1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
29 #include <sys/socket.h>
31 #include <sys/prctl.h>
32 #include <linux/sched.h>
33 #include <sys/types.h>
37 #include <sys/mount.h>
39 #include <linux/oom.h>
42 #include <sys/personality.h>
47 #include <security/pam_appl.h>
51 #include <selinux/selinux.h>
59 #include <sys/apparmor.h>
65 #include "capability.h"
68 #include "sd-messages.h"
70 #include "securebits.h"
71 #include "namespace.h"
72 #include "exit-status.h"
74 #include "utmp-wtmp.h"
76 #include "path-util.h"
81 #include "selinux-util.h"
82 #include "errno-list.h"
85 #include "apparmor-util.h"
86 #include "smack-util.h"
87 #include "bus-endpoint.h"
92 #include "seccomp-util.h"
95 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
96 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
98 /* This assumes there is a 'tty' group */
101 #define SNDBUF_SIZE (8*1024*1024)
103 static int shift_fds(int fds[], unsigned n_fds) {
104 int start, restart_from;
109 /* Modifies the fds array! (sorts it) */
119 for (i = start; i < (int) n_fds; i++) {
122 /* Already at right index? */
126 if ((nfd = fcntl(fds[i], F_DUPFD, i+3)) < 0)
132 /* Hmm, the fd we wanted isn't free? Then
133 * let's remember that and try again from here */
134 if (nfd != i+3 && restart_from < 0)
138 if (restart_from < 0)
141 start = restart_from;
147 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
156 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
158 for (i = 0; i < n_fds; i++) {
160 if ((r = fd_nonblock(fds[i], nonblock)) < 0)
163 /* We unconditionally drop FD_CLOEXEC from the fds,
164 * since after all we want to pass these fds to our
167 if ((r = fd_cloexec(fds[i], false)) < 0)
174 _pure_ static const char *tty_path(const ExecContext *context) {
177 if (context->tty_path)
178 return context->tty_path;
180 return "/dev/console";
183 static void exec_context_tty_reset(const ExecContext *context) {
186 if (context->tty_vhangup)
187 terminal_vhangup(tty_path(context));
189 if (context->tty_reset)
190 reset_terminal(tty_path(context));
192 if (context->tty_vt_disallocate && context->tty_path)
193 vt_disallocate(context->tty_path);
196 static bool is_terminal_output(ExecOutput o) {
198 o == EXEC_OUTPUT_TTY ||
199 o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
200 o == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
201 o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE;
204 static int open_null_as(int flags, int nfd) {
209 fd = open("/dev/null", flags|O_NOCTTY);
214 r = dup2(fd, nfd) < 0 ? -errno : nfd;
222 static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd) {
224 union sockaddr_union sa = {
225 .un.sun_family = AF_UNIX,
226 .un.sun_path = "/run/systemd/journal/stdout",
230 assert(output < _EXEC_OUTPUT_MAX);
234 fd = socket(AF_UNIX, SOCK_STREAM, 0);
238 r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path));
244 if (shutdown(fd, SHUT_RD) < 0) {
249 fd_inc_sndbuf(fd, SNDBUF_SIZE);
259 context->syslog_identifier ? context->syslog_identifier : ident,
261 context->syslog_priority,
262 !!context->syslog_level_prefix,
263 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
264 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
265 is_terminal_output(output));
268 r = dup2(fd, nfd) < 0 ? -errno : nfd;
275 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
281 if ((fd = open_terminal(path, mode | O_NOCTTY)) < 0)
285 r = dup2(fd, nfd) < 0 ? -errno : nfd;
293 static bool is_terminal_input(ExecInput i) {
295 i == EXEC_INPUT_TTY ||
296 i == EXEC_INPUT_TTY_FORCE ||
297 i == EXEC_INPUT_TTY_FAIL;
300 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
302 if (is_terminal_input(std_input) && !apply_tty_stdin)
303 return EXEC_INPUT_NULL;
305 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
306 return EXEC_INPUT_NULL;
311 static int fixup_output(ExecOutput std_output, int socket_fd) {
313 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
314 return EXEC_OUTPUT_INHERIT;
319 static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty_stdin) {
324 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
328 case EXEC_INPUT_NULL:
329 return open_null_as(O_RDONLY, STDIN_FILENO);
332 case EXEC_INPUT_TTY_FORCE:
333 case EXEC_INPUT_TTY_FAIL: {
336 fd = acquire_terminal(tty_path(context),
337 i == EXEC_INPUT_TTY_FAIL,
338 i == EXEC_INPUT_TTY_FORCE,
344 if (fd != STDIN_FILENO) {
345 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
353 case EXEC_INPUT_SOCKET:
354 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
357 assert_not_reached("Unknown input type");
361 static int setup_output(const ExecContext *context, int fileno, int socket_fd, const char *ident, const char *unit_id, bool apply_tty_stdin) {
369 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
370 o = fixup_output(context->std_output, socket_fd);
372 if (fileno == STDERR_FILENO) {
374 e = fixup_output(context->std_error, socket_fd);
376 /* This expects the input and output are already set up */
378 /* Don't change the stderr file descriptor if we inherit all
379 * the way and are not on a tty */
380 if (e == EXEC_OUTPUT_INHERIT &&
381 o == EXEC_OUTPUT_INHERIT &&
382 i == EXEC_INPUT_NULL &&
383 !is_terminal_input(context->std_input) &&
387 /* Duplicate from stdout if possible */
388 if (e == o || e == EXEC_OUTPUT_INHERIT)
389 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
393 } else if (o == EXEC_OUTPUT_INHERIT) {
394 /* If input got downgraded, inherit the original value */
395 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
396 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
398 /* If the input is connected to anything that's not a /dev/null, inherit that... */
399 if (i != EXEC_INPUT_NULL)
400 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
402 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
406 /* We need to open /dev/null here anew, to get the right access mode. */
407 return open_null_as(O_WRONLY, fileno);
412 case EXEC_OUTPUT_NULL:
413 return open_null_as(O_WRONLY, fileno);
415 case EXEC_OUTPUT_TTY:
416 if (is_terminal_input(i))
417 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
419 /* We don't reset the terminal if this is just about output */
420 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
422 case EXEC_OUTPUT_SYSLOG:
423 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
424 case EXEC_OUTPUT_KMSG:
425 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
426 case EXEC_OUTPUT_JOURNAL:
427 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
428 r = connect_logger_as(context, o, ident, unit_id, fileno);
430 log_unit_struct(unit_id,
432 LOG_MESSAGE("Failed to connect %s of %s to the journal socket: %s",
433 fileno == STDOUT_FILENO ? "stdout" : "stderr",
434 unit_id, strerror(-r)),
437 r = open_null_as(O_WRONLY, fileno);
441 case EXEC_OUTPUT_SOCKET:
442 assert(socket_fd >= 0);
443 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
446 assert_not_reached("Unknown error type");
450 static int chown_terminal(int fd, uid_t uid) {
455 /* This might fail. What matters are the results. */
456 (void) fchown(fd, uid, -1);
457 (void) fchmod(fd, TTY_MODE);
459 if (fstat(fd, &st) < 0)
462 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
468 static int setup_confirm_stdio(int *_saved_stdin,
469 int *_saved_stdout) {
470 int fd = -1, saved_stdin, saved_stdout = -1, r;
472 assert(_saved_stdin);
473 assert(_saved_stdout);
475 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
479 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
480 if (saved_stdout < 0) {
485 fd = acquire_terminal(
490 DEFAULT_CONFIRM_USEC);
496 r = chown_terminal(fd, getuid());
500 if (dup2(fd, STDIN_FILENO) < 0) {
505 if (dup2(fd, STDOUT_FILENO) < 0) {
513 *_saved_stdin = saved_stdin;
514 *_saved_stdout = saved_stdout;
519 safe_close(saved_stdout);
520 safe_close(saved_stdin);
526 _printf_(1, 2) static int write_confirm_message(const char *format, ...) {
527 _cleanup_close_ int fd = -1;
532 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
536 va_start(ap, format);
537 vdprintf(fd, format, ap);
543 static int restore_confirm_stdio(int *saved_stdin,
549 assert(saved_stdout);
553 if (*saved_stdin >= 0)
554 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
557 if (*saved_stdout >= 0)
558 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
561 safe_close(*saved_stdin);
562 safe_close(*saved_stdout);
567 static int ask_for_confirmation(char *response, char **argv) {
568 int saved_stdout = -1, saved_stdin = -1, r;
569 _cleanup_free_ char *line = NULL;
571 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
575 line = exec_command_line(argv);
579 r = ask_char(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
581 restore_confirm_stdio(&saved_stdin, &saved_stdout);
586 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
587 bool keep_groups = false;
592 /* Lookup and set GID and supplementary group list. Here too
593 * we avoid NSS lookups for gid=0. */
595 if (context->group || username) {
597 if (context->group) {
598 const char *g = context->group;
600 if ((r = get_group_creds(&g, &gid)) < 0)
604 /* First step, initialize groups from /etc/groups */
605 if (username && gid != 0) {
606 if (initgroups(username, gid) < 0)
612 /* Second step, set our gids */
613 if (setresgid(gid, gid, gid) < 0)
617 if (context->supplementary_groups) {
622 /* Final step, initialize any manually set supplementary groups */
623 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
625 if (!(gids = new(gid_t, ngroups_max)))
629 if ((k = getgroups(ngroups_max, gids)) < 0) {
636 STRV_FOREACH(i, context->supplementary_groups) {
639 if (k >= ngroups_max) {
645 r = get_group_creds(&g, gids+k);
654 if (setgroups(k, gids) < 0) {
665 static int enforce_user(const ExecContext *context, uid_t uid) {
668 /* Sets (but doesn't lookup) the uid and make sure we keep the
669 * capabilities while doing so. */
671 if (context->capabilities) {
672 _cleanup_cap_free_ cap_t d = NULL;
673 static const cap_value_t bits[] = {
674 CAP_SETUID, /* Necessary so that we can run setresuid() below */
675 CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
678 /* First step: If we need to keep capabilities but
679 * drop privileges we need to make sure we keep our
680 * caps, while we drop privileges. */
682 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
684 if (prctl(PR_GET_SECUREBITS) != sb)
685 if (prctl(PR_SET_SECUREBITS, sb) < 0)
689 /* Second step: set the capabilities. This will reduce
690 * the capabilities to the minimum we need. */
692 d = cap_dup(context->capabilities);
696 if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
697 cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0)
700 if (cap_set_proc(d) < 0)
704 /* Third step: actually set the uids */
705 if (setresuid(uid, uid, uid) < 0)
708 /* At this point we should have all necessary capabilities but
709 are otherwise a normal user. However, the caps might got
710 corrupted due to the setresuid() so we need clean them up
711 later. This is done outside of this call. */
718 static int null_conv(
720 const struct pam_message **msg,
721 struct pam_response **resp,
724 /* We don't support conversations */
729 static int setup_pam(
735 int fds[], unsigned n_fds) {
737 static const struct pam_conv conv = {
742 pam_handle_t *handle = NULL;
744 int pam_code = PAM_SUCCESS;
747 bool close_session = false;
748 pid_t pam_pid = 0, parent_pid;
755 /* We set up PAM in the parent process, then fork. The child
756 * will then stay around until killed via PR_GET_PDEATHSIG or
757 * systemd via the cgroup logic. It will then remove the PAM
758 * session again. The parent process will exec() the actual
759 * daemon. We do things this way to ensure that the main PID
760 * of the daemon is the one we initially fork()ed. */
762 if (log_get_max_level() < LOG_PRI(LOG_DEBUG))
765 pam_code = pam_start(name, user, &conv, &handle);
766 if (pam_code != PAM_SUCCESS) {
772 pam_code = pam_set_item(handle, PAM_TTY, tty);
773 if (pam_code != PAM_SUCCESS)
777 pam_code = pam_acct_mgmt(handle, flags);
778 if (pam_code != PAM_SUCCESS)
781 pam_code = pam_open_session(handle, flags);
782 if (pam_code != PAM_SUCCESS)
785 close_session = true;
787 e = pam_getenvlist(handle);
789 pam_code = PAM_BUF_ERR;
793 /* Block SIGTERM, so that we know that it won't get lost in
795 if (sigemptyset(&ss) < 0 ||
796 sigaddset(&ss, SIGTERM) < 0 ||
797 sigprocmask(SIG_BLOCK, &ss, &old_ss) < 0)
800 parent_pid = getpid();
810 /* The child's job is to reset the PAM session on
813 /* This string must fit in 10 chars (i.e. the length
814 * of "/sbin/init"), to look pretty in /bin/ps */
815 rename_process("(sd-pam)");
817 /* Make sure we don't keep open the passed fds in this
818 child. We assume that otherwise only those fds are
819 open here that have been opened by PAM. */
820 close_many(fds, n_fds);
822 /* Drop privileges - we don't need any to pam_close_session
823 * and this will make PR_SET_PDEATHSIG work in most cases.
824 * If this fails, ignore the error - but expect sd-pam threads
825 * to fail to exit normally */
826 if (setresuid(uid, uid, uid) < 0)
827 log_error_errno(r, "Error: Failed to setresuid() in sd-pam: %m");
829 /* Wait until our parent died. This will only work if
830 * the above setresuid() succeeds, otherwise the kernel
831 * will not allow unprivileged parents kill their privileged
832 * children this way. We rely on the control groups kill logic
833 * to do the rest for us. */
834 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
837 /* Check if our parent process might already have
839 if (getppid() == parent_pid) {
841 if (sigwait(&ss, &sig) < 0) {
848 assert(sig == SIGTERM);
853 /* If our parent died we'll end the session */
854 if (getppid() != parent_pid) {
855 pam_code = pam_close_session(handle, flags);
856 if (pam_code != PAM_SUCCESS)
863 pam_end(handle, pam_code | flags);
867 /* If the child was forked off successfully it will do all the
868 * cleanups, so forget about the handle here. */
871 /* Unblock SIGTERM again in the parent */
872 if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0)
875 /* We close the log explicitly here, since the PAM modules
876 * might have opened it, but we don't want this fd around. */
885 if (pam_code != PAM_SUCCESS) {
886 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
887 err = -EPERM; /* PAM errors do not map to errno */
889 log_error_errno(errno, "PAM failed: %m");
895 pam_code = pam_close_session(handle, flags);
897 pam_end(handle, pam_code | flags);
905 kill(pam_pid, SIGTERM);
906 kill(pam_pid, SIGCONT);
913 static void rename_process_from_path(const char *path) {
914 char process_name[11];
918 /* This resulting string must fit in 10 chars (i.e. the length
919 * of "/sbin/init") to look pretty in /bin/ps */
923 rename_process("(...)");
929 /* The end of the process name is usually more
930 * interesting, since the first bit might just be
936 process_name[0] = '(';
937 memcpy(process_name+1, p, l);
938 process_name[1+l] = ')';
939 process_name[1+l+1] = 0;
941 rename_process(process_name);
946 static int apply_seccomp(const ExecContext *c) {
947 uint32_t negative_action, action;
948 scmp_filter_ctx *seccomp;
955 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
957 seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW);
961 if (c->syscall_archs) {
963 SET_FOREACH(id, c->syscall_archs, i) {
964 r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
972 r = seccomp_add_secondary_archs(seccomp);
977 action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
978 SET_FOREACH(id, c->syscall_filter, i) {
979 r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
984 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
988 r = seccomp_load(seccomp);
991 seccomp_release(seccomp);
995 static int apply_address_families(const ExecContext *c) {
996 scmp_filter_ctx *seccomp;
1002 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1006 r = seccomp_add_secondary_archs(seccomp);
1010 if (c->address_families_whitelist) {
1011 int af, first = 0, last = 0;
1014 /* If this is a whitelist, we first block the address
1015 * families that are out of range and then everything
1016 * that is not in the set. First, we find the lowest
1017 * and highest address family in the set. */
1019 SET_FOREACH(afp, c->address_families, i) {
1020 af = PTR_TO_INT(afp);
1022 if (af <= 0 || af >= af_max())
1025 if (first == 0 || af < first)
1028 if (last == 0 || af > last)
1032 assert((first == 0) == (last == 0));
1036 /* No entries in the valid range, block everything */
1037 r = seccomp_rule_add(
1039 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1047 /* Block everything below the first entry */
1048 r = seccomp_rule_add(
1050 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1053 SCMP_A0(SCMP_CMP_LT, first));
1057 /* Block everything above the last entry */
1058 r = seccomp_rule_add(
1060 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1063 SCMP_A0(SCMP_CMP_GT, last));
1067 /* Block everything between the first and last
1069 for (af = 1; af < af_max(); af++) {
1071 if (set_contains(c->address_families, INT_TO_PTR(af)))
1074 r = seccomp_rule_add(
1076 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1079 SCMP_A0(SCMP_CMP_EQ, af));
1088 /* If this is a blacklist, then generate one rule for
1089 * each address family that are then combined in OR
1092 SET_FOREACH(af, c->address_families, i) {
1094 r = seccomp_rule_add(
1096 SCMP_ACT_ERRNO(EPROTONOSUPPORT),
1099 SCMP_A0(SCMP_CMP_EQ, PTR_TO_INT(af)));
1105 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1109 r = seccomp_load(seccomp);
1112 seccomp_release(seccomp);
1118 static void do_idle_pipe_dance(int idle_pipe[4]) {
1122 safe_close(idle_pipe[1]);
1123 safe_close(idle_pipe[2]);
1125 if (idle_pipe[0] >= 0) {
1128 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1130 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
1131 /* Signal systemd that we are bored and want to continue. */
1132 write(idle_pipe[3], "x", 1);
1134 /* Wait for systemd to react to the signal above. */
1135 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1138 safe_close(idle_pipe[0]);
1142 safe_close(idle_pipe[3]);
1145 static int build_environment(
1146 const ExecContext *c,
1148 usec_t watchdog_usec,
1150 const char *username,
1154 _cleanup_strv_free_ char **our_env = NULL;
1161 our_env = new0(char*, 10);
1166 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1168 our_env[n_env++] = x;
1170 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1172 our_env[n_env++] = x;
1175 if (watchdog_usec > 0) {
1176 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1178 our_env[n_env++] = x;
1180 if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, watchdog_usec) < 0)
1182 our_env[n_env++] = x;
1186 x = strappend("HOME=", home);
1189 our_env[n_env++] = x;
1193 x = strappend("LOGNAME=", username);
1196 our_env[n_env++] = x;
1198 x = strappend("USER=", username);
1201 our_env[n_env++] = x;
1205 x = strappend("SHELL=", shell);
1208 our_env[n_env++] = x;
1211 if (is_terminal_input(c->std_input) ||
1212 c->std_output == EXEC_OUTPUT_TTY ||
1213 c->std_error == EXEC_OUTPUT_TTY ||
1216 x = strdup(default_term_for_tty(tty_path(c)));
1219 our_env[n_env++] = x;
1222 our_env[n_env++] = NULL;
1223 assert(n_env <= 10);
1231 static int exec_child(ExecCommand *command,
1232 const ExecContext *context,
1233 const ExecParameters *params,
1234 ExecRuntime *runtime,
1237 int *fds, unsigned n_fds,
1241 _cleanup_strv_free_ char **our_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL;
1242 _cleanup_free_ char *mac_selinux_context_net = NULL;
1243 const char *username = NULL, *home = NULL, *shell = NULL;
1244 unsigned n_dont_close = 0;
1245 int dont_close[n_fds + 4];
1246 uid_t uid = UID_INVALID;
1247 gid_t gid = GID_INVALID;
1255 rename_process_from_path(command->path);
1257 /* We reset exactly these signals, since they are the
1258 * only ones we set to SIG_IGN in the main daemon. All
1259 * others we leave untouched because we set them to
1260 * SIG_DFL or a valid handler initially, both of which
1261 * will be demoted to SIG_DFL. */
1262 default_signals(SIGNALS_CRASH_HANDLER,
1263 SIGNALS_IGNORE, -1);
1265 if (context->ignore_sigpipe)
1266 ignore_signals(SIGPIPE, -1);
1268 err = reset_signal_mask();
1270 *error = EXIT_SIGNAL_MASK;
1274 if (params->idle_pipe)
1275 do_idle_pipe_dance(params->idle_pipe);
1277 /* Close sockets very early to make sure we don't
1278 * block init reexecution because it cannot bind its
1283 dont_close[n_dont_close++] = socket_fd;
1285 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
1286 n_dont_close += n_fds;
1288 if (params->bus_endpoint_fd >= 0)
1289 dont_close[n_dont_close++] = params->bus_endpoint_fd;
1291 if (runtime->netns_storage_socket[0] >= 0)
1292 dont_close[n_dont_close++] = runtime->netns_storage_socket[0];
1293 if (runtime->netns_storage_socket[1] >= 0)
1294 dont_close[n_dont_close++] = runtime->netns_storage_socket[1];
1297 err = close_all_fds(dont_close, n_dont_close);
1303 if (!context->same_pgrp)
1305 *error = EXIT_SETSID;
1309 exec_context_tty_reset(context);
1311 if (params->confirm_spawn) {
1314 err = ask_for_confirmation(&response, argv);
1315 if (err == -ETIMEDOUT)
1316 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
1318 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-err));
1319 else if (response == 's') {
1320 write_confirm_message("Skipping execution.\n");
1321 *error = EXIT_CONFIRM;
1323 } else if (response == 'n') {
1324 write_confirm_message("Failing execution.\n");
1330 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1331 * must sure to drop O_NONBLOCK */
1333 fd_nonblock(socket_fd, false);
1335 err = setup_input(context, socket_fd, params->apply_tty_stdin);
1337 *error = EXIT_STDIN;
1341 err = setup_output(context, STDOUT_FILENO, socket_fd, basename(command->path), params->unit_id, params->apply_tty_stdin);
1343 *error = EXIT_STDOUT;
1347 err = setup_output(context, STDERR_FILENO, socket_fd, basename(command->path), params->unit_id, params->apply_tty_stdin);
1349 *error = EXIT_STDERR;
1353 if (params->cgroup_path) {
1354 err = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL);
1356 *error = EXIT_CGROUP;
1361 if (context->oom_score_adjust_set) {
1364 snprintf(t, sizeof(t), "%i", context->oom_score_adjust);
1367 if (write_string_file("/proc/self/oom_score_adj", t) < 0) {
1368 *error = EXIT_OOM_ADJUST;
1373 if (context->nice_set)
1374 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
1379 if (context->cpu_sched_set) {
1380 struct sched_param param = {
1381 .sched_priority = context->cpu_sched_priority,
1384 err = sched_setscheduler(0,
1385 context->cpu_sched_policy |
1386 (context->cpu_sched_reset_on_fork ?
1387 SCHED_RESET_ON_FORK : 0),
1390 *error = EXIT_SETSCHEDULER;
1395 if (context->cpuset)
1396 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
1397 *error = EXIT_CPUAFFINITY;
1401 if (context->ioprio_set)
1402 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
1403 *error = EXIT_IOPRIO;
1407 if (context->timer_slack_nsec != NSEC_INFINITY)
1408 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
1409 *error = EXIT_TIMERSLACK;
1413 if (context->personality != 0xffffffffUL)
1414 if (personality(context->personality) < 0) {
1415 *error = EXIT_PERSONALITY;
1419 if (context->utmp_id)
1420 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path);
1422 if (context->user) {
1423 username = context->user;
1424 err = get_user_creds(&username, &uid, &gid, &home, &shell);
1430 if (is_terminal_input(context->std_input)) {
1431 err = chown_terminal(STDIN_FILENO, uid);
1433 *error = EXIT_STDIN;
1440 if (params->bus_endpoint_fd >= 0 && context->bus_endpoint) {
1441 uid_t ep_uid = (uid == UID_INVALID) ? 0 : uid;
1443 err = bus_kernel_set_endpoint_policy(params->bus_endpoint_fd, ep_uid, context->bus_endpoint);
1445 *error = EXIT_BUS_ENDPOINT;
1451 /* If delegation is enabled we'll pass ownership of the cgroup
1452 * (but only in systemd's own controller hierarchy!) to the
1453 * user of the new process. */
1454 if (params->cgroup_path && context->user && params->cgroup_delegate) {
1455 err = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid);
1457 *error = EXIT_CGROUP;
1462 err = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0755, uid, gid);
1464 *error = EXIT_CGROUP;
1469 if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) {
1472 STRV_FOREACH(rt, context->runtime_directory) {
1473 _cleanup_free_ char *p;
1475 p = strjoin(params->runtime_prefix, "/", *rt, NULL);
1477 *error = EXIT_RUNTIME_DIRECTORY;
1481 err = mkdir_safe(p, context->runtime_directory_mode, uid, gid);
1483 *error = EXIT_RUNTIME_DIRECTORY;
1489 if (params->apply_permissions) {
1490 err = enforce_groups(context, username, gid);
1492 *error = EXIT_GROUP;
1497 umask(context->umask);
1500 if (params->apply_permissions && context->pam_name && username) {
1501 err = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
1509 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
1510 err = setup_netns(runtime->netns_storage_socket);
1512 *error = EXIT_NETWORK;
1517 if (!strv_isempty(context->read_write_dirs) ||
1518 !strv_isempty(context->read_only_dirs) ||
1519 !strv_isempty(context->inaccessible_dirs) ||
1520 context->mount_flags != 0 ||
1521 (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
1522 params->bus_endpoint_path ||
1523 context->private_devices ||
1524 context->protect_system != PROTECT_SYSTEM_NO ||
1525 context->protect_home != PROTECT_HOME_NO) {
1527 char *tmp = NULL, *var = NULL;
1529 /* The runtime struct only contains the parent
1530 * of the private /tmp, which is
1531 * non-accessible to world users. Inside of it
1532 * there's a /tmp that is sticky, and that's
1533 * the one we want to use here. */
1535 if (context->private_tmp && runtime) {
1536 if (runtime->tmp_dir)
1537 tmp = strappenda(runtime->tmp_dir, "/tmp");
1538 if (runtime->var_tmp_dir)
1539 var = strappenda(runtime->var_tmp_dir, "/tmp");
1542 err = setup_namespace(
1543 context->read_write_dirs,
1544 context->read_only_dirs,
1545 context->inaccessible_dirs,
1548 params->bus_endpoint_path,
1549 context->private_devices,
1550 context->protect_home,
1551 context->protect_system,
1552 context->mount_flags);
1555 log_unit_warning_errno(params->unit_id, err, "Failed to set up file system namespace due to lack of privileges. Execution sandbox will not be in effect: %m");
1557 *error = EXIT_NAMESPACE;
1562 if (params->apply_chroot) {
1563 if (context->root_directory)
1564 if (chroot(context->root_directory) < 0) {
1565 *error = EXIT_CHROOT;
1569 if (chdir(context->working_directory ? context->working_directory : "/") < 0) {
1570 *error = EXIT_CHDIR;
1574 _cleanup_free_ char *d = NULL;
1576 if (asprintf(&d, "%s/%s",
1577 context->root_directory ? context->root_directory : "",
1578 context->working_directory ? context->working_directory : "") < 0) {
1579 *error = EXIT_MEMORY;
1584 *error = EXIT_CHDIR;
1590 if (params->apply_permissions && mac_selinux_use() && params->selinux_context_net && socket_fd >= 0) {
1591 err = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
1593 *error = EXIT_SELINUX_CONTEXT;
1599 /* We repeat the fd closing here, to make sure that
1600 * nothing is leaked from the PAM modules. Note that
1601 * we are more aggressive this time since socket_fd
1602 * and the netns fds we don't need anymore. The custom
1603 * endpoint fd was needed to upload the policy and can
1604 * now be closed as well. */
1605 err = close_all_fds(fds, n_fds);
1607 err = shift_fds(fds, n_fds);
1609 err = flags_fds(fds, n_fds, context->non_blocking);
1615 if (params->apply_permissions) {
1617 for (i = 0; i < _RLIMIT_MAX; i++) {
1618 if (!context->rlimit[i])
1621 if (setrlimit_closest(i, context->rlimit[i]) < 0) {
1622 *error = EXIT_LIMITS;
1627 if (context->capability_bounding_set_drop) {
1628 err = capability_bounding_set_drop(context->capability_bounding_set_drop, false);
1630 *error = EXIT_CAPABILITIES;
1636 if (context->smack_process_label) {
1637 err = mac_smack_apply_pid(0, context->smack_process_label);
1639 *error = EXIT_SMACK_PROCESS_LABEL;
1645 if (context->user) {
1646 err = enforce_user(context, uid);
1653 /* PR_GET_SECUREBITS is not privileged, while
1654 * PR_SET_SECUREBITS is. So to suppress
1655 * potential EPERMs we'll try not to call
1656 * PR_SET_SECUREBITS unless necessary. */
1657 if (prctl(PR_GET_SECUREBITS) != context->secure_bits)
1658 if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
1659 *error = EXIT_SECUREBITS;
1663 if (context->capabilities)
1664 if (cap_set_proc(context->capabilities) < 0) {
1665 *error = EXIT_CAPABILITIES;
1669 if (context->no_new_privileges)
1670 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
1671 *error = EXIT_NO_NEW_PRIVILEGES;
1676 if (context->address_families_whitelist ||
1677 !set_isempty(context->address_families)) {
1678 err = apply_address_families(context);
1680 *error = EXIT_ADDRESS_FAMILIES;
1685 if (context->syscall_whitelist ||
1686 !set_isempty(context->syscall_filter) ||
1687 !set_isempty(context->syscall_archs)) {
1688 err = apply_seccomp(context);
1690 *error = EXIT_SECCOMP;
1697 if (mac_selinux_use()) {
1698 char *exec_context = mac_selinux_context_net ?: context->selinux_context;
1701 err = setexeccon(exec_context);
1703 *error = EXIT_SELINUX_CONTEXT;
1710 #ifdef HAVE_APPARMOR
1711 if (context->apparmor_profile && mac_apparmor_use()) {
1712 err = aa_change_onexec(context->apparmor_profile);
1713 if (err < 0 && !context->apparmor_profile_ignore) {
1714 *error = EXIT_APPARMOR_PROFILE;
1721 err = build_environment(context, n_fds, params->watchdog_usec, home, username, shell, &our_env);
1723 *error = EXIT_MEMORY;
1727 final_env = strv_env_merge(5,
1728 params->environment,
1730 context->environment,
1735 *error = EXIT_MEMORY;
1739 final_argv = replace_env_argv(argv, final_env);
1741 *error = EXIT_MEMORY;
1745 final_env = strv_env_clean(final_env);
1747 if (_unlikely_(log_get_max_level() >= LOG_PRI(LOG_DEBUG))) {
1748 _cleanup_free_ char *line;
1750 line = exec_command_line(final_argv);
1753 log_unit_struct(params->unit_id,
1755 "EXECUTABLE=%s", command->path,
1756 LOG_MESSAGE("Executing: %s", line),
1761 execve(command->path, final_argv, final_env);
1766 int exec_spawn(ExecCommand *command,
1767 const ExecContext *context,
1768 const ExecParameters *params,
1769 ExecRuntime *runtime,
1772 _cleanup_strv_free_ char **files_env = NULL;
1773 int *fds = NULL; unsigned n_fds = 0;
1783 assert(params->fds || params->n_fds <= 0);
1785 if (context->std_input == EXEC_INPUT_SOCKET ||
1786 context->std_output == EXEC_OUTPUT_SOCKET ||
1787 context->std_error == EXEC_OUTPUT_SOCKET) {
1789 if (params->n_fds != 1)
1792 socket_fd = params->fds[0];
1796 n_fds = params->n_fds;
1799 err = exec_context_load_environment(context, params->unit_id, &files_env);
1801 log_unit_struct(params->unit_id,
1803 LOG_MESSAGE("Failed to load environment files: %s", strerror(-err)),
1809 argv = params->argv ?: command->argv;
1811 line = exec_command_line(argv);
1815 log_unit_struct(params->unit_id,
1817 "EXECUTABLE=%s", command->path,
1818 LOG_MESSAGE("About to execute: %s", line),
1829 err = exec_child(command,
1841 LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
1842 "EXECUTABLE=%s", command->path,
1843 LOG_MESSAGE("Failed at step %s spawning %s: %s",
1844 exit_status_to_string(r, EXIT_STATUS_SYSTEMD),
1845 command->path, strerror(-err)),
1854 log_unit_struct(params->unit_id,
1856 LOG_MESSAGE("Forked %s as "PID_FMT,
1857 command->path, pid),
1860 /* We add the new process to the cgroup both in the child (so
1861 * that we can be sure that no user code is ever executed
1862 * outside of the cgroup) and in the parent (so that we can be
1863 * sure that when we kill the cgroup the process will be
1865 if (params->cgroup_path)
1866 cg_attach(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, pid);
1868 exec_status_start(&command->exec_status, pid);
1874 void exec_context_init(ExecContext *c) {
1878 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
1879 c->cpu_sched_policy = SCHED_OTHER;
1880 c->syslog_priority = LOG_DAEMON|LOG_INFO;
1881 c->syslog_level_prefix = true;
1882 c->ignore_sigpipe = true;
1883 c->timer_slack_nsec = NSEC_INFINITY;
1884 c->personality = 0xffffffffUL;
1885 c->runtime_directory_mode = 0755;
1888 void exec_context_done(ExecContext *c) {
1893 strv_free(c->environment);
1894 c->environment = NULL;
1896 strv_free(c->environment_files);
1897 c->environment_files = NULL;
1899 for (l = 0; l < ELEMENTSOF(c->rlimit); l++) {
1901 c->rlimit[l] = NULL;
1904 free(c->working_directory);
1905 c->working_directory = NULL;
1906 free(c->root_directory);
1907 c->root_directory = NULL;
1912 free(c->syslog_identifier);
1913 c->syslog_identifier = NULL;
1921 strv_free(c->supplementary_groups);
1922 c->supplementary_groups = NULL;
1927 if (c->capabilities) {
1928 cap_free(c->capabilities);
1929 c->capabilities = NULL;
1932 strv_free(c->read_only_dirs);
1933 c->read_only_dirs = NULL;
1935 strv_free(c->read_write_dirs);
1936 c->read_write_dirs = NULL;
1938 strv_free(c->inaccessible_dirs);
1939 c->inaccessible_dirs = NULL;
1942 CPU_FREE(c->cpuset);
1947 free(c->selinux_context);
1948 c->selinux_context = NULL;
1950 free(c->apparmor_profile);
1951 c->apparmor_profile = NULL;
1953 set_free(c->syscall_filter);
1954 c->syscall_filter = NULL;
1956 set_free(c->syscall_archs);
1957 c->syscall_archs = NULL;
1959 set_free(c->address_families);
1960 c->address_families = NULL;
1962 strv_free(c->runtime_directory);
1963 c->runtime_directory = NULL;
1965 bus_endpoint_free(c->bus_endpoint);
1966 c->bus_endpoint = NULL;
1969 int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_prefix) {
1974 if (!runtime_prefix)
1977 STRV_FOREACH(i, c->runtime_directory) {
1978 _cleanup_free_ char *p;
1980 p = strjoin(runtime_prefix, "/", *i, NULL);
1984 /* We execute this synchronously, since we need to be
1985 * sure this is gone when we start the service
1987 rm_rf(p, false, true, false);
1993 void exec_command_done(ExecCommand *c) {
2003 void exec_command_done_array(ExecCommand *c, unsigned n) {
2006 for (i = 0; i < n; i++)
2007 exec_command_done(c+i);
2010 ExecCommand* exec_command_free_list(ExecCommand *c) {
2014 LIST_REMOVE(command, c, i);
2015 exec_command_done(i);
2022 void exec_command_free_array(ExecCommand **c, unsigned n) {
2025 for (i = 0; i < n; i++)
2026 c[i] = exec_command_free_list(c[i]);
2029 int exec_context_load_environment(const ExecContext *c, const char *unit_id, char ***l) {
2030 char **i, **r = NULL;
2035 STRV_FOREACH(i, c->environment_files) {
2038 bool ignore = false;
2040 _cleanup_globfree_ glob_t pglob = {};
2050 if (!path_is_absolute(fn)) {
2058 /* Filename supports globbing, take all matching files */
2060 if (glob(fn, 0, NULL, &pglob) != 0) {
2065 return errno ? -errno : -EINVAL;
2067 count = pglob.gl_pathc;
2075 for (n = 0; n < count; n++) {
2076 k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
2084 /* Log invalid environment variables with filename */
2086 p = strv_env_clean_log(p, unit_id, pglob.gl_pathv[n]);
2093 m = strv_env_merge(2, r, p);
2109 static bool tty_may_match_dev_console(const char *tty) {
2110 _cleanup_free_ char *active = NULL;
2113 if (startswith(tty, "/dev/"))
2116 /* trivial identity? */
2117 if (streq(tty, "console"))
2120 console = resolve_dev_console(&active);
2121 /* if we could not resolve, assume it may */
2125 /* "tty0" means the active VC, so it may be the same sometimes */
2126 return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
2129 bool exec_context_may_touch_console(ExecContext *ec) {
2130 return (ec->tty_reset || ec->tty_vhangup || ec->tty_vt_disallocate ||
2131 is_terminal_input(ec->std_input) ||
2132 is_terminal_output(ec->std_output) ||
2133 is_terminal_output(ec->std_error)) &&
2134 tty_may_match_dev_console(tty_path(ec));
2137 static void strv_fprintf(FILE *f, char **l) {
2143 fprintf(f, " %s", *g);
2146 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
2153 prefix = strempty(prefix);
2157 "%sWorkingDirectory: %s\n"
2158 "%sRootDirectory: %s\n"
2159 "%sNonBlocking: %s\n"
2160 "%sPrivateTmp: %s\n"
2161 "%sPrivateNetwork: %s\n"
2162 "%sPrivateDevices: %s\n"
2163 "%sProtectHome: %s\n"
2164 "%sProtectSystem: %s\n"
2165 "%sIgnoreSIGPIPE: %s\n",
2167 prefix, c->working_directory ? c->working_directory : "/",
2168 prefix, c->root_directory ? c->root_directory : "/",
2169 prefix, yes_no(c->non_blocking),
2170 prefix, yes_no(c->private_tmp),
2171 prefix, yes_no(c->private_network),
2172 prefix, yes_no(c->private_devices),
2173 prefix, protect_home_to_string(c->protect_home),
2174 prefix, protect_system_to_string(c->protect_system),
2175 prefix, yes_no(c->ignore_sigpipe));
2177 STRV_FOREACH(e, c->environment)
2178 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
2180 STRV_FOREACH(e, c->environment_files)
2181 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
2188 if (c->oom_score_adjust_set)
2190 "%sOOMScoreAdjust: %i\n",
2191 prefix, c->oom_score_adjust);
2193 for (i = 0; i < RLIM_NLIMITS; i++)
2195 fprintf(f, "%s%s: "RLIM_FMT"\n",
2196 prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
2198 if (c->ioprio_set) {
2199 _cleanup_free_ char *class_str = NULL;
2201 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
2203 "%sIOSchedulingClass: %s\n"
2204 "%sIOPriority: %i\n",
2205 prefix, strna(class_str),
2206 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
2209 if (c->cpu_sched_set) {
2210 _cleanup_free_ char *policy_str = NULL;
2212 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
2214 "%sCPUSchedulingPolicy: %s\n"
2215 "%sCPUSchedulingPriority: %i\n"
2216 "%sCPUSchedulingResetOnFork: %s\n",
2217 prefix, strna(policy_str),
2218 prefix, c->cpu_sched_priority,
2219 prefix, yes_no(c->cpu_sched_reset_on_fork));
2223 fprintf(f, "%sCPUAffinity:", prefix);
2224 for (i = 0; i < c->cpuset_ncpus; i++)
2225 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
2226 fprintf(f, " %u", i);
2230 if (c->timer_slack_nsec != NSEC_INFINITY)
2231 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
2234 "%sStandardInput: %s\n"
2235 "%sStandardOutput: %s\n"
2236 "%sStandardError: %s\n",
2237 prefix, exec_input_to_string(c->std_input),
2238 prefix, exec_output_to_string(c->std_output),
2239 prefix, exec_output_to_string(c->std_error));
2245 "%sTTYVHangup: %s\n"
2246 "%sTTYVTDisallocate: %s\n",
2247 prefix, c->tty_path,
2248 prefix, yes_no(c->tty_reset),
2249 prefix, yes_no(c->tty_vhangup),
2250 prefix, yes_no(c->tty_vt_disallocate));
2252 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
2253 c->std_output == EXEC_OUTPUT_KMSG ||
2254 c->std_output == EXEC_OUTPUT_JOURNAL ||
2255 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2256 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2257 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
2258 c->std_error == EXEC_OUTPUT_SYSLOG ||
2259 c->std_error == EXEC_OUTPUT_KMSG ||
2260 c->std_error == EXEC_OUTPUT_JOURNAL ||
2261 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2262 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2263 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
2265 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
2267 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
2268 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
2271 "%sSyslogFacility: %s\n"
2272 "%sSyslogLevel: %s\n",
2273 prefix, strna(fac_str),
2274 prefix, strna(lvl_str));
2277 if (c->capabilities) {
2278 _cleanup_cap_free_charp_ char *t;
2280 t = cap_to_text(c->capabilities, NULL);
2282 fprintf(f, "%sCapabilities: %s\n", prefix, t);
2286 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
2288 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
2289 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
2290 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
2291 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
2292 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
2293 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
2295 if (c->capability_bounding_set_drop) {
2297 fprintf(f, "%sCapabilityBoundingSet:", prefix);
2299 for (l = 0; l <= cap_last_cap(); l++)
2300 if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l)))
2301 fprintf(f, " %s", strna(capability_to_name(l)));
2307 fprintf(f, "%sUser: %s\n", prefix, c->user);
2309 fprintf(f, "%sGroup: %s\n", prefix, c->group);
2311 if (strv_length(c->supplementary_groups) > 0) {
2312 fprintf(f, "%sSupplementaryGroups:", prefix);
2313 strv_fprintf(f, c->supplementary_groups);
2318 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
2320 if (strv_length(c->read_write_dirs) > 0) {
2321 fprintf(f, "%sReadWriteDirs:", prefix);
2322 strv_fprintf(f, c->read_write_dirs);
2326 if (strv_length(c->read_only_dirs) > 0) {
2327 fprintf(f, "%sReadOnlyDirs:", prefix);
2328 strv_fprintf(f, c->read_only_dirs);
2332 if (strv_length(c->inaccessible_dirs) > 0) {
2333 fprintf(f, "%sInaccessibleDirs:", prefix);
2334 strv_fprintf(f, c->inaccessible_dirs);
2340 "%sUtmpIdentifier: %s\n",
2341 prefix, c->utmp_id);
2343 if (c->selinux_context)
2345 "%sSELinuxContext: %s%s\n",
2346 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
2348 if (c->personality != 0xffffffffUL)
2350 "%sPersonality: %s\n",
2351 prefix, strna(personality_to_string(c->personality)));
2353 if (c->syscall_filter) {
2361 "%sSystemCallFilter: ",
2364 if (!c->syscall_whitelist)
2368 SET_FOREACH(id, c->syscall_filter, j) {
2369 _cleanup_free_ char *name = NULL;
2376 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
2377 fputs(strna(name), f);
2384 if (c->syscall_archs) {
2391 "%sSystemCallArchitectures:",
2395 SET_FOREACH(id, c->syscall_archs, j)
2396 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
2401 if (c->syscall_errno != 0)
2403 "%sSystemCallErrorNumber: %s\n",
2404 prefix, strna(errno_to_name(c->syscall_errno)));
2406 if (c->apparmor_profile)
2408 "%sAppArmorProfile: %s%s\n",
2409 prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
2412 bool exec_context_maintains_privileges(ExecContext *c) {
2415 /* Returns true if the process forked off would run run under
2416 * an unchanged UID or as root. */
2421 if (streq(c->user, "root") || streq(c->user, "0"))
2427 void exec_status_start(ExecStatus *s, pid_t pid) {
2432 dual_timestamp_get(&s->start_timestamp);
2435 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
2438 if (s->pid && s->pid != pid)
2442 dual_timestamp_get(&s->exit_timestamp);
2448 if (context->utmp_id)
2449 utmp_put_dead_process(context->utmp_id, pid, code, status);
2451 exec_context_tty_reset(context);
2455 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
2456 char buf[FORMAT_TIMESTAMP_MAX];
2464 prefix = strempty(prefix);
2467 "%sPID: "PID_FMT"\n",
2470 if (s->start_timestamp.realtime > 0)
2472 "%sStart Timestamp: %s\n",
2473 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
2475 if (s->exit_timestamp.realtime > 0)
2477 "%sExit Timestamp: %s\n"
2479 "%sExit Status: %i\n",
2480 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
2481 prefix, sigchld_code_to_string(s->code),
2485 char *exec_command_line(char **argv) {
2493 STRV_FOREACH(a, argv)
2496 if (!(n = new(char, k)))
2500 STRV_FOREACH(a, argv) {
2507 if (strpbrk(*a, WHITESPACE)) {
2518 /* FIXME: this doesn't really handle arguments that have
2519 * spaces and ticks in them */
2524 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
2525 _cleanup_free_ char *cmd = NULL;
2526 const char *prefix2;
2531 prefix = strempty(prefix);
2532 prefix2 = strappenda(prefix, "\t");
2534 cmd = exec_command_line(c->argv);
2536 "%sCommand Line: %s\n",
2537 prefix, cmd ? cmd : strerror(ENOMEM));
2539 exec_status_dump(&c->exec_status, f, prefix2);
2542 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2545 prefix = strempty(prefix);
2547 LIST_FOREACH(command, c, c)
2548 exec_command_dump(c, f, prefix);
2551 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
2558 /* It's kind of important, that we keep the order here */
2559 LIST_FIND_TAIL(command, *l, end);
2560 LIST_INSERT_AFTER(command, *l, end, e);
2565 int exec_command_set(ExecCommand *c, const char *path, ...) {
2573 l = strv_new_ap(path, ap);
2594 int exec_command_append(ExecCommand *c, const char *path, ...) {
2595 _cleanup_strv_free_ char **l = NULL;
2603 l = strv_new_ap(path, ap);
2609 r = strv_extend_strv(&c->argv, l);
2617 static int exec_runtime_allocate(ExecRuntime **rt) {
2622 *rt = new0(ExecRuntime, 1);
2627 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
2632 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
2642 if (!c->private_network && !c->private_tmp)
2645 r = exec_runtime_allocate(rt);
2649 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
2650 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, (*rt)->netns_storage_socket) < 0)
2654 if (c->private_tmp && !(*rt)->tmp_dir) {
2655 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
2663 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
2665 assert(r->n_ref > 0);
2671 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
2676 assert(r->n_ref > 0);
2679 if (r->n_ref <= 0) {
2681 free(r->var_tmp_dir);
2682 safe_close_pair(r->netns_storage_socket);
2689 int exec_runtime_serialize(ExecRuntime *rt, Unit *u, FILE *f, FDSet *fds) {
2698 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
2700 if (rt->var_tmp_dir)
2701 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
2703 if (rt->netns_storage_socket[0] >= 0) {
2706 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
2710 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
2713 if (rt->netns_storage_socket[1] >= 0) {
2716 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
2720 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
2726 int exec_runtime_deserialize_item(ExecRuntime **rt, Unit *u, const char *key, const char *value, FDSet *fds) {
2733 if (streq(key, "tmp-dir")) {
2736 r = exec_runtime_allocate(rt);
2740 copy = strdup(value);
2744 free((*rt)->tmp_dir);
2745 (*rt)->tmp_dir = copy;
2747 } else if (streq(key, "var-tmp-dir")) {
2750 r = exec_runtime_allocate(rt);
2754 copy = strdup(value);
2758 free((*rt)->var_tmp_dir);
2759 (*rt)->var_tmp_dir = copy;
2761 } else if (streq(key, "netns-socket-0")) {
2764 r = exec_runtime_allocate(rt);
2768 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2769 log_unit_debug(u->id, "Failed to parse netns socket value %s", value);
2771 safe_close((*rt)->netns_storage_socket[0]);
2772 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
2774 } else if (streq(key, "netns-socket-1")) {
2777 r = exec_runtime_allocate(rt);
2781 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2782 log_unit_debug(u->id, "Failed to parse netns socket value %s", value);
2784 safe_close((*rt)->netns_storage_socket[1]);
2785 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
2793 static void *remove_tmpdir_thread(void *p) {
2794 _cleanup_free_ char *path = p;
2796 rm_rf_dangerous(path, false, true, false);
2800 void exec_runtime_destroy(ExecRuntime *rt) {
2806 /* If there are multiple users of this, let's leave the stuff around */
2811 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
2813 r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
2815 log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir);
2822 if (rt->var_tmp_dir) {
2823 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
2825 r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
2827 log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir);
2828 free(rt->var_tmp_dir);
2831 rt->var_tmp_dir = NULL;
2834 safe_close_pair(rt->netns_storage_socket);
2837 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
2838 [EXEC_INPUT_NULL] = "null",
2839 [EXEC_INPUT_TTY] = "tty",
2840 [EXEC_INPUT_TTY_FORCE] = "tty-force",
2841 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
2842 [EXEC_INPUT_SOCKET] = "socket"
2845 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
2847 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
2848 [EXEC_OUTPUT_INHERIT] = "inherit",
2849 [EXEC_OUTPUT_NULL] = "null",
2850 [EXEC_OUTPUT_TTY] = "tty",
2851 [EXEC_OUTPUT_SYSLOG] = "syslog",
2852 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
2853 [EXEC_OUTPUT_KMSG] = "kmsg",
2854 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
2855 [EXEC_OUTPUT_JOURNAL] = "journal",
2856 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
2857 [EXEC_OUTPUT_SOCKET] = "socket"
2860 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
~ianmdlvl / elogind.git / blob