1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
29 #include <sys/socket.h>
31 #include <sys/prctl.h>
32 #include <linux/sched.h>
33 #include <sys/types.h>
37 #include <sys/mount.h>
39 #include <linux/oom.h>
42 #include <sys/personality.h>
47 #include <security/pam_appl.h>
51 #include <selinux/selinux.h>
59 #include <sys/apparmor.h>
65 #include "capability.h"
68 #include "sd-messages.h"
70 #include "securebits.h"
71 #include "namespace.h"
72 #include "exit-status.h"
74 #include "utmp-wtmp.h"
76 #include "path-util.h"
81 #include "selinux-util.h"
82 #include "errno-list.h"
85 #include "apparmor-util.h"
86 #include "bus-kernel.h"
90 #include "seccomp-util.h"
93 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
94 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
96 /* This assumes there is a 'tty' group */
99 #define SNDBUF_SIZE (8*1024*1024)
101 static int shift_fds(int fds[], unsigned n_fds) {
102 int start, restart_from;
107 /* Modifies the fds array! (sorts it) */
117 for (i = start; i < (int) n_fds; i++) {
120 /* Already at right index? */
124 if ((nfd = fcntl(fds[i], F_DUPFD, i+3)) < 0)
130 /* Hmm, the fd we wanted isn't free? Then
131 * let's remember that and try again from here*/
132 if (nfd != i+3 && restart_from < 0)
136 if (restart_from < 0)
139 start = restart_from;
145 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
154 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
156 for (i = 0; i < n_fds; i++) {
158 if ((r = fd_nonblock(fds[i], nonblock)) < 0)
161 /* We unconditionally drop FD_CLOEXEC from the fds,
162 * since after all we want to pass these fds to our
165 if ((r = fd_cloexec(fds[i], false)) < 0)
172 _pure_ static const char *tty_path(const ExecContext *context) {
175 if (context->tty_path)
176 return context->tty_path;
178 return "/dev/console";
181 static void exec_context_tty_reset(const ExecContext *context) {
184 if (context->tty_vhangup)
185 terminal_vhangup(tty_path(context));
187 if (context->tty_reset)
188 reset_terminal(tty_path(context));
190 if (context->tty_vt_disallocate && context->tty_path)
191 vt_disallocate(context->tty_path);
194 static bool is_terminal_output(ExecOutput o) {
196 o == EXEC_OUTPUT_TTY ||
197 o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
198 o == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
199 o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE;
202 static int open_null_as(int flags, int nfd) {
207 fd = open("/dev/null", flags|O_NOCTTY);
212 r = dup2(fd, nfd) < 0 ? -errno : nfd;
220 static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd) {
222 union sockaddr_union sa = {
223 .un.sun_family = AF_UNIX,
224 .un.sun_path = "/run/systemd/journal/stdout",
228 assert(output < _EXEC_OUTPUT_MAX);
232 fd = socket(AF_UNIX, SOCK_STREAM, 0);
236 r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path));
242 if (shutdown(fd, SHUT_RD) < 0) {
247 fd_inc_sndbuf(fd, SNDBUF_SIZE);
257 context->syslog_identifier ? context->syslog_identifier : ident,
259 context->syslog_priority,
260 !!context->syslog_level_prefix,
261 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
262 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
263 is_terminal_output(output));
266 r = dup2(fd, nfd) < 0 ? -errno : nfd;
273 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
279 if ((fd = open_terminal(path, mode | O_NOCTTY)) < 0)
283 r = dup2(fd, nfd) < 0 ? -errno : nfd;
291 static bool is_terminal_input(ExecInput i) {
293 i == EXEC_INPUT_TTY ||
294 i == EXEC_INPUT_TTY_FORCE ||
295 i == EXEC_INPUT_TTY_FAIL;
298 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
300 if (is_terminal_input(std_input) && !apply_tty_stdin)
301 return EXEC_INPUT_NULL;
303 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
304 return EXEC_INPUT_NULL;
309 static int fixup_output(ExecOutput std_output, int socket_fd) {
311 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
312 return EXEC_OUTPUT_INHERIT;
317 static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty_stdin) {
322 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
326 case EXEC_INPUT_NULL:
327 return open_null_as(O_RDONLY, STDIN_FILENO);
330 case EXEC_INPUT_TTY_FORCE:
331 case EXEC_INPUT_TTY_FAIL: {
334 fd = acquire_terminal(tty_path(context),
335 i == EXEC_INPUT_TTY_FAIL,
336 i == EXEC_INPUT_TTY_FORCE,
342 if (fd != STDIN_FILENO) {
343 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
351 case EXEC_INPUT_SOCKET:
352 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
355 assert_not_reached("Unknown input type");
359 static int setup_output(const ExecContext *context, int fileno, int socket_fd, const char *ident, const char *unit_id, bool apply_tty_stdin) {
367 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
368 o = fixup_output(context->std_output, socket_fd);
370 if (fileno == STDERR_FILENO) {
372 e = fixup_output(context->std_error, socket_fd);
374 /* This expects the input and output are already set up */
376 /* Don't change the stderr file descriptor if we inherit all
377 * the way and are not on a tty */
378 if (e == EXEC_OUTPUT_INHERIT &&
379 o == EXEC_OUTPUT_INHERIT &&
380 i == EXEC_INPUT_NULL &&
381 !is_terminal_input(context->std_input) &&
385 /* Duplicate from stdout if possible */
386 if (e == o || e == EXEC_OUTPUT_INHERIT)
387 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
391 } else if (o == EXEC_OUTPUT_INHERIT) {
392 /* If input got downgraded, inherit the original value */
393 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
394 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
396 /* If the input is connected to anything that's not a /dev/null, inherit that... */
397 if (i != EXEC_INPUT_NULL)
398 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
400 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
404 /* We need to open /dev/null here anew, to get the right access mode. */
405 return open_null_as(O_WRONLY, fileno);
410 case EXEC_OUTPUT_NULL:
411 return open_null_as(O_WRONLY, fileno);
413 case EXEC_OUTPUT_TTY:
414 if (is_terminal_input(i))
415 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
417 /* We don't reset the terminal if this is just about output */
418 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
420 case EXEC_OUTPUT_SYSLOG:
421 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
422 case EXEC_OUTPUT_KMSG:
423 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
424 case EXEC_OUTPUT_JOURNAL:
425 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
426 r = connect_logger_as(context, o, ident, unit_id, fileno);
428 log_struct_unit(LOG_CRIT, unit_id,
429 "MESSAGE=Failed to connect std%s of %s to the journal socket: %s",
430 fileno == STDOUT_FILENO ? "out" : "err",
431 unit_id, strerror(-r),
434 r = open_null_as(O_WRONLY, fileno);
438 case EXEC_OUTPUT_SOCKET:
439 assert(socket_fd >= 0);
440 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
443 assert_not_reached("Unknown error type");
447 static int chown_terminal(int fd, uid_t uid) {
452 /* This might fail. What matters are the results. */
453 (void) fchown(fd, uid, -1);
454 (void) fchmod(fd, TTY_MODE);
456 if (fstat(fd, &st) < 0)
459 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
465 static int setup_confirm_stdio(int *_saved_stdin,
466 int *_saved_stdout) {
467 int fd = -1, saved_stdin, saved_stdout = -1, r;
469 assert(_saved_stdin);
470 assert(_saved_stdout);
472 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
476 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
477 if (saved_stdout < 0) {
482 fd = acquire_terminal(
487 DEFAULT_CONFIRM_USEC);
493 r = chown_terminal(fd, getuid());
497 if (dup2(fd, STDIN_FILENO) < 0) {
502 if (dup2(fd, STDOUT_FILENO) < 0) {
510 *_saved_stdin = saved_stdin;
511 *_saved_stdout = saved_stdout;
516 safe_close(saved_stdout);
517 safe_close(saved_stdin);
523 _printf_(1, 2) static int write_confirm_message(const char *format, ...) {
524 _cleanup_close_ int fd = -1;
529 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
533 va_start(ap, format);
534 vdprintf(fd, format, ap);
540 static int restore_confirm_stdio(int *saved_stdin,
546 assert(saved_stdout);
550 if (*saved_stdin >= 0)
551 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
554 if (*saved_stdout >= 0)
555 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
558 safe_close(*saved_stdin);
559 safe_close(*saved_stdout);
564 static int ask_for_confirmation(char *response, char **argv) {
565 int saved_stdout = -1, saved_stdin = -1, r;
566 _cleanup_free_ char *line = NULL;
568 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
572 line = exec_command_line(argv);
576 r = ask_char(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
578 restore_confirm_stdio(&saved_stdin, &saved_stdout);
583 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
584 bool keep_groups = false;
589 /* Lookup and set GID and supplementary group list. Here too
590 * we avoid NSS lookups for gid=0. */
592 if (context->group || username) {
594 if (context->group) {
595 const char *g = context->group;
597 if ((r = get_group_creds(&g, &gid)) < 0)
601 /* First step, initialize groups from /etc/groups */
602 if (username && gid != 0) {
603 if (initgroups(username, gid) < 0)
609 /* Second step, set our gids */
610 if (setresgid(gid, gid, gid) < 0)
614 if (context->supplementary_groups) {
619 /* Final step, initialize any manually set supplementary groups */
620 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
622 if (!(gids = new(gid_t, ngroups_max)))
626 if ((k = getgroups(ngroups_max, gids)) < 0) {
633 STRV_FOREACH(i, context->supplementary_groups) {
636 if (k >= ngroups_max) {
642 r = get_group_creds(&g, gids+k);
651 if (setgroups(k, gids) < 0) {
662 static int enforce_user(const ExecContext *context, uid_t uid) {
665 /* Sets (but doesn't lookup) the uid and make sure we keep the
666 * capabilities while doing so. */
668 if (context->capabilities) {
669 _cleanup_cap_free_ cap_t d = NULL;
670 static const cap_value_t bits[] = {
671 CAP_SETUID, /* Necessary so that we can run setresuid() below */
672 CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
675 /* First step: If we need to keep capabilities but
676 * drop privileges we need to make sure we keep our
677 * caps, while we drop privileges. */
679 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
681 if (prctl(PR_GET_SECUREBITS) != sb)
682 if (prctl(PR_SET_SECUREBITS, sb) < 0)
686 /* Second step: set the capabilities. This will reduce
687 * the capabilities to the minimum we need. */
689 d = cap_dup(context->capabilities);
693 if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
694 cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0)
697 if (cap_set_proc(d) < 0)
701 /* Third step: actually set the uids */
702 if (setresuid(uid, uid, uid) < 0)
705 /* At this point we should have all necessary capabilities but
706 are otherwise a normal user. However, the caps might got
707 corrupted due to the setresuid() so we need clean them up
708 later. This is done outside of this call. */
715 static int null_conv(
717 const struct pam_message **msg,
718 struct pam_response **resp,
721 /* We don't support conversations */
726 static int setup_pam(
732 int fds[], unsigned n_fds) {
734 static const struct pam_conv conv = {
739 pam_handle_t *handle = NULL;
741 int pam_code = PAM_SUCCESS;
744 bool close_session = false;
745 pid_t pam_pid = 0, parent_pid;
752 /* We set up PAM in the parent process, then fork. The child
753 * will then stay around until killed via PR_GET_PDEATHSIG or
754 * systemd via the cgroup logic. It will then remove the PAM
755 * session again. The parent process will exec() the actual
756 * daemon. We do things this way to ensure that the main PID
757 * of the daemon is the one we initially fork()ed. */
759 if (log_get_max_level() < LOG_PRI(LOG_DEBUG))
762 pam_code = pam_start(name, user, &conv, &handle);
763 if (pam_code != PAM_SUCCESS) {
769 pam_code = pam_set_item(handle, PAM_TTY, tty);
770 if (pam_code != PAM_SUCCESS)
774 pam_code = pam_acct_mgmt(handle, flags);
775 if (pam_code != PAM_SUCCESS)
778 pam_code = pam_open_session(handle, flags);
779 if (pam_code != PAM_SUCCESS)
782 close_session = true;
784 e = pam_getenvlist(handle);
786 pam_code = PAM_BUF_ERR;
790 /* Block SIGTERM, so that we know that it won't get lost in
792 if (sigemptyset(&ss) < 0 ||
793 sigaddset(&ss, SIGTERM) < 0 ||
794 sigprocmask(SIG_BLOCK, &ss, &old_ss) < 0)
797 parent_pid = getpid();
807 /* The child's job is to reset the PAM session on
810 /* This string must fit in 10 chars (i.e. the length
811 * of "/sbin/init"), to look pretty in /bin/ps */
812 rename_process("(sd-pam)");
814 /* Make sure we don't keep open the passed fds in this
815 child. We assume that otherwise only those fds are
816 open here that have been opened by PAM. */
817 close_many(fds, n_fds);
819 /* Drop privileges - we don't need any to pam_close_session
820 * and this will make PR_SET_PDEATHSIG work in most cases.
821 * If this fails, ignore the error - but expect sd-pam threads
822 * to fail to exit normally */
823 if (setresuid(uid, uid, uid) < 0)
824 log_error("Error: Failed to setresuid() in sd-pam: %s", strerror(-r));
826 /* Wait until our parent died. This will only work if
827 * the above setresuid() succeeds, otherwise the kernel
828 * will not allow unprivileged parents kill their privileged
829 * children this way. We rely on the control groups kill logic
830 * to do the rest for us. */
831 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
834 /* Check if our parent process might already have
836 if (getppid() == parent_pid) {
838 if (sigwait(&ss, &sig) < 0) {
845 assert(sig == SIGTERM);
850 /* If our parent died we'll end the session */
851 if (getppid() != parent_pid) {
852 pam_code = pam_close_session(handle, flags);
853 if (pam_code != PAM_SUCCESS)
860 pam_end(handle, pam_code | flags);
864 /* If the child was forked off successfully it will do all the
865 * cleanups, so forget about the handle here. */
868 /* Unblock SIGTERM again in the parent */
869 if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0)
872 /* We close the log explicitly here, since the PAM modules
873 * might have opened it, but we don't want this fd around. */
882 if (pam_code != PAM_SUCCESS) {
883 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
884 err = -EPERM; /* PAM errors do not map to errno */
886 log_error("PAM failed: %m");
892 pam_code = pam_close_session(handle, flags);
894 pam_end(handle, pam_code | flags);
902 kill(pam_pid, SIGTERM);
903 kill(pam_pid, SIGCONT);
910 static void rename_process_from_path(const char *path) {
911 char process_name[11];
915 /* This resulting string must fit in 10 chars (i.e. the length
916 * of "/sbin/init") to look pretty in /bin/ps */
920 rename_process("(...)");
926 /* The end of the process name is usually more
927 * interesting, since the first bit might just be
933 process_name[0] = '(';
934 memcpy(process_name+1, p, l);
935 process_name[1+l] = ')';
936 process_name[1+l+1] = 0;
938 rename_process(process_name);
943 static int apply_seccomp(const ExecContext *c) {
944 uint32_t negative_action, action;
945 scmp_filter_ctx *seccomp;
952 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
954 seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW);
958 if (c->syscall_archs) {
960 SET_FOREACH(id, c->syscall_archs, i) {
961 r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
969 r = seccomp_add_secondary_archs(seccomp);
974 action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
975 SET_FOREACH(id, c->syscall_filter, i) {
976 r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
981 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
985 r = seccomp_load(seccomp);
988 seccomp_release(seccomp);
992 static int apply_address_families(const ExecContext *c) {
993 scmp_filter_ctx *seccomp;
999 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1003 r = seccomp_add_secondary_archs(seccomp);
1007 if (c->address_families_whitelist) {
1008 int af, first = 0, last = 0;
1011 /* If this is a whitelist, we first block the address
1012 * families that are out of range and then everything
1013 * that is not in the set. First, we find the lowest
1014 * and highest address family in the set. */
1016 SET_FOREACH(afp, c->address_families, i) {
1017 af = PTR_TO_INT(afp);
1019 if (af <= 0 || af >= af_max())
1022 if (first == 0 || af < first)
1025 if (last == 0 || af > last)
1029 assert((first == 0) == (last == 0));
1033 /* No entries in the valid range, block everything */
1034 r = seccomp_rule_add(
1036 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1044 /* Block everything below the first entry */
1045 r = seccomp_rule_add(
1047 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1050 SCMP_A0(SCMP_CMP_LT, first));
1054 /* Block everything above the last entry */
1055 r = seccomp_rule_add(
1057 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1060 SCMP_A0(SCMP_CMP_GT, last));
1064 /* Block everything between the first and last
1066 for (af = 1; af < af_max(); af++) {
1068 if (set_contains(c->address_families, INT_TO_PTR(af)))
1071 r = seccomp_rule_add(
1073 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1076 SCMP_A0(SCMP_CMP_EQ, af));
1085 /* If this is a blacklist, then generate one rule for
1086 * each address family that are then combined in OR
1089 SET_FOREACH(af, c->address_families, i) {
1091 r = seccomp_rule_add(
1093 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1096 SCMP_A0(SCMP_CMP_EQ, PTR_TO_INT(af)));
1102 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1106 r = seccomp_load(seccomp);
1109 seccomp_release(seccomp);
1115 static void do_idle_pipe_dance(int idle_pipe[4]) {
1119 safe_close(idle_pipe[1]);
1120 safe_close(idle_pipe[2]);
1122 if (idle_pipe[0] >= 0) {
1125 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1127 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
1128 /* Signal systemd that we are bored and want to continue. */
1129 write(idle_pipe[3], "x", 1);
1131 /* Wait for systemd to react to the signal above. */
1132 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1135 safe_close(idle_pipe[0]);
1139 safe_close(idle_pipe[3]);
1142 static int build_environment(
1143 const ExecContext *c,
1145 usec_t watchdog_usec,
1147 const char *username,
1151 _cleanup_strv_free_ char **our_env = NULL;
1158 our_env = new0(char*, 10);
1163 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1165 our_env[n_env++] = x;
1167 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1169 our_env[n_env++] = x;
1172 if (watchdog_usec > 0) {
1173 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1175 our_env[n_env++] = x;
1177 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, watchdog_usec) < 0)
1179 our_env[n_env++] = x;
1183 x = strappend("HOME=", home);
1186 our_env[n_env++] = x;
1190 x = strappend("LOGNAME=", username);
1193 our_env[n_env++] = x;
1195 x = strappend("USER=", username);
1198 our_env[n_env++] = x;
1202 x = strappend("SHELL=", shell);
1205 our_env[n_env++] = x;
1208 if (is_terminal_input(c->std_input) ||
1209 c->std_output == EXEC_OUTPUT_TTY ||
1210 c->std_error == EXEC_OUTPUT_TTY ||
1213 x = strdup(default_term_for_tty(tty_path(c)));
1216 our_env[n_env++] = x;
1219 our_env[n_env++] = NULL;
1220 assert(n_env <= 10);
1228 static int exec_child(ExecCommand *command,
1229 const ExecContext *context,
1230 const ExecParameters *params,
1231 ExecRuntime *runtime,
1234 int *fds, unsigned n_fds,
1238 _cleanup_strv_free_ char **our_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL;
1239 const char *username = NULL, *home = NULL, *shell = NULL;
1240 unsigned n_dont_close = 0;
1241 int dont_close[n_fds + 4];
1242 uid_t uid = (uid_t) -1;
1243 gid_t gid = (gid_t) -1;
1251 rename_process_from_path(command->path);
1253 /* We reset exactly these signals, since they are the
1254 * only ones we set to SIG_IGN in the main daemon. All
1255 * others we leave untouched because we set them to
1256 * SIG_DFL or a valid handler initially, both of which
1257 * will be demoted to SIG_DFL. */
1258 default_signals(SIGNALS_CRASH_HANDLER,
1259 SIGNALS_IGNORE, -1);
1261 if (context->ignore_sigpipe)
1262 ignore_signals(SIGPIPE, -1);
1264 err = reset_signal_mask();
1266 *error = EXIT_SIGNAL_MASK;
1270 if (params->idle_pipe)
1271 do_idle_pipe_dance(params->idle_pipe);
1273 /* Close sockets very early to make sure we don't
1274 * block init reexecution because it cannot bind its
1279 dont_close[n_dont_close++] = socket_fd;
1281 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
1282 n_dont_close += n_fds;
1284 if (params->bus_endpoint_fd >= 0)
1285 dont_close[n_dont_close++] = params->bus_endpoint_fd;
1287 if (runtime->netns_storage_socket[0] >= 0)
1288 dont_close[n_dont_close++] = runtime->netns_storage_socket[0];
1289 if (runtime->netns_storage_socket[1] >= 0)
1290 dont_close[n_dont_close++] = runtime->netns_storage_socket[1];
1293 err = close_all_fds(dont_close, n_dont_close);
1299 if (!context->same_pgrp)
1301 *error = EXIT_SETSID;
1305 exec_context_tty_reset(context);
1307 if (params->confirm_spawn) {
1310 err = ask_for_confirmation(&response, argv);
1311 if (err == -ETIMEDOUT)
1312 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
1314 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-err));
1315 else if (response == 's') {
1316 write_confirm_message("Skipping execution.\n");
1317 *error = EXIT_CONFIRM;
1319 } else if (response == 'n') {
1320 write_confirm_message("Failing execution.\n");
1326 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1327 * must sure to drop O_NONBLOCK */
1329 fd_nonblock(socket_fd, false);
1331 err = setup_input(context, socket_fd, params->apply_tty_stdin);
1333 *error = EXIT_STDIN;
1337 err = setup_output(context, STDOUT_FILENO, socket_fd, basename(command->path), params->unit_id, params->apply_tty_stdin);
1339 *error = EXIT_STDOUT;
1343 err = setup_output(context, STDERR_FILENO, socket_fd, basename(command->path), params->unit_id, params->apply_tty_stdin);
1345 *error = EXIT_STDERR;
1349 if (params->cgroup_path) {
1350 err = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0);
1352 *error = EXIT_CGROUP;
1357 if (context->oom_score_adjust_set) {
1360 snprintf(t, sizeof(t), "%i", context->oom_score_adjust);
1363 if (write_string_file("/proc/self/oom_score_adj", t) < 0) {
1364 *error = EXIT_OOM_ADJUST;
1369 if (context->nice_set)
1370 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
1375 if (context->cpu_sched_set) {
1376 struct sched_param param = {
1377 .sched_priority = context->cpu_sched_priority,
1380 err = sched_setscheduler(0,
1381 context->cpu_sched_policy |
1382 (context->cpu_sched_reset_on_fork ?
1383 SCHED_RESET_ON_FORK : 0),
1386 *error = EXIT_SETSCHEDULER;
1391 if (context->cpuset)
1392 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
1393 *error = EXIT_CPUAFFINITY;
1397 if (context->ioprio_set)
1398 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
1399 *error = EXIT_IOPRIO;
1403 if (context->timer_slack_nsec != NSEC_INFINITY)
1404 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
1405 *error = EXIT_TIMERSLACK;
1409 if (context->personality != 0xffffffffUL)
1410 if (personality(context->personality) < 0) {
1411 *error = EXIT_PERSONALITY;
1415 if (context->utmp_id)
1416 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path);
1418 if (context->user) {
1419 username = context->user;
1420 err = get_user_creds(&username, &uid, &gid, &home, &shell);
1426 if (is_terminal_input(context->std_input)) {
1427 err = chown_terminal(STDIN_FILENO, uid);
1429 *error = EXIT_STDIN;
1436 if (params->bus_endpoint_fd >= 0 && context->bus_endpoint) {
1437 uid_t ep_uid = (uid == (uid_t) -1) ? 0 : uid;
1439 err = bus_kernel_set_endpoint_policy(params->bus_endpoint_fd, ep_uid, context->bus_endpoint);
1441 *error = EXIT_BUS_ENDPOINT;
1447 /* If delegation is enabled we'll pass ownership of the cgroup
1448 * (but only in systemd's own controller hierarchy!) to the
1449 * user of the new process. */
1450 if (params->cgroup_path && context->user && params->cgroup_delegate) {
1451 err = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
1453 *error = EXIT_CGROUP;
1458 err = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
1460 *error = EXIT_CGROUP;
1465 if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
1468 STRV_FOREACH(rt, context->runtime_directory) {
1469 _cleanup_free_ char *p;
1471 p = strjoin(params->runtime_prefix, "/", *rt, NULL);
1473 *error = EXIT_RUNTIME_DIRECTORY;
1477 err = mkdir_safe(p, context->runtime_directory_mode, uid, gid);
1479 *error = EXIT_RUNTIME_DIRECTORY;
1485 if (params->apply_permissions) {
1486 err = enforce_groups(context, username, gid);
1488 *error = EXIT_GROUP;
1493 umask(context->umask);
1496 if (params->apply_permissions && context->pam_name && username) {
1497 err = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
1505 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
1506 err = setup_netns(runtime->netns_storage_socket);
1508 *error = EXIT_NETWORK;
1513 if (!strv_isempty(context->read_write_dirs) ||
1514 !strv_isempty(context->read_only_dirs) ||
1515 !strv_isempty(context->inaccessible_dirs) ||
1516 context->mount_flags != 0 ||
1517 (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
1518 params->bus_endpoint_path ||
1519 context->private_devices ||
1520 context->protect_system != PROTECT_SYSTEM_NO ||
1521 context->protect_home != PROTECT_HOME_NO) {
1523 char *tmp = NULL, *var = NULL;
1525 /* The runtime struct only contains the parent
1526 * of the private /tmp, which is
1527 * non-accessible to world users. Inside of it
1528 * there's a /tmp that is sticky, and that's
1529 * the one we want to use here. */
1531 if (context->private_tmp && runtime) {
1532 if (runtime->tmp_dir)
1533 tmp = strappenda(runtime->tmp_dir, "/tmp");
1534 if (runtime->var_tmp_dir)
1535 var = strappenda(runtime->var_tmp_dir, "/tmp");
1538 err = setup_namespace(
1539 context->read_write_dirs,
1540 context->read_only_dirs,
1541 context->inaccessible_dirs,
1544 params->bus_endpoint_path,
1545 context->private_devices,
1546 context->protect_home,
1547 context->protect_system,
1548 context->mount_flags);
1551 log_warning_unit(params->unit_id, "Failed to set up file system namespace due to lack of privileges. Execution sandbox will not be in effect: %s", strerror(-err));
1553 *error = EXIT_NAMESPACE;
1558 if (params->apply_chroot) {
1559 if (context->root_directory)
1560 if (chroot(context->root_directory) < 0) {
1561 *error = EXIT_CHROOT;
1565 if (chdir(context->working_directory ? context->working_directory : "/") < 0) {
1566 *error = EXIT_CHDIR;
1570 _cleanup_free_ char *d = NULL;
1572 if (asprintf(&d, "%s/%s",
1573 context->root_directory ? context->root_directory : "",
1574 context->working_directory ? context->working_directory : "") < 0) {
1575 *error = EXIT_MEMORY;
1580 *error = EXIT_CHDIR;
1585 /* We repeat the fd closing here, to make sure that
1586 * nothing is leaked from the PAM modules. Note that
1587 * we are more aggressive this time since socket_fd
1588 * and the netns fds we don't need anymore. The custom
1589 * endpoint fd was needed to upload the policy and can
1590 * now be closed as well. */
1591 err = close_all_fds(fds, n_fds);
1593 err = shift_fds(fds, n_fds);
1595 err = flags_fds(fds, n_fds, context->non_blocking);
1601 if (params->apply_permissions) {
1603 for (i = 0; i < _RLIMIT_MAX; i++) {
1604 if (!context->rlimit[i])
1607 if (setrlimit_closest(i, context->rlimit[i]) < 0) {
1608 *error = EXIT_LIMITS;
1613 if (context->capability_bounding_set_drop) {
1614 err = capability_bounding_set_drop(context->capability_bounding_set_drop, false);
1616 *error = EXIT_CAPABILITIES;
1621 if (context->user) {
1622 err = enforce_user(context, uid);
1629 /* PR_GET_SECUREBITS is not privileged, while
1630 * PR_SET_SECUREBITS is. So to suppress
1631 * potential EPERMs we'll try not to call
1632 * PR_SET_SECUREBITS unless necessary. */
1633 if (prctl(PR_GET_SECUREBITS) != context->secure_bits)
1634 if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
1635 *error = EXIT_SECUREBITS;
1639 if (context->capabilities)
1640 if (cap_set_proc(context->capabilities) < 0) {
1641 *error = EXIT_CAPABILITIES;
1645 if (context->no_new_privileges)
1646 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
1647 *error = EXIT_NO_NEW_PRIVILEGES;
1652 if (context->address_families_whitelist ||
1653 !set_isempty(context->address_families)) {
1654 err = apply_address_families(context);
1656 *error = EXIT_ADDRESS_FAMILIES;
1661 if (context->syscall_whitelist ||
1662 !set_isempty(context->syscall_filter) ||
1663 !set_isempty(context->syscall_archs)) {
1664 err = apply_seccomp(context);
1666 *error = EXIT_SECCOMP;
1673 if (mac_selinux_use()) {
1674 if (context->selinux_context) {
1675 err = setexeccon(context->selinux_context);
1676 if (err < 0 && !context->selinux_context_ignore) {
1677 *error = EXIT_SELINUX_CONTEXT;
1682 if (params->selinux_context_net && socket_fd >= 0) {
1683 _cleanup_free_ char *label = NULL;
1685 err = mac_selinux_get_child_mls_label(socket_fd, command->path, &label);
1687 *error = EXIT_SELINUX_CONTEXT;
1691 err = setexeccon(label);
1693 *error = EXIT_SELINUX_CONTEXT;
1700 #ifdef HAVE_APPARMOR
1701 if (context->apparmor_profile && mac_apparmor_use()) {
1702 err = aa_change_onexec(context->apparmor_profile);
1703 if (err < 0 && !context->apparmor_profile_ignore) {
1704 *error = EXIT_APPARMOR_PROFILE;
1711 err = build_environment(context, n_fds, params->watchdog_usec, home, username, shell, &our_env);
1713 *error = EXIT_MEMORY;
1717 final_env = strv_env_merge(5,
1718 params->environment,
1720 context->environment,
1725 *error = EXIT_MEMORY;
1729 final_argv = replace_env_argv(argv, final_env);
1731 *error = EXIT_MEMORY;
1735 final_env = strv_env_clean(final_env);
1737 if (_unlikely_(log_get_max_level() >= LOG_PRI(LOG_DEBUG))) {
1738 _cleanup_free_ char *line;
1740 line = exec_command_line(final_argv);
1743 log_struct_unit(LOG_DEBUG,
1745 "EXECUTABLE=%s", command->path,
1746 "MESSAGE=Executing: %s", line,
1751 execve(command->path, final_argv, final_env);
1756 int exec_spawn(ExecCommand *command,
1757 const ExecContext *context,
1758 const ExecParameters *params,
1759 ExecRuntime *runtime,
1762 _cleanup_strv_free_ char **files_env = NULL;
1763 int *fds = NULL; unsigned n_fds = 0;
1773 assert(params->fds || params->n_fds <= 0);
1775 if (context->std_input == EXEC_INPUT_SOCKET ||
1776 context->std_output == EXEC_OUTPUT_SOCKET ||
1777 context->std_error == EXEC_OUTPUT_SOCKET) {
1779 if (params->n_fds != 1)
1782 socket_fd = params->fds[0];
1786 n_fds = params->n_fds;
1789 err = exec_context_load_environment(context, params->unit_id, &files_env);
1791 log_struct_unit(LOG_ERR,
1793 "MESSAGE=Failed to load environment files: %s", strerror(-err),
1799 argv = params->argv ?: command->argv;
1801 line = exec_command_line(argv);
1805 log_struct_unit(LOG_DEBUG,
1807 "EXECUTABLE=%s", command->path,
1808 "MESSAGE=About to execute: %s", line,
1819 err = exec_child(command,
1830 log_struct(LOG_ERR, MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
1831 "EXECUTABLE=%s", command->path,
1832 "MESSAGE=Failed at step %s spawning %s: %s",
1833 exit_status_to_string(r, EXIT_STATUS_SYSTEMD),
1834 command->path, strerror(-err),
1843 log_struct_unit(LOG_DEBUG,
1845 "MESSAGE=Forked %s as "PID_FMT,
1849 /* We add the new process to the cgroup both in the child (so
1850 * that we can be sure that no user code is ever executed
1851 * outside of the cgroup) and in the parent (so that we can be
1852 * sure that when we kill the cgroup the process will be
1854 if (params->cgroup_path)
1855 cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
1857 exec_status_start(&command->exec_status, pid);
1863 void exec_context_init(ExecContext *c) {
1867 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
1868 c->cpu_sched_policy = SCHED_OTHER;
1869 c->syslog_priority = LOG_DAEMON|LOG_INFO;
1870 c->syslog_level_prefix = true;
1871 c->ignore_sigpipe = true;
1872 c->timer_slack_nsec = NSEC_INFINITY;
1873 c->personality = 0xffffffffUL;
1874 c->runtime_directory_mode = 0755;
1877 void exec_context_done(ExecContext *c) {
1882 strv_free(c->environment);
1883 c->environment = NULL;
1885 strv_free(c->environment_files);
1886 c->environment_files = NULL;
1888 for (l = 0; l < ELEMENTSOF(c->rlimit); l++) {
1890 c->rlimit[l] = NULL;
1893 free(c->working_directory);
1894 c->working_directory = NULL;
1895 free(c->root_directory);
1896 c->root_directory = NULL;
1901 free(c->syslog_identifier);
1902 c->syslog_identifier = NULL;
1910 strv_free(c->supplementary_groups);
1911 c->supplementary_groups = NULL;
1916 if (c->capabilities) {
1917 cap_free(c->capabilities);
1918 c->capabilities = NULL;
1921 strv_free(c->read_only_dirs);
1922 c->read_only_dirs = NULL;
1924 strv_free(c->read_write_dirs);
1925 c->read_write_dirs = NULL;
1927 strv_free(c->inaccessible_dirs);
1928 c->inaccessible_dirs = NULL;
1931 CPU_FREE(c->cpuset);
1936 free(c->selinux_context);
1937 c->selinux_context = NULL;
1939 free(c->apparmor_profile);
1940 c->apparmor_profile = NULL;
1942 set_free(c->syscall_filter);
1943 c->syscall_filter = NULL;
1945 set_free(c->syscall_archs);
1946 c->syscall_archs = NULL;
1948 set_free(c->address_families);
1949 c->address_families = NULL;
1951 strv_free(c->runtime_directory);
1952 c->runtime_directory = NULL;
1954 bus_endpoint_free(c->bus_endpoint);
1955 c->bus_endpoint = NULL;
1958 int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
1963 if (!runtime_prefix)
1966 STRV_FOREACH(i, c->runtime_directory) {
1967 _cleanup_free_ char *p;
1969 p = strjoin(runtime_prefix, "/", *i, NULL);
1973 /* We execute this synchronously, since we need to be
1974 * sure this is gone when we start the service
1976 rm_rf_dangerous(p, false, true, false);
1982 void exec_command_done(ExecCommand *c) {
1992 void exec_command_done_array(ExecCommand *c, unsigned n) {
1995 for (i = 0; i < n; i++)
1996 exec_command_done(c+i);
1999 void exec_command_free_list(ExecCommand *c) {
2003 LIST_REMOVE(command, c, i);
2004 exec_command_done(i);
2009 void exec_command_free_array(ExecCommand **c, unsigned n) {
2012 for (i = 0; i < n; i++) {
2013 exec_command_free_list(c[i]);
2018 int exec_context_load_environment(const ExecContext *c, const char *unit_id, char ***l) {
2019 char **i, **r = NULL;
2024 STRV_FOREACH(i, c->environment_files) {
2027 bool ignore = false;
2029 _cleanup_globfree_ glob_t pglob = {};
2039 if (!path_is_absolute(fn)) {
2047 /* Filename supports globbing, take all matching files */
2049 if (glob(fn, 0, NULL, &pglob) != 0) {
2054 return errno ? -errno : -EINVAL;
2056 count = pglob.gl_pathc;
2064 for (n = 0; n < count; n++) {
2065 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
2073 /* Log invalid environment variables with filename */
2075 p = strv_env_clean_log(p, unit_id, pglob.gl_pathv[n]);
2082 m = strv_env_merge(2, r, p);
2098 static bool tty_may_match_dev_console(const char *tty) {
2099 _cleanup_free_ char *active = NULL;
2102 if (startswith(tty, "/dev/"))
2105 /* trivial identity? */
2106 if (streq(tty, "console"))
2109 console = resolve_dev_console(&active);
2110 /* if we could not resolve, assume it may */
2114 /* "tty0" means the active VC, so it may be the same sometimes */
2115 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
2118 bool exec_context_may_touch_console(ExecContext *ec) {
2119 return (ec->tty_reset || ec->tty_vhangup || ec->tty_vt_disallocate ||
2120 is_terminal_input(ec->std_input) ||
2121 is_terminal_output(ec->std_output) ||
2122 is_terminal_output(ec->std_error)) &&
2123 tty_may_match_dev_console(tty_path(ec));
2126 static void strv_fprintf(FILE *f, char **l) {
2132 fprintf(f, " %s", *g);
2135 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
2142 prefix = strempty(prefix);
2146 "%sWorkingDirectory: %s\n"
2147 "%sRootDirectory: %s\n"
2148 "%sNonBlocking: %s\n"
2149 "%sPrivateTmp: %s\n"
2150 "%sPrivateNetwork: %s\n"
2151 "%sPrivateDevices: %s\n"
2152 "%sProtectHome: %s\n"
2153 "%sProtectSystem: %s\n"
2154 "%sIgnoreSIGPIPE: %s\n",
2156 prefix, c->working_directory ? c->working_directory : "/",
2157 prefix, c->root_directory ? c->root_directory : "/",
2158 prefix, yes_no(c->non_blocking),
2159 prefix, yes_no(c->private_tmp),
2160 prefix, yes_no(c->private_network),
2161 prefix, yes_no(c->private_devices),
2162 prefix, protect_home_to_string(c->protect_home),
2163 prefix, protect_system_to_string(c->protect_system),
2164 prefix, yes_no(c->ignore_sigpipe));
2166 STRV_FOREACH(e, c->environment)
2167 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
2169 STRV_FOREACH(e, c->environment_files)
2170 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
2177 if (c->oom_score_adjust_set)
2179 "%sOOMScoreAdjust: %i\n",
2180 prefix, c->oom_score_adjust);
2182 for (i = 0; i < RLIM_NLIMITS; i++)
2184 fprintf(f, "%s%s: "RLIM_FMT"\n",
2185 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
2187 if (c->ioprio_set) {
2188 _cleanup_free_ char *class_str = NULL;
2190 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
2192 "%sIOSchedulingClass: %s\n"
2193 "%sIOPriority: %i\n",
2194 prefix, strna(class_str),
2195 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
2198 if (c->cpu_sched_set) {
2199 _cleanup_free_ char *policy_str = NULL;
2201 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
2203 "%sCPUSchedulingPolicy: %s\n"
2204 "%sCPUSchedulingPriority: %i\n"
2205 "%sCPUSchedulingResetOnFork: %s\n",
2206 prefix, strna(policy_str),
2207 prefix, c->cpu_sched_priority,
2208 prefix, yes_no(c->cpu_sched_reset_on_fork));
2212 fprintf(f, "%sCPUAffinity:", prefix);
2213 for (i = 0; i < c->cpuset_ncpus; i++)
2214 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
2215 fprintf(f, " %u", i);
2219 if (c->timer_slack_nsec != NSEC_INFINITY)
2220 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
2223 "%sStandardInput: %s\n"
2224 "%sStandardOutput: %s\n"
2225 "%sStandardError: %s\n",
2226 prefix, exec_input_to_string(c->std_input),
2227 prefix, exec_output_to_string(c->std_output),
2228 prefix, exec_output_to_string(c->std_error));
2234 "%sTTYVHangup: %s\n"
2235 "%sTTYVTDisallocate: %s\n",
2236 prefix, c->tty_path,
2237 prefix, yes_no(c->tty_reset),
2238 prefix, yes_no(c->tty_vhangup),
2239 prefix, yes_no(c->tty_vt_disallocate));
2241 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
2242 c->std_output == EXEC_OUTPUT_KMSG ||
2243 c->std_output == EXEC_OUTPUT_JOURNAL ||
2244 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2245 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2246 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
2247 c->std_error == EXEC_OUTPUT_SYSLOG ||
2248 c->std_error == EXEC_OUTPUT_KMSG ||
2249 c->std_error == EXEC_OUTPUT_JOURNAL ||
2250 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2251 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2252 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
2254 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
2256 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
2257 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
2260 "%sSyslogFacility: %s\n"
2261 "%sSyslogLevel: %s\n",
2262 prefix, strna(fac_str),
2263 prefix, strna(lvl_str));
2266 if (c->capabilities) {
2267 _cleanup_cap_free_charp_ char *t;
2269 t = cap_to_text(c->capabilities, NULL);
2271 fprintf(f, "%sCapabilities: %s\n", prefix, t);
2275 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
2277 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
2278 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
2279 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
2280 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
2281 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
2282 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
2284 if (c->capability_bounding_set_drop) {
2286 fprintf(f, "%sCapabilityBoundingSet:", prefix);
2288 for (l = 0; l <= cap_last_cap(); l++)
2289 if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) {
2290 _cleanup_cap_free_charp_ char *t;
2294 fprintf(f, " %s", t);
2301 fprintf(f, "%sUser: %s\n", prefix, c->user);
2303 fprintf(f, "%sGroup: %s\n", prefix, c->group);
2305 if (strv_length(c->supplementary_groups) > 0) {
2306 fprintf(f, "%sSupplementaryGroups:", prefix);
2307 strv_fprintf(f, c->supplementary_groups);
2312 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
2314 if (strv_length(c->read_write_dirs) > 0) {
2315 fprintf(f, "%sReadWriteDirs:", prefix);
2316 strv_fprintf(f, c->read_write_dirs);
2320 if (strv_length(c->read_only_dirs) > 0) {
2321 fprintf(f, "%sReadOnlyDirs:", prefix);
2322 strv_fprintf(f, c->read_only_dirs);
2326 if (strv_length(c->inaccessible_dirs) > 0) {
2327 fprintf(f, "%sInaccessibleDirs:", prefix);
2328 strv_fprintf(f, c->inaccessible_dirs);
2334 "%sUtmpIdentifier: %s\n",
2335 prefix, c->utmp_id);
2337 if (c->selinux_context)
2339 "%sSELinuxContext: %s%s\n",
2340 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
2342 if (c->personality != 0xffffffffUL)
2344 "%sPersonality: %s\n",
2345 prefix, strna(personality_to_string(c->personality)));
2347 if (c->syscall_filter) {
2355 "%sSystemCallFilter: ",
2358 if (!c->syscall_whitelist)
2362 SET_FOREACH(id, c->syscall_filter, j) {
2363 _cleanup_free_ char *name = NULL;
2370 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
2371 fputs(strna(name), f);
2378 if (c->syscall_archs) {
2385 "%sSystemCallArchitectures:",
2389 SET_FOREACH(id, c->syscall_archs, j)
2390 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
2395 if (c->syscall_errno != 0)
2397 "%sSystemCallErrorNumber: %s\n",
2398 prefix, strna(errno_to_name(c->syscall_errno)));
2400 if (c->apparmor_profile)
2402 "%sAppArmorProfile: %s%s\n",
2403 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
2406 bool exec_context_maintains_privileges(ExecContext *c) {
2409 /* Returns true if the process forked off would run run under
2410 * an unchanged UID or as root. */
2415 if (streq(c->user, "root") || streq(c->user, "0"))
2421 void exec_status_start(ExecStatus *s, pid_t pid) {
2426 dual_timestamp_get(&s->start_timestamp);
2429 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
2432 if (s->pid && s->pid != pid)
2436 dual_timestamp_get(&s->exit_timestamp);
2442 if (context->utmp_id)
2443 utmp_put_dead_process(context->utmp_id, pid, code, status);
2445 exec_context_tty_reset(context);
2449 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
2450 char buf[FORMAT_TIMESTAMP_MAX];
2458 prefix = strempty(prefix);
2461 "%sPID: "PID_FMT"\n",
2464 if (s->start_timestamp.realtime > 0)
2466 "%sStart Timestamp: %s\n",
2467 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
2469 if (s->exit_timestamp.realtime > 0)
2471 "%sExit Timestamp: %s\n"
2473 "%sExit Status: %i\n",
2474 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
2475 prefix, sigchld_code_to_string(s->code),
2479 char *exec_command_line(char **argv) {
2487 STRV_FOREACH(a, argv)
2490 if (!(n = new(char, k)))
2494 STRV_FOREACH(a, argv) {
2501 if (strpbrk(*a, WHITESPACE)) {
2512 /* FIXME: this doesn't really handle arguments that have
2513 * spaces and ticks in them */
2518 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
2519 _cleanup_free_ char *cmd = NULL;
2520 const char *prefix2;
2525 prefix = strempty(prefix);
2526 prefix2 = strappenda(prefix, "\t");
2528 cmd = exec_command_line(c->argv);
2530 "%sCommand Line: %s\n",
2531 prefix, cmd ? cmd : strerror(ENOMEM));
2533 exec_status_dump(&c->exec_status, f, prefix2);
2536 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2539 prefix = strempty(prefix);
2541 LIST_FOREACH(command, c, c)
2542 exec_command_dump(c, f, prefix);
2545 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
2552 /* It's kind of important, that we keep the order here */
2553 LIST_FIND_TAIL(command, *l, end);
2554 LIST_INSERT_AFTER(command, *l, end, e);
2559 int exec_command_set(ExecCommand *c, const char *path, ...) {
2567 l = strv_new_ap(path, ap);
2588 int exec_command_append(ExecCommand *c, const char *path, ...) {
2589 _cleanup_strv_free_ char **l = NULL;
2597 l = strv_new_ap(path, ap);
2603 r = strv_extend_strv(&c->argv, l);
2611 static int exec_runtime_allocate(ExecRuntime **rt) {
2616 *rt = new0(ExecRuntime, 1);
2621 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
2626 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
2636 if (!c->private_network && !c->private_tmp)
2639 r = exec_runtime_allocate(rt);
2643 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
2644 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, (*rt)->netns_storage_socket) < 0)
2648 if (c->private_tmp && !(*rt)->tmp_dir) {
2649 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
2657 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
2659 assert(r->n_ref > 0);
2665 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
2670 assert(r->n_ref > 0);
2673 if (r->n_ref <= 0) {
2675 free(r->var_tmp_dir);
2676 safe_close_pair(r->netns_storage_socket);
2683 int exec_runtime_serialize(ExecRuntime *rt, Unit *u, FILE *f, FDSet *fds) {
2692 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
2694 if (rt->var_tmp_dir)
2695 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
2697 if (rt->netns_storage_socket[0] >= 0) {
2700 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
2704 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
2707 if (rt->netns_storage_socket[1] >= 0) {
2710 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
2714 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
2720 int exec_runtime_deserialize_item(ExecRuntime **rt, Unit *u, const char *key, const char *value, FDSet *fds) {
2727 if (streq(key, "tmp-dir")) {
2730 r = exec_runtime_allocate(rt);
2734 copy = strdup(value);
2738 free((*rt)->tmp_dir);
2739 (*rt)->tmp_dir = copy;
2741 } else if (streq(key, "var-tmp-dir")) {
2744 r = exec_runtime_allocate(rt);
2748 copy = strdup(value);
2752 free((*rt)->var_tmp_dir);
2753 (*rt)->var_tmp_dir = copy;
2755 } else if (streq(key, "netns-socket-0")) {
2758 r = exec_runtime_allocate(rt);
2762 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2763 log_debug_unit(u->id, "Failed to parse netns socket value %s", value);
2765 safe_close((*rt)->netns_storage_socket[0]);
2766 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
2768 } else if (streq(key, "netns-socket-1")) {
2771 r = exec_runtime_allocate(rt);
2775 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2776 log_debug_unit(u->id, "Failed to parse netns socket value %s", value);
2778 safe_close((*rt)->netns_storage_socket[1]);
2779 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
2787 static void *remove_tmpdir_thread(void *p) {
2788 _cleanup_free_ char *path = p;
2790 rm_rf_dangerous(path, false, true, false);
2794 void exec_runtime_destroy(ExecRuntime *rt) {
2800 /* If there are multiple users of this, let's leave the stuff around */
2805 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
2807 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
2809 log_warning("Failed to nuke %s: %s", rt->tmp_dir, strerror(-r));
2816 if (rt->var_tmp_dir) {
2817 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
2819 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
2821 log_warning("Failed to nuke %s: %s", rt->var_tmp_dir, strerror(-r));
2822 free(rt->var_tmp_dir);
2825 rt->var_tmp_dir = NULL;
2828 safe_close_pair(rt->netns_storage_socket);
2831 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
2832 [EXEC_INPUT_NULL] = "null",
2833 [EXEC_INPUT_TTY] = "tty",
2834 [EXEC_INPUT_TTY_FORCE] = "tty-force",
2835 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
2836 [EXEC_INPUT_SOCKET] = "socket"
2839 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
2841 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
2842 [EXEC_OUTPUT_INHERIT] = "inherit",
2843 [EXEC_OUTPUT_NULL] = "null",
2844 [EXEC_OUTPUT_TTY] = "tty",
2845 [EXEC_OUTPUT_SYSLOG] = "syslog",
2846 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
2847 [EXEC_OUTPUT_KMSG] = "kmsg",
2848 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
2849 [EXEC_OUTPUT_JOURNAL] = "journal",
2850 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
2851 [EXEC_OUTPUT_SOCKET] = "socket"
2854 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
~ianmdlvl / elogind.git / blob