1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
29 #include <sys/socket.h>
31 #include <sys/prctl.h>
32 #include <linux/sched.h>
33 #include <sys/types.h>
37 #include <sys/mount.h>
39 #include <linux/oom.h>
41 #include <linux/seccomp-bpf.h>
47 #include <security/pam_appl.h>
53 #include "capability.h"
56 #include "sd-messages.h"
58 #include "securebits.h"
59 #include "namespace.h"
61 #include "exit-status.h"
63 #include "utmp-wtmp.h"
65 #include "path-util.h"
66 #include "syscall-list.h"
72 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
73 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
75 /* This assumes there is a 'tty' group */
78 #define SNDBUF_SIZE (8*1024*1024)
80 static int shift_fds(int fds[], unsigned n_fds) {
81 int start, restart_from;
86 /* Modifies the fds array! (sorts it) */
96 for (i = start; i < (int) n_fds; i++) {
99 /* Already at right index? */
103 if ((nfd = fcntl(fds[i], F_DUPFD, i+3)) < 0)
106 close_nointr_nofail(fds[i]);
109 /* Hmm, the fd we wanted isn't free? Then
110 * let's remember that and try again from here*/
111 if (nfd != i+3 && restart_from < 0)
115 if (restart_from < 0)
118 start = restart_from;
124 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
133 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
135 for (i = 0; i < n_fds; i++) {
137 if ((r = fd_nonblock(fds[i], nonblock)) < 0)
140 /* We unconditionally drop FD_CLOEXEC from the fds,
141 * since after all we want to pass these fds to our
144 if ((r = fd_cloexec(fds[i], false)) < 0)
151 _pure_ static const char *tty_path(const ExecContext *context) {
154 if (context->tty_path)
155 return context->tty_path;
157 return "/dev/console";
160 static void exec_context_tty_reset(const ExecContext *context) {
163 if (context->tty_vhangup)
164 terminal_vhangup(tty_path(context));
166 if (context->tty_reset)
167 reset_terminal(tty_path(context));
169 if (context->tty_vt_disallocate && context->tty_path)
170 vt_disallocate(context->tty_path);
173 static bool is_terminal_output(ExecOutput o) {
175 o == EXEC_OUTPUT_TTY ||
176 o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
177 o == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
178 o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE;
181 static int open_null_as(int flags, int nfd) {
186 fd = open("/dev/null", flags|O_NOCTTY);
191 r = dup2(fd, nfd) < 0 ? -errno : nfd;
192 close_nointr_nofail(fd);
199 static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd) {
201 union sockaddr_union sa = {
202 .un.sun_family = AF_UNIX,
203 .un.sun_path = "/run/systemd/journal/stdout",
207 assert(output < _EXEC_OUTPUT_MAX);
211 fd = socket(AF_UNIX, SOCK_STREAM, 0);
215 r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path));
217 close_nointr_nofail(fd);
221 if (shutdown(fd, SHUT_RD) < 0) {
222 close_nointr_nofail(fd);
226 fd_inc_sndbuf(fd, SNDBUF_SIZE);
236 context->syslog_identifier ? context->syslog_identifier : ident,
238 context->syslog_priority,
239 !!context->syslog_level_prefix,
240 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
241 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
242 is_terminal_output(output));
245 r = dup2(fd, nfd) < 0 ? -errno : nfd;
246 close_nointr_nofail(fd);
252 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
258 if ((fd = open_terminal(path, mode | O_NOCTTY)) < 0)
262 r = dup2(fd, nfd) < 0 ? -errno : nfd;
263 close_nointr_nofail(fd);
270 static bool is_terminal_input(ExecInput i) {
272 i == EXEC_INPUT_TTY ||
273 i == EXEC_INPUT_TTY_FORCE ||
274 i == EXEC_INPUT_TTY_FAIL;
277 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
279 if (is_terminal_input(std_input) && !apply_tty_stdin)
280 return EXEC_INPUT_NULL;
282 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
283 return EXEC_INPUT_NULL;
288 static int fixup_output(ExecOutput std_output, int socket_fd) {
290 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
291 return EXEC_OUTPUT_INHERIT;
296 static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty_stdin) {
301 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
305 case EXEC_INPUT_NULL:
306 return open_null_as(O_RDONLY, STDIN_FILENO);
309 case EXEC_INPUT_TTY_FORCE:
310 case EXEC_INPUT_TTY_FAIL: {
313 fd = acquire_terminal(tty_path(context),
314 i == EXEC_INPUT_TTY_FAIL,
315 i == EXEC_INPUT_TTY_FORCE,
321 if (fd != STDIN_FILENO) {
322 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
323 close_nointr_nofail(fd);
330 case EXEC_INPUT_SOCKET:
331 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
334 assert_not_reached("Unknown input type");
338 static int setup_output(const ExecContext *context, int fileno, int socket_fd, const char *ident, const char *unit_id, bool apply_tty_stdin) {
346 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
347 o = fixup_output(context->std_output, socket_fd);
349 if (fileno == STDERR_FILENO) {
351 e = fixup_output(context->std_error, socket_fd);
353 /* This expects the input and output are already set up */
355 /* Don't change the stderr file descriptor if we inherit all
356 * the way and are not on a tty */
357 if (e == EXEC_OUTPUT_INHERIT &&
358 o == EXEC_OUTPUT_INHERIT &&
359 i == EXEC_INPUT_NULL &&
360 !is_terminal_input(context->std_input) &&
364 /* Duplicate from stdout if possible */
365 if (e == o || e == EXEC_OUTPUT_INHERIT)
366 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
370 } else if (o == EXEC_OUTPUT_INHERIT) {
371 /* If input got downgraded, inherit the original value */
372 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
373 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
375 /* If the input is connected to anything that's not a /dev/null, inherit that... */
376 if (i != EXEC_INPUT_NULL)
377 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
379 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
383 /* We need to open /dev/null here anew, to get the right access mode. */
384 return open_null_as(O_WRONLY, fileno);
389 case EXEC_OUTPUT_NULL:
390 return open_null_as(O_WRONLY, fileno);
392 case EXEC_OUTPUT_TTY:
393 if (is_terminal_input(i))
394 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
396 /* We don't reset the terminal if this is just about output */
397 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
399 case EXEC_OUTPUT_SYSLOG:
400 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
401 case EXEC_OUTPUT_KMSG:
402 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
403 case EXEC_OUTPUT_JOURNAL:
404 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
405 r = connect_logger_as(context, o, ident, unit_id, fileno);
407 log_struct_unit(LOG_CRIT, unit_id,
408 "MESSAGE=Failed to connect std%s of %s to the journal socket: %s",
409 fileno == STDOUT_FILENO ? "out" : "err",
410 unit_id, strerror(-r),
413 r = open_null_as(O_WRONLY, fileno);
417 case EXEC_OUTPUT_SOCKET:
418 assert(socket_fd >= 0);
419 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
422 assert_not_reached("Unknown error type");
426 static int chown_terminal(int fd, uid_t uid) {
431 /* This might fail. What matters are the results. */
432 (void) fchown(fd, uid, -1);
433 (void) fchmod(fd, TTY_MODE);
435 if (fstat(fd, &st) < 0)
438 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
444 static int setup_confirm_stdio(int *_saved_stdin,
445 int *_saved_stdout) {
446 int fd = -1, saved_stdin, saved_stdout = -1, r;
448 assert(_saved_stdin);
449 assert(_saved_stdout);
451 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
455 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
456 if (saved_stdout < 0) {
461 fd = acquire_terminal(
466 DEFAULT_CONFIRM_USEC);
472 r = chown_terminal(fd, getuid());
476 if (dup2(fd, STDIN_FILENO) < 0) {
481 if (dup2(fd, STDOUT_FILENO) < 0) {
487 close_nointr_nofail(fd);
489 *_saved_stdin = saved_stdin;
490 *_saved_stdout = saved_stdout;
495 if (saved_stdout >= 0)
496 close_nointr_nofail(saved_stdout);
498 if (saved_stdin >= 0)
499 close_nointr_nofail(saved_stdin);
502 close_nointr_nofail(fd);
507 _printf_(1, 2) static int write_confirm_message(const char *format, ...) {
513 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
517 va_start(ap, format);
518 vdprintf(fd, format, ap);
521 close_nointr_nofail(fd);
526 static int restore_confirm_stdio(int *saved_stdin,
532 assert(saved_stdout);
536 if (*saved_stdin >= 0)
537 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
540 if (*saved_stdout >= 0)
541 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
544 if (*saved_stdin >= 0)
545 close_nointr_nofail(*saved_stdin);
547 if (*saved_stdout >= 0)
548 close_nointr_nofail(*saved_stdout);
553 static int ask_for_confirmation(char *response, char **argv) {
554 int saved_stdout = -1, saved_stdin = -1, r;
557 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
561 line = exec_command_line(argv);
565 r = ask(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
568 restore_confirm_stdio(&saved_stdin, &saved_stdout);
573 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
574 bool keep_groups = false;
579 /* Lookup and set GID and supplementary group list. Here too
580 * we avoid NSS lookups for gid=0. */
582 if (context->group || username) {
584 if (context->group) {
585 const char *g = context->group;
587 if ((r = get_group_creds(&g, &gid)) < 0)
591 /* First step, initialize groups from /etc/groups */
592 if (username && gid != 0) {
593 if (initgroups(username, gid) < 0)
599 /* Second step, set our gids */
600 if (setresgid(gid, gid, gid) < 0)
604 if (context->supplementary_groups) {
609 /* Final step, initialize any manually set supplementary groups */
610 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
612 if (!(gids = new(gid_t, ngroups_max)))
616 if ((k = getgroups(ngroups_max, gids)) < 0) {
623 STRV_FOREACH(i, context->supplementary_groups) {
626 if (k >= ngroups_max) {
632 r = get_group_creds(&g, gids+k);
641 if (setgroups(k, gids) < 0) {
652 static int enforce_user(const ExecContext *context, uid_t uid) {
655 /* Sets (but doesn't lookup) the uid and make sure we keep the
656 * capabilities while doing so. */
658 if (context->capabilities) {
659 _cleanup_cap_free_ cap_t d = NULL;
660 static const cap_value_t bits[] = {
661 CAP_SETUID, /* Necessary so that we can run setresuid() below */
662 CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
665 /* First step: If we need to keep capabilities but
666 * drop privileges we need to make sure we keep our
667 * caps, while we drop privileges. */
669 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
671 if (prctl(PR_GET_SECUREBITS) != sb)
672 if (prctl(PR_SET_SECUREBITS, sb) < 0)
676 /* Second step: set the capabilities. This will reduce
677 * the capabilities to the minimum we need. */
679 d = cap_dup(context->capabilities);
683 if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
684 cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0)
687 if (cap_set_proc(d) < 0)
691 /* Third step: actually set the uids */
692 if (setresuid(uid, uid, uid) < 0)
695 /* At this point we should have all necessary capabilities but
696 are otherwise a normal user. However, the caps might got
697 corrupted due to the setresuid() so we need clean them up
698 later. This is done outside of this call. */
705 static int null_conv(
707 const struct pam_message **msg,
708 struct pam_response **resp,
711 /* We don't support conversations */
716 static int setup_pam(
722 int fds[], unsigned n_fds) {
724 static const struct pam_conv conv = {
729 pam_handle_t *handle = NULL;
731 int pam_code = PAM_SUCCESS;
734 bool close_session = false;
735 pid_t pam_pid = 0, parent_pid;
742 /* We set up PAM in the parent process, then fork. The child
743 * will then stay around until killed via PR_GET_PDEATHSIG or
744 * systemd via the cgroup logic. It will then remove the PAM
745 * session again. The parent process will exec() the actual
746 * daemon. We do things this way to ensure that the main PID
747 * of the daemon is the one we initially fork()ed. */
749 if (log_get_max_level() < LOG_PRI(LOG_DEBUG))
752 pam_code = pam_start(name, user, &conv, &handle);
753 if (pam_code != PAM_SUCCESS) {
759 pam_code = pam_set_item(handle, PAM_TTY, tty);
760 if (pam_code != PAM_SUCCESS)
764 pam_code = pam_acct_mgmt(handle, flags);
765 if (pam_code != PAM_SUCCESS)
768 pam_code = pam_open_session(handle, flags);
769 if (pam_code != PAM_SUCCESS)
772 close_session = true;
774 e = pam_getenvlist(handle);
776 pam_code = PAM_BUF_ERR;
780 /* Block SIGTERM, so that we know that it won't get lost in
782 if (sigemptyset(&ss) < 0 ||
783 sigaddset(&ss, SIGTERM) < 0 ||
784 sigprocmask(SIG_BLOCK, &ss, &old_ss) < 0)
787 parent_pid = getpid();
797 /* The child's job is to reset the PAM session on
800 /* This string must fit in 10 chars (i.e. the length
801 * of "/sbin/init"), to look pretty in /bin/ps */
802 rename_process("(sd-pam)");
804 /* Make sure we don't keep open the passed fds in this
805 child. We assume that otherwise only those fds are
806 open here that have been opened by PAM. */
807 close_many(fds, n_fds);
809 /* Drop privileges - we don't need any to pam_close_session
810 * and this will make PR_SET_PDEATHSIG work in most cases.
811 * If this fails, ignore the error - but expect sd-pam threads
812 * to fail to exit normally */
813 if (setresuid(uid, uid, uid) < 0)
814 log_error("Error: Failed to setresuid() in sd-pam: %s", strerror(-r));
816 /* Wait until our parent died. This will only work if
817 * the above setresuid() succeeds, otherwise the kernel
818 * will not allow unprivileged parents kill their privileged
819 * children this way. We rely on the control groups kill logic
820 * to do the rest for us. */
821 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
824 /* Check if our parent process might already have
826 if (getppid() == parent_pid) {
828 if (sigwait(&ss, &sig) < 0) {
835 assert(sig == SIGTERM);
840 /* If our parent died we'll end the session */
841 if (getppid() != parent_pid) {
842 pam_code = pam_close_session(handle, flags);
843 if (pam_code != PAM_SUCCESS)
850 pam_end(handle, pam_code | flags);
854 /* If the child was forked off successfully it will do all the
855 * cleanups, so forget about the handle here. */
858 /* Unblock SIGTERM again in the parent */
859 if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0)
862 /* We close the log explicitly here, since the PAM modules
863 * might have opened it, but we don't want this fd around. */
872 if (pam_code != PAM_SUCCESS) {
873 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
874 err = -EPERM; /* PAM errors do not map to errno */
876 log_error("PAM failed: %m");
882 pam_code = pam_close_session(handle, flags);
884 pam_end(handle, pam_code | flags);
892 kill(pam_pid, SIGTERM);
893 kill(pam_pid, SIGCONT);
900 static void rename_process_from_path(const char *path) {
901 char process_name[11];
905 /* This resulting string must fit in 10 chars (i.e. the length
906 * of "/sbin/init") to look pretty in /bin/ps */
910 rename_process("(...)");
916 /* The end of the process name is usually more
917 * interesting, since the first bit might just be
923 process_name[0] = '(';
924 memcpy(process_name+1, p, l);
925 process_name[1+l] = ')';
926 process_name[1+l+1] = 0;
928 rename_process(process_name);
931 static int apply_seccomp(uint32_t *syscall_filter) {
932 static const struct sock_filter header[] = {
933 VALIDATE_ARCHITECTURE,
936 static const struct sock_filter footer[] = {
942 struct sock_filter *f;
943 struct sock_fprog prog = {};
945 assert(syscall_filter);
947 /* First: count the syscalls to check for */
948 for (i = 0, n = 0; i < syscall_max(); i++)
949 if (syscall_filter[i >> 4] & (1 << (i & 31)))
952 /* Second: build the filter program from a header the syscall
953 * matches and the footer */
954 f = alloca(sizeof(struct sock_filter) * (ELEMENTSOF(header) + 2*n + ELEMENTSOF(footer)));
955 memcpy(f, header, sizeof(header));
957 for (i = 0, n = 0; i < syscall_max(); i++)
958 if (syscall_filter[i >> 4] & (1 << (i & 31))) {
959 struct sock_filter item[] = {
960 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, INDEX_TO_SYSCALL(i), 0, 1),
961 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
964 assert_cc(ELEMENTSOF(item) == 2);
966 f[ELEMENTSOF(header) + 2*n] = item[0];
967 f[ELEMENTSOF(header) + 2*n+1] = item[1];
972 memcpy(f + (ELEMENTSOF(header) + 2*n), footer, sizeof(footer));
974 /* Third: install the filter */
975 prog.len = ELEMENTSOF(header) + ELEMENTSOF(footer) + 2*n;
977 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0)
983 static void do_idle_pipe_dance(int idle_pipe[4]) {
986 if (idle_pipe[1] >= 0)
987 close_nointr_nofail(idle_pipe[1]);
988 if (idle_pipe[2] >= 0)
989 close_nointr_nofail(idle_pipe[2]);
991 if (idle_pipe[0] >= 0) {
994 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
996 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
997 /* Signal systemd that we are bored and want to continue. */
998 write(idle_pipe[3], "x", 1);
1000 /* Wait for systemd to react to the signal above. */
1001 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1004 close_nointr_nofail(idle_pipe[0]);
1008 if (idle_pipe[3] >= 0)
1009 close_nointr_nofail(idle_pipe[3]);
1012 static int build_environment(
1015 usec_t watchdog_usec,
1017 const char *username,
1021 _cleanup_strv_free_ char **our_env = NULL;
1028 our_env = new0(char*, 10);
1033 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1035 our_env[n_env++] = x;
1037 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1039 our_env[n_env++] = x;
1042 if (watchdog_usec > 0) {
1043 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1045 our_env[n_env++] = x;
1047 if (asprintf(&x, "WATCHDOG_USEC=%llu", (unsigned long long) watchdog_usec) < 0)
1049 our_env[n_env++] = x;
1053 x = strappend("HOME=", home);
1056 our_env[n_env++] = x;
1060 x = strappend("LOGNAME=", username);
1063 our_env[n_env++] = x;
1065 x = strappend("USER=", username);
1068 our_env[n_env++] = x;
1072 x = strappend("SHELL=", shell);
1075 our_env[n_env++] = x;
1078 if (is_terminal_input(c->std_input) ||
1079 c->std_output == EXEC_OUTPUT_TTY ||
1080 c->std_error == EXEC_OUTPUT_TTY ||
1083 x = strdup(default_term_for_tty(tty_path(c)));
1086 our_env[n_env++] = x;
1089 our_env[n_env++] = NULL;
1090 assert(n_env <= 10);
1098 int exec_spawn(ExecCommand *command,
1100 ExecContext *context,
1101 int fds[], unsigned n_fds,
1103 bool apply_permissions,
1105 bool apply_tty_stdin,
1107 CGroupControllerMask cgroup_supported,
1108 const char *cgroup_path,
1109 const char *unit_id,
1110 usec_t watchdog_usec,
1112 ExecRuntime *runtime,
1115 _cleanup_strv_free_ char **files_env = NULL;
1124 assert(fds || n_fds <= 0);
1126 if (context->std_input == EXEC_INPUT_SOCKET ||
1127 context->std_output == EXEC_OUTPUT_SOCKET ||
1128 context->std_error == EXEC_OUTPUT_SOCKET) {
1140 r = exec_context_load_environment(context, &files_env);
1142 log_struct_unit(LOG_ERR,
1144 "MESSAGE=Failed to load environment files: %s", strerror(-r),
1151 argv = command->argv;
1153 line = exec_command_line(argv);
1157 log_struct_unit(LOG_DEBUG,
1159 "EXECUTABLE=%s", command->path,
1160 "MESSAGE=About to execute: %s", line,
1169 _cleanup_strv_free_ char **our_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL;
1170 const char *username = NULL, *home = NULL, *shell = NULL;
1171 unsigned n_dont_close = 0;
1172 int dont_close[n_fds + 3];
1173 uid_t uid = (uid_t) -1;
1174 gid_t gid = (gid_t) -1;
1180 rename_process_from_path(command->path);
1182 /* We reset exactly these signals, since they are the
1183 * only ones we set to SIG_IGN in the main daemon. All
1184 * others we leave untouched because we set them to
1185 * SIG_DFL or a valid handler initially, both of which
1186 * will be demoted to SIG_DFL. */
1187 default_signals(SIGNALS_CRASH_HANDLER,
1188 SIGNALS_IGNORE, -1);
1190 if (context->ignore_sigpipe)
1191 ignore_signals(SIGPIPE, -1);
1193 assert_se(sigemptyset(&ss) == 0);
1194 if (sigprocmask(SIG_SETMASK, &ss, NULL) < 0) {
1196 r = EXIT_SIGNAL_MASK;
1201 do_idle_pipe_dance(idle_pipe);
1203 /* Close sockets very early to make sure we don't
1204 * block init reexecution because it cannot bind its
1209 dont_close[n_dont_close++] = socket_fd;
1211 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
1212 n_dont_close += n_fds;
1215 if (runtime->netns_storage_socket[0] >= 0)
1216 dont_close[n_dont_close++] = runtime->netns_storage_socket[0];
1217 if (runtime->netns_storage_socket[1] >= 0)
1218 dont_close[n_dont_close++] = runtime->netns_storage_socket[1];
1221 err = close_all_fds(dont_close, n_dont_close);
1227 if (!context->same_pgrp)
1234 if (context->tcpwrap_name) {
1236 if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) {
1242 for (i = 0; i < (int) n_fds; i++) {
1243 if (!socket_tcpwrap(fds[i], context->tcpwrap_name)) {
1251 exec_context_tty_reset(context);
1253 if (confirm_spawn) {
1256 err = ask_for_confirmation(&response, argv);
1257 if (err == -ETIMEDOUT)
1258 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
1260 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-err));
1261 else if (response == 's') {
1262 write_confirm_message("Skipping execution.\n");
1266 } else if (response == 'n') {
1267 write_confirm_message("Failing execution.\n");
1273 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1274 * must sure to drop O_NONBLOCK */
1276 fd_nonblock(socket_fd, false);
1278 err = setup_input(context, socket_fd, apply_tty_stdin);
1284 err = setup_output(context, STDOUT_FILENO, socket_fd, basename(command->path), unit_id, apply_tty_stdin);
1290 err = setup_output(context, STDERR_FILENO, socket_fd, basename(command->path), unit_id, apply_tty_stdin);
1297 err = cg_attach_everywhere(cgroup_supported, cgroup_path, 0);
1304 if (context->oom_score_adjust_set) {
1307 snprintf(t, sizeof(t), "%i", context->oom_score_adjust);
1310 if (write_string_file("/proc/self/oom_score_adj", t) < 0) {
1312 r = EXIT_OOM_ADJUST;
1317 if (context->nice_set)
1318 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
1324 if (context->cpu_sched_set) {
1325 struct sched_param param = {
1326 .sched_priority = context->cpu_sched_priority,
1329 r = sched_setscheduler(0,
1330 context->cpu_sched_policy |
1331 (context->cpu_sched_reset_on_fork ?
1332 SCHED_RESET_ON_FORK : 0),
1336 r = EXIT_SETSCHEDULER;
1341 if (context->cpuset)
1342 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
1344 r = EXIT_CPUAFFINITY;
1348 if (context->ioprio_set)
1349 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
1355 if (context->timer_slack_nsec != (nsec_t) -1)
1356 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
1358 r = EXIT_TIMERSLACK;
1362 if (context->utmp_id)
1363 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path);
1365 if (context->user) {
1366 username = context->user;
1367 err = get_user_creds(&username, &uid, &gid, &home, &shell);
1373 if (is_terminal_input(context->std_input)) {
1374 err = chown_terminal(STDIN_FILENO, uid);
1383 if (cgroup_path && context->user && context->pam_name) {
1384 err = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, 0644, uid, gid);
1391 err = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, 0755, uid, gid);
1399 if (apply_permissions) {
1400 err = enforce_groups(context, username, gid);
1407 umask(context->umask);
1410 if (apply_permissions && context->pam_name && username) {
1411 err = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
1418 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
1419 err = setup_netns(runtime->netns_storage_socket);
1426 if (!strv_isempty(context->read_write_dirs) ||
1427 !strv_isempty(context->read_only_dirs) ||
1428 !strv_isempty(context->inaccessible_dirs) ||
1429 context->mount_flags != 0 ||
1430 (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
1431 context->private_devices) {
1433 char *tmp = NULL, *var = NULL;
1435 /* The runtime struct only contains the parent
1436 * of the private /tmp, which is
1437 * non-accessible to world users. Inside of it
1438 * there's a /tmp that is sticky, and that's
1439 * the one we want to use here. */
1441 if (context->private_tmp && runtime) {
1442 if (runtime->tmp_dir)
1443 tmp = strappenda(runtime->tmp_dir, "/tmp");
1444 if (runtime->var_tmp_dir)
1445 var = strappenda(runtime->var_tmp_dir, "/tmp");
1448 err = setup_namespace(
1449 context->read_write_dirs,
1450 context->read_only_dirs,
1451 context->inaccessible_dirs,
1454 context->private_devices,
1455 context->mount_flags);
1464 if (context->root_directory)
1465 if (chroot(context->root_directory) < 0) {
1471 if (chdir(context->working_directory ? context->working_directory : "/") < 0) {
1477 _cleanup_free_ char *d = NULL;
1479 if (asprintf(&d, "%s/%s",
1480 context->root_directory ? context->root_directory : "",
1481 context->working_directory ? context->working_directory : "") < 0) {
1494 /* We repeat the fd closing here, to make sure that
1495 * nothing is leaked from the PAM modules */
1496 err = close_all_fds(fds, n_fds);
1498 err = shift_fds(fds, n_fds);
1500 err = flags_fds(fds, n_fds, context->non_blocking);
1506 if (apply_permissions) {
1508 for (i = 0; i < RLIMIT_NLIMITS; i++) {
1509 if (!context->rlimit[i])
1512 if (setrlimit_closest(i, context->rlimit[i]) < 0) {
1519 if (context->capability_bounding_set_drop) {
1520 err = capability_bounding_set_drop(context->capability_bounding_set_drop, false);
1522 r = EXIT_CAPABILITIES;
1527 if (context->user) {
1528 err = enforce_user(context, uid);
1535 /* PR_GET_SECUREBITS is not privileged, while
1536 * PR_SET_SECUREBITS is. So to suppress
1537 * potential EPERMs we'll try not to call
1538 * PR_SET_SECUREBITS unless necessary. */
1539 if (prctl(PR_GET_SECUREBITS) != context->secure_bits)
1540 if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
1542 r = EXIT_SECUREBITS;
1546 if (context->capabilities)
1547 if (cap_set_proc(context->capabilities) < 0) {
1549 r = EXIT_CAPABILITIES;
1553 if (context->no_new_privileges)
1554 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
1556 r = EXIT_NO_NEW_PRIVILEGES;
1560 if (context->syscall_filter) {
1561 err = apply_seccomp(context->syscall_filter);
1569 err = build_environment(context, n_fds, watchdog_usec, home, username, shell, &our_env);
1575 final_env = strv_env_merge(5,
1578 context->environment,
1588 final_argv = replace_env_argv(argv, final_env);
1595 final_env = strv_env_clean(final_env);
1597 if (_unlikely_(log_get_max_level() >= LOG_PRI(LOG_DEBUG))) {
1598 line = exec_command_line(final_argv);
1601 log_struct_unit(LOG_DEBUG,
1603 "EXECUTABLE=%s", command->path,
1604 "MESSAGE=Executing: %s", line,
1611 execve(command->path, final_argv, final_env);
1618 log_struct(LOG_ERR, MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
1619 "EXECUTABLE=%s", command->path,
1620 "MESSAGE=Failed at step %s spawning %s: %s",
1621 exit_status_to_string(r, EXIT_STATUS_SYSTEMD),
1622 command->path, strerror(-err),
1631 log_struct_unit(LOG_DEBUG,
1633 "MESSAGE=Forked %s as "PID_FMT,
1637 /* We add the new process to the cgroup both in the child (so
1638 * that we can be sure that no user code is ever executed
1639 * outside of the cgroup) and in the parent (so that we can be
1640 * sure that when we kill the cgroup the process will be
1643 cg_attach(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, pid);
1645 exec_status_start(&command->exec_status, pid);
1651 void exec_context_init(ExecContext *c) {
1655 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
1656 c->cpu_sched_policy = SCHED_OTHER;
1657 c->syslog_priority = LOG_DAEMON|LOG_INFO;
1658 c->syslog_level_prefix = true;
1659 c->ignore_sigpipe = true;
1660 c->timer_slack_nsec = (nsec_t) -1;
1663 void exec_context_done(ExecContext *c) {
1668 strv_free(c->environment);
1669 c->environment = NULL;
1671 strv_free(c->environment_files);
1672 c->environment_files = NULL;
1674 for (l = 0; l < ELEMENTSOF(c->rlimit); l++) {
1676 c->rlimit[l] = NULL;
1679 free(c->working_directory);
1680 c->working_directory = NULL;
1681 free(c->root_directory);
1682 c->root_directory = NULL;
1687 free(c->tcpwrap_name);
1688 c->tcpwrap_name = NULL;
1690 free(c->syslog_identifier);
1691 c->syslog_identifier = NULL;
1699 strv_free(c->supplementary_groups);
1700 c->supplementary_groups = NULL;
1705 if (c->capabilities) {
1706 cap_free(c->capabilities);
1707 c->capabilities = NULL;
1710 strv_free(c->read_only_dirs);
1711 c->read_only_dirs = NULL;
1713 strv_free(c->read_write_dirs);
1714 c->read_write_dirs = NULL;
1716 strv_free(c->inaccessible_dirs);
1717 c->inaccessible_dirs = NULL;
1720 CPU_FREE(c->cpuset);
1725 free(c->syscall_filter);
1726 c->syscall_filter = NULL;
1729 void exec_command_done(ExecCommand *c) {
1739 void exec_command_done_array(ExecCommand *c, unsigned n) {
1742 for (i = 0; i < n; i++)
1743 exec_command_done(c+i);
1746 void exec_command_free_list(ExecCommand *c) {
1750 LIST_REMOVE(command, c, i);
1751 exec_command_done(i);
1756 void exec_command_free_array(ExecCommand **c, unsigned n) {
1759 for (i = 0; i < n; i++) {
1760 exec_command_free_list(c[i]);
1765 int exec_context_load_environment(const ExecContext *c, char ***l) {
1766 char **i, **r = NULL;
1771 STRV_FOREACH(i, c->environment_files) {
1774 bool ignore = false;
1776 _cleanup_globfree_ glob_t pglob = {};
1786 if (!path_is_absolute(fn)) {
1794 /* Filename supports globbing, take all matching files */
1796 if (glob(fn, 0, NULL, &pglob) != 0) {
1801 return errno ? -errno : -EINVAL;
1803 count = pglob.gl_pathc;
1811 for (n = 0; n < count; n++) {
1812 k = load_env_file(pglob.gl_pathv[n], NULL, &p);
1820 /* Log invalid environment variables with filename */
1822 p = strv_env_clean_log(p, pglob.gl_pathv[n]);
1829 m = strv_env_merge(2, r, p);
1845 static bool tty_may_match_dev_console(const char *tty) {
1846 char *active = NULL, *console;
1849 if (startswith(tty, "/dev/"))
1852 /* trivial identity? */
1853 if (streq(tty, "console"))
1856 console = resolve_dev_console(&active);
1857 /* if we could not resolve, assume it may */
1861 /* "tty0" means the active VC, so it may be the same sometimes */
1862 b = streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
1868 bool exec_context_may_touch_console(ExecContext *ec) {
1869 return (ec->tty_reset || ec->tty_vhangup || ec->tty_vt_disallocate ||
1870 is_terminal_input(ec->std_input) ||
1871 is_terminal_output(ec->std_output) ||
1872 is_terminal_output(ec->std_error)) &&
1873 tty_may_match_dev_console(tty_path(ec));
1876 static void strv_fprintf(FILE *f, char **l) {
1882 fprintf(f, " %s", *g);
1885 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
1892 prefix = strempty(prefix);
1896 "%sWorkingDirectory: %s\n"
1897 "%sRootDirectory: %s\n"
1898 "%sNonBlocking: %s\n"
1899 "%sPrivateTmp: %s\n"
1900 "%sPrivateNetwork: %s\n"
1901 "%sPrivateDevices: %s\n"
1902 "%sIgnoreSIGPIPE: %s\n",
1904 prefix, c->working_directory ? c->working_directory : "/",
1905 prefix, c->root_directory ? c->root_directory : "/",
1906 prefix, yes_no(c->non_blocking),
1907 prefix, yes_no(c->private_tmp),
1908 prefix, yes_no(c->private_network),
1909 prefix, yes_no(c->private_devices),
1910 prefix, yes_no(c->ignore_sigpipe));
1912 STRV_FOREACH(e, c->environment)
1913 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
1915 STRV_FOREACH(e, c->environment_files)
1916 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
1918 if (c->tcpwrap_name)
1920 "%sTCPWrapName: %s\n",
1921 prefix, c->tcpwrap_name);
1928 if (c->oom_score_adjust_set)
1930 "%sOOMScoreAdjust: %i\n",
1931 prefix, c->oom_score_adjust);
1933 for (i = 0; i < RLIM_NLIMITS; i++)
1935 fprintf(f, "%s%s: %llu\n", prefix, rlimit_to_string(i), (unsigned long long) c->rlimit[i]->rlim_max);
1937 if (c->ioprio_set) {
1941 r = ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
1945 "%sIOSchedulingClass: %s\n"
1946 "%sIOPriority: %i\n",
1947 prefix, strna(class_str),
1948 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
1952 if (c->cpu_sched_set) {
1956 r = sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
1960 "%sCPUSchedulingPolicy: %s\n"
1961 "%sCPUSchedulingPriority: %i\n"
1962 "%sCPUSchedulingResetOnFork: %s\n",
1963 prefix, strna(policy_str),
1964 prefix, c->cpu_sched_priority,
1965 prefix, yes_no(c->cpu_sched_reset_on_fork));
1970 fprintf(f, "%sCPUAffinity:", prefix);
1971 for (i = 0; i < c->cpuset_ncpus; i++)
1972 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
1973 fprintf(f, " %u", i);
1977 if (c->timer_slack_nsec != (nsec_t) -1)
1978 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
1981 "%sStandardInput: %s\n"
1982 "%sStandardOutput: %s\n"
1983 "%sStandardError: %s\n",
1984 prefix, exec_input_to_string(c->std_input),
1985 prefix, exec_output_to_string(c->std_output),
1986 prefix, exec_output_to_string(c->std_error));
1992 "%sTTYVHangup: %s\n"
1993 "%sTTYVTDisallocate: %s\n",
1994 prefix, c->tty_path,
1995 prefix, yes_no(c->tty_reset),
1996 prefix, yes_no(c->tty_vhangup),
1997 prefix, yes_no(c->tty_vt_disallocate));
1999 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
2000 c->std_output == EXEC_OUTPUT_KMSG ||
2001 c->std_output == EXEC_OUTPUT_JOURNAL ||
2002 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2003 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2004 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
2005 c->std_error == EXEC_OUTPUT_SYSLOG ||
2006 c->std_error == EXEC_OUTPUT_KMSG ||
2007 c->std_error == EXEC_OUTPUT_JOURNAL ||
2008 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2009 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2010 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
2012 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
2014 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
2015 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
2018 "%sSyslogFacility: %s\n"
2019 "%sSyslogLevel: %s\n",
2020 prefix, strna(fac_str),
2021 prefix, strna(lvl_str));
2024 if (c->capabilities) {
2025 _cleanup_cap_free_charp_ char *t;
2027 t = cap_to_text(c->capabilities, NULL);
2029 fprintf(f, "%sCapabilities: %s\n", prefix, t);
2033 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
2035 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
2036 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
2037 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
2038 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
2039 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
2040 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
2042 if (c->capability_bounding_set_drop) {
2044 fprintf(f, "%sCapabilityBoundingSet:", prefix);
2046 for (l = 0; l <= cap_last_cap(); l++)
2047 if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) {
2048 _cleanup_cap_free_charp_ char *t;
2052 fprintf(f, " %s", t);
2059 fprintf(f, "%sUser: %s\n", prefix, c->user);
2061 fprintf(f, "%sGroup: %s\n", prefix, c->group);
2063 if (strv_length(c->supplementary_groups) > 0) {
2064 fprintf(f, "%sSupplementaryGroups:", prefix);
2065 strv_fprintf(f, c->supplementary_groups);
2070 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
2072 if (strv_length(c->read_write_dirs) > 0) {
2073 fprintf(f, "%sReadWriteDirs:", prefix);
2074 strv_fprintf(f, c->read_write_dirs);
2078 if (strv_length(c->read_only_dirs) > 0) {
2079 fprintf(f, "%sReadOnlyDirs:", prefix);
2080 strv_fprintf(f, c->read_only_dirs);
2084 if (strv_length(c->inaccessible_dirs) > 0) {
2085 fprintf(f, "%sInaccessibleDirs:", prefix);
2086 strv_fprintf(f, c->inaccessible_dirs);
2092 "%sUtmpIdentifier: %s\n",
2093 prefix, c->utmp_id);
2096 void exec_status_start(ExecStatus *s, pid_t pid) {
2101 dual_timestamp_get(&s->start_timestamp);
2104 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
2107 if (s->pid && s->pid != pid)
2111 dual_timestamp_get(&s->exit_timestamp);
2117 if (context->utmp_id)
2118 utmp_put_dead_process(context->utmp_id, pid, code, status);
2120 exec_context_tty_reset(context);
2124 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
2125 char buf[FORMAT_TIMESTAMP_MAX];
2137 "%sPID: "PID_FMT"\n",
2140 if (s->start_timestamp.realtime > 0)
2142 "%sStart Timestamp: %s\n",
2143 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
2145 if (s->exit_timestamp.realtime > 0)
2147 "%sExit Timestamp: %s\n"
2149 "%sExit Status: %i\n",
2150 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
2151 prefix, sigchld_code_to_string(s->code),
2155 char *exec_command_line(char **argv) {
2163 STRV_FOREACH(a, argv)
2166 if (!(n = new(char, k)))
2170 STRV_FOREACH(a, argv) {
2177 if (strpbrk(*a, WHITESPACE)) {
2188 /* FIXME: this doesn't really handle arguments that have
2189 * spaces and ticks in them */
2194 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
2196 const char *prefix2;
2205 p2 = strappend(prefix, "\t");
2206 prefix2 = p2 ? p2 : prefix;
2208 cmd = exec_command_line(c->argv);
2211 "%sCommand Line: %s\n",
2212 prefix, cmd ? cmd : strerror(ENOMEM));
2216 exec_status_dump(&c->exec_status, f, prefix2);
2221 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2227 LIST_FOREACH(command, c, c)
2228 exec_command_dump(c, f, prefix);
2231 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
2238 /* It's kind of important, that we keep the order here */
2239 LIST_FIND_TAIL(command, *l, end);
2240 LIST_INSERT_AFTER(command, *l, end, e);
2245 int exec_command_set(ExecCommand *c, const char *path, ...) {
2253 l = strv_new_ap(path, ap);
2274 static int exec_runtime_allocate(ExecRuntime **rt) {
2279 *rt = new0(ExecRuntime, 1);
2284 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
2289 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
2299 if (!c->private_network && !c->private_tmp)
2302 r = exec_runtime_allocate(rt);
2306 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
2307 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, (*rt)->netns_storage_socket) < 0)
2311 if (c->private_tmp && !(*rt)->tmp_dir) {
2312 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
2320 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
2322 assert(r->n_ref > 0);
2328 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
2333 assert(r->n_ref > 0);
2336 if (r->n_ref <= 0) {
2338 free(r->var_tmp_dir);
2339 close_pipe(r->netns_storage_socket);
2346 int exec_runtime_serialize(ExecRuntime *rt, Unit *u, FILE *f, FDSet *fds) {
2355 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
2357 if (rt->var_tmp_dir)
2358 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
2360 if (rt->netns_storage_socket[0] >= 0) {
2363 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
2367 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
2370 if (rt->netns_storage_socket[1] >= 0) {
2373 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
2377 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
2383 int exec_runtime_deserialize_item(ExecRuntime **rt, Unit *u, const char *key, const char *value, FDSet *fds) {
2390 if (streq(key, "tmp-dir")) {
2393 r = exec_runtime_allocate(rt);
2397 copy = strdup(value);
2401 free((*rt)->tmp_dir);
2402 (*rt)->tmp_dir = copy;
2404 } else if (streq(key, "var-tmp-dir")) {
2407 r = exec_runtime_allocate(rt);
2411 copy = strdup(value);
2415 free((*rt)->var_tmp_dir);
2416 (*rt)->var_tmp_dir = copy;
2418 } else if (streq(key, "netns-socket-0")) {
2421 r = exec_runtime_allocate(rt);
2425 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2426 log_debug_unit(u->id, "Failed to parse netns socket value %s", value);
2428 if ((*rt)->netns_storage_socket[0] >= 0)
2429 close_nointr_nofail((*rt)->netns_storage_socket[0]);
2431 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
2433 } else if (streq(key, "netns-socket-1")) {
2436 r = exec_runtime_allocate(rt);
2440 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2441 log_debug_unit(u->id, "Failed to parse netns socket value %s", value);
2443 if ((*rt)->netns_storage_socket[1] >= 0)
2444 close_nointr_nofail((*rt)->netns_storage_socket[1]);
2446 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
2454 static void *remove_tmpdir_thread(void *p) {
2455 _cleanup_free_ char *path = p;
2457 rm_rf_dangerous(path, false, true, false);
2461 void exec_runtime_destroy(ExecRuntime *rt) {
2465 /* If there are multiple users of this, let's leave the stuff around */
2470 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
2471 asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
2475 if (rt->var_tmp_dir) {
2476 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
2477 asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
2478 rt->var_tmp_dir = NULL;
2481 close_pipe(rt->netns_storage_socket);
2484 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
2485 [EXEC_INPUT_NULL] = "null",
2486 [EXEC_INPUT_TTY] = "tty",
2487 [EXEC_INPUT_TTY_FORCE] = "tty-force",
2488 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
2489 [EXEC_INPUT_SOCKET] = "socket"
2492 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
2494 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
2495 [EXEC_OUTPUT_INHERIT] = "inherit",
2496 [EXEC_OUTPUT_NULL] = "null",
2497 [EXEC_OUTPUT_TTY] = "tty",
2498 [EXEC_OUTPUT_SYSLOG] = "syslog",
2499 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
2500 [EXEC_OUTPUT_KMSG] = "kmsg",
2501 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
2502 [EXEC_OUTPUT_JOURNAL] = "journal",
2503 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
2504 [EXEC_OUTPUT_SOCKET] = "socket"
2507 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);