1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
29 #include <sys/socket.h>
31 #include <sys/prctl.h>
32 #include <linux/sched.h>
33 #include <sys/types.h>
37 #include <sys/mount.h>
39 #include <linux/oom.h>
46 #include <security/pam_appl.h>
50 #include <selinux/selinux.h>
60 #include "capability.h"
63 #include "sd-messages.h"
65 #include "securebits.h"
66 #include "namespace.h"
68 #include "exit-status.h"
70 #include "utmp-wtmp.h"
72 #include "path-util.h"
77 #include "selinux-util.h"
78 #include "errno-list.h"
80 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
81 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
83 /* This assumes there is a 'tty' group */
86 #define SNDBUF_SIZE (8*1024*1024)
/* Rearranges the passed descriptors so that entry i ends up at fd i+3.
 * Each entry is duplicated with F_DUPFD (lowest free fd >= i+3) and the
 * old descriptor is closed. If the wanted slot was still taken, the
 * first such index is remembered in restart_from and scanning starts
 * over from there. The array is modified in place. */
88 static int shift_fds(int fds[], unsigned n_fds) {
89 int start, restart_from;
94 /* Modifies the fds array! (sorts it) */
104 for (i = start; i < (int) n_fds; i++) {
107 /* Already at right index? */
111 if ((nfd = fcntl(fds[i], F_DUPFD, i+3)) < 0)
114 close_nointr_nofail(fds[i]);
117 /* Hmm, the fd we wanted isn't free? Then
118 * let's remember that and try again from here*/
119 if (nfd != i+3 && restart_from < 0)
123 if (restart_from < 0)
126 start = restart_from;
/* Normalizes the flags of every descriptor in fds[]: O_NONBLOCK is set
 * according to the nonblock argument and FD_CLOEXEC is always cleared.
 * A negative result from either helper is captured in r. */
132 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
141 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
143 for (i = 0; i < n_fds; i++) {
145 if ((r = fd_nonblock(fds[i], nonblock)) < 0)
148 /* We unconditionally drop FD_CLOEXEC from the fds,
149 * since after all we want to pass these fds to our
152 if ((r = fd_cloexec(fds[i], false)) < 0)
/* Returns the TTY path configured in the context, or "/dev/console"
 * when the context does not name one. */
159 _pure_ static const char *tty_path(const ExecContext *context) {
162 if (context->tty_path)
163 return context->tty_path;
165 return "/dev/console";
/* Runs the TTY clean-up actions enabled in the context. Hangup and
 * reset operate on tty_path(context), i.e. they fall back to
 * /dev/console; VT disallocation is only attempted when the context
 * names an explicit tty_path. */
168 static void exec_context_tty_reset(const ExecContext *context) {
171 if (context->tty_vhangup)
172 terminal_vhangup(tty_path(context));
174 if (context->tty_reset)
175 reset_terminal(tty_path(context));
177 if (context->tty_vt_disallocate && context->tty_path)
178 vt_disallocate(context->tty_path);
/* True for the output modes that involve the terminal: EXEC_OUTPUT_TTY
 * and the SYSLOG/KMSG/JOURNAL modes that additionally copy to the
 * console. */
181 static bool is_terminal_output(ExecOutput o) {
183 o == EXEC_OUTPUT_TTY ||
184 o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
185 o == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
186 o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE;
/* Opens /dev/null with the given flags (O_NOCTTY is always added) and
 * duplicates it onto nfd. The dup2() step yields nfd on success and
 * -errno on failure; the temporary descriptor is closed either way. */
189 static int open_null_as(int flags, int nfd) {
194 fd = open("/dev/null", flags|O_NOCTTY);
199 r = dup2(fd, nfd) < 0 ? -errno : nfd;
200 close_nointr_nofail(fd);
/* Connects a stream socket to /run/systemd/journal/stdout and installs
 * it as descriptor nfd.
 *
 * The visible argument list (identifier, priority, level-prefix flag,
 * syslog/kmsg/console forwarding flags) is presumably the header sent
 * to the journal before the socket is handed over -- the call that
 * consumes it is not visible here, confirm.
 *
 * The dup2() step yields nfd on success and -errno on failure. */
207 static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd) {
209 union sockaddr_union sa = {
210 .un.sun_family = AF_UNIX,
211 .un.sun_path = "/run/systemd/journal/stdout",
215 assert(output < _EXEC_OUTPUT_MAX);
219 fd = socket(AF_UNIX, SOCK_STREAM, 0);
223 r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path));
225 close_nointr_nofail(fd);
/* Only the write direction is used, so shut down the read side. */
229 if (shutdown(fd, SHUT_RD) < 0) {
230 close_nointr_nofail(fd);
/* Best effort: the result of enlarging the send buffer is not checked. */
234 fd_inc_sndbuf(fd, SNDBUF_SIZE);
/* A configured syslog identifier takes precedence over the caller's ident. */
244 context->syslog_identifier ? context->syslog_identifier : ident,
246 context->syslog_priority,
247 !!context->syslog_level_prefix,
248 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
249 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
250 is_terminal_output(output));
253 r = dup2(fd, nfd) < 0 ? -errno : nfd;
254 close_nointr_nofail(fd);
/* Opens the terminal at path with the given mode (O_NOCTTY is always
 * added, so it does not become the controlling terminal) and duplicates
 * it onto nfd. The dup2() step yields nfd on success and -errno on
 * failure; the temporary descriptor is closed afterwards. */
260 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
266 if ((fd = open_terminal(path, mode | O_NOCTTY)) < 0)
270 r = dup2(fd, nfd) < 0 ? -errno : nfd;
271 close_nointr_nofail(fd);
/* True for the three input modes that read from a TTY:
 * EXEC_INPUT_TTY, EXEC_INPUT_TTY_FORCE and EXEC_INPUT_TTY_FAIL. */
278 static bool is_terminal_input(ExecInput i) {
280 i == EXEC_INPUT_TTY ||
281 i == EXEC_INPUT_TTY_FORCE ||
282 i == EXEC_INPUT_TTY_FAIL;
/* Downgrades the configured input mode to EXEC_INPUT_NULL when it
 * cannot be honoured: a terminal input while apply_tty_stdin is false,
 * or socket input without a valid socket_fd. */
285 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
287 if (is_terminal_input(std_input) && !apply_tty_stdin)
288 return EXEC_INPUT_NULL;
290 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
291 return EXEC_INPUT_NULL;
/* Downgrades socket output to EXEC_OUTPUT_INHERIT when no valid
 * socket_fd is available. */
296 static int fixup_output(ExecOutput std_output, int socket_fd) {
298 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
299 return EXEC_OUTPUT_INHERIT;
/* Sets up STDIN_FILENO according to the (fixed-up) input mode of the
 * context: /dev/null, a terminal acquired from tty_path(context), or
 * the passed socket. The visible return paths yield STDIN_FILENO on
 * success and -errno when dup2() fails. */
304 static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty_stdin) {
309 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
313 case EXEC_INPUT_NULL:
314 return open_null_as(O_RDONLY, STDIN_FILENO);
317 case EXEC_INPUT_TTY_FORCE:
318 case EXEC_INPUT_TTY_FAIL: {
/* The two flags passed below are derived from which TTY mode was
 * requested (TTY_FAIL vs. TTY_FORCE). */
321 fd = acquire_terminal(tty_path(context),
322 i == EXEC_INPUT_TTY_FAIL,
323 i == EXEC_INPUT_TTY_FORCE,
/* Only move the descriptor if the terminal was not already opened as stdin. */
329 if (fd != STDIN_FILENO) {
330 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
331 close_nointr_nofail(fd);
338 case EXEC_INPUT_SOCKET:
339 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
342 assert_not_reached("Unknown input type");
/* Sets up the descriptor fileno (stdout or stderr) according to the
 * context.
 *
 * The input and output modes are first passed through fixup_input() /
 * fixup_output(). For stderr the std_error mode is evaluated and, where
 * it matches stdout or is "inherit", stdout is simply duplicated. An
 * inherited stdout follows stdin where that is connected to something
 * other than /dev/null. Logging modes connect to the journal and fall
 * back to /dev/null after logging the failure.
 *
 * The visible return paths yield fileno on success and -errno when
 * dup2() fails. */
346 static int setup_output(const ExecContext *context, int fileno, int socket_fd, const char *ident, const char *unit_id, bool apply_tty_stdin) {
354 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
355 o = fixup_output(context->std_output, socket_fd);
357 if (fileno == STDERR_FILENO) {
359 e = fixup_output(context->std_error, socket_fd);
361 /* This expects the input and output are already set up */
363 /* Don't change the stderr file descriptor if we inherit all
364 * the way and are not on a tty */
365 if (e == EXEC_OUTPUT_INHERIT &&
366 o == EXEC_OUTPUT_INHERIT &&
367 i == EXEC_INPUT_NULL &&
368 !is_terminal_input(context->std_input) &&
372 /* Duplicate from stdout if possible */
373 if (e == o || e == EXEC_OUTPUT_INHERIT)
374 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
378 } else if (o == EXEC_OUTPUT_INHERIT) {
379 /* If input got downgraded, inherit the original value */
380 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
381 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
383 /* If the input is connected to anything that's not a /dev/null, inherit that... */
384 if (i != EXEC_INPUT_NULL)
385 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
387 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
391 /* We need to open /dev/null here anew, to get the right access mode. */
392 return open_null_as(O_WRONLY, fileno);
397 case EXEC_OUTPUT_NULL:
398 return open_null_as(O_WRONLY, fileno);
400 case EXEC_OUTPUT_TTY:
/* Share the descriptor with stdin when that is already a terminal. */
401 if (is_terminal_input(i))
402 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
404 /* We don't reset the terminal if this is just about output */
405 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
407 case EXEC_OUTPUT_SYSLOG:
408 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
409 case EXEC_OUTPUT_KMSG:
410 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
411 case EXEC_OUTPUT_JOURNAL:
412 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
413 r = connect_logger_as(context, o, ident, unit_id, fileno);
415 log_struct_unit(LOG_CRIT, unit_id,
416 "MESSAGE=Failed to connect std%s of %s to the journal socket: %s",
417 fileno == STDOUT_FILENO ? "out" : "err",
418 unit_id, strerror(-r),
/* Fall back to /dev/null so that the descriptor is at least valid. */
421 r = open_null_as(O_WRONLY, fileno);
425 case EXEC_OUTPUT_SOCKET:
426 assert(socket_fd >= 0);
427 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
/* NOTE(review): the message below says "error type" although this
 * function dispatches on the output mode -- consider rewording. */
430 assert_not_reached("Unknown error type");
/* Tries to give the terminal on fd to uid with permission bits
 * TTY_MODE. The results of fchown()/fchmod() are deliberately ignored;
 * instead the outcome is verified with fstat() by comparing the owner
 * and the low nine mode bits against the wanted values. */
434 static int chown_terminal(int fd, uid_t uid) {
439 /* This might fail. What matters are the results. */
440 (void) fchown(fd, uid, -1);
441 (void) fchmod(fd, TTY_MODE);
443 if (fstat(fd, &st) < 0)
446 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
/* Temporarily redirects stdin and stdout to an acquired terminal so
 * that a confirmation question can be asked.
 *
 * The current stdin/stdout are first duplicated to descriptors >= 3.
 * On success the duplicates are handed back through _saved_stdin and
 * _saved_stdout for a later restore_confirm_stdio(). The trailing
 * section closes whatever was opened so far -- presumably the failure
 * path, confirm. */
452 static int setup_confirm_stdio(int *_saved_stdin,
453 int *_saved_stdout) {
454 int fd = -1, saved_stdin, saved_stdout = -1, r;
456 assert(_saved_stdin);
457 assert(_saved_stdout);
459 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
463 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
464 if (saved_stdout < 0) {
469 fd = acquire_terminal(
474 DEFAULT_CONFIRM_USEC);
/* Make sure the terminal belongs to us before using it. */
480 r = chown_terminal(fd, getuid());
484 if (dup2(fd, STDIN_FILENO) < 0) {
489 if (dup2(fd, STDOUT_FILENO) < 0) {
495 close_nointr_nofail(fd);
497 *_saved_stdin = saved_stdin;
498 *_saved_stdout = saved_stdout;
503 if (saved_stdout >= 0)
504 close_nointr_nofail(saved_stdout);
506 if (saved_stdin >= 0)
507 close_nointr_nofail(saved_stdin);
510 close_nointr_nofail(fd);
/* Formats a printf-style message and writes it to /dev/console, which
 * is opened write-only (without becoming the controlling terminal) for
 * this one message and closed again afterwards. */
515 _printf_(1, 2) static int write_confirm_message(const char *format, ...) {
521 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
525 va_start(ap, format);
526 vdprintf(fd, format, ap);
529 close_nointr_nofail(fd);
/* Undoes setup_confirm_stdio(): each saved descriptor that is valid
 * (>= 0) is duplicated back onto STDIN_FILENO / STDOUT_FILENO and then
 * closed. Both restores are attempted before either saved descriptor
 * is closed. */
534 static int restore_confirm_stdio(int *saved_stdin,
540 assert(saved_stdout);
544 if (*saved_stdin >= 0)
545 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
548 if (*saved_stdout >= 0)
549 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
552 if (*saved_stdin >= 0)
553 close_nointr_nofail(*saved_stdin);
555 if (*saved_stdout >= 0)
556 close_nointr_nofail(*saved_stdout);
/* Asks on the terminal whether the command line built from argv should
 * be executed. The answer character (one of 'y', 'n', 's') is stored
 * in *response. stdin/stdout are redirected for the question and
 * restored afterwards. */
561 static int ask_for_confirmation(char *response, char **argv) {
562 int saved_stdout = -1, saved_stdin = -1, r;
565 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
569 line = exec_command_line(argv);
573 r = ask(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
576 restore_confirm_stdio(&saved_stdin, &saved_stdout);
/* Applies the group configuration of the context to the calling
 * process, in three steps: initgroups() for the user (skipped when no
 * username is given or gid is 0), setresgid() to the resolved gid, and
 * finally setgroups() with the current group list extended by the
 * configured supplementary groups. A group named in the context
 * overrides the gid passed in. */
581 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
582 bool keep_groups = false;
587 /* Lookup and set GID and supplementary group list. Here too
588 * we avoid NSS lookups for gid=0. */
590 if (context->group || username) {
592 if (context->group) {
593 const char *g = context->group;
595 if ((r = get_group_creds(&g, &gid)) < 0)
599 /* First step, initialize groups from /etc/group */
600 if (username && gid != 0) {
601 if (initgroups(username, gid) < 0)
607 /* Second step, set our gids */
608 if (setresgid(gid, gid, gid) < 0)
612 if (context->supplementary_groups) {
617 /* Final step, initialize any manually set supplementary groups */
618 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
620 if (!(gids = new(gid_t, ngroups_max)))
/* Start from the groups we already have; k counts the used entries. */
624 if ((k = getgroups(ngroups_max, gids)) < 0) {
631 STRV_FOREACH(i, context->supplementary_groups) {
/* Never write past the ngroups_max entries allocated above. */
634 if (k >= ngroups_max) {
640 r = get_group_creds(&g, gids+k);
649 if (setgroups(k, gids) < 0) {
/* Switches the real, effective and saved uid to uid. When the context
 * configures capabilities, SECURE_KEEP_CAPS is enabled first and the
 * process capability set is reduced to the configured set plus
 * CAP_SETUID and CAP_SETPCAP, so that the capabilities survive the uid
 * change. */
660 static int enforce_user(const ExecContext *context, uid_t uid) {
663 /* Sets (but doesn't lookup) the uid and make sure we keep the
664 * capabilities while doing so. */
666 if (context->capabilities) {
667 _cleanup_cap_free_ cap_t d = NULL;
668 static const cap_value_t bits[] = {
669 CAP_SETUID, /* Necessary so that we can run setresuid() below */
670 CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
673 /* First step: If we need to keep capabilities but
674 * drop privileges we need to make sure we keep our
675 * caps, while we drop privileges. */
677 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
/* Only call the privileged setter when the bits actually differ. */
679 if (prctl(PR_GET_SECUREBITS) != sb)
680 if (prctl(PR_SET_SECUREBITS, sb) < 0)
684 /* Second step: set the capabilities. This will reduce
685 * the capabilities to the minimum we need. */
/* Work on a copy so that the context's own set stays untouched. */
687 d = cap_dup(context->capabilities);
691 if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
692 cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0)
695 if (cap_set_proc(d) < 0)
699 /* Third step: actually set the uids */
700 if (setresuid(uid, uid, uid) < 0)
703 /* At this point we should have all necessary capabilities but
704 are otherwise a normal user. However, the caps might have been
705 corrupted due to the setresuid() so we need to clean them up
706 later. This is done outside of this call. */
/* PAM conversation callback used by setup_pam(). Interactive
 * conversations are not supported; the value returned to PAM is not
 * visible here. */
713 static int null_conv(
715 const struct pam_message **msg,
716 struct pam_response **resp,
719 /* We don't support conversations */
/* Opens a PAM session for the service about to be executed.
 *
 * Sequence as visible here: pam_start(), PAM_TTY item, pam_acct_mgmt(),
 * pam_open_session(), pam_getenvlist(). SIGTERM is then blocked and a
 * helper child named "(sd-pam)" takes over: it closes the passed fds,
 * drops to uid, arms PR_SET_PDEATHSIG and waits for SIGTERM; once the
 * parent is gone it closes the session and ends the PAM handle.
 *
 * The parent restores its signal mask and continues towards exec().
 * The trailing section logs the failure, closes the session, ends the
 * handle and signals the helper -- presumably the error path, confirm. */
724 static int setup_pam(
730 int fds[], unsigned n_fds) {
732 static const struct pam_conv conv = {
737 pam_handle_t *handle = NULL;
739 int pam_code = PAM_SUCCESS;
742 bool close_session = false;
743 pid_t pam_pid = 0, parent_pid;
750 /* We set up PAM in the parent process, then fork. The child
751 * will then stay around until killed via PR_SET_PDEATHSIG or
752 * systemd via the cgroup logic. It will then remove the PAM
753 * session again. The parent process will exec() the actual
754 * daemon. We do things this way to ensure that the main PID
755 * of the daemon is the one we initially fork()ed. */
757 if (log_get_max_level() < LOG_PRI(LOG_DEBUG))
760 pam_code = pam_start(name, user, &conv, &handle);
761 if (pam_code != PAM_SUCCESS) {
767 pam_code = pam_set_item(handle, PAM_TTY, tty);
768 if (pam_code != PAM_SUCCESS)
772 pam_code = pam_acct_mgmt(handle, flags);
773 if (pam_code != PAM_SUCCESS)
776 pam_code = pam_open_session(handle, flags);
777 if (pam_code != PAM_SUCCESS)
780 close_session = true;
782 e = pam_getenvlist(handle);
784 pam_code = PAM_BUF_ERR;
788 /* Block SIGTERM, so that we know that it won't get lost in
790 if (sigemptyset(&ss) < 0 ||
791 sigaddset(&ss, SIGTERM) < 0 ||
792 sigprocmask(SIG_BLOCK, &ss, &old_ss) < 0)
795 parent_pid = getpid();
805 /* The child's job is to reset the PAM session on
808 /* This string must fit in 10 chars (i.e. the length
809 * of "/sbin/init"), to look pretty in /bin/ps */
810 rename_process("(sd-pam)");
812 /* Make sure we don't keep open the passed fds in this
813 child. We assume that otherwise only those fds are
814 open here that have been opened by PAM. */
815 close_many(fds, n_fds);
817 /* Drop privileges - we don't need any to pam_close_session
818 * and this will make PR_SET_PDEATHSIG work in most cases.
819 * If this fails, ignore the error - but expect sd-pam threads
820 * to fail to exit normally */
/* NOTE(review): setresuid() reports its failure reason through errno,
 * but the message below formats strerror(-r). Nothing visible here
 * assigns r from this call, so the logged text is likely unrelated to
 * the actual error -- confirm and consider logging errno instead. */
821 if (setresuid(uid, uid, uid) < 0)
822 log_error("Error: Failed to setresuid() in sd-pam: %s", strerror(-r));
824 /* Wait until our parent died. This will only work if
825 * the above setresuid() succeeds, otherwise the kernel
826 * will not allow unprivileged parents kill their privileged
827 * children this way. We rely on the control groups kill logic
828 * to do the rest for us. */
829 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
832 /* Check if our parent process might already have
834 if (getppid() == parent_pid) {
836 if (sigwait(&ss, &sig) < 0) {
843 assert(sig == SIGTERM);
848 /* If our parent died we'll end the session */
849 if (getppid() != parent_pid) {
850 pam_code = pam_close_session(handle, flags);
851 if (pam_code != PAM_SUCCESS)
858 pam_end(handle, pam_code | flags);
862 /* If the child was forked off successfully it will do all the
863 * cleanups, so forget about the handle here. */
866 /* Unblock SIGTERM again in the parent */
867 if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0)
870 /* We close the log explicitly here, since the PAM modules
871 * might have opened it, but we don't want this fd around. */
880 if (pam_code != PAM_SUCCESS) {
881 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
882 err = -EPERM; /* PAM errors do not map to errno */
884 log_error("PAM failed: %m");
890 pam_code = pam_close_session(handle, flags);
892 pam_end(handle, pam_code | flags);
/* Ask the helper to terminate; SIGCONT is sent as well so that a
 * stopped helper gets to process the SIGTERM. */
900 kill(pam_pid, SIGTERM);
901 kill(pam_pid, SIGCONT);
/* Renames the current process to a short name in parentheses derived
 * from path. The name is assembled in an 11 byte buffer as '(' + l
 * bytes taken from p + ')' + NUL; how p and l are derived from path is
 * not visible here. The placeholder "(...)" is used on one visible
 * branch -- presumably when no usable name can be derived, confirm. */
908 static void rename_process_from_path(const char *path) {
909 char process_name[11];
913 /* This resulting string must fit in 10 chars (i.e. the length
914 * of "/sbin/init") to look pretty in /bin/ps */
918 rename_process("(...)");
924 /* The end of the process name is usually more
925 * interesting, since the first bit might just be
931 process_name[0] = '(';
932 memcpy(process_name+1, p, l);
933 process_name[1+l] = ')';
934 process_name[1+l+1] = 0;
936 rename_process(process_name);
/* Builds and loads a seccomp filter from the context's syscall filter
 * set. In whitelist mode the default action is the negative action and
 * listed syscalls are allowed; otherwise everything is allowed by
 * default and listed syscalls get the negative action. The negative
 * action kills the process unless syscall_errno is set, in which case
 * that errno is returned to the caller of the syscall. */
941 static int apply_seccomp(ExecContext *c) {
942 uint32_t negative_action, action;
943 scmp_filter_ctx *seccomp;
950 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
952 seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW);
956 action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
958 SET_FOREACH(id, c->syscall_filter, i) {
/* Set entries are decoded as PTR_TO_INT(id) - 1 -- presumably stored
 * with an offset of one so that syscall 0 is not a NULL pointer,
 * confirm against the code that fills the set. */
959 r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
961 seccomp_release(seccomp);
/* The filter context is released right after the load attempt. */
966 r = seccomp_load(seccomp);
967 seccomp_release(seccomp);
/* Waits on the idle pipe before continuing. Entries 1 and 2 are closed
 * up front. If entry 0 is valid, the function waits up to
 * IDLE_TIMEOUT_USEC for POLLHUP on it; on timeout it writes one byte to
 * entry 3 and waits again for up to IDLE_TIMEOUT2_USEC. All valid
 * entries are closed before returning. */
973 static void do_idle_pipe_dance(int idle_pipe[4]) {
976 if (idle_pipe[1] >= 0)
977 close_nointr_nofail(idle_pipe[1]);
978 if (idle_pipe[2] >= 0)
979 close_nointr_nofail(idle_pipe[2]);
981 if (idle_pipe[0] >= 0) {
984 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
986 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
987 /* Signal systemd that we are bored and want to continue. */
/* Best effort: the result of this write is not checked. */
988 write(idle_pipe[3], "x", 1);
990 /* Wait for systemd to react to the signal above. */
991 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
994 close_nointr_nofail(idle_pipe[0]);
998 if (idle_pipe[3] >= 0)
999 close_nointr_nofail(idle_pipe[3]);
/* Assembles the environment variables that are generated for the child
 * itself: LISTEN_PID/LISTEN_FDS, WATCHDOG_PID/WATCHDOG_USEC, HOME,
 * LOGNAME, USER, SHELL and a default terminal setting for the TTY.
 * Which of them are emitted depends on conditions that are only partly
 * visible here. The result is a NULL-terminated string vector. */
1002 static int build_environment(
1005 usec_t watchdog_usec,
1007 const char *username,
1011 _cleanup_strv_free_ char **our_env = NULL;
/* Ten slots: at most nine variables are added below plus the
 * terminating NULL; the assert at the end checks this bound. */
1018 our_env = new0(char*, 10);
1023 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1025 our_env[n_env++] = x;
1027 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1029 our_env[n_env++] = x;
1032 if (watchdog_usec > 0) {
1033 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1035 our_env[n_env++] = x;
1037 if (asprintf(&x, "WATCHDOG_USEC=%llu", (unsigned long long) watchdog_usec) < 0)
1039 our_env[n_env++] = x;
1043 x = strappend("HOME=", home);
1046 our_env[n_env++] = x;
1050 x = strappend("LOGNAME=", username);
1053 our_env[n_env++] = x;
1055 x = strappend("USER=", username);
1058 our_env[n_env++] = x;
1062 x = strappend("SHELL=", shell);
1065 our_env[n_env++] = x;
/* A terminal setting is only added when stdio touches a TTY. */
1068 if (is_terminal_input(c->std_input) ||
1069 c->std_output == EXEC_OUTPUT_TTY ||
1070 c->std_error == EXEC_OUTPUT_TTY ||
1073 x = strdup(default_term_for_tty(tty_path(c)));
1076 our_env[n_env++] = x;
1079 our_env[n_env++] = NULL;
1080 assert(n_env <= 10);
/* Spawns the given command with the execution context applied.
 *
 * Before the child is set up, the environment files of the context are
 * loaded and the command line is logged. The child-side section then
 * applies the context step by step, in this visible order:
 *
 *   - process rename, signal reset, idle pipe wait
 *   - close_all_fds() with the dont_close list
 *   - tcpwrap checks, TTY reset, optional confirmation
 *   - stdin/stdout/stderr setup, cgroup attachment
 *   - OOM score, nice level, CPU scheduling/affinity, IO priority,
 *     timer slack, utmp record
 *   - user lookup, terminal/cgroup ownership, groups, umask, PAM
 *   - network and mount namespaces, chroot/chdir
 *   - second fd cleanup, fd shifting and flag fix-up
 *   - resource limits, capability bounding set, uid switch,
 *     securebits, capabilities, no_new_privs, seccomp, SELinux
 *   - environment merge, argv expansion, execve()
 *
 * A failing step records an EXIT_xxx status in r and the error in err;
 * both are reported through the "Failed at step" log message. After
 * the fork message, the pid is attached to the cgroup and recorded in
 * command->exec_status. The fork() call itself and the branch
 * structure around it are not visible here. */
1088 int exec_spawn(ExecCommand *command,
1090 ExecContext *context,
1091 int fds[], unsigned n_fds,
1093 bool apply_permissions,
1095 bool apply_tty_stdin,
1097 CGroupControllerMask cgroup_supported,
1098 const char *cgroup_path,
1099 const char *unit_id,
1100 usec_t watchdog_usec,
1102 ExecRuntime *runtime,
1105 _cleanup_strv_free_ char **files_env = NULL;
1114 assert(fds || n_fds <= 0);
1116 if (context->std_input == EXEC_INPUT_SOCKET ||
1117 context->std_output == EXEC_OUTPUT_SOCKET ||
1118 context->std_error == EXEC_OUTPUT_SOCKET) {
1130 r = exec_context_load_environment(context, &files_env);
1132 log_struct_unit(LOG_ERR,
1134 "MESSAGE=Failed to load environment files: %s", strerror(-r),
1141 argv = command->argv;
1143 line = exec_command_line(argv);
1147 log_struct_unit(LOG_DEBUG,
1149 "EXECUTABLE=%s", command->path,
1150 "MESSAGE=About to execute: %s", line,
1159 _cleanup_strv_free_ char **our_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL;
1160 const char *username = NULL, *home = NULL, *shell = NULL;
1161 unsigned n_dont_close = 0;
/* Sized for everything appended further down: socket_fd, the n_fds
 * passed descriptors and the two netns storage sockets. */
1162 int dont_close[n_fds + 3];
1163 uid_t uid = (uid_t) -1;
1164 gid_t gid = (gid_t) -1;
1170 rename_process_from_path(command->path);
1172 /* We reset exactly these signals, since they are the
1173 * only ones we set to SIG_IGN in the main daemon. All
1174 * others we leave untouched because we set them to
1175 * SIG_DFL or a valid handler initially, both of which
1176 * will be demoted to SIG_DFL. */
1177 default_signals(SIGNALS_CRASH_HANDLER,
1178 SIGNALS_IGNORE, -1);
1180 if (context->ignore_sigpipe)
1181 ignore_signals(SIGPIPE, -1);
/* Start the child with an empty signal mask. */
1183 assert_se(sigemptyset(&ss) == 0);
1184 if (sigprocmask(SIG_SETMASK, &ss, NULL) < 0) {
1186 r = EXIT_SIGNAL_MASK;
1191 do_idle_pipe_dance(idle_pipe);
1193 /* Close sockets very early to make sure we don't
1194 * block init reexecution because it cannot bind its
1199 dont_close[n_dont_close++] = socket_fd;
1201 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
1202 n_dont_close += n_fds;
1205 if (runtime->netns_storage_socket[0] >= 0)
1206 dont_close[n_dont_close++] = runtime->netns_storage_socket[0];
1207 if (runtime->netns_storage_socket[1] >= 0)
1208 dont_close[n_dont_close++] = runtime->netns_storage_socket[1];
1211 err = close_all_fds(dont_close, n_dont_close);
1217 if (!context->same_pgrp)
1224 if (context->tcpwrap_name) {
1226 if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) {
1232 for (i = 0; i < (int) n_fds; i++) {
1233 if (!socket_tcpwrap(fds[i], context->tcpwrap_name)) {
1241 exec_context_tty_reset(context);
1243 if (confirm_spawn) {
1246 err = ask_for_confirmation(&response, argv);
1247 if (err == -ETIMEDOUT)
1248 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
1250 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-err));
1251 else if (response == 's') {
1252 write_confirm_message("Skipping execution.\n");
1256 } else if (response == 'n') {
1257 write_confirm_message("Failing execution.\n");
1263 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1264 * must be sure to drop O_NONBLOCK */
1266 fd_nonblock(socket_fd, false);
1268 err = setup_input(context, socket_fd, apply_tty_stdin);
1274 err = setup_output(context, STDOUT_FILENO, socket_fd, basename(command->path), unit_id, apply_tty_stdin);
1280 err = setup_output(context, STDERR_FILENO, socket_fd, basename(command->path), unit_id, apply_tty_stdin);
1287 err = cg_attach_everywhere(cgroup_supported, cgroup_path, 0);
1294 if (context->oom_score_adjust_set) {
1297 snprintf(t, sizeof(t), "%i", context->oom_score_adjust);
1300 if (write_string_file("/proc/self/oom_score_adj", t) < 0) {
1302 r = EXIT_OOM_ADJUST;
1307 if (context->nice_set)
1308 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
1314 if (context->cpu_sched_set) {
1315 struct sched_param param = {
1316 .sched_priority = context->cpu_sched_priority,
1319 r = sched_setscheduler(0,
1320 context->cpu_sched_policy |
1321 (context->cpu_sched_reset_on_fork ?
1322 SCHED_RESET_ON_FORK : 0),
1326 r = EXIT_SETSCHEDULER;
1331 if (context->cpuset)
1332 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
1334 r = EXIT_CPUAFFINITY;
1338 if (context->ioprio_set)
1339 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
/* (nsec_t) -1 marks the timer slack as not configured. */
1345 if (context->timer_slack_nsec != (nsec_t) -1)
1346 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
1348 r = EXIT_TIMERSLACK;
1352 if (context->utmp_id)
1353 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path);
1355 if (context->user) {
1356 username = context->user;
1357 err = get_user_creds(&username, &uid, &gid, &home, &shell);
/* A terminal used as stdin has to be owned by the target user. */
1363 if (is_terminal_input(context->std_input)) {
1364 err = chown_terminal(STDIN_FILENO, uid);
1373 if (cgroup_path && context->user && context->pam_name) {
1374 err = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, 0644, uid, gid);
1381 err = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, 0755, uid, gid);
1389 if (apply_permissions) {
1390 err = enforce_groups(context, username, gid);
1397 umask(context->umask);
1400 if (apply_permissions && context->pam_name && username) {
1401 err = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
1408 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
1409 err = setup_netns(runtime->netns_storage_socket);
/* A mount namespace is only set up when at least one of the
 * directory lists, mount flags, private /tmp or private devices
 * asks for it. */
1416 if (!strv_isempty(context->read_write_dirs) ||
1417 !strv_isempty(context->read_only_dirs) ||
1418 !strv_isempty(context->inaccessible_dirs) ||
1419 context->mount_flags != 0 ||
1420 (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
1421 context->private_devices) {
1423 char *tmp = NULL, *var = NULL;
1425 /* The runtime struct only contains the parent
1426 * of the private /tmp, which is
1427 * non-accessible to world users. Inside of it
1428 * there's a /tmp that is sticky, and that's
1429 * the one we want to use here. */
1431 if (context->private_tmp && runtime) {
1432 if (runtime->tmp_dir)
1433 tmp = strappenda(runtime->tmp_dir, "/tmp");
1434 if (runtime->var_tmp_dir)
1435 var = strappenda(runtime->var_tmp_dir, "/tmp");
1438 err = setup_namespace(
1439 context->read_write_dirs,
1440 context->read_only_dirs,
1441 context->inaccessible_dirs,
1444 context->private_devices,
1445 context->mount_flags);
1454 if (context->root_directory)
1455 if (chroot(context->root_directory) < 0) {
/* The working directory defaults to "/" when none is configured. */
1461 if (chdir(context->working_directory ? context->working_directory : "/") < 0) {
1467 _cleanup_free_ char *d = NULL;
1469 if (asprintf(&d, "%s/%s",
1470 context->root_directory ? context->root_directory : "",
1471 context->working_directory ? context->working_directory : "") < 0) {
1484 /* We repeat the fd closing here, to make sure that
1485 * nothing is leaked from the PAM modules */
1486 err = close_all_fds(fds, n_fds);
1488 err = shift_fds(fds, n_fds);
1490 err = flags_fds(fds, n_fds, context->non_blocking);
1496 if (apply_permissions) {
1498 for (i = 0; i < RLIMIT_NLIMITS; i++) {
1499 if (!context->rlimit[i])
1502 if (setrlimit_closest(i, context->rlimit[i]) < 0) {
1509 if (context->capability_bounding_set_drop) {
1510 err = capability_bounding_set_drop(context->capability_bounding_set_drop, false);
1512 r = EXIT_CAPABILITIES;
1517 if (context->user) {
1518 err = enforce_user(context, uid);
1525 /* PR_GET_SECUREBITS is not privileged, while
1526 * PR_SET_SECUREBITS is. So to suppress
1527 * potential EPERMs we'll try not to call
1528 * PR_SET_SECUREBITS unless necessary. */
1529 if (prctl(PR_GET_SECUREBITS) != context->secure_bits)
1530 if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
1532 r = EXIT_SECUREBITS;
1536 if (context->capabilities)
1537 if (cap_set_proc(context->capabilities) < 0) {
1539 r = EXIT_CAPABILITIES;
1543 if (context->no_new_privileges)
1544 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
1546 r = EXIT_NO_NEW_PRIVILEGES;
1551 if (context->syscall_filter) {
1552 err = apply_seccomp(context);
1561 if (context->selinux_context && use_selinux()) {
1565 c = context->selinux_context;
1572 err = setexeccon(c);
/* A failure is only fatal when the ignore flag is not set. */
1573 if (err < 0 && !ignore) {
1574 r = EXIT_SELINUX_CONTEXT;
1581 err = build_environment(context, n_fds, watchdog_usec, home, username, shell, &our_env);
1587 final_env = strv_env_merge(5,
1590 context->environment,
1600 final_argv = replace_env_argv(argv, final_env);
1607 final_env = strv_env_clean(final_env);
/* Only build the command line string when debug logging is enabled. */
1609 if (_unlikely_(log_get_max_level() >= LOG_PRI(LOG_DEBUG))) {
1610 line = exec_command_line(final_argv);
1613 log_struct_unit(LOG_DEBUG,
1615 "EXECUTABLE=%s", command->path,
1616 "MESSAGE=Executing: %s", line,
1623 execve(command->path, final_argv, final_env);
1630 log_struct(LOG_ERR, MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
1631 "EXECUTABLE=%s", command->path,
1632 "MESSAGE=Failed at step %s spawning %s: %s",
1633 exit_status_to_string(r, EXIT_STATUS_SYSTEMD),
1634 command->path, strerror(-err),
1643 log_struct_unit(LOG_DEBUG,
1645 "MESSAGE=Forked %s as "PID_FMT,
1649 /* We add the new process to the cgroup both in the child (so
1650 * that we can be sure that no user code is ever executed
1651 * outside of the cgroup) and in the parent (so that we can be
1652 * sure that when we kill the cgroup the process will be
1655 cg_attach(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, pid);
1657 exec_status_start(&command->exec_status, pid);
/* Fills in the non-zero defaults of an execution context: best-effort
 * IO class with priority data 0, SCHED_OTHER, syslog priority
 * LOG_DAEMON|LOG_INFO with level prefix parsing enabled, SIGPIPE
 * ignored, and timer slack marked as unset via (nsec_t) -1. */
1663 void exec_context_init(ExecContext *c) {
1667 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
1668 c->cpu_sched_policy = SCHED_OTHER;
1669 c->syslog_priority = LOG_DAEMON|LOG_INFO;
1670 c->syslog_level_prefix = true;
1671 c->ignore_sigpipe = true;
1672 c->timer_slack_nsec = (nsec_t) -1;
/* Releases the dynamically allocated members of an execution context.
 * The visible pointers are reset to NULL after being freed, so that
 * the context does not keep dangling references. */
1675 void exec_context_done(ExecContext *c) {
1680 strv_free(c->environment);
1681 c->environment = NULL;
1683 strv_free(c->environment_files);
1684 c->environment_files = NULL;
1686 for (l = 0; l < ELEMENTSOF(c->rlimit); l++) {
1688 c->rlimit[l] = NULL;
1691 free(c->working_directory);
1692 c->working_directory = NULL;
1693 free(c->root_directory);
1694 c->root_directory = NULL;
1699 free(c->tcpwrap_name);
1700 c->tcpwrap_name = NULL;
1702 free(c->syslog_identifier);
1703 c->syslog_identifier = NULL;
1711 strv_free(c->supplementary_groups);
1712 c->supplementary_groups = NULL;
/* The capability set is freed with cap_free() rather than free(). */
1717 if (c->capabilities) {
1718 cap_free(c->capabilities);
1719 c->capabilities = NULL;
1722 strv_free(c->read_only_dirs);
1723 c->read_only_dirs = NULL;
1725 strv_free(c->read_write_dirs);
1726 c->read_write_dirs = NULL;
1728 strv_free(c->inaccessible_dirs);
1729 c->inaccessible_dirs = NULL;
1732 CPU_FREE(c->cpuset);
1737 free(c->selinux_context);
1738 c->selinux_context = NULL;
1741 set_free(c->syscall_filter);
1742 c->syscall_filter = NULL;
/* Per-command teardown: invoked on every array element by
 * exec_command_done_array() and on every unlinked entry by
 * exec_command_free_list().
 * NOTE(review): what exactly is released is not visible here -- confirm. */
1746 void exec_command_done(ExecCommand *c) {
/* Runs exec_command_done() on each of the n commands stored
 * contiguously starting at c. */
1756 void exec_command_done_array(ExecCommand *c, unsigned n) {
1759 for (i = 0; i < n; i++)
1760 exec_command_done(c+i);
/* Tears down a linked list of commands: each entry i is unlinked from
 * the list headed by c and passed to exec_command_done(). The loop
 * that selects i is not visible here. */
1763 void exec_command_free_list(ExecCommand *c) {
1767 LIST_REMOVE(command, c, i);
1768 exec_command_done(i);
/* Calls exec_command_free_list() on each of the n list heads stored
 * in the array c. */
1773 void exec_command_free_array(ExecCommand **c, unsigned n) {
1776 for (i = 0; i < n; i++) {
1777 exec_command_free_list(c[i]);
/* Loads every file listed in c->environment_files and merges the
 * result into one environment vector. Each entry is expanded with
 * glob(); every match is read with load_env_file(), cleaned of invalid
 * assignments (which are logged with the file name) and merged into
 * the accumulated list r. Entries must be absolute paths. The result
 * is presumably handed back through l -- the assignment is not visible
 * here, confirm. */
1782 int exec_context_load_environment(const ExecContext *c, char ***l) {
1783 char **i, **r = NULL;
1788 STRV_FOREACH(i, c->environment_files) {
1791 bool ignore = false;
1793 _cleanup_globfree_ glob_t pglob = {};
1803 if (!path_is_absolute(fn)) {
1811 /* Filename supports globbing, take all matching files */
1813 if (glob(fn, 0, NULL, &pglob) != 0) {
/* errno may be unset after a glob() failure, hence the -EINVAL fallback. */
1818 return errno ? -errno : -EINVAL;
1820 count = pglob.gl_pathc;
1828 for (n = 0; n < count; n++) {
1829 k = load_env_file(pglob.gl_pathv[n], NULL, &p);
1837 /* Log invalid environment variables with filename */
1839 p = strv_env_clean_log(p, pglob.gl_pathv[n]);
1846 m = strv_env_merge(2, r, p);
/* Conservatively decides whether tty may refer to the same device as
 * /dev/console. The name "console" is checked directly; otherwise the
 * console is resolved and compared. A console resolving to "tty0"
 * stands for the active virtual console, so any VC name may match. */
1862 static bool tty_may_match_dev_console(const char *tty) {
1863 char *active = NULL, *console;
1866 if (startswith(tty, "/dev/"))
1869 /* trivial identity? */
1870 if (streq(tty, "console"))
1873 console = resolve_dev_console(&active);
1874 /* if we could not resolve, assume it may */
1878 /* "tty0" means the active VC, so it may be the same sometimes */
1879 b = streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
/* True when the context both uses a terminal in some way (TTY
 * reset/hangup/disallocate, terminal input, or terminal output on
 * stdout/stderr) and its TTY path may be the system console. */
1885 bool exec_context_may_touch_console(ExecContext *ec) {
1886 return (ec->tty_reset || ec->tty_vhangup || ec->tty_vt_disallocate ||
1887 is_terminal_input(ec->std_input) ||
1888 is_terminal_output(ec->std_output) ||
1889 is_terminal_output(ec->std_error)) &&
1890 tty_may_match_dev_console(tty_path(ec));
/* Writes strings from the vector l to f, each preceded by a single
 * space. The iteration over l is not visible here. */
1893 static void strv_fprintf(FILE *f, char **l) {
1899 fprintf(f, " %s", *g);
/* Writes a human-readable description of the execution context 'c' to
 * 'f'. Every output line starts with 'prefix' (strempty() is applied to
 * it first) followed by a "Key: value" style entry. Many groups of
 * settings are printed only when the condition guarding their fprintf()
 * holds, e.g. when the corresponding *_set flag or pointer is set. */
1902 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
1909 prefix = strempty(prefix);
1913 "%sWorkingDirectory: %s\n"
1914 "%sRootDirectory: %s\n"
1915 "%sNonBlocking: %s\n"
1916 "%sPrivateTmp: %s\n"
1917 "%sPrivateNetwork: %s\n"
1918 "%sPrivateDevices: %s\n"
1919 "%sIgnoreSIGPIPE: %s\n",
/* An unset working or root directory is shown as "/" */
1921 prefix, c->working_directory ? c->working_directory : "/",
1922 prefix, c->root_directory ? c->root_directory : "/",
1923 prefix, yes_no(c->non_blocking),
1924 prefix, yes_no(c->private_tmp),
1925 prefix, yes_no(c->private_network),
1926 prefix, yes_no(c->private_devices),
1927 prefix, yes_no(c->ignore_sigpipe));
1929 STRV_FOREACH(e, c->environment)
1930 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
1932 STRV_FOREACH(e, c->environment_files)
1933 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
1935 if (c->tcpwrap_name)
1937 "%sTCPWrapName: %s\n",
1938 prefix, c->tcpwrap_name);
1945 if (c->oom_score_adjust_set)
1947 "%sOOMScoreAdjust: %i\n",
1948 prefix, c->oom_score_adjust);
/* Only the rlim_max member of each resource limit is printed */
1950 for (i = 0; i < RLIM_NLIMITS; i++)
1952 fprintf(f, "%s%s: %llu\n", prefix, rlimit_to_string(i), (unsigned long long) c->rlimit[i]->rlim_max);
1954 if (c->ioprio_set) {
1958 r = ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
1962 "%sIOSchedulingClass: %s\n"
1963 "%sIOPriority: %i\n",
1964 prefix, strna(class_str),
1965 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
1969 if (c->cpu_sched_set) {
1973 r = sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
1977 "%sCPUSchedulingPolicy: %s\n"
1978 "%sCPUSchedulingPriority: %i\n"
1979 "%sCPUSchedulingResetOnFork: %s\n",
1980 prefix, strna(policy_str),
1981 prefix, c->cpu_sched_priority,
1982 prefix, yes_no(c->cpu_sched_reset_on_fork));
/* All CPUs that are set in the affinity mask go onto one line */
1987 fprintf(f, "%sCPUAffinity:", prefix);
1988 for (i = 0; i < c->cpuset_ncpus; i++)
1989 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
1990 fprintf(f, " %u", i);
/* (nsec_t) -1 is the value for which no TimerSlackNSec line is printed */
1994 if (c->timer_slack_nsec != (nsec_t) -1)
1995 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
1998 "%sStandardInput: %s\n"
1999 "%sStandardOutput: %s\n"
2000 "%sStandardError: %s\n",
2001 prefix, exec_input_to_string(c->std_input),
2002 prefix, exec_output_to_string(c->std_output),
2003 prefix, exec_output_to_string(c->std_error));
2009 "%sTTYVHangup: %s\n"
2010 "%sTTYVTDisallocate: %s\n",
2011 prefix, c->tty_path,
2012 prefix, yes_no(c->tty_reset),
2013 prefix, yes_no(c->tty_vhangup),
2014 prefix, yes_no(c->tty_vt_disallocate));
/* Syslog facility and level are shown only if stdout or stderr is
 * connected to syslog, kmsg or the journal (with or without console) */
2016 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
2017 c->std_output == EXEC_OUTPUT_KMSG ||
2018 c->std_output == EXEC_OUTPUT_JOURNAL ||
2019 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2020 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2021 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
2022 c->std_error == EXEC_OUTPUT_SYSLOG ||
2023 c->std_error == EXEC_OUTPUT_KMSG ||
2024 c->std_error == EXEC_OUTPUT_JOURNAL ||
2025 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2026 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2027 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
2029 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
/* The facility is syslog_priority shifted right by 3 bits, the level is
 * LOG_PRI() of the same value */
2031 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
2032 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
2035 "%sSyslogFacility: %s\n"
2036 "%sSyslogLevel: %s\n",
2037 prefix, strna(fac_str),
2038 prefix, strna(lvl_str));
2041 if (c->capabilities) {
2042 _cleanup_cap_free_charp_ char *t;
2044 t = cap_to_text(c->capabilities, NULL);
2046 fprintf(f, "%sCapabilities: %s\n", prefix, t);
/* Each secure bit that is set contributes one word. Every word carries
 * its own leading space so that adjacent words stay separated. */
2050 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
2052 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
2053 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
2054 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
2055 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
2056 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
2057 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? " noroot-locked" : "");
2059 if (c->capability_bounding_set_drop) {
2061 fprintf(f, "%sCapabilityBoundingSet:", prefix);
/* A capability is listed when its bit is NOT set in the drop mask */
2063 for (l = 0; l <= cap_last_cap(); l++)
2064 if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) {
2065 _cleanup_cap_free_charp_ char *t;
2069 fprintf(f, " %s", t);
2076 fprintf(f, "%sUser: %s\n", prefix, c->user);
2078 fprintf(f, "%sGroup: %s\n", prefix, c->group);
2080 if (strv_length(c->supplementary_groups) > 0) {
2081 fprintf(f, "%sSupplementaryGroups:", prefix);
2082 strv_fprintf(f, c->supplementary_groups);
2087 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
2089 if (strv_length(c->read_write_dirs) > 0) {
2090 fprintf(f, "%sReadWriteDirs:", prefix);
2091 strv_fprintf(f, c->read_write_dirs);
2095 if (strv_length(c->read_only_dirs) > 0) {
2096 fprintf(f, "%sReadOnlyDirs:", prefix);
2097 strv_fprintf(f, c->read_only_dirs);
2101 if (strv_length(c->inaccessible_dirs) > 0) {
2102 fprintf(f, "%sInaccessibleDirs:", prefix);
2103 strv_fprintf(f, c->inaccessible_dirs);
2109 "%sUtmpIdentifier: %s\n",
2110 prefix, c->utmp_id);
2112 if (c->selinux_context)
2114 "%sSELinuxContext: %s\n",
2115 prefix, c->selinux_context);
2117 if (c->syscall_filter) {
/* NOTE(review): this header ends in "\n", so the syscall names written
 * by the loop below start on a new line instead of following the key on
 * the same line — confirm whether that is intended. */
2125 "%sSystemCallFilter: \n",
2128 if (!c->syscall_whitelist)
2132 SET_FOREACH(id, c->syscall_filter, j) {
2133 _cleanup_free_ char *name = NULL;
/* libseccomp expects the architecture token first and the syscall number
 * second. The value taken from the set is decremented by one before it
 * is looked up. */
2140 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id)-1);
2141 fputs(strna(name), f);
2148 if (c->syscall_errno != 0)
2150 "%sSystemCallErrorNumber: %s\n",
2151 prefix, strna(errno_to_name(c->syscall_errno)));
/* Called with an ExecStatus 's' and a process id 'pid';
 * s->start_timestamp is filled in through dual_timestamp_get(). */
2154 void exec_status_start(ExecStatus *s, pid_t pid) {
2159 dual_timestamp_get(&s->start_timestamp);
/* Updates 's' for the exit of process 'pid' with the given 'code' and
 * 'status': s->exit_timestamp is filled in through dual_timestamp_get().
 * If the context has a utmp_id, the exit is additionally reported via
 * utmp_put_dead_process(), and exec_context_tty_reset() is run on the
 * context. */
2162 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
/* Special case: 's' already holds a non-zero PID that differs from 'pid' */
2165 if (s->pid && s->pid != pid)
2169 dual_timestamp_get(&s->exit_timestamp);
2175 if (context->utmp_id)
2176 utmp_put_dead_process(context->utmp_id, pid, code, status);
2178 exec_context_tty_reset(context);
/* Prints the contents of 's' to 'f', each line starting with a prefix
 * string: the PID, the start timestamp, and the exit timestamp together
 * with exit code and status. A timestamp block is printed only when its
 * realtime value is greater than zero. 'buf' is the scratch buffer that
 * format_timestamp() renders into. */
2182 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
2183 char buf[FORMAT_TIMESTAMP_MAX];
2195 "%sPID: "PID_FMT"\n",
2198 if (s->start_timestamp.realtime > 0)
2200 "%sStart Timestamp: %s\n",
2201 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
2203 if (s->exit_timestamp.realtime > 0)
2205 "%sExit Timestamp: %s\n"
2207 "%sExit Status: %i\n",
2208 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
2209 prefix, sigchld_code_to_string(s->code),
/* Builds a string from the argument vector 'argv' in a buffer 'n' of 'k'
 * chars obtained with new(). argv is walked twice: once before the
 * allocation and once afterwards, where arguments containing a
 * WHITESPACE character (found with strpbrk()) are treated specially.
 * NOTE(review): presumably such arguments get quoted — the quoting code
 * itself is not visible here; see also the FIXME below. */
2213 char *exec_command_line(char **argv) {
2221 STRV_FOREACH(a, argv)
2224 if (!(n = new(char, k)))
2228 STRV_FOREACH(a, argv) {
2235 if (strpbrk(*a, WHITESPACE)) {
2246 /* FIXME: this doesn't really handle arguments that have
2247 * spaces and ticks in them */
/* Dumps the single command 'c' to 'f': a "Command Line:" entry rendered
 * by exec_command_line() from c->argv, followed by the dump of
 * c->exec_status. */
2252 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
2254 const char *prefix2;
/* The status dump uses 'prefix' with a tab appended; if strappend()
 * returns NULL, the plain prefix is used instead */
2263 p2 = strappend(prefix, "\t");
2264 prefix2 = p2 ? p2 : prefix;
/* 'cmd' may be NULL, in which case the ENOMEM error text is printed in
 * place of the command line */
2266 cmd = exec_command_line(c->argv);
2269 "%sCommand Line: %s\n",
2270 prefix, cmd ? cmd : strerror(ENOMEM));
2274 exec_status_dump(&c->exec_status, f, prefix2);
/* Dumps every command of the list starting at 'c' by calling
 * exec_command_dump() on each entry. The parameter 'c' itself is used as
 * the LIST_FOREACH iteration variable. */
2279 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2285 LIST_FOREACH(command, c, c)
2286 exec_command_dump(c, f, prefix);
/* Adds the command 'e' to the list '*l': LIST_FIND_TAIL is used to look
 * up 'end' in the list, and LIST_INSERT_AFTER then places 'e' after
 * 'end'. */
2289 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
2296 /* It's kind of important, that we keep the order here */
2297 LIST_FIND_TAIL(command, *l, end);
2298 LIST_INSERT_AFTER(command, *l, end, e);
/* Variadic function operating on the command 'c': 'path' and the
 * variable arguments (through the va_list 'ap') are turned into the
 * string list 'l' by strv_new_ap(). */
2303 int exec_command_set(ExecCommand *c, const char *path, ...) {
2311 l = strv_new_ap(path, ap);
/* Allocates one ExecRuntime with new0() and stores it in '*rt'. Both
 * entries of its netns_storage_socket pair are initialised to -1. */
2332 static int exec_runtime_allocate(ExecRuntime **rt) {
2337 *rt = new0(ExecRuntime, 1);
2342 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
/* Prepares the runtime object '*rt' for the execution context 'c'.
 *  - private_network: an AF_UNIX/SOCK_DGRAM socket pair is created in
 *    netns_storage_socket, unless entry 0 is already >= 0.
 *  - private_tmp: setup_tmp_dirs() is called with 'id' to fill in tmp_dir
 *    and var_tmp_dir, unless tmp_dir is already set. */
2347 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
/* Special case: the context requests neither a private network nor a
 * private tmp */
2357 if (!c->private_network && !c->private_tmp)
2360 r = exec_runtime_allocate(rt);
2364 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
2365 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, (*rt)->netns_storage_socket) < 0)
2369 if (c->private_tmp && !(*rt)->tmp_dir) {
2370 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
/* Reference-counting entry point for ExecRuntime objects; the reference
 * count n_ref of 'r' is asserted to be positive. */
2378 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
2380 assert(r->n_ref > 0);
/* Counterpart of exec_runtime_ref(): n_ref of 'r' is asserted to be
 * positive on entry. Once n_ref is <= 0 the object's resources are
 * released; this includes freeing var_tmp_dir and closing the
 * netns_storage_socket pair with close_pipe(). */
2386 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
2391 assert(r->n_ref > 0);
2394 if (r->n_ref <= 0) {
2396 free(r->var_tmp_dir);
2397 close_pipe(r->netns_storage_socket);
/* Writes the state of 'rt' for unit 'u' to 'f' as serialization items:
 *  - "tmp-dir" and, if set, "var-tmp-dir" carry the directory paths;
 *  - "netns-socket-0" / "netns-socket-1" carry, for each storage socket
 *    that is >= 0, the number of a duplicate that fdset_put_dup() added
 *    to 'fds'. */
2404 int exec_runtime_serialize(ExecRuntime *rt, Unit *u, FILE *f, FDSet *fds) {
2413 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
2415 if (rt->var_tmp_dir)
2416 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
2418 if (rt->netns_storage_socket[0] >= 0) {
2421 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
2425 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
2428 if (rt->netns_storage_socket[1] >= 0) {
2431 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
2435 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
/* Applies one serialized key/value pair to the runtime object '*rt'.
 * Recognised keys are "tmp-dir", "var-tmp-dir", "netns-socket-0" and
 * "netns-socket-1"; for each of them exec_runtime_allocate() is called on
 * 'rt' first.
 *  - Directory keys: 'value' is duplicated with strdup() and replaces the
 *    previous string, which is freed.
 *  - Socket keys: 'value' is parsed with safe_atoi() and must name an fd
 *    contained in 'fds', otherwise a debug message is logged for the
 *    unit. A previously stored socket that is >= 0 is closed, and the
 *    slot receives the result of fdset_remove(). */
2441 int exec_runtime_deserialize_item(ExecRuntime **rt, Unit *u, const char *key, const char *value, FDSet *fds) {
2448 if (streq(key, "tmp-dir")) {
2451 r = exec_runtime_allocate(rt);
2455 copy = strdup(value);
2459 free((*rt)->tmp_dir);
2460 (*rt)->tmp_dir = copy;
2462 } else if (streq(key, "var-tmp-dir")) {
2465 r = exec_runtime_allocate(rt);
2469 copy = strdup(value);
2473 free((*rt)->var_tmp_dir);
2474 (*rt)->var_tmp_dir = copy;
2476 } else if (streq(key, "netns-socket-0")) {
2479 r = exec_runtime_allocate(rt);
2483 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2484 log_debug_unit(u->id, "Failed to parse netns socket value %s", value);
2486 if ((*rt)->netns_storage_socket[0] >= 0)
2487 close_nointr_nofail((*rt)->netns_storage_socket[0]);
2489 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
2491 } else if (streq(key, "netns-socket-1")) {
2494 r = exec_runtime_allocate(rt);
2498 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2499 log_debug_unit(u->id, "Failed to parse netns socket value %s", value);
2501 if ((*rt)->netns_storage_socket[1] >= 0)
2502 close_nointr_nofail((*rt)->netns_storage_socket[1]);
2504 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
/* Job function handed to asynchronous_job() by exec_runtime_destroy().
 * 'p' is the directory path to delete; it is held in a _cleanup_free_
 * variable and removed with rm_rf_dangerous(). */
2512 static void *remove_tmpdir_thread(void *p) {
2513 _cleanup_free_ char *path = p;
2515 rm_rf_dangerous(path, false, true, false);
/* Tears down what 'rt' refers to: tmp_dir and var_tmp_dir are each
 * handed to asynchronous_job() with remove_tmpdir_thread as the job
 * function, and the netns_storage_socket pair is closed with
 * close_pipe(). */
2519 void exec_runtime_destroy(ExecRuntime *rt) {
2523 /* If there are multiple users of this, let's leave the stuff around */
2528 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
2529 asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
2533 if (rt->var_tmp_dir) {
2534 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
2535 asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
/* The string was passed on to the job above, so the pointer is cleared
 * here */
2536 rt->var_tmp_dir = NULL;
2539 close_pipe(rt->netns_storage_socket);
/* Maps ExecInput values to their string names. The table is indexed by
 * the enum value and sized by _EXEC_INPUT_MAX.
 * NOTE(review): DEFINE_STRING_TABLE_LOOKUP presumably generates the
 * exec_input_to_string() lookup used elsewhere in this file — confirm
 * against the macro definition. */
2542 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
2543 [EXEC_INPUT_NULL] = "null",
2544 [EXEC_INPUT_TTY] = "tty",
2545 [EXEC_INPUT_TTY_FORCE] = "tty-force",
2546 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
2547 [EXEC_INPUT_SOCKET] = "socket"
2550 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
/* Maps ExecOutput values to their string names. The table is indexed by
 * the enum value and sized by _EXEC_OUTPUT_MAX. The "+console" names
 * belong to the *_AND_CONSOLE values.
 * NOTE(review): DEFINE_STRING_TABLE_LOOKUP presumably generates the
 * exec_output_to_string() lookup used elsewhere in this file — confirm
 * against the macro definition. */
2552 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
2553 [EXEC_OUTPUT_INHERIT] = "inherit",
2554 [EXEC_OUTPUT_NULL] = "null",
2555 [EXEC_OUTPUT_TTY] = "tty",
2556 [EXEC_OUTPUT_SYSLOG] = "syslog",
2557 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
2558 [EXEC_OUTPUT_KMSG] = "kmsg",
2559 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
2560 [EXEC_OUTPUT_JOURNAL] = "journal",
2561 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
2562 [EXEC_OUTPUT_SOCKET] = "socket"
2565 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);