2 This file is part of systemd.
4 Copyright 2010 Lennart Poettering
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
27 #include <sys/capability.h>
28 #include <sys/eventfd.h>
30 #include <sys/personality.h>
31 #include <sys/prctl.h>
33 #include <sys/socket.h>
35 #include <sys/types.h>
41 #include <security/pam_appl.h>
45 #include <selinux/selinux.h>
53 #include <sys/apparmor.h>
56 #include "sd-messages.h"
59 #include "alloc-util.h"
61 #include "apparmor-util.h"
66 #include "capability-util.h"
69 #include "errno-list.h"
71 #include "exit-status.h"
74 #include "format-util.h"
76 #include "glob-util.h"
83 #include "namespace.h"
84 #include "parse-util.h"
85 #include "path-util.h"
86 #include "process-util.h"
87 #include "rlimit-util.h"
90 #include "seccomp-util.h"
92 #include "securebits.h"
93 #include "securebits-util.h"
94 #include "selinux-util.h"
95 #include "signal-util.h"
96 #include "smack-util.h"
98 #include "string-table.h"
99 #include "string-util.h"
101 #include "syslog-util.h"
102 #include "terminal-util.h"
104 #include "user-util.h"
106 #include "utmp-wtmp.h"
108 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
109 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
111 /* This assumes there is a 'tty' group */
112 #define TTY_MODE 0620
114 #define SNDBUF_SIZE (8*1024*1024)
116 static int shift_fds(int fds
[], unsigned n_fds
) {
117 int start
, restart_from
;
122 /* Modifies the fds array! (sorts it) */
132 for (i
= start
; i
< (int) n_fds
; i
++) {
135 /* Already at right index? */
139 nfd
= fcntl(fds
[i
], F_DUPFD
, i
+ 3);
146 /* Hmm, the fd we wanted isn't free? Then
147 * let's remember that and try again from here */
148 if (nfd
!= i
+3 && restart_from
< 0)
152 if (restart_from
< 0)
155 start
= restart_from
;
161 static int flags_fds(const int fds
[], unsigned n_storage_fds
, unsigned n_socket_fds
, bool nonblock
) {
165 n_fds
= n_storage_fds
+ n_socket_fds
;
171 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags.
172 * O_NONBLOCK only applies to socket activation though. */
174 for (i
= 0; i
< n_fds
; i
++) {
176 if (i
< n_socket_fds
) {
177 r
= fd_nonblock(fds
[i
], nonblock
);
182 /* We unconditionally drop FD_CLOEXEC from the fds,
183 * since after all we want to pass these fds to our
186 r
= fd_cloexec(fds
[i
], false);
194 static const char *exec_context_tty_path(const ExecContext
*context
) {
197 if (context
->stdio_as_fds
)
200 if (context
->tty_path
)
201 return context
->tty_path
;
203 return "/dev/console";
206 static void exec_context_tty_reset(const ExecContext
*context
, const ExecParameters
*p
) {
211 path
= exec_context_tty_path(context
);
213 if (context
->tty_vhangup
) {
214 if (p
&& p
->stdin_fd
>= 0)
215 (void) terminal_vhangup_fd(p
->stdin_fd
);
217 (void) terminal_vhangup(path
);
220 if (context
->tty_reset
) {
221 if (p
&& p
->stdin_fd
>= 0)
222 (void) reset_terminal_fd(p
->stdin_fd
, true);
224 (void) reset_terminal(path
);
227 if (context
->tty_vt_disallocate
&& path
)
228 (void) vt_disallocate(path
);
231 static bool is_terminal_input(ExecInput i
) {
234 EXEC_INPUT_TTY_FORCE
,
235 EXEC_INPUT_TTY_FAIL
);
238 static bool is_terminal_output(ExecOutput o
) {
241 EXEC_OUTPUT_SYSLOG_AND_CONSOLE
,
242 EXEC_OUTPUT_KMSG_AND_CONSOLE
,
243 EXEC_OUTPUT_JOURNAL_AND_CONSOLE
);
246 static bool exec_context_needs_term(const ExecContext
*c
) {
249 /* Return true if the execution context suggests we should set $TERM to something useful. */
251 if (is_terminal_input(c
->std_input
))
254 if (is_terminal_output(c
->std_output
))
257 if (is_terminal_output(c
->std_error
))
260 return !!c
->tty_path
;
263 static int open_null_as(int flags
, int nfd
) {
268 fd
= open("/dev/null", flags
|O_NOCTTY
);
273 r
= dup2(fd
, nfd
) < 0 ? -errno
: nfd
;
281 static int connect_journal_socket(int fd
, uid_t uid
, gid_t gid
) {
282 static const union sockaddr_union sa
= {
283 .un
.sun_family
= AF_UNIX
,
284 .un
.sun_path
= "/run/systemd/journal/stdout",
286 uid_t olduid
= UID_INVALID
;
287 gid_t oldgid
= GID_INVALID
;
290 if (gid_is_valid(gid
)) {
293 if (setegid(gid
) < 0)
297 if (uid_is_valid(uid
)) {
300 if (seteuid(uid
) < 0) {
306 r
= connect(fd
, &sa
.sa
, SOCKADDR_UN_LEN(sa
.un
)) < 0 ? -errno
: 0;
308 /* If we fail to restore the uid or gid, things will likely
309 fail later on. This should only happen if an LSM interferes. */
311 if (uid_is_valid(uid
))
312 (void) seteuid(olduid
);
315 if (gid_is_valid(gid
))
316 (void) setegid(oldgid
);
321 static int connect_logger_as(
323 const ExecContext
*context
,
324 const ExecParameters
*params
,
335 assert(output
< _EXEC_OUTPUT_MAX
);
339 fd
= socket(AF_UNIX
, SOCK_STREAM
, 0);
343 r
= connect_journal_socket(fd
, uid
, gid
);
347 if (shutdown(fd
, SHUT_RD
) < 0) {
352 (void) fd_inc_sndbuf(fd
, SNDBUF_SIZE
);
362 context
->syslog_identifier
?: ident
,
363 params
->flags
& EXEC_PASS_LOG_UNIT
? unit
->id
: "",
364 context
->syslog_priority
,
365 !!context
->syslog_level_prefix
,
366 output
== EXEC_OUTPUT_SYSLOG
|| output
== EXEC_OUTPUT_SYSLOG_AND_CONSOLE
,
367 output
== EXEC_OUTPUT_KMSG
|| output
== EXEC_OUTPUT_KMSG_AND_CONSOLE
,
368 is_terminal_output(output
));
373 r
= dup2(fd
, nfd
) < 0 ? -errno
: nfd
;
378 static int open_terminal_as(const char *path
, mode_t mode
, int nfd
) {
384 fd
= open_terminal(path
, mode
| O_NOCTTY
);
389 r
= dup2(fd
, nfd
) < 0 ? -errno
: nfd
;
397 static int fixup_input(ExecInput std_input
, int socket_fd
, bool apply_tty_stdin
) {
399 if (is_terminal_input(std_input
) && !apply_tty_stdin
)
400 return EXEC_INPUT_NULL
;
402 if (std_input
== EXEC_INPUT_SOCKET
&& socket_fd
< 0)
403 return EXEC_INPUT_NULL
;
408 static int fixup_output(ExecOutput std_output
, int socket_fd
) {
410 if (std_output
== EXEC_OUTPUT_SOCKET
&& socket_fd
< 0)
411 return EXEC_OUTPUT_INHERIT
;
416 static int setup_input(
417 const ExecContext
*context
,
418 const ExecParameters
*params
,
420 int named_iofds
[3]) {
427 if (params
->stdin_fd
>= 0) {
428 if (dup2(params
->stdin_fd
, STDIN_FILENO
) < 0)
431 /* Try to make this the controlling tty, if it is a tty, and reset it */
432 (void) ioctl(STDIN_FILENO
, TIOCSCTTY
, context
->std_input
== EXEC_INPUT_TTY_FORCE
);
433 (void) reset_terminal_fd(STDIN_FILENO
, true);
438 i
= fixup_input(context
->std_input
, socket_fd
, params
->flags
& EXEC_APPLY_TTY_STDIN
);
442 case EXEC_INPUT_NULL
:
443 return open_null_as(O_RDONLY
, STDIN_FILENO
);
446 case EXEC_INPUT_TTY_FORCE
:
447 case EXEC_INPUT_TTY_FAIL
: {
450 fd
= acquire_terminal(exec_context_tty_path(context
),
451 i
== EXEC_INPUT_TTY_FAIL
,
452 i
== EXEC_INPUT_TTY_FORCE
,
458 if (fd
!= STDIN_FILENO
) {
459 r
= dup2(fd
, STDIN_FILENO
) < 0 ? -errno
: STDIN_FILENO
;
467 case EXEC_INPUT_SOCKET
:
468 return dup2(socket_fd
, STDIN_FILENO
) < 0 ? -errno
: STDIN_FILENO
;
470 case EXEC_INPUT_NAMED_FD
:
471 (void) fd_nonblock(named_iofds
[STDIN_FILENO
], false);
472 return dup2(named_iofds
[STDIN_FILENO
], STDIN_FILENO
) < 0 ? -errno
: STDIN_FILENO
;
475 assert_not_reached("Unknown input type");
479 static int setup_output(
481 const ExecContext
*context
,
482 const ExecParameters
*params
,
489 dev_t
*journal_stream_dev
,
490 ino_t
*journal_stream_ino
) {
500 assert(journal_stream_dev
);
501 assert(journal_stream_ino
);
503 if (fileno
== STDOUT_FILENO
&& params
->stdout_fd
>= 0) {
505 if (dup2(params
->stdout_fd
, STDOUT_FILENO
) < 0)
508 return STDOUT_FILENO
;
511 if (fileno
== STDERR_FILENO
&& params
->stderr_fd
>= 0) {
512 if (dup2(params
->stderr_fd
, STDERR_FILENO
) < 0)
515 return STDERR_FILENO
;
518 i
= fixup_input(context
->std_input
, socket_fd
, params
->flags
& EXEC_APPLY_TTY_STDIN
);
519 o
= fixup_output(context
->std_output
, socket_fd
);
521 if (fileno
== STDERR_FILENO
) {
523 e
= fixup_output(context
->std_error
, socket_fd
);
525 /* This expects the input and output are already set up */
527 /* Don't change the stderr file descriptor if we inherit all
528 * the way and are not on a tty */
529 if (e
== EXEC_OUTPUT_INHERIT
&&
530 o
== EXEC_OUTPUT_INHERIT
&&
531 i
== EXEC_INPUT_NULL
&&
532 !is_terminal_input(context
->std_input
) &&
536 /* Duplicate from stdout if possible */
537 if ((e
== o
&& e
!= EXEC_OUTPUT_NAMED_FD
) || e
== EXEC_OUTPUT_INHERIT
)
538 return dup2(STDOUT_FILENO
, fileno
) < 0 ? -errno
: fileno
;
542 } else if (o
== EXEC_OUTPUT_INHERIT
) {
543 /* If input got downgraded, inherit the original value */
544 if (i
== EXEC_INPUT_NULL
&& is_terminal_input(context
->std_input
))
545 return open_terminal_as(exec_context_tty_path(context
), O_WRONLY
, fileno
);
547 /* If the input is connected to anything that's not a /dev/null, inherit that... */
548 if (i
!= EXEC_INPUT_NULL
)
549 return dup2(STDIN_FILENO
, fileno
) < 0 ? -errno
: fileno
;
551 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
555 /* We need to open /dev/null here anew, to get the right access mode. */
556 return open_null_as(O_WRONLY
, fileno
);
561 case EXEC_OUTPUT_NULL
:
562 return open_null_as(O_WRONLY
, fileno
);
564 case EXEC_OUTPUT_TTY
:
565 if (is_terminal_input(i
))
566 return dup2(STDIN_FILENO
, fileno
) < 0 ? -errno
: fileno
;
568 /* We don't reset the terminal if this is just about output */
569 return open_terminal_as(exec_context_tty_path(context
), O_WRONLY
, fileno
);
571 case EXEC_OUTPUT_SYSLOG
:
572 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE
:
573 case EXEC_OUTPUT_KMSG
:
574 case EXEC_OUTPUT_KMSG_AND_CONSOLE
:
575 case EXEC_OUTPUT_JOURNAL
:
576 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE
:
577 r
= connect_logger_as(unit
, context
, params
, o
, ident
, fileno
, uid
, gid
);
579 log_unit_error_errno(unit
, r
, "Failed to connect %s to the journal socket, ignoring: %m", fileno
== STDOUT_FILENO
? "stdout" : "stderr");
580 r
= open_null_as(O_WRONLY
, fileno
);
584 /* If we connected this fd to the journal via a stream, patch the device/inode into the passed
585 * parameters, but only then. This is useful so that we can set $JOURNAL_STREAM that permits
586 * services to detect whether they are connected to the journal or not. */
588 if (fstat(fileno
, &st
) >= 0) {
589 *journal_stream_dev
= st
.st_dev
;
590 *journal_stream_ino
= st
.st_ino
;
595 case EXEC_OUTPUT_SOCKET
:
596 assert(socket_fd
>= 0);
597 return dup2(socket_fd
, fileno
) < 0 ? -errno
: fileno
;
599 case EXEC_OUTPUT_NAMED_FD
:
600 (void) fd_nonblock(named_iofds
[fileno
], false);
601 return dup2(named_iofds
[fileno
], fileno
) < 0 ? -errno
: fileno
;
604 assert_not_reached("Unknown error type");
608 static int chown_terminal(int fd
, uid_t uid
) {
613 /* Before we chown/chmod the TTY, let's ensure this is actually a tty */
617 /* This might fail. What matters are the results. */
618 (void) fchown(fd
, uid
, -1);
619 (void) fchmod(fd
, TTY_MODE
);
621 if (fstat(fd
, &st
) < 0)
624 if (st
.st_uid
!= uid
|| (st
.st_mode
& 0777) != TTY_MODE
)
630 static int setup_confirm_stdio(const char *vc
, int *_saved_stdin
, int *_saved_stdout
) {
631 _cleanup_close_
int fd
= -1, saved_stdin
= -1, saved_stdout
= -1;
634 assert(_saved_stdin
);
635 assert(_saved_stdout
);
637 saved_stdin
= fcntl(STDIN_FILENO
, F_DUPFD
, 3);
641 saved_stdout
= fcntl(STDOUT_FILENO
, F_DUPFD
, 3);
642 if (saved_stdout
< 0)
645 fd
= acquire_terminal(vc
, false, false, false, DEFAULT_CONFIRM_USEC
);
649 r
= chown_terminal(fd
, getuid());
653 r
= reset_terminal_fd(fd
, true);
657 if (dup2(fd
, STDIN_FILENO
) < 0)
660 if (dup2(fd
, STDOUT_FILENO
) < 0)
667 *_saved_stdin
= saved_stdin
;
668 *_saved_stdout
= saved_stdout
;
670 saved_stdin
= saved_stdout
= -1;
675 static void write_confirm_error_fd(int err
, int fd
, const Unit
*u
) {
678 if (err
== -ETIMEDOUT
)
679 dprintf(fd
, "Confirmation question timed out for %s, assuming positive response.\n", u
->id
);
682 dprintf(fd
, "Couldn't ask confirmation for %s: %m, assuming positive response.\n", u
->id
);
686 static void write_confirm_error(int err
, const char *vc
, const Unit
*u
) {
687 _cleanup_close_
int fd
= -1;
691 fd
= open_terminal(vc
, O_WRONLY
|O_NOCTTY
|O_CLOEXEC
);
695 write_confirm_error_fd(err
, fd
, u
);
698 static int restore_confirm_stdio(int *saved_stdin
, int *saved_stdout
) {
702 assert(saved_stdout
);
706 if (*saved_stdin
>= 0)
707 if (dup2(*saved_stdin
, STDIN_FILENO
) < 0)
710 if (*saved_stdout
>= 0)
711 if (dup2(*saved_stdout
, STDOUT_FILENO
) < 0)
714 *saved_stdin
= safe_close(*saved_stdin
);
715 *saved_stdout
= safe_close(*saved_stdout
);
721 CONFIRM_PRETEND_FAILURE
= -1,
722 CONFIRM_PRETEND_SUCCESS
= 0,
726 static int ask_for_confirmation(const char *vc
, Unit
*u
, const char *cmdline
) {
727 int saved_stdout
= -1, saved_stdin
= -1, r
;
728 _cleanup_free_
char *e
= NULL
;
731 /* For any internal errors, assume a positive response. */
732 r
= setup_confirm_stdio(vc
, &saved_stdin
, &saved_stdout
);
734 write_confirm_error(r
, vc
, u
);
735 return CONFIRM_EXECUTE
;
738 /* confirm_spawn might have been disabled while we were sleeping. */
739 if (manager_is_confirm_spawn_disabled(u
->manager
)) {
744 e
= ellipsize(cmdline
, 60, 100);
752 r
= ask_char(&c
, "yfshiDjcn", "Execute %s? [y, f, s – h for help] ", e
);
754 write_confirm_error_fd(r
, STDOUT_FILENO
, u
);
761 printf("Resuming normal execution.\n");
762 manager_disable_confirm_spawn();
766 unit_dump(u
, stdout
, " ");
767 continue; /* ask again */
769 printf("Failing execution.\n");
770 r
= CONFIRM_PRETEND_FAILURE
;
773 printf(" c - continue, proceed without asking anymore\n"
774 " D - dump, show the state of the unit\n"
775 " f - fail, don't execute the command and pretend it failed\n"
777 " i - info, show a short summary of the unit\n"
778 " j - jobs, show jobs that are in progress\n"
779 " s - skip, don't execute the command and pretend it succeeded\n"
780 " y - yes, execute the command\n");
781 continue; /* ask again */
783 printf(" Description: %s\n"
786 u
->id
, u
->description
, cmdline
);
787 continue; /* ask again */
789 manager_dump_jobs(u
->manager
, stdout
, " ");
790 continue; /* ask again */
792 /* 'n' was removed in favor of 'f'. */
793 printf("Didn't understand 'n', did you mean 'f'?\n");
794 continue; /* ask again */
796 printf("Skipping execution.\n");
797 r
= CONFIRM_PRETEND_SUCCESS
;
803 assert_not_reached("Unhandled choice");
809 restore_confirm_stdio(&saved_stdin
, &saved_stdout
);
813 static int get_fixed_user(const ExecContext
*c
, const char **user
,
814 uid_t
*uid
, gid_t
*gid
,
815 const char **home
, const char **shell
) {
824 /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
825 * (i.e. are "/" or "/bin/nologin"). */
828 r
= get_user_creds_clean(&name
, uid
, gid
, home
, shell
);
836 static int get_fixed_group(const ExecContext
*c
, const char **group
, gid_t
*gid
) {
846 r
= get_group_creds(&name
, gid
);
854 static int get_supplementary_groups(const ExecContext
*c
, const char *user
,
855 const char *group
, gid_t gid
,
856 gid_t
**supplementary_gids
, int *ngids
) {
860 bool keep_groups
= false;
861 gid_t
*groups
= NULL
;
862 _cleanup_free_ gid_t
*l_gids
= NULL
;
867 * If user is given, then lookup GID and supplementary groups list.
868 * We avoid NSS lookups for gid=0. Also we have to initialize groups
869 * here and as early as possible so we keep the list of supplementary
870 * groups of the caller.
872 if (user
&& gid_is_valid(gid
) && gid
!= 0) {
873 /* First step, initialize groups from /etc/groups */
874 if (initgroups(user
, gid
) < 0)
880 if (!c
->supplementary_groups
)
884 * If SupplementaryGroups= was passed then NGROUPS_MAX has to
885 * be positive, otherwise fail.
888 ngroups_max
= (int) sysconf(_SC_NGROUPS_MAX
);
889 if (ngroups_max
<= 0) {
893 return -EOPNOTSUPP
; /* For all other values */
896 l_gids
= new(gid_t
, ngroups_max
);
902 * Lookup the list of groups that the user belongs to, we
903 * avoid NSS lookups here too for gid=0.
906 if (getgrouplist(user
, gid
, l_gids
, &k
) < 0)
911 STRV_FOREACH(i
, c
->supplementary_groups
) {
914 if (k
>= ngroups_max
)
918 r
= get_group_creds(&g
, l_gids
+k
);
926 * Sets ngids to zero to drop all supplementary groups, happens
927 * when we are under root and SupplementaryGroups= is empty.
934 /* Otherwise get the final list of supplementary groups */
935 groups
= memdup(l_gids
, sizeof(gid_t
) * k
);
939 *supplementary_gids
= groups
;
947 static int enforce_groups(const ExecContext
*context
, gid_t gid
,
948 gid_t
*supplementary_gids
, int ngids
) {
953 /* Handle SupplementaryGroups= even if it is empty */
954 if (context
->supplementary_groups
) {
955 r
= maybe_setgroups(ngids
, supplementary_gids
);
960 if (gid_is_valid(gid
)) {
961 /* Then set our gids */
962 if (setresgid(gid
, gid
, gid
) < 0)
969 static int enforce_user(const ExecContext
*context
, uid_t uid
) {
972 if (!uid_is_valid(uid
))
975 /* Sets (but doesn't look up) the uid and make sure we keep the
976 * capabilities while doing so. */
978 if (context
->capability_ambient_set
!= 0) {
980 /* First step: If we need to keep capabilities but
981 * drop privileges we need to make sure we keep our
982 * caps, while we drop privileges. */
984 int sb
= context
->secure_bits
| 1<<SECURE_KEEP_CAPS
;
986 if (prctl(PR_GET_SECUREBITS
) != sb
)
987 if (prctl(PR_SET_SECUREBITS
, sb
) < 0)
992 /* Second step: actually set the uids */
993 if (setresuid(uid
, uid
, uid
) < 0)
996 /* At this point we should have all necessary capabilities but
997 are otherwise a normal user. However, the caps might got
998 corrupted due to the setresuid() so we need clean them up
999 later. This is done outside of this call. */
1006 static int null_conv(
1008 const struct pam_message
**msg
,
1009 struct pam_response
**resp
,
1010 void *appdata_ptr
) {
1012 /* We don't support conversations */
1014 return PAM_CONV_ERR
;
1019 static int setup_pam(
1026 int fds
[], unsigned n_fds
) {
1030 static const struct pam_conv conv
= {
1035 _cleanup_(barrier_destroy
) Barrier barrier
= BARRIER_NULL
;
1036 pam_handle_t
*handle
= NULL
;
1038 int pam_code
= PAM_SUCCESS
, r
;
1039 char **nv
, **e
= NULL
;
1040 bool close_session
= false;
1041 pid_t pam_pid
= 0, parent_pid
;
1048 /* We set up PAM in the parent process, then fork. The child
1049 * will then stay around until killed via PR_GET_PDEATHSIG or
1050 * systemd via the cgroup logic. It will then remove the PAM
1051 * session again. The parent process will exec() the actual
1052 * daemon. We do things this way to ensure that the main PID
1053 * of the daemon is the one we initially fork()ed. */
1055 r
= barrier_create(&barrier
);
1059 if (log_get_max_level() < LOG_DEBUG
)
1060 flags
|= PAM_SILENT
;
1062 pam_code
= pam_start(name
, user
, &conv
, &handle
);
1063 if (pam_code
!= PAM_SUCCESS
) {
1069 pam_code
= pam_set_item(handle
, PAM_TTY
, tty
);
1070 if (pam_code
!= PAM_SUCCESS
)
1074 STRV_FOREACH(nv
, *env
) {
1075 pam_code
= pam_putenv(handle
, *nv
);
1076 if (pam_code
!= PAM_SUCCESS
)
1080 pam_code
= pam_acct_mgmt(handle
, flags
);
1081 if (pam_code
!= PAM_SUCCESS
)
1084 pam_code
= pam_open_session(handle
, flags
);
1085 if (pam_code
!= PAM_SUCCESS
)
1088 close_session
= true;
1090 e
= pam_getenvlist(handle
);
1092 pam_code
= PAM_BUF_ERR
;
1096 /* Block SIGTERM, so that we know that it won't get lost in
1099 assert_se(sigprocmask_many(SIG_BLOCK
, &old_ss
, SIGTERM
, -1) >= 0);
1101 parent_pid
= getpid_cached();
1110 int sig
, ret
= EXIT_PAM
;
1112 /* The child's job is to reset the PAM session on
1114 barrier_set_role(&barrier
, BARRIER_CHILD
);
1116 /* This string must fit in 10 chars (i.e. the length
1117 * of "/sbin/init"), to look pretty in /bin/ps */
1118 rename_process("(sd-pam)");
1120 /* Make sure we don't keep open the passed fds in this
1121 child. We assume that otherwise only those fds are
1122 open here that have been opened by PAM. */
1123 close_many(fds
, n_fds
);
1125 /* Drop privileges - we don't need any to pam_close_session
1126 * and this will make PR_SET_PDEATHSIG work in most cases.
1127 * If this fails, ignore the error - but expect sd-pam threads
1128 * to fail to exit normally */
1130 r
= maybe_setgroups(0, NULL
);
1132 log_warning_errno(r
, "Failed to setgroups() in sd-pam: %m");
1133 if (setresgid(gid
, gid
, gid
) < 0)
1134 log_warning_errno(errno
, "Failed to setresgid() in sd-pam: %m");
1135 if (setresuid(uid
, uid
, uid
) < 0)
1136 log_warning_errno(errno
, "Failed to setresuid() in sd-pam: %m");
1138 (void) ignore_signals(SIGPIPE
, -1);
1140 /* Wait until our parent died. This will only work if
1141 * the above setresuid() succeeds, otherwise the kernel
1142 * will not allow unprivileged parents kill their privileged
1143 * children this way. We rely on the control groups kill logic
1144 * to do the rest for us. */
1145 if (prctl(PR_SET_PDEATHSIG
, SIGTERM
) < 0)
1148 /* Tell the parent that our setup is done. This is especially
1149 * important regarding dropping privileges. Otherwise, unit
1150 * setup might race against our setresuid(2) call.
1152 * If the parent aborted, we'll detect this below, hence ignore
1153 * return failure here. */
1154 (void) barrier_place(&barrier
);
1156 /* Check if our parent process might already have died? */
1157 if (getppid() == parent_pid
) {
1160 assert_se(sigemptyset(&ss
) >= 0);
1161 assert_se(sigaddset(&ss
, SIGTERM
) >= 0);
1164 if (sigwait(&ss
, &sig
) < 0) {
1171 assert(sig
== SIGTERM
);
1176 /* If our parent died we'll end the session */
1177 if (getppid() != parent_pid
) {
1178 pam_code
= pam_close_session(handle
, flags
);
1179 if (pam_code
!= PAM_SUCCESS
)
1186 pam_end(handle
, pam_code
| flags
);
1190 barrier_set_role(&barrier
, BARRIER_PARENT
);
1192 /* If the child was forked off successfully it will do all the
1193 * cleanups, so forget about the handle here. */
1196 /* Unblock SIGTERM again in the parent */
1197 assert_se(sigprocmask(SIG_SETMASK
, &old_ss
, NULL
) >= 0);
1199 /* We close the log explicitly here, since the PAM modules
1200 * might have opened it, but we don't want this fd around. */
1203 /* Synchronously wait for the child to initialize. We don't care for
1204 * errors as we cannot recover. However, warn loudly if it happens. */
1205 if (!barrier_place_and_sync(&barrier
))
1206 log_error("PAM initialization failed");
1214 if (pam_code
!= PAM_SUCCESS
) {
1215 log_error("PAM failed: %s", pam_strerror(handle
, pam_code
));
1216 r
= -EPERM
; /* PAM errors do not map to errno */
1218 log_error_errno(r
, "PAM failed: %m");
1222 pam_code
= pam_close_session(handle
, flags
);
1224 pam_end(handle
, pam_code
| flags
);
1236 static void rename_process_from_path(const char *path
) {
1237 char process_name
[11];
1241 /* This resulting string must fit in 10 chars (i.e. the length
1242 * of "/sbin/init") to look pretty in /bin/ps */
1246 rename_process("(...)");
1252 /* The end of the process name is usually more
1253 * interesting, since the first bit might just be
1259 process_name
[0] = '(';
1260 memcpy(process_name
+1, p
, l
);
1261 process_name
[1+l
] = ')';
1262 process_name
[1+l
+1] = 0;
1264 rename_process(process_name
);
1267 static bool context_has_address_families(const ExecContext
*c
) {
1270 return c
->address_families_whitelist
||
1271 !set_isempty(c
->address_families
);
1274 static bool context_has_syscall_filters(const ExecContext
*c
) {
1277 return c
->syscall_whitelist
||
1278 !set_isempty(c
->syscall_filter
);
1281 static bool context_has_no_new_privileges(const ExecContext
*c
) {
1284 if (c
->no_new_privileges
)
1287 if (have_effective_cap(CAP_SYS_ADMIN
)) /* if we are privileged, we don't need NNP */
1290 /* We need NNP if we have any form of seccomp and are unprivileged */
1291 return context_has_address_families(c
) ||
1292 c
->memory_deny_write_execute
||
1293 c
->restrict_realtime
||
1294 exec_context_restrict_namespaces_set(c
) ||
1295 c
->protect_kernel_tunables
||
1296 c
->protect_kernel_modules
||
1297 c
->private_devices
||
1298 context_has_syscall_filters(c
) ||
1299 !set_isempty(c
->syscall_archs
);
1304 static bool skip_seccomp_unavailable(const Unit
* u
, const char* msg
) {
1306 if (is_seccomp_available())
1310 log_unit_debug(u
, "SECCOMP features not detected in the kernel, skipping %s", msg
);
1315 static int apply_syscall_filter(const Unit
* u
, const ExecContext
*c
) {
1316 uint32_t negative_action
, default_action
, action
;
1321 if (!context_has_syscall_filters(c
))
1324 if (skip_seccomp_unavailable(u
, "SystemCallFilter="))
1327 negative_action
= c
->syscall_errno
== 0 ? SCMP_ACT_KILL
: SCMP_ACT_ERRNO(c
->syscall_errno
);
1329 if (c
->syscall_whitelist
) {
1330 default_action
= negative_action
;
1331 action
= SCMP_ACT_ALLOW
;
1333 default_action
= SCMP_ACT_ALLOW
;
1334 action
= negative_action
;
1337 return seccomp_load_syscall_filter_set_raw(default_action
, c
->syscall_filter
, action
);
1340 static int apply_syscall_archs(const Unit
*u
, const ExecContext
*c
) {
1344 if (set_isempty(c
->syscall_archs
))
1347 if (skip_seccomp_unavailable(u
, "SystemCallArchitectures="))
1350 return seccomp_restrict_archs(c
->syscall_archs
);
1353 static int apply_address_families(const Unit
* u
, const ExecContext
*c
) {
1357 if (!context_has_address_families(c
))
1360 if (skip_seccomp_unavailable(u
, "RestrictAddressFamilies="))
1363 return seccomp_restrict_address_families(c
->address_families
, c
->address_families_whitelist
);
1366 static int apply_memory_deny_write_execute(const Unit
* u
, const ExecContext
*c
) {
1370 if (!c
->memory_deny_write_execute
)
1373 if (skip_seccomp_unavailable(u
, "MemoryDenyWriteExecute="))
1376 return seccomp_memory_deny_write_execute();
1379 static int apply_restrict_realtime(const Unit
* u
, const ExecContext
*c
) {
1383 if (!c
->restrict_realtime
)
1386 if (skip_seccomp_unavailable(u
, "RestrictRealtime="))
1389 return seccomp_restrict_realtime();
1392 static int apply_protect_sysctl(const Unit
*u
, const ExecContext
*c
) {
1396 /* Turn off the legacy sysctl() system call. Many distributions turn this off while building the kernel, but
1397 * let's protect even those systems where this is left on in the kernel. */
1399 if (!c
->protect_kernel_tunables
)
1402 if (skip_seccomp_unavailable(u
, "ProtectKernelTunables="))
1405 return seccomp_protect_sysctl();
1408 static int apply_protect_kernel_modules(const Unit
*u
, const ExecContext
*c
) {
1412 /* Turn off module syscalls on ProtectKernelModules=yes */
1414 if (!c
->protect_kernel_modules
)
1417 if (skip_seccomp_unavailable(u
, "ProtectKernelModules="))
1420 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW
, syscall_filter_sets
+ SYSCALL_FILTER_SET_MODULE
, SCMP_ACT_ERRNO(EPERM
));
1423 static int apply_private_devices(const Unit
*u
, const ExecContext
*c
) {
1427 /* If PrivateDevices= is set, also turn off iopl and all @raw-io syscalls. */
1429 if (!c
->private_devices
)
1432 if (skip_seccomp_unavailable(u
, "PrivateDevices="))
1435 return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW
, syscall_filter_sets
+ SYSCALL_FILTER_SET_RAW_IO
, SCMP_ACT_ERRNO(EPERM
));
1438 static int apply_restrict_namespaces(Unit
*u
, const ExecContext
*c
) {
1442 if (!exec_context_restrict_namespaces_set(c
))
1445 if (skip_seccomp_unavailable(u
, "RestrictNamespaces="))
1448 return seccomp_restrict_namespaces(c
->restrict_namespaces
);
1453 static void do_idle_pipe_dance(int idle_pipe
[4]) {
1456 idle_pipe
[1] = safe_close(idle_pipe
[1]);
1457 idle_pipe
[2] = safe_close(idle_pipe
[2]);
1459 if (idle_pipe
[0] >= 0) {
1462 r
= fd_wait_for_event(idle_pipe
[0], POLLHUP
, IDLE_TIMEOUT_USEC
);
1464 if (idle_pipe
[3] >= 0 && r
== 0 /* timeout */) {
1467 /* Signal systemd that we are bored and want to continue. */
1468 n
= write(idle_pipe
[3], "x", 1);
1470 /* Wait for systemd to react to the signal above. */
1471 fd_wait_for_event(idle_pipe
[0], POLLHUP
, IDLE_TIMEOUT2_USEC
);
1474 idle_pipe
[0] = safe_close(idle_pipe
[0]);
1478 idle_pipe
[3] = safe_close(idle_pipe
[3]);
1481 static int build_environment(
1483 const ExecContext
*c
,
1484 const ExecParameters
*p
,
1487 const char *username
,
1489 dev_t journal_stream_dev
,
1490 ino_t journal_stream_ino
,
1493 _cleanup_strv_free_
char **our_env
= NULL
;
1501 our_env
= new0(char*, 14);
1506 _cleanup_free_
char *joined
= NULL
;
1508 if (asprintf(&x
, "LISTEN_PID="PID_FMT
, getpid_cached()) < 0)
1510 our_env
[n_env
++] = x
;
1512 if (asprintf(&x
, "LISTEN_FDS=%u", n_fds
) < 0)
1514 our_env
[n_env
++] = x
;
1516 joined
= strv_join(p
->fd_names
, ":");
1520 x
= strjoin("LISTEN_FDNAMES=", joined
);
1523 our_env
[n_env
++] = x
;
1526 if ((p
->flags
& EXEC_SET_WATCHDOG
) && p
->watchdog_usec
> 0) {
1527 if (asprintf(&x
, "WATCHDOG_PID="PID_FMT
, getpid_cached()) < 0)
1529 our_env
[n_env
++] = x
;
1531 if (asprintf(&x
, "WATCHDOG_USEC="USEC_FMT
, p
->watchdog_usec
) < 0)
1533 our_env
[n_env
++] = x
;
1536 /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
1537 * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
1538 * check the database directly. */
1539 if (unit_has_name(u
, SPECIAL_DBUS_SERVICE
)) {
1540 x
= strdup("SYSTEMD_NSS_BYPASS_BUS=1");
1543 our_env
[n_env
++] = x
;
1547 x
= strappend("HOME=", home
);
1550 our_env
[n_env
++] = x
;
1554 x
= strappend("LOGNAME=", username
);
1557 our_env
[n_env
++] = x
;
1559 x
= strappend("USER=", username
);
1562 our_env
[n_env
++] = x
;
1566 x
= strappend("SHELL=", shell
);
1569 our_env
[n_env
++] = x
;
1572 if (!sd_id128_is_null(u
->invocation_id
)) {
1573 if (asprintf(&x
, "INVOCATION_ID=" SD_ID128_FORMAT_STR
, SD_ID128_FORMAT_VAL(u
->invocation_id
)) < 0)
1576 our_env
[n_env
++] = x
;
1579 if (exec_context_needs_term(c
)) {
1580 const char *tty_path
, *term
= NULL
;
1582 tty_path
= exec_context_tty_path(c
);
1584 /* If we are forked off PID 1 and we are supposed to operate on /dev/console, then let's try to inherit
1585 * the $TERM set for PID 1. This is useful for containers so that the $TERM the container manager
1586 * passes to PID 1 ends up all the way in the console login shown. */
1588 if (path_equal(tty_path
, "/dev/console") && getppid() == 1)
1589 term
= getenv("TERM");
1591 term
= default_term_for_tty(tty_path
);
1593 x
= strappend("TERM=", term
);
1596 our_env
[n_env
++] = x
;
1599 if (journal_stream_dev
!= 0 && journal_stream_ino
!= 0) {
1600 if (asprintf(&x
, "JOURNAL_STREAM=" DEV_FMT
":" INO_FMT
, journal_stream_dev
, journal_stream_ino
) < 0)
1603 our_env
[n_env
++] = x
;
1606 our_env
[n_env
++] = NULL
;
1607 assert(n_env
<= 12);
1615 static int build_pass_environment(const ExecContext
*c
, char ***ret
) {
1616 _cleanup_strv_free_
char **pass_env
= NULL
;
1617 size_t n_env
= 0, n_bufsize
= 0;
1620 STRV_FOREACH(i
, c
->pass_environment
) {
1621 _cleanup_free_
char *x
= NULL
;
1627 x
= strjoin(*i
, "=", v
);
1630 if (!GREEDY_REALLOC(pass_env
, n_bufsize
, n_env
+ 2))
1632 pass_env
[n_env
++] = x
;
1633 pass_env
[n_env
] = NULL
;
1643 static bool exec_needs_mount_namespace(
1644 const ExecContext
*context
,
1645 const ExecParameters
*params
,
1646 ExecRuntime
*runtime
) {
1651 if (context
->root_image
)
1654 if (!strv_isempty(context
->read_write_paths
) ||
1655 !strv_isempty(context
->read_only_paths
) ||
1656 !strv_isempty(context
->inaccessible_paths
))
1659 if (context
->n_bind_mounts
> 0)
1662 if (context
->mount_flags
!= 0)
1665 if (context
->private_tmp
&& runtime
&& (runtime
->tmp_dir
|| runtime
->var_tmp_dir
))
1668 if (context
->private_devices
||
1669 context
->protect_system
!= PROTECT_SYSTEM_NO
||
1670 context
->protect_home
!= PROTECT_HOME_NO
||
1671 context
->protect_kernel_tunables
||
1672 context
->protect_kernel_modules
||
1673 context
->protect_control_groups
)
1676 if (context
->mount_apivfs
&& (context
->root_image
|| context
->root_directory
))
1682 static int setup_private_users(uid_t uid
, gid_t gid
) {
1683 _cleanup_free_
char *uid_map
= NULL
, *gid_map
= NULL
;
1684 _cleanup_close_pair_
int errno_pipe
[2] = { -1, -1 };
1685 _cleanup_close_
int unshare_ready_fd
= -1;
1686 _cleanup_(sigkill_waitp
) pid_t pid
= 0;
1692 /* Set up a user namespace and map root to root, the selected UID/GID to itself, and everything else to
1693 * nobody. In order to be able to write this mapping we need CAP_SETUID in the original user namespace, which
1694 * we however lack after opening the user namespace. To work around this we fork() a temporary child process,
1695 * which waits for the parent to create the new user namespace while staying in the original namespace. The
1696 * child then writes the UID mapping, under full privileges. The parent waits for the child to finish and
1697 * continues execution normally. */
1699 if (uid
!= 0 && uid_is_valid(uid
)) {
1700 r
= asprintf(&uid_map
,
1701 "0 0 1\n" /* Map root → root */
1702 UID_FMT
" " UID_FMT
" 1\n", /* Map $UID → $UID */
1707 uid_map
= strdup("0 0 1\n"); /* The case where the above is the same */
1712 if (gid
!= 0 && gid_is_valid(gid
)) {
1713 r
= asprintf(&gid_map
,
1714 "0 0 1\n" /* Map root → root */
1715 GID_FMT
" " GID_FMT
" 1\n", /* Map $GID → $GID */
1720 gid_map
= strdup("0 0 1\n"); /* The case where the above is the same */
1725 /* Create a communication channel so that the parent can tell the child when it finished creating the user
1727 unshare_ready_fd
= eventfd(0, EFD_CLOEXEC
);
1728 if (unshare_ready_fd
< 0)
1731 /* Create a communication channel so that the child can tell the parent a proper error code in case it
1733 if (pipe2(errno_pipe
, O_CLOEXEC
) < 0)
1741 _cleanup_close_
int fd
= -1;
1745 /* Child process, running in the original user namespace. Let's update the parent's UID/GID map from
1746 * here, after the parent opened its own user namespace. */
1749 errno_pipe
[0] = safe_close(errno_pipe
[0]);
1751 /* Wait until the parent unshared the user namespace */
1752 if (read(unshare_ready_fd
, &c
, sizeof(c
)) < 0) {
1757 /* Disable the setgroups() system call in the child user namespace, for good. */
1758 a
= procfs_file_alloca(ppid
, "setgroups");
1759 fd
= open(a
, O_WRONLY
|O_CLOEXEC
);
1761 if (errno
!= ENOENT
) {
1766 /* If the file is missing the kernel is too old, let's continue anyway. */
1768 if (write(fd
, "deny\n", 5) < 0) {
1773 fd
= safe_close(fd
);
1776 /* First write the GID map */
1777 a
= procfs_file_alloca(ppid
, "gid_map");
1778 fd
= open(a
, O_WRONLY
|O_CLOEXEC
);
1783 if (write(fd
, gid_map
, strlen(gid_map
)) < 0) {
1787 fd
= safe_close(fd
);
1789 /* The write the UID map */
1790 a
= procfs_file_alloca(ppid
, "uid_map");
1791 fd
= open(a
, O_WRONLY
|O_CLOEXEC
);
1796 if (write(fd
, uid_map
, strlen(uid_map
)) < 0) {
1801 _exit(EXIT_SUCCESS
);
1804 (void) write(errno_pipe
[1], &r
, sizeof(r
));
1805 _exit(EXIT_FAILURE
);
1808 errno_pipe
[1] = safe_close(errno_pipe
[1]);
1810 if (unshare(CLONE_NEWUSER
) < 0)
1813 /* Let the child know that the namespace is ready now */
1814 if (write(unshare_ready_fd
, &c
, sizeof(c
)) < 0)
1817 /* Try to read an error code from the child */
1818 n
= read(errno_pipe
[0], &r
, sizeof(r
));
1821 if (n
== sizeof(r
)) { /* an error code was sent to us */
1826 if (n
!= 0) /* on success we should have read 0 bytes */
1829 r
= wait_for_terminate(pid
, &si
);
1834 /* If something strange happened with the child, let's consider this fatal, too */
1835 if (si
.si_code
!= CLD_EXITED
|| si
.si_status
!= 0)
1841 static int setup_exec_directory(
1842 const ExecContext
*context
,
1843 const ExecParameters
*params
,
1846 ExecDirectoryType type
,
1849 static const int exit_status_table
[_EXEC_DIRECTORY_MAX
] = {
1850 [EXEC_DIRECTORY_RUNTIME
] = EXIT_RUNTIME_DIRECTORY
,
1851 [EXEC_DIRECTORY_STATE
] = EXIT_STATE_DIRECTORY
,
1852 [EXEC_DIRECTORY_CACHE
] = EXIT_CACHE_DIRECTORY
,
1853 [EXEC_DIRECTORY_LOGS
] = EXIT_LOGS_DIRECTORY
,
1854 [EXEC_DIRECTORY_CONFIGURATION
] = EXIT_CONFIGURATION_DIRECTORY
,
1861 assert(type
>= 0 && type
< _EXEC_DIRECTORY_MAX
);
1862 assert(exit_status
);
1864 if (!params
->prefix
[type
])
1867 if (params
->flags
& EXEC_CHOWN_DIRECTORIES
) {
1868 if (!uid_is_valid(uid
))
1870 if (!gid_is_valid(gid
))
1874 STRV_FOREACH(rt
, context
->directories
[type
].paths
) {
1875 _cleanup_free_
char *p
;
1877 p
= strjoin(params
->prefix
[type
], "/", *rt
);
1883 r
= mkdir_parents_label(p
, 0755);
1887 r
= mkdir_p_label(p
, context
->directories
[type
].mode
);
1891 /* Don't change the owner of the configuration directory, as in the common case it is not written to by
1892 * a service, and shall not be writable. */
1893 if (type
== EXEC_DIRECTORY_CONFIGURATION
)
1896 r
= chmod_and_chown(p
, context
->directories
[type
].mode
, uid
, gid
);
1904 *exit_status
= exit_status_table
[type
];
1909 static int setup_smack(
1910 const ExecContext
*context
,
1911 const ExecCommand
*command
) {
1918 if (context
->smack_process_label
) {
1919 r
= mac_smack_apply_pid(0, context
->smack_process_label
);
1923 #ifdef SMACK_DEFAULT_PROCESS_LABEL
1925 _cleanup_free_
char *exec_label
= NULL
;
1927 r
= mac_smack_read(command
->path
, SMACK_ATTR_EXEC
, &exec_label
);
1928 if (r
< 0 && r
!= -ENODATA
&& r
!= -EOPNOTSUPP
)
1931 r
= mac_smack_apply_pid(0, exec_label
? : SMACK_DEFAULT_PROCESS_LABEL
);
1940 static int compile_read_write_paths(
1941 const ExecContext
*context
,
1942 const ExecParameters
*params
,
1945 _cleanup_strv_free_
char **l
= NULL
;
1947 ExecDirectoryType i
;
1949 /* Compile the list of writable paths. This is the combination of
1950 * the explicitly configured paths, plus all runtime directories. */
1952 if (strv_isempty(context
->read_write_paths
)) {
1953 for (i
= 0; i
< _EXEC_DIRECTORY_MAX
; i
++)
1954 if (!strv_isempty(context
->directories
[i
].paths
))
1957 if (i
== _EXEC_DIRECTORY_MAX
) {
1958 *ret
= NULL
; /* NOP if neither is set */
1963 l
= strv_copy(context
->read_write_paths
);
1967 for (i
= 0; i
< _EXEC_DIRECTORY_MAX
; i
++) {
1968 if (!params
->prefix
[i
])
1971 STRV_FOREACH(rt
, context
->directories
[i
].paths
) {
1974 s
= strjoin(params
->prefix
[i
], "/", *rt
);
1978 if (strv_consume(&l
, s
) < 0)
1989 static int apply_mount_namespace(
1991 ExecCommand
*command
,
1992 const ExecContext
*context
,
1993 const ExecParameters
*params
,
1994 ExecRuntime
*runtime
) {
1996 _cleanup_strv_free_
char **rw
= NULL
;
1997 char *tmp
= NULL
, *var
= NULL
;
1998 const char *root_dir
= NULL
, *root_image
= NULL
;
1999 NameSpaceInfo ns_info
= {
2000 .ignore_protect_paths
= false,
2001 .private_dev
= context
->private_devices
,
2002 .protect_control_groups
= context
->protect_control_groups
,
2003 .protect_kernel_tunables
= context
->protect_kernel_tunables
,
2004 .protect_kernel_modules
= context
->protect_kernel_modules
,
2005 .mount_apivfs
= context
->mount_apivfs
,
2007 bool apply_restrictions
;
2012 /* The runtime struct only contains the parent of the private /tmp,
2013 * which is non-accessible to world users. Inside of it there's a /tmp
2014 * that is sticky, and that's the one we want to use here. */
2016 if (context
->private_tmp
&& runtime
) {
2017 if (runtime
->tmp_dir
)
2018 tmp
= strjoina(runtime
->tmp_dir
, "/tmp");
2019 if (runtime
->var_tmp_dir
)
2020 var
= strjoina(runtime
->var_tmp_dir
, "/tmp");
2023 r
= compile_read_write_paths(context
, params
, &rw
);
2027 if (params
->flags
& EXEC_APPLY_CHROOT
) {
2028 root_image
= context
->root_image
;
2031 root_dir
= context
->root_directory
;
2035 * If DynamicUser=no and RootDirectory= is set then lets pass a relaxed
2036 * sandbox info, otherwise enforce it, don't ignore protected paths and
2037 * fail if we are enable to apply the sandbox inside the mount namespace.
2039 if (!context
->dynamic_user
&& root_dir
)
2040 ns_info
.ignore_protect_paths
= true;
2042 apply_restrictions
= (params
->flags
& EXEC_APPLY_PERMISSIONS
) && !(command
->flags
& EXEC_COMMAND_FULLY_PRIVILEGED
);
2044 r
= setup_namespace(root_dir
, root_image
,
2046 apply_restrictions
? context
->read_only_paths
: NULL
,
2047 apply_restrictions
? context
->inaccessible_paths
: NULL
,
2048 context
->bind_mounts
,
2049 context
->n_bind_mounts
,
2052 apply_restrictions
? context
->protect_home
: PROTECT_HOME_NO
,
2053 apply_restrictions
? context
->protect_system
: PROTECT_SYSTEM_NO
,
2054 context
->mount_flags
,
2055 DISSECT_IMAGE_DISCARD_ON_LOOP
);
2057 /* If we couldn't set up the namespace this is probably due to a
2058 * missing capability. In this case, silently proceeed. */
2059 if (IN_SET(r
, -EPERM
, -EACCES
)) {
2061 log_unit_debug_errno(u
, r
, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
2069 static int apply_working_directory(
2070 const ExecContext
*context
,
2071 const ExecParameters
*params
,
2073 const bool needs_mount_ns
,
2079 assert(exit_status
);
2081 if (context
->working_directory_home
) {
2084 *exit_status
= EXIT_CHDIR
;
2090 } else if (context
->working_directory
)
2091 wd
= context
->working_directory
;
2095 if (params
->flags
& EXEC_APPLY_CHROOT
) {
2096 if (!needs_mount_ns
&& context
->root_directory
)
2097 if (chroot(context
->root_directory
) < 0) {
2098 *exit_status
= EXIT_CHROOT
;
2104 d
= prefix_roota(context
->root_directory
, wd
);
2106 if (chdir(d
) < 0 && !context
->working_directory_missing_ok
) {
2107 *exit_status
= EXIT_CHDIR
;
2114 static int setup_keyring(Unit
*u
, const ExecParameters
*p
, uid_t uid
, gid_t gid
) {
2115 key_serial_t keyring
;
2120 /* Let's set up a new per-service "session" kernel keyring for each system service. This has the benefit that
2121 * each service runs with its own keyring shared among all processes of the service, but with no hook-up beyond
2122 * that scope, and in particular no link to the per-UID keyring. If we don't do this the keyring will be
2123 * automatically created on-demand and then linked to the per-UID keyring, by the kernel. The kernel's built-in
2124 * on-demand behaviour is very appropriate for login users, but probably not so much for system services, where
2125 * UIDs are not necessarily specific to a service but reused (at least in the case of UID 0). */
2127 if (!(p
->flags
& EXEC_NEW_KEYRING
))
2130 keyring
= keyctl(KEYCTL_JOIN_SESSION_KEYRING
, 0, 0, 0, 0);
2131 if (keyring
== -1) {
2132 if (errno
== ENOSYS
)
2133 log_debug_errno(errno
, "Kernel keyring not supported, ignoring.");
2134 else if (IN_SET(errno
, EACCES
, EPERM
))
2135 log_debug_errno(errno
, "Kernel keyring access prohibited, ignoring.");
2136 else if (errno
== EDQUOT
)
2137 log_debug_errno(errno
, "Out of kernel keyrings to allocate, ignoring.");
2139 return log_error_errno(errno
, "Setting up kernel keyring failed: %m");
2144 /* Populate they keyring with the invocation ID by default. */
2145 if (!sd_id128_is_null(u
->invocation_id
)) {
2148 key
= add_key("user", "invocation_id", &u
->invocation_id
, sizeof(u
->invocation_id
), KEY_SPEC_SESSION_KEYRING
);
2150 log_debug_errno(errno
, "Failed to add invocation ID to keyring, ignoring: %m");
2152 if (keyctl(KEYCTL_SETPERM
, key
,
2153 KEY_POS_VIEW
|KEY_POS_READ
|KEY_POS_SEARCH
|
2154 KEY_USR_VIEW
|KEY_USR_READ
|KEY_USR_SEARCH
, 0, 0) < 0)
2155 return log_error_errno(errno
, "Failed to restrict invocation ID permission: %m");
2159 /* And now, make the keyring owned by the service's user */
2160 if (uid_is_valid(uid
) || gid_is_valid(gid
))
2161 if (keyctl(KEYCTL_CHOWN
, keyring
, uid
, gid
, 0) < 0)
2162 return log_error_errno(errno
, "Failed to change ownership of session keyring: %m");
2167 static void append_socket_pair(int *array
, unsigned *n
, int pair
[2]) {
2175 array
[(*n
)++] = pair
[0];
2177 array
[(*n
)++] = pair
[1];
2180 static int close_remaining_fds(
2181 const ExecParameters
*params
,
2182 ExecRuntime
*runtime
,
2183 DynamicCreds
*dcreds
,
2186 int *fds
, unsigned n_fds
) {
2188 unsigned n_dont_close
= 0;
2189 int dont_close
[n_fds
+ 12];
2193 if (params
->stdin_fd
>= 0)
2194 dont_close
[n_dont_close
++] = params
->stdin_fd
;
2195 if (params
->stdout_fd
>= 0)
2196 dont_close
[n_dont_close
++] = params
->stdout_fd
;
2197 if (params
->stderr_fd
>= 0)
2198 dont_close
[n_dont_close
++] = params
->stderr_fd
;
2201 dont_close
[n_dont_close
++] = socket_fd
;
2203 memcpy(dont_close
+ n_dont_close
, fds
, sizeof(int) * n_fds
);
2204 n_dont_close
+= n_fds
;
2208 append_socket_pair(dont_close
, &n_dont_close
, runtime
->netns_storage_socket
);
2212 append_socket_pair(dont_close
, &n_dont_close
, dcreds
->user
->storage_socket
);
2214 append_socket_pair(dont_close
, &n_dont_close
, dcreds
->group
->storage_socket
);
2217 if (user_lookup_fd
>= 0)
2218 dont_close
[n_dont_close
++] = user_lookup_fd
;
2220 return close_all_fds(dont_close
, n_dont_close
);
2223 static int send_user_lookup(
2231 /* Send the resolved UID/GID to PID 1 after we learnt it. We send a single datagram, containing the UID/GID
2232 * data as well as the unit name. Note that we suppress sending this if no user/group to resolve was
2235 if (user_lookup_fd
< 0)
2238 if (!uid_is_valid(uid
) && !gid_is_valid(gid
))
2241 if (writev(user_lookup_fd
,
2243 { .iov_base
= &uid
, .iov_len
= sizeof(uid
) },
2244 { .iov_base
= &gid
, .iov_len
= sizeof(gid
) },
2245 { .iov_base
= unit
->id
, .iov_len
= strlen(unit
->id
) }}, 3) < 0)
2251 static int acquire_home(const ExecContext
*c
, uid_t uid
, const char** home
, char **buf
) {
2258 /* If WorkingDirectory=~ is set, try to acquire a usable home directory. */
2263 if (!c
->working_directory_home
)
2267 /* Hardcode /root as home directory for UID 0 */
2272 r
= get_home_dir(buf
);
2280 static int exec_child(
2282 ExecCommand
*command
,
2283 const ExecContext
*context
,
2284 const ExecParameters
*params
,
2285 ExecRuntime
*runtime
,
2286 DynamicCreds
*dcreds
,
2291 unsigned n_storage_fds
,
2292 unsigned n_socket_fds
,
2296 char **error_message
) {
2298 _cleanup_strv_free_
char **our_env
= NULL
, **pass_env
= NULL
, **accum_env
= NULL
, **final_argv
= NULL
;
2299 _cleanup_free_
char *mac_selinux_context_net
= NULL
, *home_buffer
= NULL
;
2300 _cleanup_free_ gid_t
*supplementary_gids
= NULL
;
2301 const char *username
= NULL
, *groupname
= NULL
;
2302 const char *home
= NULL
, *shell
= NULL
;
2303 dev_t journal_stream_dev
= 0;
2304 ino_t journal_stream_ino
= 0;
2305 bool needs_exec_restrictions
, needs_mount_namespace
;
2307 bool needs_selinux
= false;
2310 bool needs_smack
= false;
2312 #ifdef HAVE_APPARMOR
2313 bool needs_apparmor
= false;
2315 uid_t uid
= UID_INVALID
;
2316 gid_t gid
= GID_INVALID
;
2317 int i
, r
, ngids
= 0;
2319 ExecDirectoryType dt
;
2325 assert(exit_status
);
2326 assert(error_message
);
2327 /* We don't always set error_message, hence it must be initialized */
2328 assert(*error_message
== NULL
);
2330 rename_process_from_path(command
->path
);
2332 /* We reset exactly these signals, since they are the
2333 * only ones we set to SIG_IGN in the main daemon. All
2334 * others we leave untouched because we set them to
2335 * SIG_DFL or a valid handler initially, both of which
2336 * will be demoted to SIG_DFL. */
2337 (void) default_signals(SIGNALS_CRASH_HANDLER
,
2338 SIGNALS_IGNORE
, -1);
2340 if (context
->ignore_sigpipe
)
2341 (void) ignore_signals(SIGPIPE
, -1);
2343 r
= reset_signal_mask();
2345 *exit_status
= EXIT_SIGNAL_MASK
;
2346 *error_message
= strdup("Failed to reset signal mask");
2347 /* If strdup fails, here and below, we will just print the generic error message. */
2351 if (params
->idle_pipe
)
2352 do_idle_pipe_dance(params
->idle_pipe
);
2354 /* Close sockets very early to make sure we don't
2355 * block init reexecution because it cannot bind its
2360 n_fds
= n_storage_fds
+ n_socket_fds
;
2361 r
= close_remaining_fds(params
, runtime
, dcreds
, user_lookup_fd
, socket_fd
, fds
, n_fds
);
2363 *exit_status
= EXIT_FDS
;
2364 *error_message
= strdup("Failed to close remaining fds");
2368 if (!context
->same_pgrp
)
2370 *exit_status
= EXIT_SETSID
;
2374 exec_context_tty_reset(context
, params
);
2376 if (unit_shall_confirm_spawn(unit
)) {
2377 const char *vc
= params
->confirm_spawn
;
2378 _cleanup_free_
char *cmdline
= NULL
;
2380 cmdline
= exec_command_line(argv
);
2382 *exit_status
= EXIT_CONFIRM
;
2386 r
= ask_for_confirmation(vc
, unit
, cmdline
);
2387 if (r
!= CONFIRM_EXECUTE
) {
2388 if (r
== CONFIRM_PRETEND_SUCCESS
) {
2389 *exit_status
= EXIT_SUCCESS
;
2392 *exit_status
= EXIT_CONFIRM
;
2393 *error_message
= strdup("Execution cancelled");
2398 if (context
->dynamic_user
&& dcreds
) {
2400 /* Make sure we bypass our own NSS module for any NSS checks */
2401 if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
2402 *exit_status
= EXIT_USER
;
2403 *error_message
= strdup("Failed to update environment");
2407 r
= dynamic_creds_realize(dcreds
, &uid
, &gid
);
2409 *exit_status
= EXIT_USER
;
2410 *error_message
= strdup("Failed to update dynamic user credentials");
2414 if (!uid_is_valid(uid
)) {
2415 *exit_status
= EXIT_USER
;
2416 (void) asprintf(error_message
, "UID validation failed for \""UID_FMT
"\"", uid
);
2417 /* If asprintf fails, here and below, we will just print the generic error message. */
2421 if (!gid_is_valid(gid
)) {
2422 *exit_status
= EXIT_USER
;
2423 (void) asprintf(error_message
, "GID validation failed for \""GID_FMT
"\"", gid
);
2428 username
= dcreds
->user
->name
;
2431 r
= get_fixed_user(context
, &username
, &uid
, &gid
, &home
, &shell
);
2433 *exit_status
= EXIT_USER
;
2434 *error_message
= strdup("Failed to determine user credentials");
2438 r
= get_fixed_group(context
, &groupname
, &gid
);
2440 *exit_status
= EXIT_GROUP
;
2441 *error_message
= strdup("Failed to determine group credentials");
2446 /* Initialize user supplementary groups and get SupplementaryGroups= ones */
2447 r
= get_supplementary_groups(context
, username
, groupname
, gid
,
2448 &supplementary_gids
, &ngids
);
2450 *exit_status
= EXIT_GROUP
;
2451 *error_message
= strdup("Failed to determine supplementary groups");
2455 r
= send_user_lookup(unit
, user_lookup_fd
, uid
, gid
);
2457 *exit_status
= EXIT_USER
;
2458 *error_message
= strdup("Failed to send user credentials to PID1");
2462 user_lookup_fd
= safe_close(user_lookup_fd
);
2464 r
= acquire_home(context
, uid
, &home
, &home_buffer
);
2466 *exit_status
= EXIT_CHDIR
;
2467 *error_message
= strdup("Failed to determine $HOME for user");
2471 /* If a socket is connected to STDIN/STDOUT/STDERR, we
2472 * must sure to drop O_NONBLOCK */
2474 (void) fd_nonblock(socket_fd
, false);
2476 r
= setup_input(context
, params
, socket_fd
, named_iofds
);
2478 *exit_status
= EXIT_STDIN
;
2479 *error_message
= strdup("Failed to set up stdin");
2483 r
= setup_output(unit
, context
, params
, STDOUT_FILENO
, socket_fd
, named_iofds
, basename(command
->path
), uid
, gid
, &journal_stream_dev
, &journal_stream_ino
);
2485 *exit_status
= EXIT_STDOUT
;
2486 *error_message
= strdup("Failed to set up stdout");
2490 r
= setup_output(unit
, context
, params
, STDERR_FILENO
, socket_fd
, named_iofds
, basename(command
->path
), uid
, gid
, &journal_stream_dev
, &journal_stream_ino
);
2492 *exit_status
= EXIT_STDERR
;
2493 *error_message
= strdup("Failed to set up stderr");
2497 if (params
->cgroup_path
) {
2498 r
= cg_attach_everywhere(params
->cgroup_supported
, params
->cgroup_path
, 0, NULL
, NULL
);
2500 *exit_status
= EXIT_CGROUP
;
2501 (void) asprintf(error_message
, "Failed to attach to cgroup %s", params
->cgroup_path
);
2506 if (context
->oom_score_adjust_set
) {
2507 char t
[DECIMAL_STR_MAX(context
->oom_score_adjust
)];
2509 /* When we can't make this change due to EPERM, then
2510 * let's silently skip over it. User namespaces
2511 * prohibit write access to this file, and we
2512 * shouldn't trip up over that. */
2514 sprintf(t
, "%i", context
->oom_score_adjust
);
2515 r
= write_string_file("/proc/self/oom_score_adj", t
, 0);
2516 if (r
== -EPERM
|| r
== -EACCES
) {
2518 log_unit_debug_errno(unit
, r
, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
2521 *exit_status
= EXIT_OOM_ADJUST
;
2522 *error_message
= strdup("Failed to write /proc/self/oom_score_adj");
2527 if (context
->nice_set
)
2528 if (setpriority(PRIO_PROCESS
, 0, context
->nice
) < 0) {
2529 *exit_status
= EXIT_NICE
;
2533 if (context
->cpu_sched_set
) {
2534 struct sched_param param
= {
2535 .sched_priority
= context
->cpu_sched_priority
,
2538 r
= sched_setscheduler(0,
2539 context
->cpu_sched_policy
|
2540 (context
->cpu_sched_reset_on_fork
?
2541 SCHED_RESET_ON_FORK
: 0),
2544 *exit_status
= EXIT_SETSCHEDULER
;
2549 if (context
->cpuset
)
2550 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context
->cpuset_ncpus
), context
->cpuset
) < 0) {
2551 *exit_status
= EXIT_CPUAFFINITY
;
2555 if (context
->ioprio_set
)
2556 if (ioprio_set(IOPRIO_WHO_PROCESS
, 0, context
->ioprio
) < 0) {
2557 *exit_status
= EXIT_IOPRIO
;
2561 if (context
->timer_slack_nsec
!= NSEC_INFINITY
)
2562 if (prctl(PR_SET_TIMERSLACK
, context
->timer_slack_nsec
) < 0) {
2563 *exit_status
= EXIT_TIMERSLACK
;
2567 if (context
->personality
!= PERSONALITY_INVALID
)
2568 if (personality(context
->personality
) < 0) {
2569 *exit_status
= EXIT_PERSONALITY
;
2573 if (context
->utmp_id
)
2574 utmp_put_init_process(context
->utmp_id
, getpid_cached(), getsid(0),
2576 context
->utmp_mode
== EXEC_UTMP_INIT
? INIT_PROCESS
:
2577 context
->utmp_mode
== EXEC_UTMP_LOGIN
? LOGIN_PROCESS
:
2581 if (context
->user
) {
2582 r
= chown_terminal(STDIN_FILENO
, uid
);
2584 *exit_status
= EXIT_STDIN
;
2589 /* If delegation is enabled we'll pass ownership of the cgroup
2590 * (but only in systemd's own controller hierarchy!) to the
2591 * user of the new process. */
2592 if (params
->cgroup_path
&& context
->user
&& params
->cgroup_delegate
) {
2593 r
= cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER
, params
->cgroup_path
, 0644, uid
, gid
);
2595 *exit_status
= EXIT_CGROUP
;
2600 r
= cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER
, params
->cgroup_path
, 0755, uid
, gid
);
2602 *exit_status
= EXIT_CGROUP
;
2607 for (dt
= 0; dt
< _EXEC_DIRECTORY_MAX
; dt
++) {
2608 r
= setup_exec_directory(context
, params
, uid
, gid
, dt
, exit_status
);
2613 r
= build_environment(
2625 *exit_status
= EXIT_MEMORY
;
2629 r
= build_pass_environment(context
, &pass_env
);
2631 *exit_status
= EXIT_MEMORY
;
2635 accum_env
= strv_env_merge(5,
2636 params
->environment
,
2639 context
->environment
,
2643 *exit_status
= EXIT_MEMORY
;
2646 accum_env
= strv_env_clean(accum_env
);
2648 (void) umask(context
->umask
);
2650 r
= setup_keyring(unit
, params
, uid
, gid
);
2652 *exit_status
= EXIT_KEYRING
;
2656 needs_exec_restrictions
= (params
->flags
& EXEC_APPLY_PERMISSIONS
) && !(command
->flags
& EXEC_COMMAND_FULLY_PRIVILEGED
);
2658 if (needs_exec_restrictions
) {
2659 if (context
->pam_name
&& username
) {
2660 r
= setup_pam(context
->pam_name
, username
, uid
, gid
, context
->tty_path
, &accum_env
, fds
, n_fds
);
2662 *exit_status
= EXIT_PAM
;
2667 /* MAC enablement checks need to be done before a new mount ns is created, as they rely on /sys being
2668 * present. The actual MAC context application will happen later, as late as possible, to avoid
2669 * impacting our own code paths. */
2672 needs_selinux
= mac_selinux_use();
2676 needs_smack
= mac_smack_use();
2679 #ifdef HAVE_APPARMOR
2680 needs_apparmor
= context
->apparmor_profile
&& mac_apparmor_use();
2685 if (context
->private_network
&& runtime
&& runtime
->netns_storage_socket
[0] >= 0) {
2686 r
= setup_netns(runtime
->netns_storage_socket
);
2688 *exit_status
= EXIT_NETWORK
;
2693 needs_mount_namespace
= exec_needs_mount_namespace(context
, params
, runtime
);
2694 if (needs_mount_namespace
) {
2695 r
= apply_mount_namespace(unit
, command
, context
, params
, runtime
);
2697 *exit_status
= EXIT_NAMESPACE
;
2702 /* Apply just after mount namespace setup */
2703 r
= apply_working_directory(context
, params
, home
, needs_mount_namespace
, exit_status
);
2707 /* Drop groups as early as possbile */
2708 if (needs_exec_restrictions
) {
2709 r
= enforce_groups(context
, gid
, supplementary_gids
, ngids
);
2711 *exit_status
= EXIT_GROUP
;
2717 if (needs_exec_restrictions
&& needs_selinux
&& params
->selinux_context_net
&& socket_fd
>= 0) {
2718 r
= mac_selinux_get_child_mls_label(socket_fd
, command
->path
, context
->selinux_context
, &mac_selinux_context_net
);
2720 *exit_status
= EXIT_SELINUX_CONTEXT
;
2726 if ((params
->flags
& EXEC_APPLY_PERMISSIONS
) && context
->private_users
) {
2727 r
= setup_private_users(uid
, gid
);
2729 *exit_status
= EXIT_USER
;
2734 /* We repeat the fd closing here, to make sure that
2735 * nothing is leaked from the PAM modules. Note that
2736 * we are more aggressive this time since socket_fd
2737 * and the netns fds we don't need anymore. The custom
2738 * endpoint fd was needed to upload the policy and can
2739 * now be closed as well. */
2740 r
= close_all_fds(fds
, n_fds
);
2742 r
= shift_fds(fds
, n_fds
);
2744 r
= flags_fds(fds
, n_storage_fds
, n_socket_fds
, context
->non_blocking
);
2746 *exit_status
= EXIT_FDS
;
2750 if (needs_exec_restrictions
) {
2752 int secure_bits
= context
->secure_bits
;
2754 for (i
= 0; i
< _RLIMIT_MAX
; i
++) {
2756 if (!context
->rlimit
[i
])
2759 r
= setrlimit_closest(i
, context
->rlimit
[i
]);
2761 *exit_status
= EXIT_LIMITS
;
2766 /* Set the RTPRIO resource limit to 0, but only if nothing else was explicitly requested. */
2767 if (context
->restrict_realtime
&& !context
->rlimit
[RLIMIT_RTPRIO
]) {
2768 if (setrlimit(RLIMIT_RTPRIO
, &RLIMIT_MAKE_CONST(0)) < 0) {
2769 *exit_status
= EXIT_LIMITS
;
2774 if (!cap_test_all(context
->capability_bounding_set
)) {
2775 r
= capability_bounding_set_drop(context
->capability_bounding_set
, false);
2777 *exit_status
= EXIT_CAPABILITIES
;
2778 *error_message
= strdup("Failed to drop capabilities");
2783 /* This is done before enforce_user, but ambient set
2784 * does not survive over setresuid() if keep_caps is not set. */
2785 if (context
->capability_ambient_set
!= 0) {
2786 r
= capability_ambient_set_apply(context
->capability_ambient_set
, true);
2788 *exit_status
= EXIT_CAPABILITIES
;
2789 *error_message
= strdup("Failed to apply ambient capabilities (before UID change)");
2794 if (context
->user
) {
2795 r
= enforce_user(context
, uid
);
2797 *exit_status
= EXIT_USER
;
2798 (void) asprintf(error_message
, "Failed to change UID to "UID_FMT
, uid
);
2801 if (context
->capability_ambient_set
!= 0) {
2803 /* Fix the ambient capabilities after user change. */
2804 r
= capability_ambient_set_apply(context
->capability_ambient_set
, false);
2806 *exit_status
= EXIT_CAPABILITIES
;
2807 *error_message
= strdup("Failed to apply ambient capabilities (after UID change)");
2811 /* If we were asked to change user and ambient capabilities
2812 * were requested, we had to add keep-caps to the securebits
2813 * so that we would maintain the inherited capability set
2814 * through the setresuid(). Make sure that the bit is added
2815 * also to the context secure_bits so that we don't try to
2816 * drop the bit away next. */
2818 secure_bits
|= 1<<SECURE_KEEP_CAPS
;
2822 /* Apply the MAC contexts late, but before seccomp syscall filtering, as those should really be last to
2823 * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
2824 * syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
2825 * are restricted. */
2828 if (needs_selinux
) {
2829 char *exec_context
= mac_selinux_context_net
?: context
->selinux_context
;
2832 r
= setexeccon(exec_context
);
2834 *exit_status
= EXIT_SELINUX_CONTEXT
;
2835 (void) asprintf(error_message
, "Failed to set SELinux context to %s", exec_context
);
2844 r
= setup_smack(context
, command
);
2846 *exit_status
= EXIT_SMACK_PROCESS_LABEL
;
2847 *error_message
= strdup("Failed to set SMACK process label");
2853 #ifdef HAVE_APPARMOR
2854 if (needs_apparmor
) {
2855 r
= aa_change_onexec(context
->apparmor_profile
);
2856 if (r
< 0 && !context
->apparmor_profile_ignore
) {
2857 *exit_status
= EXIT_APPARMOR_PROFILE
;
2858 (void) asprintf(error_message
,
2859 "Failed to prepare AppArmor profile change to %s",
2860 context
->apparmor_profile
);
2866 /* PR_GET_SECUREBITS is not privileged, while
2867 * PR_SET_SECUREBITS is. So to suppress
2868 * potential EPERMs we'll try not to call
2869 * PR_SET_SECUREBITS unless necessary. */
2870 if (prctl(PR_GET_SECUREBITS
) != secure_bits
)
2871 if (prctl(PR_SET_SECUREBITS
, secure_bits
) < 0) {
2872 *exit_status
= EXIT_SECUREBITS
;
2873 *error_message
= strdup("Failed to set secure bits");
2877 if (context_has_no_new_privileges(context
))
2878 if (prctl(PR_SET_NO_NEW_PRIVS
, 1, 0, 0, 0) < 0) {
2879 *exit_status
= EXIT_NO_NEW_PRIVILEGES
;
2880 *error_message
= strdup("Failed to disable new privileges");
2885 r
= apply_address_families(unit
, context
);
2887 *exit_status
= EXIT_ADDRESS_FAMILIES
;
2888 *error_message
= strdup("Failed to restrict address families");
2892 r
= apply_memory_deny_write_execute(unit
, context
);
2894 *exit_status
= EXIT_SECCOMP
;
2895 *error_message
= strdup("Failed to disable writing to executable memory");
2899 r
= apply_restrict_realtime(unit
, context
);
2901 *exit_status
= EXIT_SECCOMP
;
2902 *error_message
= strdup("Failed to apply realtime restrictions");
2906 r
= apply_restrict_namespaces(unit
, context
);
2908 *exit_status
= EXIT_SECCOMP
;
2909 *error_message
= strdup("Failed to apply namespace restrictions");
2913 r
= apply_protect_sysctl(unit
, context
);
2915 *exit_status
= EXIT_SECCOMP
;
2916 *error_message
= strdup("Failed to apply sysctl restrictions");
2920 r
= apply_protect_kernel_modules(unit
, context
);
2922 *exit_status
= EXIT_SECCOMP
;
2923 *error_message
= strdup("Failed to apply module loading restrictions");
2927 r
= apply_private_devices(unit
, context
);
2929 *exit_status
= EXIT_SECCOMP
;
2930 *error_message
= strdup("Failed to set up private devices");
2934 r
= apply_syscall_archs(unit
, context
);
2936 *exit_status
= EXIT_SECCOMP
;
2937 *error_message
= strdup("Failed to apply syscall architecture restrictions");
2941 /* This really should remain the last step before the execve(), to make sure our own code is unaffected
2942 * by the filter as little as possible. */
2943 r
= apply_syscall_filter(unit
, context
);
2945 *exit_status
= EXIT_SECCOMP
;
2946 *error_message
= strdup("Failed to apply syscall filters");
2952 final_argv
= replace_env_argv(argv
, accum_env
);
2954 *exit_status
= EXIT_MEMORY
;
2955 *error_message
= strdup("Failed to prepare process arguments");
2959 if (_unlikely_(log_get_max_level() >= LOG_DEBUG
)) {
2960 _cleanup_free_
char *line
;
2962 line
= exec_command_line(final_argv
);
2965 log_struct(LOG_DEBUG
,
2966 "EXECUTABLE=%s", command
->path
,
2967 LOG_UNIT_MESSAGE(unit
, "Executing: %s", line
),
2974 execve(command
->path
, final_argv
, accum_env
);
2975 *exit_status
= EXIT_EXEC
;
2979 int exec_spawn(Unit
*unit
,
2980 ExecCommand
*command
,
2981 const ExecContext
*context
,
2982 const ExecParameters
*params
,
2983 ExecRuntime
*runtime
,
2984 DynamicCreds
*dcreds
,
2987 _cleanup_strv_free_
char **files_env
= NULL
;
2989 unsigned n_storage_fds
= 0, n_socket_fds
= 0;
2990 _cleanup_free_
char *line
= NULL
;
2992 int named_iofds
[3] = { -1, -1, -1 };
3001 assert(params
->fds
|| (params
->n_storage_fds
+ params
->n_socket_fds
<= 0));
3003 if (context
->std_input
== EXEC_INPUT_SOCKET
||
3004 context
->std_output
== EXEC_OUTPUT_SOCKET
||
3005 context
->std_error
== EXEC_OUTPUT_SOCKET
) {
3007 if (params
->n_socket_fds
> 1) {
3008 log_unit_error(unit
, "Got more than one socket.");
3012 if (params
->n_socket_fds
== 0) {
3013 log_unit_error(unit
, "Got no socket.");
3017 socket_fd
= params
->fds
[0];
3021 n_storage_fds
= params
->n_storage_fds
;
3022 n_socket_fds
= params
->n_socket_fds
;
3025 r
= exec_context_named_iofds(unit
, context
, params
, named_iofds
);
3027 return log_unit_error_errno(unit
, r
, "Failed to load a named file descriptor: %m");
3029 r
= exec_context_load_environment(unit
, context
, &files_env
);
3031 return log_unit_error_errno(unit
, r
, "Failed to load environment files: %m");
3033 argv
= params
->argv
?: command
->argv
;
3034 line
= exec_command_line(argv
);
3038 log_struct(LOG_DEBUG
,
3039 LOG_UNIT_MESSAGE(unit
, "About to execute: %s", line
),
3040 "EXECUTABLE=%s", command
->path
,
3045 return log_unit_error_errno(unit
, errno
, "Failed to fork: %m");
3049 _cleanup_free_
char *error_message
= NULL
;
3051 r
= exec_child(unit
,
3064 unit
->manager
->user_lookup_fds
[1],
3070 log_struct_errno(LOG_ERR
, r
,
3071 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR
,
3073 LOG_UNIT_MESSAGE(unit
, "%s: %m",
3075 "EXECUTABLE=%s", command
->path
,
3077 else if (r
== -ENOENT
&& (command
->flags
& EXEC_COMMAND_IGNORE_FAILURE
))
3078 log_struct_errno(LOG_INFO
, r
,
3079 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR
,
3081 LOG_UNIT_MESSAGE(unit
, "Skipped spawning %s: %m",
3083 "EXECUTABLE=%s", command
->path
,
3086 log_struct_errno(LOG_ERR
, r
,
3087 "MESSAGE_ID=" SD_MESSAGE_SPAWN_FAILED_STR
,
3089 LOG_UNIT_MESSAGE(unit
, "Failed at step %s spawning %s: %m",
3090 exit_status_to_string(exit_status
, EXIT_STATUS_SYSTEMD
),
3092 "EXECUTABLE=%s", command
->path
,
3099 log_unit_debug(unit
, "Forked %s as "PID_FMT
, command
->path
, pid
);
3101 /* We add the new process to the cgroup both in the child (so
3102 * that we can be sure that no user code is ever executed
3103 * outside of the cgroup) and in the parent (so that we can be
3104 * sure that when we kill the cgroup the process will be
3106 if (params
->cgroup_path
)
3107 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER
, params
->cgroup_path
, pid
);
3109 exec_status_start(&command
->exec_status
, pid
);
3115 void exec_context_init(ExecContext
*c
) {
3116 ExecDirectoryType i
;
3121 c
->ioprio
= IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE
, 0);
3122 c
->cpu_sched_policy
= SCHED_OTHER
;
3123 c
->syslog_priority
= LOG_DAEMON
|LOG_INFO
;
3124 c
->syslog_level_prefix
= true;
3125 c
->ignore_sigpipe
= true;
3126 c
->timer_slack_nsec
= NSEC_INFINITY
;
3127 c
->personality
= PERSONALITY_INVALID
;
3128 for (i
= 0; i
< _EXEC_DIRECTORY_MAX
; i
++)
3129 c
->directories
[i
].mode
= 0755;
3130 c
->capability_bounding_set
= CAP_ALL
;
3131 c
->restrict_namespaces
= NAMESPACE_FLAGS_ALL
;
3134 void exec_context_done(ExecContext
*c
) {
3136 ExecDirectoryType i
;
3140 c
->environment
= strv_free(c
->environment
);
3141 c
->environment_files
= strv_free(c
->environment_files
);
3142 c
->pass_environment
= strv_free(c
->pass_environment
);
3144 for (l
= 0; l
< ELEMENTSOF(c
->rlimit
); l
++)
3145 c
->rlimit
[l
] = mfree(c
->rlimit
[l
]);
3147 for (l
= 0; l
< 3; l
++)
3148 c
->stdio_fdname
[l
] = mfree(c
->stdio_fdname
[l
]);
3150 c
->working_directory
= mfree(c
->working_directory
);
3151 c
->root_directory
= mfree(c
->root_directory
);
3152 c
->root_image
= mfree(c
->root_image
);
3153 c
->tty_path
= mfree(c
->tty_path
);
3154 c
->syslog_identifier
= mfree(c
->syslog_identifier
);
3155 c
->user
= mfree(c
->user
);
3156 c
->group
= mfree(c
->group
);
3158 c
->supplementary_groups
= strv_free(c
->supplementary_groups
);
3160 c
->pam_name
= mfree(c
->pam_name
);
3162 c
->read_only_paths
= strv_free(c
->read_only_paths
);
3163 c
->read_write_paths
= strv_free(c
->read_write_paths
);
3164 c
->inaccessible_paths
= strv_free(c
->inaccessible_paths
);
3166 bind_mount_free_many(c
->bind_mounts
, c
->n_bind_mounts
);
3169 CPU_FREE(c
->cpuset
);
3171 c
->utmp_id
= mfree(c
->utmp_id
);
3172 c
->selinux_context
= mfree(c
->selinux_context
);
3173 c
->apparmor_profile
= mfree(c
->apparmor_profile
);
3174 c
->smack_process_label
= mfree(c
->smack_process_label
);
3176 c
->syscall_filter
= set_free(c
->syscall_filter
);
3177 c
->syscall_archs
= set_free(c
->syscall_archs
);
3178 c
->address_families
= set_free(c
->address_families
);
3180 for (i
= 0; i
< _EXEC_DIRECTORY_MAX
; i
++)
3181 c
->directories
[i
].paths
= strv_free(c
->directories
[i
].paths
);
3184 int exec_context_destroy_runtime_directory(ExecContext
*c
, const char *runtime_prefix
) {
3189 if (!runtime_prefix
)
3192 STRV_FOREACH(i
, c
->directories
[EXEC_DIRECTORY_RUNTIME
].paths
) {
3193 _cleanup_free_
char *p
;
3195 p
= strjoin(runtime_prefix
, "/", *i
);
3199 /* We execute this synchronously, since we need to be
3200 * sure this is gone when we start the service
3202 (void) rm_rf(p
, REMOVE_ROOT
);
3208 void exec_command_done(ExecCommand
*c
) {
3211 c
->path
= mfree(c
->path
);
3213 c
->argv
= strv_free(c
->argv
);
3216 void exec_command_done_array(ExecCommand
*c
, unsigned n
) {
3219 for (i
= 0; i
< n
; i
++)
3220 exec_command_done(c
+i
);
3223 ExecCommand
* exec_command_free_list(ExecCommand
*c
) {
3227 LIST_REMOVE(command
, c
, i
);
3228 exec_command_done(i
);
3235 void exec_command_free_array(ExecCommand
**c
, unsigned n
) {
3238 for (i
= 0; i
< n
; i
++)
3239 c
[i
] = exec_command_free_list(c
[i
]);
3242 typedef struct InvalidEnvInfo
{
3247 static void invalid_env(const char *p
, void *userdata
) {
3248 InvalidEnvInfo
*info
= userdata
;
3250 log_unit_error(info
->unit
, "Ignoring invalid environment assignment '%s': %s", p
, info
->path
);
3253 const char* exec_context_fdname(const ExecContext
*c
, int fd_index
) {
3258 if (c
->std_input
!= EXEC_INPUT_NAMED_FD
)
3260 return c
->stdio_fdname
[STDIN_FILENO
] ?: "stdin";
3262 if (c
->std_output
!= EXEC_OUTPUT_NAMED_FD
)
3264 return c
->stdio_fdname
[STDOUT_FILENO
] ?: "stdout";
3266 if (c
->std_error
!= EXEC_OUTPUT_NAMED_FD
)
3268 return c
->stdio_fdname
[STDERR_FILENO
] ?: "stderr";
3274 int exec_context_named_iofds(Unit
*unit
, const ExecContext
*c
, const ExecParameters
*p
, int named_iofds
[3]) {
3275 unsigned i
, targets
;
3276 const char* stdio_fdname
[3];
3282 targets
= (c
->std_input
== EXEC_INPUT_NAMED_FD
) +
3283 (c
->std_output
== EXEC_OUTPUT_NAMED_FD
) +
3284 (c
->std_error
== EXEC_OUTPUT_NAMED_FD
);
3286 for (i
= 0; i
< 3; i
++)
3287 stdio_fdname
[i
] = exec_context_fdname(c
, i
);
3289 n_fds
= p
->n_storage_fds
+ p
->n_socket_fds
;
3291 for (i
= 0; i
< n_fds
&& targets
> 0; i
++)
3292 if (named_iofds
[STDIN_FILENO
] < 0 &&
3293 c
->std_input
== EXEC_INPUT_NAMED_FD
&&
3294 stdio_fdname
[STDIN_FILENO
] &&
3295 streq(p
->fd_names
[i
], stdio_fdname
[STDIN_FILENO
])) {
3297 named_iofds
[STDIN_FILENO
] = p
->fds
[i
];
3300 } else if (named_iofds
[STDOUT_FILENO
] < 0 &&
3301 c
->std_output
== EXEC_OUTPUT_NAMED_FD
&&
3302 stdio_fdname
[STDOUT_FILENO
] &&
3303 streq(p
->fd_names
[i
], stdio_fdname
[STDOUT_FILENO
])) {
3305 named_iofds
[STDOUT_FILENO
] = p
->fds
[i
];
3308 } else if (named_iofds
[STDERR_FILENO
] < 0 &&
3309 c
->std_error
== EXEC_OUTPUT_NAMED_FD
&&
3310 stdio_fdname
[STDERR_FILENO
] &&
3311 streq(p
->fd_names
[i
], stdio_fdname
[STDERR_FILENO
])) {
3313 named_iofds
[STDERR_FILENO
] = p
->fds
[i
];
3317 return targets
== 0 ? 0 : -ENOENT
;
3320 int exec_context_load_environment(Unit
*unit
, const ExecContext
*c
, char ***l
) {
3321 char **i
, **r
= NULL
;
3326 STRV_FOREACH(i
, c
->environment_files
) {
3330 bool ignore
= false;
3332 _cleanup_globfree_ glob_t pglob
= {};
3341 if (!path_is_absolute(fn
)) {
3349 /* Filename supports globbing, take all matching files */
3350 k
= safe_glob(fn
, 0, &pglob
);
3359 /* When we don't match anything, -ENOENT should be returned */
3360 assert(pglob
.gl_pathc
> 0);
3362 for (n
= 0; n
< pglob
.gl_pathc
; n
++) {
3363 k
= load_env_file(NULL
, pglob
.gl_pathv
[n
], NULL
, &p
);
3371 /* Log invalid environment variables with filename */
3373 InvalidEnvInfo info
= {
3375 .path
= pglob
.gl_pathv
[n
]
3378 p
= strv_env_clean_with_callback(p
, invalid_env
, &info
);
3386 m
= strv_env_merge(2, r
, p
);
3402 static bool tty_may_match_dev_console(const char *tty
) {
3403 _cleanup_free_
char *active
= NULL
;
3409 if (startswith(tty
, "/dev/"))
3412 /* trivial identity? */
3413 if (streq(tty
, "console"))
3416 console
= resolve_dev_console(&active
);
3417 /* if we could not resolve, assume it may */
3421 /* "tty0" means the active VC, so it may be the same sometimes */
3422 return streq(console
, tty
) || (streq(console
, "tty0") && tty_is_vc(tty
));
3425 bool exec_context_may_touch_console(ExecContext
*ec
) {
3427 return (ec
->tty_reset
||
3429 ec
->tty_vt_disallocate
||
3430 is_terminal_input(ec
->std_input
) ||
3431 is_terminal_output(ec
->std_output
) ||
3432 is_terminal_output(ec
->std_error
)) &&
3433 tty_may_match_dev_console(exec_context_tty_path(ec
));
3436 static void strv_fprintf(FILE *f
, char **l
) {
3442 fprintf(f
, " %s", *g
);
3445 void exec_context_dump(ExecContext
*c
, FILE* f
, const char *prefix
) {
3448 ExecDirectoryType dt
;
3454 prefix
= strempty(prefix
);
3458 "%sWorkingDirectory: %s\n"
3459 "%sRootDirectory: %s\n"
3460 "%sNonBlocking: %s\n"
3461 "%sPrivateTmp: %s\n"
3462 "%sPrivateDevices: %s\n"
3463 "%sProtectKernelTunables: %s\n"
3464 "%sProtectKernelModules: %s\n"
3465 "%sProtectControlGroups: %s\n"
3466 "%sPrivateNetwork: %s\n"
3467 "%sPrivateUsers: %s\n"
3468 "%sProtectHome: %s\n"
3469 "%sProtectSystem: %s\n"
3470 "%sMountAPIVFS: %s\n"
3471 "%sIgnoreSIGPIPE: %s\n"
3472 "%sMemoryDenyWriteExecute: %s\n"
3473 "%sRestrictRealtime: %s\n",
3475 prefix
, c
->working_directory
? c
->working_directory
: "/",
3476 prefix
, c
->root_directory
? c
->root_directory
: "/",
3477 prefix
, yes_no(c
->non_blocking
),
3478 prefix
, yes_no(c
->private_tmp
),
3479 prefix
, yes_no(c
->private_devices
),
3480 prefix
, yes_no(c
->protect_kernel_tunables
),
3481 prefix
, yes_no(c
->protect_kernel_modules
),
3482 prefix
, yes_no(c
->protect_control_groups
),
3483 prefix
, yes_no(c
->private_network
),
3484 prefix
, yes_no(c
->private_users
),
3485 prefix
, protect_home_to_string(c
->protect_home
),
3486 prefix
, protect_system_to_string(c
->protect_system
),
3487 prefix
, yes_no(c
->mount_apivfs
),
3488 prefix
, yes_no(c
->ignore_sigpipe
),
3489 prefix
, yes_no(c
->memory_deny_write_execute
),
3490 prefix
, yes_no(c
->restrict_realtime
));
3493 fprintf(f
, "%sRootImage: %s\n", prefix
, c
->root_image
);
3495 STRV_FOREACH(e
, c
->environment
)
3496 fprintf(f
, "%sEnvironment: %s\n", prefix
, *e
);
3498 STRV_FOREACH(e
, c
->environment_files
)
3499 fprintf(f
, "%sEnvironmentFile: %s\n", prefix
, *e
);
3501 STRV_FOREACH(e
, c
->pass_environment
)
3502 fprintf(f
, "%sPassEnvironment: %s\n", prefix
, *e
);
3504 fprintf(f
, "%sRuntimeDirectoryPreserve: %s\n", prefix
, exec_preserve_mode_to_string(c
->runtime_directory_preserve_mode
));
3506 for (dt
= 0; dt
< _EXEC_DIRECTORY_MAX
; dt
++) {
3507 fprintf(f
, "%s%sMode: %04o\n", prefix
, exec_directory_type_to_string(dt
), c
->directories
[dt
].mode
);
3509 STRV_FOREACH(d
, c
->directories
[dt
].paths
)
3510 fprintf(f
, "%s%s: %s\n", prefix
, exec_directory_type_to_string(dt
), *d
);
3518 if (c
->oom_score_adjust_set
)
3520 "%sOOMScoreAdjust: %i\n",
3521 prefix
, c
->oom_score_adjust
);
3523 for (i
= 0; i
< RLIM_NLIMITS
; i
++)
3525 fprintf(f
, "%s%s: " RLIM_FMT
"\n",
3526 prefix
, rlimit_to_string(i
), c
->rlimit
[i
]->rlim_max
);
3527 fprintf(f
, "%s%sSoft: " RLIM_FMT
"\n",
3528 prefix
, rlimit_to_string(i
), c
->rlimit
[i
]->rlim_cur
);
3531 if (c
->ioprio_set
) {
3532 _cleanup_free_
char *class_str
= NULL
;
3534 r
= ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c
->ioprio
), &class_str
);
3536 fprintf(f
, "%sIOSchedulingClass: %s\n", prefix
, class_str
);
3538 fprintf(f
, "%sIOPriority: %lu\n", prefix
, IOPRIO_PRIO_DATA(c
->ioprio
));
3541 if (c
->cpu_sched_set
) {
3542 _cleanup_free_
char *policy_str
= NULL
;
3544 r
= sched_policy_to_string_alloc(c
->cpu_sched_policy
, &policy_str
);
3546 fprintf(f
, "%sCPUSchedulingPolicy: %s\n", prefix
, policy_str
);
3549 "%sCPUSchedulingPriority: %i\n"
3550 "%sCPUSchedulingResetOnFork: %s\n",
3551 prefix
, c
->cpu_sched_priority
,
3552 prefix
, yes_no(c
->cpu_sched_reset_on_fork
));
3556 fprintf(f
, "%sCPUAffinity:", prefix
);
3557 for (i
= 0; i
< c
->cpuset_ncpus
; i
++)
3558 if (CPU_ISSET_S(i
, CPU_ALLOC_SIZE(c
->cpuset_ncpus
), c
->cpuset
))
3559 fprintf(f
, " %u", i
);
3563 if (c
->timer_slack_nsec
!= NSEC_INFINITY
)
3564 fprintf(f
, "%sTimerSlackNSec: "NSEC_FMT
"\n", prefix
, c
->timer_slack_nsec
);
3567 "%sStandardInput: %s\n"
3568 "%sStandardOutput: %s\n"
3569 "%sStandardError: %s\n",
3570 prefix
, exec_input_to_string(c
->std_input
),
3571 prefix
, exec_output_to_string(c
->std_output
),
3572 prefix
, exec_output_to_string(c
->std_error
));
3578 "%sTTYVHangup: %s\n"
3579 "%sTTYVTDisallocate: %s\n",
3580 prefix
, c
->tty_path
,
3581 prefix
, yes_no(c
->tty_reset
),
3582 prefix
, yes_no(c
->tty_vhangup
),
3583 prefix
, yes_no(c
->tty_vt_disallocate
));
3585 if (c
->std_output
== EXEC_OUTPUT_SYSLOG
||
3586 c
->std_output
== EXEC_OUTPUT_KMSG
||
3587 c
->std_output
== EXEC_OUTPUT_JOURNAL
||
3588 c
->std_output
== EXEC_OUTPUT_SYSLOG_AND_CONSOLE
||
3589 c
->std_output
== EXEC_OUTPUT_KMSG_AND_CONSOLE
||
3590 c
->std_output
== EXEC_OUTPUT_JOURNAL_AND_CONSOLE
||
3591 c
->std_error
== EXEC_OUTPUT_SYSLOG
||
3592 c
->std_error
== EXEC_OUTPUT_KMSG
||
3593 c
->std_error
== EXEC_OUTPUT_JOURNAL
||
3594 c
->std_error
== EXEC_OUTPUT_SYSLOG_AND_CONSOLE
||
3595 c
->std_error
== EXEC_OUTPUT_KMSG_AND_CONSOLE
||
3596 c
->std_error
== EXEC_OUTPUT_JOURNAL_AND_CONSOLE
) {
3598 _cleanup_free_
char *fac_str
= NULL
, *lvl_str
= NULL
;
3600 r
= log_facility_unshifted_to_string_alloc(c
->syslog_priority
>> 3, &fac_str
);
3602 fprintf(f
, "%sSyslogFacility: %s\n", prefix
, fac_str
);
3604 r
= log_level_to_string_alloc(LOG_PRI(c
->syslog_priority
), &lvl_str
);
3606 fprintf(f
, "%sSyslogLevel: %s\n", prefix
, lvl_str
);
3609 if (c
->secure_bits
) {
3610 _cleanup_free_
char *str
= NULL
;
3612 r
= secure_bits_to_string_alloc(c
->secure_bits
, &str
);
3614 fprintf(f
, "%sSecure Bits: %s\n", prefix
, str
);
3617 if (c
->capability_bounding_set
!= CAP_ALL
) {
3618 _cleanup_free_
char *str
= NULL
;
3620 r
= capability_set_to_string_alloc(c
->capability_bounding_set
, &str
);
3622 fprintf(f
, "%sCapabilityBoundingSet: %s\n", prefix
, str
);
3625 if (c
->capability_ambient_set
!= 0) {
3626 _cleanup_free_
char *str
= NULL
;
3628 r
= capability_set_to_string_alloc(c
->capability_ambient_set
, &str
);
3630 fprintf(f
, "%sAmbientCapabilities: %s\n", prefix
, str
);
3634 fprintf(f
, "%sUser: %s\n", prefix
, c
->user
);
3636 fprintf(f
, "%sGroup: %s\n", prefix
, c
->group
);
3638 fprintf(f
, "%sDynamicUser: %s\n", prefix
, yes_no(c
->dynamic_user
));
3640 if (strv_length(c
->supplementary_groups
) > 0) {
3641 fprintf(f
, "%sSupplementaryGroups:", prefix
);
3642 strv_fprintf(f
, c
->supplementary_groups
);
3647 fprintf(f
, "%sPAMName: %s\n", prefix
, c
->pam_name
);
3649 if (strv_length(c
->read_write_paths
) > 0) {
3650 fprintf(f
, "%sReadWritePaths:", prefix
);
3651 strv_fprintf(f
, c
->read_write_paths
);
3655 if (strv_length(c
->read_only_paths
) > 0) {
3656 fprintf(f
, "%sReadOnlyPaths:", prefix
);
3657 strv_fprintf(f
, c
->read_only_paths
);
3661 if (strv_length(c
->inaccessible_paths
) > 0) {
3662 fprintf(f
, "%sInaccessiblePaths:", prefix
);
3663 strv_fprintf(f
, c
->inaccessible_paths
);
3667 if (c
->n_bind_mounts
> 0)
3668 for (i
= 0; i
< c
->n_bind_mounts
; i
++) {
3669 fprintf(f
, "%s%s: %s:%s:%s\n", prefix
,
3670 c
->bind_mounts
[i
].read_only
? "BindReadOnlyPaths" : "BindPaths",
3671 c
->bind_mounts
[i
].source
,
3672 c
->bind_mounts
[i
].destination
,
3673 c
->bind_mounts
[i
].recursive
? "rbind" : "norbind");
3678 "%sUtmpIdentifier: %s\n",
3679 prefix
, c
->utmp_id
);
3681 if (c
->selinux_context
)
3683 "%sSELinuxContext: %s%s\n",
3684 prefix
, c
->selinux_context_ignore
? "-" : "", c
->selinux_context
);
3686 if (c
->apparmor_profile
)
3688 "%sAppArmorProfile: %s%s\n",
3689 prefix
, c
->apparmor_profile_ignore
? "-" : "", c
->apparmor_profile
);
3691 if (c
->smack_process_label
)
3693 "%sSmackProcessLabel: %s%s\n",
3694 prefix
, c
->smack_process_label_ignore
? "-" : "", c
->smack_process_label
);
3696 if (c
->personality
!= PERSONALITY_INVALID
)
3698 "%sPersonality: %s\n",
3699 prefix
, strna(personality_to_string(c
->personality
)));
3701 if (c
->syscall_filter
) {
3709 "%sSystemCallFilter: ",
3712 if (!c
->syscall_whitelist
)
3716 SET_FOREACH(id
, c
->syscall_filter
, j
) {
3717 _cleanup_free_
char *name
= NULL
;
3724 name
= seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE
, PTR_TO_INT(id
) - 1);
3725 fputs(strna(name
), f
);
3732 if (c
->syscall_archs
) {
3739 "%sSystemCallArchitectures:",
3743 SET_FOREACH(id
, c
->syscall_archs
, j
)
3744 fprintf(f
, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id
) - 1)));
3749 if (exec_context_restrict_namespaces_set(c
)) {
3750 _cleanup_free_
char *s
= NULL
;
3752 r
= namespace_flag_to_string_many(c
->restrict_namespaces
, &s
);
3754 fprintf(f
, "%sRestrictNamespaces: %s\n",
3758 if (c
->syscall_errno
> 0)
3760 "%sSystemCallErrorNumber: %s\n",
3761 prefix
, strna(errno_to_name(c
->syscall_errno
)));
3763 if (c
->apparmor_profile
)
3765 "%sAppArmorProfile: %s%s\n",
3766 prefix
, c
->apparmor_profile_ignore
? "-" : "", c
->apparmor_profile
);
3769 bool exec_context_maintains_privileges(ExecContext
*c
) {
3772 /* Returns true if the process forked off would run under
3773 * an unchanged UID or as root. */
3778 if (streq(c
->user
, "root") || streq(c
->user
, "0"))
3784 int exec_context_get_effective_ioprio(ExecContext
*c
) {
3792 p
= ioprio_get(IOPRIO_WHO_PROCESS
, 0);
3794 return IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE
, 4);
3799 void exec_status_start(ExecStatus
*s
, pid_t pid
) {
3804 dual_timestamp_get(&s
->start_timestamp
);
3807 void exec_status_exit(ExecStatus
*s
, ExecContext
*context
, pid_t pid
, int code
, int status
) {
3810 if (s
->pid
&& s
->pid
!= pid
)
3814 dual_timestamp_get(&s
->exit_timestamp
);
3820 if (context
->utmp_id
)
3821 utmp_put_dead_process(context
->utmp_id
, pid
, code
, status
);
3823 exec_context_tty_reset(context
, NULL
);
3827 void exec_status_dump(ExecStatus
*s
, FILE *f
, const char *prefix
) {
3828 char buf
[FORMAT_TIMESTAMP_MAX
];
3836 prefix
= strempty(prefix
);
3839 "%sPID: "PID_FMT
"\n",
3842 if (dual_timestamp_is_set(&s
->start_timestamp
))
3844 "%sStart Timestamp: %s\n",
3845 prefix
, format_timestamp(buf
, sizeof(buf
), s
->start_timestamp
.realtime
));
3847 if (dual_timestamp_is_set(&s
->exit_timestamp
))
3849 "%sExit Timestamp: %s\n"
3851 "%sExit Status: %i\n",
3852 prefix
, format_timestamp(buf
, sizeof(buf
), s
->exit_timestamp
.realtime
),
3853 prefix
, sigchld_code_to_string(s
->code
),
3857 char *exec_command_line(char **argv
) {
3865 STRV_FOREACH(a
, argv
)
3873 STRV_FOREACH(a
, argv
) {
3880 if (strpbrk(*a
, WHITESPACE
)) {
3891 /* FIXME: this doesn't really handle arguments that have
3892 * spaces and ticks in them */
3897 void exec_command_dump(ExecCommand
*c
, FILE *f
, const char *prefix
) {
3898 _cleanup_free_
char *cmd
= NULL
;
3899 const char *prefix2
;
3904 prefix
= strempty(prefix
);
3905 prefix2
= strjoina(prefix
, "\t");
3907 cmd
= exec_command_line(c
->argv
);
3909 "%sCommand Line: %s\n",
3910 prefix
, cmd
? cmd
: strerror(ENOMEM
));
3912 exec_status_dump(&c
->exec_status
, f
, prefix2
);
3915 void exec_command_dump_list(ExecCommand
*c
, FILE *f
, const char *prefix
) {
3918 prefix
= strempty(prefix
);
3920 LIST_FOREACH(command
, c
, c
)
3921 exec_command_dump(c
, f
, prefix
);
3924 void exec_command_append_list(ExecCommand
**l
, ExecCommand
*e
) {
3931 /* It's kind of important, that we keep the order here */
3932 LIST_FIND_TAIL(command
, *l
, end
);
3933 LIST_INSERT_AFTER(command
, *l
, end
, e
);
3938 int exec_command_set(ExecCommand
*c
, const char *path
, ...) {
3946 l
= strv_new_ap(path
, ap
);
3967 int exec_command_append(ExecCommand
*c
, const char *path
, ...) {
3968 _cleanup_strv_free_
char **l
= NULL
;
3976 l
= strv_new_ap(path
, ap
);
3982 r
= strv_extend_strv(&c
->argv
, l
, false);
3990 static int exec_runtime_allocate(ExecRuntime
**rt
) {
3995 *rt
= new0(ExecRuntime
, 1);
4000 (*rt
)->netns_storage_socket
[0] = (*rt
)->netns_storage_socket
[1] = -1;
4005 int exec_runtime_make(ExecRuntime
**rt
, ExecContext
*c
, const char *id
) {
4015 if (!c
->private_network
&& !c
->private_tmp
)
4018 r
= exec_runtime_allocate(rt
);
4022 if (c
->private_network
&& (*rt
)->netns_storage_socket
[0] < 0) {
4023 if (socketpair(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
, 0, (*rt
)->netns_storage_socket
) < 0)
4027 if (c
->private_tmp
&& !(*rt
)->tmp_dir
) {
4028 r
= setup_tmp_dirs(id
, &(*rt
)->tmp_dir
, &(*rt
)->var_tmp_dir
);
4036 ExecRuntime
*exec_runtime_ref(ExecRuntime
*r
) {
4038 assert(r
->n_ref
> 0);
4044 ExecRuntime
*exec_runtime_unref(ExecRuntime
*r
) {
4049 assert(r
->n_ref
> 0);
4056 free(r
->var_tmp_dir
);
4057 safe_close_pair(r
->netns_storage_socket
);
4061 int exec_runtime_serialize(Unit
*u
, ExecRuntime
*rt
, FILE *f
, FDSet
*fds
) {
4070 unit_serialize_item(u
, f
, "tmp-dir", rt
->tmp_dir
);
4072 if (rt
->var_tmp_dir
)
4073 unit_serialize_item(u
, f
, "var-tmp-dir", rt
->var_tmp_dir
);
4075 if (rt
->netns_storage_socket
[0] >= 0) {
4078 copy
= fdset_put_dup(fds
, rt
->netns_storage_socket
[0]);
4082 unit_serialize_item_format(u
, f
, "netns-socket-0", "%i", copy
);
4085 if (rt
->netns_storage_socket
[1] >= 0) {
4088 copy
= fdset_put_dup(fds
, rt
->netns_storage_socket
[1]);
4092 unit_serialize_item_format(u
, f
, "netns-socket-1", "%i", copy
);
4098 int exec_runtime_deserialize_item(Unit
*u
, ExecRuntime
**rt
, const char *key
, const char *value
, FDSet
*fds
) {
4105 if (streq(key
, "tmp-dir")) {
4108 r
= exec_runtime_allocate(rt
);
4112 copy
= strdup(value
);
4116 free((*rt
)->tmp_dir
);
4117 (*rt
)->tmp_dir
= copy
;
4119 } else if (streq(key
, "var-tmp-dir")) {
4122 r
= exec_runtime_allocate(rt
);
4126 copy
= strdup(value
);
4130 free((*rt
)->var_tmp_dir
);
4131 (*rt
)->var_tmp_dir
= copy
;
4133 } else if (streq(key
, "netns-socket-0")) {
4136 r
= exec_runtime_allocate(rt
);
4140 if (safe_atoi(value
, &fd
) < 0 || !fdset_contains(fds
, fd
))
4141 log_unit_debug(u
, "Failed to parse netns socket value: %s", value
);
4143 safe_close((*rt
)->netns_storage_socket
[0]);
4144 (*rt
)->netns_storage_socket
[0] = fdset_remove(fds
, fd
);
4146 } else if (streq(key
, "netns-socket-1")) {
4149 r
= exec_runtime_allocate(rt
);
4153 if (safe_atoi(value
, &fd
) < 0 || !fdset_contains(fds
, fd
))
4154 log_unit_debug(u
, "Failed to parse netns socket value: %s", value
);
4156 safe_close((*rt
)->netns_storage_socket
[1]);
4157 (*rt
)->netns_storage_socket
[1] = fdset_remove(fds
, fd
);
4165 static void *remove_tmpdir_thread(void *p
) {
4166 _cleanup_free_
char *path
= p
;
4168 (void) rm_rf(path
, REMOVE_ROOT
|REMOVE_PHYSICAL
);
4172 void exec_runtime_destroy(ExecRuntime
*rt
) {
4178 /* If there are multiple users of this, let's leave the stuff around */
4183 log_debug("Spawning thread to nuke %s", rt
->tmp_dir
);
4185 r
= asynchronous_job(remove_tmpdir_thread
, rt
->tmp_dir
);
4187 log_warning_errno(r
, "Failed to nuke %s: %m", rt
->tmp_dir
);
4194 if (rt
->var_tmp_dir
) {
4195 log_debug("Spawning thread to nuke %s", rt
->var_tmp_dir
);
4197 r
= asynchronous_job(remove_tmpdir_thread
, rt
->var_tmp_dir
);
4199 log_warning_errno(r
, "Failed to nuke %s: %m", rt
->var_tmp_dir
);
4200 free(rt
->var_tmp_dir
);
4203 rt
->var_tmp_dir
= NULL
;
4206 safe_close_pair(rt
->netns_storage_socket
);
4209 static const char* const exec_input_table
[_EXEC_INPUT_MAX
] = {
4210 [EXEC_INPUT_NULL
] = "null",
4211 [EXEC_INPUT_TTY
] = "tty",
4212 [EXEC_INPUT_TTY_FORCE
] = "tty-force",
4213 [EXEC_INPUT_TTY_FAIL
] = "tty-fail",
4214 [EXEC_INPUT_SOCKET
] = "socket",
4215 [EXEC_INPUT_NAMED_FD
] = "fd",
4218 DEFINE_STRING_TABLE_LOOKUP(exec_input
, ExecInput
);
4220 static const char* const exec_output_table
[_EXEC_OUTPUT_MAX
] = {
4221 [EXEC_OUTPUT_INHERIT
] = "inherit",
4222 [EXEC_OUTPUT_NULL
] = "null",
4223 [EXEC_OUTPUT_TTY
] = "tty",
4224 [EXEC_OUTPUT_SYSLOG
] = "syslog",
4225 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE
] = "syslog+console",
4226 [EXEC_OUTPUT_KMSG
] = "kmsg",
4227 [EXEC_OUTPUT_KMSG_AND_CONSOLE
] = "kmsg+console",
4228 [EXEC_OUTPUT_JOURNAL
] = "journal",
4229 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE
] = "journal+console",
4230 [EXEC_OUTPUT_SOCKET
] = "socket",
4231 [EXEC_OUTPUT_NAMED_FD
] = "fd",
4234 DEFINE_STRING_TABLE_LOOKUP(exec_output
, ExecOutput
);
4236 static const char* const exec_utmp_mode_table
[_EXEC_UTMP_MODE_MAX
] = {
4237 [EXEC_UTMP_INIT
] = "init",
4238 [EXEC_UTMP_LOGIN
] = "login",
4239 [EXEC_UTMP_USER
] = "user",
4242 DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode
, ExecUtmpMode
);
4244 static const char* const exec_preserve_mode_table
[_EXEC_PRESERVE_MODE_MAX
] = {
4245 [EXEC_PRESERVE_NO
] = "no",
4246 [EXEC_PRESERVE_YES
] = "yes",
4247 [EXEC_PRESERVE_RESTART
] = "restart",
4250 DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(exec_preserve_mode
, ExecPreserveMode
, EXEC_PRESERVE_YES
);
4252 static const char* const exec_directory_type_table
[_EXEC_DIRECTORY_MAX
] = {
4253 [EXEC_DIRECTORY_RUNTIME
] = "RuntimeDirectory",
4254 [EXEC_DIRECTORY_STATE
] = "StateDirectory",
4255 [EXEC_DIRECTORY_CACHE
] = "CacheDirectory",
4256 [EXEC_DIRECTORY_LOGS
] = "LogsDirectory",
4257 [EXEC_DIRECTORY_CONFIGURATION
] = "ConfigurationDirectory",
4260 DEFINE_STRING_TABLE_LOOKUP(exec_directory_type
, ExecDirectoryType
);