+ if (!context->same_pgrp)
+ if (setsid() < 0) {
+ *exit_status = EXIT_SETSID;
+ return -errno;
+ }
+
+ exec_context_tty_reset(context);
+
+ if (params->confirm_spawn) {
+ char response;
+
+ r = ask_for_confirmation(&response, argv);
+ if (r == -ETIMEDOUT)
+ write_confirm_message("Confirmation question timed out, assuming positive response.\n");
+ else if (r < 0)
+ write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-r));
+ else if (response == 's') {
+ write_confirm_message("Skipping execution.\n");
+ *exit_status = EXIT_CONFIRM;
+ return -ECANCELED;
+ } else if (response == 'n') {
+ write_confirm_message("Failing execution.\n");
+ *exit_status = 0;
+ return 0;
+ }
+ }
+
+ if (context->user) {
+ username = context->user;
+ r = get_user_creds(&username, &uid, &gid, &home, &shell);
+ if (r < 0) {
+ *exit_status = EXIT_USER;
+ return r;
+ }
+ }
+
+ /* If a socket is connected to STDIN/STDOUT/STDERR, we
+ * must sure to drop O_NONBLOCK */
+ if (socket_fd >= 0)
+ fd_nonblock(socket_fd, false);
+
+ r = setup_input(context, socket_fd, params->apply_tty_stdin);
+ if (r < 0) {
+ *exit_status = EXIT_STDIN;
+ return r;
+ }
+
+ r = setup_output(context, STDOUT_FILENO, socket_fd, basename(command->path), params->unit_id, params->apply_tty_stdin, uid, gid);
+ if (r < 0) {
+ *exit_status = EXIT_STDOUT;
+ return r;
+ }
+
+ r = setup_output(context, STDERR_FILENO, socket_fd, basename(command->path), params->unit_id, params->apply_tty_stdin, uid, gid);
+ if (r < 0) {
+ *exit_status = EXIT_STDERR;
+ return r;
+ }
+
+ if (params->cgroup_path) {
+ r = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
+ if (r < 0) {
+ *exit_status = EXIT_CGROUP;
+ return r;
+ }
+ }
+
+ if (context->oom_score_adjust_set) {
+ char t[DECIMAL_STR_MAX(context->oom_score_adjust)];
+
+ /* When we can't make this change due to EPERM, then
+ * let's silently skip over it. User namespaces
+ * prohibit write access to this file, and we
+ * shouldn't trip up over that. */
+
+ sprintf(t, "%i", context->oom_score_adjust);
+ r = write_string_file("/proc/self/oom_score_adj", t);
+ if (r == -EPERM || r == -EACCES) {
+ log_open();
+ log_unit_debug_errno(params->unit_id, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
+ log_close();
+ } else if (r < 0) {
+ *exit_status = EXIT_OOM_ADJUST;
+ return -errno;
+ }
+ }
+
+ if (context->nice_set)
+ if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
+ *exit_status = EXIT_NICE;
+ return -errno;
+ }
+
+ if (context->cpu_sched_set) {
+ struct sched_param param = {
+ .sched_priority = context->cpu_sched_priority,
+ };
+
+ r = sched_setscheduler(0,
+ context->cpu_sched_policy |
+ (context->cpu_sched_reset_on_fork ?
+ SCHED_RESET_ON_FORK : 0),
+ ¶m);
+ if (r < 0) {
+ *exit_status = EXIT_SETSCHEDULER;
+ return -errno;
+ }
+ }
+
+ if (context->cpuset)
+ if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
+ *exit_status = EXIT_CPUAFFINITY;
+ return -errno;
+ }
+
+ if (context->ioprio_set)
+ if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
+ *exit_status = EXIT_IOPRIO;
+ return -errno;
+ }
+
+ if (context->timer_slack_nsec != NSEC_INFINITY)
+ if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
+ *exit_status = EXIT_TIMERSLACK;
+ return -errno;
+ }
+
+ if (context->personality != 0xffffffffUL)
+ if (personality(context->personality) < 0) {
+ *exit_status = EXIT_PERSONALITY;
+ return -errno;
+ }
+
+ if (context->utmp_id)
+ utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path);
+
+ if (context->user && is_terminal_input(context->std_input)) {
+ r = chown_terminal(STDIN_FILENO, uid);
+ if (r < 0) {
+ *exit_status = EXIT_STDIN;
+ return r;
+ }
+ }
+
+#ifdef ENABLE_KDBUS
+ if (params->bus_endpoint_fd >= 0 && context->bus_endpoint) {
+ uid_t ep_uid = (uid == UID_INVALID) ? 0 : uid;
+
+ r = bus_kernel_set_endpoint_policy(params->bus_endpoint_fd, ep_uid, context->bus_endpoint);
+ if (r < 0) {
+ *exit_status = EXIT_BUS_ENDPOINT;
+ return r;
+ }
+ }
+#endif
+
+ /* If delegation is enabled we'll pass ownership of the cgroup
+ * (but only in systemd's own controller hierarchy!) to the
+ * user of the new process. */
+ if (params->cgroup_path && context->user && params->cgroup_delegate) {
+ r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
+ if (r < 0) {
+ *exit_status = EXIT_CGROUP;
+ return r;
+ }
+
+
+ r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
+ if (r < 0) {
+ *exit_status = EXIT_CGROUP;
+ return r;
+ }
+ }
+
+ if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
+ char **rt;
+
+ STRV_FOREACH(rt, context->runtime_directory) {
+ _cleanup_free_ char *p;
+
+ p = strjoin(params->runtime_prefix, "/", *rt, NULL);
+ if (!p) {
+ *exit_status = EXIT_RUNTIME_DIRECTORY;
+ return -ENOMEM;
+ }
+
+ r = mkdir_safe_label(p, context->runtime_directory_mode, uid, gid);
+ if (r < 0) {
+ *exit_status = EXIT_RUNTIME_DIRECTORY;
+ return r;
+ }
+ }
+ }
+
+ if (params->apply_permissions) {
+ r = enforce_groups(context, username, gid);
+ if (r < 0) {
+ *exit_status = EXIT_GROUP;
+ return r;
+ }
+ }
+
+ umask(context->umask);
+
+#ifdef HAVE_PAM
+ if (params->apply_permissions && context->pam_name && username) {
+ r = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
+ if (r < 0) {
+ *exit_status = EXIT_PAM;
+ return r;
+ }
+ }
+#endif
+
+ if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
+ r = setup_netns(runtime->netns_storage_socket);
+ if (r < 0) {
+ *exit_status = EXIT_NETWORK;
+ return r;
+ }
+ }
+
+ if (!strv_isempty(context->read_write_dirs) ||
+ !strv_isempty(context->read_only_dirs) ||
+ !strv_isempty(context->inaccessible_dirs) ||
+ context->mount_flags != 0 ||
+ (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
+ params->bus_endpoint_path ||
+ context->private_devices ||
+ context->protect_system != PROTECT_SYSTEM_NO ||
+ context->protect_home != PROTECT_HOME_NO) {
+
+ char *tmp = NULL, *var = NULL;
+
+ /* The runtime struct only contains the parent
+ * of the private /tmp, which is
+ * non-accessible to world users. Inside of it
+ * there's a /tmp that is sticky, and that's
+ * the one we want to use here. */
+
+ if (context->private_tmp && runtime) {
+ if (runtime->tmp_dir)
+ tmp = strjoina(runtime->tmp_dir, "/tmp");
+ if (runtime->var_tmp_dir)
+ var = strjoina(runtime->var_tmp_dir, "/tmp");
+ }
+
+ r = setup_namespace(
+ context->read_write_dirs,
+ context->read_only_dirs,
+ context->inaccessible_dirs,
+ tmp,
+ var,
+ params->bus_endpoint_path,
+ context->private_devices,
+ context->protect_home,
+ context->protect_system,
+ context->mount_flags);
+
+ /* If we couldn't set up the namespace this is
+ * probably due to a missing capability. In this case,
+ * silently proceeed. */
+ if (r == -EPERM || r == -EACCES) {
+ log_open();
+ log_unit_debug_errno(params->unit_id, r, "Failed to set up namespace, assuming containerized execution, ignoring: %m");
+ log_close();
+ } else if (r < 0) {
+ *exit_status = EXIT_NAMESPACE;
+ return r;
+ }
+ }
+
+ if (params->apply_chroot) {
+ if (context->root_directory)
+ if (chroot(context->root_directory) < 0) {
+ *exit_status = EXIT_CHROOT;
+ return -errno;
+ }
+
+ if (chdir(context->working_directory ?: "/") < 0 &&
+ !context->working_directory_missing_ok) {
+ *exit_status = EXIT_CHDIR;
+ return -errno;
+ }
+ } else {
+ _cleanup_free_ char *d = NULL;
+
+ if (asprintf(&d, "%s/%s",
+ context->root_directory ?: "",
+ context->working_directory ?: "") < 0) {
+ *exit_status = EXIT_MEMORY;
+ return -ENOMEM;
+ }
+
+ if (chdir(d) < 0 &&
+ !context->working_directory_missing_ok) {
+ *exit_status = EXIT_CHDIR;
+ return -errno;
+ }
+ }
+
+#ifdef HAVE_SELINUX
+ if (params->apply_permissions && mac_selinux_use() && params->selinux_context_net && socket_fd >= 0) {
+ r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
+ if (r < 0) {
+ *exit_status = EXIT_SELINUX_CONTEXT;
+ return r;
+ }
+ }
+#endif
+
+ /* We repeat the fd closing here, to make sure that
+ * nothing is leaked from the PAM modules. Note that
+ * we are more aggressive this time since socket_fd
+ * and the netns fds we don't need anymore. The custom
+ * endpoint fd was needed to upload the policy and can
+ * now be closed as well. */
+ r = close_all_fds(fds, n_fds);
+ if (r >= 0)
+ r = shift_fds(fds, n_fds);
+ if (r >= 0)
+ r = flags_fds(fds, n_fds, context->non_blocking);
+ if (r < 0) {
+ *exit_status = EXIT_FDS;
+ return r;
+ }
+
+ if (params->apply_permissions) {
+
+ for (i = 0; i < _RLIMIT_MAX; i++) {
+ if (!context->rlimit[i])
+ continue;
+
+ if (setrlimit_closest(i, context->rlimit[i]) < 0) {
+ *exit_status = EXIT_LIMITS;
+ return -errno;
+ }
+ }
+
+ if (context->capability_bounding_set_drop) {
+ r = capability_bounding_set_drop(context->capability_bounding_set_drop, false);
+ if (r < 0) {
+ *exit_status = EXIT_CAPABILITIES;
+ return r;
+ }