1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
29 #include <sys/socket.h>
31 #include <sys/prctl.h>
32 #include <linux/sched.h>
33 #include <sys/types.h>
37 #include <sys/mount.h>
39 #include <linux/oom.h>
41 #include <linux/seccomp-bpf.h>
47 #include <security/pam_appl.h>
53 #include "capability.h"
56 #include "sd-messages.h"
58 #include "securebits.h"
59 #include "namespace.h"
61 #include "exit-status.h"
63 #include "utmp-wtmp.h"
65 #include "path-util.h"
66 #include "syscall-list.h"
72 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
73 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
75 /* This assumes there is a 'tty' group */
78 #define SNDBUF_SIZE (8*1024*1024)
80 static int shift_fds(int fds[], unsigned n_fds) {
81 int start, restart_from;
86 /* Modifies the fds array! (sorts it) */
96 for (i = start; i < (int) n_fds; i++) {
99 /* Already at right index? */
103 if ((nfd = fcntl(fds[i], F_DUPFD, i+3)) < 0)
106 close_nointr_nofail(fds[i]);
109 /* Hmm, the fd we wanted isn't free? Then
110 * let's remember that and try again from here*/
111 if (nfd != i+3 && restart_from < 0)
115 if (restart_from < 0)
118 start = restart_from;
124 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
133 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
135 for (i = 0; i < n_fds; i++) {
137 if ((r = fd_nonblock(fds[i], nonblock)) < 0)
140 /* We unconditionally drop FD_CLOEXEC from the fds,
141 * since after all we want to pass these fds to our
144 if ((r = fd_cloexec(fds[i], false)) < 0)
151 _pure_ static const char *tty_path(const ExecContext *context) {
154 if (context->tty_path)
155 return context->tty_path;
157 return "/dev/console";
160 static void exec_context_tty_reset(const ExecContext *context) {
163 if (context->tty_vhangup)
164 terminal_vhangup(tty_path(context));
166 if (context->tty_reset)
167 reset_terminal(tty_path(context));
169 if (context->tty_vt_disallocate && context->tty_path)
170 vt_disallocate(context->tty_path);
173 static bool is_terminal_output(ExecOutput o) {
175 o == EXEC_OUTPUT_TTY ||
176 o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
177 o == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
178 o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE;
181 static int open_null_as(int flags, int nfd) {
186 fd = open("/dev/null", flags|O_NOCTTY);
191 r = dup2(fd, nfd) < 0 ? -errno : nfd;
192 close_nointr_nofail(fd);
199 static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd) {
201 union sockaddr_union sa = {
202 .un.sun_family = AF_UNIX,
203 .un.sun_path = "/run/systemd/journal/stdout",
207 assert(output < _EXEC_OUTPUT_MAX);
211 fd = socket(AF_UNIX, SOCK_STREAM, 0);
215 r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path));
217 close_nointr_nofail(fd);
221 if (shutdown(fd, SHUT_RD) < 0) {
222 close_nointr_nofail(fd);
226 fd_inc_sndbuf(fd, SNDBUF_SIZE);
236 context->syslog_identifier ? context->syslog_identifier : ident,
238 context->syslog_priority,
239 !!context->syslog_level_prefix,
240 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
241 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
242 is_terminal_output(output));
245 r = dup2(fd, nfd) < 0 ? -errno : nfd;
246 close_nointr_nofail(fd);
252 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
258 if ((fd = open_terminal(path, mode | O_NOCTTY)) < 0)
262 r = dup2(fd, nfd) < 0 ? -errno : nfd;
263 close_nointr_nofail(fd);
270 static bool is_terminal_input(ExecInput i) {
272 i == EXEC_INPUT_TTY ||
273 i == EXEC_INPUT_TTY_FORCE ||
274 i == EXEC_INPUT_TTY_FAIL;
277 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
279 if (is_terminal_input(std_input) && !apply_tty_stdin)
280 return EXEC_INPUT_NULL;
282 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
283 return EXEC_INPUT_NULL;
288 static int fixup_output(ExecOutput std_output, int socket_fd) {
290 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
291 return EXEC_OUTPUT_INHERIT;
296 static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty_stdin) {
301 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
305 case EXEC_INPUT_NULL:
306 return open_null_as(O_RDONLY, STDIN_FILENO);
309 case EXEC_INPUT_TTY_FORCE:
310 case EXEC_INPUT_TTY_FAIL: {
313 fd = acquire_terminal(tty_path(context),
314 i == EXEC_INPUT_TTY_FAIL,
315 i == EXEC_INPUT_TTY_FORCE,
321 if (fd != STDIN_FILENO) {
322 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
323 close_nointr_nofail(fd);
330 case EXEC_INPUT_SOCKET:
331 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
334 assert_not_reached("Unknown input type");
338 static int setup_output(const ExecContext *context, int fileno, int socket_fd, const char *ident, const char *unit_id, bool apply_tty_stdin) {
346 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
347 o = fixup_output(context->std_output, socket_fd);
349 if (fileno == STDERR_FILENO) {
351 e = fixup_output(context->std_error, socket_fd);
353 /* This expects the input and output are already set up */
355 /* Don't change the stderr file descriptor if we inherit all
356 * the way and are not on a tty */
357 if (e == EXEC_OUTPUT_INHERIT &&
358 o == EXEC_OUTPUT_INHERIT &&
359 i == EXEC_INPUT_NULL &&
360 !is_terminal_input(context->std_input) &&
364 /* Duplicate from stdout if possible */
365 if (e == o || e == EXEC_OUTPUT_INHERIT)
366 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
370 } else if (o == EXEC_OUTPUT_INHERIT) {
371 /* If input got downgraded, inherit the original value */
372 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
373 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
375 /* If the input is connected to anything that's not a /dev/null, inherit that... */
376 if (i != EXEC_INPUT_NULL)
377 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
379 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
383 /* We need to open /dev/null here anew, to get the right access mode. */
384 return open_null_as(O_WRONLY, fileno);
389 case EXEC_OUTPUT_NULL:
390 return open_null_as(O_WRONLY, fileno);
392 case EXEC_OUTPUT_TTY:
393 if (is_terminal_input(i))
394 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
396 /* We don't reset the terminal if this is just about output */
397 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
399 case EXEC_OUTPUT_SYSLOG:
400 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
401 case EXEC_OUTPUT_KMSG:
402 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
403 case EXEC_OUTPUT_JOURNAL:
404 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
405 r = connect_logger_as(context, o, ident, unit_id, fileno);
407 log_struct_unit(LOG_CRIT, unit_id,
408 "MESSAGE=Failed to connect std%s of %s to the journal socket: %s",
409 fileno == STDOUT_FILENO ? "out" : "err",
410 unit_id, strerror(-r),
413 r = open_null_as(O_WRONLY, fileno);
417 case EXEC_OUTPUT_SOCKET:
418 assert(socket_fd >= 0);
419 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
422 assert_not_reached("Unknown error type");
426 static int chown_terminal(int fd, uid_t uid) {
431 /* This might fail. What matters are the results. */
432 (void) fchown(fd, uid, -1);
433 (void) fchmod(fd, TTY_MODE);
435 if (fstat(fd, &st) < 0)
438 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
444 static int setup_confirm_stdio(int *_saved_stdin,
445 int *_saved_stdout) {
446 int fd = -1, saved_stdin, saved_stdout = -1, r;
448 assert(_saved_stdin);
449 assert(_saved_stdout);
451 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
455 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
456 if (saved_stdout < 0) {
461 fd = acquire_terminal(
466 DEFAULT_CONFIRM_USEC);
472 r = chown_terminal(fd, getuid());
476 if (dup2(fd, STDIN_FILENO) < 0) {
481 if (dup2(fd, STDOUT_FILENO) < 0) {
487 close_nointr_nofail(fd);
489 *_saved_stdin = saved_stdin;
490 *_saved_stdout = saved_stdout;
495 if (saved_stdout >= 0)
496 close_nointr_nofail(saved_stdout);
498 if (saved_stdin >= 0)
499 close_nointr_nofail(saved_stdin);
502 close_nointr_nofail(fd);
507 _printf_(1, 2) static int write_confirm_message(const char *format, ...) {
513 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
517 va_start(ap, format);
518 vdprintf(fd, format, ap);
521 close_nointr_nofail(fd);
526 static int restore_confirm_stdio(int *saved_stdin,
532 assert(saved_stdout);
536 if (*saved_stdin >= 0)
537 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
540 if (*saved_stdout >= 0)
541 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
544 if (*saved_stdin >= 0)
545 close_nointr_nofail(*saved_stdin);
547 if (*saved_stdout >= 0)
548 close_nointr_nofail(*saved_stdout);
553 static int ask_for_confirmation(char *response, char **argv) {
554 int saved_stdout = -1, saved_stdin = -1, r;
557 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
561 line = exec_command_line(argv);
565 r = ask(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
568 restore_confirm_stdio(&saved_stdin, &saved_stdout);
573 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
574 bool keep_groups = false;
579 /* Lookup and set GID and supplementary group list. Here too
580 * we avoid NSS lookups for gid=0. */
582 if (context->group || username) {
584 if (context->group) {
585 const char *g = context->group;
587 if ((r = get_group_creds(&g, &gid)) < 0)
591 /* First step, initialize groups from /etc/groups */
592 if (username && gid != 0) {
593 if (initgroups(username, gid) < 0)
599 /* Second step, set our gids */
600 if (setresgid(gid, gid, gid) < 0)
604 if (context->supplementary_groups) {
609 /* Final step, initialize any manually set supplementary groups */
610 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
612 if (!(gids = new(gid_t, ngroups_max)))
616 if ((k = getgroups(ngroups_max, gids)) < 0) {
623 STRV_FOREACH(i, context->supplementary_groups) {
626 if (k >= ngroups_max) {
632 r = get_group_creds(&g, gids+k);
641 if (setgroups(k, gids) < 0) {
652 static int enforce_user(const ExecContext *context, uid_t uid) {
655 /* Sets (but doesn't lookup) the uid and make sure we keep the
656 * capabilities while doing so. */
658 if (context->capabilities) {
659 _cleanup_cap_free_ cap_t d = NULL;
660 static const cap_value_t bits[] = {
661 CAP_SETUID, /* Necessary so that we can run setresuid() below */
662 CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
665 /* First step: If we need to keep capabilities but
666 * drop privileges we need to make sure we keep our
667 * caps, while we drop privileges. */
669 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
671 if (prctl(PR_GET_SECUREBITS) != sb)
672 if (prctl(PR_SET_SECUREBITS, sb) < 0)
676 /* Second step: set the capabilities. This will reduce
677 * the capabilities to the minimum we need. */
679 d = cap_dup(context->capabilities);
683 if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
684 cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0)
687 if (cap_set_proc(d) < 0)
691 /* Third step: actually set the uids */
692 if (setresuid(uid, uid, uid) < 0)
695 /* At this point we should have all necessary capabilities but
696 are otherwise a normal user. However, the caps might got
697 corrupted due to the setresuid() so we need clean them up
698 later. This is done outside of this call. */
705 static int null_conv(
707 const struct pam_message **msg,
708 struct pam_response **resp,
711 /* We don't support conversations */
716 static int setup_pam(
722 int fds[], unsigned n_fds) {
724 static const struct pam_conv conv = {
729 pam_handle_t *handle = NULL;
731 int pam_code = PAM_SUCCESS;
734 bool close_session = false;
735 pid_t pam_pid = 0, parent_pid;
742 /* We set up PAM in the parent process, then fork. The child
743 * will then stay around until killed via PR_GET_PDEATHSIG or
744 * systemd via the cgroup logic. It will then remove the PAM
745 * session again. The parent process will exec() the actual
746 * daemon. We do things this way to ensure that the main PID
747 * of the daemon is the one we initially fork()ed. */
749 if (log_get_max_level() < LOG_PRI(LOG_DEBUG))
752 pam_code = pam_start(name, user, &conv, &handle);
753 if (pam_code != PAM_SUCCESS) {
759 pam_code = pam_set_item(handle, PAM_TTY, tty);
760 if (pam_code != PAM_SUCCESS)
764 pam_code = pam_acct_mgmt(handle, flags);
765 if (pam_code != PAM_SUCCESS)
768 pam_code = pam_open_session(handle, flags);
769 if (pam_code != PAM_SUCCESS)
772 close_session = true;
774 e = pam_getenvlist(handle);
776 pam_code = PAM_BUF_ERR;
780 /* Block SIGTERM, so that we know that it won't get lost in
782 if (sigemptyset(&ss) < 0 ||
783 sigaddset(&ss, SIGTERM) < 0 ||
784 sigprocmask(SIG_BLOCK, &ss, &old_ss) < 0)
787 parent_pid = getpid();
797 /* The child's job is to reset the PAM session on
800 /* This string must fit in 10 chars (i.e. the length
801 * of "/sbin/init"), to look pretty in /bin/ps */
802 rename_process("(sd-pam)");
804 /* Make sure we don't keep open the passed fds in this
805 child. We assume that otherwise only those fds are
806 open here that have been opened by PAM. */
807 close_many(fds, n_fds);
809 /* Drop privileges - we don't need any to pam_close_session
810 * and this will make PR_SET_PDEATHSIG work in most cases.
811 * If this fails, ignore the error - but expect sd-pam threads
812 * to fail to exit normally */
813 if (setresuid(uid, uid, uid) < 0)
814 log_error("Error: Failed to setresuid() in sd-pam: %s", strerror(-r));
816 /* Wait until our parent died. This will only work if
817 * the above setresuid() succeeds, otherwise the kernel
818 * will not allow unprivileged parents kill their privileged
819 * children this way. We rely on the control groups kill logic
820 * to do the rest for us. */
821 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
824 /* Check if our parent process might already have
826 if (getppid() == parent_pid) {
828 if (sigwait(&ss, &sig) < 0) {
835 assert(sig == SIGTERM);
840 /* If our parent died we'll end the session */
841 if (getppid() != parent_pid) {
842 pam_code = pam_close_session(handle, flags);
843 if (pam_code != PAM_SUCCESS)
850 pam_end(handle, pam_code | flags);
854 /* If the child was forked off successfully it will do all the
855 * cleanups, so forget about the handle here. */
858 /* Unblock SIGTERM again in the parent */
859 if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0)
862 /* We close the log explicitly here, since the PAM modules
863 * might have opened it, but we don't want this fd around. */
872 if (pam_code != PAM_SUCCESS) {
873 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
874 err = -EPERM; /* PAM errors do not map to errno */
876 log_error("PAM failed: %m");
882 pam_code = pam_close_session(handle, flags);
884 pam_end(handle, pam_code | flags);
892 kill(pam_pid, SIGTERM);
893 kill(pam_pid, SIGCONT);
900 static void rename_process_from_path(const char *path) {
901 char process_name[11];
905 /* This resulting string must fit in 10 chars (i.e. the length
906 * of "/sbin/init") to look pretty in /bin/ps */
910 rename_process("(...)");
916 /* The end of the process name is usually more
917 * interesting, since the first bit might just be
923 process_name[0] = '(';
924 memcpy(process_name+1, p, l);
925 process_name[1+l] = ')';
926 process_name[1+l+1] = 0;
928 rename_process(process_name);
931 static int apply_seccomp(uint32_t *syscall_filter) {
932 static const struct sock_filter header[] = {
933 VALIDATE_ARCHITECTURE,
936 static const struct sock_filter footer[] = {
942 struct sock_filter *f;
943 struct sock_fprog prog = {};
945 assert(syscall_filter);
947 /* First: count the syscalls to check for */
948 for (i = 0, n = 0; i < syscall_max(); i++)
949 if (syscall_filter[i >> 4] & (1 << (i & 31)))
952 /* Second: build the filter program from a header the syscall
953 * matches and the footer */
954 f = alloca(sizeof(struct sock_filter) * (ELEMENTSOF(header) + 2*n + ELEMENTSOF(footer)));
955 memcpy(f, header, sizeof(header));
957 for (i = 0, n = 0; i < syscall_max(); i++)
958 if (syscall_filter[i >> 4] & (1 << (i & 31))) {
959 struct sock_filter item[] = {
960 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, INDEX_TO_SYSCALL(i), 0, 1),
961 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
964 assert_cc(ELEMENTSOF(item) == 2);
966 f[ELEMENTSOF(header) + 2*n] = item[0];
967 f[ELEMENTSOF(header) + 2*n+1] = item[1];
972 memcpy(f + (ELEMENTSOF(header) + 2*n), footer, sizeof(footer));
974 /* Third: install the filter */
975 prog.len = ELEMENTSOF(header) + ELEMENTSOF(footer) + 2*n;
977 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0)
983 static void do_idle_pipe_dance(int idle_pipe[4]) {
986 if (idle_pipe[1] >= 0)
987 close_nointr_nofail(idle_pipe[1]);
988 if (idle_pipe[2] >= 0)
989 close_nointr_nofail(idle_pipe[2]);
991 if (idle_pipe[0] >= 0) {
994 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
996 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
997 /* Signal systemd that we are bored and want to continue. */
998 write(idle_pipe[3], "x", 1);
1000 /* Wait for systemd to react to the signal above. */
1001 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1004 close_nointr_nofail(idle_pipe[0]);
1008 if (idle_pipe[3] >= 0)
1009 close_nointr_nofail(idle_pipe[3]);
1012 static int build_environment(
1015 usec_t watchdog_usec,
1017 const char *username,
1021 _cleanup_strv_free_ char **our_env = NULL;
1028 our_env = new0(char*, 10);
1033 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1035 our_env[n_env++] = x;
1037 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1039 our_env[n_env++] = x;
1042 if (watchdog_usec > 0) {
1043 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1045 our_env[n_env++] = x;
1047 if (asprintf(&x, "WATCHDOG_USEC=%llu", (unsigned long long) watchdog_usec) < 0)
1049 our_env[n_env++] = x;
1053 x = strappend("HOME=", home);
1056 our_env[n_env++] = x;
1060 x = strappend("LOGNAME=", username);
1063 our_env[n_env++] = x;
1065 x = strappend("USER=", username);
1068 our_env[n_env++] = x;
1072 x = strappend("SHELL=", shell);
1075 our_env[n_env++] = x;
1078 if (is_terminal_input(c->std_input) ||
1079 c->std_output == EXEC_OUTPUT_TTY ||
1080 c->std_error == EXEC_OUTPUT_TTY ||
1083 x = strdup(default_term_for_tty(tty_path(c)));
1086 our_env[n_env++] = x;
1089 our_env[n_env++] = NULL;
1090 assert(n_env <= 10);
1098 int exec_spawn(ExecCommand *command,
1100 ExecContext *context,
1101 int fds[], unsigned n_fds,
1103 bool apply_permissions,
1105 bool apply_tty_stdin,
1107 CGroupControllerMask cgroup_supported,
1108 const char *cgroup_path,
1109 const char *unit_id,
1110 usec_t watchdog_usec,
1112 ExecRuntime *runtime,
1115 _cleanup_strv_free_ char **files_env = NULL;
1124 assert(fds || n_fds <= 0);
1126 if (context->std_input == EXEC_INPUT_SOCKET ||
1127 context->std_output == EXEC_OUTPUT_SOCKET ||
1128 context->std_error == EXEC_OUTPUT_SOCKET) {
1140 r = exec_context_load_environment(context, &files_env);
1142 log_struct_unit(LOG_ERR,
1144 "MESSAGE=Failed to load environment files: %s", strerror(-r),
1151 argv = command->argv;
1153 line = exec_command_line(argv);
1157 log_struct_unit(LOG_DEBUG,
1159 "EXECUTABLE=%s", command->path,
1160 "MESSAGE=About to execute: %s", line,
1169 _cleanup_strv_free_ char **our_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL;
1170 const char *username = NULL, *home = NULL, *shell = NULL;
1171 unsigned n_dont_close = 0;
1172 int dont_close[n_fds + 3];
1173 uid_t uid = (uid_t) -1;
1174 gid_t gid = (gid_t) -1;
1180 rename_process_from_path(command->path);
1182 /* We reset exactly these signals, since they are the
1183 * only ones we set to SIG_IGN in the main daemon. All
1184 * others we leave untouched because we set them to
1185 * SIG_DFL or a valid handler initially, both of which
1186 * will be demoted to SIG_DFL. */
1187 default_signals(SIGNALS_CRASH_HANDLER,
1188 SIGNALS_IGNORE, -1);
1190 if (context->ignore_sigpipe)
1191 ignore_signals(SIGPIPE, -1);
1193 assert_se(sigemptyset(&ss) == 0);
1194 if (sigprocmask(SIG_SETMASK, &ss, NULL) < 0) {
1196 r = EXIT_SIGNAL_MASK;
1201 do_idle_pipe_dance(idle_pipe);
1203 /* Close sockets very early to make sure we don't
1204 * block init reexecution because it cannot bind its
1209 dont_close[n_dont_close++] = socket_fd;
1211 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
1212 n_dont_close += n_fds;
1215 if (runtime->netns_storage_socket[0] >= 0)
1216 dont_close[n_dont_close++] = runtime->netns_storage_socket[0];
1217 if (runtime->netns_storage_socket[1] >= 0)
1218 dont_close[n_dont_close++] = runtime->netns_storage_socket[1];
1221 err = close_all_fds(dont_close, n_dont_close);
1227 if (!context->same_pgrp)
1234 if (context->tcpwrap_name) {
1236 if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) {
1242 for (i = 0; i < (int) n_fds; i++) {
1243 if (!socket_tcpwrap(fds[i], context->tcpwrap_name)) {
1251 exec_context_tty_reset(context);
1253 if (confirm_spawn) {
1256 err = ask_for_confirmation(&response, argv);
1257 if (err == -ETIMEDOUT)
1258 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
1260 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-err));
1261 else if (response == 's') {
1262 write_confirm_message("Skipping execution.\n");
1266 } else if (response == 'n') {
1267 write_confirm_message("Failing execution.\n");
1273 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1274 * must sure to drop O_NONBLOCK */
1276 fd_nonblock(socket_fd, false);
1278 err = setup_input(context, socket_fd, apply_tty_stdin);
1284 err = setup_output(context, STDOUT_FILENO, socket_fd, basename(command->path), unit_id, apply_tty_stdin);
1290 err = setup_output(context, STDERR_FILENO, socket_fd, basename(command->path), unit_id, apply_tty_stdin);
1297 err = cg_attach_everywhere(cgroup_supported, cgroup_path, 0);
1304 if (context->oom_score_adjust_set) {
1307 snprintf(t, sizeof(t), "%i", context->oom_score_adjust);
1310 if (write_string_file("/proc/self/oom_score_adj", t) < 0) {
1312 r = EXIT_OOM_ADJUST;
1317 if (context->nice_set)
1318 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
1324 if (context->cpu_sched_set) {
1325 struct sched_param param = {
1326 .sched_priority = context->cpu_sched_priority,
1329 r = sched_setscheduler(0,
1330 context->cpu_sched_policy |
1331 (context->cpu_sched_reset_on_fork ?
1332 SCHED_RESET_ON_FORK : 0),
1336 r = EXIT_SETSCHEDULER;
1341 if (context->cpuset)
1342 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
1344 r = EXIT_CPUAFFINITY;
1348 if (context->ioprio_set)
1349 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
1355 if (context->timer_slack_nsec != (nsec_t) -1)
1356 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
1358 r = EXIT_TIMERSLACK;
1362 if (context->utmp_id)
1363 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path);
1365 if (context->user) {
1366 username = context->user;
1367 err = get_user_creds(&username, &uid, &gid, &home, &shell);
1373 if (is_terminal_input(context->std_input)) {
1374 err = chown_terminal(STDIN_FILENO, uid);
1383 if (cgroup_path && context->user && context->pam_name) {
1384 err = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, 0644, uid, gid);
1391 err = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, 0755, uid, gid);
1399 if (apply_permissions) {
1400 err = enforce_groups(context, username, gid);
1407 umask(context->umask);
1410 if (apply_permissions && context->pam_name && username) {
1411 err = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
1418 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
1419 err = setup_netns(runtime->netns_storage_socket);
1426 if (!strv_isempty(context->read_write_dirs) ||
1427 !strv_isempty(context->read_only_dirs) ||
1428 !strv_isempty(context->inaccessible_dirs) ||
1429 context->mount_flags != 0 ||
1430 (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))) {
1432 char *tmp = NULL, *var = NULL;
1434 /* The runtime struct only contains the parent
1435 * of the private /tmp, which is
1436 * non-accessible to world users. Inside of it
1437 * there's a /tmp that is sticky, and that's
1438 * the one we want to use here. */
1440 if (context->private_tmp && runtime) {
1441 if (runtime->tmp_dir)
1442 tmp = strappenda(runtime->tmp_dir, "/tmp");
1443 if (runtime->var_tmp_dir)
1444 var = strappenda(runtime->var_tmp_dir, "/tmp");
1447 err = setup_namespace(
1448 context->read_write_dirs,
1449 context->read_only_dirs,
1450 context->inaccessible_dirs,
1453 context->mount_flags);
1462 if (context->root_directory)
1463 if (chroot(context->root_directory) < 0) {
1469 if (chdir(context->working_directory ? context->working_directory : "/") < 0) {
1475 _cleanup_free_ char *d = NULL;
1477 if (asprintf(&d, "%s/%s",
1478 context->root_directory ? context->root_directory : "",
1479 context->working_directory ? context->working_directory : "") < 0) {
1492 /* We repeat the fd closing here, to make sure that
1493 * nothing is leaked from the PAM modules */
1494 err = close_all_fds(fds, n_fds);
1496 err = shift_fds(fds, n_fds);
1498 err = flags_fds(fds, n_fds, context->non_blocking);
1504 if (apply_permissions) {
1506 for (i = 0; i < RLIMIT_NLIMITS; i++) {
1507 if (!context->rlimit[i])
1510 if (setrlimit_closest(i, context->rlimit[i]) < 0) {
1517 if (context->capability_bounding_set_drop) {
1518 err = capability_bounding_set_drop(context->capability_bounding_set_drop, false);
1520 r = EXIT_CAPABILITIES;
1525 if (context->user) {
1526 err = enforce_user(context, uid);
1533 /* PR_GET_SECUREBITS is not privileged, while
1534 * PR_SET_SECUREBITS is. So to suppress
1535 * potential EPERMs we'll try not to call
1536 * PR_SET_SECUREBITS unless necessary. */
1537 if (prctl(PR_GET_SECUREBITS) != context->secure_bits)
1538 if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
1540 r = EXIT_SECUREBITS;
1544 if (context->capabilities)
1545 if (cap_set_proc(context->capabilities) < 0) {
1547 r = EXIT_CAPABILITIES;
1551 if (context->no_new_privileges)
1552 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
1554 r = EXIT_NO_NEW_PRIVILEGES;
1558 if (context->syscall_filter) {
1559 err = apply_seccomp(context->syscall_filter);
1567 err = build_environment(context, n_fds, watchdog_usec, home, username, shell, &our_env);
1573 final_env = strv_env_merge(5,
1576 context->environment,
1586 final_argv = replace_env_argv(argv, final_env);
1593 final_env = strv_env_clean(final_env);
1595 if (_unlikely_(log_get_max_level() >= LOG_PRI(LOG_DEBUG))) {
1596 line = exec_command_line(final_argv);
1599 log_struct_unit(LOG_DEBUG,
1601 "EXECUTABLE=%s", command->path,
1602 "MESSAGE=Executing: %s", line,
1609 execve(command->path, final_argv, final_env);
1616 log_struct(LOG_ERR, MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
1617 "EXECUTABLE=%s", command->path,
1618 "MESSAGE=Failed at step %s spawning %s: %s",
1619 exit_status_to_string(r, EXIT_STATUS_SYSTEMD),
1620 command->path, strerror(-err),
1629 log_struct_unit(LOG_DEBUG,
1631 "MESSAGE=Forked %s as "PID_FMT,
1635 /* We add the new process to the cgroup both in the child (so
1636 * that we can be sure that no user code is ever executed
1637 * outside of the cgroup) and in the parent (so that we can be
1638 * sure that when we kill the cgroup the process will be
1641 cg_attach(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, pid);
1643 exec_status_start(&command->exec_status, pid);
1649 void exec_context_init(ExecContext *c) {
1653 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
1654 c->cpu_sched_policy = SCHED_OTHER;
1655 c->syslog_priority = LOG_DAEMON|LOG_INFO;
1656 c->syslog_level_prefix = true;
1657 c->ignore_sigpipe = true;
1658 c->timer_slack_nsec = (nsec_t) -1;
1661 void exec_context_done(ExecContext *c) {
1666 strv_free(c->environment);
1667 c->environment = NULL;
1669 strv_free(c->environment_files);
1670 c->environment_files = NULL;
1672 for (l = 0; l < ELEMENTSOF(c->rlimit); l++) {
1674 c->rlimit[l] = NULL;
1677 free(c->working_directory);
1678 c->working_directory = NULL;
1679 free(c->root_directory);
1680 c->root_directory = NULL;
1685 free(c->tcpwrap_name);
1686 c->tcpwrap_name = NULL;
1688 free(c->syslog_identifier);
1689 c->syslog_identifier = NULL;
1697 strv_free(c->supplementary_groups);
1698 c->supplementary_groups = NULL;
1703 if (c->capabilities) {
1704 cap_free(c->capabilities);
1705 c->capabilities = NULL;
1708 strv_free(c->read_only_dirs);
1709 c->read_only_dirs = NULL;
1711 strv_free(c->read_write_dirs);
1712 c->read_write_dirs = NULL;
1714 strv_free(c->inaccessible_dirs);
1715 c->inaccessible_dirs = NULL;
1718 CPU_FREE(c->cpuset);
1723 free(c->syscall_filter);
1724 c->syscall_filter = NULL;
1727 void exec_command_done(ExecCommand *c) {
1737 void exec_command_done_array(ExecCommand *c, unsigned n) {
1740 for (i = 0; i < n; i++)
1741 exec_command_done(c+i);
1744 void exec_command_free_list(ExecCommand *c) {
1748 LIST_REMOVE(command, c, i);
1749 exec_command_done(i);
1754 void exec_command_free_array(ExecCommand **c, unsigned n) {
1757 for (i = 0; i < n; i++) {
1758 exec_command_free_list(c[i]);
1763 int exec_context_load_environment(const ExecContext *c, char ***l) {
1764 char **i, **r = NULL;
1769 STRV_FOREACH(i, c->environment_files) {
1772 bool ignore = false;
1774 _cleanup_globfree_ glob_t pglob = {};
1784 if (!path_is_absolute(fn)) {
1792 /* Filename supports globbing, take all matching files */
1794 if (glob(fn, 0, NULL, &pglob) != 0) {
1799 return errno ? -errno : -EINVAL;
1801 count = pglob.gl_pathc;
1809 for (n = 0; n < count; n++) {
1810 k = load_env_file(pglob.gl_pathv[n], NULL, &p);
1818 /* Log invalid environment variables with filename */
1820 p = strv_env_clean_log(p, pglob.gl_pathv[n]);
1827 m = strv_env_merge(2, r, p);
1843 static bool tty_may_match_dev_console(const char *tty) {
1844 char *active = NULL, *console;
1847 if (startswith(tty, "/dev/"))
1850 /* trivial identity? */
1851 if (streq(tty, "console"))
1854 console = resolve_dev_console(&active);
1855 /* if we could not resolve, assume it may */
1859 /* "tty0" means the active VC, so it may be the same sometimes */
1860 b = streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
1866 bool exec_context_may_touch_console(ExecContext *ec) {
1867 return (ec->tty_reset || ec->tty_vhangup || ec->tty_vt_disallocate ||
1868 is_terminal_input(ec->std_input) ||
1869 is_terminal_output(ec->std_output) ||
1870 is_terminal_output(ec->std_error)) &&
1871 tty_may_match_dev_console(tty_path(ec));
1874 static void strv_fprintf(FILE *f, char **l) {
1880 fprintf(f, " %s", *g);
1883 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
1890 prefix = strempty(prefix);
1894 "%sWorkingDirectory: %s\n"
1895 "%sRootDirectory: %s\n"
1896 "%sNonBlocking: %s\n"
1897 "%sPrivateTmp: %s\n"
1898 "%sPrivateNetwork: %s\n"
1899 "%sIgnoreSIGPIPE: %s\n",
1901 prefix, c->working_directory ? c->working_directory : "/",
1902 prefix, c->root_directory ? c->root_directory : "/",
1903 prefix, yes_no(c->non_blocking),
1904 prefix, yes_no(c->private_tmp),
1905 prefix, yes_no(c->private_network),
1906 prefix, yes_no(c->ignore_sigpipe));
1908 STRV_FOREACH(e, c->environment)
1909 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
1911 STRV_FOREACH(e, c->environment_files)
1912 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
1914 if (c->tcpwrap_name)
1916 "%sTCPWrapName: %s\n",
1917 prefix, c->tcpwrap_name);
1924 if (c->oom_score_adjust_set)
1926 "%sOOMScoreAdjust: %i\n",
1927 prefix, c->oom_score_adjust);
1929 for (i = 0; i < RLIM_NLIMITS; i++)
1931 fprintf(f, "%s%s: %llu\n", prefix, rlimit_to_string(i), (unsigned long long) c->rlimit[i]->rlim_max);
1933 if (c->ioprio_set) {
1937 r = ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
1941 "%sIOSchedulingClass: %s\n"
1942 "%sIOPriority: %i\n",
1943 prefix, strna(class_str),
1944 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
1948 if (c->cpu_sched_set) {
1952 r = sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
1956 "%sCPUSchedulingPolicy: %s\n"
1957 "%sCPUSchedulingPriority: %i\n"
1958 "%sCPUSchedulingResetOnFork: %s\n",
1959 prefix, strna(policy_str),
1960 prefix, c->cpu_sched_priority,
1961 prefix, yes_no(c->cpu_sched_reset_on_fork));
1966 fprintf(f, "%sCPUAffinity:", prefix);
1967 for (i = 0; i < c->cpuset_ncpus; i++)
1968 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
1969 fprintf(f, " %u", i);
1973 if (c->timer_slack_nsec != (nsec_t) -1)
1974 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
1977 "%sStandardInput: %s\n"
1978 "%sStandardOutput: %s\n"
1979 "%sStandardError: %s\n",
1980 prefix, exec_input_to_string(c->std_input),
1981 prefix, exec_output_to_string(c->std_output),
1982 prefix, exec_output_to_string(c->std_error));
1988 "%sTTYVHangup: %s\n"
1989 "%sTTYVTDisallocate: %s\n",
1990 prefix, c->tty_path,
1991 prefix, yes_no(c->tty_reset),
1992 prefix, yes_no(c->tty_vhangup),
1993 prefix, yes_no(c->tty_vt_disallocate));
1995 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
1996 c->std_output == EXEC_OUTPUT_KMSG ||
1997 c->std_output == EXEC_OUTPUT_JOURNAL ||
1998 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
1999 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2000 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
2001 c->std_error == EXEC_OUTPUT_SYSLOG ||
2002 c->std_error == EXEC_OUTPUT_KMSG ||
2003 c->std_error == EXEC_OUTPUT_JOURNAL ||
2004 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2005 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2006 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
2008 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
2010 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
2011 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
2014 "%sSyslogFacility: %s\n"
2015 "%sSyslogLevel: %s\n",
2016 prefix, strna(fac_str),
2017 prefix, strna(lvl_str));
2020 if (c->capabilities) {
2021 _cleanup_cap_free_charp_ char *t;
2023 t = cap_to_text(c->capabilities, NULL);
2025 fprintf(f, "%sCapabilities: %s\n", prefix, t);
2029 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
2031 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
2032 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
2033 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
2034 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
2035 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
2036 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
2038 if (c->capability_bounding_set_drop) {
2040 fprintf(f, "%sCapabilityBoundingSet:", prefix);
2042 for (l = 0; l <= cap_last_cap(); l++)
2043 if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) {
2044 _cleanup_cap_free_charp_ char *t;
2048 fprintf(f, " %s", t);
2055 fprintf(f, "%sUser: %s\n", prefix, c->user);
2057 fprintf(f, "%sGroup: %s\n", prefix, c->group);
2059 if (strv_length(c->supplementary_groups) > 0) {
2060 fprintf(f, "%sSupplementaryGroups:", prefix);
2061 strv_fprintf(f, c->supplementary_groups);
2066 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
2068 if (strv_length(c->read_write_dirs) > 0) {
2069 fprintf(f, "%sReadWriteDirs:", prefix);
2070 strv_fprintf(f, c->read_write_dirs);
2074 if (strv_length(c->read_only_dirs) > 0) {
2075 fprintf(f, "%sReadOnlyDirs:", prefix);
2076 strv_fprintf(f, c->read_only_dirs);
2080 if (strv_length(c->inaccessible_dirs) > 0) {
2081 fprintf(f, "%sInaccessibleDirs:", prefix);
2082 strv_fprintf(f, c->inaccessible_dirs);
2088 "%sUtmpIdentifier: %s\n",
2089 prefix, c->utmp_id);
2092 void exec_status_start(ExecStatus *s, pid_t pid) {
2097 dual_timestamp_get(&s->start_timestamp);
2100 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
2103 if (s->pid && s->pid != pid)
2107 dual_timestamp_get(&s->exit_timestamp);
2113 if (context->utmp_id)
2114 utmp_put_dead_process(context->utmp_id, pid, code, status);
2116 exec_context_tty_reset(context);
2120 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
2121 char buf[FORMAT_TIMESTAMP_MAX];
2133 "%sPID: "PID_FMT"\n",
2136 if (s->start_timestamp.realtime > 0)
2138 "%sStart Timestamp: %s\n",
2139 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
2141 if (s->exit_timestamp.realtime > 0)
2143 "%sExit Timestamp: %s\n"
2145 "%sExit Status: %i\n",
2146 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
2147 prefix, sigchld_code_to_string(s->code),
2151 char *exec_command_line(char **argv) {
2159 STRV_FOREACH(a, argv)
2162 if (!(n = new(char, k)))
2166 STRV_FOREACH(a, argv) {
2173 if (strpbrk(*a, WHITESPACE)) {
2184 /* FIXME: this doesn't really handle arguments that have
2185 * spaces and ticks in them */
2190 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
2192 const char *prefix2;
2201 p2 = strappend(prefix, "\t");
2202 prefix2 = p2 ? p2 : prefix;
2204 cmd = exec_command_line(c->argv);
2207 "%sCommand Line: %s\n",
2208 prefix, cmd ? cmd : strerror(ENOMEM));
2212 exec_status_dump(&c->exec_status, f, prefix2);
2217 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2223 LIST_FOREACH(command, c, c)
2224 exec_command_dump(c, f, prefix);
2227 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
2234 /* It's kind of important, that we keep the order here */
2235 LIST_FIND_TAIL(command, *l, end);
2236 LIST_INSERT_AFTER(command, *l, end, e);
2241 int exec_command_set(ExecCommand *c, const char *path, ...) {
2249 l = strv_new_ap(path, ap);
2270 static int exec_runtime_allocate(ExecRuntime **rt) {
2275 *rt = new0(ExecRuntime, 1);
2280 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
2285 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
2295 if (!c->private_network && !c->private_tmp)
2298 r = exec_runtime_allocate(rt);
2302 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
2303 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, (*rt)->netns_storage_socket) < 0)
2307 if (c->private_tmp && !(*rt)->tmp_dir) {
2308 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
2316 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
2318 assert(r->n_ref > 0);
2324 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
2329 assert(r->n_ref > 0);
2332 if (r->n_ref <= 0) {
2334 free(r->var_tmp_dir);
2335 close_pipe(r->netns_storage_socket);
2342 int exec_runtime_serialize(ExecRuntime *rt, Unit *u, FILE *f, FDSet *fds) {
2351 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
2353 if (rt->var_tmp_dir)
2354 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
2356 if (rt->netns_storage_socket[0] >= 0) {
2359 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
2363 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
2366 if (rt->netns_storage_socket[1] >= 0) {
2369 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
2373 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
2379 int exec_runtime_deserialize_item(ExecRuntime **rt, Unit *u, const char *key, const char *value, FDSet *fds) {
2386 if (streq(key, "tmp-dir")) {
2389 r = exec_runtime_allocate(rt);
2393 copy = strdup(value);
2397 free((*rt)->tmp_dir);
2398 (*rt)->tmp_dir = copy;
2400 } else if (streq(key, "var-tmp-dir")) {
2403 r = exec_runtime_allocate(rt);
2407 copy = strdup(value);
2411 free((*rt)->var_tmp_dir);
2412 (*rt)->var_tmp_dir = copy;
2414 } else if (streq(key, "netns-socket-0")) {
2417 r = exec_runtime_allocate(rt);
2421 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2422 log_debug_unit(u->id, "Failed to parse netns socket value %s", value);
2424 if ((*rt)->netns_storage_socket[0] >= 0)
2425 close_nointr_nofail((*rt)->netns_storage_socket[0]);
2427 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
2429 } else if (streq(key, "netns-socket-1")) {
2432 r = exec_runtime_allocate(rt);
2436 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2437 log_debug_unit(u->id, "Failed to parse netns socket value %s", value);
2439 if ((*rt)->netns_storage_socket[1] >= 0)
2440 close_nointr_nofail((*rt)->netns_storage_socket[1]);
2442 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
2450 static void *remove_tmpdir_thread(void *p) {
2451 _cleanup_free_ char *path = p;
2453 rm_rf_dangerous(path, false, true, false);
2457 void exec_runtime_destroy(ExecRuntime *rt) {
2461 /* If there are multiple users of this, let's leave the stuff around */
2466 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
2467 asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
2471 if (rt->var_tmp_dir) {
2472 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
2473 asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
2474 rt->var_tmp_dir = NULL;
2477 close_pipe(rt->netns_storage_socket);
2480 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
2481 [EXEC_INPUT_NULL] = "null",
2482 [EXEC_INPUT_TTY] = "tty",
2483 [EXEC_INPUT_TTY_FORCE] = "tty-force",
2484 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
2485 [EXEC_INPUT_SOCKET] = "socket"
2488 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
2490 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
2491 [EXEC_OUTPUT_INHERIT] = "inherit",
2492 [EXEC_OUTPUT_NULL] = "null",
2493 [EXEC_OUTPUT_TTY] = "tty",
2494 [EXEC_OUTPUT_SYSLOG] = "syslog",
2495 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
2496 [EXEC_OUTPUT_KMSG] = "kmsg",
2497 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
2498 [EXEC_OUTPUT_JOURNAL] = "journal",
2499 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
2500 [EXEC_OUTPUT_SOCKET] = "socket"
2503 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);