1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
29 #include <sys/socket.h>
31 #include <sys/prctl.h>
32 #include <linux/sched.h>
33 #include <sys/types.h>
37 #include <sys/mount.h>
39 #include <linux/oom.h>
43 #include <security/pam_appl.h>
49 #include "capability.h"
53 #include "securebits.h"
55 #include "namespace.h"
57 #include "exit-status.h"
59 #include "utmp-wtmp.h"
61 #include "loopback-setup.h"
62 #include "path-util.h"
64 /* This assumes there is a 'tty' group */
67 static int shift_fds(int fds[], unsigned n_fds) {
68 int start, restart_from;
73 /* Modifies the fds array! (sorts it) */
83 for (i = start; i < (int) n_fds; i++) {
86 /* Already at right index? */
90 if ((nfd = fcntl(fds[i], F_DUPFD, i+3)) < 0)
93 close_nointr_nofail(fds[i]);
96 /* Hmm, the fd we wanted isn't free? Then
97 * let's remember that and try again from here*/
98 if (nfd != i+3 && restart_from < 0)
102 if (restart_from < 0)
105 start = restart_from;
111 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
120 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
122 for (i = 0; i < n_fds; i++) {
124 if ((r = fd_nonblock(fds[i], nonblock)) < 0)
127 /* We unconditionally drop FD_CLOEXEC from the fds,
128 * since after all we want to pass these fds to our
131 if ((r = fd_cloexec(fds[i], false)) < 0)
138 static const char *tty_path(const ExecContext *context) {
141 if (context->tty_path)
142 return context->tty_path;
144 return "/dev/console";
147 void exec_context_tty_reset(const ExecContext *context) {
150 if (context->tty_vhangup)
151 terminal_vhangup(tty_path(context));
153 if (context->tty_reset)
154 reset_terminal(tty_path(context));
156 if (context->tty_vt_disallocate && context->tty_path)
157 vt_disallocate(context->tty_path);
160 static int open_null_as(int flags, int nfd) {
165 if ((fd = open("/dev/null", flags|O_NOCTTY)) < 0)
169 r = dup2(fd, nfd) < 0 ? -errno : nfd;
170 close_nointr_nofail(fd);
177 static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, int nfd) {
179 union sockaddr_union sa;
182 assert(output < _EXEC_OUTPUT_MAX);
186 fd = socket(AF_UNIX, SOCK_STREAM, 0);
191 sa.un.sun_family = AF_UNIX;
192 strncpy(sa.un.sun_path, "/run/systemd/journal/stdout", sizeof(sa.un.sun_path));
194 r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path));
196 close_nointr_nofail(fd);
200 if (shutdown(fd, SHUT_RD) < 0) {
201 close_nointr_nofail(fd);
212 context->syslog_identifier ? context->syslog_identifier : ident,
213 context->syslog_priority,
214 !!context->syslog_level_prefix,
215 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
216 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
217 output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE || output == EXEC_OUTPUT_KMSG_AND_CONSOLE || output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE);
220 r = dup2(fd, nfd) < 0 ? -errno : nfd;
221 close_nointr_nofail(fd);
227 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
233 if ((fd = open_terminal(path, mode | O_NOCTTY)) < 0)
237 r = dup2(fd, nfd) < 0 ? -errno : nfd;
238 close_nointr_nofail(fd);
245 static bool is_terminal_input(ExecInput i) {
247 i == EXEC_INPUT_TTY ||
248 i == EXEC_INPUT_TTY_FORCE ||
249 i == EXEC_INPUT_TTY_FAIL;
252 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
254 if (is_terminal_input(std_input) && !apply_tty_stdin)
255 return EXEC_INPUT_NULL;
257 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
258 return EXEC_INPUT_NULL;
263 static int fixup_output(ExecOutput std_output, int socket_fd) {
265 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
266 return EXEC_OUTPUT_INHERIT;
271 static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty_stdin) {
276 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
280 case EXEC_INPUT_NULL:
281 return open_null_as(O_RDONLY, STDIN_FILENO);
284 case EXEC_INPUT_TTY_FORCE:
285 case EXEC_INPUT_TTY_FAIL: {
288 if ((fd = acquire_terminal(
290 i == EXEC_INPUT_TTY_FAIL,
291 i == EXEC_INPUT_TTY_FORCE,
295 if (fd != STDIN_FILENO) {
296 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
297 close_nointr_nofail(fd);
304 case EXEC_INPUT_SOCKET:
305 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
308 assert_not_reached("Unknown input type");
312 static int setup_output(const ExecContext *context, int socket_fd, const char *ident, bool apply_tty_stdin) {
319 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
320 o = fixup_output(context->std_output, socket_fd);
322 /* This expects the input is already set up */
326 case EXEC_OUTPUT_INHERIT:
328 /* If input got downgraded, inherit the original value */
329 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
330 return open_terminal_as(tty_path(context), O_WRONLY, STDOUT_FILENO);
332 /* If the input is connected to anything that's not a /dev/null, inherit that... */
333 if (i != EXEC_INPUT_NULL)
334 return dup2(STDIN_FILENO, STDOUT_FILENO) < 0 ? -errno : STDOUT_FILENO;
336 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
338 return STDOUT_FILENO;
340 /* We need to open /dev/null here anew, to get the
341 * right access mode. So we fall through */
343 case EXEC_OUTPUT_NULL:
344 return open_null_as(O_WRONLY, STDOUT_FILENO);
346 case EXEC_OUTPUT_TTY:
347 if (is_terminal_input(i))
348 return dup2(STDIN_FILENO, STDOUT_FILENO) < 0 ? -errno : STDOUT_FILENO;
350 /* We don't reset the terminal if this is just about output */
351 return open_terminal_as(tty_path(context), O_WRONLY, STDOUT_FILENO);
353 case EXEC_OUTPUT_SYSLOG:
354 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
355 case EXEC_OUTPUT_KMSG:
356 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
357 case EXEC_OUTPUT_JOURNAL:
358 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
359 return connect_logger_as(context, o, ident, STDOUT_FILENO);
361 case EXEC_OUTPUT_SOCKET:
362 assert(socket_fd >= 0);
363 return dup2(socket_fd, STDOUT_FILENO) < 0 ? -errno : STDOUT_FILENO;
366 assert_not_reached("Unknown output type");
370 static int setup_error(const ExecContext *context, int socket_fd, const char *ident, bool apply_tty_stdin) {
377 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
378 o = fixup_output(context->std_output, socket_fd);
379 e = fixup_output(context->std_error, socket_fd);
381 /* This expects the input and output are already set up */
383 /* Don't change the stderr file descriptor if we inherit all
384 * the way and are not on a tty */
385 if (e == EXEC_OUTPUT_INHERIT &&
386 o == EXEC_OUTPUT_INHERIT &&
387 i == EXEC_INPUT_NULL &&
388 !is_terminal_input(context->std_input) &&
390 return STDERR_FILENO;
392 /* Duplicate from stdout if possible */
393 if (e == o || e == EXEC_OUTPUT_INHERIT)
394 return dup2(STDOUT_FILENO, STDERR_FILENO) < 0 ? -errno : STDERR_FILENO;
398 case EXEC_OUTPUT_NULL:
399 return open_null_as(O_WRONLY, STDERR_FILENO);
401 case EXEC_OUTPUT_TTY:
402 if (is_terminal_input(i))
403 return dup2(STDIN_FILENO, STDERR_FILENO) < 0 ? -errno : STDERR_FILENO;
405 /* We don't reset the terminal if this is just about output */
406 return open_terminal_as(tty_path(context), O_WRONLY, STDERR_FILENO);
408 case EXEC_OUTPUT_SYSLOG:
409 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
410 case EXEC_OUTPUT_KMSG:
411 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
412 case EXEC_OUTPUT_JOURNAL:
413 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
414 return connect_logger_as(context, e, ident, STDERR_FILENO);
416 case EXEC_OUTPUT_SOCKET:
417 assert(socket_fd >= 0);
418 return dup2(socket_fd, STDERR_FILENO) < 0 ? -errno : STDERR_FILENO;
421 assert_not_reached("Unknown error type");
425 static int chown_terminal(int fd, uid_t uid) {
430 /* This might fail. What matters are the results. */
431 (void) fchown(fd, uid, -1);
432 (void) fchmod(fd, TTY_MODE);
434 if (fstat(fd, &st) < 0)
437 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
443 static int setup_confirm_stdio(const ExecContext *context,
445 int *_saved_stdout) {
446 int fd = -1, saved_stdin, saved_stdout = -1, r;
449 assert(_saved_stdin);
450 assert(_saved_stdout);
452 /* This returns positive EXIT_xxx return values instead of
453 * negative errno style values! */
455 if ((saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3)) < 0)
458 if ((saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3)) < 0) {
463 if ((fd = acquire_terminal(
465 context->std_input == EXEC_INPUT_TTY_FAIL,
466 context->std_input == EXEC_INPUT_TTY_FORCE,
472 if (chown_terminal(fd, getuid()) < 0) {
477 if (dup2(fd, STDIN_FILENO) < 0) {
482 if (dup2(fd, STDOUT_FILENO) < 0) {
488 close_nointr_nofail(fd);
490 *_saved_stdin = saved_stdin;
491 *_saved_stdout = saved_stdout;
496 if (saved_stdout >= 0)
497 close_nointr_nofail(saved_stdout);
499 if (saved_stdin >= 0)
500 close_nointr_nofail(saved_stdin);
503 close_nointr_nofail(fd);
508 static int restore_confirm_stdio(const ExecContext *context,
516 assert(*saved_stdin >= 0);
517 assert(saved_stdout);
518 assert(*saved_stdout >= 0);
520 /* This returns positive EXIT_xxx return values instead of
521 * negative errno style values! */
523 if (is_terminal_input(context->std_input)) {
525 /* The service wants terminal input. */
529 context->std_output == EXEC_OUTPUT_INHERIT ||
530 context->std_output == EXEC_OUTPUT_TTY;
533 /* If the service doesn't want a controlling terminal,
534 * then we need to get rid entirely of what we have
537 if (release_terminal() < 0)
540 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
543 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
546 *keep_stdout = *keep_stdin = false;
552 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
553 bool keep_groups = false;
558 /* Lookup and set GID and supplementary group list. Here too
559 * we avoid NSS lookups for gid=0. */
561 if (context->group || username) {
563 if (context->group) {
564 const char *g = context->group;
566 if ((r = get_group_creds(&g, &gid)) < 0)
570 /* First step, initialize groups from /etc/groups */
571 if (username && gid != 0) {
572 if (initgroups(username, gid) < 0)
578 /* Second step, set our gids */
579 if (setresgid(gid, gid, gid) < 0)
583 if (context->supplementary_groups) {
588 /* Final step, initialize any manually set supplementary groups */
589 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
591 if (!(gids = new(gid_t, ngroups_max)))
595 if ((k = getgroups(ngroups_max, gids)) < 0) {
602 STRV_FOREACH(i, context->supplementary_groups) {
605 if (k >= ngroups_max) {
611 r = get_group_creds(&g, gids+k);
620 if (setgroups(k, gids) < 0) {
631 static int enforce_user(const ExecContext *context, uid_t uid) {
635 /* Sets (but doesn't lookup) the uid and make sure we keep the
636 * capabilities while doing so. */
638 if (context->capabilities) {
640 static const cap_value_t bits[] = {
641 CAP_SETUID, /* Necessary so that we can run setresuid() below */
642 CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
645 /* First step: If we need to keep capabilities but
646 * drop privileges we need to make sure we keep our
647 * caps, whiel we drop privileges. */
649 int sb = context->secure_bits|SECURE_KEEP_CAPS;
651 if (prctl(PR_GET_SECUREBITS) != sb)
652 if (prctl(PR_SET_SECUREBITS, sb) < 0)
656 /* Second step: set the capabilities. This will reduce
657 * the capabilities to the minimum we need. */
659 if (!(d = cap_dup(context->capabilities)))
662 if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
663 cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0) {
669 if (cap_set_proc(d) < 0) {
678 /* Third step: actually set the uids */
679 if (setresuid(uid, uid, uid) < 0)
682 /* At this point we should have all necessary capabilities but
683 are otherwise a normal user. However, the caps might got
684 corrupted due to the setresuid() so we need clean them up
685 later. This is done outside of this call. */
692 static int null_conv(
694 const struct pam_message **msg,
695 struct pam_response **resp,
698 /* We don't support conversations */
703 static int setup_pam(
708 int fds[], unsigned n_fds) {
710 static const struct pam_conv conv = {
715 pam_handle_t *handle = NULL;
717 int pam_code = PAM_SUCCESS;
720 bool close_session = false;
721 pid_t pam_pid = 0, parent_pid;
727 /* We set up PAM in the parent process, then fork. The child
728 * will then stay around until killed via PR_GET_PDEATHSIG or
729 * systemd via the cgroup logic. It will then remove the PAM
730 * session again. The parent process will exec() the actual
731 * daemon. We do things this way to ensure that the main PID
732 * of the daemon is the one we initially fork()ed. */
734 if ((pam_code = pam_start(name, user, &conv, &handle)) != PAM_SUCCESS) {
740 if ((pam_code = pam_set_item(handle, PAM_TTY, tty)) != PAM_SUCCESS)
743 if ((pam_code = pam_acct_mgmt(handle, PAM_SILENT)) != PAM_SUCCESS)
746 if ((pam_code = pam_open_session(handle, PAM_SILENT)) != PAM_SUCCESS)
749 close_session = true;
751 if ((!(e = pam_getenvlist(handle)))) {
752 pam_code = PAM_BUF_ERR;
756 /* Block SIGTERM, so that we know that it won't get lost in
758 if (sigemptyset(&ss) < 0 ||
759 sigaddset(&ss, SIGTERM) < 0 ||
760 sigprocmask(SIG_BLOCK, &ss, &old_ss) < 0)
763 parent_pid = getpid();
765 if ((pam_pid = fork()) < 0)
772 /* The child's job is to reset the PAM session on
775 /* This string must fit in 10 chars (i.e. the length
776 * of "/sbin/init"), to look pretty in /bin/ps */
777 rename_process("(sd-pam)");
779 /* Make sure we don't keep open the passed fds in this
780 child. We assume that otherwise only those fds are
781 open here that have been opened by PAM. */
782 close_many(fds, n_fds);
784 /* Wait until our parent died. This will most likely
785 * not work since the kernel does not allow
786 * unprivileged parents kill their privileged children
787 * this way. We rely on the control groups kill logic
788 * to do the rest for us. */
789 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
792 /* Check if our parent process might already have
794 if (getppid() == parent_pid) {
796 if (sigwait(&ss, &sig) < 0) {
803 assert(sig == SIGTERM);
808 /* If our parent died we'll end the session */
809 if (getppid() != parent_pid)
810 if ((pam_code = pam_close_session(handle, PAM_DATA_SILENT)) != PAM_SUCCESS)
816 pam_end(handle, pam_code | PAM_DATA_SILENT);
820 /* If the child was forked off successfully it will do all the
821 * cleanups, so forget about the handle here. */
824 /* Unblock SIGTERM again in the parent */
825 if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0)
828 /* We close the log explicitly here, since the PAM modules
829 * might have opened it, but we don't want this fd around. */
838 if (pam_code != PAM_SUCCESS)
839 err = -EPERM; /* PAM errors do not map to errno */
845 pam_code = pam_close_session(handle, PAM_DATA_SILENT);
847 pam_end(handle, pam_code | PAM_DATA_SILENT);
855 kill(pam_pid, SIGTERM);
856 kill(pam_pid, SIGCONT);
863 static int do_capability_bounding_set_drop(uint64_t drop) {
865 cap_t old_cap = NULL, new_cap = NULL;
869 /* If we are run as PID 1 we will lack CAP_SETPCAP by default
870 * in the effective set (yes, the kernel drops that when
871 * executing init!), so get it back temporarily so that we can
872 * call PR_CAPBSET_DROP. */
874 old_cap = cap_get_proc();
878 if (cap_get_flag(old_cap, CAP_SETPCAP, CAP_EFFECTIVE, &fv) < 0) {
884 static const cap_value_t v = CAP_SETPCAP;
886 new_cap = cap_dup(old_cap);
892 if (cap_set_flag(new_cap, CAP_EFFECTIVE, 1, &v, CAP_SET) < 0) {
897 if (cap_set_proc(new_cap) < 0) {
903 for (i = 0; i <= cap_last_cap(); i++)
904 if (drop & ((uint64_t) 1ULL << (uint64_t) i)) {
905 if (prctl(PR_CAPBSET_DROP, i) < 0) {
918 cap_set_proc(old_cap);
925 static void rename_process_from_path(const char *path) {
926 char process_name[11];
930 /* This resulting string must fit in 10 chars (i.e. the length
931 * of "/sbin/init") to look pretty in /bin/ps */
933 p = path_get_file_name(path);
935 rename_process("(...)");
941 /* The end of the process name is usually more
942 * interesting, since the first bit might just be
948 process_name[0] = '(';
949 memcpy(process_name+1, p, l);
950 process_name[1+l] = ')';
951 process_name[1+l+1] = 0;
953 rename_process(process_name);
956 int exec_spawn(ExecCommand *command,
958 const ExecContext *context,
959 int fds[], unsigned n_fds,
961 bool apply_permissions,
963 bool apply_tty_stdin,
965 CGroupBonding *cgroup_bondings,
966 CGroupAttribute *cgroup_attributes,
967 const char *cgroup_suffix,
975 char **files_env = NULL;
980 assert(fds || n_fds <= 0);
982 if (context->std_input == EXEC_INPUT_SOCKET ||
983 context->std_output == EXEC_OUTPUT_SOCKET ||
984 context->std_error == EXEC_OUTPUT_SOCKET) {
996 if ((r = exec_context_load_environment(context, &files_env)) < 0) {
997 log_error("Failed to load environment files: %s", strerror(-r));
1002 argv = command->argv;
1004 if (!(line = exec_command_line(argv))) {
1009 log_debug("About to execute: %s", line);
1012 r = cgroup_bonding_realize_list(cgroup_bondings);
1016 cgroup_attribute_apply_list(cgroup_attributes, cgroup_bondings);
1018 if ((pid = fork()) < 0) {
1026 const char *username = NULL, *home = NULL;
1027 uid_t uid = (uid_t) -1;
1028 gid_t gid = (gid_t) -1;
1029 char **our_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL;
1031 int saved_stdout = -1, saved_stdin = -1;
1032 bool keep_stdout = false, keep_stdin = false, set_access = false;
1036 rename_process_from_path(command->path);
1038 /* We reset exactly these signals, since they are the
1039 * only ones we set to SIG_IGN in the main daemon. All
1040 * others we leave untouched because we set them to
1041 * SIG_DFL or a valid handler initially, both of which
1042 * will be demoted to SIG_DFL. */
1043 default_signals(SIGNALS_CRASH_HANDLER,
1044 SIGNALS_IGNORE, -1);
1046 if (context->ignore_sigpipe)
1047 ignore_signals(SIGPIPE, -1);
1049 assert_se(sigemptyset(&ss) == 0);
1050 if (sigprocmask(SIG_SETMASK, &ss, NULL) < 0) {
1052 r = EXIT_SIGNAL_MASK;
1057 if (idle_pipe[1] >= 0)
1058 close_nointr_nofail(idle_pipe[1]);
1059 if (idle_pipe[0] >= 0) {
1060 fd_wait_for_event(idle_pipe[0], POLLHUP, DEFAULT_TIMEOUT_USEC);
1061 close_nointr_nofail(idle_pipe[0]);
1065 /* Close sockets very early to make sure we don't
1066 * block init reexecution because it cannot bind its
1069 err = close_all_fds(socket_fd >= 0 ? &socket_fd : fds,
1070 socket_fd >= 0 ? 1 : n_fds);
1076 if (!context->same_pgrp)
1083 if (context->tcpwrap_name) {
1085 if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) {
1091 for (i = 0; i < (int) n_fds; i++) {
1092 if (!socket_tcpwrap(fds[i], context->tcpwrap_name)) {
1100 exec_context_tty_reset(context);
1102 /* We skip the confirmation step if we shall not apply the TTY */
1103 if (confirm_spawn &&
1104 (!is_terminal_input(context->std_input) || apply_tty_stdin)) {
1107 /* Set up terminal for the question */
1108 if ((r = setup_confirm_stdio(context,
1109 &saved_stdin, &saved_stdout))) {
1114 /* Now ask the question. */
1115 if (!(line = exec_command_line(argv))) {
1121 r = ask(&response, "yns", "Execute %s? [Yes, No, Skip] ", line);
1124 if (r < 0 || response == 'n') {
1128 } else if (response == 's') {
1133 /* Release terminal for the question */
1134 if ((r = restore_confirm_stdio(context,
1135 &saved_stdin, &saved_stdout,
1136 &keep_stdin, &keep_stdout))) {
1142 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1143 * must sure to drop O_NONBLOCK */
1145 fd_nonblock(socket_fd, false);
1148 err = setup_input(context, socket_fd, apply_tty_stdin);
1156 err = setup_output(context, socket_fd, path_get_file_name(command->path), apply_tty_stdin);
1163 err = setup_error(context, socket_fd, path_get_file_name(command->path), apply_tty_stdin);
1169 if (cgroup_bondings) {
1170 err = cgroup_bonding_install_list(cgroup_bondings, 0, cgroup_suffix);
1177 if (context->oom_score_adjust_set) {
1180 snprintf(t, sizeof(t), "%i", context->oom_score_adjust);
1183 if (write_one_line_file("/proc/self/oom_score_adj", t) < 0) {
1184 /* Compatibility with Linux <= 2.6.35 */
1188 adj = (context->oom_score_adjust * -OOM_DISABLE) / OOM_SCORE_ADJ_MAX;
1189 adj = CLAMP(adj, OOM_DISABLE, OOM_ADJUST_MAX);
1191 snprintf(t, sizeof(t), "%i", adj);
1194 if (write_one_line_file("/proc/self/oom_adj", t) < 0
1195 && errno != EACCES) {
1197 r = EXIT_OOM_ADJUST;
1203 if (context->nice_set)
1204 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
1210 if (context->cpu_sched_set) {
1211 struct sched_param param;
1214 param.sched_priority = context->cpu_sched_priority;
1216 if (sched_setscheduler(0, context->cpu_sched_policy |
1217 (context->cpu_sched_reset_on_fork ? SCHED_RESET_ON_FORK : 0), ¶m) < 0) {
1219 r = EXIT_SETSCHEDULER;
1224 if (context->cpuset)
1225 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
1227 r = EXIT_CPUAFFINITY;
1231 if (context->ioprio_set)
1232 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
1238 if (context->timer_slack_nsec_set)
1239 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
1241 r = EXIT_TIMERSLACK;
1245 if (context->utmp_id)
1246 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path);
1248 if (context->user) {
1249 username = context->user;
1250 err = get_user_creds(&username, &uid, &gid, &home);
1256 if (is_terminal_input(context->std_input)) {
1257 err = chown_terminal(STDIN_FILENO, uid);
1264 if (cgroup_bondings && context->control_group_modify) {
1265 err = cgroup_bonding_set_group_access_list(cgroup_bondings, 0755, uid, gid);
1267 err = cgroup_bonding_set_task_access_list(cgroup_bondings, 0644, uid, gid, context->control_group_persistent);
1277 if (cgroup_bondings && !set_access && context->control_group_persistent >= 0) {
1278 err = cgroup_bonding_set_task_access_list(cgroup_bondings, (mode_t) -1, (uid_t) -1, (uid_t) -1, context->control_group_persistent);
1285 if (apply_permissions) {
1286 err = enforce_groups(context, username, gid);
1293 umask(context->umask);
1296 if (context->pam_name && username) {
1297 err = setup_pam(context->pam_name, username, context->tty_path, &pam_env, fds, n_fds);
1304 if (context->private_network) {
1305 if (unshare(CLONE_NEWNET) < 0) {
1314 if (strv_length(context->read_write_dirs) > 0 ||
1315 strv_length(context->read_only_dirs) > 0 ||
1316 strv_length(context->inaccessible_dirs) > 0 ||
1317 context->mount_flags != MS_SHARED ||
1318 context->private_tmp) {
1319 err = setup_namespace(context->read_write_dirs,
1320 context->read_only_dirs,
1321 context->inaccessible_dirs,
1322 context->private_tmp,
1323 context->mount_flags);
1331 if (context->root_directory)
1332 if (chroot(context->root_directory) < 0) {
1338 if (chdir(context->working_directory ? context->working_directory : "/") < 0) {
1347 if (asprintf(&d, "%s/%s",
1348 context->root_directory ? context->root_directory : "",
1349 context->working_directory ? context->working_directory : "") < 0) {
1365 /* We repeat the fd closing here, to make sure that
1366 * nothing is leaked from the PAM modules */
1367 err = close_all_fds(fds, n_fds);
1369 err = shift_fds(fds, n_fds);
1371 err = flags_fds(fds, n_fds, context->non_blocking);
1377 if (apply_permissions) {
1379 for (i = 0; i < RLIMIT_NLIMITS; i++) {
1380 if (!context->rlimit[i])
1383 if (setrlimit_closest(i, context->rlimit[i]) < 0) {
1390 if (context->capability_bounding_set_drop) {
1391 err = do_capability_bounding_set_drop(context->capability_bounding_set_drop);
1393 r = EXIT_CAPABILITIES;
1398 if (context->user) {
1399 err = enforce_user(context, uid);
1406 /* PR_GET_SECUREBITS is not privileged, while
1407 * PR_SET_SECUREBITS is. So to suppress
1408 * potential EPERMs we'll try not to call
1409 * PR_SET_SECUREBITS unless necessary. */
1410 if (prctl(PR_GET_SECUREBITS) != context->secure_bits)
1411 if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
1413 r = EXIT_SECUREBITS;
1417 if (context->capabilities)
1418 if (cap_set_proc(context->capabilities) < 0) {
1420 r = EXIT_CAPABILITIES;
1425 if (!(our_env = new0(char*, 7))) {
1432 if (asprintf(our_env + n_env++, "LISTEN_PID=%lu", (unsigned long) getpid()) < 0 ||
1433 asprintf(our_env + n_env++, "LISTEN_FDS=%u", n_fds) < 0) {
1440 if (asprintf(our_env + n_env++, "HOME=%s", home) < 0) {
1447 if (asprintf(our_env + n_env++, "LOGNAME=%s", username) < 0 ||
1448 asprintf(our_env + n_env++, "USER=%s", username) < 0) {
1454 if (is_terminal_input(context->std_input) ||
1455 context->std_output == EXEC_OUTPUT_TTY ||
1456 context->std_error == EXEC_OUTPUT_TTY)
1457 if (!(our_env[n_env++] = strdup(default_term_for_tty(tty_path(context))))) {
1465 if (!(final_env = strv_env_merge(
1469 context->environment,
1478 if (!(final_argv = replace_env_argv(argv, final_env))) {
1484 final_env = strv_env_clean(final_env);
1486 execve(command->path, final_argv, final_env);
1493 log_warning("Failed at step %s spawning %s: %s",
1494 exit_status_to_string(r, EXIT_STATUS_SYSTEMD),
1495 command->path, strerror(-err));
1499 strv_free(final_env);
1501 strv_free(files_env);
1502 strv_free(final_argv);
1504 if (saved_stdin >= 0)
1505 close_nointr_nofail(saved_stdin);
1507 if (saved_stdout >= 0)
1508 close_nointr_nofail(saved_stdout);
1513 strv_free(files_env);
1515 /* We add the new process to the cgroup both in the child (so
1516 * that we can be sure that no user code is ever executed
1517 * outside of the cgroup) and in the parent (so that we can be
1518 * sure that when we kill the cgroup the process will be
1520 if (cgroup_bondings)
1521 cgroup_bonding_install_list(cgroup_bondings, pid, cgroup_suffix);
1523 log_debug("Forked %s as %lu", command->path, (unsigned long) pid);
1525 exec_status_start(&command->exec_status, pid);
1531 strv_free(files_env);
1536 void exec_context_init(ExecContext *c) {
1540 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
1541 c->cpu_sched_policy = SCHED_OTHER;
1542 c->syslog_priority = LOG_DAEMON|LOG_INFO;
1543 c->syslog_level_prefix = true;
1544 c->mount_flags = MS_SHARED;
1545 c->kill_signal = SIGTERM;
1546 c->send_sigkill = true;
1547 c->control_group_persistent = -1;
1548 c->ignore_sigpipe = true;
1551 void exec_context_done(ExecContext *c) {
1556 strv_free(c->environment);
1557 c->environment = NULL;
1559 strv_free(c->environment_files);
1560 c->environment_files = NULL;
1562 for (l = 0; l < ELEMENTSOF(c->rlimit); l++) {
1564 c->rlimit[l] = NULL;
1567 free(c->working_directory);
1568 c->working_directory = NULL;
1569 free(c->root_directory);
1570 c->root_directory = NULL;
1575 free(c->tcpwrap_name);
1576 c->tcpwrap_name = NULL;
1578 free(c->syslog_identifier);
1579 c->syslog_identifier = NULL;
1587 strv_free(c->supplementary_groups);
1588 c->supplementary_groups = NULL;
1593 if (c->capabilities) {
1594 cap_free(c->capabilities);
1595 c->capabilities = NULL;
1598 strv_free(c->read_only_dirs);
1599 c->read_only_dirs = NULL;
1601 strv_free(c->read_write_dirs);
1602 c->read_write_dirs = NULL;
1604 strv_free(c->inaccessible_dirs);
1605 c->inaccessible_dirs = NULL;
1608 CPU_FREE(c->cpuset);
1614 void exec_command_done(ExecCommand *c) {
1624 void exec_command_done_array(ExecCommand *c, unsigned n) {
1627 for (i = 0; i < n; i++)
1628 exec_command_done(c+i);
1631 void exec_command_free_list(ExecCommand *c) {
1635 LIST_REMOVE(ExecCommand, command, c, i);
1636 exec_command_done(i);
1641 void exec_command_free_array(ExecCommand **c, unsigned n) {
1644 for (i = 0; i < n; i++) {
1645 exec_command_free_list(c[i]);
1650 int exec_context_load_environment(const ExecContext *c, char ***l) {
1651 char **i, **r = NULL;
1656 STRV_FOREACH(i, c->environment_files) {
1659 bool ignore = false;
1669 if (!path_is_absolute(fn)) {
1678 if ((k = load_env_file(fn, &p)) < 0) {
1692 m = strv_env_merge(2, r, p);
1708 static void strv_fprintf(FILE *f, char **l) {
1714 fprintf(f, " %s", *g);
1717 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
1729 "%sWorkingDirectory: %s\n"
1730 "%sRootDirectory: %s\n"
1731 "%sNonBlocking: %s\n"
1732 "%sPrivateTmp: %s\n"
1733 "%sControlGroupModify: %s\n"
1734 "%sControlGroupPersistent: %s\n"
1735 "%sPrivateNetwork: %s\n",
1737 prefix, c->working_directory ? c->working_directory : "/",
1738 prefix, c->root_directory ? c->root_directory : "/",
1739 prefix, yes_no(c->non_blocking),
1740 prefix, yes_no(c->private_tmp),
1741 prefix, yes_no(c->control_group_modify),
1742 prefix, yes_no(c->control_group_persistent),
1743 prefix, yes_no(c->private_network));
1745 STRV_FOREACH(e, c->environment)
1746 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
1748 STRV_FOREACH(e, c->environment_files)
1749 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
1751 if (c->tcpwrap_name)
1753 "%sTCPWrapName: %s\n",
1754 prefix, c->tcpwrap_name);
1761 if (c->oom_score_adjust_set)
1763 "%sOOMScoreAdjust: %i\n",
1764 prefix, c->oom_score_adjust);
1766 for (i = 0; i < RLIM_NLIMITS; i++)
1768 fprintf(f, "%s%s: %llu\n", prefix, rlimit_to_string(i), (unsigned long long) c->rlimit[i]->rlim_max);
1772 "%sIOSchedulingClass: %s\n"
1773 "%sIOPriority: %i\n",
1774 prefix, ioprio_class_to_string(IOPRIO_PRIO_CLASS(c->ioprio)),
1775 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
1777 if (c->cpu_sched_set)
1779 "%sCPUSchedulingPolicy: %s\n"
1780 "%sCPUSchedulingPriority: %i\n"
1781 "%sCPUSchedulingResetOnFork: %s\n",
1782 prefix, sched_policy_to_string(c->cpu_sched_policy),
1783 prefix, c->cpu_sched_priority,
1784 prefix, yes_no(c->cpu_sched_reset_on_fork));
1787 fprintf(f, "%sCPUAffinity:", prefix);
1788 for (i = 0; i < c->cpuset_ncpus; i++)
1789 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
1790 fprintf(f, " %i", i);
1794 if (c->timer_slack_nsec_set)
1795 fprintf(f, "%sTimerSlackNSec: %lu\n", prefix, c->timer_slack_nsec);
1798 "%sStandardInput: %s\n"
1799 "%sStandardOutput: %s\n"
1800 "%sStandardError: %s\n",
1801 prefix, exec_input_to_string(c->std_input),
1802 prefix, exec_output_to_string(c->std_output),
1803 prefix, exec_output_to_string(c->std_error));
1809 "%sTTYVHangup: %s\n"
1810 "%sTTYVTDisallocate: %s\n",
1811 prefix, c->tty_path,
1812 prefix, yes_no(c->tty_reset),
1813 prefix, yes_no(c->tty_vhangup),
1814 prefix, yes_no(c->tty_vt_disallocate));
1816 if (c->std_output == EXEC_OUTPUT_SYSLOG || c->std_output == EXEC_OUTPUT_KMSG || c->std_output == EXEC_OUTPUT_JOURNAL ||
1817 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE || c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE || c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
1818 c->std_error == EXEC_OUTPUT_SYSLOG || c->std_error == EXEC_OUTPUT_KMSG || c->std_error == EXEC_OUTPUT_JOURNAL ||
1819 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE || c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE || c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE)
1821 "%sSyslogFacility: %s\n"
1822 "%sSyslogLevel: %s\n",
1823 prefix, log_facility_unshifted_to_string(c->syslog_priority >> 3),
1824 prefix, log_level_to_string(LOG_PRI(c->syslog_priority)));
1826 if (c->capabilities) {
1828 if ((t = cap_to_text(c->capabilities, NULL))) {
1829 fprintf(f, "%sCapabilities: %s\n",
1836 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
1838 (c->secure_bits & SECURE_KEEP_CAPS) ? " keep-caps" : "",
1839 (c->secure_bits & SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
1840 (c->secure_bits & SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
1841 (c->secure_bits & SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
1842 (c->secure_bits & SECURE_NOROOT) ? " noroot" : "",
1843 (c->secure_bits & SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
1845 if (c->capability_bounding_set_drop) {
1847 fprintf(f, "%sCapabilityBoundingSet:", prefix);
1849 for (l = 0; l <= cap_last_cap(); l++)
1850 if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) {
1853 if ((t = cap_to_name(l))) {
1854 fprintf(f, " %s", t);
1863 fprintf(f, "%sUser: %s\n", prefix, c->user);
1865 fprintf(f, "%sGroup: %s\n", prefix, c->group);
1867 if (strv_length(c->supplementary_groups) > 0) {
1868 fprintf(f, "%sSupplementaryGroups:", prefix);
1869 strv_fprintf(f, c->supplementary_groups);
1874 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
1876 if (strv_length(c->read_write_dirs) > 0) {
1877 fprintf(f, "%sReadWriteDirs:", prefix);
1878 strv_fprintf(f, c->read_write_dirs);
1882 if (strv_length(c->read_only_dirs) > 0) {
1883 fprintf(f, "%sReadOnlyDirs:", prefix);
1884 strv_fprintf(f, c->read_only_dirs);
1888 if (strv_length(c->inaccessible_dirs) > 0) {
1889 fprintf(f, "%sInaccessibleDirs:", prefix);
1890 strv_fprintf(f, c->inaccessible_dirs);
1896 "%sKillSignal: SIG%s\n"
1897 "%sSendSIGKILL: %s\n"
1898 "%sIgnoreSIGPIPE: %s\n",
1899 prefix, kill_mode_to_string(c->kill_mode),
1900 prefix, signal_to_string(c->kill_signal),
1901 prefix, yes_no(c->send_sigkill),
1902 prefix, yes_no(c->ignore_sigpipe));
1906 "%sUtmpIdentifier: %s\n",
1907 prefix, c->utmp_id);
1910 void exec_status_start(ExecStatus *s, pid_t pid) {
1915 dual_timestamp_get(&s->start_timestamp);
1918 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
1921 if (s->pid && s->pid != pid)
1925 dual_timestamp_get(&s->exit_timestamp);
1931 if (context->utmp_id)
1932 utmp_put_dead_process(context->utmp_id, pid, code, status);
1934 exec_context_tty_reset(context);
1938 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
1939 char buf[FORMAT_TIMESTAMP_MAX];
1952 prefix, (unsigned long) s->pid);
1954 if (s->start_timestamp.realtime > 0)
1956 "%sStart Timestamp: %s\n",
1957 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
1959 if (s->exit_timestamp.realtime > 0)
1961 "%sExit Timestamp: %s\n"
1963 "%sExit Status: %i\n",
1964 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
1965 prefix, sigchld_code_to_string(s->code),
1969 char *exec_command_line(char **argv) {
1977 STRV_FOREACH(a, argv)
1980 if (!(n = new(char, k)))
1984 STRV_FOREACH(a, argv) {
1991 if (strpbrk(*a, WHITESPACE)) {
2002 /* FIXME: this doesn't really handle arguments that have
2003 * spaces and ticks in them */
2008 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
2010 const char *prefix2;
2019 p2 = strappend(prefix, "\t");
2020 prefix2 = p2 ? p2 : prefix;
2022 cmd = exec_command_line(c->argv);
2025 "%sCommand Line: %s\n",
2026 prefix, cmd ? cmd : strerror(ENOMEM));
2030 exec_status_dump(&c->exec_status, f, prefix2);
2035 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2041 LIST_FOREACH(command, c, c)
2042 exec_command_dump(c, f, prefix);
2045 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
2052 /* It's kind of important, that we keep the order here */
2053 LIST_FIND_TAIL(ExecCommand, command, *l, end);
2054 LIST_INSERT_AFTER(ExecCommand, command, *l, end, e);
2059 int exec_command_set(ExecCommand *c, const char *path, ...) {
2067 l = strv_new_ap(path, ap);
2073 if (!(p = strdup(path))) {
2087 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
2088 [EXEC_INPUT_NULL] = "null",
2089 [EXEC_INPUT_TTY] = "tty",
2090 [EXEC_INPUT_TTY_FORCE] = "tty-force",
2091 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
2092 [EXEC_INPUT_SOCKET] = "socket"
2095 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
2097 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
2098 [EXEC_OUTPUT_INHERIT] = "inherit",
2099 [EXEC_OUTPUT_NULL] = "null",
2100 [EXEC_OUTPUT_TTY] = "tty",
2101 [EXEC_OUTPUT_SYSLOG] = "syslog",
2102 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
2103 [EXEC_OUTPUT_KMSG] = "kmsg",
2104 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
2105 [EXEC_OUTPUT_JOURNAL] = "journal",
2106 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
2107 [EXEC_OUTPUT_SOCKET] = "socket"
2110 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
2112 static const char* const kill_mode_table[_KILL_MODE_MAX] = {
2113 [KILL_CONTROL_GROUP] = "control-group",
2114 [KILL_PROCESS] = "process",
2115 [KILL_NONE] = "none"
2118 DEFINE_STRING_TABLE_LOOKUP(kill_mode, KillMode);
2120 static const char* const kill_who_table[_KILL_WHO_MAX] = {
2121 [KILL_MAIN] = "main",
2122 [KILL_CONTROL] = "control",
2126 DEFINE_STRING_TABLE_LOOKUP(kill_who, KillWho);
~ianmdlvl / elogind.git / blob