X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=src%2Fcore%2Fexecute.c;h=63d295cf41f372a2b814edbb78715fc921bc5ed4;hp=a88e1b19533cce2435e98253a6b557218e1ae37d;hb=d5243d628624038567c576e9b69c1d775eb05a05;hpb=bb7dd0b04a6e89674100476eed0bbd05c6a4cbd8 diff --git a/src/core/execute.c b/src/core/execute.c index a88e1b195..63d295cf4 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -83,6 +83,10 @@ #include "af-list.h" #include "mkdir.h" #include "apparmor-util.h" +#include "smack-util.h" +#include "bus-endpoint.h" +#include "label.h" +#include "cap-list.h" #ifdef HAVE_SECCOMP #include "seccomp-util.h" @@ -126,7 +130,7 @@ static int shift_fds(int fds[], unsigned n_fds) { fds[i] = nfd; /* Hmm, the fd we wanted isn't free? Then - * let's remember that and try again from here*/ + * let's remember that and try again from here */ if (nfd != i+3 && restart_from < 0) restart_from = i; } @@ -215,12 +219,52 @@ static int open_null_as(int flags, int nfd) { return r; } -static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd) { - int fd, r; +static int connect_journal_socket(int fd, uid_t uid, gid_t gid) { union sockaddr_union sa = { .un.sun_family = AF_UNIX, .un.sun_path = "/run/systemd/journal/stdout", }; + uid_t olduid = UID_INVALID; + gid_t oldgid = GID_INVALID; + int r; + + if (gid != GID_INVALID) { + oldgid = getgid(); + + r = setegid(gid); + if (r < 0) + return -errno; + } + + if (uid != UID_INVALID) { + olduid = getuid(); + + r = seteuid(uid); + if (r < 0) { + r = -errno; + goto restore_gid; + } + } + + r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path)); + if (r < 0) + r = -errno; + + /* If we fail to restore the uid or gid, things will likely + fail later on. This should only happen if an LSM interferes. */ + + if (uid != UID_INVALID) + (void) seteuid(olduid); + + restore_gid: + if (gid != GID_INVALID) + (void) setegid(oldgid); + + return r; +} + +static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd, uid_t uid, gid_t gid) { + int fd, r; assert(context); assert(output < _EXEC_OUTPUT_MAX); @@ -231,11 +275,9 @@ static int connect_logger_as(const ExecContext *context, ExecOutput output, cons if (fd < 0) return -errno; - r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path)); - if (r < 0) { - safe_close(fd); - return -errno; - } + r = connect_journal_socket(fd, uid, gid); + if (r < 0) + return r; if (shutdown(fd, SHUT_RD) < 0) { safe_close(fd); @@ -354,7 +396,7 @@ static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty } } -static int setup_output(const ExecContext *context, int fileno, int socket_fd, const char *ident, const char *unit_id, bool apply_tty_stdin) { +static int setup_output(const ExecContext *context, int fileno, int socket_fd, const char *ident, const char *unit_id, bool apply_tty_stdin, uid_t uid, gid_t gid) { ExecOutput o; ExecInput i; int r; @@ -421,14 +463,15 @@ static int setup_output(const ExecContext *context, int fileno, int socket_fd, c case EXEC_OUTPUT_KMSG_AND_CONSOLE: case EXEC_OUTPUT_JOURNAL: case EXEC_OUTPUT_JOURNAL_AND_CONSOLE: - r = connect_logger_as(context, o, ident, unit_id, fileno); + r = connect_logger_as(context, o, ident, unit_id, fileno, uid, gid); if (r < 0) { - log_struct_unit(LOG_CRIT, unit_id, - "MESSAGE=Failed to connect std%s of %s to the journal socket: %s", - fileno == STDOUT_FILENO ? "out" : "err", - unit_id, strerror(-r), - "ERRNO=%d", -r, - NULL); + log_unit_struct(unit_id, + LOG_ERR, + LOG_MESSAGE("Failed to connect %s of %s to the journal socket: %s", + fileno == STDOUT_FILENO ? "stdout" : "stderr", + unit_id, strerror(-r)), + LOG_ERRNO(-r), + NULL); r = open_null_as(O_WRONLY, fileno); } return r; @@ -754,7 +797,7 @@ static int setup_pam( * daemon. We do things this way to ensure that the main PID * of the daemon is the one we initially fork()ed. */ - if (log_get_max_level() < LOG_PRI(LOG_DEBUG)) + if (log_get_max_level() < LOG_DEBUG) flags |= PAM_SILENT; pam_code = pam_start(name, user, &conv, &handle); @@ -819,7 +862,7 @@ static int setup_pam( * If this fails, ignore the error - but expect sd-pam threads * to fail to exit normally */ if (setresuid(uid, uid, uid) < 0) - log_error("Error: Failed to setresuid() in sd-pam: %s", strerror(-r)); + log_error_errno(r, "Error: Failed to setresuid() in sd-pam: %m"); /* Wait until our parent died. This will only work if * the above setresuid() succeeds, otherwise the kernel @@ -881,7 +924,7 @@ fail: log_error("PAM failed: %s", pam_strerror(handle, pam_code)); err = -EPERM; /* PAM errors do not map to errno */ } else { - log_error("PAM failed: %m"); + log_error_errno(errno, "PAM failed: %m"); err = -errno; } @@ -938,7 +981,7 @@ static void rename_process_from_path(const char *path) { #ifdef HAVE_SECCOMP -static int apply_seccomp(ExecContext *c) { +static int apply_seccomp(const ExecContext *c) { uint32_t negative_action, action; scmp_filter_ctx *seccomp; Iterator i; @@ -987,7 +1030,7 @@ finish: return r; } -static int apply_address_families(ExecContext *c) { +static int apply_address_families(const ExecContext *c) { scmp_filter_ctx *seccomp; Iterator i; int r; @@ -1234,11 +1277,12 @@ static int exec_child(ExecCommand *command, int *error) { _cleanup_strv_free_ char **our_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL; + _cleanup_free_ char *mac_selinux_context_net = NULL; const char *username = NULL, *home = NULL, *shell = NULL; unsigned n_dont_close = 0; - int dont_close[n_fds + 3]; - uid_t uid = (uid_t) -1; - gid_t gid = (gid_t) -1; + int dont_close[n_fds + 4]; + uid_t uid = UID_INVALID; + gid_t gid = GID_INVALID; int i, err; assert(command); @@ -1279,6 +1323,8 @@ static int exec_child(ExecCommand *command, memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds); n_dont_close += n_fds; } + if (params->bus_endpoint_fd >= 0) + dont_close[n_dont_close++] = params->bus_endpoint_fd; if (runtime) { if (runtime->netns_storage_socket[0] >= 0) dont_close[n_dont_close++] = runtime->netns_storage_socket[0]; @@ -1319,6 +1365,15 @@ static int exec_child(ExecCommand *command, } } + if (context->user) { + username = context->user; + err = get_user_creds(&username, &uid, &gid, &home, &shell); + if (err < 0) { + *error = EXIT_USER; + return err; + } + } + /* If a socket is connected to STDIN/STDOUT/STDERR, we * must sure to drop O_NONBLOCK */ if (socket_fd >= 0) @@ -1330,20 +1385,20 @@ static int exec_child(ExecCommand *command, return err; } - err = setup_output(context, STDOUT_FILENO, socket_fd, basename(command->path), params->unit_id, params->apply_tty_stdin); + err = setup_output(context, STDOUT_FILENO, socket_fd, basename(command->path), params->unit_id, params->apply_tty_stdin, uid, gid); if (err < 0) { *error = EXIT_STDOUT; return err; } - err = setup_output(context, STDERR_FILENO, socket_fd, basename(command->path), params->unit_id, params->apply_tty_stdin); + err = setup_output(context, STDERR_FILENO, socket_fd, basename(command->path), params->unit_id, params->apply_tty_stdin, uid, gid); if (err < 0) { *error = EXIT_STDERR; return err; } if (params->cgroup_path) { - err = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0); + err = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL); if (err < 0) { *error = EXIT_CGROUP; return err; @@ -1351,12 +1406,16 @@ static int exec_child(ExecCommand *command, } if (context->oom_score_adjust_set) { - char t[16]; + char t[DECIMAL_STR_MAX(context->oom_score_adjust)]; - snprintf(t, sizeof(t), "%i", context->oom_score_adjust); - char_array_0(t); + /* When we can't make this change due to EPERM, then + * let's silently skip over it. User namespaces + * prohibit write access to this file, and we + * shouldn't trip up over that. */ - if (write_string_file("/proc/self/oom_score_adj", t) < 0) { + sprintf(t, "%i", context->oom_score_adjust); + err = write_string_file("/proc/self/oom_score_adj", t); + if (err < 0 && err != -EPERM) { *error = EXIT_OOM_ADJUST; return -errno; } @@ -1411,25 +1470,30 @@ static int exec_child(ExecCommand *command, if (context->utmp_id) utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path); - if (context->user) { - username = context->user; - err = get_user_creds(&username, &uid, &gid, &home, &shell); + if (context->user && is_terminal_input(context->std_input)) { + err = chown_terminal(STDIN_FILENO, uid); if (err < 0) { - *error = EXIT_USER; + *error = EXIT_STDIN; return err; } + } - if (is_terminal_input(context->std_input)) { - err = chown_terminal(STDIN_FILENO, uid); - if (err < 0) { - *error = EXIT_STDIN; - return err; - } +#ifdef ENABLE_KDBUS + if (params->bus_endpoint_fd >= 0 && context->bus_endpoint) { + uid_t ep_uid = (uid == UID_INVALID) ? 0 : uid; + + err = bus_kernel_set_endpoint_policy(params->bus_endpoint_fd, ep_uid, context->bus_endpoint); + if (err < 0) { + *error = EXIT_BUS_ENDPOINT; + return err; } } +#endif -#ifdef HAVE_PAM - if (params->cgroup_path && context->user && context->pam_name) { + /* If delegation is enabled we'll pass ownership of the cgroup + * (but only in systemd's own controller hierarchy!) to the + * user of the new process. */ + if (params->cgroup_path && context->user && params->cgroup_delegate) { err = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, 0644, uid, gid); if (err < 0) { *error = EXIT_CGROUP; @@ -1443,7 +1507,6 @@ static int exec_child(ExecCommand *command, return err; } } -#endif if (!strv_isempty(context->runtime_directory) && params->runtime_prefix) { char **rt; @@ -1498,6 +1561,7 @@ static int exec_child(ExecCommand *command, !strv_isempty(context->inaccessible_dirs) || context->mount_flags != 0 || (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) || + params->bus_endpoint_path || context->private_devices || context->protect_system != PROTECT_SYSTEM_NO || context->protect_home != PROTECT_HOME_NO) { @@ -1523,11 +1587,15 @@ static int exec_child(ExecCommand *command, context->inaccessible_dirs, tmp, var, + params->bus_endpoint_path, context->private_devices, context->protect_home, context->protect_system, context->mount_flags); - if (err < 0) { + + if (err == -EPERM) + log_unit_warning_errno(params->unit_id, err, "Failed to set up file system namespace due to lack of privileges. Execution sandbox will not be in effect: %m"); + else if (err < 0) { *error = EXIT_NAMESPACE; return err; } @@ -1560,10 +1628,22 @@ static int exec_child(ExecCommand *command, } } +#ifdef HAVE_SELINUX + if (params->apply_permissions && mac_selinux_use() && params->selinux_context_net && socket_fd >= 0) { + err = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net); + if (err < 0) { + *error = EXIT_SELINUX_CONTEXT; + return err; + } + } +#endif + /* We repeat the fd closing here, to make sure that * nothing is leaked from the PAM modules. Note that * we are more aggressive this time since socket_fd - * and the netns fds we don#t need anymore. */ + * and the netns fds we don't need anymore. The custom + * endpoint fd was needed to upload the policy and can + * now be closed as well. */ err = close_all_fds(fds, n_fds); if (err >= 0) err = shift_fds(fds, n_fds); @@ -1594,6 +1674,16 @@ static int exec_child(ExecCommand *command, } } +#ifdef HAVE_SMACK + if (context->smack_process_label) { + err = mac_smack_apply_pid(0, context->smack_process_label); + if (err < 0) { + *error = EXIT_SMACK_PROCESS_LABEL; + return err; + } + } +#endif + if (context->user) { err = enforce_user(context, uid); if (err < 0) { @@ -1646,21 +1736,25 @@ static int exec_child(ExecCommand *command, #endif #ifdef HAVE_SELINUX - if (context->selinux_context && use_selinux()) { - err = setexeccon(context->selinux_context); - if (err < 0 && !context->selinux_context_ignore) { - *error = EXIT_SELINUX_CONTEXT; - return err; + if (mac_selinux_use()) { + char *exec_context = mac_selinux_context_net ?: context->selinux_context; + + if (exec_context) { + err = setexeccon(exec_context); + if (err < 0) { + *error = EXIT_SELINUX_CONTEXT; + return err; + } } } #endif #ifdef HAVE_APPARMOR - if (context->apparmor_profile && use_apparmor()) { + if (context->apparmor_profile && mac_apparmor_use()) { err = aa_change_onexec(context->apparmor_profile); if (err < 0 && !context->apparmor_profile_ignore) { *error = EXIT_APPARMOR_PROFILE; - return err; + return -errno; } } #endif @@ -1692,16 +1786,16 @@ static int exec_child(ExecCommand *command, final_env = strv_env_clean(final_env); - if (_unlikely_(log_get_max_level() >= LOG_PRI(LOG_DEBUG))) { + if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) { _cleanup_free_ char *line; line = exec_command_line(final_argv); if (line) { log_open(); - log_struct_unit(LOG_DEBUG, - params->unit_id, + log_unit_struct(params->unit_id, + LOG_DEBUG, "EXECUTABLE=%s", command->path, - "MESSAGE=Executing: %s", line, + LOG_MESSAGE("Executing: %s", line), NULL); log_close(); } @@ -1744,13 +1838,13 @@ int exec_spawn(ExecCommand *command, n_fds = params->n_fds; } - err = exec_context_load_environment(context, &files_env); + err = exec_context_load_environment(context, params->unit_id, &files_env); if (err < 0) { - log_struct_unit(LOG_ERR, - params->unit_id, - "MESSAGE=Failed to load environment files: %s", strerror(-err), - "ERRNO=%d", -err, - NULL); + log_unit_struct(params->unit_id, + LOG_ERR, + LOG_MESSAGE("Failed to load environment files: %s", strerror(-err)), + LOG_ERRNO(-err), + NULL); return err; } @@ -1760,10 +1854,10 @@ int exec_spawn(ExecCommand *command, if (!line) return log_oom(); - log_struct_unit(LOG_DEBUG, - params->unit_id, + log_unit_struct(params->unit_id, + LOG_DEBUG, "EXECUTABLE=%s", command->path, - "MESSAGE=About to execute: %s", line, + LOG_MESSAGE("About to execute: %s", line), NULL); free(line); @@ -1785,12 +1879,13 @@ int exec_spawn(ExecCommand *command, &r); if (r != 0) { log_open(); - log_struct(LOG_ERR, MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED), + log_struct(LOG_ERR, + LOG_MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED), "EXECUTABLE=%s", command->path, - "MESSAGE=Failed at step %s spawning %s: %s", - exit_status_to_string(r, EXIT_STATUS_SYSTEMD), - command->path, strerror(-err), - "ERRNO=%d", -err, + LOG_MESSAGE("Failed at step %s spawning %s: %s", + exit_status_to_string(r, EXIT_STATUS_SYSTEMD), + command->path, strerror(-err)), + LOG_ERRNO(-err), NULL); log_close(); } @@ -1798,10 +1893,10 @@ int exec_spawn(ExecCommand *command, _exit(r); } - log_struct_unit(LOG_DEBUG, - params->unit_id, - "MESSAGE=Forked %s as "PID_FMT, - command->path, pid, + log_unit_struct(params->unit_id, + LOG_DEBUG, + LOG_MESSAGE("Forked %s as "PID_FMT, + command->path, pid), NULL); /* We add the new process to the cgroup both in the child (so @@ -1931,7 +2026,7 @@ int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_p /* We execute this synchronously, since we need to be * sure this is gone when we start the service * next. */ - rm_rf_dangerous(p, false, true, false); + rm_rf(p, false, true, false); } return 0; @@ -1954,7 +2049,7 @@ void exec_command_done_array(ExecCommand *c, unsigned n) { exec_command_done(c+i); } -void exec_command_free_list(ExecCommand *c) { +ExecCommand* exec_command_free_list(ExecCommand *c) { ExecCommand *i; while ((i = c)) { @@ -1962,18 +2057,29 @@ void exec_command_free_list(ExecCommand *c) { exec_command_done(i); free(i); } + + return NULL; } void exec_command_free_array(ExecCommand **c, unsigned n) { unsigned i; - for (i = 0; i < n; i++) { - exec_command_free_list(c[i]); - c[i] = NULL; - } + for (i = 0; i < n; i++) + c[i] = exec_command_free_list(c[i]); +} + +typedef struct InvalidEnvInfo { + const char *unit_id; + const char *path; +} InvalidEnvInfo; + +static void invalid_env(const char *p, void *userdata) { + InvalidEnvInfo *info = userdata; + + log_unit_error(info->unit_id, "Ignoring invalid environment assignment '%s': %s", p, info->path); } -int exec_context_load_environment(const ExecContext *c, char ***l) { +int exec_context_load_environment(const ExecContext *c, const char *unit_id, char ***l) { char **i, **r = NULL; assert(c); @@ -2029,8 +2135,14 @@ int exec_context_load_environment(const ExecContext *c, char ***l) { return k; } /* Log invalid environment variables with filename */ - if (p) - p = strv_env_clean_log(p, pglob.gl_pathv[n]); + if (p) { + InvalidEnvInfo info = { + .unit_id = unit_id, + .path = pglob.gl_pathv[n] + }; + + p = strv_env_clean_with_callback(p, invalid_env, &info); + } if (r == NULL) r = p; @@ -2244,13 +2356,8 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { fprintf(f, "%sCapabilityBoundingSet:", prefix); for (l = 0; l <= cap_last_cap(); l++) - if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) { - _cleanup_cap_free_charp_ char *t; - - t = cap_to_name(l); - if (t) - fprintf(f, " %s", t); - } + if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) + fprintf(f, " %s", strna(capability_to_name(l))); fputs("\n", f); } @@ -2361,6 +2468,21 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile); } +bool exec_context_maintains_privileges(ExecContext *c) { + assert(c); + + /* Returns true if the process forked off would run run under + * an unchanged UID or as root. */ + + if (!c->user) + return true; + + if (streq(c->user, "root") || streq(c->user, "0")) + return true; + + return false; +} + void exec_status_start(ExecStatus *s, pid_t pid) { assert(s); @@ -2528,6 +2650,29 @@ int exec_command_set(ExecCommand *c, const char *path, ...) { return 0; } +int exec_command_append(ExecCommand *c, const char *path, ...) { + _cleanup_strv_free_ char **l = NULL; + va_list ap; + int r; + + assert(c); + assert(path); + + va_start(ap, path); + l = strv_new_ap(path, ap); + va_end(ap); + + if (!l) + return -ENOMEM; + + r = strv_extend_strv(&c->argv, l); + if (r < 0) + return r; + + return 0; +} + + static int exec_runtime_allocate(ExecRuntime **rt) { if (*rt) @@ -2680,7 +2825,7 @@ int exec_runtime_deserialize_item(ExecRuntime **rt, Unit *u, const char *key, co return r; if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd)) - log_debug_unit(u->id, "Failed to parse netns socket value %s", value); + log_unit_debug(u->id, "Failed to parse netns socket value %s", value); else { safe_close((*rt)->netns_storage_socket[0]); (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd); @@ -2693,7 +2838,7 @@ int exec_runtime_deserialize_item(ExecRuntime **rt, Unit *u, const char *key, co return r; if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd)) - log_debug_unit(u->id, "Failed to parse netns socket value %s", value); + log_unit_debug(u->id, "Failed to parse netns socket value %s", value); else { safe_close((*rt)->netns_storage_socket[1]); (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd); @@ -2726,7 +2871,7 @@ void exec_runtime_destroy(ExecRuntime *rt) { r = asynchronous_job(remove_tmpdir_thread, rt->tmp_dir); if (r < 0) { - log_warning("Failed to nuke %s: %s", rt->tmp_dir, strerror(-r)); + log_warning_errno(r, "Failed to nuke %s: %m", rt->tmp_dir); free(rt->tmp_dir); } @@ -2738,7 +2883,7 @@ void exec_runtime_destroy(ExecRuntime *rt) { r = asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir); if (r < 0) { - log_warning("Failed to nuke %s: %s", rt->var_tmp_dir, strerror(-r)); + log_warning_errno(r, "Failed to nuke %s: %m", rt->var_tmp_dir); free(rt->var_tmp_dir); }