1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
29 #include <sys/socket.h>
31 #include <sys/prctl.h>
32 #include <linux/sched.h>
33 #include <sys/types.h>
37 #include <sys/mount.h>
39 #include <linux/oom.h>
42 #include <sys/personality.h>
47 #include <security/pam_appl.h>
51 #include <selinux/selinux.h>
61 #include "capability.h"
64 #include "sd-messages.h"
66 #include "securebits.h"
67 #include "namespace.h"
69 #include "exit-status.h"
71 #include "utmp-wtmp.h"
73 #include "path-util.h"
78 #include "selinux-util.h"
79 #include "errno-list.h"
82 #include "seccomp-util.h"
85 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
86 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
88 /* This assumes there is a 'tty' group */
91 #define SNDBUF_SIZE (8*1024*1024)
93 static int shift_fds(int fds[], unsigned n_fds) {
94 int start, restart_from;
99 /* Modifies the fds array! (sorts it) */
109 for (i = start; i < (int) n_fds; i++) {
112 /* Already at right index? */
116 if ((nfd = fcntl(fds[i], F_DUPFD, i+3)) < 0)
119 close_nointr_nofail(fds[i]);
122 /* Hmm, the fd we wanted isn't free? Then
123 * let's remember that and try again from here*/
124 if (nfd != i+3 && restart_from < 0)
128 if (restart_from < 0)
131 start = restart_from;
137 static int flags_fds(const int fds[], unsigned n_fds, bool nonblock) {
146 /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags */
148 for (i = 0; i < n_fds; i++) {
150 if ((r = fd_nonblock(fds[i], nonblock)) < 0)
153 /* We unconditionally drop FD_CLOEXEC from the fds,
154 * since after all we want to pass these fds to our
157 if ((r = fd_cloexec(fds[i], false)) < 0)
164 _pure_ static const char *tty_path(const ExecContext *context) {
167 if (context->tty_path)
168 return context->tty_path;
170 return "/dev/console";
173 static void exec_context_tty_reset(const ExecContext *context) {
176 if (context->tty_vhangup)
177 terminal_vhangup(tty_path(context));
179 if (context->tty_reset)
180 reset_terminal(tty_path(context));
182 if (context->tty_vt_disallocate && context->tty_path)
183 vt_disallocate(context->tty_path);
186 static bool is_terminal_output(ExecOutput o) {
188 o == EXEC_OUTPUT_TTY ||
189 o == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
190 o == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
191 o == EXEC_OUTPUT_JOURNAL_AND_CONSOLE;
194 static int open_null_as(int flags, int nfd) {
199 fd = open("/dev/null", flags|O_NOCTTY);
204 r = dup2(fd, nfd) < 0 ? -errno : nfd;
205 close_nointr_nofail(fd);
212 static int connect_logger_as(const ExecContext *context, ExecOutput output, const char *ident, const char *unit_id, int nfd) {
214 union sockaddr_union sa = {
215 .un.sun_family = AF_UNIX,
216 .un.sun_path = "/run/systemd/journal/stdout",
220 assert(output < _EXEC_OUTPUT_MAX);
224 fd = socket(AF_UNIX, SOCK_STREAM, 0);
228 r = connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(sa.un.sun_path));
230 close_nointr_nofail(fd);
234 if (shutdown(fd, SHUT_RD) < 0) {
235 close_nointr_nofail(fd);
239 fd_inc_sndbuf(fd, SNDBUF_SIZE);
249 context->syslog_identifier ? context->syslog_identifier : ident,
251 context->syslog_priority,
252 !!context->syslog_level_prefix,
253 output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
254 output == EXEC_OUTPUT_KMSG || output == EXEC_OUTPUT_KMSG_AND_CONSOLE,
255 is_terminal_output(output));
258 r = dup2(fd, nfd) < 0 ? -errno : nfd;
259 close_nointr_nofail(fd);
265 static int open_terminal_as(const char *path, mode_t mode, int nfd) {
271 if ((fd = open_terminal(path, mode | O_NOCTTY)) < 0)
275 r = dup2(fd, nfd) < 0 ? -errno : nfd;
276 close_nointr_nofail(fd);
283 static bool is_terminal_input(ExecInput i) {
285 i == EXEC_INPUT_TTY ||
286 i == EXEC_INPUT_TTY_FORCE ||
287 i == EXEC_INPUT_TTY_FAIL;
290 static int fixup_input(ExecInput std_input, int socket_fd, bool apply_tty_stdin) {
292 if (is_terminal_input(std_input) && !apply_tty_stdin)
293 return EXEC_INPUT_NULL;
295 if (std_input == EXEC_INPUT_SOCKET && socket_fd < 0)
296 return EXEC_INPUT_NULL;
301 static int fixup_output(ExecOutput std_output, int socket_fd) {
303 if (std_output == EXEC_OUTPUT_SOCKET && socket_fd < 0)
304 return EXEC_OUTPUT_INHERIT;
309 static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty_stdin) {
314 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
318 case EXEC_INPUT_NULL:
319 return open_null_as(O_RDONLY, STDIN_FILENO);
322 case EXEC_INPUT_TTY_FORCE:
323 case EXEC_INPUT_TTY_FAIL: {
326 fd = acquire_terminal(tty_path(context),
327 i == EXEC_INPUT_TTY_FAIL,
328 i == EXEC_INPUT_TTY_FORCE,
334 if (fd != STDIN_FILENO) {
335 r = dup2(fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
336 close_nointr_nofail(fd);
343 case EXEC_INPUT_SOCKET:
344 return dup2(socket_fd, STDIN_FILENO) < 0 ? -errno : STDIN_FILENO;
347 assert_not_reached("Unknown input type");
351 static int setup_output(const ExecContext *context, int fileno, int socket_fd, const char *ident, const char *unit_id, bool apply_tty_stdin) {
359 i = fixup_input(context->std_input, socket_fd, apply_tty_stdin);
360 o = fixup_output(context->std_output, socket_fd);
362 if (fileno == STDERR_FILENO) {
364 e = fixup_output(context->std_error, socket_fd);
366 /* This expects the input and output are already set up */
368 /* Don't change the stderr file descriptor if we inherit all
369 * the way and are not on a tty */
370 if (e == EXEC_OUTPUT_INHERIT &&
371 o == EXEC_OUTPUT_INHERIT &&
372 i == EXEC_INPUT_NULL &&
373 !is_terminal_input(context->std_input) &&
377 /* Duplicate from stdout if possible */
378 if (e == o || e == EXEC_OUTPUT_INHERIT)
379 return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
383 } else if (o == EXEC_OUTPUT_INHERIT) {
384 /* If input got downgraded, inherit the original value */
385 if (i == EXEC_INPUT_NULL && is_terminal_input(context->std_input))
386 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
388 /* If the input is connected to anything that's not a /dev/null, inherit that... */
389 if (i != EXEC_INPUT_NULL)
390 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
392 /* If we are not started from PID 1 we just inherit STDOUT from our parent process. */
396 /* We need to open /dev/null here anew, to get the right access mode. */
397 return open_null_as(O_WRONLY, fileno);
402 case EXEC_OUTPUT_NULL:
403 return open_null_as(O_WRONLY, fileno);
405 case EXEC_OUTPUT_TTY:
406 if (is_terminal_input(i))
407 return dup2(STDIN_FILENO, fileno) < 0 ? -errno : fileno;
409 /* We don't reset the terminal if this is just about output */
410 return open_terminal_as(tty_path(context), O_WRONLY, fileno);
412 case EXEC_OUTPUT_SYSLOG:
413 case EXEC_OUTPUT_SYSLOG_AND_CONSOLE:
414 case EXEC_OUTPUT_KMSG:
415 case EXEC_OUTPUT_KMSG_AND_CONSOLE:
416 case EXEC_OUTPUT_JOURNAL:
417 case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
418 r = connect_logger_as(context, o, ident, unit_id, fileno);
420 log_struct_unit(LOG_CRIT, unit_id,
421 "MESSAGE=Failed to connect std%s of %s to the journal socket: %s",
422 fileno == STDOUT_FILENO ? "out" : "err",
423 unit_id, strerror(-r),
426 r = open_null_as(O_WRONLY, fileno);
430 case EXEC_OUTPUT_SOCKET:
431 assert(socket_fd >= 0);
432 return dup2(socket_fd, fileno) < 0 ? -errno : fileno;
435 assert_not_reached("Unknown error type");
439 static int chown_terminal(int fd, uid_t uid) {
444 /* This might fail. What matters are the results. */
445 (void) fchown(fd, uid, -1);
446 (void) fchmod(fd, TTY_MODE);
448 if (fstat(fd, &st) < 0)
451 if (st.st_uid != uid || (st.st_mode & 0777) != TTY_MODE)
457 static int setup_confirm_stdio(int *_saved_stdin,
458 int *_saved_stdout) {
459 int fd = -1, saved_stdin, saved_stdout = -1, r;
461 assert(_saved_stdin);
462 assert(_saved_stdout);
464 saved_stdin = fcntl(STDIN_FILENO, F_DUPFD, 3);
468 saved_stdout = fcntl(STDOUT_FILENO, F_DUPFD, 3);
469 if (saved_stdout < 0) {
474 fd = acquire_terminal(
479 DEFAULT_CONFIRM_USEC);
485 r = chown_terminal(fd, getuid());
489 if (dup2(fd, STDIN_FILENO) < 0) {
494 if (dup2(fd, STDOUT_FILENO) < 0) {
500 close_nointr_nofail(fd);
502 *_saved_stdin = saved_stdin;
503 *_saved_stdout = saved_stdout;
508 if (saved_stdout >= 0)
509 close_nointr_nofail(saved_stdout);
511 if (saved_stdin >= 0)
512 close_nointr_nofail(saved_stdin);
515 close_nointr_nofail(fd);
520 _printf_(1, 2) static int write_confirm_message(const char *format, ...) {
526 fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
530 va_start(ap, format);
531 vdprintf(fd, format, ap);
534 close_nointr_nofail(fd);
539 static int restore_confirm_stdio(int *saved_stdin,
545 assert(saved_stdout);
549 if (*saved_stdin >= 0)
550 if (dup2(*saved_stdin, STDIN_FILENO) < 0)
553 if (*saved_stdout >= 0)
554 if (dup2(*saved_stdout, STDOUT_FILENO) < 0)
557 if (*saved_stdin >= 0)
558 close_nointr_nofail(*saved_stdin);
560 if (*saved_stdout >= 0)
561 close_nointr_nofail(*saved_stdout);
566 static int ask_for_confirmation(char *response, char **argv) {
567 int saved_stdout = -1, saved_stdin = -1, r;
570 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
574 line = exec_command_line(argv);
578 r = ask(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
581 restore_confirm_stdio(&saved_stdin, &saved_stdout);
586 static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) {
587 bool keep_groups = false;
592 /* Lookup and set GID and supplementary group list. Here too
593 * we avoid NSS lookups for gid=0. */
595 if (context->group || username) {
597 if (context->group) {
598 const char *g = context->group;
600 if ((r = get_group_creds(&g, &gid)) < 0)
604 /* First step, initialize groups from /etc/groups */
605 if (username && gid != 0) {
606 if (initgroups(username, gid) < 0)
612 /* Second step, set our gids */
613 if (setresgid(gid, gid, gid) < 0)
617 if (context->supplementary_groups) {
622 /* Final step, initialize any manually set supplementary groups */
623 assert_se((ngroups_max = (int) sysconf(_SC_NGROUPS_MAX)) > 0);
625 if (!(gids = new(gid_t, ngroups_max)))
629 if ((k = getgroups(ngroups_max, gids)) < 0) {
636 STRV_FOREACH(i, context->supplementary_groups) {
639 if (k >= ngroups_max) {
645 r = get_group_creds(&g, gids+k);
654 if (setgroups(k, gids) < 0) {
665 static int enforce_user(const ExecContext *context, uid_t uid) {
668 /* Sets (but doesn't lookup) the uid and make sure we keep the
669 * capabilities while doing so. */
671 if (context->capabilities) {
672 _cleanup_cap_free_ cap_t d = NULL;
673 static const cap_value_t bits[] = {
674 CAP_SETUID, /* Necessary so that we can run setresuid() below */
675 CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
678 /* First step: If we need to keep capabilities but
679 * drop privileges we need to make sure we keep our
680 * caps, while we drop privileges. */
682 int sb = context->secure_bits | 1<<SECURE_KEEP_CAPS;
684 if (prctl(PR_GET_SECUREBITS) != sb)
685 if (prctl(PR_SET_SECUREBITS, sb) < 0)
689 /* Second step: set the capabilities. This will reduce
690 * the capabilities to the minimum we need. */
692 d = cap_dup(context->capabilities);
696 if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
697 cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0)
700 if (cap_set_proc(d) < 0)
704 /* Third step: actually set the uids */
705 if (setresuid(uid, uid, uid) < 0)
708 /* At this point we should have all necessary capabilities but
709 are otherwise a normal user. However, the caps might got
710 corrupted due to the setresuid() so we need clean them up
711 later. This is done outside of this call. */
718 static int null_conv(
720 const struct pam_message **msg,
721 struct pam_response **resp,
724 /* We don't support conversations */
729 static int setup_pam(
735 int fds[], unsigned n_fds) {
737 static const struct pam_conv conv = {
742 pam_handle_t *handle = NULL;
744 int pam_code = PAM_SUCCESS;
747 bool close_session = false;
748 pid_t pam_pid = 0, parent_pid;
755 /* We set up PAM in the parent process, then fork. The child
756 * will then stay around until killed via PR_GET_PDEATHSIG or
757 * systemd via the cgroup logic. It will then remove the PAM
758 * session again. The parent process will exec() the actual
759 * daemon. We do things this way to ensure that the main PID
760 * of the daemon is the one we initially fork()ed. */
762 if (log_get_max_level() < LOG_PRI(LOG_DEBUG))
765 pam_code = pam_start(name, user, &conv, &handle);
766 if (pam_code != PAM_SUCCESS) {
772 pam_code = pam_set_item(handle, PAM_TTY, tty);
773 if (pam_code != PAM_SUCCESS)
777 pam_code = pam_acct_mgmt(handle, flags);
778 if (pam_code != PAM_SUCCESS)
781 pam_code = pam_open_session(handle, flags);
782 if (pam_code != PAM_SUCCESS)
785 close_session = true;
787 e = pam_getenvlist(handle);
789 pam_code = PAM_BUF_ERR;
793 /* Block SIGTERM, so that we know that it won't get lost in
795 if (sigemptyset(&ss) < 0 ||
796 sigaddset(&ss, SIGTERM) < 0 ||
797 sigprocmask(SIG_BLOCK, &ss, &old_ss) < 0)
800 parent_pid = getpid();
810 /* The child's job is to reset the PAM session on
813 /* This string must fit in 10 chars (i.e. the length
814 * of "/sbin/init"), to look pretty in /bin/ps */
815 rename_process("(sd-pam)");
817 /* Make sure we don't keep open the passed fds in this
818 child. We assume that otherwise only those fds are
819 open here that have been opened by PAM. */
820 close_many(fds, n_fds);
822 /* Drop privileges - we don't need any to pam_close_session
823 * and this will make PR_SET_PDEATHSIG work in most cases.
824 * If this fails, ignore the error - but expect sd-pam threads
825 * to fail to exit normally */
826 if (setresuid(uid, uid, uid) < 0)
827 log_error("Error: Failed to setresuid() in sd-pam: %s", strerror(-r));
829 /* Wait until our parent died. This will only work if
830 * the above setresuid() succeeds, otherwise the kernel
831 * will not allow unprivileged parents kill their privileged
832 * children this way. We rely on the control groups kill logic
833 * to do the rest for us. */
834 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
837 /* Check if our parent process might already have
839 if (getppid() == parent_pid) {
841 if (sigwait(&ss, &sig) < 0) {
848 assert(sig == SIGTERM);
853 /* If our parent died we'll end the session */
854 if (getppid() != parent_pid) {
855 pam_code = pam_close_session(handle, flags);
856 if (pam_code != PAM_SUCCESS)
863 pam_end(handle, pam_code | flags);
867 /* If the child was forked off successfully it will do all the
868 * cleanups, so forget about the handle here. */
871 /* Unblock SIGTERM again in the parent */
872 if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0)
875 /* We close the log explicitly here, since the PAM modules
876 * might have opened it, but we don't want this fd around. */
885 if (pam_code != PAM_SUCCESS) {
886 log_error("PAM failed: %s", pam_strerror(handle, pam_code));
887 err = -EPERM; /* PAM errors do not map to errno */
889 log_error("PAM failed: %m");
895 pam_code = pam_close_session(handle, flags);
897 pam_end(handle, pam_code | flags);
905 kill(pam_pid, SIGTERM);
906 kill(pam_pid, SIGCONT);
913 static void rename_process_from_path(const char *path) {
914 char process_name[11];
918 /* This resulting string must fit in 10 chars (i.e. the length
919 * of "/sbin/init") to look pretty in /bin/ps */
923 rename_process("(...)");
929 /* The end of the process name is usually more
930 * interesting, since the first bit might just be
936 process_name[0] = '(';
937 memcpy(process_name+1, p, l);
938 process_name[1+l] = ')';
939 process_name[1+l+1] = 0;
941 rename_process(process_name);
946 static int apply_seccomp(ExecContext *c) {
947 uint32_t negative_action, action;
948 scmp_filter_ctx *seccomp;
955 negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno);
957 seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW);
961 if (c->syscall_archs) {
963 SET_FOREACH(id, c->syscall_archs, i) {
964 r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
968 seccomp_release(seccomp);
974 r = seccomp_add_secondary_archs(seccomp);
976 seccomp_release(seccomp);
981 action = c->syscall_whitelist ? SCMP_ACT_ALLOW : negative_action;
982 SET_FOREACH(id, c->syscall_filter, i) {
983 r = seccomp_rule_add(seccomp, action, PTR_TO_INT(id) - 1, 0);
985 seccomp_release(seccomp);
990 r = seccomp_load(seccomp);
991 seccomp_release(seccomp);
997 static void do_idle_pipe_dance(int idle_pipe[4]) {
1000 if (idle_pipe[1] >= 0)
1001 close_nointr_nofail(idle_pipe[1]);
1002 if (idle_pipe[2] >= 0)
1003 close_nointr_nofail(idle_pipe[2]);
1005 if (idle_pipe[0] >= 0) {
1008 r = fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT_USEC);
1010 if (idle_pipe[3] >= 0 && r == 0 /* timeout */) {
1011 /* Signal systemd that we are bored and want to continue. */
1012 write(idle_pipe[3], "x", 1);
1014 /* Wait for systemd to react to the signal above. */
1015 fd_wait_for_event(idle_pipe[0], POLLHUP, IDLE_TIMEOUT2_USEC);
1018 close_nointr_nofail(idle_pipe[0]);
1022 if (idle_pipe[3] >= 0)
1023 close_nointr_nofail(idle_pipe[3]);
1026 static int build_environment(
1029 usec_t watchdog_usec,
1031 const char *username,
1035 _cleanup_strv_free_ char **our_env = NULL;
1042 our_env = new0(char*, 10);
1047 if (asprintf(&x, "LISTEN_PID="PID_FMT, getpid()) < 0)
1049 our_env[n_env++] = x;
1051 if (asprintf(&x, "LISTEN_FDS=%u", n_fds) < 0)
1053 our_env[n_env++] = x;
1056 if (watchdog_usec > 0) {
1057 if (asprintf(&x, "WATCHDOG_PID="PID_FMT, getpid()) < 0)
1059 our_env[n_env++] = x;
1061 if (asprintf(&x, "WATCHDOG_USEC=%llu", (unsigned long long) watchdog_usec) < 0)
1063 our_env[n_env++] = x;
1067 x = strappend("HOME=", home);
1070 our_env[n_env++] = x;
1074 x = strappend("LOGNAME=", username);
1077 our_env[n_env++] = x;
1079 x = strappend("USER=", username);
1082 our_env[n_env++] = x;
1086 x = strappend("SHELL=", shell);
1089 our_env[n_env++] = x;
1092 if (is_terminal_input(c->std_input) ||
1093 c->std_output == EXEC_OUTPUT_TTY ||
1094 c->std_error == EXEC_OUTPUT_TTY ||
1097 x = strdup(default_term_for_tty(tty_path(c)));
1100 our_env[n_env++] = x;
1103 our_env[n_env++] = NULL;
1104 assert(n_env <= 10);
1112 int exec_spawn(ExecCommand *command,
1114 ExecContext *context,
1115 int fds[], unsigned n_fds,
1117 bool apply_permissions,
1119 bool apply_tty_stdin,
1121 CGroupControllerMask cgroup_supported,
1122 const char *cgroup_path,
1123 const char *unit_id,
1124 usec_t watchdog_usec,
1126 ExecRuntime *runtime,
1129 _cleanup_strv_free_ char **files_env = NULL;
1138 assert(fds || n_fds <= 0);
1140 if (context->std_input == EXEC_INPUT_SOCKET ||
1141 context->std_output == EXEC_OUTPUT_SOCKET ||
1142 context->std_error == EXEC_OUTPUT_SOCKET) {
1154 r = exec_context_load_environment(context, &files_env);
1156 log_struct_unit(LOG_ERR,
1158 "MESSAGE=Failed to load environment files: %s", strerror(-r),
1165 argv = command->argv;
1167 line = exec_command_line(argv);
1171 log_struct_unit(LOG_DEBUG,
1173 "EXECUTABLE=%s", command->path,
1174 "MESSAGE=About to execute: %s", line,
1183 _cleanup_strv_free_ char **our_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL;
1184 const char *username = NULL, *home = NULL, *shell = NULL;
1185 unsigned n_dont_close = 0;
1186 int dont_close[n_fds + 3];
1187 uid_t uid = (uid_t) -1;
1188 gid_t gid = (gid_t) -1;
1194 rename_process_from_path(command->path);
1196 /* We reset exactly these signals, since they are the
1197 * only ones we set to SIG_IGN in the main daemon. All
1198 * others we leave untouched because we set them to
1199 * SIG_DFL or a valid handler initially, both of which
1200 * will be demoted to SIG_DFL. */
1201 default_signals(SIGNALS_CRASH_HANDLER,
1202 SIGNALS_IGNORE, -1);
1204 if (context->ignore_sigpipe)
1205 ignore_signals(SIGPIPE, -1);
1207 assert_se(sigemptyset(&ss) == 0);
1208 if (sigprocmask(SIG_SETMASK, &ss, NULL) < 0) {
1210 r = EXIT_SIGNAL_MASK;
1215 do_idle_pipe_dance(idle_pipe);
1217 /* Close sockets very early to make sure we don't
1218 * block init reexecution because it cannot bind its
1223 dont_close[n_dont_close++] = socket_fd;
1225 memcpy(dont_close + n_dont_close, fds, sizeof(int) * n_fds);
1226 n_dont_close += n_fds;
1229 if (runtime->netns_storage_socket[0] >= 0)
1230 dont_close[n_dont_close++] = runtime->netns_storage_socket[0];
1231 if (runtime->netns_storage_socket[1] >= 0)
1232 dont_close[n_dont_close++] = runtime->netns_storage_socket[1];
1235 err = close_all_fds(dont_close, n_dont_close);
1241 if (!context->same_pgrp)
1248 if (context->tcpwrap_name) {
1250 if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) {
1256 for (i = 0; i < (int) n_fds; i++) {
1257 if (!socket_tcpwrap(fds[i], context->tcpwrap_name)) {
1265 exec_context_tty_reset(context);
1267 if (confirm_spawn) {
1270 err = ask_for_confirmation(&response, argv);
1271 if (err == -ETIMEDOUT)
1272 write_confirm_message("Confirmation question timed out, assuming positive response.\n");
1274 write_confirm_message("Couldn't ask confirmation question, assuming positive response: %s\n", strerror(-err));
1275 else if (response == 's') {
1276 write_confirm_message("Skipping execution.\n");
1280 } else if (response == 'n') {
1281 write_confirm_message("Failing execution.\n");
1287 /* If a socket is connected to STDIN/STDOUT/STDERR, we
1288 * must sure to drop O_NONBLOCK */
1290 fd_nonblock(socket_fd, false);
1292 err = setup_input(context, socket_fd, apply_tty_stdin);
1298 err = setup_output(context, STDOUT_FILENO, socket_fd, basename(command->path), unit_id, apply_tty_stdin);
1304 err = setup_output(context, STDERR_FILENO, socket_fd, basename(command->path), unit_id, apply_tty_stdin);
1311 err = cg_attach_everywhere(cgroup_supported, cgroup_path, 0);
1318 if (context->oom_score_adjust_set) {
1321 snprintf(t, sizeof(t), "%i", context->oom_score_adjust);
1324 if (write_string_file("/proc/self/oom_score_adj", t) < 0) {
1326 r = EXIT_OOM_ADJUST;
1331 if (context->nice_set)
1332 if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
1338 if (context->cpu_sched_set) {
1339 struct sched_param param = {
1340 .sched_priority = context->cpu_sched_priority,
1343 r = sched_setscheduler(0,
1344 context->cpu_sched_policy |
1345 (context->cpu_sched_reset_on_fork ?
1346 SCHED_RESET_ON_FORK : 0),
1350 r = EXIT_SETSCHEDULER;
1355 if (context->cpuset)
1356 if (sched_setaffinity(0, CPU_ALLOC_SIZE(context->cpuset_ncpus), context->cpuset) < 0) {
1358 r = EXIT_CPUAFFINITY;
1362 if (context->ioprio_set)
1363 if (ioprio_set(IOPRIO_WHO_PROCESS, 0, context->ioprio) < 0) {
1369 if (context->timer_slack_nsec != (nsec_t) -1)
1370 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
1372 r = EXIT_TIMERSLACK;
1376 if (context->personality != 0xffffffffUL)
1377 if (personality(context->personality) < 0) {
1379 r = EXIT_PERSONALITY;
1383 if (context->utmp_id)
1384 utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path);
1386 if (context->user) {
1387 username = context->user;
1388 err = get_user_creds(&username, &uid, &gid, &home, &shell);
1394 if (is_terminal_input(context->std_input)) {
1395 err = chown_terminal(STDIN_FILENO, uid);
1404 if (cgroup_path && context->user && context->pam_name) {
1405 err = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, 0644, uid, gid);
1412 err = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, 0755, uid, gid);
1420 if (apply_permissions) {
1421 err = enforce_groups(context, username, gid);
1428 umask(context->umask);
1431 if (apply_permissions && context->pam_name && username) {
1432 err = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
1439 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
1440 err = setup_netns(runtime->netns_storage_socket);
1447 if (!strv_isempty(context->read_write_dirs) ||
1448 !strv_isempty(context->read_only_dirs) ||
1449 !strv_isempty(context->inaccessible_dirs) ||
1450 context->mount_flags != 0 ||
1451 (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
1452 context->private_devices) {
1454 char *tmp = NULL, *var = NULL;
1456 /* The runtime struct only contains the parent
1457 * of the private /tmp, which is
1458 * non-accessible to world users. Inside of it
1459 * there's a /tmp that is sticky, and that's
1460 * the one we want to use here. */
1462 if (context->private_tmp && runtime) {
1463 if (runtime->tmp_dir)
1464 tmp = strappenda(runtime->tmp_dir, "/tmp");
1465 if (runtime->var_tmp_dir)
1466 var = strappenda(runtime->var_tmp_dir, "/tmp");
1469 err = setup_namespace(
1470 context->read_write_dirs,
1471 context->read_only_dirs,
1472 context->inaccessible_dirs,
1475 context->private_devices,
1476 context->mount_flags);
1485 if (context->root_directory)
1486 if (chroot(context->root_directory) < 0) {
1492 if (chdir(context->working_directory ? context->working_directory : "/") < 0) {
1498 _cleanup_free_ char *d = NULL;
1500 if (asprintf(&d, "%s/%s",
1501 context->root_directory ? context->root_directory : "",
1502 context->working_directory ? context->working_directory : "") < 0) {
1515 /* We repeat the fd closing here, to make sure that
1516 * nothing is leaked from the PAM modules */
1517 err = close_all_fds(fds, n_fds);
1519 err = shift_fds(fds, n_fds);
1521 err = flags_fds(fds, n_fds, context->non_blocking);
1527 if (apply_permissions) {
1529 for (i = 0; i < RLIMIT_NLIMITS; i++) {
1530 if (!context->rlimit[i])
1533 if (setrlimit_closest(i, context->rlimit[i]) < 0) {
1540 if (context->capability_bounding_set_drop) {
1541 err = capability_bounding_set_drop(context->capability_bounding_set_drop, false);
1543 r = EXIT_CAPABILITIES;
1548 if (context->user) {
1549 err = enforce_user(context, uid);
1556 /* PR_GET_SECUREBITS is not privileged, while
1557 * PR_SET_SECUREBITS is. So to suppress
1558 * potential EPERMs we'll try not to call
1559 * PR_SET_SECUREBITS unless necessary. */
1560 if (prctl(PR_GET_SECUREBITS) != context->secure_bits)
1561 if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
1563 r = EXIT_SECUREBITS;
1567 if (context->capabilities)
1568 if (cap_set_proc(context->capabilities) < 0) {
1570 r = EXIT_CAPABILITIES;
1574 if (context->no_new_privileges)
1575 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
1577 r = EXIT_NO_NEW_PRIVILEGES;
1582 if (context->syscall_filter || context->syscall_archs) {
1583 err = apply_seccomp(context);
1592 if (context->selinux_context && use_selinux()) {
1593 err = setexeccon(context->selinux_context);
1594 if (err < 0 && !context->selinux_context_ignore) {
1595 r = EXIT_SELINUX_CONTEXT;
1602 err = build_environment(context, n_fds, watchdog_usec, home, username, shell, &our_env);
1608 final_env = strv_env_merge(5,
1611 context->environment,
1621 final_argv = replace_env_argv(argv, final_env);
1628 final_env = strv_env_clean(final_env);
1630 if (_unlikely_(log_get_max_level() >= LOG_PRI(LOG_DEBUG))) {
1631 line = exec_command_line(final_argv);
1634 log_struct_unit(LOG_DEBUG,
1636 "EXECUTABLE=%s", command->path,
1637 "MESSAGE=Executing: %s", line,
1644 execve(command->path, final_argv, final_env);
1651 log_struct(LOG_ERR, MESSAGE_ID(SD_MESSAGE_SPAWN_FAILED),
1652 "EXECUTABLE=%s", command->path,
1653 "MESSAGE=Failed at step %s spawning %s: %s",
1654 exit_status_to_string(r, EXIT_STATUS_SYSTEMD),
1655 command->path, strerror(-err),
1664 log_struct_unit(LOG_DEBUG,
1666 "MESSAGE=Forked %s as "PID_FMT,
1670 /* We add the new process to the cgroup both in the child (so
1671 * that we can be sure that no user code is ever executed
1672 * outside of the cgroup) and in the parent (so that we can be
1673 * sure that when we kill the cgroup the process will be
1676 cg_attach(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, pid);
1678 exec_status_start(&command->exec_status, pid);
1684 void exec_context_init(ExecContext *c) {
1688 c->ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 0);
1689 c->cpu_sched_policy = SCHED_OTHER;
1690 c->syslog_priority = LOG_DAEMON|LOG_INFO;
1691 c->syslog_level_prefix = true;
1692 c->ignore_sigpipe = true;
1693 c->timer_slack_nsec = (nsec_t) -1;
1694 c->personality = 0xffffffffUL;
1697 void exec_context_done(ExecContext *c) {
1702 strv_free(c->environment);
1703 c->environment = NULL;
1705 strv_free(c->environment_files);
1706 c->environment_files = NULL;
1708 for (l = 0; l < ELEMENTSOF(c->rlimit); l++) {
1710 c->rlimit[l] = NULL;
1713 free(c->working_directory);
1714 c->working_directory = NULL;
1715 free(c->root_directory);
1716 c->root_directory = NULL;
1721 free(c->tcpwrap_name);
1722 c->tcpwrap_name = NULL;
1724 free(c->syslog_identifier);
1725 c->syslog_identifier = NULL;
1733 strv_free(c->supplementary_groups);
1734 c->supplementary_groups = NULL;
1739 if (c->capabilities) {
1740 cap_free(c->capabilities);
1741 c->capabilities = NULL;
1744 strv_free(c->read_only_dirs);
1745 c->read_only_dirs = NULL;
1747 strv_free(c->read_write_dirs);
1748 c->read_write_dirs = NULL;
1750 strv_free(c->inaccessible_dirs);
1751 c->inaccessible_dirs = NULL;
1754 CPU_FREE(c->cpuset);
1759 free(c->selinux_context);
1760 c->selinux_context = NULL;
1763 set_free(c->syscall_filter);
1764 c->syscall_filter = NULL;
1766 set_free(c->syscall_archs);
1767 c->syscall_archs = NULL;
1771 void exec_command_done(ExecCommand *c) {
1781 void exec_command_done_array(ExecCommand *c, unsigned n) {
1784 for (i = 0; i < n; i++)
1785 exec_command_done(c+i);
1788 void exec_command_free_list(ExecCommand *c) {
1792 LIST_REMOVE(command, c, i);
1793 exec_command_done(i);
1798 void exec_command_free_array(ExecCommand **c, unsigned n) {
1801 for (i = 0; i < n; i++) {
1802 exec_command_free_list(c[i]);
1807 int exec_context_load_environment(const ExecContext *c, char ***l) {
1808 char **i, **r = NULL;
1813 STRV_FOREACH(i, c->environment_files) {
1816 bool ignore = false;
1818 _cleanup_globfree_ glob_t pglob = {};
1828 if (!path_is_absolute(fn)) {
1836 /* Filename supports globbing, take all matching files */
1838 if (glob(fn, 0, NULL, &pglob) != 0) {
1843 return errno ? -errno : -EINVAL;
1845 count = pglob.gl_pathc;
1853 for (n = 0; n < count; n++) {
1854 k = load_env_file(pglob.gl_pathv[n], NULL, &p);
1862 /* Log invalid environment variables with filename */
1864 p = strv_env_clean_log(p, pglob.gl_pathv[n]);
1871 m = strv_env_merge(2, r, p);
1887 static bool tty_may_match_dev_console(const char *tty) {
1888 char *active = NULL, *console;
1891 if (startswith(tty, "/dev/"))
1894 /* trivial identity? */
1895 if (streq(tty, "console"))
1898 console = resolve_dev_console(&active);
1899 /* if we could not resolve, assume it may */
1903 /* "tty0" means the active VC, so it may be the same sometimes */
1904 b = streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
1910 bool exec_context_may_touch_console(ExecContext *ec) {
1911 return (ec->tty_reset || ec->tty_vhangup || ec->tty_vt_disallocate ||
1912 is_terminal_input(ec->std_input) ||
1913 is_terminal_output(ec->std_output) ||
1914 is_terminal_output(ec->std_error)) &&
1915 tty_may_match_dev_console(tty_path(ec));
1918 static void strv_fprintf(FILE *f, char **l) {
1924 fprintf(f, " %s", *g);
1927 void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
1934 prefix = strempty(prefix);
1938 "%sWorkingDirectory: %s\n"
1939 "%sRootDirectory: %s\n"
1940 "%sNonBlocking: %s\n"
1941 "%sPrivateTmp: %s\n"
1942 "%sPrivateNetwork: %s\n"
1943 "%sPrivateDevices: %s\n"
1944 "%sIgnoreSIGPIPE: %s\n",
1946 prefix, c->working_directory ? c->working_directory : "/",
1947 prefix, c->root_directory ? c->root_directory : "/",
1948 prefix, yes_no(c->non_blocking),
1949 prefix, yes_no(c->private_tmp),
1950 prefix, yes_no(c->private_network),
1951 prefix, yes_no(c->private_devices),
1952 prefix, yes_no(c->ignore_sigpipe));
1954 STRV_FOREACH(e, c->environment)
1955 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
1957 STRV_FOREACH(e, c->environment_files)
1958 fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
1960 if (c->tcpwrap_name)
1962 "%sTCPWrapName: %s\n",
1963 prefix, c->tcpwrap_name);
1970 if (c->oom_score_adjust_set)
1972 "%sOOMScoreAdjust: %i\n",
1973 prefix, c->oom_score_adjust);
1975 for (i = 0; i < RLIM_NLIMITS; i++)
1977 fprintf(f, "%s%s: %llu\n", prefix, rlimit_to_string(i), (unsigned long long) c->rlimit[i]->rlim_max);
1979 if (c->ioprio_set) {
1980 _cleanup_free_ char *class_str = NULL;
1982 ioprio_class_to_string_alloc(IOPRIO_PRIO_CLASS(c->ioprio), &class_str);
1984 "%sIOSchedulingClass: %s\n"
1985 "%sIOPriority: %i\n",
1986 prefix, strna(class_str),
1987 prefix, (int) IOPRIO_PRIO_DATA(c->ioprio));
1990 if (c->cpu_sched_set) {
1991 _cleanup_free_ char *policy_str = NULL;
1993 sched_policy_to_string_alloc(c->cpu_sched_policy, &policy_str);
1995 "%sCPUSchedulingPolicy: %s\n"
1996 "%sCPUSchedulingPriority: %i\n"
1997 "%sCPUSchedulingResetOnFork: %s\n",
1998 prefix, strna(policy_str),
1999 prefix, c->cpu_sched_priority,
2000 prefix, yes_no(c->cpu_sched_reset_on_fork));
2004 fprintf(f, "%sCPUAffinity:", prefix);
2005 for (i = 0; i < c->cpuset_ncpus; i++)
2006 if (CPU_ISSET_S(i, CPU_ALLOC_SIZE(c->cpuset_ncpus), c->cpuset))
2007 fprintf(f, " %u", i);
2011 if (c->timer_slack_nsec != (nsec_t) -1)
2012 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
2015 "%sStandardInput: %s\n"
2016 "%sStandardOutput: %s\n"
2017 "%sStandardError: %s\n",
2018 prefix, exec_input_to_string(c->std_input),
2019 prefix, exec_output_to_string(c->std_output),
2020 prefix, exec_output_to_string(c->std_error));
2026 "%sTTYVHangup: %s\n"
2027 "%sTTYVTDisallocate: %s\n",
2028 prefix, c->tty_path,
2029 prefix, yes_no(c->tty_reset),
2030 prefix, yes_no(c->tty_vhangup),
2031 prefix, yes_no(c->tty_vt_disallocate));
2033 if (c->std_output == EXEC_OUTPUT_SYSLOG ||
2034 c->std_output == EXEC_OUTPUT_KMSG ||
2035 c->std_output == EXEC_OUTPUT_JOURNAL ||
2036 c->std_output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2037 c->std_output == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2038 c->std_output == EXEC_OUTPUT_JOURNAL_AND_CONSOLE ||
2039 c->std_error == EXEC_OUTPUT_SYSLOG ||
2040 c->std_error == EXEC_OUTPUT_KMSG ||
2041 c->std_error == EXEC_OUTPUT_JOURNAL ||
2042 c->std_error == EXEC_OUTPUT_SYSLOG_AND_CONSOLE ||
2043 c->std_error == EXEC_OUTPUT_KMSG_AND_CONSOLE ||
2044 c->std_error == EXEC_OUTPUT_JOURNAL_AND_CONSOLE) {
2046 _cleanup_free_ char *fac_str = NULL, *lvl_str = NULL;
2048 log_facility_unshifted_to_string_alloc(c->syslog_priority >> 3, &fac_str);
2049 log_level_to_string_alloc(LOG_PRI(c->syslog_priority), &lvl_str);
2052 "%sSyslogFacility: %s\n"
2053 "%sSyslogLevel: %s\n",
2054 prefix, strna(fac_str),
2055 prefix, strna(lvl_str));
2058 if (c->capabilities) {
2059 _cleanup_cap_free_charp_ char *t;
2061 t = cap_to_text(c->capabilities, NULL);
2063 fprintf(f, "%sCapabilities: %s\n", prefix, t);
2067 fprintf(f, "%sSecure Bits:%s%s%s%s%s%s\n",
2069 (c->secure_bits & 1<<SECURE_KEEP_CAPS) ? " keep-caps" : "",
2070 (c->secure_bits & 1<<SECURE_KEEP_CAPS_LOCKED) ? " keep-caps-locked" : "",
2071 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP) ? " no-setuid-fixup" : "",
2072 (c->secure_bits & 1<<SECURE_NO_SETUID_FIXUP_LOCKED) ? " no-setuid-fixup-locked" : "",
2073 (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",
2074 (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
2076 if (c->capability_bounding_set_drop) {
2078 fprintf(f, "%sCapabilityBoundingSet:", prefix);
2080 for (l = 0; l <= cap_last_cap(); l++)
2081 if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) {
2082 _cleanup_cap_free_charp_ char *t;
2086 fprintf(f, " %s", t);
2093 fprintf(f, "%sUser: %s\n", prefix, c->user);
2095 fprintf(f, "%sGroup: %s\n", prefix, c->group);
2097 if (strv_length(c->supplementary_groups) > 0) {
2098 fprintf(f, "%sSupplementaryGroups:", prefix);
2099 strv_fprintf(f, c->supplementary_groups);
2104 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
2106 if (strv_length(c->read_write_dirs) > 0) {
2107 fprintf(f, "%sReadWriteDirs:", prefix);
2108 strv_fprintf(f, c->read_write_dirs);
2112 if (strv_length(c->read_only_dirs) > 0) {
2113 fprintf(f, "%sReadOnlyDirs:", prefix);
2114 strv_fprintf(f, c->read_only_dirs);
2118 if (strv_length(c->inaccessible_dirs) > 0) {
2119 fprintf(f, "%sInaccessibleDirs:", prefix);
2120 strv_fprintf(f, c->inaccessible_dirs);
2126 "%sUtmpIdentifier: %s\n",
2127 prefix, c->utmp_id);
2129 if (c->selinux_context)
2131 "%sSELinuxContext: %s%s\n",
2132 prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
2134 if (c->personality != 0xffffffffUL)
2136 "%sPersonality: %s\n",
2137 prefix, strna(personality_to_string(c->personality)));
2139 if (c->syscall_filter) {
2147 "%sSystemCallFilter: ",
2150 if (!c->syscall_whitelist)
2154 SET_FOREACH(id, c->syscall_filter, j) {
2155 _cleanup_free_ char *name = NULL;
2162 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
2163 fputs(strna(name), f);
2170 if (c->syscall_archs) {
2177 "%sSystemCallArchitectures:",
2181 SET_FOREACH(id, c->syscall_archs, j)
2182 fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
2187 if (c->syscall_errno != 0)
2189 "%sSystemCallErrorNumber: %s\n",
2190 prefix, strna(errno_to_name(c->syscall_errno)));
2193 void exec_status_start(ExecStatus *s, pid_t pid) {
2198 dual_timestamp_get(&s->start_timestamp);
2201 void exec_status_exit(ExecStatus *s, ExecContext *context, pid_t pid, int code, int status) {
2204 if (s->pid && s->pid != pid)
2208 dual_timestamp_get(&s->exit_timestamp);
2214 if (context->utmp_id)
2215 utmp_put_dead_process(context->utmp_id, pid, code, status);
2217 exec_context_tty_reset(context);
2221 void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) {
2222 char buf[FORMAT_TIMESTAMP_MAX];
2234 "%sPID: "PID_FMT"\n",
2237 if (s->start_timestamp.realtime > 0)
2239 "%sStart Timestamp: %s\n",
2240 prefix, format_timestamp(buf, sizeof(buf), s->start_timestamp.realtime));
2242 if (s->exit_timestamp.realtime > 0)
2244 "%sExit Timestamp: %s\n"
2246 "%sExit Status: %i\n",
2247 prefix, format_timestamp(buf, sizeof(buf), s->exit_timestamp.realtime),
2248 prefix, sigchld_code_to_string(s->code),
2252 char *exec_command_line(char **argv) {
2260 STRV_FOREACH(a, argv)
2263 if (!(n = new(char, k)))
2267 STRV_FOREACH(a, argv) {
2274 if (strpbrk(*a, WHITESPACE)) {
2285 /* FIXME: this doesn't really handle arguments that have
2286 * spaces and ticks in them */
2291 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
2293 const char *prefix2;
2302 p2 = strappend(prefix, "\t");
2303 prefix2 = p2 ? p2 : prefix;
2305 cmd = exec_command_line(c->argv);
2308 "%sCommand Line: %s\n",
2309 prefix, cmd ? cmd : strerror(ENOMEM));
2313 exec_status_dump(&c->exec_status, f, prefix2);
2318 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
2324 LIST_FOREACH(command, c, c)
2325 exec_command_dump(c, f, prefix);
2328 void exec_command_append_list(ExecCommand **l, ExecCommand *e) {
2335 /* It's kind of important, that we keep the order here */
2336 LIST_FIND_TAIL(command, *l, end);
2337 LIST_INSERT_AFTER(command, *l, end, e);
2342 int exec_command_set(ExecCommand *c, const char *path, ...) {
2350 l = strv_new_ap(path, ap);
2371 static int exec_runtime_allocate(ExecRuntime **rt) {
2376 *rt = new0(ExecRuntime, 1);
2381 (*rt)->netns_storage_socket[0] = (*rt)->netns_storage_socket[1] = -1;
2386 int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
2396 if (!c->private_network && !c->private_tmp)
2399 r = exec_runtime_allocate(rt);
2403 if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
2404 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, (*rt)->netns_storage_socket) < 0)
2408 if (c->private_tmp && !(*rt)->tmp_dir) {
2409 r = setup_tmp_dirs(id, &(*rt)->tmp_dir, &(*rt)->var_tmp_dir);
2417 ExecRuntime *exec_runtime_ref(ExecRuntime *r) {
2419 assert(r->n_ref > 0);
2425 ExecRuntime *exec_runtime_unref(ExecRuntime *r) {
2430 assert(r->n_ref > 0);
2433 if (r->n_ref <= 0) {
2435 free(r->var_tmp_dir);
2436 close_pipe(r->netns_storage_socket);
2443 int exec_runtime_serialize(ExecRuntime *rt, Unit *u, FILE *f, FDSet *fds) {
2452 unit_serialize_item(u, f, "tmp-dir", rt->tmp_dir);
2454 if (rt->var_tmp_dir)
2455 unit_serialize_item(u, f, "var-tmp-dir", rt->var_tmp_dir);
2457 if (rt->netns_storage_socket[0] >= 0) {
2460 copy = fdset_put_dup(fds, rt->netns_storage_socket[0]);
2464 unit_serialize_item_format(u, f, "netns-socket-0", "%i", copy);
2467 if (rt->netns_storage_socket[1] >= 0) {
2470 copy = fdset_put_dup(fds, rt->netns_storage_socket[1]);
2474 unit_serialize_item_format(u, f, "netns-socket-1", "%i", copy);
2480 int exec_runtime_deserialize_item(ExecRuntime **rt, Unit *u, const char *key, const char *value, FDSet *fds) {
2487 if (streq(key, "tmp-dir")) {
2490 r = exec_runtime_allocate(rt);
2494 copy = strdup(value);
2498 free((*rt)->tmp_dir);
2499 (*rt)->tmp_dir = copy;
2501 } else if (streq(key, "var-tmp-dir")) {
2504 r = exec_runtime_allocate(rt);
2508 copy = strdup(value);
2512 free((*rt)->var_tmp_dir);
2513 (*rt)->var_tmp_dir = copy;
2515 } else if (streq(key, "netns-socket-0")) {
2518 r = exec_runtime_allocate(rt);
2522 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2523 log_debug_unit(u->id, "Failed to parse netns socket value %s", value);
2525 if ((*rt)->netns_storage_socket[0] >= 0)
2526 close_nointr_nofail((*rt)->netns_storage_socket[0]);
2528 (*rt)->netns_storage_socket[0] = fdset_remove(fds, fd);
2530 } else if (streq(key, "netns-socket-1")) {
2533 r = exec_runtime_allocate(rt);
2537 if (safe_atoi(value, &fd) < 0 || !fdset_contains(fds, fd))
2538 log_debug_unit(u->id, "Failed to parse netns socket value %s", value);
2540 if ((*rt)->netns_storage_socket[1] >= 0)
2541 close_nointr_nofail((*rt)->netns_storage_socket[1]);
2543 (*rt)->netns_storage_socket[1] = fdset_remove(fds, fd);
2551 static void *remove_tmpdir_thread(void *p) {
2552 _cleanup_free_ char *path = p;
2554 rm_rf_dangerous(path, false, true, false);
2558 void exec_runtime_destroy(ExecRuntime *rt) {
2562 /* If there are multiple users of this, let's leave the stuff around */
2567 log_debug("Spawning thread to nuke %s", rt->tmp_dir);
2568 asynchronous_job(remove_tmpdir_thread, rt->tmp_dir);
2572 if (rt->var_tmp_dir) {
2573 log_debug("Spawning thread to nuke %s", rt->var_tmp_dir);
2574 asynchronous_job(remove_tmpdir_thread, rt->var_tmp_dir);
2575 rt->var_tmp_dir = NULL;
2578 close_pipe(rt->netns_storage_socket);
2581 static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
2582 [EXEC_INPUT_NULL] = "null",
2583 [EXEC_INPUT_TTY] = "tty",
2584 [EXEC_INPUT_TTY_FORCE] = "tty-force",
2585 [EXEC_INPUT_TTY_FAIL] = "tty-fail",
2586 [EXEC_INPUT_SOCKET] = "socket"
2589 DEFINE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
2591 static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
2592 [EXEC_OUTPUT_INHERIT] = "inherit",
2593 [EXEC_OUTPUT_NULL] = "null",
2594 [EXEC_OUTPUT_TTY] = "tty",
2595 [EXEC_OUTPUT_SYSLOG] = "syslog",
2596 [EXEC_OUTPUT_SYSLOG_AND_CONSOLE] = "syslog+console",
2597 [EXEC_OUTPUT_KMSG] = "kmsg",
2598 [EXEC_OUTPUT_KMSG_AND_CONSOLE] = "kmsg+console",
2599 [EXEC_OUTPUT_JOURNAL] = "journal",
2600 [EXEC_OUTPUT_JOURNAL_AND_CONSOLE] = "journal+console",
2601 [EXEC_OUTPUT_SOCKET] = "socket"
2604 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);