]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/execute.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
core: rename EXEC_APPLY_PERMISSIONS → EXEC_APPLY_SANDBOXING
[thirdparty/systemd.git] / src / core / execute.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <errno.h>
21 #include <fcntl.h>
22 #include <glob.h>
23 #include <grp.h>
24 #include <poll.h>
25 #include <signal.h>
26 #include <string.h>
27 #include <sys/capability.h>
28 #include <sys/eventfd.h>
29 #include <sys/mman.h>
30 #include <sys/personality.h>
31 #include <sys/prctl.h>
32 #include <sys/shm.h>
33 #include <sys/socket.h>
34 #include <sys/stat.h>
35 #include <sys/types.h>
36 #include <sys/un.h>
37 #include <unistd.h>
38 #include <utmpx.h>
39
40 #ifdef HAVE_PAM
41 #include <security/pam_appl.h>
42 #endif
43
44 #ifdef HAVE_SELINUX
45 #include <selinux/selinux.h>
46 #endif
47
48 #ifdef HAVE_SECCOMP
49 #include <seccomp.h>
50 #endif
51
52 #ifdef HAVE_APPARMOR
53 #include <sys/apparmor.h>
54 #endif
55
56 #include "sd-messages.h"
57
58 #include "af-list.h"
59 #include "alloc-util.h"
60 #ifdef HAVE_APPARMOR
61 #include "apparmor-util.h"
62 #endif
63 #include "async.h"
64 #include "barrier.h"
65 #include "cap-list.h"
66 #include "capability-util.h"
67 #include "def.h"
68 #include "env-util.h"
69 #include "errno-list.h"
70 #include "execute.h"
71 #include "exit-status.h"
72 #include "fd-util.h"
73 #include "fileio.h"
74 #include "format-util.h"
75 #include "fs-util.h"
76 #include "glob-util.h"
77 #include "io-util.h"
78 #include "ioprio.h"
79 #include "log.h"
80 #include "macro.h"
81 #include "missing.h"
82 #include "mkdir.h"
83 #include "namespace.h"
84 #include "parse-util.h"
85 #include "path-util.h"
86 #include "process-util.h"
87 #include "rlimit-util.h"
88 #include "rm-rf.h"
89 #ifdef HAVE_SECCOMP
90 #include "seccomp-util.h"
91 #endif
92 #include "securebits.h"
93 #include "securebits-util.h"
94 #include "selinux-util.h"
95 #include "signal-util.h"
96 #include "smack-util.h"
97 #include "special.h"
98 #include "string-table.h"
99 #include "string-util.h"
100 #include "strv.h"
101 #include "syslog-util.h"
102 #include "terminal-util.h"
103 #include "unit.h"
104 #include "user-util.h"
105 #include "util.h"
106 #include "utmp-wtmp.h"
107
108 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
109 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
110
111 /* This assumes there is a 'tty' group */
112 #define TTY_MODE 0620
113
114 #define SNDBUF_SIZE (8*1024*1024)
115
116 static int shift_fds(int fds[], unsigned n_fds) {
117 int start, restart_from;
118
119 if (n_fds <= 0)
120 return 0;
121
122 /* Modifies the fds array! (sorts it) */
123
124 assert(fds);
125
126 start = 0;
127 for (;;) {
128 int i;
129
130 restart_from = -1;
131
132 for (i = start; i < (int) n_fds; i++) {
133 int nfd;
134
135 /* Already at right index? */
136 if (fds[i] == i+3)
137 continue;
138
139 nfd = fcntl(fds[i], F_DUPFD, i + 3);
140 if (nfd < 0)
141 return -errno;
142
143 safe_close(fds[i]);
144 fds[i] = nfd;
145
146 /* Hmm, the fd we wanted isn't free? Then
147 * let's remember that and try again from here */
148 if (nfd != i+3 && restart_from < 0)
149 restart_from = i;
150 }
151
152 if (restart_from < 0)
153 break;
154
155 start = restart_from;
156 }
157
158 return 0;
159 }
160
161 static int flags_fds(const int fds[], unsigned n_storage_fds, unsigned n_socket_fds, bool nonblock) {
162 unsigned i, n_fds;
163 int r;
164
165 n_fds = n_storage_fds + n_socket_fds;
166 if (n_fds <= 0)
167 return 0;
168
169 assert(fds);
170
171 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags.
172 * O_NONBLOCK only applies to socket activation though. */
173
174 for (i = 0; i < n_fds; i++) {
175
176 if (i < n_socket_fds) {
177 r = fd_nonblock(fds[i], nonblock);
178 if (r < 0)
179 return r;
180 }
181
182 /* We unconditionally drop FD_CLOEXEC from the fds,
183 * since after all we want to pass these fds to our
184 * children */
185
186 r = fd_cloexec(fds[i], false);
187 if (r < 0)
188 return r;
189 }
190
191 return 0;
192 }
193
194 static const char *exec_context_tty_path(const ExecContext *context) {
195 assert(context);
196
197 if (context->stdio_as_fds)
198 return NULL;
199
200 if (context->tty_path)
201 return context->tty_path;
202
203 return "/dev/console";
204 }
205
206 static void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) {
207 const char *path;
208
209 assert(context);
210
211 path = exec_context_tty_path(context);
212
213 if (context->tty_vhangup) {
214 if (p && p->stdin_fd >= 0)
215 (void) terminal_vhangup_fd(p->stdin_fd);
216 else if (path)
217 (void) terminal_vhangup(path);
218 }
219
220 if (context->tty_reset) {
221 if (p && p->stdin_fd >= 0)
222 (void) reset_terminal_fd(p->stdin_fd, true);
223 else if (path)
224 (void) reset_terminal(path);
225 }
226
227 if (context->tty_vt_disallocate && path)
228 (void) vt_disallocate(path);
229 }
230
231 static bool is_terminal_input(ExecInput i) {
232 return IN_SET(i,
233 EXEC_INPUT_TTY,
234 EXEC_INPUT_TTY_FORCE,
235 EXEC_INPUT_TTY_FAIL);
236 }
237
238 static bool is_terminal_output(ExecOutput o) {
239 return IN_SET(o,
240 EXEC_OUTPUT_TTY,
241 EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
242 EXEC_OUTPUT_KMSG_AND_CONSOLE,
243 EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
244 }
245
246 static bool exec_context_needs_term(const ExecContext *c) {
247 assert(c);
248
249 /* Return true if the execution context suggests we should set $TERM to something useful. */
250
251 if (is_terminal_input(c->std_input))
252 return true;
253
254 if (is_terminal_output(c->std_output))
255 return true;
256
257 if (is_terminal_output(c->std_error))
258 return true;
259
260 return !!c->tty_path;
261 }
262
263 static int open_null_as(int flags, int nfd) {
264 int fd, r;
265
266 assert(nfd >= 0);
267
268 fd = open("/dev/null", flags|O_NOCTTY);
269 if (fd < 0)
270 return -errno;
271
272 if (fd != nfd) {
273 r = dup2(fd, nfd) < 0 ? -errno : nfd;
274 safe_close(fd);
275 } else
276 r = nfd;
277
278 return r;
279 }
280
281 static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
282 static const union sockaddr_union sa = {
283 .un.sun_family = AF_UNIX,
284 .un.sun_path = "/run/systemd/journal/stdout",
285 };
286 uid_t olduid = UID_INVALID;
287 gid_t oldgid = GID_INVALID;
288 int r;
289
290 if (gid_is_valid(gid)) {
291 oldgid = getgid();
292
293 if (setegid(gid) < 0)
294 return -errno;
295 }
296
297 if (uid_is_valid(uid)) {
298 olduid = getuid();
299
300 if (seteuid(uid) < 0) {
301 r = -errno;
302 goto restore_gid;
303 }
304 }
305
306 r = connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un)) < 0 ? -errno : 0;
307
308 /* If we fail to restore the uid or gid, things will likely
309 fail later on. This should only happen if an LSM interferes. */
310
311 if (uid_is_valid(uid))
312 (void) seteuid(olduid);
313
314 restore_gid:
315 if (gid_is_valid(gid))
316 (void) setegid(oldgid);
317
318 return r;
319 }
320
321 static int connect_logger_as(
322 Unit *unit,
323 const ExecContext *context,
324 const ExecParameters *params,
325 ExecOutput output,
326 const char *ident,
327 int nfd,
328 uid_t uid,
329 gid_t gid) {
330
331 int fd, r;
332
333 assert(context);
334 assert(params);
335 assert(output < _EXEC_OUTPUT_MAX);
336 assert(ident);
337 assert(nfd >= 0);
338
339 fd = socket(AF_UNIX, SOCK_STREAM, 0);
340 if (fd < 0)
341 return -errno;
342
343 r = connect_journal_socket(fd, uid, gid);
344 if (r < 0)
345 return r;
346
347 if (shutdown(fd, SHUT_RD) < 0) {
348 safe_close(fd);
349 return -errno;
350 }
351
352 (void) fd_inc_sndbuf(fd, SNDBUF_SIZE);
353
354 dprintf(fd,
355 "%s\n"
356 "%s\n"
357 "%i\n"
358 "%i\n"
359 "%i\n"
360 "%i\n"
361 "%i\n",
362 context->syslog_identifier ?: ident,
363 params->flags & EXEC_PASS_LOG_UNIT ? unit->id : "",
364 context->syslog_priority,
365 !!context->syslog_level_prefix,
366 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
367 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
368 is_terminal_output(output));
369
370 if (fd == nfd)
371 return nfd;
372
373 r = dup2(fd, nfd) < 0 ? -errno : nfd;
374 safe_close(fd);
375
376 return r;
377 }
378 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
379 int fd, r;
380
381 assert(path);
382 assert(nfd >= 0);
383
384 fd = open_terminal(path, mode | O_NOCTTY);
385 if (fd < 0)
386 return fd;
387
388 if (fd != nfd) {
389 r = dup2(fd, nfd) < 0 ? -errno : nfd;
390 safe_close(fd);
391 } else
392 r = nfd;
393
394 return r;
395 }
396
397 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
398
399 if (is_terminal_input(std_input) && !apply_tty_stdin)
400 return EXEC_INPUT_NULL;
401
402 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
403 return EXEC_INPUT_NULL;
404
405 return std_input;
406 }
407
408 static int fixup_output(ExecOutput std_output, int socket_fd) {
409
410 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
411 return EXEC_OUTPUT_INHERIT;
412
413 return std_output;
414 }
415
416 static int setup_input(
417 const ExecContext *context,
418 const ExecParameters *params,
419 int socket_fd,
420 int named_iofds[3]) {
421
422 ExecInput i;
423
424 assert(context);
425 assert(params);
426
427 if (params->stdin_fd >= 0) {
428 if (dup2(params->stdin_fd, STDIN_FILENO) < 0)
429 return -errno;
430
431 /* Try to make this the controlling tty, if it is a tty, and reset it */
432 (void) ioctl(STDIN_FILENO, TIOCSCTTY, context->std_input == EXEC_INPUT_TTY_FORCE);
433 (void) reset_terminal_fd(STDIN_FILENO, true);
434
435 return STDIN_FILENO;
436 }
437
438 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
439
440 switch (i) {
441
442 case EXEC_INPUT_NULL:
443 return open_null_as(O_RDONLY, STDIN_FILENO);
444
445 case EXEC_INPUT_TTY:
446 case EXEC_INPUT_TTY_FORCE:
447 case EXEC_INPUT_TTY_FAIL: {
448 int fd, r;
449
450 fd = acquire_terminal(exec_context_tty_path(context),
451 i == EXEC_INPUT_TTY_FAIL,
452 i == EXEC_INPUT_TTY_FORCE,
453 false,
454 USEC_INFINITY);
455 if (fd < 0)
456 return fd;
457
458 if (fd != STDIN_FILENO) {
459 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
460 safe_close(fd);
461 } else
462 r = STDIN_FILENO;
463
464 return r;
465 }
466
467 case EXEC_INPUT_SOCKET:
468 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
469
470 case EXEC_INPUT_NAMED_FD:
471 (void) fd_nonblock(named_iofds[STDIN_FILENO], false);
472 return dup2(named_iofds[STDIN_FILENO], STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
473
474 default:
475 assert_not_reached("Unknown input type");
476 }
477 }
478
479 static int setup_output(
480 Unit *unit,
481 const ExecContext *context,
482 const ExecParameters *params,
483 int fileno,
484 int socket_fd,
485 int named_iofds[3],
486 const char *ident,
487 uid_t uid,
488 gid_t gid,
489 dev_t *journal_stream_dev,
490 ino_t *journal_stream_ino) {
491
492 ExecOutput o;
493 ExecInput i;
494 int r;
495
496 assert(unit);
497 assert(context);
498 assert(params);
499 assert(ident);
500 assert(journal_stream_dev);
501 assert(journal_stream_ino);
502
503 if (fileno == STDOUT_FILENO && params->stdout_fd >= 0) {
504
505 if (dup2(params->stdout_fd, STDOUT_FILENO) < 0)
506 return -errno;
507
508 return STDOUT_FILENO;
509 }
510
511 if (fileno == STDERR_FILENO && params->stderr_fd >= 0) {
512 if (dup2(params->stderr_fd, STDERR_FILENO) < 0)
513 return -errno;
514
515 return STDERR_FILENO;
516 }
517
518 i = fixup_input(context->std_input, socket_fd, params->flags & EXEC_APPLY_TTY_STDIN);
519 o = fixup_output(context->std_output, socket_fd);
520
521 if (fileno == STDERR_FILENO) {
522 ExecOutput e;
523 e = fixup_output(context->std_error, socket_fd);
524
525 /* This expects the input and output are already set up */
526
527 /* Don't change the stderr file descriptor if we inherit all
528 * the way and are not on a tty */
529 if (e == EXEC_OUTPUT_INHERIT &&
530 o == EXEC_OUTPUT_INHERIT &&
531 i == EXEC_INPUT_NULL &&
532 !is_terminal_input(context->std_input) &&
533 getppid () != 1)
534 return fileno;
535
536 /* Duplicate from stdout if possible */
537 if ((e == o && e != EXEC_OUTPUT_NAMED_FD) || e == EXEC_OUTPUT_INHERIT)
538 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
539
540 o = e;
541
542 } else if (o == EXEC_OUTPUT_INHERIT) {
543 /* If input got downgraded, inherit the original value */
544 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
545 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
546
547 /* If the input is connected to anything that's not a /dev/null, inherit that... */
548 if (i != EXEC_INPUT_NULL)
549 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
550
551 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
552 if (getppid() != 1)
553 return fileno;
554
555 /* We need to open /dev/null here anew, to get the right access mode. */
556 return open_null_as(O_WRONLY, fileno);
557 }
558
559 switch (o) {
560
561 case EXEC_OUTPUT_NULL:
562 return open_null_as(O_WRONLY, fileno);
563
564 case EXEC_OUTPUT_TTY:
565 if (is_terminal_input(i))
566 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
567
568 /* We don't reset the terminal if this is just about output */
569 return open_terminal_as(exec_context_tty_path(context), O_WRONLY, fileno);
570
571 case EXEC_OUTPUT_SYSLOG:
572 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
573 case EXEC_OUTPUT_KMSG:
574 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
575 case EXEC_OUTPUT_JOURNAL:
576 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
577 r = connect_logger_as(unit, context, params, o, ident, fileno, uid, gid);
578 if (r < 0) {
579 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
580 r = open_null_as(O_WRONLY, fileno);
581 } else {
582 struct stat st;
583
584 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
585 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
586 * services to detect whether they are connected to the journal or not. */
587
588 if (fstat(fileno, &st) >= 0) {
589 *journal_stream_dev = st.st_dev;
590 *journal_stream_ino = st.st_ino;
591 }
592 }
593 return r;
594
595 case EXEC_OUTPUT_SOCKET:
596 assert(socket_fd >= 0);
597 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
598
599 case EXEC_OUTPUT_NAMED_FD:
600 (void) fd_nonblock(named_iofds[fileno], false);
601 return dup2(named_iofds[fileno], fileno) < 0 ? -errno : fileno;
602
603 default:
604 assert_not_reached("Unknown error type");
605 }
606 }
607
608 static int chown_terminal(int fd, uid_t uid) {
609 struct stat st;
610
611 assert(fd >= 0);
612
613 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
614 if (isatty(fd) < 1)
615 return 0;
616
617 /* This might fail. What matters are the results. */
618 (void) fchown(fd, uid, -1);
619 (void) fchmod(fd, TTY_MODE);
620
621 if (fstat(fd, &st) < 0)
622 return -errno;
623
624 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
625 return -EPERM;
626
627 return 0;
628 }
629
630 static int setup_confirm_stdio(const char *vc, int *_saved_stdin, int *_saved_stdout) {
631 _cleanup_close_ int fd = -1, saved_stdin = -1, saved_stdout = -1;
632 int r;
633
634 assert(_saved_stdin);
635 assert(_saved_stdout);
636
637 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
638 if (saved_stdin < 0)
639 return -errno;
640
641 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
642 if (saved_stdout < 0)
643 return -errno;
644
645 fd = acquire_terminal(vc, false, false, false, DEFAULT_CONFIRM_USEC);
646 if (fd < 0)
647 return fd;
648
649 r = chown_terminal(fd, getuid());
650 if (r < 0)
651 return r;
652
653 r = reset_terminal_fd(fd, true);
654 if (r < 0)
655 return r;
656
657 if (dup2(fd, STDIN_FILENO) < 0)
658 return -errno;
659
660 if (dup2(fd, STDOUT_FILENO) < 0)
661 return -errno;
662
663 if (fd >= 2)
664 safe_close(fd);
665 fd = -1;
666
667 *_saved_stdin = saved_stdin;
668 *_saved_stdout = saved_stdout;
669
670 saved_stdin = saved_stdout = -1;
671
672 return 0;
673 }
674
675 static void write_confirm_error_fd(int err, int fd, const Unit *u) {
676 assert(err < 0);
677
678 if (err == -ETIMEDOUT)
679 dprintf(fd, "Confirmation question timed out for %s, assuming positive response.\n", u->id);
680 else {
681 errno = -err;
682 dprintf(fd, "Couldn't ask confirmation for %s: %m, assuming positive response.\n", u->id);
683 }
684 }
685
686 static void write_confirm_error(int err, const char *vc, const Unit *u) {
687 _cleanup_close_ int fd = -1;
688
689 assert(vc);
690
691 fd = open_terminal(vc, O_WRONLY|O_NOCTTY|O_CLOEXEC);
692 if (fd < 0)
693 return;
694
695 write_confirm_error_fd(err, fd, u);
696 }
697
698 static int restore_confirm_stdio(int *saved_stdin, int *saved_stdout) {
699 int r = 0;
700
701 assert(saved_stdin);
702 assert(saved_stdout);
703
704 release_terminal();
705
706 if (*saved_stdin >= 0)
707 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
708 r = -errno;
709
710 if (*saved_stdout >= 0)
711 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
712 r = -errno;
713
714 *saved_stdin = safe_close(*saved_stdin);
715 *saved_stdout = safe_close(*saved_stdout);
716
717 return r;
718 }
719
720 enum {
721 CONFIRM_PRETEND_FAILURE = -1,
722 CONFIRM_PRETEND_SUCCESS = 0,
723 CONFIRM_EXECUTE = 1,
724 };
725
726 static int ask_for_confirmation(const char *vc, Unit *u, const char *cmdline) {
727 int saved_stdout = -1, saved_stdin = -1, r;
728 _cleanup_free_ char *e = NULL;
729 char c;
730
731 /* For any internal errors, assume a positive response. */
732 r = setup_confirm_stdio(vc, &saved_stdin, &saved_stdout);
733 if (r < 0) {
734 write_confirm_error(r, vc, u);
735 return CONFIRM_EXECUTE;
736 }
737
738 /* confirm_spawn might have been disabled while we were sleeping. */
739 if (manager_is_confirm_spawn_disabled(u->manager)) {
740 r = 1;
741 goto restore_stdio;
742 }
743
744 e = ellipsize(cmdline, 60, 100);
745 if (!e) {
746 log_oom();
747 r = CONFIRM_EXECUTE;
748 goto restore_stdio;
749 }
750
751 for (;;) {
752 r = ask_char(&c, "yfshiDjcn", "Execute %s? [y, f, s – h for help] ", e);
753 if (r < 0) {
754 write_confirm_error_fd(r, STDOUT_FILENO, u);
755 r = CONFIRM_EXECUTE;
756 goto restore_stdio;
757 }
758
759 switch (c) {
760 case 'c':
761 printf("Resuming normal execution.\n");
762 manager_disable_confirm_spawn();
763 r = 1;
764 break;
765 case 'D':
766 unit_dump(u, stdout, " ");
767 continue; /* ask again */
768 case 'f':
769 printf("Failing execution.\n");
770 r = CONFIRM_PRETEND_FAILURE;
771 break;
772 case 'h':
773 printf(" c - continue, proceed without asking anymore\n"
774 " D - dump, show the state of the unit\n"
775 " f - fail, don't execute the command and pretend it failed\n"
776 " h - help\n"
777 " i - info, show a short summary of the unit\n"
778 " j - jobs, show jobs that are in progress\n"
779 " s - skip, don't execute the command and pretend it succeeded\n"
780 " y - yes, execute the command\n");
781 continue; /* ask again */
782 case 'i':
783 printf(" Description: %s\n"
784 " Unit: %s\n"
785 " Command: %s\n",
786 u->id, u->description, cmdline);
787 continue; /* ask again */
788 case 'j':
789 manager_dump_jobs(u->manager, stdout, " ");
790 continue; /* ask again */
791 case 'n':
792 /* 'n' was removed in favor of 'f'. */
793 printf("Didn't understand 'n', did you mean 'f'?\n");
794 continue; /* ask again */
795 case 's':
796 printf("Skipping execution.\n");
797 r = CONFIRM_PRETEND_SUCCESS;
798 break;
799 case 'y':
800 r = CONFIRM_EXECUTE;
801 break;
802 default:
803 assert_not_reached("Unhandled choice");
804 }
805 break;
806 }
807
808 restore_stdio:
809 restore_confirm_stdio(&saved_stdin, &saved_stdout);
810 return r;
811 }
812
813 static int get_fixed_user(const ExecContext *c, const char **user,
814 uid_t *uid, gid_t *gid,
815 const char **home, const char **shell) {
816 int r;
817 const char *name;
818
819 assert(c);
820
821 if (!c->user)
822 return 0;
823
824 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
825 * (i.e. are "/" or "/bin/nologin"). */
826
827 name = c->user;
828 r = get_user_creds_clean(&name, uid, gid, home, shell);
829 if (r < 0)
830 return r;
831
832 *user = name;
833 return 0;
834 }
835
836 static int get_fixed_group(const ExecContext *c, const char **group, gid_t *gid) {
837 int r;
838 const char *name;
839
840 assert(c);
841
842 if (!c->group)
843 return 0;
844
845 name = c->group;
846 r = get_group_creds(&name, gid);
847 if (r < 0)
848 return r;
849
850 *group = name;
851 return 0;
852 }
853
854 static int get_supplementary_groups(const ExecContext *c, const char *user,
855 const char *group, gid_t gid,
856 gid_t **supplementary_gids, int *ngids) {
857 char **i;
858 int r, k = 0;
859 int ngroups_max;
860 bool keep_groups = false;
861 gid_t *groups = NULL;
862 _cleanup_free_ gid_t *l_gids = NULL;
863
864 assert(c);
865
866 /*
867 * If user is given, then lookup GID and supplementary groups list.
868 * We avoid NSS lookups for gid=0. Also we have to initialize groups
869 * here and as early as possible so we keep the list of supplementary
870 * groups of the caller.
871 */
872 if (user && gid_is_valid(gid) && gid != 0) {
873 /* First step, initialize groups from /etc/groups */
874 if (initgroups(user, gid) < 0)
875 return -errno;
876
877 keep_groups = true;
878 }
879
880 if (!c->supplementary_groups)
881 return 0;
882
883 /*
884 * If SupplementaryGroups= was passed then NGROUPS_MAX has to
885 * be positive, otherwise fail.
886 */
887 errno = 0;
888 ngroups_max = (int) sysconf(_SC_NGROUPS_MAX);
889 if (ngroups_max <= 0) {
890 if (errno > 0)
891 return -errno;
892 else
893 return -EOPNOTSUPP; /* For all other values */
894 }
895
896 l_gids = new(gid_t, ngroups_max);
897 if (!l_gids)
898 return -ENOMEM;
899
900 if (keep_groups) {
901 /*
902 * Lookup the list of groups that the user belongs to, we
903 * avoid NSS lookups here too for gid=0.
904 */
905 k = ngroups_max;
906 if (getgrouplist(user, gid, l_gids, &k) < 0)
907 return -EINVAL;
908 } else
909 k = 0;
910
911 STRV_FOREACH(i, c->supplementary_groups) {
912 const char *g;
913
914 if (k >= ngroups_max)
915 return -E2BIG;
916
917 g = *i;
918 r = get_group_creds(&g, l_gids+k);
919 if (r < 0)
920 return r;
921
922 k++;
923 }
924
925 /*
926 * Sets ngids to zero to drop all supplementary groups, happens
927 * when we are under root and SupplementaryGroups= is empty.
928 */
929 if (k == 0) {
930 *ngids = 0;
931 return 0;
932 }
933
934 /* Otherwise get the final list of supplementary groups */
935 groups = memdup(l_gids, sizeof(gid_t) * k);
936 if (!groups)
937 return -ENOMEM;
938
939 *supplementary_gids = groups;
940 *ngids = k;
941
942 groups = NULL;
943
944 return 0;
945 }
946
947 static int enforce_groups(const ExecContext *context, gid_t gid,
948 gid_t *supplementary_gids, int ngids) {
949 int r;
950
951 assert(context);
952
953 /* Handle SupplementaryGroups= even if it is empty */
954 if (context->supplementary_groups) {
955 r = maybe_setgroups(ngids, supplementary_gids);
956 if (r < 0)
957 return r;
958 }
959
960 if (gid_is_valid(gid)) {
961 /* Then set our gids */
962 if (setresgid(gid, gid, gid) < 0)
963 return -errno;
964 }
965
966 return 0;
967 }
968
969 static int enforce_user(const ExecContext *context, uid_t uid) {
970 assert(context);
971
972 if (!uid_is_valid(uid))
973 return 0;
974
975 /* Sets (but doesn't look up) the uid and make sure we keep the
976 * capabilities while doing so. */
977
978 if (context->capability_ambient_set != 0) {
979
980 /* First step: If we need to keep capabilities but
981 * drop privileges we need to make sure we keep our
982 * caps, while we drop privileges. */
983 if (uid != 0) {
984 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
985
986 if (prctl(PR_GET_SECUREBITS) != sb)
987 if (prctl(PR_SET_SECUREBITS, sb) < 0)
988 return -errno;
989 }
990 }
991
992 /* Second step: actually set the uids */
993 if (setresuid(uid, uid, uid) < 0)
994 return -errno;
995
996 /* At this point we should have all necessary capabilities but
997 are otherwise a normal user. However, the caps might got
998 corrupted due to the setresuid() so we need clean them up
999 later. This is done outside of this call. */
1000
1001 return 0;
1002 }
1003
1004 #ifdef HAVE_PAM
1005
1006 static int null_conv(
1007 int num_msg,
1008 const struct pam_message **msg,
1009 struct pam_response **resp,
1010 void *appdata_ptr) {
1011
1012 /* We don't support conversations */
1013
1014 return PAM_CONV_ERR;
1015 }
1016
1017 #endif
1018
1019 static int setup_pam(
1020 const char *name,
1021 const char *user,
1022 uid_t uid,
1023 gid_t gid,
1024 const char *tty,
1025 char ***env,
1026 int fds[], unsigned n_fds) {
1027
1028 #ifdef HAVE_PAM
1029
1030 static const struct pam_conv conv = {
1031 .conv = null_conv,
1032 .appdata_ptr = NULL
1033 };
1034
1035 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
1036 pam_handle_t *handle = NULL;
1037 sigset_t old_ss;
1038 int pam_code = PAM_SUCCESS, r;
1039 char **nv, **e = NULL;
1040 bool close_session = false;
1041 pid_t pam_pid = 0, parent_pid;
1042 int flags = 0;
1043
1044 assert(name);
1045 assert(user);
1046 assert(env);
1047
1048 /* We set up PAM in the parent process, then fork. The child
1049 * will then stay around until killed via PR_GET_PDEATHSIG or
1050 * systemd via the cgroup logic. It will then remove the PAM
1051 * session again. The parent process will exec() the actual
1052 * daemon. We do things this way to ensure that the main PID
1053 * of the daemon is the one we initially fork()ed. */
1054
1055 r = barrier_create(&barrier);
1056 if (r < 0)
1057 goto fail;
1058
1059 if (log_get_max_level() < LOG_DEBUG)
1060 flags |= PAM_SILENT;
1061
1062 pam_code = pam_start(name, user, &conv, &handle);
1063 if (pam_code != PAM_SUCCESS) {
1064 handle = NULL;
1065 goto fail;
1066 }
1067
1068 if (tty) {
1069 pam_code = pam_set_item(handle, PAM_TTY, tty);
1070 if (pam_code != PAM_SUCCESS)
1071 goto fail;
1072 }
1073
1074 STRV_FOREACH(nv, *env) {
1075 pam_code = pam_putenv(handle, *nv);
1076 if (pam_code != PAM_SUCCESS)
1077 goto fail;
1078 }
1079
1080 pam_code = pam_acct_mgmt(handle, flags);
1081 if (pam_code != PAM_SUCCESS)
1082 goto fail;
1083
1084 pam_code = pam_open_session(handle, flags);
1085 if (pam_code != PAM_SUCCESS)
1086 goto fail;
1087
1088 close_session = true;
1089
1090 e = pam_getenvlist(handle);
1091 if (!e) {
1092 pam_code = PAM_BUF_ERR;
1093 goto fail;
1094 }
1095
1096 /* Block SIGTERM, so that we know that it won't get lost in
1097 * the child */
1098
1099 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
1100
1101 parent_pid = getpid_cached();
1102
1103 pam_pid = fork();
1104 if (pam_pid < 0) {
1105 r = -errno;
1106 goto fail;
1107 }
1108
1109 if (pam_pid == 0) {
1110 int sig, ret = EXIT_PAM;
1111
1112 /* The child's job is to reset the PAM session on
1113 * termination */
1114 barrier_set_role(&barrier, BARRIER_CHILD);
1115
1116 /* This string must fit in 10 chars (i.e. the length
1117 * of "/sbin/init"), to look pretty in /bin/ps */
1118 rename_process("(sd-pam)");
1119
1120 /* Make sure we don't keep open the passed fds in this
1121 child. We assume that otherwise only those fds are
1122 open here that have been opened by PAM. */
1123 close_many(fds, n_fds);
1124
1125 /* Drop privileges - we don't need any to pam_close_session
1126 * and this will make PR_SET_PDEATHSIG work in most cases.
1127 * If this fails, ignore the error - but expect sd-pam threads
1128 * to fail to exit normally */
1129
1130 r = maybe_setgroups(0, NULL);
1131 if (r < 0)
1132 log_warning_errno(r, "Failed to setgroups() in sd-pam: %m");
1133 if (setresgid(gid, gid, gid) < 0)
1134 log_warning_errno(errno, "Failed to setresgid() in sd-pam: %m");
1135 if (setresuid(uid, uid, uid) < 0)
1136 log_warning_errno(errno, "Failed to setresuid() in sd-pam: %m");
1137
1138 (void) ignore_signals(SIGPIPE, -1);
1139
1140 /* Wait until our parent died. This will only work if
1141 * the above setresuid() succeeds, otherwise the kernel
1142 * will not allow unprivileged parents kill their privileged
1143 * children this way. We rely on the control groups kill logic
1144 * to do the rest for us. */
1145 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
1146 goto child_finish;
1147
1148 /* Tell the parent that our setup is done. This is especially
1149 * important regarding dropping privileges. Otherwise, unit
1150 * setup might race against our setresuid(2) call.
1151 *
1152 * If the parent aborted, we'll detect this below, hence ignore
1153 * return failure here. */
1154 (void) barrier_place(&barrier);
1155
1156 /* Check if our parent process might already have died? */
1157 if (getppid() == parent_pid) {
1158 sigset_t ss;
1159
1160 assert_se(sigemptyset(&ss) >= 0);
1161 assert_se(sigaddset(&ss, SIGTERM) >= 0);
1162
1163 for (;;) {
1164 if (sigwait(&ss, &sig) < 0) {
1165 if (errno == EINTR)
1166 continue;
1167
1168 goto child_finish;
1169 }
1170
1171 assert(sig == SIGTERM);
1172 break;
1173 }
1174 }
1175
1176 /* If our parent died we'll end the session */
1177 if (getppid() != parent_pid) {
1178 pam_code = pam_close_session(handle, flags);
1179 if (pam_code != PAM_SUCCESS)
1180 goto child_finish;
1181 }
1182
1183 ret = 0;
1184
1185 child_finish:
1186 pam_end(handle, pam_code | flags);
1187 _exit(ret);
1188 }
1189
1190 barrier_set_role(&barrier, BARRIER_PARENT);
1191
1192 /* If the child was forked off successfully it will do all the
1193 * cleanups, so forget about the handle here. */
1194 handle = NULL;
1195
1196 /* Unblock SIGTERM again in the parent */
1197 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
1198
1199 /* We close the log explicitly here, since the PAM modules
1200 * might have opened it, but we don't want this fd around. */
1201 closelog();
1202
1203 /* Synchronously wait for the child to initialize. We don't care for
1204 * errors as we cannot recover. However, warn loudly if it happens. */
1205 if (!barrier_place_and_sync(&barrier))
1206 log_error("PAM initialization failed");
1207
1208 strv_free(*env);
1209 *env = e;
1210
1211 return 0;
1212
1213 fail:
1214 if (pam_code != PAM_SUCCESS) {
1215 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
1216 r = -EPERM; /* PAM errors do not map to errno */
1217 } else
1218 log_error_errno(r, "PAM failed: %m");
1219
1220 if (handle) {
1221 if (close_session)
1222 pam_code = pam_close_session(handle, flags);
1223
1224 pam_end(handle, pam_code | flags);
1225 }
1226
1227 strv_free(e);
1228 closelog();
1229
1230 return r;
1231 #else
1232 return 0;
1233 #endif
1234 }
1235
1236 static void rename_process_from_path(const char *path) {
1237 char process_name[11];
1238 const char *p;
1239 size_t l;
1240
1241 /* This resulting string must fit in 10 chars (i.e. the length
1242 * of "/sbin/init") to look pretty in /bin/ps */
1243
1244 p = basename(path);
1245 if (isempty(p)) {
1246 rename_process("(...)");
1247 return;
1248 }
1249
1250 l = strlen(p);
1251 if (l > 8) {
1252 /* The end of the process name is usually more
1253 * interesting, since the first bit might just be
1254 * "systemd-" */
1255 p = p + l - 8;
1256 l = 8;
1257 }
1258
1259 process_name[0] = '(';
1260 memcpy(process_name+1, p, l);
1261 process_name[1+l] = ')';
1262 process_name[1+l+1] = 0;
1263
1264 rename_process(process_name);
1265 }
1266
1267 static bool context_has_address_families(const ExecContext *c) {
1268 assert(c);
1269
1270 return c->address_families_whitelist ||
1271 !set_isempty(c->address_families);
1272 }
1273
1274 static bool context_has_syscall_filters(const ExecContext *c) {
1275 assert(c);
1276
1277 return c->syscall_whitelist ||
1278 !set_isempty(c->syscall_filter);
1279 }
1280
1281 static bool context_has_no_new_privileges(const ExecContext *c) {
1282 assert(c);
1283
1284 if (c->no_new_privileges)
1285 return true;
1286
1287 if (have_effective_cap(CAP_SYS_ADMIN)) /* if we are privileged, we don't need NNP */
1288 return false;
1289
1290 /* We need NNP if we have any form of seccomp and are unprivileged */
1291 return context_has_address_families(c) ||
1292 c->memory_deny_write_execute ||
1293 c->restrict_realtime ||
1294 exec_context_restrict_namespaces_set(c) ||
1295 c->protect_kernel_tunables ||
1296 c->protect_kernel_modules ||
1297 c->private_devices ||
1298 context_has_syscall_filters(c) ||
1299 !set_isempty(c->syscall_archs);
1300 }
1301
1302 #ifdef HAVE_SECCOMP
1303
1304 static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
1305
1306 if (is_seccomp_available())
1307 return false;
1308
1309 log_open();
1310 log_unit_debug(u, "SECCOMP features not detected in the kernel, skipping %s", msg);
1311 log_close();
1312 return true;
1313 }
1314
1315 static int apply_syscall_filter(const Unit* u, const ExecContext *c) {
1316 uint32_t negative_action, default_action, action;
1317
1318 assert(u);
1319 assert(c);
1320
1321 if (!context_has_syscall_filters(c))
1322 return 0;
1323
1324 if (skip_seccomp_unavailable(u, "SystemCallFilter="))
1325 return 0;
1326
1327 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
1328
1329 if (c->syscall_whitelist) {
1330 default_action = negative_action;
1331 action = SCMP_ACT_ALLOW;
1332 } else {
1333 default_action = SCMP_ACT_ALLOW;
1334 action = negative_action;
1335 }
1336
1337 return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_filter, action);
1338 }
1339
1340 static int apply_syscall_archs(const Unit *u, const ExecContext *c) {
1341 assert(u);
1342 assert(c);
1343
1344 if (set_isempty(c->syscall_archs))
1345 return 0;
1346
1347 if (skip_seccomp_unavailable(u, "SystemCallArchitectures="))
1348 return 0;
1349
1350 return seccomp_restrict_archs(c->syscall_archs);
1351 }
1352
1353 static int apply_address_families(const Unit* u, const ExecContext *c) {
1354 assert(u);
1355 assert(c);
1356
1357 if (!context_has_address_families(c))
1358 return 0;
1359
1360 if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
1361 return 0;
1362
1363 return seccomp_restrict_address_families(c->address_families, c->address_families_whitelist);
1364 }
1365
1366 static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c) {
1367 assert(u);
1368 assert(c);
1369
1370 if (!c->memory_deny_write_execute)
1371 return 0;
1372
1373 if (skip_seccomp_unavailable(u, "MemoryDenyWriteExecute="))
1374 return 0;
1375
1376 return seccomp_memory_deny_write_execute();
1377 }
1378
1379 static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
1380 assert(u);
1381 assert(c);
1382
1383 if (!c->restrict_realtime)
1384 return 0;
1385
1386 if (skip_seccomp_unavailable(u, "RestrictRealtime="))
1387 return 0;
1388
1389 return seccomp_restrict_realtime();
1390 }
1391
1392 static int apply_protect_sysctl(const Unit *u, const ExecContext *c) {
1393 assert(u);
1394 assert(c);
1395
1396 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1397 * let's protect even those systems where this is left on in the kernel. */
1398
1399 if (!c->protect_kernel_tunables)
1400 return 0;
1401
1402 if (skip_seccomp_unavailable(u, "ProtectKernelTunables="))
1403 return 0;
1404
1405 return seccomp_protect_sysctl();
1406 }
1407
1408 static int apply_protect_kernel_modules(const Unit *u, const ExecContext *c) {
1409 assert(u);
1410 assert(c);
1411
1412 /* Turn off module syscalls on ProtectKernelModules=yes */
1413
1414 if (!c->protect_kernel_modules)
1415 return 0;
1416
1417 if (skip_seccomp_unavailable(u, "ProtectKernelModules="))
1418 return 0;
1419
1420 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM));
1421 }
1422
1423 static int apply_private_devices(const Unit *u, const ExecContext *c) {
1424 assert(u);
1425 assert(c);
1426
1427 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
1428
1429 if (!c->private_devices)
1430 return 0;
1431
1432 if (skip_seccomp_unavailable(u, "PrivateDevices="))
1433 return 0;
1434
1435 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
1436 }
1437
1438 static int apply_restrict_namespaces(Unit *u, const ExecContext *c) {
1439 assert(u);
1440 assert(c);
1441
1442 if (!exec_context_restrict_namespaces_set(c))
1443 return 0;
1444
1445 if (skip_seccomp_unavailable(u, "RestrictNamespaces="))
1446 return 0;
1447
1448 return seccomp_restrict_namespaces(c->restrict_namespaces);
1449 }
1450
1451 #endif
1452
1453 static void do_idle_pipe_dance(int idle_pipe[4]) {
1454 assert(idle_pipe);
1455
1456 idle_pipe[1] = safe_close(idle_pipe[1]);
1457 idle_pipe[2] = safe_close(idle_pipe[2]);
1458
1459 if (idle_pipe[0] >= 0) {
1460 int r;
1461
1462 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1463
1464 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
1465 ssize_t n;
1466
1467 /* Signal systemd that we are bored and want to continue. */
1468 n = write(idle_pipe[3], "x", 1);
1469 if (n > 0)
1470 /* Wait for systemd to react to the signal above. */
1471 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1472 }
1473
1474 idle_pipe[0] = safe_close(idle_pipe[0]);
1475
1476 }
1477
1478 idle_pipe[3] = safe_close(idle_pipe[3]);
1479 }
1480
1481 static int build_environment(
1482 Unit *u,
1483 const ExecContext *c,
1484 const ExecParameters *p,
1485 unsigned n_fds,
1486 const char *home,
1487 const char *username,
1488 const char *shell,
1489 dev_t journal_stream_dev,
1490 ino_t journal_stream_ino,
1491 char ***ret) {
1492
1493 _cleanup_strv_free_ char **our_env = NULL;
1494 unsigned n_env = 0;
1495 char *x;
1496
1497 assert(u);
1498 assert(c);
1499 assert(ret);
1500
1501 our_env = new0(char*, 14);
1502 if (!our_env)
1503 return -ENOMEM;
1504
1505 if (n_fds > 0) {
1506 _cleanup_free_ char *joined = NULL;
1507
1508 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid_cached()) < 0)
1509 return -ENOMEM;
1510 our_env[n_env++] = x;
1511
1512 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1513 return -ENOMEM;
1514 our_env[n_env++] = x;
1515
1516 joined = strv_join(p->fd_names, ":");
1517 if (!joined)
1518 return -ENOMEM;
1519
1520 x = strjoin("LISTEN_FDNAMES=", joined);
1521 if (!x)
1522 return -ENOMEM;
1523 our_env[n_env++] = x;
1524 }
1525
1526 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
1527 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid_cached()) < 0)
1528 return -ENOMEM;
1529 our_env[n_env++] = x;
1530
1531 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, p->watchdog_usec) < 0)
1532 return -ENOMEM;
1533 our_env[n_env++] = x;
1534 }
1535
1536 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1537 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1538 * check the database directly. */
1539 if (p->flags & EXEC_NSS_BYPASS_BUS) {
1540 x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1541 if (!x)
1542 return -ENOMEM;
1543 our_env[n_env++] = x;
1544 }
1545
1546 if (home) {
1547 x = strappend("HOME=", home);
1548 if (!x)
1549 return -ENOMEM;
1550 our_env[n_env++] = x;
1551 }
1552
1553 if (username) {
1554 x = strappend("LOGNAME=", username);
1555 if (!x)
1556 return -ENOMEM;
1557 our_env[n_env++] = x;
1558
1559 x = strappend("USER=", username);
1560 if (!x)
1561 return -ENOMEM;
1562 our_env[n_env++] = x;
1563 }
1564
1565 if (shell) {
1566 x = strappend("SHELL=", shell);
1567 if (!x)
1568 return -ENOMEM;
1569 our_env[n_env++] = x;
1570 }
1571
1572 if (!sd_id128_is_null(u->invocation_id)) {
1573 if (asprintf(&x, "INVOCATION_ID=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(u->invocation_id)) < 0)
1574 return -ENOMEM;
1575
1576 our_env[n_env++] = x;
1577 }
1578
1579 if (exec_context_needs_term(c)) {
1580 const char *tty_path, *term = NULL;
1581
1582 tty_path = exec_context_tty_path(c);
1583
1584 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try to inherit
1585 * the $TERM set for PID 1. This is useful for containers so that the $TERM the container manager
1586 * passes to PID 1 ends up all the way in the console login shown. */
1587
1588 if (path_equal(tty_path, "/dev/console") && getppid() == 1)
1589 term = getenv("TERM");
1590 if (!term)
1591 term = default_term_for_tty(tty_path);
1592
1593 x = strappend("TERM=", term);
1594 if (!x)
1595 return -ENOMEM;
1596 our_env[n_env++] = x;
1597 }
1598
1599 if (journal_stream_dev != 0 && journal_stream_ino != 0) {
1600 if (asprintf(&x, "JOURNAL_STREAM=" DEV_FMT ":" INO_FMT, journal_stream_dev, journal_stream_ino) < 0)
1601 return -ENOMEM;
1602
1603 our_env[n_env++] = x;
1604 }
1605
1606 our_env[n_env++] = NULL;
1607 assert(n_env <= 12);
1608
1609 *ret = our_env;
1610 our_env = NULL;
1611
1612 return 0;
1613 }
1614
1615 static int build_pass_environment(const ExecContext *c, char ***ret) {
1616 _cleanup_strv_free_ char **pass_env = NULL;
1617 size_t n_env = 0, n_bufsize = 0;
1618 char **i;
1619
1620 STRV_FOREACH(i, c->pass_environment) {
1621 _cleanup_free_ char *x = NULL;
1622 char *v;
1623
1624 v = getenv(*i);
1625 if (!v)
1626 continue;
1627 x = strjoin(*i, "=", v);
1628 if (!x)
1629 return -ENOMEM;
1630 if (!GREEDY_REALLOC(pass_env, n_bufsize, n_env + 2))
1631 return -ENOMEM;
1632 pass_env[n_env++] = x;
1633 pass_env[n_env] = NULL;
1634 x = NULL;
1635 }
1636
1637 *ret = pass_env;
1638 pass_env = NULL;
1639
1640 return 0;
1641 }
1642
1643 static bool exec_needs_mount_namespace(
1644 const ExecContext *context,
1645 const ExecParameters *params,
1646 ExecRuntime *runtime) {
1647
1648 assert(context);
1649 assert(params);
1650
1651 if (context->root_image)
1652 return true;
1653
1654 if (!strv_isempty(context->read_write_paths) ||
1655 !strv_isempty(context->read_only_paths) ||
1656 !strv_isempty(context->inaccessible_paths))
1657 return true;
1658
1659 if (context->n_bind_mounts > 0)
1660 return true;
1661
1662 if (context->mount_flags != 0)
1663 return true;
1664
1665 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1666 return true;
1667
1668 if (context->private_devices ||
1669 context->protect_system != PROTECT_SYSTEM_NO ||
1670 context->protect_home != PROTECT_HOME_NO ||
1671 context->protect_kernel_tunables ||
1672 context->protect_kernel_modules ||
1673 context->protect_control_groups)
1674 return true;
1675
1676 if (context->mount_apivfs && (context->root_image || context->root_directory))
1677 return true;
1678
1679 return false;
1680 }
1681
1682 static int setup_private_users(uid_t uid, gid_t gid) {
1683 _cleanup_free_ char *uid_map = NULL, *gid_map = NULL;
1684 _cleanup_close_pair_ int errno_pipe[2] = { -1, -1 };
1685 _cleanup_close_ int unshare_ready_fd = -1;
1686 _cleanup_(sigkill_waitp) pid_t pid = 0;
1687 uint64_t c = 1;
1688 siginfo_t si;
1689 ssize_t n;
1690 int r;
1691
1692 /* Set up a user namespace and map root to root, the selected UID/GID to itself, and everything else to
1693 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1694 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1695 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1696 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
1697 * continues execution normally. */
1698
1699 if (uid != 0 && uid_is_valid(uid)) {
1700 r = asprintf(&uid_map,
1701 "0 0 1\n" /* Map root → root */
1702 UID_FMT " " UID_FMT " 1\n", /* Map $UID → $UID */
1703 uid, uid);
1704 if (r < 0)
1705 return -ENOMEM;
1706 } else {
1707 uid_map = strdup("0 0 1\n"); /* The case where the above is the same */
1708 if (!uid_map)
1709 return -ENOMEM;
1710 }
1711
1712 if (gid != 0 && gid_is_valid(gid)) {
1713 r = asprintf(&gid_map,
1714 "0 0 1\n" /* Map root → root */
1715 GID_FMT " " GID_FMT " 1\n", /* Map $GID → $GID */
1716 gid, gid);
1717 if (r < 0)
1718 return -ENOMEM;
1719 } else {
1720 gid_map = strdup("0 0 1\n"); /* The case where the above is the same */
1721 if (!gid_map)
1722 return -ENOMEM;
1723 }
1724
1725 /* Create a communication channel so that the parent can tell the child when it finished creating the user
1726 * namespace. */
1727 unshare_ready_fd = eventfd(0, EFD_CLOEXEC);
1728 if (unshare_ready_fd < 0)
1729 return -errno;
1730
1731 /* Create a communication channel so that the child can tell the parent a proper error code in case it
1732 * failed. */
1733 if (pipe2(errno_pipe, O_CLOEXEC) < 0)
1734 return -errno;
1735
1736 pid = fork();
1737 if (pid < 0)
1738 return -errno;
1739
1740 if (pid == 0) {
1741 _cleanup_close_ int fd = -1;
1742 const char *a;
1743 pid_t ppid;
1744
1745 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
1746 * here, after the parent opened its own user namespace. */
1747
1748 ppid = getppid();
1749 errno_pipe[0] = safe_close(errno_pipe[0]);
1750
1751 /* Wait until the parent unshared the user namespace */
1752 if (read(unshare_ready_fd, &c, sizeof(c)) < 0) {
1753 r = -errno;
1754 goto child_fail;
1755 }
1756
1757 /* Disable the setgroups() system call in the child user namespace, for good. */
1758 a = procfs_file_alloca(ppid, "setgroups");
1759 fd = open(a, O_WRONLY|O_CLOEXEC);
1760 if (fd < 0) {
1761 if (errno != ENOENT) {
1762 r = -errno;
1763 goto child_fail;
1764 }
1765
1766 /* If the file is missing the kernel is too old, let's continue anyway. */
1767 } else {
1768 if (write(fd, "deny\n", 5) < 0) {
1769 r = -errno;
1770 goto child_fail;
1771 }
1772
1773 fd = safe_close(fd);
1774 }
1775
1776 /* First write the GID map */
1777 a = procfs_file_alloca(ppid, "gid_map");
1778 fd = open(a, O_WRONLY|O_CLOEXEC);
1779 if (fd < 0) {
1780 r = -errno;
1781 goto child_fail;
1782 }
1783 if (write(fd, gid_map, strlen(gid_map)) < 0) {
1784 r = -errno;
1785 goto child_fail;
1786 }
1787 fd = safe_close(fd);
1788
1789 /* The write the UID map */
1790 a = procfs_file_alloca(ppid, "uid_map");
1791 fd = open(a, O_WRONLY|O_CLOEXEC);
1792 if (fd < 0) {
1793 r = -errno;
1794 goto child_fail;
1795 }
1796 if (write(fd, uid_map, strlen(uid_map)) < 0) {
1797 r = -errno;
1798 goto child_fail;
1799 }
1800
1801 _exit(EXIT_SUCCESS);
1802
1803 child_fail:
1804 (void) write(errno_pipe[1], &r, sizeof(r));
1805 _exit(EXIT_FAILURE);
1806 }
1807
1808 errno_pipe[1] = safe_close(errno_pipe[1]);
1809
1810 if (unshare(CLONE_NEWUSER) < 0)
1811 return -errno;
1812
1813 /* Let the child know that the namespace is ready now */
1814 if (write(unshare_ready_fd, &c, sizeof(c)) < 0)
1815 return -errno;
1816
1817 /* Try to read an error code from the child */
1818 n = read(errno_pipe[0], &r, sizeof(r));
1819 if (n < 0)
1820 return -errno;
1821 if (n == sizeof(r)) { /* an error code was sent to us */
1822 if (r < 0)
1823 return r;
1824 return -EIO;
1825 }
1826 if (n != 0) /* on success we should have read 0 bytes */
1827 return -EIO;
1828
1829 r = wait_for_terminate(pid, &si);
1830 if (r < 0)
1831 return r;
1832 pid = 0;
1833
1834 /* If something strange happened with the child, let's consider this fatal, too */
1835 if (si.si_code != CLD_EXITED || si.si_status != 0)
1836 return -EIO;
1837
1838 return 0;
1839 }
1840
1841 static int setup_exec_directory(
1842 const ExecContext *context,
1843 const ExecParameters *params,
1844 uid_t uid,
1845 gid_t gid,
1846 ExecDirectoryType type,
1847 int *exit_status) {
1848
1849 static const int exit_status_table[_EXEC_DIRECTORY_MAX] = {
1850 [EXEC_DIRECTORY_RUNTIME] = EXIT_RUNTIME_DIRECTORY,
1851 [EXEC_DIRECTORY_STATE] = EXIT_STATE_DIRECTORY,
1852 [EXEC_DIRECTORY_CACHE] = EXIT_CACHE_DIRECTORY,
1853 [EXEC_DIRECTORY_LOGS] = EXIT_LOGS_DIRECTORY,
1854 [EXEC_DIRECTORY_CONFIGURATION] = EXIT_CONFIGURATION_DIRECTORY,
1855 };
1856 char **rt;
1857 int r;
1858
1859 assert(context);
1860 assert(params);
1861 assert(type >= 0 && type < _EXEC_DIRECTORY_MAX);
1862 assert(exit_status);
1863
1864 if (!params->prefix[type])
1865 return 0;
1866
1867 if (params->flags & EXEC_CHOWN_DIRECTORIES) {
1868 if (!uid_is_valid(uid))
1869 uid = 0;
1870 if (!gid_is_valid(gid))
1871 gid = 0;
1872 }
1873
1874 STRV_FOREACH(rt, context->directories[type].paths) {
1875 _cleanup_free_ char *p;
1876
1877 p = strjoin(params->prefix[type], "/", *rt);
1878 if (!p) {
1879 r = -ENOMEM;
1880 goto fail;
1881 }
1882
1883 r = mkdir_parents_label(p, 0755);
1884 if (r < 0)
1885 goto fail;
1886
1887 r = mkdir_p_label(p, context->directories[type].mode);
1888 if (r < 0)
1889 goto fail;
1890
1891 /* Don't change the owner of the configuration directory, as in the common case it is not written to by
1892 * a service, and shall not be writable. */
1893 if (type == EXEC_DIRECTORY_CONFIGURATION)
1894 continue;
1895
1896 r = chmod_and_chown(p, context->directories[type].mode, uid, gid);
1897 if (r < 0)
1898 goto fail;
1899 }
1900
1901 return 0;
1902
1903 fail:
1904 *exit_status = exit_status_table[type];
1905
1906 return r;
1907 }
1908
1909 static int setup_smack(
1910 const ExecContext *context,
1911 const ExecCommand *command) {
1912
1913 int r;
1914
1915 assert(context);
1916 assert(command);
1917
1918 if (context->smack_process_label) {
1919 r = mac_smack_apply_pid(0, context->smack_process_label);
1920 if (r < 0)
1921 return r;
1922 }
1923 #ifdef SMACK_DEFAULT_PROCESS_LABEL
1924 else {
1925 _cleanup_free_ char *exec_label = NULL;
1926
1927 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
1928 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP)
1929 return r;
1930
1931 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
1932 if (r < 0)
1933 return r;
1934 }
1935 #endif
1936
1937 return 0;
1938 }
1939
1940 static int compile_read_write_paths(
1941 const ExecContext *context,
1942 const ExecParameters *params,
1943 char ***ret) {
1944
1945 _cleanup_strv_free_ char **l = NULL;
1946 char **rt;
1947 ExecDirectoryType i;
1948
1949 /* Compile the list of writable paths. This is the combination of
1950 * the explicitly configured paths, plus all runtime directories. */
1951
1952 if (strv_isempty(context->read_write_paths)) {
1953 for (i = 0; i < _EXEC_DIRECTORY_MAX; i++)
1954 if (!strv_isempty(context->directories[i].paths))
1955 break;
1956
1957 if (i == _EXEC_DIRECTORY_MAX) {
1958 *ret = NULL; /* NOP if neither is set */
1959 return 0;
1960 }
1961 }
1962
1963 l = strv_copy(context->read_write_paths);
1964 if (!l)
1965 return -ENOMEM;
1966
1967 for (i = 0; i < _EXEC_DIRECTORY_MAX; i++) {
1968 if (!params->prefix[i])
1969 continue;
1970
1971 STRV_FOREACH(rt, context->directories[i].paths) {
1972 char *s;
1973
1974 s = strjoin(params->prefix[i], "/", *rt);
1975 if (!s)
1976 return -ENOMEM;
1977
1978 if (strv_consume(&l, s) < 0)
1979 return -ENOMEM;
1980 }
1981 }
1982
1983 *ret = l;
1984 l = NULL;
1985
1986 return 0;
1987 }
1988
1989 static int apply_mount_namespace(
1990 Unit *u,
1991 ExecCommand *command,
1992 const ExecContext *context,
1993 const ExecParameters *params,
1994 ExecRuntime *runtime) {
1995
1996 _cleanup_strv_free_ char **rw = NULL;
1997 char *tmp = NULL, *var = NULL;
1998 const char *root_dir = NULL, *root_image = NULL;
1999 NameSpaceInfo ns_info = {
2000 .ignore_protect_paths = false,
2001 .private_dev = context->private_devices,
2002 .protect_control_groups = context->protect_control_groups,
2003 .protect_kernel_tunables = context->protect_kernel_tunables,
2004 .protect_kernel_modules = context->protect_kernel_modules,
2005 .mount_apivfs = context->mount_apivfs,
2006 };
2007 bool apply_restrictions;
2008 int r;
2009
2010 assert(context);
2011
2012 /* The runtime struct only contains the parent of the private /tmp,
2013 * which is non-accessible to world users. Inside of it there's a /tmp
2014 * that is sticky, and that's the one we want to use here. */
2015
2016 if (context->private_tmp && runtime) {
2017 if (runtime->tmp_dir)
2018 tmp = strjoina(runtime->tmp_dir, "/tmp");
2019 if (runtime->var_tmp_dir)
2020 var = strjoina(runtime->var_tmp_dir, "/tmp");
2021 }
2022
2023 r = compile_read_write_paths(context, params, &rw);
2024 if (r < 0)
2025 return r;
2026
2027 if (params->flags & EXEC_APPLY_CHROOT) {
2028 root_image = context->root_image;
2029
2030 if (!root_image)
2031 root_dir = context->root_directory;
2032 }
2033
2034 /*
2035 * If DynamicUser=no and RootDirectory= is set then lets pass a relaxed
2036 * sandbox info, otherwise enforce it, don't ignore protected paths and
2037 * fail if we are enable to apply the sandbox inside the mount namespace.
2038 */
2039 if (!context->dynamic_user && root_dir)
2040 ns_info.ignore_protect_paths = true;
2041
2042 apply_restrictions = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & EXEC_COMMAND_FULLY_PRIVILEGED);
2043
2044 r = setup_namespace(root_dir, root_image,
2045 &ns_info, rw,
2046 apply_restrictions ? context->read_only_paths : NULL,
2047 apply_restrictions ? context->inaccessible_paths : NULL,
2048 context->bind_mounts,
2049 context->n_bind_mounts,
2050 tmp,
2051 var,
2052 apply_restrictions ? context->protect_home : PROTECT_HOME_NO,
2053 apply_restrictions ? context->protect_system : PROTECT_SYSTEM_NO,
2054 context->mount_flags,
2055 DISSECT_IMAGE_DISCARD_ON_LOOP);
2056
2057 /* If we couldn't set up the namespace this is probably due to a
2058 * missing capability. In this case, silently proceeed. */
2059 if (IN_SET(r, -EPERM, -EACCES)) {
2060 log_open();
2061 log_unit_debug_errno(u, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
2062 log_close();
2063 r = 0;
2064 }
2065
2066 return r;
2067 }
2068
2069 static int apply_working_directory(
2070 const ExecContext *context,
2071 const ExecParameters *params,
2072 const char *home,
2073 const bool needs_mount_ns,
2074 int *exit_status) {
2075
2076 const char *d, *wd;
2077
2078 assert(context);
2079 assert(exit_status);
2080
2081 if (context->working_directory_home) {
2082
2083 if (!home) {
2084 *exit_status = EXIT_CHDIR;
2085 return -ENXIO;
2086 }
2087
2088 wd = home;
2089
2090 } else if (context->working_directory)
2091 wd = context->working_directory;
2092 else
2093 wd = "/";
2094
2095 if (params->flags & EXEC_APPLY_CHROOT) {
2096 if (!needs_mount_ns && context->root_directory)
2097 if (chroot(context->root_directory) < 0) {
2098 *exit_status = EXIT_CHROOT;
2099 return -errno;
2100 }
2101
2102 d = wd;
2103 } else
2104 d = prefix_roota(context->root_directory, wd);
2105
2106 if (chdir(d) < 0 && !context->working_directory_missing_ok) {
2107 *exit_status = EXIT_CHDIR;
2108 return -errno;
2109 }
2110
2111 return 0;
2112 }
2113
2114 static int setup_keyring(Unit *u, const ExecParameters *p, uid_t uid, gid_t gid) {
2115 key_serial_t keyring;
2116
2117 assert(u);
2118 assert(p);
2119
2120 /* Let's set up a new per-service "session" kernel keyring for each system service. This has the benefit that
2121 * each service runs with its own keyring shared among all processes of the service, but with no hook-up beyond
2122 * that scope, and in particular no link to the per-UID keyring. If we don't do this the keyring will be
2123 * automatically created on-demand and then linked to the per-UID keyring, by the kernel. The kernel's built-in
2124 * on-demand behaviour is very appropriate for login users, but probably not so much for system services, where
2125 * UIDs are not necessarily specific to a service but reused (at least in the case of UID 0). */
2126
2127 if (!(p->flags & EXEC_NEW_KEYRING))
2128 return 0;
2129
2130 keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0);
2131 if (keyring == -1) {
2132 if (errno == ENOSYS)
2133 log_debug_errno(errno, "Kernel keyring not supported, ignoring.");
2134 else if (IN_SET(errno, EACCES, EPERM))
2135 log_debug_errno(errno, "Kernel keyring access prohibited, ignoring.");
2136 else if (errno == EDQUOT)
2137 log_debug_errno(errno, "Out of kernel keyrings to allocate, ignoring.");
2138 else
2139 return log_error_errno(errno, "Setting up kernel keyring failed: %m");
2140
2141 return 0;
2142 }
2143
2144 /* Populate they keyring with the invocation ID by default. */
2145 if (!sd_id128_is_null(u->invocation_id)) {
2146 key_serial_t key;
2147
2148 key = add_key("user", "invocation_id", &u->invocation_id, sizeof(u->invocation_id), KEY_SPEC_SESSION_KEYRING);
2149 if (key == -1)
2150 log_debug_errno(errno, "Failed to add invocation ID to keyring, ignoring: %m");
2151 else {
2152 if (keyctl(KEYCTL_SETPERM, key,
2153 KEY_POS_VIEW|KEY_POS_READ|KEY_POS_SEARCH|
2154 KEY_USR_VIEW|KEY_USR_READ|KEY_USR_SEARCH, 0, 0) < 0)
2155 return log_error_errno(errno, "Failed to restrict invocation ID permission: %m");
2156 }
2157 }
2158
2159 /* And now, make the keyring owned by the service's user */
2160 if (uid_is_valid(uid) || gid_is_valid(gid))
2161 if (keyctl(KEYCTL_CHOWN, keyring, uid, gid, 0) < 0)
2162 return log_error_errno(errno, "Failed to change ownership of session keyring: %m");
2163
2164 return 0;
2165 }
2166
2167 static void append_socket_pair(int *array, unsigned *n, int pair[2]) {
2168 assert(array);
2169 assert(n);
2170
2171 if (!pair)
2172 return;
2173
2174 if (pair[0] >= 0)
2175 array[(*n)++] = pair[0];
2176 if (pair[1] >= 0)
2177 array[(*n)++] = pair[1];
2178 }
2179
2180 static int close_remaining_fds(
2181 const ExecParameters *params,
2182 ExecRuntime *runtime,
2183 DynamicCreds *dcreds,
2184 int user_lookup_fd,
2185 int socket_fd,
2186 int *fds, unsigned n_fds) {
2187
2188 unsigned n_dont_close = 0;
2189 int dont_close[n_fds + 12];
2190
2191 assert(params);
2192
2193 if (params->stdin_fd >= 0)
2194 dont_close[n_dont_close++] = params->stdin_fd;
2195 if (params->stdout_fd >= 0)
2196 dont_close[n_dont_close++] = params->stdout_fd;
2197 if (params->stderr_fd >= 0)
2198 dont_close[n_dont_close++] = params->stderr_fd;
2199
2200 if (socket_fd >= 0)
2201 dont_close[n_dont_close++] = socket_fd;
2202 if (n_fds > 0) {
2203 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
2204 n_dont_close += n_fds;
2205 }
2206
2207 if (runtime)
2208 append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
2209
2210 if (dcreds) {
2211 if (dcreds->user)
2212 append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
2213 if (dcreds->group)
2214 append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
2215 }
2216
2217 if (user_lookup_fd >= 0)
2218 dont_close[n_dont_close++] = user_lookup_fd;
2219
2220 return close_all_fds(dont_close, n_dont_close);
2221 }
2222
2223 static int send_user_lookup(
2224 Unit *unit,
2225 int user_lookup_fd,
2226 uid_t uid,
2227 gid_t gid) {
2228
2229 assert(unit);
2230
2231 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
2232 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
2233 * specified. */
2234
2235 if (user_lookup_fd < 0)
2236 return 0;
2237
2238 if (!uid_is_valid(uid) && !gid_is_valid(gid))
2239 return 0;
2240
2241 if (writev(user_lookup_fd,
2242 (struct iovec[]) {
2243 { .iov_base = &uid, .iov_len = sizeof(uid) },
2244 { .iov_base = &gid, .iov_len = sizeof(gid) },
2245 { .iov_base = unit->id, .iov_len = strlen(unit->id) }}, 3) < 0)
2246 return -errno;
2247
2248 return 0;
2249 }
2250
2251 static int acquire_home(const ExecContext *c, uid_t uid, const char** home, char **buf) {
2252 int r;
2253
2254 assert(c);
2255 assert(home);
2256 assert(buf);
2257
2258 /* If WorkingDirectory=~ is set, try to acquire a usable home directory. */
2259
2260 if (*home)
2261 return 0;
2262
2263 if (!c->working_directory_home)
2264 return 0;
2265
2266 if (uid == 0) {
2267 /* Hardcode /root as home directory for UID 0 */
2268 *home = "/root";
2269 return 1;
2270 }
2271
2272 r = get_home_dir(buf);
2273 if (r < 0)
2274 return r;
2275
2276 *home = *buf;
2277 return 1;
2278 }
2279
2280 static int exec_child(
2281 Unit *unit,
2282 ExecCommand *command,
2283 const ExecContext *context,
2284 const ExecParameters *params,
2285 ExecRuntime *runtime,
2286 DynamicCreds *dcreds,
2287 char **argv,
2288 int socket_fd,
2289 int named_iofds[3],
2290 int *fds,
2291 unsigned n_storage_fds,
2292 unsigned n_socket_fds,
2293 char **files_env,
2294 int user_lookup_fd,
2295 int *exit_status,
2296 char **error_message) {
2297
2298 _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **final_argv = NULL;
2299 _cleanup_free_ char *mac_selinux_context_net = NULL, *home_buffer = NULL;
2300 _cleanup_free_ gid_t *supplementary_gids = NULL;
2301 const char *username = NULL, *groupname = NULL;
2302 const char *home = NULL, *shell = NULL;
2303 dev_t journal_stream_dev = 0;
2304 ino_t journal_stream_ino = 0;
2305 bool needs_sandboxing, needs_mount_namespace;
2306 #ifdef HAVE_SELINUX
2307 bool needs_selinux = false;
2308 #endif
2309 #ifdef HAVE_SMACK
2310 bool needs_smack = false;
2311 #endif
2312 #ifdef HAVE_APPARMOR
2313 bool needs_apparmor = false;
2314 #endif
2315 uid_t uid = UID_INVALID;
2316 gid_t gid = GID_INVALID;
2317 int i, r, ngids = 0;
2318 unsigned n_fds;
2319 ExecDirectoryType dt;
2320
2321 assert(unit);
2322 assert(command);
2323 assert(context);
2324 assert(params);
2325 assert(exit_status);
2326 assert(error_message);
2327 /* We don't always set error_message, hence it must be initialized */
2328 assert(*error_message == NULL);
2329
2330 rename_process_from_path(command->path);
2331
2332 /* We reset exactly these signals, since they are the
2333 * only ones we set to SIG_IGN in the main daemon. All
2334 * others we leave untouched because we set them to
2335 * SIG_DFL or a valid handler initially, both of which
2336 * will be demoted to SIG_DFL. */
2337 (void) default_signals(SIGNALS_CRASH_HANDLER,
2338 SIGNALS_IGNORE, -1);
2339
2340 if (context->ignore_sigpipe)
2341 (void) ignore_signals(SIGPIPE, -1);
2342
2343 r = reset_signal_mask();
2344 if (r < 0) {
2345 *exit_status = EXIT_SIGNAL_MASK;
2346 *error_message = strdup("Failed to reset signal mask");
2347 /* If strdup fails, here and below, we will just print the generic error message. */
2348 return r;
2349 }
2350
2351 if (params->idle_pipe)
2352 do_idle_pipe_dance(params->idle_pipe);
2353
2354 /* Close sockets very early to make sure we don't
2355 * block init reexecution because it cannot bind its
2356 * sockets */
2357
2358 log_forget_fds();
2359
2360 n_fds = n_storage_fds + n_socket_fds;
2361 r = close_remaining_fds(params, runtime, dcreds, user_lookup_fd, socket_fd, fds, n_fds);
2362 if (r < 0) {
2363 *exit_status = EXIT_FDS;
2364 *error_message = strdup("Failed to close remaining fds");
2365 return r;
2366 }
2367
2368 if (!context->same_pgrp)
2369 if (setsid() < 0) {
2370 *exit_status = EXIT_SETSID;
2371 return -errno;
2372 }
2373
2374 exec_context_tty_reset(context, params);
2375
2376 if (unit_shall_confirm_spawn(unit)) {
2377 const char *vc = params->confirm_spawn;
2378 _cleanup_free_ char *cmdline = NULL;
2379
2380 cmdline = exec_command_line(argv);
2381 if (!cmdline) {
2382 *exit_status = EXIT_CONFIRM;
2383 return -ENOMEM;
2384 }
2385
2386 r = ask_for_confirmation(vc, unit, cmdline);
2387 if (r != CONFIRM_EXECUTE) {
2388 if (r == CONFIRM_PRETEND_SUCCESS) {
2389 *exit_status = EXIT_SUCCESS;
2390 return 0;
2391 }
2392 *exit_status = EXIT_CONFIRM;
2393 *error_message = strdup("Execution cancelled");
2394 return -ECANCELED;
2395 }
2396 }
2397
2398 if (context->dynamic_user && dcreds) {
2399
2400 /* Make sure we bypass our own NSS module for any NSS checks */
2401 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
2402 *exit_status = EXIT_USER;
2403 *error_message = strdup("Failed to update environment");
2404 return -errno;
2405 }
2406
2407 r = dynamic_creds_realize(dcreds, &uid, &gid);
2408 if (r < 0) {
2409 *exit_status = EXIT_USER;
2410 *error_message = strdup("Failed to update dynamic user credentials");
2411 return r;
2412 }
2413
2414 if (!uid_is_valid(uid)) {
2415 *exit_status = EXIT_USER;
2416 (void) asprintf(error_message, "UID validation failed for \""UID_FMT"\"", uid);
2417 /* If asprintf fails, here and below, we will just print the generic error message. */
2418 return -ESRCH;
2419 }
2420
2421 if (!gid_is_valid(gid)) {
2422 *exit_status = EXIT_USER;
2423 (void) asprintf(error_message, "GID validation failed for \""GID_FMT"\"", gid);
2424 return -ESRCH;
2425 }
2426
2427 if (dcreds->user)
2428 username = dcreds->user->name;
2429
2430 } else {
2431 r = get_fixed_user(context, &username, &uid, &gid, &home, &shell);
2432 if (r < 0) {
2433 *exit_status = EXIT_USER;
2434 *error_message = strdup("Failed to determine user credentials");
2435 return r;
2436 }
2437
2438 r = get_fixed_group(context, &groupname, &gid);
2439 if (r < 0) {
2440 *exit_status = EXIT_GROUP;
2441 *error_message = strdup("Failed to determine group credentials");
2442 return r;
2443 }
2444 }
2445
2446 /* Initialize user supplementary groups and get SupplementaryGroups= ones */
2447 r = get_supplementary_groups(context, username, groupname, gid,
2448 &supplementary_gids, &ngids);
2449 if (r < 0) {
2450 *exit_status = EXIT_GROUP;
2451 *error_message = strdup("Failed to determine supplementary groups");
2452 return r;
2453 }
2454
2455 r = send_user_lookup(unit, user_lookup_fd, uid, gid);
2456 if (r < 0) {
2457 *exit_status = EXIT_USER;
2458 *error_message = strdup("Failed to send user credentials to PID1");
2459 return r;
2460 }
2461
2462 user_lookup_fd = safe_close(user_lookup_fd);
2463
2464 r = acquire_home(context, uid, &home, &home_buffer);
2465 if (r < 0) {
2466 *exit_status = EXIT_CHDIR;
2467 *error_message = strdup("Failed to determine $HOME for user");
2468 return r;
2469 }
2470
2471 /* If a socket is connected to STDIN/STDOUT/STDERR, we
2472 * must sure to drop O_NONBLOCK */
2473 if (socket_fd >= 0)
2474 (void) fd_nonblock(socket_fd, false);
2475
2476 r = setup_input(context, params, socket_fd, named_iofds);
2477 if (r < 0) {
2478 *exit_status = EXIT_STDIN;
2479 *error_message = strdup("Failed to set up stdin");
2480 return r;
2481 }
2482
2483 r = setup_output(unit, context, params, STDOUT_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
2484 if (r < 0) {
2485 *exit_status = EXIT_STDOUT;
2486 *error_message = strdup("Failed to set up stdout");
2487 return r;
2488 }
2489
2490 r = setup_output(unit, context, params, STDERR_FILENO, socket_fd, named_iofds, basename(command->path), uid, gid, &journal_stream_dev, &journal_stream_ino);
2491 if (r < 0) {
2492 *exit_status = EXIT_STDERR;
2493 *error_message = strdup("Failed to set up stderr");
2494 return r;
2495 }
2496
2497 if (params->cgroup_path) {
2498 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
2499 if (r < 0) {
2500 *exit_status = EXIT_CGROUP;
2501 (void) asprintf(error_message, "Failed to attach to cgroup %s", params->cgroup_path);
2502 return r;
2503 }
2504 }
2505
2506 if (context->oom_score_adjust_set) {
2507 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
2508
2509 /* When we can't make this change due to EPERM, then
2510 * let's silently skip over it. User namespaces
2511 * prohibit write access to this file, and we
2512 * shouldn't trip up over that. */
2513
2514 sprintf(t, "%i", context->oom_score_adjust);
2515 r = write_string_file("/proc/self/oom_score_adj", t, 0);
2516 if (r == -EPERM || r == -EACCES) {
2517 log_open();
2518 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
2519 log_close();
2520 } else if (r < 0) {
2521 *exit_status = EXIT_OOM_ADJUST;
2522 *error_message = strdup("Failed to write /proc/self/oom_score_adj");
2523 return -errno;
2524 }
2525 }
2526
2527 if (context->nice_set)
2528 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
2529 *exit_status = EXIT_NICE;
2530 return -errno;
2531 }
2532
2533 if (context->cpu_sched_set) {
2534 struct sched_param param = {
2535 .sched_priority = context->cpu_sched_priority,
2536 };
2537
2538 r = sched_setscheduler(0,
2539 context->cpu_sched_policy |
2540 (context->cpu_sched_reset_on_fork ?
2541 SCHED_RESET_ON_FORK : 0),
2542 &param);
2543 if (r < 0) {
2544 *exit_status = EXIT_SETSCHEDULER;
2545 return -errno;
2546 }
2547 }
2548
2549 if (context->cpuset)
2550 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
2551 *exit_status = EXIT_CPUAFFINITY;
2552 return -errno;
2553 }
2554
2555 if (context->ioprio_set)
2556 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
2557 *exit_status = EXIT_IOPRIO;
2558 return -errno;
2559 }
2560
2561 if (context->timer_slack_nsec != NSEC_INFINITY)
2562 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
2563 *exit_status = EXIT_TIMERSLACK;
2564 return -errno;
2565 }
2566
2567 if (context->personality != PERSONALITY_INVALID)
2568 if (personality(context->personality) < 0) {
2569 *exit_status = EXIT_PERSONALITY;
2570 return -errno;
2571 }
2572
2573 if (context->utmp_id)
2574 utmp_put_init_process(context->utmp_id, getpid_cached(), getsid(0),
2575 context->tty_path,
2576 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
2577 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
2578 USER_PROCESS,
2579 username);
2580
2581 if (context->user) {
2582 r = chown_terminal(STDIN_FILENO, uid);
2583 if (r < 0) {
2584 *exit_status = EXIT_STDIN;
2585 return r;
2586 }
2587 }
2588
2589 /* If delegation is enabled we'll pass ownership of the cgroup
2590 * (but only in systemd's own controller hierarchy!) to the
2591 * user of the new process. */
2592 if (params->cgroup_path && context->user && (params->flags & EXEC_CGROUP_DELEGATE)) {
2593 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
2594 if (r < 0) {
2595 *exit_status = EXIT_CGROUP;
2596 return r;
2597 }
2598
2599
2600 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
2601 if (r < 0) {
2602 *exit_status = EXIT_CGROUP;
2603 return r;
2604 }
2605 }
2606
2607 for (dt = 0; dt < _EXEC_DIRECTORY_MAX; dt++) {
2608 r = setup_exec_directory(context, params, uid, gid, dt, exit_status);
2609 if (r < 0)
2610 return r;
2611 }
2612
2613 r = build_environment(
2614 unit,
2615 context,
2616 params,
2617 n_fds,
2618 home,
2619 username,
2620 shell,
2621 journal_stream_dev,
2622 journal_stream_ino,
2623 &our_env);
2624 if (r < 0) {
2625 *exit_status = EXIT_MEMORY;
2626 return r;
2627 }
2628
2629 r = build_pass_environment(context, &pass_env);
2630 if (r < 0) {
2631 *exit_status = EXIT_MEMORY;
2632 return r;
2633 }
2634
2635 accum_env = strv_env_merge(5,
2636 params->environment,
2637 our_env,
2638 pass_env,
2639 context->environment,
2640 files_env,
2641 NULL);
2642 if (!accum_env) {
2643 *exit_status = EXIT_MEMORY;
2644 return -ENOMEM;
2645 }
2646 accum_env = strv_env_clean(accum_env);
2647
2648 (void) umask(context->umask);
2649
2650 r = setup_keyring(unit, params, uid, gid);
2651 if (r < 0) {
2652 *exit_status = EXIT_KEYRING;
2653 return r;
2654 }
2655
2656 needs_sandboxing = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & EXEC_COMMAND_FULLY_PRIVILEGED);
2657
2658 if (needs_sandboxing) {
2659 if (context->pam_name && username) {
2660 r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds);
2661 if (r < 0) {
2662 *exit_status = EXIT_PAM;
2663 return r;
2664 }
2665 }
2666
2667 /* MAC enablement checks need to be done before a new mount ns is created, as they rely on /sys being
2668 * present. The actual MAC context application will happen later, as late as possible, to avoid
2669 * impacting our own code paths. */
2670
2671 #ifdef HAVE_SELINUX
2672 needs_selinux = mac_selinux_use();
2673 #endif
2674
2675 #ifdef HAVE_SMACK
2676 needs_smack = mac_smack_use();
2677 #endif
2678
2679 #ifdef HAVE_APPARMOR
2680 needs_apparmor = context->apparmor_profile && mac_apparmor_use();
2681 #endif
2682
2683 }
2684
2685 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
2686 r = setup_netns(runtime->netns_storage_socket);
2687 if (r < 0) {
2688 *exit_status = EXIT_NETWORK;
2689 return r;
2690 }
2691 }
2692
2693 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
2694 if (needs_mount_namespace) {
2695 r = apply_mount_namespace(unit, command, context, params, runtime);
2696 if (r < 0) {
2697 *exit_status = EXIT_NAMESPACE;
2698 return r;
2699 }
2700 }
2701
2702 /* Apply just after mount namespace setup */
2703 r = apply_working_directory(context, params, home, needs_mount_namespace, exit_status);
2704 if (r < 0)
2705 return r;
2706
2707 /* Drop groups as early as possbile */
2708 if (needs_sandboxing) {
2709 r = enforce_groups(context, gid, supplementary_gids, ngids);
2710 if (r < 0) {
2711 *exit_status = EXIT_GROUP;
2712 return r;
2713 }
2714 }
2715
2716 #ifdef HAVE_SELINUX
2717 if (needs_sandboxing && needs_selinux && params->selinux_context_net && socket_fd >= 0) {
2718 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
2719 if (r < 0) {
2720 *exit_status = EXIT_SELINUX_CONTEXT;
2721 return r;
2722 }
2723 }
2724 #endif
2725
2726 if ((params->flags & EXEC_APPLY_SANDBOXING) && context->private_users) {
2727 r = setup_private_users(uid, gid);
2728 if (r < 0) {
2729 *exit_status = EXIT_USER;
2730 return r;
2731 }
2732 }
2733
2734 /* We repeat the fd closing here, to make sure that
2735 * nothing is leaked from the PAM modules. Note that
2736 * we are more aggressive this time since socket_fd
2737 * and the netns fds we don't need anymore. The custom
2738 * endpoint fd was needed to upload the policy and can
2739 * now be closed as well. */
2740 r = close_all_fds(fds, n_fds);
2741 if (r >= 0)
2742 r = shift_fds(fds, n_fds);
2743 if (r >= 0)
2744 r = flags_fds(fds, n_storage_fds, n_socket_fds, context->non_blocking);
2745 if (r < 0) {
2746 *exit_status = EXIT_FDS;
2747 return r;
2748 }
2749
2750 if (needs_sandboxing) {
2751
2752 int secure_bits = context->secure_bits;
2753
2754 for (i = 0; i < _RLIMIT_MAX; i++) {
2755
2756 if (!context->rlimit[i])
2757 continue;
2758
2759 r = setrlimit_closest(i, context->rlimit[i]);
2760 if (r < 0) {
2761 *exit_status = EXIT_LIMITS;
2762 return r;
2763 }
2764 }
2765
2766 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */
2767 if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
2768 if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
2769 *exit_status = EXIT_LIMITS;
2770 return -errno;
2771 }
2772 }
2773
2774 if (!cap_test_all(context->capability_bounding_set)) {
2775 r = capability_bounding_set_drop(context->capability_bounding_set, false);
2776 if (r < 0) {
2777 *exit_status = EXIT_CAPABILITIES;
2778 *error_message = strdup("Failed to drop capabilities");
2779 return r;
2780 }
2781 }
2782
2783 /* This is done before enforce_user, but ambient set
2784 * does not survive over setresuid() if keep_caps is not set. */
2785 if (context->capability_ambient_set != 0) {
2786 r = capability_ambient_set_apply(context->capability_ambient_set, true);
2787 if (r < 0) {
2788 *exit_status = EXIT_CAPABILITIES;
2789 *error_message = strdup("Failed to apply ambient capabilities (before UID change)");
2790 return r;
2791 }
2792 }
2793
2794 if (context->user) {
2795 r = enforce_user(context, uid);
2796 if (r < 0) {
2797 *exit_status = EXIT_USER;
2798 (void) asprintf(error_message, "Failed to change UID to "UID_FMT, uid);
2799 return r;
2800 }
2801 if (context->capability_ambient_set != 0) {
2802
2803 /* Fix the ambient capabilities after user change. */
2804 r = capability_ambient_set_apply(context->capability_ambient_set, false);
2805 if (r < 0) {
2806 *exit_status = EXIT_CAPABILITIES;
2807 *error_message = strdup("Failed to apply ambient capabilities (after UID change)");
2808 return r;
2809 }
2810
2811 /* If we were asked to change user and ambient capabilities
2812 * were requested, we had to add keep-caps to the securebits
2813 * so that we would maintain the inherited capability set
2814 * through the setresuid(). Make sure that the bit is added
2815 * also to the context secure_bits so that we don't try to
2816 * drop the bit away next. */
2817
2818 secure_bits |= 1<<SECURE_KEEP_CAPS;
2819 }
2820 }
2821
2822 /* Apply the MAC contexts late, but before seccomp syscall filtering, as those should really be last to
2823 * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
2824 * syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
2825 * are restricted. */
2826
2827 #ifdef HAVE_SELINUX
2828 if (needs_selinux) {
2829 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
2830
2831 if (exec_context) {
2832 r = setexeccon(exec_context);
2833 if (r < 0) {
2834 *exit_status = EXIT_SELINUX_CONTEXT;
2835 (void) asprintf(error_message, "Failed to set SELinux context to %s", exec_context);
2836 return r;
2837 }
2838 }
2839 }
2840 #endif
2841
2842 #ifdef HAVE_SMACK
2843 if (needs_smack) {
2844 r = setup_smack(context, command);
2845 if (r < 0) {
2846 *exit_status = EXIT_SMACK_PROCESS_LABEL;
2847 *error_message = strdup("Failed to set SMACK process label");
2848 return r;
2849 }
2850 }
2851 #endif
2852
2853 #ifdef HAVE_APPARMOR
2854 if (needs_apparmor) {
2855 r = aa_change_onexec(context->apparmor_profile);
2856 if (r < 0 && !context->apparmor_profile_ignore) {
2857 *exit_status = EXIT_APPARMOR_PROFILE;
2858 (void) asprintf(error_message,
2859 "Failed to prepare AppArmor profile change to %s",
2860 context->apparmor_profile);
2861 return -errno;
2862 }
2863 }
2864 #endif
2865
2866 /* PR_GET_SECUREBITS is not privileged, while
2867 * PR_SET_SECUREBITS is. So to suppress
2868 * potential EPERMs we'll try not to call
2869 * PR_SET_SECUREBITS unless necessary. */
2870 if (prctl(PR_GET_SECUREBITS) != secure_bits)
2871 if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
2872 *exit_status = EXIT_SECUREBITS;
2873 *error_message = strdup("Failed to set secure bits");
2874 return -errno;
2875 }
2876
2877 if (context_has_no_new_privileges(context))
2878 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
2879 *exit_status = EXIT_NO_NEW_PRIVILEGES;
2880 *error_message = strdup("Failed to disable new privileges");
2881 return -errno;
2882 }
2883
2884 #ifdef HAVE_SECCOMP
2885 r = apply_address_families(unit, context);
2886 if (r < 0) {
2887 *exit_status = EXIT_ADDRESS_FAMILIES;
2888 *error_message = strdup("Failed to restrict address families");
2889 return r;
2890 }
2891
2892 r = apply_memory_deny_write_execute(unit, context);
2893 if (r < 0) {
2894 *exit_status = EXIT_SECCOMP;
2895 *error_message = strdup("Failed to disable writing to executable memory");
2896 return r;
2897 }
2898
2899 r = apply_restrict_realtime(unit, context);
2900 if (r < 0) {
2901 *exit_status = EXIT_SECCOMP;
2902 *error_message = strdup("Failed to apply realtime restrictions");
2903 return r;
2904 }
2905
2906 r = apply_restrict_namespaces(unit, context);
2907 if (r < 0) {
2908 *exit_status = EXIT_SECCOMP;
2909 *error_message = strdup("Failed to apply namespace restrictions");
2910 return r;
2911 }
2912
2913 r = apply_protect_sysctl(unit, context);
2914 if (r < 0) {
2915 *exit_status = EXIT_SECCOMP;
2916 *error_message = strdup("Failed to apply sysctl restrictions");
2917 return r;
2918 }
2919
2920 r = apply_protect_kernel_modules(unit, context);
2921 if (r < 0) {
2922 *exit_status = EXIT_SECCOMP;
2923 *error_message = strdup("Failed to apply module loading restrictions");
2924 return r;
2925 }
2926
2927 r = apply_private_devices(unit, context);
2928 if (r < 0) {
2929 *exit_status = EXIT_SECCOMP;
2930 *error_message = strdup("Failed to set up private devices");
2931 return r;
2932 }
2933
2934 r = apply_syscall_archs(unit, context);
2935 if (r < 0) {
2936 *exit_status = EXIT_SECCOMP;
2937 *error_message = strdup("Failed to apply syscall architecture restrictions");
2938 return r;
2939 }
2940
2941 /* This really should remain the last step before the execve(), to make sure our own code is unaffected
2942 * by the filter as little as possible. */
2943 r = apply_syscall_filter(unit, context);
2944 if (r < 0) {
2945 *exit_status = EXIT_SECCOMP;
2946 *error_message = strdup("Failed to apply syscall filters");
2947 return r;
2948 }
2949 #endif
2950 }
2951
2952 final_argv = replace_env_argv(argv, accum_env);
2953 if (!final_argv) {
2954 *exit_status = EXIT_MEMORY;
2955 *error_message = strdup("Failed to prepare process arguments");
2956 return -ENOMEM;
2957 }
2958
2959 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
2960 _cleanup_free_ char *line;
2961
2962 line = exec_command_line(final_argv);
2963 if (line) {
2964 log_open();
2965 log_struct(LOG_DEBUG,
2966 "EXECUTABLE=%s", command->path,
2967 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
2968 LOG_UNIT_ID(unit),
2969 NULL);
2970 log_close();
2971 }
2972 }
2973
2974 execve(command->path, final_argv, accum_env);
2975 *exit_status = EXIT_EXEC;
2976 return -errno;
2977 }
2978
2979 int exec_spawn(Unit *unit,
2980 ExecCommand *command,
2981 const ExecContext *context,
2982 const ExecParameters *params,
2983 ExecRuntime *runtime,
2984 DynamicCreds *dcreds,
2985 pid_t *ret) {
2986
2987 _cleanup_strv_free_ char **files_env = NULL;
2988 int *fds = NULL;
2989 unsigned n_storage_fds = 0, n_socket_fds = 0;
2990 _cleanup_free_ char *line = NULL;
2991 int socket_fd, r;
2992 int named_iofds[3] = { -1, -1, -1 };
2993 char **argv;
2994 pid_t pid;
2995
2996 assert(unit);
2997 assert(command);
2998 assert(context);
2999 assert(ret);
3000 assert(params);
3001 assert(params->fds || (params->n_storage_fds + params->n_socket_fds <= 0));
3002
3003 if (context->std_input == EXEC_INPUT_SOCKET ||
3004 context->std_output == EXEC_OUTPUT_SOCKET ||
3005 context->std_error == EXEC_OUTPUT_SOCKET) {
3006
3007 if (params->n_socket_fds > 1) {
3008 log_unit_error(unit, "Got more than one socket.");
3009 return -EINVAL;
3010 }
3011
3012 if (params->n_socket_fds == 0) {
3013 log_unit_error(unit, "Got no socket.");
3014 return -EINVAL;
3015 }
3016
3017 socket_fd = params->fds[0];
3018 } else {
3019 socket_fd = -1;
3020 fds = params->fds;
3021 n_storage_fds = params->n_storage_fds;
3022 n_socket_fds = params->n_socket_fds;
3023 }
3024
3025 r = exec_context_named_iofds(unit, context, params, named_iofds);
3026 if (r < 0)
3027 return log_unit_error_errno(unit, r, "Failed to load a named file descriptor: %m");
3028
3029 r = exec_context_load_environment(unit, context, &files_env);
3030 if (r < 0)
3031 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
3032
3033 argv = params->argv ?: command->argv;
3034 line = exec_command_line(argv);
3035 if (!line)
3036 return log_oom();
3037
3038 log_struct(LOG_DEBUG,
3039 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
3040 "EXECUTABLE=%s", command->path,
3041 LOG_UNIT_ID(unit),
3042 NULL);
3043 pid = fork();
3044 if (pid < 0)
3045 return log_unit_error_errno(unit, errno, "Failed to fork: %m");
3046
3047 if (pid == 0) {
3048 int exit_status;
3049 _cleanup_free_ char *error_message = NULL;
3050
3051 r = exec_child(unit,
3052 command,
3053 context,
3054 params,
3055 runtime,
3056 dcreds,
3057 argv,
3058 socket_fd,
3059 named_iofds,
3060 fds,
3061 n_storage_fds,
3062 n_socket_fds,
3063 files_env,
3064 unit->manager->user_lookup_fds[1],
3065 &exit_status,
3066 &error_message);
3067 if (r < 0) {
3068 log_open();
3069 if (error_message)
3070 log_struct_errno(LOG_ERR, r,
3071 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
3072 LOG_UNIT_ID(unit),
3073 LOG_UNIT_MESSAGE(unit, "%s: %m",
3074 error_message),
3075 "EXECUTABLE=%s", command->path,
3076 NULL);
3077 else if (r == -ENOENT && (command->flags & EXEC_COMMAND_IGNORE_FAILURE))
3078 log_struct_errno(LOG_INFO, r,
3079 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
3080 LOG_UNIT_ID(unit),
3081 LOG_UNIT_MESSAGE(unit, "Skipped spawning %s: %m",
3082 command->path),
3083 "EXECUTABLE=%s", command->path,
3084 NULL);
3085 else
3086 log_struct_errno(LOG_ERR, r,
3087 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR,
3088 LOG_UNIT_ID(unit),
3089 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
3090 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
3091 command->path),
3092 "EXECUTABLE=%s", command->path,
3093 NULL);
3094 }
3095
3096 _exit(exit_status);
3097 }
3098
3099 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
3100
3101 /* We add the new process to the cgroup both in the child (so
3102 * that we can be sure that no user code is ever executed
3103 * outside of the cgroup) and in the parent (so that we can be
3104 * sure that when we kill the cgroup the process will be
3105 * killed too). */
3106 if (params->cgroup_path)
3107 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
3108
3109 exec_status_start(&command->exec_status, pid);
3110
3111 *ret = pid;
3112 return 0;
3113 }
3114
3115 void exec_context_init(ExecContext *c) {
3116 ExecDirectoryType i;
3117
3118 assert(c);
3119
3120 c->umask = 0022;
3121 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
3122 c->cpu_sched_policy = SCHED_OTHER;
3123 c->syslog_priority = LOG_DAEMON|LOG_INFO;
3124 c->syslog_level_prefix = true;
3125 c->ignore_sigpipe = true;
3126 c->timer_slack_nsec = NSEC_INFINITY;
3127 c->personality = PERSONALITY_INVALID;
3128 for (i = 0; i < _EXEC_DIRECTORY_MAX; i++)
3129 c->directories[i].mode = 0755;
3130 c->capability_bounding_set = CAP_ALL;
3131 c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
3132 }
3133
3134 void exec_context_done(ExecContext *c) {
3135 unsigned l;
3136 ExecDirectoryType i;
3137
3138 assert(c);
3139
3140 c->environment = strv_free(c->environment);
3141 c->environment_files = strv_free(c->environment_files);
3142 c->pass_environment = strv_free(c->pass_environment);
3143
3144 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
3145 c->rlimit[l] = mfree(c->rlimit[l]);
3146
3147 for (l = 0; l < 3; l++)
3148 c->stdio_fdname[l] = mfree(c->stdio_fdname[l]);
3149
3150 c->working_directory = mfree(c->working_directory);
3151 c->root_directory = mfree(c->root_directory);
3152 c->root_image = mfree(c->root_image);
3153 c->tty_path = mfree(c->tty_path);
3154 c->syslog_identifier = mfree(c->syslog_identifier);
3155 c->user = mfree(c->user);
3156 c->group = mfree(c->group);
3157
3158 c->supplementary_groups = strv_free(c->supplementary_groups);
3159
3160 c->pam_name = mfree(c->pam_name);
3161
3162 c->read_only_paths = strv_free(c->read_only_paths);
3163 c->read_write_paths = strv_free(c->read_write_paths);
3164 c->inaccessible_paths = strv_free(c->inaccessible_paths);
3165
3166 bind_mount_free_many(c->bind_mounts, c->n_bind_mounts);
3167
3168 if (c->cpuset)
3169 CPU_FREE(c->cpuset);
3170
3171 c->utmp_id = mfree(c->utmp_id);
3172 c->selinux_context = mfree(c->selinux_context);
3173 c->apparmor_profile = mfree(c->apparmor_profile);
3174 c->smack_process_label = mfree(c->smack_process_label);
3175
3176 c->syscall_filter = set_free(c->syscall_filter);
3177 c->syscall_archs = set_free(c->syscall_archs);
3178 c->address_families = set_free(c->address_families);
3179
3180 for (i = 0; i < _EXEC_DIRECTORY_MAX; i++)
3181 c->directories[i].paths = strv_free(c->directories[i].paths);
3182 }
3183
3184 int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
3185 char **i;
3186
3187 assert(c);
3188
3189 if (!runtime_prefix)
3190 return 0;
3191
3192 STRV_FOREACH(i, c->directories[EXEC_DIRECTORY_RUNTIME].paths) {
3193 _cleanup_free_ char *p;
3194
3195 p = strjoin(runtime_prefix, "/", *i);
3196 if (!p)
3197 return -ENOMEM;
3198
3199 /* We execute this synchronously, since we need to be
3200 * sure this is gone when we start the service
3201 * next. */
3202 (void) rm_rf(p, REMOVE_ROOT);
3203 }
3204
3205 return 0;
3206 }
3207
3208 void exec_command_done(ExecCommand *c) {
3209 assert(c);
3210
3211 c->path = mfree(c->path);
3212
3213 c->argv = strv_free(c->argv);
3214 }
3215
3216 void exec_command_done_array(ExecCommand *c, unsigned n) {
3217 unsigned i;
3218
3219 for (i = 0; i < n; i++)
3220 exec_command_done(c+i);
3221 }
3222
3223 ExecCommand* exec_command_free_list(ExecCommand *c) {
3224 ExecCommand *i;
3225
3226 while ((i = c)) {
3227 LIST_REMOVE(command, c, i);
3228 exec_command_done(i);
3229 free(i);
3230 }
3231
3232 return NULL;
3233 }
3234
3235 void exec_command_free_array(ExecCommand **c, unsigned n) {
3236 unsigned i;
3237
3238 for (i = 0; i < n; i++)
3239 c[i] = exec_command_free_list(c[i]);
3240 }
3241
3242 typedef struct InvalidEnvInfo {
3243 Unit *unit;
3244 const char *path;
3245 } InvalidEnvInfo;
3246
3247 static void invalid_env(const char *p, void *userdata) {
3248 InvalidEnvInfo *info = userdata;
3249
3250 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
3251 }
3252
3253 const char* exec_context_fdname(const ExecContext *c, int fd_index) {
3254 assert(c);
3255
3256 switch (fd_index) {
3257 case STDIN_FILENO:
3258 if (c->std_input != EXEC_INPUT_NAMED_FD)
3259 return NULL;
3260 return c->stdio_fdname[STDIN_FILENO] ?: "stdin";
3261 case STDOUT_FILENO:
3262 if (c->std_output != EXEC_OUTPUT_NAMED_FD)
3263 return NULL;
3264 return c->stdio_fdname[STDOUT_FILENO] ?: "stdout";
3265 case STDERR_FILENO:
3266 if (c->std_error != EXEC_OUTPUT_NAMED_FD)
3267 return NULL;
3268 return c->stdio_fdname[STDERR_FILENO] ?: "stderr";
3269 default:
3270 return NULL;
3271 }
3272 }
3273
3274 int exec_context_named_iofds(Unit *unit, const ExecContext *c, const ExecParameters *p, int named_iofds[3]) {
3275 unsigned i, targets;
3276 const char* stdio_fdname[3];
3277 unsigned n_fds;
3278
3279 assert(c);
3280 assert(p);
3281
3282 targets = (c->std_input == EXEC_INPUT_NAMED_FD) +
3283 (c->std_output == EXEC_OUTPUT_NAMED_FD) +
3284 (c->std_error == EXEC_OUTPUT_NAMED_FD);
3285
3286 for (i = 0; i < 3; i++)
3287 stdio_fdname[i] = exec_context_fdname(c, i);
3288
3289 n_fds = p->n_storage_fds + p->n_socket_fds;
3290
3291 for (i = 0; i < n_fds && targets > 0; i++)
3292 if (named_iofds[STDIN_FILENO] < 0 &&
3293 c->std_input == EXEC_INPUT_NAMED_FD &&
3294 stdio_fdname[STDIN_FILENO] &&
3295 streq(p->fd_names[i], stdio_fdname[STDIN_FILENO])) {
3296
3297 named_iofds[STDIN_FILENO] = p->fds[i];
3298 targets--;
3299
3300 } else if (named_iofds[STDOUT_FILENO] < 0 &&
3301 c->std_output == EXEC_OUTPUT_NAMED_FD &&
3302 stdio_fdname[STDOUT_FILENO] &&
3303 streq(p->fd_names[i], stdio_fdname[STDOUT_FILENO])) {
3304
3305 named_iofds[STDOUT_FILENO] = p->fds[i];
3306 targets--;
3307
3308 } else if (named_iofds[STDERR_FILENO] < 0 &&
3309 c->std_error == EXEC_OUTPUT_NAMED_FD &&
3310 stdio_fdname[STDERR_FILENO] &&
3311 streq(p->fd_names[i], stdio_fdname[STDERR_FILENO])) {
3312
3313 named_iofds[STDERR_FILENO] = p->fds[i];
3314 targets--;
3315 }
3316
3317 return targets == 0 ? 0 : -ENOENT;
3318 }
3319
3320 int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
3321 char **i, **r = NULL;
3322
3323 assert(c);
3324 assert(l);
3325
3326 STRV_FOREACH(i, c->environment_files) {
3327 char *fn;
3328 int k;
3329 unsigned n;
3330 bool ignore = false;
3331 char **p;
3332 _cleanup_globfree_ glob_t pglob = {};
3333
3334 fn = *i;
3335
3336 if (fn[0] == '-') {
3337 ignore = true;
3338 fn++;
3339 }
3340
3341 if (!path_is_absolute(fn)) {
3342 if (ignore)
3343 continue;
3344
3345 strv_free(r);
3346 return -EINVAL;
3347 }
3348
3349 /* Filename supports globbing, take all matching files */
3350 k = safe_glob(fn, 0, &pglob);
3351 if (k < 0) {
3352 if (ignore)
3353 continue;
3354
3355 strv_free(r);
3356 return k;
3357 }
3358
3359 /* When we don't match anything, -ENOENT should be returned */
3360 assert(pglob.gl_pathc > 0);
3361
3362 for (n = 0; n < pglob.gl_pathc; n++) {
3363 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
3364 if (k < 0) {
3365 if (ignore)
3366 continue;
3367
3368 strv_free(r);
3369 return k;
3370 }
3371 /* Log invalid environment variables with filename */
3372 if (p) {
3373 InvalidEnvInfo info = {
3374 .unit = unit,
3375 .path = pglob.gl_pathv[n]
3376 };
3377
3378 p = strv_env_clean_with_callback(p, invalid_env, &info);
3379 }
3380
3381 if (r == NULL)
3382 r = p;
3383 else {
3384 char **m;
3385
3386 m = strv_env_merge(2, r, p);
3387 strv_free(r);
3388 strv_free(p);
3389 if (!m)
3390 return -ENOMEM;
3391
3392 r = m;
3393 }
3394 }
3395 }
3396
3397 *l = r;
3398
3399 return 0;
3400 }
3401
3402 static bool tty_may_match_dev_console(const char *tty) {
3403 _cleanup_free_ char *active = NULL;
3404 char *console;
3405
3406 if (!tty)
3407 return true;
3408
3409 if (startswith(tty, "/dev/"))
3410 tty += 5;
3411
3412 /* trivial identity? */
3413 if (streq(tty, "console"))
3414 return true;
3415
3416 console = resolve_dev_console(&active);
3417 /* if we could not resolve, assume it may */
3418 if (!console)
3419 return true;
3420
3421 /* "tty0" means the active VC, so it may be the same sometimes */
3422 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
3423 }
3424
3425 bool exec_context_may_touch_console(ExecContext *ec) {
3426
3427 return (ec->tty_reset ||
3428 ec->tty_vhangup ||
3429 ec->tty_vt_disallocate ||
3430 is_terminal_input(ec->std_input) ||
3431 is_terminal_output(ec->std_output) ||
3432 is_terminal_output(ec->std_error)) &&
3433 tty_may_match_dev_console(exec_context_tty_path(ec));
3434 }
3435
3436 static void strv_fprintf(FILE *f, char **l) {
3437 char **g;
3438
3439 assert(f);
3440
3441 STRV_FOREACH(g, l)
3442 fprintf(f, " %s", *g);
3443 }
3444
3445 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
3446 char **e, **d;
3447 unsigned i;
3448 ExecDirectoryType dt;
3449 int r;
3450
3451 assert(c);
3452 assert(f);
3453
3454 prefix = strempty(prefix);
3455
3456 fprintf(f,
3457 "%sUMask: %04o\n"
3458 "%sWorkingDirectory: %s\n"
3459 "%sRootDirectory: %s\n"
3460 "%sNonBlocking: %s\n"
3461 "%sPrivateTmp: %s\n"
3462 "%sPrivateDevices: %s\n"
3463 "%sProtectKernelTunables: %s\n"
3464 "%sProtectKernelModules: %s\n"
3465 "%sProtectControlGroups: %s\n"
3466 "%sPrivateNetwork: %s\n"
3467 "%sPrivateUsers: %s\n"
3468 "%sProtectHome: %s\n"
3469 "%sProtectSystem: %s\n"
3470 "%sMountAPIVFS: %s\n"
3471 "%sIgnoreSIGPIPE: %s\n"
3472 "%sMemoryDenyWriteExecute: %s\n"
3473 "%sRestrictRealtime: %s\n",
3474 prefix, c->umask,
3475 prefix, c->working_directory ? c->working_directory : "/",
3476 prefix, c->root_directory ? c->root_directory : "/",
3477 prefix, yes_no(c->non_blocking),
3478 prefix, yes_no(c->private_tmp),
3479 prefix, yes_no(c->private_devices),
3480 prefix, yes_no(c->protect_kernel_tunables),
3481 prefix, yes_no(c->protect_kernel_modules),
3482 prefix, yes_no(c->protect_control_groups),
3483 prefix, yes_no(c->private_network),
3484 prefix, yes_no(c->private_users),
3485 prefix, protect_home_to_string(c->protect_home),
3486 prefix, protect_system_to_string(c->protect_system),
3487 prefix, yes_no(c->mount_apivfs),
3488 prefix, yes_no(c->ignore_sigpipe),
3489 prefix, yes_no(c->memory_deny_write_execute),
3490 prefix, yes_no(c->restrict_realtime));
3491
3492 if (c->root_image)
3493 fprintf(f, "%sRootImage: %s\n", prefix, c->root_image);
3494
3495 STRV_FOREACH(e, c->environment)
3496 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
3497
3498 STRV_FOREACH(e, c->environment_files)
3499 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
3500
3501 STRV_FOREACH(e, c->pass_environment)
3502 fprintf(f, "%sPassEnvironment: %s\n", prefix, *e);
3503
3504 fprintf(f, "%sRuntimeDirectoryPreserve: %s\n", prefix, exec_preserve_mode_to_string(c->runtime_directory_preserve_mode));
3505
3506 for (dt = 0; dt < _EXEC_DIRECTORY_MAX; dt++) {
3507 fprintf(f, "%s%sMode: %04o\n", prefix, exec_directory_type_to_string(dt), c->directories[dt].mode);
3508
3509 STRV_FOREACH(d, c->directories[dt].paths)
3510 fprintf(f, "%s%s: %s\n", prefix, exec_directory_type_to_string(dt), *d);
3511 }
3512
3513 if (c->nice_set)
3514 fprintf(f,
3515 "%sNice: %i\n",
3516 prefix, c->nice);
3517
3518 if (c->oom_score_adjust_set)
3519 fprintf(f,
3520 "%sOOMScoreAdjust: %i\n",
3521 prefix, c->oom_score_adjust);
3522
3523 for (i = 0; i < RLIM_NLIMITS; i++)
3524 if (c->rlimit[i]) {
3525 fprintf(f, "%s%s: " RLIM_FMT "\n",
3526 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
3527 fprintf(f, "%s%sSoft: " RLIM_FMT "\n",
3528 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_cur);
3529 }
3530
3531 if (c->ioprio_set) {
3532 _cleanup_free_ char *class_str = NULL;
3533
3534 r = ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
3535 if (r >= 0)
3536 fprintf(f, "%sIOSchedulingClass: %s\n", prefix, class_str);
3537
3538 fprintf(f, "%sIOPriority: %lu\n", prefix, IOPRIO_PRIO_DATA(c->ioprio));
3539 }
3540
3541 if (c->cpu_sched_set) {
3542 _cleanup_free_ char *policy_str = NULL;
3543
3544 r = sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
3545 if (r >= 0)
3546 fprintf(f, "%sCPUSchedulingPolicy: %s\n", prefix, policy_str);
3547
3548 fprintf(f,
3549 "%sCPUSchedulingPriority: %i\n"
3550 "%sCPUSchedulingResetOnFork: %s\n",
3551 prefix, c->cpu_sched_priority,
3552 prefix, yes_no(c->cpu_sched_reset_on_fork));
3553 }
3554
3555 if (c->cpuset) {
3556 fprintf(f, "%sCPUAffinity:", prefix);
3557 for (i = 0; i < c->cpuset_ncpus; i++)
3558 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
3559 fprintf(f, " %u", i);
3560 fputs("\n", f);
3561 }
3562
3563 if (c->timer_slack_nsec != NSEC_INFINITY)
3564 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
3565
3566 fprintf(f,
3567 "%sStandardInput: %s\n"
3568 "%sStandardOutput: %s\n"
3569 "%sStandardError: %s\n",
3570 prefix, exec_input_to_string(c->std_input),
3571 prefix, exec_output_to_string(c->std_output),
3572 prefix, exec_output_to_string(c->std_error));
3573
3574 if (c->tty_path)
3575 fprintf(f,
3576 "%sTTYPath: %s\n"
3577 "%sTTYReset: %s\n"
3578 "%sTTYVHangup: %s\n"
3579 "%sTTYVTDisallocate: %s\n",
3580 prefix, c->tty_path,
3581 prefix, yes_no(c->tty_reset),
3582 prefix, yes_no(c->tty_vhangup),
3583 prefix, yes_no(c->tty_vt_disallocate));
3584
3585 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
3586 c->std_output == EXEC_OUTPUT_KMSG ||
3587 c->std_output == EXEC_OUTPUT_JOURNAL ||
3588 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3589 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3590 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
3591 c->std_error == EXEC_OUTPUT_SYSLOG ||
3592 c->std_error == EXEC_OUTPUT_KMSG ||
3593 c->std_error == EXEC_OUTPUT_JOURNAL ||
3594 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
3595 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
3596 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
3597
3598 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
3599
3600 r = log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
3601 if (r >= 0)
3602 fprintf(f, "%sSyslogFacility: %s\n", prefix, fac_str);
3603
3604 r = log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
3605 if (r >= 0)
3606 fprintf(f, "%sSyslogLevel: %s\n", prefix, lvl_str);
3607 }
3608
3609 if (c->secure_bits) {
3610 _cleanup_free_ char *str = NULL;
3611
3612 r = secure_bits_to_string_alloc(c->secure_bits, &str);
3613 if (r >= 0)
3614 fprintf(f, "%sSecure Bits: %s\n", prefix, str);
3615 }
3616
3617 if (c->capability_bounding_set != CAP_ALL) {
3618 _cleanup_free_ char *str = NULL;
3619
3620 r = capability_set_to_string_alloc(c->capability_bounding_set, &str);
3621 if (r >= 0)
3622 fprintf(f, "%sCapabilityBoundingSet: %s\n", prefix, str);
3623 }
3624
3625 if (c->capability_ambient_set != 0) {
3626 _cleanup_free_ char *str = NULL;
3627
3628 r = capability_set_to_string_alloc(c->capability_ambient_set, &str);
3629 if (r >= 0)
3630 fprintf(f, "%sAmbientCapabilities: %s\n", prefix, str);
3631 }
3632
3633 if (c->user)
3634 fprintf(f, "%sUser: %s\n", prefix, c->user);
3635 if (c->group)
3636 fprintf(f, "%sGroup: %s\n", prefix, c->group);
3637
3638 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
3639
3640 if (strv_length(c->supplementary_groups) > 0) {
3641 fprintf(f, "%sSupplementaryGroups:", prefix);
3642 strv_fprintf(f, c->supplementary_groups);
3643 fputs("\n", f);
3644 }
3645
3646 if (c->pam_name)
3647 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
3648
3649 if (strv_length(c->read_write_paths) > 0) {
3650 fprintf(f, "%sReadWritePaths:", prefix);
3651 strv_fprintf(f, c->read_write_paths);
3652 fputs("\n", f);
3653 }
3654
3655 if (strv_length(c->read_only_paths) > 0) {
3656 fprintf(f, "%sReadOnlyPaths:", prefix);
3657 strv_fprintf(f, c->read_only_paths);
3658 fputs("\n", f);
3659 }
3660
3661 if (strv_length(c->inaccessible_paths) > 0) {
3662 fprintf(f, "%sInaccessiblePaths:", prefix);
3663 strv_fprintf(f, c->inaccessible_paths);
3664 fputs("\n", f);
3665 }
3666
3667 if (c->n_bind_mounts > 0)
3668 for (i = 0; i < c->n_bind_mounts; i++) {
3669 fprintf(f, "%s%s: %s:%s:%s\n", prefix,
3670 c->bind_mounts[i].read_only ? "BindReadOnlyPaths" : "BindPaths",
3671 c->bind_mounts[i].source,
3672 c->bind_mounts[i].destination,
3673 c->bind_mounts[i].recursive ? "rbind" : "norbind");
3674 }
3675
3676 if (c->utmp_id)
3677 fprintf(f,
3678 "%sUtmpIdentifier: %s\n",
3679 prefix, c->utmp_id);
3680
3681 if (c->selinux_context)
3682 fprintf(f,
3683 "%sSELinuxContext: %s%s\n",
3684 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
3685
3686 if (c->apparmor_profile)
3687 fprintf(f,
3688 "%sAppArmorProfile: %s%s\n",
3689 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
3690
3691 if (c->smack_process_label)
3692 fprintf(f,
3693 "%sSmackProcessLabel: %s%s\n",
3694 prefix, c->smack_process_label_ignore ? "-" : "", c->smack_process_label);
3695
3696 if (c->personality != PERSONALITY_INVALID)
3697 fprintf(f,
3698 "%sPersonality: %s\n",
3699 prefix, strna(personality_to_string(c->personality)));
3700
3701 if (c->syscall_filter) {
3702 #ifdef HAVE_SECCOMP
3703 Iterator j;
3704 void *id;
3705 bool first = true;
3706 #endif
3707
3708 fprintf(f,
3709 "%sSystemCallFilter: ",
3710 prefix);
3711
3712 if (!c->syscall_whitelist)
3713 fputc('~', f);
3714
3715 #ifdef HAVE_SECCOMP
3716 SET_FOREACH(id, c->syscall_filter, j) {
3717 _cleanup_free_ char *name = NULL;
3718
3719 if (first)
3720 first = false;
3721 else
3722 fputc(' ', f);
3723
3724 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
3725 fputs(strna(name), f);
3726 }
3727 #endif
3728
3729 fputc('\n', f);
3730 }
3731
3732 if (c->syscall_archs) {
3733 #ifdef HAVE_SECCOMP
3734 Iterator j;
3735 void *id;
3736 #endif
3737
3738 fprintf(f,
3739 "%sSystemCallArchitectures:",
3740 prefix);
3741
3742 #ifdef HAVE_SECCOMP
3743 SET_FOREACH(id, c->syscall_archs, j)
3744 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
3745 #endif
3746 fputc('\n', f);
3747 }
3748
3749 if (exec_context_restrict_namespaces_set(c)) {
3750 _cleanup_free_ char *s = NULL;
3751
3752 r = namespace_flag_to_string_many(c->restrict_namespaces, &s);
3753 if (r >= 0)
3754 fprintf(f, "%sRestrictNamespaces: %s\n",
3755 prefix, s);
3756 }
3757
3758 if (c->syscall_errno > 0)
3759 fprintf(f,
3760 "%sSystemCallErrorNumber: %s\n",
3761 prefix, strna(errno_to_name(c->syscall_errno)));
3762
3763 if (c->apparmor_profile)
3764 fprintf(f,
3765 "%sAppArmorProfile: %s%s\n",
3766 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
3767 }
3768
3769 bool exec_context_maintains_privileges(ExecContext *c) {
3770 assert(c);
3771
3772 /* Returns true if the process forked off would run under
3773 * an unchanged UID or as root. */
3774
3775 if (!c->user)
3776 return true;
3777
3778 if (streq(c->user, "root") || streq(c->user, "0"))
3779 return true;
3780
3781 return false;
3782 }
3783
3784 int exec_context_get_effective_ioprio(ExecContext *c) {
3785 int p;
3786
3787 assert(c);
3788
3789 if (c->ioprio_set)
3790 return c->ioprio;
3791
3792 p = ioprio_get(IOPRIO_WHO_PROCESS, 0);
3793 if (p < 0)
3794 return IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 4);
3795
3796 return p;
3797 }
3798
3799 void exec_status_start(ExecStatus *s, pid_t pid) {
3800 assert(s);
3801
3802 zero(*s);
3803 s->pid = pid;
3804 dual_timestamp_get(&s->start_timestamp);
3805 }
3806
3807 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
3808 assert(s);
3809
3810 if (s->pid && s->pid != pid)
3811 zero(*s);
3812
3813 s->pid = pid;
3814 dual_timestamp_get(&s->exit_timestamp);
3815
3816 s->code = code;
3817 s->status = status;
3818
3819 if (context) {
3820 if (context->utmp_id)
3821 utmp_put_dead_process(context->utmp_id, pid, code, status);
3822
3823 exec_context_tty_reset(context, NULL);
3824 }
3825 }
3826
3827 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
3828 char buf[FORMAT_TIMESTAMP_MAX];
3829
3830 assert(s);
3831 assert(f);
3832
3833 if (s->pid <= 0)
3834 return;
3835
3836 prefix = strempty(prefix);
3837
3838 fprintf(f,
3839 "%sPID: "PID_FMT"\n",
3840 prefix, s->pid);
3841
3842 if (dual_timestamp_is_set(&s->start_timestamp))
3843 fprintf(f,
3844 "%sStart Timestamp: %s\n",
3845 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
3846
3847 if (dual_timestamp_is_set(&s->exit_timestamp))
3848 fprintf(f,
3849 "%sExit Timestamp: %s\n"
3850 "%sExit Code: %s\n"
3851 "%sExit Status: %i\n",
3852 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
3853 prefix, sigchld_code_to_string(s->code),
3854 prefix, s->status);
3855 }
3856
3857 char *exec_command_line(char **argv) {
3858 size_t k;
3859 char *n, *p, **a;
3860 bool first = true;
3861
3862 assert(argv);
3863
3864 k = 1;
3865 STRV_FOREACH(a, argv)
3866 k += strlen(*a)+3;
3867
3868 n = new(char, k);
3869 if (!n)
3870 return NULL;
3871
3872 p = n;
3873 STRV_FOREACH(a, argv) {
3874
3875 if (!first)
3876 *(p++) = ' ';
3877 else
3878 first = false;
3879
3880 if (strpbrk(*a, WHITESPACE)) {
3881 *(p++) = '\'';
3882 p = stpcpy(p, *a);
3883 *(p++) = '\'';
3884 } else
3885 p = stpcpy(p, *a);
3886
3887 }
3888
3889 *p = 0;
3890
3891 /* FIXME: this doesn't really handle arguments that have
3892 * spaces and ticks in them */
3893
3894 return n;
3895 }
3896
3897 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
3898 _cleanup_free_ char *cmd = NULL;
3899 const char *prefix2;
3900
3901 assert(c);
3902 assert(f);
3903
3904 prefix = strempty(prefix);
3905 prefix2 = strjoina(prefix, "\t");
3906
3907 cmd = exec_command_line(c->argv);
3908 fprintf(f,
3909 "%sCommand Line: %s\n",
3910 prefix, cmd ? cmd : strerror(ENOMEM));
3911
3912 exec_status_dump(&c->exec_status, f, prefix2);
3913 }
3914
3915 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
3916 assert(f);
3917
3918 prefix = strempty(prefix);
3919
3920 LIST_FOREACH(command, c, c)
3921 exec_command_dump(c, f, prefix);
3922 }
3923
3924 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
3925 ExecCommand *end;
3926
3927 assert(l);
3928 assert(e);
3929
3930 if (*l) {
3931 /* It's kind of important, that we keep the order here */
3932 LIST_FIND_TAIL(command, *l, end);
3933 LIST_INSERT_AFTER(command, *l, end, e);
3934 } else
3935 *l = e;
3936 }
3937
3938 int exec_command_set(ExecCommand *c, const char *path, ...) {
3939 va_list ap;
3940 char **l, *p;
3941
3942 assert(c);
3943 assert(path);
3944
3945 va_start(ap, path);
3946 l = strv_new_ap(path, ap);
3947 va_end(ap);
3948
3949 if (!l)
3950 return -ENOMEM;
3951
3952 p = strdup(path);
3953 if (!p) {
3954 strv_free(l);
3955 return -ENOMEM;
3956 }
3957
3958 free(c->path);
3959 c->path = p;
3960
3961 strv_free(c->argv);
3962 c->argv = l;
3963
3964 return 0;
3965 }
3966
3967 int exec_command_append(ExecCommand *c, const char *path, ...) {
3968 _cleanup_strv_free_ char **l = NULL;
3969 va_list ap;
3970 int r;
3971
3972 assert(c);
3973 assert(path);
3974
3975 va_start(ap, path);
3976 l = strv_new_ap(path, ap);
3977 va_end(ap);
3978
3979 if (!l)
3980 return -ENOMEM;
3981
3982 r = strv_extend_strv(&c->argv, l, false);
3983 if (r < 0)
3984 return r;
3985
3986 return 0;
3987 }
3988
3989
3990 static int exec_runtime_allocate(ExecRuntime **rt) {
3991
3992 if (*rt)
3993 return 0;
3994
3995 *rt = new0(ExecRuntime, 1);
3996 if (!*rt)
3997 return -ENOMEM;
3998
3999 (*rt)->n_ref = 1;
4000 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
4001
4002 return 0;
4003 }
4004
4005 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
4006 int r;
4007
4008 assert(rt);
4009 assert(c);
4010 assert(id);
4011
4012 if (*rt)
4013 return 1;
4014
4015 if (!c->private_network && !c->private_tmp)
4016 return 0;
4017
4018 r = exec_runtime_allocate(rt);
4019 if (r < 0)
4020 return r;
4021
4022 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
4023 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, (*rt)->netns_storage_socket) < 0)
4024 return -errno;
4025 }
4026
4027 if (c->private_tmp && !(*rt)->tmp_dir) {
4028 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
4029 if (r < 0)
4030 return r;
4031 }
4032
4033 return 1;
4034 }
4035
4036 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
4037 assert(r);
4038 assert(r->n_ref > 0);
4039
4040 r->n_ref++;
4041 return r;
4042 }
4043
4044 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
4045
4046 if (!r)
4047 return NULL;
4048
4049 assert(r->n_ref > 0);
4050
4051 r->n_ref--;
4052 if (r->n_ref > 0)
4053 return NULL;
4054
4055 free(r->tmp_dir);
4056 free(r->var_tmp_dir);
4057 safe_close_pair(r->netns_storage_socket);
4058 return mfree(r);
4059 }
4060
4061 int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
4062 assert(u);
4063 assert(f);
4064 assert(fds);
4065
4066 if (!rt)
4067 return 0;
4068
4069 if (rt->tmp_dir)
4070 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
4071
4072 if (rt->var_tmp_dir)
4073 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
4074
4075 if (rt->netns_storage_socket[0] >= 0) {
4076 int copy;
4077
4078 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
4079 if (copy < 0)
4080 return copy;
4081
4082 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
4083 }
4084
4085 if (rt->netns_storage_socket[1] >= 0) {
4086 int copy;
4087
4088 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
4089 if (copy < 0)
4090 return copy;
4091
4092 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
4093 }
4094
4095 return 0;
4096 }
4097
4098 int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
4099 int r;
4100
4101 assert(rt);
4102 assert(key);
4103 assert(value);
4104
4105 if (streq(key, "tmp-dir")) {
4106 char *copy;
4107
4108 r = exec_runtime_allocate(rt);
4109 if (r < 0)
4110 return log_oom();
4111
4112 copy = strdup(value);
4113 if (!copy)
4114 return log_oom();
4115
4116 free((*rt)->tmp_dir);
4117 (*rt)->tmp_dir = copy;
4118
4119 } else if (streq(key, "var-tmp-dir")) {
4120 char *copy;
4121
4122 r = exec_runtime_allocate(rt);
4123 if (r < 0)
4124 return log_oom();
4125
4126 copy = strdup(value);
4127 if (!copy)
4128 return log_oom();
4129
4130 free((*rt)->var_tmp_dir);
4131 (*rt)->var_tmp_dir = copy;
4132
4133 } else if (streq(key, "netns-socket-0")) {
4134 int fd;
4135
4136 r = exec_runtime_allocate(rt);
4137 if (r < 0)
4138 return log_oom();
4139
4140 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
4141 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
4142 else {
4143 safe_close((*rt)->netns_storage_socket[0]);
4144 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
4145 }
4146 } else if (streq(key, "netns-socket-1")) {
4147 int fd;
4148
4149 r = exec_runtime_allocate(rt);
4150 if (r < 0)
4151 return log_oom();
4152
4153 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
4154 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
4155 else {
4156 safe_close((*rt)->netns_storage_socket[1]);
4157 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
4158 }
4159 } else
4160 return 0;
4161
4162 return 1;
4163 }
4164
4165 static void *remove_tmpdir_thread(void *p) {
4166 _cleanup_free_ char *path = p;
4167
4168 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
4169 return NULL;
4170 }
4171
4172 void exec_runtime_destroy(ExecRuntime *rt) {
4173 int r;
4174
4175 if (!rt)
4176 return;
4177
4178 /* If there are multiple users of this, let's leave the stuff around */
4179 if (rt->n_ref > 1)
4180 return;
4181
4182 if (rt->tmp_dir) {
4183 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
4184
4185 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
4186 if (r < 0) {
4187 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
4188 free(rt->tmp_dir);
4189 }
4190
4191 rt->tmp_dir = NULL;
4192 }
4193
4194 if (rt->var_tmp_dir) {
4195 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
4196
4197 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
4198 if (r < 0) {
4199 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
4200 free(rt->var_tmp_dir);
4201 }
4202
4203 rt->var_tmp_dir = NULL;
4204 }
4205
4206 safe_close_pair(rt->netns_storage_socket);
4207 }
4208
4209 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
4210 [EXEC_INPUT_NULL] = "null",
4211 [EXEC_INPUT_TTY] = "tty",
4212 [EXEC_INPUT_TTY_FORCE] = "tty-force",
4213 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
4214 [EXEC_INPUT_SOCKET] = "socket",
4215 [EXEC_INPUT_NAMED_FD] = "fd",
4216 };
4217
4218 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
4219
4220 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
4221 [EXEC_OUTPUT_INHERIT] = "inherit",
4222 [EXEC_OUTPUT_NULL] = "null",
4223 [EXEC_OUTPUT_TTY] = "tty",
4224 [EXEC_OUTPUT_SYSLOG] = "syslog",
4225 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
4226 [EXEC_OUTPUT_KMSG] = "kmsg",
4227 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
4228 [EXEC_OUTPUT_JOURNAL] = "journal",
4229 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
4230 [EXEC_OUTPUT_SOCKET] = "socket",
4231 [EXEC_OUTPUT_NAMED_FD] = "fd",
4232 };
4233
4234 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
4235
4236 static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
4237 [EXEC_UTMP_INIT] = "init",
4238 [EXEC_UTMP_LOGIN] = "login",
4239 [EXEC_UTMP_USER] = "user",
4240 };
4241
4242 DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
4243
4244 static const char* const exec_preserve_mode_table[_EXEC_PRESERVE_MODE_MAX] = {
4245 [EXEC_PRESERVE_NO] = "no",
4246 [EXEC_PRESERVE_YES] = "yes",
4247 [EXEC_PRESERVE_RESTART] = "restart",
4248 };
4249
4250 DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(exec_preserve_mode, ExecPreserveMode, EXEC_PRESERVE_YES);
4251
4252 static const char* const exec_directory_type_table[_EXEC_DIRECTORY_MAX] = {
4253 [EXEC_DIRECTORY_RUNTIME] = "RuntimeDirectory",
4254 [EXEC_DIRECTORY_STATE] = "StateDirectory",
4255 [EXEC_DIRECTORY_CACHE] = "CacheDirectory",
4256 [EXEC_DIRECTORY_LOGS] = "LogsDirectory",
4257 [EXEC_DIRECTORY_CONFIGURATION] = "ConfigurationDirectory",
4258 };
4259
4260 DEFINE_STRING_TABLE_LOOKUP(exec_directory_type, ExecDirectoryType);
Unnamed repository; edit this file 'description' to name the repository.