case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
r = connect_logger_as(context, params, o, ident, fileno, uid, gid);
if (r < 0) {
- log_exec_warning_errno(context,
- params,
- r,
- "Failed to connect %s to the journal socket, ignoring: %m",
- fileno == STDOUT_FILENO ? "stdout" : "stderr");
+ log_warning_errno(r, "Failed to connect %s to the journal socket, ignoring: %m",
+ fileno == STDOUT_FILENO ? "stdout" : "stderr");
r = open_null_as(O_WRONLY, fileno);
} else {
struct stat st;
_cleanup_free_ char *creds_dir = NULL;
r = exec_context_get_credential_directory(data->context, data->params, data->params->unit_id, &creds_dir);
if (r < 0)
- return log_exec_error_errno(data->context, data->params, r, "Failed to determine credentials directory: %m");
+ return log_error_errno(r, "Failed to determine credentials directory: %m");
if (creds_dir) {
if (setenv("CREDENTIALS_DIRECTORY", creds_dir, /* overwrite= */ true) < 0)
- return log_exec_error_errno(data->context, data->params, r, "Failed to set $CREDENTIALS_DIRECTORY: %m");
+ return log_error_errno(r, "Failed to set $CREDENTIALS_DIRECTORY: %m");
} else
(void) unsetenv("CREDENTIALS_DIRECTORY");
(mi->msg_style == PAM_PROMPT_ECHO_ON ? ASK_PASSWORD_ECHO : 0),
&acquired);
if (r < 0) {
- log_exec_error_errno(data->context, data->params, r, "Failed to query for password: %m");
+ log_error_errno(r, "Failed to query for password: %m");
return PAM_CONV_ERR;
}
}
case PAM_ERROR_MSG:
- log_exec_error(data->context, data->params, "PAM: %s", mi->msg);
+ log_error("PAM: %s", mi->msg);
break;
case PAM_TEXT_INFO:
- log_exec_info(data->context, data->params, "PAM: %s", mi->msg);
+ log_info("PAM: %s", mi->msg);
break;
default:
return !(have_capget || have_capset || have_prctl);
}
-static bool skip_seccomp_unavailable(const ExecContext *c, const ExecParameters *p, const char *msg) {
- assert(c);
- assert(p);
+static bool skip_seccomp_unavailable(const char *msg) {
assert(msg);
if (is_seccomp_available())
return false;
- log_exec_debug(c, p, "SECCOMP features not detected in the kernel, skipping %s", msg);
+ log_debug("SECCOMP features not detected in the kernel, skipping %s", msg);
return true;
}
if (!context_has_syscall_filters(c))
return 0;
- if (skip_seccomp_unavailable(c, p, "SystemCallFilter="))
+ if (skip_seccomp_unavailable("SystemCallFilter="))
return 0;
negative_action = c->syscall_errno == SECCOMP_ERROR_NUMBER_KILL ? scmp_act_kill_process() : SCMP_ACT_ERRNO(c->syscall_errno);
return 0;
#ifdef SCMP_ACT_LOG
- if (skip_seccomp_unavailable(c, p, "SystemCallLog="))
+ if (skip_seccomp_unavailable("SystemCallLog="))
return 0;
if (c->syscall_log_allow_list) {
return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_log, action, false);
#else
/* old libseccomp */
- log_exec_debug(c, p, "SECCOMP feature SCMP_ACT_LOG not available, skipping SystemCallLog=");
+ log_debug( "SECCOMP feature SCMP_ACT_LOG not available, skipping SystemCallLog=");
return 0;
#endif
}
if (set_isempty(c->syscall_archs))
return 0;
- if (skip_seccomp_unavailable(c, p, "SystemCallArchitectures="))
+ if (skip_seccomp_unavailable("SystemCallArchitectures="))
return 0;
return seccomp_restrict_archs(c->syscall_archs);
if (!context_has_address_families(c))
return 0;
- if (skip_seccomp_unavailable(c, p, "RestrictAddressFamilies="))
+ if (skip_seccomp_unavailable("RestrictAddressFamilies="))
return 0;
return seccomp_restrict_address_families(c->address_families, c->address_families_allow_list);
/* use prctl() if kernel supports it (6.3) */
r = prctl(PR_SET_MDWE, PR_MDWE_REFUSE_EXEC_GAIN, 0, 0, 0);
if (r == 0) {
- log_exec_debug(c, p, "Enabled MemoryDenyWriteExecute= with PR_SET_MDWE");
+ log_debug("Enabled MemoryDenyWriteExecute= with PR_SET_MDWE");
return 0;
}
if (r < 0 && errno != EINVAL)
- return log_exec_debug_errno(c,
- p,
- errno,
- "Failed to enable MemoryDenyWriteExecute= with PR_SET_MDWE: %m");
+ return log_debug_errno(errno, "Failed to enable MemoryDenyWriteExecute= with PR_SET_MDWE: %m");
/* else use seccomp */
- log_exec_debug(c, p, "Kernel doesn't support PR_SET_MDWE: falling back to seccomp");
+ log_debug("Kernel doesn't support PR_SET_MDWE: falling back to seccomp");
- if (skip_seccomp_unavailable(c, p, "MemoryDenyWriteExecute="))
+ if (skip_seccomp_unavailable("MemoryDenyWriteExecute="))
return 0;
return seccomp_memory_deny_write_execute();
if (!c->restrict_realtime)
return 0;
- if (skip_seccomp_unavailable(c, p, "RestrictRealtime="))
+ if (skip_seccomp_unavailable("RestrictRealtime="))
return 0;
return seccomp_restrict_realtime();
if (!c->restrict_suid_sgid)
return 0;
- if (skip_seccomp_unavailable(c, p, "RestrictSUIDSGID="))
+ if (skip_seccomp_unavailable("RestrictSUIDSGID="))
return 0;
return seccomp_restrict_suid_sgid();
if (!c->protect_kernel_tunables)
return 0;
- if (skip_seccomp_unavailable(c, p, "ProtectKernelTunables="))
+ if (skip_seccomp_unavailable("ProtectKernelTunables="))
return 0;
return seccomp_protect_sysctl();
if (!c->protect_kernel_modules)
return 0;
- if (skip_seccomp_unavailable(c, p, "ProtectKernelModules="))
+ if (skip_seccomp_unavailable("ProtectKernelModules="))
return 0;
return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_MODULE, SCMP_ACT_ERRNO(EPERM), false);
if (!c->protect_kernel_logs)
return 0;
- if (skip_seccomp_unavailable(c, p, "ProtectKernelLogs="))
+ if (skip_seccomp_unavailable("ProtectKernelLogs="))
return 0;
return seccomp_protect_syslog();
if (!c->protect_clock)
return 0;
- if (skip_seccomp_unavailable(c, p, "ProtectClock="))
+ if (skip_seccomp_unavailable("ProtectClock="))
return 0;
return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_CLOCK, SCMP_ACT_ERRNO(EPERM), false);
if (!c->private_devices)
return 0;
- if (skip_seccomp_unavailable(c, p, "PrivateDevices="))
+ if (skip_seccomp_unavailable("PrivateDevices="))
return 0;
return seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM), false);
if (!exec_context_restrict_namespaces_set(c))
return 0;
- if (skip_seccomp_unavailable(c, p, "RestrictNamespaces="))
+ if (skip_seccomp_unavailable("RestrictNamespaces="))
return 0;
return seccomp_restrict_namespaces(c->restrict_namespaces);
if (!c->lock_personality)
return 0;
- if (skip_seccomp_unavailable(c, p, "LockPersonality="))
+ if (skip_seccomp_unavailable("LockPersonality="))
return 0;
personality = c->personality;
if (p->bpf_restrict_fs_map_fd < 0) {
/* LSM BPF is unsupported or lsm_bpf_setup failed */
- log_exec_debug(c, p, "LSM BPF not supported, skipping RestrictFileSystems=");
+ log_debug("LSM BPF not supported, skipping RestrictFileSystems=");
return 0;
}
if (unshare(CLONE_NEWUTS) < 0) {
if (!ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno)) {
*ret_exit_status = EXIT_NAMESPACE;
- return log_exec_error_errno(c, p, errno, "Failed to set up UTS namespacing: %m");
+ return log_error_errno(errno, "Failed to set up UTS namespacing: %m");
}
- log_exec_warning(c, p,
- "ProtectHostname=%s is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.",
- protect_hostname_to_string(c->protect_hostname));
+ log_warning("ProtectHostname=%s is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.",
+ protect_hostname_to_string(c->protect_hostname));
} else if (c->private_hostname) {
r = sethostname_idempotent(c->private_hostname);
if (r < 0) {
*ret_exit_status = EXIT_NAMESPACE;
- return log_exec_error_errno(c, p, r, "Failed to set private hostname '%s': %m", c->private_hostname);
+ return log_error_errno(r, "Failed to set private hostname '%s': %m", c->private_hostname);
}
}
} else
- log_exec_warning(c, p,
- "ProtectHostname=%s is configured, but the kernel does not support UTS namespaces, ignoring namespace setup.",
- protect_hostname_to_string(c->protect_hostname));
+ log_warning("ProtectHostname=%s is configured, but the kernel does not support UTS namespaces, ignoring namespace setup.",
+ protect_hostname_to_string(c->protect_hostname));
#if HAVE_SECCOMP
if (c->protect_hostname == PROTECT_HOSTNAME_YES) {
- if (skip_seccomp_unavailable(c, p, "ProtectHostname="))
+ if (skip_seccomp_unavailable("ProtectHostname="))
return 0;
r = seccomp_protect_hostname();
if (r < 0) {
*ret_exit_status = EXIT_SECCOMP;
- return log_exec_error_errno(c, p, r, "Failed to apply hostname restrictions: %m");
+ return log_error_errno(r, "Failed to apply hostname restrictions: %m");
}
}
#endif
r = get_fixed_user("root", /* prefer_nss = */ false, &username, NULL, NULL, &home, &shell);
if (r < 0)
- return log_exec_debug_errno(c,
- p,
- r,
- "Failed to determine user credentials for root: %m");
+ return log_debug_errno(r, "Failed to determine user credentials for root: %m");
}
bool set_user_login_env = exec_context_get_set_login_environment(c);
r = proc_cmdline_get_key(key, 0, &cmdline);
if (r < 0)
- log_exec_debug_errno(c,
- p,
- r,
- "Failed to read %s from kernel cmdline, ignoring: %m",
- key);
+ log_debug_errno(r, "Failed to read %s from kernel cmdline, ignoring: %m", key);
else if (r > 0)
term = cmdline;
}
return 1;
}
-static int can_mount_proc(const ExecContext *c, const ExecParameters *p) {
+static int can_mount_proc(void) {
_cleanup_close_pair_ int errno_pipe[2] = EBADF_PAIR;
_cleanup_(sigkill_waitp) pid_t pid = 0;
ssize_t n;
int r;
- assert(c);
- assert(p);
-
/* If running via unprivileged user manager and /proc/ is masked (e.g. /proc/kmsg is over-mounted with tmpfs
* like systemd-nspawn does), then mounting /proc/ will fail with EPERM. This is due to a kernel restriction
* where unprivileged user namespaces cannot mount a less restrictive instance of /proc. */
/* Create a communication channel so that the child can tell the parent a proper error code in case it
* failed. */
if (pipe2(errno_pipe, O_CLOEXEC) < 0)
- return log_exec_debug_errno(c, p, errno, "Failed to create pipe for communicating with child process (sd-proc-check): %m");
+ return log_debug_errno(errno, "Failed to create pipe for communicating with child process (sd-proc-check): %m");
/* Fork a child process into its own mount and PID namespace. Note safe_fork() already remounts / as SLAVE
* with FORK_MOUNTNS_SLAVE. */
r = safe_fork("(sd-proc-check)",
FORK_RESET_SIGNALS|FORK_DEATHSIG_SIGKILL|FORK_NEW_MOUNTNS|FORK_MOUNTNS_SLAVE|FORK_NEW_PIDNS, &pid);
if (r < 0)
- return log_exec_debug_errno(c, p, r, "Failed to fork child process (sd-proc-check): %m");
+ return log_debug_errno(r, "Failed to fork child process (sd-proc-check): %m");
if (r == 0) {
errno_pipe[0] = safe_close(errno_pipe[0]);
/* Try to read an error code from the child */
n = read(errno_pipe[0], &r, sizeof(r));
if (n < 0)
- return log_exec_debug_errno(c, p, errno, "Failed to read errno from pipe with child process (sd-proc-check): %m");
+ return log_debug_errno(errno, "Failed to read errno from pipe with child process (sd-proc-check): %m");
if (n == sizeof(r)) { /* an error code was sent to us */
/* This is the expected case where proc cannot be mounted due to permissions. */
if (ERRNO_IS_NEG_PRIVILEGE(r))
r = wait_for_terminate_and_check("(sd-proc-check)", TAKE_PID(pid), 0 /* flags= */);
if (r < 0)
- return log_exec_debug_errno(c, p, r, "Failed to wait for (sd-proc-check) child process to terminate: %m");
+ return log_debug_errno(r, "Failed to wait for (sd-proc-check) child process to terminate: %m");
if (r != EXIT_SUCCESS) /* If something strange happened with the child, let's consider this fatal, too */
- return log_exec_debug_errno(c, p, SYNTHETIC_ERRNO(EIO), "Child process (sd-proc-check) exited with unexpected exit status '%d'.", r);
+ return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Child process (sd-proc-check) exited with unexpected exit status '%d'.", r);
return 1;
}
/* Create a communication channel so that the parent can tell the child a proper error code in case it
* failed to send child pidref to the manager. */
if (pipe2(errno_pipe, O_CLOEXEC) < 0)
- return log_exec_debug_errno(c, p, errno, "Failed to create pipe for communicating with parent process: %m");
+ return log_debug_errno(errno, "Failed to create pipe for communicating with parent process: %m");
/* Set FORK_DETACH to immediately re-parent the child process to the invoking manager process. */
r = pidref_safe_fork("(sd-pidns-child)", FORK_NEW_PIDNS|FORK_DETACH, &pidref);
if (r < 0)
- return log_exec_debug_errno(c, p, r, "Failed to fork child into new pid namespace: %m");
+ return log_debug_errno(r, "Failed to fork child into new pid namespace: %m");
if (r > 0) {
errno_pipe[0] = safe_close(errno_pipe[0]);
* receive an errno even on success. */
n = read(errno_pipe[0], &r, sizeof(r));
if (n < 0)
- return log_exec_debug_errno(c, p, errno, "Failed to read errno from pipe with parent process: %m");
+ return log_debug_errno(errno, "Failed to read errno from pipe with parent process: %m");
if (n != sizeof(r))
- return log_exec_debug_errno(c, p, SYNTHETIC_ERRNO(EIO), "Failed to read enough bytes from pipe with parent process");
+ return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to read enough bytes from pipe with parent process");
if (r < 0)
- return log_exec_debug_errno(c, p, r, "Failed to send child pidref to manager: %m");
+ return log_debug_errno(r, "Failed to send child pidref to manager: %m");
/* NOTE! This function returns in the child process only. */
return r;
if (r < 0)
goto fail;
- log_exec_notice(context, params, "Unit state directory %s missing but matching configuration directory %s exists, assuming update from systemd 253 or older, creating compatibility symlink.", p, q);
+ log_notice("Unit state directory %s missing but matching configuration directory %s exists, assuming update from systemd 253 or older, creating compatibility symlink.", p, q);
continue;
} else if (r != -ENOENT)
- log_exec_warning_errno(context, params, r, "Unable to detect whether unit configuration directory '%s' exists, assuming not: %m", q);
+ log_warning_errno(r, "Unable to detect whether unit configuration directory '%s' exists, assuming not: %m", q);
} else if (r < 0)
- log_exec_warning_errno(context, params, r, "Unable to detect whether unit state directory '%s' is missing, assuming it is: %m", p);
+ log_warning_errno(r, "Unable to detect whether unit state directory '%s' is missing, assuming it is: %m", p);
}
if (exec_directory_is_private(context, type)) {
* it over. Most likely the service has been upgraded from one that didn't use
* DynamicUser=1, to one that does. */
- log_exec_info(context,
- params,
- "Found pre-existing public %s= directory %s, migrating to %s.\n"
- "Apparently, service previously had DynamicUser= turned off, and has now turned it on.",
- exec_directory_type_to_string(type), p, pp);
+ log_info("Found pre-existing public %s= directory %s, migrating to %s.\n"
+ "Apparently, service previously had DynamicUser= turned off, and has now turned it on.",
+ exec_directory_type_to_string(type), p, pp);
r = RET_NERRNO(rename(p, pp));
if (r < 0)
/* Hmm, apparently DynamicUser= was once turned on for this service,
* but is no longer. Let's move the directory back up. */
- log_exec_info(context,
- params,
- "Found pre-existing private %s= directory %s, migrating to %s.\n"
- "Apparently, service previously had DynamicUser= turned on, and has now turned it off.",
- exec_directory_type_to_string(type), q, p);
+ log_info("Found pre-existing private %s= directory %s, migrating to %s.\n"
+ "Apparently, service previously had DynamicUser= turned on, and has now turned it off.",
+ exec_directory_type_to_string(type), q, p);
r = RET_NERRNO(unlink(p));
if (r < 0)
/* Still complain if the access mode doesn't match */
if (((st.st_mode ^ context->directories[type].mode) & 07777) != 0)
- log_exec_warning(context,
- params,
- "%s \'%s\' already exists but the mode is different. "
- "(File system: %o %sMode: %o)",
- exec_directory_type_to_string(type), i->path,
- st.st_mode & 07777, exec_directory_type_to_string(type), context->directories[type].mode & 07777);
+ log_warning("%s \'%s\' already exists but the mode is different. "
+ "(File system: %o %sMode: %o)",
+ exec_directory_type_to_string(type), i->path,
+ st.st_mode & 07777, exec_directory_type_to_string(type), context->directories[type].mode & 07777);
continue;
}
if (!result.path) {
*reterr_path = strdup(context->root_image);
- return log_exec_debug_errno(context, params, SYNTHETIC_ERRNO(ENOENT), "No matching entry in .v/ directory %s found.", context->root_image);
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOENT), "No matching entry in .v/ directory %s found.", context->root_image);
}
*ret_root_image = TAKE_PTR(result.path);
if (!result.path) {
*reterr_path = strdup(context->root_directory);
- return log_exec_debug_errno(context, params, SYNTHETIC_ERRNO(ENOENT), "No matching entry in .v/ directory %s found.", context->root_directory);
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOENT), "No matching entry in .v/ directory %s found.", context->root_directory);
}
*ret_root_image = NULL;
return r;
if (context->mount_propagation_flag == MS_SHARED)
- log_exec_debug(context,
- params,
- "shared mount propagation hidden by other fs namespacing unit settings: ignoring");
+ log_debug("shared mount propagation hidden by other fs namespacing unit settings: ignoring");
r = exec_context_get_credential_directory(context, params, params->unit_id, &creds_path);
if (r < 0)
root_dir, root_image,
bind_mounts,
n_bind_mounts))
- return log_exec_debug_errno(context,
- params,
- SYNTHETIC_ERRNO(EOPNOTSUPP),
- "Failed to set up namespace, and refusing to continue since "
- "the selected namespacing options alter mount environment non-trivially.\n"
- "Bind mounts: %zu, temporary filesystems: %zu, root directory: %s, root image: %s, dynamic user: %s",
- n_bind_mounts,
- context->n_temporary_filesystems,
- yes_no(root_dir),
- yes_no(root_image),
- yes_no(context->dynamic_user));
-
- log_exec_debug(context, params, "Failed to set up namespace, assuming containerized execution and ignoring.");
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
+ "Failed to set up namespace, and refusing to continue since "
+ "the selected namespacing options alter mount environment non-trivially.\n"
+ "Bind mounts: %zu, temporary filesystems: %zu, root directory: %s, root image: %s, dynamic user: %s",
+ n_bind_mounts,
+ context->n_temporary_filesystems,
+ yes_no(root_dir),
+ yes_no(root_image),
+ yes_no(context->dynamic_user));
+
+ log_debug("Failed to set up namespace, assuming containerized execution and ignoring.");
return 0;
}
if (gid_is_valid(gid) && gid != saved_gid) {
if (setregid(gid, -1) < 0)
- return log_exec_error_errno(context,
- p,
- errno,
- "Failed to change GID for user keyring: %m");
+ return log_error_errno(errno, "Failed to change GID for user keyring: %m");
}
if (uid_is_valid(uid) && uid != saved_uid) {
if (setreuid(uid, -1) < 0) {
- r = log_exec_error_errno(context,
- p,
- errno,
- "Failed to change UID for user keyring: %m");
+ r = log_error_errno(errno, "Failed to change UID for user keyring: %m");
goto out;
}
}
keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0);
if (keyring == -1) {
if (errno == ENOSYS)
- log_exec_debug_errno(context,
- p,
- errno,
- "Kernel keyring not supported, ignoring.");
+ log_debug_errno(errno, "Kernel keyring not supported, ignoring.");
else if (ERRNO_IS_PRIVILEGE(errno))
- log_exec_debug_errno(context,
- p,
- errno,
- "Kernel keyring access prohibited, ignoring.");
+ log_debug_errno(errno, "Kernel keyring access prohibited, ignoring.");
else if (errno == EDQUOT)
- log_exec_debug_errno(context,
- p,
- errno,
- "Out of kernel keyrings to allocate, ignoring.");
+ log_debug_errno(errno, "Out of kernel keyrings to allocate, ignoring.");
else
- r = log_exec_error_errno(context,
- p,
- errno,
- "Setting up kernel keyring failed: %m");
+ r = log_error_errno(errno, "Setting up kernel keyring failed: %m");
goto out;
}
if (keyctl(KEYCTL_LINK,
KEY_SPEC_USER_KEYRING,
KEY_SPEC_SESSION_KEYRING, 0, 0) < 0) {
- r = log_exec_error_errno(context,
- p,
- errno,
- "Failed to link user keyring into session keyring: %m");
+ r = log_error_errno(errno, "Failed to link user keyring into session keyring: %m");
goto out;
}
}
/* Restore uid/gid back */
if (uid_is_valid(uid) && uid != saved_uid) {
if (setreuid(saved_uid, -1) < 0) {
- r = log_exec_error_errno(context,
- p,
- errno,
- "Failed to change UID back for user keyring: %m");
+ r = log_error_errno(errno, "Failed to change UID back for user keyring: %m");
goto out;
}
}
if (gid_is_valid(gid) && gid != saved_gid) {
if (setregid(saved_gid, -1) < 0)
- return log_exec_error_errno(context,
- p,
- errno,
- "Failed to change GID back for user keyring: %m");
+ return log_error_errno(errno, "Failed to change GID back for user keyring: %m");
}
/* Populate they keyring with the invocation ID by default, as original saved_uid. */
sizeof(p->invocation_id),
KEY_SPEC_SESSION_KEYRING);
if (key == -1)
- log_exec_debug_errno(context,
- p,
- errno,
- "Failed to add invocation ID to keyring, ignoring: %m");
+ log_debug_errno(errno, "Failed to add invocation ID to keyring, ignoring: %m");
else {
if (keyctl(KEYCTL_SETPERM, key,
KEY_POS_VIEW|KEY_POS_READ|KEY_POS_SEARCH|
KEY_USR_VIEW|KEY_USR_READ|KEY_USR_SEARCH, 0, 0) < 0)
- r = log_exec_error_errno(context,
- p,
- errno,
- "Failed to restrict invocation ID permission: %m");
+ r = log_error_errno(errno, "Failed to restrict invocation ID permission: %m");
}
}
return 1;
}
-static int connect_unix_harder(const ExecContext *c, const ExecParameters *p, const OpenFile *of, int ofd) {
+static int connect_unix_harder(const OpenFile *of, int ofd) {
static const int socket_types[] = { SOCK_DGRAM, SOCK_STREAM, SOCK_SEQPACKET };
union sockaddr_union addr = {
socklen_t sa_len;
int r;
- assert(c);
- assert(p);
assert(of);
assert(ofd >= 0);
r = sockaddr_un_set_path(&addr.un, FORMAT_PROC_FD_PATH(ofd));
if (r < 0)
- return log_exec_debug_errno(c, p, r, "Failed to set sockaddr for '%s': %m", of->path);
+ return log_debug_errno(r, "Failed to set sockaddr for '%s': %m", of->path);
sa_len = r;
FOREACH_ELEMENT(i, socket_types) {
fd = socket(AF_UNIX, *i|SOCK_CLOEXEC, 0);
if (fd < 0)
- return log_exec_debug_errno(c, p,
- errno, "Failed to create socket for '%s': %m",
- of->path);
+ return log_debug_errno(errno, "Failed to create socket for '%s': %m", of->path);
r = RET_NERRNO(connect(fd, &addr.sa, sa_len));
if (r >= 0)
return TAKE_FD(fd);
if (r != -EPROTOTYPE)
- return log_exec_debug_errno(c, p,
- r, "Failed to connect to socket for '%s': %m",
- of->path);
+ return log_debug_errno(r, "Failed to connect to socket for '%s': %m", of->path);
}
- return log_exec_debug_errno(c, p,
- SYNTHETIC_ERRNO(EPROTOTYPE), "No suitable socket type to connect to socket '%s'.",
- of->path);
+ return log_debug_errno(SYNTHETIC_ERRNO(EPROTOTYPE), "No suitable socket type to connect to socket '%s'.", of->path);
}
-static int get_open_file_fd(const ExecContext *c, const ExecParameters *p, const OpenFile *of) {
+static int get_open_file_fd(const OpenFile *of) {
_cleanup_close_ int fd = -EBADF, ofd = -EBADF;
struct stat st;
- assert(c);
- assert(p);
assert(of);
ofd = open(of->path, O_PATH | O_CLOEXEC);
if (ofd < 0)
- return log_exec_debug_errno(c, p, errno, "Failed to open '%s' as O_PATH: %m", of->path);
+ return log_debug_errno(errno, "Failed to open '%s' as O_PATH: %m", of->path);
if (fstat(ofd, &st) < 0)
- return log_exec_debug_errno(c, p, errno, "Failed to stat '%s': %m", of->path);
+ return log_debug_errno( errno, "Failed to stat '%s': %m", of->path);
if (S_ISSOCK(st.st_mode)) {
- fd = connect_unix_harder(c, p, of, ofd);
+ fd = connect_unix_harder(of, ofd);
if (fd < 0)
return fd;
if (FLAGS_SET(of->flags, OPENFILE_READ_ONLY) && shutdown(fd, SHUT_WR) < 0)
- return log_exec_debug_errno(c, p,
- errno, "Failed to shutdown send for socket '%s': %m",
- of->path);
+ return log_debug_errno(errno, "Failed to shutdown send for socket '%s': %m", of->path);
- log_exec_debug(c, p, "Opened socket '%s' as fd %d.", of->path, fd);
+ log_debug("Opened socket '%s' as fd %d.", of->path, fd);
} else {
int flags = FLAGS_SET(of->flags, OPENFILE_READ_ONLY) ? O_RDONLY : O_RDWR;
if (FLAGS_SET(of->flags, OPENFILE_APPEND))
fd = fd_reopen(ofd, flags|O_NOCTTY|O_CLOEXEC);
if (fd < 0)
- return log_exec_debug_errno(c, p, fd, "Failed to reopen file '%s': %m", of->path);
+ return log_debug_errno(fd, "Failed to reopen file '%s': %m", of->path);
- log_exec_debug(c, p, "Opened file '%s' as fd %d.", of->path, fd);
+ log_debug("Opened file '%s' as fd %d.", of->path, fd);
}
return TAKE_FD(fd);
}
-static int collect_open_file_fds(const ExecContext *c, ExecParameters *p, size_t *n_fds) {
- assert(c);
+static int collect_open_file_fds(ExecParameters *p, size_t *n_fds) {
assert(p);
assert(n_fds);
LIST_FOREACH(open_files, of, p->open_files) {
_cleanup_close_ int fd = -EBADF;
- fd = get_open_file_fd(c, p, of);
+ fd = get_open_file_fd(of);
if (fd < 0) {
if (FLAGS_SET(of->flags, OPENFILE_GRACEFUL)) {
- log_exec_full_errno(c, p,
- fd == -ENOENT || ERRNO_IS_NEG_PRIVILEGE(fd) ? LOG_DEBUG : LOG_WARNING,
- fd,
- "Failed to get OpenFile= file descriptor for '%s', ignoring: %m",
- of->path);
+ log_full_errno(fd == -ENOENT || ERRNO_IS_NEG_PRIVILEGE(fd) ? LOG_DEBUG : LOG_WARNING,
+ fd,
+ "Failed to get OpenFile= file descriptor for '%s', ignoring: %m",
+ of->path);
continue;
}
- return log_exec_error_errno(c, p, fd,
- "Failed to get OpenFile= file descriptor for '%s': %m",
- of->path);
+ return log_error_errno(fd, "Failed to get OpenFile= file descriptor for '%s': %m", of->path);
}
if (!GREEDY_REALLOC(p->fds, *n_fds + 1))
_cleanup_free_ char *cmdline = quote_command_line(argv, SHELL_ESCAPE_EMPTY);
- log_exec_struct(context, params, LOG_DEBUG,
- LOG_ITEM("EXECUTABLE=%s", executable),
- LOG_EXEC_MESSAGE(params, "%s: %s", msg, strnull(cmdline)),
- LOG_EXEC_INVOCATION_ID(params));
+ log_struct(LOG_DEBUG,
+ LOG_ITEM("EXECUTABLE=%s", executable),
+ LOG_EXEC_MESSAGE(params, "%s: %s", msg, strnull(cmdline)),
+ LOG_EXEC_INVOCATION_ID(params));
}
static bool exec_context_needs_cap_sys_admin(const ExecContext *context) {
if (namespace_type_supported(NAMESPACE_NET) && have_effective_cap(CAP_NET_ADMIN) > 0) {
r = setup_shareable_ns(runtime->shared->netns_storage_socket, CLONE_NEWNET);
if (ERRNO_IS_NEG_PRIVILEGE(r))
- log_exec_notice_errno(context, params, r,
- "PrivateNetwork=yes is configured, but network namespace setup not permitted, proceeding without: %m");
+ log_notice_errno(r, "PrivateNetwork=yes is configured, but network namespace setup not permitted, proceeding without: %m");
else if (r < 0) {
*reterr_exit_status = EXIT_NETWORK;
- return log_exec_error_errno(context, params, r, "Failed to set up network namespacing: %m");
+ return log_error_errno(r, "Failed to set up network namespacing: %m");
} else
- log_exec_debug(context, params, "Set up %snetwork namespace", delegate ? "delegated " : "");
+ log_debug("Set up %snetwork namespace", delegate ? "delegated " : "");
} else if (context->network_namespace_path) {
*reterr_exit_status = EXIT_NETWORK;
- return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(EOPNOTSUPP),
- "NetworkNamespacePath= is not supported, refusing.");
+ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "NetworkNamespacePath= is not supported, refusing.");
} else
- log_exec_notice(context, params, "PrivateNetwork=yes is configured, but the kernel does not support or we lack privileges for network namespace, proceeding without.");
+ log_notice("PrivateNetwork=yes is configured, but the kernel does not support or we lack privileges for network namespace, proceeding without.");
}
if (exec_needs_ipc_namespace(context) &&
if (namespace_type_supported(NAMESPACE_IPC)) {
r = setup_shareable_ns(runtime->shared->ipcns_storage_socket, CLONE_NEWIPC);
if (ERRNO_IS_NEG_PRIVILEGE(r))
- log_exec_warning_errno(context, params, r,
- "PrivateIPC=yes is configured, but IPC namespace setup failed, ignoring: %m");
+ log_warning_errno(r, "PrivateIPC=yes is configured, but IPC namespace setup failed, ignoring: %m");
else if (r < 0) {
*reterr_exit_status = EXIT_NAMESPACE;
- return log_exec_error_errno(context, params, r, "Failed to set up IPC namespacing: %m");
+ return log_error_errno(r, "Failed to set up IPC namespacing: %m");
} else
- log_exec_debug(context, params, "Set up %sIPC namespace", delegate ? "delegated " : "");
+ log_debug("Set up %sIPC namespace", delegate ? "delegated " : "");
} else if (context->ipc_namespace_path) {
*reterr_exit_status = EXIT_NAMESPACE;
- return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(EOPNOTSUPP),
- "IPCNamespacePath= is not supported, refusing.");
+ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "IPCNamespacePath= is not supported, refusing.");
} else
- log_exec_warning(context, params, "PrivateIPC=yes is configured, but the kernel does not support IPC namespaces, ignoring.");
+ log_warning("PrivateIPC=yes is configured, but the kernel does not support IPC namespaces, ignoring.");
}
if (needs_sandboxing && exec_needs_cgroup_namespace(context) &&
exec_namespace_is_delegated(context, params, have_cap_sys_admin, CLONE_NEWCGROUP) == delegate) {
if (unshare(CLONE_NEWCGROUP) < 0) {
*reterr_exit_status = EXIT_NAMESPACE;
- return log_exec_error_errno(context, params, errno, "Failed to set up cgroup namespacing: %m");
+ return log_error_errno(errno, "Failed to set up cgroup namespacing: %m");
}
- log_exec_debug(context, params, "Set up %scgroup namespace", delegate ? "delegated " : "");
+ log_debug("Set up %scgroup namespace", delegate ? "delegated " : "");
}
/* Unshare a new PID namespace before setting up mounts to ensure /proc/ is mounted with only processes in PID namespace visible.
exec_namespace_is_delegated(context, params, have_cap_sys_admin, CLONE_NEWPID) == delegate) {
if (params->pidref_transport_fd < 0) {
*reterr_exit_status = EXIT_NAMESPACE;
- return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(ENOTCONN), "PidRef socket is not set up: %m");
+ return log_error_errno(SYNTHETIC_ERRNO(ENOTCONN), "PidRef socket is not set up: %m");
}
/* If we had CAP_SYS_ADMIN prior to joining the user namespace, then we are privileged and don't need
* system without CAP_SYS_ADMIN, then we can have CAP_SYS_ADMIN in the current user namespace but not
* once we unshare a mount namespace. */
if (!have_cap_sys_admin || delegate) {
- r = can_mount_proc(context, params);
+ r = can_mount_proc();
if (r < 0) {
*reterr_exit_status = EXIT_NAMESPACE;
- return log_exec_error_errno(context, params, r, "Failed to detect if /proc/ can be remounted: %m");
+ return log_error_errno(r, "Failed to detect if /proc/ can be remounted: %m");
}
if (r == 0) {
*reterr_exit_status = EXIT_NAMESPACE;
- return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(EPERM),
- "PrivatePIDs=yes is configured, but /proc/ cannot be re-mounted due to lack of privileges, refusing.");
+ return log_error_errno(SYNTHETIC_ERRNO(EPERM),
+ "PrivatePIDs=yes is configured, but /proc/ cannot be re-mounted due to lack of privileges, refusing.");
}
}
r = setup_private_pids(context, params);
if (r < 0) {
*reterr_exit_status = EXIT_NAMESPACE;
- return log_exec_error_errno(context, params, r, "Failed to set up pid namespace: %m");
+ return log_error_errno(r, "Failed to set up pid namespace: %m");
}
- log_exec_debug(context, params, "Set up %spid namespace", delegate ? "delegated " : "");
+ log_debug("Set up %spid namespace", delegate ? "delegated " : "");
}
/* If PrivatePIDs= yes is configured, we're now running as pid 1 in a pid namespace! */
gid);
if (r < 0) {
*reterr_exit_status = EXIT_NAMESPACE;
- return log_exec_error_errno(context, params, r, "Failed to set up mount namespacing%s%s: %m",
- error_path ? ": " : "", strempty(error_path));
+ return log_error_errno(r, "Failed to set up mount namespacing%s%s: %m",
+ error_path ? ": " : "", strempty(error_path));
}
- log_exec_debug(context, params, "Set up %smount namespace", delegate ? "delegated " : "");
+ log_debug("Set up %smount namespace", delegate ? "delegated " : "");
}
if (needs_sandboxing &&
if (r < 0)
return r;
if (r > 0)
- log_exec_debug(context, params, "Set up %sUTS namespace", delegate ? "delegated " : "");
+ log_debug("Set up %sUTS namespace", delegate ? "delegated " : "");
}
return 0;
if (write(p->exec_fd, &x, sizeof(x)) < 0) {
if (reterr_exit_status)
*reterr_exit_status = EXIT_EXEC;
- return log_exec_error_errno(c, p, errno, "Failed to mark exec_fd as %s: %m", hot ? "hot" : "cold");
+ return log_error_errno(errno, "Failed to mark exec_fd as %s: %m", hot ? "hot" : "cold");
}
return 1;
if (write(p->handoff_timestamp_fd, (const usec_t[2]) { dt.realtime, dt.monotonic }, sizeof(usec_t) * 2) < 0) {
if (reterr_exit_status)
*reterr_exit_status = EXIT_EXEC;
- return log_exec_error_errno(c, p, errno, "Failed to send handoff timestamp: %m");
+ return log_error_errno(errno, "Failed to send handoff timestamp: %m");
}
return 1;
* exec_context_apply_tty_size() below might interfere */
lock_fd = lock_dev_console();
if (lock_fd < 0)
- log_exec_debug_errno(context, p, lock_fd, "Failed to lock /dev/console, ignoring: %m");
+ log_debug_errno(lock_fd, "Failed to lock /dev/console, ignoring: %m");
/* We explicitly control whether to send ansi sequences or not here, since we want to consult
* the env vars explicitly configured in the ExecContext, rather than our own environment
assert(cgroup_context);
assert(exit_status);
- /* This should be mostly redundant, as the log level is also passed as an argument of the executor,
- * and is already applied earlier. Just for safety. */
- if (params->debug_invocation)
- log_set_max_level(LOG_PRI(LOG_DEBUG));
- else if (context->log_level_max >= 0)
- log_set_max_level(context->log_level_max);
+ LOG_CONTEXT_PUSH_EXEC(context, params);
/* Explicitly test for CVE-2021-4034 inspired invocations */
if (!command->path || strv_isempty(command->argv)) {
*exit_status = EXIT_EXEC;
- return log_exec_error_errno(
- context,
- params,
- SYNTHETIC_ERRNO(EINVAL),
- "Invalid command line arguments.");
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid command line arguments.");
}
- LOG_CONTEXT_PUSH_EXEC(context, params);
-
if (context->std_input == EXEC_INPUT_SOCKET ||
context->std_output == EXEC_OUTPUT_SOCKET ||
context->std_error == EXEC_OUTPUT_SOCKET) {
if (params->n_socket_fds > 1)
- return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(EINVAL), "Got more than one socket.");
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Got more than one socket.");
if (params->n_socket_fds == 0)
- return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(EINVAL), "Got no socket.");
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Got no socket.");
socket_fd = params->fds[0];
n_storage_fds = n_socket_fds = n_extra_fds = 0;
r = exec_context_named_iofds(context, params, named_iofds);
if (r < 0)
- return log_exec_error_errno(context, params, r, "Failed to load a named file descriptor: %m");
+ return log_error_errno(r, "Failed to load a named file descriptor: %m");
rename_process_from_path(command->path);
r = reset_signal_mask();
if (r < 0) {
*exit_status = EXIT_SIGNAL_MASK;
- return log_exec_error_errno(context, params, r, "Failed to set process signal mask: %m");
+ return log_error_errno(r, "Failed to set process signal mask: %m");
}
if (params->idle_pipe)
/* In case anything used libc syslog(), close this here, too */
closelog();
- r = collect_open_file_fds(context, params, &n_fds);
+ r = collect_open_file_fds(params, &n_fds);
if (r < 0) {
*exit_status = EXIT_FDS;
- return log_exec_error_errno(context, params, r, "Failed to get OpenFile= file descriptors: %m");
+ return log_error_errno(r, "Failed to get OpenFile= file descriptors: %m");
}
int keep_fds[n_fds + 4];
r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, ¶ms->exec_fd);
if (r < 0) {
*exit_status = EXIT_FDS;
- return log_exec_error_errno(context, params, r, "Failed to collect shifted fd: %m");
+ return log_error_errno(r, "Failed to collect shifted fd: %m");
}
r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, ¶ms->handoff_timestamp_fd);
if (r < 0) {
*exit_status = EXIT_FDS;
- return log_exec_error_errno(context, params, r, "Failed to collect shifted fd: %m");
+ return log_error_errno(r, "Failed to collect shifted fd: %m");
}
#if HAVE_LIBBPF
r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, ¶ms->bpf_restrict_fs_map_fd);
if (r < 0) {
*exit_status = EXIT_FDS;
- return log_exec_error_errno(context, params, r, "Failed to collect shifted fd: %m");
+ return log_error_errno(r, "Failed to collect shifted fd: %m");
}
#endif
r = close_remaining_fds(params, runtime, socket_fd, keep_fds, n_keep_fds);
if (r < 0) {
*exit_status = EXIT_FDS;
- return log_exec_error_errno(context, params, r, "Failed to close unwanted file descriptors: %m");
+ return log_error_errno(r, "Failed to close unwanted file descriptors: %m");
}
if (!context->same_pgrp &&
setsid() < 0) {
*exit_status = EXIT_SETSID;
- return log_exec_error_errno(context, params, errno, "Failed to create new process session: %m");
+ return log_error_errno(errno, "Failed to create new process session: %m");
}
/* Now, reset the TTY associated to this service "destructively" (i.e. possibly even hang up or
}
*exit_status = EXIT_CONFIRM;
- return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(ECANCELED),
- "Execution cancelled by the user.");
+ return log_error_errno(SYNTHETIC_ERRNO(ECANCELED), "Execution cancelled by the user.");
}
}
if (setenv("SYSTEMD_ACTIVATION_UNIT", params->unit_id, true) != 0 ||
setenv("SYSTEMD_ACTIVATION_SCOPE", runtime_scope_to_string(params->runtime_scope), true) != 0) {
*exit_status = EXIT_MEMORY;
- return log_exec_error_errno(context, params, errno, "Failed to update environment: %m");
+ return log_error_errno(errno, "Failed to update environment: %m");
}
if (context->dynamic_user && runtime->dynamic_creds) {
* checks, if DynamicUser=1 is used, as we shouldn't create a feedback loop with ourselves here. */
if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) {
*exit_status = EXIT_USER;
- return log_exec_error_errno(context, params, errno, "Failed to update environment: %m");
+ return log_error_errno(errno, "Failed to update environment: %m");
}
r = compile_suggested_paths(context, params, &suggested_paths);
if (r < 0) {
*exit_status = EXIT_USER;
if (r == -EILSEQ)
- return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(EOPNOTSUPP),
- "Failed to update dynamic user credentials: User or group with specified name already exists.");
- return log_exec_error_errno(context, params, r, "Failed to update dynamic user credentials: %m");
+ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
+ "Failed to update dynamic user credentials: User or group with specified name already exists.");
+ return log_error_errno(r, "Failed to update dynamic user credentials: %m");
}
if (!uid_is_valid(uid)) {
*exit_status = EXIT_USER;
- return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(ESRCH), "UID validation failed for \""UID_FMT"\".", uid);
+ return log_error_errno(SYNTHETIC_ERRNO(ESRCH), "UID validation failed for \""UID_FMT"\".", uid);
}
if (!gid_is_valid(gid)) {
*exit_status = EXIT_USER;
- return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(ESRCH), "GID validation failed for \""GID_FMT"\".", gid);
+ return log_error_errno(SYNTHETIC_ERRNO(ESRCH), "GID validation failed for \""GID_FMT"\".", gid);
}
if (runtime->dynamic_creds->user)
own_user = getusername_malloc();
if (!own_user) {
*exit_status = EXIT_USER;
- return log_exec_error_errno(context, params, r, "Failed to determine my own user ID: %m");
+ return log_error_errno(r, "Failed to determine my own user ID: %m");
}
u = own_user;
} else
&username, &uid, &gid, &pwent_home, &shell);
if (r < 0) {
*exit_status = EXIT_USER;
- return log_exec_error_errno(context, params, r, "Failed to determine user credentials: %m");
+ return log_error_errno(r, "Failed to determine user credentials: %m");
}
}
r = get_fixed_group(context->group, &groupname, &gid);
if (r < 0) {
*exit_status = EXIT_GROUP;
- return log_exec_error_errno(context, params, r, "Failed to determine group credentials: %m");
+ return log_error_errno(r, "Failed to determine group credentials: %m");
}
}
}
ngids = get_supplementary_groups(context, username, gid, &gids);
if (ngids < 0) {
*exit_status = EXIT_GROUP;
- return log_exec_error_errno(context, params, ngids, "Failed to determine supplementary groups: %m");
+ return log_error_errno(ngids, "Failed to determine supplementary groups: %m");
}
r = send_user_lookup(params->unit_id, params->user_lookup_fd, uid, gid);
if (r < 0) {
*exit_status = EXIT_USER;
- return log_exec_error_errno(context, params, r, "Failed to send user credentials to PID1: %m");
+ return log_error_errno(r, "Failed to send user credentials to PID1: %m");
}
params->user_lookup_fd = safe_close(params->user_lookup_fd);
r = acquire_home(context, &pwent_home, &home_buffer);
if (r < 0) {
*exit_status = EXIT_CHDIR;
- return log_exec_error_errno(context, params, r, "Failed to determine $HOME for the invoking user: %m");
+ return log_error_errno(r, "Failed to determine $HOME for the invoking user: %m");
}
/* If a socket is connected to STDIN/STDOUT/STDERR, we must drop O_NONBLOCK */
r = exec_params_get_cgroup_path(params, cgroup_context, &p);
if (r < 0) {
*exit_status = EXIT_CGROUP;
- return log_exec_error_errno(context, params, r, "Failed to acquire cgroup path: %m");
+ return log_error_errno(r, "Failed to acquire cgroup path: %m");
}
r = cg_attach(p, 0);
if (r == -EUCLEAN) {
*exit_status = EXIT_CGROUP;
- return log_exec_error_errno(context, params, r,
- "Failed to attach process to cgroup '%s', "
- "because the cgroup or one of its parents or "
- "siblings is in the threaded mode.", p);
+ return log_error_errno(r,
+ "Failed to attach process to cgroup '%s', "
+ "because the cgroup or one of its parents or "
+ "siblings is in the threaded mode.", p);
}
if (r < 0) {
*exit_status = EXIT_CGROUP;
- return log_exec_error_errno(context, params, r, "Failed to attach to cgroup %s: %m", p);
+ return log_error_errno(r, "Failed to attach to cgroup %s: %m", p);
}
}
r = open_shareable_ns_path(runtime->shared->netns_storage_socket, context->network_namespace_path, CLONE_NEWNET);
if (r < 0) {
*exit_status = EXIT_NETWORK;
- return log_exec_error_errno(context, params, r, "Failed to open network namespace path %s: %m", context->network_namespace_path);
+ return log_error_errno(r, "Failed to open network namespace path %s: %m", context->network_namespace_path);
}
}
r = open_shareable_ns_path(runtime->shared->ipcns_storage_socket, context->ipc_namespace_path, CLONE_NEWIPC);
if (r < 0) {
*exit_status = EXIT_NAMESPACE;
- return log_exec_error_errno(context, params, r, "Failed to open IPC namespace path %s: %m", context->ipc_namespace_path);
+ return log_error_errno(r, "Failed to open IPC namespace path %s: %m", context->ipc_namespace_path);
}
}
r = setup_input(context, params, socket_fd, named_iofds);
if (r < 0) {
*exit_status = EXIT_STDIN;
- return log_exec_error_errno(context, params, r, "Failed to set up standard input: %m");
+ return log_error_errno(r, "Failed to set up standard input: %m");
}
_cleanup_free_ char *fname = NULL;
r = path_extract_filename(command->path, &fname);
if (r < 0) {
*exit_status = EXIT_STDOUT;
- return log_exec_error_errno(context, params, r, "Failed to extract filename from path %s: %m", command->path);
+ return log_error_errno(r, "Failed to extract filename from path %s: %m", command->path);
}
r = setup_output(context, params, STDOUT_FILENO, socket_fd, named_iofds, fname, uid, gid, &journal_stream_dev, &journal_stream_ino);
if (r < 0) {
*exit_status = EXIT_STDOUT;
- return log_exec_error_errno(context, params, r, "Failed to set up standard output: %m");
+ return log_error_errno(r, "Failed to set up standard output: %m");
}
r = setup_output(context, params, STDERR_FILENO, socket_fd, named_iofds, fname, uid, gid, &journal_stream_dev, &journal_stream_ino);
if (r < 0) {
*exit_status = EXIT_STDERR;
- return log_exec_error_errno(context, params, r, "Failed to set up standard error output: %m");
+ return log_error_errno(r, "Failed to set up standard error output: %m");
}
/* Now that stdin/stdout are definiely opened, properly initialize it with our desired
* namespaces prohibit write access to this file, and we shouldn't trip up over that. */
r = set_oom_score_adjust(context->oom_score_adjust);
if (ERRNO_IS_NEG_PRIVILEGE(r))
- log_exec_debug_errno(context, params, r,
- "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
+ log_debug_errno(r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
else if (r < 0) {
*exit_status = EXIT_OOM_ADJUST;
- return log_exec_error_errno(context, params, r, "Failed to adjust OOM setting: %m");
+ return log_error_errno(r, "Failed to adjust OOM setting: %m");
}
}
if (context->coredump_filter_set) {
r = set_coredump_filter(context->coredump_filter);
if (ERRNO_IS_NEG_PRIVILEGE(r))
- log_exec_debug_errno(context, params, r, "Failed to adjust coredump_filter, ignoring: %m");
+ log_debug_errno(r, "Failed to adjust coredump_filter, ignoring: %m");
else if (r < 0) {
*exit_status = EXIT_LIMITS;
- return log_exec_error_errno(context, params, r, "Failed to adjust coredump_filter: %m");
+ return log_error_errno(r, "Failed to adjust coredump_filter: %m");
}
}
r = sched_setattr(/* pid= */ 0, &attr, /* flags= */ 0);
if (r < 0) {
*exit_status = EXIT_SETSCHEDULER;
- return log_exec_error_errno(context, params, errno, "Failed to set up CPU scheduling: %m");
+ return log_error_errno(errno, "Failed to set up CPU scheduling: %m");
}
}
r = setpriority_closest(context->nice);
if (r < 0) {
*exit_status = EXIT_NICE;
- return log_exec_error_errno(context, params, r, "Failed to set up process scheduling priority (nice level): %m");
+ return log_error_errno(r, "Failed to set up process scheduling priority (nice level): %m");
}
}
r = exec_context_cpu_affinity_from_numa(context, &converted_cpu_set);
if (r < 0) {
*exit_status = EXIT_CPUAFFINITY;
- return log_exec_error_errno(context, params, r, "Failed to derive CPU affinity mask from NUMA mask: %m");
+ return log_error_errno(r, "Failed to derive CPU affinity mask from NUMA mask: %m");
}
cpu_set = &converted_cpu_set;
if (sched_setaffinity(0, cpu_set->allocated, cpu_set->set) < 0) {
*exit_status = EXIT_CPUAFFINITY;
- return log_exec_error_errno(context, params, errno, "Failed to set up CPU affinity: %m");
+ return log_error_errno(errno, "Failed to set up CPU affinity: %m");
}
}
if (mpol_is_valid(numa_policy_get_type(&context->numa_policy))) {
r = apply_numa_policy(&context->numa_policy);
if (ERRNO_IS_NEG_NOT_SUPPORTED(r))
- log_exec_debug_errno(context, params, r, "NUMA support not available, ignoring.");
+ log_debug_errno(r, "NUMA support not available, ignoring.");
else if (r < 0) {
*exit_status = EXIT_NUMA_POLICY;
- return log_exec_error_errno(context, params, r, "Failed to set NUMA memory policy: %m");
+ return log_error_errno(r, "Failed to set NUMA memory policy: %m");
}
}
if (context->ioprio_set)
if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
*exit_status = EXIT_IOPRIO;
- return log_exec_error_errno(context, params, errno, "Failed to set up IO scheduling priority: %m");
+ return log_error_errno(errno, "Failed to set up IO scheduling priority: %m");
}
if (context->timer_slack_nsec != NSEC_INFINITY)
if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
*exit_status = EXIT_TIMERSLACK;
- return log_exec_error_errno(context, params, errno, "Failed to set up timer slack: %m");
+ return log_error_errno(errno, "Failed to set up timer slack: %m");
}
if (context->personality != PERSONALITY_INVALID) {
r = safe_personality(context->personality);
if (r < 0) {
*exit_status = EXIT_PERSONALITY;
- return log_exec_error_errno(context, params, r, "Failed to set up execution domain (personality): %m");
+ return log_error_errno(r, "Failed to set up execution domain (personality): %m");
}
}
if (context->memory_ksm >= 0)
if (prctl(PR_SET_MEMORY_MERGE, context->memory_ksm, 0, 0, 0) < 0) {
if (ERRNO_IS_NOT_SUPPORTED(errno))
- log_exec_debug_errno(context,
- params,
- errno,
- "KSM support not available, ignoring.");
+ log_debug_errno(errno, "KSM support not available, ignoring.");
else {
*exit_status = EXIT_KSM;
- return log_exec_error_errno(context, params, errno, "Failed to set KSM: %m");
+ return log_error_errno(errno, "Failed to set KSM: %m");
}
}
r = chown_terminal(STDIN_FILENO, uid);
if (r < 0) {
*exit_status = EXIT_STDIN;
- return log_exec_error_errno(context, params, r, "Failed to change ownership of terminal: %m");
+ return log_error_errno(r, "Failed to change ownership of terminal: %m");
}
}
r = cg_set_access(params->cgroup_path, uid, gid);
if (r < 0) {
*exit_status = EXIT_CGROUP;
- return log_exec_error_errno(context, params, r, "Failed to adjust control group access: %m");
+ return log_error_errno(r, "Failed to adjust control group access: %m");
}
r = exec_params_get_cgroup_path(params, cgroup_context, &p);
if (r < 0) {
*exit_status = EXIT_CGROUP;
- return log_exec_error_errno(context, params, r, "Failed to acquire cgroup path: %m");
+ return log_error_errno(r, "Failed to acquire cgroup path: %m");
}
if (r > 0) {
r = cg_set_access_recursive(p, uid, gid);
if (r < 0) {
*exit_status = EXIT_CGROUP;
- return log_exec_error_errno(context, params, r, "Failed to adjust control subgroup access: %m");
+ return log_error_errno(r, "Failed to adjust control subgroup access: %m");
}
}
}
r = chmod_and_chown(memory_pressure_path, 0644, uid, gid);
if (r < 0) {
- log_exec_full_errno(context, params, r == -ENOENT || ERRNO_IS_PRIVILEGE(r) ? LOG_DEBUG : LOG_WARNING, r,
- "Failed to adjust ownership of '%s', ignoring: %m", memory_pressure_path);
+ log_full_errno(r == -ENOENT || ERRNO_IS_PRIVILEGE(r) ? LOG_DEBUG : LOG_WARNING, r,
+ "Failed to adjust ownership of '%s', ignoring: %m", memory_pressure_path);
memory_pressure_path = mfree(memory_pressure_path);
}
/* First we use the current cgroup path to chmod and chown the memory pressure path, then pass the path relative
for (ExecDirectoryType dt = 0; dt < _EXEC_DIRECTORY_TYPE_MAX; dt++) {
r = setup_exec_directory(context, params, uid, gid, dt, needs_mount_namespace, exit_status);
if (r < 0)
- return log_exec_error_errno(context, params, r, "Failed to set up special execution directory in %s: %m", params->prefix[dt]);
+ return log_error_errno(r, "Failed to set up special execution directory in %s: %m", params->prefix[dt]);
}
r = exec_setup_credentials(context, params, params->unit_id, uid, gid);
if (r < 0) {
*exit_status = EXIT_CREDENTIALS;
- return log_exec_error_errno(context, params, r, "Failed to set up credentials: %m");
+ return log_error_errno(r, "Failed to set up credentials: %m");
}
r = build_environment(
r = setup_keyring(context, params, uid, gid);
if (r < 0) {
*exit_status = EXIT_KEYRING;
- return log_exec_error_errno(context, params, r, "Failed to set up kernel keyring: %m");
+ return log_error_errno(r, "Failed to set up kernel keyring: %m");
}
/* We need setresuid() if the caller asked us to apply sandboxing and the command isn't explicitly
r = setrlimit_closest_all((const struct rlimit* const *) context->rlimit, &which_failed);
if (r < 0) {
*exit_status = EXIT_LIMITS;
- return log_exec_error_errno(context, params, r, "Failed to adjust resource limit RLIMIT_%s: %m", rlimit_to_string(which_failed));
+ return log_error_errno(r, "Failed to adjust resource limit RLIMIT_%s: %m", rlimit_to_string(which_failed));
}
}
r = setup_pam(context, params, username, uid, gid, &accum_env, params->fds, n_fds, params->exec_fd);
if (r < 0) {
*exit_status = EXIT_PAM;
- return log_exec_error_errno(context, params, r, "Failed to set up PAM session: %m");
+ return log_error_errno(r, "Failed to set up PAM session: %m");
}
/* PAM modules might have set some ambient caps. Query them here and merge them into
r = capability_get_ambient(&ambient_after_pam);
if (r < 0) {
*exit_status = EXIT_CAPABILITIES;
- return log_exec_error_errno(context, params, r, "Failed to query ambient caps: %m");
+ return log_error_errno(r, "Failed to query ambient caps: %m");
}
capability_ambient_set |= ambient_after_pam;
ngids_after_pam = getgroups_alloc(&gids_after_pam);
if (ngids_after_pam < 0) {
*exit_status = EXIT_GROUP;
- return log_exec_error_errno(context, params, ngids_after_pam, "Failed to obtain groups after setting up PAM: %m");
+ return log_error_errno(ngids_after_pam, "Failed to obtain groups after setting up PAM: %m");
}
}
* the actual requested operations fail (or silently continue). */
if (r < 0 && context->private_users != PRIVATE_USERS_NO) {
*exit_status = EXIT_USER;
- return log_exec_error_errno(context, params, r, "Failed to set up user namespacing for unprivileged user: %m");
+ return log_error_errno(r, "Failed to set up user namespacing for unprivileged user: %m");
}
if (r < 0)
- log_exec_info_errno(context, params, r, "Failed to set up user namespacing for unprivileged user, ignoring: %m");
+ log_info_errno(r, "Failed to set up user namespacing for unprivileged user, ignoring: %m");
else {
assert(r > 0);
userns_set_up = true;
&gids_to_enforce);
if (ngids_to_enforce < 0) {
*exit_status = EXIT_GROUP;
- return log_exec_error_errno(context, params,
- ngids_to_enforce,
- "Failed to merge group lists. Group membership might be incorrect: %m");
+ return log_error_errno(ngids_to_enforce, "Failed to merge group lists. Group membership might be incorrect: %m");
}
r = enforce_groups(gid, gids_to_enforce, ngids_to_enforce);
if (r < 0) {
*exit_status = EXIT_GROUP;
- return log_exec_error_errno(context, params, r, "Changing group credentials failed: %m");
+ return log_error_errno(r, "Changing group credentials failed: %m");
}
}
/* allow_setgroups= */ pu == PRIVATE_USERS_FULL);
if (r < 0) {
*exit_status = EXIT_USER;
- return log_exec_error_errno(context, params, r, "Failed to set up user namespacing: %m");
+ return log_error_errno(r, "Failed to set up user namespacing: %m");
}
if (r > 0)
log_debug("Set up privileged user namespace");
r = find_executable_full(command->path, /* root= */ NULL, context->exec_search_path, false, &executable, &executable_fd);
if (r < 0) {
*exit_status = EXIT_EXEC;
- log_exec_struct_errno(context, params, LOG_NOTICE, r,
- LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED_STR),
- LOG_EXEC_MESSAGE(params,
- "Unable to locate executable '%s': %m",
- command->path),
- LOG_ITEM("EXECUTABLE=%s", command->path));
+ log_struct_errno(LOG_NOTICE, r,
+ LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED_STR),
+ LOG_EXEC_MESSAGE(params,
+ "Unable to locate executable '%s': %m",
+ command->path),
+ LOG_ITEM("EXECUTABLE=%s", command->path));
/* If the error will be ignored by manager, tune down the log level here. Missing executable
* is very much expected in this case. */
return r != -ENOMEM && FLAGS_SET(command->flags, EXEC_COMMAND_IGNORE_FAILURE) ? 1 : r;
r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, &executable_fd);
if (r < 0) {
*exit_status = EXIT_FDS;
- return log_exec_error_errno(context, params, r, "Failed to collect shifted fd: %m");
+ return log_error_errno(r, "Failed to collect shifted fd: %m");
}
#if HAVE_SELINUX
if (r < 0) {
if (!context->selinux_context_ignore) {
*exit_status = EXIT_SELINUX_CONTEXT;
- return log_exec_error_errno(context,
- params,
- r,
- "Failed to determine SELinux context: %m");
+ return log_error_errno(r, "Failed to determine SELinux context: %m");
}
- log_exec_debug_errno(context,
- params,
- r,
- "Failed to determine SELinux context, ignoring: %m");
+ log_debug_errno(r, "Failed to determine SELinux context, ignoring: %m");
}
}
}
r = flag_fds(params->fds, n_socket_fds, n_fds, context->non_blocking);
if (r < 0) {
*exit_status = EXIT_FDS;
- return log_exec_error_errno(context, params, r, "Failed to adjust passed file descriptors: %m");
+ return log_error_errno(r, "Failed to adjust passed file descriptors: %m");
}
/* At this point, the fds we want to pass to the program are all ready and set up, with O_CLOEXEC turned off
if (context->restrict_realtime && !context->rlimit[RLIMIT_RTPRIO]) {
if (setrlimit(RLIMIT_RTPRIO, &RLIMIT_MAKE_CONST(0)) < 0) {
*exit_status = EXIT_LIMITS;
- return log_exec_error_errno(context, params, errno, "Failed to adjust RLIMIT_RTPRIO resource limit: %m");
+ return log_error_errno(errno, "Failed to adjust RLIMIT_RTPRIO resource limit: %m");
}
}
r = setup_smack(context, params, executable_fd);
if (r < 0 && !context->smack_process_label_ignore) {
*exit_status = EXIT_SMACK_PROCESS_LABEL;
- return log_exec_error_errno(context, params, r, "Failed to set SMACK process label: %m");
+ return log_error_errno(r, "Failed to set SMACK process label: %m");
}
}
#endif
if (prctl(PR_SET_KEEPCAPS, 1) < 0) {
*exit_status = EXIT_USER;
- return log_exec_error_errno(context, params, errno, "Failed to enable keep capabilities flag: %m");
+ return log_error_errno(errno, "Failed to enable keep capabilities flag: %m");
}
/* Save the current bounding set so we can restore it after applying the seccomp
r = capability_bounding_set_drop(bset, /* right_now= */ false);
if (r < 0) {
*exit_status = EXIT_CAPABILITIES;
- return log_exec_error_errno(context, params, r, "Failed to drop capabilities: %m");
+ return log_error_errno(r, "Failed to drop capabilities: %m");
}
}
r = capability_ambient_set_apply(capability_ambient_set, /* also_inherit= */ true);
if (r < 0) {
*exit_status = EXIT_CAPABILITIES;
- return log_exec_error_errno(context, params, r, "Failed to apply ambient capabilities (before UID change): %m");
+ return log_error_errno(r, "Failed to apply ambient capabilities (before UID change): %m");
}
}
}
/* chroot to root directory first, before we lose the ability to chroot */
r = apply_root_directory(context, params, runtime, needs_mount_namespace, exit_status);
if (r < 0)
- return log_exec_error_errno(context, params, r, "Chrooting to the requested root directory failed: %m");
+ return log_error_errno(r, "Chrooting to the requested root directory failed: %m");
if (needs_setuid) {
if (uid_is_valid(uid)) {
r = enforce_user(context, uid, capability_ambient_set);
if (r < 0) {
*exit_status = EXIT_USER;
- return log_exec_error_errno(context, params, r, "Failed to change UID to " UID_FMT ": %m", uid);
+ return log_error_errno(r, "Failed to change UID to " UID_FMT ": %m", uid);
}
if (keep_seccomp_privileges) {
r = drop_capability(CAP_SETUID);
if (r < 0) {
*exit_status = EXIT_USER;
- return log_exec_error_errno(context, params, r, "Failed to drop CAP_SETUID: %m");
+ return log_error_errno(r, "Failed to drop CAP_SETUID: %m");
}
}
r = keep_capability(CAP_SYS_ADMIN);
if (r < 0) {
*exit_status = EXIT_USER;
- return log_exec_error_errno(context, params, r, "Failed to keep CAP_SYS_ADMIN: %m");
+ return log_error_errno(r, "Failed to keep CAP_SYS_ADMIN: %m");
}
r = keep_capability(CAP_SETPCAP);
if (r < 0) {
*exit_status = EXIT_USER;
- return log_exec_error_errno(context, params, r, "Failed to keep CAP_SETPCAP: %m");
+ return log_error_errno(r, "Failed to keep CAP_SETPCAP: %m");
}
}
r = capability_ambient_set_apply(capability_ambient_set, /* also_inherit= */ false);
if (r < 0) {
*exit_status = EXIT_CAPABILITIES;
- return log_exec_error_errno(context, params, r, "Failed to apply ambient capabilities (after UID change): %m");
+ return log_error_errno(r, "Failed to apply ambient capabilities (after UID change): %m");
}
}
}
r = apply_working_directory(context, params, runtime, pwent_home, accum_env);
if (r < 0) {
*exit_status = EXIT_CHDIR;
- return log_exec_error_errno(context, params, r, "Changing to the requested working directory failed: %m");
+ return log_error_errno(r, "Changing to the requested working directory failed: %m");
}
if (needs_sandboxing) {
if (r < 0) {
if (!context->selinux_context_ignore) {
*exit_status = EXIT_SELINUX_CONTEXT;
- return log_exec_error_errno(context, params, r, "Failed to change SELinux context to %s: %m", exec_context);
+ return log_error_errno(r, "Failed to change SELinux context to %s: %m", exec_context);
}
- log_exec_debug_errno(context,
- params,
- r,
- "Failed to change SELinux context to %s, ignoring: %m",
- exec_context);
+ log_debug_errno(r, "Failed to change SELinux context to %s, ignoring: %m", exec_context);
}
}
}
r = ASSERT_PTR(sym_aa_change_onexec)(context->apparmor_profile);
if (r < 0 && !context->apparmor_profile_ignore) {
*exit_status = EXIT_APPARMOR_PROFILE;
- return log_exec_error_errno(context,
- params,
- errno,
- "Failed to prepare AppArmor profile change to %s: %m",
- context->apparmor_profile);
+ return log_error_errno(errno, "Failed to prepare AppArmor profile change to %s: %m",
+ context->apparmor_profile);
}
}
#endif
r = capability_gain_cap_setpcap(/* ret_before_caps = */ NULL);
if (r < 0) {
*exit_status = EXIT_CAPABILITIES;
- return log_exec_error_errno(context, params, r, "Failed to gain CAP_SETPCAP for setting secure bits");
+ return log_error_errno(r, "Failed to gain CAP_SETPCAP for setting secure bits");
}
if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
*exit_status = EXIT_SECUREBITS;
- return log_exec_error_errno(context, params, errno, "Failed to set process secure bits: %m");
+ return log_error_errno(errno, "Failed to set process secure bits: %m");
}
}
if (context_has_no_new_privileges(context))
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
*exit_status = EXIT_NO_NEW_PRIVILEGES;
- return log_exec_error_errno(context, params, errno, "Failed to disable new privileges: %m");
+ return log_error_errno(errno, "Failed to disable new privileges: %m");
}
#if HAVE_SECCOMP
r = apply_address_families(context, params);
if (r < 0) {
*exit_status = EXIT_ADDRESS_FAMILIES;
- return log_exec_error_errno(context, params, r, "Failed to restrict address families: %m");
+ return log_error_errno(r, "Failed to restrict address families: %m");
}
r = apply_memory_deny_write_execute(context, params);
if (r < 0) {
*exit_status = EXIT_SECCOMP;
- return log_exec_error_errno(context, params, r, "Failed to disable writing to executable memory: %m");
+ return log_error_errno(r, "Failed to disable writing to executable memory: %m");
}
r = apply_restrict_realtime(context, params);
if (r < 0) {
*exit_status = EXIT_SECCOMP;
- return log_exec_error_errno(context, params, r, "Failed to apply realtime restrictions: %m");
+ return log_error_errno(r, "Failed to apply realtime restrictions: %m");
}
r = apply_restrict_suid_sgid(context, params);
if (r < 0) {
*exit_status = EXIT_SECCOMP;
- return log_exec_error_errno(context, params, r, "Failed to apply SUID/SGID restrictions: %m");
+ return log_error_errno(r, "Failed to apply SUID/SGID restrictions: %m");
}
r = apply_restrict_namespaces(context, params);
if (r < 0) {
*exit_status = EXIT_SECCOMP;
- return log_exec_error_errno(context, params, r, "Failed to apply namespace restrictions: %m");
+ return log_error_errno(r, "Failed to apply namespace restrictions: %m");
}
r = apply_protect_sysctl(context, params);
if (r < 0) {
*exit_status = EXIT_SECCOMP;
- return log_exec_error_errno(context, params, r, "Failed to apply sysctl restrictions: %m");
+ return log_error_errno(r, "Failed to apply sysctl restrictions: %m");
}
r = apply_protect_kernel_modules(context, params);
if (r < 0) {
*exit_status = EXIT_SECCOMP;
- return log_exec_error_errno(context, params, r, "Failed to apply module loading restrictions: %m");
+ return log_error_errno(r, "Failed to apply module loading restrictions: %m");
}
r = apply_protect_kernel_logs(context, params);
if (r < 0) {
*exit_status = EXIT_SECCOMP;
- return log_exec_error_errno(context, params, r, "Failed to apply kernel log restrictions: %m");
+ return log_error_errno(r, "Failed to apply kernel log restrictions: %m");
}
r = apply_protect_clock(context, params);
if (r < 0) {
*exit_status = EXIT_SECCOMP;
- return log_exec_error_errno(context, params, r, "Failed to apply clock restrictions: %m");
+ return log_error_errno(r, "Failed to apply clock restrictions: %m");
}
r = apply_private_devices(context, params);
if (r < 0) {
*exit_status = EXIT_SECCOMP;
- return log_exec_error_errno(context, params, r, "Failed to set up private devices: %m");
+ return log_error_errno(r, "Failed to set up private devices: %m");
}
r = apply_syscall_archs(context, params);
if (r < 0) {
*exit_status = EXIT_SECCOMP;
- return log_exec_error_errno(context, params, r, "Failed to apply syscall architecture restrictions: %m");
+ return log_error_errno(r, "Failed to apply syscall architecture restrictions: %m");
}
r = apply_lock_personality(context, params);
if (r < 0) {
*exit_status = EXIT_SECCOMP;
- return log_exec_error_errno(context, params, r, "Failed to lock personalities: %m");
+ return log_error_errno(r, "Failed to lock personalities: %m");
}
r = apply_syscall_log(context, params);
if (r < 0) {
*exit_status = EXIT_SECCOMP;
- return log_exec_error_errno(context, params, r, "Failed to apply system call log filters: %m");
+ return log_error_errno(r, "Failed to apply system call log filters: %m");
}
#endif
r = apply_restrict_filesystems(context, params);
if (r < 0) {
*exit_status = EXIT_BPF;
- return log_exec_error_errno(context, params, r, "Failed to restrict filesystems: %m");
+ return log_error_errno(r, "Failed to restrict filesystems: %m");
}
#endif
r = apply_syscall_filter(context, params);
if (r < 0) {
*exit_status = EXIT_SECCOMP;
- return log_exec_error_errno(context, params, r, "Failed to apply system call filters: %m");
+ return log_error_errno(r, "Failed to apply system call filters: %m");
}
if (keep_seccomp_privileges) {
r = capability_bounding_set_drop(saved_bset, /* right_now= */ false);
if (r < 0) {
*exit_status = EXIT_CAPABILITIES;
- return log_exec_error_errno(context, params, r, "Failed to drop bset capabilities: %m");
+ return log_error_errno(r, "Failed to drop bset capabilities: %m");
}
}
r = drop_capability(CAP_SYS_ADMIN);
if (r < 0) {
*exit_status = EXIT_USER;
- return log_exec_error_errno(context, params, r, "Failed to drop CAP_SYS_ADMIN: %m");
+ return log_error_errno(r, "Failed to drop CAP_SYS_ADMIN: %m");
}
}
r = drop_capability(CAP_SETPCAP);
if (r < 0) {
*exit_status = EXIT_USER;
- return log_exec_error_errno(context, params, r, "Failed to drop CAP_SETPCAP: %m");
+ return log_error_errno(r, "Failed to drop CAP_SETPCAP: %m");
}
}
if (prctl(PR_SET_KEEPCAPS, 0) < 0) {
*exit_status = EXIT_USER;
- return log_exec_error_errno(context, params, errno, "Failed to drop keep capabilities flag: %m");
+ return log_error_errno(errno, "Failed to drop keep capabilities flag: %m");
}
}
#endif
r = replace_env_argv(command->argv, accum_env, &replaced_argv, &unset_variables, &bad_variables);
if (r < 0) {
*exit_status = EXIT_MEMORY;
- return log_exec_error_errno(context,
- params,
- r,
- "Failed to replace environment variables: %m");
+ return log_error_errno(r, "Failed to replace environment variables: %m");
}
final_argv = replaced_argv;
if (!strv_isempty(unset_variables)) {
_cleanup_free_ char *ju = strv_join(unset_variables, ", ");
- log_exec_warning(context,
- params,
- "Referenced but unset environment variable evaluates to an empty string: %s",
- strna(ju));
+ log_warning("Referenced but unset environment variable evaluates to an empty string: %s", strna(ju));
}
if (!strv_isempty(bad_variables)) {
_cleanup_free_ char *jb = strv_join(bad_variables, ", ");
- log_exec_warning(context,
- params,
- "Invalid environment variable name evaluates to an empty string: %s",
- strna(jb));
+ log_warning("Invalid environment variable name evaluates to an empty string: %s", strna(jb));
}
} else
final_argv = command->argv;
(void) exec_fd_mark_hot(context, params, /* hot= */ false, /* reterr_exit_status= */ NULL);
*exit_status = EXIT_EXEC;
- return log_exec_error_errno(context, params, r, "Failed to execute %s: %m", executable);
+ return log_error_errno(r, "Failed to execute %s: %m", executable);
}
projects / thirdparty / systemd.git / commitdiff
