1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
29 #include <sys/socket.h>
31 #include <sys/prctl.h>
32 #include <linux/sched.h>
33 #include <sys/types.h>
37 #include <sys/mount.h>
39 #include <linux/oom.h>
42 #include <sys/personality.h>
47 #include <security/pam_appl.h>
51 #include <selinux/selinux.h>
59 #include <sys/apparmor.h>
65 #include "capability.h"
68 #include "sd-messages.h"
70 #include "securebits.h"
71 #include "namespace.h"
73 #include "exit-status.h"
75 #include "utmp-wtmp.h"
77 #include "path-util.h"
82 #include "selinux-util.h"
83 #include "errno-list.h"
84 #include "apparmor-util.h"
87 #include "seccomp-util.h"
90 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
91 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
93 /* This assumes there is a 'tty' group */
96 #define SNDBUF_SIZE (8*1024*1024)
98 static int shift_fds(int fds[], unsigned n_fds) {
99 int start, restart_from;
104 /* Modifies the fds array! (sorts it) */
114 for (i = start; i < (int) n_fds; i++) {
117 /* Already at right index? */
121 if ((nfd = fcntl(fds[i], F_DUPFD, i+3)) < 0)
124 close_nointr_nofail(fds[i]);
127 /* Hmm, the fd we wanted isn't free? Then
128 * let's remember that and try again from here*/
129 if (nfd != i+3 && restart_from < 0)
133 if (restart_from < 0)
136 start = restart_from;
142 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
151 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
153 for (i = 0; i < n_fds; i++) {
155 if ((r = fd_nonblock(fds[i], nonblock)) < 0)
158 /* We unconditionally drop FD_CLOEXEC from the fds,
159 * since after all we want to pass these fds to our
162 if ((r = fd_cloexec(fds[i], false)) < 0)
169 _pure_ static const char *tty_path(const ExecContext *context) {
172 if (context->tty_path)
173 return context->tty_path;
175 return "/dev/console";
178 static void exec_context_tty_reset(const ExecContext *context) {
181 if (context->tty_vhangup)
182 terminal_vhangup(tty_path(context));
184 if (context->tty_reset)
185 reset_terminal(tty_path(context));
187 if (context->tty_vt_disallocate && context->tty_path)
188 vt_disallocate(context->tty_path);
191 static bool is_terminal_output(ExecOutput o) {
193 o == EXEC_OUTPUT_TTY ||
194 o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
195 o == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
196 o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE;
199 static int open_null_as(int flags, int nfd) {
204 fd = open("/dev/null", flags|O_NOCTTY);
209 r = dup2(fd, nfd) < 0 ? -errno : nfd;
210 close_nointr_nofail(fd);
217 static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd) {
219 union sockaddr_union sa = {
220 .un.sun_family = AF_UNIX,
221 .un.sun_path = "/run/systemd/journal/stdout",
225 assert(output < _EXEC_OUTPUT_MAX);
229 fd = socket(AF_UNIX, SOCK_STREAM, 0);
233 r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path));
235 close_nointr_nofail(fd);
239 if (shutdown(fd, SHUT_RD) < 0) {
240 close_nointr_nofail(fd);
244 fd_inc_sndbuf(fd, SNDBUF_SIZE);
254 context->syslog_identifier ? context->syslog_identifier : ident,
256 context->syslog_priority,
257 !!context->syslog_level_prefix,
258 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
259 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
260 is_terminal_output(output));
263 r = dup2(fd, nfd) < 0 ? -errno : nfd;
264 close_nointr_nofail(fd);
270 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
276 if ((fd = open_terminal(path, mode | O_NOCTTY)) < 0)
280 r = dup2(fd, nfd) < 0 ? -errno : nfd;
281 close_nointr_nofail(fd);
288 static bool is_terminal_input(ExecInput i) {
290 i == EXEC_INPUT_TTY ||
291 i == EXEC_INPUT_TTY_FORCE ||
292 i == EXEC_INPUT_TTY_FAIL;
295 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
297 if (is_terminal_input(std_input) && !apply_tty_stdin)
298 return EXEC_INPUT_NULL;
300 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
301 return EXEC_INPUT_NULL;
306 static int fixup_output(ExecOutput std_output, int socket_fd) {
308 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
309 return EXEC_OUTPUT_INHERIT;
314 static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty_stdin) {
319 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
323 case EXEC_INPUT_NULL:
324 return open_null_as(O_RDONLY, STDIN_FILENO);
327 case EXEC_INPUT_TTY_FORCE:
328 case EXEC_INPUT_TTY_FAIL: {
331 fd = acquire_terminal(tty_path(context),
332 i == EXEC_INPUT_TTY_FAIL,
333 i == EXEC_INPUT_TTY_FORCE,
339 if (fd != STDIN_FILENO) {
340 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
341 close_nointr_nofail(fd);
348 case EXEC_INPUT_SOCKET:
349 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
352 assert_not_reached("Unknown input type");
356 static int setup_output(const ExecContext *context, int fileno, int socket_fd, const char *ident, const char *unit_id, bool apply_tty_stdin) {
364 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
365 o = fixup_output(context->std_output, socket_fd);
367 if (fileno == STDERR_FILENO) {
369 e = fixup_output(context->std_error, socket_fd);
371 /* This expects the input and output are already set up */
373 /* Don't change the stderr file descriptor if we inherit all
374 * the way and are not on a tty */
375 if (e == EXEC_OUTPUT_INHERIT &&
376 o == EXEC_OUTPUT_INHERIT &&
377 i == EXEC_INPUT_NULL &&
378 !is_terminal_input(context->std_input) &&
382 /* Duplicate from stdout if possible */
383 if (e == o || e == EXEC_OUTPUT_INHERIT)
384 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
388 } else if (o == EXEC_OUTPUT_INHERIT) {
389 /* If input got downgraded, inherit the original value */
390 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
391 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
393 /* If the input is connected to anything that's not a /dev/null, inherit that... */
394 if (i != EXEC_INPUT_NULL)
395 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
397 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
401 /* We need to open /dev/null here anew, to get the right access mode. */
402 return open_null_as(O_WRONLY, fileno);
407 case EXEC_OUTPUT_NULL:
408 return open_null_as(O_WRONLY, fileno);
410 case EXEC_OUTPUT_TTY:
411 if (is_terminal_input(i))
412 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
414 /* We don't reset the terminal if this is just about output */
415 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
417 case EXEC_OUTPUT_SYSLOG:
418 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
419 case EXEC_OUTPUT_KMSG:
420 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
421 case EXEC_OUTPUT_JOURNAL:
422 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
423 r = connect_logger_as(context, o, ident, unit_id, fileno);
425 log_struct_unit(LOG_CRIT, unit_id,
426 "MESSAGE=Failed to connect std%s of %s to the journal socket: %s",
427 fileno == STDOUT_FILENO ? "out" : "err",
428 unit_id, strerror(-r),
431 r = open_null_as(O_WRONLY, fileno);
435 case EXEC_OUTPUT_SOCKET:
436 assert(socket_fd >= 0);
437 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
440 assert_not_reached("Unknown error type");
444 static int chown_terminal(int fd, uid_t uid) {
449 /* This might fail. What matters are the results. */
450 (void) fchown(fd, uid, -1);
451 (void) fchmod(fd, TTY_MODE);
453 if (fstat(fd, &st) < 0)
456 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
462 static int setup_confirm_stdio(int *_saved_stdin,
463 int *_saved_stdout) {
464 int fd = -1, saved_stdin, saved_stdout = -1, r;
466 assert(_saved_stdin);
467 assert(_saved_stdout);
469 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
473 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
474 if (saved_stdout < 0) {
479 fd = acquire_terminal(
484 DEFAULT_CONFIRM_USEC);
490 r = chown_terminal(fd, getuid());
494 if (dup2(fd, STDIN_FILENO) < 0) {
499 if (dup2(fd, STDOUT_FILENO) < 0) {
505 close_nointr_nofail(fd);
507 *_saved_stdin = saved_stdin;
508 *_saved_stdout = saved_stdout;
513 if (saved_stdout >= 0)
514 close_nointr_nofail(saved_stdout);
516 if (saved_stdin >= 0)
517 close_nointr_nofail(saved_stdin);
520 close_nointr_nofail(fd);
525 _printf_(1, 2) static int write_confirm_message(const char *format, ...) {
531 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
535 va_start(ap, format);
536 vdprintf(fd, format, ap);
539 close_nointr_nofail(fd);
544 static int restore_confirm_stdio(int *saved_stdin,
550 assert(saved_stdout);
554 if (*saved_stdin >= 0)
555 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
558 if (*saved_stdout >= 0)
559 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
562 if (*saved_stdin >= 0)
563 close_nointr_nofail(*saved_stdin);
565 if (*saved_stdout >= 0)
566 close_nointr_nofail(*saved_stdout);
571 static int ask_for_confirmation(char *response, char **argv) {
572 int saved_stdout = -1, saved_stdin = -1, r;
575 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
579 line = exec_command_line(argv);
583 r = ask(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
586 restore_confirm_stdio(&saved_stdin, &saved_stdout);
591 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
592 bool keep_groups = false;
597 /* Lookup and set GID and supplementary group list. Here too
598 * we avoid NSS lookups for gid=0. */
600 if (context->group || username) {
602 if (context->group) {
603 const char *g = context->group;
605 if ((r = get_group_creds(&g, &gid)) < 0)
609 /* First step, initialize groups from /etc/groups */
610 if (username && gid != 0) {
611 if (initgroups(username, gid) < 0)
617 /* Second step, set our gids */
618 if (setresgid(gid, gid, gid) < 0)
622 if (context->supplementary_groups) {
627 /* Final step, initialize any manually set supplementary groups */
628 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
630 if (!(gids = new(gid_t, ngroups_max)))
634 if ((k = getgroups(ngroups_max, gids)) < 0) {
641 STRV_FOREACH(i, context->supplementary_groups) {
644 if (k >= ngroups_max) {
650 r = get_group_creds(&g, gids+k);
659 if (setgroups(k, gids) < 0) {
670 static int enforce_user(const ExecContext *context, uid_t uid) {
673 /* Sets (but doesn't lookup) the uid and make sure we keep the
674 * capabilities while doing so. */
676 if (context->capabilities) {
677 _cleanup_cap_free_ cap_t d = NULL;
678 static const cap_value_t bits[] = {
679 CAP_SETUID, /* Necessary so that we can run setresuid() below */
680 CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
683 /* First step: If we need to keep capabilities but
684 * drop privileges we need to make sure we keep our
685 * caps, while we drop privileges. */
687 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
689 if (prctl(PR_GET_SECUREBITS) != sb)
690 if (prctl(PR_SET_SECUREBITS, sb) < 0)
694 /* Second step: set the capabilities. This will reduce
695 * the capabilities to the minimum we need. */
697 d = cap_dup(context->capabilities);
701 if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
702 cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0)
705 if (cap_set_proc(d) < 0)
709 /* Third step: actually set the uids */
710 if (setresuid(uid, uid, uid) < 0)
713 /* At this point we should have all necessary capabilities but
714 are otherwise a normal user. However, the caps might got
715 corrupted due to the setresuid() so we need clean them up
716 later. This is done outside of this call. */
723 static int null_conv(
725 const struct pam_message **msg,
726 struct pam_response **resp,
729 /* We don't support conversations */
734 static int setup_pam(
740 int fds[], unsigned n_fds) {
742 static const struct pam_conv conv = {
747 pam_handle_t *handle = NULL;
749 int pam_code = PAM_SUCCESS;
752 bool close_session = false;
753 pid_t pam_pid = 0, parent_pid;
760 /* We set up PAM in the parent process, then fork. The child
761 * will then stay around until killed via PR_GET_PDEATHSIG or
762 * systemd via the cgroup logic. It will then remove the PAM
763 * session again. The parent process will exec() the actual
764 * daemon. We do things this way to ensure that the main PID
765 * of the daemon is the one we initially fork()ed. */
767 if (log_get_max_level() < LOG_PRI(LOG_DEBUG))
770 pam_code = pam_start(name, user, &conv, &handle);
771 if (pam_code != PAM_SUCCESS) {
777 pam_code = pam_set_item(handle, PAM_TTY, tty);
778 if (pam_code != PAM_SUCCESS)
782 pam_code = pam_acct_mgmt(handle, flags);
783 if (pam_code != PAM_SUCCESS)
786 pam_code = pam_open_session(handle, flags);
787 if (pam_code != PAM_SUCCESS)
790 close_session = true;
792 e = pam_getenvlist(handle);
794 pam_code = PAM_BUF_ERR;
798 /* Block SIGTERM, so that we know that it won't get lost in
800 if (sigemptyset(&ss) < 0 ||
801 sigaddset(&ss, SIGTERM) < 0 ||
802 sigprocmask(SIG_BLOCK, &ss, &old_ss) < 0)
805 parent_pid = getpid();
815 /* The child's job is to reset the PAM session on
818 /* This string must fit in 10 chars (i.e. the length
819 * of "/sbin/init"), to look pretty in /bin/ps */
820 rename_process("(sd-pam)");
822 /* Make sure we don't keep open the passed fds in this
823 child. We assume that otherwise only those fds are
824 open here that have been opened by PAM. */
825 close_many(fds, n_fds);
827 /* Drop privileges - we don't need any to pam_close_session
828 * and this will make PR_SET_PDEATHSIG work in most cases.
829 * If this fails, ignore the error - but expect sd-pam threads
830 * to fail to exit normally */
831 if (setresuid(uid, uid, uid) < 0)
832 log_error("Error: Failed to setresuid() in sd-pam: %s", strerror(-r));
834 /* Wait until our parent died. This will only work if
835 * the above setresuid() succeeds, otherwise the kernel
836 * will not allow unprivileged parents kill their privileged
837 * children this way. We rely on the control groups kill logic
838 * to do the rest for us. */
839 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
842 /* Check if our parent process might already have
844 if (getppid() == parent_pid) {
846 if (sigwait(&ss, &sig) < 0) {
853 assert(sig == SIGTERM);
858 /* If our parent died we'll end the session */
859 if (getppid() != parent_pid) {
860 pam_code = pam_close_session(handle, flags);
861 if (pam_code != PAM_SUCCESS)
868 pam_end(handle, pam_code | flags);
872 /* If the child was forked off successfully it will do all the
873 * cleanups, so forget about the handle here. */
876 /* Unblock SIGTERM again in the parent */
877 if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0)
880 /* We close the log explicitly here, since the PAM modules
881 * might have opened it, but we don't want this fd around. */
890 if (pam_code != PAM_SUCCESS) {
891 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
892 err = -EPERM; /* PAM errors do not map to errno */
894 log_error("PAM failed: %m");
900 pam_code = pam_close_session(handle, flags);
902 pam_end(handle, pam_code | flags);
910 kill(pam_pid, SIGTERM);
911 kill(pam_pid, SIGCONT);
918 static void rename_process_from_path(const char *path) {
919 char process_name[11];
923 /* This resulting string must fit in 10 chars (i.e. the length
924 * of "/sbin/init") to look pretty in /bin/ps */
928 rename_process("(...)");
934 /* The end of the process name is usually more
935 * interesting, since the first bit might just be
941 process_name[0] = '(';
942 memcpy(process_name+1, p, l);
943 process_name[1+l] = ')';
944 process_name[1+l+1] = 0;
946 rename_process(process_name);
951 static int apply_seccomp(ExecContext *c) {
952 uint32_t negative_action, action;
953 scmp_filter_ctx *seccomp;
960 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
962 seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW);
966 if (c->syscall_archs) {
968 SET_FOREACH(id, c->syscall_archs, i) {
969 r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
973 seccomp_release(seccomp);
979 r = seccomp_add_secondary_archs(seccomp);
981 seccomp_release(seccomp);
986 action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
987 SET_FOREACH(id, c->syscall_filter, i) {
988 r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
990 seccomp_release(seccomp);
995 r = seccomp_load(seccomp);
996 seccomp_release(seccomp);
1002 static void do_idle_pipe_dance(int idle_pipe[4]) {
1005 if (idle_pipe[1] >= 0)
1006 close_nointr_nofail(idle_pipe[1]);
1007 if (idle_pipe[2] >= 0)
1008 close_nointr_nofail(idle_pipe[2]);
1010 if (idle_pipe[0] >= 0) {
1013 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1015 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
1016 /* Signal systemd that we are bored and want to continue. */
1017 write(idle_pipe[3], "x", 1);
1019 /* Wait for systemd to react to the signal above. */
1020 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1023 close_nointr_nofail(idle_pipe[0]);
1027 if (idle_pipe[3] >= 0)
1028 close_nointr_nofail(idle_pipe[3]);
1031 static int build_environment(
1034 usec_t watchdog_usec,
1036 const char *username,
1040 _cleanup_strv_free_ char **our_env = NULL;
1047 our_env = new0(char*, 10);
1052 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1054 our_env[n_env++] = x;
1056 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1058 our_env[n_env++] = x;
1061 if (watchdog_usec > 0) {
1062 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1064 our_env[n_env++] = x;
1066 if (asprintf(&x, "WATCHDOG_USEC=%llu", (unsigned long long) watchdog_usec) < 0)
1068 our_env[n_env++] = x;
1072 x = strappend("HOME=", home);
1075 our_env[n_env++] = x;
1079 x = strappend("LOGNAME=", username);
1082 our_env[n_env++] = x;
1084 x = strappend("USER=", username);
1087 our_env[n_env++] = x;
1091 x = strappend("SHELL=", shell);
1094 our_env[n_env++] = x;
1097 if (is_terminal_input(c->std_input) ||
1098 c->std_output == EXEC_OUTPUT_TTY ||
1099 c->std_error == EXEC_OUTPUT_TTY ||
1102 x = strdup(default_term_for_tty(tty_path(c)));
1105 our_env[n_env++] = x;
1108 our_env[n_env++] = NULL;
1109 assert(n_env <= 10);
1117 int exec_spawn(ExecCommand *command,
1119 ExecContext *context,
1120 int fds[], unsigned n_fds,
1122 bool apply_permissions,
1124 bool apply_tty_stdin,
1126 CGroupControllerMask cgroup_supported,
1127 const char *cgroup_path,
1128 const char *unit_id,
1129 usec_t watchdog_usec,
1131 ExecRuntime *runtime,
1134 _cleanup_strv_free_ char **files_env = NULL;
1143 assert(fds || n_fds <= 0);
1145 if (context->std_input == EXEC_INPUT_SOCKET ||
1146 context->std_output == EXEC_OUTPUT_SOCKET ||
1147 context->std_error == EXEC_OUTPUT_SOCKET) {
1159 r = exec_context_load_environment(context, &files_env);
1161 log_struct_unit(LOG_ERR,
1163 "MESSAGE=Failed to load environment files: %s", strerror(-r),
1170 argv = command->argv;
1172 line = exec_command_line(argv);
1176 log_struct_unit(LOG_DEBUG,
1178 "EXECUTABLE=%s", command->path,
1179 "MESSAGE=About to execute: %s", line,
1188 _cleanup_strv_free_ char **our_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL;
1189 const char *username = NULL, *home = NULL, *shell = NULL;
1190 unsigned n_dont_close = 0;
1191 int dont_close[n_fds + 3];
1192 uid_t uid = (uid_t) -1;
1193 gid_t gid = (gid_t) -1;
1199 rename_process_from_path(command->path);
1201 /* We reset exactly these signals, since they are the
1202 * only ones we set to SIG_IGN in the main daemon. All
1203 * others we leave untouched because we set them to
1204 * SIG_DFL or a valid handler initially, both of which
1205 * will be demoted to SIG_DFL. */
1206 default_signals(SIGNALS_CRASH_HANDLER,
1207 SIGNALS_IGNORE, -1);
1209 if (context->ignore_sigpipe)
1210 ignore_signals(SIGPIPE, -1);
1212 assert_se(sigemptyset(&ss) == 0);
1213 if (sigprocmask(SIG_SETMASK, &ss, NULL) < 0) {
1215 r = EXIT_SIGNAL_MASK;
1220 do_idle_pipe_dance(idle_pipe);
1222 /* Close sockets very early to make sure we don't
1223 * block init reexecution because it cannot bind its
1228 dont_close[n_dont_close++] = socket_fd;
1230 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
1231 n_dont_close += n_fds;
1234 if (runtime->netns_storage_socket[0] >= 0)
1235 dont_close[n_dont_close++] = runtime->netns_storage_socket[0];
1236 if (runtime->netns_storage_socket[1] >= 0)
1237 dont_close[n_dont_close++] = runtime->netns_storage_socket[1];
1240 err = close_all_fds(dont_close, n_dont_close);
1246 if (!context->same_pgrp)
1253 if (context->tcpwrap_name) {
1255 if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) {
1261 for (i = 0; i < (int) n_fds; i++) {
1262 if (!socket_tcpwrap(fds[i], context->tcpwrap_name)) {
1270 exec_context_tty_reset(context);
1272 if (confirm_spawn) {
1275 err = ask_for_confirmation(&response, argv);
1276 if (err == -ETIMEDOUT)
1277 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
1279 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-err));
1280 else if (response == 's') {
1281 write_confirm_message("Skipping execution.\n");
1285 } else if (response == 'n') {
1286 write_confirm_message("Failing execution.\n");
1292 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1293 * must sure to drop O_NONBLOCK */
1295 fd_nonblock(socket_fd, false);
1297 err = setup_input(context, socket_fd, apply_tty_stdin);
1303 err = setup_output(context, STDOUT_FILENO, socket_fd, basename(command->path), unit_id, apply_tty_stdin);
1309 err = setup_output(context, STDERR_FILENO, socket_fd, basename(command->path), unit_id, apply_tty_stdin);
1316 err = cg_attach_everywhere(cgroup_supported, cgroup_path, 0);
1323 if (context->oom_score_adjust_set) {
1326 snprintf(t, sizeof(t), "%i", context->oom_score_adjust);
1329 if (write_string_file("/proc/self/oom_score_adj", t) < 0) {
1331 r = EXIT_OOM_ADJUST;
1336 if (context->nice_set)
1337 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
1343 if (context->cpu_sched_set) {
1344 struct sched_param param = {
1345 .sched_priority = context->cpu_sched_priority,
1348 r = sched_setscheduler(0,
1349 context->cpu_sched_policy |
1350 (context->cpu_sched_reset_on_fork ?
1351 SCHED_RESET_ON_FORK : 0),
1355 r = EXIT_SETSCHEDULER;
1360 if (context->cpuset)
1361 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
1363 r = EXIT_CPUAFFINITY;
1367 if (context->ioprio_set)
1368 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
1374 if (context->timer_slack_nsec != (nsec_t) -1)
1375 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
1377 r = EXIT_TIMERSLACK;
1381 if (context->personality != 0xffffffffUL)
1382 if (personality(context->personality) < 0) {
1384 r = EXIT_PERSONALITY;
1388 if (context->utmp_id)
1389 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path);
1391 if (context->user) {
1392 username = context->user;
1393 err = get_user_creds(&username, &uid, &gid, &home, &shell);
1399 if (is_terminal_input(context->std_input)) {
1400 err = chown_terminal(STDIN_FILENO, uid);
1409 if (cgroup_path && context->user && context->pam_name) {
1410 err = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, 0644, uid, gid);
1417 err = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, 0755, uid, gid);
1425 if (apply_permissions) {
1426 err = enforce_groups(context, username, gid);
1433 umask(context->umask);
1436 if (apply_permissions && context->pam_name && username) {
1437 err = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
1444 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
1445 err = setup_netns(runtime->netns_storage_socket);
1452 if (!strv_isempty(context->read_write_dirs) ||
1453 !strv_isempty(context->read_only_dirs) ||
1454 !strv_isempty(context->inaccessible_dirs) ||
1455 context->mount_flags != 0 ||
1456 (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
1457 context->private_devices) {
1459 char *tmp = NULL, *var = NULL;
1461 /* The runtime struct only contains the parent
1462 * of the private /tmp, which is
1463 * non-accessible to world users. Inside of it
1464 * there's a /tmp that is sticky, and that's
1465 * the one we want to use here. */
1467 if (context->private_tmp && runtime) {
1468 if (runtime->tmp_dir)
1469 tmp = strappenda(runtime->tmp_dir, "/tmp");
1470 if (runtime->var_tmp_dir)
1471 var = strappenda(runtime->var_tmp_dir, "/tmp");
1474 err = setup_namespace(
1475 context->read_write_dirs,
1476 context->read_only_dirs,
1477 context->inaccessible_dirs,
1480 context->private_devices,
1481 context->mount_flags);
1490 if (context->root_directory)
1491 if (chroot(context->root_directory) < 0) {
1497 if (chdir(context->working_directory ? context->working_directory : "/") < 0) {
1503 _cleanup_free_ char *d = NULL;
1505 if (asprintf(&d, "%s/%s",
1506 context->root_directory ? context->root_directory : "",
1507 context->working_directory ? context->working_directory : "") < 0) {
1520 /* We repeat the fd closing here, to make sure that
1521 * nothing is leaked from the PAM modules */
1522 err = close_all_fds(fds, n_fds);
1524 err = shift_fds(fds, n_fds);
1526 err = flags_fds(fds, n_fds, context->non_blocking);
1532 if (apply_permissions) {
1534 for (i = 0; i < RLIMIT_NLIMITS; i++) {
1535 if (!context->rlimit[i])
1538 if (setrlimit_closest(i, context->rlimit[i]) < 0) {
1545 if (context->capability_bounding_set_drop) {
1546 err = capability_bounding_set_drop(context->capability_bounding_set_drop, false);
1548 r = EXIT_CAPABILITIES;
1553 if (context->user) {
1554 err = enforce_user(context, uid);
1561 /* PR_GET_SECUREBITS is not privileged, while
1562 * PR_SET_SECUREBITS is. So to suppress
1563 * potential EPERMs we'll try not to call
1564 * PR_SET_SECUREBITS unless necessary. */
1565 if (prctl(PR_GET_SECUREBITS) != context->secure_bits)
1566 if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
1568 r = EXIT_SECUREBITS;
1572 if (context->capabilities)
1573 if (cap_set_proc(context->capabilities) < 0) {
1575 r = EXIT_CAPABILITIES;
1579 if (context->no_new_privileges)
1580 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
1582 r = EXIT_NO_NEW_PRIVILEGES;
1587 if (context->syscall_filter || context->syscall_archs) {
1588 err = apply_seccomp(context);
1597 if (context->selinux_context && use_selinux()) {
1598 err = setexeccon(context->selinux_context);
1599 if (err < 0 && !context->selinux_context_ignore) {
1600 r = EXIT_SELINUX_CONTEXT;
1606 #ifdef HAVE_APPARMOR
1607 if (context->apparmor_profile && use_apparmor()) {
1608 err = aa_change_onexec(context->apparmor_profile);
1609 if (err < 0 && !context->apparmor_profile_ignore) {
1610 r = EXIT_APPARMOR_PROFILE;
1617 err = build_environment(context, n_fds, watchdog_usec, home, username, shell, &our_env);
1623 final_env = strv_env_merge(5,
1626 context->environment,
1636 final_argv = replace_env_argv(argv, final_env);
1643 final_env = strv_env_clean(final_env);
1645 if (_unlikely_(log_get_max_level() >= LOG_PRI(LOG_DEBUG))) {
1646 line = exec_command_line(final_argv);
1649 log_struct_unit(LOG_DEBUG,
1651 "EXECUTABLE=%s", command->path,
1652 "MESSAGE=Executing: %s", line,
1659 execve(command->path, final_argv, final_env);
1666 log_struct(LOG_ERR, MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
1667 "EXECUTABLE=%s", command->path,
1668 "MESSAGE=Failed at step %s spawning %s: %s",
1669 exit_status_to_string(r, EXIT_STATUS_SYSTEMD),
1670 command->path, strerror(-err),
1679 log_struct_unit(LOG_DEBUG,
1681 "MESSAGE=Forked %s as "PID_FMT,
1685 /* We add the new process to the cgroup both in the child (so
1686 * that we can be sure that no user code is ever executed
1687 * outside of the cgroup) and in the parent (so that we can be
1688 * sure that when we kill the cgroup the process will be
1691 cg_attach(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, pid);
1693 exec_status_start(&command->exec_status, pid);
1699 void exec_context_init(ExecContext *c) {
1703 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
1704 c->cpu_sched_policy = SCHED_OTHER;
1705 c->syslog_priority = LOG_DAEMON|LOG_INFO;
1706 c->syslog_level_prefix = true;
1707 c->ignore_sigpipe = true;
1708 c->timer_slack_nsec = (nsec_t) -1;
1709 c->personality = 0xffffffffUL;
1712 void exec_context_done(ExecContext *c) {
1717 strv_free(c->environment);
1718 c->environment = NULL;
1720 strv_free(c->environment_files);
1721 c->environment_files = NULL;
1723 for (l = 0; l < ELEMENTSOF(c->rlimit); l++) {
1725 c->rlimit[l] = NULL;
1728 free(c->working_directory);
1729 c->working_directory = NULL;
1730 free(c->root_directory);
1731 c->root_directory = NULL;
1736 free(c->tcpwrap_name);
1737 c->tcpwrap_name = NULL;
1739 free(c->syslog_identifier);
1740 c->syslog_identifier = NULL;
1748 strv_free(c->supplementary_groups);
1749 c->supplementary_groups = NULL;
1754 if (c->capabilities) {
1755 cap_free(c->capabilities);
1756 c->capabilities = NULL;
1759 strv_free(c->read_only_dirs);
1760 c->read_only_dirs = NULL;
1762 strv_free(c->read_write_dirs);
1763 c->read_write_dirs = NULL;
1765 strv_free(c->inaccessible_dirs);
1766 c->inaccessible_dirs = NULL;
1769 CPU_FREE(c->cpuset);
1774 free(c->selinux_context);
1775 c->selinux_context = NULL;
1777 free(c->apparmor_profile);
1778 c->apparmor_profile = NULL;
1781 set_free(c->syscall_filter);
1782 c->syscall_filter = NULL;
1784 set_free(c->syscall_archs);
1785 c->syscall_archs = NULL;
1789 void exec_command_done(ExecCommand *c) {
1799 void exec_command_done_array(ExecCommand *c, unsigned n) {
1802 for (i = 0; i < n; i++)
1803 exec_command_done(c+i);
1806 void exec_command_free_list(ExecCommand *c) {
1810 LIST_REMOVE(command, c, i);
1811 exec_command_done(i);
1816 void exec_command_free_array(ExecCommand **c, unsigned n) {
1819 for (i = 0; i < n; i++) {
1820 exec_command_free_list(c[i]);
1825 int exec_context_load_environment(const ExecContext *c, char ***l) {
1826 char **i, **r = NULL;
1831 STRV_FOREACH(i, c->environment_files) {
1834 bool ignore = false;
1836 _cleanup_globfree_ glob_t pglob = {};
1846 if (!path_is_absolute(fn)) {
1854 /* Filename supports globbing, take all matching files */
1856 if (glob(fn, 0, NULL, &pglob) != 0) {
1861 return errno ? -errno : -EINVAL;
1863 count = pglob.gl_pathc;
1871 for (n = 0; n < count; n++) {
1872 k = load_env_file(pglob.gl_pathv[n], NULL, &p);
1880 /* Log invalid environment variables with filename */
1882 p = strv_env_clean_log(p, pglob.gl_pathv[n]);
1889 m = strv_env_merge(2, r, p);
1905 static bool tty_may_match_dev_console(const char *tty) {
1906 char *active = NULL, *console;
1909 if (startswith(tty, "/dev/"))
1912 /* trivial identity? */
1913 if (streq(tty, "console"))
1916 console = resolve_dev_console(&active);
1917 /* if we could not resolve, assume it may */
1921 /* "tty0" means the active VC, so it may be the same sometimes */
1922 b = streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
1928 bool exec_context_may_touch_console(ExecContext *ec) {
1929 return (ec->tty_reset || ec->tty_vhangup || ec->tty_vt_disallocate ||
1930 is_terminal_input(ec->std_input) ||
1931 is_terminal_output(ec->std_output) ||
1932 is_terminal_output(ec->std_error)) &&
1933 tty_may_match_dev_console(tty_path(ec));
1936 static void strv_fprintf(FILE *f, char **l) {
1942 fprintf(f, " %s", *g);
1945 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
1952 prefix = strempty(prefix);
1956 "%sWorkingDirectory: %s\n"
1957 "%sRootDirectory: %s\n"
1958 "%sNonBlocking: %s\n"
1959 "%sPrivateTmp: %s\n"
1960 "%sPrivateNetwork: %s\n"
1961 "%sPrivateDevices: %s\n"
1962 "%sIgnoreSIGPIPE: %s\n",
1964 prefix, c->working_directory ? c->working_directory : "/",
1965 prefix, c->root_directory ? c->root_directory : "/",
1966 prefix, yes_no(c->non_blocking),
1967 prefix, yes_no(c->private_tmp),
1968 prefix, yes_no(c->private_network),
1969 prefix, yes_no(c->private_devices),
1970 prefix, yes_no(c->ignore_sigpipe));
1972 STRV_FOREACH(e, c->environment)
1973 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
1975 STRV_FOREACH(e, c->environment_files)
1976 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
1978 if (c->tcpwrap_name)
1980 "%sTCPWrapName: %s\n",
1981 prefix, c->tcpwrap_name);
1988 if (c->oom_score_adjust_set)
1990 "%sOOMScoreAdjust: %i\n",
1991 prefix, c->oom_score_adjust);
1993 for (i = 0; i < RLIM_NLIMITS; i++)
1995 fprintf(f, "%s%s: %llu\n", prefix, rlimit_to_string(i), (unsigned long long) c->rlimit[i]->rlim_max);
1997 if (c->ioprio_set) {
1998 _cleanup_free_ char *class_str = NULL;
2000 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
2002 "%sIOSchedulingClass: %s\n"
2003 "%sIOPriority: %i\n",
2004 prefix, strna(class_str),
2005 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
2008 if (c->cpu_sched_set) {
2009 _cleanup_free_ char *policy_str = NULL;
2011 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
2013 "%sCPUSchedulingPolicy: %s\n"
2014 "%sCPUSchedulingPriority: %i\n"
2015 "%sCPUSchedulingResetOnFork: %s\n",
2016 prefix, strna(policy_str),
2017 prefix, c->cpu_sched_priority,
2018 prefix, yes_no(c->cpu_sched_reset_on_fork));
2022 fprintf(f, "%sCPUAffinity:", prefix);
2023 for (i = 0; i < c->cpuset_ncpus; i++)
2024 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
2025 fprintf(f, " %u", i);
2029 if (c->timer_slack_nsec != (nsec_t) -1)
2030 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
2033 "%sStandardInput: %s\n"
2034 "%sStandardOutput: %s\n"
2035 "%sStandardError: %s\n",
2036 prefix, exec_input_to_string(c->std_input),
2037 prefix, exec_output_to_string(c->std_output),
2038 prefix, exec_output_to_string(c->std_error));
2044 "%sTTYVHangup: %s\n"
2045 "%sTTYVTDisallocate: %s\n",
2046 prefix, c->tty_path,
2047 prefix, yes_no(c->tty_reset),
2048 prefix, yes_no(c->tty_vhangup),
2049 prefix, yes_no(c->tty_vt_disallocate));
2051 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
2052 c->std_output == EXEC_OUTPUT_KMSG ||
2053 c->std_output == EXEC_OUTPUT_JOURNAL ||
2054 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2055 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2056 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
2057 c->std_error == EXEC_OUTPUT_SYSLOG ||
2058 c->std_error == EXEC_OUTPUT_KMSG ||
2059 c->std_error == EXEC_OUTPUT_JOURNAL ||
2060 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2061 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2062 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
2064 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
2066 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
2067 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
2070 "%sSyslogFacility: %s\n"
2071 "%sSyslogLevel: %s\n",
2072 prefix, strna(fac_str),
2073 prefix, strna(lvl_str));
2076 if (c->capabilities) {
2077 _cleanup_cap_free_charp_ char *t;
2079 t = cap_to_text(c->capabilities, NULL);
2081 fprintf(f, "%sCapabilities: %s\n", prefix, t);
2085 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
2087 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
2088 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
2089 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
2090 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
2091 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
2092 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
2094 if (c->capability_bounding_set_drop) {
2096 fprintf(f, "%sCapabilityBoundingSet:", prefix);
2098 for (l = 0; l <= cap_last_cap(); l++)
2099 if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) {
2100 _cleanup_cap_free_charp_ char *t;
2104 fprintf(f, " %s", t);
2111 fprintf(f, "%sUser: %s\n", prefix, c->user);
2113 fprintf(f, "%sGroup: %s\n", prefix, c->group);
2115 if (strv_length(c->supplementary_groups) > 0) {
2116 fprintf(f, "%sSupplementaryGroups:", prefix);
2117 strv_fprintf(f, c->supplementary_groups);
2122 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
2124 if (strv_length(c->read_write_dirs) > 0) {
2125 fprintf(f, "%sReadWriteDirs:", prefix);
2126 strv_fprintf(f, c->read_write_dirs);
2130 if (strv_length(c->read_only_dirs) > 0) {
2131 fprintf(f, "%sReadOnlyDirs:", prefix);
2132 strv_fprintf(f, c->read_only_dirs);
2136 if (strv_length(c->inaccessible_dirs) > 0) {
2137 fprintf(f, "%sInaccessibleDirs:", prefix);
2138 strv_fprintf(f, c->inaccessible_dirs);
2144 "%sUtmpIdentifier: %s\n",
2145 prefix, c->utmp_id);
2147 if (c->selinux_context)
2149 "%sSELinuxContext: %s%s\n",
2150 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
2152 if (c->personality != 0xffffffffUL)
2154 "%sPersonality: %s\n",
2155 prefix, strna(personality_to_string(c->personality)));
2157 if (c->syscall_filter) {
2165 "%sSystemCallFilter: ",
2168 if (!c->syscall_whitelist)
2172 SET_FOREACH(id, c->syscall_filter, j) {
2173 _cleanup_free_ char *name = NULL;
2180 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
2181 fputs(strna(name), f);
2188 if (c->syscall_archs) {
2195 "%sSystemCallArchitectures:",
2199 SET_FOREACH(id, c->syscall_archs, j)
2200 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
2205 if (c->syscall_errno != 0)
2207 "%sSystemCallErrorNumber: %s\n",
2208 prefix, strna(errno_to_name(c->syscall_errno)));
2210 if (c->apparmor_profile)
2212 "%sAppArmorProfile: %s%s\n",
2213 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
2216 void exec_status_start(ExecStatus *s, pid_t pid) {
2221 dual_timestamp_get(&s->start_timestamp);
2224 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
2227 if (s->pid && s->pid != pid)
2231 dual_timestamp_get(&s->exit_timestamp);
2237 if (context->utmp_id)
2238 utmp_put_dead_process(context->utmp_id, pid, code, status);
2240 exec_context_tty_reset(context);
2244 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
2245 char buf[FORMAT_TIMESTAMP_MAX];
2257 "%sPID: "PID_FMT"\n",
2260 if (s->start_timestamp.realtime > 0)
2262 "%sStart Timestamp: %s\n",
2263 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
2265 if (s->exit_timestamp.realtime > 0)
2267 "%sExit Timestamp: %s\n"
2269 "%sExit Status: %i\n",
2270 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
2271 prefix, sigchld_code_to_string(s->code),
2275 char *exec_command_line(char **argv) {
2283 STRV_FOREACH(a, argv)
2286 if (!(n = new(char, k)))
2290 STRV_FOREACH(a, argv) {
2297 if (strpbrk(*a, WHITESPACE)) {
2308 /* FIXME: this doesn't really handle arguments that have
2309 * spaces and ticks in them */
2314 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
2316 const char *prefix2;
2325 p2 = strappend(prefix, "\t");
2326 prefix2 = p2 ? p2 : prefix;
2328 cmd = exec_command_line(c->argv);
2331 "%sCommand Line: %s\n",
2332 prefix, cmd ? cmd : strerror(ENOMEM));
2336 exec_status_dump(&c->exec_status, f, prefix2);
2341 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2347 LIST_FOREACH(command, c, c)
2348 exec_command_dump(c, f, prefix);
2351 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
2358 /* It's kind of important, that we keep the order here */
2359 LIST_FIND_TAIL(command, *l, end);
2360 LIST_INSERT_AFTER(command, *l, end, e);
2365 int exec_command_set(ExecCommand *c, const char *path, ...) {
2373 l = strv_new_ap(path, ap);
2394 static int exec_runtime_allocate(ExecRuntime **rt) {
2399 *rt = new0(ExecRuntime, 1);
2404 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
2409 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
2419 if (!c->private_network && !c->private_tmp)
2422 r = exec_runtime_allocate(rt);
2426 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
2427 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, (*rt)->netns_storage_socket) < 0)
2431 if (c->private_tmp && !(*rt)->tmp_dir) {
2432 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
2440 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
2442 assert(r->n_ref > 0);
2448 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
2453 assert(r->n_ref > 0);
2456 if (r->n_ref <= 0) {
2458 free(r->var_tmp_dir);
2459 close_pipe(r->netns_storage_socket);
2466 int exec_runtime_serialize(ExecRuntime *rt, Unit *u, FILE *f, FDSet *fds) {
2475 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
2477 if (rt->var_tmp_dir)
2478 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
2480 if (rt->netns_storage_socket[0] >= 0) {
2483 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
2487 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
2490 if (rt->netns_storage_socket[1] >= 0) {
2493 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
2497 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
2503 int exec_runtime_deserialize_item(ExecRuntime **rt, Unit *u, const char *key, const char *value, FDSet *fds) {
2510 if (streq(key, "tmp-dir")) {
2513 r = exec_runtime_allocate(rt);
2517 copy = strdup(value);
2521 free((*rt)->tmp_dir);
2522 (*rt)->tmp_dir = copy;
2524 } else if (streq(key, "var-tmp-dir")) {
2527 r = exec_runtime_allocate(rt);
2531 copy = strdup(value);
2535 free((*rt)->var_tmp_dir);
2536 (*rt)->var_tmp_dir = copy;
2538 } else if (streq(key, "netns-socket-0")) {
2541 r = exec_runtime_allocate(rt);
2545 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2546 log_debug_unit(u->id, "Failed to parse netns socket value %s", value);
2548 if ((*rt)->netns_storage_socket[0] >= 0)
2549 close_nointr_nofail((*rt)->netns_storage_socket[0]);
2551 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
2553 } else if (streq(key, "netns-socket-1")) {
2556 r = exec_runtime_allocate(rt);
2560 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2561 log_debug_unit(u->id, "Failed to parse netns socket value %s", value);
2563 if ((*rt)->netns_storage_socket[1] >= 0)
2564 close_nointr_nofail((*rt)->netns_storage_socket[1]);
2566 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
2574 static void *remove_tmpdir_thread(void *p) {
2575 _cleanup_free_ char *path = p;
2577 rm_rf_dangerous(path, false, true, false);
2581 void exec_runtime_destroy(ExecRuntime *rt) {
2585 /* If there are multiple users of this, let's leave the stuff around */
2590 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
2591 asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
2595 if (rt->var_tmp_dir) {
2596 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
2597 asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
2598 rt->var_tmp_dir = NULL;
2601 close_pipe(rt->netns_storage_socket);
2604 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
2605 [EXEC_INPUT_NULL] = "null",
2606 [EXEC_INPUT_TTY] = "tty",
2607 [EXEC_INPUT_TTY_FORCE] = "tty-force",
2608 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
2609 [EXEC_INPUT_SOCKET] = "socket"
2612 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
2614 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
2615 [EXEC_OUTPUT_INHERIT] = "inherit",
2616 [EXEC_OUTPUT_NULL] = "null",
2617 [EXEC_OUTPUT_TTY] = "tty",
2618 [EXEC_OUTPUT_SYSLOG] = "syslog",
2619 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
2620 [EXEC_OUTPUT_KMSG] = "kmsg",
2621 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
2622 [EXEC_OUTPUT_JOURNAL] = "journal",
2623 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
2624 [EXEC_OUTPUT_SOCKET] = "socket"
2627 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);