]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/execute.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #1358 from jengelh/master
[thirdparty/systemd.git] / src / core / execute.c
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2
3 /***
4 This file is part of systemd.
5
6 Copyright 2010 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
17
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 ***/
21
22 #include <errno.h>
23 #include <fcntl.h>
24 #include <unistd.h>
25 #include <string.h>
26 #include <signal.h>
27 #include <sys/socket.h>
28 #include <sys/un.h>
29 #include <sys/prctl.h>
30 #include <sys/stat.h>
31 #include <grp.h>
32 #include <poll.h>
33 #include <glob.h>
34 #include <utmpx.h>
35 #include <sys/personality.h>
36
37 #ifdef HAVE_PAM
38 #include <security/pam_appl.h>
39 #endif
40
41 #ifdef HAVE_SELINUX
42 #include <selinux/selinux.h>
43 #endif
44
45 #ifdef HAVE_SECCOMP
46 #include <seccomp.h>
47 #endif
48
49 #ifdef HAVE_APPARMOR
50 #include <sys/apparmor.h>
51 #endif
52
53 #include "sd-messages.h"
54 #include "rm-rf.h"
55 #include "strv.h"
56 #include "macro.h"
57 #include "capability.h"
58 #include "util.h"
59 #include "log.h"
60 #include "ioprio.h"
61 #include "securebits.h"
62 #include "namespace.h"
63 #include "exit-status.h"
64 #include "missing.h"
65 #include "utmp-wtmp.h"
66 #include "def.h"
67 #include "path-util.h"
68 #include "env-util.h"
69 #include "fileio.h"
70 #include "unit.h"
71 #include "async.h"
72 #include "selinux-util.h"
73 #include "errno-list.h"
74 #include "af-list.h"
75 #include "mkdir.h"
76 #include "smack-util.h"
77 #include "bus-endpoint.h"
78 #include "cap-list.h"
79 #include "formats-util.h"
80 #include "process-util.h"
81 #include "terminal-util.h"
82 #include "signal-util.h"
83
84 #ifdef HAVE_APPARMOR
85 #include "apparmor-util.h"
86 #endif
87
88 #ifdef HAVE_SECCOMP
89 #include "seccomp-util.h"
90 #endif
91
92 #include "execute.h"
93
94 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
95 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
96
97 /* This assumes there is a 'tty' group */
98 #define TTY_MODE 0620
99
100 #define SNDBUF_SIZE (8*1024*1024)
101
102 static int shift_fds(int fds[], unsigned n_fds) {
103 int start, restart_from;
104
105 if (n_fds <= 0)
106 return 0;
107
108 /* Modifies the fds array! (sorts it) */
109
110 assert(fds);
111
112 start = 0;
113 for (;;) {
114 int i;
115
116 restart_from = -1;
117
118 for (i = start; i < (int) n_fds; i++) {
119 int nfd;
120
121 /* Already at right index? */
122 if (fds[i] == i+3)
123 continue;
124
125 nfd = fcntl(fds[i], F_DUPFD, i + 3);
126 if (nfd < 0)
127 return -errno;
128
129 safe_close(fds[i]);
130 fds[i] = nfd;
131
132 /* Hmm, the fd we wanted isn't free? Then
133 * let's remember that and try again from here */
134 if (nfd != i+3 && restart_from < 0)
135 restart_from = i;
136 }
137
138 if (restart_from < 0)
139 break;
140
141 start = restart_from;
142 }
143
144 return 0;
145 }
146
147 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
148 unsigned i;
149 int r;
150
151 if (n_fds <= 0)
152 return 0;
153
154 assert(fds);
155
156 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
157
158 for (i = 0; i < n_fds; i++) {
159
160 r = fd_nonblock(fds[i], nonblock);
161 if (r < 0)
162 return r;
163
164 /* We unconditionally drop FD_CLOEXEC from the fds,
165 * since after all we want to pass these fds to our
166 * children */
167
168 r = fd_cloexec(fds[i], false);
169 if (r < 0)
170 return r;
171 }
172
173 return 0;
174 }
175
176 _pure_ static const char *tty_path(const ExecContext *context) {
177 assert(context);
178
179 if (context->tty_path)
180 return context->tty_path;
181
182 return "/dev/console";
183 }
184
185 static void exec_context_tty_reset(const ExecContext *context) {
186 assert(context);
187
188 if (context->tty_vhangup)
189 terminal_vhangup(tty_path(context));
190
191 if (context->tty_reset)
192 reset_terminal(tty_path(context));
193
194 if (context->tty_vt_disallocate && context->tty_path)
195 vt_disallocate(context->tty_path);
196 }
197
198 static bool is_terminal_output(ExecOutput o) {
199 return
200 o == EXEC_OUTPUT_TTY ||
201 o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
202 o == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
203 o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE;
204 }
205
206 static int open_null_as(int flags, int nfd) {
207 int fd, r;
208
209 assert(nfd >= 0);
210
211 fd = open("/dev/null", flags|O_NOCTTY);
212 if (fd < 0)
213 return -errno;
214
215 if (fd != nfd) {
216 r = dup2(fd, nfd) < 0 ? -errno : nfd;
217 safe_close(fd);
218 } else
219 r = nfd;
220
221 return r;
222 }
223
224 static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
225 union sockaddr_union sa = {
226 .un.sun_family = AF_UNIX,
227 .un.sun_path = "/run/systemd/journal/stdout",
228 };
229 uid_t olduid = UID_INVALID;
230 gid_t oldgid = GID_INVALID;
231 int r;
232
233 if (gid != GID_INVALID) {
234 oldgid = getgid();
235
236 r = setegid(gid);
237 if (r < 0)
238 return -errno;
239 }
240
241 if (uid != UID_INVALID) {
242 olduid = getuid();
243
244 r = seteuid(uid);
245 if (r < 0) {
246 r = -errno;
247 goto restore_gid;
248 }
249 }
250
251 r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path));
252 if (r < 0)
253 r = -errno;
254
255 /* If we fail to restore the uid or gid, things will likely
256 fail later on. This should only happen if an LSM interferes. */
257
258 if (uid != UID_INVALID)
259 (void) seteuid(olduid);
260
261 restore_gid:
262 if (gid != GID_INVALID)
263 (void) setegid(oldgid);
264
265 return r;
266 }
267
268 static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd, uid_t uid, gid_t gid) {
269 int fd, r;
270
271 assert(context);
272 assert(output < _EXEC_OUTPUT_MAX);
273 assert(ident);
274 assert(nfd >= 0);
275
276 fd = socket(AF_UNIX, SOCK_STREAM, 0);
277 if (fd < 0)
278 return -errno;
279
280 r = connect_journal_socket(fd, uid, gid);
281 if (r < 0)
282 return r;
283
284 if (shutdown(fd, SHUT_RD) < 0) {
285 safe_close(fd);
286 return -errno;
287 }
288
289 fd_inc_sndbuf(fd, SNDBUF_SIZE);
290
291 dprintf(fd,
292 "%s\n"
293 "%s\n"
294 "%i\n"
295 "%i\n"
296 "%i\n"
297 "%i\n"
298 "%i\n",
299 context->syslog_identifier ? context->syslog_identifier : ident,
300 unit_id,
301 context->syslog_priority,
302 !!context->syslog_level_prefix,
303 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
304 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
305 is_terminal_output(output));
306
307 if (fd != nfd) {
308 r = dup2(fd, nfd) < 0 ? -errno : nfd;
309 safe_close(fd);
310 } else
311 r = nfd;
312
313 return r;
314 }
315 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
316 int fd, r;
317
318 assert(path);
319 assert(nfd >= 0);
320
321 fd = open_terminal(path, mode | O_NOCTTY);
322 if (fd < 0)
323 return fd;
324
325 if (fd != nfd) {
326 r = dup2(fd, nfd) < 0 ? -errno : nfd;
327 safe_close(fd);
328 } else
329 r = nfd;
330
331 return r;
332 }
333
334 static bool is_terminal_input(ExecInput i) {
335 return
336 i == EXEC_INPUT_TTY ||
337 i == EXEC_INPUT_TTY_FORCE ||
338 i == EXEC_INPUT_TTY_FAIL;
339 }
340
341 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
342
343 if (is_terminal_input(std_input) && !apply_tty_stdin)
344 return EXEC_INPUT_NULL;
345
346 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
347 return EXEC_INPUT_NULL;
348
349 return std_input;
350 }
351
352 static int fixup_output(ExecOutput std_output, int socket_fd) {
353
354 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
355 return EXEC_OUTPUT_INHERIT;
356
357 return std_output;
358 }
359
360 static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty_stdin) {
361 ExecInput i;
362
363 assert(context);
364
365 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
366
367 switch (i) {
368
369 case EXEC_INPUT_NULL:
370 return open_null_as(O_RDONLY, STDIN_FILENO);
371
372 case EXEC_INPUT_TTY:
373 case EXEC_INPUT_TTY_FORCE:
374 case EXEC_INPUT_TTY_FAIL: {
375 int fd, r;
376
377 fd = acquire_terminal(tty_path(context),
378 i == EXEC_INPUT_TTY_FAIL,
379 i == EXEC_INPUT_TTY_FORCE,
380 false,
381 USEC_INFINITY);
382 if (fd < 0)
383 return fd;
384
385 if (fd != STDIN_FILENO) {
386 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
387 safe_close(fd);
388 } else
389 r = STDIN_FILENO;
390
391 return r;
392 }
393
394 case EXEC_INPUT_SOCKET:
395 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
396
397 default:
398 assert_not_reached("Unknown input type");
399 }
400 }
401
402 static int setup_output(Unit *unit, const ExecContext *context, int fileno, int socket_fd, const char *ident, bool apply_tty_stdin, uid_t uid, gid_t gid) {
403 ExecOutput o;
404 ExecInput i;
405 int r;
406
407 assert(unit);
408 assert(context);
409 assert(ident);
410
411 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
412 o = fixup_output(context->std_output, socket_fd);
413
414 if (fileno == STDERR_FILENO) {
415 ExecOutput e;
416 e = fixup_output(context->std_error, socket_fd);
417
418 /* This expects the input and output are already set up */
419
420 /* Don't change the stderr file descriptor if we inherit all
421 * the way and are not on a tty */
422 if (e == EXEC_OUTPUT_INHERIT &&
423 o == EXEC_OUTPUT_INHERIT &&
424 i == EXEC_INPUT_NULL &&
425 !is_terminal_input(context->std_input) &&
426 getppid () != 1)
427 return fileno;
428
429 /* Duplicate from stdout if possible */
430 if (e == o || e == EXEC_OUTPUT_INHERIT)
431 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
432
433 o = e;
434
435 } else if (o == EXEC_OUTPUT_INHERIT) {
436 /* If input got downgraded, inherit the original value */
437 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
438 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
439
440 /* If the input is connected to anything that's not a /dev/null, inherit that... */
441 if (i != EXEC_INPUT_NULL)
442 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
443
444 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
445 if (getppid() != 1)
446 return fileno;
447
448 /* We need to open /dev/null here anew, to get the right access mode. */
449 return open_null_as(O_WRONLY, fileno);
450 }
451
452 switch (o) {
453
454 case EXEC_OUTPUT_NULL:
455 return open_null_as(O_WRONLY, fileno);
456
457 case EXEC_OUTPUT_TTY:
458 if (is_terminal_input(i))
459 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
460
461 /* We don't reset the terminal if this is just about output */
462 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
463
464 case EXEC_OUTPUT_SYSLOG:
465 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
466 case EXEC_OUTPUT_KMSG:
467 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
468 case EXEC_OUTPUT_JOURNAL:
469 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
470 r = connect_logger_as(context, o, ident, unit->id, fileno, uid, gid);
471 if (r < 0) {
472 log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
473 r = open_null_as(O_WRONLY, fileno);
474 }
475 return r;
476
477 case EXEC_OUTPUT_SOCKET:
478 assert(socket_fd >= 0);
479 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
480
481 default:
482 assert_not_reached("Unknown error type");
483 }
484 }
485
486 static int chown_terminal(int fd, uid_t uid) {
487 struct stat st;
488
489 assert(fd >= 0);
490
491 /* This might fail. What matters are the results. */
492 (void) fchown(fd, uid, -1);
493 (void) fchmod(fd, TTY_MODE);
494
495 if (fstat(fd, &st) < 0)
496 return -errno;
497
498 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
499 return -EPERM;
500
501 return 0;
502 }
503
504 static int setup_confirm_stdio(int *_saved_stdin,
505 int *_saved_stdout) {
506 int fd = -1, saved_stdin, saved_stdout = -1, r;
507
508 assert(_saved_stdin);
509 assert(_saved_stdout);
510
511 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
512 if (saved_stdin < 0)
513 return -errno;
514
515 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
516 if (saved_stdout < 0) {
517 r = errno;
518 goto fail;
519 }
520
521 fd = acquire_terminal(
522 "/dev/console",
523 false,
524 false,
525 false,
526 DEFAULT_CONFIRM_USEC);
527 if (fd < 0) {
528 r = fd;
529 goto fail;
530 }
531
532 r = chown_terminal(fd, getuid());
533 if (r < 0)
534 goto fail;
535
536 if (dup2(fd, STDIN_FILENO) < 0) {
537 r = -errno;
538 goto fail;
539 }
540
541 if (dup2(fd, STDOUT_FILENO) < 0) {
542 r = -errno;
543 goto fail;
544 }
545
546 if (fd >= 2)
547 safe_close(fd);
548
549 *_saved_stdin = saved_stdin;
550 *_saved_stdout = saved_stdout;
551
552 return 0;
553
554 fail:
555 safe_close(saved_stdout);
556 safe_close(saved_stdin);
557 safe_close(fd);
558
559 return r;
560 }
561
562 _printf_(1, 2) static int write_confirm_message(const char *format, ...) {
563 _cleanup_close_ int fd = -1;
564 va_list ap;
565
566 assert(format);
567
568 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
569 if (fd < 0)
570 return fd;
571
572 va_start(ap, format);
573 vdprintf(fd, format, ap);
574 va_end(ap);
575
576 return 0;
577 }
578
579 static int restore_confirm_stdio(int *saved_stdin,
580 int *saved_stdout) {
581
582 int r = 0;
583
584 assert(saved_stdin);
585 assert(saved_stdout);
586
587 release_terminal();
588
589 if (*saved_stdin >= 0)
590 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
591 r = -errno;
592
593 if (*saved_stdout >= 0)
594 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
595 r = -errno;
596
597 safe_close(*saved_stdin);
598 safe_close(*saved_stdout);
599
600 return r;
601 }
602
603 static int ask_for_confirmation(char *response, char **argv) {
604 int saved_stdout = -1, saved_stdin = -1, r;
605 _cleanup_free_ char *line = NULL;
606
607 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
608 if (r < 0)
609 return r;
610
611 line = exec_command_line(argv);
612 if (!line)
613 return -ENOMEM;
614
615 r = ask_char(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
616
617 restore_confirm_stdio(&saved_stdin, &saved_stdout);
618
619 return r;
620 }
621
622 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
623 bool keep_groups = false;
624 int r;
625
626 assert(context);
627
628 /* Lookup and set GID and supplementary group list. Here too
629 * we avoid NSS lookups for gid=0. */
630
631 if (context->group || username) {
632 /* First step, initialize groups from /etc/groups */
633 if (username && gid != 0) {
634 if (initgroups(username, gid) < 0)
635 return -errno;
636
637 keep_groups = true;
638 }
639
640 /* Second step, set our gids */
641 if (setresgid(gid, gid, gid) < 0)
642 return -errno;
643 }
644
645 if (context->supplementary_groups) {
646 int ngroups_max, k;
647 gid_t *gids;
648 char **i;
649
650 /* Final step, initialize any manually set supplementary groups */
651 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
652
653 if (!(gids = new(gid_t, ngroups_max)))
654 return -ENOMEM;
655
656 if (keep_groups) {
657 k = getgroups(ngroups_max, gids);
658 if (k < 0) {
659 free(gids);
660 return -errno;
661 }
662 } else
663 k = 0;
664
665 STRV_FOREACH(i, context->supplementary_groups) {
666 const char *g;
667
668 if (k >= ngroups_max) {
669 free(gids);
670 return -E2BIG;
671 }
672
673 g = *i;
674 r = get_group_creds(&g, gids+k);
675 if (r < 0) {
676 free(gids);
677 return r;
678 }
679
680 k++;
681 }
682
683 if (setgroups(k, gids) < 0) {
684 free(gids);
685 return -errno;
686 }
687
688 free(gids);
689 }
690
691 return 0;
692 }
693
694 static int enforce_user(const ExecContext *context, uid_t uid) {
695 assert(context);
696
697 /* Sets (but doesn't lookup) the uid and make sure we keep the
698 * capabilities while doing so. */
699
700 if (context->capabilities) {
701 _cleanup_cap_free_ cap_t d = NULL;
702 static const cap_value_t bits[] = {
703 CAP_SETUID, /* Necessary so that we can run setresuid() below */
704 CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
705 };
706
707 /* First step: If we need to keep capabilities but
708 * drop privileges we need to make sure we keep our
709 * caps, while we drop privileges. */
710 if (uid != 0) {
711 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
712
713 if (prctl(PR_GET_SECUREBITS) != sb)
714 if (prctl(PR_SET_SECUREBITS, sb) < 0)
715 return -errno;
716 }
717
718 /* Second step: set the capabilities. This will reduce
719 * the capabilities to the minimum we need. */
720
721 d = cap_dup(context->capabilities);
722 if (!d)
723 return -errno;
724
725 if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
726 cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0)
727 return -errno;
728
729 if (cap_set_proc(d) < 0)
730 return -errno;
731 }
732
733 /* Third step: actually set the uids */
734 if (setresuid(uid, uid, uid) < 0)
735 return -errno;
736
737 /* At this point we should have all necessary capabilities but
738 are otherwise a normal user. However, the caps might got
739 corrupted due to the setresuid() so we need clean them up
740 later. This is done outside of this call. */
741
742 return 0;
743 }
744
745 #ifdef HAVE_PAM
746
747 static int null_conv(
748 int num_msg,
749 const struct pam_message **msg,
750 struct pam_response **resp,
751 void *appdata_ptr) {
752
753 /* We don't support conversations */
754
755 return PAM_CONV_ERR;
756 }
757
758 static int setup_pam(
759 const char *name,
760 const char *user,
761 uid_t uid,
762 const char *tty,
763 char ***pam_env,
764 int fds[], unsigned n_fds) {
765
766 static const struct pam_conv conv = {
767 .conv = null_conv,
768 .appdata_ptr = NULL
769 };
770
771 pam_handle_t *handle = NULL;
772 sigset_t old_ss;
773 int pam_code = PAM_SUCCESS;
774 int err;
775 char **e = NULL;
776 bool close_session = false;
777 pid_t pam_pid = 0, parent_pid;
778 int flags = 0;
779
780 assert(name);
781 assert(user);
782 assert(pam_env);
783
784 /* We set up PAM in the parent process, then fork. The child
785 * will then stay around until killed via PR_GET_PDEATHSIG or
786 * systemd via the cgroup logic. It will then remove the PAM
787 * session again. The parent process will exec() the actual
788 * daemon. We do things this way to ensure that the main PID
789 * of the daemon is the one we initially fork()ed. */
790
791 if (log_get_max_level() < LOG_DEBUG)
792 flags |= PAM_SILENT;
793
794 pam_code = pam_start(name, user, &conv, &handle);
795 if (pam_code != PAM_SUCCESS) {
796 handle = NULL;
797 goto fail;
798 }
799
800 if (tty) {
801 pam_code = pam_set_item(handle, PAM_TTY, tty);
802 if (pam_code != PAM_SUCCESS)
803 goto fail;
804 }
805
806 pam_code = pam_acct_mgmt(handle, flags);
807 if (pam_code != PAM_SUCCESS)
808 goto fail;
809
810 pam_code = pam_open_session(handle, flags);
811 if (pam_code != PAM_SUCCESS)
812 goto fail;
813
814 close_session = true;
815
816 e = pam_getenvlist(handle);
817 if (!e) {
818 pam_code = PAM_BUF_ERR;
819 goto fail;
820 }
821
822 /* Block SIGTERM, so that we know that it won't get lost in
823 * the child */
824
825 assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0);
826
827 parent_pid = getpid();
828
829 pam_pid = fork();
830 if (pam_pid < 0)
831 goto fail;
832
833 if (pam_pid == 0) {
834 int sig;
835 int r = EXIT_PAM;
836
837 /* The child's job is to reset the PAM session on
838 * termination */
839
840 /* This string must fit in 10 chars (i.e. the length
841 * of "/sbin/init"), to look pretty in /bin/ps */
842 rename_process("(sd-pam)");
843
844 /* Make sure we don't keep open the passed fds in this
845 child. We assume that otherwise only those fds are
846 open here that have been opened by PAM. */
847 close_many(fds, n_fds);
848
849 /* Drop privileges - we don't need any to pam_close_session
850 * and this will make PR_SET_PDEATHSIG work in most cases.
851 * If this fails, ignore the error - but expect sd-pam threads
852 * to fail to exit normally */
853 if (setresuid(uid, uid, uid) < 0)
854 log_error_errno(r, "Error: Failed to setresuid() in sd-pam: %m");
855
856 (void) ignore_signals(SIGPIPE, -1);
857
858 /* Wait until our parent died. This will only work if
859 * the above setresuid() succeeds, otherwise the kernel
860 * will not allow unprivileged parents kill their privileged
861 * children this way. We rely on the control groups kill logic
862 * to do the rest for us. */
863 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
864 goto child_finish;
865
866 /* Check if our parent process might already have
867 * died? */
868 if (getppid() == parent_pid) {
869 sigset_t ss;
870
871 assert_se(sigemptyset(&ss) >= 0);
872 assert_se(sigaddset(&ss, SIGTERM) >= 0);
873
874 for (;;) {
875 if (sigwait(&ss, &sig) < 0) {
876 if (errno == EINTR)
877 continue;
878
879 goto child_finish;
880 }
881
882 assert(sig == SIGTERM);
883 break;
884 }
885 }
886
887 /* If our parent died we'll end the session */
888 if (getppid() != parent_pid) {
889 pam_code = pam_close_session(handle, flags);
890 if (pam_code != PAM_SUCCESS)
891 goto child_finish;
892 }
893
894 r = 0;
895
896 child_finish:
897 pam_end(handle, pam_code | flags);
898 _exit(r);
899 }
900
901 /* If the child was forked off successfully it will do all the
902 * cleanups, so forget about the handle here. */
903 handle = NULL;
904
905 /* Unblock SIGTERM again in the parent */
906 assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
907
908 /* We close the log explicitly here, since the PAM modules
909 * might have opened it, but we don't want this fd around. */
910 closelog();
911
912 *pam_env = e;
913 e = NULL;
914
915 return 0;
916
917 fail:
918 if (pam_code != PAM_SUCCESS) {
919 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
920 err = -EPERM; /* PAM errors do not map to errno */
921 } else {
922 err = log_error_errno(errno, "PAM failed: %m");
923 }
924
925 if (handle) {
926 if (close_session)
927 pam_code = pam_close_session(handle, flags);
928
929 pam_end(handle, pam_code | flags);
930 }
931
932 strv_free(e);
933
934 closelog();
935
936 if (pam_pid > 1) {
937 kill(pam_pid, SIGTERM);
938 kill(pam_pid, SIGCONT);
939 }
940
941 return err;
942 }
943 #endif
944
945 static void rename_process_from_path(const char *path) {
946 char process_name[11];
947 const char *p;
948 size_t l;
949
950 /* This resulting string must fit in 10 chars (i.e. the length
951 * of "/sbin/init") to look pretty in /bin/ps */
952
953 p = basename(path);
954 if (isempty(p)) {
955 rename_process("(...)");
956 return;
957 }
958
959 l = strlen(p);
960 if (l > 8) {
961 /* The end of the process name is usually more
962 * interesting, since the first bit might just be
963 * "systemd-" */
964 p = p + l - 8;
965 l = 8;
966 }
967
968 process_name[0] = '(';
969 memcpy(process_name+1, p, l);
970 process_name[1+l] = ')';
971 process_name[1+l+1] = 0;
972
973 rename_process(process_name);
974 }
975
976 #ifdef HAVE_SECCOMP
977
978 static int apply_seccomp(const ExecContext *c) {
979 uint32_t negative_action, action;
980 scmp_filter_ctx *seccomp;
981 Iterator i;
982 void *id;
983 int r;
984
985 assert(c);
986
987 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
988
989 seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW);
990 if (!seccomp)
991 return -ENOMEM;
992
993 if (c->syscall_archs) {
994
995 SET_FOREACH(id, c->syscall_archs, i) {
996 r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
997 if (r == -EEXIST)
998 continue;
999 if (r < 0)
1000 goto finish;
1001 }
1002
1003 } else {
1004 r = seccomp_add_secondary_archs(seccomp);
1005 if (r < 0)
1006 goto finish;
1007 }
1008
1009 action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
1010 SET_FOREACH(id, c->syscall_filter, i) {
1011 r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
1012 if (r < 0)
1013 goto finish;
1014 }
1015
1016 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1017 if (r < 0)
1018 goto finish;
1019
1020 r = seccomp_load(seccomp);
1021
1022 finish:
1023 seccomp_release(seccomp);
1024 return r;
1025 }
1026
1027 static int apply_address_families(const ExecContext *c) {
1028 scmp_filter_ctx *seccomp;
1029 Iterator i;
1030 int r;
1031
1032 assert(c);
1033
1034 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1035 if (!seccomp)
1036 return -ENOMEM;
1037
1038 r = seccomp_add_secondary_archs(seccomp);
1039 if (r < 0)
1040 goto finish;
1041
1042 if (c->address_families_whitelist) {
1043 int af, first = 0, last = 0;
1044 void *afp;
1045
1046 /* If this is a whitelist, we first block the address
1047 * families that are out of range and then everything
1048 * that is not in the set. First, we find the lowest
1049 * and highest address family in the set. */
1050
1051 SET_FOREACH(afp, c->address_families, i) {
1052 af = PTR_TO_INT(afp);
1053
1054 if (af <= 0 || af >= af_max())
1055 continue;
1056
1057 if (first == 0 || af < first)
1058 first = af;
1059
1060 if (last == 0 || af > last)
1061 last = af;
1062 }
1063
1064 assert((first == 0) == (last == 0));
1065
1066 if (first == 0) {
1067
1068 /* No entries in the valid range, block everything */
1069 r = seccomp_rule_add(
1070 seccomp,
1071 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1072 SCMP_SYS(socket),
1073 0);
1074 if (r < 0)
1075 goto finish;
1076
1077 } else {
1078
1079 /* Block everything below the first entry */
1080 r = seccomp_rule_add(
1081 seccomp,
1082 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1083 SCMP_SYS(socket),
1084 1,
1085 SCMP_A0(SCMP_CMP_LT, first));
1086 if (r < 0)
1087 goto finish;
1088
1089 /* Block everything above the last entry */
1090 r = seccomp_rule_add(
1091 seccomp,
1092 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1093 SCMP_SYS(socket),
1094 1,
1095 SCMP_A0(SCMP_CMP_GT, last));
1096 if (r < 0)
1097 goto finish;
1098
1099 /* Block everything between the first and last
1100 * entry */
1101 for (af = 1; af < af_max(); af++) {
1102
1103 if (set_contains(c->address_families, INT_TO_PTR(af)))
1104 continue;
1105
1106 r = seccomp_rule_add(
1107 seccomp,
1108 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1109 SCMP_SYS(socket),
1110 1,
1111 SCMP_A0(SCMP_CMP_EQ, af));
1112 if (r < 0)
1113 goto finish;
1114 }
1115 }
1116
1117 } else {
1118 void *af;
1119
1120 /* If this is a blacklist, then generate one rule for
1121 * each address family that are then combined in OR
1122 * checks. */
1123
1124 SET_FOREACH(af, c->address_families, i) {
1125
1126 r = seccomp_rule_add(
1127 seccomp,
1128 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1129 SCMP_SYS(socket),
1130 1,
1131 SCMP_A0(SCMP_CMP_EQ, PTR_TO_INT(af)));
1132 if (r < 0)
1133 goto finish;
1134 }
1135 }
1136
1137 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1138 if (r < 0)
1139 goto finish;
1140
1141 r = seccomp_load(seccomp);
1142
1143 finish:
1144 seccomp_release(seccomp);
1145 return r;
1146 }
1147
1148 #endif
1149
1150 static void do_idle_pipe_dance(int idle_pipe[4]) {
1151 assert(idle_pipe);
1152
1153
1154 idle_pipe[1] = safe_close(idle_pipe[1]);
1155 idle_pipe[2] = safe_close(idle_pipe[2]);
1156
1157 if (idle_pipe[0] >= 0) {
1158 int r;
1159
1160 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1161
1162 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
1163 ssize_t n;
1164
1165 /* Signal systemd that we are bored and want to continue. */
1166 n = write(idle_pipe[3], "x", 1);
1167 if (n > 0)
1168 /* Wait for systemd to react to the signal above. */
1169 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1170 }
1171
1172 idle_pipe[0] = safe_close(idle_pipe[0]);
1173
1174 }
1175
1176 idle_pipe[3] = safe_close(idle_pipe[3]);
1177 }
1178
1179 static int build_environment(
1180 const ExecContext *c,
1181 unsigned n_fds,
1182 usec_t watchdog_usec,
1183 const char *home,
1184 const char *username,
1185 const char *shell,
1186 char ***ret) {
1187
1188 _cleanup_strv_free_ char **our_env = NULL;
1189 unsigned n_env = 0;
1190 char *x;
1191
1192 assert(c);
1193 assert(ret);
1194
1195 our_env = new0(char*, 10);
1196 if (!our_env)
1197 return -ENOMEM;
1198
1199 if (n_fds > 0) {
1200 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1201 return -ENOMEM;
1202 our_env[n_env++] = x;
1203
1204 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1205 return -ENOMEM;
1206 our_env[n_env++] = x;
1207 }
1208
1209 if (watchdog_usec > 0) {
1210 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1211 return -ENOMEM;
1212 our_env[n_env++] = x;
1213
1214 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, watchdog_usec) < 0)
1215 return -ENOMEM;
1216 our_env[n_env++] = x;
1217 }
1218
1219 if (home) {
1220 x = strappend("HOME=", home);
1221 if (!x)
1222 return -ENOMEM;
1223 our_env[n_env++] = x;
1224 }
1225
1226 if (username) {
1227 x = strappend("LOGNAME=", username);
1228 if (!x)
1229 return -ENOMEM;
1230 our_env[n_env++] = x;
1231
1232 x = strappend("USER=", username);
1233 if (!x)
1234 return -ENOMEM;
1235 our_env[n_env++] = x;
1236 }
1237
1238 if (shell) {
1239 x = strappend("SHELL=", shell);
1240 if (!x)
1241 return -ENOMEM;
1242 our_env[n_env++] = x;
1243 }
1244
1245 if (is_terminal_input(c->std_input) ||
1246 c->std_output == EXEC_OUTPUT_TTY ||
1247 c->std_error == EXEC_OUTPUT_TTY ||
1248 c->tty_path) {
1249
1250 x = strdup(default_term_for_tty(tty_path(c)));
1251 if (!x)
1252 return -ENOMEM;
1253 our_env[n_env++] = x;
1254 }
1255
1256 our_env[n_env++] = NULL;
1257 assert(n_env <= 10);
1258
1259 *ret = our_env;
1260 our_env = NULL;
1261
1262 return 0;
1263 }
1264
1265 static bool exec_needs_mount_namespace(
1266 const ExecContext *context,
1267 const ExecParameters *params,
1268 ExecRuntime *runtime) {
1269
1270 assert(context);
1271 assert(params);
1272
1273 if (!strv_isempty(context->read_write_dirs) ||
1274 !strv_isempty(context->read_only_dirs) ||
1275 !strv_isempty(context->inaccessible_dirs))
1276 return true;
1277
1278 if (context->mount_flags != 0)
1279 return true;
1280
1281 if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
1282 return true;
1283
1284 if (params->bus_endpoint_path)
1285 return true;
1286
1287 if (context->private_devices ||
1288 context->protect_system != PROTECT_SYSTEM_NO ||
1289 context->protect_home != PROTECT_HOME_NO)
1290 return true;
1291
1292 return false;
1293 }
1294
1295 static int exec_child(
1296 Unit *unit,
1297 ExecCommand *command,
1298 const ExecContext *context,
1299 const ExecParameters *params,
1300 ExecRuntime *runtime,
1301 char **argv,
1302 int socket_fd,
1303 int *fds, unsigned n_fds,
1304 char **files_env,
1305 int *exit_status) {
1306
1307 _cleanup_strv_free_ char **our_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL;
1308 _cleanup_free_ char *mac_selinux_context_net = NULL;
1309 const char *username = NULL, *home = NULL, *shell = NULL;
1310 unsigned n_dont_close = 0;
1311 int dont_close[n_fds + 4];
1312 uid_t uid = UID_INVALID;
1313 gid_t gid = GID_INVALID;
1314 int i, r;
1315 bool needs_mount_namespace;
1316
1317 assert(unit);
1318 assert(command);
1319 assert(context);
1320 assert(params);
1321 assert(exit_status);
1322
1323 rename_process_from_path(command->path);
1324
1325 /* We reset exactly these signals, since they are the
1326 * only ones we set to SIG_IGN in the main daemon. All
1327 * others we leave untouched because we set them to
1328 * SIG_DFL or a valid handler initially, both of which
1329 * will be demoted to SIG_DFL. */
1330 (void) default_signals(SIGNALS_CRASH_HANDLER,
1331 SIGNALS_IGNORE, -1);
1332
1333 if (context->ignore_sigpipe)
1334 (void) ignore_signals(SIGPIPE, -1);
1335
1336 r = reset_signal_mask();
1337 if (r < 0) {
1338 *exit_status = EXIT_SIGNAL_MASK;
1339 return r;
1340 }
1341
1342 if (params->idle_pipe)
1343 do_idle_pipe_dance(params->idle_pipe);
1344
1345 /* Close sockets very early to make sure we don't
1346 * block init reexecution because it cannot bind its
1347 * sockets */
1348
1349 log_forget_fds();
1350
1351 if (socket_fd >= 0)
1352 dont_close[n_dont_close++] = socket_fd;
1353 if (n_fds > 0) {
1354 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
1355 n_dont_close += n_fds;
1356 }
1357 if (params->bus_endpoint_fd >= 0)
1358 dont_close[n_dont_close++] = params->bus_endpoint_fd;
1359 if (runtime) {
1360 if (runtime->netns_storage_socket[0] >= 0)
1361 dont_close[n_dont_close++] = runtime->netns_storage_socket[0];
1362 if (runtime->netns_storage_socket[1] >= 0)
1363 dont_close[n_dont_close++] = runtime->netns_storage_socket[1];
1364 }
1365
1366 r = close_all_fds(dont_close, n_dont_close);
1367 if (r < 0) {
1368 *exit_status = EXIT_FDS;
1369 return r;
1370 }
1371
1372 if (!context->same_pgrp)
1373 if (setsid() < 0) {
1374 *exit_status = EXIT_SETSID;
1375 return -errno;
1376 }
1377
1378 exec_context_tty_reset(context);
1379
1380 if (params->confirm_spawn) {
1381 char response;
1382
1383 r = ask_for_confirmation(&response, argv);
1384 if (r == -ETIMEDOUT)
1385 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
1386 else if (r < 0)
1387 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-r));
1388 else if (response == 's') {
1389 write_confirm_message("Skipping execution.\n");
1390 *exit_status = EXIT_CONFIRM;
1391 return -ECANCELED;
1392 } else if (response == 'n') {
1393 write_confirm_message("Failing execution.\n");
1394 *exit_status = 0;
1395 return 0;
1396 }
1397 }
1398
1399 if (context->user) {
1400 username = context->user;
1401 r = get_user_creds(&username, &uid, &gid, &home, &shell);
1402 if (r < 0) {
1403 *exit_status = EXIT_USER;
1404 return r;
1405 }
1406 }
1407
1408 if (context->group) {
1409 const char *g = context->group;
1410
1411 r = get_group_creds(&g, &gid);
1412 if (r < 0) {
1413 *exit_status = EXIT_GROUP;
1414 return r;
1415 }
1416 }
1417
1418
1419 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1420 * must sure to drop O_NONBLOCK */
1421 if (socket_fd >= 0)
1422 fd_nonblock(socket_fd, false);
1423
1424 r = setup_input(context, socket_fd, params->apply_tty_stdin);
1425 if (r < 0) {
1426 *exit_status = EXIT_STDIN;
1427 return r;
1428 }
1429
1430 r = setup_output(unit, context, STDOUT_FILENO, socket_fd, basename(command->path), params->apply_tty_stdin, uid, gid);
1431 if (r < 0) {
1432 *exit_status = EXIT_STDOUT;
1433 return r;
1434 }
1435
1436 r = setup_output(unit, context, STDERR_FILENO, socket_fd, basename(command->path), params->apply_tty_stdin, uid, gid);
1437 if (r < 0) {
1438 *exit_status = EXIT_STDERR;
1439 return r;
1440 }
1441
1442 if (params->cgroup_path) {
1443 r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
1444 if (r < 0) {
1445 *exit_status = EXIT_CGROUP;
1446 return r;
1447 }
1448 }
1449
1450 if (context->oom_score_adjust_set) {
1451 char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
1452
1453 /* When we can't make this change due to EPERM, then
1454 * let's silently skip over it. User namespaces
1455 * prohibit write access to this file, and we
1456 * shouldn't trip up over that. */
1457
1458 sprintf(t, "%i", context->oom_score_adjust);
1459 r = write_string_file("/proc/self/oom_score_adj", t, 0);
1460 if (r == -EPERM || r == -EACCES) {
1461 log_open();
1462 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
1463 log_close();
1464 } else if (r < 0) {
1465 *exit_status = EXIT_OOM_ADJUST;
1466 return -errno;
1467 }
1468 }
1469
1470 if (context->nice_set)
1471 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
1472 *exit_status = EXIT_NICE;
1473 return -errno;
1474 }
1475
1476 if (context->cpu_sched_set) {
1477 struct sched_param param = {
1478 .sched_priority = context->cpu_sched_priority,
1479 };
1480
1481 r = sched_setscheduler(0,
1482 context->cpu_sched_policy |
1483 (context->cpu_sched_reset_on_fork ?
1484 SCHED_RESET_ON_FORK : 0),
1485 &param);
1486 if (r < 0) {
1487 *exit_status = EXIT_SETSCHEDULER;
1488 return -errno;
1489 }
1490 }
1491
1492 if (context->cpuset)
1493 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
1494 *exit_status = EXIT_CPUAFFINITY;
1495 return -errno;
1496 }
1497
1498 if (context->ioprio_set)
1499 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
1500 *exit_status = EXIT_IOPRIO;
1501 return -errno;
1502 }
1503
1504 if (context->timer_slack_nsec != NSEC_INFINITY)
1505 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
1506 *exit_status = EXIT_TIMERSLACK;
1507 return -errno;
1508 }
1509
1510 if (context->personality != PERSONALITY_INVALID)
1511 if (personality(context->personality) < 0) {
1512 *exit_status = EXIT_PERSONALITY;
1513 return -errno;
1514 }
1515
1516 if (context->utmp_id)
1517 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path,
1518 context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS :
1519 context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
1520 USER_PROCESS,
1521 username ? "root" : context->user);
1522
1523 if (context->user && is_terminal_input(context->std_input)) {
1524 r = chown_terminal(STDIN_FILENO, uid);
1525 if (r < 0) {
1526 *exit_status = EXIT_STDIN;
1527 return r;
1528 }
1529 }
1530
1531 if (params->bus_endpoint_fd >= 0 && context->bus_endpoint) {
1532 uid_t ep_uid = (uid == UID_INVALID) ? 0 : uid;
1533
1534 r = bus_kernel_set_endpoint_policy(params->bus_endpoint_fd, ep_uid, context->bus_endpoint);
1535 if (r < 0) {
1536 *exit_status = EXIT_BUS_ENDPOINT;
1537 return r;
1538 }
1539 }
1540
1541 /* If delegation is enabled we'll pass ownership of the cgroup
1542 * (but only in systemd's own controller hierarchy!) to the
1543 * user of the new process. */
1544 if (params->cgroup_path && context->user && params->cgroup_delegate) {
1545 r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
1546 if (r < 0) {
1547 *exit_status = EXIT_CGROUP;
1548 return r;
1549 }
1550
1551
1552 r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
1553 if (r < 0) {
1554 *exit_status = EXIT_CGROUP;
1555 return r;
1556 }
1557 }
1558
1559 if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
1560 char **rt;
1561
1562 STRV_FOREACH(rt, context->runtime_directory) {
1563 _cleanup_free_ char *p;
1564
1565 p = strjoin(params->runtime_prefix, "/", *rt, NULL);
1566 if (!p) {
1567 *exit_status = EXIT_RUNTIME_DIRECTORY;
1568 return -ENOMEM;
1569 }
1570
1571 r = mkdir_p_label(p, context->runtime_directory_mode);
1572 if (r < 0) {
1573 *exit_status = EXIT_RUNTIME_DIRECTORY;
1574 return r;
1575 }
1576
1577 r = chmod_and_chown(p, context->runtime_directory_mode, uid, gid);
1578 if (r < 0) {
1579 *exit_status = EXIT_RUNTIME_DIRECTORY;
1580 return r;
1581 }
1582 }
1583 }
1584
1585 umask(context->umask);
1586
1587 if (params->apply_permissions) {
1588 r = enforce_groups(context, username, gid);
1589 if (r < 0) {
1590 *exit_status = EXIT_GROUP;
1591 return r;
1592 }
1593 #ifdef HAVE_SMACK
1594 if (context->smack_process_label) {
1595 r = mac_smack_apply_pid(0, context->smack_process_label);
1596 if (r < 0) {
1597 *exit_status = EXIT_SMACK_PROCESS_LABEL;
1598 return r;
1599 }
1600 }
1601 #ifdef SMACK_DEFAULT_PROCESS_LABEL
1602 else {
1603 _cleanup_free_ char *exec_label = NULL;
1604
1605 r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
1606 if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) {
1607 *exit_status = EXIT_SMACK_PROCESS_LABEL;
1608 return r;
1609 }
1610
1611 r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
1612 if (r < 0) {
1613 *exit_status = EXIT_SMACK_PROCESS_LABEL;
1614 return r;
1615 }
1616 }
1617 #endif
1618 #endif
1619 #ifdef HAVE_PAM
1620 if (context->pam_name && username) {
1621 r = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
1622 if (r < 0) {
1623 *exit_status = EXIT_PAM;
1624 return r;
1625 }
1626 }
1627 #endif
1628 }
1629
1630 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
1631 r = setup_netns(runtime->netns_storage_socket);
1632 if (r < 0) {
1633 *exit_status = EXIT_NETWORK;
1634 return r;
1635 }
1636 }
1637
1638 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
1639
1640 if (needs_mount_namespace) {
1641 char *tmp = NULL, *var = NULL;
1642
1643 /* The runtime struct only contains the parent
1644 * of the private /tmp, which is
1645 * non-accessible to world users. Inside of it
1646 * there's a /tmp that is sticky, and that's
1647 * the one we want to use here. */
1648
1649 if (context->private_tmp && runtime) {
1650 if (runtime->tmp_dir)
1651 tmp = strjoina(runtime->tmp_dir, "/tmp");
1652 if (runtime->var_tmp_dir)
1653 var = strjoina(runtime->var_tmp_dir, "/tmp");
1654 }
1655
1656 r = setup_namespace(
1657 params->apply_chroot ? context->root_directory : NULL,
1658 context->read_write_dirs,
1659 context->read_only_dirs,
1660 context->inaccessible_dirs,
1661 tmp,
1662 var,
1663 params->bus_endpoint_path,
1664 context->private_devices,
1665 context->protect_home,
1666 context->protect_system,
1667 context->mount_flags);
1668
1669 /* If we couldn't set up the namespace this is
1670 * probably due to a missing capability. In this case,
1671 * silently proceeed. */
1672 if (r == -EPERM || r == -EACCES) {
1673 log_open();
1674 log_unit_debug_errno(unit, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
1675 log_close();
1676 } else if (r < 0) {
1677 *exit_status = EXIT_NAMESPACE;
1678 return r;
1679 }
1680 }
1681
1682 if (params->apply_chroot) {
1683 if (!needs_mount_namespace && context->root_directory)
1684 if (chroot(context->root_directory) < 0) {
1685 *exit_status = EXIT_CHROOT;
1686 return -errno;
1687 }
1688
1689 if (chdir(context->working_directory ?: "/") < 0 &&
1690 !context->working_directory_missing_ok) {
1691 *exit_status = EXIT_CHDIR;
1692 return -errno;
1693 }
1694 } else {
1695 _cleanup_free_ char *d = NULL;
1696
1697 if (asprintf(&d, "%s/%s",
1698 context->root_directory ?: "",
1699 context->working_directory ?: "") < 0) {
1700 *exit_status = EXIT_MEMORY;
1701 return -ENOMEM;
1702 }
1703
1704 if (chdir(d) < 0 &&
1705 !context->working_directory_missing_ok) {
1706 *exit_status = EXIT_CHDIR;
1707 return -errno;
1708 }
1709 }
1710
1711 #ifdef HAVE_SELINUX
1712 if (params->apply_permissions && mac_selinux_use() && params->selinux_context_net && socket_fd >= 0) {
1713 r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
1714 if (r < 0) {
1715 *exit_status = EXIT_SELINUX_CONTEXT;
1716 return r;
1717 }
1718 }
1719 #endif
1720
1721 /* We repeat the fd closing here, to make sure that
1722 * nothing is leaked from the PAM modules. Note that
1723 * we are more aggressive this time since socket_fd
1724 * and the netns fds we don't need anymore. The custom
1725 * endpoint fd was needed to upload the policy and can
1726 * now be closed as well. */
1727 r = close_all_fds(fds, n_fds);
1728 if (r >= 0)
1729 r = shift_fds(fds, n_fds);
1730 if (r >= 0)
1731 r = flags_fds(fds, n_fds, context->non_blocking);
1732 if (r < 0) {
1733 *exit_status = EXIT_FDS;
1734 return r;
1735 }
1736
1737 if (params->apply_permissions) {
1738
1739 for (i = 0; i < _RLIMIT_MAX; i++) {
1740 if (!context->rlimit[i])
1741 continue;
1742
1743 if (setrlimit_closest(i, context->rlimit[i]) < 0) {
1744 *exit_status = EXIT_LIMITS;
1745 return -errno;
1746 }
1747 }
1748
1749 if (context->capability_bounding_set_drop) {
1750 r = capability_bounding_set_drop(context->capability_bounding_set_drop, false);
1751 if (r < 0) {
1752 *exit_status = EXIT_CAPABILITIES;
1753 return r;
1754 }
1755 }
1756
1757 if (context->user) {
1758 r = enforce_user(context, uid);
1759 if (r < 0) {
1760 *exit_status = EXIT_USER;
1761 return r;
1762 }
1763 }
1764
1765 /* PR_GET_SECUREBITS is not privileged, while
1766 * PR_SET_SECUREBITS is. So to suppress
1767 * potential EPERMs we'll try not to call
1768 * PR_SET_SECUREBITS unless necessary. */
1769 if (prctl(PR_GET_SECUREBITS) != context->secure_bits)
1770 if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
1771 *exit_status = EXIT_SECUREBITS;
1772 return -errno;
1773 }
1774
1775 if (context->capabilities)
1776 if (cap_set_proc(context->capabilities) < 0) {
1777 *exit_status = EXIT_CAPABILITIES;
1778 return -errno;
1779 }
1780
1781 if (context->no_new_privileges)
1782 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
1783 *exit_status = EXIT_NO_NEW_PRIVILEGES;
1784 return -errno;
1785 }
1786
1787 #ifdef HAVE_SECCOMP
1788 if (context->address_families_whitelist ||
1789 !set_isempty(context->address_families)) {
1790 r = apply_address_families(context);
1791 if (r < 0) {
1792 *exit_status = EXIT_ADDRESS_FAMILIES;
1793 return r;
1794 }
1795 }
1796
1797 if (context->syscall_whitelist ||
1798 !set_isempty(context->syscall_filter) ||
1799 !set_isempty(context->syscall_archs)) {
1800 r = apply_seccomp(context);
1801 if (r < 0) {
1802 *exit_status = EXIT_SECCOMP;
1803 return r;
1804 }
1805 }
1806 #endif
1807
1808 #ifdef HAVE_SELINUX
1809 if (mac_selinux_use()) {
1810 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
1811
1812 if (exec_context) {
1813 r = setexeccon(exec_context);
1814 if (r < 0) {
1815 *exit_status = EXIT_SELINUX_CONTEXT;
1816 return r;
1817 }
1818 }
1819 }
1820 #endif
1821
1822 #ifdef HAVE_APPARMOR
1823 if (context->apparmor_profile && mac_apparmor_use()) {
1824 r = aa_change_onexec(context->apparmor_profile);
1825 if (r < 0 && !context->apparmor_profile_ignore) {
1826 *exit_status = EXIT_APPARMOR_PROFILE;
1827 return -errno;
1828 }
1829 }
1830 #endif
1831 }
1832
1833 r = build_environment(context, n_fds, params->watchdog_usec, home, username, shell, &our_env);
1834 if (r < 0) {
1835 *exit_status = EXIT_MEMORY;
1836 return r;
1837 }
1838
1839 final_env = strv_env_merge(5,
1840 params->environment,
1841 our_env,
1842 context->environment,
1843 files_env,
1844 pam_env,
1845 NULL);
1846 if (!final_env) {
1847 *exit_status = EXIT_MEMORY;
1848 return -ENOMEM;
1849 }
1850
1851 final_argv = replace_env_argv(argv, final_env);
1852 if (!final_argv) {
1853 *exit_status = EXIT_MEMORY;
1854 return -ENOMEM;
1855 }
1856
1857 final_env = strv_env_clean(final_env);
1858
1859 if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
1860 _cleanup_free_ char *line;
1861
1862 line = exec_command_line(final_argv);
1863 if (line) {
1864 log_open();
1865 log_struct(LOG_DEBUG,
1866 LOG_UNIT_ID(unit),
1867 "EXECUTABLE=%s", command->path,
1868 LOG_UNIT_MESSAGE(unit, "Executing: %s", line),
1869 NULL);
1870 log_close();
1871 }
1872 }
1873
1874 execve(command->path, final_argv, final_env);
1875 *exit_status = EXIT_EXEC;
1876 return -errno;
1877 }
1878
1879 int exec_spawn(Unit *unit,
1880 ExecCommand *command,
1881 const ExecContext *context,
1882 const ExecParameters *params,
1883 ExecRuntime *runtime,
1884 pid_t *ret) {
1885
1886 _cleanup_strv_free_ char **files_env = NULL;
1887 int *fds = NULL; unsigned n_fds = 0;
1888 _cleanup_free_ char *line = NULL;
1889 int socket_fd, r;
1890 char **argv;
1891 pid_t pid;
1892
1893 assert(unit);
1894 assert(command);
1895 assert(context);
1896 assert(ret);
1897 assert(params);
1898 assert(params->fds || params->n_fds <= 0);
1899
1900 if (context->std_input == EXEC_INPUT_SOCKET ||
1901 context->std_output == EXEC_OUTPUT_SOCKET ||
1902 context->std_error == EXEC_OUTPUT_SOCKET) {
1903
1904 if (params->n_fds != 1) {
1905 log_unit_error(unit, "Got more than one socket.");
1906 return -EINVAL;
1907 }
1908
1909 socket_fd = params->fds[0];
1910 } else {
1911 socket_fd = -1;
1912 fds = params->fds;
1913 n_fds = params->n_fds;
1914 }
1915
1916 r = exec_context_load_environment(unit, context, &files_env);
1917 if (r < 0)
1918 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
1919
1920 argv = params->argv ?: command->argv;
1921 line = exec_command_line(argv);
1922 if (!line)
1923 return log_oom();
1924
1925 log_struct(LOG_DEBUG,
1926 LOG_UNIT_ID(unit),
1927 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
1928 "EXECUTABLE=%s", command->path,
1929 NULL);
1930 pid = fork();
1931 if (pid < 0)
1932 return log_unit_error_errno(unit, r, "Failed to fork: %m");
1933
1934 if (pid == 0) {
1935 int exit_status;
1936
1937 r = exec_child(unit,
1938 command,
1939 context,
1940 params,
1941 runtime,
1942 argv,
1943 socket_fd,
1944 fds, n_fds,
1945 files_env,
1946 &exit_status);
1947 if (r < 0) {
1948 log_open();
1949 log_struct_errno(LOG_ERR, r,
1950 LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
1951 LOG_UNIT_ID(unit),
1952 LOG_UNIT_MESSAGE(unit, "Failed at step %s spawning %s: %m",
1953 exit_status_to_string(exit_status, EXIT_STATUS_SYSTEMD),
1954 command->path),
1955 "EXECUTABLE=%s", command->path,
1956 NULL);
1957 }
1958
1959 _exit(exit_status);
1960 }
1961
1962 log_unit_debug(unit, "Forked %s as "PID_FMT, command->path, pid);
1963
1964 /* We add the new process to the cgroup both in the child (so
1965 * that we can be sure that no user code is ever executed
1966 * outside of the cgroup) and in the parent (so that we can be
1967 * sure that when we kill the cgroup the process will be
1968 * killed too). */
1969 if (params->cgroup_path)
1970 (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
1971
1972 exec_status_start(&command->exec_status, pid);
1973
1974 *ret = pid;
1975 return 0;
1976 }
1977
1978 void exec_context_init(ExecContext *c) {
1979 assert(c);
1980
1981 c->umask = 0022;
1982 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
1983 c->cpu_sched_policy = SCHED_OTHER;
1984 c->syslog_priority = LOG_DAEMON|LOG_INFO;
1985 c->syslog_level_prefix = true;
1986 c->ignore_sigpipe = true;
1987 c->timer_slack_nsec = NSEC_INFINITY;
1988 c->personality = PERSONALITY_INVALID;
1989 c->runtime_directory_mode = 0755;
1990 }
1991
1992 void exec_context_done(ExecContext *c) {
1993 unsigned l;
1994
1995 assert(c);
1996
1997 c->environment = strv_free(c->environment);
1998 c->environment_files = strv_free(c->environment_files);
1999
2000 for (l = 0; l < ELEMENTSOF(c->rlimit); l++)
2001 c->rlimit[l] = mfree(c->rlimit[l]);
2002
2003 c->working_directory = mfree(c->working_directory);
2004 c->root_directory = mfree(c->root_directory);
2005 c->tty_path = mfree(c->tty_path);
2006 c->syslog_identifier = mfree(c->syslog_identifier);
2007 c->user = mfree(c->user);
2008 c->group = mfree(c->group);
2009
2010 c->supplementary_groups = strv_free(c->supplementary_groups);
2011
2012 c->pam_name = mfree(c->pam_name);
2013
2014 if (c->capabilities) {
2015 cap_free(c->capabilities);
2016 c->capabilities = NULL;
2017 }
2018
2019 c->read_only_dirs = strv_free(c->read_only_dirs);
2020 c->read_write_dirs = strv_free(c->read_write_dirs);
2021 c->inaccessible_dirs = strv_free(c->inaccessible_dirs);
2022
2023 if (c->cpuset)
2024 CPU_FREE(c->cpuset);
2025
2026 c->utmp_id = mfree(c->utmp_id);
2027 c->selinux_context = mfree(c->selinux_context);
2028 c->apparmor_profile = mfree(c->apparmor_profile);
2029
2030 c->syscall_filter = set_free(c->syscall_filter);
2031 c->syscall_archs = set_free(c->syscall_archs);
2032 c->address_families = set_free(c->address_families);
2033
2034 c->runtime_directory = strv_free(c->runtime_directory);
2035
2036 bus_endpoint_free(c->bus_endpoint);
2037 c->bus_endpoint = NULL;
2038 }
2039
2040 int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
2041 char **i;
2042
2043 assert(c);
2044
2045 if (!runtime_prefix)
2046 return 0;
2047
2048 STRV_FOREACH(i, c->runtime_directory) {
2049 _cleanup_free_ char *p;
2050
2051 p = strjoin(runtime_prefix, "/", *i, NULL);
2052 if (!p)
2053 return -ENOMEM;
2054
2055 /* We execute this synchronously, since we need to be
2056 * sure this is gone when we start the service
2057 * next. */
2058 (void) rm_rf(p, REMOVE_ROOT);
2059 }
2060
2061 return 0;
2062 }
2063
2064 void exec_command_done(ExecCommand *c) {
2065 assert(c);
2066
2067 c->path = mfree(c->path);
2068
2069 c->argv = strv_free(c->argv);
2070 }
2071
2072 void exec_command_done_array(ExecCommand *c, unsigned n) {
2073 unsigned i;
2074
2075 for (i = 0; i < n; i++)
2076 exec_command_done(c+i);
2077 }
2078
2079 ExecCommand* exec_command_free_list(ExecCommand *c) {
2080 ExecCommand *i;
2081
2082 while ((i = c)) {
2083 LIST_REMOVE(command, c, i);
2084 exec_command_done(i);
2085 free(i);
2086 }
2087
2088 return NULL;
2089 }
2090
2091 void exec_command_free_array(ExecCommand **c, unsigned n) {
2092 unsigned i;
2093
2094 for (i = 0; i < n; i++)
2095 c[i] = exec_command_free_list(c[i]);
2096 }
2097
2098 typedef struct InvalidEnvInfo {
2099 Unit *unit;
2100 const char *path;
2101 } InvalidEnvInfo;
2102
2103 static void invalid_env(const char *p, void *userdata) {
2104 InvalidEnvInfo *info = userdata;
2105
2106 log_unit_error(info->unit, "Ignoring invalid environment assignment '%s': %s", p, info->path);
2107 }
2108
2109 int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
2110 char **i, **r = NULL;
2111
2112 assert(c);
2113 assert(l);
2114
2115 STRV_FOREACH(i, c->environment_files) {
2116 char *fn;
2117 int k;
2118 bool ignore = false;
2119 char **p;
2120 _cleanup_globfree_ glob_t pglob = {};
2121 int count, n;
2122
2123 fn = *i;
2124
2125 if (fn[0] == '-') {
2126 ignore = true;
2127 fn ++;
2128 }
2129
2130 if (!path_is_absolute(fn)) {
2131 if (ignore)
2132 continue;
2133
2134 strv_free(r);
2135 return -EINVAL;
2136 }
2137
2138 /* Filename supports globbing, take all matching files */
2139 errno = 0;
2140 if (glob(fn, 0, NULL, &pglob) != 0) {
2141 if (ignore)
2142 continue;
2143
2144 strv_free(r);
2145 return errno ? -errno : -EINVAL;
2146 }
2147 count = pglob.gl_pathc;
2148 if (count == 0) {
2149 if (ignore)
2150 continue;
2151
2152 strv_free(r);
2153 return -EINVAL;
2154 }
2155 for (n = 0; n < count; n++) {
2156 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
2157 if (k < 0) {
2158 if (ignore)
2159 continue;
2160
2161 strv_free(r);
2162 return k;
2163 }
2164 /* Log invalid environment variables with filename */
2165 if (p) {
2166 InvalidEnvInfo info = {
2167 .unit = unit,
2168 .path = pglob.gl_pathv[n]
2169 };
2170
2171 p = strv_env_clean_with_callback(p, invalid_env, &info);
2172 }
2173
2174 if (r == NULL)
2175 r = p;
2176 else {
2177 char **m;
2178
2179 m = strv_env_merge(2, r, p);
2180 strv_free(r);
2181 strv_free(p);
2182 if (!m)
2183 return -ENOMEM;
2184
2185 r = m;
2186 }
2187 }
2188 }
2189
2190 *l = r;
2191
2192 return 0;
2193 }
2194
2195 static bool tty_may_match_dev_console(const char *tty) {
2196 _cleanup_free_ char *active = NULL;
2197 char *console;
2198
2199 if (startswith(tty, "/dev/"))
2200 tty += 5;
2201
2202 /* trivial identity? */
2203 if (streq(tty, "console"))
2204 return true;
2205
2206 console = resolve_dev_console(&active);
2207 /* if we could not resolve, assume it may */
2208 if (!console)
2209 return true;
2210
2211 /* "tty0" means the active VC, so it may be the same sometimes */
2212 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
2213 }
2214
2215 bool exec_context_may_touch_console(ExecContext *ec) {
2216 return (ec->tty_reset || ec->tty_vhangup || ec->tty_vt_disallocate ||
2217 is_terminal_input(ec->std_input) ||
2218 is_terminal_output(ec->std_output) ||
2219 is_terminal_output(ec->std_error)) &&
2220 tty_may_match_dev_console(tty_path(ec));
2221 }
2222
2223 static void strv_fprintf(FILE *f, char **l) {
2224 char **g;
2225
2226 assert(f);
2227
2228 STRV_FOREACH(g, l)
2229 fprintf(f, " %s", *g);
2230 }
2231
2232 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
2233 char **e;
2234 unsigned i;
2235
2236 assert(c);
2237 assert(f);
2238
2239 prefix = strempty(prefix);
2240
2241 fprintf(f,
2242 "%sUMask: %04o\n"
2243 "%sWorkingDirectory: %s\n"
2244 "%sRootDirectory: %s\n"
2245 "%sNonBlocking: %s\n"
2246 "%sPrivateTmp: %s\n"
2247 "%sPrivateNetwork: %s\n"
2248 "%sPrivateDevices: %s\n"
2249 "%sProtectHome: %s\n"
2250 "%sProtectSystem: %s\n"
2251 "%sIgnoreSIGPIPE: %s\n",
2252 prefix, c->umask,
2253 prefix, c->working_directory ? c->working_directory : "/",
2254 prefix, c->root_directory ? c->root_directory : "/",
2255 prefix, yes_no(c->non_blocking),
2256 prefix, yes_no(c->private_tmp),
2257 prefix, yes_no(c->private_network),
2258 prefix, yes_no(c->private_devices),
2259 prefix, protect_home_to_string(c->protect_home),
2260 prefix, protect_system_to_string(c->protect_system),
2261 prefix, yes_no(c->ignore_sigpipe));
2262
2263 STRV_FOREACH(e, c->environment)
2264 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
2265
2266 STRV_FOREACH(e, c->environment_files)
2267 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
2268
2269 if (c->nice_set)
2270 fprintf(f,
2271 "%sNice: %i\n",
2272 prefix, c->nice);
2273
2274 if (c->oom_score_adjust_set)
2275 fprintf(f,
2276 "%sOOMScoreAdjust: %i\n",
2277 prefix, c->oom_score_adjust);
2278
2279 for (i = 0; i < RLIM_NLIMITS; i++)
2280 if (c->rlimit[i])
2281 fprintf(f, "%s%s: "RLIM_FMT"\n",
2282 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
2283
2284 if (c->ioprio_set) {
2285 _cleanup_free_ char *class_str = NULL;
2286
2287 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
2288 fprintf(f,
2289 "%sIOSchedulingClass: %s\n"
2290 "%sIOPriority: %i\n",
2291 prefix, strna(class_str),
2292 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
2293 }
2294
2295 if (c->cpu_sched_set) {
2296 _cleanup_free_ char *policy_str = NULL;
2297
2298 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
2299 fprintf(f,
2300 "%sCPUSchedulingPolicy: %s\n"
2301 "%sCPUSchedulingPriority: %i\n"
2302 "%sCPUSchedulingResetOnFork: %s\n",
2303 prefix, strna(policy_str),
2304 prefix, c->cpu_sched_priority,
2305 prefix, yes_no(c->cpu_sched_reset_on_fork));
2306 }
2307
2308 if (c->cpuset) {
2309 fprintf(f, "%sCPUAffinity:", prefix);
2310 for (i = 0; i < c->cpuset_ncpus; i++)
2311 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
2312 fprintf(f, " %u", i);
2313 fputs("\n", f);
2314 }
2315
2316 if (c->timer_slack_nsec != NSEC_INFINITY)
2317 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
2318
2319 fprintf(f,
2320 "%sStandardInput: %s\n"
2321 "%sStandardOutput: %s\n"
2322 "%sStandardError: %s\n",
2323 prefix, exec_input_to_string(c->std_input),
2324 prefix, exec_output_to_string(c->std_output),
2325 prefix, exec_output_to_string(c->std_error));
2326
2327 if (c->tty_path)
2328 fprintf(f,
2329 "%sTTYPath: %s\n"
2330 "%sTTYReset: %s\n"
2331 "%sTTYVHangup: %s\n"
2332 "%sTTYVTDisallocate: %s\n",
2333 prefix, c->tty_path,
2334 prefix, yes_no(c->tty_reset),
2335 prefix, yes_no(c->tty_vhangup),
2336 prefix, yes_no(c->tty_vt_disallocate));
2337
2338 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
2339 c->std_output == EXEC_OUTPUT_KMSG ||
2340 c->std_output == EXEC_OUTPUT_JOURNAL ||
2341 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2342 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2343 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
2344 c->std_error == EXEC_OUTPUT_SYSLOG ||
2345 c->std_error == EXEC_OUTPUT_KMSG ||
2346 c->std_error == EXEC_OUTPUT_JOURNAL ||
2347 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2348 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2349 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
2350
2351 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
2352
2353 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
2354 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
2355
2356 fprintf(f,
2357 "%sSyslogFacility: %s\n"
2358 "%sSyslogLevel: %s\n",
2359 prefix, strna(fac_str),
2360 prefix, strna(lvl_str));
2361 }
2362
2363 if (c->capabilities) {
2364 _cleanup_cap_free_charp_ char *t;
2365
2366 t = cap_to_text(c->capabilities, NULL);
2367 if (t)
2368 fprintf(f, "%sCapabilities: %s\n", prefix, t);
2369 }
2370
2371 if (c->secure_bits)
2372 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
2373 prefix,
2374 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
2375 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
2376 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
2377 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
2378 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
2379 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
2380
2381 if (c->capability_bounding_set_drop) {
2382 unsigned long l;
2383 fprintf(f, "%sCapabilityBoundingSet:", prefix);
2384
2385 for (l = 0; l <= cap_last_cap(); l++)
2386 if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l)))
2387 fprintf(f, " %s", strna(capability_to_name(l)));
2388
2389 fputs("\n", f);
2390 }
2391
2392 if (c->user)
2393 fprintf(f, "%sUser: %s\n", prefix, c->user);
2394 if (c->group)
2395 fprintf(f, "%sGroup: %s\n", prefix, c->group);
2396
2397 if (strv_length(c->supplementary_groups) > 0) {
2398 fprintf(f, "%sSupplementaryGroups:", prefix);
2399 strv_fprintf(f, c->supplementary_groups);
2400 fputs("\n", f);
2401 }
2402
2403 if (c->pam_name)
2404 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
2405
2406 if (strv_length(c->read_write_dirs) > 0) {
2407 fprintf(f, "%sReadWriteDirs:", prefix);
2408 strv_fprintf(f, c->read_write_dirs);
2409 fputs("\n", f);
2410 }
2411
2412 if (strv_length(c->read_only_dirs) > 0) {
2413 fprintf(f, "%sReadOnlyDirs:", prefix);
2414 strv_fprintf(f, c->read_only_dirs);
2415 fputs("\n", f);
2416 }
2417
2418 if (strv_length(c->inaccessible_dirs) > 0) {
2419 fprintf(f, "%sInaccessibleDirs:", prefix);
2420 strv_fprintf(f, c->inaccessible_dirs);
2421 fputs("\n", f);
2422 }
2423
2424 if (c->utmp_id)
2425 fprintf(f,
2426 "%sUtmpIdentifier: %s\n",
2427 prefix, c->utmp_id);
2428
2429 if (c->selinux_context)
2430 fprintf(f,
2431 "%sSELinuxContext: %s%s\n",
2432 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
2433
2434 if (c->personality != PERSONALITY_INVALID)
2435 fprintf(f,
2436 "%sPersonality: %s\n",
2437 prefix, strna(personality_to_string(c->personality)));
2438
2439 if (c->syscall_filter) {
2440 #ifdef HAVE_SECCOMP
2441 Iterator j;
2442 void *id;
2443 bool first = true;
2444 #endif
2445
2446 fprintf(f,
2447 "%sSystemCallFilter: ",
2448 prefix);
2449
2450 if (!c->syscall_whitelist)
2451 fputc('~', f);
2452
2453 #ifdef HAVE_SECCOMP
2454 SET_FOREACH(id, c->syscall_filter, j) {
2455 _cleanup_free_ char *name = NULL;
2456
2457 if (first)
2458 first = false;
2459 else
2460 fputc(' ', f);
2461
2462 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
2463 fputs(strna(name), f);
2464 }
2465 #endif
2466
2467 fputc('\n', f);
2468 }
2469
2470 if (c->syscall_archs) {
2471 #ifdef HAVE_SECCOMP
2472 Iterator j;
2473 void *id;
2474 #endif
2475
2476 fprintf(f,
2477 "%sSystemCallArchitectures:",
2478 prefix);
2479
2480 #ifdef HAVE_SECCOMP
2481 SET_FOREACH(id, c->syscall_archs, j)
2482 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
2483 #endif
2484 fputc('\n', f);
2485 }
2486
2487 if (c->syscall_errno != 0)
2488 fprintf(f,
2489 "%sSystemCallErrorNumber: %s\n",
2490 prefix, strna(errno_to_name(c->syscall_errno)));
2491
2492 if (c->apparmor_profile)
2493 fprintf(f,
2494 "%sAppArmorProfile: %s%s\n",
2495 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
2496 }
2497
2498 bool exec_context_maintains_privileges(ExecContext *c) {
2499 assert(c);
2500
2501 /* Returns true if the process forked off would run run under
2502 * an unchanged UID or as root. */
2503
2504 if (!c->user)
2505 return true;
2506
2507 if (streq(c->user, "root") || streq(c->user, "0"))
2508 return true;
2509
2510 return false;
2511 }
2512
2513 void exec_status_start(ExecStatus *s, pid_t pid) {
2514 assert(s);
2515
2516 zero(*s);
2517 s->pid = pid;
2518 dual_timestamp_get(&s->start_timestamp);
2519 }
2520
2521 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
2522 assert(s);
2523
2524 if (s->pid && s->pid != pid)
2525 zero(*s);
2526
2527 s->pid = pid;
2528 dual_timestamp_get(&s->exit_timestamp);
2529
2530 s->code = code;
2531 s->status = status;
2532
2533 if (context) {
2534 if (context->utmp_id)
2535 utmp_put_dead_process(context->utmp_id, pid, code, status);
2536
2537 exec_context_tty_reset(context);
2538 }
2539 }
2540
2541 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
2542 char buf[FORMAT_TIMESTAMP_MAX];
2543
2544 assert(s);
2545 assert(f);
2546
2547 if (s->pid <= 0)
2548 return;
2549
2550 prefix = strempty(prefix);
2551
2552 fprintf(f,
2553 "%sPID: "PID_FMT"\n",
2554 prefix, s->pid);
2555
2556 if (s->start_timestamp.realtime > 0)
2557 fprintf(f,
2558 "%sStart Timestamp: %s\n",
2559 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
2560
2561 if (s->exit_timestamp.realtime > 0)
2562 fprintf(f,
2563 "%sExit Timestamp: %s\n"
2564 "%sExit Code: %s\n"
2565 "%sExit Status: %i\n",
2566 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
2567 prefix, sigchld_code_to_string(s->code),
2568 prefix, s->status);
2569 }
2570
2571 char *exec_command_line(char **argv) {
2572 size_t k;
2573 char *n, *p, **a;
2574 bool first = true;
2575
2576 assert(argv);
2577
2578 k = 1;
2579 STRV_FOREACH(a, argv)
2580 k += strlen(*a)+3;
2581
2582 if (!(n = new(char, k)))
2583 return NULL;
2584
2585 p = n;
2586 STRV_FOREACH(a, argv) {
2587
2588 if (!first)
2589 *(p++) = ' ';
2590 else
2591 first = false;
2592
2593 if (strpbrk(*a, WHITESPACE)) {
2594 *(p++) = '\'';
2595 p = stpcpy(p, *a);
2596 *(p++) = '\'';
2597 } else
2598 p = stpcpy(p, *a);
2599
2600 }
2601
2602 *p = 0;
2603
2604 /* FIXME: this doesn't really handle arguments that have
2605 * spaces and ticks in them */
2606
2607 return n;
2608 }
2609
2610 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
2611 _cleanup_free_ char *cmd = NULL;
2612 const char *prefix2;
2613
2614 assert(c);
2615 assert(f);
2616
2617 prefix = strempty(prefix);
2618 prefix2 = strjoina(prefix, "\t");
2619
2620 cmd = exec_command_line(c->argv);
2621 fprintf(f,
2622 "%sCommand Line: %s\n",
2623 prefix, cmd ? cmd : strerror(ENOMEM));
2624
2625 exec_status_dump(&c->exec_status, f, prefix2);
2626 }
2627
2628 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2629 assert(f);
2630
2631 prefix = strempty(prefix);
2632
2633 LIST_FOREACH(command, c, c)
2634 exec_command_dump(c, f, prefix);
2635 }
2636
2637 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
2638 ExecCommand *end;
2639
2640 assert(l);
2641 assert(e);
2642
2643 if (*l) {
2644 /* It's kind of important, that we keep the order here */
2645 LIST_FIND_TAIL(command, *l, end);
2646 LIST_INSERT_AFTER(command, *l, end, e);
2647 } else
2648 *l = e;
2649 }
2650
2651 int exec_command_set(ExecCommand *c, const char *path, ...) {
2652 va_list ap;
2653 char **l, *p;
2654
2655 assert(c);
2656 assert(path);
2657
2658 va_start(ap, path);
2659 l = strv_new_ap(path, ap);
2660 va_end(ap);
2661
2662 if (!l)
2663 return -ENOMEM;
2664
2665 p = strdup(path);
2666 if (!p) {
2667 strv_free(l);
2668 return -ENOMEM;
2669 }
2670
2671 free(c->path);
2672 c->path = p;
2673
2674 strv_free(c->argv);
2675 c->argv = l;
2676
2677 return 0;
2678 }
2679
2680 int exec_command_append(ExecCommand *c, const char *path, ...) {
2681 _cleanup_strv_free_ char **l = NULL;
2682 va_list ap;
2683 int r;
2684
2685 assert(c);
2686 assert(path);
2687
2688 va_start(ap, path);
2689 l = strv_new_ap(path, ap);
2690 va_end(ap);
2691
2692 if (!l)
2693 return -ENOMEM;
2694
2695 r = strv_extend_strv(&c->argv, l);
2696 if (r < 0)
2697 return r;
2698
2699 return 0;
2700 }
2701
2702
2703 static int exec_runtime_allocate(ExecRuntime **rt) {
2704
2705 if (*rt)
2706 return 0;
2707
2708 *rt = new0(ExecRuntime, 1);
2709 if (!*rt)
2710 return -ENOMEM;
2711
2712 (*rt)->n_ref = 1;
2713 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
2714
2715 return 0;
2716 }
2717
2718 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
2719 int r;
2720
2721 assert(rt);
2722 assert(c);
2723 assert(id);
2724
2725 if (*rt)
2726 return 1;
2727
2728 if (!c->private_network && !c->private_tmp)
2729 return 0;
2730
2731 r = exec_runtime_allocate(rt);
2732 if (r < 0)
2733 return r;
2734
2735 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
2736 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, (*rt)->netns_storage_socket) < 0)
2737 return -errno;
2738 }
2739
2740 if (c->private_tmp && !(*rt)->tmp_dir) {
2741 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
2742 if (r < 0)
2743 return r;
2744 }
2745
2746 return 1;
2747 }
2748
2749 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
2750 assert(r);
2751 assert(r->n_ref > 0);
2752
2753 r->n_ref++;
2754 return r;
2755 }
2756
2757 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
2758
2759 if (!r)
2760 return NULL;
2761
2762 assert(r->n_ref > 0);
2763
2764 r->n_ref--;
2765 if (r->n_ref > 0)
2766 return NULL;
2767
2768 free(r->tmp_dir);
2769 free(r->var_tmp_dir);
2770 safe_close_pair(r->netns_storage_socket);
2771 free(r);
2772
2773 return NULL;
2774 }
2775
2776 int exec_runtime_serialize(Unit *u, ExecRuntime *rt, FILE *f, FDSet *fds) {
2777 assert(u);
2778 assert(f);
2779 assert(fds);
2780
2781 if (!rt)
2782 return 0;
2783
2784 if (rt->tmp_dir)
2785 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
2786
2787 if (rt->var_tmp_dir)
2788 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
2789
2790 if (rt->netns_storage_socket[0] >= 0) {
2791 int copy;
2792
2793 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
2794 if (copy < 0)
2795 return copy;
2796
2797 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
2798 }
2799
2800 if (rt->netns_storage_socket[1] >= 0) {
2801 int copy;
2802
2803 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
2804 if (copy < 0)
2805 return copy;
2806
2807 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
2808 }
2809
2810 return 0;
2811 }
2812
2813 int exec_runtime_deserialize_item(Unit *u, ExecRuntime **rt, const char *key, const char *value, FDSet *fds) {
2814 int r;
2815
2816 assert(rt);
2817 assert(key);
2818 assert(value);
2819
2820 if (streq(key, "tmp-dir")) {
2821 char *copy;
2822
2823 r = exec_runtime_allocate(rt);
2824 if (r < 0)
2825 return log_oom();
2826
2827 copy = strdup(value);
2828 if (!copy)
2829 return log_oom();
2830
2831 free((*rt)->tmp_dir);
2832 (*rt)->tmp_dir = copy;
2833
2834 } else if (streq(key, "var-tmp-dir")) {
2835 char *copy;
2836
2837 r = exec_runtime_allocate(rt);
2838 if (r < 0)
2839 return log_oom();
2840
2841 copy = strdup(value);
2842 if (!copy)
2843 return log_oom();
2844
2845 free((*rt)->var_tmp_dir);
2846 (*rt)->var_tmp_dir = copy;
2847
2848 } else if (streq(key, "netns-socket-0")) {
2849 int fd;
2850
2851 r = exec_runtime_allocate(rt);
2852 if (r < 0)
2853 return log_oom();
2854
2855 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2856 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
2857 else {
2858 safe_close((*rt)->netns_storage_socket[0]);
2859 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
2860 }
2861 } else if (streq(key, "netns-socket-1")) {
2862 int fd;
2863
2864 r = exec_runtime_allocate(rt);
2865 if (r < 0)
2866 return log_oom();
2867
2868 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2869 log_unit_debug(u, "Failed to parse netns socket value: %s", value);
2870 else {
2871 safe_close((*rt)->netns_storage_socket[1]);
2872 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
2873 }
2874 } else
2875 return 0;
2876
2877 return 1;
2878 }
2879
2880 static void *remove_tmpdir_thread(void *p) {
2881 _cleanup_free_ char *path = p;
2882
2883 (void) rm_rf(path, REMOVE_ROOT|REMOVE_PHYSICAL);
2884 return NULL;
2885 }
2886
2887 void exec_runtime_destroy(ExecRuntime *rt) {
2888 int r;
2889
2890 if (!rt)
2891 return;
2892
2893 /* If there are multiple users of this, let's leave the stuff around */
2894 if (rt->n_ref > 1)
2895 return;
2896
2897 if (rt->tmp_dir) {
2898 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
2899
2900 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
2901 if (r < 0) {
2902 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
2903 free(rt->tmp_dir);
2904 }
2905
2906 rt->tmp_dir = NULL;
2907 }
2908
2909 if (rt->var_tmp_dir) {
2910 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
2911
2912 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
2913 if (r < 0) {
2914 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
2915 free(rt->var_tmp_dir);
2916 }
2917
2918 rt->var_tmp_dir = NULL;
2919 }
2920
2921 safe_close_pair(rt->netns_storage_socket);
2922 }
2923
2924 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
2925 [EXEC_INPUT_NULL] = "null",
2926 [EXEC_INPUT_TTY] = "tty",
2927 [EXEC_INPUT_TTY_FORCE] = "tty-force",
2928 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
2929 [EXEC_INPUT_SOCKET] = "socket"
2930 };
2931
2932 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
2933
2934 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
2935 [EXEC_OUTPUT_INHERIT] = "inherit",
2936 [EXEC_OUTPUT_NULL] = "null",
2937 [EXEC_OUTPUT_TTY] = "tty",
2938 [EXEC_OUTPUT_SYSLOG] = "syslog",
2939 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
2940 [EXEC_OUTPUT_KMSG] = "kmsg",
2941 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
2942 [EXEC_OUTPUT_JOURNAL] = "journal",
2943 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
2944 [EXEC_OUTPUT_SOCKET] = "socket"
2945 };
2946
2947 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
2948
2949 static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
2950 [EXEC_UTMP_INIT] = "init",
2951 [EXEC_UTMP_LOGIN] = "login",
2952 [EXEC_UTMP_USER] = "user",
2953 };
2954
2955 DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
Unnamed repository; edit this file 'description' to name the repository.