1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
29 #include <sys/socket.h>
31 #include <sys/prctl.h>
32 #include <linux/sched.h>
33 #include <sys/types.h>
37 #include <sys/mount.h>
39 #include <linux/oom.h>
42 #include <sys/personality.h>
47 #include <security/pam_appl.h>
51 #include <selinux/selinux.h>
59 #include <sys/apparmor.h>
65 #include "capability.h"
68 #include "sd-messages.h"
70 #include "securebits.h"
71 #include "namespace.h"
72 #include "exit-status.h"
74 #include "utmp-wtmp.h"
76 #include "path-util.h"
81 #include "selinux-util.h"
82 #include "errno-list.h"
85 #include "apparmor-util.h"
86 #include "smack-util.h"
87 #include "bus-endpoint.h"
92 #include "seccomp-util.h"
95 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
96 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
98 /* This assumes there is a 'tty' group */
101 #define SNDBUF_SIZE (8*1024*1024)
103 static int shift_fds(int fds[], unsigned n_fds) {
104 int start, restart_from;
109 /* Modifies the fds array! (sorts it) */
119 for (i = start; i < (int) n_fds; i++) {
122 /* Already at right index? */
126 if ((nfd = fcntl(fds[i], F_DUPFD, i+3)) < 0)
132 /* Hmm, the fd we wanted isn't free? Then
133 * let's remember that and try again from here */
134 if (nfd != i+3 && restart_from < 0)
138 if (restart_from < 0)
141 start = restart_from;
147 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
156 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
158 for (i = 0; i < n_fds; i++) {
160 if ((r = fd_nonblock(fds[i], nonblock)) < 0)
163 /* We unconditionally drop FD_CLOEXEC from the fds,
164 * since after all we want to pass these fds to our
167 if ((r = fd_cloexec(fds[i], false)) < 0)
174 _pure_ static const char *tty_path(const ExecContext *context) {
177 if (context->tty_path)
178 return context->tty_path;
180 return "/dev/console";
183 static void exec_context_tty_reset(const ExecContext *context) {
186 if (context->tty_vhangup)
187 terminal_vhangup(tty_path(context));
189 if (context->tty_reset)
190 reset_terminal(tty_path(context));
192 if (context->tty_vt_disallocate && context->tty_path)
193 vt_disallocate(context->tty_path);
196 static bool is_terminal_output(ExecOutput o) {
198 o == EXEC_OUTPUT_TTY ||
199 o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
200 o == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
201 o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE;
204 static int open_null_as(int flags, int nfd) {
209 fd = open("/dev/null", flags|O_NOCTTY);
214 r = dup2(fd, nfd) < 0 ? -errno : nfd;
222 static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd) {
224 union sockaddr_union sa = {
225 .un.sun_family = AF_UNIX,
226 .un.sun_path = "/run/systemd/journal/stdout",
230 assert(output < _EXEC_OUTPUT_MAX);
234 fd = socket(AF_UNIX, SOCK_STREAM, 0);
238 r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path));
244 if (shutdown(fd, SHUT_RD) < 0) {
249 fd_inc_sndbuf(fd, SNDBUF_SIZE);
259 context->syslog_identifier ? context->syslog_identifier : ident,
261 context->syslog_priority,
262 !!context->syslog_level_prefix,
263 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
264 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
265 is_terminal_output(output));
268 r = dup2(fd, nfd) < 0 ? -errno : nfd;
275 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
281 if ((fd = open_terminal(path, mode | O_NOCTTY)) < 0)
285 r = dup2(fd, nfd) < 0 ? -errno : nfd;
293 static bool is_terminal_input(ExecInput i) {
295 i == EXEC_INPUT_TTY ||
296 i == EXEC_INPUT_TTY_FORCE ||
297 i == EXEC_INPUT_TTY_FAIL;
300 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
302 if (is_terminal_input(std_input) && !apply_tty_stdin)
303 return EXEC_INPUT_NULL;
305 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
306 return EXEC_INPUT_NULL;
311 static int fixup_output(ExecOutput std_output, int socket_fd) {
313 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
314 return EXEC_OUTPUT_INHERIT;
319 static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty_stdin) {
324 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
328 case EXEC_INPUT_NULL:
329 return open_null_as(O_RDONLY, STDIN_FILENO);
332 case EXEC_INPUT_TTY_FORCE:
333 case EXEC_INPUT_TTY_FAIL: {
336 fd = acquire_terminal(tty_path(context),
337 i == EXEC_INPUT_TTY_FAIL,
338 i == EXEC_INPUT_TTY_FORCE,
344 if (fd != STDIN_FILENO) {
345 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
353 case EXEC_INPUT_SOCKET:
354 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
357 assert_not_reached("Unknown input type");
361 static int setup_output(const ExecContext *context, int fileno, int socket_fd, const char *ident, const char *unit_id, bool apply_tty_stdin) {
369 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
370 o = fixup_output(context->std_output, socket_fd);
372 if (fileno == STDERR_FILENO) {
374 e = fixup_output(context->std_error, socket_fd);
376 /* This expects the input and output are already set up */
378 /* Don't change the stderr file descriptor if we inherit all
379 * the way and are not on a tty */
380 if (e == EXEC_OUTPUT_INHERIT &&
381 o == EXEC_OUTPUT_INHERIT &&
382 i == EXEC_INPUT_NULL &&
383 !is_terminal_input(context->std_input) &&
387 /* Duplicate from stdout if possible */
388 if (e == o || e == EXEC_OUTPUT_INHERIT)
389 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
393 } else if (o == EXEC_OUTPUT_INHERIT) {
394 /* If input got downgraded, inherit the original value */
395 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
396 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
398 /* If the input is connected to anything that's not a /dev/null, inherit that... */
399 if (i != EXEC_INPUT_NULL)
400 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
402 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
406 /* We need to open /dev/null here anew, to get the right access mode. */
407 return open_null_as(O_WRONLY, fileno);
412 case EXEC_OUTPUT_NULL:
413 return open_null_as(O_WRONLY, fileno);
415 case EXEC_OUTPUT_TTY:
416 if (is_terminal_input(i))
417 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
419 /* We don't reset the terminal if this is just about output */
420 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
422 case EXEC_OUTPUT_SYSLOG:
423 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
424 case EXEC_OUTPUT_KMSG:
425 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
426 case EXEC_OUTPUT_JOURNAL:
427 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
428 r = connect_logger_as(context, o, ident, unit_id, fileno);
430 log_unit_struct(unit_id,
432 LOG_MESSAGE("Failed to connect %s of %s to the journal socket: %s",
433 fileno == STDOUT_FILENO ? "stdout" : "stderr",
434 unit_id, strerror(-r)),
437 r = open_null_as(O_WRONLY, fileno);
441 case EXEC_OUTPUT_SOCKET:
442 assert(socket_fd >= 0);
443 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
446 assert_not_reached("Unknown error type");
450 static int chown_terminal(int fd, uid_t uid) {
455 /* This might fail. What matters are the results. */
456 (void) fchown(fd, uid, -1);
457 (void) fchmod(fd, TTY_MODE);
459 if (fstat(fd, &st) < 0)
462 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
468 static int setup_confirm_stdio(int *_saved_stdin,
469 int *_saved_stdout) {
470 int fd = -1, saved_stdin, saved_stdout = -1, r;
472 assert(_saved_stdin);
473 assert(_saved_stdout);
475 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
479 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
480 if (saved_stdout < 0) {
485 fd = acquire_terminal(
490 DEFAULT_CONFIRM_USEC);
496 r = chown_terminal(fd, getuid());
500 if (dup2(fd, STDIN_FILENO) < 0) {
505 if (dup2(fd, STDOUT_FILENO) < 0) {
513 *_saved_stdin = saved_stdin;
514 *_saved_stdout = saved_stdout;
519 safe_close(saved_stdout);
520 safe_close(saved_stdin);
526 _printf_(1, 2) static int write_confirm_message(const char *format, ...) {
527 _cleanup_close_ int fd = -1;
532 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
536 va_start(ap, format);
537 vdprintf(fd, format, ap);
543 static int restore_confirm_stdio(int *saved_stdin,
549 assert(saved_stdout);
553 if (*saved_stdin >= 0)
554 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
557 if (*saved_stdout >= 0)
558 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
561 safe_close(*saved_stdin);
562 safe_close(*saved_stdout);
567 static int ask_for_confirmation(char *response, char **argv) {
568 int saved_stdout = -1, saved_stdin = -1, r;
569 _cleanup_free_ char *line = NULL;
571 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
575 line = exec_command_line(argv);
579 r = ask_char(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
581 restore_confirm_stdio(&saved_stdin, &saved_stdout);
586 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
587 bool keep_groups = false;
592 /* Lookup and set GID and supplementary group list. Here too
593 * we avoid NSS lookups for gid=0. */
595 if (context->group || username) {
597 if (context->group) {
598 const char *g = context->group;
600 if ((r = get_group_creds(&g, &gid)) < 0)
604 /* First step, initialize groups from /etc/groups */
605 if (username && gid != 0) {
606 if (initgroups(username, gid) < 0)
612 /* Second step, set our gids */
613 if (setresgid(gid, gid, gid) < 0)
617 if (context->supplementary_groups) {
622 /* Final step, initialize any manually set supplementary groups */
623 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
625 if (!(gids = new(gid_t, ngroups_max)))
629 if ((k = getgroups(ngroups_max, gids)) < 0) {
636 STRV_FOREACH(i, context->supplementary_groups) {
639 if (k >= ngroups_max) {
645 r = get_group_creds(&g, gids+k);
654 if (setgroups(k, gids) < 0) {
665 static int enforce_user(const ExecContext *context, uid_t uid) {
668 /* Sets (but doesn't lookup) the uid and make sure we keep the
669 * capabilities while doing so. */
671 if (context->capabilities) {
672 _cleanup_cap_free_ cap_t d = NULL;
673 static const cap_value_t bits[] = {
674 CAP_SETUID, /* Necessary so that we can run setresuid() below */
675 CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
678 /* First step: If we need to keep capabilities but
679 * drop privileges we need to make sure we keep our
680 * caps, while we drop privileges. */
682 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
684 if (prctl(PR_GET_SECUREBITS) != sb)
685 if (prctl(PR_SET_SECUREBITS, sb) < 0)
689 /* Second step: set the capabilities. This will reduce
690 * the capabilities to the minimum we need. */
692 d = cap_dup(context->capabilities);
696 if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
697 cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0)
700 if (cap_set_proc(d) < 0)
704 /* Third step: actually set the uids */
705 if (setresuid(uid, uid, uid) < 0)
708 /* At this point we should have all necessary capabilities but
709 are otherwise a normal user. However, the caps might got
710 corrupted due to the setresuid() so we need clean them up
711 later. This is done outside of this call. */
718 static int null_conv(
720 const struct pam_message **msg,
721 struct pam_response **resp,
724 /* We don't support conversations */
729 static int setup_pam(
735 int fds[], unsigned n_fds) {
737 static const struct pam_conv conv = {
742 pam_handle_t *handle = NULL;
744 int pam_code = PAM_SUCCESS;
747 bool close_session = false;
748 pid_t pam_pid = 0, parent_pid;
755 /* We set up PAM in the parent process, then fork. The child
756 * will then stay around until killed via PR_GET_PDEATHSIG or
757 * systemd via the cgroup logic. It will then remove the PAM
758 * session again. The parent process will exec() the actual
759 * daemon. We do things this way to ensure that the main PID
760 * of the daemon is the one we initially fork()ed. */
762 if (log_get_max_level() < LOG_PRI(LOG_DEBUG))
765 pam_code = pam_start(name, user, &conv, &handle);
766 if (pam_code != PAM_SUCCESS) {
772 pam_code = pam_set_item(handle, PAM_TTY, tty);
773 if (pam_code != PAM_SUCCESS)
777 pam_code = pam_acct_mgmt(handle, flags);
778 if (pam_code != PAM_SUCCESS)
781 pam_code = pam_open_session(handle, flags);
782 if (pam_code != PAM_SUCCESS)
785 close_session = true;
787 e = pam_getenvlist(handle);
789 pam_code = PAM_BUF_ERR;
793 /* Block SIGTERM, so that we know that it won't get lost in
795 if (sigemptyset(&ss) < 0 ||
796 sigaddset(&ss, SIGTERM) < 0 ||
797 sigprocmask(SIG_BLOCK, &ss, &old_ss) < 0)
800 parent_pid = getpid();
810 /* The child's job is to reset the PAM session on
813 /* This string must fit in 10 chars (i.e. the length
814 * of "/sbin/init"), to look pretty in /bin/ps */
815 rename_process("(sd-pam)");
817 /* Make sure we don't keep open the passed fds in this
818 child. We assume that otherwise only those fds are
819 open here that have been opened by PAM. */
820 close_many(fds, n_fds);
822 /* Drop privileges - we don't need any to pam_close_session
823 * and this will make PR_SET_PDEATHSIG work in most cases.
824 * If this fails, ignore the error - but expect sd-pam threads
825 * to fail to exit normally */
826 if (setresuid(uid, uid, uid) < 0)
827 log_error_errno(r, "Error: Failed to setresuid() in sd-pam: %m");
829 /* Wait until our parent died. This will only work if
830 * the above setresuid() succeeds, otherwise the kernel
831 * will not allow unprivileged parents kill their privileged
832 * children this way. We rely on the control groups kill logic
833 * to do the rest for us. */
834 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
837 /* Check if our parent process might already have
839 if (getppid() == parent_pid) {
841 if (sigwait(&ss, &sig) < 0) {
848 assert(sig == SIGTERM);
853 /* If our parent died we'll end the session */
854 if (getppid() != parent_pid) {
855 pam_code = pam_close_session(handle, flags);
856 if (pam_code != PAM_SUCCESS)
863 pam_end(handle, pam_code | flags);
867 /* If the child was forked off successfully it will do all the
868 * cleanups, so forget about the handle here. */
871 /* Unblock SIGTERM again in the parent */
872 if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0)
875 /* We close the log explicitly here, since the PAM modules
876 * might have opened it, but we don't want this fd around. */
885 if (pam_code != PAM_SUCCESS) {
886 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
887 err = -EPERM; /* PAM errors do not map to errno */
889 log_error_errno(errno, "PAM failed: %m");
895 pam_code = pam_close_session(handle, flags);
897 pam_end(handle, pam_code | flags);
905 kill(pam_pid, SIGTERM);
906 kill(pam_pid, SIGCONT);
913 static void rename_process_from_path(const char *path) {
914 char process_name[11];
918 /* This resulting string must fit in 10 chars (i.e. the length
919 * of "/sbin/init") to look pretty in /bin/ps */
923 rename_process("(...)");
929 /* The end of the process name is usually more
930 * interesting, since the first bit might just be
936 process_name[0] = '(';
937 memcpy(process_name+1, p, l);
938 process_name[1+l] = ')';
939 process_name[1+l+1] = 0;
941 rename_process(process_name);
946 static int apply_seccomp(const ExecContext *c) {
947 uint32_t negative_action, action;
948 scmp_filter_ctx *seccomp;
955 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
957 seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW);
961 if (c->syscall_archs) {
963 SET_FOREACH(id, c->syscall_archs, i) {
964 r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
972 r = seccomp_add_secondary_archs(seccomp);
977 action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
978 SET_FOREACH(id, c->syscall_filter, i) {
979 r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
984 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
988 r = seccomp_load(seccomp);
991 seccomp_release(seccomp);
995 static int apply_address_families(const ExecContext *c) {
996 scmp_filter_ctx *seccomp;
1002 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1006 r = seccomp_add_secondary_archs(seccomp);
1010 if (c->address_families_whitelist) {
1011 int af, first = 0, last = 0;
1014 /* If this is a whitelist, we first block the address
1015 * families that are out of range and then everything
1016 * that is not in the set. First, we find the lowest
1017 * and highest address family in the set. */
1019 SET_FOREACH(afp, c->address_families, i) {
1020 af = PTR_TO_INT(afp);
1022 if (af <= 0 || af >= af_max())
1025 if (first == 0 || af < first)
1028 if (last == 0 || af > last)
1032 assert((first == 0) == (last == 0));
1036 /* No entries in the valid range, block everything */
1037 r = seccomp_rule_add(
1039 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1047 /* Block everything below the first entry */
1048 r = seccomp_rule_add(
1050 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1053 SCMP_A0(SCMP_CMP_LT, first));
1057 /* Block everything above the last entry */
1058 r = seccomp_rule_add(
1060 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1063 SCMP_A0(SCMP_CMP_GT, last));
1067 /* Block everything between the first and last
1069 for (af = 1; af < af_max(); af++) {
1071 if (set_contains(c->address_families, INT_TO_PTR(af)))
1074 r = seccomp_rule_add(
1076 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1079 SCMP_A0(SCMP_CMP_EQ, af));
1088 /* If this is a blacklist, then generate one rule for
1089 * each address family that are then combined in OR
1092 SET_FOREACH(af, c->address_families, i) {
1094 r = seccomp_rule_add(
1096 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1099 SCMP_A0(SCMP_CMP_EQ, PTR_TO_INT(af)));
1105 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1109 r = seccomp_load(seccomp);
1112 seccomp_release(seccomp);
1118 static void do_idle_pipe_dance(int idle_pipe[4]) {
1122 safe_close(idle_pipe[1]);
1123 safe_close(idle_pipe[2]);
1125 if (idle_pipe[0] >= 0) {
1128 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1130 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
1131 /* Signal systemd that we are bored and want to continue. */
1132 write(idle_pipe[3], "x", 1);
1134 /* Wait for systemd to react to the signal above. */
1135 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1138 safe_close(idle_pipe[0]);
1142 safe_close(idle_pipe[3]);
1145 static int build_environment(
1146 const ExecContext *c,
1148 usec_t watchdog_usec,
1150 const char *username,
1154 _cleanup_strv_free_ char **our_env = NULL;
1161 our_env = new0(char*, 10);
1166 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1168 our_env[n_env++] = x;
1170 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1172 our_env[n_env++] = x;
1175 if (watchdog_usec > 0) {
1176 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1178 our_env[n_env++] = x;
1180 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, watchdog_usec) < 0)
1182 our_env[n_env++] = x;
1186 x = strappend("HOME=", home);
1189 our_env[n_env++] = x;
1193 x = strappend("LOGNAME=", username);
1196 our_env[n_env++] = x;
1198 x = strappend("USER=", username);
1201 our_env[n_env++] = x;
1205 x = strappend("SHELL=", shell);
1208 our_env[n_env++] = x;
1211 if (is_terminal_input(c->std_input) ||
1212 c->std_output == EXEC_OUTPUT_TTY ||
1213 c->std_error == EXEC_OUTPUT_TTY ||
1216 x = strdup(default_term_for_tty(tty_path(c)));
1219 our_env[n_env++] = x;
1222 our_env[n_env++] = NULL;
1223 assert(n_env <= 10);
1231 static int exec_child(ExecCommand *command,
1232 const ExecContext *context,
1233 const ExecParameters *params,
1234 ExecRuntime *runtime,
1237 int *fds, unsigned n_fds,
1241 _cleanup_strv_free_ char **our_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL;
1242 _cleanup_free_ char *mac_selinux_context_net = NULL;
1243 const char *username = NULL, *home = NULL, *shell = NULL;
1244 unsigned n_dont_close = 0;
1245 int dont_close[n_fds + 4];
1246 uid_t uid = UID_INVALID;
1247 gid_t gid = GID_INVALID;
1255 rename_process_from_path(command->path);
1257 /* We reset exactly these signals, since they are the
1258 * only ones we set to SIG_IGN in the main daemon. All
1259 * others we leave untouched because we set them to
1260 * SIG_DFL or a valid handler initially, both of which
1261 * will be demoted to SIG_DFL. */
1262 default_signals(SIGNALS_CRASH_HANDLER,
1263 SIGNALS_IGNORE, -1);
1265 if (context->ignore_sigpipe)
1266 ignore_signals(SIGPIPE, -1);
1268 err = reset_signal_mask();
1270 *error = EXIT_SIGNAL_MASK;
1274 if (params->idle_pipe)
1275 do_idle_pipe_dance(params->idle_pipe);
1277 /* Close sockets very early to make sure we don't
1278 * block init reexecution because it cannot bind its
1283 dont_close[n_dont_close++] = socket_fd;
1285 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
1286 n_dont_close += n_fds;
1288 if (params->bus_endpoint_fd >= 0)
1289 dont_close[n_dont_close++] = params->bus_endpoint_fd;
1291 if (runtime->netns_storage_socket[0] >= 0)
1292 dont_close[n_dont_close++] = runtime->netns_storage_socket[0];
1293 if (runtime->netns_storage_socket[1] >= 0)
1294 dont_close[n_dont_close++] = runtime->netns_storage_socket[1];
1297 err = close_all_fds(dont_close, n_dont_close);
1303 if (!context->same_pgrp)
1305 *error = EXIT_SETSID;
1309 exec_context_tty_reset(context);
1311 if (params->confirm_spawn) {
1314 err = ask_for_confirmation(&response, argv);
1315 if (err == -ETIMEDOUT)
1316 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
1318 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-err));
1319 else if (response == 's') {
1320 write_confirm_message("Skipping execution.\n");
1321 *error = EXIT_CONFIRM;
1323 } else if (response == 'n') {
1324 write_confirm_message("Failing execution.\n");
1330 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1331 * must sure to drop O_NONBLOCK */
1333 fd_nonblock(socket_fd, false);
1335 err = setup_input(context, socket_fd, params->apply_tty_stdin);
1337 *error = EXIT_STDIN;
1341 err = setup_output(context, STDOUT_FILENO, socket_fd, basename(command->path), params->unit_id, params->apply_tty_stdin);
1343 *error = EXIT_STDOUT;
1347 err = setup_output(context, STDERR_FILENO, socket_fd, basename(command->path), params->unit_id, params->apply_tty_stdin);
1349 *error = EXIT_STDERR;
1353 if (params->cgroup_path) {
1354 err = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
1356 *error = EXIT_CGROUP;
1361 if (context->oom_score_adjust_set) {
1364 snprintf(t, sizeof(t), "%i", context->oom_score_adjust);
1367 if (write_string_file("/proc/self/oom_score_adj", t) < 0) {
1368 *error = EXIT_OOM_ADJUST;
1373 if (context->nice_set)
1374 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
1379 if (context->cpu_sched_set) {
1380 struct sched_param param = {
1381 .sched_priority = context->cpu_sched_priority,
1384 err = sched_setscheduler(0,
1385 context->cpu_sched_policy |
1386 (context->cpu_sched_reset_on_fork ?
1387 SCHED_RESET_ON_FORK : 0),
1390 *error = EXIT_SETSCHEDULER;
1395 if (context->cpuset)
1396 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
1397 *error = EXIT_CPUAFFINITY;
1401 if (context->ioprio_set)
1402 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
1403 *error = EXIT_IOPRIO;
1407 if (context->timer_slack_nsec != NSEC_INFINITY)
1408 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
1409 *error = EXIT_TIMERSLACK;
1413 if (context->personality != 0xffffffffUL)
1414 if (personality(context->personality) < 0) {
1415 *error = EXIT_PERSONALITY;
1419 if (context->utmp_id)
1420 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path);
1422 if (context->user) {
1423 username = context->user;
1424 err = get_user_creds(&username, &uid, &gid, &home, &shell);
1430 if (is_terminal_input(context->std_input)) {
1431 err = chown_terminal(STDIN_FILENO, uid);
1433 *error = EXIT_STDIN;
1440 if (params->bus_endpoint_fd >= 0 && context->bus_endpoint) {
1441 uid_t ep_uid = (uid == UID_INVALID) ? 0 : uid;
1443 err = bus_kernel_set_endpoint_policy(params->bus_endpoint_fd, ep_uid, context->bus_endpoint);
1445 *error = EXIT_BUS_ENDPOINT;
1451 /* If delegation is enabled we'll pass ownership of the cgroup
1452 * (but only in systemd's own controller hierarchy!) to the
1453 * user of the new process. */
1454 if (params->cgroup_path && context->user && params->cgroup_delegate) {
1455 err = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
1457 *error = EXIT_CGROUP;
1462 err = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
1464 *error = EXIT_CGROUP;
1469 if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
1472 STRV_FOREACH(rt, context->runtime_directory) {
1473 _cleanup_free_ char *p;
1475 p = strjoin(params->runtime_prefix, "/", *rt, NULL);
1477 *error = EXIT_RUNTIME_DIRECTORY;
1481 err = mkdir_safe(p, context->runtime_directory_mode, uid, gid);
1483 *error = EXIT_RUNTIME_DIRECTORY;
1489 if (params->apply_permissions) {
1490 err = enforce_groups(context, username, gid);
1492 *error = EXIT_GROUP;
1497 umask(context->umask);
1500 if (params->apply_permissions && context->pam_name && username) {
1501 err = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
1509 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
1510 err = setup_netns(runtime->netns_storage_socket);
1512 *error = EXIT_NETWORK;
1517 if (!strv_isempty(context->read_write_dirs) ||
1518 !strv_isempty(context->read_only_dirs) ||
1519 !strv_isempty(context->inaccessible_dirs) ||
1520 context->mount_flags != 0 ||
1521 (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
1522 params->bus_endpoint_path ||
1523 context->private_devices ||
1524 context->protect_system != PROTECT_SYSTEM_NO ||
1525 context->protect_home != PROTECT_HOME_NO) {
1527 char *tmp = NULL, *var = NULL;
1529 /* The runtime struct only contains the parent
1530 * of the private /tmp, which is
1531 * non-accessible to world users. Inside of it
1532 * there's a /tmp that is sticky, and that's
1533 * the one we want to use here. */
1535 if (context->private_tmp && runtime) {
1536 if (runtime->tmp_dir)
1537 tmp = strappenda(runtime->tmp_dir, "/tmp");
1538 if (runtime->var_tmp_dir)
1539 var = strappenda(runtime->var_tmp_dir, "/tmp");
1542 err = setup_namespace(
1543 context->read_write_dirs,
1544 context->read_only_dirs,
1545 context->inaccessible_dirs,
1548 params->bus_endpoint_path,
1549 context->private_devices,
1550 context->protect_home,
1551 context->protect_system,
1552 context->mount_flags);
1555 log_unit_warning_errno(params->unit_id, err, "Failed to set up file system namespace due to lack of privileges. Execution sandbox will not be in effect: %m");
1557 *error = EXIT_NAMESPACE;
1562 if (params->apply_chroot) {
1563 if (context->root_directory)
1564 if (chroot(context->root_directory) < 0) {
1565 *error = EXIT_CHROOT;
1569 if (chdir(context->working_directory ? context->working_directory : "/") < 0) {
1570 *error = EXIT_CHDIR;
1574 _cleanup_free_ char *d = NULL;
1576 if (asprintf(&d, "%s/%s",
1577 context->root_directory ? context->root_directory : "",
1578 context->working_directory ? context->working_directory : "") < 0) {
1579 *error = EXIT_MEMORY;
1584 *error = EXIT_CHDIR;
1590 if (params->apply_permissions && mac_selinux_use() && params->selinux_context_net && socket_fd >= 0) {
1591 err = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
1593 *error = EXIT_SELINUX_CONTEXT;
1599 /* We repeat the fd closing here, to make sure that
1600 * nothing is leaked from the PAM modules. Note that
1601 * we are more aggressive this time since socket_fd
1602 * and the netns fds we don't need anymore. The custom
1603 * endpoint fd was needed to upload the policy and can
1604 * now be closed as well. */
1605 err = close_all_fds(fds, n_fds);
1607 err = shift_fds(fds, n_fds);
1609 err = flags_fds(fds, n_fds, context->non_blocking);
1615 if (params->apply_permissions) {
1617 for (i = 0; i < _RLIMIT_MAX; i++) {
1618 if (!context->rlimit[i])
1621 if (setrlimit_closest(i, context->rlimit[i]) < 0) {
1622 *error = EXIT_LIMITS;
1627 if (context->capability_bounding_set_drop) {
1628 err = capability_bounding_set_drop(context->capability_bounding_set_drop, false);
1630 *error = EXIT_CAPABILITIES;
1636 if (context->smack_process_label) {
1637 err = mac_smack_apply_pid(0, context->smack_process_label);
1639 *error = EXIT_SMACK_PROCESS_LABEL;
1645 if (context->user) {
1646 err = enforce_user(context, uid);
1653 /* PR_GET_SECUREBITS is not privileged, while
1654 * PR_SET_SECUREBITS is. So to suppress
1655 * potential EPERMs we'll try not to call
1656 * PR_SET_SECUREBITS unless necessary. */
1657 if (prctl(PR_GET_SECUREBITS) != context->secure_bits)
1658 if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
1659 *error = EXIT_SECUREBITS;
1663 if (context->capabilities)
1664 if (cap_set_proc(context->capabilities) < 0) {
1665 *error = EXIT_CAPABILITIES;
1669 if (context->no_new_privileges)
1670 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
1671 *error = EXIT_NO_NEW_PRIVILEGES;
1676 if (context->address_families_whitelist ||
1677 !set_isempty(context->address_families)) {
1678 err = apply_address_families(context);
1680 *error = EXIT_ADDRESS_FAMILIES;
1685 if (context->syscall_whitelist ||
1686 !set_isempty(context->syscall_filter) ||
1687 !set_isempty(context->syscall_archs)) {
1688 err = apply_seccomp(context);
1690 *error = EXIT_SECCOMP;
1697 if (mac_selinux_use()) {
1698 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
1701 err = setexeccon(exec_context);
1703 *error = EXIT_SELINUX_CONTEXT;
1710 #ifdef HAVE_APPARMOR
1711 if (context->apparmor_profile && mac_apparmor_use()) {
1712 err = aa_change_onexec(context->apparmor_profile);
1713 if (err < 0 && !context->apparmor_profile_ignore) {
1714 *error = EXIT_APPARMOR_PROFILE;
1721 err = build_environment(context, n_fds, params->watchdog_usec, home, username, shell, &our_env);
1723 *error = EXIT_MEMORY;
1727 final_env = strv_env_merge(5,
1728 params->environment,
1730 context->environment,
1735 *error = EXIT_MEMORY;
1739 final_argv = replace_env_argv(argv, final_env);
1741 *error = EXIT_MEMORY;
1745 final_env = strv_env_clean(final_env);
1747 if (_unlikely_(log_get_max_level() >= LOG_PRI(LOG_DEBUG))) {
1748 _cleanup_free_ char *line;
1750 line = exec_command_line(final_argv);
1753 log_unit_struct(params->unit_id,
1755 "EXECUTABLE=%s", command->path,
1756 LOG_MESSAGE("Executing: %s", line),
1761 execve(command->path, final_argv, final_env);
1766 int exec_spawn(ExecCommand *command,
1767 const ExecContext *context,
1768 const ExecParameters *params,
1769 ExecRuntime *runtime,
1772 _cleanup_strv_free_ char **files_env = NULL;
1773 int *fds = NULL; unsigned n_fds = 0;
1783 assert(params->fds || params->n_fds <= 0);
1785 if (context->std_input == EXEC_INPUT_SOCKET ||
1786 context->std_output == EXEC_OUTPUT_SOCKET ||
1787 context->std_error == EXEC_OUTPUT_SOCKET) {
1789 if (params->n_fds != 1)
1792 socket_fd = params->fds[0];
1796 n_fds = params->n_fds;
1799 err = exec_context_load_environment(context, params->unit_id, &files_env);
1801 log_unit_struct(params->unit_id,
1803 LOG_MESSAGE("Failed to load environment files: %s", strerror(-err)),
1809 argv = params->argv ?: command->argv;
1811 line = exec_command_line(argv);
1815 log_unit_struct(params->unit_id,
1817 "EXECUTABLE=%s", command->path,
1818 LOG_MESSAGE("About to execute: %s", line),
1829 err = exec_child(command,
1841 LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
1842 "EXECUTABLE=%s", command->path,
1843 LOG_MESSAGE("Failed at step %s spawning %s: %s",
1844 exit_status_to_string(r, EXIT_STATUS_SYSTEMD),
1845 command->path, strerror(-err)),
1854 log_unit_struct(params->unit_id,
1856 LOG_MESSAGE("Forked %s as "PID_FMT,
1857 command->path, pid),
1860 /* We add the new process to the cgroup both in the child (so
1861 * that we can be sure that no user code is ever executed
1862 * outside of the cgroup) and in the parent (so that we can be
1863 * sure that when we kill the cgroup the process will be
1865 if (params->cgroup_path)
1866 cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
1868 exec_status_start(&command->exec_status, pid);
1874 void exec_context_init(ExecContext *c) {
1878 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
1879 c->cpu_sched_policy = SCHED_OTHER;
1880 c->syslog_priority = LOG_DAEMON|LOG_INFO;
1881 c->syslog_level_prefix = true;
1882 c->ignore_sigpipe = true;
1883 c->timer_slack_nsec = NSEC_INFINITY;
1884 c->personality = 0xffffffffUL;
1885 c->runtime_directory_mode = 0755;
1888 void exec_context_done(ExecContext *c) {
1893 strv_free(c->environment);
1894 c->environment = NULL;
1896 strv_free(c->environment_files);
1897 c->environment_files = NULL;
1899 for (l = 0; l < ELEMENTSOF(c->rlimit); l++) {
1901 c->rlimit[l] = NULL;
1904 free(c->working_directory);
1905 c->working_directory = NULL;
1906 free(c->root_directory);
1907 c->root_directory = NULL;
1912 free(c->syslog_identifier);
1913 c->syslog_identifier = NULL;
1921 strv_free(c->supplementary_groups);
1922 c->supplementary_groups = NULL;
1927 if (c->capabilities) {
1928 cap_free(c->capabilities);
1929 c->capabilities = NULL;
1932 strv_free(c->read_only_dirs);
1933 c->read_only_dirs = NULL;
1935 strv_free(c->read_write_dirs);
1936 c->read_write_dirs = NULL;
1938 strv_free(c->inaccessible_dirs);
1939 c->inaccessible_dirs = NULL;
1942 CPU_FREE(c->cpuset);
1947 free(c->selinux_context);
1948 c->selinux_context = NULL;
1950 free(c->apparmor_profile);
1951 c->apparmor_profile = NULL;
1953 set_free(c->syscall_filter);
1954 c->syscall_filter = NULL;
1956 set_free(c->syscall_archs);
1957 c->syscall_archs = NULL;
1959 set_free(c->address_families);
1960 c->address_families = NULL;
1962 strv_free(c->runtime_directory);
1963 c->runtime_directory = NULL;
1965 bus_endpoint_free(c->bus_endpoint);
1966 c->bus_endpoint = NULL;
1969 int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
1974 if (!runtime_prefix)
1977 STRV_FOREACH(i, c->runtime_directory) {
1978 _cleanup_free_ char *p;
1980 p = strjoin(runtime_prefix, "/", *i, NULL);
1984 /* We execute this synchronously, since we need to be
1985 * sure this is gone when we start the service
1987 rm_rf(p, false, true, false);
1993 void exec_command_done(ExecCommand *c) {
2003 void exec_command_done_array(ExecCommand *c, unsigned n) {
2006 for (i = 0; i < n; i++)
2007 exec_command_done(c+i);
2010 ExecCommand* exec_command_free_list(ExecCommand *c) {
2014 LIST_REMOVE(command, c, i);
2015 exec_command_done(i);
2022 void exec_command_free_array(ExecCommand **c, unsigned n) {
2025 for (i = 0; i < n; i++)
2026 c[i] = exec_command_free_list(c[i]);
2029 typedef struct InvalidEnvInfo {
2030 const char *unit_id;
2034 static void invalid_env(const char *p, void *userdata) {
2035 InvalidEnvInfo *info = userdata;
2037 log_unit_error(info->unit_id, "Ignoring invalid environment assignment '%s': %s", p, info->path);
2040 int exec_context_load_environment(const ExecContext *c, const char *unit_id, char ***l) {
2041 char **i, **r = NULL;
2046 STRV_FOREACH(i, c->environment_files) {
2049 bool ignore = false;
2051 _cleanup_globfree_ glob_t pglob = {};
2061 if (!path_is_absolute(fn)) {
2069 /* Filename supports globbing, take all matching files */
2071 if (glob(fn, 0, NULL, &pglob) != 0) {
2076 return errno ? -errno : -EINVAL;
2078 count = pglob.gl_pathc;
2086 for (n = 0; n < count; n++) {
2087 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
2095 /* Log invalid environment variables with filename */
2097 InvalidEnvInfo info = {
2099 .path = pglob.gl_pathv[n]
2102 p = strv_env_clean_with_callback(p, invalid_env, &info);
2110 m = strv_env_merge(2, r, p);
2126 static bool tty_may_match_dev_console(const char *tty) {
2127 _cleanup_free_ char *active = NULL;
2130 if (startswith(tty, "/dev/"))
2133 /* trivial identity? */
2134 if (streq(tty, "console"))
2137 console = resolve_dev_console(&active);
2138 /* if we could not resolve, assume it may */
2142 /* "tty0" means the active VC, so it may be the same sometimes */
2143 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
2146 bool exec_context_may_touch_console(ExecContext *ec) {
2147 return (ec->tty_reset || ec->tty_vhangup || ec->tty_vt_disallocate ||
2148 is_terminal_input(ec->std_input) ||
2149 is_terminal_output(ec->std_output) ||
2150 is_terminal_output(ec->std_error)) &&
2151 tty_may_match_dev_console(tty_path(ec));
2154 static void strv_fprintf(FILE *f, char **l) {
2160 fprintf(f, " %s", *g);
2163 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
2170 prefix = strempty(prefix);
2174 "%sWorkingDirectory: %s\n"
2175 "%sRootDirectory: %s\n"
2176 "%sNonBlocking: %s\n"
2177 "%sPrivateTmp: %s\n"
2178 "%sPrivateNetwork: %s\n"
2179 "%sPrivateDevices: %s\n"
2180 "%sProtectHome: %s\n"
2181 "%sProtectSystem: %s\n"
2182 "%sIgnoreSIGPIPE: %s\n",
2184 prefix, c->working_directory ? c->working_directory : "/",
2185 prefix, c->root_directory ? c->root_directory : "/",
2186 prefix, yes_no(c->non_blocking),
2187 prefix, yes_no(c->private_tmp),
2188 prefix, yes_no(c->private_network),
2189 prefix, yes_no(c->private_devices),
2190 prefix, protect_home_to_string(c->protect_home),
2191 prefix, protect_system_to_string(c->protect_system),
2192 prefix, yes_no(c->ignore_sigpipe));
2194 STRV_FOREACH(e, c->environment)
2195 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
2197 STRV_FOREACH(e, c->environment_files)
2198 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
2205 if (c->oom_score_adjust_set)
2207 "%sOOMScoreAdjust: %i\n",
2208 prefix, c->oom_score_adjust);
2210 for (i = 0; i < RLIM_NLIMITS; i++)
2212 fprintf(f, "%s%s: "RLIM_FMT"\n",
2213 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
2215 if (c->ioprio_set) {
2216 _cleanup_free_ char *class_str = NULL;
2218 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
2220 "%sIOSchedulingClass: %s\n"
2221 "%sIOPriority: %i\n",
2222 prefix, strna(class_str),
2223 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
2226 if (c->cpu_sched_set) {
2227 _cleanup_free_ char *policy_str = NULL;
2229 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
2231 "%sCPUSchedulingPolicy: %s\n"
2232 "%sCPUSchedulingPriority: %i\n"
2233 "%sCPUSchedulingResetOnFork: %s\n",
2234 prefix, strna(policy_str),
2235 prefix, c->cpu_sched_priority,
2236 prefix, yes_no(c->cpu_sched_reset_on_fork));
2240 fprintf(f, "%sCPUAffinity:", prefix);
2241 for (i = 0; i < c->cpuset_ncpus; i++)
2242 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
2243 fprintf(f, " %u", i);
2247 if (c->timer_slack_nsec != NSEC_INFINITY)
2248 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
2251 "%sStandardInput: %s\n"
2252 "%sStandardOutput: %s\n"
2253 "%sStandardError: %s\n",
2254 prefix, exec_input_to_string(c->std_input),
2255 prefix, exec_output_to_string(c->std_output),
2256 prefix, exec_output_to_string(c->std_error));
2262 "%sTTYVHangup: %s\n"
2263 "%sTTYVTDisallocate: %s\n",
2264 prefix, c->tty_path,
2265 prefix, yes_no(c->tty_reset),
2266 prefix, yes_no(c->tty_vhangup),
2267 prefix, yes_no(c->tty_vt_disallocate));
2269 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
2270 c->std_output == EXEC_OUTPUT_KMSG ||
2271 c->std_output == EXEC_OUTPUT_JOURNAL ||
2272 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2273 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2274 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
2275 c->std_error == EXEC_OUTPUT_SYSLOG ||
2276 c->std_error == EXEC_OUTPUT_KMSG ||
2277 c->std_error == EXEC_OUTPUT_JOURNAL ||
2278 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2279 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2280 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
2282 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
2284 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
2285 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
2288 "%sSyslogFacility: %s\n"
2289 "%sSyslogLevel: %s\n",
2290 prefix, strna(fac_str),
2291 prefix, strna(lvl_str));
2294 if (c->capabilities) {
2295 _cleanup_cap_free_charp_ char *t;
2297 t = cap_to_text(c->capabilities, NULL);
2299 fprintf(f, "%sCapabilities: %s\n", prefix, t);
2303 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
2305 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
2306 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
2307 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
2308 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
2309 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
2310 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
2312 if (c->capability_bounding_set_drop) {
2314 fprintf(f, "%sCapabilityBoundingSet:", prefix);
2316 for (l = 0; l <= cap_last_cap(); l++)
2317 if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l)))
2318 fprintf(f, " %s", strna(capability_to_name(l)));
2324 fprintf(f, "%sUser: %s\n", prefix, c->user);
2326 fprintf(f, "%sGroup: %s\n", prefix, c->group);
2328 if (strv_length(c->supplementary_groups) > 0) {
2329 fprintf(f, "%sSupplementaryGroups:", prefix);
2330 strv_fprintf(f, c->supplementary_groups);
2335 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
2337 if (strv_length(c->read_write_dirs) > 0) {
2338 fprintf(f, "%sReadWriteDirs:", prefix);
2339 strv_fprintf(f, c->read_write_dirs);
2343 if (strv_length(c->read_only_dirs) > 0) {
2344 fprintf(f, "%sReadOnlyDirs:", prefix);
2345 strv_fprintf(f, c->read_only_dirs);
2349 if (strv_length(c->inaccessible_dirs) > 0) {
2350 fprintf(f, "%sInaccessibleDirs:", prefix);
2351 strv_fprintf(f, c->inaccessible_dirs);
2357 "%sUtmpIdentifier: %s\n",
2358 prefix, c->utmp_id);
2360 if (c->selinux_context)
2362 "%sSELinuxContext: %s%s\n",
2363 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
2365 if (c->personality != 0xffffffffUL)
2367 "%sPersonality: %s\n",
2368 prefix, strna(personality_to_string(c->personality)));
2370 if (c->syscall_filter) {
2378 "%sSystemCallFilter: ",
2381 if (!c->syscall_whitelist)
2385 SET_FOREACH(id, c->syscall_filter, j) {
2386 _cleanup_free_ char *name = NULL;
2393 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
2394 fputs(strna(name), f);
2401 if (c->syscall_archs) {
2408 "%sSystemCallArchitectures:",
2412 SET_FOREACH(id, c->syscall_archs, j)
2413 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
2418 if (c->syscall_errno != 0)
2420 "%sSystemCallErrorNumber: %s\n",
2421 prefix, strna(errno_to_name(c->syscall_errno)));
2423 if (c->apparmor_profile)
2425 "%sAppArmorProfile: %s%s\n",
2426 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
2429 bool exec_context_maintains_privileges(ExecContext *c) {
2432 /* Returns true if the process forked off would run run under
2433 * an unchanged UID or as root. */
2438 if (streq(c->user, "root") || streq(c->user, "0"))
2444 void exec_status_start(ExecStatus *s, pid_t pid) {
2449 dual_timestamp_get(&s->start_timestamp);
2452 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
2455 if (s->pid && s->pid != pid)
2459 dual_timestamp_get(&s->exit_timestamp);
2465 if (context->utmp_id)
2466 utmp_put_dead_process(context->utmp_id, pid, code, status);
2468 exec_context_tty_reset(context);
2472 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
2473 char buf[FORMAT_TIMESTAMP_MAX];
2481 prefix = strempty(prefix);
2484 "%sPID: "PID_FMT"\n",
2487 if (s->start_timestamp.realtime > 0)
2489 "%sStart Timestamp: %s\n",
2490 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
2492 if (s->exit_timestamp.realtime > 0)
2494 "%sExit Timestamp: %s\n"
2496 "%sExit Status: %i\n",
2497 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
2498 prefix, sigchld_code_to_string(s->code),
2502 char *exec_command_line(char **argv) {
2510 STRV_FOREACH(a, argv)
2513 if (!(n = new(char, k)))
2517 STRV_FOREACH(a, argv) {
2524 if (strpbrk(*a, WHITESPACE)) {
2535 /* FIXME: this doesn't really handle arguments that have
2536 * spaces and ticks in them */
2541 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
2542 _cleanup_free_ char *cmd = NULL;
2543 const char *prefix2;
2548 prefix = strempty(prefix);
2549 prefix2 = strappenda(prefix, "\t");
2551 cmd = exec_command_line(c->argv);
2553 "%sCommand Line: %s\n",
2554 prefix, cmd ? cmd : strerror(ENOMEM));
2556 exec_status_dump(&c->exec_status, f, prefix2);
2559 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2562 prefix = strempty(prefix);
2564 LIST_FOREACH(command, c, c)
2565 exec_command_dump(c, f, prefix);
2568 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
2575 /* It's kind of important, that we keep the order here */
2576 LIST_FIND_TAIL(command, *l, end);
2577 LIST_INSERT_AFTER(command, *l, end, e);
2582 int exec_command_set(ExecCommand *c, const char *path, ...) {
2590 l = strv_new_ap(path, ap);
2611 int exec_command_append(ExecCommand *c, const char *path, ...) {
2612 _cleanup_strv_free_ char **l = NULL;
2620 l = strv_new_ap(path, ap);
2626 r = strv_extend_strv(&c->argv, l);
2634 static int exec_runtime_allocate(ExecRuntime **rt) {
2639 *rt = new0(ExecRuntime, 1);
2644 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
2649 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
2659 if (!c->private_network && !c->private_tmp)
2662 r = exec_runtime_allocate(rt);
2666 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
2667 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, (*rt)->netns_storage_socket) < 0)
2671 if (c->private_tmp && !(*rt)->tmp_dir) {
2672 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
2680 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
2682 assert(r->n_ref > 0);
2688 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
2693 assert(r->n_ref > 0);
2696 if (r->n_ref <= 0) {
2698 free(r->var_tmp_dir);
2699 safe_close_pair(r->netns_storage_socket);
2706 int exec_runtime_serialize(ExecRuntime *rt, Unit *u, FILE *f, FDSet *fds) {
2715 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
2717 if (rt->var_tmp_dir)
2718 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
2720 if (rt->netns_storage_socket[0] >= 0) {
2723 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
2727 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
2730 if (rt->netns_storage_socket[1] >= 0) {
2733 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
2737 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
2743 int exec_runtime_deserialize_item(ExecRuntime **rt, Unit *u, const char *key, const char *value, FDSet *fds) {
2750 if (streq(key, "tmp-dir")) {
2753 r = exec_runtime_allocate(rt);
2757 copy = strdup(value);
2761 free((*rt)->tmp_dir);
2762 (*rt)->tmp_dir = copy;
2764 } else if (streq(key, "var-tmp-dir")) {
2767 r = exec_runtime_allocate(rt);
2771 copy = strdup(value);
2775 free((*rt)->var_tmp_dir);
2776 (*rt)->var_tmp_dir = copy;
2778 } else if (streq(key, "netns-socket-0")) {
2781 r = exec_runtime_allocate(rt);
2785 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2786 log_unit_debug(u->id, "Failed to parse netns socket value %s", value);
2788 safe_close((*rt)->netns_storage_socket[0]);
2789 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
2791 } else if (streq(key, "netns-socket-1")) {
2794 r = exec_runtime_allocate(rt);
2798 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2799 log_unit_debug(u->id, "Failed to parse netns socket value %s", value);
2801 safe_close((*rt)->netns_storage_socket[1]);
2802 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
2810 static void *remove_tmpdir_thread(void *p) {
2811 _cleanup_free_ char *path = p;
2813 rm_rf_dangerous(path, false, true, false);
2817 void exec_runtime_destroy(ExecRuntime *rt) {
2823 /* If there are multiple users of this, let's leave the stuff around */
2828 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
2830 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
2832 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
2839 if (rt->var_tmp_dir) {
2840 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
2842 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
2844 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
2845 free(rt->var_tmp_dir);
2848 rt->var_tmp_dir = NULL;
2851 safe_close_pair(rt->netns_storage_socket);
2854 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
2855 [EXEC_INPUT_NULL] = "null",
2856 [EXEC_INPUT_TTY] = "tty",
2857 [EXEC_INPUT_TTY_FORCE] = "tty-force",
2858 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
2859 [EXEC_INPUT_SOCKET] = "socket"
2862 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
2864 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
2865 [EXEC_OUTPUT_INHERIT] = "inherit",
2866 [EXEC_OUTPUT_NULL] = "null",
2867 [EXEC_OUTPUT_TTY] = "tty",
2868 [EXEC_OUTPUT_SYSLOG] = "syslog",
2869 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
2870 [EXEC_OUTPUT_KMSG] = "kmsg",
2871 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
2872 [EXEC_OUTPUT_JOURNAL] = "journal",
2873 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
2874 [EXEC_OUTPUT_SOCKET] = "socket"
2877 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);