {
3504 fprintf(f, "%sReadOnlyPaths:", prefix);
3505 strv_fprintf(f, c->read_only_paths);
3506 fputs("\n", f);
3507 }
3508
3509 if (strv_length(c->inaccessible_paths) > 0) {
3510 fprintf(f, "%sInaccessiblePaths:", prefix);
3511 strv_fprintf(f, c->inaccessible_paths);
3512 fputs("\n", f);
3513 }
3514
3515 if (c->n_bind_mounts > 0)
3516 for (i = 0; i < c->n_bind_mounts; i++) {
3517 fprintf(f, "%s%s: %s:%s:%s\n", prefix,
3518 c->bind_mounts[i].read_only ? "BindReadOnlyPaths" : "BindPaths",
3519 c->bind_mounts[i].source,
3520 c->bind_mounts[i].destination,
3521 c->bind_mounts[i].recursive ? "rbind" : "norbind");
3522 }
3523
3524 if (c->utmp_id)
3525 fprintf(f,
3526 "%sUtmpIdentifier: %s\n",
3527 prefix, c->utmp_id);
3528
3529 if (c->selinux_context)
3530 fprintf(f,
3531 "%sSELinuxContext: %s%s\n",
3532 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
3533
3534 if (c->personality != PERSONALITY_INVALID)
3535 fprintf(f,
3536 "%sPersonality: %s\n",
3537 prefix, strna(personality_to_string(c->personality)));
3538
3539 if (c->syscall_filter) {
3540 #ifdef HAVE_SECCOMP
3541 Iterator j;
3542 void *id;
3543 bool first = true;
3544 #endif
3545
3546 fprintf(f,
3547 "%sSystemCallFilter: ",
3548 prefix);
3549
3550 if (!c->syscall_whitelist)
3551 fputc('~', f);
3552
3553 #ifdef HAVE_SECCOMP
3554 SET_FOREACH(id, c->syscall_filter, j) {
3555 _cleanup_free_ char *name = NULL;
3556
3557 if (first)
3558 first = false;
3559 else
3560 fputc(' ', f);
3561
3562 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
3563 fputs(strna(name), f);
3564 }
3565 #endif
3566
3567 fputc('\n', f);
3568 }
3569
3570 if (c->syscall_archs) {
3571 #ifdef HAVE_SECCOMP
3572 Iterator j;
3573 void *id;
3574 #endif
3575
3576 fprintf(f,
3577 "%sSystemCallArchitectures:",
3578 prefix);
3579
3580 #ifdef HAVE_SECCOMP
3581 SET_FOREACH(id, c->syscall_archs, j)
3582 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
3583 #endif
3584 fputc('\n', f);
3585 }
3586
3587 if (exec_context_restrict_namespaces_set(c)) {
3588 _cleanup_free_ char *s = NULL;
3589
3590 r = namespace_flag_to_string_many(c->restrict_namespaces, &s);
3591 if (r >= 0)
3592 fprintf(f, "%sRestrictNamespaces: %s\n",
3593 prefix, s);
3594 }
3595
3596 if (c->syscall_errno > 0)
3597 fprintf(f,
3598 "%sSystemCallErrorNumber: %s\n",
3599 prefix, strna(errno_to_name(c->syscall_errno)));
3600
3601 if (c->apparmor_profile)
3602 fprintf(f,
3603 "%sAppArmorProfile: %s%s\n",
3604 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
3605 }
3606
3607 bool exec_context_maintains_privileges(ExecContext *c) {
3608 assert(c);
3609
3610 /* Returns true if the process forked off would run under
3611 * an unchanged UID or as root. */
3612
3613 if (!c->user)
3614 return true;
3615
3616 if (streq(c->user, "root") || streq(c->user, "0"))
3617 return true;
3618
3619 return false;
3620 }
3621
3622 void exec_status_start(ExecStatus *s, pid_t pid) {
3623 assert(s);
3624
3625 zero(*s);
3626 s->pid = pid;
3627 dual_timestamp_get(&s->start_timestamp);
3628 }
3629
3630 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
3631 assert(s);
3632
3633 if (s->pid && s->pid != pid)
3634 zero(*s);
3635
3636 s->pid = pid;
3637 dual_timestamp_get(&s->exit_timestamp);
3638
3639 s->code = code;
3640 s->status = status;
3641
3642 if (context) {
3643 if (context->utmp_id)
3644 utmp_put_dead_process(context->utmp_id, pid, code, status);
3645
3646 exec_context_tty_reset(context, NULL);
3647 }
3648 }
3649
3650 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
3651 char buf[FORMAT_TIMESTAMP_MAX];
3652
3653 assert(s);
3654 assert(f);
3655
3656 if (s->pid <= 0)
3657 return;
3658
3659 prefix = strempty(prefix);
3660
3661 fprintf(f,
3662 "%sPID: "PID_FMT"\n",
3663 prefix, s->pid);
3664
3665 if (dual_timestamp_is_set(&s->start_timestamp))
3666 fprintf(f,
3667 "%sStart Timestamp: %s\n",
3668 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
3669
3670 if (dual_timestamp_is_set(&s->exit_timestamp))
3671 fprintf(f,
3672 "%sExit Timestamp: %s\n"
3673 "%sExit Code: %s\n"
3674 "%sExit Status: %i\n",
3675 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
3676 prefix, sigchld_code_to_string(s->code),
3677 prefix, s->status);
3678 }
3679
3680 char *exec_command_line(char **argv) {
3681 size_t k;
3682 char *n, *p, **a;
3683 bool first = true;
3684
3685 assert(argv);
3686
3687 k = 1;
3688 STRV_FOREACH(a, argv)
3689 k += strlen(*a)+3;
3690
3691 n = new(char, k);
3692 if (!n)
3693 return NULL;
3694
3695 p = n;
3696 STRV_FOREACH(a, argv) {
3697
3698 if (!first)
3699 *(p++) = ' ';
3700 else
3701 first = false;
3702
3703 if (strpbrk(*a, WHITESPACE)) {
3704 *(p++) = '\'';
3705 p = stpcpy(p, *a);
3706 *(p++) = '\'';
3707 } else
3708 p = stpcpy(p, *a);
3709
3710 }
3711
3712 *p = 0;
3713
3714 /* FIXME: this doesn't really handle arguments that have
3715 * spaces and ticks in them */
3716
3717 return n;
3718 }
3719
3720 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
3721 _cleanup_free_ char *cmd = NULL;
3722 const char *prefix2;
3723
3724 assert(c);
3725 assert(f);
3726
3727 prefix = strempty(prefix);
3728 prefix2 = strjoina(prefix, "\t");
3729
3730 cmd = exec_command_line(c->argv);
3731 fprintf(f,
3732 "%sCommand Line: %s\n",
3733 prefix, cmd ? cmd : strerror(ENOMEM));
3734
3735 exec_status_dump(&c->exec_status, f, prefix2);
3736 }
3737
3738 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
3739 assert(f);
3740
3741 prefix = strempty(prefix);
3742
3743 LIST_FOREACH(command, c, c)
3744 exec_command_dump(c, f, prefix);
3745 }
3746
3747 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
3748 ExecCommand *end;
3749
3750 assert(l);
3751 assert(e);
3752
3753 if (*l) {
3754 /* It's kind of important, that we keep the order here */
3755 LIST_FIND_TAIL(command, *l, end);
3756 LIST_INSERT_AFTER(command, *l, end, e);
3757 } else
3758 *l = e;
3759 }
3760
3761 int exec_command_set(ExecCommand *c, const char *path, ...) {
3762 va_list ap;
3763 char **l, *p;
3764
3765 assert(c);
3766 assert(path);
3767
3768 va_start(ap, path);
3769 l = strv_new_ap(path, ap);
3770 va_end(ap);
3771
3772 if (!l)
3773 return -ENOMEM;
3774
3775 p = strdup(path);
3776 if (!p) {
3777 strv_free(l);
3778 return -ENOMEM;
3779 }
3780
3781 free(c->path);
3782 c->path = p;
3783
3784 strv_free(c->argv);
3785 c->argv = l;
3786
3787 return 0;
3788 }
3789
3790 int exec_command_append(ExecCommand *c, const char *path, ...) {
3791 _cleanup_strv_free_ char **l = NULL;
3792 va_list ap;
3793 int r;
3794
3795 assert(c);
3796 assert(path);
3797
3798 va_start(ap, path);
3799 l = strv_new_ap(path, ap);
3800 va_end(ap);
3801
3802 if (!l)
3803 return -ENOMEM;
3804
3805 r = strv_extend_strv(&c->argv, l, false);
3806 if (r < 0)
3807 return r;
3808
3809 return 0;
3810 }
3811
3812
3813 static int exec_runtime_allocate(ExecRuntime **rt) {
3814
3815 if (*rt)
3816 return 0;
3817
3818 *rt = new0(ExecRuntime, 1);
3819 if (!*rt)
3820 return -ENOMEM;
3821
3822 (*rt)->n_ref = 1;
3823 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
3824
3825 return 0;
3826 }
3827
3828 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
3829 int r;
3830
3831 assert(rt);
3832 assert(c);
3833 assert(id);
3834
3835 if (*rt)
3836 return 1;
3837
3838 if (!c->private_network && !c->private_tmp)
3839 return 0;
3840
3841 r = exec_runtime_allocate(rt);
3842 if (r < 0)
3843 return r;
3844
3845 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
3846 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, (*rt)->netns_storage_socket) < 0)
3847 return -errno;
3848 }
3849
3850 if (c->private_tmp && !(*rt)->tmp_dir) {
3851 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
3852 if (r < 0)
3853 return r;
3854 }
3855
3856 return 1;
3857 }
3858
3859 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
3860 assert(r);
3861 assert(r->n_ref > 0);
3862
3863 r->n_ref++;
3864 return r;
3865 }
3866
3867 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
3868
3869 if (!r)
3870 return NULL;
3871
3872 assert(r->n_ref > 0);
3873
3874 r->n_ref--;
3875 if (r->n_ref > 0)
3876 return NULL;
3877
3878 free(r->tmp_dir);
3879 free(r->var_tmp_dir);
3880 safe_close_pair(r->netns_storage_socket);
3881 return mfree(r);
3882 }
3883
3884 int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
3885 assert(u);
3886 assert(f);
3887 assert(fds);
3888
3889 if (!rt)
3890 return 0;
3891
3892 if (rt->tmp_dir)
3893 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
3894
3895 if (rt->var_tmp_dir)
3896 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
3897
3898 if (rt->netns_storage_socket[0] >= 0) {
3899 int copy;
3900
3901 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
3902 if (copy < 0)
3903 return copy;
3904
3905 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
3906 }
3907
3908 if (rt->netns_storage_socket[1] >= 0) {
3909 int copy;
3910
3911 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
3912 if (copy < 0)
3913 return copy;
3914
3915 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
3916 }
3917
3918 return 0;
3919 }
3920
3921 int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
3922 int r;
3923
3924 assert(rt);
3925 assert(key);
3926 assert(value);
3927
3928 if (streq(key, "tmp-dir")) {
3929 char *copy;
3930
3931 r = exec_runtime_allocate(rt);
3932 if (r < 0)
3933 return log_oom();
3934
3935 copy = strdup(value);
3936 if (!copy)
3937 return log_oom();
3938
3939 free((*rt)->tmp_dir);
3940 (*rt)->tmp_dir = copy;
3941
3942 } else if (streq(key, "var-tmp-dir")) {
3943 char *copy;
3944
3945 r = exec_runtime_allocate(rt);
3946 if (r < 0)
3947 return log_oom();
3948
3949 copy = strdup(value);
3950 if (!copy)
3951 return log_oom();
3952
3953 free((*rt)->var_tmp_dir);
3954 (*rt)->var_tmp_dir = copy;
3955
3956 } else if (streq(key, "netns-socket-0")) {
3957 int fd;
3958
3959 r = exec_runtime_allocate(rt);
3960 if (r < 0)
3961 return log_oom();
3962
3963 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
3964 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
3965 else {
3966 safe_close((*rt)->netns_storage_socket[0]);
3967 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
3968 }
3969 } else if (streq(key, "netns-socket-1")) {
3970 int fd;
3971
3972 r = exec_runtime_allocate(rt);
3973 if (r < 0)
3974 return log_oom();
3975
3976 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
3977 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
3978 else {
3979 safe_close((*rt)->netns_storage_socket[1]);
3980 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
3981 }
3982 } else
3983 return 0;
3984
3985 return 1;
3986 }
3987
3988 static void *remove_tmpdir_thread(void *p) {
3989 _cleanup_free_ char *path = p;
3990
3991 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
3992 return NULL;
3993 }
3994
3995 void exec_runtime_destroy(ExecRuntime *rt) {
3996 int r;
3997
3998 if (!rt)
3999 return;
4000
4001 /* If there are multiple users of this, let's leave the stuff around */
4002 if (rt->n_ref > 1)
4003 return;
4004
4005 if (rt->tmp_dir) {
4006 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
4007
4008 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
4009 if (r < 0) {
4010 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
4011 free(rt->tmp_dir);
4012 }
4013
4014 rt->tmp_dir = NULL;
4015 }
4016
4017 if (rt->var_tmp_dir) {
4018 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
4019
4020 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
4021 if (r < 0) {
4022 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
4023 free(rt->var_tmp_dir);
4024 }
4025
4026 rt->var_tmp_dir = NULL;
4027 }
4028
4029 safe_close_pair(rt->netns_storage_socket);
4030 }
4031
4032 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
4033 [EXEC_INPUT_NULL] = "null",
4034 [EXEC_INPUT_TTY] = "tty",
4035 [EXEC_INPUT_TTY_FORCE] = "tty-force",
4036 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
4037 [EXEC_INPUT_SOCKET] = "socket",
4038 [EXEC_INPUT_NAMED_FD] = "fd",
4039 };
4040
4041 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
4042
4043 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
4044 [EXEC_OUTPUT_INHERIT] = "inherit",
4045 [EXEC_OUTPUT_NULL] = "null",
4046 [EXEC_OUTPUT_TTY] = "tty",
4047 [EXEC_OUTPUT_SYSLOG] = "syslog",
4048 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
4049 [EXEC_OUTPUT_KMSG] = "kmsg",
4050 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
4051 [EXEC_OUTPUT_JOURNAL] = "journal",
4052 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
4053 [EXEC_OUTPUT_SOCKET] = "socket",
4054 [EXEC_OUTPUT_NAMED_FD] = "fd",
4055 };
4056
4057 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
4058
4059 static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
4060 [EXEC_UTMP_INIT] = "init",
4061 [EXEC_UTMP_LOGIN] = "login",
4062 [EXEC_UTMP_USER] = "user",
4063 };
4064
4065 DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
Unnamed repository; edit this file 'description' to name the repository.