+ if (context->personality != 0xffffffffUL)
+ if (personality(context->personality) < 0) {
+ *error = EXIT_PERSONALITY;
+ return -errno;
+ }
+
+ if (context->utmp_id)
+ utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path);
+
+ if (context->user) {
+ username = context->user;
+ err = get_user_creds(&username, &uid, &gid, &home, &shell);
+ if (err < 0) {
+ *error = EXIT_USER;
+ return err;
+ }
+
+ if (is_terminal_input(context->std_input)) {
+ err = chown_terminal(STDIN_FILENO, uid);
+ if (err < 0) {
+ *error = EXIT_STDIN;
+ return err;
+ }
+ }
+ }
+
+#ifdef ENABLE_KDBUS
+ if (params->bus_endpoint_fd >= 0 && context->bus_endpoint) {
+ uid_t ep_uid = (uid == UID_INVALID) ? 0 : uid;
+
+ err = bus_kernel_set_endpoint_policy(params->bus_endpoint_fd, ep_uid, context->bus_endpoint);
+ if (err < 0) {
+ *error = EXIT_BUS_ENDPOINT;
+ return err;
+ }
+ }
+#endif
+
+ /* If delegation is enabled we'll pass ownership of the cgroup
+ * (but only in systemd's own controller hierarchy!) to the
+ * user of the new process. */
+ if (params->cgroup_path && context->user && params->cgroup_delegate) {
+ err = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
+ if (err < 0) {
+ *error = EXIT_CGROUP;
+ return err;
+ }
+
+
+ err = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
+ if (err < 0) {
+ *error = EXIT_CGROUP;
+ return err;
+ }
+ }
+
+ if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
+ char **rt;
+
+ STRV_FOREACH(rt, context->runtime_directory) {
+ _cleanup_free_ char *p;
+
+ p = strjoin(params->runtime_prefix, "/", *rt, NULL);
+ if (!p) {
+ *error = EXIT_RUNTIME_DIRECTORY;
+ return -ENOMEM;
+ }
+
+ err = mkdir_safe(p, context->runtime_directory_mode, uid, gid);
+ if (err < 0) {
+ *error = EXIT_RUNTIME_DIRECTORY;
+ return err;
+ }
+ }
+ }
+
+ if (params->apply_permissions) {
+ err = enforce_groups(context, username, gid);
+ if (err < 0) {
+ *error = EXIT_GROUP;
+ return err;
+ }
+ }
+
+ umask(context->umask);
+
+#ifdef HAVE_PAM
+ if (params->apply_permissions && context->pam_name && username) {
+ err = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
+ if (err < 0) {
+ *error = EXIT_PAM;
+ return err;
+ }
+ }
+#endif
+
+ if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
+ err = setup_netns(runtime->netns_storage_socket);
+ if (err < 0) {
+ *error = EXIT_NETWORK;
+ return err;
+ }
+ }
+
+ if (!strv_isempty(context->read_write_dirs) ||
+ !strv_isempty(context->read_only_dirs) ||
+ !strv_isempty(context->inaccessible_dirs) ||
+ context->mount_flags != 0 ||
+ (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
+ params->bus_endpoint_path ||
+ context->private_devices ||
+ context->protect_system != PROTECT_SYSTEM_NO ||
+ context->protect_home != PROTECT_HOME_NO) {
+
+ char *tmp = NULL, *var = NULL;
+
+ /* The runtime struct only contains the parent
+ * of the private /tmp, which is
+ * non-accessible to world users. Inside of it
+ * there's a /tmp that is sticky, and that's
+ * the one we want to use here. */
+
+ if (context->private_tmp && runtime) {
+ if (runtime->tmp_dir)
+ tmp = strappenda(runtime->tmp_dir, "/tmp");
+ if (runtime->var_tmp_dir)
+ var = strappenda(runtime->var_tmp_dir, "/tmp");
+ }
+
+ err = setup_namespace(
+ context->read_write_dirs,
+ context->read_only_dirs,
+ context->inaccessible_dirs,
+ tmp,
+ var,
+ params->bus_endpoint_path,
+ context->private_devices,
+ context->protect_home,
+ context->protect_system,
+ context->mount_flags);
+
+ if (err == -EPERM)
+ log_unit_warning_errno(params->unit_id, err, "Failed to set up file system namespace due to lack of privileges. Execution sandbox will not be in effect: %m");
+ else if (err < 0) {
+ *error = EXIT_NAMESPACE;
+ return err;
+ }
+ }
+
+ if (params->apply_chroot) {
+ if (context->root_directory)
+ if (chroot(context->root_directory) < 0) {
+ *error = EXIT_CHROOT;
+ return -errno;
+ }
+
+ if (chdir(context->working_directory ? context->working_directory : "/") < 0) {
+ *error = EXIT_CHDIR;
+ return -errno;
+ }
+ } else {
+ _cleanup_free_ char *d = NULL;
+
+ if (asprintf(&d, "%s/%s",
+ context->root_directory ? context->root_directory : "",
+ context->working_directory ? context->working_directory : "") < 0) {
+ *error = EXIT_MEMORY;
+ return -ENOMEM;
+ }
+
+ if (chdir(d) < 0) {
+ *error = EXIT_CHDIR;
+ return -errno;
+ }
+ }
+
+#ifdef HAVE_SELINUX
+ if (params->apply_permissions && mac_selinux_use() && params->selinux_context_net && socket_fd >= 0) {
+ err = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
+ if (err < 0) {
+ *error = EXIT_SELINUX_CONTEXT;
+ return err;
+ }
+ }
+#endif
+
+ /* We repeat the fd closing here, to make sure that
+ * nothing is leaked from the PAM modules. Note that
+ * we are more aggressive this time since socket_fd
+ * and the netns fds we don't need anymore. The custom
+ * endpoint fd was needed to upload the policy and can
+ * now be closed as well. */
+ err = close_all_fds(fds, n_fds);
+ if (err >= 0)
+ err = shift_fds(fds, n_fds);
+ if (err >= 0)
+ err = flags_fds(fds, n_fds, context->non_blocking);
+ if (err < 0) {
+ *error = EXIT_FDS;
+ return err;
+ }
+
+ if (params->apply_permissions) {
+
+ for (i = 0; i < _RLIMIT_MAX; i++) {
+ if (!context->rlimit[i])
+ continue;
+
+ if (setrlimit_closest(i, context->rlimit[i]) < 0) {
+ *error = EXIT_LIMITS;
+ return -errno;
+ }
+ }
+
+ if (context->capability_bounding_set_drop) {
+ err = capability_bounding_set_drop(context->capability_bounding_set_drop, false);
+ if (err < 0) {
+ *error = EXIT_CAPABILITIES;
+ return err;
+ }
+ }
+
+#ifdef HAVE_SMACK
+ if (context->smack_process_label) {
+ err = mac_smack_apply_pid(0, context->smack_process_label);
+ if (err < 0) {
+ *error = EXIT_SMACK_PROCESS_LABEL;
+ return err;
+ }
+ }
+#endif
+
+ if (context->user) {
+ err = enforce_user(context, uid);
+ if (err < 0) {
+ *error = EXIT_USER;
+ return err;
+ }
+ }
+
+ /* PR_GET_SECUREBITS is not privileged, while
+ * PR_SET_SECUREBITS is. So to suppress
+ * potential EPERMs we'll try not to call
+ * PR_SET_SECUREBITS unless necessary. */
+ if (prctl(PR_GET_SECUREBITS) != context->secure_bits)
+ if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
+ *error = EXIT_SECUREBITS;
+ return -errno;
+ }
+
+ if (context->capabilities)
+ if (cap_set_proc(context->capabilities) < 0) {
+ *error = EXIT_CAPABILITIES;
+ return -errno;
+ }
+
+ if (context->no_new_privileges)
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
+ *error = EXIT_NO_NEW_PRIVILEGES;
+ return -errno;
+ }
+
+#ifdef HAVE_SECCOMP
+ if (context->address_families_whitelist ||
+ !set_isempty(context->address_families)) {
+ err = apply_address_families(context);
+ if (err < 0) {
+ *error = EXIT_ADDRESS_FAMILIES;
+ return err;
+ }
+ }
+
+ if (context->syscall_whitelist ||
+ !set_isempty(context->syscall_filter) ||
+ !set_isempty(context->syscall_archs)) {
+ err = apply_seccomp(context);
+ if (err < 0) {
+ *error = EXIT_SECCOMP;
+ return err;
+ }
+ }
+#endif
+
+#ifdef HAVE_SELINUX
+ if (mac_selinux_use()) {
+ char *exec_context = mac_selinux_context_net ?: context->selinux_context;
+
+ if (exec_context) {
+ err = setexeccon(exec_context);
+ if (err < 0) {
+ *error = EXIT_SELINUX_CONTEXT;
+ return err;
+ }
+ }
+ }
+#endif
+
+#ifdef HAVE_APPARMOR
+ if (context->apparmor_profile && mac_apparmor_use()) {
+ err = aa_change_onexec(context->apparmor_profile);
+ if (err < 0 && !context->apparmor_profile_ignore) {
+ *error = EXIT_APPARMOR_PROFILE;
+ return -errno;
+ }
+ }
+#endif
+ }
+
+ err = build_environment(context, n_fds, params->watchdog_usec, home, username, shell, &our_env);
+ if (err < 0) {
+ *error = EXIT_MEMORY;
+ return err;
+ }
+
+ final_env = strv_env_merge(5,
+ params->environment,
+ our_env,
+ context->environment,
+ files_env,
+ pam_env,
+ NULL);
+ if (!final_env) {
+ *error = EXIT_MEMORY;
+ return -ENOMEM;
+ }
+
+ final_argv = replace_env_argv(argv, final_env);
+ if (!final_argv) {
+ *error = EXIT_MEMORY;
+ return -ENOMEM;
+ }
+
+ final_env = strv_env_clean(final_env);
+
+ if (_unlikely_(log_get_max_level() >= LOG_PRI(LOG_DEBUG))) {
+ _cleanup_free_ char *line;
+
+ line = exec_command_line(final_argv);
+ if (line) {
+ log_open();
+ log_unit_struct(params->unit_id,
+ LOG_DEBUG,
+ "EXECUTABLE=%s", command->path,
+ LOG_MESSAGE("Executing: %s", line),
+ NULL);
+ log_close();
+ }
+ }
+ execve(command->path, final_argv, final_env);
+ *error = EXIT_EXEC;
+ return -errno;
+}
+
+int exec_spawn(ExecCommand *command,
+ const ExecContext *context,
+ const ExecParameters *params,
+ ExecRuntime *runtime,
+ pid_t *ret) {
+
+ _cleanup_strv_free_ char **files_env = NULL;
+ int *fds = NULL; unsigned n_fds = 0;
+ char *line, **argv;
+ int socket_fd;
+ pid_t pid;
+ int err;
+
+ assert(command);
+ assert(context);
+ assert(ret);
+ assert(params);
+ assert(params->fds || params->n_fds <= 0);
+
+ if (context->std_input == EXEC_INPUT_SOCKET ||
+ context->std_output == EXEC_OUTPUT_SOCKET ||
+ context->std_error == EXEC_OUTPUT_SOCKET) {
+
+ if (params->n_fds != 1)
+ return -EINVAL;
+
+ socket_fd = params->fds[0];
+ } else {
+ socket_fd = -1;
+ fds = params->fds;
+ n_fds = params->n_fds;
+ }
+
+ err = exec_context_load_environment(context, params->unit_id, &files_env);
+ if (err < 0) {
+ log_unit_struct(params->unit_id,
+ LOG_ERR,
+ LOG_MESSAGE("Failed to load environment files: %s", strerror(-err)),
+ LOG_ERRNO(-err),
+ NULL);
+ return err;
+ }
+
+ argv = params->argv ?: command->argv;
+
+ line = exec_command_line(argv);
+ if (!line)
+ return log_oom();
+
+ log_unit_struct(params->unit_id,
+ LOG_DEBUG,
+ "EXECUTABLE=%s", command->path,
+ LOG_MESSAGE("About to execute: %s", line),
+ NULL);
+ free(line);
+
+ pid = fork();
+ if (pid < 0)
+ return -errno;
+
+ if (pid == 0) {
+ int r;
+
+ err = exec_child(command,
+ context,
+ params,
+ runtime,
+ argv,
+ socket_fd,
+ fds, n_fds,
+ files_env,
+ &r);
+ if (r != 0) {
+ log_open();
+ log_struct(LOG_ERR,
+ LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
+ "EXECUTABLE=%s", command->path,
+ LOG_MESSAGE("Failed at step %s spawning %s: %s",
+ exit_status_to_string(r, EXIT_STATUS_SYSTEMD),
+ command->path, strerror(-err)),
+ LOG_ERRNO(-err),
+ NULL);
+ log_close();
+ }
+
+ _exit(r);
+ }
+
+ log_unit_struct(params->unit_id,
+ LOG_DEBUG,
+ LOG_MESSAGE("Forked %s as "PID_FMT,
+ command->path, pid),
+ NULL);
+
+ /* We add the new process to the cgroup both in the child (so
+ * that we can be sure that no user code is ever executed
+ * outside of the cgroup) and in the parent (so that we can be
+ * sure that when we kill the cgroup the process will be
+ * killed too). */
+ if (params->cgroup_path)
+ cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
+
+ exec_status_start(&command->exec_status, pid);
+
+ *ret = pid;