+#ifdef HAVE_PAM
+ if (params->apply_permissions && context->pam_name && username) {
+ err = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
+ if (err < 0) {
+ *error = EXIT_PAM;
+ return err;
+ }
+ }
+#endif
+
+ if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
+ err = setup_netns(runtime->netns_storage_socket);
+ if (err < 0) {
+ *error = EXIT_NETWORK;
+ return err;
+ }
+ }
+
+ if (!strv_isempty(context->read_write_dirs) ||
+ !strv_isempty(context->read_only_dirs) ||
+ !strv_isempty(context->inaccessible_dirs) ||
+ context->mount_flags != 0 ||
+ (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
+ params->bus_endpoint_path ||
+ context->private_devices ||
+ context->protect_system != PROTECT_SYSTEM_NO ||
+ context->protect_home != PROTECT_HOME_NO) {
+
+ char *tmp = NULL, *var = NULL;
+
+ /* The runtime struct only contains the parent
+ * of the private /tmp, which is
+ * non-accessible to world users. Inside of it
+ * there's a /tmp that is sticky, and that's
+ * the one we want to use here. */
+
+ if (context->private_tmp && runtime) {
+ if (runtime->tmp_dir)
+ tmp = strappenda(runtime->tmp_dir, "/tmp");
+ if (runtime->var_tmp_dir)
+ var = strappenda(runtime->var_tmp_dir, "/tmp");
+ }
+
+ err = setup_namespace(
+ context->read_write_dirs,
+ context->read_only_dirs,
+ context->inaccessible_dirs,
+ tmp,
+ var,
+ params->bus_endpoint_path,
+ context->private_devices,
+ context->protect_home,
+ context->protect_system,
+ context->mount_flags);
+ if (err < 0) {
+ *error = EXIT_NAMESPACE;
+ return err;
+ }
+ }
+
+ if (params->apply_chroot) {
+ if (context->root_directory)
+ if (chroot(context->root_directory) < 0) {
+ *error = EXIT_CHROOT;
+ return -errno;
+ }
+
+ if (chdir(context->working_directory ? context->working_directory : "/") < 0) {
+ *error = EXIT_CHDIR;
+ return -errno;
+ }
+ } else {
+ _cleanup_free_ char *d = NULL;
+
+ if (asprintf(&d, "%s/%s",
+ context->root_directory ? context->root_directory : "",
+ context->working_directory ? context->working_directory : "") < 0) {
+ *error = EXIT_MEMORY;
+ return -ENOMEM;
+ }
+
+ if (chdir(d) < 0) {
+ *error = EXIT_CHDIR;
+ return -errno;
+ }
+ }
+
+ /* We repeat the fd closing here, to make sure that
+ * nothing is leaked from the PAM modules. Note that
+ * we are more aggressive this time since socket_fd
+ * and the netns fds we don't need anymore. The custom
+ * endpoint fd was needed to upload the policy and can
+ * now be closed as well. */
+ err = close_all_fds(fds, n_fds);
+ if (err >= 0)
+ err = shift_fds(fds, n_fds);
+ if (err >= 0)
+ err = flags_fds(fds, n_fds, context->non_blocking);
+ if (err < 0) {
+ *error = EXIT_FDS;
+ return err;
+ }
+
+ if (params->apply_permissions) {
+
+ for (i = 0; i < _RLIMIT_MAX; i++) {
+ if (!context->rlimit[i])
+ continue;
+
+ if (setrlimit_closest(i, context->rlimit[i]) < 0) {
+ *error = EXIT_LIMITS;
+ return -errno;
+ }
+ }
+
+ if (context->capability_bounding_set_drop) {
+ err = capability_bounding_set_drop(context->capability_bounding_set_drop, false);
+ if (err < 0) {
+ *error = EXIT_CAPABILITIES;
+ return err;
+ }
+ }
+
+ if (context->user) {
+ err = enforce_user(context, uid);
+ if (err < 0) {
+ *error = EXIT_USER;
+ return err;
+ }
+ }
+
+ /* PR_GET_SECUREBITS is not privileged, while
+ * PR_SET_SECUREBITS is. So to suppress
+ * potential EPERMs we'll try not to call
+ * PR_SET_SECUREBITS unless necessary. */
+ if (prctl(PR_GET_SECUREBITS) != context->secure_bits)
+ if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
+ *error = EXIT_SECUREBITS;
+ return -errno;
+ }
+
+ if (context->capabilities)
+ if (cap_set_proc(context->capabilities) < 0) {
+ *error = EXIT_CAPABILITIES;
+ return -errno;
+ }
+
+ if (context->no_new_privileges)
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
+ *error = EXIT_NO_NEW_PRIVILEGES;
+ return -errno;
+ }
+
+#ifdef HAVE_SECCOMP
+ if (context->address_families_whitelist ||
+ !set_isempty(context->address_families)) {
+ err = apply_address_families(context);
+ if (err < 0) {
+ *error = EXIT_ADDRESS_FAMILIES;
+ return err;
+ }
+ }
+
+ if (context->syscall_whitelist ||
+ !set_isempty(context->syscall_filter) ||
+ !set_isempty(context->syscall_archs)) {
+ err = apply_seccomp(context);
+ if (err < 0) {
+ *error = EXIT_SECCOMP;
+ return err;
+ }
+ }
+#endif
+
+#ifdef HAVE_SELINUX
+ if (context->selinux_context && use_selinux()) {
+ err = setexeccon(context->selinux_context);
+ if (err < 0 && !context->selinux_context_ignore) {
+ *error = EXIT_SELINUX_CONTEXT;
+ return err;
+ }
+ }
+#endif
+
+#ifdef HAVE_APPARMOR
+ if (context->apparmor_profile && use_apparmor()) {
+ err = aa_change_onexec(context->apparmor_profile);
+ if (err < 0 && !context->apparmor_profile_ignore) {
+ *error = EXIT_APPARMOR_PROFILE;
+ return err;
+ }
+ }
+#endif
+ }
+
+ err = build_environment(context, n_fds, params->watchdog_usec, home, username, shell, &our_env);
+ if (err < 0) {
+ *error = EXIT_MEMORY;
+ return err;
+ }