1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
29 #include <sys/socket.h>
31 #include <sys/prctl.h>
32 #include <linux/sched.h>
33 #include <sys/types.h>
37 #include <sys/mount.h>
39 #include <linux/oom.h>
41 #include <linux/seccomp-bpf.h>
47 #include <security/pam_appl.h>
51 #include <selinux/selinux.h>
57 #include "capability.h"
60 #include "sd-messages.h"
62 #include "securebits.h"
63 #include "namespace.h"
65 #include "exit-status.h"
67 #include "utmp-wtmp.h"
69 #include "path-util.h"
70 #include "syscall-list.h"
76 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
77 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
79 /* This assumes there is a 'tty' group */
82 #define SNDBUF_SIZE (8*1024*1024)
84 static int shift_fds(int fds[], unsigned n_fds) {
85 int start, restart_from;
90 /* Modifies the fds array! (sorts it) */
100 for (i = start; i < (int) n_fds; i++) {
103 /* Already at right index? */
107 if ((nfd = fcntl(fds[i], F_DUPFD, i+3)) < 0)
110 close_nointr_nofail(fds[i]);
113 /* Hmm, the fd we wanted isn't free? Then
114 * let's remember that and try again from here*/
115 if (nfd != i+3 && restart_from < 0)
119 if (restart_from < 0)
122 start = restart_from;
128 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
137 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
139 for (i = 0; i < n_fds; i++) {
141 if ((r = fd_nonblock(fds[i], nonblock)) < 0)
144 /* We unconditionally drop FD_CLOEXEC from the fds,
145 * since after all we want to pass these fds to our
148 if ((r = fd_cloexec(fds[i], false)) < 0)
155 _pure_ static const char *tty_path(const ExecContext *context) {
158 if (context->tty_path)
159 return context->tty_path;
161 return "/dev/console";
164 static void exec_context_tty_reset(const ExecContext *context) {
167 if (context->tty_vhangup)
168 terminal_vhangup(tty_path(context));
170 if (context->tty_reset)
171 reset_terminal(tty_path(context));
173 if (context->tty_vt_disallocate && context->tty_path)
174 vt_disallocate(context->tty_path);
177 static bool is_terminal_output(ExecOutput o) {
179 o == EXEC_OUTPUT_TTY ||
180 o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
181 o == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
182 o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE;
185 static int open_null_as(int flags, int nfd) {
190 fd = open("/dev/null", flags|O_NOCTTY);
195 r = dup2(fd, nfd) < 0 ? -errno : nfd;
196 close_nointr_nofail(fd);
203 static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd) {
205 union sockaddr_union sa = {
206 .un.sun_family = AF_UNIX,
207 .un.sun_path = "/run/systemd/journal/stdout",
211 assert(output < _EXEC_OUTPUT_MAX);
215 fd = socket(AF_UNIX, SOCK_STREAM, 0);
219 r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path));
221 close_nointr_nofail(fd);
225 if (shutdown(fd, SHUT_RD) < 0) {
226 close_nointr_nofail(fd);
230 fd_inc_sndbuf(fd, SNDBUF_SIZE);
240 context->syslog_identifier ? context->syslog_identifier : ident,
242 context->syslog_priority,
243 !!context->syslog_level_prefix,
244 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
245 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
246 is_terminal_output(output));
249 r = dup2(fd, nfd) < 0 ? -errno : nfd;
250 close_nointr_nofail(fd);
256 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
262 if ((fd = open_terminal(path, mode | O_NOCTTY)) < 0)
266 r = dup2(fd, nfd) < 0 ? -errno : nfd;
267 close_nointr_nofail(fd);
274 static bool is_terminal_input(ExecInput i) {
276 i == EXEC_INPUT_TTY ||
277 i == EXEC_INPUT_TTY_FORCE ||
278 i == EXEC_INPUT_TTY_FAIL;
281 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
283 if (is_terminal_input(std_input) && !apply_tty_stdin)
284 return EXEC_INPUT_NULL;
286 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
287 return EXEC_INPUT_NULL;
292 static int fixup_output(ExecOutput std_output, int socket_fd) {
294 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
295 return EXEC_OUTPUT_INHERIT;
300 static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty_stdin) {
305 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
309 case EXEC_INPUT_NULL:
310 return open_null_as(O_RDONLY, STDIN_FILENO);
313 case EXEC_INPUT_TTY_FORCE:
314 case EXEC_INPUT_TTY_FAIL: {
317 fd = acquire_terminal(tty_path(context),
318 i == EXEC_INPUT_TTY_FAIL,
319 i == EXEC_INPUT_TTY_FORCE,
325 if (fd != STDIN_FILENO) {
326 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
327 close_nointr_nofail(fd);
334 case EXEC_INPUT_SOCKET:
335 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
338 assert_not_reached("Unknown input type");
342 static int setup_output(const ExecContext *context, int fileno, int socket_fd, const char *ident, const char *unit_id, bool apply_tty_stdin) {
350 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
351 o = fixup_output(context->std_output, socket_fd);
353 if (fileno == STDERR_FILENO) {
355 e = fixup_output(context->std_error, socket_fd);
357 /* This expects the input and output are already set up */
359 /* Don't change the stderr file descriptor if we inherit all
360 * the way and are not on a tty */
361 if (e == EXEC_OUTPUT_INHERIT &&
362 o == EXEC_OUTPUT_INHERIT &&
363 i == EXEC_INPUT_NULL &&
364 !is_terminal_input(context->std_input) &&
368 /* Duplicate from stdout if possible */
369 if (e == o || e == EXEC_OUTPUT_INHERIT)
370 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
374 } else if (o == EXEC_OUTPUT_INHERIT) {
375 /* If input got downgraded, inherit the original value */
376 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
377 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
379 /* If the input is connected to anything that's not a /dev/null, inherit that... */
380 if (i != EXEC_INPUT_NULL)
381 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
383 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
387 /* We need to open /dev/null here anew, to get the right access mode. */
388 return open_null_as(O_WRONLY, fileno);
393 case EXEC_OUTPUT_NULL:
394 return open_null_as(O_WRONLY, fileno);
396 case EXEC_OUTPUT_TTY:
397 if (is_terminal_input(i))
398 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
400 /* We don't reset the terminal if this is just about output */
401 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
403 case EXEC_OUTPUT_SYSLOG:
404 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
405 case EXEC_OUTPUT_KMSG:
406 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
407 case EXEC_OUTPUT_JOURNAL:
408 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
409 r = connect_logger_as(context, o, ident, unit_id, fileno);
411 log_struct_unit(LOG_CRIT, unit_id,
412 "MESSAGE=Failed to connect std%s of %s to the journal socket: %s",
413 fileno == STDOUT_FILENO ? "out" : "err",
414 unit_id, strerror(-r),
417 r = open_null_as(O_WRONLY, fileno);
421 case EXEC_OUTPUT_SOCKET:
422 assert(socket_fd >= 0);
423 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
426 assert_not_reached("Unknown error type");
430 static int chown_terminal(int fd, uid_t uid) {
435 /* This might fail. What matters are the results. */
436 (void) fchown(fd, uid, -1);
437 (void) fchmod(fd, TTY_MODE);
439 if (fstat(fd, &st) < 0)
442 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
448 static int setup_confirm_stdio(int *_saved_stdin,
449 int *_saved_stdout) {
450 int fd = -1, saved_stdin, saved_stdout = -1, r;
452 assert(_saved_stdin);
453 assert(_saved_stdout);
455 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
459 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
460 if (saved_stdout < 0) {
465 fd = acquire_terminal(
470 DEFAULT_CONFIRM_USEC);
476 r = chown_terminal(fd, getuid());
480 if (dup2(fd, STDIN_FILENO) < 0) {
485 if (dup2(fd, STDOUT_FILENO) < 0) {
491 close_nointr_nofail(fd);
493 *_saved_stdin = saved_stdin;
494 *_saved_stdout = saved_stdout;
499 if (saved_stdout >= 0)
500 close_nointr_nofail(saved_stdout);
502 if (saved_stdin >= 0)
503 close_nointr_nofail(saved_stdin);
506 close_nointr_nofail(fd);
511 _printf_(1, 2) static int write_confirm_message(const char *format, ...) {
517 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
521 va_start(ap, format);
522 vdprintf(fd, format, ap);
525 close_nointr_nofail(fd);
530 static int restore_confirm_stdio(int *saved_stdin,
536 assert(saved_stdout);
540 if (*saved_stdin >= 0)
541 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
544 if (*saved_stdout >= 0)
545 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
548 if (*saved_stdin >= 0)
549 close_nointr_nofail(*saved_stdin);
551 if (*saved_stdout >= 0)
552 close_nointr_nofail(*saved_stdout);
557 static int ask_for_confirmation(char *response, char **argv) {
558 int saved_stdout = -1, saved_stdin = -1, r;
561 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
565 line = exec_command_line(argv);
569 r = ask(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
572 restore_confirm_stdio(&saved_stdin, &saved_stdout);
577 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
578 bool keep_groups = false;
583 /* Lookup and set GID and supplementary group list. Here too
584 * we avoid NSS lookups for gid=0. */
586 if (context->group || username) {
588 if (context->group) {
589 const char *g = context->group;
591 if ((r = get_group_creds(&g, &gid)) < 0)
595 /* First step, initialize groups from /etc/groups */
596 if (username && gid != 0) {
597 if (initgroups(username, gid) < 0)
603 /* Second step, set our gids */
604 if (setresgid(gid, gid, gid) < 0)
608 if (context->supplementary_groups) {
613 /* Final step, initialize any manually set supplementary groups */
614 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
616 if (!(gids = new(gid_t, ngroups_max)))
620 if ((k = getgroups(ngroups_max, gids)) < 0) {
627 STRV_FOREACH(i, context->supplementary_groups) {
630 if (k >= ngroups_max) {
636 r = get_group_creds(&g, gids+k);
645 if (setgroups(k, gids) < 0) {
656 static int enforce_user(const ExecContext *context, uid_t uid) {
659 /* Sets (but doesn't lookup) the uid and make sure we keep the
660 * capabilities while doing so. */
662 if (context->capabilities) {
663 _cleanup_cap_free_ cap_t d = NULL;
664 static const cap_value_t bits[] = {
665 CAP_SETUID, /* Necessary so that we can run setresuid() below */
666 CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
669 /* First step: If we need to keep capabilities but
670 * drop privileges we need to make sure we keep our
671 * caps, while we drop privileges. */
673 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
675 if (prctl(PR_GET_SECUREBITS) != sb)
676 if (prctl(PR_SET_SECUREBITS, sb) < 0)
680 /* Second step: set the capabilities. This will reduce
681 * the capabilities to the minimum we need. */
683 d = cap_dup(context->capabilities);
687 if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
688 cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0)
691 if (cap_set_proc(d) < 0)
695 /* Third step: actually set the uids */
696 if (setresuid(uid, uid, uid) < 0)
699 /* At this point we should have all necessary capabilities but
700 are otherwise a normal user. However, the caps might got
701 corrupted due to the setresuid() so we need clean them up
702 later. This is done outside of this call. */
709 static int null_conv(
711 const struct pam_message **msg,
712 struct pam_response **resp,
715 /* We don't support conversations */
720 static int setup_pam(
726 int fds[], unsigned n_fds) {
728 static const struct pam_conv conv = {
733 pam_handle_t *handle = NULL;
735 int pam_code = PAM_SUCCESS;
738 bool close_session = false;
739 pid_t pam_pid = 0, parent_pid;
746 /* We set up PAM in the parent process, then fork. The child
747 * will then stay around until killed via PR_GET_PDEATHSIG or
748 * systemd via the cgroup logic. It will then remove the PAM
749 * session again. The parent process will exec() the actual
750 * daemon. We do things this way to ensure that the main PID
751 * of the daemon is the one we initially fork()ed. */
753 if (log_get_max_level() < LOG_PRI(LOG_DEBUG))
756 pam_code = pam_start(name, user, &conv, &handle);
757 if (pam_code != PAM_SUCCESS) {
763 pam_code = pam_set_item(handle, PAM_TTY, tty);
764 if (pam_code != PAM_SUCCESS)
768 pam_code = pam_acct_mgmt(handle, flags);
769 if (pam_code != PAM_SUCCESS)
772 pam_code = pam_open_session(handle, flags);
773 if (pam_code != PAM_SUCCESS)
776 close_session = true;
778 e = pam_getenvlist(handle);
780 pam_code = PAM_BUF_ERR;
784 /* Block SIGTERM, so that we know that it won't get lost in
786 if (sigemptyset(&ss) < 0 ||
787 sigaddset(&ss, SIGTERM) < 0 ||
788 sigprocmask(SIG_BLOCK, &ss, &old_ss) < 0)
791 parent_pid = getpid();
801 /* The child's job is to reset the PAM session on
804 /* This string must fit in 10 chars (i.e. the length
805 * of "/sbin/init"), to look pretty in /bin/ps */
806 rename_process("(sd-pam)");
808 /* Make sure we don't keep open the passed fds in this
809 child. We assume that otherwise only those fds are
810 open here that have been opened by PAM. */
811 close_many(fds, n_fds);
813 /* Drop privileges - we don't need any to pam_close_session
814 * and this will make PR_SET_PDEATHSIG work in most cases.
815 * If this fails, ignore the error - but expect sd-pam threads
816 * to fail to exit normally */
817 if (setresuid(uid, uid, uid) < 0)
818 log_error("Error: Failed to setresuid() in sd-pam: %s", strerror(-r));
820 /* Wait until our parent died. This will only work if
821 * the above setresuid() succeeds, otherwise the kernel
822 * will not allow unprivileged parents kill their privileged
823 * children this way. We rely on the control groups kill logic
824 * to do the rest for us. */
825 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
828 /* Check if our parent process might already have
830 if (getppid() == parent_pid) {
832 if (sigwait(&ss, &sig) < 0) {
839 assert(sig == SIGTERM);
844 /* If our parent died we'll end the session */
845 if (getppid() != parent_pid) {
846 pam_code = pam_close_session(handle, flags);
847 if (pam_code != PAM_SUCCESS)
854 pam_end(handle, pam_code | flags);
858 /* If the child was forked off successfully it will do all the
859 * cleanups, so forget about the handle here. */
862 /* Unblock SIGTERM again in the parent */
863 if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0)
866 /* We close the log explicitly here, since the PAM modules
867 * might have opened it, but we don't want this fd around. */
876 if (pam_code != PAM_SUCCESS) {
877 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
878 err = -EPERM; /* PAM errors do not map to errno */
880 log_error("PAM failed: %m");
886 pam_code = pam_close_session(handle, flags);
888 pam_end(handle, pam_code | flags);
896 kill(pam_pid, SIGTERM);
897 kill(pam_pid, SIGCONT);
904 static void rename_process_from_path(const char *path) {
905 char process_name[11];
909 /* This resulting string must fit in 10 chars (i.e. the length
910 * of "/sbin/init") to look pretty in /bin/ps */
914 rename_process("(...)");
920 /* The end of the process name is usually more
921 * interesting, since the first bit might just be
927 process_name[0] = '(';
928 memcpy(process_name+1, p, l);
929 process_name[1+l] = ')';
930 process_name[1+l+1] = 0;
932 rename_process(process_name);
935 static int apply_seccomp(uint32_t *syscall_filter) {
936 static const struct sock_filter header[] = {
937 VALIDATE_ARCHITECTURE,
940 static const struct sock_filter footer[] = {
946 struct sock_filter *f;
947 struct sock_fprog prog = {};
949 assert(syscall_filter);
951 /* First: count the syscalls to check for */
952 for (i = 0, n = 0; i < syscall_max(); i++)
953 if (syscall_filter[i >> 4] & (1 << (i & 31)))
956 /* Second: build the filter program from a header the syscall
957 * matches and the footer */
958 f = alloca(sizeof(struct sock_filter) * (ELEMENTSOF(header) + 2*n + ELEMENTSOF(footer)));
959 memcpy(f, header, sizeof(header));
961 for (i = 0, n = 0; i < syscall_max(); i++)
962 if (syscall_filter[i >> 4] & (1 << (i & 31))) {
963 struct sock_filter item[] = {
964 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, INDEX_TO_SYSCALL(i), 0, 1),
965 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
968 assert_cc(ELEMENTSOF(item) == 2);
970 f[ELEMENTSOF(header) + 2*n] = item[0];
971 f[ELEMENTSOF(header) + 2*n+1] = item[1];
976 memcpy(f + (ELEMENTSOF(header) + 2*n), footer, sizeof(footer));
978 /* Third: install the filter */
979 prog.len = ELEMENTSOF(header) + ELEMENTSOF(footer) + 2*n;
981 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0)
987 static void do_idle_pipe_dance(int idle_pipe[4]) {
990 if (idle_pipe[1] >= 0)
991 close_nointr_nofail(idle_pipe[1]);
992 if (idle_pipe[2] >= 0)
993 close_nointr_nofail(idle_pipe[2]);
995 if (idle_pipe[0] >= 0) {
998 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1000 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
1001 /* Signal systemd that we are bored and want to continue. */
1002 write(idle_pipe[3], "x", 1);
1004 /* Wait for systemd to react to the signal above. */
1005 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1008 close_nointr_nofail(idle_pipe[0]);
1012 if (idle_pipe[3] >= 0)
1013 close_nointr_nofail(idle_pipe[3]);
1016 static int build_environment(
1019 usec_t watchdog_usec,
1021 const char *username,
1025 _cleanup_strv_free_ char **our_env = NULL;
1032 our_env = new0(char*, 10);
1037 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1039 our_env[n_env++] = x;
1041 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1043 our_env[n_env++] = x;
1046 if (watchdog_usec > 0) {
1047 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1049 our_env[n_env++] = x;
1051 if (asprintf(&x, "WATCHDOG_USEC=%llu", (unsigned long long) watchdog_usec) < 0)
1053 our_env[n_env++] = x;
1057 x = strappend("HOME=", home);
1060 our_env[n_env++] = x;
1064 x = strappend("LOGNAME=", username);
1067 our_env[n_env++] = x;
1069 x = strappend("USER=", username);
1072 our_env[n_env++] = x;
1076 x = strappend("SHELL=", shell);
1079 our_env[n_env++] = x;
1082 if (is_terminal_input(c->std_input) ||
1083 c->std_output == EXEC_OUTPUT_TTY ||
1084 c->std_error == EXEC_OUTPUT_TTY ||
1087 x = strdup(default_term_for_tty(tty_path(c)));
1090 our_env[n_env++] = x;
1093 our_env[n_env++] = NULL;
1094 assert(n_env <= 10);
1102 int exec_spawn(ExecCommand *command,
1104 ExecContext *context,
1105 int fds[], unsigned n_fds,
1107 bool apply_permissions,
1109 bool apply_tty_stdin,
1111 CGroupControllerMask cgroup_supported,
1112 const char *cgroup_path,
1113 const char *unit_id,
1114 usec_t watchdog_usec,
1116 ExecRuntime *runtime,
1119 _cleanup_strv_free_ char **files_env = NULL;
1128 assert(fds || n_fds <= 0);
1130 if (context->std_input == EXEC_INPUT_SOCKET ||
1131 context->std_output == EXEC_OUTPUT_SOCKET ||
1132 context->std_error == EXEC_OUTPUT_SOCKET) {
1144 r = exec_context_load_environment(context, &files_env);
1146 log_struct_unit(LOG_ERR,
1148 "MESSAGE=Failed to load environment files: %s", strerror(-r),
1155 argv = command->argv;
1157 line = exec_command_line(argv);
1161 log_struct_unit(LOG_DEBUG,
1163 "EXECUTABLE=%s", command->path,
1164 "MESSAGE=About to execute: %s", line,
1173 _cleanup_strv_free_ char **our_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL;
1174 const char *username = NULL, *home = NULL, *shell = NULL;
1175 unsigned n_dont_close = 0;
1176 int dont_close[n_fds + 3];
1177 uid_t uid = (uid_t) -1;
1178 gid_t gid = (gid_t) -1;
1184 rename_process_from_path(command->path);
1186 /* We reset exactly these signals, since they are the
1187 * only ones we set to SIG_IGN in the main daemon. All
1188 * others we leave untouched because we set them to
1189 * SIG_DFL or a valid handler initially, both of which
1190 * will be demoted to SIG_DFL. */
1191 default_signals(SIGNALS_CRASH_HANDLER,
1192 SIGNALS_IGNORE, -1);
1194 if (context->ignore_sigpipe)
1195 ignore_signals(SIGPIPE, -1);
1197 assert_se(sigemptyset(&ss) == 0);
1198 if (sigprocmask(SIG_SETMASK, &ss, NULL) < 0) {
1200 r = EXIT_SIGNAL_MASK;
1205 do_idle_pipe_dance(idle_pipe);
1207 /* Close sockets very early to make sure we don't
1208 * block init reexecution because it cannot bind its
1213 dont_close[n_dont_close++] = socket_fd;
1215 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
1216 n_dont_close += n_fds;
1219 if (runtime->netns_storage_socket[0] >= 0)
1220 dont_close[n_dont_close++] = runtime->netns_storage_socket[0];
1221 if (runtime->netns_storage_socket[1] >= 0)
1222 dont_close[n_dont_close++] = runtime->netns_storage_socket[1];
1225 err = close_all_fds(dont_close, n_dont_close);
1231 if (!context->same_pgrp)
1238 if (context->tcpwrap_name) {
1240 if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) {
1246 for (i = 0; i < (int) n_fds; i++) {
1247 if (!socket_tcpwrap(fds[i], context->tcpwrap_name)) {
1255 exec_context_tty_reset(context);
1257 if (confirm_spawn) {
1260 err = ask_for_confirmation(&response, argv);
1261 if (err == -ETIMEDOUT)
1262 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
1264 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-err));
1265 else if (response == 's') {
1266 write_confirm_message("Skipping execution.\n");
1270 } else if (response == 'n') {
1271 write_confirm_message("Failing execution.\n");
1277 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1278 * must sure to drop O_NONBLOCK */
1280 fd_nonblock(socket_fd, false);
1282 err = setup_input(context, socket_fd, apply_tty_stdin);
1288 err = setup_output(context, STDOUT_FILENO, socket_fd, basename(command->path), unit_id, apply_tty_stdin);
1294 err = setup_output(context, STDERR_FILENO, socket_fd, basename(command->path), unit_id, apply_tty_stdin);
1301 err = cg_attach_everywhere(cgroup_supported, cgroup_path, 0);
1308 if (context->oom_score_adjust_set) {
1311 snprintf(t, sizeof(t), "%i", context->oom_score_adjust);
1314 if (write_string_file("/proc/self/oom_score_adj", t) < 0) {
1316 r = EXIT_OOM_ADJUST;
1321 if (context->nice_set)
1322 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
1328 if (context->cpu_sched_set) {
1329 struct sched_param param = {
1330 .sched_priority = context->cpu_sched_priority,
1333 r = sched_setscheduler(0,
1334 context->cpu_sched_policy |
1335 (context->cpu_sched_reset_on_fork ?
1336 SCHED_RESET_ON_FORK : 0),
1340 r = EXIT_SETSCHEDULER;
1345 if (context->cpuset)
1346 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
1348 r = EXIT_CPUAFFINITY;
1352 if (context->ioprio_set)
1353 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
1359 if (context->timer_slack_nsec != (nsec_t) -1)
1360 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
1362 r = EXIT_TIMERSLACK;
1366 if (context->utmp_id)
1367 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path);
1369 if (context->user) {
1370 username = context->user;
1371 err = get_user_creds(&username, &uid, &gid, &home, &shell);
1377 if (is_terminal_input(context->std_input)) {
1378 err = chown_terminal(STDIN_FILENO, uid);
1387 if (cgroup_path && context->user && context->pam_name) {
1388 err = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, 0644, uid, gid);
1395 err = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, 0755, uid, gid);
1403 if (apply_permissions) {
1404 err = enforce_groups(context, username, gid);
1411 umask(context->umask);
1414 if (apply_permissions && context->pam_name && username) {
1415 err = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
1422 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
1423 err = setup_netns(runtime->netns_storage_socket);
1430 if (!strv_isempty(context->read_write_dirs) ||
1431 !strv_isempty(context->read_only_dirs) ||
1432 !strv_isempty(context->inaccessible_dirs) ||
1433 context->mount_flags != 0 ||
1434 (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
1435 context->private_devices) {
1437 char *tmp = NULL, *var = NULL;
1439 /* The runtime struct only contains the parent
1440 * of the private /tmp, which is
1441 * non-accessible to world users. Inside of it
1442 * there's a /tmp that is sticky, and that's
1443 * the one we want to use here. */
1445 if (context->private_tmp && runtime) {
1446 if (runtime->tmp_dir)
1447 tmp = strappenda(runtime->tmp_dir, "/tmp");
1448 if (runtime->var_tmp_dir)
1449 var = strappenda(runtime->var_tmp_dir, "/tmp");
1452 err = setup_namespace(
1453 context->read_write_dirs,
1454 context->read_only_dirs,
1455 context->inaccessible_dirs,
1458 context->private_devices,
1459 context->mount_flags);
1468 if (context->root_directory)
1469 if (chroot(context->root_directory) < 0) {
1475 if (chdir(context->working_directory ? context->working_directory : "/") < 0) {
1481 _cleanup_free_ char *d = NULL;
1483 if (asprintf(&d, "%s/%s",
1484 context->root_directory ? context->root_directory : "",
1485 context->working_directory ? context->working_directory : "") < 0) {
1498 /* We repeat the fd closing here, to make sure that
1499 * nothing is leaked from the PAM modules */
1500 err = close_all_fds(fds, n_fds);
1502 err = shift_fds(fds, n_fds);
1504 err = flags_fds(fds, n_fds, context->non_blocking);
1510 if (apply_permissions) {
1512 for (i = 0; i < RLIMIT_NLIMITS; i++) {
1513 if (!context->rlimit[i])
1516 if (setrlimit_closest(i, context->rlimit[i]) < 0) {
1523 if (context->capability_bounding_set_drop) {
1524 err = capability_bounding_set_drop(context->capability_bounding_set_drop, false);
1526 r = EXIT_CAPABILITIES;
1531 if (context->user) {
1532 err = enforce_user(context, uid);
1539 /* PR_GET_SECUREBITS is not privileged, while
1540 * PR_SET_SECUREBITS is. So to suppress
1541 * potential EPERMs we'll try not to call
1542 * PR_SET_SECUREBITS unless necessary. */
1543 if (prctl(PR_GET_SECUREBITS) != context->secure_bits)
1544 if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
1546 r = EXIT_SECUREBITS;
1550 if (context->capabilities)
1551 if (cap_set_proc(context->capabilities) < 0) {
1553 r = EXIT_CAPABILITIES;
1557 if (context->no_new_privileges)
1558 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
1560 r = EXIT_NO_NEW_PRIVILEGES;
1564 if (context->syscall_filter) {
1565 err = apply_seccomp(context->syscall_filter);
1572 if (context->selinux_context && use_selinux()) {
1573 err = security_check_context(context->selinux_context);
1575 r = EXIT_SELINUX_CONTEXT;
1578 err = setexeccon(context->selinux_context);
1580 r = EXIT_SELINUX_CONTEXT;
1587 err = build_environment(context, n_fds, watchdog_usec, home, username, shell, &our_env);
1593 final_env = strv_env_merge(5,
1596 context->environment,
1606 final_argv = replace_env_argv(argv, final_env);
1613 final_env = strv_env_clean(final_env);
1615 if (_unlikely_(log_get_max_level() >= LOG_PRI(LOG_DEBUG))) {
1616 line = exec_command_line(final_argv);
1619 log_struct_unit(LOG_DEBUG,
1621 "EXECUTABLE=%s", command->path,
1622 "MESSAGE=Executing: %s", line,
1629 execve(command->path, final_argv, final_env);
1636 log_struct(LOG_ERR, MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
1637 "EXECUTABLE=%s", command->path,
1638 "MESSAGE=Failed at step %s spawning %s: %s",
1639 exit_status_to_string(r, EXIT_STATUS_SYSTEMD),
1640 command->path, strerror(-err),
1649 log_struct_unit(LOG_DEBUG,
1651 "MESSAGE=Forked %s as "PID_FMT,
1655 /* We add the new process to the cgroup both in the child (so
1656 * that we can be sure that no user code is ever executed
1657 * outside of the cgroup) and in the parent (so that we can be
1658 * sure that when we kill the cgroup the process will be
1661 cg_attach(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, pid);
1663 exec_status_start(&command->exec_status, pid);
1669 void exec_context_init(ExecContext *c) {
1673 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
1674 c->cpu_sched_policy = SCHED_OTHER;
1675 c->syslog_priority = LOG_DAEMON|LOG_INFO;
1676 c->syslog_level_prefix = true;
1677 c->ignore_sigpipe = true;
1678 c->timer_slack_nsec = (nsec_t) -1;
1681 void exec_context_done(ExecContext *c) {
1686 strv_free(c->environment);
1687 c->environment = NULL;
1689 strv_free(c->environment_files);
1690 c->environment_files = NULL;
1692 for (l = 0; l < ELEMENTSOF(c->rlimit); l++) {
1694 c->rlimit[l] = NULL;
1697 free(c->working_directory);
1698 c->working_directory = NULL;
1699 free(c->root_directory);
1700 c->root_directory = NULL;
1705 free(c->tcpwrap_name);
1706 c->tcpwrap_name = NULL;
1708 free(c->syslog_identifier);
1709 c->syslog_identifier = NULL;
1717 strv_free(c->supplementary_groups);
1718 c->supplementary_groups = NULL;
1723 if (c->capabilities) {
1724 cap_free(c->capabilities);
1725 c->capabilities = NULL;
1728 strv_free(c->read_only_dirs);
1729 c->read_only_dirs = NULL;
1731 strv_free(c->read_write_dirs);
1732 c->read_write_dirs = NULL;
1734 strv_free(c->inaccessible_dirs);
1735 c->inaccessible_dirs = NULL;
1738 CPU_FREE(c->cpuset);
1743 free(c->selinux_context);
1744 c->selinux_context = NULL;
1746 free(c->syscall_filter);
1747 c->syscall_filter = NULL;
1750 void exec_command_done(ExecCommand *c) {
1760 void exec_command_done_array(ExecCommand *c, unsigned n) {
1763 for (i = 0; i < n; i++)
1764 exec_command_done(c+i);
1767 void exec_command_free_list(ExecCommand *c) {
1771 LIST_REMOVE(command, c, i);
1772 exec_command_done(i);
1777 void exec_command_free_array(ExecCommand **c, unsigned n) {
1780 for (i = 0; i < n; i++) {
1781 exec_command_free_list(c[i]);
1786 int exec_context_load_environment(const ExecContext *c, char ***l) {
1787 char **i, **r = NULL;
1792 STRV_FOREACH(i, c->environment_files) {
1795 bool ignore = false;
1797 _cleanup_globfree_ glob_t pglob = {};
1807 if (!path_is_absolute(fn)) {
1815 /* Filename supports globbing, take all matching files */
1817 if (glob(fn, 0, NULL, &pglob) != 0) {
1822 return errno ? -errno : -EINVAL;
1824 count = pglob.gl_pathc;
1832 for (n = 0; n < count; n++) {
1833 k = load_env_file(pglob.gl_pathv[n], NULL, &p);
1841 /* Log invalid environment variables with filename */
1843 p = strv_env_clean_log(p, pglob.gl_pathv[n]);
1850 m = strv_env_merge(2, r, p);
1866 static bool tty_may_match_dev_console(const char *tty) {
1867 char *active = NULL, *console;
1870 if (startswith(tty, "/dev/"))
1873 /* trivial identity? */
1874 if (streq(tty, "console"))
1877 console = resolve_dev_console(&active);
1878 /* if we could not resolve, assume it may */
1882 /* "tty0" means the active VC, so it may be the same sometimes */
1883 b = streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
1889 bool exec_context_may_touch_console(ExecContext *ec) {
1890 return (ec->tty_reset || ec->tty_vhangup || ec->tty_vt_disallocate ||
1891 is_terminal_input(ec->std_input) ||
1892 is_terminal_output(ec->std_output) ||
1893 is_terminal_output(ec->std_error)) &&
1894 tty_may_match_dev_console(tty_path(ec));
1897 static void strv_fprintf(FILE *f, char **l) {
1903 fprintf(f, " %s", *g);
1906 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
1913 prefix = strempty(prefix);
1917 "%sWorkingDirectory: %s\n"
1918 "%sRootDirectory: %s\n"
1919 "%sNonBlocking: %s\n"
1920 "%sPrivateTmp: %s\n"
1921 "%sPrivateNetwork: %s\n"
1922 "%sPrivateDevices: %s\n"
1923 "%sIgnoreSIGPIPE: %s\n",
1925 prefix, c->working_directory ? c->working_directory : "/",
1926 prefix, c->root_directory ? c->root_directory : "/",
1927 prefix, yes_no(c->non_blocking),
1928 prefix, yes_no(c->private_tmp),
1929 prefix, yes_no(c->private_network),
1930 prefix, yes_no(c->private_devices),
1931 prefix, yes_no(c->ignore_sigpipe));
1933 STRV_FOREACH(e, c->environment)
1934 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
1936 STRV_FOREACH(e, c->environment_files)
1937 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
1939 if (c->tcpwrap_name)
1941 "%sTCPWrapName: %s\n",
1942 prefix, c->tcpwrap_name);
1949 if (c->oom_score_adjust_set)
1951 "%sOOMScoreAdjust: %i\n",
1952 prefix, c->oom_score_adjust);
1954 for (i = 0; i < RLIM_NLIMITS; i++)
1956 fprintf(f, "%s%s: %llu\n", prefix, rlimit_to_string(i), (unsigned long long) c->rlimit[i]->rlim_max);
1958 if (c->ioprio_set) {
1962 r = ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
1966 "%sIOSchedulingClass: %s\n"
1967 "%sIOPriority: %i\n",
1968 prefix, strna(class_str),
1969 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
1973 if (c->cpu_sched_set) {
1977 r = sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
1981 "%sCPUSchedulingPolicy: %s\n"
1982 "%sCPUSchedulingPriority: %i\n"
1983 "%sCPUSchedulingResetOnFork: %s\n",
1984 prefix, strna(policy_str),
1985 prefix, c->cpu_sched_priority,
1986 prefix, yes_no(c->cpu_sched_reset_on_fork));
1991 fprintf(f, "%sCPUAffinity:", prefix);
1992 for (i = 0; i < c->cpuset_ncpus; i++)
1993 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
1994 fprintf(f, " %u", i);
1998 if (c->timer_slack_nsec != (nsec_t) -1)
1999 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
2002 "%sStandardInput: %s\n"
2003 "%sStandardOutput: %s\n"
2004 "%sStandardError: %s\n",
2005 prefix, exec_input_to_string(c->std_input),
2006 prefix, exec_output_to_string(c->std_output),
2007 prefix, exec_output_to_string(c->std_error));
2013 "%sTTYVHangup: %s\n"
2014 "%sTTYVTDisallocate: %s\n",
2015 prefix, c->tty_path,
2016 prefix, yes_no(c->tty_reset),
2017 prefix, yes_no(c->tty_vhangup),
2018 prefix, yes_no(c->tty_vt_disallocate));
2020 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
2021 c->std_output == EXEC_OUTPUT_KMSG ||
2022 c->std_output == EXEC_OUTPUT_JOURNAL ||
2023 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2024 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2025 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
2026 c->std_error == EXEC_OUTPUT_SYSLOG ||
2027 c->std_error == EXEC_OUTPUT_KMSG ||
2028 c->std_error == EXEC_OUTPUT_JOURNAL ||
2029 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2030 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2031 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
2033 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
2035 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
2036 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
2039 "%sSyslogFacility: %s\n"
2040 "%sSyslogLevel: %s\n",
2041 prefix, strna(fac_str),
2042 prefix, strna(lvl_str));
2045 if (c->capabilities) {
2046 _cleanup_cap_free_charp_ char *t;
2048 t = cap_to_text(c->capabilities, NULL);
2050 fprintf(f, "%sCapabilities: %s\n", prefix, t);
2054 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
2056 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
2057 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
2058 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
2059 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
2060 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
2061 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
2063 if (c->capability_bounding_set_drop) {
2065 fprintf(f, "%sCapabilityBoundingSet:", prefix);
2067 for (l = 0; l <= cap_last_cap(); l++)
2068 if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) {
2069 _cleanup_cap_free_charp_ char *t;
2073 fprintf(f, " %s", t);
2080 fprintf(f, "%sUser: %s\n", prefix, c->user);
2082 fprintf(f, "%sGroup: %s\n", prefix, c->group);
2084 if (strv_length(c->supplementary_groups) > 0) {
2085 fprintf(f, "%sSupplementaryGroups:", prefix);
2086 strv_fprintf(f, c->supplementary_groups);
2091 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
2093 if (strv_length(c->read_write_dirs) > 0) {
2094 fprintf(f, "%sReadWriteDirs:", prefix);
2095 strv_fprintf(f, c->read_write_dirs);
2099 if (strv_length(c->read_only_dirs) > 0) {
2100 fprintf(f, "%sReadOnlyDirs:", prefix);
2101 strv_fprintf(f, c->read_only_dirs);
2105 if (strv_length(c->inaccessible_dirs) > 0) {
2106 fprintf(f, "%sInaccessibleDirs:", prefix);
2107 strv_fprintf(f, c->inaccessible_dirs);
2113 "%sUtmpIdentifier: %s\n",
2114 prefix, c->utmp_id);
2116 if (c->selinux_context)
2118 "%sSELinuxContext: %s\n",
2119 prefix, c->selinux_context);
2123 void exec_status_start(ExecStatus *s, pid_t pid) {
2128 dual_timestamp_get(&s->start_timestamp);
2131 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
2134 if (s->pid && s->pid != pid)
2138 dual_timestamp_get(&s->exit_timestamp);
2144 if (context->utmp_id)
2145 utmp_put_dead_process(context->utmp_id, pid, code, status);
2147 exec_context_tty_reset(context);
2151 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
2152 char buf[FORMAT_TIMESTAMP_MAX];
2164 "%sPID: "PID_FMT"\n",
2167 if (s->start_timestamp.realtime > 0)
2169 "%sStart Timestamp: %s\n",
2170 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
2172 if (s->exit_timestamp.realtime > 0)
2174 "%sExit Timestamp: %s\n"
2176 "%sExit Status: %i\n",
2177 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
2178 prefix, sigchld_code_to_string(s->code),
2182 char *exec_command_line(char **argv) {
2190 STRV_FOREACH(a, argv)
2193 if (!(n = new(char, k)))
2197 STRV_FOREACH(a, argv) {
2204 if (strpbrk(*a, WHITESPACE)) {
2215 /* FIXME: this doesn't really handle arguments that have
2216 * spaces and ticks in them */
2221 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
2223 const char *prefix2;
2232 p2 = strappend(prefix, "\t");
2233 prefix2 = p2 ? p2 : prefix;
2235 cmd = exec_command_line(c->argv);
2238 "%sCommand Line: %s\n",
2239 prefix, cmd ? cmd : strerror(ENOMEM));
2243 exec_status_dump(&c->exec_status, f, prefix2);
2248 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2254 LIST_FOREACH(command, c, c)
2255 exec_command_dump(c, f, prefix);
2258 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
2265 /* It's kind of important, that we keep the order here */
2266 LIST_FIND_TAIL(command, *l, end);
2267 LIST_INSERT_AFTER(command, *l, end, e);
2272 int exec_command_set(ExecCommand *c, const char *path, ...) {
2280 l = strv_new_ap(path, ap);
2301 static int exec_runtime_allocate(ExecRuntime **rt) {
2306 *rt = new0(ExecRuntime, 1);
2311 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
2316 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
2326 if (!c->private_network && !c->private_tmp)
2329 r = exec_runtime_allocate(rt);
2333 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
2334 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, (*rt)->netns_storage_socket) < 0)
2338 if (c->private_tmp && !(*rt)->tmp_dir) {
2339 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
2347 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
2349 assert(r->n_ref > 0);
2355 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
2360 assert(r->n_ref > 0);
2363 if (r->n_ref <= 0) {
2365 free(r->var_tmp_dir);
2366 close_pipe(r->netns_storage_socket);
2373 int exec_runtime_serialize(ExecRuntime *rt, Unit *u, FILE *f, FDSet *fds) {
2382 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
2384 if (rt->var_tmp_dir)
2385 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
2387 if (rt->netns_storage_socket[0] >= 0) {
2390 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
2394 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
2397 if (rt->netns_storage_socket[1] >= 0) {
2400 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
2404 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
2410 int exec_runtime_deserialize_item(ExecRuntime **rt, Unit *u, const char *key, const char *value, FDSet *fds) {
2417 if (streq(key, "tmp-dir")) {
2420 r = exec_runtime_allocate(rt);
2424 copy = strdup(value);
2428 free((*rt)->tmp_dir);
2429 (*rt)->tmp_dir = copy;
2431 } else if (streq(key, "var-tmp-dir")) {
2434 r = exec_runtime_allocate(rt);
2438 copy = strdup(value);
2442 free((*rt)->var_tmp_dir);
2443 (*rt)->var_tmp_dir = copy;
2445 } else if (streq(key, "netns-socket-0")) {
2448 r = exec_runtime_allocate(rt);
2452 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2453 log_debug_unit(u->id, "Failed to parse netns socket value %s", value);
2455 if ((*rt)->netns_storage_socket[0] >= 0)
2456 close_nointr_nofail((*rt)->netns_storage_socket[0]);
2458 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
2460 } else if (streq(key, "netns-socket-1")) {
2463 r = exec_runtime_allocate(rt);
2467 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2468 log_debug_unit(u->id, "Failed to parse netns socket value %s", value);
2470 if ((*rt)->netns_storage_socket[1] >= 0)
2471 close_nointr_nofail((*rt)->netns_storage_socket[1]);
2473 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
2481 static void *remove_tmpdir_thread(void *p) {
2482 _cleanup_free_ char *path = p;
2484 rm_rf_dangerous(path, false, true, false);
2488 void exec_runtime_destroy(ExecRuntime *rt) {
2492 /* If there are multiple users of this, let's leave the stuff around */
2497 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
2498 asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
2502 if (rt->var_tmp_dir) {
2503 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
2504 asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
2505 rt->var_tmp_dir = NULL;
2508 close_pipe(rt->netns_storage_socket);
2511 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
2512 [EXEC_INPUT_NULL] = "null",
2513 [EXEC_INPUT_TTY] = "tty",
2514 [EXEC_INPUT_TTY_FORCE] = "tty-force",
2515 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
2516 [EXEC_INPUT_SOCKET] = "socket"
2519 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
2521 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
2522 [EXEC_OUTPUT_INHERIT] = "inherit",
2523 [EXEC_OUTPUT_NULL] = "null",
2524 [EXEC_OUTPUT_TTY] = "tty",
2525 [EXEC_OUTPUT_SYSLOG] = "syslog",
2526 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
2527 [EXEC_OUTPUT_KMSG] = "kmsg",
2528 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
2529 [EXEC_OUTPUT_JOURNAL] = "journal",
2530 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
2531 [EXEC_OUTPUT_SOCKET] = "socket"
2534 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
~ianmdlvl / elogind.git / blob