]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/execute.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #2509 from bengal/dhcp-nak-delay-v4
[thirdparty/systemd.git] / src / core / execute.c
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2
3 /***
4 This file is part of systemd.
5
6 Copyright 2010 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
17
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 ***/
21
22 #include <errno.h>
23 #include <fcntl.h>
24 #include <glob.h>
25 #include <grp.h>
26 #include <poll.h>
27 #include <signal.h>
28 #include <string.h>
29 #include <sys/personality.h>
30 #include <sys/prctl.h>
31 #include <sys/socket.h>
32 #include <sys/stat.h>
33 #include <sys/un.h>
34 #include <unistd.h>
35 #include <utmpx.h>
36
37 #ifdef HAVE_PAM
38 #include <security/pam_appl.h>
39 #endif
40
41 #ifdef HAVE_SELINUX
42 #include <selinux/selinux.h>
43 #endif
44
45 #ifdef HAVE_SECCOMP
46 #include <seccomp.h>
47 #endif
48
49 #ifdef HAVE_APPARMOR
50 #include <sys/apparmor.h>
51 #endif
52
53 #include "sd-messages.h"
54
55 #include "af-list.h"
56 #include "alloc-util.h"
57 #ifdef HAVE_APPARMOR
58 #include "apparmor-util.h"
59 #endif
60 #include "async.h"
61 #include "barrier.h"
62 #include "bus-endpoint.h"
63 #include "cap-list.h"
64 #include "capability-util.h"
65 #include "def.h"
66 #include "env-util.h"
67 #include "errno-list.h"
68 #include "execute.h"
69 #include "exit-status.h"
70 #include "fd-util.h"
71 #include "fileio.h"
72 #include "formats-util.h"
73 #include "fs-util.h"
74 #include "glob-util.h"
75 #include "io-util.h"
76 #include "ioprio.h"
77 #include "log.h"
78 #include "macro.h"
79 #include "missing.h"
80 #include "mkdir.h"
81 #include "namespace.h"
82 #include "parse-util.h"
83 #include "path-util.h"
84 #include "process-util.h"
85 #include "rlimit-util.h"
86 #include "rm-rf.h"
87 #ifdef HAVE_SECCOMP
88 #include "seccomp-util.h"
89 #endif
90 #include "securebits.h"
91 #include "selinux-util.h"
92 #include "signal-util.h"
93 #include "smack-util.h"
94 #include "string-table.h"
95 #include "string-util.h"
96 #include "strv.h"
97 #include "syslog-util.h"
98 #include "terminal-util.h"
99 #include "unit.h"
100 #include "user-util.h"
101 #include "util.h"
102 #include "utmp-wtmp.h"
103
104 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
105 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
106
107 /* This assumes there is a 'tty' group */
108 #define TTY_MODE 0620
109
110 #define SNDBUF_SIZE (8*1024*1024)
111
112 static int shift_fds(int fds[], unsigned n_fds) {
113 int start, restart_from;
114
115 if (n_fds <= 0)
116 return 0;
117
118 /* Modifies the fds array! (sorts it) */
119
120 assert(fds);
121
122 start = 0;
123 for (;;) {
124 int i;
125
126 restart_from = -1;
127
128 for (i = start; i < (int) n_fds; i++) {
129 int nfd;
130
131 /* Already at right index? */
132 if (fds[i] == i+3)
133 continue;
134
135 nfd = fcntl(fds[i], F_DUPFD, i + 3);
136 if (nfd < 0)
137 return -errno;
138
139 safe_close(fds[i]);
140 fds[i] = nfd;
141
142 /* Hmm, the fd we wanted isn't free? Then
143 * let's remember that and try again from here */
144 if (nfd != i+3 && restart_from < 0)
145 restart_from = i;
146 }
147
148 if (restart_from < 0)
149 break;
150
151 start = restart_from;
152 }
153
154 return 0;
155 }
156
157 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
158 unsigned i;
159 int r;
160
161 if (n_fds <= 0)
162 return 0;
163
164 assert(fds);
165
166 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
167
168 for (i = 0; i < n_fds; i++) {
169
170 r = fd_nonblock(fds[i], nonblock);
171 if (r < 0)
172 return r;
173
174 /* We unconditionally drop FD_CLOEXEC from the fds,
175 * since after all we want to pass these fds to our
176 * children */
177
178 r = fd_cloexec(fds[i], false);
179 if (r < 0)
180 return r;
181 }
182
183 return 0;
184 }
185
186 static const char *exec_context_tty_path(const ExecContext *context) {
187 assert(context);
188
189 if (context->stdio_as_fds)
190 return NULL;
191
192 if (context->tty_path)
193 return context->tty_path;
194
195 return "/dev/console";
196 }
197
198 static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
199 const char *path;
200
201 assert(context);
202
203 path = exec_context_tty_path(context);
204
205 if (context->tty_vhangup) {
206 if (p && p->stdin_fd >= 0)
207 (void) terminal_vhangup_fd(p->stdin_fd);
208 else if (path)
209 (void) terminal_vhangup(path);
210 }
211
212 if (context->tty_reset) {
213 if (p && p->stdin_fd >= 0)
214 (void) reset_terminal_fd(p->stdin_fd, true);
215 else if (path)
216 (void) reset_terminal(path);
217 }
218
219 if (context->tty_vt_disallocate && path)
220 (void) vt_disallocate(path);
221 }
222
223 static bool is_terminal_output(ExecOutput o) {
224 return
225 o == EXEC_OUTPUT_TTY ||
226 o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
227 o == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
228 o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE;
229 }
230
231 static int open_null_as(int flags, int nfd) {
232 int fd, r;
233
234 assert(nfd >= 0);
235
236 fd = open("/dev/null", flags|O_NOCTTY);
237 if (fd < 0)
238 return -errno;
239
240 if (fd != nfd) {
241 r = dup2(fd, nfd) < 0 ? -errno : nfd;
242 safe_close(fd);
243 } else
244 r = nfd;
245
246 return r;
247 }
248
249 static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
250 union sockaddr_union sa = {
251 .un.sun_family = AF_UNIX,
252 .un.sun_path = "/run/systemd/journal/stdout",
253 };
254 uid_t olduid = UID_INVALID;
255 gid_t oldgid = GID_INVALID;
256 int r;
257
258 if (gid != GID_INVALID) {
259 oldgid = getgid();
260
261 r = setegid(gid);
262 if (r < 0)
263 return -errno;
264 }
265
266 if (uid != UID_INVALID) {
267 olduid = getuid();
268
269 r = seteuid(uid);
270 if (r < 0) {
271 r = -errno;
272 goto restore_gid;
273 }
274 }
275
276 r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path));
277 if (r < 0)
278 r = -errno;
279
280 /* If we fail to restore the uid or gid, things will likely
281 fail later on. This should only happen if an LSM interferes. */
282
283 if (uid != UID_INVALID)
284 (void) seteuid(olduid);
285
286 restore_gid:
287 if (gid != GID_INVALID)
288 (void) setegid(oldgid);
289
290 return r;
291 }
292
293 static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd, uid_t uid, gid_t gid) {
294 int fd, r;
295
296 assert(context);
297 assert(output < _EXEC_OUTPUT_MAX);
298 assert(ident);
299 assert(nfd >= 0);
300
301 fd = socket(AF_UNIX, SOCK_STREAM, 0);
302 if (fd < 0)
303 return -errno;
304
305 r = connect_journal_socket(fd, uid, gid);
306 if (r < 0)
307 return r;
308
309 if (shutdown(fd, SHUT_RD) < 0) {
310 safe_close(fd);
311 return -errno;
312 }
313
314 fd_inc_sndbuf(fd, SNDBUF_SIZE);
315
316 dprintf(fd,
317 "%s\n"
318 "%s\n"
319 "%i\n"
320 "%i\n"
321 "%i\n"
322 "%i\n"
323 "%i\n",
324 context->syslog_identifier ? context->syslog_identifier : ident,
325 unit_id,
326 context->syslog_priority,
327 !!context->syslog_level_prefix,
328 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
329 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
330 is_terminal_output(output));
331
332 if (fd != nfd) {
333 r = dup2(fd, nfd) < 0 ? -errno : nfd;
334 safe_close(fd);
335 } else
336 r = nfd;
337
338 return r;
339 }
340 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
341 int fd, r;
342
343 assert(path);
344 assert(nfd >= 0);
345
346 fd = open_terminal(path, mode | O_NOCTTY);
347 if (fd < 0)
348 return fd;
349
350 if (fd != nfd) {
351 r = dup2(fd, nfd) < 0 ? -errno : nfd;
352 safe_close(fd);
353 } else
354 r = nfd;
355
356 return r;
357 }
358
359 static bool is_terminal_input(ExecInput i) {
360 return
361 i == EXEC_INPUT_TTY ||
362 i == EXEC_INPUT_TTY_FORCE ||
363 i == EXEC_INPUT_TTY_FAIL;
364 }
365
366 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
367
368 if (is_terminal_input(std_input) && !apply_tty_stdin)
369 return EXEC_INPUT_NULL;
370
371 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
372 return EXEC_INPUT_NULL;
373
374 return std_input;
375 }
376
377 static int fixup_output(ExecOutput std_output, int socket_fd) {
378
379 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
380 return EXEC_OUTPUT_INHERIT;
381
382 return std_output;
383 }
384
385 static int setup_input(
386 const ExecContext *context,
387 const ExecParameters *params,
388 int socket_fd) {
389
390 ExecInput i;
391
392 assert(context);
393 assert(params);
394
395 if (params->stdin_fd >= 0) {
396 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
397 return -errno;
398
399 /* Try to make this the controlling tty, if it is a tty, and reset it */
400 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
401 (void) reset_terminal_fd(STDIN_FILENO, true);
402
403 return STDIN_FILENO;
404 }
405
406 i = fixup_input(context->std_input, socket_fd, params->apply_tty_stdin);
407
408 switch (i) {
409
410 case EXEC_INPUT_NULL:
411 return open_null_as(O_RDONLY, STDIN_FILENO);
412
413 case EXEC_INPUT_TTY:
414 case EXEC_INPUT_TTY_FORCE:
415 case EXEC_INPUT_TTY_FAIL: {
416 int fd, r;
417
418 fd = acquire_terminal(exec_context_tty_path(context),
419 i == EXEC_INPUT_TTY_FAIL,
420 i == EXEC_INPUT_TTY_FORCE,
421 false,
422 USEC_INFINITY);
423 if (fd < 0)
424 return fd;
425
426 if (fd != STDIN_FILENO) {
427 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
428 safe_close(fd);
429 } else
430 r = STDIN_FILENO;
431
432 return r;
433 }
434
435 case EXEC_INPUT_SOCKET:
436 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
437
438 default:
439 assert_not_reached("Unknown input type");
440 }
441 }
442
443 static int setup_output(
444 Unit *unit,
445 const ExecContext *context,
446 const ExecParameters *params,
447 int fileno,
448 int socket_fd,
449 const char *ident,
450 uid_t uid, gid_t gid) {
451
452 ExecOutput o;
453 ExecInput i;
454 int r;
455
456 assert(unit);
457 assert(context);
458 assert(params);
459 assert(ident);
460
461 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
462
463 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
464 return -errno;
465
466 return STDOUT_FILENO;
467 }
468
469 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
470 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
471 return -errno;
472
473 return STDERR_FILENO;
474 }
475
476 i = fixup_input(context->std_input, socket_fd, params->apply_tty_stdin);
477 o = fixup_output(context->std_output, socket_fd);
478
479 if (fileno == STDERR_FILENO) {
480 ExecOutput e;
481 e = fixup_output(context->std_error, socket_fd);
482
483 /* This expects the input and output are already set up */
484
485 /* Don't change the stderr file descriptor if we inherit all
486 * the way and are not on a tty */
487 if (e == EXEC_OUTPUT_INHERIT &&
488 o == EXEC_OUTPUT_INHERIT &&
489 i == EXEC_INPUT_NULL &&
490 !is_terminal_input(context->std_input) &&
491 getppid () != 1)
492 return fileno;
493
494 /* Duplicate from stdout if possible */
495 if (e == o || e == EXEC_OUTPUT_INHERIT)
496 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
497
498 o = e;
499
500 } else if (o == EXEC_OUTPUT_INHERIT) {
501 /* If input got downgraded, inherit the original value */
502 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
503 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
504
505 /* If the input is connected to anything that's not a /dev/null, inherit that... */
506 if (i != EXEC_INPUT_NULL)
507 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
508
509 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
510 if (getppid() != 1)
511 return fileno;
512
513 /* We need to open /dev/null here anew, to get the right access mode. */
514 return open_null_as(O_WRONLY, fileno);
515 }
516
517 switch (o) {
518
519 case EXEC_OUTPUT_NULL:
520 return open_null_as(O_WRONLY, fileno);
521
522 case EXEC_OUTPUT_TTY:
523 if (is_terminal_input(i))
524 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
525
526 /* We don't reset the terminal if this is just about output */
527 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
528
529 case EXEC_OUTPUT_SYSLOG:
530 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
531 case EXEC_OUTPUT_KMSG:
532 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
533 case EXEC_OUTPUT_JOURNAL:
534 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
535 r = connect_logger_as(context, o, ident, unit->id, fileno, uid, gid);
536 if (r < 0) {
537 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
538 r = open_null_as(O_WRONLY, fileno);
539 }
540 return r;
541
542 case EXEC_OUTPUT_SOCKET:
543 assert(socket_fd >= 0);
544 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
545
546 default:
547 assert_not_reached("Unknown error type");
548 }
549 }
550
551 static int chown_terminal(int fd, uid_t uid) {
552 struct stat st;
553
554 assert(fd >= 0);
555
556 /* This might fail. What matters are the results. */
557 (void) fchown(fd, uid, -1);
558 (void) fchmod(fd, TTY_MODE);
559
560 if (fstat(fd, &st) < 0)
561 return -errno;
562
563 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
564 return -EPERM;
565
566 return 0;
567 }
568
569 static int setup_confirm_stdio(int *_saved_stdin, int *_saved_stdout) {
570 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
571 int r;
572
573 assert(_saved_stdin);
574 assert(_saved_stdout);
575
576 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
577 if (saved_stdin < 0)
578 return -errno;
579
580 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
581 if (saved_stdout < 0)
582 return -errno;
583
584 fd = acquire_terminal(
585 "/dev/console",
586 false,
587 false,
588 false,
589 DEFAULT_CONFIRM_USEC);
590 if (fd < 0)
591 return fd;
592
593 r = chown_terminal(fd, getuid());
594 if (r < 0)
595 return r;
596
597 r = reset_terminal_fd(fd, true);
598 if (r < 0)
599 return r;
600
601 if (dup2(fd, STDIN_FILENO) < 0)
602 return -errno;
603
604 if (dup2(fd, STDOUT_FILENO) < 0)
605 return -errno;
606
607 if (fd >= 2)
608 safe_close(fd);
609 fd = -1;
610
611 *_saved_stdin = saved_stdin;
612 *_saved_stdout = saved_stdout;
613
614 saved_stdin = saved_stdout = -1;
615
616 return 0;
617 }
618
619 _printf_(1, 2) static int write_confirm_message(const char *format, ...) {
620 _cleanup_close_ int fd = -1;
621 va_list ap;
622
623 assert(format);
624
625 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
626 if (fd < 0)
627 return fd;
628
629 va_start(ap, format);
630 vdprintf(fd, format, ap);
631 va_end(ap);
632
633 return 0;
634 }
635
636 static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
637 int r = 0;
638
639 assert(saved_stdin);
640 assert(saved_stdout);
641
642 release_terminal();
643
644 if (*saved_stdin >= 0)
645 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
646 r = -errno;
647
648 if (*saved_stdout >= 0)
649 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
650 r = -errno;
651
652 *saved_stdin = safe_close(*saved_stdin);
653 *saved_stdout = safe_close(*saved_stdout);
654
655 return r;
656 }
657
658 static int ask_for_confirmation(char *response, char **argv) {
659 int saved_stdout = -1, saved_stdin = -1, r;
660 _cleanup_free_ char *line = NULL;
661
662 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
663 if (r < 0)
664 return r;
665
666 line = exec_command_line(argv);
667 if (!line)
668 return -ENOMEM;
669
670 r = ask_char(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
671
672 restore_confirm_stdio(&saved_stdin, &saved_stdout);
673
674 return r;
675 }
676
677 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
678 bool keep_groups = false;
679 int r;
680
681 assert(context);
682
683 /* Lookup and set GID and supplementary group list. Here too
684 * we avoid NSS lookups for gid=0. */
685
686 if (context->group || username) {
687 /* First step, initialize groups from /etc/groups */
688 if (username && gid != 0) {
689 if (initgroups(username, gid) < 0)
690 return -errno;
691
692 keep_groups = true;
693 }
694
695 /* Second step, set our gids */
696 if (setresgid(gid, gid, gid) < 0)
697 return -errno;
698 }
699
700 if (context->supplementary_groups) {
701 int ngroups_max, k;
702 gid_t *gids;
703 char **i;
704
705 /* Final step, initialize any manually set supplementary groups */
706 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
707
708 if (!(gids = new(gid_t, ngroups_max)))
709 return -ENOMEM;
710
711 if (keep_groups) {
712 k = getgroups(ngroups_max, gids);
713 if (k < 0) {
714 free(gids);
715 return -errno;
716 }
717 } else
718 k = 0;
719
720 STRV_FOREACH(i, context->supplementary_groups) {
721 const char *g;
722
723 if (k >= ngroups_max) {
724 free(gids);
725 return -E2BIG;
726 }
727
728 g = *i;
729 r = get_group_creds(&g, gids+k);
730 if (r < 0) {
731 free(gids);
732 return r;
733 }
734
735 k++;
736 }
737
738 if (setgroups(k, gids) < 0) {
739 free(gids);
740 return -errno;
741 }
742
743 free(gids);
744 }
745
746 return 0;
747 }
748
749 static int enforce_user(const ExecContext *context, uid_t uid) {
750 assert(context);
751
752 /* Sets (but doesn't lookup) the uid and make sure we keep the
753 * capabilities while doing so. */
754
755 if (context->capabilities || context->capability_ambient_set != 0) {
756
757 /* First step: If we need to keep capabilities but
758 * drop privileges we need to make sure we keep our
759 * caps, while we drop privileges. */
760 if (uid != 0) {
761 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
762
763 if (prctl(PR_GET_SECUREBITS) != sb)
764 if (prctl(PR_SET_SECUREBITS, sb) < 0)
765 return -errno;
766 }
767
768 /* Second step: set the capabilities. This will reduce
769 * the capabilities to the minimum we need. */
770
771 if (context->capabilities) {
772 _cleanup_cap_free_ cap_t d = NULL;
773 static const cap_value_t bits[] = {
774 CAP_SETUID, /* Necessary so that we can run setresuid() below */
775 CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
776 };
777
778 d = cap_dup(context->capabilities);
779 if (!d)
780 return -errno;
781
782 if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
783 cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0)
784 return -errno;
785
786 if (cap_set_proc(d) < 0)
787 return -errno;
788 }
789 }
790
791 /* Third step: actually set the uids */
792 if (setresuid(uid, uid, uid) < 0)
793 return -errno;
794
795 /* At this point we should have all necessary capabilities but
796 are otherwise a normal user. However, the caps might got
797 corrupted due to the setresuid() so we need clean them up
798 later. This is done outside of this call. */
799
800 return 0;
801 }
802
803 #ifdef HAVE_PAM
804
805 static int null_conv(
806 int num_msg,
807 const struct pam_message **msg,
808 struct pam_response **resp,
809 void *appdata_ptr) {
810
811 /* We don't support conversations */
812
813 return PAM_CONV_ERR;
814 }
815
816 static int setup_pam(
817 const char *name,
818 const char *user,
819 uid_t uid,
820 const char *tty,
821 char ***pam_env,
822 int fds[], unsigned n_fds) {
823
824 static const struct pam_conv conv = {
825 .conv = null_conv,
826 .appdata_ptr = NULL
827 };
828
829 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
830 pam_handle_t *handle = NULL;
831 sigset_t old_ss;
832 int pam_code = PAM_SUCCESS, r;
833 char **e = NULL;
834 bool close_session = false;
835 pid_t pam_pid = 0, parent_pid;
836 int flags = 0;
837
838 assert(name);
839 assert(user);
840 assert(pam_env);
841
842 /* We set up PAM in the parent process, then fork. The child
843 * will then stay around until killed via PR_GET_PDEATHSIG or
844 * systemd via the cgroup logic. It will then remove the PAM
845 * session again. The parent process will exec() the actual
846 * daemon. We do things this way to ensure that the main PID
847 * of the daemon is the one we initially fork()ed. */
848
849 r = barrier_create(&barrier);
850 if (r < 0)
851 goto fail;
852
853 if (log_get_max_level() < LOG_DEBUG)
854 flags |= PAM_SILENT;
855
856 pam_code = pam_start(name, user, &conv, &handle);
857 if (pam_code != PAM_SUCCESS) {
858 handle = NULL;
859 goto fail;
860 }
861
862 if (tty) {
863 pam_code = pam_set_item(handle, PAM_TTY, tty);
864 if (pam_code != PAM_SUCCESS)
865 goto fail;
866 }
867
868 pam_code = pam_acct_mgmt(handle, flags);
869 if (pam_code != PAM_SUCCESS)
870 goto fail;
871
872 pam_code = pam_open_session(handle, flags);
873 if (pam_code != PAM_SUCCESS)
874 goto fail;
875
876 close_session = true;
877
878 e = pam_getenvlist(handle);
879 if (!e) {
880 pam_code = PAM_BUF_ERR;
881 goto fail;
882 }
883
884 /* Block SIGTERM, so that we know that it won't get lost in
885 * the child */
886
887 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
888
889 parent_pid = getpid();
890
891 pam_pid = fork();
892 if (pam_pid < 0) {
893 r = -errno;
894 goto fail;
895 }
896
897 if (pam_pid == 0) {
898 int sig, ret = EXIT_PAM;
899
900 /* The child's job is to reset the PAM session on
901 * termination */
902 barrier_set_role(&barrier, BARRIER_CHILD);
903
904 /* This string must fit in 10 chars (i.e. the length
905 * of "/sbin/init"), to look pretty in /bin/ps */
906 rename_process("(sd-pam)");
907
908 /* Make sure we don't keep open the passed fds in this
909 child. We assume that otherwise only those fds are
910 open here that have been opened by PAM. */
911 close_many(fds, n_fds);
912
913 /* Drop privileges - we don't need any to pam_close_session
914 * and this will make PR_SET_PDEATHSIG work in most cases.
915 * If this fails, ignore the error - but expect sd-pam threads
916 * to fail to exit normally */
917 if (setresuid(uid, uid, uid) < 0)
918 log_error_errno(r, "Error: Failed to setresuid() in sd-pam: %m");
919
920 (void) ignore_signals(SIGPIPE, -1);
921
922 /* Wait until our parent died. This will only work if
923 * the above setresuid() succeeds, otherwise the kernel
924 * will not allow unprivileged parents kill their privileged
925 * children this way. We rely on the control groups kill logic
926 * to do the rest for us. */
927 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
928 goto child_finish;
929
930 /* Tell the parent that our setup is done. This is especially
931 * important regarding dropping privileges. Otherwise, unit
932 * setup might race against our setresuid(2) call. */
933 barrier_place(&barrier);
934
935 /* Check if our parent process might already have
936 * died? */
937 if (getppid() == parent_pid) {
938 sigset_t ss;
939
940 assert_se(sigemptyset(&ss) >= 0);
941 assert_se(sigaddset(&ss, SIGTERM) >= 0);
942
943 for (;;) {
944 if (sigwait(&ss, &sig) < 0) {
945 if (errno == EINTR)
946 continue;
947
948 goto child_finish;
949 }
950
951 assert(sig == SIGTERM);
952 break;
953 }
954 }
955
956 /* If our parent died we'll end the session */
957 if (getppid() != parent_pid) {
958 pam_code = pam_close_session(handle, flags);
959 if (pam_code != PAM_SUCCESS)
960 goto child_finish;
961 }
962
963 ret = 0;
964
965 child_finish:
966 pam_end(handle, pam_code | flags);
967 _exit(ret);
968 }
969
970 barrier_set_role(&barrier, BARRIER_PARENT);
971
972 /* If the child was forked off successfully it will do all the
973 * cleanups, so forget about the handle here. */
974 handle = NULL;
975
976 /* Unblock SIGTERM again in the parent */
977 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
978
979 /* We close the log explicitly here, since the PAM modules
980 * might have opened it, but we don't want this fd around. */
981 closelog();
982
983 /* Synchronously wait for the child to initialize. We don't care for
984 * errors as we cannot recover. However, warn loudly if it happens. */
985 if (!barrier_place_and_sync(&barrier))
986 log_error("PAM initialization failed");
987
988 *pam_env = e;
989 e = NULL;
990
991 return 0;
992
993 fail:
994 if (pam_code != PAM_SUCCESS) {
995 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
996 r = -EPERM; /* PAM errors do not map to errno */
997 } else
998 log_error_errno(r, "PAM failed: %m");
999
1000 if (handle) {
1001 if (close_session)
1002 pam_code = pam_close_session(handle, flags);
1003
1004 pam_end(handle, pam_code | flags);
1005 }
1006
1007 strv_free(e);
1008 closelog();
1009
1010 return r;
1011 }
1012 #endif
1013
1014 static void rename_process_from_path(const char *path) {
1015 char process_name[11];
1016 const char *p;
1017 size_t l;
1018
1019 /* This resulting string must fit in 10 chars (i.e. the length
1020 * of "/sbin/init") to look pretty in /bin/ps */
1021
1022 p = basename(path);
1023 if (isempty(p)) {
1024 rename_process("(...)");
1025 return;
1026 }
1027
1028 l = strlen(p);
1029 if (l > 8) {
1030 /* The end of the process name is usually more
1031 * interesting, since the first bit might just be
1032 * "systemd-" */
1033 p = p + l - 8;
1034 l = 8;
1035 }
1036
1037 process_name[0] = '(';
1038 memcpy(process_name+1, p, l);
1039 process_name[1+l] = ')';
1040 process_name[1+l+1] = 0;
1041
1042 rename_process(process_name);
1043 }
1044
1045 #ifdef HAVE_SECCOMP
1046
1047 static int apply_seccomp(const ExecContext *c) {
1048 uint32_t negative_action, action;
1049 scmp_filter_ctx *seccomp;
1050 Iterator i;
1051 void *id;
1052 int r;
1053
1054 assert(c);
1055
1056 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
1057
1058 seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW);
1059 if (!seccomp)
1060 return -ENOMEM;
1061
1062 if (c->syscall_archs) {
1063
1064 SET_FOREACH(id, c->syscall_archs, i) {
1065 r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
1066 if (r == -EEXIST)
1067 continue;
1068 if (r < 0)
1069 goto finish;
1070 }
1071
1072 } else {
1073 r = seccomp_add_secondary_archs(seccomp);
1074 if (r < 0)
1075 goto finish;
1076 }
1077
1078 action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
1079 SET_FOREACH(id, c->syscall_filter, i) {
1080 r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
1081 if (r < 0)
1082 goto finish;
1083 }
1084
1085 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1086 if (r < 0)
1087 goto finish;
1088
1089 r = seccomp_load(seccomp);
1090
1091 finish:
1092 seccomp_release(seccomp);
1093 return r;
1094 }
1095
1096 static int apply_address_families(const ExecContext *c) {
1097 scmp_filter_ctx *seccomp;
1098 Iterator i;
1099 int r;
1100
1101 assert(c);
1102
1103 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1104 if (!seccomp)
1105 return -ENOMEM;
1106
1107 r = seccomp_add_secondary_archs(seccomp);
1108 if (r < 0)
1109 goto finish;
1110
1111 if (c->address_families_whitelist) {
1112 int af, first = 0, last = 0;
1113 void *afp;
1114
1115 /* If this is a whitelist, we first block the address
1116 * families that are out of range and then everything
1117 * that is not in the set. First, we find the lowest
1118 * and highest address family in the set. */
1119
1120 SET_FOREACH(afp, c->address_families, i) {
1121 af = PTR_TO_INT(afp);
1122
1123 if (af <= 0 || af >= af_max())
1124 continue;
1125
1126 if (first == 0 || af < first)
1127 first = af;
1128
1129 if (last == 0 || af > last)
1130 last = af;
1131 }
1132
1133 assert((first == 0) == (last == 0));
1134
1135 if (first == 0) {
1136
1137 /* No entries in the valid range, block everything */
1138 r = seccomp_rule_add(
1139 seccomp,
1140 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1141 SCMP_SYS(socket),
1142 0);
1143 if (r < 0)
1144 goto finish;
1145
1146 } else {
1147
1148 /* Block everything below the first entry */
1149 r = seccomp_rule_add(
1150 seccomp,
1151 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1152 SCMP_SYS(socket),
1153 1,
1154 SCMP_A0(SCMP_CMP_LT, first));
1155 if (r < 0)
1156 goto finish;
1157
1158 /* Block everything above the last entry */
1159 r = seccomp_rule_add(
1160 seccomp,
1161 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1162 SCMP_SYS(socket),
1163 1,
1164 SCMP_A0(SCMP_CMP_GT, last));
1165 if (r < 0)
1166 goto finish;
1167
1168 /* Block everything between the first and last
1169 * entry */
1170 for (af = 1; af < af_max(); af++) {
1171
1172 if (set_contains(c->address_families, INT_TO_PTR(af)))
1173 continue;
1174
1175 r = seccomp_rule_add(
1176 seccomp,
1177 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1178 SCMP_SYS(socket),
1179 1,
1180 SCMP_A0(SCMP_CMP_EQ, af));
1181 if (r < 0)
1182 goto finish;
1183 }
1184 }
1185
1186 } else {
1187 void *af;
1188
1189 /* If this is a blacklist, then generate one rule for
1190 * each address family that are then combined in OR
1191 * checks. */
1192
1193 SET_FOREACH(af, c->address_families, i) {
1194
1195 r = seccomp_rule_add(
1196 seccomp,
1197 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1198 SCMP_SYS(socket),
1199 1,
1200 SCMP_A0(SCMP_CMP_EQ, PTR_TO_INT(af)));
1201 if (r < 0)
1202 goto finish;
1203 }
1204 }
1205
1206 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1207 if (r < 0)
1208 goto finish;
1209
1210 r = seccomp_load(seccomp);
1211
1212 finish:
1213 seccomp_release(seccomp);
1214 return r;
1215 }
1216
1217 #endif
1218
1219 static void do_idle_pipe_dance(int idle_pipe[4]) {
1220 assert(idle_pipe);
1221
1222
1223 idle_pipe[1] = safe_close(idle_pipe[1]);
1224 idle_pipe[2] = safe_close(idle_pipe[2]);
1225
1226 if (idle_pipe[0] >= 0) {
1227 int r;
1228
1229 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1230
1231 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
1232 ssize_t n;
1233
1234 /* Signal systemd that we are bored and want to continue. */
1235 n = write(idle_pipe[3], "x", 1);
1236 if (n > 0)
1237 /* Wait for systemd to react to the signal above. */
1238 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1239 }
1240
1241 idle_pipe[0] = safe_close(idle_pipe[0]);
1242
1243 }
1244
1245 idle_pipe[3] = safe_close(idle_pipe[3]);
1246 }
1247
1248 static int build_environment(
1249 const ExecContext *c,
1250 const ExecParameters *p,
1251 unsigned n_fds,
1252 const char *home,
1253 const char *username,
1254 const char *shell,
1255 char ***ret) {
1256
1257 _cleanup_strv_free_ char **our_env = NULL;
1258 unsigned n_env = 0;
1259 char *x;
1260
1261 assert(c);
1262 assert(ret);
1263
1264 our_env = new0(char*, 11);
1265 if (!our_env)
1266 return -ENOMEM;
1267
1268 if (n_fds > 0) {
1269 _cleanup_free_ char *joined = NULL;
1270
1271 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1272 return -ENOMEM;
1273 our_env[n_env++] = x;
1274
1275 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1276 return -ENOMEM;
1277 our_env[n_env++] = x;
1278
1279 joined = strv_join(p->fd_names, ":");
1280 if (!joined)
1281 return -ENOMEM;
1282
1283 x = strjoin("LISTEN_FDNAMES=", joined, NULL);
1284 if (!x)
1285 return -ENOMEM;
1286 our_env[n_env++] = x;
1287 }
1288
1289 if (p->watchdog_usec > 0) {
1290 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1291 return -ENOMEM;
1292 our_env[n_env++] = x;
1293
1294 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
1295 return -ENOMEM;
1296 our_env[n_env++] = x;
1297 }
1298
1299 if (home) {
1300 x = strappend("HOME=", home);
1301 if (!x)
1302 return -ENOMEM;
1303 our_env[n_env++] = x;
1304 }
1305
1306 if (username) {
1307 x = strappend("LOGNAME=", username);
1308 if (!x)
1309 return -ENOMEM;
1310 our_env[n_env++] = x;
1311
1312 x = strappend("USER=", username);
1313 if (!x)
1314 return -ENOMEM;
1315 our_env[n_env++] = x;
1316 }
1317
1318 if (shell) {
1319 x = strappend("SHELL=", shell);
1320 if (!x)
1321 return -ENOMEM;
1322 our_env[n_env++] = x;
1323 }
1324
1325 if (is_terminal_input(c->std_input) ||
1326 c->std_output == EXEC_OUTPUT_TTY ||
1327 c->std_error == EXEC_OUTPUT_TTY ||
1328 c->tty_path) {
1329
1330 x = strdup(default_term_for_tty(exec_context_tty_path(c)));
1331 if (!x)
1332 return -ENOMEM;
1333 our_env[n_env++] = x;
1334 }
1335
1336 our_env[n_env++] = NULL;
1337 assert(n_env <= 11);
1338
1339 *ret = our_env;
1340 our_env = NULL;
1341
1342 return 0;
1343 }
1344
1345 static int build_pass_environment(const ExecContext *c, char ***ret) {
1346 _cleanup_strv_free_ char **pass_env = NULL;
1347 size_t n_env = 0, n_bufsize = 0;
1348 char **i;
1349
1350 STRV_FOREACH(i, c->pass_environment) {
1351 _cleanup_free_ char *x = NULL;
1352 char *v;
1353
1354 v = getenv(*i);
1355 if (!v)
1356 continue;
1357 x = strjoin(*i, "=", v, NULL);
1358 if (!x)
1359 return -ENOMEM;
1360 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1361 return -ENOMEM;
1362 pass_env[n_env++] = x;
1363 pass_env[n_env] = NULL;
1364 x = NULL;
1365 }
1366
1367 *ret = pass_env;
1368 pass_env = NULL;
1369
1370 return 0;
1371 }
1372
1373 static bool exec_needs_mount_namespace(
1374 const ExecContext *context,
1375 const ExecParameters *params,
1376 ExecRuntime *runtime) {
1377
1378 assert(context);
1379 assert(params);
1380
1381 if (!strv_isempty(context->read_write_dirs) ||
1382 !strv_isempty(context->read_only_dirs) ||
1383 !strv_isempty(context->inaccessible_dirs))
1384 return true;
1385
1386 if (context->mount_flags != 0)
1387 return true;
1388
1389 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1390 return true;
1391
1392 if (params->bus_endpoint_path)
1393 return true;
1394
1395 if (context->private_devices ||
1396 context->protect_system != PROTECT_SYSTEM_NO ||
1397 context->protect_home != PROTECT_HOME_NO)
1398 return true;
1399
1400 return false;
1401 }
1402
1403 static int close_remaining_fds(
1404 const ExecParameters *params,
1405 ExecRuntime *runtime,
1406 int socket_fd,
1407 int *fds, unsigned n_fds) {
1408
1409 unsigned n_dont_close = 0;
1410 int dont_close[n_fds + 7];
1411
1412 assert(params);
1413
1414 if (params->stdin_fd >= 0)
1415 dont_close[n_dont_close++] = params->stdin_fd;
1416 if (params->stdout_fd >= 0)
1417 dont_close[n_dont_close++] = params->stdout_fd;
1418 if (params->stderr_fd >= 0)
1419 dont_close[n_dont_close++] = params->stderr_fd;
1420
1421 if (socket_fd >= 0)
1422 dont_close[n_dont_close++] = socket_fd;
1423 if (n_fds > 0) {
1424 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
1425 n_dont_close += n_fds;
1426 }
1427
1428 if (params->bus_endpoint_fd >= 0)
1429 dont_close[n_dont_close++] = params->bus_endpoint_fd;
1430
1431 if (runtime) {
1432 if (runtime->netns_storage_socket[0] >= 0)
1433 dont_close[n_dont_close++] = runtime->netns_storage_socket[0];
1434 if (runtime->netns_storage_socket[1] >= 0)
1435 dont_close[n_dont_close++] = runtime->netns_storage_socket[1];
1436 }
1437
1438 return close_all_fds(dont_close, n_dont_close);
1439 }
1440
1441 static int exec_child(
1442 Unit *unit,
1443 ExecCommand *command,
1444 const ExecContext *context,
1445 const ExecParameters *params,
1446 ExecRuntime *runtime,
1447 char **argv,
1448 int socket_fd,
1449 int *fds, unsigned n_fds,
1450 char **files_env,
1451 int *exit_status) {
1452
1453 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL;
1454 _cleanup_free_ char *mac_selinux_context_net = NULL;
1455 const char *username = NULL, *home = NULL, *shell = NULL, *wd;
1456 uid_t uid = UID_INVALID;
1457 gid_t gid = GID_INVALID;
1458 int i, r;
1459 bool needs_mount_namespace;
1460
1461 assert(unit);
1462 assert(command);
1463 assert(context);
1464 assert(params);
1465 assert(exit_status);
1466
1467 rename_process_from_path(command->path);
1468
1469 /* We reset exactly these signals, since they are the
1470 * only ones we set to SIG_IGN in the main daemon. All
1471 * others we leave untouched because we set them to
1472 * SIG_DFL or a valid handler initially, both of which
1473 * will be demoted to SIG_DFL. */
1474 (void) default_signals(SIGNALS_CRASH_HANDLER,
1475 SIGNALS_IGNORE, -1);
1476
1477 if (context->ignore_sigpipe)
1478 (void) ignore_signals(SIGPIPE, -1);
1479
1480 r = reset_signal_mask();
1481 if (r < 0) {
1482 *exit_status = EXIT_SIGNAL_MASK;
1483 return r;
1484 }
1485
1486 if (params->idle_pipe)
1487 do_idle_pipe_dance(params->idle_pipe);
1488
1489 /* Close sockets very early to make sure we don't
1490 * block init reexecution because it cannot bind its
1491 * sockets */
1492
1493 log_forget_fds();
1494
1495 r = close_remaining_fds(params, runtime, socket_fd, fds, n_fds);
1496 if (r < 0) {
1497 *exit_status = EXIT_FDS;
1498 return r;
1499 }
1500
1501 if (!context->same_pgrp)
1502 if (setsid() < 0) {
1503 *exit_status = EXIT_SETSID;
1504 return -errno;
1505 }
1506
1507 exec_context_tty_reset(context, params);
1508
1509 if (params->confirm_spawn) {
1510 char response;
1511
1512 r = ask_for_confirmation(&response, argv);
1513 if (r == -ETIMEDOUT)
1514 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
1515 else if (r < 0)
1516 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-r));
1517 else if (response == 's') {
1518 write_confirm_message("Skipping execution.\n");
1519 *exit_status = EXIT_CONFIRM;
1520 return -ECANCELED;
1521 } else if (response == 'n') {
1522 write_confirm_message("Failing execution.\n");
1523 *exit_status = 0;
1524 return 0;
1525 }
1526 }
1527
1528 if (context->user) {
1529 username = context->user;
1530 r = get_user_creds(&username, &uid, &gid, &home, &shell);
1531 if (r < 0) {
1532 *exit_status = EXIT_USER;
1533 return r;
1534 }
1535 }
1536
1537 if (context->group) {
1538 const char *g = context->group;
1539
1540 r = get_group_creds(&g, &gid);
1541 if (r < 0) {
1542 *exit_status = EXIT_GROUP;
1543 return r;
1544 }
1545 }
1546
1547
1548 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1549 * must sure to drop O_NONBLOCK */
1550 if (socket_fd >= 0)
1551 (void) fd_nonblock(socket_fd, false);
1552
1553 r = setup_input(context, params, socket_fd);
1554 if (r < 0) {
1555 *exit_status = EXIT_STDIN;
1556 return r;
1557 }
1558
1559 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, basename(command->path), uid, gid);
1560 if (r < 0) {
1561 *exit_status = EXIT_STDOUT;
1562 return r;
1563 }
1564
1565 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, basename(command->path), uid, gid);
1566 if (r < 0) {
1567 *exit_status = EXIT_STDERR;
1568 return r;
1569 }
1570
1571 if (params->cgroup_path) {
1572 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
1573 if (r < 0) {
1574 *exit_status = EXIT_CGROUP;
1575 return r;
1576 }
1577 }
1578
1579 if (context->oom_score_adjust_set) {
1580 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
1581
1582 /* When we can't make this change due to EPERM, then
1583 * let's silently skip over it. User namespaces
1584 * prohibit write access to this file, and we
1585 * shouldn't trip up over that. */
1586
1587 sprintf(t, "%i", context->oom_score_adjust);
1588 r = write_string_file("/proc/self/oom_score_adj", t, 0);
1589 if (r == -EPERM || r == -EACCES) {
1590 log_open();
1591 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
1592 log_close();
1593 } else if (r < 0) {
1594 *exit_status = EXIT_OOM_ADJUST;
1595 return -errno;
1596 }
1597 }
1598
1599 if (context->nice_set)
1600 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
1601 *exit_status = EXIT_NICE;
1602 return -errno;
1603 }
1604
1605 if (context->cpu_sched_set) {
1606 struct sched_param param = {
1607 .sched_priority = context->cpu_sched_priority,
1608 };
1609
1610 r = sched_setscheduler(0,
1611 context->cpu_sched_policy |
1612 (context->cpu_sched_reset_on_fork ?
1613 SCHED_RESET_ON_FORK : 0),
1614 &param);
1615 if (r < 0) {
1616 *exit_status = EXIT_SETSCHEDULER;
1617 return -errno;
1618 }
1619 }
1620
1621 if (context->cpuset)
1622 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
1623 *exit_status = EXIT_CPUAFFINITY;
1624 return -errno;
1625 }
1626
1627 if (context->ioprio_set)
1628 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
1629 *exit_status = EXIT_IOPRIO;
1630 return -errno;
1631 }
1632
1633 if (context->timer_slack_nsec != NSEC_INFINITY)
1634 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
1635 *exit_status = EXIT_TIMERSLACK;
1636 return -errno;
1637 }
1638
1639 if (context->personality != PERSONALITY_INVALID)
1640 if (personality(context->personality) < 0) {
1641 *exit_status = EXIT_PERSONALITY;
1642 return -errno;
1643 }
1644
1645 if (context->utmp_id)
1646 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path,
1647 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
1648 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
1649 USER_PROCESS,
1650 username ? "root" : context->user);
1651
1652 if (context->user && is_terminal_input(context->std_input)) {
1653 r = chown_terminal(STDIN_FILENO, uid);
1654 if (r < 0) {
1655 *exit_status = EXIT_STDIN;
1656 return r;
1657 }
1658 }
1659
1660 if (params->bus_endpoint_fd >= 0 && context->bus_endpoint) {
1661 uid_t ep_uid = (uid == UID_INVALID) ? 0 : uid;
1662
1663 r = bus_kernel_set_endpoint_policy(params->bus_endpoint_fd, ep_uid, context->bus_endpoint);
1664 if (r < 0) {
1665 *exit_status = EXIT_BUS_ENDPOINT;
1666 return r;
1667 }
1668 }
1669
1670 /* If delegation is enabled we'll pass ownership of the cgroup
1671 * (but only in systemd's own controller hierarchy!) to the
1672 * user of the new process. */
1673 if (params->cgroup_path && context->user && params->cgroup_delegate) {
1674 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
1675 if (r < 0) {
1676 *exit_status = EXIT_CGROUP;
1677 return r;
1678 }
1679
1680
1681 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
1682 if (r < 0) {
1683 *exit_status = EXIT_CGROUP;
1684 return r;
1685 }
1686 }
1687
1688 if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
1689 char **rt;
1690
1691 STRV_FOREACH(rt, context->runtime_directory) {
1692 _cleanup_free_ char *p;
1693
1694 p = strjoin(params->runtime_prefix, "/", *rt, NULL);
1695 if (!p) {
1696 *exit_status = EXIT_RUNTIME_DIRECTORY;
1697 return -ENOMEM;
1698 }
1699
1700 r = mkdir_p_label(p, context->runtime_directory_mode);
1701 if (r < 0) {
1702 *exit_status = EXIT_RUNTIME_DIRECTORY;
1703 return r;
1704 }
1705
1706 r = chmod_and_chown(p, context->runtime_directory_mode, uid, gid);
1707 if (r < 0) {
1708 *exit_status = EXIT_RUNTIME_DIRECTORY;
1709 return r;
1710 }
1711 }
1712 }
1713
1714 umask(context->umask);
1715
1716 if (params->apply_permissions) {
1717 r = enforce_groups(context, username, gid);
1718 if (r < 0) {
1719 *exit_status = EXIT_GROUP;
1720 return r;
1721 }
1722 #ifdef HAVE_SMACK
1723 if (context->smack_process_label) {
1724 r = mac_smack_apply_pid(0, context->smack_process_label);
1725 if (r < 0) {
1726 *exit_status = EXIT_SMACK_PROCESS_LABEL;
1727 return r;
1728 }
1729 }
1730 #ifdef SMACK_DEFAULT_PROCESS_LABEL
1731 else {
1732 _cleanup_free_ char *exec_label = NULL;
1733
1734 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
1735 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) {
1736 *exit_status = EXIT_SMACK_PROCESS_LABEL;
1737 return r;
1738 }
1739
1740 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
1741 if (r < 0) {
1742 *exit_status = EXIT_SMACK_PROCESS_LABEL;
1743 return r;
1744 }
1745 }
1746 #endif
1747 #endif
1748 #ifdef HAVE_PAM
1749 if (context->pam_name && username) {
1750 r = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
1751 if (r < 0) {
1752 *exit_status = EXIT_PAM;
1753 return r;
1754 }
1755 }
1756 #endif
1757 }
1758
1759 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
1760 r = setup_netns(runtime->netns_storage_socket);
1761 if (r < 0) {
1762 *exit_status = EXIT_NETWORK;
1763 return r;
1764 }
1765 }
1766
1767 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
1768
1769 if (needs_mount_namespace) {
1770 char *tmp = NULL, *var = NULL;
1771
1772 /* The runtime struct only contains the parent
1773 * of the private /tmp, which is
1774 * non-accessible to world users. Inside of it
1775 * there's a /tmp that is sticky, and that's
1776 * the one we want to use here. */
1777
1778 if (context->private_tmp && runtime) {
1779 if (runtime->tmp_dir)
1780 tmp = strjoina(runtime->tmp_dir, "/tmp");
1781 if (runtime->var_tmp_dir)
1782 var = strjoina(runtime->var_tmp_dir, "/tmp");
1783 }
1784
1785 r = setup_namespace(
1786 params->apply_chroot ? context->root_directory : NULL,
1787 context->read_write_dirs,
1788 context->read_only_dirs,
1789 context->inaccessible_dirs,
1790 tmp,
1791 var,
1792 params->bus_endpoint_path,
1793 context->private_devices,
1794 context->protect_home,
1795 context->protect_system,
1796 context->mount_flags);
1797
1798 /* If we couldn't set up the namespace this is
1799 * probably due to a missing capability. In this case,
1800 * silently proceeed. */
1801 if (r == -EPERM || r == -EACCES) {
1802 log_open();
1803 log_unit_debug_errno(unit, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
1804 log_close();
1805 } else if (r < 0) {
1806 *exit_status = EXIT_NAMESPACE;
1807 return r;
1808 }
1809 }
1810
1811 if (context->working_directory_home)
1812 wd = home;
1813 else if (context->working_directory)
1814 wd = context->working_directory;
1815 else
1816 wd = "/";
1817
1818 if (params->apply_chroot) {
1819 if (!needs_mount_namespace && context->root_directory)
1820 if (chroot(context->root_directory) < 0) {
1821 *exit_status = EXIT_CHROOT;
1822 return -errno;
1823 }
1824
1825 if (chdir(wd) < 0 &&
1826 !context->working_directory_missing_ok) {
1827 *exit_status = EXIT_CHDIR;
1828 return -errno;
1829 }
1830 } else {
1831 const char *d;
1832
1833 d = strjoina(strempty(context->root_directory), "/", strempty(wd));
1834 if (chdir(d) < 0 &&
1835 !context->working_directory_missing_ok) {
1836 *exit_status = EXIT_CHDIR;
1837 return -errno;
1838 }
1839 }
1840
1841 #ifdef HAVE_SELINUX
1842 if (params->apply_permissions && mac_selinux_use() && params->selinux_context_net && socket_fd >= 0) {
1843 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
1844 if (r < 0) {
1845 *exit_status = EXIT_SELINUX_CONTEXT;
1846 return r;
1847 }
1848 }
1849 #endif
1850
1851 /* We repeat the fd closing here, to make sure that
1852 * nothing is leaked from the PAM modules. Note that
1853 * we are more aggressive this time since socket_fd
1854 * and the netns fds we don't need anymore. The custom
1855 * endpoint fd was needed to upload the policy and can
1856 * now be closed as well. */
1857 r = close_all_fds(fds, n_fds);
1858 if (r >= 0)
1859 r = shift_fds(fds, n_fds);
1860 if (r >= 0)
1861 r = flags_fds(fds, n_fds, context->non_blocking);
1862 if (r < 0) {
1863 *exit_status = EXIT_FDS;
1864 return r;
1865 }
1866
1867 if (params->apply_permissions) {
1868
1869 int secure_bits = context->secure_bits;
1870
1871 for (i = 0; i < _RLIMIT_MAX; i++) {
1872 if (!context->rlimit[i])
1873 continue;
1874
1875 if (setrlimit_closest(i, context->rlimit[i]) < 0) {
1876 *exit_status = EXIT_LIMITS;
1877 return -errno;
1878 }
1879 }
1880
1881 if (!cap_test_all(context->capability_bounding_set)) {
1882 r = capability_bounding_set_drop(context->capability_bounding_set, false);
1883 if (r < 0) {
1884 *exit_status = EXIT_CAPABILITIES;
1885 return r;
1886 }
1887 }
1888
1889 /* This is done before enforce_user, but ambient set
1890 * does not survive over setresuid() if keep_caps is not set. */
1891 if (context->capability_ambient_set != 0) {
1892 r = capability_ambient_set_apply(context->capability_ambient_set, true);
1893 if (r < 0) {
1894 *exit_status = EXIT_CAPABILITIES;
1895 return r;
1896 }
1897
1898 if (context->capabilities) {
1899
1900 /* The capabilities in ambient set need to be also in the inherited
1901 * set. If they aren't, trying to get them will fail. Add the ambient
1902 * set inherited capabilities to the capability set in the context.
1903 * This is needed because if capabilities are set (using "Capabilities="
1904 * keyword), they will override whatever we set now. */
1905
1906 r = capability_update_inherited_set(context->capabilities, context->capability_ambient_set);
1907 if (r < 0) {
1908 *exit_status = EXIT_CAPABILITIES;
1909 return r;
1910 }
1911 }
1912 }
1913
1914 if (context->user) {
1915 r = enforce_user(context, uid);
1916 if (r < 0) {
1917 *exit_status = EXIT_USER;
1918 return r;
1919 }
1920 if (context->capability_ambient_set != 0) {
1921
1922 /* Fix the ambient capabilities after user change. */
1923 r = capability_ambient_set_apply(context->capability_ambient_set, false);
1924 if (r < 0) {
1925 *exit_status = EXIT_CAPABILITIES;
1926 return r;
1927 }
1928
1929 /* If we were asked to change user and ambient capabilities
1930 * were requested, we had to add keep-caps to the securebits
1931 * so that we would maintain the inherited capability set
1932 * through the setresuid(). Make sure that the bit is added
1933 * also to the context secure_bits so that we don't try to
1934 * drop the bit away next. */
1935
1936 secure_bits |= 1<<SECURE_KEEP_CAPS;
1937 }
1938 }
1939
1940 /* PR_GET_SECUREBITS is not privileged, while
1941 * PR_SET_SECUREBITS is. So to suppress
1942 * potential EPERMs we'll try not to call
1943 * PR_SET_SECUREBITS unless necessary. */
1944 if (prctl(PR_GET_SECUREBITS) != secure_bits)
1945 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
1946 *exit_status = EXIT_SECUREBITS;
1947 return -errno;
1948 }
1949
1950 if (context->capabilities)
1951 if (cap_set_proc(context->capabilities) < 0) {
1952 *exit_status = EXIT_CAPABILITIES;
1953 return -errno;
1954 }
1955
1956 if (context->no_new_privileges)
1957 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
1958 *exit_status = EXIT_NO_NEW_PRIVILEGES;
1959 return -errno;
1960 }
1961
1962 #ifdef HAVE_SECCOMP
1963 if (context->address_families_whitelist ||
1964 !set_isempty(context->address_families)) {
1965 r = apply_address_families(context);
1966 if (r < 0) {
1967 *exit_status = EXIT_ADDRESS_FAMILIES;
1968 return r;
1969 }
1970 }
1971
1972 if (context->syscall_whitelist ||
1973 !set_isempty(context->syscall_filter) ||
1974 !set_isempty(context->syscall_archs)) {
1975 r = apply_seccomp(context);
1976 if (r < 0) {
1977 *exit_status = EXIT_SECCOMP;
1978 return r;
1979 }
1980 }
1981 #endif
1982
1983 #ifdef HAVE_SELINUX
1984 if (mac_selinux_use()) {
1985 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
1986
1987 if (exec_context) {
1988 r = setexeccon(exec_context);
1989 if (r < 0) {
1990 *exit_status = EXIT_SELINUX_CONTEXT;
1991 return r;
1992 }
1993 }
1994 }
1995 #endif
1996
1997 #ifdef HAVE_APPARMOR
1998 if (context->apparmor_profile && mac_apparmor_use()) {
1999 r = aa_change_onexec(context->apparmor_profile);
2000 if (r < 0 && !context->apparmor_profile_ignore) {
2001 *exit_status = EXIT_APPARMOR_PROFILE;
2002 return -errno;
2003 }
2004 }
2005 #endif
2006 }
2007
2008 r = build_environment(context, params, n_fds, home, username, shell, &our_env);
2009 if (r < 0) {
2010 *exit_status = EXIT_MEMORY;
2011 return r;
2012 }
2013
2014 r = build_pass_environment(context, &pass_env);
2015 if (r < 0) {
2016 *exit_status = EXIT_MEMORY;
2017 return r;
2018 }
2019
2020 final_env = strv_env_merge(6,
2021 params->environment,
2022 our_env,
2023 pass_env,
2024 context->environment,
2025 files_env,
2026 pam_env,
2027 NULL);
2028 if (!final_env) {
2029 *exit_status = EXIT_MEMORY;
2030 return -ENOMEM;
2031 }
2032
2033 final_argv = replace_env_argv(argv, final_env);
2034 if (!final_argv) {
2035 *exit_status = EXIT_MEMORY;
2036 return -ENOMEM;
2037 }
2038
2039 final_env = strv_env_clean(final_env);
2040
2041 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
2042 _cleanup_free_ char *line;
2043
2044 line = exec_command_line(final_argv);
2045 if (line) {
2046 log_open();
2047 log_struct(LOG_DEBUG,
2048 LOG_UNIT_ID(unit),
2049 "EXECUTABLE=%s", command->path,
2050 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
2051 NULL);
2052 log_close();
2053 }
2054 }
2055
2056 execve(command->path, final_argv, final_env);
2057 *exit_status = EXIT_EXEC;
2058 return -errno;
2059 }
2060
2061 int exec_spawn(Unit *unit,
2062 ExecCommand *command,
2063 const ExecContext *context,
2064 const ExecParameters *params,
2065 ExecRuntime *runtime,
2066 pid_t *ret) {
2067
2068 _cleanup_strv_free_ char **files_env = NULL;
2069 int *fds = NULL; unsigned n_fds = 0;
2070 _cleanup_free_ char *line = NULL;
2071 int socket_fd, r;
2072 char **argv;
2073 pid_t pid;
2074
2075 assert(unit);
2076 assert(command);
2077 assert(context);
2078 assert(ret);
2079 assert(params);
2080 assert(params->fds || params->n_fds <= 0);
2081
2082 if (context->std_input == EXEC_INPUT_SOCKET ||
2083 context->std_output == EXEC_OUTPUT_SOCKET ||
2084 context->std_error == EXEC_OUTPUT_SOCKET) {
2085
2086 if (params->n_fds != 1) {
2087 log_unit_error(unit, "Got more than one socket.");
2088 return -EINVAL;
2089 }
2090
2091 socket_fd = params->fds[0];
2092 } else {
2093 socket_fd = -1;
2094 fds = params->fds;
2095 n_fds = params->n_fds;
2096 }
2097
2098 r = exec_context_load_environment(unit, context, &files_env);
2099 if (r < 0)
2100 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
2101
2102 argv = params->argv ?: command->argv;
2103 line = exec_command_line(argv);
2104 if (!line)
2105 return log_oom();
2106
2107 log_struct(LOG_DEBUG,
2108 LOG_UNIT_ID(unit),
2109 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
2110 "EXECUTABLE=%s", command->path,
2111 NULL);
2112 pid = fork();
2113 if (pid < 0)
2114 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
2115
2116 if (pid == 0) {
2117 int exit_status;
2118
2119 r = exec_child(unit,
2120 command,
2121 context,
2122 params,
2123 runtime,
2124 argv,
2125 socket_fd,
2126 fds, n_fds,
2127 files_env,
2128 &exit_status);
2129 if (r < 0) {
2130 log_open();
2131 log_struct_errno(LOG_ERR, r,
2132 LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
2133 LOG_UNIT_ID(unit),
2134 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
2135 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
2136 command->path),
2137 "EXECUTABLE=%s", command->path,
2138 NULL);
2139 }
2140
2141 _exit(exit_status);
2142 }
2143
2144 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
2145
2146 /* We add the new process to the cgroup both in the child (so
2147 * that we can be sure that no user code is ever executed
2148 * outside of the cgroup) and in the parent (so that we can be
2149 * sure that when we kill the cgroup the process will be
2150 * killed too). */
2151 if (params->cgroup_path)
2152 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
2153
2154 exec_status_start(&command->exec_status, pid);
2155
2156 *ret = pid;
2157 return 0;
2158 }
2159
2160 void exec_context_init(ExecContext *c) {
2161 assert(c);
2162
2163 c->umask = 0022;
2164 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
2165 c->cpu_sched_policy = SCHED_OTHER;
2166 c->syslog_priority = LOG_DAEMON|LOG_INFO;
2167 c->syslog_level_prefix = true;
2168 c->ignore_sigpipe = true;
2169 c->timer_slack_nsec = NSEC_INFINITY;
2170 c->personality = PERSONALITY_INVALID;
2171 c->runtime_directory_mode = 0755;
2172 c->capability_bounding_set = CAP_ALL;
2173 }
2174
2175 void exec_context_done(ExecContext *c) {
2176 unsigned l;
2177
2178 assert(c);
2179
2180 c->environment = strv_free(c->environment);
2181 c->environment_files = strv_free(c->environment_files);
2182 c->pass_environment = strv_free(c->pass_environment);
2183
2184 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
2185 c->rlimit[l] = mfree(c->rlimit[l]);
2186
2187 c->working_directory = mfree(c->working_directory);
2188 c->root_directory = mfree(c->root_directory);
2189 c->tty_path = mfree(c->tty_path);
2190 c->syslog_identifier = mfree(c->syslog_identifier);
2191 c->user = mfree(c->user);
2192 c->group = mfree(c->group);
2193
2194 c->supplementary_groups = strv_free(c->supplementary_groups);
2195
2196 c->pam_name = mfree(c->pam_name);
2197
2198 if (c->capabilities) {
2199 cap_free(c->capabilities);
2200 c->capabilities = NULL;
2201 }
2202
2203 c->read_only_dirs = strv_free(c->read_only_dirs);
2204 c->read_write_dirs = strv_free(c->read_write_dirs);
2205 c->inaccessible_dirs = strv_free(c->inaccessible_dirs);
2206
2207 if (c->cpuset)
2208 CPU_FREE(c->cpuset);
2209
2210 c->utmp_id = mfree(c->utmp_id);
2211 c->selinux_context = mfree(c->selinux_context);
2212 c->apparmor_profile = mfree(c->apparmor_profile);
2213
2214 c->syscall_filter = set_free(c->syscall_filter);
2215 c->syscall_archs = set_free(c->syscall_archs);
2216 c->address_families = set_free(c->address_families);
2217
2218 c->runtime_directory = strv_free(c->runtime_directory);
2219
2220 bus_endpoint_free(c->bus_endpoint);
2221 c->bus_endpoint = NULL;
2222 }
2223
2224 int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
2225 char **i;
2226
2227 assert(c);
2228
2229 if (!runtime_prefix)
2230 return 0;
2231
2232 STRV_FOREACH(i, c->runtime_directory) {
2233 _cleanup_free_ char *p;
2234
2235 p = strjoin(runtime_prefix, "/", *i, NULL);
2236 if (!p)
2237 return -ENOMEM;
2238
2239 /* We execute this synchronously, since we need to be
2240 * sure this is gone when we start the service
2241 * next. */
2242 (void) rm_rf(p, REMOVE_ROOT);
2243 }
2244
2245 return 0;
2246 }
2247
2248 void exec_command_done(ExecCommand *c) {
2249 assert(c);
2250
2251 c->path = mfree(c->path);
2252
2253 c->argv = strv_free(c->argv);
2254 }
2255
2256 void exec_command_done_array(ExecCommand *c, unsigned n) {
2257 unsigned i;
2258
2259 for (i = 0; i < n; i++)
2260 exec_command_done(c+i);
2261 }
2262
2263 ExecCommand* exec_command_free_list(ExecCommand *c) {
2264 ExecCommand *i;
2265
2266 while ((i = c)) {
2267 LIST_REMOVE(command, c, i);
2268 exec_command_done(i);
2269 free(i);
2270 }
2271
2272 return NULL;
2273 }
2274
2275 void exec_command_free_array(ExecCommand **c, unsigned n) {
2276 unsigned i;
2277
2278 for (i = 0; i < n; i++)
2279 c[i] = exec_command_free_list(c[i]);
2280 }
2281
2282 typedef struct InvalidEnvInfo {
2283 Unit *unit;
2284 const char *path;
2285 } InvalidEnvInfo;
2286
2287 static void invalid_env(const char *p, void *userdata) {
2288 InvalidEnvInfo *info = userdata;
2289
2290 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
2291 }
2292
2293 int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
2294 char **i, **r = NULL;
2295
2296 assert(c);
2297 assert(l);
2298
2299 STRV_FOREACH(i, c->environment_files) {
2300 char *fn;
2301 int k;
2302 bool ignore = false;
2303 char **p;
2304 _cleanup_globfree_ glob_t pglob = {};
2305 int count, n;
2306
2307 fn = *i;
2308
2309 if (fn[0] == '-') {
2310 ignore = true;
2311 fn ++;
2312 }
2313
2314 if (!path_is_absolute(fn)) {
2315 if (ignore)
2316 continue;
2317
2318 strv_free(r);
2319 return -EINVAL;
2320 }
2321
2322 /* Filename supports globbing, take all matching files */
2323 errno = 0;
2324 if (glob(fn, 0, NULL, &pglob) != 0) {
2325 if (ignore)
2326 continue;
2327
2328 strv_free(r);
2329 return errno > 0 ? -errno : -EINVAL;
2330 }
2331 count = pglob.gl_pathc;
2332 if (count == 0) {
2333 if (ignore)
2334 continue;
2335
2336 strv_free(r);
2337 return -EINVAL;
2338 }
2339 for (n = 0; n < count; n++) {
2340 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
2341 if (k < 0) {
2342 if (ignore)
2343 continue;
2344
2345 strv_free(r);
2346 return k;
2347 }
2348 /* Log invalid environment variables with filename */
2349 if (p) {
2350 InvalidEnvInfo info = {
2351 .unit = unit,
2352 .path = pglob.gl_pathv[n]
2353 };
2354
2355 p = strv_env_clean_with_callback(p, invalid_env, &info);
2356 }
2357
2358 if (r == NULL)
2359 r = p;
2360 else {
2361 char **m;
2362
2363 m = strv_env_merge(2, r, p);
2364 strv_free(r);
2365 strv_free(p);
2366 if (!m)
2367 return -ENOMEM;
2368
2369 r = m;
2370 }
2371 }
2372 }
2373
2374 *l = r;
2375
2376 return 0;
2377 }
2378
2379 static bool tty_may_match_dev_console(const char *tty) {
2380 _cleanup_free_ char *active = NULL;
2381 char *console;
2382
2383 if (!tty)
2384 return true;
2385
2386 if (startswith(tty, "/dev/"))
2387 tty += 5;
2388
2389 /* trivial identity? */
2390 if (streq(tty, "console"))
2391 return true;
2392
2393 console = resolve_dev_console(&active);
2394 /* if we could not resolve, assume it may */
2395 if (!console)
2396 return true;
2397
2398 /* "tty0" means the active VC, so it may be the same sometimes */
2399 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
2400 }
2401
2402 bool exec_context_may_touch_console(ExecContext *ec) {
2403
2404 return (ec->tty_reset ||
2405 ec->tty_vhangup ||
2406 ec->tty_vt_disallocate ||
2407 is_terminal_input(ec->std_input) ||
2408 is_terminal_output(ec->std_output) ||
2409 is_terminal_output(ec->std_error)) &&
2410 tty_may_match_dev_console(exec_context_tty_path(ec));
2411 }
2412
2413 static void strv_fprintf(FILE *f, char **l) {
2414 char **g;
2415
2416 assert(f);
2417
2418 STRV_FOREACH(g, l)
2419 fprintf(f, " %s", *g);
2420 }
2421
2422 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
2423 char **e, **d;
2424 unsigned i;
2425
2426 assert(c);
2427 assert(f);
2428
2429 prefix = strempty(prefix);
2430
2431 fprintf(f,
2432 "%sUMask: %04o\n"
2433 "%sWorkingDirectory: %s\n"
2434 "%sRootDirectory: %s\n"
2435 "%sNonBlocking: %s\n"
2436 "%sPrivateTmp: %s\n"
2437 "%sPrivateNetwork: %s\n"
2438 "%sPrivateDevices: %s\n"
2439 "%sProtectHome: %s\n"
2440 "%sProtectSystem: %s\n"
2441 "%sIgnoreSIGPIPE: %s\n",
2442 prefix, c->umask,
2443 prefix, c->working_directory ? c->working_directory : "/",
2444 prefix, c->root_directory ? c->root_directory : "/",
2445 prefix, yes_no(c->non_blocking),
2446 prefix, yes_no(c->private_tmp),
2447 prefix, yes_no(c->private_network),
2448 prefix, yes_no(c->private_devices),
2449 prefix, protect_home_to_string(c->protect_home),
2450 prefix, protect_system_to_string(c->protect_system),
2451 prefix, yes_no(c->ignore_sigpipe));
2452
2453 STRV_FOREACH(e, c->environment)
2454 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
2455
2456 STRV_FOREACH(e, c->environment_files)
2457 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
2458
2459 STRV_FOREACH(e, c->pass_environment)
2460 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
2461
2462 fprintf(f, "%sRuntimeDirectoryMode: %04o\n", prefix, c->runtime_directory_mode);
2463
2464 STRV_FOREACH(d, c->runtime_directory)
2465 fprintf(f, "%sRuntimeDirectory: %s\n", prefix, *d);
2466
2467 if (c->nice_set)
2468 fprintf(f,
2469 "%sNice: %i\n",
2470 prefix, c->nice);
2471
2472 if (c->oom_score_adjust_set)
2473 fprintf(f,
2474 "%sOOMScoreAdjust: %i\n",
2475 prefix, c->oom_score_adjust);
2476
2477 for (i = 0; i < RLIM_NLIMITS; i++)
2478 if (c->rlimit[i]) {
2479 fprintf(f, "%s%s: " RLIM_FMT "\n",
2480 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
2481 fprintf(f, "%s%sSoft: " RLIM_FMT "\n",
2482 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
2483 }
2484
2485 if (c->ioprio_set) {
2486 _cleanup_free_ char *class_str = NULL;
2487
2488 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
2489 fprintf(f,
2490 "%sIOSchedulingClass: %s\n"
2491 "%sIOPriority: %i\n",
2492 prefix, strna(class_str),
2493 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
2494 }
2495
2496 if (c->cpu_sched_set) {
2497 _cleanup_free_ char *policy_str = NULL;
2498
2499 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
2500 fprintf(f,
2501 "%sCPUSchedulingPolicy: %s\n"
2502 "%sCPUSchedulingPriority: %i\n"
2503 "%sCPUSchedulingResetOnFork: %s\n",
2504 prefix, strna(policy_str),
2505 prefix, c->cpu_sched_priority,
2506 prefix, yes_no(c->cpu_sched_reset_on_fork));
2507 }
2508
2509 if (c->cpuset) {
2510 fprintf(f, "%sCPUAffinity:", prefix);
2511 for (i = 0; i < c->cpuset_ncpus; i++)
2512 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
2513 fprintf(f, " %u", i);
2514 fputs("\n", f);
2515 }
2516
2517 if (c->timer_slack_nsec != NSEC_INFINITY)
2518 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
2519
2520 fprintf(f,
2521 "%sStandardInput: %s\n"
2522 "%sStandardOutput: %s\n"
2523 "%sStandardError: %s\n",
2524 prefix, exec_input_to_string(c->std_input),
2525 prefix, exec_output_to_string(c->std_output),
2526 prefix, exec_output_to_string(c->std_error));
2527
2528 if (c->tty_path)
2529 fprintf(f,
2530 "%sTTYPath: %s\n"
2531 "%sTTYReset: %s\n"
2532 "%sTTYVHangup: %s\n"
2533 "%sTTYVTDisallocate: %s\n",
2534 prefix, c->tty_path,
2535 prefix, yes_no(c->tty_reset),
2536 prefix, yes_no(c->tty_vhangup),
2537 prefix, yes_no(c->tty_vt_disallocate));
2538
2539 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
2540 c->std_output == EXEC_OUTPUT_KMSG ||
2541 c->std_output == EXEC_OUTPUT_JOURNAL ||
2542 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2543 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2544 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
2545 c->std_error == EXEC_OUTPUT_SYSLOG ||
2546 c->std_error == EXEC_OUTPUT_KMSG ||
2547 c->std_error == EXEC_OUTPUT_JOURNAL ||
2548 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2549 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2550 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
2551
2552 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
2553
2554 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
2555 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
2556
2557 fprintf(f,
2558 "%sSyslogFacility: %s\n"
2559 "%sSyslogLevel: %s\n",
2560 prefix, strna(fac_str),
2561 prefix, strna(lvl_str));
2562 }
2563
2564 if (c->capabilities) {
2565 _cleanup_cap_free_charp_ char *t;
2566
2567 t = cap_to_text(c->capabilities, NULL);
2568 if (t)
2569 fprintf(f, "%sCapabilities: %s\n", prefix, t);
2570 }
2571
2572 if (c->secure_bits)
2573 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
2574 prefix,
2575 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
2576 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
2577 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
2578 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
2579 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
2580 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
2581
2582 if (c->capability_bounding_set != CAP_ALL) {
2583 unsigned long l;
2584 fprintf(f, "%sCapabilityBoundingSet:", prefix);
2585
2586 for (l = 0; l <= cap_last_cap(); l++)
2587 if (c->capability_bounding_set & (UINT64_C(1) << l))
2588 fprintf(f, " %s", strna(capability_to_name(l)));
2589
2590 fputs("\n", f);
2591 }
2592
2593 if (c->capability_ambient_set != 0) {
2594 unsigned long l;
2595 fprintf(f, "%sAmbientCapabilities:", prefix);
2596
2597 for (l = 0; l <= cap_last_cap(); l++)
2598 if (c->capability_ambient_set & (UINT64_C(1) << l))
2599 fprintf(f, " %s", strna(capability_to_name(l)));
2600
2601 fputs("\n", f);
2602 }
2603
2604 if (c->user)
2605 fprintf(f, "%sUser: %s\n", prefix, c->user);
2606 if (c->group)
2607 fprintf(f, "%sGroup: %s\n", prefix, c->group);
2608
2609 if (strv_length(c->supplementary_groups) > 0) {
2610 fprintf(f, "%sSupplementaryGroups:", prefix);
2611 strv_fprintf(f, c->supplementary_groups);
2612 fputs("\n", f);
2613 }
2614
2615 if (c->pam_name)
2616 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
2617
2618 if (strv_length(c->read_write_dirs) > 0) {
2619 fprintf(f, "%sReadWriteDirs:", prefix);
2620 strv_fprintf(f, c->read_write_dirs);
2621 fputs("\n", f);
2622 }
2623
2624 if (strv_length(c->read_only_dirs) > 0) {
2625 fprintf(f, "%sReadOnlyDirs:", prefix);
2626 strv_fprintf(f, c->read_only_dirs);
2627 fputs("\n", f);
2628 }
2629
2630 if (strv_length(c->inaccessible_dirs) > 0) {
2631 fprintf(f, "%sInaccessibleDirs:", prefix);
2632 strv_fprintf(f, c->inaccessible_dirs);
2633 fputs("\n", f);
2634 }
2635
2636 if (c->utmp_id)
2637 fprintf(f,
2638 "%sUtmpIdentifier: %s\n",
2639 prefix, c->utmp_id);
2640
2641 if (c->selinux_context)
2642 fprintf(f,
2643 "%sSELinuxContext: %s%s\n",
2644 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
2645
2646 if (c->personality != PERSONALITY_INVALID)
2647 fprintf(f,
2648 "%sPersonality: %s\n",
2649 prefix, strna(personality_to_string(c->personality)));
2650
2651 if (c->syscall_filter) {
2652 #ifdef HAVE_SECCOMP
2653 Iterator j;
2654 void *id;
2655 bool first = true;
2656 #endif
2657
2658 fprintf(f,
2659 "%sSystemCallFilter: ",
2660 prefix);
2661
2662 if (!c->syscall_whitelist)
2663 fputc('~', f);
2664
2665 #ifdef HAVE_SECCOMP
2666 SET_FOREACH(id, c->syscall_filter, j) {
2667 _cleanup_free_ char *name = NULL;
2668
2669 if (first)
2670 first = false;
2671 else
2672 fputc(' ', f);
2673
2674 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
2675 fputs(strna(name), f);
2676 }
2677 #endif
2678
2679 fputc('\n', f);
2680 }
2681
2682 if (c->syscall_archs) {
2683 #ifdef HAVE_SECCOMP
2684 Iterator j;
2685 void *id;
2686 #endif
2687
2688 fprintf(f,
2689 "%sSystemCallArchitectures:",
2690 prefix);
2691
2692 #ifdef HAVE_SECCOMP
2693 SET_FOREACH(id, c->syscall_archs, j)
2694 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
2695 #endif
2696 fputc('\n', f);
2697 }
2698
2699 if (c->syscall_errno > 0)
2700 fprintf(f,
2701 "%sSystemCallErrorNumber: %s\n",
2702 prefix, strna(errno_to_name(c->syscall_errno)));
2703
2704 if (c->apparmor_profile)
2705 fprintf(f,
2706 "%sAppArmorProfile: %s%s\n",
2707 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
2708 }
2709
2710 bool exec_context_maintains_privileges(ExecContext *c) {
2711 assert(c);
2712
2713 /* Returns true if the process forked off would run run under
2714 * an unchanged UID or as root. */
2715
2716 if (!c->user)
2717 return true;
2718
2719 if (streq(c->user, "root") || streq(c->user, "0"))
2720 return true;
2721
2722 return false;
2723 }
2724
2725 void exec_status_start(ExecStatus *s, pid_t pid) {
2726 assert(s);
2727
2728 zero(*s);
2729 s->pid = pid;
2730 dual_timestamp_get(&s->start_timestamp);
2731 }
2732
2733 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
2734 assert(s);
2735
2736 if (s->pid && s->pid != pid)
2737 zero(*s);
2738
2739 s->pid = pid;
2740 dual_timestamp_get(&s->exit_timestamp);
2741
2742 s->code = code;
2743 s->status = status;
2744
2745 if (context) {
2746 if (context->utmp_id)
2747 utmp_put_dead_process(context->utmp_id, pid, code, status);
2748
2749 exec_context_tty_reset(context, NULL);
2750 }
2751 }
2752
2753 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
2754 char buf[FORMAT_TIMESTAMP_MAX];
2755
2756 assert(s);
2757 assert(f);
2758
2759 if (s->pid <= 0)
2760 return;
2761
2762 prefix = strempty(prefix);
2763
2764 fprintf(f,
2765 "%sPID: "PID_FMT"\n",
2766 prefix, s->pid);
2767
2768 if (s->start_timestamp.realtime > 0)
2769 fprintf(f,
2770 "%sStart Timestamp: %s\n",
2771 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
2772
2773 if (s->exit_timestamp.realtime > 0)
2774 fprintf(f,
2775 "%sExit Timestamp: %s\n"
2776 "%sExit Code: %s\n"
2777 "%sExit Status: %i\n",
2778 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
2779 prefix, sigchld_code_to_string(s->code),
2780 prefix, s->status);
2781 }
2782
2783 char *exec_command_line(char **argv) {
2784 size_t k;
2785 char *n, *p, **a;
2786 bool first = true;
2787
2788 assert(argv);
2789
2790 k = 1;
2791 STRV_FOREACH(a, argv)
2792 k += strlen(*a)+3;
2793
2794 if (!(n = new(char, k)))
2795 return NULL;
2796
2797 p = n;
2798 STRV_FOREACH(a, argv) {
2799
2800 if (!first)
2801 *(p++) = ' ';
2802 else
2803 first = false;
2804
2805 if (strpbrk(*a, WHITESPACE)) {
2806 *(p++) = '\'';
2807 p = stpcpy(p, *a);
2808 *(p++) = '\'';
2809 } else
2810 p = stpcpy(p, *a);
2811
2812 }
2813
2814 *p = 0;
2815
2816 /* FIXME: this doesn't really handle arguments that have
2817 * spaces and ticks in them */
2818
2819 return n;
2820 }
2821
2822 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
2823 _cleanup_free_ char *cmd = NULL;
2824 const char *prefix2;
2825
2826 assert(c);
2827 assert(f);
2828
2829 prefix = strempty(prefix);
2830 prefix2 = strjoina(prefix, "\t");
2831
2832 cmd = exec_command_line(c->argv);
2833 fprintf(f,
2834 "%sCommand Line: %s\n",
2835 prefix, cmd ? cmd : strerror(ENOMEM));
2836
2837 exec_status_dump(&c->exec_status, f, prefix2);
2838 }
2839
2840 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2841 assert(f);
2842
2843 prefix = strempty(prefix);
2844
2845 LIST_FOREACH(command, c, c)
2846 exec_command_dump(c, f, prefix);
2847 }
2848
2849 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
2850 ExecCommand *end;
2851
2852 assert(l);
2853 assert(e);
2854
2855 if (*l) {
2856 /* It's kind of important, that we keep the order here */
2857 LIST_FIND_TAIL(command, *l, end);
2858 LIST_INSERT_AFTER(command, *l, end, e);
2859 } else
2860 *l = e;
2861 }
2862
2863 int exec_command_set(ExecCommand *c, const char *path, ...) {
2864 va_list ap;
2865 char **l, *p;
2866
2867 assert(c);
2868 assert(path);
2869
2870 va_start(ap, path);
2871 l = strv_new_ap(path, ap);
2872 va_end(ap);
2873
2874 if (!l)
2875 return -ENOMEM;
2876
2877 p = strdup(path);
2878 if (!p) {
2879 strv_free(l);
2880 return -ENOMEM;
2881 }
2882
2883 free(c->path);
2884 c->path = p;
2885
2886 strv_free(c->argv);
2887 c->argv = l;
2888
2889 return 0;
2890 }
2891
2892 int exec_command_append(ExecCommand *c, const char *path, ...) {
2893 _cleanup_strv_free_ char **l = NULL;
2894 va_list ap;
2895 int r;
2896
2897 assert(c);
2898 assert(path);
2899
2900 va_start(ap, path);
2901 l = strv_new_ap(path, ap);
2902 va_end(ap);
2903
2904 if (!l)
2905 return -ENOMEM;
2906
2907 r = strv_extend_strv(&c->argv, l, false);
2908 if (r < 0)
2909 return r;
2910
2911 return 0;
2912 }
2913
2914
2915 static int exec_runtime_allocate(ExecRuntime **rt) {
2916
2917 if (*rt)
2918 return 0;
2919
2920 *rt = new0(ExecRuntime, 1);
2921 if (!*rt)
2922 return -ENOMEM;
2923
2924 (*rt)->n_ref = 1;
2925 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
2926
2927 return 0;
2928 }
2929
2930 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
2931 int r;
2932
2933 assert(rt);
2934 assert(c);
2935 assert(id);
2936
2937 if (*rt)
2938 return 1;
2939
2940 if (!c->private_network && !c->private_tmp)
2941 return 0;
2942
2943 r = exec_runtime_allocate(rt);
2944 if (r < 0)
2945 return r;
2946
2947 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
2948 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, (*rt)->netns_storage_socket) < 0)
2949 return -errno;
2950 }
2951
2952 if (c->private_tmp && !(*rt)->tmp_dir) {
2953 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
2954 if (r < 0)
2955 return r;
2956 }
2957
2958 return 1;
2959 }
2960
2961 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
2962 assert(r);
2963 assert(r->n_ref > 0);
2964
2965 r->n_ref++;
2966 return r;
2967 }
2968
2969 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
2970
2971 if (!r)
2972 return NULL;
2973
2974 assert(r->n_ref > 0);
2975
2976 r->n_ref--;
2977 if (r->n_ref > 0)
2978 return NULL;
2979
2980 free(r->tmp_dir);
2981 free(r->var_tmp_dir);
2982 safe_close_pair(r->netns_storage_socket);
2983 free(r);
2984
2985 return NULL;
2986 }
2987
2988 int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
2989 assert(u);
2990 assert(f);
2991 assert(fds);
2992
2993 if (!rt)
2994 return 0;
2995
2996 if (rt->tmp_dir)
2997 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
2998
2999 if (rt->var_tmp_dir)
3000 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
3001
3002 if (rt->netns_storage_socket[0] >= 0) {
3003 int copy;
3004
3005 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
3006 if (copy < 0)
3007 return copy;
3008
3009 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
3010 }
3011
3012 if (rt->netns_storage_socket[1] >= 0) {
3013 int copy;
3014
3015 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
3016 if (copy < 0)
3017 return copy;
3018
3019 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
3020 }
3021
3022 return 0;
3023 }
3024
3025 int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
3026 int r;
3027
3028 assert(rt);
3029 assert(key);
3030 assert(value);
3031
3032 if (streq(key, "tmp-dir")) {
3033 char *copy;
3034
3035 r = exec_runtime_allocate(rt);
3036 if (r < 0)
3037 return log_oom();
3038
3039 copy = strdup(value);
3040 if (!copy)
3041 return log_oom();
3042
3043 free((*rt)->tmp_dir);
3044 (*rt)->tmp_dir = copy;
3045
3046 } else if (streq(key, "var-tmp-dir")) {
3047 char *copy;
3048
3049 r = exec_runtime_allocate(rt);
3050 if (r < 0)
3051 return log_oom();
3052
3053 copy = strdup(value);
3054 if (!copy)
3055 return log_oom();
3056
3057 free((*rt)->var_tmp_dir);
3058 (*rt)->var_tmp_dir = copy;
3059
3060 } else if (streq(key, "netns-socket-0")) {
3061 int fd;
3062
3063 r = exec_runtime_allocate(rt);
3064 if (r < 0)
3065 return log_oom();
3066
3067 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
3068 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
3069 else {
3070 safe_close((*rt)->netns_storage_socket[0]);
3071 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
3072 }
3073 } else if (streq(key, "netns-socket-1")) {
3074 int fd;
3075
3076 r = exec_runtime_allocate(rt);
3077 if (r < 0)
3078 return log_oom();
3079
3080 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
3081 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
3082 else {
3083 safe_close((*rt)->netns_storage_socket[1]);
3084 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
3085 }
3086 } else
3087 return 0;
3088
3089 return 1;
3090 }
3091
3092 static void *remove_tmpdir_thread(void *p) {
3093 _cleanup_free_ char *path = p;
3094
3095 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
3096 return NULL;
3097 }
3098
3099 void exec_runtime_destroy(ExecRuntime *rt) {
3100 int r;
3101
3102 if (!rt)
3103 return;
3104
3105 /* If there are multiple users of this, let's leave the stuff around */
3106 if (rt->n_ref > 1)
3107 return;
3108
3109 if (rt->tmp_dir) {
3110 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
3111
3112 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
3113 if (r < 0) {
3114 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
3115 free(rt->tmp_dir);
3116 }
3117
3118 rt->tmp_dir = NULL;
3119 }
3120
3121 if (rt->var_tmp_dir) {
3122 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
3123
3124 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
3125 if (r < 0) {
3126 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
3127 free(rt->var_tmp_dir);
3128 }
3129
3130 rt->var_tmp_dir = NULL;
3131 }
3132
3133 safe_close_pair(rt->netns_storage_socket);
3134 }
3135
3136 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
3137 [EXEC_INPUT_NULL] = "null",
3138 [EXEC_INPUT_TTY] = "tty",
3139 [EXEC_INPUT_TTY_FORCE] = "tty-force",
3140 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
3141 [EXEC_INPUT_SOCKET] = "socket"
3142 };
3143
3144 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
3145
3146 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
3147 [EXEC_OUTPUT_INHERIT] = "inherit",
3148 [EXEC_OUTPUT_NULL] = "null",
3149 [EXEC_OUTPUT_TTY] = "tty",
3150 [EXEC_OUTPUT_SYSLOG] = "syslog",
3151 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
3152 [EXEC_OUTPUT_KMSG] = "kmsg",
3153 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
3154 [EXEC_OUTPUT_JOURNAL] = "journal",
3155 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
3156 [EXEC_OUTPUT_SOCKET] = "socket"
3157 };
3158
3159 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
3160
3161 static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
3162 [EXEC_UTMP_INIT] = "init",
3163 [EXEC_UTMP_LOGIN] = "login",
3164 [EXEC_UTMP_USER] = "user",
3165 };
3166
3167 DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
Unnamed repository; edit this file 'description' to name the repository.